1 files changed, 63 insertions, 3 deletions
diff --git a/kex.c b/kex.c
index 34808b5c3..a2a4794e8 100644
--- a/kex.c
+++ b/kex.c
@@ -55,11 +55,16 @@
 #include "misc.h"
 #include "dispatch.h"
 #include "monitor.h"
+#include "xmalloc.h"
 #include "ssherr.h"
 #include "sshbuf.h"
 #include "digest.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
 /* prototype */
 static int kex_choose_conf(struct ssh *);
 static int kex_input_newkeys(int, u_int32_t, struct ssh *);
@@ -113,15 +118,28 @@ static const struct kexalg kexalgs[] = {
 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
        { NULL, -1, -1, -1},
 };
+static const struct kexalg gss_kexalgs[] = {
+#ifdef GSSAPI
+        { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
+        { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
+        { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
+        { KEX_GSS_GRP14_SHA256_ID, KEX_GSS_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
+        { KEX_GSS_GRP16_SHA512_ID, KEX_GSS_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
+        { KEX_GSS_NISTP256_SHA256_ID, KEX_GSS_NISTP256_SHA256,
+            NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
+        { KEX_GSS_C25519_SHA256_ID, KEX_GSS_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
+#endif
+        { NULL, -1, -1, -1 },
+};
-char *
+static char *
-kex_alg_list(char sep)
+kex_alg_list_internal(char sep, const struct kexalg *algs)
 {
        char *ret = NULL, *tmp;
        size_t nlen, rlen = 0;
        const struct kexalg *k;
-        for (k = kexalgs; k->name != NULL; k++) {
+        for (k = algs; k->name != NULL; k++) {
                if (ret != NULL)
                        ret[rlen++] = sep;
                nlen = strlen(k->name);
@@ -136,6 +154,18 @@ kex_alg_list(char sep)
        return ret;
 }
+char *
+kex_alg_list(char sep)
+{
+        return kex_alg_list_internal(sep, kexalgs);
+}
+char *
+kex_gss_alg_list(char sep)
+{
+        return kex_alg_list_internal(sep, gss_kexalgs);
+}
 static const struct kexalg *
 kex_alg_by_name(const char *name)
 {
@@ -145,6 +175,10 @@ kex_alg_by_name(const char *name)
                if (strcmp(k->name, name) == 0)
                        return k;
        }
+        for (k = gss_kexalgs; k->name != NULL; k++) {
+                if (strncmp(k->name, name, strlen(k->name)) == 0)
+                        return k;
+        }
        return NULL;
 }
@@ -301,6 +335,29 @@ kex_assemble_names(char **listp, const char *def, const char *all)
        return r;
 }
+/* Validate GSS KEX method name list */
+int
+kex_gss_names_valid(const char *names)
+{
+        char *s, *cp, *p;
+        if (names == NULL || *names == '\0')
+                return 0;
+        s = cp = xstrdup(names);
+        for ((p = strsep(&cp, ",")); p && *p != '\0';
+            (p = strsep(&cp, ","))) {
+                if (strncmp(p, "gss-", 4) != 0
+                  || kex_alg_by_name(p) == NULL) {
+                        error("Unsupported KEX algorithm \"%.100s\"", p);
+                        free(s);
+                        return 0;
+                }
+        }
+        debug3("gss kex names ok: [%s]", names);
+        free(s);
+        return 1;
+}
 /* put algorithm proposal into buffer */
 int
 kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
@@ -657,6 +714,9 @@ kex_free(struct kex *kex)
        sshbuf_free(kex->server_version);
        sshbuf_free(kex->client_pub);
        free(kex->session_id);
+#ifdef GSSAPI
+        free(kex->gss_host);
+#endif /* GSSAPI */
        free(kex->failed_choice);
        free(kex->hostkey_alg);
        free(kex->name);

diff --git a/kex.c b/kex.c index 34808b5c3..a2a4794e8 100644 --- a/kex.c +++ b/kex.c
@@ -55,11 +55,16 @@
55	#include "misc.h"	55	#include "misc.h"
56	#include "dispatch.h"	56	#include "dispatch.h"
57	#include "monitor.h"	57	#include "monitor.h"
		58	#include "xmalloc.h"
58		59
59	#include "ssherr.h"	60	#include "ssherr.h"
60	#include "sshbuf.h"	61	#include "sshbuf.h"
61	#include "digest.h"	62	#include "digest.h"
62		63
		64	#ifdef GSSAPI
		65	#include "ssh-gss.h"
		66	#endif
		67
63	/* prototype */	68	/* prototype */
64	static int kex_choose_conf(struct ssh *);	69	static int kex_choose_conf(struct ssh *);
65	static int kex_input_newkeys(int, u_int32_t, struct ssh *);	70	static int kex_input_newkeys(int, u_int32_t, struct ssh *);
@@ -113,15 +118,28 @@ static const struct kexalg kexalgs[] = {
113	#endif /* HAVE_EVP_SHA256 \|\| !WITH_OPENSSL */	118	#endif /* HAVE_EVP_SHA256 \|\| !WITH_OPENSSL */
114	{ NULL, -1, -1, -1},	119	{ NULL, -1, -1, -1},
115	};	120	};
		121	static const struct kexalg gss_kexalgs[] = {
		122	#ifdef GSSAPI
		123	{ KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
		124	{ KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
		125	{ KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
		126	{ KEX_GSS_GRP14_SHA256_ID, KEX_GSS_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
		127	{ KEX_GSS_GRP16_SHA512_ID, KEX_GSS_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
		128	{ KEX_GSS_NISTP256_SHA256_ID, KEX_GSS_NISTP256_SHA256,
		129	NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
		130	{ KEX_GSS_C25519_SHA256_ID, KEX_GSS_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
		131	#endif
		132	{ NULL, -1, -1, -1 },
		133	};
116		134
117	char *	135	static char *
118	kex_alg_list(char sep)	136	kex_alg_list_internal(char sep, const struct kexalg *algs)
119	{	137	{
120	char ret = NULL, tmp;	138	char ret = NULL, tmp;
121	size_t nlen, rlen = 0;	139	size_t nlen, rlen = 0;
122	const struct kexalg *k;	140	const struct kexalg *k;
123		141
124	for (k = kexalgs; k->name != NULL; k++) {	142	for (k = algs; k->name != NULL; k++) {
125	if (ret != NULL)	143	if (ret != NULL)
126	ret[rlen++] = sep;	144	ret[rlen++] = sep;
127	nlen = strlen(k->name);	145	nlen = strlen(k->name);
@@ -136,6 +154,18 @@ kex_alg_list(char sep)
136	return ret;	154	return ret;
137	}	155	}
138		156
		157	char *
		158	kex_alg_list(char sep)
		159	{
		160	return kex_alg_list_internal(sep, kexalgs);
		161	}
		162
		163	char *
		164	kex_gss_alg_list(char sep)
		165	{
		166	return kex_alg_list_internal(sep, gss_kexalgs);
		167	}
		168
139	static const struct kexalg *	169	static const struct kexalg *
140	kex_alg_by_name(const char *name)	170	kex_alg_by_name(const char *name)
141	{	171	{
@@ -145,6 +175,10 @@ kex_alg_by_name(const char *name)
145	if (strcmp(k->name, name) == 0)	175	if (strcmp(k->name, name) == 0)
146	return k;	176	return k;
147	}	177	}
		178	for (k = gss_kexalgs; k->name != NULL; k++) {
		179	if (strncmp(k->name, name, strlen(k->name)) == 0)
		180	return k;
		181	}
148	return NULL;	182	return NULL;
149	}	183	}
150		184
@@ -301,6 +335,29 @@ kex_assemble_names(char *listp, const char def, const char *all)
301	return r;	335	return r;
302	}	336	}
303		337
		338	/* Validate GSS KEX method name list */
		339	int
		340	kex_gss_names_valid(const char *names)
		341	{
		342	char s, cp, *p;
		343
		344	if (names == NULL \|\| *names == '\0')
		345	return 0;
		346	s = cp = xstrdup(names);
		347	for ((p = strsep(&cp, ",")); p && *p != '\0';
		348	(p = strsep(&cp, ","))) {
		349	if (strncmp(p, "gss-", 4) != 0
		350	\|\| kex_alg_by_name(p) == NULL) {
		351	error("Unsupported KEX algorithm \"%.100s\"", p);
		352	free(s);
		353	return 0;
		354	}
		355	}
		356	debug3("gss kex names ok: [%s]", names);
		357	free(s);
		358	return 1;
		359	}
		360
304	/* put algorithm proposal into buffer */	361	/* put algorithm proposal into buffer */
305	int	362	int
306	kex_prop2buf(struct sshbuf b, char proposal[PROPOSAL_MAX])	363	kex_prop2buf(struct sshbuf b, char proposal[PROPOSAL_MAX])
@@ -657,6 +714,9 @@ kex_free(struct kex *kex)
657	sshbuf_free(kex->server_version);	714	sshbuf_free(kex->server_version);
658	sshbuf_free(kex->client_pub);	715	sshbuf_free(kex->client_pub);
659	free(kex->session_id);	716	free(kex->session_id);
		717	#ifdef GSSAPI
		718	free(kex->gss_host);
		719	#endif /* GSSAPI */
660	free(kex->failed_choice);	720	free(kex->failed_choice);
661	free(kex->hostkey_alg);	721	free(kex->hostkey_alg);
662	free(kex->name);	722	free(kex->name);