<pre style='margin:0'>
Blair Zajac (blair) pushed a commit to branch master
in repository macports-ports.
</pre>
<p><a href="https://github.com/macports/macports-ports/commit/f34c23137ff37bd006dd2aba16be237f1c496b53">https://github.com/macports/macports-ports/commit/f34c23137ff37bd006dd2aba16be237f1c496b53</a></p>
<pre style="white-space: pre; background: #F8F8F8">The following commit(s) were added to refs/heads/master by this push:
<span style='display:block; white-space:pre;color:#404040;'> new f34c23137ff openssh: fix support for +gsskex
</span>f34c23137ff is described below
<span style='display:block; white-space:pre;color:#808000;'>commit f34c23137ff37bd006dd2aba16be237f1c496b53
</span>Author: Blair Zajac <blair@macports.org>
AuthorDate: Sun Oct 10 21:25:28 2021 -0700
<span style='display:block; white-space:pre;color:#404040;'> openssh: fix support for +gsskex
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> Closes: https://trac.macports.org/ticket/63598
</span>---
net/openssh/Portfile | 2 +-
...p-20201216.patch => openssh-8.8p1-gsskex.patch} | 3049 ++++++++++----------
net/openssh/files/series | 2 +-
net/openssh/files/series-gsskex | 2 +-
4 files changed, 1542 insertions(+), 1513 deletions(-)
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/Portfile b/net/openssh/Portfile
</span><span style='display:block; white-space:pre;color:#808080;'>index 8dd8436b67a..b30c1be55f8 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -161,7 +161,7 @@ if {${name} eq ${subport}} {
</span> }
variant gsskex requires kerberos5 description "Add OpenSSH GSSAPI key exchange patch" {
<span style='display:block; white-space:pre;background:#ffe0e0;'>- patchfiles-append openssh-8.1p1-gsskex-all-20141021-mp-20201216.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ patchfiles-append openssh-8.8p1-gsskex.patch
</span> configure.ldflags-append \
-Wl,-pie
configure.cflags-append -fPIE
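Review bot: this hunk changes the only `patchfiles-append` for the gsskex variant to
`openssh-8.8p1-gsskex.patch`, but the diffstat above also lists
`net/openssh/files/series-gsskex` as modified and that file is not shown in this
view; check that it names the same file, since the variant and the series list
must agree after the rename. The new name also encodes the OpenSSH version, so a
future `version` bump has to touch this variant line as well as the patch file;
that is fine as long as the patch header keeps recording the exact commit range
it was generated from.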
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/openssh-8.1p1-gsskex-all-20141021-mp-20201216.patch b/net/openssh/files/openssh-8.8p1-gsskex.patch
</span>similarity index 67%
rename from net/openssh/files/openssh-8.1p1-gsskex-all-20141021-mp-20201216.patch
rename to net/openssh/files/openssh-8.8p1-gsskex.patch
<span style='display:block; white-space:pre;color:#808080;'>index 71fdde0608f..ef073f651d0 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/files/openssh-8.1p1-gsskex-all-20141021-mp-20201216.patch
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/files/openssh-8.8p1-gsskex.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1,3 +1,10 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+====== OVERVIEW SECTION ======
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+This file has some content from the previous version of the patch that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+applied cleanly to 8.4p1.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+====== TEXT FROM 8.4p1 VERSION ======
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span> From 1c1b6fa17982eb622e2c4e8f4a279f2113f57413 Mon Sep 17 00:00:00 2001
From: Simon Wilkinson <simon@sxw.org.uk>
Date: Sun, 9 Feb 2014 16:09:48 +0000
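Review bot: the added overview says the retained text "applied cleanly to 8.4p1",
yet this commit targets 8.8p1 (the file is now openssh-8.8p1-gsskex.patch), so
state which parts are carried over from the 8.4p1-era patch and which come from
the regenerated 8.8p1 diff; otherwise the next updater cannot tell what still
needs review. Free-form text ahead of the first `From`/`diff --git` line is
skipped by patch(1) as leading garbage, so it does not affect the build, but keep
it free of lines that look like unified-diff headers (`---`, `+++`, `@@`).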
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -21,269 +28,237 @@ Last-Updated: 2014-10-07
</span>
Patch-Name: gssapi.patch
<span style='display:block; white-space:pre;background:#ffe0e0;'>-====== MACPORTS SECTION ======
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+====== PATCH SECTION ======
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+The below was created using the following commands:
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>-Updated by: Mihai Moldovan <ionic@macports.org>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-Patch-Name: openssh-8.1p1-gsskex-all-20141021-mp-20201216.patch
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-Abstract: Updated for OpenSSH 8.1p1 with MacPorts patches for integration
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- with Apple's launchd, pam, sandbox and Keychain.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- WARNING: the commit ID does NOT match this patch. It is merely
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- provided for reference.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- This patch is a COMBINATION of both the GSSAPI patches included
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- in Fedora and Debian. Neither standalone path is particularly
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- stellar, both have their rough edges. The idea is to base upon
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- the Fedora patch and fix small issues or add other features by
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- pulling in specific changes from the Debian version.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Sometimes, I also rewrite code to avoid copy-pasting madness
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- or the like.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-Last-Updated: 2019-10-15
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-X-Ref (Old): http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/tree/openssh-6.1p1-gssapi-canohost.patch?id=b487a6d746c5bff2889ce09f98535d3b5e1e7e65
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-X-Ref (Old): http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/tree/openssh-7.0p1-gssKexAlgorithms.patch?id=13073f8d9ccec27646453f729aaa2952ae86ad01
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-X-Ref (Old): http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/tree/openssh-7.1p1-gssapi-documentation.patch?id=d9d9575f0065dc0cf84743fa8c163df70c0623b8
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-X-Ref (Old): http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/tree/openssh-7.2p1-gsskex.patch?id=b487a6d746c5bff2889ce09f98535d3b5e1e7e65
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-X-Ref (Old): http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/tree/openssh-7.2p1-gsskex.patch?id=17b491b3075c078c75ca0fa5ad7438e52747b3b0
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-X-Ref: https://src.fedoraproject.org/rpms/openssh/blob/def1debf2eba5b7877e54548c1749322e68740a6/f/openssh-8.0p1-gssapi-keyex.patch
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-X-Ref (Old): http://sources.debian.net/data/main/o/openssh/1:7.3p1-1/debian/patches/gssapi.patch
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-X-Ref (Old): https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/gssapi.patch?id=477bb7636238c106f8cd7c868a8c0c5eabcfb3db
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-X-Ref (Old): https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/tree/debian/patches/gssapi.patch?id=0556ea972b15607b7e13ff31bc05840881c91dd3
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5c167a9ab866df9/debian/patches/gssapi.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+$ git clone https://github.com/openssh-gsskex/openssh-gsskex.git
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+$ cd openssh-gsskex
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+$ git diff bf944e37..261d3de3
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>-====== MACPORTS SECTION ======
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>----
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ChangeLog.gssapi | 113 +++++++++++++++++++
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Makefile.in | 3 +-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- auth-krb5.c | 17 ++-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- auth2-gss.c | 48 +++++++-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- auth2.c | 2 +
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- clientloop.c | 13 +++
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- config.h.in | 6 +
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- configure | 57 ++++++++++
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- configure.ac | 24 ++++
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- gss-genr.c | 275 ++++++++++++++++++++++++++++++++++++++++++++-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- gss-serv-krb5.c | 85 ++++++++++++--
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- gss-serv.c | 221 +++++++++++++++++++++++++++++++-----
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex.c | 16 +++
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex.h | 14 +++
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kexgssc.c | 332 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kexgsss.c | 290 ++++++++++++++++++++++++++++++++++++++++++++++++
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- monitor.c | 108 +++++++++++++++++-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- monitor.h | 3 +
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- monitor_wrap.c | 47 +++++++-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- monitor_wrap.h | 4 +-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- readconf.c | 42 +++++++
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- readconf.h | 5 +
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- servconf.c | 38 ++++++-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- servconf.h | 3 +
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh-gss.h | 41 ++++++-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_config | 2 +
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_config.5 | 34 +++++-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sshconnect2.c | 124 ++++++++++++++++++++-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sshd.c | 110 ++++++++++++++++++
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sshd_config | 2 +
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sshd_config.5 | 28 +++++
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sshkey.c | 3 +-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sshkey.h | 1 +
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- 33 files changed, 2052 insertions(+), 59 deletions(-)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- create mode 100644 ChangeLog.gssapi
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- create mode 100644 kexgssc.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- create mode 100644 kexgsss.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bf944e37 corresponds to the upstream V_8_8_P1 tags in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# https://github.com/openssh/openssh-portable.git
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 261d3de3 corresponds to the proposed commit from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# https://github.com/openssh-gsskex/openssh-gsskex/pull/23
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- /dev/null 1970-01-01 00:00:00.000000000 +0000
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ChangeLog.gssapi 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -0,0 +1,113 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+20110101
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - Finally update for OpenSSH 5.6p1
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - Add GSSAPIServerIdentity option from Jim Basney
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+20100308
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ Makefile.in, key.c, key.h ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Updates for OpenSSH 5.4p1
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ servconf.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Include GSSAPI options in the sshd -T configuration dump, and flag
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ some older configuration options as being unsupported. Thanks to Colin
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Watson.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ -
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+20100124
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ sshconnect2.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Adapt to deal with additional element in Authmethod structure. Thanks to
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Colin Watson
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+20090615
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sshd.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Fix issues identified by Greg Hudson following a code review
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Check return value of gss_indicate_mechs
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Protect GSSAPI calls in monitor, so they can only be used if enabled
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Check return values of bignum functions in key exchange
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Use BN_clear_free to clear other side's DH value
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Make ssh_gssapi_id_kex more robust
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Only configure kex table pointers if GSSAPI is enabled
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Don't leak mechanism list, or gss mechanism list
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Cast data.length before printing
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ If serverkey isn't provided, use an empty string, rather than NULL
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+20090201
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ gss-genr.c gss-serv.c kex.h kexgssc.c readconf.c readconf.h ssh-gss.h
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_config.5 sshconnet2.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Add support for the GSSAPIClientIdentity option, which allows the user
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ to specify which GSSAPI identity to use to contact a given server
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+20080404
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ gss-serv.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Add code to actually implement GSSAPIStrictAcceptCheck, which had somehow
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ been omitted from a previous version of this patch. Reported by Borislav
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Stoichkov
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+20070317
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ gss-serv-krb5.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Remove C99ism, where new_ccname was being declared in the middle of a
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ function
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+20061220
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ servconf.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Make default for GSSAPIStrictAcceptorCheck be Yes, to match previous, and
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ documented, behaviour. Reported by Dan Watson.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+20060910
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ gss-genr.c kexgssc.c kexgsss.c kex.h monitor.c sshconnect2.c sshd.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh-gss.h ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ add support for gss-group14-sha1 key exchange mechanisms
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ gss-serv.c servconf.c servconf.h sshd_config sshd_config.5 ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Add GSSAPIStrictAcceptorCheck option to allow the disabling of
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ acceptor principal checking on multi-homed machines.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ <Bugzilla #928>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ sshd_config ssh_config ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Add settings for GSSAPIKeyExchange and GSSAPITrustDNS to the sample
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ configuration files
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ kexgss.c kegsss.c sshconnect2.c sshd.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Code cleanup. Replace strlen/xmalloc/snprintf sequences with xasprintf()
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Limit length of error messages displayed by client
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+20060909
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ gss-genr.c gss-serv.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ move ssh_gssapi_acquire_cred() and ssh_gssapi_server_ctx to be server
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ only, where they belong
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ <Bugzilla #1225>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+20060829
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ gss-serv-krb5.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Fix CCAPI credentials cache name when creating KRB5CCNAME environment
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ variable
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+20060828
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ gss-genr.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Avoid Heimdal context freeing problem
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ <Fixed upstream 20060829>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+20060818
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ gss-genr.c ssh-gss.h sshconnect2.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Make sure that SPENGO is disabled
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ <Bugzilla #1218 - Fixed upstream 20060818>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+20060421
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ gssgenr.c, sshconnect2.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ a few type changes (signed versus unsigned, int versus size_t) to
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fix compiler errors/warnings
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (from jbasney AT ncsa.uiuc.edu)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ kexgssc.c, sshconnect2.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fix uninitialized variable warnings
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (from jbasney AT ncsa.uiuc.edu)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ gssgenr.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pass oid to gss_display_status (helpful when using GSSAPI mechglue)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (from jbasney AT ncsa.uiuc.edu)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ <Bugzilla #1220 >
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ gss-serv-krb5.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ #ifdef HAVE_GSSAPI_KRB5 should be #ifdef HAVE_GSSAPI_KRB5_H
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (from jbasney AT ncsa.uiuc.edu)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ <Fixed upstream 20060304>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ readconf.c, readconf.h, ssh_config.5, sshconnect2.c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ add client-side GssapiKeyExchange option
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (from jbasney AT ncsa.uiuc.edu)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ - [ sshconnect2.c ]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ add support for GssapiTrustDns option for gssapi-with-mic
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (from jbasney AT ncsa.uiuc.edu)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ <gssapi-with-mic support is Bugzilla #1008>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/Makefile.in.orig 2020-09-27 02:25:01.000000000 -0500
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/Makefile.in 2020-12-16 18:31:47.000000000 -0600
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -91,6 +91,7 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- authfd.o authfile.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ auth-compat.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- canohost.o channels.o cipher.o cipher-aes.o cipher-aesctr.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- cipher-ctr.o cleanup.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- compat.o fatal.o hostfile.o \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -106,6 +107,7 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- hmac.o sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/.travis.yml b/.travis.yml
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+new file mode 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 00000000..5ba9985d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/.travis.yml
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -0,0 +1,27 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++language: c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++dist: bionic
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++compiler:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - clang
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - gcc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# Run only unit tests. Without OpenSSL, some additional tests in makefile do not work
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++env:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - CONFIGURE=--with-kerberos5=auto TESTS="file-tests"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - CONFIGURE=--without-kerberos5 TESTS="file-tests"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - CONFIGURE=--with-kerberos5=auto --without-openssl TESTS=""
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - CONFIGURE=--without-kerberos5 --without-openssl TESTS=""
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++addons:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ apt_packages:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - libssl-dev
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - libkrb5-dev
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++before_script:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - autoreconf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - ./configure $CONFIGURE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++script:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - make
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - # make tests
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ - make unit $TESTS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/Makefile.in b/Makefile.in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index b0293841..b0e76f01 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/Makefile.in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/Makefile.in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -108,6 +108,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
</span> kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
kexgexc.o kexgexs.o \
<span style='display:block; white-space:pre;background:#e0ffe0;'>+ kexsntrup761x25519.o sntrup761.o kexgen.o \
</span> + kexgssc.o \
<span style='display:block; white-space:pre;background:#ffe0e0;'>- sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \
</span> sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
sshbuf-io.o
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -123,7 +125,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -124,7 +125,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
</span> auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o \
monitor.o monitor_wrap.o auth-krb5.o \
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
<span style='display:block; white-space:pre;background:#ffe0e0;'>- sftp-server.o sftp-common.o \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ srclimit.o sftp-server.o sftp-common.o \
</span> sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/auth-krb5.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth-krb5.c 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- len = strlen(authctxt->krb5_ticket_file) + 6;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- authctxt->krb5_ccname = xmalloc(len);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef USE_CCAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ snprintf(authctxt->krb5_ccname, len, "API:%s",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ authctxt->krb5_ticket_file);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- snprintf(authctxt->krb5_ccname, len, "FILE:%s",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- authctxt->krb5_ticket_file);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef USE_PAM
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options.use_pam)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -240,15 +245,22 @@ krb5_cleanup_proc(Authctxt *authctxt)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifndef HEIMDAL
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- krb5_error_code
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- int tmpfd, ret, oerrno;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int ret, oerrno;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- char ccname[40];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- mode_t old_umask;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef USE_CCAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char cctemplate[] = "API:krb5cc_%d";
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char cctemplate[] = "FILE:/tmp/krb5cc_%d_XXXXXXXXXX";
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int tmpfd;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ret = snprintf(ccname, sizeof(ccname),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ cctemplate, geteuid());
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (ret < 0 || (size_t)ret >= sizeof(ccname))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return ENOMEM;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifndef USE_CCAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- old_umask = umask(0177);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- tmpfd = mkstemp(ccname + strlen("FILE:"));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- oerrno = errno;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -265,6 +277,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_c
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return oerrno;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- close(tmpfd);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
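Review bot: the auth-krb5.c hunks are dropped entirely from the updated patch (the removed `-+#ifdef USE_CCAPI` block that set `authctxt->krb5_ccname` to `"API:%s"` and switched `ssh_krb5_cc_gen()` to the `"API:krb5cc_%d"` template), so builds that define USE_CCAPI fall back to the `FILE:` credential cache path for password-authenticated Kerberos logins. If that is intentional (the hunk was never gsskex-specific) the commit message should say so; if not, the whole block has to be re-ported onto 8.8p1, including the `int tmpfd;` and `#ifndef USE_CCAPI` guards around `mkstemp()`, not just the two ccname lines.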
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/README.md b/README.md
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index de471773..53d98ade 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/README.md
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/README.md
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1,3 +1,39 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Portable OpenSSH with GSSAPI Key Exchange patches
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++=================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++[![Language grade: C/C++](https://img.shields.io/lgtm/grade/cpp/g/openssh-gsskex/openssh-gsskex.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/openssh-gsskex/openssh-gsskex/context:cpp)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Currently, there are two branches with gssapi key exchange related
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++patches:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * fedora/master: Changes that are shipped in Fedora [![Build Status](https://travis-ci.org/openssh-gsskex/openssh-gsskex.svg?branch=fedora%2Fmaster)](https://travis-ci.org/openssh-gsskex/openssh-gsskex)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * debian/master: Changes that are shipped in Debian [![Build Status](https://travis-ci.org/openssh-gsskex/openssh-gsskex.svg?branch=debian%2Fmaster)](https://travis-ci.org/openssh-gsskex/openssh-gsskex)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++The target is to converge to a shared repository with single master
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++branch from where we could build releases for both OSes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++What is in:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * The original patch implementing missing parts of RFC4462 by Simon Wilkinson
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ adapted to the current OpenSSH versions and with several fixes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * New methods for GSSAPI Kex from IETF draft [1] from Jakub Jelen
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Missing kerberos-related parts:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * .k5login and .kusers support available in Fedora [2] [3].
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Improved handling of kerberos ccache location [4]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++[1] https://tools.ietf.org/html/draft-ietf-curdle-gss-keyex-sha2-08
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++[2] https://src.fedoraproject.org/rpms/openssh/blob/master/f/openssh-6.6p1-kuserok.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++[3] https://src.fedoraproject.org/rpms/openssh/blob/master/f/openssh-6.6p1-GSSAPIEnablek5users.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++[4] https://bugzilla.mindrot.org/show_bug.cgi?id=2775
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++-------------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Portable OpenSSH
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>- return (krb5_cc_resolve(ctx, ccname, ccache));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ [![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml)
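Review bot: the new README.md hunk (`+Portable OpenSSH with GSSAPI Key Exchange patches` through the `----` rule and the LGTM/Travis badge links) only adds upstream openssh-gsskex project text to the port's patch; it has no effect on the build and is the hunk most likely to stop applying on the next rebase. Consider stripping it when regenerating openssh-8.8p1-gsskex.patch and noting in the Portfile which openssh-gsskex commit the patch was taken from, so the next update can be reproduced.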
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/auth.c b/auth.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 00b168b4..704dc2e7 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/auth.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -402,7 +402,8 @@ auth_root_allowed(struct ssh *ssh, const char *method)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case PERMIT_NO_PASSWD:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (strcmp(method, "publickey") == 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ strcmp(method, "hostbased") == 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- strcmp(method, "gssapi-with-mic") == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ strcmp(method, "gssapi-with-mic") == 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ strcmp(method, "gssapi-keyex") == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case PERMIT_FORCED_ONLY:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -729,97 +730,6 @@ fakepw(void)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return (&fake);
</span> }
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/auth2-gss.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth2-gss.c 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * Returns the remote DNS hostname as a string. The returned string must not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * be freed. NB. this will usually trigger a DNS query the first time it is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * called.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * This function does additional checks on the hostname to mitigate some
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * attacks on based on conflation of hostnames and IP addresses.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-static char *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-remote_hostname(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- struct sockaddr_storage from;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- socklen_t fromlen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- struct addrinfo hints, *ai, *aitop;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- const char *ntop = ssh_remote_ipaddr(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /* Get IP address of client. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- fromlen = sizeof(from);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- memset(&from, 0, sizeof(from));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (getpeername(ssh_packet_get_connection_in(ssh),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- (struct sockaddr *)&from, &fromlen) == -1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- debug("getpeername failed: %.100s", strerror(errno));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return xstrdup(ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- ipv64_normalise_mapped(&from, &fromlen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (from.ss_family == AF_INET6)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- fromlen = sizeof(struct sockaddr_in6);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- debug3("Trying to reverse map address %.100s.", ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /* Map the IP address to a host name. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- NULL, 0, NI_NAMEREQD) != 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /* Host name not found. Use ip address. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return xstrdup(ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * if reverse lookup result looks like a numeric hostname,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * someone is trying to trick us by PTR record like following:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- memset(&hints, 0, sizeof(hints));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- hints.ai_flags = AI_NUMERICHOST;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- name, ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- freeaddrinfo(ai);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return xstrdup(ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /* Names are stored in lowercase. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- lowercase(name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * Map it back to an IP address and check that the given
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * address actually is an address of this host. This is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * necessary because anyone with access to a name server can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * define arbitrary names for an IP address. Mapping from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * name to IP address can be trusted better (but can still be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * fooled if the intruder has access to the name server of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * the domain).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- memset(&hints, 0, sizeof(hints));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- hints.ai_family = from.ss_family;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- hints.ai_socktype = SOCK_STREAM;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- logit("reverse mapping checking getaddrinfo for %.700s "
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- "[%s] failed.", name, ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return xstrdup(ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /* Look for the address from the list of addresses. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- for (ai = aitop; ai; ai = ai->ai_next) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- (strcmp(ntop, ntop2) == 0))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- freeaddrinfo(aitop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /* If we reached the end of the list, the address was not there. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (ai == NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /* Address not found for the host name. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- logit("Address %.100s maps to %.600s, but this does not "
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- "map back to the address.", ntop, name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return xstrdup(ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return xstrdup(name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * Return the canonical name of the host in the other side of the current
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * connection. The host name is cached, so it is efficient to call this
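Review bot: two unrelated things happen in this auth.c hunk and the commit message covers neither. First, `auth_root_allowed()` now accepts `gssapi-keyex` under `PERMIT_NO_PASSWD`, so root may log in via GSSAPI key exchange when PermitRootLogin is prohibit-password; that is consistent with `gssapi-with-mic` being in the same list, but it is a policy change, so confirm the PermitRootLogin text in sshd_config(5) carried by this patch mentions it. Second, `remote_hostname()` is deleted here and re-added in canohost.c without `static` and with a different header comment ("attacks on legacy rhosts-style authentication" versus "conflation of hostnames and IP addresses"); confirm this relocation comes from the 8.8p1 rebase rather than from the gsskex patch itself, and that canohost.h declares it, otherwise the port patch is carrying an unrelated refactor.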
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/auth2-gss.c b/auth2-gss.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 60e36961..2e9aad3f 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/auth2-gss.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth2-gss.c
</span> @@ -1,7 +1,7 @@
<span style='display:block; white-space:pre;background:#ffe0e0;'>- /* $OpenBSD: auth2-gss.c,v 1.29 2018/07/31 03:10:27 djm Exp $ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* $OpenBSD: auth2-gss.c,v 1.32 2021/01/27 10:15:08 djm Exp $ */
</span>
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -291,37 +266,38 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -55,6 +55,48 @@ static int input_gssapi_exchange_complet
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -55,6 +55,48 @@ static int input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh);
</span> static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
<span style='display:block; white-space:pre;background:#ffe0e0;'>- /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/*
</span> + * The 'gssapi_keyex' userauth mechanism.
+ */
+static int
+userauth_gsskeyex(struct ssh *ssh)
+{
+ Authctxt *authctxt = ssh->authctxt;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int r = -1, authenticated = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int r, authenticated = 0;
</span> + struct sshbuf *b = NULL;
+ gss_buffer_desc mic, gssbuf;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ u_char *p = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_char *p;
</span> + size_t len;
+
+ if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 ||
+ (r = sshpkt_get_end(ssh)) != 0)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_fr(r, "parsing");
</span> +
+ if ((b = sshbuf_new()) == NULL)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: sshbuf_new failed", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_f("sshbuf_new failed");
</span> +
+ mic.value = p;
+ mic.length = len;
+
+ ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ "gssapi-keyex");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "gssapi-keyex", ssh->kex->session_id);
</span> +
+ if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: sshbuf_mutable_ptr failed", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_f("sshbuf_mutable_ptr failed");
</span> + gssbuf.length = sshbuf_len(b);
+
+ /* gss_kex_context is NULL with privsep, so we can't check it here */
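Review bot: in `userauth_gsskeyex()` the MIC is now built over `ssh->kex->session_id` (`ssh_gssapi_buildmic(b, authctxt->user, authctxt->service, "gssapi-keyex", ssh->kex->session_id)`), which matches the rebased call site, but `ssh->kex` is dereferenced with no check; it is live during userauth, so a one-line comment saying why the NULL check is omitted would help the next reader. The string `p` from `sshpkt_get_string()` is heap-allocated and `b` is a fresh sshbuf; the tail of the function is outside this hunk, so confirm both are freed on every path before `return (authenticated)`. Dropping the `= -1` / `= NULL` initialisers is fine since both variables are assigned, or `fatal_fr()` is hit, before any use.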
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -336,13 +312,12 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + return (authenticated);
+}
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span> * We only support those mechanisms that we know about (ie ones that we know
* how to check local user kuserok and the like)
<span style='display:block; white-space:pre;background:#ffe0e0;'>- */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -260,7 +302,8 @@ input_gssapi_exchange_complete(int type,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -261,7 +303,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
</span> if ((r = sshpkt_get_end(ssh)) != 0)
<span style='display:block; white-space:pre;background:#ffe0e0;'>- fatal("%s: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal_fr(r, "parse packet");
</span>
- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -350,7 +325,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span>
if ((!use_privsep || mm_is_monitor()) &&
(displayname = ssh_gssapi_displayname()) != NULL)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -306,7 +349,8 @@ input_gssapi_mic(int type, u_int32_t ple
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -307,7 +350,8 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
</span> gssbuf.length = sshbuf_len(b);
if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -360,7 +335,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> else
logit("GSSAPI MIC check failed");
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -326,6 +370,12 @@ input_gssapi_mic(int type, u_int32_t ple
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -327,6 +371,12 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
</span> return 0;
}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -373,9 +348,11 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> Authmethod method_gssapi = {
"gssapi-with-mic",
userauth_gssapi,
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/auth2.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth2.c 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -73,6 +73,7 @@ extern Authmethod method_passwd;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/auth2.c b/auth2.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 84d0ed16..f905d5a3 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/auth2.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/auth2.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -71,6 +71,7 @@ extern Authmethod method_passwd;
</span> extern Authmethod method_kbdint;
extern Authmethod method_hostbased;
#ifdef GSSAPI
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -383,7 +360,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> extern Authmethod method_gssapi;
#endif
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -80,6 +81,7 @@ Authmethod *authmethods[] = {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -78,6 +79,7 @@ Authmethod *authmethods[] = {
</span> &method_none,
&method_pubkey,
#ifdef GSSAPI
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -391,8 +368,126 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> &method_gssapi,
#endif
&method_passwd,
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/clientloop.c 2019-11-08 14:18:24.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/clientloop.c 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/canohost.c b/canohost.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index a810da0e..99f1cd40 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/canohost.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/canohost.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -35,6 +35,97 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "canohost.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include "misc.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Returns the remote DNS hostname as a string. The returned string must not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * be freed. NB. this will usually trigger a DNS query the first time it is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * called.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * This function does additional checks on the hostname to mitigate some
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * attacks on legacy rhosts-style authentication.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++char *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++remote_hostname(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sockaddr_storage from;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ socklen_t fromlen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct addrinfo hints, *ai, *aitop;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const char *ntop = ssh_remote_ipaddr(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Get IP address of client. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fromlen = sizeof(from);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ memset(&from, 0, sizeof(from));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (getpeername(ssh_packet_get_connection_in(ssh),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (struct sockaddr *)&from, &fromlen) == -1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("getpeername failed: %.100s", strerror(errno));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return xstrdup(ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ipv64_normalise_mapped(&from, &fromlen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (from.ss_family == AF_INET6)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fromlen = sizeof(struct sockaddr_in6);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug3("Trying to reverse map address %.100s.", ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Map the IP address to a host name. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ NULL, 0, NI_NAMEREQD) != 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Host name not found. Use ip address. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return xstrdup(ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * if reverse lookup result looks like a numeric hostname,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * someone is trying to trick us by PTR record like following:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ memset(&hints, 0, sizeof(hints));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hints.ai_flags = AI_NUMERICHOST;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ name, ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ freeaddrinfo(ai);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return xstrdup(ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Names are stored in lowercase. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ lowercase(name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Map it back to an IP address and check that the given
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * address actually is an address of this host. This is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * necessary because anyone with access to a name server can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * define arbitrary names for an IP address. Mapping from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * name to IP address can be trusted better (but can still be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * fooled if the intruder has access to the name server of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * the domain).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ memset(&hints, 0, sizeof(hints));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hints.ai_family = from.ss_family;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hints.ai_socktype = SOCK_STREAM;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ logit("reverse mapping checking getaddrinfo for %.700s "
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "[%s] failed.", name, ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return xstrdup(ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Look for the address from the list of addresses. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for (ai = aitop; ai; ai = ai->ai_next) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (strcmp(ntop, ntop2) == 0))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ freeaddrinfo(aitop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* If we reached the end of the list, the address was not there. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (ai == NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Address not found for the host name. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ logit("Address %.100s maps to %.600s, but this does not "
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "map back to the address.", ntop, name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return xstrdup(ntop);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return xstrdup(name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
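</span><span style='display:block; white-space:pre-wrap;'>Review bot: the header comment on remote_hostname() says "The returned string must not be freed", but every return path is an xstrdup() (`return xstrdup(ntop);` on the getpeername, NI_NAMEREQD, numeric-PTR, forward-lookup-failure and address-mismatch paths, `return xstrdup(name);` on success), so the caller owns the buffer and leaks it once per connection if it takes the comment at face value. Change the comment to state that the result is heap-allocated and must be freed by the caller, and put the same ownership note on the new `char *remote_hostname(struct ssh *);` prototype in canohost.h so that every caller of the now-exported function gets it right. The DNS sanity checks themselves (rejecting a PTR that parses under AI_NUMERICHOST, then requiring the name to map back to the peer address) are fine as written.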
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/canohost.h b/canohost.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 26d62855..0cadc9f1 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/canohost.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/canohost.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -15,6 +15,9 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifndef _CANOHOST_H
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define _CANOHOST_H
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++struct ssh;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++char *remote_hostname(struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *get_peer_ipaddr(int);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int get_peer_port(int);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *get_local_ipaddr(int);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/clientloop.c b/clientloop.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index da14d150..d784ddc9 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/clientloop.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/clientloop.c
</span> @@ -112,6 +112,10 @@
#include "ssherr.h"
#include "hostfile.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -404,7 +499,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> /* import options */
extern Options options;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1393,9 +1397,18 @@ client_loop(struct ssh *ssh, int have_pt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1343,9 +1347,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
</span> break;
/* Do channel operations unless rekeying in progress. */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -424,31 +519,11 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> /* Buffer input from the connection. */
client_process_net_input(ssh, readset);
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/config.h.in 2019-10-09 02:39:34.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/config.h.in 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1884,6 +1884,9 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Use btmp to log bad logins */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #undef USE_BTMP
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* platform uses an in-memory credentials cache */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#undef USE_CCAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Use libedit for sftp */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #undef USE_LIBEDIT
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1902,6 +1905,9 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Define if you have Solaris privileges */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #undef USE_SOLARIS_PRIVS
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* platform has the Security Authorization Session API */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#undef USE_SECURITY_SESSION_API
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Define if you have Solaris process contracts */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #undef USE_SOLARIS_PROCESS_CONTRACTS
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/configure.ac 2019-11-08 15:37:14.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/configure.ac 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -667,6 +667,30 @@ main() { if (NSVersionOfRunTimeLibrary("
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/configure.ac b/configure.ac
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 413913a7..29de0ef0 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/configure.ac
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/configure.ac
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -709,6 +709,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
</span> [Use tunnel device compatibility to OpenBSD])
AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
[Prepend the address family to IP tunnel traffic])
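Review bot: the two config.h.in hunks the old patch carried (`+#undef USE_CCAPI` and `+#undef USE_SECURITY_SESSION_API`) are dropped here and nothing in the new patch replaces them, so these macros only reach config.h if config.h.in is regenerated (autoreconf/autoheader) from the AC_DEFINEs that the configure.ac hunk immediately below (`@@ -709,6 +709,30 @@`) adds. Confirm the port runs autoreconf after patching; if it does not, USE_CCAPI is never defined and the `API:%s` credential-cache branch in gss-serv-krb5.c further down is compiled out on macOS, silently leaving the `#else` file-cache path in use.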
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -477,12 +552,14 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + [AC_MSG_RESULT([no])]
+ )
m4_pattern_allow([AU_IPv])
<span style='display:block; white-space:pre;background:#ffe0e0;'>- AC_CHECK_DECL([AU_IPv4],
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- AC_DEFINE([LASTLOG_WRITE_PUTUTXLINE], [1],
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/gss-genr.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/gss-genr.c 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ AC_CHECK_DECL([AU_IPv4], [],
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/gss-genr.c b/gss-genr.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 68528051..cede661b 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/gss-genr.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/gss-genr.c
</span> @@ -1,7 +1,7 @@
<span style='display:block; white-space:pre;background:#ffe0e0;'>- /* $OpenBSD: gss-genr.c,v 1.26 2018/07/10 09:13:30 djm Exp $ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* $OpenBSD: gss-genr.c,v 1.28 2021/01/27 10:05:28 djm Exp $ */
</span>
/*
- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -490,7 +567,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -41,12 +41,36 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -41,9 +41,33 @@
</span> #include "sshbuf.h"
#include "log.h"
#include "ssh2.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -502,9 +579,6 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span>
#include "ssh-gss.h"
<span style='display:block; white-space:pre;background:#ffe0e0;'>- extern u_char *session_id2;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- extern u_int session_id2_len;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span> +typedef struct {
+ char *encoded;
+ gss_OID oid;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -527,7 +601,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> /* sshbuf_get for gss_buffer_desc */
int
ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -62,6 +86,160 @@ ssh_gssapi_get_buffer_desc(struct sshbuf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -59,6 +83,159 @@ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
</span> return 0;
}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -539,7 +613,6 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + u_char *p;
+ size_t len;
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span> + if ((r = sshpkt_get_string(ssh, &p, &len)) != 0)
+ return r;
+ g->value = p;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -563,8 +636,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + if (GSS_ERROR(gss_indicate_mechs(&min_status, &gss_supported)))
+ return NULL;
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ host, client, kex));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ host, client, kex);
</span> +}
+
+char *
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -572,7 +645,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + const char *host, const char *client, const char *kex) {
+ struct sshbuf *buf = NULL;
+ size_t i;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int r, oidpos, enclen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int r = SSH_ERR_ALLOC_FAIL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int oidpos, enclen;
</span> + char *mechs, *encoded;
+ u_char digest[SSH_DIGEST_MAX_LENGTH];
+ char deroid[2];
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -589,7 +663,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + (gss_supported->count + 1));
+
+ if ((buf = sshbuf_new()) == NULL)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: sshbuf_new failed", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_f("sshbuf_new failed");
</span> +
+ oidpos = 0;
+ s = cp = xstrdup(kex);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -606,12 +680,12 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + gss_supported->elements[i].elements,
+ gss_supported->elements[i].length)) != 0 ||
+ (r = ssh_digest_final(md, digest, sizeof(digest))) != 0)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: digest failed: %s", __func__,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_fr(r, "digest failed");
</span> + ssh_digest_free(md);
+ md = NULL;
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ encoded = xmalloc(ssh_digest_bytes(SSH_DIGEST_MD5) * 2);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ encoded = xmalloc(ssh_digest_bytes(SSH_DIGEST_MD5)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * 2);
</span> + enclen = __b64_ntop(digest,
+ ssh_digest_bytes(SSH_DIGEST_MD5), encoded,
+ ssh_digest_bytes(SSH_DIGEST_MD5) * 2);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -621,12 +695,10 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + (p = strsep(&cp, ","))) {
+ if (sshbuf_len(buf) != 0 &&
+ (r = sshbuf_put_u8(buf, ',')) != 0)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: sshbuf_put_u8 error: %s",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_fr(r, "sshbuf_put_u8 error");
</span> + if ((r = sshbuf_put(buf, p, strlen(p))) != 0 ||
+ (r = sshbuf_put(buf, encoded, enclen)) != 0)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: sshbuf_put error: %s",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_fr(r, "sshbuf_put error");
</span> + }
+
+ gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
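Review bot: `enclen` from `__b64_ntop()` is handed to `sshbuf_put(buf, encoded, enclen)` without checking for the -1 it returns when the output buffer is too small, and a -1 would be converted to a huge size_t length. The buffer allocated in the previous hunk (`xmalloc(ssh_digest_bytes(SSH_DIGEST_MD5) * 2)`, 32 bytes) is enough for the 24 base64 characters plus terminator of a 16-byte digest, so it cannot fail today, but an `if (enclen == -1) fatal_f("__b64_ntop failed");` would match the fatal_f()/fatal_fr() error handling the rest of this hunk was just converted to. (The MD5 here is the RFC 4462 mechanism-name encoding, base64(MD5(DER OID)), not a security use of the hash.)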
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -639,7 +711,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + gss_enc2oid[oidpos].encoded = NULL;
+
+ if ((mechs = sshbuf_dup_string(buf)) == NULL)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: sshbuf_dup_string failed", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_f("sshbuf_dup_string failed");
</span> +
+ sshbuf_free(buf);
+
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -673,6 +745,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + default:
+ return GSS_C_NO_OID;
+ }
<span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> +#undef SKIP_KEX_NAME
+
+ while (gss_enc2oid[i].encoded != NULL &&
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -688,7 +761,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> /* Check that the OID in a data stream matches that in the context */
int
ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -218,7 +396,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -215,7 +392,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok,
</span> }
ctx->major = gss_init_sec_context(&ctx->minor,
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -697,10 +770,11 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
0, NULL, recv_tok, NULL, send_tok, flags, NULL);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -248,8 +426,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -244,9 +421,43 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return (ctx->major);
</span> }
<span style='display:block; white-space:pre;background:#ffe0e0;'>- OM_uint32
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++OM_uint32
</span> +ssh_gssapi_client_identity(Gssctxt *ctx, const char *name)
+{
+ gss_buffer_desc gssbuf;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -731,7 +805,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + return(ctx->major);
+}
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+OM_uint32
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ OM_uint32
</span> ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
{
+ if (ctx == NULL)
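Review bot: the marker swap between this hunk and the previous one (`- OM_uint32` / `++OM_uint32` before ssh_gssapi_client_identity(), `-+OM_uint32` / `+ OM_uint32` before ssh_gssapi_sign()) produces the same file as the old patch but anchors the added function on the new `return (ctx->major);` context line and leaves the existing `OM_uint32` before ssh_gssapi_sign() as context, which is what lets the hunk apply against 8.8p1 without fuzz. Nothing to change; noting it so the diff is not read as a functional edit.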
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -740,7 +814,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
GSS_C_QOP_DEFAULT, buffer, hash)))
ssh_gssapi_error(ctx);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -257,6 +469,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -254,6 +465,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
</span> return (ctx->major);
}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -759,8 +833,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> +
void
ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
<span style='display:block; white-space:pre;background:#ffe0e0;'>- const char *context)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -273,11 +498,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, co
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const char *context, const struct sshbuf *session_id)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -270,11 +494,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
</span> }
int
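Review bot: ssh_gssapi_buildmic() now takes `const struct sshbuf *session_id` in place of the `session_id2`/`session_id2_len` globals whose extern declarations an earlier hunk removes, so the MIC is computed over whatever buffer the caller supplies. Only the gss-genr.c side is visible in this diff: every caller of ssh_gssapi_buildmic() on the client and server side, and the prototype in ssh-gss.h, must be updated to pass the current connection's session id, otherwise the build fails or, if an old-style call slips through under a different signature, the MIC is produced over the wrong data.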
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -778,7 +852,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span>
/* RFC 4462 says we MUST NOT do SPNEGO */
if (oid->length == spnego_oid.length &&
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -287,6 +517,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -284,6 +513,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
</span> ssh_gssapi_build_ctx(ctx);
ssh_gssapi_set_oid(*ctx, oid);
major = ssh_gssapi_import_name(*ctx, host);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -789,7 +863,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> if (!GSS_ERROR(major)) {
major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
NULL);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -296,10 +530,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -293,10 +526,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
</span> GSS_C_NO_BUFFER);
}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -857,8 +931,10 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> +}
+
#endif /* GSSAPI */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/gss-serv-krb5.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/gss-serv-krb5.c 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index a151bc1e..ef20401e 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/gss-serv-krb5.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/gss-serv-krb5.c
</span> @@ -1,7 +1,7 @@
/* $OpenBSD: gss-serv-krb5.c,v 1.9 2018/07/09 21:37:55 markus Exp $ */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -868,21 +944,20 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -120,7 +120,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -120,7 +120,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
</span> krb5_error_code problem;
krb5_principal princ;
OM_uint32 maj_status, min_status;
- int len;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ const char *new_ccname, *new_cctype;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const char *new_ccname;
</span> const char *errmsg;
if (client->creds == NULL) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -180,11 +180,26 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -180,11 +180,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
</span> return;
}
- client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ new_cctype = krb5_cc_get_type(krb_context, ccache);
</span> + new_ccname = krb5_cc_get_name(krb_context, ccache);
+
client->store.envvar = "KRB5CCNAME";
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -893,22 +968,13 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + xasprintf(&client->store.envval, "API:%s", new_ccname);
+ client->store.filename = NULL;
+#else
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (new_ccname[0] == ':')
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ new_ccname++;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ xasprintf(&client->store.envval, "%s:%s", new_cctype, new_ccname);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (strcmp(new_cctype, "DIR") == 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *p;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ p = strrchr(client->store.envval, '/');
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (p)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *p = '\0';
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((strcmp(new_cctype, "FILE") == 0) || (strcmp(new_cctype, "DIR") == 0))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ client->store.filename = xstrdup(new_ccname);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ xasprintf(&client->store.envval, "FILE:%s", new_ccname);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ client->store.filename = xstrdup(new_ccname);
</span> +#endif
#ifdef USE_PAM
if (options.use_pam)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -193,9 +208,76 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -193,9 +198,76 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
</span>
krb5_cc_close(krb_context, ccache);
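Review bot: the non-USE_CCAPI branch now hardcodes `xasprintf(&client->store.envval, "FILE:%s", new_ccname);` and unconditionally sets store.filename, dropping the krb5_cc_get_type() query and the DIR handling the 8.1p1 patch carried. That is only correct if ccache is always created with the FILE ops earlier in this function; if it can come from the library's default cache type (KCM on macOS Heimdal, DIR or KEYRING on MIT builds), KRB5CCNAME would point the user's session at a mislabelled cache and the file-based cleanup would later operate on a path that does not exist. Confirm the creation call before accepting the simplification, or restore the type query.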
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -928,9 +994,9 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + OM_uint32 maj_status, min_status;
+
+ if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ logit("krb5_cc_resolve(): %.100s",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ krb5_get_err_text(krb_context, problem));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ logit("krb5_cc_resolve(): %.100s",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ krb5_get_err_text(krb_context, problem));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 0;
</span> + }
+
+ /* Find out who the principal in this cache is */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -985,7 +1051,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> ssh_gssapi_mech gssapi_kerberos_mech = {
"toWM5Slw5Ew8Mqkay+al2g==",
"Kerberos",
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -203,7 +285,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -203,7 +275,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
</span> NULL,
&ssh_gssapi_krb5_userok,
NULL,
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -995,10 +1061,12 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> };
#endif /* KRB5 */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/gss-serv.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/gss-serv.c 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/gss-serv.c b/gss-serv.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index b5d4bb2d..4287579a 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/gss-serv.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/gss-serv.c
</span> @@ -1,7 +1,7 @@
<span style='display:block; white-space:pre;background:#ffe0e0;'>- /* $OpenBSD: gss-serv.c,v 1.31 2018/07/09 21:37:55 markus Exp $ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* $OpenBSD: gss-serv.c,v 1.32 2020/03/13 03:17:07 djm Exp $ */
</span>
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1006,7 +1074,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -44,17 +44,20 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -44,17 +44,19 @@
</span> #include "session.h"
#include "misc.h"
#include "servconf.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1018,10 +1086,10 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> extern ServerOptions options;
static ssh_gssapi_client gssapi_client =
<span style='display:block; white-space:pre;background:#ffe0e0;'>- { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
</span> - GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {NULL, NULL, NULL, NULL, NULL}, 0, 0};
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, GSS_C_NO_CREDENTIAL,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ GSS_C_NO_NAME, NULL, {NULL, NULL, NULL, NULL, NULL}, 0, 0};
</span>
ssh_gssapi_mech gssapi_null_mech =
- { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL};
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1029,10 +1097,11 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span>
#ifdef KRB5
extern ssh_gssapi_mech gssapi_kerberos_mech;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -141,6 +144,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -140,6 +142,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return (ssh_gssapi_acquire_cred(*ctx));
</span> }
<span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Unprivileged */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* Unprivileged */
</span> +char *
+ssh_gssapi_server_mechanisms(void) {
+ if (supported_oids == NULL)
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1055,11 +1124,10 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + return (res);
+}
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+/* Unprivileged */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Unprivileged */
</span> void
ssh_gssapi_supported_oids(gss_OID_set *oidset)
<span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -150,7 +176,9 @@ ssh_gssapi_supported_oids(gss_OID_set *o
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -150,7 +175,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
</span> gss_OID_set supported;
gss_create_empty_oid_set(&min_status, oidset);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1070,7 +1138,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span>
while (supported_mechs[i]->name != NULL) {
if (GSS_ERROR(gss_test_oid_set_member(&min_status,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -276,8 +304,48 @@ OM_uint32
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -276,8 +303,48 @@ OM_uint32
</span> ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
{
int i = 0;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1092,7 +1160,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + ssh_gssapi_error(ctx);
+ return (ctx->major);
+ }
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- gss_buffer_desc ename;
</span> + ctx->major = gss_compare_name(&ctx->minor, client->name,
+ new_name, &equal);
+
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1105,8 +1174,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + debug("Rekeyed credentials have different name");
+ return GSS_S_COMPLETE;
+ }
<span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- gss_buffer_desc ename;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> + debug("Marking rekeyed credentials for export");
+
+ gss_release_name(&ctx->minor, &client->name);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1120,7 +1188,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span>
client->mech = NULL;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -292,6 +360,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -292,6 +359,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
</span> if (client->mech == NULL)
return GSS_S_FAILURE;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1134,7 +1202,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
&client->displayname, NULL))) {
ssh_gssapi_error(ctx);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -309,6 +384,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -309,6 +383,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
</span> return (ctx->major);
}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1143,7 +1211,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> /* We can't copy this structure, so we just move the pointer to it */
client->creds = ctx->client_creds;
ctx->client_creds = GSS_C_NO_CREDENTIAL;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -319,11 +396,20 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -319,11 +395,20 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
</span> void
ssh_gssapi_cleanup_creds(void)
{
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1157,10 +1225,10 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> +
+ if (gssapi_client.store.data != NULL) {
+ if ((problem = krb5_cc_resolve(gssapi_client.store.data, gssapi_client.store.envval, &ccache))) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("%s: krb5_cc_resolve(): %.100s", __func__,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug_f("krb5_cc_resolve(): %.100s",
</span> + krb5_get_err_text(gssapi_client.store.data, problem));
+ } else if ((problem = krb5_cc_destroy(gssapi_client.store.data, ccache))) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("%s: krb5_cc_resolve(): %.100s", __func__,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug_f("krb5_cc_destroy(): %.100s",
</span> + krb5_get_err_text(gssapi_client.store.data, problem));
+ } else {
+ krb5_free_context(gssapi_client.store.data);
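Review bot: krb5_free_context() is only reached in the final else branch, so when krb5_cc_resolve() or krb5_cc_destroy() fails the krb5 context in gssapi_client.store.data leaks and, more importantly, the delegated credential cache stays on disk with nothing logged above debug level. Free the context on all three paths and consider logit() for the destroy failure, since a stale forwarded TGT is a security-relevant leftover. The debug_f() rename also fixes the old patch's copy-paste message that reported a krb5_cc_destroy() failure as krb5_cc_resolve().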
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1169,7 +1237,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> }
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -356,19 +442,23 @@ ssh_gssapi_do_child(char ***envp, u_int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -356,19 +441,23 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
</span>
/* Privileged */
int
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1196,7 +1264,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> /* Destroy delegated credentials if userok fails */
gss_release_buffer(&lmin, &gssapi_client.displayname);
gss_release_buffer(&lmin, &gssapi_client.exportedname);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -382,14 +472,90 @@ ssh_gssapi_userok(char *user)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -382,14 +471,90 @@ ssh_gssapi_userok(char *user)
</span> return (0);
}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1250,14 +1318,14 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + * be next to impossible. In any case, we may want different options
+ * for rekeying. So, use our own :)
+ */
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef USE_PAM
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef USE_PAM
</span> + if (!use_privsep) {
+ debug("Not even going to try and do PAM with privsep disabled");
+ return;
+ }
+
+ ret = pam_start("sshd-rekey", gssapi_client.store.owner->pw_name,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &pamconv, &pamh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &pamconv, &pamh);
</span> + if (ret)
+ return;
+
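Review bot: `if (ret) return;` after pam_start("sshd-rekey", ...) drops the PAM error silently, while the privsep-disabled path just above at least emits a debug() message; add a debug() with pam_strerror() so operators can tell why credentials were not refreshed on rekey. Note also that the "sshd-rekey" service name falls back to the system's "other" PAM policy unless a matching service is configured, which is worth a line in the variant's documentation. The remaining changes in this hunk are tab-versus-space indentation only.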
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1293,9 +1361,11 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> }
/* Privileged */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/kex.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/kex.c 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -55,11 +55,16 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/kex.c b/kex.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 709a0ec6..d369c46b 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/kex.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/kex.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -57,11 +57,16 @@
</span> #include "misc.h"
#include "dispatch.h"
#include "monitor.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1312,7 +1382,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> /* prototype */
static int kex_choose_conf(struct ssh *);
static int kex_input_newkeys(int, u_int32_t, struct ssh *);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -113,15 +118,27 @@ static const struct kexalg kexalgs[] = {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -117,15 +122,28 @@ static const struct kexalg kexalgs[] = {
</span> #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
{ NULL, 0, -1, -1},
};
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1321,12 +1391,13 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
+ { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
+ { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ { KEX_GSS_GRP14_SHA256_ID, KEX_GSS_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
</span> + { KEX_GSS_GRP16_SHA512_ID, KEX_GSS_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
+ { KEX_GSS_NISTP256_SHA256_ID, KEX_GSS_NISTP256_SHA256,
+ NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
+ { KEX_GSS_C25519_SHA256_ID, KEX_GSS_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
+#endif
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ { NULL, -1, -1, -1 },
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ { NULL, 0, -1, -1},
</span> +};
-char *
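Review bot: KEX_GSS_GRP1_SHA1 and KEX_GSS_GEX_SHA1 stay in gss_kexalgs next to the newly added `{ KEX_GSS_GRP14_SHA256_ID, KEX_GSS_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },`. Upstream OpenSSH dropped diffie-hellman-group1-sha1 from its default proposal in 7.0 because the 1024-bit group is too small, and the GSS variant inherits exactly that weakness, so whatever default GSSAPIKexAlgorithms list this patch installs (not in this hunk) should exclude the group1 and preferably the SHA-1 GEX methods. The terminator change to `{ NULL, 0, -1, -1},` now matches the upstream kexalgs sentinel two lines above, which is the right fix for iteration that tests k->name.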
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1343,7 +1414,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> if (ret != NULL)
ret[rlen++] = sep;
nlen = strlen(k->name);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -136,6 +153,18 @@ kex_alg_list(char sep)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -140,6 +158,18 @@ kex_alg_list(char sep)
</span> return ret;
}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1362,20 +1433,18 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> static const struct kexalg *
kex_alg_by_name(const char *name)
{
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -145,6 +174,12 @@ kex_alg_by_name(const char *name)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -149,6 +179,10 @@ kex_alg_by_name(const char *name)
</span> if (strcmp(k->name, name) == 0)
return k;
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span> + for (k = gss_kexalgs; k->name != NULL; k++) {
+ if (strncmp(k->name, name, strlen(k->name)) == 0)
+ return k;
+ }
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span> return NULL;
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -313,6 +348,29 @@ kex_assemble_names(char **listp, const c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -317,6 +351,29 @@ kex_assemble_names(char **listp, const char *def, const char *all)
</span> return r;
}
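Review bot: the #ifdef GSSAPI guard around the gss_kexalgs loop in kex_alg_by_name() is removed, so this only compiles in a non-GSSAPI build if gss_kexalgs itself is declared unconditionally; the kex.c array hunk above suggests it is (its #endif sits before the sentinel entry, not after the closing brace), but a build without --with-kerberos5 should be test-compiled once. Note the lookup is a prefix match via strncmp(k->name, name, strlen(k->name)), deliberately so because GSS kex names carry a base64 mechanism-OID suffix; any future non-GSS algorithm whose name starts with a GSS prefix would be mis-resolved here.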
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1405,22 +1474,24 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> /* put algorithm proposal into buffer */
int
kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -696,6 +754,9 @@ kex_free(struct kex *kex)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -699,6 +756,9 @@ kex_free(struct kex *kex)
</span> sshbuf_free(kex->server_version);
sshbuf_free(kex->client_pub);
<span style='display:block; white-space:pre;background:#ffe0e0;'>- free(kex->session_id);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sshbuf_free(kex->session_id);
</span> +#ifdef GSSAPI
+ free(kex->gss_host);
+#endif /* GSSAPI */
free(kex->failed_choice);
free(kex->hostkey_alg);
free(kex->name);
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/kex.h 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/kex.h 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/kex.h b/kex.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 9605ed52..0677208a 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/kex.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/kex.h
</span> @@ -102,6 +102,15 @@ enum kex_exchange {
KEX_ECDH_SHA2,
KEX_C25519_SHA256,
<span style='display:block; white-space:pre;background:#ffe0e0;'>- KEX_KEM_SNTRUP4591761X25519_SHA512,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ KEX_KEM_SNTRUP761X25519_SHA512,
</span> +#ifdef GSSAPI
+ KEX_GSS_GRP1_SHA1,
+ KEX_GSS_GRP14_SHA1,
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1433,20 +1504,20 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> KEX_MAX
};
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -153,6 +162,12 @@ struct kex {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -152,6 +161,12 @@ struct kex {
</span> u_int flags;
int hash_alg;
int ec_nid;
+#ifdef GSSAPI
+ int gss_deleg_creds;
+ int gss_trust_dns;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *gss_host;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *gss_host;
</span> + char *gss_client;
+#endif
char *failed_choice;
int (*verify_host_key)(struct sshkey *, struct ssh *);
struct sshkey *(*load_host_public_key)(int, int, struct ssh *);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -174,8 +189,10 @@ struct kex {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -173,8 +188,10 @@ struct kex {
</span>
int kex_names_valid(const char *);
char *kex_alg_list(char);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1457,18 +1528,20 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span>
int kex_exchange_identification(struct ssh *, int, const char *);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -202,6 +219,10 @@ int kexgex_client(struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -202,6 +219,12 @@ int kexgex_client(struct ssh *);
</span> int kexgex_server(struct ssh *);
int kex_gen_client(struct ssh *);
int kex_gen_server(struct ssh *);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#if defined(GSSAPI) && defined(WITH_OPENSSL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int kexgssgex_client(struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int kexgssgex_server(struct ssh *);
</span> +int kexgss_client(struct ssh *);
+int kexgss_server(struct ssh *);
+#endif
int kex_dh_keypair(struct kex *);
int kex_dh_enc(struct kex *, const struct sshbuf *, struct sshbuf **,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -234,6 +255,12 @@ int kexgex_hash(int, const struct sshbu
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -234,6 +257,12 @@ int kexgex_hash(int, const struct sshbuf *, const struct sshbuf *,
</span> const BIGNUM *, const u_char *, size_t,
u_char *, size_t *);
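Review bot: the prototype guard tightens from `#ifdef GSSAPI` to `#if defined(GSSAPI) && defined(WITH_OPENSSL)`, which matches kexgssc.c but means the whole GSS key exchange, including the gss-curve25519-sha256 variant that needs no OpenSSL, disappears from a non-OpenSSL build. That is acceptable for MacPorts, which builds against OpenSSL, but it should be stated in the variant description or a Portfile comment so nobody expects +gsskex to work with a libcrypto-free configuration. The new kexgssgex_client()/kexgssgex_server() prototypes confirm the GEX path moved into its own pair of functions.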
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1481,9 +1554,53 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> void kexc25519_keygen(u_char key[CURVE25519_SIZE], u_char pub[CURVE25519_SIZE])
__attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
__attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- /dev/null 1970-01-01 00:00:00.000000000 +0000
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/kexgssc.c 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -0,0 +1,405 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/kexdh.c b/kexdh.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index c1084f21..0faab21b 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/kexdh.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/kexdh.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -49,13 +49,23 @@ kex_dh_keygen(struct kex *kex)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ switch (kex->kex_type) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case KEX_DH_GRP1_SHA1:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GRP1_SHA1:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex->dh = dh_new_group1();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case KEX_DH_GRP14_SHA1:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case KEX_DH_GRP14_SHA256:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GRP14_SHA1:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GRP14_SHA256:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex->dh = dh_new_group14();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case KEX_DH_GRP16_SHA512:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case KEX_GSS_GRP16_SHA512:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex->dh = dh_new_group16();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case KEX_DH_GRP18_SHA512:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/kexgen.c b/kexgen.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index bde28053..31f90f50 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/kexgen.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/kexgen.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -44,7 +44,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int input_kex_gen_init(int, u_int32_t, struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int input_kex_gen_reply(int type, u_int32_t seq, struct ssh *ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-static int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex_gen_hash(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int hash_alg,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const struct sshbuf *client_version,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/kexgssc.c b/kexgssc.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+new file mode 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 00000000..1c62740e
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/kexgssc.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -0,0 +1,599 @@
</span> +/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ *
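Review bot: kex_gen_hash() loses its static qualifier in kexgen.c, presumably so kexgssc.c can reuse it for the curve25519 and nistp256 GSS hashes, so it needs a prototype in kex.h (the kex.h hunk above adds six lines after kexgex_hash but they are not shown here); otherwise it becomes an externally linked function with no declaration and -Wmissing-prototypes will flag it. In kexdh.c, KEX_GSS_GRP1_SHA1 now shares dh_new_group1() with KEX_DH_GRP1_SHA1: same 1024-bit Oakley group, same reason it is disabled by default upstream. Also note the new kexgssc.c grows from 405 to 599 lines while this outer diff shows only the changed portions, so the file should be read in full rather than reviewed hunk by hunk.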
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1512,6 +1629,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> +
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
+
<span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "includes.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> +#include <openssl/crypto.h>
+#include <openssl/bn.h>
+
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1532,22 +1651,18 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> +#include "ssh-gss.h"
+
+int
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+kexgss_client(struct ssh *ssh) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++kexgss_client(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span> + struct kex *kex = ssh->kex;
+ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER,
+ recv_tok = GSS_C_EMPTY_BUFFER,
+ gssbuf, msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr;
+ Gssctxt *ctxt;
+ OM_uint32 maj_status, min_status, ret_flags;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ BIGNUM *p = NULL, *g = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct sshbuf *buf = NULL;
</span> + struct sshbuf *server_blob = NULL;
+ struct sshbuf *shared_secret = NULL;
+ struct sshbuf *server_host_key_blob = NULL;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct sshbuf *empty = sshbuf_new();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ BIGNUM *dh_server_pub = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ const BIGNUM *pub_key, *dh_p, *dh_g;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshbuf *empty = NULL;
</span> + u_char *msg;
+ int type = 0;
+ int first = 1;
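Review bot: `struct sshbuf *empty = NULL;` replaces an unchecked `sshbuf_new()` in the declarations, which is an improvement only if every later use of empty in kexgss_client() allocates and NULL-checks it before passing it to kex_gen_hash() or the like; please verify the allocation site in the rest of the function. The removed BIGNUM, dh_server_pub, nbits and min/max locals belong to the GEX path that moved to kexgssgex_client(), so nothing else in this function should reference them.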
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1583,42 +1698,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + case KEX_GSS_C25519_SHA256:
+ r = kex_c25519_keypair(kex);
+ break;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GEX_SHA1:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Doing group exchange");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ nbits = dh_estimate(kex->dh_need * 8);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->min = DH_GRP_MIN;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->max = DH_GRP_MAX;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->nbits = nbits;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((r = sshpkt_start(ssh, SSH2_MSG_KEXGSS_GROUPREQ)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshpkt_put_u32(ssh, min)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshpkt_put_u32(ssh, nbits)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshpkt_put_u32(ssh, max)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshpkt_send(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("Failed to construct a packet: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((r = ssh_packet_read_expect(ssh, SSH2_MSG_KEXGSS_GROUP)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("Error: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((r = sshpkt_get_bignum2(ssh, &p)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshpkt_get_bignum2(ssh, &g)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshpkt_get_end(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("shpkt_get_bignum2 failed: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (BN_num_bits(p) < min || BN_num_bits(p) > max)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("GSSGRP_GEX group out of range: %d !< %d !< %d",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ min, BN_num_bits(p), max);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((kex->dh = dh_new_group(g, p)) == NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("dn_new_group() failed");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ p = g = NULL; /* belong to kex->dh now */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((r = dh_gen_key(kex->dh, kex->we_need * 8)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto out;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ DH_get0_key(kex->dh, &pub_key, NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span> + default:
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_f("Unexpected KEX type %d", kex->kex_type);
</span> + }
+ if (r != 0)
+ return r;
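Review bot: with the KEX_GSS_GEX_SHA1 case removed from this switch, a GEX negotiation that still enters the generic client path now terminates in `default:` via `fatal_f("Unexpected KEX type %d", ...)`; confirm that the kex dispatch table routes KEX_GSS_GEX_SHA1 to the separate `kexgssgex_client()` this patch introduces further down, and that the `fatal()` to `fatal_f()` conversion (the 8.8 logging API, which adds the function name itself, so the old `"%s: "`/`__func__` pair is correctly dropped) is applied consistently in the server-side counterpart as well.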
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1626,7 +1707,6 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + token_ptr = GSS_C_NO_BUFFER;
+
+ do {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Step 2 - call GSS_Init_sec_context() */
</span> + debug("Calling gss_init_sec_context");
+
+ maj_status = ssh_gssapi_init_ctx(ctxt,
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1668,10 +1748,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + if ((r = sshpkt_start(ssh, SSH2_MSG_KEXGSS_INIT)) != 0 ||
+ (r = sshpkt_put_string(ssh, send_tok.value,
+ send_tok.length)) != 0 ||
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (KEX_GSS_GEX_SHA1 == kex->kex_type &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshpkt_put_bignum2(ssh, pub_key)) != 0) ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (KEX_GSS_GEX_SHA1 != kex->kex_type &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshpkt_put_stringb(ssh, kex->client_pub)) != 0))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_stringb(ssh, kex->client_pub)) != 0)
</span> + fatal("failed to construct packet: %s", ssh_err(r));
+ first = 0;
+ } else {
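Review bot: the SSH2_MSG_KEXGSS_INIT body is now unconditionally `string token, string client_pub`, which is right once GEX has its own client function, but removing the `sshpkt_put_bignum2(ssh, pub_key)` branch most likely leaves `pub_key` unreferenced in this function; drop its declaration too, or the build will warn about an unused variable.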
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1701,8 +1778,6 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + debug("Received GSSAPI_CONTINUE");
+ if (maj_status == GSS_S_COMPLETE)
+ fatal("GSSAPI Continue received from server when complete");
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (maj_status == GSS_S_COMPLETE)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("GSSAPI Continue received from server when complete");
</span> + if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
+ &recv_tok)) != 0 ||
+ (r = sshpkt_get_end(ssh)) != 0)
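Review bot: good cleanup, the two deleted lines were an exact duplicate of the `GSS_S_COMPLETE` check immediately above them, so this is a no-op behaviourally.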
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1722,9 +1797,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + fatal("sshpkt failed: %s", ssh_err(r));
+ if (c) {
+ if ((r = ssh_gssapi_sshpkt_get_buffer_desc(
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh, &recv_tok)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (KEX_GSS_GEX_SHA1 == kex->kex_type &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshpkt_get_end(ssh)) != 0))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh, &recv_tok)) != 0)
</span> + fatal("Failed to read token: %s", ssh_err(r));
+ /* If we're already complete - protocol error */
+ if (maj_status == GSS_S_COMPLETE)
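Review bot: after this change nothing on the `if (c)` branch calls `sshpkt_get_end(ssh)`, so trailing bytes in the packet carrying the final token are never rejected; the old code only enforced this for GEX, so it is not a regression, but an unconditional `(r = sshpkt_get_end(ssh)) != 0` after `ssh_gssapi_sshpkt_get_buffer_desc()` would be cheap and consistent with the CONTINUE handler in the previous hunk, which does perform that check.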
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1761,14 +1834,13 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> +
+ /*
+ * We _must_ have received a COMPLETE message in reply from the
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * server, which will have set dh_server_pub and msg_tok
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * server, which will have set server_blob and msg_tok
</span> + */
+
+ if (type != SSH2_MSG_KEXGSS_COMPLETE)
+ fatal("Didn't receive a SSH2_MSG_KEXGSS_COMPLETE when I expected it");
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* 7. C verifies that the key Q_S is valid */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* 8. C computes shared secret */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* compute shared secret */
</span> + switch (kex->kex_type) {
+ case KEX_GSS_GRP1_SHA1:
+ case KEX_GSS_GRP14_SHA1:
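Review bot: the `dh_server_pub` to `server_blob` comment fix is correct, but replacing `/* 7. C verifies that the key Q_S is valid */` with a bare `/* compute shared secret */` drops the one comment that documented a security check; the validation of the peer's public value now lives inside the `kex_ecdh_dec()`/`kex_dh_dec()` helpers used in this switch, so consider saying so (e.g. `/* compute shared secret; peer public key is validated by kex_*_dec() */`) rather than leaving the step undocumented.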
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1791,20 +1863,6 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> +
+ r = kex_ecdh_dec(kex, server_blob, &shared_secret);
+ break;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GEX_SHA1:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((buf = sshbuf_new()) == NULL ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshbuf_put_stringb(buf, server_blob)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshbuf_get_bignum2(buf, &dh_server_pub)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto out;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sshbuf_free(buf);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((shared_secret = sshbuf_new()) == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ r = SSH_ERR_ALLOC_FAIL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto out;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ r = kex_dh_compute_key(kex, dh_server_pub, shared_secret);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span> + default:
+ r = SSH_ERR_INVALID_ARGUMENT;
+ break;
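Review bot: the removed GEX case had a leak: `buf` was only freed on the success path, and the `goto out` after `sshbuf_get_bignum2()` failed to release it. Since this body is being relocated into `kexgssgex_client()`, where `struct sshbuf *buf = NULL` is declared, please make sure that function's `out:` label includes `sshbuf_free(buf)` so the bug is not carried along with the move.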
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1812,39 +1870,25 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + if (r != 0)
+ goto out;
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hashlen = sizeof(hash);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (KEX_GSS_GEX_SHA1 == kex->kex_type) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((r = kexgex_hash(
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->hash_alg,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->client_version,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->server_version,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->my,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->peer,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (server_host_key_blob ? server_host_key_blob : empty),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->min, kex->nbits, kex->max,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh_p, dh_g,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pub_key,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh_server_pub,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sshbuf_ptr(shared_secret), sshbuf_len(shared_secret),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hash, &hashlen)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("Failed to calculate hash: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((r = kex_gen_hash(
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->hash_alg,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->client_version,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->server_version,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->my,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->peer,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (server_host_key_blob ? server_host_key_blob : empty),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->client_pub,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ server_blob,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ shared_secret,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hash, &hashlen)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((empty = sshbuf_new()) == NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ r = SSH_ERR_ALLOC_FAIL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto out;
</span> + }
+
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ hashlen = sizeof(hash);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = kex_gen_hash(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->hash_alg,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->client_version,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->server_version,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->my,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->peer,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (server_host_key_blob ? server_host_key_blob : empty),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->client_pub,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ server_blob,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ shared_secret,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hash, &hashlen)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_f("Unexpected KEX type %d", kex->kex_type);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> + gssbuf.value = hash;
+ gssbuf.length = hashlen;
+
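Review bot: the error message on the new `kex_gen_hash()` call is misleading: `fatal_f("Unexpected KEX type %d", kex->kex_type)` fires for any hash failure (allocation, buffer errors), not just an unknown type, and it discards `r`. The old code's `"Failed to calculate hash: %s", ssh_err(r)` wording was better; with the 8.8 API `fatal_fr(r, "kex_gen_hash")` would report both the function and the error. Allocating `empty` right before the hash is fine given `out:` frees it, but note it is now allocated on every exchange even when `server_host_key_blob` is present.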
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1854,13 +1898,6 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> +
+ gss_release_buffer(&min_status, &msg_tok);
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* save session id */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((KEX_GSS_GEX_SHA1 == kex->kex_type) && (kex->session_id == NULL)) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->session_id_len = hashlen;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->session_id = xmalloc(kex->session_id_len);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ memcpy(kex->session_id, hash, kex->session_id_len);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span> + if (kex->gss_deleg_creds)
+ ssh_gssapi_credentials_updated(ctxt);
+
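Review bot: dropping the GEX-only session-id save is correct and not merely a simplification: the removed block used `kex->session_id_len` and a `xmalloc`'d `u_char *`, which do not exist in 8.8 where `kex->session_id` is a `struct sshbuf *` populated by `kex_derive_keys()` on the first exchange, so this code would not have compiled against the new base.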
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1869,16 +1906,12 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + else
+ ssh_gssapi_delete_ctx(&ctxt);
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Finally derive the keys and send them */
</span> + if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) == 0)
+ r = kex_send_newkeys(ssh);
+
+out:
+ explicit_bzero(hash, sizeof(hash));
+ explicit_bzero(kex->c25519_client_key, sizeof(kex->c25519_client_key));
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ DH_free(kex->dh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->dh = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ BN_clear_free(dh_server_pub);
</span> + sshbuf_free(empty);
+ sshbuf_free(server_host_key_blob);
+ sshbuf_free(server_blob);
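Review bot: with `DH_free(kex->dh)` and `BN_clear_free(dh_server_pub)` removed from this cleanup path, the `BIGNUM *dh_server_pub` and any DH-related locals in this function should be removed as well, otherwise they are dead declarations that will draw unused-variable warnings; the `/* Finally derive the keys and send them */` comment was harmless and could have stayed.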
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1888,181 +1921,406 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + return r;
+}
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- /dev/null 1970-01-01 00:00:00.000000000 +0000
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/kexgsss.c 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -0,0 +1,345 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Redistribution and use in source and binary forms, with or without
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * modification, are permitted provided that the following conditions
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * are met:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * 1. Redistributions of source code must retain the above copyright
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * notice, this list of conditions and the following disclaimer.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * 2. Redistributions in binary form must reproduce the above copyright
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * notice, this list of conditions and the following disclaimer in the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * documentation and/or other materials provided with the distribution.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "includes.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#if defined(GSSAPI) && defined(WITH_OPENSSL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <string.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <openssl/crypto.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <openssl/bn.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "xmalloc.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "sshbuf.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "ssh2.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "sshkey.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "cipher.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "kex.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "log.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "packet.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "dh.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "ssh-gss.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "monitor_wrap.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "servconf.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "digest.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "ssherr.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+extern ServerOptions options;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span> +int
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+kexgss_server(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++kexgssgex_client(struct ssh *ssh)
</span> +{
+ struct kex *kex = ssh->kex;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int r = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ OM_uint32 maj_status, min_status;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Some GSSAPI implementations use the input value of ret_flags (an
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * output variable) as a means of triggering mechanism specific
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * features. Initializing it to zero avoids inadvertently
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * activating this non-standard behaviour.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ OM_uint32 ret_flags = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_buffer_desc gssbuf, recv_tok, msg_tok;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ Gssctxt *ctxt = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ recv_tok = GSS_C_EMPTY_BUFFER, gssbuf,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ msg_tok = GSS_C_EMPTY_BUFFER, *token_ptr;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Gssctxt *ctxt;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ OM_uint32 maj_status, min_status, ret_flags;
</span> + struct sshbuf *shared_secret = NULL;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct sshbuf *client_pubkey = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct sshbuf *server_pubkey = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct sshbuf *empty = sshbuf_new();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int min = -1, max = -1, nbits = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int cmin = -1, cmax = -1; /* client proposal */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ BIGNUM *dh_client_pub = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ const BIGNUM *pub_key, *dh_p, *dh_g;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BIGNUM *p = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BIGNUM *g = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshbuf *buf = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshbuf *server_host_key_blob = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshbuf *server_blob = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BIGNUM *dh_server_pub = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_char *msg;
</span> + int type = 0;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_OID oid;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *mechs;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int first = 1;
</span> + u_char hash[SSH_DIGEST_MAX_LENGTH];
+ size_t hashlen;
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ const BIGNUM *pub_key, *dh_p, *dh_g;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshbuf *empty = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_char c;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int r;
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Initialise GSSAPI */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Initialise our GSSAPI world */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_build_ctx(&ctxt);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (ssh_gssapi_id_kex(ctxt, kex->name, kex->kex_type)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ == GSS_C_NO_OID)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Couldn't identify host exchange");
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* If we're rekeying, privsep means that some of the private structures
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * in the GSSAPI code are no longer available. This kludges them back
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * into life
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!ssh_gssapi_oid_table_ok()) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ mechs = ssh_gssapi_server_mechanisms();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ free(mechs);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (ssh_gssapi_import_name(ctxt, kex->gss_host))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Couldn't import hostname");
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug2("%s: Identifying %s", __func__, kex->name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (oid == GSS_C_NO_OID)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("Unknown gssapi mechanism");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (kex->gss_client &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_client_identity(ctxt, kex->gss_client))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Couldn't acquire client credentials");
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug2("%s: Acquiring credentials", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Doing group exchange");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ nbits = dh_estimate(kex->dh_need * 8);
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("Unable to acquire credentials for the server");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->min = DH_GRP_MIN;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->max = DH_GRP_MAX;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->nbits = nbits;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_start(ssh, SSH2_MSG_KEXGSS_GROUPREQ)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_u32(ssh, min)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_u32(ssh, nbits)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_u32(ssh, max)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_send(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Failed to construct a packet: %s", ssh_err(r));
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (KEX_GSS_GEX_SHA1 == kex->kex_type) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* 5. S generates an ephemeral key pair (do the allocations early) */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Doing group exchange");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh_packet_read_expect(ssh, SSH2_MSG_KEXGSS_GROUPREQ);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* store client proposal to provide valid signature */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((r = sshpkt_get_u32(ssh, &cmin)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshpkt_get_u32(ssh, &nbits)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshpkt_get_u32(ssh, &cmax)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshpkt_get_end(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("sshpkt failed: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->nbits = nbits;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->min = cmin;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->max = cmax;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ min = MAX(DH_GRP_MIN, cmin);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ max = MIN(DH_GRP_MAX, cmax);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ nbits = MAXIMUM(DH_GRP_MIN, nbits);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ nbits = MINIMUM(DH_GRP_MAX, nbits);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (max < min || nbits < min || max < nbits)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("GSS_GEX, bad parameters: %d !< %d !< %d",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ min, nbits, max);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->dh = PRIVSEP(choose_dh(min, nbits, max));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (kex->dh == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sshpkt_disconnect(ssh, "Protocol error: no matching group found");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("Protocol error: no matching group found");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = ssh_packet_read_expect(ssh, SSH2_MSG_KEXGSS_GROUP)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Error: %s", ssh_err(r));
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((r = sshpkt_start(ssh, SSH2_MSG_KEXGSS_GROUP)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshpkt_put_bignum2(ssh, dh_p)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshpkt_put_bignum2(ssh, dh_g)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshpkt_send(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("sshpkt failed: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_get_bignum2(ssh, &p)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_bignum2(ssh, &g)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_end(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("shpkt_get_bignum2 failed: %s", ssh_err(r));
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((r = ssh_packet_write_wait(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("ssh_packet_write_wait: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (BN_num_bits(p) < min || BN_num_bits(p) > max)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("GSSGRP_GEX group out of range: %d !< %d !< %d",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ min, BN_num_bits(p), max);
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Compute our exchange value in parallel with the client */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((r = dh_gen_key(kex->dh, kex->we_need * 8)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto out;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((kex->dh = dh_new_group(g, p)) == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("dn_new_group() failed");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ p = g = NULL; /* belong to kex->dh now */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = dh_gen_key(kex->dh, kex->we_need * 8)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto out;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ DH_get0_key(kex->dh, &pub_key, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ token_ptr = GSS_C_NO_BUFFER;
</span> +
+ do {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Wait SSH2_MSG_KEXGSS_INIT");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ type = ssh_packet_read(ssh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ switch(type) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case SSH2_MSG_KEXGSS_INIT:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (KEX_GSS_GEX_SHA1 == kex->kex_type) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (dh_client_pub != NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("Received KEXGSS_INIT after initialising");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &recv_tok)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshpkt_get_bignum2(ssh, &dh_client_pub)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshpkt_get_end(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Step 2 - call GSS_Init_sec_context() */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Calling gss_init_sec_context");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ maj_status = ssh_gssapi_init_ctx(ctxt,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->gss_deleg_creds, token_ptr, &send_tok,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &ret_flags);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (GSS_ERROR(maj_status)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* XXX Useles code: Missing send? */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (send_tok.length != 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_start(ssh,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ SSH2_MSG_KEXGSS_CONTINUE)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_string(ssh, send_tok.value,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ send_tok.length)) != 0)
</span> + fatal("sshpkt failed: %s", ssh_err(r));
+ }
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (client_pubkey != NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("Received KEXGSS_INIT after initialising");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &recv_tok)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshpkt_getb_froms(ssh, &client_pubkey)) != 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshpkt_get_end(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("gss_init_context failed");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* If we've got an old receive buffer get rid of it */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (token_ptr != GSS_C_NO_BUFFER)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_release_buffer(&min_status, &recv_tok);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (maj_status == GSS_S_COMPLETE) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* If mutual state flag is not true, kex fails */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!(ret_flags & GSS_C_MUTUAL_FLAG))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Mutual authentication failed");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* If integ avail flag is not true kex fails */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!(ret_flags & GSS_C_INTEG_FLAG))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Integrity check failed");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * If we have data to send, then the last message that we
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * received cannot have been a 'complete'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (send_tok.length != 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (first) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_start(ssh, SSH2_MSG_KEXGSS_INIT)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_string(ssh, send_tok.value,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ send_tok.length)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_bignum2(ssh, pub_key)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ first = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_start(ssh, SSH2_MSG_KEXGSS_CONTINUE)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_string(ssh,send_tok.value,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ send_tok.length)) != 0)
</span> + fatal("sshpkt failed: %s", ssh_err(r));
+ }
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_send(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt_send failed: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_release_buffer(&min_status, &send_tok);
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ switch (kex->kex_type) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* If we've sent them data, they should reply */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ do {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ type = ssh_packet_read(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Received KEXGSS_HOSTKEY");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (server_host_key_blob)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Server host key received more than once");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_getb_froms(ssh, &server_host_key_blob)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } while (type == SSH2_MSG_KEXGSS_HOSTKEY);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ switch (type) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case SSH2_MSG_KEXGSS_CONTINUE:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Received GSSAPI_CONTINUE");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (maj_status == GSS_S_COMPLETE)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("GSSAPI Continue received from server when complete");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &recv_tok)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_end(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case SSH2_MSG_KEXGSS_COMPLETE:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Received GSSAPI_COMPLETE");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (msg_tok.value != NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Received GSSAPI_COMPLETE twice?");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_getb_froms(ssh, &server_blob)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &msg_tok)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Is there a token included? */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_get_u8(ssh, &c)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (c) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = ssh_gssapi_sshpkt_get_buffer_desc(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh, &recv_tok)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_end(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* If we're already complete - protocol error */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (maj_status == GSS_S_COMPLETE)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshpkt_disconnect(ssh, "Protocol error: received token when complete");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* No token included */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (maj_status != GSS_S_COMPLETE)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshpkt_disconnect(ssh, "Protocol error: did not receive final token");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case SSH2_MSG_KEXGSS_ERROR:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Received Error");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_get_u32(ssh, &maj_status)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_u32(ssh, &min_status)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_string(ssh, &msg, NULL)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_string(ssh, NULL, NULL)) != 0 || /* lang tag */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_end(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("GSSAPI Error: \n%.400s", msg);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshpkt_disconnect(ssh, "Protocol error: didn't expect packet type %d",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ type);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ token_ptr = &recv_tok;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* No data, and not complete */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (maj_status != GSS_S_COMPLETE)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Not complete, and no token output");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } while (maj_status & GSS_S_CONTINUE_NEEDED);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * We _must_ have received a COMPLETE message in reply from the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * server, which will have set dh_server_pub and msg_tok
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (type != SSH2_MSG_KEXGSS_COMPLETE)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Didn't receive a SSH2_MSG_KEXGSS_COMPLETE when I expected it");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* 7. C verifies that the key Q_S is valid */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* 8. C computes shared secret */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((buf = sshbuf_new()) == NULL ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshbuf_put_stringb(buf, server_blob)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshbuf_get_bignum2(buf, &dh_server_pub)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto out;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_free(buf);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ buf = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((shared_secret = sshbuf_new()) == NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ r = SSH_ERR_ALLOC_FAIL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto out;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = kex_dh_compute_key(kex, dh_server_pub, shared_secret)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto out;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((empty = sshbuf_new()) == NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ r = SSH_ERR_ALLOC_FAIL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto out;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hashlen = sizeof(hash);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = kexgex_hash(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->hash_alg,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->client_version,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->server_version,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->my,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->peer,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (server_host_key_blob ? server_host_key_blob : empty),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->min, kex->nbits, kex->max,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dh_p, dh_g,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pub_key,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dh_server_pub,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_ptr(shared_secret), sshbuf_len(shared_secret),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hash, &hashlen)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Failed to calculate hash: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gssbuf.value = hash;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gssbuf.length = hashlen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Verify that the hash matches the MIC we just got. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshpkt_disconnect(ssh, "Hash's MIC didn't verify");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_release_buffer(&min_status, &msg_tok);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (kex->gss_deleg_creds)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_credentials_updated(ctxt);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (gss_kex_context == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_kex_context = ctxt;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_delete_ctx(&ctxt);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Finally derive the keys and send them */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ r = kex_send_newkeys(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++out:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_free(buf);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_free(server_blob);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_free(empty);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ explicit_bzero(hash, sizeof(hash));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ DH_free(kex->dh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->dh = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BN_clear_free(dh_server_pub);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_free(shared_secret);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_free(server_host_key_blob);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return r;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
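Review bot: in the new kexgssc.c client code, sshpkt_disconnect() is called without a following fatal() or error return at four places: the two "Protocol error" cases inside the SSH2_MSG_KEXGSS_COMPLETE handling, the `default:` case of the packet-type switch, and `sshpkt_disconnect(ssh, "Hash's MIC didn't verify");`. The removed server-side code in this same hunk pairs the call with fatal("Protocol error: no matching group found"); here nothing stops execution once the DISCONNECT is queued, so in the MIC case the function goes on to release msg_tok, install ctxt as gss_kex_context and run kex_derive_keys()/kex_send_newkeys() on a hash whose MIC did not verify. Each of these should be followed by fatal() (or set r and goto out) so the exchange cannot complete. Two smaller points: the GSS_ERROR branch marked "XXX Useles code: Missing send?" starts an SSH2_MSG_KEXGSS_CONTINUE packet and puts send_tok into it but never calls sshpkt_send() before fatal("gss_init_context failed"), so either add the send or drop the dead packet construction; and two error strings are misspelled, `fatal("shpkt_get_bignum2 failed: %s", ssh_err(r));` (sshpkt_get_bignum2) and `fatal("dn_new_group() failed");` (dh_new_group). The comment before the post-loop check also says the COMPLETE message "will have set dh_server_pub", but dh_server_pub is only parsed out of server_blob several lines later; worth rewording.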
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/kexgsss.c b/kexgsss.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+new file mode 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 00000000..a2c02148
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/kexgsss.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -0,0 +1,474 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Redistribution and use in source and binary forms, with or without
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * modification, are permitted provided that the following conditions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * are met:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * 1. Redistributions of source code must retain the above copyright
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * notice, this list of conditions and the following disclaimer.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * 2. Redistributions in binary form must reproduce the above copyright
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * notice, this list of conditions and the following disclaimer in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * documentation and/or other materials provided with the distribution.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "includes.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#if defined(GSSAPI) && defined(WITH_OPENSSL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include <string.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include <openssl/crypto.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include <openssl/bn.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "xmalloc.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "sshbuf.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "ssh2.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "sshkey.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "cipher.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "kex.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "log.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "packet.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "dh.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "ssh-gss.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "monitor_wrap.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "servconf.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "ssh-gss.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "digest.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include "ssherr.h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++extern ServerOptions options;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++kexgss_server(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct kex *kex = ssh->kex;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ OM_uint32 maj_status, min_status;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Some GSSAPI implementations use the input value of ret_flags (an
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * output variable) as a means of triggering mechanism specific
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * features. Initializing it to zero avoids inadvertently
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * activating this non-standard behaviour.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ OM_uint32 ret_flags = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_buffer_desc gssbuf, recv_tok, msg_tok;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Gssctxt *ctxt = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshbuf *shared_secret = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshbuf *client_pubkey = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshbuf *server_pubkey = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshbuf *empty = sshbuf_new();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int type = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_OID oid;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *mechs;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_char hash[SSH_DIGEST_MAX_LENGTH];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ size_t hashlen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int r;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Initialise GSSAPI */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* If we're rekeying, privsep means that some of the private structures
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * in the GSSAPI code are no longer available. This kludges them back
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * into life
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!ssh_gssapi_oid_table_ok()) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ mechs = ssh_gssapi_server_mechanisms();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(mechs);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug2_f("Identifying %s", kex->name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (oid == GSS_C_NO_OID)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Unknown gssapi mechanism");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug2_f("Acquiring credentials");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Unable to acquire credentials for the server");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ do {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Wait SSH2_MSG_KEXGSS_INIT");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ type = ssh_packet_read(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ switch(type) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case SSH2_MSG_KEXGSS_INIT:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (client_pubkey != NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Received KEXGSS_INIT after initialising");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &recv_tok)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_getb_froms(ssh, &client_pubkey)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_end(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ switch (kex->kex_type) {
</span> + case KEX_GSS_GRP1_SHA1:
+ case KEX_GSS_GRP14_SHA1:
+ case KEX_GSS_GRP14_SHA256:
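Review bot: `struct sshbuf *empty = sshbuf_new();` in the declarations of kexgss_server is never checked for NULL before `empty` is handed to the exchange-hash computation; use the pattern the removed GEX branch used for `shared_secret` (`if ((empty = sshbuf_new()) == NULL) { r = SSH_ERR_ALLOC_FAIL; goto out; }`) so an allocation failure is reported through `r` instead of propagating a NULL buffer. Minor style point: `#include "ssh-gss.h"` appears twice in the include list, once before `monitor_wrap.h` and once after `servconf.h`; drop one of them.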
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2078,10 +2336,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + r = kex_c25519_enc(kex, client_pubkey, &server_pubkey,
+ &shared_secret);
+ break;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GEX_SHA1:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span> + default:
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_f("Unexpected KEX type %d", kex->kex_type);
</span> + }
+ if (r != 0)
+ goto out;
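Review bot: with `case KEX_GSS_GEX_SHA1: break;` removed from the kex_type switch, a KEX_GSS_GEX_SHA1 negotiation that still reaches kexgss_server now aborts the connection in the `default:` branch via `fatal_f("Unexpected KEX type %d", kex->kex_type)`, so this is only safe if the kex_type-to-handler table routes KEX_GSS_GEX_SHA1 to the separate kexgssgex_server added later in this patch; that table change is not part of this hunk and should be confirmed in the same patch file. The move from `fatal("%s: ...", __func__)` to `fatal_f` matches the OpenSSH 8.8 log helpers and is fine.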
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2108,8 +2364,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + if (maj_status != GSS_S_COMPLETE && send_tok.length == 0)
+ fatal("Zero length token output when incomplete");
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (((KEX_GSS_GEX_SHA1 == kex->kex_type) && (dh_client_pub == NULL)) ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ((KEX_GSS_GEX_SHA1 != kex->kex_type) && (client_pubkey == NULL)))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (client_pubkey == NULL)
</span> + fatal("No client public key");
+
+ if (maj_status & GSS_S_CONTINUE_NEEDED) {
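Review bot: `if (client_pubkey == NULL) fatal("No client public key");` runs after the GSS accept step that produced `maj_status` has already consumed the client's token, so a peer that opens with SSH2_MSG_KEXGSS_CONTINUE instead of SSH2_MSG_KEXGSS_INIT has its token stepped through the security context before the protocol-state error is raised; since `client_pubkey` is only assigned in the KEXGSS_INIT case, consider moving the NULL check ahead of the accept call (the `dh_client_pub == NULL` check in kexgssgex_server below has the same ordering). Collapsing the old two-way condition into a single check is otherwise correct now that the GEX variant lives in its own function.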
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2138,50 +2393,19 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + if (!(ret_flags & GSS_C_INTEG_FLAG))
+ fatal("Integrity flag wasn't set");
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (KEX_GSS_GEX_SHA1 == kex->kex_type) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* calculate shared secret */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((shared_secret = sshbuf_new()) == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ r = SSH_ERR_ALLOC_FAIL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto out;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((r = kex_dh_compute_key(kex, dh_client_pub, shared_secret)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto out;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ DH_get0_key(kex->dh, &pub_key, NULL);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span> + hashlen = sizeof(hash);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (KEX_GSS_GEX_SHA1 == kex->kex_type) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((r = kexgex_hash(
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->hash_alg,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->client_version,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->server_version,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->peer,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->my,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ empty,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ cmin, nbits, cmax,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh_p, dh_g,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dh_client_pub,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ pub_key,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sshbuf_ptr(shared_secret), sshbuf_len(shared_secret),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hash, &hashlen)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("kexgex_hash failed: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if ((r = kex_gen_hash(
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->hash_alg,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->client_version,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->server_version,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->peer,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->my,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ empty,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ client_pubkey,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ server_pubkey,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ shared_secret,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hash, &hashlen)) != 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ goto out;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = kex_gen_hash(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->hash_alg,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->client_version,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->server_version,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->peer,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->my,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ empty,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ client_pubkey,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ server_pubkey,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ shared_secret,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hash, &hashlen)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto out;
</span> +
+ gssbuf.value = hash;
+ gssbuf.length = hashlen;
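Review bot: the `empty` buffer passed in the server-host-key-blob position of kex_gen_hash deserves a comment at the call site: it means the exchange hash bound into `gssbuf` carries no host key and its authenticity rests entirely on the GSS MIC computed over it just below, which is the intended design of GSSAPI key exchange but is not obvious to a reader who knows kex_gen_hash from kexgen.c. Dropping the GEX branch here also drops `cmin, nbits, cmax` and the DH parameters from this function's hash inputs; kexgssgex_server stores the client proposal in kex->min, kex->max and kex->nbits for its own hash, so nothing is lost, but note the error path changes from `fatal("kexgex_hash failed: ...")` to `goto out`, which now returns `r` to the caller instead of terminating.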
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2190,10 +2414,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + fatal("Couldn't get MIC");
+
+ if ((r = sshpkt_start(ssh, SSH2_MSG_KEXGSS_COMPLETE)) != 0 ||
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ((KEX_GSS_GEX_SHA1 == kex->kex_type) &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshpkt_put_bignum2(ssh, pub_key)) != 0) ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ((KEX_GSS_GEX_SHA1 != kex->kex_type) &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (r = sshpkt_put_stringb(ssh, server_pubkey)) != 0) ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_stringb(ssh, server_pubkey)) != 0 ||
</span> + (r = sshpkt_put_string(ssh, msg_tok.value, msg_tok.length)) != 0)
+ fatal("sshpkt failed: %s", ssh_err(r));
+
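Review bot: SSH2_MSG_KEXGSS_COMPLETE now unconditionally carries `server_pubkey` as an SSH string via `sshpkt_put_stringb`, and the removed `sshpkt_put_bignum2(ssh, pub_key)` mpint encoding for KEX_GSS_GEX_SHA1 has to be re-emitted by kexgssgex_server when it builds its own KEXGSS_COMPLETE, or GEX clients will not be able to parse the reply; that part of kexgssgex_server is not in the visible hunks, so please check it. `server_pubkey` is only assigned inside the `kex->kex_type` switch (for example by `kex_c25519_enc(kex, client_pubkey, &server_pubkey, &shared_secret)`), so the `if (r != 0) goto out;` after that switch is what guarantees it is non-NULL at this point.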
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2206,7 +2427,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + fatal("sshpkt failed: %s", ssh_err(r));
+ }
+ if ((r = sshpkt_send(ssh)) != 0)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("sshpkt failed: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt_send failed: %s", ssh_err(r));
</span> +
+ gss_release_buffer(&min_status, &send_tok);
+ gss_release_buffer(&min_status, &msg_tok);
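Review bot: style point on `fatal("sshpkt_send failed: %s", ssh_err(r))`: the preceding chain of sshpkt_start/sshpkt_put_* calls reports the generic `sshpkt failed`, so making the send failure distinguishable in the log is worthwhile; for consistency, the `sshpkt_send` calls in the two KEXGSS_CONTINUE paths of kexgssgex_server below still fold their send errors into `sshpkt failed`, and the same distinct message could be applied there.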
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2216,40 +2437,264 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + else
+ ssh_gssapi_delete_ctx(&ctxt);
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Finally derive the keys and send them */
</span> + if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) == 0)
+ r = kex_send_newkeys(ssh);
+
+ /* If this was a rekey, then save out any delegated credentials we
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * just exchanged. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * just exchanged. */
</span> + if (options.gss_store_rekey)
+ ssh_gssapi_rekey_creds();
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span> +out:
+ sshbuf_free(empty);
+ explicit_bzero(hash, sizeof(hash));
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ DH_free(kex->dh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->dh = NULL;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ BN_clear_free(dh_client_pub);
</span> + sshbuf_free(shared_secret);
+ sshbuf_free(client_pubkey);
+ sshbuf_free(server_pubkey);
+ return r;
+}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/monitor.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/monitor.c 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -147,6 +147,8 @@ int mm_answer_gss_setup_ctx(struct ssh *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int mm_answer_gss_accept_ctx(struct ssh *, int, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int mm_answer_gss_userok(struct ssh *, int, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int mm_answer_gss_checkmic(struct ssh *, int, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int mm_answer_gss_sign(struct ssh *, int, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int mm_answer_gss_updatecreds(struct ssh *, int, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef SSH_AUDIT_EVENTS
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -219,11 +221,18 @@ struct mon_table mon_dispatch_proto20[]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++kexgssgex_server(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct kex *kex = ssh->kex;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ OM_uint32 maj_status, min_status;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Some GSSAPI implementations use the input value of ret_flags (an
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * output variable) as a means of triggering mechanism specific
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * features. Initializing it to zero avoids inadvertently
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * activating this non-standard behaviour.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ OM_uint32 ret_flags = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_buffer_desc gssbuf, recv_tok, msg_tok;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Gssctxt *ctxt = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshbuf *shared_secret = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int type = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_OID oid;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *mechs;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ u_char hash[SSH_DIGEST_MAX_LENGTH];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ size_t hashlen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BIGNUM *dh_client_pub = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const BIGNUM *pub_key, *dh_p, *dh_g;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int min = -1, max = -1, nbits = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int cmin = -1, cmax = -1; /* client proposal */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ struct sshbuf *empty = sshbuf_new();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int r;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Initialise GSSAPI */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* If we're rekeying, privsep means that some of the private structures
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * in the GSSAPI code are no longer available. This kludges them back
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * into life
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!ssh_gssapi_oid_table_ok())
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((mechs = ssh_gssapi_server_mechanisms()))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(mechs);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug2_f("Identifying %s", kex->name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (oid == GSS_C_NO_OID)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Unknown gssapi mechanism");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug2_f("Acquiring credentials");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Unable to acquire credentials for the server");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* 5. S generates an ephemeral key pair (do the allocations early) */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Doing group exchange");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_packet_read_expect(ssh, SSH2_MSG_KEXGSS_GROUPREQ);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* store client proposal to provide valid signature */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_get_u32(ssh, &cmin)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_u32(ssh, &nbits)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_u32(ssh, &cmax)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_end(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->nbits = nbits;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->min = cmin;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->max = cmax;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ min = MAX(DH_GRP_MIN, cmin);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ max = MIN(DH_GRP_MAX, cmax);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ nbits = MAXIMUM(DH_GRP_MIN, nbits);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ nbits = MINIMUM(DH_GRP_MAX, nbits);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (max < min || nbits < min || max < nbits)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("GSS_GEX, bad parameters: %d !< %d !< %d",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ min, nbits, max);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->dh = PRIVSEP(choose_dh(min, nbits, max));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (kex->dh == NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshpkt_disconnect(ssh, "Protocol error: no matching group found");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Protocol error: no matching group found");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_start(ssh, SSH2_MSG_KEXGSS_GROUP)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_bignum2(ssh, dh_p)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_bignum2(ssh, dh_g)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_send(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = ssh_packet_write_wait(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("ssh_packet_write_wait: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Compute our exchange value in parallel with the client */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = dh_gen_key(kex->dh, kex->we_need * 8)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto out;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ do {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Wait SSH2_MSG_GSSAPI_INIT");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ type = ssh_packet_read(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ switch(type) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case SSH2_MSG_KEXGSS_INIT:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (dh_client_pub != NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Received KEXGSS_INIT after initialising");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &recv_tok)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_bignum2(ssh, &dh_client_pub)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_end(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case SSH2_MSG_KEXGSS_CONTINUE:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &recv_tok)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_get_end(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshpkt_disconnect(ssh,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "Protocol error: didn't expect packet type %d",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ type);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &send_tok, &ret_flags));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_release_buffer(&min_status, &recv_tok);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (maj_status != GSS_S_COMPLETE && send_tok.length == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Zero length token output when incomplete");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (dh_client_pub == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("No client public key");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (maj_status & GSS_S_CONTINUE_NEEDED) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug("Sending GSSAPI_CONTINUE");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_start(ssh, SSH2_MSG_KEXGSS_CONTINUE)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_string(ssh, send_tok.value, send_tok.length)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_send(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_release_buffer(&min_status, &send_tok);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } while (maj_status & GSS_S_CONTINUE_NEEDED);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (GSS_ERROR(maj_status)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (send_tok.length > 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_start(ssh, SSH2_MSG_KEXGSS_CONTINUE)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_string(ssh, send_tok.value, send_tok.length)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_send(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("accept_ctx died");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!(ret_flags & GSS_C_MUTUAL_FLAG))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Mutual Authentication flag wasn't set");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!(ret_flags & GSS_C_INTEG_FLAG))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Integrity flag wasn't set");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* calculate shared secret */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((shared_secret = sshbuf_new()) == NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ r = SSH_ERR_ALLOC_FAIL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto out;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = kex_dh_compute_key(kex, dh_client_pub, shared_secret)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto out;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ DH_get0_key(kex->dh, &pub_key, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hashlen = sizeof(hash);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = kexgex_hash(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->hash_alg,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->client_version,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->server_version,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->peer,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->my,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ empty,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cmin, nbits, cmax,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dh_p, dh_g,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ dh_client_pub,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pub_key,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_ptr(shared_secret), sshbuf_len(shared_secret),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hash, &hashlen)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("kexgex_hash failed: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gssbuf.value = hash;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gssbuf.length = hashlen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt, &gssbuf, &msg_tok))))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("Couldn't get MIC");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_start(ssh, SSH2_MSG_KEXGSS_COMPLETE)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_bignum2(ssh, pub_key)) != 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_string(ssh, msg_tok.value, msg_tok.length)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (send_tok.length != 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_put_u8(ssh, 1)) != 0 || /* true */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (r = sshpkt_put_string(ssh, send_tok.value, send_tok.length)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_put_u8(ssh, 0)) != 0) /* false */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = sshpkt_send(ssh)) != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal("sshpkt failed: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_release_buffer(&min_status, &send_tok);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_release_buffer(&min_status, &msg_tok);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (gss_kex_context == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_kex_context = ctxt;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_delete_ctx(&ctxt);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Finally derive the keys and send them */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ r = kex_send_newkeys(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* If this was a rekey, then save out any delegated credentials we
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * just exchanged. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.gss_store_rekey)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_gssapi_rekey_creds();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++out:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_free(empty);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ explicit_bzero(hash, sizeof(hash));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ DH_free(kex->dh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->dh = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BN_clear_free(dh_client_pub);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sshbuf_free(shared_secret);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return r;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/monitor.c b/monitor.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 74c803e1..d8e447fe 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/monitor.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/monitor.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -145,6 +145,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int mm_answer_gss_accept_ctx(struct ssh *, int, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int mm_answer_gss_userok(struct ssh *, int, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int mm_answer_gss_checkmic(struct ssh *, int, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int mm_answer_gss_sign(struct ssh *, int, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int mm_answer_gss_updatecreds(struct ssh *, int, struct sshbuf *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef SSH_AUDIT_EVENTS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -217,11 +219,18 @@ struct mon_table mon_dispatch_proto20[] = {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
</span> {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok},
{MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
+ {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
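Review bot: in the default: branch of the packet-type switch (the sshpkt_disconnect call just before maj_status = PRIVSEP(ssh_gssapi_accept_ctx(...))), sshpkt_disconnect only queues a DISCONNECT and returns, so an unexpected packet type still falls through into ssh_gssapi_accept_ctx with a recv_tok this loop iteration never filled; add a fatal() after the disconnect, as every other error path in this function does. The two goto out paths after the loop (sshbuf_new failure and kex_dh_compute_key failure) also skip the gss_release_buffer(&min_status, &send_tok) and the ctxt handling that the success path performs, so the out: label should release send_tok as well.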
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2267,7 +2712,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> #ifdef WITH_OPENSSL
{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
#endif
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -292,6 +301,10 @@ monitor_child_preauth(struct ssh *ssh, s
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -290,6 +299,10 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
</span> /* Permit requests for moduli and signatures */
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2278,7 +2723,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span>
/* The first few requests do not require asynchronous access */
while (!authenticated) {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -405,6 +418,10 @@ monitor_child_postauth(struct ssh *ssh,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -401,6 +414,10 @@ monitor_child_postauth(struct ssh *ssh, struct monitor *pmonitor)
</span> monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2289,47 +2734,47 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span>
if (auth_opts->permit_pty_flag) {
monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1689,6 +1706,17 @@ monitor_apply_keystate(struct ssh *ssh,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1730,6 +1747,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # ifdef OPENSSL_HAS_ECC
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
</span> # endif
<span style='display:block; white-space:pre;background:#e0ffe0;'>++# ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.gss_keyex) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->kex[KEX_GSS_GEX_SHA1] = kexgssgex_server;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->kex[KEX_GSS_NISTP256_SHA256] = kexgss_server;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->kex[KEX_GSS_C25519_SHA256] = kexgss_server;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# endif
</span> #endif /* WITH_OPENSSL */
<span style='display:block; white-space:pre;background:#ffe0e0;'>- kex->kex[KEX_C25519_SHA256] = kex_gen_server;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.gss_keyex) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->kex[KEX_GSS_NISTP256_SHA256] = kexgss_server;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->kex[KEX_GSS_C25519_SHA256] = kexgss_server;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex->load_host_public_key=&get_hostkey_public_by_type;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex->load_host_private_key=&get_hostkey_private_by_type;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1780,8 +1808,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex->kex[KEX_C25519_SHA256] = kex_gen_server;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1822,8 +1850,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
</span> u_char *p;
int r;
- if (!options.gss_authentication)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-- fatal("%s: GSSAPI authentication not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- fatal_f("GSSAPI authentication not enabled");
</span> + if (!options.gss_authentication && !options.gss_keyex)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: GSSAPI not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_f("GSSAPI not enabled");
</span>
if ((r = sshbuf_get_string(m, &p, &len)) != 0)
<span style='display:block; white-space:pre;background:#ffe0e0;'>- fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1813,8 +1841,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal_fr(r, "parse");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1855,8 +1883,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
</span> OM_uint32 flags = 0; /* GSI needs this */
int r;
- if (!options.gss_authentication)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-- fatal("%s: GSSAPI authentication not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- fatal_f("GSSAPI authentication not enabled");
</span> + if (!options.gss_authentication && !options.gss_keyex)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: GSSAPI not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_f("GSSAPI not enabled");
</span>
if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
<span style='display:block; white-space:pre;background:#ffe0e0;'>- fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1834,6 +1862,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal_fr(r, "ssh_gssapi_get_buffer_desc");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1876,6 +1904,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
</span> monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
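Review bot: the kex->kex[KEX_GSS_C25519_SHA256] = kexgss_server registration now sits under # ifdef GSSAPI inside #ifdef WITH_OPENSSL, while the non-GSS kex->kex[KEX_C25519_SHA256] = kex_gen_server line stays outside WITH_OPENSSL; if the curve25519 GSS method does not need OpenSSL, a GSSAPI build without OpenSSL silently loses it, so either keep that one entry outside the WITH_OPENSSL block or state in the patch header that GSS key exchange is OpenSSL-only. The change of KEX_GSS_GEX_SHA1 from kexgss_server to the new kexgssgex_server matches the dedicated GEX server function added earlier in this patch.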
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2337,18 +2782,18 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> }
return (0);
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1845,8 +1874,8 @@ mm_answer_gss_checkmic(struct ssh *ssh,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1887,8 +1916,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
</span> OM_uint32 ret;
int r;
- if (!options.gss_authentication)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-- fatal("%s: GSSAPI authentication not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- fatal_f("GSSAPI authentication not enabled");
</span> + if (!options.gss_authentication && !options.gss_keyex)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: GSSAPI not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_f("GSSAPI not enabled");
</span>
if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
(r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1872,13 +1901,17 @@ mm_answer_gss_checkmic(struct ssh *ssh,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1914,13 +1943,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
</span> int
mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
{
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2357,21 +2802,21 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> const char *displayname;
- if (!options.gss_authentication)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-- fatal("%s: GSSAPI authentication not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- fatal_f("GSSAPI authentication not enabled");
</span> + if (!options.gss_authentication && !options.gss_keyex)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: GSSAPI not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_f("GSSAPI not enabled");
</span>
- authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
+ if ((r = sshbuf_get_u32(m, &kex)) != 0)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_fr(r, "buffer error");
</span> +
+ authenticated = authctxt->valid &&
+ ssh_gssapi_userok(authctxt->user, authctxt->pw, kex);
sshbuf_reset(m);
if ((r = sshbuf_put_u32(m, authenticated)) != 0)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1887,7 +1920,11 @@ mm_answer_gss_userok(struct ssh *ssh, in
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- debug3("%s: sending result %d", __func__, authenticated);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1929,7 +1962,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug3_f("sending result %d", authenticated);
</span> mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
- auth_method = "gssapi-with-mic";
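Review bot: in mm_answer_gss_userok the new kex value is read from the child's request buffer and passed straight into ssh_gssapi_userok(authctxt->user, authctxt->pw, kex), and the fixed auth_method = "gssapi-with-mic" is dropped, so the unprivileged child is now telling the monitor which GSSAPI method it is completing. Bound the value to 0 or 1 and, where the monitor can tell whether a GSS key exchange actually ran for this session (the MONITOR_REQ_GSSSIGN handler saves the session id on first use), cross-check against that rather than trusting the flag alone.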
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2383,11 +2828,12 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span>
if ((displayname = ssh_gssapi_displayname()) != NULL)
auth2_record_info(authctxt, "%s", displayname);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1895,5 +1932,85 @@ mm_answer_gss_userok(struct ssh *ssh, in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1937,5 +1974,83 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
</span> /* Monitor loop will terminate if authenticated */
return (authenticated);
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-#endif /* GSSAPI */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span> +int
+mm_answer_gss_sign(struct ssh *ssh, int socket, struct sshbuf *m)
+{
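Review bot: mm_answer_gss_sign takes int socket as its second parameter, which shadows socket(2); the other handlers in this file, including mm_answer_gss_userok just above, name it sock, so rename for consistency. Moving #endif /* GSSAPI */ below the two new handlers is correct since both are GSSAPI-only.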
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2399,16 +2845,15 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + int r;
+
+ if (!options.gss_authentication && !options.gss_keyex)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: GSSAPI not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_f("GSSAPI not enabled");
</span> +
+ if ((r = sshbuf_get_string(m, &p, &len)) != 0)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_fr(r, "buffer error");
</span> + data.value = p;
+ data.length = len;
+ /* Lengths of SHA-1, SHA-256 and SHA-512 hashes that are used */
+ if (data.length != 20 && data.length != 32 && data.length != 64)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: data length incorrect: %d", __func__,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (int) data.length);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_f("data length incorrect: %d", (int) data.length);
</span> +
+ /* Save the session ID on the first time around */
+ if (session_id2_len == 0) {
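Review bot: the 20/32/64-byte length check is the only validation before the monitor computes a MIC with the host credential over a child-supplied buffer; that is acceptable only because MONITOR_REQ_GSSSIGN is registered with MON_ONCE in mon_dispatch_proto20, so the comment next to the check should say that the dispatch flag, not the size test, is what bounds this request.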
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2424,7 +2869,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> +
+ if ((r = sshbuf_put_u32(m, major)) != 0 ||
+ (r = sshbuf_put_string(m, hash.value, hash.length)) != 0)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_fr(r, "buffer error");
</span> +
+ mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
+
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2445,12 +2890,12 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + int r, ok;
+
+ if (!options.gss_authentication && !options.gss_keyex)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: GSSAPI not enabled", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_f("GSSAPI not enabled");
</span> +
+ if ((r = sshbuf_get_string(m, (u_char **)&store.filename, NULL)) != 0 ||
+ (r = sshbuf_get_string(m, (u_char **)&store.envvar, NULL)) != 0 ||
+ (r = sshbuf_get_string(m, (u_char **)&store.envval, NULL)) != 0)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_fr(r, "buffer error");
</span> +
+ ok = ssh_gssapi_update_creds(&store);
+
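Review bot: mm_answer_gss_updatecreds reads store.filename, store.envvar and store.envval with sshbuf_get_string(m, ..., NULL), which accepts embedded NUL bytes, while the sending side in mm_ssh_gssapi_update_creds uses sshbuf_put_cstring; use sshbuf_get_cstring here so a NUL inside a path or environment value is rejected before ssh_gssapi_update_creds acts on it, and treat all three as untrusted input from the unprivileged process. Since the sender substitutes "" for a NULL field, also decide here whether an empty string means unset before it is passed on.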
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2460,30 +2905,32 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> +
+ sshbuf_reset(m);
+ if ((r = sshbuf_put_u32(m, ok)) != 0)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_fr(r, "buffer error");
</span> +
+ mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
+
+ return(0);
+}
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif /* GSSAPI */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/monitor.h 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/monitor.h 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -63,6 +63,9 @@ enum monitor_reqtype {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* GSSAPI */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/monitor.h b/monitor.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 683e5e07..2b1a2d59 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/monitor.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/monitor.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -63,6 +63,8 @@ enum monitor_reqtype {
</span> MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
+ MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151,
+ MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span> };
struct ssh;
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/monitor_wrap.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/monitor_wrap.c 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -978,13 +978,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/monitor_wrap.c b/monitor_wrap.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 748333c7..3310ad3f 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/monitor_wrap.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/monitor_wrap.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -999,13 +999,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
</span> }
int
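Review bot: the new MONITOR_REQ_GSSSIGN/MONITOR_ANS_GSSSIGN (150/151) and MONITOR_REQ_GSSUPCREDS/MONITOR_ANS_GSSUPCREDS (152/153) values follow the request-even/answer-odd pairing of the 110-113 entries, but only those neighbours are visible in this hunk; confirm against the full enum monitor_reqtype that nothing else already occupies 150-153.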
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2494,14 +2941,14 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> int r, authenticated = 0;
if ((m = sshbuf_new()) == NULL)
<span style='display:block; white-space:pre;background:#ffe0e0;'>- fatal("%s: sshbuf_new failed", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal_f("sshbuf_new failed");
</span> + if ((r = sshbuf_put_u32(m, kex)) != 0)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_fr(r, "buffer error");
</span>
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m);
mm_request_receive_expect(pmonitor->m_recvfd,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -997,4 +999,57 @@ mm_ssh_gssapi_userok(char *user)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1018,4 +1020,57 @@ mm_ssh_gssapi_userok(char *user)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug3_f("user %sauthenticated", authenticated ? "" : "not ");
</span> return (authenticated);
}
+
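Review bot: the fatal()/debug3() to fatal_f()/fatal_fr()/debug3_f() conversions in this hunk are correct and lose no information: fatal_fr(r, "buffer error") prepends the function name and appends ssh_err(r) itself, so dropping the explicit __func__ and ssh_err(r) arguments is the intended use of the newer log helpers, not a regression in diagnostics. Worth a grep over the rest of the patch for any remaining fatal("%s: ...", __func__) form so the monitor-side wrappers all follow the same convention.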
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2513,16 +2960,16 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + int r;
+
+ if ((m = sshbuf_new()) == NULL)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: sshbuf_new failed", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_f("sshbuf_new failed");
</span> + if ((r = sshbuf_put_string(m, data->value, data->length)) != 0)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_fr(r, "buffer error");
</span> +
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, m);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, m);
+
+ if ((r = sshbuf_get_u32(m, &major)) != 0 ||
+ (r = ssh_gssapi_get_buffer_desc(m, hash)) != 0)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_fr(r, "buffer error");
</span> +
+ sshbuf_free(m);
+
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2536,7 +2983,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + int r, ok;
+
+ if ((m = sshbuf_new()) == NULL)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: sshbuf_new failed", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_f("sshbuf_new failed");
</span> +
+ if ((r = sshbuf_put_cstring(m,
+ store->filename ? store->filename : "")) != 0 ||
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2544,13 +2991,13 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + store->envvar ? store->envvar : "")) != 0 ||
+ (r = sshbuf_put_cstring(m,
+ store->envval ? store->envval : "")) != 0)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_fr(r, "buffer error");
</span> +
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, m);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, m);
+
+ if ((r = sshbuf_get_u32(m, &ok)) != 0)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_fr(r, "buffer error");
</span> +
+ sshbuf_free(m);
+
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2558,9 +3005,11 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> +}
+
#endif /* GSSAPI */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/monitor_wrap.h 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/monitor_wrap.h 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -63,8 +63,10 @@ int mm_sshkey_verify(const struct sshkey
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/monitor_wrap.h b/monitor_wrap.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index a163b67d..f51bcca0 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/monitor_wrap.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/monitor_wrap.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -65,8 +65,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
</span> OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2572,8 +3021,10 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> #endif
#ifdef USE_PAM
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/readconf.c 2019-11-08 15:37:14.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/readconf.c 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/readconf.c b/readconf.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index bcca6ed4..dc7ece37 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/readconf.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/readconf.c
</span> @@ -67,6 +67,7 @@
#include "uidswap.h"
#include "myproposal.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2582,7 +3033,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span>
/* Format of the configuration file:
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -162,6 +163,8 @@ typedef enum {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -161,6 +162,8 @@ typedef enum {
</span> oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2591,7 +3042,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -205,10 +208,21 @@ static struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -206,10 +209,22 @@ static struct {
</span> /* Sometimes-unsupported options */
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2608,12 +3059,13 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> { "gssapidelegatecredentials", oUnsupported },
+ { "gssapitrustdns", oUnsupported },
+ { "gssapiclientidentity", oUnsupported },
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ { "gssapiserveridentity", oUnsupported },
</span> + { "gssapirenewalforcesrekey", oUnsupported },
+ { "gssapikexalgorithms", oUnsupported },
#endif
#ifdef ENABLE_PKCS11
{ "pkcs11provider", oPKCS11Provider },
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -994,10 +1008,42 @@ parse_time:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1113,10 +1128,46 @@ parse_time:
</span> intptr = &options->gss_authentication;
goto parse_flag;
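Review bot: adding gssapiserveridentity to the oUnsupported table closes a gap between the two keyword lists: the gss_server_identity field is declared in readconf.h, and without this entry a build without GSSAPI would treat GSSAPIServerIdentity as a bad configuration option instead of an unsupported one, which breaks a shared ssh_config rather than just warning about it. With this line the non-GSSAPI list now covers all five patch-added keywords, which is what a reviewer should check against the GSSAPI branch above it.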
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2642,13 +3094,17 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + goto parse_flag;
+
+ case oGssKexAlgorithms:
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ arg = strdelim(&s);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!arg || *arg == '\0')
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%.200s line %d: Missing argument.",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ arg = argv_next(&ac, &av);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!arg || *arg == '\0') {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ error("%.200s line %d: Missing argument.",
</span> + filename, linenum);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!kex_gss_names_valid(arg))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto out;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!kex_gss_names_valid(arg)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ error("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
</span> + filename, linenum, arg ? arg : "<NONE>");
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto out;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span> + if (*activep && options->gss_kex_algorithms == NULL)
+ options->gss_kex_algorithms = xstrdup(arg);
+ break;
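Review bot: in the oGssKexAlgorithms case the null-guard fallback on the "Bad GSSAPI KexAlgorithms" error line is now unreachable, because the preceding "if (!arg || *arg == '\0')" branch already jumps to out; it can be reduced to plain arg. The switch from strdelim() to argv_next() and from fatal() to error() plus "goto out" follows the client parser's convention of reporting and returning rather than aborting, so please confirm the out: label in this function (outside the hunk) returns the failure status, otherwise a malformed GSSAPIKexAlgorithms line would be reported but the remaining options still accepted. Note also that validation via kex_gss_names_valid() runs before the *activep check, so a bad list is rejected even inside a non-matching Host/Match block, which is the right order.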
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2656,9 +3112,9 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1875,7 +1921,13 @@ initialize_options(Options * options)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2333,7 +2384,13 @@ initialize_options(Options * options)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->fwd_opts.streamlocal_bind_unlink = -1;
</span> options->pubkey_authentication = -1;
<span style='display:block; white-space:pre;background:#ffe0e0;'>- options->challenge_response_authentication = -1;
</span> options->gss_authentication = -1;
+ options->gss_keyex = -1;
options->gss_deleg_creds = -1;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2670,8 +3126,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2024,8 +2076,18 @@ fill_default_options(Options * options)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- options->challenge_response_authentication = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2490,8 +2547,18 @@ fill_default_options(Options * options)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->pubkey_authentication = 1;
</span> if (options->gss_authentication == -1)
options->gss_authentication = 0;
+ if (options->gss_keyex == -1)
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2689,7 +3145,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2645,7 +2707,14 @@ dump_client_config(Options *o, const cha
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -3282,7 +3349,14 @@ dump_client_config(Options *o, const char *host)
</span> dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
#ifdef GSSAPI
dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2704,25 +3160,29 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> #endif /* GSSAPI */
dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/readconf.h 2019-11-08 15:37:14.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/readconf.h 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -40,7 +40,13 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int challenge_response_authentication;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Try S/Key or TIS, authentication. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/readconf.h b/readconf.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index f24719f9..00895ad8 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/readconf.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/readconf.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -39,7 +39,13 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int pubkey_authentication; /* Try ssh2 pubkey authentication. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int hostbased_authentication; /* ssh2's rhosts_rsa */
</span> int gss_authentication; /* Try GSS authentication */
+ int gss_keyex; /* Try GSS key exchange */
int gss_deleg_creds; /* Delegate GSS credentials */
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int gss_renewal_rekey; /* Credential renewal forces rekey */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *gss_client_identity; /* Principal to initiate GSSAPI with */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *gss_server_identity; /* GSSAPI target principal */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int gss_renewal_rekey; /* Credential renewal forces rekey */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *gss_client_identity; /* Principal to initiate GSSAPI with */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *gss_server_identity; /* GSSAPI target principal */
</span> + char *gss_kex_algorithms; /* GSSAPI kex methods to be offered by client. */
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/servconf.c 2019-11-08 14:18:25.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/servconf.c 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -64,6 +64,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/servconf.c b/servconf.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index b2fbf0b2..d78fbb67 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/servconf.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/servconf.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -70,6 +70,7 @@
</span> #include "auth.h"
#include "myproposal.h"
#include "digest.h"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2730,7 +3190,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span>
static void add_listen_addr(ServerOptions *, const char *,
const char *, int);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -124,8 +125,11 @@ initialize_server_options(ServerOptions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -136,8 +137,11 @@ initialize_server_options(ServerOptions *options)
</span> options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1;
options->gss_authentication=-1;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2741,8 +3201,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + options->gss_kex_algorithms = NULL;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
<span style='display:block; white-space:pre;background:#ffe0e0;'>- options->challenge_response_authentication = -1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -351,10 +355,18 @@ fill_default_server_options(ServerOption
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options->permit_empty_passwd = -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -356,10 +360,18 @@ fill_default_server_options(ServerOptions *options)
</span> options->kerberos_get_afs_token = 0;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2761,15 +3221,15 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -498,6 +510,7 @@ typedef enum {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sHostKeyAlgorithms,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -505,6 +517,7 @@ typedef enum {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
</span> sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+ sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey,
sAcceptEnv, sSetEnv, sPermitTunnel,
sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -572,12 +585,22 @@ static struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -586,12 +599,22 @@ static struct {
</span> #ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2791,8 +3251,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
<span style='display:block; white-space:pre;background:#ffe0e0;'>- { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1488,6 +1511,10 @@ process_server_config_line(ServerOptions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ { "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1575,6 +1598,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
</span> intptr = &options->gss_authentication;
goto parse_flag;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2803,7 +3263,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> case sGssCleanupCreds:
intptr = &options->gss_cleanup_creds;
goto parse_flag;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1496,6 +1523,22 @@ process_server_config_line(ServerOptions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1583,6 +1610,22 @@ process_server_config_line_depth(ServerOptions *options, char *line,
</span> intptr = &options->gss_strict_acceptor;
goto parse_flag;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2812,7 +3272,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + goto parse_flag;
+
+ case sGssKexAlgorithms:
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ arg = strdelim(&cp);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ arg = argv_next(&ac, &av);
</span> + if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.",
+ filename, linenum);
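Review bot: sGssKexAlgorithms now reads its argument with argv_next() but keeps fatal() on a missing argument, while the matching client-side case in readconf.c was changed to error() plus "goto out"; that asymmetry mirrors the two upstream parsers (servconf.c aborts on bad config, readconf.c returns), so it is fine, but the rest of this case is outside the hunk and should be checked for the same strdelim() leftover and for the kex_gss_names_valid() check that the client side performs, since sshd must not accept an unvalidated algorithm string into options->gss_kex_algorithms.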
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2826,7 +3286,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> case sPasswordAuthentication:
intptr = &options->password_authentication;
goto parse_flag;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2585,6 +2628,10 @@ dump_config(ServerOptions *o)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2891,6 +2934,10 @@ dump_config(ServerOptions *o)
</span> #ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2837,52 +3297,86 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> #endif
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
dump_cfg_fmtint(sKbdInteractiveAuthentication,
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/servconf.h 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/servconf.h 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -126,8 +126,11 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/servconf.h b/servconf.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index dd5cbc15..413413e9 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/servconf.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/servconf.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -141,8 +141,11 @@ typedef struct {
</span> int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */
int gss_authentication; /* If true, permit GSSAPI authentication */
+ int gss_keyex; /* If true, permit GSSAPI key exchange */
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ int gss_store_rekey;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int gss_store_rekey;
</span> + char *gss_kex_algorithms; /* GSSAPI kex methods to be offered by client. */
int password_authentication; /* If true, permit password
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh-gss.h 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh-gss.h 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/session.c b/session.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 5f423f9f..165b8782 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/session.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/session.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2670,13 +2670,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef KRB5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options.kerberos_ticket_cleanup &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- authctxt->krb5_ctx)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ authctxt->krb5_ctx) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ temporarily_use_uid(authctxt->pw);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ krb5_cleanup_proc(authctxt);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ restore_uid();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (options.gss_cleanup_creds)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.gss_cleanup_creds) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ temporarily_use_uid(authctxt->pw);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_gssapi_cleanup_creds();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ restore_uid();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* remove agent socket */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/ssh-gss.h b/ssh-gss.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index a8af117d..6303ce18 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh-gss.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh-gss.h
</span> @@ -1,6 +1,6 @@
<span style='display:block; white-space:pre;background:#ffe0e0;'>- /* $OpenBSD: ssh-gss.h,v 1.14 2018/07/10 09:13:30 djm Exp $ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* $OpenBSD: ssh-gss.h,v 1.15 2021/01/27 10:05:28 djm Exp $ */
</span> /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -61,10 +61,30 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -61,10 +61,34 @@
</span>
#define SSH_GSS_OIDTYPE 0x06
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define SSH2_MSG_KEXGSS_INIT 30
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define SSH2_MSG_KEXGSS_CONTINUE 31
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define SSH2_MSG_KEXGSS_COMPLETE 32
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define SSH2_MSG_KEXGSS_HOSTKEY 33
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define SSH2_MSG_KEXGSS_ERROR 34
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define SSH2_MSG_KEXGSS_INIT 30
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define SSH2_MSG_KEXGSS_CONTINUE 31
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define SSH2_MSG_KEXGSS_COMPLETE 32
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define SSH2_MSG_KEXGSS_HOSTKEY 33
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define SSH2_MSG_KEXGSS_ERROR 34
</span> +#define SSH2_MSG_KEXGSS_GROUPREQ 40
+#define SSH2_MSG_KEXGSS_GROUP 41
+#define KEX_GSS_GRP1_SHA1_ID "gss-group1-sha1-"
+#define KEX_GSS_GRP14_SHA1_ID "gss-group14-sha1-"
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define KEX_GSS_GRP14_SHA256_ID "gss-group14-sha256-"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define KEX_GSS_GRP16_SHA512_ID "gss-group16-sha512-"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define KEX_GSS_GRP14_SHA256_ID "gss-group14-sha256-"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define KEX_GSS_GRP16_SHA512_ID "gss-group16-sha512-"
</span> +#define KEX_GSS_GEX_SHA1_ID "gss-gex-sha1-"
+#define KEX_GSS_NISTP256_SHA256_ID "gss-nistp256-sha256-"
+#define KEX_GSS_C25519_SHA256_ID "gss-curve25519-sha256-"
+
+#define GSS_KEX_DEFAULT_KEX \
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ KEX_GSS_GEX_SHA1_ID "," \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ KEX_GSS_GRP14_SHA1_ID
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ KEX_GSS_GRP14_SHA256_ID "," \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ KEX_GSS_GRP16_SHA512_ID "," \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ KEX_GSS_NISTP256_SHA256_ID "," \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ KEX_GSS_C25519_SHA256_ID "," \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ KEX_GSS_GRP14_SHA1_ID "," \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ KEX_GSS_GEX_SHA1_ID
</span> +
typedef struct {
char *filename;
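Review bot: GSS_KEX_DEFAULT_KEX now lists the SHA-256 and SHA-512 methods first, but still offers gss-group14-sha1- and gss-gex-sha1- by default (gss-group1-sha1- is defined yet correctly left out); keeping the SHA-1 methods is a compatibility choice that should be stated in the port's variant description or the config manpage hunks, with GSSAPIKexAlgorithms named as the knob to remove them. The session.c hunk is new in this revision of the patch (it has no '-' counterpart): wrapping krb5_cleanup_proc() and ssh_gssapi_cleanup_creds() in temporarily_use_uid(authctxt->pw) / restore_uid() makes the credential-cache removal at logout run with the user's uid rather than root's, so a cache path under the user's control cannot be used to make root unlink or truncate something else; please confirm authctxt->pw is non-NULL on every path that reaches this point in do_cleanup(), as the early returns are outside the hunk.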
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2892,7 +3386,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> void *data;
} ssh_gssapi_ccache;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -72,8 +92,11 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -72,8 +96,11 @@ typedef struct {
</span> gss_buffer_desc displayname;
gss_buffer_desc exportedname;
gss_cred_id_t creds;
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2904,7 +3398,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> } ssh_gssapi_client;
typedef struct ssh_gssapi_mech_struct {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -84,6 +107,7 @@ typedef struct ssh_gssapi_mech_struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -84,6 +111,7 @@ typedef struct ssh_gssapi_mech_struct {
</span> int (*userok) (ssh_gssapi_client *, char *);
int (*localname) (ssh_gssapi_client *, char **);
void (*storecreds) (ssh_gssapi_client *);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2912,7 +3406,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> } ssh_gssapi_mech;
typedef struct {
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -94,10 +118,11 @@ typedef struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -94,10 +122,11 @@ typedef struct {
</span> gss_OID oid; /* client */
gss_cred_id_t creds; /* server */
gss_name_t client; /* server */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2925,7 +3419,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span>
int ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -109,6 +134,7 @@ OM_uint32 ssh_gssapi_test_oid_supported(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -109,6 +138,7 @@ OM_uint32 ssh_gssapi_test_oid_supported(OM_uint32 *, gss_OID, int *);
</span>
struct sshbuf;
int ssh_gssapi_get_buffer_desc(struct sshbuf *, gss_buffer_desc *);
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2933,10 +3427,10 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span>
OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *);
OM_uint32 ssh_gssapi_init_ctx(Gssctxt *, int,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -123,17 +149,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -123,17 +153,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **);
</span> OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_buildmic(struct sshbuf *, const char *,
<span style='display:block; white-space:pre;background:#ffe0e0;'>- const char *, const char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const char *, const char *, const struct sshbuf *);
</span> -int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
+int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *);
+OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *);
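Review bot: the `ssh_gssapi_buildmic()` prototype gains a trailing `const struct sshbuf *` (the session id) and `ssh_gssapi_check_mechanism()` gains a second `const char *`; the only caller visible on this page (the sshconnect2.c hunk passing `"gssapi-keyex", ssh->kex->session_id`) matches the new signature, but the server-side callers are not in these hunks, so confirm every call site was updated, otherwise this is a compile error rather than a runtime one.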
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2969,9 +3463,62 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> #endif /* GSSAPI */
#endif /* _SSH_GSS_H */
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh_config 2019-11-08 15:37:17.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh_config 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -24,6 +24,8 @@ Host *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/ssh.1 b/ssh.1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 7efb2382..67ea50aa 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh.1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh.1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -530,7 +530,13 @@ For full details of the options listed below, and their possible values, see
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .It GatewayPorts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .It GlobalKnownHostsFile
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .It GSSAPIAuthentication
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.It GSSAPIKeyExchange
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.It GSSAPIClientIdentity
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .It GSSAPIDelegateCredentials
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.It GSSAPIKexAlgorithms
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.It GSSAPIRenewalForcesRekey
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.It GSSAPIServerIdentity
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.It GSSAPITrustDns
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .It HashKnownHosts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .It Host
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .It HostbasedAcceptedAlgorithms
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -607,6 +613,8 @@ flag),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (supported message integrity codes),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .Ar kex
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (key exchange algorithms),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Ar kex-gss
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++(GSSAPI key exchange algorithms),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .Ar key
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (key types),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .Ar key-cert
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/ssh.c b/ssh.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index e6fe8090..519b7a23 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -775,6 +775,8 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ else if (strcmp(optarg, "kex") == 0 ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ strcasecmp(optarg, "KexAlgorithms") == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ cp = kex_alg_list('\n');
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else if (strcmp(optarg, "kex-gss") == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cp = kex_gss_alg_list('\n');
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ else if (strcmp(optarg, "key") == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ cp = sshkey_alg_list(0, 0, 0, '\n');
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ else if (strcmp(optarg, "key-cert") == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -802,8 +804,8 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } else if (strcmp(optarg, "help") == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ cp = xstrdup(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "cipher\ncipher-auth\ncompression\nkex\n"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- "key\nkey-cert\nkey-plain\nkey-sig\nmac\n"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- "protocol-version\nsig");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "kex-gss\nkey\nkey-cert\nkey-plain\n"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "key-sig\nmac\nprotocol-version\nsig");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (cp == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal("Unsupported query \"%s\"", optarg);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/ssh_config b/ssh_config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 842ea866..52aae869 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh_config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh_config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -24,6 +24,8 @@
</span> # HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
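Review bot: the new `-Q kex-gss` branch in ssh.c (`else if (strcmp(optarg, "kex-gss") == 0)` / `cp = kex_gss_alg_list('\n');`) is not wrapped in `#ifdef GSSAPI` in this hunk; if `kex_gss_alg_list()` is only compiled when GSSAPI is defined, a build without it fails to link, so either confirm the definition is unconditional or guard the branch. Separately, the ssh.1 option list inserts `GSSAPIKeyExchange` ahead of `GSSAPIClientIdentity` and `GSSAPIDelegateCredentials`, breaking the alphabetical order the rest of that list keeps; it belongs after `GSSAPIKexAlgorithms`.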
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2980,23 +3527,14 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> # BatchMode no
# CheckHostIP yes
# AddressFamily any
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh_config.5 2019-11-08 15:37:17.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh_config.5 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1,4 +1,4 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--.\"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+kex-gss\n.\"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .\" All rights reserved
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -767,10 +767,66 @@ The default is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/ssh_config.5 b/ssh_config.5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 170125a0..2bac0a75 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh_config.5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh_config.5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -833,10 +833,67 @@ The default is
</span> Specifies whether user authentication based on GSSAPI is allowed.
The default is
.Cm no .
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+.It Cm GSSAPIKeyExchange
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+Specifies whether key exchange based on GSSAPI may be used. When using
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+GSSAPI key exchange the server need not have a host key.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+The default is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Cm no .
</span> +.It Cm GSSAPIClientIdentity
+If set, specifies the GSSAPI client identity that ssh should use when
+connecting to the server. The default is unset, which means that the default
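Review bot: the old ssh_config.5 hunk being removed here carried a stray edit to the file's first line (`--.\"` replaced by `-+kex-gss\n.\"`), which would have injected the literal text `kex-gss\n` into the man page's opening comment; dropping it in favour of the clean git-style header is the right fix, and moving the `GSSAPIKeyExchange` entry out of this position (it reappears after `GSSAPIDelegateCredentials` in the next hunk) keeps the entries grouped the way the later documentation refers to them.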
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3005,11 +3543,16 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> Forward (delegate) credentials to the server.
The default is
.Cm no .
<span style='display:block; white-space:pre;background:#e0ffe0;'>++.It Cm GSSAPIKeyExchange
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Specifies whether key exchange based on GSSAPI may be used. When using
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++GSSAPI key exchange the server need not have a host key.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++The default is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Dq no .
</span> +.It Cm GSSAPIRenewalForcesRekey
+If set to
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Cm yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Dq yes
</span> +then renewal of the client's GSSAPI credentials will force the rekeying of the
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ssh connection. With a compatible server, this can delegate the renewed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssh connection. With a compatible server, this will delegate the renewed
</span> +credentials to a session on the server.
+.Pp
+Checks are made to ensure that credentials are only propagated when the new
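Review bot: the relocated entries switch `.Cm no .` and `.Cm yes` to `.Dq no .` and `.Dq yes`, while the unchanged `GSSAPIAuthentication` entry a few lines above still uses `.Cm no .`; within one file the keyword values should use a single macro, and `.Cm` is what the surrounding entries use, so keep `.Cm` here and in the `GSSAPIRenewalForcesRekey` and `GSSAPITrustDns` hunks that follow. The wording change from "this can delegate" to "this will delegate" also reads as unconditional, yet the very next paragraph says checks are made so credentials are only propagated in certain cases; "can" was the more accurate verb.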
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3017,7 +3560,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> +receiving server still has the old set in its cache.
+.Pp
+The default is
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Cm no .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Dq no .
</span> +.Pp
+For this to work
+.Cm GSSAPIKeyExchange
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3029,14 +3572,14 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> +hostname.
+.It Cm GSSAPITrustDns
+Set to
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Cm yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Dq yes
</span> +to indicate that the DNS is trusted to securely canonicalize
+the name of the host being connected to. If
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Cm no ,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Dq no ,
</span> +the hostname entered on the
+command line will be passed untouched to the GSSAPI library.
+The default is
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Cm no .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Dq no .
</span> +.It Cm GSSAPIKexAlgorithms
+The list of key exchange algorithms that are offered for GSSAPI
+key exchange. Possible values are
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3051,34 +3594,38 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> +.Ed
+.Pp
+The default is
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Dq gss-gex-sha1-,gss-group14-sha1- .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-gex-sha1-,gss-group14-sha1- .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++This option only applies to connections using GSSAPI.
</span> .It Cm HashKnownHosts
Indicates that
.Xr ssh 1
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshconnect2.c.orig 2020-09-27 02:25:01.000000000 -0500
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshconnect2.c 2021-02-19 13:12:38.000000000 -0600
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -58,6 +58,7 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "myproposal.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "sshconnect.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "authfile.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "auth-compat.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "dh.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "authfd.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "log.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -210,6 +211,11 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/sshconnect2.c b/sshconnect2.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index fea50fab..9837b212 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshconnect2.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshconnect2.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -81,8 +81,6 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* import */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-extern char *client_version_string;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-extern char *server_version_string;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ extern Options options;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -220,6 +218,11 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
</span> char *s, *all_key;
int r, use_known_hosts_order = 0;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#if defined(GSSAPI) && defined(WITH_OPENSSL)
</span> + char *orig = NULL, *gss = NULL;
+ char *gss_host = NULL;
+#endif
+
xxx_host = host;
xxx_hostaddr = hostaddr;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -253,6 +259,35 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- compat_pkalg_proposal(options.hostkeyalgorithms);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xxx_conn_info = cinfo;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -264,6 +267,42 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ compat_pkalg_proposal(ssh, options.hostkeyalgorithms);
</span> }
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
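Review bot: the new `GSSAPIKexAlgorithms` default keeps `gss-gex-sha1-` and `gss-group14-sha1-` at the tail of the list; ordering them last is the right preference, but a peer offering only the SHA-1 suites will still be accepted, so the added line "This option only applies to connections using GSSAPI." is the natural place to state that the SHA-1 methods remain for compatibility and can be dropped by overriding the option. On the code side, replacing the old `#ifdef GSSAPI` with `#if defined(GSSAPI) && defined(WITH_OPENSSL)` around the `orig`/`gss`/`gss_host` declarations is needed because the GSS kex methods below are all OpenSSL-backed; check that every other guard in ssh_kex2() uses the same combined condition, otherwise the variables are declared and used under different preprocessor states.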
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3087,12 +3634,19 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + * client to the key exchange algorithm proposal */
+ orig = myproposal[PROPOSAL_KEX_ALGS];
+
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.gss_server_identity)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.gss_server_identity) {
</span> + gss_host = xstrdup(options.gss_server_identity);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.gss_trust_dns)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_host = xstrdup(auth_get_canonical_hostname(ssh, 1));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else if (options.gss_trust_dns) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_host = remote_hostname(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Fall back to specified host if we are using proxy command
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * and can not use DNS on that socket */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (strcmp(gss_host, "UNKNOWN") == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(gss_host);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_host = xstrdup(host);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span> + gss_host = xstrdup(host);
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span> +
+ gss = ssh_gssapi_client_mechanisms(gss_host,
+ options.gss_client_identity, options.gss_kex_algorithms);
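Review bot: the `GSSAPITrustDns` branch now calls `remote_hostname(ssh)` instead of the server-side `auth_get_canonical_hostname(ssh, 1)` (which is what the `auth-compat.h` include dropped earlier in this patch was shimming in), and falls back to the command-line `host` when the result is the literal `"UNKNOWN"`; that sentinel compare is the conventional one, but the fallback means a ProxyCommand connection silently degrades from a DNS-canonicalized target name to the typed host, so a `debug()` line naming the `gss_host` actually handed to the GSSAPI library would help operators see which name was used.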
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3113,7 +3667,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> if (options.rekey_limit || options.rekey_interval)
ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
options.rekey_interval);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -271,16 +306,46 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -282,16 +321,46 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
</span> # ifdef OPENSSL_HAS_ECC
ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client;
# endif
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3124,14 +3678,14 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + ssh->kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client;
+ ssh->kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_client;
+ ssh->kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_client;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ssh->kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh->kex->kex[KEX_GSS_GEX_SHA1] = kexgssgex_client;
</span> + ssh->kex->kex[KEX_GSS_NISTP256_SHA256] = kexgss_client;
+ ssh->kex->kex[KEX_GSS_C25519_SHA256] = kexgss_client;
+ }
+# endif
+#endif /* WITH_OPENSSL */
ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
<span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh->kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_client;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client;
</span> ssh->kex->verify_host_key=&verify_host_key_callback;
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
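Review bot: routing `KEX_GSS_GEX_SHA1` to `kexgssgex_client` rather than `kexgss_client` is the substantive fix in this hunk; group exchange needs the extra group-request round trip that the fixed-group and ECDH path does not perform, so sending `gss-gex-sha1-` through `kexgss_client` could not have completed correctly. The `kexgssgex_client` declaration is not visible on this page, so confirm kex.h declares it alongside `kexgss_client`. The `KEX_KEM_SNTRUP4591761X25519_SHA512` to `KEX_KEM_SNTRUP761X25519_SHA512` rename is just tracking the 8.8 identifier.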
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3147,7 +3701,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span>
/* remove ext-info from the KEX proposals for rekeying */
myproposal[PROPOSAL_KEX_ALGS] =
<span style='display:block; white-space:pre;background:#ffe0e0;'>- compat_kex_proposal(options.kex_algorithms);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ compat_kex_proposal(ssh, options.kex_algorithms);
</span> +#if defined(GSSAPI) && defined(WITH_OPENSSL)
+ /* repair myproposal after it was crumpled by the */
+ /* ext-info removal above */
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3159,17 +3713,17 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + }
+#endif
if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0)
<span style='display:block; white-space:pre;background:#ffe0e0;'>- fatal("kex_prop2buf: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal_r(r, "kex_prop2buf");
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -377,6 +442,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -385,6 +454,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
</span> static int input_gssapi_token(int type, u_int32_t, struct ssh *);
static int input_gssapi_error(int, u_int32_t, struct ssh *);
static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+int userauth_gsskeyex(struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static int userauth_gsskeyex(struct ssh *);
</span> #endif
void userauth(struct ssh *, char *);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -393,6 +459,11 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -401,6 +471,11 @@ static char *authmethods_get(void);
</span>
Authmethod authmethods[] = {
#ifdef GSSAPI
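Review bot: making `userauth_gsskeyex()` `static` matches the neighbouring `static int input_gssapi_*` prototypes and is correct as long as it is only referenced through the `authmethods[]` table in this file; the `fatal("kex_prop2buf: %s", ssh_err(r))` to `fatal_r(r, "kex_prop2buf")` change is the 8.8 logging API and carries the same information.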
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3181,25 +3735,33 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> {"gssapi-with-mic",
userauth_gssapi,
userauth_gssapi_cleanup,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -763,12 +834,24 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -776,12 +851,32 @@ userauth_gssapi(struct ssh *ssh)
</span> OM_uint32 min;
int r, ok = 0;
gss_OID mech = NULL;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char *gss_host;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *gss_host = NULL;
</span> +
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.gss_server_identity)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (options.gss_server_identity) {
</span> + gss_host = xstrdup(options.gss_server_identity);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else if (options.gss_trust_dns)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ gss_host = xstrdup(auth_get_canonical_hostname(ssh, 1));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else if (options.gss_trust_dns) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_host = remote_hostname(ssh);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Fall back to specified host if we are using proxy command
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * and can not use DNS on that socket */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (strcmp(gss_host, "UNKNOWN") == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(gss_host);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gss_host = xstrdup(authctxt->host);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span> + gss_host = xstrdup(authctxt->host);
<span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span>
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
if (authctxt->gss_supported_mechs == NULL)
- gss_indicate_mechs(&min, &authctxt->gss_supported_mechs);
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (GSS_ERROR(gss_indicate_mechs(&min, &authctxt->gss_supported_mechs))) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (GSS_ERROR(gss_indicate_mechs(&min,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ &authctxt->gss_supported_mechs))) {
</span> + authctxt->gss_supported_mechs = NULL;
+ free(gss_host);
+ return 0;
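Review bot: the `gss_host` selection block here (`options.gss_server_identity`, then `options.gss_trust_dns` with the `remote_hostname()` / `"UNKNOWN"` fallback, then the plain host) is a line-for-line copy of the one added to ssh_kex2() earlier in this patch, differing only in `authctxt->host` versus `host`; factoring it into one helper taking the fallback name would keep the two paths from drifting, which matters because both decide which service principal the client will authenticate. Initialising `gss_host = NULL` and wrapping `gss_indicate_mechs()` in `GSS_ERROR()` with a `free(gss_host)` on the failure path are both correct.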
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3207,7 +3769,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span>
/* Check to see whether the mechanism is usable before we offer it */
while (authctxt->mech_tried < authctxt->gss_supported_mechs->count &&
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -777,13 +860,15 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -790,13 +885,15 @@ userauth_gssapi(struct ssh *ssh)
</span> elements[authctxt->mech_tried];
/* My DER encoding requires length<128 */
if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3224,7 +3786,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> if (!ok || mech == NULL)
return 0;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1023,6 +1108,55 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1037,6 +1134,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
</span> free(lang);
return r;
}
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3249,13 +3811,13 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + }
+
+ if ((b = sshbuf_new()) == NULL)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: sshbuf_new failed", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_f("sshbuf_new failed");
</span> +
+ ssh_gssapi_buildmic(b, authctxt->server_user, authctxt->service,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ "gssapi-keyex");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "gssapi-keyex", ssh->kex->session_id);
</span> +
+ if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: sshbuf_mutable_ptr failed", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_f("sshbuf_mutable_ptr failed");
</span> + gssbuf.length = sshbuf_len(b);
+
+ if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) {
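Review bot: passing `ssh->kex->session_id` explicitly to `ssh_gssapi_buildmic()` matches the prototype change in ssh-gss.h and is what makes the gssapi-keyex MIC cover this connection's session identifier; since the value is owned by the kex state, confirm it cannot be NULL by the time userauth runs, as `ssh_gssapi_buildmic()` has no visible NULL check. The `fatal("%s: ...", __func__)` to `fatal_f(...)` conversions are the 8.8 logging API and are fine.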
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3269,7 +3831,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + (r = sshpkt_put_cstring(ssh, authctxt->method->name)) != 0 ||
+ (r = sshpkt_put_string(ssh, mic.value, mic.length)) != 0 ||
+ (r = sshpkt_send(ssh)) != 0)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fatal("%s: %s", __func__, ssh_err(r));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fatal_fr(r, "parsing");
</span> +
+ sshbuf_free(b);
+ gss_release_buffer(&ms, &mic);
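Review bot: the message in `fatal_fr(r, "parsing")` is misleading, since the guarded calls are `sshpkt_put_cstring()`, `sshpkt_put_string()` and `sshpkt_send()`, which compose and send a packet rather than parse one; the previous `fatal("%s: %s", __func__, ssh_err(r))` said nothing wrong, so use a description such as `fatal_fr(r, "send packet")` here.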
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3280,31 +3842,22 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> #endif /* GSSAPI */
static int
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd.c 2019-11-08 15:36:59.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd.c 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -123,6 +123,10 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "version.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include "ssherr.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef USE_SECURITY_SESSION_API
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <Security/AuthSession.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /* Re-exec fds */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -865,8 +869,8 @@ notify_hostkeys(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/sshd.c b/sshd.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index ea63d030..eb884efd 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -807,8 +807,8 @@ notify_hostkeys(struct ssh *ssh)
</span> }
<span style='display:block; white-space:pre;background:#ffe0e0;'>- debug3("%s: sent %u hostkeys", __func__, nkeys);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug3_f("sent %u hostkeys", nkeys);
</span> if (nkeys == 0)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-- fatal("%s: no hostkeys", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- fatal_f("no hostkeys");
</span> - if ((r = sshpkt_send(ssh)) != 0)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug3("%s: no hostkeys", __func__);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ debug3_f("no hostkeys");
</span> + else if ((r = sshpkt_send(ssh)) != 0)
sshpkt_fatal(ssh, r, "%s: send", __func__);
sshbuf_free(buf);
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1842,7 +1846,8 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1898,7 +1898,8 @@ main(int ac, char **av)
</span> free(fp);
}
accumulate_host_timing_secret(cfg, NULL);
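Review bot: the `notify_hostkeys()` change downgrades `fatal_f("no hostkeys")` to `debug3_f("no hostkeys")` and turns the send into `else if ((r = sshpkt_send(ssh)) != 0)`, so an sshd with no host key no longer aborts while building the hostkeys extension; that is exactly what a GSSAPI-only key exchange needs, but it leaves the `sshd: no hostkeys available -- exiting.` check in `main()` as the only remaining refusal of a keyless server, and the one added line of the following `@@ -1898,7 +1898,8 @@ main` hunk at that spot is not shown in this excerpt. Please state in the patch header (or the commit message) that sshd is meant to start with only the `null` host key when `GSSAPIKeyExchange` is enabled, so the relaxed check is recognisably deliberate. Note also that the `USE_SECURITY_SESSION_API` include of `<Security/AuthSession.h>` is dropped from sshd.c here, matching the removal of the `SessionCreate()` block further down in this file.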
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3314,72 +3867,11 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> logit("sshd: no hostkeys available -- exiting.");
exit(1);
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2138,6 +2143,60 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- rdomain == NULL ? "" : "\"");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- free(laddr);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef USE_SECURITY_SESSION_API
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Create a new security session for use by the new user login if
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * the current session is the root session or we are not launched
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * by inetd (eg: debugging mode or server mode). We do not
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * necessarily need to create a session if we are launched from
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * inetd because Panther xinetd will create a session for us.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * The only case where this logic will fail is if there is an
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * inetd running in a non-root session which is not creating
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * new sessions for us. Then all the users will end up in the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * same session (bad).
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * When the client exits, the session will be destroyed for us
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * automatically.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * We must create the session before any credentials are stored
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * (including AFS pags, which happens a few lines below).
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ OSStatus err = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SecuritySessionId sid = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ SessionAttributeBits sattrs = 0;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ err = SessionGetInfo(callerSecuritySession, &sid, &sattrs);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (err)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ error("SessionGetInfo() failed with error %.8X",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (unsigned) err);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Current Session ID is %.8X / Session Attributes are %.8X",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (unsigned) sid, (unsigned) sattrs);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (inetd_flag && !(sattrs & sessionIsRoot))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Running in inetd mode in a non-root session... "
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ "assuming inetd created the session for us.");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("Creating new security session...");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ err = SessionCreate(0, sessionHasTTY | sessionIsRemote);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (err)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ error("SessionCreate() failed with error %.8X",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (unsigned) err);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ err = SessionGetInfo(callerSecuritySession, &sid,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ &sattrs);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (err)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ error("SessionGetInfo() failed with error %.8X",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (unsigned) err);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("New Session ID is %.8X / Session Attributes are %.8X",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (unsigned) sid, (unsigned) sattrs);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * We don't want to listen forever unless the other side
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * successfully authenticates itself. So we set up an alarm which is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2334,6 +2393,48 @@ do_ssh2_kex(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2388,6 +2389,48 @@ do_ssh2_kex(struct ssh *ssh)
</span> myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
<span style='display:block; white-space:pre;background:#ffe0e0;'>- list_hostkey_types());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh, list_hostkey_types());
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#if defined(GSSAPI) && defined(WITH_OPENSSL)
</span> + {
+ char *orig;
+ char *gss = NULL;
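Review bot: the whole `USE_SECURITY_SESSION_API` block (`SessionGetInfo()` followed by `SessionCreate(0, sessionHasTTY | sessionIsRemote)`) is removed from the sshd.c part of the patch with nothing replacing it, and the removed comment itself says the session must be created before any credentials are stored, which is precisely what a GSSAPI login does on macOS. This block uses the Security framework's session API and is unlikely to come from the Debian tree the patch header's `X-Ref` points at, so it looks like local content: if it now lives in a separate patch listed in `files/series` or `files/series-gsskex`, say so in the commit message; if it is intentionally dropped, record why, otherwise every GSSAPI login on a launchd-started sshd may land in the daemon's own session. The tightened proposal guard, `#ifdef GSSAPI` to `#if defined(GSSAPI) && defined(WITH_OPENSSL)`, is right: the `kexgss_server` handlers registered further down sit inside the section closed by `#endif /* WITH_OPENSSL */`, so a non-OpenSSL build must not advertise methods it cannot run.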
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3423,8 +3915,8 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> +
/* start key exchange */
if ((r = kex_setup(ssh, myproposal)) != 0)
<span style='display:block; white-space:pre;background:#ffe0e0;'>- fatal("kex_setup: %s", ssh_err(r));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2349,7 +2450,18 @@ do_ssh2_kex(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal_r(r, "kex_setup");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2403,7 +2446,18 @@ do_ssh2_kex(struct ssh *ssh)
</span> # ifdef OPENSSL_HAS_ECC
kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
# endif
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3435,17 +3927,19 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> + kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+ kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server;
+ kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server;
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ kex->kex[KEX_GSS_GEX_SHA1] = kexgssgex_server;
</span> + kex->kex[KEX_GSS_NISTP256_SHA256] = kexgss_server;
+ kex->kex[KEX_GSS_C25519_SHA256] = kexgss_server;
+ }
+# endif
+#endif /* WITH_OPENSSL */
kex->kex[KEX_C25519_SHA256] = kex_gen_server;
<span style='display:block; white-space:pre;background:#ffe0e0;'>- kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
</span> kex->load_host_public_key=&get_hostkey_public_by_type;
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd_config 2019-11-08 15:37:17.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd_config 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/sshd_config b/sshd_config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index c423eba1..f91d293c 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd_config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd_config
</span> @@ -69,6 +69,8 @@ AuthorizedKeysFile .ssh/authorized_keys
# GSSAPI options
#GSSAPIAuthentication no
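Review bot: `KEX_GSS_GEX_SHA1` is now registered with `kexgssgex_server` instead of `kexgss_server`; the group-exchange method negotiates its DH group in an extra round trip and cannot share the fixed-group handler, so the old mapping ran the wrong exchange for `gss-gex-sha1-`. Two follow-ups: the client-side kex table must register the matching group-exchange client handler for the same entry (that part of the patch is not in this hunk), and if this mismatch is what ticket 63598 was about, the commit message should say so rather than only "fix support for +gsskex". The `KEX_KEM_SNTRUP4591761X25519_SHA512` to `KEX_KEM_SNTRUP761X25519_SHA512` rename just tracks the 8.8 identifier and needs no comment.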
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3455,21 +3949,23 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span>
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshd_config.5 2019-11-08 15:37:17.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshd_config.5 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -659,6 +659,11 @@ The default is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Specifies whether user authentication based on GSSAPI is allowed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/sshd_config.5 b/sshd_config.5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index a8d0545c..6076df94 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd_config.5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd_config.5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -650,6 +650,11 @@ Specifies whether to automatically destroy the user's credentials cache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ on logout.
</span> The default is
<span style='display:block; white-space:pre;background:#ffe0e0;'>- .Cm no .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .Cm yes .
</span> +.It Cm GSSAPIKeyExchange
+Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
+doesn't rely on ssh keys to verify host identity.
+The default is
+.Cm no .
<span style='display:block; white-space:pre;background:#ffe0e0;'>- .It Cm GSSAPICleanupCredentials
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Specifies whether to automatically destroy the user's credentials cache
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- on logout.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -678,6 +683,30 @@ machine's default store.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .It Cm GSSAPIStrictAcceptorCheck
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Determines whether to be strict about the identity of the GSSAPI acceptor
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ a client authenticates against.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -664,6 +669,31 @@ machine's default store.
</span> This facility is provided to assist with operation on multi homed machines.
The default is
.Cm yes .
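Review bot: the `GSSAPIKeyExchange` entry now sits between `GSSAPICleanupCredentials` and `GSSAPIStrictAcceptorCheck`, which matches the alphabetical order the rest of sshd_config.5 uses, so the relocation is an improvement. The description "GSSAPI key exchange doesn't rely on ssh keys to verify host identity" only says what is not used; add what takes its place (the server's own GSSAPI credential, e.g. its Kerberos host principal, authenticates the host), because an operator enabling this needs to understand that the client's `known_hosts` entry is no longer what protects against a spoofed server for these connections.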
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3477,7 +3973,7 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> +Controls whether the user's GSSAPI credentials should be updated following a
+successful connection rekeying. This option can be used to accepted renewed
+or updated credentials from a compatible client. The default is
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Cm no .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Dq no .
</span> +.Pp
+For this to work
+.Cm GSSAPIKeyExchange
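Review bot: the `GSSAPIStoreCredentialsOnRekey` default is changed from `.Cm no .` to `.Dq no .`, but the neighbouring entries in the same file still write defaults with `.Cm` (`GSSAPIKeyExchange` a few lines up keeps `.Cm no .`), so this hunk makes the page inconsistent with itself; keep `.Cm` unless all of sshd_config.5 is switched in the same patch. While here, the retained sentence "This option can be used to accepted renewed or updated credentials" should read "to accept".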
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3496,21 +3992,24 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> +.Ed
+.Pp
+The default is
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Dq gss-gex-sha1-,gss-group14-sha1- .
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .It Cm HostbasedAcceptedKeyTypes
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Specifies the key types that will be accepted for hostbased authentication
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- as a list of comma-separated patterns.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshkey.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshkey.c 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -145,6 +145,7 @@ static const struct keytype keytypes[] =
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # endif /* OPENSSL_HAS_NISTP521 */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-gex-sha1-,gss-group14-sha1- .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++This option only applies to connections using GSSAPI.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .It Cm HostbasedAcceptedAlgorithms
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Specifies the signature algorithms that will be accepted for hostbased
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ authentication as a list of comma-separated patterns.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/sshkey.c b/sshkey.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 0dbc0d87..17f8aa91 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshkey.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshkey.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -156,6 +156,7 @@ static const struct keytype keytypes[] = {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ KEY_ECDSA_SK_CERT, NID_X9_62_prime256v1, 1, 0 },
</span> # endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
+ { "null", "null", NULL, KEY_NULL, 0, 0, 0 },
{ NULL, NULL, NULL, -1, -1, 0, 0 }
};
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -233,7 +234,7 @@ sshkey_alg_list(int certs_only, int plai
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -257,7 +258,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
</span> const struct keytype *kt;
for (kt = keytypes; kt->type != -1; kt++) {
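Review bot: the new default `GSSAPIKexAlgorithms` list keeps both SHA-1 methods, `gss-gex-sha1-` and `gss-group14-sha1-`, enabled by default, only moved behind the SHA-256/SHA-512 entries; since the page now documents that default, it should also say these two remain for interoperability with older peers and can be dropped via `GSSAPIKexAlgorithms` where every client supports the newer methods. Presentation-wise, one long `.Dq` line renders as a single unbreakable string; the `+.Ed` just above shows this page already uses `.Bd`/`.Ed` literal blocks for long lists, so the default belongs in one of those. In `sshkey.c`, `{ "null", "null", NULL, KEY_NULL, 0, 0, 0 }` is added to `keytypes[]` with `sigonly` set to 0, and the one changed line in `sshkey_alg_list()` falls outside the shown context; confirm it skips `KEY_NULL`, otherwise `null` appears in algorithm listings as though it were a usable signature type.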
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3519,486 +4018,16 @@ X-Ref: https://salsa.debian.org/ssh-team/openssh/blob/767ee84d3465b6d244a9108de5
</span> continue;
if (!include_sigonly && kt->sigonly)
continue;
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/sshkey.h.orig 2020-09-27 02:25:01.000000000 -0500
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/sshkey.h 2020-12-16 18:42:50.000000000 -0600
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -65,6 +65,7 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- KEY_ED25519_CERT,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- KEY_XMSS,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- KEY_XMSS_CERT,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ KEY_NULL,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- KEY_ECDSA_SK,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/sshkey.h b/sshkey.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 6edc6c5a..94501115 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshkey.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshkey.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -71,6 +71,7 @@ enum sshkey_types {
</span> KEY_ECDSA_SK_CERT,
KEY_ED25519_SK,
<span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/auth.c.orig 2020-09-27 02:25:01.000000000 -0500
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth.c 2020-12-16 18:45:58.000000000 -0600
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -400,7 +400,8 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case PERMIT_NO_PASSWD:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (strcmp(method, "publickey") == 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- strcmp(method, "hostbased") == 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- strcmp(method, "gssapi-with-mic") == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ strcmp(method, "gssapi-with-mic") == 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ strcmp(method, "gssapi-keyex") == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- return 1;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case PERMIT_FORCED_ONLY:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -725,120 +726,6 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * Returns the remote DNS hostname as a string. The returned string must not
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * be freed. NB. this will usually trigger a DNS query the first time it is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * called.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * This function does additional checks on the hostname to mitigate some
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * attacks on legacy rhosts-style authentication.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * XXX is RhostsRSAAuthentication vulnerable to these?
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--static char *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--remote_hostname(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- struct sockaddr_storage from;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- socklen_t fromlen;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- struct addrinfo hints, *ai, *aitop;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- const char *ntop = ssh_remote_ipaddr(ssh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- /* Get IP address of client. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- fromlen = sizeof(from);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- memset(&from, 0, sizeof(from));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (getpeername(ssh_packet_get_connection_in(ssh),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- (struct sockaddr *)&from, &fromlen) == -1) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- debug("getpeername failed: %.100s", strerror(errno));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- return xstrdup(ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- ipv64_normalise_mapped(&from, &fromlen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (from.ss_family == AF_INET6)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- fromlen = sizeof(struct sockaddr_in6);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- debug3("Trying to reverse map address %.100s.", ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- /* Map the IP address to a host name. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- NULL, 0, NI_NAMEREQD) != 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- /* Host name not found. Use ip address. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- return xstrdup(ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * if reverse lookup result looks like a numeric hostname,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * someone is trying to trick us by PTR record like following:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- memset(&hints, 0, sizeof(hints));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- hints.ai_flags = AI_NUMERICHOST;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- name, ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- freeaddrinfo(ai);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- return xstrdup(ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- /* Names are stored in lowercase. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- lowercase(name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * Map it back to an IP address and check that the given
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * address actually is an address of this host. This is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * necessary because anyone with access to a name server can
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * define arbitrary names for an IP address. Mapping from
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * name to IP address can be trusted better (but can still be
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * fooled if the intruder has access to the name server of
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * the domain).
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- memset(&hints, 0, sizeof(hints));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- hints.ai_family = from.ss_family;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- hints.ai_socktype = SOCK_STREAM;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- logit("reverse mapping checking getaddrinfo for %.700s "
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- "[%s] failed.", name, ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- return xstrdup(ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- /* Look for the address from the list of addresses. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- for (ai = aitop; ai; ai = ai->ai_next) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- (strcmp(ntop, ntop2) == 0))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- freeaddrinfo(aitop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- /* If we reached the end of the list, the address was not there. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (ai == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- /* Address not found for the host name. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- logit("Address %.100s maps to %.600s, but this does not "
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- "map back to the address.", ntop, name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- return xstrdup(ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- return xstrdup(name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * Return the canonical name of the host in the other side of the current
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * connection. The host name is cached, so it is efficient to call this
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- * several times.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--const char *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- static char *dnsname;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (!use_dns)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- return ssh_remote_ipaddr(ssh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- else if (dnsname != NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- return dnsname;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- dnsname = remote_hostname(ssh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- return dnsname;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * Runs command in a subprocess with a minimal environment.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * Returns pid on success, 0 on failure.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- * The child stdout and stderr maybe captured, left attached or sent to
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- /dev/null 1970-01-01 00:00:00.000000000 +0000
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth-compat.c 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -0,0 +1,174 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Copyright (c) 2000 Markus Friedl. All rights reserved.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Redistribution and use in source and binary forms, with or without
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * modification, are permitted provided that the following conditions
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * are met:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * 1. Redistributions of source code must retain the above copyright
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * notice, this list of conditions and the following disclaimer.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * 2. Redistributions in binary form must reproduce the above copyright
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * notice, this list of conditions and the following disclaimer in the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * documentation and/or other materials provided with the distribution.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "includes.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <sys/types.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <sys/stat.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <sys/socket.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <netinet/in.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <errno.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <fcntl.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HAVE_PATHS_H
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+# include <paths.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <pwd.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HAVE_LOGIN_H
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <login.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef USE_SHADOW
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <shadow.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef HAVE_LIBGEN_H
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <libgen.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <stdarg.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <stdio.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <string.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <unistd.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <limits.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include <netdb.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "auth-compat.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "log.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "canohost.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "misc.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/**************** XXX moved from auth.c ****************/
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Returns the remote DNS hostname as a string. The returned string must not
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * be freed. NB. this will usually trigger a DNS query the first time it is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * called.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * This function does additional checks on the hostname to mitigate some
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * attacks on legacy rhosts-style authentication.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * XXX is RhostsRSAAuthentication vulnerable to these?
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+char *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+remote_hostname(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct sockaddr_storage from;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ socklen_t fromlen;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ struct addrinfo hints, *ai, *aitop;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ const char *ntop = ssh_remote_ipaddr(ssh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Get IP address of client. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fromlen = sizeof(from);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ memset(&from, 0, sizeof(from));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (getpeername(ssh_packet_get_connection_in(ssh),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (struct sockaddr *)&from, &fromlen) == -1) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug("getpeername failed: %.100s", strerror(errno));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return strdup(ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ ipv64_normalise_mapped(&from, &fromlen);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (from.ss_family == AF_INET6)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ fromlen = sizeof(struct sockaddr_in6);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ debug3("Trying to reverse map address %.100s.", ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Map the IP address to a host name. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ NULL, 0, NI_NAMEREQD) != 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Host name not found. Use ip address. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return strdup(ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * if reverse lookup result looks like a numeric hostname,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * someone is trying to trick us by PTR record like following:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ memset(&hints, 0, sizeof(hints));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hints.ai_flags = AI_NUMERICHOST;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ name, ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ freeaddrinfo(ai);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return strdup(ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Names are stored in lowercase. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ lowercase(name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Map it back to an IP address and check that the given
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * address actually is an address of this host. This is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * necessary because anyone with access to a name server can
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * define arbitrary names for an IP address. Mapping from
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * name to IP address can be trusted better (but can still be
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * fooled if the intruder has access to the name server of
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * the domain).
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ memset(&hints, 0, sizeof(hints));
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hints.ai_family = from.ss_family;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ hints.ai_socktype = SOCK_STREAM;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ logit("reverse mapping checking getaddrinfo for %.700s "
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ "[%s] failed.", name, ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return strdup(ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Look for the address from the list of addresses. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ for (ai = aitop; ai; ai = ai->ai_next) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ (strcmp(ntop, ntop2) == 0))
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ freeaddrinfo(aitop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* If we reached the end of the list, the address was not there. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (ai == NULL) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ /* Address not found for the host name. */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ logit("Address %.100s maps to %.600s, but this does not "
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ "map back to the address.", ntop, name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return strdup(ntop);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return strdup(name);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Return the canonical name of the host in the other side of the current
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * connection. The host name is cached, so it is efficient to call this
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * several times.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+const char *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+{
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ static char *dnsname;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (!use_dns)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return ssh_remote_ipaddr(ssh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else if (dnsname != NULL)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return dnsname;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ dnsname = remote_hostname(ssh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ return dnsname;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+}
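Review bot: the moved remote_hostname() in auth-compat.c returns strdup(ntop) / strdup(name) on every
path, whereas the auth.c code it replaces returned xstrdup(name) (see `-- return xstrdup(name);` in the
removed block above). Plain strdup() yields NULL on allocation failure, and auth_get_canonical_hostname()
passes that NULL straight through to its callers (`dnsname = remote_hostname(ssh); return dnsname;`), which
do not expect a NULL hostname; the replacement 8.8p1 patch should keep OpenSSH's xstrdup() convention or
check the result. The forward-confirmed reverse lookup in the body (reverse-map the peer address, reject a
numeric-looking PTR result, then verify the name maps back to the same address) is the mitigation the
comment describes against spoofed PTR records, and it should be carried over unchanged when rebasing.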
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- /dev/null 1970-01-01 00:00:00.000000000 +0000
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth-compat.h 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -0,0 +1,34 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+/*
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Copyright (c) 2000 Markus Friedl. All rights reserved.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * Redistribution and use in source and binary forms, with or without
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * modification, are permitted provided that the following conditions
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * are met:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * 1. Redistributions of source code must retain the above copyright
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * notice, this list of conditions and the following disclaimer.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * 2. Redistributions in binary form must reproduce the above copyright
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * notice, this list of conditions and the following disclaimer in the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * documentation and/or other materials provided with the distribution.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ *
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ */
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifndef AUTH_COMPAT_H
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#define AUTH_COMPAT_H
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "packet.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+char *remote_hostname(struct ssh *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+const char *auth_get_canonical_hostname(struct ssh *, int);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/auth.h 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/auth.h 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -40,6 +40,8 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #include <krb5.h>
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#include "auth-compat.h"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- struct passwd;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- struct ssh;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- struct sshbuf;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -194,8 +196,6 @@ FILE *auth_openkeyfile(const char *, str
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- FILE *auth_openprincipals(const char *, struct passwd *, int);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int auth_key_is_revoked(struct sshkey *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--const char *auth_get_canonical_hostname(struct ssh *, int);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- HostStatus
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- check_key_in_hostfiles(struct passwd *, struct sshkey *, const char *,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- const char *, const char *);
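Review bot: auth-compat.h only uses `struct ssh` as an opaque pointer type in its two prototypes, so the
`#include "packet.h"` it carries is heavier than needed; a forward declaration `struct ssh;` (the form auth.h
itself uses a few lines further down) would do. Since the first auth.h hunk adds `#include "auth-compat.h"`,
packet.h now gets pulled into every translation unit that includes auth.h. Minor, but a self-contained compat
header is easier to keep aligned across rebases of this patch.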
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/kexdh.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/kexdh.c 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -48,13 +48,23 @@ kex_dh_keygen(struct kex *kex)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- switch (kex->kex_type) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case KEX_DH_GRP1_SHA1:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GRP1_SHA1:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex->dh = dh_new_group1();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case KEX_DH_GRP14_SHA1:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case KEX_DH_GRP14_SHA256:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GRP14_SHA1:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GRP14_SHA256:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex->dh = dh_new_group14();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case KEX_DH_GRP16_SHA512:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ case KEX_GSS_GRP16_SHA512:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+#endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex->dh = dh_new_group16();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- break;
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- case KEX_DH_GRP18_SHA512:
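Review bot: KEX_GSS_GRP1_SHA1 is wired to dh_new_group1(), the 1024-bit group that upstream OpenSSH no longer
enables by default for diffie-hellman-group1-sha1, and SHA-1 GSS variants of group14 are added alongside it;
the GSSAPI cases inherit whatever weakness the underlying group and hash have. Confirm that the default
GSSAPIKexAlgorithms list in the replacement patch leaves the group1 and SHA-1 variants disabled unless
explicitly configured, mirroring upstream's treatment of the non-GSS equivalents. Also, no KEX_GSS counterpart
is added for the KEX_DH_GRP18_SHA512 case this hunk ends on; if that is intentional, a short comment would
save the next rebaser the question.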
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/kexgen.c 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/kexgen.c 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -44,7 +44,7 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static int input_kex_gen_init(int, u_int32_t, struct ssh *);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- static int input_kex_gen_reply(int type, u_int32_t seq, struct ssh *ssh);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--static int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+int
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- kex_gen_hash(
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- int hash_alg,
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- const struct sshbuf *client_version,
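Review bot: dropping `static` from kex_gen_hash() exports a symbol that was private to kexgen.c, and this hunk
adds no matching prototype, so whichever translation unit now calls it is relying on a declaration made
elsewhere. If the replacement patch does the same, make sure kex.h carries the prototype with the exact
parameter list (hash_alg plus the client/server version buffers and the remaining arguments) so the compiler
checks every caller against it; a silent mismatch in a function that feeds the exchange hash is the kind of
bug that is hard to spot at link time.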
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/session.c 2019-11-08 15:37:14.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/session.c 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2689,13 +2689,19 @@ do_cleanup(struct ssh *ssh, Authctxt *au
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef KRB5
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- if (options.kerberos_ticket_cleanup &&
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- authctxt->krb5_ctx)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ authctxt->krb5_ctx) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ temporarily_use_uid(authctxt->pw);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- krb5_cleanup_proc(authctxt);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ restore_uid();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #ifdef GSSAPI
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- if (options.gss_cleanup_creds)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ if (options.gss_cleanup_creds) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ temporarily_use_uid(authctxt->pw);
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- ssh_gssapi_cleanup_creds();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ restore_uid();
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ }
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ KEY_ED25519_SK_CERT,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ KEY_NULL,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ KEY_UNSPEC
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ };
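Review bot: KEY_NULL is inserted into the sshkey type enum ahead of KEY_UNSPEC, which renumbers KEY_UNSPEC;
that is harmless only while no code stores or compares the raw enum value, and every switch over key types
without a default arm now needs a KEY_NULL case to stay warning-free. More importantly, a "null" key type must
never satisfy a check that expects a real host or user key, so the key-type validation and signature
verification paths should reject KEY_NULL explicitly rather than let it fall through.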
</span>
<span style='display:block; white-space:pre;background:#ffe0e0;'>- /* remove agent socket */
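Review bot: this is the security-relevant part of the old patch and should be preserved exactly on rebase:
krb5_cleanup_proc() and ssh_gssapi_cleanup_creds() now run between temporarily_use_uid(authctxt->pw) and
restore_uid(), so credential-cache files are removed with the user's privileges instead of root's. Removing a
cache at a path the user controls while still root is the classic symlink/race pattern for deleting files the
user should not be able to touch. One thing to check: the hunk dereferences authctxt->pw with no guard, so any
do_cleanup() path that reaches these blocks with an incomplete (pw == NULL) authentication context needs to be
ruled out or guarded. Both cleanup calls are unconditional, so restore_uid() cannot be skipped on their return.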
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh.1 2019-10-09 02:31:03.000000000 +0200
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh.1 2019-11-08 15:37:23.000000000 +0100
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -497,7 +497,13 @@ For full details of the options listed b
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .It GatewayPorts
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .It GlobalKnownHostsFile
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .It GSSAPIAuthentication
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.It GSSAPIKeyExchange
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.It GSSAPIClientIdentity
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .It GSSAPIDelegateCredentials
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.It GSSAPIKexAlgorithms
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.It GSSAPIRenewalForcesRekey
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.It GSSAPIServerIdentity
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.It GSSAPITrustDns
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .It HashKnownHosts
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .It Host
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .It HostbasedAuthentication
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -573,6 +579,8 @@ flag),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- (supported message integrity codes),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .Ar kex
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- (key exchange algorithms),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+.Ar kex-gss
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+(GSSAPI key exchange algorithms),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .Ar key
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- (key types),
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- .Ar key-cert
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- a/ssh.c.orig 2020-09-27 02:25:01.000000000 -0500
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ b/ssh.c 2020-12-16 18:50:05.000000000 -0600
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -801,6 +801,8 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- else if (strcmp(optarg, "kex") == 0 ||
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- strcasecmp(optarg, "KexAlgorithms") == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- cp = kex_alg_list('\n');
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ else if (strcmp(optarg, "kex-gss") == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ cp = kex_gss_alg_list('\n');
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- else if (strcmp(optarg, "key") == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- cp = sshkey_alg_list(0, 0, 0, '\n');
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- else if (strcmp(optarg, "key-cert") == 0)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -825,7 +827,7 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- cp[n] = '\n';
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- } else if (strcmp(optarg, "help") == 0) {
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- cp = xstrdup(
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-- "cipher\ncipher-auth\ncompression\nkex\n"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+ "cipher\ncipher-auth\ncompression\nkex-gss\nkex\n"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- "key\nkey-cert\nkey-plain\nkey-sig\nmac\n"
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- "protocol-version\nsig");
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
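Review bot: the removed openssh-8.1p1 patch wrapped krb5_cleanup_proc(authctxt) and ssh_gssapi_cleanup_creds()
in temporarily_use_uid(authctxt->pw) / restore_uid(), so the Kerberos and GSSAPI credential caches are deleted
with the user's uid rather than root's; the + side visible in this hunk (the KEY_NULL enum entry and one blank
line) does not show the corresponding region of openssh-8.8p1-gsskex.patch, so please confirm the rebased patch
keeps that uid switch around cleanup. Separately, the last added line is empty, which leaves a trailing blank
line at the end of the new patch file; drop it unless the rebased diff actually needs it.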
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/series b/net/openssh/files/series
</span><span style='display:block; white-space:pre;color:#808080;'>index 9152056444c..86f0232ffb0 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/files/series
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/files/series
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -5,4 +5,4 @@ patch-sshd.c-apple-sandbox-named-external.diff
</span> 0002-Apple-keychain-integration-other-changes.patch
macports-config.patch
patch-openbsd_compat-memmem-bug.diff
<span style='display:block; white-space:pre;background:#ffe0e0;'>-openssh-8.1p1-gsskex-all-20141021-mp-20201216.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+openssh-8.8p1-gsskex.patch
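Review bot: the new name openssh-8.8p1-gsskex.patch drops the revision markers the old name carried
(-all-20141021 for the upstream gsskex patch date and -mp-20201216 for the MacPorts modification date), so the
patch header or the commit message should record which upstream gsskex revision the 8.8p1 patch was rebased
from; otherwise the next OpenSSH bump has no way to tell which hunks are local and which came from upstream.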
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/files/series-gsskex b/net/openssh/files/series-gsskex
</span><span style='display:block; white-space:pre;color:#808080;'>index 9152056444c..86f0232ffb0 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/files/series-gsskex
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/files/series-gsskex
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -5,4 +5,4 @@ patch-sshd.c-apple-sandbox-named-external.diff
</span> 0002-Apple-keychain-integration-other-changes.patch
macports-config.patch
patch-openbsd_compat-memmem-bug.diff
<span style='display:block; white-space:pre;background:#ffe0e0;'>-openssh-8.1p1-gsskex-all-20141021-mp-20201216.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+openssh-8.8p1-gsskex.patch
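Review bot: series and series-gsskex carry the same index line (9152056444c..86f0232ffb0) before and after
this change, so the two files are byte-identical and both list openssh-8.8p1-gsskex.patch; if series is meant
to describe the patch set without the gsskex variant, it should not list the gsskex patch, and if the two
files are intentionally identical, one of them is redundant and could be removed so they cannot drift apart on
a future update.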
</span></pre><pre style='margin:0'>
</pre>