Diffstat (limited to 'debian/patches/gssapi.patch')
-rw-r--r--debian/patches/gssapi.patch117
1 files changed, 51 insertions, 66 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 0590558..b943ba7 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
-From cabc0eedcbd5c1aa3e09c56968ecdc8b47317c37 Mon Sep 17 00:00:00 2001
+From 156d561811630c66f06068ee7892b3cbf90f0d1a Mon Sep 17 00:00:00 2001
From: Simon Wilkinson <simon@sxw.org.uk>
Date: Sun, 9 Feb 2014 16:09:48 +0000
Subject: GSSAPI key exchange support
@@ -21,14 +21,14 @@ Author: Colin Watson <cjwatson@debian.org>
Author: Jakub Jelen <jjelen@redhat.com>
Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/pull/23
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
-Last-Updated: 2023-12-18
+Last-Updated: 2024-03-14
Patch-Name: gssapi.patch
---
Makefile.in | 5 +-
README.md | 36 +++
auth.c | 94 +-------
- auth2-gss.c | 56 ++++-
+ auth2-gss.c | 57 ++++-
auth2.c | 2 +
canohost.c | 91 ++++++++
canohost.h | 3 +
@@ -58,13 +58,13 @@ Patch-Name: gssapi.patch
ssh.c | 6 +-
ssh_config | 2 +
ssh_config.5 | 57 +++++
- sshconnect2.c | 156 ++++++++++++-
+ sshconnect2.c | 146 +++++++++++-
sshd.c | 62 ++++-
sshd_config | 2 +
sshd_config.5 | 30 +++
sshkey.c | 8 +-
sshkey.h | 1 +
- 39 files changed, 2772 insertions(+), 164 deletions(-)
+ 39 files changed, 2763 insertions(+), 164 deletions(-)
create mode 100644 kexgssc.c
create mode 100644 kexgsss.c
create mode 100644 ssh-null.c
@@ -256,7 +256,7 @@ index 3b380d9bb..8ccf06370 100644
* Return the canonical name of the host in the other side of the current
* connection. The host name is cached, so it is efficient to call this
diff --git a/auth2-gss.c b/auth2-gss.c
-index f72a38998..da3bf99c1 100644
+index f72a38998..c3b8e6288 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,7 +1,7 @@
@@ -337,12 +337,13 @@ index f72a38998..da3bf99c1 100644
else
logit("GSSAPI MIC check failed");
-@@ -333,6 +377,12 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
+@@ -333,6 +377,13 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
return 0;
}
+Authmethod method_gsskeyex = {
+ "gssapi-keyex",
++ NULL,
+ userauth_gsskeyex,
+ &options.gss_authentication
+};
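Review bot: The `NULL` added as the second initializer of `method_gsskeyex` carries no comment saying which `Authmethod` member it fills, and because the initializer is positional a future reordering of the upstream struct would silently shift `userauth_gsskeyex` and `&options.gss_authentication` into the wrong slots (NULL is a valid value for both a `char *` and a function pointer). It presumably mirrors a second member upstream inserted after `name` in `Authmethod`; I would annotate the line in the patch, `++	NULL,	/* <name of the second Authmethod member> */`, or write the patch's own initializer in designated form, `.name = "gssapi-keyex", .userauth = userauth_gsskeyex, .enabled = &options.gss_authentication`, which needs no positional placeholder and survives field reordering. The enclosing auth2-gss.c hunk of the inner patch continues outside this hunk.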
@@ -487,7 +488,7 @@ index 26d62855a..0cadc9f18 100644
int get_peer_port(int);
char *get_local_ipaddr(int);
diff --git a/clientloop.c b/clientloop.c
-index eb4902905..1ffe685a3 100644
+index 8ec36af94..a1f94a85a 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -115,6 +115,10 @@
@@ -518,10 +519,10 @@ index eb4902905..1ffe685a3 100644
if (conn_in_ready)
client_process_net_input(ssh);
diff --git a/configure.ac b/configure.ac
-index 379cd746b..2aeab040c 100644
+index 82e8bb7c1..bb3e644fe 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -766,6 +766,30 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+@@ -774,6 +774,30 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
[Use tunnel device compatibility to OpenBSD])
AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
[Prepend the address family to IP tunnel traffic])
@@ -553,11 +554,11 @@ index 379cd746b..2aeab040c 100644
AC_CHECK_DECL([AU_IPv4], [],
AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
diff --git a/gss-genr.c b/gss-genr.c
-index 2cd695e54..9f9745b7f 100644
+index aa34b71c5..3aa14333a 100644
--- a/gss-genr.c
+++ b/gss-genr.c
@@ -1,7 +1,7 @@
- /* $OpenBSD: gss-genr.c,v 1.28 2021/01/27 10:05:28 djm Exp $ */
+ /* $OpenBSD: gss-genr.c,v 1.29 2024/02/01 02:37:33 djm Exp $ */
/*
- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@@ -849,7 +850,7 @@ index 2cd695e54..9f9745b7f 100644
+ ctx = &intctx;
/* RFC 4462 says we MUST NOT do SPNEGO */
- if (oid->length == spnego_oid.length &&
+ if (oid->length == spnego_oid.length &&
@@ -285,6 +514,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
ssh_gssapi_build_ctx(ctx);
ssh_gssapi_set_oid(*ctx, oid);
@@ -859,13 +860,13 @@ index 2cd695e54..9f9745b7f 100644
+ major = ssh_gssapi_client_identity(*ctx, client);
+
if (!GSS_ERROR(major)) {
- major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
+ major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
NULL);
@@ -294,10 +527,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
GSS_C_NO_BUFFER);
}
-- if (GSS_ERROR(major))
+- if (GSS_ERROR(major))
+ if (GSS_ERROR(major) || intctx != NULL)
ssh_gssapi_delete_ctx(ctx);
@@ -1360,7 +1361,7 @@ index 00e3d118b..162fec447 100644
/* Privileged */
diff --git a/kex.c b/kex.c
-index cbb2af596..acab53195 100644
+index 8a0f16513..e4a2362bd 100644
--- a/kex.c
+++ b/kex.c
@@ -58,12 +58,17 @@
@@ -1473,7 +1474,7 @@ index cbb2af596..acab53195 100644
/* put algorithm proposal into buffer */
int
kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
-@@ -964,6 +1021,9 @@ kex_free(struct kex *kex)
+@@ -987,6 +1044,9 @@ kex_free(struct kex *kex)
sshbuf_free(kex->session_id);
sshbuf_free(kex->initial_sig);
sshkey_free(kex->initial_hostkey);
@@ -1484,7 +1485,7 @@ index cbb2af596..acab53195 100644
free(kex->hostkey_alg);
free(kex->name);
diff --git a/kex.h b/kex.h
-index ba3a6a4ea..faee60f16 100644
+index 0caf42b50..32da837f8 100644
--- a/kex.h
+++ b/kex.h
@@ -102,6 +102,15 @@ enum kex_exchange {
@@ -3031,7 +3032,7 @@ index 0df49c25b..830fdb308 100644
#ifdef USE_PAM
diff --git a/readconf.c b/readconf.c
-index a2282b562..ef67ab20f 100644
+index 3a64a0441..91d3c0aa0 100644
--- a/readconf.c
+++ b/readconf.c
@@ -70,6 +70,7 @@
@@ -3074,7 +3075,7 @@ index a2282b562..ef67ab20f 100644
#endif
#ifdef ENABLE_PKCS11
{ "pkcs11provider", oPKCS11Provider },
-@@ -1210,10 +1225,46 @@ parse_time:
+@@ -1227,10 +1242,46 @@ parse_time:
intptr = &options->gss_authentication;
goto parse_flag;
@@ -3121,7 +3122,7 @@ index a2282b562..ef67ab20f 100644
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
-@@ -2505,7 +2556,13 @@ initialize_options(Options * options)
+@@ -2542,7 +2593,13 @@ initialize_options(Options * options)
options->fwd_opts.streamlocal_bind_unlink = -1;
options->pubkey_authentication = -1;
options->gss_authentication = -1;
@@ -3135,7 +3136,7 @@ index a2282b562..ef67ab20f 100644
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
-@@ -2668,8 +2725,18 @@ fill_default_options(Options * options)
+@@ -2705,8 +2762,18 @@ fill_default_options(Options * options)
options->pubkey_authentication = SSH_PUBKEY_AUTH_ALL;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
@@ -3154,7 +3155,7 @@ index a2282b562..ef67ab20f 100644
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
-@@ -3494,7 +3561,14 @@ dump_client_config(Options *o, const char *host)
+@@ -3533,7 +3600,14 @@ dump_client_config(Options *o, const char *host)
dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
#ifdef GSSAPI
dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
@@ -3170,7 +3171,7 @@ index a2282b562..ef67ab20f 100644
dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
diff --git a/readconf.h b/readconf.h
-index ff7180cd0..0d2ad44f9 100644
+index 9447d5d6e..f039c11bd 100644
--- a/readconf.h
+++ b/readconf.h
@@ -40,7 +40,13 @@ typedef struct {
@@ -3188,7 +3189,7 @@ index ff7180cd0..0d2ad44f9 100644
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff --git a/servconf.c b/servconf.c
-index 86c297936..940e1d50a 100644
+index 4b434909a..961cf9e45 100644
--- a/servconf.c
+++ b/servconf.c
@@ -68,6 +68,7 @@
@@ -3261,7 +3262,7 @@ index 86c297936..940e1d50a 100644
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
-@@ -1616,6 +1639,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+@@ -1618,6 +1641,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
intptr = &options->gss_authentication;
goto parse_flag;
@@ -3272,7 +3273,7 @@ index 86c297936..940e1d50a 100644
case sGssCleanupCreds:
intptr = &options->gss_cleanup_creds;
goto parse_flag;
-@@ -1624,6 +1651,22 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+@@ -1626,6 +1653,22 @@ process_server_config_line_depth(ServerOptions *options, char *line,
intptr = &options->gss_strict_acceptor;
goto parse_flag;
@@ -3295,7 +3296,7 @@ index 86c297936..940e1d50a 100644
case sPasswordAuthentication:
intptr = &options->password_authentication;
goto parse_flag;
-@@ -3058,6 +3101,10 @@ dump_config(ServerOptions *o)
+@@ -3112,6 +3155,10 @@ dump_config(ServerOptions *o)
#ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
@@ -3323,7 +3324,7 @@ index ed7b72e8e..2ce4ae0ad 100644
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
diff --git a/session.c b/session.c
-index aa342e84d..f985b8177 100644
+index c821dcd44..cbb4edac5 100644
--- a/session.c
+++ b/session.c
@@ -2687,13 +2687,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt)
@@ -3614,7 +3615,7 @@ index 936c995ba..877c3bc64 100644
(key types),
.Ar key-ca-sign
diff --git a/ssh.c b/ssh.c
-index 48d93ddf2..f50cecdbb 100644
+index 0019281f4..484a26528 100644
--- a/ssh.c
+++ b/ssh.c
@@ -827,6 +827,8 @@ main(int ac, char **av)
@@ -3651,10 +3652,10 @@ index cc5663562..16197d15d 100644
# CheckHostIP no
# AddressFamily any
diff --git a/ssh_config.5 b/ssh_config.5
-index 4bbdfefd1..7ca72aedf 100644
+index 2931d807e..8e8aeb640 100644
--- a/ssh_config.5
+++ b/ssh_config.5
-@@ -928,10 +928,67 @@ The default is
+@@ -938,10 +938,67 @@ The default is
Specifies whether user authentication based on GSSAPI is allowed.
The default is
.Cm no .
@@ -3723,7 +3724,7 @@ index 4bbdfefd1..7ca72aedf 100644
Indicates that
.Xr ssh 1
diff --git a/sshconnect2.c b/sshconnect2.c
-index fab1e36be..cb584ad27 100644
+index 745c2a051..b7c376116 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -80,8 +80,6 @@
@@ -3736,7 +3737,7 @@ index fab1e36be..cb584ad27 100644
/*
@@ -224,6 +222,11 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
- char *s, *all_key, *hkalgs = NULL;
+ char *all_key, *hkalgs = NULL;
int r, use_known_hosts_order = 0;
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
@@ -3747,7 +3748,7 @@ index fab1e36be..cb584ad27 100644
xxx_host = host;
xxx_hostaddr = hostaddr;
xxx_conn_info = cinfo;
-@@ -261,6 +264,42 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
+@@ -259,6 +262,42 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
free(hkalgs);
@@ -3790,7 +3791,7 @@ index fab1e36be..cb584ad27 100644
/* start key exchange */
if ((r = kex_setup(ssh, myproposal)) != 0)
fatal_r(r, "kex_setup");
-@@ -275,17 +314,47 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
+@@ -273,11 +312,31 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
# ifdef OPENSSL_HAS_ECC
ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client;
# endif
@@ -3821,25 +3822,9 @@ index fab1e36be..cb584ad27 100644
+#endif
+
ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &ssh->kex->done);
+ kex_proposal_free_entries(myproposal);
- /* remove ext-info from the KEX proposals for rekeying */
- free(myproposal[PROPOSAL_KEX_ALGS]);
- myproposal[PROPOSAL_KEX_ALGS] =
- compat_kex_proposal(ssh, options.kex_algorithms);
-+#if defined(GSSAPI) && defined(WITH_OPENSSL)
-+ /* repair myproposal after it was crumpled by the */
-+ /* ext-info removal above */
-+ if (gss) {
-+ orig = myproposal[PROPOSAL_KEX_ALGS];
-+ xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
-+ "%s,%s", gss, orig);
-+ free(gss);
-+ }
-+#endif
- if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0)
- fatal_r(r, "kex_prop2buf");
-
-@@ -379,6 +448,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
+@@ -370,6 +429,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
static int input_gssapi_token(int type, u_int32_t, struct ssh *);
static int input_gssapi_error(int, u_int32_t, struct ssh *);
static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
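Review bot: Removing the "repair myproposal" block also removes the only `free(gss)` visible in this patch, while the `gss` list is presumably still built and prepended to `myproposal[PROPOSAL_KEX_ALGS]` in the earlier `ssh_kex2` hunk (`@@ -259,6 +262,42 @@`, outside this one); unless that string is now stored directly in `myproposal` so that the newly visible `kex_proposal_free_entries(myproposal);` releases it, the GSSAPI kex algorithm string leaks once per connection. I would confirm ownership on the new side of that earlier hunk and, if it is still a separate allocation, add `free(gss);` next to `kex_proposal_free_entries(myproposal);`. Likewise, if `orig` was declared only to serve the dropped block, it is now an unused local and will trip `-Wunused-variable` under `GSSAPI && WITH_OPENSSL`. The body of `ssh_kex2` starts and ends outside this hunk.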
@@ -3847,7 +3832,7 @@ index fab1e36be..cb584ad27 100644
#endif
void userauth(struct ssh *, char *);
-@@ -395,6 +465,11 @@ static char *authmethods_get(void);
+@@ -386,6 +446,11 @@ static char *authmethods_get(void);
Authmethod authmethods[] = {
#ifdef GSSAPI
@@ -3859,7 +3844,7 @@ index fab1e36be..cb584ad27 100644
{"gssapi-with-mic",
userauth_gssapi,
userauth_gssapi_cleanup,
-@@ -766,12 +841,32 @@ userauth_gssapi(struct ssh *ssh)
+@@ -757,12 +822,32 @@ userauth_gssapi(struct ssh *ssh)
OM_uint32 min;
int r, ok = 0;
gss_OID mech = NULL;
@@ -3893,7 +3878,7 @@ index fab1e36be..cb584ad27 100644
/* Check to see whether the mechanism is usable before we offer it */
while (authctxt->mech_tried < authctxt->gss_supported_mechs->count &&
-@@ -780,13 +875,15 @@ userauth_gssapi(struct ssh *ssh)
+@@ -771,13 +856,15 @@ userauth_gssapi(struct ssh *ssh)
elements[authctxt->mech_tried];
/* My DER encoding requires length<128 */
if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
@@ -3910,7 +3895,7 @@ index fab1e36be..cb584ad27 100644
if (!ok || mech == NULL)
return 0;
-@@ -1020,6 +1117,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
+@@ -1011,6 +1098,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
free(lang);
return r;
}
@@ -3967,7 +3952,7 @@ index fab1e36be..cb584ad27 100644
static int
diff --git a/sshd.c b/sshd.c
-index 9cbe92293..fee5cac64 100644
+index b4f2b9742..d5c3dfe57 100644
--- a/sshd.c
+++ b/sshd.c
@@ -798,8 +798,8 @@ notify_hostkeys(struct ssh *ssh)
@@ -4074,10 +4059,10 @@ index 36894ace5..ecfe8d026 100644
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
diff --git a/sshd_config.5 b/sshd_config.5
-index 7e1a56cd0..d2f09de9b 100644
+index a0f16874f..c0c1b0d9a 100644
--- a/sshd_config.5
+++ b/sshd_config.5
-@@ -731,6 +731,11 @@ Specifies whether to automatically destroy the user's credentials cache
+@@ -739,6 +739,11 @@ Specifies whether to automatically destroy the user's credentials cache
on logout.
The default is
.Cm yes .
@@ -4089,7 +4074,7 @@ index 7e1a56cd0..d2f09de9b 100644
.It Cm GSSAPIStrictAcceptorCheck
Determines whether to be strict about the identity of the GSSAPI acceptor
a client authenticates against.
-@@ -745,6 +750,31 @@ machine's default store.
+@@ -753,6 +758,31 @@ machine's default store.
This facility is provided to assist with operation on multi homed machines.
The default is
.Cm yes .
@@ -4122,10 +4107,10 @@ index 7e1a56cd0..d2f09de9b 100644
Specifies the signature algorithms that will be accepted for hostbased
authentication as a list of comma-separated patterns.
diff --git a/sshkey.c b/sshkey.c
-index 06db9b5da..1e7810337 100644
+index d4356e72c..c7abbe298 100644
--- a/sshkey.c
+++ b/sshkey.c
-@@ -128,6 +128,9 @@ extern const struct sshkey_impl sshkey_dsa_cert_impl;
+@@ -130,6 +130,9 @@ extern const struct sshkey_impl sshkey_dsa_cert_impl;
extern const struct sshkey_impl sshkey_xmss_impl;
extern const struct sshkey_impl sshkey_xmss_cert_impl;
#endif
@@ -4135,7 +4120,7 @@ index 06db9b5da..1e7810337 100644
const struct sshkey_impl * const keyimpls[] = {
&sshkey_ed25519_impl,
-@@ -165,6 +168,9 @@ const struct sshkey_impl * const keyimpls[] = {
+@@ -169,6 +172,9 @@ const struct sshkey_impl * const keyimpls[] = {
&sshkey_xmss_impl,
&sshkey_xmss_cert_impl,
#endif
@@ -4145,7 +4130,7 @@ index 06db9b5da..1e7810337 100644
NULL
};
-@@ -320,7 +326,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
+@@ -324,7 +330,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
for (i = 0; keyimpls[i] != NULL; i++) {
impl = keyimpls[i];