#

# GSS-API key exchange support

#

# Based on https://github.com/SimonWilkinson/gss-openssh/commit/ffae842

# Updated to apply to OpenSSH 6.5.

# Default value for GSSAPIKeyExchange changed to yes to match SunSSH behavior.

# New files kexgssc.c and kexgsss.c moved to ../sources/ and made cstyle clean.

#

# Upstream rejected GSS-API key exchange several times before.

#

diff -pur old/Makefile.in new/Makefile.in

--- old/Makefile.in	2015-12-10 14:51:47.781146370 -0800

+++ new/Makefile.in	2015-12-10 14:48:21.907121340 -0800

@@ -85,6 +85,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \

 	atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o \

 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \

 	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \

+	kexgssc.o \

 	ssh-pkcs11.o smult_curve25519_ref.o \

 	poly1305.o chacha.o cipher-chachapoly.o \

 	ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \

@@ -105,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw

 	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \

 	auth2-none.o auth2-passwd.o auth2-pubkey.o \

 	monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \

-	auth2-gss.o gss-serv.o gss-serv-krb5.o \

+	auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \

 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \

 	sftp-server.o sftp-common.o \

 	roaming_common.o roaming_serv.o \

diff -pur old/auth2-gss.c new/auth2-gss.c

--- old/auth2-gss.c

+++ new/auth2-gss.c

@@ -1,7 +1,7 @@

 /* $OpenBSD: auth2-gss.c,v 1.22 2015/01/19 20:07:45 markus Exp $ */

 /*

- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.

+ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.

  *

  * Redistribution and use in source and binary forms, with or without

  * modification, are permitted provided that the following conditions

@@ -53,6 +53,39 @@ static int input_gssapi_mic(int type, u_

 static int input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);

 static int input_gssapi_errtok(int, u_int32_t, void *);

+/* 

+ * The 'gssapi_keyex' userauth mechanism.

+ */

+static int

+userauth_gsskeyex(Authctxt *authctxt)

+{

+	int authenticated = 0;

+	Buffer b;

+	gss_buffer_desc mic, gssbuf;

+	u_int len;

+

+	mic.value = packet_get_string(&len);

+	mic.length = len;

+

+	packet_check_eom();

+

+	ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,

+	    "gssapi-keyex");

+

+	gssbuf.value = buffer_ptr(&b);

+	gssbuf.length = buffer_len(&b);

+

+	/* gss_kex_context is NULL with privsep, so we can't check it here */

+	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, 

+	    &gssbuf, &mic))))

+		authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));

+	

+	buffer_free(&b);

+	free(mic.value);

+

+	return (authenticated);

+}

+

 /*

  * We only support those mechanisms that we know about (ie ones that we know

  * how to check local user kuserok and the like)

@@ -290,6 +323,12 @@ input_gssapi_mic(int type, u_int32_t ple

 	return 0;

 }

+Authmethod method_gsskeyex = {

+	"gssapi-keyex",

+	userauth_gsskeyex,

+	&options.gss_authentication

+};

+

 Authmethod method_gssapi = {

 	"gssapi-with-mic",

 	userauth_gssapi,

diff -pur old/auth2.c new/auth2.c

--- old/auth2.c

+++ new/auth2.c

@@ -70,6 +70,7 @@ extern Authmethod method_passwd;

 extern Authmethod method_kbdint;

 extern Authmethod method_hostbased;

 #ifdef GSSAPI

+extern Authmethod method_gsskeyex;

 extern Authmethod method_gssapi;

 #endif

@@ -77,6 +78,7 @@ Authmethod *authmethods[] = {

 	&method_none,

 	&method_pubkey,

 #ifdef GSSAPI

+	&method_gsskeyex,

 	&method_gssapi,

 #endif

 	&method_passwd,

diff -pur old/configure new/configure

--- old/configure

+++ new/configure

@@ -10944,8 +10944,10 @@ fi

 fi

-        $as_echo "#define USE_GSS_STORE_CRED 1" >>confdefs.h

-        $as_echo "#define GSSAPI_STORECREDS_NEEDS_RUID 1" >>confdefs.h

+cat >>confdefs.h <<\_ACEOF

+#define	USE_GSS_STORE_CRED 1

+#define	GSSAPI_STORECREDS_NEEDS_RUID 1

+_ACEOF

 	TEST_SHELL=$SHELL	# let configure find us a capable shell

 	;;

diff -pur old/gss-genr.c new/gss-genr.c

--- old/gss-genr.c

+++ new/gss-genr.c

@@ -1,7 +1,7 @@

 /* $OpenBSD: gss-genr.c,v 1.23 2015/01/20 23:14:00 deraadt Exp $ */

 /*

- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.

+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.

  *

  * Redistribution and use in source and binary forms, with or without

  * modification, are permitted provided that the following conditions

@@ -41,12 +41,167 @@

 #include "buffer.h"

 #include "log.h"

 #include "ssh2.h"

+#include "cipher.h"

+#include "key.h"

+#include "kex.h"

+#include <openssl/evp.h>

 #include "ssh-gss.h"

 extern u_char *session_id2;

 extern u_int session_id2_len;

+typedef struct {

+	char *encoded;

+	gss_OID oid;

+} ssh_gss_kex_mapping;

+

+/*

+ * XXX - It would be nice to find a more elegant way of handling the

+ * XXX   passing of the key exchange context to the userauth routines

+ */

+

+Gssctxt *gss_kex_context = NULL;

+

+static ssh_gss_kex_mapping *gss_enc2oid = NULL;

+

+int 

+ssh_gssapi_oid_table_ok() {

+	return (gss_enc2oid != NULL);

+}

+

+/*

+ * Return a list of the gss-group1-sha1 mechanisms supported by this program

+ *

+ * We test mechanisms to ensure that we can use them, to avoid starting

+ * a key exchange with a bad mechanism

+ */

+

+char *

+ssh_gssapi_client_mechanisms(const char *host) {

+	gss_OID_set gss_supported;

+	OM_uint32 min_status;

+

+	if (GSS_ERROR(gss_indicate_mechs(&min_status, &gss_supported)))

+		return NULL;

+

+	return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,

+	    host));

+}

+

+char *

+ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,

+    const char *data) {

+	Buffer buf;

+	size_t i;

+	int oidpos, enclen;

+	char *mechs, *encoded;

+	u_char digest[EVP_MAX_MD_SIZE];

+	char deroid[2];

+	const EVP_MD *evp_md = EVP_md5();

+	EVP_MD_CTX md;

+

+	if (gss_enc2oid != NULL) {

+		for (i = 0; gss_enc2oid[i].encoded != NULL; i++)

+			free(gss_enc2oid[i].encoded);

+		free(gss_enc2oid);

+	}

+

+	gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) *

+	    (gss_supported->count + 1));

+

+	buffer_init(&buf);

+

+	oidpos = 0;

+	for (i = 0; i < gss_supported->count; i++) {

+		if (gss_supported->elements[i].length < 128 &&

+		    (*check)(NULL, &(gss_supported->elements[i]), data)) {

+

+			deroid[0] = SSH_GSS_OIDTYPE;

+			deroid[1] = gss_supported->elements[i].length;

+

+			EVP_DigestInit(&md, evp_md);

+			EVP_DigestUpdate(&md, deroid, 2);

+			EVP_DigestUpdate(&md,

+			    gss_supported->elements[i].elements,

+			    gss_supported->elements[i].length);

+			EVP_DigestFinal(&md, digest, NULL);

+

+			encoded = xmalloc(EVP_MD_size(evp_md) * 2);

+			enclen = __b64_ntop(digest, EVP_MD_size(evp_md),

+			    encoded, EVP_MD_size(evp_md) * 2);

+

+			if (oidpos != 0)

+				buffer_put_char(&buf, ',');

+

+			buffer_append(&buf, KEX_GSS_GEX_SHA1_ID,

+			    sizeof(KEX_GSS_GEX_SHA1_ID) - 1);

+			buffer_append(&buf, encoded, enclen);

+			buffer_put_char(&buf, ',');

+			buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID, 

+			    sizeof(KEX_GSS_GRP1_SHA1_ID) - 1);

+			buffer_append(&buf, encoded, enclen);

+			buffer_put_char(&buf, ',');

+			buffer_append(&buf, KEX_GSS_GRP14_SHA1_ID,

+			    sizeof(KEX_GSS_GRP14_SHA1_ID) - 1);

+			buffer_append(&buf, encoded, enclen);

+

+			gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);

+			gss_enc2oid[oidpos].encoded = encoded;

+			oidpos++;

+		}

+	}

+	gss_enc2oid[oidpos].oid = NULL;

+	gss_enc2oid[oidpos].encoded = NULL;

+

+	buffer_put_char(&buf, '\0');

+

+	mechs = xmalloc(buffer_len(&buf));

+	buffer_get(&buf, mechs, buffer_len(&buf));

+	buffer_free(&buf);

+

+	if (strlen(mechs) == 0) {

+		free(mechs);

+		mechs = NULL;

+	}

+	

+	return (mechs);

+}

+

+gss_OID

+ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int kex_type) {

+	int i = 0;

+	

+	switch (kex_type) {

+	case KEX_GSS_GRP1_SHA1:

+		if (strlen(name) < sizeof(KEX_GSS_GRP1_SHA1_ID))

+			return GSS_C_NO_OID;

+		name += sizeof(KEX_GSS_GRP1_SHA1_ID) - 1;

+		break;

+	case KEX_GSS_GRP14_SHA1:

+		if (strlen(name) < sizeof(KEX_GSS_GRP14_SHA1_ID))

+			return GSS_C_NO_OID;

+		name += sizeof(KEX_GSS_GRP14_SHA1_ID) - 1;

+		break;

+	case KEX_GSS_GEX_SHA1:

+		if (strlen(name) < sizeof(KEX_GSS_GEX_SHA1_ID))

+			return GSS_C_NO_OID;

+		name += sizeof(KEX_GSS_GEX_SHA1_ID) - 1;

+		break;

+	default:

+		return GSS_C_NO_OID;

+	}

+

+	while (gss_enc2oid[i].encoded != NULL &&

+	    strcmp(name, gss_enc2oid[i].encoded) != 0)

+		i++;

+

+	if (gss_enc2oid[i].oid != NULL && ctx != NULL)

+		ssh_gssapi_set_oid(ctx, gss_enc2oid[i].oid);

+

+	return gss_enc2oid[i].oid;

+}

+

 /* Check that the OID in a data stream matches that in the context */

 int

 ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)

@@ -231,6 +386,9 @@ ssh_gssapi_import_name(Gssctxt *ctx, con

 OM_uint32

 ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)

 {

+	if (ctx == NULL) 

+		return -1;

+

 	if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,

 	    GSS_C_QOP_DEFAULT, buffer, hash)))

 		ssh_gssapi_error(ctx);

@@ -238,6 +396,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer

 	return (ctx->major);

 }

+/* Priviledged when used by server */

+OM_uint32

+ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)

+{

+	if (ctx == NULL)

+		return -1;

+

+	ctx->major = gss_verify_mic(&ctx->minor, ctx->context,

+	    gssbuf, gssmic, NULL);

+

+	return (ctx->major);

+}

+

 void

 ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,

     const char *context)

@@ -256,6 +427,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx

 	gss_buffer_desc token = GSS_C_EMPTY_BUFFER;

 	OM_uint32 major, minor;

 	gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};

+	Gssctxt *intctx = NULL;

+

+	if (ctx == NULL)

+		ctx = &intctx;

 	/* RFC 4462 says we MUST NOT do SPNEGO */

 	if (oid->length == spnego_oid.length && 

@@ -274,7 +449,7 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx

 			    GSS_C_NO_BUFFER);

 	}

-	if (GSS_ERROR(major)) 

+	if (GSS_ERROR(major) || intctx != NULL) 

 		ssh_gssapi_delete_ctx(ctx);

 	return (!GSS_ERROR(major));

diff -pur old/gss-serv.c new/gss-serv.c

--- old/gss-serv.c

+++ new/gss-serv.c

@@ -1,7 +1,7 @@

 /* $OpenBSD: gss-serv.c,v 1.29 2015/05/22 03:50:02 djm Exp $ */

 /*

- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.

+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.

  *

  * Redistribution and use in source and binary forms, with or without

  * modification, are permitted provided that the following conditions

@@ -47,6 +47,7 @@

 #include "servconf.h"

 #include "ssh-gss.h"

+#include "monitor_wrap.h"

 extern ServerOptions options;

@@ -142,6 +143,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss

 }

 /* Unprivileged */

+char *

+ssh_gssapi_server_mechanisms() {

+	gss_OID_set	supported;

+

+	ssh_gssapi_supported_oids(&supported);

+	return (ssh_gssapi_kex_mechs(supported, &ssh_gssapi_server_check_mech,

+	    NULL));

+}

+

+/* Unprivileged */

+int

+ssh_gssapi_server_check_mech(Gssctxt **dum, gss_OID oid, const char *data) {

+	Gssctxt *ctx = NULL;

+	int res;

+ 

+	res = !GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctx, oid)));

+	ssh_gssapi_delete_ctx(&ctx);

+

+	return (res);

+}

+

+/* Unprivileged */

 void

 ssh_gssapi_supported_oids(gss_OID_set *oidset)

 {

@@ -151,7 +174,9 @@ ssh_gssapi_supported_oids(gss_OID_set *o

 	gss_OID_set supported;

 	gss_create_empty_oid_set(&min_status, oidset);

-	gss_indicate_mechs(&min_status, &supported);

+

+	if (GSS_ERROR(gss_indicate_mechs(&min_status, &supported)))

+		return;

 	while (supported_mechs[i]->name != NULL) {

 		if (GSS_ERROR(gss_test_oid_set_member(&min_status,

@@ -427,14 +452,4 @@ ssh_gssapi_userok(char *user)

 	return (0);

 }

-/* Privileged */

-OM_uint32

-ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)

-{

-	ctx->major = gss_verify_mic(&ctx->minor, ctx->context,

-	    gssbuf, gssmic, NULL);

-

-	return (ctx->major);

-}

-

 #endif

diff -pur old/kex.c new/kex.c

--- old/kex.c

+++ new/kex.c

@@ -55,6 +55,10 @@

 #include "sshbuf.h"

 #include "digest.h"

+#ifdef GSSAPI

+#include "ssh-gss.h"

+#endif

+

 #if OPENSSL_VERSION_NUMBER >= 0x00907000L

 # if defined(HAVE_EVP_SHA256)

 # define evp_ssh_sha256 EVP_sha256

@@ -95,6 +99,11 @@ static const struct kexalg kexalgs[] = {

 #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)

 	{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },

 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */

+#ifdef GSSAPI

+	{ KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },

+	{ KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },

+	{ KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },

+#endif

 	{ NULL, -1, -1, -1},

 };

@@ -126,7 +135,7 @@ kex_alg_by_name(const char *name)

 	const struct kexalg *k;

 	for (k = kexalgs; k->name != NULL; k++) {

-		if (strcmp(k->name, name) == 0)

+		if (strncmp(k->name, name, strlen(k->name)) == 0)

 			return k;

 	}

 	return NULL;

diff -pur old/kex.h new/kex.h

--- old/kex.h

+++ new/kex.h

@@ -93,6 +93,9 @@ enum kex_exchange {

 	KEX_DH_GEX_SHA256,

 	KEX_ECDH_SHA2,

 	KEX_C25519_SHA256,

+	KEX_GSS_GRP1_SHA1,

+	KEX_GSS_GRP14_SHA1,

+	KEX_GSS_GEX_SHA1,

 	KEX_MAX

 };

@@ -139,6 +142,10 @@ struct kex {

 	u_int	flags;

 	int	hash_alg;

 	int	ec_nid;

+#ifdef GSSAPI

+	int	gss_deleg_creds;

+	char    *gss_host;

+#endif

 	char	*client_version_string;

 	char	*server_version_string;

 	char	*failed_choice;

@@ -186,6 +193,10 @@ int	 kexecdh_client(struct ssh *);

 int	 kexecdh_server(struct ssh *);

 int	 kexc25519_client(struct ssh *);

 int	 kexc25519_server(struct ssh *);

+#ifdef GSSAPI

+int	 kexgss_client(struct ssh *);

+int	 kexgss_server(struct ssh *);

+#endif

 int	 kex_dh_hash(const char *, const char *,

     const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,

diff -pur old/monitor.c new/monitor.c

--- old/monitor.c

+++ new/monitor.c

@@ -160,6 +160,7 @@ int mm_answer_gss_setup_ctx(int, Buffer

 int mm_answer_gss_accept_ctx(int, Buffer *);

 int mm_answer_gss_userok(int, Buffer *);

 int mm_answer_gss_checkmic(int, Buffer *);

+int mm_answer_gss_sign(int, Buffer *);

 #endif

 #ifdef SSH_AUDIT_EVENTS

@@ -244,11 +245,17 @@ struct mon_table mon_dispatch_proto20[]

     {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},

     {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},

     {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},

+    {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},

 #endif

     {0, 0, NULL}

 };

 struct mon_table mon_dispatch_postauth20[] = {

+#ifdef GSSAPI

+    {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},