1 files changed, 281 insertions, 7 deletions
diff --git a/monitor.c b/monitor.c
index ef46938c4..6a82936d4 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.99 2008/07/10 18:08:11 markus Exp $ */
+/* $OpenBSD: monitor.c,v 1.101 2009/02/12 03:26:22 djm Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -87,6 +87,7 @@
 #include "misc.h"
 #include "compat.h"
 #include "ssh2.h"
+#include "jpake.h"
 #ifdef GSSAPI
 static Gssctxt *gsscontext = NULL;
@@ -149,6 +150,11 @@ int mm_answer_rsa_challenge(int, Buffer *);
 int mm_answer_rsa_response(int, Buffer *);
 int mm_answer_sesskey(int, Buffer *);
 int mm_answer_sessid(int, Buffer *);
+int mm_answer_jpake_get_pwdata(int, Buffer *);
+int mm_answer_jpake_step1(int, Buffer *);
+int mm_answer_jpake_step2(int, Buffer *);
+int mm_answer_jpake_key_confirm(int, Buffer *);
+int mm_answer_jpake_check_confirm(int, Buffer *);
 #ifdef USE_PAM
 int mm_answer_pam_start(int, Buffer *);
@@ -165,6 +171,7 @@ int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
 int mm_answer_gss_checkmic(int, Buffer *);
 int mm_answer_gss_sign(int, Buffer *);
+int mm_answer_gss_updatecreds(int, Buffer *);
 #endif
 #ifdef SSH_AUDIT_EVENTS
@@ -236,6 +243,13 @@ struct mon_table mon_dispatch_proto20[] = {
    {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
    {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
 #endif
+#ifdef JPAKE
+    {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
+    {MONITOR_REQ_JPAKE_STEP1, MON_ISAUTH, mm_answer_jpake_step1},
+    {MONITOR_REQ_JPAKE_STEP2, MON_ONCE, mm_answer_jpake_step2},
+    {MONITOR_REQ_JPAKE_KEY_CONFIRM, MON_ONCE, mm_answer_jpake_key_confirm},
+    {MONITOR_REQ_JPAKE_CHECK_CONFIRM, MON_AUTH, mm_answer_jpake_check_confirm},
+#endif
    {0, 0, NULL}
 };
@@ -244,6 +258,7 @@ struct mon_table mon_dispatch_postauth20[] = {
    {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
    {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
    {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
+    {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
 #endif
    {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
    {MONITOR_REQ_SIGN, 0, mm_answer_sign},
@@ -390,6 +405,15 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
                        if (!authenticated)
                                authctxt->failures++;
                }
+#ifdef JPAKE
+                /* Cleanup JPAKE context after authentication */
+                if (ent->flags & MON_AUTHDECIDE) {
+                        if (authctxt->jpake_ctx != NULL) {
+                                jpake_free(authctxt->jpake_ctx);
+                                authctxt->jpake_ctx = NULL;
+                        }
+                }
+#endif
        }
        if (!authctxt->valid)
@@ -1493,7 +1517,9 @@ mm_answer_rsa_challenge(int sock, Buffer *m)
                fatal("%s: key type mismatch", __func__);
        if ((key = key_from_blob(blob, blen)) == NULL)
                fatal("%s: received bad key", __func__);
+        if (key->type != KEY_RSA)
+                fatal("%s: received bad key type %d", __func__, key->type);
+        key->type = KEY_RSA1;
        if (ssh1_challenge)
                BN_clear_free(ssh1_challenge);
        ssh1_challenge = auth_rsa_generate_challenge(key);
@@ -1691,9 +1717,11 @@ mm_get_kex(Buffer *m)
        kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
        kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
 #ifdef GSSAPI
-        kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+        if (options.gss_keyex) {
-        kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+                kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
-        kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
+                kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+                kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
+        }
 #endif
        kex->server = 1;
        kex->hostkey_type = buffer_get_int(m);
@@ -1894,6 +1922,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
        OM_uint32 major;
        u_int len;
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
        goid.elements = buffer_get_string(m, &len);
        goid.length = len;
@@ -1921,6 +1952,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
        OM_uint32 flags = 0; /* GSI needs this */
        u_int len;
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
        in.value = buffer_get_string(m, &len);
        in.length = len;
        major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -1950,6 +1984,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
        OM_uint32 ret;
        u_int len;
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
        gssbuf.value = buffer_get_string(m, &len);
        gssbuf.length = len;
        mic.value = buffer_get_string(m, &len);
@@ -1976,7 +2013,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
 {
        int authenticated;
-        authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
+        authenticated = authctxt->valid && 
+            ssh_gssapi_userok(authctxt->user, authctxt->pw);
        buffer_clear(m);
        buffer_put_int(m, authenticated);
@@ -1998,10 +2039,14 @@ mm_answer_gss_sign(int socket, Buffer *m)
        OM_uint32 major, minor;
        u_int len;
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
        data.value = buffer_get_string(m, &len);
        data.length = len;
        if (data.length != 20) 
-                fatal("%s: data length incorrect: %d", __func__, data.length);
+                fatal("%s: data length incorrect: %d", __func__, 
+                    (int) data.length);
        /* Save the session ID on the first time around */
        if (session_id2_len == 0) {
@@ -2023,8 +2068,237 @@ mm_answer_gss_sign(int socket, Buffer *m)
        /* Turn on getpwnam permissions */
        monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
+        
+        /* And credential updating, for when rekeying */
+        monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
        return (0);
 }
+int
+mm_answer_gss_updatecreds(int socket, Buffer *m) {
+        ssh_gssapi_ccache store;
+        int ok;
+        store.filename = buffer_get_string(m, NULL);
+        store.envvar   = buffer_get_string(m, NULL);
+        store.envval   = buffer_get_string(m, NULL);
+        ok = ssh_gssapi_update_creds(&store);
+        xfree(store.filename);
+        xfree(store.envvar);
+        xfree(store.envval);
+        buffer_clear(m);
+        buffer_put_int(m, ok);
+        mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
+        return(0);
+}
 #endif /* GSSAPI */
+#ifdef JPAKE
+int
+mm_answer_jpake_step1(int sock, Buffer *m)
+{
+        struct jpake_ctx *pctx;
+        u_char *x3_proof, *x4_proof;
+        u_int x3_proof_len, x4_proof_len;
+        if (!options.zero_knowledge_password_authentication)
+                fatal("zero_knowledge_password_authentication disabled");
+        if (authctxt->jpake_ctx != NULL)
+                fatal("%s: authctxt->jpake_ctx already set (%p)",
+                    __func__, authctxt->jpake_ctx);
+        authctxt->jpake_ctx = pctx = jpake_new();
+        jpake_step1(pctx->grp,
+            &pctx->server_id, &pctx->server_id_len,
+            &pctx->x3, &pctx->x4, &pctx->g_x3, &pctx->g_x4,
+            &x3_proof, &x3_proof_len,
+            &x4_proof, &x4_proof_len);
+        JPAKE_DEBUG_CTX((pctx, "step1 done in %s", __func__));
+        buffer_clear(m);
+        buffer_put_string(m, pctx->server_id, pctx->server_id_len);
+        buffer_put_bignum2(m, pctx->g_x3);
+        buffer_put_bignum2(m, pctx->g_x4);
+        buffer_put_string(m, x3_proof, x3_proof_len);
+        buffer_put_string(m, x4_proof, x4_proof_len);
+        debug3("%s: sending step1", __func__);
+        mm_request_send(sock, MONITOR_ANS_JPAKE_STEP1, m);
+        bzero(x3_proof, x3_proof_len);
+        bzero(x4_proof, x4_proof_len);
+        xfree(x3_proof);
+        xfree(x4_proof);
+        monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_GET_PWDATA, 1);
+        monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 0);
+        return 0;
+}
+int
+mm_answer_jpake_get_pwdata(int sock, Buffer *m)
+{
+        struct jpake_ctx *pctx = authctxt->jpake_ctx;
+        char *hash_scheme, *salt;
+        if (pctx == NULL)
+                fatal("%s: pctx == NULL", __func__);
+        auth2_jpake_get_pwdata(authctxt, &pctx->s, &hash_scheme, &salt);
+        buffer_clear(m);
+        /* pctx->s is sensitive, not returned to slave */
+        buffer_put_cstring(m, hash_scheme);
+        buffer_put_cstring(m, salt);
+        debug3("%s: sending pwdata", __func__);
+        mm_request_send(sock, MONITOR_ANS_JPAKE_GET_PWDATA, m);
+        bzero(hash_scheme, strlen(hash_scheme));
+        bzero(salt, strlen(salt));
+        xfree(hash_scheme);
+        xfree(salt);
+        monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP2, 1);
+        return 0;
+}
+int
+mm_answer_jpake_step2(int sock, Buffer *m)
+{
+        struct jpake_ctx *pctx = authctxt->jpake_ctx;
+        u_char *x1_proof, *x2_proof, *x4_s_proof;
+        u_int x1_proof_len, x2_proof_len, x4_s_proof_len;
+        if (pctx == NULL)
+                fatal("%s: pctx == NULL", __func__);
+        if ((pctx->g_x1 = BN_new()) == NULL ||
+            (pctx->g_x2 = BN_new()) == NULL)
+                fatal("%s: BN_new", __func__);
+        buffer_get_bignum2(m, pctx->g_x1);
+        buffer_get_bignum2(m, pctx->g_x2);
+        pctx->client_id = buffer_get_string(m, &pctx->client_id_len);
+        x1_proof = buffer_get_string(m, &x1_proof_len);
+        x2_proof = buffer_get_string(m, &x2_proof_len);
+        jpake_step2(pctx->grp, pctx->s, pctx->g_x3,
+            pctx->g_x1, pctx->g_x2, pctx->x4,
+            pctx->client_id, pctx->client_id_len,
+            pctx->server_id, pctx->server_id_len,
+            x1_proof, x1_proof_len,
+            x2_proof, x2_proof_len,
+            &pctx->b,
+            &x4_s_proof, &x4_s_proof_len);
+        JPAKE_DEBUG_CTX((pctx, "step2 done in %s", __func__));
+        bzero(x1_proof, x1_proof_len);
+        bzero(x2_proof, x2_proof_len);
+        xfree(x1_proof);
+        xfree(x2_proof);
+        buffer_clear(m);
+        buffer_put_bignum2(m, pctx->b);
+        buffer_put_string(m, x4_s_proof, x4_s_proof_len);
+        debug3("%s: sending step2", __func__);
+        mm_request_send(sock, MONITOR_ANS_JPAKE_STEP2, m);
+        bzero(x4_s_proof, x4_s_proof_len);
+        xfree(x4_s_proof);
+        monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_KEY_CONFIRM, 1);
+        return 0;
+}
+int
+mm_answer_jpake_key_confirm(int sock, Buffer *m)
+{
+        struct jpake_ctx *pctx = authctxt->jpake_ctx;
+        u_char *x2_s_proof;
+        u_int x2_s_proof_len;
+        if (pctx == NULL)
+                fatal("%s: pctx == NULL", __func__);
+        if ((pctx->a = BN_new()) == NULL)
+                fatal("%s: BN_new", __func__);
+        buffer_get_bignum2(m, pctx->a);
+        x2_s_proof = buffer_get_string(m, &x2_s_proof_len);
+        jpake_key_confirm(pctx->grp, pctx->s, pctx->a,
+            pctx->x4, pctx->g_x3, pctx->g_x4, pctx->g_x1, pctx->g_x2,
+            pctx->server_id, pctx->server_id_len,
+            pctx->client_id, pctx->client_id_len,
+            session_id2, session_id2_len,
+            x2_s_proof, x2_s_proof_len,
+            &pctx->k,
+            &pctx->h_k_sid_sessid, &pctx->h_k_sid_sessid_len);
+        JPAKE_DEBUG_CTX((pctx, "key_confirm done in %s", __func__));
+        bzero(x2_s_proof, x2_s_proof_len);
+        buffer_clear(m);
+        /* pctx->k is sensitive, not sent */
+        buffer_put_string(m, pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len);
+        debug3("%s: sending confirmation hash", __func__);
+        mm_request_send(sock, MONITOR_ANS_JPAKE_KEY_CONFIRM, m);
+        monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_CHECK_CONFIRM, 1);
+        return 0;
+}
+int
+mm_answer_jpake_check_confirm(int sock, Buffer *m)
+{
+        int authenticated = 0;
+        u_char *peer_confirm_hash;
+        u_int peer_confirm_hash_len;
+        struct jpake_ctx *pctx = authctxt->jpake_ctx;
+        if (pctx == NULL)
+                fatal("%s: pctx == NULL", __func__);
+        peer_confirm_hash = buffer_get_string(m, &peer_confirm_hash_len);
+        authenticated = jpake_check_confirm(pctx->k,
+            pctx->client_id, pctx->client_id_len,
+            session_id2, session_id2_len,
+            peer_confirm_hash, peer_confirm_hash_len) && authctxt->valid;
+        JPAKE_DEBUG_CTX((pctx, "check_confirm done in %s", __func__));
+        bzero(peer_confirm_hash, peer_confirm_hash_len);
+        xfree(peer_confirm_hash);
+        buffer_clear(m);
+        buffer_put_int(m, authenticated);
+        debug3("%s: sending result %d", __func__, authenticated);
+        mm_request_send(sock, MONITOR_ANS_JPAKE_CHECK_CONFIRM, m);
+        monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);
+        auth_method = "jpake-01@openssh.com";
+        return authenticated;
+}
+#endif /* JPAKE */

diff --git a/monitor.c b/monitor.c index ef46938c4..6a82936d4 100644 --- a/monitor.c +++ b/monitor.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: monitor.c,v 1.99 2008/07/10 18:08:11 markus Exp $ */	1	/* $OpenBSD: monitor.c,v 1.101 2009/02/12 03:26:22 djm Exp $ */
2	/*	2	/*
3	* Copyright 2002 Niels Provos <provos@citi.umich.edu>	3	* Copyright 2002 Niels Provos <provos@citi.umich.edu>
4	* Copyright 2002 Markus Friedl <markus@openbsd.org>	4	* Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -87,6 +87,7 @@
87	#include "misc.h"	87	#include "misc.h"
88	#include "compat.h"	88	#include "compat.h"
89	#include "ssh2.h"	89	#include "ssh2.h"
		90	#include "jpake.h"
90		91
91	#ifdef GSSAPI	92	#ifdef GSSAPI
92	static Gssctxt *gsscontext = NULL;	93	static Gssctxt *gsscontext = NULL;
@@ -149,6 +150,11 @@ int mm_answer_rsa_challenge(int, Buffer *);
149	int mm_answer_rsa_response(int, Buffer *);	150	int mm_answer_rsa_response(int, Buffer *);
150	int mm_answer_sesskey(int, Buffer *);	151	int mm_answer_sesskey(int, Buffer *);
151	int mm_answer_sessid(int, Buffer *);	152	int mm_answer_sessid(int, Buffer *);
		153	int mm_answer_jpake_get_pwdata(int, Buffer *);
		154	int mm_answer_jpake_step1(int, Buffer *);
		155	int mm_answer_jpake_step2(int, Buffer *);
		156	int mm_answer_jpake_key_confirm(int, Buffer *);
		157	int mm_answer_jpake_check_confirm(int, Buffer *);
152		158
153	#ifdef USE_PAM	159	#ifdef USE_PAM
154	int mm_answer_pam_start(int, Buffer *);	160	int mm_answer_pam_start(int, Buffer *);
@@ -165,6 +171,7 @@ int mm_answer_gss_accept_ctx(int, Buffer *);
165	int mm_answer_gss_userok(int, Buffer *);	171	int mm_answer_gss_userok(int, Buffer *);
166	int mm_answer_gss_checkmic(int, Buffer *);	172	int mm_answer_gss_checkmic(int, Buffer *);
167	int mm_answer_gss_sign(int, Buffer *);	173	int mm_answer_gss_sign(int, Buffer *);
		174	int mm_answer_gss_updatecreds(int, Buffer *);
168	#endif	175	#endif
169		176
170	#ifdef SSH_AUDIT_EVENTS	177	#ifdef SSH_AUDIT_EVENTS
@@ -236,6 +243,13 @@ struct mon_table mon_dispatch_proto20[] = {
236	{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},	243	{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
237	{MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},	244	{MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
238	#endif	245	#endif
		246	#ifdef JPAKE
		247	{MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
		248	{MONITOR_REQ_JPAKE_STEP1, MON_ISAUTH, mm_answer_jpake_step1},
		249	{MONITOR_REQ_JPAKE_STEP2, MON_ONCE, mm_answer_jpake_step2},
		250	{MONITOR_REQ_JPAKE_KEY_CONFIRM, MON_ONCE, mm_answer_jpake_key_confirm},
		251	{MONITOR_REQ_JPAKE_CHECK_CONFIRM, MON_AUTH, mm_answer_jpake_check_confirm},
		252	#endif
239	{0, 0, NULL}	253	{0, 0, NULL}
240	};	254	};
241		255
@@ -244,6 +258,7 @@ struct mon_table mon_dispatch_postauth20[] = {
244	{MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},	258	{MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
245	{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},	259	{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
246	{MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},	260	{MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
		261	{MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
247	#endif	262	#endif
248	{MONITOR_REQ_MODULI, 0, mm_answer_moduli},	263	{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
249	{MONITOR_REQ_SIGN, 0, mm_answer_sign},	264	{MONITOR_REQ_SIGN, 0, mm_answer_sign},
@@ -390,6 +405,15 @@ monitor_child_preauth(Authctxt _authctxt, struct monitor pmonitor)
390	if (!authenticated)	405	if (!authenticated)
391	authctxt->failures++;	406	authctxt->failures++;
392	}	407	}
		408	#ifdef JPAKE
		409	/* Cleanup JPAKE context after authentication */
		410	if (ent->flags & MON_AUTHDECIDE) {
		411	if (authctxt->jpake_ctx != NULL) {
		412	jpake_free(authctxt->jpake_ctx);
		413	authctxt->jpake_ctx = NULL;
		414	}
		415	}
		416	#endif
393	}	417	}
394		418
395	if (!authctxt->valid)	419	if (!authctxt->valid)
@@ -1493,7 +1517,9 @@ mm_answer_rsa_challenge(int sock, Buffer *m)
1493	fatal("%s: key type mismatch", __func__);	1517	fatal("%s: key type mismatch", __func__);
1494	if ((key = key_from_blob(blob, blen)) == NULL)	1518	if ((key = key_from_blob(blob, blen)) == NULL)
1495	fatal("%s: received bad key", __func__);	1519	fatal("%s: received bad key", __func__);
1496		1520	if (key->type != KEY_RSA)
		1521	fatal("%s: received bad key type %d", __func__, key->type);
		1522	key->type = KEY_RSA1;
1497	if (ssh1_challenge)	1523	if (ssh1_challenge)
1498	BN_clear_free(ssh1_challenge);	1524	BN_clear_free(ssh1_challenge);
1499	ssh1_challenge = auth_rsa_generate_challenge(key);	1525	ssh1_challenge = auth_rsa_generate_challenge(key);
@@ -1691,9 +1717,11 @@ mm_get_kex(Buffer *m)
1691	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;	1717	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
1692	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;	1718	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
1693	#ifdef GSSAPI	1719	#ifdef GSSAPI
1694	kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;	1720	if (options.gss_keyex) {
1695	kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;	1721	kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
1696	kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;	1722	kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
		1723	kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
		1724	}
1697	#endif	1725	#endif
1698	kex->server = 1;	1726	kex->server = 1;
1699	kex->hostkey_type = buffer_get_int(m);	1727	kex->hostkey_type = buffer_get_int(m);
@@ -1894,6 +1922,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
1894	OM_uint32 major;	1922	OM_uint32 major;
1895	u_int len;	1923	u_int len;
1896		1924
		1925	if (!options.gss_authentication && !options.gss_keyex)
		1926	fatal("In GSSAPI monitor when GSSAPI is disabled");
		1927
1897	goid.elements = buffer_get_string(m, &len);	1928	goid.elements = buffer_get_string(m, &len);
1898	goid.length = len;	1929	goid.length = len;
1899		1930
@@ -1921,6 +1952,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
1921	OM_uint32 flags = 0; /* GSI needs this */	1952	OM_uint32 flags = 0; /* GSI needs this */
1922	u_int len;	1953	u_int len;
1923		1954
		1955	if (!options.gss_authentication && !options.gss_keyex)
		1956	fatal("In GSSAPI monitor when GSSAPI is disabled");
		1957
1924	in.value = buffer_get_string(m, &len);	1958	in.value = buffer_get_string(m, &len);
1925	in.length = len;	1959	in.length = len;
1926	major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);	1960	major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -1950,6 +1984,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
1950	OM_uint32 ret;	1984	OM_uint32 ret;
1951	u_int len;	1985	u_int len;
1952		1986
		1987	if (!options.gss_authentication && !options.gss_keyex)
		1988	fatal("In GSSAPI monitor when GSSAPI is disabled");
		1989
1953	gssbuf.value = buffer_get_string(m, &len);	1990	gssbuf.value = buffer_get_string(m, &len);
1954	gssbuf.length = len;	1991	gssbuf.length = len;
1955	mic.value = buffer_get_string(m, &len);	1992	mic.value = buffer_get_string(m, &len);
@@ -1976,7 +2013,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
1976	{	2013	{
1977	int authenticated;	2014	int authenticated;
1978		2015
1979	authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);	2016	if (!options.gss_authentication && !options.gss_keyex)
		2017	fatal("In GSSAPI monitor when GSSAPI is disabled");
		2018
		2019	authenticated = authctxt->valid &&
		2020	ssh_gssapi_userok(authctxt->user, authctxt->pw);
1980		2021
1981	buffer_clear(m);	2022	buffer_clear(m);
1982	buffer_put_int(m, authenticated);	2023	buffer_put_int(m, authenticated);
@@ -1998,10 +2039,14 @@ mm_answer_gss_sign(int socket, Buffer *m)
1998	OM_uint32 major, minor;	2039	OM_uint32 major, minor;
1999	u_int len;	2040	u_int len;
2000		2041
		2042	if (!options.gss_authentication && !options.gss_keyex)
		2043	fatal("In GSSAPI monitor when GSSAPI is disabled");
		2044
2001	data.value = buffer_get_string(m, &len);	2045	data.value = buffer_get_string(m, &len);
2002	data.length = len;	2046	data.length = len;
2003	if (data.length != 20)	2047	if (data.length != 20)
2004	fatal("%s: data length incorrect: %d", __func__, data.length);	2048	fatal("%s: data length incorrect: %d", __func__,
		2049	(int) data.length);
2005		2050
2006	/* Save the session ID on the first time around */	2051	/* Save the session ID on the first time around */
2007	if (session_id2_len == 0) {	2052	if (session_id2_len == 0) {
@@ -2023,8 +2068,237 @@ mm_answer_gss_sign(int socket, Buffer *m)
2023		2068
2024	/* Turn on getpwnam permissions */	2069	/* Turn on getpwnam permissions */
2025	monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);	2070	monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
		2071
		2072	/* And credential updating, for when rekeying */
		2073	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
2026		2074
2027	return (0);	2075	return (0);
2028	}	2076	}
2029		2077
		2078	int
		2079	mm_answer_gss_updatecreds(int socket, Buffer *m) {
		2080	ssh_gssapi_ccache store;
		2081	int ok;
		2082
		2083	store.filename = buffer_get_string(m, NULL);
		2084	store.envvar = buffer_get_string(m, NULL);
		2085	store.envval = buffer_get_string(m, NULL);
		2086
		2087	ok = ssh_gssapi_update_creds(&store);
		2088
		2089	xfree(store.filename);
		2090	xfree(store.envvar);
		2091	xfree(store.envval);
		2092
		2093	buffer_clear(m);
		2094	buffer_put_int(m, ok);
		2095
		2096	mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
		2097
		2098	return(0);
		2099	}
		2100
2030	#endif /* GSSAPI */	2101	#endif /* GSSAPI */
		2102
		2103	#ifdef JPAKE
		2104	int
		2105	mm_answer_jpake_step1(int sock, Buffer *m)
		2106	{
		2107	struct jpake_ctx *pctx;
		2108	u_char x3_proof, x4_proof;
		2109	u_int x3_proof_len, x4_proof_len;
		2110
		2111	if (!options.zero_knowledge_password_authentication)
		2112	fatal("zero_knowledge_password_authentication disabled");
		2113
		2114	if (authctxt->jpake_ctx != NULL)
		2115	fatal("%s: authctxt->jpake_ctx already set (%p)",
		2116	__func__, authctxt->jpake_ctx);
		2117	authctxt->jpake_ctx = pctx = jpake_new();
		2118
		2119	jpake_step1(pctx->grp,
		2120	&pctx->server_id, &pctx->server_id_len,
		2121	&pctx->x3, &pctx->x4, &pctx->g_x3, &pctx->g_x4,
		2122	&x3_proof, &x3_proof_len,
		2123	&x4_proof, &x4_proof_len);
		2124
		2125	JPAKE_DEBUG_CTX((pctx, "step1 done in %s", __func__));
		2126
		2127	buffer_clear(m);
		2128
		2129	buffer_put_string(m, pctx->server_id, pctx->server_id_len);
		2130	buffer_put_bignum2(m, pctx->g_x3);
		2131	buffer_put_bignum2(m, pctx->g_x4);
		2132	buffer_put_string(m, x3_proof, x3_proof_len);
		2133	buffer_put_string(m, x4_proof, x4_proof_len);
		2134
		2135	debug3("%s: sending step1", __func__);
		2136	mm_request_send(sock, MONITOR_ANS_JPAKE_STEP1, m);
		2137
		2138	bzero(x3_proof, x3_proof_len);
		2139	bzero(x4_proof, x4_proof_len);
		2140	xfree(x3_proof);
		2141	xfree(x4_proof);
		2142
		2143	monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_GET_PWDATA, 1);
		2144	monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 0);
		2145
		2146	return 0;
		2147	}
		2148
		2149	int
		2150	mm_answer_jpake_get_pwdata(int sock, Buffer *m)
		2151	{
		2152	struct jpake_ctx *pctx = authctxt->jpake_ctx;
		2153	char hash_scheme, salt;
		2154
		2155	if (pctx == NULL)
		2156	fatal("%s: pctx == NULL", __func__);
		2157
		2158	auth2_jpake_get_pwdata(authctxt, &pctx->s, &hash_scheme, &salt);
		2159
		2160	buffer_clear(m);
		2161	/* pctx->s is sensitive, not returned to slave */
		2162	buffer_put_cstring(m, hash_scheme);
		2163	buffer_put_cstring(m, salt);
		2164
		2165	debug3("%s: sending pwdata", __func__);
		2166	mm_request_send(sock, MONITOR_ANS_JPAKE_GET_PWDATA, m);
		2167
		2168	bzero(hash_scheme, strlen(hash_scheme));
		2169	bzero(salt, strlen(salt));
		2170	xfree(hash_scheme);
		2171	xfree(salt);
		2172
		2173	monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP2, 1);
		2174
		2175	return 0;
		2176	}
		2177
		2178	int
		2179	mm_answer_jpake_step2(int sock, Buffer *m)
		2180	{
		2181	struct jpake_ctx *pctx = authctxt->jpake_ctx;
		2182	u_char x1_proof, x2_proof, *x4_s_proof;
		2183	u_int x1_proof_len, x2_proof_len, x4_s_proof_len;
		2184
		2185	if (pctx == NULL)
		2186	fatal("%s: pctx == NULL", __func__);
		2187
		2188	if ((pctx->g_x1 = BN_new()) == NULL \|\|
		2189	(pctx->g_x2 = BN_new()) == NULL)
		2190	fatal("%s: BN_new", __func__);
		2191	buffer_get_bignum2(m, pctx->g_x1);
		2192	buffer_get_bignum2(m, pctx->g_x2);
		2193	pctx->client_id = buffer_get_string(m, &pctx->client_id_len);
		2194	x1_proof = buffer_get_string(m, &x1_proof_len);
		2195	x2_proof = buffer_get_string(m, &x2_proof_len);
		2196
		2197	jpake_step2(pctx->grp, pctx->s, pctx->g_x3,
		2198	pctx->g_x1, pctx->g_x2, pctx->x4,
		2199	pctx->client_id, pctx->client_id_len,
		2200	pctx->server_id, pctx->server_id_len,
		2201	x1_proof, x1_proof_len,
		2202	x2_proof, x2_proof_len,
		2203	&pctx->b,
		2204	&x4_s_proof, &x4_s_proof_len);
		2205
		2206	JPAKE_DEBUG_CTX((pctx, "step2 done in %s", __func__));
		2207
		2208	bzero(x1_proof, x1_proof_len);
		2209	bzero(x2_proof, x2_proof_len);
		2210	xfree(x1_proof);
		2211	xfree(x2_proof);
		2212
		2213	buffer_clear(m);
		2214
		2215	buffer_put_bignum2(m, pctx->b);
		2216	buffer_put_string(m, x4_s_proof, x4_s_proof_len);
		2217
		2218	debug3("%s: sending step2", __func__);
		2219	mm_request_send(sock, MONITOR_ANS_JPAKE_STEP2, m);
		2220
		2221	bzero(x4_s_proof, x4_s_proof_len);
		2222	xfree(x4_s_proof);
		2223
		2224	monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_KEY_CONFIRM, 1);
		2225
		2226	return 0;
		2227	}
		2228
		2229	int
		2230	mm_answer_jpake_key_confirm(int sock, Buffer *m)
		2231	{
		2232	struct jpake_ctx *pctx = authctxt->jpake_ctx;
		2233	u_char *x2_s_proof;
		2234	u_int x2_s_proof_len;
		2235
		2236	if (pctx == NULL)
		2237	fatal("%s: pctx == NULL", __func__);
		2238
		2239	if ((pctx->a = BN_new()) == NULL)
		2240	fatal("%s: BN_new", __func__);
		2241	buffer_get_bignum2(m, pctx->a);
		2242	x2_s_proof = buffer_get_string(m, &x2_s_proof_len);
		2243
		2244	jpake_key_confirm(pctx->grp, pctx->s, pctx->a,
		2245	pctx->x4, pctx->g_x3, pctx->g_x4, pctx->g_x1, pctx->g_x2,
		2246	pctx->server_id, pctx->server_id_len,
		2247	pctx->client_id, pctx->client_id_len,
		2248	session_id2, session_id2_len,
		2249	x2_s_proof, x2_s_proof_len,
		2250	&pctx->k,
		2251	&pctx->h_k_sid_sessid, &pctx->h_k_sid_sessid_len);
		2252
		2253	JPAKE_DEBUG_CTX((pctx, "key_confirm done in %s", __func__));
		2254
		2255	bzero(x2_s_proof, x2_s_proof_len);
		2256	buffer_clear(m);
		2257
		2258	/* pctx->k is sensitive, not sent */
		2259	buffer_put_string(m, pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len);
		2260
		2261	debug3("%s: sending confirmation hash", __func__);
		2262	mm_request_send(sock, MONITOR_ANS_JPAKE_KEY_CONFIRM, m);
		2263
		2264	monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_CHECK_CONFIRM, 1);
		2265
		2266	return 0;
		2267	}
		2268
		2269	int
		2270	mm_answer_jpake_check_confirm(int sock, Buffer *m)
		2271	{
		2272	int authenticated = 0;
		2273	u_char *peer_confirm_hash;
		2274	u_int peer_confirm_hash_len;
		2275	struct jpake_ctx *pctx = authctxt->jpake_ctx;
		2276
		2277	if (pctx == NULL)
		2278	fatal("%s: pctx == NULL", __func__);
		2279
		2280	peer_confirm_hash = buffer_get_string(m, &peer_confirm_hash_len);
		2281
		2282	authenticated = jpake_check_confirm(pctx->k,
		2283	pctx->client_id, pctx->client_id_len,
		2284	session_id2, session_id2_len,
		2285	peer_confirm_hash, peer_confirm_hash_len) && authctxt->valid;
		2286
		2287	JPAKE_DEBUG_CTX((pctx, "check_confirm done in %s", __func__));
		2288
		2289	bzero(peer_confirm_hash, peer_confirm_hash_len);
		2290	xfree(peer_confirm_hash);
		2291
		2292	buffer_clear(m);
		2293	buffer_put_int(m, authenticated);
		2294
		2295	debug3("%s: sending result %d", __func__, authenticated);
		2296	mm_request_send(sock, MONITOR_ANS_JPAKE_CHECK_CONFIRM, m);
		2297
		2298	monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);
		2299
		2300	auth_method = "jpake-01@openssh.com";
		2301	return authenticated;
		2302	}
		2303
		2304	#endif /* JPAKE */