1 files changed, 128 insertions, 11 deletions
diff --git a/monitor.c b/monitor.c
index 2ce89fe90..ebf76c7f9 100644
--- a/monitor.c
+++ b/monitor.c
@@ -148,6 +148,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *);
 int mm_answer_gss_accept_ctx(struct ssh *, int, struct sshbuf *);
 int mm_answer_gss_userok(struct ssh *, int, struct sshbuf *);
 int mm_answer_gss_checkmic(struct ssh *, int, struct sshbuf *);
+int mm_answer_gss_sign(struct ssh *, int, struct sshbuf *);
+int mm_answer_gss_updatecreds(struct ssh *, int, struct sshbuf *);
 #endif
 #ifdef SSH_AUDIT_EVENTS
@@ -220,11 +222,18 @@ struct mon_table mon_dispatch_proto20[] = {
    {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
    {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok},
    {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
+    {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
 #endif
    {0, 0, NULL}
 };
 struct mon_table mon_dispatch_postauth20[] = {
+#ifdef GSSAPI
+    {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
+    {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
+    {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
+    {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
+#endif
 #ifdef WITH_OPENSSL
    {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
 #endif
@@ -293,6 +302,10 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
        /* Permit requests for moduli and signatures */
        monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
        monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
+#ifdef GSSAPI
+        /* and for the GSSAPI key exchange */
+        monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
        /* The first few requests do not require asynchronous access */
        while (!authenticated) {
@@ -406,6 +419,10 @@ monitor_child_postauth(struct ssh *ssh, struct monitor *pmonitor)
        monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
        monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
        monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef GSSAPI
+        /* and for the GSSAPI key exchange */
+        monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
        if (auth_opts->permit_pty_flag) {
                monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
@@ -1713,6 +1730,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
 # ifdef OPENSSL_HAS_ECC
                kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
 # endif
+# ifdef GSSAPI
+                if (options.gss_keyex) {
+                        kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+                        kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+                        kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server;
+                        kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server;
+                        kex->kex[KEX_GSS_GEX_SHA1] = kexgssgex_server;
+                        kex->kex[KEX_GSS_NISTP256_SHA256] = kexgss_server;
+                        kex->kex[KEX_GSS_C25519_SHA256] = kexgss_server;
+                }
+# endif
 #endif /* WITH_OPENSSL */
                kex->kex[KEX_C25519_SHA256] = kex_gen_server;
                kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server;
@@ -1806,8 +1834,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
        u_char *p;
        int r;
-        if (!options.gss_authentication)
+        if (!options.gss_authentication && !options.gss_keyex)
-                fatal("%s: GSSAPI authentication not enabled", __func__);
+                fatal("%s: GSSAPI not enabled", __func__);
        if ((r = sshbuf_get_string(m, &p, &len)) != 0)
                fatal("%s: buffer error: %s", __func__, ssh_err(r));
@@ -1839,8 +1867,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
        OM_uint32 flags = 0; /* GSI needs this */
        int r;
-        if (!options.gss_authentication)
+        if (!options.gss_authentication && !options.gss_keyex)
-                fatal("%s: GSSAPI authentication not enabled", __func__);
+                fatal("%s: GSSAPI not enabled", __func__);
        if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
                fatal("%s: buffer error: %s", __func__, ssh_err(r));
@@ -1860,6 +1888,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
        }
        return (0);
 }
@@ -1871,8 +1900,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
        OM_uint32 ret;
        int r;
-        if (!options.gss_authentication)
+        if (!options.gss_authentication && !options.gss_keyex)
-                fatal("%s: GSSAPI authentication not enabled", __func__);
+                fatal("%s: GSSAPI not enabled", __func__);
        if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
            (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)
@@ -1898,13 +1927,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
 int
 mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
 {
-        int r, authenticated;
+        int r, authenticated, kex;
        const char *displayname;
-        if (!options.gss_authentication)
+        if (!options.gss_authentication && !options.gss_keyex)
-                fatal("%s: GSSAPI authentication not enabled", __func__);
+                fatal("%s: GSSAPI not enabled", __func__);
-        authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
+        if ((r = sshbuf_get_u32(m, &kex)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+        authenticated = authctxt->valid &&
+            ssh_gssapi_userok(authctxt->user, authctxt->pw, kex);
        sshbuf_reset(m);
        if ((r = sshbuf_put_u32(m, authenticated)) != 0)
@@ -1913,7 +1946,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
        debug3("%s: sending result %d", __func__, authenticated);
        mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
-        auth_method = "gssapi-with-mic";
+        if (kex) {
+                auth_method = "gssapi-keyex";
+        } else {
+                auth_method = "gssapi-with-mic";
+        }
        if ((displayname = ssh_gssapi_displayname()) != NULL)
                auth2_record_info(authctxt, "%s", displayname);
@@ -1921,5 +1958,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
        /* Monitor loop will terminate if authenticated */
        return (authenticated);
 }
+int
+mm_answer_gss_sign(struct ssh *ssh, int socket, struct sshbuf *m)
+{
+        gss_buffer_desc data;
+        gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
+        OM_uint32 major, minor;
+        size_t len;
+        u_char *p = NULL;
+        int r;
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("%s: GSSAPI not enabled", __func__);
+        if ((r = sshbuf_get_string(m, &p, &len)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+        data.value = p;
+        data.length = len;
+        /* Lengths of SHA-1, SHA-256 and SHA-512 hashes that are used */
+        if (data.length != 20 && data.length != 32 && data.length != 64)
+                fatal("%s: data length incorrect: %d", __func__,
+                    (int) data.length);
+        /* Save the session ID on the first time around */
+        if (session_id2_len == 0) {
+                session_id2_len = data.length;
+                session_id2 = xmalloc(session_id2_len);
+                memcpy(session_id2, data.value, session_id2_len);
+        }
+        major = ssh_gssapi_sign(gsscontext, &data, &hash);
+        free(data.value);
+        sshbuf_reset(m);
+        if ((r = sshbuf_put_u32(m, major)) != 0 ||
+            (r = sshbuf_put_string(m, hash.value, hash.length)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+        mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
+        gss_release_buffer(&minor, &hash);
+        /* Turn on getpwnam permissions */
+        monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
+        /* And credential updating, for when rekeying */
+        monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
+        return (0);
+}
+int
+mm_answer_gss_updatecreds(struct ssh *ssh, int socket, struct sshbuf *m) {
+        ssh_gssapi_ccache store;
+        int r, ok;
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("%s: GSSAPI not enabled", __func__);
+        if ((r = sshbuf_get_string(m, (u_char **)&store.filename, NULL)) != 0 ||
+            (r = sshbuf_get_string(m, (u_char **)&store.envvar, NULL)) != 0 ||
+            (r = sshbuf_get_string(m, (u_char **)&store.envval, NULL)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+        ok = ssh_gssapi_update_creds(&store);
+        free(store.filename);
+        free(store.envvar);
+        free(store.envval);
+        sshbuf_reset(m);
+        if ((r = sshbuf_put_u32(m, ok)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+        mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
+        return(0);
+}
 #endif /* GSSAPI */

diff --git a/monitor.c b/monitor.c index 2ce89fe90..ebf76c7f9 100644 --- a/monitor.c +++ b/monitor.c
@@ -148,6 +148,8 @@ int mm_answer_gss_setup_ctx(struct ssh , int, struct sshbuf );
148	int mm_answer_gss_accept_ctx(struct ssh , int, struct sshbuf );	148	int mm_answer_gss_accept_ctx(struct ssh , int, struct sshbuf );
149	int mm_answer_gss_userok(struct ssh , int, struct sshbuf );	149	int mm_answer_gss_userok(struct ssh , int, struct sshbuf );
150	int mm_answer_gss_checkmic(struct ssh , int, struct sshbuf );	150	int mm_answer_gss_checkmic(struct ssh , int, struct sshbuf );
		151	int mm_answer_gss_sign(struct ssh , int, struct sshbuf );
		152	int mm_answer_gss_updatecreds(struct ssh , int, struct sshbuf );
151	#endif	153	#endif
152		154
153	#ifdef SSH_AUDIT_EVENTS	155	#ifdef SSH_AUDIT_EVENTS
@@ -220,11 +222,18 @@ struct mon_table mon_dispatch_proto20[] = {
220	{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},	222	{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
221	{MONITOR_REQ_GSSUSEROK, MON_ONCE\|MON_AUTHDECIDE, mm_answer_gss_userok},	223	{MONITOR_REQ_GSSUSEROK, MON_ONCE\|MON_AUTHDECIDE, mm_answer_gss_userok},
222	{MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},	224	{MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
		225	{MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
223	#endif	226	#endif
224	{0, 0, NULL}	227	{0, 0, NULL}
225	};	228	};
226		229
227	struct mon_table mon_dispatch_postauth20[] = {	230	struct mon_table mon_dispatch_postauth20[] = {
		231	#ifdef GSSAPI
		232	{MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
		233	{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
		234	{MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
		235	{MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
		236	#endif
228	#ifdef WITH_OPENSSL	237	#ifdef WITH_OPENSSL
229	{MONITOR_REQ_MODULI, 0, mm_answer_moduli},	238	{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
230	#endif	239	#endif
@@ -293,6 +302,10 @@ monitor_child_preauth(struct ssh ssh, struct monitor pmonitor)
293	/* Permit requests for moduli and signatures */	302	/* Permit requests for moduli and signatures */
294	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);	303	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
295	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);	304	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
		305	#ifdef GSSAPI
		306	/* and for the GSSAPI key exchange */
		307	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
		308	#endif
296		309
297	/* The first few requests do not require asynchronous access */	310	/* The first few requests do not require asynchronous access */
298	while (!authenticated) {	311	while (!authenticated) {
@@ -406,6 +419,10 @@ monitor_child_postauth(struct ssh ssh, struct monitor pmonitor)
406	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);	419	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
407	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);	420	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
408	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);	421	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
		422	#ifdef GSSAPI
		423	/* and for the GSSAPI key exchange */
		424	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
		425	#endif
409		426
410	if (auth_opts->permit_pty_flag) {	427	if (auth_opts->permit_pty_flag) {
411	monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);	428	monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
@@ -1713,6 +1730,17 @@ monitor_apply_keystate(struct ssh ssh, struct monitor pmonitor)
1713	# ifdef OPENSSL_HAS_ECC	1730	# ifdef OPENSSL_HAS_ECC
1714	kex->kex[KEX_ECDH_SHA2] = kex_gen_server;	1731	kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
1715	# endif	1732	# endif
		1733	# ifdef GSSAPI
		1734	if (options.gss_keyex) {
		1735	kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
		1736	kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
		1737	kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server;
		1738	kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server;
		1739	kex->kex[KEX_GSS_GEX_SHA1] = kexgssgex_server;
		1740	kex->kex[KEX_GSS_NISTP256_SHA256] = kexgss_server;
		1741	kex->kex[KEX_GSS_C25519_SHA256] = kexgss_server;
		1742	}
		1743	# endif
1716	#endif /* WITH_OPENSSL */	1744	#endif /* WITH_OPENSSL */
1717	kex->kex[KEX_C25519_SHA256] = kex_gen_server;	1745	kex->kex[KEX_C25519_SHA256] = kex_gen_server;
1718	kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server;	1746	kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server;
@@ -1806,8 +1834,8 @@ mm_answer_gss_setup_ctx(struct ssh ssh, int sock, struct sshbuf m)
1806	u_char *p;	1834	u_char *p;
1807	int r;	1835	int r;
1808		1836
1809	if (!options.gss_authentication)	1837	if (!options.gss_authentication && !options.gss_keyex)
1810	fatal("%s: GSSAPI authentication not enabled", __func__);	1838	fatal("%s: GSSAPI not enabled", __func__);
1811		1839
1812	if ((r = sshbuf_get_string(m, &p, &len)) != 0)	1840	if ((r = sshbuf_get_string(m, &p, &len)) != 0)
1813	fatal("%s: buffer error: %s", __func__, ssh_err(r));	1841	fatal("%s: buffer error: %s", __func__, ssh_err(r));
@@ -1839,8 +1867,8 @@ mm_answer_gss_accept_ctx(struct ssh ssh, int sock, struct sshbuf m)
1839	OM_uint32 flags = 0; /* GSI needs this */	1867	OM_uint32 flags = 0; /* GSI needs this */
1840	int r;	1868	int r;
1841		1869
1842	if (!options.gss_authentication)	1870	if (!options.gss_authentication && !options.gss_keyex)
1843	fatal("%s: GSSAPI authentication not enabled", __func__);	1871	fatal("%s: GSSAPI not enabled", __func__);
1844		1872
1845	if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)	1873	if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
1846	fatal("%s: buffer error: %s", __func__, ssh_err(r));	1874	fatal("%s: buffer error: %s", __func__, ssh_err(r));
@@ -1860,6 +1888,7 @@ mm_answer_gss_accept_ctx(struct ssh ssh, int sock, struct sshbuf m)
1860	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);	1888	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
1861	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);	1889	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
1862	monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);	1890	monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
		1891	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
1863	}	1892	}
1864	return (0);	1893	return (0);
1865	}	1894	}
@@ -1871,8 +1900,8 @@ mm_answer_gss_checkmic(struct ssh ssh, int sock, struct sshbuf m)
1871	OM_uint32 ret;	1900	OM_uint32 ret;
1872	int r;	1901	int r;
1873		1902
1874	if (!options.gss_authentication)	1903	if (!options.gss_authentication && !options.gss_keyex)
1875	fatal("%s: GSSAPI authentication not enabled", __func__);	1904	fatal("%s: GSSAPI not enabled", __func__);
1876		1905
1877	if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 \|\|	1906	if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 \|\|
1878	(r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)	1907	(r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)
@@ -1898,13 +1927,17 @@ mm_answer_gss_checkmic(struct ssh ssh, int sock, struct sshbuf m)
1898	int	1927	int
1899	mm_answer_gss_userok(struct ssh ssh, int sock, struct sshbuf m)	1928	mm_answer_gss_userok(struct ssh ssh, int sock, struct sshbuf m)
1900	{	1929	{
1901	int r, authenticated;	1930	int r, authenticated, kex;
1902	const char *displayname;	1931	const char *displayname;
1903		1932
1904	if (!options.gss_authentication)	1933	if (!options.gss_authentication && !options.gss_keyex)
1905	fatal("%s: GSSAPI authentication not enabled", __func__);	1934	fatal("%s: GSSAPI not enabled", __func__);
1906		1935
1907	authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);	1936	if ((r = sshbuf_get_u32(m, &kex)) != 0)
		1937	fatal("%s: buffer error: %s", __func__, ssh_err(r));
		1938
		1939	authenticated = authctxt->valid &&
		1940	ssh_gssapi_userok(authctxt->user, authctxt->pw, kex);
1908		1941
1909	sshbuf_reset(m);	1942	sshbuf_reset(m);
1910	if ((r = sshbuf_put_u32(m, authenticated)) != 0)	1943	if ((r = sshbuf_put_u32(m, authenticated)) != 0)
@@ -1913,7 +1946,11 @@ mm_answer_gss_userok(struct ssh ssh, int sock, struct sshbuf m)
1913	debug3("%s: sending result %d", __func__, authenticated);	1946	debug3("%s: sending result %d", __func__, authenticated);
1914	mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);	1947	mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
1915		1948
1916	auth_method = "gssapi-with-mic";	1949	if (kex) {
		1950	auth_method = "gssapi-keyex";
		1951	} else {
		1952	auth_method = "gssapi-with-mic";
		1953	}
1917		1954
1918	if ((displayname = ssh_gssapi_displayname()) != NULL)	1955	if ((displayname = ssh_gssapi_displayname()) != NULL)
1919	auth2_record_info(authctxt, "%s", displayname);	1956	auth2_record_info(authctxt, "%s", displayname);
@@ -1921,5 +1958,85 @@ mm_answer_gss_userok(struct ssh ssh, int sock, struct sshbuf m)
1921	/* Monitor loop will terminate if authenticated */	1958	/* Monitor loop will terminate if authenticated */
1922	return (authenticated);	1959	return (authenticated);
1923	}	1960	}
		1961
		1962	int
		1963	mm_answer_gss_sign(struct ssh ssh, int socket, struct sshbuf m)
		1964	{
		1965	gss_buffer_desc data;
		1966	gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
		1967	OM_uint32 major, minor;
		1968	size_t len;
		1969	u_char *p = NULL;
		1970	int r;
		1971
		1972	if (!options.gss_authentication && !options.gss_keyex)
		1973	fatal("%s: GSSAPI not enabled", __func__);
		1974
		1975	if ((r = sshbuf_get_string(m, &p, &len)) != 0)
		1976	fatal("%s: buffer error: %s", __func__, ssh_err(r));
		1977	data.value = p;
		1978	data.length = len;
		1979	/* Lengths of SHA-1, SHA-256 and SHA-512 hashes that are used */
		1980	if (data.length != 20 && data.length != 32 && data.length != 64)
		1981	fatal("%s: data length incorrect: %d", __func__,
		1982	(int) data.length);
		1983
		1984	/* Save the session ID on the first time around */
		1985	if (session_id2_len == 0) {
		1986	session_id2_len = data.length;
		1987	session_id2 = xmalloc(session_id2_len);
		1988	memcpy(session_id2, data.value, session_id2_len);
		1989	}
		1990	major = ssh_gssapi_sign(gsscontext, &data, &hash);
		1991
		1992	free(data.value);
		1993
		1994	sshbuf_reset(m);
		1995
		1996	if ((r = sshbuf_put_u32(m, major)) != 0 \|\|
		1997	(r = sshbuf_put_string(m, hash.value, hash.length)) != 0)
		1998	fatal("%s: buffer error: %s", __func__, ssh_err(r));
		1999
		2000	mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
		2001
		2002	gss_release_buffer(&minor, &hash);
		2003
		2004	/* Turn on getpwnam permissions */
		2005	monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
		2006
		2007	/* And credential updating, for when rekeying */
		2008	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
		2009
		2010	return (0);
		2011	}
		2012
		2013	int
		2014	mm_answer_gss_updatecreds(struct ssh ssh, int socket, struct sshbuf m) {
		2015	ssh_gssapi_ccache store;
		2016	int r, ok;
		2017
		2018	if (!options.gss_authentication && !options.gss_keyex)
		2019	fatal("%s: GSSAPI not enabled", __func__);
		2020
		2021	if ((r = sshbuf_get_string(m, (u_char **)&store.filename, NULL)) != 0 \|\|
		2022	(r = sshbuf_get_string(m, (u_char **)&store.envvar, NULL)) != 0 \|\|
		2023	(r = sshbuf_get_string(m, (u_char **)&store.envval, NULL)) != 0)
		2024	fatal("%s: buffer error: %s", __func__, ssh_err(r));
		2025
		2026	ok = ssh_gssapi_update_creds(&store);
		2027
		2028	free(store.filename);
		2029	free(store.envvar);
		2030	free(store.envval);
		2031
		2032	sshbuf_reset(m);
		2033	if ((r = sshbuf_put_u32(m, ok)) != 0)
		2034	fatal("%s: buffer error: %s", __func__, ssh_err(r));
		2035
		2036	mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
		2037
		2038	return(0);
		2039	}
		2040
1924	#endif /* GSSAPI */	2041	#endif /* GSSAPI */
1925		2042