1 files changed, 128 insertions, 11 deletions
diff --git a/monitor.c b/monitor.c
index 4cf79dfc9..11868952b 100644
--- a/monitor.c
+++ b/monitor.c
@@ -148,6 +148,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *);
 int mm_answer_gss_accept_ctx(struct ssh *, int, struct sshbuf *);
 int mm_answer_gss_userok(struct ssh *, int, struct sshbuf *);
 int mm_answer_gss_checkmic(struct ssh *, int, struct sshbuf *);
+int mm_answer_gss_sign(struct ssh *, int, struct sshbuf *);
+int mm_answer_gss_updatecreds(struct ssh *, int, struct sshbuf *);
 #endif
 #ifdef SSH_AUDIT_EVENTS
@@ -220,11 +222,18 @@ struct mon_table mon_dispatch_proto20[] = {
    {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
    {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok},
    {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
+    {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
 #endif
    {0, 0, NULL}
 };
 struct mon_table mon_dispatch_postauth20[] = {
+#ifdef GSSAPI
+    {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
+    {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
+    {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
+    {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
+#endif
 #ifdef WITH_OPENSSL
    {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
 #endif
@@ -293,6 +302,10 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
        /* Permit requests for moduli and signatures */
        monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
        monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
+#ifdef GSSAPI
+        /* and for the GSSAPI key exchange */
+        monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
        /* The first few requests do not require asynchronous access */
        while (!authenticated) {
@@ -406,6 +419,10 @@ monitor_child_postauth(struct ssh *ssh, struct monitor *pmonitor)
        monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
        monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
        monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef GSSAPI
+        /* and for the GSSAPI key exchange */
+        monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
        if (auth_opts->permit_pty_flag) {
                monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
@@ -1725,6 +1742,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
 # ifdef OPENSSL_HAS_ECC
                kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
 # endif
+# ifdef GSSAPI
+                if (options.gss_keyex) {
+                        kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+                        kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+                        kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server;
+                        kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server;
+                        kex->kex[KEX_GSS_GEX_SHA1] = kexgssgex_server;
+                        kex->kex[KEX_GSS_NISTP256_SHA256] = kexgss_server;
+                        kex->kex[KEX_GSS_C25519_SHA256] = kexgss_server;
+                }
+# endif
 #endif /* WITH_OPENSSL */
                kex->kex[KEX_C25519_SHA256] = kex_gen_server;
                kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server;
@@ -1818,8 +1846,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
        u_char *p;
        int r;
-        if (!options.gss_authentication)
+        if (!options.gss_authentication && !options.gss_keyex)
-                fatal("%s: GSSAPI authentication not enabled", __func__);
+                fatal("%s: GSSAPI not enabled", __func__);
        if ((r = sshbuf_get_string(m, &p, &len)) != 0)
                fatal("%s: buffer error: %s", __func__, ssh_err(r));
@@ -1851,8 +1879,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
        OM_uint32 flags = 0; /* GSI needs this */
        int r;
-        if (!options.gss_authentication)
+        if (!options.gss_authentication && !options.gss_keyex)
-                fatal("%s: GSSAPI authentication not enabled", __func__);
+                fatal("%s: GSSAPI not enabled", __func__);
        if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
                fatal("%s: buffer error: %s", __func__, ssh_err(r));
@@ -1872,6 +1900,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
        }
        return (0);
 }
@@ -1883,8 +1912,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
        OM_uint32 ret;
        int r;
-        if (!options.gss_authentication)
+        if (!options.gss_authentication && !options.gss_keyex)
-                fatal("%s: GSSAPI authentication not enabled", __func__);
+                fatal("%s: GSSAPI not enabled", __func__);
        if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
            (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)
@@ -1910,13 +1939,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
 int
 mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
 {
-        int r, authenticated;
+        int r, authenticated, kex;
        const char *displayname;
-        if (!options.gss_authentication)
+        if (!options.gss_authentication && !options.gss_keyex)
-                fatal("%s: GSSAPI authentication not enabled", __func__);
+                fatal("%s: GSSAPI not enabled", __func__);
-        authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
+        if ((r = sshbuf_get_u32(m, &kex)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+        authenticated = authctxt->valid &&
+            ssh_gssapi_userok(authctxt->user, authctxt->pw, kex);
        sshbuf_reset(m);
        if ((r = sshbuf_put_u32(m, authenticated)) != 0)
@@ -1925,7 +1958,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
        debug3("%s: sending result %d", __func__, authenticated);
        mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
-        auth_method = "gssapi-with-mic";
+        if (kex) {
+                auth_method = "gssapi-keyex";
+        } else {
+                auth_method = "gssapi-with-mic";
+        }
        if ((displayname = ssh_gssapi_displayname()) != NULL)
                auth2_record_info(authctxt, "%s", displayname);
@@ -1933,5 +1970,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
        /* Monitor loop will terminate if authenticated */
        return (authenticated);
 }
+int
+mm_answer_gss_sign(struct ssh *ssh, int socket, struct sshbuf *m)
+{
+        gss_buffer_desc data;
+        gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
+        OM_uint32 major, minor;
+        size_t len;
+        u_char *p = NULL;
+        int r;
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("%s: GSSAPI not enabled", __func__);
+        if ((r = sshbuf_get_string(m, &p, &len)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+        data.value = p;
+        data.length = len;
+        /* Lengths of SHA-1, SHA-256 and SHA-512 hashes that are used */
+        if (data.length != 20 && data.length != 32 && data.length != 64)
+                fatal("%s: data length incorrect: %d", __func__,
+                    (int) data.length);
+        /* Save the session ID on the first time around */
+        if (session_id2_len == 0) {
+                session_id2_len = data.length;
+                session_id2 = xmalloc(session_id2_len);
+                memcpy(session_id2, data.value, session_id2_len);
+        }
+        major = ssh_gssapi_sign(gsscontext, &data, &hash);
+        free(data.value);
+        sshbuf_reset(m);
+        if ((r = sshbuf_put_u32(m, major)) != 0 ||
+            (r = sshbuf_put_string(m, hash.value, hash.length)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+        mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
+        gss_release_buffer(&minor, &hash);
+        /* Turn on getpwnam permissions */
+        monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
+        /* And credential updating, for when rekeying */
+        monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
+        return (0);
+}
+int
+mm_answer_gss_updatecreds(struct ssh *ssh, int socket, struct sshbuf *m) {
+        ssh_gssapi_ccache store;
+        int r, ok;
+        if (!options.gss_authentication && !options.gss_keyex)
+                fatal("%s: GSSAPI not enabled", __func__);
+        if ((r = sshbuf_get_string(m, (u_char **)&store.filename, NULL)) != 0 ||
+            (r = sshbuf_get_string(m, (u_char **)&store.envvar, NULL)) != 0 ||
+            (r = sshbuf_get_string(m, (u_char **)&store.envval, NULL)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+        ok = ssh_gssapi_update_creds(&store);
+        free(store.filename);
+        free(store.envvar);
+        free(store.envval);
+        sshbuf_reset(m);
+        if ((r = sshbuf_put_u32(m, ok)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+        mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
+        return(0);
+}
 #endif /* GSSAPI */

diff --git a/monitor.c b/monitor.c index 4cf79dfc9..11868952b 100644 --- a/monitor.c +++ b/monitor.c
@@ -148,6 +148,8 @@ int mm_answer_gss_setup_ctx(struct ssh , int, struct sshbuf );
148	int mm_answer_gss_accept_ctx(struct ssh , int, struct sshbuf );	148	int mm_answer_gss_accept_ctx(struct ssh , int, struct sshbuf );
149	int mm_answer_gss_userok(struct ssh , int, struct sshbuf );	149	int mm_answer_gss_userok(struct ssh , int, struct sshbuf );
150	int mm_answer_gss_checkmic(struct ssh , int, struct sshbuf );	150	int mm_answer_gss_checkmic(struct ssh , int, struct sshbuf );
		151	int mm_answer_gss_sign(struct ssh , int, struct sshbuf );
		152	int mm_answer_gss_updatecreds(struct ssh , int, struct sshbuf );
151	#endif	153	#endif
152		154
153	#ifdef SSH_AUDIT_EVENTS	155	#ifdef SSH_AUDIT_EVENTS
@@ -220,11 +222,18 @@ struct mon_table mon_dispatch_proto20[] = {
220	{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},	222	{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
221	{MONITOR_REQ_GSSUSEROK, MON_ONCE\|MON_AUTHDECIDE, mm_answer_gss_userok},	223	{MONITOR_REQ_GSSUSEROK, MON_ONCE\|MON_AUTHDECIDE, mm_answer_gss_userok},
222	{MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},	224	{MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
		225	{MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
223	#endif	226	#endif
224	{0, 0, NULL}	227	{0, 0, NULL}
225	};	228	};
226		229
227	struct mon_table mon_dispatch_postauth20[] = {	230	struct mon_table mon_dispatch_postauth20[] = {
		231	#ifdef GSSAPI
		232	{MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
		233	{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
		234	{MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
		235	{MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
		236	#endif
228	#ifdef WITH_OPENSSL	237	#ifdef WITH_OPENSSL
229	{MONITOR_REQ_MODULI, 0, mm_answer_moduli},	238	{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
230	#endif	239	#endif
@@ -293,6 +302,10 @@ monitor_child_preauth(struct ssh ssh, struct monitor pmonitor)
293	/* Permit requests for moduli and signatures */	302	/* Permit requests for moduli and signatures */
294	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);	303	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
295	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);	304	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
		305	#ifdef GSSAPI
		306	/* and for the GSSAPI key exchange */
		307	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
		308	#endif
296		309
297	/* The first few requests do not require asynchronous access */	310	/* The first few requests do not require asynchronous access */
298	while (!authenticated) {	311	while (!authenticated) {
@@ -406,6 +419,10 @@ monitor_child_postauth(struct ssh ssh, struct monitor pmonitor)
406	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);	419	monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
407	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);	420	monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
408	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);	421	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
		422	#ifdef GSSAPI
		423	/* and for the GSSAPI key exchange */
		424	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
		425	#endif
409		426
410	if (auth_opts->permit_pty_flag) {	427	if (auth_opts->permit_pty_flag) {
411	monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);	428	monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
@@ -1725,6 +1742,17 @@ monitor_apply_keystate(struct ssh ssh, struct monitor pmonitor)
1725	# ifdef OPENSSL_HAS_ECC	1742	# ifdef OPENSSL_HAS_ECC
1726	kex->kex[KEX_ECDH_SHA2] = kex_gen_server;	1743	kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
1727	# endif	1744	# endif
		1745	# ifdef GSSAPI
		1746	if (options.gss_keyex) {
		1747	kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
		1748	kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
		1749	kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server;
		1750	kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server;
		1751	kex->kex[KEX_GSS_GEX_SHA1] = kexgssgex_server;
		1752	kex->kex[KEX_GSS_NISTP256_SHA256] = kexgss_server;
		1753	kex->kex[KEX_GSS_C25519_SHA256] = kexgss_server;
		1754	}
		1755	# endif
1728	#endif /* WITH_OPENSSL */	1756	#endif /* WITH_OPENSSL */
1729	kex->kex[KEX_C25519_SHA256] = kex_gen_server;	1757	kex->kex[KEX_C25519_SHA256] = kex_gen_server;
1730	kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server;	1758	kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server;
@@ -1818,8 +1846,8 @@ mm_answer_gss_setup_ctx(struct ssh ssh, int sock, struct sshbuf m)
1818	u_char *p;	1846	u_char *p;
1819	int r;	1847	int r;
1820		1848
1821	if (!options.gss_authentication)	1849	if (!options.gss_authentication && !options.gss_keyex)
1822	fatal("%s: GSSAPI authentication not enabled", __func__);	1850	fatal("%s: GSSAPI not enabled", __func__);
1823		1851
1824	if ((r = sshbuf_get_string(m, &p, &len)) != 0)	1852	if ((r = sshbuf_get_string(m, &p, &len)) != 0)
1825	fatal("%s: buffer error: %s", __func__, ssh_err(r));	1853	fatal("%s: buffer error: %s", __func__, ssh_err(r));
@@ -1851,8 +1879,8 @@ mm_answer_gss_accept_ctx(struct ssh ssh, int sock, struct sshbuf m)
1851	OM_uint32 flags = 0; /* GSI needs this */	1879	OM_uint32 flags = 0; /* GSI needs this */
1852	int r;	1880	int r;
1853		1881
1854	if (!options.gss_authentication)	1882	if (!options.gss_authentication && !options.gss_keyex)
1855	fatal("%s: GSSAPI authentication not enabled", __func__);	1883	fatal("%s: GSSAPI not enabled", __func__);
1856		1884
1857	if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)	1885	if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
1858	fatal("%s: buffer error: %s", __func__, ssh_err(r));	1886	fatal("%s: buffer error: %s", __func__, ssh_err(r));
@@ -1872,6 +1900,7 @@ mm_answer_gss_accept_ctx(struct ssh ssh, int sock, struct sshbuf m)
1872	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);	1900	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
1873	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);	1901	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
1874	monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);	1902	monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
		1903	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
1875	}	1904	}
1876	return (0);	1905	return (0);
1877	}	1906	}
@@ -1883,8 +1912,8 @@ mm_answer_gss_checkmic(struct ssh ssh, int sock, struct sshbuf m)
1883	OM_uint32 ret;	1912	OM_uint32 ret;
1884	int r;	1913	int r;
1885		1914
1886	if (!options.gss_authentication)	1915	if (!options.gss_authentication && !options.gss_keyex)
1887	fatal("%s: GSSAPI authentication not enabled", __func__);	1916	fatal("%s: GSSAPI not enabled", __func__);
1888		1917
1889	if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 \|\|	1918	if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 \|\|
1890	(r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)	1919	(r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)
@@ -1910,13 +1939,17 @@ mm_answer_gss_checkmic(struct ssh ssh, int sock, struct sshbuf m)
1910	int	1939	int
1911	mm_answer_gss_userok(struct ssh ssh, int sock, struct sshbuf m)	1940	mm_answer_gss_userok(struct ssh ssh, int sock, struct sshbuf m)
1912	{	1941	{
1913	int r, authenticated;	1942	int r, authenticated, kex;
1914	const char *displayname;	1943	const char *displayname;
1915		1944
1916	if (!options.gss_authentication)	1945	if (!options.gss_authentication && !options.gss_keyex)
1917	fatal("%s: GSSAPI authentication not enabled", __func__);	1946	fatal("%s: GSSAPI not enabled", __func__);
1918		1947
1919	authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);	1948	if ((r = sshbuf_get_u32(m, &kex)) != 0)
		1949	fatal("%s: buffer error: %s", __func__, ssh_err(r));
		1950
		1951	authenticated = authctxt->valid &&
		1952	ssh_gssapi_userok(authctxt->user, authctxt->pw, kex);
1920		1953
1921	sshbuf_reset(m);	1954	sshbuf_reset(m);
1922	if ((r = sshbuf_put_u32(m, authenticated)) != 0)	1955	if ((r = sshbuf_put_u32(m, authenticated)) != 0)
@@ -1925,7 +1958,11 @@ mm_answer_gss_userok(struct ssh ssh, int sock, struct sshbuf m)
1925	debug3("%s: sending result %d", __func__, authenticated);	1958	debug3("%s: sending result %d", __func__, authenticated);
1926	mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);	1959	mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
1927		1960
1928	auth_method = "gssapi-with-mic";	1961	if (kex) {
		1962	auth_method = "gssapi-keyex";
		1963	} else {
		1964	auth_method = "gssapi-with-mic";
		1965	}
1929		1966
1930	if ((displayname = ssh_gssapi_displayname()) != NULL)	1967	if ((displayname = ssh_gssapi_displayname()) != NULL)
1931	auth2_record_info(authctxt, "%s", displayname);	1968	auth2_record_info(authctxt, "%s", displayname);
@@ -1933,5 +1970,85 @@ mm_answer_gss_userok(struct ssh ssh, int sock, struct sshbuf m)
1933	/* Monitor loop will terminate if authenticated */	1970	/* Monitor loop will terminate if authenticated */
1934	return (authenticated);	1971	return (authenticated);
1935	}	1972	}
		1973
		1974	int
		1975	mm_answer_gss_sign(struct ssh ssh, int socket, struct sshbuf m)
		1976	{
		1977	gss_buffer_desc data;
		1978	gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
		1979	OM_uint32 major, minor;
		1980	size_t len;
		1981	u_char *p = NULL;
		1982	int r;
		1983
		1984	if (!options.gss_authentication && !options.gss_keyex)
		1985	fatal("%s: GSSAPI not enabled", __func__);
		1986
		1987	if ((r = sshbuf_get_string(m, &p, &len)) != 0)
		1988	fatal("%s: buffer error: %s", __func__, ssh_err(r));
		1989	data.value = p;
		1990	data.length = len;
		1991	/* Lengths of SHA-1, SHA-256 and SHA-512 hashes that are used */
		1992	if (data.length != 20 && data.length != 32 && data.length != 64)
		1993	fatal("%s: data length incorrect: %d", __func__,
		1994	(int) data.length);
		1995
		1996	/* Save the session ID on the first time around */
		1997	if (session_id2_len == 0) {
		1998	session_id2_len = data.length;
		1999	session_id2 = xmalloc(session_id2_len);
		2000	memcpy(session_id2, data.value, session_id2_len);
		2001	}
		2002	major = ssh_gssapi_sign(gsscontext, &data, &hash);
		2003
		2004	free(data.value);
		2005
		2006	sshbuf_reset(m);
		2007
		2008	if ((r = sshbuf_put_u32(m, major)) != 0 \|\|
		2009	(r = sshbuf_put_string(m, hash.value, hash.length)) != 0)
		2010	fatal("%s: buffer error: %s", __func__, ssh_err(r));
		2011
		2012	mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
		2013
		2014	gss_release_buffer(&minor, &hash);
		2015
		2016	/* Turn on getpwnam permissions */
		2017	monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
		2018
		2019	/* And credential updating, for when rekeying */
		2020	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
		2021
		2022	return (0);
		2023	}
		2024
		2025	int
		2026	mm_answer_gss_updatecreds(struct ssh ssh, int socket, struct sshbuf m) {
		2027	ssh_gssapi_ccache store;
		2028	int r, ok;
		2029
		2030	if (!options.gss_authentication && !options.gss_keyex)
		2031	fatal("%s: GSSAPI not enabled", __func__);
		2032
		2033	if ((r = sshbuf_get_string(m, (u_char **)&store.filename, NULL)) != 0 \|\|
		2034	(r = sshbuf_get_string(m, (u_char **)&store.envvar, NULL)) != 0 \|\|
		2035	(r = sshbuf_get_string(m, (u_char **)&store.envval, NULL)) != 0)
		2036	fatal("%s: buffer error: %s", __func__, ssh_err(r));
		2037
		2038	ok = ssh_gssapi_update_creds(&store);
		2039
		2040	free(store.filename);
		2041	free(store.envvar);
		2042	free(store.envval);
		2043
		2044	sshbuf_reset(m);
		2045	if ((r = sshbuf_put_u32(m, ok)) != 0)
		2046	fatal("%s: buffer error: %s", __func__, ssh_err(r));
		2047
		2048	mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
		2049
		2050	return(0);
		2051	}
		2052
1936	#endif /* GSSAPI */	2053	#endif /* GSSAPI */
1937		2054