authorAris Adamantiadis <aris@0xbadc0de.be>2013-07-03 23:44:45 +0200
committerAndreas Schneider <asn@cryptomilk.org>2013-07-13 15:23:33 +0200
commitc231029be32885f5a7cbef97c64147fdb1586f0f (patch)
tree40b06dfbf14b535c8c79d85b7022549036372d51 /src/gssapi.c
parent2ab7f2be75df1432fa7caad39ea40518ada95af3 (diff)
gssapi: Fix ticket forwarding bug
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Diffstat (limited to 'src/gssapi.c')
-rw-r--r--src/gssapi.c30
1 files changed, 18 insertions, 12 deletions
diff --git a/src/gssapi.c b/src/gssapi.c
index e2489dc6..d26c1c56 100644
--- a/src/gssapi.c
+++ b/src/gssapi.c
@@ -595,18 +595,24 @@ static int ssh_gssapi_match(ssh_session session, char *hostname, char *username,
GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | (deleg ? GSS_C_DELEG_FLAG : 0),
0, NULL, &input_token, NULL, &output_token, NULL, NULL);
if (!GSS_ERROR(maj_stat)){
- gss_OID_set tmp;
- gss_create_empty_oid_set(&min_stat, &tmp);
- gss_add_oid_set_member(&min_stat, oid, &tmp);
- maj_stat = gss_acquire_cred(&min_stat, user_name, 0,
- tmp, GSS_C_INITIATE,
- &client_creds, NULL, NULL);
- gss_release_oid_set(&min_stat, &tmp);
- if (!GSS_ERROR(maj_stat)){
- gss_release_cred(&min_stat, &client_creds);
- gss_add_oid_set_member(&min_stat,oid,valid_oids);
- ssh_log(session, SSH_LOG_PROTOCOL, "Matched oid %u for server", i);
- }
+ gss_OID_set tmp;
+ if (session->gssapi->client.client_deleg_creds != GSS_C_NO_CREDENTIAL){
+ /* we know the oid is ok since init_sec_context worked */
+ gss_add_oid_set_member(&min_stat, oid, valid_oids);
+ ssh_log(session, SSH_LOG_PROTOCOL, "Matched oid %u for server (with forwarding)", i);
+ } else {
+ gss_create_empty_oid_set(&min_stat, &tmp);
+ gss_add_oid_set_member(&min_stat, oid, &tmp);
+ maj_stat = gss_acquire_cred(&min_stat, user_name, 0,
+ tmp, GSS_C_INITIATE,
+ &client_creds, NULL, NULL);
+ gss_release_oid_set(&min_stat, &tmp);
+ if (!GSS_ERROR(maj_stat)){
+ gss_release_cred(&min_stat, &client_creds);
+ gss_add_oid_set_member(&min_stat,oid,valid_oids);
+ ssh_log(session, SSH_LOG_PROTOCOL, "Matched oid %u for server", i);
+ }
+ }
}
gss_delete_sec_context(&min_stat,&ctx, &output_token);
ctx = GSS_C_NO_CONTEXT;
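Review bot: In the non-forwarding `else` branch the results of `gss_create_empty_oid_set` and `gss_add_oid_set_member` are discarded, so if either fails, `tmp` (declared uninitialised at the top of the block) reaches `gss_acquire_cred` and `gss_release_oid_set` in an indeterminate or incomplete state. Declaring it inside the `else` as `gss_OID_set tmp = GSS_C_NO_OID_SET;` and skipping the acquire when `GSS_ERROR(gss_create_empty_oid_set(&min_stat, &tmp))` holds would close that gap. The forwarding branch has the same weakness: `ssh_log` reports a match even if `gss_add_oid_set_member(&min_stat, oid, valid_oids)` failed, so the log and `valid_oids` can disagree. The comment `/* we know the oid is ok since init_sec_context worked */` is only true if that call was made with the delegated credentials, which cannot be confirmed here because its leading arguments and the rest of `ssh_gssapi_match` lie outside the hunk.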