<pre style='margin:0'>
Mihai Moldovan (Ionic) pushed a commit to branch master
in repository macports-ports.
</pre>
<p><a href="https://github.com/macports/macports-ports/commit/cd1cc0653a300ac6714501bdb64bdedabddb8d75">https://github.com/macports/macports-ports/commit/cd1cc0653a300ac6714501bdb64bdedabddb8d75</a></p>
<pre style="white-space: pre; background: #F8F8F8">The following commit(s) were added to refs/heads/master by this push:
<span style='display:block; white-space:pre;color:#404040;'> new cd1cc06 net/{openssh,ssh-copy-id}: update to 7.6p1.
</span>cd1cc06 is described below
<span style='display:block; white-space:pre;color:#808000;'>commit cd1cc0653a300ac6714501bdb64bdedabddb8d75
</span>Author: Mihai Moldovan <ionic@ionic.de>
AuthorDate: Mon Oct 9 00:44:10 2017 +0200
<span style='display:block; white-space:pre;color:#404040;'> net/{openssh,ssh-copy-id}: update to 7.6p1.
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> Fixes: https://trac.macports.org/ticket/53108
</span><span style='display:block; white-space:pre;color:#404040;'> Fixes: https://trac.macports.org/ticket/54762
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> Changes:
</span><span style='display:block; white-space:pre;color:#404040;'> - Rebase patches.
</span><span style='display:block; white-space:pre;color:#404040;'> - Update to newer HPN patchset version. Based upon the 7.5p1 version
</span><span style='display:block; white-space:pre;color:#404040;'> 13 patch. Preliminary, a newer version will be backported once
</span><span style='display:block; white-space:pre;color:#404040;'> available upstream.
</span><span style='display:block; white-space:pre;color:#404040;'> - Merge in ssh-copy-id as a subport and delete the standalone port.
</span><span style='display:block; white-space:pre;color:#404040;'> - Provide maintainer helpers for quilt patch management. Not used
</span><span style='display:block; white-space:pre;color:#404040;'> within the Portfile itself.
</span><span style='display:block; white-space:pre;color:#404040;'> - Remove unreachable or outdated mirrors.
</span><span style='display:block; white-space:pre;color:#404040;'> - Add new size parameter to checksums.
</span>---
net/openssh/Portfile | 418 ++++----
...-Apple-keychain-integration-other-changes.patch | 447 +++++----
net/openssh/files/launchd.patch | 99 +-
...sh-7.6p1-gsskex-all-20141021-mp-20171009.patch} | 848 +++++++++-------
...sh14v11.diff => openssh-7.6p1-hpnssh14v13.diff} | 1016 +++++++++-----------
net/openssh/files/pam.patch | 8 +-
...dbox-darwin.c-apple-sandbox-named-external.diff | 6 +-
.../patch-sshd.c-apple-sandbox-named-external.diff | 6 +-
net/openssh/files/quilt.env | 6 +
net/openssh/files/series | 6 +
net/openssh/files/series-gsskex | 6 +
net/openssh/files/series-hpn | 5 +
net/ssh-copy-id/Portfile | 45 -
13 files changed, 1490 insertions(+), 1426 deletions(-)
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/Portfile b/net/openssh/Portfile
</span><span style='display:block; white-space:pre;color:#808080;'>index 85757c3..eee490a 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3,8 +3,8 @@
</span> PortSystem 1.0
name openssh
<span style='display:block; white-space:pre;background:#ffe0e0;'>-version 7.3p1
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-revision 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+version 7.6p1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+revision 0
</span> categories net
platforms darwin
maintainers nomaintainer
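Review bot: resetting revision to 0 alongside the version bump is the expected convention, so nothing to change in this hunk; note only that the jump from 7.3p1 to 7.6p1 spans three upstream releases, which is why every local patch in the following hunk had to be rebased and should be re-read against the 7.6p1 sources rather than compared with the previous port revision.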
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -27,222 +27,252 @@ long_description OpenSSH is a FREE version of the SSH protocol suite of \
</span> homepage http://www.openbsd.org/openssh/
checksums ${distfiles} \
<span style='display:block; white-space:pre;background:#ffe0e0;'>- rmd160 823fc1e16c5d27a2361ed0b22f5ee24be11d2c13 \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sha256 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ rmd160 486ae743f51ffbf8197d564aab9ae54f9e2ac9da \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sha256 a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ size 1489788
</span>
master_sites openbsd:OpenSSH/portable \
ftp://ftp.cise.ufl.edu/pub/mirrors/openssh/portable/ \
<span style='display:block; white-space:pre;background:#ffe0e0;'>- ftp://reflection.ncsa.uiuc.edu/pub/OpenBSD/OpenSSH/portable/ \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ftp://ftp.cse.buffalo.edu/pub/OpenBSD/OpenSSH/portable/ \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ftp://openbsd.mirrors.pair.com/ftp/OpenSSH/portable \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ftp://openbsd.secsup.org/pub/openbsd/OpenSSH/portable/
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-depends_lib path:lib/libssl.dylib:openssl \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- port:libedit \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- port:ncurses \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- port:zlib
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-depends_run port:ssh-copy-id
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# the HPN patch needs this, so rewrite all other patches to support it, too
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-patch.args -p1
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-patchfiles launchd.patch \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- pam.patch \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- patch-sandbox-darwin.c-apple-sandbox-named-external.diff \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- patch-sshd.c-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# We need a couple of patches
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# - pam.patch
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# getpwnam(3) on OS X always returns "*********" in the pw_passwd field even
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# when run as root, so it can't be used for authentication. This patch just
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# forces the use of PAM regardless of the configuration.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# - patch-*-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# Use Apple's sandbox_init(3) in addition to standard privilege separation.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# This requires a sandbox profile (which we provide) and the sandbox_init(3)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# call before the chroot(2) to privsep-path ($prefix/var/empty), or it will
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# fail to load the sandbox description and libsandbox.1.dylib.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-post-patch {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # reinplace prefix in path to sandbox definition added by
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # patch-sandbox-darwin.c-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- reinplace "s|@PREFIX@|${prefix}|g" ${worksrcpath}/sandbox-darwin.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ http://openbsd.mirrors.pair.com/OpenSSH/portable
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+if {${name} eq ${subport}} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ depends_lib path:lib/libssl.dylib:openssl \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ port:libedit \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ port:ncurses \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ port:zlib
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ depends_run port:ssh-copy-id
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # the HPN patch needs this, so rewrite all other patches to support it, too
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ patch.args -p1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ patchfiles launchd.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ pam.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ patch-sandbox-darwin.c-apple-sandbox-named-external.diff \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ patch-sshd.c-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # We need a couple of patches
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # - pam.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # getpwnam(3) on OS X always returns "*********" in the pw_passwd field even
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # when run as root, so it can't be used for authentication. This patch just
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # forces the use of PAM regardless of the configuration.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # - patch-*-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Use Apple's sandbox_init(3) in addition to standard privilege separation.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # This requires a sandbox profile (which we provide) and the sandbox_init(3)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # call before the chroot(2) to privsep-path ($prefix/var/empty), or it will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # fail to load the sandbox description and libsandbox.1.dylib.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ post-patch {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # reinplace prefix in path to sandbox definition added by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # patch-sandbox-darwin.c-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ reinplace "s|@PREFIX@|${prefix}|g" ${worksrcpath}/sandbox-darwin.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# strnvis(3) isn't actually "broken". OpenBSD decided to be special and flip
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# the order of arguments to strnvis and considers everyone else to be broken.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-configure.cppflags-append -DBROKEN_STRNVIS=1
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# Use Apple's sandboxing feature
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-configure.cppflags-append -D__APPLE_SANDBOX_NAMED_EXTERNAL__ \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- -D__APPLE_API_STRICT_CONFORMANCE
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-configure.ldflags-append -Wl,-search_paths_first
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-configure.args --with-ssl-dir=${prefix} \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- --sysconfdir=${prefix}/etc/ssh \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- --with-privsep-path=/var/empty \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- --with-md5-passwords \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- --with-pid-dir=${prefix}/var/run \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- --with-pam \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- --mandir=${prefix}/share/man \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- --with-zlib=${prefix} \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- --without-kerberos5 \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- --with-libedit \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- --with-pie \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- --without-xauth
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-use_parallel_build yes
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-destroot.target install-nokeys
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-test.run yes
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-test.target tests
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-post-destroot {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- destroot.keepdirs ${destroot}${prefix}/var/run
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # switch default port to avoid conflict with system sshd
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- reinplace "s|#Port 22|Port 2222|g" ${destroot}${prefix}/etc/ssh/sshd_config
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # install sandbox definition
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- xinstall -m 755 -d ${destroot}${prefix}/share/${name}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- xinstall -m 644 ${filespath}/org.openssh.sshd.sb ${destroot}${prefix}/share/${name}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- file rename "${destroot}${prefix}/etc/ssh/sshd_config" "${destroot}${prefix}/etc/ssh/sshd_config.example"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- file rename "${destroot}${prefix}/etc/ssh/ssh_config" "${destroot}${prefix}/etc/ssh/ssh_config.example"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # strnvis(3) isn't actually "broken". OpenBSD decided to be special and flip
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # the order of arguments to strnvis and considers everyone else to be broken.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ configure.cppflags-append -DBROKEN_STRNVIS=1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Use Apple's sandboxing feature
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ configure.cppflags-append -D__APPLE_SANDBOX_NAMED_EXTERNAL__ \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -D__APPLE_API_STRICT_CONFORMANCE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ configure.ldflags-append -Wl,-search_paths_first
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ configure.args --with-ssl-dir=${prefix} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --sysconfdir=${prefix}/etc/ssh \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --with-privsep-path=/var/empty \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --with-md5-passwords \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --with-pid-dir=${prefix}/var/run \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --with-pam \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --mandir=${prefix}/share/man \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --with-zlib=${prefix} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --without-kerberos5 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --with-libedit \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --with-pie \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --without-xauth \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --without-ldns
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ use_parallel_build yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ destroot.target install-nokeys
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ test.run yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ test.target tests
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ post-destroot {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ destroot.keepdirs ${destroot}${prefix}/var/run
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # switch default port to avoid conflict with system sshd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ reinplace "s|#Port 22|Port 2222|g" ${destroot}${prefix}/etc/ssh/sshd_config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # install sandbox definition
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 755 -d ${destroot}${prefix}/share/${name}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 644 ${filespath}/org.openssh.sshd.sb ${destroot}${prefix}/share/${name}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ file rename "${destroot}${prefix}/etc/ssh/sshd_config" "${destroot}${prefix}/etc/ssh/sshd_config.example"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ file rename "${destroot}${prefix}/etc/ssh/ssh_config" "${destroot}${prefix}/etc/ssh/ssh_config.example"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ post-activate {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if {![file exists "${prefix}/etc/ssh/sshd_config"]} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ copy "${prefix}/etc/ssh/sshd_config.example" "${prefix}/etc/ssh/sshd_config"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if {![file exists "${prefix}/etc/ssh/ssh_config"]} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ copy "${prefix}/etc/ssh/ssh_config.example" "${prefix}/etc/ssh/ssh_config"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>-post-activate {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if {![file exists "${prefix}/etc/ssh/sshd_config"]} {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- copy "${prefix}/etc/ssh/sshd_config.example" "${prefix}/etc/ssh/sshd_config"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ variant xauth description {Build with support for xauth} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ configure.args-replace --without-xauth \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --with-xauth=${prefix}/bin/xauth
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ depends_run-append port:xauth
</span> }
<span style='display:block; white-space:pre;background:#ffe0e0;'>- if {![file exists "${prefix}/etc/ssh/ssh_config"]} {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- copy "${prefix}/etc/ssh/ssh_config.example" "${prefix}/etc/ssh/ssh_config"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ variant hpn conflicts gsskex description {Apply high performance patch} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Old location(s):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # http://www.psc.edu/index.php/hpn-ssh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Current location(s):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # http://hpnssh.sourceforge.net/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # http://www.freshports.org/security/openssh-portable/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # (is usually quick in updating the HPN patch for new versions,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # take a look there, too.)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Formerly from FreeBSD, now copied over from FreeBSD's ports directory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #patch_sites-append http://mirror.shatow.net/freebsd/${name}/ \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # freebsd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #set hpn_patchfile ${name}-6.7p1-hpnssh14v5.diff.gz
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #checksums-append ${hpn_patchfile} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # rmd160 0cf7ffdd9b60d518d76076faf31df6a7a6d4ae52 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # sha256 846ad51577de8308d60dbfaa58ba18d112d0732fdf21063ebc78407fc8e4a7b6
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set hpn_patchfile ${name}-${version}-hpnssh14v13.diff
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ patchfiles-append ${hpn_patchfile}
</span> }
<span style='display:block; white-space:pre;background:#ffe0e0;'>-}
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>-variant xauth description {Build with support for xauth} {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- configure.args-delete --without-xauth
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- configure.args-append --with-xauth=${prefix}/bin/xauth
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- depends_run-append port:xauth
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ variant gsskex conflicts hpn requires kerberos5 description "Add OpenSSH GSSAPI key exchange patch" {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ use_autoreconf yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ patchfiles-append 0002-Apple-keychain-integration-other-changes.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ openssh-7.6p1-gsskex-all-20141021-mp-20171009.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ configure.cppflags-append \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -F/System/Library/Frameworks/DirectoryService.framework \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -F/System/Library/Frameworks/CoreFoundation.framework \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -D_UTMPX_COMPAT \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -D__APPLE_LAUNCHD__ \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -D__APPLE_MEMBERSHIP__ \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -D__APPLE_XSAN__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ configure.ldflags-append \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -Wl,-pie \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -framework CoreFoundation \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -framework DirectoryService
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ configure.cflags-append -fPIE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ configure.args-append --with-4in6 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --with-audit=bsm \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --with-keychain=apple \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --disable-utmp \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --disable-wtmp \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --with-privsep-user=_sshd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>-variant hpn conflicts gsskex description {Apply high performance patch} {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # Old location(s):
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # http://www.psc.edu/index.php/hpn-ssh
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # Current location(s):
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # http://hpnssh.sourceforge.net/
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # http://www.freshports.org/security/openssh-portable/
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # (is usually quick in updating the HPN patch for new versions,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # take a look there, too.)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # Formerly from FreeBSD, now copied over from FreeBSD's ports directory.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #patch_sites-append http://mirror.shatow.net/freebsd/${name}/ \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # freebsd
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #set hpn_patchfile ${name}-6.7p1-hpnssh14v5.diff.gz
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #checksums-append ${hpn_patchfile} \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # rmd160 0cf7ffdd9b60d518d76076faf31df6a7a6d4ae52 \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # sha256 846ad51577de8308d60dbfaa58ba18d112d0732fdf21063ebc78407fc8e4a7b6
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- set hpn_patchfile ${name}-${version}-hpnssh14v11.diff
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- patchfiles-append ${hpn_patchfile}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- use_autoreconf yes
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- configure.args-append --with-hpn
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ variant kerberos5 description "Add Kerberos5 support" {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ depends_lib-append port:kerberos5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ configure.args-delete --without-kerberos5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ configure.args-append --with-kerberos5=${prefix}
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>-variant gsskex conflicts hpn requires kerberos5 description "Add OpenSSH GSSAPI key exchange patch" {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- use_autoreconf yes
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- patchfiles-append 0002-Apple-keychain-integration-other-changes.patch \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- openssh-7.3p1-gsskex-all-20141021-mp-20160929.patch
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- configure.cppflags-append \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- -F/System/Library/Frameworks/DirectoryService.framework \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- -F/System/Library/Frameworks/CoreFoundation.framework \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- -D_UTMPX_COMPAT \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- -D__APPLE_LAUNCHD__ \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- -D__APPLE_MEMBERSHIP__ \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- -D__APPLE_XSAN__
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- configure.ldflags-append \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- -Wl,-pie \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- -framework CoreFoundation \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- -framework DirectoryService
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- configure.cflags-append -fPIE
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- configure.args-append --with-4in6 \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- --with-audit=bsm \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- --with-keychain=apple \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- --disable-utmp \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- --disable-wtmp \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- --with-privsep-user=_sshd
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if {${os.platform} eq "darwin"} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ post-extract {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0755 -W "${filespath}" slogin "${worksrcpath}/"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>-variant kerberos5 description "Add Kerberos5 support" {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- depends_lib-append port:kerberos5
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- configure.args-delete --without-kerberos5
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- configure.args-append --with-kerberos5=${prefix}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ pre-configure {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ reinplace -W "${worksrcpath}" "s|@@PREFIX@@|${prefix}|" slogin
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>- if {${os.platform} eq "darwin"} {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- post-extract {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- xinstall -m 0755 -W "${filespath}" slogin "${worksrcpath}/"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ post-destroot {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 0755 ${worksrcpath}/slogin \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${destroot}${prefix}/bin/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span> }
<span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ variant ldns description "Use ldns for DNSSEC support" {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ configure.args-replace --without-ldns \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --with-ldns
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ depends_lib-append port:ldns
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ default_variants +kerberos5 +xauth
</span>
<span style='display:block; white-space:pre;background:#e0ffe0;'>+ platform darwin {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # create link to /usr/include/pam because 'security' was renamed to 'pam'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # in OS X.
</span> pre-configure {
<span style='display:block; white-space:pre;background:#ffe0e0;'>- reinplace -W "${worksrcpath}" "s|@@PREFIX@@|${prefix}|" slogin
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -d ${workpath}/include
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ file delete ${workpath}/include/security
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ln -s /usr/include/pam ${workpath}/include/security
</span> }
<span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>- post-destroot {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- xinstall -m 0755 ${worksrcpath}/slogin \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ${destroot}${prefix}/bin/
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ platform darwin 9 {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # 10.5/ppc doesn't like the sandbox file we supply
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ configure.cppflags-delete -D__APPLE_SANDBOX_NAMED_EXTERNAL__
</span> }
<span style='display:block; white-space:pre;background:#ffe0e0;'>-}
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>-variant ldns description "Use ldns for DNSSEC support" {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- configure.args-append --with-ldns
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- depends_lib-append port:ldns
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ startupitem.create yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ startupitem.name OpenSSH
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ startupitem.start \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "if \[ -x ${prefix}/sbin/sshd \]; then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if \[ ! -f ${prefix}/etc/ssh/ssh_host_dsa_key \]; then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/bin/ssh-keygen -t dsa -f \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/etc/ssh/ssh_host_dsa_key -N \"\" -C `hostname`
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fi
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if \[ ! -f ${prefix}/etc/ssh/ssh_host_rsa_key \]; then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/bin/ssh-keygen -t rsa -f \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/etc/ssh/ssh_host_rsa_key -N \"\" -C `hostname`
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fi
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if \[ ! -f ${prefix}/etc/ssh/ssh_host_ecdsa_key \]; then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/bin/ssh-keygen -t ecdsa -f \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/etc/ssh/ssh_host_ecdsa_key -N \"\" -C `hostname`
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fi
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if \[ ! -f ${prefix}/etc/ssh/ssh_host_ed25519_key \]; then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/bin/ssh-keygen -t ed25519 -f \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/etc/ssh/ssh_host_ed25519_key -N \"\" -C `hostname`
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fi
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/sbin/sshd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fi"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ startupitem.stop \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "if \[ -r ${prefix}/var/run/sshd.pid \]; then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kill `cat ${prefix}/var/run/sshd.pid`
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fi"
</span> }
<span style='display:block; white-space:pre;background:#ffe0e0;'>-default_variants +kerberos5 +xauth
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+subport ssh-copy-id {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ revision 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ platforms darwin freebsd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ supported_archs noarch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ maintainers {l2dy @l2dy} openmaintainer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ description Shell script to install your public key(s) on a remote machine
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ long_description ${description}
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>-platform darwin {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # create link to /usr/include/pam because 'security' was renamed to 'pam'
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # in OS X.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- pre-configure {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- xinstall -d ${workpath}/include
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- file delete ${workpath}/include/security
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ln -s /usr/include/pam ${workpath}/include/security
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Make sure to not create multiple copies of the same distfile.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ distname openssh-${version}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ dist_subdir openssh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ use_configure no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ build {}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ destroot {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 755 ${worksrcpath}/contrib/ssh-copy-id ${destroot}${prefix}/bin
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 644 ${worksrcpath}/contrib/ssh-copy-id.1 ${destroot}${prefix}/share/man/man1
</span> }
<span style='display:block; white-space:pre;background:#ffe0e0;'>-}
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>-platform darwin 9 {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # 10.5/ppc doesn't like the sandbox file we supply
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- configure.cppflags-delete -D__APPLE_SANDBOX_NAMED_EXTERNAL__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ pre-activate {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if {![catch {set installed [lindex [registry_active openssh] 0]}]} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set _version [lindex $installed 1]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set _revision [lindex $installed 2]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if {[vercmp $_version 7.3p1] < 0 || ([vercmp $_version 7.3p1] == 0 && $_revision < 1)} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # openssh @7.3p1 and earlier used to install some files now provided by ssh-copy-id
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ registry_deactivate_composite openssh "" [list ports_nodepcheck 1]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span> }
<span style='display:block; white-space:pre;background:#ffe0e0;'>-startupitem.create yes
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-startupitem.name OpenSSH
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-startupitem.start \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- "if \[ -x ${prefix}/sbin/sshd ]; then
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if \[ ! -f ${prefix}/etc/ssh/ssh_host_dsa_key \]; then
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ${prefix}/bin/ssh-keygen -t dsa -f \\
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ${prefix}/etc/ssh/ssh_host_dsa_key -N \"\" -C `hostname`
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fi
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if \[ ! -f ${prefix}/etc/ssh/ssh_host_rsa_key \]; then
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ${prefix}/bin/ssh-keygen -t rsa -f \\
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ${prefix}/etc/ssh/ssh_host_rsa_key -N \"\" -C `hostname`
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fi
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if \[ ! -f ${prefix}/etc/ssh/ssh_host_ecdsa_key \]; then
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ${prefix}/bin/ssh-keygen -t ecdsa -f \\
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ${prefix}/etc/ssh/ssh_host_ecdsa_key -N \"\" -C `hostname`
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fi
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if \[ ! -f ${prefix}/etc/ssh/ssh_host_ed25519_key \]; then
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ${prefix}/bin/ssh-keygen -t ed25519 -f \\
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ${prefix}/etc/ssh/ssh_host_ed25519_key -N \"\" -C `hostname`
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fi
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ${prefix}/sbin/sshd
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fi"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-startupitem.stop \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- "if \[ -r ${prefix}/var/run/sshd.pid \]; then
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kill `cat ${prefix}/var/run/sshd.pid`
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fi"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span> livecheck.type regex
<span style='display:block; white-space:pre;background:#ffe0e0;'>-livecheck.url http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-livecheck.regex openssh-(\[5-9\].\[0-9\]p\[0-9\])[quotemeta ${extract.suffix}]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+livecheck.url https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+livecheck.regex openssh-(\[5-9\]+.\[0-9\]+p\[0-9\]+)[quotemeta ${extract.suffix}]
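Review bot: the relocated startupitem.start script still generates ssh_host_dsa_key (the `-t dsa` stanza directly
after `if \[ -x ${prefix}/sbin/sshd \]`), but OpenSSH has disabled ssh-dss host keys by default since 7.0 and a 7.6
sshd only loads the rsa, ecdsa and ed25519 host keys unless HostKey is set explicitly, so that branch writes a key
the daemon never reads; drop it and leave rsa/ecdsa/ed25519 as the keys created at first start. Two smaller points in
the same hunk: the `variant gsskex conflicts hpn requires kerberos5` block (with its `--with-keychain=apple`,
`--with-audit=bsm` and `--with-privsep-user=_sshd` configure flags) is removed here with no replacement in view and
the commit message lists no variant change, so either point at where it moved or record the removal and what a user
with +gsskex should expect; and in the ssh-copy-id pre-activate block the comment says "openssh @7.3p1 and earlier"
while `[vercmp $_version 7.3p1] < 0 || ([vercmp $_version 7.3p1] == 0 && $_revision < 1)` only catches up to
7.3p1_0, so the comment should read `@7.3p1_0 and earlier`. Finally, livecheck.regex
`openssh-(\[5-9\]+.\[0-9\]+p\[0-9\]+)` leaves the dot unescaped (it matches any character) and `\[5-9\]+` rejects any
major version containing a digit below 5, so a future 10.0p1 would go unnoticed; `\[0-9\]+\\.\[0-9\]+p\[0-9\]+` is
what is meant.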
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/0002-Apple-keychain-integration-other-changes.patch b/net/openssh/files/0002-Apple-keychain-integration-other-changes.patch
</span><span style='display:block; white-space:pre;color:#808080;'>index ebb7d50..a2920ec 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/files/0002-Apple-keychain-integration-other-changes.patch
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/files/0002-Apple-keychain-integration-other-changes.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1,5 +1,5 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/Makefile.in 2016-09-29 10:37:08.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/Makefile.in 2016-09-29 11:02:49.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/Makefile.in 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/Makefile.in 2017-10-08 09:09:59.000000000 +0200
</span> @@ -59,6 +59,7 @@ SED=@SED@
ENT=@ENT@
XAUTH_PATH=@XAUTH_PATH@
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -52,7 +52,7 @@
</span>
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -312,7 +316,7 @@ install-files:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -325,7 +329,7 @@ install-files:
</span> $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -61,9 +61,9 @@
</span> $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/audit-bsm.c 2016-09-29 10:37:08.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/audit-bsm.c 2016-09-29 11:32:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -263,7 +263,12 @@ bsm_audit_record(int typ, char *string,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/audit-bsm.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/audit-bsm.c 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -261,7 +261,12 @@ bsm_audit_record(int typ, char *string,
</span> pid_t pid = getpid();
AuditInfoTermID tid = ssh_bsm_tid;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -77,9 +77,9 @@
</span> uid = the_authctxt->pw->pw_uid;
gid = the_authctxt->pw->pw_gid;
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/auth-pam.c 2016-09-29 11:02:49.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth-pam.c 2016-09-29 11:30:33.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -794,10 +794,11 @@ sshpam_query(void *ctx, char **name, cha
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/auth-pam.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth-pam.c 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -795,10 +795,11 @@ sshpam_query(void *ctx, char **name, cha
</span> free(msg);
return (0);
}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -93,9 +93,9 @@
</span> /* FALLTHROUGH */
default:
*num = 0;
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/auth.c 2016-09-29 10:37:08.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth.c 2016-09-29 11:02:49.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -215,7 +215,7 @@ allowed_user(struct passwd * pw)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/auth.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth.c 2017-10-08 09:09:59.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -223,7 +223,7 @@ allowed_user(struct passwd * pw)
</span> }
if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
/* Get the user's group access list (primary and supplementary) */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -104,9 +104,9 @@
</span> logit("User %.100s from %.100s not allowed because "
"not in any group", pw->pw_name, hostname);
return 0;
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/authfd.c 2016-09-29 10:37:08.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/authfd.c 2016-09-29 11:02:49.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -165,6 +165,29 @@ ssh_request_reply(int sock, struct sshbu
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/authfd.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/authfd.c 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -164,6 +164,29 @@ ssh_request_reply(int sock, struct sshbu
</span> }
/*
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -136,9 +136,9 @@
</span> * Closes the agent socket if it should be closed (depends on how it was
* obtained). The argument must have been returned by
* ssh_get_authentication_socket().
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/authfd.h 2016-09-29 10:37:08.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/authfd.h 2016-09-29 11:02:49.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -43,6 +43,9 @@ int ssh_agent_sign(int sock, struct sshk
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/authfd.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/authfd.h 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -42,6 +42,9 @@ int ssh_agent_sign(int sock, const struc
</span> u_char **sigp, size_t *lenp,
const u_char *data, size_t datalen, const char *alg, u_int compat);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -148,7 +148,7 @@
</span> /* Messages for the authentication agent connection. */
#define SSH_AGENTC_REQUEST_RSA_IDENTITIES 1
#define SSH_AGENT_RSA_IDENTITIES_ANSWER 2
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -76,6 +79,9 @@ int ssh_agent_sign(int sock, struct sshk
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -75,6 +78,9 @@ int ssh_agent_sign(int sock, const struc
</span> #define SSH2_AGENTC_ADD_ID_CONSTRAINED 25
#define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -158,10 +158,10 @@
</span> #define SSH_AGENT_CONSTRAIN_LIFETIME 1
#define SSH_AGENT_CONSTRAIN_CONFIRM 2
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/config.h.in 2016-09-29 10:37:08.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/config.h.in 2016-09-29 11:02:49.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/config.h.in 2017-10-03 18:06:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/config.h.in 2017-10-08 09:09:59.000000000 +0200
</span> @@ -78,6 +78,18 @@
<span style='display:block; white-space:pre;background:#ffe0e0;'>- /* missing VIS_ALL */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* strnvis detected broken */
</span> #undef BROKEN_STRNVIS
+/* platform uses an in-memory credentials cache */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -179,9 +179,9 @@
</span> /* tcgetattr with ICANON may hang */
#undef BROKEN_TCGETATTR_ICANON
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/configure.ac 2016-09-29 10:37:08.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/configure.ac 2016-09-29 11:02:49.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -4972,10 +4972,40 @@ AC_CHECK_MEMBER([struct utmp.ut_line], [
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/configure.ac 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/configure.ac 2017-10-08 09:09:59.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -5042,10 +5042,40 @@ AC_CHECK_MEMBER([struct utmp.ut_line], [
</span> #endif
])
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -222,8 +222,8 @@
</span> if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
TEST_SSH_IPV6=no
else
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/groupaccess.c 2016-09-29 10:37:08.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/groupaccess.c 2016-09-29 11:32:59.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/groupaccess.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/groupaccess.c 2017-10-08 09:09:58.000000000 +0200
</span> @@ -34,38 +34,67 @@
#include <string.h>
#include <limits.h>
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -331,8 +331,8 @@
</span> return 0;
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/groupaccess.h 2016-09-29 10:37:08.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/groupaccess.h 2016-09-29 11:02:49.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/groupaccess.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/groupaccess.h 2017-10-08 09:09:58.000000000 +0200
</span> @@ -27,7 +27,7 @@
#ifndef GROUPACCESS_H
#define GROUPACCESS_H
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -343,8 +343,8 @@
</span> int ga_match_pattern_list(const char *);
void ga_free(void);
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/keychain.c 2016-09-29 11:33:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -0,0 +1,694 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/keychain.c 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -0,0 +1,697 @@
</span> +/*
+ * Copyright (c) 2007 Apple Inc. All rights reserved.
+ *
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -596,7 +596,7 @@
</span> + * Remove the passphrase for a given identity from the keychain.
+ */
+void
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+remove_from_keychain(const char *filename)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++remove_from_keychain(const char *filename, int qflag)
</span> +{
+
+#if defined(__APPLE_KEYCHAIN__)
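Review bot: `+remove_from_keychain(const char *filename, int qflag)` changes the function's arity, and while the
matching prototype in keychain.h is updated further down in this file, none of the hunks shown touch the call sites
(the ssh-add side, which is where a quiet flag would originate); confirm every caller in the rebased patch now passes
`qflag`, since an unconverted call is a compile error rather than a silent behaviour change, and the commit message
should mention that the keychain patch gained this quiet-mode parameter, because "Rebase patches" does not cover an
interface change.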
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -656,8 +656,11 @@
</span> + (const char *)utf8_filename, NULL, NULL, &itemRef);
+ if (rv == noErr) {
+ /* Remove the passphrase from the keychain. */
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (SecKeychainItemDelete(itemRef) == noErr)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "Passphrase removed from keychain: %s\n", filename);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (SecKeychainItemDelete(itemRef) == noErr) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!qflag) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fprintf(stderr, "Passphrase removed from keychain: %s\n", filename);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span> + else
+ fprintf(stderr, "Could not remove keychain item\n");
+ } else if (rv != errSecItemNotFound)
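Review bot: the new braces in this hunk mix styles: the success arm becomes `if (SecKeychainItemDelete(itemRef) == noErr) {`
... `}` followed by a bare `else` on its own line, whereas OpenSSH's KNF style keeps `} else` on one line and braces
both arms once either is braced; reformat as `} else {` / `fprintf(stderr, "Could not remove keychain item\n");` / `}`.
Leaving the failure message outside the `!qflag` test is the right call, since quiet mode should suppress success
chatter only, but that message still omits the filename and the OSStatus from SecKeychainItemDelete, which would help
when several identities are removed in one run.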
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1040,7 +1043,7 @@
</span> +
+}
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/keychain.h 2016-09-29 11:34:19.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/keychain.h 2017-10-08 09:09:58.000000000 +0200
</span> @@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2007 Apple Inc. All rights reserved.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1083,13 +1086,13 @@
</span> +#endif
+
+void store_in_keychain(const char *filename, const char *passphrase);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+void remove_from_keychain(const char *filename);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++void remove_from_keychain(const char *filename, int qflag);
</span> +int add_identities_using_keychain(
+ int (*add_identity)(const char *, const char *));
+char *keychain_read_passphrase(const char *filename, int oAskPassGUI);
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/readconf.c 2016-09-29 10:37:08.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/readconf.c 2016-09-29 11:14:22.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -168,6 +168,9 @@ typedef enum {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/readconf.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/readconf.c 2017-10-08 09:09:59.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -169,6 +169,9 @@ typedef enum {
</span> oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1099,7 +1102,7 @@
</span> oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
oPubkeyAcceptedKeyTypes, oProxyJump,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -296,6 +299,9 @@ static struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -305,6 +308,9 @@ static struct {
</span> { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
{ "ignoreunknown", oIgnoreUnknown },
{ "proxyjump", oProxyJump },
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1109,7 +1112,7 @@
</span>
{ NULL, oBadOption }
};
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1543,6 +1549,12 @@ parse_keytypes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1555,6 +1561,12 @@ parse_keytypes:
</span> charptr = &options->ignored_unknown;
goto parse_string;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1122,7 +1125,7 @@
</span> case oProxyUseFdpass:
intptr = &options->proxy_use_fdpass;
goto parse_flag;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1848,6 +1860,9 @@ initialize_options(Options * options)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1859,6 +1871,9 @@ initialize_options(Options * options)
</span> options->request_tty = -1;
options->proxy_use_fdpass = -1;
options->ignored_unknown = NULL;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1132,7 +1135,7 @@
</span> options->num_canonical_domains = 0;
options->num_permitted_cnames = 0;
options->canonicalize_max_dots = -1;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2033,6 +2048,10 @@ fill_default_options(Options * options)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2026,6 +2041,10 @@ fill_default_options(Options * options)
</span> options->ip_qos_bulk = IPTOS_THROUGHPUT;
if (options->request_tty == -1)
options->request_tty = REQUEST_TTY_AUTO;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1143,9 +1146,9 @@
</span> if (options->proxy_use_fdpass == -1)
options->proxy_use_fdpass = 0;
if (options->canonicalize_max_dots == -1)
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/readconf.h 2016-09-29 10:37:08.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/readconf.h 2016-09-29 11:02:49.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -169,6 +169,10 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/readconf.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/readconf.h 2017-10-08 09:09:59.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -164,6 +164,10 @@ typedef struct {
</span> char *jump_extra;
char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1156,18 +1159,18 @@
</span> } Options;
#define SSH_CANONICALISE_NO 0
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/scp.1 2016-09-29 10:37:08.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/scp.1 2016-09-29 11:02:50.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/scp.1 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/scp.1 2017-10-08 09:09:58.000000000 +0200
</span> @@ -19,7 +19,7 @@
.Sh SYNOPSIS
.Nm scp
.Bk -words
<span style='display:block; white-space:pre;background:#ffe0e0;'>--.Op Fl 12346BCpqrv
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Op Fl 12346BCEpqrv
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-.Op Fl 346BCpqrv
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Op Fl 346BCEpqrv
</span> .Op Fl c Ar cipher
.Op Fl F Ar ssh_config
.Op Fl i Ar identity_file
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -95,6 +95,8 @@ Passes the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -87,6 +87,8 @@ Passes the
</span> flag to
.Xr ssh 1
to enable compression.
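Review bot: the rebased synopsis '.Op Fl 346BCEpqrv' lists -E unconditionally, while the usage() string in scp.c (hunk at 1418 below) only includes E under '#if HAVE_COPYFILE'; either the -E description added at '@@ -87,6 +87,8 @@' should say the option depends on copyfile support, or usage() should list it regardless of the build. Dropping '12' from the flag list is correct, since 7.6 removed SSH protocol 1 upstream.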
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1176,9 +1179,9 @@
</span> .It Fl c Ar cipher
Selects the cipher to use for encrypting the data transfer.
This option is directly passed to
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/scp.c 2016-09-29 10:37:08.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/scp.c 2016-09-29 11:34:54.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -78,6 +78,9 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/scp.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/scp.c 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -77,6 +77,9 @@
</span> #ifdef HAVE_SYS_STAT_H
# include <sys/stat.h>
#endif
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1188,7 +1191,7 @@
</span> #ifdef HAVE_POLL_H
#include <poll.h>
#else
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -117,6 +120,11 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -119,6 +122,11 @@
</span> #include "progressmeter.h"
#include "utf8.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1200,7 +1203,7 @@
</span> extern char *__progname;
#define COPY_BUFLEN 16384
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -153,6 +161,12 @@ char *ssh_program = _PATH_SSH_PROGRAM;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -155,6 +163,12 @@ char *ssh_program = _PATH_SSH_PROGRAM;
</span> /* This is used to store the pid of ssh_program */
pid_t do_cmd_pid = -1;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1213,7 +1216,7 @@
</span> static void
killchild(int signo)
{
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -400,7 +414,11 @@ main(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -402,7 +416,11 @@ main(int argc, char **argv)
</span> addargs(&args, "-oClearAllForwardings=yes");
fflag = tflag = 0;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1225,7 +1228,7 @@
</span> switch (ch) {
/* User-visible flags. */
case '1':
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -461,6 +479,11 @@ main(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -467,6 +485,11 @@ main(int argc, char **argv)
</span> showprogress = 0;
break;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1237,7 +1240,7 @@
</span> /* Server options. */
case 'd':
targetshouldbedirectory = 1;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -520,7 +543,12 @@ main(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -526,7 +549,12 @@ main(int argc, char **argv)
</span> remin = remout = -1;
do_cmd_pid = -1;
/* Command to be executed on remote system using "ssh". */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1250,7 +1253,7 @@
</span> verbose_mode ? " -v" : "",
iamrecursive ? " -r" : "", pflag ? " -p" : "",
targetshouldbedirectory ? " -d" : "");
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -766,6 +794,10 @@ source(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -772,6 +800,10 @@ source(int argc, char **argv)
</span> int fd = -1, haderr, indx;
char *last, *name, buf[2048], encname[PATH_MAX];
int len;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1261,7 +1264,7 @@
</span>
for (indx = 0; indx < argc; ++indx) {
name = argv[indx];
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -773,12 +805,26 @@ source(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -779,12 +811,26 @@ source(int argc, char **argv)
</span> len = strlen(name);
while (len > 1 && name[len-1] == '/')
name[--len] = '\0';
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1288,7 +1291,7 @@
</span> if (fstat(fd, &stb) < 0) {
syserr: run_err("%s: %s", name, strerror(errno));
goto next;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -862,6 +908,36 @@ next: if (fd != -1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -868,6 +914,36 @@ next: if (fd != -1) {
</span> else
run_err("%s: %s", name, strerror(haderr));
(void) response();
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1325,7 +1328,7 @@
</span> if (showprogress)
stop_progress_meter();
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -955,6 +1031,10 @@ sink(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -969,6 +1045,10 @@ sink(int argc, char **argv)
</span> if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode))
targisdir = 1;
for (first = 1;; first = 0) {
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1336,7 +1339,7 @@
</span> cp = buf;
if (atomicio(read, remin, cp, 1) != 1)
return;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1103,10 +1183,51 @@ sink(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1120,10 +1200,51 @@ sink(int argc, char **argv)
</span> }
omode = mode;
mode |= S_IWUSR;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1388,7 +1391,7 @@
</span> (void) atomicio(vwrite, remout, "", 1);
if ((bp = allocbuf(&buffer, ofd, COPY_BUFLEN)) == NULL) {
(void) close(ofd);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1189,6 +1310,29 @@ bad: run_err("%s: %s", np, strerror(er
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1206,6 +1327,29 @@ bad: run_err("%s: %s", np, strerror(er
</span> wrerrno = errno;
}
(void) response();
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1418,30 +1421,30 @@
</span> if (showprogress)
stop_progress_meter();
if (setimes && wrerr == NO) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1257,7 +1401,11 @@ void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1274,7 +1418,11 @@ void
</span> usage(void)
{
(void) fprintf(stderr,
+#if HAVE_COPYFILE
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ "usage: scp [-12346BCEpqrv] [-c cipher] [-F ssh_config] [-i identity_file]\n"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "usage: scp [-346BCEpqrv] [-c cipher] [-F ssh_config] [-i identity_file]\n"
</span> +#else
<span style='display:block; white-space:pre;background:#ffe0e0;'>- "usage: scp [-12346BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]\n"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "usage: scp [-346BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]\n"
</span> +#endif
" [-l limit] [-o ssh_option] [-P port] [-S program]\n"
" [[user@]host1:]file1 ... [[user@]host2:]file2\n");
exit(1);
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/servconf.c 2016-09-29 10:37:08.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/servconf.c 2016-09-29 11:02:50.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -292,7 +292,7 @@ fill_default_server_options(ServerOption
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/servconf.c 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/servconf.c 2017-10-08 09:09:59.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -273,7 +273,7 @@ fill_default_server_options(ServerOption
</span> if (options->gss_strict_acceptor == -1)
<span style='display:block; white-space:pre;background:#ffe0e0;'>- options->gss_strict_acceptor = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->gss_strict_acceptor = 1;
</span> if (options->password_authentication == -1)
- options->password_authentication = 1;
+ options->password_authentication = 0;
if (options->kbd_interactive_authentication == -1)
options->kbd_interactive_authentication = 0;
if (options->challenge_response_authentication == -1)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -771,7 +771,7 @@ match_cfg_line_group(const char *grps, i
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -795,7 +795,7 @@ match_cfg_line_group(const char *grps, i
</span> if ((pw = getpwnam(user)) == NULL) {
debug("Can't match group at line %d because user %.100s does "
"not exist", line, user);
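Review bot: confirm that the context-line change from 'options->gss_strict_acceptor = 0;' to '= 1;' reflects 7.6's own upstream default rather than an edit by the patch; it carries a leading space in the inner diff, so it is context only, which is fine. The carried-over 'options->password_authentication = 0;' still flips the compiled-in default of PasswordAuthentication from yes to no relative to upstream. That is a reasonable hardening choice, but the sshd_config the port installs should then state PasswordAuthentication explicitly so administrators see the effective default rather than having it hidden in a patched fill_default_server_options().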
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1450,10 +1453,10 @@
</span> debug("Can't Match group because user %.100s not in any group "
"at line %d", user, line);
} else if (ga_match_pattern_list(grps) != 1) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/session.c 2016-09-29 10:37:08.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/session.c 2016-09-29 11:02:50.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2140,8 +2140,10 @@ session_pty_req(Session *s)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- n_bytes = packet_remaining();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/session.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/session.c 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1890,8 +1890,10 @@ session_pty_req(struct ssh *ssh, Session
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ n_bytes = packet_remaining();
</span> tty_parse_modes(s->ttyfd, &n_bytes);
+#ifndef __APPLE_PRIVPTY__
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1463,7 +1466,7 @@
</span>
/* Set window size from the packet. */
pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2387,9 +2389,11 @@ session_pty_cleanup2(Session *s)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2134,9 +2136,11 @@ session_pty_cleanup2(Session *s)
</span> if (s->pid != 0)
record_logout(s->pid, s->tty, s->pw->pw_name);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1475,20 +1478,20 @@
</span>
/*
* Close the server side of the socket pairs. We must do this after
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh-add.0 2016-09-29 10:37:08.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh-add.0 2016-09-29 11:02:50.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh-add.0 2017-10-03 18:05:55.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh-add.0 2017-10-08 09:09:58.000000000 +0200
</span> @@ -4,7 +4,7 @@ NAME
ssh-add M-bM-^@M-^S adds private key identities to the authentication agent
SYNOPSIS
<span style='display:block; white-space:pre;background:#ffe0e0;'>-- ssh-add [-cDdkLlXx] [-E fingerprint_hash] [-t life] [file ...]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh-add [-cDdkKLlXx] [-E fingerprint_hash] [-t life] [file ...]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- ssh-add [-cDdkLlqXx] [-E fingerprint_hash] [-t life] [file ...]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh-add [-cDdkLlMmqXx] [-E fingerprint_hash] [-t life] [file ...]
</span> ssh-add -s pkcs11
ssh-add -e pkcs11
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -60,6 +60,13 @@ DESCRIPTION
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- -l Lists fingerprints of all identities currently represented by the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- agent.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -62,6 +62,13 @@ DESCRIPTION
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -q Be quiet after a successful operation.
</span>
+ -m Add identities to the agent using any passphrases stored in your
+ Mac OS X keychain.
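Review bot: good that the stray 'K' from the old ssh-add.0 synopsis ('-cDdkKLlXx') is gone; the rebased 'ssh-add [-cDdkLlMmqXx]' now agrees with ssh-add.1's '.Op Fl cDdkLlMmqXx' and with the getopt string 'klLcdDxXmME:e:qs:t:' later in this diff. Since ssh-add.0 is the preformatted rendering of ssh-add.1, regenerating it from the patched .1 would be safer than hand-editing both copies.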
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1500,18 +1503,18 @@
</span> -s pkcs11
Add keys provided by the PKCS#11 shared library pkcs11.
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh-add.1 2016-09-29 10:37:08.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh-add.1 2016-09-29 11:02:50.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh-add.1 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh-add.1 2017-10-08 09:09:58.000000000 +0200
</span> @@ -43,7 +43,7 @@
.Nd adds private key identities to the authentication agent
.Sh SYNOPSIS
.Nm ssh-add
<span style='display:block; white-space:pre;background:#ffe0e0;'>--.Op Fl cDdkLlXx
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Op Fl cDdkLlMmXx
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-.Op Fl cDdkLlqXx
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Op Fl cDdkLlMmqXx
</span> .Op Fl E Ar fingerprint_hash
.Op Fl t Ar life
.Op Ar
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -127,6 +127,13 @@ Lists public key parameters of all ident
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -126,6 +126,13 @@ Lists public key parameters of all ident
</span> by the agent.
.It Fl l
Lists fingerprints of all identities currently represented by the agent.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1522,12 +1525,12 @@
</span> +When adding identities, each passphrase will also be stored in your Mac OS
+Xkeychain. When removing identities with -d, each passphrase will be removed
+from your Mac OS X keychain.
<span style='display:block; white-space:pre;background:#e0ffe0;'>+ .It Fl q
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Be quiet after a successful operation.
</span> .It Fl s Ar pkcs11
<span style='display:block; white-space:pre;background:#ffe0e0;'>- Add keys provided by the PKCS#11 shared library
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .Ar pkcs11 .
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh-add.c 2016-09-29 10:37:08.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh-add.c 2016-09-29 11:02:50.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -65,6 +65,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh-add.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh-add.c 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -64,6 +64,7 @@
</span> #include "misc.h"
#include "ssherr.h"
#include "digest.h"
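Review bot: typo in the -M description of ssh-add.1: the line starting '+Xkeychain.' should read 'X keychain.' ('your Mac OS X keychain'), matching the wording in the -m entry of ssh-add.0 and in the usage() text. While touching it, start each new sentence on its own line as mdoc convention expects.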
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1535,43 +1538,45 @@
</span>
/* argv0 */
extern char *__progname;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -106,12 +107,25 @@ clear_pass(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -102,12 +103,27 @@ clear_pass(void)
</span> }
static int
<span style='display:block; white-space:pre;background:#ffe0e0;'>--delete_file(int agent_fd, const char *filename, int key_only)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+add_from_keychain(int agent_fd)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-delete_file(int agent_fd, const char *filename, int key_only, int qflag)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++add_from_keychain(int agent_fd, int qflag)
</span> +{
+ if (ssh_add_from_keychain(agent_fd) == 0)
+ return -1;
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "Added keychain identities.\n");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!qflag) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fprintf(stderr, "Added keychain identities.\n");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span> + return 0;
+}
+
+static int
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+delete_file(int agent_fd, int keychain, const char *filename, int key_only)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++delete_file(int agent_fd, int keychain, const char *filename, int key_only, int qflag)
</span> {
struct sshkey *public, *cert = NULL;
char *certpath = NULL, *comment = NULL;
int r, ret = -1;
+ if (keychain)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ remove_from_keychain(filename);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ remove_from_keychain(filename, qflag);
</span> +
if ((r = sshkey_load_public(filename, &public, &comment)) != 0) {
printf("Bad key file %s: %s\n", filename, ssh_err(r));
return -1;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -178,7 +192,7 @@ delete_all(int agent_fd)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -184,7 +200,7 @@ delete_all(int agent_fd)
</span> }
static int
<span style='display:block; white-space:pre;background:#ffe0e0;'>--add_file(int agent_fd, const char *filename, int key_only)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+add_file(int agent_fd, int keychain, const char *filename, int key_only)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-add_file(int agent_fd, const char *filename, int key_only, int qflag)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++add_file(int agent_fd, int keychain, const char *filename, int key_only, int qflag)
</span> {
struct sshkey *private, *cert;
char *comment = NULL;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -222,6 +236,10 @@ add_file(int agent_fd, const char *filen
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -228,6 +244,10 @@ add_file(int agent_fd, const char *filen
</span> filename, ssh_err(r));
goto fail_load;
}
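Review bot: the new signatures 'delete_file(int agent_fd, int keychain, const char *filename, int key_only, int qflag)' and the matching add_file() line run past 80 columns; the surrounding code follows KNF, so wrap them as the do_file() call site further down does. The braces around the single 'fprintf(stderr, "Added keychain identities.\n");' under 'if (!qflag)' are also unusual for this file (compare the unbraced 'if (ssh_add_from_keychain(agent_fd) == 0) return -1;' two lines above). One question on logic: if ssh_add_from_keychain() returns the number of identities it added, an empty keychain makes 'ssh-add -m' return -1 and exit non-zero with no message; worth confirming that is the intended behaviour.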
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1582,7 +1587,7 @@
</span> /* try last */
if (private == NULL && pass != NULL) {
if ((r = sshkey_parse_private_fileblob(keyblob, pass, &private,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -230,6 +248,8 @@ add_file(int agent_fd, const char *filen
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -236,6 +256,8 @@ add_file(int agent_fd, const char *filen
</span> filename, ssh_err(r));
goto fail_load;
}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1591,7 +1596,7 @@
</span> }
if (private == NULL) {
/* clear passphrase since it did not work */
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -241,8 +261,13 @@ add_file(int agent_fd, const char *filen
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -247,8 +269,13 @@ add_file(int agent_fd, const char *filen
</span> if (strcmp(pass, "") == 0)
goto fail_load;
if ((r = sshkey_parse_private_fileblob(keyblob, pass,
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1606,27 +1611,27 @@
</span> else if (r != SSH_ERR_KEY_WRONG_PASSPHRASE) {
fprintf(stderr,
"Error loading key \"%s\": %s\n",
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -440,13 +465,13 @@ lock_agent(int agent_fd, int lock)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -432,13 +459,13 @@ lock_agent(int agent_fd, int lock)
</span> }
static int
<span style='display:block; white-space:pre;background:#ffe0e0;'>--do_file(int agent_fd, int deleting, int key_only, char *file)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+do_file(int agent_fd, int deleting, int keychain, int key_only, char *file)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-do_file(int agent_fd, int deleting, int key_only, char *file, int qflag)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++do_file(int agent_fd, int deleting, int keychain, int key_only, char *file, int qflag)
</span> {
if (deleting) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (delete_file(agent_fd, file, key_only) == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (delete_file(agent_fd, keychain, file, key_only) == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (delete_file(agent_fd, file, key_only, qflag) == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (delete_file(agent_fd, keychain, file, key_only, qflag) == -1)
</span> return -1;
} else {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (add_file(agent_fd, file, key_only) == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (add_file(agent_fd, keychain, file, key_only) == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (add_file(agent_fd, file, key_only, qflag) == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (add_file(agent_fd, keychain, file, key_only, qflag) == -1)
</span> return -1;
}
return 0;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -469,6 +494,11 @@ usage(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fprintf(stderr, " -X Unlock agent.\n");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -462,6 +489,11 @@ usage(void)
</span> fprintf(stderr, " -s pkcs11 Add keys from PKCS#11 provider.\n");
fprintf(stderr, " -e pkcs11 Remove keys provided by PKCS#11 provider.\n");
<span style='display:block; white-space:pre;background:#e0ffe0;'>+ fprintf(stderr, " -q Be quiet after a successful operation.\n");
</span> +#ifdef KEYCHAIN
+ fprintf(stderr, " -m Add all identities stored in your Mac OS X keychain.\n");
+ fprintf(stderr, " -M Store passphrases in your Mac OS X keychain.\n");
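Review bot: the usage() entries for -m and -M are wrapped in '#ifdef KEYCHAIN', but the getopt string 'klLcdDxXmME:e:qs:t:' and the 'case 'm':' / 'case 'M':' labels in the following hunk are unconditional, so a build without KEYCHAIN still accepts both options while documenting neither. Put the same '#ifdef KEYCHAIN' around the option letters and the case labels (or drop the guard around the usage text) so the accepted options and the help text agree. The 'do_file(int agent_fd, int deleting, int keychain, int key_only, char *file, int qflag)' line at the top of this hunk is also over 80 columns and should be broken like its call site.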
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1635,58 +1640,70 @@
</span> }
int
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -480,6 +510,7 @@ main(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -473,6 +505,7 @@ main(int argc, char **argv)
</span> char *pkcs11provider = NULL;
int r, i, ch, deleting = 0, ret = 0, key_only = 0;
<span style='display:block; white-space:pre;background:#ffe0e0;'>- int xflag = 0, lflag = 0, Dflag = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int keychain = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int xflag = 0, lflag = 0, Dflag = 0, qflag = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int keychain = 0, load_from_keychain = 0;
</span>
ssh_malloc_init(); /* must be called before any mallocs */
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -507,7 +538,7 @@ main(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -500,7 +533,7 @@ main(int argc, char **argv)
</span> exit(2);
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-- while ((ch = getopt(argc, argv, "klLcdDxXE:e:s:t:")) != -1) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ while ((ch = getopt(argc, argv, "kKlLcdDxXmME:e:s:t:")) != -1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- while ((ch = getopt(argc, argv, "klLcdDxXE:e:qs:t:")) != -1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ while ((ch = getopt(argc, argv, "klLcdDxXmME:e:qs:t:")) != -1) {
</span> switch (ch) {
case 'E':
fingerprint_hash = ssh_digest_alg_by_name(optarg);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -552,6 +583,13 @@ main(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- goto done;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -548,6 +581,12 @@ main(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case 'q':
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ qflag = 1;
</span> break;
+ case 'm':
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (add_from_keychain(agent_fd) == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ret = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto done;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ load_from_keychain = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span> + case 'M':
+ keychain = 1;
+ break;
default:
usage();
ret = 1;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -600,7 +638,7 @@ main(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -555,6 +594,12 @@ main(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (load_from_keychain) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (add_from_keychain(agent_fd, qflag) == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ret = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto done;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((xflag != 0) + (lflag != 0) + (Dflag != 0) > 1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal("Invalid combination of actions");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ else if (xflag) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -596,7 +641,7 @@ main(int argc, char **argv)
</span> default_files[i]);
if (stat(buf, &st) < 0)
continue;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (do_file(agent_fd, deleting, key_only, buf) == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (do_file(agent_fd, deleting, keychain, key_only, buf) == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (do_file(agent_fd, deleting, key_only, buf,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (do_file(agent_fd, deleting, keychain, key_only, buf,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ qflag) == -1)
</span> ret = 1;
else
<span style='display:block; white-space:pre;background:#ffe0e0;'>- count++;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -609,7 +647,7 @@ main(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -606,7 +651,7 @@ main(int argc, char **argv)
</span> ret = 1;
} else {
for (i = 0; i < argc; i++) {
- if (do_file(agent_fd, deleting, key_only,
+ if (do_file(agent_fd, deleting, keychain, key_only,
<span style='display:block; white-space:pre;background:#ffe0e0;'>- argv[i]) == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ argv[i], qflag) == -1)
</span> ret = 1;
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh-agent.c 2016-09-29 10:37:08.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh-agent.c 2016-09-29 11:02:50.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -71,6 +71,9 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh-agent.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh-agent.c 2017-10-08 09:22:41.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -73,18 +73,24 @@
</span> #ifdef HAVE_UTIL_H
# include <util.h>
#endif
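Review bot: the new `if (load_from_keychain) { ... goto done; }` block sits before the `if ((xflag != 0) + (lflag != 0) + (Dflag != 0) > 1)` / `fatal("Invalid combination of actions");` check, so `-m` combined with `-l`, `-x` or `-D` loads from the keychain and jumps to `done` without the conflict ever being reported or the other action running. Either move the exclusion check above the keychain block or count `load_from_keychain` in it, so conflicting flags fail the same way they do for the existing actions. Deferring the load until after option parsing is what lets `-q` take effect regardless of argument order (hence the new `qflag` parameter to `add_from_keychain`), which is worth a sentence in the patch header. Note also that `goto done;` is not inside the `if (add_from_keychain(...) == -1)` body, matching the old `case 'm'` shape, so a successful keychain load still skips any key files named on the command line; if that is intended, say so in the ssh-add usage text.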
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1696,7 +1713,6 @@
</span>
#include "xmalloc.h"
#include "ssh.h"
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -78,11 +81,14 @@
</span> #include "sshbuf.h"
#include "sshkey.h"
#include "authfd.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1706,12 +1722,13 @@
</span> #include "misc.h"
#include "digest.h"
#include "ssherr.h"
<span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "match.h"
</span> +#include "keychain.h"
+#include "key.h"
#ifdef ENABLE_PKCS11
#include "ssh-pkcs11.h"
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -837,6 +843,61 @@ process_remove_smartcard_key(SocketEntry
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -638,6 +644,56 @@ send:
</span> }
#endif /* ENABLE_PKCS11 */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1719,23 +1736,18 @@
</span> +add_identity_callback(const char *filename, const char *passphrase)
+{
+ Key *k;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int version;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Idtab *tab;
</span> +
+ if ((k = key_load_private(filename, passphrase, NULL)) == NULL)
+ return 1;
+ switch (k->type) {
+ case KEY_RSA:
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEY_RSA1:
</span> + if (RSA_blinding_on(k->rsa, NULL) != 1) {
+ key_free(k);
+ return 1;
+ }
+ break;
+ }
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ version = k->type == KEY_RSA1 ? 1 : 2;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ tab = idtab_lookup(version);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (lookup_identity(k, version) == NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (lookup_identity(k) == NULL) {
</span> + Identity *id = xmalloc(sizeof(Identity));
+ id->key = k;
+ id->comment = xstrdup(filename);
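Review bot: with `case KEY_RSA1:` and the `version` / `Idtab *tab` locals gone, `switch (k->type)` in `add_identity_callback` is left with a single `case KEY_RSA:` arm around `RSA_blinding_on(k->rsa, NULL)`; a plain `if (k->type == KEY_RSA)` reads more clearly and avoids a one-arm switch. The single-argument `lookup_identity(k)` is the right rebase for the single-table agent. Separately, this block still uses the legacy `Key *` / `key_load_private` / `key_free` API pulled in by the `+#include "key.h"` added above, while the surrounding file already includes `sshkey.h`; porting the callback to the `struct sshkey` / `sshkey_*` equivalents would remove the dependency on the compatibility header and make the next rebase less likely to break here.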
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1745,8 +1757,8 @@
</span> + }
+ id->death = 0;
+ id->confirm = 0;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ TAILQ_INSERT_TAIL(&tab->idlist, id, next);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ tab->nentries++;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ TAILQ_INSERT_TAIL(&idtab->idlist, id, next);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ idtab->nentries++;
</span> + } else {
+ key_free(k);
+ return 1;
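Review bot: a key that `lookup_identity(k)` already finds in the agent takes the `} else { key_free(k); return 1; }` path, the same return value used when `key_load_private` fails. If `add_from_keychain` folds those return values into the `-1` that makes `ssh-add -m` set `ret = 1`, a second `ssh-add -m` run with every key already loaded reports failure instead of being a harmless no-op. Consider returning 0 (or a distinct code the caller can ignore) for the already-present case, and mention the chosen behaviour in the patch header.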
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1772,8 +1784,8 @@
</span> +
/* dispatch incoming messages */
<span style='display:block; white-space:pre;background:#ffe0e0;'>- static void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -931,6 +992,9 @@ process_message(SocketEntry *e)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -730,6 +786,9 @@ process_message(u_int socknum)
</span> process_remove_smartcard_key(e);
break;
#endif /* ENABLE_PKCS11 */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1783,7 +1795,7 @@
</span> default:
/* Unknown message. Respond with failure. */
error("Unknown message %d", type);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1181,7 +1245,11 @@ usage(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1016,7 +1075,11 @@ usage(void)
</span> int
main(int ac, char **av)
{
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1793,23 +1805,23 @@
</span> int c_flag = 0, d_flag = 0, D_flag = 0, k_flag = 0, s_flag = 0;
+#endif
int sock, fd, ch, result, saved_errno;
<span style='display:block; white-space:pre;background:#ffe0e0;'>- u_int nalloc;
</span> char *shell, *format, *pidstr, *agentsocket = NULL;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1214,7 +1282,11 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef HAVE_SETRLIMIT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1049,7 +1112,11 @@ main(int ac, char **av)
</span> __progname = ssh_get_progname(av[0]);
seed_rng();
+#ifdef __APPLE_LAUNCHD__
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ while ((ch = getopt(ac, av, "cDdklsE:a:t:")) != -1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ while ((ch = getopt(ac, av, "cDdklsE:a:P:t:")) != -1) {
</span> +#else
<span style='display:block; white-space:pre;background:#ffe0e0;'>- while ((ch = getopt(ac, av, "cDdksE:a:t:")) != -1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ while ((ch = getopt(ac, av, "cDdksE:a:P:t:")) != -1) {
</span> +#endif
switch (ch) {
case 'E':
fingerprint_hash = ssh_digest_alg_by_name(optarg);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1229,6 +1301,11 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case 'k':
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- k_flag++;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1069,6 +1136,11 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal("-P option already specified");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ pkcs11_whitelist = xstrdup(optarg);
</span> break;
+#ifdef __APPLE_LAUNCHD__
+ case 'l':
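Review bot: the `#ifdef __APPLE_LAUNCHD__` block keeps two copies of the getopt string, `"cDdklsE:a:P:t:"` and `"cDdksE:a:P:t:"`, differing only by the launchd `l` option. The rebase picked up upstream's new `P:` in both, but the duplication means a future upstream option added to only one string would diverge silently. Defining the common string once (for example a macro with `"l"` appended under `__APPLE_LAUNCHD__`) keeps a single source of truth, and the `-l` handling added below (`case 'l':`) would then be the only launchd-specific code in the option loop.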
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1819,7 +1831,7 @@
</span> case 's':
if (c_flag)
usage();
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1260,7 +1337,11 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1100,7 +1172,11 @@ main(int ac, char **av)
</span> ac -= optind;
av += optind;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1830,8 +1842,8 @@
</span> +#endif
usage();
<span style='display:block; white-space:pre;background:#ffe0e0;'>- if (ac == 0 && !c_flag && !s_flag) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1316,6 +1397,53 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (pkcs11_whitelist == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1159,6 +1235,53 @@ main(int ac, char **av)
</span> * Create socket early so it will exist before command gets run from
* the parent.
*/
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1885,7 +1897,7 @@
</span> prev_mask = umask(0177);
sock = unix_listener(socket_name, SSH_LISTEN_BACKLOG, 0);
if (sock < 0) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1324,6 +1452,14 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1167,6 +1290,14 @@ main(int ac, char **av)
</span> cleanup_exit(1);
}
umask(prev_mask);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1900,7 +1912,7 @@
</span>
/*
* Fork, and have the parent execute the command, if any, or present
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1401,6 +1537,7 @@ skip:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1244,6 +1375,7 @@ skip:
</span> pkcs11_init(0);
#endif
new_socket(AUTH_SOCKET, sock);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1908,7 +1920,7 @@
</span> if (ac > 0)
parent_alive_interval = 10;
idtab_init();
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1414,6 +1551,10 @@ skip:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1256,6 +1388,10 @@ skip:
</span> fatal("%s: pledge: %s", __progname, strerror(errno));
platform_pledge_agent();
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1917,10 +1929,10 @@
</span> +#endif
+
while (1) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>- prepare_select(&readsetp, &writesetp, &max_fd, &nalloc, &tvp);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- result = select(max_fd + 1, readsetp, writesetp, NULL, tvp);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh-keysign.8 2016-09-29 10:37:08.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh-keysign.8 2016-09-29 11:02:50.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ prepare_poll(&pfd, &npfd, &timeout);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ result = poll(pfd, npfd, timeout);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh-keysign.8 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh-keysign.8 2017-10-08 09:09:58.000000000 +0200
</span> @@ -72,6 +72,9 @@ accessible to others.
Since they are readable only by root,
.Nm
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1931,29 +1943,8 @@
</span> .Pp
.It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
.It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshconnect1.c 2016-09-29 10:37:08.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshconnect1.c 2016-09-29 11:02:50.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -51,6 +51,7 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "auth.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "digest.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "ssherr.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "keychain.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Session id for the current session. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- u_char session_id[16];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -274,6 +275,10 @@ try_rsa_authentication(int idx)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- snprintf(buf, sizeof(buf),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- "Enter passphrase for RSA key '%.100s': ", comment);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- for (i = 0; i < options.number_of_password_prompts; i++) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef __APPLE_KEYCHAIN__
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ passphrase = keychain_read_passphrase(comment, options.ask_pass_gui);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (passphrase == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- passphrase = read_passphrase(buf, 0);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (strcmp(passphrase, "") != 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- private = key_load_private_type(KEY_RSA1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshconnect2.c 2016-09-29 10:37:08.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshconnect2.c 2016-09-29 11:17:29.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshconnect2.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshconnect2.c 2017-10-08 09:09:59.000000000 +0200
</span> @@ -72,6 +72,7 @@
#include "hostfile.h"
#include "ssherr.h"
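Review bot: this hunk deletes the whole `sshconnect1.c` section of the patch, which was the only place `keychain_read_passphrase(comment, options.ask_pass_gui)` was hooked into the `try_rsa_authentication` / `KEY_RSA1` prompt path. The commit message only says "Rebase patches", so the removal of a functional piece should be recorded explicitly (file dropped upstream, no replacement needed). Please also confirm that the remaining keychain hook in `sshconnect2.c`'s `load_identity_file` hunk now covers every passphrase prompt the client can reach, so no identity type silently loses the keychain lookup.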
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1962,7 +1953,7 @@
</span>
#ifdef GSSAPI
#include "ssh-gss.h"
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1205,6 +1206,10 @@ load_identity_file(Identity *id)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1251,6 +1252,10 @@ load_identity_file(Identity *id)
</span> if (i == 0)
passphrase = "";
else {
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1973,9 +1964,9 @@
</span> passphrase = read_passphrase(prompt, 0);
if (*passphrase == '\0') {
debug2("no passphrase given, try next key");
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd.0 2016-09-29 10:37:08.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd.0 2016-09-29 11:02:50.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -651,8 +651,7 @@ FILES
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd.0 2017-10-03 18:05:55.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd.0 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -618,8 +618,7 @@ FILES
</span>
SEE ALSO
scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1985,9 +1976,9 @@
</span>
AUTHORS
OpenSSH is a derivative of the original and free ssh 1.2.12 release by
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd.8 2016-09-29 10:37:08.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd.8 2016-09-29 11:02:50.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -986,10 +986,7 @@ The content of this file is not sensitiv
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd.8 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd.8 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -943,10 +943,7 @@ The content of this file is not sensitiv
</span> .Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1998,9 +1989,9 @@
</span> .Xr sftp-server 8
.Sh AUTHORS
OpenSSH is a derivative of the original and free
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd.c 2016-09-29 10:37:05.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd.c 2016-09-29 11:02:50.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2295,6 +2295,12 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd.c 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd.c 2017-10-08 09:09:59.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2063,6 +2063,12 @@ main(int ac, char **av)
</span> audit_event(SSH_AUTH_SUCCESS);
#endif
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2013,7 +2004,7 @@
</span> #ifdef GSSAPI
if (options.gss_authentication) {
temporarily_use_uid(authctxt->pw);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2302,12 +2308,6 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2070,12 +2076,6 @@ main(int ac, char **av)
</span> restore_uid();
}
#endif
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2026,9 +2017,9 @@
</span>
/*
* In privilege separation, we fork another child and prepare
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd_config 2016-09-29 10:37:08.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd_config 2016-09-29 11:18:08.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -34,7 +34,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd_config 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd_config 2017-10-08 09:09:59.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -24,7 +24,7 @@
</span> #RekeyLimit default none
# Logging
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2037,7 +2028,7 @@
</span> #LogLevel INFO
# Authentication:
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -67,8 +67,9 @@ AuthorizedKeysFile .ssh/authorized_keys
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -54,8 +54,9 @@ AuthorizedKeysFile .ssh/authorized_keys
</span> # Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2049,7 +2040,7 @@
</span> #PermitEmptyPasswords no
# Change to no to disable s/key passwords
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -93,7 +94,10 @@ AuthorizedKeysFile .ssh/authorized_keys
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -80,7 +81,10 @@ AuthorizedKeysFile .ssh/authorized_keys
</span> # If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2061,43 +2052,43 @@
</span>
#AllowAgentForwarding yes
#AllowTcpForwarding yes
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd_config.0 2016-09-29 10:37:08.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd_config.0 2016-09-29 11:02:50.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -696,7 +696,7 @@ DESCRIPTION
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd_config.0 2017-10-03 18:05:56.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd_config.0 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -674,7 +674,7 @@ DESCRIPTION
</span>
PasswordAuthentication
Specifies whether password authentication is allowed. The
<span style='display:block; white-space:pre;background:#ffe0e0;'>-- default is M-bM-^@M-^\yesM-bM-^@M-^].
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ default is M-bM-^@M-^\noM-bM-^@M-^].
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- default is yes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ default is no.
</span>
PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -958,7 +958,7 @@ DESCRIPTION
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -904,7 +904,7 @@ DESCRIPTION
</span> either PasswordAuthentication or ChallengeResponseAuthentication.
If UsePAM is enabled, you will not be able to run sshd(8) as a
<span style='display:block; white-space:pre;background:#ffe0e0;'>-- non-root user. The default is M-bM-^@M-^\noM-bM-^@M-^].
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ non-root user. The default is M-bM-^@M-^\yesM-bM-^@M-^].
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- UsePrivilegeSeparation
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Specifies whether sshd(8) separates privileges by creating an
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd_config.5 2016-09-29 10:37:08.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd_config.5 2016-09-29 11:02:50.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1180,7 +1180,7 @@ are refused if the number of unauthentic
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- non-root user. The default is no.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ non-root user. The default is yes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ VersionAddendum
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Optionally specifies additional text to append to the SSH
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd_config.5 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd_config.5 2017-10-08 09:09:59.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1143,7 +1143,7 @@ are refused if the number of unauthentic
</span> .It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
The default is
<span style='display:block; white-space:pre;background:#ffe0e0;'>--.Dq yes .
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Dq no .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-.Cm yes .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Cm no .
</span> .It Cm PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1595,7 +1595,7 @@ is enabled, you will not be able to run
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1500,7 +1500,7 @@ is enabled, you will not be able to run
</span> .Xr sshd 8
as a non-root user.
The default is
<span style='display:block; white-space:pre;background:#ffe0e0;'>--.Dq no .
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Dq yes .
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .It Cm UsePrivilegeSeparation
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Specifies whether
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .Xr sshd 8
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-.Cm no .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Cm yes .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .It Cm VersionAddendum
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Optionally specifies additional text to append to the SSH protocol banner
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sent by the server upon connection.
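Review bot: these `sshd_config.0` and `sshd_config.5` hunks are documentation only, flipping the documented `PasswordAuthentication` default from `yes` to `no` and the `UsePAM` default from `no` to `yes`. The hunk that would actually change the defaults is not visible here, so please double-check that the shipped `sshd_config` hunks above set `PasswordAuthentication no` and `UsePAM yes`, otherwise the manual describes behaviour the server does not have. The refreshed context lines correctly track upstream's move from `.Dq yes .` to `.Cm yes .` in the `.5` source and the matching plain `yes` / `no` in the generated `.0` text (the old lines carried the curly quotes as `M-bM-^@M-^\yesM-bM-^@M-^]`); since the `.0` files are preformatted output of the `.5` pages, keeping both in sync will need attention on every rebase.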
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/launchd.patch b/net/openssh/files/launchd.patch
</span><span style='display:block; white-space:pre;color:#808080;'>index eab1899..0068461 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/files/launchd.patch
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/files/launchd.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1,51 +1,6 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/channels.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/channels.c 2016-09-29 06:55:54.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -4041,15 +4041,35 @@ x11_connect_display(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * connection to the real X server.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- /* Check if the display is from launchd. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef __APPLE__
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (strncmp(display, "/tmp/launch", 11) == 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- sock = connect_local_xsocket_path(display);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (sock < 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- return -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Check if the display is a path to a socket (as set by launchd). */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char path[PATH_MAX];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct stat sbuf;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int is_path_to_socket = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ strlcpy(path, display, sizeof(path));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (0 == stat(path, &sbuf)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ is_path_to_socket = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *dot = strrchr(path, '.');
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (dot) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *dot = '\0';
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* screen = atoi(dot + 1); */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (0 == stat(path, &sbuf)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ is_path_to_socket=1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- /* OK, we now have a connection to the display. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- return sock;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (is_path_to_socket) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sock = connect_local_xsocket_path(path);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (sock < 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* OK, we now have a connection to the display. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return sock;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/clientloop.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/clientloop.c 2016-09-29 06:55:55.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -316,6 +316,10 @@ client_x11_get_proto(const char *display
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/clientloop.c 2017-10-07 04:21:42.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/clientloop.c 2017-10-07 04:30:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -301,6 +301,10 @@ client_x11_get_proto(struct ssh *ssh, co
</span> struct stat st;
u_int now, x11_timeout_real;
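Review bot: the removed `-+ if (is_path_to_socket) { sock = connect_local_xsocket_path(path); ... return sock; }` block in the connect path is not re-added anywhere in the refreshed patch visible here (the channels.c hunk further down only changes `static int` to `int`), so this refresh relies on the base tree, after the earlier patches in the series, already connecting directly to a $DISPLAY that is a socket path. Please confirm that behaviour survives in the 7.6p1 series, because the clientloop.c side below still sets is_path_to_socket and depends on the connect path honouring it; if another patch in the series now provides it, a one-line note in the patch header would make the dependency explicit.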
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -56,7 +11,7 @@
</span> *_proto = proto;
*_data = data;
proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -332,6 +336,34 @@ client_x11_get_proto(const char *display
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -317,6 +321,19 @@ client_x11_get_proto(struct ssh *ssh, co
</span> }
if (xauth_path != NULL) {
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -68,32 +23,17 @@
</span> + * to determine if an error should be displayed.
+ */
+ char path[PATH_MAX];
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct stat sbuf;
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ strlcpy(path, display, sizeof(path));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (0 == stat(path, &sbuf)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ is_path_to_socket = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *dot = strrchr(path, '.');
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (dot) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *dot = '\0';
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* screen = atoi(dot + 1); */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (0 == stat(path, &sbuf)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ is_path_to_socket = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("x11_get_proto: $DISPLAY is launchd, removing screennum");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ setenv("DISPLAY", path, 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ is_path_to_socket = is_path_to_xsocket(display, path, sizeof(path));
</span> + }
+#endif /* __APPLE__ */
+
/*
* Handle FamilyLocal case where $DISPLAY does
* not match an authorization entry. For this we
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -441,6 +473,9 @@ client_x11_get_proto(const char *display
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (!got_data) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- u_int32_t rnd = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -428,6 +445,9 @@ client_x11_get_proto(struct ssh *ssh, co
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ u_int8_t rnd[16];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ u_int i;
</span>
+#if __APPLE__
+ if (!is_path_to_socket)
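Review bot: the removed inline block did more than detect the socket: after stripping the screen number it also ran `setenv("DISPLAY", path, 1)` (with `debug("x11_get_proto: $DISPLAY is launchd, removing screennum")`), while the replacement `is_path_to_socket = is_path_to_xsocket(display, path, sizeof(path));` only shows a return value and a path buffer. Please confirm that is_path_to_xsocket(), or the xauth invocation that follows, performs the same DISPLAY rewrite; otherwise xauth is later handed the unstripped launchd path and the FamilyLocal handling below behaves differently from the 7.3p1 version of this patch. Dropping `struct stat sbuf;` from clientloop.c is fine once the stat() lives in channels.c.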
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -101,3 +41,26 @@
</span> logit("Warning: No xauth data; "
"using fake authentication data for X11 forwarding.");
strlcpy(proto, SSH_X11_PROTO, sizeof proto);
<span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/channels.c 2017-10-07 04:21:42.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/channels.c 2017-10-07 04:26:38.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -4517,7 +4517,7 @@ connect_local_xsocket(u_int dnr)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef __APPLE__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-static int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ is_path_to_xsocket(const char *display, char *path, size_t pathlen)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct stat sbuf;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/channels.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/channels.h 2017-10-07 04:26:24.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -316,6 +316,9 @@ int permitopen_port(const char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* x11 forwarding */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void channel_set_x11_refuse_time(struct ssh *, u_int);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int is_path_to_xsocket(const char *, char *, size_t);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int x11_connect_display(struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int x11_create_display_inet(struct ssh *, int, int, int, u_int *, int **);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void x11_request_forwarding_with_spoofing(struct ssh *, int,
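Review bot: the preprocessor guards are mixed within one patch: clientloop.c uses `+#if __APPLE__` while channels.c and channels.h use `#ifdef __APPLE__` (`++#ifdef __APPLE__` around the new prototype). Both work where __APPLE__ is defined to 1, but `#if` on a possibly undefined macro relies on it evaluating to 0 and reads as a different intent; suggest `#ifdef __APPLE__` in clientloop.c as well. Exporting is_path_to_xsocket() (`-static int` to `++int`) and declaring it under the same guard in channels.h is the right way to share the single implementation instead of keeping the copy that was removed from clientloop.c.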
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/openssh-7.3p1-gsskex-all-20141021-mp-20160929.patch b/net/openssh/files/openssh-7.6p1-gsskex-all-20141021-mp-20171009.patch
</span>similarity index 81%
rename from net/openssh/files/openssh-7.3p1-gsskex-all-20141021-mp-20160929.patch
rename to net/openssh/files/openssh-7.6p1-gsskex-all-20141021-mp-20171009.patch
<span style='display:block; white-space:pre;color:#808080;'>index c89189e..f0b18bc 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/files/openssh-7.3p1-gsskex-all-20141021-mp-20160929.patch
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/files/openssh-7.6p1-gsskex-all-20141021-mp-20171009.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -23,18 +23,20 @@ Patch-Name: gssapi.patch
</span>
Updated by: Mihai Moldovan <ionic@macports.org>
<span style='display:block; white-space:pre;background:#ffe0e0;'>-Patch-Name: openssh-6.7p1-gsskex-all-20141021-284f364.patch
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-Abstract: Updated for OpenSSH 7.3p1 with MacPorts patches for integration
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- with Apple's launchd, pam, sandbox and KeyChain.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Patch-Name: openssh-7.6p1-gsskex-all-20141021-mp-20171009.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Abstract: Updated for OpenSSH 7.6p1 with MacPorts patches for integration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ with Apple's launchd, pam, sandbox and Keychain.
</span> WARNING: the commit ID does NOT match this patch. It is merely
provided for reference.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-Last-Updated: 2016-09-29
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Last-Updated: 2017-10-09
</span> X-Ref: http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/tree/openssh-6.1p1-gssapi-canohost.patch?id=b487a6d746c5bff2889ce09f98535d3b5e1e7e65
X-Ref: http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/tree/openssh-7.0p1-gssKexAlgorithms.patch?id=13073f8d9ccec27646453f729aaa2952ae86ad01
X-Ref: http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/tree/openssh-7.1p1-gssapi-documentation.patch?id=d9d9575f0065dc0cf84743fa8c163df70c0623b8
X-Ref: http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/tree/openssh-7.2p1-gsskex.patch?id=b487a6d746c5bff2889ce09f98535d3b5e1e7e65
<span style='display:block; white-space:pre;background:#e0ffe0;'>+X-Ref: http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/tree/openssh-7.2p1-gsskex.patch?id=17b491b3075c078c75ca0fa5ad7438e52747b3b0
</span> X-Ref: http://sources.debian.net/data/main/o/openssh/1:7.3p1-1/debian/patches/gssapi.patch
X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/gssapi.patch?id=477bb7636238c106f8cd7c868a8c0c5eabcfb3db
<span style='display:block; white-space:pre;background:#e0ffe0;'>+X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/gssapi.patch?id=0556ea972b15607b7e13ff31bc05840881c91dd3
</span> ---
ChangeLog.gssapi | 113 +++++++++++++++++++
Makefile.in | 3 +-
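Review bot: two new X-Ref lines are added (one Fedora openssh-7.2p1-gsskex.patch revision, one Debian gssapi.patch revision) but the Abstract only records the version bump to 7.6p1 and the Keychain spelling fix. Please add a line stating what was taken from each reference (for example the `struct ssh *` userauth signature changes visible further down) so the next rebase knows which upstream revision this was diffed against; the retained "WARNING: the commit ID does NOT match this patch" line otherwise makes that provenance hard to reconstruct.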
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -75,18 +77,18 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> create mode 100644 kexgsss.c
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ChangeLog.gssapi 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ChangeLog.gssapi 2017-10-08 09:42:57.000000000 +0200
</span> @@ -0,0 +1,113 @@
+20110101
+ - Finally update for OpenSSH 5.6p1
+ - Add GSSAPIServerIdentity option from Jim Basney
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> +20100308
+ - [ Makefile.in, key.c, key.h ]
+ Updates for OpenSSH 5.4p1
+ - [ servconf.c ]
+ Include GSSAPI options in the sshd -T configuration dump, and flag
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ some older configuration options as being unsupported. Thanks to Colin
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ some older configuration options as being unsupported. Thanks to Colin
</span> + Watson.
+ -
+
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -123,12 +125,12 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +
+20070317
+ - [ gss-serv-krb5.c ]
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Remove C99ism, where new_ccname was being declared in the middle of a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Remove C99ism, where new_ccname was being declared in the middle of a
</span> + function
+
+20061220
+ - [ servconf.c ]
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Make default for GSSAPIStrictAcceptorCheck be Yes, to match previous, and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Make default for GSSAPIStrictAcceptorCheck be Yes, to match previous, and
</span> + documented, behaviour. Reported by Dan Watson.
+
+20060910
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -149,12 +151,12 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +20060909
+ - [ gss-genr.c gss-serv.c ]
+ move ssh_gssapi_acquire_cred() and ssh_gssapi_server_ctx to be server
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ only, where they belong
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ only, where they belong
</span> + <Bugzilla #1225>
+
+20060829
+ - [ gss-serv-krb5.c ]
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Fix CCAPI credentials cache name when creating KRB5CCNAME environment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Fix CCAPI credentials cache name when creating KRB5CCNAME environment
</span> + variable
+
+20060828
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -164,13 +166,13 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +
+20060818
+ - [ gss-genr.c ssh-gss.h sshconnect2.c ]
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Make sure that SPENGO is disabled
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Make sure that SPENGO is disabled
</span> + <Bugzilla #1218 - Fixed upstream 20060818>
+
+20060421
+ - [ gssgenr.c, sshconnect2.c ]
+ a few type changes (signed versus unsigned, int versus size_t) to
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fix compiler errors/warnings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fix compiler errors/warnings
</span> + (from jbasney AT ncsa.uiuc.edu)
+ - [ kexgssc.c, sshconnect2.c ]
+ fix uninitialized variable warnings
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -183,39 +185,43 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + #ifdef HAVE_GSSAPI_KRB5 should be #ifdef HAVE_GSSAPI_KRB5_H
+ (from jbasney AT ncsa.uiuc.edu)
+ <Fixed upstream 20060304>
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ readconf.c, readconf.h, ssh_config.5, sshconnect2.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - [ readconf.c, readconf.h, ssh_config.5, sshconnect2.c
</span> + add client-side GssapiKeyExchange option
+ (from jbasney AT ncsa.uiuc.edu)
+ - [ sshconnect2.c ]
+ add support for GssapiTrustDns option for gssapi-with-mic
+ (from jbasney AT ncsa.uiuc.edu)
+ <gssapi-with-mic support is Bugzilla #1008>
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/Makefile.in 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/Makefile.in 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -93,10 +93,10 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/Makefile.in 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/Makefile.in 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -77,7 +77,7 @@ LIBOPENSSH_OBJS=\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ bitmap.o
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- authfd.o authfile.o bufaux.o bufbn.o bufec.o buffer.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ authfd.o authfile.o auth-compat.o bufaux.o bufbn.o bufec.o buffer.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ canohost.o channels.o cipher.o cipher-aes.o cipher-aesctr.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ cipher-ctr.o cleanup.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ compat.o crc32.o fatal.o hostfile.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -93,6 +93,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
</span> kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
<span style='display:block; white-space:pre;background:#ffe0e0;'>-- platform-pledge.o platform-tracing.o
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ platform-pledge.o platform-tracing.o kexgssc.o
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kexgssc.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ platform-pledge.o platform-tracing.o platform-misc.o
</span>
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
<span style='display:block; white-space:pre;background:#ffe0e0;'>-- sshconnect.o sshconnect1.o sshconnect2.o mux.o
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sshconnect.o sshconnect1.o sshconnect2.o mux.o auth-compat.o
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- audit.o audit-bsm.o audit-linux.o platform.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -106,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -106,7 +107,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
</span> auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o \
<span style='display:block; white-space:pre;background:#ffe0e0;'>- monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ monitor.o monitor_wrap.o auth-krb5.o \
</span> - auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/auth-krb5.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth-krb5.c 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/auth-krb5.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth-krb5.c 2017-10-08 09:42:57.000000000 +0200
</span> @@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, c
len = strlen(authctxt->krb5_ticket_file) + 6;
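Review bot: `auth-compat.o` moves from the client-only SSHOBJS list (the dropped `-+ sshconnect.o sshconnect1.o sshconnect2.o mux.o auth-compat.o`) into LIBSSH_OBJS (`++ authfd.o authfile.o auth-compat.o bufaux.o bufbn.o bufec.o buffer.o \`), so it is now linked into libssh.a and therefore into sshd and every other binary, not just ssh. Please confirm that is intended and that the object has no client-only dependencies; if the move was only made because the old SSHOBJS hunk no longer applies once sshconnect1.o is gone, a refreshed SSHOBJS hunk would keep the previous linkage. The `monitor_mm.o`, `kexgssc.o` and `platform-misc.o` rearrangements read as plain context refreshes.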
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -263,10 +269,10 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span>
return (krb5_cc_resolve(ctx, ccname, ccache));
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/auth2-gss.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth2-gss.c 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/auth2-gss.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth2-gss.c 2017-10-08 09:42:57.000000000 +0200
</span> @@ -1,7 +1,7 @@
<span style='display:block; white-space:pre;background:#ffe0e0;'>- /* $OpenBSD: auth2-gss.c,v 1.22 2015/01/19 20:07:45 markus Exp $ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* $OpenBSD: auth2-gss.c,v 1.26 2017/06/24 06:34:38 djm Exp $ */
</span>
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -274,15 +280,16 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -54,6 +54,40 @@ static int input_gssapi_exchange_complet
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static int input_gssapi_errtok(int, u_int32_t, void *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -54,6 +54,41 @@ static int input_gssapi_exchange_complet
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
</span>
/*
+ * The 'gssapi_keyex' userauth mechanism.
+ */
+static int
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+userauth_gsskeyex(Authctxt *authctxt)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++userauth_gsskeyex(struct ssh *ssh)
</span> +{
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ Authctxt *authctxt = ssh->authctxt;
</span> + int authenticated = 0;
+ Buffer b;
+ gss_buffer_desc mic, gssbuf;
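Review bot: `userauth_gsskeyex()` is rewritten to the `struct ssh *` callback shape (`++userauth_gsskeyex(struct ssh *ssh)` with `++ Authctxt *authctxt = ssh->authctxt;`), consistent with the updated `input_gssapi_errtok(int, u_int32_t, struct ssh *)` prototype above it. The Authmethod table entry that references this function is not in the visible hunks; please double-check that it and the other callbacks carried by this patch use the same signature, since a mismatched callback in a struct initializer is only a warning in C and would slip through a build that does not use -Werror.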
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -315,7 +322,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> * We only support those mechanisms that we know about (ie ones that we know
* how to check local user kuserok and the like)
*/
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -238,7 +272,8 @@ input_gssapi_exchange_complete(int type,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -240,7 +275,8 @@ input_gssapi_exchange_complete(int type,
</span>
packet_check_eom();
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -323,9 +330,9 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
+ authctxt->pw));
<span style='display:block; white-space:pre;background:#ffe0e0;'>- authctxt->postponed = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -274,7 +309,8 @@ input_gssapi_mic(int type, u_int32_t ple
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((!use_privsep || mm_is_monitor()) &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (displayname = ssh_gssapi_displayname()) != NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -281,7 +317,8 @@ input_gssapi_mic(int type, u_int32_t ple
</span> gssbuf.length = buffer_len(&b);
if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -335,7 +342,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> else
logit("GSSAPI MIC check failed");
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -290,6 +326,12 @@ input_gssapi_mic(int type, u_int32_t ple
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -301,6 +338,12 @@ input_gssapi_mic(int type, u_int32_t ple
</span> return 0;
}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -348,9 +355,9 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> Authmethod method_gssapi = {
"gssapi-with-mic",
userauth_gssapi,
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/auth2.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth2.c 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -70,6 +70,7 @@ extern Authmethod method_passwd;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/auth2.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth2.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -72,6 +72,7 @@ extern Authmethod method_passwd;
</span> extern Authmethod method_kbdint;
extern Authmethod method_hostbased;
#ifdef GSSAPI
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -358,7 +365,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> extern Authmethod method_gssapi;
#endif
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -77,6 +78,7 @@ Authmethod *authmethods[] = {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -79,6 +80,7 @@ Authmethod *authmethods[] = {
</span> &method_none,
&method_pubkey,
#ifdef GSSAPI
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -366,9 +373,9 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> &method_gssapi,
#endif
&method_passwd,
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/clientloop.c 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/clientloop.c 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -114,6 +114,10 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/clientloop.c 2017-10-08 09:42:56.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/clientloop.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -112,6 +112,10 @@
</span> #include "ssherr.h"
#include "hostfile.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -379,17 +386,17 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> /* import options */
extern Options options;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1701,9 +1705,18 @@ client_loop(int have_pty, int escape_cha
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1369,9 +1373,18 @@ client_loop(struct ssh *ssh, int have_pt
</span> break;
/* Do channel operations unless rekeying in progress. */
<span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (!ssh_packet_is_rekeying(active_state))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!ssh_packet_is_rekeying(active_state)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- channel_after_select(readset, writeset);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (!ssh_packet_is_rekeying(ssh))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!ssh_packet_is_rekeying(ssh)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ channel_after_select(ssh, readset, writeset);
</span>
+#ifdef GSSAPI
+ if (options.gss_renewal_rekey &&
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_gssapi_credentials_updated(GSS_C_NO_CONTEXT)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_credentials_updated(NULL)) {
</span> + debug("credentials updated - forcing rekey");
+ need_rekeying = 1;
+ }
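Review bot: the rekey trigger changes from `ssh_gssapi_credentials_updated(GSS_C_NO_CONTEXT)` to `ssh_gssapi_credentials_updated(NULL)` with no explanation in the patch header. If the parameter is OpenSSH's own `Gssctxt *` wrapper rather than a `gss_ctx_id_t`, NULL is the correct spelling and GSS_C_NO_CONTEXT was a pointer-type mismatch, which is worth recording in the Abstract so a later rebase against the Debian or Fedora reference does not reintroduce it; if the parameter really is a `gss_ctx_id_t`, keep GSS_C_NO_CONTEXT. The surrounding `ssh_packet_is_rekeying(ssh)` and `channel_after_select(ssh, readset, writeset)` lines are the expected 7.6p1 context refresh.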
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -399,9 +406,9 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> /* Buffer input from the connection. */
client_process_net_input(readset);
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/config.h.in 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/config.h.in 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1680,6 +1680,9 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/config.h.in 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/config.h.in 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1708,6 +1708,9 @@
</span> /* Use btmp to log bad logins */
#undef USE_BTMP
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -411,7 +418,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> /* Use libedit for sftp */
#undef USE_LIBEDIT
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1698,6 +1701,9 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1726,6 +1729,9 @@
</span> /* Define if you have Solaris privileges */
#undef USE_SOLARIS_PRIVS
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -421,9 +428,9 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> /* Define if you have Solaris process contracts */
#undef USE_SOLARIS_PROCESS_CONTRACTS
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/configure.ac 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/configure.ac 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -632,6 +632,30 @@ main() { if (NSVersionOfRunTimeLibrary("
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/configure.ac 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/configure.ac 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -621,6 +621,30 @@ main() { if (NSVersionOfRunTimeLibrary("
</span> [Use tunnel device compatibility to OpenBSD])
AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
[Prepend the address family to IP tunnel traffic])
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -431,7 +438,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + AC_TRY_COMPILE([#include <Security/AuthSession.h>],
+ [SessionCreate(0, 0);],
+ [ac_cv_use_security_session_api="yes"
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ AC_DEFINE([USE_SECURITY_SESSION_API], [1],
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ AC_DEFINE([USE_SECURITY_SESSION_API], [1],
</span> + [platform has the Security Authorization Session API])
+ LIBS="$LIBS -framework Security"
+ AC_MSG_RESULT([yes])],
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -442,7 +449,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + [#include <Kerberos/Kerberos.h>],
+ [cc_context_t c;
+ (void) cc_initialize (&c, 0, NULL, NULL);],
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ [AC_DEFINE([USE_CCAPI], [1],
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [AC_DEFINE([USE_CCAPI], [1],
</span> + [platform uses an in-memory credentials cache])
+ LIBS="$LIBS -framework Security"
+ AC_MSG_RESULT([yes])
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -454,10 +461,10 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> m4_pattern_allow([AU_IPv])
AC_CHECK_DECL([AU_IPv4], [],
AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/gss-genr.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/gss-genr.c 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/gss-genr.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/gss-genr.c 2017-10-08 09:42:57.000000000 +0200
</span> @@ -1,7 +1,7 @@
<span style='display:block; white-space:pre;background:#ffe0e0;'>- /* $OpenBSD: gss-genr.c,v 1.23 2015/01/20 23:14:00 deraadt Exp $ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* $OpenBSD: gss-genr.c,v 1.24 2016/09/12 01:22:38 deraadt Exp $ */
</span>
/*
- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
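Review bot: the `--- a/gss-genr.c` / `+++ b/gss-genr.c` header lines change only in their
timestamps (2016-07-28 and 2016-09-29 to 2017-10-02 and 2017-10-08), and the same pair of lines
will churn again on every refresh of every file in this patch. Since this commit adds quilt
helper targets, generating with `quilt refresh --no-timestamps` (or putting that flag in
QUILT_REFRESH_ARGS) keeps the file headers stable, so the only header-level change left to
review is a real one like the `$OpenBSD: gss-genr.c,v 1.24` id bump in the line below.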
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -465,7 +472,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -41,12 +41,167 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -40,12 +40,167 @@
</span> #include "buffer.h"
#include "log.h"
#include "ssh2.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -592,7 +599,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + free(mechs);
+ mechs = NULL;
+ }
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> + return (mechs);
+}
+
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -633,7 +640,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> /* Check that the OID in a data stream matches that in the context */
int
ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -199,7 +354,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -198,7 +353,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de
</span> }
ctx->major = gss_init_sec_context(&ctx->minor,
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -642,7 +649,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
0, NULL, recv_tok, NULL, send_tok, flags, NULL);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -229,8 +384,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -228,8 +383,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con
</span> }
OM_uint32
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -663,8 +670,8 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + GSS_C_NT_USER_NAME, &gssname);
+
+ if (!ctx->major)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ctx->major = gss_acquire_cred(&ctx->minor,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gssname, 0, oidset, GSS_C_INITIATE,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ctx->major = gss_acquire_cred(&ctx->minor,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gssname, 0, oidset, GSS_C_INITIATE,
</span> + &ctx->client_creds, NULL, NULL);
+
+ gss_release_name(&status, &gssname);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -679,13 +686,13 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +OM_uint32
ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
{
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (ctx == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (ctx == NULL)
</span> + return -1;
+
if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
GSS_C_QOP_DEFAULT, buffer, hash)))
ssh_gssapi_error(ctx);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -238,6 +427,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -237,6 +426,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer
</span> return (ctx->major);
}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -705,12 +712,12 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> void
ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
const char *context)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -251,11 +453,16 @@ ssh_gssapi_buildmic(Buffer *b, const cha
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -250,11 +452,16 @@ ssh_gssapi_buildmic(Buffer *b, const cha
</span> }
int
-ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host,
</span> + const char *client)
{
gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -723,7 +730,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span>
/* RFC 4462 says we MUST NOT do SPNEGO */
if (oid->length == spnego_oid.length &&
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -265,6 +472,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -264,6 +471,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
</span> ssh_gssapi_build_ctx(ctx);
ssh_gssapi_set_oid(*ctx, oid);
major = ssh_gssapi_import_name(*ctx, host);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -734,12 +741,12 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> if (!GSS_ERROR(major)) {
major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
NULL);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -274,10 +485,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -273,10 +484,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
</span> GSS_C_NO_BUFFER);
}
- if (GSS_ERROR(major))
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (GSS_ERROR(major) || intctx != NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (GSS_ERROR(major) || intctx != NULL)
</span> ssh_gssapi_delete_ctx(ctx);
return (!GSS_ERROR(major));
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -754,7 +761,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + static OM_uint32 last_call = 0;
+ OM_uint32 lifetime, now, major, minor;
+ int equal;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> + now = time(NULL);
+
+ if (ctxt) {
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -782,8 +789,8 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +
+ if (saved_mech == GSS_C_NO_OID)
+ return 0;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL,
</span> + &name, &lifetime, NULL, NULL);
+ if (major == GSS_S_CREDENTIALS_EXPIRED)
+ return 0;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -802,8 +809,8 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +}
+
#endif /* GSSAPI */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/gss-serv-krb5.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/gss-serv-krb5.c 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/gss-serv-krb5.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/gss-serv-krb5.c 2017-10-08 09:42:57.000000000 +0200
</span> @@ -1,7 +1,7 @@
/* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -873,12 +880,12 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + krb5_error_code problem;
+ OM_uint32 maj_status, min_status;
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ logit("krb5_cc_resolve(): %.100s",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ krb5_get_err_text(krb_context, problem));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ logit("krb5_cc_resolve(): %.100s",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ krb5_get_err_text(krb_context, problem));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> + /* Find out who the principal in this cache is */
+ if ((problem = krb5_cc_get_principal(krb_context, ccache,
+ &principal))) {
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -941,10 +948,10 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> };
#endif /* KRB5 */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/gss-serv.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/gss-serv.c 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/gss-serv.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/gss-serv.c 2017-10-08 09:42:57.000000000 +0200
</span> @@ -1,7 +1,7 @@
<span style='display:block; white-space:pre;background:#ffe0e0;'>- /* $OpenBSD: gss-serv.c,v 1.29 2015/05/22 03:50:02 djm Exp $ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* $OpenBSD: gss-serv.c,v 1.30 2017/06/24 06:34:38 djm Exp $ */
</span>
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -975,17 +982,16 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span>
#ifdef KRB5
extern ssh_gssapi_mech gssapi_kerberos_mech;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -142,6 +145,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -142,6 +145,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss
</span> }
/* Unprivileged */
+char *
+ssh_gssapi_server_mechanisms(void) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_OID_set supported;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_gssapi_supported_oids(&supported);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return (ssh_gssapi_kex_mechs(supported, &ssh_gssapi_server_check_mech,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ NULL, NULL));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (supported_oids == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_prepare_supported_oids();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return (ssh_gssapi_kex_mechs(supported_oids,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &ssh_gssapi_server_check_mech, NULL, NULL));
</span> +}
+
+/* Unprivileged */
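Review bot: the rewritten `ssh_gssapi_server_mechanisms()` now reads the file-scope
`supported_oids` and calls `ssh_gssapi_prepare_supported_oids()`, and neither is declared
anywhere in this hunk, so the function only compiles if both already exist above it in the
unpatched 7.6 gss-serv.c; upstream does carry that pair (it builds the OID set once, before the
privsep sandbox is entered), but please confirm this patch does not also add them in an earlier
hunk, or the rebase will fail with a redefinition. The replacement is otherwise the right call:
the dropped version acquired a fresh `gss_OID_set supported` on every invocation and never
released it, and the inner header shrinking from `+145,29` to `+145,28` matches the body being
one line shorter.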
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -994,7 +1000,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + const char *dummy) {
+ Gssctxt *ctx = NULL;
+ int res;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> + res = !GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctx, oid)));
+ ssh_gssapi_delete_ctx(&ctx);
+
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1005,7 +1011,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> void
ssh_gssapi_supported_oids(gss_OID_set *oidset)
{
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -151,7 +177,9 @@ ssh_gssapi_supported_oids(gss_OID_set *o
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -151,7 +176,9 @@ ssh_gssapi_supported_oids(gss_OID_set *o
</span> gss_OID_set supported;
gss_create_empty_oid_set(&min_status, oidset);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1016,7 +1022,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span>
while (supported_mechs[i]->name != NULL) {
if (GSS_ERROR(gss_test_oid_set_member(&min_status,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -277,8 +305,48 @@ OM_uint32
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -277,8 +304,48 @@ OM_uint32
</span> ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
{
int i = 0;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1032,41 +1038,41 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + return GSS_S_COMPLETE;
+ }
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((ctx->major = gss_inquire_cred_by_mech(&ctx->minor,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ctx->client_creds, ctx->oid, &new_name,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((ctx->major = gss_inquire_cred_by_mech(&ctx->minor,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ctx->client_creds, ctx->oid, &new_name,
</span> + NULL, NULL, NULL))) {
+ ssh_gssapi_error(ctx);
+ return (ctx->major);
+ }
<span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- gss_buffer_desc ename;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ctx->major = gss_compare_name(&ctx->minor, client->name,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ctx->major = gss_compare_name(&ctx->minor, client->name,
</span> + new_name, &equal);
+
+ if (GSS_ERROR(ctx->major)) {
+ ssh_gssapi_error(ctx);
+ return (ctx->major);
+ }
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> + if (!equal) {
+ debug("Rekeyed credentials have different name");
+ return GSS_S_COMPLETE;
+ }
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- gss_buffer_desc ename;
</span> + debug("Marking rekeyed credentials for export");
+
+ gss_release_name(&ctx->minor, &client->name);
+ gss_release_cred(&ctx->minor, &client->creds);
+ client->name = new_name;
+ client->creds = ctx->client_creds;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ctx->client_creds = GSS_C_NO_CREDENTIAL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ctx->client_creds = GSS_C_NO_CREDENTIAL;
</span> + client->updated = 1;
+ return GSS_S_COMPLETE;
+ }
client->mech = NULL;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -293,6 +361,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -293,6 +360,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
</span> if (client->mech == NULL)
return GSS_S_FAILURE;
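Review bot: in the rekey path of `ssh_gssapi_getclient()` both early returns after
`gss_inquire_cred_by_mech()` succeeds, the `if (GSS_ERROR(ctx->major))` one and the
`if (!equal)` one after `debug("Rekeyed credentials have different name")`, leak the `new_name`
that call handed back; this is pre-existing in the patch rather than introduced by the rebase
(those lines only change whitespace here), but a `gss_release_name(&ctx->minor, &new_name);`
before each of those returns would fix it while the patch is being touched anyway. Separately,
the removed context line `- gss_buffer_desc ename;` has moved from before the
`gss_compare_name()` call to just before `debug("Marking rekeyed credentials for export")`,
which is where the 7.6 source must now have that declaration for the hunk to apply; the
`@@ -277,8 +304,48 @@` counts are unchanged, so the move is internally consistent.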
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1080,7 +1086,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
&client->displayname, NULL))) {
ssh_gssapi_error(ctx);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -310,6 +385,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -310,6 +384,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
</span> return (ctx->major);
}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1089,7 +1095,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> /* We can't copy this structure, so we just move the pointer to it */
client->creds = ctx->client_creds;
ctx->client_creds = GSS_C_NO_CREDENTIAL;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -320,11 +397,20 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -320,11 +396,20 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
</span> void
ssh_gssapi_cleanup_creds(void)
{
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1115,7 +1121,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> }
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -357,7 +443,7 @@ ssh_gssapi_do_child(char ***envp, u_int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -357,7 +442,7 @@ ssh_gssapi_do_child(char ***envp, u_int
</span>
/* Privileged */
int
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1124,7 +1130,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> {
OM_uint32 lmin;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -367,9 +453,11 @@ ssh_gssapi_userok(char *user)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -367,9 +452,11 @@ ssh_gssapi_userok(char *user)
</span> return 0;
}
if (gssapi_client.mech && gssapi_client.mech->userok)
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1138,14 +1144,14 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> /* Destroy delegated credentials if userok fails */
gss_release_buffer(&lmin, &gssapi_client.displayname);
gss_release_buffer(&lmin, &gssapi_client.exportedname);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -383,14 +471,90 @@ ssh_gssapi_userok(char *user)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -383,14 +470,90 @@ ssh_gssapi_userok(char *user)
</span> return (0);
}
-/* Privileged */
-OM_uint32
-ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* These bits are only used for rekeying. The unpriviledged child is running
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* These bits are only used for rekeying. The unpriviledged child is running
</span> + * as the user, the monitor is root.
+ *
+ * In the child, we want to :
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1156,7 +1162,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +/* Stuff for PAM */
+
+#ifdef USE_PAM
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+static int ssh_gssapi_simple_conv(int n, const struct pam_message **msg,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static int ssh_gssapi_simple_conv(int n, const struct pam_message **msg,
</span> + struct pam_response **resp, void *data)
{
- ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1176,11 +1182,11 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + char *envstr;
+#endif
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (gssapi_client.store.filename == NULL &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (gssapi_client.store.filename == NULL &&
</span> + gssapi_client.store.envval == NULL &&
+ gssapi_client.store.envvar == NULL)
+ return;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> + ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store));
+
+ if (!ok)
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1192,7 +1198,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + * be next to impossible. In any case, we may want different options
+ * for rekeying. So, use our own :)
+ */
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef USE_PAM
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef USE_PAM
</span> + if (!use_privsep) {
+ debug("Not even going to try and do PAM with privsep disabled");
+ return;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1203,7 +1209,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + if (ret)
+ return;
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ xasprintf(&envstr, "%s=%s", gssapi_client.store.envvar,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ xasprintf(&envstr, "%s=%s", gssapi_client.store.envvar,
</span> + gssapi_client.store.envval);
+
+ ret = pam_putenv(pamh, envstr);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1213,7 +1219,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +#endif
+}
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int
</span> +ssh_gssapi_update_creds(ssh_gssapi_ccache *store) {
+ int ok = 0;
+
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1234,10 +1240,10 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + return ok;
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/kex.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/kex.c 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -55,6 +55,10 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Privileged */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/kex.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/kex.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -54,6 +54,10 @@
</span> #include "sshbuf.h"
#include "digest.h"
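Review bot: the trailing context of the inner `@@ -383,14 +470,90 @@ ssh_gssapi_userok` hunk
changes from `#endif` to `/* Privileged */`, which means the block this hunk rewrites (deleting
`ssh_gssapi_checkmic` and adding `ssh_gssapi_update_creds`) is no longer the last code before
gss-serv.c's closing `#endif` in 7.6: something new follows it. Swapping one context line for
another keeps the 14/90 counts valid, but a hunk whose tail is matched on a bare
`/* Privileged */` comment (a line that occurs several times in this file, see the other hunks
above) is easy to mis-apply with fuzz, so it is worth checking that the patched 7.6 file still
contains whatever upstream placed after `ssh_gssapi_checkmic`, unchanged. The `a/kex.c` header
lines are the same timestamp churn as in the other file headers.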
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1245,10 +1251,10 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +#include "ssh-gss.h"
+#endif
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>- #if OPENSSL_VERSION_NUMBER >= 0x00907000L
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # if defined(HAVE_EVP_SHA256)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # define evp_ssh_sha256 EVP_sha256
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -113,6 +117,14 @@ static const struct kexalg kexalgs[] = {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* prototype */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int kex_choose_conf(struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int kex_input_newkeys(int, u_int32_t, struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -105,6 +109,14 @@ static const struct kexalg kexalgs[] = {
</span> #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
{ NULL, -1, -1, -1},
};
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1263,7 +1269,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span>
char *
kex_alg_list(char sep)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -145,6 +157,12 @@ kex_alg_by_name(const char *name)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -137,6 +149,12 @@ kex_alg_by_name(const char *name)
</span> if (strcmp(k->name, name) == 0)
return k;
}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1276,7 +1282,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> return NULL;
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -587,6 +605,9 @@ kex_free(struct kex *kex)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -601,6 +619,9 @@ kex_free(struct kex *kex)
</span> sshbuf_free(kex->peer);
sshbuf_free(kex->my);
free(kex->session_id);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1286,9 +1292,9 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> free(kex->client_version_string);
free(kex->server_version_string);
free(kex->failed_choice);
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/kex.h 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/kex.h 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -98,6 +98,11 @@ enum kex_exchange {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/kex.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/kex.h 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -99,6 +99,11 @@ enum kex_exchange {
</span> KEX_DH_GEX_SHA256,
KEX_ECDH_SHA2,
KEX_C25519_SHA256,
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1300,20 +1306,20 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> KEX_MAX
};
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -146,6 +151,12 @@ struct kex {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -147,6 +152,12 @@ struct kex {
</span> u_int flags;
int hash_alg;
int ec_nid;
+#ifdef GSSAPI
+ int gss_deleg_creds;
+ int gss_trust_dns;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *gss_host;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *gss_host;
</span> + char *gss_client;
+#endif
char *client_version_string;
char *server_version_string;
char *failed_choice;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -196,6 +207,11 @@ int kexecdh_server(struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -197,6 +208,11 @@ int kexecdh_server(struct ssh *);
</span> int kexc25519_client(struct ssh *);
int kexc25519_server(struct ssh *);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1326,8 +1332,8 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *);
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/kexgssc.c 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -0,0 +1,339 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/kexgssc.c 2017-10-08 09:43:13.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -0,0 +1,336 @@
</span> +/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ *
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1356,8 +1362,6 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +
+#ifdef GSSAPI
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "includes.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span> +#include <openssl/crypto.h>
+#include <openssl/bn.h>
+
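Review bot: dropping the `#include "includes.h"` that sat inside `#ifdef GSSAPI` in kexgssc.c
is only safe if includes.h is still included before that `#ifdef`, because the GSSAPI macro
itself comes from config.h via includes.h; if nothing is included ahead of the guard, the
macro is undefined at that point and the file compiles to an empty translation unit, with the
failure surfacing later as an unresolved symbol at link time rather than here. Please confirm
the top of the new kexgssc.c has `#include "includes.h"` above the `#ifdef GSSAPI`. The new
`@@ -0,0 +1,336 @@` count (three lines fewer than 339) is consistent with this two-line
removal plus the one-line `free(serverhostkey)` simplification further down.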
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1462,7 +1466,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +
+ do {
+ debug("Calling gss_init_sec_context");
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> + maj_status = ssh_gssapi_init_ctx(ctxt,
+ kex->gss_deleg_creds, token_ptr, &send_tok,
+ &ret_flags);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1642,8 +1646,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + free(msg_tok.value);
+
+ DH_free(dh);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (serverhostkey)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(serverhostkey);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(serverhostkey);
</span> + BN_clear_free(dh_server_pub);
+
+ /* save session id */
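Review bot: replacing `if (serverhostkey) free(serverhostkey);` with an unconditional
`free(serverhostkey);` is fine: free(NULL) is a no-op in standard C, so behaviour is unchanged
and the form matches the surrounding `free(msg_tok.value);` style. It does make the cleanup
rely on `serverhostkey` being NULL-initialised on every path that reaches it, which the old
guard relied on just the same, so no new risk, only worth a glance at the declaration.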
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1668,8 +1671,8 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +
+#endif /* GSSAPI */
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/kexgsss.c 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -0,0 +1,302 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/kexgsss.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -0,0 +1,300 @@
</span> +/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ *
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1716,7 +1719,6 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +#include "monitor_wrap.h"
+#include "misc.h"
+#include "servconf.h"
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "ssh-gss.h"
</span> +#include "digest.h"
+
+extern ServerOptions options;
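Review bot: removing `#include "ssh-gss.h"` from kexgsss.c while the file still calls `ssh_gssapi_oid_table_ok()` and `ssh_gssapi_server_mechanisms()` (next hunk) assumes those declarations now arrive through one of the remaining headers (monitor_wrap.h or servconf.h would be the candidates); please confirm the build is free of implicit-declaration warnings for that file, because that is the only symptom a missing prototype would give here.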
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1760,9 +1762,8 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + * into life
+ */
+ if (!ssh_gssapi_oid_table_ok()) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((mechs = ssh_gssapi_server_mechanisms())) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(mechs);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ mechs = ssh_gssapi_server_mechanisms();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(mechs);
</span> + }
+
+ debug2("%s: Identifying %s", __func__, kex->name);
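Review bot: `mechs = ssh_gssapi_server_mechanisms(); free(mechs);` now calls the function purely for its side effect of bringing the OID table "into life" (per the comment above the `if`), and the unconditional `free()` is fine for a NULL result; a one-line comment stating that the return value is intentionally discarded would stop a later reader from "fixing" it back into a guarded free.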
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1972,9 +1973,9 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + return r;
+}
+#endif /* GSSAPI */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/monitor.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/monitor.c 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -158,6 +158,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/monitor.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/monitor.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
</span> int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *);
int mm_answer_gss_checkmic(int, Buffer *);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1983,10 +1984,10 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> #endif
#ifdef SSH_AUDIT_EVENTS
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -235,11 +237,18 @@ struct mon_table mon_dispatch_proto20[]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -230,11 +232,18 @@ struct mon_table mon_dispatch_proto20[]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok},
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
</span> + {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
#endif
{0, 0, NULL}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2002,29 +2003,29 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> #ifdef WITH_OPENSSL
{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
#endif
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -354,6 +363,10 @@ monitor_child_preauth(Authctxt *_authctx
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Permit requests for moduli and signatures */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -302,6 +311,10 @@ monitor_child_preauth(Authctxt *_authctx
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Permit requests for moduli and signatures */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
</span> +#ifdef GSSAPI
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* and for the GSSAPI key exchange */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* and for the GSSAPI key exchange */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
</span> +#endif
<span style='display:block; white-space:pre;background:#ffe0e0;'>- } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- mon_dispatch = mon_dispatch_proto15;
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -462,6 +475,10 @@ monitor_child_postauth(struct monitor *p
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* The first few requests do not require asynchronous access */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ while (!authenticated) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -408,6 +421,10 @@ monitor_child_postauth(struct monitor *p
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
</span> +#ifdef GSSAPI
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* and for the GSSAPI key exchange */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- mon_dispatch = mon_dispatch_postauth15;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1876,6 +1893,13 @@ monitor_apply_keystate(struct monitor *p
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* and for the GSSAPI key exchange */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!no_pty_flag) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1626,6 +1643,13 @@ monitor_apply_keystate(struct monitor *p
</span> # endif
#endif /* WITH_OPENSSL */
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2038,27 +2039,29 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> kex->load_host_public_key=&get_hostkey_public_by_type;
kex->load_host_private_key=&get_hostkey_private_by_type;
kex->host_key_index=&get_hostkey_index;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1975,6 +1999,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1714,8 +1738,8 @@ mm_answer_gss_setup_ctx(int sock, Buffer
</span> OM_uint32 major;
u_int len;
<span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (!options.gss_authentication)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- fatal("%s: GSSAPI authentication not enabled", __func__);
</span> + if (!options.gss_authentication && !options.gss_keyex)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("In GSSAPI monitor when GSSAPI is disabled");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: GSSAPI not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span> goid.elements = buffer_get_string(m, &len);
goid.length = len;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2002,6 +2029,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1744,8 +1768,8 @@ mm_answer_gss_accept_ctx(int sock, Buffe
</span> OM_uint32 flags = 0; /* GSI needs this */
u_int len;
<span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (!options.gss_authentication)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- fatal("%s: GSSAPI authentication not enabled", __func__);
</span> + if (!options.gss_authentication && !options.gss_keyex)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("In GSSAPI monitor when GSSAPI is disabled");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: GSSAPI not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span> in.value = buffer_get_string(m, &len);
in.length = len;
<span style='display:block; white-space:pre;background:#ffe0e0;'>- major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2019,6 +2049,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1764,6 +1788,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
</span> monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
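Review bot: replacing upstream's `if (!options.gss_authentication) fatal(...)` with `if (!options.gss_authentication && !options.gss_keyex)` in mm_answer_gss_setup_ctx and mm_answer_gss_accept_ctx deliberately widens the privileged monitor's GSSAPI entry points to servers that only enable GSSAPIKeyExchange; that is what the kex needs, but it is the security-relevant line of this rebase and deserves a sentence in the commit message. The request gating is unchanged: the context at the end of the hunk still shows MONITOR_REQ_GSSUSEROK and MONITOR_REQ_GSSCHECKMIC only being permitted from inside accept_ctx, with GSSSTEP turned off at the same point.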
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2066,35 +2069,38 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> }
return (0);
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2030,6 +2061,9 @@ mm_answer_gss_checkmic(int sock, Buffer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1775,8 +1800,8 @@ mm_answer_gss_checkmic(int sock, Buffer
</span> OM_uint32 ret;
u_int len;
<span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (!options.gss_authentication)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- fatal("%s: GSSAPI authentication not enabled", __func__);
</span> + if (!options.gss_authentication && !options.gss_keyex)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("In GSSAPI monitor when GSSAPI is disabled");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: GSSAPI not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span> gssbuf.value = buffer_get_string(m, &len);
gssbuf.length = len;
<span style='display:block; white-space:pre;background:#ffe0e0;'>- mic.value = buffer_get_string(m, &len);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2056,7 +2090,11 @@ mm_answer_gss_userok(int sock, Buffer *m
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1805,10 +1830,11 @@ mm_answer_gss_userok(int sock, Buffer *m
</span> int authenticated;
<span style='display:block; white-space:pre;background:#e0ffe0;'>+ const char *displayname;
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>-- authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (!options.gss_authentication)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- fatal("%s: GSSAPI authentication not enabled", __func__);
</span> + if (!options.gss_authentication && !options.gss_keyex)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("In GSSAPI monitor when GSSAPI is disabled");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ authenticated = authctxt->valid &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: GSSAPI not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ authenticated = authctxt->valid &&
</span> + ssh_gssapi_userok(authctxt->user, authctxt->pw);
buffer_clear(m);
buffer_put_int(m, authenticated);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2069,5 +2107,73 @@ mm_answer_gss_userok(int sock, Buffer *m
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1824,5 +1850,76 @@ mm_answer_gss_userok(int sock, Buffer *m
</span> /* Monitor loop will terminate if authenticated */
return (authenticated);
}
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int
</span> +mm_answer_gss_sign(int socket, Buffer *m)
+{
+ gss_buffer_desc data;
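Review bot: with the relaxed guard, mm_answer_gss_userok becomes reachable when GSSAPIAuthentication is off and only GSSAPIKeyExchange is on, which is presumably intended since mm_answer_gss_sign below uses the same guard; the dispatch entry keeps `MON_ONCE|MON_AUTHDECIDE` (monitor.c table hunk above), so a single call still decides authentication, and the `authctxt->valid &&` check in front of `ssh_gssapi_userok(authctxt->user, authctxt->pw)` is preserved. Note the `authenticated = ...` assignment is now an in-patch `-`/`+` replacement of the upstream line rather than a pure addition, which is why the old `-+ authenticated = authctxt->valid &&` line moved.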
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2103,12 +2109,12 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + u_int len;
+
+ if (!options.gss_authentication && !options.gss_keyex)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("In GSSAPI monitor when GSSAPI is disabled");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: GSSAPI not enabled", __func__);
</span> +
+ data.value = buffer_get_string(m, &len);
+ data.length = len;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (data.length != 20)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: data length incorrect: %d", __func__,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (data.length != 20)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: data length incorrect: %d", __func__,
</span> + (int) data.length);
+
+ /* Save the session ID on the first time around */
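Review bot: `if (data.length != 20)` in mm_answer_gss_sign hard-codes a SHA-1 sized session id, so any GSSAPI kex method that hashes with SHA-256 would hand the monitor 32 bytes and hit this fatal(). Only whitespace changed here, so it is not a regression of this rebase, but checking against the negotiated digest length (ssh_digest_bytes() on the kex hash algorithm) instead of a literal would keep the handler from becoming the blocker when such a method is added.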
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2131,7 +2137,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +
+ /* Turn on getpwnam permissions */
+ monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> + /* And credential updating, for when rekeying */
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
+
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2143,6 +2149,9 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + ssh_gssapi_ccache store;
+ int ok;
+
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!options.gss_authentication && !options.gss_keyex)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: GSSAPI not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> + store.filename = buffer_get_string(m, NULL);
+ store.envvar = buffer_get_string(m, NULL);
+ store.envval = buffer_get_string(m, NULL);
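Review bot: good, this gives the credential-update handler the same `!options.gss_authentication && !options.gss_keyex` guard the other GSSAPI monitor handlers in this file already carry (setup_ctx, accept_ctx, checkmic, userok, sign), and it sits before the three `buffer_get_string(m, NULL)` calls, so nothing is allocated before fatal() fires.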
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2163,8 +2172,8 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +
#endif /* GSSAPI */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/monitor.h 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/monitor.h 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/monitor.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/monitor.h 2017-10-08 09:42:57.000000000 +0200
</span> @@ -65,6 +65,9 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2174,10 +2183,10 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +
};
<span style='display:block; white-space:pre;background:#ffe0e0;'>- struct mm_master;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/monitor_wrap.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/monitor_wrap.c 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1073,7 +1073,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct monitor {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/monitor_wrap.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/monitor_wrap.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -937,7 +937,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
</span> }
int
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2186,7 +2195,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> {
Buffer m;
int authenticated = 0;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1090,5 +1090,50 @@ mm_ssh_gssapi_userok(char *user)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -954,5 +954,50 @@ mm_ssh_gssapi_userok(char *user)
</span> debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
return (authenticated);
}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2224,22 +2233,22 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + buffer_put_cstring(&m, store->filename ? store->filename : "");
+ buffer_put_cstring(&m, store->envvar ? store->envvar : "");
+ buffer_put_cstring(&m, store->envval ? store->envval : "");
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, &m);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, &m);
+
+ ok = buffer_get_int(&m);
+
+ buffer_free(&m);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> + return (ok);
+}
+
#endif /* GSSAPI */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/monitor_wrap.h 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/monitor_wrap.h 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -60,8 +60,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/monitor_wrap.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/monitor_wrap.h 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -57,8 +57,10 @@ int mm_sshkey_verify(const struct sshkey
</span> OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2251,19 +2260,19 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> #endif
#ifdef USE_PAM
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/readconf.c 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/readconf.c 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/readconf.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/readconf.c 2017-10-08 09:42:57.000000000 +0200
</span> @@ -160,6 +160,8 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+ oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ oGssServerIdentity,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ oGssServerIdentity,
</span> oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -208,10 +210,19 @@ static struct {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "afstokenpassing", oUnsupported },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -202,10 +204,19 @@ static struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Sometimes-unsupported options */
</span> #if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
+ { "gssapikeyexchange", oGssKeyEx },
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2272,7 +2281,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + { "gssapiclientidentity", oGssClientIdentity },
+ { "gssapiserveridentity", oGssServerIdentity },
+ { "gssapirenewalforcesrekey", oGssRenewalRekey },
<span style='display:block; white-space:pre;background:#ffe0e0;'>- #else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # else
</span> { "gssapiauthentication", oUnsupported },
+ { "gssapikeyexchange", oUnsupported },
{ "gssapidelegatecredentials", oUnsupported },
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2280,9 +2289,9 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + { "gssapiclientidentity", oUnsupported },
+ { "gssapirenewalforcesrekey", oUnsupported },
#endif
<span style='display:block; white-space:pre;background:#ffe0e0;'>- { "fallbacktorsh", oDeprecated },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "usersh", oDeprecated },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -968,10 +979,30 @@ parse_time:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef ENABLE_PKCS11
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "smartcarddevice", oPKCS11Provider },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -982,10 +993,30 @@ parse_time:
</span> intptr = &options->gss_authentication;
goto parse_flag;
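Review bot: the `# else` list of `oUnsupported` GSSAPI keywords has to mirror the `#if defined(GSSAPI)` list one-for-one, otherwise a client config written for a GSSAPI build fails to parse on a build without it; the visible entries cover gssapikeyexchange, gssapidelegatecredentials, gssapiclientidentity and gssapirenewalforcesrekey, so please confirm gssapitrustdns and gssapiserveridentity also appear in the part of the table the hunk cuts off.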
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2313,7 +2322,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1789,7 +1820,12 @@ initialize_options(Options * options)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1802,7 +1833,12 @@ initialize_options(Options * options)
</span> options->pubkey_authentication = -1;
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2326,7 +2335,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1936,8 +1972,14 @@ fill_default_options(Options * options)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1945,8 +1981,14 @@ fill_default_options(Options * options)
</span> options->challenge_response_authentication = 1;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2341,24 +2350,24 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/readconf.h 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/readconf.h 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -45,7 +45,12 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/readconf.h 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/readconf.h 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -42,7 +42,12 @@ typedef struct {
</span> int challenge_response_authentication;
/* Try S/Key or TIS, authentication. */
int gss_authentication; /* Try GSS authentication */
+ int gss_keyex; /* Try GSS key exchange */
int gss_deleg_creds; /* Delegate GSS credentials */
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int gss_renewal_rekey; /* Credential renewal forces rekey */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int gss_renewal_rekey; /* Credential renewal forces rekey */
</span> + char *gss_client_identity; /* Principal to initiate GSSAPI with */
+ char *gss_server_identity; /* GSSAPI target principal */
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/servconf.c 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/servconf.c 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -117,8 +117,10 @@ initialize_server_options(ServerOptions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/servconf.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/servconf.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -113,8 +113,10 @@ initialize_server_options(ServerOptions
</span> options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1;
options->gss_authentication=-1;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2369,7 +2378,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -287,10 +289,14 @@ fill_default_server_options(ServerOption
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -268,10 +270,14 @@ fill_default_server_options(ServerOption
</span> options->kerberos_get_afs_token = 0;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2378,14 +2387,13 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
if (options->gss_strict_acceptor == -1)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-- options->gss_strict_acceptor = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->gss_strict_acceptor = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->gss_strict_acceptor = 1;
</span> + if (options->gss_store_rekey == -1)
+ options->gss_store_rekey = 0;
if (options->password_authentication == -1)
options->password_authentication = 0;
if (options->kbd_interactive_authentication == -1)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -427,6 +433,7 @@ typedef enum {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -410,6 +416,7 @@ typedef enum {
</span> sHostKeyAlgorithms,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
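Review bot: the patch's own `- options->gss_strict_acceptor = 0;` / `+ options->gss_strict_acceptor = 1;` flip is gone because the 7.6 context already defaults gss_strict_acceptor to 1, so the rebased patch no longer touches that default and only adds the `gss_store_rekey = 0` lines; worth a line in the commit message so nobody goes looking for the dropped hunk.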
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2393,7 +2401,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -501,11 +508,17 @@ static struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -485,11 +492,17 @@ static struct {
</span> { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2411,7 +2419,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1251,6 +1264,10 @@ process_server_config_line(ServerOptions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1253,6 +1266,10 @@ process_server_config_line(ServerOptions
</span> intptr = &options->gss_authentication;
goto parse_flag;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2422,7 +2430,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> case sGssCleanupCreds:
intptr = &options->gss_cleanup_creds;
goto parse_flag;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1259,6 +1276,10 @@ process_server_config_line(ServerOptions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1261,6 +1278,10 @@ process_server_config_line(ServerOptions
</span> intptr = &options->gss_strict_acceptor;
goto parse_flag;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2433,7 +2441,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> case sPasswordAuthentication:
intptr = &options->password_authentication;
goto parse_flag;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2308,7 +2329,10 @@ dump_config(ServerOptions *o)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2301,7 +2322,10 @@ dump_config(ServerOptions *o)
</span> #endif
#ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2444,9 +2452,9 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> #endif
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
dump_cfg_fmtint(sKbdInteractiveAuthentication,
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/servconf.h 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/servconf.h 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -118,8 +118,10 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/servconf.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/servconf.h 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -119,8 +119,10 @@ typedef struct {
</span> int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */
int gss_authentication; /* If true, permit GSSAPI authentication */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2457,10 +2465,10 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> int password_authentication; /* If true, permit password
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh-gss.h 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh-gss.h 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh-gss.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh-gss.h 2017-10-08 09:42:57.000000000 +0200
</span> @@ -1,6 +1,6 @@
<span style='display:block; white-space:pre;background:#ffe0e0;'>- /* $OpenBSD: ssh-gss.h,v 1.11 2014/02/26 20:28:44 djm Exp $ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* $OpenBSD: ssh-gss.h,v 1.12 2017/06/24 06:34:38 djm Exp $ */
</span> /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2523,7 +2531,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span>
int ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -119,16 +136,32 @@ void ssh_gssapi_build_ctx(Gssctxt **);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -119,17 +136,33 @@ void ssh_gssapi_build_ctx(Gssctxt **);
</span> void ssh_gssapi_delete_ctx(Gssctxt **);
OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2548,6 +2556,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> void ssh_gssapi_do_child(char ***, u_int *);
void ssh_gssapi_cleanup_creds(void);
void ssh_gssapi_storecreds(void);
<span style='display:block; white-space:pre;background:#e0ffe0;'>+ const char *ssh_gssapi_displayname(void);
</span>
+char *ssh_gssapi_server_mechanisms(void);
+int ssh_gssapi_oid_table_ok(void);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2558,9 +2567,9 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> #endif /* GSSAPI */
#endif /* _SSH_GSS_H */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh_config 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh_config 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -26,6 +26,8 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh_config 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh_config 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -24,6 +24,8 @@
</span> # HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2569,54 +2578,53 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> # BatchMode no
# CheckHostIP yes
# AddressFamily any
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh_config.5 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh_config.5 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -826,10 +826,43 @@ The default is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh_config.5 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh_config.5 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -720,10 +720,42 @@ The default is
</span> Specifies whether user authentication based on GSSAPI is allowed.
The default is
<span style='display:block; white-space:pre;background:#ffe0e0;'>- .Dq no .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .Cm no .
</span> +.It Cm GSSAPIKeyExchange
+Specifies whether key exchange based on GSSAPI may be used. When using
+GSSAPI key exchange the server need not have a host key.
+The default is
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Dq no .
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Note that this option applies to protocol version 2 only.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Cm no .
</span> +.It Cm GSSAPIClientIdentity
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+If set, specifies the GSSAPI client identity that ssh should use when
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+connecting to the server. The default is unset, which means that the default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++If set, specifies the GSSAPI client identity that ssh should use when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++connecting to the server. The default is unset, which means that the default
</span> +identity will be used.
+.It Cm GSSAPIServerIdentity
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+If set, specifies the GSSAPI server identity that ssh should expect when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++If set, specifies the GSSAPI server identity that ssh should expect when
</span> +connecting to the server. The default is unset, which means that the
+expected GSSAPI server identity will be determined from the target
+hostname.
.It Cm GSSAPIDelegateCredentials
Forward (delegate) credentials to the server.
The default is
<span style='display:block; white-space:pre;background:#ffe0e0;'>- .Dq no .
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Note that this option applies to protocol version 2 connections using GSSAPI.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .Cm no .
</span> +.It Cm GSSAPIRenewalForcesRekey
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+If set to
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Dq yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++If set to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Cm yes
</span> +then renewal of the client's GSSAPI credentials will force the rekeying of the
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh connection. With a compatible server, this can delegate the renewed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh connection. With a compatible server, this can delegate the renewed
</span> +credentials to a session on the server.
+The default is
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Dq no .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Cm no .
</span> +.It Cm GSSAPITrustDns
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+Set to
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Dq yes to indicate that the DNS is trusted to securely canonicalize
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+the name of the host being connected to. If
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Dq no, the hostname entered on the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Set to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Cm yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++to indicate that the DNS is trusted to securely canonicalize
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++the name of the host being connected to. If
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Cm no ,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++the hostname entered on the
</span> +command line will be passed untouched to the GSSAPI library.
+The default is
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Dq no .
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+This option only applies to protocol version 2 connections using GSSAPI.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Cm no .
</span> .It Cm HashKnownHosts
Indicates that
.Xr ssh 1
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshconnect2.c 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshconnect2.c 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshconnect2.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshconnect2.c 2017-10-08 09:42:57.000000000 +0200
</span> @@ -73,6 +73,7 @@
#include "ssherr.h"
#include "utf8.h"
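Review bot: The rewrite of the GSSAPITrustDns paragraph is a correctness fix rather than a style change: `.Dq yes to indicate that the DNS is trusted ...` quoted the whole remainder of the line in mdoc, while the new `.Cm yes` on its own line and `.Cm no ,` with the comma as a separate argument render as intended. The dropped "applies to protocol version 2 only" sentences are right for 7.6p1, which no longer has protocol 1. The description still makes clear that with `GSSAPITrustDns yes` the DNS-canonicalized name decides which GSSAPI server identity the client accepts, so the documented default of `no` is the right one to keep.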
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2650,7 +2658,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + if (options.gss_server_identity)
+ gss_host = xstrdup(options.gss_server_identity);
+ if (options.gss_trust_dns)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_host = xstrdup(get_canonical_hostname(active_state, 1));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_host = xstrdup(auth_get_canonical_hostname(active_state, 1));
</span> + else
+ gss_host = xstrdup(host);
+
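Review bot: In this sshconnect2.c hunk the second test is a plain `if (options.gss_trust_dns)` rather than `else if`, so when both GSSAPIServerIdentity and GSSAPITrustDns are set the DNS-derived name overwrites the configured identity and the first `xstrdup()` result is leaked. The later userauth_gssapi hunk uses `else if (options.gss_trust_dns)`, which gives GSSAPIServerIdentity precedence as ssh_config.5 describes; the key-exchange path should do the same.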
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2671,8 +2679,8 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +#endif
+
if (options.rekey_limit || options.rekey_interval)
<span style='display:block; white-space:pre;background:#ffe0e0;'>- packet_set_rekey_limits((u_int32_t)options.rekey_limit,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- (time_t)options.rekey_interval);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ packet_set_rekey_limits(options.rekey_limit,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options.rekey_interval);
</span> @@ -214,10 +249,26 @@ ssh_kex2(char *host, struct sockaddr *ho
# endif
#endif
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2697,18 +2705,18 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + }
+#endif
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>- dispatch_run(DISPATCH_BLOCK, &kex->done, active_state);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_dispatch_run_fatal(active_state, DISPATCH_BLOCK, &kex->done);
</span>
/* remove ext-info from the KEX proposals for rekeying */
@@ -312,6 +363,7 @@ int input_gssapi_token(int type, u_int32
<span style='display:block; white-space:pre;background:#ffe0e0;'>- int input_gssapi_hash(int type, u_int32_t, void *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int input_gssapi_error(int, u_int32_t, void *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int input_gssapi_errtok(int, u_int32_t, void *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int input_gssapi_hash(int type, u_int32_t, struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int input_gssapi_error(int, u_int32_t, struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int input_gssapi_errtok(int, u_int32_t, struct ssh *);
</span> +int userauth_gsskeyex(Authctxt *authctxt);
#endif
void userauth(Authctxt *, char *);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -327,6 +379,11 @@ static char *authmethods_get(void);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -328,6 +380,11 @@ static char *authmethods_get(void);
</span>
Authmethod authmethods[] = {
#ifdef GSSAPI
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2720,7 +2728,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> {"gssapi-with-mic",
userauth_gssapi,
NULL,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -651,25 +708,40 @@ userauth_gssapi(Authctxt *authctxt)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -655,25 +712,40 @@ userauth_gssapi(Authctxt *authctxt)
</span> static u_int mech = 0;
OM_uint32 min;
int ok = 0;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2729,7 +2737,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + if (options.gss_server_identity)
+ gss_host = xstrdup(options.gss_server_identity);
+ else if (options.gss_trust_dns)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_host = xstrdup(get_canonical_hostname(active_state, 1));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_host = xstrdup(auth_get_canonical_hostname(active_state, 1));
</span> + else
+ gss_host = xstrdup(authctxt->host);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2748,10 +2756,11 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> while (mech < gss_supported->count && !ok) {
/* My DER encoding requires length<128 */
if (gss_supported->elements[mech].length < 128 &&
<span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_gssapi_check_mechanism(&gssctxt,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- ssh_gssapi_check_mechanism(&gssctxt,
</span> - &gss_supported->elements[mech], authctxt->host)) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &gss_supported->elements[mech], gss_host,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.gss_client_identity)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_check_mechanism(&gssctxt,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &gss_supported->elements[mech], gss_host,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.gss_client_identity)) {
</span> ok = 1; /* Mechanism works */
} else {
mech++;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2763,9 +2772,9 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> if (!ok)
return 0;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -760,8 +832,8 @@ input_gssapi_response(int type, u_int32_
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -764,8 +836,8 @@ input_gssapi_response(int type, u_int32_
</span> {
<span style='display:block; white-space:pre;background:#ffe0e0;'>- Authctxt *authctxt = ctxt;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Authctxt *authctxt = ssh->authctxt;
</span> Gssctxt *gssctxt;
- int oidlen;
- char *oidv;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2774,7 +2783,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span>
if (authctxt == NULL)
fatal("input_gssapi_response: no authentication context");
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -874,6 +946,48 @@ input_gssapi_error(int type, u_int32_t p
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -878,6 +950,48 @@ input_gssapi_error(int type, u_int32_t p
</span> free(lang);
return 0;
}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2792,7 +2801,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + return (0);
+
+ if (gss_kex_context == NULL) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("No valid Key exchange context");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("No valid Key exchange context");
</span> + return (0);
+ }
+
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2823,9 +2832,9 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> #endif /* GSSAPI */
int
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd.c 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd.c 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -125,6 +125,10 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -122,6 +122,10 @@
</span> #include "version.h"
#include "ssherr.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2833,10 +2842,19 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +#include <Security/AuthSession.h>
+#endif
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifndef O_NOCTTY
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define O_NOCTTY 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Re-exec fds */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -529,7 +533,7 @@ privsep_preauth_child(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Cache supported mechanism OIDs for later use */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (options.gss_authentication)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.gss_authentication || options.gss_keyex)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_gssapi_prepare_supported_oids();
</span> #endif
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -980,8 +984,9 @@ notify_hostkeys(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -870,8 +874,9 @@ notify_hostkeys(struct ssh *ssh)
</span> }
debug3("%s: sent %d hostkeys", __func__, nkeys);
if (nkeys == 0)
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2848,21 +2866,21 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> sshbuf_free(buf);
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1899,10 +1904,13 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- logit("Disabling protocol version 1. Could not load host key");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options.protocol &= ~SSH_PROTO_1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1715,10 +1720,13 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ free(fp);
</span> }
+#ifndef GSSAPI
+ /* The GSSAPI key exchange can run without a host key */
<span style='display:block; white-space:pre;background:#ffe0e0;'>- if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- logit("Disabling protocol version 2. Could not load host key");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options.protocol &= ~SSH_PROTO_2;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!sensitive_data.have_ssh2_key) {
</span> logit("sshd: no hostkeys available -- exiting.");
exit(1);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2214,6 +2222,60 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * Load certificates. They are stored in an array at identical
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1994,6 +2002,60 @@ main(int ac, char **av)
</span> remote_ip, remote_port, laddr, ssh_local_port(ssh));
free(laddr);
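Review bot: The rebased `#ifndef GSSAPI` now wraps the `if (!sensitive_data.have_ssh2_key)` exit check, so any build with GSSAPI compiled in will start sshd without a host key even when GSSAPIKeyExchange is left at its default of `no`. The comment says only that the GSSAPI key exchange can run without a host key, which argues for a runtime condition such as `if (!options.gss_keyex && !sensitive_data.have_ssh2_key)` in place of the compile-time guard, so a server with neither a host key nor GSSAPI key exchange enabled still refuses to start.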
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2908,7 +2926,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + error("SessionCreate() failed with error %.8X",
+ (unsigned) err);
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ err = SessionGetInfo(callerSecuritySession, &sid,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ err = SessionGetInfo(callerSecuritySession, &sid,
</span> + &sattrs);
+ if (err)
+ error("SessionGetInfo() failed with error %.8X",
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2923,7 +2941,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> /*
* We don't want to listen forever unless the other side
* successfully authenticates itself. So we set up an alarm which is
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2638,6 +2700,48 @@ do_ssh2_kex(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2177,6 +2239,48 @@ do_ssh2_kex(void)
</span> myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
list_hostkey_types());
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2934,7 +2952,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + char *newstr = NULL;
+ orig = myproposal[PROPOSAL_KEX_ALGS];
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span> + * If we don't have a host key, then there's no point advertising
+ * the other key exchange algorithms
+ */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2972,7 +2990,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> /* start key exchange */
if ((r = kex_setup(active_state, myproposal)) != 0)
fatal("kex_setup: %s", ssh_err(r));
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2655,6 +2759,13 @@ do_ssh2_kex(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2194,6 +2298,13 @@ do_ssh2_kex(void)
</span> # endif
#endif
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2986,9 +3004,9 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> kex->server = 1;
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd_config 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd_config 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -84,6 +84,8 @@ AuthorizedKeysFile .ssh/authorized_keys
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd_config 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd_config 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -71,6 +71,8 @@ AuthorizedKeysFile .ssh/authorized_keys
</span> # GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2997,36 +3015,35 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span>
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd_config.5 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd_config.5 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -632,6 +632,12 @@ The default is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd_config.5 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd_config.5 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -635,6 +635,11 @@ The default is
</span> Specifies whether user authentication based on GSSAPI is allowed.
The default is
<span style='display:block; white-space:pre;background:#ffe0e0;'>- .Dq no .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .Cm no .
</span> +.It Cm GSSAPIKeyExchange
+Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
+doesn't rely on ssh keys to verify host identity.
+The default is
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Dq no .
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Note that this option applies to protocol version 2 only.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Cm no .
</span> .It Cm GSSAPICleanupCredentials
Specifies whether to automatically destroy the user's credentials cache
on logout.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -652,6 +658,11 @@ machine's default store.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -654,6 +659,11 @@ machine's default store.
</span> This facility is provided to assist with operation on multi homed machines.
The default is
<span style='display:block; white-space:pre;background:#ffe0e0;'>- .Dq yes .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .Cm yes .
</span> +.It Cm GSSAPIStoreCredentialsOnRekey
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+Controls whether the user's GSSAPI credentials should be updated following a
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+successful connection rekeying. This option can be used to accepted renewed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Controls whether the user's GSSAPI credentials should be updated following a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++successful connection rekeying. This option can be used to accepted renewed
</span> +or updated credentials from a compatible client. The default is
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Dq no .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Cm no .
</span> .It Cm HostbasedAcceptedKeyTypes
Specifies the key types that will be accepted for hostbased authentication
as a comma-separated pattern list.
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshkey.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshkey.c 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -115,6 +115,7 @@ static const struct keytype keytypes[] =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshkey.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshkey.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -112,6 +112,7 @@ static const struct keytype keytypes[] =
</span> # endif /* OPENSSL_HAS_NISTP521 */
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
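Review bot: the rebased lines "++Controls whether the user's GSSAPI credentials should be updated following a" / "++successful connection rekeying. This option can be used to accepted renewed" replace their older copies above, so they are already being touched by this update, yet they still carry the grammatical slip "used to accepted renewed"; correct it to "used to accept renewed" while rewriting them. The rest of the hunk is consistent with the 7.6p1 base: ".Dq no ." to ".Cm no ." follows the macro the surrounding upstream entries now use (the "- .Dq no ." / "+ .Cm no ." context pairs), and dropping "+Note that this option applies to protocol version 2 only." is correct for a tree that no longer contains any protocol 1 code. The "+@@ -635,6 +635,11 @@" count also checks out: five added lines remain after the note is removed.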
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3034,9 +3051,18 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> { NULL, NULL, -1, -1, 0, 0 }
};
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshkey.h 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshkey.h 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -62,6 +62,7 @@ enum sshkey_types {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -200,7 +201,7 @@ sshkey_alg_list(int certs_only, int plai
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const struct keytype *kt;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for (kt = keytypes; kt->type != -1; kt++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (kt->name == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (kt->name == NULL || kt->type == KEY_NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ continue;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!include_sigonly && kt->sigonly)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ continue;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshkey.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshkey.h 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -61,6 +61,7 @@ enum sshkey_types {
</span> KEY_DSA_CERT,
KEY_ECDSA_CERT,
KEY_ED25519_CERT,
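Review bot: the new check "++ if (kt->name == NULL || kt->type == KEY_NULL)" in sshkey_alg_list() depends on KEY_NULL being a member of enum sshkey_types. The sshkey.h hunk in this same region, "+@@ -61,6 +61,7 @@ enum sshkey_types", adds exactly one line to that enum, but the added line itself is not visible here, so please confirm it is the KEY_NULL member (sshkey.c will not compile otherwise). Skipping the null key type in this loop is the right defensive choice: sshkey_alg_list() builds the list of key-type names that "ssh -Q key" prints and that the key-type configuration options are validated against, so excluding the placeholder entry keeps "null" from ever being accepted as a real key type through configuration.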
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3044,18 +3070,138 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> KEY_UNSPEC
};
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/auth.c 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth.c 2016-09-29 14:45:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -363,6 +363,7 @@ auth_root_allowed(const char *method)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/auth.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -395,7 +395,8 @@ auth_root_allowed(const char *method)
</span> case PERMIT_NO_PASSWD:
if (strcmp(method, "publickey") == 0 ||
strcmp(method, "hostbased") == 0 ||
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ strcmp(method, "gssapi-keyex") == 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- strcmp(method, "gssapi-with-mic") == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- strcmp(method, "gssapi-with-mic") == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ strcmp(method, "gssapi-with-mic") == 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ strcmp(method, "gssapi-keyex") == 0)
</span> return 1;
break;
<span style='display:block; white-space:pre;background:#e0ffe0;'>+ case PERMIT_FORCED_ONLY:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -726,117 +727,3 @@ fakepw(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return (&fake);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * Returns the remote DNS hostname as a string. The returned string must not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * be freed. NB. this will usually trigger a DNS query the first time it is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * called.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * This function does additional checks on the hostname to mitigate some
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * attacks on legacy rhosts-style authentication.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * XXX is RhostsRSAAuthentication vulnerable to these?
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-static char *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-remote_hostname(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- struct sockaddr_storage from;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- socklen_t fromlen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- struct addrinfo hints, *ai, *aitop;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- const char *ntop = ssh_remote_ipaddr(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /* Get IP address of client. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- fromlen = sizeof(from);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- memset(&from, 0, sizeof(from));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (getpeername(ssh_packet_get_connection_in(ssh),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- (struct sockaddr *)&from, &fromlen) < 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- debug("getpeername failed: %.100s", strerror(errno));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return strdup(ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- ipv64_normalise_mapped(&from, &fromlen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (from.ss_family == AF_INET6)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- fromlen = sizeof(struct sockaddr_in6);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- debug3("Trying to reverse map address %.100s.", ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /* Map the IP address to a host name. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- NULL, 0, NI_NAMEREQD) != 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /* Host name not found. Use ip address. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return strdup(ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * if reverse lookup result looks like a numeric hostname,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * someone is trying to trick us by PTR record like following:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- memset(&hints, 0, sizeof(hints));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- hints.ai_flags = AI_NUMERICHOST;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- name, ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- freeaddrinfo(ai);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return strdup(ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /* Names are stored in lowercase. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- lowercase(name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * Map it back to an IP address and check that the given
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * address actually is an address of this host. This is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * necessary because anyone with access to a name server can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * define arbitrary names for an IP address. Mapping from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * name to IP address can be trusted better (but can still be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * fooled if the intruder has access to the name server of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * the domain).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- memset(&hints, 0, sizeof(hints));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- hints.ai_family = from.ss_family;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- hints.ai_socktype = SOCK_STREAM;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- logit("reverse mapping checking getaddrinfo for %.700s "
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- "[%s] failed.", name, ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return strdup(ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /* Look for the address from the list of addresses. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- for (ai = aitop; ai; ai = ai->ai_next) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- (strcmp(ntop, ntop2) == 0))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- freeaddrinfo(aitop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /* If we reached the end of the list, the address was not there. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (ai == NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /* Address not found for the host name. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- logit("Address %.100s maps to %.600s, but this does not "
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- "map back to the address.", ntop, name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return strdup(ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return strdup(name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * Return the canonical name of the host in the other side of the current
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * connection. The host name is cached, so it is efficient to call this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * several times.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-const char *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- static char *dnsname;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (!use_dns)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return ssh_remote_ipaddr(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- else if (dnsname != NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return dnsname;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- dnsname = remote_hostname(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return dnsname;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-}
</span> --- /dev/null 1970-01-01 00:00:00.000000000 +0000
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth-compat.c 2016-09-29 14:46:41.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth-compat.c 2017-10-08 09:42:57.000000000 +0200
</span> @@ -0,0 +1,175 @@
+/*
+ * Copyright (c) 2000 Markus Friedl. All rights reserved.
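Review bot: the auth_root_allowed() change in the "+@@ -395,7 +395,8 @@" hunk widens what PermitRootLogin prohibit-password accepts: root may now authenticate with "gssapi-keyex" in addition to publickey, hostbased and gssapi-with-mic (the added "++ strcmp(method, "gssapi-keyex") == 0)" line). That fits the option's intent, since the method involves no password, but it is a policy change for root logins and deserves an explicit mention in the patch header. The rebased form also rewrites the existing gssapi-with-mic line ("+- ... == 0)" to "++ ... == 0 ||") where the old patch inserted the new comparison before it without touching any upstream line; keeping the old ordering would make the hunk smaller and easier to rebase next time. The "+@@ -726,117 +727,3 @@" hunk then deletes remote_hostname() and auth_get_canonical_hostname() from auth.c so that auth-compat.c can carry them instead. The deleted bodies match the auth-compat.c fragments in the hunks that follow, so this is a pure move, but it means any future upstream fix to the reverse-DNS checks in these functions will have to be copied into auth-compat.c by hand; please record that in the patch header. Note also that "--- a/auth.c" and "+++ b/auth.c" carry the same timestamp, so this patch is generated against a tree that already has earlier patches of the series applied and must keep its place in the quilt series order.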
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3190,7 +3336,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + hints.ai_socktype = SOCK_STREAM;
+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
+ logit("reverse mapping checking getaddrinfo for %.700s "
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ "[%s] failed - POSSIBLE BREAK-IN ATTEMPT!", name, ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "[%s] failed.", name, ntop);
</span> + return strdup(ntop);
+ }
+ /* Look for the address from the list of addresses. */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3205,7 +3351,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + if (ai == NULL) {
+ /* Address not found for the host name. */
+ logit("Address %.100s maps to %.600s, but this does not "
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ "map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "map back to the address.",
</span> + ntop, name);
+ return strdup(ntop);
+ }
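Review bot: dropping " - POSSIBLE BREAK-IN ATTEMPT!" from the two reverse-DNS mismatch messages in this hunk and the one before it brings auth-compat.c in line with what the upstream 7.6p1 auth.c code says (compare the removed block above: "reverse mapping checking getaddrinfo for %.700s " "[%s] failed." and "map back to the address."), so the relocated function logs exactly the text the original would. This is worth a line in the port's notes for operators: log-monitoring and fail2ban-style rules that key on the literal "POSSIBLE BREAK-IN ATTEMPT" will stop matching after this update and need to be rewritten around "but this does not map back to the address" and "reverse mapping checking getaddrinfo for ... failed".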
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3219,7 +3365,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + */
+
+const char *
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+get_canonical_hostname(struct ssh *ssh, int use_dns)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
</span> +{
+ static char *dnsname;
+
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3233,7 +3379,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + }
+}
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth-compat.h 2016-09-29 14:46:28.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth-compat.h 2017-10-08 09:42:57.000000000 +0200
</span> @@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2000 Markus Friedl. All rights reserved.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3265,7 +3411,27 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +
+#include "packet.h"
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+const char *get_canonical_hostname(struct ssh *, int);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+char *remote_hostname(struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++char *remote_hostname(struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++const char *auth_get_canonical_hostname(struct ssh *, int);
</span> +
+#endif
<span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/auth.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth.h 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -42,6 +42,8 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include <krb5.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "auth-compat.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct ssh;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct sshkey;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct sshbuf;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -199,8 +201,6 @@ FILE *auth_openkeyfile(const char *, str
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ FILE *auth_openprincipals(const char *, struct passwd *, int);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int auth_key_is_revoked(struct sshkey *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-const char *auth_get_canonical_hostname(struct ssh *, int);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ HostStatus
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ check_key_in_hostfiles(struct passwd *, struct sshkey *, const char *,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const char *, const char *);
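Review bot: auth-compat.h now exports "char *remote_hostname(struct ssh *);", whereas the function it replaces was "static char *remote_hostname(struct ssh *ssh)" in auth.c (see the removed block above). Unless some other translation unit calls it, keep it static in auth-compat.c and drop the prototype, so the reverse-lookup helper stays an internal detail of auth_get_canonical_hostname() rather than becoming a new public entry point. The rest of the region is consistent: auth.h gains "#include "auth-compat.h"" and loses its own "const char *auth_get_canonical_hostname(struct ssh *, int);" prototype, avoiding a duplicate declaration, and the rename in the auth-compat.c hunk above ("get_canonical_hostname" to "auth_get_canonical_hostname") is what lets the existing callers in sshd keep linking now that the auth.c definition is gone; a build will confirm that no caller still refers to the old name.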
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/openssh-7.3p1-hpnssh14v11.diff b/net/openssh/files/openssh-7.6p1-hpnssh14v13.diff
</span>similarity index 71%
rename from net/openssh/files/openssh-7.3p1-hpnssh14v11.diff
rename to net/openssh/files/openssh-7.6p1-hpnssh14v13.diff
<span style='display:block; white-space:pre;color:#808080;'>index f12208c..8bd7c4d 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/files/openssh-7.3p1-hpnssh14v11.diff
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/files/openssh-7.6p1-hpnssh14v13.diff
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1,5 +1,5 @@
</span> --- /dev/null 1970-01-01 00:00:00.000000000 +0000
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/HPN-README 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/HPN-README 2017-10-07 06:27:39.000000000 +0200
</span> @@ -0,0 +1,130 @@
+Notes:
+
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -51,15 +51,15 @@
</span> +
+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
+HPN Buffer Size = TCP receive buffer value.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+Users on non-autotuning systesm should disable TCPRcvBufPoll in the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_cofig and sshd_config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Users on non-autotuning systems should disable TCPRcvBufPoll in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_config and sshd_config
</span> +
+Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+HPN Buffer Size = minmum of TCP receive buffer and HPNBufferSize.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++HPN Buffer Size = minimum of TCP receive buffer and HPNBufferSize.
</span> +This would be the system defined TCP receive buffer (RWIN).
+
+Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf SET
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++HPN Buffer Size = minimum of TCPRcvBuf and HPNBufferSize.
</span> +Generally there is no need to set both.
+
+Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -67,7 +67,7 @@
</span> +The buffer will grow up to the maximum size specified here.
+
+Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf SET
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++HPN Buffer Size = minimum of TCPRcvBuf and HPNBufferSize.
</span> +Generally there is no need to set both of these, especially on autotuning
+systems. However, if the users wishes to override the autotuning this would be
+one way to do it.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -131,8 +131,8 @@
</span> + (tasota@gmail.com) an NSF REU grant recipient for 2013.
+ This work was financed, in part, by Cisco System, Inc., the National
+ Library of Medicine, and the National Science Foundation.
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/Makefile.in 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/Makefile.in 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/Makefile.in 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/Makefile.in 2017-10-07 06:27:39.000000000 +0200
</span> @@ -44,7 +44,7 @@ CC=@CC@
LD=@LD@
CFLAGS=@CFLAGS@
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -146,22 +146,39 @@
</span> LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
authfd.o authfile.o bufaux.o bufbn.o bufec.o buffer.o \
canohost.o channels.o cipher.o cipher-aes.o cipher-aesctr.o \
<span style='display:block; white-space:pre;background:#ffe0e0;'>-- cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ cipher-bf1.o cipher-ctr.o cipher-ctr-mt.o cipher-3des1.o cleanup.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- compat.o crc32.o deattack.o fatal.o hostfile.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- log.o match.o md-sha256.o moduli.o nchan.o packet.o opacket.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/auth2.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth2.c 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -50,6 +50,7 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "dispatch.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "pathnames.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "buffer.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "canohost.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "ssh-gss.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -73,6 +74,8 @@ extern Authmethod method_hostbased;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- cipher-ctr.o cleanup.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cipher-ctr.o cipher-ctr-mt.o cleanup.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ compat.o crc32.o fatal.o hostfile.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ log.o match.o moduli.o nchan.o packet.o opacket.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ readpass.o ttymodes.o xmalloc.o addrmatch.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/README 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/README 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1,3 +1,22 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++THE FOLLOWING few lines are message from the developer of hpn-ssh. It is not part
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++of the README file for OpenSSH.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++HOWDY ALL! I hate doing this but I realize that I’ve been working on HPN-SSH for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++almost 13 years now. Initially I was funded by a generous grant from Cisco, the NSF,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++and NIH. That money is long long gone by now and I can only work on HPN-SSH when I
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++have the time. *IF* I can get some donations to the project at
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++http://www.psc.edu/index.php/hpn-ssh it would let me free up more cycles to work on it.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Keep in mind that I don’t get any money from the donations. It all goes to support
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++the work of PSC (see psc.edu). However, if I can get some donations I’d have the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++back up I need to demand time to work on it. Now, that being said, if you want to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++support me directly I do have a wishlist at amazon http://amzn.com/w/34XO95A1A9CJL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++I don’t really expect anyone to buy me things or donate money.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++It’s not why I’ve spent a whole lot of hours working on this.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++I just thought I’d throw it out there.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++----------Original README Follows--------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ See https://www.openssh.com/releasenotes.html#7.6p1 for the release notes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Please read https://www.openssh.com/report.html for bug reporting
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/auth2.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth2.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -75,6 +75,8 @@ extern Authmethod method_hostbased;
</span> extern Authmethod method_gssapi;
#endif
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -170,7 +187,7 @@
</span> Authmethod *authmethods[] = {
&method_none,
&method_pubkey,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -224,6 +227,11 @@ input_userauth_request(int type, u_int32
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -229,6 +231,11 @@ input_userauth_request(int type, u_int32
</span> service = packet_get_cstring(NULL);
method = packet_get_cstring(NULL);
debug("userauth-request for user %s service %s method %s", user, service, method);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -182,29 +199,28 @@
</span> debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
if ((style = strchr(user, ':')) != NULL)
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/channels.c 2016-09-29 10:22:25.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/channels.c 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -189,6 +189,10 @@ static void port_open_helper(Channel *c,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static int connect_next(struct channel_connect *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static void channel_connect_ctx_free(struct channel_connect *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/channels.c 2017-10-07 06:27:38.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/channels.c 2017-10-07 06:37:22.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -215,6 +215,9 @@ static int rdynamic_connect_finish(struc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Setup helper */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static void channel_handler_init(struct ssh_channels *sc);
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span> +static int hpn_disabled = 0;
+static int hpn_buffer_size = 2 * 1024 * 1024;
+
/* -- channel core */
<span style='display:block; white-space:pre;background:#ffe0e0;'>- Channel *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -339,6 +343,7 @@ channel_new(char *ctype, int type, int r
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void
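</span><span style='display:block;'>Review bot: hpn_disabled and hpn_buffer_size are introduced as file-scope statics directly under channel_handler_init(struct ssh_channels *sc), i.e. after 7.6 moved the channel state into the per-connection struct ssh_channels. Globals still work for ssh/sshd today but undo that refactor; consider keeping both values in struct ssh_channels and having channel_set_hpn() take the struct ssh *, the same way every channel_new(ssh, ...) call touched by this patch now does.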
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -391,6 +394,7 @@ channel_new(struct ssh *ssh, char *ctype
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->local_window = window;
</span> c->local_window_max = window;
<span style='display:block; white-space:pre;background:#ffe0e0;'>- c->local_consumed = 0;
</span> c->local_maxpacket = maxpack;
+ c->dynamic_window = 0;
<span style='display:block; white-space:pre;background:#ffe0e0;'>- c->remote_id = -1;
</span> c->remote_name = xstrdup(remote_name);
<span style='display:block; white-space:pre;background:#ffe0e0;'>- c->remote_window = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -843,11 +848,39 @@ channel_pre_open_13(Channel *c, fd_set *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- FD_SET(c->sock, writeset);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->ctl_chan = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->delayed = 1; /* prevent call to channel_post handler */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -972,13 +976,41 @@ channel_pre_connecting(struct ssh *ssh,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ FD_SET(c->sock, writeset);
</span> }
+static int
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -221,7 +237,7 @@
</span> + ret = getsockopt(packet_get_connection_in(),
+ SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
+ /* return no more than SSHBUF_SIZE_MAX (currently 256MB) */
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((ret == 0) && tcpwinsz > SSHBUF_SIZE_MAX)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (ret == 0 && tcpwinsz > SSHBUF_SIZE_MAX)
</span> + tcpwinsz = SSHBUF_SIZE_MAX;
+
+ debug2("tcpwinsz: %d for connection: %d", tcpwinsz,
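Review bot: when getsockopt() fails (ret != 0) the clamp `if (ret == 0 && tcpwinsz > SSHBUF_SIZE_MAX)` is skipped and tcpwinsz is handed back with whatever it held before the call; its initial value is outside this hunk, so either initialise it to a known default before the getsockopt() or return that default explicitly on error, and say so in a comment. The comment "return no more than SSHBUF_SIZE_MAX (currently 256MB)" also hard-codes a figure that lives in sshbuf.h; refer to the header instead so the comment cannot go stale.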
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -230,35 +246,43 @@
</span> +}
+
static void
<span style='display:block; white-space:pre;background:#ffe0e0;'>- channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ channel_pre_open(struct ssh *ssh, Channel *c,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fd_set *readset, fd_set *writeset)
</span> {
<span style='display:block; white-space:pre;background:#ffe0e0;'>- u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span> + /* check buffer limits */
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((!c->tcpwinsz) || (c->dynamic_window > 0))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!c->tcpwinsz || c->dynamic_window > 0)
</span> + c->tcpwinsz = channel_tcpwinsz();
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ limit = MIN(limit, 2 * c->tcpwinsz);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_int limit = MIN(c->remote_window, 2 * c->tcpwinsz);
</span> +
if (c->istate == CHAN_INPUT_OPEN &&
<span style='display:block; white-space:pre;background:#ffe0e0;'>- limit > 0 &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- buffer_len(&c->input) < limit &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1865,14 +1898,21 @@ channel_check_window(Channel *c)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->local_maxpacket*3) ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->local_window < c->local_window_max/2) &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->local_consumed > 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- c->remote_window > 0 &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- sshbuf_len(c->input) < c->remote_window &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ limit > 0 &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_len(c->input) < limit &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sshbuf_check_reserve(c->input, CHAN_RBUF) == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ FD_SET(c->rfd, readset);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (c->ostate == CHAN_OUTPUT_OPEN ||
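</span><span style='display:block;'>Review bot: `u_int limit = MIN(c->remote_window, 2 * c->tcpwinsz);` is a declaration after statements; OpenSSH keeps declarations at the top of the block, so declare `u_int limit;` with the other locals and leave only the assignment here. Note also that with dynamic_window set this block now calls channel_tcpwinsz(), i.e. a getsockopt() syscall, on every channel_pre_open() pass for the channel; that is cheap but worth a comment so it is not mistaken for a leftover.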
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2092,10 +2124,17 @@ channel_check_window(struct ssh *ssh, Ch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!c->have_remote_id)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal(":%s: channel %d: no remote id",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ __func__, c->self);
</span> + u_int addition = 0;
+ /* adjust max window size if we are in a dynamic environment */
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (c->dynamic_window && (c->tcpwinsz > c->local_window_max)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (c->dynamic_window && c->tcpwinsz > c->local_window_max) {
</span> + /* grow the window somewhat aggressively to maintain pressure */
+ addition = 1.5 * (c->tcpwinsz - c->local_window_max);
+ c->local_window_max += addition;
+ }
<span style='display:block; white-space:pre;background:#ffe0e0;'>- packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- packet_put_int(c->remote_id);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- packet_put_int(c->local_consumed);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_int(c->local_consumed + addition);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- packet_send();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((r = sshpkt_start(ssh,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (r = sshpkt_send(ssh)) != 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal("%s: channel %i: %s", __func__,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->self, ssh_err(r));
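</span><span style='display:block;'>Review bot: `addition = 1.5 * (c->tcpwinsz - c->local_window_max);` computes the window growth in floating point and then silently converts the double into a u_int; use integer arithmetic, e.g. `addition = (c->tcpwinsz - c->local_window_max) * 3 / 2;` (the guard `c->tcpwinsz > c->local_window_max` on the previous line already guarantees the difference is positive). It is also worth a comment that local_window_max is allowed to grow past the window first advertised to the peer, with the only cap being the SSHBUF_SIZE_MAX clamp inside channel_tcpwinsz().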
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2103,7 +2142,7 @@ channel_check_window(struct ssh *ssh, Ch
</span> debug2("channel %d: window %d sent adjust %d",
c->self, c->local_window,
c->local_consumed);
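Review bot: the WINDOW_ADJUST put on the wire carries `c->local_consumed + addition`, but the debug2() here still logs `c->local_consumed` as the "sent adjust" value, so the log understates the adjustment whenever addition is non-zero. Log the value that was actually sent (or log addition separately) so window-accounting problems can be diagnosed from debug output.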
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -267,58 +291,10 @@
</span> c->local_consumed = 0;
}
return 1;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2236,11 +2276,12 @@ channel_after_select(fd_set *readset, fd
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* If there is data to send to the connection, enqueue some of it now. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- channel_output_poll(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Channel *c;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- u_int i, len;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int packet_length = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- for (i = 0; i < channels_alloc; i++) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c = channels[i];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2288,7 +2329,7 @@ channel_output_poll(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- packet_start(SSH2_MSG_CHANNEL_DATA);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- packet_put_int(c->remote_id);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- packet_put_string(data, dlen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- packet_send();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_length = packet_send();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->remote_window -= dlen;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- free(data);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2318,7 +2359,7 @@ channel_output_poll(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- packet_put_int(c->remote_id);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- packet_put_string(buffer_ptr(&c->input), len);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- packet_send();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_length = packet_send();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- buffer_consume(&c->input, len);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->remote_window -= len;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2353,12 +2394,13 @@ channel_output_poll(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- packet_put_int(c->remote_id);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- packet_put_int(SSH2_EXTENDED_DATA_STDERR);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- packet_put_string(buffer_ptr(&c->extended), len);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- packet_send();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_length = packet_send();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- buffer_consume(&c->extended, len);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->remote_window -= len;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- debug2("channel %d: sent ext data %d", c->self, len);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return packet_length;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
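</span><span style='display:block;'>Review bot: the old patchset's change of channel_output_poll() to return the length of the last packet sent (the `packet_length = packet_send();` lines) is dropped from channels.c here, and the matching prototype change `int channel_output_poll(void);` is dropped from channels.h further down, so the two halves stay consistent. In 7.6 sshpkt_send() returns an error code rather than a length (see the `(r = sshpkt_send(ssh)) != 0` check earlier in this file), so the old approach would not rebase cleanly anyway; please confirm nothing else in the rebased patchset still consumes that return value, and mention the removal in the port's notes since it changes what the HPN patch carries.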
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2816,6 +2858,15 @@ channel_fwd_bind_addr(const char *listen
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -3275,6 +3314,14 @@ channel_fwd_bind_addr(const char *listen
</span> return addr;
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span> +void
+channel_set_hpn(int external_hpn_disabled, int external_hpn_buffer_size)
+{
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -328,48 +304,34 @@
</span> +}
+
static int
<span style='display:block; white-space:pre;background:#ffe0e0;'>- channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int *allocated_listen_port, struct ForwardOptions *fwd_opts)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2944,9 +2995,15 @@ channel_setup_fwd_listener_tcpip(int typ
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct Forward *fwd, int *allocated_listen_port,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -3410,8 +3457,10 @@ channel_setup_fwd_listener_tcpip(struct
</span> }
/* Allocate a channel number for the socket. */
<span style='display:block; white-space:pre;background:#ffe0e0;'>-- c = channel_new("port listener", type, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- 0, "port listener", 1);
</span> + /* explicitly test for hpn disabled option. if true use smaller window size */
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (hpn_disabled)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c = channel_new("port listener", type, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ 0, "port listener", 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c = channel_new("port listener", type, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ 0, "port listener", 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c = channel_new(ssh, "port listener", type, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : hpn_buffer_size,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ CHAN_TCP_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 0, "port listener", 1);
</span> c->path = xstrdup(host);
c->host_port = fwd->connect_port;
<span style='display:block; white-space:pre;background:#ffe0e0;'>- c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -3979,10 +4036,17 @@ x11_create_display_inet(int x11_display_
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- *chanids = xcalloc(num_socks + 1, sizeof(**chanids));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- for (n = 0; n < num_socks; n++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -4477,7 +4526,9 @@ x11_create_display_inet(struct ssh *ssh,
</span> sock = socks[n];
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Is this really necassary? */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (hpn_disabled)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- nc = channel_new("x11 listener",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ nc = channel_new(ssh, "x11 listener",
</span> SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
<span style='display:block; white-space:pre;background:#ffe0e0;'>- CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Is this really necassary? */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : hpn_buffer_size,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ CHAN_X11_PACKET_DEFAULT,
</span> 0, "X11 inet listener", 1);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ nc = channel_new("x11 listener",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hpn_buffer_size, CHAN_X11_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ 0, "X11 inet listener", 1);
</span> nc->single_connection = single_connection;
(*chanids)[n] = nc->self;
<span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/channels.h 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/channels.h 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -134,8 +134,10 @@ struct Channel {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/channels.h 2017-10-07 06:27:38.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/channels.h 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -141,8 +141,10 @@ struct Channel {
</span> u_int local_window_max;
u_int local_consumed;
u_int local_maxpacket;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -380,26 +342,17 @@
</span>
char *ctype; /* type */
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -247,7 +249,7 @@ int channel_input_status_confirm(int, u
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void channel_prepare_select(fd_set **, fd_set **, int *, u_int*,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- time_t*, int);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void channel_after_select(fd_set *, fd_set *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--void channel_output_poll(void);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int channel_output_poll(void);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int channel_not_very_much_buffered_data(void);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void channel_close_all(void);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -312,4 +314,7 @@ void chan_rcvd_ieof(Channel *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void chan_write_failed(Channel *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void chan_obuf_empty(Channel *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -339,4 +341,7 @@ void chan_rcvd_ieof(struct ssh *, Chann
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void chan_write_failed(struct ssh *, Channel *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void chan_obuf_empty(struct ssh *, Channel *);
</span>
+/* hpn handler */
+void channel_set_hpn(int, int);
+
#endif
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/cipher-ctr-mt.c 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -0,0 +1,533 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/cipher-ctr-mt.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -0,0 +1,602 @@
</span> +/*
+ * OpenSSH Multi-threaded AES-CTR Cipher
+ *
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -529,7 +482,7 @@
</span> + u_char keys[KQLEN][AES_BLOCK_SIZE];
+ u_char ctr[AES_BLOCK_SIZE];
+ u_char pad0[CACHELINE_LEN];
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ volatile int qstate;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int qstate;
</span> + pthread_mutex_t lock;
+ pthread_cond_t cond;
+ u_char pad1[CACHELINE_LEN];
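Review bot: dropping volatile from qstate is only correct if every access happens under q->lock; the accesses visible in this file (the wait loop on KQDRAINING/KQINIT, and the KQFILLING, KQFULL and KQDRAINING writes) all hold the mutex, which provides the needed ordering. Add a one-line comment on the field saying it is protected by lock so the next reader neither reinstates volatile (which never gave the required ordering) nor adds an unlocked read.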
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -543,6 +496,11 @@
</span> + STATS_STRUCT(stats);
+ u_char aes_counter[AES_BLOCK_SIZE];
+ pthread_t tid[CIPHER_THREADS];
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_rwlock_t tid_lock;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_rwlock_t stop_lock;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int exit_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* __APPLE__ */
</span> + int state;
+ int qidx;
+ int ridx;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -589,6 +547,57 @@
</span> + pthread_mutex_unlock((pthread_mutex_t *)x);
+}
+
<span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* Check if we should exit, we are doing both cancel and exit condition
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * since on OSX threads seem to occasionally fail to notice when they have
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * been cancelled. We want to have a backup to make sure that we won't hang
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * when the main process join()-s the cancelled thread.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++thread_loop_check_exit(struct ssh_aes_ctr_ctx *c)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int exit_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_rwlock_rdlock(&c->stop_lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ exit_flag = c->exit_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_rwlock_unlock(&c->stop_lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (exit_flag)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_exit(NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# define thread_loop_check_exit(s)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* __APPLE__ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Helper function to terminate the helper threads
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++stop_and_join_pregen_threads(struct ssh_aes_ctr_ctx *c)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int i;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* notify threads that they should exit */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_rwlock_wrlock(&c->stop_lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->exit_flag = TRUE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_rwlock_unlock(&c->stop_lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* __APPLE__ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Cancel pregen threads */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for (i = 0; i < CIPHER_THREADS; i++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_cancel(c->tid[i]);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for (i = 0; i < NUMKQ; i++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_mutex_lock(&c->q[i].lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_cond_broadcast(&c->q[i].cond);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_mutex_unlock(&c->q[i].lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for (i = 0; i < CIPHER_THREADS; i++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_join(c->tid[i], NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> +/*
+ * The life of a pregen thread:
+ * Find empty keystream queues and fill them using their counter.
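Review bot: stop_and_join_pregen_threads() reads c->tid[i] in both the pthread_cancel() and pthread_join() loops without taking c->tid_lock, while the pregen thread takes a read lock just to fetch tid[0]. If tid_lock protects the tid array, take it here as well; if the array is guaranteed stable by the time this runs (all pthread_create() calls complete, only the main thread active), say so in a comment so the inconsistency does not look like an oversight.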
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -603,6 +612,7 @@
</span> + struct kq *q;
+ int i;
+ int qidx;
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_t first_tid;
</span> +
+ /* Threads stats on cancellation */
+ STATS_INIT(stats);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -613,11 +623,15 @@
</span> + /* Thread local copy of AES key */
+ memcpy(&key, &c->aes_ctx, sizeof(key));
+
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_rwlock_rdlock(&c->tid_lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ first_tid = c->tid[0];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_rwlock_unlock(&c->tid_lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> + /*
+ * Handle the special case of startup, one thread must fill
+ * the first KQ then mark it as draining. Lock held throughout.
+ */
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (pthread_equal(pthread_self(), c->tid[0])) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (pthread_equal(pthread_self(), first_tid)) {
</span> + q = &c->q[0];
+ pthread_mutex_lock(&q->lock);
+ if (q->qstate == KQINIT) {
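Review bot: copying `c->tid[0]` into `first_tid` under the read lock closes the race where a freshly started worker compared itself against a `tid[0]` that `pthread_create` had not stored yet, but it only works because the creator holds the write lock across the whole `pthread_create` call, so the worker blocks in `pthread_rwlock_rdlock` until the id is in place. Nothing in thread_loop says why a local snapshot is needed; add a one-line comment at the rdlock naming that dependency.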
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -647,12 +661,16 @@
</span> + /* Check if I was cancelled, also checked in cond_wait */
+ pthread_testcancel();
+
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Check if we should exit as well */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ thread_loop_check_exit(c);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> + /* Lock queue and block if its draining */
+ q = &c->q[qidx];
+ pthread_mutex_lock(&q->lock);
+ pthread_cleanup_push(thread_loop_cleanup, &q->lock);
+ while (q->qstate == KQDRAINING || q->qstate == KQINIT) {
+ STATS_WAIT(stats);
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ thread_loop_check_exit(c);
</span> + pthread_cond_wait(&q->cond, &q->lock);
+ }
+ pthread_cleanup_pop(0);
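Review bot: the `thread_loop_check_exit(c)` inside the wait loop runs with `q->lock` held. If it terminates the thread, the mutex is released only by the cleanup handler pushed just above, and cleanup handlers run on `pthread_exit` but not on a plain return, so the helper must exit the thread rather than return a status when it decides to stop. Document that requirement at this call site (the earlier call, made before the mutex is taken, has no such constraint).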
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -670,6 +688,7 @@
</span> + * can see that it's being filled.
+ */
+ q->qstate = KQFILLING;
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_cond_broadcast(&q->cond);
</span> + pthread_mutex_unlock(&q->lock);
+ for (i = 0; i < KQLEN; i++) {
+ AES_encrypt(q->ctr, q->keys[i], &key);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -681,7 +700,7 @@
</span> + ssh_ctr_add(q->ctr, KQLEN * (NUMKQ - 1), AES_BLOCK_SIZE);
+ q->qstate = KQFULL;
+ STATS_FILL(stats);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_cond_signal(&q->cond);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_cond_broadcast(&q->cond);
</span> + pthread_mutex_unlock(&q->lock);
+ }
+
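Review bot: switching `pthread_cond_signal` to `pthread_cond_broadcast` when a queue becomes KQFULL is the right call now that several parties wait on `q->cond`, namely the consumer draining it and any pregen thread parked in the KQDRAINING/KQINIT loop with an exit check before each wait; a single signal could wake one producer and leave the thread that needs to notice a shutdown asleep. The same reasoning justifies the KQFILLING broadcast added a few lines above; a short comment at either site would spare the next reader from re-deriving it.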
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -773,6 +792,7 @@
</span> + pthread_cond_wait(&q->cond, &q->lock);
+ }
+ q->qstate = KQDRAINING;
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_cond_broadcast(&q->cond);
</span> + pthread_mutex_unlock(&q->lock);
+
+ /* Mark consumed queue empty and signal producers */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -799,6 +819,11 @@
</span> +
+ if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
+ c = xmalloc(sizeof(*c));
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_rwlock_init(&c->tid_lock, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_rwlock_init(&c->stop_lock, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->exit_flag = FALSE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* __APPLE__ */
</span> +
+ c->state = HAVE_NONE;
+ for (i = 0; i < NUMKQ; i++) {
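Review bot: both `pthread_rwlock_init` return values are ignored. `xmalloc` already aborts on failure, so calling `fatal()` on a non-zero return here keeps the same all-or-nothing style instead of leaving an uninitialised lock that every later `pthread_rwlock_rdlock`/`wrlock` depends on. Also note in a comment that `stop_lock` and `exit_flag` exist only under `__APPLE__`, so the non-Apple build must stop its workers without them.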
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -811,11 +836,14 @@
</span> + }
+
+ if (c->state == (HAVE_KEY | HAVE_IV)) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Cancel pregen threads */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ for (i = 0; i < CIPHER_THREADS; i++)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_cancel(c->tid[i]);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ for (i = 0; i < CIPHER_THREADS; i++)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_join(c->tid[i], NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* tell the pregen threads to exit */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ stop_and_join_pregen_threads(c);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* reset the exit flag */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->exit_flag = FALSE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* __APPLE__ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> + /* Start over getting key & iv */
+ c->state = HAVE_NONE;
+ }
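Review bot: `c->exit_flag = FALSE` is written without `c->stop_lock`. That is fine immediately after `stop_and_join_pregen_threads` returned, since every reader has been joined, but the comment should say so, and the reset should live next to the join rather than at this one call site: `ssh_aes_ctr_thread_destroy` below calls the same helper without clearing the flag, so workers started afterwards by `ssh_aes_ctr_thread_reconstruction` would find it still set if `thread_loop_check_exit` tests it. Moving the reset into `stop_and_join_pregen_threads` (or into the reconstruction path) covers both callers.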
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -846,10 +874,12 @@
</span> + /* Start threads */
+ for (i = 0; i < CIPHER_THREADS; i++) {
+ debug("spawned a thread");
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_rwlock_wrlock(&c->tid_lock);
</span> + pthread_create(&c->tid[i], NULL, thread_loop, c);
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_rwlock_unlock(&c->tid_lock);
</span> + }
+ pthread_mutex_lock(&c->q[0].lock);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ while (c->q[0].qstate != KQDRAINING)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ while (c->q[0].qstate == KQINIT)
</span> + pthread_cond_wait(&c->q[0].cond, &c->q[0].lock);
+ pthread_mutex_unlock(&c->q[0].lock);
+ }
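Review bot: the startup wait changed from `!= KQDRAINING` to `== KQINIT`. The two are equivalent only because the first worker's startup path holds `q[0].lock` throughout while moving the queue from KQINIT to KQDRAINING (see the "Lock held throughout" comment in thread_loop), so the main thread can never observe an intermediate state; the new form is also more robust, as the old loop would wait forever once q[0] had moved past KQDRAINING. Record that dependency in a comment here. While touching these lines, `debug("spawned a thread")` is logged before `pthread_create`, whose return value is never checked; check it and log afterwards.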
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -863,15 +893,10 @@
</span> +ssh_aes_ctr_thread_destroy(EVP_CIPHER_CTX *ctx)
+{
+ struct ssh_aes_ctr_ctx *c;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int i;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> + c = EVP_CIPHER_CTX_get_app_data(ctx);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* destroy threads */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ for (i = 0; i < CIPHER_THREADS; i++) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_cancel(c->tid[i]);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ for (i = 0; i < CIPHER_THREADS; i++) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_join(c->tid[i], NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ stop_and_join_pregen_threads(c);
</span> +}
+
+void
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -883,7 +908,9 @@
</span> + /* reconstruct threads */
+ for (i = 0; i < CIPHER_THREADS; i++) {
+ debug("spawned a thread");
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_rwlock_wrlock(&c->tid_lock);
</span> + pthread_create(&c->tid[i], NULL, thread_loop, c);
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_rwlock_unlock(&c->tid_lock);
</span> + }
+}
+
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -891,18 +918,13 @@
</span> +ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx)
+{
+ struct ssh_aes_ctr_ctx *c;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int i;
</span> +
+ if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
+#ifdef CIPHER_THREAD_STATS
+ debug("main thread: %u drains, %u waits", c->stats.drains,
+ c->stats.waits);
+#endif
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Cancel pregen threads */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ for (i = 0; i < CIPHER_THREADS; i++)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_cancel(c->tid[i]);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ for (i = 0; i < CIPHER_THREADS; i++)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pthread_join(c->tid[i], NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ stop_and_join_pregen_threads(c);
</span> +
+ memset(c, 0, sizeof(*c));
+ free(c);
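Review bot: `ssh_aes_ctr_cleanup` memsets and frees the context but never calls `pthread_rwlock_destroy` on `c->tid_lock` (nor on `c->stop_lock` under `__APPLE__`), which the init hunk created with `pthread_rwlock_init`. Add the destroy calls after `stop_and_join_pregen_threads(c)` and before the `memset`, at which point the workers are joined and nothing can still hold the locks.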
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -933,11 +955,11 @@
</span> +}
+
+#endif /* defined(WITH_OPENSSL) */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/cipher.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/cipher.c 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -57,6 +57,13 @@ extern const EVP_CIPHER *evp_ssh1_3des(v
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- extern int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/cipher.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/cipher.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -52,6 +52,13 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "openbsd-compat/openssl-compat.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span>
+/* for multi-threaded aes-ctr cipher */
+extern const EVP_CIPHER *evp_aes_ctr_mt(void);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -946,19 +968,19 @@
</span> +/* extern void ssh_aes_ctr_thread_destroy(EVP_CIPHER_CTX *ctx); */
+/* extern void ssh_aes_ctr_thread_reconstruction(EVP_CIPHER_CTX *ctx); */
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>- struct sshcipher {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char *name;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int number; /* for ssh1 only */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -77,7 +84,7 @@ struct sshcipher {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct sshcipher_ctx {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int plaintext;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int encrypt;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -80,7 +87,7 @@ struct sshcipher {
</span> #endif
};
-static const struct sshcipher ciphers[] = {
+static struct sshcipher ciphers[] = {
<span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef WITH_SSH1
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -156,6 +163,29 @@ cipher_alg_list(char sep, int auth_only)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef WITH_OPENSSL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "aes128-cbc", 16, 16, 0, 0, CFLAG_CBC, EVP_aes_128_cbc },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -138,6 +145,29 @@ cipher_alg_list(char sep, int auth_only)
</span> return ret;
}
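Review bot: the rebased patch keeps `static struct sshcipher ciphers[]` with the `const` dropped, and the cipher.h hunk further down makes `cipher_by_name` return a non-const pointer. The table holds the EVP constructor function pointer for every cipher, so removing `const` moves it from read-only data into writable memory and any later store into it changes at runtime which implementation a cipher name resolves to. If the only writer is the single-to-multithreaded ctr swap described above `cipher_ctx_name`, say so in a comment at the table and keep the write confined to that function rather than exporting a mutable table through the public header.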
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -966,9 +988,9 @@
</span> + * single to multithreaded ctr cipher swap we only rekey when appropriate
+ */
+const char *
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+cipher_return_name(const struct sshcipher *c)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++cipher_ctx_name(const struct sshcipher_ctx *cc)
</span> +{
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return c->name;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return cc->cipher->name;
</span> +}
+
+/* in order to get around sandbox and forking issues with a threaded cipher
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -988,8 +1010,8 @@
</span> u_int
cipher_blocksize(const struct sshcipher *c)
{
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -217,10 +247,10 @@ cipher_mask_ssh1(int client)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return mask;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -187,10 +217,10 @@ cipher_ctx_is_plaintext(struct sshcipher
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return cc->plaintext;
</span> }
-const struct sshcipher *
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1001,114 +1023,75 @@
</span> for (c = ciphers; c->name != NULL; c++)
if (strcmp(c->name, name) == 0)
return c;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -252,7 +282,8 @@ ciphers_valid(const char *names)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -212,7 +242,7 @@ ciphers_valid(const char *names)
</span> for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
(p = strsep(&cp, CIPHER_SEP))) {
c = cipher_by_name(p);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (c == NULL || c->number != SSH_CIPHER_SSH2) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (c == NULL || (c->number != SSH_CIPHER_SSH2 &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c->number != SSH_CIPHER_NONE)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (c == NULL || (c->flags & CFLAG_INTERNAL) != 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (c == NULL) {
</span> free(cipher_list);
return 0;
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -552,6 +583,7 @@ cipher_get_keyiv(struct sshcipher_ctx *c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- switch (c->number) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef WITH_OPENSSL
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case SSH_CIPHER_NONE:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case SSH_CIPHER_SSH2:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case SSH_CIPHER_DES:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case SSH_CIPHER_BLOWFISH:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -600,6 +632,7 @@ cipher_set_keyiv(struct sshcipher_ctx *c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- switch (c->number) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef WITH_OPENSSL
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case SSH_CIPHER_NONE:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case SSH_CIPHER_SSH2:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case SSH_CIPHER_DES:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case SSH_CIPHER_BLOWFISH:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/cipher.h 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/cipher.h 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -72,8 +72,11 @@ struct sshcipher_ctx {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- const struct sshcipher *cipher;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- };
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/cipher.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/cipher.h 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -48,7 +48,10 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct sshcipher;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct sshcipher_ctx;
</span>
<span style='display:block; white-space:pre;background:#e0ffe0;'>+-const struct sshcipher *cipher_by_name(const char *);
</span> +void ssh_aes_ctr_thread_destroy(EVP_CIPHER_CTX *ctx); // defined in cipher-ctr-mt.c
+void ssh_aes_ctr_thread_reconstruction(EVP_CIPHER_CTX *ctx);
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>- u_int cipher_mask_ssh1(int);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--const struct sshcipher *cipher_by_name(const char *);
</span> +struct sshcipher *cipher_by_name(const char *);
<span style='display:block; white-space:pre;background:#ffe0e0;'>- const struct sshcipher *cipher_by_number(int);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int cipher_number(const char *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char *cipher_name(int);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -95,6 +98,8 @@ u_int cipher_seclen(const struct sshcip
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const char *cipher_warning_message(const struct sshcipher_ctx *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int ciphers_valid(const char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *cipher_alg_list(char, int);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -65,7 +68,9 @@ u_int cipher_seclen(const struct sshcip
</span> u_int cipher_authlen(const struct sshcipher *);
u_int cipher_ivlen(const struct sshcipher *);
u_int cipher_is_cbc(const struct sshcipher *);
+void cipher_reset_multithreaded(void);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+const char *cipher_return_name(const struct sshcipher *);
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>- u_int cipher_get_number(const struct sshcipher *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++const char *cipher_ctx_name(const struct sshcipher_ctx *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ u_int cipher_ctx_is_plaintext(struct sshcipher_ctx *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span> int cipher_get_keyiv(struct sshcipher_ctx *, u_char *, u_int);
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/clientloop.c 2016-09-29 10:22:25.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/clientloop.c 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1999,9 +1999,15 @@ client_request_x11(const char *request_t
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sock = x11_connect_display();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (sock < 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/clientloop.c 2017-10-07 06:27:38.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/clientloop.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1590,7 +1590,9 @@ client_request_x11(struct ssh *ssh, cons
</span> return NULL;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* again is this really necessary for X11? */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.hpn_disabled)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c = channel_new("x11",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c = channel_new(ssh, "x11",
</span> SSH_CHANNEL_X11_OPEN, sock, sock, -1,
<span style='display:block; white-space:pre;background:#ffe0e0;'>- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c = channel_new("x11",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.hpn_buffer_size, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* again is this really necessary for X11? */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
</span> c->force_drain = 1;
return c;
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2024,9 +2030,15 @@ client_request_agent(const char *request
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1615,7 +1617,8 @@ client_request_agent(struct ssh *ssh, co
</span> }
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.hpn_disabled)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c = channel_new("authentication agent connection",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SSH_CHANNEL_OPEN, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ "authentication agent connection", 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c = channel_new("authentication agent connection",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c = channel_new(ssh, "authentication agent connection",
</span> SSH_CHANNEL_OPEN, sock, sock, -1,
- CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ CHAN_TCP_PACKET_DEFAULT, 0,
</span> "authentication agent connection", 1);
c->force_drain = 1;
return c;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2054,10 +2066,18 @@ client_request_tun_fwd(int tun_mode, int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1640,7 +1643,8 @@ client_request_tun_fwd(struct ssh *ssh,
</span> }
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if(options.hpn_disabled)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
</span> - CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ 0, "tun", 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ 0, "tun", 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
</span> c->datagram = 1;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span> #if defined(SSH_TUN_FILTER)
<span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- channel_register_filter(c->self, sys_tun_infilter,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/compat.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/compat.c 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -210,6 +210,13 @@ compat_datafellows(const char *version)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/compat.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/compat.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -198,6 +198,13 @@ compat_datafellows(const char *version)
</span> debug("match: %s pat %s compat 0x%08x",
version, check[i].pat, check[i].bugs);
datafellows = check[i].bugs; /* XXX for now */
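Review bot: in `ciphers_valid` the rebased check is now just `if (c == NULL)`, which drops upstream's `(c->flags & CFLAG_INTERNAL) != 0` rejection entirely, whereas the previous version of the patch only additionally admitted `SSH_CIPHER_NONE`. The net effect is that any cipher upstream marks internal, not only none, is accepted from a user-supplied cipher list; if the goal is to let the HPN none cipher be listed, exempt that one cipher explicitly and add a comment, so the upstream guard is narrowed rather than removed. Separately, the `options.hpn_disabled ? ... : options.hpn_buffer_size` ternaries in the clientloop.c hunks are a clean replacement for the duplicated `channel_new` calls, but the `/* again is this really necessary for X11? */` comment now sits inside an argument list and reads oddly there.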
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1122,27 +1105,19 @@
</span> return check[i].bugs;
}
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/compat.h 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/compat.h 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/compat.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/compat.h 2017-10-07 06:27:39.000000000 +0200
</span> @@ -62,6 +62,7 @@
#define SSH_BUG_CURVE25519PAD 0x10000000
#define SSH_BUG_HOSTKEYS 0x20000000
#define SSH_BUG_DHGEX_LARGE 0x40000000
+#define SSH_BUG_LARGEWINDOW 0x80000000
<span style='display:block; white-space:pre;background:#ffe0e0;'>- void enable_compat13(void);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void enable_compat20(void);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/kex.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/kex.c 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -53,6 +53,7 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "ssherr.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "sshbuf.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "canohost.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "digest.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #if OPENSSL_VERSION_NUMBER >= 0x00907000L
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -754,6 +755,11 @@ kex_choose_conf(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ u_int compat_datafellows(const char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int proto_spec(const char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/kex.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/kex.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -773,6 +773,11 @@ kex_choose_conf(struct ssh *ssh)
</span> int nenc, nmac, ncomp;
u_int mode, ctos, need, dh_need, authlen;
int r, first_kex_follows;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1154,7 +1129,7 @@
</span>
debug2("local %s KEXINIT proposal", kex->server ? "server" : "client");
if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -826,11 +832,35 @@ kex_choose_conf(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -843,11 +848,35 @@ kex_choose_conf(struct ssh *ssh)
</span> peer[ncomp] = NULL;
goto out;
}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1190,26 +1165,9 @@
</span> }
need = dh_need = 0;
for (mode = 0; mode < MODE_MAX; mode++) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/opacket.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/opacket.c 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -108,13 +108,15 @@ ssh_packet_put_ecpoint(struct ssh *ssh,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif /* WITH_OPENSSL */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_packet_send(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int r;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if ((r = sshpkt_send(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fatal("%s: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return r;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- u_int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -294,13 +296,15 @@ packet_write_wait(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/opacket.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/opacket.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -274,13 +274,15 @@ packet_write_wait(void)
</span> sshpkt_fatal(active_state, __func__, r);
}
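Review bot: the rebase silently drops the old patch's `void` to `int` change of ssh_packet_send() in opacket.c (the matching prototype change in opacket.h is dropped in the next hunk). Dropping it is sound, since the added `return r;` sat after `fatal()` and was unreachable, so the int return never carried a meaningful value; please confirm that no remaining HPN code inspects ssh_packet_send()'s return value, otherwise it will no longer compile against the unchanged void prototype, and mention the dropped change in the commit message.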
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1226,18 +1184,9 @@
</span> }
void
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/opacket.h 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/opacket.h 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -12,7 +12,7 @@ void ssh_packet_put_ecpoint(struct s
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void ssh_packet_put_string(struct ssh *, const void *buf, u_int len);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void ssh_packet_put_cstring(struct ssh *, const char *str);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void ssh_packet_put_raw(struct ssh *, const void *buf, u_int len);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--void ssh_packet_send(struct ssh *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int ssh_packet_send(struct ssh *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- u_int ssh_packet_get_char(struct ssh *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- u_int ssh_packet_get_int(struct ssh *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -44,7 +44,7 @@ int packet_read_seqnr(u_int32_t *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/opacket.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/opacket.h 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -42,7 +42,7 @@ int packet_read_seqnr(u_int32_t *);
</span> int packet_read_poll_seqnr(u_int32_t *);
void packet_process_incoming(const char *buf, u_int len);
void packet_write_wait(void);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1246,9 +1195,9 @@
</span> void packet_read_expect(int expected_type);
#define packet_set_timeout(timeout, count) \
ssh_packet_set_timeout(active_state, (timeout), (count))
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/packet.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/packet.c 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -277,7 +277,7 @@ struct ssh *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/packet.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/packet.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -280,7 +280,7 @@ struct ssh *
</span> ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
{
struct session_state *state;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1257,7 +1206,7 @@
</span> int r;
if (none == NULL) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1074,6 +1074,24 @@ ssh_set_newkeys(struct ssh *ssh, int mod
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -914,6 +914,24 @@ ssh_set_newkeys(struct ssh *ssh, int mod
</span> return 0;
}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1282,7 +1231,7 @@
</span> #define MAX_PACKETS (1U<<31)
static int
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1100,6 +1118,13 @@ ssh_packet_need_rekeying(struct ssh *ssh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -940,6 +958,13 @@ ssh_packet_need_rekeying(struct ssh *ssh
</span> if (state->p_send.packets == 0 && state->p_read.packets == 0)
return 0;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1295,8 +1244,8 @@
</span> +
/* Time-based rekeying */
if (state->rekey_interval != 0 &&
<span style='display:block; white-space:pre;background:#ffe0e0;'>- state->rekey_time + state->rekey_interval <= monotime())
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -3014,3 +3039,10 @@ sshpkt_add_padding(struct ssh *ssh, u_ch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (int64_t)state->rekey_time + state->rekey_interval <= monotime())
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2666,3 +2691,10 @@ sshpkt_add_padding(struct ssh *ssh, u_ch
</span> ssh->state->extra_pad = pad;
return 0;
}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1305,11 +1254,11 @@
</span> +void *
+ssh_packet_get_send_context(struct ssh *ssh)
+{
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return (void *)&ssh->state->send_context;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return ssh->state->send_context;
</span> +}
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/packet.h 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/packet.h 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -142,6 +142,10 @@ int ssh_packet_inc_alive_timeouts(struc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/packet.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/packet.h 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -155,6 +155,10 @@ int ssh_packet_inc_alive_timeouts(struc
</span> int ssh_packet_set_maxsize(struct ssh *, u_int);
u_int ssh_packet_get_maxsize(struct ssh *);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1320,17 +1269,16 @@
</span> int ssh_packet_get_state(struct ssh *, struct sshbuf *);
int ssh_packet_set_state(struct ssh *, struct sshbuf *);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -155,6 +159,8 @@ time_t ssh_packet_get_rekey_timeout(str
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -168,6 +172,7 @@ time_t ssh_packet_get_rekey_timeout(str
</span>
void *ssh_packet_get_input(struct ssh *);
void *ssh_packet_get_output(struct ssh *);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+void *ssh_packet_get_receive_context(struct ssh *);
</span> +void *ssh_packet_get_send_context(struct ssh *);
/* new API */
int sshpkt_start(struct ssh *ssh, u_char type);
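Review bot: `void *ssh_packet_get_receive_context(struct ssh *);` is dropped from the rebased packet.h hunk while `ssh_packet_get_send_context` stays, and the visible part of the packet.c hunk above only defines the send-side accessor. If the old declaration never had a definition this is a welcome cleanup; if any of the multithreaded cipher code still calls it, the port now fails at link time. Please state which in the commit message.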
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/progressmeter.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/progressmeter.c 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/progressmeter.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/progressmeter.c 2017-10-07 06:27:39.000000000 +0200
</span> @@ -69,6 +69,8 @@ static const char *file; /* name of the
static off_t start_pos; /* initial position of transfer */
static off_t end_pos; /* ending position of transfer */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1391,8 +1339,8 @@
</span> }
/*ARGSUSED*/
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/readconf.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/readconf.c 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/readconf.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/readconf.c 2017-10-07 06:27:39.000000000 +0200
</span> @@ -66,6 +66,7 @@
#include "uidswap.h"
#include "myproposal.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1401,25 +1349,27 @@
</span>
/* Format of the configuration file:
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -164,6 +165,8 @@ typedef enum {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- oSendEnv, oControlPath, oControlMaster, oControlPersist,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -165,6 +166,9 @@ typedef enum {
</span> oHashKnownHosts,
<span style='display:block; white-space:pre;background:#ffe0e0;'>- oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ oTunnel, oTunnelDevice,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ oLocalCommand, oPermitLocalCommand, oRemoteCommand,
</span> + oNoneEnabled, oNoneSwitch,
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ oDisableMTAES,
</span> + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
oVisualHostKey,
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -281,6 +284,8 @@ static struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -290,6 +294,9 @@ static struct {
</span> { "kexalgorithms", oKexAlgorithms },
{ "ipqos", oIPQoS },
{ "requesttty", oRequestTTY },
+ { "noneenabled", oNoneEnabled },
+ { "noneswitch", oNoneSwitch },
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "disablemtaes", oDisableMTAES },
</span> { "proxyusefdpass", oProxyUseFdpass },
{ "canonicaldomains", oCanonicalDomains },
{ "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -297,6 +302,11 @@ static struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -306,6 +313,11 @@ static struct {
</span> { "ignoreunknown", oIgnoreUnknown },
{ "proxyjump", oProxyJump },
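Review bot: the rebased readconf.c hunks add a new client option (`oDisableMTAES`, keyword `disablemtaes`, field `disable_multithreaded`) that the previous HPN patchset did not have. No corresponding ssh_config(5) hunk is visible in this part of the diff; make sure the new keyword is documented alongside the other HPN options, and note in the commit message that the 7.6 patchset introduces it, since users of the previous port version will otherwise not know the multithreaded AES-CTR cipher can now be switched off.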
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1431,7 +1381,7 @@
</span> { NULL, oBadOption }
};
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -974,6 +984,38 @@ parse_time:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -988,6 +1000,42 @@ parse_time:
</span> intptr = &options->check_host_ip;
goto parse_flag;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1439,6 +1389,10 @@
</span> + intptr = &options->none_enabled;
+ goto parse_flag;
+
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ case oDisableMTAES:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ intptr = &options->disable_multithreaded;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> + /*
+ * We check to see if the command comes from the command
+ * line or not. If it does then enable it otherwise fail.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1470,7 +1424,7 @@
</span> case oVerifyHostKeyDNS:
intptr = &options->verify_host_key_dns;
multistate_ptr = multistate_yesnoask;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1166,6 +1208,10 @@ parse_int:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1176,6 +1224,10 @@ parse_int:
</span> intptr = &options->connection_attempts;
goto parse_int;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1478,15 +1432,16 @@
</span> + intptr = &options->tcp_rcv_buf;
+ goto parse_int;
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>- case oCipher:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- intptr = &options->cipher;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case oCiphers:
</span> arg = strdelim(&s);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1846,6 +1892,12 @@ initialize_options(Options * options)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!arg || *arg == '\0')
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1857,6 +1909,13 @@ initialize_options(Options * options)
</span> options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
options->request_tty = -1;
+ options->none_switch = -1;
+ options->none_enabled = -1;
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->disable_multithreaded = -1;
</span> + options->hpn_disabled = -1;
+ options->hpn_buffer_size = -1;
+ options->tcp_rcv_buf_poll = -1;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1494,7 +1449,7 @@
</span> options->proxy_use_fdpass = -1;
options->ignored_unknown = NULL;
options->num_canonical_domains = 0;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2009,6 +2061,30 @@ fill_default_options(Options * options)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2002,6 +2061,32 @@ fill_default_options(Options * options)
</span> options->server_alive_interval = 0;
if (options->server_alive_count_max == -1)
options->server_alive_count_max = 3;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1502,6 +1457,8 @@
</span> + options->none_switch = 0;
+ if (options->none_enabled == -1)
+ options->none_enabled = 0;
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->disable_multithreaded == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->disable_multithreaded = 0;
</span> + if (options->hpn_disabled == -1)
+ options->hpn_disabled = 0;
+ if (options->hpn_buffer_size > -1) {
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1525,11 +1482,11 @@
</span> if (options->control_master == -1)
options->control_master = 0;
if (options->control_persist == -1) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/readconf.h 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/readconf.h 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -57,6 +57,10 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int compression_level; /* Compression level 1 (fast) to 9
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * (best). */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/readconf.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/readconf.h 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -52,6 +52,10 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int strict_host_key_checking; /* Strict host key checking. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int compression; /* Compress packets in both directions. */
</span> int tcp_keep_alive; /* Set SO_KEEPALIVE. */
+ int tcp_rcv_buf; /* user switch to set tcp recv buffer */
+ int tcp_rcv_buf_poll; /* Option to poll recv buf every window transfer */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1537,43 +1494,44 @@
</span> + int hpn_buffer_size; /* User definable size for HPN buffer window */
int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
<span style='display:block; white-space:pre;background:#ffe0e0;'>- LogLevel log_level; /* Level for logging. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -118,7 +122,10 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SyslogFacility log_facility; /* Facility for system logging. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -112,7 +116,11 @@ typedef struct {
</span>
int enable_ssh_keysign;
int64_t rekey_limit;
+ int none_switch; /* Use none cipher */
+ int none_enabled; /* Allow none to be used */
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ int disable_multithreaded; /*disable multithreaded aes-ctr*/
</span> int rekey_interval;
+
int no_host_authentication_for_localhost;
int identities_only;
int server_alive_interval;
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sandbox-seccomp-filter.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sandbox-seccomp-filter.c 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -147,6 +147,9 @@ static const struct sock_filter preauth_
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sandbox-seccomp-filter.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sandbox-seccomp-filter.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -166,6 +166,9 @@ static const struct sock_filter preauth_
</span> #ifdef __NR_exit_group
<span style='display:block; white-space:pre;background:#ffe0e0;'>- SC_ALLOW(exit_group),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SC_ALLOW(__NR_exit_group),
</span> #endif
+#ifdef __NR_getpeername /* not defined on archs that go via socketcall(2) */
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SC_ALLOW(getpeername),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ SC_ALLOW(__NR_getpeername),
</span> +#endif
#ifdef __NR_getpgid
<span style='display:block; white-space:pre;background:#ffe0e0;'>- SC_ALLOW(getpgid),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SC_ALLOW(__NR_getpgid),
</span> #endif
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -198,6 +201,9 @@ static const struct sock_filter preauth_
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -217,6 +220,9 @@ static const struct sock_filter preauth_
</span> #ifdef __NR_sigprocmask
<span style='display:block; white-space:pre;background:#ffe0e0;'>- SC_ALLOW(sigprocmask),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SC_ALLOW(__NR_sigprocmask),
</span> #endif
+#ifdef __NR_socketcall
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SC_ALLOW(socketcall),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ SC_ALLOW(__NR_socketcall),
</span> +#endif
#ifdef __NR_time
<span style='display:block; white-space:pre;background:#ffe0e0;'>- SC_ALLOW(time),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SC_ALLOW(__NR_time),
</span> #endif
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/scp.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/scp.c 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -764,7 +764,7 @@ source(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/scp.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/scp.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -770,7 +770,7 @@ source(int argc, char **argv)
</span> off_t i, statbytes;
size_t amt, nr;
int fd = -1, haderr, indx;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1582,7 +1540,7 @@
</span> int len;
for (indx = 0; indx < argc; ++indx) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -932,7 +932,7 @@ sink(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -943,7 +943,7 @@ sink(int argc, char **argv)
</span> off_t size, statbytes;
unsigned long long ull;
int setimes, targisdir, wrerrno = 0;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1591,8 +1549,8 @@
</span> struct timeval tv[2];
#define atime tv[0]
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/servconf.c 2016-09-29 10:22:25.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/servconf.c 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/servconf.c 2017-10-07 06:27:38.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/servconf.c 2017-10-07 06:27:39.000000000 +0200
</span> @@ -57,6 +57,7 @@
#include "auth.h"
#include "myproposal.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1601,18 +1559,19 @@
</span>
static void add_listen_addr(ServerOptions *, char *, int);
static void add_one_listen_addr(ServerOptions *, char *, int);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -165,6 +166,10 @@ initialize_server_options(ServerOptions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -159,6 +160,11 @@ initialize_server_options(ServerOptions
</span> options->authorized_principals_file = NULL;
options->authorized_principals_command = NULL;
options->authorized_principals_command_user = NULL;
+ options->none_enabled = -1;
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->disable_multithreaded = -1,
</span> + options->tcp_rcv_buf_poll = -1;
+ options->hpn_disabled = -1;
+ options->hpn_buffer_size = -1;
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
options->version_addendum = NULL;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -196,6 +201,10 @@ void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -192,6 +198,10 @@ void
</span> fill_default_server_options(ServerOptions *options)
{
int i;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1623,12 +1582,14 @@
</span>
/* Portable-specific options */
if (options->use_pam == -1)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -341,6 +350,43 @@ fill_default_server_options(ServerOption
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -320,6 +330,45 @@ fill_default_server_options(ServerOption
</span> }
if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO;
+ if (options->none_enabled == -1)
+ options->none_enabled = 0;
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->disable_multithreaded == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->disable_multithreaded = 0;
</span> + if (options->hpn_disabled == -1)
+ options->hpn_disabled = 0;
+
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1667,39 +1628,32 @@
</span> if (options->ip_qos_interactive == -1)
options->ip_qos_interactive = IPTOS_LOWDELAY;
if (options->ip_qos_bulk == -1)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -415,6 +461,8 @@ typedef enum {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -398,6 +447,9 @@ typedef enum {
</span> sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
+ sNoneEnabled,
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ sDisableMTAES,
</span> + sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
<span style='display:block; white-space:pre;background:#ffe0e0;'>- sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -568,6 +616,10 @@ static struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -552,6 +604,11 @@ static struct {
</span> { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
+ { "noneenabled", sNoneEnabled, SSHCFG_ALL },
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "disableMTAES", sDisableMTAES, SSHCFG_ALL },
</span> + { "hpndisabled", sHPNDisabled, SSHCFG_ALL },
+ { "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL },
+ { "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
{ "ipqos", sIPQoS, SSHCFG_ALL },
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -606,6 +658,7 @@ parse_token(const char *cp, const char *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- for (i = 0; keywords[i].name; i++)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (strcasecmp(cp, keywords[i].name) == 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Config token is %s", keywords[i].name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- *flags = keywords[i].flags;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return keywords[i].opcode;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1185,10 +1238,27 @@ process_server_config_line(ServerOptions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1194,10 +1251,30 @@ process_server_config_line(ServerOptions
</span> *intptr = value;
break;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span> + case sTcpRcvBufPoll:
+ intptr = &options->tcp_rcv_buf_poll;
+ goto parse_flag;
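Review bot: `{ "disableMTAES", sDisableMTAES, SSHCFG_ALL }` is the only mixed-case keyword in the server table; lookup goes through strcasecmp (visible in the dropped parse_token context just above), so it still matches, but the client-side table spells it `disablemtaes` and every other entry is lowercase, so use `"disablemtaes"` here as well. Dropping the old `debug("Config token is %s", ...)` line from parse_token is a good change; it logged every configuration keyword on each parse at debug level for no benefit.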
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1720,41 +1674,42 @@
</span> + intptr = &options->none_enabled;
+ goto parse_flag;
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>- case sRhostsRSAAuthentication:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- intptr = &options->rhosts_rsa_authentication;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case sDisableMTAES:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ intptr = &options->disable_multithreaded;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case sHostbasedAuthentication:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ intptr = &options->hostbased_authentication;
</span> goto parse_flag;
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/servconf.h 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/servconf.h 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -172,6 +172,11 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/servconf.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/servconf.h 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -173,6 +173,13 @@ typedef struct {
</span> char *adm_forced_command;
int use_pam; /* Enable auth via PAM */
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int tcp_rcv_buf_poll; /* poll tcp rcv window in autotuning kernels*/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int tcp_rcv_buf_poll; /* poll tcp rcv window in autotuning kernels*/
</span> + int hpn_disabled; /* disable hpn functionality. false by default */
+ int hpn_buffer_size; /* set the hpn buffer size - default 3MB */
+
+ int none_enabled; /* Enable NONE cipher switch */
<span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int disable_multithreaded; /*disable multithreaded aes-ctr cipher */
</span>
int permit_tun;
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/serverloop.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/serverloop.c 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -93,10 +93,10 @@ static int fdin; /* Descriptor for stdi
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static int fdout; /* Descriptor for stdout (for reading);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- May be same number as fdin. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static int fderr; /* Descriptor for stderr. May be -1. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--static long stdin_bytes = 0; /* Number of bytes written to stdin. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--static long stdout_bytes = 0; /* Number of stdout bytes sent to client. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--static long stderr_bytes = 0; /* Number of stderr bytes sent to client. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--static long fdout_bytes = 0; /* Number of stdout bytes read from program. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/serverloop.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/serverloop.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -84,6 +84,9 @@ extern ServerOptions options;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ extern Authctxt *the_authctxt;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ extern int use_privsep;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span> +static u_long stdin_bytes = 0; /* Number of bytes written to stdin. */
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+static u_long stdout_bytes = 0; /* Number of stdout bytes sent to client. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static u_long stderr_bytes = 0; /* Number of stderr bytes sent to client. */
</span> +static u_long fdout_bytes = 0; /* Number of stdout bytes read from program. */
<span style='display:block; white-space:pre;background:#ffe0e0;'>- static int stdin_eof = 0; /* EOF message received from client. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static int fdout_eof = 0; /* EOF encountered reading from fdout. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static int fderr_eof = 0; /* EOF encountered readung from fderr. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -121,6 +121,20 @@ static volatile sig_atomic_t received_si
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int no_more_sessions = 0; /* Disallow further sessions. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -100,6 +103,20 @@ static volatile sig_atomic_t received_si
</span> static void server_init_dispatch(void);
/*
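Review bot: the comments on the two surviving counters no longer describe what they count. `stdin_bytes` ("Number of bytes written to stdin") is only ever incremented with the return value of `packet_write_poll()` in process_output, right under "Send any buffered packet data to the client", i.e. bytes sent to the client; `fdout_bytes` ("Number of stdout bytes read from program") is incremented by `len` immediately after `packet_process_incoming(buf, len)` in process_input, i.e. bytes received from the client. Either rename them to match (in/out or rx/tx) or rewrite the comments so the throughput log is not misread. Keeping them `u_long` is right, since the `IN: %lu;OUT: %lu` conversions in the throughput logit need an unsigned long; the old `long` counters together with the removed `debug("FD out now: %ld", fdout_bytes)` were the mismatched pair.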
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1775,38 +1730,30 @@
</span> * we write to this pipe if a SIGCHLD is caught in order to avoid
* the race between select() and child_terminated
*/
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -421,6 +435,7 @@ process_input(fd_set *readset)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -317,6 +334,7 @@ process_input(struct ssh *ssh, fd_set *r
</span> } else {
/* Buffer any received data. */
packet_process_incoming(buf, len);
+ fdout_bytes += len;
}
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>- if (compat20)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -443,6 +458,7 @@ process_input(fd_set *readset)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- buffer_append(&stdout_buffer, buf, len);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fdout_bytes += len;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("FD out now: %ld", fdout_bytes);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Read and buffer any available stderr data from the program. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -510,7 +526,7 @@ process_output(fd_set *writeset)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -330,7 +348,7 @@ process_output(fd_set *writeset, int con
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span> /* Send any buffered packet data to the client. */
if (FD_ISSET(connection_out, writeset))
- packet_write_poll();
+ stdin_bytes += packet_write_poll();
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -824,11 +840,13 @@ void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- server_loop2(Authctxt *authctxt)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -365,11 +383,13 @@ void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ server_loop2(struct ssh *ssh, Authctxt *authctxt)
</span> {
fd_set *readset = NULL, *writeset = NULL;
+ double start_time, total_time;
int max_fd;
<span style='display:block; white-space:pre;background:#ffe0e0;'>- u_int nalloc = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ u_int nalloc = 0, connection_in, connection_out;
</span> u_int64_t rekey_timeout_ms = 0;
debug("Entering interactive session for SSH2.");
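Review bot: `stdin_bytes += packet_write_poll();` only compiles if `packet_write_poll()` returns the number of bytes written; nothing in this file gives it a return value, so the hunk depends on the packet.c part of the HPN patch set changing that return type, which is not in this region of the rebased patch. Worth a cross-check that the packet.c hunk survived the 7.6p1 rebase with the same return type, since the failure mode is a build break rather than a counter that reads zero. Likewise `double start_time, total_time;` is used further down in `total_time = get_current_time() - start_time;`, but the assignment of `start_time` falls in the elided context between the two outer hunks; confirm it is still there.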
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1814,10 +1761,10 @@
</span>
mysignal(SIGCHLD, sigchld_handler);
child_terminated = 0;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -887,6 +905,11 @@ server_loop2(Authctxt *authctxt)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -426,6 +446,11 @@ server_loop2(struct ssh *ssh, Authctxt *
</span>
/* free remaining sessions, e.g. remove wtmp entries */
<span style='display:block; white-space:pre;background:#ffe0e0;'>- session_destroy_all(NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ session_destroy_all(ssh, NULL);
</span> + total_time = get_current_time() - start_time;
+ logit("SSH: Server;LType: Throughput;Remote: %s-%d;IN: %lu;OUT: %lu;Duration: %.1f;tPut_in: %.1f;tPut_out: %.1f",
+ ssh_remote_ipaddr(active_state), ssh_remote_port(active_state),
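Review bot: `ssh_remote_ipaddr(active_state), ssh_remote_port(active_state)` in the throughput logit should take `ssh`, which server_loop2 now receives as its first parameter; the rebased `session_destroy_all(ssh, NULL)` two lines above already uses it. Mixing the explicit handle and the `active_state` global inside one function is what breaks quietly once upstream finishes removing the global, and the sshd.c hunk later in this patch already does it the right way with `ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)`.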
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1826,58 +1773,48 @@
</span> }
static int
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1045,8 +1068,12 @@ server_request_tun(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sock = tun_open(tun, mode);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -545,7 +570,8 @@ server_request_tun(struct ssh *ssh)
</span> if (sock < 0)
goto done;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.hpn_disabled)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPEN, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
</span> c->datagram = 1;
#if defined(SSH_TUN_FILTER)
if (mode == SSH_TUNMODE_POINTOPOINT)
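Review bot: collapsing the duplicated channel_new() calls into one call whose window argument is `options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size` is a clear improvement over the removed form, where the unpatched call sat under `+ if (options.hpn_disabled)` as the if-branch and the HPN call under `+ else`, which was easy to misread as the patch having removed the default path. The session_set_fds hunk below applies the same pattern. One thing to confirm: `options.hpn_buffer_size` now flows straight into the channel's initial window with no check here, so the range check must live where the HPN buffer-size option is parsed; if that parser accepts zero or negative values, a misconfigured server hands every tun channel a zero-byte window.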
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1082,6 +1109,8 @@ server_request_session(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c = channel_new("session", SSH_CHANNEL_LARVAL,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -581,6 +607,8 @@ server_request_session(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c = channel_new(ssh, "session", SSH_CHANNEL_LARVAL,
</span> -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
0, "server-session", 1);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((options.tcp_rcv_buf_poll) && (!options.hpn_disabled))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.tcp_rcv_buf_poll && !options.hpn_disabled)
</span> + c->dynamic_window = 1;
if (session_open(the_authctxt, c->self) != 1) {
debug("session open failed, free channel %d", c->self);
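Review bot: the server-side condition `options.tcp_rcv_buf_poll && !options.hpn_disabled` here and the client-side condition `options.tcp_rcv_buf_poll > 0 && !options.hpn_disabled` in the ssh_session2_open hunk of ssh.c further down test the same option in two different forms. They agree only while tcp_rcv_buf_poll cannot go negative; pick one form for both sides so the next rebase does not have to reason about that. Dropping the redundant parentheses the old patch carried is fine.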
<span style='display:block; white-space:pre;background:#ffe0e0;'>- channel_free(c);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/session.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/session.c 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -222,6 +222,7 @@ auth_input_request_forwarding(struct pas
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ channel_free(ssh, c);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/session.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/session.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -223,6 +223,7 @@ auth_input_request_forwarding(struct ssh
</span> goto authsock_err;
/* Allocate a channel for the authentication agent socket. */
+ /* this shouldn't matter if its hpn or not - cjr */
<span style='display:block; white-space:pre;background:#ffe0e0;'>- nc = channel_new("auth socket",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ nc = channel_new(ssh, "auth socket",
</span> SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1,
CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
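Review bot: this session.c hunk adds only the comment `/* this shouldn't matter if its hpn or not - cjr */` and changes no code. Either drop it from the rebased patch or turn it into a statement of fact (the agent socket channel keeps the default window whether or not HPN is enabled) without the author tag and the "its" typo. A comment-only hunk also makes the whole patch fail to apply, for no functional gain, whenever upstream touches that channel_new() call again.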
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2361,10 +2362,16 @@ session_set_fds(Session *s, int fdin, in
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (s->chanid == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fatal("no channel for session %d", s->self);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.hpn_disabled)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- channel_set_fds(s->chanid,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2111,7 +2112,8 @@ session_set_fds(struct ssh *ssh, Session
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ channel_set_fds(ssh, s->chanid,
</span> fdout, fdin, fderr,
ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
<span style='display:block; white-space:pre;background:#ffe0e0;'>- 1, is_tty, CHAN_SES_WINDOW_DEFAULT);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ channel_set_fds(s->chanid,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fdout, fdin, fderr,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ 1, is_tty, options.hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- 1, is_tty, CHAN_SES_WINDOW_DEFAULT);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ 1, is_tty,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.hpn_disabled ? CHAN_SES_WINDOW_DEFAULT : options.hpn_buffer_size);
</span> }
/*
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sftp.1 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sftp.1 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -266,7 +266,8 @@ diagnostic messages from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sftp.1 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sftp.1 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -258,7 +258,8 @@ diagnostic messages from
</span> Specify how many requests may be outstanding at any one time.
Increasing this may slightly improve file transfer speed
but will increase memory usage.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1887,9 +1824,9 @@
</span> .It Fl r
Recursively copy entire directories when uploading and downloading.
Note that
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sftp.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sftp.c 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -73,7 +73,7 @@ typedef void EditLine;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sftp.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sftp.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -72,7 +72,7 @@ typedef void EditLine;
</span> #include "sftp-client.h"
#define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1898,9 +1835,9 @@
</span>
/* File to read commands from */
FILE* infile;
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh.c 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -910,6 +910,10 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -899,6 +899,10 @@ main(int ac, char **av)
</span> break;
case 'T':
options.request_tty = REQUEST_TTY_NO;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1911,7 +1848,7 @@
</span> break;
case 'o':
line = xstrdup(optarg);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1502,6 +1506,8 @@ control_persist_detach(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1524,6 +1528,8 @@ control_persist_detach(void)
</span> setproctitle("%s [mux]", options.control_path);
}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1920,7 +1857,7 @@
</span> /* Do fork() after authentication. Used by "ssh -f" */
static void
fork_postauth(void)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1895,6 +1901,78 @@ ssh_session2_setup(int id, int success,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1750,6 +1756,78 @@ ssh_session2_setup(struct ssh *ssh, int
</span> NULL, fileno(stdin), &command, environ);
}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1998,8 +1935,8 @@
</span> +
/* open new channel for a session */
static int
<span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_session2_open(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1921,9 +1999,11 @@ ssh_session2_open(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_session2_open(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1776,9 +1854,11 @@ ssh_session2_open(struct ssh *ssh)
</span> if (!isatty(err))
set_nonblock(err);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2012,18 +1949,18 @@
</span> window >>= 1;
packetmax >>= 1;
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1932,6 +2012,10 @@ ssh_session2_open(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1787,6 +1867,10 @@ ssh_session2_open(struct ssh *ssh)
</span> window, packetmax, CHAN_EXTENDED_WRITE,
"client-session", /*nonblock*/0);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((options.tcp_rcv_buf_poll > 0) && (!options.hpn_disabled)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.tcp_rcv_buf_poll > 0 && !options.hpn_disabled) {
</span> + c->dynamic_window = 1;
+ debug("Enabled Dynamic Window Scaling");
+ }
<span style='display:block; white-space:pre;background:#ffe0e0;'>- debug3("ssh_session2_open: channel_new: %d", c->self);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug3("%s: channel_new: %d", __func__, c->self);
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>- channel_send_open(c->self);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1947,6 +2031,13 @@ ssh_session2(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ channel_send_open(ssh, c->self);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1802,6 +1886,13 @@ ssh_session2(struct ssh *ssh)
</span> {
int id = -1;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2036,9 +1973,9 @@
</span> +
/* XXX should be pre-session */
if (!options.control_persist)
<span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_init_stdio_forwarding();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshbuf.h 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshbuf.h 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_init_stdio_forwarding(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshbuf.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshbuf.h 2017-10-07 06:27:39.000000000 +0200
</span> @@ -28,7 +28,7 @@
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2048,9 +1985,9 @@
</span> #define SSHBUF_REFS_MAX 0x100000 /* Max child buffers */
#define SSHBUF_MAX_BIGNUM (16384 / 8) /* Max bignum *bytes* */
#define SSHBUF_MAX_ECPOINT ((528 * 2 / 8) + 1) /* Max EC point *bytes* */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshconnect.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshconnect.c 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -268,6 +268,31 @@ ssh_kill_proxy_command(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshconnect.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshconnect.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -271,6 +271,30 @@ ssh_kill_proxy_command(void)
</span> }
/*
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2069,20 +2006,19 @@
</span> +
+ debug("setsockopt Attempting to set SO_RCVBUF to %d", options.tcp_rcv_buf);
+ if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, buf, sz) >= 0) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("setsockopt SO_RCVBUF: %.100s %d", strerror(errno), socksize);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("setsockopt SO_RCVBUF: %.100s %d", strerror(errno), socksize);
</span> + }
+ else
+ error("Couldn't set socket receive buffer to %d: %.100s",
+ options.tcp_rcv_buf, strerror(errno));
+}
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span> +/*
* Creates a (possibly privileged) socket for use as the ssh connection.
*/
static int
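Review bot: on the success branch, `debug("setsockopt SO_RCVBUF: %.100s %d", strerror(errno), socksize);` prints strerror(errno) right after setsockopt() returned >= 0, so errno is stale and the message reports whatever the last failed call left behind. Drop the strerror there, or better, check the return value of the `getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen)` call immediately above it, which is currently ignored, and report errno only if that fails; otherwise `socksize` can be logged uninitialised. Re-indenting those two lines to match the surrounding block and removing the stray blank line before `/*` are fine; the setsockopt() error path already reports `options.tcp_rcv_buf` and strerror(errno) correctly.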
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -283,6 +308,9 @@ ssh_create_socket(int privileged, struct
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -286,6 +310,9 @@ ssh_create_socket(int privileged, struct
</span> }
fcntl(sock, F_SETFD, FD_CLOEXEC);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2092,21 +2028,17 @@
</span> /* Bind the socket to an alternative local IP address */
if (options.bind_address == NULL && !privileged)
return sock;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -527,10 +555,10 @@ send_client_banner(int connection_out, i
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -517,7 +544,7 @@ send_client_banner(int connection_out, i
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span> /* Send our own protocol version identification. */
<span style='display:block; white-space:pre;background:#ffe0e0;'>- if (compat20) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ PROTOCOL_MAJOR_1, minor1, SSH_RELEASE);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
</span> if (atomicio(vwrite, connection_out, client_version_string,
strlen(client_version_string)) != strlen(client_version_string))
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshconnect2.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshconnect2.c 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal("write: %.100s", strerror(errno));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshconnect2.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshconnect2.c 2017-10-07 06:27:39.000000000 +0200
</span> @@ -83,6 +83,13 @@ extern char *server_version_string;
extern Options options;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2139,10 +2071,11 @@
</span> xxx_host = host;
xxx_hostaddr = hostaddr;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -404,6 +415,44 @@ ssh_userauth2(const char *local_user, co
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- pubkey_cleanup(&authctxt);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_dispatch_range(ssh, SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -409,6 +420,47 @@ ssh_userauth2(const char *local_user, co
</span>
<span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!authctxt.success)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal("Authentication failed.");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> + /*
+ * If the user wants to use the none cipher, do it post authentication
+ * and only if the right conditions are met -- both of the NONE commands
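Review bot: the rebased hunk now inserts the NONE-cipher and multithreaded-CTR switch after `if (!authctxt.success)` / `fatal("Authentication failed.");`, which are its new leading context, whereas the old hunk anchored on `pubkey_cleanup(&authctxt);` / `ssh_dispatch_range(ssh, ...)` and so ran the block before that check. The new position is the correct one and should be kept on future rebases: the block's own comment says the cipher switch must happen post authentication, and with the old anchoring it executed on a session that was about to fatal() for failed authentication. The line counts agree with that reading: the new hunk is three lines longer than the old one, which is exactly the added blank line, the `if (options.disable_multithreaded == 0) {` guard and its closing brace.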
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2165,47 +2098,49 @@
</span> + }
+
+#ifdef WITH_OPENSSL
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* if we are using aes-ctr there can be issues in either a fork or sandbox
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * so the initial aes-ctr is defined to point to the original single process
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * evp. After authentication we'll be past the fork and the sandboxed privsep
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * so we repoint the define to the multithreaded evp. To start the threads we
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * then force a rekey
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct sshcipher_ctx *ccsend = ssh_packet_get_send_context(active_state);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.disable_multithreaded == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* if we are using aes-ctr there can be issues in either a fork or sandbox
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * so the initial aes-ctr is defined to point to the original single process
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * evp. After authentication we'll be past the fork and the sandboxed privsep
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * so we repoint the define to the multithreaded evp. To start the threads we
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * then force a rekey
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const void *cc = ssh_packet_get_send_context(active_state);
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* only do this for the ctr cipher. otherwise gcm mode breaks. Don't know why though */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (strstr(cipher_return_name(ccsend->cipher), "ctr")) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Single to Multithread CTR cipher swap - client request");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ cipher_reset_multithreaded();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_request_rekeying();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* only do this for the ctr cipher. otherwise gcm mode breaks. Don't know why though */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (strstr(cipher_ctx_name(cc), "ctr")) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Single to Multithread CTR cipher swap - client request");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cipher_reset_multithreaded();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_request_rekeying();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span> + }
+#endif
+
debug("Authentication succeeded (%s).", authctxt.method->name);
}
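Review bot: `ssh_packet_get_send_context(active_state)` should be `ssh_packet_get_send_context(ssh)`; `ssh` is in scope in ssh_userauth2, as the old context line `ssh_dispatch_range(ssh, ...)` shows, and the rest of this rebase moves to the explicit handle. Replacing `ccsend->cipher` with the `cipher_ctx_name(cc)` accessor on an opaque pointer is the right move, since the old form dereferenced the context directly. Two further points: the new `options.disable_multithreaded == 0` gate is good, but the comment "otherwise gcm mode breaks. Don't know why though" documents an unexplained failure in an AEAD mode and should at least reference the HPN issue tracking it, and `strstr(cipher_ctx_name(cc), "ctr")` is a substring test that matches any cipher name containing "ctr" rather than the specific CTR modes the swap was written for. The sshd.c main() hunk at the end of this patch wraps the same block; check it for the same handle substitution.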
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd.c 2016-09-29 10:22:25.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd.c 2016-09-29 10:24:06.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -432,7 +432,7 @@ sshd_exchange_identification(struct ssh
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd.c 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -367,7 +367,7 @@ sshd_exchange_identification(struct ssh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char remote_version[256]; /* Must be at least as big as buf. */
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- major, minor, SSH_VERSION,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ major, minor, SSH_RELEASE,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
</span> *options.version_addendum == '\0' ? "" : " ",
<span style='display:block; white-space:pre;background:#ffe0e0;'>- options.version_addendum, newline);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options.version_addendum);
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -487,6 +487,9 @@ sshd_exchange_identification(struct ssh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -422,6 +422,9 @@ sshd_exchange_identification(struct ssh
</span> }
debug("Client protocol version %d.%d; client software version %.100s",
remote_major, remote_minor, remote_version);
+ logit("SSH: Server;Ltype: Version;Remote: %s-%d;Protocol: %d.%d;Client: %.100s",
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
</span> + remote_major, remote_minor, remote_version);
ssh->compat = compat_datafellows(remote_version);
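Review bot: the added `logit("SSH: Server;Ltype: Version;Remote: %s-%d;Protocol: %d.%d;Client: %.100s", ...)` re-emits, at the default log level and for every incoming connection before authentication, exactly the fields the `debug("Client protocol version ...")` two lines above already records, with the client-supplied version string in it; on a public sshd that is one syslog line per connection attempt. Gate it on the HPN option that enables the throughput logging, or on the log level, rather than emitting it unconditionally. Also note the key is spelled "Ltype" here but "LType" in the serverloop.c throughput logit earlier in this patch; anyone parsing these records will trip over that. The `%.100s` cap and the re-indented `ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)` line are fine.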
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1184,6 +1187,8 @@ server_listen(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1026,6 +1029,8 @@ server_listen(void)
</span> int ret, listen_sock, on = 1;
struct addrinfo *ai;
char ntop[NI_MAXHOST], strport[NI_MAXSERV];
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2214,7 +2149,7 @@
</span>
for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1224,6 +1229,11 @@ server_listen(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1071,6 +1076,11 @@ server_listen(void)
</span>
debug("Bind to port %s on %s.", strport, ntop);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2226,7 +2161,7 @@
</span> /* Bind the socket to the desired port. */
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
error("Bind to port %s on %s failed: %.200s.",
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1765,6 +1775,13 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1595,6 +1605,13 @@ main(int ac, char **av)
</span> /* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2240,7 +2175,7 @@
</span> /* challenge-response is implemented via keyboard interactive */
if (options.challenge_response_authentication)
options.kbd_interactive_authentication = 1;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2214,6 +2231,9 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1994,6 +2011,9 @@ main(int ac, char **av)
</span> remote_ip, remote_port, laddr, ssh_local_port(ssh));
free(laddr);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2250,32 +2185,34 @@
</span> /*
* We don't want to listen forever unless the other side
* successfully authenticates itself. So we set up an alarm which is
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2328,6 +2348,24 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- notify_hostkeys(active_state);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2093,6 +2113,26 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ notify_hostkeys(ssh);
</span>
/* Start session. */
+
+#ifdef WITH_OPENSSL
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* if we are using aes-ctr there can be issues in either a fork or sandbox
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * so the initial aes-ctr is defined to point ot the original single process
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * evp. After authentication we'll be past the fork and the sandboxed privsep
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * so we repoint the define to the multithreaded evp. To start the threads we
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * then force a rekey
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct sshcipher_ctx *ccsend = ssh_packet_get_send_context(active_state);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.disable_multithreaded == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* if we are using aes-ctr there can be issues in either a fork or sandbox
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * so the initial aes-ctr is defined to point ot the original single process
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * evp. After authentication we'll be past the fork and the sandboxed privsep
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * so we repoint the define to the multithreaded evp. To start the threads we
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * then force a rekey
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const void *cc = ssh_packet_get_send_context(active_state);
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* only rekey if necessary. If we don't do this gcm mode cipher breaks */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (strstr(cipher_return_name(ccsend->cipher), "ctr")) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Single to Multithreaded CTR cipher swap - server request");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ cipher_reset_multithreaded();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_request_rekeying();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* only rekey if necessary. If we don't do this gcm mode cipher breaks */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (strstr(cipher_ctx_name(cc), "ctr")) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Single to Multithreaded CTR cipher swap - server request");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cipher_reset_multithreaded();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_request_rekeying();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span> + }
+#endif
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>- do_authenticated(authctxt);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ do_authenticated(ssh, authctxt);
</span>
/* The connection has been terminated. */
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2613,6 +2651,9 @@ do_ssh2_kex(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2156,6 +2196,9 @@ do_ssh2_kex(void)
</span> struct kex *kex;
int r;
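Review bot: `ssh_packet_get_send_context(active_state)` still passes the `active_state` global, while the same hunk moves the neighbouring calls to the `ssh` parameter (`notify_hostkeys(ssh)`, `do_authenticated(ssh, authctxt)`); using `ssh_packet_get_send_context(ssh)` guarantees the cipher context inspected and the session that `packet_request_rekeying()` rekeys belong to the same connection object. Typing the result as `const void *cc` also drops the check the replaced `struct sshcipher_ctx *ccsend` line had; declaring it `const struct sshcipher_ctx *` still compiles if the accessor returns `const void *` and lets the compiler verify what `cipher_ctx_name()` is handed, and a NULL guard before `strstr()` would avoid a crash if no send cipher is installed yet. The new `options.disable_multithreaded == 0` gate is the right place to let administrators keep the single-threaded CTR path and skip the forced post-auth rekey; the added `++ }` closes the inner `if (strstr(...))` and the context ` + }` now closes the outer `if`, which matches the +2 line count in the new `@@ -2093,6 +2113,26 @@` header. The inherited comment typo "point ot the original" could be fixed while the block is being rebased anyway.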
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2285,9 +2222,9 @@
</span> myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
options.kex_algorithms);
myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd_config 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd_config 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -124,6 +124,20 @@ AuthorizedKeysFile .ssh/authorized_keys
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd_config 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd_config 2017-10-07 06:27:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -110,6 +110,19 @@ AuthorizedKeysFile .ssh/authorized_keys
</span> # override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2301,19 +2238,18 @@
</span> +# buffer size for hpn to non-hpn connections
+#HPNBufferSize 2048
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span> +# allow the use of the none cipher
+#NoneEnabled no
+
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/version.h 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/version.h 2016-09-29 10:22:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/version.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/version.h 2017-10-07 06:27:39.000000000 +0200
</span> @@ -3,4 +3,5 @@
<span style='display:block; white-space:pre;background:#ffe0e0;'>- #define SSH_VERSION "OpenSSH_7.3"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define SSH_VERSION "OpenSSH_7.6"
</span>
#define SSH_PORTABLE "p1"
-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define SSH_HPN "-hpn14v11"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define SSH_HPN "-hpn14v12"
</span> +#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/pam.patch b/net/openssh/files/pam.patch
</span><span style='display:block; white-space:pre;color:#808080;'>index 49a25da..8669671 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/files/pam.patch
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/files/pam.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1,6 +1,6 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/servconf.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/servconf.c 2016-09-29 06:57:25.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -199,7 +199,7 @@ fill_default_server_options(ServerOption
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/servconf.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/servconf.c 2017-10-07 04:34:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -195,7 +195,7 @@ fill_default_server_options(ServerOption
</span>
/* Portable-specific options */
if (options->use_pam == -1)
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -8,4 +8,4 @@
</span> + options->use_pam = 1;
/* Standard Options */
<span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options->protocol == SSH_PROTO_UNKNOWN)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options->num_host_key_files == 0) {
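Review bot: the only change here is the trailing context line moving from `options->protocol == SSH_PROTO_UNKNOWN` to `options->num_host_key_files == 0) {`, i.e. a plain rebase onto 7.6; the patch's effect is unchanged, which is that `use_pam` is forced to 1 (UsePAM yes) whenever `sshd_config` leaves it unset (`use_pam == -1`). Since that is a deliberate deviation from the upstream default, it is worth a one-line comment inside `pam.patch` itself saying why the port wants it, so the next rebase does not drop it as an accident.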
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/patch-sandbox-darwin.c-apple-sandbox-named-external.diff b/net/openssh/files/patch-sandbox-darwin.c-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;color:#808080;'>index 9a87ccb..cf2b56a 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/files/patch-sandbox-darwin.c-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/files/patch-sandbox-darwin.c-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1,6 +1,6 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sandbox-darwin.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sandbox-darwin.c 2016-09-29 06:57:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -62,8 +62,16 @@ ssh_sandbox_child(struct ssh_sandbox *bo
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sandbox-darwin.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sandbox-darwin.c 2017-10-07 04:34:48.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -63,8 +63,16 @@ ssh_sandbox_child(struct ssh_sandbox *bo
</span> struct rlimit rl_zero;
debug3("%s: starting Darwin sandbox", __func__);
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/patch-sshd.c-apple-sandbox-named-external.diff b/net/openssh/files/patch-sshd.c-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;color:#808080;'>index d41db49..4b90f65 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/files/patch-sshd.c-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/files/patch-sshd.c-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1,6 +1,6 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd.c 2016-07-28 00:54:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd.c 2016-09-29 06:57:45.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -719,10 +719,17 @@ privsep_preauth(Authctxt *authctxt)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd.c 2017-10-07 04:35:20.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -617,10 +617,17 @@ privsep_preauth(Authctxt *authctxt)
</span> /* Arrange for logging to be sent to the monitor */
set_log_handler(mm_log_handler, pmonitor);
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/quilt.env b/net/openssh/files/quilt.env
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..a4f2494
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/files/quilt.env
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,6 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Maintainer helper for working with quilt.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If needed, adjust to your needs.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+export QUILT_PATCHES=/opt/macports/net/openssh/files/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+export QUILT_DIFF_ARGS='--no-index -pab --color=auto'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+export QUILT_DIFF_OPTS='-p'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+export QUILT_REFRESH_ARGS='-p ab --no-index'
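Review bot: `QUILT_PATCHES=/opt/macports/net/openssh/files/` hard-codes one maintainer's checkout location, so on any other machine the helper points quilt at a directory that does not exist; the comment says to adjust it, but deriving the path from the file's own location (`$(dirname "${BASH_SOURCE[0]}")` under bash) would make `quilt.env` usable as-is. The file also does not set `QUILT_SERIES`, so quilt will only ever read `series`; a short usage note at the top (source the file from the port directory, set `QUILT_SERIES=series-hpn` or `series-gsskex` for the variant, then `quilt push -a`) would document how the three `series*` files are meant to be consumed.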
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/series b/net/openssh/files/series
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..e9540ff
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/files/series
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,6 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+launchd.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+pam.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+patch-sandbox-darwin.c-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+patch-sshd.c-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+0002-Apple-keychain-integration-other-changes.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+openssh-7.6p1-gsskex-all-20141021-mp-20171008.patch
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/series-gsskex b/net/openssh/files/series-gsskex
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..e9540ff
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/files/series-gsskex
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,6 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+launchd.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+pam.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+patch-sandbox-darwin.c-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+patch-sshd.c-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+0002-Apple-keychain-integration-other-changes.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+openssh-7.6p1-gsskex-all-20141021-mp-20171008.patch
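Review bot: `series-gsskex` is byte-for-byte identical to `series` above (both are blob `e9540ff`), so the two will drift apart the first time one of them is edited; keep a single file, or make the default `series` the non-gsskex stack and have `series-gsskex` differ only by the gsskex patch it is named for. As it stands the default patch stack already enables GSSAPI key exchange, which is worth stating explicitly since it changes the set of key-exchange methods the server offers.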
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/series-hpn b/net/openssh/files/series-hpn
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..4c94a6c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/files/series-hpn
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,5 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+launchd.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+pam.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+patch-sandbox-darwin.c-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+patch-sshd.c-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+openssh-7.6p1-hpnssh14v13.diff
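Review bot: `series-hpn` omits `0002-Apple-keychain-integration-other-changes.patch` and the gsskex patch that `series` carries, so the HPN build is a different feature set (no keychain integration, no GSSAPI key exchange) rather than the default stack plus HPN; if that is deliberate it should be stated next to the variant, and if not, the missing patches need to be queued and the HPN diff rebased on top of them. Note also that the HPN patch rebased above is the one that adds the `NoneEnabled` knob to `sshd_config`; it ships disabled, but the variant description should say that the none cipher becomes available at all so administrators know to audit that setting.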
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/ssh-copy-id/Portfile b/net/ssh-copy-id/Portfile
</span>deleted file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index fcd4147..0000000
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/ssh-copy-id/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1,45 +0,0 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-PortSystem 1.0
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-name ssh-copy-id
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-version 7.5p1
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-revision 1
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-categories net
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-platforms darwin freebsd
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-supported_archs noarch
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-license BSD
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-maintainers {l2dy @l2dy} openmaintainer
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-description Shell script to install your public key(s) on a remote machine
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-long_description ${description}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-homepage https://www.openssh.com/
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-master_sites openbsd:OpenSSH/portable
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-distname openssh-${version}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-dist_subdir openssh
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-checksums rmd160 c1b176a1fe92495d056edda0c5db54efcfb8764a \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sha256 9846e3c5fab9f0547400b4d2c017992f914222b3fd1f8eee6c7dc6bc5e59f9f0
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-use_configure no
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-build {}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-destroot {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- xinstall -m 755 ${worksrcpath}/contrib/ssh-copy-id ${destroot}${prefix}/bin
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- xinstall -m 644 ${worksrcpath}/contrib/ssh-copy-id.1 ${destroot}${prefix}/share/man/man1
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-pre-activate {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if {![catch {set installed [lindex [registry_active openssh] 0]}]} {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- set _version [lindex $installed 1]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- set _revision [lindex $installed 2]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if {[vercmp $_version 7.3p1] < 0 || ([vercmp $_version 7.3p1] == 0 && $_revision < 1)} {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # openssh @7.3p1 and earlier used to install some files now provided by ssh-copy-id
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- registry_deactivate_composite openssh "" [list ports_nodepcheck 1]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-livecheck.type regex
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-livecheck.url https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-livecheck.regex openssh-(\[5-9\].\[0-9\]p\[0-9\])[quotemeta ${extract.suffix}]
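Review bot: deleting the Portfile outright also drops the `pre-activate` block that deactivated an active `openssh` older than 7.3p1_1 before `ssh-copy-id` was activated, because those older builds installed some of the files this port provides; make sure the replacement subport (not visible in this hunk) either keeps an equivalent check or that the conflict is handled on the `openssh` side, otherwise users upgrading from such a version will hit an activation conflict. Please also confirm the subport keeps the port name `ssh-copy-id` so `port upgrade` finds a successor for existing installs; if the name changes, the usual MacPorts approach is a stub Portfile with `replaced_by` rather than a deletion.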
</span></pre><pre style='margin:0'>
</pre>