<pre style='margin:0'>
Mihai Moldovan (Ionic) pushed a commit to branch master
in repository macports-ports.
</pre>
<p><a href="https://github.com/macports/macports-ports/commit/715635bdfb881e287a52e23b298e379a4e9c03ac">https://github.com/macports/macports-ports/commit/715635bdfb881e287a52e23b298e379a4e9c03ac</a></p>
<pre style="white-space: pre; background: #F8F8F8">The following commit(s) were added to refs/heads/master by this push:
<span style='display:block; white-space:pre;color:#404040;'> new 715635b net/{openssh,ssh-copy-id}: update to 8.1p1.
</span>715635b is described below
<span style='display:block; white-space:pre;color:#808000;'>commit 715635bdfb881e287a52e23b298e379a4e9c03ac
</span>Author: Mihai Moldovan <ionic@ionic.de>
AuthorDate: Wed Oct 16 13:05:37 2019 +0200
<span style='display:block; white-space:pre;color:#404040;'> net/{openssh,ssh-copy-id}: update to 8.1p1.
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> Fixes: https://trac.macports.org/ticket/56331
</span><span style='display:block; white-space:pre;color:#404040;'> Fixes: https://trac.macports.org/ticket/57025
</span><span style='display:block; white-space:pre;color:#404040;'> Fixes: https://trac.macports.org/ticket/58047
</span><span style='display:block; white-space:pre;color:#404040;'> Fixes: https://trac.macports.org/ticket/59009
</span><span style='display:block; white-space:pre;color:#404040;'> Fixes: https://trac.macports.org/ticket/59016
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> Changes:
</span><span style='display:block; white-space:pre;color:#404040;'> - Rebase patches.
</span><span style='display:block; white-space:pre;color:#404040;'> - Update to newer HPN patchset version. Based upon the 8.0p1 version
</span><span style='display:block; white-space:pre;color:#404040;'> 14.18 patch. Add a rebased OpenSSL-1.1-compat patch.
</span><span style='display:block; white-space:pre;color:#404040;'> - Switch to new ObjC-based Keychain integration as provided by Apple.
</span><span style='display:block; white-space:pre;color:#404040;'> Might fail on older platforms. If it does, we will need to bring
</span><span style='display:block; white-space:pre;color:#404040;'> back the old C-based implementation as an alternative for these.
</span><span style='display:block; white-space:pre;color:#404040;'> - Made the keychain integration and launchd startup patch a default
</span><span style='display:block; white-space:pre;color:#404040;'> one based upon request (and to be consistent with Apple's shipped
</span><span style='display:block; white-space:pre;color:#404040;'> OpenSSH version).
</span><span style='display:block; white-space:pre;color:#404040;'> - Portfile cleanup, don't define compile constants from outside - have
</span><span style='display:block; white-space:pre;color:#404040;'> autotools do that correctly.
</span><span style='display:block; white-space:pre;color:#404040;'> - Clarify where some of the patches come from - and especially for the
</span><span style='display:block; white-space:pre;color:#404040;'> gsskex patch that it is NOT a single patch taken from one location
</span><span style='display:block; white-space:pre;color:#404040;'> and rebased against the current OpenSSH version.
</span><span style='display:block; white-space:pre;color:#404040;'> - Renamed (now used) -m/-M options to -A/-K for the keychain
</span><span style='display:block; white-space:pre;color:#404040;'> integration.
</span>---
net/openssh/Portfile | 68 +-
...-Apple-keychain-integration-other-changes.patch | 2545 +++++----------
net/openssh/files/gssapi.patch | 3353 --------------------
net/openssh/files/launchd.patch | 22 +-
net/openssh/files/openssh-7.9p1-hpnssh14v15.diff | 1310 --------
...sh-8.1p1-gsskex-all-20141021-mp-20191015.patch} | 2091 +++++++-----
.../openssh-8.1p1-hpnssh14v18-openssl-1.1.diff | 77 +
net/openssh/files/openssh-8.1p1-hpnssh14v18.diff | 2458 ++++++++++++++
net/openssh/files/pam.patch | 6 +-
...dbox-darwin.c-apple-sandbox-named-external.diff | 4 +-
.../patch-sshd.c-apple-sandbox-named-external.diff | 8 +-
net/openssh/files/series | 2 +-
net/openssh/files/series-gsskex | 2 +-
net/openssh/files/series-hpn | 4 +-
14 files changed, 4660 insertions(+), 7290 deletions(-)
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/Portfile b/net/openssh/Portfile
</span><span style='display:block; white-space:pre;color:#808080;'>index 148683f..7cd372b 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3,7 +3,8 @@
</span> PortSystem 1.0
name openssh
<span style='display:block; white-space:pre;background:#ffe0e0;'>-version 7.9p1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+version 8.1p1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+revision 0
</span> categories net
platforms darwin
maintainers nomaintainer
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -26,17 +27,15 @@ long_description OpenSSH is a FREE version of the SSH protocol suite of \
</span>
homepage http://www.openbsd.org/openssh/
<span style='display:block; white-space:pre;background:#ffe0e0;'>-checksums rmd160 236617fb9c04dcca12f9d56b5975efda4e798f53 \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sha256 6b4b3ba2253d84ed3771c8050728d597c91cfce898713beb7b64a305b6f11aad \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- size 1565384
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+checksums rmd160 0d9bcaa22b77a8e26fbe4804ea4ae017e45b1568 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sha256 02f5dbef3835d0753556f973cd57b4c19b6b1f6cd24c03445e23ac77ca1b93ff \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ size 1625894
</span>
master_sites openbsd:OpenSSH/portable \
ftp://ftp.cise.ufl.edu/pub/mirrors/openssh/portable/ \
http://openbsd.mirrors.pair.com/OpenSSH/portable
if {${name} eq ${subport}} {
<span style='display:block; white-space:pre;background:#ffe0e0;'>- revision 2
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span> depends_lib path:lib/libssl.dylib:openssl \
port:libedit \
port:ncurses \
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -48,7 +47,8 @@ if {${name} eq ${subport}} {
</span> patchfiles launchd.patch \
pam.patch \
patch-sandbox-darwin.c-apple-sandbox-named-external.diff \
<span style='display:block; white-space:pre;background:#ffe0e0;'>- patch-sshd.c-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ patch-sshd.c-apple-sandbox-named-external.diff \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 0002-Apple-keychain-integration-other-changes.patch \
</span>
# We need a couple of patches
# - pam.patch
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -60,6 +60,8 @@ if {${name} eq ${subport}} {
</span> # This requires a sandbox profile (which we provide) and the sandbox_init(3)
# call before the chroot(2) to privsep-path (${prefix}/var/empty), or it will
# fail to load the sandbox description and libsandbox.1.dylib.
<span style='display:block; white-space:pre;background:#e0ffe0;'>+ # - 0002-Apple-keychain-integration-other-changes.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Adds Apple Keychain integration and ssh-agent's launchd mode
</span>
post-patch {
# reinplace prefix in path to sandbox definition added by
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -67,13 +69,15 @@ if {${name} eq ${subport}} {
</span> reinplace "s|@PREFIX@|${prefix}|g" ${worksrcpath}/sandbox-darwin.c
}
<span style='display:block; white-space:pre;background:#e0ffe0;'>+ use_autoreconf yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span> # strnvis(3) isn't actually "broken". OpenBSD decided to be special and flip
# the order of arguments to strnvis and considers everyone else to be broken.
configure.cppflags-append -DBROKEN_STRNVIS=1
# Use Apple's sandboxing feature
<span style='display:block; white-space:pre;background:#ffe0e0;'>- configure.cppflags-append -D__APPLE_SANDBOX_NAMED_EXTERNAL__ \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- -D__APPLE_API_STRICT_CONFORMANCE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ configure.cppflags-append -D__APPLE_SANDBOX_NAMED_EXTERNAL__ \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -D__APPLE_API_STRICT_CONFORMANCE
</span> configure.ldflags-append -Wl,-search_paths_first
configure.args --with-ssl-dir=${prefix} \
--sysconfdir=${prefix}/etc/ssh \
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -87,7 +91,9 @@ if {${name} eq ${subport}} {
</span> --with-libedit \
--with-pie \
--without-xauth \
<span style='display:block; white-space:pre;background:#ffe0e0;'>- --without-ldns
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --without-ldns \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --with-audit=bsm \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --with-keychain=apple
</span>
use_parallel_build yes
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -119,6 +125,14 @@ if {${name} eq ${subport}} {
</span> }
}
<span style='display:block; white-space:pre;background:#e0ffe0;'>+ notes-append "
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Apple's keychain integration and launchd changes are now\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ included by default, not just with the gsskex variant.\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ The parameters were changed from -m/-M to -A/-K in\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ accordance with Apple's changes, because upstream started\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ using the former switches themselves recently."
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span> variant xauth description {Build with support for xauth} {
configure.args-replace --without-xauth \
--with-xauth=${prefix}/bin/xauth
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -126,41 +140,25 @@ if {${name} eq ${subport}} {
</span> }
variant hpn conflicts gsskex description {Apply high performance patch} {
<span style='display:block; white-space:pre;background:#ffe0e0;'>- # Old location(s):
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # http://www.psc.edu/index.php/hpn-ssh
</span> # Current location(s):
<span style='display:block; white-space:pre;background:#e0ffe0;'>+ # https://github.com/rapier1/openssh-portable/
</span> # http://www.freshports.org/security/openssh-portable/
# (is usually quick in updating the HPN patch for new versions,
# take a look there, too.)
<span style='display:block; white-space:pre;background:#ffe0e0;'>- # Source: FreeBSD /usr/ports/net/openssh-portable/files/extra-patch-hpn
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # FreeBSD uses patch option `-p2', so first path prefix was removed
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # from the original.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- use_autoreconf yes
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- patchfiles-append ${name}-${version}-hpnssh14v15.diff
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- configure.args-append --with-hpn --with-nonecipher
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Formerly taken directly from FreeBSD as a distfile, now copied over
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # from either upstream at or FreeBSD's ports directory and rebased.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set hpn_patchfile ${name}-${version}-hpnssh14v18
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ patchfiles-append ${hpn_patchfile}.diff \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${hpn_patchfile}-openssl-1.1.diff
</span> }
variant gsskex conflicts hpn requires kerberos5 description "Add OpenSSH GSSAPI key exchange patch" {
<span style='display:block; white-space:pre;background:#ffe0e0;'>- # Source: https://salsa.debian.org/ssh-team/openssh/blob/master/debian/patches/gssapi.patch
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # TODO: Update patch 0002-Apple-keychain-integration-other-changes.patch to use OpenSSL 1.1 APIs.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- use_autoreconf yes
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- patchfiles-append gssapi.patch
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- configure.cppflags-append \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- -F/System/Library/Frameworks/DirectoryService.framework \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- -F/System/Library/Frameworks/CoreFoundation.framework \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- -D_UTMPX_COMPAT \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- -D__APPLE_LAUNCHD__ \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- -D__APPLE_MEMBERSHIP__ \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- -D__APPLE_XSAN__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ patchfiles-append openssh-8.1p1-gsskex-all-20141021-mp-20191015.patch
</span> configure.ldflags-append \
<span style='display:block; white-space:pre;background:#ffe0e0;'>- -Wl,-pie \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- -framework CoreFoundation \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- -framework DirectoryService
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -Wl,-pie
</span> configure.cflags-append -fPIE
configure.args-append --with-4in6 \
<span style='display:block; white-space:pre;background:#ffe0e0;'>- --with-audit=bsm \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- --with-keychain=apple \
</span> --disable-utmp \
--disable-wtmp \
--with-privsep-user=_sshd
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -239,7 +237,7 @@ if {${name} eq ${subport}} {
</span> }
subport ssh-copy-id {
<span style='display:block; white-space:pre;background:#ffe0e0;'>- revision 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ revision 0
</span> platforms darwin freebsd
supported_archs noarch
maintainers {l2dy @l2dy} openmaintainer
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/0002-Apple-keychain-integration-other-changes.patch b/net/openssh/files/0002-Apple-keychain-integration-other-changes.patch
</span><span style='display:block; white-space:pre;color:#808080;'>index a2920ec..b53b789 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/files/0002-Apple-keychain-integration-other-changes.patch
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/files/0002-Apple-keychain-integration-other-changes.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1,352 +1,8 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/Makefile.in 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/Makefile.in 2017-10-08 09:09:59.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -59,6 +59,7 @@ SED=@SED@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ENT=@ENT@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- XAUTH_PATH=@XAUTH_PATH@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+KEYCHAIN_LDFLAGS=@KEYCHAIN_LDFLAGS@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- EXEEXT=@EXEEXT@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- MANFMT=@MANFMT@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -112,6 +113,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sandbox-solaris.o
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+KEYCHAINOBJS=keychain.o
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- MANTYPE = @MANTYPE@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -147,6 +150,7 @@ all: $(CONFIGFILES) $(MANPAGES) $(TARGET
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- $(LIBSSH_OBJS): Makefile.in config.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- $(SSHOBJS): Makefile.in config.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- $(SSHDOBJS): Makefile.in config.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+$(KEYCHAINOBJS): Makefile.in config.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .c.o:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- $(CC) $(CFLAGS) $(CPPFLAGS) -c $< -o $@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -160,8 +164,8 @@ libssh.a: $(LIBSSH_OBJS)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- $(AR) rv $@ $(LIBSSH_OBJS)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- $(RANLIB) $@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) $(KEYCHAINOBJS)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ $(LD) -o $@ $(SSHOBJS) $(KEYCHAINOBJS) $(LDFLAGS) $(KEYCHAIN_LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -169,11 +173,11 @@ sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(S
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o $(KEYCHAINOBJS)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ $(LD) -o $@ ssh-add.o $(KEYCHAINOBJS) $(LDFLAGS) $(KEYCHAIN_LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o $(KEYCHAINOBJS)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(KEYCHAINOBJS) $(LDFLAGS) $(KEYCHAIN_LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -325,7 +329,7 @@ install-files:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ $(INSTALL) -m 0711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/audit-bsm.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/audit-bsm.c 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -261,7 +261,12 @@ bsm_audit_record(int typ, char *string,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- pid_t pid = getpid();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- AuditInfoTermID tid = ssh_bsm_tid;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (the_authctxt != NULL && the_authctxt->valid) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (the_authctxt == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ error("BSM audit: audit record internal error (NULL ctxt)");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ abort();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (the_authctxt->valid) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- uid = the_authctxt->pw->pw_uid;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- gid = the_authctxt->pw->pw_gid;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/auth-pam.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth-pam.c 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -795,10 +795,11 @@ sshpam_query(void *ctx, char **name, cha
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- free(msg);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return (0);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- error("PAM: %s for %s%.100s from %.100s", msg,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ error("PAM: %s for %s%.100s from %.100s via %s", msg,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sshpam_authctxt->valid ? "" : "illegal user ",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sshpam_authctxt->user,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- auth_get_canonical_hostname(ssh, options.use_dns));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ auth_get_canonical_hostname(ssh, options.use_dns),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ get_local_ipaddr(ssh_packet_get_connection_in(ssh)));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* FALLTHROUGH */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- default:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- *num = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/auth.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth.c 2017-10-08 09:09:59.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -223,7 +223,7 @@ allowed_user(struct passwd * pw)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Get the user's group access list (primary and supplementary) */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (ga_init(pw) == 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- logit("User %.100s from %.100s not allowed because "
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- "not in any group", pw->pw_name, hostname);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/authfd.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/authfd.c 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -164,6 +164,29 @@ ssh_request_reply(int sock, struct sshbu
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Adds identities using passphrases stored in the keychain. This call is not
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * meant to be used by normal applications.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_add_from_keychain(int agent_fd)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Buffer msg;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int type;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_init(&msg);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_put_char(&msg, SSH_AGENTC_ADD_FROM_KEYCHAIN);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (ssh_request_reply(agent_fd, &msg, &msg) == 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_free(&msg);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ type = buffer_get_char(&msg);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_free(&msg);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return decode_reply(type);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * Closes the agent socket if it should be closed (depends on how it was
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * obtained). The argument must have been returned by
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * ssh_get_authentication_socket().
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/authfd.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/authfd.h 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -42,6 +42,9 @@ int ssh_agent_sign(int sock, const struc
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- u_char **sigp, size_t *lenp,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- const u_char *data, size_t datalen, const char *alg, u_int compat);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_add_from_keychain(int agent_fd);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Messages for the authentication agent connection. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define SSH_AGENTC_REQUEST_RSA_IDENTITIES 1
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define SSH_AGENT_RSA_IDENTITIES_ANSWER 2
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -75,6 +78,9 @@ int ssh_agent_sign(int sock, const struc
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define SSH2_AGENTC_ADD_ID_CONSTRAINED 25
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* keychain */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define SSH_AGENTC_ADD_FROM_KEYCHAIN 27
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define SSH_AGENT_CONSTRAIN_LIFETIME 1
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define SSH_AGENT_CONSTRAIN_CONFIRM 2
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/config.h.in 2017-10-03 18:06:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/config.h.in 2017-10-08 09:09:59.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -78,6 +78,18 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* strnvis detected broken */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #undef BROKEN_STRNVIS
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* platform uses an in-memory credentials cache */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#undef USE_CCAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* platform has a Security Authorization Session API */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#undef USE_SECURITY_SESSION_API
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* Define to 1 if you have the `copyfile' function. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#undef HAVE_COPYFILE
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* Define to 1 if you have the <copyfile.h> header file. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#undef HAVE_COPYFILE_H
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* tcgetattr with ICANON may hang */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #undef BROKEN_TCGETATTR_ICANON
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/configure.ac 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/configure.ac 2017-10-08 09:09:59.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -5042,10 +5042,40 @@ AC_CHECK_MEMBER([struct utmp.ut_line], [
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ])
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+dnl Keychain support
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+AC_ARG_WITH(keychain,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ [ --with-keychain=apple Use Mac OS X Keychain],
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ [
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case "$withval" in
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ apple|no)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ KEYCHAIN=$withval
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ;;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ AC_MSG_ERROR(invalid keychain type: $withval)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ;;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ esac
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+if test ! -z "$KEYCHAIN" -a "$KEYCHAIN" != "no"; then
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case "$KEYCHAIN" in
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ apple)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ AC_CHECK_HEADERS(Security/Security.h, [
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CPPFLAGS="$CPPFLAGS -D__APPLE_KEYCHAIN__"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ KEYCHAIN_LDFLAGS="-framework Security -framework CoreFoundation"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ AC_SUBST(KEYCHAIN_LDFLAGS)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ],
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ AC_MSG_WARN([Security framework not found. Disabling Mac OS X Keychain support.]))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ;;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ esac
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+fi
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- dnl Adding -Werror to CFLAGS early prevents configure tests from running.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- dnl Add now.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- CFLAGS="$CFLAGS $werror_flags"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+AC_CHECK_FUNCS(copyfile)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+AC_CHECK_HEADERS(copyfile.h)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- TEST_SSH_IPV6=no
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/groupaccess.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/groupaccess.c 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -34,38 +34,67 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include <string.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include <limits.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef __APPLE_MEMBERSHIP__
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <membership.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "xmalloc.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "groupaccess.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "match.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "log.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef __APPLE_MEMBERSHIP__
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+// SPI for 5235093
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int32_t getgrouplist_2(const char *, gid_t, gid_t **);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int32_t getgroupcount(const char *, gid_t);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static int ngroups;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static char **groups_byname;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef __APPLE_MEMBERSHIP__
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+uuid_t u_uuid;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * Initialize group access list for user with primary (base) and
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * supplementary groups. Return the number of groups in the list.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--ga_init(const char *user, gid_t base)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ga_init(struct passwd *pw)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- gid_t *groups_bygid;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gid_t *groups_bygid = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int i, j;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- struct group *gr;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef __APPLE_MEMBERSHIP__
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (0 != mbr_uid_to_uuid(pw->pw_uid, u_uuid))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (ngroups > 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ga_free();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifndef __APPLE_MEMBERSHIP__
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ngroups = NGROUPS_MAX;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #if defined(HAVE_SYSCONF) && defined(_SC_NGROUPS_MAX)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ngroups = MAX(NGROUPS_MAX, sysconf(_SC_NGROUPS_MAX));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- groups_bygid = xcalloc(ngroups, sizeof(*groups_bygid));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (-1 == (ngroups = getgrouplist_2(pw->pw_name, pw->pw_gid,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &groups_bygid))) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ logit("getgrouplist_2 failed");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- groups_byname = xcalloc(ngroups, sizeof(*groups_byname));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (getgrouplist(user, base, groups_bygid, &ngroups) == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- logit("getgrouplist: groups list too small");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifndef __APPLE_MEMBERSHIP__
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (getgrouplist(pw->pw_name, pw->pw_gid, groups_bygid, &ngroups) == -1) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ logit("getgrouplist: groups list too small");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(groups_bygid);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- for (i = 0, j = 0; i < ngroups; i++)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if ((gr = getgrgid(groups_bygid[i])) != NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- groups_byname[j++] = xstrdup(gr->gr_name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -76,16 +105,32 @@ ga_init(const char *user, gid_t base)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * Return 1 if one of user's groups is contained in groups.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * Return 0 otherwise. Use match_pattern() for string comparison.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Use mbr_check_membership() for membership checking on Mac OS X.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ga_match(char * const *groups, int n)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef __APPLE_MEMBERSHIP__
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int i, ismember = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ uuid_t g_uuid;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct group *grp;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ for (i = 0; i < n; i++) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((grp = getgrnam(groups[i])) == NULL ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (mbr_gid_to_uuid(grp->gr_gid, g_uuid) != 0) ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (mbr_check_membership(u_uuid, g_uuid, &ismember) != 0))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (ismember)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int i, j;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- for (i = 0; i < ngroups; i++)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- for (j = 0; j < n; j++)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (match_pattern(groups_byname[i], groups[j]))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/groupaccess.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/groupaccess.h 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -27,7 +27,7 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifndef GROUPACCESS_H
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define GROUPACCESS_H
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--int ga_init(const char *, gid_t);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int ga_init(struct passwd *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int ga_match(char * const *, int);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int ga_match_pattern_list(const char *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void ga_free(void);
</span> --- /dev/null 1970-01-01 00:00:00.000000000 +0000
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/keychain.c 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -0,0 +1,697 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/keychain.m 2019-10-16 10:32:49.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -0,0 +1,241 @@
</span> +/*
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Copyright (c) 2007 Apple Inc. All rights reserved.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Copyright (c) 2007-2016 Apple Inc. All rights reserved.
</span> + *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -377,676 +33,220 @@
</span> + * @APPLE_BSD_LICENSE_HEADER_END@
+ */
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "includes.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#import <Foundation/Foundation.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#import <Security/Security.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#import "SecItemPriv-shim.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include <sys/stat.h>
</span> +#include <stdio.h>
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <string.h>
</span> +
+#include "xmalloc.h"
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "key.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "authfd.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "sshkey.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "ssherr.h"
</span> +#include "authfile.h"
<span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "openbsd-compat/openbsd-compat.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "log.h"
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#if defined(__APPLE_KEYCHAIN__)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <CoreFoundation/CoreFoundation.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <Security/Security.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* Our Security/SecPassword.h is not yet API, so I will define the constants that I am using here. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int kSecPasswordGet = 1<<0; // Get password from keychain or user
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int kSecPasswordSet = 1<<1; // Set password (passed in if kSecPasswordGet not set, otherwise from user)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int kSecPasswordFail = 1<<2; // Wrong password (ignore item in keychain and flag error)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+OSStatus SecGenericPasswordCreate(SecKeychainAttributeList *searchAttrList, SecKeychainAttributeList *itemAttrList, SecPasswordRef *itemRef);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+OSStatus SecPasswordAction(SecPasswordRef itemRef, CFTypeRef message, UInt32 flags, UInt32 *length, const void **data);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+OSStatus SecPasswordSetInitialAccess(SecPasswordRef itemRef, SecAccessRef accessRef);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Platform-specific helper functions.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#if defined(__APPLE_KEYCHAIN__)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static int get_boolean_preference(const char *key, int default_value,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int foreground)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++char *keychain_read_passphrase(const char *filename)
</span> +{
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int value = default_value;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFStringRef keyRef = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFPropertyListRef valueRef = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ keyRef = CFStringCreateWithCString(NULL, key, kCFStringEncodingUTF8);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (keyRef != NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ valueRef = CFPreferencesCopyAppValue(keyRef,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFSTR("org.openbsd.openssh"));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (valueRef != NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (CFGetTypeID(valueRef) == CFBooleanGetTypeID())
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ value = CFBooleanGetValue(valueRef);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else if (foreground)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "Ignoring nonboolean %s preference.\n", key);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (keyRef)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(keyRef);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (valueRef)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(valueRef);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return value;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ OSStatus ret = errSecSuccess;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ NSString *accountString = [NSString stringWithUTF8String: filename];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ NSData *passphraseData = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (accountString == nil) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug2("Cannot retrieve identity passphrase from the keychain since the path is not UTF8.");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ NSDictionary *searchQuery = @{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (id)kSecClass: (id)kSecClassGenericPassword,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (id)kSecAttrAccount: accountString,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (id)kSecAttrLabel: [NSString stringWithFormat: @"SSH: %@", accountString],
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (id)kSecAttrService: @"OpenSSH",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#if ((defined (MAC_OS_X_VERSION_10_11)) && (MAC_OS_X_VERSION_MIN_REQUIRED >= MAC_OS_X_VERSION_10_11))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (id)kSecAttrNoLegacy: @YES,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (id)kSecUseAuthenticationUI: (id)kSecUseAuthenticationUIFail,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* ((defined (MAC_OS_X_VERSION_10_11)) && (MAC_OS_X_VERSION_MIN_REQUIRED >= MAC_OS_X_VERSION_10_11)) */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (id)kSecAttrAccessGroup: @"com.apple.ssh.passphrases",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (id)kSecReturnData: @YES};
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug3("Search for item with query: %s", [[searchQuery description] UTF8String]);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ret = SecItemCopyMatching((CFDictionaryRef)searchQuery, (CFTypeRef *)&passphraseData);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (ret == errSecItemNotFound) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug2("Passphrase not found in the keychain.");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else if (ret != errSecSuccess) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ NSString *errorString = (NSString *)SecCopyErrorMessageString(ret, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug2("Unexpected keychain error while searching for an item: %s", [errorString UTF8String]);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [errorString release];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [passphraseData release];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (![passphraseData isKindOfClass: [NSData class]]) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug2("Malformed result returned from the keychain");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [passphraseData release];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *passphrase = xcalloc([passphraseData length] + 1, sizeof(char));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [passphraseData getBytes: passphrase length: [passphraseData length]];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [passphraseData release];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // Try to load the key first and only return the passphrase if we know it's the right one
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshkey *private = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int r = sshkey_load_private_type(KEY_UNSPEC, filename, passphrase, &private, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (r != SSH_ERR_SUCCESS) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug2("Could not unlock key with the passphrase retrieved from the keychain.");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ freezero(passphrase, strlen(passphrase));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshkey_free(private);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return passphrase;
</span> +}
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Store the passphrase for a given identity in the keychain.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+store_in_keychain(const char *filename, const char *passphrase)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++void store_in_keychain(const char *filename, const char *passphrase)
</span> +{
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#if defined(__APPLE_KEYCHAIN__)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * store_in_keychain
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Mac OS X implementation
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFStringRef cfstr_relative_filename = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFURLRef cfurl_relative_filename = NULL, cfurl_filename = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFStringRef cfstr_filename = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFDataRef cfdata_filename = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFIndex filename_len;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ UInt8 *label = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ UInt8 *utf8_filename;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ OSStatus rv;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SecKeychainItemRef itemRef = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SecTrustedApplicationRef apps[] = {NULL, NULL, NULL};
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFArrayRef trustedlist = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SecAccessRef initialAccess = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Bail out if KeychainIntegration preference is -bool NO */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (get_boolean_preference("KeychainIntegration", 1, 1) == 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "Keychain integration is disabled.\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ OSStatus ret = errSecSuccess;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BOOL updateExistingItem = NO;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ NSString *accountString = [NSString stringWithUTF8String: filename];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (accountString == nil) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug2("Cannot store identity passphrase into the keychain since the path is not UTF8.");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ NSDictionary *defaultAttributes = @{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (id)kSecClass: (id)kSecClassGenericPassword,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (id)kSecAttrAccount: accountString,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (id)kSecAttrLabel: [NSString stringWithFormat: @"SSH: %@", accountString],
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (id)kSecAttrService: @"OpenSSH",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#if ((defined (MAC_OS_X_VERSION_10_11)) && (MAC_OS_X_VERSION_MIN_REQUIRED >= MAC_OS_X_VERSION_10_11))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (id)kSecAttrNoLegacy: @YES,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (id)kSecUseAuthenticationUI: (id)kSecUseAuthenticationUIFail,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* ((defined (MAC_OS_X_VERSION_10_11)) && (MAC_OS_X_VERSION_MIN_REQUIRED >= MAC_OS_X_VERSION_10_11)) */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (id)kSecAttrAccessGroup: @"com.apple.ssh.passphrases"};
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ CFTypeRef searchResults = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ NSMutableDictionary *searchQuery = [@{(id)kSecReturnRef: @YES} mutableCopy];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [searchQuery addEntriesFromDictionary: defaultAttributes];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug3("Search for existing item with query: %s", [[searchQuery description] UTF8String]);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ret = SecItemCopyMatching((CFDictionaryRef)searchQuery, &searchResults);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [searchQuery release];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (ret == errSecSuccess) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug3("Item already exists in the keychain, updating.");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ updateExistingItem = YES;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else if (ret == errSecItemNotFound) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug3("Item does not exist in the keychain, adding.");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ NSString *errorString = (NSString *)SecCopyErrorMessageString(ret, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug3("Unexpected keychain error while searching for an item: %s", [errorString UTF8String]);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [errorString release];
</span> + }
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Interpret filename with the correct encoding. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((cfstr_relative_filename =
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFStringCreateWithFileSystemRepresentation(NULL, filename)) == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "CFStringCreateWithFileSystemRepresentation failed\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((cfurl_relative_filename = CFURLCreateWithFileSystemPath(NULL,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ cfstr_relative_filename, kCFURLPOSIXPathStyle, false)) == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "CFURLCreateWithFileSystemPath failed\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((cfurl_filename = CFURLCopyAbsoluteURL(cfurl_relative_filename)) ==
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "CFURLCopyAbsoluteURL failed\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((cfstr_filename = CFURLCopyFileSystemPath(cfurl_filename,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kCFURLPOSIXPathStyle)) == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "CFURLCopyFileSystemPath failed\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((cfdata_filename = CFStringCreateExternalRepresentation(NULL,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ cfstr_filename, kCFStringEncodingUTF8, 0)) == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "CFStringCreateExternalRepresentation failed\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ filename_len = CFDataGetLength(cfdata_filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((label = xmalloc(filename_len + 5)) == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "xmalloc failed\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ memcpy(label, "SSH: ", 5);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ utf8_filename = label + 5;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFDataGetBytes(cfdata_filename, CFRangeMake(0, filename_len),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ utf8_filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Check if we already have this passphrase. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ rv = SecKeychainFindGenericPassword(NULL, 3, "SSH", filename_len,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (char *)utf8_filename, NULL, NULL, &itemRef);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (rv == errSecItemNotFound) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Add a new keychain item. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SecKeychainAttribute attrs[] = {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {kSecLabelItemAttr, filename_len + 5, label},
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {kSecServiceItemAttr, 3, "SSH"},
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {kSecAccountItemAttr, filename_len, utf8_filename}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ };
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SecKeychainAttributeList attrList =
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {sizeof(attrs) / sizeof(attrs[0]), attrs};
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (SecTrustedApplicationCreateFromPath("/usr/bin/ssh-agent",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &apps[0]) != noErr ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SecTrustedApplicationCreateFromPath("/usr/bin/ssh-add",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &apps[1]) != noErr ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SecTrustedApplicationCreateFromPath("/usr/bin/ssh",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &apps[2]) != noErr) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "SecTrustedApplicationCreateFromPath failed\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((trustedlist = CFArrayCreate(NULL, (const void **)apps,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sizeof(apps) / sizeof(apps[0]), &kCFTypeArrayCallBacks)) ==
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "CFArrayCreate failed\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (updateExistingItem) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ NSDictionary *updateQuery = defaultAttributes;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ NSDictionary *changes = @{(id)kSecValueData: [NSData dataWithBytesNoCopy: (void *)passphrase length: strlen(passphrase) freeWhenDone: NO]};
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ret = SecItemUpdate((CFDictionaryRef)updateQuery, (CFDictionaryRef)changes);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (ret != errSecSuccess) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ NSString *errorString = (NSString *)SecCopyErrorMessageString(ret, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug3("Unexpected keychain error while updating the item: %s", [errorString UTF8String]);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [errorString release];
</span> + }
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (SecAccessCreate(cfstr_filename, trustedlist,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &initialAccess) != noErr) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "SecAccessCreate failed\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ NSMutableDictionary *addQuery = [@{(id)kSecValueData: [NSData dataWithBytesNoCopy: (void *)passphrase length: strlen(passphrase) freeWhenDone: NO]} mutableCopy];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [addQuery addEntriesFromDictionary: defaultAttributes];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ret = SecItemAdd((CFDictionaryRef)addQuery, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [addQuery release];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (ret != errSecSuccess) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ NSString *errorString = (NSString *)SecCopyErrorMessageString(ret, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug3("Unexpected keychain error while inserting the item: %s", [errorString UTF8String]);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [errorString release];
</span> + }
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (SecKeychainItemCreateFromContent(
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kSecGenericPasswordItemClass, &attrList, strlen(passphrase),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ passphrase, NULL, initialAccess, NULL) == noErr)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "Passphrase stored in keychain: %s\n", filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "Could not create keychain item\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else if (rv == noErr) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Update an existing keychain item. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (SecKeychainItemModifyAttributesAndData(itemRef, NULL,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ strlen(passphrase), passphrase) == noErr)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "Passphrase updated in keychain: %s\n", filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "Could not modify keychain item\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "Could not access keychain\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+err: /* Clean up. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (cfstr_relative_filename)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(cfstr_relative_filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (cfurl_relative_filename)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(cfurl_relative_filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (cfurl_filename)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(cfurl_filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (cfstr_filename)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(cfstr_filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (cfdata_filename)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(cfdata_filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (label)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(label);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (itemRef)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(itemRef);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (apps[0])
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(apps[0]);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (apps[1])
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(apps[1]);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (apps[2])
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(apps[2]);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (trustedlist)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(trustedlist);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (initialAccess)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(initialAccess);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * store_in_keychain
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * no keychain implementation
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "Keychain is not available on this system\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span> +}
+
+/*
+ * Remove the passphrase for a given identity from the keychain.
+ */
+void
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+remove_from_keychain(const char *filename, int qflag)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++remove_from_keychain(const char *filename)
</span> +{
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#if defined(__APPLE_KEYCHAIN__)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * remove_from_keychain
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Mac OS X implementation
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFStringRef cfstr_relative_filename = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFURLRef cfurl_relative_filename = NULL, cfurl_filename = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFStringRef cfstr_filename = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFDataRef cfdata_filename = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFIndex filename_len;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ const UInt8 *utf8_filename;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ OSStatus rv;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SecKeychainItemRef itemRef = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Bail out if KeychainIntegration preference is -bool NO */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (get_boolean_preference("KeychainIntegration", 1, 1) == 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "Keychain integration is disabled.\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Interpret filename with the correct encoding. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((cfstr_relative_filename =
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFStringCreateWithFileSystemRepresentation(NULL, filename)) == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "CFStringCreateWithFileSystemRepresentation failed\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((cfurl_relative_filename = CFURLCreateWithFileSystemPath(NULL,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ cfstr_relative_filename, kCFURLPOSIXPathStyle, false)) == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "CFURLCreateWithFileSystemPath failed\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((cfurl_filename = CFURLCopyAbsoluteURL(cfurl_relative_filename)) ==
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "CFURLCopyAbsoluteURL failed\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((cfstr_filename = CFURLCopyFileSystemPath(cfurl_filename,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kCFURLPOSIXPathStyle)) == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "CFURLCopyFileSystemPath failed\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ OSStatus ret = errSecSuccess;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ NSString *accountString = [NSString stringWithUTF8String: filename];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (accountString == nil) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug2("Cannot delete identity passphrase from the keychain since the path is not UTF8.");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ NSDictionary *searchQuery = @{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (id)kSecClass: (id)kSecClassGenericPassword,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (id)kSecAttrAccount: accountString,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (id)kSecAttrService: @"OpenSSH",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#if ((defined (MAC_OS_X_VERSION_10_11)) && (MAC_OS_X_VERSION_MIN_REQUIRED >= MAC_OS_X_VERSION_10_11))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (id)kSecAttrNoLegacy: @YES,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (id)kSecUseAuthenticationUI: (id)kSecUseAuthenticationUIFail,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* ((defined (MAC_OS_X_VERSION_10_11)) && (MAC_OS_X_VERSION_MIN_REQUIRED >= MAC_OS_X_VERSION_10_11)) */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (id)kSecAttrAccessGroup: @"com.apple.ssh.passphrases"};
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ret = SecItemDelete((CFDictionaryRef)searchQuery);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (ret == errSecSuccess) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ NSString *errorString = (NSString *)SecCopyErrorMessageString(ret, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug3("Unexpected keychain error while deleting the item: %s", [errorString UTF8String]);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [errorString release];
</span> + }
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((cfdata_filename = CFStringCreateExternalRepresentation(NULL,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ cfstr_filename, kCFStringEncodingUTF8, 0)) == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "CFStringCreateExternalRepresentation failed\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ filename_len = CFDataGetLength(cfdata_filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ utf8_filename = CFDataGetBytePtr(cfdata_filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Check if we already have this passphrase. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ rv = SecKeychainFindGenericPassword(NULL, 3, "SSH", filename_len,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (const char *)utf8_filename, NULL, NULL, &itemRef);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (rv == noErr) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Remove the passphrase from the keychain. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (SecKeychainItemDelete(itemRef) == noErr) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!qflag) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "Passphrase removed from keychain: %s\n", filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "Could not remove keychain item\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else if (rv != errSecItemNotFound)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "Could not access keychain\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+err: /* Clean up. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (cfstr_relative_filename)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(cfstr_relative_filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (cfurl_relative_filename)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(cfurl_relative_filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (cfurl_filename)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(cfurl_filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (cfstr_filename)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(cfstr_filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (cfdata_filename)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(cfdata_filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (itemRef)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(itemRef);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * remove_from_keychain
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * no keychain implementation
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "Keychain is not available on this system\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span> +}
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Add identities to ssh-agent using passphrases stored in the keychain.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Returns zero on success and nonzero on failure.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * add_identity is a callback into ssh-agent. It takes a filename and a
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * passphrase, and attempts to add the identity to the agent. It returns
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * zero on success and nonzero on failure.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> +int
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+add_identities_using_keychain(int (*add_identity)(const char *, const char *))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++load_identities_from_keychain(int (^add_identity)(const char *identity))
</span> +{
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#if defined(__APPLE_KEYCHAIN__)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * add_identities_using_keychain
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Mac OS X implementation
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ OSStatus rv;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SecKeychainSearchRef searchRef;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SecKeychainItemRef itemRef;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ UInt32 length;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ void *data;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFIndex maxsize;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Bail out if KeychainIntegration preference is -bool NO */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (get_boolean_preference("KeychainIntegration", 1, 0) == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Search for SSH passphrases in the keychain */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SecKeychainAttribute attrs[] = {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {kSecServiceItemAttr, 3, "SSH"}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ };
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SecKeychainAttributeList attrList =
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {sizeof(attrs) / sizeof(attrs[0]), attrs};
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((rv = SecKeychainSearchCreateFromAttributes(NULL,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kSecGenericPasswordItemClass, &attrList, &searchRef)) != noErr)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int ret = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ OSStatus err = errSecSuccess;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ NSArray *searchResults = nil;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ NSDictionary *searchQuery = @{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (id)kSecClass: (id)kSecClassGenericPassword,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (id)kSecAttrService: @"OpenSSH",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#if ((defined (MAC_OS_X_VERSION_10_11)) && (MAC_OS_X_VERSION_MIN_REQUIRED >= MAC_OS_X_VERSION_10_11))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (id)kSecAttrNoLegacy: @YES,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (id)kSecUseAuthenticationUI: (id)kSecUseAuthenticationUIFail,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* ((defined (MAC_OS_X_VERSION_10_11)) && (MAC_OS_X_VERSION_MIN_REQUIRED >= MAC_OS_X_VERSION_10_11)) */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (id)kSecAttrAccessGroup: @"com.apple.ssh.passphrases",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (id)kSecReturnAttributes: @YES,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (id)kSecMatchLimit: (id)kSecMatchLimitAll};
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ err = SecItemCopyMatching((CFDictionaryRef)searchQuery, (CFTypeRef *)&searchResults);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (err == errSecItemNotFound) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fprintf(stderr, "No identity found in the keychain.\n");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [searchResults release];
</span> + return 0;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Iterate through the search results. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ while ((rv = SecKeychainSearchCopyNext(searchRef, &itemRef)) == noErr) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ UInt32 tag = kSecAccountItemAttr;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ UInt32 format = kSecFormatUnknown;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SecKeychainAttributeInfo info = {1, &tag, &format};
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SecKeychainAttributeList *itemAttrList = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFStringRef cfstr_filename = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *filename = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *passphrase = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Retrieve filename and passphrase. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((rv = SecKeychainItemCopyAttributesAndData(itemRef, &info,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ NULL, &itemAttrList, &length, &data)) != noErr)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (itemAttrList->count != 1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ cfstr_filename = CFStringCreateWithBytes(NULL,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ itemAttrList->attr->data, itemAttrList->attr->length,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kCFStringEncodingUTF8, true);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ maxsize = CFStringGetMaximumSizeOfFileSystemRepresentation(
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ cfstr_filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((filename = xmalloc(maxsize)) == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (CFStringGetFileSystemRepresentation(cfstr_filename,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ filename, maxsize) == false)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((passphrase = xmalloc(length + 1)) == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ memcpy(passphrase, data, length);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ passphrase[length] = '\0';
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Add the identity. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ add_identity(filename, passphrase);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+err: /* Clean up. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (itemRef)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(itemRef);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (cfstr_filename)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(cfstr_filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (filename)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (passphrase)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(passphrase);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (itemAttrList)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SecKeychainItemFreeAttributesAndData(itemAttrList,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ data);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else if (err != errSecSuccess || ![searchResults isKindOfClass: [NSArray class]]) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 1;
</span> + }
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(searchRef);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * add_identities_using_keychain
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * no implementation
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for (NSDictionary *itemAttributes in searchResults) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ NSString *accountString = itemAttributes[(id)kSecAttrAccount];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct stat st;
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Prompt the user for a key's passphrase. The user will be offered the option
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * of storing the passphrase in their keychain. Returns the passphrase
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * (which the caller is responsible for freeing), or NULL if this function
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * fails or is not implemented. If this function is not implemented, ssh will
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * fall back on the standard read_passphrase function, and the user will need
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * to use ssh-add -K to add their keys to the keychain.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+char *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+keychain_read_passphrase(const char *filename, int oAskPassGUI)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#if defined(__APPLE_KEYCHAIN__)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * keychain_read_passphrase
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Mac OS X implementation
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFStringRef cfstr_relative_filename = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFURLRef cfurl_relative_filename = NULL, cfurl_filename = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFStringRef cfstr_filename = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFDataRef cfdata_filename = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFIndex filename_len;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ UInt8 *label = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ UInt8 *utf8_filename;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SecPasswordRef passRef = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SecTrustedApplicationRef apps[] = {NULL, NULL, NULL};
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFArrayRef trustedlist = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SecAccessRef initialAccess = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFURLRef path = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFStringRef pathFinal = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFURLRef bundle_url = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFBundleRef bundle = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFStringRef promptTemplate = NULL, prompt = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ UInt32 length;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ const void *data;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int sock = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *result = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Bail out if KeychainIntegration preference is -bool NO */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (get_boolean_preference("KeychainIntegration", 1, 1) == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Bail out if the user set AskPassGUI preference to -bool NO */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (get_boolean_preference("AskPassGUI", 1, 1) == 0 || oAskPassGUI == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Bail out if we can't communicate with ssh-agent */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((ssh_get_authentication_socket(&sock)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Interpret filename with the correct encoding. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((cfstr_relative_filename =
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFStringCreateWithFileSystemRepresentation(NULL, filename)) == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "CFStringCreateWithFileSystemRepresentation failed\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((cfurl_relative_filename = CFURLCreateWithFileSystemPath(NULL,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ cfstr_relative_filename, kCFURLPOSIXPathStyle, false)) == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "CFURLCreateWithFileSystemPath failed\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((cfurl_filename = CFURLCopyAbsoluteURL(cfurl_relative_filename)) ==
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "CFURLCopyAbsoluteURL failed\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((cfstr_filename = CFURLCopyFileSystemPath(cfurl_filename,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kCFURLPOSIXPathStyle)) == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "CFURLCopyFileSystemPath failed\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((cfdata_filename = CFStringCreateExternalRepresentation(NULL,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ cfstr_filename, kCFStringEncodingUTF8, 0)) == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "CFStringCreateExternalRepresentation failed\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ filename_len = CFDataGetLength(cfdata_filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((label = xmalloc(filename_len + 5)) == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "xmalloc failed\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ memcpy(label, "SSH: ", 5);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ utf8_filename = label + 5;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFDataGetBytes(cfdata_filename, CFRangeMake(0, filename_len),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ utf8_filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Build a SecPasswordRef. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SecKeychainAttribute searchAttrs[] = {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {kSecServiceItemAttr, 3, "SSH"},
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {kSecAccountItemAttr, filename_len, utf8_filename}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ };
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SecKeychainAttributeList searchAttrList =
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {sizeof(searchAttrs) / sizeof(searchAttrs[0]), searchAttrs};
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SecKeychainAttribute attrs[] = {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {kSecLabelItemAttr, filename_len + 5, label},
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {kSecServiceItemAttr, 3, "SSH"},
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {kSecAccountItemAttr, filename_len, utf8_filename}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ };
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SecKeychainAttributeList attrList =
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {sizeof(attrs) / sizeof(attrs[0]), attrs};
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (SecGenericPasswordCreate(&searchAttrList, &attrList, &passRef) !=
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ noErr) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "SecGenericPasswordCreate failed\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (SecTrustedApplicationCreateFromPath("/usr/bin/ssh-agent", &apps[0])
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ != noErr ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SecTrustedApplicationCreateFromPath("/usr/bin/ssh-add", &apps[1])
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ != noErr ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SecTrustedApplicationCreateFromPath("/usr/bin/ssh", &apps[2])
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ != noErr) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "SecTrustedApplicationCreateFromPath failed\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((trustedlist = CFArrayCreate(NULL, (const void **)apps,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sizeof(apps) / sizeof(apps[0]), &kCFTypeArrayCallBacks)) == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "CFArrayCreate failed\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (SecAccessCreate(cfstr_filename, trustedlist, &initialAccess)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ != noErr) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "SecAccessCreate failed\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (SecPasswordSetInitialAccess(passRef, initialAccess) != noErr) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "SecPasswordSetInitialAccess failed\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Request the passphrase from the user. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((path = CFURLCreateFromFileSystemRepresentation(NULL,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (UInt8 *)filename, strlen(filename), false)) == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "CFURLCreateFromFileSystemRepresentation failed\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((pathFinal = CFURLCopyLastPathComponent(path)) == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "CFURLCopyLastPathComponent failed\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!((bundle_url = CFURLCreateWithFileSystemPath(NULL,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFSTR("/System/Library/CoreServices/"), kCFURLPOSIXPathStyle, true))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ != NULL && (bundle = CFBundleCreate(NULL, bundle_url)) != NULL &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (promptTemplate = CFCopyLocalizedStringFromTableInBundle(
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFSTR("Enter your password for the SSH key \"%@\"."),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFSTR("OpenSSH"), bundle, "Text of the dialog asking the user for"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ "their passphrase. The %@ will be replaced with the filename of a"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ "specific key.")) != NULL) &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (promptTemplate = CFStringCreateCopy(NULL,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFSTR("Enter your password for the SSH key \"%@\"."))) == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "CFStringCreateCopy failed\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((prompt = CFStringCreateWithFormat(NULL, NULL, promptTemplate,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pathFinal)) == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "CFStringCreateWithFormat failed\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ switch (SecPasswordAction(passRef, prompt,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kSecPasswordGet|kSecPasswordFail, &length, &data)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case noErr:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ result = xmalloc(length + 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ memcpy(result, data, length);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ result[length] = '\0';
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Save password in keychain if requested. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (noErr != SecPasswordAction(passRef, CFSTR(""), kSecPasswordSet, &length, &data))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "Saving password to keychain failed\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Add password to agent. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *comment = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Key *private = key_load_private(filename, result, &comment);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (NULL == private)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (ssh_add_identity_constrained(sock, private, comment, 0, 0))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "Identity added: %s (%s)\n", filename, comment);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "Could not add identity: %s\n", filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(comment);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ key_free(private);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case errAuthorizationCanceled:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ result = xmalloc(1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *result = '\0';
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ default:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto err;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (stat([accountString UTF8String], &st) < 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ continue;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (add_identity([accountString UTF8String]))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ret = 1;
</span> + }
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ [searchResults release];
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+err: /* Clean up. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (cfstr_relative_filename)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(cfstr_relative_filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (cfurl_relative_filename)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(cfurl_relative_filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (cfurl_filename)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(cfurl_filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (cfstr_filename)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(cfstr_filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (cfdata_filename)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(cfdata_filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (label)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(label);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (passRef)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(passRef);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (apps[0])
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(apps[0]);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (apps[1])
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(apps[1]);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (apps[2])
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(apps[2]);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (trustedlist)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(trustedlist);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (initialAccess)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(initialAccess);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (path)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(path);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (pathFinal)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(pathFinal);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (bundle_url)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(bundle_url);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (bundle)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(bundle);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (promptTemplate)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(promptTemplate);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (prompt)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CFRelease(prompt);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (sock != -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_close_authentication_socket(sock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return result;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * keychain_read_passphrase
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * no implementation
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return ret;
</span> +}
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/keychain.h 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -0,0 +1,45 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/keychain.h 2019-10-16 10:32:49.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -0,0 +1,36 @@
</span> +/*
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Copyright (c) 2007 Apple Inc. All rights reserved.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Copyright (c) 2007-2016 Apple Inc. All rights reserved.
</span> + *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1077,737 +277,477 @@
</span> + * @APPLE_BSD_LICENSE_HEADER_END@
+ */
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * KEYCHAIN indicates that keychain functionality is present.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * KEYCHAIN_* indicates the implementation to use, and implies KEYCHAIN.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#if defined(__APPLE_KEYCHAIN__)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define KEYCHAIN
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++void store_in_keychain(const char *filename, const char *passphrase);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++void remove_from_keychain(const char *filename);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++char *keychain_read_passphrase(const char *filename);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int load_identities_from_keychain(int (^add_identity)(const char *identity));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/Makefile.in 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/Makefile.in 2019-10-16 10:32:49.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -41,6 +41,7 @@ PATHS= -DSSHDIR=\"$(sysconfdir)\" \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ CC=@CC@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ LD=@LD@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ CFLAGS=@CFLAGS@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++OBJCFLAGS=@OBJCFLAGS@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ LIBS=@LIBS@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ K5LIBS=@K5LIBS@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -56,6 +57,7 @@ SED=@SED@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ENT=@ENT@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ XAUTH_PATH=@XAUTH_PATH@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++KEYCHAIN_LDFLAGS=@KEYCHAIN_LDFLAGS@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ EXEEXT=@EXEEXT@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ MANFMT=@MANFMT@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ MKDIR_P=@MKDIR_P@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -121,6 +123,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sandbox-solaris.o uidswap.o
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++KEYCHAINOBJS=keychain.o
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ MANTYPE = @MANTYPE@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -156,6 +160,7 @@ all: configure-check $(CONFIGFILES) $(MA
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ $(LIBSSH_OBJS): Makefile.in config.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ $(SSHOBJS): Makefile.in config.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ $(SSHDOBJS): Makefile.in config.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++$(KEYCHAINOBJS): Makefile.in config.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ configure-check: $(srcdir)/configure
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ $(srcdir)/configure: configure.ac aclocal.m4
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -164,6 +169,8 @@ $(srcdir)/configure: configure.ac acloca
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .c.o:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ $(CC) $(CFLAGS) $(CPPFLAGS) -c $< -o $@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.m.o:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ $(CC) $(OBJCFLAGS) $(CFLAGS) $(CPPFLAGS) -c $< -o $@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ LIBCOMPAT=openbsd-compat/libopenbsd-compat.a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ $(LIBCOMPAT): always
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -174,8 +181,8 @@ libssh.a: $(LIBSSH_OBJS)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ $(AR) rv $@ $(LIBSSH_OBJS)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ $(RANLIB) $@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) $(KEYCHAINOBJS)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ $(LD) -o $@ $(SSHOBJS) $(KEYCHAINOBJS) $(LDFLAGS) $(KEYCHAIN_LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -183,11 +190,11 @@ sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(S
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o $(KEYCHAINOBJS)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ $(LD) -o $@ ssh-add.o $(KEYCHAINOBJS) $(LDFLAGS) $(KEYCHAIN_LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o $(KEYCHAINOBJS)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(KEYCHAINOBJS) $(LDFLAGS) $(KEYCHAIN_LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o sshsig.o
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/audit-bsm.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/audit-bsm.c 2019-10-16 10:32:49.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -62,6 +62,15 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include <bsm/audit_record.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include <locale.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include <bsm/audit_session.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "auth-options.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "misc.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "servconf.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++extern ServerOptions options;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++extern struct sshauthopt *auth_opts;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #if defined(HAVE_GETAUDIT_ADDR)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define AuditInfoStruct auditinfo_addr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define AuditInfoTermID au_tid_addr_t
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -305,6 +314,17 @@ bsm_audit_session_setup(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ bzero(&info, sizeof (info));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ info.ai_flags = AU_SESSION_FLAG_IS_REMOTE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (the_authctxt->valid) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ info.ai_flags |= AU_SESSION_FLAG_HAS_AUTHENTICATED;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (auth_opts->permit_pty_flag && options.permit_tty) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ info.ai_flags |= AU_SESSION_FLAG_HAS_TTY;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (the_authctxt->valid)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ info.ai_auid = the_authctxt->pw->pw_uid;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/configure.ac 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/configure.ac 2019-10-16 10:32:49.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -20,6 +20,7 @@ AC_LANG([C])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ AC_CONFIG_HEADER([config.h])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ AC_PROG_CC([cc gcc])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++AC_PROG_OBJC([cc clang gcc])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ AC_CANONICAL_HOST
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ AC_C_BIGENDIAN
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -667,11 +668,11 @@ main() { if (NSVersionOfRunTimeLibrary("
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ [Prepend the address family to IP tunnel traffic])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ m4_pattern_allow([AU_IPv])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- AC_CHECK_DECL([AU_IPv4], [],
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- [#include <bsm/audit.h>]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1],
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- [Define if pututxline updates lastlog too])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ AC_CHECK_DECL([AU_IPv4],
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1],
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [Define if pututxline updates lastlog too]),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [[#include <bsm/audit.h>]]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ )
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV],
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ [Define to a Set Process Title type if your system is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -5152,6 +5153,34 @@ AC_CHECK_MEMBER([struct utmp.ut_line], [
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++dnl Keychain support
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++AC_ARG_WITH(keychain,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [ --with-keychain=apple Use macOS Keychain],
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ [
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case "$withval" in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ apple|no)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ KEYCHAIN=$withval
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ;;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ AC_MSG_ERROR(invalid keychain type: $withval)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ;;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ esac
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++if test ! -z "$KEYCHAIN" -a "$KEYCHAIN" != "no"; then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case "$KEYCHAIN" in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ apple)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ AC_CHECK_HEADERS(Security/Security.h, [
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ CPPFLAGS="$CPPFLAGS -D__APPLE_KEYCHAIN__ -D__APPLE_MEMBERSHIP__ -D__APPLE_TMPDIR__ -D__APPLE_LAUNCHD__"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ OBJCFLAGS="$OBJCFLAGS -F/System/Library/Frameworks/Security.framework -F/System/Library/Frameworks/DirectoryService.framework -F/System/Library/Frameworks/CoreFoundation.framework"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ KEYCHAIN_LDFLAGS="-framework Security -framework CoreFoundation -framework Foundation -lobjc"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ AC_SUBST(KEYCHAIN_LDFLAGS)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ],
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ AC_MSG_WARN([Security framework not found. Disabling macOS Keychain support.]))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ;;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ esac
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++fi
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ dnl Adding -Werror to CFLAGS early prevents configure tests from running.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ dnl Add now.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ CFLAGS="$CFLAGS $werror_flags"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/groupaccess.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/groupaccess.c 2019-10-16 10:32:49.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -39,6 +39,10 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "match.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "log.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE_MEMBERSHIP__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int32_t getgrouplist_2(const char *, gid_t, gid_t **);
</span> +#endif
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+void store_in_keychain(const char *filename, const char *passphrase);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+void remove_from_keychain(const char *filename, int qflag);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int add_identities_using_keychain(
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int (*add_identity)(const char *, const char *));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+char *keychain_read_passphrase(const char *filename, int oAskPassGUI);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/readconf.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/readconf.c 2017-10-08 09:09:59.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -169,6 +169,9 @@ typedef enum {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int ngroups;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static char **groups_byname;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -56,6 +60,18 @@ ga_init(const char *user, gid_t base)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (ngroups > 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ga_free();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE_MEMBERSHIP__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (void)retry;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((ngroups = getgrouplist_2(user, base, &groups_bygid)) == -1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ logit("getgrouplist_2 failed");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * getgrouplist_2 only fails on memory error; in which case
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * groups_bygid will be left NULL so no need to free.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ groups_byname = xcalloc(ngroups, sizeof(*groups_byname));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ngroups = NGROUPS_MAX;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #if defined(HAVE_SYSCONF) && defined(_SC_NGROUPS_MAX)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ngroups = MAX(NGROUPS_MAX, sysconf(_SC_NGROUPS_MAX));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -69,6 +85,7 @@ ga_init(const char *user, gid_t base)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sizeof(*groups_bygid));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ groups_byname = xcalloc(ngroups, sizeof(*groups_byname));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* __APPLE_MEMBERSHIP__ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for (i = 0, j = 0; i < ngroups; i++)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((gr = getgrgid(groups_bygid[i])) != NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/readconf.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/readconf.c 2019-10-16 10:32:49.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -167,6 +167,9 @@ typedef enum {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ oHashKnownHosts,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ oTunnel, oTunnelDevice,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ oLocalCommand, oPermitLocalCommand, oRemoteCommand,
</span> +#ifdef __APPLE_KEYCHAIN__
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ oAskPassGUI,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ oUseKeychain,
</span> +#endif
<span style='display:block; white-space:pre;background:#ffe0e0;'>- oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- oPubkeyAcceptedKeyTypes, oProxyJump,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -305,6 +308,9 @@ static struct {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "ignoreunknown", oIgnoreUnknown },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "proxyjump", oProxyJump },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ oVisualHostKey,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -291,6 +294,9 @@ static struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "localcommand", oLocalCommand },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "permitlocalcommand", oPermitLocalCommand },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "remotecommand", oRemoteCommand },
</span> +#ifdef __APPLE_KEYCHAIN__
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "askpassgui", oAskPassGUI },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "usekeychain", oUseKeychain},
</span> +#endif
<span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { NULL, oBadOption }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- };
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1555,6 +1561,12 @@ parse_keytypes:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- charptr = &options->ignored_unknown;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- goto parse_string;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "visualhostkey", oVisualHostKey },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "kexalgorithms", oKexAlgorithms },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "ipqos", oIPQoS },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1520,6 +1526,12 @@ parse_keytypes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ charptr = &options->remote_command;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ goto parse_command;
</span>
+#ifdef __APPLE_KEYCHAIN__
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case oAskPassGUI:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ intptr = &options->ask_pass_gui;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case oUseKeychain:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ intptr = &options->use_keychain;
</span> + goto parse_flag;
+#endif
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>- case oProxyUseFdpass:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- intptr = &options->proxy_use_fdpass;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case oVisualHostKey:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ intptr = &options->visual_host_key;
</span> goto parse_flag;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1859,6 +1871,9 @@ initialize_options(Options * options)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->request_tty = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->proxy_use_fdpass = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->ignored_unknown = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef __APPLE_KEYCHAIN__
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->ask_pass_gui = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->num_canonical_domains = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->num_permitted_cnames = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->canonicalize_max_dots = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2026,6 +2041,10 @@ fill_default_options(Options * options)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->ip_qos_bulk = IPTOS_THROUGHPUT;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options->request_tty == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->request_tty = REQUEST_TTY_AUTO;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1929,6 +1941,9 @@ initialize_options(Options * options)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->local_command = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->permit_local_command = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->remote_command = NULL;
</span> +#ifdef __APPLE_KEYCHAIN__
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->ask_pass_gui == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->ask_pass_gui = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->use_keychain = -1;
</span> +#endif
<span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options->proxy_use_fdpass == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->proxy_use_fdpass = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options->canonicalize_max_dots == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/readconf.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/readconf.h 2017-10-08 09:09:59.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -164,6 +164,10 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char *jump_extra;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->add_keys_to_agent = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->identity_agent = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->visual_host_key = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2168,6 +2183,11 @@ fill_default_options(Options * options)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* options->hostname will be set in the main program if appropriate */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* options->host_key_alias should not be set by default */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* options->preferred_authentications will be set in ssh */
</span> +
+#ifdef __APPLE_KEYCHAIN__
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int ask_pass_gui;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- } Options;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define SSH_CANONICALISE_NO 0
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/scp.1 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/scp.1 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -19,7 +19,7 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .Sh SYNOPSIS
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .Nm scp
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .Bk -words
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--.Op Fl 346BCpqrv
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Op Fl 346BCEpqrv
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .Op Fl c Ar cipher
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .Op Fl F Ar ssh_config
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .Op Fl i Ar identity_file
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -87,6 +87,8 @@ Passes the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- flag to
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .Xr ssh 1
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- to enable compression.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.It Fl E
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Preserves extended attributes, resource forks, and ACLs. Requires both ends to be running Mac OS X 10.4 or later.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .It Fl c Ar cipher
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Selects the cipher to use for encrypting the data transfer.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- This option is directly passed to
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/scp.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/scp.c 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -77,6 +77,9 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef HAVE_SYS_STAT_H
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # include <sys/stat.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef __APPLE_XSAN__
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <sys/mount.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->use_keychain == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->use_keychain = 0;
</span> +#endif
<span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef HAVE_POLL_H
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include <poll.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -119,6 +122,11 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "progressmeter.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "utf8.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HAVE_COPYFILE_H
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <libgen.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <copyfile.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct fwdarg {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/readconf.h 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/readconf.h 2019-10-16 10:32:49.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -137,6 +137,9 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *local_command;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int permit_local_command;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *remote_command;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE_KEYCHAIN__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int use_keychain;
</span> +#endif
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- extern char *__progname;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int visual_host_key;
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>- #define COPY_BUFLEN 16384
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -155,6 +163,12 @@ char *ssh_program = _PATH_SSH_PROGRAM;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* This is used to store the pid of ssh_program */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- pid_t do_cmd_pid = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int request_tty;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/session.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/session.c 2019-10-16 10:32:49.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1185,6 +1185,21 @@ do_setup_env(struct ssh *ssh, Session *s
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ original_command);
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HAVE_COPYFILE
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int copy_xattr = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int md_flag = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE_TMPDIR__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char tmpdir[MAXPATHLEN] = {0};
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ size_t len = 0;
</span> +
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ len = confstr(_CS_DARWIN_USER_TEMP_DIR, tmpdir, sizeof(tmpdir));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (len > 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ child_set_env(&env, &envsize, "TMPDIR", tmpdir);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug2("%s: set TMPDIR", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // errno is set by confstr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ errno = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug2("%s: unable to set TMPDIR", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* __APPLE_TMPDIR__ */
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>- static void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- killchild(int signo)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -402,7 +416,11 @@ main(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- addargs(&args, "-oClearAllForwardings=yes");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fflag = tflag = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#if HAVE_COPYFILE
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ while ((ch = getopt(argc, argv, "dfl:prtvBCEc:i:P:q12346S:o:F:")) != -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q12346S:o:F:")) != -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- switch (ch) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* User-visible flags. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case '1':
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -467,6 +485,11 @@ main(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- showprogress = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HAVE_COPYFILE
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case 'E':
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ copy_xattr = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Server options. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case 'd':
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- targetshouldbedirectory = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -526,7 +549,12 @@ main(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- remin = remout = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- do_cmd_pid = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Command to be executed on remote system using "ssh". */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#if HAVE_COPYFILE
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (void) snprintf(cmd, sizeof cmd, "scp%s%s%s%s%s",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ copy_xattr ? " -E" : "",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- (void) snprintf(cmd, sizeof cmd, "scp%s%s%s%s",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- verbose_mode ? " -v" : "",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- iamrecursive ? " -r" : "", pflag ? " -p" : "",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- targetshouldbedirectory ? " -d" : "");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -772,6 +800,10 @@ source(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int fd = -1, haderr, indx;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char *last, *name, buf[2048], encname[PATH_MAX];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int len;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#if HAVE_COPYFILE
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char md_name[MAXPATHLEN];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *md_tmp;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- for (indx = 0; indx < argc; ++indx) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- name = argv[indx];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -779,12 +811,26 @@ source(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- len = strlen(name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- while (len > 1 && name[len-1] == '/')
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- name[--len] = '\0';
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#if HAVE_COPYFILE
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+md_next:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ statbytes = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (md_flag) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fd = open(md_tmp, O_RDONLY, 0);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ unlink(md_tmp);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(md_tmp);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (fd < 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto syserr;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if ((fd = open(name, O_RDONLY|O_NONBLOCK, 0)) < 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- goto syserr;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (strchr(name, '\n') != NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- strnvis(encname, name, sizeof(encname), VIS_NL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- name = encname;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#if HAVE_COPYFILE
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (fstat(fd, &stb) < 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- syserr: run_err("%s: %s", name, strerror(errno));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- goto next;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -868,6 +914,36 @@ next: if (fd != -1) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- run_err("%s: %s", name, strerror(haderr));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- (void) response();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HAVE_COPYFILE
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (copy_xattr && md_flag == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!copyfile(name, NULL, 0,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ COPYFILE_ACL | COPYFILE_XATTR | COPYFILE_CHECK))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ continue;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * this file will hold the actual metadata
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * to be transferred
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ md_tmp = strdup("/tmp/scp.md.XXXXXX");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ md_tmp = mktemp(md_tmp);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if(copyfile(name, md_tmp, 0,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ COPYFILE_ACL | COPYFILE_XATTR | COPYFILE_PACK) == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * this is the fake name to display
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ snprintf(md_name, sizeof md_name, "%s/._%s", dirname(name), basename(name));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ name = md_name;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ md_flag = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (verbose_mode)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "copyfile(%s, %s, PACK)\n", name, md_tmp);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto md_next;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ md_flag = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (showprogress)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- stop_progress_meter();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -969,6 +1045,10 @@ sink(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- targisdir = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- for (first = 1;; first = 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#if HAVE_COPYFILE
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char md_src[MAXPATHLEN];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char md_dst[MAXPATHLEN];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- cp = buf;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (atomicio(read, remin, cp, 1) != 1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1120,10 +1200,51 @@ sink(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- omode = mode;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- mode |= S_IWUSR;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#if HAVE_COPYFILE
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (copy_xattr && !strncmp(basename(curfile), "._", 2))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int mdfd;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (targisdir)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ snprintf(md_src, sizeof md_src, "%s.XXXXXX", np);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ snprintf(md_dst, sizeof md_dst, "%s/%s",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dirname(np), basename(np) + 2);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if((mdfd = mkstemp(md_src)) < 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ continue;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ snprintf(md_src, sizeof md_src, "%s/._%s.XXXXXX",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dirname(np), basename(np));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ snprintf(md_dst, sizeof md_dst, "%s", np);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if((mdfd = mkstemp(md_src)) < 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ continue;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (mdfd >= 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ close(mdfd);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ np = md_src;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) < 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- bad: run_err("%s: %s", np, strerror(errno));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- continue;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef __APPLE_XSAN__
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Pre-allocate blocks for the destination file.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fstore_t fst;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fst.fst_flags = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fst.fst_posmode = F_PEOFPOSMODE;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fst.fst_offset = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fst.fst_length = size;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (void) fcntl(ofd, F_PREALLOCATE, &fst);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif /* __APPLE_XSAN__ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- (void) atomicio(vwrite, remout, "", 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if ((bp = allocbuf(&buffer, ofd, COPY_BUFLEN)) == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- (void) close(ofd);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1206,6 +1327,29 @@ bad: run_err("%s: %s", np, strerror(er
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- wrerrno = errno;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- (void) response();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HAVE_COPYFILE
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (copy_xattr && strncmp(basename(np), "._", 2) == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (verbose_mode)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "copyfile(%s, %s, UNPACK)\n", md_src, md_dst);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if(!copyfile(md_src, md_dst, 0,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ COPYFILE_ACL | COPYFILE_XATTR | COPYFILE_UNPACK) < 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ snprintf(md_dst, sizeof md_dst, "%s/._%s",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dirname(md_dst), basename(md_dst));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ rename(md_src, md_dst);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ unlink(md_src);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (setimes && wrerr == NO) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ setimes = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (utimes(md_dst, tv) < 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ run_err("%s: set times: %s",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ np, strerror(errno));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ wrerr = DISPLAYED;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (showprogress)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- stop_progress_meter();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (setimes && wrerr == NO) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1274,7 +1418,11 @@ void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- usage(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- (void) fprintf(stderr,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#if HAVE_COPYFILE
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ "usage: scp [-346BCEpqrv] [-c cipher] [-F ssh_config] [-i identity_file]\n"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- "usage: scp [-346BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]\n"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- " [-l limit] [-o ssh_option] [-P port] [-S program]\n"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- " [[user@]host1:]file1 ... [[user@]host2:]file2\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- exit(1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/servconf.c 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/servconf.c 2017-10-08 09:09:59.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -273,7 +273,7 @@ fill_default_server_options(ServerOption
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options->gss_strict_acceptor == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->gss_strict_acceptor = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options->password_authentication == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- options->password_authentication = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->password_authentication = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options->kbd_interactive_authentication == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->kbd_interactive_authentication = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options->challenge_response_authentication == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -795,7 +795,7 @@ match_cfg_line_group(const char *grps, i
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if ((pw = getpwnam(user)) == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- debug("Can't match group at line %d because user %.100s does "
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- "not exist", line, user);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else if (ga_init(pw) == 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- debug("Can't Match group because user %.100s not in any group "
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- "at line %d", user, line);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- } else if (ga_match_pattern_list(grps) != 1) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/session.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/session.c 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1890,8 +1890,10 @@ session_pty_req(struct ssh *ssh, Session
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- n_bytes = packet_remaining();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- tty_parse_modes(s->ttyfd, &n_bytes);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifndef __APPLE_PRIVPTY__
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (!use_privsep)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- pty_setowner(s->pw, s->tty);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Set window size from the packet. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2134,9 +2136,11 @@ session_pty_cleanup2(Session *s)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (s->pid != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- record_logout(s->pid, s->tty, s->pw->pw_name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifndef __APPLE_PRIVPTY__
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Release the pseudo-tty. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (getuid() == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- pty_release(s->tty);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * Close the server side of the socket pairs. We must do this after
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh-add.0 2017-10-03 18:05:55.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh-add.0 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (debug_flag) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* dump the environment */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fprintf(stderr, "Environment:\n");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh-add.0 2019-10-09 02:39:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh-add.0 2019-10-16 10:32:49.000000000 +0200
</span> @@ -4,7 +4,7 @@ NAME
ssh-add M-bM-^@M-^S adds private key identities to the authentication agent
SYNOPSIS
<span style='display:block; white-space:pre;background:#ffe0e0;'>-- ssh-add [-cDdkLlqXx] [-E fingerprint_hash] [-t life] [file ...]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh-add [-cDdkLlMmqXx] [-E fingerprint_hash] [-t life] [file ...]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- ssh-add [-cDdkLlqvXx] [-E fingerprint_hash] [-t life] [file ...]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh-add [-AcDdKkLlqvXx] [-E fingerprint_hash] [-t life] [file ...]
</span> ssh-add -s pkcs11
ssh-add -e pkcs11
<span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh-add -T pubkey ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -28,6 +28,9 @@ DESCRIPTION
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -62,6 +62,13 @@ DESCRIPTION
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- -q Be quiet after a successful operation.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ The options are as follows:
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ -m Add identities to the agent using any passphrases stored in your
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Mac OS X keychain.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ -A Add identities to the agent using any passphrases stored in your
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ macOS keychain.
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ -M When adding identities, each passphrase will also be stored in
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ your Mac OS X keychain. When removing identities with -d, each
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ passphrase will be removed from your Mac OS X keychain.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -c Indicates that added identities should be subject to confirmation
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ before being used for authentication. Confirmation is performed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ by ssh-askpass(1). Successful confirmation is signaled by a zero
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -52,6 +55,10 @@ DESCRIPTION
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -e pkcs11
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Remove keys provided by the PKCS#11 shared library pkcs11.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ -K When adding identities, each passphrase will also be stored in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ your macOS keychain. When removing identities with -d, each
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ passphrase will be removed from your macOS keychain.
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>- -s pkcs11
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Add keys provided by the PKCS#11 shared library pkcs11.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -k When loading keys into or deleting keys from the agent, process
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ plain private keys only and skip certificates.
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh-add.1 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh-add.1 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh-add.1 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh-add.1 2019-10-16 10:32:49.000000000 +0200
</span> @@ -43,7 +43,7 @@
.Nd adds private key identities to the authentication agent
.Sh SYNOPSIS
.Nm ssh-add
<span style='display:block; white-space:pre;background:#ffe0e0;'>--.Op Fl cDdkLlqXx
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Op Fl cDdkLlMmqXx
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-.Op Fl cDdkLlqvXx
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Op Fl AcDdKKkLlqvXx
</span> .Op Fl E Ar fingerprint_hash
.Op Fl t Ar life
.Op Ar
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -126,6 +126,13 @@ Lists public key parameters of all ident
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- by the agent.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .It Fl l
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Lists fingerprints of all identities currently represented by the agent.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.It Fl m
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Add identities to the agent using any passphrases stored in your Mac OS
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+X keychain.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.It Fl M
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+When adding identities, each passphrase will also be stored in your Mac OS
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Xkeychain. When removing identities with -d, each passphrase will be removed
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+from your Mac OS X keychain.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .It Fl q
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Be quiet after a successful operation.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .It Fl s Ar pkcs11
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh-add.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh-add.c 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -64,6 +64,7 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "misc.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -87,6 +87,9 @@ to work.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .Pp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ The options are as follows:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .Bl -tag -width Ds
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.It Fl A
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Add identities to the agent using any passphrases stored in your macOS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++keychain.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .It Fl c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Indicates that added identities should be subject to confirmation before
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ being used for authentication.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -121,6 +124,10 @@ The default is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .It Fl e Ar pkcs11
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Remove keys provided by the PKCS#11 shared library
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .Ar pkcs11 .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.It Fl K
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++When adding identities, each passphrase will also be stored in your macOS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++keychain. When removing identities with -d, each passphrase will be removed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++from your macOS keychain.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .It Fl k
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ When loading keys into or deleting keys from the agent, process plain private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ keys only and skip certificates.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh-add.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh-add.c 2019-10-16 10:32:49.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -67,6 +67,11 @@
</span> #include "ssherr.h"
#include "digest.h"
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "keychain.h"
</span>
<span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE_KEYCHAIN__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "keychain.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static int use_keychain = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> /* argv0 */
extern char *__progname;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -102,12 +103,27 @@ clear_pass(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>- static int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--delete_file(int agent_fd, const char *filename, int key_only, int qflag)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+add_from_keychain(int agent_fd, int qflag)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (ssh_add_from_keychain(agent_fd) == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!qflag) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "Added keychain identities.\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+delete_file(int agent_fd, int keychain, const char *filename, int key_only, int qflag)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- struct sshkey *public, *cert = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -115,6 +120,11 @@ delete_file(int agent_fd, const char *fi
</span> char *certpath = NULL, *comment = NULL;
int r, ret = -1;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (keychain)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ remove_from_keychain(filename, qflag);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE_KEYCHAIN__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (use_keychain)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ remove_from_keychain(filename);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span> +
if ((r = sshkey_load_public(filename, &public, &comment)) != 0) {
printf("Bad key file %s: %s\n", filename, ssh_err(r));
return -1;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -184,7 +200,7 @@ delete_all(int agent_fd)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--add_file(int agent_fd, const char *filename, int key_only, int qflag)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+add_file(int agent_fd, int keychain, const char *filename, int key_only, int qflag)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- struct sshkey *private, *cert;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char *comment = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -228,6 +244,10 @@ add_file(int agent_fd, const char *filen
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- filename, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- goto fail_load;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (keychain && private != NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ store_in_keychain(filename, "");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* try last */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (private == NULL && pass != NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if ((r = sshkey_parse_private_fileblob(keyblob, pass, &private,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -236,6 +256,8 @@ add_file(int agent_fd, const char *filen
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -246,7 +256,22 @@ add_file(int agent_fd, const char *filen
</span> filename, ssh_err(r));
goto fail_load;
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (keychain && private != NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE_KEYCHAIN__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (use_keychain && private != NULL)
</span> + store_in_keychain(filename, pass);
<span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE_KEYCHAIN__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ // try the keychain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (private == NULL && use_keychain) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ clear_pass();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pass = keychain_read_passphrase(filename);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (pass != NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshkey_parse_private_fileblob(keyblob, pass, &private, &comment);
</span> }
<span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> if (private == NULL) {
/* clear passphrase since it did not work */
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -247,8 +269,13 @@ add_file(int agent_fd, const char *filen
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (strcmp(pass, "") == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ clear_pass();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -258,7 +283,15 @@ add_file(int agent_fd, const char *filen
</span> goto fail_load;
if ((r = sshkey_parse_private_fileblob(keyblob, pass,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-- &private, &comment)) == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &private, &comment)) == 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (private != NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (keychain)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ store_in_keychain(filename, pass);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ &private, &comment)) == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE_KEYCHAIN__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (use_keychain && private != NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ store_in_keychain(filename, pass);
</span> break;
+ }
<span style='display:block; white-space:pre;background:#e0ffe0;'>++#else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span> else if (r != SSH_ERR_KEY_WRONG_PASSPHRASE) {
fprintf(stderr,
"Error loading key \"%s\": %s\n",
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -432,13 +459,13 @@ lock_agent(int agent_fd, int lock)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--do_file(int agent_fd, int deleting, int key_only, char *file, int qflag)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+do_file(int agent_fd, int deleting, int keychain, int key_only, char *file, int qflag)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (deleting) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (delete_file(agent_fd, file, key_only, qflag) == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (delete_file(agent_fd, keychain, file, key_only, qflag) == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (add_file(agent_fd, file, key_only, qflag) == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (add_file(agent_fd, keychain, file, key_only, qflag) == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -462,6 +489,11 @@ usage(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fprintf(stderr, " -s pkcs11 Add keys from PKCS#11 provider.\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fprintf(stderr, " -e pkcs11 Remove keys provided by PKCS#11 provider.\n");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -563,6 +596,11 @@ usage(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fprintf(stderr, " -T pubkey Test if ssh-agent can access matching private key.\n");
</span> fprintf(stderr, " -q Be quiet after a successful operation.\n");
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef KEYCHAIN
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, " -m Add all identities stored in your Mac OS X keychain.\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, " -M Store passphrases in your Mac OS X keychain.\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, " With -d, remove passphrases from your Mac OS X keychain.\n");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fprintf(stderr, " -v Be more verbose.\n");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE_KEYCHAIN__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fprintf(stderr, " -A Add all identities stored in your macOS keychain.\n");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fprintf(stderr, " -K Store passphrases in your macOS keychain.\n");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fprintf(stderr, " With -d, remove passphrases from your macOS keychain.\n");
</span> +#endif
}
int
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -473,6 +505,7 @@ main(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char *pkcs11provider = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int r, i, ch, deleting = 0, ret = 0, key_only = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int xflag = 0, lflag = 0, Dflag = 0, qflag = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int keychain = 0, load_from_keychain = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_malloc_init(); /* must be called before any mallocs */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -500,7 +533,7 @@ main(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- exit(2);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- while ((ch = getopt(argc, argv, "klLcdDxXE:e:qs:t:")) != -1) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ while ((ch = getopt(argc, argv, "klLcdDxXmME:e:qs:t:")) != -1) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- switch (ch) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case 'E':
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fingerprint_hash = ssh_digest_alg_by_name(optarg);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -548,6 +581,12 @@ main(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case 'q':
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- qflag = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case 'm':
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ load_from_keychain = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case 'M':
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ keychain = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- default:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- usage();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ret = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -555,6 +594,12 @@ main(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (load_from_keychain) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (add_from_keychain(agent_fd, qflag) == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ret = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto done;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if ((xflag != 0) + (lflag != 0) + (Dflag != 0) > 1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fatal("Invalid combination of actions");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- else if (xflag) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -596,7 +641,7 @@ main(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- default_files[i]);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (stat(buf, &st) < 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- continue;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (do_file(agent_fd, deleting, key_only, buf,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (do_file(agent_fd, deleting, keychain, key_only, buf,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- qflag) == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ret = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -606,7 +651,7 @@ main(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ret = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- for (i = 0; i < argc; i++) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (do_file(agent_fd, deleting, key_only,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (do_file(agent_fd, deleting, keychain, key_only,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- argv[i], qflag) == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ret = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh-agent.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh-agent.c 2017-10-08 09:22:41.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -73,18 +73,24 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef HAVE_UTIL_H
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # include <util.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh-agent.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh-agent.c 2019-10-16 10:34:45.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -70,6 +70,10 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include <time.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include <string.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include <unistd.h>
</span> +#ifdef __APPLE_LAUNCHD__
+#include <launch.h>
<span style='display:block; white-space:pre;background:#e0ffe0;'>++#include <AvailabilityMacros.h>
</span> +#endif
<span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "xmalloc.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "ssh.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "sshbuf.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "sshkey.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "authfd.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "authfile.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "compat.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "log.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "misc.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "digest.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "ssherr.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "match.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "keychain.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "key.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef ENABLE_PKCS11
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "ssh-pkcs11.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -638,6 +644,56 @@ send:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif /* ENABLE_PKCS11 */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+add_identity_callback(const char *filename, const char *passphrase)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Key *k;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((k = key_load_private(filename, passphrase, NULL)) == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ switch (k->type) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEY_RSA:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (RSA_blinding_on(k->rsa, NULL) != 1) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ key_free(k);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (lookup_identity(k) == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Identity *id = xmalloc(sizeof(Identity));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ id->key = k;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ id->comment = xstrdup(filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (id->comment == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ key_free(k);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ id->death = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ id->confirm = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ TAILQ_INSERT_TAIL(&idtab->idlist, id, next);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ idtab->nentries++;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ key_free(k);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+process_add_from_keychain(SocketEntry *e)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int result;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ result = add_identities_using_keychain(&add_identity_callback);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* e will be NULL when ssh-agent adds keys on its own at startup */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (e) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_put_int(e->output, 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_put_char(e->output,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ result ? SSH_AGENT_FAILURE : SSH_AGENT_SUCCESS);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* dispatch incoming messages */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -730,6 +786,9 @@ process_message(u_int socknum)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- process_remove_smartcard_key(e);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif /* ENABLE_PKCS11 */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case SSH_AGENTC_ADD_FROM_KEYCHAIN:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ process_add_from_keychain(e);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- default:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Unknown message. Respond with failure. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- error("Unknown message %d", type);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1016,7 +1075,11 @@ usage(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef HAVE_UTIL_H
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # include <util.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1088,6 +1092,9 @@ int
</span> main(int ac, char **av)
{
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef __APPLE_LAUNCHD__
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int c_flag = 0, d_flag = 0, D_flag = 0, k_flag = 0, s_flag = 0, l_flag = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#else
</span> int c_flag = 0, d_flag = 0, D_flag = 0, k_flag = 0, s_flag = 0;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ #ifdef __APPLE_LAUNCHD__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int l_flag = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ #endif
</span> int sock, fd, ch, result, saved_errno;
char *shell, *format, *pidstr, *agentsocket = NULL;
#ifdef HAVE_SETRLIMIT
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1049,7 +1112,11 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1119,7 +1126,11 @@ main(int ac, char **av)
</span> __progname = ssh_get_progname(av[0]);
seed_rng();
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1819,7 +759,7 @@
</span> switch (ch) {
case 'E':
fingerprint_hash = ssh_digest_alg_by_name(optarg);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1069,6 +1136,11 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1139,6 +1150,11 @@ main(int ac, char **av)
</span> fatal("-P option already specified");
pkcs11_whitelist = xstrdup(optarg);
break;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1831,24 +771,33 @@
</span> case 's':
if (c_flag)
usage();
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1100,7 +1172,11 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ac -= optind;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- av += optind;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef __APPPLE_LAUNCHD__
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || D_flag || l_flag))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || D_flag))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- usage();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (pkcs11_whitelist == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1159,6 +1235,53 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1241,6 +1257,75 @@ main(int ac, char **av)
</span> * Create socket early so it will exist before command gets run from
* the parent.
*/
+#ifdef __APPLE_LAUNCHD__
+ if (l_flag) {
<span style='display:block; white-space:pre;background:#e0ffe0;'>++#if ((defined (MAC_OS_X_VERSION_10_11)) && (MAC_OS_X_VERSION_MIN_REQUIRED >= MAC_OS_X_VERSION_10_11))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int *fds = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ size_t count = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ result = launch_activate_socket("Listeners", &fds, &count);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (result != 0 || fds == NULL || count < 1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ errno = result;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ perror("launch_activate_socket()");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ exit(1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ size_t i;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for (i = 0; i < count; i++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ new_socket(AUTH_SOCKET, fds[i]);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (fds)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(fds);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto skip2;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#else /* ((defined (MAC_OS_X_VERSION_10_11)) && (MAC_OS_X_VERSION_MIN_REQUIRED >= MAC_OS_X_VERSION_10_11)) */
</span> + launch_data_t resp, msg, tmp;
+ size_t listeners_i;
+
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1892,203 +841,177 @@
</span> + }
+
+ launch_data_free(resp);
<span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* ((defined (MAC_OS_X_VERSION_10_11)) && (MAC_OS_X_VERSION_MIN_REQUIRED >= MAC_OS_X_VERSION_10_11)) */
</span> + } else {
+#endif
prev_mask = umask(0177);
sock = unix_listener(socket_name, SSH_LISTEN_BACKLOG, 0);
if (sock < 0) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1167,6 +1290,14 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1248,7 +1333,18 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ *socket_name = '\0'; /* Don't unlink any existing file */
</span> cleanup_exit(1);
}
<span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> umask(prev_mask);
+#ifdef __APPLE_LAUNCHD__
+ }
+#endif
+
+#ifdef __APPLE_LAUNCHD__
<span style='display:block; white-space:pre;background:#e0ffe0;'>++#if ((!(defined (MAC_OS_X_VERSION_10_11))) || (MAC_OS_X_VERSION_MIN_REQUIRED < MAC_OS_X_VERSION_10_11))
</span> + if (l_flag)
+ goto skip2;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* ((!(defined (MAC_OS_X_VERSION_10_11))) || (MAC_OS_X_VERSION_MIN_REQUIRED < MAC_OS_X_VERSION_10_11)) */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* defined (__APPLE_LAUNCHD__) */
</span>
/*
* Fork, and have the parent execute the command, if any, or present
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1244,6 +1375,7 @@ skip:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1326,6 +1422,9 @@ skip:
</span> pkcs11_init(0);
#endif
new_socket(AUTH_SOCKET, sock);
<span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE_LAUNCHD__
</span> +skip2:
<span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span> if (ac > 0)
parent_alive_interval = 10;
idtab_init();
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1256,6 +1388,10 @@ skip:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fatal("%s: pledge: %s", __progname, strerror(errno));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- platform_pledge_agent();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef KEYCHAIN
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ process_add_from_keychain(NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- while (1) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- prepare_poll(&pfd, &npfd, &timeout);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- result = poll(pfd, npfd, timeout);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh-keysign.8 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh-keysign.8 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -72,6 +72,9 @@ accessible to others.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Since they are readable only by root,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .Nm
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- must be set-uid root if host-based authentication is used.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Note that
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Nm
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+is not set-uid by default on Mac OS X.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .Pp
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshconnect2.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshconnect2.c 2017-10-08 09:09:59.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -72,6 +72,7 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "hostfile.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshconnect2.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshconnect2.c 2019-10-16 10:32:49.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -73,6 +73,11 @@
</span> #include "ssherr.h"
#include "utf8.h"
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "keychain.h"
</span>
<span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE_KEYCHAIN__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "keychain.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int found_in_keychain = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> #ifdef GSSAPI
#include "ssh-gss.h"
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1251,6 +1252,10 @@ load_identity_file(Identity *id)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1415,6 +1420,12 @@ load_identity_file(Identity *id)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ snprintf(prompt, sizeof prompt,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "Enter passphrase for key '%.100s': ", id->filename);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for (i = 0; i <= options.number_of_password_prompts; i++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE_KEYCHAIN__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (i == 0 && options.use_keychain && (passphrase = keychain_read_passphrase(id->filename)) != NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ found_in_keychain = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug2("using passphrase from keychain");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span> if (i == 0)
passphrase = "";
else {
<span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1450,6 +1461,14 @@ load_identity_file(Identity *id)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ quit = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> +#ifdef __APPLE_KEYCHAIN__
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ passphrase = keychain_read_passphrase(id->filename, options.ask_pass_gui);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (passphrase == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- passphrase = read_passphrase(prompt, 0);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (*passphrase == '\0') {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- debug2("no passphrase given, try next key");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd.0 2017-10-03 18:05:55.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd.0 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -618,8 +618,7 @@ FILES
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- SEE ALSO
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- ssh-keyscan(1), chroot(2), login.conf(5), moduli(5), sshd_config(5),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- inetd(8), sftp-server(8)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh-keyscan(1), chroot(2), sshd_config(5), sftp-server(8)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- AUTHORS
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- OpenSSH is a derivative of the original and free ssh 1.2.12 release by
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd.8 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd.8 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -943,10 +943,7 @@ The content of this file is not sensitiv
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .Xr ssh-keygen 1 ,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .Xr ssh-keyscan 1 ,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .Xr chroot 2 ,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--.Xr login.conf 5 ,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--.Xr moduli 5 ,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .Xr sshd_config 5 ,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--.Xr inetd 8 ,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .Xr sftp-server 8
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .Sh AUTHORS
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- OpenSSH is a derivative of the original and free
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd.c 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd.c 2017-10-08 09:09:59.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2063,6 +2063,12 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- audit_event(SSH_AUTH_SUCCESS);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef USE_PAM
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.use_pam) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ do_pam_setcred(1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ do_pam_session();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!quit && private != NULL && !(id->key && id->isprivate) && options.use_keychain && !found_in_keychain) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug2("storing passphrase in keychain");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ store_in_keychain(id->filename, passphrase);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span> +#endif
<span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options.gss_authentication) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- temporarily_use_uid(authctxt->pw);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2070,12 +2076,6 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- restore_uid();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--#ifdef USE_PAM
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (options.use_pam) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- do_pam_setcred(1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- do_pam_session();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * In privilege separation, we fork another child and prepare
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd_config 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd_config 2017-10-08 09:09:59.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -24,7 +24,7 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #RekeyLimit default none
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # Logging
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--#SyslogFacility AUTH
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+SyslogFacility AUTHPRIV
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #LogLevel INFO
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # Authentication:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -54,8 +54,9 @@ AuthorizedKeysFile .ssh/authorized_keys
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # Don't read the user's ~/.rhosts and ~/.shosts files
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #IgnoreRhosts yes
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--# To disable tunneled clear text passwords, change to no here!
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--#PasswordAuthentication yes
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# To disable tunneled clear text passwords, change to no here! Also,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# remember to set the UsePAM setting to 'no'.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#PasswordAuthentication no
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #PermitEmptyPasswords no
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # Change to no to disable s/key passwords
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -80,7 +81,10 @@ AuthorizedKeysFile .ssh/authorized_keys
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # If you just want the PAM account and session checks to run without
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # PAM authentication, then enable this but set PasswordAuthentication
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # and ChallengeResponseAuthentication to 'no'.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--#UsePAM no
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# Also, PAM will deny null passwords by default. If you need to allow
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# null passwords, add the " nullok" option to the end of the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# securityserver.so line in /etc/pam.d/sshd.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#UsePAM yes
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #AllowAgentForwarding yes
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #AllowTcpForwarding yes
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd_config.0 2017-10-03 18:05:56.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd_config.0 2017-10-08 09:09:58.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -674,7 +674,7 @@ DESCRIPTION
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- PasswordAuthentication
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Specifies whether password authentication is allowed. The
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- default is yes.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ default is no.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- PermitEmptyPasswords
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- When password authentication is allowed, it specifies whether the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -904,7 +904,7 @@ DESCRIPTION
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- either PasswordAuthentication or ChallengeResponseAuthentication.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- If UsePAM is enabled, you will not be able to run sshd(8) as a
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- non-root user. The default is no.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ non-root user. The default is yes.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- VersionAddendum
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Optionally specifies additional text to append to the SSH
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd_config.5 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd_config.5 2017-10-08 09:09:59.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1143,7 +1143,7 @@ are refused if the number of unauthentic
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .It Cm PasswordAuthentication
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Specifies whether password authentication is allowed.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- The default is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--.Cm yes .
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Cm no .
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .It Cm PermitEmptyPasswords
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- When password authentication is allowed, it specifies whether the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- server allows login to accounts with empty password strings.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1500,7 +1500,7 @@ is enabled, you will not be able to run
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .Xr sshd 8
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- as a non-root user.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- The default is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--.Cm no .
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Cm yes .
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .It Cm VersionAddendum
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Optionally specifies additional text to append to the SSH protocol banner
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sent by the server upon connection.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!quit && private != NULL && id->agent_fd == -1 &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ !(id->key && id->isprivate))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ maybe_add_key_to_agent(id->filename, private, comment,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh-agent.0 2019-10-09 02:39:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh-agent.0 2019-10-16 10:32:49.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -7,6 +7,7 @@ SYNOPSIS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ [-P pkcs11_whitelist] [-t life] [command [arg ...]]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh-agent [-c | -s] -k
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh-agent -l
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ DESCRIPTION
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh-agent is a program to hold private keys used for public key
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -64,6 +65,9 @@ DESCRIPTION
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for an identity with ssh-add(1) overrides this value. Without
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ this option the default maximum lifetime is forever.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ -l Start in launchd mode. This feature should only be used by macOS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ itself. It is not very useful to users.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ If a command line is given, this is executed as a subprocess of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ agent. When the command dies, so does the agent.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh-agent.1 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh-agent.1 2019-10-16 10:32:49.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -52,6 +52,8 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .Nm ssh-agent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .Op Fl c | s
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .Fl k
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Nm ssh-agent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Fl l
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .Sh DESCRIPTION
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .Nm
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ is a program to hold private keys used for public key authentication
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -148,6 +150,10 @@ A lifetime specified for an identity wit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .Xr ssh-add 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ overrides this value.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Without this option the default maximum lifetime is forever.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.It Fl l
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Start in launchd mode.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++This feature should only be used by macOS itself.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++It is not very useful to users.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .El
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .Pp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ If a command line is given, this is executed as a subprocess of the agent.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/SecItemPriv-shim.h 2019-10-16 10:32:49.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -0,0 +1,52 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Copyright (c) 2006-2013 Apple Inc. All Rights Reserved.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * @APPLE_LICENSE_HEADER_START@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * This file contains Original Code and/or Modifications of Original Code
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * as defined in and that are subject to the Apple Public Source License
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Version 2.0 (the 'License'). You may not use this file except in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * compliance with the License. Please obtain a copy of the License at
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * http://www.opensource.apple.com/apsl/ and read it before using this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * file.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * The Original Code and all software distributed under the License are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Please see the License for the specific language governing rights and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * limitations under the License.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * @APPLE_LICENSE_HEADER_END@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ @header SecItemPriv
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ SecItemPriv defines private constants and SPI functions for access to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Security items (certificates, identities, keys, and keychain items.)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ====== MACPORTS NOTICE ======
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Apple uses this private header file for building its OpenSSH keychain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ integration. They are able to do this because they have either converted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ all (or most?) upstream projects into Xcode projects and can then use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ private headers, but our users can't.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Private header files are never installed onto user systems and there
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ aren't any SDKs that users could install to get them.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Luckily, the Security Framework *is* (currently) free software, so we do
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ have access to it via https://opensource.apple.com
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ We can, hence, take a look at it and copy relevant parts/declarations.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ We cannot, however, make sure that the declarations in here are actually
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ defined in the Security Framework binaries/libraries themselves, so
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ building this part, especially on older systems, might still fail.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Luckily, we currently don't need anything out of that private header file,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ so Apple using it to build their keychain integration looks more like an
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ error than actual intent.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ====== MACPORTS NOTICE ======
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++*/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/gssapi.patch b/net/openssh/files/gssapi.patch
</span>deleted file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index f62bf66..0000000
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/files/gssapi.patch
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1,3353 +0,0 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-From 72b1d308e6400194ef6e4e7dd45bfa48fa39b5e6 Mon Sep 17 00:00:00 2001
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-From: Simon Wilkinson <simon@sxw.org.uk>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-Date: Sun, 9 Feb 2014 16:09:48 +0000
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-Subject: GSSAPI key exchange support
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-This patch has been rejected upstream: "None of the OpenSSH developers are
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-in favour of adding this, and this situation has not changed for several
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-years. This is not a slight on Simon's patch, which is of fine quality, but
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-just that a) we don't trust GSSAPI implementations that much and b) we don't
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-like adding new KEX since they are pre-auth attack surface. This one is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-particularly scary, since it requires hooks out to typically root-owned
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-system resources."
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-However, quite a lot of people rely on this in Debian, and it's better to
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-have it merged into the main openssh package rather than having separate
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--krb5 packages (as we used to have). It seems to have a generally good
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-security history.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-Last-Updated: 2018-10-20
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-Patch-Name: gssapi.patch
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>----
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ChangeLog.gssapi | 113 ++++++++++++++++
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Makefile.in | 3 +-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- auth-krb5.c | 17 ++-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- auth.c | 96 +------------
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- auth2-gss.c | 54 +++++++-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- auth2.c | 2 +
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- canohost.c | 93 +++++++++++++
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- canohost.h | 3 +
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- clientloop.c | 15 ++-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- config.h.in | 6 +
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- configure.ac | 24 ++++
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- gss-genr.c | 280 +++++++++++++++++++++++++++++++++++++-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- gss-serv-krb5.c | 85 +++++++++++-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- gss-serv.c | 184 +++++++++++++++++++++++--
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex.c | 19 +++
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex.h | 14 ++
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kexgssc.c | 341 +++++++++++++++++++++++++++++++++++++++++++++++
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kexgsss.c | 300 +++++++++++++++++++++++++++++++++++++++++
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- monitor.c | 122 +++++++++++++++--
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- monitor.h | 3 +
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- monitor_wrap.c | 53 +++++++-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- monitor_wrap.h | 4 +-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- opacket.c | 2 +-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- opacket.h | 2 +-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- readconf.c | 43 ++++++
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- readconf.h | 5 +
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- servconf.c | 26 ++++
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- servconf.h | 2 +
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh-gss.h | 41 +++++-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_config | 2 +
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_config.5 | 32 +++++
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sshconnect2.c | 133 +++++++++++++++++-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sshd.c | 110 +++++++++++++++
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sshd_config | 2 +
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sshd_config.5 | 10 ++
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sshkey.c | 3 +-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sshkey.h | 1 +
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- 37 files changed, 2099 insertions(+), 146 deletions(-)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- create mode 100644 ChangeLog.gssapi
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- create mode 100644 kexgssc.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- create mode 100644 kexgsss.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/ChangeLog.gssapi b/ChangeLog.gssapi
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-new file mode 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index 000000000..f117a336a
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- /dev/null
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ChangeLog.gssapi
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -0,0 +1,113 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+20110101
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - Finally update for OpenSSH 5.6p1
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - Add GSSAPIServerIdentity option from Jim Basney
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+20100308
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ Makefile.in, key.c, key.h ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Updates for OpenSSH 5.4p1
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ servconf.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Include GSSAPI options in the sshd -T configuration dump, and flag
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ some older configuration options as being unsupported. Thanks to Colin
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Watson.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ -
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+20100124
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ sshconnect2.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Adapt to deal with additional element in Authmethod structure. Thanks to
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Colin Watson
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+20090615
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sshd.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Fix issues identified by Greg Hudson following a code review
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Check return value of gss_indicate_mechs
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Protect GSSAPI calls in monitor, so they can only be used if enabled
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Check return values of bignum functions in key exchange
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Use BN_clear_free to clear other side's DH value
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Make ssh_gssapi_id_kex more robust
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Only configure kex table pointers if GSSAPI is enabled
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Don't leak mechanism list, or gss mechanism list
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Cast data.length before printing
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ If serverkey isn't provided, use an empty string, rather than NULL
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+20090201
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ gss-genr.c gss-serv.c kex.h kexgssc.c readconf.c readconf.h ssh-gss.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_config.5 sshconnet2.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Add support for the GSSAPIClientIdentity option, which allows the user
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ to specify which GSSAPI identity to use to contact a given server
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+20080404
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ gss-serv.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Add code to actually implement GSSAPIStrictAcceptCheck, which had somehow
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ been omitted from a previous version of this patch. Reported by Borislav
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Stoichkov
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+20070317
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ gss-serv-krb5.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Remove C99ism, where new_ccname was being declared in the middle of a
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ function
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+20061220
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ servconf.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Make default for GSSAPIStrictAcceptorCheck be Yes, to match previous, and
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ documented, behaviour. Reported by Dan Watson.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+20060910
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ gss-genr.c kexgssc.c kexgsss.c kex.h monitor.c sshconnect2.c sshd.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh-gss.h ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ add support for gss-group14-sha1 key exchange mechanisms
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ gss-serv.c servconf.c servconf.h sshd_config sshd_config.5 ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Add GSSAPIStrictAcceptorCheck option to allow the disabling of
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ acceptor principal checking on multi-homed machines.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ <Bugzilla #928>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ sshd_config ssh_config ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Add settings for GSSAPIKeyExchange and GSSAPITrustDNS to the sample
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ configuration files
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ kexgss.c kegsss.c sshconnect2.c sshd.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Code cleanup. Replace strlen/xmalloc/snprintf sequences with xasprintf()
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Limit length of error messages displayed by client
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+20060909
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ gss-genr.c gss-serv.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ move ssh_gssapi_acquire_cred() and ssh_gssapi_server_ctx to be server
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ only, where they belong
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ <Bugzilla #1225>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+20060829
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ gss-serv-krb5.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Fix CCAPI credentials cache name when creating KRB5CCNAME environment
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ variable
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+20060828
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ gss-genr.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Avoid Heimdal context freeing problem
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ <Fixed upstream 20060829>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+20060818
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ gss-genr.c ssh-gss.h sshconnect2.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Make sure that SPENGO is disabled
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ <Bugzilla #1218 - Fixed upstream 20060818>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+20060421
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ gssgenr.c, sshconnect2.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ a few type changes (signed versus unsigned, int versus size_t) to
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fix compiler errors/warnings
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (from jbasney AT ncsa.uiuc.edu)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ kexgssc.c, sshconnect2.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fix uninitialized variable warnings
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (from jbasney AT ncsa.uiuc.edu)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ gssgenr.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pass oid to gss_display_status (helpful when using GSSAPI mechglue)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (from jbasney AT ncsa.uiuc.edu)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ <Bugzilla #1220 >
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ gss-serv-krb5.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ #ifdef HAVE_GSSAPI_KRB5 should be #ifdef HAVE_GSSAPI_KRB5_H
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (from jbasney AT ncsa.uiuc.edu)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ <Fixed upstream 20060304>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ readconf.c, readconf.h, ssh_config.5, sshconnect2.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ add client-side GssapiKeyExchange option
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (from jbasney AT ncsa.uiuc.edu)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ sshconnect2.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ add support for GssapiTrustDns option for gssapi-with-mic
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (from jbasney AT ncsa.uiuc.edu)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ <gssapi-with-mic support is Bugzilla #1008>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/Makefile.in b/Makefile.in
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index 126b2c742..70050ffb6 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/Makefile.in
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/Makefile.in
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -100,6 +100,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kexgssc.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- platform-pledge.o platform-tracing.o platform-misc.o
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -113,7 +114,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- auth2-none.o auth2-passwd.o auth2-pubkey.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- monitor.o monitor_wrap.o auth-krb5.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- auth2-gss.o gss-serv.o gss-serv-krb5.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sftp-server.o sftp-common.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/auth-krb5.c b/auth-krb5.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index 3096f1c8e..204752e1b 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/auth-krb5.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth-krb5.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- len = strlen(authctxt->krb5_ticket_file) + 6;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- authctxt->krb5_ccname = xmalloc(len);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef USE_CCAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ snprintf(authctxt->krb5_ccname, len, "API:%s",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ authctxt->krb5_ticket_file);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- snprintf(authctxt->krb5_ccname, len, "FILE:%s",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- authctxt->krb5_ticket_file);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef USE_PAM
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options.use_pam)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -240,15 +245,22 @@ krb5_cleanup_proc(Authctxt *authctxt)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifndef HEIMDAL
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- krb5_error_code
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- int tmpfd, ret, oerrno;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int ret, oerrno;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char ccname[40];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- mode_t old_umask;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef USE_CCAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char cctemplate[] = "API:krb5cc_%d";
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char cctemplate[] = "FILE:/tmp/krb5cc_%d_XXXXXXXXXX";
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int tmpfd;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ret = snprintf(ccname, sizeof(ccname),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ cctemplate, geteuid());
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (ret < 0 || (size_t)ret >= sizeof(ccname))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return ENOMEM;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifndef USE_CCAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- old_umask = umask(0177);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- tmpfd = mkstemp(ccname + strlen("FILE:"));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- oerrno = errno;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -265,6 +277,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return oerrno;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- close(tmpfd);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return (krb5_cc_resolve(ctx, ccname, ccache));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/auth.c b/auth.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index 3ca3762cc..d8e6b4a3d 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/auth.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -399,7 +399,8 @@ auth_root_allowed(struct ssh *ssh, const char *method)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case PERMIT_NO_PASSWD:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (strcmp(method, "publickey") == 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- strcmp(method, "hostbased") == 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- strcmp(method, "gssapi-with-mic") == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ strcmp(method, "gssapi-with-mic") == 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ strcmp(method, "gssapi-keyex") == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case PERMIT_FORCED_ONLY:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -737,99 +738,6 @@ fakepw(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return (&fake);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * Returns the remote DNS hostname as a string. The returned string must not
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * be freed. NB. this will usually trigger a DNS query the first time it is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * called.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * This function does additional checks on the hostname to mitigate some
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * attacks on legacy rhosts-style authentication.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * XXX is RhostsRSAAuthentication vulnerable to these?
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--static char *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--remote_hostname(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- struct sockaddr_storage from;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- socklen_t fromlen;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- struct addrinfo hints, *ai, *aitop;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- const char *ntop = ssh_remote_ipaddr(ssh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- /* Get IP address of client. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- fromlen = sizeof(from);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- memset(&from, 0, sizeof(from));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (getpeername(ssh_packet_get_connection_in(ssh),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- (struct sockaddr *)&from, &fromlen) < 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- debug("getpeername failed: %.100s", strerror(errno));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- return strdup(ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- ipv64_normalise_mapped(&from, &fromlen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (from.ss_family == AF_INET6)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- fromlen = sizeof(struct sockaddr_in6);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- debug3("Trying to reverse map address %.100s.", ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- /* Map the IP address to a host name. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- NULL, 0, NI_NAMEREQD) != 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- /* Host name not found. Use ip address. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- return strdup(ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * if reverse lookup result looks like a numeric hostname,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * someone is trying to trick us by PTR record like following:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- memset(&hints, 0, sizeof(hints));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- hints.ai_flags = AI_NUMERICHOST;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- name, ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- freeaddrinfo(ai);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- return strdup(ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- /* Names are stored in lowercase. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- lowercase(name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * Map it back to an IP address and check that the given
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * address actually is an address of this host. This is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * necessary because anyone with access to a name server can
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * define arbitrary names for an IP address. Mapping from
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * name to IP address can be trusted better (but can still be
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * fooled if the intruder has access to the name server of
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * the domain).
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- memset(&hints, 0, sizeof(hints));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- hints.ai_family = from.ss_family;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- hints.ai_socktype = SOCK_STREAM;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- logit("reverse mapping checking getaddrinfo for %.700s "
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- "[%s] failed.", name, ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- return strdup(ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- /* Look for the address from the list of addresses. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- for (ai = aitop; ai; ai = ai->ai_next) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- (strcmp(ntop, ntop2) == 0))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- freeaddrinfo(aitop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- /* If we reached the end of the list, the address was not there. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (ai == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- /* Address not found for the host name. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- logit("Address %.100s maps to %.600s, but this does not "
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- "map back to the address.", ntop, name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- return strdup(ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- return strdup(name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * Return the canonical name of the host in the other side of the current
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * connection. The host name is cached, so it is efficient to call this
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/auth2-gss.c b/auth2-gss.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index 9351e0428..1f12bb113 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/auth2-gss.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth2-gss.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1,7 +1,7 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* $OpenBSD: auth2-gss.c,v 1.29 2018/07/31 03:10:27 djm Exp $ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * Redistribution and use in source and binary forms, with or without
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * modification, are permitted provided that the following conditions
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -54,6 +54,46 @@ static int input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static int input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * The 'gssapi_keyex' userauth mechanism.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+userauth_gsskeyex(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Authctxt *authctxt = ssh->authctxt;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int r, authenticated = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct sshbuf *b;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_buffer_desc mic, gssbuf;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_char *p;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ size_t len;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshpkt_get_end(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((b = sshbuf_new()) == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: sshbuf_new failed", __func__);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ mic.value = p;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ mic.length = len;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ "gssapi-keyex");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: sshbuf_mutable_ptr failed", __func__);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gssbuf.length = sshbuf_len(b);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* gss_kex_context is NULL with privsep, so we can't check it here */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &gssbuf, &mic))))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ authctxt->pw));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sshbuf_free(b);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(mic.value);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return (authenticated);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * We only support those mechanisms that we know about (ie ones that we know
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * how to check local user kuserok and the like)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -260,7 +300,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if ((r = sshpkt_get_end(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fatal("%s: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ authctxt->pw));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if ((!use_privsep || mm_is_monitor()) &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- (displayname = ssh_gssapi_displayname()) != NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -306,7 +347,8 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- gssbuf.length = sshbuf_len(b);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ authenticated =
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- logit("GSSAPI MIC check failed");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -326,6 +368,12 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Authmethod method_gsskeyex = {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ "gssapi-keyex",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ userauth_gsskeyex,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &options.gss_authentication
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+};
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Authmethod method_gssapi = {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- "gssapi-with-mic",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- userauth_gssapi,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/auth2.c b/auth2.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index 4d19957a6..a77742819 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/auth2.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth2.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -74,6 +74,7 @@ extern Authmethod method_passwd;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- extern Authmethod method_kbdint;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- extern Authmethod method_hostbased;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+extern Authmethod method_gsskeyex;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- extern Authmethod method_gssapi;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -81,6 +82,7 @@ Authmethod *authmethods[] = {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- &method_none,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- &method_pubkey,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &method_gsskeyex,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- &method_gssapi,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- &method_passwd,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/canohost.c b/canohost.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index f71a08568..404731d24 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/canohost.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/canohost.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -35,6 +35,99 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "canohost.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "misc.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Returns the remote DNS hostname as a string. The returned string must not
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * be freed. NB. this will usually trigger a DNS query the first time it is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * called.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * This function does additional checks on the hostname to mitigate some
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * attacks on legacy rhosts-style authentication.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * XXX is RhostsRSAAuthentication vulnerable to these?
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+char *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+remote_hostname(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct sockaddr_storage from;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ socklen_t fromlen;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct addrinfo hints, *ai, *aitop;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ const char *ntop = ssh_remote_ipaddr(ssh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Get IP address of client. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fromlen = sizeof(from);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ memset(&from, 0, sizeof(from));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (getpeername(ssh_packet_get_connection_in(ssh),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (struct sockaddr *)&from, &fromlen) < 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("getpeername failed: %.100s", strerror(errno));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return strdup(ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ipv64_normalise_mapped(&from, &fromlen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (from.ss_family == AF_INET6)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fromlen = sizeof(struct sockaddr_in6);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug3("Trying to reverse map address %.100s.", ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Map the IP address to a host name. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ NULL, 0, NI_NAMEREQD) != 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Host name not found. Use ip address. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return strdup(ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * if reverse lookup result looks like a numeric hostname,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * someone is trying to trick us by PTR record like following:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ memset(&hints, 0, sizeof(hints));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hints.ai_flags = AI_NUMERICHOST;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ name, ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ freeaddrinfo(ai);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return strdup(ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Names are stored in lowercase. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ lowercase(name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Map it back to an IP address and check that the given
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * address actually is an address of this host. This is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * necessary because anyone with access to a name server can
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * define arbitrary names for an IP address. Mapping from
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * name to IP address can be trusted better (but can still be
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * fooled if the intruder has access to the name server of
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * the domain).
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ memset(&hints, 0, sizeof(hints));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hints.ai_family = from.ss_family;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hints.ai_socktype = SOCK_STREAM;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ logit("reverse mapping checking getaddrinfo for %.700s "
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ "[%s] failed.", name, ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return strdup(ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Look for the address from the list of addresses. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ for (ai = aitop; ai; ai = ai->ai_next) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (strcmp(ntop, ntop2) == 0))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ freeaddrinfo(aitop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* If we reached the end of the list, the address was not there. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (ai == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Address not found for the host name. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ logit("Address %.100s maps to %.600s, but this does not "
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ "map back to the address.", ntop, name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return strdup(ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return strdup(name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/canohost.h b/canohost.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index 26d62855a..0cadc9f18 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/canohost.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/canohost.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -15,6 +15,9 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifndef _CANOHOST_H
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define _CANOHOST_H
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+struct ssh;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+char *remote_hostname(struct ssh *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char *get_peer_ipaddr(int);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int get_peer_port(int);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char *get_local_ipaddr(int);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/clientloop.c b/clientloop.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index 8d312cdaa..1464634b0 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/clientloop.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/clientloop.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -112,6 +112,10 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "ssherr.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "hostfile.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "ssh-gss.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* import options */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- extern Options options;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1370,9 +1374,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Do channel operations unless rekeying in progress. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (!ssh_packet_is_rekeying(ssh))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!ssh_packet_is_rekeying(ssh)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- channel_after_select(ssh, readset, writeset);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.gss_renewal_rekey &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_gssapi_credentials_updated(NULL)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("credentials updated - forcing rekey");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ need_rekeying = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Buffer input from the connection. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- client_process_net_input(readset);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/config.h.in b/config.h.in
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index 91b65db8f..209760c7c 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/config.h.in
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/config.h.in
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1845,6 +1845,9 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Use btmp to log bad logins */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #undef USE_BTMP
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* platform uses an in-memory credentials cache */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#undef USE_CCAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Use libedit for sftp */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #undef USE_LIBEDIT
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1860,6 +1863,9 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Use PIPES instead of a socketpair() */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #undef USE_PIPES
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* platform has the Security Authorization Session API */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#undef USE_SECURITY_SESSION_API
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Define if you have Solaris privileges */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #undef USE_SOLARIS_PRIVS
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/configure.ac b/configure.ac
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index 7379ab358..023e7cc55 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/configure.ac
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/configure.ac
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -664,6 +664,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- [Use tunnel device compatibility to OpenBSD])
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- [Prepend the address family to IP tunnel traffic])
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ AC_MSG_CHECKING([if we have the Security Authorization Session API])
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ AC_TRY_COMPILE([#include <Security/AuthSession.h>],
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ [SessionCreate(0, 0);],
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ [ac_cv_use_security_session_api="yes"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ AC_DEFINE([USE_SECURITY_SESSION_API], [1],
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ [platform has the Security Authorization Session API])
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ LIBS="$LIBS -framework Security"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ AC_MSG_RESULT([yes])],
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ [ac_cv_use_security_session_api="no"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ AC_MSG_RESULT([no])])
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ AC_MSG_CHECKING([if we have an in-memory credentials cache])
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ AC_TRY_COMPILE(
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ [#include <Kerberos/Kerberos.h>],
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ [cc_context_t c;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (void) cc_initialize (&c, 0, NULL, NULL);],
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ [AC_DEFINE([USE_CCAPI], [1],
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ [platform uses an in-memory credentials cache])
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ LIBS="$LIBS -framework Security"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ AC_MSG_RESULT([yes])
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if test "x$ac_cv_use_security_session_api" = "xno"; then
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ AC_MSG_ERROR([*** Need a security framework to use the credentials cache API ***])
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fi],
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ [AC_MSG_RESULT([no])]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ )
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- m4_pattern_allow([AU_IPv])
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- AC_CHECK_DECL([AU_IPv4], [],
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/gss-genr.c b/gss-genr.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index d56257b4a..491e62cee 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/gss-genr.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/gss-genr.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1,7 +1,7 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* $OpenBSD: gss-genr.c,v 1.26 2018/07/10 09:13:30 djm Exp $ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * Redistribution and use in source and binary forms, with or without
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * modification, are permitted provided that the following conditions
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -39,14 +39,37 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "xmalloc.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "ssherr.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "sshbuf.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "sshkey.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "log.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "ssh2.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "cipher.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "kex.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "digest.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "ssh-gss.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- extern u_char *session_id2;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- extern u_int session_id2_len;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+typedef struct {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *encoded;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_OID oid;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+} ssh_gss_kex_mapping;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * XXX - It would be nice to find a more elegant way of handling the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * XXX passing of the key exchange context to the userauth routines
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Gssctxt *gss_kex_context = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static ssh_gss_kex_mapping *gss_enc2oid = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_gssapi_oid_table_ok(void) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return (gss_enc2oid != NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* sshbuf_get for gss_buffer_desc */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -62,6 +85,143 @@ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Return a list of the gss-group1-sha1 mechanisms supported by this program
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * We test mechanisms to ensure that we can use them, to avoid starting
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * a key exchange with a bad mechanism
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+char *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_gssapi_client_mechanisms(const char *host, const char *client) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_OID_set gss_supported;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ OM_uint32 min_status;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (GSS_ERROR(gss_indicate_mechs(&min_status, &gss_supported)))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ host, client));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+char *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ const char *host, const char *client) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct sshbuf *buf;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ size_t i;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int r, oidpos, enclen;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *mechs, *encoded;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_char digest[SSH_DIGEST_MAX_LENGTH];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char deroid[2];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct ssh_digest_ctx *md;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (gss_enc2oid != NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(gss_enc2oid[i].encoded);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(gss_enc2oid);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (gss_supported->count + 1));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((buf = sshbuf_new()) == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: sshbuf_new failed", __func__);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ oidpos = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ for (i = 0; i < gss_supported->count; i++) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (gss_supported->elements[i].length < 128 &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (*check)(NULL, &(gss_supported->elements[i]), host, client)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ deroid[0] = SSH_GSS_OIDTYPE;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ deroid[1] = gss_supported->elements[i].length;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((md = ssh_digest_start(SSH_DIGEST_MD5)) == NULL ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_digest_update(md, deroid, 2) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_digest_update(md,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_supported->elements[i].elements,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_supported->elements[i].length) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_digest_final(md, digest, sizeof(digest)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: digest failed", __func__);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ encoded = xmalloc(ssh_digest_bytes(SSH_DIGEST_MD5)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * 2);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ enclen = __b64_ntop(digest,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_digest_bytes(SSH_DIGEST_MD5), encoded,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_digest_bytes(SSH_DIGEST_MD5) * 2);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (oidpos != 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((r = sshbuf_put_u8(buf, ',')) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: buffer error: %s",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((r = sshbuf_put(buf, KEX_GSS_GEX_SHA1_ID,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sizeof(KEX_GSS_GEX_SHA1_ID) - 1)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshbuf_put(buf, encoded, enclen)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshbuf_put_u8(buf, ',')) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshbuf_put(buf, KEX_GSS_GRP1_SHA1_ID,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sizeof(KEX_GSS_GRP1_SHA1_ID) - 1)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshbuf_put(buf, encoded, enclen)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshbuf_put_u8(buf, ',')) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshbuf_put(buf, KEX_GSS_GRP14_SHA1_ID,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sizeof(KEX_GSS_GRP14_SHA1_ID) - 1)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshbuf_put(buf, encoded, enclen)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: buffer error: %s",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_enc2oid[oidpos].encoded = encoded;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ oidpos++;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_enc2oid[oidpos].oid = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_enc2oid[oidpos].encoded = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((mechs = sshbuf_dup_string(buf)) == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: sshbuf_dup_string failed", __func__);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (strlen(mechs) == 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(mechs);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ mechs = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return (mechs);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+gss_OID
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int kex_type) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int i = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ switch (kex_type) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GRP1_SHA1:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (strlen(name) < sizeof(KEX_GSS_GRP1_SHA1_ID))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return GSS_C_NO_OID;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ name += sizeof(KEX_GSS_GRP1_SHA1_ID) - 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GRP14_SHA1:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (strlen(name) < sizeof(KEX_GSS_GRP14_SHA1_ID))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return GSS_C_NO_OID;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ name += sizeof(KEX_GSS_GRP14_SHA1_ID) - 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GEX_SHA1:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (strlen(name) < sizeof(KEX_GSS_GEX_SHA1_ID))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return GSS_C_NO_OID;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ name += sizeof(KEX_GSS_GEX_SHA1_ID) - 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ default:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return GSS_C_NO_OID;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ while (gss_enc2oid[i].encoded != NULL &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ strcmp(name, gss_enc2oid[i].encoded) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ i++;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (gss_enc2oid[i].oid != NULL && ctx != NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_gssapi_set_oid(ctx, gss_enc2oid[i].oid);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return gss_enc2oid[i].oid;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Check that the OID in a data stream matches that in the context */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -218,7 +378,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ctx->major = gss_init_sec_context(&ctx->minor,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- GSS_C_NO_CREDENTIAL, &ctx->context, ctx->name, ctx->oid,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ctx->client_creds, &ctx->context, ctx->name, ctx->oid,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- 0, NULL, recv_tok, NULL, send_tok, flags, NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -247,9 +407,43 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return (ctx->major);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+OM_uint32
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_gssapi_client_identity(Gssctxt *ctx, const char *name)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_buffer_desc gssbuf;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_name_t gssname;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ OM_uint32 status;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_OID_set oidset;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gssbuf.value = (void *) name;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gssbuf.length = strlen(gssbuf.value);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_create_empty_oid_set(&status, &oidset);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_add_oid_set_member(&status, ctx->oid, &oidset);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ctx->major = gss_import_name(&ctx->minor, &gssbuf,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ GSS_C_NT_USER_NAME, &gssname);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!ctx->major)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ctx->major = gss_acquire_cred(&ctx->minor,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gssname, 0, oidset, GSS_C_INITIATE,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &ctx->client_creds, NULL, NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_release_name(&status, &gssname);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_release_oid_set(&status, &oidset);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (ctx->major)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_gssapi_error(ctx);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return(ctx->major);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- OM_uint32
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (ctx == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- GSS_C_QOP_DEFAULT, buffer, hash)))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_gssapi_error(ctx);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -257,6 +451,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return (ctx->major);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* Priviledged when used by server */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+OM_uint32
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (ctx == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gssbuf, gssmic, NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return (ctx->major);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- const char *context)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -273,11 +480,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ const char *client)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- OM_uint32 major, minor;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Gssctxt *intctx = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (ctx == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ctx = &intctx;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* RFC 4462 says we MUST NOT do SPNEGO */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (oid->length == spnego_oid.length &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -287,6 +499,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_gssapi_build_ctx(ctx);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_gssapi_set_oid(*ctx, oid);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- major = ssh_gssapi_import_name(*ctx, host);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!GSS_ERROR(major) && client)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ major = ssh_gssapi_client_identity(*ctx, client);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (!GSS_ERROR(major)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -296,10 +512,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- GSS_C_NO_BUFFER);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (GSS_ERROR(major))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (GSS_ERROR(major) || intctx != NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_gssapi_delete_ctx(ctx);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return (!GSS_ERROR(major));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_gssapi_credentials_updated(Gssctxt *ctxt) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ static gss_name_t saved_name = GSS_C_NO_NAME;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ static OM_uint32 saved_lifetime = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ static gss_OID saved_mech = GSS_C_NO_OID;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ static gss_name_t name;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ static OM_uint32 last_call = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ OM_uint32 lifetime, now, major, minor;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int equal;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ now = time(NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (ctxt) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Rekey has happened - updating saved versions");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (saved_name != GSS_C_NO_NAME)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_release_name(&minor, &saved_name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &saved_name, &saved_lifetime, NULL, NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!GSS_ERROR(major)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ saved_mech = ctxt->oid;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ saved_lifetime+= now;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Handle the error */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (now - last_call < 10)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ last_call = now;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (saved_mech == GSS_C_NO_OID)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &name, &lifetime, NULL, NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (major == GSS_S_CREDENTIALS_EXPIRED)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else if (GSS_ERROR(major))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ major = gss_compare_name(&minor, saved_name, name, &equal);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_release_name(&minor, &name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (GSS_ERROR(major))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (equal && (saved_lifetime < lifetime + now - 10))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif /* GSSAPI */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index a151bc1e4..90f8692f5 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/gss-serv-krb5.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/gss-serv-krb5.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1,7 +1,7 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* $OpenBSD: gss-serv-krb5.c,v 1.9 2018/07/09 21:37:55 markus Exp $ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * Redistribution and use in source and binary forms, with or without
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * modification, are permitted provided that the following conditions
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -120,8 +120,8 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- krb5_error_code problem;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- krb5_principal princ;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- OM_uint32 maj_status, min_status;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- int len;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- const char *errmsg;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ const char *new_ccname;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (client->creds == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- debug("No credentials stored");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -180,11 +180,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ new_ccname = krb5_cc_get_name(krb_context, ccache);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- client->store.envvar = "KRB5CCNAME";
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- len = strlen(client->store.filename) + 6;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- client->store.envval = xmalloc(len);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- snprintf(client->store.envval, len, "FILE:%s", client->store.filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef USE_CCAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ xasprintf(&client->store.envval, "API:%s", new_ccname);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ client->store.filename = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ xasprintf(&client->store.envval, "FILE:%s", new_ccname);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ client->store.filename = xstrdup(new_ccname);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef USE_PAM
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options.use_pam)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -196,6 +201,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_gssapi_client *client)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ krb5_ccache ccache = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ krb5_principal principal = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *name = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ krb5_error_code problem;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ OM_uint32 maj_status, min_status;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ logit("krb5_cc_resolve(): %.100s",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ krb5_get_err_text(krb_context, problem));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Find out who the principal in this cache is */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((problem = krb5_cc_get_principal(krb_context, ccache,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &principal))) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ logit("krb5_cc_get_principal(): %.100s",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ krb5_get_err_text(krb_context, problem));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ krb5_cc_close(krb_context, ccache);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((problem = krb5_unparse_name(krb_context, principal, &name))) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ logit("krb5_unparse_name(): %.100s",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ krb5_get_err_text(krb_context, problem));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ krb5_free_principal(krb_context, principal);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ krb5_cc_close(krb_context, ccache);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (strcmp(name,client->exportedname.value)!=0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Name in local credentials cache differs. Not storing");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ krb5_free_principal(krb_context, principal);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ krb5_cc_close(krb_context, ccache);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ krb5_free_unparsed_name(krb_context, name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ krb5_free_unparsed_name(krb_context, name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Name matches, so lets get on with it! */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((problem = krb5_cc_initialize(krb_context, ccache, principal))) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ logit("krb5_cc_initialize(): %.100s",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ krb5_get_err_text(krb_context, problem));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ krb5_free_principal(krb_context, principal);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ krb5_cc_close(krb_context, ccache);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ krb5_free_principal(krb_context, principal);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ccache))) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ logit("gss_krb5_copy_ccache() failed. Sorry!");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ krb5_cc_close(krb_context, ccache);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_gssapi_mech gssapi_kerberos_mech = {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- "toWM5Slw5Ew8Mqkay+al2g==",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- "Kerberos",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -203,7 +273,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- NULL,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- &ssh_gssapi_krb5_userok,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- NULL,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- &ssh_gssapi_krb5_storecreds
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &ssh_gssapi_krb5_storecreds,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &ssh_gssapi_krb5_updatecreds
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- };
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif /* KRB5 */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/gss-serv.c b/gss-serv.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index ab3a15f0f..6c087a1b1 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/gss-serv.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/gss-serv.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1,7 +1,7 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* $OpenBSD: gss-serv.c,v 1.31 2018/07/09 21:37:55 markus Exp $ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * Redistribution and use in source and binary forms, with or without
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * modification, are permitted provided that the following conditions
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -44,17 +44,22 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "session.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "misc.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "servconf.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "uidswap.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "ssh-gss.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "monitor_wrap.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+extern ServerOptions options;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- extern ServerOptions options;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static ssh_gssapi_client gssapi_client =
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {NULL, NULL, NULL, NULL, NULL}, 0, 0};
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_gssapi_mech gssapi_null_mech =
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL};
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL, NULL};
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef KRB5
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- extern ssh_gssapi_mech gssapi_kerberos_mech;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -140,6 +145,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return (ssh_gssapi_acquire_cred(*ctx));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* Unprivileged */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+char *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_gssapi_server_mechanisms(void) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (supported_oids == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_gssapi_prepare_supported_oids();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return (ssh_gssapi_kex_mechs(supported_oids,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &ssh_gssapi_server_check_mech, NULL, NULL));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* Unprivileged */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_gssapi_server_check_mech(Gssctxt **dum, gss_OID oid, const char *data,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ const char *dummy) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Gssctxt *ctx = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int res;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ res = !GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctx, oid)));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_gssapi_delete_ctx(&ctx);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return (res);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Unprivileged */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_gssapi_supported_oids(gss_OID_set *oidset)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -150,7 +177,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- gss_OID_set supported;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- gss_create_empty_oid_set(&min_status, oidset);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- gss_indicate_mechs(&min_status, &supported);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (GSS_ERROR(gss_indicate_mechs(&min_status, &supported)))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- while (supported_mechs[i]->name != NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (GSS_ERROR(gss_test_oid_set_member(&min_status,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -276,8 +305,48 @@ OM_uint32
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int i = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int equal = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_name_t new_name = GSS_C_NO_NAME;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_buffer_desc ename = GSS_C_EMPTY_BUFFER;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.gss_store_rekey && client->used && ctx->client_creds) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (client->mech->oid.length != ctx->oid->length ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (memcmp(client->mech->oid.elements,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ctx->oid->elements, ctx->oid->length) !=0)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Rekeyed credentials have different mechanism");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return GSS_S_COMPLETE;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((ctx->major = gss_inquire_cred_by_mech(&ctx->minor,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ctx->client_creds, ctx->oid, &new_name,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ NULL, NULL, NULL))) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_gssapi_error(ctx);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return (ctx->major);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ctx->major = gss_compare_name(&ctx->minor, client->name,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ new_name, &equal);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (GSS_ERROR(ctx->major)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_gssapi_error(ctx);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return (ctx->major);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!equal) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Rekeyed credentials have different name");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return GSS_S_COMPLETE;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- gss_buffer_desc ename;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Marking rekeyed credentials for export");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_release_name(&ctx->minor, &client->name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_release_cred(&ctx->minor, &client->creds);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ client->name = new_name;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ client->creds = ctx->client_creds;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ctx->client_creds = GSS_C_NO_CREDENTIAL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ client->updated = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return GSS_S_COMPLETE;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- client->mech = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -292,6 +361,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (client->mech == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return GSS_S_FAILURE;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (ctx->client_creds &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (ctx->major = gss_inquire_cred_by_mech(&ctx->minor,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ctx->client_creds, ctx->oid, &client->name, NULL, NULL, NULL))) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_gssapi_error(ctx);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return (ctx->major);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- &client->displayname, NULL))) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_gssapi_error(ctx);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -309,6 +385,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return (ctx->major);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_release_buffer(&ctx->minor, &ename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* We can't copy this structure, so we just move the pointer to it */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- client->creds = ctx->client_creds;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ctx->client_creds = GSS_C_NO_CREDENTIAL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -356,7 +434,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Privileged */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--ssh_gssapi_userok(char *user)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_gssapi_userok(char *user, struct passwd *pw)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- OM_uint32 lmin;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -366,9 +444,11 @@ ssh_gssapi_userok(char *user)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (gssapi_client.mech && gssapi_client.mech->userok)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if ((*gssapi_client.mech->userok)(&gssapi_client, user))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((*gssapi_client.mech->userok)(&gssapi_client, user)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gssapi_client.used = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gssapi_client.store.owner = pw;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Destroy delegated credentials if userok fails */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- gss_release_buffer(&lmin, &gssapi_client.displayname);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- gss_release_buffer(&lmin, &gssapi_client.exportedname);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -382,14 +462,90 @@ ssh_gssapi_userok(char *user)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return (0);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--/* Privileged */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--OM_uint32
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* These bits are only used for rekeying. The unpriviledged child is running
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * as the user, the monitor is root.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * In the child, we want to :
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * *) Ask the monitor to store our credentials into the store we specify
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * *) If it succeeds, maybe do a PAM update
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* Stuff for PAM */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef USE_PAM
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static int ssh_gssapi_simple_conv(int n, const struct pam_message **msg,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct pam_response **resp, void *data)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- gssbuf, gssmic, NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return (PAM_CONV_ERR);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- return (ctx->major);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_gssapi_rekey_creds(void) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int ok;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int ret;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef USE_PAM
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pam_handle_t *pamh = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct pam_conv pamconv = {ssh_gssapi_simple_conv, NULL};
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *envstr;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (gssapi_client.store.filename == NULL &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gssapi_client.store.envval == NULL &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gssapi_client.store.envvar == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!ok)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Rekeyed credentials stored successfully");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Actually managing to play with the ssh pam stack from here will
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * be next to impossible. In any case, we may want different options
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * for rekeying. So, use our own :)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef USE_PAM
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!use_privsep) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Not even going to try and do PAM with privsep disabled");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ret = pam_start("sshd-rekey", gssapi_client.store.owner->pw_name,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &pamconv, &pamh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (ret)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ xasprintf(&envstr, "%s=%s", gssapi_client.store.envvar,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gssapi_client.store.envval);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ret = pam_putenv(pamh, envstr);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!ret)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pam_setcred(pamh, PAM_REINITIALIZE_CRED);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pam_end(pamh, PAM_SUCCESS);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_gssapi_update_creds(ssh_gssapi_ccache *store) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int ok = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Check we've got credentials to store */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!gssapi_client.updated)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gssapi_client.updated = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ temporarily_use_uid(gssapi_client.store.owner);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (gssapi_client.mech && gssapi_client.mech->updatecreds)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ok = (*gssapi_client.mech->updatecreds)(store, &gssapi_client);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("No update function for this mechanism");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ restore_uid();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return ok;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Privileged */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/kex.c b/kex.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index 25f9f66f6..fb5bfaea5 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/kex.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/kex.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -54,6 +54,10 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "sshbuf.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "digest.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "ssh-gss.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* prototype */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static int kex_choose_conf(struct ssh *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static int kex_input_newkeys(int, u_int32_t, struct ssh *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -105,6 +109,14 @@ static const struct kexalg kexalgs[] = {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { NULL, -1, -1, -1},
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- };
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static const struct kexalg kexalg_prefixes[] = {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { NULL, -1, -1, -1 },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+};
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex_alg_list(char sep)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -137,6 +149,10 @@ kex_alg_by_name(const char *name)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (strcmp(k->name, name) == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return k;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ for (k = kexalg_prefixes; k->name != NULL; k++) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (strncmp(k->name, name, strlen(k->name)) == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return k;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -653,6 +669,9 @@ kex_free(struct kex *kex)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sshbuf_free(kex->peer);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sshbuf_free(kex->my);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- free(kex->session_id);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(kex->gss_host);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif /* GSSAPI */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- free(kex->client_version_string);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- free(kex->server_version_string);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- free(kex->failed_choice);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/kex.h b/kex.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index 593de1208..4e5ead839 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/kex.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/kex.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -100,6 +100,9 @@ enum kex_exchange {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- KEX_DH_GEX_SHA256,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- KEX_ECDH_SHA2,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- KEX_C25519_SHA256,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ KEX_GSS_GRP1_SHA1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ KEX_GSS_GRP14_SHA1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ KEX_GSS_GEX_SHA1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- KEX_MAX
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- };
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -148,6 +151,12 @@ struct kex {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- u_int flags;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int hash_alg;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int ec_nid;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int gss_deleg_creds;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int gss_trust_dns;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *gss_host;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *gss_client;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char *client_version_string;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char *server_version_string;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char *failed_choice;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -198,6 +207,11 @@ int kexecdh_server(struct ssh *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int kexc25519_client(struct ssh *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int kexc25519_server(struct ssh *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int kexgss_client(struct ssh *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int kexgss_server(struct ssh *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int kex_dh_hash(int, const char *, const char *,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/kexgssc.c b/kexgssc.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-new file mode 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index 000000000..3c8ae08dd
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- /dev/null
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/kexgssc.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -0,0 +1,341 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Redistribution and use in source and binary forms, with or without
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * modification, are permitted provided that the following conditions
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * are met:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * 1. Redistributions of source code must retain the above copyright
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * notice, this list of conditions and the following disclaimer.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * 2. Redistributions in binary form must reproduce the above copyright
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * notice, this list of conditions and the following disclaimer in the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * documentation and/or other materials provided with the distribution.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "includes.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "includes.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <openssl/crypto.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <openssl/bn.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <string.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "xmalloc.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "sshbuf.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "ssh2.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "sshkey.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "cipher.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "kex.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "log.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "packet.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "dh.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "digest.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "ssh-gss.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+kexgss_client(struct ssh *ssh) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_buffer_desc recv_tok, gssbuf, msg_tok, *token_ptr;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Gssctxt *ctxt;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ OM_uint32 maj_status, min_status, ret_flags;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_int klen, kout, slen = 0, strlen;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ DH *dh;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ BIGNUM *dh_server_pub = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ BIGNUM *shared_secret = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ const BIGNUM *pub_key, *dh_p, *dh_g;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ BIGNUM *p = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ BIGNUM *g = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_char *kbuf;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_char *serverhostkey = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_char *empty = "";
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *msg;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int type = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int first = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_char hash[SSH_DIGEST_MAX_LENGTH];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ size_t hashlen;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Initialise our GSSAPI world */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_gssapi_build_ctx(&ctxt);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (ssh_gssapi_id_kex(ctxt, ssh->kex->name, ssh->kex->kex_type)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ == GSS_C_NO_OID)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("Couldn't identify host exchange");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (ssh_gssapi_import_name(ctxt, ssh->kex->gss_host))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("Couldn't import hostname");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (ssh->kex->gss_client &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_gssapi_client_identity(ctxt, ssh->kex->gss_client))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("Couldn't acquire client credentials");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ switch (ssh->kex->kex_type) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GRP1_SHA1:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh = dh_new_group1();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GRP14_SHA1:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh = dh_new_group14();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GEX_SHA1:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Doing group exchange\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ nbits = dh_estimate(ssh->kex->we_need * 8);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_start(SSH2_MSG_KEXGSS_GROUPREQ);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_int(min);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_int(nbits);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_int(max);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_send();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_read_expect(SSH2_MSG_KEXGSS_GROUP);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((p = BN_new()) == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("BN_new() failed");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_get_bignum2(p);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((g = BN_new()) == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("BN_new() failed");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_get_bignum2(g);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_check_eom();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (BN_num_bits(p) < min || BN_num_bits(p) > max)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("GSSGRP_GEX group out of range: %d !< %d !< %d",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ min, BN_num_bits(p), max);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh = dh_new_group(g, p);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ default:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Step 1 - e is dh->pub_key */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh_gen_key(dh, ssh->kex->we_need * 8);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ DH_get0_key(dh, &pub_key, NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ DH_get0_pqg(dh, &dh_p, NULL, &dh_g);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* This is f, we initialise it now to make life easier */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh_server_pub = BN_new();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (dh_server_pub == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("dh_server_pub == NULL");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ token_ptr = GSS_C_NO_BUFFER;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ do {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Calling gss_init_sec_context");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ maj_status = ssh_gssapi_init_ctx(ctxt,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh->kex->gss_deleg_creds, token_ptr, &send_tok,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &ret_flags);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (GSS_ERROR(maj_status)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (send_tok.length != 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_start(SSH2_MSG_KEXGSS_CONTINUE);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_string(send_tok.value,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ send_tok.length);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("gss_init_context failed");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* If we've got an old receive buffer get rid of it */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (token_ptr != GSS_C_NO_BUFFER)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(recv_tok.value);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (maj_status == GSS_S_COMPLETE) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* If mutual state flag is not true, kex fails */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!(ret_flags & GSS_C_MUTUAL_FLAG))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("Mutual authentication failed");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* If integ avail flag is not true kex fails */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!(ret_flags & GSS_C_INTEG_FLAG))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("Integrity check failed");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * If we have data to send, then the last message that we
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * received cannot have been a 'complete'.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (send_tok.length != 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (first) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_start(SSH2_MSG_KEXGSS_INIT);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_string(send_tok.value,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ send_tok.length);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_bignum2(pub_key);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ first = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_start(SSH2_MSG_KEXGSS_CONTINUE);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_string(send_tok.value,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ send_tok.length);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_send();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_release_buffer(&min_status, &send_tok);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* If we've sent them data, they should reply */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ do {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ type = packet_read();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Received KEXGSS_HOSTKEY");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (serverhostkey)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("Server host key received more than once");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ serverhostkey =
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_get_string(&slen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } while (type == SSH2_MSG_KEXGSS_HOSTKEY);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ switch (type) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case SSH2_MSG_KEXGSS_CONTINUE:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Received GSSAPI_CONTINUE");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (maj_status == GSS_S_COMPLETE)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("GSSAPI Continue received from server when complete");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ recv_tok.value = packet_get_string(&strlen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ recv_tok.length = strlen;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case SSH2_MSG_KEXGSS_COMPLETE:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Received GSSAPI_COMPLETE");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_get_bignum2(dh_server_pub);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ msg_tok.value = packet_get_string(&strlen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ msg_tok.length = strlen;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Is there a token included? */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (packet_get_char()) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ recv_tok.value=
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_get_string(&strlen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ recv_tok.length = strlen;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* If we're already complete - protocol error */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (maj_status == GSS_S_COMPLETE)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_disconnect("Protocol error: received token when complete");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* No token included */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (maj_status != GSS_S_COMPLETE)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_disconnect("Protocol error: did not receive final token");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case SSH2_MSG_KEXGSS_ERROR:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Received Error");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ maj_status = packet_get_int();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ min_status = packet_get_int();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ msg = packet_get_string(NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (void) packet_get_string_ptr(NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("GSSAPI Error: \n%.400s",msg);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ default:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_disconnect("Protocol error: didn't expect packet type %d",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ type);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ token_ptr = &recv_tok;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* No data, and not complete */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (maj_status != GSS_S_COMPLETE)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("Not complete, and no token output");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } while (maj_status & GSS_S_CONTINUE_NEEDED);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * We _must_ have received a COMPLETE message in reply from the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * server, which will have set dh_server_pub and msg_tok
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (type != SSH2_MSG_KEXGSS_COMPLETE)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("Didn't receive a SSH2_MSG_KEXGSS_COMPLETE when I expected it");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Check f in range [1, p-1] */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!dh_pub_is_valid(dh, dh_server_pub))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_disconnect("bad server public DH value");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* compute K=f^x mod p */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ klen = DH_size(dh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kbuf = xmalloc(klen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kout = DH_compute_key(kbuf, dh_server_pub, dh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (kout < 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("DH_compute_key: failed");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ shared_secret = BN_new();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (shared_secret == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("kexgss_client: BN_new failed");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("kexdh_client: BN_bin2bn failed");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ memset(kbuf, 0, klen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(kbuf);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hashlen = sizeof(hash);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ switch (ssh->kex->kex_type) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GRP1_SHA1:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GRP14_SHA1:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex_dh_hash(
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh->kex->hash_alg,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh->kex->client_version_string,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh->kex->server_version_string,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (serverhostkey ? serverhostkey : empty), slen,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pub_key, /* e */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh_server_pub, /* f */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ shared_secret, /* K */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hash, &hashlen
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ );
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GEX_SHA1:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kexgex_hash(
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh->kex->hash_alg,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh->kex->client_version_string,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh->kex->server_version_string,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (serverhostkey ? serverhostkey : empty), slen,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ min, nbits, max,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh_p, dh_g,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pub_key,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh_server_pub,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ shared_secret,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hash, &hashlen
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ );
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ default:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gssbuf.value = hash;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gssbuf.length = hashlen;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Verify that the hash matches the MIC we just got. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_disconnect("Hash's MIC didn't verify");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(msg_tok.value);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ DH_free(dh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(serverhostkey);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ BN_clear_free(dh_server_pub);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* save session id */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (ssh->kex->session_id == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh->kex->session_id_len = hashlen;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh->kex->session_id = xmalloc(ssh->kex->session_id_len);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ memcpy(ssh->kex->session_id, hash, ssh->kex->session_id_len);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (ssh->kex->gss_deleg_creds)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_gssapi_credentials_updated(ctxt);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (gss_kex_context == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_kex_context = ctxt;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_gssapi_delete_ctx(&ctxt);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex_derive_keys_bn(ssh, hash, hashlen, shared_secret);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ BN_clear_free(shared_secret);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return kex_send_newkeys(ssh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif /* GSSAPI */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/kexgsss.c b/kexgsss.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-new file mode 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index 000000000..18070f1d7
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- /dev/null
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/kexgsss.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -0,0 +1,300 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Redistribution and use in source and binary forms, with or without
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * modification, are permitted provided that the following conditions
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * are met:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * 1. Redistributions of source code must retain the above copyright
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * notice, this list of conditions and the following disclaimer.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * 2. Redistributions in binary form must reproduce the above copyright
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * notice, this list of conditions and the following disclaimer in the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * documentation and/or other materials provided with the distribution.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "includes.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <string.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <openssl/crypto.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <openssl/bn.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "xmalloc.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "sshbuf.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "ssh2.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "sshkey.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "cipher.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "kex.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "log.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "packet.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "dh.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "ssh-gss.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "monitor_wrap.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "misc.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "servconf.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "digest.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+extern ServerOptions options;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+kexgss_server(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ OM_uint32 maj_status, min_status;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Some GSSAPI implementations use the input value of ret_flags (an
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * output variable) as a means of triggering mechanism specific
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * features. Initializing it to zero avoids inadvertently
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * activating this non-standard behaviour.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ OM_uint32 ret_flags = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_buffer_desc gssbuf, recv_tok, msg_tok;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Gssctxt *ctxt = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_int slen, klen, kout;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_char *kbuf;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ DH *dh;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int min = -1, max = -1, nbits = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ const BIGNUM *pub_key, *dh_p, *dh_g;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ BIGNUM *shared_secret = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ BIGNUM *dh_client_pub = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int type = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_OID oid;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *mechs;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_char hash[SSH_DIGEST_MAX_LENGTH];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ size_t hashlen;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Initialise GSSAPI */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* If we're rekeying, privsep means that some of the private structures
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * in the GSSAPI code are no longer available. This kludges them back
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * into life
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!ssh_gssapi_oid_table_ok()) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ mechs = ssh_gssapi_server_mechanisms();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(mechs);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug2("%s: Identifying %s", __func__, ssh->kex->name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ oid = ssh_gssapi_id_kex(NULL, ssh->kex->name, ssh->kex->kex_type);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (oid == GSS_C_NO_OID)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("Unknown gssapi mechanism");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug2("%s: Acquiring credentials", __func__);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("Unable to acquire credentials for the server");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ switch (ssh->kex->kex_type) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GRP1_SHA1:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh = dh_new_group1();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GRP14_SHA1:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh = dh_new_group14();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GEX_SHA1:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Doing group exchange");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_read_expect(SSH2_MSG_KEXGSS_GROUPREQ);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ min = packet_get_int();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ nbits = packet_get_int();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ max = packet_get_int();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_check_eom();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (max < min || nbits < min || max < nbits)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("GSS_GEX, bad parameters: %d !< %d !< %d",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ min, nbits, max);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh = PRIVSEP(choose_dh(MAX(DH_GRP_MIN, min),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ nbits, MIN(DH_GRP_MAX, max)));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (dh == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_disconnect("Protocol error: no matching group found");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ DH_get0_pqg(dh, &dh_p, NULL, &dh_g);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_start(SSH2_MSG_KEXGSS_GROUP);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_bignum2(dh_p);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_bignum2(dh_g);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_send();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_write_wait();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ default:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh_gen_key(dh, ssh->kex->we_need * 8);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ do {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Wait SSH2_MSG_GSSAPI_INIT");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ type = packet_read();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ switch(type) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case SSH2_MSG_KEXGSS_INIT:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (dh_client_pub != NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("Received KEXGSS_INIT after initialising");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ recv_tok.value = packet_get_string(&slen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ recv_tok.length = slen;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((dh_client_pub = BN_new()) == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("dh_client_pub == NULL");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_get_bignum2(dh_client_pub);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case SSH2_MSG_KEXGSS_CONTINUE:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ recv_tok.value = packet_get_string(&slen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ recv_tok.length = slen;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ default:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_disconnect(
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ "Protocol error: didn't expect packet type %d",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ type);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &send_tok, &ret_flags));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(recv_tok.value);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (maj_status != GSS_S_COMPLETE && send_tok.length == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("Zero length token output when incomplete");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (dh_client_pub == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("No client public key");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (maj_status & GSS_S_CONTINUE_NEEDED) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Sending GSSAPI_CONTINUE");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_start(SSH2_MSG_KEXGSS_CONTINUE);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_string(send_tok.value, send_tok.length);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_send();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_release_buffer(&min_status, &send_tok);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } while (maj_status & GSS_S_CONTINUE_NEEDED);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (GSS_ERROR(maj_status)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (send_tok.length > 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_start(SSH2_MSG_KEXGSS_CONTINUE);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_string(send_tok.value, send_tok.length);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_send();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("accept_ctx died");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!(ret_flags & GSS_C_MUTUAL_FLAG))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("Mutual Authentication flag wasn't set");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!(ret_flags & GSS_C_INTEG_FLAG))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("Integrity flag wasn't set");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!dh_pub_is_valid(dh, dh_client_pub))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_disconnect("bad client public DH value");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ klen = DH_size(dh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kbuf = xmalloc(klen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kout = DH_compute_key(kbuf, dh_client_pub, dh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (kout < 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("DH_compute_key: failed");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ shared_secret = BN_new();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (shared_secret == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("kexgss_server: BN_new failed");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("kexgss_server: BN_bin2bn failed");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ memset(kbuf, 0, klen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(kbuf);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ DH_get0_key(dh, &pub_key, NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ DH_get0_pqg(dh, &dh_p, NULL, &dh_g);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hashlen = sizeof(hash);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ switch (ssh->kex->kex_type) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GRP1_SHA1:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GRP14_SHA1:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex_dh_hash(
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh->kex->hash_alg,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh->kex->client_version_string, ssh->kex->server_version_string,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ NULL, 0, /* Change this if we start sending host keys */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh_client_pub, pub_key, shared_secret,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hash, &hashlen
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ );
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GEX_SHA1:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kexgex_hash(
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh->kex->hash_alg,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh->kex->client_version_string, ssh->kex->server_version_string,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ NULL, 0,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ min, nbits, max,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh_p, dh_g,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh_client_pub,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pub_key,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ shared_secret,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hash, &hashlen
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ );
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ default:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ BN_clear_free(dh_client_pub);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (ssh->kex->session_id == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh->kex->session_id_len = hashlen;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh->kex->session_id = xmalloc(ssh->kex->session_id_len);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ memcpy(ssh->kex->session_id, hash, ssh->kex->session_id_len);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gssbuf.value = hash;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gssbuf.length = hashlen;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt,&gssbuf,&msg_tok))))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("Couldn't get MIC");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_start(SSH2_MSG_KEXGSS_COMPLETE);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_bignum2(pub_key);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_string(msg_tok.value,msg_tok.length);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (send_tok.length != 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_char(1); /* true */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_string(send_tok.value, send_tok.length);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_char(0); /* false */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_send();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_release_buffer(&min_status, &send_tok);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_release_buffer(&min_status, &msg_tok);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (gss_kex_context == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_kex_context = ctxt;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_gssapi_delete_ctx(&ctxt);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ DH_free(dh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex_derive_keys_bn(ssh, hash, hashlen, shared_secret);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ BN_clear_free(shared_secret);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex_send_newkeys(ssh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* If this was a rekey, then save out any delegated credentials we
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * just exchanged. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.gss_store_rekey)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_gssapi_rekey_creds();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif /* GSSAPI */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/monitor.c b/monitor.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index 531b2993a..eabc1e89b 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/monitor.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/monitor.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -145,6 +145,8 @@ int mm_answer_gss_setup_ctx(int, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int mm_answer_gss_accept_ctx(int, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int mm_answer_gss_userok(int, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int mm_answer_gss_checkmic(int, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int mm_answer_gss_sign(int, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int mm_answer_gss_updatecreds(int, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef SSH_AUDIT_EVENTS
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -215,11 +217,18 @@ struct mon_table mon_dispatch_proto20[] = {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok},
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {0, 0, NULL}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- };
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- struct mon_table mon_dispatch_postauth20[] = {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef WITH_OPENSSL
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -289,6 +298,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Permit requests for moduli and signatures */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* and for the GSSAPI key exchange */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* The first few requests do not require asynchronous access */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- while (!authenticated) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -401,6 +414,10 @@ monitor_child_postauth(struct monitor *pmonitor)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* and for the GSSAPI key exchange */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (auth_opts->permit_pty_flag) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1666,6 +1683,13 @@ monitor_apply_keystate(struct monitor *pmonitor)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif /* WITH_OPENSSL */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex->kex[KEX_C25519_SHA256] = kexc25519_server;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.gss_keyex) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex->load_host_public_key=&get_hostkey_public_by_type;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex->load_host_private_key=&get_hostkey_private_by_type;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex->host_key_index=&get_hostkey_index;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1756,8 +1780,8 @@ mm_answer_gss_setup_ctx(int sock, struct sshbuf *m)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- u_char *p;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int r;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (!options.gss_authentication)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- fatal("%s: GSSAPI authentication not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!options.gss_authentication && !options.gss_keyex)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: GSSAPI not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if ((r = sshbuf_get_string(m, &p, &len)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1789,8 +1813,8 @@ mm_answer_gss_accept_ctx(int sock, struct sshbuf *m)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- OM_uint32 flags = 0; /* GSI needs this */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int r;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (!options.gss_authentication)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- fatal("%s: GSSAPI authentication not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!options.gss_authentication && !options.gss_keyex)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: GSSAPI not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1810,6 +1834,7 @@ mm_answer_gss_accept_ctx(int sock, struct sshbuf *m)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return (0);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1821,8 +1846,8 @@ mm_answer_gss_checkmic(int sock, struct sshbuf *m)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- OM_uint32 ret;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int r;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (!options.gss_authentication)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- fatal("%s: GSSAPI authentication not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!options.gss_authentication && !options.gss_keyex)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: GSSAPI not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1851,10 +1876,11 @@ mm_answer_gss_userok(int sock, struct sshbuf *m)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int r, authenticated;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- const char *displayname;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (!options.gss_authentication)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- fatal("%s: GSSAPI authentication not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!options.gss_authentication && !options.gss_keyex)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: GSSAPI not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ authenticated = authctxt->valid &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_gssapi_userok(authctxt->user, authctxt->pw);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sshbuf_reset(m);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if ((r = sshbuf_put_u32(m, authenticated)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1871,5 +1897,83 @@ mm_answer_gss_userok(int sock, struct sshbuf *m)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Monitor loop will terminate if authenticated */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return (authenticated);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+mm_answer_gss_sign(int socket, struct sshbuf *m)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_buffer_desc data;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ OM_uint32 major, minor;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ size_t len;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_char *p;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int r;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!options.gss_authentication && !options.gss_keyex)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: GSSAPI not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((r = sshbuf_get_string(m, &p, &len)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ data.value = p;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ data.length = len;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (data.length != 20)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: data length incorrect: %d", __func__,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (int) data.length);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Save the session ID on the first time around */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (session_id2_len == 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ session_id2_len = data.length;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ session_id2 = xmalloc(session_id2_len);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ memcpy(session_id2, data.value, session_id2_len);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ major = ssh_gssapi_sign(gsscontext, &data, &hash);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(data.value);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sshbuf_reset(m);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((r = sshbuf_put_u32(m, major)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshbuf_put_string(m, hash.value, hash.length)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_release_buffer(&minor, &hash);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Turn on getpwnam permissions */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* And credential updating, for when rekeying */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return (0);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+mm_answer_gss_updatecreds(int socket, struct sshbuf *m) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_gssapi_ccache store;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int r, ok;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!options.gss_authentication && !options.gss_keyex)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: GSSAPI not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((r = sshbuf_get_cstring(m, &store.filename, NULL)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshbuf_get_cstring(m, &store.envvar, NULL)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshbuf_get_cstring(m, &store.envval, NULL)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ok = ssh_gssapi_update_creds(&store);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(store.filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(store.envvar);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(store.envval);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sshbuf_reset(m);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((r = sshbuf_put_u32(m, ok)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return(0);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif /* GSSAPI */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/monitor.h b/monitor.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index 16047299f..44fbed589 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/monitor.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/monitor.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -63,6 +63,9 @@ enum monitor_reqtype {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- };
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- struct monitor {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/monitor_wrap.c b/monitor_wrap.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index 732fb3476..1865a122a 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/monitor_wrap.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/monitor_wrap.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -984,7 +984,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--mm_ssh_gssapi_userok(char *user)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+mm_ssh_gssapi_userok(char *user, struct passwd *pw)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- struct sshbuf *m;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int r, authenticated = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1003,4 +1003,55 @@ mm_ssh_gssapi_userok(char *user)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return (authenticated);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+OM_uint32
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct sshbuf *m;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ OM_uint32 major;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int r;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((m = sshbuf_new()) == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: sshbuf_new failed", __func__);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((r = sshbuf_put_string(m, data->value, data->length)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, m);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, m);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((r = sshbuf_get_u32(m, &major)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = ssh_gssapi_get_buffer_desc(m, hash)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sshbuf_free(m);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return(major);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct sshbuf *m;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int r, ok;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((m = sshbuf_new()) == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: sshbuf_new failed", __func__);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((r = sshbuf_put_cstring(m,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ store->filename ? store->filename : "")) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshbuf_put_cstring(m,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ store->envvar ? store->envvar : "")) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshbuf_put_cstring(m,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ store->envval ? store->envval : "")) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, m);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, m);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((r = sshbuf_get_u32(m, &ok)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sshbuf_free(m);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return (ok);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif /* GSSAPI */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/monitor_wrap.h b/monitor_wrap.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index 644da081d..7f93144ff 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/monitor_wrap.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/monitor_wrap.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -60,8 +60,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--int mm_ssh_gssapi_userok(char *user);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int mm_ssh_gssapi_userok(char *user, struct passwd *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+OM_uint32 mm_ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef USE_PAM
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/opacket.c b/opacket.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index e637d7a71..7672c0b59 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/opacket.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/opacket.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -80,7 +80,7 @@ ssh_packet_put_raw(struct ssh *ssh, const void *buf, u_int len)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef WITH_OPENSSL
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--ssh_packet_put_bignum2(struct ssh *ssh, BIGNUM * value)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_packet_put_bignum2(struct ssh *ssh, const BIGNUM * value)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int r;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/opacket.h b/opacket.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index f92fe586e..1cf66a2d3 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/opacket.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/opacket.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -7,7 +7,7 @@ void ssh_packet_start(struct ssh *, u_char);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void ssh_packet_put_char(struct ssh *, int ch);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void ssh_packet_put_int(struct ssh *, u_int value);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void ssh_packet_put_int64(struct ssh *, u_int64_t value);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--void ssh_packet_put_bignum2(struct ssh *, BIGNUM * value);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+void ssh_packet_put_bignum2(struct ssh *, const BIGNUM * value);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void ssh_packet_put_ecpoint(struct ssh *, const EC_GROUP *, const EC_POINT *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void ssh_packet_put_string(struct ssh *, const void *buf, u_int len);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void ssh_packet_put_cstring(struct ssh *, const char *str);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/readconf.c b/readconf.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index 433811521..36bc5e59a 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/readconf.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/readconf.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -161,6 +161,8 @@ typedef enum {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- oClearAllForwardings, oNoHostAuthenticationForLocalhost,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- oAddressFamily, oGssAuthentication, oGssDelegateCreds,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ oGssServerIdentity,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- oHashKnownHosts,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -201,10 +203,20 @@ static struct {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Sometimes-unsupported options */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #if defined(GSSAPI)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "gssapiauthentication", oGssAuthentication },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "gssapikeyexchange", oGssKeyEx },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "gssapidelegatecredentials", oGssDelegateCreds },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "gssapitrustdns", oGssTrustDns },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "gssapiclientidentity", oGssClientIdentity },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "gssapiserveridentity", oGssServerIdentity },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "gssapirenewalforcesrekey", oGssRenewalRekey },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "gssapiauthentication", oUnsupported },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "gssapikeyexchange", oUnsupported },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "gssapidelegatecredentials", oUnsupported },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "gssapitrustdns", oUnsupported },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "gssapiclientidentity", oUnsupported },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "gssapiserveridentity", oUnsupported },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "gssapirenewalforcesrekey", oUnsupported },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef ENABLE_PKCS11
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "smartcarddevice", oPKCS11Provider },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -974,10 +986,30 @@ parse_time:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- intptr = &options->gss_authentication;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case oGssKeyEx:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ intptr = &options->gss_keyex;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case oGssDelegateCreds:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- intptr = &options->gss_deleg_creds;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case oGssTrustDns:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ intptr = &options->gss_trust_dns;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case oGssClientIdentity:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ charptr = &options->gss_client_identity;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto parse_string;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case oGssServerIdentity:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ charptr = &options->gss_server_identity;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto parse_string;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case oGssRenewalRekey:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ intptr = &options->gss_renewal_rekey;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case oBatchMode:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- intptr = &options->batch_mode;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1842,7 +1874,12 @@ initialize_options(Options * options)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->pubkey_authentication = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->challenge_response_authentication = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->gss_authentication = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->gss_keyex = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->gss_deleg_creds = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->gss_trust_dns = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->gss_renewal_rekey = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->gss_client_identity = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->gss_server_identity = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->password_authentication = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->kbd_interactive_authentication = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->kbd_interactive_devices = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1988,8 +2025,14 @@ fill_default_options(Options * options)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->challenge_response_authentication = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options->gss_authentication == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->gss_authentication = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->gss_keyex == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->gss_keyex = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options->gss_deleg_creds == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->gss_deleg_creds = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->gss_trust_dns == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->gss_trust_dns = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->gss_renewal_rekey == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->gss_renewal_rekey = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options->password_authentication == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->password_authentication = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options->kbd_interactive_authentication == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/readconf.h b/readconf.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index fc7e38251..8e4900d01 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/readconf.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/readconf.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -40,7 +40,12 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int challenge_response_authentication;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Try S/Key or TIS, authentication. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int gss_authentication; /* Try GSS authentication */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int gss_keyex; /* Try GSS key exchange */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int gss_deleg_creds; /* Delegate GSS credentials */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int gss_renewal_rekey; /* Credential renewal forces rekey */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *gss_client_identity; /* Principal to initiate GSSAPI with */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *gss_server_identity; /* GSSAPI target principal */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int password_authentication; /* Try password
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * authentication. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/servconf.c b/servconf.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index 932d363bb..4668b8a45 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/servconf.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/servconf.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -124,8 +124,10 @@ initialize_server_options(ServerOptions *options)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->kerberos_ticket_cleanup = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->kerberos_get_afs_token = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->gss_authentication=-1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->gss_keyex = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->gss_cleanup_creds = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->gss_strict_acceptor = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->gss_store_rekey = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->password_authentication = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->kbd_interactive_authentication = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->challenge_response_authentication = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -337,10 +339,14 @@ fill_default_server_options(ServerOptions *options)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->kerberos_get_afs_token = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options->gss_authentication == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->gss_authentication = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->gss_keyex == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->gss_keyex = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options->gss_cleanup_creds == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->gss_cleanup_creds = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options->gss_strict_acceptor == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->gss_strict_acceptor = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->gss_store_rekey == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->gss_store_rekey = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options->password_authentication == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->password_authentication = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options->kbd_interactive_authentication == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -485,6 +491,7 @@ typedef enum {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sHostKeyAlgorithms,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sGssKeyEx, sGssStoreRekey,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sAcceptEnv, sSetEnv, sPermitTunnel,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sUsePrivilegeSeparation, sAllowAgentForwarding,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -559,12 +566,20 @@ static struct {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1468,6 +1483,10 @@ process_server_config_line(ServerOptions *options, char *line,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- intptr = &options->gss_authentication;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case sGssKeyEx:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ intptr = &options->gss_keyex;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case sGssCleanupCreds:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- intptr = &options->gss_cleanup_creds;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1476,6 +1495,10 @@ process_server_config_line(ServerOptions *options, char *line,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- intptr = &options->gss_strict_acceptor;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case sGssStoreRekey:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ intptr = &options->gss_store_rekey;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case sPasswordAuthentication:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- intptr = &options->password_authentication;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2560,7 +2583,10 @@ dump_config(ServerOptions *o)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- dump_cfg_fmtint(sKbdInteractiveAuthentication,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/servconf.h b/servconf.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index 0175e00e8..3b76da816 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/servconf.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/servconf.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -125,8 +125,10 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int kerberos_get_afs_token; /* If true, try to get AFS token if
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * authenticated with Kerberos. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int gss_authentication; /* If true, permit GSSAPI authentication */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int gss_keyex; /* If true, permit GSSAPI key exchange */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int gss_cleanup_creds; /* If true, destroy cred cache on logout */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int gss_store_rekey;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int password_authentication; /* If true, permit password
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * authentication. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int kbd_interactive_authentication; /* If true, permit */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/ssh-gss.h b/ssh-gss.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index 36180d07a..350ce7882 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh-gss.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh-gss.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1,6 +1,6 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* $OpenBSD: ssh-gss.h,v 1.14 2018/07/10 09:13:30 djm Exp $ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * Redistribution and use in source and binary forms, with or without
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * modification, are permitted provided that the following conditions
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -61,10 +61,22 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define SSH_GSS_OIDTYPE 0x06
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define SSH2_MSG_KEXGSS_INIT 30
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define SSH2_MSG_KEXGSS_CONTINUE 31
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define SSH2_MSG_KEXGSS_COMPLETE 32
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define SSH2_MSG_KEXGSS_HOSTKEY 33
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define SSH2_MSG_KEXGSS_ERROR 34
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define SSH2_MSG_KEXGSS_GROUPREQ 40
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define SSH2_MSG_KEXGSS_GROUP 41
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define KEX_GSS_GRP1_SHA1_ID "gss-group1-sha1-"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define KEX_GSS_GRP14_SHA1_ID "gss-group14-sha1-"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define KEX_GSS_GEX_SHA1_ID "gss-gex-sha1-"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- typedef struct {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char *filename;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char *envvar;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char *envval;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct passwd *owner;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void *data;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- } ssh_gssapi_ccache;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -72,8 +84,11 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- gss_buffer_desc displayname;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- gss_buffer_desc exportedname;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- gss_cred_id_t creds;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_name_t name;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- struct ssh_gssapi_mech_struct *mech;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_gssapi_ccache store;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int used;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int updated;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- } ssh_gssapi_client;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- typedef struct ssh_gssapi_mech_struct {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -84,6 +99,7 @@ typedef struct ssh_gssapi_mech_struct {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int (*userok) (ssh_gssapi_client *, char *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int (*localname) (ssh_gssapi_client *, char **);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void (*storecreds) (ssh_gssapi_client *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- } ssh_gssapi_mech;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- typedef struct {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -94,10 +110,11 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- gss_OID oid; /* client */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- gss_cred_id_t creds; /* server */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- gss_name_t client; /* server */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- gss_cred_id_t client_creds; /* server */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_cred_id_t client_creds; /* both */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- } Gssctxt;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- extern ssh_gssapi_mech *supported_mechs[];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+extern Gssctxt *gss_kex_context;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -123,17 +140,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void ssh_gssapi_buildmic(struct sshbuf *, const char *,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- const char *, const char *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int ssh_gssapi_credentials_updated(Gssctxt *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* In the server */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ const char *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+char *ssh_gssapi_client_mechanisms(const char *, const char *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ const char *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ const char *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--int ssh_gssapi_userok(char *name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int ssh_gssapi_userok(char *name, struct passwd *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void ssh_gssapi_do_child(char ***, u_int *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void ssh_gssapi_cleanup_creds(void);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void ssh_gssapi_storecreds(void);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- const char *ssh_gssapi_displayname(void);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+char *ssh_gssapi_server_mechanisms(void);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int ssh_gssapi_oid_table_ok(void);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int ssh_gssapi_update_creds(ssh_gssapi_ccache *store);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+void ssh_gssapi_rekey_creds(void);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif /* GSSAPI */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif /* _SSH_GSS_H */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/ssh_config b/ssh_config
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index c12f5ef52..bcb9f153d 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh_config
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh_config
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -24,6 +24,8 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # HostbasedAuthentication no
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # GSSAPIAuthentication no
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # GSSAPIDelegateCredentials no
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# GSSAPIKeyExchange no
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# GSSAPITrustDNS no
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # BatchMode no
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # CheckHostIP yes
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # AddressFamily any
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/ssh_config.5 b/ssh_config.5
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index 4d5b01d3e..16c79368a 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh_config.5
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh_config.5
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -736,10 +736,42 @@ The default is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Specifies whether user authentication based on GSSAPI is allowed.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- The default is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .Cm no .
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.It Cm GSSAPIKeyExchange
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Specifies whether key exchange based on GSSAPI may be used. When using
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+GSSAPI key exchange the server need not have a host key.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+The default is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Cm no .
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.It Cm GSSAPIClientIdentity
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+If set, specifies the GSSAPI client identity that ssh should use when
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+connecting to the server. The default is unset, which means that the default
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+identity will be used.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.It Cm GSSAPIServerIdentity
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+If set, specifies the GSSAPI server identity that ssh should expect when
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+connecting to the server. The default is unset, which means that the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+expected GSSAPI server identity will be determined from the target
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+hostname.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .It Cm GSSAPIDelegateCredentials
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Forward (delegate) credentials to the server.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- The default is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .Cm no .
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.It Cm GSSAPIRenewalForcesRekey
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+If set to
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Cm yes
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+then renewal of the client's GSSAPI credentials will force the rekeying of the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh connection. With a compatible server, this can delegate the renewed
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+credentials to a session on the server.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+The default is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Cm no .
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.It Cm GSSAPITrustDns
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Set to
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Cm yes
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+to indicate that the DNS is trusted to securely canonicalize
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+the name of the host being connected to. If
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Cm no ,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+the hostname entered on the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+command line will be passed untouched to the GSSAPI library.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+The default is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Cm no .
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .It Cm HashKnownHosts
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Indicates that
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .Xr ssh 1
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/sshconnect2.c b/sshconnect2.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index 1675f3935..8c872a4fb 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshconnect2.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshconnect2.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- struct kex *kex;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int r;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *orig = NULL, *gss = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *gss_host = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- xxx_host = host;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- xxx_hostaddr = hostaddr;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -194,6 +199,35 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- order_hostkeyalgs(host, hostaddr, port));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.gss_keyex) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Add the GSSAPI mechanisms currently supported on this
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * client to the key exchange algorithm proposal */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ orig = myproposal[PROPOSAL_KEX_ALGS];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.gss_server_identity)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_host = xstrdup(options.gss_server_identity);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else if (options.gss_trust_dns)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_host = remote_hostname(active_state);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_host = xstrdup(host);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss = ssh_gssapi_client_mechanisms(gss_host,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.gss_client_identity);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (gss) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Offering GSSAPI proposal: %s", gss);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ "%s,%s", gss, orig);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* If we've got GSSAPI algorithms, then we also
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * support the 'null' hostkey, as a last resort */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ "%s,null", orig);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options.rekey_limit || options.rekey_interval)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- packet_set_rekey_limits(options.rekey_limit,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options.rekey_interval);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -215,15 +249,41 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex->kex[KEX_C25519_SHA256] = kexc25519_client;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.gss_keyex) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex->client_version_string=client_version_string;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex->server_version_string=server_version_string;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex->verify_host_key=&verify_host_key_callback;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.gss_keyex) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->gss_deleg_creds = options.gss_deleg_creds;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->gss_trust_dns = options.gss_trust_dns;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->gss_client = options.gss_client_identity;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->gss_host = gss_host;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_dispatch_run_fatal(active_state, DISPATCH_BLOCK, &kex->done);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* remove ext-info from the KEX proposals for rekeying */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- myproposal[PROPOSAL_KEX_ALGS] =
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- compat_kex_proposal(options.kex_algorithms);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* repair myproposal after it was crumpled by the */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* ext-info removal above */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (gss) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ orig = myproposal[PROPOSAL_KEX_ALGS];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ "%s,%s", gss, orig);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(gss);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if ((r = kex_prop2buf(kex->my, myproposal)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fatal("kex_prop2buf: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -314,6 +374,7 @@ int input_gssapi_token(int type, u_int32_t, struct ssh *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int input_gssapi_hash(int type, u_int32_t, struct ssh *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int input_gssapi_error(int, u_int32_t, struct ssh *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int input_gssapi_errtok(int, u_int32_t, struct ssh *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int userauth_gsskeyex(Authctxt *authctxt);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void userauth(Authctxt *, char *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -330,6 +391,11 @@ static char *authmethods_get(void);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Authmethod authmethods[] = {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {"gssapi-keyex",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ userauth_gsskeyex,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ NULL,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &options.gss_authentication,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ NULL},
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {"gssapi-with-mic",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- userauth_gssapi,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- NULL,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -686,25 +752,40 @@ userauth_gssapi(Authctxt *authctxt)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static u_int mech = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- OM_uint32 min;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int r, ok = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *gss_host;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.gss_server_identity)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_host = xstrdup(options.gss_server_identity);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else if (options.gss_trust_dns)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_host = remote_hostname(active_state);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_host = xstrdup(authctxt->host);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Try one GSSAPI method at a time, rather than sending them all at
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * once. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (gss_supported == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- gss_indicate_mechs(&min, &gss_supported);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (GSS_ERROR(gss_indicate_mechs(&min, &gss_supported))) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_supported = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(gss_host);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Check to see if the mechanism is usable before we offer it */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- while (mech < gss_supported->count && !ok) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* My DER encoding requires length<128 */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (gss_supported->elements[mech].length < 128 &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_gssapi_check_mechanism(&gssctxt,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- &gss_supported->elements[mech], authctxt->host)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &gss_supported->elements[mech], gss_host,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.gss_client_identity)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ok = 1; /* Mechanism works */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- mech++;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(gss_host);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (!ok)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -935,6 +1016,54 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- free(lang);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return r;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+userauth_gsskeyex(Authctxt *authctxt)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct ssh *ssh = active_state; /* XXX */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct sshbuf *b;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_buffer_desc gssbuf;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_buffer_desc mic = GSS_C_EMPTY_BUFFER;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ OM_uint32 ms;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int r;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ static int attempt = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (attempt++ >= 1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return (0);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (gss_kex_context == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("No valid Key exchange context");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return (0);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((b = sshbuf_new()) == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: sshbuf_new failed", __func__);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_gssapi_buildmic(b, authctxt->server_user, authctxt->service,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ "gssapi-keyex");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: sshbuf_mutable_ptr failed", __func__);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gssbuf.length = sshbuf_len(b);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sshbuf_free(b);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return (0);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshpkt_put_cstring(ssh, authctxt->server_user)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshpkt_put_cstring(ssh, authctxt->service)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshpkt_put_cstring(ssh, authctxt->method->name)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshpkt_put_string(ssh, mic.value, mic.length)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshpkt_send(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sshbuf_free(b);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_release_buffer(&ms, &mic);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return (1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif /* GSSAPI */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/sshd.c b/sshd.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index ba26287ba..539a000fd 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -123,6 +123,10 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "version.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "ssherr.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef USE_SECURITY_SESSION_API
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <Security/AuthSession.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Re-exec fds */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1810,10 +1814,13 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- free(fp);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- accumulate_host_timing_secret(cfg, NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifndef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* The GSSAPI key exchange can run without a host key */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (!sensitive_data.have_ssh2_key) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- logit("sshd: no hostkeys available -- exiting.");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- exit(1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * Load certificates. They are stored in an array at identical
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2104,6 +2111,60 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- rdomain == NULL ? "" : "\"");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- free(laddr);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef USE_SECURITY_SESSION_API
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Create a new security session for use by the new user login if
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * the current session is the root session or we are not launched
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * by inetd (eg: debugging mode or server mode). We do not
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * necessarily need to create a session if we are launched from
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * inetd because Panther xinetd will create a session for us.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * The only case where this logic will fail is if there is an
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * inetd running in a non-root session which is not creating
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * new sessions for us. Then all the users will end up in the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * same session (bad).
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * When the client exits, the session will be destroyed for us
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * automatically.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * We must create the session before any credentials are stored
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * (including AFS pags, which happens a few lines below).
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ OSStatus err = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SecuritySessionId sid = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SessionAttributeBits sattrs = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ err = SessionGetInfo(callerSecuritySession, &sid, &sattrs);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (err)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ error("SessionGetInfo() failed with error %.8X",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (unsigned) err);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Current Session ID is %.8X / Session Attributes are %.8X",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (unsigned) sid, (unsigned) sattrs);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (inetd_flag && !(sattrs & sessionIsRoot))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Running in inetd mode in a non-root session... "
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ "assuming inetd created the session for us.");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Creating new security session...");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ err = SessionCreate(0, sessionHasTTY | sessionIsRemote);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (err)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ error("SessionCreate() failed with error %.8X",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (unsigned) err);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ err = SessionGetInfo(callerSecuritySession, &sid,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &sattrs);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (err)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ error("SessionGetInfo() failed with error %.8X",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (unsigned) err);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("New Session ID is %.8X / Session Attributes are %.8X",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (unsigned) sid, (unsigned) sattrs);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * We don't want to listen forever unless the other side
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * successfully authenticates itself. So we set up an alarm which is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2287,6 +2348,48 @@ do_ssh2_kex(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- list_hostkey_types());
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *orig;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *gss = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *newstr = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ orig = myproposal[PROPOSAL_KEX_ALGS];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * If we don't have a host key, then there's no point advertising
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * the other key exchange algorithms
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ orig = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.gss_keyex)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss = ssh_gssapi_server_mechanisms();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (gss && orig)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ xasprintf(&newstr, "%s,%s", gss, orig);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else if (gss)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ newstr = gss;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else if (orig)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ newstr = orig;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * If we've got GSSAPI mechanisms, then we've got the 'null' host
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * key alg, but we can't tell people about it unless its the only
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * host key algorithm we support
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (gss && (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS])) == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "null";
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (newstr)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ myproposal[PROPOSAL_KEX_ALGS] = newstr;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("No supported key exchange algorithms");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* start key exchange */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if ((r = kex_setup(active_state, myproposal)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fatal("kex_setup: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2304,6 +2407,13 @@ do_ssh2_kex(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex->kex[KEX_C25519_SHA256] = kexc25519_server;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.gss_keyex) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex->server = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex->client_version_string=client_version_string;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex->server_version_string=server_version_string;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/sshd_config b/sshd_config
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index 19b7c91a1..2c48105f8 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd_config
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd_config
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -69,6 +69,8 @@ AuthorizedKeysFile .ssh/authorized_keys
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # GSSAPI options
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #GSSAPIAuthentication no
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #GSSAPICleanupCredentials yes
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#GSSAPIStrictAcceptorCheck yes
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#GSSAPIKeyExchange no
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # Set this to 'yes' to enable PAM authentication, account processing,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # and session processing. If this is enabled, PAM authentication will
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/sshd_config.5 b/sshd_config.5
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index c6484370b..985eef5a2 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd_config.5
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd_config.5
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -648,6 +648,11 @@ The default is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Specifies whether user authentication based on GSSAPI is allowed.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- The default is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .Cm no .
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.It Cm GSSAPIKeyExchange
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+doesn't rely on ssh keys to verify host identity.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+The default is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Cm no .
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .It Cm GSSAPICleanupCredentials
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Specifies whether to automatically destroy the user's credentials cache
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- on logout.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -667,6 +672,11 @@ machine's default store.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- This facility is provided to assist with operation on multi homed machines.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- The default is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .Cm yes .
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.It Cm GSSAPIStoreCredentialsOnRekey
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Controls whether the user's GSSAPI credentials should be updated following a
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+successful connection rekeying. This option can be used to accepted renewed
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+or updated credentials from a compatible client. The default is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Cm no .
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .It Cm HostbasedAcceptedKeyTypes
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Specifies the key types that will be accepted for hostbased authentication
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- as a list of comma-separated patterns.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/sshkey.c b/sshkey.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index 6555c5ef8..a85c185fc 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshkey.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshkey.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -135,6 +135,7 @@ static const struct keytype keytypes[] = {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # endif /* OPENSSL_HAS_NISTP521 */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # endif /* OPENSSL_HAS_ECC */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif /* WITH_OPENSSL */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "null", "null", NULL, KEY_NULL, 0, 0, 0 },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { NULL, NULL, NULL, -1, -1, 0, 0 }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- };
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -223,7 +224,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- const struct keytype *kt;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- for (kt = keytypes; kt->type != -1; kt++) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (kt->name == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (kt->name == NULL || kt->type == KEY_NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- continue;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (!include_sigonly && kt->sigonly)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- continue;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff --git a/sshkey.h b/sshkey.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-index f6a007fdf..f54deb0c0 100644
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshkey.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshkey.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -64,6 +64,7 @@ enum sshkey_types {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- KEY_ED25519_CERT,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- KEY_XMSS,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- KEY_XMSS_CERT,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ KEY_NULL,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- KEY_UNSPEC
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- };
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/launchd.patch b/net/openssh/files/launchd.patch
</span><span style='display:block; white-space:pre;color:#808080;'>index 0068461..1663e49 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/files/launchd.patch
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/files/launchd.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1,6 +1,6 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/clientloop.c 2017-10-07 04:21:42.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/clientloop.c 2017-10-07 04:30:02.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -301,6 +301,10 @@ client_x11_get_proto(struct ssh *ssh, co
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/clientloop.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/clientloop.c 2019-10-11 11:43:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -287,6 +287,10 @@ client_x11_get_proto(struct ssh *ssh, co
</span> struct stat st;
u_int now, x11_timeout_real;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -11,7 +11,7 @@
</span> *_proto = proto;
*_data = data;
proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -317,6 +321,19 @@ client_x11_get_proto(struct ssh *ssh, co
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -303,6 +307,19 @@ client_x11_get_proto(struct ssh *ssh, co
</span> }
if (xauth_path != NULL) {
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -31,7 +31,7 @@
</span> /*
* Handle FamilyLocal case where $DISPLAY does
* not match an authorization entry. For this we
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -428,6 +445,9 @@ client_x11_get_proto(struct ssh *ssh, co
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -426,6 +443,9 @@ client_x11_get_proto(struct ssh *ssh, co
</span> u_int8_t rnd[16];
u_int i;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -41,9 +41,9 @@
</span> logit("Warning: No xauth data; "
"using fake authentication data for X11 forwarding.");
strlcpy(proto, SSH_X11_PROTO, sizeof proto);
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/channels.c 2017-10-07 04:21:42.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/channels.c 2017-10-07 04:26:38.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -4517,7 +4517,7 @@ connect_local_xsocket(u_int dnr)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/channels.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/channels.c 2019-10-11 11:43:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -4710,7 +4710,7 @@ connect_local_xsocket(u_int dnr)
</span> }
#ifdef __APPLE__
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -52,9 +52,9 @@
</span> is_path_to_xsocket(const char *display, char *path, size_t pathlen)
{
struct stat sbuf;
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/channels.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/channels.h 2017-10-07 04:26:24.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -316,6 +316,9 @@ int permitopen_port(const char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/channels.h 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/channels.h 2019-10-11 11:43:27.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -321,6 +321,9 @@ int permitopen_port(const char *);
</span> /* x11 forwarding */
void channel_set_x11_refuse_time(struct ssh *, u_int);
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/openssh-7.9p1-hpnssh14v15.diff b/net/openssh/files/openssh-7.9p1-hpnssh14v15.diff
</span>deleted file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 2fae049..0000000
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/files/openssh-7.9p1-hpnssh14v15.diff
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1,1310 +0,0 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-diff -urN -x configure -x config.guess -x config.h.in -x config.sub openssh-6.8p1/HPN-README openssh-6.8p1/HPN-README
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- openssh-6.8p1/HPN-README 1969-12-31 18:00:00.000000000 -0600
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ openssh-6.8p1/HPN-README 2015-04-01 22:16:49.869215000 -0500
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -0,0 +1,129 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Notes:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+MULTI-THREADED CIPHER:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+The AES cipher in CTR mode has been multithreaded (MTR-AES-CTR). This will allow ssh installations
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+on hosts with multiple cores to use more than one processing core during encryption.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Tests have show significant throughput performance increases when using MTR-AES-CTR up
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+to and including a full gigabit per second on quad core systems. It should be possible to
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+achieve full line rate on dual core systems but OS and data management overhead makes this
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+more difficult to achieve. The cipher stream from MTR-AES-CTR is entirely compatible with single
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+thread AES-CTR (ST-AES-CTR) implementations and should be 100% backward compatible. Optimal
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+performance requires the MTR-AES-CTR mode be enabled on both ends of the connection.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+The MTR-AES-CTR replaces ST-AES-CTR and is used in exactly the same way with the same
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+nomenclature.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Use examples: ssh -caes128-ctr you@host.com
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ scp -oCipher=aes256-ctr file you@host.com:~/file
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+NONE CIPHER:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+To use the NONE option you must have the NoneEnabled switch set on the server and
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+you *must* have *both* NoneEnabled and NoneSwitch set to yes on the client. The NONE
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+feature works with ALL ssh subsystems (as far as we can tell) *AS LONG AS* a tty is not
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+spawned. If a user uses the -T switch to prevent a tty being created the NONE cipher will
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+be disabled.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+The performance increase will only be as good as the network and TCP stack tuning
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+on the reciever side of the connection allows. As a rule of thumb a user will need
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+at least 10Mb/s connection with a 100ms RTT to see a doubling of performance. The
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+HPN-SSH home page describes this in greater detail.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+http://www.psc.edu/networking/projects/hpn-ssh
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+BUFFER SIZES:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+If HPN is disabled the receive buffer size will be set to the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+OpenSSH default of 64K.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+If an HPN system connects to a nonHPN system the receive buffer will
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+be set to the HPNBufferSize value. The default is 2MB but user adjustable.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+If an HPN to HPN connection is established a number of different things might
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+happen based on the user options and conditions.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+HPN Buffer Size = up to 64MB
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+This is the default state. The HPN buffer size will grow to a maximum of 64MB
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+as the TCP receive buffer grows. The maximum HPN Buffer size of 64MB is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+geared towards 10GigE transcontinental connections.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+HPN Buffer Size = TCP receive buffer value.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Users on non-autotuning systesm should disable TCPRcvBufPoll in the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_cofig and sshd_config
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+HPN Buffer Size = minmum of TCP receive buffer and HPNBufferSize.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+This would be the system defined TCP receive buffer (RWIN).
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf SET
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Generally there is no need to set both.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+HPN Buffer Size = grows to HPNBufferSize
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+The buffer will grow up to the maximum size specified here.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf SET
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Generally there is no need to set both of these, especially on autotuning
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+systems. However, if the users wishes to override the autotuning this would be
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+one way to do it.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf SET
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+HPN Buffer Size = TCPRcvBuf.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+This will override autotuning and set the TCP recieve buffer to the user defined
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+value.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+HPN Specific Configuration options
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+TcpRcvBuf=[int]KB client
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ set the TCP socket receive buffer to n Kilobytes. It can be set up to the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+maximum socket size allowed by the system. This is useful in situations where
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+the tcp receive window is set low but the maximum buffer size is set
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+higher (as is typical). This works on a per TCP connection basis. You can also
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+use this to artifically limit the transfer rate of the connection. In these
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+cases the throughput will be no more than n/RTT. The minimum buffer size is 1KB.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Default is the current system wide tcp receive buffer size.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+TcpRcvBufPoll=[yes/no] client/server
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ enable of disable the polling of the tcp receive buffer through the life
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+of the connection. You would want to make sure that this option is enabled
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+for systems making use of autotuning kernels (linux 2.4.24+, 2.6, MS Vista)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+default is yes.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+NoneEnabled=[yes/no] client/server
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ enable or disable the use of the None cipher. Care must always be used
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+when enabling this as it will allow users to send data in the clear. However,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+it is important to note that authentication information remains encrypted
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+even if this option is enabled. Set to no by default.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+NoneSwitch=[yes/no] client
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Switch the encryption cipher being used to the None cipher after
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+authentication takes place. NoneEnabled must be enabled on both the client
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+and server side of the connection. When the connection switches to the NONE
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+cipher a warning is sent to STDERR. The connection attempt will fail with an
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+error if a client requests a NoneSwitch from the server that does not explicitly
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+have NoneEnabled set to yes. Note: The NONE cipher cannot be used in
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+interactive (shell) sessions and it will fail silently. Set to no by default.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+HPNDisabled=[yes/no] client/server
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ In some situations, such as transfers on a local area network, the impact
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+of the HPN code produces a net decrease in performance. In these cases it is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+helpful to disable the HPN functionality. By default HPNDisabled is set to no.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+HPNBufferSize=[int]KB client/server
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ This is the default buffer size the HPN functionality uses when interacting
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+with nonHPN SSH installations. Conceptually this is similar to the TcpRcvBuf
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+option as applied to the internal SSH flow control. This value can range from
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+1KB to 64MB (1-65536). Use of oversized or undersized buffers can cause performance
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+problems depending on the length of the network path. The default size of this buffer
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+is 2MB.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Credits: This patch was conceived, designed, and led by Chris Rapier (rapier@psc.edu)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ The majority of the actual coding for versions up to HPN12v1 was performed
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ by Michael Stevens (mstevens@andrew.cmu.edu). The MT-AES-CTR cipher was
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ implemented by Ben Bennet (ben@psc.edu) and improved by Mike Tasota
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (tasota@gmail.com) an NSF REU grant recipient for 2013.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ This work was financed, in part, by Cisco System, Inc., the National
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Library of Medicine, and the National Science Foundation.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- openssh-7.7p1/channels.c.orig 2018-04-01 22:38:28.000000000 -0700
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ openssh-7.7p1/channels.c 2018-06-27 16:37:07.663857000 -0700
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -215,6 +215,12 @@ static int rdynamic_connect_finish(struct ssh *, Chann
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Setup helper */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static void channel_handler_init(struct ssh_channels *sc);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static int hpn_disabled = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static int hpn_buffer_size = 2 * 1024 * 1024;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* -- channel core */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -391,6 +397,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->local_window = window;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->local_window_max = window;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->local_maxpacket = maxpack;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c->dynamic_window = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->remote_name = xstrdup(remote_name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->ctl_chan = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->delayed = 1; /* prevent call to channel_post handler */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -977,6 +986,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- FD_SET(c->sock, writeset);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+channel_tcpwinsz(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_int32_t tcpwinsz = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ socklen_t optsz = sizeof(tcpwinsz);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int ret = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* if we aren't on a socket return 128KB */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!packet_connection_is_on_socket())
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 128 * 1024;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ret = getsockopt(packet_get_connection_in(),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* return no more than SSHBUF_SIZE_MAX (currently 256MB) */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((ret == 0) && tcpwinsz > SSHBUF_SIZE_MAX)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ tcpwinsz = SSHBUF_SIZE_MAX;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug2("tcpwinsz: tcp connection %d, Receive window: %d",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_get_connection_in(), tcpwinsz);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return tcpwinsz;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- channel_pre_open(struct ssh *ssh, Channel *c,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fd_set *readset, fd_set *writeset)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2074,21 +2107,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->local_maxpacket*3) ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->local_window < c->local_window_max/2) &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->local_consumed > 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_int addition = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_int32_t tcpwinsz = channel_tcpwinsz();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* adjust max window size if we are in a dynamic environment */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (c->dynamic_window && (tcpwinsz > c->local_window_max)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* grow the window somewhat aggressively to maintain pressure */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ addition = 1.5 * (tcpwinsz - c->local_window_max);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c->local_window_max += addition;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Channel: Window growth to %d by %d bytes", c->local_window_max, addition);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (!c->have_remote_id)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fatal(":%s: channel %d: no remote id",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- __func__, c->self);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if ((r = sshpkt_start(ssh,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- (r = sshpkt_send(ssh)) != 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fatal("%s: channel %i: %s", __func__,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->self, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- debug2("channel %d: window %d sent adjust %d",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->self, c->local_window,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- c->local_consumed);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- c->local_window += c->local_consumed;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c->local_consumed + addition);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c->local_window += c->local_consumed + addition;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->local_consumed = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -3258,6 +3302,17 @@ channel_fwd_bind_addr(const char *listen_addr, int *wi
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return addr;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+channel_set_hpn(int external_hpn_disabled, int external_hpn_buffer_size)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hpn_disabled = external_hpn_disabled;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hpn_buffer_size = external_hpn_buffer_size;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("HPN Disabled: %d, HPN Buffer Size: %d", hpn_disabled,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- struct Forward *fwd, int *allocated_listen_port,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -3398,6 +3453,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Allocate a channel number for the socket. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * explicitly test for hpn disabled option. if true use smaller
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * window size.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!hpn_disabled)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c = channel_new(ssh, "port listener", type, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ 0, "port listener", 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c = channel_new(ssh, "port listener", type, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- 0, "port listener", 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -4457,6 +4523,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- *chanids = xcalloc(num_socks + 1, sizeof(**chanids));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- for (n = 0; n < num_socks; n++) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sock = socks[n];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!hpn_disabled)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ nc = channel_new(ssh, "x11 listener",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hpn_buffer_size, CHAN_X11_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ 0, "X11 inet listener", 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- nc = channel_new(ssh, "x11 listener",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- openssh-7.7p1/channels.h.orig 2018-04-01 22:38:28.000000000 -0700
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ openssh-7.7p1/channels.h 2018-06-27 16:38:40.766588000 -0700
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -143,6 +143,9 @@ struct Channel {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- u_int local_maxpacket;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int extended_usage;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int single_connection;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int dynamic_window;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char *ctype; /* type */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -335,5 +338,10 @@ void chan_ibuf_empty(struct ssh *, Channel *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void chan_rcvd_ieof(struct ssh *, Channel *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void chan_write_failed(struct ssh *, Channel *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void chan_obuf_empty(struct ssh *, Channel *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* hpn handler */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+void channel_set_hpn(int, int);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- openssh-7.7p1/cipher.c.orig 2018-04-01 22:38:28.000000000 -0700
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ openssh-7.7p1/cipher.c 2018-06-27 16:55:43.165788000 -0700
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -212,7 +212,12 @@ ciphers_valid(const char *names)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- (p = strsep(&cp, CIPHER_SEP))) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c = cipher_by_name(p);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (c == NULL || ((c->flags & CFLAG_INTERNAL) != 0 &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (c->flags & CFLAG_NONE) != 0)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (c == NULL || (c->flags & CFLAG_INTERNAL) != 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- free(cipher_list);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- openssh-7.7p1/clientloop.c.orig 2018-04-01 22:38:28.000000000 -0700
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ openssh-7.7p1/clientloop.c 2018-06-27 16:40:24.560906000 -0700
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1549,6 +1549,15 @@ client_request_x11(struct ssh *ssh, const char *reques
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sock = x11_connect_display(ssh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (sock < 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* again is this really necessary for X11? */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!options.hpn_disabled)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c = channel_new(ssh, "x11",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.hpn_buffer_size,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c = channel_new(ssh, "x11",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- SSH_CHANNEL_X11_OPEN, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1574,6 +1583,14 @@ client_request_agent(struct ssh *ssh, const char *requ
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!options.hpn_disabled)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c = channel_new(ssh, "authentication agent connection",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SSH_CHANNEL_OPEN, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ "authentication agent connection", 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c = channel_new(ssh, "authentication agent connection",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- SSH_CHANNEL_OPEN, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1602,6 +1619,12 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- debug("Tunnel forwarding using interface %s", ifname);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!options.hpn_disabled)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->datagram = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- openssh-6.8p1/compat.c 2015-03-17 00:49:20.000000000 -0500
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ openssh-6.8p1/compat.c 2015-04-03 16:39:57.665699000 -0500
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -177,6 +177,14 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- debug("match: %s pat %s compat 0x%08x",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- version, check[i].pat, check[i].bugs);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- datafellows = check[i].bugs; /* XXX for now */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Check to see if the remote side is OpenSSH and not HPN */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (strstr(version,"OpenSSH") != NULL &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ strstr(version,"hpn") == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ datafellows |= SSH_BUG_LARGEWINDOW;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Remote is NON-HPN aware");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return check[i].bugs;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- openssh/compat.h.orig 2015-05-29 03:27:21.000000000 -0500
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ openssh/compat.h 2015-06-02 09:55:04.208681000 -0500
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -62,6 +62,9 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define SSH_BUG_CURVE25519PAD 0x10000000
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define SSH_BUG_HOSTKEYS 0x20000000
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define SSH_BUG_DHGEX_LARGE 0x40000000
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define SSH_BUG_LARGEWINDOW 0x80000000
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void enable_compat13(void);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void enable_compat20(void);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- openssh-6.8p1/configure.ac 2015-03-17 00:49:20.000000000 -0500
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ openssh-6.8p1/configure.ac 2015-04-03 16:36:28.916502000 -0500
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -4238,6 +4238,25 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ) # maildir
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#check whether user wants HPN support
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+HPN_MSG="no"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+AC_ARG_WITH(hpn,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ [ --with-hpn Enable HPN support],
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ [ if test "x$withval" != "xno" ; then
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ AC_DEFINE(HPN_ENABLED,1,[Define if you want HPN support.])
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ HPN_MSG="yes"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fi ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#check whether user wants NONECIPHER support
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+NONECIPHER_MSG="no"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+AC_ARG_WITH(nonecipher,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ [ --with-nonecipher Enable NONECIPHER support],
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ [ if test "x$withval" != "xno" ; then
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ AC_DEFINE(NONE_CIPHER_ENABLED,1,[Define if you want NONECIPHER support.])
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ NONECIPHER_MSG="yes"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fi ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- disable_ptmx_check=yes
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -4905,6 +4924,8 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- echo " BSD Auth support: $BSD_AUTH_MSG"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- echo " Random number source: $RAND_MSG"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- echo " Privsep sandbox style: $SANDBOX_STYLE"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+echo " HPN support: $HPN_MSG"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+echo " NONECIPHER support: $NONECIPHER_MSG"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- echo ""
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- openssh-7.2p1/kex.c.orig 2016-02-25 19:40:04.000000000 -0800
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ openssh-7.2p1/kex.c 2016-02-29 08:02:25.565288000 -0800
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -822,6 +822,20 @@ kex_choose_conf(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- peer[ncomp] = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- goto out;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (strcmp(newkeys->enc.name, "none") == 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int auth_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ auth_flag = ssh_packet_authentication_state(ssh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Requesting NONE. Authflag is %d", auth_flag);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (auth_flag == 1) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("None requested post authentication.");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("Pre-authentication none cipher requests are not allowed.");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- debug("kex: %s cipher: %s MAC: %s compression: %s",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ctos ? "client->server" : "server->client",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- newkeys->enc.name,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- openssh-7.7p1/packet.c.orig 2018-04-01 22:38:28.000000000 -0700
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ openssh-7.7p1/packet.c 2018-06-27 16:42:42.739507000 -0700
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -926,6 +926,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* this supports the forced rekeying required for the NONE cipher */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int rekey_requested = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+packet_request_rekeying(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ rekey_requested = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_packet_authentication_state(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct session_state *state = ssh->state;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return(state->after_authentication);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define MAX_PACKETS (1U<<31)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -944,6 +962,14 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbou
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Peer can't rekey */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (ssh->compat & SSH_BUG_NOREKEY)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* used to force rekeying when called for by the none
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * cipher switch methods -cjr */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (rekey_requested == 1) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ rekey_requested = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * Permit one packet in or out per rekey - this allows us to
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- openssh-6.8p1/packet.h 2015-03-17 00:49:20.000000000 -0500
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ openssh-6.8p1/packet.h 2015-04-03 16:10:34.728161000 -0500
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -188,6 +188,11 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int sshpkt_get_end(struct ssh *ssh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- const u_char *sshpkt_ptr(struct ssh *, size_t *lenp);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+void packet_request_rekeying(void);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int ssh_packet_authentication_state(struct ssh *ssh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* OLD API */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- extern struct ssh *active_state;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "opacket.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- openssh-7.7p1/readconf.c.orig 2018-04-01 22:38:28.000000000 -0700
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ openssh-7.7p1/readconf.c 2018-06-27 16:58:41.109275000 -0700
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -66,6 +66,9 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "uidswap.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "myproposal.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "digest.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "sshbuf.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Format of the configuration file:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -167,6 +170,12 @@ typedef enum {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- oLocalCommand, oPermitLocalCommand, oRemoteCommand,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- oVisualHostKey,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ oNoneSwitch, oNoneEnabled,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -304,6 +313,16 @@ static struct {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "updatehostkeys", oUpdateHostkeys },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "hostbasedkeytypes", oHostbasedKeyTypes },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "noneenabled", oNoneEnabled },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "noneswitch", oNoneSwitch },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "tcprcvbufpoll", oTcpRcvBufPoll },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "tcprcvbuf", oTcpRcvBuf },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "hpndisabled", oHPNDisabled },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "hpnbuffersize", oHPNBufferSize },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "ignoreunknown", oIgnoreUnknown },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "proxyjump", oProxyJump },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -962,6 +981,44 @@ parse_time:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- intptr = &options->check_host_ip;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case oHPNDisabled:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ intptr = &options->hpn_disabled;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case oHPNBufferSize:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ intptr = &options->hpn_buffer_size;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto parse_int;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case oTcpRcvBufPoll:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ intptr = &options->tcp_rcv_buf_poll;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case oTcpRcvBuf:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ intptr = &options->tcp_rcv_buf;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto parse_int;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case oNoneEnabled:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ intptr = &options->none_enabled;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* we check to see if the command comes from the */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* command line or not. If it does then enable it */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* otherwise fail. NONE should never be a default configuration */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case oNoneSwitch:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if(strcmp(filename,"command-line") == 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ intptr = &options->none_switch;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ error("NoneSwitch is found in %.200s.\nYou may only use this configuration option from the command line", filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ error("Continuing...");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("NoneSwitch directive found in %.200s.", filename);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case oVerifyHostKeyDNS:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- intptr = &options->verify_host_key_dns;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- multistate_ptr = multistate_yesnoask;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1833,6 +1890,16 @@ initialize_options(Options * options)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->ip_qos_interactive = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->ip_qos_bulk = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->request_tty = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->none_switch = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->none_enabled = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->hpn_disabled = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->hpn_buffer_size = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->tcp_rcv_buf_poll = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->tcp_rcv_buf = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->proxy_use_fdpass = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->ignored_unknown = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->num_canonical_domains = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1979,6 +2046,34 @@ fill_default_options(Options * options)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->server_alive_interval = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options->server_alive_count_max == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->server_alive_count_max = 3;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->none_switch == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->none_switch = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->none_enabled == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->none_enabled = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->hpn_disabled == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->hpn_disabled = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->hpn_buffer_size > -1) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* if a user tries to set the size to 0 set it to 1KB */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->hpn_buffer_size == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->hpn_buffer_size = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* limit the buffer to SSHBUF_SIZE_MAX (currently 256MB) */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->hpn_buffer_size > (SSHBUF_SIZE_MAX / 1024)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->hpn_buffer_size = SSHBUF_SIZE_MAX;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("User requested buffer larger than 256MB. Request reverted to 256MB");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->hpn_buffer_size *= 1024;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->tcp_rcv_buf == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->tcp_rcv_buf = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->tcp_rcv_buf > -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->tcp_rcv_buf *=1024;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->tcp_rcv_buf_poll == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->tcp_rcv_buf_poll = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options->control_master == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->control_master = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options->control_persist == -1) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- openssh-6.8p1/readconf.h 2015-03-17 00:49:20.000000000 -0500
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ openssh-6.8p1/readconf.h 2015-04-03 13:47:45.670125000 -0500
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -105,6 +105,16 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int clear_forwardings;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int enable_ssh_keysign;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int none_switch; /* Use none cipher */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int none_enabled; /* Allow none to be used */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int tcp_rcv_buf; /* user switch to set tcp recv buffer */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int tcp_rcv_buf_poll; /* Option to poll recv buf every window transfer */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int hpn_disabled; /* Switch to disable HPN buffer management */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int hpn_buffer_size; /* User definable size for HPN buffer window */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int64_t rekey_limit;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int rekey_interval;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int no_host_authentication_for_localhost;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- openssh-6.8p1/scp.c 2015-03-17 00:49:20.000000000 -0500
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ openssh-6.8p1/scp.c 2015-04-02 16:51:25.108407000 -0500
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -764,7 +764,7 @@ source(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- off_t i, statbytes;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- size_t amt, nr;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int fd = -1, haderr, indx;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- char *last, *name, buf[2048], encname[PATH_MAX];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *last, *name, buf[16384], encname[PATH_MAX];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int len;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- for (indx = 0; indx < argc; ++indx) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -932,7 +932,7 @@ sink(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- off_t size, statbytes;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- unsigned long long ull;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int setimes, targisdir, wrerrno = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char ch, *cp, *np, *targ, *why, *vect[1], buf[16384], visbuf[16384];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- struct timeval tv[2];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define atime tv[0]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- openssh-7.7p1/servconf.c.orig 2018-04-01 22:38:28.000000000 -0700
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ openssh-7.7p1/servconf.c 2018-06-27 17:01:05.276677000 -0700
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -63,6 +63,9 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "auth.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "myproposal.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "digest.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "sshbuf.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static void add_listen_addr(ServerOptions *, const char *,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- const char *, int);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -169,6 +172,14 @@ initialize_server_options(ServerOptions *options)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->authorized_principals_file = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->authorized_principals_command = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->authorized_principals_command_user = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->none_enabled = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->tcp_rcv_buf_poll = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->hpn_disabled = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->hpn_buffer_size = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->ip_qos_interactive = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->ip_qos_bulk = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->version_addendum = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -371,6 +382,57 @@ fill_default_server_options(ServerOptions *options)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options->permit_tun == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->permit_tun = SSH_TUNMODE_NO;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->none_enabled == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->none_enabled = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->hpn_disabled == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->hpn_disabled = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->hpn_buffer_size == -1) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * option not explicitly set. Now we have to figure out
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * what value to use.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->hpn_disabled == 1) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int sock, socksize;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ socklen_t socksizelen = sizeof(socksize);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * get the current RCV size and set it to that
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * create a socket but don't connect it
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * we use that the get the rcv socket size
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sock = socket(AF_INET, SOCK_STREAM, 0);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &socksize, &socksizelen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ close(sock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->hpn_buffer_size = socksize;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * we have to do this incase the user sets both values in a
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * contradictory manner. hpn_disabled overrrides
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * hpn_buffer_size
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->hpn_disabled <= 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->hpn_buffer_size == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->hpn_buffer_size = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* limit the maximum buffer to SSHBUF_SIZE_MAX (currently 256MB) */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options->hpn_buffer_size > (SSHBUF_SIZE_MAX / 1024)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->hpn_buffer_size = SSHBUF_SIZE_MAX;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->hpn_buffer_size *= 1024;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options->ip_qos_interactive == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->ip_qos_interactive = IPTOS_LOWDELAY;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options->ip_qos_bulk == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -466,6 +528,12 @@ typedef enum {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sUsePrivilegeSeparation, sAllowAgentForwarding,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sHostCertificate,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sNoneEnabled,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sKexAlgorithms, sIPQoS, sVersionAddendum,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -603,6 +671,14 @@ static struct {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "noneenabled", sNoneEnabled, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "hpndisabled", sHPNDisabled, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "ipqos", sIPQoS, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1351,6 +1427,25 @@ process_server_config_line(ServerOptions *options, cha
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case sIgnoreUserKnownHosts:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- intptr = &options->ignore_user_known_hosts;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case sNoneEnabled:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ intptr = &options->none_enabled;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case sTcpRcvBufPoll:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ intptr = &options->tcp_rcv_buf_poll;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case sHPNDisabled:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ intptr = &options->hpn_disabled;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case sHPNBufferSize:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ intptr = &options->hpn_buffer_size;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto parse_int;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case sHostbasedAuthentication:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- intptr = &options->hostbased_authentication;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- openssh-6.8p1/servconf.h 2015-03-17 00:49:20.000000000 -0500
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ openssh-6.8p1/servconf.h 2015-04-03 13:48:37.316827000 -0500
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -169,6 +169,15 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int use_pam; /* Enable auth via PAM */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int none_enabled; /* enable NONE cipher switch */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int tcp_rcv_buf_poll; /* poll tcp rcv window in autotuning kernels*/
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int hpn_disabled; /* disable hpn functionality. false by default */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int hpn_buffer_size; /* set the hpn buffer size - default 3MB */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int permit_tun;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int num_permitted_opens;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- openssh-7.7p1/serverloop.c.orig 2018-04-01 22:38:28.000000000 -0700
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ openssh-7.7p1/serverloop.c 2018-06-27 16:53:02.246871000 -0700
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -550,6 +550,12 @@ server_request_tun(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- goto done;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- debug("Tunnel forwarding using interface %s", ifname);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!options.hpn_disabled)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPEN, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c = channel_new(ssh, "tun", SSH_CHANNEL_OPEN, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c->datagram = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -600,6 +606,10 @@ server_request_session(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- c = channel_new(ssh, "session", SSH_CHANNEL_LARVAL,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- 0, "server-session", 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.tcp_rcv_buf_poll && !options.hpn_disabled)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c->dynamic_window = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (session_open(the_authctxt, c->self) != 1) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- debug("session open failed, free channel %d", c->self);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- channel_free(ssh, c);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- openssh-7.7p1/session.c.orig 2018-04-01 22:38:28.000000000 -0700
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ openssh-7.7p1/session.c 2018-06-27 17:01:40.730347000 -0700
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2116,6 +2116,14 @@ session_set_fds(struct ssh *ssh, Session *s,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (s->chanid == -1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fatal("no channel for session %d", s->self);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!options.hpn_disabled)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ channel_set_fds(ssh, s->chanid,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fdout, fdin, fderr,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ 1, is_tty, options.hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- channel_set_fds(ssh, s->chanid,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fdout, fdin, fderr,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- openssh-6.8p1/sftp.1 2015-03-17 00:49:20.000000000 -0500
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ openssh-6.8p1/sftp.1 2015-04-01 22:16:49.921688000 -0500
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -263,7 +263,8 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Specify how many requests may be outstanding at any one time.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Increasing this may slightly improve file transfer speed
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- but will increase memory usage.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--The default is 64 outstanding requests.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+The default is 256 outstanding requests providing for 8MB
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+of outstanding data with a 32KB buffer.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .It Fl r
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Recursively copy entire directories when uploading and downloading.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Note that
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- openssh-6.8p1/sftp.c 2015-03-17 00:49:20.000000000 -0500
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ openssh-6.8p1/sftp.c 2015-04-03 17:16:00.959795000 -0500
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -71,7 +71,11 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "sftp-client.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* File to read commands from */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- FILE* infile;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- openssh-7.7p1/ssh.c.orig 2018-04-01 22:38:28.000000000 -0700
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ openssh-7.7p1/ssh.c 2018-06-27 17:05:30.011979000 -0700
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -954,6 +954,14 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case 'T':
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options.request_tty = REQUEST_TTY_NO;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * ensure that the user doesn't try to backdoor a
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * null cipher switch on an interactive session
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * so explicitly disable it no matter what.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.none_switch = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case 'o':
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- line = xstrdup(optarg);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1833,6 +1841,78 @@ ssh_session2_setup(struct ssh *ssh, int id, int succes
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- NULL, fileno(stdin), &command, environ);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+hpn_options_init(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * We need to check to see if what they want to do about buffer
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * sizes here. In a hpn to nonhpn connection we want to limit
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * the window size to something reasonable in case the far side
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * has the large window bug. In hpn to hpn connection we want to
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * use the max window size but allow the user to override it
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * lastly if they disabled hpn then use the ssh std window size.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * So why don't we just do a getsockopt() here and set the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * ssh window to that? In the case of a autotuning receive
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * window the window would get stuck at the initial buffer
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * size generally less than 96k. Therefore we need to set the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * maximum ssh window size to the maximum hpn buffer size
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * unless the user has specifically set the tcprcvbufpoll
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * to no. In which case we *can* just set the window to the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * minimum of the hpn buffer size and tcp receive buffer size.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (tty_flag)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.hpn_buffer_size = 2 * 1024 * 1024;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (datafellows & SSH_BUG_LARGEWINDOW) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("HPN to Non-HPN Connection");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int sock, socksize;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ socklen_t socksizelen;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.tcp_rcv_buf_poll <= 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sock = socket(AF_INET, SOCK_STREAM, 0);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ socksizelen = sizeof(socksize);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &socksize, &socksizelen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ close(sock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("socksize %d", socksize);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.hpn_buffer_size = socksize;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("HPNBufferSize set to TCP RWIN: %d", options.hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.tcp_rcv_buf > 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Create a socket but don't connect it:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * we use that the get the rcv socket size
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sock = socket(AF_INET, SOCK_STREAM, 0);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * If they are using the tcp_rcv_buf option,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * attempt to set the buffer size to that.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.tcp_rcv_buf) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ socksizelen = sizeof(options.tcp_rcv_buf);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ setsockopt(sock, SOL_SOCKET, SO_RCVBUF,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &options.tcp_rcv_buf, socksizelen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ socksizelen = sizeof(socksize);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &socksize, &socksizelen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ close(sock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("socksize %d", socksize);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.hpn_buffer_size = socksize;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("HPNBufferSize set to user TCPRcvBuf: %d", options.hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Final hpn_buffer_size = %d", options.hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* open new channel for a session */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_session2_open(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1859,9 +1939,17 @@ ssh_session2_open(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (!isatty(err))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- set_nonblock(err);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ window = options.hpn_buffer_size;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- window = CHAN_SES_WINDOW_DEFAULT;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- packetmax = CHAN_SES_PACKET_DEFAULT;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (tty_flag) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ window = CHAN_SES_WINDOW_DEFAULT;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- window >>= 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- packetmax >>= 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1870,6 +1958,12 @@ ssh_session2_open(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- window, packetmax, CHAN_EXTENDED_WRITE,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- "client-session", /*nonblock*/0);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.tcp_rcv_buf_poll > 0 && !options.hpn_disabled) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ c->dynamic_window = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug ("Enabled Dynamic Window Scaling");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- debug3("%s: channel_new: %d", __func__, c->self);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- channel_send_open(ssh, c->self);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1885,6 +1979,15 @@ ssh_session2(struct ssh *ssh, struct passwd *pw)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int devnull, id = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char *cp, *tun_fwd_ifname = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * We need to initialize this early because the forwarding logic below
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * might open channels that use the hpn buffer sizes. We can't send a
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * window of -1 (the default) to the server as it breaks things.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hpn_options_init();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* XXX should be pre-session */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (!options.control_persist)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- openssh-7.7p1/sshbuf.h.orig 2018-06-27 16:11:24.503058000 -0700
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ openssh-7.7p1/sshbuf.h 2018-06-27 16:12:01.359375000 -0700
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -28,7 +28,11 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # endif /* OPENSSL_HAS_ECC */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif /* WITH_OPENSSL */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define SSHBUF_SIZE_MAX 0xF000000 /* Hard maximum size 256MB */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define SSHBUF_SIZE_MAX 0x8000000 /* Hard maximum size */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define SSHBUF_REFS_MAX 0x100000 /* Max child buffers */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define SSHBUF_MAX_BIGNUM (16384 / 8) /* Max bignum *bytes* */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define SSHBUF_MAX_ECPOINT ((528 * 2 / 8) + 1) /* Max EC point *bytes* */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- openssh/sshconnect.c.orig 2018-10-16 17:01:20.000000000 -0700
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ openssh/sshconnect.c 2018-11-12 09:04:24.340706000 -0800
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -327,7 +327,32 @@ check_ifaddrs(const char *ifname, int af, const struct
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Set TCP receive buffer if requested.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Note: tuning needs to happen after the socket is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * created but before the connection happens
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * so winscale is negotiated properly -cjr
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_set_socket_recvbuf(int sock)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ void *buf = (void *)&options.tcp_rcv_buf;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int sz = sizeof(options.tcp_rcv_buf);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int socksize;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ socklen_t socksizelen = sizeof(socksize);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("setsockopt Attempting to set SO_RCVBUF to %d", options.tcp_rcv_buf);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, buf, sz) >= 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("setsockopt SO_RCVBUF: %.100s %d", strerror(errno), socksize);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ error("Couldn't set socket receive buffer to %d: %.100s",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.tcp_rcv_buf, strerror(errno));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * Creates a socket for use as the ssh connection.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -349,6 +374,11 @@ ssh_create_socket(struct addrinfo *ai)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fcntl(sock, F_SETFD, FD_CLOEXEC);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.tcp_rcv_buf > 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_set_socket_recvbuf(sock);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Bind the socket to an alternative local IP address */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options.bind_address == NULL && options.bind_interface == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return sock;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -608,8 +638,14 @@ static void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- send_client_banner(int connection_out, int minor1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Send our own protocol version identification. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\r\n",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.hpn_disabled ? "" : SSH_HPN
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ""
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ );
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (atomicio(vwrite, connection_out, client_version_string,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- strlen(client_version_string)) != strlen(client_version_string))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fatal("write: %.100s", strerror(errno));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- openssh/sshconnect2.c.orig 2018-10-16 17:01:20.000000000 -0700
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ openssh/sshconnect2.c 2018-11-12 09:06:06.338515000 -0800
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -81,7 +81,13 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- extern char *client_version_string;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- extern char *server_version_string;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- extern Options options;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* tty_flag is set in ssh.c. use this in ssh_userauth2 */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* if it is set then prevent the switch to the null cipher */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+extern int tty_flag;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * SSH2 key exchange
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -154,10 +160,11 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return ret;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static char *myproposal[PROPOSAL_MAX];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+static const char *myproposal_default[PROPOSAL_MAX] = { KEX_CLIENT };
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char *s, *all_key;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- struct kex *kex;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int r;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -165,6 +172,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_shor
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- xxx_host = host;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- xxx_hostaddr = hostaddr;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fatal("%s: kex_names_cat", __func__);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -412,6 +420,30 @@ ssh_userauth2(const char *local_user, const char *serv
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (!authctxt.success)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fatal("Authentication failed.");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * if the user wants to use the none cipher do it
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * post authentication and only if the right conditions are met
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * both of the NONE commands must be true and there must be no
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * tty allocated.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((options.none_switch == 1) && (options.none_enabled == 1)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!tty_flag) { /* no null on tty sessions */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Requesting none rekeying...");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex_prop2buf(active_state->kex->my, myproposal);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_request_rekeying();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* requested NONE cipher when in a tty */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Cannot switch to NONE cipher with tty allocated");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- debug("Authentication succeeded (%s).", authctxt.method->name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- openssh-7.7p1/sshd.c.orig 2018-04-01 22:38:28.000000000 -0700
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ openssh-7.7p1/sshd.c 2018-06-27 17:13:03.176633000 -0700
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -372,8 +372,13 @@ sshd_exchange_identification(struct ssh *ssh, int sock
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char buf[256]; /* Must not be larger than remote_version. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char remote_version[256]; /* Must be at least as big as buf. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s\r\n",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.hpn_disabled ? "" : SSH_HPN,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ "",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- *options.version_addendum == '\0' ? "" : " ",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options.version_addendum);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1025,6 +1030,10 @@ listen_on_addrs(struct listenaddr *la)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int ret, listen_sock;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- struct addrinfo *ai;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char ntop[NI_MAXHOST], strport[NI_MAXSERV];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int socksize;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ socklen_t socksizelen = sizeof(socksize);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- for (ai = la->addrs; ai; ai = ai->ai_next) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1070,6 +1079,13 @@ listen_on_addrs(struct listenaddr *la)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- debug("Bind to port %s on %s.", strport, ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &socksize, &socksizelen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Server TCP RWIN socket size: %d", socksize);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("HPN Buffer Size: %d", options.hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Bind the socket to the desired port. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- error("Bind to port %s on %s failed: %.200s.",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1634,6 +1650,15 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Fill in default values for those options not explicitly set. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fill_default_server_options(&options);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.none_enabled == 1) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *old_ciphers = options.ciphers;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ xasprintf(&options.ciphers, "%s,none", old_ciphers);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(old_ciphers);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* challenge-response is implemented via keyboard interactive */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options.challenge_response_authentication)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options.kbd_interactive_authentication = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2047,6 +2072,11 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- rdomain == NULL ? "" : "\"");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- free(laddr);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HPN_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* set the HPN options for the child */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * We don't want to listen forever unless the other side
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * successfully authenticates itself. So we set up an alarm which is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2212,6 +2242,11 @@ do_ssh2_kex(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- struct kex *kex;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int r;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef NONE_CIPHER_ENABLED
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.none_enabled == 1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug ("WARNING: None cipher enabled");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options.kex_algorithms);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- openssh-6.8p1/sshd_config 2015-04-01 22:07:18.248858000 -0500
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ openssh-6.8p1/sshd_config 2015-04-01 22:16:49.932279000 -0500
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -111,6 +111,20 @@ AuthorizedKeysFile .ssh/authorized_keys
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # override default of no subsystems
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Subsystem sftp /usr/libexec/sftp-server
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# the following are HPN related configuration options
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# tcp receive buffer polling. disable in non autotuning kernels
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#TcpRcvBufPoll yes
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# disable hpn performance boosts
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#HPNDisabled no
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# buffer size for hpn to non-hpn connections
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#HPNBufferSize 2048
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# allow the use of the none cipher
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#NoneEnabled no
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # Example of overriding settings on a per-user basis
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #Match User anoncvs
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # X11Forwarding no
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- openssh-7.7p1/version.h.orig 2018-04-01 22:38:28.000000000 -0700
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ openssh-7.7p1/version.h 2018-06-27 17:13:57.263086000 -0700
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -4,3 +4,4 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define SSH_PORTABLE "p1"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define SSH_HPN "-hpn14v15"
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/openssh-7.6p1-gsskex-all-20141021-mp-20171009.patch b/net/openssh/files/openssh-8.1p1-gsskex-all-20141021-mp-20191015.patch
</span>similarity index 61%
rename from net/openssh/files/openssh-7.6p1-gsskex-all-20141021-mp-20171009.patch
rename to net/openssh/files/openssh-8.1p1-gsskex-all-20141021-mp-20191015.patch
<span style='display:block; white-space:pre;color:#808080;'>index f0b18bc..e65a990 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/files/openssh-7.6p1-gsskex-all-20141021-mp-20171009.patch
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/files/openssh-8.1p1-gsskex-all-20141021-mp-20191015.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -21,22 +21,34 @@ Last-Updated: 2014-10-07
</span>
Patch-Name: gssapi.patch
<span style='display:block; white-space:pre;background:#e0ffe0;'>+====== MACPORTS SECTION ======
</span>
Updated by: Mihai Moldovan <ionic@macports.org>
<span style='display:block; white-space:pre;background:#ffe0e0;'>-Patch-Name: openssh-7.6p1-gsskex-all-20141021-mp-20171009.patch
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-Abstract: Updated for OpenSSH 7.6p1 with MacPorts patches for integration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Patch-Name: openssh-8.1p1-gsskex-all-20141021-mp-20191015.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Abstract: Updated for OpenSSH 8.1p1 with MacPorts patches for integration
</span> with Apple's launchd, pam, sandbox and Keychain.
WARNING: the commit ID does NOT match this patch. It is merely
provided for reference.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-Last-Updated: 2017-10-09
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-X-Ref: http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/tree/openssh-6.1p1-gssapi-canohost.patch?id=b487a6d746c5bff2889ce09f98535d3b5e1e7e65
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-X-Ref: http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/tree/openssh-7.0p1-gssKexAlgorithms.patch?id=13073f8d9ccec27646453f729aaa2952ae86ad01
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-X-Ref: http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/tree/openssh-7.1p1-gssapi-documentation.patch?id=d9d9575f0065dc0cf84743fa8c163df70c0623b8
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-X-Ref: http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/tree/openssh-7.2p1-gsskex.patch?id=b487a6d746c5bff2889ce09f98535d3b5e1e7e65
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-X-Ref: http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/tree/openssh-7.2p1-gsskex.patch?id=17b491b3075c078c75ca0fa5ad7438e52747b3b0
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-X-Ref: http://sources.debian.net/data/main/o/openssh/1:7.3p1-1/debian/patches/gssapi.patch
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/gssapi.patch?id=477bb7636238c106f8cd7c868a8c0c5eabcfb3db
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/gssapi.patch?id=0556ea972b15607b7e13ff31bc05840881c91dd3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ This patch is a COMBINATION of both the GSSAPI patches included
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ in Fedora and Debian. Neither standalone path is particularly
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ stellar, both have their rough edges. The idea is to base upon
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ the Fedora patch and fix small issues or add other features by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ pulling in specific changes from the Debian version.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Sometimes, I also rewrite code to avoid copy-pasting madness
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ or the like.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Last-Updated: 2019-10-15
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+X-Ref (Old): http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/tree/openssh-6.1p1-gssapi-canohost.patch?id=b487a6d746c5bff2889ce09f98535d3b5e1e7e65
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+X-Ref (Old): http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/tree/openssh-7.0p1-gssKexAlgorithms.patch?id=13073f8d9ccec27646453f729aaa2952ae86ad01
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+X-Ref (Old): http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/tree/openssh-7.1p1-gssapi-documentation.patch?id=d9d9575f0065dc0cf84743fa8c163df70c0623b8
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+X-Ref (Old): http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/tree/openssh-7.2p1-gsskex.patch?id=b487a6d746c5bff2889ce09f98535d3b5e1e7e65
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+X-Ref (Old): http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/tree/openssh-7.2p1-gsskex.patch?id=17b491b3075c078c75ca0fa5ad7438e52747b3b0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+X-Ref: https://src.fedoraproject.org/rpms/openssh/blob/def1debf2eba5b7877e54548c1749322e68740a6/f/openssh-8.0p1-gssapi-keyex.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+X-Ref (Old): http://sources.debian.net/data/main/o/openssh/1:7.3p1-1/debian/patches/gssapi.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+X-Ref (Old): https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/gssapi.patch?id=477bb7636238c106f8cd7c868a8c0c5eabcfb3db
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+X-Ref (Old): https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/gssapi.patch?id=0556ea972b15607b7e13ff31bc05840881c91dd3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5c167a9ab866df9/debian/patches/gssapi.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+====== MACPORTS SECTION ======
</span> ---
ChangeLog.gssapi | 113 +++++++++++++++++++
Makefile.in | 3 +-
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -77,7 +89,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> create mode 100644 kexgsss.c
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ChangeLog.gssapi 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ChangeLog.gssapi 2019-10-16 06:45:17.000000000 +0200
</span> @@ -0,0 +1,113 @@
+20110101
+ - Finally update for OpenSSH 5.6p1
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -192,36 +204,35 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + add support for GssapiTrustDns option for gssapi-with-mic
+ (from jbasney AT ncsa.uiuc.edu)
+ <gssapi-with-mic support is Bugzilla #1008>
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/Makefile.in 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/Makefile.in 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -77,7 +77,7 @@ LIBOPENSSH_OBJS=\
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- bitmap.o
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/Makefile.in 2019-10-16 06:22:19.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/Makefile.in 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -87,6 +87,7 @@ LIBOPENSSH_OBJS=\
</span>
LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
<span style='display:block; white-space:pre;background:#ffe0e0;'>-- authfd.o authfile.o bufaux.o bufbn.o bufec.o buffer.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ authfd.o authfile.o auth-compat.o bufaux.o bufbn.o bufec.o buffer.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ authfd.o authfile.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ auth-compat.o \
</span> canohost.o channels.o cipher.o cipher-aes.o cipher-aesctr.o \
cipher-ctr.o cleanup.o \
<span style='display:block; white-space:pre;background:#ffe0e0;'>- compat.o crc32.o fatal.o hostfile.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -93,6 +93,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ compat.o fatal.o hostfile.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -102,6 +103,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
</span> kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
<span style='display:block; white-space:pre;background:#ffe0e0;'>- kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kexgexc.o kexgexs.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \
</span> + kexgssc.o \
platform-pledge.o platform-tracing.o platform-misc.o
<span style='display:block; white-space:pre;background:#ffe0e0;'>- SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -106,7 +107,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -116,7 +118,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
</span> auth2-none.o auth2-passwd.o auth2-pubkey.o \
monitor.o monitor_wrap.o auth-krb5.o \
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
<span style='display:block; white-space:pre;background:#ffe0e0;'>- sftp-server.o sftp-common.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sftp-server.o sftp-common.o sftp-realpath.o \
</span> sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/auth-krb5.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth-krb5.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/auth-krb5.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth-krb5.c 2019-10-16 06:45:17.000000000 +0200
</span> @@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, c
len = strlen(authctxt->krb5_ticket_file) + 6;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -269,10 +280,10 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span>
return (krb5_cc_resolve(ctx, ccname, ccache));
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/auth2-gss.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth2-gss.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/auth2-gss.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth2-gss.c 2019-10-16 06:45:17.000000000 +0200
</span> @@ -1,7 +1,7 @@
<span style='display:block; white-space:pre;background:#ffe0e0;'>- /* $OpenBSD: auth2-gss.c,v 1.26 2017/06/24 06:34:38 djm Exp $ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* $OpenBSD: auth2-gss.c,v 1.29 2018/07/31 03:10:27 djm Exp $ */
</span>
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -280,7 +291,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -54,6 +54,41 @@ static int input_gssapi_exchange_complet
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -55,6 +55,48 @@ static int input_gssapi_exchange_complet
</span> static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
/*
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -290,29 +301,36 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +userauth_gsskeyex(struct ssh *ssh)
+{
+ Authctxt *authctxt = ssh->authctxt;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int authenticated = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Buffer b;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int r = -1, authenticated = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshbuf *b = NULL;
</span> + gss_buffer_desc mic, gssbuf;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_int len;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_char *p = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ size_t len;
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ mic.value = packet_get_string(&len);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ mic.length = len;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_end(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: %s", __func__, ssh_err(r));
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_check_eom();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((b = sshbuf_new()) == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: sshbuf_new failed", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ mic.value = p;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ mic.length = len;
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
</span> + "gssapi-keyex");
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gssbuf.value = buffer_ptr(&b);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gssbuf.length = buffer_len(&b);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: sshbuf_mutable_ptr failed", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gssbuf.length = sshbuf_len(b);
</span> +
+ /* gss_kex_context is NULL with privsep, so we can't check it here */
+ if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context,
+ &gssbuf, &mic))))
+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ authctxt->pw));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ authctxt->pw, 1));
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_free(&b);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_free(b);
</span> + free(mic.value);
+
+ return (authenticated);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -322,27 +340,27 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> * We only support those mechanisms that we know about (ie ones that we know
* how to check local user kuserok and the like)
*/
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -240,7 +275,8 @@ input_gssapi_exchange_complete(int type,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- packet_check_eom();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -260,7 +302,8 @@ input_gssapi_exchange_complete(int type,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((r = sshpkt_get_end(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal("%s: %s", __func__, ssh_err(r));
</span>
- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ authctxt->pw));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ authctxt->pw, 1));
</span>
if ((!use_privsep || mm_is_monitor()) &&
(displayname = ssh_gssapi_displayname()) != NULL)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -281,7 +317,8 @@ input_gssapi_mic(int type, u_int32_t ple
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- gssbuf.length = buffer_len(&b);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -306,7 +349,8 @@ input_gssapi_mic(int type, u_int32_t ple
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ gssbuf.length = sshbuf_len(b);
</span>
if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ authenticated =
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ authctxt->pw, 0));
</span> else
logit("GSSAPI MIC check failed");
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -301,6 +338,12 @@ input_gssapi_mic(int type, u_int32_t ple
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -326,6 +370,12 @@ input_gssapi_mic(int type, u_int32_t ple
</span> return 0;
}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -355,9 +373,9 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> Authmethod method_gssapi = {
"gssapi-with-mic",
userauth_gssapi,
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/auth2.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth2.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -72,6 +72,7 @@ extern Authmethod method_passwd;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/auth2.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth2.c 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -73,6 +73,7 @@ extern Authmethod method_passwd;
</span> extern Authmethod method_kbdint;
extern Authmethod method_hostbased;
#ifdef GSSAPI
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -365,7 +383,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> extern Authmethod method_gssapi;
#endif
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -79,6 +80,7 @@ Authmethod *authmethods[] = {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -80,6 +81,7 @@ Authmethod *authmethods[] = {
</span> &method_none,
&method_pubkey,
#ifdef GSSAPI
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -373,8 +391,8 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> &method_gssapi,
#endif
&method_passwd,
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/clientloop.c 2017-10-08 09:42:56.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/clientloop.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/clientloop.c 2019-10-16 06:22:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/clientloop.c 2019-10-16 06:45:17.000000000 +0200
</span> @@ -112,6 +112,10 @@
#include "ssherr.h"
#include "hostfile.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -386,7 +404,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> /* import options */
extern Options options;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1369,9 +1373,18 @@ client_loop(struct ssh *ssh, int have_pt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1393,9 +1397,18 @@ client_loop(struct ssh *ssh, int have_pt
</span> break;
/* Do channel operations unless rekeying in progress. */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -404,11 +422,11 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + }
+
/* Buffer input from the connection. */
<span style='display:block; white-space:pre;background:#ffe0e0;'>- client_process_net_input(readset);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ client_process_net_input(ssh, readset);
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/config.h.in 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/config.h.in 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1708,6 +1708,9 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/config.h.in 2019-10-09 02:39:34.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/config.h.in 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1884,6 +1884,9 @@
</span> /* Use btmp to log bad logins */
#undef USE_BTMP
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -418,7 +436,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> /* Use libedit for sftp */
#undef USE_LIBEDIT
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1726,6 +1729,9 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1902,6 +1905,9 @@
</span> /* Define if you have Solaris privileges */
#undef USE_SOLARIS_PRIVS
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -428,9 +446,9 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> /* Define if you have Solaris process contracts */
#undef USE_SOLARIS_PROCESS_CONTRACTS
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/configure.ac 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/configure.ac 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -621,6 +621,30 @@ main() { if (NSVersionOfRunTimeLibrary("
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/configure.ac 2019-10-16 06:22:19.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/configure.ac 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -667,6 +667,30 @@ main() { if (NSVersionOfRunTimeLibrary("
</span> [Use tunnel device compatibility to OpenBSD])
AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
[Prepend the address family to IP tunnel traffic])
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -461,10 +479,10 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> m4_pattern_allow([AU_IPv])
AC_CHECK_DECL([AU_IPv4], [],
AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/gss-genr.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/gss-genr.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/gss-genr.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/gss-genr.c 2019-10-16 06:45:17.000000000 +0200
</span> @@ -1,7 +1,7 @@
<span style='display:block; white-space:pre;background:#ffe0e0;'>- /* $OpenBSD: gss-genr.c,v 1.24 2016/09/12 01:22:38 deraadt Exp $ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* $OpenBSD: gss-genr.c,v 1.26 2018/07/10 09:13:30 djm Exp $ */
</span>
/*
- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -472,14 +490,15 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -40,12 +40,167 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "buffer.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -41,12 +41,36 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "sshbuf.h"
</span> #include "log.h"
#include "ssh2.h"
+#include "cipher.h"
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "key.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "sshkey.h"
</span> +#include "kex.h"
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <openssl/evp.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "digest.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "packet.h"
</span>
#include "ssh-gss.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -505,6 +524,29 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + return (gss_enc2oid != NULL);
+}
+
<span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* sshbuf_get for gss_buffer_desc */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -62,6 +86,160 @@ ssh_gssapi_get_buffer_desc(struct sshbuf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* sshpkt_get of gss_buffer_desc */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_gssapi_sshpkt_get_buffer_desc(struct ssh *ssh, gss_buffer_desc *g)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int r;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_char *p;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ size_t len;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_get_string(ssh, &p, &len)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return r;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ g->value = p;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ g->length = len;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> +/*
+ * Return a list of the gss-group1-sha1 mechanisms supported by this program
+ *
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -513,28 +555,29 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + */
+
+char *
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_gssapi_client_mechanisms(const char *host, const char *client) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_OID_set gss_supported;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_gssapi_client_mechanisms(const char *host, const char *client,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const char *kex) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_OID_set gss_supported = NULL;
</span> + OM_uint32 min_status;
+
+ if (GSS_ERROR(gss_indicate_mechs(&min_status, &gss_supported)))
+ return NULL;
+
+ return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ host, client));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ host, client, kex));
</span> +}
+
+char *
+ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ const char *host, const char *client) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Buffer buf;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const char *host, const char *client, const char *kex) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshbuf *buf = NULL;
</span> + size_t i;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int oidpos, enclen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int r, oidpos, enclen;
</span> + char *mechs, *encoded;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_char digest[EVP_MAX_MD_SIZE];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_char digest[SSH_DIGEST_MAX_LENGTH];
</span> + char deroid[2];
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ const EVP_MD *evp_md = EVP_md5();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ EVP_MD_CTX md;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct ssh_digest_ctx *md = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *s, *cp, *p;
</span> +
+ if (gss_enc2oid != NULL) {
+ for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -545,9 +588,11 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) *
+ (gss_supported->count + 1));
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_init(&buf);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((buf = sshbuf_new()) == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: sshbuf_new failed", __func__);
</span> +
+ oidpos = 0;
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ s = cp = xstrdup(kex);
</span> + for (i = 0; i < gss_supported->count; i++) {
+ if (gss_supported->elements[i].length < 128 &&
+ (*check)(NULL, &(gss_supported->elements[i]), host, client)) {
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -555,45 +600,48 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + deroid[0] = SSH_GSS_OIDTYPE;
+ deroid[1] = gss_supported->elements[i].length;
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ EVP_DigestInit(&md, evp_md);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ EVP_DigestUpdate(&md, deroid, 2);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ EVP_DigestUpdate(&md,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_supported->elements[i].elements,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_supported->elements[i].length);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ EVP_DigestFinal(&md, digest, NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ encoded = xmalloc(EVP_MD_size(evp_md) * 2);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ encoded, EVP_MD_size(evp_md) * 2);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (oidpos != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_put_char(&buf, ',');
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_append(&buf, KEX_GSS_GEX_SHA1_ID,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sizeof(KEX_GSS_GEX_SHA1_ID) - 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_append(&buf, encoded, enclen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_put_char(&buf, ',');
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sizeof(KEX_GSS_GRP1_SHA1_ID) - 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_append(&buf, encoded, enclen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_put_char(&buf, ',');
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_append(&buf, KEX_GSS_GRP14_SHA1_ID,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sizeof(KEX_GSS_GRP14_SHA1_ID) - 1);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_append(&buf, encoded, enclen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((md = ssh_digest_start(SSH_DIGEST_MD5)) == NULL ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = ssh_digest_update(md, deroid, 2)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = ssh_digest_update(md,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_supported->elements[i].elements,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_supported->elements[i].length)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = ssh_digest_final(md, digest, sizeof(digest))) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: digest failed: %s", __func__,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_digest_free(md);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ md = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ encoded = xmalloc(ssh_digest_bytes(SSH_DIGEST_MD5) * 2);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ enclen = __b64_ntop(digest,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_digest_bytes(SSH_DIGEST_MD5), encoded,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_digest_bytes(SSH_DIGEST_MD5) * 2);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cp = strncpy(s, kex, strlen(kex));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for ((p = strsep(&cp, ",")); p && *p != '\0';
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (p = strsep(&cp, ","))) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (sshbuf_len(buf) != 0 &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshbuf_put_u8(buf, ',')) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: sshbuf_put_u8 error: %s",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshbuf_put(buf, p, strlen(p))) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshbuf_put(buf, encoded, enclen)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: sshbuf_put error: %s",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span> +
+ gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
+ gss_enc2oid[oidpos].encoded = encoded;
+ oidpos++;
+ }
+ }
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(s);
</span> + gss_enc2oid[oidpos].oid = NULL;
+ gss_enc2oid[oidpos].encoded = NULL;
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_put_char(&buf, '\0');
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((mechs = sshbuf_dup_string(buf)) == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: sshbuf_dup_string failed", __func__);
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ mechs = xmalloc(buffer_len(&buf));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_get(&buf, mechs, buffer_len(&buf));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_free(&buf);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_free(buf);
</span> +
+ if (strlen(mechs) == 0) {
+ free(mechs);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -607,25 +655,25 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int kex_type) {
+ int i = 0;
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ switch (kex_type) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GRP1_SHA1:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (strlen(name) < sizeof(KEX_GSS_GRP1_SHA1_ID))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return GSS_C_NO_OID;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ name += sizeof(KEX_GSS_GRP1_SHA1_ID) - 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GRP14_SHA1:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (strlen(name) < sizeof(KEX_GSS_GRP14_SHA1_ID))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return GSS_C_NO_OID;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ name += sizeof(KEX_GSS_GRP14_SHA1_ID) - 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GEX_SHA1:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (strlen(name) < sizeof(KEX_GSS_GEX_SHA1_ID))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return GSS_C_NO_OID;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ name += sizeof(KEX_GSS_GEX_SHA1_ID) - 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define SKIP_KEX_NAME(type) \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case type: \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (strlen(name) < sizeof(type##_ID)) \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return GSS_C_NO_OID; \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ name += sizeof(type##_ID) - 1; \
</span> + break;
<span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ switch (kex_type) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ SKIP_KEX_NAME(KEX_GSS_GRP1_SHA1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ SKIP_KEX_NAME(KEX_GSS_GRP14_SHA1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ SKIP_KEX_NAME(KEX_GSS_GRP14_SHA256)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ SKIP_KEX_NAME(KEX_GSS_GRP16_SHA512)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ SKIP_KEX_NAME(KEX_GSS_GEX_SHA1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ SKIP_KEX_NAME(KEX_GSS_NISTP256_SHA256)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ SKIP_KEX_NAME(KEX_GSS_C25519_SHA256)
</span> + default:
+ return GSS_C_NO_OID;
+ }
<span style='display:block; white-space:pre;background:#e0ffe0;'>++#undef SKIP_KEX_NAME
</span> +
+ while (gss_enc2oid[i].encoded != NULL &&
+ strcmp(name, gss_enc2oid[i].encoded) != 0)
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -640,7 +688,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> /* Check that the OID in a data stream matches that in the context */
int
ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -198,7 +353,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -218,7 +396,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de
</span> }
ctx->major = gss_init_sec_context(&ctx->minor,
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -649,7 +697,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
0, NULL, recv_tok, NULL, send_tok, flags, NULL);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -228,8 +383,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -248,8 +426,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con
</span> }
OM_uint32
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -692,7 +740,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
GSS_C_QOP_DEFAULT, buffer, hash)))
ssh_gssapi_error(ctx);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -237,6 +426,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -257,6 +469,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer
</span> return (ctx->major);
}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -710,9 +758,9 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +}
+
void
<span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
</span> const char *context)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -250,11 +452,16 @@ ssh_gssapi_buildmic(Buffer *b, const cha
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -273,11 +498,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, co
</span> }
int
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -730,7 +778,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span>
/* RFC 4462 says we MUST NOT do SPNEGO */
if (oid->length == spnego_oid.length &&
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -264,6 +471,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -287,6 +517,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
</span> ssh_gssapi_build_ctx(ctx);
ssh_gssapi_set_oid(*ctx, oid);
major = ssh_gssapi_import_name(*ctx, host);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -741,7 +789,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> if (!GSS_ERROR(major)) {
major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
NULL);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -273,10 +484,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -296,10 +530,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
</span> GSS_C_NO_BUFFER);
}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -809,10 +857,10 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +}
+
#endif /* GSSAPI */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/gss-serv-krb5.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/gss-serv-krb5.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/gss-serv-krb5.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/gss-serv-krb5.c 2019-10-16 06:45:17.000000000 +0200
</span> @@ -1,7 +1,7 @@
<span style='display:block; white-space:pre;background:#ffe0e0;'>- /* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* $OpenBSD: gss-serv-krb5.c,v 1.9 2018/07/09 21:37:55 markus Exp $ */
</span>
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -820,17 +868,16 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -121,8 +121,8 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -120,7 +120,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
</span> krb5_error_code problem;
krb5_principal princ;
OM_uint32 maj_status, min_status;
- int len;
<span style='display:block; white-space:pre;background:#ffe0e0;'>- const char *errmsg;
</span> + const char *new_ccname, *new_cctype;
<span style='display:block; white-space:pre;background:#e0ffe0;'>+ const char *errmsg;
</span>
if (client->creds == NULL) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>- debug("No credentials stored");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -181,11 +181,26 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -180,11 +180,26 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
</span> return;
}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -861,7 +908,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span>
#ifdef USE_PAM
if (options.use_pam)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -194,9 +209,76 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -193,9 +208,76 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
</span>
krb5_cc_close(krb_context, ccache);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -938,7 +985,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> ssh_gssapi_mech gssapi_kerberos_mech = {
"toWM5Slw5Ew8Mqkay+al2g==",
"Kerberos",
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -204,7 +286,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -203,7 +285,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
</span> NULL,
&ssh_gssapi_krb5_userok,
NULL,
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -948,10 +995,10 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> };
#endif /* KRB5 */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/gss-serv.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/gss-serv.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/gss-serv.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/gss-serv.c 2019-10-16 06:45:17.000000000 +0200
</span> @@ -1,7 +1,7 @@
<span style='display:block; white-space:pre;background:#ffe0e0;'>- /* $OpenBSD: gss-serv.c,v 1.30 2017/06/24 06:34:38 djm Exp $ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* $OpenBSD: gss-serv.c,v 1.31 2018/07/09 21:37:55 markus Exp $ */
</span>
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -959,7 +1006,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -45,17 +45,20 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -44,17 +44,20 @@
</span> #include "session.h"
#include "misc.h"
#include "servconf.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -982,7 +1029,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span>
#ifdef KRB5
extern ssh_gssapi_mech gssapi_kerberos_mech;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -142,6 +145,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -141,6 +144,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss
</span> }
/* Unprivileged */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -991,7 +1038,8 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + if (supported_oids == NULL)
+ ssh_gssapi_prepare_supported_oids();
+ return (ssh_gssapi_kex_mechs(supported_oids,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &ssh_gssapi_server_check_mech, NULL, NULL));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &ssh_gssapi_server_check_mech, NULL, NULL,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.gss_kex_algorithms));
</span> +}
+
+/* Unprivileged */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1011,7 +1059,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> void
ssh_gssapi_supported_oids(gss_OID_set *oidset)
{
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -151,7 +176,9 @@ ssh_gssapi_supported_oids(gss_OID_set *o
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -150,7 +176,9 @@ ssh_gssapi_supported_oids(gss_OID_set *o
</span> gss_OID_set supported;
gss_create_empty_oid_set(&min_status, oidset);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1022,7 +1070,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span>
while (supported_mechs[i]->name != NULL) {
if (GSS_ERROR(gss_test_oid_set_member(&min_status,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -277,8 +304,48 @@ OM_uint32
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -276,8 +304,48 @@ OM_uint32
</span> ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
{
int i = 0;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1072,7 +1120,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span>
client->mech = NULL;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -293,6 +360,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -292,6 +360,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
</span> if (client->mech == NULL)
return GSS_S_FAILURE;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1086,7 +1134,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
&client->displayname, NULL))) {
ssh_gssapi_error(ctx);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -310,6 +384,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -309,6 +384,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
</span> return (ctx->major);
}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1095,7 +1143,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> /* We can't copy this structure, so we just move the pointer to it */
client->creds = ctx->client_creds;
ctx->client_creds = GSS_C_NO_CREDENTIAL;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -320,11 +396,20 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -319,11 +396,20 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
</span> void
ssh_gssapi_cleanup_creds(void)
{
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1121,16 +1169,20 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> }
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -357,7 +442,7 @@ ssh_gssapi_do_child(char ***envp, u_int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -356,19 +442,23 @@ ssh_gssapi_do_child(char ***envp, u_int
</span>
/* Privileged */
int
-ssh_gssapi_userok(char *user)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh_gssapi_userok(char *user, struct passwd *pw)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_gssapi_userok(char *user, struct passwd *pw, int kex)
</span> {
OM_uint32 lmin;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -367,9 +452,11 @@ ssh_gssapi_userok(char *user)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (void) kex; /* used in privilege separation */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (gssapi_client.exportedname.length == 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ gssapi_client.exportedname.value == NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug("No suitable client data");
</span> return 0;
}
if (gssapi_client.mech && gssapi_client.mech->userok)
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1144,7 +1196,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> /* Destroy delegated credentials if userok fails */
gss_release_buffer(&lmin, &gssapi_client.displayname);
gss_release_buffer(&lmin, &gssapi_client.exportedname);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -383,14 +470,90 @@ ssh_gssapi_userok(char *user)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -382,14 +472,90 @@ ssh_gssapi_userok(char *user)
</span> return (0);
}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1175,8 +1227,8 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +void
+ssh_gssapi_rekey_creds(void) {
+ int ok;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int ret;
</span> +#ifdef USE_PAM
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ int ret;
</span> + pam_handle_t *pamh = NULL;
+ struct pam_conv pamconv = {ssh_gssapi_simple_conv, NULL};
+ char *envstr;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1205,7 +1257,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + }
+
+ ret = pam_start("sshd-rekey", gssapi_client.store.owner->pw_name,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &pamconv, &pamh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &pamconv, &pamh);
</span> + if (ret)
+ return;
+
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1241,9 +1293,15 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> }
/* Privileged */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/kex.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/kex.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -54,6 +54,10 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/kex.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/kex.c 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -55,11 +55,16 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "misc.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "dispatch.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "monitor.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "xmalloc.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "ssherr.h"
</span> #include "sshbuf.h"
#include "digest.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1254,27 +1312,62 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> /* prototype */
static int kex_choose_conf(struct ssh *);
static int kex_input_newkeys(int, u_int32_t, struct ssh *);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -105,6 +109,14 @@ static const struct kexalg kexalgs[] = {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -113,15 +118,27 @@ static const struct kexalg kexalgs[] = {
</span> #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
<span style='display:block; white-space:pre;background:#ffe0e0;'>- { NULL, -1, -1, -1},
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { NULL, 0, -1, -1},
</span> };
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+static const struct kexalg kexalg_prefixes[] = {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static const struct kexalg gss_kexalgs[] = {
</span> +#ifdef GSSAPI
+ { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
+ { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
+ { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ { KEX_GSS_GRP16_SHA512_ID, KEX_GSS_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { KEX_GSS_NISTP256_SHA256_ID, KEX_GSS_NISTP256_SHA256,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { KEX_GSS_C25519_SHA256_ID, KEX_GSS_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
</span> +#endif
+ { NULL, -1, -1, -1 },
+};
<span style='display:block; white-space:pre;background:#ffe0e0;'>- char *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex_alg_list(char sep)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -137,6 +149,12 @@ kex_alg_by_name(const char *name)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-char *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-kex_alg_list(char sep)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static char *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++kex_alg_list_internal(char sep, const struct kexalg *algs)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *ret = NULL, *tmp;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ size_t nlen, rlen = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const struct kexalg *k;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- for (k = kexalgs; k->name != NULL; k++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for (k = algs; k->name != NULL; k++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (ret != NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ret[rlen++] = sep;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ nlen = strlen(k->name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -136,6 +153,18 @@ kex_alg_list(char sep)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return ret;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++char *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++kex_alg_list(char sep)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return kex_alg_list_internal(sep, kexalgs);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++char *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++kex_gss_alg_list(char sep)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return kex_alg_list_internal(sep, gss_kexalgs);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static const struct kexalg *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex_alg_by_name(const char *name)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -145,6 +174,12 @@ kex_alg_by_name(const char *name)
</span> if (strcmp(k->name, name) == 0)
return k;
}
+#ifdef GSSAPI
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ for (k = kexalg_prefixes; k->name != NULL; k++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for (k = gss_kexalgs; k->name != NULL; k++) {
</span> + if (strncmp(k->name, name, strlen(k->name)) == 0)
+ return k;
+ }
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1282,31 +1375,65 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> return NULL;
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -601,6 +619,9 @@ kex_free(struct kex *kex)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sshbuf_free(kex->peer);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sshbuf_free(kex->my);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -313,6 +348,29 @@ kex_assemble_names(char **listp, const c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return r;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* Validate GSS KEX method name list */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++kex_gss_names_valid(const char *names)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *s, *cp, *p;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (names == NULL || *names == '\0')
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ s = cp = xstrdup(names);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for ((p = strsep(&cp, ",")); p && *p != '\0';
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (p = strsep(&cp, ","))) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (strncmp(p, "gss-", 4) != 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ || kex_alg_by_name(p) == NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ error("Unsupported KEX algorithm \"%.100s\"", p);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(s);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug3("gss kex names ok: [%s]", names);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(s);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* put algorithm proposal into buffer */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -696,6 +754,9 @@ kex_free(struct kex *kex)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sshbuf_free(kex->server_version);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sshbuf_free(kex->client_pub);
</span> free(kex->session_id);
+#ifdef GSSAPI
+ free(kex->gss_host);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- free(kex->client_version_string);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- free(kex->server_version_string);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* GSSAPI */
</span> free(kex->failed_choice);
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/kex.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/kex.h 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -99,6 +99,11 @@ enum kex_exchange {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- KEX_DH_GEX_SHA256,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ free(kex->hostkey_alg);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ free(kex->name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/kex.h 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/kex.h 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -102,6 +102,15 @@ enum kex_exchange {
</span> KEX_ECDH_SHA2,
KEX_C25519_SHA256,
<span style='display:block; white-space:pre;background:#e0ffe0;'>+ KEX_KEM_SNTRUP4591761X25519_SHA512,
</span> +#ifdef GSSAPI
+ KEX_GSS_GRP1_SHA1,
+ KEX_GSS_GRP14_SHA1,
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ KEX_GSS_GRP14_SHA256,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ KEX_GSS_GRP16_SHA512,
</span> + KEX_GSS_GEX_SHA1,
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ KEX_GSS_NISTP256_SHA256,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ KEX_GSS_C25519_SHA256,
</span> +#endif
KEX_MAX
};
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -147,6 +152,12 @@ struct kex {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -153,6 +162,12 @@ struct kex {
</span> u_int flags;
int hash_alg;
int ec_nid;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1316,24 +1443,47 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + char *gss_host;
+ char *gss_client;
+#endif
<span style='display:block; white-space:pre;background:#ffe0e0;'>- char *client_version_string;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char *server_version_string;
</span> char *failed_choice;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -197,6 +208,11 @@ int kexecdh_server(struct ssh *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int kexc25519_client(struct ssh *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int kexc25519_server(struct ssh *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int (*verify_host_key)(struct sshkey *, struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct sshkey *(*load_host_public_key)(int, int, struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -174,8 +189,10 @@ struct kex {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int kex_names_valid(const char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *kex_alg_list(char);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++char *kex_gss_alg_list(char);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *kex_names_cat(const char *, const char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int kex_assemble_names(char **, const char *, const char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int kex_gss_names_valid(const char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int kex_exchange_identification(struct ssh *, int, const char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -202,6 +219,10 @@ int kexgex_client(struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int kexgex_server(struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int kex_gen_client(struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int kex_gen_server(struct ssh *);
</span> +#ifdef GSSAPI
+int kexgss_client(struct ssh *);
+int kexgss_server(struct ssh *);
+#endif
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int kex_dh_hash(int, const char *, const char *,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int kex_dh_keypair(struct kex *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int kex_dh_enc(struct kex *, const struct sshbuf *, struct sshbuf **,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -234,6 +255,12 @@ int kexgex_hash(int, const struct sshbu
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const BIGNUM *, const u_char *, size_t,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ u_char *, size_t *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int kex_gen_hash(int hash_alg, const struct sshbuf *client_version,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const struct sshbuf *server_version, const struct sshbuf *client_kexinit,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const struct sshbuf *server_kexinit, const struct sshbuf *server_host_key_blob,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const struct sshbuf *client_pub, const struct sshbuf *server_pub,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const struct sshbuf *shared_secret, u_char *hash, size_t *hashlen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void kexc25519_keygen(u_char key[CURVE25519_SIZE], u_char pub[CURVE25519_SIZE])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));
</span> --- /dev/null 1970-01-01 00:00:00.000000000 +0000
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/kexgssc.c 2017-10-08 09:43:13.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -0,0 +1,336 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/kexgssc.c 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -0,0 +1,405 @@
</span> +/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ *
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1360,7 +1510,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +
+#include "includes.h"
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#if defined(GSSAPI) && defined(WITH_OPENSSL)
</span> +
+#include <openssl/crypto.h>
+#include <openssl/bn.h>
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1368,41 +1518,43 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +#include <string.h>
+
+#include "xmalloc.h"
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "buffer.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "sshbuf.h"
</span> +#include "ssh2.h"
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "key.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "sshkey.h"
</span> +#include "cipher.h"
+#include "kex.h"
+#include "log.h"
+#include "packet.h"
+#include "dh.h"
+#include "digest.h"
<span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "ssherr.h"
</span> +
+#include "ssh-gss.h"
+
+int
+kexgss_client(struct ssh *ssh) {
+ struct kex *kex = ssh->kex;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_buffer_desc recv_tok, gssbuf, msg_tok, *token_ptr;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ recv_tok = GSS_C_EMPTY_BUFFER,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gssbuf, msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr;
</span> + Gssctxt *ctxt;
+ OM_uint32 maj_status, min_status, ret_flags;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_int klen, kout, slen = 0, strlen;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ DH *dh;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BIGNUM *p = NULL, *g = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshbuf *buf = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshbuf *server_blob = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshbuf *shared_secret = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshbuf *server_host_key_blob = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshbuf *empty = sshbuf_new();
</span> + BIGNUM *dh_server_pub = NULL;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ BIGNUM *shared_secret = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ BIGNUM *p = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ BIGNUM *g = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_char *kbuf;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_char *serverhostkey = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_char *empty = "";
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *msg;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *lang;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const BIGNUM *pub_key, *dh_p, *dh_g;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_char *msg;
</span> + int type = 0;
+ int first = 1;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX;
</span> + u_char hash[SSH_DIGEST_MAX_LENGTH];
+ size_t hashlen;
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_char c;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int r;
</span> +
+ /* Initialise our GSSAPI world */
+ ssh_gssapi_build_ctx(&ctxt);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1417,54 +1569,64 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + ssh_gssapi_client_identity(ctxt, kex->gss_client))
+ fatal("Couldn't acquire client credentials");
+
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Step 1 */
</span> + switch (kex->kex_type) {
+ case KEX_GSS_GRP1_SHA1:
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh = dh_new_group1();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span> + case KEX_GSS_GRP14_SHA1:
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh = dh_new_group14();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GRP14_SHA256:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GRP16_SHA512:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ r = kex_dh_keypair(kex);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_NISTP256_SHA256:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ r = kex_ecdh_keypair(kex);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_C25519_SHA256:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ r = kex_c25519_keypair(kex);
</span> + break;
+ case KEX_GSS_GEX_SHA1:
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Doing group exchange\n");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ nbits = dh_estimate(kex->we_need * 8);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_start(SSH2_MSG_KEXGSS_GROUPREQ);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_int(min);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_int(nbits);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_int(max);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_send();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_read_expect(SSH2_MSG_KEXGSS_GROUP);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((p = BN_new()) == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("BN_new() failed");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_get_bignum2(p);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((g = BN_new()) == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("BN_new() failed");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_get_bignum2(g);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_check_eom();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Doing group exchange");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ nbits = dh_estimate(kex->dh_need * 8);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->min = DH_GRP_MIN;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->max = DH_GRP_MAX;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->nbits = nbits;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_start(ssh, SSH2_MSG_KEXGSS_GROUPREQ)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_u32(ssh, min)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_u32(ssh, nbits)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_u32(ssh, max)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_send(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Failed to construct a packet: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = ssh_packet_read_expect(ssh, SSH2_MSG_KEXGSS_GROUP)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Error: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_get_bignum2(ssh, &p)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_bignum2(ssh, &g)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_end(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("shpkt_get_bignum2 failed: %s", ssh_err(r));
</span> +
+ if (BN_num_bits(p) < min || BN_num_bits(p) > max)
+ fatal("GSSGRP_GEX group out of range: %d !< %d !< %d",
+ min, BN_num_bits(p), max);
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh = dh_new_group(g, p);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((kex->dh = dh_new_group(g, p)) == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("dn_new_group() failed");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ p = g = NULL; /* belong to kex->dh now */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = dh_gen_key(kex->dh, kex->we_need * 8)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto out;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ DH_get0_key(kex->dh, &pub_key, NULL);
</span> + break;
+ default:
+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
+ }
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Step 1 - e is dh->pub_key */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh_gen_key(dh, kex->we_need * 8);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* This is f, we initialise it now to make life easier */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh_server_pub = BN_new();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (dh_server_pub == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("dh_server_pub == NULL");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (r != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return r;
</span> +
+ token_ptr = GSS_C_NO_BUFFER;
+
+ do {
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Step 2 - call GSS_Init_sec_context() */
</span> + debug("Calling gss_init_sec_context");
+
+ maj_status = ssh_gssapi_init_ctx(ctxt,
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1472,17 +1634,20 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + &ret_flags);
+
+ if (GSS_ERROR(maj_status)) {
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* XXX Useles code: Missing send? */
</span> + if (send_tok.length != 0) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_start(SSH2_MSG_KEXGSS_CONTINUE);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_string(send_tok.value,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ send_tok.length);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_start(ssh,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ SSH2_MSG_KEXGSS_CONTINUE)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_string(ssh, send_tok.value,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ send_tok.length)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span> + }
+ fatal("gss_init_context failed");
+ }
+
+ /* If we've got an old receive buffer get rid of it */
+ if (token_ptr != GSS_C_NO_BUFFER)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(recv_tok.value);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_release_buffer(&min_status, &recv_tok);
</span> +
+ if (maj_status == GSS_S_COMPLETE) {
+ /* If mutual state flag is not true, kex fails */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1500,28 +1665,34 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + */
+ if (send_tok.length != 0) {
+ if (first) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_start(SSH2_MSG_KEXGSS_INIT);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_string(send_tok.value,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ send_tok.length);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_bignum2(dh->pub_key);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_start(ssh, SSH2_MSG_KEXGSS_INIT)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_string(ssh, send_tok.value,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ send_tok.length)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (KEX_GSS_GEX_SHA1 == kex->kex_type &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_bignum2(ssh, pub_key)) != 0) ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (KEX_GSS_GEX_SHA1 != kex->kex_type &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_stringb(ssh, kex->client_pub)) != 0))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("failed to construct packet: %s", ssh_err(r));
</span> + first = 0;
+ } else {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_start(SSH2_MSG_KEXGSS_CONTINUE);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_string(send_tok.value,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ send_tok.length);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_start(ssh, SSH2_MSG_KEXGSS_CONTINUE)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_string(ssh, send_tok.value,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ send_tok.length)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("failed to construct packet: %s", ssh_err(r));
</span> + }
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_send();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_send(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("failed to send packet: %s", ssh_err(r));
</span> + gss_release_buffer(&min_status, &send_tok);
+
+ /* If we've sent them data, they should reply */
+ do {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ type = packet_read();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ type = ssh_packet_read(ssh);
</span> + if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
+ debug("Received KEXGSS_HOSTKEY");
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (serverhostkey)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (server_host_key_blob)
</span> + fatal("Server host key received more than once");
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ serverhostkey =
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_get_string(&slen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_getb_froms(ssh, &server_host_key_blob)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Failed to read server host key: %s", ssh_err(r));
</span> + }
+ } while (type == SSH2_MSG_KEXGSS_HOSTKEY);
+
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1530,39 +1701,55 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + debug("Received GSSAPI_CONTINUE");
+ if (maj_status == GSS_S_COMPLETE)
+ fatal("GSSAPI Continue received from server when complete");
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ recv_tok.value = packet_get_string(&strlen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ recv_tok.length = strlen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (maj_status == GSS_S_COMPLETE)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("GSSAPI Continue received from server when complete");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &recv_tok)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_end(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Failed to read token: %s", ssh_err(r));
</span> + break;
+ case SSH2_MSG_KEXGSS_COMPLETE:
+ debug("Received GSSAPI_COMPLETE");
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_get_bignum2(dh_server_pub);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ msg_tok.value = packet_get_string(&strlen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ msg_tok.length = strlen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (msg_tok.value != NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Received GSSAPI_COMPLETE twice?");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_getb_froms(ssh, &server_blob)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &msg_tok)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Failed to read message: %s", ssh_err(r));
</span> +
+ /* Is there a token included? */
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (packet_get_char()) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ recv_tok.value =
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_get_string(&strlen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ recv_tok.length = strlen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_get_u8(ssh, &c)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (c) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = ssh_gssapi_sshpkt_get_buffer_desc(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh, &recv_tok)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (KEX_GSS_GEX_SHA1 == kex->kex_type &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_end(ssh)) != 0))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Failed to read token: %s", ssh_err(r));
</span> + /* If we're already complete - protocol error */
+ if (maj_status == GSS_S_COMPLETE)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_disconnect("Protocol error: received token when complete");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ } else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* No token included */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (maj_status != GSS_S_COMPLETE)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_disconnect("Protocol error: did not receive final token");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshpkt_disconnect(ssh, "Protocol error: received token when complete");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* No token included */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (maj_status != GSS_S_COMPLETE)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshpkt_disconnect(ssh, "Protocol error: did not receive final token");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_get_end(ssh)) != 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Expecting end of packet.");
</span> + }
+ break;
+ case SSH2_MSG_KEXGSS_ERROR:
+ debug("Received Error");
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ maj_status = packet_get_int();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ min_status = packet_get_int();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ msg = packet_get_string(NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ lang = packet_get_string(NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("GSSAPI Error: \n%.400s",msg);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_get_u32(ssh, &maj_status)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_u32(ssh, &min_status)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_string(ssh, &msg, NULL)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_string(ssh, NULL, NULL)) != 0 || /* lang tag */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_end(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt_get failed: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("GSSAPI Error: \n%.400s", msg);
</span> + default:
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_disconnect("Protocol error: didn't expect packet type %d",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ type);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshpkt_disconnect(ssh, "Protocol error: didn't expect packet type %d",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ type);
</span> + }
+ token_ptr = &recv_tok;
+ } else {
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1580,60 +1767,82 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + if (type != SSH2_MSG_KEXGSS_COMPLETE)
+ fatal("Didn't receive a SSH2_MSG_KEXGSS_COMPLETE when I expected it");
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Check f in range [1, p-1] */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!dh_pub_is_valid(dh, dh_server_pub))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_disconnect("bad server public DH value");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* compute K=f^x mod p */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ klen = DH_size(dh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kbuf = xmalloc(klen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kout = DH_compute_key(kbuf, dh_server_pub, dh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((int)kout < 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("DH_compute_key: failed");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ shared_secret = BN_new();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (shared_secret == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("kexgss_client: BN_new failed");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("kexdh_client: BN_bin2bn failed");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ memset(kbuf, 0, klen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(kbuf);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hashlen = sizeof(hash);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* 7. C verifies that the key Q_S is valid */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* 8. C computes shared secret */
</span> + switch (kex->kex_type) {
+ case KEX_GSS_GRP1_SHA1:
+ case KEX_GSS_GRP14_SHA1:
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex_dh_hash(kex->hash_alg, kex->client_version_string,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->server_version_string,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_ptr(kex->my), buffer_len(kex->my),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_ptr(kex->peer), buffer_len(kex->peer),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (serverhostkey ? serverhostkey : empty), slen,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh->pub_key, /* e */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh_server_pub, /* f */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ shared_secret, /* K */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hash, &hashlen
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ );
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GRP14_SHA256:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GRP16_SHA512:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ r = kex_dh_dec(kex, server_blob, &shared_secret);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_C25519_SHA256:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (sshbuf_ptr(server_blob)[sshbuf_len(server_blob)] & 0x80)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("The received key has MSB of last octet set!");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ r = kex_c25519_dec(kex, server_blob, &shared_secret);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_NISTP256_SHA256:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (sshbuf_len(server_blob) != 65)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("The received NIST-P256 key did not match"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "expected length (expected 65, got %zu)", sshbuf_len(server_blob));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (sshbuf_ptr(server_blob)[0] != POINT_CONVERSION_UNCOMPRESSED)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("The received NIST-P256 key does not have first octet 0x04");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ r = kex_ecdh_dec(kex, server_blob, &shared_secret);
</span> + break;
+ case KEX_GSS_GEX_SHA1:
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kexgex_hash(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((buf = sshbuf_new()) == NULL ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshbuf_put_stringb(buf, server_blob)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshbuf_get_bignum2(buf, &dh_server_pub)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto out;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_free(buf);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((shared_secret = sshbuf_new()) == NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ r = SSH_ERR_ALLOC_FAIL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto out;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ r = kex_dh_compute_key(kex, dh_server_pub, shared_secret);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ r = SSH_ERR_INVALID_ARGUMENT;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (r != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto out;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hashlen = sizeof(hash);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (KEX_GSS_GEX_SHA1 == kex->kex_type) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = kexgex_hash(
</span> + kex->hash_alg,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->client_version_string,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->server_version_string,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_ptr(kex->my), buffer_len(kex->my),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_ptr(kex->peer), buffer_len(kex->peer),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (serverhostkey ? serverhostkey : empty), slen,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ min, nbits, max,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh->p, dh->g,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh->pub_key,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->client_version,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->server_version,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->my,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->peer,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (server_host_key_blob ? server_host_key_blob : empty),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->min, kex->nbits, kex->max,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dh_p, dh_g,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pub_key,
</span> + dh_server_pub,
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_ptr(shared_secret), sshbuf_len(shared_secret),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hash, &hashlen)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Failed to calculate hash: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = kex_gen_hash(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->hash_alg,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->client_version,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->server_version,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->my,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->peer,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (server_host_key_blob ? server_host_key_blob : empty),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->client_pub,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ server_blob,
</span> + shared_secret,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hash, &hashlen
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ );
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ default:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hash, &hashlen)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
</span> + }
+
+ gssbuf.value = hash;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1641,16 +1850,12 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +
+ /* Verify that the hash matches the MIC we just got. */
+ if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_disconnect("Hash's MIC didn't verify");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(msg_tok.value);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshpkt_disconnect(ssh, "Hash's MIC didn't verify");
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ DH_free(dh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(serverhostkey);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ BN_clear_free(dh_server_pub);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_release_buffer(&min_status, &msg_tok);
</span> +
+ /* save session id */
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (kex->session_id == NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((KEX_GSS_GEX_SHA1 == kex->kex_type) && (kex->session_id == NULL)) {
</span> + kex->session_id_len = hashlen;
+ kex->session_id = xmalloc(kex->session_id_len);
+ memcpy(kex->session_id, hash, kex->session_id_len);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1664,15 +1869,29 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + else
+ ssh_gssapi_delete_ctx(&ctxt);
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex_derive_keys_bn(ssh, hash, hashlen, shared_secret);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ BN_clear_free(shared_secret);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return kex_send_newkeys(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Finally derive the keys and send them */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ r = kex_send_newkeys(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++out:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ explicit_bzero(hash, sizeof(hash));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ explicit_bzero(kex->c25519_client_key, sizeof(kex->c25519_client_key));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ DH_free(kex->dh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->dh = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BN_clear_free(dh_server_pub);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_free(empty);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_free(server_host_key_blob);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_free(server_blob);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_free(shared_secret);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_free(kex->client_pub);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->client_pub = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return r;
</span> +}
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif /* GSSAPI */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
</span> --- /dev/null 1970-01-01 00:00:00.000000000 +0000
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/kexgsss.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -0,0 +1,300 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/kexgsss.c 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -0,0 +1,345 @@
</span> +/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ *
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1699,7 +1918,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +
+#include "includes.h"
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#if defined(GSSAPI) && defined(WITH_OPENSSL)
</span> +
+#include <string.h>
+
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1707,9 +1926,9 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +#include <openssl/bn.h>
+
+#include "xmalloc.h"
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "buffer.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "sshbuf.h"
</span> +#include "ssh2.h"
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "key.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "sshkey.h"
</span> +#include "cipher.h"
+#include "kex.h"
+#include "log.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1717,9 +1936,10 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +#include "dh.h"
+#include "ssh-gss.h"
+#include "monitor_wrap.h"
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "misc.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
</span> +#include "servconf.h"
+#include "digest.h"
<span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "ssherr.h"
</span> +
+extern ServerOptions options;
+
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1742,13 +1962,14 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + gss_buffer_desc gssbuf, recv_tok, msg_tok;
+ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
+ Gssctxt *ctxt = NULL;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_int slen, klen, kout;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_char *kbuf;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ DH *dh;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshbuf *shared_secret = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshbuf *client_pubkey = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshbuf *server_pubkey = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshbuf *empty = sshbuf_new();
</span> + int min = -1, max = -1, nbits = -1;
+ int cmin = -1, cmax = -1; /* client proposal */
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ BIGNUM *shared_secret = NULL;
</span> + BIGNUM *dh_client_pub = NULL;
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ const BIGNUM *pub_key, *dh_p, *dh_g;
</span> + int type = 0;
+ gss_OID oid;
+ char *mechs;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1776,66 +1997,105 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
+ fatal("Unable to acquire credentials for the server");
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ switch (kex->kex_type) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GRP1_SHA1:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh = dh_new_group1();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GRP14_SHA1:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh = dh_new_group14();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GEX_SHA1:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (KEX_GSS_GEX_SHA1 == kex->kex_type) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* 5. S generates an ephemeral key pair (do the allocations early) */
</span> + debug("Doing group exchange");
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_read_expect(SSH2_MSG_KEXGSS_GROUPREQ);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_packet_read_expect(ssh, SSH2_MSG_KEXGSS_GROUPREQ);
</span> + /* store client proposal to provide valid signature */
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ cmin = packet_get_int();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ nbits = packet_get_int();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ cmax = packet_get_int();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_get_u32(ssh, &cmin)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_u32(ssh, &nbits)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_u32(ssh, &cmax)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_end(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->nbits = nbits;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->min = cmin;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->max = cmax;
</span> + min = MAX(DH_GRP_MIN, cmin);
+ max = MIN(DH_GRP_MAX, cmax);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_check_eom();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ nbits = MAXIMUM(DH_GRP_MIN, nbits);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ nbits = MINIMUM(DH_GRP_MAX, nbits);
</span> + if (max < min || nbits < min || max < nbits)
+ fatal("GSS_GEX, bad parameters: %d !< %d !< %d",
+ min, nbits, max);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh = PRIVSEP(choose_dh(min, nbits, max));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (dh == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_disconnect("Protocol error: no matching group found");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->dh = PRIVSEP(choose_dh(min, nbits, max));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (kex->dh == NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshpkt_disconnect(ssh, "Protocol error: no matching group found");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Protocol error: no matching group found");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_start(SSH2_MSG_KEXGSS_GROUP);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_bignum2(dh->p);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_bignum2(dh->g);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_send();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_start(ssh, SSH2_MSG_KEXGSS_GROUP)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_bignum2(ssh, dh_p)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_bignum2(ssh, dh_g)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_send(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_write_wait();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ default:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = ssh_packet_write_wait(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("ssh_packet_write_wait: %s", ssh_err(r));
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh_gen_key(dh, kex->we_need * 8);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Compute our exchange value in parallel with the client */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = dh_gen_key(kex->dh, kex->we_need * 8)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto out;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span> +
+ do {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Wait SSH2_MSG_GSSAPI_INIT");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ type = packet_read();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Wait SSH2_MSG_KEXGSS_INIT");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ type = ssh_packet_read(ssh);
</span> + switch(type) {
+ case SSH2_MSG_KEXGSS_INIT:
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (dh_client_pub != NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("Received KEXGSS_INIT after initialising");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ recv_tok.value = packet_get_string(&slen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ recv_tok.length = slen;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((dh_client_pub = BN_new()) == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("dh_client_pub == NULL");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (KEX_GSS_GEX_SHA1 == kex->kex_type) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (dh_client_pub != NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Received KEXGSS_INIT after initialising");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &recv_tok)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_bignum2(ssh, &dh_client_pub)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_end(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (client_pubkey != NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Received KEXGSS_INIT after initialising");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &recv_tok)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_getb_froms(ssh, &client_pubkey)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_end(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_get_bignum2(dh_client_pub);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ switch (kex->kex_type) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GRP1_SHA1:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GRP14_SHA1:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GRP14_SHA256:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GRP16_SHA512:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ r = kex_dh_enc(kex, client_pubkey, &server_pubkey,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &shared_secret);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_NISTP256_SHA256:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ r = kex_ecdh_enc(kex, client_pubkey, &server_pubkey,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &shared_secret);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_C25519_SHA256:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ r = kex_c25519_enc(kex, client_pubkey, &server_pubkey,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &shared_secret);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GEX_SHA1:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (r != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto out;
</span> +
+ /* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */
+ break;
+ case SSH2_MSG_KEXGSS_CONTINUE:
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ recv_tok.value = packet_get_string(&slen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ recv_tok.length = slen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &recv_tok)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_end(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span> + break;
+ default:
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_disconnect(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshpkt_disconnect(ssh,
</span> + "Protocol error: didn't expect packet type %d",
+ type);
+ }
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1843,28 +2103,31 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok,
+ &send_tok, &ret_flags));
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(recv_tok.value);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_release_buffer(&min_status, &recv_tok);
</span> +
+ if (maj_status != GSS_S_COMPLETE && send_tok.length == 0)
+ fatal("Zero length token output when incomplete");
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (dh_client_pub == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (((KEX_GSS_GEX_SHA1 == kex->kex_type) && (dh_client_pub == NULL)) ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ((KEX_GSS_GEX_SHA1 != kex->kex_type) && (client_pubkey == NULL)))
</span> + fatal("No client public key");
+
+ if (maj_status & GSS_S_CONTINUE_NEEDED) {
+ debug("Sending GSSAPI_CONTINUE");
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_start(SSH2_MSG_KEXGSS_CONTINUE);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_string(send_tok.value, send_tok.length);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_send();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_start(ssh, SSH2_MSG_KEXGSS_CONTINUE)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_string(ssh, send_tok.value, send_tok.length)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_send(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span> + gss_release_buffer(&min_status, &send_tok);
+ }
+ } while (maj_status & GSS_S_CONTINUE_NEEDED);
+
+ if (GSS_ERROR(maj_status)) {
+ if (send_tok.length > 0) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_start(SSH2_MSG_KEXGSS_CONTINUE);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_string(send_tok.value, send_tok.length);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_send();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_start(ssh, SSH2_MSG_KEXGSS_CONTINUE)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_string(ssh, send_tok.value, send_tok.length)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_send(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span> + }
+ fatal("accept_ctx died");
+ }
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1875,82 +2138,75 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + if (!(ret_flags & GSS_C_INTEG_FLAG))
+ fatal("Integrity flag wasn't set");
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!dh_pub_is_valid(dh, dh_client_pub))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_disconnect("bad client public DH value");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ klen = DH_size(dh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kbuf = xmalloc(klen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kout = DH_compute_key(kbuf, dh_client_pub, dh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((int)kout < 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("DH_compute_key: failed");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ shared_secret = BN_new();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (shared_secret == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("kexgss_server: BN_new failed");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("kexgss_server: BN_bin2bn failed");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (KEX_GSS_GEX_SHA1 == kex->kex_type) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* calculate shared secret */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((shared_secret = sshbuf_new()) == NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ r = SSH_ERR_ALLOC_FAIL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto out;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = kex_dh_compute_key(kex, dh_client_pub, shared_secret)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto out;
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ memset(kbuf, 0, klen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(kbuf);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ DH_get0_key(kex->dh, &pub_key, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span> +
+ hashlen = sizeof(hash);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ switch (kex->kex_type) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GRP1_SHA1:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GRP14_SHA1:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex_dh_hash(kex->hash_alg,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->client_version_string, kex->server_version_string,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_ptr(kex->peer), buffer_len(kex->peer),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_ptr(kex->my), buffer_len(kex->my),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ NULL, 0, /* Change this if we start sending host keys */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh_client_pub, dh->pub_key, shared_secret,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hash, &hashlen
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ );
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GEX_SHA1:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kexgex_hash(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (KEX_GSS_GEX_SHA1 == kex->kex_type) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = kexgex_hash(
</span> + kex->hash_alg,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->client_version_string, kex->server_version_string,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_ptr(kex->peer), buffer_len(kex->peer),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_ptr(kex->my), buffer_len(kex->my),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ NULL, 0,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->client_version,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->server_version,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->peer,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->my,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ empty,
</span> + cmin, nbits, cmax,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh->p, dh->g,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dh_p, dh_g,
</span> + dh_client_pub,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh->pub_key,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ shared_secret,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hash, &hashlen
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ );
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ default:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pub_key,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_ptr(shared_secret), sshbuf_len(shared_secret),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hash, &hashlen)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("kexgex_hash failed: %s", ssh_err(r));
</span> + }
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ BN_clear_free(dh_client_pub);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (kex->session_id == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->session_id_len = hashlen;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->session_id = xmalloc(kex->session_id_len);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ memcpy(kex->session_id, hash, kex->session_id_len);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = kex_gen_hash(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->hash_alg,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->client_version,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->server_version,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->peer,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->my,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ empty,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ client_pubkey,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ server_pubkey,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ shared_secret,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hash, &hashlen)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto out;
</span> + }
+
+ gssbuf.value = hash;
+ gssbuf.length = hashlen;
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt,&gssbuf,&msg_tok))))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt, &gssbuf, &msg_tok))))
</span> + fatal("Couldn't get MIC");
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_start(SSH2_MSG_KEXGSS_COMPLETE);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_bignum2(dh->pub_key);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_string(msg_tok.value,msg_tok.length);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_start(ssh, SSH2_MSG_KEXGSS_COMPLETE)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ((KEX_GSS_GEX_SHA1 == kex->kex_type) &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_bignum2(ssh, pub_key)) != 0) ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ((KEX_GSS_GEX_SHA1 != kex->kex_type) &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_stringb(ssh, server_pubkey)) != 0) ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_string(ssh, msg_tok.value, msg_tok.length)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span> +
+ if (send_tok.length != 0) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_char(1); /* true */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_string(send_tok.value, send_tok.length);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_put_u8(ssh, 1)) != 0 || /* true */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_string(ssh, send_tok.value, send_tok.length)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span> + } else {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_char(0); /* false */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_put_u8(ssh, 0)) != 0) /* false */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span> + }
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_send();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_send(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span> +
+ gss_release_buffer(&min_status, &send_tok);
+ gss_release_buffer(&min_status, &msg_tok);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1960,31 +2216,39 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + else
+ ssh_gssapi_delete_ctx(&ctxt);
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ DH_free(dh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex_derive_keys_bn(ssh, hash, hashlen, shared_secret);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ BN_clear_free(shared_secret);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ r = kex_send_newkeys(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Finally derive the keys and send them */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ r = kex_send_newkeys(ssh);
</span> +
+ /* If this was a rekey, then save out any delegated credentials we
+ * just exchanged. */
+ if (options.gss_store_rekey)
+ ssh_gssapi_rekey_creds();
<span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++out:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_free(empty);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ explicit_bzero(hash, sizeof(hash));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ DH_free(kex->dh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->dh = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BN_clear_free(dh_client_pub);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_free(shared_secret);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_free(client_pubkey);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_free(server_pubkey);
</span> + return r;
+}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif /* GSSAPI */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/monitor.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/monitor.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int mm_answer_gss_accept_ctx(int, Buffer *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int mm_answer_gss_userok(int, Buffer *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int mm_answer_gss_checkmic(int, Buffer *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int mm_answer_gss_sign(int, Buffer *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int mm_answer_gss_updatecreds(int, Buffer *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/monitor.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/monitor.c 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -147,6 +147,8 @@ int mm_answer_gss_setup_ctx(struct ssh *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int mm_answer_gss_accept_ctx(struct ssh *, int, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int mm_answer_gss_userok(struct ssh *, int, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int mm_answer_gss_checkmic(struct ssh *, int, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int mm_answer_gss_sign(struct ssh *, int, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int mm_answer_gss_updatecreds(struct ssh *, int, struct sshbuf *);
</span> #endif
#ifdef SSH_AUDIT_EVENTS
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -230,11 +232,18 @@ struct mon_table mon_dispatch_proto20[]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -219,11 +221,18 @@ struct mon_table mon_dispatch_proto20[]
</span> {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
{MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok},
{MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2003,7 +2267,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> #ifdef WITH_OPENSSL
{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
#endif
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -302,6 +311,10 @@ monitor_child_preauth(Authctxt *_authctx
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -292,6 +301,10 @@ monitor_child_preauth(struct ssh *ssh, s
</span> /* Permit requests for moduli and signatures */
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2014,7 +2278,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span>
/* The first few requests do not require asynchronous access */
while (!authenticated) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -408,6 +421,10 @@ monitor_child_postauth(struct monitor *p
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -405,6 +418,10 @@ monitor_child_postauth(struct ssh *ssh,
</span> monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2023,45 +2287,49 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
+#endif
<span style='display:block; white-space:pre;background:#ffe0e0;'>- if (!no_pty_flag) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (auth_opts->permit_pty_flag) {
</span> monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1626,6 +1643,13 @@ monitor_apply_keystate(struct monitor *p
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1689,6 +1706,17 @@ monitor_apply_keystate(struct ssh *ssh,
</span> # endif
#endif /* WITH_OPENSSL */
<span style='display:block; white-space:pre;background:#ffe0e0;'>- kex->kex[KEX_C25519_SHA256] = kexc25519_server;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex->kex[KEX_C25519_SHA256] = kex_gen_server;
</span> +#ifdef GSSAPI
+ if (options.gss_keyex) {
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server;
</span> + kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->kex[KEX_GSS_NISTP256_SHA256] = kexgss_server;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->kex[KEX_GSS_C25519_SHA256] = kexgss_server;
</span> + }
+#endif
<span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server;
</span> kex->load_host_public_key=&get_hostkey_public_by_type;
kex->load_host_private_key=&get_hostkey_private_by_type;
<span style='display:block; white-space:pre;background:#ffe0e0;'>- kex->host_key_index=&get_hostkey_index;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1714,8 +1738,8 @@ mm_answer_gss_setup_ctx(int sock, Buffer
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- OM_uint32 major;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- u_int len;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1780,8 +1808,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ u_char *p;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int r;
</span>
- if (!options.gss_authentication)
- fatal("%s: GSSAPI authentication not enabled", __func__);
+ if (!options.gss_authentication && !options.gss_keyex)
+ fatal("%s: GSSAPI not enabled", __func__);
<span style='display:block; white-space:pre;background:#ffe0e0;'>- goid.elements = buffer_get_string(m, &len);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- goid.length = len;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1744,8 +1768,8 @@ mm_answer_gss_accept_ctx(int sock, Buffe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((r = sshbuf_get_string(m, &p, &len)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1813,8 +1841,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh
</span> OM_uint32 flags = 0; /* GSI needs this */
<span style='display:block; white-space:pre;background:#ffe0e0;'>- u_int len;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int r;
</span>
- if (!options.gss_authentication)
- fatal("%s: GSSAPI authentication not enabled", __func__);
+ if (!options.gss_authentication && !options.gss_keyex)
+ fatal("%s: GSSAPI not enabled", __func__);
<span style='display:block; white-space:pre;background:#ffe0e0;'>- in.value = buffer_get_string(m, &len);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- in.length = len;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1764,6 +1788,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1834,6 +1862,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh
</span> monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2069,19 +2337,23 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> }
return (0);
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1775,8 +1800,8 @@ mm_answer_gss_checkmic(int sock, Buffer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1845,8 +1874,8 @@ mm_answer_gss_checkmic(struct ssh *ssh,
</span> OM_uint32 ret;
<span style='display:block; white-space:pre;background:#ffe0e0;'>- u_int len;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int r;
</span>
- if (!options.gss_authentication)
- fatal("%s: GSSAPI authentication not enabled", __func__);
+ if (!options.gss_authentication && !options.gss_keyex)
+ fatal("%s: GSSAPI not enabled", __func__);
<span style='display:block; white-space:pre;background:#ffe0e0;'>- gssbuf.value = buffer_get_string(m, &len);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- gssbuf.length = len;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1805,10 +1830,11 @@ mm_answer_gss_userok(int sock, Buffer *m
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int authenticated;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1872,13 +1901,17 @@ mm_answer_gss_checkmic(struct ssh *ssh,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- int r, authenticated;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int r, authenticated, kex;
</span> const char *displayname;
- if (!options.gss_authentication)
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2090,30 +2362,51 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + fatal("%s: GSSAPI not enabled", __func__);
- authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshbuf_get_u32(m, &kex)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> + authenticated = authctxt->valid &&
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_gssapi_userok(authctxt->user, authctxt->pw);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_userok(authctxt->user, authctxt->pw, kex);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sshbuf_reset(m);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((r = sshbuf_put_u32(m, authenticated)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1887,7 +1920,11 @@ mm_answer_gss_userok(struct ssh *ssh, in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug3("%s: sending result %d", __func__, authenticated);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>- buffer_clear(m);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- buffer_put_int(m, authenticated);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1824,5 +1850,76 @@ mm_answer_gss_userok(int sock, Buffer *m
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- auth_method = "gssapi-with-mic";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (kex) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ auth_method = "gssapi-keyex";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ auth_method = "gssapi-with-mic";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((displayname = ssh_gssapi_displayname()) != NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ auth2_record_info(authctxt, "%s", displayname);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1895,5 +1932,85 @@ mm_answer_gss_userok(struct ssh *ssh, in
</span> /* Monitor loop will terminate if authenticated */
return (authenticated);
}
+
+int
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+mm_answer_gss_sign(int socket, Buffer *m)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++mm_answer_gss_sign(struct ssh *ssh, int socket, struct sshbuf *m)
</span> +{
+ gss_buffer_desc data;
+ gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
+ OM_uint32 major, minor;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_int len;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ size_t len;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_char *p = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int r;
</span> +
+ if (!options.gss_authentication && !options.gss_keyex)
+ fatal("%s: GSSAPI not enabled", __func__);
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ data.value = buffer_get_string(m, &len);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshbuf_get_string(m, &p, &len)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ data.value = p;
</span> + data.length = len;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (data.length != 20)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Lengths of SHA-1, SHA-256 and SHA-512 hashes that are used */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (data.length != 20 && data.length != 32 && data.length != 64)
</span> + fatal("%s: data length incorrect: %d", __func__,
+ (int) data.length);
+
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2127,9 +2420,11 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +
+ free(data.value);
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_clear(m);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_put_int(m, major);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_put_string(m, hash.value, hash.length);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_reset(m);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshbuf_put_u32(m, major)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshbuf_put_string(m, hash.value, hash.length)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span> +
+ mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
+
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2145,16 +2440,17 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +}
+
+int
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+mm_answer_gss_updatecreds(int socket, Buffer *m) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++mm_answer_gss_updatecreds(struct ssh *ssh, int socket, struct sshbuf *m) {
</span> + ssh_gssapi_ccache store;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int ok;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int r, ok;
</span> +
+ if (!options.gss_authentication && !options.gss_keyex)
+ fatal("%s: GSSAPI not enabled", __func__);
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ store.filename = buffer_get_string(m, NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ store.envvar = buffer_get_string(m, NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ store.envval = buffer_get_string(m, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshbuf_get_string(m, (u_char **)&store.filename, NULL)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshbuf_get_string(m, (u_char **)&store.envvar, NULL)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshbuf_get_string(m, (u_char **)&store.envval, NULL)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span> +
+ ok = ssh_gssapi_update_creds(&store);
+
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2162,8 +2458,9 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + free(store.envvar);
+ free(store.envval);
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_clear(m);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_put_int(m, ok);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_reset(m);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshbuf_put_u32(m, ok)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span> +
+ mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
+
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2172,9 +2469,9 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +
#endif /* GSSAPI */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/monitor.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/monitor.h 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -65,6 +65,9 @@ enum monitor_reqtype {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/monitor.h 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/monitor.h 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -63,6 +63,9 @@ enum monitor_reqtype {
</span> MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2183,19 +2480,27 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +
};
<span style='display:block; white-space:pre;background:#ffe0e0;'>- struct monitor {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/monitor_wrap.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/monitor_wrap.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -937,7 +937,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct ssh;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/monitor_wrap.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/monitor_wrap.c 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -978,13 +978,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
</span> }
int
-mm_ssh_gssapi_userok(char *user)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+mm_ssh_gssapi_userok(char *user, struct passwd *pw)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++mm_ssh_gssapi_userok(char *user, struct passwd *pw, int kex)
</span> {
<span style='display:block; white-space:pre;background:#ffe0e0;'>- Buffer m;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int authenticated = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -954,5 +954,50 @@ mm_ssh_gssapi_userok(char *user)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct sshbuf *m;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int r, authenticated = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((m = sshbuf_new()) == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal("%s: sshbuf_new failed", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshbuf_put_u32(m, kex)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mm_request_receive_expect(pmonitor->m_recvfd,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -997,4 +999,57 @@ mm_ssh_gssapi_userok(char *user)
</span> debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
return (authenticated);
}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2203,75 +2508,90 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +OM_uint32
+mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash)
+{
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Buffer m;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshbuf *m;
</span> + OM_uint32 major;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_int len;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int r;
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_init(&m);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_put_string(&m, data->value, data->length);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((m = sshbuf_new()) == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: sshbuf_new failed", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshbuf_put_string(m, data->value, data->length)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, &m);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, &m);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, m);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, m);
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ major = buffer_get_int(&m);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hash->value = buffer_get_string(&m, &len);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hash->length = len;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshbuf_get_u32(m, &major)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = ssh_gssapi_get_buffer_desc(m, hash)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_free(&m);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_free(m);
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return(major);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return (major);
</span> +}
+
+int
+mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
+{
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Buffer m;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int ok;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshbuf *m;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int r, ok;
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_init(&m);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((m = sshbuf_new()) == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: sshbuf_new failed", __func__);
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_put_cstring(&m, store->filename ? store->filename : "");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_put_cstring(&m, store->envvar ? store->envvar : "");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_put_cstring(&m, store->envval ? store->envval : "");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshbuf_put_cstring(m,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ store->filename ? store->filename : "")) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshbuf_put_cstring(m,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ store->envvar ? store->envvar : "")) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshbuf_put_cstring(m,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ store->envval ? store->envval : "")) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, &m);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, &m);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, m);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, m);
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ok = buffer_get_int(&m);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshbuf_get_u32(m, &ok)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_free(&m);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_free(m);
</span> +
+ return (ok);
+}
+
#endif /* GSSAPI */
<span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/monitor_wrap.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/monitor_wrap.h 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -57,8 +57,10 @@ int mm_sshkey_verify(const struct sshkey
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/monitor_wrap.h 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/monitor_wrap.h 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -63,8 +63,10 @@ int mm_sshkey_verify(const struct sshkey
</span> OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
-int mm_ssh_gssapi_userok(char *user);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+int mm_ssh_gssapi_userok(char *user, struct passwd *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int mm_ssh_gssapi_userok(char *user, struct passwd *, int kex);
</span> OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
+OM_uint32 mm_ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
+int mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *);
#endif
#ifdef USE_PAM
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/readconf.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/readconf.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -160,6 +160,8 @@ typedef enum {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/readconf.c 2019-10-16 06:22:19.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/readconf.c 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -67,6 +67,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "uidswap.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "myproposal.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "digest.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "ssh-gss.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Format of the configuration file:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -162,6 +163,8 @@ typedef enum {
</span> oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+ oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ oGssServerIdentity,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ oGssServerIdentity, oGssKexAlgorithms,
</span> oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
<span style='display:block; white-space:pre;background:#ffe0e0;'>- oSendEnv, oControlPath, oControlMaster, oControlPersist,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
</span> oHashKnownHosts,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -202,10 +204,19 @@ static struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -205,10 +208,21 @@ static struct {
</span> /* Sometimes-unsupported options */
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2281,6 +2601,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + { "gssapiclientidentity", oGssClientIdentity },
+ { "gssapiserveridentity", oGssServerIdentity },
+ { "gssapirenewalforcesrekey", oGssRenewalRekey },
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "gssapikexalgorithms", oGssKexAlgorithms },
</span> # else
{ "gssapiauthentication", oUnsupported },
+ { "gssapikeyexchange", oUnsupported },
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2288,10 +2609,11 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + { "gssapitrustdns", oUnsupported },
+ { "gssapiclientidentity", oUnsupported },
+ { "gssapirenewalforcesrekey", oUnsupported },
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "gssapikexalgorithms", oUnsupported },
</span> #endif
#ifdef ENABLE_PKCS11
<span style='display:block; white-space:pre;background:#ffe0e0;'>- { "smartcarddevice", oPKCS11Provider },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -982,10 +993,30 @@ parse_time:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "pkcs11provider", oPKCS11Provider },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -994,10 +1008,42 @@ parse_time:
</span> intptr = &options->gss_authentication;
goto parse_flag;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2319,10 +2641,22 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + intptr = &options->gss_renewal_rekey;
+ goto parse_flag;
+
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ case oGssKexAlgorithms:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ arg = strdelim(&s);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!arg || *arg == '\0')
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%.200s line %d: Missing argument.",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ filename, linenum);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!kex_gss_names_valid(arg))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ filename, linenum, arg ? arg : "<NONE>");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (*activep && options->gss_kex_algorithms == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->gss_kex_algorithms = xstrdup(arg);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1802,7 +1833,12 @@ initialize_options(Options * options)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1875,7 +1921,13 @@ initialize_options(Options * options)
</span> options->pubkey_authentication = -1;
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2332,10 +2666,11 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + options->gss_renewal_rekey = -1;
+ options->gss_client_identity = NULL;
+ options->gss_server_identity = NULL;
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->gss_kex_algorithms = NULL;
</span> options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1945,8 +1981,14 @@ fill_default_options(Options * options)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2024,8 +2076,18 @@ fill_default_options(Options * options)
</span> options->challenge_response_authentication = 1;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2347,12 +2682,31 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + options->gss_trust_dns = 0;
+ if (options->gss_renewal_rekey == -1)
+ options->gss_renewal_rekey = 0;
<span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->gss_kex_algorithms == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span> if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/readconf.h 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/readconf.h 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -42,7 +42,12 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2645,7 +2707,14 @@ dump_client_config(Options *o, const cha
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dump_cfg_fmtint(oGssKeyEx, o->gss_keyex);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ dump_cfg_fmtint(oGssDelegateCreds, o->gss_deleg_creds);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dump_cfg_fmtint(oGssTrustDns, o->gss_trust_dns);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dump_cfg_fmtint(oGssRenewalRekey, o->gss_renewal_rekey);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dump_cfg_string(oGssClientIdentity, o->gss_client_identity);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dump_cfg_string(oGssServerIdentity, o->gss_server_identity);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dump_cfg_string(oGssKexAlgorithms, o->gss_kex_algorithms ?
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ o->gss_kex_algorithms : GSS_KEX_DEFAULT_KEX);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif /* GSSAPI */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/readconf.h 2019-10-16 06:22:19.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/readconf.h 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -40,7 +40,13 @@ typedef struct {
</span> int challenge_response_authentication;
/* Try S/Key or TIS, authentication. */
int gss_authentication; /* Try GSS authentication */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2360,14 +2714,23 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> int gss_deleg_creds; /* Delegate GSS credentials */
+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
+ int gss_renewal_rekey; /* Credential renewal forces rekey */
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *gss_client_identity; /* Principal to initiate GSSAPI with */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *gss_server_identity; /* GSSAPI target principal */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *gss_client_identity; /* Principal to initiate GSSAPI with */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *gss_server_identity; /* GSSAPI target principal */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *gss_kex_algorithms; /* GSSAPI kex methods to be offered by client. */
</span> int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/servconf.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/servconf.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -113,8 +113,10 @@ initialize_server_options(ServerOptions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/servconf.c 2019-10-16 06:22:15.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/servconf.c 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -64,6 +64,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "auth.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "myproposal.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "digest.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "ssh-gss.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static void add_listen_addr(ServerOptions *, const char *,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const char *, int);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -124,8 +125,11 @@ initialize_server_options(ServerOptions
</span> options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1;
options->gss_authentication=-1;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2375,10 +2738,11 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> options->gss_cleanup_creds = -1;
options->gss_strict_acceptor = -1;
+ options->gss_store_rekey = -1;
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->gss_kex_algorithms = NULL;
</span> options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -268,10 +270,14 @@ fill_default_server_options(ServerOption
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -351,10 +355,18 @@ fill_default_server_options(ServerOption
</span> options->kerberos_get_afs_token = 0;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2390,36 +2754,45 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> options->gss_strict_acceptor = 1;
+ if (options->gss_store_rekey == -1)
+ options->gss_store_rekey = 0;
<span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->gss_kex_algorithms == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span> if (options->password_authentication == -1)
<span style='display:block; white-space:pre;background:#ffe0e0;'>- options->password_authentication = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->password_authentication = 1;
</span> if (options->kbd_interactive_authentication == -1)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -410,6 +416,7 @@ typedef enum {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -498,6 +510,7 @@ typedef enum {
</span> sHostKeyAlgorithms,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sGssKeyEx, sGssStoreRekey,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sAcceptEnv, sPermitTunnel,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sAcceptEnv, sSetEnv, sPermitTunnel,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
</span> sUsePrivilegeSeparation, sAllowAgentForwarding,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -485,11 +492,17 @@ static struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -572,12 +585,22 @@ static struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef GSSAPI
</span> { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
</span> { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+ { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+ { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "gssapikexalgorithms", sGssKexAlgorithms, SSHCFG_GLOBAL },
</span> #else
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
</span> { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "gssapikexalgorithms", sUnsupported, SSHCFG_GLOBAL },
</span> #endif
+ { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1253,6 +1266,10 @@ process_server_config_line(ServerOptions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1488,6 +1511,10 @@ process_server_config_line(ServerOptions
</span> intptr = &options->gss_authentication;
goto parse_flag;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2430,7 +2803,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> case sGssCleanupCreds:
intptr = &options->gss_cleanup_creds;
goto parse_flag;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1261,6 +1278,10 @@ process_server_config_line(ServerOptions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1496,6 +1523,22 @@ process_server_config_line(ServerOptions
</span> intptr = &options->gss_strict_acceptor;
goto parse_flag;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2438,23 +2811,35 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + intptr = &options->gss_store_rekey;
+ goto parse_flag;
+
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ case sGssKexAlgorithms:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ arg = strdelim(&cp);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!arg || *arg == '\0')
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%.200s line %d: Missing argument.",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ filename, linenum);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!kex_gss_names_valid(arg))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ filename, linenum, arg ? arg : "<NONE>");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (*activep && options->gss_kex_algorithms == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->gss_kex_algorithms = xstrdup(arg);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> case sPasswordAuthentication:
intptr = &options->password_authentication;
goto parse_flag;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2301,7 +2322,10 @@ dump_config(ServerOptions *o)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2585,6 +2628,10 @@ dump_config(ServerOptions *o)
</span> #ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
</span> dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
</span> + dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
+ dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ dump_cfg_string(sGssKexAlgorithms, o->gss_kex_algorithms);
</span> #endif
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
dump_cfg_fmtint(sKbdInteractiveAuthentication,
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/servconf.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/servconf.h 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -119,8 +119,10 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/servconf.h 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/servconf.h 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -126,8 +126,11 @@ typedef struct {
</span> int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */
int gss_authentication; /* If true, permit GSSAPI authentication */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2462,20 +2847,21 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> int gss_cleanup_creds; /* If true, destroy cred cache on logout */
int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
+ int gss_store_rekey;
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *gss_kex_algorithms; /* GSSAPI kex methods to be offered by client. */
</span> int password_authentication; /* If true, permit password
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh-gss.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh-gss.h 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh-gss.h 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh-gss.h 2019-10-16 06:45:17.000000000 +0200
</span> @@ -1,6 +1,6 @@
<span style='display:block; white-space:pre;background:#ffe0e0;'>- /* $OpenBSD: ssh-gss.h,v 1.12 2017/06/24 06:34:38 djm Exp $ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* $OpenBSD: ssh-gss.h,v 1.14 2018/07/10 09:13:30 djm Exp $ */
</span> /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -61,10 +61,22 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -61,10 +61,30 @@
</span>
#define SSH_GSS_OIDTYPE 0x06
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2488,7 +2874,15 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +#define SSH2_MSG_KEXGSS_GROUP 41
+#define KEX_GSS_GRP1_SHA1_ID "gss-group1-sha1-"
+#define KEX_GSS_GRP14_SHA1_ID "gss-group14-sha1-"
<span style='display:block; white-space:pre;background:#e0ffe0;'>++#define KEX_GSS_GRP14_SHA256_ID "gss-group14-sha256-"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define KEX_GSS_GRP16_SHA512_ID "gss-group16-sha512-"
</span> +#define KEX_GSS_GEX_SHA1_ID "gss-gex-sha1-"
<span style='display:block; white-space:pre;background:#e0ffe0;'>++#define KEX_GSS_NISTP256_SHA256_ID "gss-nistp256-sha256-"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define KEX_GSS_C25519_SHA256_ID "gss-curve25519-sha256-"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define GSS_KEX_DEFAULT_KEX \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ KEX_GSS_GEX_SHA1_ID "," \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ KEX_GSS_GRP14_SHA1_ID
</span> +
typedef struct {
char *filename;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2498,7 +2892,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> void *data;
} ssh_gssapi_ccache;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -72,8 +84,11 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -72,8 +92,11 @@ typedef struct {
</span> gss_buffer_desc displayname;
gss_buffer_desc exportedname;
gss_cred_id_t creds;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2510,7 +2904,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> } ssh_gssapi_client;
typedef struct ssh_gssapi_mech_struct {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -84,6 +99,7 @@ typedef struct ssh_gssapi_mech_struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -84,6 +107,7 @@ typedef struct ssh_gssapi_mech_struct {
</span> int (*userok) (ssh_gssapi_client *, char *);
int (*localname) (ssh_gssapi_client *, char **);
void (*storecreds) (ssh_gssapi_client *);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2518,7 +2912,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> } ssh_gssapi_mech;
typedef struct {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -94,10 +110,11 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -94,10 +118,11 @@ typedef struct {
</span> gss_OID oid; /* client */
gss_cred_id_t creds; /* server */
gss_name_t client; /* server */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2531,10 +2925,18 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span>
int ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -119,17 +136,33 @@ void ssh_gssapi_build_ctx(Gssctxt **);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- void ssh_gssapi_delete_ctx(Gssctxt **);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -109,6 +134,7 @@ OM_uint32 ssh_gssapi_test_oid_supported(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct sshbuf;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int ssh_gssapi_get_buffer_desc(struct sshbuf *, gss_buffer_desc *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int ssh_gssapi_sshpkt_get_buffer_desc(struct ssh *, gss_buffer_desc *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ OM_uint32 ssh_gssapi_init_ctx(Gssctxt *, int,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -123,17 +149,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **);
</span> OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
<span style='display:block; white-space:pre;background:#ffe0e0;'>- void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void ssh_gssapi_buildmic(struct sshbuf *, const char *,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const char *, const char *);
</span> -int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
+int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *);
+OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2543,15 +2945,15 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> /* In the server */
+typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *,
+ const char *);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+char *ssh_gssapi_client_mechanisms(const char *, const char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++char *ssh_gssapi_client_mechanisms(const char *, const char *, const char *);
</span> +char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ const char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const char *, const char *);
</span> +gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int);
+int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *,
+ const char *);
OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
-int ssh_gssapi_userok(char *name);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+int ssh_gssapi_userok(char *name, struct passwd *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int ssh_gssapi_userok(char *name, struct passwd *, int kex);
</span> OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_do_child(char ***, u_int *);
void ssh_gssapi_cleanup_creds(void);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2567,8 +2969,8 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> #endif /* GSSAPI */
#endif /* _SSH_GSS_H */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh_config 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh_config 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh_config 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh_config 2019-10-16 06:45:17.000000000 +0200
</span> @@ -24,6 +24,8 @@
# HostbasedAuthentication no
# GSSAPIAuthentication no
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2578,9 +2980,15 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> # BatchMode no
# CheckHostIP yes
# AddressFamily any
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh_config.5 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh_config.5 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -720,10 +720,42 @@ The default is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh_config.5 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh_config.5 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1,4 +1,4 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-.\"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++kex-gss\n.\"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .\" All rights reserved
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -758,10 +758,66 @@ The default is
</span> Specifies whether user authentication based on GSSAPI is allowed.
The default is
.Cm no .
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2593,11 +3001,6 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +If set, specifies the GSSAPI client identity that ssh should use when
+connecting to the server. The default is unset, which means that the default
+identity will be used.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+.It Cm GSSAPIServerIdentity
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+If set, specifies the GSSAPI server identity that ssh should expect when
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+connecting to the server. The default is unset, which means that the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+expected GSSAPI server identity will be determined from the target
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+hostname.
</span> .It Cm GSSAPIDelegateCredentials
Forward (delegate) credentials to the server.
The default is
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2608,8 +3011,22 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +then renewal of the client's GSSAPI credentials will force the rekeying of the
+ssh connection. With a compatible server, this can delegate the renewed
+credentials to a session on the server.
<span style='display:block; white-space:pre;background:#e0ffe0;'>++.Pp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Checks are made to ensure that credentials are only propagated when the new
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++credentials match the old ones on the originating client and where the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++receiving server still has the old set in its cache.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Pp
</span> +The default is
+.Cm no .
<span style='display:block; white-space:pre;background:#e0ffe0;'>++.Pp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++For this to work
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Cm GSSAPIKeyExchange
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++needs to be enabled in the server and also used by the client.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.It Cm GSSAPIServerIdentity
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++If set, specifies the GSSAPI server identity that ssh should expect when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++connecting to the server. The default is unset, which means that the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++expected GSSAPI server identity will be determined from the target
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++hostname.
</span> +.It Cm GSSAPITrustDns
+Set to
+.Cm yes
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2620,21 +3037,44 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +command line will be passed untouched to the GSSAPI library.
+The default is
+.Cm no .
<span style='display:block; white-space:pre;background:#e0ffe0;'>++.It Cm GSSAPIKexAlgorithms
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++The list of key exchange algorithms that are offered for GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++key exchange. Possible values are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Bd -literal -offset 3n
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++gss-gex-sha1-,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++gss-group1-sha1-,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++gss-group14-sha1-,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++gss-group14-sha256-,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++gss-group16-sha512-,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++gss-nistp256-sha256-,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++gss-curve25519-sha256-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Ed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Pp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++The default is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Dq gss-gex-sha1-,gss-group14-sha1- .
</span> .It Cm HashKnownHosts
Indicates that
.Xr ssh 1
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshconnect2.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshconnect2.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -73,6 +73,7 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "ssherr.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "utf8.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshconnect2.c 2019-10-16 06:22:19.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshconnect2.c 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -77,14 +77,13 @@
</span> #include "keychain.h"
<span style='display:block; white-space:pre;background:#e0ffe0;'>+ int found_in_keychain = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span> +#include "auth-compat.h"
#ifdef GSSAPI
#include "ssh-gss.h"
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -163,6 +164,11 @@ ssh_kex2(char *host, struct sockaddr *ho
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- struct kex *kex;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* import */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-extern char *client_version_string;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-extern char *server_version_string;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ extern Options options;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -166,6 +165,11 @@ ssh_kex2(struct ssh *ssh, char *host, st
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *s, *all_key;
</span> int r;
+#ifdef GSSAPI
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2645,11 +3085,11 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> xxx_host = host;
xxx_hostaddr = hostaddr;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -193,6 +199,35 @@ ssh_kex2(char *host, struct sockaddr *ho
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -198,6 +202,35 @@ ssh_kex2(struct ssh *ssh, char *host, st
</span> order_hostkeyalgs(host, hostaddr, port));
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#if defined(GSSAPI) && defined(WITH_OPENSSL)
</span> + if (options.gss_keyex) {
+ /* Add the GSSAPI mechanisms currently supported on this
+ * client to the key exchange algorithm proposal */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2658,11 +3098,12 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + if (options.gss_server_identity)
+ gss_host = xstrdup(options.gss_server_identity);
+ if (options.gss_trust_dns)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_host = xstrdup(auth_get_canonical_hostname(active_state, 1));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_host = xstrdup(auth_get_canonical_hostname(ssh, 1));
</span> + else
+ gss_host = xstrdup(host);
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss = ssh_gssapi_client_mechanisms(gss_host,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.gss_client_identity, options.gss_kex_algorithms);
</span> + if (gss) {
+ debug("Offering GSSAPI proposal: %s", gss);
+ xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2673,128 +3114,138 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
+ xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
+ "%s,null", orig);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(gss);
</span> + }
+ }
+#endif
+
if (options.rekey_limit || options.rekey_interval)
<span style='display:block; white-space:pre;background:#ffe0e0;'>- packet_set_rekey_limits(options.rekey_limit,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
</span> options.rekey_interval);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -214,10 +249,26 @@ ssh_kex2(char *host, struct sockaddr *ho
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -216,16 +249,46 @@ ssh_kex2(struct ssh *ssh, char *host, st
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # ifdef OPENSSL_HAS_ECC
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client;
</span> # endif
<span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex->kex[KEX_C25519_SHA256] = kexc25519_client;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# ifdef GSSAPI
</span> + if (options.gss_keyex) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_client;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_client;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->kex->kex[KEX_GSS_NISTP256_SHA256] = kexgss_client;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->kex->kex[KEX_GSS_C25519_SHA256] = kexgss_client;
</span> + }
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex->client_version_string=client_version_string;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex->server_version_string=server_version_string;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex->verify_host_key=&verify_host_key_callback;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* WITH_OPENSSL */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh->kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_client;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh->kex->verify_host_key=&verify_host_key_callback;
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#if defined(GSSAPI) && defined(WITH_OPENSSL)
</span> + if (options.gss_keyex) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->gss_deleg_creds = options.gss_deleg_creds;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->gss_trust_dns = options.gss_trust_dns;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->gss_client = options.gss_client_identity;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->gss_host = gss_host;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->kex->gss_deleg_creds = options.gss_deleg_creds;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->kex->gss_trust_dns = options.gss_trust_dns;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->kex->gss_client = options.gss_client_identity;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->kex->gss_host = gss_host;
</span> + }
+#endif
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_dispatch_run_fatal(active_state, DISPATCH_BLOCK, &kex->done);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &ssh->kex->done);
</span>
/* remove ext-info from the KEX proposals for rekeying */
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -312,6 +363,7 @@ int input_gssapi_token(int type, u_int32
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int input_gssapi_hash(int type, u_int32_t, struct ssh *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int input_gssapi_error(int, u_int32_t, struct ssh *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int input_gssapi_errtok(int, u_int32_t, struct ssh *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int userauth_gsskeyex(Authctxt *authctxt);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ myproposal[PROPOSAL_KEX_ALGS] =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ compat_kex_proposal(options.kex_algorithms);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#if defined(GSSAPI) && defined(WITH_OPENSSL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* repair myproposal after it was crumpled by the */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* ext-info removal above */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (gss) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ orig = myproposal[PROPOSAL_KEX_ALGS];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "%s,%s", gss, orig);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(gss);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal("kex_prop2buf: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -322,6 +385,7 @@ static int input_gssapi_response(int typ
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int input_gssapi_token(int type, u_int32_t, struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int input_gssapi_error(int, u_int32_t, struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int userauth_gsskeyex(struct ssh *);
</span> #endif
<span style='display:block; white-space:pre;background:#ffe0e0;'>- void userauth(Authctxt *, char *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -328,6 +380,11 @@ static char *authmethods_get(void);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void userauth(struct ssh *, char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -338,6 +402,11 @@ static char *authmethods_get(void);
</span>
Authmethod authmethods[] = {
#ifdef GSSAPI
+ {"gssapi-keyex",
+ userauth_gsskeyex,
+ NULL,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &options.gss_authentication,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &options.gss_keyex,
</span> + NULL},
{"gssapi-with-mic",
userauth_gssapi,
<span style='display:block; white-space:pre;background:#ffe0e0;'>- NULL,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -655,25 +712,40 @@ userauth_gssapi(Authctxt *authctxt)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static u_int mech = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ userauth_gssapi_cleanup,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -702,12 +771,24 @@ userauth_gssapi(struct ssh *ssh)
</span> OM_uint32 min;
<span style='display:block; white-space:pre;background:#ffe0e0;'>- int ok = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int r, ok = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ gss_OID mech = NULL;
</span> + char *gss_host;
+
+ if (options.gss_server_identity)
+ gss_host = xstrdup(options.gss_server_identity);
+ else if (options.gss_trust_dns)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_host = xstrdup(auth_get_canonical_hostname(active_state, 1));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_host = xstrdup(auth_get_canonical_hostname(ssh, 1));
</span> + else
+ gss_host = xstrdup(authctxt->host);
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
<span style='display:block; white-space:pre;background:#ffe0e0;'>- if (gss_supported == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- gss_indicate_mechs(&min, &gss_supported);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (GSS_ERROR(gss_indicate_mechs(&min, &gss_supported))) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_supported = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (authctxt->gss_supported_mechs == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- gss_indicate_mechs(&min, &authctxt->gss_supported_mechs);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (GSS_ERROR(gss_indicate_mechs(&min, &authctxt->gss_supported_mechs))) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ authctxt->gss_supported_mechs = NULL;
</span> + free(gss_host);
+ return 0;
+ }
<span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Check to see if the mechanism is usable before we offer it */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- while (mech < gss_supported->count && !ok) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Check to see whether the mechanism is usable before we offer it */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ while (authctxt->mech_tried < authctxt->gss_supported_mechs->count &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -716,13 +797,15 @@ userauth_gssapi(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ elements[authctxt->mech_tried];
</span> /* My DER encoding requires length<128 */
<span style='display:block; white-space:pre;background:#ffe0e0;'>- if (gss_supported->elements[mech].length < 128 &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- ssh_gssapi_check_mechanism(&gssctxt,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- &gss_supported->elements[mech], authctxt->host)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_gssapi_check_mechanism(&gssctxt,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &gss_supported->elements[mech], gss_host,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ options.gss_client_identity)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- mech, authctxt->host)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ mech, gss_host, options.gss_client_identity)) {
</span> ok = 1; /* Mechanism works */
} else {
<span style='display:block; white-space:pre;background:#ffe0e0;'>- mech++;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ authctxt->mech_tried++;
</span> }
}
+ free(gss_host);
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>- if (!ok)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!ok || mech == NULL)
</span> return 0;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -764,8 +836,8 @@ input_gssapi_response(int type, u_int32_
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Authctxt *authctxt = ssh->authctxt;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Gssctxt *gssctxt;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- int oidlen;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- char *oidv;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_int oidlen;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_char *oidv;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (authctxt == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- fatal("input_gssapi_response: no authentication context");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -878,6 +950,48 @@ input_gssapi_error(int type, u_int32_t p
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -962,6 +1045,55 @@ input_gssapi_error(int type, u_int32_t p
</span> free(lang);
<span style='display:block; white-space:pre;background:#ffe0e0;'>- return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return r;
</span> }
+
+int
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+userauth_gsskeyex(Authctxt *authctxt)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++userauth_gsskeyex(struct ssh *ssh)
</span> +{
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Buffer b;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshbuf *b = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Authctxt *authctxt = ssh->authctxt;
</span> + gss_buffer_desc gssbuf;
+ gss_buffer_desc mic = GSS_C_EMPTY_BUFFER;
+ OM_uint32 ms;
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ int r;
</span> +
+ static int attempt = 0;
+ if (attempt++ >= 1)
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2805,25 +3256,30 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + return (0);
+ }
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_gssapi_buildmic(&b, authctxt->server_user, authctxt->service,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((b = sshbuf_new()) == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: sshbuf_new failed", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_buildmic(b, authctxt->server_user, authctxt->service,
</span> + "gssapi-keyex");
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gssbuf.value = buffer_ptr(&b);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gssbuf.length = buffer_len(&b);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: sshbuf_mutable_ptr failed", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gssbuf.length = sshbuf_len(b);
</span> +
+ if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_free(&b);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_free(b);
</span> + return (0);
+ }
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_start(SSH2_MSG_USERAUTH_REQUEST);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_cstring(authctxt->server_user);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_cstring(authctxt->service);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_cstring(authctxt->method->name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_put_string(mic.value, mic.length);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_send();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_cstring(ssh, authctxt->server_user)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_cstring(ssh, authctxt->service)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_cstring(ssh, authctxt->method->name)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_string(ssh, mic.value, mic.length)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_send(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("%s: %s", __func__, ssh_err(r));
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ buffer_free(&b);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_free(b);
</span> + gss_release_buffer(&ms, &mic);
+
+ return (1);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2831,10 +3287,10 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +
#endif /* GSSAPI */
<span style='display:block; white-space:pre;background:#ffe0e0;'>- int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -122,6 +122,10 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd.c 2019-10-16 06:22:18.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd.c 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -123,6 +123,10 @@
</span> #include "version.h"
#include "ssherr.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2845,43 +3301,29 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> /* Re-exec fds */
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -529,7 +533,7 @@ privsep_preauth_child(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Cache supported mechanism OIDs for later use */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (options.gss_authentication)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.gss_authentication || options.gss_keyex)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_gssapi_prepare_supported_oids();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -870,8 +874,9 @@ notify_hostkeys(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -803,8 +807,8 @@ notify_hostkeys(struct ssh *ssh)
</span> }
<span style='display:block; white-space:pre;background:#ffe0e0;'>- debug3("%s: sent %d hostkeys", __func__, nkeys);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug3("%s: sent %u hostkeys", __func__, nkeys);
</span> if (nkeys == 0)
- fatal("%s: no hostkeys", __func__);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-- packet_send();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if ((r = sshpkt_send(ssh)) != 0)
</span> + debug3("%s: no hostkeys", __func__);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ packet_send();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else if ((r = sshpkt_send(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sshpkt_fatal(ssh, r, "%s: send", __func__);
</span> sshbuf_free(buf);
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1715,10 +1720,13 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1780,7 +1784,8 @@ main(int ac, char **av)
</span> free(fp);
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifndef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ accumulate_host_timing_secret(cfg, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (!sensitive_data.have_ssh2_key) {
</span> + /* The GSSAPI key exchange can run without a host key */
<span style='display:block; white-space:pre;background:#ffe0e0;'>- if (!sensitive_data.have_ssh2_key) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!sensitive_data.have_ssh2_key && !options.gss_keyex) {
</span> logit("sshd: no hostkeys available -- exiting.");
exit(1);
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * Load certificates. They are stored in an array at identical
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1994,6 +2002,60 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- remote_ip, remote_port, laddr, ssh_local_port(ssh));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2076,6 +2081,60 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ rdomain == NULL ? "" : "\"");
</span> free(laddr);
+#ifdef USE_SECURITY_SESSION_API
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2941,7 +3383,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> /*
* We don't want to listen forever unless the other side
* successfully authenticates itself. So we set up an alarm which is
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2177,6 +2239,48 @@ do_ssh2_kex(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2272,6 +2331,48 @@ do_ssh2_kex(struct ssh *ssh)
</span> myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
list_hostkey_types());
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2988,25 +3430,31 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +#endif
+
/* start key exchange */
<span style='display:block; white-space:pre;background:#ffe0e0;'>- if ((r = kex_setup(active_state, myproposal)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((r = kex_setup(ssh, myproposal)) != 0)
</span> fatal("kex_setup: %s", ssh_err(r));
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2194,6 +2298,13 @@ do_ssh2_kex(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2287,7 +2388,18 @@ do_ssh2_kex(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # ifdef OPENSSL_HAS_ECC
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
</span> # endif
<span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex->kex[KEX_C25519_SHA256] = kexc25519_server;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# ifdef GSSAPI
</span> + if (options.gss_keyex) {
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server;
</span> + kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->kex[KEX_GSS_NISTP256_SHA256] = kexgss_server;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->kex[KEX_GSS_C25519_SHA256] = kexgss_server;
</span> + }
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex->server = 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex->client_version_string=client_version_string;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex->server_version_string=server_version_string;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd_config 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd_config 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -71,6 +71,8 @@ AuthorizedKeysFile .ssh/authorized_keys
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* WITH_OPENSSL */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex->kex[KEX_C25519_SHA256] = kex_gen_server;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex->load_host_public_key=&get_hostkey_public_by_type;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd_config 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd_config 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -69,6 +69,8 @@ AuthorizedKeysFile .ssh/authorized_keys
</span> # GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3015,9 +3463,9 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span>
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd_config.5 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd_config.5 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -635,6 +635,11 @@ The default is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd_config.5 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd_config.5 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -650,6 +650,11 @@ The default is
</span> Specifies whether user authentication based on GSSAPI is allowed.
The default is
.Cm no .
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3029,7 +3477,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> .It Cm GSSAPICleanupCredentials
Specifies whether to automatically destroy the user's credentials cache
on logout.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -654,6 +659,11 @@ machine's default store.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -669,6 +674,30 @@ machine's default store.
</span> This facility is provided to assist with operation on multi homed machines.
The default is
.Cm yes .
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3038,20 +3486,39 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +successful connection rekeying. This option can be used to accepted renewed
+or updated credentials from a compatible client. The default is
+.Cm no .
<span style='display:block; white-space:pre;background:#e0ffe0;'>++.Pp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++For this to work
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Cm GSSAPIKeyExchange
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++needs to be enabled in the server and also used by the client.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.It Cm GSSAPIKexAlgorithms
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++The list of key exchange algorithms that are accepted by GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++key exchange. Possible values are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Bd -literal -offset 3n
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++gss-gex-sha1-,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++gss-group1-sha1-,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++gss-group14-sha1-,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++gss-group14-sha256-,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++gss-group16-sha512-,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++gss-nistp256-sha256-,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++gss-curve25519-sha256-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Ed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Pp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++The default is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Dq gss-gex-sha1-,gss-group14-sha1- .
</span> .It Cm HostbasedAcceptedKeyTypes
Specifies the key types that will be accepted for hostbased authentication
<span style='display:block; white-space:pre;background:#ffe0e0;'>- as a comma-separated pattern list.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshkey.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshkey.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -112,6 +112,7 @@ static const struct keytype keytypes[] =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ as a list of comma-separated patterns.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshkey.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshkey.c 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -145,6 +145,7 @@ static const struct keytype keytypes[] =
</span> # endif /* OPENSSL_HAS_NISTP521 */
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { "null", "null", KEY_NULL, 0, 0, 1 },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- { NULL, NULL, -1, -1, 0, 0 }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "null", "null", NULL, KEY_NULL, 0, 0, 0 },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { NULL, NULL, NULL, -1, -1, 0, 0 }
</span> };
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -200,7 +201,7 @@ sshkey_alg_list(int certs_only, int plai
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -233,7 +234,7 @@ sshkey_alg_list(int certs_only, int plai
</span> const struct keytype *kt;
for (kt = keytypes; kt->type != -1; kt++) {
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3060,19 +3527,19 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> continue;
if (!include_sigonly && kt->sigonly)
continue;
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshkey.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshkey.h 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -61,6 +61,7 @@ enum sshkey_types {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- KEY_DSA_CERT,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- KEY_ECDSA_CERT,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshkey.h 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshkey.h 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -65,6 +65,7 @@ enum sshkey_types {
</span> KEY_ED25519_CERT,
<span style='display:block; white-space:pre;background:#e0ffe0;'>+ KEY_XMSS,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ KEY_XMSS_CERT,
</span> + KEY_NULL,
KEY_UNSPEC
};
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/auth.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -395,7 +395,8 @@ auth_root_allowed(const char *method)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/auth.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth.c 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -399,7 +399,8 @@ auth_root_allowed(struct ssh *ssh, const
</span> case PERMIT_NO_PASSWD:
if (strcmp(method, "publickey") == 0 ||
strcmp(method, "hostbased") == 0 ||
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3082,12 +3549,10 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> return 1;
break;
case PERMIT_FORCED_ONLY:
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -726,117 +727,3 @@ fakepw(void)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return (&fake);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -724,120 +725,6 @@ fakepw(void)
</span> }
<span style='display:block; white-space:pre;background:#ffe0e0;'>--
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span> - * Returns the remote DNS hostname as a string. The returned string must not
- * be freed. NB. this will usually trigger a DNS query the first time it is
- * called.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3110,7 +3575,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> - fromlen = sizeof(from);
- memset(&from, 0, sizeof(from));
- if (getpeername(ssh_packet_get_connection_in(ssh),
<span style='display:block; white-space:pre;background:#ffe0e0;'>-- (struct sockaddr *)&from, &fromlen) < 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- (struct sockaddr *)&from, &fromlen) == -1) {
</span> - debug("getpeername failed: %.100s", strerror(errno));
- return strdup(ntop);
- }
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3200,9 +3665,14 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> - return dnsname;
- }
-}
<span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * Runs command in a subprocess with a minimal environment.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * Returns pid on success, 0 on failure.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * The child stdout and stderr maybe captured, left attached or sent to
</span> --- /dev/null 1970-01-01 00:00:00.000000000 +0000
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth-compat.c 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -0,0 +1,175 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth-compat.c 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -0,0 +1,174 @@
</span> +/*
+ * Copyright (c) 2000 Markus Friedl. All rights reserved.
+ *
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3287,7 +3757,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + fromlen = sizeof(from);
+ memset(&from, 0, sizeof(from));
+ if (getpeername(ssh_packet_get_connection_in(ssh),
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (struct sockaddr *)&from, &fromlen) < 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (struct sockaddr *)&from, &fromlen) == -1) {
</span> + debug("getpeername failed: %.100s", strerror(errno));
+ return strdup(ntop);
+ }
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3351,8 +3821,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + if (ai == NULL) {
+ /* Address not found for the host name. */
+ logit("Address %.100s maps to %.600s, but this does not "
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ "map back to the address.",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ntop, name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "map back to the address.", ntop, name);
</span> + return strdup(ntop);
+ }
+ return strdup(name);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3379,7 +3848,7 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> + }
+}
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth-compat.h 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth-compat.h 2019-10-16 06:45:17.000000000 +0200
</span> @@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2000 Markus Friedl. All rights reserved.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3415,18 +3884,18 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> +const char *auth_get_canonical_hostname(struct ssh *, int);
+
+#endif
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/auth.h 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth.h 2017-10-08 09:42:57.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -42,6 +42,8 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/auth.h 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth.h 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -40,6 +40,8 @@
</span> #include <krb5.h>
#endif
+#include "auth-compat.h"
+
<span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct passwd;
</span> struct ssh;
<span style='display:block; white-space:pre;background:#ffe0e0;'>- struct sshkey;
</span> struct sshbuf;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -199,8 +201,6 @@ FILE *auth_openkeyfile(const char *, str
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -194,8 +196,6 @@ FILE *auth_openkeyfile(const char *, str
</span> FILE *auth_openprincipals(const char *, struct passwd *, int);
int auth_key_is_revoked(struct sshkey *);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3435,3 +3904,109 @@ X-Ref: https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/g
</span> HostStatus
check_key_in_hostfiles(struct passwd *, struct sshkey *, const char *,
const char *, const char *);
<span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/kexdh.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/kexdh.c 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -48,13 +48,23 @@ kex_dh_keygen(struct kex *kex)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ switch (kex->kex_type) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case KEX_DH_GRP1_SHA1:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GRP1_SHA1:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex->dh = dh_new_group1();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case KEX_DH_GRP14_SHA1:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case KEX_DH_GRP14_SHA256:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GRP14_SHA1:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GRP14_SHA256:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex->dh = dh_new_group14();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case KEX_DH_GRP16_SHA512:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GRP16_SHA512:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex->dh = dh_new_group16();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case KEX_DH_GRP18_SHA512:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/kexgen.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/kexgen.c 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -44,7 +44,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int input_kex_gen_init(int, u_int32_t, struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int input_kex_gen_reply(int type, u_int32_t seq, struct ssh *ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-static int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex_gen_hash(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int hash_alg,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const struct sshbuf *client_version,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/session.c 2019-10-16 06:22:19.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/session.c 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2689,13 +2689,19 @@ do_cleanup(struct ssh *ssh, Authctxt *au
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef KRB5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options.kerberos_ticket_cleanup &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- authctxt->krb5_ctx)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ authctxt->krb5_ctx) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ temporarily_use_uid(authctxt->pw);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ krb5_cleanup_proc(authctxt);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ restore_uid();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (options.gss_cleanup_creds)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.gss_cleanup_creds) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ temporarily_use_uid(authctxt->pw);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_gssapi_cleanup_creds();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ restore_uid();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* remove agent socket */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh.1 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh.1 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -497,7 +497,13 @@ For full details of the options listed b
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .It GatewayPorts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .It GlobalKnownHostsFile
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .It GSSAPIAuthentication
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.It GSSAPIKeyExchange
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.It GSSAPIClientIdentity
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .It GSSAPIDelegateCredentials
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.It GSSAPIKexAlgorithms
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.It GSSAPIRenewalForcesRekey
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.It GSSAPIServerIdentity
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.It GSSAPITrustDns
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .It HashKnownHosts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .It Host
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .It HostbasedAuthentication
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -573,6 +579,8 @@ flag),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (supported message integrity codes),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .Ar kex
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (key exchange algorithms),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Ar kex-gss
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++(GSSAPI key exchange algorithms),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .Ar key
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (key types),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .Ar key-cert
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh.c 2019-10-16 06:45:17.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -736,6 +736,8 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ cp = mac_alg_list('\n');
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ else if (strcmp(optarg, "kex") == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ cp = kex_alg_list('\n');
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else if (strcmp(optarg, "kex-gss") == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cp = kex_gss_alg_list('\n');
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ else if (strcmp(optarg, "key") == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ cp = sshkey_alg_list(0, 0, 0, '\n');
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ else if (strcmp(optarg, "key-cert") == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -748,7 +750,7 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ cp = xstrdup("2");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ else if (strcmp(optarg, "help") == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ cp = xstrdup(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- "cipher\ncipher-auth\nkex\nkey\n"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "cipher\ncipher-auth\nkex\nkex-gss\nkey\n"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "key-cert\nkey-plain\nmac\n"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "protocol-version\nsig");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/openssh-8.1p1-hpnssh14v18-openssl-1.1.diff b/net/openssh/files/openssh-8.1p1-hpnssh14v18-openssl-1.1.diff
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..91cf3c6
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/files/openssh-8.1p1-hpnssh14v18-openssl-1.1.diff
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,77 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/cipher-ctr-mt.c 2019-10-12 06:16:38.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/cipher-ctr-mt.c 2019-10-12 06:16:40.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -434,7 +434,7 @@ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ destp.u += AES_BLOCK_SIZE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ srcp.u += AES_BLOCK_SIZE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ len -= AES_BLOCK_SIZE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- ssh_ctr_inc(ctx->iv, AES_BLOCK_SIZE);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_ctr_inc(c->aes_counter, AES_BLOCK_SIZE);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Increment read index, switch queues on rollover */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((ridx = (ridx + 1) % KQLEN) == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -547,16 +547,16 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, co
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (iv != NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ memcpy(c->aes_counter, iv, AES_BLOCK_SIZE);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->state |= HAVE_IV;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (c->state == (HAVE_KEY | HAVE_IV)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Clear queues */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- memcpy(c->q[0].ctr, ctx->iv, AES_BLOCK_SIZE);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ memcpy(c->q[0].ctr, c->aes_counter, AES_BLOCK_SIZE);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->q[0].qstate = KQINIT;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for (i = 1; i < numkq; i++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- memcpy(c->q[i].ctr, ctx->iv, AES_BLOCK_SIZE);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ memcpy(c->q[i].ctr, c->aes_counter, AES_BLOCK_SIZE);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_ctr_add(c->q[i].ctr, i * KQLEN, AES_BLOCK_SIZE);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->q[i].qstate = KQEMPTY;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -640,6 +640,21 @@ ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const EVP_CIPHER *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ evp_aes_ctr_mt(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# if OPENSSL_VERSION_NUMBER >= 0x10100000UL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ static EVP_CIPHER *aes_ctr;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ aes_ctr = EVP_CIPHER_meth_new(NID_undef, 16/*block*/, 16/*key*/);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ EVP_CIPHER_meth_set_iv_length(aes_ctr, AES_BLOCK_SIZE);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ EVP_CIPHER_meth_set_init(aes_ctr, ssh_aes_ctr_init);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ EVP_CIPHER_meth_set_cleanup(aes_ctr, ssh_aes_ctr_cleanup);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ EVP_CIPHER_meth_set_do_cipher(aes_ctr, ssh_aes_ctr);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# ifndef SSH_OLD_EVP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ EVP_CIPHER_meth_set_flags(aes_ctr, EVP_CIPH_CBC_MODE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ | EVP_CIPH_VARIABLE_LENGTH
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ | EVP_CIPH_ALWAYS_CALL_INIT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ | EVP_CIPH_CUSTOM_IV);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# endif /*SSH_OLD_EVP*/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return (aes_ctr);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# else /*earlier version of openssl*/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static EVP_CIPHER aes_ctr;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ memset(&aes_ctr, 0, sizeof(EVP_CIPHER));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -655,6 +670,7 @@ evp_aes_ctr_mt(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return &aes_ctr;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# endif /*OPENSSH_VERSION_NUMBER*/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif /* defined(WITH_OPENSSL) */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/cipher.c 2019-10-12 06:16:38.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/cipher.c 2019-10-12 06:16:40.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -329,7 +329,13 @@ cipher_init(struct sshcipher_ctx **ccp,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ goto out;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#if OPENSSH_VERSION_NUMBER <= 0x10100000UL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* in OpenSSL 1.1.0, EVP_CipherInit clears all previous setups;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ use EVP_CipherInit_ex for augmenting */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (EVP_CipherInit_ex(cc->evp, NULL, NULL, (u_char *)key, NULL, -1) == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (EVP_CipherInit(cc->evp, NULL, (u_char *)key, NULL, -1) == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ret = SSH_ERR_LIBCRYPTO_ERROR;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ goto out;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/openssh-8.1p1-hpnssh14v18.diff b/net/openssh/files/openssh-8.1p1-hpnssh14v18.diff
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..666b421
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/files/openssh-8.1p1-hpnssh14v18.diff
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,2458 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/HPN-README 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -0,0 +1,130 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++MULTI-THREADED CIPHER:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++The AES cipher in CTR mode has been multithreaded (MTR-AES-CTR). This will allow ssh installations
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++on hosts with multiple cores to use more than one processing core during encryption.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Tests have show significant throughput performance increases when using MTR-AES-CTR up
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++to and including a full gigabit per second on quad core systems. It should be possible to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++achieve full line rate on dual core systems but OS and data management overhead makes this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++more difficult to achieve. The cipher stream from MTR-AES-CTR is entirely compatible with single
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++thread AES-CTR (ST-AES-CTR) implementations and should be 100% backward compatible. Optimal
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++performance requires the MTR-AES-CTR mode be enabled on both ends of the connection.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++The MTR-AES-CTR replaces ST-AES-CTR and is used in exactly the same way with the same
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++nomenclature.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Use examples:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh -caes128-ctr you@host.com
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ scp -oCipher=aes256-ctr file you@host.com:~/file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++NONE CIPHER:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++To use the NONE option you must have the NoneEnabled switch set on the server and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++you *must* have *both* NoneEnabled and NoneSwitch set to yes on the client. The NONE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++feature works with ALL ssh subsystems (as far as we can tell) *AS LONG AS* a tty is not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++spawned. If a user uses the -T switch to prevent a tty being created the NONE cipher will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++be disabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++The performance increase will only be as good as the network and TCP stack tuning
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++on the reciever side of the connection allows. As a rule of thumb a user will need
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++at least 10Mb/s connection with a 100ms RTT to see a doubling of performance. The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++HPN-SSH home page describes this in greater detail.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++http://www.psc.edu/networking/projects/hpn-ssh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++BUFFER SIZES:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++If HPN is disabled the receive buffer size will be set to the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++OpenSSH default of 64K.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++If an HPN system connects to a nonHPN system the receive buffer will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++be set to the HPNBufferSize value. The default is 2MB but user adjustable.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++If an HPN to HPN connection is established a number of different things might
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++happen based on the user options and conditions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++HPN Buffer Size = up to 64MB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++This is the default state. The HPN buffer size will grow to a maximum of 64MB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++as the TCP receive buffer grows. The maximum HPN Buffer size of 64MB is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++geared towards 10GigE transcontinental connections.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++HPN Buffer Size = TCP receive buffer value.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Users on non-autotuning systems should disable TCPRcvBufPoll in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_config and sshd_config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++HPN Buffer Size = minimum of TCP receive buffer and HPNBufferSize.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++This would be the system defined TCP receive buffer (RWIN).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf SET
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++HPN Buffer Size = minimum of TCPRcvBuf and HPNBufferSize.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Generally there is no need to set both.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++HPN Buffer Size = grows to HPNBufferSize
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++The buffer will grow up to the maximum size specified here.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf SET
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++HPN Buffer Size = minimum of TCPRcvBuf and HPNBufferSize.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Generally there is no need to set both of these, especially on autotuning
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++systems. However, if the users wishes to override the autotuning this would be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++one way to do it.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf SET
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++HPN Buffer Size = TCPRcvBuf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++This will override autotuning and set the TCP recieve buffer to the user defined
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++value.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++HPN Specific Configuration options
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++TcpRcvBuf=[int]KB client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ set the TCP socket receive buffer to n Kilobytes. It can be set up to the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++maximum socket size allowed by the system. This is useful in situations where
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++the tcp receive window is set low but the maximum buffer size is set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++higher (as is typical). This works on a per TCP connection basis. You can also
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++use this to artifically limit the transfer rate of the connection. In these
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++cases the throughput will be no more than n/RTT. The minimum buffer size is 1KB.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Default is the current system wide tcp receive buffer size.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++TcpRcvBufPoll=[yes/no] client/server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ enable of disable the polling of the tcp receive buffer through the life
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++of the connection. You would want to make sure that this option is enabled
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++for systems making use of autotuning kernels (linux 2.4.24+, 2.6, MS Vista)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++default is yes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++NoneEnabled=[yes/no] client/server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ enable or disable the use of the None cipher. Care must always be used
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++when enabling this as it will allow users to send data in the clear. However,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++it is important to note that authentication information remains encrypted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++even if this option is enabled. Set to no by default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++NoneSwitch=[yes/no] client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Switch the encryption cipher being used to the None cipher after
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++authentication takes place. NoneEnabled must be enabled on both the client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++and server side of the connection. When the connection switches to the NONE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++cipher a warning is sent to STDERR. The connection attempt will fail with an
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++error if a client requests a NoneSwitch from the server that does not explicitly
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++have NoneEnabled set to yes. Note: The NONE cipher cannot be used in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++interactive (shell) sessions and it will fail silently. Set to no by default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++HPNDisabled=[yes/no] client/server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ In some situations, such as transfers on a local area network, the impact
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++of the HPN code produces a net decrease in performance. In these cases it is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++helpful to disable the HPN functionality. By default HPNDisabled is set to no.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++HPNBufferSize=[int]KB client/server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ This is the default buffer size the HPN functionality uses when interacting
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++with nonHPN SSH installations. Conceptually this is similar to the TcpRcvBuf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++option as applied to the internal SSH flow control. This value can range from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++1KB to 64MB (1-65536). Use of oversized or undersized buffers can cause performance
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++problems depending on the length of the network path. The default size of this buffer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++is 2MB.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Credits: This patch was conceived, designed, and led by Chris Rapier (rapier@psc.edu)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ The majority of the actual coding for versions up to HPN12v1 was performed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ by Michael Stevens (mstevens@andrew.cmu.edu). The MT-AES-CTR cipher was
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ implemented by Ben Bennet (ben@psc.edu) and improved by Mike Tasota
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (tasota@gmail.com) an NSF REU grant recipient for 2013.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ This work was financed, in part, by Cisco System, Inc., the National
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Library of Medicine, and the National Science Foundation.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/Makefile.in 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/Makefile.in 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -43,7 +43,7 @@ LD=@LD@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ CFLAGS=@CFLAGS@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ OBJCFLAGS=@OBJCFLAGS@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-LIBS=@LIBS@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++LIBS=@LIBS@ -lpthread
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ K5LIBS=@K5LIBS@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ GSSLIBS=@GSSLIBS@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SSHLIBS=@SSHLIBS@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -88,7 +88,7 @@ LIBOPENSSH_OBJS=\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ authfd.o authfile.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ canohost.o channels.o cipher.o cipher-aes.o cipher-aesctr.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- cipher-ctr.o cleanup.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cipher-ctr.o cleanup.o cipher-ctr-mt.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ compat.o fatal.o hostfile.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ log.o match.o moduli.o nchan.o packet.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ readpass.o ttymodes.o xmalloc.o addrmatch.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/auth2.c 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth2.c 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -58,6 +58,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "monitor_wrap.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "digest.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "canohost.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* import */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ extern ServerOptions options;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -76,6 +77,8 @@ extern Authmethod method_hostbased;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ extern Authmethod method_gssapi;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static int log_flag = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Authmethod *authmethods[] = {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ &method_none,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ &method_pubkey,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -275,6 +278,11 @@ input_userauth_request(int type, u_int32
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (r = sshpkt_get_cstring(ssh, &method, NULL)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ goto out;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug("userauth-request for user %s service %s method %s", user, service, method);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!log_flag) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ logit("SSH: Server;Ltype: Authname;Remote: %s-%d;Name: %s",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), user);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ log_flag = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((style = strchr(user, ':')) != NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/canohost.h 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/canohost.h 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -19,7 +19,7 @@ char *get_peer_ipaddr(int);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int get_peer_port(int);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *get_local_ipaddr(int);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *get_local_name(int);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-int get_local_port(int);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int get_local_port(int);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif /* _CANOHOST_H */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/channels.c 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/channels.c 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -220,6 +220,9 @@ static int rdynamic_connect_finish(struc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Setup helper */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static void channel_handler_init(struct ssh_channels *sc);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static int hpn_disabled = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static int hpn_buffer_size = 2 * 1024 * 1024;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* -- channel core */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -392,6 +395,7 @@ channel_new(struct ssh *ssh, char *ctype
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->local_window = window;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->local_window_max = window;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->local_maxpacket = maxpack;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->dynamic_window = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->remote_name = xstrdup(remote_name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->ctl_chan = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->delayed = 1; /* prevent call to channel_post handler */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1079,6 +1083,28 @@ channel_pre_connecting(struct ssh *ssh,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ FD_SET(c->sock, writeset);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++channel_tcpwinsz(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_int32_t tcpwinsz = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ socklen_t optsz = sizeof(tcpwinsz);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int ret = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* if we aren't on a socket return 128KB */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!ssh_packet_connection_is_on_socket(ssh))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 128 * 1024;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ret = getsockopt(ssh_packet_get_connection_in(ssh),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* return no more than SSHBUF_SIZE_MAX (currently 256MB) */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((ret == 0) && tcpwinsz > SSHBUF_SIZE_MAX)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ tcpwinsz = SSHBUF_SIZE_MAX;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug2("tcpwinsz: tcp connection %d, Receive window: %d",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_packet_get_connection_in(ssh), tcpwinsz);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return tcpwinsz;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ channel_pre_open(struct ssh *ssh, Channel *c,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fd_set *readset, fd_set *writeset)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2178,21 +2204,30 @@ channel_check_window(struct ssh *ssh, Ch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->local_maxpacket*3) ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->local_window < c->local_window_max/2) &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->local_consumed > 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_int addition = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_int32_t tcpwinsz = channel_tcpwinsz(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* adjust max window size if we are in a dynamic environment */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (c->dynamic_window && (tcpwinsz > c->local_window_max)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* grow the window somewhat aggressively to maintain pressure */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ addition = 1.5 * (tcpwinsz - c->local_window_max);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->local_window_max += addition;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Channel: Window growth to %d by %d bytes", c->local_window_max, addition);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!c->have_remote_id)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal(":%s: channel %d: no remote id",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ __func__, c->self);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((r = sshpkt_start(ssh,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (r = sshpkt_send(ssh)) != 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal("%s: channel %i: %s", __func__,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->self, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug2("channel %d: window %d sent adjust %d",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->self, c->local_window,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- c->local_consumed);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- c->local_window += c->local_consumed;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->local_consumed + addition);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->local_window += c->local_consumed + addition;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->local_consumed = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2543,7 +2578,7 @@ channel_output_poll_input_open(struct ss
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ size_t len, plen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const u_char *pkt;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int r;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((len = sshbuf_len(c->input)) == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (c->istate == CHAN_INPUT_WAIT_DRAIN) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2589,7 +2624,6 @@ channel_output_poll_input_open(struct ss
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->self, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->remote_window -= plen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Enqueue packet for buffered data. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2661,7 +2695,7 @@ channel_output_poll(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c = sc->channels[i];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (c == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ continue;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * We are only interested in channels that can have buffered
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * incoming data.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2671,10 +2705,10 @@ channel_output_poll(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* XXX is this true? */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug3("channel %d: will not send data after close",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- c->self);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->self);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ continue;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Get the amount of buffered data for this channel. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (c->istate == CHAN_INPUT_OPEN ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->istate == CHAN_INPUT_WAIT_DRAIN)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -3373,6 +3407,14 @@ channel_fwd_bind_addr(struct ssh *ssh, c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return addr;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++channel_set_hpn(int external_hpn_disabled, int external_hpn_buffer_size)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hpn_disabled = external_hpn_disabled;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hpn_buffer_size = external_hpn_buffer_size;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("HPN Disabled: %d, HPN Buffer Size: %d", hpn_disabled, hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct Forward *fwd, int *allocated_listen_port,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -3513,9 +3555,11 @@ channel_setup_fwd_listener_tcpip(struct
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Allocate a channel number for the socket. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* explicitly test for hpn disabled option. if true use smaller window size */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c = channel_new(ssh, "port listener", type, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- 0, "port listener", 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : hpn_buffer_size,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ CHAN_TCP_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ 0, "port listener", 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->path = xstrdup(host);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->host_port = fwd->connect_port;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -4670,8 +4714,9 @@ x11_create_display_inet(struct ssh *ssh,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sock = socks[n];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ nc = channel_new(ssh, "x11 listener",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- 0, "X11 inet listener", 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : hpn_buffer_size,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ CHAN_X11_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ 0, "X11 inet listener", 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ nc->single_connection = single_connection;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (*chanids)[n] = nc->self;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/channels.h 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/channels.h 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -150,8 +150,10 @@ struct Channel {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ u_int local_window_max;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ u_int local_consumed;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ u_int local_maxpacket;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int dynamic_window;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int extended_usage;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int single_connection;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_int tcpwinsz;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *ctype; /* type */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -344,4 +346,7 @@ void chan_rcvd_ieof(struct ssh *, Chann
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void chan_write_failed(struct ssh *, Channel *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void chan_obuf_empty(struct ssh *, Channel *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* hpn handler */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++void channel_set_hpn(int, int);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/cipher-ctr-mt.c 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -0,0 +1,660 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * OpenSSH Multi-threaded AES-CTR Cipher
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Author: Benjamin Bennett <ben@psc.edu>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Author: Mike Tasota <tasota@gmail.com>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Author: Chris Rapier <rapier@psc.edu>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Copyright (c) 2008-2013 Pittsburgh Supercomputing Center. All rights reserved.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Based on original OpenSSH AES-CTR cipher. Small portions remain unchanged,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Copyright (c) 2003 Markus Friedl <markus@openbsd.org>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Permission to use, copy, modify, and distribute this software for any
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * purpose with or without fee is hereby granted, provided that the above
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * copyright notice and this permission notice appear in all copies.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "includes.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#if defined(WITH_OPENSSL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include <sys/types.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include <stdarg.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include <string.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include <openssl/evp.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "xmalloc.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "log.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include <unistd.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* compatibility with old or broken OpenSSL versions */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "openbsd-compat/openssl-compat.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifndef USE_BUILTIN_RIJNDAEL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include <openssl/aes.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include <pthread.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/*-------------------- TUNABLES --------------------*/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* maximum number of threads and queues */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define MAX_THREADS 32
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define MAX_NUMKQ (MAX_THREADS * 2)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* Number of pregen threads to use */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int cipher_threads = 2;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* Number of keystream queues */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int numkq = 4;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* Length of a keystream queue */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define KQLEN 4096
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* Processor cacheline length */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define CACHELINE_LEN 64
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* Collect thread stats and print at cancellation when in debug mode */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define CIPHER_THREAD_STATS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* Can the system do unaligned loads natively? */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#if defined(__aarch64__) || \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ defined(__i386__) || \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ defined(__powerpc__) || \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ defined(__x86_64__)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# define CIPHER_UNALIGNED_OK
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#if defined(__SIZEOF_INT128__)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# define CIPHER_INT128_OK
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/*-------------------- END TUNABLES --------------------*/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++const EVP_CIPHER *evp_aes_ctr_mt(void);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef CIPHER_THREAD_STATS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Struct to collect thread stats
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++struct thread_stats {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_int fills;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_int skips;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_int waits;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_int drains;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++};
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Debug print the thread stats
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Use with pthread_cleanup_push for displaying at thread cancellation
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++thread_loop_stats(void *x)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct thread_stats *s = x;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("AES-CTR MT tid %lu - %u fills, %u skips, %u waits", pthread_self(),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ s->fills, s->skips, s->waits);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# define STATS_STRUCT(s) struct thread_stats s
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# define STATS_INIT(s) { memset(&s, 0, sizeof(s)); }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# define STATS_FILL(s) { s.fills++; }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# define STATS_SKIP(s) { s.skips++; }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# define STATS_WAIT(s) { s.waits++; }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# define STATS_DRAIN(s) { s.drains++; }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# define STATS_STRUCT(s)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# define STATS_INIT(s)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# define STATS_FILL(s)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# define STATS_SKIP(s)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# define STATS_WAIT(s)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# define STATS_DRAIN(s)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* Keystream Queue state */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++enum {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ KQINIT,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ KQEMPTY,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ KQFILLING,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ KQFULL,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ KQDRAINING
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++};
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* Keystream Queue struct */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++struct kq {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_char keys[KQLEN][AES_BLOCK_SIZE];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_char ctr[AES_BLOCK_SIZE];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_char pad0[CACHELINE_LEN];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int qstate;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_mutex_t lock;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_cond_t cond;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_char pad1[CACHELINE_LEN];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++};
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* Context struct */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++struct ssh_aes_ctr_ctx_mt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int struct_id;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct kq q[MAX_NUMKQ];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ AES_KEY aes_ctx;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ STATS_STRUCT(stats);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_char aes_counter[AES_BLOCK_SIZE];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_t tid[MAX_THREADS];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int id[MAX_THREADS];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_rwlock_t tid_lock;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_rwlock_t stop_lock;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int exit_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* __APPLE__ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int state;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int qidx;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int ridx;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++};
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* <friedl>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * increment counter 'ctr',
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * the counter is of size 'len' bytes and stored in network-byte-order.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * (LSB at ctr[len-1], MSB at ctr[0])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_ctr_inc(u_char *ctr, size_t len)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int i;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for (i = len - 1; i >= 0; i--)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (++ctr[i]) /* continue on overflow */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Add num to counter 'ctr'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_ctr_add(u_char *ctr, uint32_t num, u_int len)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int i;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ uint16_t n;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for (n = 0, i = len - 1; i >= 0 && (num || n); i--) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ n = ctr[i] + (num & 0xff) + n;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ num >>= 8;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ctr[i] = n & 0xff;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ n >>= 8;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Threads may be cancelled in a pthread_cond_wait, we must free the mutex
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++thread_loop_cleanup(void *x)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_mutex_unlock((pthread_mutex_t *)x);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* Check if we should exit, we are doing both cancel and exit condition
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * since on OSX threads seem to occasionally fail to notice when they have
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * been cancelled. We want to have a backup to make sure that we won't hang
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * when the main process join()-s the cancelled thread.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++thread_loop_check_exit(struct ssh_aes_ctr_ctx_mt *c)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int exit_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_rwlock_rdlock(&c->stop_lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ exit_flag = c->exit_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_rwlock_unlock(&c->stop_lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (exit_flag)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_exit(NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# define thread_loop_check_exit(s)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* __APPLE__ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Helper function to terminate the helper threads
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++stop_and_join_pregen_threads(struct ssh_aes_ctr_ctx_mt *c)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int i;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* notify threads that they should exit */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_rwlock_wrlock(&c->stop_lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->exit_flag = TRUE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_rwlock_unlock(&c->stop_lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* __APPLE__ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Cancel pregen threads */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for (i = 0; i < cipher_threads; i++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug ("Canceled %lu (%d,%d)", c->tid[i], c->struct_id, c->id[i]);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_cancel(c->tid[i]);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for (i = 0; i < numkq; i++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_mutex_trylock(&c->q[i].lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_cond_broadcast(&c->q[i].cond);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_mutex_unlock(&c->q[i].lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for (i = 0; i < cipher_threads; i++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (pthread_kill(c->tid[i], 0) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug3("AES-CTR MT pthread_join failure: Invalid thread id %lu in %s", c->tid[i], __FUNCTION__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug ("Joining %lu (%d, %d)", c->tid[i], c->struct_id, c->id[i]);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_join(c->tid[i], NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * The life of a pregen thread:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Find empty keystream queues and fill them using their counter.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * When done, update counter for the next fill.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static void *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++thread_loop(void *x)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ AES_KEY key;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ STATS_STRUCT(stats);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct ssh_aes_ctr_ctx_mt *c = x;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct kq *q;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int i;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int qidx;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_t first_tid;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Threads stats on cancellation */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ STATS_INIT(stats);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef CIPHER_THREAD_STATS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_cleanup_push(thread_loop_stats, &stats);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Thread local copy of AES key */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ memcpy(&key, &c->aes_ctx, sizeof(key));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_rwlock_rdlock(&c->tid_lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ first_tid = c->tid[0];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_rwlock_unlock(&c->tid_lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Handle the special case of startup, one thread must fill
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * the first KQ then mark it as draining. Lock held throughout.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (pthread_equal(pthread_self(), first_tid)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ q = &c->q[0];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_mutex_lock(&q->lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (q->qstate == KQINIT) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for (i = 0; i < KQLEN; i++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ AES_encrypt(q->ctr, q->keys[i], &key);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_ctr_inc(q->ctr, AES_BLOCK_SIZE);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_ctr_add(q->ctr, KQLEN * (numkq - 1), AES_BLOCK_SIZE);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ q->qstate = KQDRAINING;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ STATS_FILL(stats);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_cond_broadcast(&q->cond);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_mutex_unlock(&q->lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ STATS_SKIP(stats);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Normal case is to find empty queues and fill them, skipping over
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * queues already filled by other threads and stopping to wait for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * a draining queue to become empty.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Multiple threads may be waiting on a draining queue and awoken
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * when empty. The first thread to wake will mark it as filling,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * others will move on to fill, skip, or wait on the next queue.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for (qidx = 1;; qidx = (qidx + 1) % numkq) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Check if I was cancelled, also checked in cond_wait */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_testcancel();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Check if we should exit as well */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ thread_loop_check_exit(c);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Lock queue and block if its draining */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ q = &c->q[qidx];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_mutex_lock(&q->lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_cleanup_push(thread_loop_cleanup, &q->lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ while (q->qstate == KQDRAINING || q->qstate == KQINIT) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ STATS_WAIT(stats);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ thread_loop_check_exit(c);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_cond_wait(&q->cond, &q->lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_cleanup_pop(0);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* If filling or full, somebody else got it, skip */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (q->qstate != KQEMPTY) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_mutex_unlock(&q->lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ STATS_SKIP(stats);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ continue;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Empty, let's fill it.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Queue lock is relinquished while we do this so others
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * can see that it's being filled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ q->qstate = KQFILLING;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_cond_broadcast(&q->cond);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_mutex_unlock(&q->lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for (i = 0; i < KQLEN; i++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ AES_encrypt(q->ctr, q->keys[i], &key);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_ctr_inc(q->ctr, AES_BLOCK_SIZE);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Re-lock, mark full and signal consumer */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_mutex_lock(&q->lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_ctr_add(q->ctr, KQLEN * (numkq - 1), AES_BLOCK_SIZE);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ q->qstate = KQFULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ STATS_FILL(stats);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_cond_broadcast(&q->cond);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_mutex_unlock(&q->lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef CIPHER_THREAD_STATS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Stats */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_cleanup_pop(1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ LIBCRYPTO_EVP_INL_TYPE len)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ typedef union {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef CIPHER_INT128_OK
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ __uint128_t *u128;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ uint64_t *u64;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ uint32_t *u32;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ uint8_t *u8;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const uint8_t *cu8;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ uintptr_t u;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } ptrs_t;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ptrs_t destp, srcp, bufp;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ uintptr_t align;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct ssh_aes_ctr_ctx_mt *c;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct kq *q, *oldq;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int ridx;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_char *buf;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (len == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ q = &c->q[c->qidx];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ridx = c->ridx;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* src already padded to block multiple */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ srcp.cu8 = src;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ destp.u8 = dest;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ while (len > 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ buf = q->keys[ridx];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ bufp.u8 = buf;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* figure out the alignment on the fly */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef CIPHER_UNALIGNED_OK
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ align = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ align = destp.u | srcp.u | bufp.u;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef CIPHER_INT128_OK
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((align & 0xf) == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ destp.u128[0] = srcp.u128[0] ^ bufp.u128[0];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((align & 0x7) == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ destp.u64[0] = srcp.u64[0] ^ bufp.u64[0];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ destp.u64[1] = srcp.u64[1] ^ bufp.u64[1];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else if ((align & 0x3) == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ destp.u32[0] = srcp.u32[0] ^ bufp.u32[0];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ destp.u32[1] = srcp.u32[1] ^ bufp.u32[1];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ destp.u32[2] = srcp.u32[2] ^ bufp.u32[2];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ destp.u32[3] = srcp.u32[3] ^ bufp.u32[3];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ size_t i;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for (i = 0; i < AES_BLOCK_SIZE; ++i)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dest[i] = src[i] ^ buf[i];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ destp.u += AES_BLOCK_SIZE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ srcp.u += AES_BLOCK_SIZE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ len -= AES_BLOCK_SIZE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_ctr_inc(ctx->iv, AES_BLOCK_SIZE);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Increment read index, switch queues on rollover */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((ridx = (ridx + 1) % KQLEN) == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ oldq = q;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Mark next queue draining, may need to wait */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->qidx = (c->qidx + 1) % numkq;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ q = &c->q[c->qidx];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_mutex_lock(&q->lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ while (q->qstate != KQFULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ STATS_WAIT(c->stats);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_cond_wait(&q->cond, &q->lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ q->qstate = KQDRAINING;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_cond_broadcast(&q->cond);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_mutex_unlock(&q->lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Mark consumed queue empty and signal producers */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_mutex_lock(&oldq->lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ oldq->qstate = KQEMPTY;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ STATS_DRAIN(c->stats);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_cond_broadcast(&oldq->cond);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_mutex_unlock(&oldq->lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->ridx = ridx;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define HAVE_NONE 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define HAVE_KEY 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define HAVE_IV 2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int X = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int enc)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct ssh_aes_ctr_ctx_mt *c;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int i;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* get the number of cores in the system */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* if it's not linux it currently defaults to 2 */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* divide by 2 to get threads for each direction (MODE_IN||MODE_OUT) */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __linux__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cipher_threads = sysconf(_SC_NPROCESSORS_ONLN) / 2;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /*__linux__*/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cipher_threads = sysconf(_SC_NPROCESSORS_ONLN) / 2;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /*__APPLE__*/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __FREEBSD__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int req[2];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ size_t len;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ req[0] = CTL_HW;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ req[1] = HW_NCPU;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ len = sizeof(ncpu);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sysctl(req, 2, &cipher_threads, &len, NULL, 0);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cipher_threads = cipher_threads / 2;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /*__FREEBSD__*/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* if they have less than 4 cores spin up 4 threads anyway */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (cipher_threads < 2)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cipher_threads = 2;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* assure that we aren't trying to create more threads than we have in the struct */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* cipher_threads is half the total of allowable threads hence the odd looking math here */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (cipher_threads * 2 > MAX_THREADS)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cipher_threads = MAX_THREADS / 2;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* set the number of keystream queues */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ numkq = cipher_threads * 2;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c = xmalloc(sizeof(*c));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_rwlock_init(&c->tid_lock, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_rwlock_init(&c->stop_lock, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->exit_flag = FALSE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* __APPLE__ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->state = HAVE_NONE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for (i = 0; i < numkq; i++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_mutex_init(&c->q[i].lock, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_cond_init(&c->q[i].cond, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ STATS_INIT(c->stats);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ EVP_CIPHER_CTX_set_app_data(ctx, c);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (c->state == (HAVE_KEY | HAVE_IV)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* tell the pregen threads to exit */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ stop_and_join_pregen_threads(c);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* reset the exit flag */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->exit_flag = FALSE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* __APPLE__ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Start over getting key & iv */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->state = HAVE_NONE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (key != NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &c->aes_ctx);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->state |= HAVE_KEY;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (iv != NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->state |= HAVE_IV;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (c->state == (HAVE_KEY | HAVE_IV)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Clear queues */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ memcpy(c->q[0].ctr, ctx->iv, AES_BLOCK_SIZE);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->q[0].qstate = KQINIT;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for (i = 1; i < numkq; i++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ memcpy(c->q[i].ctr, ctx->iv, AES_BLOCK_SIZE);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_ctr_add(c->q[i].ctr, i * KQLEN, AES_BLOCK_SIZE);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->q[i].qstate = KQEMPTY;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->qidx = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->ridx = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Start threads */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for (i = 0; i < cipher_threads; i++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_rwlock_wrlock(&c->tid_lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (pthread_create(&c->tid[i], NULL, thread_loop, c) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug ("AES-CTR MT Could not create thread in %s", __FUNCTION__); /*should die here */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!c->struct_id)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->struct_id = X++;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->id[i] = i;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug ("AES-CTR MT spawned a thread with id %lu in %s (%d, %d)", c->tid[i], __FUNCTION__, c->struct_id, c->id[i]);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_rwlock_unlock(&c->tid_lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_mutex_lock(&c->q[0].lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ while (c->q[0].qstate == KQINIT)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_cond_wait(&c->q[0].cond, &c->q[0].lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_mutex_unlock(&c->q[0].lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* this function is no longer used but might prove handy in the future
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * this comment also applies to ssh_aes_ctr_thread_reconstruction
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_aes_ctr_thread_destroy(EVP_CIPHER_CTX *ctx)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct ssh_aes_ctr_ctx_mt *c;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c = EVP_CIPHER_CTX_get_app_data(ctx);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ stop_and_join_pregen_threads(c);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_aes_ctr_thread_reconstruction(EVP_CIPHER_CTX *ctx)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct ssh_aes_ctr_ctx_mt *c;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int i;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c = EVP_CIPHER_CTX_get_app_data(ctx);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* reconstruct threads */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for (i = 0; i < cipher_threads; i++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_rwlock_wrlock(&c->tid_lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (pthread_create(&c->tid[i], NULL, thread_loop, c) !=0 )
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("AES-CTR MT could not create thread in %s", __FUNCTION__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->struct_id = X++;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->id[i] = i;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug ("AES-CTR MT spawned a thread with id %lu in %s (%d, %d)", c->tid[i], __FUNCTION__, c->struct_id, c->id[i]);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("AES-CTR MT spawned a thread with id %lu in %s", c->tid[i], __FUNCTION__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pthread_rwlock_unlock(&c->tid_lock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct ssh_aes_ctr_ctx_mt *c;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef CIPHER_THREAD_STATS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("AES-CTR MT main thread: %u drains, %u waits", c->stats.drains,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->stats.waits);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ stop_and_join_pregen_threads(c);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ memset(c, 0, sizeof(*c));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(c);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ EVP_CIPHER_CTX_set_app_data(ctx, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* <friedl> */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++const EVP_CIPHER *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++evp_aes_ctr_mt(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ static EVP_CIPHER aes_ctr;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ memset(&aes_ctr, 0, sizeof(EVP_CIPHER));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ aes_ctr.nid = NID_undef;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ aes_ctr.block_size = AES_BLOCK_SIZE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ aes_ctr.iv_len = AES_BLOCK_SIZE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ aes_ctr.key_len = 16;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ aes_ctr.init = ssh_aes_ctr_init;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ aes_ctr.cleanup = ssh_aes_ctr_cleanup;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ aes_ctr.do_cipher = ssh_aes_ctr;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifndef SSH_OLD_EVP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return &aes_ctr;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* defined(WITH_OPENSSL) */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/cipher.c 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/cipher.c 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -51,6 +51,9 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "openbsd-compat/openssl-compat.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* for multi-threaded aes-ctr cipher */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++extern const EVP_CIPHER *evp_aes_ctr_mt(void);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifndef WITH_OPENSSL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define EVP_CIPHER_CTX void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -83,7 +86,7 @@ struct sshcipher {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ };
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-static const struct sshcipher ciphers[] = {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static struct sshcipher ciphers[] = {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef WITH_OPENSSL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifndef OPENSSL_NO_DES
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -143,6 +146,29 @@ cipher_alg_list(char sep, int auth_only)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return ret;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* used to get the cipher name so when force rekeying to handle the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * single to multithreaded ctr cipher swap we only rekey when appropriate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++const char *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++cipher_ctx_name(const struct sshcipher_ctx *cc)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return cc->cipher->name;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* in order to get around sandbox and forking issues with a threaded cipher
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * we set the initial pre-auth aes-ctr cipher to the default OpenSSH cipher
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * post auth we set them to the new evp as defined by cipher-ctr-mt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef WITH_OPENSSL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++cipher_reset_multithreaded(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cipher_by_name("aes128-ctr")->evptype = evp_aes_ctr_mt;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cipher_by_name("aes192-ctr")->evptype = evp_aes_ctr_mt;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cipher_by_name("aes256-ctr")->evptype = evp_aes_ctr_mt;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ u_int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ cipher_blocksize(const struct sshcipher *c)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -192,10 +218,10 @@ cipher_ctx_is_plaintext(struct sshcipher
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return cc->plaintext;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-const struct sshcipher *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++struct sshcipher *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ cipher_by_name(const char *name)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- const struct sshcipher *c;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshcipher *c;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for (c = ciphers; c->name != NULL; c++)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (strcmp(c->name, name) == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return c;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -217,7 +243,8 @@ ciphers_valid(const char *names)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (p = strsep(&cp, CIPHER_SEP))) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c = cipher_by_name(p);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (c == NULL || (c->flags & CFLAG_INTERNAL) != 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (c == NULL || ((c->flags & CFLAG_INTERNAL) != 0 &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (c->flags & CFLAG_NONE) != 0)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ free(cipher_list);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/cipher.h 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/cipher.h 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -50,7 +50,9 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct sshcipher;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct sshcipher_ctx;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-const struct sshcipher *cipher_by_name(const char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++void ssh_aes_ctr_thread_destroy(EVP_CIPHER_CTX *ctx); // defined in cipher-ctr-mt.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++void ssh_aes_ctr_thread_reconstruction(EVP_CIPHER_CTX *ctx);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++struct sshcipher *cipher_by_name(const char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const char *cipher_warning_message(const struct sshcipher_ctx *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int ciphers_valid(const char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *cipher_alg_list(char, int);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -67,6 +69,8 @@ u_int cipher_seclen(const struct sshcip
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ u_int cipher_authlen(const struct sshcipher *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ u_int cipher_ivlen(const struct sshcipher *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ u_int cipher_is_cbc(const struct sshcipher *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++void cipher_reset_multithreaded(void);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++const char *cipher_ctx_name(const struct sshcipher_ctx *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ u_int cipher_ctx_is_plaintext(struct sshcipher_ctx *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/clientloop.c 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/clientloop.c 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1619,9 +1619,11 @@ client_request_x11(struct ssh *ssh, cons
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sock = x11_connect_display(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (sock < 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- c = channel_new(ssh, "x11",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- SSH_CHANNEL_X11_OPEN, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c = channel_new(ssh, "x11",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* again is this really necessary for X11? */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->force_drain = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return c;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1645,9 +1647,10 @@ client_request_agent(struct ssh *ssh, co
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c = channel_new(ssh, "authentication agent connection",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- SSH_CHANNEL_OPEN, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- "authentication agent connection", 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ SSH_CHANNEL_OPEN, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ CHAN_TCP_PACKET_DEFAULT, 0,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "authentication agent connection", 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->force_drain = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return c;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1672,10 +1675,13 @@ client_request_tun_fwd(struct ssh *ssh,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug("Tunnel forwarding using interface %s", ifname);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->datagram = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #if defined(SSH_TUN_FILTER)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ channel_register_filter(ssh, c->self, sys_tun_infilter,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/compat.c 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/compat.c 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -150,6 +150,13 @@ compat_datafellows(const char *version)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug("match: %s pat %s compat 0x%08x",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ version, check[i].pat, check[i].bugs);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ datafellows = check[i].bugs; /* XXX for now */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Check to see if the remote side is OpenSSH and not HPN */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (strstr(version, "OpenSSH") != NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (strstr(version, "hpn") == NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ datafellows |= SSH_BUG_LARGEWINDOW;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Remote is NON-HPN aware");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return check[i].bugs;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/compat.h 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/compat.h 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -62,6 +62,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define SSH_BUG_CURVE25519PAD 0x10000000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define SSH_BUG_HOSTKEYS 0x20000000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define SSH_BUG_DHGEX_LARGE 0x40000000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define SSH_BUG_LARGEWINDOW 0x80000000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ u_int compat_datafellows(const char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int proto_spec(const char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/kex.c 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/kex.c 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -58,6 +58,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "ssherr.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "sshbuf.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "canohost.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "digest.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* prototype */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -884,6 +885,11 @@ kex_choose_conf(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int nenc, nmac, ncomp;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ u_int mode, ctos, need, dh_need, authlen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int r, first_kex_follows;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int auth_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int log_flag = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ auth_flag = packet_authentication_state(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("AUTH STATE IS %d", auth_flag);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug2("local %s KEXINIT proposal", kex->server ? "server" : "client");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -954,11 +960,35 @@ kex_choose_conf(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ peer[ncomp] = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ goto out;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (strcmp(newkeys->enc.name, "none") == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Requesting NONE. Authflag is %d", auth_flag);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (auth_flag == 1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("None requested post authentication.");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Pre-authentication none cipher requests are not allowed.");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug("kex: %s cipher: %s MAC: %s compression: %s",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ctos ? "client->server" : "server->client",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ newkeys->enc.name,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ authlen == 0 ? newkeys->mac.name : "<implicit>",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ newkeys->comp.name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * client starts with ctos = 0 && log flag = 0 and no log.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * 2nd client pass ctos = 1 and flag = 1 so no log.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * server starts with ctos = 1 && log_flag = 0 so log.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * 2nd sever pass ctos = 1 && log flag = 1 so no log.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * -cjr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (ctos && !log_flag) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ logit("SSH: Server;Ltype: Kex;Remote: %s-%d;Enc: %s;MAC: %s;Comp: %s",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_remote_ipaddr(ssh),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_remote_port(ssh),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ newkeys->enc.name,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ authlen == 0 ? newkeys->mac.name : "<implicit>",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ newkeys->comp.name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ log_flag = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ need = dh_need = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for (mode = 0; mode < MODE_MAX; mode++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/log.c 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/log.c 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -46,6 +46,12 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include <syslog.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include <unistd.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include <errno.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "packet.h" /* needed for host and port look ups */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef HAVE_SYS_TIME_H
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# include <sys/time.h> /* to get current time */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # include <vis.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/packet.c 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/packet.c 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -265,6 +265,9 @@ ssh_alloc_session_state(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* forward declaration */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++void ssh_final_log_entry (struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_packet_set_input_hook(struct ssh *ssh, ssh_packet_hook_fn *hook, void *ctx)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -286,7 +289,7 @@ struct ssh *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct session_state *state;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- const struct sshcipher *none = cipher_by_name("none");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshcipher *none = cipher_by_name("none");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int r;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (none == NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -925,6 +928,24 @@ ssh_set_newkeys(struct ssh *ssh, int mod
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* this supports the forced rekeying required for the NONE cipher */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int rekey_requested = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++packet_request_rekeying(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ rekey_requested = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* used to determine if pre or post auth when rekeying for aes-ctr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * and none cipher switch */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++packet_authentication_state(const struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct session_state *state = ssh->state;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return state->after_authentication;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define MAX_PACKETS (1U<<31)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -951,6 +972,13 @@ ssh_packet_need_rekeying(struct ssh *ssh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (state->p_send.packets == 0 && state->p_read.packets == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* used to force rekeying when called for by the none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * cipher switch and aes-mt-ctr methods -cjr */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (rekey_requested == 1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ rekey_requested = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Time-based rekeying */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (state->rekey_interval != 0 &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (int64_t)state->rekey_time + state->rekey_interval <= monotime())
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1807,6 +1835,16 @@ sshpkt_fmt_connection_id(struct ssh *ssh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* Povide the current time in seconds since epoch */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++double
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++get_current_time(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct timeval tv;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gettimeofday(&tv, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return (double) tv.tv_sec + (double) tv.tv_usec / 1000000.0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * Pretty-print connection-terminating errors and exit.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1820,17 +1858,21 @@ sshpkt_vfatal(struct ssh *ssh, int r, co
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ switch (r) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case SSH_ERR_CONN_CLOSED:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_packet_clear_keys(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_final_log_entry(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ logdie("Connection closed by %s", remote_id);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case SSH_ERR_CONN_TIMEOUT:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_packet_clear_keys(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_final_log_entry(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ logdie("Connection %s %s timed out",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh->state->server_side ? "from" : "to", remote_id);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case SSH_ERR_DISCONNECTED:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_packet_clear_keys(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_final_log_entry(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ logdie("Disconnected from %s", remote_id);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case SSH_ERR_SYSTEM_ERROR:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (errno == ECONNRESET) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_packet_clear_keys(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_final_log_entry(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ logdie("Connection reset by %s", remote_id);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* FALLTHROUGH */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1860,6 +1902,24 @@ sshpkt_vfatal(struct ssh *ssh, int r, co
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* this prints out the final log entry - used in sshpkt_fatal -cjr */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_final_log_entry (struct ssh *ssh) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ double total_time;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (ssh->start_time < 1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* this will produce a NaN in the output. -cjr */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ total_time = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ total_time = get_current_time() - ssh->start_time;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ logit("SSH: Server;LType: Throughput;Remote: %s-%d;IN: %lu;OUT: %lu;Duration: %.1f;tPut_in: %.1f;tPut_out: %.1f",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->stdin_bytes, ssh->fdout_bytes, total_time,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->stdin_bytes / total_time,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->fdout_bytes / total_time);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sshpkt_fatal(struct ssh *ssh, int r, const char *fmt, ...)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1941,6 +2001,8 @@ ssh_packet_write_poll(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return SSH_ERR_CONN_CLOSED;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((r = sshbuf_consume(state->output, len)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return r;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->stdin_bytes += len;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2701,3 +2763,10 @@ sshpkt_add_padding(struct ssh *ssh, u_ch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh->state->extra_pad = pad;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* need this for the moment for the aes-ctr cipher */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++void *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_packet_get_send_context(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return ssh->state->send_context;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/packet.h 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/packet.h 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -86,6 +86,11 @@ struct ssh {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* APP data */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void *app_data;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* logging data for ServerLogging patch*/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ double start_time;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_long fdout_bytes;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_long stdin_bytes;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ };
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -155,6 +160,10 @@ int ssh_packet_inc_alive_timeouts(struc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int ssh_packet_set_maxsize(struct ssh *, u_int);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ u_int ssh_packet_get_maxsize(struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* for forced packet rekeying post auth */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++void packet_request_rekeying(void);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int packet_authentication_state(const struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int ssh_packet_get_state(struct ssh *, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int ssh_packet_set_state(struct ssh *, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -169,6 +178,11 @@ time_t ssh_packet_get_rekey_timeout(str
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void *ssh_packet_get_input(struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void *ssh_packet_get_output(struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++void *ssh_packet_get_receive_context(struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++void *ssh_packet_get_send_context(struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++void packet_request_rekeying(void);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++double get_current_time(void);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* new API */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int sshpkt_start(struct ssh *ssh, u_char type);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/progressmeter.c 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/progressmeter.c 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -68,6 +68,8 @@ static const char *file; /* name of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static off_t start_pos; /* initial position of transfer */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static off_t end_pos; /* ending position of transfer */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static off_t cur_pos; /* transfer position as of last refresh */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static off_t last_pos;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static off_t max_delta_pos = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static volatile off_t *counter; /* progress counter */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static long stalled; /* how long we have been stalled */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int bytes_per_second; /* current speed in bytes per second */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int cur_speed;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int hours, minutes, seconds;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int file_len;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ off_t delta_pos;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((!force_update && !alarm_fired && !win_resized) || !can_output())
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -142,6 +145,10 @@ refresh_progress_meter(int force_update)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ now = monotime_double();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ bytes_left = end_pos - cur_pos;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ delta_pos = cur_pos - last_pos;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (delta_pos > max_delta_pos)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ max_delta_pos = delta_pos;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (bytes_left > 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ elapsed = now - last_update;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* filename */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ buf[0] = '\0';
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- file_len = win_size - 36;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ file_len = win_size - 45;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (file_len > 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ buf[0] = '\r';
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (off_t)bytes_per_second);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ strlcat(buf, "/s ", win_size);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* instantaneous rate */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (bytes_left > 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ format_rate(buf + strlen(buf), win_size - strlen(buf),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ delta_pos);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ format_rate(buf + strlen(buf), win_size - strlen(buf),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ max_delta_pos);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ strlcat(buf, "/s ", win_size);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* ETA */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!transferred)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ stalled += elapsed;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -227,6 +243,7 @@ refresh_progress_meter(int force_update)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ atomicio(vwrite, STDOUT_FILENO, buf, win_size - 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ last_update = now;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ last_pos = cur_pos;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*ARGSUSED*/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/readconf.c 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/readconf.c 2019-10-12 13:10:12.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -67,6 +67,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "uidswap.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "myproposal.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "digest.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "sshbuf.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Format of the configuration file:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -170,6 +171,9 @@ typedef enum {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef __APPLE_KEYCHAIN__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ oUseKeychain,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ oNoneEnabled, oNoneSwitch,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ oDisableMTAES,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ oVisualHostKey,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -301,6 +305,9 @@ static struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "kexalgorithms", oKexAlgorithms },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "ipqos", oIPQoS },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "requesttty", oRequestTTY },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "noneenabled", oNoneEnabled },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "noneswitch", oNoneSwitch },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "disablemtaes", oDisableMTAES },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "proxyusefdpass", oProxyUseFdpass },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "canonicaldomains", oCanonicalDomains },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -317,6 +324,11 @@ static struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "ignoreunknown", oIgnoreUnknown },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "proxyjump", oProxyJump },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "tcprcvbufpoll", oTcpRcvBufPoll },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "tcprcvbuf", oTcpRcvBuf },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "hpndisabled", oHPNDisabled },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "hpnbuffersize", oHPNBufferSize },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { NULL, oBadOption }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ };
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1006,6 +1018,42 @@ parse_time:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ intptr = &options->check_host_ip;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case oHPNDisabled:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ intptr = &options->hpn_disabled;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case oHPNBufferSize:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ intptr = &options->hpn_buffer_size;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_int;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case oTcpRcvBufPoll:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ intptr = &options->tcp_rcv_buf_poll;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case oNoneEnabled:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ intptr = &options->none_enabled;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case oDisableMTAES:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ intptr = &options->disable_multithreaded;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * We check to see if the command comes from the command
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * line or not. If it does then enable it otherwise fail.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * NONE should never be a default configuration.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case oNoneSwitch:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (strcmp(filename, "command-line") == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ intptr = &options->none_switch;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ error("NoneSwitch is found in %.200s.\nYou may only use this configuration option from the command line", filename);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ error("Continuing...");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("NoneSwitch directive found in %.200s.", filename);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case oVerifyHostKeyDNS:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ intptr = &options->verify_host_key_dns;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ multistate_ptr = multistate_yesnoask;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1201,6 +1249,10 @@ parse_int:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ *intptr = value;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case oTcpRcvBuf:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ intptr = &options->tcp_rcv_buf;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_int;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case oCiphers:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ arg = strdelim(&s);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!arg || *arg == '\0')
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1950,6 +2002,13 @@ initialize_options(Options * options)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->ip_qos_interactive = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->ip_qos_bulk = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->request_tty = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->none_switch = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->none_enabled = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->disable_multithreaded = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->hpn_disabled = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->hpn_buffer_size = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->tcp_rcv_buf_poll = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->tcp_rcv_buf = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->proxy_use_fdpass = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->ignored_unknown = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->num_canonical_domains = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2097,6 +2156,32 @@ fill_default_options(Options * options)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->server_alive_interval = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options->server_alive_count_max == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->server_alive_count_max = 3;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->hpn_disabled == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->hpn_disabled = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->hpn_buffer_size > -1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* if a user tries to set the size to 0 set it to 1KB */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->hpn_buffer_size == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->hpn_buffer_size = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* limit the buffer to SSHBUF_SIZE_MAX (currently 256MB) */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->hpn_buffer_size > (SSHBUF_SIZE_MAX / 1024)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->hpn_buffer_size = SSHBUF_SIZE_MAX;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("User requested buffer larger than 256MB. Request reverted to 256MB");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->hpn_buffer_size *= 1024;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->tcp_rcv_buf == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->tcp_rcv_buf = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->tcp_rcv_buf > -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->tcp_rcv_buf *=1024;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->tcp_rcv_buf_poll == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->tcp_rcv_buf_poll = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->none_switch == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->none_switch = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->none_enabled == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->none_enabled = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->disable_multithreaded == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->disable_multithreaded = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options->control_master == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->control_master = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options->control_persist == -1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/readconf.h 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/readconf.h 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -50,6 +50,10 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int strict_host_key_checking; /* Strict host key checking. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int compression; /* Compress packets in both directions. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int tcp_keep_alive; /* Set SO_KEEPALIVE. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int tcp_rcv_buf; /* user switch to set tcp recv buffer */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int tcp_rcv_buf_poll; /* Option to poll recv buf every window transfer */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int hpn_disabled; /* Switch to disable HPN buffer management */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int hpn_buffer_size; /* User definable size for HPN buffer window */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SyslogFacility log_facility; /* Facility for system logging. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -112,7 +116,11 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int enable_ssh_keysign;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int64_t rekey_limit;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int none_switch; /* Use none cipher */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int none_enabled; /* Allow none to be used */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int disable_multithreaded; /*disable multithreaded aes-ctr*/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int rekey_interval;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int no_host_authentication_for_localhost;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int identities_only;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int server_alive_interval;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sandbox-seccomp-filter.c 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sandbox-seccomp-filter.c 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -203,6 +203,9 @@ static const struct sock_filter preauth_
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef __NR_geteuid32
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SC_ALLOW(__NR_geteuid32),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __NR_getpeername /* not defined on archs that go via socketcall(2) */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ SC_ALLOW(__NR_getpeername),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef __NR_getpgid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SC_ALLOW(__NR_getpgid),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -266,6 +269,9 @@ static const struct sock_filter preauth_
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef __NR_sigprocmask
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SC_ALLOW(__NR_sigprocmask),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __NR_socketcall
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ SC_ALLOW(__NR_socketcall),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef __NR_time
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SC_ALLOW(__NR_time),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/scp.c 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/scp.c 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1066,7 +1066,7 @@ source(int argc, char **argv)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ off_t i, statbytes;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ size_t amt, nr;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int fd = -1, haderr, indx;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- char *last, *name, buf[PATH_MAX + 128], encname[PATH_MAX];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *last, *name, buf[16384], encname[PATH_MAX];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int len;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for (indx = 0; indx < argc; ++indx) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/servconf.c 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/servconf.c 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -64,6 +64,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "auth.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "myproposal.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "digest.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "sshbuf.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static void add_listen_addr(ServerOptions *, const char *,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const char *, int);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -174,6 +175,11 @@ initialize_server_options(ServerOptions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->authorized_principals_file = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->authorized_principals_command = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->authorized_principals_command_user = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->tcp_rcv_buf_poll = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->hpn_disabled = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->hpn_buffer_size = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->none_enabled = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->disable_multithreaded = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->ip_qos_interactive = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->ip_qos_bulk = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->version_addendum = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -273,6 +279,10 @@ void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fill_default_server_options(ServerOptions *options)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ u_int i;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* needed for hpn socket tests */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int sock;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int socksize;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int socksizelen = sizeof(int);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Portable-specific options */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options->use_pam == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -409,6 +419,45 @@ fill_default_server_options(ServerOption
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options->permit_tun == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->permit_tun = SSH_TUNMODE_NO;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->none_enabled == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->none_enabled = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->disable_multithreaded == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->disable_multithreaded = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->hpn_disabled == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->hpn_disabled = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->hpn_buffer_size == -1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* option not explicitly set. Now we have to figure out */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* what value to use */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->hpn_disabled == 1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* get the current RCV size and set it to that */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*create a socket but don't connect it */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* we use that the get the rcv socket size */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sock = socket(AF_INET, SOCK_STREAM, 0);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &socksize, &socksizelen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ close(sock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->hpn_buffer_size = socksize;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("HPN Buffer Size: %d", options->hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* we have to do this in case the user sets both values in a contradictory */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* manner. hpn_disabled overrrides hpn_buffer_size*/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->hpn_disabled <= 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->hpn_buffer_size == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->hpn_buffer_size = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* limit the maximum buffer to SSHBUF_SIZE_MAX (currently 256MB) */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options->hpn_buffer_size > (SSHBUF_SIZE_MAX / 1024)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->hpn_buffer_size = SSHBUF_SIZE_MAX;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->hpn_buffer_size *= 1024;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options->ip_qos_interactive == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->ip_qos_interactive = IPTOS_DSCP_AF21;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options->ip_qos_bulk == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -486,6 +535,9 @@ typedef enum {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sPasswordAuthentication, sKbdInteractiveAuthentication,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sListenAddress, sAddressFamily,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sPrintMotd, sPrintLastLog, sIgnoreRhosts,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sNoneEnabled,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sDisableMTAES,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -642,6 +694,11 @@ static struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "hpndisabled", sHPNDisabled, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "noneenabled", sNoneEnabled, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "disableMTAES", sDisableMTAES, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "ipqos", sIPQoS, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -698,6 +755,7 @@ parse_token(const char *cp, const char *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for (i = 0; keywords[i].name; i++)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (strcasecmp(cp, keywords[i].name) == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Config token is %s", keywords[i].name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ *flags = keywords[i].flags;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return keywords[i].opcode;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1424,10 +1482,30 @@ process_server_config_line(ServerOptions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ multistate_ptr = multistate_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ goto parse_multistate;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case sTcpRcvBufPoll:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ intptr = &options->tcp_rcv_buf_poll;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case sHPNDisabled:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ intptr = &options->hpn_disabled;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case sHPNBufferSize:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ intptr = &options->hpn_buffer_size;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_int;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case sIgnoreUserKnownHosts:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ intptr = &options->ignore_user_known_hosts;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case sNoneEnabled:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ intptr = &options->none_enabled;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case sDisableMTAES:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ intptr = &options->disable_multithreaded;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case sHostbasedAuthentication:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ intptr = &options->hostbased_authentication;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ goto parse_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/servconf.h 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/servconf.h 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -183,6 +183,11 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *adm_forced_command;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int use_pam; /* Enable auth via PAM */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int tcp_rcv_buf_poll; /* poll tcp rcv window in autotuning kernels*/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int hpn_disabled; /* disable hpn functionality. false by default */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int hpn_buffer_size; /* set the hpn buffer size - default 3MB */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int none_enabled; /* Enable NONE cipher switch */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int disable_multithreaded; /*disable multithreaded aes-ctr cipher */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int permit_tun;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/serverloop.c 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/serverloop.c 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -343,6 +343,7 @@ process_input(struct ssh *ssh, fd_set *r
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal("%s: ssh_packet_process_incoming: %s",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->fdout_bytes += len;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -361,6 +362,7 @@ process_output(struct ssh *ssh, fd_set *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((r = ssh_packet_write_poll(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal("%s: ssh_packet_write_poll: %s",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->stdin_bytes += ssh_packet_write_poll(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -401,6 +403,7 @@ server_loop2(struct ssh *ssh, Authctxt *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ u_int64_t rekey_timeout_ms = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug("Entering interactive session for SSH2.");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->start_time = get_current_time();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ signal(SIGCHLD, sigchld_handler);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ child_terminated = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -608,7 +611,8 @@ server_request_tun(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug("Tunnel forwarding using interface %s", ifname);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPEN, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c->datagram = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #if defined(SSH_TUN_FILTER)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (mode == SSH_TUNMODE_POINTOPOINT)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -659,6 +663,8 @@ server_request_session(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ c = channel_new(ssh, "session", SSH_CHANNEL_LARVAL,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 0, "server-session", 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((options.tcp_rcv_buf_poll) && (!options.hpn_disabled))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->dynamic_window = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (session_open(the_authctxt, c->self) != 1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug("session open failed, free channel %d", c->self);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ channel_free(ssh, c);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/serverloop.h 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/serverloop.h 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -20,7 +20,6 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifndef SERVERLOOP_H
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define SERVERLOOP_H
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct ssh;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void server_loop2(struct ssh *, Authctxt *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/session.c 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/session.c 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -97,6 +97,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "sftp.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "atomicio.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #if defined(KRB5) && defined(USE_AFS)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include <kafs.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -223,6 +224,7 @@ auth_input_request_forwarding(struct ssh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ goto authsock_err;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Allocate a channel for the authentication agent socket. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* this shouldn't matter if its hpn or not - cjr */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ nc = channel_new(ssh, "auth socket",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -460,7 +462,7 @@ do_exec_no_pty(struct ssh *ssh, Session
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case 0:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ is_child = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * Create a new session and process group since the 4.4BSD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * setlogin() affects the entire process group.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -603,7 +605,7 @@ do_exec_pty(struct ssh *ssh, Session *s,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case 0:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ is_child = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ close(fdout);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ close(ptymaster);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2266,10 +2268,11 @@ session_set_fds(struct ssh *ssh, Session
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (s->chanid == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal("no channel for session %d", s->self);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- channel_set_fds(ssh, s->chanid,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- fdout, fdin, fderr,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- 1, is_tty, CHAN_SES_WINDOW_DEFAULT);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ channel_set_fds(ssh, s->chanid,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fdout, fdin, fderr,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ 1, is_tty,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.hpn_disabled ? CHAN_SES_WINDOW_DEFAULT : options.hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sftp.1 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sftp.1 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -286,7 +286,8 @@ diagnostic messages from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Specify how many requests may be outstanding at any one time.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Increasing this may slightly improve file transfer speed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ but will increase memory usage.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-The default is 64 outstanding requests.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++The default is 256 outstanding requests providing for 8MB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++of outstanding data with a 32KB buffer.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .It Fl r
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Recursively copy entire directories when uploading and downloading.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Note that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sftp.c 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sftp.c 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -71,7 +71,7 @@ typedef void EditLine;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "sftp-client.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-#define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* File to read commands from */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ FILE* infile;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh.c 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh.c 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -960,6 +960,10 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case 'T':
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options.request_tty = REQUEST_TTY_NO;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* ensure that the user doesn't try to backdoor a */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* null cipher switch on an interactive session */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* so explicitly disable it no matter what */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.none_switch=0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case 'o':
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ line = xstrdup(optarg);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1585,6 +1589,8 @@ control_persist_detach(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ setproctitle("%s [mux]", options.control_path);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++extern const EVP_CIPHER *evp_aes_ctr_mt(void);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Do fork() after authentication. Used by "ssh -f" */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fork_postauth(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1828,6 +1834,78 @@ ssh_session2_setup(struct ssh *ssh, int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ NULL, fileno(stdin), command, environ);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++hpn_options_init(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * We need to check to see if what they want to do about buffer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * sizes here. In a hpn to nonhpn connection we want to limit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * the window size to something reasonable in case the far side
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * has the large window bug. In hpn to hpn connection we want to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * use the max window size but allow the user to override it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * lastly if they disabled hpn then use the ssh std window size.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * So why don't we just do a getsockopt() here and set the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * ssh window to that? In the case of a autotuning receive
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * window the window would get stuck at the initial buffer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * size generally less than 96k. Therefore we need to set the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * maximum ssh window size to the maximum hpn buffer size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * unless the user has specifically set the tcprcvbufpoll
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * to no. In which case we *can* just set the window to the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * minimum of the hpn buffer size and tcp receive buffer size.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (tty_flag)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.hpn_buffer_size = 2 * 1024 * 1024;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (datafellows & SSH_BUG_LARGEWINDOW) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("HPN to Non-HPN Connection");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int sock, socksize;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ socklen_t socksizelen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.tcp_rcv_buf_poll <= 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sock = socket(AF_INET, SOCK_STREAM, 0);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ socksizelen = sizeof(socksize);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &socksize, &socksizelen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ close(sock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("socksize %d", socksize);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.hpn_buffer_size = socksize;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("HPNBufferSize set to TCP RWIN: %d", options.hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.tcp_rcv_buf > 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Create a socket but don't connect it:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * we use that the get the rcv socket size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sock = socket(AF_INET, SOCK_STREAM, 0);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * If they are using the tcp_rcv_buf option,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * attempt to set the buffer size to that.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.tcp_rcv_buf) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ socksizelen = sizeof(options.tcp_rcv_buf);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ setsockopt(sock, SOL_SOCKET, SO_RCVBUF,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &options.tcp_rcv_buf, socksizelen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ socksizelen = sizeof(socksize);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &socksize, &socksizelen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ close(sock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("socksize %d", socksize);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.hpn_buffer_size = socksize;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("HPNBufferSize set to user TCPRcvBuf: %d", options.hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Final hpn_buffer_size = %d", options.hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* open new channel for a session */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_session2_open(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1854,9 +1932,11 @@ ssh_session2_open(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!isatty(err))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set_nonblock(err);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- window = CHAN_SES_WINDOW_DEFAULT;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ window = options.hpn_buffer_size;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ packetmax = CHAN_SES_PACKET_DEFAULT;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (tty_flag) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ window = CHAN_SES_WINDOW_DEFAULT;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ window >>= 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ packetmax >>= 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1865,7 +1945,15 @@ ssh_session2_open(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ window, packetmax, CHAN_EXTENDED_WRITE,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "client-session", /*nonblock*/0);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((options.tcp_rcv_buf_poll > 0) && (!options.hpn_disabled)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->dynamic_window = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Enabled Dynamic Window Scaling");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug3("%s: channel_new: %d", __func__, c->self);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.tcp_rcv_buf_poll > 0 && !options.hpn_disabled) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ c->dynamic_window = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Enabled Dynamic Window Scaling");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ channel_send_open(ssh, c->self);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!no_shell_flag)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1881,6 +1969,20 @@ ssh_session2(struct ssh *ssh, struct pas
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int r, devnull, id = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *cp, *tun_fwd_ifname = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * We need to initialize this early because the forwarding logic below
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * might open channels that use the hpn buffer sizes. We can't send a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * window of -1 (the default) to the server as it breaks things.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hpn_options_init();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * We need to initialize this early because the forwarding logic below
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * might open channels that use the hpn buffer sizes. We can't send a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * window of -1 (the default) to the server as it breaks things.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hpn_options_init();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* XXX should be pre-session */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!options.control_persist)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_init_stdio_forwarding(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh_api.c 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh_api.c 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -389,7 +389,10 @@ _ssh_read_banner(struct ssh *ssh, struct
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug("Remote protocol version %d.%d, remote software version %.100s",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ remote_major, remote_minor, remote_version);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ logit("SSH: Server;Ltype: Version;Remote: %s-%d;Protocol: %d.%d;Client: %.100s",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ remote_major, remote_minor, remote_version);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh->compat = compat_datafellows(remote_version);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (remote_major == 1 && remote_minor == 99) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ remote_major = 2;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh_api.h 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh_api.h 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -29,6 +29,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "ssh.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "ssh2.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "packet.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "log.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct kex_params {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *proposal[PROPOSAL_MAX];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshbuf.h 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshbuf.h 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -28,7 +28,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # endif /* OPENSSL_HAS_ECC */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif /* WITH_OPENSSL */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-#define SSHBUF_SIZE_MAX 0x8000000 /* Hard maximum size */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define SSHBUF_SIZE_MAX 0xF000000 /* Hard maximum size 256MB */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define SSHBUF_REFS_MAX 0x100000 /* Max child buffers */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define SSHBUF_MAX_BIGNUM (16384 / 8) /* Max bignum *bytes* */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define SSHBUF_MAX_ECPOINT ((528 * 2 / 8) + 1) /* Max EC point *bytes* */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshconnect.c 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshconnect.c 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -359,6 +359,30 @@ check_ifaddrs(const char *ifname, int af
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Set TCP receive buffer if requested.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Note: tuning needs to happen after the socket is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * created but before the connection happens
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * so winscale is negotiated properly -cjr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh_set_socket_recvbuf(int sock)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ void *buf = (void *)&options.tcp_rcv_buf;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int sz = sizeof(options.tcp_rcv_buf);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int socksize;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int socksizelen = sizeof(int);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("setsockopt Attempting to set SO_RCVBUF to %d", options.tcp_rcv_buf);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, buf, sz) >= 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("setsockopt SO_RCVBUF: %.100s %d", strerror(errno), socksize);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ error("Couldn't set socket receive buffer to %d: %.100s",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options.tcp_rcv_buf, strerror(errno));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * Creates a socket for use as the ssh connection.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -380,6 +404,9 @@ ssh_create_socket(struct addrinfo *ai)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fcntl(sock, F_SETFD, FD_CLOEXEC);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.tcp_rcv_buf > 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_set_socket_recvbuf(sock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Bind the socket to an alternative local IP address */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options.bind_address == NULL && options.bind_interface == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return sock;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshconnect2.c 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshconnect2.c 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -88,6 +88,13 @@ extern char *server_version_string;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ extern Options options;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * tty_flag is set in ssh.c. Use this in ssh_userauth2:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * if it is set, then prevent the switch to the null cipher.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++extern int tty_flag;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * SSH2 key exchange
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -159,6 +166,8 @@ order_hostkeyalgs(char *host, struct soc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return ret;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static char *myproposal[PROPOSAL_MAX];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static const char *myproposal_default[PROPOSAL_MAX] = { KEX_CLIENT };
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -166,6 +175,8 @@ ssh_kex2(struct ssh *ssh, char *host, st
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *s, *all_key;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int r;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xxx_host = host;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xxx_hostaddr = hostaddr;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -427,6 +438,47 @@ ssh_userauth2(struct ssh *ssh, const cha
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!authctxt.success)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal("Authentication failed.");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * If the user wants to use the none cipher, do it post authentication
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * and only if the right conditions are met -- both of the NONE commands
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * must be true and there must be no tty allocated.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((options.none_switch == 1) && (options.none_enabled == 1)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!tty_flag) { /* no null on tty sessions */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Requesting none rekeying...");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex_prop2buf(ssh->kex->my, myproposal);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_request_rekeying();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* requested NONE cipher when in a tty */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Cannot switch to NONE cipher with tty allocated");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef WITH_OPENSSL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.disable_multithreaded == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* if we are using aes-ctr there can be issues in either a fork or sandbox
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * so the initial aes-ctr is defined to point to the original single process
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * evp. After authentication we'll be past the fork and the sandboxed privsep
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * so we repoint the define to the multithreaded evp. To start the threads we
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * then force a rekey
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const void *cc = ssh_packet_get_send_context(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* only do this for the ctr cipher. otherwise gcm mode breaks. Don't know why though */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (strstr(cipher_ctx_name(cc), "ctr")) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Single to Multithread CTR cipher swap - client request");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cipher_reset_multithreaded();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_request_rekeying();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug("Authentication succeeded (%s).", authctxt.method->name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd.c 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd.c 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -957,6 +957,8 @@ listen_on_addrs(struct listenaddr *la)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int ret, listen_sock;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct addrinfo *ai;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char ntop[NI_MAXHOST], strport[NI_MAXSERV];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int socksize;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int socksizelen = sizeof(int);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for (ai = la->addrs; ai; ai = ai->ai_next) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1002,6 +1004,11 @@ listen_on_addrs(struct listenaddr *la)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug("Bind to port %s on %s.", strport, ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &socksize, &socksizelen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Server TCP RWIN socket size: %d", socksize);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("HPN Buffer Size: %d", options.hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Bind the socket to the desired port. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ error("Bind to port %s on %s failed: %.200s.",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1643,6 +1650,13 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Fill in default values for those options not explicitly set. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fill_default_server_options(&options);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.none_enabled == 1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *old_ciphers = options.ciphers;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ xasprintf(&options.ciphers, "%s,none", old_ciphers);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(old_ciphers);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* challenge-response is implemented via keyboard interactive */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options.challenge_response_authentication)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options.kbd_interactive_authentication = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2076,6 +2090,9 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ rdomain == NULL ? "" : "\"");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ free(laddr);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* set the HPN options for the child */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * We don't want to listen forever unless the other side
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * successfully authenticates itself. So we set up an alarm which is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2182,7 +2199,45 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Try to send all our hostkeys to the client */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ notify_hostkeys(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef WITH_OPENSSL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.disable_multithreaded == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* if we are using aes-ctr there can be issues in either a fork or sandbox
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * so the initial aes-ctr is defined to point ot the original single process
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * evp. After authentication we'll be past the fork and the sandboxed privsep
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * so we repoint the define to the multithreaded evp. To start the threads we
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * then force a rekey
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const void *cc = ssh_packet_get_send_context(the_active_state);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* only rekey if necessary. If we don't do this gcm mode cipher breaks */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (strstr(cipher_ctx_name(cc), "ctr")) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Single to Multithreaded CTR cipher swap - server request");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cipher_reset_multithreaded();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_request_rekeying();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Start session. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef WITH_OPENSSL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.disable_multithreaded == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* if we are using aes-ctr there can be issues in either a fork or sandbox
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * so the initial aes-ctr is defined to point ot the original single process
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * evp. After authentication we'll be past the fork and the sandboxed privsep
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * so we repoint the define to the multithreaded evp. To start the threads we
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * then force a rekey
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const void *cc = ssh_packet_get_send_context(the_active_state);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* only rekey if necessary. If we don't do this gcm mode cipher breaks */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (strstr(cipher_ctx_name(cc), "ctr")) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Single to Multithreaded CTR cipher swap - server request");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cipher_reset_multithreaded();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ packet_request_rekeying();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ do_authenticated(ssh, authctxt);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* The connection has been terminated. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2251,6 +2306,9 @@ do_ssh2_kex(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct kex *kex;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int r;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.none_enabled == 1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("WARNING: None cipher enabled");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options.kex_algorithms);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd_config 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd_config 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -108,6 +108,19 @@ AuthorizedKeysFile .ssh/authorized_keys
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # override default of no subsystems
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Subsystem sftp /usr/libexec/sftp-server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# the following are HPN related configuration options
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# tcp receive buffer polling. disable in non autotuning kernels
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#TcpRcvBufPoll yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# disable hpn performance boosts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#HPNDisabled no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# buffer size for hpn to non-hpn connections
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#HPNBufferSize 2048
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# allow the use of the none cipher
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#NoneEnabled no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Example of overriding settings on a per-user basis
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #Match User anoncvs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # X11Forwarding no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/version.h 2019-10-12 13:09:11.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/version.h 2019-10-12 13:09:35.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -3,4 +3,5 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define SSH_VERSION "OpenSSH_8.1"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define SSH_PORTABLE "p1"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define SSH_HPN "-hpn14v18"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/pam.patch b/net/openssh/files/pam.patch
</span><span style='display:block; white-space:pre;color:#808080;'>index 8669671..0b1ef7a 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/files/pam.patch
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/files/pam.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1,6 +1,6 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/servconf.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/servconf.c 2017-10-07 04:34:14.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -195,7 +195,7 @@ fill_default_server_options(ServerOption
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/servconf.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/servconf.c 2019-10-11 11:43:39.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -276,7 +276,7 @@ fill_default_server_options(ServerOption
</span>
/* Portable-specific options */
if (options->use_pam == -1)
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/patch-sandbox-darwin.c-apple-sandbox-named-external.diff b/net/openssh/files/patch-sandbox-darwin.c-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;color:#808080;'>index cf2b56a..dc02cec 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/files/patch-sandbox-darwin.c-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/files/patch-sandbox-darwin.c-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1,5 +1,5 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sandbox-darwin.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sandbox-darwin.c 2017-10-07 04:34:48.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sandbox-darwin.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sandbox-darwin.c 2019-10-11 11:43:45.000000000 +0200
</span> @@ -63,8 +63,16 @@ ssh_sandbox_child(struct ssh_sandbox *bo
struct rlimit rl_zero;
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/patch-sshd.c-apple-sandbox-named-external.diff b/net/openssh/files/patch-sshd.c-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;color:#808080;'>index 4b90f65..9427f84 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/files/patch-sshd.c-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/files/patch-sshd.c-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1,11 +1,11 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd.c 2017-10-02 21:34:26.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd.c 2017-10-07 04:35:20.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -617,10 +617,17 @@ privsep_preauth(Authctxt *authctxt)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd.c 2019-10-11 11:43:52.000000000 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -534,10 +534,17 @@ privsep_preauth(struct ssh *ssh)
</span> /* Arrange for logging to be sent to the monitor */
set_log_handler(mm_log_handler, pmonitor);
+#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* We need to do this before we chroot() so we can read sshd.sb */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* We need to do this before we chroot() so we can read sshd.sb and libsandbox.dylib */
</span> + if (box != NULL)
+ ssh_sandbox_child(box);
+#endif
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/series b/net/openssh/files/series
</span><span style='display:block; white-space:pre;color:#808080;'>index e9540ff..3bc7b76 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/files/series
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/files/series
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3,4 +3,4 @@ pam.patch
</span> patch-sandbox-darwin.c-apple-sandbox-named-external.diff
patch-sshd.c-apple-sandbox-named-external.diff
0002-Apple-keychain-integration-other-changes.patch
<span style='display:block; white-space:pre;background:#ffe0e0;'>-openssh-7.6p1-gsskex-all-20141021-mp-20171008.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+openssh-8.1p1-gsskex-all-20141021-mp-20191015.patch
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/series-gsskex b/net/openssh/files/series-gsskex
</span><span style='display:block; white-space:pre;color:#808080;'>index e9540ff..3bc7b76 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/files/series-gsskex
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/files/series-gsskex
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3,4 +3,4 @@ pam.patch
</span> patch-sandbox-darwin.c-apple-sandbox-named-external.diff
patch-sshd.c-apple-sandbox-named-external.diff
0002-Apple-keychain-integration-other-changes.patch
<span style='display:block; white-space:pre;background:#ffe0e0;'>-openssh-7.6p1-gsskex-all-20141021-mp-20171008.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+openssh-8.1p1-gsskex-all-20141021-mp-20191015.patch
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/series-hpn b/net/openssh/files/series-hpn
</span><span style='display:block; white-space:pre;color:#808080;'>index 4c94a6c..05220f4 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/files/series-hpn
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/files/series-hpn
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2,4 +2,6 @@ launchd.patch
</span> pam.patch
patch-sandbox-darwin.c-apple-sandbox-named-external.diff
patch-sshd.c-apple-sandbox-named-external.diff
<span style='display:block; white-space:pre;background:#ffe0e0;'>-openssh-7.6p1-hpnssh14v13.diff
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+0002-Apple-keychain-integration-other-changes.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+openssh-8.1p1-hpnssh14v18.diff
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+openssh-8.1p1-hpnssh14v18-openssl-1.1.diff
</span></pre><pre style='margin:0'>
</pre>