1 files changed, 107 insertions, 1 deletions
diff --git a/monitor.c b/monitor.c
index 9eb4e35c9..517acf3dc 100644
--- a/monitor.c
+++ b/monitor.c
@@ -172,6 +172,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
 int mm_answer_gss_checkmic(int, Buffer *);
+int mm_answer_gss_sign(int, Buffer *);
+int mm_answer_gss_updatecreds(int, Buffer *);
 #endif
 #ifdef SSH_AUDIT_EVENTS
@@ -241,6 +243,7 @@ struct mon_table mon_dispatch_proto20[] = {
    {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
    {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
    {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
+    {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
 #endif
 #ifdef JPAKE
    {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
@@ -253,6 +256,12 @@ struct mon_table mon_dispatch_proto20[] = {
 };
 struct mon_table mon_dispatch_postauth20[] = {
+#ifdef GSSAPI
+    {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
+    {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
+    {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
+    {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
+#endif
    {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
    {MONITOR_REQ_SIGN, 0, mm_answer_sign},
    {MONITOR_REQ_PTY, 0, mm_answer_pty},
@@ -357,6 +366,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
                /* Permit requests for moduli and signatures */
                monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
+#ifdef GSSAPI
+                /* and for the GSSAPI key exchange */
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
        } else {
                mon_dispatch = mon_dispatch_proto15;
@@ -443,6 +456,10 @@ monitor_child_postauth(struct monitor *pmonitor)
                monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef GSSAPI
+                /* and for the GSSAPI key exchange */
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif          
        } else {
                mon_dispatch = mon_dispatch_postauth15;
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1691,6 +1708,13 @@ mm_get_kex(Buffer *m)
        kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
        kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
        kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
+#ifdef GSSAPI
+        if (options.gss_keyex) {
+                kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+                kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+                kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
+        }
+#endif
        kex->server = 1;
        kex->hostkey_type = buffer_get_int(m);
        kex->kex_type = buffer_get_int(m);
@@ -1897,6 +1921,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
        OM_uint32 major;
        u_int len;
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
        goid.elements = buffer_get_string(m, &len);
        goid.length = len;
@@ -1924,6 +1951,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
        OM_uint32 flags = 0; /* GSI needs this */
        u_int len;
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
        in.value = buffer_get_string(m, &len);
        in.length = len;
        major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -1941,6 +1971,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
        }
        return (0);
 }
@@ -1952,6 +1983,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
        OM_uint32 ret;
        u_int len;
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
        gssbuf.value = buffer_get_string(m, &len);
        gssbuf.length = len;
        mic.value = buffer_get_string(m, &len);
@@ -1978,7 +2012,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
 {
        int authenticated;
-        authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
+        authenticated = authctxt->valid && 
+            ssh_gssapi_userok(authctxt->user, authctxt->pw);
        buffer_clear(m);
        buffer_put_int(m, authenticated);
@@ -1991,6 +2029,74 @@ mm_answer_gss_userok(int sock, Buffer *m)
        /* Monitor loop will terminate if authenticated */
        return (authenticated);
 }
+int 
+mm_answer_gss_sign(int socket, Buffer *m)
+{
+        gss_buffer_desc data;
+        gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
+        OM_uint32 major, minor;
+        u_int len;
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
+        data.value = buffer_get_string(m, &len);
+        data.length = len;
+        if (data.length != 20) 
+                fatal("%s: data length incorrect: %d", __func__, 
+                    (int) data.length);
+        /* Save the session ID on the first time around */
+        if (session_id2_len == 0) {
+                session_id2_len = data.length;
+                session_id2 = xmalloc(session_id2_len);
+                memcpy(session_id2, data.value, session_id2_len);
+        }
+        major = ssh_gssapi_sign(gsscontext, &data, &hash);
+        xfree(data.value);
+        buffer_clear(m);
+        buffer_put_int(m, major);
+        buffer_put_string(m, hash.value, hash.length);
+        mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
+        gss_release_buffer(&minor, &hash);
+        /* Turn on getpwnam permissions */
+        monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
+        
+        /* And credential updating, for when rekeying */
+        monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
+        return (0);
+}
+int
+mm_answer_gss_updatecreds(int socket, Buffer *m) {
+        ssh_gssapi_ccache store;
+        int ok;
+        store.filename = buffer_get_string(m, NULL);
+        store.envvar   = buffer_get_string(m, NULL);
+        store.envval   = buffer_get_string(m, NULL);
+        ok = ssh_gssapi_update_creds(&store);
+        xfree(store.filename);
+        xfree(store.envvar);
+        xfree(store.envval);
+        buffer_clear(m);
+        buffer_put_int(m, ok);
+        mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
+        return(0);
+}
 #endif /* GSSAPI */
 #ifdef JPAKE

diff --git a/monitor.c b/monitor.c index 9eb4e35c9..517acf3dc 100644 --- a/monitor.c +++ b/monitor.c
@@ -172,6 +172,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
172	int mm_answer_gss_accept_ctx(int, Buffer *);	172	int mm_answer_gss_accept_ctx(int, Buffer *);
173	int mm_answer_gss_userok(int, Buffer *);	173	int mm_answer_gss_userok(int, Buffer *);
174	int mm_answer_gss_checkmic(int, Buffer *);	174	int mm_answer_gss_checkmic(int, Buffer *);
		175	int mm_answer_gss_sign(int, Buffer *);
		176	int mm_answer_gss_updatecreds(int, Buffer *);
175	#endif	177	#endif
176		178
177	#ifdef SSH_AUDIT_EVENTS	179	#ifdef SSH_AUDIT_EVENTS
@@ -241,6 +243,7 @@ struct mon_table mon_dispatch_proto20[] = {
241	{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},	243	{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
242	{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},	244	{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
243	{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},	245	{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
		246	{MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
244	#endif	247	#endif
245	#ifdef JPAKE	248	#ifdef JPAKE
246	{MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},	249	{MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
@@ -253,6 +256,12 @@ struct mon_table mon_dispatch_proto20[] = {
253	};	256	};
254		257
255	struct mon_table mon_dispatch_postauth20[] = {	258	struct mon_table mon_dispatch_postauth20[] = {
		259	#ifdef GSSAPI
		260	{MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
		261	{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
		262	{MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
		263	{MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
		264	#endif
256	{MONITOR_REQ_MODULI, 0, mm_answer_moduli},	265	{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
257	{MONITOR_REQ_SIGN, 0, mm_answer_sign},	266	{MONITOR_REQ_SIGN, 0, mm_answer_sign},
258	{MONITOR_REQ_PTY, 0, mm_answer_pty},	267	{MONITOR_REQ_PTY, 0, mm_answer_pty},
@@ -357,6 +366,10 @@ monitor_child_preauth(Authctxt _authctxt, struct monitor pmonitor)
357	/* Permit requests for moduli and signatures */	366	/* Permit requests for moduli and signatures */
358	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);	367	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
359	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);	368	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
		369	#ifdef GSSAPI
		370	/* and for the GSSAPI key exchange */
		371	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
		372	#endif
360	} else {	373	} else {
361	mon_dispatch = mon_dispatch_proto15;	374	mon_dispatch = mon_dispatch_proto15;
362		375
@@ -443,6 +456,10 @@ monitor_child_postauth(struct monitor *pmonitor)
443	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);	456	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
444	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);	457	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
445	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);	458	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
		459	#ifdef GSSAPI
		460	/* and for the GSSAPI key exchange */
		461	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
		462	#endif
446	} else {	463	} else {
447	mon_dispatch = mon_dispatch_postauth15;	464	mon_dispatch = mon_dispatch_postauth15;
448	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);	465	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1691,6 +1708,13 @@ mm_get_kex(Buffer *m)
1691	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;	1708	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
1692	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;	1709	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
1693	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;	1710	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
		1711	#ifdef GSSAPI
		1712	if (options.gss_keyex) {
		1713	kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
		1714	kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
		1715	kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
		1716	}
		1717	#endif
1694	kex->server = 1;	1718	kex->server = 1;
1695	kex->hostkey_type = buffer_get_int(m);	1719	kex->hostkey_type = buffer_get_int(m);
1696	kex->kex_type = buffer_get_int(m);	1720	kex->kex_type = buffer_get_int(m);
@@ -1897,6 +1921,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
1897	OM_uint32 major;	1921	OM_uint32 major;
1898	u_int len;	1922	u_int len;
1899		1923
		1924	if (!options.gss_authentication && !options.gss_keyex)
		1925	fatal("In GSSAPI monitor when GSSAPI is disabled");
		1926
1900	goid.elements = buffer_get_string(m, &len);	1927	goid.elements = buffer_get_string(m, &len);
1901	goid.length = len;	1928	goid.length = len;
1902		1929
@@ -1924,6 +1951,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
1924	OM_uint32 flags = 0; /* GSI needs this */	1951	OM_uint32 flags = 0; /* GSI needs this */
1925	u_int len;	1952	u_int len;
1926		1953
		1954	if (!options.gss_authentication && !options.gss_keyex)
		1955	fatal("In GSSAPI monitor when GSSAPI is disabled");
		1956
1927	in.value = buffer_get_string(m, &len);	1957	in.value = buffer_get_string(m, &len);
1928	in.length = len;	1958	in.length = len;
1929	major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);	1959	major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -1941,6 +1971,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
1941	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);	1971	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
1942	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);	1972	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
1943	monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);	1973	monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
		1974	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
1944	}	1975	}
1945	return (0);	1976	return (0);
1946	}	1977	}
@@ -1952,6 +1983,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
1952	OM_uint32 ret;	1983	OM_uint32 ret;
1953	u_int len;	1984	u_int len;
1954		1985
		1986	if (!options.gss_authentication && !options.gss_keyex)
		1987	fatal("In GSSAPI monitor when GSSAPI is disabled");
		1988
1955	gssbuf.value = buffer_get_string(m, &len);	1989	gssbuf.value = buffer_get_string(m, &len);
1956	gssbuf.length = len;	1990	gssbuf.length = len;
1957	mic.value = buffer_get_string(m, &len);	1991	mic.value = buffer_get_string(m, &len);
@@ -1978,7 +2012,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
1978	{	2012	{
1979	int authenticated;	2013	int authenticated;
1980		2014
1981	authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);	2015	if (!options.gss_authentication && !options.gss_keyex)
		2016	fatal("In GSSAPI monitor when GSSAPI is disabled");
		2017
		2018	authenticated = authctxt->valid &&
		2019	ssh_gssapi_userok(authctxt->user, authctxt->pw);
1982		2020
1983	buffer_clear(m);	2021	buffer_clear(m);
1984	buffer_put_int(m, authenticated);	2022	buffer_put_int(m, authenticated);
@@ -1991,6 +2029,74 @@ mm_answer_gss_userok(int sock, Buffer *m)
1991	/* Monitor loop will terminate if authenticated */	2029	/* Monitor loop will terminate if authenticated */
1992	return (authenticated);	2030	return (authenticated);
1993	}	2031	}
		2032
		2033	int
		2034	mm_answer_gss_sign(int socket, Buffer *m)
		2035	{
		2036	gss_buffer_desc data;
		2037	gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
		2038	OM_uint32 major, minor;
		2039	u_int len;
		2040
		2041	if (!options.gss_authentication && !options.gss_keyex)
		2042	fatal("In GSSAPI monitor when GSSAPI is disabled");
		2043
		2044	data.value = buffer_get_string(m, &len);
		2045	data.length = len;
		2046	if (data.length != 20)
		2047	fatal("%s: data length incorrect: %d", __func__,
		2048	(int) data.length);
		2049
		2050	/* Save the session ID on the first time around */
		2051	if (session_id2_len == 0) {
		2052	session_id2_len = data.length;
		2053	session_id2 = xmalloc(session_id2_len);
		2054	memcpy(session_id2, data.value, session_id2_len);
		2055	}
		2056	major = ssh_gssapi_sign(gsscontext, &data, &hash);
		2057
		2058	xfree(data.value);
		2059
		2060	buffer_clear(m);
		2061	buffer_put_int(m, major);
		2062	buffer_put_string(m, hash.value, hash.length);
		2063
		2064	mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
		2065
		2066	gss_release_buffer(&minor, &hash);
		2067
		2068	/* Turn on getpwnam permissions */
		2069	monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
		2070
		2071	/* And credential updating, for when rekeying */
		2072	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
		2073
		2074	return (0);
		2075	}
		2076
		2077	int
		2078	mm_answer_gss_updatecreds(int socket, Buffer *m) {
		2079	ssh_gssapi_ccache store;
		2080	int ok;
		2081
		2082	store.filename = buffer_get_string(m, NULL);
		2083	store.envvar = buffer_get_string(m, NULL);
		2084	store.envval = buffer_get_string(m, NULL);
		2085
		2086	ok = ssh_gssapi_update_creds(&store);
		2087
		2088	xfree(store.filename);
		2089	xfree(store.envvar);
		2090	xfree(store.envval);
		2091
		2092	buffer_clear(m);
		2093	buffer_put_int(m, ok);
		2094
		2095	mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
		2096
		2097	return(0);
		2098	}
		2099
1994	#endif /* GSSAPI */	2100	#endif /* GSSAPI */
1995		2101
1996	#ifdef JPAKE	2102	#ifdef JPAKE