Attachment #2273 for bug #2107

Lines 77-83 userauth_gssapi(Authctxt *authctxt) Link Here

(-)auth2-gss.c (-1 / +1 lines)
77	return (0);	77	return (0);
78	}	78	}
79		79
80	ssh_gssapi_supported_oids(&supported);	80	PRIVSEP(ssh_gssapi_supported_oids(&supported));
81	do {	81	do {
82	mechs--;	82	mechs--;
83		83




#endif

#ifdef GSSAPI
int mm_answer_gss_supported_oids(int, Buffer *);
int mm_answer_gss_setup_ctx(int, Buffer *);
int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *);

    {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
    {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
#ifdef GSSAPI
    {MONITOR_REQ_GSSSUPPORTEDOIDS, MON_ISAUTH, mm_answer_gss_supported_oids},
    {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},
    {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
    {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},


#ifdef GSSAPI
int
mm_answer_gss_supported_oids(int sock, Buffer *m)
{
	gss_OID_set oidset;
	size_t i;
	OM_uint32 min_status;

	ssh_gssapi_supported_oids(&oidset);

	buffer_clear(m);
	buffer_put_int(m, (u_int)oidset->count);
	for (i = 0; i < oidset->count; i++)
		buffer_put_string(m, oidset->elements[i].elements,
				  oidset->elements[i].length);

	gss_release_oid_set(&min_status, &oidset);

	mm_request_send(sock, MONITOR_ANS_GSSSUPPORTEDOIDS, m);

	return (0);
}

int
mm_answer_gss_setup_ctx(int sock, Buffer *m)
{
	gss_OID_desc goid;




	MONITOR_REQ_RSAKEYALLOWED = 36, MONITOR_ANS_RSAKEYALLOWED = 37,
	MONITOR_REQ_RSACHALLENGE = 38, MONITOR_ANS_RSACHALLENGE = 39,
	MONITOR_REQ_RSARESPONSE = 40, MONITOR_ANS_RSARESPONSE = 41,
	MONITOR_REQ_GSSSUPPORTEDOIDS = 42, MONITOR_ANS_GSSSUPPORTEDOIDS = 43,
	MONITOR_REQ_GSSSETUP = 44, MONITOR_ANS_GSSSETUP = 45,
	MONITOR_REQ_GSSSTEP = 46, MONITOR_ANS_GSSSTEP = 47,
	MONITOR_REQ_GSSUSEROK = 48, MONITOR_ANS_GSSUSEROK = 49,
	MONITOR_REQ_GSSCHECKMIC = 50, MONITOR_ANS_GSSCHECKMIC = 51,
	MONITOR_REQ_TERM = 52,
	MONITOR_REQ_JPAKE_STEP1 = 54, MONITOR_ANS_JPAKE_STEP1 = 55,
	MONITOR_REQ_JPAKE_GET_PWDATA = 56, MONITOR_ANS_JPAKE_GET_PWDATA = 57,
	MONITOR_REQ_JPAKE_STEP2 = 58, MONITOR_ANS_JPAKE_STEP2 = 59,
	MONITOR_REQ_JPAKE_KEY_CONFIRM = 60, MONITOR_ANS_JPAKE_KEY_CONFIRM = 61,
	MONITOR_REQ_JPAKE_CHECK_CONFIRM = 62, MONITOR_ANS_JPAKE_CHECK_CONFIRM = 63,

	MONITOR_REQ_PAM_START = 100,
	MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,




#endif /* SSH_AUDIT_EVENTS */

#ifdef GSSAPI
void
mm_ssh_gssapi_supported_oids(gss_OID_set *oidset)
{
	Buffer m;
	gss_OID_set oids;
	size_t i;
	u_int len;

	buffer_init(&m);

	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSUPPORTEDOIDS, &m);
	mm_request_receive_expect(pmonitor->m_recvfd,
				  MONITOR_ANS_GSSSUPPORTEDOIDS, &m);

	*oidset = xcalloc(1, sizeof(**oidset));
	oids = *oidset;
	oids->count = buffer_get_int(&m);
	oids->elements = xcalloc(oids->count, sizeof(*oids->elements));
	for (i = 0; i < oids->count; i++) {
		oids->elements[i].elements = buffer_get_string(&m, &len);
		oids->elements[i].length = len;
	}

	buffer_free(&m);
}

OM_uint32
mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid)
{

Lines 55-60 int mm_auth_rsa_verify_response(Key *, B Link Here

(-)monitor_wrap.h (+1 lines)
55	BIGNUM mm_auth_rsa_generate_challenge(Key );	55	BIGNUM mm_auth_rsa_generate_challenge(Key );
56		56
57	#ifdef GSSAPI	57	#ifdef GSSAPI
		58	void mm_ssh_gssapi_supported_oids(gss_OID_set *);
58	OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);	59	OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
59	OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,	60	OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
60	gss_buffer_desc , gss_buffer_desc , OM_uint32 *);	61	gss_buffer_desc , gss_buffer_desc , OM_uint32 *);




	fi
done

cp $OBJ/ssh_proxy $OBJ/ssh_proxy.orig
cp $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
echo 'GSSAPIAuthentication yes' >> $OBJ/ssh_proxy
echo 'GSSAPIAuthentication yes' >> $OBJ/sshd_proxy

for p in 1 2; do
	${SSH} -vvv -$p -F $OBJ/ssh_proxy 999.999.999.999 true
	if [ $? -ne 0 ]; then
		# XXX replace this with fail once sandbox has stabilised
		warn "ssh privsep/sandbox+proxyconnect+gssapiauth protocol $p failed"
	fi
done
exit 0

cp $OBJ/ssh_proxy.orig $OBJ/ssh_proxy
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy

# Because sandbox is sensitive to changes in libc, especially malloc, retest
# with every malloc.conf option (and none).
for m in '' A F G H J P R S X Z '<' '>'; do

Return to bug 2107

Lines 176-181 int mm_answer_pam_free_ctx(int, Buffer * Link Here

(-)monitor.c (+24 lines)
176	#endif	176	#endif
177		177
178	#ifdef GSSAPI	178	#ifdef GSSAPI
		179	int mm_answer_gss_supported_oids(int, Buffer *);
179	int mm_answer_gss_setup_ctx(int, Buffer *);	180	int mm_answer_gss_setup_ctx(int, Buffer *);
180	int mm_answer_gss_accept_ctx(int, Buffer *);	181	int mm_answer_gss_accept_ctx(int, Buffer *);
181	int mm_answer_gss_userok(int, Buffer *);	182	int mm_answer_gss_userok(int, Buffer *);
Lines 248-253 struct mon_table mon_dispatch_proto20[] Link Here
248	{MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},	249	{MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
249	{MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},	250	{MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
250	#ifdef GSSAPI	251	#ifdef GSSAPI
		252	{MONITOR_REQ_GSSSUPPORTEDOIDS, MON_ISAUTH, mm_answer_gss_supported_oids},
251	{MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},	253	{MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},
252	{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},	254	{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
253	{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},	255	{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
Lines 2051-2056 monitor_reinit(struct monitor *mon) Link Here
2051		2053
2052	#ifdef GSSAPI	2054	#ifdef GSSAPI
2053	int	2055	int
		2056	mm_answer_gss_supported_oids(int sock, Buffer *m)
		2057	{
		2058	gss_OID_set oidset;
		2059	size_t i;
		2060	OM_uint32 min_status;
		2061
		2062	ssh_gssapi_supported_oids(&oidset);
		2063
		2064	buffer_clear(m);
		2065	buffer_put_int(m, (u_int)oidset->count);
		2066	for (i = 0; i < oidset->count; i++)
		2067	buffer_put_string(m, oidset->elements[i].elements,
		2068	oidset->elements[i].length);
		2069
		2070	gss_release_oid_set(&min_status, &oidset);
		2071
		2072	mm_request_send(sock, MONITOR_ANS_GSSSUPPORTEDOIDS, m);
		2073
		2074	return (0);
		2075	}
		2076
		2077	int
2054	mm_answer_gss_setup_ctx(int sock, Buffer *m)	2078	mm_answer_gss_setup_ctx(int sock, Buffer *m)
2055	{	2079	{
2056	gss_OID_desc goid;	2080	gss_OID_desc goid;

Lines 1207-1212 mm_audit_run_command(const char *command Link Here

(-)monitor_wrap.c (+26 lines)
1207	#endif /* SSH_AUDIT_EVENTS */	1207	#endif /* SSH_AUDIT_EVENTS */
1208		1208
1209	#ifdef GSSAPI	1209	#ifdef GSSAPI
		1210	void
		1211	mm_ssh_gssapi_supported_oids(gss_OID_set *oidset)
		1212	{
		1213	Buffer m;
		1214	gss_OID_set oids;
		1215	size_t i;
		1216	u_int len;
		1217
		1218	buffer_init(&m);
		1219
		1220	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSUPPORTEDOIDS, &m);
		1221	mm_request_receive_expect(pmonitor->m_recvfd,
		1222	MONITOR_ANS_GSSSUPPORTEDOIDS, &m);
		1223
		1224	oidset = xcalloc(1, sizeof(*oidset));
		1225	oids = *oidset;
		1226	oids->count = buffer_get_int(&m);
		1227	oids->elements = xcalloc(oids->count, sizeof(*oids->elements));
		1228	for (i = 0; i < oids->count; i++) {
		1229	oids->elements[i].elements = buffer_get_string(&m, &len);
		1230	oids->elements[i].length = len;
		1231	}
		1232
		1233	buffer_free(&m);
		1234	}
		1235
1210	OM_uint32	1236	OM_uint32
1211	mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid)	1237	mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid)
1212	{	1238	{

Lines 51-66 enum monitor_reqtype { Link Here

(-)monitor.h (-10 / +11 lines)
51	MONITOR_REQ_RSAKEYALLOWED = 36, MONITOR_ANS_RSAKEYALLOWED = 37,	51	MONITOR_REQ_RSAKEYALLOWED = 36, MONITOR_ANS_RSAKEYALLOWED = 37,
52	MONITOR_REQ_RSACHALLENGE = 38, MONITOR_ANS_RSACHALLENGE = 39,	52	MONITOR_REQ_RSACHALLENGE = 38, MONITOR_ANS_RSACHALLENGE = 39,
53	MONITOR_REQ_RSARESPONSE = 40, MONITOR_ANS_RSARESPONSE = 41,	53	MONITOR_REQ_RSARESPONSE = 40, MONITOR_ANS_RSARESPONSE = 41,
54	MONITOR_REQ_GSSSETUP = 42, MONITOR_ANS_GSSSETUP = 43,	54	MONITOR_REQ_GSSSUPPORTEDOIDS = 42, MONITOR_ANS_GSSSUPPORTEDOIDS = 43,
55	MONITOR_REQ_GSSSTEP = 44, MONITOR_ANS_GSSSTEP = 45,	55	MONITOR_REQ_GSSSETUP = 44, MONITOR_ANS_GSSSETUP = 45,
56	MONITOR_REQ_GSSUSEROK = 46, MONITOR_ANS_GSSUSEROK = 47,	56	MONITOR_REQ_GSSSTEP = 46, MONITOR_ANS_GSSSTEP = 47,
57	MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,	57	MONITOR_REQ_GSSUSEROK = 48, MONITOR_ANS_GSSUSEROK = 49,
58	MONITOR_REQ_TERM = 50,	58	MONITOR_REQ_GSSCHECKMIC = 50, MONITOR_ANS_GSSCHECKMIC = 51,
59	MONITOR_REQ_JPAKE_STEP1 = 52, MONITOR_ANS_JPAKE_STEP1 = 53,	59	MONITOR_REQ_TERM = 52,
60	MONITOR_REQ_JPAKE_GET_PWDATA = 54, MONITOR_ANS_JPAKE_GET_PWDATA = 55,	60	MONITOR_REQ_JPAKE_STEP1 = 54, MONITOR_ANS_JPAKE_STEP1 = 55,
61	MONITOR_REQ_JPAKE_STEP2 = 56, MONITOR_ANS_JPAKE_STEP2 = 57,	61	MONITOR_REQ_JPAKE_GET_PWDATA = 56, MONITOR_ANS_JPAKE_GET_PWDATA = 57,
62	MONITOR_REQ_JPAKE_KEY_CONFIRM = 58, MONITOR_ANS_JPAKE_KEY_CONFIRM = 59,	62	MONITOR_REQ_JPAKE_STEP2 = 58, MONITOR_ANS_JPAKE_STEP2 = 59,
63	MONITOR_REQ_JPAKE_CHECK_CONFIRM = 60, MONITOR_ANS_JPAKE_CHECK_CONFIRM = 61,	63	MONITOR_REQ_JPAKE_KEY_CONFIRM = 60, MONITOR_ANS_JPAKE_KEY_CONFIRM = 61,
		64	MONITOR_REQ_JPAKE_CHECK_CONFIRM = 62, MONITOR_ANS_JPAKE_CHECK_CONFIRM = 63,
64		65
65	MONITOR_REQ_PAM_START = 100,	66	MONITOR_REQ_PAM_START = 100,
66	MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,	67	MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,

Lines 24-29 for p in 1 2; do Link Here

(-)regress/connect-privsep.sh (+17 lines)
24	fi	24	fi
25	done	25	done
26		26
		27	cp $OBJ/ssh_proxy $OBJ/ssh_proxy.orig
		28	cp $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
		29	echo 'GSSAPIAuthentication yes' >> $OBJ/ssh_proxy
		30	echo 'GSSAPIAuthentication yes' >> $OBJ/sshd_proxy
		31
		32	for p in 1 2; do
		33	${SSH} -vvv -$p -F $OBJ/ssh_proxy 999.999.999.999 true
		34	if [ $? -ne 0 ]; then
		35	# XXX replace this with fail once sandbox has stabilised
		36	warn "ssh privsep/sandbox+proxyconnect+gssapiauth protocol $p failed"
		37	fi
		38	done
		39	exit 0
		40
		41	cp $OBJ/ssh_proxy.orig $OBJ/ssh_proxy
		42	cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
		43
27	# Because sandbox is sensitive to changes in libc, especially malloc, retest	44	# Because sandbox is sensitive to changes in libc, especially malloc, retest
28	# with every malloc.conf option (and none).	45	# with every malloc.conf option (and none).
29	for m in '' A F G H J P R S X Z '<' '>'; do	46	for m in '' A F G H J P R S X Z '<' '>'; do