From 8f4b1771ff397f5dce6ed6462c992c41e1cd2c33 Mon Sep 17 00:00:00 2001
From: Sebastian Deiss <sebastian.deiss@atos.net>
Date: Mon, 18 Sep 2017 10:24:15 +0200
Subject: Fix rekeying with GSS-API key exchange

When GSS-API key exchange is used a rekey caused a GSS-API MIC
failure and closed the transport.
This happened because the MIC of the transport session ID
(H of the initial kex) was checked against the MIC of the new H
created during rekey.
---
 tests/test_kex_gss.py | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

(limited to 'tests/test_kex_gss.py')

diff --git a/tests/test_kex_gss.py b/tests/test_kex_gss.py
index 3bf788da..af342a7c 100644
--- a/tests/test_kex_gss.py
+++ b/tests/test_kex_gss.py
@@ -93,7 +93,7 @@ class GSSKexTest(unittest.TestCase):
         server = NullServer()
         self.ts.start_server(self.event, server)
 
-    def test_1_gsskex_and_auth(self):
+    def _test_gsskex_and_auth(self, gss_host, rekey=False):
         """
         Verify that Paramiko can handle SSHv2 GSS-API / SSPI authenticated
         Diffie-Hellman Key Exchange and user authentication with the GSS-API
@@ -106,16 +106,19 @@ class GSSKexTest(unittest.TestCase):
         self.tc.get_host_keys().add('[%s]:%d' % (self.hostname, self.port),
                                     'ssh-rsa', public_host_key)
         self.tc.connect(self.hostname, self.port, username=self.username,
-                        gss_auth=True, gss_kex=True)
+                        gss_auth=True, gss_kex=True, gss_host=gss_host)
 
         self.event.wait(1.0)
         self.assert_(self.event.is_set())
         self.assert_(self.ts.is_active())
         self.assertEquals(self.username, self.ts.get_username())
         self.assertEquals(True, self.ts.is_authenticated())
+        self.assertEquals(True, self.tc.get_transport().gss_kex_used)
 
         stdin, stdout, stderr = self.tc.exec_command('yes')
         schan = self.ts.accept(1.0)
+        if rekey:
+            self.tc.get_transport().renegotiate_keys()
 
         schan.send('Hello there.\n')
         schan.send_stderr('This is on stderr.\n')
@@ -129,3 +132,17 @@ class GSSKexTest(unittest.TestCase):
         stdin.close()
         stdout.close()
         stderr.close()
+
+    def test_1_gsskex_and_auth(self):
+        """
+        Verify that Paramiko can handle SSHv2 GSS-API / SSPI authenticated
+        Diffie-Hellman Key Exchange and user authentication with the GSS-API
+        context created during key exchange.
+        """
+        self._test_gsskex_and_auth(gss_host=None)
+
+    def test_2_gsskex_and_auth_rekey(self):
+        """
+        Verify that Paramiko can rekey.
+        """
+        self._test_gsskex_and_auth(gss_host=None, rekey=True)
-- 
cgit v1.2.3