kentpeacock / rpms / openssh

Forked from rpms/openssh 2 years ago
Clone
f5835d
From 6ff8f667f792052fd47689c3e421fcd6ddca1cd0 Mon Sep 17 00:00:00 2001
f5835d
From: Jakub Jelen <jjelen@redhat.com>
f5835d
Date: Fri, 25 Aug 2017 19:15:48 +0200
f5835d
Subject: [PATCH 1/3] GSSAPI Key exchange methods with DH and SHA2
f5835d
f5835d
---
f5835d
 gss-genr.c         | 10 ++++++++++
f5835d
 kex.c              |  2 ++
f5835d
 kex.h              |  2 ++
f5835d
 kexgssc.c          |  6 ++++++
f5835d
 kexgsss.c          |  6 ++++++
f5835d
 monitor.c          |  2 ++
f5835d
 regress/kextype.sh |  4 +++-
f5835d
 regress/rekey.sh   |  8 ++++++--
f5835d
 ssh-gss.h          |  2 ++
f5835d
 ssh_config.5       |  4 +++-
f5835d
 sshconnect2.c      |  2 ++
f5835d
 sshd.c             |  2 ++
f5835d
 sshd_config.5      |  4 +++-
f5835d
 13 files changed, 49 insertions(+), 5 deletions(-)
f5835d
f5835d
diff --git a/gss-genr.c b/gss-genr.c
f5835d
index dc63682d..c6eff3d7 100644
f5835d
--- a/gss-genr.c
f5835d
+++ b/gss-genr.c
f5835d
@@ -183,6 +183,16 @@ ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int kex_type) {
f5835d
 			return GSS_C_NO_OID;
f5835d
 		name += sizeof(KEX_GSS_GRP14_SHA1_ID) - 1;
f5835d
 		break;
f5835d
+	case KEX_GSS_GRP14_SHA256:
f5835d
+		if (strlen(name) < sizeof(KEX_GSS_GRP14_SHA256_ID))
f5835d
+			return GSS_C_NO_OID;
f5835d
+		name += sizeof(KEX_GSS_GRP14_SHA256_ID) - 1;
f5835d
+		break;
f5835d
+	case KEX_GSS_GRP16_SHA512:
f5835d
+		if (strlen(name) < sizeof(KEX_GSS_GRP16_SHA512_ID))
f5835d
+			return GSS_C_NO_OID;
f5835d
+		name += sizeof(KEX_GSS_GRP16_SHA512_ID) - 1;
f5835d
+		break;
f5835d
 	case KEX_GSS_GEX_SHA1:
f5835d
 		if (strlen(name) < sizeof(KEX_GSS_GEX_SHA1_ID))
f5835d
 			return GSS_C_NO_OID;
f5835d
diff --git a/kex.c b/kex.c
f5835d
index 63e028fa..e798fecb 100644
f5835d
--- a/kex.c
f5835d
+++ b/kex.c
f5835d
@@ -112,6 +112,8 @@ static const struct kexalg kexalgs[] = {
f5835d
 	{ KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
f5835d
 	{ KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
f5835d
 	{ KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
f5835d
+	{ KEX_GSS_GRP14_SHA256_ID, KEX_GSS_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
f5835d
+	{ KEX_GSS_GRP16_SHA512_ID, KEX_GSS_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
f5835d
 #endif
f5835d
 	{ NULL, -1, -1, -1},
f5835d
 };
f5835d
diff --git a/kex.h b/kex.h
f5835d
index 8a2b37c5..f27958ae 100644
f5835d
--- a/kex.h
f5835d
+++ b/kex.h
f5835d
@@ -102,6 +102,8 @@ enum kex_exchange {
f5835d
 #ifdef GSSAPI
f5835d
 	KEX_GSS_GRP1_SHA1,
f5835d
 	KEX_GSS_GRP14_SHA1,
f5835d
+	KEX_GSS_GRP14_SHA256,
f5835d
+	KEX_GSS_GRP16_SHA512,
f5835d
 	KEX_GSS_GEX_SHA1,
f5835d
 #endif
f5835d
 	KEX_MAX
f5835d
diff --git a/kexgssc.c b/kexgssc.c
f5835d
index 132df8b5..ed23f06d 100644
f5835d
--- a/kexgssc.c
f5835d
+++ b/kexgssc.c
f5835d
@@ -88,8 +88,12 @@ kexgss_client(struct ssh *ssh) {
f5835d
 		dh = dh_new_group1();
f5835d
 		break;
f5835d
 	case KEX_GSS_GRP14_SHA1:
f5835d
+	case KEX_GSS_GRP14_SHA256:
f5835d
 		dh = dh_new_group14();
f5835d
 		break;
f5835d
+	case KEX_GSS_GRP16_SHA512:
f5835d
+		dh = dh_new_group16();
f5835d
+		break;
f5835d
 	case KEX_GSS_GEX_SHA1:
f5835d
 		debug("Doing group exchange\n");
f5835d
 		nbits = dh_estimate(ssh->kex->we_need * 8);
f5835d
@@ -272,6 +276,8 @@ kexgss_client(struct ssh *ssh) {
f5835d
 	switch (ssh->kex->kex_type) {
f5835d
 	case KEX_GSS_GRP1_SHA1:
f5835d
 	case KEX_GSS_GRP14_SHA1:
f5835d
+	case KEX_GSS_GRP14_SHA256:
f5835d
+	case KEX_GSS_GRP16_SHA512:
f5835d
 		kex_dh_hash(ssh->kex->hash_alg, ssh->kex->client_version_string, 
f5835d
 		    ssh->kex->server_version_string,
f5835d
		    sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
f5835d
diff --git a/kexgsss.c b/kexgsss.c
f5835d
index 82a715cc..b7da8823 100644
f5835d
--- a/kexgsss.c
f5835d
+++ b/kexgsss.c
f5835d
@@ -104,8 +104,12 @@ kexgss_server(struct ssh *ssh)
f5835d
 		dh = dh_new_group1();
f5835d
 		break;
f5835d
 	case KEX_GSS_GRP14_SHA1:
f5835d
+	case KEX_GSS_GRP14_SHA256:
f5835d
 		dh = dh_new_group14();
f5835d
 		break;
f5835d
+	case KEX_GSS_GRP16_SHA512:
f5835d
+		dh = dh_new_group16();
f5835d
+		break;
f5835d
 	case KEX_GSS_GEX_SHA1:
f5835d
 		debug("Doing group exchange");
f5835d
 		packet_read_expect(SSH2_MSG_KEXGSS_GROUPREQ);
f5835d
@@ -223,6 +227,8 @@ kexgss_server(struct ssh *ssh)
f5835d
 	switch (ssh->kex->kex_type) {
f5835d
 	case KEX_GSS_GRP1_SHA1:
f5835d
 	case KEX_GSS_GRP14_SHA1:
f5835d
+	case KEX_GSS_GRP14_SHA256:
f5835d
+	case KEX_GSS_GRP16_SHA512:
f5835d
 		kex_dh_hash(ssh->kex->hash_alg,
f5835d
 		    ssh->kex->client_version_string, ssh->kex->server_version_string,
f5835d
		    sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
f5835d
diff --git a/monitor.c b/monitor.c
f5835d
index 17046936..d6bc7ac7 100644
f5835d
--- a/monitor.c
f5835d
+++ b/monitor.c
f5835d
@@ -1648,6 +1648,8 @@ monitor_apply_keystate(struct monitor *pmonitor)
f5835d
 	if (options.gss_keyex) {
f5835d
 		kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
f5835d
 		kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
f5835d
+		kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server;
f5835d
+		kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server;
f5835d
 		kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
f5835d
 	}
f5835d
 #endif
f5835d
diff --git a/regress/kextype.sh b/regress/kextype.sh
f5835d
index 780362ca..45f4f16d 100644
f5835d
--- a/regress/kextype.sh
f5835d
+++ b/regress/kextype.sh
f5835d
@@ -14,7 +14,9 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/sshd_proxy
f5835d
 
f5835d
 tries="1 2 3 4"
f5835d
 for k in `${SSH} -Q kex`; do
f5835d
-	if [ $k = "gss-gex-sha1-" -o $k = "gss-group1-sha1-" -o $k = "gss-group14-sha1-" ]; then
f5835d
+	if [ $k = "gss-gex-sha1-" -o $k = "gss-group1-sha1-" -o \
f5835d
+	    $k = "gss-group14-sha1-" -o $k = "gss-group14-sha256-" -o \
f5835d
+	    $k = "gss-group16-sha512-" ]; then
f5835d
 		continue
f5835d
 	fi
f5835d
 	verbose "kex $k"
f5835d
diff --git a/regress/rekey.sh b/regress/rekey.sh
f5835d
index 9fbe9b38..a2921bef 100644
f5835d
--- a/regress/rekey.sh
f5835d
+++ b/regress/rekey.sh
f5835d
@@ -38,7 +38,9 @@ increase_datafile_size 300
f5835d
 
f5835d
 opts=""
f5835d
 for i in `${SSH} -Q kex`; do
f5835d
-	if [ $i = "gss-gex-sha1-" -o $i = "gss-group1-sha1-" -o $i = "gss-group14-sha1-" ]; then
f5835d
+	if [ $i = "gss-gex-sha1-" -o $i = "gss-group1-sha1-" -o \
f5835d
+	    $i = "gss-group14-sha1-" -o $i = "gss-group14-sha256-" -o \
f5835d
+	    $i = "gss-group16-sha512-" ]; then
f5835d
 		continue
f5835d
 	fi
f5835d
 	opts="$opts KexAlgorithms=$i"
f5835d
@@ -59,7 +61,9 @@ done
f5835d
 if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
f5835d
   for c in `${SSH} -Q cipher-auth`; do
f5835d
     for kex in `${SSH} -Q kex`; do
f5835d
-	if [ $kex = "gss-gex-sha1-" -o $kex = "gss-group1-sha1-" -o $kex = "gss-group14-sha1-" ]; then
f5835d
+	if [ $kex = "gss-gex-sha1-" -o $kex = "gss-group1-sha1-" -o \
f5835d
+	    $kex = "gss-group14-sha1-" -o $kex = "gss-group14-sha256-" -o \
f5835d
+	    $kex = "gss-group16-sha512-" ]; then
f5835d
 		continue
f5835d
 	fi
f5835d
 	verbose "client rekey $c $kex"
f5835d
diff --git a/ssh-gss.h b/ssh-gss.h
f5835d
index 6b6adb2b..7bf8d75e 100644
f5835d
--- a/ssh-gss.h
f5835d
+++ b/ssh-gss.h
f5835d
@@ -70,6 +70,8 @@
f5835d
 #define SSH2_MSG_KEXGSS_GROUP				41
f5835d
 #define KEX_GSS_GRP1_SHA1_ID				"gss-group1-sha1-"
f5835d
 #define KEX_GSS_GRP14_SHA1_ID				"gss-group14-sha1-"
f5835d
+#define KEX_GSS_GRP14_SHA256_ID			"gss-group14-sha256-"
f5835d
+#define KEX_GSS_GRP16_SHA512_ID			"gss-group16-sha512-"
f5835d
 #define KEX_GSS_GEX_SHA1_ID				"gss-gex-sha1-"
f5835d
 
f5835d
 #define        GSS_KEX_DEFAULT_KEX \
f5835d
diff --git a/ssh_config.5 b/ssh_config.5
f5835d
index 6b24649e..3d6da510 100644
f5835d
--- a/ssh_config.5
f5835d
+++ b/ssh_config.5
f5835d
@@ -760,7 +760,9 @@ key exchange. Possible values are
f5835d
 .Bd -literal -offset 3n
f5835d
 gss-gex-sha1-,
f5835d
 gss-group1-sha1-,
f5835d
-gss-group14-sha1-
f5835d
+gss-group14-sha1-,
f5835d
+gss-group14-sha256-,
f5835d
+gss-group16-sha512-
f5835d
 .Ed
f5835d
 .Pp
f5835d
 The default is
f5835d
diff --git a/sshconnect2.c b/sshconnect2.c
f5835d
index 8db98293..5d6b8be0 100644
f5835d
--- a/sshconnect2.c
f5835d
+++ b/sshconnect2.c
f5835d
@@ -253,6 +253,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
f5835d
 	if (options.gss_keyex) {
f5835d
 		kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
f5835d
 		kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client;
f5835d
+		kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_client;
f5835d
+		kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_client;
f5835d
 		kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
f5835d
 	}
f5835d
 #endif
f5835d
diff --git a/sshd.c b/sshd.c
f5835d
index 895df26f..e4c879a2 100644
f5835d
--- a/sshd.c
f5835d
+++ b/sshd.c
f5835d
@@ -2244,6 +2244,8 @@ do_ssh2_kex(void)
f5835d
 	if (options.gss_keyex) {
f5835d
 		kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
f5835d
 		kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
f5835d
+		kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server;
f5835d
+		kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server;
f5835d
 		kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
f5835d
 	}
f5835d
 #endif
f5835d
diff --git a/sshd_config.5 b/sshd_config.5
f5835d
index bf81f6af..0793418b 100644
f5835d
--- a/sshd_config.5
f5835d
+++ b/sshd_config.5
f5835d
@@ -675,7 +675,9 @@ key exchange. Possible values are
f5835d
 .Bd -literal -offset 3n
f5835d
 gss-gex-sha1-,
f5835d
 gss-group1-sha1-,
f5835d
-gss-group14-sha1-
f5835d
+gss-group14-sha1-,
f5835d
+gss-group14-sha256-,
f5835d
+gss-group16-sha512-
f5835d
 .Ed
f5835d
 .Pp
f5835d
 The default is
f5835d
-- 
f5835d
2.13.5
f5835d
f5835d
f5835d
From 7d56144903fc625c33da7fabf103f4f6bba4d43a Mon Sep 17 00:00:00 2001
f5835d
From: Jakub Jelen <jjelen@redhat.com>
f5835d
Date: Tue, 29 Aug 2017 15:32:14 +0200
f5835d
Subject: [PATCH 2/3] GSSAPI Key exchange using ECDH and SHA2
f5835d
f5835d
---
f5835d
 gss-genr.c         |  10 ++
f5835d
 kex.c              |   3 +
f5835d
 kex.h              |   4 +
f5835d
 kexgssc.c          | 392 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
f5835d
 kexgsss.c          | 333 +++++++++++++++++++++++++++++++++++++++++++++
f5835d
 monitor.c          |   5 +-
f5835d
 regress/kextype.sh |   1 +
f5835d
 regress/rekey.sh   |   2 +
f5835d
 ssh-gss.h          |   2 +
f5835d
 ssh_config.5       |   4 +-
f5835d
 sshconnect2.c      |   2 +
f5835d
 sshd.c             |   2 +
f5835d
 sshd_config.5      |   4 +-
f5835d
 13 files changed, 754 insertions(+), 10 deletions(-)
f5835d
f5835d
diff --git a/gss-genr.c b/gss-genr.c
f5835d
index c6eff3d7..22040244 100644
f5835d
--- a/gss-genr.c
f5835d
+++ b/gss-genr.c
f5835d
@@ -198,6 +198,16 @@ ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int kex_type) {
f5835d
 			return GSS_C_NO_OID;
f5835d
 		name += sizeof(KEX_GSS_GEX_SHA1_ID) - 1;
f5835d
 		break;
f5835d
+	case KEX_GSS_NISTP256_SHA256:
f5835d
+		if (strlen(name) < sizeof(KEX_GSS_NISTP256_SHA256_ID))
f5835d
+			return GSS_C_NO_OID;
f5835d
+		name += sizeof(KEX_GSS_NISTP256_SHA256_ID) - 1;
f5835d
+		break;
f5835d
+	case KEX_GSS_C25519_SHA256:
f5835d
+		if (strlen(name) < sizeof(KEX_GSS_C25519_SHA256_ID))
f5835d
+			return GSS_C_NO_OID;
f5835d
+		name += sizeof(KEX_GSS_C25519_SHA256_ID) - 1;
f5835d
+		break;
f5835d
 	default:
f5835d
 		return GSS_C_NO_OID;
f5835d
 	}
f5835d
diff --git a/kex.c b/kex.c
f5835d
index e798fecb..bdeeada9 100644
f5835d
--- a/kex.c
f5835d
+++ b/kex.c
f5835d
@@ -114,6 +114,9 @@ static const struct kexalg kexalgs[] = {
f5835d
 	{ KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
f5835d
 	{ KEX_GSS_GRP14_SHA256_ID, KEX_GSS_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
f5835d
 	{ KEX_GSS_GRP16_SHA512_ID, KEX_GSS_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
f5835d
+	{ KEX_GSS_NISTP256_SHA256_ID, KEX_GSS_NISTP256_SHA256,
f5835d
+	    NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
f5835d
+	{ KEX_GSS_C25519_SHA256_ID, KEX_GSS_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
f5835d
 #endif
f5835d
 	{ NULL, -1, -1, -1},
f5835d
 };
f5835d
diff --git a/kex.h b/kex.h
f5835d
index f27958ae..7def8561 100644
f5835d
--- a/kex.h
f5835d
+++ b/kex.h
f5835d
@@ -105,6 +105,8 @@ enum kex_exchange {
f5835d
 	KEX_GSS_GRP14_SHA256,
f5835d
 	KEX_GSS_GRP16_SHA512,
f5835d
 	KEX_GSS_GEX_SHA1,
f5835d
+	KEX_GSS_NISTP256_SHA256,
f5835d
+	KEX_GSS_C25519_SHA256,
f5835d
 #endif
f5835d
 	KEX_MAX
f5835d
 };
f5835d
@@ -211,6 +213,8 @@ int	 kexecdh_server(struct ssh *);
f5835d
 int	 kexc25519_client(struct ssh *);
f5835d
 int	 kexc25519_server(struct ssh *);
f5835d
 #ifdef GSSAPI
f5835d
+int	 kexecgss_client(struct ssh *);
f5835d
+int	 kexecgss_server(struct ssh *);
f5835d
 int	 kexgss_client(struct ssh *);
f5835d
 int	 kexgss_server(struct ssh *);
f5835d
 #endif
f5835d
diff --git a/kexgssc.c b/kexgssc.c
f5835d
index ed23f06d..bdb3109a 100644
f5835d
--- a/kexgssc.c
f5835d
+++ b/kexgssc.c
f5835d
@@ -43,6 +43,7 @@
f5835d
 #include "packet.h"
f5835d
 #include "dh.h"
f5835d
 #include "digest.h"
f5835d
+#include "ssherr.h"
f5835d
 
f5835d
 #include "ssh-gss.h"
f5835d
 
f5835d
@@ -52,7 +53,7 @@ kexgss_client(struct ssh *ssh) {
f5835d
 	gss_buffer_desc recv_tok, gssbuf, msg_tok, *token_ptr;
f5835d
 	Gssctxt *ctxt;
f5835d
 	OM_uint32 maj_status, min_status, ret_flags;
f5835d
-	u_int klen, kout, slen = 0, strlen;
f5835d
+	u_int klen, kout, slen = 0, packet_len;
f5835d
 	DH *dh; 
f5835d
 	BIGNUM *dh_server_pub = NULL;
f5835d
 	BIGNUM *shared_secret = NULL;
f5835d
@@ -201,20 +202,20 @@ kexgss_client(struct ssh *ssh) {
f5835d
 				debug("Received GSSAPI_CONTINUE");
f5835d
 				if (maj_status == GSS_S_COMPLETE) 
f5835d
 					fatal("GSSAPI Continue received from server when complete");
f5835d
-				recv_tok.value = packet_get_string(&strlen);
f5835d
-				recv_tok.length = strlen; 
f5835d
+				recv_tok.value = packet_get_string(&packet_len);
f5835d
+				recv_tok.length = packet_len;
f5835d
 				break;
f5835d
 			case SSH2_MSG_KEXGSS_COMPLETE:
f5835d
 				debug("Received GSSAPI_COMPLETE");
f5835d
 				packet_get_bignum2(dh_server_pub);
f5835d
-				msg_tok.value =  packet_get_string(&strlen);
f5835d
-				msg_tok.length = strlen; 
f5835d
+				msg_tok.value =  packet_get_string(&packet_len);
f5835d
+				msg_tok.length = packet_len;
f5835d
 
f5835d
 				/* Is there a token included? */
f5835d
 				if (packet_get_char()) {
f5835d
 					recv_tok.value=
f5835d
-					    packet_get_string(&strlen);
f5835d
-					recv_tok.length = strlen;
f5835d
+					    packet_get_string(&packet_len);
f5835d
+					recv_tok.length = packet_len;
f5835d
 					/* If we're already complete - protocol error */
f5835d
 					if (maj_status == GSS_S_COMPLETE)
f5835d
 						packet_disconnect("Protocol error: received token when complete");
f5835d
@@ -344,4 +345,382 @@ kexgss_client(struct ssh *ssh) {
f5835d
 	return kex_send_newkeys(ssh);
f5835d
 }
f5835d
 
f5835d
+int
f5835d
+kexecgss_client(struct ssh *ssh) {
f5835d
+	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
f5835d
+	gss_buffer_desc recv_tok, gssbuf, msg_tok, *token_ptr;
f5835d
+	Gssctxt *ctxt;
f5835d
+	OM_uint32 maj_status, min_status, ret_flags;
f5835d
+	u_int klen = 0, slen = 0, packet_len;
f5835d
+	u_char *server_pub = NULL;
f5835d
+	u_int server_pub_len = 0;
f5835d
+	BIGNUM *shared_secret = NULL;
f5835d
+	u_char *kbuf = NULL;
f5835d
+	u_char *serverhostkey = NULL;
f5835d
+	u_char *empty = "";
f5835d
+	char *msg;
f5835d
+	char *lang;
f5835d
+	int type = 0;
f5835d
+	int first = 1;
f5835d
+	u_char hash[SSH_DIGEST_MAX_LENGTH];
f5835d
+	size_t hashlen;
f5835d
+	const EC_GROUP *group = NULL;
f5835d
+	const EC_POINT *public_key;
f5835d
+	struct sshbuf *Q_C = NULL;
f5835d
+	struct kex *kex = ssh->kex;
f5835d
+	EC_POINT *server_public = NULL;
f5835d
+	struct sshbuf *c25519_shared_secret = NULL;
f5835d
+	int r;
f5835d
+
f5835d
+	/* Initialise our GSSAPI world */
f5835d
+	ssh_gssapi_build_ctx(&ctxt);
f5835d
+	if (ssh_gssapi_id_kex(ctxt, kex->name, kex->kex_type)
f5835d
+	    == GSS_C_NO_OID)
f5835d
+		fatal("Couldn't identify host exchange");
f5835d
+
f5835d
+	if (ssh_gssapi_import_name(ctxt, kex->gss_host))
f5835d
+		fatal("Couldn't import hostname");
f5835d
+
f5835d
+	if (kex->gss_client &&
f5835d
+	    ssh_gssapi_client_identity(ctxt, kex->gss_client))
f5835d
+		fatal("Couldn't acquire client credentials");
f5835d
+
f5835d
+	if ((Q_C = sshbuf_new()) == NULL) {
f5835d
+		r = SSH_ERR_ALLOC_FAIL;
f5835d
+		goto out;
f5835d
+	}
f5835d
+
f5835d
+	switch (kex->kex_type) {
f5835d
+	case KEX_GSS_NISTP256_SHA256:
f5835d
+		if ((kex->ec_client_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) {
f5835d
+			r = SSH_ERR_ALLOC_FAIL;
f5835d
+			goto out;
f5835d
+		}
f5835d
+		if (EC_KEY_generate_key(kex->ec_client_key) != 1) {
f5835d
+			r = SSH_ERR_LIBCRYPTO_ERROR;
f5835d
+			goto out;
f5835d
+		}
f5835d
+		group = EC_KEY_get0_group(kex->ec_client_key);
f5835d
+		public_key = EC_KEY_get0_public_key(kex->ec_client_key);
f5835d
+#ifdef DEBUG_KEXECDH
f5835d
+	fputs("client private key:\n", stderr);
f5835d
+	sshkey_dump_ec_key(kex->ec_client_key);
f5835d
+#endif
f5835d
+
f5835d
+		sshbuf_put_ec(Q_C, public_key, group);
f5835d
+		break;
f5835d
+	case KEX_GSS_C25519_SHA256:
f5835d
+		kexc25519_keygen(kex->c25519_client_key, kex->c25519_client_pubkey);
f5835d
+#ifdef DEBUG_KEXECDH
f5835d
+		dump_digest("client private key:", kex->c25519_client_key,
f5835d
+		    sizeof(kex->c25519_client_key));
f5835d
+#endif
f5835d
+
f5835d
+		if ((r = sshbuf_put_string(Q_C, kex->c25519_client_pubkey,
f5835d
+		    sizeof(kex->c25519_client_pubkey))) != 0)
f5835d
+			fatal("%s: buffer error: %s", __func__, ssh_err(r));
f5835d
+		break;
f5835d
+	default:
f5835d
+		fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
f5835d
+	}
f5835d
+
f5835d
+	token_ptr = GSS_C_NO_BUFFER;
f5835d
+
f5835d
+	do {
f5835d
+		/* Step 2 - call GSS_Init_sec_context() */
f5835d
+		debug("Calling gss_init_sec_context");
f5835d
+
f5835d
+		maj_status = ssh_gssapi_init_ctx(ctxt,
f5835d
+		    kex->gss_deleg_creds, token_ptr, &send_tok,
f5835d
+		    &ret_flags);
f5835d
+
f5835d
+		if (GSS_ERROR(maj_status)) {
f5835d
+			if (send_tok.length != 0) {
f5835d
+				packet_start(SSH2_MSG_KEXGSS_CONTINUE);
f5835d
+				packet_put_string(send_tok.value,
f5835d
+				    send_tok.length);
f5835d
+			}
f5835d
+			fatal("gss_init_context failed");
f5835d
+		}
f5835d
+
f5835d
+		/* If we've got an old receive buffer get rid of it */
f5835d
+		if (token_ptr != GSS_C_NO_BUFFER)
f5835d
+			free(recv_tok.value);
f5835d
+
f5835d
+		if (maj_status == GSS_S_COMPLETE) {
f5835d
+			/* If mutual state flag is not true, kex fails */
f5835d
+			if (!(ret_flags & GSS_C_MUTUAL_FLAG))
f5835d
+				fatal("Mutual authentication failed");
f5835d
+
f5835d
+			/* If integ avail flag is not true kex fails */
f5835d
+			if (!(ret_flags & GSS_C_INTEG_FLAG))
f5835d
+				fatal("Integrity check failed");
f5835d
+		}
f5835d
+
f5835d
+		/*
f5835d
+		 * If we have data to send, then the last message that we
f5835d
+		 * received cannot have been a 'complete'.
f5835d
+		 */
f5835d
+		if (send_tok.length != 0) {
f5835d
+			if (first) {
f5835d
+				const u_char * ptr;
f5835d
+				size_t len;
f5835d
+
f5835d
+				packet_start(SSH2_MSG_KEXGSS_INIT);
f5835d
+				packet_put_string(send_tok.value,
f5835d
+				    send_tok.length);
f5835d
+				sshbuf_get_string_direct(Q_C, &ptr, &len;;
f5835d
+				packet_put_string(ptr, len);
f5835d
+				first = 0;
f5835d
+			} else {
f5835d
+				packet_start(SSH2_MSG_KEXGSS_CONTINUE);
f5835d
+				packet_put_string(send_tok.value,
f5835d
+				    send_tok.length);
f5835d
+			}
f5835d
+			packet_send();
f5835d
+			gss_release_buffer(&min_status, &send_tok);
f5835d
+
f5835d
+			/* If we've sent them data, they should reply */
f5835d
+			do {
f5835d
+				type = packet_read();
f5835d
+				if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
f5835d
+					debug("Received KEXGSS_HOSTKEY");
f5835d
+					if (serverhostkey)
f5835d
+						fatal("Server host key received more than once");
f5835d
+					serverhostkey =
f5835d
+					    packet_get_string(&slen);
f5835d
+				}
f5835d
+			} while (type == SSH2_MSG_KEXGSS_HOSTKEY);
f5835d
+
f5835d
+			switch (type) {
f5835d
+			case SSH2_MSG_KEXGSS_CONTINUE:
f5835d
+				debug("Received GSSAPI_CONTINUE");
f5835d
+				if (maj_status == GSS_S_COMPLETE)
f5835d
+					fatal("GSSAPI Continue received from server when complete");
f5835d
+				recv_tok.value = packet_get_string(&packet_len);
f5835d
+				recv_tok.length = packet_len;
f5835d
+				break;
f5835d
+			case SSH2_MSG_KEXGSS_COMPLETE:
f5835d
+				debug("Received GSSAPI_COMPLETE");
f5835d
+				server_pub = packet_get_string(&server_pub_len);
f5835d
+				msg_tok.value = packet_get_string(&packet_len);
f5835d
+				msg_tok.length = packet_len;
f5835d
+
f5835d
+				/* Is there a token included? */
f5835d
+				if (packet_get_char()) {
f5835d
+					recv_tok.value=
f5835d
+					    packet_get_string(&packet_len);
f5835d
+					recv_tok.length = packet_len;
f5835d
+					/* If we're already complete - protocol error */
f5835d
+					if (maj_status == GSS_S_COMPLETE)
f5835d
+						packet_disconnect("Protocol error: received token when complete");
f5835d
+					} else {
f5835d
+						/* No token included */
f5835d
+						if (maj_status != GSS_S_COMPLETE)
f5835d
+							packet_disconnect("Protocol error: did not receive final token");
f5835d
+				}
f5835d
+				break;
f5835d
+			case SSH2_MSG_KEXGSS_ERROR:
f5835d
+				debug("Received Error");
f5835d
+				maj_status = packet_get_int();
f5835d
+				min_status = packet_get_int();
f5835d
+				msg = packet_get_string(NULL);
f5835d
+				lang = packet_get_string(NULL);
f5835d
+				fatal("GSSAPI Error: \n%.400s",msg);
f5835d
+			default:
f5835d
+				packet_disconnect("Protocol error: didn't expect packet type %d",
f5835d
+				    type);
f5835d
+			}
f5835d
+			token_ptr = &recv_tok;
f5835d
+		} else {
f5835d
+			/* No data, and not complete */
f5835d
+			if (maj_status != GSS_S_COMPLETE)
f5835d
+				fatal("Not complete, and no token output");
f5835d
+		}
f5835d
+	} while (maj_status & GSS_S_CONTINUE_NEEDED);
f5835d
+
f5835d
+	/*
f5835d
+	 * We _must_ have received a COMPLETE message in reply from the
f5835d
+	 * server, which will have set dh_server_pub and msg_tok
f5835d
+	 */
f5835d
+
f5835d
+	if (type != SSH2_MSG_KEXGSS_COMPLETE)
f5835d
+		fatal("Didn't receive a SSH2_MSG_KEXGSS_COMPLETE when I expected it");
f5835d
+
f5835d
+	/* 7. C verifies that the key Q_S is valid */
f5835d
+	/* 8. C computes shared secret */
f5835d
+	switch (kex->kex_type) {
f5835d
+	case KEX_GSS_NISTP256_SHA256:
f5835d
+		if (server_pub_len != 65)
f5835d
+			fatal("The received NIST-P256 key did not match"
f5835d
+			    "expected length (expected 65, got %d)", server_pub_len);
f5835d
+
f5835d
+		if (server_pub[0] != POINT_CONVERSION_UNCOMPRESSED)
f5835d
+			fatal("The received NIST-P256 key does not have first octet 0x04");
f5835d
+
f5835d
+		if ((server_public = EC_POINT_new(group)) == NULL) {
f5835d
+			r = SSH_ERR_ALLOC_FAIL;
f5835d
+			goto out;
f5835d
+		}
f5835d
+
f5835d
+		if (!EC_POINT_oct2point(group, server_public, server_pub,
f5835d
+		    server_pub_len, NULL))
f5835d
+			fatal("Can not decode received NIST-P256 client key");
f5835d
+#ifdef DEBUG_KEXECDH
f5835d
+		fputs("server public key:\n", stderr);
f5835d
+		sshkey_dump_ec_point(group, server_public);
f5835d
+#endif
f5835d
+
f5835d
+		if (sshkey_ec_validate_public(group, server_public) != 0) {
f5835d
+			sshpkt_disconnect(ssh, "invalid client public key");
f5835d
+			r = SSH_ERR_MESSAGE_INCOMPLETE;
f5835d
+			goto out;
f5835d
+		}
f5835d
+
f5835d
+		if (!EC_POINT_is_on_curve(group, server_public, NULL))
f5835d
+			fatal("Received NIST-P256 client key is not on curve");
f5835d
+
f5835d
+		/* Calculate shared_secret */
f5835d
+		klen = (EC_GROUP_get_degree(group) + 7) / 8;
f5835d
+		if ((kbuf = malloc(klen)) == NULL ||
f5835d
+		    (shared_secret = BN_new()) == NULL) {
f5835d
+			r = SSH_ERR_ALLOC_FAIL;
f5835d
+			goto out;
f5835d
+		}
f5835d
+		if (ECDH_compute_key(kbuf, klen, server_public,
f5835d
+		    kex->ec_client_key, NULL) != (int)klen ||
f5835d
+		    BN_bin2bn(kbuf, klen, shared_secret) == NULL) {
f5835d
+			r = SSH_ERR_LIBCRYPTO_ERROR;
f5835d
+			goto out;
f5835d
+		}
f5835d
+#ifdef DEBUG_KEXECDH
f5835d
+		dump_digest("shared secret", kbuf, klen);
f5835d
+#endif
f5835d
+		break;
f5835d
+	case KEX_GSS_C25519_SHA256:
f5835d
+		if (server_pub_len != 32)
f5835d
+			fatal("The received curve25519 key did not match"
f5835d
+			    "expected length (expected 32, got %d)", server_pub_len);
f5835d
+
f5835d
+		if (server_pub[server_pub_len-1] & 0x80)
f5835d
+			fatal("The received key has MSB of last octet set!");
f5835d
+#ifdef DEBUG_KEXECDH
f5835d
+		dump_digest("server public key:", server_pub, CURVE25519_SIZE);
f5835d
+#endif
f5835d
+
f5835d
+		/* generate shared secret */
f5835d
+		if ((c25519_shared_secret = sshbuf_new()) == NULL) {
f5835d
+			r = SSH_ERR_ALLOC_FAIL;
f5835d
+			goto out;
f5835d
+		}
f5835d
+		if ((r = kexc25519_shared_key(kex->c25519_client_key,
f5835d
+		    server_pub, c25519_shared_secret)) < 0)
f5835d
+			goto out;
f5835d
+
f5835d
+		/* if all octets of the shared secret are zero octets,
f5835d
+		 * is already checked in kexc25519_shared_key() */
f5835d
+		break;
f5835d
+	default:
f5835d
+		fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
f5835d
+	}
f5835d
+
f5835d
+	hashlen = sizeof(hash);
f5835d
+	switch (kex->kex_type) {
f5835d
+	case KEX_GSS_NISTP256_SHA256:
f5835d
+		kex_ecdh_hash(
f5835d
+		    kex->hash_alg,
f5835d
+		    group,
f5835d
+		    kex->client_version_string,
f5835d
+		    kex->server_version_string,
f5835d
+		    sshbuf_ptr(kex->my), sshbuf_len(kex->my),
f5835d
+		    sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
f5835d
+		    (serverhostkey ? serverhostkey : empty), slen,
f5835d
+		    EC_KEY_get0_public_key(kex->ec_client_key),
f5835d
+		    server_public,
f5835d
+		    shared_secret,
f5835d
+		    hash, &hashlen
f5835d
+		);
f5835d
+		break;
f5835d
+	case KEX_GSS_C25519_SHA256:
f5835d
+		kex_c25519_hash(
f5835d
+		    kex->hash_alg,
f5835d
+		    kex->client_version_string, kex->server_version_string,
f5835d
+		    sshbuf_ptr(kex->my), sshbuf_len(kex->my),
f5835d
+		    sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
f5835d
+		    (serverhostkey ? serverhostkey : empty), slen,
f5835d
+		    kex->c25519_client_pubkey, server_pub,
f5835d
+		    sshbuf_ptr(c25519_shared_secret), sshbuf_len(c25519_shared_secret),
f5835d
+		    hash, &hashlen
f5835d
+		);
f5835d
+		break;
f5835d
+	default:
f5835d
+		fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
f5835d
+	}
f5835d
+
f5835d
+	gssbuf.value = hash;
f5835d
+	gssbuf.length = hashlen;
f5835d
+
f5835d
+	/* Verify that the hash matches the MIC we just got. */
f5835d
+	if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
f5835d
+		packet_disconnect("Hash's MIC didn't verify");
f5835d
+
f5835d
+	free(msg_tok.value);
f5835d
+
f5835d
+	/* save session id */
f5835d
+	if (kex->session_id == NULL) {
f5835d
+		kex->session_id_len = hashlen;
f5835d
+		kex->session_id = xmalloc(kex->session_id_len);
f5835d
+		memcpy(kex->session_id, hash, kex->session_id_len);
f5835d
+	}
f5835d
+
f5835d
+	if (kex->gss_deleg_creds)
f5835d
+		ssh_gssapi_credentials_updated(ctxt);
f5835d
+
f5835d
+	if (gss_kex_context == NULL)
f5835d
+		gss_kex_context = ctxt;
f5835d
+	else
f5835d
+		ssh_gssapi_delete_ctx(&ctxt);
f5835d
+
f5835d
+	/* Finally derive the keys and send them */
f5835d
+	switch (kex->kex_type) {
f5835d
+	case KEX_GSS_NISTP256_SHA256:
f5835d
+		if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) != 0)
f5835d
+			goto out;
f5835d
+		break;
f5835d
+	case KEX_GSS_C25519_SHA256:
f5835d
+		if ((r = kex_derive_keys(ssh, hash, hashlen, c25519_shared_secret)) != 0)
f5835d
+			goto out;
f5835d
+		break;
f5835d
+	default:
f5835d
+		fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
f5835d
+	}
f5835d
+	r = kex_send_newkeys(ssh);
f5835d
+out:
f5835d
+	free(serverhostkey);
f5835d
+	explicit_bzero(hash, sizeof(hash));
f5835d
+	sshbuf_free(Q_C);
f5835d
+	if (server_pub)
f5835d
+		free(server_pub);
f5835d
+	switch (kex->kex_type) {
f5835d
+	case KEX_GSS_NISTP256_SHA256:
f5835d
+		if (kex->ec_client_key) {
f5835d
+			EC_KEY_free(kex->ec_client_key);
f5835d
+			kex->ec_client_key = NULL;
f5835d
+		}
f5835d
+		if (server_public)
f5835d
+			EC_POINT_clear_free(server_public);
f5835d
+		if (kbuf) {
f5835d
+			explicit_bzero(kbuf, klen);
f5835d
+			free(kbuf);
f5835d
+		}
f5835d
+		if (shared_secret)
f5835d
+			BN_clear_free(shared_secret);
f5835d
+		break;
f5835d
+	case KEX_GSS_C25519_SHA256:
f5835d
+		explicit_bzero(kex->c25519_client_key, sizeof(kex->c25519_client_key));
f5835d
+		sshbuf_free(c25519_shared_secret);
f5835d
+		break;
f5835d
+	}
f5835d
+	return r;
f5835d
+}
f5835d
 #endif /* GSSAPI */
f5835d
diff --git a/kexgsss.c b/kexgsss.c
f5835d
index b7da8823..a7c42803 100644
f5835d
--- a/kexgsss.c
f5835d
+++ b/kexgsss.c
f5835d
@@ -46,6 +46,7 @@
f5835d
 #include "servconf.h"
f5835d
 #include "ssh-gss.h"
f5835d
 #include "digest.h"
f5835d
+#include "ssherr.h"
f5835d
 
f5835d
 extern ServerOptions options;
f5835d
 
f5835d
@@ -303,4 +304,338 @@ kexgss_server(struct ssh *ssh)
f5835d
 		ssh_gssapi_rekey_creds();
f5835d
 	return 0;
f5835d
 }
f5835d
+
f5835d
+int
f5835d
+kexecgss_server(struct ssh *ssh)
f5835d
+{
f5835d
+	OM_uint32 maj_status, min_status;
f5835d
+
f5835d
+	/*
f5835d
+	 * Some GSSAPI implementations use the input value of ret_flags (an
f5835d
+	 * output variable) as a means of triggering mechanism specific
f5835d
+	 * features. Initializing it to zero avoids inadvertently
f5835d
+	 * activating this non-standard behaviour.
f5835d
+	 */
f5835d
+
f5835d
+	OM_uint32 ret_flags = 0;
f5835d
+	gss_buffer_desc gssbuf, recv_tok, msg_tok;
f5835d
+	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
f5835d
+	Gssctxt *ctxt = NULL;
f5835d
+	u_int slen, klen = 0;
f5835d
+	u_char *kbuf = NULL;
f5835d
+	BIGNUM *shared_secret = NULL;
f5835d
+	int type = 0;
f5835d
+	gss_OID oid;
f5835d
+	char *mechs;
f5835d
+	u_char hash[SSH_DIGEST_MAX_LENGTH];
f5835d
+	size_t hashlen;
f5835d
+	u_char *client_pub = NULL;
f5835d
+	u_int client_pub_len = 0;
f5835d
+	const EC_GROUP *group = NULL;
f5835d
+	EC_POINT *client_public = NULL;
f5835d
+	EC_KEY *server_key = NULL;
f5835d
+	const EC_POINT *public_key;
f5835d
+	u_char c25519_server_key[CURVE25519_SIZE];
f5835d
+	u_char c25519_server_pubkey[CURVE25519_SIZE];
f5835d
+	struct sshbuf *c25519_shared_secret = NULL;
f5835d
+	struct sshbuf *Q_S;
f5835d
+	struct kex *kex = ssh->kex;
f5835d
+	int r;
f5835d
+
f5835d
+	/* Initialise GSSAPI */
f5835d
+
f5835d
+	/* If we're rekeying, privsep means that some of the private structures
f5835d
+	 * in the GSSAPI code are no longer available. This kludges them back
f5835d
+	 * into life
f5835d
+	 */
f5835d
+	if (!ssh_gssapi_oid_table_ok())
f5835d
+		if ((mechs = ssh_gssapi_server_mechanisms()))
f5835d
+			free(mechs);
f5835d
+
f5835d
+	debug2("%s: Identifying %s", __func__, kex->name);
f5835d
+	oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
f5835d
+	if (oid == GSS_C_NO_OID)
f5835d
+	   fatal("Unknown gssapi mechanism");
f5835d
+
f5835d
+	debug2("%s: Acquiring credentials", __func__);
f5835d
+
f5835d
+	if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
f5835d
+		fatal("Unable to acquire credentials for the server");
f5835d
+
f5835d
+	if ((Q_S = sshbuf_new()) == NULL) {
f5835d
+		r = SSH_ERR_ALLOC_FAIL;
f5835d
+		goto out;
f5835d
+	}
f5835d
+
f5835d
+	/* 5. S generates an ephemeral key pair (do the allocations early) */
f5835d
+	switch (kex->kex_type) {
f5835d
+	case KEX_GSS_NISTP256_SHA256:
f5835d
+		if ((server_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) {
f5835d
+			r = SSH_ERR_ALLOC_FAIL;
f5835d
+			goto out;
f5835d
+		}
f5835d
+		if (EC_KEY_generate_key(server_key) != 1) {
f5835d
+			r = SSH_ERR_LIBCRYPTO_ERROR;
f5835d
+			goto out;
f5835d
+		}
f5835d
+		group = EC_KEY_get0_group(server_key);
f5835d
+		public_key = EC_KEY_get0_public_key(server_key);
f5835d
+
f5835d
+		sshbuf_put_ec(Q_S, public_key, group);
f5835d
+		break;
f5835d
+	case KEX_GSS_C25519_SHA256:
f5835d
+		kexc25519_keygen(c25519_server_key, c25519_server_pubkey);
f5835d
+#ifdef DEBUG_KEXECDH
f5835d
+		dump_digest("server private key:", c25519_server_key,
f5835d
+		    sizeof(c25519_server_key));
f5835d
+#endif
f5835d
+		if ((r = sshbuf_put_string(Q_S, c25519_server_pubkey,
f5835d
+		    sizeof(c25519_server_pubkey))) != 0)
f5835d
+			fatal("%s: buffer error: %s", __func__, ssh_err(r));
f5835d
+		break;
f5835d
+	default:
f5835d
+		fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
f5835d
+	}
f5835d
+
f5835d
+	do {
f5835d
+		debug("Wait SSH2_MSG_GSSAPI_INIT");
f5835d
+		type = packet_read();
f5835d
+		switch(type) {
f5835d
+		case SSH2_MSG_KEXGSS_INIT:
f5835d
+			if (client_pub != NULL)
f5835d
+				fatal("Received KEXGSS_INIT after initialising");
f5835d
+			recv_tok.value = packet_get_string(&slen);
f5835d
+			recv_tok.length = slen;
f5835d
+
f5835d
+			client_pub = packet_get_string(&client_pub_len);
f5835d
+
f5835d
+			/* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */
f5835d
+			break;
f5835d
+		case SSH2_MSG_KEXGSS_CONTINUE:
f5835d
+			recv_tok.value = packet_get_string(&slen);
f5835d
+			recv_tok.length = slen;
f5835d
+			break;
f5835d
+		default:
f5835d
+			packet_disconnect(
f5835d
+			    "Protocol error: didn't expect packet type %d",
f5835d
+			    type);
f5835d
+		}
f5835d
+
f5835d
+		maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok,
f5835d
+		    &send_tok, &ret_flags));
f5835d
+
f5835d
+		free(recv_tok.value);
f5835d
+
f5835d
+		if (maj_status != GSS_S_COMPLETE && send_tok.length == 0)
f5835d
+			fatal("Zero length token output when incomplete");
f5835d
+
f5835d
+		if (client_pub == NULL)
f5835d
+			fatal("No client public key");
f5835d
+
f5835d
+		if (maj_status & GSS_S_CONTINUE_NEEDED) {
f5835d
+			debug("Sending GSSAPI_CONTINUE");
f5835d
+			packet_start(SSH2_MSG_KEXGSS_CONTINUE);
f5835d
+			packet_put_string(send_tok.value, send_tok.length);
f5835d
+			packet_send();
f5835d
+			gss_release_buffer(&min_status, &send_tok);
f5835d
+		}
f5835d
+	} while (maj_status & GSS_S_CONTINUE_NEEDED);
f5835d
+
f5835d
+	if (GSS_ERROR(maj_status)) {
f5835d
+		if (send_tok.length > 0) {
f5835d
+			packet_start(SSH2_MSG_KEXGSS_CONTINUE);
f5835d
+			packet_put_string(send_tok.value, send_tok.length);
f5835d
+			packet_send();
f5835d
+		}
f5835d
+		fatal("accept_ctx died");
f5835d
+	}
f5835d
+
f5835d
+	if (!(ret_flags & GSS_C_MUTUAL_FLAG))
f5835d
+		fatal("Mutual Authentication flag wasn't set");
f5835d
+
f5835d
+	if (!(ret_flags & GSS_C_INTEG_FLAG))
f5835d
+		fatal("Integrity flag wasn't set");
f5835d
+
f5835d
+	/* 3. S verifies that the (client) key is valid */
f5835d
+	/* calculate shared secret */
f5835d
+	switch (kex->kex_type) {
f5835d
+	case KEX_GSS_NISTP256_SHA256:
f5835d
+		if (client_pub_len != 65)
f5835d
+			fatal("The received NIST-P256 key did not match"
f5835d
+			    "expected length (expected 65, got %d)", client_pub_len);
f5835d
+
f5835d
+		if (client_pub[0] != POINT_CONVERSION_UNCOMPRESSED)
f5835d
+			fatal("The received NIST-P256 key does not have first octet 0x04");
f5835d
+
f5835d
+		if ((client_public = EC_POINT_new(group)) == NULL) {
f5835d
+			r = SSH_ERR_ALLOC_FAIL;
f5835d
+			goto out;
f5835d
+		}
f5835d
+
f5835d
+		if (!EC_POINT_oct2point(group, client_public, client_pub,
f5835d
+		    client_pub_len, NULL))
f5835d
+			fatal("Can not decode received NIST-P256 client key");
f5835d
+
f5835d
+		if (sshkey_ec_validate_public(group, client_public) != 0) {
f5835d
+			sshpkt_disconnect(ssh, "invalid client public key");
f5835d
+			r = SSH_ERR_MESSAGE_INCOMPLETE;
f5835d
+			goto out;
f5835d
+		}
f5835d
+
f5835d
+		if (!EC_POINT_is_on_curve(group, client_public, NULL))
f5835d
+			fatal("Received NIST-P256 client key is not on curve");
f5835d
+
f5835d
+		/* Calculate shared_secret */
f5835d
+		klen = (EC_GROUP_get_degree(group) + 7) / 8;
f5835d
+		if ((kbuf = malloc(klen)) == NULL ||
f5835d
+		    (shared_secret = BN_new()) == NULL) {
f5835d
+			r = SSH_ERR_ALLOC_FAIL;
f5835d
+			goto out;
f5835d
+		}
f5835d
+		if (ECDH_compute_key(kbuf, klen, client_public,
f5835d
+		    server_key, NULL) != (int)klen ||
f5835d
+		    BN_bin2bn(kbuf, klen, shared_secret) == NULL) {
f5835d
+			r = SSH_ERR_LIBCRYPTO_ERROR;
f5835d
+			goto out;
f5835d
+		}
f5835d
+		break;
f5835d
+	case KEX_GSS_C25519_SHA256:
f5835d
+		if (client_pub_len != 32)
f5835d
+			fatal("The received curve25519 key did not match"
f5835d
+			    "expected length (expected 32, got %d)", client_pub_len);
f5835d
+
f5835d
+		if (client_pub[client_pub_len-1] & 0x80)
f5835d
+			fatal("The received key has MSB of last octet set!");
f5835d
+
f5835d
+		/* generate shared secret */
f5835d
+		if ((c25519_shared_secret = sshbuf_new()) == NULL) {
f5835d
+			r = SSH_ERR_ALLOC_FAIL;
f5835d
+			goto out;
f5835d
+		}
f5835d
+		if ((r = kexc25519_shared_key(c25519_server_key,
f5835d
+		    client_pub, c25519_shared_secret)) < 0)
f5835d
+			goto out;
f5835d
+
f5835d
+		/* if all octets of the shared secret are zero octets,
f5835d
+		 * is already checked in kexc25519_shared_key() */
f5835d
+		break;
f5835d
+	default:
f5835d
+		fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
f5835d
+	}
f5835d
+
f5835d
+	hashlen = sizeof(hash);
f5835d
+	switch (kex->kex_type) {
f5835d
+	case KEX_GSS_NISTP256_SHA256:
f5835d
+		kex_ecdh_hash(
f5835d
+		    kex->hash_alg,
f5835d
+		    group,
f5835d
+		    kex->client_version_string,
f5835d
+		    kex->server_version_string,
f5835d
+		    sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
f5835d
+		    sshbuf_ptr(kex->my), sshbuf_len(kex->my),
f5835d
+		    NULL, 0,
f5835d
+		    client_public,
f5835d
+		    EC_KEY_get0_public_key(server_key),
f5835d
+		    shared_secret,
f5835d
+		    hash, &hashlen
f5835d
+		);
f5835d
+		break;
f5835d
+	case KEX_GSS_C25519_SHA256:
f5835d
+		kex_c25519_hash(
f5835d
+		    kex->hash_alg,
f5835d
+		    kex->client_version_string, kex->server_version_string,
f5835d
+		    sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
f5835d
+		    sshbuf_ptr(kex->my), sshbuf_len(kex->my),
f5835d
+		    NULL, 0,
f5835d
+		    client_pub, c25519_server_pubkey,
f5835d
+		    sshbuf_ptr(c25519_shared_secret), sshbuf_len(c25519_shared_secret),
f5835d
+		    hash, &hashlen
f5835d
+		);
f5835d
+		break;
f5835d
+	default:
f5835d
+		fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
f5835d
+	}
f5835d
+
f5835d
+	if (kex->session_id == NULL) {
f5835d
+		kex->session_id_len = hashlen;
f5835d
+		kex->session_id = xmalloc(kex->session_id_len);
f5835d
+		memcpy(kex->session_id, hash, kex->session_id_len);
f5835d
+	}
f5835d
+
f5835d
+	gssbuf.value = hash;
f5835d
+	gssbuf.length = hashlen;
f5835d
+
f5835d
+	if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt,&gssbuf,&msg_tok))))
f5835d
+		fatal("Couldn't get MIC");
f5835d
+
f5835d
+	packet_start(SSH2_MSG_KEXGSS_COMPLETE);
f5835d
+	{
f5835d
+		const u_char *ptr;
f5835d
+		size_t len;
f5835d
+		if ((r = sshbuf_get_string_direct(Q_S, &ptr, &len)) != 0)
f5835d
+			fatal("%s: buffer error: %s", __func__, ssh_err(r));
f5835d
+		packet_put_string(ptr, len);
f5835d
+	}
f5835d
+	packet_put_string(msg_tok.value, msg_tok.length);
f5835d
+
f5835d
+	if (send_tok.length != 0) {
f5835d
+		packet_put_char(1); /* true */
f5835d
+		packet_put_string(send_tok.value, send_tok.length);
f5835d
+	} else {
f5835d
+		packet_put_char(0); /* false */
f5835d
+	}
f5835d
+	packet_send();
f5835d
+
f5835d
+	gss_release_buffer(&min_status, &send_tok);
f5835d
+	gss_release_buffer(&min_status, &msg_tok);
f5835d
+
f5835d
+	if (gss_kex_context == NULL)
f5835d
+		gss_kex_context = ctxt;
f5835d
+	else
f5835d
+		ssh_gssapi_delete_ctx(&ctxt);
f5835d
+
f5835d
+	/* Finally derive the keys and send them */
f5835d
+	switch (kex->kex_type) {
f5835d
+	case KEX_GSS_NISTP256_SHA256:
f5835d
+		if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) != 0)
f5835d
+			goto out;
f5835d
+		break;
f5835d
+	case KEX_GSS_C25519_SHA256:
f5835d
+		if ((r = kex_derive_keys(ssh, hash, hashlen, c25519_shared_secret)) != 0)
f5835d
+			goto out;
f5835d
+		break;
f5835d
+	default:
f5835d
+		fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
f5835d
+	}
f5835d
+	if ((r = kex_send_newkeys(ssh)) != 0)
f5835d
+		goto out;
f5835d
+
f5835d
+	/* If this was a rekey, then save out any delegated credentials we
f5835d
+	 * just exchanged.  */
f5835d
+	if (options.gss_store_rekey)
f5835d
+		ssh_gssapi_rekey_creds();
f5835d
+out:
f5835d
+	explicit_bzero(hash, sizeof(hash));
f5835d
+	if (Q_S)
f5835d
+		sshbuf_free(Q_S);
f5835d
+	if (client_pub)
f5835d
+		free(client_pub);
f5835d
+	switch (kex->kex_type) {
f5835d
+	case KEX_GSS_NISTP256_SHA256:
f5835d
+		if (server_key)
f5835d
+			EC_KEY_free(server_key);
f5835d
+		if (kbuf) {
f5835d
+			explicit_bzero(kbuf, klen);
f5835d
+			free(kbuf);
f5835d
+		}
f5835d
+		if (shared_secret)
f5835d
+			BN_clear_free(shared_secret);
f5835d
+		break;
f5835d
+	case KEX_GSS_C25519_SHA256:
f5835d
+		explicit_bzero(c25519_server_key, sizeof(c25519_server_key));
f5835d
+		sshbuf_free(c25519_shared_secret);
f5835d
+		break;
f5835d
+	}
f5835d
+	return r;
f5835d
+}
f5835d
 #endif /* GSSAPI */
f5835d
diff --git a/monitor.c b/monitor.c
f5835d
index d6bc7ac7..b11616c8 100644
f5835d
--- a/monitor.c
f5835d
+++ b/monitor.c
f5835d
@@ -1651,6 +1651,8 @@ monitor_apply_keystate(struct monitor *pmonitor)
f5835d
 		kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server;
f5835d
 		kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server;
f5835d
 		kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
f5835d
+		kex->kex[KEX_GSS_NISTP256_SHA256] = kexecgss_server;
f5835d
+		kex->kex[KEX_GSS_C25519_SHA256] = kexecgss_server;
f5835d
 	}
f5835d
 #endif
f5835d
 		kex->load_host_public_key=&get_hostkey_public_by_type;
f5835d
@@ -1867,7 +1869,8 @@ mm_answer_gss_sign(int socket, Buffer *m)
f5835d
 
f5835d
 	if ((r = sshbuf_get_string(m, (u_char **)&data.value, &data.length)) != 0)
f5835d
 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
f5835d
-	if (data.length != 20) 
f5835d
+	/* Lengths of SHA-1, SHA-256 and SHA-512 hashes that are used */
f5835d
+	if (data.length != 20 && data.length != 32 && data.length != 64)
f5835d
 		fatal("%s: data length incorrect: %d", __func__, 
f5835d
 		    (int) data.length);
f5835d
 
f5835d
diff --git a/regress/kextype.sh b/regress/kextype.sh
f5835d
index 45f4f16d..d5b4a713 100644
f5835d
--- a/regress/kextype.sh
f5835d
+++ b/regress/kextype.sh
f5835d
@@ -15,6 +15,7 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/sshd_proxy
f5835d
 tries="1 2 3 4"
f5835d
 for k in `${SSH} -Q kex`; do
f5835d
 	if [ $k = "gss-gex-sha1-" -o $k = "gss-group1-sha1-" -o \
f5835d
+	    $k = "gss-nistp256-sha256-" -o $k = "gss-curve25519-sha256-" -o \
f5835d
 	    $k = "gss-group14-sha1-" -o $k = "gss-group14-sha256-" -o \
f5835d
 	    $k = "gss-group16-sha512-" ]; then
f5835d
 		continue
f5835d
diff --git a/regress/rekey.sh b/regress/rekey.sh
f5835d
index a2921bef..b118c6c8 100644
f5835d
--- a/regress/rekey.sh
f5835d
+++ b/regress/rekey.sh
f5835d
@@ -39,6 +39,7 @@ increase_datafile_size 300
f5835d
 opts=""
f5835d
 for i in `${SSH} -Q kex`; do
f5835d
 	if [ $i = "gss-gex-sha1-" -o $i = "gss-group1-sha1-" -o \
f5835d
+	    $i = "gss-nistp256-sha256-" -o $i = "gss-curve25519-sha256-" -o \
f5835d
 	    $i = "gss-group14-sha1-" -o $i = "gss-group14-sha256-" -o \
f5835d
 	    $i = "gss-group16-sha512-" ]; then
f5835d
 		continue
f5835d
@@ -62,6 +63,7 @@ if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
f5835d
   for c in `${SSH} -Q cipher-auth`; do
f5835d
     for kex in `${SSH} -Q kex`; do
f5835d
 	if [ $kex = "gss-gex-sha1-" -o $kex = "gss-group1-sha1-" -o \
f5835d
+	    $kex = "gss-nistp256-sha256-" -o $kex = "gss-curve25519-sha256-" -o \
f5835d
 	    $kex = "gss-group14-sha1-" -o $kex = "gss-group14-sha256-" -o \
f5835d
 	    $kex = "gss-group16-sha512-" ]; then
f5835d
 		continue
f5835d
diff --git a/ssh-gss.h b/ssh-gss.h
f5835d
index 7bf8d75e..1f73721d 100644
f5835d
--- a/ssh-gss.h
f5835d
+++ b/ssh-gss.h
f5835d
@@ -73,6 +73,8 @@
f5835d
 #define KEX_GSS_GRP14_SHA256_ID			"gss-group14-sha256-"
f5835d
 #define KEX_GSS_GRP16_SHA512_ID			"gss-group16-sha512-"
f5835d
 #define KEX_GSS_GEX_SHA1_ID				"gss-gex-sha1-"
f5835d
+#define KEX_GSS_NISTP256_SHA256_ID			"gss-nistp256-sha256-"
f5835d
+#define KEX_GSS_C25519_SHA256_ID			"gss-curve25519-sha256-"
f5835d
 
f5835d
 #define        GSS_KEX_DEFAULT_KEX \
f5835d
 	KEX_GSS_GEX_SHA1_ID "," \
f5835d
diff --git a/ssh_config.5 b/ssh_config.5
f5835d
index 3d6da510..1dc29bf1 100644
f5835d
--- a/ssh_config.5
f5835d
+++ b/ssh_config.5
f5835d
@@ -762,7 +762,9 @@ gss-gex-sha1-,
f5835d
 gss-group1-sha1-,
f5835d
 gss-group14-sha1-,
f5835d
 gss-group14-sha256-,
f5835d
-gss-group16-sha512-
f5835d
+gss-group16-sha512-,
f5835d
+gss-nistp256-sha256-,
f5835d
+gss-curve25519-sha256-
f5835d
 .Ed
f5835d
 .Pp
f5835d
 The default is
f5835d
diff --git a/sshconnect2.c b/sshconnect2.c
f5835d
index 5d6b8be0..280ae5a6 100644
f5835d
--- a/sshconnect2.c
f5835d
+++ b/sshconnect2.c
f5835d
@@ -256,6 +256,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
f5835d
 		kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_client;
f5835d
 		kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_client;
f5835d
 		kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
f5835d
+		kex->kex[KEX_GSS_NISTP256_SHA256] = kexecgss_client;
f5835d
+		kex->kex[KEX_GSS_C25519_SHA256] = kexecgss_client;
f5835d
 	}
f5835d
 #endif
f5835d
 	kex->kex[KEX_C25519_SHA256] = kexc25519_client;
f5835d
diff --git a/sshd.c b/sshd.c
f5835d
index e4c879a2..a35735d8 100644
f5835d
--- a/sshd.c
f5835d
+++ b/sshd.c
f5835d
@@ -2247,6 +2247,8 @@ do_ssh2_kex(void)
f5835d
 		kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server;
f5835d
 		kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server;
f5835d
 		kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
f5835d
+		kex->kex[KEX_GSS_NISTP256_SHA256] = kexecgss_server;
f5835d
+		kex->kex[KEX_GSS_C25519_SHA256] = kexecgss_server;
f5835d
 	}
f5835d
 #endif
f5835d
 	kex->server = 1;
f5835d
diff --git a/sshd_config.5 b/sshd_config.5
f5835d
index 0793418b..888316bf 100644
f5835d
--- a/sshd_config.5
f5835d
+++ b/sshd_config.5
f5835d
@@ -677,7 +677,9 @@ gss-gex-sha1-,
f5835d
 gss-group1-sha1-,
f5835d
 gss-group14-sha1-,
f5835d
 gss-group14-sha256-,
f5835d
-gss-group16-sha512-
f5835d
+gss-group16-sha512-,
f5835d
+gss-nistp256-sha256-,
f5835d
+gss-curve25519-sha256-
f5835d
 .Ed
f5835d
 .Pp
f5835d
 The default is
f5835d
-- 
f5835d
2.13.5
f5835d
f5835d
f5835d
From 0431695660d5eb1dd1169d42a1624c75a92aa5d2 Mon Sep 17 00:00:00 2001
f5835d
From: Jakub Jelen <jjelen@redhat.com>
f5835d
Date: Wed, 30 Aug 2017 15:30:51 +0200
f5835d
Subject: [PATCH 3/3] Simplify rough edges of GSSAPI Kex
f5835d
f5835d
---
f5835d
 gss-genr.c         | 53 +++++++++++++++++------------------------------------
f5835d
 regress/kextype.sh | 10 ++++------
f5835d
 regress/rekey.sh   | 20 ++++++++------------
f5835d
 3 files changed, 29 insertions(+), 54 deletions(-)
f5835d
f5835d
diff --git a/gss-genr.c b/gss-genr.c
f5835d
index 22040244..c671be31 100644
f5835d
--- a/gss-genr.c
f5835d
+++ b/gss-genr.c
f5835d
@@ -171,47 +171,28 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
f5835d
 gss_OID
f5835d
 ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int kex_type) {
f5835d
 	int i = 0;
f5835d
-	
f5835d
-	switch (kex_type) {
f5835d
-	case KEX_GSS_GRP1_SHA1:
f5835d
-		if (strlen(name) < sizeof(KEX_GSS_GRP1_SHA1_ID))
f5835d
-			return GSS_C_NO_OID;
f5835d
-		name += sizeof(KEX_GSS_GRP1_SHA1_ID) - 1;
f5835d
-		break;
f5835d
-	case KEX_GSS_GRP14_SHA1:
f5835d
-		if (strlen(name) < sizeof(KEX_GSS_GRP14_SHA1_ID))
f5835d
-			return GSS_C_NO_OID;
f5835d
-		name += sizeof(KEX_GSS_GRP14_SHA1_ID) - 1;
f5835d
-		break;
f5835d
-	case KEX_GSS_GRP14_SHA256:
f5835d
-		if (strlen(name) < sizeof(KEX_GSS_GRP14_SHA256_ID))
f5835d
-			return GSS_C_NO_OID;
f5835d
-		name += sizeof(KEX_GSS_GRP14_SHA256_ID) - 1;
f5835d
-		break;
f5835d
-	case KEX_GSS_GRP16_SHA512:
f5835d
-		if (strlen(name) < sizeof(KEX_GSS_GRP16_SHA512_ID))
f5835d
-			return GSS_C_NO_OID;
f5835d
-		name += sizeof(KEX_GSS_GRP16_SHA512_ID) - 1;
f5835d
-		break;
f5835d
-	case KEX_GSS_GEX_SHA1:
f5835d
-		if (strlen(name) < sizeof(KEX_GSS_GEX_SHA1_ID))
f5835d
-			return GSS_C_NO_OID;
f5835d
-		name += sizeof(KEX_GSS_GEX_SHA1_ID) - 1;
f5835d
-		break;
f5835d
-	case KEX_GSS_NISTP256_SHA256:
f5835d
-		if (strlen(name) < sizeof(KEX_GSS_NISTP256_SHA256_ID))
f5835d
-			return GSS_C_NO_OID;
f5835d
-		name += sizeof(KEX_GSS_NISTP256_SHA256_ID) - 1;
f5835d
-		break;
f5835d
-	case KEX_GSS_C25519_SHA256:
f5835d
-		if (strlen(name) < sizeof(KEX_GSS_C25519_SHA256_ID))
f5835d
-			return GSS_C_NO_OID;
f5835d
-		name += sizeof(KEX_GSS_C25519_SHA256_ID) - 1;
f5835d
+
f5835d
+#define SKIP_KEX_NAME(type) \
f5835d
+	case type: \
f5835d
+		if (strlen(name) < sizeof(type##_ID)) \
f5835d
+			return GSS_C_NO_OID; \
f5835d
+		name += sizeof(type##_ID) - 1; \
f5835d
 		break;
f5835d
+
f5835d
+	switch (kex_type) {
f5835d
+	SKIP_KEX_NAME(KEX_GSS_GRP1_SHA1)
f5835d
+	SKIP_KEX_NAME(KEX_GSS_GRP14_SHA1)
f5835d
+	SKIP_KEX_NAME(KEX_GSS_GRP14_SHA256)
f5835d
+	SKIP_KEX_NAME(KEX_GSS_GRP16_SHA512)
f5835d
+	SKIP_KEX_NAME(KEX_GSS_GEX_SHA1)
f5835d
+	SKIP_KEX_NAME(KEX_GSS_NISTP256_SHA256)
f5835d
+	SKIP_KEX_NAME(KEX_GSS_C25519_SHA256)
f5835d
 	default:
f5835d
 		return GSS_C_NO_OID;
f5835d
 	}
f5835d
 
f5835d
+#undef SKIP_KEX_NAME
f5835d
+
f5835d
 	while (gss_enc2oid[i].encoded != NULL &&
f5835d
 	    strcmp(name, gss_enc2oid[i].encoded) != 0)
f5835d
 		i++;
f5835d
diff --git a/regress/kextype.sh b/regress/kextype.sh
f5835d
index d5b4a713..6b4af28a 100644
f5835d
--- a/regress/kextype.sh
f5835d
+++ b/regress/kextype.sh
f5835d
@@ -14,12 +14,10 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/sshd_proxy
f5835d
 
f5835d
 tries="1 2 3 4"
f5835d
 for k in `${SSH} -Q kex`; do
f5835d
-	if [ $k = "gss-gex-sha1-" -o $k = "gss-group1-sha1-" -o \
f5835d
-	    $k = "gss-nistp256-sha256-" -o $k = "gss-curve25519-sha256-" -o \
f5835d
-	    $k = "gss-group14-sha1-" -o $k = "gss-group14-sha256-" -o \
f5835d
-	    $k = "gss-group16-sha512-" ]; then
f5835d
-		continue
f5835d
-	fi
f5835d
+	# ignore GSSAPI key exchange mechanisms (all of them start with gss-)
f5835d
+	case $k in
f5835d
+		gss-* ) continue ;;
f5835d
+	esac
f5835d
 	verbose "kex $k"
f5835d
 	for i in $tries; do
f5835d
 		${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true
f5835d
diff --git a/regress/rekey.sh b/regress/rekey.sh
f5835d
index b118c6c8..d6a8742f 100644
f5835d
--- a/regress/rekey.sh
f5835d
+++ b/regress/rekey.sh
f5835d
@@ -38,12 +38,10 @@ increase_datafile_size 300
f5835d
 
f5835d
 opts=""
f5835d
 for i in `${SSH} -Q kex`; do
f5835d
-	if [ $i = "gss-gex-sha1-" -o $i = "gss-group1-sha1-" -o \
f5835d
-	    $i = "gss-nistp256-sha256-" -o $i = "gss-curve25519-sha256-" -o \
f5835d
-	    $i = "gss-group14-sha1-" -o $i = "gss-group14-sha256-" -o \
f5835d
-	    $i = "gss-group16-sha512-" ]; then
f5835d
-		continue
f5835d
-	fi
f5835d
+	# ignore GSSAPI key exchange mechanisms (all of them start with gss-)
f5835d
+	case $i in
f5835d
+		gss-* ) continue ;;
f5835d
+	esac
f5835d
 	opts="$opts KexAlgorithms=$i"
f5835d
 done
f5835d
 for i in `${SSH} -Q cipher`; do
f5835d
@@ -62,12 +60,10 @@ done
f5835d
 if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
f5835d
   for c in `${SSH} -Q cipher-auth`; do
f5835d
     for kex in `${SSH} -Q kex`; do
f5835d
-	if [ $kex = "gss-gex-sha1-" -o $kex = "gss-group1-sha1-" -o \
f5835d
-	    $kex = "gss-nistp256-sha256-" -o $kex = "gss-curve25519-sha256-" -o \
f5835d
-	    $kex = "gss-group14-sha1-" -o $kex = "gss-group14-sha256-" -o \
f5835d
-	    $kex = "gss-group16-sha512-" ]; then
f5835d
-		continue
f5835d
-	fi
f5835d
+	# ignore GSSAPI key exchange mechanisms (all of them start with gss-)
f5835d
+	case $kex in
f5835d
+		gss-* ) continue ;;
f5835d
+	esac
f5835d
 	verbose "client rekey $c $kex"
f5835d
 	ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c
f5835d
     done
f5835d
-- 
f5835d
2.13.5
f5835d