fix bug in openssh patch

[gssapi-openssh.git] / openssh / gss-serv.c

diff --git a/openssh/gss-serv.c b/openssh/gss-serv.c
index 999894d1b1bf24179de0240aeedc6111b5d8cf3a..39184d72055583e99e3527c3055ab8e7e6683417 100644 (file)
--- a/openssh/gss-serv.c
+++ b/openssh/gss-serv.c
@@ -1,7 +1,7 @@
 /* $OpenBSD: gss-serv.c,v 1.20 2006/08/03 03:34:42 deraadt Exp $ */
 
 /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -42,13 +42,15 @@
 #include "log.h"
 #include "channels.h"
 #include "session.h"
+#include "misc.h"
 #include "servconf.h"
+
 #include "xmalloc.h"
 #include "ssh-gss.h"
 #include "monitor_wrap.h"
-#include "misc.h"
 
 extern ServerOptions options;
+extern Authctxt *the_authctxt;
 
 static ssh_gssapi_client gssapi_client =
     { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
@@ -90,12 +92,12 @@ ssh_gssapi_server_mechanisms() {
 
 /* Unprivileged */
 int
-ssh_gssapi_server_check_mech(Gssctxt **ctx, gss_OID oid, const char *data) {
+ssh_gssapi_server_check_mech(Gssctxt **dum, gss_OID oid, const char *data) {
+       Gssctxt *ctx = NULL;
        int res;
  
-       res = !GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(ctx, oid)));
-       if (!res)
-               ssh_gssapi_delete_ctx(ctx);
+       res = !GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctx, oid)));
+       ssh_gssapi_delete_ctx(&ctx);
 
        return (res);
 }
@@ -126,6 +128,56 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
        gss_release_oid_set(&min_status, &supported);
 }
 
+OM_uint32
+ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
+{
+       if (*ctx)
+               ssh_gssapi_delete_ctx(ctx);
+       ssh_gssapi_build_ctx(ctx);
+       ssh_gssapi_set_oid(*ctx, oid);
+       return (ssh_gssapi_acquire_cred(*ctx));
+}
+
+/* Acquire credentials for a server running on the current host.
+ * Requires that the context structure contains a valid OID
+ */
+
+/* Returns a GSSAPI error code */
+OM_uint32
+ssh_gssapi_acquire_cred(Gssctxt *ctx)
+{
+       OM_uint32 status;
+       char lname[MAXHOSTNAMELEN];
+       gss_OID_set oidset;
+
+       if (options.gss_strict_acceptor) {
+               gss_create_empty_oid_set(&status, &oidset);
+               gss_add_oid_set_member(&status, ctx->oid, &oidset);
+
+               if (gethostname(lname, MAXHOSTNAMELEN)) {
+                       gss_release_oid_set(&status, &oidset);
+                       return (-1);
+               }
+
+               if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
+                       gss_release_oid_set(&status, &oidset);
+                       return (ctx->major);
+               }
+
+               if ((ctx->major = gss_acquire_cred(&ctx->minor,
+                   ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, 
+                   NULL, NULL)))
+                       ssh_gssapi_error(ctx);
+
+               gss_release_oid_set(&status, &oidset);
+               return (ctx->major);
+       } else {
+               ctx->name = GSS_C_NO_NAME;
+               ctx->creds = GSS_C_NO_CREDENTIAL;
+       }
+       return GSS_S_COMPLETE;
+}
+
 
 /* Wrapper around accept_sec_context
  * Requires that the context contains:
@@ -310,6 +362,11 @@ void
 ssh_gssapi_storecreds(void)
 {
        if (gssapi_client.mech && gssapi_client.mech->storecreds) {
+        if (options.gss_creds_path) {
+            gssapi_client.store.filename =
+                expand_authorized_keys(options.gss_creds_path,
+                                       the_authctxt->pw);
+        }
                (*gssapi_client.mech->storecreds)(&gssapi_client);
        } else
                debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");