Diffstat (limited to 'debian/patches/gssapi.patch')
-rw-r--r-- | debian/patches/gssapi.patch | 75 |
1 files changed, 43 insertions, 32 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index 3f6fccfff..90a21db99 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From cd404114ded78fc51d5d9cbd458d55c9b2f67daa Mon Sep 17 00:00:00 2001 | 1 | From 429c595dbaff7f7c2b3a53fe4235211f6d788025 Mon Sep 17 00:00:00 2001 |
2 | From: Simon Wilkinson <simon@sxw.org.uk> | 2 | From: Simon Wilkinson <simon@sxw.org.uk> |
3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 |
4 | Subject: GSSAPI key exchange support | 4 | Subject: GSSAPI key exchange support |
@@ -17,7 +17,7 @@ have it merged into the main openssh package rather than having separate | |||
17 | security history. | 17 | security history. |
18 | 18 | ||
19 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 | 19 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 |
20 | Last-Updated: 2014-02-10 | 20 | Last-Updated: 2014-03-19 |
21 | 21 | ||
22 | Patch-Name: gssapi.patch | 22 | Patch-Name: gssapi.patch |
23 | --- | 23 | --- |
@@ -30,14 +30,14 @@ Patch-Name: gssapi.patch | |||
30 | config.h.in | 6 + | 30 | config.h.in | 6 + |
31 | configure | 57 ++++++++++ | 31 | configure | 57 ++++++++++ |
32 | configure.ac | 24 ++++ | 32 | configure.ac | 24 ++++ |
33 | gss-genr.c | 276 ++++++++++++++++++++++++++++++++++++++++++++- | 33 | gss-genr.c | 275 ++++++++++++++++++++++++++++++++++++++++++++- |
34 | gss-serv-krb5.c | 84 +++++++++++++- | 34 | gss-serv-krb5.c | 85 ++++++++++++-- |
35 | gss-serv.c | 221 +++++++++++++++++++++++++++++++----- | 35 | gss-serv.c | 221 +++++++++++++++++++++++++++++++----- |
36 | kex.c | 16 +++ | 36 | kex.c | 16 +++ |
37 | kex.h | 14 +++ | 37 | kex.h | 14 +++ |
38 | kexgssc.c | 333 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ | 38 | kexgssc.c | 332 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
39 | kexgsss.c | 289 +++++++++++++++++++++++++++++++++++++++++++++++ | 39 | kexgsss.c | 289 ++++++++++++++++++++++++++++++++++++++++++++++++ |
40 | key.c | 1 + | 40 | key.c | 3 +- |
41 | key.h | 1 + | 41 | key.h | 1 + |
42 | monitor.c | 108 +++++++++++++++++- | 42 | monitor.c | 108 +++++++++++++++++- |
43 | monitor.h | 3 + | 43 | monitor.h | 3 + |
@@ -47,14 +47,14 @@ Patch-Name: gssapi.patch | |||
47 | readconf.h | 5 + | 47 | readconf.h | 5 + |
48 | servconf.c | 38 ++++++- | 48 | servconf.c | 38 ++++++- |
49 | servconf.h | 3 + | 49 | servconf.h | 3 + |
50 | ssh-gss.h | 39 ++++++- | 50 | ssh-gss.h | 41 ++++++- |
51 | ssh_config | 2 + | 51 | ssh_config | 2 + |
52 | ssh_config.5 | 34 +++++- | 52 | ssh_config.5 | 34 +++++- |
53 | sshconnect2.c | 124 ++++++++++++++++++++- | 53 | sshconnect2.c | 124 ++++++++++++++++++++- |
54 | sshd.c | 110 ++++++++++++++++++ | 54 | sshd.c | 110 ++++++++++++++++++ |
55 | sshd_config | 2 + | 55 | sshd_config | 2 + |
56 | sshd_config.5 | 28 +++++ | 56 | sshd_config.5 | 28 +++++ |
57 | 33 files changed, 2050 insertions(+), 57 deletions(-) | 57 | 33 files changed, 2051 insertions(+), 59 deletions(-) |
58 | create mode 100644 ChangeLog.gssapi | 58 | create mode 100644 ChangeLog.gssapi |
59 | create mode 100644 kexgssc.c | 59 | create mode 100644 kexgssc.c |
60 | create mode 100644 kexgsss.c | 60 | create mode 100644 kexgsss.c |
@@ -358,7 +358,7 @@ index f0cab8c..6ed8f04 100644 | |||
358 | #endif | 358 | #endif |
359 | #ifdef JPAKE | 359 | #ifdef JPAKE |
360 | diff --git a/clientloop.c b/clientloop.c | 360 | diff --git a/clientloop.c b/clientloop.c |
361 | index f30c8b6..6d02b0b 100644 | 361 | index f30c8b6..cc23e35 100644 |
362 | --- a/clientloop.c | 362 | --- a/clientloop.c |
363 | +++ b/clientloop.c | 363 | +++ b/clientloop.c |
364 | @@ -111,6 +111,10 @@ | 364 | @@ -111,6 +111,10 @@ |
@@ -379,7 +379,7 @@ index f30c8b6..6d02b0b 100644 | |||
379 | + | 379 | + |
380 | +#ifdef GSSAPI | 380 | +#ifdef GSSAPI |
381 | + if (options.gss_renewal_rekey && | 381 | + if (options.gss_renewal_rekey && |
382 | + ssh_gssapi_credentials_updated(GSS_C_NO_CONTEXT)) { | 382 | + ssh_gssapi_credentials_updated(NULL)) { |
383 | + debug("credentials updated - forcing rekey"); | 383 | + debug("credentials updated - forcing rekey"); |
384 | + need_rekeying = 1; | 384 | + need_rekeying = 1; |
385 | + } | 385 | + } |
@@ -516,7 +516,7 @@ index dfd32cd..90eebf5 100644 | |||
516 | AC_CHECK_DECL([AU_IPv4], [], | 516 | AC_CHECK_DECL([AU_IPv4], [], |
517 | AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) | 517 | AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) |
518 | diff --git a/gss-genr.c b/gss-genr.c | 518 | diff --git a/gss-genr.c b/gss-genr.c |
519 | index b39281b..b7d1b7d 100644 | 519 | index b39281b..1e569ad 100644 |
520 | --- a/gss-genr.c | 520 | --- a/gss-genr.c |
521 | +++ b/gss-genr.c | 521 | +++ b/gss-genr.c |
522 | @@ -1,7 +1,7 @@ | 522 | @@ -1,7 +1,7 @@ |
@@ -557,7 +557,7 @@ index b39281b..b7d1b7d 100644 | |||
557 | +static ssh_gss_kex_mapping *gss_enc2oid = NULL; | 557 | +static ssh_gss_kex_mapping *gss_enc2oid = NULL; |
558 | + | 558 | + |
559 | +int | 559 | +int |
560 | +ssh_gssapi_oid_table_ok() { | 560 | +ssh_gssapi_oid_table_ok(void) { |
561 | + return (gss_enc2oid != NULL); | 561 | + return (gss_enc2oid != NULL); |
562 | +} | 562 | +} |
563 | + | 563 | + |
@@ -797,7 +797,7 @@ index b39281b..b7d1b7d 100644 | |||
797 | if (!GSS_ERROR(major)) { | 797 | if (!GSS_ERROR(major)) { |
798 | major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, | 798 | major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, |
799 | NULL); | 799 | NULL); |
800 | @@ -272,10 +483,67 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) | 800 | @@ -272,10 +483,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) |
801 | GSS_C_NO_BUFFER); | 801 | GSS_C_NO_BUFFER); |
802 | } | 802 | } |
803 | 803 | ||
@@ -817,7 +817,6 @@ index b39281b..b7d1b7d 100644 | |||
817 | + static OM_uint32 last_call = 0; | 817 | + static OM_uint32 last_call = 0; |
818 | + OM_uint32 lifetime, now, major, minor; | 818 | + OM_uint32 lifetime, now, major, minor; |
819 | + int equal; | 819 | + int equal; |
820 | + gss_cred_usage_t usage = GSS_C_INITIATE; | ||
821 | + | 820 | + |
822 | + now = time(NULL); | 821 | + now = time(NULL); |
823 | + | 822 | + |
@@ -867,7 +866,7 @@ index b39281b..b7d1b7d 100644 | |||
867 | + | 866 | + |
868 | #endif /* GSSAPI */ | 867 | #endif /* GSSAPI */ |
869 | diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c | 868 | diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c |
870 | index 759fa10..959a77e 100644 | 869 | index 759fa10..e678a27 100644 |
871 | --- a/gss-serv-krb5.c | 870 | --- a/gss-serv-krb5.c |
872 | +++ b/gss-serv-krb5.c | 871 | +++ b/gss-serv-krb5.c |
873 | @@ -1,7 +1,7 @@ | 872 | @@ -1,7 +1,7 @@ |
@@ -879,15 +878,17 @@ index 759fa10..959a77e 100644 | |||
879 | * | 878 | * |
880 | * Redistribution and use in source and binary forms, with or without | 879 | * Redistribution and use in source and binary forms, with or without |
881 | * modification, are permitted provided that the following conditions | 880 | * modification, are permitted provided that the following conditions |
882 | @@ -122,6 +122,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) | 881 | @@ -120,8 +120,8 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) |
882 | krb5_error_code problem; | ||
883 | krb5_principal princ; | ||
883 | OM_uint32 maj_status, min_status; | 884 | OM_uint32 maj_status, min_status; |
884 | int len; | 885 | - int len; |
885 | const char *errmsg; | 886 | const char *errmsg; |
886 | + const char *new_ccname; | 887 | + const char *new_ccname; |
887 | 888 | ||
888 | if (client->creds == NULL) { | 889 | if (client->creds == NULL) { |
889 | debug("No credentials stored"); | 890 | debug("No credentials stored"); |
890 | @@ -180,11 +181,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) | 891 | @@ -180,11 +180,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) |
891 | return; | 892 | return; |
892 | } | 893 | } |
893 | 894 | ||
@@ -908,7 +909,7 @@ index 759fa10..959a77e 100644 | |||
908 | 909 | ||
909 | #ifdef USE_PAM | 910 | #ifdef USE_PAM |
910 | if (options.use_pam) | 911 | if (options.use_pam) |
911 | @@ -196,6 +202,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) | 912 | @@ -196,6 +201,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) |
912 | return; | 913 | return; |
913 | } | 914 | } |
914 | 915 | ||
@@ -980,7 +981,7 @@ index 759fa10..959a77e 100644 | |||
980 | ssh_gssapi_mech gssapi_kerberos_mech = { | 981 | ssh_gssapi_mech gssapi_kerberos_mech = { |
981 | "toWM5Slw5Ew8Mqkay+al2g==", | 982 | "toWM5Slw5Ew8Mqkay+al2g==", |
982 | "Kerberos", | 983 | "Kerberos", |
983 | @@ -203,7 +274,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = { | 984 | @@ -203,7 +273,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = { |
984 | NULL, | 985 | NULL, |
985 | &ssh_gssapi_krb5_userok, | 986 | &ssh_gssapi_krb5_userok, |
986 | NULL, | 987 | NULL, |
@@ -991,7 +992,7 @@ index 759fa10..959a77e 100644 | |||
991 | 992 | ||
992 | #endif /* KRB5 */ | 993 | #endif /* KRB5 */ |
993 | diff --git a/gss-serv.c b/gss-serv.c | 994 | diff --git a/gss-serv.c b/gss-serv.c |
994 | index 95348e2..97f366f 100644 | 995 | index 95348e2..feb1ed7 100644 |
995 | --- a/gss-serv.c | 996 | --- a/gss-serv.c |
996 | +++ b/gss-serv.c | 997 | +++ b/gss-serv.c |
997 | @@ -1,7 +1,7 @@ | 998 | @@ -1,7 +1,7 @@ |
@@ -1079,7 +1080,7 @@ index 95348e2..97f366f 100644 | |||
1079 | 1080 | ||
1080 | /* Unprivileged */ | 1081 | /* Unprivileged */ |
1081 | +char * | 1082 | +char * |
1082 | +ssh_gssapi_server_mechanisms() { | 1083 | +ssh_gssapi_server_mechanisms(void) { |
1083 | + gss_OID_set supported; | 1084 | + gss_OID_set supported; |
1084 | + | 1085 | + |
1085 | + ssh_gssapi_supported_oids(&supported); | 1086 | + ssh_gssapi_supported_oids(&supported); |
@@ -1240,7 +1241,7 @@ index 95348e2..97f366f 100644 | |||
1240 | 1241 | ||
1241 | - return (ctx->major); | 1242 | - return (ctx->major); |
1242 | +void | 1243 | +void |
1243 | +ssh_gssapi_rekey_creds() { | 1244 | +ssh_gssapi_rekey_creds(void) { |
1244 | + int ok; | 1245 | + int ok; |
1245 | + int ret; | 1246 | + int ret; |
1246 | +#ifdef USE_PAM | 1247 | +#ifdef USE_PAM |
@@ -1390,10 +1391,10 @@ index 1aa3ec2..8fbcb2b 100644 | |||
1390 | BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); | 1391 | BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); |
1391 | diff --git a/kexgssc.c b/kexgssc.c | 1392 | diff --git a/kexgssc.c b/kexgssc.c |
1392 | new file mode 100644 | 1393 | new file mode 100644 |
1393 | index 0000000..14f5598 | 1394 | index 0000000..92a31c5 |
1394 | --- /dev/null | 1395 | --- /dev/null |
1395 | +++ b/kexgssc.c | 1396 | +++ b/kexgssc.c |
1396 | @@ -0,0 +1,333 @@ | 1397 | @@ -0,0 +1,332 @@ |
1397 | +/* | 1398 | +/* |
1398 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. | 1399 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. |
1399 | + * | 1400 | + * |
@@ -1457,7 +1458,6 @@ index 0000000..14f5598 | |||
1457 | + u_char *serverhostkey = NULL; | 1458 | + u_char *serverhostkey = NULL; |
1458 | + u_char *empty = ""; | 1459 | + u_char *empty = ""; |
1459 | + char *msg; | 1460 | + char *msg; |
1460 | + char *lang; | ||
1461 | + int type = 0; | 1461 | + int type = 0; |
1462 | + int first = 1; | 1462 | + int first = 1; |
1463 | + int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX; | 1463 | + int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX; |
@@ -1616,7 +1616,7 @@ index 0000000..14f5598 | |||
1616 | + maj_status = packet_get_int(); | 1616 | + maj_status = packet_get_int(); |
1617 | + min_status = packet_get_int(); | 1617 | + min_status = packet_get_int(); |
1618 | + msg = packet_get_string(NULL); | 1618 | + msg = packet_get_string(NULL); |
1619 | + lang = packet_get_string(NULL); | 1619 | + (void) packet_get_string_ptr(NULL); |
1620 | + fatal("GSSAPI Error: \n%.400s",msg); | 1620 | + fatal("GSSAPI Error: \n%.400s",msg); |
1621 | + default: | 1621 | + default: |
1622 | + packet_disconnect("Protocol error: didn't expect packet type %d", | 1622 | + packet_disconnect("Protocol error: didn't expect packet type %d", |
@@ -2023,7 +2023,7 @@ index 0000000..8095259 | |||
2023 | +} | 2023 | +} |
2024 | +#endif /* GSSAPI */ | 2024 | +#endif /* GSSAPI */ |
2025 | diff --git a/key.c b/key.c | 2025 | diff --git a/key.c b/key.c |
2026 | index 9142338..3867eb3 100644 | 2026 | index 9142338..7ac844c 100644 |
2027 | --- a/key.c | 2027 | --- a/key.c |
2028 | +++ b/key.c | 2028 | +++ b/key.c |
2029 | @@ -985,6 +985,7 @@ static const struct keytype keytypes[] = { | 2029 | @@ -985,6 +985,7 @@ static const struct keytype keytypes[] = { |
@@ -2034,6 +2034,15 @@ index 9142338..3867eb3 100644 | |||
2034 | { NULL, NULL, -1, -1, 0 } | 2034 | { NULL, NULL, -1, -1, 0 } |
2035 | }; | 2035 | }; |
2036 | 2036 | ||
2037 | @@ -1063,7 +1064,7 @@ key_alg_list(int certs_only, int plain_only) | ||
2038 | const struct keytype *kt; | ||
2039 | |||
2040 | for (kt = keytypes; kt->type != -1; kt++) { | ||
2041 | - if (kt->name == NULL) | ||
2042 | + if (kt->name == NULL || kt->type == KEY_NULL) | ||
2043 | continue; | ||
2044 | if ((certs_only && !kt->cert) || (plain_only && kt->cert)) | ||
2045 | continue; | ||
2037 | diff --git a/key.h b/key.h | 2046 | diff --git a/key.h b/key.h |
2038 | index d8ad13d..c8aeba2 100644 | 2047 | index d8ad13d..c8aeba2 100644 |
2039 | --- a/key.h | 2048 | --- a/key.h |
@@ -2558,7 +2567,7 @@ index 8812c5a..eba76ee 100644 | |||
2558 | * authentication. */ | 2567 | * authentication. */ |
2559 | int kbd_interactive_authentication; /* If true, permit */ | 2568 | int kbd_interactive_authentication; /* If true, permit */ |
2560 | diff --git a/ssh-gss.h b/ssh-gss.h | 2569 | diff --git a/ssh-gss.h b/ssh-gss.h |
2561 | index 077e13c..bc6e8f9 100644 | 2570 | index 077e13c..885e481 100644 |
2562 | --- a/ssh-gss.h | 2571 | --- a/ssh-gss.h |
2563 | +++ b/ssh-gss.h | 2572 | +++ b/ssh-gss.h |
2564 | @@ -1,6 +1,6 @@ | 2573 | @@ -1,6 +1,6 @@ |
@@ -2625,7 +2634,7 @@ index 077e13c..bc6e8f9 100644 | |||
2625 | 2634 | ||
2626 | int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); | 2635 | int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); |
2627 | void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); | 2636 | void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); |
2628 | @@ -117,16 +134,30 @@ void ssh_gssapi_build_ctx(Gssctxt **); | 2637 | @@ -117,16 +134,32 @@ void ssh_gssapi_build_ctx(Gssctxt **); |
2629 | void ssh_gssapi_delete_ctx(Gssctxt **); | 2638 | void ssh_gssapi_delete_ctx(Gssctxt **); |
2630 | OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); | 2639 | OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); |
2631 | void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); | 2640 | void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); |
@@ -2652,9 +2661,11 @@ index 077e13c..bc6e8f9 100644 | |||
2652 | void ssh_gssapi_storecreds(void); | 2661 | void ssh_gssapi_storecreds(void); |
2653 | 2662 | ||
2654 | +char *ssh_gssapi_server_mechanisms(void); | 2663 | +char *ssh_gssapi_server_mechanisms(void); |
2655 | +int ssh_gssapi_oid_table_ok(); | 2664 | +int ssh_gssapi_oid_table_ok(void); |
2656 | + | 2665 | + |
2657 | +int ssh_gssapi_update_creds(ssh_gssapi_ccache *store); | 2666 | +int ssh_gssapi_update_creds(ssh_gssapi_ccache *store); |
2667 | +void ssh_gssapi_rekey_creds(void); | ||
2668 | + | ||
2658 | #endif /* GSSAPI */ | 2669 | #endif /* GSSAPI */ |
2659 | 2670 | ||
2660 | #endif /* _SSH_GSS_H */ | 2671 | #endif /* _SSH_GSS_H */ |
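Review bot: The key.c hunk (`@@ -1063,7 +1064,7 @@ key_alg_list`) adds `|| kt->type == KEY_NULL` to the skip condition with no comment, yet that one clause is the only thing that keeps the new "null" key type out of the enumerated key list; since `key_alg_list()` is what the rest of the tree consults for advertisable key types, this exclusion is presumably what prevents a null host key from ever being selectable through configuration. A why-comment above the changed line would keep that intent from being lost on the next rebase of the patch: `/* KEY_NULL exists only for the GSSAPI key exchange; never list or accept it as a host key algorithm */`. The `keytypes[]` entry it refers to is added in the preceding key.c hunk, whose body is not shown here, and `key_alg_list()` itself starts and ends outside the hunk.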