diff -ruw cvs-1.11.orig/src/server.c cvs-1.11/src/server.c --- cvs-1.11.orig/src/server.c Fri Jul 28 22:18:40 2000 +++ cvs-1.11/src/server.c Sat Feb 24 02:56:22 2001 @@ -5835,10 +5835,6 @@ #ifdef HAVE_GSSAPI -#ifndef MAXHOSTNAMELEN -#define MAXHOSTNAMELEN (256) -#endif - /* Authenticate a GSSAPI connection. This is called from pserver_authenticate_connection, and it handles success and failure the same way. */ @@ -5846,38 +5842,13 @@ static void gserver_authenticate_connection () { - char hostname[MAXHOSTNAMELEN]; - struct hostent *hp; - gss_buffer_desc tok_in, tok_out; + gss_buffer_desc tok_in, tok_out, server_name_buf; char buf[1024]; OM_uint32 stat_min, ret; - gss_name_t server_name, client_name; - gss_cred_id_t server_creds; + gss_name_t client_name, server_name; int nbytes; gss_OID mechid; - gethostname (hostname, sizeof hostname); - hp = gethostbyname (hostname); - if (hp == NULL) - error (1, 0, "can't get canonical hostname"); - - sprintf (buf, "address@hidden", hp->h_name); - tok_in.value = buf; - tok_in.length = strlen (buf); - - if (gss_import_name (&stat_min, &tok_in, GSS_C_NT_HOSTBASED_SERVICE, - &server_name) != GSS_S_COMPLETE) - error (1, 0, "could not import GSSAPI service name %s", buf); - - /* Acquire the server credential to verify the client's - authentication. */ - if (gss_acquire_cred (&stat_min, server_name, 0, GSS_C_NULL_OID_SET, - GSS_C_ACCEPT, &server_creds, - NULL, NULL) != GSS_S_COMPLETE) - error (1, 0, "could not acquire GSSAPI server credentials"); - - gss_release_name (&stat_min, &server_name); - /* The client will send us a two byte length followed by that many bytes. */ if (fread (buf, 1, 2, stdin) != 2) @@ -5895,7 +5866,7 @@ if (gss_accept_sec_context (&stat_min, &gcontext, /* context_handle */ - server_creds, /* verifier_cred_handle */ + GSS_C_NO_CREDENTIAL, /* verifier_cred_handle */ &tok_in, /* input_token */ NULL, /* channel bindings */ &client_name, /* src_name */ 
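Review bot: The `GSS_C_NO_CREDENTIAL` argument in the gss_accept_sec_context call has no comment explaining that the acceptor now runs with its default credential. With common Kerberos mechanisms that presumably lets a context be established against any service key the process can read, not only the CVS one, so this call no longer pins the service identity by itself. I would add a comment here, for example `/* Default acceptor credential: the target principal is not fixed here; it is checked against "cvs/" once the context is established. */`, so a later change does not drop or move that check. gserver_authenticate_connection starts in the previous hunk and continues past this one.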
@@ -5908,6 +5879,34 @@ { error (1, 0, "could not verify credentials"); } + + if (gss_inquire_context (&stat_min, + gcontext, + NULL, + &server_name, + NULL, + NULL, + NULL, + NULL, + NULL) != GSS_S_COMPLETE) + { + error (1, 0, "could not get server name"); + } + + if (gss_display_name (&stat_min, server_name, &server_name_buf, NULL) + != GSS_S_COMPLETE) + { + error (1, 0, "could not display server name"); + } + + if (server_name_buf.length < 4 + || strncmp(server_name_buf.value, "cvs/", 4) != 0) + { + error (1, 0, "wrong server: (%.*s)", + server_name_buf.length, server_name_buf.value); + } + + gss_release_buffer (&stat_min, &server_name_buf); /* FIXME: Use Kerberos v5 specific code to authenticate to a user. We could instead use an authentication to access mapping. */ Only in cvs-1.11/src: server.c~
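Review bot: In the added `error (1, 0, "wrong server: (%.*s)", ...)` call the precision argument is `server_name_buf.length`, a `size_t`, where `%.*s` takes an `int`. Pass `(int) server_name_buf.length, (char *) server_name_buf.value` instead, and confirm that CVS's error() handles `%.*s` at all. The name returned by gss_inquire_context is never freed on the success path; add `gss_release_name (&stat_min, &server_name);` next to the gss_release_buffer call. The test compares only the first four bytes of a mechanism-specific display string (the name-type output of gss_display_name is passed as NULL), so any acceptor principal beginning with `cvs/` passes whatever host or realm follows. If that is the intent for multi-homed servers, a comment above the check should say so. The function body continues outside this hunk.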