1 files changed, 107 insertions, 1 deletions
diff --git a/monitor.c b/monitor.c
index dbe29f128..b0896ef7f 100644
--- a/monitor.c
+++ b/monitor.c
@@ -178,6 +178,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
 int mm_answer_gss_checkmic(int, Buffer *);
+int mm_answer_gss_sign(int, Buffer *);
+int mm_answer_gss_updatecreds(int, Buffer *);
 #endif
 #ifdef SSH_AUDIT_EVENTS
@@ -255,11 +257,18 @@ struct mon_table mon_dispatch_proto20[] = {
    {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
    {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
    {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
+    {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
 #endif
    {0, 0, NULL}
 };
 struct mon_table mon_dispatch_postauth20[] = {
+#ifdef GSSAPI
+    {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
+    {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
+    {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
+    {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
+#endif
 #ifdef WITH_OPENSSL
    {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
 #endif
@@ -374,6 +383,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
                /* Permit requests for moduli and signatures */
                monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
+#ifdef GSSAPI
+                /* and for the GSSAPI key exchange */
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
        } else {
                mon_dispatch = mon_dispatch_proto15;
@@ -482,6 +495,10 @@ monitor_child_postauth(struct monitor *pmonitor)
                monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef GSSAPI
+                /* and for the GSSAPI key exchange */
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif          
        } else {
                mon_dispatch = mon_dispatch_postauth15;
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1861,6 +1878,13 @@ mm_get_kex(Buffer *m)
        kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
 #endif
        kex->kex[KEX_C25519_SHA256] = kexc25519_server;
+#ifdef GSSAPI
+        if (options.gss_keyex) {
+                kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+                kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+                kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
+        }
+#endif
        kex->server = 1;
        kex->hostkey_type = buffer_get_int(m);
        kex->kex_type = buffer_get_int(m);
@@ -2068,6 +2092,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
        OM_uint32 major;
        u_int len;
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
        goid.elements = buffer_get_string(m, &len);
        goid.length = len;
@@ -2095,6 +2122,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
        OM_uint32 flags = 0; /* GSI needs this */
        u_int len;
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
        in.value = buffer_get_string(m, &len);
        in.length = len;
        major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -2112,6 +2142,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
        }
        return (0);
 }
@@ -2123,6 +2154,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
        OM_uint32 ret;
        u_int len;
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
        gssbuf.value = buffer_get_string(m, &len);
        gssbuf.length = len;
        mic.value = buffer_get_string(m, &len);
@@ -2149,7 +2183,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
 {
        int authenticated;
-        authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
+        authenticated = authctxt->valid && 
+            ssh_gssapi_userok(authctxt->user, authctxt->pw);
        buffer_clear(m);
        buffer_put_int(m, authenticated);
@@ -2162,5 +2200,73 @@ mm_answer_gss_userok(int sock, Buffer *m)
        /* Monitor loop will terminate if authenticated */
        return (authenticated);
 }
+int 
+mm_answer_gss_sign(int socket, Buffer *m)
+{
+        gss_buffer_desc data;
+        gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
+        OM_uint32 major, minor;
+        u_int len;
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
+        data.value = buffer_get_string(m, &len);
+        data.length = len;
+        if (data.length != 20) 
+                fatal("%s: data length incorrect: %d", __func__, 
+                    (int) data.length);
+        /* Save the session ID on the first time around */
+        if (session_id2_len == 0) {
+                session_id2_len = data.length;
+                session_id2 = xmalloc(session_id2_len);
+                memcpy(session_id2, data.value, session_id2_len);
+        }
+        major = ssh_gssapi_sign(gsscontext, &data, &hash);
+        free(data.value);
+        buffer_clear(m);
+        buffer_put_int(m, major);
+        buffer_put_string(m, hash.value, hash.length);
+        mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
+        gss_release_buffer(&minor, &hash);
+        /* Turn on getpwnam permissions */
+        monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
+        
+        /* And credential updating, for when rekeying */
+        monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
+        return (0);
+}
+int
+mm_answer_gss_updatecreds(int socket, Buffer *m) {
+        ssh_gssapi_ccache store;
+        int ok;
+        store.filename = buffer_get_string(m, NULL);
+        store.envvar   = buffer_get_string(m, NULL);
+        store.envval   = buffer_get_string(m, NULL);
+        ok = ssh_gssapi_update_creds(&store);
+        free(store.filename);
+        free(store.envvar);
+        free(store.envval);
+        buffer_clear(m);
+        buffer_put_int(m, ok);
+        mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
+        return(0);
+}
 #endif /* GSSAPI */

diff --git a/monitor.c b/monitor.c index dbe29f128..b0896ef7f 100644 --- a/monitor.c +++ b/monitor.c
@@ -178,6 +178,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
178	int mm_answer_gss_accept_ctx(int, Buffer *);	178	int mm_answer_gss_accept_ctx(int, Buffer *);
179	int mm_answer_gss_userok(int, Buffer *);	179	int mm_answer_gss_userok(int, Buffer *);
180	int mm_answer_gss_checkmic(int, Buffer *);	180	int mm_answer_gss_checkmic(int, Buffer *);
		181	int mm_answer_gss_sign(int, Buffer *);
		182	int mm_answer_gss_updatecreds(int, Buffer *);
181	#endif	183	#endif
182		184
183	#ifdef SSH_AUDIT_EVENTS	185	#ifdef SSH_AUDIT_EVENTS
@@ -255,11 +257,18 @@ struct mon_table mon_dispatch_proto20[] = {
255	{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},	257	{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
256	{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},	258	{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
257	{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},	259	{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
		260	{MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
258	#endif	261	#endif
259	{0, 0, NULL}	262	{0, 0, NULL}
260	};	263	};
261		264
262	struct mon_table mon_dispatch_postauth20[] = {	265	struct mon_table mon_dispatch_postauth20[] = {
		266	#ifdef GSSAPI
		267	{MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
		268	{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
		269	{MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
		270	{MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
		271	#endif
263	#ifdef WITH_OPENSSL	272	#ifdef WITH_OPENSSL
264	{MONITOR_REQ_MODULI, 0, mm_answer_moduli},	273	{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
265	#endif	274	#endif
@@ -374,6 +383,10 @@ monitor_child_preauth(Authctxt _authctxt, struct monitor pmonitor)
374	/* Permit requests for moduli and signatures */	383	/* Permit requests for moduli and signatures */
375	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);	384	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
376	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);	385	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
		386	#ifdef GSSAPI
		387	/* and for the GSSAPI key exchange */
		388	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
		389	#endif
377	} else {	390	} else {
378	mon_dispatch = mon_dispatch_proto15;	391	mon_dispatch = mon_dispatch_proto15;
379		392
@@ -482,6 +495,10 @@ monitor_child_postauth(struct monitor *pmonitor)
482	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);	495	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
483	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);	496	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
484	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);	497	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
		498	#ifdef GSSAPI
		499	/* and for the GSSAPI key exchange */
		500	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
		501	#endif
485	} else {	502	} else {
486	mon_dispatch = mon_dispatch_postauth15;	503	mon_dispatch = mon_dispatch_postauth15;
487	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);	504	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1861,6 +1878,13 @@ mm_get_kex(Buffer *m)
1861	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;	1878	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
1862	#endif	1879	#endif
1863	kex->kex[KEX_C25519_SHA256] = kexc25519_server;	1880	kex->kex[KEX_C25519_SHA256] = kexc25519_server;
		1881	#ifdef GSSAPI
		1882	if (options.gss_keyex) {
		1883	kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
		1884	kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
		1885	kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
		1886	}
		1887	#endif
1864	kex->server = 1;	1888	kex->server = 1;
1865	kex->hostkey_type = buffer_get_int(m);	1889	kex->hostkey_type = buffer_get_int(m);
1866	kex->kex_type = buffer_get_int(m);	1890	kex->kex_type = buffer_get_int(m);
@@ -2068,6 +2092,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
2068	OM_uint32 major;	2092	OM_uint32 major;
2069	u_int len;	2093	u_int len;
2070		2094
		2095	if (!options.gss_authentication && !options.gss_keyex)
		2096	fatal("In GSSAPI monitor when GSSAPI is disabled");
		2097
2071	goid.elements = buffer_get_string(m, &len);	2098	goid.elements = buffer_get_string(m, &len);
2072	goid.length = len;	2099	goid.length = len;
2073		2100
@@ -2095,6 +2122,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2095	OM_uint32 flags = 0; /* GSI needs this */	2122	OM_uint32 flags = 0; /* GSI needs this */
2096	u_int len;	2123	u_int len;
2097		2124
		2125	if (!options.gss_authentication && !options.gss_keyex)
		2126	fatal("In GSSAPI monitor when GSSAPI is disabled");
		2127
2098	in.value = buffer_get_string(m, &len);	2128	in.value = buffer_get_string(m, &len);
2099	in.length = len;	2129	in.length = len;
2100	major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);	2130	major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -2112,6 +2142,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2112	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);	2142	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2113	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);	2143	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2114	monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);	2144	monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
		2145	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
2115	}	2146	}
2116	return (0);	2147	return (0);
2117	}	2148	}
@@ -2123,6 +2154,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
2123	OM_uint32 ret;	2154	OM_uint32 ret;
2124	u_int len;	2155	u_int len;
2125		2156
		2157	if (!options.gss_authentication && !options.gss_keyex)
		2158	fatal("In GSSAPI monitor when GSSAPI is disabled");
		2159
2126	gssbuf.value = buffer_get_string(m, &len);	2160	gssbuf.value = buffer_get_string(m, &len);
2127	gssbuf.length = len;	2161	gssbuf.length = len;
2128	mic.value = buffer_get_string(m, &len);	2162	mic.value = buffer_get_string(m, &len);
@@ -2149,7 +2183,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
2149	{	2183	{
2150	int authenticated;	2184	int authenticated;
2151		2185
2152	authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);	2186	if (!options.gss_authentication && !options.gss_keyex)
		2187	fatal("In GSSAPI monitor when GSSAPI is disabled");
		2188
		2189	authenticated = authctxt->valid &&
		2190	ssh_gssapi_userok(authctxt->user, authctxt->pw);
2153		2191
2154	buffer_clear(m);	2192	buffer_clear(m);
2155	buffer_put_int(m, authenticated);	2193	buffer_put_int(m, authenticated);
@@ -2162,5 +2200,73 @@ mm_answer_gss_userok(int sock, Buffer *m)
2162	/* Monitor loop will terminate if authenticated */	2200	/* Monitor loop will terminate if authenticated */
2163	return (authenticated);	2201	return (authenticated);
2164	}	2202	}
		2203
		2204	int
		2205	mm_answer_gss_sign(int socket, Buffer *m)
		2206	{
		2207	gss_buffer_desc data;
		2208	gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
		2209	OM_uint32 major, minor;
		2210	u_int len;
		2211
		2212	if (!options.gss_authentication && !options.gss_keyex)
		2213	fatal("In GSSAPI monitor when GSSAPI is disabled");
		2214
		2215	data.value = buffer_get_string(m, &len);
		2216	data.length = len;
		2217	if (data.length != 20)
		2218	fatal("%s: data length incorrect: %d", __func__,
		2219	(int) data.length);
		2220
		2221	/* Save the session ID on the first time around */
		2222	if (session_id2_len == 0) {
		2223	session_id2_len = data.length;
		2224	session_id2 = xmalloc(session_id2_len);
		2225	memcpy(session_id2, data.value, session_id2_len);
		2226	}
		2227	major = ssh_gssapi_sign(gsscontext, &data, &hash);
		2228
		2229	free(data.value);
		2230
		2231	buffer_clear(m);
		2232	buffer_put_int(m, major);
		2233	buffer_put_string(m, hash.value, hash.length);
		2234
		2235	mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
		2236
		2237	gss_release_buffer(&minor, &hash);
		2238
		2239	/* Turn on getpwnam permissions */
		2240	monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
		2241
		2242	/* And credential updating, for when rekeying */
		2243	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
		2244
		2245	return (0);
		2246	}
		2247
		2248	int
		2249	mm_answer_gss_updatecreds(int socket, Buffer *m) {
		2250	ssh_gssapi_ccache store;
		2251	int ok;
		2252
		2253	store.filename = buffer_get_string(m, NULL);
		2254	store.envvar = buffer_get_string(m, NULL);
		2255	store.envval = buffer_get_string(m, NULL);
		2256
		2257	ok = ssh_gssapi_update_creds(&store);
		2258
		2259	free(store.filename);
		2260	free(store.envvar);
		2261	free(store.envval);
		2262
		2263	buffer_clear(m);
		2264	buffer_put_int(m, ok);
		2265
		2266	mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
		2267
		2268	return(0);
		2269	}
		2270
2165	#endif /* GSSAPI */	2271	#endif /* GSSAPI */
2166		2272