- djm@cvs.openbsd.org 2006/08/18 13:54:54

[gss-genr.c ssh-gss.h sshconnect2.c]
     bz #1218 - disable SPNEGO as per RFC4462; diff from simon AT sxw.org.uk
     ok markus@

ChangeLog

@@ -34,6 +34,10 @@
      [misc.h]
      reorder so prototypes are sorted by the files they refer to; no
      binary change
+   - djm@cvs.openbsd.org 2006/08/18 13:54:54
+     [gss-genr.c ssh-gss.h sshconnect2.c]
+     bz #1218 - disable SPNEGO as per RFC4462; diff from simon AT sxw.org.uk
+     ok markus@
 
 20060817
  - (dtucker) [openbsd-compat/fake-rfc2553.c openbsd-compat/setproctitle.c]
@@ -5255,4 +5259,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.4493 2006/08/18 14:33:05 djm Exp $
+$Id: ChangeLog,v 1.4494 2006/08/18 14:33:34 djm Exp $

gss-genr.c

@@ -1,7 +1,7 @@
-/* $OpenBSD: gss-genr.c,v 1.13 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: gss-genr.c,v 1.14 2006/08/18 13:54:54 djm Exp $ */
 
 /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -291,4 +291,33 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
 	return (ssh_gssapi_acquire_cred(*ctx));
 }
 
+int
+ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, char *host)
+{
+	gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
+	OM_uint32 major, minor;
+	gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};
+
+	/* RFC 4462 says we MUST NOT do SPNEGO */
+	if (oid->length == spnego_oid.length && 
+	    (memcmp(oid->elements, spnego_oid.elements, oid->length) == 0))
+		return -1;
+
+	ssh_gssapi_build_ctx(ctx);
+	ssh_gssapi_set_oid(*ctx, oid);
+	major = ssh_gssapi_import_name(*ctx, host);
+	if (!GSS_ERROR(major)) {
+		major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, 
+		    NULL);
+		gss_release_buffer(&minor, &token);
+		gss_delete_sec_context(&minor, &(*ctx)->context, 
+		    GSS_C_NO_BUFFER);
+	}
+
+	if (GSS_ERROR(major)) 
+		ssh_gssapi_delete_ctx(ctx);
+
+	return (!GSS_ERROR(major));
+}
+
 #endif /* GSSAPI */

ssh-gss.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-gss.h,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: ssh-gss.h,v 1.8 2006/08/18 13:54:54 djm Exp $ */
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
  *
@@ -118,6 +118,7 @@ void ssh_gssapi_delete_ctx(Gssctxt **);
 OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
 OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
 void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
+int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, char *);
 
 /* In the server */
 int ssh_gssapi_userok(char *name);

sshconnect2.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.160 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.161 2006/08/18 13:54:54 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -508,25 +508,18 @@ userauth_gssapi(Authctxt *authctxt)
 
 	/* Check to see if the mechanism is usable before we offer it */
 	while (mech < gss_supported->count && !ok) {
-		if (gssctxt)
-			ssh_gssapi_delete_ctx(&gssctxt);
-		ssh_gssapi_build_ctx(&gssctxt);
-		ssh_gssapi_set_oid(gssctxt, &gss_supported->elements[mech]);
-
 		/* My DER encoding requires length<128 */
 		if (gss_supported->elements[mech].length < 128 &&
-		    !GSS_ERROR(ssh_gssapi_import_name(gssctxt,
-		    authctxt->host))) {
+		    ssh_gssapi_check_mechanism(&gssctxt, 
+		    &gss_supported->elements[mech], authctxt->host)) {
 			ok = 1; /* Mechanism works */
 		} else {
 			mech++;
 		}
 	}
 
-	if (!ok) {
-		ssh_gssapi_delete_ctx(&gssctxt);
+	if (!ok)
 		return 0;
-	}
 
 	authctxt->methoddata=(void *)gssctxt;