1 files changed, 49 insertions, 49 deletions

diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 269a87c76..5ab339ac9 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
-From cf3f6ac19812e4d32874304b3854b055831c2124 Mon Sep 17 00:00:00 2001
+From 21e3ff3ab4791d3c94bd775da66cde29797fcb36 Mon Sep 17 00:00:00 2001
 From: Manoj Srivastava <srivasta@debian.org>
 Date: Sun, 9 Feb 2014 16:09:49 +0000
 Subject: Handle SELinux authorisation roles
@@ -9,7 +9,7 @@ SELinux maintainer, so we'll keep it until we have something better.
 
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
 Bug-Debian: http://bugs.debian.org/394795
-Last-Update: 2018-08-24
+Last-Update: 2019-06-05
 
 Patch-Name: selinux-role.patch
 ---
@@ -31,7 +31,7 @@ Patch-Name: selinux-role.patch
  15 files changed, 99 insertions(+), 32 deletions(-)
 
 diff --git a/auth.h b/auth.h
-index 977562f0a..90802a5eb 100644
+index bf393e755..8f13bdf48 100644
 --- a/auth.h
 +++ b/auth.h
 @@ -65,6 +65,7 @@ struct Authctxt {
@@ -43,19 +43,19 @@ index 977562f0a..90802a5eb 100644
         /* Method lists for multiple authentication */
         char            **auth_methods; /* modified from server config */
 diff --git a/auth2.c b/auth2.c
-index a77742819..3035926ba 100644
+index 7417eafa4..d60e7f1f2 100644
 --- a/auth2.c
 +++ b/auth2.c
-@@ -257,7 +257,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
+@@ -267,7 +267,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
  {
         Authctxt *authctxt = ssh->authctxt;
         Authmethod *m = NULL;
--       char *user, *service, *method, *style = NULL;
-+       char *user, *service, *method, *style = NULL, *role = NULL;
-        int authenticated = 0;
+-       char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
++       char *user = NULL, *service = NULL, *method = NULL, *style = NULL, *role = NULL;
+        int r, authenticated = 0;
         double tstart = monotime_double();
  
-@@ -270,8 +270,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
+@@ -281,8 +281,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
         debug("userauth-request for user %s service %s method %s", user, service, method);
         debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
  
@@ -69,7 +69,7 @@ index a77742819..3035926ba 100644
  
         if (authctxt->attempt++ == 0) {
                 /* setup auth context */
-@@ -298,8 +303,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
+@@ -309,8 +314,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
                     use_privsep ? " [net]" : "");
                 authctxt->service = xstrdup(service);
                 authctxt->style = style ? xstrdup(style) : NULL;
@@ -77,22 +77,22 @@ index a77742819..3035926ba 100644
                 if (use_privsep)
 -                       mm_inform_authserv(service, style);
 +                       mm_inform_authserv(service, style, role);
-                userauth_banner();
+                userauth_banner(ssh);
                 if (auth2_setup_methods_lists(authctxt) != 0)
-                        packet_disconnect("no authentication methods enabled");
+                        ssh_packet_disconnect(ssh,
 diff --git a/monitor.c b/monitor.c
-index eabc1e89b..08fddabd7 100644
+index 0766d6ef5..5f84e880d 100644
 --- a/monitor.c
 +++ b/monitor.c
-@@ -117,6 +117,7 @@ int mm_answer_sign(int, struct sshbuf *);
- int mm_answer_pwnamallow(int, struct sshbuf *);
- int mm_answer_auth2_read_banner(int, struct sshbuf *);
- int mm_answer_authserv(int, struct sshbuf *);
-+int mm_answer_authrole(int, struct sshbuf *);
- int mm_answer_authpassword(int, struct sshbuf *);
- int mm_answer_bsdauthquery(int, struct sshbuf *);
- int mm_answer_bsdauthrespond(int, struct sshbuf *);
-@@ -193,6 +194,7 @@ struct mon_table mon_dispatch_proto20[] = {
+@@ -117,6 +117,7 @@ int mm_answer_sign(struct ssh *, int, struct sshbuf *);
+ int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
+ int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
+ int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
++int mm_answer_authrole(struct ssh *, int, struct sshbuf *);
+ int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
+ int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
+ int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
+@@ -197,6 +198,7 @@ struct mon_table mon_dispatch_proto20[] = {
      {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
      {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
      {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -100,7 +100,7 @@ index eabc1e89b..08fddabd7 100644
      {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
      {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
  #ifdef USE_PAM
-@@ -817,6 +819,7 @@ mm_answer_pwnamallow(int sock, struct sshbuf *m)
+@@ -819,6 +821,7 @@ mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m)
  
         /* Allow service/style information on the auth context */
         monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -108,7 +108,7 @@ index eabc1e89b..08fddabd7 100644
         monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
  
  #ifdef USE_PAM
-@@ -850,16 +853,42 @@ mm_answer_authserv(int sock, struct sshbuf *m)
+@@ -852,16 +855,42 @@ mm_answer_authserv(struct ssh *ssh, int sock, struct sshbuf *m)
         monitor_permit_authentications(1);
  
         if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 ||
@@ -135,7 +135,7 @@ index eabc1e89b..08fddabd7 100644
 +}
 +
 +int
-+mm_answer_authrole(int sock, struct sshbuf *m)
++mm_answer_authrole(struct ssh *ssh, int sock, struct sshbuf *m)
 +{
 +       int r;
 +
@@ -154,7 +154,7 @@ index eabc1e89b..08fddabd7 100644
         return (0);
  }
  
-@@ -1501,7 +1530,7 @@ mm_answer_pty(int sock, struct sshbuf *m)
+@@ -1528,7 +1557,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
         res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
         if (res == 0)
                 goto error;
@@ -164,23 +164,23 @@ index eabc1e89b..08fddabd7 100644
         if ((r = sshbuf_put_u32(m, 1)) != 0 ||
             (r = sshbuf_put_cstring(m, s->tty)) != 0)
 diff --git a/monitor.h b/monitor.h
-index 44fbed589..8f65e684d 100644
+index 2b1a2d590..4d87284aa 100644
 --- a/monitor.h
 +++ b/monitor.h
-@@ -66,6 +66,8 @@ enum monitor_reqtype {
+@@ -65,6 +65,8 @@ enum monitor_reqtype {
+ 
         MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151,
         MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153,
- 
-+       MONITOR_REQ_AUTHROLE = 154,
 +
++       MONITOR_REQ_AUTHROLE = 154,
  };
  
- struct monitor {
+ struct ssh;
 diff --git a/monitor_wrap.c b/monitor_wrap.c
-index 1865a122a..fd4d7eb3b 100644
+index 8e4c1c1f8..6b3a6251c 100644
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
-@@ -369,10 +369,10 @@ mm_auth2_read_banner(void)
+@@ -364,10 +364,10 @@ mm_auth2_read_banner(void)
         return (banner);
  }
  
@@ -193,7 +193,7 @@ index 1865a122a..fd4d7eb3b 100644
  {
         struct sshbuf *m;
         int r;
-@@ -382,7 +382,8 @@ mm_inform_authserv(char *service, char *style)
+@@ -377,7 +377,8 @@ mm_inform_authserv(char *service, char *style)
         if ((m = sshbuf_new()) == NULL)
                 fatal("%s: sshbuf_new failed", __func__);
         if ((r = sshbuf_put_cstring(m, service)) != 0 ||
@@ -203,7 +203,7 @@ index 1865a122a..fd4d7eb3b 100644
                 fatal("%s: buffer error: %s", __func__, ssh_err(r));
  
         mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m);
-@@ -390,6 +391,26 @@ mm_inform_authserv(char *service, char *style)
+@@ -385,6 +386,26 @@ mm_inform_authserv(char *service, char *style)
         sshbuf_free(m);
  }
  
@@ -231,17 +231,17 @@ index 1865a122a..fd4d7eb3b 100644
  int
  mm_auth_password(struct ssh *ssh, char *password)
 diff --git a/monitor_wrap.h b/monitor_wrap.h
-index 7f93144ff..79e78cc90 100644
+index 69164a8c0..3d0e32d48 100644
 --- a/monitor_wrap.h
 +++ b/monitor_wrap.h
-@@ -43,7 +43,8 @@ int mm_is_monitor(void);
+@@ -44,7 +44,8 @@ int mm_is_monitor(void);
  DH *mm_choose_dh(int, int, int);
- int mm_sshkey_sign(struct sshkey *, u_char **, size_t *, const u_char *, size_t,
-     const char *, u_int compat);
+ int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *,
+     const u_char *, size_t, const char *, u_int compat);
 -void mm_inform_authserv(char *, char *);
 +void mm_inform_authserv(char *, char *, char *);
 +void mm_inform_authrole(char *);
- struct passwd *mm_getpwnamallow(const char *);
+ struct passwd *mm_getpwnamallow(struct ssh *, const char *);
  char *mm_auth2_read_banner(void);
  int mm_auth_password(struct ssh *, char *);
 diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
@@ -363,10 +363,10 @@ index ea4f9c584..60d72ffe7 100644
  char *platform_krb5_get_principal_name(const char *);
  int platform_sys_dir_uid(uid_t);
 diff --git a/session.c b/session.c
-index 2d0958d11..19f38637e 100644
+index ac3d9d19d..d87ea4d44 100644
 --- a/session.c
 +++ b/session.c
-@@ -1380,7 +1380,7 @@ safely_chroot(const char *path, uid_t uid)
+@@ -1356,7 +1356,7 @@ safely_chroot(const char *path, uid_t uid)
  
  /* Set login name, uid, gid, and groups. */
  void
@@ -375,7 +375,7 @@ index 2d0958d11..19f38637e 100644
  {
         char uidstr[32], *chroot_path, *tmp;
  
-@@ -1408,7 +1408,7 @@ do_setusercontext(struct passwd *pw)
+@@ -1384,7 +1384,7 @@ do_setusercontext(struct passwd *pw)
                 endgrent();
  #endif
  
@@ -384,7 +384,7 @@ index 2d0958d11..19f38637e 100644
  
                 if (!in_chroot && options.chroot_directory != NULL &&
                     strcasecmp(options.chroot_directory, "none") != 0) {
-@@ -1547,7 +1547,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
+@@ -1525,7 +1525,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
  
         /* Force a password change */
         if (s->authctxt->force_pwchange) {
@@ -393,7 +393,7 @@ index 2d0958d11..19f38637e 100644
                 child_close_fds(ssh);
                 do_pwchange(s);
                 exit(1);
-@@ -1565,7 +1565,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
+@@ -1543,7 +1543,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
         /* When PAM is enabled we rely on it to do the nologin check */
         if (!options.use_pam)
                 do_nologin(pw);
@@ -402,8 +402,8 @@ index 2d0958d11..19f38637e 100644
         /*
          * PAM session modules in do_setusercontext may have
          * generated messages, so if this in an interactive
-@@ -1955,7 +1955,7 @@ session_pty_req(struct ssh *ssh, Session *s)
-        ssh_tty_parse_modes(ssh, s->ttyfd);
+@@ -1942,7 +1942,7 @@ session_pty_req(struct ssh *ssh, Session *s)
+                sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
  
         if (!use_privsep)
 -               pty_setowner(s->pw, s->tty);
@@ -425,10 +425,10 @@ index ce59dabd9..675c91146 100644
  const char     *session_get_remote_name_or_ip(struct ssh *, u_int, int);
  
 diff --git a/sshd.c b/sshd.c
-index 673db87f6..2bc6679e5 100644
+index 46870d3b5..e3e96426e 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -683,7 +683,7 @@ privsep_postauth(Authctxt *authctxt)
+@@ -594,7 +594,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
         reseed_prngs();
  
         /* Drop privileges */