#

# GSS-API key exchange support

#

# Based on https://github.com/SimonWilkinson/gss-openssh/commit/ffae842

# Updated to apply to OpenSSH 6.5.

# Default value for GSSAPIKeyExchange changed to yes to match SunSSH behavior.

# New files kexgssc.c and kexgsss.c moved to ../sources/ and made cstyle clean.

#

# Upstream rejected GSS-API key exchange several times before.

#

diff -pur old/Makefile.in new/Makefile.in

--- old/Makefile.in

+++ new/Makefile.in

@@ -87,6 +87,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \

 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \

 	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \

 	sftp_provider.o \

+	kexgssc.o \

 	ssh-pkcs11.o smult_curve25519_ref.o \

 	poly1305.o chacha.o cipher-chachapoly.o \

 	ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \

@@ -107,7 +108,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw

 	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \

 	auth2-none.o auth2-passwd.o auth2-pubkey.o \

 	monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \

-	auth2-gss.o gss-serv.o gss-serv-krb5.o \

+	auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \

 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \

 	sftp-server.o sftp-common.o sftp_provider.o \

 	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \

diff -pur old/auth2-gss.c new/auth2-gss.c

--- old/auth2-gss.c

+++ new/auth2-gss.c

@@ -1,7 +1,7 @@

 /* $OpenBSD: auth2-gss.c,v 1.22 2015/01/19 20:07:45 markus Exp $ */

 /*

- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.

+ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.

  *

  * Redistribution and use in source and binary forms, with or without

  * modification, are permitted provided that the following conditions

@@ -53,6 +53,39 @@ static int input_gssapi_mic(int type, u_

 static int input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);

 static int input_gssapi_errtok(int, u_int32_t, void *);

+/* 

+ * The 'gssapi_keyex' userauth mechanism.

+ */

+static int

+userauth_gsskeyex(Authctxt *authctxt)

+{

+	int authenticated = 0;

+	Buffer b;

+	gss_buffer_desc mic, gssbuf;

+	u_int len;

+

+	mic.value = packet_get_string(&len);

+	mic.length = len;

+

+	packet_check_eom();

+

+	ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,

+	    "gssapi-keyex");

+

+	gssbuf.value = buffer_ptr(&b);

+	gssbuf.length = buffer_len(&b);

+

+	/* gss_kex_context is NULL with privsep, so we can't check it here */

+	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, 

+	    &gssbuf, &mic))))

+		authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));

+	

+	buffer_free(&b);

+	free(mic.value);

+

+	return (authenticated);

+}

+

 /*

  * We only support those mechanisms that we know about (ie ones that we know

  * how to check local user kuserok and the like)

@@ -290,6 +323,12 @@ input_gssapi_mic(int type, u_int32_t ple

 	return 0;

 }

+Authmethod method_gsskeyex = {

+	"gssapi-keyex",

+	userauth_gsskeyex,

+	&options.gss_authentication

+};

+

 Authmethod method_gssapi = {

 	"gssapi-with-mic",

 	userauth_gssapi,

diff -pur old/auth2.c new/auth2.c

--- old/auth2.c

+++ new/auth2.c

@@ -70,6 +70,7 @@ extern Authmethod method_passwd;

 extern Authmethod method_kbdint;

 extern Authmethod method_hostbased;

 #ifdef GSSAPI

+extern Authmethod method_gsskeyex;

 extern Authmethod method_gssapi;

 #endif

@@ -77,6 +78,7 @@ Authmethod *authmethods[] = {

 	&method_none,

 	&method_pubkey,

 #ifdef GSSAPI

+	&method_gsskeyex,

 	&method_gssapi,

 #endif

 	&method_passwd,

diff -pur old/gss-genr.c new/gss-genr.c

--- old/gss-genr.c

+++ new/gss-genr.c

@@ -1,7 +1,7 @@

 /* $OpenBSD: gss-genr.c,v 1.23 2015/01/20 23:14:00 deraadt Exp $ */

 /*

- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.

+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.

  *

  * Redistribution and use in source and binary forms, with or without

  * modification, are permitted provided that the following conditions

@@ -41,12 +41,167 @@

 #include "buffer.h"

 #include "log.h"

 #include "ssh2.h"

+#include "cipher.h"

+#include "key.h"

+#include "kex.h"

+#include <openssl/evp.h>

 #include "ssh-gss.h"

 extern u_char *session_id2;

 extern u_int session_id2_len;

+typedef struct {

+	char *encoded;

+	gss_OID oid;

+} ssh_gss_kex_mapping;

+

+/*

+ * XXX - It would be nice to find a more elegant way of handling the

+ * XXX   passing of the key exchange context to the userauth routines

+ */

+

+Gssctxt *gss_kex_context = NULL;

+

+static ssh_gss_kex_mapping *gss_enc2oid = NULL;

+

+int 

+ssh_gssapi_oid_table_ok() {

+	return (gss_enc2oid != NULL);

+}

+

+/*

+ * Return a list of the gss-group1-sha1 mechanisms supported by this program

+ *

+ * We test mechanisms to ensure that we can use them, to avoid starting

+ * a key exchange with a bad mechanism

+ */

+

+char *

+ssh_gssapi_client_mechanisms(const char *host) {

+	gss_OID_set gss_supported;

+	OM_uint32 min_status;

+

+	if (GSS_ERROR(gss_indicate_mechs(&min_status, &gss_supported)))

+		return NULL;

+

+	return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,

+	    host));

+}

+

+char *

+ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,

+    const char *data) {

+	Buffer buf;

+	size_t i;

+	int oidpos, enclen;

+	char *mechs, *encoded;

+	u_char digest[EVP_MAX_MD_SIZE];

+	char deroid[2];

+	const EVP_MD *evp_md = EVP_md5();

+	EVP_MD_CTX md;

+

+	if (gss_enc2oid != NULL) {

+		for (i = 0; gss_enc2oid[i].encoded != NULL; i++)

+			free(gss_enc2oid[i].encoded);

+		free(gss_enc2oid);

+	}

+

+	gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) *

+	    (gss_supported->count + 1));

+

+	buffer_init(&buf);

+

+	oidpos = 0;

+	for (i = 0; i < gss_supported->count; i++) {

+		if (gss_supported->elements[i].length < 128 &&

+		    (*check)(NULL, &(gss_supported->elements[i]), data)) {

+

+			deroid[0] = SSH_GSS_OIDTYPE;

+			deroid[1] = gss_supported->elements[i].length;

+

+			EVP_DigestInit(&md, evp_md);

+			EVP_DigestUpdate(&md, deroid, 2);

+			EVP_DigestUpdate(&md,

+			    gss_supported->elements[i].elements,

+			    gss_supported->elements[i].length);

+			EVP_DigestFinal(&md, digest, NULL);

+

+			encoded = xmalloc(EVP_MD_size(evp_md) * 2);

+			enclen = __b64_ntop(digest, EVP_MD_size(evp_md),

+			    encoded, EVP_MD_size(evp_md) * 2);

+

+			if (oidpos != 0)

+				buffer_put_char(&buf, ',');

+

+			buffer_append(&buf, KEX_GSS_GEX_SHA1_ID,

+			    sizeof(KEX_GSS_GEX_SHA1_ID) - 1);

+			buffer_append(&buf, encoded, enclen);

+			buffer_put_char(&buf, ',');

+			buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID, 

+			    sizeof(KEX_GSS_GRP1_SHA1_ID) - 1);

+			buffer_append(&buf, encoded, enclen);

+			buffer_put_char(&buf, ',');

+			buffer_append(&buf, KEX_GSS_GRP14_SHA1_ID,

+			    sizeof(KEX_GSS_GRP14_SHA1_ID) - 1);

+			buffer_append(&buf, encoded, enclen);

+

+			gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);

+			gss_enc2oid[oidpos].encoded = encoded;

+			oidpos++;

+		}

+	}

+	gss_enc2oid[oidpos].oid = NULL;

+	gss_enc2oid[oidpos].encoded = NULL;

+

+	buffer_put_char(&buf, '\0');

+

+	mechs = xmalloc(buffer_len(&buf));

+	buffer_get(&buf, mechs, buffer_len(&buf));

+	buffer_free(&buf);

+

+	if (strlen(mechs) == 0) {

+		free(mechs);

+		mechs = NULL;

+	}

+	

+	return (mechs);

+}

+

+gss_OID

+ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int kex_type) {

+	int i = 0;

+	

+	switch (kex_type) {

+	case KEX_GSS_GRP1_SHA1:

+		if (strlen(name) < sizeof(KEX_GSS_GRP1_SHA1_ID))

+			return GSS_C_NO_OID;

+		name += sizeof(KEX_GSS_GRP1_SHA1_ID) - 1;

+		break;

+	case KEX_GSS_GRP14_SHA1:

+		if (strlen(name) < sizeof(KEX_GSS_GRP14_SHA1_ID))

+			return GSS_C_NO_OID;

+		name += sizeof(KEX_GSS_GRP14_SHA1_ID) - 1;

+		break;

+	case KEX_GSS_GEX_SHA1:

+		if (strlen(name) < sizeof(KEX_GSS_GEX_SHA1_ID))

+			return GSS_C_NO_OID;

+		name += sizeof(KEX_GSS_GEX_SHA1_ID) - 1;

+		break;

+	default:

+		return GSS_C_NO_OID;

+	}

+