From 84822b5decc2ddd8415a3167b9ff9f0a368929a3 Mon Sep 17 00:00:00 2001 
From: Petr Lautrbach
Date: Mon, 14 Oct 2013 15:54:41 +0200
Subject: [PATCH] rebase for openssh-6.3p1, remove unused patches (#1007769)
---
openssh-6.2p1-aarch64.patch | 1080 ---------
openssh-6.2p1-modpipe-cflags.patch | 12 -
openssh-6.2p2-sftp-multibyte.patch | 64 -
openssh-6.2p2-ssh_gai_strerror.patch | 23 -
...1-audit.patch => openssh-6.3p1-audit.patch | 456 ++--
...rity.patch => openssh-6.3p1-coverity.patch | 392 ++--
....patch => openssh-6.3p1-ctr-cavstest.patch | 8 +-
....patch => openssh-6.3p1-ctr-evp-fast.patch | 2 +-
...t.patch => openssh-6.3p1-fingerprint.patch | 375 ++-
...2p1-fips.patch => openssh-6.3p1-fips.patch | 343 +--
...krb.patch => openssh-6.3p1-force_krb.patch | 90 +-
...gsskex.patch => openssh-6.3p1-gsskex.patch | 2039 ++++++++---------
...keycat.patch => openssh-6.3p1-keycat.patch | 74 +-
...serok.patch => openssh-6.3p1-kuserok.patch | 88 +-
...2p1-ldap.patch => openssh-6.3p1-ldap.patch | 6 +-
...tch => openssh-6.3p1-privsep-selinux.patch | 44 +-
...redhat.patch => openssh-6.3p1-redhat.patch | 46 +-
...-mls.patch => openssh-6.3p1-role-mls.patch | 317 ++-
openssh.spec | 42 +-
19 files changed, 2100 insertions(+), 3401 deletions(-)
delete mode 100644 openssh-6.2p1-aarch64.patch
delete mode 100644 openssh-6.2p1-modpipe-cflags.patch
delete mode 100644 openssh-6.2p2-sftp-multibyte.patch
delete mode 100644 openssh-6.2p2-ssh_gai_strerror.patch
rename openssh-6.2p1-audit.patch => openssh-6.3p1-audit.patch (83%)
rename openssh-6.2p1-coverity.patch => openssh-6.3p1-coverity.patch (75%)
rename openssh-6.2p1-ctr-cavstest.patch => openssh-6.3p1-ctr-cavstest.patch (98%)
rename openssh-5.9p1-ctr-evp-fast.patch => openssh-6.3p1-ctr-evp-fast.patch (99%)
rename openssh-6.2p1-fingerprint.patch => openssh-6.3p1-fingerprint.patch (75%)
rename openssh-6.2p1-fips.patch => openssh-6.3p1-fips.patch (66%)
rename openssh-6.2p1-force_krb.patch => openssh-6.3p1-force_krb.patch (81%)
rename openssh-6.2p1-gsskex.patch => openssh-6.3p1-gsskex.patch (88%)
rename openssh-6.2p1-keycat.patch => openssh-6.3p1-keycat.patch (87%)
rename openssh-6.2p1-kuserok.patch => openssh-6.3p1-kuserok.patch (63%)
rename openssh-6.2p1-ldap.patch => openssh-6.3p1-ldap.patch (99%)
rename openssh-6.1p1-privsep-selinux.patch => openssh-6.3p1-privsep-selinux.patch (59%)
rename openssh-6.1p1-redhat.patch => openssh-6.3p1-redhat.patch (72%)
rename openssh-6.2p1-role-mls.patch => openssh-6.3p1-role-mls.patch (78%)
diff --git a/openssh-6.2p1-aarch64.patch b/openssh-6.2p1-aarch64.patch
deleted file mode 100644
index 5224fbd..0000000
--- a/openssh-6.2p1-aarch64.patch
+++ /dev/null
@@ -1,1080 +0,0 @@ -diff --git a/config.guess b/config.guess -index 78553c4..b94cde8 100755 ---- a/config.guess -+++ b/config.guess -@@ -2,9 +2,9 @@ - # Attempt to guess a canonical system name. - # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, - # 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, --# 2011 Free Software Foundation, Inc. -+# 2011, 2012, 2013 Free Software Foundation, Inc. - --timestamp='2011-01-23' -+timestamp='2012-12-23' - - # This file is free software; you can redistribute it and/or modify it - # under the terms of the GNU General Public License as published by -@@ -17,9 +17,7 @@ timestamp='2011-01-23' - # General Public License for more details. - # - # You should have received a copy of the GNU General Public License --# along with this program; if not, write to the Free Software --# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA --# 02110-1301, USA. -+# along with this program; if not, see . - # - # As a special exception to the GNU General Public License, if you - # distribute this file as part of a program that contains a -@@ -57,8 +55,8 @@ GNU config.guess ($timestamp) - - Originally written by Per Bothner. - Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, --2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free --Software Foundation, Inc. -+2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, -+2012, 2013 Free Software Foundation, Inc. - - This is free software; see the source for copying conditions. There is NO - warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." 
-@@ -145,7 +143,7 @@ UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown - case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in - *:NetBSD:*:*) - # NetBSD (nbsd) targets should (where applicable) match one or -- # more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*, -+ # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*, - # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently - # switched to ELF, *-*-netbsd* would select the old - # object file format. This provides both forward -@@ -181,7 +179,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in - fi - ;; - *) -- os=netbsd -+ os=netbsd - ;; - esac - # The OS release -@@ -202,6 +200,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in - # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. - echo "${machine}-${os}${release}" - exit ;; -+ *:Bitrig:*:*) -+ UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'` -+ echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE} -+ exit ;; - *:OpenBSD:*:*) - UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` - echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} -@@ -224,7 +226,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in - UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` - ;; - *5.*) -- UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` -+ UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` - ;; - esac - # According to Compaq, /usr/sbin/psrinfo has been available on -@@ -299,12 +301,12 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in - echo s390-ibm-zvmoe - exit ;; - *:OS400:*:*) -- echo powerpc-ibm-os400 -+ echo powerpc-ibm-os400 - exit ;; - arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) - echo arm-acorn-riscix${UNAME_RELEASE} - exit ;; -- arm:riscos:*:*|arm:RISCOS:*:*) -+ arm*:riscos:*:*|arm*:RISCOS:*:*) - echo arm-unknown-riscos - exit ;; - SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*) -@@ -398,23 +400,23 
@@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in - # MiNT. But MiNT is downward compatible to TOS, so this should - # be no problem. - atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) -- echo m68k-atari-mint${UNAME_RELEASE} -+ echo m68k-atari-mint${UNAME_RELEASE} - exit ;; - atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) - echo m68k-atari-mint${UNAME_RELEASE} -- exit ;; -+ exit ;; - *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) -- echo m68k-atari-mint${UNAME_RELEASE} -+ echo m68k-atari-mint${UNAME_RELEASE} - exit ;; - milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) -- echo m68k-milan-mint${UNAME_RELEASE} -- exit ;; -+ echo m68k-milan-mint${UNAME_RELEASE} -+ exit ;; - hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) -- echo m68k-hades-mint${UNAME_RELEASE} -- exit ;; -+ echo m68k-hades-mint${UNAME_RELEASE} -+ exit ;; - *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) -- echo m68k-unknown-mint${UNAME_RELEASE} -- exit ;; -+ echo m68k-unknown-mint${UNAME_RELEASE} -+ exit ;; - m68k:machten:*:*) - echo m68k-apple-machten${UNAME_RELEASE} - exit ;; -@@ -484,8 +486,8 @@ EOF - echo m88k-motorola-sysv3 - exit ;; - AViiON:dgux:*:*) -- # DG/UX returns AViiON for all architectures -- UNAME_PROCESSOR=`/usr/bin/uname -p` -+ # DG/UX returns AViiON for all architectures -+ UNAME_PROCESSOR=`/usr/bin/uname -p` - if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ] - then - if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \ -@@ -498,7 +500,7 @@ EOF - else - echo i586-dg-dgux${UNAME_RELEASE} - fi -- exit ;; -+ exit ;; - M88*:DolphinOS:*:*) # DolphinOS (SVR3) - echo m88k-dolphin-sysv3 - exit ;; -@@ -598,52 +600,52 @@ EOF - 9000/[678][0-9][0-9]) - if [ -x /usr/bin/getconf ]; then - sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` -- sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` -- case "${sc_cpu_version}" in -- 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 -- 528) 
HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 -- 532) # CPU_PA_RISC2_0 -- case "${sc_kernel_bits}" in -- 32) HP_ARCH="hppa2.0n" ;; -- 64) HP_ARCH="hppa2.0w" ;; -+ sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` -+ case "${sc_cpu_version}" in -+ 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 -+ 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 -+ 532) # CPU_PA_RISC2_0 -+ case "${sc_kernel_bits}" in -+ 32) HP_ARCH="hppa2.0n" ;; -+ 64) HP_ARCH="hppa2.0w" ;; - '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20 -- esac ;; -- esac -+ esac ;; -+ esac - fi - if [ "${HP_ARCH}" = "" ]; then - eval $set_cc_for_build -- sed 's/^ //' << EOF >$dummy.c -+ sed 's/^ //' << EOF >$dummy.c - -- #define _HPUX_SOURCE -- #include -- #include -+ #define _HPUX_SOURCE -+ #include -+ #include - -- int main () -- { -- #if defined(_SC_KERNEL_BITS) -- long bits = sysconf(_SC_KERNEL_BITS); -- #endif -- long cpu = sysconf (_SC_CPU_VERSION); -+ int main () -+ { -+ #if defined(_SC_KERNEL_BITS) -+ long bits = sysconf(_SC_KERNEL_BITS); -+ #endif -+ long cpu = sysconf (_SC_CPU_VERSION); - -- switch (cpu) -- { -- case CPU_PA_RISC1_0: puts ("hppa1.0"); break; -- case CPU_PA_RISC1_1: puts ("hppa1.1"); break; -- case CPU_PA_RISC2_0: -- #if defined(_SC_KERNEL_BITS) -- switch (bits) -- { -- case 64: puts ("hppa2.0w"); break; -- case 32: puts ("hppa2.0n"); break; -- default: puts ("hppa2.0"); break; -- } break; -- #else /* !defined(_SC_KERNEL_BITS) */ -- puts ("hppa2.0"); break; -- #endif -- default: puts ("hppa1.0"); break; -- } -- exit (0); -- } -+ switch (cpu) -+ { -+ case CPU_PA_RISC1_0: puts ("hppa1.0"); break; -+ case CPU_PA_RISC1_1: puts ("hppa1.1"); break; -+ case CPU_PA_RISC2_0: -+ #if defined(_SC_KERNEL_BITS) -+ switch (bits) -+ { -+ case 64: puts ("hppa2.0w"); break; -+ case 32: puts ("hppa2.0n"); break; -+ default: puts ("hppa2.0"); break; -+ } break; -+ #else /* !defined(_SC_KERNEL_BITS) */ -+ puts ("hppa2.0"); break; -+ #endif -+ default: puts ("hppa1.0"); break; -+ } -+ exit (0); -+ } - EOF - (CCOPTS= 
$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` - test -z "$HP_ARCH" && HP_ARCH=hppa -@@ -734,22 +736,22 @@ EOF - exit ;; - C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) - echo c1-convex-bsd -- exit ;; -+ exit ;; - C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*) - if getsysinfo -f scalar_acc - then echo c32-convex-bsd - else echo c2-convex-bsd - fi -- exit ;; -+ exit ;; - C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) - echo c34-convex-bsd -- exit ;; -+ exit ;; - C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) - echo c38-convex-bsd -- exit ;; -+ exit ;; - C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) - echo c4-convex-bsd -- exit ;; -+ exit ;; - CRAY*Y-MP:*:*:*) - echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' - exit ;; -@@ -773,14 +775,14 @@ EOF - exit ;; - F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) - FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` -- FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` -- FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` -- echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" -- exit ;; -+ FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` -+ FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` -+ echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" -+ exit ;; - 5000:UNIX_System_V:4.*:*) -- FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` -- FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` -- echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" -+ FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` -+ FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` -+ echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" - exit ;; - 
i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) - echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} -@@ -792,30 +794,35 @@ EOF - echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE} - exit ;; - *:FreeBSD:*:*) -- case ${UNAME_MACHINE} in -- pc98) -- echo i386-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; -+ UNAME_PROCESSOR=`/usr/bin/uname -p` -+ case ${UNAME_PROCESSOR} in - amd64) - echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; - *) -- echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; -+ echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; - esac - exit ;; - i*:CYGWIN*:*) - echo ${UNAME_MACHINE}-pc-cygwin - exit ;; -+ *:MINGW64*:*) -+ echo ${UNAME_MACHINE}-pc-mingw64 -+ exit ;; - *:MINGW*:*) - echo ${UNAME_MACHINE}-pc-mingw32 - exit ;; -+ i*:MSYS*:*) -+ echo ${UNAME_MACHINE}-pc-msys -+ exit ;; - i*:windows32*:*) -- # uname -m includes "-pc" on this system. -- echo ${UNAME_MACHINE}-mingw32 -+ # uname -m includes "-pc" on this system. -+ echo ${UNAME_MACHINE}-mingw32 - exit ;; - i*:PW*:*) - echo ${UNAME_MACHINE}-pc-pw32 - exit ;; - *:Interix*:*) -- case ${UNAME_MACHINE} in -+ case ${UNAME_MACHINE} in - x86) - echo i586-pc-interix${UNAME_RELEASE} - exit ;; -@@ -861,6 +868,13 @@ EOF - i*86:Minix:*:*) - echo ${UNAME_MACHINE}-pc-minix - exit ;; -+ aarch64:Linux:*:*) -+ echo ${UNAME_MACHINE}-unknown-linux-gnu -+ exit ;; -+ aarch64_be:Linux:*:*) -+ UNAME_MACHINE=aarch64_be -+ echo ${UNAME_MACHINE}-unknown-linux-gnu -+ exit ;; - alpha:Linux:*:*) - case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in - EV5) UNAME_MACHINE=alphaev5 ;; -@@ -870,7 +884,7 @@ EOF - EV6) UNAME_MACHINE=alphaev6 ;; - EV67) UNAME_MACHINE=alphaev67 ;; - EV68*) UNAME_MACHINE=alphaev68 ;; -- esac -+ esac - objdump --private-headers /bin/sh | grep -q ld.so.1 - if test "$?" 
= 0 ; then LIBC="libc1" ; else LIBC="" ; fi - echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} -@@ -882,20 +896,29 @@ EOF - then - echo ${UNAME_MACHINE}-unknown-linux-gnu - else -- echo ${UNAME_MACHINE}-unknown-linux-gnueabi -+ if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ -+ | grep -q __ARM_PCS_VFP -+ then -+ echo ${UNAME_MACHINE}-unknown-linux-gnueabi -+ else -+ echo ${UNAME_MACHINE}-unknown-linux-gnueabihf -+ fi - fi - exit ;; - avr32*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-gnu - exit ;; - cris:Linux:*:*) -- echo cris-axis-linux-gnu -+ echo ${UNAME_MACHINE}-axis-linux-gnu - exit ;; - crisv32:Linux:*:*) -- echo crisv32-axis-linux-gnu -+ echo ${UNAME_MACHINE}-axis-linux-gnu - exit ;; - frv:Linux:*:*) -- echo frv-unknown-linux-gnu -+ echo ${UNAME_MACHINE}-unknown-linux-gnu -+ exit ;; -+ hexagon:Linux:*:*) -+ echo ${UNAME_MACHINE}-unknown-linux-gnu - exit ;; - i*86:Linux:*:*) - LIBC=gnu -@@ -937,7 +960,7 @@ EOF - test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; } - ;; - or32:Linux:*:*) -- echo or32-unknown-linux-gnu -+ echo ${UNAME_MACHINE}-unknown-linux-gnu - exit ;; - padre:Linux:*:*) - echo sparc-unknown-linux-gnu -@@ -963,7 +986,7 @@ EOF - echo ${UNAME_MACHINE}-ibm-linux - exit ;; - sh64*:Linux:*:*) -- echo ${UNAME_MACHINE}-unknown-linux-gnu -+ echo ${UNAME_MACHINE}-unknown-linux-gnu - exit ;; - sh*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-gnu -@@ -972,16 +995,16 @@ EOF - echo ${UNAME_MACHINE}-unknown-linux-gnu - exit ;; - tile*:Linux:*:*) -- echo ${UNAME_MACHINE}-tilera-linux-gnu -+ echo ${UNAME_MACHINE}-unknown-linux-gnu - exit ;; - vax:Linux:*:*) - echo ${UNAME_MACHINE}-dec-linux-gnu - exit ;; - x86_64:Linux:*:*) -- echo x86_64-unknown-linux-gnu -+ echo ${UNAME_MACHINE}-unknown-linux-gnu - exit ;; - xtensa*:Linux:*:*) -- echo ${UNAME_MACHINE}-unknown-linux-gnu -+ echo ${UNAME_MACHINE}-unknown-linux-gnu - exit ;; - i*86:DYNIX/ptx:4*:*) - # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. 
-@@ -990,11 +1013,11 @@ EOF - echo i386-sequent-sysv4 - exit ;; - i*86:UNIX_SV:4.2MP:2.*) -- # Unixware is an offshoot of SVR4, but it has its own version -- # number series starting with 2... -- # I am not positive that other SVR4 systems won't match this, -+ # Unixware is an offshoot of SVR4, but it has its own version -+ # number series starting with 2... -+ # I am not positive that other SVR4 systems won't match this, - # I just have to hope. -- rms. -- # Use sysv4.2uw... so that sysv4* matches it. -+ # Use sysv4.2uw... so that sysv4* matches it. - echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} - exit ;; - i*86:OS/2:*:*) -@@ -1026,7 +1049,7 @@ EOF - fi - exit ;; - i*86:*:5:[678]*) -- # UnixWare 7.x, OpenUNIX and OpenServer 6. -+ # UnixWare 7.x, OpenUNIX and OpenServer 6. - case `/bin/uname -X | grep "^Machine"` in - *486*) UNAME_MACHINE=i486 ;; - *Pentium) UNAME_MACHINE=i586 ;; -@@ -1054,13 +1077,13 @@ EOF - exit ;; - pc:*:*:*) - # Left here for compatibility: -- # uname -m prints for DJGPP always 'pc', but it prints nothing about -- # the processor, so we play safe by assuming i586. -+ # uname -m prints for DJGPP always 'pc', but it prints nothing about -+ # the processor, so we play safe by assuming i586. - # Note: whatever this is, it MUST be the same as what config.sub - # prints for the "djgpp" host, or else GDB configury will decide that - # this is a cross-build. 
- echo i586-pc-msdosdjgpp -- exit ;; -+ exit ;; - Intel:Mach:3*:*) - echo i386-pc-mach3 - exit ;; -@@ -1095,8 +1118,8 @@ EOF - /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ - && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; - 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) -- /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ -- && { echo i486-ncr-sysv4; exit; } ;; -+ /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ -+ && { echo i486-ncr-sysv4; exit; } ;; - NCR*:*:4.2:* | MPRAS*:*:4.2:*) - OS_REL='.3' - test -r /etc/.relid \ -@@ -1139,10 +1162,10 @@ EOF - echo ns32k-sni-sysv - fi - exit ;; -- PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort -- # says -- echo i586-unisys-sysv4 -- exit ;; -+ PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort -+ # says -+ echo i586-unisys-sysv4 -+ exit ;; - *:UNIX_System_V:4*:FTX*) - # From Gerald Hewes . - # How about differentiating between stratus architectures? -djm -@@ -1168,11 +1191,11 @@ EOF - exit ;; - R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*) - if [ -d /usr/nec ]; then -- echo mips-nec-sysv${UNAME_RELEASE} -+ echo mips-nec-sysv${UNAME_RELEASE} - else -- echo mips-unknown-sysv${UNAME_RELEASE} -+ echo mips-unknown-sysv${UNAME_RELEASE} - fi -- exit ;; -+ exit ;; - BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only. - echo powerpc-be-beos - exit ;; -@@ -1185,6 +1208,9 @@ EOF - BePC:Haiku:*:*) # Haiku running on Intel PC compatible. 
- echo i586-pc-haiku - exit ;; -+ x86_64:Haiku:*:*) -+ echo x86_64-unknown-haiku -+ exit ;; - SX-4:SUPER-UX:*:*) - echo sx4-nec-superux${UNAME_RELEASE} - exit ;; -@@ -1240,7 +1266,7 @@ EOF - NEO-?:NONSTOP_KERNEL:*:*) - echo neo-tandem-nsk${UNAME_RELEASE} - exit ;; -- NSE-?:NONSTOP_KERNEL:*:*) -+ NSE-*:NONSTOP_KERNEL:*:*) - echo nse-tandem-nsk${UNAME_RELEASE} - exit ;; - NSR-?:NONSTOP_KERNEL:*:*) -@@ -1285,13 +1311,13 @@ EOF - echo pdp10-unknown-its - exit ;; - SEI:*:*:SEIUX) -- echo mips-sei-seiux${UNAME_RELEASE} -+ echo mips-sei-seiux${UNAME_RELEASE} - exit ;; - *:DragonFly:*:*) - echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` - exit ;; - *:*VMS:*:*) -- UNAME_MACHINE=`(uname -p) 2>/dev/null` -+ UNAME_MACHINE=`(uname -p) 2>/dev/null` - case "${UNAME_MACHINE}" in - A*) echo alpha-dec-vms ; exit ;; - I*) echo ia64-dec-vms ; exit ;; -@@ -1309,11 +1335,11 @@ EOF - i*86:AROS:*:*) - echo ${UNAME_MACHINE}-pc-aros - exit ;; -+ x86_64:VMkernel:*:*) -+ echo ${UNAME_MACHINE}-unknown-esx -+ exit ;; - esac - --#echo '(No uname command or uname output not recognized.)' 1>&2 --#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2 -- - eval $set_cc_for_build - cat >$dummy.c < - printf ("m68k-sony-newsos%s\n", - #ifdef NEWSOS4 -- "4" -+ "4" - #else -- "" -+ "" - #endif -- ); exit (0); -+ ); exit (0); - #endif - #endif - -diff --git a/config.sub b/config.sub -index 2d81696..eee8dcc 100755 ---- a/config.sub -+++ b/config.sub -@@ -2,9 +2,9 @@ - # Configuration validation subroutine script. - # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, - # 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, --# 2011 Free Software Foundation, Inc. -+# 2011, 2012, 2013 Free Software Foundation, Inc. - --timestamp='2011-01-01' -+timestamp='2012-12-23' - - # This file is (in principle) common to ALL GNU software. 
- # The presence of a machine in this file suggests that SOME GNU software -@@ -21,9 +21,7 @@ timestamp='2011-01-01' - # GNU General Public License for more details. - # - # You should have received a copy of the GNU General Public License --# along with this program; if not, write to the Free Software --# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA --# 02110-1301, USA. -+# along with this program; if not, see . - # - # As a special exception to the GNU General Public License, if you - # distribute this file as part of a program that contains a -@@ -76,8 +74,8 @@ version="\ - GNU config.sub ($timestamp) - - Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, --2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free --Software Foundation, Inc. -+2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, -+2012, 2013 Free Software Foundation, Inc. - - This is free software; see the source for copying conditions. There is NO - warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." 
-@@ -125,13 +123,17 @@ esac - maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` - case $maybe_os in - nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \ -- linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ -+ linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ - knetbsd*-gnu* | netbsd*-gnu* | \ - kopensolaris*-gnu* | \ - storm-chaos* | os2-emx* | rtmk-nova*) - os=-$maybe_os - basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` - ;; -+ android-linux) -+ os=-linux-android -+ basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown -+ ;; - *) - basic_machine=`echo $1 | sed 's/-[^-]*$//'` - if [ $basic_machine != $1 ] -@@ -154,12 +156,12 @@ case $os in - -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ - -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ - -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ -- -apple | -axis | -knuth | -cray | -microblaze) -+ -apple | -axis | -knuth | -cray | -microblaze*) - os= - basic_machine=$1 - ;; -- -bluegene*) -- os=-cnk -+ -bluegene*) -+ os=-cnk - ;; - -sim | -cisco | -oki | -wec | -winbond) - os= -@@ -175,10 +177,10 @@ case $os in - os=-chorusos - basic_machine=$1 - ;; -- -chorusrdb) -- os=-chorusrdb -+ -chorusrdb) -+ os=-chorusrdb - basic_machine=$1 -- ;; -+ ;; - -hiux*) - os=-hiuxwe2 - ;; -@@ -223,6 +225,12 @@ case $os in - -isc*) - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; -+ -lynx*178) -+ os=-lynxos178 -+ ;; -+ -lynx*5) -+ os=-lynxos5 -+ ;; - -lynx*) - os=-lynxos - ;; -@@ -247,20 +255,27 @@ case $basic_machine in - # Some are omitted here because they have special meanings below. 
- 1750a | 580 \ - | a29k \ -+ | aarch64 | aarch64_be \ - | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ - | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ - | am33_2.0 \ -- | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr | avr32 \ -+ | arc \ -+ | arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \ -+ | avr | avr32 \ -+ | be32 | be64 \ - | bfin \ - | c4x | clipper \ - | d10v | d30v | dlx | dsp16xx \ -+ | epiphany \ - | fido | fr30 | frv \ - | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ -+ | hexagon \ - | i370 | i860 | i960 | ia64 \ - | ip2k | iq2000 \ -+ | le32 | le64 \ - | lm32 \ - | m32c | m32r | m32rle | m68000 | m68k | m88k \ -- | maxq | mb | microblaze | mcore | mep | metag \ -+ | maxq | mb | microblaze | microblazeel | mcore | mep | metag \ - | mips | mipsbe | mipseb | mipsel | mipsle \ - | mips16 \ - | mips64 | mips64el \ -@@ -286,22 +301,23 @@ case $basic_machine in - | nds32 | nds32le | nds32be \ - | nios | nios2 \ - | ns16k | ns32k \ -+ | open8 \ - | or32 \ - | pdp10 | pdp11 | pj | pjl \ -- | powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \ -+ | powerpc | powerpc64 | powerpc64le | powerpcle \ - | pyramid \ -- | rx \ -+ | rl78 | rx \ - | score \ - | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ - | sh64 | sh64le \ - | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \ - | sparcv8 | sparcv9 | sparcv9b | sparcv9v \ -- | spu | strongarm \ -- | tahoe | thumb | tic4x | tic54x | tic55x | tic6x | tic80 | tron \ -+ | spu \ -+ | tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \ - | ubicom32 \ -- | v850 | v850e \ -+ | v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \ - | we32k \ -- | x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \ -+ | x86 | xc16x | xstormy16 | xtensa \ - | z8k | z80) - basic_machine=$basic_machine-unknown - ;; -@@ -314,8 +330,7 @@ 
case $basic_machine in - c6x) - basic_machine=tic6x-unknown - ;; -- m6811 | m68hc11 | m6812 | m68hc12 | picochip) -- # Motorola 68HC11/12. -+ m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | picochip) - basic_machine=$basic_machine-unknown - os=-none - ;; -@@ -325,6 +340,21 @@ case $basic_machine in - basic_machine=mt-unknown - ;; - -+ strongarm | thumb | xscale) -+ basic_machine=arm-unknown -+ ;; -+ xgate) -+ basic_machine=$basic_machine-unknown -+ os=-none -+ ;; -+ xscaleeb) -+ basic_machine=armeb-unknown -+ ;; -+ -+ xscaleel) -+ basic_machine=armel-unknown -+ ;; -+ - # We use `pc' rather than `unknown' - # because (1) that's what they normally are, and - # (2) the word "unknown" tends to confuse beginning users. -@@ -339,11 +369,13 @@ case $basic_machine in - # Recognize the basic CPU types with company name. - 580-* \ - | a29k-* \ -+ | aarch64-* | aarch64_be-* \ - | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \ - | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \ - | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \ - | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ - | avr-* | avr32-* \ -+ | be32-* | be64-* \ - | bfin-* | bs2000-* \ - | c[123]* | c30-* | [cjt]90-* | c4x-* \ - | clipper-* | craynv-* | cydra-* \ -@@ -352,12 +384,15 @@ case $basic_machine in - | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \ - | h8300-* | h8500-* \ - | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ -+ | hexagon-* \ - | i*86-* | i860-* | i960-* | ia64-* \ - | ip2k-* | iq2000-* \ -+ | le32-* | le64-* \ - | lm32-* \ - | m32c-* | m32r-* | m32rle-* \ - | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ -- | m88110-* | m88k-* | maxq-* | mcore-* | metag-* | microblaze-* \ -+ | m88110-* | m88k-* | maxq-* | mcore-* | metag-* \ -+ | microblaze-* | microblazeel-* \ - | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ - | mips16-* \ - | mips64-* | mips64el-* \ -@@ -382,24 +417,26 @@ case $basic_machine in - | nds32-* | 
nds32le-* | nds32be-* \ - | nios-* | nios2-* \ - | none-* | np1-* | ns16k-* | ns32k-* \ -+ | open8-* \ - | orion-* \ - | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ -- | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \ -+ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ - | pyramid-* \ -- | romp-* | rs6000-* | rx-* \ -+ | rl78-* | romp-* | rs6000-* | rx-* \ - | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ - | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ - | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \ - | sparclite-* \ -- | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | strongarm-* | sv1-* | sx?-* \ -- | tahoe-* | thumb-* \ -+ | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \ -+ | tahoe-* \ - | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ -- | tile-* | tilegx-* \ -+ | tile*-* \ - | tron-* \ - | ubicom32-* \ -- | v850-* | v850e-* | vax-* \ -+ | v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \ -+ | vax-* \ - | we32k-* \ -- | x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \ -+ | x86-* | x86_64-* | xc16x-* | xps100-* \ - | xstormy16-* | xtensa*-* \ - | ymp-* \ - | z8k-* | z80-*) -@@ -424,7 +461,7 @@ case $basic_machine in - basic_machine=a29k-amd - os=-udi - ;; -- abacus) -+ abacus) - basic_machine=abacus-unknown - ;; - adobe68k) -@@ -507,7 +544,7 @@ case $basic_machine in - basic_machine=c90-cray - os=-unicos - ;; -- cegcc) -+ cegcc) - basic_machine=arm-unknown - os=-cegcc - ;; -@@ -697,7 +734,6 @@ case $basic_machine in - i370-ibm* | ibm*) - basic_machine=i370-ibm - ;; --# I'm not sure what "Sysv32" means. Should this be sysv3.2? 
- i*86v32) - basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` - os=-sysv32 -@@ -755,9 +791,13 @@ case $basic_machine in - basic_machine=ns32k-utek - os=-sysv - ;; -- microblaze) -+ microblaze*) - basic_machine=microblaze-xilinx - ;; -+ mingw64) -+ basic_machine=x86_64-pc -+ os=-mingw64 -+ ;; - mingw32) - basic_machine=i386-pc - os=-mingw32 -@@ -794,10 +834,18 @@ case $basic_machine in - ms1-*) - basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'` - ;; -+ msys) -+ basic_machine=i386-pc -+ os=-msys -+ ;; - mvs) - basic_machine=i370-ibm - os=-mvs - ;; -+ nacl) -+ basic_machine=le32-unknown -+ os=-nacl -+ ;; - ncr3000) - basic_machine=i486-ncr - os=-sysv4 -@@ -862,10 +910,10 @@ case $basic_machine in - np1) - basic_machine=np1-gould - ;; -- neo-tandem) -+ neo-tandem) - basic_machine=neo-tandem - ;; -- nse-tandem) -+ nse-tandem) - basic_machine=nse-tandem - ;; - nsr-tandem) -@@ -950,9 +998,10 @@ case $basic_machine in - ;; - power) basic_machine=power-ibm - ;; -- ppc) basic_machine=powerpc-unknown -+ ppc | ppcbe) basic_machine=powerpc-unknown - ;; -- ppc-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` -+ ppc-* | ppcbe-*) -+ basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - ppcle | powerpclittle | ppc-le | powerpc-little) - basic_machine=powerpcle-unknown -@@ -977,7 +1026,11 @@ case $basic_machine in - basic_machine=i586-unknown - os=-pw32 - ;; -- rdos) -+ rdos | rdos64) -+ basic_machine=x86_64-pc -+ os=-rdos -+ ;; -+ rdos32) - basic_machine=i386-pc - os=-rdos - ;; -@@ -1046,6 +1099,9 @@ case $basic_machine in - basic_machine=i860-stratus - os=-sysv4 - ;; -+ strongarm-* | thumb-*) -+ basic_machine=arm-`echo $basic_machine | sed 's/^[^-]*-//'` -+ ;; - sun2) - basic_machine=m68000-sun - ;; -@@ -1102,13 +1158,8 @@ case $basic_machine in - basic_machine=t90-cray - os=-unicos - ;; -- # This must be matched before tile*. 
-- tilegx*) -- basic_machine=tilegx-unknown -- os=-linux-gnu -- ;; - tile*) -- basic_machine=tile-unknown -+ basic_machine=$basic_machine-unknown - os=-linux-gnu - ;; - tx39) -@@ -1178,6 +1229,9 @@ case $basic_machine in - xps | xps100) - basic_machine=xps100-honeywell - ;; -+ xscale-* | xscalee[bl]-*) -+ basic_machine=`echo $basic_machine | sed 's/^xscale/arm/'` -+ ;; - ymp) - basic_machine=ymp-cray - os=-unicos -@@ -1275,11 +1329,11 @@ esac - if [ x"$os" != x"" ] - then - case $os in -- # First match some system type aliases -- # that might get confused with valid system types. -+ # First match some system type aliases -+ # that might get confused with valid system types. - # -solaris* is a basic system type, with this one exception. -- -auroraux) -- os=-auroraux -+ -auroraux) -+ os=-auroraux - ;; - -solaris1 | -solaris1.*) - os=`echo $os | sed -e 's|solaris1|sunos4|'` -@@ -1309,15 +1363,15 @@ case $os in - | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ - | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ - | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \ -- | -openbsd* | -solidbsd* \ -+ | -bitrig* | -openbsd* | -solidbsd* \ - | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ - | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ - | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ - | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ - | -chorusos* | -chorusrdb* | -cegcc* \ -- | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ -- | -mingw32* | -linux-gnu* | -linux-android* \ -- | -linux-newlib* | -linux-uclibc* \ -+ | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ -+ | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ -+ | -linux-newlib* | -linux-musl* | -linux-uclibc* \ - | -uxpv* | -beos* | -mpeix* | -udk* \ - | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ - | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ -@@ -1364,7 +1418,7 @@ case $os in - 
-opened*) - os=-openedition - ;; -- -os400*) -+ -os400*) - os=-os400 - ;; - -wince*) -@@ -1413,7 +1467,7 @@ case $os in - -sinix*) - os=-sysv4 - ;; -- -tpf*) -+ -tpf*) - os=-tpf - ;; - -triton*) -@@ -1458,8 +1512,8 @@ case $os in - -dicos*) - os=-dicos - ;; -- -nacl*) -- ;; -+ -nacl*) -+ ;; - -none) - ;; - *) -@@ -1482,10 +1536,10 @@ else - # system, and we'll never get to this point. - - case $basic_machine in -- score-*) -+ score-*) - os=-elf - ;; -- spu-*) -+ spu-*) - os=-elf - ;; - *-acorn) -@@ -1497,8 +1551,11 @@ case $basic_machine in - arm*-semi) - os=-aout - ;; -- c4x-* | tic4x-*) -- os=-coff -+ c4x-* | tic4x-*) -+ os=-coff -+ ;; -+ hexagon-*) -+ os=-elf - ;; - tic54x-*) - os=-coff -@@ -1527,14 +1584,11 @@ case $basic_machine in - ;; - m68000-sun) - os=-sunos3 -- # This also exists in the configure program, but was not the -- # default. -- # os=-sunos4 - ;; - m68*-cisco) - os=-aout - ;; -- mep-*) -+ mep-*) - os=-elf - ;; - mips*-cisco) -@@ -1561,7 +1615,7 @@ case $basic_machine in - *-ibm) - os=-aix - ;; -- *-knuth) -+ *-knuth) - os=-mmixware - ;; - *-wec) diff --git a/openssh-6.2p1-modpipe-cflags.patch b/openssh-6.2p1-modpipe-cflags.patch deleted file mode 100644 index abcf47a..0000000 --- a/openssh-6.2p1-modpipe-cflags.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up openssh-6.2p1/Makefile.in.modpipe-pie openssh-6.2p1/Makefile.in ---- openssh-6.2p1/Makefile.in.modpipe-pie 2013-04-04 14:44:26.293745777 +0200 -+++ openssh-6.2p1/Makefile.in 2013-04-04 14:44:49.483647020 +0200 -@@ -418,7 +418,7 @@ uninstall: - - regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c - [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \ -- $(CC) $(CPPFLAGS) -o $@ $? \ -+ $(CC) $(CPPFLAGS) $(CFLAGS) -o $@ $? \ - $(LDFLAGS) -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) - - tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) diff --git a/openssh-6.2p2-sftp-multibyte.patch b/openssh-6.2p2-sftp-multibyte.patch deleted file mode 100644 index 2f9b423..0000000 
--- a/openssh-6.2p2-sftp-multibyte.patch
+++ /dev/null
@@ -1,64 +0,0 @@ -diff --git a/ChangeLog b/ChangeLog -index f5e2df0..74a03f8 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,3 +1,11 @@ -+20130605 -+ - dtucker@cvs.openbsd.org 2013/06/04 20:42:36 -+ [sftp.c] -+ Make sftp's libedit interface marginally multibyte aware by building up -+ the quoted string by character instead of by byte. Prevents failures -+ when linked against a libedit built with wide character support (bz#1990). -+ "looks ok" djm -+ - 20130516 - - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be - executed if mktemp failed; bz#2105 ok dtucker@ -diff --git a/sftp.c b/sftp.c -index 25c35fa..c9a9919 100644 ---- a/sftp.c -+++ b/sftp.c -@@ -38,6 +38,7 @@ - #ifdef HAVE_LIBGEN_H - #include - #endif -+#include - #ifdef USE_LIBEDIT - #include - #else -@@ -1694,8 +1695,9 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, - char *file, int remote, int lastarg, char quote, int terminated) - { - glob_t g; -- char *tmp, *tmp2, ins[3]; -+ char *tmp, *tmp2, ins[8]; - u_int i, hadglob, pwdlen, len, tmplen, filelen, cesc, isesc, isabs; -+ int clen; - const LineInfo *lf; - - /* Glob from "file" location */ -@@ -1764,10 +1766,13 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path, - tmp2 = tmp + filelen - cesc; - len = strlen(tmp2); - /* quote argument on way out */ -- for (i = 0; i < len; i++) { -+ for (i = 0; i < len; i += clen) { -+ if ((clen = mblen(tmp2 + i, len - i)) < 0 || -+ (size_t)clen > sizeof(ins) - 2) -+ fatal("invalid multibyte character"); - ins[0] = '\\'; -- ins[1] = tmp2[i]; -- ins[2] = '\0'; -+ memcpy(ins + 1, tmp2 + i, clen); -+ ins[clen + 1] = '\0'; - switch (tmp2[i]) { - case '\'': - case '"': -@@ -2112,6 +2117,7 @@ main(int argc, char **argv) - - /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ - sanitise_stdfd(); -+ setlocale(LC_CTYPE, ""); - - __progname = ssh_get_progname(argv[0]); - memset(&args, '\0', sizeof(args)); 
diff --git a/openssh-6.2p2-ssh_gai_strerror.patch b/openssh-6.2p2-ssh_gai_strerror.patch deleted file mode 100644 index 0e433fa..0000000 --- a/openssh-6.2p2-ssh_gai_strerror.patch +++ /dev/null @@ -1,23 +0,0 @@ -diff -U0 openssh-6.2p2/ChangeLog.ssh_gai_strerror openssh-6.2p2/ChangeLog ---- openssh-6.2p2/ChangeLog.ssh_gai_strerror 2013-07-23 12:03:41.467902339 +0200 -+++ openssh-6.2p2/ChangeLog 2013-07-23 12:06:03.414281151 +0200 -@@ -0,0 +1,7 @@ -+20130718 -+ - djm@cvs.openbsd.org 2013/07/12 00:43:50 -+ [misc.c] -+ in ssh_gai_strerror() don't fallback to strerror for EAI_SYSTEM when -+ errno == 0. Avoids confusing error message in some broken resolver -+ cases. bz#2122 patch from plautrba AT redhat.com; ok dtucker -+ -diff -up openssh-6.2p2/misc.c.ssh_gai_strerror openssh-6.2p2/misc.c ---- openssh-6.2p2/misc.c.ssh_gai_strerror 2013-07-23 12:03:41.321902978 +0200 -+++ openssh-6.2p2/misc.c 2013-07-23 12:03:41.467902339 +0200 -@@ -127,7 +127,7 @@ unset_nonblock(int fd) - const char * - ssh_gai_strerror(int gaierr) - { -- if (gaierr == EAI_SYSTEM) -+ if (gaierr == EAI_SYSTEM && errno != 0) - return strerror(errno); - return gai_strerror(gaierr); - } diff --git a/openssh-6.2p1-audit.patch b/openssh-6.3p1-audit.patch similarity index 83% rename from openssh-6.2p1-audit.patch rename to openssh-6.3p1-audit.patch index 9a5d23c..39296c1 100644 --- a/openssh-6.2p1-audit.patch +++ b/openssh-6.3p1-audit.patch 
@@ -1,8 +1,7 @@ -diff --git a/Makefile.in b/Makefile.in -index d327787..85903be 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -73,7 +73,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ +diff -up openssh-6.3p1/Makefile.in.audit openssh-6.3p1/Makefile.in +--- openssh-6.3p1/Makefile.in.audit 2013-06-11 03:26:10.000000000 +0200 ++++ openssh-6.3p1/Makefile.in 2013-10-07 15:53:34.246717277 +0200 +@@ -73,7 +73,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ @@ -11,11 +10,10 @@ index d327787..85903be 100644 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect1.o sshconnect2.o mux.o \ -diff --git a/audit-bsm.c b/audit-bsm.c -index 6135591..5160869 100644 ---- a/audit-bsm.c -+++ b/audit-bsm.c -@@ -375,10 +375,23 @@ audit_connection_from(const char *host, int port) +diff -up openssh-6.3p1/audit-bsm.c.audit openssh-6.3p1/audit-bsm.c +--- openssh-6.3p1/audit-bsm.c.audit 2012-02-24 00:40:43.000000000 +0100 ++++ openssh-6.3p1/audit-bsm.c 2013-10-07 15:53:34.246717277 +0200 +@@ -375,10 +375,23 @@ audit_connection_from(const char *host, #endif } @@ -40,7 +38,7 @@ index 6135591..5160869 100644 } void -@@ -393,6 +406,12 @@ audit_session_close(struct logininfo *li) +@@ -393,6 +406,12 @@ audit_session_close(struct logininfo *li /* not implemented */ } @@ -94,10 +92,9 @@ index 6135591..5160869 100644 + /* not implemented */ +} #endif /* BSM */ -diff --git a/audit-linux.c b/audit-linux.c -index b3ee2f4..43904ee 100644 ---- a/audit-linux.c -+++ b/audit-linux.c +diff -up openssh-6.3p1/audit-linux.c.audit openssh-6.3p1/audit-linux.c +--- openssh-6.3p1/audit-linux.c.audit 2011-01-17 11:15:30.000000000 +0100 ++++ openssh-6.3p1/audit-linux.c 2013-10-07 15:53:34.246717277 +0200 @@ -35,13 +35,24 @@ #include "log.h" 
@@ -126,7 +123,7 @@ index b3ee2f4..43904ee 100644 { int audit_fd, rc, saved_errno; -@@ -49,11 +60,11 @@ linux_audit_record_event(int uid, const char *username, +@@ -49,11 +60,11 @@ linux_audit_record_event(int uid, const if (audit_fd < 0) { if (errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT) @@ -141,7 +138,7 @@ index b3ee2f4..43904ee 100644 NULL, "login", username ? username : "(unknown)", username == NULL ? uid : -1, hostname, ip, ttyn, success); saved_errno = errno; -@@ -65,35 +76,150 @@ linux_audit_record_event(int uid, const char *username, +@@ -65,35 +76,150 @@ linux_audit_record_event(int uid, const if ((rc == -EPERM) && (geteuid() != 0)) rc = 0; errno = saved_errno; @@ -364,7 +361,7 @@ index b3ee2f4..43904ee 100644 + snprintf(buf, sizeof(buf), "op=unsupported-%s direction=? cipher=? ksize=? rport=%d laddr=%s lport=%d ", + name[what], get_remote_port(), (s = get_local_ipaddr(packet_get_connection_in())), + get_local_port()); -+ xfree(s); ++ free(s); + audit_fd = audit_open(); + if (audit_fd < 0) + /* no problem, the next instruction will be fatal() */ @@ -391,7 +388,7 @@ index b3ee2f4..43904ee 100644 + direction[ctos], enc, cipher ? 8 * cipher->key_len : 0, mac, + (intmax_t)pid, (intmax_t)uid, + get_remote_port(), (s = get_local_ipaddr(packet_get_connection_in())), get_local_port()); -+ xfree(s); ++ free(s); + audit_fd = audit_open(); + if (audit_fd < 0) { + if (errno == EINVAL || errno == EPROTONOSUPPORT || @@ -421,7 +418,7 @@ index b3ee2f4..43904ee 100644 + get_remote_port(), + (s = get_local_ipaddr(packet_get_connection_in())), + get_local_port()); -+ xfree(s); ++ free(s); + audit_fd = audit_open(); + if (audit_fd < 0) { + if (errno != EINVAL && errno != EPROTONOSUPPORT && 
@@ -484,10 +481,9 @@ index b3ee2f4..43904ee 100644 + error("cannot write into audit"); +} #endif /* USE_LINUX_AUDIT */ -diff --git a/audit.c b/audit.c -index ced57fa..1ccc9e9 100644 ---- a/audit.c -+++ b/audit.c +diff -up openssh-6.3p1/audit.c.audit openssh-6.3p1/audit.c +--- openssh-6.3p1/audit.c.audit 2011-01-17 11:15:30.000000000 +0100 ++++ openssh-6.3p1/audit.c 2013-10-07 15:53:34.246717277 +0200 @@ -28,6 +28,7 @@ #include @@ -523,7 +519,7 @@ index ced57fa..1ccc9e9 100644 + crypto_name = key_ssh_name(key); + if (audit_keyusage(host_user, crypto_name, key_size(key), fp, *rv) == 0) + *rv = 0; -+ xfree(fp); ++ free(fp); +} + +void @@ -565,7 +561,7 @@ index ced57fa..1ccc9e9 100644 * Called when a user session is started. Argument is the tty allocated to * the session, or NULL if no tty was allocated. * -@@ -174,13 +223,91 @@ audit_session_close(struct logininfo *li) +@@ -174,13 +223,91 @@ audit_session_close(struct logininfo *li /* * This will be called when a user runs a non-interactive command. Note that * it may be called multiple times for a single connection since SSH2 allows @@ -659,10 +655,9 @@ index ced57fa..1ccc9e9 100644 } # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */ -diff --git a/audit.h b/audit.h -index 92ede5b..a2dc3ff 100644 ---- a/audit.h -+++ b/audit.h +diff -up openssh-6.3p1/audit.h.audit openssh-6.3p1/audit.h +--- openssh-6.3p1/audit.h.audit 2011-01-17 11:15:30.000000000 +0100 ++++ openssh-6.3p1/audit.h 2013-10-07 15:53:34.246717277 +0200 @@ -28,6 +28,7 @@ # define _SSH_AUDIT_H 
@@ -698,11 +693,9 @@ index 92ede5b..a2dc3ff 100644 +void audit_generate_ephemeral_server_key(const char *); #endif /* _SSH_AUDIT_H */ -diff --git a/auditstub.c b/auditstub.c -new file mode 100644 -index 0000000..45817e0 ---- /dev/null -+++ b/auditstub.c +diff -up openssh-6.3p1/auditstub.c.audit openssh-6.3p1/auditstub.c +--- openssh-6.3p1/auditstub.c.audit 2013-10-07 15:53:34.247717272 +0200 ++++ openssh-6.3p1/auditstub.c 2013-10-07 15:53:34.247717272 +0200 @@ -0,0 +1,50 @@ +/* $Id: auditstub.c,v 1.1 jfch Exp $ */ + @@ -754,11 +747,10 @@ index 0000000..45817e0 +audit_session_key_free_body(int ctos, pid_t pid, uid_t uid) +{ +} -diff --git a/auth-rsa.c b/auth-rsa.c -index de7c369..7fdd0ae 100644 ---- a/auth-rsa.c -+++ b/auth-rsa.c -@@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16]) +diff -up openssh-6.3p1/auth-rsa.c.audit openssh-6.3p1/auth-rsa.c +--- openssh-6.3p1/auth-rsa.c.audit 2013-07-18 08:12:44.000000000 +0200 ++++ openssh-6.3p1/auth-rsa.c 2013-10-07 15:53:34.247717272 +0200 +@@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNU { u_char buf[32], mdbuf[16]; MD5_CTX md; @@ -770,7 +762,7 @@ index de7c369..7fdd0ae 100644 /* don't allow short keys */ if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) { -@@ -113,12 +116,18 @@ auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16]) +@@ -113,12 +116,18 @@ auth_rsa_verify_response(Key *key, BIGNU MD5_Final(mdbuf, &md); /* Verify that the response is the original challenge. */ 
@@ -787,18 +779,17 @@ index de7c369..7fdd0ae 100644 } - /* Correct answer. */ - return (1); -+ xfree(fp); ++ free(fp); +#endif + + return rv; } /* -diff --git a/auth.h b/auth.h -index c6fe847..9ecc405 100644 ---- a/auth.h -+++ b/auth.h -@@ -181,6 +181,7 @@ void abandon_challenge_response(Authctxt *); +diff -up openssh-6.3p1/auth.h.audit openssh-6.3p1/auth.h +--- openssh-6.3p1/auth.h.audit 2013-07-20 05:21:53.000000000 +0200 ++++ openssh-6.3p1/auth.h 2013-10-07 16:02:38.629171107 +0200 +@@ -187,6 +187,7 @@ void abandon_challenge_response(Authctxt char *expand_authorized_keys(const char *, struct passwd *pw); char *authorized_principals_file(struct passwd *); @@ -806,19 +797,18 @@ index c6fe847..9ecc405 100644 FILE *auth_openkeyfile(const char *, struct passwd *, int); FILE *auth_openprincipals(const char *, struct passwd *, int); -@@ -196,6 +197,7 @@ Key *get_hostkey_public_by_type(int); - Key *get_hostkey_private_by_type(int); +@@ -204,6 +205,7 @@ Key *get_hostkey_private_by_type(int); int get_hostkey_index(Key *); int ssh1_session_key(BIGNUM *); + void sshd_hostkey_sign(Key *, Key *, u_char **, u_int *, u_char *, u_int); +int hostbased_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int); /* debug messages during authentication */ void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2))); -diff --git a/auth2-hostbased.c b/auth2-hostbased.c -index 69b849b..e535680 100644 ---- a/auth2-hostbased.c -+++ b/auth2-hostbased.c -@@ -119,7 +119,7 @@ userauth_hostbased(Authctxt *authctxt) +diff -up openssh-6.3p1/auth2-hostbased.c.audit openssh-6.3p1/auth2-hostbased.c +--- openssh-6.3p1/auth2-hostbased.c.audit 2013-10-07 15:53:34.223717384 +0200 ++++ openssh-6.3p1/auth2-hostbased.c 2013-10-07 15:53:34.247717272 +0200 +@@ -123,7 +123,7 @@ userauth_hostbased(Authctxt *authctxt) /* test for allowed key and correct signature */ authenticated = 0; if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) && 
@@ -827,7 +817,7 @@ index 69b849b..e535680 100644 buffer_len(&b))) == 1) authenticated = 1; -@@ -136,6 +136,18 @@ done: +@@ -140,6 +140,18 @@ done: return authenticated; } @@ -846,11 +836,10 @@ index 69b849b..e535680 100644 /* return 1 if given hostkey is allowed */ int hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, -diff --git a/auth2-pubkey.c b/auth2-pubkey.c -index d78381a..8f913ab 100644 ---- a/auth2-pubkey.c -+++ b/auth2-pubkey.c -@@ -146,7 +146,7 @@ userauth_pubkey(Authctxt *authctxt) +diff -up openssh-6.3p1/auth2-pubkey.c.audit openssh-6.3p1/auth2-pubkey.c +--- openssh-6.3p1/auth2-pubkey.c.audit 2013-10-07 15:53:34.224717379 +0200 ++++ openssh-6.3p1/auth2-pubkey.c 2013-10-08 15:11:42.282436972 +0200 +@@ -152,7 +152,7 @@ userauth_pubkey(Authctxt *authctxt) /* test for correct signature */ authenticated = 0; if (PRIVSEP(user_key_allowed(authctxt->pw, key)) && @@ -859,8 +848,8 @@ index d78381a..8f913ab 100644 buffer_len(&b))) == 1) authenticated = 1; buffer_free(&b); -@@ -183,6 +183,18 @@ done: - return authenticated; +@@ -223,6 +223,18 @@ pubkey_auth_info(Authctxt *authctxt, con + free(extra); } +int @@ -878,11 +867,10 @@ index d78381a..8f913ab 100644 static int match_principals_option(const char *principal_list, struct KeyCert *cert) { -diff --git a/auth2.c b/auth2.c -index e367a10..c28638b 100644 ---- a/auth2.c -+++ b/auth2.c -@@ -242,9 +242,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) +diff -up openssh-6.3p1/auth2.c.audit openssh-6.3p1/auth2.c +--- openssh-6.3p1/auth2.c.audit 2013-06-01 23:41:51.000000000 +0200 ++++ openssh-6.3p1/auth2.c 2013-10-07 15:53:34.248717268 +0200 +@@ -245,9 +245,6 @@ input_userauth_request(int type, u_int32 } else { logit("input_userauth_request: invalid user %s", user); authctxt->pw = fakepw(); 
@@ -892,11 +880,10 @@ index e367a10..c28638b 100644 } #ifdef USE_PAM if (options.use_pam) -diff --git a/cipher.c b/cipher.c -index 9ca1d00..e1d716a 100644 ---- a/cipher.c -+++ b/cipher.c -@@ -55,17 +55,7 @@ extern const EVP_CIPHER *evp_ssh1_bf(void); +diff -up openssh-6.3p1/cipher.c.audit openssh-6.3p1/cipher.c +--- openssh-6.3p1/cipher.c.audit 2013-10-07 15:53:34.248717268 +0200 ++++ openssh-6.3p1/cipher.c 2013-10-07 16:06:51.117971891 +0200 +@@ -55,18 +55,6 @@ extern const EVP_CIPHER *evp_ssh1_bf(voi extern const EVP_CIPHER *evp_ssh1_3des(void); extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); @@ -910,15 +897,14 @@ index 9ca1d00..e1d716a 100644 - u_int discard_len; - u_int cbc_mode; - const EVP_CIPHER *(*evptype)(void); --} ciphers[] = { -+struct Cipher ciphers[] = { +-}; +- + static const struct Cipher ciphers[] = { { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, - { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des }, -diff --git a/cipher.h b/cipher.h -index 8cb57c3..89b2dc9 100644 ---- a/cipher.h -+++ b/cipher.h +diff -up openssh-6.3p1/cipher.h.audit openssh-6.3p1/cipher.h +--- openssh-6.3p1/cipher.h.audit 2013-04-23 11:24:32.000000000 +0200 ++++ openssh-6.3p1/cipher.h 2013-10-07 15:53:34.248717268 +0200 @@ -61,7 +61,18 @@ typedef struct Cipher Cipher; typedef struct CipherContext CipherContext; @@ -939,10 +925,9 @@ index 8cb57c3..89b2dc9 100644 struct CipherContext { int plaintext; int encrypt; -diff --git a/kex.c b/kex.c -index 57a79dd..922cf9d 100644 ---- a/kex.c -+++ b/kex.c +diff -up openssh-6.3p1/kex.c.audit openssh-6.3p1/kex.c +--- openssh-6.3p1/kex.c.audit 2013-06-01 23:31:18.000000000 +0200 ++++ openssh-6.3p1/kex.c 2013-10-07 15:53:34.249717264 +0200 @@ -49,6 +49,7 @@ #include "dispatch.h" #include "monitor.h" 
@@ -951,7 +936,7 @@ index 57a79dd..922cf9d 100644 #if OPENSSL_VERSION_NUMBER >= 0x00907000L # if defined(HAVE_EVP_SHA256) -@@ -296,9 +297,13 @@ static void +@@ -341,9 +342,13 @@ static void choose_enc(Enc *enc, char *client, char *server) { char *name = match_list(client, server, NULL); @@ -966,7 +951,7 @@ index 57a79dd..922cf9d 100644 if ((enc->cipher = cipher_by_name(name)) == NULL) fatal("matching cipher is not supported: %s", name); enc->name = name; -@@ -314,9 +319,13 @@ static void +@@ -359,9 +364,13 @@ static void choose_mac(Mac *mac, char *client, char *server) { char *name = match_list(client, server, NULL); @@ -981,7 +966,7 @@ index 57a79dd..922cf9d 100644 if (mac_setup(mac, name) < 0) fatal("unsupported mac %s", name); /* truncate the key */ -@@ -331,8 +340,12 @@ static void +@@ -376,8 +385,12 @@ static void choose_comp(Comp *comp, char *client, char *server) { char *name = match_list(client, server, NULL); @@ -995,7 +980,7 @@ index 57a79dd..922cf9d 100644 if (strcmp(name, "zlib@openssh.com") == 0) { comp->type = COMP_DELAYED; } else if (strcmp(name, "zlib") == 0) { -@@ -460,6 +473,9 @@ kex_choose_conf(Kex *kex) +@@ -492,6 +505,9 @@ kex_choose_conf(Kex *kex) newkeys->enc.name, authlen == 0 ? newkeys->mac.name : "", newkeys->comp.name); @@ -1005,7 +990,7 @@ index 57a79dd..922cf9d 100644 } choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]); choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], -@@ -624,3 +640,34 @@ dump_digest(char *msg, u_char *digest, int len) +@@ -656,3 +672,34 @@ dump_digest(char *msg, u_char *digest, i fprintf(stderr, "\n"); } #endif @@ -1018,12 +1003,12 @@ index 57a79dd..922cf9d 100644 + + if (enc->key) { + memset(enc->key, 0, enc->key_len); -+ xfree(enc->key); ++ free(enc->key); + } + + if (enc->iv) { + memset(enc->iv, 0, enc->block_size); -+ xfree(enc->iv); ++ free(enc->iv); + } + + memset(enc, 0, sizeof(*enc)); 
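Review bot: The rebased `enc_destroy` body in the kex.c part of this hunk scrubs key material with `memset(enc->key, 0, enc->key_len);` immediately followed by the new `free(enc->key);` (and the same for `enc->iv`), and a plain memset whose buffer is freed right after is a dead store the optimizer is entitled to drop, so the zeroisation the patch is adding for audit purposes may not survive compilation. The same memset-then-free pattern is on the new side of the mac.c hunk (`mac_destroy`), the monitor.c `mm_get_keystate` hunk and the monitor_wrap.c `mm_send_keystate` hunk (`memset(blob, 0, bloblen); free(blob);`). A scrub the compiler cannot elide — a volatile-qualified write loop, C11 `memset_s`, or `explicit_bzero` if the compat layer in this tree provides one (unverified from the page) — should be used at each of these sites, e.g. `explicit_bzero(enc->key, enc->key_len); free(enc->key);`. The added `newkeys_destroy` that follows `enc_destroy` in this hunk continues outside the visible lines, so its own scrubs could not be checked here.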
@@ -1040,11 +1025,10 @@ index 57a79dd..922cf9d 100644 + memset(&newkeys->comp, 0, sizeof(newkeys->comp)); +} + -diff --git a/kex.h b/kex.h -index 46731fa..8a59114 100644 ---- a/kex.h -+++ b/kex.h -@@ -158,6 +158,8 @@ void kexgex_server(Kex *); +diff -up openssh-6.3p1/kex.h.audit openssh-6.3p1/kex.h +--- openssh-6.3p1/kex.h.audit 2013-07-20 05:21:53.000000000 +0200 ++++ openssh-6.3p1/kex.h 2013-10-07 15:53:34.249717264 +0200 +@@ -162,6 +162,8 @@ void kexgex_server(Kex *); void kexecdh_client(Kex *); void kexecdh_server(Kex *); @@ -1053,11 +1037,10 @@ index 46731fa..8a59114 100644 void kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); -diff --git a/key.c b/key.c -index a30e6d1..9d04f11 100644 ---- a/key.c -+++ b/key.c -@@ -1809,6 +1809,30 @@ key_demote(const Key *k) +diff -up openssh-6.3p1/key.c.audit openssh-6.3p1/key.c +--- openssh-6.3p1/key.c.audit 2013-10-07 15:53:34.224717379 +0200 ++++ openssh-6.3p1/key.c 2013-10-07 15:53:34.249717264 +0200 +@@ -1773,6 +1773,30 @@ key_demote(const Key *k) } int @@ -1088,10 +1071,9 @@ index a30e6d1..9d04f11 100644 key_is_cert(const Key *k) { if (k == NULL) -diff --git a/key.h b/key.h -index 09f7b7d..8d9be57 100644 ---- a/key.h -+++ b/key.h +diff -up openssh-6.3p1/key.h.audit openssh-6.3p1/key.h +--- openssh-6.3p1/key.h.audit 2013-10-07 15:53:34.224717379 +0200 ++++ openssh-6.3p1/key.h 2013-10-07 15:53:34.249717264 +0200 @@ -110,6 +110,7 @@ Key *key_generate(int, u_int); Key *key_from_private(const Key *); int key_type_from_name(char *); 
@@ -1100,11 +1082,10 @@ index 09f7b7d..8d9be57 100644 int key_type_plain(int); int key_to_certified(Key *, int); int key_drop_cert(Key *); -diff --git a/mac.c b/mac.c -index 3f2dc6f..a1e61be 100644 ---- a/mac.c -+++ b/mac.c -@@ -199,6 +199,20 @@ mac_clear(Mac *mac) +diff -up openssh-6.3p1/mac.c.audit openssh-6.3p1/mac.c +--- openssh-6.3p1/mac.c.audit 2013-06-06 00:12:37.000000000 +0200 ++++ openssh-6.3p1/mac.c 2013-10-07 15:53:34.250717259 +0200 +@@ -224,6 +224,20 @@ mac_clear(Mac *mac) mac->umac_ctx = NULL; } @@ -1116,7 +1097,7 @@ index 3f2dc6f..a1e61be 100644 + + if (mac->key) { + memset(mac->key, 0, mac->key_len); -+ xfree(mac->key); ++ free(mac->key); + } + + memset(mac, 0, sizeof(*mac)); @@ -1125,28 +1106,26 @@ index 3f2dc6f..a1e61be 100644 /* XXX copied from ciphers_valid */ #define MAC_SEP "," int -diff --git a/mac.h b/mac.h -index 39f564d..640db0f 100644 ---- a/mac.h -+++ b/mac.h -@@ -28,3 +28,4 @@ int mac_setup(Mac *, char *); +diff -up openssh-6.3p1/mac.h.audit openssh-6.3p1/mac.h +--- openssh-6.3p1/mac.h.audit 2013-04-23 11:24:32.000000000 +0200 ++++ openssh-6.3p1/mac.h 2013-10-07 15:53:34.250717259 +0200 +@@ -29,3 +29,4 @@ int mac_setup(Mac *, char *); int mac_init(Mac *); u_char *mac_compute(Mac *, u_int32_t, u_char *, int); void mac_clear(Mac *); +void mac_destroy(Mac *); -diff --git a/monitor.c b/monitor.c -index 7816a8f..f1c0ba1 100644 ---- a/monitor.c -+++ b/monitor.c -@@ -97,6 +97,7 @@ - #include "ssh2.h" +diff -up openssh-6.3p1/monitor.c.audit openssh-6.3p1/monitor.c +--- openssh-6.3p1/monitor.c.audit 2013-10-07 15:53:34.217717411 +0200 ++++ openssh-6.3p1/monitor.c 2013-10-08 15:10:38.270726936 +0200 +@@ -98,6 +98,7 @@ #include "jpake.h" #include "roaming.h" + #include "authfd.h" +#include "audit.h" #ifdef GSSAPI static Gssctxt *gsscontext = NULL; -@@ -113,6 +114,8 @@ extern Buffer auth_debug; +@@ -114,6 +115,8 @@ extern Buffer auth_debug; extern int auth_debug_init; extern Buffer loginmsg; 
@@ -1155,7 +1134,7 @@ index 7816a8f..f1c0ba1 100644 /* State exported from the child */ struct { -@@ -185,6 +188,11 @@ int mm_answer_gss_checkmic(int, Buffer *); +@@ -186,6 +189,11 @@ int mm_answer_gss_checkmic(int, Buffer * #ifdef SSH_AUDIT_EVENTS int mm_answer_audit_event(int, Buffer *); int mm_answer_audit_command(int, Buffer *); @@ -1167,7 +1146,7 @@ index 7816a8f..f1c0ba1 100644 #endif static int monitor_read_log(struct monitor *); -@@ -236,6 +244,10 @@ struct mon_table mon_dispatch_proto20[] = { +@@ -237,6 +245,10 @@ struct mon_table mon_dispatch_proto20[] #endif #ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, @@ -1178,7 +1157,7 @@ index 7816a8f..f1c0ba1 100644 #endif #ifdef BSD_AUTH {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, -@@ -272,6 +284,11 @@ struct mon_table mon_dispatch_postauth20[] = { +@@ -273,6 +285,11 @@ struct mon_table mon_dispatch_postauth20 #ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, @@ -1190,7 +1169,7 @@ index 7816a8f..f1c0ba1 100644 #endif {0, 0, NULL} }; -@@ -303,6 +320,10 @@ struct mon_table mon_dispatch_proto15[] = { +@@ -304,6 +321,10 @@ struct mon_table mon_dispatch_proto15[] #endif #ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, @@ -1201,7 +1180,7 @@ index 7816a8f..f1c0ba1 100644 #endif {0, 0, NULL} }; -@@ -314,6 +335,11 @@ struct mon_table mon_dispatch_postauth15[] = { +@@ -315,6 +336,11 @@ struct mon_table mon_dispatch_postauth15 #ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, 
@@ -1213,7 +1192,7 @@ index 7816a8f..f1c0ba1 100644 #endif {0, 0, NULL} }; -@@ -1350,9 +1376,11 @@ mm_answer_keyverify(int sock, Buffer *m) +@@ -1365,9 +1391,11 @@ mm_answer_keyverify(int sock, Buffer *m) Key *key; u_char *signature, *data, *blob; u_int signaturelen, datalen, bloblen; @@ -1225,7 +1204,7 @@ index 7816a8f..f1c0ba1 100644 blob = buffer_get_string(m, &bloblen); signature = buffer_get_string(m, &signaturelen); data = buffer_get_string(m, &datalen); -@@ -1360,6 +1388,8 @@ mm_answer_keyverify(int sock, Buffer *m) +@@ -1375,6 +1403,8 @@ mm_answer_keyverify(int sock, Buffer *m) if (hostbased_cuser == NULL || hostbased_chost == NULL || !monitor_allowed_key(blob, bloblen)) fatal("%s: bad key, not previously allowed", __func__); @@ -1234,7 +1213,7 @@ index 7816a8f..f1c0ba1 100644 key = key_from_blob(blob, bloblen); if (key == NULL) -@@ -1380,7 +1410,17 @@ mm_answer_keyverify(int sock, Buffer *m) +@@ -1395,7 +1425,17 @@ mm_answer_keyverify(int sock, Buffer *m) if (!valid_data) fatal("%s: bad signature data blob", __func__); @@ -1253,7 +1232,7 @@ index 7816a8f..f1c0ba1 100644 debug3("%s: key %p signature %s", __func__, key, (verified == 1) ? "verified" : "unverified"); -@@ -1433,6 +1473,12 @@ mm_session_close(Session *s) +@@ -1448,6 +1488,12 @@ mm_session_close(Session *s) debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd); session_pty_cleanup2(s); } @@ -1266,7 +1245,7 @@ index 7816a8f..f1c0ba1 100644 session_unused(s->self); } -@@ -1713,6 +1759,8 @@ mm_answer_term(int sock, Buffer *req) +@@ -1728,6 +1774,8 @@ mm_answer_term(int sock, Buffer *req) sshpam_cleanup(); #endif @@ -1275,7 +1254,7 @@ index 7816a8f..f1c0ba1 100644 while (waitpid(pmonitor->m_pid, &status, 0) == -1) if (errno != EINTR) exit(1); -@@ -1755,11 +1803,44 @@ mm_answer_audit_command(int socket, Buffer *m) +@@ -1770,11 +1818,43 @@ mm_answer_audit_command(int socket, Buff { u_int len; char *cmd; 
@@ -1317,25 +1296,24 @@ index 7816a8f..f1c0ba1 100644 + strcmp(s->command, cmd) != 0) + fatal("%s: invalid handle", __func__); + mm_session_close(s); -+ - xfree(cmd); + free(cmd); return (0); } -@@ -1890,11 +1971,13 @@ mm_get_keystate(struct monitor *pmonitor) +@@ -1910,11 +1990,13 @@ mm_get_keystate(struct monitor *pmonitor blob = buffer_get_string(&m, &bloblen); current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen); + memset(blob, 0, bloblen); - xfree(blob); + free(blob); debug3("%s: Waiting for second key", __func__); blob = buffer_get_string(&m, &bloblen); current_keys[MODE_IN] = mm_newkeys_from_blob(blob, bloblen); + memset(blob, 0, bloblen); - xfree(blob); + free(blob); /* Now get sequence numbers for the packets */ -@@ -1940,6 +2023,21 @@ mm_get_keystate(struct monitor *pmonitor) +@@ -1960,6 +2042,21 @@ mm_get_keystate(struct monitor *pmonitor } buffer_free(&m); @@ -1357,7 +1335,7 @@ index 7816a8f..f1c0ba1 100644 } -@@ -2341,3 +2439,86 @@ mm_answer_jpake_check_confirm(int sock, Buffer *m) +@@ -2361,3 +2458,86 @@ mm_answer_jpake_check_confirm(int sock, } #endif /* JPAKE */ @@ -1395,9 +1373,9 @@ index 7816a8f..f1c0ba1 100644 + + audit_kex_body(ctos, cipher, mac, compress, pid, uid); + -+ xfree(cipher); -+ xfree(mac); -+ xfree(compress); ++ free(cipher); ++ free(mac); ++ free(compress); + buffer_clear(m); + + mm_request_send(sock, MONITOR_ANS_AUDIT_KEX, m); @@ -1437,17 +1415,16 @@ index 7816a8f..f1c0ba1 100644 + + audit_destroy_sensitive_data(fp, pid, uid); + -+ xfree(fp); ++ free(fp); + buffer_clear(m); + + mm_request_send(sock, MONITOR_ANS_AUDIT_SERVER_KEY_FREE, m); + return 0; +} +#endif /* SSH_AUDIT_EVENTS */ -diff --git a/monitor.h b/monitor.h -index 2caa469..1a15066 100644 ---- a/monitor.h -+++ b/monitor.h +diff -up openssh-6.3p1/monitor.h.audit openssh-6.3p1/monitor.h +--- openssh-6.3p1/monitor.h.audit 2012-12-02 23:53:21.000000000 +0100 ++++ openssh-6.3p1/monitor.h 2013-10-07 15:53:34.251717254 +0200 
@@ -68,7 +68,13 @@ enum monitor_reqtype { MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107, MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109, @@ -1463,11 +1440,10 @@ index 2caa469..1a15066 100644 }; -diff --git a/monitor_wrap.c b/monitor_wrap.c -index 350c960..8c3599d 100644 ---- a/monitor_wrap.c -+++ b/monitor_wrap.c -@@ -431,7 +431,7 @@ mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key) +diff -up openssh-6.3p1/monitor_wrap.c.audit openssh-6.3p1/monitor_wrap.c +--- openssh-6.3p1/monitor_wrap.c.audit 2013-10-07 15:53:34.217717411 +0200 ++++ openssh-6.3p1/monitor_wrap.c 2013-10-07 16:03:16.190993304 +0200 +@@ -433,7 +433,7 @@ mm_key_allowed(enum mm_keytype type, cha */ int @@ -1476,7 +1452,7 @@ index 350c960..8c3599d 100644 { Buffer m; u_char *blob; -@@ -445,6 +445,7 @@ mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen) +@@ -447,6 +447,7 @@ mm_key_verify(Key *key, u_char *sig, u_i return (0); buffer_init(&m); @@ -1484,7 +1460,7 @@ index 350c960..8c3599d 100644 buffer_put_string(&m, blob, len); buffer_put_string(&m, sig, siglen); buffer_put_string(&m, data, datalen); -@@ -462,6 +463,19 @@ mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen) +@@ -464,6 +465,19 @@ mm_key_verify(Key *key, u_char *sig, u_i return (verified); } @@ -1504,7 +1480,7 @@ index 350c960..8c3599d 100644 /* Export key state after authentication */ Newkeys * mm_newkeys_from_blob(u_char *blob, int blen) -@@ -480,7 +494,7 @@ mm_newkeys_from_blob(u_char *blob, int blen) +@@ -482,7 +496,7 @@ mm_newkeys_from_blob(u_char *blob, int b buffer_init(&b); buffer_append(&b, blob, blen); 
@@ -1513,22 +1489,22 @@ index 350c960..8c3599d 100644 enc = &newkey->enc; mac = &newkey->mac; comp = &newkey->comp; -@@ -640,12 +654,14 @@ mm_send_keystate(struct monitor *monitor) +@@ -642,12 +656,14 @@ mm_send_keystate(struct monitor *monitor fatal("%s: conversion of newkeys failed", __func__); buffer_put_string(&m, blob, bloblen); + memset(blob, 0, bloblen); - xfree(blob); + free(blob); if (!mm_newkeys_to_blob(MODE_IN, &blob, &bloblen)) fatal("%s: conversion of newkeys failed", __func__); buffer_put_string(&m, blob, bloblen); + memset(blob, 0, bloblen); - xfree(blob); + free(blob); packet_get_state(MODE_OUT, &seqnr, &blocks, &packets, &bytes); -@@ -1189,10 +1205,11 @@ mm_audit_event(ssh_audit_event_t event) +@@ -1191,10 +1207,11 @@ mm_audit_event(ssh_audit_event_t event) buffer_free(&m); } @@ -1541,7 +1517,7 @@ index 350c960..8c3599d 100644 debug3("%s entering command %s", __func__, command); -@@ -1200,6 +1217,26 @@ mm_audit_run_command(const char *command) +@@ -1202,6 +1219,26 @@ mm_audit_run_command(const char *command buffer_put_cstring(&m, command); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m); @@ -1568,7 +1544,7 @@ index 350c960..8c3599d 100644 buffer_free(&m); } #endif /* SSH_AUDIT_EVENTS */ -@@ -1451,3 +1488,72 @@ mm_jpake_check_confirm(const BIGNUM *k, +@@ -1453,3 +1490,72 @@ mm_jpake_check_confirm(const BIGNUM *k, return success; } #endif /* JPAKE */ 
@@ -1641,11 +1617,10 @@ index 350c960..8c3599d 100644 + buffer_free(&m); +} +#endif /* SSH_AUDIT_EVENTS */ -diff --git a/monitor_wrap.h b/monitor_wrap.h -index 0c7f2e3..f47c7df 100644 ---- a/monitor_wrap.h -+++ b/monitor_wrap.h -@@ -49,7 +49,8 @@ int mm_key_allowed(enum mm_keytype, char *, char *, Key *); +diff -up openssh-6.3p1/monitor_wrap.h.audit openssh-6.3p1/monitor_wrap.h +--- openssh-6.3p1/monitor_wrap.h.audit 2011-06-20 06:42:23.000000000 +0200 ++++ openssh-6.3p1/monitor_wrap.h 2013-10-07 15:53:34.252717250 +0200 +@@ -49,7 +49,8 @@ int mm_key_allowed(enum mm_keytype, char int mm_user_key_allowed(struct passwd *, Key *); int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *); int mm_auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *); @@ -1669,19 +1644,18 @@ index 0c7f2e3..f47c7df 100644 #endif struct Session; -diff --git a/packet.c b/packet.c -index a51c1f2..faa3a85 100644 ---- a/packet.c -+++ b/packet.c -@@ -60,6 +60,7 @@ - #include +diff -up openssh-6.3p1/packet.c.audit openssh-6.3p1/packet.c +--- openssh-6.3p1/packet.c.audit 2013-10-07 15:53:34.231717347 +0200 ++++ openssh-6.3p1/packet.c 2013-10-07 16:08:00.764639577 +0200 +@@ -61,6 +61,7 @@ + #include #include "xmalloc.h" +#include "audit.h" #include "buffer.h" #include "packet.h" #include "crc32.h" -@@ -470,6 +471,13 @@ packet_get_connection_out(void) +@@ -476,6 +477,13 @@ packet_get_connection_out(void) return active_state->connection_out; } @@ -1695,7 +1669,7 @@ index a51c1f2..faa3a85 100644 /* Closes the connection and clears and frees internal data structures. */ void -@@ -478,13 +486,6 @@ packet_close(void) +@@ -484,13 +492,6 @@ packet_close(void) if (!active_state->initialized) return; active_state->initialized = 0; 
@@ -1709,7 +1683,7 @@ index a51c1f2..faa3a85 100644 buffer_free(&active_state->input); buffer_free(&active_state->output); buffer_free(&active_state->outgoing_packet); -@@ -493,8 +494,18 @@ packet_close(void) +@@ -499,8 +500,18 @@ packet_close(void) buffer_free(&active_state->compression_buffer); buffer_compress_uninit(); } @@ -1730,7 +1704,7 @@ index a51c1f2..faa3a85 100644 } /* Sets remote side protocol flags. */ -@@ -729,6 +740,25 @@ packet_send1(void) +@@ -735,6 +746,25 @@ packet_send1(void) */ } @@ -1740,23 +1714,23 @@ index a51c1f2..faa3a85 100644 + if (newkeys == NULL) + return; + -+ xfree(newkeys->enc.name); ++ free(newkeys->enc.name); + + if (newkeys->mac.enabled) { + mac_clear(&newkeys->mac); -+ xfree(newkeys->mac.name); ++ free(newkeys->mac.name); + } + -+ xfree(newkeys->comp.name); ++ free(newkeys->comp.name); + + newkeys_destroy(newkeys); -+ xfree(newkeys); ++ free(newkeys); +} + void set_newkeys(int mode) { -@@ -754,21 +784,9 @@ set_newkeys(int mode) +@@ -760,21 +790,9 @@ set_newkeys(int mode) } if (active_state->newkeys[mode] != NULL) { debug("set_newkeys: rekeying"); @@ -1769,18 +1743,18 @@ index a51c1f2..faa3a85 100644 - memset(enc->iv, 0, enc->iv_len); - memset(enc->key, 0, enc->key_len); - memset(mac->key, 0, mac->key_len); -- xfree(enc->name); -- xfree(enc->iv); -- xfree(enc->key); -- xfree(mac->name); -- xfree(mac->key); -- xfree(comp->name); -- xfree(active_state->newkeys[mode]); +- free(enc->name); +- free(enc->iv); +- free(enc->key); +- free(mac->name); +- free(mac->key); +- free(comp->name); +- free(active_state->newkeys[mode]); + newkeys_destroy_and_free(active_state->newkeys[mode]); } active_state->newkeys[mode] = kex_get_newkeys(mode); if (active_state->newkeys[mode] == NULL) -@@ -1971,6 +1989,47 @@ packet_get_newkeys(int mode) +@@ -2003,6 +2021,47 @@ packet_get_newkeys(int mode) return (void *)active_state->newkeys[mode]; } 
@@ -1828,7 +1802,7 @@ index a51c1f2..faa3a85 100644 /* * Save the state for the real connection, and use a separate state when * resuming a suspended connection. -@@ -1978,18 +2037,12 @@ packet_get_newkeys(int mode) +@@ -2010,18 +2069,12 @@ packet_get_newkeys(int mode) void packet_backup_state(void) { @@ -1848,7 +1822,7 @@ index a51c1f2..faa3a85 100644 } /* -@@ -2006,9 +2059,7 @@ packet_restore_state(void) +@@ -2038,9 +2091,7 @@ packet_restore_state(void) backup_state = active_state; active_state = tmp; active_state->connection_in = backup_state->connection_in; 
@@ -1858,32 +1832,30 @@ index a51c1f2..faa3a85 100644 len = buffer_len(&backup_state->input); if (len > 0) { buf = buffer_ptr(&backup_state->input); -@@ -2016,4 +2067,10 @@ packet_restore_state(void) +@@ -2048,4 +2099,10 @@ packet_restore_state(void) buffer_clear(&backup_state->input); add_recv_bytes(len); } + backup_state->connection_in = -1; + backup_state->connection_out = -1; + packet_destroy_state(backup_state); -+ xfree(backup_state); ++ free(backup_state); + backup_state = NULL; } + -diff --git a/packet.h b/packet.h -index 09ba079..0742f74 100644 ---- a/packet.h -+++ b/packet.h -@@ -123,4 +123,5 @@ void packet_restore_state(void); +diff -up openssh-6.3p1/packet.h.audit openssh-6.3p1/packet.h +--- openssh-6.3p1/packet.h.audit 2013-07-18 08:12:45.000000000 +0200 ++++ openssh-6.3p1/packet.h 2013-10-07 15:53:34.252717250 +0200 +@@ -124,4 +124,5 @@ void packet_restore_state(void); void *packet_get_input(void); void *packet_get_output(void); +void packet_destroy_all(int, int); #endif /* PACKET_H */ -diff --git a/session.c b/session.c -index 19eaa20..dc0a2e2 100644 ---- a/session.c -+++ b/session.c -@@ -136,7 +136,7 @@ extern int log_stderr; +diff -up openssh-6.3p1/session.c.audit openssh-6.3p1/session.c +--- openssh-6.3p1/session.c.audit 2013-07-20 05:21:53.000000000 +0200 ++++ openssh-6.3p1/session.c 2013-10-07 16:03:43.975861636 +0200 +@@ -137,7 +137,7 @@ extern int log_stderr; extern int debug_flag; extern u_int utmp_len; extern int startup_pipe; @@ -1892,7 +1864,7 @@ index 19eaa20..dc0a2e2 100644 extern Buffer loginmsg; /* original command from peer. */ -@@ -745,6 +745,14 @@ do_exec_pty(Session *s, const char *command) +@@ -745,6 +745,14 @@ do_exec_pty(Session *s, const char *comm /* Parent. Close the slave side of the pseudo tty. */ close(ttyfd); 
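Review bot: In packet_restore_state() the new lines set backup_state->connection_in and connection_out to -1 right after the same descriptors were copied into active_state and immediately before packet_destroy_state(backup_state); the apparent intent is that packet_destroy_state() leaves descriptors marked -1 alone, but that function is defined outside this hunk, so the hand-off depends on an invisible contract. A one-line comment would protect it against a later change to packet_destroy_state(): `/* fds now belong to active_state; mark them unused so packet_destroy_state() does not close them */`. packet_restore_state() begins outside the hunk.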
@@ -1929,7 +1901,7 @@ index 19eaa20..dc0a2e2 100644 #endif if (s->ttyfd != -1) ret = do_exec_pty(s, command); -@@ -1629,7 +1641,10 @@ do_child(Session *s, const char *command) +@@ -1642,7 +1654,10 @@ do_child(Session *s, const char *command int r = 0; /* remove hostkey from the child's memory */ @@ -1941,7 +1913,7 @@ index 19eaa20..dc0a2e2 100644 /* Force a password change */ if (s->authctxt->force_pwchange) { -@@ -1856,6 +1871,7 @@ session_unused(int id) +@@ -1869,6 +1884,7 @@ session_unused(int id) sessions[id].ttyfd = -1; sessions[id].ptymaster = -1; sessions[id].x11_chanids = NULL; @@ -1949,7 +1921,7 @@ index 19eaa20..dc0a2e2 100644 sessions[id].next_unused = sessions_first_unused; sessions_first_unused = id; } -@@ -1938,6 +1954,19 @@ session_open(Authctxt *authctxt, int chanid) +@@ -1951,6 +1967,19 @@ session_open(Authctxt *authctxt, int cha } Session * @@ -1969,7 +1941,7 @@ index 19eaa20..dc0a2e2 100644 session_by_tty(char *tty) { int i; -@@ -2463,6 +2492,30 @@ session_exit_message(Session *s, int status) +@@ -2467,6 +2496,30 @@ session_exit_message(Session *s, int sta chan_write_failed(c); } @@ -1979,7 +1951,7 @@ index 19eaa20..dc0a2e2 100644 +{ + if (s->command != NULL) { + audit_end_command(s->command_handle, s->command); -+ xfree(s->command); ++ free(s->command); + s->command = NULL; + s->command_handle = -1; + } @@ -1990,7 +1962,7 @@ index 19eaa20..dc0a2e2 100644 +{ + if (s->command != NULL) { + PRIVSEP(audit_end_command(s->command_handle, s->command)); -+ xfree(s->command); ++ free(s->command); + s->command = NULL; + s->command_handle = -1; + } @@ -2000,7 +1972,7 @@ index 19eaa20..dc0a2e2 100644 void session_close(Session *s) { -@@ -2471,6 +2524,10 @@ session_close(Session *s) +@@ -2475,6 +2528,10 @@ session_close(Session *s) debug("session_close: session %d pid %ld", s->self, (long)s->pid); if (s->ttyfd != -1) session_pty_cleanup(s); 
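Review bot: session_end_command() and session_end_command2() are identical apart from the PRIVSEP() wrapper around audit_end_command(), which implies each is meant for a specific process, yet neither carries a comment saying which; the session_close() hunk that follows (`@@ -2008`) calls the direct variant, session_end_command(). If session_close() can run in the unprivileged post-auth child — not visible in these hunks — the audit record would be emitted from the child instead of being routed through the monitor, so the choice of variant should be confirmed and documented on both helpers, e.g. `/* session_end_command(): monitor or non-privsep context; session_end_command2(): may run in the privsep child, audit call routed via PRIVSEP() */`. do_cleanup_one_session(), the other probable caller, has its body outside the visible hunks.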
@@ -2008,10 +1980,10 @@ index 19eaa20..dc0a2e2 100644 + if (s->command) + session_end_command(s); +#endif - if (s->term) - xfree(s->term); - if (s->display) -@@ -2690,6 +2747,15 @@ do_authenticated2(Authctxt *authctxt) + free(s->term); + free(s->display); + free(s->x11_chanids); +@@ -2688,6 +2745,15 @@ do_authenticated2(Authctxt *authctxt) server_loop2(authctxt); } @@ -2027,17 +1999,16 @@ index 19eaa20..dc0a2e2 100644 void do_cleanup(Authctxt *authctxt) { -@@ -2738,5 +2804,5 @@ do_cleanup(Authctxt *authctxt) +@@ -2736,5 +2802,5 @@ do_cleanup(Authctxt *authctxt) * or if running in monitor. */ if (!use_privsep || mm_is_monitor()) - session_destroy_all(session_pty_cleanup2); + session_destroy_all(do_cleanup_one_session); } -diff --git a/session.h b/session.h -index cbb8e3a..fc6a7d3 100644 ---- a/session.h -+++ b/session.h +diff -up openssh-6.3p1/session.h.audit openssh-6.3p1/session.h +--- openssh-6.3p1/session.h.audit 2008-05-19 07:34:50.000000000 +0200 ++++ openssh-6.3p1/session.h 2013-10-07 15:53:34.253717245 +0200 @@ -60,6 +60,12 @@ struct Session { char *name; char *val; @@ -2062,11 +2033,10 @@ index cbb8e3a..fc6a7d3 100644 Session *session_by_tty(char *); void session_close(Session *); void do_setusercontext(struct passwd *); -diff --git a/sshd.c b/sshd.c -index 740ef4b..9aff64c 100644 ---- a/sshd.c -+++ b/sshd.c -@@ -118,6 +118,7 @@ +diff -up openssh-6.3p1/sshd.c.audit openssh-6.3p1/sshd.c +--- openssh-6.3p1/sshd.c.audit 2013-10-07 15:53:34.221717393 +0200 ++++ openssh-6.3p1/sshd.c 2013-10-07 15:53:34.254717240 +0200 +@@ -119,6 +119,7 @@ #endif #include "monitor_wrap.h" #include "roaming.h" @@ -2074,7 +2044,7 @@ index 740ef4b..9aff64c 100644 #include "ssh-sandbox.h" #include "version.h" -@@ -254,7 +255,7 @@ Buffer loginmsg; +@@ -260,7 +261,7 @@ Buffer loginmsg; struct passwd *privsep_pw = NULL; /* Prototypes for various functions defined later in this file. */ 
@@ -2083,7 +2053,7 @@ index 740ef4b..9aff64c 100644 void demote_sensitive_data(void); static void do_ssh1_kex(void); -@@ -273,6 +274,15 @@ close_listen_socks(void) +@@ -279,6 +280,15 @@ close_listen_socks(void) num_listen_socks = -1; } @@ -2099,7 +2069,7 @@ index 740ef4b..9aff64c 100644 static void close_startup_pipes(void) { -@@ -544,22 +554,47 @@ sshd_exchange_identification(int sock_in, int sock_out) +@@ -550,22 +560,47 @@ sshd_exchange_identification(int sock_in } } @@ -2141,7 +2111,7 @@ index 740ef4b..9aff64c 100644 + else + audit_destroy_sensitive_data(fp, + pid, uid); -+ xfree(fp); ++ free(fp); + } } - if (sensitive_data.host_certificates[i]) { @@ -2150,7 +2120,7 @@ index 740ef4b..9aff64c 100644 key_free(sensitive_data.host_certificates[i]); sensitive_data.host_certificates[i] = NULL; } -@@ -573,6 +608,8 @@ void +@@ -579,6 +614,8 @@ void demote_sensitive_data(void) { Key *tmp; @@ -2159,7 +2129,7 @@ index 740ef4b..9aff64c 100644 int i; if (sensitive_data.server_key) { -@@ -581,13 +618,27 @@ demote_sensitive_data(void) +@@ -587,13 +624,27 @@ demote_sensitive_data(void) sensitive_data.server_key = tmp; } @@ -2182,12 +2152,12 @@ index 740ef4b..9aff64c 100644 sensitive_data.ssh1_host_key = tmp; + if (fp != NULL) { + audit_destroy_sensitive_data(fp, pid, uid); -+ xfree(fp); ++ free(fp); + } } /* Certs do not need demotion */ } -@@ -700,6 +751,8 @@ privsep_preauth(Authctxt *authctxt) +@@ -708,6 +759,8 @@ privsep_preauth(Authctxt *authctxt) } } @@ -2196,7 +2166,7 @@ index 740ef4b..9aff64c 100644 static void privsep_postauth(Authctxt *authctxt) { -@@ -724,6 +777,10 @@ privsep_postauth(Authctxt *authctxt) +@@ -732,6 +785,10 @@ privsep_postauth(Authctxt *authctxt) else if (pmonitor->m_pid != 0) { verbose("User child is on pid %ld", (long)pmonitor->m_pid); buffer_clear(&loginmsg); 
@@ -2207,7 +2177,7 @@ index 740ef4b..9aff64c 100644 monitor_child_postauth(pmonitor); /* NEVERREACHED */ -@@ -1153,6 +1210,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) +@@ -1178,6 +1235,7 @@ server_accept_loop(int *sock_in, int *so if (received_sigterm) { logit("Received signal %d; terminating.", (int) received_sigterm); @@ -2215,7 +2185,7 @@ index 740ef4b..9aff64c 100644 close_listen_socks(); unlink(options.pid_file); exit(received_sigterm == SIGTERM ? 0 : 255); -@@ -2032,6 +2090,7 @@ main(int ac, char **av) +@@ -2093,6 +2151,7 @@ main(int ac, char **av) */ if (use_privsep) { mm_send_keystate(pmonitor); @@ -2223,7 +2193,7 @@ index 740ef4b..9aff64c 100644 exit(0); } -@@ -2074,7 +2133,7 @@ main(int ac, char **av) +@@ -2135,7 +2194,7 @@ main(int ac, char **av) privsep_postauth(authctxt); /* the monitor process [priv] will not return */ if (!compat20) @@ -2232,7 +2202,7 @@ index 740ef4b..9aff64c 100644 } packet_set_timeout(options.client_alive_interval, -@@ -2084,6 +2143,9 @@ main(int ac, char **av) +@@ -2145,6 +2204,9 @@ main(int ac, char **av) do_authenticated(authctxt); /* The connection has been terminated. */ @@ -2242,7 +2212,7 @@ index 740ef4b..9aff64c 100644 packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes); packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes); verbose("Transferred: sent %llu, received %llu bytes", -@@ -2241,6 +2303,10 @@ do_ssh1_kex(void) +@@ -2302,6 +2364,10 @@ do_ssh1_kex(void) if (cookie[i] != packet_get_char()) packet_disconnect("IP Spoofing check bytes do not match."); @@ -2253,7 +2223,7 @@ index 740ef4b..9aff64c 100644 debug("Encryption type: %.200s", cipher_name(cipher_type)); /* Get the encrypted integer. */ -@@ -2307,7 +2373,7 @@ do_ssh1_kex(void) +@@ -2368,7 +2434,7 @@ do_ssh1_kex(void) session_id[i] = session_key[i] ^ session_key[i + 16]; } /* Destroy the private and public keys. No longer. */ 
@@ -2262,7 +2232,7 @@ index 740ef4b..9aff64c 100644 if (use_privsep) mm_ssh1_session_id(session_id); -@@ -2397,6 +2463,16 @@ do_ssh2_kex(void) +@@ -2480,6 +2546,16 @@ do_ssh2_kex(void) void cleanup_exit(int i) { @@ -2279,7 +2249,7 @@ index 740ef4b..9aff64c 100644 if (the_authctxt) { do_cleanup(the_authctxt); if (use_privsep && privsep_is_preauth && pmonitor->m_pid > 1) { -@@ -2407,9 +2483,14 @@ cleanup_exit(int i) +@@ -2490,9 +2566,14 @@ cleanup_exit(int i) pmonitor->m_pid, strerror(errno)); } } diff --git a/openssh-6.2p1-coverity.patch b/openssh-6.3p1-coverity.patch similarity index 75% rename from openssh-6.2p1-coverity.patch rename to openssh-6.3p1-coverity.patch index 98e70d3..69bcb81 100644 --- a/openssh-6.2p1-coverity.patch +++ b/openssh-6.3p1-coverity.patch @@ -1,6 +1,6 @@ -diff -up openssh-6.2p1/auth-pam.c.coverity openssh-6.2p1/auth-pam.c ---- openssh-6.2p1/auth-pam.c.coverity 2009-07-12 14:07:21.000000000 +0200 -+++ openssh-6.2p1/auth-pam.c 2013-03-22 09:49:37.341595458 +0100 +diff -up openssh-6.3p1/auth-pam.c.coverity openssh-6.3p1/auth-pam.c +--- openssh-6.3p1/auth-pam.c.coverity 2013-06-02 00:07:32.000000000 +0200 ++++ openssh-6.3p1/auth-pam.c 2013-10-07 13:20:36.288298063 +0200 @@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void * if (sshpam_thread_status != -1) return (sshpam_thread_status); 
@@ -15,10 +15,10 @@ diff -up openssh-6.2p1/auth-pam.c.coverity openssh-6.2p1/auth-pam.c return (status); } #endif -diff -up openssh-6.2p1/channels.c.coverity openssh-6.2p1/channels.c ---- openssh-6.2p1/channels.c.coverity 2012-12-02 23:50:55.000000000 +0100 -+++ openssh-6.2p1/channels.c 2013-03-22 09:49:37.344595444 +0100 -@@ -232,11 +232,11 @@ channel_register_fds(Channel *c, int rfd +diff -up openssh-6.3p1/channels.c.coverity openssh-6.3p1/channels.c +--- openssh-6.3p1/channels.c.coverity 2013-09-13 08:19:31.000000000 +0200 ++++ openssh-6.3p1/channels.c 2013-10-07 13:20:36.289298058 +0200 +@@ -233,11 +233,11 @@ channel_register_fds(Channel *c, int rfd channel_max_fd = MAX(channel_max_fd, wfd); channel_max_fd = MAX(channel_max_fd, efd); @@ -33,7 +33,7 @@ diff -up openssh-6.2p1/channels.c.coverity openssh-6.2p1/channels.c fcntl(efd, F_SETFD, FD_CLOEXEC); c->rfd = rfd; -@@ -251,11 +251,11 @@ channel_register_fds(Channel *c, int rfd +@@ -255,11 +255,11 @@ channel_register_fds(Channel *c, int rfd /* enable nonblocking mode */ if (nonblock) { @@ -48,10 +48,10 @@ diff -up openssh-6.2p1/channels.c.coverity openssh-6.2p1/channels.c set_nonblock(efd); } } -diff -up openssh-6.2p1/clientloop.c.coverity openssh-6.2p1/clientloop.c ---- openssh-6.2p1/clientloop.c.coverity 2013-01-09 05:55:51.000000000 +0100 -+++ openssh-6.2p1/clientloop.c 2013-03-22 09:49:37.342595453 +0100 -@@ -2061,14 +2061,15 @@ client_input_global_request(int type, u_ +diff -up openssh-6.3p1/clientloop.c.coverity openssh-6.3p1/clientloop.c +--- openssh-6.3p1/clientloop.c.coverity 2013-06-10 05:07:12.000000000 +0200 ++++ openssh-6.3p1/clientloop.c 2013-10-07 13:20:36.289298058 +0200 +@@ -2068,14 +2068,15 @@ client_input_global_request(int type, u_ char *rtype; int want_reply; int success = 0; 
@@ -69,10 +69,10 @@ diff -up openssh-6.2p1/clientloop.c.coverity openssh-6.2p1/clientloop.c packet_send(); packet_write_wait(); } -diff -up openssh-6.2p1/key.c.coverity openssh-6.2p1/key.c ---- openssh-6.2p1/key.c.coverity 2013-01-18 01:44:05.000000000 +0100 -+++ openssh-6.2p1/key.c 2013-03-22 09:49:37.345595440 +0100 -@@ -808,8 +808,10 @@ key_read(Key *ret, char **cpp) +diff -up openssh-6.3p1/key.c.coverity openssh-6.3p1/key.c +--- openssh-6.3p1/key.c.coverity 2013-06-01 23:41:51.000000000 +0200 ++++ openssh-6.3p1/key.c 2013-10-07 13:20:36.290298054 +0200 +@@ -807,8 +807,10 @@ key_read(Key *ret, char **cpp) success = 1; /*XXXX*/ key_free(k); @@ -83,9 +83,9 @@ diff -up openssh-6.2p1/key.c.coverity openssh-6.2p1/key.c /* advance cp: skip whitespace and data */ while (*cp == ' ' || *cp == '\t') cp++; -diff -up openssh-6.2p1/monitor.c.coverity openssh-6.2p1/monitor.c ---- openssh-6.2p1/monitor.c.coverity 2012-12-12 00:44:39.000000000 +0100 -+++ openssh-6.2p1/monitor.c 2013-03-22 12:19:55.189921353 +0100 +diff -up openssh-6.3p1/monitor.c.coverity openssh-6.3p1/monitor.c +--- openssh-6.3p1/monitor.c.coverity 2013-07-20 05:21:53.000000000 +0200 ++++ openssh-6.3p1/monitor.c 2013-10-07 13:54:36.761314042 +0200 @@ -449,7 +449,7 @@ monitor_child_preauth(Authctxt *_authctx mm_get_keystate(pmonitor); @@ -95,7 +95,7 @@ diff -up openssh-6.2p1/monitor.c.coverity openssh-6.2p1/monitor.c ; close(pmonitor->m_sendfd); -@@ -1194,6 +1194,10 @@ mm_answer_keyallowed(int sock, Buffer *m +@@ -1202,6 +1202,10 @@ mm_answer_keyallowed(int sock, Buffer *m break; } } @@ -106,8 +106,8 @@ diff -up openssh-6.2p1/monitor.c.coverity openssh-6.2p1/monitor.c if (key != NULL) key_free(key); -@@ -1216,9 +1220,6 @@ mm_answer_keyallowed(int sock, Buffer *m - xfree(chost); +@@ -1223,9 +1227,6 @@ mm_answer_keyallowed(int sock, Buffer *m + free(chost); } - debug3("%s: key %p is %s", 
@@ -116,10 +116,10 @@ diff -up openssh-6.2p1/monitor.c.coverity openssh-6.2p1/monitor.c buffer_clear(m); buffer_put_int(m, allowed); buffer_put_int(m, forced_command != NULL); -diff -up openssh-6.2p1/monitor_wrap.c.coverity openssh-6.2p1/monitor_wrap.c ---- openssh-6.2p1/monitor_wrap.c.coverity 2013-01-09 06:12:19.000000000 +0100 -+++ openssh-6.2p1/monitor_wrap.c 2013-03-22 09:49:37.347595431 +0100 -@@ -708,10 +708,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, +diff -up openssh-6.3p1/monitor_wrap.c.coverity openssh-6.3p1/monitor_wrap.c +--- openssh-6.3p1/monitor_wrap.c.coverity 2013-06-02 00:07:32.000000000 +0200 ++++ openssh-6.3p1/monitor_wrap.c 2013-10-07 13:20:36.291298049 +0200 +@@ -710,10 +710,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 || (tmp2 = dup(pmonitor->m_recvfd)) == -1) { error("%s: cannot allocate fds for pty", __func__); @@ -133,9 +133,9 @@ diff -up openssh-6.2p1/monitor_wrap.c.coverity openssh-6.2p1/monitor_wrap.c return 0; } close(tmp1); -diff -up openssh-6.2p1/openbsd-compat/bindresvport.c.coverity openssh-6.2p1/openbsd-compat/bindresvport.c ---- openssh-6.2p1/openbsd-compat/bindresvport.c.coverity 2010-12-03 00:50:26.000000000 +0100 -+++ openssh-6.2p1/openbsd-compat/bindresvport.c 2013-03-22 09:49:37.347595431 +0100 +diff -up openssh-6.3p1/openbsd-compat/bindresvport.c.coverity openssh-6.3p1/openbsd-compat/bindresvport.c +--- openssh-6.3p1/openbsd-compat/bindresvport.c.coverity 2010-12-03 00:50:26.000000000 +0100 ++++ openssh-6.3p1/openbsd-compat/bindresvport.c 2013-10-07 13:20:36.291298049 +0200 @@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr struct sockaddr_in6 *in6; u_int16_t *portp; 
@@ -145,10 +145,10 @@ diff -up openssh-6.2p1/openbsd-compat/bindresvport.c.coverity openssh-6.2p1/open int i; if (sa == NULL) { -diff -up openssh-6.2p1/packet.c.coverity openssh-6.2p1/packet.c ---- openssh-6.2p1/packet.c.coverity 2013-02-12 01:03:59.000000000 +0100 -+++ openssh-6.2p1/packet.c 2013-03-22 09:49:37.348595426 +0100 -@@ -1192,6 +1192,7 @@ packet_read_poll1(void) +diff -up openssh-6.3p1/packet.c.coverity openssh-6.3p1/packet.c +--- openssh-6.3p1/packet.c.coverity 2013-07-18 08:12:45.000000000 +0200 ++++ openssh-6.3p1/packet.c 2013-10-07 13:20:36.291298049 +0200 +@@ -1199,6 +1199,7 @@ packet_read_poll1(void) case DEATTACK_DETECTED: packet_disconnect("crc32 compensation attack: " "network attack detected"); @@ -156,18 +156,9 @@ diff -up openssh-6.2p1/packet.c.coverity openssh-6.2p1/packet.c case DEATTACK_DOS_DETECTED: packet_disconnect("deattack denial of " "service detected"); -@@ -1728,7 +1729,7 @@ void - packet_write_wait(void) - { - fd_set *setp; -- int ret, ms_remain; -+ int ret, ms_remain = 0; - struct timeval start, timeout, *timeoutp = NULL; - - setp = (fd_set *)xcalloc(howmany(active_state->connection_out + 1, -diff -up openssh-6.2p1/progressmeter.c.coverity openssh-6.2p1/progressmeter.c ---- openssh-6.2p1/progressmeter.c.coverity 2006-08-05 04:39:40.000000000 +0200 -+++ openssh-6.2p1/progressmeter.c 2013-03-22 09:49:37.349595422 +0100 +diff -up openssh-6.3p1/progressmeter.c.coverity openssh-6.3p1/progressmeter.c +--- openssh-6.3p1/progressmeter.c.coverity 2013-06-02 15:46:24.000000000 +0200 ++++ openssh-6.3p1/progressmeter.c 2013-10-07 13:42:32.377850691 +0200 @@ -65,7 +65,7 @@ static void update_progress_meter(int); static time_t start; /* start progress */ 
@@ -184,11 +175,11 @@ diff -up openssh-6.2p1/progressmeter.c.coverity openssh-6.2p1/progressmeter.c -start_progress_meter(char *f, off_t filesize, off_t *ctr) +start_progress_meter(const char *f, off_t filesize, off_t *ctr) { - start = last_update = time(NULL); + start = last_update = monotime(); file = f; -diff -up openssh-6.2p1/progressmeter.h.coverity openssh-6.2p1/progressmeter.h ---- openssh-6.2p1/progressmeter.h.coverity 2006-03-26 05:30:02.000000000 +0200 -+++ openssh-6.2p1/progressmeter.h 2013-03-22 09:49:37.349595422 +0100 +diff -up openssh-6.3p1/progressmeter.h.coverity openssh-6.3p1/progressmeter.h +--- openssh-6.3p1/progressmeter.h.coverity 2006-03-26 05:30:02.000000000 +0200 ++++ openssh-6.3p1/progressmeter.h 2013-10-07 13:20:36.292298044 +0200 @@ -23,5 +23,5 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ @@ -196,9 +187,9 @@ diff -up openssh-6.2p1/progressmeter.h.coverity openssh-6.2p1/progressmeter.h -void start_progress_meter(char *, off_t, off_t *); +void start_progress_meter(const char *, off_t, off_t *); void stop_progress_meter(void); -diff -up openssh-6.2p1/scp.c.coverity openssh-6.2p1/scp.c ---- openssh-6.2p1/scp.c.coverity 2013-03-20 02:55:15.000000000 +0100 -+++ openssh-6.2p1/scp.c 2013-03-22 09:49:37.349595422 +0100 +diff -up openssh-6.3p1/scp.c.coverity openssh-6.3p1/scp.c +--- openssh-6.3p1/scp.c.coverity 2013-07-18 08:11:25.000000000 +0200 ++++ openssh-6.3p1/scp.c 2013-10-07 13:20:36.292298044 +0200 @@ -155,7 +155,7 @@ killchild(int signo) { if (do_cmd_pid > 1) { 
@@ -208,10 +199,10 @@ diff -up openssh-6.2p1/scp.c.coverity openssh-6.2p1/scp.c } if (signo) -diff -up openssh-6.2p1/servconf.c.coverity openssh-6.2p1/servconf.c ---- openssh-6.2p1/servconf.c.coverity 2013-02-12 01:02:08.000000000 +0100 -+++ openssh-6.2p1/servconf.c 2013-03-22 09:49:37.350595418 +0100 -@@ -1268,7 +1268,7 @@ process_server_config_line(ServerOptions +diff -up openssh-6.3p1/servconf.c.coverity openssh-6.3p1/servconf.c +--- openssh-6.3p1/servconf.c.coverity 2013-07-20 05:21:53.000000000 +0200 ++++ openssh-6.3p1/servconf.c 2013-10-07 13:20:36.293298039 +0200 +@@ -1323,7 +1323,7 @@ process_server_config_line(ServerOptions fatal("%s line %d: Missing subsystem name.", filename, linenum); if (!*activep) { @@ -220,7 +211,7 @@ diff -up openssh-6.2p1/servconf.c.coverity openssh-6.2p1/servconf.c break; } for (i = 0; i < options->num_subsystems; i++) -@@ -1359,8 +1359,9 @@ process_server_config_line(ServerOptions +@@ -1414,8 +1414,9 @@ process_server_config_line(ServerOptions if (*activep && *charptr == NULL) { *charptr = tilde_expand_filename(arg, getuid()); /* increase optional counter */ @@ -232,16 +223,16 @@ diff -up openssh-6.2p1/servconf.c.coverity openssh-6.2p1/servconf.c } break; -diff -up openssh-6.2p1/serverloop.c.coverity openssh-6.2p1/serverloop.c ---- openssh-6.2p1/serverloop.c.coverity 2012-12-07 03:07:47.000000000 +0100 -+++ openssh-6.2p1/serverloop.c 2013-03-22 09:49:37.351595413 +0100 +diff -up openssh-6.3p1/serverloop.c.coverity openssh-6.3p1/serverloop.c +--- openssh-6.3p1/serverloop.c.coverity 2013-07-18 08:12:45.000000000 +0200 ++++ openssh-6.3p1/serverloop.c 2013-10-07 13:43:36.620537138 +0200 @@ -147,13 +147,13 @@ notify_setup(void) static void notify_parent(void) { - if (notify_pipe[1] != -1) + if (notify_pipe[1] >= 0) - write(notify_pipe[1], "", 1); + (void)write(notify_pipe[1], "", 1); } static void notify_prepare(fd_set *readset) 
@@ -307,7 +298,7 @@ diff -up openssh-6.2p1/serverloop.c.coverity openssh-6.2p1/serverloop.c if (fdin != fdout) close(fdin); else -@@ -741,15 +741,15 @@ server_loop(pid_t pid, int fdin_arg, int +@@ -739,15 +739,15 @@ server_loop(pid_t pid, int fdin_arg, int buffer_free(&stderr_buffer); /* Close the file descriptors. */ @@ -326,7 +317,7 @@ diff -up openssh-6.2p1/serverloop.c.coverity openssh-6.2p1/serverloop.c close(fdin); fdin = -1; -@@ -943,7 +943,7 @@ server_input_window_size(int type, u_int +@@ -946,7 +946,7 @@ server_input_window_size(int type, u_int debug("Window change received."); packet_check_eom(); @@ -335,7 +326,7 @@ diff -up openssh-6.2p1/serverloop.c.coverity openssh-6.2p1/serverloop.c pty_change_window_size(fdin, row, col, xpixel, ypixel); } -@@ -1003,7 +1003,7 @@ server_request_tun(void) +@@ -1006,7 +1006,7 @@ server_request_tun(void) } tun = packet_get_int(); 
@@ -344,111 +335,9 @@ diff -up openssh-6.2p1/serverloop.c.coverity openssh-6.2p1/serverloop.c if (tun != SSH_TUNID_ANY && forced_tun_device != tun) goto done; tun = forced_tun_device; -diff -up openssh-6.2p1/sftp.c.coverity openssh-6.2p1/sftp.c ---- openssh-6.2p1/sftp.c.coverity 2013-02-22 23:12:24.000000000 +0100 -+++ openssh-6.2p1/sftp.c 2013-03-22 09:49:37.352595409 +0100 -@@ -202,7 +202,7 @@ killchild(int signo) - { - if (sshpid > 1) { - kill(sshpid, SIGTERM); -- waitpid(sshpid, NULL, 0); -+ (void) waitpid(sshpid, NULL, 0); - } - - _exit(1); -@@ -312,7 +312,7 @@ local_do_ls(const char *args) - - /* Strip one path (usually the pwd) from the start of another */ - static char * --path_strip(char *path, char *strip) -+path_strip(const char *path, const char *strip) - { - size_t len; - -@@ -330,7 +330,7 @@ path_strip(char *path, char *strip) - } - - static char * --make_absolute(char *p, char *pwd) -+make_absolute(char *p, const char *pwd) - { - char *abs_str; - -@@ -478,7 +478,7 @@ parse_df_flags(const char *cmd, char **a - } - - static int --is_dir(char *path) -+is_dir(const char *path) - { - struct stat sb; - -@@ -490,7 +490,7 @@ is_dir(char *path) - } - - static int --remote_is_dir(struct sftp_conn *conn, char *path) -+remote_is_dir(struct sftp_conn *conn, const char *path) - { - Attrib *a; - -@@ -504,7 +504,7 @@ remote_is_dir(struct sftp_conn *conn, ch - - /* Check whether path returned from glob(..., GLOB_MARK, ...) 
is a directory */ - static int --pathname_is_dir(char *pathname) -+pathname_is_dir(const char *pathname) - { - size_t l = strlen(pathname); - -@@ -512,7 +512,7 @@ pathname_is_dir(char *pathname) - } - - static int --process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, -+process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd, - int pflag, int rflag) - { - char *abs_src = NULL; -@@ -586,7 +586,7 @@ out: - } - - static int --process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd, -+process_put(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd, - int pflag, int rflag) - { - char *tmp_dst = NULL; -@@ -691,7 +691,7 @@ sdirent_comp(const void *aa, const void - - /* sftp ls.1 replacement for directories */ - static int --do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag) -+do_ls_dir(struct sftp_conn *conn, const char *path, const char *strip_path, int lflag) - { - int n; - u_int c = 1, colspace = 0, columns = 1; -@@ -776,7 +776,7 @@ do_ls_dir(struct sftp_conn *conn, char * - - /* sftp ls.1 replacement which handles path globs */ - static int --do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path, -+do_globbed_ls(struct sftp_conn *conn, const char *path, const char *strip_path, - int lflag) - { - char *fname, *lname; -@@ -857,7 +857,7 @@ do_globbed_ls(struct sftp_conn *conn, ch - } - - static int --do_df(struct sftp_conn *conn, char *path, int hflag, int iflag) -+do_df(struct sftp_conn *conn, const char *path, int hflag, int iflag) - { - struct sftp_statvfs st; - char s_used[FMT_SCALED_STRSIZE]; -diff -up openssh-6.2p1/sftp-client.c.coverity openssh-6.2p1/sftp-client.c ---- openssh-6.2p1/sftp-client.c.coverity 2012-07-02 14:15:39.000000000 +0200 -+++ openssh-6.2p1/sftp-client.c 2013-03-22 09:49:37.353595404 +0100 +diff -up openssh-6.3p1/sftp-client.c.coverity openssh-6.3p1/sftp-client.c +--- openssh-6.3p1/sftp-client.c.coverity 2013-07-26 
00:40:00.000000000 +0200 ++++ openssh-6.3p1/sftp-client.c 2013-10-07 13:48:45.885027420 +0200 @@ -149,7 +149,7 @@ get_msg(struct sftp_conn *conn, Buffer * } @@ -599,28 +488,28 @@ diff -up openssh-6.2p1/sftp-client.c.coverity openssh-6.2p1/sftp-client.c int -do_download(struct sftp_conn *conn, char *remote_path, char *local_path, +do_download(struct sftp_conn *conn, const char *remote_path, const char *local_path, - Attrib *a, int pflag) + Attrib *a, int pflag, int resume) { Attrib junk; -@@ -1226,7 +1226,7 @@ do_download(struct sftp_conn *conn, char +@@ -1255,7 +1255,7 @@ do_download(struct sftp_conn *conn, char } static int -download_dir_internal(struct sftp_conn *conn, char *src, char *dst, +download_dir_internal(struct sftp_conn *conn, const char *src, const char *dst, - Attrib *dirattrib, int pflag, int printflag, int depth) + Attrib *dirattrib, int pflag, int printflag, int depth, int resume) { int i, ret = 0; -@@ -1316,7 +1316,7 @@ download_dir_internal(struct sftp_conn * +@@ -1345,7 +1345,7 @@ download_dir_internal(struct sftp_conn * } int -download_dir(struct sftp_conn *conn, char *src, char *dst, +download_dir(struct sftp_conn *conn, const char *src, const char *dst, - Attrib *dirattrib, int pflag, int printflag) + Attrib *dirattrib, int pflag, int printflag, int resume) { char *src_canon; -@@ -1334,7 +1334,7 @@ download_dir(struct sftp_conn *conn, cha +@@ -1363,7 +1363,7 @@ download_dir(struct sftp_conn *conn, cha } int @@ -629,7 +518,7 @@ diff -up openssh-6.2p1/sftp-client.c.coverity openssh-6.2p1/sftp-client.c int pflag) { int local_fd; -@@ -1517,7 +1517,7 @@ do_upload(struct sftp_conn *conn, char * +@@ -1548,7 +1548,7 @@ do_upload(struct sftp_conn *conn, char * } static int 
@@ -638,7 +527,7 @@ diff -up openssh-6.2p1/sftp-client.c.coverity openssh-6.2p1/sftp-client.c int pflag, int printflag, int depth) { int ret = 0, status; -@@ -1608,7 +1608,7 @@ upload_dir_internal(struct sftp_conn *co +@@ -1639,7 +1639,7 @@ upload_dir_internal(struct sftp_conn *co } int @@ -647,7 +536,7 @@ diff -up openssh-6.2p1/sftp-client.c.coverity openssh-6.2p1/sftp-client.c int pflag) { char *dst_canon; -@@ -1625,7 +1625,7 @@ upload_dir(struct sftp_conn *conn, char +@@ -1656,7 +1656,7 @@ upload_dir(struct sftp_conn *conn, char } char * @@ -656,9 +545,9 @@ diff -up openssh-6.2p1/sftp-client.c.coverity openssh-6.2p1/sftp-client.c { char *ret; size_t len = strlen(p1) + strlen(p2) + 2; -diff -up openssh-6.2p1/sftp-client.h.coverity openssh-6.2p1/sftp-client.h ---- openssh-6.2p1/sftp-client.h.coverity 2010-12-04 23:02:48.000000000 +0100 -+++ openssh-6.2p1/sftp-client.h 2013-03-22 09:49:37.353595404 +0100 +diff -up openssh-6.3p1/sftp-client.h.coverity openssh-6.3p1/sftp-client.h +--- openssh-6.3p1/sftp-client.h.coverity 2013-07-25 03:56:52.000000000 +0200 ++++ openssh-6.3p1/sftp-client.h 2013-10-07 13:45:10.108080813 +0200 @@ -56,49 +56,49 @@ struct sftp_conn *do_init(int, int, u_in u_int sftp_proto_version(struct sftp_conn *); 
@@ -727,15 +616,15 @@ diff -up openssh-6.2p1/sftp-client.h.coverity openssh-6.2p1/sftp-client.h * Download 'remote_path' to 'local_path'. Preserve permissions and times * if 'pflag' is set */ --int do_download(struct sftp_conn *, char *, char *, Attrib *, int); -+int do_download(struct sftp_conn *, const char *, const char *, Attrib *, int); +-int do_download(struct sftp_conn *, char *, char *, Attrib *, int, int); ++int do_download(struct sftp_conn *, const char *, const char *, Attrib *, int, int); /* * Recursively download 'remote_directory' to 'local_directory'. Preserve * times if 'pflag' is set */ --int download_dir(struct sftp_conn *, char *, char *, Attrib *, int, int); -+int download_dir(struct sftp_conn *, const char *, const char *, Attrib *, int, int); +-int download_dir(struct sftp_conn *, char *, char *, Attrib *, int, int, int); ++int download_dir(struct sftp_conn *, const char *, const char *, Attrib *, int, int, int); /* * Upload 'local_path' to 'remote_path'. Preserve permissions and times 
@@ -756,10 +645,112 @@ diff -up openssh-6.2p1/sftp-client.h.coverity openssh-6.2p1/sftp-client.h +char *path_append(const char *, const char *); #endif -diff -up openssh-6.2p1/ssh-agent.c.coverity openssh-6.2p1/ssh-agent.c ---- openssh-6.2p1/ssh-agent.c.coverity 2011-06-03 06:14:16.000000000 +0200 -+++ openssh-6.2p1/ssh-agent.c 2013-03-22 09:49:37.354595400 +0100 -@@ -1147,8 +1147,8 @@ main(int ac, char **av) +diff -up openssh-6.3p1/sftp.c.coverity openssh-6.3p1/sftp.c +--- openssh-6.3p1/sftp.c.coverity 2013-07-25 03:56:52.000000000 +0200 ++++ openssh-6.3p1/sftp.c 2013-10-07 13:49:47.322727449 +0200 +@@ -213,7 +213,7 @@ killchild(int signo) + { + if (sshpid > 1) { + kill(sshpid, SIGTERM); +- waitpid(sshpid, NULL, 0); ++ (void) waitpid(sshpid, NULL, 0); + } + + _exit(1); +@@ -324,7 +324,7 @@ local_do_ls(const char *args) + + /* Strip one path (usually the pwd) from the start of another */ + static char * +-path_strip(char *path, char *strip) ++path_strip(const char *path, const char *strip) + { + size_t len; + +@@ -342,7 +342,7 @@ path_strip(char *path, char *strip) + } + + static char * +-make_absolute(char *p, char *pwd) ++make_absolute(char *p, const char *pwd) + { + char *abs_str; + +@@ -493,7 +493,7 @@ parse_df_flags(const char *cmd, char **a + } + + static int +-is_dir(char *path) ++is_dir(const char *path) + { + struct stat sb; + +@@ -505,7 +505,7 @@ is_dir(char *path) + } + + static int +-remote_is_dir(struct sftp_conn *conn, char *path) ++remote_is_dir(struct sftp_conn *conn, const char *path) + { + Attrib *a; + +@@ -519,7 +519,7 @@ remote_is_dir(struct sftp_conn *conn, ch + + /* Check whether path returned from glob(..., GLOB_MARK, ...) 
is a directory */ + static int +-pathname_is_dir(char *pathname) ++pathname_is_dir(const char *pathname) + { + size_t l = strlen(pathname); + +@@ -527,7 +527,7 @@ pathname_is_dir(char *pathname) + } + + static int +-process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, ++process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd, + int pflag, int rflag, int resume) + { + char *abs_src = NULL; +@@ -605,7 +605,7 @@ out: + } + + static int +-process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd, ++process_put(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd, + int pflag, int rflag) + { + char *tmp_dst = NULL; +@@ -709,7 +709,7 @@ sdirent_comp(const void *aa, const void + + /* sftp ls.1 replacement for directories */ + static int +-do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag) ++do_ls_dir(struct sftp_conn *conn, const char *path, const char *strip_path, int lflag) + { + int n; + u_int c = 1, colspace = 0, columns = 1; +@@ -794,7 +794,7 @@ do_ls_dir(struct sftp_conn *conn, char * + + /* sftp ls.1 replacement which handles path globs */ + static int +-do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path, ++do_globbed_ls(struct sftp_conn *conn, const char *path, const char *strip_path, + int lflag) + { + char *fname, *lname; +@@ -875,7 +875,7 @@ do_globbed_ls(struct sftp_conn *conn, ch + } + + static int +-do_df(struct sftp_conn *conn, char *path, int hflag, int iflag) ++do_df(struct sftp_conn *conn, const char *path, int hflag, int iflag) + { + struct sftp_statvfs st; + char s_used[FMT_SCALED_STRSIZE]; +diff -up openssh-6.3p1/ssh-agent.c.coverity openssh-6.3p1/ssh-agent.c +--- openssh-6.3p1/ssh-agent.c.coverity 2013-07-20 05:22:49.000000000 +0200 ++++ openssh-6.3p1/ssh-agent.c 2013-10-07 13:20:36.296298024 +0200 +@@ -1143,8 +1143,8 @@ main(int ac, char **av) sanitise_stdfd(); /* drop */ 
@@ -770,37 +761,28 @@ diff -up openssh-6.2p1/ssh-agent.c.coverity openssh-6.2p1/ssh-agent.c #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) /* Disable ptrace on Linux without sgid bit */ -diff -up openssh-6.2p1/sshd.c.coverity openssh-6.2p1/sshd.c ---- openssh-6.2p1/sshd.c.coverity 2013-02-12 01:04:48.000000000 +0100 -+++ openssh-6.2p1/sshd.c 2013-03-22 09:49:37.355595396 +0100 -@@ -691,8 +691,10 @@ privsep_preauth(Authctxt *authctxt) +diff -up openssh-6.3p1/sshd.c.coverity openssh-6.3p1/sshd.c +--- openssh-6.3p1/sshd.c.coverity 2013-07-20 05:21:53.000000000 +0200 ++++ openssh-6.3p1/sshd.c 2013-10-07 13:20:36.296298024 +0200 +@@ -699,8 +699,10 @@ privsep_preauth(Authctxt *authctxt) if (getuid() == 0 || geteuid() == 0) privsep_preauth_child(); setproctitle("%s", "[net]"); - if (box != NULL) + if (box != NULL) { ssh_sandbox_child(box); -+ xfree(box); ++ free(box); + } return 0; } -@@ -1320,6 +1322,9 @@ server_accept_loop(int *sock_in, int *so +@@ -1345,6 +1347,9 @@ server_accept_loop(int *sock_in, int *so if (num_listen_socks < 0) break; } + + if (fdset != NULL) -+ xfree(fdset); ++ free(fdset); } -@@ -1806,7 +1811,7 @@ main(int ac, char **av) - - /* Chdir to the root directory so that the current disk can be - unmounted if desired. */ -- chdir("/"); -+ (void) chdir("/"); - - /* ignore SIGPIPE */ - signal(SIGPIPE, SIG_IGN); diff --git a/openssh-6.2p1-ctr-cavstest.patch b/openssh-6.3p1-ctr-cavstest.patch similarity index 98% rename from openssh-6.2p1-ctr-cavstest.patch rename to openssh-6.3p1-ctr-cavstest.patch index 1376a3f..5cd9997 100644 --- a/openssh-6.2p1-ctr-cavstest.patch +++ b/openssh-6.3p1-ctr-cavstest.patch @@ -185,8 +185,8 @@ diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c + + cipher_init(&cc, c, key, keylen, iv, ivlen, encrypt); + -+ xfree(key); -+ xfree(iv); ++ free(key); ++ free(iv); + + outdata = malloc(datalen); + if(outdata == NULL) { 
@@ -196,7 +196,7 @@ diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c + + cipher_crypt(&cc, outdata, data, datalen, 0, 0); + -+ xfree(data); ++ free(data); + + cipher_cleanup(&cc); + @@ -204,7 +204,7 @@ diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c + printf("%02X", (unsigned char)*p); + } + -+ xfree(outdata); ++ free(outdata); + + printf("\n"); + return 0; diff --git a/openssh-5.9p1-ctr-evp-fast.patch b/openssh-6.3p1-ctr-evp-fast.patch similarity index 99% rename from openssh-5.9p1-ctr-evp-fast.patch rename to openssh-6.3p1-ctr-evp-fast.patch index 5d17aab..ddcb7f1 100644 --- a/openssh-5.9p1-ctr-evp-fast.patch +++ b/openssh-6.3p1-ctr-evp-fast.patch @@ -97,5 +97,5 @@ diff -up openssh-5.9p1/cipher-ctr.c.ctr-evp openssh-5.9p1/cipher-ctr.c if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) { + EVP_CIPHER_CTX_cleanup(&c->ecbctx); memset(c, 0, sizeof(*c)); - xfree(c); + free(c); EVP_CIPHER_CTX_set_app_data(ctx, NULL); diff --git a/openssh-6.2p1-fingerprint.patch b/openssh-6.3p1-fingerprint.patch similarity index 75% rename from openssh-6.2p1-fingerprint.patch rename to openssh-6.3p1-fingerprint.patch index 92f8a4c..b9cfbdb 100644 --- a/openssh-6.2p1-fingerprint.patch +++ b/openssh-6.3p1-fingerprint.patch 
@@ -1,14 +1,31 @@ -diff -up openssh-6.2p1/auth2-hostbased.c.fingerprint openssh-6.2p1/auth2-hostbased.c ---- openssh-6.2p1/auth2-hostbased.c.fingerprint 2010-08-05 05:04:50.000000000 +0200 -+++ openssh-6.2p1/auth2-hostbased.c 2013-03-22 12:20:49.009685008 +0100 -@@ -196,16 +196,18 @@ hostbased_key_allowed(struct passwd *pw, +diff -up openssh-6.3p1/auth-rsa.c.fingerprint openssh-6.3p1/auth-rsa.c +diff -up openssh-6.3p1/auth.c.fingerprint openssh-6.3p1/auth.c +--- openssh-6.3p1/auth.c.fingerprint 2013-10-07 14:02:36.998968153 +0200 ++++ openssh-6.3p1/auth.c 2013-10-07 15:42:05.243812405 +0200 +@@ -685,9 +685,10 @@ auth_key_is_revoked(Key *key) + case 1: + revoked: + /* Key revoked */ +- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); ++ key_fp = key_selected_fingerprint(key, SSH_FP_HEX); + error("WARNING: authentication attempt with a revoked " +- "%s key %s ", key_type(key), key_fp); ++ "%s key %s%s ", key_type(key), ++ key_fingerprint_prefix(), key_fp); + free(key_fp); + return 1; + } +diff -up openssh-6.3p1/auth2-hostbased.c.fingerprint openssh-6.3p1/auth2-hostbased.c +--- openssh-6.3p1/auth2-hostbased.c.fingerprint 2013-10-07 14:02:36.998968153 +0200 ++++ openssh-6.3p1/auth2-hostbased.c 2013-10-07 15:43:49.747355927 +0200 +@@ -200,16 +200,18 @@ hostbased_key_allowed(struct passwd *pw, if (host_status == HOST_OK) { if (key_is_cert(key)) { - fp = key_fingerprint(key->cert->signature_key, - SSH_FP_MD5, SSH_FP_HEX); + fp = key_selected_fingerprint(key->cert->signature_key, -+ SSH_FP_HEX); ++ SSH_FP_HEX); verbose("Accepted certificate ID \"%s\" signed by " - "%s CA %s from %s@%s", key->cert->key_id, - key_type(key->cert->signature_key), fp, 
@@ -25,12 +42,12 @@ diff -up openssh-6.2p1/auth2-hostbased.c.fingerprint openssh-6.2p1/auth2-hostbas + key_type(key), key_fingerprint_prefix(), + fp, cuser, lookup); } - xfree(fp); + free(fp); } -diff -up openssh-6.2p1/auth2-pubkey.c.fingerprint openssh-6.2p1/auth2-pubkey.c ---- openssh-6.2p1/auth2-pubkey.c.fingerprint 2013-02-15 00:28:56.000000000 +0100 -+++ openssh-6.2p1/auth2-pubkey.c 2013-03-22 12:20:49.009685008 +0100 -@@ -317,10 +317,10 @@ check_authkeys_file(FILE *f, char *file, +diff -up openssh-6.3p1/auth2-pubkey.c.fingerprint openssh-6.3p1/auth2-pubkey.c +--- openssh-6.3p1/auth2-pubkey.c.fingerprint 2013-07-18 08:10:10.000000000 +0200 ++++ openssh-6.3p1/auth2-pubkey.c 2013-10-07 15:50:44.617495624 +0200 +@@ -359,10 +359,10 @@ check_authkeys_file(FILE *f, char *file, continue; if (!key_is_cert_authority) continue; @@ -45,20 +62,20 @@ diff -up openssh-6.2p1/auth2-pubkey.c.fingerprint openssh-6.2p1/auth2-pubkey.c /* * If the user has specified a list of principals as * a key option, then prefer that list to matching -@@ -360,9 +360,9 @@ check_authkeys_file(FILE *f, char *file, +@@ -400,9 +400,9 @@ check_authkeys_file(FILE *f, char *file, + if (key_is_cert_authority) + continue; found_key = 1; - debug("matching key found: file %s, line %lu", - file, linenum); - fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); -- verbose("Found matching %s key: %s", -- key_type(found), fp); +- debug("matching key found: file %s, line %lu %s %s", +- file, linenum, key_type(found), fp); + fp = key_selected_fingerprint(found, SSH_FP_HEX); + verbose("Found matching %s key: %s%s", + key_type(found), key_fingerprint_prefix(), fp); - xfree(fp); + free(fp); break; } -@@ -384,13 +384,13 @@ user_cert_trusted_ca(struct passwd *pw, +@@ -425,13 +425,13 @@ user_cert_trusted_ca(struct passwd *pw, if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL) return 0; 
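Review bot: The new-side line `+diff -up openssh-6.3p1/auth-rsa.c.fingerprint openssh-6.3p1/auth-rsa.c` is a bare file header with no `---`/`+++` lines and no hunk behind it, so `patch` will treat it as garbage and skip it; it should be dropped from the rebased patch. It also looks like the auth-rsa.c hunk the 6.2 version carried (the "Found matching %s key" log line switched to key_selected_fingerprint() and key_fingerprint_prefix()) was removed in this rebase rather than reapplied, which is only correct if 6.3's auth-rsa.c no longer logs a fingerprint itself. If it still calls key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX), protocol-1 RSA logins would log an unprefixed MD5 fingerprint while every other path on this page logs the selected one — please confirm against 6.3's auth-rsa.c and either restore that hunk or keep the omission deliberate with the stale header removed.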
@@ -76,42 +93,10 @@ diff -up openssh-6.2p1/auth2-pubkey.c.fingerprint openssh-6.2p1/auth2-pubkey.c options.trusted_user_ca_keys); goto out; } -diff -up openssh-6.2p1/auth.c.fingerprint openssh-6.2p1/auth.c ---- openssh-6.2p1/auth.c.fingerprint 2013-03-12 01:31:05.000000000 +0100 -+++ openssh-6.2p1/auth.c 2013-03-22 12:22:32.515230386 +0100 -@@ -663,9 +663,10 @@ auth_key_is_revoked(Key *key) - case 1: - revoked: - /* Key revoked */ -- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); -+ key_fp = key_selected_fingerprint(key, SSH_FP_HEX); - error("WARNING: authentication attempt with a revoked " -- "%s key %s ", key_type(key), key_fp); -+ "%s key %s%s ", key_type(key), -+ key_fingerprint_prefix(), key_fp); - xfree(key_fp); - return 1; - } -diff -up openssh-6.2p1/auth-rsa.c.fingerprint openssh-6.2p1/auth-rsa.c ---- openssh-6.2p1/auth-rsa.c.fingerprint 2012-10-30 22:58:59.000000000 +0100 -+++ openssh-6.2p1/auth-rsa.c 2013-03-22 12:20:49.011684999 +0100 -@@ -328,9 +328,9 @@ auth_rsa(Authctxt *authctxt, BIGNUM *cli - * options; this will be reset if the options cause the - * authentication to be rejected. - */ -- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); -- verbose("Found matching %s key: %s", -- key_type(key), fp); -+ fp = key_selected_fingerprint(key, SSH_FP_HEX); -+ verbose("Found matching %s key: %s%s", -+ key_type(key), key_fingerprint_prefix(), fp); - xfree(fp); - key_free(key); - -diff -up openssh-6.2p1/key.c.fingerprint openssh-6.2p1/key.c ---- openssh-6.2p1/key.c.fingerprint 2013-03-22 12:20:48.971685175 +0100 -+++ openssh-6.2p1/key.c 2013-03-22 12:20:49.012684995 +0100 -@@ -599,6 +599,34 @@ key_fingerprint(Key *k, enum fp_type dgs +diff -up openssh-6.3p1/key.c.fingerprint openssh-6.3p1/key.c +--- openssh-6.3p1/key.c.fingerprint 2013-10-07 14:02:36.971968285 +0200 ++++ openssh-6.3p1/key.c 2013-10-07 14:02:36.999968148 +0200 +@@ -598,6 +598,34 @@ key_fingerprint(const Key *k, enum fp_ty return retval; } 
@@ -146,12 +131,12 @@ diff -up openssh-6.2p1/key.c.fingerprint openssh-6.2p1/key.c /* * Reads a multiple-precision integer in decimal from the buffer, and advances * the pointer. The integer must already be initialized. This function is -diff -up openssh-6.2p1/key.h.fingerprint openssh-6.2p1/key.h ---- openssh-6.2p1/key.h.fingerprint 2013-01-18 01:44:05.000000000 +0100 -+++ openssh-6.2p1/key.h 2013-03-22 12:23:35.308954528 +0100 +diff -up openssh-6.3p1/key.h.fingerprint openssh-6.3p1/key.h +--- openssh-6.3p1/key.h.fingerprint 2013-10-07 14:02:36.999968148 +0200 ++++ openssh-6.3p1/key.h 2013-10-07 15:44:17.574233450 +0200 @@ -97,6 +97,9 @@ int key_equal_public(const Key *, cons int key_equal(const Key *, const Key *); - char *key_fingerprint(Key *, enum fp_type, enum fp_rep); + char *key_fingerprint(const Key *, enum fp_type, enum fp_rep); u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *); +enum fp_type key_fingerprint_selection(void); +char *key_selected_fingerprint(Key *, enum fp_rep); @@ -159,9 +144,9 @@ diff -up openssh-6.2p1/key.h.fingerprint openssh-6.2p1/key.h const char *key_type(const Key *); const char *key_cert_type(const Key *); int key_write(const Key *, FILE *); -diff -up openssh-6.2p1/ssh-add.c.fingerprint openssh-6.2p1/ssh-add.c ---- openssh-6.2p1/ssh-add.c.fingerprint 2012-12-07 03:07:03.000000000 +0100 -+++ openssh-6.2p1/ssh-add.c 2013-03-22 12:20:49.029684920 +0100 +diff -up openssh-6.3p1/ssh-add.c.fingerprint openssh-6.3p1/ssh-add.c +--- openssh-6.3p1/ssh-add.c.fingerprint 2013-10-07 14:02:37.000968143 +0200 ++++ openssh-6.3p1/ssh-add.c 2013-10-07 14:44:57.466515766 +0200 @@ -326,10 +326,10 @@ list_identities(AuthenticationConnection key = ssh_get_next_identity(ac, &comment, version)) { had_identities = 1; 
@@ -174,13 +159,13 @@ diff -up openssh-6.2p1/ssh-add.c.fingerprint openssh-6.2p1/ssh-add.c + printf("%d %s%s %s (%s)\n", + key_size(key), key_fingerprint_prefix(), + fp, comment, key_type(key)); - xfree(fp); + free(fp); } else { if (!key_write(key, stdout)) -diff -up openssh-6.2p1/ssh-agent.c.fingerprint openssh-6.2p1/ssh-agent.c ---- openssh-6.2p1/ssh-agent.c.fingerprint 2013-03-22 12:20:48.979685140 +0100 -+++ openssh-6.2p1/ssh-agent.c 2013-03-22 12:20:49.030684916 +0100 -@@ -199,9 +199,9 @@ confirm_key(Identity *id) +diff -up openssh-6.3p1/ssh-agent.c.fingerprint openssh-6.3p1/ssh-agent.c +--- openssh-6.3p1/ssh-agent.c.fingerprint 2013-10-07 14:02:37.000968143 +0200 ++++ openssh-6.3p1/ssh-agent.c 2013-10-07 15:41:11.627044336 +0200 +@@ -198,9 +198,9 @@ confirm_key(Identity *id) char *p; int ret = -1; 
@@ -191,134 +176,11 @@ diff -up openssh-6.2p1/ssh-agent.c.fingerprint openssh-6.2p1/ssh-agent.c + if (ask_permission("Allow use of key %s?\nKey fingerprint %s%s.", + id->comment, key_fingerprint_prefix(), p)) ret = 0; - xfree(p); + free(p); -diff -up openssh-6.2p1/sshconnect2.c.fingerprint openssh-6.2p1/sshconnect2.c ---- openssh-6.2p1/sshconnect2.c.fingerprint 2013-03-20 02:55:15.000000000 +0100 -+++ openssh-6.2p1/sshconnect2.c 2013-03-22 12:20:49.031684912 +0100 -@@ -592,8 +592,9 @@ input_userauth_pk_ok(int type, u_int32_t - key->type, pktype); - goto done; - } -- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); -- debug2("input_userauth_pk_ok: fp %s", fp); -+ fp = key_selected_fingerprint(key, SSH_FP_HEX); -+ debug2("input_userauth_pk_ok: fp %s%s", -+ key_fingerprint_prefix(), fp); - xfree(fp); - - /* -@@ -1205,8 +1206,9 @@ sign_and_send_pubkey(Authctxt *authctxt, - int have_sig = 1; - char *fp; - -- fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX); -- debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp); -+ fp = key_selected_fingerprint(id->key, SSH_FP_HEX); -+ debug3("sign_and_send_pubkey: %s %s%s", key_type(id->key), -+ key_fingerprint_prefix(), fp); - xfree(fp); - - if (key_to_blob(id->key, &blob, &bloblen) == 0) { -diff -up openssh-6.2p1/sshconnect.c.fingerprint openssh-6.2p1/sshconnect.c ---- openssh-6.2p1/sshconnect.c.fingerprint 2012-09-17 05:25:44.000000000 +0200 -+++ openssh-6.2p1/sshconnect.c 2013-03-22 12:20:49.032684907 +0100 -@@ -824,10 +824,10 @@ check_host_key(char *hostname, struct so - "key for IP address '%.128s' to the list " - "of known hosts.", type, ip); - } else if (options.visual_host_key) { -- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); -- ra = key_fingerprint(host_key, SSH_FP_MD5, -- SSH_FP_RANDOMART); -- logit("Host key fingerprint is %s\n%s\n", fp, ra); -+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX); -+ ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART); -+ logit("Host key fingerprint is 
%s%s\n%s\n", -+ key_fingerprint_prefix(), fp, ra); - xfree(ra); - xfree(fp); - } -@@ -865,9 +865,8 @@ check_host_key(char *hostname, struct so - else - snprintf(msg1, sizeof(msg1), "."); - /* The default */ -- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); -- ra = key_fingerprint(host_key, SSH_FP_MD5, -- SSH_FP_RANDOMART); -+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX); -+ ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART); - msg2[0] = '\0'; - if (options.verify_host_key_dns) { - if (matching_host_key_dns) -@@ -882,10 +881,11 @@ check_host_key(char *hostname, struct so - snprintf(msg, sizeof(msg), - "The authenticity of host '%.200s (%s)' can't be " - "established%s\n" -- "%s key fingerprint is %s.%s%s\n%s" -+ "%s key fingerprint is %s%s.%s%s\n%s" - "Are you sure you want to continue connecting " - "(yes/no)? ", -- host, ip, msg1, type, fp, -+ host, ip, msg1, type, -+ key_fingerprint_prefix(), fp, - options.visual_host_key ? "\n" : "", - options.visual_host_key ? 
ra : "", - msg2); -@@ -1130,8 +1130,9 @@ verify_host_key(char *host, struct socka - int flags = 0; - char *fp; - -- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); -- debug("Server host key: %s %s", key_type(host_key), fp); -+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX); -+ debug("Server host key: %s %s%s", key_type(host_key), -+ key_fingerprint_prefix(), fp); - xfree(fp); - - /* XXX certs are not yet supported for DNS */ -@@ -1232,14 +1233,15 @@ show_other_keys(struct hostkeys *hostkey - continue; - if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found)) - continue; -- fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX); -- ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART); -+ fp = key_selected_fingerprint(found->key, SSH_FP_HEX); -+ ra = key_selected_fingerprint(found->key, SSH_FP_RANDOMART); - logit("WARNING: %s key found for host %s\n" - "in %s:%lu\n" -- "%s key fingerprint %s.", -+ "%s key fingerprint %s%s.", - key_type(found->key), - found->host, found->file, found->line, -- key_type(found->key), fp); -+ key_type(found->key), -+ key_fingerprint_prefix(), fp); - if (options.visual_host_key) - logit("%s", ra); - xfree(ra); -@@ -1254,7 +1256,7 @@ warn_changed_key(Key *host_key) - { - char *fp; - -- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); -+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX); - - error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); - error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! 
@"); -@@ -1262,8 +1264,8 @@ warn_changed_key(Key *host_key) - error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!"); - error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); - error("It is also possible that a host key has just been changed."); -- error("The fingerprint for the %s key sent by the remote host is\n%s.", -- key_type(host_key), fp); -+ error("The fingerprint for the %s key sent by the remote host is\n%s%s.", -+ key_type(host_key),key_fingerprint_prefix(), fp); - error("Please contact your system administrator."); - - xfree(fp); -diff -up openssh-6.2p1/ssh-keygen.c.fingerprint openssh-6.2p1/ssh-keygen.c ---- openssh-6.2p1/ssh-keygen.c.fingerprint 2013-02-12 01:03:36.000000000 +0100 -+++ openssh-6.2p1/ssh-keygen.c 2013-03-22 12:20:49.033684903 +0100 +diff -up openssh-6.3p1/ssh-keygen.c.fingerprint openssh-6.3p1/ssh-keygen.c +--- openssh-6.3p1/ssh-keygen.c.fingerprint 2013-07-20 05:22:32.000000000 +0200 ++++ openssh-6.3p1/ssh-keygen.c 2013-10-07 14:25:52.864145038 +0200 @@ -767,13 +767,14 @@ do_fingerprint(struct passwd *pw) { FILE *f; @@ -378,7 +240,7 @@ diff -up openssh-6.2p1/ssh-keygen.c.fingerprint openssh-6.2p1/ssh-keygen.c key_type(public)); if (log_level >= SYSLOG_LEVEL_VERBOSE) printf("%s\n", ra); -@@ -1854,16 +1857,17 @@ do_show_cert(struct passwd *pw) +@@ -1855,16 +1858,17 @@ do_show_cert(struct passwd *pw) fatal("%s is not a certificate", identity_file); v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00; @@ -402,7 +264,7 @@ diff -up openssh-6.2p1/ssh-keygen.c.fingerprint openssh-6.2p1/ssh-keygen.c printf(" Key ID: \"%s\"\n", key->cert->key_id); if (!v00) { printf(" Serial: %llu\n", -@@ -2651,13 +2655,12 @@ passphrase_again: +@@ -2655,13 +2659,12 @@ passphrase_again: fclose(f); if (!quiet) { 
@@ -418,4 +280,127 @@ diff -up openssh-6.2p1/ssh-keygen.c.fingerprint openssh-6.2p1/ssh-keygen.c + printf("%s%s %s\n", key_fingerprint_prefix(), fp, comment); printf("The key's randomart image is:\n"); printf("%s\n", ra); - xfree(ra); + free(ra); +diff -up openssh-6.3p1/sshconnect.c.fingerprint openssh-6.3p1/sshconnect.c +--- openssh-6.3p1/sshconnect.c.fingerprint 2013-06-01 23:31:19.000000000 +0200 ++++ openssh-6.3p1/sshconnect.c 2013-10-07 14:43:54.859822036 +0200 +@@ -830,10 +830,10 @@ check_host_key(char *hostname, struct so + "key for IP address '%.128s' to the list " + "of known hosts.", type, ip); + } else if (options.visual_host_key) { +- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); +- ra = key_fingerprint(host_key, SSH_FP_MD5, +- SSH_FP_RANDOMART); +- logit("Host key fingerprint is %s\n%s\n", fp, ra); ++ fp = key_selected_fingerprint(host_key, SSH_FP_HEX); ++ ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART); ++ logit("Host key fingerprint is %s%s\n%s\n", ++ key_fingerprint_prefix(), fp, ra); + free(ra); + free(fp); + } +@@ -871,9 +871,8 @@ check_host_key(char *hostname, struct so + else + snprintf(msg1, sizeof(msg1), "."); + /* The default */ +- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); +- ra = key_fingerprint(host_key, SSH_FP_MD5, +- SSH_FP_RANDOMART); ++ fp = key_selected_fingerprint(host_key, SSH_FP_HEX); ++ ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART); + msg2[0] = '\0'; + if (options.verify_host_key_dns) { + if (matching_host_key_dns) +@@ -888,10 +887,11 @@ check_host_key(char *hostname, struct so + snprintf(msg, sizeof(msg), + "The authenticity of host '%.200s (%s)' can't be " + "established%s\n" +- "%s key fingerprint is %s.%s%s\n%s" ++ "%s key fingerprint is %s%s.%s%s\n%s" + "Are you sure you want to continue connecting " + "(yes/no)? ", +- host, ip, msg1, type, fp, ++ host, ip, msg1, type, ++ key_fingerprint_prefix(), fp, + options.visual_host_key ? "\n" : "", + options.visual_host_key ? 
ra : "", + msg2); +@@ -1136,8 +1136,9 @@ verify_host_key(char *host, struct socka + int flags = 0; + char *fp; + +- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); +- debug("Server host key: %s %s", key_type(host_key), fp); ++ fp = key_selected_fingerprint(host_key, SSH_FP_HEX); ++ debug("Server host key: %s %s%s", key_type(host_key), ++ key_fingerprint_prefix(), fp); + free(fp); + + /* XXX certs are not yet supported for DNS */ +@@ -1238,14 +1239,15 @@ show_other_keys(struct hostkeys *hostkey + continue; + if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found)) + continue; +- fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX); +- ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART); ++ fp = key_selected_fingerprint(found->key, SSH_FP_HEX); ++ ra = key_selected_fingerprint(found->key, SSH_FP_RANDOMART); + logit("WARNING: %s key found for host %s\n" + "in %s:%lu\n" +- "%s key fingerprint %s.", ++ "%s key fingerprint %s%s.", + key_type(found->key), + found->host, found->file, found->line, +- key_type(found->key), fp); ++ key_type(found->key), ++ key_fingerprint_prefix(), fp); + if (options.visual_host_key) + logit("%s", ra); + free(ra); +@@ -1260,7 +1262,7 @@ warn_changed_key(Key *host_key) + { + char *fp; + +- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); ++ fp = key_selected_fingerprint(host_key, SSH_FP_HEX); + + error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); + error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! 
@"); +@@ -1268,8 +1270,8 @@ warn_changed_key(Key *host_key) + error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!"); + error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); + error("It is also possible that a host key has just been changed."); +- error("The fingerprint for the %s key sent by the remote host is\n%s.", +- key_type(host_key), fp); ++ error("The fingerprint for the %s key sent by the remote host is\n%s%s.", ++ key_type(host_key),key_fingerprint_prefix(), fp); + error("Please contact your system administrator."); + + free(fp); +diff -up openssh-6.3p1/sshconnect2.c.fingerprint openssh-6.3p1/sshconnect2.c +--- openssh-6.3p1/sshconnect2.c.fingerprint 2013-10-07 14:02:37.001968139 +0200 ++++ openssh-6.3p1/sshconnect2.c 2013-10-07 15:20:09.403234714 +0200 +@@ -590,8 +590,9 @@ input_userauth_pk_ok(int type, u_int32_t + key->type, pktype); + goto done; + } +- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); +- debug2("input_userauth_pk_ok: fp %s", fp); ++ fp = key_selected_fingerprint(key, SSH_FP_HEX); ++ debug2("input_userauth_pk_ok: fp %s%s", ++ key_fingerprint_prefix(), fp); + free(fp); + + /* +@@ -1202,8 +1203,9 @@ sign_and_send_pubkey(Authctxt *authctxt, + int have_sig = 1; + char *fp; + +- fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX); +- debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp); ++ fp = key_selected_fingerprint(id->key, SSH_FP_HEX); ++ debug3("sign_and_send_pubkey: %s %s%s", key_type(id->key), ++ key_fingerprint_prefix(), fp); + free(fp); + + if (key_to_blob(id->key, &blob, &bloblen) == 0) { diff --git a/openssh-6.2p1-fips.patch b/openssh-6.3p1-fips.patch similarity index 66% rename from openssh-6.2p1-fips.patch rename to openssh-6.3p1-fips.patch index fddf0f5..f216d6e 100644 --- a/openssh-6.2p1-fips.patch +++ b/openssh-6.3p1-fips.patch 
@@ -1,6 +1,50 @@ -diff -up openssh-6.2p1/authfile.c.fips openssh-6.2p1/authfile.c ---- openssh-6.2p1/authfile.c.fips 2013-03-27 13:14:49.164683482 +0100 -+++ openssh-6.2p1/authfile.c 2013-03-27 13:14:49.177683431 +0100 +diff -up openssh-6.3p1/Makefile.in.fips openssh-6.3p1/Makefile.in +--- openssh-6.3p1/Makefile.in.fips 2013-10-11 22:24:32.850031186 +0200 ++++ openssh-6.3p1/Makefile.in 2013-10-11 22:24:32.870031092 +0200 +@@ -147,25 +147,25 @@ libssh.a: $(LIBSSH_OBJS) + $(RANLIB) $@ + + ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) +- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS) ++ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS) + + sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) +- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) ++ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) + + scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o + $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + + ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o +- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + + ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o +- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + + ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o +- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + + ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o +- $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh 
-lopenbsd-compat $(LIBS) ++ $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + + ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o + $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) +@@ -177,7 +177,7 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) libssh + $(LD) -o $@ ssh-keycat.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(SSHDLIBS) + + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o +- $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) ++ $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) + + sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o + $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) +diff -up openssh-6.3p1/authfile.c.fips openssh-6.3p1/authfile.c +--- openssh-6.3p1/authfile.c.fips 2013-10-11 22:24:32.857031153 +0200 ++++ openssh-6.3p1/authfile.c 2013-10-11 22:24:32.870031092 +0200 @@ -148,8 +148,14 @@ key_private_rsa1_to_blob(Key *key, Buffe /* Allocate space for the private part of the key in the buffer. */ cp = buffer_append_space(&encrypted, buffer_len(&buffer)); 
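Review bot: `-lfipscheck` is pasted verbatim into eight separate link lines in the Makefile.in hunk; a single variable defined next to the other library knobs, `LIBFIPSCHECK = -lfipscheck`, with each link line using `$(LIBFIPSCHECK)`, would keep the flag in one place and turn the next rebase of this hunk into a one-line change. Its position before `$(LIBS)` is correct for static link ordering, so that part needs no change. The scp, sftp-server and ssh-pkcs11-helper link lines are left without it, which is consistent only if those binaries never call into fipscheck; that cannot be told from this hunk, so a sentence in the patch header naming which binaries perform the FIPS integrity self-check would help the next maintainer.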
@@ -34,9 +78,22 @@ diff -up openssh-6.2p1/authfile.c.fips openssh-6.2p1/authfile.c cipher_crypt(&ciphercontext, cp, buffer_ptr(©), buffer_len(©), 0, 0); cipher_cleanup(&ciphercontext); -diff -up openssh-6.2p1/cipher.c.fips openssh-6.2p1/cipher.c ---- openssh-6.2p1/cipher.c.fips 2013-03-27 13:14:49.087683788 +0100 -+++ openssh-6.2p1/cipher.c 2013-03-27 13:14:49.177683431 +0100 +diff -up openssh-6.3p1/cipher-ctr.c.fips openssh-6.3p1/cipher-ctr.c +--- openssh-6.3p1/cipher-ctr.c.fips 2013-06-02 00:07:32.000000000 +0200 ++++ openssh-6.3p1/cipher-ctr.c 2013-10-11 22:24:32.870031092 +0200 +@@ -138,7 +138,8 @@ evp_aes_128_ctr(void) + aes_ctr.do_cipher = ssh_aes_ctr; + #ifndef SSH_OLD_EVP + aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | +- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; ++ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV | ++ EVP_CIPH_FLAG_FIPS; + #endif + return (&aes_ctr); + } +diff -up openssh-6.3p1/cipher.c.fips openssh-6.3p1/cipher.c +--- openssh-6.3p1/cipher.c.fips 2013-10-11 22:24:32.820031327 +0200 ++++ openssh-6.3p1/cipher.c 2013-10-11 22:24:32.871031087 +0200 @@ -40,6 +40,7 @@ #include 
@@ -45,54 +102,63 @@ diff -up openssh-6.2p1/cipher.c.fips openssh-6.2p1/cipher.c #include #include -@@ -89,6 +90,27 @@ struct Cipher ciphers[] = { +@@ -86,6 +87,27 @@ static const struct Cipher ciphers[] = { { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL } }; -+struct Cipher fips_ciphers[] = { -+ { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, -+ { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des }, -+ -+ { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc }, -+ { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc }, -+ { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc }, -+ { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc }, ++static const struct Cipher fips_ciphers[] = { ++ { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, ++ { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, ++ { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des }, ++ { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc }, ++ { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc }, ++ { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc }, ++ { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc }, + { "rijndael-cbc@lysator.liu.se", -+ SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc }, -+ { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr }, -+ { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_128_ctr }, -+ { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_128_ctr }, ++ SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc }, ++ { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr }, ++ { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr }, ++ { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr }, +#ifdef OPENSSL_HAVE_EVPGCM + { "aes128-gcm@openssh.com", + SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm }, + { 
"aes256-gcm@openssh.com", + SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm }, +#endif -+ { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, NULL } ++ { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL } +}; /*--*/ - u_int -@@ -143,7 +165,7 @@ Cipher * + /* Returns a comma-separated list of supported ciphers. */ +@@ -96,7 +118,7 @@ cipher_alg_list(void) + size_t nlen, rlen = 0; + const Cipher *c; + +- for (c = ciphers; c->name != NULL; c++) { ++ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) { + if (c->number != SSH_CIPHER_SSH2) + continue; + if (ret != NULL) +@@ -161,7 +183,7 @@ const Cipher * cipher_by_name(const char *name) { - Cipher *c; + const Cipher *c; - for (c = ciphers; c->name != NULL; c++) + for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) if (strcmp(c->name, name) == 0) return c; return NULL; -@@ -153,7 +175,7 @@ Cipher * +@@ -171,7 +193,7 @@ const Cipher * cipher_by_number(int id) { - Cipher *c; + const Cipher *c; - for (c = ciphers; c->name != NULL; c++) + for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) if (c->number == id) return c; return NULL; -@@ -197,7 +219,7 @@ cipher_number(const char *name) - Cipher *c; +@@ -215,7 +237,7 @@ cipher_number(const char *name) + const Cipher *c; if (name == NULL) return -1; - for (c = ciphers; c->name != NULL; c++) @@ -100,13 +166,13 @@ diff -up openssh-6.2p1/cipher.c.fips openssh-6.2p1/cipher.c if (strcasecmp(c->name, name) == 0) return c->number; return -1; -@@ -356,14 +378,15 @@ cipher_cleanup(CipherContext *cc) +@@ -374,14 +396,15 @@ cipher_cleanup(CipherContext *cc) * passphrase and using the resulting 16 bytes as the key. */ -void +int - cipher_set_key_string(CipherContext *cc, Cipher *cipher, + cipher_set_key_string(CipherContext *cc, const Cipher *cipher, const char *passphrase, int do_encrypt) { MD5_CTX md; 
@@ -118,7 +184,7 @@ diff -up openssh-6.2p1/cipher.c.fips openssh-6.2p1/cipher.c MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase)); MD5_Final(digest, &md); -@@ -371,6 +394,7 @@ cipher_set_key_string(CipherContext *cc, +@@ -389,6 +412,7 @@ cipher_set_key_string(CipherContext *cc, memset(digest, 0, sizeof(digest)); memset(&md, 0, sizeof(md)); 
@@ -126,34 +192,21 @@ diff -up openssh-6.2p1/cipher.c.fips openssh-6.2p1/cipher.c } /* -diff -up openssh-6.2p1/cipher-ctr.c.fips openssh-6.2p1/cipher-ctr.c ---- openssh-6.2p1/cipher-ctr.c.fips 2013-01-20 12:31:30.000000000 +0100 -+++ openssh-6.2p1/cipher-ctr.c 2013-03-27 13:14:49.177683431 +0100 -@@ -138,7 +138,8 @@ evp_aes_128_ctr(void) - aes_ctr.do_cipher = ssh_aes_ctr; - #ifndef SSH_OLD_EVP - aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | -- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; -+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV | -+ EVP_CIPH_FLAG_FIPS; - #endif - return (&aes_ctr); - } -diff -up openssh-6.2p1/cipher.h.fips openssh-6.2p1/cipher.h ---- openssh-6.2p1/cipher.h.fips 2013-03-27 13:14:49.088683784 +0100 -+++ openssh-6.2p1/cipher.h 2013-03-27 13:14:49.177683431 +0100 -@@ -91,7 +91,7 @@ void cipher_init(CipherContext *, Ciphe +diff -up openssh-6.3p1/cipher.h.fips openssh-6.3p1/cipher.h +--- openssh-6.3p1/cipher.h.fips 2013-10-11 22:24:32.820031327 +0200 ++++ openssh-6.3p1/cipher.h 2013-10-11 22:24:32.871031087 +0200 +@@ -92,7 +92,7 @@ void cipher_init(CipherContext *, const void cipher_crypt(CipherContext *, u_char *, const u_char *, u_int, u_int, u_int); void cipher_cleanup(CipherContext *); --void cipher_set_key_string(CipherContext *, Cipher *, const char *, int); -+int cipher_set_key_string(CipherContext *, Cipher *, const char *, int); +-void cipher_set_key_string(CipherContext *, const Cipher *, const char *, int); ++int cipher_set_key_string(CipherContext *, const Cipher *, const char *, int); u_int cipher_blocksize(const Cipher *); u_int cipher_keylen(const Cipher *); u_int cipher_authlen(const Cipher *); -diff -up openssh-6.2p1/key.c.fips openssh-6.2p1/key.c ---- openssh-6.2p1/key.c.fips 2013-03-27 13:14:49.100683736 +0100 -+++ openssh-6.2p1/key.c 2013-03-27 13:14:49.178683427 +0100 +diff -up openssh-6.3p1/key.c.fips openssh-6.3p1/key.c +--- openssh-6.3p1/key.c.fips 2013-10-11 22:24:32.821031322 +0200 ++++ 
openssh-6.3p1/key.c 2013-10-11 22:24:32.871031087 +0200 @@ -40,6 +40,7 @@ #include @@ -162,7 +215,7 @@ diff -up openssh-6.2p1/key.c.fips openssh-6.2p1/key.c #include #include -@@ -607,9 +608,13 @@ key_fingerprint_selection(void) +@@ -606,9 +607,13 @@ key_fingerprint_selection(void) char *env; if (!rv_defined) { @@ -179,9 +232,9 @@ diff -up openssh-6.2p1/key.c.fips openssh-6.2p1/key.c rv_defined = 1; } return rv; -diff -up openssh-6.2p1/mac.c.fips openssh-6.2p1/mac.c ---- openssh-6.2p1/mac.c.fips 2013-03-27 13:14:49.093683764 +0100 -+++ openssh-6.2p1/mac.c 2013-03-27 13:16:33.524266158 +0100 +diff -up openssh-6.3p1/mac.c.fips openssh-6.3p1/mac.c +--- openssh-6.3p1/mac.c.fips 2013-10-11 22:24:32.821031322 +0200 ++++ openssh-6.3p1/mac.c 2013-10-11 22:25:35.394737186 +0200 @@ -28,6 +28,7 @@ #include 
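Review bot: The rebased patch drops the cipher-ctr.c hunk that added `EVP_CIPH_FLAG_FIPS` to the hand-rolled aes_ctr EVP, while keeping the FIPS-only cipher table in cipher.c. That is only safe if 6.3p1 built against the target OpenSSL no longer uses the custom CTR implementation from cipher-ctr.c (presumably it takes OpenSSL's native CTR EVPs instead); otherwise any CTR entry in fips_ciphers would be advertised in FIPS mode but fail at EVP init because the custom cipher is not FIPS-flagged. Worth confirming against the 6.3p1 cipher-ctr.c build guard rather than relying on the rebase having made the hunk unnecessary.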
@@ -190,102 +243,56 @@ diff -up openssh-6.2p1/mac.c.fips openssh-6.2p1/mac.c #include #include -@@ -50,7 +51,7 @@ - #define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */ - #define SSH_UMAC128 3 - --struct { -+struct Macs { - char *name; - int type; - const EVP_MD * (*mdfunc)(void); -@@ -58,7 +59,9 @@ struct { - int key_len; /* just for UMAC */ - int len; /* just for UMAC */ +@@ -60,7 +61,7 @@ struct macalg { int etm; /* Encrypt-then-MAC */ --} macs[] = { -+}; -+ -+struct Macs all_macs[] = { + }; + +-static const struct macalg macs[] = { ++static const struct macalg all_macs[] = { /* Encrypt-and-MAC (encrypt-and-authenticate) variants */ { "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 }, { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, 0, 0, 0 }, -@@ -89,9 +92,19 @@ struct { +@@ -91,6 +92,18 @@ static const struct macalg macs[] = { { NULL, 0, NULL, 0, 0, 0, 0 } }; -+struct Macs fips_macs[] = { -+ { "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 }, ++static const struct macalg fips_macs[] = { ++ { "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 }, ++ { "hmac-sha1-etm@openssh.com", SSH_EVP, EVP_sha1, 0, 0, 0, 1 }, +#ifdef HAVE_EVP_SHA256 -+ { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, 0, 0, 0 }, -+ { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, 0, 0, 0 }, ++ { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, 0, 0, 0 }, ++ { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, 0, 0, 0 }, ++ { "hmac-sha2-256-etm@openssh.com", SSH_EVP, EVP_sha256, 0, 0, 0, 1 }, ++ { "hmac-sha2-512-etm@openssh.com", SSH_EVP, EVP_sha512, 0, 0, 0, 1 }, +#endif -+ { NULL, 0, NULL, 0, -1, -1 } ++ { NULL, 0, NULL, 0, 0, 0, 0 } +}; + - static void - mac_setup_by_id(Mac *mac, int which) + /* Returns a comma-separated list of supported MACs. */ + char * + mac_alg_list(void) +@@ -99,7 +112,7 @@ mac_alg_list(void) + size_t nlen, rlen = 0; + const struct macalg *m; + +- for (m = macs; m->name != NULL; m++) { ++ for (m = FIPS_mode() ? 
fips_macs : all_macs; m->name != NULL; m++) { + if (ret != NULL) + ret[rlen++] = '\n'; + nlen = strlen(m->name); +@@ -136,7 +149,7 @@ mac_setup(Mac *mac, char *name) { -+ struct Macs *macs = FIPS_mode() ? fips_macs : all_macs; - int evp_len; - mac->type = macs[which].type; - if (mac->type == SSH_EVP) { -@@ -113,6 +126,7 @@ int - mac_setup(Mac *mac, char *name) - { - int i; -+ struct Macs *macs = FIPS_mode() ? fips_macs : all_macs; + const struct macalg *m; - for (i = 0; macs[i].name; i++) { - if (strcmp(name, macs[i].name) == 0) { -diff -up openssh-6.2p1/Makefile.in.fips openssh-6.2p1/Makefile.in ---- openssh-6.2p1/Makefile.in.fips 2013-03-27 13:14:49.155683518 +0100 -+++ openssh-6.2p1/Makefile.in 2013-03-27 13:14:49.178683427 +0100 -@@ -145,25 +145,25 @@ libssh.a: $(LIBSSH_OBJS) - $(RANLIB) $@ - - ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) -- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS) -+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS) - - sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) -- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) -+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) - - scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o - $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) - - ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o -- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - - ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o -- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - - ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o -- 
$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - - ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o -- $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - - ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o - $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) -@@ -175,7 +175,7 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) libssh - $(LD) -o $@ ssh-keycat.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(SSHDLIBS) - - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o -- $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -+ $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) - - sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o - $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -diff -up openssh-6.2p1/myproposal.h.fips openssh-6.2p1/myproposal.h ---- openssh-6.2p1/myproposal.h.fips 2013-01-09 06:12:19.000000000 +0100 -+++ openssh-6.2p1/myproposal.h 2013-03-27 13:14:49.178683427 +0100 -@@ -106,6 +106,19 @@ +- for (m = macs; m->name != NULL; m++) { ++ for (m = FIPS_mode() ? 
fips_macs : all_macs; m->name != NULL; m++) { + if (strcmp(name, m->name) != 0) + continue; + if (mac != NULL) +diff -up openssh-6.3p1/myproposal.h.fips openssh-6.3p1/myproposal.h +--- openssh-6.3p1/myproposal.h.fips 2013-06-11 04:10:02.000000000 +0200 ++++ openssh-6.3p1/myproposal.h 2013-10-11 22:24:32.872031082 +0200 +@@ -114,6 +114,19 @@ #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib" #define KEX_DEFAULT_LANG "" @@ -305,9 +312,9 @@ diff -up openssh-6.2p1/myproposal.h.fips openssh-6.2p1/myproposal.h static char *myproposal[PROPOSAL_MAX] = { KEX_DEFAULT_KEX, -diff -up openssh-6.2p1/openbsd-compat/bsd-arc4random.c.fips openssh-6.2p1/openbsd-compat/bsd-arc4random.c ---- openssh-6.2p1/openbsd-compat/bsd-arc4random.c.fips 2010-03-25 22:52:02.000000000 +0100 -+++ openssh-6.2p1/openbsd-compat/bsd-arc4random.c 2013-03-27 13:14:49.179683423 +0100 +diff -up openssh-6.3p1/openbsd-compat/bsd-arc4random.c.fips openssh-6.3p1/openbsd-compat/bsd-arc4random.c +--- openssh-6.3p1/openbsd-compat/bsd-arc4random.c.fips 2010-03-25 22:52:02.000000000 +0100 ++++ openssh-6.3p1/openbsd-compat/bsd-arc4random.c 2013-10-11 22:24:32.872031082 +0200 @@ -37,25 +37,18 @@ #define REKEY_BYTES (1 << 24) @@ -363,9 +370,9 @@ diff -up openssh-6.2p1/openbsd-compat/bsd-arc4random.c.fips openssh-6.2p1/openbs } #endif /* !HAVE_ARC4RANDOM */ -diff -up openssh-6.2p2/ssh.c.fips openssh-6.2p2/ssh.c ---- openssh-6.2p2/ssh.c.fips 2013-04-05 02:22:36.000000000 +0200 -+++ openssh-6.2p2/ssh.c 2013-10-08 17:21:26.894761211 +0200 +diff -up openssh-6.3p1/ssh.c.fips openssh-6.3p1/ssh.c +--- openssh-6.3p1/ssh.c.fips 2013-07-25 03:55:53.000000000 +0200 ++++ openssh-6.3p1/ssh.c 2013-10-11 22:24:32.872031082 +0200 @@ -73,6 +73,8 @@ #include 
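Review bot: The rebased fips patch no longer carries the Makefile.in hunk that linked ssh, sshd, ssh-add, ssh-agent, ssh-keygen, ssh-keysign and ssh-keyscan with `-lfipscheck`, and nothing on the new side of this patch supplies that library, so whatever libfipscheck symbols the FIPS startup code in ssh.c/sshd.c references must presumably now come from the build itself (openssh.spec is also changed in this commit) — confirm, because a missing link flag breaks the build outright. On the mac.c side, `FIPS_mode() ? fips_macs : all_macs` is repeated in mac_alg_list and mac_setup, mirroring the repeated `FIPS_mode() ? fips_ciphers : ciphers` selection in cipher.c above; one static accessor such as `static const struct macalg *mac_table(void) { return FIPS_mode() ? fips_macs : all_macs; }` keeps the FIPS policy decision in a single place so a later table change cannot miss one lookup. The corrected terminator `{ NULL, 0, NULL, 0, 0, 0, 0 }` now matches the seven-field struct macalg, which the previous `{ NULL, 0, NULL, 0, -1, -1 }` did not.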
@@ -389,8 +396,8 @@ diff -up openssh-6.2p2/ssh.c.fips openssh-6.2p2/ssh.c #ifndef HAVE_SETPROCTITLE /* Prepare for later setproctitle emulation */ -@@ -329,6 +338,9 @@ main(int ac, char **av) - "ACD:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) { +@@ -330,6 +339,9 @@ main(int ac, char **av) + "ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { switch (opt) { case '1': + if (FIPS_mode()) { @@ -399,7 +406,7 @@ diff -up openssh-6.2p2/ssh.c.fips openssh-6.2p2/ssh.c options.protocol = SSH_PROTO_1; break; case '2': -@@ -628,7 +640,6 @@ main(int ac, char **av) +@@ -647,7 +659,6 @@ main(int ac, char **av) if (!host) usage(); @@ -407,7 +414,7 @@ diff -up openssh-6.2p2/ssh.c.fips openssh-6.2p2/ssh.c ERR_load_crypto_strings(); /* Initialize the command to execute on remote host. */ -@@ -719,6 +730,10 @@ main(int ac, char **av) +@@ -748,6 +759,10 @@ main(int ac, char **av) seed_rng(); @@ -418,7 +425,7 @@ diff -up openssh-6.2p2/ssh.c.fips openssh-6.2p2/ssh.c if (options.user == NULL) options.user = xstrdup(pw->pw_name); -@@ -787,6 +802,12 @@ main(int ac, char **av) +@@ -816,6 +831,12 @@ main(int ac, char **av) timeout_ms = options.connection_timeout * 1000; @@ -431,9 +438,9 @@ diff -up openssh-6.2p2/ssh.c.fips openssh-6.2p2/ssh.c /* Open a connection to the remote host. */ if (ssh_connect(host, &hostaddr, options.port, options.address_family, options.connection_attempts, &timeout_ms, -diff -up openssh-6.2p1/sshconnect2.c.fips openssh-6.2p1/sshconnect2.c ---- openssh-6.2p1/sshconnect2.c.fips 2013-03-27 13:14:49.066683871 +0100 -+++ openssh-6.2p1/sshconnect2.c 2013-03-27 13:14:49.179683423 +0100 +diff -up openssh-6.3p1/sshconnect2.c.fips openssh-6.3p1/sshconnect2.c +--- openssh-6.3p1/sshconnect2.c.fips 2013-10-11 22:24:32.810031374 +0200 ++++ openssh-6.3p1/sshconnect2.c 2013-10-11 22:24:32.873031077 +0200 @@ -44,6 +44,8 @@ #include #endif 
@@ -466,9 +473,9 @@ diff -up openssh-6.2p1/sshconnect2.c.fips openssh-6.2p1/sshconnect2.c if (options.hostkeyalgorithms != NULL) myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = options.hostkeyalgorithms; -diff -up openssh-6.2p2/sshd.c.fips openssh-6.2p2/sshd.c ---- openssh-6.2p2/sshd.c.fips 2013-10-08 17:14:05.455864248 +0200 -+++ openssh-6.2p2/sshd.c 2013-10-08 17:22:15.897527827 +0200 +diff -up openssh-6.3p1/sshd.c.fips openssh-6.3p1/sshd.c +--- openssh-6.3p1/sshd.c.fips 2013-10-11 22:24:32.842031223 +0200 ++++ openssh-6.3p1/sshd.c 2013-10-11 22:24:32.873031077 +0200 @@ -76,6 +76,8 @@ #include #include @@ -478,7 +485,7 @@ diff -up openssh-6.2p2/sshd.c.fips openssh-6.2p2/sshd.c #include "openbsd-compat/openssl-compat.h" #ifdef HAVE_SECUREWARE -@@ -1423,6 +1425,14 @@ main(int ac, char **av) +@@ -1450,6 +1452,14 @@ main(int ac, char **av) #endif __progname = ssh_get_progname(av[0]); @@ -493,18 +500,18 @@ diff -up openssh-6.2p2/sshd.c.fips openssh-6.2p2/sshd.c /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ saved_argc = ac; rexec_argc = ac; -@@ -1571,8 +1581,6 @@ main(int ac, char **av) +@@ -1601,8 +1611,6 @@ main(int ac, char **av) else closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); - OpenSSL_add_all_algorithms(); - - /* - * Force logging to stderr until we have loaded the private host - * key (unless started from inetd) -@@ -1715,6 +1723,10 @@ main(int ac, char **av) - debug("private host key: #%d type %d %s", i, key->type, - key_type(key)); + /* If requested, redirect the logs to the specified logfile. */ + if (logfile != NULL) { + log_redirect_stderr_to(logfile); +@@ -1773,6 +1781,10 @@ main(int ac, char **av) + debug("private host key: #%d type %d %s", i, keytype, + key_type(key ? key : pubkey)); } + if ((options.protocol & SSH_PROTO_1) && FIPS_mode()) { + logit("Disabling protocol version 1. Not allowed in the FIPS mode."); 
@@ -513,7 +520,7 @@ diff -up openssh-6.2p2/sshd.c.fips openssh-6.2p2/sshd.c if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) { logit("Disabling protocol version 1. Could not load host key"); options.protocol &= ~SSH_PROTO_1; -@@ -1878,6 +1890,10 @@ main(int ac, char **av) +@@ -1936,6 +1948,10 @@ main(int ac, char **av) /* Initialize the random number generator. */ arc4random_stir(); @@ -523,8 +530,8 @@ diff -up openssh-6.2p2/sshd.c.fips openssh-6.2p2/sshd.c + /* Chdir to the root directory so that the current disk can be unmounted if desired. */ - (void) chdir("/"); -@@ -2420,6 +2436,9 @@ do_ssh2_kex(void) + if (chdir("/") == -1) +@@ -2498,6 +2514,9 @@ do_ssh2_kex(void) if (options.ciphers != NULL) { myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; @@ -534,7 +541,7 @@ diff -up openssh-6.2p2/sshd.c.fips openssh-6.2p2/sshd.c } myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); -@@ -2429,6 +2448,9 @@ do_ssh2_kex(void) +@@ -2507,6 +2526,9 @@ do_ssh2_kex(void) if (options.macs != NULL) { myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; diff --git a/openssh-6.2p1-force_krb.patch b/openssh-6.3p1-force_krb.patch similarity index 81% rename from openssh-6.2p1-force_krb.patch rename to openssh-6.3p1-force_krb.patch index 5423171..695c0eb 100644 --- a/openssh-6.2p1-force_krb.patch +++ b/openssh-6.3p1-force_krb.patch @@ -1,6 +1,6 @@ -diff -up openssh-6.2p1/gss-serv-krb5.c.force_krb openssh-6.2p1/gss-serv-krb5.c ---- openssh-6.2p1/gss-serv-krb5.c.force_krb 2013-03-25 20:04:53.807817333 +0100 -+++ openssh-6.2p1/gss-serv-krb5.c 2013-03-25 20:04:53.818817403 +0100 +diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c +--- openssh-6.3p1/gss-serv-krb5.c.force_krb 2013-10-11 18:58:51.553948159 +0200 ++++ openssh-6.3p1/gss-serv-krb5.c 2013-10-11 21:40:49.972337025 +0200 @@ -32,7 +32,9 @@ #include 
@@ -11,7 +11,7 @@ diff -up openssh-6.2p1/gss-serv-krb5.c.force_krb openssh-6.2p1/gss-serv-krb5.c #include "xmalloc.h" #include "key.h" -@@ -40,12 +42,11 @@ +@@ -40,10 +42,12 @@ #include "auth.h" #include "log.h" #include "servconf.h" @@ -20,18 +20,14 @@ diff -up openssh-6.2p1/gss-serv-krb5.c.force_krb openssh-6.2p1/gss-serv-krb5.c #include "buffer.h" #include "ssh-gss.h" --extern ServerOptions options; -- ++extern Authctxt *the_authctxt; + extern ServerOptions options; + #ifdef HEIMDAL - # include - #else -@@ -56,6 +57,16 @@ extern ServerOptions options; - # endif +@@ -55,6 +59,13 @@ extern ServerOptions options; + # include #endif -+extern Authctxt *the_authctxt; -+extern ServerOptions options; -+ +/* all commands are allowed by default */ +char **k5users_allowed_cmds = NULL; + @@ -42,21 +38,16 @@ diff -up openssh-6.2p1/gss-serv-krb5.c.force_krb openssh-6.2p1/gss-serv-krb5.c static krb5_context krb_context = NULL; /* Initialise the krb5 library, for the stuff that GSSAPI won't do */ -@@ -83,10 +94,11 @@ ssh_gssapi_krb5_init(void) - */ - - static int --ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) -+ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *luser) - { +@@ -87,6 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client krb5_principal princ; int retval; + const char *errmsg; + int k5login_exists; if (ssh_gssapi_krb5_init() == 0) return 0; -@@ -97,10 +109,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client - krb5_get_err_text(krb_context, retval)); +@@ -98,10 +110,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client + krb5_free_error_message(krb_context, errmsg); return 0; } - if (krb5_kuserok(krb_context, princ, name)) { 
@@ -66,21 +57,20 @@ diff -up openssh-6.2p1/gss-serv-krb5.c.force_krb openssh-6.2p1/gss-serv-krb5.c + /* NOTE: .k5login and .k5users must opened as root, not the user, + * because if they are on a krb5-protected filesystem, user credentials + * to access these files aren't available yet. */ -+ if (krb5_kuserok(krb_context, princ, luser) && k5login_exists) { ++ if (krb5_kuserok(krb_context, princ, name) && k5login_exists) { retval = 1; logit("Authorized to %s, krb5 principal %s (krb5_kuserok)", -- name, (char *)client->displayname.value); -+ luser, (char *)client->displayname.value); + name, (char *)client->displayname.value); + } else if (ssh_gssapi_krb5_cmdok(princ, client->exportedname.value, -+ luser, k5login_exists)) { ++ name, k5login_exists)) { + retval = 1; + logit("Authorized to %s, krb5 principal %s " + "(ssh_gssapi_krb5_cmdok)", -+ luser, (char *)client->displayname.value); ++ name, (char *)client->displayname.value); } else retval = 0; -@@ -108,6 +132,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client +@@ -109,6 +133,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client return retval; } @@ -216,9 +206,9 @@ diff -up openssh-6.2p1/gss-serv-krb5.c.force_krb openssh-6.2p1/gss-serv-krb5.c /* This writes out any forwarded credentials from the structure populated * during userauth. Called after we have setuid to the user */ -diff -up openssh-6.2p1/session.c.force_krb openssh-6.2p1/session.c ---- openssh-6.2p1/session.c.force_krb 2013-03-25 20:04:53.724816810 +0100 -+++ openssh-6.2p1/session.c 2013-03-25 20:04:53.818817403 +0100 +diff -up openssh-6.3p1/session.c.force_krb openssh-6.3p1/session.c +--- openssh-6.3p1/session.c.force_krb 2013-10-11 18:58:51.487948468 +0200 ++++ openssh-6.3p1/session.c 2013-10-11 18:58:51.563948112 +0200 @@ -823,6 +823,29 @@ do_exec(Session *s, const char *command) debug("Forced command (key option) '%.900s'", command); } 
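Review bot: On the new side the krb5_kuserok branch is taken only when `k5login_exists` is also set, so a principal that krb5_kuserok would accept through its fallback when no .k5login file is present no longer authorizes here and is decided entirely by ssh_gssapi_krb5_cmdok, whose body lies outside this hunk — confirm that it reproduces that mapping rather than a broader or narrower rule, since this is the authorization decision for GSSAPI logins. The comment introduced above that check has a typo; it should read `/* NOTE: .k5login and .k5users must be opened as root, not the user, */`. ssh_gssapi_krb5_userok begins before this hunk.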
@@ -249,10 +239,24 @@ diff -up openssh-6.2p1/session.c.force_krb openssh-6.2p1/session.c #ifdef SSH_AUDIT_EVENTS if (s->command != NULL || s->command_handle != -1) fatal("do_exec: command already set"); -diff -up openssh-6.2p1/sshd.8.force_krb openssh-6.2p1/sshd.8 ---- openssh-6.2p1/sshd.8.force_krb 2013-03-25 20:04:53.787817207 +0100 -+++ openssh-6.2p1/sshd.8 2013-03-25 20:04:53.819817409 +0100 -@@ -323,6 +323,7 @@ Finally, the server and the client enter +diff -up openssh-6.3p1/ssh-gss.h.force_krb openssh-6.3p1/ssh-gss.h +--- openssh-6.3p1/ssh-gss.h.force_krb 2013-10-11 18:58:51.558948136 +0200 ++++ openssh-6.3p1/ssh-gss.h 2013-10-11 18:58:51.563948112 +0200 +@@ -49,6 +49,10 @@ + # endif /* !HAVE_DECL_GSS_C_NT_... */ + + # endif /* !HEIMDAL */ ++ ++/* .k5users support */ ++extern char **k5users_allowed_cmds; ++ + #endif /* KRB5 */ + + /* draft-ietf-secsh-gsskeyex-06 */ +diff -up openssh-6.3p1/sshd.8.force_krb openssh-6.3p1/sshd.8 +--- openssh-6.3p1/sshd.8.force_krb 2013-10-11 18:58:51.537948234 +0200 ++++ openssh-6.3p1/sshd.8 2013-10-11 18:58:51.563948112 +0200 +@@ -326,6 +326,7 @@ Finally, the server and the client enter The client tries to authenticate itself using host-based authentication, public key authentication, @@ -260,7 +264,7 @@ diff -up openssh-6.2p1/sshd.8.force_krb openssh-6.2p1/sshd.8 challenge-response authentication, or password authentication. .Pp -@@ -796,6 +797,12 @@ This file is used in exactly the same wa +@@ -797,6 +798,12 @@ This file is used in exactly the same wa but allows host-based authentication without permitting login with rlogin/rsh. .Pp 
@@ -273,17 +277,3 @@ diff -up openssh-6.2p1/sshd.8.force_krb openssh-6.2p1/sshd.8 .It Pa ~/.ssh/ This directory is the default location for all user-specific configuration and authentication information. -diff -up openssh-6.2p1/ssh-gss.h.force_krb openssh-6.2p1/ssh-gss.h ---- openssh-6.2p1/ssh-gss.h.force_krb 2013-03-25 20:04:53.819817409 +0100 -+++ openssh-6.2p1/ssh-gss.h 2013-03-25 20:05:26.463023197 +0100 -@@ -49,6 +49,10 @@ - # endif /* !HAVE_DECL_GSS_C_NT_... */ - - # endif /* !HEIMDAL */ -+ -+/* .k5users support */ -+extern char **k5users_allowed_cmds; -+ - #endif /* KRB5 */ - - /* draft-ietf-secsh-gsskeyex-06 */ diff --git a/openssh-6.2p1-gsskex.patch b/openssh-6.3p1-gsskex.patch similarity index 88% rename from openssh-6.2p1-gsskex.patch rename to openssh-6.3p1-gsskex.patch index f1fe8d1..7161b34 100644 --- a/openssh-6.2p1-gsskex.patch +++ b/openssh-6.3p1-gsskex.patch 
@@ -1,243 +1,6 @@ -diff -up openssh-6.2p1/auth2.c.gsskex openssh-6.2p1/auth2.c ---- openssh-6.2p1/auth2.c.gsskex 2013-03-27 13:19:11.062624591 +0100 -+++ openssh-6.2p1/auth2.c 2013-03-27 13:19:11.140624271 +0100 -@@ -69,6 +69,7 @@ extern Authmethod method_passwd; - extern Authmethod method_kbdint; - extern Authmethod method_hostbased; - #ifdef GSSAPI -+extern Authmethod method_gsskeyex; - extern Authmethod method_gssapi; - #endif - #ifdef JPAKE -@@ -79,6 +80,7 @@ Authmethod *authmethods[] = { - &method_none, - &method_pubkey, - #ifdef GSSAPI -+ &method_gsskeyex, - &method_gssapi, - #endif - #ifdef JPAKE -diff -up openssh-6.2p1/auth2-gss.c.gsskex openssh-6.2p1/auth2-gss.c ---- openssh-6.2p1/auth2-gss.c.gsskex 2013-03-27 13:19:11.062624591 +0100 -+++ openssh-6.2p1/auth2-gss.c 2013-03-27 13:19:11.141624267 +0100 -@@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u - static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); - static void input_gssapi_errtok(int, u_int32_t, void *); - -+/* -+ * The 'gssapi_keyex' userauth mechanism. 
-+ */ -+static int -+userauth_gsskeyex(Authctxt *authctxt) -+{ -+ int authenticated = 0; -+ Buffer b; -+ gss_buffer_desc mic, gssbuf; -+ u_int len; -+ -+ mic.value = packet_get_string(&len); -+ mic.length = len; -+ -+ packet_check_eom(); -+ -+ ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service, -+ "gssapi-keyex"); -+ -+ gssbuf.value = buffer_ptr(&b); -+ gssbuf.length = buffer_len(&b); -+ -+ /* gss_kex_context is NULL with privsep, so we can't check it here */ -+ if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, -+ &gssbuf, &mic)))) -+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, -+ authctxt->pw)); -+ -+ buffer_free(&b); -+ xfree(mic.value); -+ -+ return (authenticated); -+} -+ - /* - * We only support those mechanisms that we know about (ie ones that we know - * how to check local user kuserok and the like) -@@ -244,7 +278,8 @@ input_gssapi_exchange_complete(int type, - - packet_check_eom(); - -- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); -+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, -+ authctxt->pw)); - - authctxt->postponed = 0; - dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); -@@ -286,7 +321,8 @@ input_gssapi_mic(int type, u_int32_t ple - gssbuf.length = buffer_len(&b); - - if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) -- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); -+ authenticated = -+ PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw)); - else - logit("GSSAPI MIC check failed"); - -@@ -303,6 +339,12 @@ input_gssapi_mic(int type, u_int32_t ple - userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); - } - -+Authmethod method_gsskeyex = { -+ "gssapi-keyex", -+ userauth_gsskeyex, -+ &options.gss_authentication -+}; -+ - Authmethod method_gssapi = { - "gssapi-with-mic", - userauth_gssapi, -diff -up openssh-6.2p1/auth-krb5.c.gsskex openssh-6.2p1/auth-krb5.c ---- openssh-6.2p1/auth-krb5.c.gsskex 2012-04-26 01:52:15.000000000 +0200 -+++ 
openssh-6.2p1/auth-krb5.c 2013-03-27 13:19:11.140624271 +0100 -@@ -50,6 +50,7 @@ - #include - #include - #include -+#include - #include - - extern ServerOptions options; -@@ -77,6 +78,7 @@ auth_krb5_password(Authctxt *authctxt, c - #endif - krb5_error_code problem; - krb5_ccache ccache = NULL; -+ const char *ccache_type; - int len; - char *client, *platform_client; - -@@ -166,12 +168,30 @@ auth_krb5_password(Authctxt *authctxt, c - goto out; - #endif - -+ ccache_type = krb5_cc_get_type(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache); - authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache); - -- len = strlen(authctxt->krb5_ticket_file) + 6; -+ if (authctxt->krb5_ticket_file[0] == ':') -+ authctxt->krb5_ticket_file++; -+ -+ len = strlen(authctxt->krb5_ticket_file) + strlen(ccache_type); - authctxt->krb5_ccname = xmalloc(len); -- snprintf(authctxt->krb5_ccname, len, "FILE:%s", -+ -+#ifdef USE_CCAPI -+ snprintf(authctxt->krb5_ccname, len, "API:%s", - authctxt->krb5_ticket_file); -+#else -+ snprintf(authctxt->krb5_ccname, len, "%s:%s", -+ ccache_type, authctxt->krb5_ticket_file); -+#endif -+ -+ if (strcmp(ccache_type, "DIR") == 0) { -+ char *p; -+ p = strrchr(authctxt->krb5_ccname, '/'); -+ if (p) -+ *p = '\0'; -+ } -+ - - #ifdef USE_PAM - if (options.use_pam) -@@ -208,10 +228,30 @@ auth_krb5_password(Authctxt *authctxt, c - void - krb5_cleanup_proc(Authctxt *authctxt) - { -+ struct stat krb5_ccname_stat; -+ char krb5_ccname[128], *krb5_ccname_dir_start, *krb5_ccname_dir_end; -+ - debug("krb5_cleanup_proc called"); - if (authctxt->krb5_fwd_ccache) { - krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache); - authctxt->krb5_fwd_ccache = NULL; -+ -+ strncpy(krb5_ccname, authctxt->krb5_ccname, sizeof(krb5_ccname) - 10); -+ krb5_ccname_dir_start = strchr(krb5_ccname, ':') + 1; -+ strcat(krb5_ccname_dir_start, "/primary"); -+ -+ if (stat(krb5_ccname_dir_start, &krb5_ccname_stat) == 0) { -+ if 
(unlink(krb5_ccname_dir_start) == 0) { -+ krb5_ccname_dir_end = strrchr(krb5_ccname_dir_start, '/'); -+ *krb5_ccname_dir_end = '\0'; -+ if (rmdir(krb5_ccname_dir_start) == -1) -+ debug("cache dir '%s' remove failed: %s", krb5_ccname_dir_start, strerror(errno)); -+ } -+ else -+ debug("cache primary file '%s', remove failed: %s", -+ krb5_ccname_dir_start, strerror(errno) -+ ); -+ } - } - if (authctxt->krb5_user) { - krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user); -@@ -226,31 +266,45 @@ krb5_cleanup_proc(Authctxt *authctxt) - #ifndef HEIMDAL - krb5_error_code - ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { -- int tmpfd, ret, oerrno; -- char ccname[40]; -+ int ret, oerrno; -+ char ccname[128]; -+#ifdef USE_CCAPI -+ char cctemplate[] = "API:krb5cc_%d"; -+#else - mode_t old_umask; -+ char cctemplate[] = "DIR:/run/user/%d/krb5cc_XXXXXXXXXX"; -+ char *tmpdir; -+#endif - -- ret = snprintf(ccname, sizeof(ccname), -- "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid()); -+ ret = snprintf(ccname, sizeof(ccname), cctemplate, geteuid()); - if (ret < 0 || (size_t)ret >= sizeof(ccname)) - return ENOMEM; - -- old_umask = umask(0177); -- tmpfd = mkstemp(ccname + strlen("FILE:")); -+#ifndef USE_CCAPI -+ old_umask = umask(0077); -+ tmpdir = mkdtemp(ccname + strlen("DIR:")); - oerrno = errno; -+ if (tmpdir == NULL && errno == ENOENT) { -+ /* /run/user/uid doesn't exist -> fallback to /tmp */ -+ ret = snprintf(ccname, sizeof(ccname), "DIR:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid()); -+ if (ret < 0 || (size_t)ret >= sizeof(ccname)) -+ return ENOMEM; -+ tmpdir = mkdtemp(ccname + strlen("DIR:")); -+ oerrno = errno; -+ } -+ - umask(old_umask); -- if (tmpfd == -1) { -- logit("mkstemp(): %.100s", strerror(oerrno)); -+ if (tmpdir == NULL) { -+ logit("mkdtemp(): %s - %.100s", ccname, strerror(oerrno)); - return oerrno; - } - -- if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) { -+ if (chmod(tmpdir, S_IRUSR | S_IWUSR | S_IXUSR) == -1) { - oerrno = errno; -- logit("fchmod(): %.100s", 
strerror(oerrno)); -- close(tmpfd); -+ logit("chmod(): %s - %.100s", ccname, strerror(oerrno)); - return oerrno; - } -- close(tmpfd); -+#endif - - return (krb5_cc_resolve(ctx, ccname, ccache)); - } -diff -up openssh-6.2p1/ChangeLog.gssapi.gsskex openssh-6.2p1/ChangeLog.gssapi ---- openssh-6.2p1/ChangeLog.gssapi.gsskex 2013-03-27 13:19:11.143624259 +0100 -+++ openssh-6.2p1/ChangeLog.gssapi 2013-03-27 13:19:11.143624259 +0100 +diff -up openssh-6.3p1/ChangeLog.gssapi.gsskex openssh-6.3p1/ChangeLog.gssapi +--- openssh-6.3p1/ChangeLog.gssapi.gsskex 2013-10-11 15:15:17.284216176 +0200 ++++ openssh-6.3p1/ChangeLog.gssapi 2013-10-11 15:15:17.284216176 +0200 @@ -0,0 +1,113 @@ +20110101 + - Finally update for OpenSSH 5.6p1 
@@ -352,9 +115,266 @@ diff -up openssh-6.2p1/ChangeLog.gssapi.gsskex openssh-6.2p1/ChangeLog.gssapi + add support for GssapiTrustDns option for gssapi-with-mic + (from jbasney AT ncsa.uiuc.edu) + -diff -up openssh-6.2p1/clientloop.c.gsskex openssh-6.2p1/clientloop.c ---- openssh-6.2p1/clientloop.c.gsskex 2013-03-27 13:19:11.001624842 +0100 -+++ openssh-6.2p1/clientloop.c 2013-03-27 13:19:11.141624267 +0100 +diff -up openssh-6.3p1/Makefile.in.gsskex openssh-6.3p1/Makefile.in +--- openssh-6.3p1/Makefile.in.gsskex 2013-10-11 15:15:17.281216190 +0200 ++++ openssh-6.3p1/Makefile.in 2013-10-11 15:15:17.289216153 +0200 +@@ -77,6 +77,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o + atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ + monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ + kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ ++ kexgssc.o \ + msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ + jpake.o schnorr.o ssh-pkcs11.o krl.o auditstub.o + +@@ -93,7 +94,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw + auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ + monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ + auth-krb5.o \ +- auth2-gss.o gss-serv.o gss-serv-krb5.o \ ++ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\ + loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ + sftp-server.o sftp-common.o \ + roaming_common.o roaming_serv.o \ +diff -up openssh-6.3p1/auth-krb5.c.gsskex openssh-6.3p1/auth-krb5.c +--- openssh-6.3p1/auth-krb5.c.gsskex 2013-08-04 13:48:41.000000000 +0200 ++++ openssh-6.3p1/auth-krb5.c 2013-10-11 15:43:50.261299742 +0200 +@@ -50,6 +50,7 @@ + #include + #include + #include ++#include + #include + + extern ServerOptions options; +@@ -77,6 +78,7 @@ auth_krb5_password(Authctxt *authctxt, c + #endif + krb5_error_code problem; + krb5_ccache ccache = NULL; ++ const char *ccache_type; + int len; + char *client, *platform_client; + const char 
*errmsg; +@@ -177,12 +179,30 @@ auth_krb5_password(Authctxt *authctxt, c + goto out; + #endif + ++ ccache_type = krb5_cc_get_type(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache); + authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache); + +- len = strlen(authctxt->krb5_ticket_file) + 6; ++ if (authctxt->krb5_ticket_file[0] == ':') ++ authctxt->krb5_ticket_file++; ++ ++ len = strlen(authctxt->krb5_ticket_file) + strlen(ccache_type); + authctxt->krb5_ccname = xmalloc(len); +- snprintf(authctxt->krb5_ccname, len, "FILE:%s", ++ ++#ifdef USE_CCAPI ++ snprintf(authctxt->krb5_ccname, len, "API:%s", + authctxt->krb5_ticket_file); ++#else ++ snprintf(authctxt->krb5_ccname, len, "%s:%s", ++ ccache_type, authctxt->krb5_ticket_file); ++#endif ++ ++ if (strcmp(ccache_type, "DIR") == 0) { ++ char *p; ++ p = strrchr(authctxt->krb5_ccname, '/'); ++ if (p) ++ *p = '\0'; ++ } ++ + + #ifdef USE_PAM + if (options.use_pam) +@@ -221,10 +241,30 @@ auth_krb5_password(Authctxt *authctxt, c + void + krb5_cleanup_proc(Authctxt *authctxt) + { ++ struct stat krb5_ccname_stat; ++ char krb5_ccname[128], *krb5_ccname_dir_start, *krb5_ccname_dir_end; ++ + debug("krb5_cleanup_proc called"); + if (authctxt->krb5_fwd_ccache) { + krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache); + authctxt->krb5_fwd_ccache = NULL; ++ ++ strncpy(krb5_ccname, authctxt->krb5_ccname, sizeof(krb5_ccname) - 10); ++ krb5_ccname_dir_start = strchr(krb5_ccname, ':') + 1; ++ strcat(krb5_ccname_dir_start, "/primary"); ++ ++ if (stat(krb5_ccname_dir_start, &krb5_ccname_stat) == 0) { ++ if (unlink(krb5_ccname_dir_start) == 0) { ++ krb5_ccname_dir_end = strrchr(krb5_ccname_dir_start, '/'); ++ *krb5_ccname_dir_end = '\0'; ++ if (rmdir(krb5_ccname_dir_start) == -1) ++ debug("cache dir '%s' remove failed: %s", krb5_ccname_dir_start, strerror(errno)); ++ } ++ else ++ debug("cache primary file '%s', remove failed: %s", ++ krb5_ccname_dir_start, strerror(errno) ++ ); ++ } + } + 
if (authctxt->krb5_user) { + krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user); +@@ -239,31 +279,45 @@ krb5_cleanup_proc(Authctxt *authctxt) + #ifndef HEIMDAL + krb5_error_code + ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { +- int tmpfd, ret, oerrno; +- char ccname[40]; ++ int ret, oerrno; ++ char ccname[128]; ++#ifdef USE_CCAPI ++ char cctemplate[] = "API:krb5cc_%d"; ++#else + mode_t old_umask; ++ char cctemplate[] = "DIR:/run/user/%d/krb5cc_XXXXXXXXXX"; ++ char *tmpdir; ++#endif + +- ret = snprintf(ccname, sizeof(ccname), +- "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid()); ++ ret = snprintf(ccname, sizeof(ccname), cctemplate, geteuid()); + if (ret < 0 || (size_t)ret >= sizeof(ccname)) + return ENOMEM; + +- old_umask = umask(0177); +- tmpfd = mkstemp(ccname + strlen("FILE:")); ++#ifndef USE_CCAPI ++ old_umask = umask(0077); ++ tmpdir = mkdtemp(ccname + strlen("DIR:")); + oerrno = errno; ++ if (tmpdir == NULL && errno == ENOENT) { ++ /* /run/user/uid doesn't exist -> fallback to /tmp */ ++ ret = snprintf(ccname, sizeof(ccname), "DIR:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid()); ++ if (ret < 0 || (size_t)ret >= sizeof(ccname)) ++ return ENOMEM; ++ tmpdir = mkdtemp(ccname + strlen("DIR:")); ++ oerrno = errno; ++ } ++ + umask(old_umask); +- if (tmpfd == -1) { +- logit("mkstemp(): %.100s", strerror(oerrno)); ++ if (tmpdir == NULL) { ++ logit("mkdtemp(): %s - %.100s", ccname, strerror(oerrno)); + return oerrno; + } + +- if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) { ++ if (chmod(tmpdir, S_IRUSR | S_IWUSR | S_IXUSR) == -1) { + oerrno = errno; +- logit("fchmod(): %.100s", strerror(oerrno)); +- close(tmpfd); ++ logit("chmod(): %s - %.100s", ccname, strerror(oerrno)); + return oerrno; + } +- close(tmpfd); ++#endif + + return (krb5_cc_resolve(ctx, ccname, ccache)); + } +diff -up openssh-6.3p1/auth2-gss.c.gsskex openssh-6.3p1/auth2-gss.c +--- openssh-6.3p1/auth2-gss.c.gsskex 2013-10-11 15:15:17.213216506 +0200 ++++ openssh-6.3p1/auth2-gss.c 2013-10-11 
15:15:17.283216181 +0200 +@@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u + static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); + static void input_gssapi_errtok(int, u_int32_t, void *); + ++/* ++ * The 'gssapi_keyex' userauth mechanism. ++ */ ++static int ++userauth_gsskeyex(Authctxt *authctxt) ++{ ++ int authenticated = 0; ++ Buffer b; ++ gss_buffer_desc mic, gssbuf; ++ u_int len; ++ ++ mic.value = packet_get_string(&len); ++ mic.length = len; ++ ++ packet_check_eom(); ++ ++ ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service, ++ "gssapi-keyex"); ++ ++ gssbuf.value = buffer_ptr(&b); ++ gssbuf.length = buffer_len(&b); ++ ++ /* gss_kex_context is NULL with privsep, so we can't check it here */ ++ if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, ++ &gssbuf, &mic)))) ++ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, ++ authctxt->pw)); ++ ++ buffer_free(&b); ++ free(mic.value); ++ ++ return (authenticated); ++} ++ + /* + * We only support those mechanisms that we know about (ie ones that we know + * how to check local user kuserok and the like) +@@ -240,7 +274,8 @@ input_gssapi_exchange_complete(int type, + + packet_check_eom(); + +- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); ++ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, ++ authctxt->pw)); + + authctxt->postponed = 0; + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); +@@ -282,7 +317,8 @@ input_gssapi_mic(int type, u_int32_t ple + gssbuf.length = buffer_len(&b); + + if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) +- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); ++ authenticated = ++ PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw)); + else + logit("GSSAPI MIC check failed"); + +@@ -299,6 +335,12 @@ input_gssapi_mic(int type, u_int32_t ple + userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); + } + ++Authmethod method_gsskeyex = { ++ "gssapi-keyex", ++ 
userauth_gsskeyex, ++ &options.gss_authentication ++}; ++ + Authmethod method_gssapi = { + "gssapi-with-mic", + userauth_gssapi, +diff -up openssh-6.3p1/auth2.c.gsskex openssh-6.3p1/auth2.c +--- openssh-6.3p1/auth2.c.gsskex 2013-10-11 15:15:17.214216502 +0200 ++++ openssh-6.3p1/auth2.c 2013-10-11 15:15:17.283216181 +0200 +@@ -69,6 +69,7 @@ extern Authmethod method_passwd; + extern Authmethod method_kbdint; + extern Authmethod method_hostbased; + #ifdef GSSAPI ++extern Authmethod method_gsskeyex; + extern Authmethod method_gssapi; + #endif + #ifdef JPAKE +@@ -79,6 +80,7 @@ Authmethod *authmethods[] = { + &method_none, + &method_pubkey, + #ifdef GSSAPI ++ &method_gsskeyex, + &method_gssapi, + #endif + #ifdef JPAKE +diff -up openssh-6.3p1/clientloop.c.gsskex openssh-6.3p1/clientloop.c +--- openssh-6.3p1/clientloop.c.gsskex 2013-10-11 15:15:17.178216669 +0200 ++++ openssh-6.3p1/clientloop.c 2013-10-11 15:15:17.284216176 +0200 @@ -111,6 +111,10 @@ #include "msg.h" #include "roaming.h" @@ -366,7 +386,7 @@ diff -up openssh-6.2p1/clientloop.c.gsskex openssh-6.2p1/clientloop.c /* import options */ extern Options options; -@@ -1599,6 +1603,15 @@ client_loop(int have_pty, int escape_cha +@@ -1608,6 +1612,15 @@ client_loop(int have_pty, int escape_cha /* Do channel operations unless rekeying in progress. */ if (!rekeying) { channel_after_select(readset, writeset); 
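Review bot: In the new auth_krb5_password lines, `len = strlen(authctxt->krb5_ticket_file) + strlen(ccache_type);` reserves no room for the ':' separator or the terminating NUL, so the following `snprintf(authctxt->krb5_ccname, len, "%s:%s", ccache_type, authctxt->krb5_ticket_file);` silently drops the last two characters of the cache name; the DIR branch hides this because it then truncates at the last '/', but any other cache type ends up with a mangled KRB5CCNAME. The line should read `len = strlen(authctxt->krb5_ticket_file) + strlen(ccache_type) + 2;` (the removed code reserved `+ 6` for "FILE:" plus NUL for the same reason). In krb5_cleanup_proc, `strncpy(krb5_ccname, authctxt->krb5_ccname, sizeof(krb5_ccname) - 10);` does not guarantee NUL termination before the `strcat`, and `strchr(krb5_ccname, ':') + 1` becomes an invalid pointer if no ':' is present; copying with strlcpy and checking the strchr result before adding 1 would make the cleanup robust against an unexpected name. auth_krb5_password itself starts outside the hunk.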
@@ -382,10 +402,10 @@ diff -up openssh-6.2p1/clientloop.c.gsskex openssh-6.2p1/clientloop.c if (need_rekeying || packet_need_rekeying()) { debug("need rekeying"); xxx_kex->done = 0; -diff -up openssh-6.2p1/configure.ac.gsskex openssh-6.2p1/configure.ac ---- openssh-6.2p1/configure.ac.gsskex 2013-03-27 13:19:11.128624320 +0100 -+++ openssh-6.2p1/configure.ac 2013-03-27 13:19:11.142624263 +0100 -@@ -533,6 +533,30 @@ main() { if (NSVersionOfRunTimeLibrary(" +diff -up openssh-6.3p1/configure.ac.gsskex openssh-6.3p1/configure.ac +--- openssh-6.3p1/configure.ac.gsskex 2013-10-11 15:15:17.273216227 +0200 ++++ openssh-6.3p1/configure.ac 2013-10-11 15:15:17.285216171 +0200 +@@ -548,6 +548,30 @@ main() { if (NSVersionOfRunTimeLibrary(" [Use tunnel device compatibility to OpenBSD]) AC_DEFINE([SSH_TUN_PREPEND_AF], [1], [Prepend the address family to IP tunnel traffic]) @@ -416,18 +436,9 @@ diff -up openssh-6.2p1/configure.ac.gsskex openssh-6.2p1/configure.ac m4_pattern_allow([AU_IPv]) AC_CHECK_DECL([AU_IPv4], [], AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) -diff -up openssh-6.2p1/gss-genr.c.gsskex openssh-6.2p1/gss-genr.c ---- openssh-6.2p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200 -+++ openssh-6.2p1/gss-genr.c 2013-03-27 13:19:11.142624263 +0100 -@@ -1,7 +1,7 @@ - /* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */ - - /* -- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. -+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions +diff -up openssh-6.3p1/gss-genr.c.gsskex openssh-6.3p1/gss-genr.c +--- openssh-6.3p1/gss-genr.c.gsskex 2013-06-01 23:31:18.000000000 +0200 ++++ openssh-6.3p1/gss-genr.c 2013-10-11 15:15:17.286216167 +0200 @@ -39,12 +39,167 @@ #include "buffer.h" #include "log.h" 
@@ -494,8 +505,8 @@ diff -up openssh-6.2p1/gss-genr.c.gsskex openssh-6.2p1/gss-genr.c + + if (gss_enc2oid != NULL) { + for (i = 0; gss_enc2oid[i].encoded != NULL; i++) -+ xfree(gss_enc2oid[i].encoded); -+ xfree(gss_enc2oid); ++ free(gss_enc2oid[i].encoded); ++ free(gss_enc2oid); + } + + gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) * @@ -552,7 +563,7 @@ diff -up openssh-6.2p1/gss-genr.c.gsskex openssh-6.2p1/gss-genr.c + buffer_free(&buf); + + if (strlen(mechs) == 0) { -+ xfree(mechs); ++ free(mechs); + mechs = NULL; + } + 
@@ -766,9 +777,133 @@ diff -up openssh-6.2p1/gss-genr.c.gsskex openssh-6.2p1/gss-genr.c +} + #endif /* GSSAPI */ -diff -up openssh-6.2p1/gss-serv.c.gsskex openssh-6.2p1/gss-serv.c ---- openssh-6.2p1/gss-serv.c.gsskex 2011-08-05 22:16:46.000000000 +0200 -+++ openssh-6.2p1/gss-serv.c 2013-03-27 13:19:11.142624263 +0100 +diff -up openssh-6.3p1/gss-serv-krb5.c.gsskex openssh-6.3p1/gss-serv-krb5.c +--- openssh-6.3p1/gss-serv-krb5.c.gsskex 2013-07-20 05:35:45.000000000 +0200 ++++ openssh-6.3p1/gss-serv-krb5.c 2013-10-11 15:26:02.165189578 +0200 +@@ -120,7 +120,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl + krb5_error_code problem; + krb5_principal princ; + OM_uint32 maj_status, min_status; +- int len; ++ const char *new_ccname, *new_cctype; + const char *errmsg; + + if (client->creds == NULL) { +@@ -174,11 +174,25 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl + return; + } + +- client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache)); ++ new_cctype = krb5_cc_get_type(krb_context, ccache); ++ new_ccname = krb5_cc_get_name(krb_context, ccache); ++ + client->store.envvar = "KRB5CCNAME"; +- len = strlen(client->store.filename) + 6; +- client->store.envval = xmalloc(len); +- snprintf(client->store.envval, len, "FILE:%s", client->store.filename); ++#ifdef USE_CCAPI ++ xasprintf(&client->store.envval, "API:%s", new_ccname); ++ client->store.filename = NULL; ++#else ++ if (new_ccname[0] == ':') ++ new_ccname++; ++ xasprintf(&client->store.envval, "%s:%s", new_cctype, new_ccname); ++ if (strcmp(new_cctype, "DIR") == 0) { ++ char *p; ++ p = strrchr(client->store.envval, '/'); ++ if (p) ++ *p = '\0'; ++ } ++ client->store.filename = xstrdup(new_ccname); ++#endif + + #ifdef USE_PAM + if (options.use_pam) +@@ -190,6 +204,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl + return; + } + ++int ++ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store, ++ ssh_gssapi_client *client) ++{ ++ krb5_ccache ccache = NULL; ++ krb5_principal principal = NULL; ++ char *name = NULL; ++ 
krb5_error_code problem; ++ OM_uint32 maj_status, min_status; ++ ++ if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) { ++ logit("krb5_cc_resolve(): %.100s", ++ krb5_get_err_text(krb_context, problem)); ++ return 0; ++ } ++ ++ /* Find out who the principal in this cache is */ ++ if ((problem = krb5_cc_get_principal(krb_context, ccache, ++ &principal))) { ++ logit("krb5_cc_get_principal(): %.100s", ++ krb5_get_err_text(krb_context, problem)); ++ krb5_cc_close(krb_context, ccache); ++ return 0; ++ } ++ ++ if ((problem = krb5_unparse_name(krb_context, principal, &name))) { ++ logit("krb5_unparse_name(): %.100s", ++ krb5_get_err_text(krb_context, problem)); ++ krb5_free_principal(krb_context, principal); ++ krb5_cc_close(krb_context, ccache); ++ return 0; ++ } ++ ++ ++ if (strcmp(name,client->exportedname.value)!=0) { ++ debug("Name in local credentials cache differs. Not storing"); ++ krb5_free_principal(krb_context, principal); ++ krb5_cc_close(krb_context, ccache); ++ krb5_free_unparsed_name(krb_context, name); ++ return 0; ++ } ++ krb5_free_unparsed_name(krb_context, name); ++ ++ /* Name matches, so lets get on with it! */ ++ ++ if ((problem = krb5_cc_initialize(krb_context, ccache, principal))) { ++ logit("krb5_cc_initialize(): %.100s", ++ krb5_get_err_text(krb_context, problem)); ++ krb5_free_principal(krb_context, principal); ++ krb5_cc_close(krb_context, ccache); ++ return 0; ++ } ++ ++ krb5_free_principal(krb_context, principal); ++ ++ if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds, ++ ccache))) { ++ logit("gss_krb5_copy_ccache() failed. 
Sorry!"); ++ krb5_cc_close(krb_context, ccache); ++ return 0; ++ } ++ ++ return 1; ++} ++ + ssh_gssapi_mech gssapi_kerberos_mech = { + "toWM5Slw5Ew8Mqkay+al2g==", + "Kerberos", +@@ -197,7 +276,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = { + NULL, + &ssh_gssapi_krb5_userok, + NULL, +- &ssh_gssapi_krb5_storecreds ++ &ssh_gssapi_krb5_storecreds, ++ &ssh_gssapi_krb5_updatecreds + }; + + #endif /* KRB5 */ +diff -up openssh-6.3p1/gss-serv.c.gsskex openssh-6.3p1/gss-serv.c +--- openssh-6.3p1/gss-serv.c.gsskex 2013-07-20 05:35:45.000000000 +0200 ++++ openssh-6.3p1/gss-serv.c 2013-10-11 15:27:32.889763132 +0200 @@ -45,15 +45,20 @@ #include "channels.h" #include "session.h" @@ -783,7 +918,7 @@ diff -up openssh-6.2p1/gss-serv.c.gsskex openssh-6.2p1/gss-serv.c static ssh_gssapi_client gssapi_client = { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, -- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}}; +- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}}; + GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL, {NULL, NULL, NULL}, 0, 0}; ssh_gssapi_mech gssapi_null_mech = 
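Review bot: ssh_gssapi_krb5_updatecreds never closes `ccache` on its success path: every failure branch calls `krb5_cc_close(krb_context, ccache);`, but once `gss_krb5_copy_ccache()` succeeds the function returns 1 with the handle still open, leaking one ccache handle per successful credential update. Adding `krb5_cc_close(krb_context, ccache);` immediately before `return 1;` makes the success path consistent with the error paths. This function appears to be carried over from the 6.2 patch unchanged, so the leak predates this rebase. Separately, the gss-serv.c initializer still gives three values for the `store` member (`{NULL, NULL, NULL}`) while the upstream 6.3 context line now lists four; C zero-fills the missing member, but mirroring the upstream count avoids a missing-field-initializer warning.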
@@ -1107,142 +1242,9 @@ diff -up openssh-6.2p1/gss-serv.c.gsskex openssh-6.2p1/gss-serv.c } #endif -diff -up openssh-6.2p1/gss-serv-krb5.c.gsskex openssh-6.2p1/gss-serv-krb5.c ---- openssh-6.2p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200 -+++ openssh-6.2p1/gss-serv-krb5.c 2013-03-27 13:19:11.143624259 +0100 -@@ -1,7 +1,7 @@ - /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ - - /* -- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. -+ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions -@@ -119,7 +119,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl - krb5_error_code problem; - krb5_principal princ; - OM_uint32 maj_status, min_status; -- int len; -+ const char *new_ccname, *new_cctype; - - if (client->creds == NULL) { - debug("No credentials stored"); -@@ -168,11 +168,25 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl - return; - } - -- client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache)); -+ new_cctype = krb5_cc_get_type(krb_context, ccache); -+ new_ccname = krb5_cc_get_name(krb_context, ccache); -+ - client->store.envvar = "KRB5CCNAME"; -- len = strlen(client->store.filename) + 6; -- client->store.envval = xmalloc(len); -- snprintf(client->store.envval, len, "FILE:%s", client->store.filename); -+#ifdef USE_CCAPI -+ xasprintf(&client->store.envval, "API:%s", new_ccname); -+ client->store.filename = NULL; -+#else -+ if (new_ccname[0] == ':') -+ new_ccname++; -+ xasprintf(&client->store.envval, "%s:%s", new_cctype, new_ccname); -+ if (strcmp(new_cctype, "DIR") == 0) { -+ char *p; -+ p = strrchr(client->store.envval, '/'); -+ if (p) -+ *p = '\0'; -+ } -+ client->store.filename = xstrdup(new_ccname); -+#endif - - #ifdef USE_PAM - if (options.use_pam) -@@ -184,6 +198,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl - return; - } - -+int 
-+ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store, -+ ssh_gssapi_client *client) -+{ -+ krb5_ccache ccache = NULL; -+ krb5_principal principal = NULL; -+ char *name = NULL; -+ krb5_error_code problem; -+ OM_uint32 maj_status, min_status; -+ -+ if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) { -+ logit("krb5_cc_resolve(): %.100s", -+ krb5_get_err_text(krb_context, problem)); -+ return 0; -+ } -+ -+ /* Find out who the principal in this cache is */ -+ if ((problem = krb5_cc_get_principal(krb_context, ccache, -+ &principal))) { -+ logit("krb5_cc_get_principal(): %.100s", -+ krb5_get_err_text(krb_context, problem)); -+ krb5_cc_close(krb_context, ccache); -+ return 0; -+ } -+ -+ if ((problem = krb5_unparse_name(krb_context, principal, &name))) { -+ logit("krb5_unparse_name(): %.100s", -+ krb5_get_err_text(krb_context, problem)); -+ krb5_free_principal(krb_context, principal); -+ krb5_cc_close(krb_context, ccache); -+ return 0; -+ } -+ -+ -+ if (strcmp(name,client->exportedname.value)!=0) { -+ debug("Name in local credentials cache differs. Not storing"); -+ krb5_free_principal(krb_context, principal); -+ krb5_cc_close(krb_context, ccache); -+ krb5_free_unparsed_name(krb_context, name); -+ return 0; -+ } -+ krb5_free_unparsed_name(krb_context, name); -+ -+ /* Name matches, so lets get on with it! */ -+ -+ if ((problem = krb5_cc_initialize(krb_context, ccache, principal))) { -+ logit("krb5_cc_initialize(): %.100s", -+ krb5_get_err_text(krb_context, problem)); -+ krb5_free_principal(krb_context, principal); -+ krb5_cc_close(krb_context, ccache); -+ return 0; -+ } -+ -+ krb5_free_principal(krb_context, principal); -+ -+ if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds, -+ ccache))) { -+ logit("gss_krb5_copy_ccache() failed. 
Sorry!"); -+ krb5_cc_close(krb_context, ccache); -+ return 0; -+ } -+ -+ return 1; -+} -+ - ssh_gssapi_mech gssapi_kerberos_mech = { - "toWM5Slw5Ew8Mqkay+al2g==", - "Kerberos", -@@ -191,7 +270,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = { - NULL, - &ssh_gssapi_krb5_userok, - NULL, -- &ssh_gssapi_krb5_storecreds -+ &ssh_gssapi_krb5_storecreds, -+ &ssh_gssapi_krb5_updatecreds - }; - - #endif /* KRB5 */ -diff -up openssh-6.2p1/kex.c.gsskex openssh-6.2p1/kex.c ---- openssh-6.2p1/kex.c.gsskex 2013-03-27 13:19:11.039624686 +0100 -+++ openssh-6.2p1/kex.c 2013-03-27 13:19:11.143624259 +0100 +diff -up openssh-6.3p1/kex.c.gsskex openssh-6.3p1/kex.c +--- openssh-6.3p1/kex.c.gsskex 2013-10-11 15:15:17.197216581 +0200 ++++ openssh-6.3p1/kex.c 2013-10-11 15:47:41.629242975 +0200 @@ -51,6 +51,10 @@ #include "roaming.h" #include "audit.h" 
@@ -1254,30 +1256,57 @@ diff -up openssh-6.2p1/kex.c.gsskex openssh-6.2p1/kex.c #if OPENSSL_VERSION_NUMBER >= 0x00907000L # if defined(HAVE_EVP_SHA256) # define evp_ssh_sha256 EVP_sha256 -@@ -382,6 +386,20 @@ choose_kex(Kex *k, char *client, char *s - k->kex_type = KEX_ECDH_SHA2; - k->evp_md = kex_ecdh_name_to_evpmd(k->name); +@@ -81,6 +85,9 @@ static const struct kexalg kexalgs[] = { + { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, EVP_sha384 }, + { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, EVP_sha512 }, #endif ++ { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, EVP_sha1 }, ++ { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, EVP_sha1 }, ++ { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, EVP_sha1 }, + { NULL, -1, -1, NULL}, + }; + +diff -up openssh-6.3p1/kex.h.gsskex openssh-6.3p1/kex.h +--- openssh-6.3p1/kex.h.gsskex 2013-10-11 15:15:17.197216581 +0200 ++++ openssh-6.3p1/kex.h 2013-10-11 15:43:21.757429309 +0200 +@@ -74,6 +74,9 @@ enum kex_exchange { + KEX_DH_GEX_SHA1, + KEX_DH_GEX_SHA256, + KEX_ECDH_SHA2, ++ KEX_GSS_GRP1_SHA1, ++ KEX_GSS_GRP14_SHA1, ++ KEX_GSS_GEX_SHA1, + KEX_MAX + }; + +@@ -133,6 +136,12 @@ struct Kex { + int flags; + const EVP_MD *evp_md; + int ec_nid; +#ifdef GSSAPI -+ } else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID, -+ sizeof(KEX_GSS_GEX_SHA1_ID) - 1) == 0) { -+ k->kex_type = KEX_GSS_GEX_SHA1; -+ k->evp_md = EVP_sha1(); -+ } else if (strncmp(k->name, KEX_GSS_GRP1_SHA1_ID, -+ sizeof(KEX_GSS_GRP1_SHA1_ID) - 1) == 0) { -+ k->kex_type = KEX_GSS_GRP1_SHA1; -+ k->evp_md = EVP_sha1(); -+ } else if (strncmp(k->name, KEX_GSS_GRP14_SHA1_ID, -+ sizeof(KEX_GSS_GRP14_SHA1_ID) - 1) == 0) { -+ k->kex_type = KEX_GSS_GRP14_SHA1; -+ k->evp_md = EVP_sha1(); ++ int gss_deleg_creds; ++ int gss_trust_dns; ++ char *gss_host; ++ char *gss_client; +#endif - } else - fatal("bad kex alg %s", k->name); - } -diff -up openssh-6.2p1/kexgssc.c.gsskex openssh-6.2p1/kexgssc.c ---- openssh-6.2p1/kexgssc.c.gsskex 2013-03-27 13:19:11.143624259 +0100 -+++ 
openssh-6.2p1/kexgssc.c 2013-03-27 13:19:11.143624259 +0100 + char *client_version_string; + char *server_version_string; + int (*verify_host_key)(Key *); +@@ -162,6 +171,11 @@ void kexgex_server(Kex *); + void kexecdh_client(Kex *); + void kexecdh_server(Kex *); + ++#ifdef GSSAPI ++void kexgss_client(Kex *); ++void kexgss_server(Kex *); ++#endif ++ + void newkeys_destroy(Newkeys *newkeys); + + void +diff -up openssh-6.3p1/kexgssc.c.gsskex openssh-6.3p1/kexgssc.c +--- openssh-6.3p1/kexgssc.c.gsskex 2013-10-11 15:15:17.287216162 +0200 ++++ openssh-6.3p1/kexgssc.c 2013-10-11 15:15:17.287216162 +0200 @@ -0,0 +1,334 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. @@ -1425,7 +1454,7 @@ diff -up openssh-6.2p1/kexgssc.c.gsskex openssh-6.2p1/kexgssc.c + + /* If we've got an old receive buffer get rid of it */ + if (token_ptr != GSS_C_NO_BUFFER) -+ xfree(recv_tok.value); ++ free(recv_tok.value); + + if (maj_status == GSS_S_COMPLETE) { + /* If mutual state flag is not true, kex fails */ @@ -1542,7 +1571,7 @@ diff -up openssh-6.2p1/kexgssc.c.gsskex openssh-6.2p1/kexgssc.c + fatal("kexdh_client: BN_bin2bn failed"); + + memset(kbuf, 0, klen); -+ xfree(kbuf); ++ free(kbuf); + + switch (kex->kex_type) { + case KEX_GSS_GRP1_SHA1: @@ -1585,11 +1614,11 @@ diff -up openssh-6.2p1/kexgssc.c.gsskex openssh-6.2p1/kexgssc.c + if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok))) + packet_disconnect("Hash's MIC didn't verify"); + -+ xfree(msg_tok.value); ++ free(msg_tok.value); + + DH_free(dh); + if (serverhostkey) -+ xfree(serverhostkey); ++ free(serverhostkey); + BN_clear_free(dh_server_pub); + + /* save session id */ 
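Review bot: The GSS key-exchange names are added to the static `kexalgs[]` table as `KEX_GSS_GEX_SHA1_ID`, `KEX_GSS_GRP1_SHA1_ID` and `KEX_GSS_GRP14_SHA1_ID`, but the removed 6.2 code matched them with `strncmp(k->name, KEX_GSS_..._ID, sizeof(KEX_GSS_..._ID) - 1)`, i.e. as prefixes, because the negotiated name carries a mechanism-specific suffix after the ID. Nothing in this hunk adapts the table lookup, so if the 6.3 lookup compares entries with an exact string comparison (the lookup function is outside the hunk), a negotiated gss-* name will not resolve to any entry and GSSAPI key exchange will be refused. The lookup should fall back to a prefix comparison for the GSS entries, or these names should be resolved before consulting the table as the old choose_kex did. A short comment on the three table rows, such as `/* matched by prefix: the negotiated name appends the mechanism OID */`, would document the difference from the other rows.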
@@ -1613,9 +1642,9 @@ diff -up openssh-6.2p1/kexgssc.c.gsskex openssh-6.2p1/kexgssc.c +} + +#endif /* GSSAPI */ -diff -up openssh-6.2p1/kexgsss.c.gsskex openssh-6.2p1/kexgsss.c ---- openssh-6.2p1/kexgsss.c.gsskex 2013-03-27 13:19:11.144624254 +0100 -+++ openssh-6.2p1/kexgsss.c 2013-03-27 13:19:11.144624254 +0100 +diff -up openssh-6.3p1/kexgsss.c.gsskex openssh-6.3p1/kexgsss.c +--- openssh-6.3p1/kexgsss.c.gsskex 2013-10-11 15:15:17.287216162 +0200 ++++ openssh-6.3p1/kexgsss.c 2013-10-11 15:15:17.287216162 +0200 @@ -0,0 +1,288 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. @@ -1699,7 +1728,7 @@ diff -up openssh-6.2p1/kexgsss.c.gsskex openssh-6.2p1/kexgsss.c + */ + if (!ssh_gssapi_oid_table_ok()) + if ((mechs = ssh_gssapi_server_mechanisms())) -+ xfree(mechs); ++ free(mechs); + + debug2("%s: Identifying %s", __func__, kex->name); + oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type); @@ -1777,7 +1806,7 @@ diff -up openssh-6.2p1/kexgsss.c.gsskex openssh-6.2p1/kexgsss.c + maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok, + &send_tok, &ret_flags)); + -+ xfree(recv_tok.value); ++ free(recv_tok.value); + + if (maj_status != GSS_S_COMPLETE && send_tok.length == 0) + fatal("Zero length token output when incomplete"); @@ -1826,7 +1855,7 @@ diff -up openssh-6.2p1/kexgsss.c.gsskex openssh-6.2p1/kexgsss.c + fatal("kexgss_server: BN_bin2bn failed"); + + memset(kbuf, 0, klen); -+ xfree(kbuf); ++ free(kbuf); + + switch (kex->kex_type) { + case KEX_GSS_GRP1_SHA1: 
@@ -1905,68 +1934,20 @@ diff -up openssh-6.2p1/kexgsss.c.gsskex openssh-6.2p1/kexgsss.c + ssh_gssapi_rekey_creds(); +} +#endif /* GSSAPI */ -diff -up openssh-6.2p1/kex.h.gsskex openssh-6.2p1/kex.h ---- openssh-6.2p1/kex.h.gsskex 2013-03-27 13:19:11.039624686 +0100 -+++ openssh-6.2p1/kex.h 2013-03-27 13:19:11.144624254 +0100 -@@ -73,6 +73,9 @@ enum kex_exchange { - KEX_DH_GEX_SHA1, - KEX_DH_GEX_SHA256, - KEX_ECDH_SHA2, -+ KEX_GSS_GRP1_SHA1, -+ KEX_GSS_GRP14_SHA1, -+ KEX_GSS_GEX_SHA1, - KEX_MAX +diff -up openssh-6.3p1/key.c.gsskex openssh-6.3p1/key.c +--- openssh-6.3p1/key.c.gsskex 2013-10-11 15:15:17.288216158 +0200 ++++ openssh-6.3p1/key.c 2013-10-11 15:41:44.982868222 +0200 +@@ -968,6 +968,7 @@ static const struct keytype keytypes[] = + KEY_RSA_CERT_V00, 0, 1 }, + { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", + KEY_DSA_CERT_V00, 0, 1 }, ++ { "null", "null", KEY_NULL, 0, 0 }, + { NULL, NULL, -1, -1, 0 } }; -@@ -131,6 +134,12 @@ struct Kex { - sig_atomic_t done; - int flags; - const EVP_MD *evp_md; -+#ifdef GSSAPI -+ int gss_deleg_creds; -+ int gss_trust_dns; -+ char *gss_host; -+ char *gss_client; -+#endif - char *client_version_string; - char *server_version_string; - int (*verify_host_key)(Key *); -@@ -158,6 +167,11 @@ void kexgex_server(Kex *); - void kexecdh_client(Kex *); - void kexecdh_server(Kex *); - -+#ifdef GSSAPI -+void kexgss_client(Kex *); -+void kexgss_server(Kex *); -+#endif -+ - void newkeys_destroy(Newkeys *newkeys); - - void -diff -up openssh-6.2p1/key.c.gsskex openssh-6.2p1/key.c ---- openssh-6.2p1/key.c.gsskex 2013-03-27 13:19:11.102624427 +0100 -+++ openssh-6.2p1/key.c 2013-03-27 13:19:11.144624254 +0100 -@@ -1011,6 +1011,8 @@ key_ssh_name_from_type_nid(int type, int - } - break; - #endif /* OPENSSL_HAS_ECC */ -+ case KEY_NULL: -+ return "null"; - } - return "ssh-unknown"; - } -@@ -1316,6 +1318,8 @@ key_type_from_name(char *name) - strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) { - return KEY_ECDSA_CERT; - #endif -+ } else 
if (strcmp(name, "null") == 0) { -+ return KEY_NULL; - } - - debug2("key_type_from_name: unknown key type '%s'", name); -diff -up openssh-6.2p1/key.h.gsskex openssh-6.2p1/key.h ---- openssh-6.2p1/key.h.gsskex 2013-03-27 13:19:11.046624657 +0100 -+++ openssh-6.2p1/key.h 2013-03-27 13:19:11.145624250 +0100 +diff -up openssh-6.3p1/key.h.gsskex openssh-6.3p1/key.h +--- openssh-6.3p1/key.h.gsskex 2013-10-11 15:15:17.198216576 +0200 ++++ openssh-6.3p1/key.h 2013-10-11 15:15:17.289216153 +0200 @@ -44,6 +44,7 @@ enum types { KEY_ECDSA_CERT, KEY_RSA_CERT_V00, 
@@ -1975,30 +1956,10 @@ diff -up openssh-6.2p1/key.h.gsskex openssh-6.2p1/key.h KEY_UNSPEC }; enum fp_type { -diff -up openssh-6.2p1/Makefile.in.gsskex openssh-6.2p1/Makefile.in ---- openssh-6.2p1/Makefile.in.gsskex 2013-03-27 13:19:11.138624279 +0100 -+++ openssh-6.2p1/Makefile.in 2013-03-27 13:19:11.145624250 +0100 -@@ -77,6 +77,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o - atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ - monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ - kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ -+ kexgssc.o \ - msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ - jpake.o schnorr.o ssh-pkcs11.o krl.o auditstub.o - -@@ -93,7 +94,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw - auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ - monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ - auth-krb5.o \ -- auth2-gss.o gss-serv.o gss-serv-krb5.o \ -+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\ - loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ - sftp-server.o sftp-common.o \ - roaming_common.o roaming_serv.o \ -diff -up openssh-6.2p1/monitor.c.gsskex openssh-6.2p1/monitor.c ---- openssh-6.2p1/monitor.c.gsskex 2013-03-27 13:19:11.063624587 +0100 -+++ openssh-6.2p1/monitor.c 2013-03-27 13:19:11.145624250 +0100 -@@ -186,6 +186,8 @@ int mm_answer_gss_setup_ctx(int, Buffer +diff -up openssh-6.3p1/monitor.c.gsskex openssh-6.3p1/monitor.c +--- openssh-6.3p1/monitor.c.gsskex 2013-10-11 15:15:17.214216502 +0200 ++++ openssh-6.3p1/monitor.c 2013-10-11 15:15:17.290216148 +0200 +@@ -187,6 +187,8 @@ int mm_answer_gss_setup_ctx(int, Buffer int mm_answer_gss_accept_ctx(int, Buffer *); int mm_answer_gss_userok(int, Buffer *); int mm_answer_gss_checkmic(int, Buffer *); 
@@ -2007,7 +1968,7 @@ diff -up openssh-6.2p1/monitor.c.gsskex openssh-6.2p1/monitor.c #endif #ifdef SSH_AUDIT_EVENTS -@@ -270,6 +272,7 @@ struct mon_table mon_dispatch_proto20[] +@@ -271,6 +273,7 @@ struct mon_table mon_dispatch_proto20[] {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, @@ -2015,7 +1976,7 @@ diff -up openssh-6.2p1/monitor.c.gsskex openssh-6.2p1/monitor.c #endif #ifdef JPAKE {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata}, -@@ -282,6 +285,12 @@ struct mon_table mon_dispatch_proto20[] +@@ -283,6 +286,12 @@ struct mon_table mon_dispatch_proto20[] }; struct mon_table mon_dispatch_postauth20[] = { @@ -2028,7 +1989,7 @@ diff -up openssh-6.2p1/monitor.c.gsskex openssh-6.2p1/monitor.c {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, {MONITOR_REQ_SIGN, 0, mm_answer_sign}, {MONITOR_REQ_PTY, 0, mm_answer_pty}, -@@ -404,6 +413,10 @@ monitor_child_preauth(Authctxt *_authctx +@@ -405,6 +414,10 @@ monitor_child_preauth(Authctxt *_authctx /* Permit requests for moduli and signatures */ monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); @@ -2050,7 +2011,7 @@ diff -up openssh-6.2p1/monitor.c.gsskex openssh-6.2p1/monitor.c } else { mon_dispatch = mon_dispatch_postauth15; monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); -@@ -1950,6 +1967,13 @@ mm_get_kex(Buffer *m) +@@ -1968,6 +1985,13 @@ mm_get_kex(Buffer *m) kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; kex->kex[KEX_ECDH_SHA2] = kexecdh_server; @@ -2064,7 +2025,7 @@ diff -up openssh-6.2p1/monitor.c.gsskex openssh-6.2p1/monitor.c kex->server = 1; kex->hostkey_type = buffer_get_int(m); kex->kex_type = buffer_get_int(m); -@@ -2173,6 +2197,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer +@@ -2192,6 +2216,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer OM_uint32 major; u_int len; 
@@ -2074,7 +2035,7 @@ diff -up openssh-6.2p1/monitor.c.gsskex openssh-6.2p1/monitor.c goid.elements = buffer_get_string(m, &len); goid.length = len; -@@ -2200,6 +2227,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe +@@ -2219,6 +2246,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe OM_uint32 flags = 0; /* GSI needs this */ u_int len; @@ -2084,7 +2045,7 @@ diff -up openssh-6.2p1/monitor.c.gsskex openssh-6.2p1/monitor.c in.value = buffer_get_string(m, &len); in.length = len; major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); -@@ -2217,6 +2247,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe +@@ -2236,6 +2266,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); @@ -2092,7 +2053,7 @@ diff -up openssh-6.2p1/monitor.c.gsskex openssh-6.2p1/monitor.c } return (0); } -@@ -2228,6 +2259,9 @@ mm_answer_gss_checkmic(int sock, Buffer +@@ -2247,6 +2278,9 @@ mm_answer_gss_checkmic(int sock, Buffer OM_uint32 ret; u_int len; @@ -2102,7 +2063,7 @@ diff -up openssh-6.2p1/monitor.c.gsskex openssh-6.2p1/monitor.c gssbuf.value = buffer_get_string(m, &len); gssbuf.length = len; mic.value = buffer_get_string(m, &len); -@@ -2254,7 +2288,11 @@ mm_answer_gss_userok(int sock, Buffer *m +@@ -2273,7 +2307,11 @@ mm_answer_gss_userok(int sock, Buffer *m { int authenticated; @@ -2115,7 +2076,7 @@ diff -up openssh-6.2p1/monitor.c.gsskex openssh-6.2p1/monitor.c buffer_clear(m); buffer_put_int(m, authenticated); -@@ -2267,6 +2305,74 @@ mm_answer_gss_userok(int sock, Buffer *m +@@ -2286,6 +2324,74 @@ mm_answer_gss_userok(int sock, Buffer *m /* Monitor loop will terminate if authenticated */ return (authenticated); } 
@@ -2145,7 +2106,7 @@ diff -up openssh-6.2p1/monitor.c.gsskex openssh-6.2p1/monitor.c + } + major = ssh_gssapi_sign(gsscontext, &data, &hash); + -+ xfree(data.value); ++ free(data.value); + + buffer_clear(m); + buffer_put_int(m, major); @@ -2175,9 +2136,9 @@ diff -up openssh-6.2p1/monitor.c.gsskex openssh-6.2p1/monitor.c + + ok = ssh_gssapi_update_creds(&store); + -+ xfree(store.filename); -+ xfree(store.envvar); -+ xfree(store.envval); ++ free(store.filename); ++ free(store.envvar); ++ free(store.envval); + + buffer_clear(m); + buffer_put_int(m, ok); @@ -2190,9 +2151,9 @@ diff -up openssh-6.2p1/monitor.c.gsskex openssh-6.2p1/monitor.c #endif /* GSSAPI */ #ifdef JPAKE -diff -up openssh-6.2p1/monitor.h.gsskex openssh-6.2p1/monitor.h ---- openssh-6.2p1/monitor.h.gsskex 2013-03-27 13:19:11.063624587 +0100 -+++ openssh-6.2p1/monitor.h 2013-03-27 13:19:11.146624246 +0100 +diff -up openssh-6.3p1/monitor.h.gsskex openssh-6.3p1/monitor.h +--- openssh-6.3p1/monitor.h.gsskex 2013-10-11 15:15:17.215216497 +0200 ++++ openssh-6.3p1/monitor.h 2013-10-11 15:15:17.290216148 +0200 @@ -64,6 +64,8 @@ enum monitor_reqtype { #ifdef WITH_SELINUX MONITOR_REQ_AUTHROLE = 80, @@ -2202,10 +2163,10 @@ diff -up openssh-6.2p1/monitor.h.gsskex openssh-6.2p1/monitor.h MONITOR_REQ_PAM_START = 100, MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103, -diff -up openssh-6.2p1/monitor_wrap.c.gsskex openssh-6.2p1/monitor_wrap.c ---- openssh-6.2p1/monitor_wrap.c.gsskex 2013-03-27 13:19:11.064624583 +0100 -+++ openssh-6.2p1/monitor_wrap.c 2013-03-27 13:19:11.146624246 +0100 -@@ -1327,7 +1327,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss +diff -up openssh-6.3p1/monitor_wrap.c.gsskex openssh-6.3p1/monitor_wrap.c +--- openssh-6.3p1/monitor_wrap.c.gsskex 2013-10-11 15:15:17.215216497 +0200 ++++ openssh-6.3p1/monitor_wrap.c 2013-10-11 15:15:17.290216148 +0200 +@@ -1329,7 +1329,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss } int 
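Review bot: In the credential-update reply, `ssh_gssapi_update_creds(&store)` is invoked by the privileged monitor on `store.filename`, `store.envvar` and `store.envval` that the monitor owns and frees right after the call, which suggests they were parsed from the unprivileged post-auth child's request earlier in the function (outside this hunk); the only change here is xfree→free and nothing visible constrains the filename the monitor will act on. If ssh_gssapi_update_creds does not itself pin the target to the credential cache the monitor created for this session, a compromised child could point it at an arbitrary path with root privileges, so that check is worth confirming in the mechanism-specific backend. Note also that free() silently accepts NULL where xfree() used to fatal, so a missing string is no longer caught here; if these fields are mandatory, a guard such as `if (store.filename == NULL) fatal("%s: missing credential store filename", __func__);` after parsing would restore that. The enclosing function (presumably the MONITOR_REQ_GSSUPCREDS handler) begins and ends outside the hunk.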
@@ -2214,7 +2175,7 @@ diff -up openssh-6.2p1/monitor_wrap.c.gsskex openssh-6.2p1/monitor_wrap.c { Buffer m; int authenticated = 0; -@@ -1344,6 +1344,51 @@ mm_ssh_gssapi_userok(char *user) +@@ -1346,6 +1346,51 @@ mm_ssh_gssapi_userok(char *user) debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); return (authenticated); } @@ -2266,9 +2227,9 @@ diff -up openssh-6.2p1/monitor_wrap.c.gsskex openssh-6.2p1/monitor_wrap.c #endif /* GSSAPI */ #ifdef JPAKE -diff -up openssh-6.2p1/monitor_wrap.h.gsskex openssh-6.2p1/monitor_wrap.h ---- openssh-6.2p1/monitor_wrap.h.gsskex 2013-03-27 13:19:11.064624583 +0100 -+++ openssh-6.2p1/monitor_wrap.h 2013-03-27 13:19:11.146624246 +0100 +diff -up openssh-6.3p1/monitor_wrap.h.gsskex openssh-6.3p1/monitor_wrap.h +--- openssh-6.3p1/monitor_wrap.h.gsskex 2013-10-11 15:15:17.215216497 +0200 ++++ openssh-6.3p1/monitor_wrap.h 2013-10-11 15:15:17.290216148 +0200 @@ -62,8 +62,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, @@ -2281,10 +2242,10 @@ diff -up openssh-6.2p1/monitor_wrap.h.gsskex openssh-6.2p1/monitor_wrap.h #endif #ifdef USE_PAM -diff -up openssh-6.2p1/readconf.c.gsskex openssh-6.2p1/readconf.c ---- openssh-6.2p1/readconf.c.gsskex 2011-10-02 09:59:03.000000000 +0200 -+++ openssh-6.2p1/readconf.c 2013-03-27 13:19:11.147624242 +0100 -@@ -129,6 +129,8 @@ typedef enum { +diff -up openssh-6.3p1/readconf.c.gsskex openssh-6.3p1/readconf.c +--- openssh-6.3p1/readconf.c.gsskex 2013-07-18 08:09:05.000000000 +0200 ++++ openssh-6.3p1/readconf.c 2013-10-11 15:15:17.291216143 +0200 +@@ -132,6 +132,8 @@ typedef enum { oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oAddressFamily, oGssAuthentication, oGssDelegateCreds, 
@@ -2293,7 +2254,7 @@ diff -up openssh-6.2p1/readconf.c.gsskex openssh-6.2p1/readconf.c oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oSendEnv, oControlPath, oControlMaster, oControlPersist, oHashKnownHosts, -@@ -169,10 +171,19 @@ static struct { +@@ -172,10 +174,19 @@ static struct { { "afstokenpassing", oUnsupported }, #if defined(GSSAPI) { "gssapiauthentication", oGssAuthentication }, @@ -2313,7 +2274,7 @@ diff -up openssh-6.2p1/readconf.c.gsskex openssh-6.2p1/readconf.c #endif { "fallbacktorsh", oDeprecated }, { "usersh", oDeprecated }, -@@ -503,10 +514,30 @@ parse_flag: +@@ -516,10 +527,30 @@ parse_flag: intptr = &options->gss_authentication; goto parse_flag; @@ -2344,7 +2305,7 @@ diff -up openssh-6.2p1/readconf.c.gsskex openssh-6.2p1/readconf.c case oBatchMode: intptr = &options->batch_mode; goto parse_flag; -@@ -1158,7 +1189,12 @@ initialize_options(Options * options) +@@ -1168,7 +1199,12 @@ initialize_options(Options * options) options->pubkey_authentication = -1; options->challenge_response_authentication = -1; options->gss_authentication = -1; @@ -2357,7 +2318,7 @@ diff -up openssh-6.2p1/readconf.c.gsskex openssh-6.2p1/readconf.c options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; -@@ -1258,8 +1294,14 @@ fill_default_options(Options * options) +@@ -1268,8 +1304,14 @@ fill_default_options(Options * options) options->challenge_response_authentication = 1; if (options->gss_authentication == -1) options->gss_authentication = 0; 
@@ -2372,9 +2333,9 @@ diff -up openssh-6.2p1/readconf.c.gsskex openssh-6.2p1/readconf.c if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -diff -up openssh-6.2p1/readconf.h.gsskex openssh-6.2p1/readconf.h ---- openssh-6.2p1/readconf.h.gsskex 2011-10-02 09:59:03.000000000 +0200 -+++ openssh-6.2p1/readconf.h 2013-03-27 13:19:11.147624242 +0100 +diff -up openssh-6.3p1/readconf.h.gsskex openssh-6.3p1/readconf.h +--- openssh-6.3p1/readconf.h.gsskex 2013-05-16 12:30:03.000000000 +0200 ++++ openssh-6.3p1/readconf.h 2013-10-11 15:15:17.291216143 +0200 @@ -48,7 +48,12 @@ typedef struct { int challenge_response_authentication; /* Try S/Key or TIS, authentication. */ @@ -2388,10 +2349,10 @@ diff -up openssh-6.2p1/readconf.h.gsskex openssh-6.2p1/readconf.h int password_authentication; /* Try password * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ -diff -up openssh-6.2p1/servconf.c.gsskex openssh-6.2p1/servconf.c ---- openssh-6.2p1/servconf.c.gsskex 2013-03-27 13:19:11.128624320 +0100 -+++ openssh-6.2p1/servconf.c 2013-03-27 13:19:11.147624242 +0100 -@@ -102,7 +102,10 @@ initialize_server_options(ServerOptions +diff -up openssh-6.3p1/servconf.c.gsskex openssh-6.3p1/servconf.c +--- openssh-6.3p1/servconf.c.gsskex 2013-10-11 15:15:17.273216227 +0200 ++++ openssh-6.3p1/servconf.c 2013-10-11 15:15:17.292216139 +0200 +@@ -107,7 +107,10 @@ initialize_server_options(ServerOptions options->kerberos_ticket_cleanup = -1; options->kerberos_get_afs_token = -1; options->gss_authentication=-1; 
@@ -2402,7 +2363,7 @@ diff -up openssh-6.2p1/servconf.c.gsskex openssh-6.2p1/servconf.c options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; -@@ -234,8 +237,14 @@ fill_default_server_options(ServerOption +@@ -241,8 +244,14 @@ fill_default_server_options(ServerOption options->kerberos_get_afs_token = 0; if (options->gss_authentication == -1) options->gss_authentication = 0; @@ -2417,7 +2378,7 @@ diff -up openssh-6.2p1/servconf.c.gsskex openssh-6.2p1/servconf.c if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -@@ -331,7 +340,9 @@ typedef enum { +@@ -342,7 +351,9 @@ typedef enum { sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, @@ -2428,7 +2389,7 @@ diff -up openssh-6.2p1/servconf.c.gsskex openssh-6.2p1/servconf.c sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, sZeroKnowledgePasswordAuthentication, sHostCertificate, -@@ -397,10 +408,20 @@ static struct { +@@ -409,10 +420,20 @@ static struct { #ifdef GSSAPI { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, @@ -2449,7 +2410,7 @@ diff -up openssh-6.2p1/servconf.c.gsskex openssh-6.2p1/servconf.c { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, -@@ -1054,10 +1075,22 @@ process_server_config_line(ServerOptions +@@ -1078,10 +1099,22 @@ process_server_config_line(ServerOptions intptr = &options->gss_authentication; goto parse_flag; 
@@ -2472,7 +2433,7 @@ diff -up openssh-6.2p1/servconf.c.gsskex openssh-6.2p1/servconf.c case sPasswordAuthentication: intptr = &options->password_authentication; goto parse_flag; -@@ -1938,6 +1971,9 @@ dump_config(ServerOptions *o) +@@ -1994,6 +2027,9 @@ dump_config(ServerOptions *o) #ifdef GSSAPI dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); @@ -2482,10 +2443,10 @@ diff -up openssh-6.2p1/servconf.c.gsskex openssh-6.2p1/servconf.c #endif #ifdef JPAKE dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication, -diff -up openssh-6.2p1/servconf.h.gsskex openssh-6.2p1/servconf.h ---- openssh-6.2p1/servconf.h.gsskex 2013-03-27 13:19:11.128624320 +0100 -+++ openssh-6.2p1/servconf.h 2013-03-27 13:19:11.147624242 +0100 -@@ -110,7 +110,10 @@ typedef struct { +diff -up openssh-6.3p1/servconf.h.gsskex openssh-6.3p1/servconf.h +--- openssh-6.3p1/servconf.h.gsskex 2013-10-11 15:15:17.273216227 +0200 ++++ openssh-6.3p1/servconf.h 2013-10-11 15:15:17.292216139 +0200 +@@ -111,7 +111,10 @@ typedef struct { int kerberos_get_afs_token; /* If true, try to get AFS token if * authenticated with Kerberos. */ int gss_authentication; /* If true, permit GSSAPI authentication */ 
@@ -2496,478 +2457,9 @@ diff -up openssh-6.2p1/servconf.h.gsskex openssh-6.2p1/servconf.h int password_authentication; /* If true, permit password * authentication. */ int kbd_interactive_authentication; /* If true, permit */ -diff -up openssh-6.2p1/ssh_config.5.gsskex openssh-6.2p1/ssh_config.5 ---- openssh-6.2p1/ssh_config.5.gsskex 2013-01-09 06:12:19.000000000 +0100 -+++ openssh-6.2p1/ssh_config.5 2013-03-27 13:19:11.148624238 +0100 -@@ -530,11 +530,43 @@ Specifies whether user authentication ba - The default is - .Dq no . - Note that this option applies to protocol version 2 only. -+.It Cm GSSAPIKeyExchange -+Specifies whether key exchange based on GSSAPI may be used. When using -+GSSAPI key exchange the server need not have a host key. -+The default is -+.Dq no . -+Note that this option applies to protocol version 2 only. -+.It Cm GSSAPIClientIdentity -+If set, specifies the GSSAPI client identity that ssh should use when -+connecting to the server. The default is unset, which means that the default -+identity will be used. -+.It Cm GSSAPIServerIdentity -+If set, specifies the GSSAPI server identity that ssh should expect when -+connecting to the server. The default is unset, which means that the -+expected GSSAPI server identity will be determined from the target -+hostname. - .It Cm GSSAPIDelegateCredentials - Forward (delegate) credentials to the server. - The default is - .Dq no . --Note that this option applies to protocol version 2 only. -+Note that this option applies to protocol version 2 connections using GSSAPI. -+.It Cm GSSAPIRenewalForcesRekey -+If set to -+.Dq yes -+then renewal of the client's GSSAPI credentials will force the rekeying of the -+ssh connection. With a compatible server, this can delegate the renewed -+credentials to a session on the server. -+The default is -+.Dq no . -+.It Cm GSSAPITrustDns -+Set to -+.Dq yes to indicate that the DNS is trusted to securely canonicalize -+the name of the host being connected to. 
If -+.Dq no, the hostname entered on the -+command line will be passed untouched to the GSSAPI library. -+The default is -+.Dq no . -+This option only applies to protocol version 2 connections using GSSAPI. - .It Cm HashKnownHosts - Indicates that - .Xr ssh 1 -diff -up openssh-6.2p1/ssh_config.gsskex openssh-6.2p1/ssh_config ---- openssh-6.2p1/ssh_config.gsskex 2013-03-27 13:19:11.120624353 +0100 -+++ openssh-6.2p1/ssh_config 2013-03-27 13:19:11.148624238 +0100 -@@ -26,6 +26,8 @@ - # HostbasedAuthentication no - # GSSAPIAuthentication no - # GSSAPIDelegateCredentials no -+# GSSAPIKeyExchange no -+# GSSAPITrustDNS no - # BatchMode no - # CheckHostIP yes - # AddressFamily any -diff -up openssh-6.2p1/sshconnect2.c.gsskex openssh-6.2p1/sshconnect2.c ---- openssh-6.2p1/sshconnect2.c.gsskex 2013-03-27 13:19:11.104624419 +0100 -+++ openssh-6.2p1/sshconnect2.c 2013-03-27 13:19:11.149624234 +0100 -@@ -162,9 +162,34 @@ ssh_kex2(char *host, struct sockaddr *ho - { - Kex *kex; - -+#ifdef GSSAPI -+ char *orig = NULL, *gss = NULL; -+ char *gss_host = NULL; -+#endif -+ - xxx_host = host; - xxx_hostaddr = hostaddr; - -+#ifdef GSSAPI -+ if (options.gss_keyex) { -+ /* Add the GSSAPI mechanisms currently supported on this -+ * client to the key exchange algorithm proposal */ -+ orig = myproposal[PROPOSAL_KEX_ALGS]; -+ -+ if (options.gss_trust_dns) -+ gss_host = (char *)get_canonical_hostname(1); -+ else -+ gss_host = host; -+ -+ gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity); -+ if (gss) { -+ debug("Offering GSSAPI proposal: %s", gss); -+ xasprintf(&myproposal[PROPOSAL_KEX_ALGS], -+ "%s,%s", gss, orig); -+ } -+ } -+#endif -+ - if (options.ciphers == (char *)-1) { - logit("No valid ciphers for protocol version 2 given, using defaults."); - options.ciphers = NULL; -@@ -207,6 +232,17 @@ ssh_kex2(char *host, struct sockaddr *ho - if (options.kex_algorithms != NULL) - myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; - -+#ifdef GSSAPI -+ /* If we've got 
GSSAPI algorithms, then we also support the -+ * 'null' hostkey, as a last resort */ -+ if (options.gss_keyex && gss) { -+ orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]; -+ xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS], -+ "%s,null", orig); -+ xfree(gss); -+ } -+#endif -+ - if (options.rekey_limit) - packet_set_rekey_limit((u_int32_t)options.rekey_limit); - -@@ -217,10 +253,30 @@ ssh_kex2(char *host, struct sockaddr *ho - kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; - kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; - kex->kex[KEX_ECDH_SHA2] = kexecdh_client; -+#ifdef GSSAPI -+ if (options.gss_keyex) { -+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client; -+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client; -+ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client; -+ } -+#endif - kex->client_version_string=client_version_string; - kex->server_version_string=server_version_string; - kex->verify_host_key=&verify_host_key_callback; - -+#ifdef GSSAPI -+ if (options.gss_keyex) { -+ kex->gss_deleg_creds = options.gss_deleg_creds; -+ kex->gss_trust_dns = options.gss_trust_dns; -+ kex->gss_client = options.gss_client_identity; -+ if (options.gss_server_identity) { -+ kex->gss_host = options.gss_server_identity; -+ } else { -+ kex->gss_host = gss_host; -+ } -+ } -+#endif -+ - xxx_kex = kex; - - dispatch_run(DISPATCH_BLOCK, &kex->done, kex); -@@ -316,6 +372,7 @@ void input_gssapi_token(int type, u_int3 - void input_gssapi_hash(int type, u_int32_t, void *); - void input_gssapi_error(int, u_int32_t, void *); - void input_gssapi_errtok(int, u_int32_t, void *); -+int userauth_gsskeyex(Authctxt *authctxt); - #endif - - void userauth(Authctxt *, char *); -@@ -331,6 +388,11 @@ static char *authmethods_get(void); - - Authmethod authmethods[] = { - #ifdef GSSAPI -+ {"gssapi-keyex", -+ userauth_gsskeyex, -+ NULL, -+ &options.gss_authentication, -+ NULL}, - {"gssapi-with-mic", - userauth_gssapi, - NULL, -@@ -638,19 +700,31 @@ userauth_gssapi(Authctxt *authctxt) - static u_int mech = 0; - OM_uint32 min; 
- int ok = 0; -+ const char *gss_host; -+ -+ if (options.gss_server_identity) -+ gss_host = options.gss_server_identity; -+ else if (options.gss_trust_dns) -+ gss_host = get_canonical_hostname(1); -+ else -+ gss_host = authctxt->host; - - /* Try one GSSAPI method at a time, rather than sending them all at - * once. */ - - if (gss_supported == NULL) -- gss_indicate_mechs(&min, &gss_supported); -+ if (GSS_ERROR(gss_indicate_mechs(&min, &gss_supported))) { -+ gss_supported = NULL; -+ return 0; -+ } - - /* Check to see if the mechanism is usable before we offer it */ - while (mech < gss_supported->count && !ok) { - /* My DER encoding requires length<128 */ - if (gss_supported->elements[mech].length < 128 && - ssh_gssapi_check_mechanism(&gssctxt, -- &gss_supported->elements[mech], authctxt->host)) { -+ &gss_supported->elements[mech], gss_host, -+ options.gss_client_identity)) { - ok = 1; /* Mechanism works */ - } else { - mech++; -@@ -747,8 +821,8 @@ input_gssapi_response(int type, u_int32_ - { - Authctxt *authctxt = ctxt; - Gssctxt *gssctxt; -- int oidlen; -- char *oidv; -+ u_int oidlen; -+ u_char *oidv; - - if (authctxt == NULL) - fatal("input_gssapi_response: no authentication context"); -@@ -858,6 +932,48 @@ input_gssapi_error(int type, u_int32_t p - xfree(msg); - xfree(lang); - } -+ -+int -+userauth_gsskeyex(Authctxt *authctxt) -+{ -+ Buffer b; -+ gss_buffer_desc gssbuf; -+ gss_buffer_desc mic = GSS_C_EMPTY_BUFFER; -+ OM_uint32 ms; -+ -+ static int attempt = 0; -+ if (attempt++ >= 1) -+ return (0); -+ -+ if (gss_kex_context == NULL) { -+ debug("No valid Key exchange context"); -+ return (0); -+ } -+ -+ ssh_gssapi_buildmic(&b, authctxt->server_user, authctxt->service, -+ "gssapi-keyex"); -+ -+ gssbuf.value = buffer_ptr(&b); -+ gssbuf.length = buffer_len(&b); -+ -+ if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) { -+ buffer_free(&b); -+ return (0); -+ } -+ -+ packet_start(SSH2_MSG_USERAUTH_REQUEST); -+ packet_put_cstring(authctxt->server_user); -+ 
packet_put_cstring(authctxt->service); -+ packet_put_cstring(authctxt->method->name); -+ packet_put_string(mic.value, mic.length); -+ packet_send(); -+ -+ buffer_free(&b); -+ gss_release_buffer(&ms, &mic); -+ -+ return (1); -+} -+ - #endif /* GSSAPI */ - - int -diff -up openssh-6.2p1/sshd.c.gsskex openssh-6.2p1/sshd.c ---- openssh-6.2p1/sshd.c.gsskex 2013-03-27 13:19:11.133624300 +0100 -+++ openssh-6.2p1/sshd.c 2013-03-27 13:19:11.149624234 +0100 -@@ -124,6 +124,10 @@ - #include "ssh-sandbox.h" - #include "version.h" - -+#ifdef USE_SECURITY_SESSION_API -+#include -+#endif -+ - #ifdef LIBWRAP - #include - #include -@@ -1733,10 +1737,13 @@ main(int ac, char **av) - logit("Disabling protocol version 1. Could not load host key"); - options.protocol &= ~SSH_PROTO_1; - } -+#ifndef GSSAPI -+ /* The GSSAPI key exchange can run without a host key */ - if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) { - logit("Disabling protocol version 2. Could not load host key"); - options.protocol &= ~SSH_PROTO_2; - } -+#endif - if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { - logit("sshd: no hostkeys available -- exiting."); - exit(1); -@@ -2068,6 +2075,60 @@ main(int ac, char **av) - /* Log the connection. */ - verbose("Connection from %.500s port %d", remote_ip, remote_port); - -+#ifdef USE_SECURITY_SESSION_API -+ /* -+ * Create a new security session for use by the new user login if -+ * the current session is the root session or we are not launched -+ * by inetd (eg: debugging mode or server mode). We do not -+ * necessarily need to create a session if we are launched from -+ * inetd because Panther xinetd will create a session for us. -+ * -+ * The only case where this logic will fail is if there is an -+ * inetd running in a non-root session which is not creating -+ * new sessions for us. Then all the users will end up in the -+ * same session (bad). -+ * -+ * When the client exits, the session will be destroyed for us -+ * automatically. 
-+ * -+ * We must create the session before any credentials are stored -+ * (including AFS pags, which happens a few lines below). -+ */ -+ { -+ OSStatus err = 0; -+ SecuritySessionId sid = 0; -+ SessionAttributeBits sattrs = 0; -+ -+ err = SessionGetInfo(callerSecuritySession, &sid, &sattrs); -+ if (err) -+ error("SessionGetInfo() failed with error %.8X", -+ (unsigned) err); -+ else -+ debug("Current Session ID is %.8X / Session Attributes are %.8X", -+ (unsigned) sid, (unsigned) sattrs); -+ -+ if (inetd_flag && !(sattrs & sessionIsRoot)) -+ debug("Running in inetd mode in a non-root session... " -+ "assuming inetd created the session for us."); -+ else { -+ debug("Creating new security session..."); -+ err = SessionCreate(0, sessionHasTTY | sessionIsRemote); -+ if (err) -+ error("SessionCreate() failed with error %.8X", -+ (unsigned) err); -+ -+ err = SessionGetInfo(callerSecuritySession, &sid, -+ &sattrs); -+ if (err) -+ error("SessionGetInfo() failed with error %.8X", -+ (unsigned) err); -+ else -+ debug("New Session ID is %.8X / Session Attributes are %.8X", -+ (unsigned) sid, (unsigned) sattrs); -+ } -+ } -+#endif -+ - /* - * We don't want to listen forever unless the other side - * successfully authenticates itself. 
So we set up an alarm which is -@@ -2466,6 +2526,48 @@ do_ssh2_kex(void) - - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); - -+#ifdef GSSAPI -+ { -+ char *orig; -+ char *gss = NULL; -+ char *newstr = NULL; -+ orig = myproposal[PROPOSAL_KEX_ALGS]; -+ -+ /* -+ * If we don't have a host key, then there's no point advertising -+ * the other key exchange algorithms -+ */ -+ -+ if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0) -+ orig = NULL; -+ -+ if (options.gss_keyex) -+ gss = ssh_gssapi_server_mechanisms(); -+ else -+ gss = NULL; -+ -+ if (gss && orig) -+ xasprintf(&newstr, "%s,%s", gss, orig); -+ else if (gss) -+ newstr = gss; -+ else if (orig) -+ newstr = orig; -+ -+ /* -+ * If we've got GSSAPI mechanisms, then we've got the 'null' host -+ * key alg, but we can't tell people about it unless its the only -+ * host key algorithm we support -+ */ -+ if (gss && (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS])) == 0) -+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "null"; -+ -+ if (newstr) -+ myproposal[PROPOSAL_KEX_ALGS] = newstr; -+ else -+ fatal("No supported key exchange algorithms"); -+ } -+#endif -+ - /* start key exchange */ - kex = kex_setup(myproposal); - kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; -@@ -2473,6 +2575,13 @@ do_ssh2_kex(void) - kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; - kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; - kex->kex[KEX_ECDH_SHA2] = kexecdh_server; -+#ifdef GSSAPI -+ if (options.gss_keyex) { -+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; -+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server; -+ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server; -+ } -+#endif - kex->server = 1; - kex->client_version_string=client_version_string; - kex->server_version_string=server_version_string; -diff -up openssh-6.2p1/sshd_config.5.gsskex openssh-6.2p1/sshd_config.5 ---- openssh-6.2p1/sshd_config.5.gsskex 2013-03-27 13:19:11.129624316 +0100 -+++ openssh-6.2p1/sshd_config.5 2013-03-27 13:19:11.150624230 +0100 -@@ -481,12 +481,40 @@ 
Specifies whether user authentication ba - The default is - .Dq no . - Note that this option applies to protocol version 2 only. -+.It Cm GSSAPIKeyExchange -+Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange -+doesn't rely on ssh keys to verify host identity. -+The default is -+.Dq no . -+Note that this option applies to protocol version 2 only. - .It Cm GSSAPICleanupCredentials - Specifies whether to automatically destroy the user's credentials cache - on logout. - The default is - .Dq yes . - Note that this option applies to protocol version 2 only. -+.It Cm GSSAPIStrictAcceptorCheck -+Determines whether to be strict about the identity of the GSSAPI acceptor -+a client authenticates against. If -+.Dq yes -+then the client must authenticate against the -+.Pa host -+service on the current hostname. If -+.Dq no -+then the client may authenticate against any service key stored in the -+machine's default store. This facility is provided to assist with operation -+on multi homed machines. -+The default is -+.Dq yes . -+Note that this option applies only to protocol version 2 GSSAPI connections, -+and setting it to -+.Dq no -+may only work with recent Kerberos GSSAPI libraries. -+.It Cm GSSAPIStoreCredentialsOnRekey -+Controls whether the user's GSSAPI credentials should be updated following a -+successful connection rekeying. This option can be used to accepted renewed -+or updated credentials from a compatible client. The default is -+.Dq no . 
- .It Cm HostbasedAuthentication - Specifies whether rhosts or /etc/hosts.equiv authentication together - with successful public key client host authentication is allowed -diff -up openssh-6.2p1/sshd_config.gsskex openssh-6.2p1/sshd_config ---- openssh-6.2p1/sshd_config.gsskex 2013-03-27 13:19:11.133624300 +0100 -+++ openssh-6.2p1/sshd_config 2013-03-27 13:19:11.150624230 +0100 -@@ -89,6 +89,8 @@ ChallengeResponseAuthentication no - GSSAPIAuthentication yes - #GSSAPICleanupCredentials yes - GSSAPICleanupCredentials yes -+#GSSAPIStrictAcceptorCheck yes -+#GSSAPIKeyExchange no - - # Set this to 'yes' to enable PAM authentication, account processing, - # and session processing. If this is enabled, PAM authentication will -diff -up openssh-6.2p1/ssh-gss.h.gsskex openssh-6.2p1/ssh-gss.h ---- openssh-6.2p1/ssh-gss.h.gsskex 2013-02-25 01:24:44.000000000 +0100 -+++ openssh-6.2p1/ssh-gss.h 2013-03-27 13:19:11.150624230 +0100 +diff -up openssh-6.3p1/ssh-gss.h.gsskex openssh-6.3p1/ssh-gss.h +--- openssh-6.3p1/ssh-gss.h.gsskex 2013-02-25 01:24:44.000000000 +0100 ++++ openssh-6.3p1/ssh-gss.h 2013-10-11 15:15:17.294216130 +0200 @@ -1,6 +1,6 @@ /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */ /* 
@@ -3065,3 +2557,472 @@ diff -up openssh-6.2p1/ssh-gss.h.gsskex openssh-6.2p1/ssh-gss.h #endif /* GSSAPI */ #endif /* _SSH_GSS_H */ +diff -up openssh-6.3p1/ssh_config.5.gsskex openssh-6.3p1/ssh_config.5 +--- openssh-6.3p1/ssh_config.5.gsskex 2013-07-18 08:11:50.000000000 +0200 ++++ openssh-6.3p1/ssh_config.5 2013-10-11 15:15:17.292216139 +0200 +@@ -529,11 +529,43 @@ Specifies whether user authentication ba + The default is + .Dq no . + Note that this option applies to protocol version 2 only. ++.It Cm GSSAPIKeyExchange ++Specifies whether key exchange based on GSSAPI may be used. When using ++GSSAPI key exchange the server need not have a host key. ++The default is ++.Dq no . ++Note that this option applies to protocol version 2 only. ++.It Cm GSSAPIClientIdentity ++If set, specifies the GSSAPI client identity that ssh should use when ++connecting to the server. The default is unset, which means that the default ++identity will be used. ++.It Cm GSSAPIServerIdentity ++If set, specifies the GSSAPI server identity that ssh should expect when ++connecting to the server. The default is unset, which means that the ++expected GSSAPI server identity will be determined from the target ++hostname. + .It Cm GSSAPIDelegateCredentials + Forward (delegate) credentials to the server. + The default is + .Dq no . +-Note that this option applies to protocol version 2 only. ++Note that this option applies to protocol version 2 connections using GSSAPI. ++.It Cm GSSAPIRenewalForcesRekey ++If set to ++.Dq yes ++then renewal of the client's GSSAPI credentials will force the rekeying of the ++ssh connection. With a compatible server, this can delegate the renewed ++credentials to a session on the server. ++The default is ++.Dq no . ++.It Cm GSSAPITrustDns ++Set to ++.Dq yes to indicate that the DNS is trusted to securely canonicalize ++the name of the host being connected to. If ++.Dq no, the hostname entered on the ++command line will be passed untouched to the GSSAPI library. 
++The default is ++.Dq no . ++This option only applies to protocol version 2 connections using GSSAPI. + .It Cm HashKnownHosts + Indicates that + .Xr ssh 1 +diff -up openssh-6.3p1/ssh_config.gsskex openssh-6.3p1/ssh_config +--- openssh-6.3p1/ssh_config.gsskex 2013-10-11 15:15:17.265216264 +0200 ++++ openssh-6.3p1/ssh_config 2013-10-11 15:15:17.292216139 +0200 +@@ -26,6 +26,8 @@ + # HostbasedAuthentication no + # GSSAPIAuthentication no + # GSSAPIDelegateCredentials no ++# GSSAPIKeyExchange no ++# GSSAPITrustDNS no + # BatchMode no + # CheckHostIP yes + # AddressFamily any +diff -up openssh-6.3p1/sshconnect2.c.gsskex openssh-6.3p1/sshconnect2.c +--- openssh-6.3p1/sshconnect2.c.gsskex 2013-10-11 15:15:17.251216330 +0200 ++++ openssh-6.3p1/sshconnect2.c 2013-10-11 15:28:22.617529416 +0200 +@@ -162,9 +162,34 @@ ssh_kex2(char *host, struct sockaddr *ho + { + Kex *kex; + ++#ifdef GSSAPI ++ char *orig = NULL, *gss = NULL; ++ char *gss_host = NULL; ++#endif ++ + xxx_host = host; + xxx_hostaddr = hostaddr; + ++#ifdef GSSAPI ++ if (options.gss_keyex) { ++ /* Add the GSSAPI mechanisms currently supported on this ++ * client to the key exchange algorithm proposal */ ++ orig = myproposal[PROPOSAL_KEX_ALGS]; ++ ++ if (options.gss_trust_dns) ++ gss_host = (char *)get_canonical_hostname(1); ++ else ++ gss_host = host; ++ ++ gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity); ++ if (gss) { ++ debug("Offering GSSAPI proposal: %s", gss); ++ xasprintf(&myproposal[PROPOSAL_KEX_ALGS], ++ "%s,%s", gss, orig); ++ } ++ } ++#endif ++ + if (options.ciphers == (char *)-1) { + logit("No valid ciphers for protocol version 2 given, using defaults."); + options.ciphers = NULL; +@@ -207,6 +232,17 @@ ssh_kex2(char *host, struct sockaddr *ho + if (options.kex_algorithms != NULL) + myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; + ++#ifdef GSSAPI ++ /* If we've got GSSAPI algorithms, then we also support the ++ * 'null' hostkey, as a last resort */ ++ if 
(options.gss_keyex && gss) { ++ orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]; ++ xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS], ++ "%s,null", orig); ++ free(gss); ++ } ++#endif ++ + if (options.rekey_limit || options.rekey_interval) + packet_set_rekey_limits((u_int32_t)options.rekey_limit, + (time_t)options.rekey_interval); +@@ -218,10 +254,30 @@ ssh_kex2(char *host, struct sockaddr *ho + kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; + kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; + kex->kex[KEX_ECDH_SHA2] = kexecdh_client; ++#ifdef GSSAPI ++ if (options.gss_keyex) { ++ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client; ++ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client; ++ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client; ++ } ++#endif + kex->client_version_string=client_version_string; + kex->server_version_string=server_version_string; + kex->verify_host_key=&verify_host_key_callback; + ++#ifdef GSSAPI ++ if (options.gss_keyex) { ++ kex->gss_deleg_creds = options.gss_deleg_creds; ++ kex->gss_trust_dns = options.gss_trust_dns; ++ kex->gss_client = options.gss_client_identity; ++ if (options.gss_server_identity) { ++ kex->gss_host = options.gss_server_identity; ++ } else { ++ kex->gss_host = gss_host; ++ } ++ } ++#endif ++ + xxx_kex = kex; + + dispatch_run(DISPATCH_BLOCK, &kex->done, kex); +@@ -317,6 +373,7 @@ void input_gssapi_token(int type, u_int3 + void input_gssapi_hash(int type, u_int32_t, void *); + void input_gssapi_error(int, u_int32_t, void *); + void input_gssapi_errtok(int, u_int32_t, void *); ++int userauth_gsskeyex(Authctxt *authctxt); + #endif + + void userauth(Authctxt *, char *); +@@ -332,6 +389,11 @@ static char *authmethods_get(void); + + Authmethod authmethods[] = { + #ifdef GSSAPI ++ {"gssapi-keyex", ++ userauth_gsskeyex, ++ NULL, ++ &options.gss_authentication, ++ NULL}, + {"gssapi-with-mic", + userauth_gssapi, + NULL, +@@ -636,19 +698,31 @@ userauth_gssapi(Authctxt *authctxt) + static u_int mech = 0; + OM_uint32 min; + int ok = 0; ++ const char 
*gss_host; ++ ++ if (options.gss_server_identity) ++ gss_host = options.gss_server_identity; ++ else if (options.gss_trust_dns) ++ gss_host = get_canonical_hostname(1); ++ else ++ gss_host = authctxt->host; + + /* Try one GSSAPI method at a time, rather than sending them all at + * once. */ + + if (gss_supported == NULL) +- gss_indicate_mechs(&min, &gss_supported); ++ if (GSS_ERROR(gss_indicate_mechs(&min, &gss_supported))) { ++ gss_supported = NULL; ++ return 0; ++ } + + /* Check to see if the mechanism is usable before we offer it */ + while (mech < gss_supported->count && !ok) { + /* My DER encoding requires length<128 */ + if (gss_supported->elements[mech].length < 128 && + ssh_gssapi_check_mechanism(&gssctxt, +- &gss_supported->elements[mech], authctxt->host)) { ++ &gss_supported->elements[mech], gss_host, ++ options.gss_client_identity)) { + ok = 1; /* Mechanism works */ + } else { + mech++; +@@ -745,8 +819,8 @@ input_gssapi_response(int type, u_int32_ + { + Authctxt *authctxt = ctxt; + Gssctxt *gssctxt; +- int oidlen; +- char *oidv; ++ u_int oidlen; ++ u_char *oidv; + + if (authctxt == NULL) + fatal("input_gssapi_response: no authentication context"); +@@ -855,6 +929,48 @@ input_gssapi_error(int type, u_int32_t p + free(msg); + free(lang); + } ++ ++int ++userauth_gsskeyex(Authctxt *authctxt) ++{ ++ Buffer b; ++ gss_buffer_desc gssbuf; ++ gss_buffer_desc mic = GSS_C_EMPTY_BUFFER; ++ OM_uint32 ms; ++ ++ static int attempt = 0; ++ if (attempt++ >= 1) ++ return (0); ++ ++ if (gss_kex_context == NULL) { ++ debug("No valid Key exchange context"); ++ return (0); ++ } ++ ++ ssh_gssapi_buildmic(&b, authctxt->server_user, authctxt->service, ++ "gssapi-keyex"); ++ ++ gssbuf.value = buffer_ptr(&b); ++ gssbuf.length = buffer_len(&b); ++ ++ if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) { ++ buffer_free(&b); ++ return (0); ++ } ++ ++ packet_start(SSH2_MSG_USERAUTH_REQUEST); ++ packet_put_cstring(authctxt->server_user); ++ 
packet_put_cstring(authctxt->service); ++ packet_put_cstring(authctxt->method->name); ++ packet_put_string(mic.value, mic.length); ++ packet_send(); ++ ++ buffer_free(&b); ++ gss_release_buffer(&ms, &mic); ++ ++ return (1); ++} ++ + #endif /* GSSAPI */ + + int +diff -up openssh-6.3p1/sshd.c.gsskex openssh-6.3p1/sshd.c +--- openssh-6.3p1/sshd.c.gsskex 2013-10-11 15:15:17.277216209 +0200 ++++ openssh-6.3p1/sshd.c 2013-10-11 15:15:17.294216130 +0200 +@@ -125,6 +125,10 @@ + #include "ssh-sandbox.h" + #include "version.h" + ++#ifdef USE_SECURITY_SESSION_API ++#include ++#endif ++ + #ifdef LIBWRAP + #include + #include +@@ -1794,10 +1798,13 @@ main(int ac, char **av) + logit("Disabling protocol version 1. Could not load host key"); + options.protocol &= ~SSH_PROTO_1; + } ++#ifndef GSSAPI ++ /* The GSSAPI key exchange can run without a host key */ + if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) { + logit("Disabling protocol version 2. Could not load host key"); + options.protocol &= ~SSH_PROTO_2; + } ++#endif + if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { + logit("sshd: no hostkeys available -- exiting."); + exit(1); +@@ -2130,6 +2137,60 @@ main(int ac, char **av) + /* Log the connection. */ + verbose("Connection from %.500s port %d", remote_ip, remote_port); + ++#ifdef USE_SECURITY_SESSION_API ++ /* ++ * Create a new security session for use by the new user login if ++ * the current session is the root session or we are not launched ++ * by inetd (eg: debugging mode or server mode). We do not ++ * necessarily need to create a session if we are launched from ++ * inetd because Panther xinetd will create a session for us. ++ * ++ * The only case where this logic will fail is if there is an ++ * inetd running in a non-root session which is not creating ++ * new sessions for us. Then all the users will end up in the ++ * same session (bad). ++ * ++ * When the client exits, the session will be destroyed for us ++ * automatically. 
++ * ++ * We must create the session before any credentials are stored ++ * (including AFS pags, which happens a few lines below). ++ */ ++ { ++ OSStatus err = 0; ++ SecuritySessionId sid = 0; ++ SessionAttributeBits sattrs = 0; ++ ++ err = SessionGetInfo(callerSecuritySession, &sid, &sattrs); ++ if (err) ++ error("SessionGetInfo() failed with error %.8X", ++ (unsigned) err); ++ else ++ debug("Current Session ID is %.8X / Session Attributes are %.8X", ++ (unsigned) sid, (unsigned) sattrs); ++ ++ if (inetd_flag && !(sattrs & sessionIsRoot)) ++ debug("Running in inetd mode in a non-root session... " ++ "assuming inetd created the session for us."); ++ else { ++ debug("Creating new security session..."); ++ err = SessionCreate(0, sessionHasTTY | sessionIsRemote); ++ if (err) ++ error("SessionCreate() failed with error %.8X", ++ (unsigned) err); ++ ++ err = SessionGetInfo(callerSecuritySession, &sid, ++ &sattrs); ++ if (err) ++ error("SessionGetInfo() failed with error %.8X", ++ (unsigned) err); ++ else ++ debug("New Session ID is %.8X / Session Attributes are %.8X", ++ (unsigned) sid, (unsigned) sattrs); ++ } ++ } ++#endif ++ + /* + * We don't want to listen forever unless the other side + * successfully authenticates itself. 
So we set up an alarm which is +@@ -2551,6 +2612,48 @@ do_ssh2_kex(void) + + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); + ++#ifdef GSSAPI ++ { ++ char *orig; ++ char *gss = NULL; ++ char *newstr = NULL; ++ orig = myproposal[PROPOSAL_KEX_ALGS]; ++ ++ /* ++ * If we don't have a host key, then there's no point advertising ++ * the other key exchange algorithms ++ */ ++ ++ if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0) ++ orig = NULL; ++ ++ if (options.gss_keyex) ++ gss = ssh_gssapi_server_mechanisms(); ++ else ++ gss = NULL; ++ ++ if (gss && orig) ++ xasprintf(&newstr, "%s,%s", gss, orig); ++ else if (gss) ++ newstr = gss; ++ else if (orig) ++ newstr = orig; ++ ++ /* ++ * If we've got GSSAPI mechanisms, then we've got the 'null' host ++ * key alg, but we can't tell people about it unless its the only ++ * host key algorithm we support ++ */ ++ if (gss && (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS])) == 0) ++ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "null"; ++ ++ if (newstr) ++ myproposal[PROPOSAL_KEX_ALGS] = newstr; ++ else ++ fatal("No supported key exchange algorithms"); ++ } ++#endif ++ + /* start key exchange */ + kex = kex_setup(myproposal); + kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; +@@ -2558,6 +2661,13 @@ do_ssh2_kex(void) + kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; + kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; + kex->kex[KEX_ECDH_SHA2] = kexecdh_server; ++#ifdef GSSAPI ++ if (options.gss_keyex) { ++ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; ++ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server; ++ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server; ++ } ++#endif + kex->server = 1; + kex->client_version_string=client_version_string; + kex->server_version_string=server_version_string; +diff -up openssh-6.3p1/sshd_config.5.gsskex openssh-6.3p1/sshd_config.5 +--- openssh-6.3p1/sshd_config.5.gsskex 2013-10-11 15:15:17.274216223 +0200 ++++ openssh-6.3p1/sshd_config.5 2013-10-11 15:15:17.294216130 +0200 +@@ -484,12 +484,40 @@ 
Specifies whether user authentication ba + The default is + .Dq no . + Note that this option applies to protocol version 2 only. ++.It Cm GSSAPIKeyExchange ++Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange ++doesn't rely on ssh keys to verify host identity. ++The default is ++.Dq no . ++Note that this option applies to protocol version 2 only. + .It Cm GSSAPICleanupCredentials + Specifies whether to automatically destroy the user's credentials cache + on logout. + The default is + .Dq yes . + Note that this option applies to protocol version 2 only. ++.It Cm GSSAPIStrictAcceptorCheck ++Determines whether to be strict about the identity of the GSSAPI acceptor ++a client authenticates against. If ++.Dq yes ++then the client must authenticate against the ++.Pa host ++service on the current hostname. If ++.Dq no ++then the client may authenticate against any service key stored in the ++machine's default store. This facility is provided to assist with operation ++on multi homed machines. ++The default is ++.Dq yes . ++Note that this option applies only to protocol version 2 GSSAPI connections, ++and setting it to ++.Dq no ++may only work with recent Kerberos GSSAPI libraries. ++.It Cm GSSAPIStoreCredentialsOnRekey ++Controls whether the user's GSSAPI credentials should be updated following a ++successful connection rekeying. This option can be used to accepted renewed ++or updated credentials from a compatible client. The default is ++.Dq no . 
+ .It Cm HostbasedAuthentication
+ Specifies whether rhosts or /etc/hosts.equiv authentication together
+ with successful public key client host authentication is allowed
+diff -up openssh-6.3p1/sshd_config.gsskex openssh-6.3p1/sshd_config
+--- openssh-6.3p1/sshd_config.gsskex 2013-10-11 15:15:17.277216209 +0200
++++ openssh-6.3p1/sshd_config 2013-10-11 15:15:17.294216130 +0200
+@@ -92,6 +92,8 @@ ChallengeResponseAuthentication no
+ GSSAPIAuthentication yes
+ #GSSAPICleanupCredentials yes
+ GSSAPICleanupCredentials yes
++#GSSAPIStrictAcceptorCheck yes
++#GSSAPIKeyExchange no
+ 
+ # Set this to 'yes' to enable PAM authentication, account processing,
+ # and session processing. If this is enabled, PAM authentication will
diff --git a/openssh-6.2p1-keycat.patch b/openssh-6.3p1-keycat.patch
similarity index 87%
rename from openssh-6.2p1-keycat.patch
rename to openssh-6.3p1-keycat.patch
index 41770b3..90cfb7e 100644
--- a/openssh-6.2p1-keycat.patch
+++ b/openssh-6.3p1-keycat.patch
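Review bot: In the rebased sshd.c part of this hunk, wrapping the "Disabling protocol version 2. Could not load host key" check in `#ifndef GSSAPI` turns a runtime decision into a compile-time one: every GSSAPI-enabled build now keeps protocol 2 on with no host key even when GSSAPIKeyExchange is off, and the later do_ssh2_kex block then appears to hit `fatal("No supported key exchange algorithms")` per connection instead of sshd refusing once at startup. The guard should key on the option, e.g. `if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key && !options.gss_keyex)` inside `#ifdef GSSAPI`, with the original test kept in an `#else` branch. In the ssh_kex2 part, when KexAlgorithms is set the line `myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;` discards the xasprintf'd GSS proposal without freeing it, yet `gss` is still non-NULL so `",null"` is still appended to the host-key algorithms even though no GSS kex method is offered; the null host-key alg should only be advertised when the GSS methods survived into the proposal. In ssh_config.5, `.Dq yes to indicate that the DNS is trusted to securely canonicalize` and `.Dq no, the hostname entered on the` put running text on the macro line, so mdoc will quote the whole phrase; `.Dq yes` and `.Dq no ,` should stand alone as they do elsewhere in this page. The enclosing functions (sshd.c main and do_ssh2_kex, sshconnect2.c ssh_kex2) start and end outside the hunk.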
@@ -1,24 +1,6 @@
-diff -up openssh-6.2p1/auth2-pubkey.c.keycat openssh-6.2p1/auth2-pubkey.c
---- openssh-6.2p1/auth2-pubkey.c.keycat 2013-03-25 21:34:17.779978851 +0100
-+++ openssh-6.2p1/auth2-pubkey.c 2013-03-25 21:34:17.798978973 +0100
-@@ -573,6 +573,14 @@ user_key_command_allowed2(struct passwd
- _exit(1);
- }
- 
-+#ifdef WITH_SELINUX
-+ if (ssh_selinux_setup_env_variables() < 0) {
-+ error ("failed to copy environment: %s",
-+ strerror(errno));
-+ _exit(127);
-+ }
-+#endif
-+
- execl(options.authorized_keys_command,
- options.authorized_keys_command, user_pw->pw_name, NULL);
- 
-diff -up openssh-6.2p1/HOWTO.ssh-keycat.keycat openssh-6.2p1/HOWTO.ssh-keycat
---- openssh-6.2p1/HOWTO.ssh-keycat.keycat 2013-03-25 21:34:17.798978973 +0100
-+++ openssh-6.2p1/HOWTO.ssh-keycat 2013-03-25 21:34:17.798978973 +0100
+diff -up openssh-6.3p1/HOWTO.ssh-keycat.keycat openssh-6.3p1/HOWTO.ssh-keycat
+--- openssh-6.3p1/HOWTO.ssh-keycat.keycat 2013-10-10 15:16:33.445566916 +0200
++++ openssh-6.3p1/HOWTO.ssh-keycat 2013-10-10 15:16:33.445566916 +0200
 @@ -0,0 +1,12 @@
 +The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
 +of an user in any environment. This includes environments with
@@ -32,9 +14,9 @@ diff -up openssh-6.2p1/HOWTO.ssh-keycat.keycat openssh-6.2p1/HOWTO.ssh-keycat
 + PubkeyAuthentication yes
 +
 +
-diff -up openssh-6.2p1/Makefile.in.keycat openssh-6.2p1/Makefile.in
---- openssh-6.2p1/Makefile.in.keycat 2013-03-25 21:34:17.793978941 +0100
-+++ openssh-6.2p1/Makefile.in 2013-03-25 21:35:48.282559562 +0100
+diff -up openssh-6.3p1/Makefile.in.keycat openssh-6.3p1/Makefile.in
+--- openssh-6.3p1/Makefile.in.keycat 2013-10-10 15:16:33.442566930 +0200
++++ openssh-6.3p1/Makefile.in 2013-10-10 15:16:33.445566916 +0200
 @@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
  SSH_KEYSIGN=$(libexecdir)/ssh-keysign
  SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
@@ -52,7 +34,7 @@ diff -up openssh-6.2p1/Makefile.in.keycat openssh-6.2p1/Makefile.in LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ canohost.o channels.o cipher.o cipher-aes.o \ -@@ -170,6 +171,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) +@@ -172,6 +173,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) @@ -62,7 +44,7 @@ diff -up openssh-6.2p1/Makefile.in.keycat openssh-6.2p1/Makefile.in ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -@@ -276,6 +280,7 @@ install-files: +@@ -279,6 +283,7 @@ install-files: $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ fi 
@@ -70,10 +52,28 @@ diff -up openssh-6.2p1/Makefile.in.keycat openssh-6.2p1/Makefile.in $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -diff -up openssh-6.2p1/openbsd-compat/port-linux.c.keycat openssh-6.2p1/openbsd-compat/port-linux.c ---- openssh-6.2p1/openbsd-compat/port-linux.c.keycat 2013-03-25 21:34:17.785978890 +0100 -+++ openssh-6.2p1/openbsd-compat/port-linux.c 2013-03-25 21:34:17.800978986 +0100 -@@ -315,7 +315,7 @@ ssh_selinux_getctxbyname(char *pwname, +diff -up openssh-6.3p1/auth2-pubkey.c.keycat openssh-6.3p1/auth2-pubkey.c +--- openssh-6.3p1/auth2-pubkey.c.keycat 2013-10-10 15:16:33.429566992 +0200 ++++ openssh-6.3p1/auth2-pubkey.c 2013-10-10 15:16:33.445566916 +0200 +@@ -606,6 +606,14 @@ user_key_command_allowed2(struct passwd + _exit(1); + } + ++#ifdef WITH_SELINUX ++ if (ssh_selinux_setup_env_variables() < 0) { ++ error ("failed to copy environment: %s", ++ strerror(errno)); ++ _exit(127); ++ } ++#endif ++ + execl(options.authorized_keys_command, + options.authorized_keys_command, user_pw->pw_name, NULL); + +diff -up openssh-6.3p1/openbsd-compat/port-linux.c.keycat openssh-6.3p1/openbsd-compat/port-linux.c +--- openssh-6.3p1/openbsd-compat/port-linux.c.keycat 2013-10-10 15:16:33.435566964 +0200 ++++ openssh-6.3p1/openbsd-compat/port-linux.c 2013-10-10 15:32:19.946065189 +0200 +@@ -313,7 +313,7 @@ ssh_selinux_getctxbyname(char *pwname, /* Setup environment variables for pam_selinux */ static int 
@@ -82,13 +82,13 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.keycat openssh-6.2p1/openbsd- { const char *reqlvl; char *role; -@@ -326,16 +326,16 @@ ssh_selinux_setup_pam_variables(void) +@@ -324,16 +324,16 @@ ssh_selinux_setup_pam_variables(void) ssh_selinux_get_role_level(&role, &reqlvl); - rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : ""); + rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : ""); - + if (inetd_flag && !rexeced_flag) { use_current = "1"; } else { @@ -101,8 +101,8 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.keycat openssh-6.2p1/openbsd- + rv = rv || set_it("SELINUX_USE_CURRENT_RANGE", use_current); if (role != NULL) - xfree(role); -@@ -343,6 +343,24 @@ ssh_selinux_setup_pam_variables(void) + free(role); +@@ -341,6 +341,24 @@ ssh_selinux_setup_pam_variables(void) return rv; } @@ -127,9 +127,9 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.keycat openssh-6.2p1/openbsd- /* Set the execution context to the default for the specified user */ void ssh_selinux_setup_exec_context(char *pwname) -diff -up openssh-6.2p1/ssh-keycat.c.keycat openssh-6.2p1/ssh-keycat.c ---- openssh-6.2p1/ssh-keycat.c.keycat 2013-03-25 21:34:17.800978986 +0100 -+++ openssh-6.2p1/ssh-keycat.c 2013-03-25 21:34:17.800978986 +0100 +diff -up openssh-6.3p1/ssh-keycat.c.keycat openssh-6.3p1/ssh-keycat.c +--- openssh-6.3p1/ssh-keycat.c.keycat 2013-10-10 15:16:33.446566911 +0200 ++++ openssh-6.3p1/ssh-keycat.c 2013-10-10 15:16:33.446566911 +0200 @@ -0,0 +1,238 @@ +/* + * Redistribution and use in source and binary forms, with or without diff --git a/openssh-6.2p1-kuserok.patch b/openssh-6.3p1-kuserok.patch similarity index 63% rename from openssh-6.2p1-kuserok.patch rename to openssh-6.3p1-kuserok.patch index 641ad03..60688db 100644 --- a/openssh-6.2p1-kuserok.patch +++ b/openssh-6.3p1-kuserok.patch 
@@ -1,6 +1,6 @@ -diff -up openssh-6.2p1/auth-krb5.c.kuserok openssh-6.2p1/auth-krb5.c ---- openssh-6.2p1/auth-krb5.c.kuserok 2013-03-25 20:06:51.295558062 +0100 -+++ openssh-6.2p1/auth-krb5.c 2013-03-25 20:06:51.318558207 +0100 +diff -up openssh-6.3p1/auth-krb5.c.kuserok openssh-6.3p1/auth-krb5.c +--- openssh-6.3p1/auth-krb5.c.kuserok 2013-10-11 21:41:42.889087613 +0200 ++++ openssh-6.3p1/auth-krb5.c 2013-10-11 21:41:42.905087537 +0200 @@ -55,6 +55,20 @@ extern ServerOptions options; @@ -22,7 +22,7 @@ diff -up openssh-6.2p1/auth-krb5.c.kuserok openssh-6.2p1/auth-krb5.c static int krb5_init(void *context) { -@@ -147,7 +161,7 @@ auth_krb5_password(Authctxt *authctxt, c +@@ -159,7 +173,7 @@ auth_krb5_password(Authctxt *authctxt, c if (problem) goto out; @@ -31,10 +31,10 @@ diff -up openssh-6.2p1/auth-krb5.c.kuserok openssh-6.2p1/auth-krb5.c problem = -1; goto out; } -diff -up openssh-6.2p1/gss-serv-krb5.c.kuserok openssh-6.2p1/gss-serv-krb5.c ---- openssh-6.2p1/gss-serv-krb5.c.kuserok 2013-03-25 20:06:51.311558163 +0100 -+++ openssh-6.2p1/gss-serv-krb5.c 2013-03-25 20:06:51.319558214 +0100 -@@ -68,6 +68,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr +diff -up openssh-6.3p1/gss-serv-krb5.c.kuserok openssh-6.3p1/gss-serv-krb5.c +--- openssh-6.3p1/gss-serv-krb5.c.kuserok 2013-10-11 21:41:42.901087556 +0200 ++++ openssh-6.3p1/gss-serv-krb5.c 2013-10-11 21:46:42.898673597 +0200 +@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr int); static krb5_context krb_context = NULL; 
@@ -42,19 +42,19 @@ diff -up openssh-6.2p1/gss-serv-krb5.c.kuserok openssh-6.2p1/gss-serv-krb5.c /* Initialise the krb5 library, for the stuff that GSSAPI won't do */ -@@ -115,7 +116,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client +@@ -116,7 +117,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client /* NOTE: .k5login and .k5users must opened as root, not the user, * because if they are on a krb5-protected filesystem, user credentials * to access these files aren't available yet. */ -- if (krb5_kuserok(krb_context, princ, luser) && k5login_exists) { -+ if (ssh_krb5_kuserok(krb_context, princ, luser) && k5login_exists) { +- if (krb5_kuserok(krb_context, princ, name) && k5login_exists) { ++ if (ssh_krb5_kuserok(krb_context, princ, name) && k5login_exists) { retval = 1; logit("Authorized to %s, krb5 principal %s (krb5_kuserok)", - luser, (char *)client->displayname.value); -diff -up openssh-6.2p1/servconf.c.kuserok openssh-6.2p1/servconf.c ---- openssh-6.2p1/servconf.c.kuserok 2013-03-25 20:06:51.305558125 +0100 -+++ openssh-6.2p1/servconf.c 2013-03-25 20:06:51.319558214 +0100 -@@ -150,6 +150,7 @@ initialize_server_options(ServerOptions + name, (char *)client->displayname.value); +diff -up openssh-6.3p1/servconf.c.kuserok openssh-6.3p1/servconf.c +--- openssh-6.3p1/servconf.c.kuserok 2013-10-11 21:41:42.896087580 +0200 ++++ openssh-6.3p1/servconf.c 2013-10-11 21:48:24.664194016 +0200 +@@ -157,6 +157,7 @@ initialize_server_options(ServerOptions options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; options->version_addendum = NULL; @@ -62,7 +62,7 @@ diff -up openssh-6.2p1/servconf.c.kuserok openssh-6.2p1/servconf.c } void -@@ -299,6 +300,8 @@ fill_default_server_options(ServerOption +@@ -310,6 +311,8 @@ fill_default_server_options(ServerOption options->version_addendum = xstrdup(""); if (options->show_patchlevel == -1) options->show_patchlevel = 0; 
@@ -71,7 +71,7 @@ diff -up openssh-6.2p1/servconf.c.kuserok openssh-6.2p1/servconf.c /* Turn privilege separation on by default */ if (use_privsep == -1) -@@ -325,7 +328,7 @@ typedef enum { +@@ -336,7 +339,7 @@ typedef enum { sPermitRootLogin, sLogFacility, sLogLevel, sRhostsRSAAuthentication, sRSAAuthentication, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, @@ -80,7 +80,7 @@ diff -up openssh-6.2p1/servconf.c.kuserok openssh-6.2p1/servconf.c sKerberosTgtPassing, sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sAddressFamily, -@@ -397,11 +400,13 @@ static struct { +@@ -409,11 +412,13 @@ static struct { #else { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, #endif @@ -94,7 +94,7 @@ diff -up openssh-6.2p1/servconf.c.kuserok openssh-6.2p1/servconf.c #endif { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, -@@ -1460,6 +1465,10 @@ process_server_config_line(ServerOptions +@@ -1515,6 +1520,10 @@ process_server_config_line(ServerOptions *activep = value; break; @@ -105,15 +105,15 @@ diff -up openssh-6.2p1/servconf.c.kuserok openssh-6.2p1/servconf.c case sPermitOpen: arg = strdelim(&cp); if (!arg || *arg == '\0') -@@ -1761,6 +1770,7 @@ copy_set_server_options(ServerOptions *d +@@ -1815,6 +1824,7 @@ copy_set_server_options(ServerOptions *d M_CP_INTOPT(max_authtries); M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_bulk); + M_CP_INTOPT(use_kuserok); + M_CP_INTOPT(rekey_limit); + M_CP_INTOPT(rekey_interval); - /* See comment in servconf.h */ - COPY_MATCH_STRING_OPTS(); -@@ -1999,6 +2009,7 @@ dump_config(ServerOptions *o) +@@ -2055,6 +2065,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sUseDNS, o->use_dns); dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); 
@@ -121,10 +121,10 @@ diff -up openssh-6.2p1/servconf.c.kuserok openssh-6.2p1/servconf.c /* string arguments */ dump_cfg_string(sPidFile, o->pid_file); -diff -up openssh-6.2p1/servconf.h.kuserok openssh-6.2p1/servconf.h ---- openssh-6.2p1/servconf.h.kuserok 2013-03-25 20:06:51.305558125 +0100 -+++ openssh-6.2p1/servconf.h 2013-03-25 20:06:51.320558220 +0100 -@@ -173,6 +173,7 @@ typedef struct { +diff -up openssh-6.3p1/servconf.h.kuserok openssh-6.3p1/servconf.h +--- openssh-6.3p1/servconf.h.kuserok 2013-10-11 21:41:42.896087580 +0200 ++++ openssh-6.3p1/servconf.h 2013-10-11 21:41:42.907087528 +0200 +@@ -174,6 +174,7 @@ typedef struct { int num_permitted_opens; @@ -132,21 +132,10 @@ diff -up openssh-6.2p1/servconf.h.kuserok openssh-6.2p1/servconf.h char *chroot_directory; char *revoked_keys_file; char *trusted_user_ca_keys; -diff -up openssh-6.2p1/sshd_config.kuserok openssh-6.2p1/sshd_config ---- openssh-6.2p1/sshd_config.kuserok 2013-03-25 20:06:51.308558144 +0100 -+++ openssh-6.2p1/sshd_config 2013-03-25 20:06:51.320558220 +0100 -@@ -83,6 +83,7 @@ ChallengeResponseAuthentication no - #KerberosOrLocalPasswd yes - #KerberosTicketCleanup yes - #KerberosGetAFSToken no -+#KerberosUseKuserok yes - - # GSSAPI options - #GSSAPIAuthentication no -diff -up openssh-6.2p1/sshd_config.5.kuserok openssh-6.2p1/sshd_config.5 ---- openssh-6.2p1/sshd_config.5.kuserok 2013-03-25 20:06:51.308558144 +0100 -+++ openssh-6.2p1/sshd_config.5 2013-03-25 20:08:34.249207272 +0100 -@@ -660,6 +660,10 @@ Specifies whether to automatically destr +diff -up openssh-6.3p1/sshd_config.5.kuserok openssh-6.3p1/sshd_config.5 +--- openssh-6.3p1/sshd_config.5.kuserok 2013-10-11 21:41:42.898087571 +0200 ++++ openssh-6.3p1/sshd_config.5 2013-10-11 21:41:42.907087528 +0200 +@@ -675,6 +675,10 @@ Specifies whether to automatically destr file on logout. The default is .Dq yes . 
@@ -157,7 +146,7 @@ diff -up openssh-6.2p1/sshd_config.5.kuserok openssh-6.2p1/sshd_config.5 .It Cm KexAlgorithms Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. -@@ -819,6 +823,7 @@ Available keywords are +@@ -833,6 +837,7 @@ Available keywords are .Cm HostbasedUsesNameFromPacketOnly , .Cm KbdInteractiveAuthentication , .Cm KerberosAuthentication , @@ -165,3 +154,14 @@ diff -up openssh-6.2p1/sshd_config.5.kuserok openssh-6.2p1/sshd_config.5 .Cm MaxAuthTries , .Cm MaxSessions , .Cm PasswordAuthentication , +diff -up openssh-6.3p1/sshd_config.kuserok openssh-6.3p1/sshd_config +--- openssh-6.3p1/sshd_config.kuserok 2013-10-11 21:41:42.898087571 +0200 ++++ openssh-6.3p1/sshd_config 2013-10-11 21:41:42.907087528 +0200 +@@ -86,6 +86,7 @@ ChallengeResponseAuthentication no + #KerberosOrLocalPasswd yes + #KerberosTicketCleanup yes + #KerberosGetAFSToken no ++#KerberosUseKuserok yes + + # GSSAPI options + #GSSAPIAuthentication no diff --git a/openssh-6.2p1-ldap.patch b/openssh-6.3p1-ldap.patch similarity index 99% rename from openssh-6.2p1-ldap.patch rename to openssh-6.3p1-ldap.patch index 8d717c5..994ef59 100644 --- a/openssh-6.2p1-ldap.patch +++ b/openssh-6.3p1-ldap.patch @@ -383,7 +383,7 @@ diff -up openssh-6.2p1/ldapbody.c.ldap openssh-6.2p1/ldapbody.c + if ((logfile = fopen (logfilename, "a")) == NULL) + fatal ("cannot append to %s: %s", logfilename, strerror (errno)); + debug3 ("LDAP debug into %s", logfilename); -+ xfree (logfilename); ++ free (logfilename); + ber_set_option (NULL, LBER_OPT_LOG_PRINT_FILE, logfile); + } +#endif 
@@ -672,12 +672,12 @@ diff -up openssh-6.2p1/ldapbody.c.ldap openssh-6.2p1/ldapbody.c + timeout.tv_usec = 0; + if ((rc = ldap_search_st(ld, options.base, options.scope, buffer, attrs, 0, &timeout, &res)) != LDAP_SUCCESS) { + error ("ldap_search_st(): %s", ldap_err2string (rc)); -+ xfree (buffer); ++ free (buffer); + return; + } + + /* free */ -+ xfree (buffer); ++ free (buffer); + + for (e = ldap_first_entry(ld, res); e != NULL; e = ldap_next_entry(ld, e)) { + int num; diff --git a/openssh-6.1p1-privsep-selinux.patch b/openssh-6.3p1-privsep-selinux.patch similarity index 59% rename from openssh-6.1p1-privsep-selinux.patch rename to openssh-6.3p1-privsep-selinux.patch index 881c71a..529468c 100644 --- a/openssh-6.1p1-privsep-selinux.patch +++ b/openssh-6.3p1-privsep-selinux.patch @@ -1,8 +1,8 @@ -diff -up openssh-6.1p1/openbsd-compat/port-linux.c.privsep-selinux openssh-6.1p1/openbsd-compat/port-linux.c ---- openssh-6.1p1/openbsd-compat/port-linux.c.privsep-selinux 2012-11-05 14:46:39.334809203 +0100 -+++ openssh-6.1p1/openbsd-compat/port-linux.c 2012-11-05 14:54:32.614504884 +0100 -@@ -505,6 +505,25 @@ ssh_selinux_change_context(const char *n - xfree(newctx); +diff -up openssh-6.3p1/openbsd-compat/port-linux.c.privsep-selinux openssh-6.3p1/openbsd-compat/port-linux.c +--- openssh-6.3p1/openbsd-compat/port-linux.c.privsep-selinux 2013-10-10 14:58:20.634762245 +0200 ++++ openssh-6.3p1/openbsd-compat/port-linux.c 2013-10-10 15:13:57.864306950 +0200 +@@ -503,6 +503,25 @@ ssh_selinux_change_context(const char *n + free(newctx); } +void 
@@ -27,9 +27,9 @@ diff -up openssh-6.1p1/openbsd-compat/port-linux.c.privsep-selinux openssh-6.1p1 #endif /* WITH_SELINUX */ #ifdef LINUX_OOM_ADJUST -diff -up openssh-6.1p1/openbsd-compat/port-linux.h.privsep-selinux openssh-6.1p1/openbsd-compat/port-linux.h ---- openssh-6.1p1/openbsd-compat/port-linux.h.privsep-selinux 2011-01-25 02:16:18.000000000 +0100 -+++ openssh-6.1p1/openbsd-compat/port-linux.h 2012-11-05 14:46:39.339809234 +0100 +diff -up openssh-6.3p1/openbsd-compat/port-linux.h.privsep-selinux openssh-6.3p1/openbsd-compat/port-linux.h +--- openssh-6.3p1/openbsd-compat/port-linux.h.privsep-selinux 2011-01-25 02:16:18.000000000 +0100 ++++ openssh-6.3p1/openbsd-compat/port-linux.h 2013-10-10 14:58:20.634762245 +0200 @@ -24,6 +24,7 @@ int ssh_selinux_enabled(void); void ssh_selinux_setup_pty(char *, const char *); void ssh_selinux_setup_exec_context(char *); @@ -38,10 +38,10 @@ diff -up openssh-6.1p1/openbsd-compat/port-linux.h.privsep-selinux openssh-6.1p1 void ssh_selinux_setfscreatecon(const char *); #endif -diff -up openssh-6.1p1/session.c.privsep-selinux openssh-6.1p1/session.c ---- openssh-6.1p1/session.c.privsep-selinux 2012-12-03 09:43:11.727505761 +0100 -+++ openssh-6.1p1/session.c 2012-12-03 09:54:50.455688902 +0100 -@@ -1519,6 +1519,9 @@ do_setusercontext(struct passwd *pw) +diff -up openssh-6.3p1/session.c.privsep-selinux openssh-6.3p1/session.c +--- openssh-6.3p1/session.c.privsep-selinux 2013-10-10 14:58:20.617762326 +0200 ++++ openssh-6.3p1/session.c 2013-10-10 15:13:16.520503590 +0200 +@@ -1522,6 +1522,9 @@ do_setusercontext(struct passwd *pw) pw->pw_uid); chroot_path = percent_expand(tmp, "h", pw->pw_dir, "u", pw->pw_name, (char *)NULL); 
@@ -51,7 +51,7 @@ diff -up openssh-6.1p1/session.c.privsep-selinux openssh-6.1p1/session.c safely_chroot(chroot_path, pw->pw_uid); free(tmp); free(chroot_path); -@@ -1533,6 +1536,12 @@ do_setusercontext(struct passwd *pw) +@@ -1544,6 +1547,12 @@ do_setusercontext(struct passwd *pw) /* Permanently switch to the desired uid. */ permanently_set_uid(pw); #endif @@ -61,10 +61,10 @@ diff -up openssh-6.1p1/session.c.privsep-selinux openssh-6.1p1/session.c + strcasecmp(options.chroot_directory, "none") == 0) + ssh_selinux_copy_context(); +#endif - } - - if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) -@@ -1787,9 +1796,6 @@ do_child(Session *s, const char *command + } else if (options.chroot_directory != NULL && + strcasecmp(options.chroot_directory, "none") != 0) { + fatal("server lacks privileges to chroot to ChrootDirectory"); +@@ -1808,9 +1817,6 @@ do_child(Session *s, const char *command argv[i] = NULL; optind = optreset = 1; __progname = argv[0]; @@ -74,10 +74,10 @@ diff -up openssh-6.1p1/session.c.privsep-selinux openssh-6.1p1/session.c exit(sftp_server_main(i, argv, s->pw)); } -diff -up openssh-6.1p1/sshd.c.privsep-selinux openssh-6.1p1/sshd.c ---- openssh-6.1p1/sshd.c.privsep-selinux 2013-02-24 11:29:32.997823377 +0100 -+++ openssh-6.1p1/sshd.c 2013-02-24 11:43:34.171182720 +0100 -@@ -653,6 +653,10 @@ privsep_preauth_child(void) +diff -up openssh-6.3p1/sshd.c.privsep-selinux openssh-6.3p1/sshd.c +--- openssh-6.3p1/sshd.c.privsep-selinux 2013-10-10 14:58:20.632762255 +0200 ++++ openssh-6.3p1/sshd.c 2013-10-10 14:58:20.635762241 +0200 +@@ -668,6 +668,10 @@ privsep_preauth_child(void) /* Demote the private keys to public keys. */ demote_sensitive_data(); 
@@ -88,7 +88,7 @@ diff -up openssh-6.1p1/sshd.c.privsep-selinux openssh-6.1p1/sshd.c /* Change our root directory */ if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR, -@@ -794,6 +798,13 @@ privsep_postauth(Authctxt *authctxt) +@@ -811,6 +815,13 @@ privsep_postauth(Authctxt *authctxt) do_setusercontext(authctxt->pw); skip: diff --git a/openssh-6.1p1-redhat.patch b/openssh-6.3p1-redhat.patch similarity index 72% rename from openssh-6.1p1-redhat.patch rename to openssh-6.3p1-redhat.patch index a1fa0e5..5b1ec1d 100644 --- a/openssh-6.1p1-redhat.patch +++ b/openssh-6.3p1-redhat.patch @@ -1,10 +1,10 @@ -diff -up openssh-6.1p1/ssh_config.redhat openssh-6.1p1/ssh_config ---- openssh-6.1p1/ssh_config.redhat 2010-01-12 09:40:27.000000000 +0100 -+++ openssh-6.1p1/ssh_config 2012-10-26 16:28:51.820340584 +0200 -@@ -45,3 +45,14 @@ - # PermitLocalCommand no +diff -up openssh-6.3p1/ssh_config.redhat openssh-6.3p1/ssh_config +--- openssh-6.3p1/ssh_config.redhat 2013-10-11 14:51:18.345876648 +0200 ++++ openssh-6.3p1/ssh_config 2013-10-11 15:13:05.429829266 +0200 +@@ -46,3 +46,14 @@ # VisualHostKey no # ProxyCommand ssh -q -W %h:%p gateway.example.com + # RekeyLimit 1G 1h +Host * + GSSAPIAuthentication yes +# If this option is set to yes then remote X11 clients will have full access 
@@ -12,14 +12,14 @@ diff -up openssh-6.1p1/ssh_config.redhat openssh-6.1p1/ssh_config +# mode correctly we set this to yes. + ForwardX11Trusted yes +# Send locale-related environment variables -+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES -+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT ++ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES ++ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT + SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE + SendEnv XMODIFIERS -diff -up openssh-6.1p1/sshd_config.0.redhat openssh-6.1p1/sshd_config.0 ---- openssh-6.1p1/sshd_config.0.redhat 2012-10-26 16:28:51.762340584 +0200 -+++ openssh-6.1p1/sshd_config.0 2012-10-26 16:28:51.821340584 +0200 -@@ -583,9 +583,9 @@ DESCRIPTION +diff -up openssh-6.3p1/sshd_config.0.redhat openssh-6.3p1/sshd_config.0 +--- openssh-6.3p1/sshd_config.0.redhat 2013-09-13 08:20:43.000000000 +0200 ++++ openssh-6.3p1/sshd_config.0 2013-10-11 14:51:18.345876648 +0200 +@@ -653,9 +653,9 @@ DESCRIPTION SyslogFacility Gives the facility code that is used when logging messages from @@ -32,10 +32,10 @@ diff -up openssh-6.1p1/sshd_config.0.redhat openssh-6.1p1/sshd_config.0 TCPKeepAlive Specifies whether the system should send TCP keepalive messages -diff -up openssh-6.1p1/sshd_config.5.redhat openssh-6.1p1/sshd_config.5 ---- openssh-6.1p1/sshd_config.5.redhat 2012-10-26 16:28:51.763340584 +0200 -+++ openssh-6.1p1/sshd_config.5 2012-10-26 16:28:51.822340584 +0200 -@@ -1015,7 +1015,7 @@ Note that this option applies to protoco +diff -up openssh-6.3p1/sshd_config.5.redhat openssh-6.3p1/sshd_config.5 +--- openssh-6.3p1/sshd_config.5.redhat 2013-07-20 05:21:53.000000000 +0200 ++++ openssh-6.3p1/sshd_config.5 2013-10-11 14:51:18.346876643 +0200 +@@ -1095,7 +1095,7 @@ Note that this option applies to protoco .It Cm SyslogFacility Gives the facility code that is used when logging messages from .Xr sshd 8 . 
@@ -44,9 +44,9 @@ diff -up openssh-6.1p1/sshd_config.5.redhat openssh-6.1p1/sshd_config.5 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH. .It Cm TCPKeepAlive -diff -up openssh-6.1p1/sshd_config.redhat openssh-6.1p1/sshd_config ---- openssh-6.1p1/sshd_config.redhat 2012-10-26 16:28:51.819340584 +0200 -+++ openssh-6.1p1/sshd_config 2012-10-26 16:31:44.773340564 +0200 +diff -up openssh-6.3p1/sshd_config.redhat openssh-6.3p1/sshd_config +--- openssh-6.3p1/sshd_config.redhat 2013-10-11 14:51:18.343876657 +0200 ++++ openssh-6.3p1/sshd_config 2013-10-11 14:51:18.346876643 +0200 @@ -10,6 +10,10 @@ # possible, but leave them commented. Uncommented options override the # default value. @@ -58,7 +58,7 @@ diff -up openssh-6.1p1/sshd_config.redhat openssh-6.1p1/sshd_config #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 -@@ -32,6 +36,7 @@ +@@ -35,6 +39,7 @@ # Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH @@ -66,7 +66,7 @@ diff -up openssh-6.1p1/sshd_config.redhat openssh-6.1p1/sshd_config #LogLevel INFO # Authentication: -@@ -67,9 +72,11 @@ AuthorizedKeysFile .ssh/authorized_keys +@@ -70,9 +75,11 @@ AuthorizedKeysFile .ssh/authorized_keys # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no @@ -78,7 +78,7 @@ diff -up openssh-6.1p1/sshd_config.redhat openssh-6.1p1/sshd_config # Kerberos options #KerberosAuthentication no -@@ -79,7 +86,9 @@ AuthorizedKeysFile .ssh/authorized_keys +@@ -82,7 +89,9 @@ AuthorizedKeysFile .ssh/authorized_keys # GSSAPI options #GSSAPIAuthentication no 
@@ -88,7 +88,7 @@ diff -up openssh-6.1p1/sshd_config.redhat openssh-6.1p1/sshd_config # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will -@@ -91,11 +100,13 @@ AuthorizedKeysFile .ssh/authorized_keys +@@ -94,11 +103,13 @@ AuthorizedKeysFile .ssh/authorized_keys # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. #UsePAM no @@ -102,7 +102,7 @@ diff -up openssh-6.1p1/sshd_config.redhat openssh-6.1p1/sshd_config #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes -@@ -117,6 +128,12 @@ UsePrivilegeSeparation sandbox # Defaul +@@ -120,6 +131,12 @@ UsePrivilegeSeparation sandbox # Defaul # no default banner path #Banner none diff --git a/openssh-6.2p1-role-mls.patch b/openssh-6.3p1-role-mls.patch similarity index 78% rename from openssh-6.2p1-role-mls.patch rename to openssh-6.3p1-role-mls.patch index 3635fef..89d54b3 100644 --- a/openssh-6.2p1-role-mls.patch +++ b/openssh-6.3p1-role-mls.patch 
@@ -1,20 +1,7 @@ -diff -up openssh-6.2p1/auth.h.role-mls openssh-6.2p1/auth.h ---- openssh-6.2p1/auth.h.role-mls 2013-03-25 17:47:00.565746862 +0100 -+++ openssh-6.2p1/auth.h 2013-03-25 17:47:00.602747073 +0100 -@@ -59,6 +59,9 @@ struct Authctxt { - char *service; - struct passwd *pw; /* set if 'valid' */ - char *style; -+#ifdef WITH_SELINUX -+ char *role; -+#endif - void *kbdintctxt; - void *jpake_ctx; - #ifdef BSD_AUTH -diff -up openssh-6.2p1/auth-pam.c.role-mls openssh-6.2p1/auth-pam.c ---- openssh-6.2p1/auth-pam.c.role-mls 2013-03-25 17:47:00.535746690 +0100 -+++ openssh-6.2p1/auth-pam.c 2013-03-25 17:47:00.602747073 +0100 -@@ -1074,7 +1074,7 @@ is_pam_session_open(void) +diff -up openssh-6.3p1/auth-pam.c.role-mls openssh-6.3p1/auth-pam.c +--- openssh-6.3p1/auth-pam.c.role-mls 2013-10-10 14:34:43.799494546 +0200 ++++ openssh-6.3p1/auth-pam.c 2013-10-10 14:34:43.835494375 +0200 +@@ -1071,7 +1071,7 @@ is_pam_session_open(void) * during the ssh authentication process. */ int @@ -23,9 +10,9 @@ diff -up openssh-6.2p1/auth-pam.c.role-mls openssh-6.2p1/auth-pam.c { int ret = 1; #ifdef HAVE_PAM_PUTENV -diff -up openssh-6.2p1/auth-pam.h.role-mls openssh-6.2p1/auth-pam.h ---- openssh-6.2p1/auth-pam.h.role-mls 2004-09-11 14:17:26.000000000 +0200 -+++ openssh-6.2p1/auth-pam.h 2013-03-25 17:47:00.602747073 +0100 +diff -up openssh-6.3p1/auth-pam.h.role-mls openssh-6.3p1/auth-pam.h +--- openssh-6.3p1/auth-pam.h.role-mls 2004-09-11 14:17:26.000000000 +0200 ++++ openssh-6.3p1/auth-pam.h 2013-10-10 14:34:43.835494375 +0200 @@ -38,7 +38,7 @@ void do_pam_session(void); void do_pam_set_tty(const char *); void do_pam_setcred(int ); 
@@ -35,10 +22,23 @@ diff -up openssh-6.2p1/auth-pam.h.role-mls openssh-6.2p1/auth-pam.h char ** fetch_pam_environment(void); char ** fetch_pam_child_environment(void); void free_pam_environment(char **); -diff -up openssh-6.2p1/auth1.c.role-mls openssh-6.2p1/auth1.c ---- openssh-6.2p1/auth1.c.role-mls 2012-12-02 23:53:20.000000000 +0100 -+++ openssh-6.2p1/auth1.c 2013-03-25 17:47:00.600747062 +0100 -@@ -386,6 +386,9 @@ do_authentication(Authctxt *authctxt) +diff -up openssh-6.3p1/auth.h.role-mls openssh-6.3p1/auth.h +--- openssh-6.3p1/auth.h.role-mls 2013-10-10 14:34:43.834494379 +0200 ++++ openssh-6.3p1/auth.h 2013-10-10 14:38:45.060348227 +0200 +@@ -59,6 +59,9 @@ struct Authctxt { + char *service; + struct passwd *pw; /* set if 'valid' */ + char *style; ++#ifdef WITH_SELINUX ++ char *role; ++#endif + void *kbdintctxt; + char *info; /* Extra info for next auth_log */ + void *jpake_ctx; +diff -up openssh-6.3p1/auth1.c.role-mls openssh-6.3p1/auth1.c +--- openssh-6.3p1/auth1.c.role-mls 2013-06-02 00:01:24.000000000 +0200 ++++ openssh-6.3p1/auth1.c 2013-10-10 14:34:43.835494375 +0200 +@@ -381,6 +381,9 @@ do_authentication(Authctxt *authctxt) { u_int ulen; char *user, *style = NULL; @@ -48,7 +48,7 @@ diff -up openssh-6.2p1/auth1.c.role-mls openssh-6.2p1/auth1.c /* Get the name of the user that we wish to log in as. */ packet_read_expect(SSH_CMSG_USER); -@@ -394,11 +397,24 @@ do_authentication(Authctxt *authctxt) +@@ -389,11 +392,24 @@ do_authentication(Authctxt *authctxt) user = packet_get_cstring(&ulen); packet_check_eom(); 
@@ -73,52 +73,10 @@ diff -up openssh-6.2p1/auth1.c.role-mls openssh-6.2p1/auth1.c /* Verify that the user is a valid user. */ if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) -diff -up openssh-6.2p1/auth2.c.role-mls openssh-6.2p1/auth2.c ---- openssh-6.2p1/auth2.c.role-mls 2013-03-25 17:47:00.556746810 +0100 -+++ openssh-6.2p1/auth2.c 2013-03-25 17:47:00.600747062 +0100 -@@ -218,6 +218,9 @@ input_userauth_request(int type, u_int32 - Authctxt *authctxt = ctxt; - Authmethod *m = NULL; - char *user, *service, *method, *style = NULL; -+#ifdef WITH_SELINUX -+ char *role = NULL; -+#endif - int authenticated = 0; - - if (authctxt == NULL) -@@ -229,6 +232,11 @@ input_userauth_request(int type, u_int32 - debug("userauth-request for user %s service %s method %s", user, service, method); - debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); - -+#ifdef WITH_SELINUX -+ if ((role = strchr(user, '/')) != NULL) -+ *role++ = 0; -+#endif -+ - if ((style = strchr(user, ':')) != NULL) - *style++ = 0; - -@@ -251,8 +259,15 @@ input_userauth_request(int type, u_int32 - use_privsep ? " [net]" : ""); - authctxt->service = xstrdup(service); - authctxt->style = style ? xstrdup(style) : NULL; -- if (use_privsep) -+#ifdef WITH_SELINUX -+ authctxt->role = role ? 
xstrdup(role) : NULL; -+#endif -+ if (use_privsep) { - mm_inform_authserv(service, style); -+#ifdef WITH_SELINUX -+ mm_inform_authrole(role); -+#endif -+ } - userauth_banner(); - if (auth2_setup_methods_lists(authctxt) != 0) - packet_disconnect("no authentication methods enabled"); -diff -up openssh-6.2p1/auth2-gss.c.role-mls openssh-6.2p1/auth2-gss.c ---- openssh-6.2p1/auth2-gss.c.role-mls 2012-12-02 23:53:20.000000000 +0100 -+++ openssh-6.2p1/auth2-gss.c 2013-03-25 17:47:00.601747067 +0100 -@@ -260,6 +260,7 @@ input_gssapi_mic(int type, u_int32_t ple +diff -up openssh-6.3p1/auth2-gss.c.role-mls openssh-6.3p1/auth2-gss.c +--- openssh-6.3p1/auth2-gss.c.role-mls 2013-06-01 23:31:18.000000000 +0200 ++++ openssh-6.3p1/auth2-gss.c 2013-10-10 14:34:43.836494370 +0200 +@@ -256,6 +256,7 @@ input_gssapi_mic(int type, u_int32_t ple Authctxt *authctxt = ctxt; Gssctxt *gssctxt; int authenticated = 0; @@ -126,7 +84,7 @@ diff -up openssh-6.2p1/auth2-gss.c.role-mls openssh-6.2p1/auth2-gss.c Buffer b; gss_buffer_desc mic, gssbuf; u_int len; -@@ -272,7 +273,13 @@ input_gssapi_mic(int type, u_int32_t ple +@@ -268,7 +269,13 @@ input_gssapi_mic(int type, u_int32_t ple mic.value = packet_get_string(&len); mic.length = len; 
@@ -141,18 +99,18 @@ diff -up openssh-6.2p1/auth2-gss.c.role-mls openssh-6.2p1/auth2-gss.c "gssapi-with-mic"); gssbuf.value = buffer_ptr(&b); -@@ -284,6 +291,8 @@ input_gssapi_mic(int type, u_int32_t ple +@@ -280,6 +287,8 @@ input_gssapi_mic(int type, u_int32_t ple logit("GSSAPI MIC check failed"); buffer_free(&b); + if (micuser != authctxt->user) -+ xfree(micuser); - xfree(mic.value); ++ free(micuser); + free(mic.value); authctxt->postponed = 0; -diff -up openssh-6.2p1/auth2-hostbased.c.role-mls openssh-6.2p1/auth2-hostbased.c ---- openssh-6.2p1/auth2-hostbased.c.role-mls 2013-03-25 17:47:00.565746862 +0100 -+++ openssh-6.2p1/auth2-hostbased.c 2013-03-25 17:47:00.601747067 +0100 +diff -up openssh-6.3p1/auth2-hostbased.c.role-mls openssh-6.3p1/auth2-hostbased.c +--- openssh-6.3p1/auth2-hostbased.c.role-mls 2013-10-10 14:34:43.818494455 +0200 ++++ openssh-6.3p1/auth2-hostbased.c 2013-10-10 14:34:43.836494370 +0200 @@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt) buffer_put_string(&b, session_id2, session_id2_len); /* reconstruct packet */ 
@@ -170,30 +128,69 @@ diff -up openssh-6.2p1/auth2-hostbased.c.role-mls openssh-6.2p1/auth2-hostbased. buffer_put_cstring(&b, service); buffer_put_cstring(&b, "hostbased"); buffer_put_string(&b, pkalg, alen); -diff -up openssh-6.2p1/auth2-pubkey.c.role-mls openssh-6.2p1/auth2-pubkey.c ---- openssh-6.2p1/auth2-pubkey.c.role-mls 2013-03-25 17:47:00.565746862 +0100 -+++ openssh-6.2p1/auth2-pubkey.c 2013-03-25 17:47:00.601747067 +0100 -@@ -127,7 +127,15 @@ userauth_pubkey(Authctxt *authctxt) +diff -up openssh-6.3p1/auth2-pubkey.c.role-mls openssh-6.3p1/auth2-pubkey.c +--- openssh-6.3p1/auth2-pubkey.c.role-mls 2013-10-10 14:34:43.836494370 +0200 ++++ openssh-6.3p1/auth2-pubkey.c 2013-10-10 14:57:17.452062486 +0200 +@@ -127,9 +127,11 @@ userauth_pubkey(Authctxt *authctxt) } /* reconstruct packet */ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); -- buffer_put_cstring(&b, authctxt->user); -+#ifdef WITH_SELINUX -+ if (authctxt->role) { -+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1); -+ buffer_append(&b, authctxt->user, strlen(authctxt->user)); -+ buffer_put_char(&b, '/'); -+ buffer_append(&b, authctxt->role, strlen(authctxt->role)); -+ } else -+#endif -+ buffer_put_cstring(&b, authctxt->user); +- xasprintf(&userstyle, "%s%s%s", authctxt->user, ++ xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user, + authctxt->style ? ":" : "", +- authctxt->style ? authctxt->style : ""); ++ authctxt->style ? authctxt->style : "", ++ authctxt->role ? "/" : "", ++ authctxt->role ? authctxt->role : ""); + buffer_put_cstring(&b, userstyle); + free(userstyle); buffer_put_cstring(&b, - datafellows & SSH_BUG_PKSERVICE ? 
- "ssh-userauth" : -diff -up openssh-6.2p1/misc.c.role-mls openssh-6.2p1/misc.c ---- openssh-6.2p1/misc.c.role-mls 2011-09-22 13:34:36.000000000 +0200 -+++ openssh-6.2p1/misc.c 2013-03-25 17:47:00.603747079 +0100 -@@ -427,6 +427,7 @@ char * +diff -up openssh-6.3p1/auth2.c.role-mls openssh-6.3p1/auth2.c +--- openssh-6.3p1/auth2.c.role-mls 2013-10-10 14:34:43.819494451 +0200 ++++ openssh-6.3p1/auth2.c 2013-10-10 14:34:43.835494375 +0200 +@@ -221,6 +221,9 @@ input_userauth_request(int type, u_int32 + Authctxt *authctxt = ctxt; + Authmethod *m = NULL; + char *user, *service, *method, *style = NULL; ++#ifdef WITH_SELINUX ++ char *role = NULL; ++#endif + int authenticated = 0; + + if (authctxt == NULL) +@@ -232,6 +235,11 @@ input_userauth_request(int type, u_int32 + debug("userauth-request for user %s service %s method %s", user, service, method); + debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); + ++#ifdef WITH_SELINUX ++ if ((role = strchr(user, '/')) != NULL) ++ *role++ = 0; ++#endif ++ + if ((style = strchr(user, ':')) != NULL) + *style++ = 0; + +@@ -254,8 +262,15 @@ input_userauth_request(int type, u_int32 + use_privsep ? " [net]" : ""); + authctxt->service = xstrdup(service); + authctxt->style = style ? xstrdup(style) : NULL; +- if (use_privsep) ++#ifdef WITH_SELINUX ++ authctxt->role = role ? xstrdup(role) : NULL; ++#endif ++ if (use_privsep) { + mm_inform_authserv(service, style); ++#ifdef WITH_SELINUX ++ mm_inform_authrole(role); ++#endif ++ } + userauth_banner(); + if (auth2_setup_methods_lists(authctxt) != 0) + packet_disconnect("no authentication methods enabled"); +diff -up openssh-6.3p1/misc.c.role-mls openssh-6.3p1/misc.c +--- openssh-6.3p1/misc.c.role-mls 2013-08-08 04:50:06.000000000 +0200 ++++ openssh-6.3p1/misc.c 2013-10-10 14:34:43.836494370 +0200 +@@ -429,6 +429,7 @@ char * colon(char *cp) { int flag = 0; 
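Review bot: In the auth2-pubkey.c section the new `xasprintf(&userstyle, "%s%s%s%s%s", ...)` reads `authctxt->role` with no `#ifdef WITH_SELINUX` guard, while the `role` member added to `struct Authctxt` in the auth.h section earlier in this file is declared only under `WITH_SELINUX`; the 6.2p1 form of this hunk (the removed lines) kept that guard, so a build without SELinux support would now fail to compile here. Fedora builds always enable SELinux, which is presumably why this went unnoticed, but the patch should stay self-consistent with its own auth.h change. The userauth_hostbased reconstruction in the auth2-hostbased.c section a few lines above likely has the same shape; its added lines are not visible in this view. userauth_pubkey's body begins and ends outside the hunk.
```c
	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
#ifdef WITH_SELINUX
	xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
	    authctxt->style ? ":" : "",
	    authctxt->style ? authctxt->style : "",
	    authctxt->role ? "/" : "",
	    authctxt->role ? authctxt->role : "");
#else
	xasprintf(&userstyle, "%s%s%s", authctxt->user,
	    authctxt->style ? ":" : "",
	    authctxt->style ? authctxt->style : "");
#endif
	buffer_put_cstring(&b, userstyle);
	/* … unchanged: free(userstyle) and the rest of the packet reconstruction … */
```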
@@ -201,7 +198,7 @@ diff -up openssh-6.2p1/misc.c.role-mls openssh-6.2p1/misc.c if (*cp == ':') /* Leading colon is part of file name. */ return NULL; -@@ -442,6 +443,13 @@ colon(char *cp) +@@ -444,6 +445,13 @@ colon(char *cp) return (cp); if (*cp == '/') return NULL; @@ -215,10 +212,10 @@ diff -up openssh-6.2p1/misc.c.role-mls openssh-6.2p1/misc.c } return NULL; } -diff -up openssh-6.2p1/monitor.c.role-mls openssh-6.2p1/monitor.c ---- openssh-6.2p1/monitor.c.role-mls 2013-03-25 17:47:00.587746987 +0100 -+++ openssh-6.2p1/monitor.c 2013-03-25 17:47:00.604747085 +0100 -@@ -148,6 +148,9 @@ int mm_answer_sign(int, Buffer *); +diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c +--- openssh-6.3p1/monitor.c.role-mls 2013-10-10 14:34:43.821494441 +0200 ++++ openssh-6.3p1/monitor.c 2013-10-10 14:54:57.933725463 +0200 +@@ -149,6 +149,9 @@ int mm_answer_sign(int, Buffer *); int mm_answer_pwnamallow(int, Buffer *); int mm_answer_auth2_read_banner(int, Buffer *); int mm_answer_authserv(int, Buffer *); @@ -228,7 +225,7 @@ diff -up openssh-6.2p1/monitor.c.role-mls openssh-6.2p1/monitor.c int mm_answer_authpassword(int, Buffer *); int mm_answer_bsdauthquery(int, Buffer *); int mm_answer_bsdauthrespond(int, Buffer *); -@@ -232,6 +235,9 @@ struct mon_table mon_dispatch_proto20[] +@@ -233,6 +236,9 @@ struct mon_table mon_dispatch_proto20[] {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, @@ -238,7 +235,7 @@ diff -up openssh-6.2p1/monitor.c.role-mls openssh-6.2p1/monitor.c {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, #ifdef USE_PAM -@@ -846,6 +852,9 @@ mm_answer_pwnamallow(int sock, Buffer *m +@@ -853,6 +859,9 @@ mm_answer_pwnamallow(int sock, Buffer *m else { /* Allow service/style information on the auth context */ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); 
@@ -248,7 +245,7 @@ diff -up openssh-6.2p1/monitor.c.role-mls openssh-6.2p1/monitor.c monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); } #ifdef USE_PAM -@@ -889,6 +898,25 @@ mm_answer_authserv(int sock, Buffer *m) +@@ -894,6 +903,25 @@ mm_answer_authserv(int sock, Buffer *m) return (0); } @@ -263,7 +260,7 @@ diff -up openssh-6.2p1/monitor.c.role-mls openssh-6.2p1/monitor.c + __func__, authctxt->role); + + if (strlen(authctxt->role) == 0) { -+ xfree(authctxt->role); ++ free(authctxt->role); + authctxt->role = NULL; + } + 
@@ -274,45 +271,45 @@ diff -up openssh-6.2p1/monitor.c.role-mls openssh-6.2p1/monitor.c int mm_answer_authpassword(int sock, Buffer *m) { -@@ -1262,7 +1290,7 @@ static int +@@ -1269,7 +1297,7 @@ static int monitor_valid_userblob(u_char *data, u_int datalen) { Buffer b; -- char *p; -+ char *p, *r; +- char *p, *userstyle; ++ char *p, *r, *userstyle; u_int len; int fail = 0; -@@ -1288,6 +1316,8 @@ monitor_valid_userblob(u_char *data, u_i +@@ -1295,6 +1323,8 @@ monitor_valid_userblob(u_char *data, u_i if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) fail++; - p = buffer_get_string(&b, NULL); + p = buffer_get_cstring(&b, NULL); + if ((r = strchr(p, '/')) != NULL) + *r = '\0'; - if (strcmp(authctxt->user, p) != 0) { - logit("wrong user name passed to monitor: expected %s != %.100s", - authctxt->user, p); -@@ -1319,7 +1349,7 @@ monitor_valid_hostbasedblob(u_char *data + xasprintf(&userstyle, "%s%s%s", authctxt->user, + authctxt->style ? ":" : "", + authctxt->style ? authctxt->style : ""); +@@ -1330,7 +1360,7 @@ monitor_valid_hostbasedblob(u_char *data char *chost) { Buffer b; -- char *p; -+ char *p, *r; +- char *p, *userstyle; ++ char *p, *r, *userstyle; u_int len; int fail = 0; -@@ -1336,6 +1366,8 @@ monitor_valid_hostbasedblob(u_char *data +@@ -1347,6 +1377,8 @@ monitor_valid_hostbasedblob(u_char *data if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) fail++; - p = buffer_get_string(&b, NULL); + p = buffer_get_cstring(&b, NULL); + if ((r = strchr(p, '/')) != NULL) + *r = '\0'; - if (strcmp(authctxt->user, p) != 0) { - logit("wrong user name passed to monitor: expected %s != %.100s", - authctxt->user, p); -diff -up openssh-6.2p1/monitor.h.role-mls openssh-6.2p1/monitor.h ---- openssh-6.2p1/monitor.h.role-mls 2013-03-25 17:47:00.605747090 +0100 -+++ openssh-6.2p1/monitor.h 2013-03-25 17:50:00.824775483 +0100 + xasprintf(&userstyle, "%s%s%s", authctxt->user, + authctxt->style ? ":" : "", + authctxt->style ? 
authctxt->style : ""); +diff -up openssh-6.3p1/monitor.h.role-mls openssh-6.3p1/monitor.h +--- openssh-6.3p1/monitor.h.role-mls 2013-10-10 14:34:43.821494441 +0200 ++++ openssh-6.3p1/monitor.h 2013-10-10 14:34:43.837494365 +0200 @@ -61,6 +61,9 @@ enum monitor_reqtype { MONITOR_REQ_JPAKE_STEP2 = 56, MONITOR_ANS_JPAKE_STEP2 = 57, MONITOR_REQ_JPAKE_KEY_CONFIRM = 58, MONITOR_ANS_JPAKE_KEY_CONFIRM = 59, @@ -323,10 +320,10 @@ diff -up openssh-6.2p1/monitor.h.role-mls openssh-6.2p1/monitor.h MONITOR_REQ_PAM_START = 100, MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103, -diff -up openssh-6.2p1/monitor_wrap.c.role-mls openssh-6.2p1/monitor_wrap.c ---- openssh-6.2p1/monitor_wrap.c.role-mls 2013-03-25 17:47:00.588746993 +0100 -+++ openssh-6.2p1/monitor_wrap.c 2013-03-25 17:47:00.605747090 +0100 -@@ -336,6 +336,25 @@ mm_inform_authserv(char *service, char * +diff -up openssh-6.3p1/monitor_wrap.c.role-mls openssh-6.3p1/monitor_wrap.c +--- openssh-6.3p1/monitor_wrap.c.role-mls 2013-10-10 14:34:43.822494436 +0200 ++++ openssh-6.3p1/monitor_wrap.c 2013-10-10 14:34:43.838494360 +0200 +@@ -338,6 +338,25 @@ mm_inform_authserv(char *service, char * buffer_free(&m); } @@ -352,9 +349,9 @@ diff -up openssh-6.2p1/monitor_wrap.c.role-mls openssh-6.2p1/monitor_wrap.c /* Do the password authentication */ int mm_auth_password(Authctxt *authctxt, char *password) -diff -up openssh-6.2p1/monitor_wrap.h.role-mls openssh-6.2p1/monitor_wrap.h ---- openssh-6.2p1/monitor_wrap.h.role-mls 2013-03-25 17:47:00.588746993 +0100 -+++ openssh-6.2p1/monitor_wrap.h 2013-03-25 17:47:00.605747090 +0100 +diff -up openssh-6.3p1/monitor_wrap.h.role-mls openssh-6.3p1/monitor_wrap.h +--- openssh-6.3p1/monitor_wrap.h.role-mls 2013-10-10 14:34:43.822494436 +0200 ++++ openssh-6.3p1/monitor_wrap.h 2013-10-10 14:34:43.838494360 +0200 @@ -42,6 +42,9 @@ int mm_is_monitor(void); DH *mm_choose_dh(int, int, int); int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); 
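Review bot: In monitor_valid_userblob, and identically in monitor_valid_hostbasedblob, the new lines `if ((r = strchr(p, '/')) != NULL) *r = '\0';` discard the role suffix the client actually signed before the user name is compared, so the monitor never checks it against the `authctxt->role` it was given through mm_inform_authrole; these functions exist so that an unprivileged child cannot have a signature validated over a request the monitor has not itself vetted, and the role is part of that request. If the role is meant to carry authorization weight it should be compared, treating an empty suffix and a NULL role as equal because mm_answer_authrole earlier in this file turns an empty role into NULL. The truncation also runs when WITH_SELINUX is undefined, unlike the matching split in auth2.c which sits under `#ifdef WITH_SELINUX`, so in such a build any user name containing '/' would fail validation here. The strcmp against userstyle that follows is outside the visible lines of this hunk; `r` becomes unused in a non-SELinux build and could be declared under the same guard.
```c
	p = buffer_get_cstring(&b, NULL);
#ifdef WITH_SELINUX
	if ((r = strchr(p, '/')) != NULL)
		*r++ = '\0';
	/* the role the client signed for must match what the child reported */
	if (strcmp(authctxt->role ? authctxt->role : "", r ? r : "") != 0)
		fail++;
#endif
	/* … unchanged: userstyle construction and comparison … */
```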
@@ -365,9 +362,9 @@ diff -up openssh-6.2p1/monitor_wrap.h.role-mls openssh-6.2p1/monitor_wrap.h struct passwd *mm_getpwnamallow(const char *); char *mm_auth2_read_banner(void); int mm_auth_password(struct Authctxt *, char *); -diff -up openssh-6.2p1/openbsd-compat/Makefile.in.role-mls openssh-6.2p1/openbsd-compat/Makefile.in ---- openssh-6.2p1/openbsd-compat/Makefile.in.role-mls 2013-03-25 17:47:00.606747096 +0100 -+++ openssh-6.2p1/openbsd-compat/Makefile.in 2013-03-25 17:50:36.024979473 +0100 +diff -up openssh-6.3p1/openbsd-compat/Makefile.in.role-mls openssh-6.3p1/openbsd-compat/Makefile.in +--- openssh-6.3p1/openbsd-compat/Makefile.in.role-mls 2013-05-10 08:28:56.000000000 +0200 ++++ openssh-6.3p1/openbsd-compat/Makefile.in 2013-10-10 14:34:43.838494360 +0200 @@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o @@ -377,9 +374,9 @@ diff -up openssh-6.2p1/openbsd-compat/Makefile.in.role-mls openssh-6.2p1/openbsd .c.o: $(CC) $(CFLAGS) $(CPPFLAGS) -c $< -diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbsd-compat/port-linux.c ---- openssh-6.2p1/openbsd-compat/port-linux.c.role-mls 2012-03-09 00:25:18.000000000 +0100 -+++ openssh-6.2p1/openbsd-compat/port-linux.c 2013-03-25 17:47:00.606747096 +0100 +diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbsd-compat/port-linux.c +--- openssh-6.3p1/openbsd-compat/port-linux.c.role-mls 2013-06-02 00:07:32.000000000 +0200 ++++ openssh-6.3p1/openbsd-compat/port-linux.c 2013-10-10 14:40:41.841793347 +0200 @@ -31,68 +31,271 @@ #include "log.h" 
@@ -419,7 +416,8 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs +static int +send_audit_message(int success, security_context_t default_context, + security_context_t selected_context) -+{ + { +- static int enabled = -1; + int rc=0; +#ifdef HAVE_LINUX_AUDIT + char *msg = NULL; @@ -465,8 +463,7 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs + +static int +mls_range_allowed(security_context_t src, security_context_t dst) - { -- static int enabled = -1; ++{ + struct av_decision avd; + int retval; + unsigned int bit = CONTEXT__CONTAINS; @@ -683,16 +680,16 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs } #ifdef HAVE_GETSEUSERBYNAME -@@ -102,7 +305,42 @@ ssh_selinux_getctxbyname(char *pwname) - xfree(lvl); +@@ -100,7 +303,42 @@ ssh_selinux_getctxbyname(char *pwname) + free(lvl); #endif - return sc; + if (role != NULL) -+ xfree(role); ++ free(role); + if (con) + context_free(con); -+ ++ + return (r); +} + @@ -710,7 +707,7 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs + ssh_selinux_get_role_level(&role, &reqlvl); + + rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : ""); -+ ++ + if (inetd_flag && !rexeced_flag) { + use_current = "1"; + } else { @@ -721,13 +718,13 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs + rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current); + + if (role != NULL) -+ xfree(role); -+ ++ free(role); ++ + return rv; } /* Set the execution context to the default for the specified user */ -@@ -110,28 +348,71 @@ void +@@ -108,28 +346,71 @@ void ssh_selinux_setup_exec_context(char *pwname) { security_context_t user_ctx = NULL; 
@@ -806,7 +803,7 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs debug3("%s: done", __func__); } -@@ -149,7 +430,10 @@ ssh_selinux_setup_pty(char *pwname, cons +@@ -147,7 +428,10 @@ ssh_selinux_setup_pty(char *pwname, cons debug3("%s: setting TTY context on %s", __func__, tty); @@ -818,8 +815,8 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs /* XXX: should these calls fatal() upon failure in enforcing mode? */ -@@ -221,21 +505,6 @@ ssh_selinux_change_context(const char *n - xfree(newctx); +@@ -219,21 +503,6 @@ ssh_selinux_change_context(const char *n + free(newctx); } -void @@ -840,9 +837,9 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs #endif /* WITH_SELINUX */ #ifdef LINUX_OOM_ADJUST -diff -up openssh-6.2p1/openbsd-compat/port-linux_part_2.c.role-mls openssh-6.2p1/openbsd-compat/port-linux_part_2.c ---- openssh-6.2p1/openbsd-compat/port-linux_part_2.c.role-mls 2013-03-25 17:47:00.607747102 +0100 -+++ openssh-6.2p1/openbsd-compat/port-linux_part_2.c 2013-03-25 17:47:00.607747102 +0100 +diff -up openssh-6.3p1/openbsd-compat/port-linux_part_2.c.role-mls openssh-6.3p1/openbsd-compat/port-linux_part_2.c +--- openssh-6.3p1/openbsd-compat/port-linux_part_2.c.role-mls 2013-10-10 14:34:43.839494355 +0200 ++++ openssh-6.3p1/openbsd-compat/port-linux_part_2.c 2013-10-10 14:34:43.839494355 +0200 @@ -0,0 +1,75 @@ +/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */ + 
@@ -919,10 +916,10 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux_part_2.c.role-mls openssh-6.2p1 +#endif /* WITH_SELINUX */ + +#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */ -diff -up openssh-6.2p1/sshd.c.role-mls openssh-6.2p1/sshd.c ---- openssh-6.2p1/sshd.c.role-mls 2013-03-25 17:47:00.589746999 +0100 -+++ openssh-6.2p1/sshd.c 2013-03-25 17:47:00.607747102 +0100 -@@ -2118,6 +2118,9 @@ main(int ac, char **av) +diff -up openssh-6.3p1/sshd.c.role-mls openssh-6.3p1/sshd.c +--- openssh-6.3p1/sshd.c.role-mls 2013-10-10 14:34:43.824494427 +0200 ++++ openssh-6.3p1/sshd.c 2013-10-10 14:34:43.839494355 +0200 +@@ -2179,6 +2179,9 @@ main(int ac, char **av) restore_uid(); } #endif diff --git a/openssh.spec b/openssh.spec index 4e4558d..d752ee7 100644 --- a/openssh.spec +++ b/openssh.spec @@ -92,9 +92,9 @@ Source13: sshd-keygen Patch0: openssh-5.9p1-wIm.patch #? -Patch100: openssh-6.2p1-coverity.patch +Patch100: openssh-6.3p1-coverity.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1872 -Patch101: openssh-6.2p1-fingerprint.patch +Patch101: openssh-6.3p1-fingerprint.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1894 #https://bugzilla.redhat.com/show_bug.cgi?id=735889 Patch102: openssh-5.8p1-getaddrinfo.patch @@ -102,7 +102,7 @@ Patch102: openssh-5.8p1-getaddrinfo.patch Patch103: openssh-5.8p1-packet.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1402 -Patch200: openssh-6.2p1-audit.patch +Patch200: openssh-6.3p1-audit.patch # --- pam_ssh-agent --- # make it build reusing the openssh sources 
@@ -112,14 +112,14 @@ Patch301: pam_ssh_agent_auth-0.9.2-seteuid.patch # explicitly make pam callbacks visible Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX) -Patch400: openssh-6.2p1-role-mls.patch +Patch400: openssh-6.3p1-role-mls.patch #https://bugzilla.redhat.com/show_bug.cgi?id=781634 -Patch404: openssh-6.1p1-privsep-selinux.patch +Patch404: openssh-6.3p1-privsep-selinux.patch #?-- unwanted child :( -Patch501: openssh-6.2p1-ldap.patch +Patch501: openssh-6.3p1-ldap.patch #? -Patch502: openssh-6.2p1-keycat.patch +Patch502: openssh-6.3p1-keycat.patch #http6://bugzilla.mindrot.org/show_bug.cgi?id=1644 Patch601: openssh-5.2p1-allow-ip-opts.patch @@ -141,7 +141,7 @@ Patch608: openssh-6.1p1-askpass-ld.patch Patch609: openssh-5.5p1-x11.patch #? -Patch700: openssh-6.2p1-fips.patch +Patch700: openssh-6.3p1-fips.patch #? Patch701: openssh-5.6p1-exit-deadlock.patch #? @@ -155,7 +155,7 @@ Patch705: openssh-5.1p1-scp-manpage.patch #? Patch706: openssh-5.8p1-localdomain.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX) -Patch707: openssh-6.1p1-redhat.patch +Patch707: openssh-6.3p1-redhat.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :) Patch708: openssh-6.2p1-entropy.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX) 
@@ -163,29 +163,19 @@ Patch709: openssh-6.2p1-vendor.patch # warn users for unsupported UsePAM=no (#757545) Patch711: openssh-6.1p1-log-usepam-no.patch # make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL -Patch712: openssh-5.9p1-ctr-evp-fast.patch +Patch712: openssh-6.3p1-ctr-evp-fast.patch # add cavs test binary for the aes-ctr -Patch713: openssh-6.2p1-ctr-cavstest.patch +Patch713: openssh-6.3p1-ctr-cavstest.patch #http://www.sxw.org.uk/computing/patches/openssh.html #changed cache storage type - #848228 -Patch800: openssh-6.2p1-gsskex.patch +Patch800: openssh-6.3p1-gsskex.patch #http://www.mail-archive.com/kerberos@mit.edu/msg17591.html -Patch801: openssh-6.2p1-force_krb.patch +Patch801: openssh-6.3p1-force_krb.patch Patch900: openssh-6.1p1-gssapi-canohost.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1780 -Patch901: openssh-6.2p1-kuserok.patch - -# build regress/modpipe tests with $(CFLAGS), based on -# http://lists.mindrot.org/pipermail/openssh-unix-dev/2013-March/031167.html -Patch905: openssh-6.2p1-modpipe-cflags.patch -# add latest config.{sub,guess} to support aarch64 (#926284) -Patch907: openssh-6.2p1-aarch64.patch -# make sftp's libedit interface marginally multibyte aware (#841771) -Patch908: openssh-6.2p2-sftp-multibyte.patch -# don't show Success for EAI_SYSTEM (#985964) -Patch909: openssh-6.2p2-ssh_gai_strerror.patch +Patch901: openssh-6.3p1-kuserok.patch License: BSD @@ -404,10 +394,6 @@ popd %patch900 -p1 -b .canohost %patch901 -p1 -b .kuserok -%patch905 -p1 -b .modpipe-cflags -%patch907 -p1 -b .aarch64 -%patch908 -p1 -b .sftp-multibyte -%patch909 -p1 -b .ssh_gai_strerror %if 0 # Nothing here yet
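Review bot: The Patch905–Patch909 entries and their `%patch` lines are removed with no visible record of what superseded them; the comments being deleted (modpipe CFLAGS, aarch64 config.{sub,guess}, sftp multibyte, EAI_SYSTEM error string) were the only explanation of why those patches existed. If they are now carried by the 6.3p1 tarball, a `%changelog` line such as `- drop patches merged upstream in 6.3p1 (modpipe-cflags, aarch64, sftp-multibyte, ssh_gai_strerror)` would let the next rebaser confirm that without digging out the old patch files; the `%changelog` section is outside this hunk, so I cannot tell whether it already says so. Patch708 `openssh-6.2p1-entropy.patch` and Patch709 `openssh-6.2p1-vendor.patch` keep their 6.2p1 names while everything around them is rebased, which is fine if they still apply cleanly, but it is worth stating in the commit that they were re-checked against 6.3p1 rather than only the renamed ones.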
