- (tim) [configure.ac] Add AC_REVISION. Add sys/time.h to lastlog.h test

[openssh.git] / gss-serv.c
diff --git a/gss-serv.c b/gss-serv.c

index 8fd1d63f03aafff54600cb82f6fdd6f02ec9f894..26eec25bdc8137371d1e8affd751ed5b44a3ccb9 100644 (file)
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: gss-serv.c,v 1.3 2003/08/31 13:31:57 markus Exp $     */
+/*     $OpenBSD: gss-serv.c,v 1.13 2005/10/13 22:24:31 stevesk Exp $   */
  
  /*
   * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -29,20 +29,16 @@
  #ifdef GSSAPI
  
  #include "bufaux.h"
-#include "compat.h"
  #include "auth.h"
  #include "log.h"
  #include "channels.h"
  #include "session.h"
  #include "servconf.h"
-#include "monitor_wrap.h"
  #include "xmalloc.h"
  #include "getput.h"
  
  #include "ssh-gss.h"
  
-extern ServerOptions options;
-
  static ssh_gssapi_client gssapi_client =
      { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
      GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
@@ -61,7 +57,7 @@ ssh_gssapi_mech* supported_mechs[]= {
         &gssapi_null_mech,
  };
  
-/* Unpriviledged */
+/* Unprivileged */
  void
  ssh_gssapi_supported_oids(gss_OID_set *oidset)
  {
@@ -90,7 +86,7 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
   *    oid
   *    credentials      (from ssh_gssapi_acquire_cred)
   */
-/* Priviledged */
+/* Privileged */
  OM_uint32
  ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok,
      gss_buffer_desc *send_tok, OM_uint32 *flags)
@@ -134,18 +130,18 @@ ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok,
  static OM_uint32
  ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
  {
-       char *tok;
+       u_char *tok;
         OM_uint32 offset;
         OM_uint32 oidl;
  
-       tok=ename->value;
+       tok = ename->value;
  
         /*
          * Check that ename is long enough for all of the fixed length
          * header, and that the initial ID bytes are correct
          */
  
-       if (ename->length<6 || memcmp(tok,"\x04\x01", 2)!=0)
+       if (ename->length < 6 || memcmp(tok, "\x04\x01", 2) != 0)
                 return GSS_S_FAILURE;
  
         /*
@@ -164,7 +160,7 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
          */
         if (tok[4] != 0x06 || tok[5] != oidl ||
             ename->length < oidl+6 ||
-          !ssh_gssapi_check_oid(ctx,tok+6,oidl))
+           !ssh_gssapi_check_oid(ctx, tok+6, oidl))
                 return GSS_S_FAILURE;
  
         offset = oidl+6;
@@ -179,7 +175,7 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
                 return GSS_S_FAILURE;
  
         name->value = xmalloc(name->length+1);
-       memcpy(name->value,tok+offset,name->length);
+       memcpy(name->value, tok+offset,name->length);
         ((char *)name->value)[name->length] = 0;
  
         return GSS_S_COMPLETE;
@@ -188,7 +184,7 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
  /* Extract the client details from a given context. This can only reliably
   * be called once for a context */
  
-/* Priviledged (called from accept_secure_ctx) */
+/* Privileged (called from accept_secure_ctx) */
  OM_uint32
  ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
  {
@@ -232,9 +228,9 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
         return (ctx->major);
  }
  
-/* As user - called through fatal cleanup hook */
+/* As user - called on fatal/exit */
  void
-ssh_gssapi_cleanup_creds(void *ignored)
+ssh_gssapi_cleanup_creds(void)
  {
         if (gssapi_client.store.filename != NULL) {
                 /* Unlink probably isn't sufficient */
@@ -249,8 +245,6 @@ ssh_gssapi_storecreds(void)
  {
         if (gssapi_client.mech && gssapi_client.mech->storecreds) {
                 (*gssapi_client.mech->storecreds)(&gssapi_client);
-               if (options.gss_cleanup_creds)
-                       fatal_add_cleanup(ssh_gssapi_cleanup_creds, NULL);
         } else
                 debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
  }
@@ -265,28 +259,48 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
  
         if (gssapi_client.store.envvar != NULL &&
             gssapi_client.store.envval != NULL) {
-
                 debug("Setting %s to %s", gssapi_client.store.envvar,
-               gssapi_client.store.envval);
+                   gssapi_client.store.envval);
                 child_set_env(envp, envsizep, gssapi_client.store.envvar,
-                    gssapi_client.store.envval);
+                   gssapi_client.store.envval);
         }
  }
  
-/* Priviledged */
+/* Privileged */
  int
  ssh_gssapi_userok(char *user)
  {
+       OM_uint32 lmin;
+
         if (gssapi_client.exportedname.length == 0 ||
             gssapi_client.exportedname.value == NULL) {
                 debug("No suitable client data");
                 return 0;
         }
         if (gssapi_client.mech && gssapi_client.mech->userok)
-               return ((*gssapi_client.mech->userok)(&gssapi_client, user));
+               if ((*gssapi_client.mech->userok)(&gssapi_client, user))
+                       return 1;
+               else {
+                       /* Destroy delegated credentials if userok fails */
+                       gss_release_buffer(&lmin, &gssapi_client.displayname);
+                       gss_release_buffer(&lmin, &gssapi_client.exportedname);
+                       gss_release_cred(&lmin, &gssapi_client.creds);
+                       memset(&gssapi_client, 0, sizeof(ssh_gssapi_client));
+                       return 0;
+               }
         else
                 debug("ssh_gssapi_userok: Unknown GSSAPI mechanism");
         return (0);
  }
  
+/* Privileged */
+OM_uint32
+ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
+{
+       ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
+           gssbuf, gssmic, NULL);
+
+       return (ctx->major);
+}
+
  #endif