Diffstat (limited to 'monitor.c')
-rw-r--r--monitor.c108
1 files changed, 107 insertions, 1 deletions
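--- a/monitor.c
+++ b/monitor.c
@@ -170,6 +170,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
 int mm_answer_gss_checkmic(int, Buffer *);
+int mm_answer_gss_sign(int, Buffer *);
+int mm_answer_gss_updatecreds(int, Buffer *);
 #endif
 
 #ifdef SSH_AUDIT_EVENTS
@@ -239,6 +241,7 @@ struct mon_table mon_dispatch_proto20[] = {
  {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
  {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
  {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
+ {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
 #endif
 #ifdef JPAKE
  {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
@@ -251,6 +254,12 @@ struct mon_table mon_dispatch_proto20[] = {
 };
 
 struct mon_table mon_dispatch_postauth20[] = {
+#ifdef GSSAPI
+ {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
+ {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
+ {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
+ {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
+#endif
  {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
  {MONITOR_REQ_SIGN, 0, mm_answer_sign},
  {MONITOR_REQ_PTY, 0, mm_answer_pty},
@@ -355,6 +364,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
  /* Permit requests for moduli and signatures */
  monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
  monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
+#ifdef GSSAPI
+ /* and for the GSSAPI key exchange */
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
  } else {
  mon_dispatch = mon_dispatch_proto15;
 
@@ -441,6 +454,10 @@ monitor_child_postauth(struct monitor *pmonitor)
  monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
  monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
  monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef GSSAPI
+ /* and for the GSSAPI key exchange */
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
  } else {
  mon_dispatch = mon_dispatch_postauth15;
  monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1699,6 +1716,13 @@ mm_get_kex(Buffer *m)
  kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
  kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
  kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
+#ifdef GSSAPI
+ if (options.gss_keyex) {
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
+ }
+#endif
  kex->server = 1;
  kex->hostkey_type = buffer_get_int(m);
  kex->kex_type = buffer_get_int(m);
@@ -1898,6 +1922,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
  OM_uint32 major;
  u_int len;
 
+ if (!options.gss_authentication && !options.gss_keyex)
+ fatal("In GSSAPI monitor when GSSAPI is disabled");
+
  goid.elements = buffer_get_string(m, &len);
  goid.length = len;
 
@@ -1925,6 +1952,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
  OM_uint32 flags = 0; /* GSI needs this */
  u_int len;
 
+ if (!options.gss_authentication && !options.gss_keyex)
+ fatal("In GSSAPI monitor when GSSAPI is disabled");
+
  in.value = buffer_get_string(m, &len);
  in.length = len;
  major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -1942,6 +1972,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
  monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
  monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
  monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
  }
  return (0);
 }
@@ -1953,6 +1984,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
  OM_uint32 ret;
  u_int len;
 
+ if (!options.gss_authentication && !options.gss_keyex)
+ fatal("In GSSAPI monitor when GSSAPI is disabled");
+
  gssbuf.value = buffer_get_string(m, &len);
  gssbuf.length = len;
  mic.value = buffer_get_string(m, &len);
@@ -1979,7 +2013,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
 {
  int authenticated;
 
- authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
+ if (!options.gss_authentication && !options.gss_keyex)
+ fatal("In GSSAPI monitor when GSSAPI is disabled");
+
+ authenticated = authctxt->valid &&
+ ssh_gssapi_userok(authctxt->user, authctxt->pw);
 
  buffer_clear(m);
  buffer_put_int(m, authenticated);
@@ -1992,6 +2030,74 @@ mm_answer_gss_userok(int sock, Buffer *m)
  /* Monitor loop will terminate if authenticated */
  return (authenticated);
 }
+
+int
+mm_answer_gss_sign(int socket, Buffer *m)
+{
+ gss_buffer_desc data;
+ gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
+ OM_uint32 major, minor;
+ u_int len;
+
+ if (!options.gss_authentication && !options.gss_keyex)
+ fatal("In GSSAPI monitor when GSSAPI is disabled");
+
+ data.value = buffer_get_string(m, &len);
+ data.length = len;
+ if (data.length != 20)
+ fatal("%s: data length incorrect: %d", __func__,
+ (int) data.length);
+
+ /* Save the session ID on the first time around */
+ if (session_id2_len == 0) {
+ session_id2_len = data.length;
+ session_id2 = xmalloc(session_id2_len);
+ memcpy(session_id2, data.value, session_id2_len);
+ }
+ major = ssh_gssapi_sign(gsscontext, &data, &hash);
+
+ xfree(data.value);
+
+ buffer_clear(m);
+ buffer_put_int(m, major);
+ buffer_put_string(m, hash.value, hash.length);
+
+ mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
+
+ gss_release_buffer(&minor, &hash);
+
+ /* Turn on getpwnam permissions */
+ monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
+
+ /* And credential updating, for when rekeying */
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
+
+ return (0);
+}
+
+int
+mm_answer_gss_updatecreds(int socket, Buffer *m) {
+ ssh_gssapi_ccache store;
+ int ok;
+
+ store.filename = buffer_get_string(m, NULL);
+ store.envvar = buffer_get_string(m, NULL);
+ store.envval = buffer_get_string(m, NULL);
+
+ ok = ssh_gssapi_update_creds(&store);
+
+ xfree(store.filename);
+ xfree(store.envvar);
+ xfree(store.envval);
+
+ buffer_clear(m);
+ buffer_put_int(m, ok);
+
+ mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
+
+ return(0);
+}
+
 #endif /* GSSAPI */
 
 #ifdef JPAKE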
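Review bot: mm_answer_gss_updatecreds, the last function added in the final hunk, is the only new GSSAPI handler that lacks the `if (!options.gss_authentication && !options.gss_keyex) fatal("In GSSAPI monitor when GSSAPI is disabled");` guard this commit inserts at the top of mm_answer_gss_setup_ctx, mm_answer_gss_accept_ctx, mm_answer_gss_checkmic, mm_answer_gss_userok and mm_answer_gss_sign; it should get the same two lines before its first buffer_get_string. That matters because the handler is registered with flags 0 in mon_dispatch_postauth20 and hands the child-supplied filename, envvar and envval straight to ssh_gssapi_update_creds inside the privileged monitor, so the monitor should at least refuse the request when GSSAPI is off, and a comment stating which of those three fields ssh_gssapi_update_creds validates (not visible from this file) would help the next reader. Two style nits in the same function: its opening brace sits on the signature line and it uses `return(0);`, whereas the rest of the file, including mm_answer_gss_sign just above it, puts the brace on its own line and writes `return (0);`.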