kentpeacock / rpms / openssh

Forked from rpms/openssh 2 years ago
Clone
Blob Blame History Raw
From 6ff8f667f792052fd47689c3e421fcd6ddca1cd0 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 25 Aug 2017 19:15:48 +0200
Subject: [PATCH 1/3] GSSAPI Key exchange methods with DH and SHA2

---
 gss-genr.c         | 10 ++++++++++
 kex.c              |  2 ++
 kex.h              |  2 ++
 kexgssc.c          |  6 ++++++
 kexgsss.c          |  6 ++++++
 monitor.c          |  2 ++
 regress/kextype.sh |  4 +++-
 regress/rekey.sh   |  8 ++++++--
 ssh-gss.h          |  2 ++
 ssh_config.5       |  4 +++-
 sshconnect2.c      |  2 ++
 sshd.c             |  2 ++
 sshd_config.5      |  4 +++-
 13 files changed, 49 insertions(+), 5 deletions(-)

diff --git a/gss-genr.c b/gss-genr.c
index dc63682d..c6eff3d7 100644
--- a/gss-genr.c
+++ b/gss-genr.c
@@ -183,6 +183,16 @@ ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int kex_type) {
 			return GSS_C_NO_OID;
 		name += sizeof(KEX_GSS_GRP14_SHA1_ID) - 1;
 		break;
+	case KEX_GSS_GRP14_SHA256:
+		if (strlen(name) < sizeof(KEX_GSS_GRP14_SHA256_ID))
+			return GSS_C_NO_OID;
+		name += sizeof(KEX_GSS_GRP14_SHA256_ID) - 1;
+		break;
+	case KEX_GSS_GRP16_SHA512:
+		if (strlen(name) < sizeof(KEX_GSS_GRP16_SHA512_ID))
+			return GSS_C_NO_OID;
+		name += sizeof(KEX_GSS_GRP16_SHA512_ID) - 1;
+		break;
 	case KEX_GSS_GEX_SHA1:
 		if (strlen(name) < sizeof(KEX_GSS_GEX_SHA1_ID))
 			return GSS_C_NO_OID;
diff --git a/kex.c b/kex.c
index 63e028fa..e798fecb 100644
--- a/kex.c
+++ b/kex.c
@@ -112,6 +112,8 @@ static const struct kexalg kexalgs[] = {
 	{ KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
 	{ KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
 	{ KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
+	{ KEX_GSS_GRP14_SHA256_ID, KEX_GSS_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
+	{ KEX_GSS_GRP16_SHA512_ID, KEX_GSS_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
 #endif
 	{ NULL, -1, -1, -1},
 };
diff --git a/kex.h b/kex.h
index 8a2b37c5..f27958ae 100644
--- a/kex.h
+++ b/kex.h
@@ -102,6 +102,8 @@ enum kex_exchange {
 #ifdef GSSAPI
 	KEX_GSS_GRP1_SHA1,
 	KEX_GSS_GRP14_SHA1,
+	KEX_GSS_GRP14_SHA256,
+	KEX_GSS_GRP16_SHA512,
 	KEX_GSS_GEX_SHA1,
 #endif
 	KEX_MAX
diff --git a/kexgssc.c b/kexgssc.c
index 132df8b5..ed23f06d 100644
--- a/kexgssc.c
+++ b/kexgssc.c
@@ -88,8 +88,12 @@ kexgss_client(struct ssh *ssh) {
 		dh = dh_new_group1();
 		break;
 	case KEX_GSS_GRP14_SHA1:
+	case KEX_GSS_GRP14_SHA256:
 		dh = dh_new_group14();
 		break;
+	case KEX_GSS_GRP16_SHA512:
+		dh = dh_new_group16();
+		break;
 	case KEX_GSS_GEX_SHA1:
 		debug("Doing group exchange\n");
 		nbits = dh_estimate(ssh->kex->we_need * 8);
@@ -272,6 +276,8 @@ kexgss_client(struct ssh *ssh) {
 	switch (ssh->kex->kex_type) {
 	case KEX_GSS_GRP1_SHA1:
 	case KEX_GSS_GRP14_SHA1:
+	case KEX_GSS_GRP14_SHA256:
+	case KEX_GSS_GRP16_SHA512:
 		kex_dh_hash(ssh->kex->hash_alg, ssh->kex->client_version_string, 
 		    ssh->kex->server_version_string,
		    sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
diff --git a/kexgsss.c b/kexgsss.c
index 82a715cc..b7da8823 100644
--- a/kexgsss.c
+++ b/kexgsss.c
@@ -104,8 +104,12 @@ kexgss_server(struct ssh *ssh)
 		dh = dh_new_group1();
 		break;
 	case KEX_GSS_GRP14_SHA1:
+	case KEX_GSS_GRP14_SHA256:
 		dh = dh_new_group14();
 		break;
+	case KEX_GSS_GRP16_SHA512:
+		dh = dh_new_group16();
+		break;
 	case KEX_GSS_GEX_SHA1:
 		debug("Doing group exchange");
 		packet_read_expect(SSH2_MSG_KEXGSS_GROUPREQ);
@@ -223,6 +227,8 @@ kexgss_server(struct ssh *ssh)
 	switch (ssh->kex->kex_type) {
 	case KEX_GSS_GRP1_SHA1:
 	case KEX_GSS_GRP14_SHA1:
+	case KEX_GSS_GRP14_SHA256:
+	case KEX_GSS_GRP16_SHA512:
 		kex_dh_hash(ssh->kex->hash_alg,
 		    ssh->kex->client_version_string, ssh->kex->server_version_string,
		    sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
diff --git a/monitor.c b/monitor.c
index 17046936..d6bc7ac7 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1648,6 +1648,8 @@ monitor_apply_keystate(struct monitor *pmonitor)
 	if (options.gss_keyex) {
 		kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
 		kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+		kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server;
+		kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server;
 		kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
 	}
 #endif
diff --git a/regress/kextype.sh b/regress/kextype.sh
index 780362ca..45f4f16d 100644
--- a/regress/kextype.sh
+++ b/regress/kextype.sh
@@ -14,7 +14,9 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/sshd_proxy
 
 tries="1 2 3 4"
 for k in `${SSH} -Q kex`; do
-	if [ $k = "gss-gex-sha1-" -o $k = "gss-group1-sha1-" -o $k = "gss-group14-sha1-" ]; then
+	if [ $k = "gss-gex-sha1-" -o $k = "gss-group1-sha1-" -o \
+	    $k = "gss-group14-sha1-" -o $k = "gss-group14-sha256-" -o \
+	    $k = "gss-group16-sha512-" ]; then
 		continue
 	fi
 	verbose "kex $k"
diff --git a/regress/rekey.sh b/regress/rekey.sh
index 9fbe9b38..a2921bef 100644
--- a/regress/rekey.sh
+++ b/regress/rekey.sh
@@ -38,7 +38,9 @@ increase_datafile_size 300
 
 opts=""
 for i in `${SSH} -Q kex`; do
-	if [ $i = "gss-gex-sha1-" -o $i = "gss-group1-sha1-" -o $i = "gss-group14-sha1-" ]; then
+	if [ $i = "gss-gex-sha1-" -o $i = "gss-group1-sha1-" -o \
+	    $i = "gss-group14-sha1-" -o $i = "gss-group14-sha256-" -o \
+	    $i = "gss-group16-sha512-" ]; then
 		continue
 	fi
 	opts="$opts KexAlgorithms=$i"
@@ -59,7 +61,9 @@ done
 if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
   for c in `${SSH} -Q cipher-auth`; do
     for kex in `${SSH} -Q kex`; do
-	if [ $kex = "gss-gex-sha1-" -o $kex = "gss-group1-sha1-" -o $kex = "gss-group14-sha1-" ]; then
+	if [ $kex = "gss-gex-sha1-" -o $kex = "gss-group1-sha1-" -o \
+	    $kex = "gss-group14-sha1-" -o $kex = "gss-group14-sha256-" -o \
+	    $kex = "gss-group16-sha512-" ]; then
 		continue
 	fi
 	verbose "client rekey $c $kex"
diff --git a/ssh-gss.h b/ssh-gss.h
index 6b6adb2b..7bf8d75e 100644
--- a/ssh-gss.h
+++ b/ssh-gss.h
@@ -70,6 +70,8 @@
 #define SSH2_MSG_KEXGSS_GROUP				41
 #define KEX_GSS_GRP1_SHA1_ID				"gss-group1-sha1-"
 #define KEX_GSS_GRP14_SHA1_ID				"gss-group14-sha1-"
+#define KEX_GSS_GRP14_SHA256_ID			"gss-group14-sha256-"
+#define KEX_GSS_GRP16_SHA512_ID			"gss-group16-sha512-"
 #define KEX_GSS_GEX_SHA1_ID				"gss-gex-sha1-"
 
 #define        GSS_KEX_DEFAULT_KEX \
diff --git a/ssh_config.5 b/ssh_config.5
index 6b24649e..3d6da510 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -760,7 +760,9 @@ key exchange. Possible values are
 .Bd -literal -offset 3n
 gss-gex-sha1-,
 gss-group1-sha1-,
-gss-group14-sha1-
+gss-group14-sha1-,
+gss-group14-sha256-,
+gss-group16-sha512-
 .Ed
 .Pp
 The default is
diff --git a/sshconnect2.c b/sshconnect2.c
index 8db98293..5d6b8be0 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -253,6 +253,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
 	if (options.gss_keyex) {
 		kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
 		kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client;
+		kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_client;
+		kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_client;
 		kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
 	}
 #endif
diff --git a/sshd.c b/sshd.c
index 895df26f..e4c879a2 100644
--- a/sshd.c
+++ b/sshd.c
@@ -2244,6 +2244,8 @@ do_ssh2_kex(void)
 	if (options.gss_keyex) {
 		kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
 		kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+		kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server;
+		kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server;
 		kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
 	}
 #endif
diff --git a/sshd_config.5 b/sshd_config.5
index bf81f6af..0793418b 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -675,7 +675,9 @@ key exchange. Possible values are
 .Bd -literal -offset 3n
 gss-gex-sha1-,
 gss-group1-sha1-,
-gss-group14-sha1-
+gss-group14-sha1-,
+gss-group14-sha256-,
+gss-group16-sha512-
 .Ed
 .Pp
 The default is
-- 
2.13.5


From 7d56144903fc625c33da7fabf103f4f6bba4d43a Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 29 Aug 2017 15:32:14 +0200
Subject: [PATCH 2/3] GSSAPI Key exchange using ECDH and SHA2

---
 gss-genr.c         |  10 ++
 kex.c              |   3 +
 kex.h              |   4 +
 kexgssc.c          | 392 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
 kexgsss.c          | 333 +++++++++++++++++++++++++++++++++++++++++++++
 monitor.c          |   5 +-
 regress/kextype.sh |   1 +
 regress/rekey.sh   |   2 +
 ssh-gss.h          |   2 +
 ssh_config.5       |   4 +-
 sshconnect2.c      |   2 +
 sshd.c             |   2 +
 sshd_config.5      |   4 +-
 13 files changed, 754 insertions(+), 10 deletions(-)

diff --git a/gss-genr.c b/gss-genr.c
index c6eff3d7..22040244 100644
--- a/gss-genr.c
+++ b/gss-genr.c
@@ -198,6 +198,16 @@ ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int kex_type) {
 			return GSS_C_NO_OID;
 		name += sizeof(KEX_GSS_GEX_SHA1_ID) - 1;
 		break;
+	case KEX_GSS_NISTP256_SHA256:
+		if (strlen(name) < sizeof(KEX_GSS_NISTP256_SHA256_ID))
+			return GSS_C_NO_OID;
+		name += sizeof(KEX_GSS_NISTP256_SHA256_ID) - 1;
+		break;
+	case KEX_GSS_C25519_SHA256:
+		if (strlen(name) < sizeof(KEX_GSS_C25519_SHA256_ID))
+			return GSS_C_NO_OID;
+		name += sizeof(KEX_GSS_C25519_SHA256_ID) - 1;
+		break;
 	default:
 		return GSS_C_NO_OID;
 	}
diff --git a/kex.c b/kex.c
index e798fecb..bdeeada9 100644
--- a/kex.c
+++ b/kex.c
@@ -114,6 +114,9 @@ static const struct kexalg kexalgs[] = {
 	{ KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
 	{ KEX_GSS_GRP14_SHA256_ID, KEX_GSS_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
 	{ KEX_GSS_GRP16_SHA512_ID, KEX_GSS_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
+	{ KEX_GSS_NISTP256_SHA256_ID, KEX_GSS_NISTP256_SHA256,
+	    NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
+	{ KEX_GSS_C25519_SHA256_ID, KEX_GSS_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
 #endif
 	{ NULL, -1, -1, -1},
 };
diff --git a/kex.h b/kex.h
index f27958ae..7def8561 100644
--- a/kex.h
+++ b/kex.h
@@ -105,6 +105,8 @@ enum kex_exchange {
 	KEX_GSS_GRP14_SHA256,
 	KEX_GSS_GRP16_SHA512,
 	KEX_GSS_GEX_SHA1,
+	KEX_GSS_NISTP256_SHA256,
+	KEX_GSS_C25519_SHA256,
 #endif
 	KEX_MAX
 };
@@ -211,6 +213,8 @@ int	 kexecdh_server(struct ssh *);
 int	 kexc25519_client(struct ssh *);
 int	 kexc25519_server(struct ssh *);
 #ifdef GSSAPI
+int	 kexecgss_client(struct ssh *);
+int	 kexecgss_server(struct ssh *);
 int	 kexgss_client(struct ssh *);
 int	 kexgss_server(struct ssh *);
 #endif
diff --git a/kexgssc.c b/kexgssc.c
index ed23f06d..bdb3109a 100644
--- a/kexgssc.c
+++ b/kexgssc.c
@@ -43,6 +43,7 @@
 #include "packet.h"
 #include "dh.h"
 #include "digest.h"
+#include "ssherr.h"
 
 #include "ssh-gss.h"
 
@@ -52,7 +53,7 @@ kexgss_client(struct ssh *ssh) {
 	gss_buffer_desc recv_tok, gssbuf, msg_tok, *token_ptr;
 	Gssctxt *ctxt;
 	OM_uint32 maj_status, min_status, ret_flags;
-	u_int klen, kout, slen = 0, strlen;
+	u_int klen, kout, slen = 0, packet_len;
 	DH *dh; 
 	BIGNUM *dh_server_pub = NULL;
 	BIGNUM *shared_secret = NULL;
@@ -201,20 +202,20 @@ kexgss_client(struct ssh *ssh) {
 				debug("Received GSSAPI_CONTINUE");
 				if (maj_status == GSS_S_COMPLETE) 
 					fatal("GSSAPI Continue received from server when complete");
-				recv_tok.value = packet_get_string(&strlen);
-				recv_tok.length = strlen; 
+				recv_tok.value = packet_get_string(&packet_len);
+				recv_tok.length = packet_len;
 				break;
 			case SSH2_MSG_KEXGSS_COMPLETE:
 				debug("Received GSSAPI_COMPLETE");
 				packet_get_bignum2(dh_server_pub);
-				msg_tok.value =  packet_get_string(&strlen);
-				msg_tok.length = strlen; 
+				msg_tok.value =  packet_get_string(&packet_len);
+				msg_tok.length = packet_len;
 
 				/* Is there a token included? */
 				if (packet_get_char()) {
 					recv_tok.value=
-					    packet_get_string(&strlen);
-					recv_tok.length = strlen;
+					    packet_get_string(&packet_len);
+					recv_tok.length = packet_len;
 					/* If we're already complete - protocol error */
 					if (maj_status == GSS_S_COMPLETE)
 						packet_disconnect("Protocol error: received token when complete");
@@ -344,4 +345,382 @@ kexgss_client(struct ssh *ssh) {
 	return kex_send_newkeys(ssh);
 }
 
+int
+kexecgss_client(struct ssh *ssh) {
+	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
+	gss_buffer_desc recv_tok, gssbuf, msg_tok, *token_ptr;
+	Gssctxt *ctxt;
+	OM_uint32 maj_status, min_status, ret_flags;
+	u_int klen = 0, slen = 0, packet_len;
+	u_char *server_pub = NULL;
+	u_int server_pub_len = 0;
+	BIGNUM *shared_secret = NULL;
+	u_char *kbuf = NULL;
+	u_char *serverhostkey = NULL;
+	u_char *empty = "";
+	char *msg;
+	char *lang;
+	int type = 0;
+	int first = 1;
+	u_char hash[SSH_DIGEST_MAX_LENGTH];
+	size_t hashlen;
+	const EC_GROUP *group = NULL;
+	const EC_POINT *public_key;
+	struct sshbuf *Q_C = NULL;
+	struct kex *kex = ssh->kex;
+	EC_POINT *server_public = NULL;
+	struct sshbuf *c25519_shared_secret = NULL;
+	int r;
+
+	/* Initialise our GSSAPI world */
+	ssh_gssapi_build_ctx(&ctxt);
+	if (ssh_gssapi_id_kex(ctxt, kex->name, kex->kex_type)
+	    == GSS_C_NO_OID)
+		fatal("Couldn't identify host exchange");
+
+	if (ssh_gssapi_import_name(ctxt, kex->gss_host))
+		fatal("Couldn't import hostname");
+
+	if (kex->gss_client &&
+	    ssh_gssapi_client_identity(ctxt, kex->gss_client))
+		fatal("Couldn't acquire client credentials");
+
+	if ((Q_C = sshbuf_new()) == NULL) {
+		r = SSH_ERR_ALLOC_FAIL;
+		goto out;
+	}
+
+	switch (kex->kex_type) {
+	case KEX_GSS_NISTP256_SHA256:
+		if ((kex->ec_client_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) {
+			r = SSH_ERR_ALLOC_FAIL;
+			goto out;
+		}
+		if (EC_KEY_generate_key(kex->ec_client_key) != 1) {
+			r = SSH_ERR_LIBCRYPTO_ERROR;
+			goto out;
+		}
+		group = EC_KEY_get0_group(kex->ec_client_key);
+		public_key = EC_KEY_get0_public_key(kex->ec_client_key);
+#ifdef DEBUG_KEXECDH
+	fputs("client private key:\n", stderr);
+	sshkey_dump_ec_key(kex->ec_client_key);
+#endif
+
+		sshbuf_put_ec(Q_C, public_key, group);
+		break;
+	case KEX_GSS_C25519_SHA256:
+		kexc25519_keygen(kex->c25519_client_key, kex->c25519_client_pubkey);
+#ifdef DEBUG_KEXECDH
+		dump_digest("client private key:", kex->c25519_client_key,
+		    sizeof(kex->c25519_client_key));
+#endif
+
+		if ((r = sshbuf_put_string(Q_C, kex->c25519_client_pubkey,
+		    sizeof(kex->c25519_client_pubkey))) != 0)
+			fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		break;
+	default:
+		fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
+	}
+
+	token_ptr = GSS_C_NO_BUFFER;
+
+	do {
+		/* Step 2 - call GSS_Init_sec_context() */
+		debug("Calling gss_init_sec_context");
+
+		maj_status = ssh_gssapi_init_ctx(ctxt,
+		    kex->gss_deleg_creds, token_ptr, &send_tok,
+		    &ret_flags);
+
+		if (GSS_ERROR(maj_status)) {
+			if (send_tok.length != 0) {
+				packet_start(SSH2_MSG_KEXGSS_CONTINUE);
+				packet_put_string(send_tok.value,
+				    send_tok.length);
+			}
+			fatal("gss_init_context failed");
+		}
+
+		/* If we've got an old receive buffer get rid of it */
+		if (token_ptr != GSS_C_NO_BUFFER)
+			free(recv_tok.value);
+
+		if (maj_status == GSS_S_COMPLETE) {
+			/* If mutual state flag is not true, kex fails */
+			if (!(ret_flags & GSS_C_MUTUAL_FLAG))
+				fatal("Mutual authentication failed");
+
+			/* If integ avail flag is not true kex fails */
+			if (!(ret_flags & GSS_C_INTEG_FLAG))
+				fatal("Integrity check failed");
+		}
+
+		/*
+		 * If we have data to send, then the last message that we
+		 * received cannot have been a 'complete'.
+		 */
+		if (send_tok.length != 0) {
+			if (first) {
+				const u_char * ptr;
+				size_t len;
+
+				packet_start(SSH2_MSG_KEXGSS_INIT);
+				packet_put_string(send_tok.value,
+				    send_tok.length);
+				sshbuf_get_string_direct(Q_C, &ptr, &len);
+				packet_put_string(ptr, len);
+				first = 0;
+			} else {
+				packet_start(SSH2_MSG_KEXGSS_CONTINUE);
+				packet_put_string(send_tok.value,
+				    send_tok.length);
+			}
+			packet_send();
+			gss_release_buffer(&min_status, &send_tok);
+
+			/* If we've sent them data, they should reply */
+			do {
+				type = packet_read();
+				if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
+					debug("Received KEXGSS_HOSTKEY");
+					if (serverhostkey)
+						fatal("Server host key received more than once");
+					serverhostkey =
+					    packet_get_string(&slen);
+				}
+			} while (type == SSH2_MSG_KEXGSS_HOSTKEY);
+
+			switch (type) {
+			case SSH2_MSG_KEXGSS_CONTINUE:
+				debug("Received GSSAPI_CONTINUE");
+				if (maj_status == GSS_S_COMPLETE)
+					fatal("GSSAPI Continue received from server when complete");
+				recv_tok.value = packet_get_string(&packet_len);
+				recv_tok.length = packet_len;
+				break;
+			case SSH2_MSG_KEXGSS_COMPLETE:
+				debug("Received GSSAPI_COMPLETE");
+				server_pub = packet_get_string(&server_pub_len);
+				msg_tok.value = packet_get_string(&packet_len);
+				msg_tok.length = packet_len;
+
+				/* Is there a token included? */
+				if (packet_get_char()) {
+					recv_tok.value=
+					    packet_get_string(&packet_len);
+					recv_tok.length = packet_len;
+					/* If we're already complete - protocol error */
+					if (maj_status == GSS_S_COMPLETE)
+						packet_disconnect("Protocol error: received token when complete");
+					} else {
+						/* No token included */
+						if (maj_status != GSS_S_COMPLETE)
+							packet_disconnect("Protocol error: did not receive final token");
+				}
+				break;
+			case SSH2_MSG_KEXGSS_ERROR:
+				debug("Received Error");
+				maj_status = packet_get_int();
+				min_status = packet_get_int();
+				msg = packet_get_string(NULL);
+				lang = packet_get_string(NULL);
+				fatal("GSSAPI Error: \n%.400s",msg);
+			default:
+				packet_disconnect("Protocol error: didn't expect packet type %d",
+				    type);
+			}
+			token_ptr = &recv_tok;
+		} else {
+			/* No data, and not complete */
+			if (maj_status != GSS_S_COMPLETE)
+				fatal("Not complete, and no token output");
+		}
+	} while (maj_status & GSS_S_CONTINUE_NEEDED);
+
+	/*
+	 * We _must_ have received a COMPLETE message in reply from the
+	 * server, which will have set dh_server_pub and msg_tok
+	 */
+
+	if (type != SSH2_MSG_KEXGSS_COMPLETE)
+		fatal("Didn't receive a SSH2_MSG_KEXGSS_COMPLETE when I expected it");
+
+	/* 7. C verifies that the key Q_S is valid */
+	/* 8. C computes shared secret */
+	switch (kex->kex_type) {
+	case KEX_GSS_NISTP256_SHA256:
+		if (server_pub_len != 65)
+			fatal("The received NIST-P256 key did not match"
+			    "expected length (expected 65, got %d)", server_pub_len);
+
+		if (server_pub[0] != POINT_CONVERSION_UNCOMPRESSED)
+			fatal("The received NIST-P256 key does not have first octet 0x04");
+
+		if ((server_public = EC_POINT_new(group)) == NULL) {
+			r = SSH_ERR_ALLOC_FAIL;
+			goto out;
+		}
+
+		if (!EC_POINT_oct2point(group, server_public, server_pub,
+		    server_pub_len, NULL))
+			fatal("Can not decode received NIST-P256 client key");
+#ifdef DEBUG_KEXECDH
+		fputs("server public key:\n", stderr);
+		sshkey_dump_ec_point(group, server_public);
+#endif
+
+		if (sshkey_ec_validate_public(group, server_public) != 0) {
+			sshpkt_disconnect(ssh, "invalid client public key");
+			r = SSH_ERR_MESSAGE_INCOMPLETE;
+			goto out;
+		}
+
+		if (!EC_POINT_is_on_curve(group, server_public, NULL))
+			fatal("Received NIST-P256 client key is not on curve");
+
+		/* Calculate shared_secret */
+		klen = (EC_GROUP_get_degree(group) + 7) / 8;
+		if ((kbuf = malloc(klen)) == NULL ||
+		    (shared_secret = BN_new()) == NULL) {
+			r = SSH_ERR_ALLOC_FAIL;
+			goto out;
+		}
+		if (ECDH_compute_key(kbuf, klen, server_public,
+		    kex->ec_client_key, NULL) != (int)klen ||
+		    BN_bin2bn(kbuf, klen, shared_secret) == NULL) {
+			r = SSH_ERR_LIBCRYPTO_ERROR;
+			goto out;
+		}
+#ifdef DEBUG_KEXECDH
+		dump_digest("shared secret", kbuf, klen);
+#endif
+		break;
+	case KEX_GSS_C25519_SHA256:
+		if (server_pub_len != 32)
+			fatal("The received curve25519 key did not match"
+			    "expected length (expected 32, got %d)", server_pub_len);
+
+		if (server_pub[server_pub_len-1] & 0x80)
+			fatal("The received key has MSB of last octet set!");
+#ifdef DEBUG_KEXECDH
+		dump_digest("server public key:", server_pub, CURVE25519_SIZE);
+#endif
+
+		/* generate shared secret */
+		if ((c25519_shared_secret = sshbuf_new()) == NULL) {
+			r = SSH_ERR_ALLOC_FAIL;
+			goto out;
+		}
+		if ((r = kexc25519_shared_key(kex->c25519_client_key,
+		    server_pub, c25519_shared_secret)) < 0)
+			goto out;
+
+		/* if all octets of the shared secret are zero octets,
+		 * is already checked in kexc25519_shared_key() */
+		break;
+	default:
+		fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
+	}
+
+	hashlen = sizeof(hash);
+	switch (kex->kex_type) {
+	case KEX_GSS_NISTP256_SHA256:
+		kex_ecdh_hash(
+		    kex->hash_alg,
+		    group,
+		    kex->client_version_string,
+		    kex->server_version_string,
+		    sshbuf_ptr(kex->my), sshbuf_len(kex->my),
+		    sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
+		    (serverhostkey ? serverhostkey : empty), slen,
+		    EC_KEY_get0_public_key(kex->ec_client_key),
+		    server_public,
+		    shared_secret,
+		    hash, &hashlen
+		);
+		break;
+	case KEX_GSS_C25519_SHA256:
+		kex_c25519_hash(
+		    kex->hash_alg,
+		    kex->client_version_string, kex->server_version_string,
+		    sshbuf_ptr(kex->my), sshbuf_len(kex->my),
+		    sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
+		    (serverhostkey ? serverhostkey : empty), slen,
+		    kex->c25519_client_pubkey, server_pub,
+		    sshbuf_ptr(c25519_shared_secret), sshbuf_len(c25519_shared_secret),
+		    hash, &hashlen
+		);
+		break;
+	default:
+		fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
+	}
+
+	gssbuf.value = hash;
+	gssbuf.length = hashlen;
+
+	/* Verify that the hash matches the MIC we just got. */
+	if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
+		packet_disconnect("Hash's MIC didn't verify");
+
+	free(msg_tok.value);
+
+	/* save session id */
+	if (kex->session_id == NULL) {
+		kex->session_id_len = hashlen;
+		kex->session_id = xmalloc(kex->session_id_len);
+		memcpy(kex->session_id, hash, kex->session_id_len);
+	}
+
+	if (kex->gss_deleg_creds)
+		ssh_gssapi_credentials_updated(ctxt);
+
+	if (gss_kex_context == NULL)
+		gss_kex_context = ctxt;
+	else
+		ssh_gssapi_delete_ctx(&ctxt);
+
+	/* Finally derive the keys and send them */
+	switch (kex->kex_type) {
+	case KEX_GSS_NISTP256_SHA256:
+		if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) != 0)
+			goto out;
+		break;
+	case KEX_GSS_C25519_SHA256:
+		if ((r = kex_derive_keys(ssh, hash, hashlen, c25519_shared_secret)) != 0)
+			goto out;
+		break;
+	default:
+		fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
+	}
+	r = kex_send_newkeys(ssh);
+out:
+	free(serverhostkey);
+	explicit_bzero(hash, sizeof(hash));
+	sshbuf_free(Q_C);
+	if (server_pub)
+		free(server_pub);
+	switch (kex->kex_type) {
+	case KEX_GSS_NISTP256_SHA256:
+		if (kex->ec_client_key) {
+			EC_KEY_free(kex->ec_client_key);
+			kex->ec_client_key = NULL;
+		}
+		if (server_public)
+			EC_POINT_clear_free(server_public);
+		if (kbuf) {
+			explicit_bzero(kbuf, klen);
+			free(kbuf);
+		}
+		if (shared_secret)
+			BN_clear_free(shared_secret);
+		break;
+	case KEX_GSS_C25519_SHA256:
+		explicit_bzero(kex->c25519_client_key, sizeof(kex->c25519_client_key));
+		sshbuf_free(c25519_shared_secret);
+		break;
+	}
+	return r;
+}
 #endif /* GSSAPI */
diff --git a/kexgsss.c b/kexgsss.c
index b7da8823..a7c42803 100644
--- a/kexgsss.c
+++ b/kexgsss.c
@@ -46,6 +46,7 @@
 #include "servconf.h"
 #include "ssh-gss.h"
 #include "digest.h"
+#include "ssherr.h"
 
 extern ServerOptions options;
 
@@ -303,4 +304,338 @@ kexgss_server(struct ssh *ssh)
 		ssh_gssapi_rekey_creds();
 	return 0;
 }
+
+int
+kexecgss_server(struct ssh *ssh)
+{
+	OM_uint32 maj_status, min_status;
+
+	/*
+	 * Some GSSAPI implementations use the input value of ret_flags (an
+	 * output variable) as a means of triggering mechanism specific
+	 * features. Initializing it to zero avoids inadvertently
+	 * activating this non-standard behaviour.
+	 */
+
+	OM_uint32 ret_flags = 0;
+	gss_buffer_desc gssbuf, recv_tok, msg_tok;
+	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
+	Gssctxt *ctxt = NULL;
+	u_int slen, klen = 0;
+	u_char *kbuf = NULL;
+	BIGNUM *shared_secret = NULL;
+	int type = 0;
+	gss_OID oid;
+	char *mechs;
+	u_char hash[SSH_DIGEST_MAX_LENGTH];
+	size_t hashlen;
+	u_char *client_pub = NULL;
+	u_int client_pub_len = 0;
+	const EC_GROUP *group = NULL;
+	EC_POINT *client_public = NULL;
+	EC_KEY *server_key = NULL;
+	const EC_POINT *public_key;
+	u_char c25519_server_key[CURVE25519_SIZE];
+	u_char c25519_server_pubkey[CURVE25519_SIZE];
+	struct sshbuf *c25519_shared_secret = NULL;
+	struct sshbuf *Q_S;
+	struct kex *kex = ssh->kex;
+	int r;
+
+	/* Initialise GSSAPI */
+
+	/* If we're rekeying, privsep means that some of the private structures
+	 * in the GSSAPI code are no longer available. This kludges them back
+	 * into life
+	 */
+	if (!ssh_gssapi_oid_table_ok())
+		if ((mechs = ssh_gssapi_server_mechanisms()))
+			free(mechs);
+
+	debug2("%s: Identifying %s", __func__, kex->name);
+	oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
+	if (oid == GSS_C_NO_OID)
+	   fatal("Unknown gssapi mechanism");
+
+	debug2("%s: Acquiring credentials", __func__);
+
+	if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
+		fatal("Unable to acquire credentials for the server");
+
+	if ((Q_S = sshbuf_new()) == NULL) {
+		r = SSH_ERR_ALLOC_FAIL;
+		goto out;
+	}
+
+	/* 5. S generates an ephemeral key pair (do the allocations early) */
+	switch (kex->kex_type) {
+	case KEX_GSS_NISTP256_SHA256:
+		if ((server_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) {
+			r = SSH_ERR_ALLOC_FAIL;
+			goto out;
+		}
+		if (EC_KEY_generate_key(server_key) != 1) {
+			r = SSH_ERR_LIBCRYPTO_ERROR;
+			goto out;
+		}
+		group = EC_KEY_get0_group(server_key);
+		public_key = EC_KEY_get0_public_key(server_key);
+
+		sshbuf_put_ec(Q_S, public_key, group);
+		break;
+	case KEX_GSS_C25519_SHA256:
+		kexc25519_keygen(c25519_server_key, c25519_server_pubkey);
+#ifdef DEBUG_KEXECDH
+		dump_digest("server private key:", c25519_server_key,
+		    sizeof(c25519_server_key));
+#endif
+		if ((r = sshbuf_put_string(Q_S, c25519_server_pubkey,
+		    sizeof(c25519_server_pubkey))) != 0)
+			fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		break;
+	default:
+		fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
+	}
+
+	do {
+		debug("Wait SSH2_MSG_GSSAPI_INIT");
+		type = packet_read();
+		switch(type) {
+		case SSH2_MSG_KEXGSS_INIT:
+			if (client_pub != NULL)
+				fatal("Received KEXGSS_INIT after initialising");
+			recv_tok.value = packet_get_string(&slen);
+			recv_tok.length = slen;
+
+			client_pub = packet_get_string(&client_pub_len);
+
+			/* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */
+			break;
+		case SSH2_MSG_KEXGSS_CONTINUE:
+			recv_tok.value = packet_get_string(&slen);
+			recv_tok.length = slen;
+			break;
+		default:
+			packet_disconnect(
+			    "Protocol error: didn't expect packet type %d",
+			    type);
+		}
+
+		maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok,
+		    &send_tok, &ret_flags));
+
+		free(recv_tok.value);
+
+		if (maj_status != GSS_S_COMPLETE && send_tok.length == 0)
+			fatal("Zero length token output when incomplete");
+
+		if (client_pub == NULL)
+			fatal("No client public key");
+
+		if (maj_status & GSS_S_CONTINUE_NEEDED) {
+			debug("Sending GSSAPI_CONTINUE");
+			packet_start(SSH2_MSG_KEXGSS_CONTINUE);
+			packet_put_string(send_tok.value, send_tok.length);
+			packet_send();
+			gss_release_buffer(&min_status, &send_tok);
+		}
+	} while (maj_status & GSS_S_CONTINUE_NEEDED);
+
+	if (GSS_ERROR(maj_status)) {
+		if (send_tok.length > 0) {
+			packet_start(SSH2_MSG_KEXGSS_CONTINUE);
+			packet_put_string(send_tok.value, send_tok.length);
+			packet_send();
+		}
+		fatal("accept_ctx died");
+	}
+
+	if (!(ret_flags & GSS_C_MUTUAL_FLAG))
+		fatal("Mutual Authentication flag wasn't set");
+
+	if (!(ret_flags & GSS_C_INTEG_FLAG))
+		fatal("Integrity flag wasn't set");
+
+	/* 3. S verifies that the (client) key is valid */
+	/* calculate shared secret */
+	switch (kex->kex_type) {
+	case KEX_GSS_NISTP256_SHA256:
+		if (client_pub_len != 65)
+			fatal("The received NIST-P256 key did not match"
+			    "expected length (expected 65, got %d)", client_pub_len);
+
+		if (client_pub[0] != POINT_CONVERSION_UNCOMPRESSED)
+			fatal("The received NIST-P256 key does not have first octet 0x04");
+
+		if ((client_public = EC_POINT_new(group)) == NULL) {
+			r = SSH_ERR_ALLOC_FAIL;
+			goto out;
+		}
+
+		if (!EC_POINT_oct2point(group, client_public, client_pub,
+		    client_pub_len, NULL))
+			fatal("Can not decode received NIST-P256 client key");
+
+		if (sshkey_ec_validate_public(group, client_public) != 0) {
+			sshpkt_disconnect(ssh, "invalid client public key");
+			r = SSH_ERR_MESSAGE_INCOMPLETE;
+			goto out;
+		}
+
+		if (!EC_POINT_is_on_curve(group, client_public, NULL))
+			fatal("Received NIST-P256 client key is not on curve");
+
+		/* Calculate shared_secret */
+		klen = (EC_GROUP_get_degree(group) + 7) / 8;
+		if ((kbuf = malloc(klen)) == NULL ||
+		    (shared_secret = BN_new()) == NULL) {
+			r = SSH_ERR_ALLOC_FAIL;
+			goto out;
+		}
+		if (ECDH_compute_key(kbuf, klen, client_public,
+		    server_key, NULL) != (int)klen ||
+		    BN_bin2bn(kbuf, klen, shared_secret) == NULL) {
+			r = SSH_ERR_LIBCRYPTO_ERROR;
+			goto out;
+		}
+		break;
+	case KEX_GSS_C25519_SHA256:
+		if (client_pub_len != 32)
+			fatal("The received curve25519 key did not match"
+			    "expected length (expected 32, got %d)", client_pub_len);
+
+		if (client_pub[client_pub_len-1] & 0x80)
+			fatal("The received key has MSB of last octet set!");
+
+		/* generate shared secret */
+		if ((c25519_shared_secret = sshbuf_new()) == NULL) {
+			r = SSH_ERR_ALLOC_FAIL;
+			goto out;
+		}
+		if ((r = kexc25519_shared_key(c25519_server_key,
+		    client_pub, c25519_shared_secret)) < 0)
+			goto out;
+
+		/* if all octets of the shared secret are zero octets,
+		 * is already checked in kexc25519_shared_key() */
+		break;
+	default:
+		fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
+	}
+
+	hashlen = sizeof(hash);
+	switch (kex->kex_type) {
+	case KEX_GSS_NISTP256_SHA256:
+		kex_ecdh_hash(
+		    kex->hash_alg,
+		    group,
+		    kex->client_version_string,
+		    kex->server_version_string,
+		    sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
+		    sshbuf_ptr(kex->my), sshbuf_len(kex->my),
+		    NULL, 0,
+		    client_public,
+		    EC_KEY_get0_public_key(server_key),
+		    shared_secret,
+		    hash, &hashlen
+		);
+		break;
+	case KEX_GSS_C25519_SHA256:
+		kex_c25519_hash(
+		    kex->hash_alg,
+		    kex->client_version_string, kex->server_version_string,
+		    sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
+		    sshbuf_ptr(kex->my), sshbuf_len(kex->my),
+		    NULL, 0,
+		    client_pub, c25519_server_pubkey,
+		    sshbuf_ptr(c25519_shared_secret), sshbuf_len(c25519_shared_secret),
+		    hash, &hashlen
+		);
+		break;
+	default:
+		fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
+	}
+
+	if (kex->session_id == NULL) {
+		kex->session_id_len = hashlen;
+		kex->session_id = xmalloc(kex->session_id_len);
+		memcpy(kex->session_id, hash, kex->session_id_len);
+	}
+
+	gssbuf.value = hash;
+	gssbuf.length = hashlen;
+
+	if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt,&gssbuf,&msg_tok))))
+		fatal("Couldn't get MIC");
+
+	packet_start(SSH2_MSG_KEXGSS_COMPLETE);
+	{
+		const u_char *ptr;
+		size_t len;
+		if ((r = sshbuf_get_string_direct(Q_S, &ptr, &len)) != 0)
+			fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		packet_put_string(ptr, len);
+	}
+	packet_put_string(msg_tok.value, msg_tok.length);
+
+	if (send_tok.length != 0) {
+		packet_put_char(1); /* true */
+		packet_put_string(send_tok.value, send_tok.length);
+	} else {
+		packet_put_char(0); /* false */
+	}
+	packet_send();
+
+	gss_release_buffer(&min_status, &send_tok);
+	gss_release_buffer(&min_status, &msg_tok);
+
+	if (gss_kex_context == NULL)
+		gss_kex_context = ctxt;
+	else
+		ssh_gssapi_delete_ctx(&ctxt);
+
+	/* Finally derive the keys and send them */
+	switch (kex->kex_type) {
+	case KEX_GSS_NISTP256_SHA256:
+		if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) != 0)
+			goto out;
+		break;
+	case KEX_GSS_C25519_SHA256:
+		if ((r = kex_derive_keys(ssh, hash, hashlen, c25519_shared_secret)) != 0)
+			goto out;
+		break;
+	default:
+		fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
+	}
+	if ((r = kex_send_newkeys(ssh)) != 0)
+		goto out;
+
+	/* If this was a rekey, then save out any delegated credentials we
+	 * just exchanged.  */
+	if (options.gss_store_rekey)
+		ssh_gssapi_rekey_creds();
+out:
+	explicit_bzero(hash, sizeof(hash));
+	if (Q_S)
+		sshbuf_free(Q_S);
+	if (client_pub)
+		free(client_pub);
+	switch (kex->kex_type) {
+	case KEX_GSS_NISTP256_SHA256:
+		if (server_key)
+			EC_KEY_free(server_key);
+		if (kbuf) {
+			explicit_bzero(kbuf, klen);
+			free(kbuf);
+		}
+		if (shared_secret)
+			BN_clear_free(shared_secret);
+		break;
+	case KEX_GSS_C25519_SHA256:
+		explicit_bzero(c25519_server_key, sizeof(c25519_server_key));
+		sshbuf_free(c25519_shared_secret);
+		break;
+	}
+	return r;
+}
 #endif /* GSSAPI */
diff --git a/monitor.c b/monitor.c
index d6bc7ac7..b11616c8 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1651,6 +1651,8 @@ monitor_apply_keystate(struct monitor *pmonitor)
 		kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server;
 		kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server;
 		kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
+		kex->kex[KEX_GSS_NISTP256_SHA256] = kexecgss_server;
+		kex->kex[KEX_GSS_C25519_SHA256] = kexecgss_server;
 	}
 #endif
 		kex->load_host_public_key=&get_hostkey_public_by_type;
@@ -1867,7 +1869,8 @@ mm_answer_gss_sign(int socket, Buffer *m)
 
 	if ((r = sshbuf_get_string(m, (u_char **)&data.value, &data.length)) != 0)
 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
-	if (data.length != 20) 
+	/* Lengths of SHA-1, SHA-256 and SHA-512 hashes that are used */
+	if (data.length != 20 && data.length != 32 && data.length != 64)
 		fatal("%s: data length incorrect: %d", __func__, 
 		    (int) data.length);
 
diff --git a/regress/kextype.sh b/regress/kextype.sh
index 45f4f16d..d5b4a713 100644
--- a/regress/kextype.sh
+++ b/regress/kextype.sh
@@ -15,6 +15,7 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/sshd_proxy
 tries="1 2 3 4"
 for k in `${SSH} -Q kex`; do
 	if [ $k = "gss-gex-sha1-" -o $k = "gss-group1-sha1-" -o \
+	    $k = "gss-nistp256-sha256-" -o $k = "gss-curve25519-sha256-" -o \
 	    $k = "gss-group14-sha1-" -o $k = "gss-group14-sha256-" -o \
 	    $k = "gss-group16-sha512-" ]; then
 		continue
diff --git a/regress/rekey.sh b/regress/rekey.sh
index a2921bef..b118c6c8 100644
--- a/regress/rekey.sh
+++ b/regress/rekey.sh
@@ -39,6 +39,7 @@ increase_datafile_size 300
 opts=""
 for i in `${SSH} -Q kex`; do
 	if [ $i = "gss-gex-sha1-" -o $i = "gss-group1-sha1-" -o \
+	    $i = "gss-nistp256-sha256-" -o $i = "gss-curve25519-sha256-" -o \
 	    $i = "gss-group14-sha1-" -o $i = "gss-group14-sha256-" -o \
 	    $i = "gss-group16-sha512-" ]; then
 		continue
@@ -62,6 +63,7 @@ if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
   for c in `${SSH} -Q cipher-auth`; do
     for kex in `${SSH} -Q kex`; do
 	if [ $kex = "gss-gex-sha1-" -o $kex = "gss-group1-sha1-" -o \
+	    $kex = "gss-nistp256-sha256-" -o $kex = "gss-curve25519-sha256-" -o \
 	    $kex = "gss-group14-sha1-" -o $kex = "gss-group14-sha256-" -o \
 	    $kex = "gss-group16-sha512-" ]; then
 		continue
diff --git a/ssh-gss.h b/ssh-gss.h
index 7bf8d75e..1f73721d 100644
--- a/ssh-gss.h
+++ b/ssh-gss.h
@@ -73,6 +73,8 @@
 #define KEX_GSS_GRP14_SHA256_ID			"gss-group14-sha256-"
 #define KEX_GSS_GRP16_SHA512_ID			"gss-group16-sha512-"
 #define KEX_GSS_GEX_SHA1_ID				"gss-gex-sha1-"
+#define KEX_GSS_NISTP256_SHA256_ID			"gss-nistp256-sha256-"
+#define KEX_GSS_C25519_SHA256_ID			"gss-curve25519-sha256-"
 
 #define        GSS_KEX_DEFAULT_KEX \
 	KEX_GSS_GEX_SHA1_ID "," \
diff --git a/ssh_config.5 b/ssh_config.5
index 3d6da510..1dc29bf1 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -762,7 +762,9 @@ gss-gex-sha1-,
 gss-group1-sha1-,
 gss-group14-sha1-,
 gss-group14-sha256-,
-gss-group16-sha512-
+gss-group16-sha512-,
+gss-nistp256-sha256-,
+gss-curve25519-sha256-
 .Ed
 .Pp
 The default is
diff --git a/sshconnect2.c b/sshconnect2.c
index 5d6b8be0..280ae5a6 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -256,6 +256,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
 		kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_client;
 		kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_client;
 		kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
+		kex->kex[KEX_GSS_NISTP256_SHA256] = kexecgss_client;
+		kex->kex[KEX_GSS_C25519_SHA256] = kexecgss_client;
 	}
 #endif
 	kex->kex[KEX_C25519_SHA256] = kexc25519_client;
diff --git a/sshd.c b/sshd.c
index e4c879a2..a35735d8 100644
--- a/sshd.c
+++ b/sshd.c
@@ -2247,6 +2247,8 @@ do_ssh2_kex(void)
 		kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server;
 		kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server;
 		kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
+		kex->kex[KEX_GSS_NISTP256_SHA256] = kexecgss_server;
+		kex->kex[KEX_GSS_C25519_SHA256] = kexecgss_server;
 	}
 #endif
 	kex->server = 1;
diff --git a/sshd_config.5 b/sshd_config.5
index 0793418b..888316bf 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -677,7 +677,9 @@ gss-gex-sha1-,
 gss-group1-sha1-,
 gss-group14-sha1-,
 gss-group14-sha256-,
-gss-group16-sha512-
+gss-group16-sha512-,
+gss-nistp256-sha256-,
+gss-curve25519-sha256-
 .Ed
 .Pp
 The default is
-- 
2.13.5


From 0431695660d5eb1dd1169d42a1624c75a92aa5d2 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 30 Aug 2017 15:30:51 +0200
Subject: [PATCH 3/3] Simplify rough edges of GSSAPI Kex

---
 gss-genr.c         | 53 +++++++++++++++++------------------------------------
 regress/kextype.sh | 10 ++++------
 regress/rekey.sh   | 20 ++++++++------------
 3 files changed, 29 insertions(+), 54 deletions(-)

diff --git a/gss-genr.c b/gss-genr.c
index 22040244..c671be31 100644
--- a/gss-genr.c
+++ b/gss-genr.c
@@ -171,47 +171,28 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
 gss_OID
 ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int kex_type) {
 	int i = 0;
-	
-	switch (kex_type) {
-	case KEX_GSS_GRP1_SHA1:
-		if (strlen(name) < sizeof(KEX_GSS_GRP1_SHA1_ID))
-			return GSS_C_NO_OID;
-		name += sizeof(KEX_GSS_GRP1_SHA1_ID) - 1;
-		break;
-	case KEX_GSS_GRP14_SHA1:
-		if (strlen(name) < sizeof(KEX_GSS_GRP14_SHA1_ID))
-			return GSS_C_NO_OID;
-		name += sizeof(KEX_GSS_GRP14_SHA1_ID) - 1;
-		break;
-	case KEX_GSS_GRP14_SHA256:
-		if (strlen(name) < sizeof(KEX_GSS_GRP14_SHA256_ID))
-			return GSS_C_NO_OID;
-		name += sizeof(KEX_GSS_GRP14_SHA256_ID) - 1;
-		break;
-	case KEX_GSS_GRP16_SHA512:
-		if (strlen(name) < sizeof(KEX_GSS_GRP16_SHA512_ID))
-			return GSS_C_NO_OID;
-		name += sizeof(KEX_GSS_GRP16_SHA512_ID) - 1;
-		break;
-	case KEX_GSS_GEX_SHA1:
-		if (strlen(name) < sizeof(KEX_GSS_GEX_SHA1_ID))
-			return GSS_C_NO_OID;
-		name += sizeof(KEX_GSS_GEX_SHA1_ID) - 1;
-		break;
-	case KEX_GSS_NISTP256_SHA256:
-		if (strlen(name) < sizeof(KEX_GSS_NISTP256_SHA256_ID))
-			return GSS_C_NO_OID;
-		name += sizeof(KEX_GSS_NISTP256_SHA256_ID) - 1;
-		break;
-	case KEX_GSS_C25519_SHA256:
-		if (strlen(name) < sizeof(KEX_GSS_C25519_SHA256_ID))
-			return GSS_C_NO_OID;
-		name += sizeof(KEX_GSS_C25519_SHA256_ID) - 1;
+
+#define SKIP_KEX_NAME(type) \
+	case type: \
+		if (strlen(name) < sizeof(type##_ID)) \
+			return GSS_C_NO_OID; \
+		name += sizeof(type##_ID) - 1; \
 		break;
+
+	switch (kex_type) {
+	SKIP_KEX_NAME(KEX_GSS_GRP1_SHA1)
+	SKIP_KEX_NAME(KEX_GSS_GRP14_SHA1)
+	SKIP_KEX_NAME(KEX_GSS_GRP14_SHA256)
+	SKIP_KEX_NAME(KEX_GSS_GRP16_SHA512)
+	SKIP_KEX_NAME(KEX_GSS_GEX_SHA1)
+	SKIP_KEX_NAME(KEX_GSS_NISTP256_SHA256)
+	SKIP_KEX_NAME(KEX_GSS_C25519_SHA256)
 	default:
 		return GSS_C_NO_OID;
 	}
 
+#undef SKIP_KEX_NAME
+
 	while (gss_enc2oid[i].encoded != NULL &&
 	    strcmp(name, gss_enc2oid[i].encoded) != 0)
 		i++;
diff --git a/regress/kextype.sh b/regress/kextype.sh
index d5b4a713..6b4af28a 100644
--- a/regress/kextype.sh
+++ b/regress/kextype.sh
@@ -14,12 +14,10 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/sshd_proxy
 
 tries="1 2 3 4"
 for k in `${SSH} -Q kex`; do
-	if [ $k = "gss-gex-sha1-" -o $k = "gss-group1-sha1-" -o \
-	    $k = "gss-nistp256-sha256-" -o $k = "gss-curve25519-sha256-" -o \
-	    $k = "gss-group14-sha1-" -o $k = "gss-group14-sha256-" -o \
-	    $k = "gss-group16-sha512-" ]; then
-		continue
-	fi
+	# ignore GSSAPI key exchange mechanisms (all of them start with gss-)
+	case $k in
+		gss-* ) continue ;;
+	esac
 	verbose "kex $k"
 	for i in $tries; do
 		${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true
diff --git a/regress/rekey.sh b/regress/rekey.sh
index b118c6c8..d6a8742f 100644
--- a/regress/rekey.sh
+++ b/regress/rekey.sh
@@ -38,12 +38,10 @@ increase_datafile_size 300
 
 opts=""
 for i in `${SSH} -Q kex`; do
-	if [ $i = "gss-gex-sha1-" -o $i = "gss-group1-sha1-" -o \
-	    $i = "gss-nistp256-sha256-" -o $i = "gss-curve25519-sha256-" -o \
-	    $i = "gss-group14-sha1-" -o $i = "gss-group14-sha256-" -o \
-	    $i = "gss-group16-sha512-" ]; then
-		continue
-	fi
+	# ignore GSSAPI key exchange mechanisms (all of them start with gss-)
+	case $i in
+		gss-* ) continue ;;
+	esac
 	opts="$opts KexAlgorithms=$i"
 done
 for i in `${SSH} -Q cipher`; do
@@ -62,12 +60,10 @@ done
 if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
   for c in `${SSH} -Q cipher-auth`; do
     for kex in `${SSH} -Q kex`; do
-	if [ $kex = "gss-gex-sha1-" -o $kex = "gss-group1-sha1-" -o \
-	    $kex = "gss-nistp256-sha256-" -o $kex = "gss-curve25519-sha256-" -o \
-	    $kex = "gss-group14-sha1-" -o $kex = "gss-group14-sha256-" -o \
-	    $kex = "gss-group16-sha512-" ]; then
-		continue
-	fi
+	# ignore GSSAPI key exchange mechanisms (all of them start with gss-)
+	case $kex in
+		gss-* ) continue ;;
+	esac
 	verbose "client rekey $c $kex"
 	ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c
     done
-- 
2.13.5