author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-13 08:20:06 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-13 08:20:06 +0000 |
commit | d92ccc5852f34167429fdadb46294ea5527d8883 (patch) | |
tree | 9814bfc193fab03dcb43d6218721ef079ed01901 /debian/patches/gssapi.patch | |
parent | Merging upstream version 1:9.7p1. (diff) | |
Adding debian version 1:9.7p1-1.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches/gssapi.patch')
-rw-r--r-- | debian/patches/gssapi.patch | 117 |
1 files changed, 51 insertions, 66 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index 0590558..b943ba7 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch @@ -1,4 +1,4 @@ -From cabc0eedcbd5c1aa3e09c56968ecdc8b47317c37 Mon Sep 17 00:00:00 2001 +From 156d561811630c66f06068ee7892b3cbf90f0d1a Mon Sep 17 00:00:00 2001 From: Simon Wilkinson <simon@sxw.org.uk> Date: Sun, 9 Feb 2014 16:09:48 +0000 Subject: GSSAPI key exchange support @@ -21,14 +21,14 @@ Author: Colin Watson <cjwatson@debian.org> Author: Jakub Jelen <jjelen@redhat.com> Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/pull/23 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 -Last-Updated: 2023-12-18 +Last-Updated: 2024-03-14 Patch-Name: gssapi.patch --- Makefile.in | 5 +- README.md | 36 +++ auth.c | 94 +------- - auth2-gss.c | 56 ++++- + auth2-gss.c | 57 ++++- auth2.c | 2 + canohost.c | 91 ++++++++ canohost.h | 3 + @@ -58,13 +58,13 @@ Patch-Name: gssapi.patch ssh.c | 6 +- ssh_config | 2 + ssh_config.5 | 57 +++++ - sshconnect2.c | 156 ++++++++++++- + sshconnect2.c | 146 +++++++++++- sshd.c | 62 ++++- sshd_config | 2 + sshd_config.5 | 30 +++ sshkey.c | 8 +- sshkey.h | 1 + - 39 files changed, 2772 insertions(+), 164 deletions(-) + 39 files changed, 2763 insertions(+), 164 deletions(-) create mode 100644 kexgssc.c create mode 100644 kexgsss.c create mode 100644 ssh-null.c @@ -256,7 +256,7 @@ index 3b380d9bb..8ccf06370 100644 * Return the canonical name of the host in the other side of the current * connection. The host name is cached, so it is efficient to call this diff --git a/auth2-gss.c b/auth2-gss.c -index f72a38998..da3bf99c1 100644 +index f72a38998..c3b8e6288 100644 --- a/auth2-gss.c +++ b/auth2-gss.c @@ -1,7 +1,7 @@ 
@@ -337,12 +337,13 @@ index f72a38998..da3bf99c1 100644 else logit("GSSAPI MIC check failed"); -@@ -333,6 +377,12 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh) +@@ -333,6 +377,13 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh) return 0; } +Authmethod method_gsskeyex = { + "gssapi-keyex", ++ NULL, + userauth_gsskeyex, + &options.gss_authentication +}; @@ -487,7 +488,7 @@ index 26d62855a..0cadc9f18 100644 int get_peer_port(int); char *get_local_ipaddr(int); diff --git a/clientloop.c b/clientloop.c -index eb4902905..1ffe685a3 100644 +index 8ec36af94..a1f94a85a 100644 --- a/clientloop.c +++ b/clientloop.c @@ -115,6 +115,10 @@ @@ -518,10 +519,10 @@ index eb4902905..1ffe685a3 100644 if (conn_in_ready) client_process_net_input(ssh); diff --git a/configure.ac b/configure.ac -index 379cd746b..2aeab040c 100644 +index 82e8bb7c1..bb3e644fe 100644 --- a/configure.ac +++ b/configure.ac -@@ -766,6 +766,30 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) +@@ -774,6 +774,30 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) [Use tunnel device compatibility to OpenBSD]) AC_DEFINE([SSH_TUN_PREPEND_AF], [1], [Prepend the address family to IP tunnel traffic]) @@ -553,11 +554,11 @@ index 379cd746b..2aeab040c 100644 AC_CHECK_DECL([AU_IPv4], [], AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) diff --git a/gss-genr.c b/gss-genr.c -index 2cd695e54..9f9745b7f 100644 +index aa34b71c5..3aa14333a 100644 --- a/gss-genr.c +++ b/gss-genr.c @@ -1,7 +1,7 @@ - /* $OpenBSD: gss-genr.c,v 1.28 2021/01/27 10:05:28 djm Exp $ */ + /* $OpenBSD: gss-genr.c,v 1.29 2024/02/01 02:37:33 djm Exp $ */ /* - * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. @@ -849,7 +850,7 @@ index 2cd695e54..9f9745b7f 100644 + ctx = &intctx; /* RFC 4462 says we MUST NOT do SPNEGO */ - if (oid->length == spnego_oid.length && + if (oid->length == spnego_oid.length && 
@@ -285,6 +514,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) ssh_gssapi_build_ctx(ctx); ssh_gssapi_set_oid(*ctx, oid); @@ -859,13 +860,13 @@ index 2cd695e54..9f9745b7f 100644 + major = ssh_gssapi_client_identity(*ctx, client); + if (!GSS_ERROR(major)) { - major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, + major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, NULL); @@ -294,10 +527,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) GSS_C_NO_BUFFER); } -- if (GSS_ERROR(major)) +- if (GSS_ERROR(major)) + if (GSS_ERROR(major) || intctx != NULL) ssh_gssapi_delete_ctx(ctx); @@ -1360,7 +1361,7 @@ index 00e3d118b..162fec447 100644 /* Privileged */ diff --git a/kex.c b/kex.c -index cbb2af596..acab53195 100644 +index 8a0f16513..e4a2362bd 100644 --- a/kex.c +++ b/kex.c @@ -58,12 +58,17 @@ @@ -1473,7 +1474,7 @@ index cbb2af596..acab53195 100644 /* put algorithm proposal into buffer */ int kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) -@@ -964,6 +1021,9 @@ kex_free(struct kex *kex) +@@ -987,6 +1044,9 @@ kex_free(struct kex *kex) sshbuf_free(kex->session_id); sshbuf_free(kex->initial_sig); sshkey_free(kex->initial_hostkey); @@ -1484,7 +1485,7 @@ index cbb2af596..acab53195 100644 free(kex->hostkey_alg); free(kex->name); diff --git a/kex.h b/kex.h -index ba3a6a4ea..faee60f16 100644 +index 0caf42b50..32da837f8 100644 --- a/kex.h +++ b/kex.h @@ -102,6 +102,15 @@ enum kex_exchange { @@ -3031,7 +3032,7 @@ index 0df49c25b..830fdb308 100644 #ifdef USE_PAM diff --git a/readconf.c b/readconf.c -index a2282b562..ef67ab20f 100644 +index 3a64a0441..91d3c0aa0 100644 --- a/readconf.c +++ b/readconf.c @@ -70,6 +70,7 @@ @@ -3074,7 +3075,7 @@ index a2282b562..ef67ab20f 100644 #endif #ifdef ENABLE_PKCS11 { "pkcs11provider", oPKCS11Provider }, -@@ -1210,10 +1225,46 @@ parse_time: +@@ -1227,10 +1242,46 @@ parse_time: intptr = &options->gss_authentication; goto parse_flag; 
@@ -3121,7 +3122,7 @@ index a2282b562..ef67ab20f 100644 case oBatchMode: intptr = &options->batch_mode; goto parse_flag; -@@ -2505,7 +2556,13 @@ initialize_options(Options * options) +@@ -2542,7 +2593,13 @@ initialize_options(Options * options) options->fwd_opts.streamlocal_bind_unlink = -1; options->pubkey_authentication = -1; options->gss_authentication = -1; @@ -3135,7 +3136,7 @@ index a2282b562..ef67ab20f 100644 options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; -@@ -2668,8 +2725,18 @@ fill_default_options(Options * options) +@@ -2705,8 +2762,18 @@ fill_default_options(Options * options) options->pubkey_authentication = SSH_PUBKEY_AUTH_ALL; if (options->gss_authentication == -1) options->gss_authentication = 0; @@ -3154,7 +3155,7 @@ index a2282b562..ef67ab20f 100644 if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -@@ -3494,7 +3561,14 @@ dump_client_config(Options *o, const char *host) +@@ -3533,7 +3600,14 @@ dump_client_config(Options *o, const char *host) dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports); #ifdef GSSAPI dump_cfg_fmtint(oGssAuthentication, o->gss_authentication); @@ -3170,7 +3171,7 @@ index a2282b562..ef67ab20f 100644 dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts); dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication); diff --git a/readconf.h b/readconf.h -index ff7180cd0..0d2ad44f9 100644 +index 9447d5d6e..f039c11bd 100644 --- a/readconf.h +++ b/readconf.h @@ -40,7 +40,13 @@ typedef struct { @@ -3188,7 +3189,7 @@ index ff7180cd0..0d2ad44f9 100644 * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ diff --git a/servconf.c b/servconf.c -index 86c297936..940e1d50a 100644 +index 4b434909a..961cf9e45 100644 --- a/servconf.c +++ b/servconf.c @@ -68,6 +68,7 @@ 
@@ -3261,7 +3262,7 @@ index 86c297936..940e1d50a 100644 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, { "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */ -@@ -1616,6 +1639,10 @@ process_server_config_line_depth(ServerOptions *options, char *line, +@@ -1618,6 +1641,10 @@ process_server_config_line_depth(ServerOptions *options, char *line, intptr = &options->gss_authentication; goto parse_flag; @@ -3272,7 +3273,7 @@ index 86c297936..940e1d50a 100644 case sGssCleanupCreds: intptr = &options->gss_cleanup_creds; goto parse_flag; -@@ -1624,6 +1651,22 @@ process_server_config_line_depth(ServerOptions *options, char *line, +@@ -1626,6 +1653,22 @@ process_server_config_line_depth(ServerOptions *options, char *line, intptr = &options->gss_strict_acceptor; goto parse_flag; @@ -3295,7 +3296,7 @@ index 86c297936..940e1d50a 100644 case sPasswordAuthentication: intptr = &options->password_authentication; goto parse_flag; -@@ -3058,6 +3101,10 @@ dump_config(ServerOptions *o) +@@ -3112,6 +3155,10 @@ dump_config(ServerOptions *o) #ifdef GSSAPI dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); @@ -3323,7 +3324,7 @@ index ed7b72e8e..2ce4ae0ad 100644 * authentication. */ int kbd_interactive_authentication; /* If true, permit */ diff --git a/session.c b/session.c -index aa342e84d..f985b8177 100644 +index c821dcd44..cbb4edac5 100644 --- a/session.c +++ b/session.c @@ -2687,13 +2687,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt) @@ -3614,7 +3615,7 @@ index 936c995ba..877c3bc64 100644 (key types), .Ar key-ca-sign diff --git a/ssh.c b/ssh.c -index 48d93ddf2..f50cecdbb 100644 +index 0019281f4..484a26528 100644 --- a/ssh.c +++ b/ssh.c @@ -827,6 +827,8 @@ main(int ac, char **av) @@ -3651,10 +3652,10 @@ index cc5663562..16197d15d 100644 # CheckHostIP no # AddressFamily any 
diff --git a/ssh_config.5 b/ssh_config.5 -index 4bbdfefd1..7ca72aedf 100644 +index 2931d807e..8e8aeb640 100644 --- a/ssh_config.5 +++ b/ssh_config.5 -@@ -928,10 +928,67 @@ The default is +@@ -938,10 +938,67 @@ The default is Specifies whether user authentication based on GSSAPI is allowed. The default is .Cm no . @@ -3723,7 +3724,7 @@ index 4bbdfefd1..7ca72aedf 100644 Indicates that .Xr ssh 1 diff --git a/sshconnect2.c b/sshconnect2.c -index fab1e36be..cb584ad27 100644 +index 745c2a051..b7c376116 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -80,8 +80,6 @@ @@ -3736,7 +3737,7 @@ index fab1e36be..cb584ad27 100644 /* @@ -224,6 +222,11 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, - char *s, *all_key, *hkalgs = NULL; + char *all_key, *hkalgs = NULL; int r, use_known_hosts_order = 0; +#if defined(GSSAPI) && defined(WITH_OPENSSL) @@ -3747,7 +3748,7 @@ index fab1e36be..cb584ad27 100644 xxx_host = host; xxx_hostaddr = hostaddr; xxx_conn_info = cinfo; -@@ -261,6 +264,42 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, +@@ -259,6 +262,42 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, free(hkalgs); @@ -3790,7 +3791,7 @@ index fab1e36be..cb584ad27 100644 /* start key exchange */ if ((r = kex_setup(ssh, myproposal)) != 0) fatal_r(r, "kex_setup"); -@@ -275,17 +314,47 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, +@@ -273,11 +312,31 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, # ifdef OPENSSL_HAS_ECC ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client; # endif 
@@ -3821,25 +3822,9 @@ index fab1e36be..cb584ad27 100644 +#endif + ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &ssh->kex->done); + kex_proposal_free_entries(myproposal); - /* remove ext-info from the KEX proposals for rekeying */ - free(myproposal[PROPOSAL_KEX_ALGS]); - myproposal[PROPOSAL_KEX_ALGS] = - compat_kex_proposal(ssh, options.kex_algorithms); -+#if defined(GSSAPI) && defined(WITH_OPENSSL) -+ /* repair myproposal after it was crumpled by the */ -+ /* ext-info removal above */ -+ if (gss) { -+ orig = myproposal[PROPOSAL_KEX_ALGS]; -+ xasprintf(&myproposal[PROPOSAL_KEX_ALGS], -+ "%s,%s", gss, orig); -+ free(gss); -+ } -+#endif - if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0) - fatal_r(r, "kex_prop2buf"); - -@@ -379,6 +448,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *); +@@ -370,6 +429,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *); static int input_gssapi_token(int type, u_int32_t, struct ssh *); static int input_gssapi_error(int, u_int32_t, struct ssh *); static int input_gssapi_errtok(int, u_int32_t, struct ssh *); @@ -3847,7 +3832,7 @@ index fab1e36be..cb584ad27 100644 #endif void userauth(struct ssh *, char *); -@@ -395,6 +465,11 @@ static char *authmethods_get(void); +@@ -386,6 +446,11 @@ static char *authmethods_get(void); Authmethod authmethods[] = { #ifdef GSSAPI @@ -3859,7 +3844,7 @@ index fab1e36be..cb584ad27 100644 {"gssapi-with-mic", userauth_gssapi, userauth_gssapi_cleanup, -@@ -766,12 +841,32 @@ userauth_gssapi(struct ssh *ssh) +@@ -757,12 +822,32 @@ userauth_gssapi(struct ssh *ssh) OM_uint32 min; int r, ok = 0; gss_OID mech = NULL; 
@@ -3893,7 +3878,7 @@ index fab1e36be..cb584ad27 100644 /* Check to see whether the mechanism is usable before we offer it */ while (authctxt->mech_tried < authctxt->gss_supported_mechs->count && -@@ -780,13 +875,15 @@ userauth_gssapi(struct ssh *ssh) +@@ -771,13 +856,15 @@ userauth_gssapi(struct ssh *ssh) elements[authctxt->mech_tried]; /* My DER encoding requires length<128 */ if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt, @@ -3910,7 +3895,7 @@ index fab1e36be..cb584ad27 100644 if (!ok || mech == NULL) return 0; -@@ -1020,6 +1117,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh) +@@ -1011,6 +1098,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh) free(lang); return r; } @@ -3967,7 +3952,7 @@ index fab1e36be..cb584ad27 100644 static int diff --git a/sshd.c b/sshd.c -index 9cbe92293..fee5cac64 100644 +index b4f2b9742..d5c3dfe57 100644 --- a/sshd.c +++ b/sshd.c @@ -798,8 +798,8 @@ notify_hostkeys(struct ssh *ssh) @@ -4074,10 +4059,10 @@ index 36894ace5..ecfe8d026 100644 # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will diff --git a/sshd_config.5 b/sshd_config.5 -index 7e1a56cd0..d2f09de9b 100644 +index a0f16874f..c0c1b0d9a 100644 --- a/sshd_config.5 +++ b/sshd_config.5 -@@ -731,6 +731,11 @@ Specifies whether to automatically destroy the user's credentials cache +@@ -739,6 +739,11 @@ Specifies whether to automatically destroy the user's credentials cache on logout. The default is .Cm yes . @@ -4089,7 +4074,7 @@ index 7e1a56cd0..d2f09de9b 100644 .It Cm GSSAPIStrictAcceptorCheck Determines whether to be strict about the identity of the GSSAPI acceptor a client authenticates against. -@@ -745,6 +750,31 @@ machine's default store. +@@ -753,6 +758,31 @@ machine's default store. This facility is provided to assist with operation on multi homed machines. The default is .Cm yes . 
@@ -4122,10 +4107,10 @@ index 7e1a56cd0..d2f09de9b 100644 Specifies the signature algorithms that will be accepted for hostbased authentication as a list of comma-separated patterns. diff --git a/sshkey.c b/sshkey.c -index 06db9b5da..1e7810337 100644 +index d4356e72c..c7abbe298 100644 --- a/sshkey.c +++ b/sshkey.c -@@ -128,6 +128,9 @@ extern const struct sshkey_impl sshkey_dsa_cert_impl; +@@ -130,6 +130,9 @@ extern const struct sshkey_impl sshkey_dsa_cert_impl; extern const struct sshkey_impl sshkey_xmss_impl; extern const struct sshkey_impl sshkey_xmss_cert_impl; #endif @@ -4135,7 +4120,7 @@ index 06db9b5da..1e7810337 100644 const struct sshkey_impl * const keyimpls[] = { &sshkey_ed25519_impl, -@@ -165,6 +168,9 @@ const struct sshkey_impl * const keyimpls[] = { +@@ -169,6 +172,9 @@ const struct sshkey_impl * const keyimpls[] = { &sshkey_xmss_impl, &sshkey_xmss_cert_impl, #endif @@ -4145,7 +4130,7 @@ index 06db9b5da..1e7810337 100644 NULL }; -@@ -320,7 +326,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) +@@ -324,7 +330,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) for (i = 0; keyimpls[i] != NULL; i++) { impl = keyimpls[i]; |
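Review bot: The refreshed `Authmethod method_gsskeyex` initializer in the auth2-gss.c hunk inserts a bare `NULL` positionally between `"gssapi-keyex"` and `userauth_gsskeyex`, so the entry now tracks the exact field order of upstream's `Authmethod` and the next field insertion would misalign it silently instead of failing to compile; a designated initializer, `Authmethod method_gsskeyex = { .name = "gssapi-keyex", .userauth = userauth_gsskeyex, .enabled = &options.gss_authentication };`, pins each value to its field and leaves the new one zero-initialized. The hunk does not show which upstream field the `NULL` fills, so the field names should be checked against auth.h before adopting this. Separately, the sshconnect2.c hunk around `kex_proposal_free_entries(myproposal);` drops the block that re-prepended the GSS KEX algorithm names held in `gss` to `myproposal[PROPOSAL_KEX_ALGS]` after the ext-info removal for rekeying; presumably upstream now rebuilds the rekey proposal elsewhere, but it is worth confirming that the GSS algorithms still appear in it, since otherwise a session opened with a GSS key exchange would rekey without them. `ssh_kex2` and the other functions touched by these hunks begin and end outside the hunks.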