1 files changed, 107 insertions, 1 deletions
diff --git a/monitor.c b/monitor.c
index ace25c404..fd287d8c0 100644
--- a/monitor.c
+++ b/monitor.c
@@ -172,6 +172,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
 int mm_answer_gss_checkmic(int, Buffer *);
+int mm_answer_gss_sign(int, Buffer *);
+int mm_answer_gss_updatecreds(int, Buffer *);
 #endif
 #ifdef SSH_AUDIT_EVENTS
@@ -241,6 +243,7 @@ struct mon_table mon_dispatch_proto20[] = {
    {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
    {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
    {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
+    {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
 #endif
 #ifdef JPAKE
    {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
@@ -253,6 +256,12 @@ struct mon_table mon_dispatch_proto20[] = {
 };
 struct mon_table mon_dispatch_postauth20[] = {
+#ifdef GSSAPI
+    {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
+    {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
+    {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
+    {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
+#endif
    {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
    {MONITOR_REQ_SIGN, 0, mm_answer_sign},
    {MONITOR_REQ_PTY, 0, mm_answer_pty},
@@ -357,6 +366,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
                /* Permit requests for moduli and signatures */
                monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
+#ifdef GSSAPI
+                /* and for the GSSAPI key exchange */
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
        } else {
                mon_dispatch = mon_dispatch_proto15;
@@ -443,6 +456,10 @@ monitor_child_postauth(struct monitor *pmonitor)
                monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef GSSAPI
+                /* and for the GSSAPI key exchange */
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif          
        } else {
                mon_dispatch = mon_dispatch_postauth15;
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1706,6 +1723,13 @@ mm_get_kex(Buffer *m)
        kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
        kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
        kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
+#ifdef GSSAPI
+        if (options.gss_keyex) {
+                kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+                kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+                kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
+        }
+#endif
        kex->server = 1;
        kex->hostkey_type = buffer_get_int(m);
        kex->kex_type = buffer_get_int(m);
@@ -1911,6 +1935,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
        OM_uint32 major;
        u_int len;
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
        goid.elements = buffer_get_string(m, &len);
        goid.length = len;
@@ -1938,6 +1965,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
        OM_uint32 flags = 0; /* GSI needs this */
        u_int len;
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
        in.value = buffer_get_string(m, &len);
        in.length = len;
        major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -1955,6 +1985,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
        }
        return (0);
 }
@@ -1966,6 +1997,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
        OM_uint32 ret;
        u_int len;
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
        gssbuf.value = buffer_get_string(m, &len);
        gssbuf.length = len;
        mic.value = buffer_get_string(m, &len);
@@ -1992,7 +2026,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
 {
        int authenticated;
-        authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
+        authenticated = authctxt->valid && 
+            ssh_gssapi_userok(authctxt->user, authctxt->pw);
        buffer_clear(m);
        buffer_put_int(m, authenticated);
@@ -2005,6 +2043,74 @@ mm_answer_gss_userok(int sock, Buffer *m)
        /* Monitor loop will terminate if authenticated */
        return (authenticated);
 }
+int 
+mm_answer_gss_sign(int socket, Buffer *m)
+{
+        gss_buffer_desc data;
+        gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
+        OM_uint32 major, minor;
+        u_int len;
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
+        data.value = buffer_get_string(m, &len);
+        data.length = len;
+        if (data.length != 20) 
+                fatal("%s: data length incorrect: %d", __func__, 
+                    (int) data.length);
+        /* Save the session ID on the first time around */
+        if (session_id2_len == 0) {
+                session_id2_len = data.length;
+                session_id2 = xmalloc(session_id2_len);
+                memcpy(session_id2, data.value, session_id2_len);
+        }
+        major = ssh_gssapi_sign(gsscontext, &data, &hash);
+        xfree(data.value);
+        buffer_clear(m);
+        buffer_put_int(m, major);
+        buffer_put_string(m, hash.value, hash.length);
+        mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
+        gss_release_buffer(&minor, &hash);
+        /* Turn on getpwnam permissions */
+        monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
+        
+        /* And credential updating, for when rekeying */
+        monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
+        return (0);
+}
+int
+mm_answer_gss_updatecreds(int socket, Buffer *m) {
+        ssh_gssapi_ccache store;
+        int ok;
+        store.filename = buffer_get_string(m, NULL);
+        store.envvar   = buffer_get_string(m, NULL);
+        store.envval   = buffer_get_string(m, NULL);
+        ok = ssh_gssapi_update_creds(&store);
+        xfree(store.filename);
+        xfree(store.envvar);
+        xfree(store.envval);
+        buffer_clear(m);
+        buffer_put_int(m, ok);
+        mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
+        return(0);
+}
 #endif /* GSSAPI */
 #ifdef JPAKE

diff --git a/monitor.c b/monitor.c index ace25c404..fd287d8c0 100644 --- a/monitor.c +++ b/monitor.c
@@ -172,6 +172,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
172	int mm_answer_gss_accept_ctx(int, Buffer *);	172	int mm_answer_gss_accept_ctx(int, Buffer *);
173	int mm_answer_gss_userok(int, Buffer *);	173	int mm_answer_gss_userok(int, Buffer *);
174	int mm_answer_gss_checkmic(int, Buffer *);	174	int mm_answer_gss_checkmic(int, Buffer *);
		175	int mm_answer_gss_sign(int, Buffer *);
		176	int mm_answer_gss_updatecreds(int, Buffer *);
175	#endif	177	#endif
176		178
177	#ifdef SSH_AUDIT_EVENTS	179	#ifdef SSH_AUDIT_EVENTS
@@ -241,6 +243,7 @@ struct mon_table mon_dispatch_proto20[] = {
241	{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},	243	{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
242	{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},	244	{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
243	{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},	245	{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
		246	{MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
244	#endif	247	#endif
245	#ifdef JPAKE	248	#ifdef JPAKE
246	{MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},	249	{MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
@@ -253,6 +256,12 @@ struct mon_table mon_dispatch_proto20[] = {
253	};	256	};
254		257
255	struct mon_table mon_dispatch_postauth20[] = {	258	struct mon_table mon_dispatch_postauth20[] = {
		259	#ifdef GSSAPI
		260	{MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
		261	{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
		262	{MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
		263	{MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
		264	#endif
256	{MONITOR_REQ_MODULI, 0, mm_answer_moduli},	265	{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
257	{MONITOR_REQ_SIGN, 0, mm_answer_sign},	266	{MONITOR_REQ_SIGN, 0, mm_answer_sign},
258	{MONITOR_REQ_PTY, 0, mm_answer_pty},	267	{MONITOR_REQ_PTY, 0, mm_answer_pty},
@@ -357,6 +366,10 @@ monitor_child_preauth(Authctxt _authctxt, struct monitor pmonitor)
357	/* Permit requests for moduli and signatures */	366	/* Permit requests for moduli and signatures */
358	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);	367	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
359	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);	368	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
		369	#ifdef GSSAPI
		370	/* and for the GSSAPI key exchange */
		371	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
		372	#endif
360	} else {	373	} else {
361	mon_dispatch = mon_dispatch_proto15;	374	mon_dispatch = mon_dispatch_proto15;
362		375
@@ -443,6 +456,10 @@ monitor_child_postauth(struct monitor *pmonitor)
443	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);	456	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
444	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);	457	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
445	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);	458	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
		459	#ifdef GSSAPI
		460	/* and for the GSSAPI key exchange */
		461	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
		462	#endif
446	} else {	463	} else {
447	mon_dispatch = mon_dispatch_postauth15;	464	mon_dispatch = mon_dispatch_postauth15;
448	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);	465	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1706,6 +1723,13 @@ mm_get_kex(Buffer *m)
1706	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;	1723	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
1707	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;	1724	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
1708	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;	1725	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
		1726	#ifdef GSSAPI
		1727	if (options.gss_keyex) {
		1728	kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
		1729	kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
		1730	kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
		1731	}
		1732	#endif
1709	kex->server = 1;	1733	kex->server = 1;
1710	kex->hostkey_type = buffer_get_int(m);	1734	kex->hostkey_type = buffer_get_int(m);
1711	kex->kex_type = buffer_get_int(m);	1735	kex->kex_type = buffer_get_int(m);
@@ -1911,6 +1935,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
1911	OM_uint32 major;	1935	OM_uint32 major;
1912	u_int len;	1936	u_int len;
1913		1937
		1938	if (!options.gss_authentication && !options.gss_keyex)
		1939	fatal("In GSSAPI monitor when GSSAPI is disabled");
		1940
1914	goid.elements = buffer_get_string(m, &len);	1941	goid.elements = buffer_get_string(m, &len);
1915	goid.length = len;	1942	goid.length = len;
1916		1943
@@ -1938,6 +1965,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
1938	OM_uint32 flags = 0; /* GSI needs this */	1965	OM_uint32 flags = 0; /* GSI needs this */
1939	u_int len;	1966	u_int len;
1940		1967
		1968	if (!options.gss_authentication && !options.gss_keyex)
		1969	fatal("In GSSAPI monitor when GSSAPI is disabled");
		1970
1941	in.value = buffer_get_string(m, &len);	1971	in.value = buffer_get_string(m, &len);
1942	in.length = len;	1972	in.length = len;
1943	major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);	1973	major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -1955,6 +1985,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
1955	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);	1985	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
1956	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);	1986	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
1957	monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);	1987	monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
		1988	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
1958	}	1989	}
1959	return (0);	1990	return (0);
1960	}	1991	}
@@ -1966,6 +1997,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
1966	OM_uint32 ret;	1997	OM_uint32 ret;
1967	u_int len;	1998	u_int len;
1968		1999
		2000	if (!options.gss_authentication && !options.gss_keyex)
		2001	fatal("In GSSAPI monitor when GSSAPI is disabled");
		2002
1969	gssbuf.value = buffer_get_string(m, &len);	2003	gssbuf.value = buffer_get_string(m, &len);
1970	gssbuf.length = len;	2004	gssbuf.length = len;
1971	mic.value = buffer_get_string(m, &len);	2005	mic.value = buffer_get_string(m, &len);
@@ -1992,7 +2026,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
1992	{	2026	{
1993	int authenticated;	2027	int authenticated;
1994		2028
1995	authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);	2029	if (!options.gss_authentication && !options.gss_keyex)
		2030	fatal("In GSSAPI monitor when GSSAPI is disabled");
		2031
		2032	authenticated = authctxt->valid &&
		2033	ssh_gssapi_userok(authctxt->user, authctxt->pw);
1996		2034
1997	buffer_clear(m);	2035	buffer_clear(m);
1998	buffer_put_int(m, authenticated);	2036	buffer_put_int(m, authenticated);
@@ -2005,6 +2043,74 @@ mm_answer_gss_userok(int sock, Buffer *m)
2005	/* Monitor loop will terminate if authenticated */	2043	/* Monitor loop will terminate if authenticated */
2006	return (authenticated);	2044	return (authenticated);
2007	}	2045	}
		2046
		2047	int
		2048	mm_answer_gss_sign(int socket, Buffer *m)
		2049	{
		2050	gss_buffer_desc data;
		2051	gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
		2052	OM_uint32 major, minor;
		2053	u_int len;
		2054
		2055	if (!options.gss_authentication && !options.gss_keyex)
		2056	fatal("In GSSAPI monitor when GSSAPI is disabled");
		2057
		2058	data.value = buffer_get_string(m, &len);
		2059	data.length = len;
		2060	if (data.length != 20)
		2061	fatal("%s: data length incorrect: %d", __func__,
		2062	(int) data.length);
		2063
		2064	/* Save the session ID on the first time around */
		2065	if (session_id2_len == 0) {
		2066	session_id2_len = data.length;
		2067	session_id2 = xmalloc(session_id2_len);
		2068	memcpy(session_id2, data.value, session_id2_len);
		2069	}
		2070	major = ssh_gssapi_sign(gsscontext, &data, &hash);
		2071
		2072	xfree(data.value);
		2073
		2074	buffer_clear(m);
		2075	buffer_put_int(m, major);
		2076	buffer_put_string(m, hash.value, hash.length);
		2077
		2078	mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
		2079
		2080	gss_release_buffer(&minor, &hash);
		2081
		2082	/* Turn on getpwnam permissions */
		2083	monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
		2084
		2085	/* And credential updating, for when rekeying */
		2086	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
		2087
		2088	return (0);
		2089	}
		2090
		2091	int
		2092	mm_answer_gss_updatecreds(int socket, Buffer *m) {
		2093	ssh_gssapi_ccache store;
		2094	int ok;
		2095
		2096	store.filename = buffer_get_string(m, NULL);
		2097	store.envvar = buffer_get_string(m, NULL);
		2098	store.envval = buffer_get_string(m, NULL);
		2099
		2100	ok = ssh_gssapi_update_creds(&store);
		2101
		2102	xfree(store.filename);
		2103	xfree(store.envvar);
		2104	xfree(store.envval);
		2105
		2106	buffer_clear(m);
		2107	buffer_put_int(m, ok);
		2108
		2109	mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
		2110
		2111	return(0);
		2112	}
		2113
2008	#endif /* GSSAPI */	2114	#endif /* GSSAPI */
2009		2115
2010	#ifdef JPAKE	2116	#ifdef JPAKE