summaryrefslogtreecommitdiffstats
path: root/debian/patches/gssapi.patch
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 08:20:06 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 08:20:06 +0000
commitd92ccc5852f34167429fdadb46294ea5527d8883 (patch)
tree9814bfc193fab03dcb43d6218721ef079ed01901 /debian/patches/gssapi.patch
parentMerging upstream version 1:9.7p1. (diff)
downloadopenssh-d92ccc5852f34167429fdadb46294ea5527d8883.tar.xz
openssh-d92ccc5852f34167429fdadb46294ea5527d8883.zip
Adding debian version 1:9.7p1-1.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches/gssapi.patch')
-rw-r--r--debian/patches/gssapi.patch117
1 files changed, 51 insertions, 66 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 0590558..b943ba7 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
-From cabc0eedcbd5c1aa3e09c56968ecdc8b47317c37 Mon Sep 17 00:00:00 2001
+From 156d561811630c66f06068ee7892b3cbf90f0d1a Mon Sep 17 00:00:00 2001
From: Simon Wilkinson <simon@sxw.org.uk>
Date: Sun, 9 Feb 2014 16:09:48 +0000
Subject: GSSAPI key exchange support
@@ -21,14 +21,14 @@ Author: Colin Watson <cjwatson@debian.org>
Author: Jakub Jelen <jjelen@redhat.com>
Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/pull/23
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
-Last-Updated: 2023-12-18
+Last-Updated: 2024-03-14
Patch-Name: gssapi.patch
---
Makefile.in | 5 +-
README.md | 36 +++
auth.c | 94 +-------
- auth2-gss.c | 56 ++++-
+ auth2-gss.c | 57 ++++-
auth2.c | 2 +
canohost.c | 91 ++++++++
canohost.h | 3 +
@@ -58,13 +58,13 @@ Patch-Name: gssapi.patch
ssh.c | 6 +-
ssh_config | 2 +
ssh_config.5 | 57 +++++
- sshconnect2.c | 156 ++++++++++++-
+ sshconnect2.c | 146 +++++++++++-
sshd.c | 62 ++++-
sshd_config | 2 +
sshd_config.5 | 30 +++
sshkey.c | 8 +-
sshkey.h | 1 +
- 39 files changed, 2772 insertions(+), 164 deletions(-)
+ 39 files changed, 2763 insertions(+), 164 deletions(-)
create mode 100644 kexgssc.c
create mode 100644 kexgsss.c
create mode 100644 ssh-null.c
@@ -256,7 +256,7 @@ index 3b380d9bb..8ccf06370 100644
* Return the canonical name of the host in the other side of the current
* connection. The host name is cached, so it is efficient to call this
diff --git a/auth2-gss.c b/auth2-gss.c
-index f72a38998..da3bf99c1 100644
+index f72a38998..c3b8e6288 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,7 +1,7 @@
@@ -337,12 +337,13 @@ index f72a38998..da3bf99c1 100644
else
logit("GSSAPI MIC check failed");
-@@ -333,6 +377,12 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
+@@ -333,6 +377,13 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
return 0;
}
+Authmethod method_gsskeyex = {
+ "gssapi-keyex",
++ NULL,
+ userauth_gsskeyex,
+ &options.gss_authentication
+};
@@ -487,7 +488,7 @@ index 26d62855a..0cadc9f18 100644
int get_peer_port(int);
char *get_local_ipaddr(int);
diff --git a/clientloop.c b/clientloop.c
-index eb4902905..1ffe685a3 100644
+index 8ec36af94..a1f94a85a 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -115,6 +115,10 @@
@@ -518,10 +519,10 @@ index eb4902905..1ffe685a3 100644
if (conn_in_ready)
client_process_net_input(ssh);
diff --git a/configure.ac b/configure.ac
-index 379cd746b..2aeab040c 100644
+index 82e8bb7c1..bb3e644fe 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -766,6 +766,30 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+@@ -774,6 +774,30 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
[Use tunnel device compatibility to OpenBSD])
AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
[Prepend the address family to IP tunnel traffic])
@@ -553,11 +554,11 @@ index 379cd746b..2aeab040c 100644
AC_CHECK_DECL([AU_IPv4], [],
AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
diff --git a/gss-genr.c b/gss-genr.c
-index 2cd695e54..9f9745b7f 100644
+index aa34b71c5..3aa14333a 100644
--- a/gss-genr.c
+++ b/gss-genr.c
@@ -1,7 +1,7 @@
- /* $OpenBSD: gss-genr.c,v 1.28 2021/01/27 10:05:28 djm Exp $ */
+ /* $OpenBSD: gss-genr.c,v 1.29 2024/02/01 02:37:33 djm Exp $ */
/*
- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@@ -849,7 +850,7 @@ index 2cd695e54..9f9745b7f 100644
+ ctx = &intctx;
/* RFC 4462 says we MUST NOT do SPNEGO */
- if (oid->length == spnego_oid.length &&
+ if (oid->length == spnego_oid.length &&
@@ -285,6 +514,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
ssh_gssapi_build_ctx(ctx);
ssh_gssapi_set_oid(*ctx, oid);
@@ -859,13 +860,13 @@ index 2cd695e54..9f9745b7f 100644
+ major = ssh_gssapi_client_identity(*ctx, client);
+
if (!GSS_ERROR(major)) {
- major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
+ major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
NULL);
@@ -294,10 +527,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
GSS_C_NO_BUFFER);
}
-- if (GSS_ERROR(major))
+- if (GSS_ERROR(major))
+ if (GSS_ERROR(major) || intctx != NULL)
ssh_gssapi_delete_ctx(ctx);
@@ -1360,7 +1361,7 @@ index 00e3d118b..162fec447 100644
/* Privileged */
diff --git a/kex.c b/kex.c
-index cbb2af596..acab53195 100644
+index 8a0f16513..e4a2362bd 100644
--- a/kex.c
+++ b/kex.c
@@ -58,12 +58,17 @@
@@ -1473,7 +1474,7 @@ index cbb2af596..acab53195 100644
/* put algorithm proposal into buffer */
int
kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
-@@ -964,6 +1021,9 @@ kex_free(struct kex *kex)
+@@ -987,6 +1044,9 @@ kex_free(struct kex *kex)
sshbuf_free(kex->session_id);
sshbuf_free(kex->initial_sig);
sshkey_free(kex->initial_hostkey);
@@ -1484,7 +1485,7 @@ index cbb2af596..acab53195 100644
free(kex->hostkey_alg);
free(kex->name);
diff --git a/kex.h b/kex.h
-index ba3a6a4ea..faee60f16 100644
+index 0caf42b50..32da837f8 100644
--- a/kex.h
+++ b/kex.h
@@ -102,6 +102,15 @@ enum kex_exchange {
@@ -3031,7 +3032,7 @@ index 0df49c25b..830fdb308 100644
#ifdef USE_PAM
diff --git a/readconf.c b/readconf.c
-index a2282b562..ef67ab20f 100644
+index 3a64a0441..91d3c0aa0 100644
--- a/readconf.c
+++ b/readconf.c
@@ -70,6 +70,7 @@
@@ -3074,7 +3075,7 @@ index a2282b562..ef67ab20f 100644
#endif
#ifdef ENABLE_PKCS11
{ "pkcs11provider", oPKCS11Provider },
-@@ -1210,10 +1225,46 @@ parse_time:
+@@ -1227,10 +1242,46 @@ parse_time:
intptr = &options->gss_authentication;
goto parse_flag;
@@ -3121,7 +3122,7 @@ index a2282b562..ef67ab20f 100644
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
-@@ -2505,7 +2556,13 @@ initialize_options(Options * options)
+@@ -2542,7 +2593,13 @@ initialize_options(Options * options)
options->fwd_opts.streamlocal_bind_unlink = -1;
options->pubkey_authentication = -1;
options->gss_authentication = -1;
@@ -3135,7 +3136,7 @@ index a2282b562..ef67ab20f 100644
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
-@@ -2668,8 +2725,18 @@ fill_default_options(Options * options)
+@@ -2705,8 +2762,18 @@ fill_default_options(Options * options)
options->pubkey_authentication = SSH_PUBKEY_AUTH_ALL;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
@@ -3154,7 +3155,7 @@ index a2282b562..ef67ab20f 100644
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
-@@ -3494,7 +3561,14 @@ dump_client_config(Options *o, const char *host)
+@@ -3533,7 +3600,14 @@ dump_client_config(Options *o, const char *host)
dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
#ifdef GSSAPI
dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
@@ -3170,7 +3171,7 @@ index a2282b562..ef67ab20f 100644
dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
diff --git a/readconf.h b/readconf.h
-index ff7180cd0..0d2ad44f9 100644
+index 9447d5d6e..f039c11bd 100644
--- a/readconf.h
+++ b/readconf.h
@@ -40,7 +40,13 @@ typedef struct {
@@ -3188,7 +3189,7 @@ index ff7180cd0..0d2ad44f9 100644
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff --git a/servconf.c b/servconf.c
-index 86c297936..940e1d50a 100644
+index 4b434909a..961cf9e45 100644
--- a/servconf.c
+++ b/servconf.c
@@ -68,6 +68,7 @@
@@ -3261,7 +3262,7 @@ index 86c297936..940e1d50a 100644
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
-@@ -1616,6 +1639,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+@@ -1618,6 +1641,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
intptr = &options->gss_authentication;
goto parse_flag;
@@ -3272,7 +3273,7 @@ index 86c297936..940e1d50a 100644
case sGssCleanupCreds:
intptr = &options->gss_cleanup_creds;
goto parse_flag;
-@@ -1624,6 +1651,22 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+@@ -1626,6 +1653,22 @@ process_server_config_line_depth(ServerOptions *options, char *line,
intptr = &options->gss_strict_acceptor;
goto parse_flag;
@@ -3295,7 +3296,7 @@ index 86c297936..940e1d50a 100644
case sPasswordAuthentication:
intptr = &options->password_authentication;
goto parse_flag;
-@@ -3058,6 +3101,10 @@ dump_config(ServerOptions *o)
+@@ -3112,6 +3155,10 @@ dump_config(ServerOptions *o)
#ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
@@ -3323,7 +3324,7 @@ index ed7b72e8e..2ce4ae0ad 100644
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
diff --git a/session.c b/session.c
-index aa342e84d..f985b8177 100644
+index c821dcd44..cbb4edac5 100644
--- a/session.c
+++ b/session.c
@@ -2687,13 +2687,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt)
@@ -3614,7 +3615,7 @@ index 936c995ba..877c3bc64 100644
(key types),
.Ar key-ca-sign
diff --git a/ssh.c b/ssh.c
-index 48d93ddf2..f50cecdbb 100644
+index 0019281f4..484a26528 100644
--- a/ssh.c
+++ b/ssh.c
@@ -827,6 +827,8 @@ main(int ac, char **av)
@@ -3651,10 +3652,10 @@ index cc5663562..16197d15d 100644
# CheckHostIP no
# AddressFamily any
diff --git a/ssh_config.5 b/ssh_config.5
-index 4bbdfefd1..7ca72aedf 100644
+index 2931d807e..8e8aeb640 100644
--- a/ssh_config.5
+++ b/ssh_config.5
-@@ -928,10 +928,67 @@ The default is
+@@ -938,10 +938,67 @@ The default is
Specifies whether user authentication based on GSSAPI is allowed.
The default is
.Cm no .
@@ -3723,7 +3724,7 @@ index 4bbdfefd1..7ca72aedf 100644
Indicates that
.Xr ssh 1
diff --git a/sshconnect2.c b/sshconnect2.c
-index fab1e36be..cb584ad27 100644
+index 745c2a051..b7c376116 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -80,8 +80,6 @@
@@ -3736,7 +3737,7 @@ index fab1e36be..cb584ad27 100644
/*
@@ -224,6 +222,11 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
- char *s, *all_key, *hkalgs = NULL;
+ char *all_key, *hkalgs = NULL;
int r, use_known_hosts_order = 0;
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
@@ -3747,7 +3748,7 @@ index fab1e36be..cb584ad27 100644
xxx_host = host;
xxx_hostaddr = hostaddr;
xxx_conn_info = cinfo;
-@@ -261,6 +264,42 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
+@@ -259,6 +262,42 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
free(hkalgs);
@@ -3790,7 +3791,7 @@ index fab1e36be..cb584ad27 100644
/* start key exchange */
if ((r = kex_setup(ssh, myproposal)) != 0)
fatal_r(r, "kex_setup");
-@@ -275,17 +314,47 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
+@@ -273,11 +312,31 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
# ifdef OPENSSL_HAS_ECC
ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client;
# endif
@@ -3821,25 +3822,9 @@ index fab1e36be..cb584ad27 100644
+#endif
+
ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &ssh->kex->done);
+ kex_proposal_free_entries(myproposal);
- /* remove ext-info from the KEX proposals for rekeying */
- free(myproposal[PROPOSAL_KEX_ALGS]);
- myproposal[PROPOSAL_KEX_ALGS] =
- compat_kex_proposal(ssh, options.kex_algorithms);
-+#if defined(GSSAPI) && defined(WITH_OPENSSL)
-+ /* repair myproposal after it was crumpled by the */
-+ /* ext-info removal above */
-+ if (gss) {
-+ orig = myproposal[PROPOSAL_KEX_ALGS];
-+ xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
-+ "%s,%s", gss, orig);
-+ free(gss);
-+ }
-+#endif
- if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0)
- fatal_r(r, "kex_prop2buf");
-
-@@ -379,6 +448,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
+@@ -370,6 +429,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
static int input_gssapi_token(int type, u_int32_t, struct ssh *);
static int input_gssapi_error(int, u_int32_t, struct ssh *);
static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
@@ -3847,7 +3832,7 @@ index fab1e36be..cb584ad27 100644
#endif
void userauth(struct ssh *, char *);
-@@ -395,6 +465,11 @@ static char *authmethods_get(void);
+@@ -386,6 +446,11 @@ static char *authmethods_get(void);
Authmethod authmethods[] = {
#ifdef GSSAPI
@@ -3859,7 +3844,7 @@ index fab1e36be..cb584ad27 100644
{"gssapi-with-mic",
userauth_gssapi,
userauth_gssapi_cleanup,
-@@ -766,12 +841,32 @@ userauth_gssapi(struct ssh *ssh)
+@@ -757,12 +822,32 @@ userauth_gssapi(struct ssh *ssh)
OM_uint32 min;
int r, ok = 0;
gss_OID mech = NULL;
@@ -3893,7 +3878,7 @@ index fab1e36be..cb584ad27 100644
/* Check to see whether the mechanism is usable before we offer it */
while (authctxt->mech_tried < authctxt->gss_supported_mechs->count &&
-@@ -780,13 +875,15 @@ userauth_gssapi(struct ssh *ssh)
+@@ -771,13 +856,15 @@ userauth_gssapi(struct ssh *ssh)
elements[authctxt->mech_tried];
/* My DER encoding requires length<128 */
if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
@@ -3910,7 +3895,7 @@ index fab1e36be..cb584ad27 100644
if (!ok || mech == NULL)
return 0;
-@@ -1020,6 +1117,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
+@@ -1011,6 +1098,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
free(lang);
return r;
}
@@ -3967,7 +3952,7 @@ index fab1e36be..cb584ad27 100644
static int
diff --git a/sshd.c b/sshd.c
-index 9cbe92293..fee5cac64 100644
+index b4f2b9742..d5c3dfe57 100644
--- a/sshd.c
+++ b/sshd.c
@@ -798,8 +798,8 @@ notify_hostkeys(struct ssh *ssh)
@@ -4074,10 +4059,10 @@ index 36894ace5..ecfe8d026 100644
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
diff --git a/sshd_config.5 b/sshd_config.5
-index 7e1a56cd0..d2f09de9b 100644
+index a0f16874f..c0c1b0d9a 100644
--- a/sshd_config.5
+++ b/sshd_config.5
-@@ -731,6 +731,11 @@ Specifies whether to automatically destroy the user's credentials cache
+@@ -739,6 +739,11 @@ Specifies whether to automatically destroy the user's credentials cache
on logout.
The default is
.Cm yes .
@@ -4089,7 +4074,7 @@ index 7e1a56cd0..d2f09de9b 100644
.It Cm GSSAPIStrictAcceptorCheck
Determines whether to be strict about the identity of the GSSAPI acceptor
a client authenticates against.
-@@ -745,6 +750,31 @@ machine's default store.
+@@ -753,6 +758,31 @@ machine's default store.
This facility is provided to assist with operation on multi homed machines.
The default is
.Cm yes .
@@ -4122,10 +4107,10 @@ index 7e1a56cd0..d2f09de9b 100644
Specifies the signature algorithms that will be accepted for hostbased
authentication as a list of comma-separated patterns.
diff --git a/sshkey.c b/sshkey.c
-index 06db9b5da..1e7810337 100644
+index d4356e72c..c7abbe298 100644
--- a/sshkey.c
+++ b/sshkey.c
-@@ -128,6 +128,9 @@ extern const struct sshkey_impl sshkey_dsa_cert_impl;
+@@ -130,6 +130,9 @@ extern const struct sshkey_impl sshkey_dsa_cert_impl;
extern const struct sshkey_impl sshkey_xmss_impl;
extern const struct sshkey_impl sshkey_xmss_cert_impl;
#endif
@@ -4135,7 +4120,7 @@ index 06db9b5da..1e7810337 100644
const struct sshkey_impl * const keyimpls[] = {
&sshkey_ed25519_impl,
-@@ -165,6 +168,9 @@ const struct sshkey_impl * const keyimpls[] = {
+@@ -169,6 +172,9 @@ const struct sshkey_impl * const keyimpls[] = {
&sshkey_xmss_impl,
&sshkey_xmss_cert_impl,
#endif
@@ -4145,7 +4130,7 @@ index 06db9b5da..1e7810337 100644
NULL
};
-@@ -320,7 +326,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
+@@ -324,7 +330,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
for (i = 0; keyimpls[i] != NULL; i++) {
impl = keyimpls[i];