From fe206de954f2ca15cba13d435ea16020c1e6b6fe Mon Sep 17 00:00:00 2001
From: djm <djm>
Date: Wed, 31 Aug 2005 09:46:26 +0000
Subject: [PATCH]  - (djm) OpenBSD CVS Sync    - djm@cvs.openbsd.org 2005/08/30
 22:08:05      [gss-serv.c sshconnect2.c]      destroy credentials if
 krb5_kuserok() call fails. Stops credentials being      delegated to users
 who are not authorised for GSSAPIAuthentication when     
 GSSAPIDeletegateCredentials=yes and another authentication mechanism     
 succeeds; bz#1073 reported by paul.moore AT centrify.com, fix by      simon
 AT sxw.org.uk, tested todd@ biorn@ jakob@; ok deraadt@

---
 ChangeLog     | 10 ++++++++++
 gss-serv.c    | 15 +++++++++++++--
 sshconnect2.c |  5 +++--
 3 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index fb6f58cd..7a34d193 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+20050830
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2005/08/30 22:08:05
+     [gss-serv.c sshconnect2.c]
+     destroy credentials if krb5_kuserok() call fails. Stops credentials being
+     delegated to users who are not authorised for GSSAPIAuthentication when
+     GSSAPIDeletegateCredentials=yes and another authentication mechanism 
+     succeeds; bz#1073 reported by paul.moore AT centrify.com, fix by 
+     simon AT sxw.org.uk, tested todd@ biorn@ jakob@; ok deraadt@
+
 20050830
  - (tim) [configure.ac] Back out last change. It needs to be done differently.
 
diff --git a/gss-serv.c b/gss-serv.c
index e191eb5a..11713045 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: gss-serv.c,v 1.7 2005/07/17 07:17:55 djm Exp $	*/
+/*	$OpenBSD: gss-serv.c,v 1.8 2005/08/30 22:08:05 djm Exp $	*/
 
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -275,13 +275,24 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
 int
 ssh_gssapi_userok(char *user)
 {
+	OM_uint32 lmin;
+
 	if (gssapi_client.exportedname.length == 0 ||
 	    gssapi_client.exportedname.value == NULL) {
 		debug("No suitable client data");
 		return 0;
 	}
 	if (gssapi_client.mech && gssapi_client.mech->userok)
-		return ((*gssapi_client.mech->userok)(&gssapi_client, user));
+		if ((*gssapi_client.mech->userok)(&gssapi_client, user))
+			return 1;
+		else {
+			/* Destroy delegated credentials if userok fails */
+			gss_release_buffer(&lmin, &gssapi_client.displayname);
+			gss_release_buffer(&lmin, &gssapi_client.exportedname);
+			gss_release_cred(&lmin, &gssapi_client.creds);
+			memset(&gssapi_client, 0, sizeof(ssh_gssapi_client));
+			return 0;
+		}
 	else
 		debug("ssh_gssapi_userok: Unknown GSSAPI mechanism");
 	return (0);
diff --git a/sshconnect2.c b/sshconnect2.c
index baee664e..ee7932d6 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.141 2005/07/25 11:59:40 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.142 2005/08/30 22:08:05 djm Exp $");
 
 #include "openbsd-compat/sys-queue.h"
 
@@ -545,7 +545,8 @@ process_gssapi_token(void *ctxt, gss_buffer_t recv_tok)
 	Authctxt *authctxt = ctxt;
 	Gssctxt *gssctxt = authctxt->methoddata;
 	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
-	gss_buffer_desc gssbuf, mic;
+	gss_buffer_desc mic = GSS_C_EMPTY_BUFFER;
+	gss_buffer_desc gssbuf;
 	OM_uint32 status, ms, flags;
 	Buffer b;
 
-- 
2.45.2