* New upstream release (closes: #395507, #397961, #420035). Important

  changes not previously backported to 4.3p2:
  - 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4):
    + On portable OpenSSH, fix a GSSAPI authentication abort that could be
      used to determine the validity of usernames on some platforms.
    + Implemented conditional configuration in sshd_config(5) using the
      "Match" directive. This allows some configuration options to be
      selectively overridden if specific criteria (based on user, group,
      hostname and/or address) are met. So far a useful subset of
      post-authentication options are supported and more are expected to
      be added in future releases.
    + Add support for Diffie-Hellman group exchange key agreement with a
      final hash of SHA256.
    + Added a "ForceCommand" directive to sshd_config(5). Similar to the
      command="..." option accepted in ~/.ssh/authorized_keys, this forces
      the execution of the specified command regardless of what the user
      requested. This is very useful in conjunction with the new "Match"
      option.
    + Add a "PermitOpen" directive to sshd_config(5). This mirrors the
      permitopen="..." authorized_keys option, allowing fine-grained
      control over the port-forwardings that a user is allowed to
      establish.
    + Add optional logging of transactions to sftp-server(8).
    + ssh(1) will now record port numbers for hosts stored in
      ~/.ssh/known_hosts when a non-standard port has been requested
      (closes: #50612).
    + Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a
      non-zero exit code) when requested port forwardings could not be
      established.
    + Extend sshd_config(5) "SubSystem" declarations to allow the
      specification of command-line arguments.
    + Replacement of all integer overflow susceptible invocations of
      malloc(3) and realloc(3) with overflow-checking equivalents.
    + Many manpage fixes and improvements.
    + Add optional support for OpenSSL hardware accelerators (engines),
      enabled using the --with-ssl-engine configure option.
    + Tokens in configuration files may be double-quoted in order to
      contain spaces (closes: #319639).
    + Move a debug() call out of a SIGCHLD handler, fixing a hang when the
      session exits very quickly (closes: #307890).
    + Fix some incorrect buffer allocation calculations (closes: #410599).
    + ssh-add doesn't ask for a passphrase if key file permissions are too
      liberal (closes: #103677).
    + Likewise, ssh doesn't ask either (closes: #99675).
  - 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6):
    + sshd now allows the enabling and disabling of authentication methods
      on a per user, group, host and network basis via the Match directive
      in sshd_config.
    + Fixed an inconsistent check for a terminal when displaying scp
      progress meter (closes: #257524).
    + Fix "hang on exit" when background processes are running at the time
      of exit on a ttyful/login session (closes: #88337).
* Update to current GSSAPI patch from
  http://www.sxw.org.uk/computing/patches/openssh-4.6p1-gsskex-20070312.patch;
  install ChangeLog.gssapi.

1 files changed, 75 insertions, 12 deletions

diff --git a/gss-serv.c b/gss-serv.c
index 190f56fc0..841d8bb2f 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,7 +1,7 @@
-/*      $OpenBSD: gss-serv.c,v 1.13 2005/10/13 22:24:31 stevesk Exp $   */
+/* $OpenBSD: gss-serv.c,v 1.20 2006/08/03 03:34:42 deraadt Exp $ */
 
 /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -28,17 +28,27 @@
 
 #ifdef GSSAPI
 
-#include "bufaux.h"
+#include <sys/types.h>
+
+#include <stdarg.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "xmalloc.h"
+#include "buffer.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
 #include "log.h"
 #include "channels.h"
 #include "session.h"
+#include "misc.h"
 #include "servconf.h"
-#include "xmalloc.h"
-#include "getput.h"
-#include "monitor_wrap.h"
 
 #include "ssh-gss.h"
+#include "monitor_wrap.h"
+
+extern ServerOptions options;
 
 static ssh_gssapi_client gssapi_client =
     { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
@@ -70,8 +80,8 @@ ssh_gssapi_server_mechanisms() {
 
 /* Unprivileged */
 int
-ssh_gssapi_server_check_mech(gss_OID oid, void *data) {
-        Gssctxt * ctx = NULL;
+ssh_gssapi_server_check_mech(Gssctxt **dum, gss_OID oid, const char *data) {
+        Gssctxt *ctx = NULL;
         int res;
  
         res = !GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctx, oid)));
@@ -101,6 +111,58 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
                             &supported_mechs[i]->oid, oidset);
                 i++;
         }
+
+        gss_release_oid_set(&min_status, &supported);
+}
+
+OM_uint32
+ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
+{
+        if (*ctx)
+                ssh_gssapi_delete_ctx(ctx);
+        ssh_gssapi_build_ctx(ctx);
+        ssh_gssapi_set_oid(*ctx, oid);
+        return (ssh_gssapi_acquire_cred(*ctx));
+}
+
+/* Acquire credentials for a server running on the current host.
+ * Requires that the context structure contains a valid OID
+ */
+
+/* Returns a GSSAPI error code */
+OM_uint32
+ssh_gssapi_acquire_cred(Gssctxt *ctx)
+{
+        OM_uint32 status;
+        char lname[MAXHOSTNAMELEN];
+        gss_OID_set oidset;
+
+        if (options.gss_strict_acceptor) {
+                gss_create_empty_oid_set(&status, &oidset);
+                gss_add_oid_set_member(&status, ctx->oid, &oidset);
+
+                if (gethostname(lname, MAXHOSTNAMELEN)) {
+                        gss_release_oid_set(&status, &oidset);
+                        return (-1);
+                }
+
+                if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
+                        gss_release_oid_set(&status, &oidset);
+                        return (ctx->major);
+                }
+
+                if ((ctx->major = gss_acquire_cred(&ctx->minor,
+                    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, 
+                    NULL, NULL)))
+                        ssh_gssapi_error(ctx);
+
+                gss_release_oid_set(&status, &oidset);
+                return (ctx->major);
+        } else {
+                ctx->name = GSS_C_NO_NAME;
+                ctx->creds = GSS_C_NO_CREDENTIAL;
+        }
+        return GSS_S_COMPLETE;
 }
 
 
@@ -174,7 +236,7 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
          * second without.
          */
 
-        oidl = GET_16BIT(tok+2); /* length including next two bytes */
+        oidl = get_u16(tok+2); /* length including next two bytes */
         oidl = oidl-2; /* turn it into the _real_ length of the variable OID */
 
         /*
@@ -191,14 +253,14 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
         if (ename->length < offset+4)
                 return GSS_S_FAILURE;
 
-        name->length = GET_32BIT(tok+offset);
+        name->length = get_u32(tok+offset);
         offset += 4;
 
         if (ename->length < offset+name->length)
                 return GSS_S_FAILURE;
 
         name->value = xmalloc(name->length+1);
-        memcpy(name->value, tok+offset,name->length);
+        memcpy(name->value, tok+offset, name->length);
         ((char *)name->value)[name->length] = 0;
 
         return GSS_S_COMPLETE;
@@ -257,7 +319,8 @@ ssh_gssapi_cleanup_creds(void)
 {
         if (gssapi_client.store.filename != NULL) {
                 /* Unlink probably isn't sufficient */
-                debug("removing gssapi cred file\"%s\"", gssapi_client.store.filename);
+                debug("removing gssapi cred file\"%s\"",
+                    gssapi_client.store.filename);
                 unlink(gssapi_client.store.filename);
         }
 }