1 files changed, 107 insertions, 1 deletions
diff --git a/monitor.c b/monitor.c
index e7abf2498..ff5547e0e 100644
--- a/monitor.c
+++ b/monitor.c
@@ -180,6 +180,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
 int mm_answer_gss_checkmic(int, Buffer *);
+int mm_answer_gss_sign(int, Buffer *);
+int mm_answer_gss_updatecreds(int, Buffer *);
 #endif
 #ifdef SSH_AUDIT_EVENTS
@@ -251,6 +253,7 @@ struct mon_table mon_dispatch_proto20[] = {
    {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
    {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
    {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
+    {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
 #endif
 #ifdef JPAKE
    {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
@@ -263,6 +266,12 @@ struct mon_table mon_dispatch_proto20[] = {
 };
 struct mon_table mon_dispatch_postauth20[] = {
+#ifdef GSSAPI
+    {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
+    {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
+    {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
+    {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
+#endif
    {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
    {MONITOR_REQ_SIGN, 0, mm_answer_sign},
    {MONITOR_REQ_PTY, 0, mm_answer_pty},
@@ -371,6 +380,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
                /* Permit requests for moduli and signatures */
                monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
+#ifdef GSSAPI
+                /* and for the GSSAPI key exchange */
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
        } else {
                mon_dispatch = mon_dispatch_proto15;
@@ -468,6 +481,10 @@ monitor_child_postauth(struct monitor *pmonitor)
                monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef GSSAPI
+                /* and for the GSSAPI key exchange */
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif          
        } else {
                mon_dispatch = mon_dispatch_postauth15;
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1803,6 +1820,13 @@ mm_get_kex(Buffer *m)
        kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
        kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
        kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+#ifdef GSSAPI
+        if (options.gss_keyex) {
+                kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+                kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+                kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
+        }
+#endif
        kex->server = 1;
        kex->hostkey_type = buffer_get_int(m);
        kex->kex_type = buffer_get_int(m);
@@ -2009,6 +2033,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
        OM_uint32 major;
        u_int len;
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
        goid.elements = buffer_get_string(m, &len);
        goid.length = len;
@@ -2036,6 +2063,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
        OM_uint32 flags = 0; /* GSI needs this */
        u_int len;
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
        in.value = buffer_get_string(m, &len);
        in.length = len;
        major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -2053,6 +2083,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
        }
        return (0);
 }
@@ -2064,6 +2095,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
        OM_uint32 ret;
        u_int len;
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
        gssbuf.value = buffer_get_string(m, &len);
        gssbuf.length = len;
        mic.value = buffer_get_string(m, &len);
@@ -2090,7 +2124,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
 {
        int authenticated;
-        authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
+        authenticated = authctxt->valid && 
+            ssh_gssapi_userok(authctxt->user, authctxt->pw);
        buffer_clear(m);
        buffer_put_int(m, authenticated);
@@ -2103,6 +2141,74 @@ mm_answer_gss_userok(int sock, Buffer *m)
        /* Monitor loop will terminate if authenticated */
        return (authenticated);
 }
+int 
+mm_answer_gss_sign(int socket, Buffer *m)
+{
+        gss_buffer_desc data;
+        gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
+        OM_uint32 major, minor;
+        u_int len;
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
+        data.value = buffer_get_string(m, &len);
+        data.length = len;
+        if (data.length != 20) 
+                fatal("%s: data length incorrect: %d", __func__, 
+                    (int) data.length);
+        /* Save the session ID on the first time around */
+        if (session_id2_len == 0) {
+                session_id2_len = data.length;
+                session_id2 = xmalloc(session_id2_len);
+                memcpy(session_id2, data.value, session_id2_len);
+        }
+        major = ssh_gssapi_sign(gsscontext, &data, &hash);
+        xfree(data.value);
+        buffer_clear(m);
+        buffer_put_int(m, major);
+        buffer_put_string(m, hash.value, hash.length);
+        mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
+        gss_release_buffer(&minor, &hash);
+        /* Turn on getpwnam permissions */
+        monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
+        
+        /* And credential updating, for when rekeying */
+        monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
+        return (0);
+}
+int
+mm_answer_gss_updatecreds(int socket, Buffer *m) {
+        ssh_gssapi_ccache store;
+        int ok;
+        store.filename = buffer_get_string(m, NULL);
+        store.envvar   = buffer_get_string(m, NULL);
+        store.envval   = buffer_get_string(m, NULL);
+        ok = ssh_gssapi_update_creds(&store);
+        xfree(store.filename);
+        xfree(store.envvar);
+        xfree(store.envval);
+        buffer_clear(m);
+        buffer_put_int(m, ok);
+        mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
+        return(0);
+}
 #endif /* GSSAPI */
 #ifdef JPAKE

diff --git a/monitor.c b/monitor.c index e7abf2498..ff5547e0e 100644 --- a/monitor.c +++ b/monitor.c
@@ -180,6 +180,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
180	int mm_answer_gss_accept_ctx(int, Buffer *);	180	int mm_answer_gss_accept_ctx(int, Buffer *);
181	int mm_answer_gss_userok(int, Buffer *);	181	int mm_answer_gss_userok(int, Buffer *);
182	int mm_answer_gss_checkmic(int, Buffer *);	182	int mm_answer_gss_checkmic(int, Buffer *);
		183	int mm_answer_gss_sign(int, Buffer *);
		184	int mm_answer_gss_updatecreds(int, Buffer *);
183	#endif	185	#endif
184		186
185	#ifdef SSH_AUDIT_EVENTS	187	#ifdef SSH_AUDIT_EVENTS
@@ -251,6 +253,7 @@ struct mon_table mon_dispatch_proto20[] = {
251	{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},	253	{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
252	{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},	254	{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
253	{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},	255	{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
		256	{MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
254	#endif	257	#endif
255	#ifdef JPAKE	258	#ifdef JPAKE
256	{MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},	259	{MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
@@ -263,6 +266,12 @@ struct mon_table mon_dispatch_proto20[] = {
263	};	266	};
264		267
265	struct mon_table mon_dispatch_postauth20[] = {	268	struct mon_table mon_dispatch_postauth20[] = {
		269	#ifdef GSSAPI
		270	{MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
		271	{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
		272	{MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
		273	{MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
		274	#endif
266	{MONITOR_REQ_MODULI, 0, mm_answer_moduli},	275	{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
267	{MONITOR_REQ_SIGN, 0, mm_answer_sign},	276	{MONITOR_REQ_SIGN, 0, mm_answer_sign},
268	{MONITOR_REQ_PTY, 0, mm_answer_pty},	277	{MONITOR_REQ_PTY, 0, mm_answer_pty},
@@ -371,6 +380,10 @@ monitor_child_preauth(Authctxt _authctxt, struct monitor pmonitor)
371	/* Permit requests for moduli and signatures */	380	/* Permit requests for moduli and signatures */
372	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);	381	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
373	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);	382	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
		383	#ifdef GSSAPI
		384	/* and for the GSSAPI key exchange */
		385	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
		386	#endif
374	} else {	387	} else {
375	mon_dispatch = mon_dispatch_proto15;	388	mon_dispatch = mon_dispatch_proto15;
376		389
@@ -468,6 +481,10 @@ monitor_child_postauth(struct monitor *pmonitor)
468	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);	481	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
469	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);	482	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
470	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);	483	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
		484	#ifdef GSSAPI
		485	/* and for the GSSAPI key exchange */
		486	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
		487	#endif
471	} else {	488	} else {
472	mon_dispatch = mon_dispatch_postauth15;	489	mon_dispatch = mon_dispatch_postauth15;
473	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);	490	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1803,6 +1820,13 @@ mm_get_kex(Buffer *m)
1803	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;	1820	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
1804	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;	1821	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
1805	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;	1822	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
		1823	#ifdef GSSAPI
		1824	if (options.gss_keyex) {
		1825	kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
		1826	kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
		1827	kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
		1828	}
		1829	#endif
1806	kex->server = 1;	1830	kex->server = 1;
1807	kex->hostkey_type = buffer_get_int(m);	1831	kex->hostkey_type = buffer_get_int(m);
1808	kex->kex_type = buffer_get_int(m);	1832	kex->kex_type = buffer_get_int(m);
@@ -2009,6 +2033,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
2009	OM_uint32 major;	2033	OM_uint32 major;
2010	u_int len;	2034	u_int len;
2011		2035
		2036	if (!options.gss_authentication && !options.gss_keyex)
		2037	fatal("In GSSAPI monitor when GSSAPI is disabled");
		2038
2012	goid.elements = buffer_get_string(m, &len);	2039	goid.elements = buffer_get_string(m, &len);
2013	goid.length = len;	2040	goid.length = len;
2014		2041
@@ -2036,6 +2063,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2036	OM_uint32 flags = 0; /* GSI needs this */	2063	OM_uint32 flags = 0; /* GSI needs this */
2037	u_int len;	2064	u_int len;
2038		2065
		2066	if (!options.gss_authentication && !options.gss_keyex)
		2067	fatal("In GSSAPI monitor when GSSAPI is disabled");
		2068
2039	in.value = buffer_get_string(m, &len);	2069	in.value = buffer_get_string(m, &len);
2040	in.length = len;	2070	in.length = len;
2041	major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);	2071	major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -2053,6 +2083,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2053	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);	2083	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2054	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);	2084	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2055	monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);	2085	monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
		2086	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
2056	}	2087	}
2057	return (0);	2088	return (0);
2058	}	2089	}
@@ -2064,6 +2095,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
2064	OM_uint32 ret;	2095	OM_uint32 ret;
2065	u_int len;	2096	u_int len;
2066		2097
		2098	if (!options.gss_authentication && !options.gss_keyex)
		2099	fatal("In GSSAPI monitor when GSSAPI is disabled");
		2100
2067	gssbuf.value = buffer_get_string(m, &len);	2101	gssbuf.value = buffer_get_string(m, &len);
2068	gssbuf.length = len;	2102	gssbuf.length = len;
2069	mic.value = buffer_get_string(m, &len);	2103	mic.value = buffer_get_string(m, &len);
@@ -2090,7 +2124,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
2090	{	2124	{
2091	int authenticated;	2125	int authenticated;
2092		2126
2093	authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);	2127	if (!options.gss_authentication && !options.gss_keyex)
		2128	fatal("In GSSAPI monitor when GSSAPI is disabled");
		2129
		2130	authenticated = authctxt->valid &&
		2131	ssh_gssapi_userok(authctxt->user, authctxt->pw);
2094		2132
2095	buffer_clear(m);	2133	buffer_clear(m);
2096	buffer_put_int(m, authenticated);	2134	buffer_put_int(m, authenticated);
@@ -2103,6 +2141,74 @@ mm_answer_gss_userok(int sock, Buffer *m)
2103	/* Monitor loop will terminate if authenticated */	2141	/* Monitor loop will terminate if authenticated */
2104	return (authenticated);	2142	return (authenticated);
2105	}	2143	}
		2144
		2145	int
		2146	mm_answer_gss_sign(int socket, Buffer *m)
		2147	{
		2148	gss_buffer_desc data;
		2149	gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
		2150	OM_uint32 major, minor;
		2151	u_int len;
		2152
		2153	if (!options.gss_authentication && !options.gss_keyex)
		2154	fatal("In GSSAPI monitor when GSSAPI is disabled");
		2155
		2156	data.value = buffer_get_string(m, &len);
		2157	data.length = len;
		2158	if (data.length != 20)
		2159	fatal("%s: data length incorrect: %d", __func__,
		2160	(int) data.length);
		2161
		2162	/* Save the session ID on the first time around */
		2163	if (session_id2_len == 0) {
		2164	session_id2_len = data.length;
		2165	session_id2 = xmalloc(session_id2_len);
		2166	memcpy(session_id2, data.value, session_id2_len);
		2167	}
		2168	major = ssh_gssapi_sign(gsscontext, &data, &hash);
		2169
		2170	xfree(data.value);
		2171
		2172	buffer_clear(m);
		2173	buffer_put_int(m, major);
		2174	buffer_put_string(m, hash.value, hash.length);
		2175
		2176	mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
		2177
		2178	gss_release_buffer(&minor, &hash);
		2179
		2180	/* Turn on getpwnam permissions */
		2181	monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
		2182
		2183	/* And credential updating, for when rekeying */
		2184	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
		2185
		2186	return (0);
		2187	}
		2188
		2189	int
		2190	mm_answer_gss_updatecreds(int socket, Buffer *m) {
		2191	ssh_gssapi_ccache store;
		2192	int ok;
		2193
		2194	store.filename = buffer_get_string(m, NULL);
		2195	store.envvar = buffer_get_string(m, NULL);
		2196	store.envval = buffer_get_string(m, NULL);
		2197
		2198	ok = ssh_gssapi_update_creds(&store);
		2199
		2200	xfree(store.filename);
		2201	xfree(store.envvar);
		2202	xfree(store.envval);
		2203
		2204	buffer_clear(m);
		2205	buffer_put_int(m, ok);
		2206
		2207	mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
		2208
		2209	return(0);
		2210	}
		2211
2106	#endif /* GSSAPI */	2212	#endif /* GSSAPI */
2107		2213
2108	#ifdef JPAKE	2214	#ifdef JPAKE