1 files changed, 59 insertions, 0 deletions
diff --git a/monitor.c b/monitor.c
index 73cf6bc9b..ef46938c4 100644
--- a/monitor.c
+++ b/monitor.c
@@ -164,6 +164,7 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
 int mm_answer_gss_checkmic(int, Buffer *);
+int mm_answer_gss_sign(int, Buffer *);
 #endif
 #ifdef SSH_AUDIT_EVENTS
@@ -233,11 +234,17 @@ struct mon_table mon_dispatch_proto20[] = {
    {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
    {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
    {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
+    {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
 #endif
    {0, 0, NULL}
 };
 struct mon_table mon_dispatch_postauth20[] = {
+#ifdef GSSAPI
+    {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
+    {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
+    {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
+#endif
    {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
    {MONITOR_REQ_SIGN, 0, mm_answer_sign},
    {MONITOR_REQ_PTY, 0, mm_answer_pty},
@@ -342,6 +349,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
                /* Permit requests for moduli and signatures */
                monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
+#ifdef GSSAPI
+                /* and for the GSSAPI key exchange */
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
        } else {
                mon_dispatch = mon_dispatch_proto15;
@@ -419,6 +430,10 @@ monitor_child_postauth(struct monitor *pmonitor)
                monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef GSSAPI
+                /* and for the GSSAPI key exchange */
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif          
        } else {
                mon_dispatch = mon_dispatch_postauth15;
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1675,6 +1690,11 @@ mm_get_kex(Buffer *m)
        kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
        kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
        kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
+#ifdef GSSAPI
+        kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+        kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+        kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
+#endif
        kex->server = 1;
        kex->hostkey_type = buffer_get_int(m);
        kex->kex_type = buffer_get_int(m);
@@ -1918,6 +1938,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
        }
        return (0);
 }
@@ -1968,4 +1989,42 @@ mm_answer_gss_userok(int sock, Buffer *m)
        /* Monitor loop will terminate if authenticated */
        return (authenticated);
 }
+int 
+mm_answer_gss_sign(int socket, Buffer *m)
+{
+        gss_buffer_desc data;
+        gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
+        OM_uint32 major, minor;
+        u_int len;
+        data.value = buffer_get_string(m, &len);
+        data.length = len;
+        if (data.length != 20) 
+                fatal("%s: data length incorrect: %d", __func__, data.length);
+        /* Save the session ID on the first time around */
+        if (session_id2_len == 0) {
+                session_id2_len = data.length;
+                session_id2 = xmalloc(session_id2_len);
+                memcpy(session_id2, data.value, session_id2_len);
+        }
+        major = ssh_gssapi_sign(gsscontext, &data, &hash);
+        xfree(data.value);
+        buffer_clear(m);
+        buffer_put_int(m, major);
+        buffer_put_string(m, hash.value, hash.length);
+        mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
+        gss_release_buffer(&minor, &hash);
+        /* Turn on getpwnam permissions */
+        monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
+        return (0);
+}
 #endif /* GSSAPI */

diff --git a/monitor.c b/monitor.c index 73cf6bc9b..ef46938c4 100644 --- a/monitor.c +++ b/monitor.c
@@ -164,6 +164,7 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
164	int mm_answer_gss_accept_ctx(int, Buffer *);	164	int mm_answer_gss_accept_ctx(int, Buffer *);
165	int mm_answer_gss_userok(int, Buffer *);	165	int mm_answer_gss_userok(int, Buffer *);
166	int mm_answer_gss_checkmic(int, Buffer *);	166	int mm_answer_gss_checkmic(int, Buffer *);
		167	int mm_answer_gss_sign(int, Buffer *);
167	#endif	168	#endif
168		169
169	#ifdef SSH_AUDIT_EVENTS	170	#ifdef SSH_AUDIT_EVENTS
@@ -233,11 +234,17 @@ struct mon_table mon_dispatch_proto20[] = {
233	{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},	234	{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
234	{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},	235	{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
235	{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},	236	{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
		237	{MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
236	#endif	238	#endif
237	{0, 0, NULL}	239	{0, 0, NULL}
238	};	240	};
239		241
240	struct mon_table mon_dispatch_postauth20[] = {	242	struct mon_table mon_dispatch_postauth20[] = {
		243	#ifdef GSSAPI
		244	{MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
		245	{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
		246	{MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
		247	#endif
241	{MONITOR_REQ_MODULI, 0, mm_answer_moduli},	248	{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
242	{MONITOR_REQ_SIGN, 0, mm_answer_sign},	249	{MONITOR_REQ_SIGN, 0, mm_answer_sign},
243	{MONITOR_REQ_PTY, 0, mm_answer_pty},	250	{MONITOR_REQ_PTY, 0, mm_answer_pty},
@@ -342,6 +349,10 @@ monitor_child_preauth(Authctxt _authctxt, struct monitor pmonitor)
342	/* Permit requests for moduli and signatures */	349	/* Permit requests for moduli and signatures */
343	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);	350	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
344	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);	351	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
		352	#ifdef GSSAPI
		353	/* and for the GSSAPI key exchange */
		354	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
		355	#endif
345	} else {	356	} else {
346	mon_dispatch = mon_dispatch_proto15;	357	mon_dispatch = mon_dispatch_proto15;
347		358
@@ -419,6 +430,10 @@ monitor_child_postauth(struct monitor *pmonitor)
419	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);	430	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
420	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);	431	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
421	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);	432	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
		433	#ifdef GSSAPI
		434	/* and for the GSSAPI key exchange */
		435	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
		436	#endif
422	} else {	437	} else {
423	mon_dispatch = mon_dispatch_postauth15;	438	mon_dispatch = mon_dispatch_postauth15;
424	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);	439	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1675,6 +1690,11 @@ mm_get_kex(Buffer *m)
1675	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;	1690	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
1676	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;	1691	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
1677	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;	1692	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
		1693	#ifdef GSSAPI
		1694	kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
		1695	kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
		1696	kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
		1697	#endif
1678	kex->server = 1;	1698	kex->server = 1;
1679	kex->hostkey_type = buffer_get_int(m);	1699	kex->hostkey_type = buffer_get_int(m);
1680	kex->kex_type = buffer_get_int(m);	1700	kex->kex_type = buffer_get_int(m);
@@ -1918,6 +1938,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
1918	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);	1938	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
1919	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);	1939	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
1920	monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);	1940	monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
		1941	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
1921	}	1942	}
1922	return (0);	1943	return (0);
1923	}	1944	}
@@ -1968,4 +1989,42 @@ mm_answer_gss_userok(int sock, Buffer *m)
1968	/* Monitor loop will terminate if authenticated */	1989	/* Monitor loop will terminate if authenticated */
1969	return (authenticated);	1990	return (authenticated);
1970	}	1991	}
		1992
		1993	int
		1994	mm_answer_gss_sign(int socket, Buffer *m)
		1995	{
		1996	gss_buffer_desc data;
		1997	gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
		1998	OM_uint32 major, minor;
		1999	u_int len;
		2000
		2001	data.value = buffer_get_string(m, &len);
		2002	data.length = len;
		2003	if (data.length != 20)
		2004	fatal("%s: data length incorrect: %d", __func__, data.length);
		2005
		2006	/* Save the session ID on the first time around */
		2007	if (session_id2_len == 0) {
		2008	session_id2_len = data.length;
		2009	session_id2 = xmalloc(session_id2_len);
		2010	memcpy(session_id2, data.value, session_id2_len);
		2011	}
		2012	major = ssh_gssapi_sign(gsscontext, &data, &hash);
		2013
		2014	xfree(data.value);
		2015
		2016	buffer_clear(m);
		2017	buffer_put_int(m, major);
		2018	buffer_put_string(m, hash.value, hash.length);
		2019
		2020	mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
		2021
		2022	gss_release_buffer(&minor, &hash);
		2023
		2024	/* Turn on getpwnam permissions */
		2025	monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
		2026
		2027	return (0);
		2028	}
		2029
1971	#endif /* GSSAPI */	2030	#endif /* GSSAPI */