GSSAPI key exchange support

This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2014-02-10 Patch-Name: gssapi.patch
author: Simon Wilkinson <simon@sxw.org.uk> 2014-02-09 16:09:48 +0000
committer: Colin Watson <cjwatson@debian.org> 2014-02-10 02:40:08 +0000
commit: cd404114ded78fc51d5d9cbd458d55c9b2f67daa (patch)
tree: df7a424d9301b69af906b50d550bfce6e6e2c5f3 /kexgssc.c
parent: 9a975a9faed7c4f334e8c8490db3e77e102f2b21 (diff)
1 files changed, 333 insertions, 0 deletions
diff --git a/kexgssc.c b/kexgssc.c
new file mode 100644
index 000000000..14f559883
--- /dev/null
+++ b/kexgssc.c
@@ -0,0 +1,333 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "includes.h"
+#ifdef GSSAPI
+#include "includes.h"
+#include <openssl/crypto.h>
+#include <openssl/bn.h>
+#include <string.h>
+#include "xmalloc.h"
+#include "buffer.h"
+#include "ssh2.h"
+#include "key.h"
+#include "cipher.h"
+#include "kex.h"
+#include "log.h"
+#include "packet.h"
+#include "dh.h"
+#include "ssh-gss.h"
+void
+kexgss_client(Kex *kex) {
+        gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
+        gss_buffer_desc recv_tok, gssbuf, msg_tok, *token_ptr;
+        Gssctxt *ctxt;
+        OM_uint32 maj_status, min_status, ret_flags;
+        u_int klen, kout, slen = 0, hashlen, strlen;
+        DH *dh; 
+        BIGNUM *dh_server_pub = NULL;
+        BIGNUM *shared_secret = NULL;
+        BIGNUM *p = NULL;
+        BIGNUM *g = NULL;       
+        u_char *kbuf, *hash;
+        u_char *serverhostkey = NULL;
+        u_char *empty = "";
+        char *msg;
+        char *lang;
+        int type = 0;
+        int first = 1;
+        int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX;
+        /* Initialise our GSSAPI world */       
+        ssh_gssapi_build_ctx(&ctxt);
+        if (ssh_gssapi_id_kex(ctxt, kex->name, kex->kex_type) 
+            == GSS_C_NO_OID)
+                fatal("Couldn't identify host exchange");
+        if (ssh_gssapi_import_name(ctxt, kex->gss_host))
+                fatal("Couldn't import hostname");
+        if (kex->gss_client && 
+            ssh_gssapi_client_identity(ctxt, kex->gss_client))
+                fatal("Couldn't acquire client credentials");
+        switch (kex->kex_type) {
+        case KEX_GSS_GRP1_SHA1:
+                dh = dh_new_group1();
+                break;
+        case KEX_GSS_GRP14_SHA1:
+                dh = dh_new_group14();
+                break;
+        case KEX_GSS_GEX_SHA1:
+                debug("Doing group exchange\n");
+                nbits = dh_estimate(kex->we_need * 8);
+                packet_start(SSH2_MSG_KEXGSS_GROUPREQ);
+                packet_put_int(min);
+                packet_put_int(nbits);
+                packet_put_int(max);
+                packet_send();
+                packet_read_expect(SSH2_MSG_KEXGSS_GROUP);
+                if ((p = BN_new()) == NULL)
+                        fatal("BN_new() failed");
+                packet_get_bignum2(p);
+                if ((g = BN_new()) == NULL)
+                        fatal("BN_new() failed");
+                packet_get_bignum2(g);
+                packet_check_eom();
+                if (BN_num_bits(p) < min || BN_num_bits(p) > max)
+                        fatal("GSSGRP_GEX group out of range: %d !< %d !< %d",
+                            min, BN_num_bits(p), max);
+                dh = dh_new_group(g, p);
+                break;
+        default:
+                fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
+        }
+        
+        /* Step 1 - e is dh->pub_key */
+        dh_gen_key(dh, kex->we_need * 8);
+        /* This is f, we initialise it now to make life easier */
+        dh_server_pub = BN_new();
+        if (dh_server_pub == NULL)
+                fatal("dh_server_pub == NULL");
+        token_ptr = GSS_C_NO_BUFFER;
+                         
+        do {
+                debug("Calling gss_init_sec_context");
+                
+                maj_status = ssh_gssapi_init_ctx(ctxt,
+                    kex->gss_deleg_creds, token_ptr, &send_tok,
+                    &ret_flags);
+                if (GSS_ERROR(maj_status)) {
+                        if (send_tok.length != 0) {
+                                packet_start(SSH2_MSG_KEXGSS_CONTINUE);
+                                packet_put_string(send_tok.value,
+                                    send_tok.length);
+                        }
+                        fatal("gss_init_context failed");
+                }
+                /* If we've got an old receive buffer get rid of it */
+                if (token_ptr != GSS_C_NO_BUFFER)
+                        free(recv_tok.value);
+                if (maj_status == GSS_S_COMPLETE) {
+                        /* If mutual state flag is not true, kex fails */
+                        if (!(ret_flags & GSS_C_MUTUAL_FLAG))
+                                fatal("Mutual authentication failed");
+                        /* If integ avail flag is not true kex fails */
+                        if (!(ret_flags & GSS_C_INTEG_FLAG))
+                                fatal("Integrity check failed");
+                }
+                /* 
+                 * If we have data to send, then the last message that we
+                 * received cannot have been a 'complete'. 
+                 */
+                if (send_tok.length != 0) {
+                        if (first) {
+                                packet_start(SSH2_MSG_KEXGSS_INIT);
+                                packet_put_string(send_tok.value,
+                                    send_tok.length);
+                                packet_put_bignum2(dh->pub_key);
+                                first = 0;
+                        } else {
+                                packet_start(SSH2_MSG_KEXGSS_CONTINUE);
+                                packet_put_string(send_tok.value,
+                                    send_tok.length);
+                        }
+                        packet_send();
+                        gss_release_buffer(&min_status, &send_tok);
+                        /* If we've sent them data, they should reply */
+                        do {    
+                                type = packet_read();
+                                if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
+                                        debug("Received KEXGSS_HOSTKEY");
+                                        if (serverhostkey)
+                                                fatal("Server host key received more than once");
+                                        serverhostkey = 
+                                            packet_get_string(&slen);
+                                }
+                        } while (type == SSH2_MSG_KEXGSS_HOSTKEY);
+                        switch (type) {
+                        case SSH2_MSG_KEXGSS_CONTINUE:
+                                debug("Received GSSAPI_CONTINUE");
+                                if (maj_status == GSS_S_COMPLETE) 
+                                        fatal("GSSAPI Continue received from server when complete");
+                                recv_tok.value = packet_get_string(&strlen);
+                                recv_tok.length = strlen; 
+                                break;
+                        case SSH2_MSG_KEXGSS_COMPLETE:
+                                debug("Received GSSAPI_COMPLETE");
+                                packet_get_bignum2(dh_server_pub);
+                                msg_tok.value =  packet_get_string(&strlen);
+                                msg_tok.length = strlen; 
+                                /* Is there a token included? */
+                                if (packet_get_char()) {
+                                        recv_tok.value=
+                                            packet_get_string(&strlen);
+                                        recv_tok.length = strlen;
+                                        /* If we're already complete - protocol error */
+                                        if (maj_status == GSS_S_COMPLETE)
+                                                packet_disconnect("Protocol error: received token when complete");
+                                        } else {
+                                                /* No token included */
+                                                if (maj_status != GSS_S_COMPLETE)
+                                                        packet_disconnect("Protocol error: did not receive final token");
+                                }
+                                break;
+                        case SSH2_MSG_KEXGSS_ERROR:
+                                debug("Received Error");
+                                maj_status = packet_get_int();
+                                min_status = packet_get_int();
+                                msg = packet_get_string(NULL);
+                                lang = packet_get_string(NULL);
+                                fatal("GSSAPI Error: \n%.400s",msg);
+                        default:
+                                packet_disconnect("Protocol error: didn't expect packet type %d",
+                                type);
+                        }
+                        token_ptr = &recv_tok;
+                } else {
+                        /* No data, and not complete */
+                        if (maj_status != GSS_S_COMPLETE)
+                                fatal("Not complete, and no token output");
+                }
+        } while (maj_status & GSS_S_CONTINUE_NEEDED);
+        /* 
+         * We _must_ have received a COMPLETE message in reply from the 
+         * server, which will have set dh_server_pub and msg_tok 
+         */
+        if (type != SSH2_MSG_KEXGSS_COMPLETE)
+                fatal("Didn't receive a SSH2_MSG_KEXGSS_COMPLETE when I expected it");
+        /* Check f in range [1, p-1] */
+        if (!dh_pub_is_valid(dh, dh_server_pub))
+                packet_disconnect("bad server public DH value");
+        /* compute K=f^x mod p */
+        klen = DH_size(dh);
+        kbuf = xmalloc(klen);
+        kout = DH_compute_key(kbuf, dh_server_pub, dh);
+        if (kout < 0)
+                fatal("DH_compute_key: failed");
+        shared_secret = BN_new();
+        if (shared_secret == NULL)
+                fatal("kexgss_client: BN_new failed");
+        if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
+                fatal("kexdh_client: BN_bin2bn failed");
+        memset(kbuf, 0, klen);
+        free(kbuf);
+        switch (kex->kex_type) {
+        case KEX_GSS_GRP1_SHA1:
+        case KEX_GSS_GRP14_SHA1:
+                kex_dh_hash( kex->client_version_string, 
+                    kex->server_version_string,
+                    buffer_ptr(&kex->my), buffer_len(&kex->my),
+                    buffer_ptr(&kex->peer), buffer_len(&kex->peer),
+                    (serverhostkey ? serverhostkey : empty), slen,
+                    dh->pub_key,        /* e */
+                    dh_server_pub,      /* f */
+                    shared_secret,      /* K */
+                    &hash, &hashlen
+                );
+                break;
+        case KEX_GSS_GEX_SHA1:
+                kexgex_hash(
+                    kex->hash_alg,
+                    kex->client_version_string,
+                    kex->server_version_string,
+                    buffer_ptr(&kex->my), buffer_len(&kex->my),
+                    buffer_ptr(&kex->peer), buffer_len(&kex->peer),
+                    (serverhostkey ? serverhostkey : empty), slen,
+                    min, nbits, max,
+                    dh->p, dh->g,
+                    dh->pub_key,
+                    dh_server_pub,
+                    shared_secret,
+                    &hash, &hashlen
+                );
+                break;
+        default:
+                fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
+        }
+        gssbuf.value = hash;
+        gssbuf.length = hashlen;
+        /* Verify that the hash matches the MIC we just got. */
+        if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
+                packet_disconnect("Hash's MIC didn't verify");
+        free(msg_tok.value);
+        DH_free(dh);
+        free(serverhostkey);
+        BN_clear_free(dh_server_pub);
+        /* save session id */
+        if (kex->session_id == NULL) {
+                kex->session_id_len = hashlen;
+                kex->session_id = xmalloc(kex->session_id_len);
+                memcpy(kex->session_id, hash, kex->session_id_len);
+        }
+        if (kex->gss_deleg_creds)
+                ssh_gssapi_credentials_updated(ctxt);
+        if (gss_kex_context == NULL)
+                gss_kex_context = ctxt;
+        else
+                ssh_gssapi_delete_ctx(&ctxt);
+        kex_derive_keys_bn(kex, hash, hashlen, shared_secret);
+        BN_clear_free(shared_secret);
+        kex_finish(kex);
+}
+#endif /* GSSAPI */
author	Simon Wilkinson <simon@sxw.org.uk>	2014-02-09 16:09:48 +0000
committer	Colin Watson <cjwatson@debian.org>	2014-02-10 02:40:08 +0000
commit	cd404114ded78fc51d5d9cbd458d55c9b2f67daa (patch)
tree	df7a424d9301b69af906b50d550bfce6e6e2c5f3 /kexgssc.c
parent	9a975a9faed7c4f334e8c8490db3e77e102f2b21 (diff)

diff --git a/kexgssc.c b/kexgssc.c new file mode 100644 index 000000000..14f559883 --- /dev/null +++ b/kexgssc.c
@@ -0,0 +1,333 @@
	1	/*
	2	* Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
	3	*
	4	* Redistribution and use in source and binary forms, with or without
	5	* modification, are permitted provided that the following conditions
	6	* are met:
	7	* 1. Redistributions of source code must retain the above copyright
	8	* notice, this list of conditions and the following disclaimer.
	9	* 2. Redistributions in binary form must reproduce the above copyright
	10	* notice, this list of conditions and the following disclaimer in the
	11	* documentation and/or other materials provided with the distribution.
	12	*
	13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
	14	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	15	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	16	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	17	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	18	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	19	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	20	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	21	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	22	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	23	*/
	24
	25	#include "includes.h"
	26
	27	#ifdef GSSAPI
	28
	29	#include "includes.h"
	30
	31	#include <openssl/crypto.h>
	32	#include <openssl/bn.h>
	33
	34	#include <string.h>
	35
	36	#include "xmalloc.h"
	37	#include "buffer.h"
	38	#include "ssh2.h"
	39	#include "key.h"
	40	#include "cipher.h"
	41	#include "kex.h"
	42	#include "log.h"
	43	#include "packet.h"
	44	#include "dh.h"
	45
	46	#include "ssh-gss.h"
	47
	48	void
	49	kexgss_client(Kex *kex) {
	50	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
	51	gss_buffer_desc recv_tok, gssbuf, msg_tok, *token_ptr;
	52	Gssctxt *ctxt;
	53	OM_uint32 maj_status, min_status, ret_flags;
	54	u_int klen, kout, slen = 0, hashlen, strlen;
	55	DH *dh;
	56	BIGNUM *dh_server_pub = NULL;
	57	BIGNUM *shared_secret = NULL;
	58	BIGNUM *p = NULL;
	59	BIGNUM *g = NULL;
	60	u_char kbuf, hash;
	61	u_char *serverhostkey = NULL;
	62	u_char *empty = "";
	63	char *msg;
	64	char *lang;
	65	int type = 0;
	66	int first = 1;
	67	int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX;
	68
	69	/* Initialise our GSSAPI world */
	70	ssh_gssapi_build_ctx(&ctxt);
	71	if (ssh_gssapi_id_kex(ctxt, kex->name, kex->kex_type)
	72	== GSS_C_NO_OID)
	73	fatal("Couldn't identify host exchange");
	74
	75	if (ssh_gssapi_import_name(ctxt, kex->gss_host))
	76	fatal("Couldn't import hostname");
	77
	78	if (kex->gss_client &&
	79	ssh_gssapi_client_identity(ctxt, kex->gss_client))
	80	fatal("Couldn't acquire client credentials");
	81
	82	switch (kex->kex_type) {
	83	case KEX_GSS_GRP1_SHA1:
	84	dh = dh_new_group1();
	85	break;
	86	case KEX_GSS_GRP14_SHA1:
	87	dh = dh_new_group14();
	88	break;
	89	case KEX_GSS_GEX_SHA1:
	90	debug("Doing group exchange\n");
	91	nbits = dh_estimate(kex->we_need * 8);
	92	packet_start(SSH2_MSG_KEXGSS_GROUPREQ);
	93	packet_put_int(min);
	94	packet_put_int(nbits);
	95	packet_put_int(max);
	96
	97	packet_send();
	98
	99	packet_read_expect(SSH2_MSG_KEXGSS_GROUP);
	100
	101	if ((p = BN_new()) == NULL)
	102	fatal("BN_new() failed");
	103	packet_get_bignum2(p);
	104	if ((g = BN_new()) == NULL)
	105	fatal("BN_new() failed");
	106	packet_get_bignum2(g);
	107	packet_check_eom();
	108
	109	if (BN_num_bits(p) < min \|\| BN_num_bits(p) > max)
	110	fatal("GSSGRP_GEX group out of range: %d !< %d !< %d",
	111	min, BN_num_bits(p), max);
	112
	113	dh = dh_new_group(g, p);
	114	break;
	115	default:
	116	fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
	117	}
	118
	119	/* Step 1 - e is dh->pub_key */
	120	dh_gen_key(dh, kex->we_need * 8);
	121
	122	/* This is f, we initialise it now to make life easier */
	123	dh_server_pub = BN_new();
	124	if (dh_server_pub == NULL)
	125	fatal("dh_server_pub == NULL");
	126
	127	token_ptr = GSS_C_NO_BUFFER;
	128
	129	do {
	130	debug("Calling gss_init_sec_context");
	131
	132	maj_status = ssh_gssapi_init_ctx(ctxt,
	133	kex->gss_deleg_creds, token_ptr, &send_tok,
	134	&ret_flags);
	135
	136	if (GSS_ERROR(maj_status)) {
	137	if (send_tok.length != 0) {
	138	packet_start(SSH2_MSG_KEXGSS_CONTINUE);
	139	packet_put_string(send_tok.value,
	140	send_tok.length);
	141	}
	142	fatal("gss_init_context failed");
	143	}
	144
	145	/* If we've got an old receive buffer get rid of it */
	146	if (token_ptr != GSS_C_NO_BUFFER)
	147	free(recv_tok.value);
	148
	149	if (maj_status == GSS_S_COMPLETE) {
	150	/* If mutual state flag is not true, kex fails */
	151	if (!(ret_flags & GSS_C_MUTUAL_FLAG))
	152	fatal("Mutual authentication failed");
	153
	154	/* If integ avail flag is not true kex fails */
	155	if (!(ret_flags & GSS_C_INTEG_FLAG))
	156	fatal("Integrity check failed");
	157	}
	158
	159	/*
	160	* If we have data to send, then the last message that we
	161	* received cannot have been a 'complete'.
	162	*/
	163	if (send_tok.length != 0) {
	164	if (first) {
	165	packet_start(SSH2_MSG_KEXGSS_INIT);
	166	packet_put_string(send_tok.value,
	167	send_tok.length);
	168	packet_put_bignum2(dh->pub_key);
	169	first = 0;
	170	} else {
	171	packet_start(SSH2_MSG_KEXGSS_CONTINUE);
	172	packet_put_string(send_tok.value,
	173	send_tok.length);
	174	}
	175	packet_send();
	176	gss_release_buffer(&min_status, &send_tok);
	177
	178	/* If we've sent them data, they should reply */
	179	do {
	180	type = packet_read();
	181	if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
	182	debug("Received KEXGSS_HOSTKEY");
	183	if (serverhostkey)
	184	fatal("Server host key received more than once");
	185	serverhostkey =
	186	packet_get_string(&slen);
	187	}
	188	} while (type == SSH2_MSG_KEXGSS_HOSTKEY);
	189
	190	switch (type) {
	191	case SSH2_MSG_KEXGSS_CONTINUE:
	192	debug("Received GSSAPI_CONTINUE");
	193	if (maj_status == GSS_S_COMPLETE)
	194	fatal("GSSAPI Continue received from server when complete");
	195	recv_tok.value = packet_get_string(&strlen);
	196	recv_tok.length = strlen;
	197	break;
	198	case SSH2_MSG_KEXGSS_COMPLETE:
	199	debug("Received GSSAPI_COMPLETE");
	200	packet_get_bignum2(dh_server_pub);
	201	msg_tok.value = packet_get_string(&strlen);
	202	msg_tok.length = strlen;
	203
	204	/* Is there a token included? */
	205	if (packet_get_char()) {
	206	recv_tok.value=
	207	packet_get_string(&strlen);
	208	recv_tok.length = strlen;
	209	/* If we're already complete - protocol error */
	210	if (maj_status == GSS_S_COMPLETE)
	211	packet_disconnect("Protocol error: received token when complete");
	212	} else {
	213	/* No token included */
	214	if (maj_status != GSS_S_COMPLETE)
	215	packet_disconnect("Protocol error: did not receive final token");
	216	}
	217	break;
	218	case SSH2_MSG_KEXGSS_ERROR:
	219	debug("Received Error");
	220	maj_status = packet_get_int();
	221	min_status = packet_get_int();
	222	msg = packet_get_string(NULL);
	223	lang = packet_get_string(NULL);
	224	fatal("GSSAPI Error: \n%.400s",msg);
	225	default:
	226	packet_disconnect("Protocol error: didn't expect packet type %d",
	227	type);
	228	}
	229	token_ptr = &recv_tok;
	230	} else {
	231	/* No data, and not complete */
	232	if (maj_status != GSS_S_COMPLETE)
	233	fatal("Not complete, and no token output");
	234	}
	235	} while (maj_status & GSS_S_CONTINUE_NEEDED);
	236
	237	/*
	238	* We _must_ have received a COMPLETE message in reply from the
	239	* server, which will have set dh_server_pub and msg_tok
	240	*/
	241
	242	if (type != SSH2_MSG_KEXGSS_COMPLETE)
	243	fatal("Didn't receive a SSH2_MSG_KEXGSS_COMPLETE when I expected it");
	244
	245	/* Check f in range [1, p-1] */
	246	if (!dh_pub_is_valid(dh, dh_server_pub))
	247	packet_disconnect("bad server public DH value");
	248
	249	/* compute K=f^x mod p */
	250	klen = DH_size(dh);
	251	kbuf = xmalloc(klen);
	252	kout = DH_compute_key(kbuf, dh_server_pub, dh);
	253	if (kout < 0)
	254	fatal("DH_compute_key: failed");
	255
	256	shared_secret = BN_new();
	257	if (shared_secret == NULL)
	258	fatal("kexgss_client: BN_new failed");
	259
	260	if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
	261	fatal("kexdh_client: BN_bin2bn failed");
	262
	263	memset(kbuf, 0, klen);
	264	free(kbuf);
	265
	266	switch (kex->kex_type) {
	267	case KEX_GSS_GRP1_SHA1:
	268	case KEX_GSS_GRP14_SHA1:
	269	kex_dh_hash( kex->client_version_string,
	270	kex->server_version_string,
	271	buffer_ptr(&kex->my), buffer_len(&kex->my),
	272	buffer_ptr(&kex->peer), buffer_len(&kex->peer),
	273	(serverhostkey ? serverhostkey : empty), slen,
	274	dh->pub_key, /* e */
	275	dh_server_pub, /* f */
	276	shared_secret, /* K */
	277	&hash, &hashlen
	278	);
	279	break;
	280	case KEX_GSS_GEX_SHA1:
	281	kexgex_hash(
	282	kex->hash_alg,
	283	kex->client_version_string,
	284	kex->server_version_string,
	285	buffer_ptr(&kex->my), buffer_len(&kex->my),
	286	buffer_ptr(&kex->peer), buffer_len(&kex->peer),
	287	(serverhostkey ? serverhostkey : empty), slen,
	288	min, nbits, max,
	289	dh->p, dh->g,
	290	dh->pub_key,
	291	dh_server_pub,
	292	shared_secret,
	293	&hash, &hashlen
	294	);
	295	break;
	296	default:
	297	fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
	298	}
	299
	300	gssbuf.value = hash;
	301	gssbuf.length = hashlen;
	302
	303	/* Verify that the hash matches the MIC we just got. */
	304	if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
	305	packet_disconnect("Hash's MIC didn't verify");
	306
	307	free(msg_tok.value);
	308
	309	DH_free(dh);
	310	free(serverhostkey);
	311	BN_clear_free(dh_server_pub);
	312
	313	/* save session id */
	314	if (kex->session_id == NULL) {
	315	kex->session_id_len = hashlen;
	316	kex->session_id = xmalloc(kex->session_id_len);
	317	memcpy(kex->session_id, hash, kex->session_id_len);
	318	}
	319
	320	if (kex->gss_deleg_creds)
	321	ssh_gssapi_credentials_updated(ctxt);
	322
	323	if (gss_kex_context == NULL)
	324	gss_kex_context = ctxt;
	325	else
	326	ssh_gssapi_delete_ctx(&ctxt);
	327
	328	kex_derive_keys_bn(kex, hash, hashlen, shared_secret);
	329	BN_clear_free(shared_secret);
	330	kex_finish(kex);
	331	}
	332
	333	#endif /* GSSAPI */