author | Tomas Kuthan <tomas.kuthan@oracle.com> |
Tue, 30 Dec 2014 12:58:06 -0800 | |
changeset 3574 | 80e9a4e240d3 |
child 4503 | bf30d46ab06e |
permissions | -rw-r--r-- |
3574
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
1 |
/* |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
2 |
* Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
3 |
* |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
4 |
* Redistribution and use in source and binary forms, with or without |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
5 |
* modification, are permitted provided that the following conditions |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
6 |
* are met: |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
7 |
* 1. Redistributions of source code must retain the above copyright |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
8 |
* notice, this list of conditions and the following disclaimer. |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
9 |
* 2. Redistributions in binary form must reproduce the above copyright |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
10 |
* notice, this list of conditions and the following disclaimer in the |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
11 |
* documentation and/or other materials provided with the distribution. |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
12 |
* |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
13 |
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
14 |
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
15 |
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
16 |
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
17 |
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
18 |
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
19 |
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
20 |
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
21 |
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
22 |
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
23 |
*/ |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
24 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
25 |
#include "includes.h" |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
26 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
27 |
#ifdef GSSAPI |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
28 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
29 |
#include <string.h> |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
30 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
31 |
#include <openssl/crypto.h> |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
32 |
#include <openssl/bn.h> |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
33 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
34 |
#include "xmalloc.h" |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
35 |
#include "buffer.h" |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
36 |
#include "ssh2.h" |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
37 |
#include "key.h" |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
38 |
#include "cipher.h" |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
39 |
#include "kex.h" |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
40 |
#include "log.h" |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
41 |
#include "packet.h" |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
42 |
#include "dh.h" |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
43 |
#include "ssh-gss.h" |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
44 |
#include "monitor_wrap.h" |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
45 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
46 |
void |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
47 |
kexgss_server(Kex *kex) |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
48 |
{ |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
49 |
OM_uint32 maj_status, min_status; |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
50 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
51 |
/* |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
52 |
* Some GSSAPI implementations use the input value of ret_flags (an |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
53 |
* output variable) as a means of triggering mechanism specific |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
54 |
* features. Initializing it to zero avoids inadvertently |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
55 |
* activating this non-standard behaviour. |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
56 |
*/ |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
57 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
58 |
OM_uint32 ret_flags = 0; |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
59 |
gss_buffer_desc gssbuf, recv_tok, msg_tok; |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
60 |
gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
61 |
Gssctxt *ctxt = NULL; |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
62 |
uint_t slen, klen, kout, hashlen; |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
63 |
uchar_t *kbuf, *hash; |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
64 |
DH *dh; |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
65 |
int min = -1, max = -1, nbits = -1; |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
66 |
BIGNUM *shared_secret = NULL; |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
67 |
BIGNUM *dh_client_pub = NULL; |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
68 |
int type = 0; |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
69 |
gss_OID oid; |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
70 |
char *mechs; |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
71 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
72 |
/* Initialise GSSAPI */ |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
73 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
74 |
/* |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
75 |
* If we're rekeying, privsep means that some of the private structures |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
76 |
* in the GSSAPI code are no longer available. This kludges them back |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
77 |
* into life |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
78 |
*/ |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
79 |
if (!ssh_gssapi_oid_table_ok()) |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
80 |
if ((mechs = ssh_gssapi_server_mechanisms())) |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
81 |
free(mechs); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
82 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
83 |
debug2("%s: Identifying %s", __func__, kex->name); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
84 |
oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
85 |
if (oid == GSS_C_NO_OID) |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
86 |
fatal("Unknown gssapi mechanism"); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
87 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
88 |
debug2("%s: Acquiring credentials", __func__); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
89 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
90 |
if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid)))) |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
91 |
fatal("Unable to acquire credentials for the server"); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
92 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
93 |
switch (kex->kex_type) { |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
94 |
case KEX_GSS_GRP1_SHA1: |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
95 |
dh = dh_new_group1(); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
96 |
break; |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
97 |
case KEX_GSS_GRP14_SHA1: |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
98 |
dh = dh_new_group14(); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
99 |
break; |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
100 |
case KEX_GSS_GEX_SHA1: |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
101 |
debug("Doing group exchange"); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
102 |
packet_read_expect(SSH2_MSG_KEXGSS_GROUPREQ); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
103 |
min = packet_get_int(); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
104 |
nbits = packet_get_int(); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
105 |
max = packet_get_int(); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
106 |
min = MAX(DH_GRP_MIN, min); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
107 |
max = MIN(DH_GRP_MAX, max); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
108 |
packet_check_eom(); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
109 |
if (max < min || nbits < min || max < nbits) |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
110 |
fatal("GSS_GEX, bad parameters: %d !< %d !< %d", |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
111 |
min, nbits, max); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
112 |
dh = PRIVSEP(choose_dh(min, nbits, max)); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
113 |
if (dh == NULL) |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
114 |
packet_disconnect("Protocol error:" |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
115 |
" no matching group found"); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
116 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
117 |
packet_start(SSH2_MSG_KEXGSS_GROUP); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
118 |
packet_put_bignum2(dh->p); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
119 |
packet_put_bignum2(dh->g); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
120 |
packet_send(); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
121 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
122 |
packet_write_wait(); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
123 |
break; |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
124 |
default: |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
125 |
fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
126 |
} |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
127 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
128 |
dh_gen_key(dh, kex->we_need * 8); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
129 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
130 |
do { |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
131 |
debug("Wait SSH2_MSG_GSSAPI_INIT"); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
132 |
type = packet_read(); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
133 |
switch (type) { |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
134 |
case SSH2_MSG_KEXGSS_INIT: |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
135 |
if (dh_client_pub != NULL) |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
136 |
fatal("Received KEXGSS_INIT after" |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
137 |
" initialising"); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
138 |
recv_tok.value = packet_get_string(&slen); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
139 |
recv_tok.length = slen; |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
140 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
141 |
if ((dh_client_pub = BN_new()) == NULL) |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
142 |
fatal("dh_client_pub == NULL"); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
143 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
144 |
packet_get_bignum2(dh_client_pub); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
145 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
146 |
/* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */ |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
147 |
break; |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
148 |
case SSH2_MSG_KEXGSS_CONTINUE: |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
149 |
recv_tok.value = packet_get_string(&slen); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
150 |
recv_tok.length = slen; |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
151 |
break; |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
152 |
default: |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
153 |
packet_disconnect( |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
154 |
"Protocol error: didn't expect packet type %d", |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
155 |
type); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
156 |
} |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
157 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
158 |
maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok, |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
159 |
&send_tok, &ret_flags)); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
160 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
161 |
free(recv_tok.value); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
162 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
163 |
if (maj_status != GSS_S_COMPLETE && send_tok.length == 0) |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
164 |
fatal("Zero length token output when incomplete"); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
165 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
166 |
if (dh_client_pub == NULL) |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
167 |
fatal("No client public key"); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
168 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
169 |
if (maj_status & GSS_S_CONTINUE_NEEDED) { |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
170 |
debug("Sending GSSAPI_CONTINUE"); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
171 |
packet_start(SSH2_MSG_KEXGSS_CONTINUE); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
172 |
packet_put_string(send_tok.value, send_tok.length); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
173 |
packet_send(); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
174 |
gss_release_buffer(&min_status, &send_tok); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
175 |
} |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
176 |
} while (maj_status & GSS_S_CONTINUE_NEEDED); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
177 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
178 |
if (GSS_ERROR(maj_status)) { |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
179 |
if (send_tok.length > 0) { |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
180 |
packet_start(SSH2_MSG_KEXGSS_CONTINUE); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
181 |
packet_put_string(send_tok.value, send_tok.length); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
182 |
packet_send(); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
183 |
} |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
184 |
fatal("accept_ctx died"); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
185 |
} |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
186 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
187 |
if (!(ret_flags & GSS_C_MUTUAL_FLAG)) |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
188 |
fatal("Mutual Authentication flag wasn't set"); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
189 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
190 |
if (!(ret_flags & GSS_C_INTEG_FLAG)) |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
191 |
fatal("Integrity flag wasn't set"); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
192 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
193 |
if (!dh_pub_is_valid(dh, dh_client_pub)) |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
194 |
packet_disconnect("bad client public DH value"); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
195 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
196 |
klen = DH_size(dh); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
197 |
kbuf = xmalloc(klen); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
198 |
kout = DH_compute_key(kbuf, dh_client_pub, dh); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
199 |
if (kout < 0) |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
200 |
fatal("DH_compute_key: failed"); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
201 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
202 |
shared_secret = BN_new(); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
203 |
if (shared_secret == NULL) |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
204 |
fatal("kexgss_server: BN_new failed"); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
205 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
206 |
if (BN_bin2bn(kbuf, kout, shared_secret) == NULL) |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
207 |
fatal("kexgss_server: BN_bin2bn failed"); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
208 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
209 |
memset(kbuf, 0, klen); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
210 |
free(kbuf); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
211 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
212 |
switch (kex->kex_type) { |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
213 |
case KEX_GSS_GRP1_SHA1: |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
214 |
case KEX_GSS_GRP14_SHA1: |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
215 |
kex_dh_hash( |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
216 |
kex->client_version_string, kex->server_version_string, |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
217 |
buffer_ptr(&kex->peer), buffer_len(&kex->peer), |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
218 |
buffer_ptr(&kex->my), buffer_len(&kex->my), |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
219 |
NULL, 0, /* Change this if we start sending host keys */ |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
220 |
dh_client_pub, dh->pub_key, shared_secret, |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
221 |
&hash, &hashlen); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
222 |
break; |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
223 |
case KEX_GSS_GEX_SHA1: |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
224 |
kexgex_hash( |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
225 |
kex->hash_alg, |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
226 |
kex->client_version_string, kex->server_version_string, |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
227 |
buffer_ptr(&kex->peer), buffer_len(&kex->peer), |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
228 |
buffer_ptr(&kex->my), buffer_len(&kex->my), |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
229 |
NULL, 0, |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
230 |
min, nbits, max, |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
231 |
dh->p, dh->g, |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
232 |
dh_client_pub, |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
233 |
dh->pub_key, |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
234 |
shared_secret, |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
235 |
&hash, &hashlen); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
236 |
break; |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
237 |
default: |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
238 |
fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
239 |
} |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
240 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
241 |
BN_clear_free(dh_client_pub); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
242 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
243 |
if (kex->session_id == NULL) { |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
244 |
kex->session_id_len = hashlen; |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
245 |
kex->session_id = xmalloc(kex->session_id_len); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
246 |
memcpy(kex->session_id, hash, kex->session_id_len); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
247 |
} |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
248 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
249 |
gssbuf.value = hash; |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
250 |
gssbuf.length = hashlen; |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
251 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
252 |
if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt, &gssbuf, &msg_tok)))) |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
253 |
fatal("Couldn't get MIC"); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
254 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
255 |
packet_start(SSH2_MSG_KEXGSS_COMPLETE); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
256 |
packet_put_bignum2(dh->pub_key); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
257 |
packet_put_string(msg_tok.value, msg_tok.length); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
258 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
259 |
if (send_tok.length != 0) { |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
260 |
packet_put_char(1); /* true */ |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
261 |
packet_put_string(send_tok.value, send_tok.length); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
262 |
} else { |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
263 |
packet_put_char(0); /* false */ |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
264 |
} |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
265 |
packet_send(); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
266 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
267 |
gss_release_buffer(&min_status, &send_tok); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
268 |
gss_release_buffer(&min_status, &msg_tok); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
269 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
270 |
if (gss_kex_context == NULL) |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
271 |
gss_kex_context = ctxt; |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
272 |
else |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
273 |
ssh_gssapi_delete_ctx(&ctxt); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
274 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
275 |
DH_free(dh); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
276 |
|
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
277 |
kex_derive_keys_bn(kex, hash, hashlen, shared_secret); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
278 |
BN_clear_free(shared_secret); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
279 |
kex_finish(kex); |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
280 |
} |
80e9a4e240d3
PSARC/2014/390 OpenSSH GSSKEY
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
281 |
#endif /* GSSAPI */ |