* New upstream release (closes: #536182). Yes, I know 5.3p1 has been out

  for a while, but there's no GSSAPI patch available for it yet.
  - Change the default cipher order to prefer the AES CTR modes and the
    revised "arcfour256" mode to CBC mode ciphers that are susceptible to
    CPNI-957037 "Plaintext Recovery Attack Against SSH".
  - Add countermeasures to mitigate CPNI-957037-style attacks against the
    SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid
    packet length or Message Authentication Code, ssh/sshd will continue
    reading up to the maximum supported packet length rather than
    immediately terminating the connection. This eliminates most of the
    known differences in behaviour that leaked information about the
    plaintext of injected data which formed the basis of this attack
    (closes: #506115, LP: #379329).
  - ForceCommand directive now accepts commandline arguments for the
    internal-sftp server (closes: #524423, LP: #362511).
  - Add AllowAgentForwarding to available Match keywords list (closes:
    #540623).
  - Make ssh(1) send the correct channel number for
    SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to
    avoid triggering 'Non-public channel' error messages on sshd(8) in
    openssh-5.1.
  - Avoid printing 'Non-public channel' warnings in sshd(8), since the
    ssh(1) has sent incorrect channel numbers since ~2004 (this reverts a
    behaviour introduced in openssh-5.1; closes: #496017).
* Update to GSSAPI patch from
  http://www.sxw.org.uk/computing/patches/openssh-5.2p1-gsskex-all-20090726.patch,
  including cascading credentials support (LP: #416958).

1 files changed, 336 insertions, 17 deletions

diff --git a/sshconnect2.c b/sshconnect2.c
index 185e7b204..bb72db5dd 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,6 +1,7 @@
-/* $OpenBSD: sshconnect2.c,v 1.166 2008/07/17 08:48:00 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.170 2008/11/04 08:22:13 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ * Copyright (c) 2008 Damien Miller.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -67,6 +68,7 @@
 #include "msg.h"
 #include "pathnames.h"
 #include "uidswap.h"
+#include "jpake.h"
 
 #ifdef GSSAPI
 #include "ssh-gss.h"
@@ -121,7 +123,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
                 else
                         gss_host = host;
 
-                gss = ssh_gssapi_client_mechanisms(gss_host);
+                gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
                 if (gss) {
                         debug("Offering GSSAPI proposal: %s", gss);
                         xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
@@ -164,6 +166,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
                 orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
                 xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS], 
                     "%s,null", orig);
+                xfree(gss);
         }
 #endif
 
@@ -177,18 +180,23 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
         kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
         kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
 #ifdef GSSAPI
-        kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
-        kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client;
-        kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
+        if (options.gss_keyex) {
+                kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
+                kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client;
+                kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
+        }
 #endif
         kex->client_version_string=client_version_string;
         kex->server_version_string=server_version_string;
         kex->verify_host_key=&verify_host_key_callback;
 
 #ifdef GSSAPI
-        kex->gss_deleg_creds = options.gss_deleg_creds;
-        kex->gss_trust_dns = options.gss_trust_dns;
-        kex->gss_host = gss_host;
+        if (options.gss_keyex) {
+                kex->gss_deleg_creds = options.gss_deleg_creds;
+                kex->gss_trust_dns = options.gss_trust_dns;
+                kex->gss_client = options.gss_client_identity;
+                kex->gss_host = gss_host;
+        }
 #endif
 
         xxx_kex = kex;
@@ -247,6 +255,7 @@ struct Authctxt {
 struct Authmethod {
         char    *name;          /* string to compare against server's list */
         int     (*userauth)(Authctxt *authctxt);
+        void    (*cleanup)(Authctxt *authctxt);
         int     *enabled;       /* flag in option struct that enables method */
         int     *batch_flag;    /* flag in option struct that disables method */
 };
@@ -258,13 +267,18 @@ void	input_userauth_error(int, u_int32_t, void *);
 void    input_userauth_info_req(int, u_int32_t, void *);
 void    input_userauth_pk_ok(int, u_int32_t, void *);
 void    input_userauth_passwd_changereq(int, u_int32_t, void *);
+void    input_userauth_jpake_server_step1(int, u_int32_t, void *);
+void    input_userauth_jpake_server_step2(int, u_int32_t, void *);
+void    input_userauth_jpake_server_confirm(int, u_int32_t, void *);
 
 int     userauth_none(Authctxt *);
 int     userauth_pubkey(Authctxt *);
 int     userauth_passwd(Authctxt *);
 int     userauth_kbdint(Authctxt *);
 int     userauth_hostbased(Authctxt *);
-int     userauth_kerberos(Authctxt *);
+int     userauth_jpake(Authctxt *);
+
+void    userauth_jpake_cleanup(Authctxt *);
 
 #ifdef GSSAPI
 int     userauth_gssapi(Authctxt *authctxt);
@@ -295,6 +309,7 @@ Authmethod authmethods[] = {
                 NULL},
         {"gssapi-with-mic",
                 userauth_gssapi,
+                NULL,
                 &options.gss_authentication,
                 NULL},
         {"gssapi",
@@ -304,25 +319,37 @@ Authmethod authmethods[] = {
 #endif
         {"hostbased",
                 userauth_hostbased,
+                NULL,
                 &options.hostbased_authentication,
                 NULL},
         {"publickey",
                 userauth_pubkey,
+                NULL,
                 &options.pubkey_authentication,
                 NULL},
+#ifdef JPAKE
+        {"jpake-01@openssh.com",
+                userauth_jpake,
+                userauth_jpake_cleanup,
+                &options.zero_knowledge_password_authentication,
+                &options.batch_mode},
+#endif
         {"keyboard-interactive",
                 userauth_kbdint,
+                NULL,
                 &options.kbd_interactive_authentication,
                 &options.batch_mode},
         {"password",
                 userauth_passwd,
+                NULL,
                 &options.password_authentication,
                 &options.batch_mode},
         {"none",
                 userauth_none,
                 NULL,
+                NULL,
                 NULL},
-        {NULL, NULL, NULL, NULL}
+        {NULL, NULL, NULL, NULL, NULL}
 };
 
 void
@@ -390,6 +417,9 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
 void
 userauth(Authctxt *authctxt, char *authlist)
 {
+        if (authctxt->method != NULL && authctxt->method->cleanup != NULL)
+                authctxt->method->cleanup(authctxt);
+
         if (authctxt->methoddata) {
                 xfree(authctxt->methoddata);
                 authctxt->methoddata = NULL;
@@ -422,6 +452,7 @@ userauth(Authctxt *authctxt, char *authlist)
         }
 }
 
+/* ARGSUSED */
 void
 input_userauth_error(int type, u_int32_t seq, void *ctxt)
 {
@@ -429,6 +460,7 @@ input_userauth_error(int type, u_int32_t seq, void *ctxt)
             "type %d", type);
 }
 
+/* ARGSUSED */
 void
 input_userauth_banner(int type, u_int32_t seq, void *ctxt)
 {
@@ -438,12 +470,11 @@ input_userauth_banner(int type, u_int32_t seq, void *ctxt)
         debug3("input_userauth_banner");
         raw = packet_get_string(&len);
         lang = packet_get_string(NULL);
-        if (options.log_level >= SYSLOG_LEVEL_INFO) {
+        if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO) {
                 if (len > 65536)
                         len = 65536;
                 msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
                 strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL);
-                msg[len*4] = '\0';
                 fprintf(stderr, "%s", msg);
                 xfree(msg);
         }
@@ -451,6 +482,7 @@ input_userauth_banner(int type, u_int32_t seq, void *ctxt)
         xfree(lang);
 }
 
+/* ARGSUSED */
 void
 input_userauth_success(int type, u_int32_t seq, void *ctxt)
 {
@@ -468,6 +500,7 @@ input_userauth_success(int type, u_int32_t seq, void *ctxt)
         authctxt->success = 1;                  /* break out */
 }
 
+/* ARGSUSED */
 void
 input_userauth_failure(int type, u_int32_t seq, void *ctxt)
 {
@@ -488,6 +521,8 @@ input_userauth_failure(int type, u_int32_t seq, void *ctxt)
 
         userauth(authctxt, authlist);
 }
+
+/* ARGSUSED */
 void
 input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
 {
@@ -567,26 +602,30 @@ userauth_gssapi(Authctxt *authctxt)
         static u_int mech = 0;
         OM_uint32 min;
         int ok = 0;
-        char *gss_host = NULL;
+        const char *gss_host;
         int old_gssapi_method;
 
         if (options.gss_trust_dns)
-                gss_host = (char *)get_canonical_hostname(1);
+                gss_host = get_canonical_hostname(1);
         else
-                gss_host = (char *)authctxt->host;
+                gss_host = authctxt->host;
 
         /* Try one GSSAPI method at a time, rather than sending them all at
          * once. */
 
         if (gss_supported == NULL)
-                gss_indicate_mechs(&min, &gss_supported);
+                if (GSS_ERROR(gss_indicate_mechs(&min, &gss_supported))) {
+                        gss_supported = NULL;
+                        return 0;
+                }
 
         /* Check to see if the mechanism is usable before we offer it */
         while (mech < gss_supported->count && !ok) {
                 /* My DER encoding requires length<128 */
                 if (gss_supported->elements[mech].length < 128 &&
                     ssh_gssapi_check_mechanism(&gssctxt, 
-                    &gss_supported->elements[mech], gss_host)) {
+                    &gss_supported->elements[mech], gss_host, 
+                    options.gss_client_identity)) {
                         ok = 1; /* Mechanism works */
                 } else {
                         mech++;
@@ -691,6 +730,7 @@ process_gssapi_token(void *ctxt, gss_buffer_t recv_tok)
         return status;
 }
 
+/* ARGSUSED */
 void
 input_gssapi_response(int type, u_int32_t plen, void *ctxt)
 {
@@ -736,6 +776,7 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
         }
 }
 
+/* ARGSUSED */
 void
 input_gssapi_token(int type, u_int32_t plen, void *ctxt)
 {
@@ -763,6 +804,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt)
         }
 }
 
+/* ARGSUSED */
 void
 input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
 {
@@ -792,6 +834,7 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
         /* Server will be returning a failed packet after this one */
 }
 
+/* ARGSUSED */
 void
 input_gssapi_error(int type, u_int32_t plen, void *ctxt)
 {
@@ -898,9 +941,11 @@ userauth_passwd(Authctxt *authctxt)
 
         return 1;
 }
+
 /*
  * parse PASSWD_CHANGEREQ, prompt user and send SSH2_MSG_USERAUTH_REQUEST
  */
+/* ARGSUSED */
 void
 input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
 {
@@ -965,6 +1010,209 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
             &input_userauth_passwd_changereq);
 }
 
+#ifdef JPAKE
+static char *
+pw_encrypt(const char *password, const char *crypt_scheme, const char *salt)
+{
+        /* OpenBSD crypt(3) handles all of these */
+        if (strcmp(crypt_scheme, "crypt") == 0 ||
+            strcmp(crypt_scheme, "bcrypt") == 0 ||
+            strcmp(crypt_scheme, "md5crypt") == 0 ||
+            strcmp(crypt_scheme, "crypt-extended") == 0)
+                return xstrdup(crypt(password, salt));
+        error("%s: unsupported password encryption scheme \"%.100s\"",
+            __func__, crypt_scheme);
+        return NULL;
+}
+
+static BIGNUM *
+jpake_password_to_secret(Authctxt *authctxt, const char *crypt_scheme,
+    const char *salt)
+{
+        char prompt[256], *password, *crypted;
+        u_char *secret;
+        u_int secret_len;
+        BIGNUM *ret;
+
+        snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password (JPAKE): ",
+            authctxt->server_user, authctxt->host);
+        password = read_passphrase(prompt, 0);
+
+        if ((crypted = pw_encrypt(password, crypt_scheme, salt)) == NULL) {
+                logit("Disabling %s authentication", authctxt->method->name);
+                authctxt->method->enabled = NULL;
+                /* Continue with an empty password to fail gracefully */
+                crypted = xstrdup("");
+        }
+
+#ifdef JPAKE_DEBUG
+        debug3("%s: salt = %s", __func__, salt);
+        debug3("%s: scheme = %s", __func__, crypt_scheme);
+        debug3("%s: crypted = %s", __func__, crypted);
+#endif
+
+        if (hash_buffer(crypted, strlen(crypted), EVP_sha256(),
+            &secret, &secret_len) != 0)
+                fatal("%s: hash_buffer", __func__);
+
+        bzero(password, strlen(password));
+        bzero(crypted, strlen(crypted));
+        xfree(password);
+        xfree(crypted);
+
+        if ((ret = BN_bin2bn(secret, secret_len, NULL)) == NULL)
+                fatal("%s: BN_bin2bn (secret)", __func__);
+        bzero(secret, secret_len);
+        xfree(secret);
+
+        return ret;
+}
+
+/* ARGSUSED */
+void
+input_userauth_jpake_server_step1(int type, u_int32_t seq, void *ctxt)
+{
+        Authctxt *authctxt = ctxt;
+        struct jpake_ctx *pctx = authctxt->methoddata;
+        u_char *x3_proof, *x4_proof, *x2_s_proof;
+        u_int x3_proof_len, x4_proof_len, x2_s_proof_len;
+        char *crypt_scheme, *salt;
+
+        /* Disable this message */
+        dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1, NULL);
+
+        if ((pctx->g_x3 = BN_new()) == NULL ||
+            (pctx->g_x4 = BN_new()) == NULL)
+                fatal("%s: BN_new", __func__);
+
+        /* Fetch step 1 values */
+        crypt_scheme = packet_get_string(NULL);
+        salt = packet_get_string(NULL);
+        pctx->server_id = packet_get_string(&pctx->server_id_len);
+        packet_get_bignum2(pctx->g_x3);
+        packet_get_bignum2(pctx->g_x4);
+        x3_proof = packet_get_string(&x3_proof_len);
+        x4_proof = packet_get_string(&x4_proof_len);
+        packet_check_eom();
+
+        JPAKE_DEBUG_CTX((pctx, "step 1 received in %s", __func__));
+
+        /* Obtain password and derive secret */
+        pctx->s = jpake_password_to_secret(authctxt, crypt_scheme, salt);
+        bzero(crypt_scheme, strlen(crypt_scheme));
+        bzero(salt, strlen(salt));
+        xfree(crypt_scheme);
+        xfree(salt);
+        JPAKE_DEBUG_BN((pctx->s, "%s: s = ", __func__));
+
+        /* Calculate step 2 values */
+        jpake_step2(pctx->grp, pctx->s, pctx->g_x1,
+            pctx->g_x3, pctx->g_x4, pctx->x2,
+            pctx->server_id, pctx->server_id_len,
+            pctx->client_id, pctx->client_id_len,
+            x3_proof, x3_proof_len,
+            x4_proof, x4_proof_len,
+            &pctx->a,
+            &x2_s_proof, &x2_s_proof_len);
+
+        bzero(x3_proof, x3_proof_len);
+        bzero(x4_proof, x4_proof_len);
+        xfree(x3_proof);
+        xfree(x4_proof);
+
+        JPAKE_DEBUG_CTX((pctx, "step 2 sending in %s", __func__));
+
+        /* Send values for step 2 */
+        packet_start(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2);
+        packet_put_bignum2(pctx->a);
+        packet_put_string(x2_s_proof, x2_s_proof_len);
+        packet_send();
+
+        bzero(x2_s_proof, x2_s_proof_len);
+        xfree(x2_s_proof);
+
+        /* Expect step 2 packet from peer */
+        dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2,
+            input_userauth_jpake_server_step2);
+}
+
+/* ARGSUSED */
+void
+input_userauth_jpake_server_step2(int type, u_int32_t seq, void *ctxt)
+{
+        Authctxt *authctxt = ctxt;
+        struct jpake_ctx *pctx = authctxt->methoddata;
+        u_char *x4_s_proof;
+        u_int x4_s_proof_len;
+
+        /* Disable this message */
+        dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2, NULL);
+
+        if ((pctx->b = BN_new()) == NULL)
+                fatal("%s: BN_new", __func__);
+
+        /* Fetch step 2 values */
+        packet_get_bignum2(pctx->b);
+        x4_s_proof = packet_get_string(&x4_s_proof_len);
+        packet_check_eom();
+
+        JPAKE_DEBUG_CTX((pctx, "step 2 received in %s", __func__));
+
+        /* Derive shared key and calculate confirmation hash */
+        jpake_key_confirm(pctx->grp, pctx->s, pctx->b,
+            pctx->x2, pctx->g_x1, pctx->g_x2, pctx->g_x3, pctx->g_x4,
+            pctx->client_id, pctx->client_id_len,
+            pctx->server_id, pctx->server_id_len,
+            session_id2, session_id2_len,
+            x4_s_proof, x4_s_proof_len,
+            &pctx->k,
+            &pctx->h_k_cid_sessid, &pctx->h_k_cid_sessid_len);
+
+        bzero(x4_s_proof, x4_s_proof_len);
+        xfree(x4_s_proof);
+
+        JPAKE_DEBUG_CTX((pctx, "confirm sending in %s", __func__));
+
+        /* Send key confirmation proof */
+        packet_start(SSH2_MSG_USERAUTH_JPAKE_CLIENT_CONFIRM);
+        packet_put_string(pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len);
+        packet_send();
+
+        /* Expect confirmation from peer */
+        dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_CONFIRM,
+            input_userauth_jpake_server_confirm);
+}
+
+/* ARGSUSED */
+void
+input_userauth_jpake_server_confirm(int type, u_int32_t seq, void *ctxt)
+{
+        Authctxt *authctxt = ctxt;
+        struct jpake_ctx *pctx = authctxt->methoddata;
+
+        /* Disable this message */
+        dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_CONFIRM, NULL);
+
+        pctx->h_k_sid_sessid = packet_get_string(&pctx->h_k_sid_sessid_len);
+        packet_check_eom();
+
+        JPAKE_DEBUG_CTX((pctx, "confirm received in %s", __func__));
+
+        /* Verify expected confirmation hash */
+        if (jpake_check_confirm(pctx->k,
+            pctx->server_id, pctx->server_id_len,
+            session_id2, session_id2_len,
+            pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len) == 1)
+                debug("%s: %s success", __func__, authctxt->method->name);
+        else {
+                debug("%s: confirmation mismatch", __func__);
+                /* XXX stash this so if auth succeeds then we can warn/kill */
+        }
+
+        userauth_jpake_cleanup(authctxt);
+}
+#endif /* JPAKE */
+
 static int
 identity_sign(Identity *id, u_char **sigp, u_int *lenp,
     u_char *data, u_int datalen)
@@ -1541,6 +1789,76 @@ userauth_hostbased(Authctxt *authctxt)
         return 1;
 }
 
+#ifdef JPAKE
+int
+userauth_jpake(Authctxt *authctxt)
+{
+        struct jpake_ctx *pctx;
+        u_char *x1_proof, *x2_proof;
+        u_int x1_proof_len, x2_proof_len;
+        static int attempt = 0; /* XXX share with userauth_password's? */
+
+        if (attempt++ >= options.number_of_password_prompts)
+                return 0;
+        if (attempt != 1)
+                error("Permission denied, please try again.");
+
+        if (authctxt->methoddata != NULL)
+                fatal("%s: authctxt->methoddata already set (%p)",
+                    __func__, authctxt->methoddata);
+
+        authctxt->methoddata = pctx = jpake_new();
+
+        /*
+         * Send request immediately, to get the protocol going while
+         * we do the initial computations.
+         */
+        packet_start(SSH2_MSG_USERAUTH_REQUEST);
+        packet_put_cstring(authctxt->server_user);
+        packet_put_cstring(authctxt->service);
+        packet_put_cstring(authctxt->method->name);
+        packet_send();
+        packet_write_wait();
+
+        jpake_step1(pctx->grp,
+            &pctx->client_id, &pctx->client_id_len,
+            &pctx->x1, &pctx->x2, &pctx->g_x1, &pctx->g_x2,
+            &x1_proof, &x1_proof_len,
+            &x2_proof, &x2_proof_len);
+
+        JPAKE_DEBUG_CTX((pctx, "step 1 sending in %s", __func__));
+
+        packet_start(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1);
+        packet_put_string(pctx->client_id, pctx->client_id_len);
+        packet_put_bignum2(pctx->g_x1);
+        packet_put_bignum2(pctx->g_x2);
+        packet_put_string(x1_proof, x1_proof_len);
+        packet_put_string(x2_proof, x2_proof_len);
+        packet_send();
+
+        bzero(x1_proof, x1_proof_len);
+        bzero(x2_proof, x2_proof_len);
+        xfree(x1_proof);
+        xfree(x2_proof);
+
+        /* Expect step 1 packet from peer */
+        dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1,
+            input_userauth_jpake_server_step1);
+
+        return 1;
+}
+
+void
+userauth_jpake_cleanup(Authctxt *authctxt)
+{
+        debug3("%s: clean up", __func__);
+        if (authctxt->methoddata != NULL) {
+                jpake_free(authctxt->methoddata);
+                authctxt->methoddata = NULL;
+        }
+}
+#endif /* JPAKE */
+
 /* find auth method */
 
 /*
@@ -1642,3 +1960,4 @@ authmethods_get(void)
         buffer_free(&b);
         return list;
 }
+