1 files changed, 62 insertions, 2 deletions
diff --git a/monitor.c b/monitor.c
index e6f648b0b..e9693ef63 100644
--- a/monitor.c
+++ b/monitor.c
@@ -141,6 +141,7 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
 int mm_answer_gss_checkmic(int, Buffer *);
+int mm_answer_gss_sign(int, Buffer *);
 #endif
 #ifdef SSH_AUDIT_EVENTS
@@ -209,11 +210,17 @@ struct mon_table mon_dispatch_proto20[] = {
    {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
    {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
    {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
+    {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
 #endif
    {0, 0, NULL}
 };
 struct mon_table mon_dispatch_postauth20[] = {
+#ifdef GSSAPI
+    {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
+    {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
+    {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
+#endif
    {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
    {MONITOR_REQ_SIGN, 0, mm_answer_sign},
    {MONITOR_REQ_PTY, 0, mm_answer_pty},
@@ -318,6 +325,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
                /* Permit requests for moduli and signatures */
                monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
+#ifdef GSSAPI
+                /* and for the GSSAPI key exchange */
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
        } else {
                mon_dispatch = mon_dispatch_proto15;
@@ -391,6 +402,10 @@ monitor_child_postauth(struct monitor *pmonitor)
                monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef GSSAPI
+                /* and for the GSSAPI key exchange */
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif          
        } else {
                mon_dispatch = mon_dispatch_postauth15;
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -659,14 +674,20 @@ mm_answer_authserv(int sock, Buffer *m)
        authctxt->service = buffer_get_string(m, NULL);
        authctxt->style = buffer_get_string(m, NULL);
-        debug3("%s: service=%s, style=%s",
+        authctxt->role = buffer_get_string(m, NULL);
-            __func__, authctxt->service, authctxt->style);
+        debug3("%s: service=%s, style=%s, role=%s",
+            __func__, authctxt->service, authctxt->style, authctxt->role);
        if (strlen(authctxt->style) == 0) {
                xfree(authctxt->style);
                authctxt->style = NULL;
        }
+        if (strlen(authctxt->role) == 0) {
+                xfree(authctxt->role);
+                authctxt->role = NULL;
+        }
        return (0);
 }
@@ -1621,6 +1642,9 @@ mm_get_kex(Buffer *m)
        kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
        kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
        kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
+#ifdef GSSAPI
+        kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+#endif
        kex->server = 1;
        kex->hostkey_type = buffer_get_int(m);
        kex->kex_type = buffer_get_int(m);
@@ -1863,6 +1887,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
        }
        return (0);
 }
@@ -1913,4 +1938,39 @@ mm_answer_gss_userok(int sock, Buffer *m)
        /* Monitor loop will terminate if authenticated */
        return (authenticated);
 }
+int 
+mm_answer_gss_sign(int socket, Buffer *m)
+{
+        gss_buffer_desc data, hash;
+        OM_uint32 major, minor;
+        data.value = buffer_get_string(m, &data.length);
+        if (data.length != 20) 
+                fatal("%s: data length incorrect: %d", __func__, data.length);
+        /* Save the session ID on the first time around */
+        if (session_id2_len == 0) {
+                session_id2_len = data.length;
+                session_id2 = xmalloc(session_id2_len);
+                memcpy(session_id2, data.value, session_id2_len);
+        }
+        major = ssh_gssapi_sign(gsscontext, &data, &hash);
+        xfree(data.value);
+        buffer_clear(m);
+        buffer_put_int(m, major);
+        buffer_put_string(m, hash.value, hash.length);
+        mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
+        gss_release_buffer(&minor, &hash);
+        /* Turn on getpwnam permissions */
+        monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
+        return (0);
+}
 #endif /* GSSAPI */

diff --git a/monitor.c b/monitor.c index e6f648b0b..e9693ef63 100644 --- a/monitor.c +++ b/monitor.c
@@ -141,6 +141,7 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
141	int mm_answer_gss_accept_ctx(int, Buffer *);	141	int mm_answer_gss_accept_ctx(int, Buffer *);
142	int mm_answer_gss_userok(int, Buffer *);	142	int mm_answer_gss_userok(int, Buffer *);
143	int mm_answer_gss_checkmic(int, Buffer *);	143	int mm_answer_gss_checkmic(int, Buffer *);
		144	int mm_answer_gss_sign(int, Buffer *);
144	#endif	145	#endif
145		146
146	#ifdef SSH_AUDIT_EVENTS	147	#ifdef SSH_AUDIT_EVENTS
@@ -209,11 +210,17 @@ struct mon_table mon_dispatch_proto20[] = {
209	{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},	210	{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
210	{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},	211	{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
211	{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},	212	{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
		213	{MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
212	#endif	214	#endif
213	{0, 0, NULL}	215	{0, 0, NULL}
214	};	216	};
215		217
216	struct mon_table mon_dispatch_postauth20[] = {	218	struct mon_table mon_dispatch_postauth20[] = {
		219	#ifdef GSSAPI
		220	{MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
		221	{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
		222	{MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
		223	#endif
217	{MONITOR_REQ_MODULI, 0, mm_answer_moduli},	224	{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
218	{MONITOR_REQ_SIGN, 0, mm_answer_sign},	225	{MONITOR_REQ_SIGN, 0, mm_answer_sign},
219	{MONITOR_REQ_PTY, 0, mm_answer_pty},	226	{MONITOR_REQ_PTY, 0, mm_answer_pty},
@@ -318,6 +325,10 @@ monitor_child_preauth(Authctxt _authctxt, struct monitor pmonitor)
318	/* Permit requests for moduli and signatures */	325	/* Permit requests for moduli and signatures */
319	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);	326	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
320	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);	327	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
		328	#ifdef GSSAPI
		329	/* and for the GSSAPI key exchange */
		330	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
		331	#endif
321	} else {	332	} else {
322	mon_dispatch = mon_dispatch_proto15;	333	mon_dispatch = mon_dispatch_proto15;
323		334
@@ -391,6 +402,10 @@ monitor_child_postauth(struct monitor *pmonitor)
391	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);	402	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
392	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);	403	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
393	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);	404	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
		405	#ifdef GSSAPI
		406	/* and for the GSSAPI key exchange */
		407	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
		408	#endif
394	} else {	409	} else {
395	mon_dispatch = mon_dispatch_postauth15;	410	mon_dispatch = mon_dispatch_postauth15;
396	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);	411	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -659,14 +674,20 @@ mm_answer_authserv(int sock, Buffer *m)
659		674
660	authctxt->service = buffer_get_string(m, NULL);	675	authctxt->service = buffer_get_string(m, NULL);
661	authctxt->style = buffer_get_string(m, NULL);	676	authctxt->style = buffer_get_string(m, NULL);
662	debug3("%s: service=%s, style=%s",	677	authctxt->role = buffer_get_string(m, NULL);
663	__func__, authctxt->service, authctxt->style);	678	debug3("%s: service=%s, style=%s, role=%s",
		679	__func__, authctxt->service, authctxt->style, authctxt->role);
664		680
665	if (strlen(authctxt->style) == 0) {	681	if (strlen(authctxt->style) == 0) {
666	xfree(authctxt->style);	682	xfree(authctxt->style);
667	authctxt->style = NULL;	683	authctxt->style = NULL;
668	}	684	}
669		685
		686	if (strlen(authctxt->role) == 0) {
		687	xfree(authctxt->role);
		688	authctxt->role = NULL;
		689	}
		690
670	return (0);	691	return (0);
671	}	692	}
672		693
@@ -1621,6 +1642,9 @@ mm_get_kex(Buffer *m)
1621	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;	1642	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
1622	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;	1643	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
1623	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;	1644	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
		1645	#ifdef GSSAPI
		1646	kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
		1647	#endif
1624	kex->server = 1;	1648	kex->server = 1;
1625	kex->hostkey_type = buffer_get_int(m);	1649	kex->hostkey_type = buffer_get_int(m);
1626	kex->kex_type = buffer_get_int(m);	1650	kex->kex_type = buffer_get_int(m);
@@ -1863,6 +1887,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
1863	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);	1887	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
1864	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);	1888	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
1865	monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);	1889	monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
		1890	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
1866	}	1891	}
1867	return (0);	1892	return (0);
1868	}	1893	}
@@ -1913,4 +1938,39 @@ mm_answer_gss_userok(int sock, Buffer *m)
1913	/* Monitor loop will terminate if authenticated */	1938	/* Monitor loop will terminate if authenticated */
1914	return (authenticated);	1939	return (authenticated);
1915	}	1940	}
		1941
		1942	int
		1943	mm_answer_gss_sign(int socket, Buffer *m)
		1944	{
		1945	gss_buffer_desc data, hash;
		1946	OM_uint32 major, minor;
		1947
		1948	data.value = buffer_get_string(m, &data.length);
		1949	if (data.length != 20)
		1950	fatal("%s: data length incorrect: %d", __func__, data.length);
		1951
		1952	/* Save the session ID on the first time around */
		1953	if (session_id2_len == 0) {
		1954	session_id2_len = data.length;
		1955	session_id2 = xmalloc(session_id2_len);
		1956	memcpy(session_id2, data.value, session_id2_len);
		1957	}
		1958	major = ssh_gssapi_sign(gsscontext, &data, &hash);
		1959
		1960	xfree(data.value);
		1961
		1962	buffer_clear(m);
		1963	buffer_put_int(m, major);
		1964	buffer_put_string(m, hash.value, hash.length);
		1965
		1966	mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
		1967
		1968	gss_release_buffer(&minor, &hash);
		1969
		1970	/* Turn on getpwnam permissions */
		1971	monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
		1972
		1973	return (0);
		1974	}
		1975
1916	#endif /* GSSAPI */	1976	#endif /* GSSAPI */