Diffstat (limited to 'debian/patches/gssapi.patch')
-rw-r--r-- | debian/patches/gssapi.patch | 268 |
1 files changed, 132 insertions, 136 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index 416e2f16c..85c6722f0 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
@@ -13,7 +13,7 @@ Description: GSSAPI key exchange support | |||
13 | security history. | 13 | security history. |
14 | Author: Simon Wilkinson <simon@sxw.org.uk> | 14 | Author: Simon Wilkinson <simon@sxw.org.uk> |
15 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 | 15 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 |
16 | Last-Updated: 2013-05-16 | 16 | Last-Updated: 2013-09-14 |
17 | 17 | ||
18 | Index: b/ChangeLog.gssapi | 18 | Index: b/ChangeLog.gssapi |
19 | =================================================================== | 19 | =================================================================== |
@@ -158,7 +158,7 @@ Index: b/auth-krb5.c | |||
158 | =================================================================== | 158 | =================================================================== |
159 | --- a/auth-krb5.c | 159 | --- a/auth-krb5.c |
160 | +++ b/auth-krb5.c | 160 | +++ b/auth-krb5.c |
161 | @@ -170,8 +170,13 @@ | 161 | @@ -181,8 +181,13 @@ |
162 | 162 | ||
163 | len = strlen(authctxt->krb5_ticket_file) + 6; | 163 | len = strlen(authctxt->krb5_ticket_file) + 6; |
164 | authctxt->krb5_ccname = xmalloc(len); | 164 | authctxt->krb5_ccname = xmalloc(len); |
@@ -172,7 +172,7 @@ Index: b/auth-krb5.c | |||
172 | 172 | ||
173 | #ifdef USE_PAM | 173 | #ifdef USE_PAM |
174 | if (options.use_pam) | 174 | if (options.use_pam) |
175 | @@ -226,15 +231,22 @@ | 175 | @@ -239,15 +244,22 @@ |
176 | #ifndef HEIMDAL | 176 | #ifndef HEIMDAL |
177 | krb5_error_code | 177 | krb5_error_code |
178 | ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { | 178 | ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { |
@@ -197,7 +197,7 @@ Index: b/auth-krb5.c | |||
197 | old_umask = umask(0177); | 197 | old_umask = umask(0177); |
198 | tmpfd = mkstemp(ccname + strlen("FILE:")); | 198 | tmpfd = mkstemp(ccname + strlen("FILE:")); |
199 | oerrno = errno; | 199 | oerrno = errno; |
200 | @@ -251,6 +263,7 @@ | 200 | @@ -264,6 +276,7 @@ |
201 | return oerrno; | 201 | return oerrno; |
202 | } | 202 | } |
203 | close(tmpfd); | 203 | close(tmpfd); |
@@ -210,7 +210,7 @@ Index: b/auth2-gss.c | |||
210 | --- a/auth2-gss.c | 210 | --- a/auth2-gss.c |
211 | +++ b/auth2-gss.c | 211 | +++ b/auth2-gss.c |
212 | @@ -1,7 +1,7 @@ | 212 | @@ -1,7 +1,7 @@ |
213 | /* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */ | 213 | /* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */ |
214 | 214 | ||
215 | /* | 215 | /* |
216 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 216 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
@@ -251,7 +251,7 @@ Index: b/auth2-gss.c | |||
251 | + authctxt->pw)); | 251 | + authctxt->pw)); |
252 | + | 252 | + |
253 | + buffer_free(&b); | 253 | + buffer_free(&b); |
254 | + xfree(mic.value); | 254 | + free(mic.value); |
255 | + | 255 | + |
256 | + return (authenticated); | 256 | + return (authenticated); |
257 | +} | 257 | +} |
@@ -259,7 +259,7 @@ Index: b/auth2-gss.c | |||
259 | /* | 259 | /* |
260 | * We only support those mechanisms that we know about (ie ones that we know | 260 | * We only support those mechanisms that we know about (ie ones that we know |
261 | * how to check local user kuserok and the like) | 261 | * how to check local user kuserok and the like) |
262 | @@ -244,7 +278,8 @@ | 262 | @@ -240,7 +274,8 @@ |
263 | 263 | ||
264 | packet_check_eom(); | 264 | packet_check_eom(); |
265 | 265 | ||
@@ -269,7 +269,7 @@ Index: b/auth2-gss.c | |||
269 | 269 | ||
270 | authctxt->postponed = 0; | 270 | authctxt->postponed = 0; |
271 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); | 271 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); |
272 | @@ -279,7 +314,8 @@ | 272 | @@ -275,7 +310,8 @@ |
273 | gssbuf.length = buffer_len(&b); | 273 | gssbuf.length = buffer_len(&b); |
274 | 274 | ||
275 | if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) | 275 | if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) |
@@ -279,7 +279,7 @@ Index: b/auth2-gss.c | |||
279 | else | 279 | else |
280 | logit("GSSAPI MIC check failed"); | 280 | logit("GSSAPI MIC check failed"); |
281 | 281 | ||
282 | @@ -294,6 +330,12 @@ | 282 | @@ -290,6 +326,12 @@ |
283 | userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); | 283 | userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); |
284 | } | 284 | } |
285 | 285 | ||
@@ -327,7 +327,7 @@ Index: b/clientloop.c | |||
327 | /* import options */ | 327 | /* import options */ |
328 | extern Options options; | 328 | extern Options options; |
329 | 329 | ||
330 | @@ -1599,6 +1603,15 @@ | 330 | @@ -1608,6 +1612,15 @@ |
331 | /* Do channel operations unless rekeying in progress. */ | 331 | /* Do channel operations unless rekeying in progress. */ |
332 | if (!rekeying) { | 332 | if (!rekeying) { |
333 | channel_after_select(readset, writeset); | 333 | channel_after_select(readset, writeset); |
@@ -347,7 +347,7 @@ Index: b/config.h.in | |||
347 | =================================================================== | 347 | =================================================================== |
348 | --- a/config.h.in | 348 | --- a/config.h.in |
349 | +++ b/config.h.in | 349 | +++ b/config.h.in |
350 | @@ -1511,6 +1511,9 @@ | 350 | @@ -1546,6 +1546,9 @@ |
351 | /* Use btmp to log bad logins */ | 351 | /* Use btmp to log bad logins */ |
352 | #undef USE_BTMP | 352 | #undef USE_BTMP |
353 | 353 | ||
@@ -357,7 +357,7 @@ Index: b/config.h.in | |||
357 | /* Use libedit for sftp */ | 357 | /* Use libedit for sftp */ |
358 | #undef USE_LIBEDIT | 358 | #undef USE_LIBEDIT |
359 | 359 | ||
360 | @@ -1526,6 +1529,9 @@ | 360 | @@ -1561,6 +1564,9 @@ |
361 | /* Use PIPES instead of a socketpair() */ | 361 | /* Use PIPES instead of a socketpair() */ |
362 | #undef USE_PIPES | 362 | #undef USE_PIPES |
363 | 363 | ||
@@ -371,7 +371,7 @@ Index: b/configure | |||
371 | =================================================================== | 371 | =================================================================== |
372 | --- a/configure | 372 | --- a/configure |
373 | +++ b/configure | 373 | +++ b/configure |
374 | @@ -6588,6 +6588,63 @@ | 374 | @@ -6780,6 +6780,63 @@ |
375 | 375 | ||
376 | $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h | 376 | $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h |
377 | 377 | ||
@@ -439,7 +439,7 @@ Index: b/configure.ac | |||
439 | =================================================================== | 439 | =================================================================== |
440 | --- a/configure.ac | 440 | --- a/configure.ac |
441 | +++ b/configure.ac | 441 | +++ b/configure.ac |
442 | @@ -533,6 +533,30 @@ | 442 | @@ -548,6 +548,30 @@ |
443 | [Use tunnel device compatibility to OpenBSD]) | 443 | [Use tunnel device compatibility to OpenBSD]) |
444 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], | 444 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], |
445 | [Prepend the address family to IP tunnel traffic]) | 445 | [Prepend the address family to IP tunnel traffic]) |
@@ -475,7 +475,7 @@ Index: b/gss-genr.c | |||
475 | --- a/gss-genr.c | 475 | --- a/gss-genr.c |
476 | +++ b/gss-genr.c | 476 | +++ b/gss-genr.c |
477 | @@ -1,7 +1,7 @@ | 477 | @@ -1,7 +1,7 @@ |
478 | /* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */ | 478 | /* $OpenBSD: gss-genr.c,v 1.21 2013/05/17 00:13:13 djm Exp $ */ |
479 | 479 | ||
480 | /* | 480 | /* |
481 | - * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. | 481 | - * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. |
@@ -549,8 +549,8 @@ Index: b/gss-genr.c | |||
549 | + | 549 | + |
550 | + if (gss_enc2oid != NULL) { | 550 | + if (gss_enc2oid != NULL) { |
551 | + for (i = 0; gss_enc2oid[i].encoded != NULL; i++) | 551 | + for (i = 0; gss_enc2oid[i].encoded != NULL; i++) |
552 | + xfree(gss_enc2oid[i].encoded); | 552 | + free(gss_enc2oid[i].encoded); |
553 | + xfree(gss_enc2oid); | 553 | + free(gss_enc2oid); |
554 | + } | 554 | + } |
555 | + | 555 | + |
556 | + gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) * | 556 | + gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) * |
@@ -607,7 +607,7 @@ Index: b/gss-genr.c | |||
607 | + buffer_free(&buf); | 607 | + buffer_free(&buf); |
608 | + | 608 | + |
609 | + if (strlen(mechs) == 0) { | 609 | + if (strlen(mechs) == 0) { |
610 | + xfree(mechs); | 610 | + free(mechs); |
611 | + mechs = NULL; | 611 | + mechs = NULL; |
612 | + } | 612 | + } |
613 | + | 613 | + |
@@ -826,7 +826,7 @@ Index: b/gss-serv-krb5.c | |||
826 | --- a/gss-serv-krb5.c | 826 | --- a/gss-serv-krb5.c |
827 | +++ b/gss-serv-krb5.c | 827 | +++ b/gss-serv-krb5.c |
828 | @@ -1,7 +1,7 @@ | 828 | @@ -1,7 +1,7 @@ |
829 | /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ | 829 | /* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */ |
830 | 830 | ||
831 | /* | 831 | /* |
832 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 832 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
@@ -834,15 +834,15 @@ Index: b/gss-serv-krb5.c | |||
834 | * | 834 | * |
835 | * Redistribution and use in source and binary forms, with or without | 835 | * Redistribution and use in source and binary forms, with or without |
836 | * modification, are permitted provided that the following conditions | 836 | * modification, are permitted provided that the following conditions |
837 | @@ -120,6 +120,7 @@ | 837 | @@ -122,6 +122,7 @@ |
838 | krb5_principal princ; | ||
839 | OM_uint32 maj_status, min_status; | 838 | OM_uint32 maj_status, min_status; |
840 | int len; | 839 | int len; |
840 | const char *errmsg; | ||
841 | + const char *new_ccname; | 841 | + const char *new_ccname; |
842 | 842 | ||
843 | if (client->creds == NULL) { | 843 | if (client->creds == NULL) { |
844 | debug("No credentials stored"); | 844 | debug("No credentials stored"); |
845 | @@ -168,11 +169,16 @@ | 845 | @@ -174,11 +175,16 @@ |
846 | return; | 846 | return; |
847 | } | 847 | } |
848 | 848 | ||
@@ -863,7 +863,7 @@ Index: b/gss-serv-krb5.c | |||
863 | 863 | ||
864 | #ifdef USE_PAM | 864 | #ifdef USE_PAM |
865 | if (options.use_pam) | 865 | if (options.use_pam) |
866 | @@ -184,6 +190,71 @@ | 866 | @@ -190,6 +196,71 @@ |
867 | return; | 867 | return; |
868 | } | 868 | } |
869 | 869 | ||
@@ -935,7 +935,7 @@ Index: b/gss-serv-krb5.c | |||
935 | ssh_gssapi_mech gssapi_kerberos_mech = { | 935 | ssh_gssapi_mech gssapi_kerberos_mech = { |
936 | "toWM5Slw5Ew8Mqkay+al2g==", | 936 | "toWM5Slw5Ew8Mqkay+al2g==", |
937 | "Kerberos", | 937 | "Kerberos", |
938 | @@ -191,7 +262,8 @@ | 938 | @@ -197,7 +268,8 @@ |
939 | NULL, | 939 | NULL, |
940 | &ssh_gssapi_krb5_userok, | 940 | &ssh_gssapi_krb5_userok, |
941 | NULL, | 941 | NULL, |
@@ -950,7 +950,7 @@ Index: b/gss-serv.c | |||
950 | --- a/gss-serv.c | 950 | --- a/gss-serv.c |
951 | +++ b/gss-serv.c | 951 | +++ b/gss-serv.c |
952 | @@ -1,7 +1,7 @@ | 952 | @@ -1,7 +1,7 @@ |
953 | /* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */ | 953 | /* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */ |
954 | 954 | ||
955 | /* | 955 | /* |
956 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 956 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
@@ -958,7 +958,7 @@ Index: b/gss-serv.c | |||
958 | * | 958 | * |
959 | * Redistribution and use in source and binary forms, with or without | 959 | * Redistribution and use in source and binary forms, with or without |
960 | * modification, are permitted provided that the following conditions | 960 | * modification, are permitted provided that the following conditions |
961 | @@ -45,15 +45,20 @@ | 961 | @@ -45,15 +45,21 @@ |
962 | #include "channels.h" | 962 | #include "channels.h" |
963 | #include "session.h" | 963 | #include "session.h" |
964 | #include "misc.h" | 964 | #include "misc.h" |
@@ -972,8 +972,9 @@ Index: b/gss-serv.c | |||
972 | 972 | ||
973 | static ssh_gssapi_client gssapi_client = | 973 | static ssh_gssapi_client gssapi_client = |
974 | { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, | 974 | { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, |
975 | - GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}}; | 975 | - GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}}; |
976 | + GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL, {NULL, NULL, NULL}, 0, 0}; | 976 | + GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL, |
977 | + {NULL, NULL, NULL, NULL, NULL}, 0, 0}; | ||
977 | 978 | ||
978 | ssh_gssapi_mech gssapi_null_mech = | 979 | ssh_gssapi_mech gssapi_null_mech = |
979 | - { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL}; | 980 | - { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL}; |
@@ -981,7 +982,7 @@ Index: b/gss-serv.c | |||
981 | 982 | ||
982 | #ifdef KRB5 | 983 | #ifdef KRB5 |
983 | extern ssh_gssapi_mech gssapi_kerberos_mech; | 984 | extern ssh_gssapi_mech gssapi_kerberos_mech; |
984 | @@ -81,25 +86,32 @@ | 985 | @@ -81,25 +87,32 @@ |
985 | char lname[MAXHOSTNAMELEN]; | 986 | char lname[MAXHOSTNAMELEN]; |
986 | gss_OID_set oidset; | 987 | gss_OID_set oidset; |
987 | 988 | ||
@@ -1028,7 +1029,7 @@ Index: b/gss-serv.c | |||
1028 | } | 1029 | } |
1029 | 1030 | ||
1030 | /* Privileged */ | 1031 | /* Privileged */ |
1031 | @@ -114,6 +126,29 @@ | 1032 | @@ -114,6 +127,29 @@ |
1032 | } | 1033 | } |
1033 | 1034 | ||
1034 | /* Unprivileged */ | 1035 | /* Unprivileged */ |
@@ -1058,7 +1059,7 @@ Index: b/gss-serv.c | |||
1058 | void | 1059 | void |
1059 | ssh_gssapi_supported_oids(gss_OID_set *oidset) | 1060 | ssh_gssapi_supported_oids(gss_OID_set *oidset) |
1060 | { | 1061 | { |
1061 | @@ -123,7 +158,9 @@ | 1062 | @@ -123,7 +159,9 @@ |
1062 | gss_OID_set supported; | 1063 | gss_OID_set supported; |
1063 | 1064 | ||
1064 | gss_create_empty_oid_set(&min_status, oidset); | 1065 | gss_create_empty_oid_set(&min_status, oidset); |
@@ -1069,7 +1070,7 @@ Index: b/gss-serv.c | |||
1069 | 1070 | ||
1070 | while (supported_mechs[i]->name != NULL) { | 1071 | while (supported_mechs[i]->name != NULL) { |
1071 | if (GSS_ERROR(gss_test_oid_set_member(&min_status, | 1072 | if (GSS_ERROR(gss_test_oid_set_member(&min_status, |
1072 | @@ -249,8 +286,48 @@ | 1073 | @@ -249,8 +287,48 @@ |
1073 | ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) | 1074 | ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) |
1074 | { | 1075 | { |
1075 | int i = 0; | 1076 | int i = 0; |
@@ -1119,7 +1120,7 @@ Index: b/gss-serv.c | |||
1119 | 1120 | ||
1120 | client->mech = NULL; | 1121 | client->mech = NULL; |
1121 | 1122 | ||
1122 | @@ -265,6 +342,13 @@ | 1123 | @@ -265,6 +343,13 @@ |
1123 | if (client->mech == NULL) | 1124 | if (client->mech == NULL) |
1124 | return GSS_S_FAILURE; | 1125 | return GSS_S_FAILURE; |
1125 | 1126 | ||
@@ -1133,7 +1134,7 @@ Index: b/gss-serv.c | |||
1133 | if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, | 1134 | if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, |
1134 | &client->displayname, NULL))) { | 1135 | &client->displayname, NULL))) { |
1135 | ssh_gssapi_error(ctx); | 1136 | ssh_gssapi_error(ctx); |
1136 | @@ -282,6 +366,8 @@ | 1137 | @@ -282,6 +367,8 @@ |
1137 | return (ctx->major); | 1138 | return (ctx->major); |
1138 | } | 1139 | } |
1139 | 1140 | ||
@@ -1142,7 +1143,7 @@ Index: b/gss-serv.c | |||
1142 | /* We can't copy this structure, so we just move the pointer to it */ | 1143 | /* We can't copy this structure, so we just move the pointer to it */ |
1143 | client->creds = ctx->client_creds; | 1144 | client->creds = ctx->client_creds; |
1144 | ctx->client_creds = GSS_C_NO_CREDENTIAL; | 1145 | ctx->client_creds = GSS_C_NO_CREDENTIAL; |
1145 | @@ -329,7 +415,7 @@ | 1146 | @@ -329,7 +416,7 @@ |
1146 | 1147 | ||
1147 | /* Privileged */ | 1148 | /* Privileged */ |
1148 | int | 1149 | int |
@@ -1151,7 +1152,7 @@ Index: b/gss-serv.c | |||
1151 | { | 1152 | { |
1152 | OM_uint32 lmin; | 1153 | OM_uint32 lmin; |
1153 | 1154 | ||
1154 | @@ -339,9 +425,11 @@ | 1155 | @@ -339,9 +426,11 @@ |
1155 | return 0; | 1156 | return 0; |
1156 | } | 1157 | } |
1157 | if (gssapi_client.mech && gssapi_client.mech->userok) | 1158 | if (gssapi_client.mech && gssapi_client.mech->userok) |
@@ -1165,7 +1166,7 @@ Index: b/gss-serv.c | |||
1165 | /* Destroy delegated credentials if userok fails */ | 1166 | /* Destroy delegated credentials if userok fails */ |
1166 | gss_release_buffer(&lmin, &gssapi_client.displayname); | 1167 | gss_release_buffer(&lmin, &gssapi_client.displayname); |
1167 | gss_release_buffer(&lmin, &gssapi_client.exportedname); | 1168 | gss_release_buffer(&lmin, &gssapi_client.exportedname); |
1168 | @@ -354,14 +442,90 @@ | 1169 | @@ -354,14 +443,90 @@ |
1169 | return (0); | 1170 | return (0); |
1170 | } | 1171 | } |
1171 | 1172 | ||
@@ -1277,32 +1278,37 @@ Index: b/kex.c | |||
1277 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L | 1278 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L |
1278 | # if defined(HAVE_EVP_SHA256) | 1279 | # if defined(HAVE_EVP_SHA256) |
1279 | # define evp_ssh_sha256 EVP_sha256 | 1280 | # define evp_ssh_sha256 EVP_sha256 |
1280 | @@ -369,6 +373,20 @@ | 1281 | @@ -82,6 +86,14 @@ |
1281 | k->kex_type = KEX_ECDH_SHA2; | ||
1282 | k->evp_md = kex_ecdh_name_to_evpmd(k->name); | ||
1283 | #endif | 1282 | #endif |
1283 | { NULL, -1, -1, NULL}, | ||
1284 | }; | ||
1285 | +static const struct kexalg kexalg_prefixes[] = { | ||
1284 | +#ifdef GSSAPI | 1286 | +#ifdef GSSAPI |
1285 | + } else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID, | 1287 | + { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, EVP_sha1 }, |
1286 | + sizeof(KEX_GSS_GEX_SHA1_ID) - 1) == 0) { | 1288 | + { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, EVP_sha1 }, |
1287 | + k->kex_type = KEX_GSS_GEX_SHA1; | 1289 | + { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, EVP_sha1 }, |
1288 | + k->evp_md = EVP_sha1(); | ||
1289 | + } else if (strncmp(k->name, KEX_GSS_GRP1_SHA1_ID, | ||
1290 | + sizeof(KEX_GSS_GRP1_SHA1_ID) - 1) == 0) { | ||
1291 | + k->kex_type = KEX_GSS_GRP1_SHA1; | ||
1292 | + k->evp_md = EVP_sha1(); | ||
1293 | + } else if (strncmp(k->name, KEX_GSS_GRP14_SHA1_ID, | ||
1294 | + sizeof(KEX_GSS_GRP14_SHA1_ID) - 1) == 0) { | ||
1295 | + k->kex_type = KEX_GSS_GRP14_SHA1; | ||
1296 | + k->evp_md = EVP_sha1(); | ||
1297 | +#endif | 1290 | +#endif |
1298 | } else | 1291 | + { NULL, -1, -1, NULL }, |
1299 | fatal("bad kex alg %s", k->name); | 1292 | +}; |
1293 | |||
1294 | char * | ||
1295 | kex_alg_list(void) | ||
1296 | @@ -110,6 +122,10 @@ | ||
1297 | if (strcmp(k->name, name) == 0) | ||
1298 | return k; | ||
1299 | } | ||
1300 | + for (k = kexalg_prefixes; k->name != NULL; k++) { | ||
1301 | + if (strncmp(k->name, name, strlen(k->name)) == 0) | ||
1302 | + return k; | ||
1303 | + } | ||
1304 | return NULL; | ||
1300 | } | 1305 | } |
1306 | |||
1301 | Index: b/kex.h | 1307 | Index: b/kex.h |
1302 | =================================================================== | 1308 | =================================================================== |
1303 | --- a/kex.h | 1309 | --- a/kex.h |
1304 | +++ b/kex.h | 1310 | +++ b/kex.h |
1305 | @@ -73,6 +73,9 @@ | 1311 | @@ -74,6 +74,9 @@ |
1306 | KEX_DH_GEX_SHA1, | 1312 | KEX_DH_GEX_SHA1, |
1307 | KEX_DH_GEX_SHA256, | 1313 | KEX_DH_GEX_SHA256, |
1308 | KEX_ECDH_SHA2, | 1314 | KEX_ECDH_SHA2, |
@@ -1312,10 +1318,10 @@ Index: b/kex.h | |||
1312 | KEX_MAX | 1318 | KEX_MAX |
1313 | }; | 1319 | }; |
1314 | 1320 | ||
1315 | @@ -131,6 +134,12 @@ | 1321 | @@ -133,6 +136,12 @@ |
1316 | sig_atomic_t done; | ||
1317 | int flags; | 1322 | int flags; |
1318 | const EVP_MD *evp_md; | 1323 | const EVP_MD *evp_md; |
1324 | int ec_nid; | ||
1319 | +#ifdef GSSAPI | 1325 | +#ifdef GSSAPI |
1320 | + int gss_deleg_creds; | 1326 | + int gss_deleg_creds; |
1321 | + int gss_trust_dns; | 1327 | + int gss_trust_dns; |
@@ -1325,7 +1331,7 @@ Index: b/kex.h | |||
1325 | char *client_version_string; | 1331 | char *client_version_string; |
1326 | char *server_version_string; | 1332 | char *server_version_string; |
1327 | int (*verify_host_key)(Key *); | 1333 | int (*verify_host_key)(Key *); |
1328 | @@ -158,6 +167,11 @@ | 1334 | @@ -162,6 +171,11 @@ |
1329 | void kexecdh_client(Kex *); | 1335 | void kexecdh_client(Kex *); |
1330 | void kexecdh_server(Kex *); | 1336 | void kexecdh_server(Kex *); |
1331 | 1337 | ||
@@ -1341,7 +1347,7 @@ Index: b/kexgssc.c | |||
1341 | =================================================================== | 1347 | =================================================================== |
1342 | --- /dev/null | 1348 | --- /dev/null |
1343 | +++ b/kexgssc.c | 1349 | +++ b/kexgssc.c |
1344 | @@ -0,0 +1,334 @@ | 1350 | @@ -0,0 +1,333 @@ |
1345 | +/* | 1351 | +/* |
1346 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. | 1352 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. |
1347 | + * | 1353 | + * |
@@ -1488,7 +1494,7 @@ Index: b/kexgssc.c | |||
1488 | + | 1494 | + |
1489 | + /* If we've got an old receive buffer get rid of it */ | 1495 | + /* If we've got an old receive buffer get rid of it */ |
1490 | + if (token_ptr != GSS_C_NO_BUFFER) | 1496 | + if (token_ptr != GSS_C_NO_BUFFER) |
1491 | + xfree(recv_tok.value); | 1497 | + free(recv_tok.value); |
1492 | + | 1498 | + |
1493 | + if (maj_status == GSS_S_COMPLETE) { | 1499 | + if (maj_status == GSS_S_COMPLETE) { |
1494 | + /* If mutual state flag is not true, kex fails */ | 1500 | + /* If mutual state flag is not true, kex fails */ |
@@ -1605,7 +1611,7 @@ Index: b/kexgssc.c | |||
1605 | + fatal("kexdh_client: BN_bin2bn failed"); | 1611 | + fatal("kexdh_client: BN_bin2bn failed"); |
1606 | + | 1612 | + |
1607 | + memset(kbuf, 0, klen); | 1613 | + memset(kbuf, 0, klen); |
1608 | + xfree(kbuf); | 1614 | + free(kbuf); |
1609 | + | 1615 | + |
1610 | + switch (kex->kex_type) { | 1616 | + switch (kex->kex_type) { |
1611 | + case KEX_GSS_GRP1_SHA1: | 1617 | + case KEX_GSS_GRP1_SHA1: |
@@ -1648,11 +1654,10 @@ Index: b/kexgssc.c | |||
1648 | + if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok))) | 1654 | + if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok))) |
1649 | + packet_disconnect("Hash's MIC didn't verify"); | 1655 | + packet_disconnect("Hash's MIC didn't verify"); |
1650 | + | 1656 | + |
1651 | + xfree(msg_tok.value); | 1657 | + free(msg_tok.value); |
1652 | + | 1658 | + |
1653 | + DH_free(dh); | 1659 | + DH_free(dh); |
1654 | + if (serverhostkey) | 1660 | + free(serverhostkey); |
1655 | + xfree(serverhostkey); | ||
1656 | + BN_clear_free(dh_server_pub); | 1661 | + BN_clear_free(dh_server_pub); |
1657 | + | 1662 | + |
1658 | + /* save session id */ | 1663 | + /* save session id */ |
@@ -1680,7 +1685,7 @@ Index: b/kexgsss.c | |||
1680 | =================================================================== | 1685 | =================================================================== |
1681 | --- /dev/null | 1686 | --- /dev/null |
1682 | +++ b/kexgsss.c | 1687 | +++ b/kexgsss.c |
1683 | @@ -0,0 +1,288 @@ | 1688 | @@ -0,0 +1,289 @@ |
1684 | +/* | 1689 | +/* |
1685 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. | 1690 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. |
1686 | + * | 1691 | + * |
@@ -1761,9 +1766,10 @@ Index: b/kexgsss.c | |||
1761 | + * in the GSSAPI code are no longer available. This kludges them back | 1766 | + * in the GSSAPI code are no longer available. This kludges them back |
1762 | + * into life | 1767 | + * into life |
1763 | + */ | 1768 | + */ |
1764 | + if (!ssh_gssapi_oid_table_ok()) | 1769 | + if (!ssh_gssapi_oid_table_ok()) { |
1765 | + if ((mechs = ssh_gssapi_server_mechanisms())) | 1770 | + mechs = ssh_gssapi_server_mechanisms(); |
1766 | + xfree(mechs); | 1771 | + free(mechs); |
1772 | + } | ||
1767 | + | 1773 | + |
1768 | + debug2("%s: Identifying %s", __func__, kex->name); | 1774 | + debug2("%s: Identifying %s", __func__, kex->name); |
1769 | + oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type); | 1775 | + oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type); |
@@ -1841,7 +1847,7 @@ Index: b/kexgsss.c | |||
1841 | + maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok, | 1847 | + maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok, |
1842 | + &send_tok, &ret_flags)); | 1848 | + &send_tok, &ret_flags)); |
1843 | + | 1849 | + |
1844 | + xfree(recv_tok.value); | 1850 | + free(recv_tok.value); |
1845 | + | 1851 | + |
1846 | + if (maj_status != GSS_S_COMPLETE && send_tok.length == 0) | 1852 | + if (maj_status != GSS_S_COMPLETE && send_tok.length == 0) |
1847 | + fatal("Zero length token output when incomplete"); | 1853 | + fatal("Zero length token output when incomplete"); |
@@ -1890,7 +1896,7 @@ Index: b/kexgsss.c | |||
1890 | + fatal("kexgss_server: BN_bin2bn failed"); | 1896 | + fatal("kexgss_server: BN_bin2bn failed"); |
1891 | + | 1897 | + |
1892 | + memset(kbuf, 0, klen); | 1898 | + memset(kbuf, 0, klen); |
1893 | + xfree(kbuf); | 1899 | + free(kbuf); |
1894 | + | 1900 | + |
1895 | + switch (kex->kex_type) { | 1901 | + switch (kex->kex_type) { |
1896 | + case KEX_GSS_GRP1_SHA1: | 1902 | + case KEX_GSS_GRP1_SHA1: |
@@ -1973,24 +1979,14 @@ Index: b/key.c | |||
1973 | =================================================================== | 1979 | =================================================================== |
1974 | --- a/key.c | 1980 | --- a/key.c |
1975 | +++ b/key.c | 1981 | +++ b/key.c |
1976 | @@ -976,6 +976,8 @@ | 1982 | @@ -933,6 +933,7 @@ |
1977 | } | 1983 | KEY_RSA_CERT_V00, 0, 1 }, |
1978 | break; | 1984 | { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", |
1979 | #endif /* OPENSSL_HAS_ECC */ | 1985 | KEY_DSA_CERT_V00, 0, 1 }, |
1980 | + case KEY_NULL: | 1986 | + { "null", "null", KEY_NULL, 0, 0 }, |
1981 | + return "null"; | 1987 | { NULL, NULL, -1, -1, 0 } |
1982 | } | 1988 | }; |
1983 | return "ssh-unknown"; | ||
1984 | } | ||
1985 | @@ -1281,6 +1283,8 @@ | ||
1986 | strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) { | ||
1987 | return KEY_ECDSA_CERT; | ||
1988 | #endif | ||
1989 | + } else if (strcmp(name, "null") == 0) { | ||
1990 | + return KEY_NULL; | ||
1991 | } | ||
1992 | 1989 | ||
1993 | debug2("key_type_from_name: unknown key type '%s'", name); | ||
1994 | Index: b/key.h | 1990 | Index: b/key.h |
1995 | =================================================================== | 1991 | =================================================================== |
1996 | --- a/key.h | 1992 | --- a/key.h |
@@ -2007,7 +2003,7 @@ Index: b/monitor.c | |||
2007 | =================================================================== | 2003 | =================================================================== |
2008 | --- a/monitor.c | 2004 | --- a/monitor.c |
2009 | +++ b/monitor.c | 2005 | +++ b/monitor.c |
2010 | @@ -180,6 +180,8 @@ | 2006 | @@ -181,6 +181,8 @@ |
2011 | int mm_answer_gss_accept_ctx(int, Buffer *); | 2007 | int mm_answer_gss_accept_ctx(int, Buffer *); |
2012 | int mm_answer_gss_userok(int, Buffer *); | 2008 | int mm_answer_gss_userok(int, Buffer *); |
2013 | int mm_answer_gss_checkmic(int, Buffer *); | 2009 | int mm_answer_gss_checkmic(int, Buffer *); |
@@ -2016,7 +2012,7 @@ Index: b/monitor.c | |||
2016 | #endif | 2012 | #endif |
2017 | 2013 | ||
2018 | #ifdef SSH_AUDIT_EVENTS | 2014 | #ifdef SSH_AUDIT_EVENTS |
2019 | @@ -252,6 +254,7 @@ | 2015 | @@ -253,6 +255,7 @@ |
2020 | {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, | 2016 | {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, |
2021 | {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, | 2017 | {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, |
2022 | {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, | 2018 | {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, |
@@ -2024,7 +2020,7 @@ Index: b/monitor.c | |||
2024 | #endif | 2020 | #endif |
2025 | #ifdef JPAKE | 2021 | #ifdef JPAKE |
2026 | {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata}, | 2022 | {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata}, |
2027 | @@ -264,6 +267,12 @@ | 2023 | @@ -265,6 +268,12 @@ |
2028 | }; | 2024 | }; |
2029 | 2025 | ||
2030 | struct mon_table mon_dispatch_postauth20[] = { | 2026 | struct mon_table mon_dispatch_postauth20[] = { |
@@ -2037,7 +2033,7 @@ Index: b/monitor.c | |||
2037 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, | 2033 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, |
2038 | {MONITOR_REQ_SIGN, 0, mm_answer_sign}, | 2034 | {MONITOR_REQ_SIGN, 0, mm_answer_sign}, |
2039 | {MONITOR_REQ_PTY, 0, mm_answer_pty}, | 2035 | {MONITOR_REQ_PTY, 0, mm_answer_pty}, |
2040 | @@ -372,6 +381,10 @@ | 2036 | @@ -373,6 +382,10 @@ |
2041 | /* Permit requests for moduli and signatures */ | 2037 | /* Permit requests for moduli and signatures */ |
2042 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 2038 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
2043 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 2039 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
@@ -2059,7 +2055,7 @@ Index: b/monitor.c | |||
2059 | } else { | 2055 | } else { |
2060 | mon_dispatch = mon_dispatch_postauth15; | 2056 | mon_dispatch = mon_dispatch_postauth15; |
2061 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 2057 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
2062 | @@ -1836,6 +1853,13 @@ | 2058 | @@ -1855,6 +1872,13 @@ |
2063 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; | 2059 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; |
2064 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; | 2060 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; |
2065 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; | 2061 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; |
@@ -2073,7 +2069,7 @@ Index: b/monitor.c | |||
2073 | kex->server = 1; | 2069 | kex->server = 1; |
2074 | kex->hostkey_type = buffer_get_int(m); | 2070 | kex->hostkey_type = buffer_get_int(m); |
2075 | kex->kex_type = buffer_get_int(m); | 2071 | kex->kex_type = buffer_get_int(m); |
2076 | @@ -2042,6 +2066,9 @@ | 2072 | @@ -2062,6 +2086,9 @@ |
2077 | OM_uint32 major; | 2073 | OM_uint32 major; |
2078 | u_int len; | 2074 | u_int len; |
2079 | 2075 | ||
@@ -2083,7 +2079,7 @@ Index: b/monitor.c | |||
2083 | goid.elements = buffer_get_string(m, &len); | 2079 | goid.elements = buffer_get_string(m, &len); |
2084 | goid.length = len; | 2080 | goid.length = len; |
2085 | 2081 | ||
2086 | @@ -2069,6 +2096,9 @@ | 2082 | @@ -2089,6 +2116,9 @@ |
2087 | OM_uint32 flags = 0; /* GSI needs this */ | 2083 | OM_uint32 flags = 0; /* GSI needs this */ |
2088 | u_int len; | 2084 | u_int len; |
2089 | 2085 | ||
@@ -2093,7 +2089,7 @@ Index: b/monitor.c | |||
2093 | in.value = buffer_get_string(m, &len); | 2089 | in.value = buffer_get_string(m, &len); |
2094 | in.length = len; | 2090 | in.length = len; |
2095 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); | 2091 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); |
2096 | @@ -2086,6 +2116,7 @@ | 2092 | @@ -2106,6 +2136,7 @@ |
2097 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); | 2093 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); |
2098 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); | 2094 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); |
2099 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); | 2095 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); |
@@ -2101,7 +2097,7 @@ Index: b/monitor.c | |||
2101 | } | 2097 | } |
2102 | return (0); | 2098 | return (0); |
2103 | } | 2099 | } |
2104 | @@ -2097,6 +2128,9 @@ | 2100 | @@ -2117,6 +2148,9 @@ |
2105 | OM_uint32 ret; | 2101 | OM_uint32 ret; |
2106 | u_int len; | 2102 | u_int len; |
2107 | 2103 | ||
@@ -2111,7 +2107,7 @@ Index: b/monitor.c | |||
2111 | gssbuf.value = buffer_get_string(m, &len); | 2107 | gssbuf.value = buffer_get_string(m, &len); |
2112 | gssbuf.length = len; | 2108 | gssbuf.length = len; |
2113 | mic.value = buffer_get_string(m, &len); | 2109 | mic.value = buffer_get_string(m, &len); |
2114 | @@ -2123,7 +2157,11 @@ | 2110 | @@ -2143,7 +2177,11 @@ |
2115 | { | 2111 | { |
2116 | int authenticated; | 2112 | int authenticated; |
2117 | 2113 | ||
@@ -2124,7 +2120,7 @@ Index: b/monitor.c | |||
2124 | 2120 | ||
2125 | buffer_clear(m); | 2121 | buffer_clear(m); |
2126 | buffer_put_int(m, authenticated); | 2122 | buffer_put_int(m, authenticated); |
2127 | @@ -2136,6 +2174,74 @@ | 2123 | @@ -2156,6 +2194,74 @@ |
2128 | /* Monitor loop will terminate if authenticated */ | 2124 | /* Monitor loop will terminate if authenticated */ |
2129 | return (authenticated); | 2125 | return (authenticated); |
2130 | } | 2126 | } |
@@ -2154,7 +2150,7 @@ Index: b/monitor.c | |||
2154 | + } | 2150 | + } |
2155 | + major = ssh_gssapi_sign(gsscontext, &data, &hash); | 2151 | + major = ssh_gssapi_sign(gsscontext, &data, &hash); |
2156 | + | 2152 | + |
2157 | + xfree(data.value); | 2153 | + free(data.value); |
2158 | + | 2154 | + |
2159 | + buffer_clear(m); | 2155 | + buffer_clear(m); |
2160 | + buffer_put_int(m, major); | 2156 | + buffer_put_int(m, major); |
@@ -2184,9 +2180,9 @@ Index: b/monitor.c | |||
2184 | + | 2180 | + |
2185 | + ok = ssh_gssapi_update_creds(&store); | 2181 | + ok = ssh_gssapi_update_creds(&store); |
2186 | + | 2182 | + |
2187 | + xfree(store.filename); | 2183 | + free(store.filename); |
2188 | + xfree(store.envvar); | 2184 | + free(store.envvar); |
2189 | + xfree(store.envval); | 2185 | + free(store.envval); |
2190 | + | 2186 | + |
2191 | + buffer_clear(m); | 2187 | + buffer_clear(m); |
2192 | + buffer_put_int(m, ok); | 2188 | + buffer_put_int(m, ok); |
@@ -2217,7 +2213,7 @@ Index: b/monitor_wrap.c | |||
2217 | =================================================================== | 2213 | =================================================================== |
2218 | --- a/monitor_wrap.c | 2214 | --- a/monitor_wrap.c |
2219 | +++ b/monitor_wrap.c | 2215 | +++ b/monitor_wrap.c |
2220 | @@ -1271,7 +1271,7 @@ | 2216 | @@ -1273,7 +1273,7 @@ |
2221 | } | 2217 | } |
2222 | 2218 | ||
2223 | int | 2219 | int |
@@ -2226,7 +2222,7 @@ Index: b/monitor_wrap.c | |||
2226 | { | 2222 | { |
2227 | Buffer m; | 2223 | Buffer m; |
2228 | int authenticated = 0; | 2224 | int authenticated = 0; |
2229 | @@ -1288,6 +1288,51 @@ | 2225 | @@ -1290,6 +1290,51 @@ |
2230 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); | 2226 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); |
2231 | return (authenticated); | 2227 | return (authenticated); |
2232 | } | 2228 | } |
@@ -2298,7 +2294,7 @@ Index: b/readconf.c | |||
2298 | =================================================================== | 2294 | =================================================================== |
2299 | --- a/readconf.c | 2295 | --- a/readconf.c |
2300 | +++ b/readconf.c | 2296 | +++ b/readconf.c |
2301 | @@ -129,6 +129,8 @@ | 2297 | @@ -132,6 +132,8 @@ |
2302 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, | 2298 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, |
2303 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, | 2299 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, |
2304 | oAddressFamily, oGssAuthentication, oGssDelegateCreds, | 2300 | oAddressFamily, oGssAuthentication, oGssDelegateCreds, |
@@ -2307,7 +2303,7 @@ Index: b/readconf.c | |||
2307 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, | 2303 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, |
2308 | oSendEnv, oControlPath, oControlMaster, oControlPersist, | 2304 | oSendEnv, oControlPath, oControlMaster, oControlPersist, |
2309 | oHashKnownHosts, | 2305 | oHashKnownHosts, |
2310 | @@ -169,10 +171,19 @@ | 2306 | @@ -172,10 +174,19 @@ |
2311 | { "afstokenpassing", oUnsupported }, | 2307 | { "afstokenpassing", oUnsupported }, |
2312 | #if defined(GSSAPI) | 2308 | #if defined(GSSAPI) |
2313 | { "gssapiauthentication", oGssAuthentication }, | 2309 | { "gssapiauthentication", oGssAuthentication }, |
@@ -2327,7 +2323,7 @@ Index: b/readconf.c | |||
2327 | #endif | 2323 | #endif |
2328 | { "fallbacktorsh", oDeprecated }, | 2324 | { "fallbacktorsh", oDeprecated }, |
2329 | { "usersh", oDeprecated }, | 2325 | { "usersh", oDeprecated }, |
2330 | @@ -503,10 +514,30 @@ | 2326 | @@ -516,10 +527,30 @@ |
2331 | intptr = &options->gss_authentication; | 2327 | intptr = &options->gss_authentication; |
2332 | goto parse_flag; | 2328 | goto parse_flag; |
2333 | 2329 | ||
@@ -2358,7 +2354,7 @@ Index: b/readconf.c | |||
2358 | case oBatchMode: | 2354 | case oBatchMode: |
2359 | intptr = &options->batch_mode; | 2355 | intptr = &options->batch_mode; |
2360 | goto parse_flag; | 2356 | goto parse_flag; |
2361 | @@ -1158,7 +1189,12 @@ | 2357 | @@ -1168,7 +1199,12 @@ |
2362 | options->pubkey_authentication = -1; | 2358 | options->pubkey_authentication = -1; |
2363 | options->challenge_response_authentication = -1; | 2359 | options->challenge_response_authentication = -1; |
2364 | options->gss_authentication = -1; | 2360 | options->gss_authentication = -1; |
@@ -2371,7 +2367,7 @@ Index: b/readconf.c | |||
2371 | options->password_authentication = -1; | 2367 | options->password_authentication = -1; |
2372 | options->kbd_interactive_authentication = -1; | 2368 | options->kbd_interactive_authentication = -1; |
2373 | options->kbd_interactive_devices = NULL; | 2369 | options->kbd_interactive_devices = NULL; |
2374 | @@ -1258,8 +1294,14 @@ | 2370 | @@ -1268,8 +1304,14 @@ |
2375 | options->challenge_response_authentication = 1; | 2371 | options->challenge_response_authentication = 1; |
2376 | if (options->gss_authentication == -1) | 2372 | if (options->gss_authentication == -1) |
2377 | options->gss_authentication = 0; | 2373 | options->gss_authentication = 0; |
@@ -2407,7 +2403,7 @@ Index: b/servconf.c | |||
2407 | =================================================================== | 2403 | =================================================================== |
2408 | --- a/servconf.c | 2404 | --- a/servconf.c |
2409 | +++ b/servconf.c | 2405 | +++ b/servconf.c |
2410 | @@ -102,7 +102,10 @@ | 2406 | @@ -107,7 +107,10 @@ |
2411 | options->kerberos_ticket_cleanup = -1; | 2407 | options->kerberos_ticket_cleanup = -1; |
2412 | options->kerberos_get_afs_token = -1; | 2408 | options->kerberos_get_afs_token = -1; |
2413 | options->gss_authentication=-1; | 2409 | options->gss_authentication=-1; |
@@ -2418,7 +2414,7 @@ Index: b/servconf.c | |||
2418 | options->password_authentication = -1; | 2414 | options->password_authentication = -1; |
2419 | options->kbd_interactive_authentication = -1; | 2415 | options->kbd_interactive_authentication = -1; |
2420 | options->challenge_response_authentication = -1; | 2416 | options->challenge_response_authentication = -1; |
2421 | @@ -233,8 +236,14 @@ | 2417 | @@ -240,8 +243,14 @@ |
2422 | options->kerberos_get_afs_token = 0; | 2418 | options->kerberos_get_afs_token = 0; |
2423 | if (options->gss_authentication == -1) | 2419 | if (options->gss_authentication == -1) |
2424 | options->gss_authentication = 0; | 2420 | options->gss_authentication = 0; |
@@ -2433,7 +2429,7 @@ Index: b/servconf.c | |||
2433 | if (options->password_authentication == -1) | 2429 | if (options->password_authentication == -1) |
2434 | options->password_authentication = 1; | 2430 | options->password_authentication = 1; |
2435 | if (options->kbd_interactive_authentication == -1) | 2431 | if (options->kbd_interactive_authentication == -1) |
2436 | @@ -327,7 +336,9 @@ | 2432 | @@ -338,7 +347,9 @@ |
2437 | sBanner, sUseDNS, sHostbasedAuthentication, | 2433 | sBanner, sUseDNS, sHostbasedAuthentication, |
2438 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, | 2434 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, |
2439 | sClientAliveCountMax, sAuthorizedKeysFile, | 2435 | sClientAliveCountMax, sAuthorizedKeysFile, |
@@ -2444,7 +2440,7 @@ Index: b/servconf.c | |||
2444 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, | 2440 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
2445 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 2441 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
2446 | sZeroKnowledgePasswordAuthentication, sHostCertificate, | 2442 | sZeroKnowledgePasswordAuthentication, sHostCertificate, |
2447 | @@ -393,10 +404,20 @@ | 2443 | @@ -405,10 +416,20 @@ |
2448 | #ifdef GSSAPI | 2444 | #ifdef GSSAPI |
2449 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | 2445 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
2450 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | 2446 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
@@ -2465,7 +2461,7 @@ Index: b/servconf.c | |||
2465 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | 2461 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
2466 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | 2462 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
2467 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, | 2463 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, |
2468 | @@ -1049,10 +1070,22 @@ | 2464 | @@ -1073,10 +1094,22 @@ |
2469 | intptr = &options->gss_authentication; | 2465 | intptr = &options->gss_authentication; |
2470 | goto parse_flag; | 2466 | goto parse_flag; |
2471 | 2467 | ||
@@ -2488,7 +2484,7 @@ Index: b/servconf.c | |||
2488 | case sPasswordAuthentication: | 2484 | case sPasswordAuthentication: |
2489 | intptr = &options->password_authentication; | 2485 | intptr = &options->password_authentication; |
2490 | goto parse_flag; | 2486 | goto parse_flag; |
2491 | @@ -1927,7 +1960,10 @@ | 2487 | @@ -1983,7 +2016,10 @@ |
2492 | #endif | 2488 | #endif |
2493 | #ifdef GSSAPI | 2489 | #ifdef GSSAPI |
2494 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | 2490 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
@@ -2503,7 +2499,7 @@ Index: b/servconf.h | |||
2503 | =================================================================== | 2499 | =================================================================== |
2504 | --- a/servconf.h | 2500 | --- a/servconf.h |
2505 | +++ b/servconf.h | 2501 | +++ b/servconf.h |
2506 | @@ -110,7 +110,10 @@ | 2502 | @@ -111,7 +111,10 @@ |
2507 | int kerberos_get_afs_token; /* If true, try to get AFS token if | 2503 | int kerberos_get_afs_token; /* If true, try to get AFS token if |
2508 | * authenticated with Kerberos. */ | 2504 | * authenticated with Kerberos. */ |
2509 | int gss_authentication; /* If true, permit GSSAPI authentication */ | 2505 | int gss_authentication; /* If true, permit GSSAPI authentication */ |
@@ -2632,7 +2628,7 @@ Index: b/ssh_config.5 | |||
2632 | =================================================================== | 2628 | =================================================================== |
2633 | --- a/ssh_config.5 | 2629 | --- a/ssh_config.5 |
2634 | +++ b/ssh_config.5 | 2630 | +++ b/ssh_config.5 |
2635 | @@ -530,11 +530,43 @@ | 2631 | @@ -529,11 +529,43 @@ |
2636 | The default is | 2632 | The default is |
2637 | .Dq no . | 2633 | .Dq no . |
2638 | Note that this option applies to protocol version 2 only. | 2634 | Note that this option applies to protocol version 2 only. |
@@ -2727,14 +2723,14 @@ Index: b/sshconnect2.c | |||
2727 | + orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]; | 2723 | + orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]; |
2728 | + xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS], | 2724 | + xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS], |
2729 | + "%s,null", orig); | 2725 | + "%s,null", orig); |
2730 | + xfree(gss); | 2726 | + free(gss); |
2731 | + } | 2727 | + } |
2732 | +#endif | 2728 | +#endif |
2733 | + | 2729 | + |
2734 | if (options.rekey_limit) | 2730 | if (options.rekey_limit || options.rekey_interval) |
2735 | packet_set_rekey_limit((u_int32_t)options.rekey_limit); | 2731 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, |
2736 | 2732 | (time_t)options.rekey_interval); | |
2737 | @@ -207,10 +243,30 @@ | 2733 | @@ -208,10 +244,30 @@ |
2738 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; | 2734 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; |
2739 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; | 2735 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; |
2740 | kex->kex[KEX_ECDH_SHA2] = kexecdh_client; | 2736 | kex->kex[KEX_ECDH_SHA2] = kexecdh_client; |
@@ -2765,7 +2761,7 @@ Index: b/sshconnect2.c | |||
2765 | xxx_kex = kex; | 2761 | xxx_kex = kex; |
2766 | 2762 | ||
2767 | dispatch_run(DISPATCH_BLOCK, &kex->done, kex); | 2763 | dispatch_run(DISPATCH_BLOCK, &kex->done, kex); |
2768 | @@ -306,6 +362,7 @@ | 2764 | @@ -307,6 +363,7 @@ |
2769 | void input_gssapi_hash(int type, u_int32_t, void *); | 2765 | void input_gssapi_hash(int type, u_int32_t, void *); |
2770 | void input_gssapi_error(int, u_int32_t, void *); | 2766 | void input_gssapi_error(int, u_int32_t, void *); |
2771 | void input_gssapi_errtok(int, u_int32_t, void *); | 2767 | void input_gssapi_errtok(int, u_int32_t, void *); |
@@ -2773,7 +2769,7 @@ Index: b/sshconnect2.c | |||
2773 | #endif | 2769 | #endif |
2774 | 2770 | ||
2775 | void userauth(Authctxt *, char *); | 2771 | void userauth(Authctxt *, char *); |
2776 | @@ -321,6 +378,11 @@ | 2772 | @@ -322,6 +379,11 @@ |
2777 | 2773 | ||
2778 | Authmethod authmethods[] = { | 2774 | Authmethod authmethods[] = { |
2779 | #ifdef GSSAPI | 2775 | #ifdef GSSAPI |
@@ -2785,7 +2781,7 @@ Index: b/sshconnect2.c | |||
2785 | {"gssapi-with-mic", | 2781 | {"gssapi-with-mic", |
2786 | userauth_gssapi, | 2782 | userauth_gssapi, |
2787 | NULL, | 2783 | NULL, |
2788 | @@ -627,19 +689,31 @@ | 2784 | @@ -625,19 +687,31 @@ |
2789 | static u_int mech = 0; | 2785 | static u_int mech = 0; |
2790 | OM_uint32 min; | 2786 | OM_uint32 min; |
2791 | int ok = 0; | 2787 | int ok = 0; |
@@ -2819,7 +2815,7 @@ Index: b/sshconnect2.c | |||
2819 | ok = 1; /* Mechanism works */ | 2815 | ok = 1; /* Mechanism works */ |
2820 | } else { | 2816 | } else { |
2821 | mech++; | 2817 | mech++; |
2822 | @@ -736,8 +810,8 @@ | 2818 | @@ -734,8 +808,8 @@ |
2823 | { | 2819 | { |
2824 | Authctxt *authctxt = ctxt; | 2820 | Authctxt *authctxt = ctxt; |
2825 | Gssctxt *gssctxt; | 2821 | Gssctxt *gssctxt; |
@@ -2830,9 +2826,9 @@ Index: b/sshconnect2.c | |||
2830 | 2826 | ||
2831 | if (authctxt == NULL) | 2827 | if (authctxt == NULL) |
2832 | fatal("input_gssapi_response: no authentication context"); | 2828 | fatal("input_gssapi_response: no authentication context"); |
2833 | @@ -847,6 +921,48 @@ | 2829 | @@ -844,6 +918,48 @@ |
2834 | xfree(msg); | 2830 | free(msg); |
2835 | xfree(lang); | 2831 | free(lang); |
2836 | } | 2832 | } |
2837 | + | 2833 | + |
2838 | +int | 2834 | +int |
@@ -2883,7 +2879,7 @@ Index: b/sshd.c | |||
2883 | =================================================================== | 2879 | =================================================================== |
2884 | --- a/sshd.c | 2880 | --- a/sshd.c |
2885 | +++ b/sshd.c | 2881 | +++ b/sshd.c |
2886 | @@ -121,6 +121,10 @@ | 2882 | @@ -122,6 +122,10 @@ |
2887 | #include "ssh-sandbox.h" | 2883 | #include "ssh-sandbox.h" |
2888 | #include "version.h" | 2884 | #include "version.h" |
2889 | 2885 | ||
@@ -2894,7 +2890,7 @@ Index: b/sshd.c | |||
2894 | #ifdef LIBWRAP | 2890 | #ifdef LIBWRAP |
2895 | #include <tcpd.h> | 2891 | #include <tcpd.h> |
2896 | #include <syslog.h> | 2892 | #include <syslog.h> |
2897 | @@ -1645,10 +1649,13 @@ | 2893 | @@ -1703,10 +1707,13 @@ |
2898 | logit("Disabling protocol version 1. Could not load host key"); | 2894 | logit("Disabling protocol version 1. Could not load host key"); |
2899 | options.protocol &= ~SSH_PROTO_1; | 2895 | options.protocol &= ~SSH_PROTO_1; |
2900 | } | 2896 | } |
@@ -2908,7 +2904,7 @@ Index: b/sshd.c | |||
2908 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { | 2904 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { |
2909 | logit("sshd: no hostkeys available -- exiting."); | 2905 | logit("sshd: no hostkeys available -- exiting."); |
2910 | exit(1); | 2906 | exit(1); |
2911 | @@ -1976,6 +1983,60 @@ | 2907 | @@ -2035,6 +2042,60 @@ |
2912 | /* Log the connection. */ | 2908 | /* Log the connection. */ |
2913 | verbose("Connection from %.500s port %d", remote_ip, remote_port); | 2909 | verbose("Connection from %.500s port %d", remote_ip, remote_port); |
2914 | 2910 | ||
@@ -2969,7 +2965,7 @@ Index: b/sshd.c | |||
2969 | /* | 2965 | /* |
2970 | * We don't want to listen forever unless the other side | 2966 | * We don't want to listen forever unless the other side |
2971 | * successfully authenticates itself. So we set up an alarm which is | 2967 | * successfully authenticates itself. So we set up an alarm which is |
2972 | @@ -2357,6 +2418,48 @@ | 2968 | @@ -2439,6 +2500,48 @@ |
2973 | 2969 | ||
2974 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); | 2970 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); |
2975 | 2971 | ||
@@ -3018,7 +3014,7 @@ Index: b/sshd.c | |||
3018 | /* start key exchange */ | 3014 | /* start key exchange */ |
3019 | kex = kex_setup(myproposal); | 3015 | kex = kex_setup(myproposal); |
3020 | kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; | 3016 | kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; |
3021 | @@ -2364,6 +2467,13 @@ | 3017 | @@ -2446,6 +2549,13 @@ |
3022 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; | 3018 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; |
3023 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; | 3019 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; |
3024 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; | 3020 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; |
@@ -3036,7 +3032,7 @@ Index: b/sshd_config | |||
3036 | =================================================================== | 3032 | =================================================================== |
3037 | --- a/sshd_config | 3033 | --- a/sshd_config |
3038 | +++ b/sshd_config | 3034 | +++ b/sshd_config |
3039 | @@ -80,6 +80,8 @@ | 3035 | @@ -83,6 +83,8 @@ |
3040 | # GSSAPI options | 3036 | # GSSAPI options |
3041 | #GSSAPIAuthentication no | 3037 | #GSSAPIAuthentication no |
3042 | #GSSAPICleanupCredentials yes | 3038 | #GSSAPICleanupCredentials yes |
@@ -3049,7 +3045,7 @@ Index: b/sshd_config.5 | |||
3049 | =================================================================== | 3045 | =================================================================== |
3050 | --- a/sshd_config.5 | 3046 | --- a/sshd_config.5 |
3051 | +++ b/sshd_config.5 | 3047 | +++ b/sshd_config.5 |
3052 | @@ -481,12 +481,40 @@ | 3048 | @@ -484,12 +484,40 @@ |
3053 | The default is | 3049 | The default is |
3054 | .Dq no . | 3050 | .Dq no . |
3055 | Note that this option applies to protocol version 2 only. | 3051 | Note that this option applies to protocol version 2 only. |