author | Colin Watson <cjwatson@debian.org> | 2015-08-19 14:23:51 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2015-08-19 16:48:11 +0100 |
commit | 0f0841b2d28b7463267d4d91577e72e3340a1d3a (patch) | |
tree | ba55fcd2b6e2cc22b30f5afb561dbb3da4c8b6c7 /debian/patches/gssapi.patch | |
parent | f2a5f5dae656759efb0b76c3d94890b65c197a02 (diff) | |
parent | 8698446b972003b63dfe5dcbdb86acfe986afb85 (diff) |
New upstream release (6.8p1).
Diffstat (limited to 'debian/patches/gssapi.patch')
-rw-r--r-- | debian/patches/gssapi.patch | 536 |
1 files changed, 239 insertions, 297 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index e8cbc1083..b3c437194 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 1c1b6fa17982eb622e2c4e8f4a279f2113f57413 Mon Sep 17 00:00:00 2001 | 1 | From 06879e71614170580ffa7568ec5c009f60a9d084 Mon Sep 17 00:00:00 2001 |
2 | From: Simon Wilkinson <simon@sxw.org.uk> | 2 | From: Simon Wilkinson <simon@sxw.org.uk> |
3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 |
4 | Subject: GSSAPI key exchange support | 4 | Subject: GSSAPI key exchange support |
@@ -17,26 +17,25 @@ have it merged into the main openssh package rather than having separate | |||
17 | security history. | 17 | security history. |
18 | 18 | ||
19 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 | 19 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 |
20 | Last-Updated: 2014-10-07 | 20 | Last-Updated: 2015-08-19 |
21 | 21 | ||
22 | Patch-Name: gssapi.patch | 22 | Patch-Name: gssapi.patch |
23 | --- | 23 | --- |
24 | ChangeLog.gssapi | 113 +++++++++++++++++++ | 24 | ChangeLog.gssapi | 113 +++++++++++++++++++ |
25 | Makefile.in | 3 +- | 25 | Makefile.in | 5 +- |
26 | auth-krb5.c | 17 ++- | 26 | auth-krb5.c | 17 ++- |
27 | auth2-gss.c | 48 +++++++- | 27 | auth2-gss.c | 48 +++++++- |
28 | auth2.c | 2 + | 28 | auth2.c | 2 + |
29 | clientloop.c | 13 +++ | 29 | clientloop.c | 13 +++ |
30 | config.h.in | 6 + | 30 | config.h.in | 6 + |
31 | configure | 57 ++++++++++ | ||
32 | configure.ac | 24 ++++ | 31 | configure.ac | 24 ++++ |
33 | gss-genr.c | 275 ++++++++++++++++++++++++++++++++++++++++++++- | 32 | gss-genr.c | 275 ++++++++++++++++++++++++++++++++++++++++++++- |
34 | gss-serv-krb5.c | 85 ++++++++++++-- | 33 | gss-serv-krb5.c | 85 ++++++++++++-- |
35 | gss-serv.c | 221 +++++++++++++++++++++++++++++++----- | 34 | gss-serv.c | 221 +++++++++++++++++++++++++++++++----- |
36 | kex.c | 16 +++ | 35 | kex.c | 16 +++ |
37 | kex.h | 14 +++ | 36 | kex.h | 14 +++ |
38 | kexgssc.c | 332 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ | 37 | kexgssc.c | 336 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
39 | kexgsss.c | 290 ++++++++++++++++++++++++++++++++++++++++++++++++ | 38 | kexgsss.c | 295 ++++++++++++++++++++++++++++++++++++++++++++++++ |
40 | monitor.c | 108 +++++++++++++++++- | 39 | monitor.c | 108 +++++++++++++++++- |
41 | monitor.h | 3 + | 40 | monitor.h | 3 + |
42 | monitor_wrap.c | 47 +++++++- | 41 | monitor_wrap.c | 47 +++++++- |
@@ -48,13 +47,13 @@ Patch-Name: gssapi.patch | |||
48 | ssh-gss.h | 41 ++++++- | 47 | ssh-gss.h | 41 ++++++- |
49 | ssh_config | 2 + | 48 | ssh_config | 2 + |
50 | ssh_config.5 | 34 +++++- | 49 | ssh_config.5 | 34 +++++- |
51 | sshconnect2.c | 124 ++++++++++++++++++++- | 50 | sshconnect2.c | 124 +++++++++++++++++++- |
52 | sshd.c | 110 ++++++++++++++++++ | 51 | sshd.c | 110 ++++++++++++++++++ |
53 | sshd_config | 2 + | 52 | sshd_config | 2 + |
54 | sshd_config.5 | 28 +++++ | 53 | sshd_config.5 | 28 +++++ |
55 | sshkey.c | 3 +- | 54 | sshkey.c | 3 +- |
56 | sshkey.h | 1 + | 55 | sshkey.h | 1 + |
57 | 33 files changed, 2052 insertions(+), 59 deletions(-) | 56 | 32 files changed, 2005 insertions(+), 60 deletions(-) |
58 | create mode 100644 ChangeLog.gssapi | 57 | create mode 100644 ChangeLog.gssapi |
59 | create mode 100644 kexgssc.c | 58 | create mode 100644 kexgssc.c |
60 | create mode 100644 kexgsss.c | 59 | create mode 100644 kexgsss.c |
@@ -179,21 +178,23 @@ index 0000000..f117a33 | |||
179 | + (from jbasney AT ncsa.uiuc.edu) | 178 | + (from jbasney AT ncsa.uiuc.edu) |
180 | + <gssapi-with-mic support is Bugzilla #1008> | 179 | + <gssapi-with-mic support is Bugzilla #1008> |
181 | diff --git a/Makefile.in b/Makefile.in | 180 | diff --git a/Makefile.in b/Makefile.in |
182 | index 06be3d5..086d8dd 100644 | 181 | index 40cc7aa..3d2a328 100644 |
183 | --- a/Makefile.in | 182 | --- a/Makefile.in |
184 | +++ b/Makefile.in | 183 | +++ b/Makefile.in |
185 | @@ -82,6 +82,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ | 184 | @@ -91,7 +91,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ |
186 | atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ | 185 | sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \ |
187 | monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ | 186 | kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ |
188 | kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ | 187 | kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \ |
189 | + kexgssc.o \ | 188 | - kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o |
190 | msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ | 189 | + kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \ |
191 | ssh-pkcs11.o krl.o smult_curve25519_ref.o \ | 190 | + kexgssc.o |
192 | kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ | 191 | |
193 | @@ -101,7 +102,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ | 192 | SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ |
193 | sshconnect.o sshconnect1.o sshconnect2.o mux.o \ | ||
194 | @@ -105,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ | ||
195 | auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ | ||
194 | auth2-none.o auth2-passwd.o auth2-pubkey.o \ | 196 | auth2-none.o auth2-passwd.o auth2-pubkey.o \ |
195 | monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ | 197 | monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \ |
196 | kexc25519s.o auth-krb5.o \ | ||
197 | - auth2-gss.o gss-serv.o gss-serv-krb5.o \ | 198 | - auth2-gss.o gss-serv.o gss-serv-krb5.o \ |
198 | + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ | 199 | + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ |
199 | loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ | 200 | loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ |
@@ -251,11 +252,11 @@ index 0089b18..ec47869 100644 | |||
251 | return (krb5_cc_resolve(ctx, ccname, ccache)); | 252 | return (krb5_cc_resolve(ctx, ccname, ccache)); |
252 | } | 253 | } |
253 | diff --git a/auth2-gss.c b/auth2-gss.c | 254 | diff --git a/auth2-gss.c b/auth2-gss.c |
254 | index 447f896..284f364 100644 | 255 | index 1ca8357..3b5036d 100644 |
255 | --- a/auth2-gss.c | 256 | --- a/auth2-gss.c |
256 | +++ b/auth2-gss.c | 257 | +++ b/auth2-gss.c |
257 | @@ -1,7 +1,7 @@ | 258 | @@ -1,7 +1,7 @@ |
258 | /* $OpenBSD: auth2-gss.c,v 1.21 2014/02/26 20:28:44 djm Exp $ */ | 259 | /* $OpenBSD: auth2-gss.c,v 1.22 2015/01/19 20:07:45 markus Exp $ */ |
259 | 260 | ||
260 | /* | 261 | /* |
261 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 262 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
@@ -263,9 +264,9 @@ index 447f896..284f364 100644 | |||
263 | * | 264 | * |
264 | * Redistribution and use in source and binary forms, with or without | 265 | * Redistribution and use in source and binary forms, with or without |
265 | * modification, are permitted provided that the following conditions | 266 | * modification, are permitted provided that the following conditions |
266 | @@ -53,6 +53,40 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt); | 267 | @@ -53,6 +53,40 @@ static int input_gssapi_mic(int type, u_int32_t plen, void *ctxt); |
267 | static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); | 268 | static int input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); |
268 | static void input_gssapi_errtok(int, u_int32_t, void *); | 269 | static int input_gssapi_errtok(int, u_int32_t, void *); |
269 | 270 | ||
270 | +/* | 271 | +/* |
271 | + * The 'gssapi_keyex' userauth mechanism. | 272 | + * The 'gssapi_keyex' userauth mechanism. |
@@ -304,7 +305,7 @@ index 447f896..284f364 100644 | |||
304 | /* | 305 | /* |
305 | * We only support those mechanisms that we know about (ie ones that we know | 306 | * We only support those mechanisms that we know about (ie ones that we know |
306 | * how to check local user kuserok and the like) | 307 | * how to check local user kuserok and the like) |
307 | @@ -236,7 +270,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) | 308 | @@ -238,7 +272,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) |
308 | 309 | ||
309 | packet_check_eom(); | 310 | packet_check_eom(); |
310 | 311 | ||
@@ -314,7 +315,7 @@ index 447f896..284f364 100644 | |||
314 | 315 | ||
315 | authctxt->postponed = 0; | 316 | authctxt->postponed = 0; |
316 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); | 317 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); |
317 | @@ -271,7 +306,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) | 318 | @@ -274,7 +309,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) |
318 | gssbuf.length = buffer_len(&b); | 319 | gssbuf.length = buffer_len(&b); |
319 | 320 | ||
320 | if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) | 321 | if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) |
@@ -324,8 +325,8 @@ index 447f896..284f364 100644 | |||
324 | else | 325 | else |
325 | logit("GSSAPI MIC check failed"); | 326 | logit("GSSAPI MIC check failed"); |
326 | 327 | ||
327 | @@ -286,6 +322,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) | 328 | @@ -290,6 +326,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) |
328 | userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); | 329 | return 0; |
329 | } | 330 | } |
330 | 331 | ||
331 | +Authmethod method_gsskeyex = { | 332 | +Authmethod method_gsskeyex = { |
@@ -338,7 +339,7 @@ index 447f896..284f364 100644 | |||
338 | "gssapi-with-mic", | 339 | "gssapi-with-mic", |
339 | userauth_gssapi, | 340 | userauth_gssapi, |
340 | diff --git a/auth2.c b/auth2.c | 341 | diff --git a/auth2.c b/auth2.c |
341 | index d9b440a..2f0d565 100644 | 342 | index 7177962..3f49bdc 100644 |
342 | --- a/auth2.c | 343 | --- a/auth2.c |
343 | +++ b/auth2.c | 344 | +++ b/auth2.c |
344 | @@ -70,6 +70,7 @@ extern Authmethod method_passwd; | 345 | @@ -70,6 +70,7 @@ extern Authmethod method_passwd; |
@@ -358,12 +359,12 @@ index d9b440a..2f0d565 100644 | |||
358 | #endif | 359 | #endif |
359 | &method_passwd, | 360 | &method_passwd, |
360 | diff --git a/clientloop.c b/clientloop.c | 361 | diff --git a/clientloop.c b/clientloop.c |
361 | index 397c965..f9175e3 100644 | 362 | index a9c8a90..7df9413 100644 |
362 | --- a/clientloop.c | 363 | --- a/clientloop.c |
363 | +++ b/clientloop.c | 364 | +++ b/clientloop.c |
364 | @@ -111,6 +111,10 @@ | 365 | @@ -114,6 +114,10 @@ |
365 | #include "msg.h" | 366 | #include "ssherr.h" |
366 | #include "roaming.h" | 367 | #include "hostfile.h" |
367 | 368 | ||
368 | +#ifdef GSSAPI | 369 | +#ifdef GSSAPI |
369 | +#include "ssh-gss.h" | 370 | +#include "ssh-gss.h" |
@@ -387,12 +388,12 @@ index 397c965..f9175e3 100644 | |||
387 | + | 388 | + |
388 | if (need_rekeying || packet_need_rekeying()) { | 389 | if (need_rekeying || packet_need_rekeying()) { |
389 | debug("need rekeying"); | 390 | debug("need rekeying"); |
390 | xxx_kex->done = 0; | 391 | active_state->kex->done = 0; |
391 | diff --git a/config.h.in b/config.h.in | 392 | diff --git a/config.h.in b/config.h.in |
392 | index 16d6206..a9a8b7a 100644 | 393 | index 7e7e38e..6c7de98 100644 |
393 | --- a/config.h.in | 394 | --- a/config.h.in |
394 | +++ b/config.h.in | 395 | +++ b/config.h.in |
395 | @@ -1622,6 +1622,9 @@ | 396 | @@ -1623,6 +1623,9 @@ |
396 | /* Use btmp to log bad logins */ | 397 | /* Use btmp to log bad logins */ |
397 | #undef USE_BTMP | 398 | #undef USE_BTMP |
398 | 399 | ||
@@ -402,7 +403,7 @@ index 16d6206..a9a8b7a 100644 | |||
402 | /* Use libedit for sftp */ | 403 | /* Use libedit for sftp */ |
403 | #undef USE_LIBEDIT | 404 | #undef USE_LIBEDIT |
404 | 405 | ||
405 | @@ -1637,6 +1640,9 @@ | 406 | @@ -1638,6 +1641,9 @@ |
406 | /* Use PIPES instead of a socketpair() */ | 407 | /* Use PIPES instead of a socketpair() */ |
407 | #undef USE_PIPES | 408 | #undef USE_PIPES |
408 | 409 | ||
@@ -412,79 +413,11 @@ index 16d6206..a9a8b7a 100644 | |||
412 | /* Define if you have Solaris process contracts */ | 413 | /* Define if you have Solaris process contracts */ |
413 | #undef USE_SOLARIS_PROCESS_CONTRACTS | 414 | #undef USE_SOLARIS_PROCESS_CONTRACTS |
414 | 415 | ||
415 | diff --git a/configure b/configure | ||
416 | index 6815388..ea5f200 100755 | ||
417 | --- a/configure | ||
418 | +++ b/configure | ||
419 | @@ -7168,6 +7168,63 @@ $as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h | ||
420 | |||
421 | $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h | ||
422 | |||
423 | + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if we have the Security Authorization Session API" >&5 | ||
424 | +$as_echo_n "checking if we have the Security Authorization Session API... " >&6; } | ||
425 | + cat confdefs.h - <<_ACEOF >conftest.$ac_ext | ||
426 | +/* end confdefs.h. */ | ||
427 | +#include <Security/AuthSession.h> | ||
428 | +int | ||
429 | +main () | ||
430 | +{ | ||
431 | +SessionCreate(0, 0); | ||
432 | + ; | ||
433 | + return 0; | ||
434 | +} | ||
435 | +_ACEOF | ||
436 | +if ac_fn_c_try_compile "$LINENO"; then : | ||
437 | + ac_cv_use_security_session_api="yes" | ||
438 | + | ||
439 | +$as_echo "#define USE_SECURITY_SESSION_API 1" >>confdefs.h | ||
440 | + | ||
441 | + LIBS="$LIBS -framework Security" | ||
442 | + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 | ||
443 | +$as_echo "yes" >&6; } | ||
444 | +else | ||
445 | + ac_cv_use_security_session_api="no" | ||
446 | + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | ||
447 | +$as_echo "no" >&6; } | ||
448 | +fi | ||
449 | +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext | ||
450 | + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if we have an in-memory credentials cache" >&5 | ||
451 | +$as_echo_n "checking if we have an in-memory credentials cache... " >&6; } | ||
452 | + cat confdefs.h - <<_ACEOF >conftest.$ac_ext | ||
453 | +/* end confdefs.h. */ | ||
454 | +#include <Kerberos/Kerberos.h> | ||
455 | +int | ||
456 | +main () | ||
457 | +{ | ||
458 | +cc_context_t c; | ||
459 | + (void) cc_initialize (&c, 0, NULL, NULL); | ||
460 | + ; | ||
461 | + return 0; | ||
462 | +} | ||
463 | +_ACEOF | ||
464 | +if ac_fn_c_try_compile "$LINENO"; then : | ||
465 | + | ||
466 | +$as_echo "#define USE_CCAPI 1" >>confdefs.h | ||
467 | + | ||
468 | + LIBS="$LIBS -framework Security" | ||
469 | + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 | ||
470 | +$as_echo "yes" >&6; } | ||
471 | + if test "x$ac_cv_use_security_session_api" = "xno"; then | ||
472 | + as_fn_error $? "*** Need a security framework to use the credentials cache API ***" "$LINENO" 5 | ||
473 | + fi | ||
474 | +else | ||
475 | + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | ||
476 | +$as_echo "no" >&6; } | ||
477 | + | ||
478 | +fi | ||
479 | +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext | ||
480 | |||
481 | ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default" | ||
482 | if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then : | ||
483 | diff --git a/configure.ac b/configure.ac | 416 | diff --git a/configure.ac b/configure.ac |
484 | index 67c4486..90e81e1 100644 | 417 | index b4d6598..216a9fd 100644 |
485 | --- a/configure.ac | 418 | --- a/configure.ac |
486 | +++ b/configure.ac | 419 | +++ b/configure.ac |
487 | @@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | 420 | @@ -620,6 +620,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) |
488 | [Use tunnel device compatibility to OpenBSD]) | 421 | [Use tunnel device compatibility to OpenBSD]) |
489 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], | 422 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], |
490 | [Prepend the address family to IP tunnel traffic]) | 423 | [Prepend the address family to IP tunnel traffic]) |
@@ -516,11 +449,11 @@ index 67c4486..90e81e1 100644 | |||
516 | AC_CHECK_DECL([AU_IPv4], [], | 449 | AC_CHECK_DECL([AU_IPv4], [], |
517 | AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) | 450 | AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) |
518 | diff --git a/gss-genr.c b/gss-genr.c | 451 | diff --git a/gss-genr.c b/gss-genr.c |
519 | index b39281b..1e569ad 100644 | 452 | index 60ac65f..5610f0b 100644 |
520 | --- a/gss-genr.c | 453 | --- a/gss-genr.c |
521 | +++ b/gss-genr.c | 454 | +++ b/gss-genr.c |
522 | @@ -1,7 +1,7 @@ | 455 | @@ -1,7 +1,7 @@ |
523 | /* $OpenBSD: gss-genr.c,v 1.22 2013/11/08 00:39:15 djm Exp $ */ | 456 | /* $OpenBSD: gss-genr.c,v 1.23 2015/01/20 23:14:00 deraadt Exp $ */ |
524 | 457 | ||
525 | /* | 458 | /* |
526 | - * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. | 459 | - * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. |
@@ -528,7 +461,7 @@ index b39281b..1e569ad 100644 | |||
528 | * | 461 | * |
529 | * Redistribution and use in source and binary forms, with or without | 462 | * Redistribution and use in source and binary forms, with or without |
530 | * modification, are permitted provided that the following conditions | 463 | * modification, are permitted provided that the following conditions |
531 | @@ -39,12 +39,167 @@ | 464 | @@ -40,12 +40,167 @@ |
532 | #include "buffer.h" | 465 | #include "buffer.h" |
533 | #include "log.h" | 466 | #include "log.h" |
534 | #include "ssh2.h" | 467 | #include "ssh2.h" |
@@ -696,7 +629,7 @@ index b39281b..1e569ad 100644 | |||
696 | /* Check that the OID in a data stream matches that in the context */ | 629 | /* Check that the OID in a data stream matches that in the context */ |
697 | int | 630 | int |
698 | ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) | 631 | ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) |
699 | @@ -197,7 +352,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok, | 632 | @@ -198,7 +353,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok, |
700 | } | 633 | } |
701 | 634 | ||
702 | ctx->major = gss_init_sec_context(&ctx->minor, | 635 | ctx->major = gss_init_sec_context(&ctx->minor, |
@@ -705,7 +638,7 @@ index b39281b..1e569ad 100644 | |||
705 | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, | 638 | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, |
706 | 0, NULL, recv_tok, NULL, send_tok, flags, NULL); | 639 | 0, NULL, recv_tok, NULL, send_tok, flags, NULL); |
707 | 640 | ||
708 | @@ -227,8 +382,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host) | 641 | @@ -228,8 +383,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host) |
709 | } | 642 | } |
710 | 643 | ||
711 | OM_uint32 | 644 | OM_uint32 |
@@ -748,7 +681,7 @@ index b39281b..1e569ad 100644 | |||
748 | if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, | 681 | if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, |
749 | GSS_C_QOP_DEFAULT, buffer, hash))) | 682 | GSS_C_QOP_DEFAULT, buffer, hash))) |
750 | ssh_gssapi_error(ctx); | 683 | ssh_gssapi_error(ctx); |
751 | @@ -236,6 +425,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) | 684 | @@ -237,6 +426,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) |
752 | return (ctx->major); | 685 | return (ctx->major); |
753 | } | 686 | } |
754 | 687 | ||
@@ -768,7 +701,7 @@ index b39281b..1e569ad 100644 | |||
768 | void | 701 | void |
769 | ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, | 702 | ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, |
770 | const char *context) | 703 | const char *context) |
771 | @@ -249,11 +451,16 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, | 704 | @@ -250,11 +452,16 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, |
772 | } | 705 | } |
773 | 706 | ||
774 | int | 707 | int |
@@ -786,7 +719,7 @@ index b39281b..1e569ad 100644 | |||
786 | 719 | ||
787 | /* RFC 4462 says we MUST NOT do SPNEGO */ | 720 | /* RFC 4462 says we MUST NOT do SPNEGO */ |
788 | if (oid->length == spnego_oid.length && | 721 | if (oid->length == spnego_oid.length && |
789 | @@ -263,6 +470,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) | 722 | @@ -264,6 +471,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) |
790 | ssh_gssapi_build_ctx(ctx); | 723 | ssh_gssapi_build_ctx(ctx); |
791 | ssh_gssapi_set_oid(*ctx, oid); | 724 | ssh_gssapi_set_oid(*ctx, oid); |
792 | major = ssh_gssapi_import_name(*ctx, host); | 725 | major = ssh_gssapi_import_name(*ctx, host); |
@@ -797,7 +730,7 @@ index b39281b..1e569ad 100644 | |||
797 | if (!GSS_ERROR(major)) { | 730 | if (!GSS_ERROR(major)) { |
798 | major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, | 731 | major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, |
799 | NULL); | 732 | NULL); |
800 | @@ -272,10 +483,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) | 733 | @@ -273,10 +484,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) |
801 | GSS_C_NO_BUFFER); | 734 | GSS_C_NO_BUFFER); |
802 | } | 735 | } |
803 | 736 | ||
@@ -992,11 +925,11 @@ index 795992d..fd8b371 100644 | |||
992 | 925 | ||
993 | #endif /* KRB5 */ | 926 | #endif /* KRB5 */ |
994 | diff --git a/gss-serv.c b/gss-serv.c | 927 | diff --git a/gss-serv.c b/gss-serv.c |
995 | index 5c59924..50fa438 100644 | 928 | index e7b8c52..539862d 100644 |
996 | --- a/gss-serv.c | 929 | --- a/gss-serv.c |
997 | +++ b/gss-serv.c | 930 | +++ b/gss-serv.c |
998 | @@ -1,7 +1,7 @@ | 931 | @@ -1,7 +1,7 @@ |
999 | /* $OpenBSD: gss-serv.c,v 1.27 2014/07/03 03:34:09 djm Exp $ */ | 932 | /* $OpenBSD: gss-serv.c,v 1.28 2015/01/20 23:14:00 deraadt Exp $ */ |
1000 | 933 | ||
1001 | /* | 934 | /* |
1002 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 935 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
@@ -1004,7 +937,7 @@ index 5c59924..50fa438 100644 | |||
1004 | * | 937 | * |
1005 | * Redistribution and use in source and binary forms, with or without | 938 | * Redistribution and use in source and binary forms, with or without |
1006 | * modification, are permitted provided that the following conditions | 939 | * modification, are permitted provided that the following conditions |
1007 | @@ -45,15 +45,21 @@ | 940 | @@ -44,15 +44,21 @@ |
1008 | #include "channels.h" | 941 | #include "channels.h" |
1009 | #include "session.h" | 942 | #include "session.h" |
1010 | #include "misc.h" | 943 | #include "misc.h" |
@@ -1028,7 +961,7 @@ index 5c59924..50fa438 100644 | |||
1028 | 961 | ||
1029 | #ifdef KRB5 | 962 | #ifdef KRB5 |
1030 | extern ssh_gssapi_mech gssapi_kerberos_mech; | 963 | extern ssh_gssapi_mech gssapi_kerberos_mech; |
1031 | @@ -100,25 +106,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) | 964 | @@ -99,25 +105,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) |
1032 | char lname[NI_MAXHOST]; | 965 | char lname[NI_MAXHOST]; |
1033 | gss_OID_set oidset; | 966 | gss_OID_set oidset; |
1034 | 967 | ||
@@ -1075,7 +1008,7 @@ index 5c59924..50fa438 100644 | |||
1075 | } | 1008 | } |
1076 | 1009 | ||
1077 | /* Privileged */ | 1010 | /* Privileged */ |
1078 | @@ -133,6 +146,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) | 1011 | @@ -132,6 +145,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) |
1079 | } | 1012 | } |
1080 | 1013 | ||
1081 | /* Unprivileged */ | 1014 | /* Unprivileged */ |
@@ -1105,7 +1038,7 @@ index 5c59924..50fa438 100644 | |||
1105 | void | 1038 | void |
1106 | ssh_gssapi_supported_oids(gss_OID_set *oidset) | 1039 | ssh_gssapi_supported_oids(gss_OID_set *oidset) |
1107 | { | 1040 | { |
1108 | @@ -142,7 +178,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset) | 1041 | @@ -141,7 +177,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset) |
1109 | gss_OID_set supported; | 1042 | gss_OID_set supported; |
1110 | 1043 | ||
1111 | gss_create_empty_oid_set(&min_status, oidset); | 1044 | gss_create_empty_oid_set(&min_status, oidset); |
@@ -1116,7 +1049,7 @@ index 5c59924..50fa438 100644 | |||
1116 | 1049 | ||
1117 | while (supported_mechs[i]->name != NULL) { | 1050 | while (supported_mechs[i]->name != NULL) { |
1118 | if (GSS_ERROR(gss_test_oid_set_member(&min_status, | 1051 | if (GSS_ERROR(gss_test_oid_set_member(&min_status, |
1119 | @@ -268,8 +306,48 @@ OM_uint32 | 1052 | @@ -267,8 +305,48 @@ OM_uint32 |
1120 | ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) | 1053 | ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) |
1121 | { | 1054 | { |
1122 | int i = 0; | 1055 | int i = 0; |
@@ -1166,7 +1099,7 @@ index 5c59924..50fa438 100644 | |||
1166 | 1099 | ||
1167 | client->mech = NULL; | 1100 | client->mech = NULL; |
1168 | 1101 | ||
1169 | @@ -284,6 +362,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) | 1102 | @@ -283,6 +361,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) |
1170 | if (client->mech == NULL) | 1103 | if (client->mech == NULL) |
1171 | return GSS_S_FAILURE; | 1104 | return GSS_S_FAILURE; |
1172 | 1105 | ||
@@ -1180,7 +1113,7 @@ index 5c59924..50fa438 100644 | |||
1180 | if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, | 1113 | if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, |
1181 | &client->displayname, NULL))) { | 1114 | &client->displayname, NULL))) { |
1182 | ssh_gssapi_error(ctx); | 1115 | ssh_gssapi_error(ctx); |
1183 | @@ -301,6 +386,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) | 1116 | @@ -300,6 +385,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) |
1184 | return (ctx->major); | 1117 | return (ctx->major); |
1185 | } | 1118 | } |
1186 | 1119 | ||
@@ -1189,7 +1122,7 @@ index 5c59924..50fa438 100644 | |||
1189 | /* We can't copy this structure, so we just move the pointer to it */ | 1122 | /* We can't copy this structure, so we just move the pointer to it */ |
1190 | client->creds = ctx->client_creds; | 1123 | client->creds = ctx->client_creds; |
1191 | ctx->client_creds = GSS_C_NO_CREDENTIAL; | 1124 | ctx->client_creds = GSS_C_NO_CREDENTIAL; |
1192 | @@ -348,7 +435,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep) | 1125 | @@ -347,7 +434,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep) |
1193 | 1126 | ||
1194 | /* Privileged */ | 1127 | /* Privileged */ |
1195 | int | 1128 | int |
@@ -1198,7 +1131,7 @@ index 5c59924..50fa438 100644 | |||
1198 | { | 1131 | { |
1199 | OM_uint32 lmin; | 1132 | OM_uint32 lmin; |
1200 | 1133 | ||
1201 | @@ -358,9 +445,11 @@ ssh_gssapi_userok(char *user) | 1134 | @@ -357,9 +444,11 @@ ssh_gssapi_userok(char *user) |
1202 | return 0; | 1135 | return 0; |
1203 | } | 1136 | } |
1204 | if (gssapi_client.mech && gssapi_client.mech->userok) | 1137 | if (gssapi_client.mech && gssapi_client.mech->userok) |
@@ -1212,7 +1145,7 @@ index 5c59924..50fa438 100644 | |||
1212 | /* Destroy delegated credentials if userok fails */ | 1145 | /* Destroy delegated credentials if userok fails */ |
1213 | gss_release_buffer(&lmin, &gssapi_client.displayname); | 1146 | gss_release_buffer(&lmin, &gssapi_client.displayname); |
1214 | gss_release_buffer(&lmin, &gssapi_client.exportedname); | 1147 | gss_release_buffer(&lmin, &gssapi_client.exportedname); |
1215 | @@ -374,14 +463,90 @@ ssh_gssapi_userok(char *user) | 1148 | @@ -373,14 +462,90 @@ ssh_gssapi_userok(char *user) |
1216 | return (0); | 1149 | return (0); |
1217 | } | 1150 | } |
1218 | 1151 | ||
@@ -1310,11 +1243,11 @@ index 5c59924..50fa438 100644 | |||
1310 | 1243 | ||
1311 | #endif | 1244 | #endif |
1312 | diff --git a/kex.c b/kex.c | 1245 | diff --git a/kex.c b/kex.c |
1313 | index a173e70..891852b 100644 | 1246 | index 8c2b001..be938ad 100644 |
1314 | --- a/kex.c | 1247 | --- a/kex.c |
1315 | +++ b/kex.c | 1248 | +++ b/kex.c |
1316 | @@ -53,6 +53,10 @@ | 1249 | @@ -55,6 +55,10 @@ |
1317 | #include "roaming.h" | 1250 | #include "sshbuf.h" |
1318 | #include "digest.h" | 1251 | #include "digest.h" |
1319 | 1252 | ||
1320 | +#ifdef GSSAPI | 1253 | +#ifdef GSSAPI |
@@ -1324,8 +1257,8 @@ index a173e70..891852b 100644 | |||
1324 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L | 1257 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L |
1325 | # if defined(HAVE_EVP_SHA256) | 1258 | # if defined(HAVE_EVP_SHA256) |
1326 | # define evp_ssh_sha256 EVP_sha256 | 1259 | # define evp_ssh_sha256 EVP_sha256 |
1327 | @@ -96,6 +100,14 @@ static const struct kexalg kexalgs[] = { | 1260 | @@ -97,6 +101,14 @@ static const struct kexalg kexalgs[] = { |
1328 | #endif /* HAVE_EVP_SHA256 */ | 1261 | #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ |
1329 | { NULL, -1, -1, -1}, | 1262 | { NULL, -1, -1, -1}, |
1330 | }; | 1263 | }; |
1331 | +static const struct kexalg kexalg_prefixes[] = { | 1264 | +static const struct kexalg kexalg_prefixes[] = { |
@@ -1339,7 +1272,7 @@ index a173e70..891852b 100644 | |||
1339 | 1272 | ||
1340 | char * | 1273 | char * |
1341 | kex_alg_list(char sep) | 1274 | kex_alg_list(char sep) |
1342 | @@ -124,6 +136,10 @@ kex_alg_by_name(const char *name) | 1275 | @@ -129,6 +141,10 @@ kex_alg_by_name(const char *name) |
1343 | if (strcmp(k->name, name) == 0) | 1276 | if (strcmp(k->name, name) == 0) |
1344 | return k; | 1277 | return k; |
1345 | } | 1278 | } |
@@ -1351,10 +1284,10 @@ index a173e70..891852b 100644 | |||
1351 | } | 1284 | } |
1352 | 1285 | ||
1353 | diff --git a/kex.h b/kex.h | 1286 | diff --git a/kex.h b/kex.h |
1354 | index 4c40ec8..c179a4d 100644 | 1287 | index f70b81f..7194b14 100644 |
1355 | --- a/kex.h | 1288 | --- a/kex.h |
1356 | +++ b/kex.h | 1289 | +++ b/kex.h |
1357 | @@ -76,6 +76,9 @@ enum kex_exchange { | 1290 | @@ -93,6 +93,9 @@ enum kex_exchange { |
1358 | KEX_DH_GEX_SHA256, | 1291 | KEX_DH_GEX_SHA256, |
1359 | KEX_ECDH_SHA2, | 1292 | KEX_ECDH_SHA2, |
1360 | KEX_C25519_SHA256, | 1293 | KEX_C25519_SHA256, |
@@ -1364,8 +1297,8 @@ index 4c40ec8..c179a4d 100644 | |||
1364 | KEX_MAX | 1297 | KEX_MAX |
1365 | }; | 1298 | }; |
1366 | 1299 | ||
1367 | @@ -135,6 +138,12 @@ struct Kex { | 1300 | @@ -139,6 +142,12 @@ struct kex { |
1368 | int flags; | 1301 | u_int flags; |
1369 | int hash_alg; | 1302 | int hash_alg; |
1370 | int ec_nid; | 1303 | int ec_nid; |
1371 | +#ifdef GSSAPI | 1304 | +#ifdef GSSAPI |
@@ -1376,25 +1309,25 @@ index 4c40ec8..c179a4d 100644 | |||
1376 | +#endif | 1309 | +#endif |
1377 | char *client_version_string; | 1310 | char *client_version_string; |
1378 | char *server_version_string; | 1311 | char *server_version_string; |
1379 | int (*verify_host_key)(Key *); | 1312 | int (*verify_host_key)(struct sshkey *, struct ssh *); |
1380 | @@ -167,6 +176,11 @@ void kexecdh_server(Kex *); | 1313 | @@ -184,6 +193,11 @@ int kexecdh_server(struct ssh *); |
1381 | void kexc25519_client(Kex *); | 1314 | int kexc25519_client(struct ssh *); |
1382 | void kexc25519_server(Kex *); | 1315 | int kexc25519_server(struct ssh *); |
1383 | 1316 | ||
1384 | +#ifdef GSSAPI | 1317 | +#ifdef GSSAPI |
1385 | +void kexgss_client(Kex *); | 1318 | +int kexgss_client(struct ssh *); |
1386 | +void kexgss_server(Kex *); | 1319 | +int kexgss_server(struct ssh *); |
1387 | +#endif | 1320 | +#endif |
1388 | + | 1321 | + |
1389 | void | 1322 | int kex_dh_hash(const char *, const char *, |
1390 | kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, | 1323 | const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, |
1391 | BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); | 1324 | const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *); |
1392 | diff --git a/kexgssc.c b/kexgssc.c | 1325 | diff --git a/kexgssc.c b/kexgssc.c |
1393 | new file mode 100644 | 1326 | new file mode 100644 |
1394 | index 0000000..92a31c5 | 1327 | index 0000000..a49bac2 |
1395 | --- /dev/null | 1328 | --- /dev/null |
1396 | +++ b/kexgssc.c | 1329 | +++ b/kexgssc.c |
1397 | @@ -0,0 +1,332 @@ | 1330 | @@ -0,0 +1,336 @@ |
1398 | +/* | 1331 | +/* |
1399 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. | 1332 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. |
1400 | + * | 1333 | + * |
@@ -1439,43 +1372,46 @@ index 0000000..92a31c5 | |||
1439 | +#include "log.h" | 1372 | +#include "log.h" |
1440 | +#include "packet.h" | 1373 | +#include "packet.h" |
1441 | +#include "dh.h" | 1374 | +#include "dh.h" |
1375 | +#include "digest.h" | ||
1442 | + | 1376 | + |
1443 | +#include "ssh-gss.h" | 1377 | +#include "ssh-gss.h" |
1444 | + | 1378 | + |
1445 | +void | 1379 | +int |
1446 | +kexgss_client(Kex *kex) { | 1380 | +kexgss_client(struct ssh *ssh) { |
1447 | + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; | 1381 | + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; |
1448 | + gss_buffer_desc recv_tok, gssbuf, msg_tok, *token_ptr; | 1382 | + gss_buffer_desc recv_tok, gssbuf, msg_tok, *token_ptr; |
1449 | + Gssctxt *ctxt; | 1383 | + Gssctxt *ctxt; |
1450 | + OM_uint32 maj_status, min_status, ret_flags; | 1384 | + OM_uint32 maj_status, min_status, ret_flags; |
1451 | + u_int klen, kout, slen = 0, hashlen, strlen; | 1385 | + u_int klen, kout, slen = 0, strlen; |
1452 | + DH *dh; | 1386 | + DH *dh; |
1453 | + BIGNUM *dh_server_pub = NULL; | 1387 | + BIGNUM *dh_server_pub = NULL; |
1454 | + BIGNUM *shared_secret = NULL; | 1388 | + BIGNUM *shared_secret = NULL; |
1455 | + BIGNUM *p = NULL; | 1389 | + BIGNUM *p = NULL; |
1456 | + BIGNUM *g = NULL; | 1390 | + BIGNUM *g = NULL; |
1457 | + u_char *kbuf, *hash; | 1391 | + u_char *kbuf; |
1458 | + u_char *serverhostkey = NULL; | 1392 | + u_char *serverhostkey = NULL; |
1459 | + u_char *empty = ""; | 1393 | + u_char *empty = ""; |
1460 | + char *msg; | 1394 | + char *msg; |
1461 | + int type = 0; | 1395 | + int type = 0; |
1462 | + int first = 1; | 1396 | + int first = 1; |
1463 | + int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX; | 1397 | + int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX; |
1398 | + u_char hash[SSH_DIGEST_MAX_LENGTH]; | ||
1399 | + size_t hashlen; | ||
1464 | + | 1400 | + |
1465 | + /* Initialise our GSSAPI world */ | 1401 | + /* Initialise our GSSAPI world */ |
1466 | + ssh_gssapi_build_ctx(&ctxt); | 1402 | + ssh_gssapi_build_ctx(&ctxt); |
1467 | + if (ssh_gssapi_id_kex(ctxt, kex->name, kex->kex_type) | 1403 | + if (ssh_gssapi_id_kex(ctxt, ssh->kex->name, ssh->kex->kex_type) |
1468 | + == GSS_C_NO_OID) | 1404 | + == GSS_C_NO_OID) |
1469 | + fatal("Couldn't identify host exchange"); | 1405 | + fatal("Couldn't identify host exchange"); |
1470 | + | 1406 | + |
1471 | + if (ssh_gssapi_import_name(ctxt, kex->gss_host)) | 1407 | + if (ssh_gssapi_import_name(ctxt, ssh->kex->gss_host)) |
1472 | + fatal("Couldn't import hostname"); | 1408 | + fatal("Couldn't import hostname"); |
1473 | + | 1409 | + |
1474 | + if (kex->gss_client && | 1410 | + if (ssh->kex->gss_client && |
1475 | + ssh_gssapi_client_identity(ctxt, kex->gss_client)) | 1411 | + ssh_gssapi_client_identity(ctxt, ssh->kex->gss_client)) |
1476 | + fatal("Couldn't acquire client credentials"); | 1412 | + fatal("Couldn't acquire client credentials"); |
1477 | + | 1413 | + |
1478 | + switch (kex->kex_type) { | 1414 | + switch (ssh->kex->kex_type) { |
1479 | + case KEX_GSS_GRP1_SHA1: | 1415 | + case KEX_GSS_GRP1_SHA1: |
1480 | + dh = dh_new_group1(); | 1416 | + dh = dh_new_group1(); |
1481 | + break; | 1417 | + break; |
@@ -1484,7 +1420,7 @@ index 0000000..92a31c5 | |||
1484 | + break; | 1420 | + break; |
1485 | + case KEX_GSS_GEX_SHA1: | 1421 | + case KEX_GSS_GEX_SHA1: |
1486 | + debug("Doing group exchange\n"); | 1422 | + debug("Doing group exchange\n"); |
1487 | + nbits = dh_estimate(kex->we_need * 8); | 1423 | + nbits = dh_estimate(ssh->kex->we_need * 8); |
1488 | + packet_start(SSH2_MSG_KEXGSS_GROUPREQ); | 1424 | + packet_start(SSH2_MSG_KEXGSS_GROUPREQ); |
1489 | + packet_put_int(min); | 1425 | + packet_put_int(min); |
1490 | + packet_put_int(nbits); | 1426 | + packet_put_int(nbits); |
@@ -1509,11 +1445,11 @@ index 0000000..92a31c5 | |||
1509 | + dh = dh_new_group(g, p); | 1445 | + dh = dh_new_group(g, p); |
1510 | + break; | 1446 | + break; |
1511 | + default: | 1447 | + default: |
1512 | + fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); | 1448 | + fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type); |
1513 | + } | 1449 | + } |
1514 | + | 1450 | + |
1515 | + /* Step 1 - e is dh->pub_key */ | 1451 | + /* Step 1 - e is dh->pub_key */ |
1516 | + dh_gen_key(dh, kex->we_need * 8); | 1452 | + dh_gen_key(dh, ssh->kex->we_need * 8); |
1517 | + | 1453 | + |
1518 | + /* This is f, we initialise it now to make life easier */ | 1454 | + /* This is f, we initialise it now to make life easier */ |
1519 | + dh_server_pub = BN_new(); | 1455 | + dh_server_pub = BN_new(); |
@@ -1526,7 +1462,7 @@ index 0000000..92a31c5 | |||
1526 | + debug("Calling gss_init_sec_context"); | 1462 | + debug("Calling gss_init_sec_context"); |
1527 | + | 1463 | + |
1528 | + maj_status = ssh_gssapi_init_ctx(ctxt, | 1464 | + maj_status = ssh_gssapi_init_ctx(ctxt, |
1529 | + kex->gss_deleg_creds, token_ptr, &send_tok, | 1465 | + ssh->kex->gss_deleg_creds, token_ptr, &send_tok, |
1530 | + &ret_flags); | 1466 | + &ret_flags); |
1531 | + | 1467 | + |
1532 | + if (GSS_ERROR(maj_status)) { | 1468 | + if (GSS_ERROR(maj_status)) { |
@@ -1659,38 +1595,39 @@ index 0000000..92a31c5 | |||
1659 | + memset(kbuf, 0, klen); | 1595 | + memset(kbuf, 0, klen); |
1660 | + free(kbuf); | 1596 | + free(kbuf); |
1661 | + | 1597 | + |
1662 | + switch (kex->kex_type) { | 1598 | + hashlen = sizeof(hash); |
1599 | + switch (ssh->kex->kex_type) { | ||
1663 | + case KEX_GSS_GRP1_SHA1: | 1600 | + case KEX_GSS_GRP1_SHA1: |
1664 | + case KEX_GSS_GRP14_SHA1: | 1601 | + case KEX_GSS_GRP14_SHA1: |
1665 | + kex_dh_hash( kex->client_version_string, | 1602 | + kex_dh_hash( ssh->kex->client_version_string, |
1666 | + kex->server_version_string, | 1603 | + ssh->kex->server_version_string, |
1667 | + buffer_ptr(&kex->my), buffer_len(&kex->my), | 1604 | + buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my), |
1668 | + buffer_ptr(&kex->peer), buffer_len(&kex->peer), | 1605 | + buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer), |
1669 | + (serverhostkey ? serverhostkey : empty), slen, | 1606 | + (serverhostkey ? serverhostkey : empty), slen, |
1670 | + dh->pub_key, /* e */ | 1607 | + dh->pub_key, /* e */ |
1671 | + dh_server_pub, /* f */ | 1608 | + dh_server_pub, /* f */ |
1672 | + shared_secret, /* K */ | 1609 | + shared_secret, /* K */ |
1673 | + &hash, &hashlen | 1610 | + hash, &hashlen |
1674 | + ); | 1611 | + ); |
1675 | + break; | 1612 | + break; |
1676 | + case KEX_GSS_GEX_SHA1: | 1613 | + case KEX_GSS_GEX_SHA1: |
1677 | + kexgex_hash( | 1614 | + kexgex_hash( |
1678 | + kex->hash_alg, | 1615 | + ssh->kex->hash_alg, |
1679 | + kex->client_version_string, | 1616 | + ssh->kex->client_version_string, |
1680 | + kex->server_version_string, | 1617 | + ssh->kex->server_version_string, |
1681 | + buffer_ptr(&kex->my), buffer_len(&kex->my), | 1618 | + buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my), |
1682 | + buffer_ptr(&kex->peer), buffer_len(&kex->peer), | 1619 | + buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer), |
1683 | + (serverhostkey ? serverhostkey : empty), slen, | 1620 | + (serverhostkey ? serverhostkey : empty), slen, |
1684 | + min, nbits, max, | 1621 | + min, nbits, max, |
1685 | + dh->p, dh->g, | 1622 | + dh->p, dh->g, |
1686 | + dh->pub_key, | 1623 | + dh->pub_key, |
1687 | + dh_server_pub, | 1624 | + dh_server_pub, |
1688 | + shared_secret, | 1625 | + shared_secret, |
1689 | + &hash, &hashlen | 1626 | + hash, &hashlen |
1690 | + ); | 1627 | + ); |
1691 | + break; | 1628 | + break; |
1692 | + default: | 1629 | + default: |
1693 | + fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); | 1630 | + fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type); |
1694 | + } | 1631 | + } |
1695 | + | 1632 | + |
1696 | + gssbuf.value = hash; | 1633 | + gssbuf.value = hash; |
@@ -1707,13 +1644,13 @@ index 0000000..92a31c5 | |||
1707 | + BN_clear_free(dh_server_pub); | 1644 | + BN_clear_free(dh_server_pub); |
1708 | + | 1645 | + |
1709 | + /* save session id */ | 1646 | + /* save session id */ |
1710 | + if (kex->session_id == NULL) { | 1647 | + if (ssh->kex->session_id == NULL) { |
1711 | + kex->session_id_len = hashlen; | 1648 | + ssh->kex->session_id_len = hashlen; |
1712 | + kex->session_id = xmalloc(kex->session_id_len); | 1649 | + ssh->kex->session_id = xmalloc(ssh->kex->session_id_len); |
1713 | + memcpy(kex->session_id, hash, kex->session_id_len); | 1650 | + memcpy(ssh->kex->session_id, hash, ssh->kex->session_id_len); |
1714 | + } | 1651 | + } |
1715 | + | 1652 | + |
1716 | + if (kex->gss_deleg_creds) | 1653 | + if (ssh->kex->gss_deleg_creds) |
1717 | + ssh_gssapi_credentials_updated(ctxt); | 1654 | + ssh_gssapi_credentials_updated(ctxt); |
1718 | + | 1655 | + |
1719 | + if (gss_kex_context == NULL) | 1656 | + if (gss_kex_context == NULL) |
@@ -1721,18 +1658,18 @@ index 0000000..92a31c5 | |||
1721 | + else | 1658 | + else |
1722 | + ssh_gssapi_delete_ctx(&ctxt); | 1659 | + ssh_gssapi_delete_ctx(&ctxt); |
1723 | + | 1660 | + |
1724 | + kex_derive_keys_bn(kex, hash, hashlen, shared_secret); | 1661 | + kex_derive_keys_bn(ssh, hash, hashlen, shared_secret); |
1725 | + BN_clear_free(shared_secret); | 1662 | + BN_clear_free(shared_secret); |
1726 | + kex_finish(kex); | 1663 | + return kex_send_newkeys(ssh); |
1727 | +} | 1664 | +} |
1728 | + | 1665 | + |
1729 | +#endif /* GSSAPI */ | 1666 | +#endif /* GSSAPI */ |
1730 | diff --git a/kexgsss.c b/kexgsss.c | 1667 | diff --git a/kexgsss.c b/kexgsss.c |
1731 | new file mode 100644 | 1668 | new file mode 100644 |
1732 | index 0000000..6a0ece8 | 1669 | index 0000000..0847469 |
1733 | --- /dev/null | 1670 | --- /dev/null |
1734 | +++ b/kexgsss.c | 1671 | +++ b/kexgsss.c |
1735 | @@ -0,0 +1,290 @@ | 1672 | @@ -0,0 +1,295 @@ |
1736 | +/* | 1673 | +/* |
1737 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. | 1674 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. |
1738 | + * | 1675 | + * |
@@ -1779,11 +1716,12 @@ index 0000000..6a0ece8 | |||
1779 | +#include "monitor_wrap.h" | 1716 | +#include "monitor_wrap.h" |
1780 | +#include "misc.h" | 1717 | +#include "misc.h" |
1781 | +#include "servconf.h" | 1718 | +#include "servconf.h" |
1719 | +#include "digest.h" | ||
1782 | + | 1720 | + |
1783 | +extern ServerOptions options; | 1721 | +extern ServerOptions options; |
1784 | + | 1722 | + |
1785 | +void | 1723 | +int |
1786 | +kexgss_server(Kex *kex) | 1724 | +kexgss_server(struct ssh *ssh) |
1787 | +{ | 1725 | +{ |
1788 | + OM_uint32 maj_status, min_status; | 1726 | + OM_uint32 maj_status, min_status; |
1789 | + | 1727 | + |
@@ -1798,8 +1736,8 @@ index 0000000..6a0ece8 | |||
1798 | + gss_buffer_desc gssbuf, recv_tok, msg_tok; | 1736 | + gss_buffer_desc gssbuf, recv_tok, msg_tok; |
1799 | + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; | 1737 | + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; |
1800 | + Gssctxt *ctxt = NULL; | 1738 | + Gssctxt *ctxt = NULL; |
1801 | + u_int slen, klen, kout, hashlen; | 1739 | + u_int slen, klen, kout; |
1802 | + u_char *kbuf, *hash; | 1740 | + u_char *kbuf; |
1803 | + DH *dh; | 1741 | + DH *dh; |
1804 | + int min = -1, max = -1, nbits = -1; | 1742 | + int min = -1, max = -1, nbits = -1; |
1805 | + BIGNUM *shared_secret = NULL; | 1743 | + BIGNUM *shared_secret = NULL; |
@@ -1807,6 +1745,8 @@ index 0000000..6a0ece8 | |||
1807 | + int type = 0; | 1745 | + int type = 0; |
1808 | + gss_OID oid; | 1746 | + gss_OID oid; |
1809 | + char *mechs; | 1747 | + char *mechs; |
1748 | + u_char hash[SSH_DIGEST_MAX_LENGTH]; | ||
1749 | + size_t hashlen; | ||
1810 | + | 1750 | + |
1811 | + /* Initialise GSSAPI */ | 1751 | + /* Initialise GSSAPI */ |
1812 | + | 1752 | + |
@@ -1819,8 +1759,8 @@ index 0000000..6a0ece8 | |||
1819 | + free(mechs); | 1759 | + free(mechs); |
1820 | + } | 1760 | + } |
1821 | + | 1761 | + |
1822 | + debug2("%s: Identifying %s", __func__, kex->name); | 1762 | + debug2("%s: Identifying %s", __func__, ssh->kex->name); |
1823 | + oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type); | 1763 | + oid = ssh_gssapi_id_kex(NULL, ssh->kex->name, ssh->kex->kex_type); |
1824 | + if (oid == GSS_C_NO_OID) | 1764 | + if (oid == GSS_C_NO_OID) |
1825 | + fatal("Unknown gssapi mechanism"); | 1765 | + fatal("Unknown gssapi mechanism"); |
1826 | + | 1766 | + |
@@ -1829,7 +1769,7 @@ index 0000000..6a0ece8 | |||
1829 | + if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid)))) | 1769 | + if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid)))) |
1830 | + fatal("Unable to acquire credentials for the server"); | 1770 | + fatal("Unable to acquire credentials for the server"); |
1831 | + | 1771 | + |
1832 | + switch (kex->kex_type) { | 1772 | + switch (ssh->kex->kex_type) { |
1833 | + case KEX_GSS_GRP1_SHA1: | 1773 | + case KEX_GSS_GRP1_SHA1: |
1834 | + dh = dh_new_group1(); | 1774 | + dh = dh_new_group1(); |
1835 | + break; | 1775 | + break; |
@@ -1860,10 +1800,10 @@ index 0000000..6a0ece8 | |||
1860 | + packet_write_wait(); | 1800 | + packet_write_wait(); |
1861 | + break; | 1801 | + break; |
1862 | + default: | 1802 | + default: |
1863 | + fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); | 1803 | + fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type); |
1864 | + } | 1804 | + } |
1865 | + | 1805 | + |
1866 | + dh_gen_key(dh, kex->we_need * 8); | 1806 | + dh_gen_key(dh, ssh->kex->we_need * 8); |
1867 | + | 1807 | + |
1868 | + do { | 1808 | + do { |
1869 | + debug("Wait SSH2_MSG_GSSAPI_INIT"); | 1809 | + debug("Wait SSH2_MSG_GSSAPI_INIT"); |
@@ -1946,43 +1886,44 @@ index 0000000..6a0ece8 | |||
1946 | + memset(kbuf, 0, klen); | 1886 | + memset(kbuf, 0, klen); |
1947 | + free(kbuf); | 1887 | + free(kbuf); |
1948 | + | 1888 | + |
1949 | + switch (kex->kex_type) { | 1889 | + hashlen = sizeof(hash); |
1890 | + switch (ssh->kex->kex_type) { | ||
1950 | + case KEX_GSS_GRP1_SHA1: | 1891 | + case KEX_GSS_GRP1_SHA1: |
1951 | + case KEX_GSS_GRP14_SHA1: | 1892 | + case KEX_GSS_GRP14_SHA1: |
1952 | + kex_dh_hash( | 1893 | + kex_dh_hash( |
1953 | + kex->client_version_string, kex->server_version_string, | 1894 | + ssh->kex->client_version_string, ssh->kex->server_version_string, |
1954 | + buffer_ptr(&kex->peer), buffer_len(&kex->peer), | 1895 | + buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer), |
1955 | + buffer_ptr(&kex->my), buffer_len(&kex->my), | 1896 | + buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my), |
1956 | + NULL, 0, /* Change this if we start sending host keys */ | 1897 | + NULL, 0, /* Change this if we start sending host keys */ |
1957 | + dh_client_pub, dh->pub_key, shared_secret, | 1898 | + dh_client_pub, dh->pub_key, shared_secret, |
1958 | + &hash, &hashlen | 1899 | + hash, &hashlen |
1959 | + ); | 1900 | + ); |
1960 | + break; | 1901 | + break; |
1961 | + case KEX_GSS_GEX_SHA1: | 1902 | + case KEX_GSS_GEX_SHA1: |
1962 | + kexgex_hash( | 1903 | + kexgex_hash( |
1963 | + kex->hash_alg, | 1904 | + ssh->kex->hash_alg, |
1964 | + kex->client_version_string, kex->server_version_string, | 1905 | + ssh->kex->client_version_string, ssh->kex->server_version_string, |
1965 | + buffer_ptr(&kex->peer), buffer_len(&kex->peer), | 1906 | + buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer), |
1966 | + buffer_ptr(&kex->my), buffer_len(&kex->my), | 1907 | + buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my), |
1967 | + NULL, 0, | 1908 | + NULL, 0, |
1968 | + min, nbits, max, | 1909 | + min, nbits, max, |
1969 | + dh->p, dh->g, | 1910 | + dh->p, dh->g, |
1970 | + dh_client_pub, | 1911 | + dh_client_pub, |
1971 | + dh->pub_key, | 1912 | + dh->pub_key, |
1972 | + shared_secret, | 1913 | + shared_secret, |
1973 | + &hash, &hashlen | 1914 | + hash, &hashlen |
1974 | + ); | 1915 | + ); |
1975 | + break; | 1916 | + break; |
1976 | + default: | 1917 | + default: |
1977 | + fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); | 1918 | + fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type); |
1978 | + } | 1919 | + } |
1979 | + | 1920 | + |
1980 | + BN_clear_free(dh_client_pub); | 1921 | + BN_clear_free(dh_client_pub); |
1981 | + | 1922 | + |
1982 | + if (kex->session_id == NULL) { | 1923 | + if (ssh->kex->session_id == NULL) { |
1983 | + kex->session_id_len = hashlen; | 1924 | + ssh->kex->session_id_len = hashlen; |
1984 | + kex->session_id = xmalloc(kex->session_id_len); | 1925 | + ssh->kex->session_id = xmalloc(ssh->kex->session_id_len); |
1985 | + memcpy(kex->session_id, hash, kex->session_id_len); | 1926 | + memcpy(ssh->kex->session_id, hash, ssh->kex->session_id_len); |
1986 | + } | 1927 | + } |
1987 | + | 1928 | + |
1988 | + gssbuf.value = hash; | 1929 | + gssbuf.value = hash; |
@@ -2013,21 +1954,22 @@ index 0000000..6a0ece8 | |||
2013 | + | 1954 | + |
2014 | + DH_free(dh); | 1955 | + DH_free(dh); |
2015 | + | 1956 | + |
2016 | + kex_derive_keys_bn(kex, hash, hashlen, shared_secret); | 1957 | + kex_derive_keys_bn(ssh, hash, hashlen, shared_secret); |
2017 | + BN_clear_free(shared_secret); | 1958 | + BN_clear_free(shared_secret); |
2018 | + kex_finish(kex); | 1959 | + kex_send_newkeys(ssh); |
2019 | + | 1960 | + |
2020 | + /* If this was a rekey, then save out any delegated credentials we | 1961 | + /* If this was a rekey, then save out any delegated credentials we |
2021 | + * just exchanged. */ | 1962 | + * just exchanged. */ |
2022 | + if (options.gss_store_rekey) | 1963 | + if (options.gss_store_rekey) |
2023 | + ssh_gssapi_rekey_creds(); | 1964 | + ssh_gssapi_rekey_creds(); |
1965 | + return 0; | ||
2024 | +} | 1966 | +} |
2025 | +#endif /* GSSAPI */ | 1967 | +#endif /* GSSAPI */ |
2026 | diff --git a/monitor.c b/monitor.c | 1968 | diff --git a/monitor.c b/monitor.c |
2027 | index dbe29f1..b0896ef 100644 | 1969 | index bab6ce8..a2027e5 100644 |
2028 | --- a/monitor.c | 1970 | --- a/monitor.c |
2029 | +++ b/monitor.c | 1971 | +++ b/monitor.c |
2030 | @@ -178,6 +178,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); | 1972 | @@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); |
2031 | int mm_answer_gss_accept_ctx(int, Buffer *); | 1973 | int mm_answer_gss_accept_ctx(int, Buffer *); |
2032 | int mm_answer_gss_userok(int, Buffer *); | 1974 | int mm_answer_gss_userok(int, Buffer *); |
2033 | int mm_answer_gss_checkmic(int, Buffer *); | 1975 | int mm_answer_gss_checkmic(int, Buffer *); |
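Review bot: The return value of `kex_send_newkeys(ssh)` is dropped on the server side (new line `kex_send_newkeys(ssh);` followed by an unconditional `return 0;`), so a failed NEWKEYS send is reported to the caller as success, whereas the client side of the same patch does `return kex_send_newkeys(ssh);`; the result of `kex_derive_keys_bn()` is likewise unchecked here although both now return int. The new stack buffer `hash[SSH_DIGEST_MAX_LENGTH]` holds the exchange hash H (which also becomes the session id) and is never cleared before the function returns; as I read upstream 6.8's kexdhs.c, which this code mirrors, it wipes that buffer with explicit_bzero on every exit path. kexgss_server begins outside this hunk, so an `int r;` would need adding to its locals, and the plain `memset(kbuf, 0, klen)` before `free(kbuf)` in the unchanged part of the function deserves the same explicit_bzero treatment, since a memset immediately before free() may be elided by the compiler.
```c
	if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0)
		r = kex_send_newkeys(ssh);
	BN_clear_free(shared_secret);
	explicit_bzero(hash, sizeof(hash));
	if (r != 0)
		return r;
	/* … unchanged: gss_store_rekey credential save … */
	return 0;
```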
@@ -2036,7 +1978,7 @@ index dbe29f1..b0896ef 100644 | |||
2036 | #endif | 1978 | #endif |
2037 | 1979 | ||
2038 | #ifdef SSH_AUDIT_EVENTS | 1980 | #ifdef SSH_AUDIT_EVENTS |
2039 | @@ -255,11 +257,18 @@ struct mon_table mon_dispatch_proto20[] = { | 1981 | @@ -234,11 +236,18 @@ struct mon_table mon_dispatch_proto20[] = { |
2040 | {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, | 1982 | {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, |
2041 | {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, | 1983 | {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, |
2042 | {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, | 1984 | {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, |
@@ -2055,7 +1997,7 @@ index dbe29f1..b0896ef 100644 | |||
2055 | #ifdef WITH_OPENSSL | 1997 | #ifdef WITH_OPENSSL |
2056 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, | 1998 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, |
2057 | #endif | 1999 | #endif |
2058 | @@ -374,6 +383,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | 2000 | @@ -353,6 +362,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) |
2059 | /* Permit requests for moduli and signatures */ | 2001 | /* Permit requests for moduli and signatures */ |
2060 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 2002 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
2061 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 2003 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
@@ -2066,7 +2008,7 @@ index dbe29f1..b0896ef 100644 | |||
2066 | } else { | 2008 | } else { |
2067 | mon_dispatch = mon_dispatch_proto15; | 2009 | mon_dispatch = mon_dispatch_proto15; |
2068 | 2010 | ||
2069 | @@ -482,6 +495,10 @@ monitor_child_postauth(struct monitor *pmonitor) | 2011 | @@ -461,6 +474,10 @@ monitor_child_postauth(struct monitor *pmonitor) |
2070 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 2012 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
2071 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 2013 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
2072 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 2014 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
@@ -2077,21 +2019,21 @@ index dbe29f1..b0896ef 100644 | |||
2077 | } else { | 2019 | } else { |
2078 | mon_dispatch = mon_dispatch_postauth15; | 2020 | mon_dispatch = mon_dispatch_postauth15; |
2079 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 2021 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
2080 | @@ -1861,6 +1878,13 @@ mm_get_kex(Buffer *m) | 2022 | @@ -1860,6 +1877,13 @@ monitor_apply_keystate(struct monitor *pmonitor) |
2081 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; | 2023 | # endif |
2082 | #endif | 2024 | #endif /* WITH_OPENSSL */ |
2083 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | 2025 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; |
2084 | +#ifdef GSSAPI | 2026 | +#ifdef GSSAPI |
2085 | + if (options.gss_keyex) { | 2027 | + if (options.gss_keyex) { |
2086 | + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; | 2028 | + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; |
2087 | + kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server; | 2029 | + kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server; |
2088 | + kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server; | 2030 | + kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server; |
2089 | + } | 2031 | + } |
2090 | +#endif | 2032 | +#endif |
2091 | kex->server = 1; | 2033 | kex->load_host_public_key=&get_hostkey_public_by_type; |
2092 | kex->hostkey_type = buffer_get_int(m); | 2034 | kex->load_host_private_key=&get_hostkey_private_by_type; |
2093 | kex->kex_type = buffer_get_int(m); | 2035 | kex->host_key_index=&get_hostkey_index; |
2094 | @@ -2068,6 +2092,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) | 2036 | @@ -1959,6 +1983,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) |
2095 | OM_uint32 major; | 2037 | OM_uint32 major; |
2096 | u_int len; | 2038 | u_int len; |
2097 | 2039 | ||
@@ -2101,7 +2043,7 @@ index dbe29f1..b0896ef 100644 | |||
2101 | goid.elements = buffer_get_string(m, &len); | 2043 | goid.elements = buffer_get_string(m, &len); |
2102 | goid.length = len; | 2044 | goid.length = len; |
2103 | 2045 | ||
2104 | @@ -2095,6 +2122,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) | 2046 | @@ -1986,6 +2013,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) |
2105 | OM_uint32 flags = 0; /* GSI needs this */ | 2047 | OM_uint32 flags = 0; /* GSI needs this */ |
2106 | u_int len; | 2048 | u_int len; |
2107 | 2049 | ||
@@ -2111,7 +2053,7 @@ index dbe29f1..b0896ef 100644 | |||
2111 | in.value = buffer_get_string(m, &len); | 2053 | in.value = buffer_get_string(m, &len); |
2112 | in.length = len; | 2054 | in.length = len; |
2113 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); | 2055 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); |
2114 | @@ -2112,6 +2142,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) | 2056 | @@ -2003,6 +2033,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) |
2115 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); | 2057 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); |
2116 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); | 2058 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); |
2117 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); | 2059 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); |
@@ -2119,7 +2061,7 @@ index dbe29f1..b0896ef 100644 | |||
2119 | } | 2061 | } |
2120 | return (0); | 2062 | return (0); |
2121 | } | 2063 | } |
2122 | @@ -2123,6 +2154,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) | 2064 | @@ -2014,6 +2045,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) |
2123 | OM_uint32 ret; | 2065 | OM_uint32 ret; |
2124 | u_int len; | 2066 | u_int len; |
2125 | 2067 | ||
@@ -2129,7 +2071,7 @@ index dbe29f1..b0896ef 100644 | |||
2129 | gssbuf.value = buffer_get_string(m, &len); | 2071 | gssbuf.value = buffer_get_string(m, &len); |
2130 | gssbuf.length = len; | 2072 | gssbuf.length = len; |
2131 | mic.value = buffer_get_string(m, &len); | 2073 | mic.value = buffer_get_string(m, &len); |
2132 | @@ -2149,7 +2183,11 @@ mm_answer_gss_userok(int sock, Buffer *m) | 2074 | @@ -2040,7 +2074,11 @@ mm_answer_gss_userok(int sock, Buffer *m) |
2133 | { | 2075 | { |
2134 | int authenticated; | 2076 | int authenticated; |
2135 | 2077 | ||
@@ -2142,7 +2084,7 @@ index dbe29f1..b0896ef 100644 | |||
2142 | 2084 | ||
2143 | buffer_clear(m); | 2085 | buffer_clear(m); |
2144 | buffer_put_int(m, authenticated); | 2086 | buffer_put_int(m, authenticated); |
2145 | @@ -2162,5 +2200,73 @@ mm_answer_gss_userok(int sock, Buffer *m) | 2087 | @@ -2053,5 +2091,73 @@ mm_answer_gss_userok(int sock, Buffer *m) |
2146 | /* Monitor loop will terminate if authenticated */ | 2088 | /* Monitor loop will terminate if authenticated */ |
2147 | return (authenticated); | 2089 | return (authenticated); |
2148 | } | 2090 | } |
@@ -2217,7 +2159,7 @@ index dbe29f1..b0896ef 100644 | |||
2217 | #endif /* GSSAPI */ | 2159 | #endif /* GSSAPI */ |
2218 | 2160 | ||
2219 | diff --git a/monitor.h b/monitor.h | 2161 | diff --git a/monitor.h b/monitor.h |
2220 | index 5bc41b5..7f32b0c 100644 | 2162 | index 93b8b66..bc50ade 100644 |
2221 | --- a/monitor.h | 2163 | --- a/monitor.h |
2222 | +++ b/monitor.h | 2164 | +++ b/monitor.h |
2223 | @@ -65,6 +65,9 @@ enum monitor_reqtype { | 2165 | @@ -65,6 +65,9 @@ enum monitor_reqtype { |
@@ -2231,10 +2173,10 @@ index 5bc41b5..7f32b0c 100644 | |||
2231 | 2173 | ||
2232 | struct mm_master; | 2174 | struct mm_master; |
2233 | diff --git a/monitor_wrap.c b/monitor_wrap.c | 2175 | diff --git a/monitor_wrap.c b/monitor_wrap.c |
2234 | index 45dc169..e476f0d 100644 | 2176 | index b379f05..b667218 100644 |
2235 | --- a/monitor_wrap.c | 2177 | --- a/monitor_wrap.c |
2236 | +++ b/monitor_wrap.c | 2178 | +++ b/monitor_wrap.c |
2237 | @@ -1281,7 +1281,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) | 2179 | @@ -1068,7 +1068,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) |
2238 | } | 2180 | } |
2239 | 2181 | ||
2240 | int | 2182 | int |
@@ -2243,7 +2185,7 @@ index 45dc169..e476f0d 100644 | |||
2243 | { | 2185 | { |
2244 | Buffer m; | 2186 | Buffer m; |
2245 | int authenticated = 0; | 2187 | int authenticated = 0; |
2246 | @@ -1298,5 +1298,50 @@ mm_ssh_gssapi_userok(char *user) | 2188 | @@ -1085,5 +1085,50 @@ mm_ssh_gssapi_userok(char *user) |
2247 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); | 2189 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); |
2248 | return (authenticated); | 2190 | return (authenticated); |
2249 | } | 2191 | } |
@@ -2295,7 +2237,7 @@ index 45dc169..e476f0d 100644 | |||
2295 | #endif /* GSSAPI */ | 2237 | #endif /* GSSAPI */ |
2296 | 2238 | ||
2297 | diff --git a/monitor_wrap.h b/monitor_wrap.h | 2239 | diff --git a/monitor_wrap.h b/monitor_wrap.h |
2298 | index 18c2501..a4e9d24 100644 | 2240 | index e18784a..0c770e8 100644 |
2299 | --- a/monitor_wrap.h | 2241 | --- a/monitor_wrap.h |
2300 | +++ b/monitor_wrap.h | 2242 | +++ b/monitor_wrap.h |
2301 | @@ -58,8 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *); | 2243 | @@ -58,8 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *); |
@@ -2311,10 +2253,10 @@ index 18c2501..a4e9d24 100644 | |||
2311 | 2253 | ||
2312 | #ifdef USE_PAM | 2254 | #ifdef USE_PAM |
2313 | diff --git a/readconf.c b/readconf.c | 2255 | diff --git a/readconf.c b/readconf.c |
2314 | index 7948ce1..9127e93 100644 | 2256 | index 42a2961..254dbce 100644 |
2315 | --- a/readconf.c | 2257 | --- a/readconf.c |
2316 | +++ b/readconf.c | 2258 | +++ b/readconf.c |
2317 | @@ -142,6 +142,8 @@ typedef enum { | 2259 | @@ -147,6 +147,8 @@ typedef enum { |
2318 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, | 2260 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, |
2319 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, | 2261 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, |
2320 | oAddressFamily, oGssAuthentication, oGssDelegateCreds, | 2262 | oAddressFamily, oGssAuthentication, oGssDelegateCreds, |
@@ -2323,7 +2265,7 @@ index 7948ce1..9127e93 100644 | |||
2323 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, | 2265 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, |
2324 | oSendEnv, oControlPath, oControlMaster, oControlPersist, | 2266 | oSendEnv, oControlPath, oControlMaster, oControlPersist, |
2325 | oHashKnownHosts, | 2267 | oHashKnownHosts, |
2326 | @@ -185,10 +187,19 @@ static struct { | 2268 | @@ -191,10 +193,19 @@ static struct { |
2327 | { "afstokenpassing", oUnsupported }, | 2269 | { "afstokenpassing", oUnsupported }, |
2328 | #if defined(GSSAPI) | 2270 | #if defined(GSSAPI) |
2329 | { "gssapiauthentication", oGssAuthentication }, | 2271 | { "gssapiauthentication", oGssAuthentication }, |
@@ -2343,7 +2285,7 @@ index 7948ce1..9127e93 100644 | |||
2343 | #endif | 2285 | #endif |
2344 | { "fallbacktorsh", oDeprecated }, | 2286 | { "fallbacktorsh", oDeprecated }, |
2345 | { "usersh", oDeprecated }, | 2287 | { "usersh", oDeprecated }, |
2346 | @@ -865,10 +876,30 @@ parse_time: | 2288 | @@ -892,10 +903,30 @@ parse_time: |
2347 | intptr = &options->gss_authentication; | 2289 | intptr = &options->gss_authentication; |
2348 | goto parse_flag; | 2290 | goto parse_flag; |
2349 | 2291 | ||
@@ -2374,7 +2316,7 @@ index 7948ce1..9127e93 100644 | |||
2374 | case oBatchMode: | 2316 | case oBatchMode: |
2375 | intptr = &options->batch_mode; | 2317 | intptr = &options->batch_mode; |
2376 | goto parse_flag; | 2318 | goto parse_flag; |
2377 | @@ -1538,7 +1569,12 @@ initialize_options(Options * options) | 2319 | @@ -1601,7 +1632,12 @@ initialize_options(Options * options) |
2378 | options->pubkey_authentication = -1; | 2320 | options->pubkey_authentication = -1; |
2379 | options->challenge_response_authentication = -1; | 2321 | options->challenge_response_authentication = -1; |
2380 | options->gss_authentication = -1; | 2322 | options->gss_authentication = -1; |
@@ -2387,7 +2329,7 @@ index 7948ce1..9127e93 100644 | |||
2387 | options->password_authentication = -1; | 2329 | options->password_authentication = -1; |
2388 | options->kbd_interactive_authentication = -1; | 2330 | options->kbd_interactive_authentication = -1; |
2389 | options->kbd_interactive_devices = NULL; | 2331 | options->kbd_interactive_devices = NULL; |
2390 | @@ -1661,8 +1697,14 @@ fill_default_options(Options * options) | 2332 | @@ -1728,8 +1764,14 @@ fill_default_options(Options * options) |
2391 | options->challenge_response_authentication = 1; | 2333 | options->challenge_response_authentication = 1; |
2392 | if (options->gss_authentication == -1) | 2334 | if (options->gss_authentication == -1) |
2393 | options->gss_authentication = 0; | 2335 | options->gss_authentication = 0; |
@@ -2403,7 +2345,7 @@ index 7948ce1..9127e93 100644 | |||
2403 | options->password_authentication = 1; | 2345 | options->password_authentication = 1; |
2404 | if (options->kbd_interactive_authentication == -1) | 2346 | if (options->kbd_interactive_authentication == -1) |
2405 | diff --git a/readconf.h b/readconf.h | 2347 | diff --git a/readconf.h b/readconf.h |
2406 | index 0b9cb77..0e29889 100644 | 2348 | index 576b9e3..ef39c4c 100644 |
2407 | --- a/readconf.h | 2349 | --- a/readconf.h |
2408 | +++ b/readconf.h | 2350 | +++ b/readconf.h |
2409 | @@ -45,7 +45,12 @@ typedef struct { | 2351 | @@ -45,7 +45,12 @@ typedef struct { |
@@ -2420,10 +2362,10 @@ index 0b9cb77..0e29889 100644 | |||
2420 | * authentication. */ | 2362 | * authentication. */ |
2421 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | 2363 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
2422 | diff --git a/servconf.c b/servconf.c | 2364 | diff --git a/servconf.c b/servconf.c |
2423 | index b7f3294..cb3c831 100644 | 2365 | index 3185462..f68c0d0 100644 |
2424 | --- a/servconf.c | 2366 | --- a/servconf.c |
2425 | +++ b/servconf.c | 2367 | +++ b/servconf.c |
2426 | @@ -109,7 +109,10 @@ initialize_server_options(ServerOptions *options) | 2368 | @@ -114,7 +114,10 @@ initialize_server_options(ServerOptions *options) |
2427 | options->kerberos_ticket_cleanup = -1; | 2369 | options->kerberos_ticket_cleanup = -1; |
2428 | options->kerberos_get_afs_token = -1; | 2370 | options->kerberos_get_afs_token = -1; |
2429 | options->gss_authentication=-1; | 2371 | options->gss_authentication=-1; |
@@ -2434,7 +2376,7 @@ index b7f3294..cb3c831 100644 | |||
2434 | options->password_authentication = -1; | 2376 | options->password_authentication = -1; |
2435 | options->kbd_interactive_authentication = -1; | 2377 | options->kbd_interactive_authentication = -1; |
2436 | options->challenge_response_authentication = -1; | 2378 | options->challenge_response_authentication = -1; |
2437 | @@ -250,8 +253,14 @@ fill_default_server_options(ServerOptions *options) | 2379 | @@ -269,8 +272,14 @@ fill_default_server_options(ServerOptions *options) |
2438 | options->kerberos_get_afs_token = 0; | 2380 | options->kerberos_get_afs_token = 0; |
2439 | if (options->gss_authentication == -1) | 2381 | if (options->gss_authentication == -1) |
2440 | options->gss_authentication = 0; | 2382 | options->gss_authentication = 0; |
@@ -2449,10 +2391,10 @@ index b7f3294..cb3c831 100644 | |||
2449 | if (options->password_authentication == -1) | 2391 | if (options->password_authentication == -1) |
2450 | options->password_authentication = 1; | 2392 | options->password_authentication = 1; |
2451 | if (options->kbd_interactive_authentication == -1) | 2393 | if (options->kbd_interactive_authentication == -1) |
2452 | @@ -352,7 +361,9 @@ typedef enum { | 2394 | @@ -391,7 +400,9 @@ typedef enum { |
2453 | sBanner, sUseDNS, sHostbasedAuthentication, | 2395 | sBanner, sUseDNS, sHostbasedAuthentication, |
2454 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, | 2396 | sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, |
2455 | sClientAliveCountMax, sAuthorizedKeysFile, | 2397 | sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, |
2456 | - sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, | 2398 | - sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, |
2457 | + sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, | 2399 | + sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, |
2458 | + sGssKeyEx, sGssStoreRekey, | 2400 | + sGssKeyEx, sGssStoreRekey, |
@@ -2460,7 +2402,7 @@ index b7f3294..cb3c831 100644 | |||
2460 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, | 2402 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
2461 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 2403 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
2462 | sHostCertificate, | 2404 | sHostCertificate, |
2463 | @@ -421,10 +432,20 @@ static struct { | 2405 | @@ -462,10 +473,20 @@ static struct { |
2464 | #ifdef GSSAPI | 2406 | #ifdef GSSAPI |
2465 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | 2407 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
2466 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | 2408 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
@@ -2481,7 +2423,7 @@ index b7f3294..cb3c831 100644 | |||
2481 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | 2423 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
2482 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | 2424 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
2483 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, | 2425 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, |
2484 | @@ -1104,10 +1125,22 @@ process_server_config_line(ServerOptions *options, char *line, | 2426 | @@ -1166,10 +1187,22 @@ process_server_config_line(ServerOptions *options, char *line, |
2485 | intptr = &options->gss_authentication; | 2427 | intptr = &options->gss_authentication; |
2486 | goto parse_flag; | 2428 | goto parse_flag; |
2487 | 2429 | ||
@@ -2504,7 +2446,7 @@ index b7f3294..cb3c831 100644 | |||
2504 | case sPasswordAuthentication: | 2446 | case sPasswordAuthentication: |
2505 | intptr = &options->password_authentication; | 2447 | intptr = &options->password_authentication; |
2506 | goto parse_flag; | 2448 | goto parse_flag; |
2507 | @@ -2042,7 +2075,10 @@ dump_config(ServerOptions *o) | 2449 | @@ -2125,7 +2158,10 @@ dump_config(ServerOptions *o) |
2508 | #endif | 2450 | #endif |
2509 | #ifdef GSSAPI | 2451 | #ifdef GSSAPI |
2510 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | 2452 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
@@ -2516,10 +2458,10 @@ index b7f3294..cb3c831 100644 | |||
2516 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); | 2458 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); |
2517 | dump_cfg_fmtint(sKbdInteractiveAuthentication, | 2459 | dump_cfg_fmtint(sKbdInteractiveAuthentication, |
2518 | diff --git a/servconf.h b/servconf.h | 2460 | diff --git a/servconf.h b/servconf.h |
2519 | index 766db3a..f8265a8 100644 | 2461 | index 9922f0c..d2ed4d7 100644 |
2520 | --- a/servconf.h | 2462 | --- a/servconf.h |
2521 | +++ b/servconf.h | 2463 | +++ b/servconf.h |
2522 | @@ -113,7 +113,10 @@ typedef struct { | 2464 | @@ -115,7 +115,10 @@ typedef struct { |
2523 | int kerberos_get_afs_token; /* If true, try to get AFS token if | 2465 | int kerberos_get_afs_token; /* If true, try to get AFS token if |
2524 | * authenticated with Kerberos. */ | 2466 | * authenticated with Kerberos. */ |
2525 | int gss_authentication; /* If true, permit GSSAPI authentication */ | 2467 | int gss_authentication; /* If true, permit GSSAPI authentication */ |
@@ -2647,10 +2589,10 @@ index 03a228f..228e5ab 100644 | |||
2647 | # CheckHostIP yes | 2589 | # CheckHostIP yes |
2648 | # AddressFamily any | 2590 | # AddressFamily any |
2649 | diff --git a/ssh_config.5 b/ssh_config.5 | 2591 | diff --git a/ssh_config.5 b/ssh_config.5 |
2650 | index f9ede7a..e6649ac 100644 | 2592 | index 140d0ba..4476171 100644 |
2651 | --- a/ssh_config.5 | 2593 | --- a/ssh_config.5 |
2652 | +++ b/ssh_config.5 | 2594 | +++ b/ssh_config.5 |
2653 | @@ -701,11 +701,43 @@ Specifies whether user authentication based on GSSAPI is allowed. | 2595 | @@ -743,11 +743,43 @@ Specifies whether user authentication based on GSSAPI is allowed. |
2654 | The default is | 2596 | The default is |
2655 | .Dq no . | 2597 | .Dq no . |
2656 | Note that this option applies to protocol version 2 only. | 2598 | Note that this option applies to protocol version 2 only. |
@@ -2696,12 +2638,12 @@ index f9ede7a..e6649ac 100644 | |||
2696 | Indicates that | 2638 | Indicates that |
2697 | .Xr ssh 1 | 2639 | .Xr ssh 1 |
2698 | diff --git a/sshconnect2.c b/sshconnect2.c | 2640 | diff --git a/sshconnect2.c b/sshconnect2.c |
2699 | index 68f7f4f..7b478f1 100644 | 2641 | index ba56f64..faa8ec5 100644 |
2700 | --- a/sshconnect2.c | 2642 | --- a/sshconnect2.c |
2701 | +++ b/sshconnect2.c | 2643 | +++ b/sshconnect2.c |
2702 | @@ -159,9 +159,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | 2644 | @@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
2703 | char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; | 2645 | struct kex *kex; |
2704 | Kex *kex; | 2646 | int r; |
2705 | 2647 | ||
2706 | +#ifdef GSSAPI | 2648 | +#ifdef GSSAPI |
2707 | + char *orig = NULL, *gss = NULL; | 2649 | + char *orig = NULL, *gss = NULL; |
@@ -2734,7 +2676,7 @@ index 68f7f4f..7b478f1 100644 | |||
2734 | if (options.ciphers == (char *)-1) { | 2676 | if (options.ciphers == (char *)-1) { |
2735 | logit("No valid ciphers for protocol version 2 given, using defaults."); | 2677 | logit("No valid ciphers for protocol version 2 given, using defaults."); |
2736 | options.ciphers = NULL; | 2678 | options.ciphers = NULL; |
2737 | @@ -199,6 +224,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | 2679 | @@ -200,6 +225,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
2738 | myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( | 2680 | myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( |
2739 | myproposal[PROPOSAL_KEX_ALGS]); | 2681 | myproposal[PROPOSAL_KEX_ALGS]); |
2740 | 2682 | ||
@@ -2752,8 +2694,8 @@ index 68f7f4f..7b478f1 100644 | |||
2752 | if (options.rekey_limit || options.rekey_interval) | 2694 | if (options.rekey_limit || options.rekey_interval) |
2753 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, | 2695 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, |
2754 | (time_t)options.rekey_interval); | 2696 | (time_t)options.rekey_interval); |
2755 | @@ -213,10 +249,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | 2697 | @@ -218,10 +254,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
2756 | kex->kex[KEX_ECDH_SHA2] = kexecdh_client; | 2698 | # endif |
2757 | #endif | 2699 | #endif |
2758 | kex->kex[KEX_C25519_SHA256] = kexc25519_client; | 2700 | kex->kex[KEX_C25519_SHA256] = kexc25519_client; |
2759 | +#ifdef GSSAPI | 2701 | +#ifdef GSSAPI |
@@ -2780,18 +2722,18 @@ index 68f7f4f..7b478f1 100644 | |||
2780 | + } | 2722 | + } |
2781 | +#endif | 2723 | +#endif |
2782 | + | 2724 | + |
2783 | xxx_kex = kex; | 2725 | dispatch_run(DISPATCH_BLOCK, &kex->done, active_state); |
2784 | 2726 | ||
2785 | dispatch_run(DISPATCH_BLOCK, &kex->done, kex); | 2727 | if (options.use_roaming && !kex->roaming) { |
2786 | @@ -306,6 +362,7 @@ void input_gssapi_token(int type, u_int32_t, void *); | 2728 | @@ -313,6 +369,7 @@ int input_gssapi_token(int type, u_int32_t, void *); |
2787 | void input_gssapi_hash(int type, u_int32_t, void *); | 2729 | int input_gssapi_hash(int type, u_int32_t, void *); |
2788 | void input_gssapi_error(int, u_int32_t, void *); | 2730 | int input_gssapi_error(int, u_int32_t, void *); |
2789 | void input_gssapi_errtok(int, u_int32_t, void *); | 2731 | int input_gssapi_errtok(int, u_int32_t, void *); |
2790 | +int userauth_gsskeyex(Authctxt *authctxt); | 2732 | +int userauth_gsskeyex(Authctxt *authctxt); |
2791 | #endif | 2733 | #endif |
2792 | 2734 | ||
2793 | void userauth(Authctxt *, char *); | 2735 | void userauth(Authctxt *, char *); |
2794 | @@ -321,6 +378,11 @@ static char *authmethods_get(void); | 2736 | @@ -328,6 +385,11 @@ static char *authmethods_get(void); |
2795 | 2737 | ||
2796 | Authmethod authmethods[] = { | 2738 | Authmethod authmethods[] = { |
2797 | #ifdef GSSAPI | 2739 | #ifdef GSSAPI |
@@ -2803,7 +2745,7 @@ index 68f7f4f..7b478f1 100644 | |||
2803 | {"gssapi-with-mic", | 2745 | {"gssapi-with-mic", |
2804 | userauth_gssapi, | 2746 | userauth_gssapi, |
2805 | NULL, | 2747 | NULL, |
2806 | @@ -617,19 +679,31 @@ userauth_gssapi(Authctxt *authctxt) | 2748 | @@ -634,19 +696,31 @@ userauth_gssapi(Authctxt *authctxt) |
2807 | static u_int mech = 0; | 2749 | static u_int mech = 0; |
2808 | OM_uint32 min; | 2750 | OM_uint32 min; |
2809 | int ok = 0; | 2751 | int ok = 0; |
@@ -2837,7 +2779,7 @@ index 68f7f4f..7b478f1 100644 | |||
2837 | ok = 1; /* Mechanism works */ | 2779 | ok = 1; /* Mechanism works */ |
2838 | } else { | 2780 | } else { |
2839 | mech++; | 2781 | mech++; |
2840 | @@ -726,8 +800,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) | 2782 | @@ -743,8 +817,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) |
2841 | { | 2783 | { |
2842 | Authctxt *authctxt = ctxt; | 2784 | Authctxt *authctxt = ctxt; |
2843 | Gssctxt *gssctxt; | 2785 | Gssctxt *gssctxt; |
@@ -2848,9 +2790,9 @@ index 68f7f4f..7b478f1 100644 | |||
2848 | 2790 | ||
2849 | if (authctxt == NULL) | 2791 | if (authctxt == NULL) |
2850 | fatal("input_gssapi_response: no authentication context"); | 2792 | fatal("input_gssapi_response: no authentication context"); |
2851 | @@ -836,6 +910,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) | 2793 | @@ -857,6 +931,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) |
2852 | free(msg); | ||
2853 | free(lang); | 2794 | free(lang); |
2795 | return 0; | ||
2854 | } | 2796 | } |
2855 | + | 2797 | + |
2856 | +int | 2798 | +int |
@@ -2898,12 +2840,12 @@ index 68f7f4f..7b478f1 100644 | |||
2898 | 2840 | ||
2899 | int | 2841 | int |
2900 | diff --git a/sshd.c b/sshd.c | 2842 | diff --git a/sshd.c b/sshd.c |
2901 | index 481d001..e6706a8 100644 | 2843 | index e1c767c..cf38bae 100644 |
2902 | --- a/sshd.c | 2844 | --- a/sshd.c |
2903 | +++ b/sshd.c | 2845 | +++ b/sshd.c |
2904 | @@ -123,6 +123,10 @@ | 2846 | @@ -125,6 +125,10 @@ |
2905 | #include "ssh-sandbox.h" | ||
2906 | #include "version.h" | 2847 | #include "version.h" |
2848 | #include "ssherr.h" | ||
2907 | 2849 | ||
2908 | +#ifdef USE_SECURITY_SESSION_API | 2850 | +#ifdef USE_SECURITY_SESSION_API |
2909 | +#include <Security/AuthSession.h> | 2851 | +#include <Security/AuthSession.h> |
@@ -2912,7 +2854,7 @@ index 481d001..e6706a8 100644 | |||
2912 | #ifndef O_NOCTTY | 2854 | #ifndef O_NOCTTY |
2913 | #define O_NOCTTY 0 | 2855 | #define O_NOCTTY 0 |
2914 | #endif | 2856 | #endif |
2915 | @@ -1745,10 +1749,13 @@ main(int ac, char **av) | 2857 | @@ -1815,10 +1819,13 @@ main(int ac, char **av) |
2916 | logit("Disabling protocol version 1. Could not load host key"); | 2858 | logit("Disabling protocol version 1. Could not load host key"); |
2917 | options.protocol &= ~SSH_PROTO_1; | 2859 | options.protocol &= ~SSH_PROTO_1; |
2918 | } | 2860 | } |
@@ -2926,7 +2868,7 @@ index 481d001..e6706a8 100644 | |||
2926 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { | 2868 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { |
2927 | logit("sshd: no hostkeys available -- exiting."); | 2869 | logit("sshd: no hostkeys available -- exiting."); |
2928 | exit(1); | 2870 | exit(1); |
2929 | @@ -2060,6 +2067,60 @@ main(int ac, char **av) | 2871 | @@ -2132,6 +2139,60 @@ main(int ac, char **av) |
2930 | remote_ip, remote_port, | 2872 | remote_ip, remote_port, |
2931 | get_local_ipaddr(sock_in), get_local_port()); | 2873 | get_local_ipaddr(sock_in), get_local_port()); |
2932 | 2874 | ||
@@ -2987,7 +2929,7 @@ index 481d001..e6706a8 100644 | |||
2987 | /* | 2929 | /* |
2988 | * We don't want to listen forever unless the other side | 2930 | * We don't want to listen forever unless the other side |
2989 | * successfully authenticates itself. So we set up an alarm which is | 2931 | * successfully authenticates itself. So we set up an alarm which is |
2990 | @@ -2482,6 +2543,48 @@ do_ssh2_kex(void) | 2932 | @@ -2561,6 +2622,48 @@ do_ssh2_kex(void) |
2991 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( | 2933 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( |
2992 | list_hostkey_types()); | 2934 | list_hostkey_types()); |
2993 | 2935 | ||
@@ -3034,10 +2976,10 @@ index 481d001..e6706a8 100644 | |||
3034 | +#endif | 2976 | +#endif |
3035 | + | 2977 | + |
3036 | /* start key exchange */ | 2978 | /* start key exchange */ |
3037 | kex = kex_setup(myproposal); | 2979 | if ((r = kex_setup(active_state, myproposal)) != 0) |
3038 | #ifdef WITH_OPENSSL | 2980 | fatal("kex_setup: %s", ssh_err(r)); |
3039 | @@ -2492,6 +2595,13 @@ do_ssh2_kex(void) | 2981 | @@ -2575,6 +2678,13 @@ do_ssh2_kex(void) |
3040 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; | 2982 | # endif |
3041 | #endif | 2983 | #endif |
3042 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | 2984 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; |
3043 | +#ifdef GSSAPI | 2985 | +#ifdef GSSAPI |
@@ -3051,7 +2993,7 @@ index 481d001..e6706a8 100644 | |||
3051 | kex->client_version_string=client_version_string; | 2993 | kex->client_version_string=client_version_string; |
3052 | kex->server_version_string=server_version_string; | 2994 | kex->server_version_string=server_version_string; |
3053 | diff --git a/sshd_config b/sshd_config | 2995 | diff --git a/sshd_config b/sshd_config |
3054 | index e9045bc..d9b8594 100644 | 2996 | index c9042ac..a71ad19 100644 |
3055 | --- a/sshd_config | 2997 | --- a/sshd_config |
3056 | +++ b/sshd_config | 2998 | +++ b/sshd_config |
3057 | @@ -84,6 +84,8 @@ AuthorizedKeysFile .ssh/authorized_keys | 2999 | @@ -84,6 +84,8 @@ AuthorizedKeysFile .ssh/authorized_keys |
@@ -3064,10 +3006,10 @@ index e9045bc..d9b8594 100644 | |||
3064 | # Set this to 'yes' to enable PAM authentication, account processing, | 3006 | # Set this to 'yes' to enable PAM authentication, account processing, |
3065 | # and session processing. If this is enabled, PAM authentication will | 3007 | # and session processing. If this is enabled, PAM authentication will |
3066 | diff --git a/sshd_config.5 b/sshd_config.5 | 3008 | diff --git a/sshd_config.5 b/sshd_config.5 |
3067 | index fd44abe..c8b43da 100644 | 3009 | index 6dce0c7..0331496 100644 |
3068 | --- a/sshd_config.5 | 3010 | --- a/sshd_config.5 |
3069 | +++ b/sshd_config.5 | 3011 | +++ b/sshd_config.5 |
3070 | @@ -527,12 +527,40 @@ Specifies whether user authentication based on GSSAPI is allowed. | 3012 | @@ -564,12 +564,40 @@ Specifies whether user authentication based on GSSAPI is allowed. |
3071 | The default is | 3013 | The default is |
3072 | .Dq no . | 3014 | .Dq no . |
3073 | Note that this option applies to protocol version 2 only. | 3015 | Note that this option applies to protocol version 2 only. |
@@ -3105,14 +3047,14 @@ index fd44abe..c8b43da 100644 | |||
3105 | +successful connection rekeying. This option can be used to accepted renewed | 3047 | +successful connection rekeying. This option can be used to accepted renewed |
3106 | +or updated credentials from a compatible client. The default is | 3048 | +or updated credentials from a compatible client. The default is |
3107 | +.Dq no . | 3049 | +.Dq no . |
3108 | .It Cm HostbasedAuthentication | 3050 | .It Cm HostbasedAcceptedKeyTypes |
3109 | Specifies whether rhosts or /etc/hosts.equiv authentication together | 3051 | Specifies the key types that will be accepted for hostbased authentication |
3110 | with successful public key client host authentication is allowed | 3052 | as a comma-separated pattern list. |
3111 | diff --git a/sshkey.c b/sshkey.c | 3053 | diff --git a/sshkey.c b/sshkey.c |
3112 | index fdd0c8a..1a96eae 100644 | 3054 | index 4768790..cd5992e 100644 |
3113 | --- a/sshkey.c | 3055 | --- a/sshkey.c |
3114 | +++ b/sshkey.c | 3056 | +++ b/sshkey.c |
3115 | @@ -110,6 +110,7 @@ static const struct keytype keytypes[] = { | 3057 | @@ -116,6 +116,7 @@ static const struct keytype keytypes[] = { |
3116 | { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", | 3058 | { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", |
3117 | KEY_DSA_CERT_V00, 0, 1 }, | 3059 | KEY_DSA_CERT_V00, 0, 1 }, |
3118 | #endif /* WITH_OPENSSL */ | 3060 | #endif /* WITH_OPENSSL */ |
@@ -3120,7 +3062,7 @@ index fdd0c8a..1a96eae 100644 | |||
3120 | { NULL, NULL, -1, -1, 0 } | 3062 | { NULL, NULL, -1, -1, 0 } |
3121 | }; | 3063 | }; |
3122 | 3064 | ||
3123 | @@ -198,7 +199,7 @@ key_alg_list(int certs_only, int plain_only) | 3065 | @@ -204,7 +205,7 @@ key_alg_list(int certs_only, int plain_only) |
3124 | const struct keytype *kt; | 3066 | const struct keytype *kt; |
3125 | 3067 | ||
3126 | for (kt = keytypes; kt->type != -1; kt++) { | 3068 | for (kt = keytypes; kt->type != -1; kt++) { |
@@ -3130,7 +3072,7 @@ index fdd0c8a..1a96eae 100644 | |||
3130 | if ((certs_only && !kt->cert) || (plain_only && kt->cert)) | 3072 | if ((certs_only && !kt->cert) || (plain_only && kt->cert)) |
3131 | continue; | 3073 | continue; |
3132 | diff --git a/sshkey.h b/sshkey.h | 3074 | diff --git a/sshkey.h b/sshkey.h |
3133 | index 450b30c..b573e7f 100644 | 3075 | index 62c1c3e..9314e85 100644 |
3134 | --- a/sshkey.h | 3076 | --- a/sshkey.h |
3135 | +++ b/sshkey.h | 3077 | +++ b/sshkey.h |
3136 | @@ -64,6 +64,7 @@ enum sshkey_types { | 3078 | @@ -64,6 +64,7 @@ enum sshkey_types { |