1 files changed, 107 insertions, 1 deletions
diff --git a/monitor.c b/monitor.c
index 44dff98c9..9079c9762 100644
--- a/monitor.c
+++ b/monitor.c
@@ -181,6 +181,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
 int mm_answer_gss_checkmic(int, Buffer *);
+int mm_answer_gss_sign(int, Buffer *);
+int mm_answer_gss_updatecreds(int, Buffer *);
 #endif
 #ifdef SSH_AUDIT_EVENTS
@@ -253,6 +255,7 @@ struct mon_table mon_dispatch_proto20[] = {
    {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
    {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
    {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
+    {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
 #endif
 #ifdef JPAKE
    {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
@@ -265,6 +268,12 @@ struct mon_table mon_dispatch_proto20[] = {
 };
 struct mon_table mon_dispatch_postauth20[] = {
+#ifdef GSSAPI
+    {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
+    {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
+    {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
+    {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
+#endif
    {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
    {MONITOR_REQ_SIGN, 0, mm_answer_sign},
    {MONITOR_REQ_PTY, 0, mm_answer_pty},
@@ -373,6 +382,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
                /* Permit requests for moduli and signatures */
                monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
+#ifdef GSSAPI
+                /* and for the GSSAPI key exchange */
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
        } else {
                mon_dispatch = mon_dispatch_proto15;
@@ -487,6 +500,10 @@ monitor_child_postauth(struct monitor *pmonitor)
                monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef GSSAPI
+                /* and for the GSSAPI key exchange */
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif          
        } else {
                mon_dispatch = mon_dispatch_postauth15;
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1855,6 +1872,13 @@ mm_get_kex(Buffer *m)
        kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
        kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
        kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+#ifdef GSSAPI
+        if (options.gss_keyex) {
+                kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+                kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+                kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
+        }
+#endif
        kex->server = 1;
        kex->hostkey_type = buffer_get_int(m);
        kex->kex_type = buffer_get_int(m);
@@ -2062,6 +2086,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
        OM_uint32 major;
        u_int len;
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
        goid.elements = buffer_get_string(m, &len);
        goid.length = len;
@@ -2089,6 +2116,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
        OM_uint32 flags = 0; /* GSI needs this */
        u_int len;
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
        in.value = buffer_get_string(m, &len);
        in.length = len;
        major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -2106,6 +2136,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
        }
        return (0);
 }
@@ -2117,6 +2148,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
        OM_uint32 ret;
        u_int len;
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
        gssbuf.value = buffer_get_string(m, &len);
        gssbuf.length = len;
        mic.value = buffer_get_string(m, &len);
@@ -2143,7 +2177,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
 {
        int authenticated;
-        authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
+        authenticated = authctxt->valid && 
+            ssh_gssapi_userok(authctxt->user, authctxt->pw);
        buffer_clear(m);
        buffer_put_int(m, authenticated);
@@ -2156,6 +2194,74 @@ mm_answer_gss_userok(int sock, Buffer *m)
        /* Monitor loop will terminate if authenticated */
        return (authenticated);
 }
+int 
+mm_answer_gss_sign(int socket, Buffer *m)
+{
+        gss_buffer_desc data;
+        gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
+        OM_uint32 major, minor;
+        u_int len;
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("In GSSAPI monitor when GSSAPI is disabled");
+        data.value = buffer_get_string(m, &len);
+        data.length = len;
+        if (data.length != 20) 
+                fatal("%s: data length incorrect: %d", __func__, 
+                    (int) data.length);
+        /* Save the session ID on the first time around */
+        if (session_id2_len == 0) {
+                session_id2_len = data.length;
+                session_id2 = xmalloc(session_id2_len);
+                memcpy(session_id2, data.value, session_id2_len);
+        }
+        major = ssh_gssapi_sign(gsscontext, &data, &hash);
+        free(data.value);
+        buffer_clear(m);
+        buffer_put_int(m, major);
+        buffer_put_string(m, hash.value, hash.length);
+        mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
+        gss_release_buffer(&minor, &hash);
+        /* Turn on getpwnam permissions */
+        monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
+        
+        /* And credential updating, for when rekeying */
+        monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
+        return (0);
+}
+int
+mm_answer_gss_updatecreds(int socket, Buffer *m) {
+        ssh_gssapi_ccache store;
+        int ok;
+        store.filename = buffer_get_string(m, NULL);
+        store.envvar   = buffer_get_string(m, NULL);
+        store.envval   = buffer_get_string(m, NULL);
+        ok = ssh_gssapi_update_creds(&store);
+        free(store.filename);
+        free(store.envvar);
+        free(store.envval);
+        buffer_clear(m);
+        buffer_put_int(m, ok);
+        mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
+        return(0);
+}
 #endif /* GSSAPI */
 #ifdef JPAKE

diff --git a/monitor.c b/monitor.c index 44dff98c9..9079c9762 100644 --- a/monitor.c +++ b/monitor.c
@@ -181,6 +181,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
181	int mm_answer_gss_accept_ctx(int, Buffer *);	181	int mm_answer_gss_accept_ctx(int, Buffer *);
182	int mm_answer_gss_userok(int, Buffer *);	182	int mm_answer_gss_userok(int, Buffer *);
183	int mm_answer_gss_checkmic(int, Buffer *);	183	int mm_answer_gss_checkmic(int, Buffer *);
		184	int mm_answer_gss_sign(int, Buffer *);
		185	int mm_answer_gss_updatecreds(int, Buffer *);
184	#endif	186	#endif
185		187
186	#ifdef SSH_AUDIT_EVENTS	188	#ifdef SSH_AUDIT_EVENTS
@@ -253,6 +255,7 @@ struct mon_table mon_dispatch_proto20[] = {
253	{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},	255	{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
254	{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},	256	{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
255	{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},	257	{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
		258	{MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
256	#endif	259	#endif
257	#ifdef JPAKE	260	#ifdef JPAKE
258	{MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},	261	{MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
@@ -265,6 +268,12 @@ struct mon_table mon_dispatch_proto20[] = {
265	};	268	};
266		269
267	struct mon_table mon_dispatch_postauth20[] = {	270	struct mon_table mon_dispatch_postauth20[] = {
		271	#ifdef GSSAPI
		272	{MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
		273	{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
		274	{MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
		275	{MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
		276	#endif
268	{MONITOR_REQ_MODULI, 0, mm_answer_moduli},	277	{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
269	{MONITOR_REQ_SIGN, 0, mm_answer_sign},	278	{MONITOR_REQ_SIGN, 0, mm_answer_sign},
270	{MONITOR_REQ_PTY, 0, mm_answer_pty},	279	{MONITOR_REQ_PTY, 0, mm_answer_pty},
@@ -373,6 +382,10 @@ monitor_child_preauth(Authctxt _authctxt, struct monitor pmonitor)
373	/* Permit requests for moduli and signatures */	382	/* Permit requests for moduli and signatures */
374	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);	383	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
375	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);	384	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
		385	#ifdef GSSAPI
		386	/* and for the GSSAPI key exchange */
		387	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
		388	#endif
376	} else {	389	} else {
377	mon_dispatch = mon_dispatch_proto15;	390	mon_dispatch = mon_dispatch_proto15;
378		391
@@ -487,6 +500,10 @@ monitor_child_postauth(struct monitor *pmonitor)
487	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);	500	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
488	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);	501	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
489	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);	502	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
		503	#ifdef GSSAPI
		504	/* and for the GSSAPI key exchange */
		505	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
		506	#endif
490	} else {	507	} else {
491	mon_dispatch = mon_dispatch_postauth15;	508	mon_dispatch = mon_dispatch_postauth15;
492	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);	509	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1855,6 +1872,13 @@ mm_get_kex(Buffer *m)
1855	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;	1872	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
1856	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;	1873	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
1857	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;	1874	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
		1875	#ifdef GSSAPI
		1876	if (options.gss_keyex) {
		1877	kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
		1878	kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
		1879	kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
		1880	}
		1881	#endif
1858	kex->server = 1;	1882	kex->server = 1;
1859	kex->hostkey_type = buffer_get_int(m);	1883	kex->hostkey_type = buffer_get_int(m);
1860	kex->kex_type = buffer_get_int(m);	1884	kex->kex_type = buffer_get_int(m);
@@ -2062,6 +2086,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
2062	OM_uint32 major;	2086	OM_uint32 major;
2063	u_int len;	2087	u_int len;
2064		2088
		2089	if (!options.gss_authentication && !options.gss_keyex)
		2090	fatal("In GSSAPI monitor when GSSAPI is disabled");
		2091
2065	goid.elements = buffer_get_string(m, &len);	2092	goid.elements = buffer_get_string(m, &len);
2066	goid.length = len;	2093	goid.length = len;
2067		2094
@@ -2089,6 +2116,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2089	OM_uint32 flags = 0; /* GSI needs this */	2116	OM_uint32 flags = 0; /* GSI needs this */
2090	u_int len;	2117	u_int len;
2091		2118
		2119	if (!options.gss_authentication && !options.gss_keyex)
		2120	fatal("In GSSAPI monitor when GSSAPI is disabled");
		2121
2092	in.value = buffer_get_string(m, &len);	2122	in.value = buffer_get_string(m, &len);
2093	in.length = len;	2123	in.length = len;
2094	major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);	2124	major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -2106,6 +2136,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2106	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);	2136	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2107	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);	2137	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2108	monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);	2138	monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
		2139	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
2109	}	2140	}
2110	return (0);	2141	return (0);
2111	}	2142	}
@@ -2117,6 +2148,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
2117	OM_uint32 ret;	2148	OM_uint32 ret;
2118	u_int len;	2149	u_int len;
2119		2150
		2151	if (!options.gss_authentication && !options.gss_keyex)
		2152	fatal("In GSSAPI monitor when GSSAPI is disabled");
		2153
2120	gssbuf.value = buffer_get_string(m, &len);	2154	gssbuf.value = buffer_get_string(m, &len);
2121	gssbuf.length = len;	2155	gssbuf.length = len;
2122	mic.value = buffer_get_string(m, &len);	2156	mic.value = buffer_get_string(m, &len);
@@ -2143,7 +2177,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
2143	{	2177	{
2144	int authenticated;	2178	int authenticated;
2145		2179
2146	authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);	2180	if (!options.gss_authentication && !options.gss_keyex)
		2181	fatal("In GSSAPI monitor when GSSAPI is disabled");
		2182
		2183	authenticated = authctxt->valid &&
		2184	ssh_gssapi_userok(authctxt->user, authctxt->pw);
2147		2185
2148	buffer_clear(m);	2186	buffer_clear(m);
2149	buffer_put_int(m, authenticated);	2187	buffer_put_int(m, authenticated);
@@ -2156,6 +2194,74 @@ mm_answer_gss_userok(int sock, Buffer *m)
2156	/* Monitor loop will terminate if authenticated */	2194	/* Monitor loop will terminate if authenticated */
2157	return (authenticated);	2195	return (authenticated);
2158	}	2196	}
		2197
		2198	int
		2199	mm_answer_gss_sign(int socket, Buffer *m)
		2200	{
		2201	gss_buffer_desc data;
		2202	gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
		2203	OM_uint32 major, minor;
		2204	u_int len;
		2205
		2206	if (!options.gss_authentication && !options.gss_keyex)
		2207	fatal("In GSSAPI monitor when GSSAPI is disabled");
		2208
		2209	data.value = buffer_get_string(m, &len);
		2210	data.length = len;
		2211	if (data.length != 20)
		2212	fatal("%s: data length incorrect: %d", __func__,
		2213	(int) data.length);
		2214
		2215	/* Save the session ID on the first time around */
		2216	if (session_id2_len == 0) {
		2217	session_id2_len = data.length;
		2218	session_id2 = xmalloc(session_id2_len);
		2219	memcpy(session_id2, data.value, session_id2_len);
		2220	}
		2221	major = ssh_gssapi_sign(gsscontext, &data, &hash);
		2222
		2223	free(data.value);
		2224
		2225	buffer_clear(m);
		2226	buffer_put_int(m, major);
		2227	buffer_put_string(m, hash.value, hash.length);
		2228
		2229	mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
		2230
		2231	gss_release_buffer(&minor, &hash);
		2232
		2233	/* Turn on getpwnam permissions */
		2234	monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
		2235
		2236	/* And credential updating, for when rekeying */
		2237	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
		2238
		2239	return (0);
		2240	}
		2241
		2242	int
		2243	mm_answer_gss_updatecreds(int socket, Buffer *m) {
		2244	ssh_gssapi_ccache store;
		2245	int ok;
		2246
		2247	store.filename = buffer_get_string(m, NULL);
		2248	store.envvar = buffer_get_string(m, NULL);
		2249	store.envval = buffer_get_string(m, NULL);
		2250
		2251	ok = ssh_gssapi_update_creds(&store);
		2252
		2253	free(store.filename);
		2254	free(store.envvar);
		2255	free(store.envval);
		2256
		2257	buffer_clear(m);
		2258	buffer_put_int(m, ok);
		2259
		2260	mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
		2261
		2262	return(0);
		2263	}
		2264
2159	#endif /* GSSAPI */	2265	#endif /* GSSAPI */
2160		2266
2161	#ifdef JPAKE	2267	#ifdef JPAKE