GSSAPI key exchange support

This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2015-09-17 Patch-Name: gssapi.patch
author: Simon Wilkinson <simon@sxw.org.uk> 2014-02-09 16:09:48 +0000
committer: Colin Watson <cjwatson@debian.org> 2015-09-17 13:52:32 +0100
commit: 70b18066d3921277861e98902c9cf41a10ac6898 (patch)
tree: 0bfe9fa4fee0c290b5ff1bc1c2977048beecd37b /kexgssc.c
parent: 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 (diff)
1 files changed, 336 insertions, 0 deletions
diff --git a/kexgssc.c b/kexgssc.c
new file mode 100644
index 000000000..a49bac295
--- /dev/null
+++ b/kexgssc.c
@@ -0,0 +1,336 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "includes.h"
+#ifdef GSSAPI
+#include "includes.h"
+#include <openssl/crypto.h>
+#include <openssl/bn.h>
+#include <string.h>
+#include "xmalloc.h"
+#include "buffer.h"
+#include "ssh2.h"
+#include "key.h"
+#include "cipher.h"
+#include "kex.h"
+#include "log.h"
+#include "packet.h"
+#include "dh.h"
+#include "digest.h"
+#include "ssh-gss.h"
+int
+kexgss_client(struct ssh *ssh) {
+        gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
+        gss_buffer_desc recv_tok, gssbuf, msg_tok, *token_ptr;
+        Gssctxt *ctxt;
+        OM_uint32 maj_status, min_status, ret_flags;
+        u_int klen, kout, slen = 0, strlen;
+        DH *dh; 
+        BIGNUM *dh_server_pub = NULL;
+        BIGNUM *shared_secret = NULL;
+        BIGNUM *p = NULL;
+        BIGNUM *g = NULL;       
+        u_char *kbuf;
+        u_char *serverhostkey = NULL;
+        u_char *empty = "";
+        char *msg;
+        int type = 0;
+        int first = 1;
+        int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX;
+        u_char hash[SSH_DIGEST_MAX_LENGTH];
+        size_t hashlen;
+        /* Initialise our GSSAPI world */       
+        ssh_gssapi_build_ctx(&ctxt);
+        if (ssh_gssapi_id_kex(ctxt, ssh->kex->name, ssh->kex->kex_type) 
+            == GSS_C_NO_OID)
+                fatal("Couldn't identify host exchange");
+        if (ssh_gssapi_import_name(ctxt, ssh->kex->gss_host))
+                fatal("Couldn't import hostname");
+        if (ssh->kex->gss_client && 
+            ssh_gssapi_client_identity(ctxt, ssh->kex->gss_client))
+                fatal("Couldn't acquire client credentials");
+        switch (ssh->kex->kex_type) {
+        case KEX_GSS_GRP1_SHA1:
+                dh = dh_new_group1();
+                break;
+        case KEX_GSS_GRP14_SHA1:
+                dh = dh_new_group14();
+                break;
+        case KEX_GSS_GEX_SHA1:
+                debug("Doing group exchange\n");
+                nbits = dh_estimate(ssh->kex->we_need * 8);
+                packet_start(SSH2_MSG_KEXGSS_GROUPREQ);
+                packet_put_int(min);
+                packet_put_int(nbits);
+                packet_put_int(max);
+                packet_send();
+                packet_read_expect(SSH2_MSG_KEXGSS_GROUP);
+                if ((p = BN_new()) == NULL)
+                        fatal("BN_new() failed");
+                packet_get_bignum2(p);
+                if ((g = BN_new()) == NULL)
+                        fatal("BN_new() failed");
+                packet_get_bignum2(g);
+                packet_check_eom();
+                if (BN_num_bits(p) < min || BN_num_bits(p) > max)
+                        fatal("GSSGRP_GEX group out of range: %d !< %d !< %d",
+                            min, BN_num_bits(p), max);
+                dh = dh_new_group(g, p);
+                break;
+        default:
+                fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
+        }
+        
+        /* Step 1 - e is dh->pub_key */
+        dh_gen_key(dh, ssh->kex->we_need * 8);
+        /* This is f, we initialise it now to make life easier */
+        dh_server_pub = BN_new();
+        if (dh_server_pub == NULL)
+                fatal("dh_server_pub == NULL");
+        token_ptr = GSS_C_NO_BUFFER;
+                         
+        do {
+                debug("Calling gss_init_sec_context");
+                
+                maj_status = ssh_gssapi_init_ctx(ctxt,
+                    ssh->kex->gss_deleg_creds, token_ptr, &send_tok,
+                    &ret_flags);
+                if (GSS_ERROR(maj_status)) {
+                        if (send_tok.length != 0) {
+                                packet_start(SSH2_MSG_KEXGSS_CONTINUE);
+                                packet_put_string(send_tok.value,
+                                    send_tok.length);
+                        }
+                        fatal("gss_init_context failed");
+                }
+                /* If we've got an old receive buffer get rid of it */
+                if (token_ptr != GSS_C_NO_BUFFER)
+                        free(recv_tok.value);
+                if (maj_status == GSS_S_COMPLETE) {
+                        /* If mutual state flag is not true, kex fails */
+                        if (!(ret_flags & GSS_C_MUTUAL_FLAG))
+                                fatal("Mutual authentication failed");
+                        /* If integ avail flag is not true kex fails */
+                        if (!(ret_flags & GSS_C_INTEG_FLAG))
+                                fatal("Integrity check failed");
+                }
+                /* 
+                 * If we have data to send, then the last message that we
+                 * received cannot have been a 'complete'. 
+                 */
+                if (send_tok.length != 0) {
+                        if (first) {
+                                packet_start(SSH2_MSG_KEXGSS_INIT);
+                                packet_put_string(send_tok.value,
+                                    send_tok.length);
+                                packet_put_bignum2(dh->pub_key);
+                                first = 0;
+                        } else {
+                                packet_start(SSH2_MSG_KEXGSS_CONTINUE);
+                                packet_put_string(send_tok.value,
+                                    send_tok.length);
+                        }
+                        packet_send();
+                        gss_release_buffer(&min_status, &send_tok);
+                        /* If we've sent them data, they should reply */
+                        do {    
+                                type = packet_read();
+                                if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
+                                        debug("Received KEXGSS_HOSTKEY");
+                                        if (serverhostkey)
+                                                fatal("Server host key received more than once");
+                                        serverhostkey = 
+                                            packet_get_string(&slen);
+                                }
+                        } while (type == SSH2_MSG_KEXGSS_HOSTKEY);
+                        switch (type) {
+                        case SSH2_MSG_KEXGSS_CONTINUE:
+                                debug("Received GSSAPI_CONTINUE");
+                                if (maj_status == GSS_S_COMPLETE) 
+                                        fatal("GSSAPI Continue received from server when complete");
+                                recv_tok.value = packet_get_string(&strlen);
+                                recv_tok.length = strlen; 
+                                break;
+                        case SSH2_MSG_KEXGSS_COMPLETE:
+                                debug("Received GSSAPI_COMPLETE");
+                                packet_get_bignum2(dh_server_pub);
+                                msg_tok.value =  packet_get_string(&strlen);
+                                msg_tok.length = strlen; 
+                                /* Is there a token included? */
+                                if (packet_get_char()) {
+                                        recv_tok.value=
+                                            packet_get_string(&strlen);
+                                        recv_tok.length = strlen;
+                                        /* If we're already complete - protocol error */
+                                        if (maj_status == GSS_S_COMPLETE)
+                                                packet_disconnect("Protocol error: received token when complete");
+                                        } else {
+                                                /* No token included */
+                                                if (maj_status != GSS_S_COMPLETE)
+                                                        packet_disconnect("Protocol error: did not receive final token");
+                                }
+                                break;
+                        case SSH2_MSG_KEXGSS_ERROR:
+                                debug("Received Error");
+                                maj_status = packet_get_int();
+                                min_status = packet_get_int();
+                                msg = packet_get_string(NULL);
+                                (void) packet_get_string_ptr(NULL);
+                                fatal("GSSAPI Error: \n%.400s",msg);
+                        default:
+                                packet_disconnect("Protocol error: didn't expect packet type %d",
+                                type);
+                        }
+                        token_ptr = &recv_tok;
+                } else {
+                        /* No data, and not complete */
+                        if (maj_status != GSS_S_COMPLETE)
+                                fatal("Not complete, and no token output");
+                }
+        } while (maj_status & GSS_S_CONTINUE_NEEDED);
+        /* 
+         * We _must_ have received a COMPLETE message in reply from the 
+         * server, which will have set dh_server_pub and msg_tok 
+         */
+        if (type != SSH2_MSG_KEXGSS_COMPLETE)
+                fatal("Didn't receive a SSH2_MSG_KEXGSS_COMPLETE when I expected it");
+        /* Check f in range [1, p-1] */
+        if (!dh_pub_is_valid(dh, dh_server_pub))
+                packet_disconnect("bad server public DH value");
+        /* compute K=f^x mod p */
+        klen = DH_size(dh);
+        kbuf = xmalloc(klen);
+        kout = DH_compute_key(kbuf, dh_server_pub, dh);
+        if (kout < 0)
+                fatal("DH_compute_key: failed");
+        shared_secret = BN_new();
+        if (shared_secret == NULL)
+                fatal("kexgss_client: BN_new failed");
+        if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
+                fatal("kexdh_client: BN_bin2bn failed");
+        memset(kbuf, 0, klen);
+        free(kbuf);
+        hashlen = sizeof(hash);
+        switch (ssh->kex->kex_type) {
+        case KEX_GSS_GRP1_SHA1:
+        case KEX_GSS_GRP14_SHA1:
+                kex_dh_hash( ssh->kex->client_version_string, 
+                    ssh->kex->server_version_string,
+                    buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my),
+                    buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer),
+                    (serverhostkey ? serverhostkey : empty), slen,
+                    dh->pub_key,        /* e */
+                    dh_server_pub,      /* f */
+                    shared_secret,      /* K */
+                    hash, &hashlen
+                );
+                break;
+        case KEX_GSS_GEX_SHA1:
+                kexgex_hash(
+                    ssh->kex->hash_alg,
+                    ssh->kex->client_version_string,
+                    ssh->kex->server_version_string,
+                    buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my),
+                    buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer),
+                    (serverhostkey ? serverhostkey : empty), slen,
+                    min, nbits, max,
+                    dh->p, dh->g,
+                    dh->pub_key,
+                    dh_server_pub,
+                    shared_secret,
+                    hash, &hashlen
+                );
+                break;
+        default:
+                fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
+        }
+        gssbuf.value = hash;
+        gssbuf.length = hashlen;
+        /* Verify that the hash matches the MIC we just got. */
+        if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
+                packet_disconnect("Hash's MIC didn't verify");
+        free(msg_tok.value);
+        DH_free(dh);
+        free(serverhostkey);
+        BN_clear_free(dh_server_pub);
+        /* save session id */
+        if (ssh->kex->session_id == NULL) {
+                ssh->kex->session_id_len = hashlen;
+                ssh->kex->session_id = xmalloc(ssh->kex->session_id_len);
+                memcpy(ssh->kex->session_id, hash, ssh->kex->session_id_len);
+        }
+        if (ssh->kex->gss_deleg_creds)
+                ssh_gssapi_credentials_updated(ctxt);
+        if (gss_kex_context == NULL)
+                gss_kex_context = ctxt;
+        else
+                ssh_gssapi_delete_ctx(&ctxt);
+        kex_derive_keys_bn(ssh, hash, hashlen, shared_secret);
+        BN_clear_free(shared_secret);
+        return kex_send_newkeys(ssh);
+}
+#endif /* GSSAPI */
author	Simon Wilkinson <simon@sxw.org.uk>	2014-02-09 16:09:48 +0000
committer	Colin Watson <cjwatson@debian.org>	2015-09-17 13:52:32 +0100
commit	70b18066d3921277861e98902c9cf41a10ac6898 (patch)
tree	0bfe9fa4fee0c290b5ff1bc1c2977048beecd37b /kexgssc.c
parent	544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 (diff)

diff --git a/kexgssc.c b/kexgssc.c new file mode 100644 index 000000000..a49bac295 --- /dev/null +++ b/kexgssc.c
@@ -0,0 +1,336 @@
	1	/*
	2	* Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
	3	*
	4	* Redistribution and use in source and binary forms, with or without
	5	* modification, are permitted provided that the following conditions
	6	* are met:
	7	* 1. Redistributions of source code must retain the above copyright
	8	* notice, this list of conditions and the following disclaimer.
	9	* 2. Redistributions in binary form must reproduce the above copyright
	10	* notice, this list of conditions and the following disclaimer in the
	11	* documentation and/or other materials provided with the distribution.
	12	*
	13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
	14	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	15	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	16	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	17	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	18	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	19	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	20	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	21	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	22	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	23	*/
	24
	25	#include "includes.h"
	26
	27	#ifdef GSSAPI
	28
	29	#include "includes.h"
	30
	31	#include <openssl/crypto.h>
	32	#include <openssl/bn.h>
	33
	34	#include <string.h>
	35
	36	#include "xmalloc.h"
	37	#include "buffer.h"
	38	#include "ssh2.h"
	39	#include "key.h"
	40	#include "cipher.h"
	41	#include "kex.h"
	42	#include "log.h"
	43	#include "packet.h"
	44	#include "dh.h"
	45	#include "digest.h"
	46
	47	#include "ssh-gss.h"
	48
	49	int
	50	kexgss_client(struct ssh *ssh) {
	51	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
	52	gss_buffer_desc recv_tok, gssbuf, msg_tok, *token_ptr;
	53	Gssctxt *ctxt;
	54	OM_uint32 maj_status, min_status, ret_flags;
	55	u_int klen, kout, slen = 0, strlen;
	56	DH *dh;
	57	BIGNUM *dh_server_pub = NULL;
	58	BIGNUM *shared_secret = NULL;
	59	BIGNUM *p = NULL;
	60	BIGNUM *g = NULL;
	61	u_char *kbuf;
	62	u_char *serverhostkey = NULL;
	63	u_char *empty = "";
	64	char *msg;
	65	int type = 0;
	66	int first = 1;
	67	int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX;
	68	u_char hash[SSH_DIGEST_MAX_LENGTH];
	69	size_t hashlen;
	70
	71	/* Initialise our GSSAPI world */
	72	ssh_gssapi_build_ctx(&ctxt);
	73	if (ssh_gssapi_id_kex(ctxt, ssh->kex->name, ssh->kex->kex_type)
	74	== GSS_C_NO_OID)
	75	fatal("Couldn't identify host exchange");
	76
	77	if (ssh_gssapi_import_name(ctxt, ssh->kex->gss_host))
	78	fatal("Couldn't import hostname");
	79
	80	if (ssh->kex->gss_client &&
	81	ssh_gssapi_client_identity(ctxt, ssh->kex->gss_client))
	82	fatal("Couldn't acquire client credentials");
	83
	84	switch (ssh->kex->kex_type) {
	85	case KEX_GSS_GRP1_SHA1:
	86	dh = dh_new_group1();
	87	break;
	88	case KEX_GSS_GRP14_SHA1:
	89	dh = dh_new_group14();
	90	break;
	91	case KEX_GSS_GEX_SHA1:
	92	debug("Doing group exchange\n");
	93	nbits = dh_estimate(ssh->kex->we_need * 8);
	94	packet_start(SSH2_MSG_KEXGSS_GROUPREQ);
	95	packet_put_int(min);
	96	packet_put_int(nbits);
	97	packet_put_int(max);
	98
	99	packet_send();
	100
	101	packet_read_expect(SSH2_MSG_KEXGSS_GROUP);
	102
	103	if ((p = BN_new()) == NULL)
	104	fatal("BN_new() failed");
	105	packet_get_bignum2(p);
	106	if ((g = BN_new()) == NULL)
	107	fatal("BN_new() failed");
	108	packet_get_bignum2(g);
	109	packet_check_eom();
	110
	111	if (BN_num_bits(p) < min \|\| BN_num_bits(p) > max)
	112	fatal("GSSGRP_GEX group out of range: %d !< %d !< %d",
	113	min, BN_num_bits(p), max);
	114
	115	dh = dh_new_group(g, p);
	116	break;
	117	default:
	118	fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
	119	}
	120
	121	/* Step 1 - e is dh->pub_key */
	122	dh_gen_key(dh, ssh->kex->we_need * 8);
	123
	124	/* This is f, we initialise it now to make life easier */
	125	dh_server_pub = BN_new();
	126	if (dh_server_pub == NULL)
	127	fatal("dh_server_pub == NULL");
	128
	129	token_ptr = GSS_C_NO_BUFFER;
	130
	131	do {
	132	debug("Calling gss_init_sec_context");
	133
	134	maj_status = ssh_gssapi_init_ctx(ctxt,
	135	ssh->kex->gss_deleg_creds, token_ptr, &send_tok,
	136	&ret_flags);
	137
	138	if (GSS_ERROR(maj_status)) {
	139	if (send_tok.length != 0) {
	140	packet_start(SSH2_MSG_KEXGSS_CONTINUE);
	141	packet_put_string(send_tok.value,
	142	send_tok.length);
	143	}
	144	fatal("gss_init_context failed");
	145	}
	146
	147	/* If we've got an old receive buffer get rid of it */
	148	if (token_ptr != GSS_C_NO_BUFFER)
	149	free(recv_tok.value);
	150
	151	if (maj_status == GSS_S_COMPLETE) {
	152	/* If mutual state flag is not true, kex fails */
	153	if (!(ret_flags & GSS_C_MUTUAL_FLAG))
	154	fatal("Mutual authentication failed");
	155
	156	/* If integ avail flag is not true kex fails */
	157	if (!(ret_flags & GSS_C_INTEG_FLAG))
	158	fatal("Integrity check failed");
	159	}
	160
	161	/*
	162	* If we have data to send, then the last message that we
	163	* received cannot have been a 'complete'.
	164	*/
	165	if (send_tok.length != 0) {
	166	if (first) {
	167	packet_start(SSH2_MSG_KEXGSS_INIT);
	168	packet_put_string(send_tok.value,
	169	send_tok.length);
	170	packet_put_bignum2(dh->pub_key);
	171	first = 0;
	172	} else {
	173	packet_start(SSH2_MSG_KEXGSS_CONTINUE);
	174	packet_put_string(send_tok.value,
	175	send_tok.length);
	176	}
	177	packet_send();
	178	gss_release_buffer(&min_status, &send_tok);
	179
	180	/* If we've sent them data, they should reply */
	181	do {
	182	type = packet_read();
	183	if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
	184	debug("Received KEXGSS_HOSTKEY");
	185	if (serverhostkey)
	186	fatal("Server host key received more than once");
	187	serverhostkey =
	188	packet_get_string(&slen);
	189	}
	190	} while (type == SSH2_MSG_KEXGSS_HOSTKEY);
	191
	192	switch (type) {
	193	case SSH2_MSG_KEXGSS_CONTINUE:
	194	debug("Received GSSAPI_CONTINUE");
	195	if (maj_status == GSS_S_COMPLETE)
	196	fatal("GSSAPI Continue received from server when complete");
	197	recv_tok.value = packet_get_string(&strlen);
	198	recv_tok.length = strlen;
	199	break;
	200	case SSH2_MSG_KEXGSS_COMPLETE:
	201	debug("Received GSSAPI_COMPLETE");
	202	packet_get_bignum2(dh_server_pub);
	203	msg_tok.value = packet_get_string(&strlen);
	204	msg_tok.length = strlen;
	205
	206	/* Is there a token included? */
	207	if (packet_get_char()) {
	208	recv_tok.value=
	209	packet_get_string(&strlen);
	210	recv_tok.length = strlen;
	211	/* If we're already complete - protocol error */
	212	if (maj_status == GSS_S_COMPLETE)
	213	packet_disconnect("Protocol error: received token when complete");
	214	} else {
	215	/* No token included */
	216	if (maj_status != GSS_S_COMPLETE)
	217	packet_disconnect("Protocol error: did not receive final token");
	218	}
	219	break;
	220	case SSH2_MSG_KEXGSS_ERROR:
	221	debug("Received Error");
	222	maj_status = packet_get_int();
	223	min_status = packet_get_int();
	224	msg = packet_get_string(NULL);
	225	(void) packet_get_string_ptr(NULL);
	226	fatal("GSSAPI Error: \n%.400s",msg);
	227	default:
	228	packet_disconnect("Protocol error: didn't expect packet type %d",
	229	type);
	230	}
	231	token_ptr = &recv_tok;
	232	} else {
	233	/* No data, and not complete */
	234	if (maj_status != GSS_S_COMPLETE)
	235	fatal("Not complete, and no token output");
	236	}
	237	} while (maj_status & GSS_S_CONTINUE_NEEDED);
	238
	239	/*
	240	* We _must_ have received a COMPLETE message in reply from the
	241	* server, which will have set dh_server_pub and msg_tok
	242	*/
	243
	244	if (type != SSH2_MSG_KEXGSS_COMPLETE)
	245	fatal("Didn't receive a SSH2_MSG_KEXGSS_COMPLETE when I expected it");
	246
	247	/* Check f in range [1, p-1] */
	248	if (!dh_pub_is_valid(dh, dh_server_pub))
	249	packet_disconnect("bad server public DH value");
	250
	251	/* compute K=f^x mod p */
	252	klen = DH_size(dh);
	253	kbuf = xmalloc(klen);
	254	kout = DH_compute_key(kbuf, dh_server_pub, dh);
	255	if (kout < 0)
	256	fatal("DH_compute_key: failed");
	257
	258	shared_secret = BN_new();
	259	if (shared_secret == NULL)
	260	fatal("kexgss_client: BN_new failed");
	261
	262	if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
	263	fatal("kexdh_client: BN_bin2bn failed");
	264
	265	memset(kbuf, 0, klen);
	266	free(kbuf);
	267
	268	hashlen = sizeof(hash);
	269	switch (ssh->kex->kex_type) {
	270	case KEX_GSS_GRP1_SHA1:
	271	case KEX_GSS_GRP14_SHA1:
	272	kex_dh_hash( ssh->kex->client_version_string,
	273	ssh->kex->server_version_string,
	274	buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my),
	275	buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer),
	276	(serverhostkey ? serverhostkey : empty), slen,
	277	dh->pub_key, /* e */
	278	dh_server_pub, /* f */
	279	shared_secret, /* K */
	280	hash, &hashlen
	281	);
	282	break;
	283	case KEX_GSS_GEX_SHA1:
	284	kexgex_hash(
	285	ssh->kex->hash_alg,
	286	ssh->kex->client_version_string,
	287	ssh->kex->server_version_string,
	288	buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my),
	289	buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer),
	290	(serverhostkey ? serverhostkey : empty), slen,
	291	min, nbits, max,
	292	dh->p, dh->g,
	293	dh->pub_key,
	294	dh_server_pub,
	295	shared_secret,
	296	hash, &hashlen
	297	);
	298	break;
	299	default:
	300	fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
	301	}
	302
	303	gssbuf.value = hash;
	304	gssbuf.length = hashlen;
	305
	306	/* Verify that the hash matches the MIC we just got. */
	307	if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
	308	packet_disconnect("Hash's MIC didn't verify");
	309
	310	free(msg_tok.value);
	311
	312	DH_free(dh);
	313	free(serverhostkey);
	314	BN_clear_free(dh_server_pub);
	315
	316	/* save session id */
	317	if (ssh->kex->session_id == NULL) {
	318	ssh->kex->session_id_len = hashlen;
	319	ssh->kex->session_id = xmalloc(ssh->kex->session_id_len);
	320	memcpy(ssh->kex->session_id, hash, ssh->kex->session_id_len);
	321	}
	322
	323	if (ssh->kex->gss_deleg_creds)
	324	ssh_gssapi_credentials_updated(ctxt);
	325
	326	if (gss_kex_context == NULL)
	327	gss_kex_context = ctxt;
	328	else
	329	ssh_gssapi_delete_ctx(&ctxt);
	330
	331	kex_derive_keys_bn(ssh, hash, hashlen, shared_secret);
	332	BN_clear_free(shared_secret);
	333	return kex_send_newkeys(ssh);
	334	}
	335
	336	#endif /* GSSAPI */