* New upstream release (closes: #536182). Yes, I know 5.3p1 has been out

  for a while, but there's no GSSAPI patch available for it yet.
  - Change the default cipher order to prefer the AES CTR modes and the
    revised "arcfour256" mode to CBC mode ciphers that are susceptible to
    CPNI-957037 "Plaintext Recovery Attack Against SSH".
  - Add countermeasures to mitigate CPNI-957037-style attacks against the
    SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid
    packet length or Message Authentication Code, ssh/sshd will continue
    reading up to the maximum supported packet length rather than
    immediately terminating the connection. This eliminates most of the
    known differences in behaviour that leaked information about the
    plaintext of injected data which formed the basis of this attack
    (closes: #506115, LP: #379329).
  - ForceCommand directive now accepts commandline arguments for the
    internal-sftp server (closes: #524423, LP: #362511).
  - Add AllowAgentForwarding to available Match keywords list (closes:
    #540623).
  - Make ssh(1) send the correct channel number for
    SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to
    avoid triggering 'Non-public channel' error messages on sshd(8) in
    openssh-5.1.
  - Avoid printing 'Non-public channel' warnings in sshd(8), since the
    ssh(1) has sent incorrect channel numbers since ~2004 (this reverts a
    behaviour introduced in openssh-5.1; closes: #496017).
* Update to GSSAPI patch from
  http://www.sxw.org.uk/computing/patches/openssh-5.2p1-gsskex-all-20090726.patch,
  including cascading credentials support (LP: #416958).

1 files changed, 281 insertions, 7 deletions

diff --git a/monitor.c b/monitor.c
index 5305911a4..74f7e05b0 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.99 2008/07/10 18:08:11 markus Exp $ */
+/* $OpenBSD: monitor.c,v 1.101 2009/02/12 03:26:22 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -87,6 +87,7 @@
 #include "misc.h"
 #include "compat.h"
 #include "ssh2.h"
+#include "jpake.h"
 
 #ifdef GSSAPI
 static Gssctxt *gsscontext = NULL;
@@ -150,6 +151,11 @@ int mm_answer_rsa_challenge(int, Buffer *);
 int mm_answer_rsa_response(int, Buffer *);
 int mm_answer_sesskey(int, Buffer *);
 int mm_answer_sessid(int, Buffer *);
+int mm_answer_jpake_get_pwdata(int, Buffer *);
+int mm_answer_jpake_step1(int, Buffer *);
+int mm_answer_jpake_step2(int, Buffer *);
+int mm_answer_jpake_key_confirm(int, Buffer *);
+int mm_answer_jpake_check_confirm(int, Buffer *);
 
 #ifdef USE_PAM
 int mm_answer_pam_start(int, Buffer *);
@@ -166,6 +172,7 @@ int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
 int mm_answer_gss_checkmic(int, Buffer *);
 int mm_answer_gss_sign(int, Buffer *);
+int mm_answer_gss_updatecreds(int, Buffer *);
 #endif
 
 #ifdef SSH_AUDIT_EVENTS
@@ -238,6 +245,13 @@ struct mon_table mon_dispatch_proto20[] = {
     {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
     {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
 #endif
+#ifdef JPAKE
+    {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
+    {MONITOR_REQ_JPAKE_STEP1, MON_ISAUTH, mm_answer_jpake_step1},
+    {MONITOR_REQ_JPAKE_STEP2, MON_ONCE, mm_answer_jpake_step2},
+    {MONITOR_REQ_JPAKE_KEY_CONFIRM, MON_ONCE, mm_answer_jpake_key_confirm},
+    {MONITOR_REQ_JPAKE_CHECK_CONFIRM, MON_AUTH, mm_answer_jpake_check_confirm},
+#endif
     {0, 0, NULL}
 };
 
@@ -246,6 +260,7 @@ struct mon_table mon_dispatch_postauth20[] = {
     {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
     {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
     {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
+    {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
 #endif
     {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
     {MONITOR_REQ_SIGN, 0, mm_answer_sign},
@@ -392,6 +407,15 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
                         if (!authenticated)
                                 authctxt->failures++;
                 }
+#ifdef JPAKE
+                /* Cleanup JPAKE context after authentication */
+                if (ent->flags & MON_AUTHDECIDE) {
+                        if (authctxt->jpake_ctx != NULL) {
+                                jpake_free(authctxt->jpake_ctx);
+                                authctxt->jpake_ctx = NULL;
+                        }
+                }
+#endif
         }
 
         if (!authctxt->valid)
@@ -1519,7 +1543,9 @@ mm_answer_rsa_challenge(int sock, Buffer *m)
                 fatal("%s: key type mismatch", __func__);
         if ((key = key_from_blob(blob, blen)) == NULL)
                 fatal("%s: received bad key", __func__);
-
+        if (key->type != KEY_RSA)
+                fatal("%s: received bad key type %d", __func__, key->type);
+        key->type = KEY_RSA1;
         if (ssh1_challenge)
                 BN_clear_free(ssh1_challenge);
         ssh1_challenge = auth_rsa_generate_challenge(key);
@@ -1717,9 +1743,11 @@ mm_get_kex(Buffer *m)
         kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
         kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
 #ifdef GSSAPI
-        kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
-        kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
-        kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
+        if (options.gss_keyex) {
+                kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+                kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+                kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
+        }
 #endif
         kex->server = 1;
         kex->hostkey_type = buffer_get_int(m);
@@ -1920,6 +1948,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
         OM_uint32 major;
         u_int len;
 
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
+
         goid.elements = buffer_get_string(m, &len);
         goid.length = len;
 
@@ -1947,6 +1978,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
         OM_uint32 flags = 0; /* GSI needs this */
         u_int len;
 
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
+
         in.value = buffer_get_string(m, &len);
         in.length = len;
         major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -1976,6 +2010,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
         OM_uint32 ret;
         u_int len;
 
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
+
         gssbuf.value = buffer_get_string(m, &len);
         gssbuf.length = len;
         mic.value = buffer_get_string(m, &len);
@@ -2002,7 +2039,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
 {
         int authenticated;
 
-        authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
+
+        authenticated = authctxt->valid && 
+            ssh_gssapi_userok(authctxt->user, authctxt->pw);
 
         buffer_clear(m);
         buffer_put_int(m, authenticated);
@@ -2024,10 +2065,14 @@ mm_answer_gss_sign(int socket, Buffer *m)
         OM_uint32 major, minor;
         u_int len;
 
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
+
         data.value = buffer_get_string(m, &len);
         data.length = len;
         if (data.length != 20) 
-                fatal("%s: data length incorrect: %d", __func__, data.length);
+                fatal("%s: data length incorrect: %d", __func__, 
+                    (int) data.length);
 
         /* Save the session ID on the first time around */
         if (session_id2_len == 0) {
@@ -2049,8 +2094,237 @@ mm_answer_gss_sign(int socket, Buffer *m)
 
         /* Turn on getpwnam permissions */
         monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
+        
+        /* And credential updating, for when rekeying */
+        monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
 
         return (0);
 }
 
+int
+mm_answer_gss_updatecreds(int socket, Buffer *m) {
+        ssh_gssapi_ccache store;
+        int ok;
+
+        store.filename = buffer_get_string(m, NULL);
+        store.envvar   = buffer_get_string(m, NULL);
+        store.envval   = buffer_get_string(m, NULL);
+
+        ok = ssh_gssapi_update_creds(&store);
+
+        xfree(store.filename);
+        xfree(store.envvar);
+        xfree(store.envval);
+
+        buffer_clear(m);
+        buffer_put_int(m, ok);
+
+        mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
+
+        return(0);
+}
+
 #endif /* GSSAPI */
+
+#ifdef JPAKE
+int
+mm_answer_jpake_step1(int sock, Buffer *m)
+{
+        struct jpake_ctx *pctx;
+        u_char *x3_proof, *x4_proof;
+        u_int x3_proof_len, x4_proof_len;
+
+        if (!options.zero_knowledge_password_authentication)
+                fatal("zero_knowledge_password_authentication disabled");
+
+        if (authctxt->jpake_ctx != NULL)
+                fatal("%s: authctxt->jpake_ctx already set (%p)",
+                    __func__, authctxt->jpake_ctx);
+        authctxt->jpake_ctx = pctx = jpake_new();
+
+        jpake_step1(pctx->grp,
+            &pctx->server_id, &pctx->server_id_len,
+            &pctx->x3, &pctx->x4, &pctx->g_x3, &pctx->g_x4,
+            &x3_proof, &x3_proof_len,
+            &x4_proof, &x4_proof_len);
+
+        JPAKE_DEBUG_CTX((pctx, "step1 done in %s", __func__));
+
+        buffer_clear(m);
+
+        buffer_put_string(m, pctx->server_id, pctx->server_id_len);
+        buffer_put_bignum2(m, pctx->g_x3);
+        buffer_put_bignum2(m, pctx->g_x4);
+        buffer_put_string(m, x3_proof, x3_proof_len);
+        buffer_put_string(m, x4_proof, x4_proof_len);
+
+        debug3("%s: sending step1", __func__);
+        mm_request_send(sock, MONITOR_ANS_JPAKE_STEP1, m);
+
+        bzero(x3_proof, x3_proof_len);
+        bzero(x4_proof, x4_proof_len);
+        xfree(x3_proof);
+        xfree(x4_proof);
+
+        monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_GET_PWDATA, 1);
+        monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 0);
+
+        return 0;
+}
+
+int
+mm_answer_jpake_get_pwdata(int sock, Buffer *m)
+{
+        struct jpake_ctx *pctx = authctxt->jpake_ctx;
+        char *hash_scheme, *salt;
+
+        if (pctx == NULL)
+                fatal("%s: pctx == NULL", __func__);
+
+        auth2_jpake_get_pwdata(authctxt, &pctx->s, &hash_scheme, &salt);
+
+        buffer_clear(m);
+        /* pctx->s is sensitive, not returned to slave */
+        buffer_put_cstring(m, hash_scheme);
+        buffer_put_cstring(m, salt);
+
+        debug3("%s: sending pwdata", __func__);
+        mm_request_send(sock, MONITOR_ANS_JPAKE_GET_PWDATA, m);
+
+        bzero(hash_scheme, strlen(hash_scheme));
+        bzero(salt, strlen(salt));
+        xfree(hash_scheme);
+        xfree(salt);
+
+        monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP2, 1);
+
+        return 0;
+}
+
+int
+mm_answer_jpake_step2(int sock, Buffer *m)
+{
+        struct jpake_ctx *pctx = authctxt->jpake_ctx;
+        u_char *x1_proof, *x2_proof, *x4_s_proof;
+        u_int x1_proof_len, x2_proof_len, x4_s_proof_len;
+
+        if (pctx == NULL)
+                fatal("%s: pctx == NULL", __func__);
+
+        if ((pctx->g_x1 = BN_new()) == NULL ||
+            (pctx->g_x2 = BN_new()) == NULL)
+                fatal("%s: BN_new", __func__);
+        buffer_get_bignum2(m, pctx->g_x1);
+        buffer_get_bignum2(m, pctx->g_x2);
+        pctx->client_id = buffer_get_string(m, &pctx->client_id_len);
+        x1_proof = buffer_get_string(m, &x1_proof_len);
+        x2_proof = buffer_get_string(m, &x2_proof_len);
+
+        jpake_step2(pctx->grp, pctx->s, pctx->g_x3,
+            pctx->g_x1, pctx->g_x2, pctx->x4,
+            pctx->client_id, pctx->client_id_len,
+            pctx->server_id, pctx->server_id_len,
+            x1_proof, x1_proof_len,
+            x2_proof, x2_proof_len,
+            &pctx->b,
+            &x4_s_proof, &x4_s_proof_len);
+
+        JPAKE_DEBUG_CTX((pctx, "step2 done in %s", __func__));
+
+        bzero(x1_proof, x1_proof_len);
+        bzero(x2_proof, x2_proof_len);
+        xfree(x1_proof);
+        xfree(x2_proof);
+
+        buffer_clear(m);
+
+        buffer_put_bignum2(m, pctx->b);
+        buffer_put_string(m, x4_s_proof, x4_s_proof_len);
+
+        debug3("%s: sending step2", __func__);
+        mm_request_send(sock, MONITOR_ANS_JPAKE_STEP2, m);
+
+        bzero(x4_s_proof, x4_s_proof_len);
+        xfree(x4_s_proof);
+
+        monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_KEY_CONFIRM, 1);
+
+        return 0;
+}
+
+int
+mm_answer_jpake_key_confirm(int sock, Buffer *m)
+{
+        struct jpake_ctx *pctx = authctxt->jpake_ctx;
+        u_char *x2_s_proof;
+        u_int x2_s_proof_len;
+
+        if (pctx == NULL)
+                fatal("%s: pctx == NULL", __func__);
+
+        if ((pctx->a = BN_new()) == NULL)
+                fatal("%s: BN_new", __func__);
+        buffer_get_bignum2(m, pctx->a);
+        x2_s_proof = buffer_get_string(m, &x2_s_proof_len);
+
+        jpake_key_confirm(pctx->grp, pctx->s, pctx->a,
+            pctx->x4, pctx->g_x3, pctx->g_x4, pctx->g_x1, pctx->g_x2,
+            pctx->server_id, pctx->server_id_len,
+            pctx->client_id, pctx->client_id_len,
+            session_id2, session_id2_len,
+            x2_s_proof, x2_s_proof_len,
+            &pctx->k,
+            &pctx->h_k_sid_sessid, &pctx->h_k_sid_sessid_len);
+
+        JPAKE_DEBUG_CTX((pctx, "key_confirm done in %s", __func__));
+
+        bzero(x2_s_proof, x2_s_proof_len);
+        buffer_clear(m);
+
+        /* pctx->k is sensitive, not sent */
+        buffer_put_string(m, pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len);
+
+        debug3("%s: sending confirmation hash", __func__);
+        mm_request_send(sock, MONITOR_ANS_JPAKE_KEY_CONFIRM, m);
+
+        monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_CHECK_CONFIRM, 1);
+
+        return 0;
+}
+
+int
+mm_answer_jpake_check_confirm(int sock, Buffer *m)
+{
+        int authenticated = 0;
+        u_char *peer_confirm_hash;
+        u_int peer_confirm_hash_len;
+        struct jpake_ctx *pctx = authctxt->jpake_ctx;
+
+        if (pctx == NULL)
+                fatal("%s: pctx == NULL", __func__);
+
+        peer_confirm_hash = buffer_get_string(m, &peer_confirm_hash_len);
+
+        authenticated = jpake_check_confirm(pctx->k,
+            pctx->client_id, pctx->client_id_len,
+            session_id2, session_id2_len,
+            peer_confirm_hash, peer_confirm_hash_len) && authctxt->valid;
+
+        JPAKE_DEBUG_CTX((pctx, "check_confirm done in %s", __func__));
+
+        bzero(peer_confirm_hash, peer_confirm_hash_len);
+        xfree(peer_confirm_hash);
+
+        buffer_clear(m);
+        buffer_put_int(m, authenticated);
+
+        debug3("%s: sending result %d", __func__, authenticated);
+        mm_request_send(sock, MONITOR_ANS_JPAKE_CHECK_CONFIRM, m);
+
+        monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);
+
+        auth_method = "jpake-01@openssh.com";
+        return authenticated;
+}
+
+#endif /* JPAKE */