gss-serv.c (126274) gss-serv.c (149749)
1/* $OpenBSD: gss-serv.c,v 1.5 2003/11/17 11:06:07 markus Exp $ */
1/* $OpenBSD: gss-serv.c,v 1.8 2005/08/30 22:08:05 djm Exp $ */
2
3/*
4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright

--- 119 unchanged lines hidden (view full) ---

129/*
130 * This parses an exported name, extracting the mechanism specific portion
131 * to use for ACL checking. It verifies that the name belongs the mechanism
132 * originally selected.
133 */
134static OM_uint32
135ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
136{
2
3/*
4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright

--- 119 unchanged lines hidden (view full) ---

129/*
130 * This parses an exported name, extracting the mechanism specific portion
131 * to use for ACL checking. It verifies that the name belongs the mechanism
132 * originally selected.
133 */
134static OM_uint32
135ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
136{
137 char *tok;
137 u_char *tok;
138 OM_uint32 offset;
139 OM_uint32 oidl;
140
141 tok=ename->value;
142
143 /*
144 * Check that ename is long enough for all of the fixed length
145 * header, and that the initial ID bytes are correct

--- 13 unchanged lines hidden (view full) ---

159 oidl = oidl-2; /* turn it into the _real_ length of the variable OID */
160
161 /*
162 * Check the BER encoding for correct type and length, that the
163 * string is long enough and that the OID matches that in our context
164 */
165 if (tok[4] != 0x06 || tok[5] != oidl ||
166 ename->length < oidl+6 ||
138 OM_uint32 offset;
139 OM_uint32 oidl;
140
141 tok=ename->value;
142
143 /*
144 * Check that ename is long enough for all of the fixed length
145 * header, and that the initial ID bytes are correct

--- 13 unchanged lines hidden (view full) ---

159 oidl = oidl-2; /* turn it into the _real_ length of the variable OID */
160
161 /*
162 * Check the BER encoding for correct type and length, that the
163 * string is long enough and that the OID matches that in our context
164 */
165 if (tok[4] != 0x06 || tok[5] != oidl ||
166 ename->length < oidl+6 ||
167 !ssh_gssapi_check_oid(ctx,tok+6,oidl))
167 !ssh_gssapi_check_oid(ctx,tok+6,oidl))
168 return GSS_S_FAILURE;
169
170 offset = oidl+6;
171
172 if (ename->length < offset+4)
173 return GSS_S_FAILURE;
174
175 name->length = GET_32BIT(tok+offset);

--- 86 unchanged lines hidden (view full) ---

262{
263
264 if (gssapi_client.store.envvar != NULL &&
265 gssapi_client.store.envval != NULL) {
266
267 debug("Setting %s to %s", gssapi_client.store.envvar,
268 gssapi_client.store.envval);
269 child_set_env(envp, envsizep, gssapi_client.store.envvar,
168 return GSS_S_FAILURE;
169
170 offset = oidl+6;
171
172 if (ename->length < offset+4)
173 return GSS_S_FAILURE;
174
175 name->length = GET_32BIT(tok+offset);

--- 86 unchanged lines hidden (view full) ---

262{
263
264 if (gssapi_client.store.envvar != NULL &&
265 gssapi_client.store.envval != NULL) {
266
267 debug("Setting %s to %s", gssapi_client.store.envvar,
268 gssapi_client.store.envval);
269 child_set_env(envp, envsizep, gssapi_client.store.envvar,
270 gssapi_client.store.envval);
270 gssapi_client.store.envval);
271 }
272}
273
274/* Priviledged */
275int
276ssh_gssapi_userok(char *user)
277{
271 }
272}
273
274/* Priviledged */
275int
276ssh_gssapi_userok(char *user)
277{
278 OM_uint32 lmin;
279
278 if (gssapi_client.exportedname.length == 0 ||
279 gssapi_client.exportedname.value == NULL) {
280 debug("No suitable client data");
281 return 0;
282 }
283 if (gssapi_client.mech && gssapi_client.mech->userok)
280 if (gssapi_client.exportedname.length == 0 ||
281 gssapi_client.exportedname.value == NULL) {
282 debug("No suitable client data");
283 return 0;
284 }
285 if (gssapi_client.mech && gssapi_client.mech->userok)
284 return ((*gssapi_client.mech->userok)(&gssapi_client, user));
286 if ((*gssapi_client.mech->userok)(&gssapi_client, user))
287 return 1;
288 else {
289 /* Destroy delegated credentials if userok fails */
290 gss_release_buffer(&lmin, &gssapi_client.displayname);
291 gss_release_buffer(&lmin, &gssapi_client.exportedname);
292 gss_release_cred(&lmin, &gssapi_client.creds);
293 memset(&gssapi_client, 0, sizeof(ssh_gssapi_client));
294 return 0;
295 }
285 else
286 debug("ssh_gssapi_userok: Unknown GSSAPI mechanism");
287 return (0);
288}
289
290/* Priviledged */
291OM_uint32
292ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
293{
294 ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
295 gssbuf, gssmic, NULL);
296
297 return (ctx->major);
298}
299
300#endif
296 else
297 debug("ssh_gssapi_userok: Unknown GSSAPI mechanism");
298 return (0);
299}
300
301/* Priviledged */
302OM_uint32
303ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
304{
305 ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
306 gssbuf, gssmic, NULL);
307
308 return (ctx->major);
309}
310
311#endif
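Review bot: The outer `if (gssapi_client.mech && gssapi_client.mech->userok)` in ssh_gssapi_userok now has an unbraced body holding a nested if/else, so the trailing `else debug(...)` binds to the outer if only because the inner if already owns its own braced else; brace the outer body explicitly, `if (gssapi_client.mech && gssapi_client.mech->userok) {` … `} else`, so a future edit to the inner branch cannot silently re-pair the else. The new cleanup (release of displayname, exportedname and creds, then the memset) runs only when the mechanism's userok callback returns false; the earlier "No suitable client data" return and the unknown-mechanism branch leave gssapi_client as it was, which is presumably fine if no credentials can have been stored on those paths, but a one-line comment saying so at the top of the function would make that intent explicit. The `u_char *tok` change in ssh_gssapi_parse_ename (whose body continues past the hidden lines) is the right fix for `tok[5] != oidl`, since a plain char with the high bit set would sign-extend before the comparison with the OM_uint32.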