[gsi-openssh] Based on openssh-6.3p1-1.fc21
Mattias Ellert
ellert at fedoraproject.org
Tue Oct 15 09:35:48 UTC 2013
commit aaf34e54d93e2b1746b8709b8f582da0128f2ece
Author: Mattias Ellert <mattias.ellert at fysast.uu.se>
Date: Tue Oct 15 11:35:20 2013 +0200
Based on openssh-6.3p1-1.fc21
gsi-openssh.spec | 124 +--
gsissh-clients-fips.conf | 1 -
gsissh-server-fips.conf | 1 -
openssh-6.2p1-aarch64.patch | 1080 ---------------
openssh-6.2p1-modpipe-cflags.patch | 12 -
openssh-6.2p1-vendor.patch | 19 +-
openssh-6.2p2-sftp-multibyte.patch | 64 -
openssh-6.2p2-ssh_gai_strerror.patch | 23 -
...-6.2p1-audit.patch => openssh-6.3p1-audit.patch | 456 +++----
...-coverity.patch => openssh-6.3p1-coverity.patch | 392 +++---
...stest.patch => openssh-6.3p1-ctr-cavstest.patch | 8 +-
...-fast.patch => openssh-6.3p1-ctr-evp-fast.patch | 2 +-
...rprint.patch => openssh-6.3p1-fingerprint.patch | 375 +++---
...sh-6.2p1-fips.patch => openssh-6.3p1-fips.patch | 383 +++---
...orce_krb.patch => openssh-6.3p1-force_krb.patch | 90 +-
....2p2-gsissh.patch => openssh-6.3p1-gsissh.patch | 462 ++++----
....2p1-gsskex.patch => openssh-6.3p1-gsskex.patch | 1387 ++++++++++----------
....2p1-keycat.patch => openssh-6.3p1-keycat.patch | 74 +-
...p1-kuserok.patch => openssh-6.3p1-kuserok.patch | 88 +-
...sh-6.2p1-ldap.patch => openssh-6.3p1-ldap.patch | 6 +-
...ux.patch => openssh-6.3p1-privsep-selinux.patch | 44 +-
....1p1-redhat.patch => openssh-6.3p1-redhat.patch | 46 +-
...-role-mls.patch => openssh-6.3p1-role-mls.patch | 315 +++---
sources | 2 +-
24 files changed, 2042 insertions(+), 3412 deletions(-)
---
diff --git a/gsi-openssh.spec b/gsi-openssh.spec
index a3ebcd5..62c7e06 100644
--- a/gsi-openssh.spec
+++ b/gsi-openssh.spec
@@ -28,10 +28,8 @@
# Do we want LDAP support
%global ldap 1
-%global openssh_ver 6.2p2
-%global openssh_rel 3
-
-%define hmac_suffix .%{openssh_ver}-%{openssh_rel}%{?dist}.hmac
+%global openssh_ver 6.3p1
+%global openssh_rel 1
Summary: An implementation of the SSH protocol with GSI authentication
Name: gsi-openssh
@@ -48,14 +46,12 @@ Source10: gsisshd.socket
Source11: gsisshd.service
Source12: gsisshd-keygen.service
Source13: gsisshd-keygen
-Source14: gsissh-clients-fips.conf
-Source15: gsissh-server-fips.conf
Source99: README.sshd-and-gsisshd
#?
-Patch100: openssh-6.2p1-coverity.patch
+Patch100: openssh-6.3p1-coverity.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1872
-Patch101: openssh-6.2p1-fingerprint.patch
+Patch101: openssh-6.3p1-fingerprint.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1894
#https://bugzilla.redhat.com/show_bug.cgi?id=735889
Patch102: openssh-5.8p1-getaddrinfo.patch
@@ -63,17 +59,17 @@ Patch102: openssh-5.8p1-getaddrinfo.patch
Patch103: openssh-5.8p1-packet.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
-Patch200: openssh-6.2p1-audit.patch
+Patch200: openssh-6.3p1-audit.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
-Patch400: openssh-6.2p1-role-mls.patch
+Patch400: openssh-6.3p1-role-mls.patch
#https://bugzilla.redhat.com/show_bug.cgi?id=781634
-Patch404: openssh-6.1p1-privsep-selinux.patch
+Patch404: openssh-6.3p1-privsep-selinux.patch
#?-- unwanted child :(
-Patch501: openssh-6.2p1-ldap.patch
+Patch501: openssh-6.3p1-ldap.patch
#?
-Patch502: openssh-6.2p1-keycat.patch
+Patch502: openssh-6.3p1-keycat.patch
#http6://bugzilla.mindrot.org/show_bug.cgi?id=1644
Patch601: openssh-5.2p1-allow-ip-opts.patch
@@ -95,7 +91,7 @@ Patch608: openssh-6.1p1-askpass-ld.patch
Patch609: openssh-5.5p1-x11.patch
#?
-Patch700: openssh-6.2p1-fips.patch
+Patch700: openssh-6.3p1-fips.patch
#?
Patch701: openssh-5.6p1-exit-deadlock.patch
#?
@@ -109,7 +105,7 @@ Patch705: openssh-5.1p1-scp-manpage.patch
#?
Patch706: openssh-5.8p1-localdomain.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
-Patch707: openssh-6.1p1-redhat.patch
+Patch707: openssh-6.3p1-redhat.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :)
Patch708: openssh-6.2p1-entropy.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
@@ -117,31 +113,22 @@ Patch709: openssh-6.2p1-vendor.patch
# warn users for unsupported UsePAM=no (#757545)
Patch711: openssh-6.1p1-log-usepam-no.patch
# make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL
-Patch712: openssh-5.9p1-ctr-evp-fast.patch
+Patch712: openssh-6.3p1-ctr-evp-fast.patch
# add cavs test binary for the aes-ctr
-Patch713: openssh-6.2p1-ctr-cavstest.patch
+Patch713: openssh-6.3p1-ctr-cavstest.patch
#http://www.sxw.org.uk/computing/patches/openssh.html
#changed cache storage type - #848228
-Patch800: openssh-6.2p1-gsskex.patch
+Patch800: openssh-6.3p1-gsskex.patch
#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
-Patch801: openssh-6.2p1-force_krb.patch
+Patch801: openssh-6.3p1-force_krb.patch
Patch900: openssh-6.1p1-gssapi-canohost.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
-Patch901: openssh-6.2p1-kuserok.patch
-# build regress/modpipe tests with $(CFLAGS), based on
-# http://lists.mindrot.org/pipermail/openssh-unix-dev/2013-March/031167.html
-Patch905: openssh-6.2p1-modpipe-cflags.patch
-# add latest config.{sub,guess} to support aarch64 (#926284)
-Patch907: openssh-6.2p1-aarch64.patch
-# make sftp's libedit interface marginally multibyte aware (#841771)
-Patch908: openssh-6.2p2-sftp-multibyte.patch
-# don't show Success for EAI_SYSTEM (#985964)
-Patch909: openssh-6.2p2-ssh_gai_strerror.patch
+Patch901: openssh-6.3p1-kuserok.patch
# This is the patch that adds GSI support
-# Based on http://grid.ncsa.illinois.edu/ssh/dl/patch/openssh-6.2p2.patch
-Patch98: openssh-6.2p2-gsissh.patch
+# Based on http://grid.ncsa.illinois.edu/ssh/dl/patch/openssh-6.3p1.patch
+Patch98: openssh-6.3p1-gsissh.patch
License: BSD
Group: Applications/Internet
@@ -156,7 +143,7 @@ BuildRequires: audit-libs-devel >= 2.0.5
BuildRequires: util-linux, groff
BuildRequires: pam-devel
BuildRequires: tcp_wrappers-devel
-BuildRequires: fipscheck-devel >= 1.4.1
+BuildRequires: fipscheck-devel >= 1.3.0
BuildRequires: openssl-devel >= 0.9.8j
%if %{kerberos5}
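Review bot: The minimum fipscheck-devel version on the `BuildRequires` line drops from 1.4.1 to 1.3.0 without any explanation in the spec or the changelog entry. This library backs the binary integrity check, so a lowered floor deserves a stated reason. Presumably the older release is enough now that `--enable-hmac-suffix` is gone, but that should be confirmed. I would add a comment above the line such as `# 1.3.0 is sufficient once the hmac-suffix configure option is dropped`, and apply the same wording to the two new `Requires: fipscheck-lib%{_isa} >= 1.3.0` lines.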
@@ -189,13 +176,7 @@ Provides: gsissh-clients = %{version}-%{release}
Obsoletes: gsissh-clients < 5.8p2-2
Group: Applications/Internet
Requires: %{name} = %{version}-%{release}
-
-%package clients-fips
-Summary: The FIPS module package for the gsissh client
-Group: Applications/Internet
-Requires: gsi-openssh-clients = %{version}-%{release}
-Requires: fipscheck-lib%{_isa} >= 1.4.1
-Requires: openssl-fips
+Requires: fipscheck-lib%{_isa} >= 1.3.0
%package server
Summary: SSH server daemon with GSI authentication
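Review bot: The `clients-fips` subpackage is removed here, and `server-fips` in the next hunk, but no `Obsoletes` is added for either in the visible hunks. An installed 6.2p2 `-fips` subpackage pins `gsi-openssh-clients = %{version}-%{release}`, so it is likely to block the upgrade or be left orphaned. Unless this is handled in a part of the spec not shown, add `Obsoletes: %{name}-clients-fips < 6.3p1-1` to `%package clients` and the matching `Obsoletes: %{name}-server-fips < 6.3p1-1` to `%package server`. The removed subpackages also carried `Requires: openssl-fips`, which is not moved to the main packages. If that is intentional, a one-line comment saying so would help whoever next audits the FIPS setup.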
@@ -205,17 +186,11 @@ Group: System Environment/Daemons
Requires: %{name} = %{version}-%{release}
Requires(pre): /usr/sbin/useradd
Requires: pam >= 1.0.1-3
+Requires: fipscheck-lib%{_isa} >= 1.3.0
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
-%package server-fips
-Summary: The FIPS module package for the gsissh server daemon
-Group: System Environment/Daemons
-Requires: gsi-openssh-server = %{version}-%{release}
-Requires: fipscheck-lib%{_isa} >= 1.4.1
-Requires: openssl-fips
-
%description
SSH (Secure SHell) is a program for logging into and executing
commands on a remote machine. SSH is intended to replace rlogin and
@@ -239,14 +214,6 @@ the clients necessary to make encrypted connections to SSH servers.
This version of OpenSSH has been modified to support GSI authentication.
-%description clients-fips
-OpenSSH is a free version of SSH (Secure SHell), a program for logging
-into and executing commands on a remote machine. This package includes
-the files that complete the installation of the OpenSSH client FIPS
-module.
-
-This version of OpenSSH has been modified to support GSI authentication.
-
%description server
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
@@ -255,14 +222,6 @@ securely connect to your SSH server.
This version of OpenSSH has been modified to support GSI authentication.
-%description server-fips
-OpenSSH is a free version of SSH (Secure SHell), a program for logging
-into and executing commands on a remote machine. This package contains
-the files that complete the installation of the OpenSSH server FIPS
-module.
-
-This version of OpenSSH has been modified to support GSI authentication.
-
%prep
%setup -q -n openssh-%{version}
@@ -312,10 +271,6 @@ This version of OpenSSH has been modified to support GSI authentication.
%patch900 -p1 -b .canohost
%patch901 -p1 -b .kuserok
-%patch905 -p1 -b .modpipe-cflags
-%patch907 -p1 -b .aarch64
-%patch908 -p1 -b .sftp-multibyte
-%patch909 -p1 -b .ssh_gai_strerror
%patch98 -p1 -b .gsi
@@ -393,11 +348,10 @@ fi
--without-gsi \
%endif
%if %{libedit}
- --with-libedit \
+ --with-libedit
%else
- --without-libedit \
+ --without-libedit
%endif
- --enable-hmac-suffix=%{hmac_suffix}
make SSH_PROGRAM=%{_bindir}/gsissh \
ASKPASS_PROGRAM=%{_libexecdir}/openssh/ssh-askpass
@@ -408,8 +362,6 @@ make SSH_PROGRAM=%{_bindir}/gsissh \
%{__arch_install_post} \
%{__os_install_post} \
fipshmac -d $RPM_BUILD_ROOT%{_libdir}/fipscheck $RPM_BUILD_ROOT%{_bindir}/gsissh $RPM_BUILD_ROOT%{_sbindir}/gsisshd \
- mv $RPM_BUILD_ROOT%{_libdir}/fipscheck/gsissh.hmac $RPM_BUILD_ROOT%{_libdir}/fipscheck/gsissh%{hmac_suffix} \
- mv $RPM_BUILD_ROOT%{_libdir}/fipscheck/gsisshd.hmac $RPM_BUILD_ROOT%{_libdir}/fipscheck/gsisshd%{hmac_suffix} \
%{nil}
%install
@@ -433,11 +385,6 @@ install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/gsisshd.socket
install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/gsisshd.service
install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/gsisshd-keygen.service
-#install prelink blacklists
-mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/prelink.conf.d
-install -m644 %{SOURCE14} %{SOURCE15} \
- $RPM_BUILD_ROOT/%{_sysconfdir}/prelink.conf.d
-
rm $RPM_BUILD_ROOT%{_bindir}/ssh-add
rm $RPM_BUILD_ROOT%{_bindir}/ssh-agent
rm $RPM_BUILD_ROOT%{_bindir}/ssh-keyscan
@@ -474,15 +421,9 @@ getent passwd sshd >/dev/null || \
useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \
-s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || :
-%pre clients-fips
-prelink -u %{_bindir}/gsissh 2>/dev/null || :
-
%post server
%systemd_post gsisshd.service gsisshd.socket
-%pre server-fips
-prelink -u %{_sbindir}/gsisshd 2>/dev/null || :
-
%preun server
%systemd_preun gsisshd.service gsisshd.socket
@@ -512,6 +453,7 @@ prelink -u %{_sbindir}/gsisshd 2>/dev/null || :
%files clients
%defattr(-,root,root)
%attr(0755,root,root) %{_bindir}/gsissh
+%attr(0644,root,root) %{_libdir}/fipscheck/gsissh.hmac
%attr(0644,root,root) %{_mandir}/man1/gsissh.1*
%attr(0755,root,root) %{_bindir}/gsiscp
%attr(0644,root,root) %{_mandir}/man1/gsiscp.1*
@@ -522,18 +464,12 @@ prelink -u %{_sbindir}/gsisshd 2>/dev/null || :
%attr(0755,root,root) %{_bindir}/gsisftp
%attr(0644,root,root) %{_mandir}/man1/gsisftp.1*
-%files clients-fips
-%defattr(-,root,root)
-%attr(0644,root,root) %{_libdir}/fipscheck/gsissh%{hmac_suffix}
-# We don't want to depend on prelink for this directory
-%dir %{_sysconfdir}/prelink.conf.d
-%{_sysconfdir}/prelink.conf.d/gsissh-clients-fips.conf
-
%files server
%defattr(-,root,root)
%dir %attr(0711,root,root) %{_var}/empty/gsisshd
%attr(0755,root,root) %{_sbindir}/gsisshd
%attr(0755,root,root) %{_sbindir}/gsisshd-keygen
+%attr(0644,root,root) %{_libdir}/fipscheck/gsisshd.hmac
%attr(0755,root,root) %{_libexecdir}/gsissh/sftp-server
%attr(0644,root,root) %{_mandir}/man5/gsisshd_config.5*
%attr(0644,root,root) %{_mandir}/man5/gsimoduli.5*
@@ -547,14 +483,10 @@ prelink -u %{_sbindir}/gsisshd 2>/dev/null || :
%attr(0644,root,root) %{_unitdir}/gsisshd.socket
%attr(0644,root,root) %{_unitdir}/gsisshd-keygen.service
-%files server-fips
-%defattr(-,root,root)
-%attr(0644,root,root) %{_libdir}/fipscheck/gsisshd%{hmac_suffix}
-# We don't want to depend on prelink for this directory
-%dir %{_sysconfdir}/prelink.conf.d
-%{_sysconfdir}/prelink.conf.d/gsissh-server-fips.conf
-
%changelog
+* Tue Oct 15 2013 Mattias Ellert <mattias.ellert at fysast.uu.se> - 6.3p1-1
+- Based on openssh-6.3p1-1.fc21
+
* Wed Oct 02 2013 Mattias Ellert <mattias.ellert at fysast.uu.se> - 6.2p2-3
- Based on openssh-6.2p2-8.fc20
diff --git a/openssh-6.2p1-vendor.patch b/openssh-6.2p1-vendor.patch
index 68d30dc..ddccd2c 100644
--- a/openssh-6.2p1-vendor.patch
+++ b/openssh-6.2p1-vendor.patch
@@ -1,21 +1,20 @@
-diff -up openssh-6.2p2/configure.ac.vendor openssh-6.2p2/configure.ac
---- openssh-6.2p2/configure.ac.vendor 2013-09-10 18:09:06.463326695 +0200
-+++ openssh-6.2p2/configure.ac 2013-09-10 18:10:46.302864218 +0200
-@@ -4427,6 +4427,13 @@ AC_ARG_ENABLE(hmac-suffix,
- [AC_DEFINE(HMAC_SUFFIX, NULL)]
+diff -up openssh-6.2p1/configure.ac.vendor openssh-6.2p1/configure.ac
+--- openssh-6.2p1/configure.ac.vendor 2013-03-25 19:34:01.277495179 +0100
++++ openssh-6.2p1/configure.ac 2013-03-25 19:34:01.377495818 +0100
+@@ -4420,6 +4420,12 @@ AC_ARG_WITH([lastlog],
+ fi
+ ]
)
-
+AC_ARG_ENABLE(vendor-patchlevel,
+ [ --enable-vendor-patchlevel=TAG specify a vendor patch level],
+ [AC_DEFINE_UNQUOTED(SSH_VENDOR_PATCHLEVEL,[SSH_RELEASE "-" "$enableval"],[Define to your vendor patch level, if it has been modified from the upstream source release.])
+ SSH_VENDOR_PATCHLEVEL="$enableval"],
+ [AC_DEFINE(SSH_VENDOR_PATCHLEVEL,SSH_RELEASE,[Define to your vendor patch level, if it has been modified from the upstream source release.])
+ SSH_VENDOR_PATCHLEVEL=none])
-+
+
dnl lastlog, [uw]tmpx? detection
dnl NOTE: set the paths in the platform section to avoid the
- dnl need for command-line parameters
-@@ -4687,6 +4694,7 @@ echo " Translate v4 in v6 hack
+@@ -4681,6 +4687,7 @@ echo " Translate v4 in v6 hack
echo " BSD Auth support: $BSD_AUTH_MSG"
echo " Random number source: $RAND_MSG"
echo " Privsep sandbox style: $SANDBOX_STYLE"
@@ -147,7 +146,7 @@ diff -up openssh-6.2p1/sshd.c.vendor openssh-6.2p1/sshd.c
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline);
-@@ -1676,7 +1676,8 @@ main(int ac, char **av)
+@@ -1675,7 +1675,8 @@ main(int ac, char **av)
exit(1);
}
diff --git a/openssh-6.2p1-audit.patch b/openssh-6.3p1-audit.patch
similarity index 83%
rename from openssh-6.2p1-audit.patch
rename to openssh-6.3p1-audit.patch
index 9a5d23c..39296c1 100644
--- a/openssh-6.2p1-audit.patch
+++ b/openssh-6.3p1-audit.patch
@@ -1,8 +1,7 @@
-diff --git a/Makefile.in b/Makefile.in
-index d327787..85903be 100644
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -73,7 +73,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
+diff -up openssh-6.3p1/Makefile.in.audit openssh-6.3p1/Makefile.in
+--- openssh-6.3p1/Makefile.in.audit 2013-06-11 03:26:10.000000000 +0200
++++ openssh-6.3p1/Makefile.in 2013-10-07 15:53:34.246717277 +0200
+@@ -73,7 +73,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
@@ -11,11 +10,10 @@ index d327787..85903be 100644
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
-diff --git a/audit-bsm.c b/audit-bsm.c
-index 6135591..5160869 100644
---- a/audit-bsm.c
-+++ b/audit-bsm.c
-@@ -375,10 +375,23 @@ audit_connection_from(const char *host, int port)
+diff -up openssh-6.3p1/audit-bsm.c.audit openssh-6.3p1/audit-bsm.c
+--- openssh-6.3p1/audit-bsm.c.audit 2012-02-24 00:40:43.000000000 +0100
++++ openssh-6.3p1/audit-bsm.c 2013-10-07 15:53:34.246717277 +0200
+@@ -375,10 +375,23 @@ audit_connection_from(const char *host,
#endif
}
@@ -40,7 +38,7 @@ index 6135591..5160869 100644
}
void
-@@ -393,6 +406,12 @@ audit_session_close(struct logininfo *li)
+@@ -393,6 +406,12 @@ audit_session_close(struct logininfo *li
/* not implemented */
}
@@ -94,10 +92,9 @@ index 6135591..5160869 100644
+ /* not implemented */
+}
#endif /* BSM */
-diff --git a/audit-linux.c b/audit-linux.c
-index b3ee2f4..43904ee 100644
---- a/audit-linux.c
-+++ b/audit-linux.c
+diff -up openssh-6.3p1/audit-linux.c.audit openssh-6.3p1/audit-linux.c
+--- openssh-6.3p1/audit-linux.c.audit 2011-01-17 11:15:30.000000000 +0100
++++ openssh-6.3p1/audit-linux.c 2013-10-07 15:53:34.246717277 +0200
@@ -35,13 +35,24 @@
#include "log.h"
@@ -126,7 +123,7 @@ index b3ee2f4..43904ee 100644
{
int audit_fd, rc, saved_errno;
-@@ -49,11 +60,11 @@ linux_audit_record_event(int uid, const char *username,
+@@ -49,11 +60,11 @@ linux_audit_record_event(int uid, const
if (audit_fd < 0) {
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
errno == EAFNOSUPPORT)
@@ -141,7 +138,7 @@ index b3ee2f4..43904ee 100644
NULL, "login", username ? username : "(unknown)",
username == NULL ? uid : -1, hostname, ip, ttyn, success);
saved_errno = errno;
-@@ -65,35 +76,150 @@ linux_audit_record_event(int uid, const char *username,
+@@ -65,35 +76,150 @@ linux_audit_record_event(int uid, const
if ((rc == -EPERM) && (geteuid() != 0))
rc = 0;
errno = saved_errno;
@@ -364,7 +361,7 @@ index b3ee2f4..43904ee 100644
+ snprintf(buf, sizeof(buf), "op=unsupported-%s direction=? cipher=? ksize=? rport=%d laddr=%s lport=%d ",
+ name[what], get_remote_port(), (s = get_local_ipaddr(packet_get_connection_in())),
+ get_local_port());
-+ xfree(s);
++ free(s);
+ audit_fd = audit_open();
+ if (audit_fd < 0)
+ /* no problem, the next instruction will be fatal() */
@@ -391,7 +388,7 @@ index b3ee2f4..43904ee 100644
+ direction[ctos], enc, cipher ? 8 * cipher->key_len : 0, mac,
+ (intmax_t)pid, (intmax_t)uid,
+ get_remote_port(), (s = get_local_ipaddr(packet_get_connection_in())), get_local_port());
-+ xfree(s);
++ free(s);
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
@@ -421,7 +418,7 @@ index b3ee2f4..43904ee 100644
+ get_remote_port(),
+ (s = get_local_ipaddr(packet_get_connection_in())),
+ get_local_port());
-+ xfree(s);
++ free(s);
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ if (errno != EINVAL && errno != EPROTONOSUPPORT &&
@@ -484,10 +481,9 @@ index b3ee2f4..43904ee 100644
+ error("cannot write into audit");
+}
#endif /* USE_LINUX_AUDIT */
-diff --git a/audit.c b/audit.c
-index ced57fa..1ccc9e9 100644
---- a/audit.c
-+++ b/audit.c
+diff -up openssh-6.3p1/audit.c.audit openssh-6.3p1/audit.c
+--- openssh-6.3p1/audit.c.audit 2011-01-17 11:15:30.000000000 +0100
++++ openssh-6.3p1/audit.c 2013-10-07 15:53:34.246717277 +0200
@@ -28,6 +28,7 @@
#include <stdarg.h>
@@ -523,7 +519,7 @@ index ced57fa..1ccc9e9 100644
+ crypto_name = key_ssh_name(key);
+ if (audit_keyusage(host_user, crypto_name, key_size(key), fp, *rv) == 0)
+ *rv = 0;
-+ xfree(fp);
++ free(fp);
+}
+
+void
@@ -565,7 +561,7 @@ index ced57fa..1ccc9e9 100644
* Called when a user session is started. Argument is the tty allocated to
* the session, or NULL if no tty was allocated.
*
-@@ -174,13 +223,91 @@ audit_session_close(struct logininfo *li)
+@@ -174,13 +223,91 @@ audit_session_close(struct logininfo *li
/*
* This will be called when a user runs a non-interactive command. Note that
* it may be called multiple times for a single connection since SSH2 allows
@@ -659,10 +655,9 @@ index ced57fa..1ccc9e9 100644
}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
-diff --git a/audit.h b/audit.h
-index 92ede5b..a2dc3ff 100644
---- a/audit.h
-+++ b/audit.h
+diff -up openssh-6.3p1/audit.h.audit openssh-6.3p1/audit.h
+--- openssh-6.3p1/audit.h.audit 2011-01-17 11:15:30.000000000 +0100
++++ openssh-6.3p1/audit.h 2013-10-07 15:53:34.246717277 +0200
@@ -28,6 +28,7 @@
# define _SSH_AUDIT_H
@@ -698,11 +693,9 @@ index 92ede5b..a2dc3ff 100644
+void audit_generate_ephemeral_server_key(const char *);
#endif /* _SSH_AUDIT_H */
-diff --git a/auditstub.c b/auditstub.c
-new file mode 100644
-index 0000000..45817e0
---- /dev/null
-+++ b/auditstub.c
+diff -up openssh-6.3p1/auditstub.c.audit openssh-6.3p1/auditstub.c
+--- openssh-6.3p1/auditstub.c.audit 2013-10-07 15:53:34.247717272 +0200
++++ openssh-6.3p1/auditstub.c 2013-10-07 15:53:34.247717272 +0200
@@ -0,0 +1,50 @@
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */
+
@@ -754,11 +747,10 @@ index 0000000..45817e0
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
+{
+}
-diff --git a/auth-rsa.c b/auth-rsa.c
-index de7c369..7fdd0ae 100644
---- a/auth-rsa.c
-+++ b/auth-rsa.c
-@@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16])
+diff -up openssh-6.3p1/auth-rsa.c.audit openssh-6.3p1/auth-rsa.c
+--- openssh-6.3p1/auth-rsa.c.audit 2013-07-18 08:12:44.000000000 +0200
++++ openssh-6.3p1/auth-rsa.c 2013-10-07 15:53:34.247717272 +0200
+@@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNU
{
u_char buf[32], mdbuf[16];
MD5_CTX md;
@@ -770,7 +762,7 @@ index de7c369..7fdd0ae 100644
/* don't allow short keys */
if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
-@@ -113,12 +116,18 @@ auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16])
+@@ -113,12 +116,18 @@ auth_rsa_verify_response(Key *key, BIGNU
MD5_Final(mdbuf, &md);
/* Verify that the response is the original challenge. */
@@ -787,18 +779,17 @@ index de7c369..7fdd0ae 100644
}
- /* Correct answer. */
- return (1);
-+ xfree(fp);
++ free(fp);
+#endif
+
+ return rv;
}
/*
-diff --git a/auth.h b/auth.h
-index c6fe847..9ecc405 100644
---- a/auth.h
-+++ b/auth.h
-@@ -181,6 +181,7 @@ void abandon_challenge_response(Authctxt *);
+diff -up openssh-6.3p1/auth.h.audit openssh-6.3p1/auth.h
+--- openssh-6.3p1/auth.h.audit 2013-07-20 05:21:53.000000000 +0200
++++ openssh-6.3p1/auth.h 2013-10-07 16:02:38.629171107 +0200
+@@ -187,6 +187,7 @@ void abandon_challenge_response(Authctxt
char *expand_authorized_keys(const char *, struct passwd *pw);
char *authorized_principals_file(struct passwd *);
@@ -806,19 +797,18 @@ index c6fe847..9ecc405 100644
FILE *auth_openkeyfile(const char *, struct passwd *, int);
FILE *auth_openprincipals(const char *, struct passwd *, int);
-@@ -196,6 +197,7 @@ Key *get_hostkey_public_by_type(int);
- Key *get_hostkey_private_by_type(int);
+@@ -204,6 +205,7 @@ Key *get_hostkey_private_by_type(int);
int get_hostkey_index(Key *);
int ssh1_session_key(BIGNUM *);
+ void sshd_hostkey_sign(Key *, Key *, u_char **, u_int *, u_char *, u_int);
+int hostbased_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
/* debug messages during authentication */
void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
-diff --git a/auth2-hostbased.c b/auth2-hostbased.c
-index 69b849b..e535680 100644
---- a/auth2-hostbased.c
-+++ b/auth2-hostbased.c
-@@ -119,7 +119,7 @@ userauth_hostbased(Authctxt *authctxt)
+diff -up openssh-6.3p1/auth2-hostbased.c.audit openssh-6.3p1/auth2-hostbased.c
+--- openssh-6.3p1/auth2-hostbased.c.audit 2013-10-07 15:53:34.223717384 +0200
++++ openssh-6.3p1/auth2-hostbased.c 2013-10-07 15:53:34.247717272 +0200
+@@ -123,7 +123,7 @@ userauth_hostbased(Authctxt *authctxt)
/* test for allowed key and correct signature */
authenticated = 0;
if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
@@ -827,7 +817,7 @@ index 69b849b..e535680 100644
buffer_len(&b))) == 1)
authenticated = 1;
-@@ -136,6 +136,18 @@ done:
+@@ -140,6 +140,18 @@ done:
return authenticated;
}
@@ -846,11 +836,10 @@ index 69b849b..e535680 100644
/* return 1 if given hostkey is allowed */
int
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
-diff --git a/auth2-pubkey.c b/auth2-pubkey.c
-index d78381a..8f913ab 100644
---- a/auth2-pubkey.c
-+++ b/auth2-pubkey.c
-@@ -146,7 +146,7 @@ userauth_pubkey(Authctxt *authctxt)
+diff -up openssh-6.3p1/auth2-pubkey.c.audit openssh-6.3p1/auth2-pubkey.c
+--- openssh-6.3p1/auth2-pubkey.c.audit 2013-10-07 15:53:34.224717379 +0200
++++ openssh-6.3p1/auth2-pubkey.c 2013-10-08 15:11:42.282436972 +0200
+@@ -152,7 +152,7 @@ userauth_pubkey(Authctxt *authctxt)
/* test for correct signature */
authenticated = 0;
if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
@@ -859,8 +848,8 @@ index d78381a..8f913ab 100644
buffer_len(&b))) == 1)
authenticated = 1;
buffer_free(&b);
-@@ -183,6 +183,18 @@ done:
- return authenticated;
+@@ -223,6 +223,18 @@ pubkey_auth_info(Authctxt *authctxt, con
+ free(extra);
}
+int
@@ -878,11 +867,10 @@ index d78381a..8f913ab 100644
static int
match_principals_option(const char *principal_list, struct KeyCert *cert)
{
-diff --git a/auth2.c b/auth2.c
-index e367a10..c28638b 100644
---- a/auth2.c
-+++ b/auth2.c
-@@ -242,9 +242,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
+diff -up openssh-6.3p1/auth2.c.audit openssh-6.3p1/auth2.c
+--- openssh-6.3p1/auth2.c.audit 2013-06-01 23:41:51.000000000 +0200
++++ openssh-6.3p1/auth2.c 2013-10-07 15:53:34.248717268 +0200
+@@ -245,9 +245,6 @@ input_userauth_request(int type, u_int32
} else {
logit("input_userauth_request: invalid user %s", user);
authctxt->pw = fakepw();
@@ -892,11 +880,10 @@ index e367a10..c28638b 100644
}
#ifdef USE_PAM
if (options.use_pam)
-diff --git a/cipher.c b/cipher.c
-index 9ca1d00..e1d716a 100644
---- a/cipher.c
-+++ b/cipher.c
-@@ -55,17 +55,7 @@ extern const EVP_CIPHER *evp_ssh1_bf(void);
+diff -up openssh-6.3p1/cipher.c.audit openssh-6.3p1/cipher.c
+--- openssh-6.3p1/cipher.c.audit 2013-10-07 15:53:34.248717268 +0200
++++ openssh-6.3p1/cipher.c 2013-10-07 16:06:51.117971891 +0200
+@@ -55,18 +55,6 @@ extern const EVP_CIPHER *evp_ssh1_bf(voi
extern const EVP_CIPHER *evp_ssh1_3des(void);
extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
@@ -910,15 +897,14 @@ index 9ca1d00..e1d716a 100644
- u_int discard_len;
- u_int cbc_mode;
- const EVP_CIPHER *(*evptype)(void);
--} ciphers[] = {
-+struct Cipher ciphers[] = {
+-};
+-
+ static const struct Cipher ciphers[] = {
{ "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
{ "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
- { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
-diff --git a/cipher.h b/cipher.h
-index 8cb57c3..89b2dc9 100644
---- a/cipher.h
-+++ b/cipher.h
+diff -up openssh-6.3p1/cipher.h.audit openssh-6.3p1/cipher.h
+--- openssh-6.3p1/cipher.h.audit 2013-04-23 11:24:32.000000000 +0200
++++ openssh-6.3p1/cipher.h 2013-10-07 15:53:34.248717268 +0200
@@ -61,7 +61,18 @@
typedef struct Cipher Cipher;
typedef struct CipherContext CipherContext;
@@ -939,10 +925,9 @@ index 8cb57c3..89b2dc9 100644
struct CipherContext {
int plaintext;
int encrypt;
-diff --git a/kex.c b/kex.c
-index 57a79dd..922cf9d 100644
---- a/kex.c
-+++ b/kex.c
+diff -up openssh-6.3p1/kex.c.audit openssh-6.3p1/kex.c
+--- openssh-6.3p1/kex.c.audit 2013-06-01 23:31:18.000000000 +0200
++++ openssh-6.3p1/kex.c 2013-10-07 15:53:34.249717264 +0200
@@ -49,6 +49,7 @@
#include "dispatch.h"
#include "monitor.h"
@@ -951,7 +936,7 @@ index 57a79dd..922cf9d 100644
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
# if defined(HAVE_EVP_SHA256)
-@@ -296,9 +297,13 @@ static void
+@@ -341,9 +342,13 @@ static void
choose_enc(Enc *enc, char *client, char *server)
{
char *name = match_list(client, server, NULL);
@@ -966,7 +951,7 @@ index 57a79dd..922cf9d 100644
if ((enc->cipher = cipher_by_name(name)) == NULL)
fatal("matching cipher is not supported: %s", name);
enc->name = name;
-@@ -314,9 +319,13 @@ static void
+@@ -359,9 +364,13 @@ static void
choose_mac(Mac *mac, char *client, char *server)
{
char *name = match_list(client, server, NULL);
@@ -981,7 +966,7 @@ index 57a79dd..922cf9d 100644
if (mac_setup(mac, name) < 0)
fatal("unsupported mac %s", name);
/* truncate the key */
-@@ -331,8 +340,12 @@ static void
+@@ -376,8 +385,12 @@ static void
choose_comp(Comp *comp, char *client, char *server)
{
char *name = match_list(client, server, NULL);
@@ -995,7 +980,7 @@ index 57a79dd..922cf9d 100644
if (strcmp(name, "zlib at openssh.com") == 0) {
comp->type = COMP_DELAYED;
} else if (strcmp(name, "zlib") == 0) {
-@@ -460,6 +473,9 @@ kex_choose_conf(Kex *kex)
+@@ -492,6 +505,9 @@ kex_choose_conf(Kex *kex)
newkeys->enc.name,
authlen == 0 ? newkeys->mac.name : "<implicit>",
newkeys->comp.name);
@@ -1005,7 +990,7 @@ index 57a79dd..922cf9d 100644
}
choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
-@@ -624,3 +640,34 @@ dump_digest(char *msg, u_char *digest, int len)
+@@ -656,3 +672,34 @@ dump_digest(char *msg, u_char *digest, i
fprintf(stderr, "\n");
}
#endif
@@ -1018,12 +1003,12 @@ index 57a79dd..922cf9d 100644
+
+ if (enc->key) {
+ memset(enc->key, 0, enc->key_len);
-+ xfree(enc->key);
++ free(enc->key);
+ }
+
+ if (enc->iv) {
+ memset(enc->iv, 0, enc->block_size);
-+ xfree(enc->iv);
++ free(enc->iv);
+ }
+
+ memset(enc, 0, sizeof(*enc));
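Review bot: The key and IV wipes in this teardown code are plain `memset` calls placed directly before `free`, which a compiler may remove as dead stores, so the session key material may not actually be cleared. The commit only swaps `xfree` for `free` and leaves the wipe as it was. A wipe that cannot be elided is safer, for example `OPENSSL_cleanse(enc->key, enc->key_len);` and `OPENSSL_cleanse(enc->iv, enc->block_size);`, assuming the OpenSSL header is already included in this file. The mac.c hunk further down has the same pattern in `memset(mac->key, 0, mac->key_len); free(mac->key);`. The enclosing function starts before this hunk and continues after it.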
@@ -1040,11 +1025,10 @@ index 57a79dd..922cf9d 100644
+ memset(&newkeys->comp, 0, sizeof(newkeys->comp));
+}
+
-diff --git a/kex.h b/kex.h
-index 46731fa..8a59114 100644
---- a/kex.h
-+++ b/kex.h
-@@ -158,6 +158,8 @@ void kexgex_server(Kex *);
+diff -up openssh-6.3p1/kex.h.audit openssh-6.3p1/kex.h
+--- openssh-6.3p1/kex.h.audit 2013-07-20 05:21:53.000000000 +0200
++++ openssh-6.3p1/kex.h 2013-10-07 15:53:34.249717264 +0200
+@@ -162,6 +162,8 @@ void kexgex_server(Kex *);
void kexecdh_client(Kex *);
void kexecdh_server(Kex *);
@@ -1053,11 +1037,10 @@ index 46731fa..8a59114 100644
void
kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
-diff --git a/key.c b/key.c
-index a30e6d1..9d04f11 100644
---- a/key.c
-+++ b/key.c
-@@ -1809,6 +1809,30 @@ key_demote(const Key *k)
+diff -up openssh-6.3p1/key.c.audit openssh-6.3p1/key.c
+--- openssh-6.3p1/key.c.audit 2013-10-07 15:53:34.224717379 +0200
++++ openssh-6.3p1/key.c 2013-10-07 15:53:34.249717264 +0200
+@@ -1773,6 +1773,30 @@ key_demote(const Key *k)
}
int
@@ -1088,10 +1071,9 @@ index a30e6d1..9d04f11 100644
key_is_cert(const Key *k)
{
if (k == NULL)
-diff --git a/key.h b/key.h
-index 09f7b7d..8d9be57 100644
---- a/key.h
-+++ b/key.h
+diff -up openssh-6.3p1/key.h.audit openssh-6.3p1/key.h
+--- openssh-6.3p1/key.h.audit 2013-10-07 15:53:34.224717379 +0200
++++ openssh-6.3p1/key.h 2013-10-07 15:53:34.249717264 +0200
@@ -110,6 +110,7 @@ Key *key_generate(int, u_int);
Key *key_from_private(const Key *);
int key_type_from_name(char *);
@@ -1100,11 +1082,10 @@ index 09f7b7d..8d9be57 100644
int key_type_plain(int);
int key_to_certified(Key *, int);
int key_drop_cert(Key *);
-diff --git a/mac.c b/mac.c
-index 3f2dc6f..a1e61be 100644
---- a/mac.c
-+++ b/mac.c
-@@ -199,6 +199,20 @@ mac_clear(Mac *mac)
+diff -up openssh-6.3p1/mac.c.audit openssh-6.3p1/mac.c
+--- openssh-6.3p1/mac.c.audit 2013-06-06 00:12:37.000000000 +0200
++++ openssh-6.3p1/mac.c 2013-10-07 15:53:34.250717259 +0200
+@@ -224,6 +224,20 @@ mac_clear(Mac *mac)
mac->umac_ctx = NULL;
}
@@ -1116,7 +1097,7 @@ index 3f2dc6f..a1e61be 100644
+
+ if (mac->key) {
+ memset(mac->key, 0, mac->key_len);
-+ xfree(mac->key);
++ free(mac->key);
+ }
+
+ memset(mac, 0, sizeof(*mac));
@@ -1125,28 +1106,26 @@ index 3f2dc6f..a1e61be 100644
/* XXX copied from ciphers_valid */
#define MAC_SEP ","
int
-diff --git a/mac.h b/mac.h
-index 39f564d..640db0f 100644
---- a/mac.h
-+++ b/mac.h
-@@ -28,3 +28,4 @@ int mac_setup(Mac *, char *);
+diff -up openssh-6.3p1/mac.h.audit openssh-6.3p1/mac.h
+--- openssh-6.3p1/mac.h.audit 2013-04-23 11:24:32.000000000 +0200
++++ openssh-6.3p1/mac.h 2013-10-07 15:53:34.250717259 +0200
+@@ -29,3 +29,4 @@ int mac_setup(Mac *, char *);
int mac_init(Mac *);
u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
void mac_clear(Mac *);
+void mac_destroy(Mac *);
-diff --git a/monitor.c b/monitor.c
-index 7816a8f..f1c0ba1 100644
---- a/monitor.c
-+++ b/monitor.c
-@@ -97,6 +97,7 @@
- #include "ssh2.h"
+diff -up openssh-6.3p1/monitor.c.audit openssh-6.3p1/monitor.c
+--- openssh-6.3p1/monitor.c.audit 2013-10-07 15:53:34.217717411 +0200
++++ openssh-6.3p1/monitor.c 2013-10-08 15:10:38.270726936 +0200
+@@ -98,6 +98,7 @@
#include "jpake.h"
#include "roaming.h"
+ #include "authfd.h"
+#include "audit.h"
#ifdef GSSAPI
static Gssctxt *gsscontext = NULL;
-@@ -113,6 +114,8 @@ extern Buffer auth_debug;
+@@ -114,6 +115,8 @@ extern Buffer auth_debug;
extern int auth_debug_init;
extern Buffer loginmsg;
@@ -1155,7 +1134,7 @@ index 7816a8f..f1c0ba1 100644
/* State exported from the child */
struct {
-@@ -185,6 +188,11 @@ int mm_answer_gss_checkmic(int, Buffer *);
+@@ -186,6 +189,11 @@ int mm_answer_gss_checkmic(int, Buffer *
#ifdef SSH_AUDIT_EVENTS
int mm_answer_audit_event(int, Buffer *);
int mm_answer_audit_command(int, Buffer *);
@@ -1167,7 +1146,7 @@ index 7816a8f..f1c0ba1 100644
#endif
static int monitor_read_log(struct monitor *);
-@@ -236,6 +244,10 @@ struct mon_table mon_dispatch_proto20[] = {
+@@ -237,6 +245,10 @@ struct mon_table mon_dispatch_proto20[]
#endif
#ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
@@ -1178,7 +1157,7 @@ index 7816a8f..f1c0ba1 100644
#endif
#ifdef BSD_AUTH
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
-@@ -272,6 +284,11 @@ struct mon_table mon_dispatch_postauth20[] = {
+@@ -273,6 +285,11 @@ struct mon_table mon_dispatch_postauth20
#ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
@@ -1190,7 +1169,7 @@ index 7816a8f..f1c0ba1 100644
#endif
{0, 0, NULL}
};
-@@ -303,6 +320,10 @@ struct mon_table mon_dispatch_proto15[] = {
+@@ -304,6 +321,10 @@ struct mon_table mon_dispatch_proto15[]
#endif
#ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
@@ -1201,7 +1180,7 @@ index 7816a8f..f1c0ba1 100644
#endif
{0, 0, NULL}
};
-@@ -314,6 +335,11 @@ struct mon_table mon_dispatch_postauth15[] = {
+@@ -315,6 +336,11 @@ struct mon_table mon_dispatch_postauth15
#ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
@@ -1213,7 +1192,7 @@ index 7816a8f..f1c0ba1 100644
#endif
{0, 0, NULL}
};
-@@ -1350,9 +1376,11 @@ mm_answer_keyverify(int sock, Buffer *m)
+@@ -1365,9 +1391,11 @@ mm_answer_keyverify(int sock, Buffer *m)
Key *key;
u_char *signature, *data, *blob;
u_int signaturelen, datalen, bloblen;
@@ -1225,7 +1204,7 @@ index 7816a8f..f1c0ba1 100644
blob = buffer_get_string(m, &bloblen);
signature = buffer_get_string(m, &signaturelen);
data = buffer_get_string(m, &datalen);
-@@ -1360,6 +1388,8 @@ mm_answer_keyverify(int sock, Buffer *m)
+@@ -1375,6 +1403,8 @@ mm_answer_keyverify(int sock, Buffer *m)
if (hostbased_cuser == NULL || hostbased_chost == NULL ||
!monitor_allowed_key(blob, bloblen))
fatal("%s: bad key, not previously allowed", __func__);
@@ -1234,7 +1213,7 @@ index 7816a8f..f1c0ba1 100644
key = key_from_blob(blob, bloblen);
if (key == NULL)
-@@ -1380,7 +1410,17 @@ mm_answer_keyverify(int sock, Buffer *m)
+@@ -1395,7 +1425,17 @@ mm_answer_keyverify(int sock, Buffer *m)
if (!valid_data)
fatal("%s: bad signature data blob", __func__);
@@ -1253,7 +1232,7 @@ index 7816a8f..f1c0ba1 100644
debug3("%s: key %p signature %s",
__func__, key, (verified == 1) ? "verified" : "unverified");
-@@ -1433,6 +1473,12 @@ mm_session_close(Session *s)
+@@ -1448,6 +1488,12 @@ mm_session_close(Session *s)
debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
session_pty_cleanup2(s);
}
@@ -1266,7 +1245,7 @@ index 7816a8f..f1c0ba1 100644
session_unused(s->self);
}
-@@ -1713,6 +1759,8 @@ mm_answer_term(int sock, Buffer *req)
+@@ -1728,6 +1774,8 @@ mm_answer_term(int sock, Buffer *req)
sshpam_cleanup();
#endif
@@ -1275,7 +1254,7 @@ index 7816a8f..f1c0ba1 100644
while (waitpid(pmonitor->m_pid, &status, 0) == -1)
if (errno != EINTR)
exit(1);
-@@ -1755,11 +1803,44 @@ mm_answer_audit_command(int socket, Buffer *m)
+@@ -1770,11 +1818,43 @@ mm_answer_audit_command(int socket, Buff
{
u_int len;
char *cmd;
@@ -1317,25 +1296,24 @@ index 7816a8f..f1c0ba1 100644
+ strcmp(s->command, cmd) != 0)
+ fatal("%s: invalid handle", __func__);
+ mm_session_close(s);
-+
- xfree(cmd);
+ free(cmd);
return (0);
}
-@@ -1890,11 +1971,13 @@ mm_get_keystate(struct monitor *pmonitor)
+@@ -1910,11 +1990,13 @@ mm_get_keystate(struct monitor *pmonitor
blob = buffer_get_string(&m, &bloblen);
current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
+ memset(blob, 0, bloblen);
- xfree(blob);
+ free(blob);
debug3("%s: Waiting for second key", __func__);
blob = buffer_get_string(&m, &bloblen);
current_keys[MODE_IN] = mm_newkeys_from_blob(blob, bloblen);
+ memset(blob, 0, bloblen);
- xfree(blob);
+ free(blob);
/* Now get sequence numbers for the packets */
-@@ -1940,6 +2023,21 @@ mm_get_keystate(struct monitor *pmonitor)
+@@ -1960,6 +2042,21 @@ mm_get_keystate(struct monitor *pmonitor
}
buffer_free(&m);
@@ -1357,7 +1335,7 @@ index 7816a8f..f1c0ba1 100644
}
-@@ -2341,3 +2439,86 @@ mm_answer_jpake_check_confirm(int sock, Buffer *m)
+@@ -2361,3 +2458,86 @@ mm_answer_jpake_check_confirm(int sock,
}
#endif /* JPAKE */
@@ -1395,9 +1373,9 @@ index 7816a8f..f1c0ba1 100644
+
+ audit_kex_body(ctos, cipher, mac, compress, pid, uid);
+
-+ xfree(cipher);
-+ xfree(mac);
-+ xfree(compress);
++ free(cipher);
++ free(mac);
++ free(compress);
+ buffer_clear(m);
+
+ mm_request_send(sock, MONITOR_ANS_AUDIT_KEX, m);
@@ -1437,17 +1415,16 @@ index 7816a8f..f1c0ba1 100644
+
+ audit_destroy_sensitive_data(fp, pid, uid);
+
-+ xfree(fp);
++ free(fp);
+ buffer_clear(m);
+
+ mm_request_send(sock, MONITOR_ANS_AUDIT_SERVER_KEY_FREE, m);
+ return 0;
+}
+#endif /* SSH_AUDIT_EVENTS */
-diff --git a/monitor.h b/monitor.h
-index 2caa469..1a15066 100644
---- a/monitor.h
-+++ b/monitor.h
+diff -up openssh-6.3p1/monitor.h.audit openssh-6.3p1/monitor.h
+--- openssh-6.3p1/monitor.h.audit 2012-12-02 23:53:21.000000000 +0100
++++ openssh-6.3p1/monitor.h 2013-10-07 15:53:34.251717254 +0200
@@ -68,7 +68,13 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
@@ -1463,11 +1440,10 @@ index 2caa469..1a15066 100644
};
-diff --git a/monitor_wrap.c b/monitor_wrap.c
-index 350c960..8c3599d 100644
---- a/monitor_wrap.c
-+++ b/monitor_wrap.c
-@@ -431,7 +431,7 @@ mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key)
+diff -up openssh-6.3p1/monitor_wrap.c.audit openssh-6.3p1/monitor_wrap.c
+--- openssh-6.3p1/monitor_wrap.c.audit 2013-10-07 15:53:34.217717411 +0200
++++ openssh-6.3p1/monitor_wrap.c 2013-10-07 16:03:16.190993304 +0200
+@@ -433,7 +433,7 @@ mm_key_allowed(enum mm_keytype type, cha
*/
int
@@ -1476,7 +1452,7 @@ index 350c960..8c3599d 100644
{
Buffer m;
u_char *blob;
-@@ -445,6 +445,7 @@ mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
+@@ -447,6 +447,7 @@ mm_key_verify(Key *key, u_char *sig, u_i
return (0);
buffer_init(&m);
@@ -1484,7 +1460,7 @@ index 350c960..8c3599d 100644
buffer_put_string(&m, blob, len);
buffer_put_string(&m, sig, siglen);
buffer_put_string(&m, data, datalen);
-@@ -462,6 +463,19 @@ mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
+@@ -464,6 +465,19 @@ mm_key_verify(Key *key, u_char *sig, u_i
return (verified);
}
@@ -1504,7 +1480,7 @@ index 350c960..8c3599d 100644
/* Export key state after authentication */
Newkeys *
mm_newkeys_from_blob(u_char *blob, int blen)
-@@ -480,7 +494,7 @@ mm_newkeys_from_blob(u_char *blob, int blen)
+@@ -482,7 +496,7 @@ mm_newkeys_from_blob(u_char *blob, int b
buffer_init(&b);
buffer_append(&b, blob, blen);
@@ -1513,22 +1489,22 @@ index 350c960..8c3599d 100644
enc = &newkey->enc;
mac = &newkey->mac;
comp = &newkey->comp;
-@@ -640,12 +654,14 @@ mm_send_keystate(struct monitor *monitor)
+@@ -642,12 +656,14 @@ mm_send_keystate(struct monitor *monitor
fatal("%s: conversion of newkeys failed", __func__);
buffer_put_string(&m, blob, bloblen);
+ memset(blob, 0, bloblen);
- xfree(blob);
+ free(blob);
if (!mm_newkeys_to_blob(MODE_IN, &blob, &bloblen))
fatal("%s: conversion of newkeys failed", __func__);
buffer_put_string(&m, blob, bloblen);
+ memset(blob, 0, bloblen);
- xfree(blob);
+ free(blob);
packet_get_state(MODE_OUT, &seqnr, &blocks, &packets, &bytes);
-@@ -1189,10 +1205,11 @@ mm_audit_event(ssh_audit_event_t event)
+@@ -1191,10 +1207,11 @@ mm_audit_event(ssh_audit_event_t event)
buffer_free(&m);
}
@@ -1541,7 +1517,7 @@ index 350c960..8c3599d 100644
debug3("%s entering command %s", __func__, command);
-@@ -1200,6 +1217,26 @@ mm_audit_run_command(const char *command)
+@@ -1202,6 +1219,26 @@ mm_audit_run_command(const char *command
buffer_put_cstring(&m, command);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m);
@@ -1568,7 +1544,7 @@ index 350c960..8c3599d 100644
buffer_free(&m);
}
#endif /* SSH_AUDIT_EVENTS */
-@@ -1451,3 +1488,72 @@ mm_jpake_check_confirm(const BIGNUM *k,
+@@ -1453,3 +1490,72 @@ mm_jpake_check_confirm(const BIGNUM *k,
return success;
}
#endif /* JPAKE */
@@ -1641,11 +1617,10 @@ index 350c960..8c3599d 100644
+ buffer_free(&m);
+}
+#endif /* SSH_AUDIT_EVENTS */
-diff --git a/monitor_wrap.h b/monitor_wrap.h
-index 0c7f2e3..f47c7df 100644
---- a/monitor_wrap.h
-+++ b/monitor_wrap.h
-@@ -49,7 +49,8 @@ int mm_key_allowed(enum mm_keytype, char *, char *, Key *);
+diff -up openssh-6.3p1/monitor_wrap.h.audit openssh-6.3p1/monitor_wrap.h
+--- openssh-6.3p1/monitor_wrap.h.audit 2011-06-20 06:42:23.000000000 +0200
++++ openssh-6.3p1/monitor_wrap.h 2013-10-07 15:53:34.252717250 +0200
+@@ -49,7 +49,8 @@ int mm_key_allowed(enum mm_keytype, char
int mm_user_key_allowed(struct passwd *, Key *);
int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *);
int mm_auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
@@ -1669,19 +1644,18 @@ index 0c7f2e3..f47c7df 100644
#endif
struct Session;
-diff --git a/packet.c b/packet.c
-index a51c1f2..faa3a85 100644
---- a/packet.c
-+++ b/packet.c
-@@ -60,6 +60,7 @@
- #include <signal.h>
+diff -up openssh-6.3p1/packet.c.audit openssh-6.3p1/packet.c
+--- openssh-6.3p1/packet.c.audit 2013-10-07 15:53:34.231717347 +0200
++++ openssh-6.3p1/packet.c 2013-10-07 16:08:00.764639577 +0200
+@@ -61,6 +61,7 @@
+ #include <time.h>
#include "xmalloc.h"
+#include "audit.h"
#include "buffer.h"
#include "packet.h"
#include "crc32.h"
-@@ -470,6 +471,13 @@ packet_get_connection_out(void)
+@@ -476,6 +477,13 @@ packet_get_connection_out(void)
return active_state->connection_out;
}
@@ -1695,7 +1669,7 @@ index a51c1f2..faa3a85 100644
/* Closes the connection and clears and frees internal data structures. */
void
-@@ -478,13 +486,6 @@ packet_close(void)
+@@ -484,13 +492,6 @@ packet_close(void)
if (!active_state->initialized)
return;
active_state->initialized = 0;
@@ -1709,7 +1683,7 @@ index a51c1f2..faa3a85 100644
buffer_free(&active_state->input);
buffer_free(&active_state->output);
buffer_free(&active_state->outgoing_packet);
-@@ -493,8 +494,18 @@ packet_close(void)
+@@ -499,8 +500,18 @@ packet_close(void)
buffer_free(&active_state->compression_buffer);
buffer_compress_uninit();
}
@@ -1730,7 +1704,7 @@ index a51c1f2..faa3a85 100644
}
/* Sets remote side protocol flags. */
-@@ -729,6 +740,25 @@ packet_send1(void)
+@@ -735,6 +746,25 @@ packet_send1(void)
*/
}
@@ -1740,23 +1714,23 @@ index a51c1f2..faa3a85 100644
+ if (newkeys == NULL)
+ return;
+
-+ xfree(newkeys->enc.name);
++ free(newkeys->enc.name);
+
+ if (newkeys->mac.enabled) {
+ mac_clear(&newkeys->mac);
-+ xfree(newkeys->mac.name);
++ free(newkeys->mac.name);
+ }
+
-+ xfree(newkeys->comp.name);
++ free(newkeys->comp.name);
+
+ newkeys_destroy(newkeys);
-+ xfree(newkeys);
++ free(newkeys);
+}
+
void
set_newkeys(int mode)
{
-@@ -754,21 +784,9 @@ set_newkeys(int mode)
+@@ -760,21 +790,9 @@ set_newkeys(int mode)
}
if (active_state->newkeys[mode] != NULL) {
debug("set_newkeys: rekeying");
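Review bot: newkeys_destroy_and_free() releases `newkeys->mac.name` only inside `if (newkeys->mac.enabled)`, whereas the inline cleanup it replaces in set_newkeys() (next hunk) freed `mac->name` unconditionally, so a Newkeys whose MAC name is set while `enabled` is 0 would now leak it. Since `free(NULL)` is a no-op, the name can be released outside the guard: `if (newkeys->mac.enabled) mac_clear(&newkeys->mac);` followed by `free(newkeys->mac.name);`. The three name pointers are also left dangling while `newkeys_destroy(newkeys)` runs; its body is not in this hunk, so confirm it does not read them.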
@@ -1769,18 +1743,18 @@ index a51c1f2..faa3a85 100644
- memset(enc->iv, 0, enc->iv_len);
- memset(enc->key, 0, enc->key_len);
- memset(mac->key, 0, mac->key_len);
-- xfree(enc->name);
-- xfree(enc->iv);
-- xfree(enc->key);
-- xfree(mac->name);
-- xfree(mac->key);
-- xfree(comp->name);
-- xfree(active_state->newkeys[mode]);
+- free(enc->name);
+- free(enc->iv);
+- free(enc->key);
+- free(mac->name);
+- free(mac->key);
+- free(comp->name);
+- free(active_state->newkeys[mode]);
+ newkeys_destroy_and_free(active_state->newkeys[mode]);
}
active_state->newkeys[mode] = kex_get_newkeys(mode);
if (active_state->newkeys[mode] == NULL)
-@@ -1971,6 +1989,47 @@ packet_get_newkeys(int mode)
+@@ -2003,6 +2021,47 @@ packet_get_newkeys(int mode)
return (void *)active_state->newkeys[mode];
}
@@ -1828,7 +1802,7 @@ index a51c1f2..faa3a85 100644
/*
* Save the state for the real connection, and use a separate state when
* resuming a suspended connection.
-@@ -1978,18 +2037,12 @@ packet_get_newkeys(int mode)
+@@ -2010,18 +2069,12 @@ packet_get_newkeys(int mode)
void
packet_backup_state(void)
{
@@ -1848,7 +1822,7 @@ index a51c1f2..faa3a85 100644
}
/*
-@@ -2006,9 +2059,7 @@ packet_restore_state(void)
+@@ -2038,9 +2091,7 @@ packet_restore_state(void)
backup_state = active_state;
active_state = tmp;
active_state->connection_in = backup_state->connection_in;
@@ -1858,32 +1832,30 @@ index a51c1f2..faa3a85 100644
len = buffer_len(&backup_state->input);
if (len > 0) {
buf = buffer_ptr(&backup_state->input);
-@@ -2016,4 +2067,10 @@ packet_restore_state(void)
+@@ -2048,4 +2099,10 @@ packet_restore_state(void)
buffer_clear(&backup_state->input);
add_recv_bytes(len);
}
+ backup_state->connection_in = -1;
+ backup_state->connection_out = -1;
+ packet_destroy_state(backup_state);
-+ xfree(backup_state);
++ free(backup_state);
+ backup_state = NULL;
}
+
-diff --git a/packet.h b/packet.h
-index 09ba079..0742f74 100644
---- a/packet.h
-+++ b/packet.h
-@@ -123,4 +123,5 @@ void packet_restore_state(void);
+diff -up openssh-6.3p1/packet.h.audit openssh-6.3p1/packet.h
+--- openssh-6.3p1/packet.h.audit 2013-07-18 08:12:45.000000000 +0200
++++ openssh-6.3p1/packet.h 2013-10-07 15:53:34.252717250 +0200
+@@ -124,4 +124,5 @@ void packet_restore_state(void);
void *packet_get_input(void);
void *packet_get_output(void);
+void packet_destroy_all(int, int);
#endif /* PACKET_H */
-diff --git a/session.c b/session.c
-index 19eaa20..dc0a2e2 100644
---- a/session.c
-+++ b/session.c
-@@ -136,7 +136,7 @@ extern int log_stderr;
+diff -up openssh-6.3p1/session.c.audit openssh-6.3p1/session.c
+--- openssh-6.3p1/session.c.audit 2013-07-20 05:21:53.000000000 +0200
++++ openssh-6.3p1/session.c 2013-10-07 16:03:43.975861636 +0200
+@@ -137,7 +137,7 @@ extern int log_stderr;
extern int debug_flag;
extern u_int utmp_len;
extern int startup_pipe;
@@ -1892,7 +1864,7 @@ index 19eaa20..dc0a2e2 100644
extern Buffer loginmsg;
/* original command from peer. */
-@@ -745,6 +745,14 @@ do_exec_pty(Session *s, const char *command)
+@@ -745,6 +745,14 @@ do_exec_pty(Session *s, const char *comm
/* Parent. Close the slave side of the pseudo tty. */
close(ttyfd);
@@ -1929,7 +1901,7 @@ index 19eaa20..dc0a2e2 100644
#endif
if (s->ttyfd != -1)
ret = do_exec_pty(s, command);
-@@ -1629,7 +1641,10 @@ do_child(Session *s, const char *command)
+@@ -1642,7 +1654,10 @@ do_child(Session *s, const char *command
int r = 0;
/* remove hostkey from the child's memory */
@@ -1941,7 +1913,7 @@ index 19eaa20..dc0a2e2 100644
/* Force a password change */
if (s->authctxt->force_pwchange) {
-@@ -1856,6 +1871,7 @@ session_unused(int id)
+@@ -1869,6 +1884,7 @@ session_unused(int id)
sessions[id].ttyfd = -1;
sessions[id].ptymaster = -1;
sessions[id].x11_chanids = NULL;
@@ -1949,7 +1921,7 @@ index 19eaa20..dc0a2e2 100644
sessions[id].next_unused = sessions_first_unused;
sessions_first_unused = id;
}
-@@ -1938,6 +1954,19 @@ session_open(Authctxt *authctxt, int chanid)
+@@ -1951,6 +1967,19 @@ session_open(Authctxt *authctxt, int cha
}
Session *
@@ -1969,7 +1941,7 @@ index 19eaa20..dc0a2e2 100644
session_by_tty(char *tty)
{
int i;
-@@ -2463,6 +2492,30 @@ session_exit_message(Session *s, int status)
+@@ -2467,6 +2496,30 @@ session_exit_message(Session *s, int sta
chan_write_failed(c);
}
@@ -1979,7 +1951,7 @@ index 19eaa20..dc0a2e2 100644
+{
+ if (s->command != NULL) {
+ audit_end_command(s->command_handle, s->command);
-+ xfree(s->command);
++ free(s->command);
+ s->command = NULL;
+ s->command_handle = -1;
+ }
@@ -1990,7 +1962,7 @@ index 19eaa20..dc0a2e2 100644
+{
+ if (s->command != NULL) {
+ PRIVSEP(audit_end_command(s->command_handle, s->command));
-+ xfree(s->command);
++ free(s->command);
+ s->command = NULL;
+ s->command_handle = -1;
+ }
@@ -2000,7 +1972,7 @@ index 19eaa20..dc0a2e2 100644
void
session_close(Session *s)
{
-@@ -2471,6 +2524,10 @@ session_close(Session *s)
+@@ -2475,6 +2528,10 @@ session_close(Session *s)
debug("session_close: session %d pid %ld", s->self, (long)s->pid);
if (s->ttyfd != -1)
session_pty_cleanup(s);
@@ -2008,10 +1980,10 @@ index 19eaa20..dc0a2e2 100644
+ if (s->command)
+ session_end_command(s);
+#endif
- if (s->term)
- xfree(s->term);
- if (s->display)
-@@ -2690,6 +2747,15 @@ do_authenticated2(Authctxt *authctxt)
+ free(s->term);
+ free(s->display);
+ free(s->x11_chanids);
+@@ -2688,6 +2745,15 @@ do_authenticated2(Authctxt *authctxt)
server_loop2(authctxt);
}
@@ -2027,17 +1999,16 @@ index 19eaa20..dc0a2e2 100644
void
do_cleanup(Authctxt *authctxt)
{
-@@ -2738,5 +2804,5 @@ do_cleanup(Authctxt *authctxt)
+@@ -2736,5 +2802,5 @@ do_cleanup(Authctxt *authctxt)
* or if running in monitor.
*/
if (!use_privsep || mm_is_monitor())
- session_destroy_all(session_pty_cleanup2);
+ session_destroy_all(do_cleanup_one_session);
}
-diff --git a/session.h b/session.h
-index cbb8e3a..fc6a7d3 100644
---- a/session.h
-+++ b/session.h
+diff -up openssh-6.3p1/session.h.audit openssh-6.3p1/session.h
+--- openssh-6.3p1/session.h.audit 2008-05-19 07:34:50.000000000 +0200
++++ openssh-6.3p1/session.h 2013-10-07 15:53:34.253717245 +0200
@@ -60,6 +60,12 @@ struct Session {
char *name;
char *val;
@@ -2062,11 +2033,10 @@ index cbb8e3a..fc6a7d3 100644
Session *session_by_tty(char *);
void session_close(Session *);
void do_setusercontext(struct passwd *);
-diff --git a/sshd.c b/sshd.c
-index 740ef4b..9aff64c 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -118,6 +118,7 @@
+diff -up openssh-6.3p1/sshd.c.audit openssh-6.3p1/sshd.c
+--- openssh-6.3p1/sshd.c.audit 2013-10-07 15:53:34.221717393 +0200
++++ openssh-6.3p1/sshd.c 2013-10-07 15:53:34.254717240 +0200
+@@ -119,6 +119,7 @@
#endif
#include "monitor_wrap.h"
#include "roaming.h"
@@ -2074,7 +2044,7 @@ index 740ef4b..9aff64c 100644
#include "ssh-sandbox.h"
#include "version.h"
-@@ -254,7 +255,7 @@ Buffer loginmsg;
+@@ -260,7 +261,7 @@ Buffer loginmsg;
struct passwd *privsep_pw = NULL;
/* Prototypes for various functions defined later in this file. */
@@ -2083,7 +2053,7 @@ index 740ef4b..9aff64c 100644
void demote_sensitive_data(void);
static void do_ssh1_kex(void);
-@@ -273,6 +274,15 @@ close_listen_socks(void)
+@@ -279,6 +280,15 @@ close_listen_socks(void)
num_listen_socks = -1;
}
@@ -2099,7 +2069,7 @@ index 740ef4b..9aff64c 100644
static void
close_startup_pipes(void)
{
-@@ -544,22 +554,47 @@ sshd_exchange_identification(int sock_in, int sock_out)
+@@ -550,22 +560,47 @@ sshd_exchange_identification(int sock_in
}
}
@@ -2141,7 +2111,7 @@ index 740ef4b..9aff64c 100644
+ else
+ audit_destroy_sensitive_data(fp,
+ pid, uid);
-+ xfree(fp);
++ free(fp);
+ }
}
- if (sensitive_data.host_certificates[i]) {
@@ -2150,7 +2120,7 @@ index 740ef4b..9aff64c 100644
key_free(sensitive_data.host_certificates[i]);
sensitive_data.host_certificates[i] = NULL;
}
-@@ -573,6 +608,8 @@ void
+@@ -579,6 +614,8 @@ void
demote_sensitive_data(void)
{
Key *tmp;
@@ -2159,7 +2129,7 @@ index 740ef4b..9aff64c 100644
int i;
if (sensitive_data.server_key) {
-@@ -581,13 +618,27 @@ demote_sensitive_data(void)
+@@ -587,13 +624,27 @@ demote_sensitive_data(void)
sensitive_data.server_key = tmp;
}
@@ -2182,12 +2152,12 @@ index 740ef4b..9aff64c 100644
sensitive_data.ssh1_host_key = tmp;
+ if (fp != NULL) {
+ audit_destroy_sensitive_data(fp, pid, uid);
-+ xfree(fp);
++ free(fp);
+ }
}
/* Certs do not need demotion */
}
-@@ -700,6 +751,8 @@ privsep_preauth(Authctxt *authctxt)
+@@ -708,6 +759,8 @@ privsep_preauth(Authctxt *authctxt)
}
}
@@ -2196,7 +2166,7 @@ index 740ef4b..9aff64c 100644
static void
privsep_postauth(Authctxt *authctxt)
{
-@@ -724,6 +777,10 @@ privsep_postauth(Authctxt *authctxt)
+@@ -732,6 +785,10 @@ privsep_postauth(Authctxt *authctxt)
else if (pmonitor->m_pid != 0) {
verbose("User child is on pid %ld", (long)pmonitor->m_pid);
buffer_clear(&loginmsg);
@@ -2207,7 +2177,7 @@ index 740ef4b..9aff64c 100644
monitor_child_postauth(pmonitor);
/* NEVERREACHED */
-@@ -1153,6 +1210,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
+@@ -1178,6 +1235,7 @@ server_accept_loop(int *sock_in, int *so
if (received_sigterm) {
logit("Received signal %d; terminating.",
(int) received_sigterm);
@@ -2215,7 +2185,7 @@ index 740ef4b..9aff64c 100644
close_listen_socks();
unlink(options.pid_file);
exit(received_sigterm == SIGTERM ? 0 : 255);
-@@ -2032,6 +2090,7 @@ main(int ac, char **av)
+@@ -2093,6 +2151,7 @@ main(int ac, char **av)
*/
if (use_privsep) {
mm_send_keystate(pmonitor);
@@ -2223,7 +2193,7 @@ index 740ef4b..9aff64c 100644
exit(0);
}
-@@ -2074,7 +2133,7 @@ main(int ac, char **av)
+@@ -2135,7 +2194,7 @@ main(int ac, char **av)
privsep_postauth(authctxt);
/* the monitor process [priv] will not return */
if (!compat20)
@@ -2232,7 +2202,7 @@ index 740ef4b..9aff64c 100644
}
packet_set_timeout(options.client_alive_interval,
-@@ -2084,6 +2143,9 @@ main(int ac, char **av)
+@@ -2145,6 +2204,9 @@ main(int ac, char **av)
do_authenticated(authctxt);
/* The connection has been terminated. */
@@ -2242,7 +2212,7 @@ index 740ef4b..9aff64c 100644
packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
verbose("Transferred: sent %llu, received %llu bytes",
-@@ -2241,6 +2303,10 @@ do_ssh1_kex(void)
+@@ -2302,6 +2364,10 @@ do_ssh1_kex(void)
if (cookie[i] != packet_get_char())
packet_disconnect("IP Spoofing check bytes do not match.");
@@ -2253,7 +2223,7 @@ index 740ef4b..9aff64c 100644
debug("Encryption type: %.200s", cipher_name(cipher_type));
/* Get the encrypted integer. */
-@@ -2307,7 +2373,7 @@ do_ssh1_kex(void)
+@@ -2368,7 +2434,7 @@ do_ssh1_kex(void)
session_id[i] = session_key[i] ^ session_key[i + 16];
}
/* Destroy the private and public keys. No longer. */
@@ -2262,7 +2232,7 @@ index 740ef4b..9aff64c 100644
if (use_privsep)
mm_ssh1_session_id(session_id);
-@@ -2397,6 +2463,16 @@ do_ssh2_kex(void)
+@@ -2480,6 +2546,16 @@ do_ssh2_kex(void)
void
cleanup_exit(int i)
{
@@ -2279,7 +2249,7 @@ index 740ef4b..9aff64c 100644
if (the_authctxt) {
do_cleanup(the_authctxt);
if (use_privsep && privsep_is_preauth && pmonitor->m_pid > 1) {
-@@ -2407,9 +2483,14 @@ cleanup_exit(int i)
+@@ -2490,9 +2566,14 @@ cleanup_exit(int i)
pmonitor->m_pid, strerror(errno));
}
}
diff --git a/openssh-6.2p1-coverity.patch b/openssh-6.3p1-coverity.patch
similarity index 75%
rename from openssh-6.2p1-coverity.patch
rename to openssh-6.3p1-coverity.patch
index 98e70d3..69bcb81 100644
--- a/openssh-6.2p1-coverity.patch
+++ b/openssh-6.3p1-coverity.patch
@@ -1,6 +1,6 @@
-diff -up openssh-6.2p1/auth-pam.c.coverity openssh-6.2p1/auth-pam.c
---- openssh-6.2p1/auth-pam.c.coverity 2009-07-12 14:07:21.000000000 +0200
-+++ openssh-6.2p1/auth-pam.c 2013-03-22 09:49:37.341595458 +0100
+diff -up openssh-6.3p1/auth-pam.c.coverity openssh-6.3p1/auth-pam.c
+--- openssh-6.3p1/auth-pam.c.coverity 2013-06-02 00:07:32.000000000 +0200
++++ openssh-6.3p1/auth-pam.c 2013-10-07 13:20:36.288298063 +0200
@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void *
if (sshpam_thread_status != -1)
return (sshpam_thread_status);
@@ -15,10 +15,10 @@ diff -up openssh-6.2p1/auth-pam.c.coverity openssh-6.2p1/auth-pam.c
return (status);
}
#endif
-diff -up openssh-6.2p1/channels.c.coverity openssh-6.2p1/channels.c
---- openssh-6.2p1/channels.c.coverity 2012-12-02 23:50:55.000000000 +0100
-+++ openssh-6.2p1/channels.c 2013-03-22 09:49:37.344595444 +0100
-@@ -232,11 +232,11 @@ channel_register_fds(Channel *c, int rfd
+diff -up openssh-6.3p1/channels.c.coverity openssh-6.3p1/channels.c
+--- openssh-6.3p1/channels.c.coverity 2013-09-13 08:19:31.000000000 +0200
++++ openssh-6.3p1/channels.c 2013-10-07 13:20:36.289298058 +0200
+@@ -233,11 +233,11 @@ channel_register_fds(Channel *c, int rfd
channel_max_fd = MAX(channel_max_fd, wfd);
channel_max_fd = MAX(channel_max_fd, efd);
@@ -33,7 +33,7 @@ diff -up openssh-6.2p1/channels.c.coverity openssh-6.2p1/channels.c
fcntl(efd, F_SETFD, FD_CLOEXEC);
c->rfd = rfd;
-@@ -251,11 +251,11 @@ channel_register_fds(Channel *c, int rfd
+@@ -255,11 +255,11 @@ channel_register_fds(Channel *c, int rfd
/* enable nonblocking mode */
if (nonblock) {
@@ -48,10 +48,10 @@ diff -up openssh-6.2p1/channels.c.coverity openssh-6.2p1/channels.c
set_nonblock(efd);
}
}
-diff -up openssh-6.2p1/clientloop.c.coverity openssh-6.2p1/clientloop.c
---- openssh-6.2p1/clientloop.c.coverity 2013-01-09 05:55:51.000000000 +0100
-+++ openssh-6.2p1/clientloop.c 2013-03-22 09:49:37.342595453 +0100
-@@ -2061,14 +2061,15 @@ client_input_global_request(int type, u_
+diff -up openssh-6.3p1/clientloop.c.coverity openssh-6.3p1/clientloop.c
+--- openssh-6.3p1/clientloop.c.coverity 2013-06-10 05:07:12.000000000 +0200
++++ openssh-6.3p1/clientloop.c 2013-10-07 13:20:36.289298058 +0200
+@@ -2068,14 +2068,15 @@ client_input_global_request(int type, u_
char *rtype;
int want_reply;
int success = 0;
@@ -69,10 +69,10 @@ diff -up openssh-6.2p1/clientloop.c.coverity openssh-6.2p1/clientloop.c
packet_send();
packet_write_wait();
}
-diff -up openssh-6.2p1/key.c.coverity openssh-6.2p1/key.c
---- openssh-6.2p1/key.c.coverity 2013-01-18 01:44:05.000000000 +0100
-+++ openssh-6.2p1/key.c 2013-03-22 09:49:37.345595440 +0100
-@@ -808,8 +808,10 @@ key_read(Key *ret, char **cpp)
+diff -up openssh-6.3p1/key.c.coverity openssh-6.3p1/key.c
+--- openssh-6.3p1/key.c.coverity 2013-06-01 23:41:51.000000000 +0200
++++ openssh-6.3p1/key.c 2013-10-07 13:20:36.290298054 +0200
+@@ -807,8 +807,10 @@ key_read(Key *ret, char **cpp)
success = 1;
/*XXXX*/
key_free(k);
@@ -83,9 +83,9 @@ diff -up openssh-6.2p1/key.c.coverity openssh-6.2p1/key.c
/* advance cp: skip whitespace and data */
while (*cp == ' ' || *cp == '\t')
cp++;
-diff -up openssh-6.2p1/monitor.c.coverity openssh-6.2p1/monitor.c
---- openssh-6.2p1/monitor.c.coverity 2012-12-12 00:44:39.000000000 +0100
-+++ openssh-6.2p1/monitor.c 2013-03-22 12:19:55.189921353 +0100
+diff -up openssh-6.3p1/monitor.c.coverity openssh-6.3p1/monitor.c
+--- openssh-6.3p1/monitor.c.coverity 2013-07-20 05:21:53.000000000 +0200
++++ openssh-6.3p1/monitor.c 2013-10-07 13:54:36.761314042 +0200
@@ -449,7 +449,7 @@ monitor_child_preauth(Authctxt *_authctx
mm_get_keystate(pmonitor);
@@ -95,7 +95,7 @@ diff -up openssh-6.2p1/monitor.c.coverity openssh-6.2p1/monitor.c
;
close(pmonitor->m_sendfd);
-@@ -1194,6 +1194,10 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1202,6 +1202,10 @@ mm_answer_keyallowed(int sock, Buffer *m
break;
}
}
@@ -106,8 +106,8 @@ diff -up openssh-6.2p1/monitor.c.coverity openssh-6.2p1/monitor.c
if (key != NULL)
key_free(key);
-@@ -1216,9 +1220,6 @@ mm_answer_keyallowed(int sock, Buffer *m
- xfree(chost);
+@@ -1223,9 +1227,6 @@ mm_answer_keyallowed(int sock, Buffer *m
+ free(chost);
}
- debug3("%s: key %p is %s",
@@ -116,10 +116,10 @@ diff -up openssh-6.2p1/monitor.c.coverity openssh-6.2p1/monitor.c
buffer_clear(m);
buffer_put_int(m, allowed);
buffer_put_int(m, forced_command != NULL);
-diff -up openssh-6.2p1/monitor_wrap.c.coverity openssh-6.2p1/monitor_wrap.c
---- openssh-6.2p1/monitor_wrap.c.coverity 2013-01-09 06:12:19.000000000 +0100
-+++ openssh-6.2p1/monitor_wrap.c 2013-03-22 09:49:37.347595431 +0100
-@@ -708,10 +708,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
+diff -up openssh-6.3p1/monitor_wrap.c.coverity openssh-6.3p1/monitor_wrap.c
+--- openssh-6.3p1/monitor_wrap.c.coverity 2013-06-02 00:07:32.000000000 +0200
++++ openssh-6.3p1/monitor_wrap.c 2013-10-07 13:20:36.291298049 +0200
+@@ -710,10 +710,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) {
error("%s: cannot allocate fds for pty", __func__);
@@ -133,9 +133,9 @@ diff -up openssh-6.2p1/monitor_wrap.c.coverity openssh-6.2p1/monitor_wrap.c
return 0;
}
close(tmp1);
-diff -up openssh-6.2p1/openbsd-compat/bindresvport.c.coverity openssh-6.2p1/openbsd-compat/bindresvport.c
---- openssh-6.2p1/openbsd-compat/bindresvport.c.coverity 2010-12-03 00:50:26.000000000 +0100
-+++ openssh-6.2p1/openbsd-compat/bindresvport.c 2013-03-22 09:49:37.347595431 +0100
+diff -up openssh-6.3p1/openbsd-compat/bindresvport.c.coverity openssh-6.3p1/openbsd-compat/bindresvport.c
+--- openssh-6.3p1/openbsd-compat/bindresvport.c.coverity 2010-12-03 00:50:26.000000000 +0100
++++ openssh-6.3p1/openbsd-compat/bindresvport.c 2013-10-07 13:20:36.291298049 +0200
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
struct sockaddr_in6 *in6;
u_int16_t *portp;
@@ -145,10 +145,10 @@ diff -up openssh-6.2p1/openbsd-compat/bindresvport.c.coverity openssh-6.2p1/open
int i;
if (sa == NULL) {
-diff -up openssh-6.2p1/packet.c.coverity openssh-6.2p1/packet.c
---- openssh-6.2p1/packet.c.coverity 2013-02-12 01:03:59.000000000 +0100
-+++ openssh-6.2p1/packet.c 2013-03-22 09:49:37.348595426 +0100
-@@ -1192,6 +1192,7 @@ packet_read_poll1(void)
+diff -up openssh-6.3p1/packet.c.coverity openssh-6.3p1/packet.c
+--- openssh-6.3p1/packet.c.coverity 2013-07-18 08:12:45.000000000 +0200
++++ openssh-6.3p1/packet.c 2013-10-07 13:20:36.291298049 +0200
+@@ -1199,6 +1199,7 @@ packet_read_poll1(void)
case DEATTACK_DETECTED:
packet_disconnect("crc32 compensation attack: "
"network attack detected");
@@ -156,18 +156,9 @@ diff -up openssh-6.2p1/packet.c.coverity openssh-6.2p1/packet.c
case DEATTACK_DOS_DETECTED:
packet_disconnect("deattack denial of "
"service detected");
-@@ -1728,7 +1729,7 @@ void
- packet_write_wait(void)
- {
- fd_set *setp;
-- int ret, ms_remain;
-+ int ret, ms_remain = 0;
- struct timeval start, timeout, *timeoutp = NULL;
-
- setp = (fd_set *)xcalloc(howmany(active_state->connection_out + 1,
-diff -up openssh-6.2p1/progressmeter.c.coverity openssh-6.2p1/progressmeter.c
---- openssh-6.2p1/progressmeter.c.coverity 2006-08-05 04:39:40.000000000 +0200
-+++ openssh-6.2p1/progressmeter.c 2013-03-22 09:49:37.349595422 +0100
+diff -up openssh-6.3p1/progressmeter.c.coverity openssh-6.3p1/progressmeter.c
+--- openssh-6.3p1/progressmeter.c.coverity 2013-06-02 15:46:24.000000000 +0200
++++ openssh-6.3p1/progressmeter.c 2013-10-07 13:42:32.377850691 +0200
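Review bot: This hunk drops the packet_write_wait() change that initialised `ms_remain` (`int ret, ms_remain = 0;`) and nothing in the commit says why. If packet.c in 6.3p1 already carries the initialiser the removal is correct, but that is not visible on this page; otherwise the condition the Coverity patch addressed, presumably a read of an uninitialised value, would come back. A line in the commit description listing which dropped hunks were merged upstream would make the rebase auditable.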
@@ -65,7 +65,7 @@ static void update_progress_meter(int);
static time_t start; /* start progress */
@@ -184,11 +175,11 @@ diff -up openssh-6.2p1/progressmeter.c.coverity openssh-6.2p1/progressmeter.c
-start_progress_meter(char *f, off_t filesize, off_t *ctr)
+start_progress_meter(const char *f, off_t filesize, off_t *ctr)
{
- start = last_update = time(NULL);
+ start = last_update = monotime();
file = f;
-diff -up openssh-6.2p1/progressmeter.h.coverity openssh-6.2p1/progressmeter.h
---- openssh-6.2p1/progressmeter.h.coverity 2006-03-26 05:30:02.000000000 +0200
-+++ openssh-6.2p1/progressmeter.h 2013-03-22 09:49:37.349595422 +0100
+diff -up openssh-6.3p1/progressmeter.h.coverity openssh-6.3p1/progressmeter.h
+--- openssh-6.3p1/progressmeter.h.coverity 2006-03-26 05:30:02.000000000 +0200
++++ openssh-6.3p1/progressmeter.h 2013-10-07 13:20:36.292298044 +0200
@@ -23,5 +23,5 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
@@ -196,9 +187,9 @@ diff -up openssh-6.2p1/progressmeter.h.coverity openssh-6.2p1/progressmeter.h
-void start_progress_meter(char *, off_t, off_t *);
+void start_progress_meter(const char *, off_t, off_t *);
void stop_progress_meter(void);
-diff -up openssh-6.2p1/scp.c.coverity openssh-6.2p1/scp.c
---- openssh-6.2p1/scp.c.coverity 2013-03-20 02:55:15.000000000 +0100
-+++ openssh-6.2p1/scp.c 2013-03-22 09:49:37.349595422 +0100
+diff -up openssh-6.3p1/scp.c.coverity openssh-6.3p1/scp.c
+--- openssh-6.3p1/scp.c.coverity 2013-07-18 08:11:25.000000000 +0200
++++ openssh-6.3p1/scp.c 2013-10-07 13:20:36.292298044 +0200
@@ -155,7 +155,7 @@ killchild(int signo)
{
if (do_cmd_pid > 1) {
@@ -208,10 +199,10 @@ diff -up openssh-6.2p1/scp.c.coverity openssh-6.2p1/scp.c
}
if (signo)
-diff -up openssh-6.2p1/servconf.c.coverity openssh-6.2p1/servconf.c
---- openssh-6.2p1/servconf.c.coverity 2013-02-12 01:02:08.000000000 +0100
-+++ openssh-6.2p1/servconf.c 2013-03-22 09:49:37.350595418 +0100
-@@ -1268,7 +1268,7 @@ process_server_config_line(ServerOptions
+diff -up openssh-6.3p1/servconf.c.coverity openssh-6.3p1/servconf.c
+--- openssh-6.3p1/servconf.c.coverity 2013-07-20 05:21:53.000000000 +0200
++++ openssh-6.3p1/servconf.c 2013-10-07 13:20:36.293298039 +0200
+@@ -1323,7 +1323,7 @@ process_server_config_line(ServerOptions
fatal("%s line %d: Missing subsystem name.",
filename, linenum);
if (!*activep) {
@@ -220,7 +211,7 @@ diff -up openssh-6.2p1/servconf.c.coverity openssh-6.2p1/servconf.c
break;
}
for (i = 0; i < options->num_subsystems; i++)
-@@ -1359,8 +1359,9 @@ process_server_config_line(ServerOptions
+@@ -1414,8 +1414,9 @@ process_server_config_line(ServerOptions
if (*activep && *charptr == NULL) {
*charptr = tilde_expand_filename(arg, getuid());
/* increase optional counter */
@@ -232,16 +223,16 @@ diff -up openssh-6.2p1/servconf.c.coverity openssh-6.2p1/servconf.c
}
break;
-diff -up openssh-6.2p1/serverloop.c.coverity openssh-6.2p1/serverloop.c
---- openssh-6.2p1/serverloop.c.coverity 2012-12-07 03:07:47.000000000 +0100
-+++ openssh-6.2p1/serverloop.c 2013-03-22 09:49:37.351595413 +0100
+diff -up openssh-6.3p1/serverloop.c.coverity openssh-6.3p1/serverloop.c
+--- openssh-6.3p1/serverloop.c.coverity 2013-07-18 08:12:45.000000000 +0200
++++ openssh-6.3p1/serverloop.c 2013-10-07 13:43:36.620537138 +0200
@@ -147,13 +147,13 @@ notify_setup(void)
static void
notify_parent(void)
{
- if (notify_pipe[1] != -1)
+ if (notify_pipe[1] >= 0)
- write(notify_pipe[1], "", 1);
+ (void)write(notify_pipe[1], "", 1);
}
static void
notify_prepare(fd_set *readset)
@@ -307,7 +298,7 @@ diff -up openssh-6.2p1/serverloop.c.coverity openssh-6.2p1/serverloop.c
if (fdin != fdout)
close(fdin);
else
-@@ -741,15 +741,15 @@ server_loop(pid_t pid, int fdin_arg, int
+@@ -739,15 +739,15 @@ server_loop(pid_t pid, int fdin_arg, int
buffer_free(&stderr_buffer);
/* Close the file descriptors. */
@@ -326,7 +317,7 @@ diff -up openssh-6.2p1/serverloop.c.coverity openssh-6.2p1/serverloop.c
close(fdin);
fdin = -1;
-@@ -943,7 +943,7 @@ server_input_window_size(int type, u_int
+@@ -946,7 +946,7 @@ server_input_window_size(int type, u_int
debug("Window change received.");
packet_check_eom();
@@ -335,7 +326,7 @@ diff -up openssh-6.2p1/serverloop.c.coverity openssh-6.2p1/serverloop.c
pty_change_window_size(fdin, row, col, xpixel, ypixel);
}
-@@ -1003,7 +1003,7 @@ server_request_tun(void)
+@@ -1006,7 +1006,7 @@ server_request_tun(void)
}
tun = packet_get_int();
@@ -344,111 +335,9 @@ diff -up openssh-6.2p1/serverloop.c.coverity openssh-6.2p1/serverloop.c
if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
goto done;
tun = forced_tun_device;
-diff -up openssh-6.2p1/sftp.c.coverity openssh-6.2p1/sftp.c
---- openssh-6.2p1/sftp.c.coverity 2013-02-22 23:12:24.000000000 +0100
-+++ openssh-6.2p1/sftp.c 2013-03-22 09:49:37.352595409 +0100
-@@ -202,7 +202,7 @@ killchild(int signo)
- {
- if (sshpid > 1) {
- kill(sshpid, SIGTERM);
-- waitpid(sshpid, NULL, 0);
-+ (void) waitpid(sshpid, NULL, 0);
- }
-
- _exit(1);
-@@ -312,7 +312,7 @@ local_do_ls(const char *args)
-
- /* Strip one path (usually the pwd) from the start of another */
- static char *
--path_strip(char *path, char *strip)
-+path_strip(const char *path, const char *strip)
- {
- size_t len;
-
-@@ -330,7 +330,7 @@ path_strip(char *path, char *strip)
- }
-
- static char *
--make_absolute(char *p, char *pwd)
-+make_absolute(char *p, const char *pwd)
- {
- char *abs_str;
-
-@@ -478,7 +478,7 @@ parse_df_flags(const char *cmd, char **a
- }
-
- static int
--is_dir(char *path)
-+is_dir(const char *path)
- {
- struct stat sb;
-
-@@ -490,7 +490,7 @@ is_dir(char *path)
- }
-
- static int
--remote_is_dir(struct sftp_conn *conn, char *path)
-+remote_is_dir(struct sftp_conn *conn, const char *path)
- {
- Attrib *a;
-
-@@ -504,7 +504,7 @@ remote_is_dir(struct sftp_conn *conn, ch
-
- /* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */
- static int
--pathname_is_dir(char *pathname)
-+pathname_is_dir(const char *pathname)
- {
- size_t l = strlen(pathname);
-
-@@ -512,7 +512,7 @@ pathname_is_dir(char *pathname)
- }
-
- static int
--process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
-+process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
- int pflag, int rflag)
- {
- char *abs_src = NULL;
-@@ -586,7 +586,7 @@ out:
- }
-
- static int
--process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
-+process_put(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
- int pflag, int rflag)
- {
- char *tmp_dst = NULL;
-@@ -691,7 +691,7 @@ sdirent_comp(const void *aa, const void
-
- /* sftp ls.1 replacement for directories */
- static int
--do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
-+do_ls_dir(struct sftp_conn *conn, const char *path, const char *strip_path, int lflag)
- {
- int n;
- u_int c = 1, colspace = 0, columns = 1;
-@@ -776,7 +776,7 @@ do_ls_dir(struct sftp_conn *conn, char *
-
- /* sftp ls.1 replacement which handles path globs */
- static int
--do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
-+do_globbed_ls(struct sftp_conn *conn, const char *path, const char *strip_path,
- int lflag)
- {
- char *fname, *lname;
-@@ -857,7 +857,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
- }
-
- static int
--do_df(struct sftp_conn *conn, char *path, int hflag, int iflag)
-+do_df(struct sftp_conn *conn, const char *path, int hflag, int iflag)
- {
- struct sftp_statvfs st;
- char s_used[FMT_SCALED_STRSIZE];
-diff -up openssh-6.2p1/sftp-client.c.coverity openssh-6.2p1/sftp-client.c
---- openssh-6.2p1/sftp-client.c.coverity 2012-07-02 14:15:39.000000000 +0200
-+++ openssh-6.2p1/sftp-client.c 2013-03-22 09:49:37.353595404 +0100
+diff -up openssh-6.3p1/sftp-client.c.coverity openssh-6.3p1/sftp-client.c
+--- openssh-6.3p1/sftp-client.c.coverity 2013-07-26 00:40:00.000000000 +0200
++++ openssh-6.3p1/sftp-client.c 2013-10-07 13:48:45.885027420 +0200
@@ -149,7 +149,7 @@ get_msg(struct sftp_conn *conn, Buffer *
}
@@ -599,28 +488,28 @@ diff -up openssh-6.2p1/sftp-client.c.coverity openssh-6.2p1/sftp-client.c
int
-do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
+do_download(struct sftp_conn *conn, const char *remote_path, const char *local_path,
- Attrib *a, int pflag)
+ Attrib *a, int pflag, int resume)
{
Attrib junk;
-@@ -1226,7 +1226,7 @@ do_download(struct sftp_conn *conn, char
+@@ -1255,7 +1255,7 @@ do_download(struct sftp_conn *conn, char
}
static int
-download_dir_internal(struct sftp_conn *conn, char *src, char *dst,
+download_dir_internal(struct sftp_conn *conn, const char *src, const char *dst,
- Attrib *dirattrib, int pflag, int printflag, int depth)
+ Attrib *dirattrib, int pflag, int printflag, int depth, int resume)
{
int i, ret = 0;
-@@ -1316,7 +1316,7 @@ download_dir_internal(struct sftp_conn *
+@@ -1345,7 +1345,7 @@ download_dir_internal(struct sftp_conn *
}
int
-download_dir(struct sftp_conn *conn, char *src, char *dst,
+download_dir(struct sftp_conn *conn, const char *src, const char *dst,
- Attrib *dirattrib, int pflag, int printflag)
+ Attrib *dirattrib, int pflag, int printflag, int resume)
{
char *src_canon;
-@@ -1334,7 +1334,7 @@ download_dir(struct sftp_conn *conn, cha
+@@ -1363,7 +1363,7 @@ download_dir(struct sftp_conn *conn, cha
}
int
@@ -629,7 +518,7 @@ diff -up openssh-6.2p1/sftp-client.c.coverity openssh-6.2p1/sftp-client.c
int pflag)
{
int local_fd;
-@@ -1517,7 +1517,7 @@ do_upload(struct sftp_conn *conn, char *
+@@ -1548,7 +1548,7 @@ do_upload(struct sftp_conn *conn, char *
}
static int
@@ -638,7 +527,7 @@ diff -up openssh-6.2p1/sftp-client.c.coverity openssh-6.2p1/sftp-client.c
int pflag, int printflag, int depth)
{
int ret = 0, status;
-@@ -1608,7 +1608,7 @@ upload_dir_internal(struct sftp_conn *co
+@@ -1639,7 +1639,7 @@ upload_dir_internal(struct sftp_conn *co
}
int
@@ -647,7 +536,7 @@ diff -up openssh-6.2p1/sftp-client.c.coverity openssh-6.2p1/sftp-client.c
int pflag)
{
char *dst_canon;
-@@ -1625,7 +1625,7 @@ upload_dir(struct sftp_conn *conn, char
+@@ -1656,7 +1656,7 @@ upload_dir(struct sftp_conn *conn, char
}
char *
@@ -656,9 +545,9 @@ diff -up openssh-6.2p1/sftp-client.c.coverity openssh-6.2p1/sftp-client.c
{
char *ret;
size_t len = strlen(p1) + strlen(p2) + 2;
-diff -up openssh-6.2p1/sftp-client.h.coverity openssh-6.2p1/sftp-client.h
---- openssh-6.2p1/sftp-client.h.coverity 2010-12-04 23:02:48.000000000 +0100
-+++ openssh-6.2p1/sftp-client.h 2013-03-22 09:49:37.353595404 +0100
+diff -up openssh-6.3p1/sftp-client.h.coverity openssh-6.3p1/sftp-client.h
+--- openssh-6.3p1/sftp-client.h.coverity 2013-07-25 03:56:52.000000000 +0200
++++ openssh-6.3p1/sftp-client.h 2013-10-07 13:45:10.108080813 +0200
@@ -56,49 +56,49 @@ struct sftp_conn *do_init(int, int, u_in
u_int sftp_proto_version(struct sftp_conn *);
@@ -727,15 +616,15 @@ diff -up openssh-6.2p1/sftp-client.h.coverity openssh-6.2p1/sftp-client.h
* Download 'remote_path' to 'local_path'. Preserve permissions and times
* if 'pflag' is set
*/
--int do_download(struct sftp_conn *, char *, char *, Attrib *, int);
-+int do_download(struct sftp_conn *, const char *, const char *, Attrib *, int);
+-int do_download(struct sftp_conn *, char *, char *, Attrib *, int, int);
++int do_download(struct sftp_conn *, const char *, const char *, Attrib *, int, int);
/*
* Recursively download 'remote_directory' to 'local_directory'. Preserve
* times if 'pflag' is set
*/
--int download_dir(struct sftp_conn *, char *, char *, Attrib *, int, int);
-+int download_dir(struct sftp_conn *, const char *, const char *, Attrib *, int, int);
+-int download_dir(struct sftp_conn *, char *, char *, Attrib *, int, int, int);
++int download_dir(struct sftp_conn *, const char *, const char *, Attrib *, int, int, int);
/*
* Upload 'local_path' to 'remote_path'. Preserve permissions and times
@@ -756,10 +645,112 @@ diff -up openssh-6.2p1/sftp-client.h.coverity openssh-6.2p1/sftp-client.h
+char *path_append(const char *, const char *);
#endif
-diff -up openssh-6.2p1/ssh-agent.c.coverity openssh-6.2p1/ssh-agent.c
---- openssh-6.2p1/ssh-agent.c.coverity 2011-06-03 06:14:16.000000000 +0200
-+++ openssh-6.2p1/ssh-agent.c 2013-03-22 09:49:37.354595400 +0100
-@@ -1147,8 +1147,8 @@ main(int ac, char **av)
+diff -up openssh-6.3p1/sftp.c.coverity openssh-6.3p1/sftp.c
+--- openssh-6.3p1/sftp.c.coverity 2013-07-25 03:56:52.000000000 +0200
++++ openssh-6.3p1/sftp.c 2013-10-07 13:49:47.322727449 +0200
+@@ -213,7 +213,7 @@ killchild(int signo)
+ {
+ if (sshpid > 1) {
+ kill(sshpid, SIGTERM);
+- waitpid(sshpid, NULL, 0);
++ (void) waitpid(sshpid, NULL, 0);
+ }
+
+ _exit(1);
+@@ -324,7 +324,7 @@ local_do_ls(const char *args)
+
+ /* Strip one path (usually the pwd) from the start of another */
+ static char *
+-path_strip(char *path, char *strip)
++path_strip(const char *path, const char *strip)
+ {
+ size_t len;
+
+@@ -342,7 +342,7 @@ path_strip(char *path, char *strip)
+ }
+
+ static char *
+-make_absolute(char *p, char *pwd)
++make_absolute(char *p, const char *pwd)
+ {
+ char *abs_str;
+
+@@ -493,7 +493,7 @@ parse_df_flags(const char *cmd, char **a
+ }
+
+ static int
+-is_dir(char *path)
++is_dir(const char *path)
+ {
+ struct stat sb;
+
+@@ -505,7 +505,7 @@ is_dir(char *path)
+ }
+
+ static int
+-remote_is_dir(struct sftp_conn *conn, char *path)
++remote_is_dir(struct sftp_conn *conn, const char *path)
+ {
+ Attrib *a;
+
+@@ -519,7 +519,7 @@ remote_is_dir(struct sftp_conn *conn, ch
+
+ /* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */
+ static int
+-pathname_is_dir(char *pathname)
++pathname_is_dir(const char *pathname)
+ {
+ size_t l = strlen(pathname);
+
+@@ -527,7 +527,7 @@ pathname_is_dir(char *pathname)
+ }
+
+ static int
+-process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
++process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
+ int pflag, int rflag, int resume)
+ {
+ char *abs_src = NULL;
+@@ -605,7 +605,7 @@ out:
+ }
+
+ static int
+-process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
++process_put(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
+ int pflag, int rflag)
+ {
+ char *tmp_dst = NULL;
+@@ -709,7 +709,7 @@ sdirent_comp(const void *aa, const void
+
+ /* sftp ls.1 replacement for directories */
+ static int
+-do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
++do_ls_dir(struct sftp_conn *conn, const char *path, const char *strip_path, int lflag)
+ {
+ int n;
+ u_int c = 1, colspace = 0, columns = 1;
+@@ -794,7 +794,7 @@ do_ls_dir(struct sftp_conn *conn, char *
+
+ /* sftp ls.1 replacement which handles path globs */
+ static int
+-do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
++do_globbed_ls(struct sftp_conn *conn, const char *path, const char *strip_path,
+ int lflag)
+ {
+ char *fname, *lname;
+@@ -875,7 +875,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
+ }
+
+ static int
+-do_df(struct sftp_conn *conn, char *path, int hflag, int iflag)
++do_df(struct sftp_conn *conn, const char *path, int hflag, int iflag)
+ {
+ struct sftp_statvfs st;
+ char s_used[FMT_SCALED_STRSIZE];
+diff -up openssh-6.3p1/ssh-agent.c.coverity openssh-6.3p1/ssh-agent.c
+--- openssh-6.3p1/ssh-agent.c.coverity 2013-07-20 05:22:49.000000000 +0200
++++ openssh-6.3p1/ssh-agent.c 2013-10-07 13:20:36.296298024 +0200
+@@ -1143,8 +1143,8 @@ main(int ac, char **av)
sanitise_stdfd();
/* drop */
@@ -770,37 +761,28 @@ diff -up openssh-6.2p1/ssh-agent.c.coverity openssh-6.2p1/ssh-agent.c
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
/* Disable ptrace on Linux without sgid bit */
-diff -up openssh-6.2p1/sshd.c.coverity openssh-6.2p1/sshd.c
---- openssh-6.2p1/sshd.c.coverity 2013-02-12 01:04:48.000000000 +0100
-+++ openssh-6.2p1/sshd.c 2013-03-22 09:49:37.355595396 +0100
-@@ -691,8 +691,10 @@ privsep_preauth(Authctxt *authctxt)
+diff -up openssh-6.3p1/sshd.c.coverity openssh-6.3p1/sshd.c
+--- openssh-6.3p1/sshd.c.coverity 2013-07-20 05:21:53.000000000 +0200
++++ openssh-6.3p1/sshd.c 2013-10-07 13:20:36.296298024 +0200
+@@ -699,8 +699,10 @@ privsep_preauth(Authctxt *authctxt)
if (getuid() == 0 || geteuid() == 0)
privsep_preauth_child();
setproctitle("%s", "[net]");
- if (box != NULL)
+ if (box != NULL) {
ssh_sandbox_child(box);
-+ xfree(box);
++ free(box);
+ }
return 0;
}
-@@ -1320,6 +1322,9 @@ server_accept_loop(int *sock_in, int *so
+@@ -1345,6 +1347,9 @@ server_accept_loop(int *sock_in, int *so
if (num_listen_socks < 0)
break;
}
+
+ if (fdset != NULL)
-+ xfree(fdset);
++ free(fdset);
}
-@@ -1806,7 +1811,7 @@ main(int ac, char **av)
-
- /* Chdir to the root directory so that the current disk can be
- unmounted if desired. */
-- chdir("/");
-+ (void) chdir("/");
-
- /* ignore SIGPIPE */
- signal(SIGPIPE, SIG_IGN);
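Review bot: In the server_accept_loop() part of this hunk, the `if (fdset != NULL)` guard around `free(fdset);` is redundant now that the patch calls plain free(), which accepts a null pointer; `free(fdset);` alone does the same. The rebase also drops the `(void) chdir("/");` change in main() without a replacement, presumably because upstream 6.3p1 now deals with the return value itself. It is worth confirming that a failed chdir is at least reported there, since the daemon would otherwise keep running in its start directory. All three functions continue outside the hunk.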
diff --git a/openssh-6.2p1-ctr-cavstest.patch b/openssh-6.3p1-ctr-cavstest.patch
similarity index 98%
rename from openssh-6.2p1-ctr-cavstest.patch
rename to openssh-6.3p1-ctr-cavstest.patch
index 1376a3f..5cd9997 100644
--- a/openssh-6.2p1-ctr-cavstest.patch
+++ b/openssh-6.3p1-ctr-cavstest.patch
@@ -185,8 +185,8 @@ diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c
+
+ cipher_init(&cc, c, key, keylen, iv, ivlen, encrypt);
+
-+ xfree(key);
-+ xfree(iv);
++ free(key);
++ free(iv);
+
+ outdata = malloc(datalen);
+ if(outdata == NULL) {
@@ -196,7 +196,7 @@ diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c
+
+ cipher_crypt(&cc, outdata, data, datalen, 0, 0);
+
-+ xfree(data);
++ free(data);
+
+ cipher_cleanup(&cc);
+
@@ -204,7 +204,7 @@ diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c
+ printf("%02X", (unsigned char)*p);
+ }
+
-+ xfree(outdata);
++ free(outdata);
+
+ printf("\n");
+ return 0;
diff --git a/openssh-5.9p1-ctr-evp-fast.patch b/openssh-6.3p1-ctr-evp-fast.patch
similarity index 99%
rename from openssh-5.9p1-ctr-evp-fast.patch
rename to openssh-6.3p1-ctr-evp-fast.patch
index 5d17aab..ddcb7f1 100644
--- a/openssh-5.9p1-ctr-evp-fast.patch
+++ b/openssh-6.3p1-ctr-evp-fast.patch
@@ -97,5 +97,5 @@ diff -up openssh-5.9p1/cipher-ctr.c.ctr-evp openssh-5.9p1/cipher-ctr.c
if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
+ EVP_CIPHER_CTX_cleanup(&c->ecbctx);
memset(c, 0, sizeof(*c));
- xfree(c);
+ free(c);
EVP_CIPHER_CTX_set_app_data(ctx, NULL);
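Review bot: The `memset(c, 0, sizeof(*c));` kept directly before the renamed `free(c);` is a dead store that an optimising compiler may drop, so the counter-mode context can reach the allocator unwiped. If `*c` holds key-derived state (the hunk shows only its `ecbctx` member, so this is inferred), a wipe that cannot be elided is safer, for example `OPENSSL_cleanse(c, sizeof(*c));` from the OpenSSL library this code already uses. The memset line is upstream context rather than something this patch adds, so the change may belong in a separate patch. The enclosing function starts and ends outside the hunk.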
diff --git a/openssh-6.2p1-fingerprint.patch b/openssh-6.3p1-fingerprint.patch
similarity index 75%
rename from openssh-6.2p1-fingerprint.patch
rename to openssh-6.3p1-fingerprint.patch
index 92f8a4c..b9cfbdb 100644
--- a/openssh-6.2p1-fingerprint.patch
+++ b/openssh-6.3p1-fingerprint.patch
@@ -1,14 +1,31 @@
-diff -up openssh-6.2p1/auth2-hostbased.c.fingerprint openssh-6.2p1/auth2-hostbased.c
---- openssh-6.2p1/auth2-hostbased.c.fingerprint 2010-08-05 05:04:50.000000000 +0200
-+++ openssh-6.2p1/auth2-hostbased.c 2013-03-22 12:20:49.009685008 +0100
-@@ -196,16 +196,18 @@ hostbased_key_allowed(struct passwd *pw,
+diff -up openssh-6.3p1/auth-rsa.c.fingerprint openssh-6.3p1/auth-rsa.c
+diff -up openssh-6.3p1/auth.c.fingerprint openssh-6.3p1/auth.c
+--- openssh-6.3p1/auth.c.fingerprint 2013-10-07 14:02:36.998968153 +0200
++++ openssh-6.3p1/auth.c 2013-10-07 15:42:05.243812405 +0200
+@@ -685,9 +685,10 @@ auth_key_is_revoked(Key *key)
+ case 1:
+ revoked:
+ /* Key revoked */
+- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
++ key_fp = key_selected_fingerprint(key, SSH_FP_HEX);
+ error("WARNING: authentication attempt with a revoked "
+- "%s key %s ", key_type(key), key_fp);
++ "%s key %s%s ", key_type(key),
++ key_fingerprint_prefix(), key_fp);
+ free(key_fp);
+ return 1;
+ }
+diff -up openssh-6.3p1/auth2-hostbased.c.fingerprint openssh-6.3p1/auth2-hostbased.c
+--- openssh-6.3p1/auth2-hostbased.c.fingerprint 2013-10-07 14:02:36.998968153 +0200
++++ openssh-6.3p1/auth2-hostbased.c 2013-10-07 15:43:49.747355927 +0200
+@@ -200,16 +200,18 @@ hostbased_key_allowed(struct passwd *pw,
if (host_status == HOST_OK) {
if (key_is_cert(key)) {
- fp = key_fingerprint(key->cert->signature_key,
- SSH_FP_MD5, SSH_FP_HEX);
+ fp = key_selected_fingerprint(key->cert->signature_key,
-+ SSH_FP_HEX);
++ SSH_FP_HEX);
verbose("Accepted certificate ID \"%s\" signed by "
- "%s CA %s from %s@%s", key->cert->key_id,
- key_type(key->cert->signature_key), fp,
@@ -25,12 +42,12 @@ diff -up openssh-6.2p1/auth2-hostbased.c.fingerprint openssh-6.2p1/auth2-hostbas
+ key_type(key), key_fingerprint_prefix(),
+ fp, cuser, lookup);
}
- xfree(fp);
+ free(fp);
}
-diff -up openssh-6.2p1/auth2-pubkey.c.fingerprint openssh-6.2p1/auth2-pubkey.c
---- openssh-6.2p1/auth2-pubkey.c.fingerprint 2013-02-15 00:28:56.000000000 +0100
-+++ openssh-6.2p1/auth2-pubkey.c 2013-03-22 12:20:49.009685008 +0100
-@@ -317,10 +317,10 @@ check_authkeys_file(FILE *f, char *file,
+diff -up openssh-6.3p1/auth2-pubkey.c.fingerprint openssh-6.3p1/auth2-pubkey.c
+--- openssh-6.3p1/auth2-pubkey.c.fingerprint 2013-07-18 08:10:10.000000000 +0200
++++ openssh-6.3p1/auth2-pubkey.c 2013-10-07 15:50:44.617495624 +0200
+@@ -359,10 +359,10 @@ check_authkeys_file(FILE *f, char *file,
continue;
if (!key_is_cert_authority)
continue;
@@ -45,20 +62,20 @@ diff -up openssh-6.2p1/auth2-pubkey.c.fingerprint openssh-6.2p1/auth2-pubkey.c
/*
* If the user has specified a list of principals as
* a key option, then prefer that list to matching
-@@ -360,9 +360,9 @@ check_authkeys_file(FILE *f, char *file,
+@@ -400,9 +400,9 @@ check_authkeys_file(FILE *f, char *file,
+ if (key_is_cert_authority)
+ continue;
found_key = 1;
- debug("matching key found: file %s, line %lu",
- file, linenum);
- fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
-- verbose("Found matching %s key: %s",
-- key_type(found), fp);
+- debug("matching key found: file %s, line %lu %s %s",
+- file, linenum, key_type(found), fp);
+ fp = key_selected_fingerprint(found, SSH_FP_HEX);
+ verbose("Found matching %s key: %s%s",
+ key_type(found), key_fingerprint_prefix(), fp);
- xfree(fp);
+ free(fp);
break;
}
-@@ -384,13 +384,13 @@ user_cert_trusted_ca(struct passwd *pw,
+@@ -425,13 +425,13 @@ user_cert_trusted_ca(struct passwd *pw,
if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
return 0;
@@ -76,42 +93,10 @@ diff -up openssh-6.2p1/auth2-pubkey.c.fingerprint openssh-6.2p1/auth2-pubkey.c
options.trusted_user_ca_keys);
goto out;
}
-diff -up openssh-6.2p1/auth.c.fingerprint openssh-6.2p1/auth.c
---- openssh-6.2p1/auth.c.fingerprint 2013-03-12 01:31:05.000000000 +0100
-+++ openssh-6.2p1/auth.c 2013-03-22 12:22:32.515230386 +0100
-@@ -663,9 +663,10 @@ auth_key_is_revoked(Key *key)
- case 1:
- revoked:
- /* Key revoked */
-- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-+ key_fp = key_selected_fingerprint(key, SSH_FP_HEX);
- error("WARNING: authentication attempt with a revoked "
-- "%s key %s ", key_type(key), key_fp);
-+ "%s key %s%s ", key_type(key),
-+ key_fingerprint_prefix(), key_fp);
- xfree(key_fp);
- return 1;
- }
-diff -up openssh-6.2p1/auth-rsa.c.fingerprint openssh-6.2p1/auth-rsa.c
---- openssh-6.2p1/auth-rsa.c.fingerprint 2012-10-30 22:58:59.000000000 +0100
-+++ openssh-6.2p1/auth-rsa.c 2013-03-22 12:20:49.011684999 +0100
-@@ -328,9 +328,9 @@ auth_rsa(Authctxt *authctxt, BIGNUM *cli
- * options; this will be reset if the options cause the
- * authentication to be rejected.
- */
-- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-- verbose("Found matching %s key: %s",
-- key_type(key), fp);
-+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
-+ verbose("Found matching %s key: %s%s",
-+ key_type(key), key_fingerprint_prefix(), fp);
- xfree(fp);
- key_free(key);
-
-diff -up openssh-6.2p1/key.c.fingerprint openssh-6.2p1/key.c
---- openssh-6.2p1/key.c.fingerprint 2013-03-22 12:20:48.971685175 +0100
-+++ openssh-6.2p1/key.c 2013-03-22 12:20:49.012684995 +0100
-@@ -599,6 +599,34 @@ key_fingerprint(Key *k, enum fp_type dgs
+diff -up openssh-6.3p1/key.c.fingerprint openssh-6.3p1/key.c
+--- openssh-6.3p1/key.c.fingerprint 2013-10-07 14:02:36.971968285 +0200
++++ openssh-6.3p1/key.c 2013-10-07 14:02:36.999968148 +0200
+@@ -598,6 +598,34 @@ key_fingerprint(const Key *k, enum fp_ty
return retval;
}
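Review bot: The 6.2p1 hunk that switched auth_rsa() in auth-rsa.c from `key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX)` to `key_selected_fingerprint()` is removed here and nothing replaces it. The rebased patch keeps only a bare `diff -up openssh-6.3p1/auth-rsa.c.fingerprint openssh-6.3p1/auth-rsa.c` header with no hunks under it. Presumably upstream 6.3p1 moved that logging, but if its new location still hard-codes `SSH_FP_MD5`, that call site no longer follows the selected fingerprint type used by the rest of this patch. Checking the patched tree for remaining `SSH_FP_MD5` uses on the authentication paths would settle it, and the empty header line can then be dropped.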
@@ -146,12 +131,12 @@ diff -up openssh-6.2p1/key.c.fingerprint openssh-6.2p1/key.c
/*
* Reads a multiple-precision integer in decimal from the buffer, and advances
* the pointer. The integer must already be initialized. This function is
-diff -up openssh-6.2p1/key.h.fingerprint openssh-6.2p1/key.h
---- openssh-6.2p1/key.h.fingerprint 2013-01-18 01:44:05.000000000 +0100
-+++ openssh-6.2p1/key.h 2013-03-22 12:23:35.308954528 +0100
+diff -up openssh-6.3p1/key.h.fingerprint openssh-6.3p1/key.h
+--- openssh-6.3p1/key.h.fingerprint 2013-10-07 14:02:36.999968148 +0200
++++ openssh-6.3p1/key.h 2013-10-07 15:44:17.574233450 +0200
@@ -97,6 +97,9 @@ int key_equal_public(const Key *, cons
int key_equal(const Key *, const Key *);
- char *key_fingerprint(Key *, enum fp_type, enum fp_rep);
+ char *key_fingerprint(const Key *, enum fp_type, enum fp_rep);
u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *);
+enum fp_type key_fingerprint_selection(void);
+char *key_selected_fingerprint(Key *, enum fp_rep);
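Review bot: `char *key_selected_fingerprint(Key *, enum fp_rep);` still takes a non-const `Key *`, while the updated context line two above it shows that 6.3p1 declares `key_fingerprint` with `const Key *`. Assuming the wrapper only forwards its key to `key_fingerprint` (its body in key.c is not visible in this hunk), it can be declared as `char *key_selected_fingerprint(const Key *, enum fp_rep);` with the definition updated to match. Callers that hold a `const Key *` could then use it without a cast, which also fits the const-correctness changes made elsewhere in this package's patches.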
@@ -159,9 +144,9 @@ diff -up openssh-6.2p1/key.h.fingerprint openssh-6.2p1/key.h
const char *key_type(const Key *);
const char *key_cert_type(const Key *);
int key_write(const Key *, FILE *);
-diff -up openssh-6.2p1/ssh-add.c.fingerprint openssh-6.2p1/ssh-add.c
---- openssh-6.2p1/ssh-add.c.fingerprint 2012-12-07 03:07:03.000000000 +0100
-+++ openssh-6.2p1/ssh-add.c 2013-03-22 12:20:49.029684920 +0100
+diff -up openssh-6.3p1/ssh-add.c.fingerprint openssh-6.3p1/ssh-add.c
+--- openssh-6.3p1/ssh-add.c.fingerprint 2013-10-07 14:02:37.000968143 +0200
++++ openssh-6.3p1/ssh-add.c 2013-10-07 14:44:57.466515766 +0200
@@ -326,10 +326,10 @@ list_identities(AuthenticationConnection
key = ssh_get_next_identity(ac, &comment, version)) {
had_identities = 1;
@@ -174,13 +159,13 @@ diff -up openssh-6.2p1/ssh-add.c.fingerprint openssh-6.2p1/ssh-add.c
+ printf("%d %s%s %s (%s)\n",
+ key_size(key), key_fingerprint_prefix(),
+ fp, comment, key_type(key));
- xfree(fp);
+ free(fp);
} else {
if (!key_write(key, stdout))
-diff -up openssh-6.2p1/ssh-agent.c.fingerprint openssh-6.2p1/ssh-agent.c
---- openssh-6.2p1/ssh-agent.c.fingerprint 2013-03-22 12:20:48.979685140 +0100
-+++ openssh-6.2p1/ssh-agent.c 2013-03-22 12:20:49.030684916 +0100
-@@ -199,9 +199,9 @@ confirm_key(Identity *id)
+diff -up openssh-6.3p1/ssh-agent.c.fingerprint openssh-6.3p1/ssh-agent.c
+--- openssh-6.3p1/ssh-agent.c.fingerprint 2013-10-07 14:02:37.000968143 +0200
++++ openssh-6.3p1/ssh-agent.c 2013-10-07 15:41:11.627044336 +0200
+@@ -198,9 +198,9 @@ confirm_key(Identity *id)
char *p;
int ret = -1;
@@ -191,134 +176,11 @@ diff -up openssh-6.2p1/ssh-agent.c.fingerprint openssh-6.2p1/ssh-agent.c
+ if (ask_permission("Allow use of key %s?\nKey fingerprint %s%s.",
+ id->comment, key_fingerprint_prefix(), p))
ret = 0;
- xfree(p);
-
-diff -up openssh-6.2p1/sshconnect2.c.fingerprint openssh-6.2p1/sshconnect2.c
---- openssh-6.2p1/sshconnect2.c.fingerprint 2013-03-20 02:55:15.000000000 +0100
-+++ openssh-6.2p1/sshconnect2.c 2013-03-22 12:20:49.031684912 +0100
-@@ -592,8 +592,9 @@ input_userauth_pk_ok(int type, u_int32_t
- key->type, pktype);
- goto done;
- }
-- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-- debug2("input_userauth_pk_ok: fp %s", fp);
-+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
-+ debug2("input_userauth_pk_ok: fp %s%s",
-+ key_fingerprint_prefix(), fp);
- xfree(fp);
+ free(p);
- /*
-@@ -1205,8 +1206,9 @@ sign_and_send_pubkey(Authctxt *authctxt,
- int have_sig = 1;
- char *fp;
-
-- fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
-- debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
-+ fp = key_selected_fingerprint(id->key, SSH_FP_HEX);
-+ debug3("sign_and_send_pubkey: %s %s%s", key_type(id->key),
-+ key_fingerprint_prefix(), fp);
- xfree(fp);
-
- if (key_to_blob(id->key, &blob, &bloblen) == 0) {
-diff -up openssh-6.2p1/sshconnect.c.fingerprint openssh-6.2p1/sshconnect.c
---- openssh-6.2p1/sshconnect.c.fingerprint 2012-09-17 05:25:44.000000000 +0200
-+++ openssh-6.2p1/sshconnect.c 2013-03-22 12:20:49.032684907 +0100
-@@ -824,10 +824,10 @@ check_host_key(char *hostname, struct so
- "key for IP address '%.128s' to the list "
- "of known hosts.", type, ip);
- } else if (options.visual_host_key) {
-- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
-- ra = key_fingerprint(host_key, SSH_FP_MD5,
-- SSH_FP_RANDOMART);
-- logit("Host key fingerprint is %s\n%s\n", fp, ra);
-+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
-+ ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
-+ logit("Host key fingerprint is %s%s\n%s\n",
-+ key_fingerprint_prefix(), fp, ra);
- xfree(ra);
- xfree(fp);
- }
-@@ -865,9 +865,8 @@ check_host_key(char *hostname, struct so
- else
- snprintf(msg1, sizeof(msg1), ".");
- /* The default */
-- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
-- ra = key_fingerprint(host_key, SSH_FP_MD5,
-- SSH_FP_RANDOMART);
-+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
-+ ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
- msg2[0] = '\0';
- if (options.verify_host_key_dns) {
- if (matching_host_key_dns)
-@@ -882,10 +881,11 @@ check_host_key(char *hostname, struct so
- snprintf(msg, sizeof(msg),
- "The authenticity of host '%.200s (%s)' can't be "
- "established%s\n"
-- "%s key fingerprint is %s.%s%s\n%s"
-+ "%s key fingerprint is %s%s.%s%s\n%s"
- "Are you sure you want to continue connecting "
- "(yes/no)? ",
-- host, ip, msg1, type, fp,
-+ host, ip, msg1, type,
-+ key_fingerprint_prefix(), fp,
- options.visual_host_key ? "\n" : "",
- options.visual_host_key ? ra : "",
- msg2);
-@@ -1130,8 +1130,9 @@ verify_host_key(char *host, struct socka
- int flags = 0;
- char *fp;
-
-- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
-- debug("Server host key: %s %s", key_type(host_key), fp);
-+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
-+ debug("Server host key: %s %s%s", key_type(host_key),
-+ key_fingerprint_prefix(), fp);
- xfree(fp);
-
- /* XXX certs are not yet supported for DNS */
-@@ -1232,14 +1233,15 @@ show_other_keys(struct hostkeys *hostkey
- continue;
- if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
- continue;
-- fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX);
-- ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART);
-+ fp = key_selected_fingerprint(found->key, SSH_FP_HEX);
-+ ra = key_selected_fingerprint(found->key, SSH_FP_RANDOMART);
- logit("WARNING: %s key found for host %s\n"
- "in %s:%lu\n"
-- "%s key fingerprint %s.",
-+ "%s key fingerprint %s%s.",
- key_type(found->key),
- found->host, found->file, found->line,
-- key_type(found->key), fp);
-+ key_type(found->key),
-+ key_fingerprint_prefix(), fp);
- if (options.visual_host_key)
- logit("%s", ra);
- xfree(ra);
-@@ -1254,7 +1256,7 @@ warn_changed_key(Key *host_key)
- {
- char *fp;
-
-- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
-+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
-
- error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
- error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
-@@ -1262,8 +1264,8 @@ warn_changed_key(Key *host_key)
- error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
- error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
- error("It is also possible that a host key has just been changed.");
-- error("The fingerprint for the %s key sent by the remote host is\n%s.",
-- key_type(host_key), fp);
-+ error("The fingerprint for the %s key sent by the remote host is\n%s%s.",
-+ key_type(host_key),key_fingerprint_prefix(), fp);
- error("Please contact your system administrator.");
-
- xfree(fp);
-diff -up openssh-6.2p1/ssh-keygen.c.fingerprint openssh-6.2p1/ssh-keygen.c
---- openssh-6.2p1/ssh-keygen.c.fingerprint 2013-02-12 01:03:36.000000000 +0100
-+++ openssh-6.2p1/ssh-keygen.c 2013-03-22 12:20:49.033684903 +0100
+diff -up openssh-6.3p1/ssh-keygen.c.fingerprint openssh-6.3p1/ssh-keygen.c
+--- openssh-6.3p1/ssh-keygen.c.fingerprint 2013-07-20 05:22:32.000000000 +0200
++++ openssh-6.3p1/ssh-keygen.c 2013-10-07 14:25:52.864145038 +0200
@@ -767,13 +767,14 @@ do_fingerprint(struct passwd *pw)
{
FILE *f;
@@ -378,7 +240,7 @@ diff -up openssh-6.2p1/ssh-keygen.c.fingerprint openssh-6.2p1/ssh-keygen.c
key_type(public));
if (log_level >= SYSLOG_LEVEL_VERBOSE)
printf("%s\n", ra);
-@@ -1854,16 +1857,17 @@ do_show_cert(struct passwd *pw)
+@@ -1855,16 +1858,17 @@ do_show_cert(struct passwd *pw)
fatal("%s is not a certificate", identity_file);
v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;
@@ -402,7 +264,7 @@ diff -up openssh-6.2p1/ssh-keygen.c.fingerprint openssh-6.2p1/ssh-keygen.c
printf(" Key ID: \"%s\"\n", key->cert->key_id);
if (!v00) {
printf(" Serial: %llu\n",
-@@ -2651,13 +2655,12 @@ passphrase_again:
+@@ -2655,13 +2659,12 @@ passphrase_again:
fclose(f);
if (!quiet) {
@@ -418,4 +280,127 @@ diff -up openssh-6.2p1/ssh-keygen.c.fingerprint openssh-6.2p1/ssh-keygen.c
+ printf("%s%s %s\n", key_fingerprint_prefix(), fp, comment);
printf("The key's randomart image is:\n");
printf("%s\n", ra);
- xfree(ra);
+ free(ra);
+diff -up openssh-6.3p1/sshconnect.c.fingerprint openssh-6.3p1/sshconnect.c
+--- openssh-6.3p1/sshconnect.c.fingerprint 2013-06-01 23:31:19.000000000 +0200
++++ openssh-6.3p1/sshconnect.c 2013-10-07 14:43:54.859822036 +0200
+@@ -830,10 +830,10 @@ check_host_key(char *hostname, struct so
+ "key for IP address '%.128s' to the list "
+ "of known hosts.", type, ip);
+ } else if (options.visual_host_key) {
+- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+- ra = key_fingerprint(host_key, SSH_FP_MD5,
+- SSH_FP_RANDOMART);
+- logit("Host key fingerprint is %s\n%s\n", fp, ra);
++ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
++ ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
++ logit("Host key fingerprint is %s%s\n%s\n",
++ key_fingerprint_prefix(), fp, ra);
+ free(ra);
+ free(fp);
+ }
+@@ -871,9 +871,8 @@ check_host_key(char *hostname, struct so
+ else
+ snprintf(msg1, sizeof(msg1), ".");
+ /* The default */
+- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+- ra = key_fingerprint(host_key, SSH_FP_MD5,
+- SSH_FP_RANDOMART);
++ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
++ ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
+ msg2[0] = '\0';
+ if (options.verify_host_key_dns) {
+ if (matching_host_key_dns)
+@@ -888,10 +887,11 @@ check_host_key(char *hostname, struct so
+ snprintf(msg, sizeof(msg),
+ "The authenticity of host '%.200s (%s)' can't be "
+ "established%s\n"
+- "%s key fingerprint is %s.%s%s\n%s"
++ "%s key fingerprint is %s%s.%s%s\n%s"
+ "Are you sure you want to continue connecting "
+ "(yes/no)? ",
+- host, ip, msg1, type, fp,
++ host, ip, msg1, type,
++ key_fingerprint_prefix(), fp,
+ options.visual_host_key ? "\n" : "",
+ options.visual_host_key ? ra : "",
+ msg2);
+@@ -1136,8 +1136,9 @@ verify_host_key(char *host, struct socka
+ int flags = 0;
+ char *fp;
+
+- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+- debug("Server host key: %s %s", key_type(host_key), fp);
++ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
++ debug("Server host key: %s %s%s", key_type(host_key),
++ key_fingerprint_prefix(), fp);
+ free(fp);
+
+ /* XXX certs are not yet supported for DNS */
+@@ -1238,14 +1239,15 @@ show_other_keys(struct hostkeys *hostkey
+ continue;
+ if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
+ continue;
+- fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX);
+- ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART);
++ fp = key_selected_fingerprint(found->key, SSH_FP_HEX);
++ ra = key_selected_fingerprint(found->key, SSH_FP_RANDOMART);
+ logit("WARNING: %s key found for host %s\n"
+ "in %s:%lu\n"
+- "%s key fingerprint %s.",
++ "%s key fingerprint %s%s.",
+ key_type(found->key),
+ found->host, found->file, found->line,
+- key_type(found->key), fp);
++ key_type(found->key),
++ key_fingerprint_prefix(), fp);
+ if (options.visual_host_key)
+ logit("%s", ra);
+ free(ra);
+@@ -1260,7 +1262,7 @@ warn_changed_key(Key *host_key)
+ {
+ char *fp;
+
+- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
++ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
+
+ error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+ error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
+@@ -1268,8 +1270,8 @@ warn_changed_key(Key *host_key)
+ error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
+ error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
+ error("It is also possible that a host key has just been changed.");
+- error("The fingerprint for the %s key sent by the remote host is\n%s.",
+- key_type(host_key), fp);
++ error("The fingerprint for the %s key sent by the remote host is\n%s%s.",
++ key_type(host_key),key_fingerprint_prefix(), fp);
+ error("Please contact your system administrator.");
+
+ free(fp);
+diff -up openssh-6.3p1/sshconnect2.c.fingerprint openssh-6.3p1/sshconnect2.c
+--- openssh-6.3p1/sshconnect2.c.fingerprint 2013-10-07 14:02:37.001968139 +0200
++++ openssh-6.3p1/sshconnect2.c 2013-10-07 15:20:09.403234714 +0200
+@@ -590,8 +590,9 @@ input_userauth_pk_ok(int type, u_int32_t
+ key->type, pktype);
+ goto done;
+ }
+- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+- debug2("input_userauth_pk_ok: fp %s", fp);
++ fp = key_selected_fingerprint(key, SSH_FP_HEX);
++ debug2("input_userauth_pk_ok: fp %s%s",
++ key_fingerprint_prefix(), fp);
+ free(fp);
+
+ /*
+@@ -1202,8 +1203,9 @@ sign_and_send_pubkey(Authctxt *authctxt,
+ int have_sig = 1;
+ char *fp;
+
+- fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
+- debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
++ fp = key_selected_fingerprint(id->key, SSH_FP_HEX);
++ debug3("sign_and_send_pubkey: %s %s%s", key_type(id->key),
++ key_fingerprint_prefix(), fp);
+ free(fp);
+
+ if (key_to_blob(id->key, &blob, &bloblen) == 0) {
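Review bot: In warn_changed_key() the new argument line `key_type(host_key),key_fingerprint_prefix(), fp);` drops the space after the first comma, unlike every other call site touched in this hunk; it should read `key_type(host_key), key_fingerprint_prefix(), fp);`. These messages are what a user compares out of band when deciding whether to trust a host key, and key_fingerprint_prefix() is defined outside the hunk. A short comment at the check_host_key() prompt would therefore help, for example `/* prefix names the digest selected for fp; presumably empty for the MD5 default - confirm */`. The enclosing functions start and end outside the hunk.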
diff --git a/openssh-6.2p1-fips.patch b/openssh-6.3p1-fips.patch
similarity index 64%
rename from openssh-6.2p1-fips.patch
rename to openssh-6.3p1-fips.patch
index c2b2e75..f216d6e 100644
--- a/openssh-6.2p1-fips.patch
+++ b/openssh-6.3p1-fips.patch
@@ -1,6 +1,50 @@
-diff -up openssh-6.2p1/authfile.c.fips openssh-6.2p1/authfile.c
---- openssh-6.2p1/authfile.c.fips 2013-03-27 13:14:49.164683482 +0100
-+++ openssh-6.2p1/authfile.c 2013-03-27 13:14:49.177683431 +0100
+diff -up openssh-6.3p1/Makefile.in.fips openssh-6.3p1/Makefile.in
+--- openssh-6.3p1/Makefile.in.fips 2013-10-11 22:24:32.850031186 +0200
++++ openssh-6.3p1/Makefile.in 2013-10-11 22:24:32.870031092 +0200
+@@ -147,25 +147,25 @@ libssh.a: $(LIBSSH_OBJS)
+ $(RANLIB) $@
+
+ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
+- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
++ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS)
+
+ sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
+- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
++ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
+
+ scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
+ $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+
+ ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
+- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+
+ ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
+- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+
+ ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
+- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+
+ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
+- $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++ $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+
+ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
+ $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+@@ -177,7 +177,7 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) libssh
+ $(LD) -o $@ ssh-keycat.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(SSHDLIBS)
+
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
+- $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
++ $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
+
+ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
+ $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+diff -up openssh-6.3p1/authfile.c.fips openssh-6.3p1/authfile.c
+--- openssh-6.3p1/authfile.c.fips 2013-10-11 22:24:32.857031153 +0200
++++ openssh-6.3p1/authfile.c 2013-10-11 22:24:32.870031092 +0200
@@ -148,8 +148,14 @@ key_private_rsa1_to_blob(Key *key, Buffe
/* Allocate space for the private part of the key in the buffer. */
cp = buffer_append_space(&encrypted, buffer_len(&buffer));
@@ -34,9 +78,22 @@ diff -up openssh-6.2p1/authfile.c.fips openssh-6.2p1/authfile.c
cipher_crypt(&ciphercontext, cp,
buffer_ptr(©), buffer_len(©), 0, 0);
cipher_cleanup(&ciphercontext);
-diff -up openssh-6.2p1/cipher.c.fips openssh-6.2p1/cipher.c
---- openssh-6.2p1/cipher.c.fips 2013-03-27 13:14:49.087683788 +0100
-+++ openssh-6.2p1/cipher.c 2013-03-27 13:14:49.177683431 +0100
+diff -up openssh-6.3p1/cipher-ctr.c.fips openssh-6.3p1/cipher-ctr.c
+--- openssh-6.3p1/cipher-ctr.c.fips 2013-06-02 00:07:32.000000000 +0200
++++ openssh-6.3p1/cipher-ctr.c 2013-10-11 22:24:32.870031092 +0200
+@@ -138,7 +138,8 @@ evp_aes_128_ctr(void)
+ aes_ctr.do_cipher = ssh_aes_ctr;
+ #ifndef SSH_OLD_EVP
+ aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
+- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
++ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
++ EVP_CIPH_FLAG_FIPS;
+ #endif
+ return (&aes_ctr);
+ }
+diff -up openssh-6.3p1/cipher.c.fips openssh-6.3p1/cipher.c
+--- openssh-6.3p1/cipher.c.fips 2013-10-11 22:24:32.820031327 +0200
++++ openssh-6.3p1/cipher.c 2013-10-11 22:24:32.871031087 +0200
@@ -40,6 +40,7 @@
#include <sys/types.h>
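Review bot: Nothing in evp_aes_128_ctr() says why `EVP_CIPH_FLAG_FIPS` is justified on `aes_ctr`, which is OpenSSH's own `ssh_aes_ctr` wrapper rather than a cipher supplied by the OpenSSL module. The flag tells OpenSSL the cipher may be initialised in FIPS mode, so the reason belongs next to it. I would add a comment above the assignment such as `/* EVP_CIPH_FLAG_FIPS: allow this CTR wrapper in FIPS mode; the AES block operation underneath must still come from the validated module (confirm) */`. The function body starts outside the hunk.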
@@ -45,54 +102,63 @@ diff -up openssh-6.2p1/cipher.c.fips openssh-6.2p1/cipher.c
#include <string.h>
#include <stdarg.h>
-@@ -89,6 +90,27 @@ struct Cipher ciphers[] = {
+@@ -86,6 +87,27 @@ static const struct Cipher ciphers[] = {
{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
};
-+struct Cipher fips_ciphers[] = {
-+ { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
-+ { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
-+
-+ { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
-+ { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },
-+ { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc },
-+ { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
++static const struct Cipher fips_ciphers[] = {
++ { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
++ { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
++ { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
++ { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
++ { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },
++ { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc },
++ { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
+ { "rijndael-cbc at lysator.liu.se",
-+ SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
-+ { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
-+ { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_128_ctr },
-+ { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_128_ctr },
++ SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
++ { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
++ { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
++ { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
+#ifdef OPENSSL_HAVE_EVPGCM
+ { "aes128-gcm at openssh.com",
+ SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
+ { "aes256-gcm at openssh.com",
+ SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
+#endif
-+ { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, NULL }
++ { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
+};
/*--*/
- u_int
-@@ -143,7 +165,7 @@ Cipher *
+ /* Returns a comma-separated list of supported ciphers. */
+@@ -96,7 +118,7 @@ cipher_alg_list(void)
+ size_t nlen, rlen = 0;
+ const Cipher *c;
+
+- for (c = ciphers; c->name != NULL; c++) {
++ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) {
+ if (c->number != SSH_CIPHER_SSH2)
+ continue;
+ if (ret != NULL)
+@@ -161,7 +183,7 @@ const Cipher *
cipher_by_name(const char *name)
{
- Cipher *c;
+ const Cipher *c;
- for (c = ciphers; c->name != NULL; c++)
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
if (strcmp(c->name, name) == 0)
return c;
return NULL;
-@@ -153,7 +175,7 @@ Cipher *
+@@ -171,7 +193,7 @@ const Cipher *
cipher_by_number(int id)
{
- Cipher *c;
+ const Cipher *c;
- for (c = ciphers; c->name != NULL; c++)
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
if (c->number == id)
return c;
return NULL;
-@@ -197,7 +219,7 @@ cipher_number(const char *name)
- Cipher *c;
+@@ -215,7 +237,7 @@ cipher_number(const char *name)
+ const Cipher *c;
if (name == NULL)
return -1;
- for (c = ciphers; c->name != NULL; c++)
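Review bot: The new `fips_ciphers` table gains a `{ "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }` entry that the previous version of the patch did not have, and single DES is not a FIPS-approved algorithm. Because cipher_by_number() and cipher_number() now walk `fips_ciphers` when FIPS_mode() is set, this entry makes SSH_CIPHER_DES resolvable in FIPS mode. The ssh.c and sshd.c hunks refuse protocol 1 in FIPS mode, so the entry is probably unreachable on the wire, but a lookup such as the one behind the legacy key-file code in authfile.c may still see it. I would drop the line, or, if it is needed for some lookup, say so in a comment: `/* des: kept only for <reason>; never negotiated in FIPS mode */`. The "none" and SSH1 "3des" rows deserve the same one-line justification.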
@@ -100,13 +166,13 @@ diff -up openssh-6.2p1/cipher.c.fips openssh-6.2p1/cipher.c
if (strcasecmp(c->name, name) == 0)
return c->number;
return -1;
-@@ -356,14 +378,15 @@ cipher_cleanup(CipherContext *cc)
+@@ -374,14 +396,15 @@ cipher_cleanup(CipherContext *cc)
* passphrase and using the resulting 16 bytes as the key.
*/
-void
+int
- cipher_set_key_string(CipherContext *cc, Cipher *cipher,
+ cipher_set_key_string(CipherContext *cc, const Cipher *cipher,
const char *passphrase, int do_encrypt)
{
MD5_CTX md;
@@ -118,7 +184,7 @@ diff -up openssh-6.2p1/cipher.c.fips openssh-6.2p1/cipher.c
MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase));
MD5_Final(digest, &md);
-@@ -371,6 +394,7 @@ cipher_set_key_string(CipherContext *cc,
+@@ -389,6 +412,7 @@ cipher_set_key_string(CipherContext *cc,
memset(digest, 0, sizeof(digest));
memset(&md, 0, sizeof(md));
@@ -126,34 +192,21 @@ diff -up openssh-6.2p1/cipher.c.fips openssh-6.2p1/cipher.c
}
/*
-diff -up openssh-6.2p1/cipher-ctr.c.fips openssh-6.2p1/cipher-ctr.c
---- openssh-6.2p1/cipher-ctr.c.fips 2013-01-20 12:31:30.000000000 +0100
-+++ openssh-6.2p1/cipher-ctr.c 2013-03-27 13:14:49.177683431 +0100
-@@ -138,7 +138,8 @@ evp_aes_128_ctr(void)
- aes_ctr.do_cipher = ssh_aes_ctr;
- #ifndef SSH_OLD_EVP
- aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
-- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
-+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
-+ EVP_CIPH_FLAG_FIPS;
- #endif
- return (&aes_ctr);
- }
-diff -up openssh-6.2p1/cipher.h.fips openssh-6.2p1/cipher.h
---- openssh-6.2p1/cipher.h.fips 2013-03-27 13:14:49.088683784 +0100
-+++ openssh-6.2p1/cipher.h 2013-03-27 13:14:49.177683431 +0100
-@@ -91,7 +91,7 @@ void cipher_init(CipherContext *, Ciphe
+diff -up openssh-6.3p1/cipher.h.fips openssh-6.3p1/cipher.h
+--- openssh-6.3p1/cipher.h.fips 2013-10-11 22:24:32.820031327 +0200
++++ openssh-6.3p1/cipher.h 2013-10-11 22:24:32.871031087 +0200
+@@ -92,7 +92,7 @@ void cipher_init(CipherContext *, const
void cipher_crypt(CipherContext *, u_char *, const u_char *,
u_int, u_int, u_int);
void cipher_cleanup(CipherContext *);
--void cipher_set_key_string(CipherContext *, Cipher *, const char *, int);
-+int cipher_set_key_string(CipherContext *, Cipher *, const char *, int);
+-void cipher_set_key_string(CipherContext *, const Cipher *, const char *, int);
++int cipher_set_key_string(CipherContext *, const Cipher *, const char *, int);
u_int cipher_blocksize(const Cipher *);
u_int cipher_keylen(const Cipher *);
u_int cipher_authlen(const Cipher *);
-diff -up openssh-6.2p1/key.c.fips openssh-6.2p1/key.c
---- openssh-6.2p1/key.c.fips 2013-03-27 13:14:49.100683736 +0100
-+++ openssh-6.2p1/key.c 2013-03-27 13:14:49.178683427 +0100
+diff -up openssh-6.3p1/key.c.fips openssh-6.3p1/key.c
+--- openssh-6.3p1/key.c.fips 2013-10-11 22:24:32.821031322 +0200
++++ openssh-6.3p1/key.c 2013-10-11 22:24:32.871031087 +0200
@@ -40,6 +40,7 @@
#include <sys/types.h>
@@ -162,7 +215,7 @@ diff -up openssh-6.2p1/key.c.fips openssh-6.2p1/key.c
#include <openbsd-compat/openssl-compat.h>
#include <stdarg.h>
-@@ -607,9 +608,13 @@ key_fingerprint_selection(void)
+@@ -606,9 +607,13 @@ key_fingerprint_selection(void)
char *env;
if (!rv_defined) {
@@ -179,9 +232,9 @@ diff -up openssh-6.2p1/key.c.fips openssh-6.2p1/key.c
rv_defined = 1;
}
return rv;
-diff -up openssh-6.2p1/mac.c.fips openssh-6.2p1/mac.c
---- openssh-6.2p1/mac.c.fips 2013-03-27 13:14:49.093683764 +0100
-+++ openssh-6.2p1/mac.c 2013-03-27 13:16:33.524266158 +0100
+diff -up openssh-6.3p1/mac.c.fips openssh-6.3p1/mac.c
+--- openssh-6.3p1/mac.c.fips 2013-10-11 22:24:32.821031322 +0200
++++ openssh-6.3p1/mac.c 2013-10-11 22:25:35.394737186 +0200
@@ -28,6 +28,7 @@
#include <sys/types.h>
@@ -190,102 +243,56 @@ diff -up openssh-6.2p1/mac.c.fips openssh-6.2p1/mac.c
#include <stdarg.h>
#include <string.h>
-@@ -50,7 +51,7 @@
- #define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */
- #define SSH_UMAC128 3
-
--struct {
-+struct Macs {
- char *name;
- int type;
- const EVP_MD * (*mdfunc)(void);
-@@ -58,7 +59,9 @@ struct {
- int key_len; /* just for UMAC */
- int len; /* just for UMAC */
+@@ -60,7 +61,7 @@ struct macalg {
int etm; /* Encrypt-then-MAC */
--} macs[] = {
-+};
-+
-+struct Macs all_macs[] = {
+ };
+
+-static const struct macalg macs[] = {
++static const struct macalg all_macs[] = {
/* Encrypt-and-MAC (encrypt-and-authenticate) variants */
{ "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 },
{ "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, 0, 0, 0 },
-@@ -89,9 +92,19 @@ struct {
+@@ -91,6 +92,18 @@ static const struct macalg macs[] = {
{ NULL, 0, NULL, 0, 0, 0, 0 }
};
-+struct Macs fips_macs[] = {
-+ { "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 },
++static const struct macalg fips_macs[] = {
++ { "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 },
++ { "hmac-sha1-etm at openssh.com", SSH_EVP, EVP_sha1, 0, 0, 0, 1 },
+#ifdef HAVE_EVP_SHA256
-+ { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, 0, 0, 0 },
-+ { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, 0, 0, 0 },
++ { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, 0, 0, 0 },
++ { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, 0, 0, 0 },
++ { "hmac-sha2-256-etm at openssh.com", SSH_EVP, EVP_sha256, 0, 0, 0, 1 },
++ { "hmac-sha2-512-etm at openssh.com", SSH_EVP, EVP_sha512, 0, 0, 0, 1 },
+#endif
-+ { NULL, 0, NULL, 0, -1, -1 }
++ { NULL, 0, NULL, 0, 0, 0, 0 }
+};
+
- static void
- mac_setup_by_id(Mac *mac, int which)
- {
-+ struct Macs *macs = FIPS_mode() ? fips_macs : all_macs;
- int evp_len;
- mac->type = macs[which].type;
- if (mac->type == SSH_EVP) {
-@@ -113,6 +126,7 @@ int
- mac_setup(Mac *mac, char *name)
+ /* Returns a comma-separated list of supported MACs. */
+ char *
+ mac_alg_list(void)
+@@ -99,7 +112,7 @@ mac_alg_list(void)
+ size_t nlen, rlen = 0;
+ const struct macalg *m;
+
+- for (m = macs; m->name != NULL; m++) {
++ for (m = FIPS_mode() ? fips_macs : all_macs; m->name != NULL; m++) {
+ if (ret != NULL)
+ ret[rlen++] = '\n';
+ nlen = strlen(m->name);
+@@ -136,7 +149,7 @@ mac_setup(Mac *mac, char *name)
{
- int i;
-+ struct Macs *macs = FIPS_mode() ? fips_macs : all_macs;
-
- for (i = 0; macs[i].name; i++) {
- if (strcmp(name, macs[i].name) == 0) {
-diff -up openssh-6.2p1/Makefile.in.fips openssh-6.2p1/Makefile.in
---- openssh-6.2p1/Makefile.in.fips 2013-03-27 13:14:49.155683518 +0100
-+++ openssh-6.2p1/Makefile.in 2013-03-27 13:14:49.178683427 +0100
-@@ -145,25 +145,25 @@ libssh.a: $(LIBSSH_OBJS)
- $(RANLIB) $@
-
- ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
-- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
-+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS)
-
- sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
-- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
-+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
-
- scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
- $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-
- ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
-- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
-
- ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
-- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
-
- ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
-- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
-
- ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
-- $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+ $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
-
- ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
- $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
-@@ -175,7 +175,7 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) libssh
- $(LD) -o $@ ssh-keycat.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(SSHDLIBS)
-
- ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
-- $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
-+ $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
-
- sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
- $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-diff -up openssh-6.2p1/myproposal.h.fips openssh-6.2p1/myproposal.h
---- openssh-6.2p1/myproposal.h.fips 2013-01-09 06:12:19.000000000 +0100
-+++ openssh-6.2p1/myproposal.h 2013-03-27 13:14:49.178683427 +0100
-@@ -106,6 +106,19 @@
+ const struct macalg *m;
+
+- for (m = macs; m->name != NULL; m++) {
++ for (m = FIPS_mode() ? fips_macs : all_macs; m->name != NULL; m++) {
+ if (strcmp(name, m->name) != 0)
+ continue;
+ if (mac != NULL)
+diff -up openssh-6.3p1/myproposal.h.fips openssh-6.3p1/myproposal.h
+--- openssh-6.3p1/myproposal.h.fips 2013-06-11 04:10:02.000000000 +0200
++++ openssh-6.3p1/myproposal.h 2013-10-11 22:24:32.872031082 +0200
+@@ -114,6 +114,19 @@
#define KEX_DEFAULT_COMP "none,zlib at openssh.com,zlib"
#define KEX_DEFAULT_LANG ""
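Review bot: The table choice `FIPS_mode() ? fips_macs : all_macs` is now written out separately in mac_alg_list() and mac_setup(), and the cipher.c hunks repeat the equivalent expression in cipher_alg_list(), cipher_by_name(), cipher_by_number() and cipher_number(). A lookup added later that forgets the ternary would fall back to the full table without any warning. A file-local helper keeps the decision in one place, for example `static const struct macalg *mac_table(void) { return FIPS_mode() ? fips_macs : all_macs; }`, with the loops written as `for (m = mac_table(); m->name != NULL; m++)`. A comment above `fips_macs` stating that each row must also exist in `all_macs` would document the intended subset relationship. Both functions continue outside the hunk.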
@@ -305,9 +312,9 @@ diff -up openssh-6.2p1/myproposal.h.fips openssh-6.2p1/myproposal.h
static char *myproposal[PROPOSAL_MAX] = {
KEX_DEFAULT_KEX,
-diff -up openssh-6.2p1/openbsd-compat/bsd-arc4random.c.fips openssh-6.2p1/openbsd-compat/bsd-arc4random.c
---- openssh-6.2p1/openbsd-compat/bsd-arc4random.c.fips 2010-03-25 22:52:02.000000000 +0100
-+++ openssh-6.2p1/openbsd-compat/bsd-arc4random.c 2013-03-27 13:14:49.179683423 +0100
+diff -up openssh-6.3p1/openbsd-compat/bsd-arc4random.c.fips openssh-6.3p1/openbsd-compat/bsd-arc4random.c
+--- openssh-6.3p1/openbsd-compat/bsd-arc4random.c.fips 2010-03-25 22:52:02.000000000 +0100
++++ openssh-6.3p1/openbsd-compat/bsd-arc4random.c 2013-10-11 22:24:32.872031082 +0200
@@ -37,25 +37,18 @@
#define REKEY_BYTES (1 << 24)
@@ -363,9 +370,9 @@ diff -up openssh-6.2p1/openbsd-compat/bsd-arc4random.c.fips openssh-6.2p1/openbs
}
#endif /* !HAVE_ARC4RANDOM */
-diff -up openssh-6.2p1/ssh.c.fips openssh-6.2p1/ssh.c
---- openssh-6.2p1/ssh.c.fips 2012-07-06 05:45:01.000000000 +0200
-+++ openssh-6.2p1/ssh.c 2013-03-27 13:14:49.179683423 +0100
+diff -up openssh-6.3p1/ssh.c.fips openssh-6.3p1/ssh.c
+--- openssh-6.3p1/ssh.c.fips 2013-07-25 03:55:53.000000000 +0200
++++ openssh-6.3p1/ssh.c 2013-10-11 22:24:32.872031082 +0200
@@ -73,6 +73,8 @@
#include <openssl/evp.h>
@@ -375,20 +382,22 @@ diff -up openssh-6.2p1/ssh.c.fips openssh-6.2p1/ssh.c
#include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h"
-@@ -253,6 +255,11 @@ main(int ac, char **av)
+@@ -253,6 +255,13 @@ main(int ac, char **av)
sanitise_stdfd();
__progname = ssh_get_progname(av[0]);
+ SSLeay_add_all_algorithms();
-+
-+ if (!FIPSCHECK_verify_ex(NULL, NULL, HMAC_SUFFIX, 0)) {
-+ fatal("FIPS integrity verification test failed.");
-+ }
++ if (access("/etc/system-fips", F_OK) == 0)
++ if (! FIPSCHECK_verify(NULL, NULL))
++ if (FIPS_mode())
++ fatal("FIPS integrity verification test failed.");
++ else
++ logit("FIPS integrity verification test failed.");
#ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */
-@@ -329,6 +335,9 @@ main(int ac, char **av)
- "ACD:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) {
+@@ -330,6 +339,9 @@ main(int ac, char **av)
+ "ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
switch (opt) {
case '1':
+ if (FIPS_mode()) {
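Review bot: The new start-up check in main() is three nested `if` statements without braces followed by an `else`, so the `else` binds to `if (FIPS_mode())` only through the dangling-else rule, and one added statement would change which branch it belongs to. The sshd.c hunk further down adds the identical construct. The policy has also changed and should be stated in a comment: verification is skipped when `/etc/system-fips` is absent, and a failed `FIPSCHECK_verify()` is only logged when FIPS_mode() is off, where the earlier patch called fatal() unconditionally. I would fold the first two conditions together and brace the block as below, which keeps the behaviour the same. main() continues outside the hunk.

```c
	SSLeay_add_all_algorithms();
	/*
	 * Integrity self-test: only attempted on hosts marked with
	 * /etc/system-fips; a failure is fatal in FIPS mode and
	 * merely logged otherwise.
	 */
	if (access("/etc/system-fips", F_OK) == 0 &&
	    !FIPSCHECK_verify(NULL, NULL)) {
		if (FIPS_mode())
			fatal("FIPS integrity verification test failed.");
		else
			logit("FIPS integrity verification test failed.");
	}
	/* … unchanged: setproctitle preparation and option parsing … */
```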
@@ -397,7 +406,7 @@ diff -up openssh-6.2p1/ssh.c.fips openssh-6.2p1/ssh.c
options.protocol = SSH_PROTO_1;
break;
case '2':
-@@ -632,7 +641,6 @@ main(int ac, char **av)
+@@ -647,7 +659,6 @@ main(int ac, char **av)
if (!host)
usage();
@@ -405,7 +414,7 @@ diff -up openssh-6.2p1/ssh.c.fips openssh-6.2p1/ssh.c
ERR_load_crypto_strings();
/* Initialize the command to execute on remote host. */
-@@ -722,6 +730,10 @@ main(int ac, char **av)
+@@ -748,6 +759,10 @@ main(int ac, char **av)
seed_rng();
@@ -416,7 +425,7 @@ diff -up openssh-6.2p1/ssh.c.fips openssh-6.2p1/ssh.c
if (options.user == NULL)
options.user = xstrdup(pw->pw_name);
-@@ -790,6 +802,12 @@ main(int ac, char **av)
+@@ -816,6 +831,12 @@ main(int ac, char **av)
timeout_ms = options.connection_timeout * 1000;
@@ -429,9 +438,9 @@ diff -up openssh-6.2p1/ssh.c.fips openssh-6.2p1/ssh.c
/* Open a connection to the remote host. */
if (ssh_connect(host, &hostaddr, options.port,
options.address_family, options.connection_attempts, &timeout_ms,
-diff -up openssh-6.2p1/sshconnect2.c.fips openssh-6.2p1/sshconnect2.c
---- openssh-6.2p1/sshconnect2.c.fips 2013-03-27 13:14:49.066683871 +0100
-+++ openssh-6.2p1/sshconnect2.c 2013-03-27 13:14:49.179683423 +0100
+diff -up openssh-6.3p1/sshconnect2.c.fips openssh-6.3p1/sshconnect2.c
+--- openssh-6.3p1/sshconnect2.c.fips 2013-10-11 22:24:32.810031374 +0200
++++ openssh-6.3p1/sshconnect2.c 2013-10-11 22:24:32.873031077 +0200
@@ -44,6 +44,8 @@
#include <vis.h>
#endif
@@ -464,9 +473,9 @@ diff -up openssh-6.2p1/sshconnect2.c.fips openssh-6.2p1/sshconnect2.c
if (options.hostkeyalgorithms != NULL)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
options.hostkeyalgorithms;
-diff -up openssh-6.2p1/sshd.c.fips openssh-6.2p1/sshd.c
---- openssh-6.2p1/sshd.c.fips 2013-03-27 13:14:49.146683554 +0100
-+++ openssh-6.2p1/sshd.c 2013-03-27 13:14:49.180683419 +0100
+diff -up openssh-6.3p1/sshd.c.fips openssh-6.3p1/sshd.c
+--- openssh-6.3p1/sshd.c.fips 2013-10-11 22:24:32.842031223 +0200
++++ openssh-6.3p1/sshd.c 2013-10-11 22:24:32.873031077 +0200
@@ -76,6 +76,8 @@
#include <openssl/bn.h>
#include <openssl/md5.h>
@@ -476,31 +485,33 @@ diff -up openssh-6.2p1/sshd.c.fips openssh-6.2p1/sshd.c
#include "openbsd-compat/openssl-compat.h"
#ifdef HAVE_SECUREWARE
-@@ -1423,6 +1425,12 @@ main(int ac, char **av)
+@@ -1450,6 +1452,14 @@ main(int ac, char **av)
#endif
__progname = ssh_get_progname(av[0]);
+ SSLeay_add_all_algorithms();
-+
-+ if (!FIPSCHECK_verify_ex(NULL, NULL, HMAC_SUFFIX, 0)) {
-+ fatal("FIPS integrity verification test failed.");
-+ }
++ if (access("/etc/system-fips", F_OK) == 0)
++ if (! FIPSCHECK_verify(NULL, NULL))
++ if (FIPS_mode())
++ fatal("FIPS integrity verification test failed.");
++ else
++ logit("FIPS integrity verification test failed.");
+
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac;
rexec_argc = ac;
-@@ -1571,8 +1578,6 @@ main(int ac, char **av)
+@@ -1601,8 +1611,6 @@ main(int ac, char **av)
else
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
- OpenSSL_add_all_algorithms();
-
- /*
- * Force logging to stderr until we have loaded the private host
- * key (unless started from inetd)
-@@ -1715,6 +1720,10 @@ main(int ac, char **av)
- debug("private host key: #%d type %d %s", i, key->type,
- key_type(key));
+ /* If requested, redirect the logs to the specified logfile. */
+ if (logfile != NULL) {
+ log_redirect_stderr_to(logfile);
+@@ -1773,6 +1781,10 @@ main(int ac, char **av)
+ debug("private host key: #%d type %d %s", i, keytype,
+ key_type(key ? key : pubkey));
}
+ if ((options.protocol & SSH_PROTO_1) && FIPS_mode()) {
+ logit("Disabling protocol version 1. Not allowed in the FIPS mode.");
@@ -509,7 +520,7 @@ diff -up openssh-6.2p1/sshd.c.fips openssh-6.2p1/sshd.c
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1;
-@@ -1878,6 +1887,10 @@ main(int ac, char **av)
+@@ -1936,6 +1948,10 @@ main(int ac, char **av)
/* Initialize the random number generator. */
arc4random_stir();
@@ -519,8 +530,8 @@ diff -up openssh-6.2p1/sshd.c.fips openssh-6.2p1/sshd.c
+
/* Chdir to the root directory so that the current disk can be
unmounted if desired. */
- (void) chdir("/");
-@@ -2420,6 +2433,9 @@ do_ssh2_kex(void)
+ if (chdir("/") == -1)
+@@ -2498,6 +2514,9 @@ do_ssh2_kex(void)
if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@@ -530,7 +541,7 @@ diff -up openssh-6.2p1/sshd.c.fips openssh-6.2p1/sshd.c
}
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
-@@ -2429,6 +2445,9 @@ do_ssh2_kex(void)
+@@ -2507,6 +2526,9 @@ do_ssh2_kex(void)
if (options.macs != NULL) {
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
@@ -540,19 +551,3 @@ diff -up openssh-6.2p1/sshd.c.fips openssh-6.2p1/sshd.c
}
if (options.compression == COMP_NONE) {
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
-diff -up openssh-6.2p2/configure.ac.fips openssh-6.2p2/configure.ac
---- openssh-6.2p2/configure.ac.fips 2013-09-10 17:54:55.092279052 +0200
-+++ openssh-6.2p2/configure.ac 2013-09-10 17:55:18.021172145 +0200
-@@ -4421,6 +4421,12 @@ AC_ARG_WITH([lastlog],
- ]
- )
-
-+AC_ARG_ENABLE(hmac-suffix,
-+ [ --enable-hmac-suffix=suffix specify the full hmac_suffix for fipscheck library],
-+ [AC_DEFINE_UNQUOTED(HMAC_SUFFIX,["$enableval"],[Define to %{version}-%{release}.hmac])],
-+ [AC_DEFINE(HMAC_SUFFIX, NULL)]
-+)
-+
- dnl lastlog, [uw]tmpx? detection
- dnl NOTE: set the paths in the platform section to avoid the
- dnl need for command-line parameters
diff --git a/openssh-6.2p1-force_krb.patch b/openssh-6.3p1-force_krb.patch
similarity index 81%
rename from openssh-6.2p1-force_krb.patch
rename to openssh-6.3p1-force_krb.patch
index 5423171..695c0eb 100644
--- a/openssh-6.2p1-force_krb.patch
+++ b/openssh-6.3p1-force_krb.patch
@@ -1,6 +1,6 @@
-diff -up openssh-6.2p1/gss-serv-krb5.c.force_krb openssh-6.2p1/gss-serv-krb5.c
---- openssh-6.2p1/gss-serv-krb5.c.force_krb 2013-03-25 20:04:53.807817333 +0100
-+++ openssh-6.2p1/gss-serv-krb5.c 2013-03-25 20:04:53.818817403 +0100
+diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c
+--- openssh-6.3p1/gss-serv-krb5.c.force_krb 2013-10-11 18:58:51.553948159 +0200
++++ openssh-6.3p1/gss-serv-krb5.c 2013-10-11 21:40:49.972337025 +0200
@@ -32,7 +32,9 @@
#include <sys/types.h>
@@ -11,7 +11,7 @@ diff -up openssh-6.2p1/gss-serv-krb5.c.force_krb openssh-6.2p1/gss-serv-krb5.c
#include "xmalloc.h"
#include "key.h"
-@@ -40,12 +42,11 @@
+@@ -40,10 +42,12 @@
#include "auth.h"
#include "log.h"
#include "servconf.h"
@@ -20,18 +20,14 @@ diff -up openssh-6.2p1/gss-serv-krb5.c.force_krb openssh-6.2p1/gss-serv-krb5.c
#include "buffer.h"
#include "ssh-gss.h"
--extern ServerOptions options;
--
++extern Authctxt *the_authctxt;
+ extern ServerOptions options;
+
#ifdef HEIMDAL
- # include <krb5.h>
- #else
-@@ -56,6 +57,16 @@ extern ServerOptions options;
- # endif
+@@ -55,6 +59,13 @@ extern ServerOptions options;
+ # include <gssapi/gssapi_krb5.h>
#endif
-+extern Authctxt *the_authctxt;
-+extern ServerOptions options;
-+
+/* all commands are allowed by default */
+char **k5users_allowed_cmds = NULL;
+
@@ -42,21 +38,16 @@ diff -up openssh-6.2p1/gss-serv-krb5.c.force_krb openssh-6.2p1/gss-serv-krb5.c
static krb5_context krb_context = NULL;
/* Initialise the krb5 library, for the stuff that GSSAPI won't do */
-@@ -83,10 +94,11 @@ ssh_gssapi_krb5_init(void)
- */
-
- static int
--ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
-+ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *luser)
- {
+@@ -87,6 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
krb5_principal princ;
int retval;
+ const char *errmsg;
+ int k5login_exists;
if (ssh_gssapi_krb5_init() == 0)
return 0;
-@@ -97,10 +109,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
- krb5_get_err_text(krb_context, retval));
+@@ -98,10 +110,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
+ krb5_free_error_message(krb_context, errmsg);
return 0;
}
- if (krb5_kuserok(krb_context, princ, name)) {
@@ -66,21 +57,20 @@ diff -up openssh-6.2p1/gss-serv-krb5.c.force_krb openssh-6.2p1/gss-serv-krb5.c
+ /* NOTE: .k5login and .k5users must opened as root, not the user,
+ * because if they are on a krb5-protected filesystem, user credentials
+ * to access these files aren't available yet. */
-+ if (krb5_kuserok(krb_context, princ, luser) && k5login_exists) {
++ if (krb5_kuserok(krb_context, princ, name) && k5login_exists) {
retval = 1;
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
-- name, (char *)client->displayname.value);
-+ luser, (char *)client->displayname.value);
+ name, (char *)client->displayname.value);
+ } else if (ssh_gssapi_krb5_cmdok(princ, client->exportedname.value,
-+ luser, k5login_exists)) {
++ name, k5login_exists)) {
+ retval = 1;
+ logit("Authorized to %s, krb5 principal %s "
+ "(ssh_gssapi_krb5_cmdok)",
-+ luser, (char *)client->displayname.value);
++ name, (char *)client->displayname.value);
} else
retval = 0;
-@@ -108,6 +132,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
+@@ -109,6 +133,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
return retval;
}
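Review bot: The NOTE comment above the `krb5_kuserok(krb_context, princ, name) && k5login_exists` test says `.k5login` and `.k5users` are opened as root, but it does not say how a path inside the user's home directory is kept from resolving to some other file. The code that sets `k5login_exists` and the body of `ssh_gssapi_krb5_cmdok` are outside this hunk, so it cannot be confirmed from here whether they refuse symlinks or check ownership. I would extend the comment with `* The paths are under the user's home: refuse symlinks and require a regular file owned by the user or root.` and verify that the open path actually does this.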
@@ -216,9 +206,9 @@ diff -up openssh-6.2p1/gss-serv-krb5.c.force_krb openssh-6.2p1/gss-serv-krb5.c
/* This writes out any forwarded credentials from the structure populated
* during userauth. Called after we have setuid to the user */
-diff -up openssh-6.2p1/session.c.force_krb openssh-6.2p1/session.c
---- openssh-6.2p1/session.c.force_krb 2013-03-25 20:04:53.724816810 +0100
-+++ openssh-6.2p1/session.c 2013-03-25 20:04:53.818817403 +0100
+diff -up openssh-6.3p1/session.c.force_krb openssh-6.3p1/session.c
+--- openssh-6.3p1/session.c.force_krb 2013-10-11 18:58:51.487948468 +0200
++++ openssh-6.3p1/session.c 2013-10-11 18:58:51.563948112 +0200
@@ -823,6 +823,29 @@ do_exec(Session *s, const char *command)
debug("Forced command (key option) '%.900s'", command);
}
@@ -249,10 +239,24 @@ diff -up openssh-6.2p1/session.c.force_krb openssh-6.2p1/session.c
#ifdef SSH_AUDIT_EVENTS
if (s->command != NULL || s->command_handle != -1)
fatal("do_exec: command already set");
-diff -up openssh-6.2p1/sshd.8.force_krb openssh-6.2p1/sshd.8
---- openssh-6.2p1/sshd.8.force_krb 2013-03-25 20:04:53.787817207 +0100
-+++ openssh-6.2p1/sshd.8 2013-03-25 20:04:53.819817409 +0100
-@@ -323,6 +323,7 @@ Finally, the server and the client enter
+diff -up openssh-6.3p1/ssh-gss.h.force_krb openssh-6.3p1/ssh-gss.h
+--- openssh-6.3p1/ssh-gss.h.force_krb 2013-10-11 18:58:51.558948136 +0200
++++ openssh-6.3p1/ssh-gss.h 2013-10-11 18:58:51.563948112 +0200
+@@ -49,6 +49,10 @@
+ # endif /* !HAVE_DECL_GSS_C_NT_... */
+
+ # endif /* !HEIMDAL */
++
++/* .k5users support */
++extern char **k5users_allowed_cmds;
++
+ #endif /* KRB5 */
+
+ /* draft-ietf-secsh-gsskeyex-06 */
+diff -up openssh-6.3p1/sshd.8.force_krb openssh-6.3p1/sshd.8
+--- openssh-6.3p1/sshd.8.force_krb 2013-10-11 18:58:51.537948234 +0200
++++ openssh-6.3p1/sshd.8 2013-10-11 18:58:51.563948112 +0200
+@@ -326,6 +326,7 @@ Finally, the server and the client enter
The client tries to authenticate itself using
host-based authentication,
public key authentication,
@@ -260,7 +264,7 @@ diff -up openssh-6.2p1/sshd.8.force_krb openssh-6.2p1/sshd.8
challenge-response authentication,
or password authentication.
.Pp
-@@ -796,6 +797,12 @@ This file is used in exactly the same wa
+@@ -797,6 +798,12 @@ This file is used in exactly the same wa
but allows host-based authentication without permitting login with
rlogin/rsh.
.Pp
@@ -273,17 +277,3 @@ diff -up openssh-6.2p1/sshd.8.force_krb openssh-6.2p1/sshd.8
.It Pa ~/.ssh/
This directory is the default location for all user-specific configuration
and authentication information.
-diff -up openssh-6.2p1/ssh-gss.h.force_krb openssh-6.2p1/ssh-gss.h
---- openssh-6.2p1/ssh-gss.h.force_krb 2013-03-25 20:04:53.819817409 +0100
-+++ openssh-6.2p1/ssh-gss.h 2013-03-25 20:05:26.463023197 +0100
-@@ -49,6 +49,10 @@
- # endif /* !HAVE_DECL_GSS_C_NT_... */
-
- # endif /* !HEIMDAL */
-+
-+/* .k5users support */
-+extern char **k5users_allowed_cmds;
-+
- #endif /* KRB5 */
-
- /* draft-ietf-secsh-gsskeyex-06 */
diff --git a/openssh-6.2p2-gsissh.patch b/openssh-6.3p1-gsissh.patch
similarity index 89%
rename from openssh-6.2p2-gsissh.patch
rename to openssh-6.3p1-gsissh.patch
index 4ddfc24..78cb329 100644
--- a/openssh-6.2p2-gsissh.patch
+++ b/openssh-6.3p1-gsissh.patch
@@ -1,7 +1,7 @@
-diff -Nur openssh-6.2p2.orig/auth2.c openssh-6.2p2/auth2.c
---- openssh-6.2p2.orig/auth2.c 2013-06-24 05:46:18.228123474 +0200
-+++ openssh-6.2p2/auth2.c 2013-06-24 05:47:42.363821161 +0200
-@@ -231,7 +231,27 @@
+diff -Nur openssh-6.3p1.orig/auth2.c openssh-6.3p1/auth2.c
+--- openssh-6.3p1.orig/auth2.c 2013-10-15 09:20:49.442204554 +0200
++++ openssh-6.3p1/auth2.c 2013-10-15 09:37:13.858290808 +0200
+@@ -234,7 +234,27 @@
user = packet_get_cstring(NULL);
service = packet_get_cstring(NULL);
method = packet_get_cstring(NULL);
@@ -14,7 +14,7 @@ diff -Nur openssh-6.2p2.orig/auth2.c openssh-6.2p2/auth2.c
+ char *lname = NULL;
+ PRIVSEP(ssh_gssapi_localname(&lname));
+ if (lname && lname[0] != '\0') {
-+ xfree(user);
++ free(user);
+ user = lname;
+ debug("set username to %s from gssapi context", user);
+ } else {
@@ -30,7 +30,7 @@ diff -Nur openssh-6.2p2.orig/auth2.c openssh-6.2p2/auth2.c
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
#ifdef WITH_SELINUX
-@@ -242,23 +262,48 @@
+@@ -245,23 +265,48 @@
if ((style = strchr(user, ':')) != NULL)
*style++ = 0;
@@ -42,7 +42,7 @@ diff -Nur openssh-6.2p2.orig/auth2.c openssh-6.2p2/auth2.c
+ (strcmp(user, authctxt->user) != 0) ||
+ (strcmp(user, "") == 0)) {
+ if (authctxt->user) {
-+ xfree(authctxt->user);
++ free(authctxt->user);
+ authctxt->user = NULL;
+ }
+ authctxt->valid = 0;
@@ -82,7 +82,7 @@ diff -Nur openssh-6.2p2.orig/auth2.c openssh-6.2p2/auth2.c
authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL;
#ifdef WITH_SELINUX
-@@ -273,9 +318,10 @@
+@@ -276,9 +321,10 @@
userauth_banner();
if (auth2_setup_methods_lists(authctxt) != 0)
packet_disconnect("no authentication methods enabled");
@@ -96,9 +96,9 @@ diff -Nur openssh-6.2p2.orig/auth2.c openssh-6.2p2/auth2.c
"(%s,%s) -> (%s,%s)",
authctxt->user, authctxt->service, user, service);
}
-diff -Nur openssh-6.2p2.orig/auth2-gss.c openssh-6.2p2/auth2-gss.c
---- openssh-6.2p2.orig/auth2-gss.c 2013-06-24 05:46:18.228123474 +0200
-+++ openssh-6.2p2/auth2-gss.c 2013-06-24 05:47:42.364821170 +0200
+diff -Nur openssh-6.3p1.orig/auth2-gss.c openssh-6.3p1/auth2-gss.c
+--- openssh-6.3p1.orig/auth2-gss.c 2013-10-15 09:20:49.442204554 +0200
++++ openssh-6.3p1/auth2-gss.c 2013-10-15 09:49:52.037113175 +0200
@@ -47,6 +47,7 @@
extern ServerOptions options;
@@ -146,7 +146,7 @@ diff -Nur openssh-6.2p2.orig/auth2-gss.c openssh-6.2p2/auth2-gss.c
buffer_free(&b);
+ buffer_free(&b2);
- xfree(mic.value);
+ free(mic.value);
return (authenticated);
@@ -102,7 +117,10 @@
@@ -161,7 +161,7 @@ diff -Nur openssh-6.2p2.orig/auth2-gss.c openssh-6.2p2/auth2-gss.c
return (0);
mechs = packet_get_int();
-@@ -172,7 +190,7 @@
+@@ -171,7 +189,7 @@
Gssctxt *gssctxt;
gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
gss_buffer_desc recv_tok;
@@ -170,15 +170,15 @@ diff -Nur openssh-6.2p2.orig/auth2-gss.c openssh-6.2p2/auth2-gss.c
u_int len;
if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
-@@ -190,6 +208,7 @@
- xfree(recv_tok.value);
+@@ -189,6 +207,7 @@
+ free(recv_tok.value);
if (GSS_ERROR(maj_status)) {
+ ssh_gssapi_userauth_error(gssctxt);
if (send_tok.length != 0) {
packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK);
packet_put_string(send_tok.value, send_tok.length);
-@@ -253,6 +272,32 @@
+@@ -252,6 +271,32 @@
gss_release_buffer(&maj_status, &send_tok);
}
@@ -190,7 +190,7 @@ diff -Nur openssh-6.2p2.orig/auth2-gss.c openssh-6.2p2/auth2-gss.c
+ if ((authctxt->user == NULL) || (authctxt->user[0] == '\0')) {
+ PRIVSEP(ssh_gssapi_localname(&lname));
+ if (lname && lname[0] != '\0') {
-+ if (authctxt->user) xfree(authctxt->user);
++ if (authctxt->user) free(authctxt->user);
+ authctxt->user = lname;
+ debug("set username to %s from gssapi context", lname);
+ authctxt->pw = PRIVSEP(getpwnamallow(authctxt->user));
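Review bot: The `if (authctxt->user)` guard in front of `free(authctxt->user)` is a leftover from `xfree`, which rejected NULL. `free(NULL)` is a no-op, so the line can simply be `free(authctxt->user);`. The monitor.c hunk has the same pattern where `xfree(authctxt->user)` is replaced just before `authctxt->user = xstrdup(username);`. The enclosing function starts and ends outside this hunk.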
@@ -211,16 +211,16 @@ diff -Nur openssh-6.2p2.orig/auth2-gss.c openssh-6.2p2/auth2-gss.c
/*
* This is called when the client thinks we've completed authentication.
* It should only be enabled in the dispatch handler by the function above,
-@@ -269,6 +314,8 @@
+@@ -267,6 +312,8 @@
if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
fatal("No authentication or GSSAPI context");
+ gssapi_set_username(authctxt);
+
- gssctxt = authctxt->methoddata;
-
/*
-@@ -278,8 +325,13 @@
+ * We don't need to check the status, because we're only enabled in
+ * the dispatcher once the exchange is complete
+@@ -274,8 +321,13 @@
packet_check_eom();
@@ -236,7 +236,7 @@ diff -Nur openssh-6.2p2.orig/auth2-gss.c openssh-6.2p2/auth2-gss.c
authctxt->postponed = 0;
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-@@ -320,9 +372,16 @@
+@@ -316,9 +368,16 @@
gssbuf.value = buffer_ptr(&b);
gssbuf.length = buffer_len(&b);
@@ -255,7 +255,7 @@ diff -Nur openssh-6.2p2.orig/auth2-gss.c openssh-6.2p2/auth2-gss.c
else
logit("GSSAPI MIC check failed");
-@@ -339,6 +398,23 @@
+@@ -335,6 +394,23 @@
userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
}
@@ -272,19 +272,19 @@ diff -Nur openssh-6.2p2.orig/auth2-gss.c openssh-6.2p2/auth2-gss.c
+ packet_put_cstring("");
+ packet_send();
+ packet_write_wait();
-+ xfree(errstr);
++ free(errstr);
+ }
+}
+
Authmethod method_gsskeyex = {
"gssapi-keyex",
userauth_gsskeyex,
-diff -Nur openssh-6.2p2.orig/auth.c openssh-6.2p2/auth.c
---- openssh-6.2p2.orig/auth.c 2013-06-24 05:46:18.050122003 +0200
-+++ openssh-6.2p2/auth.c 2013-06-24 05:47:42.364821170 +0200
-@@ -73,6 +73,9 @@
- #include "monitor_wrap.h"
+diff -Nur openssh-6.3p1.orig/auth.c openssh-6.3p1/auth.c
+--- openssh-6.3p1.orig/auth.c 2013-10-15 09:20:49.348205691 +0200
++++ openssh-6.3p1/auth.c 2013-10-15 09:21:48.388491376 +0200
+@@ -74,6 +74,9 @@
#include "krl.h"
+ #include "compat.h"
+#include "version.h"
+#include "ssh-globus-usage.h"
@@ -292,7 +292,7 @@ diff -Nur openssh-6.2p2.orig/auth.c openssh-6.2p2/auth.c
/* import */
extern ServerOptions options;
extern int use_privsep;
-@@ -280,7 +283,8 @@
+@@ -298,7 +301,8 @@
method,
submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod,
authctxt->valid ? "" : "invalid user ",
@@ -301,8 +301,8 @@ diff -Nur openssh-6.2p2.orig/auth.c openssh-6.2p2/auth.c
+ authctxt->user : "unknown",
get_remote_ipaddr(),
get_remote_port(),
- info);
-@@ -302,6 +306,21 @@
+ compat20 ? "ssh2" : "ssh1",
+@@ -324,6 +328,21 @@
if (authenticated == 0 && !authctxt->postponed)
audit_event(audit_classify_auth(method));
#endif
@@ -324,7 +324,7 @@ diff -Nur openssh-6.2p2.orig/auth.c openssh-6.2p2/auth.c
}
/*
-@@ -582,6 +601,10 @@
+@@ -604,6 +623,10 @@
#endif
pw = getpwnam(user);
@@ -335,7 +335,7 @@ diff -Nur openssh-6.2p2.orig/auth.c openssh-6.2p2/auth.c
#if defined(_AIX) && defined(HAVE_SETAUTHDB)
aix_restoreauthdb();
-@@ -601,7 +624,8 @@
+@@ -623,7 +646,8 @@
#endif
if (pw == NULL) {
logit("Invalid user %.100s from %.100s",
@@ -345,20 +345,20 @@ diff -Nur openssh-6.2p2.orig/auth.c openssh-6.2p2/auth.c
#ifdef CUSTOM_FAILED_LOGIN
record_failed_login(user,
get_canonical_hostname(options.use_dns), "ssh");
-diff -Nur openssh-6.2p2.orig/auth.h openssh-6.2p2/auth.h
---- openssh-6.2p2.orig/auth.h 2013-06-24 05:46:18.085122292 +0200
-+++ openssh-6.2p2/auth.h 2013-06-24 05:47:42.365821178 +0200
-@@ -155,6 +155,7 @@
- const char *);
+diff -Nur openssh-6.3p1.orig/auth.h openssh-6.3p1/auth.h
+--- openssh-6.3p1.orig/auth.h 2013-10-15 09:20:49.370205425 +0200
++++ openssh-6.3p1/auth.h 2013-10-15 09:21:48.388491376 +0200
+@@ -160,6 +160,7 @@
+ void auth_log(Authctxt *, int, int, const char *, const char *);
void userauth_finish(Authctxt *, int, const char *, const char *);
int auth_root_allowed(const char *);
+char *expand_authorized_keys(const char *filename, struct passwd *pw);
void userauth_send_banner(const char *);
-diff -Nur openssh-6.2p2.orig/auth-pam.c openssh-6.2p2/auth-pam.c
---- openssh-6.2p2.orig/auth-pam.c 2013-06-24 05:46:18.086122301 +0200
-+++ openssh-6.2p2/auth-pam.c 2013-06-24 05:47:42.366821186 +0200
+diff -Nur openssh-6.3p1.orig/auth-pam.c openssh-6.3p1/auth-pam.c
+--- openssh-6.3p1.orig/auth-pam.c 2013-10-15 09:20:49.369205437 +0200
++++ openssh-6.3p1/auth-pam.c 2013-10-15 09:37:13.865290723 +0200
@@ -122,6 +122,10 @@
*/
typedef pthread_t sp_pthread_t;
@@ -414,7 +414,7 @@ diff -Nur openssh-6.2p2.orig/auth-pam.c openssh-6.2p2/auth-pam.c
+ pwfree(sshpam_authctxt->pw);
+ sshpam_authctxt->pw = pwcopy(pw);
+ sshpam_authctxt->valid = allowed_user(pw);
-+ xfree(sshpam_authctxt->user);
++ free(sshpam_authctxt->user);
+ sshpam_authctxt->user = xstrdup(user);
+ debug("PAM: user '%.100s' now %svalid", user,
+ sshpam_authctxt->valid ? "" : "in");
@@ -453,7 +453,7 @@ diff -Nur openssh-6.2p2.orig/auth-pam.c openssh-6.2p2/auth-pam.c
/* Import environment from subprocess */
num_env = buffer_get_int(b);
-@@ -474,6 +538,13 @@
+@@ -473,6 +537,13 @@
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
@@ -467,7 +467,7 @@ diff -Nur openssh-6.2p2.orig/auth-pam.c openssh-6.2p2/auth-pam.c
if (compat20) {
if (!do_pam_account()) {
sshpam_err = PAM_ACCT_EXPIRED;
-@@ -494,6 +565,11 @@
+@@ -493,6 +564,11 @@
/* Export variables set by do_pam_account */
buffer_put_int(&buffer, sshpam_account_status);
buffer_put_int(&buffer, sshpam_authctxt->force_pwchange);
@@ -479,7 +479,7 @@ diff -Nur openssh-6.2p2.orig/auth-pam.c openssh-6.2p2/auth-pam.c
/* Export any environment strings set in child */
for(i = 0; environ[i] != NULL; i++)
-@@ -912,6 +988,18 @@
+@@ -910,6 +986,18 @@
debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err,
pam_strerror(sshpam_handle, sshpam_err));
@@ -498,7 +498,7 @@ diff -Nur openssh-6.2p2.orig/auth-pam.c openssh-6.2p2/auth-pam.c
if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {
sshpam_account_status = 0;
return (sshpam_account_status);
-@@ -1211,6 +1299,9 @@
+@@ -1207,6 +1295,9 @@
pam_strerror(sshpam_handle, sshpam_err));
sshpam_err = pam_authenticate(sshpam_handle, flags);
@@ -508,9 +508,9 @@ diff -Nur openssh-6.2p2.orig/auth-pam.c openssh-6.2p2/auth-pam.c
sshpam_password = NULL;
if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
debug("PAM: password authentication accepted for %.100s",
-diff -Nur openssh-6.2p2.orig/auth-pam.h openssh-6.2p2/auth-pam.h
---- openssh-6.2p2.orig/auth-pam.h 2013-06-24 05:46:18.086122301 +0200
-+++ openssh-6.2p2/auth-pam.h 2013-06-24 05:47:42.366821186 +0200
+diff -Nur openssh-6.3p1.orig/auth-pam.h openssh-6.3p1/auth-pam.h
+--- openssh-6.3p1.orig/auth-pam.h 2013-10-15 09:20:49.369205437 +0200
++++ openssh-6.3p1/auth-pam.h 2013-10-15 09:21:48.389491364 +0200
@@ -46,5 +46,6 @@
void sshpam_cleanup(void);
int sshpam_auth_passwd(Authctxt *, const char *);
@@ -518,9 +518,9 @@ diff -Nur openssh-6.2p2.orig/auth-pam.h openssh-6.2p2/auth-pam.h
+struct passwd *sshpam_getpw(const char *);
#endif /* USE_PAM */
-diff -Nur openssh-6.2p2.orig/canohost.c openssh-6.2p2/canohost.c
---- openssh-6.2p2.orig/canohost.c 2013-06-24 05:46:18.124122615 +0200
-+++ openssh-6.2p2/canohost.c 2013-06-24 05:47:42.367821195 +0200
+diff -Nur openssh-6.3p1.orig/canohost.c openssh-6.3p1/canohost.c
+--- openssh-6.3p1.orig/canohost.c 2013-10-15 09:20:49.388205207 +0200
++++ openssh-6.3p1/canohost.c 2013-10-15 09:37:13.844290977 +0200
@@ -16,6 +16,7 @@
#include <sys/types.h>
@@ -529,7 +529,7 @@ diff -Nur openssh-6.2p2.orig/canohost.c openssh-6.2p2/canohost.c
#include <netinet/in.h>
#include <arpa/inet.h>
-@@ -453,3 +454,33 @@
+@@ -451,3 +452,33 @@
{
return get_port(1);
}
@@ -554,7 +554,7 @@ diff -Nur openssh-6.2p2.orig/canohost.c openssh-6.2p2/canohost.c
+ return;
+ }
+ hostinfo = gethostbyname(buf);
-+ xfree(*host);
++ free(*host);
+ if (hostinfo == NULL || hostinfo->h_name == NULL) {
+ *host = xstrdup(buf);
+ } else {
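Review bot: The name is still canonicalised with `gethostbyname(buf)`, which is obsolete, IPv4-only and returns a pointer into static storage; `getaddrinfo` with `AI_CANONNAME` is the current replacement. The answer is copied into `*host`. If that value feeds the GSSAPI target name, the service principal requested depends on an unauthenticated resolver answer; the gss-genr.c hunk frees an `xhost` next to the `GSS_C_NT_HOSTBASED_SERVICE` import, which suggests it does. That dependency deserves a comment at the call, for example `/* h_name comes from the resolver and is not authenticated */`. The function, presumably the `resolve_localhost` declared in canohost.h, starts outside this hunk.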
@@ -563,9 +563,9 @@ diff -Nur openssh-6.2p2.orig/canohost.c openssh-6.2p2/canohost.c
+ }
+ }
+}
-diff -Nur openssh-6.2p2.orig/canohost.h openssh-6.2p2/canohost.h
---- openssh-6.2p2.orig/canohost.h 2009-06-21 11:50:08.000000000 +0200
-+++ openssh-6.2p2/canohost.h 2013-06-24 05:47:42.367821195 +0200
+diff -Nur openssh-6.3p1.orig/canohost.h openssh-6.3p1/canohost.h
+--- openssh-6.3p1.orig/canohost.h 2009-06-21 11:50:08.000000000 +0200
++++ openssh-6.3p1/canohost.h 2013-10-15 09:21:48.390491352 +0200
@@ -26,4 +26,6 @@
int get_sock_port(int, int);
void clear_cached_addr(void);
@@ -573,10 +573,10 @@ diff -Nur openssh-6.2p2.orig/canohost.h openssh-6.2p2/canohost.h
+void resolve_localhost(char **host);
+
void ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *);
-diff -Nur openssh-6.2p2.orig/configure.ac openssh-6.2p2/configure.ac
---- openssh-6.2p2.orig/configure.ac 2013-06-24 05:46:18.232123507 +0200
-+++ openssh-6.2p2/configure.ac 2013-06-24 05:47:42.369821211 +0200
-@@ -3867,6 +3867,14 @@
+diff -Nur openssh-6.3p1.orig/configure.ac openssh-6.3p1/configure.ac
+--- openssh-6.3p1.orig/configure.ac 2013-10-15 09:20:49.443204542 +0200
++++ openssh-6.3p1/configure.ac 2013-10-15 09:21:48.391491340 +0200
+@@ -3902,6 +3902,14 @@
AC_CHECK_HEADER([gssapi_krb5.h], ,
[ CPPFLAGS="$oldCPP" ])
@@ -591,7 +591,7 @@ diff -Nur openssh-6.2p2.orig/configure.ac openssh-6.2p2/configure.ac
fi
if test ! -z "$need_dash_r" ; then
LDFLAGS="$LDFLAGS -R${KRB5ROOT}/lib"
-@@ -3901,6 +3909,50 @@
+@@ -3941,6 +3949,50 @@
AC_SUBST([GSSLIBS])
AC_SUBST([K5LIBS])
@@ -642,9 +642,9 @@ diff -Nur openssh-6.2p2.orig/configure.ac openssh-6.2p2/configure.ac
# Looking for programs, paths and files
PRIVSEP_PATH=/var/empty
-diff -Nur openssh-6.2p2.orig/gss-genr.c openssh-6.2p2/gss-genr.c
---- openssh-6.2p2.orig/gss-genr.c 2013-06-24 05:46:18.233123515 +0200
-+++ openssh-6.2p2/gss-genr.c 2013-06-24 05:47:42.370821220 +0200
+diff -Nur openssh-6.3p1.orig/gss-genr.c openssh-6.3p1/gss-genr.c
+--- openssh-6.3p1.orig/gss-genr.c 2013-10-15 09:20:49.443204542 +0200
++++ openssh-6.3p1/gss-genr.c 2013-10-15 09:28:56.674309793 +0200
@@ -38,6 +38,7 @@
#include "xmalloc.h"
#include "buffer.h"
@@ -677,13 +677,13 @@ diff -Nur openssh-6.2p2.orig/gss-genr.c openssh-6.2p2/gss-genr.c
&gssbuf, GSS_C_NT_HOSTBASED_SERVICE, &ctx->name)))
ssh_gssapi_error(ctx);
-+ xfree(xhost);
- xfree(gssbuf.value);
++ free(xhost);
+ free(gssbuf.value);
return (ctx->major);
}
-diff -Nur openssh-6.2p2.orig/gss-serv.c openssh-6.2p2/gss-serv.c
---- openssh-6.2p2.orig/gss-serv.c 2013-06-24 05:46:18.234123524 +0200
-+++ openssh-6.2p2/gss-serv.c 2013-06-24 05:47:42.370821220 +0200
+diff -Nur openssh-6.3p1.orig/gss-serv.c openssh-6.3p1/gss-serv.c
+--- openssh-6.3p1.orig/gss-serv.c 2013-10-15 09:20:49.444204530 +0200
++++ openssh-6.3p1/gss-serv.c 2013-10-15 09:21:48.392491328 +0200
@@ -52,6 +52,7 @@
#include "monitor_wrap.h"
@@ -897,9 +897,9 @@ diff -Nur openssh-6.2p2.orig/gss-serv.c openssh-6.2p2/gss-serv.c
+}
+
#endif
-diff -Nur openssh-6.2p2.orig/gss-serv-gsi.c openssh-6.2p2/gss-serv-gsi.c
---- openssh-6.2p2.orig/gss-serv-gsi.c 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-6.2p2/gss-serv-gsi.c 2013-06-24 05:47:42.371821228 +0200
+diff -Nur openssh-6.3p1.orig/gss-serv-gsi.c openssh-6.3p1/gss-serv-gsi.c
+--- openssh-6.3p1.orig/gss-serv-gsi.c 1970-01-01 01:00:00.000000000 +0100
++++ openssh-6.3p1/gss-serv-gsi.c 2013-10-15 09:37:13.856290832 +0200
@@ -0,0 +1,238 @@
+/*
+ * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -1110,7 +1110,7 @@ diff -Nur openssh-6.2p2.orig/gss-serv-gsi.c openssh-6.2p2/gss-serv-gsi.c
+ if (rename(p, client->store.filename) < 0) {
+ logit("Failed to rename %s to %s: %s", p,
+ client->store.filename, strerror(errno));
-+ xfree(client->store.filename);
++ free(client->store.filename);
+ client->store.filename = strdup(p);
+ } else {
+ p = client->store.filename;
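Review bot: In the failed-`rename` branch, `client->store.filename = strdup(p);` stores the result unchecked, so an allocation failure leaves `filename` NULL immediately after the old value was freed. Other code added by this patch uses `xstrdup`, for example `*host = xstrdup(buf);` in canohost.c. `client->store.filename = xstrdup(p);` would match that, assuming gss-serv-gsi.c includes xmalloc.h, which is not visible here. The enclosing function starts and ends outside this hunk.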
@@ -1139,10 +1139,10 @@ diff -Nur openssh-6.2p2.orig/gss-serv-gsi.c openssh-6.2p2/gss-serv-gsi.c
+
+#endif /* GSI */
+#endif /* GSSAPI */
-diff -Nur openssh-6.2p2.orig/gss-serv-krb5.c openssh-6.2p2/gss-serv-krb5.c
---- openssh-6.2p2.orig/gss-serv-krb5.c 2013-06-24 05:46:18.255123697 +0200
-+++ openssh-6.2p2/gss-serv-krb5.c 2013-06-24 05:47:42.372821236 +0200
-@@ -262,6 +262,34 @@
+diff -Nur openssh-6.3p1.orig/gss-serv-krb5.c openssh-6.3p1/gss-serv-krb5.c
+--- openssh-6.3p1.orig/gss-serv-krb5.c 2013-10-15 09:20:49.457204372 +0200
++++ openssh-6.3p1/gss-serv-krb5.c 2013-10-15 09:37:13.862290759 +0200
+@@ -263,6 +263,34 @@
return found_principal;
}
@@ -1167,7 +1167,7 @@ diff -Nur openssh-6.2p2.orig/gss-serv-krb5.c openssh-6.2p2/gss-serv-krb5.c
+ /* We've got to return a malloc'd string */
+ *user = (char *)xmalloc(256);
+ if (krb5_aname_to_localname(krb_context, princ, 256, *user)) {
-+ xfree(*user);
++ free(*user);
+ *user = NULL;
+ return(0);
+ }
@@ -1177,7 +1177,7 @@ diff -Nur openssh-6.2p2.orig/gss-serv-krb5.c openssh-6.2p2/gss-serv-krb5.c
/* This writes out any forwarded credentials from the structure populated
* during userauth. Called after we have setuid to the user */
-@@ -352,7 +380,7 @@
+@@ -358,7 +386,7 @@
return;
}
@@ -1186,7 +1186,7 @@ diff -Nur openssh-6.2p2.orig/gss-serv-krb5.c openssh-6.2p2/gss-serv-krb5.c
ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store,
ssh_gssapi_client *client)
{
-@@ -423,7 +451,7 @@
+@@ -429,7 +457,7 @@
{9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
NULL,
&ssh_gssapi_krb5_userok,
@@ -1195,9 +1195,9 @@ diff -Nur openssh-6.2p2.orig/gss-serv-krb5.c openssh-6.2p2/gss-serv-krb5.c
&ssh_gssapi_krb5_storecreds,
&ssh_gssapi_krb5_updatecreds
};
-diff -Nur openssh-6.2p2.orig/kexgsss.c openssh-6.2p2/kexgsss.c
---- openssh-6.2p2.orig/kexgsss.c 2013-06-24 05:46:18.237123548 +0200
-+++ openssh-6.2p2/kexgsss.c 2013-06-24 05:47:42.373821245 +0200
+diff -Nur openssh-6.3p1.orig/kexgsss.c openssh-6.3p1/kexgsss.c
+--- openssh-6.3p1.orig/kexgsss.c 2013-10-15 09:20:49.445204518 +0200
++++ openssh-6.3p1/kexgsss.c 2013-10-15 09:37:13.859290795 +0200
@@ -44,6 +44,7 @@
#include "monitor_wrap.h"
#include "servconf.h"
@@ -1253,13 +1253,13 @@ diff -Nur openssh-6.2p2.orig/kexgsss.c openssh-6.2p2/kexgsss.c
+ packet_send();
+ packet_write_wait();
+ /* XXX - We should probably log the error locally here */
-+ xfree(errstr);
++ free(errstr);
+ }
+}
#endif /* GSSAPI */
-diff -Nur openssh-6.2p2.orig/LICENSE.globus_usage openssh-6.2p2/LICENSE.globus_usage
---- openssh-6.2p2.orig/LICENSE.globus_usage 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-6.2p2/LICENSE.globus_usage 2013-06-24 05:47:42.373821245 +0200
+diff -Nur openssh-6.3p1.orig/LICENSE.globus_usage openssh-6.3p1/LICENSE.globus_usage
+--- openssh-6.3p1.orig/LICENSE.globus_usage 1970-01-01 01:00:00.000000000 +0100
++++ openssh-6.3p1/LICENSE.globus_usage 2013-10-15 09:21:48.393491316 +0200
@@ -0,0 +1,18 @@
+/*
+ * Portions of the Usage Metrics suport code are derived from the
@@ -1279,9 +1279,9 @@ diff -Nur openssh-6.2p2.orig/LICENSE.globus_usage openssh-6.2p2/LICENSE.globus_u
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
-diff -Nur openssh-6.2p2.orig/Makefile.in openssh-6.2p2/Makefile.in
---- openssh-6.2p2.orig/Makefile.in 2013-06-24 05:46:18.288123970 +0200
-+++ openssh-6.2p2/Makefile.in 2013-06-24 05:47:42.374821253 +0200
+diff -Nur openssh-6.3p1.orig/Makefile.in openssh-6.3p1/Makefile.in
+--- openssh-6.3p1.orig/Makefile.in 2013-10-15 09:20:49.441204566 +0200
++++ openssh-6.3p1/Makefile.in 2013-10-15 09:21:48.393491316 +0200
@@ -95,8 +95,10 @@
monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
auth-krb5.o \
@@ -1293,9 +1293,9 @@ diff -Nur openssh-6.2p2.orig/Makefile.in openssh-6.2p2/Makefile.in
roaming_common.o roaming_serv.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
sandbox-seccomp-filter.o
-diff -Nur openssh-6.2p2.orig/misc.c openssh-6.2p2/misc.c
---- openssh-6.2p2.orig/misc.c 2013-06-24 05:46:18.089122325 +0200
-+++ openssh-6.2p2/misc.c 2013-06-24 05:47:42.375821261 +0200
+diff -Nur openssh-6.3p1.orig/misc.c openssh-6.3p1/misc.c
+--- openssh-6.3p1.orig/misc.c 2013-10-15 09:20:49.371205413 +0200
++++ openssh-6.3p1/misc.c 2013-10-15 09:37:13.855290844 +0200
@@ -158,11 +158,14 @@
#define WHITESPACE " \t\r\n"
#define QUOTE "\""
@@ -1334,31 +1334,31 @@ diff -Nur openssh-6.2p2.orig/misc.c openssh-6.2p2/misc.c
*s = strpbrk(*s, WHITESPACE QUOTE "=");
if (*s == NULL)
return (old);
-@@ -223,6 +241,20 @@
+@@ -225,6 +243,20 @@
return copy;
}
+void
+pwfree(struct passwd *pw)
+{
-+ xfree(pw->pw_name);
-+ xfree(pw->pw_passwd);
-+ xfree(pw->pw_gecos);
++ free(pw->pw_name);
++ free(pw->pw_passwd);
++ free(pw->pw_gecos);
+#ifdef HAVE_PW_CLASS_IN_PASSWD
-+ xfree(pw->pw_class);
++ free(pw->pw_class);
+#endif
-+ xfree(pw->pw_dir);
-+ xfree(pw->pw_shell);
-+ xfree(pw);
++ free(pw->pw_dir);
++ free(pw->pw_shell);
++ free(pw);
+}
+
/*
* Convert ASCII string to TCP/IP port number.
* Port must be >=0 and <=65535.
-diff -Nur openssh-6.2p2.orig/misc.h openssh-6.2p2/misc.h
---- openssh-6.2p2.orig/misc.h 2011-05-05 06:14:34.000000000 +0200
-+++ openssh-6.2p2/misc.h 2013-06-24 05:47:42.375821261 +0200
-@@ -38,6 +38,7 @@
+diff -Nur openssh-6.3p1.orig/misc.h openssh-6.3p1/misc.h
+--- openssh-6.3p1.orig/misc.h 2013-06-01 23:46:16.000000000 +0200
++++ openssh-6.3p1/misc.h 2013-10-15 09:21:48.394491304 +0200
+@@ -39,6 +39,7 @@
void sock_set_v6only(int);
struct passwd *pwcopy(struct passwd *);
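Review bot: `pwfree` in the misc.c part of this hunk dereferences `pw` on its first line without checking it, so a caller that passes a NULL `struct passwd *` crashes. Adding `if (pw == NULL) return;` at the top would make it as safe to call as `free` itself. The auth-pam.c hunk calls `pwfree(sshpam_authctxt->pw)`, and whether that pointer can be NULL there is not visible. `pw_passwd` is also released without being cleared, which is worth a comment if the copy can hold a password hash.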
@@ -1366,10 +1366,10 @@ diff -Nur openssh-6.2p2.orig/misc.h openssh-6.2p2/misc.h
const char *ssh_gai_strerror(int);
typedef struct arglist arglist;
-diff -Nur openssh-6.2p2.orig/monitor.c openssh-6.2p2/monitor.c
---- openssh-6.2p2.orig/monitor.c 2013-06-24 05:46:18.239123565 +0200
-+++ openssh-6.2p2/monitor.c 2013-06-24 05:47:42.377821278 +0200
-@@ -187,6 +187,9 @@
+diff -Nur openssh-6.3p1.orig/monitor.c openssh-6.3p1/monitor.c
+--- openssh-6.3p1.orig/monitor.c 2013-10-15 09:20:49.446204506 +0200
++++ openssh-6.3p1/monitor.c 2013-10-15 09:37:13.852290880 +0200
+@@ -188,6 +188,9 @@
int mm_answer_gss_userok(int, Buffer *);
int mm_answer_gss_checkmic(int, Buffer *);
int mm_answer_gss_sign(int, Buffer *);
@@ -1379,7 +1379,7 @@ diff -Nur openssh-6.2p2.orig/monitor.c openssh-6.2p2/monitor.c
int mm_answer_gss_updatecreds(int, Buffer *);
#endif
-@@ -235,7 +238,7 @@
+@@ -236,7 +239,7 @@
struct mon_table mon_dispatch_proto20[] = {
{MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli},
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
@@ -1388,7 +1388,7 @@ diff -Nur openssh-6.2p2.orig/monitor.c openssh-6.2p2/monitor.c
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
#ifdef WITH_SELINUX
{MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
-@@ -243,7 +246,7 @@
+@@ -244,7 +247,7 @@
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
@@ -1397,7 +1397,7 @@ diff -Nur openssh-6.2p2.orig/monitor.c openssh-6.2p2/monitor.c
{MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
{MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
-@@ -273,6 +276,9 @@
+@@ -274,6 +277,9 @@
{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
{MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
@@ -1407,7 +1407,7 @@ diff -Nur openssh-6.2p2.orig/monitor.c openssh-6.2p2/monitor.c
#endif
#ifdef JPAKE
{MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
-@@ -289,6 +295,8 @@
+@@ -290,6 +296,8 @@
{MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
{MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
@@ -1416,7 +1416,7 @@ diff -Nur openssh-6.2p2.orig/monitor.c openssh-6.2p2/monitor.c
{MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
#endif
{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
-@@ -326,7 +334,7 @@
+@@ -327,7 +335,7 @@
{MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
#endif
#ifdef USE_PAM
@@ -1425,7 +1425,7 @@ diff -Nur openssh-6.2p2.orig/monitor.c openssh-6.2p2/monitor.c
{MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
{MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
{MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
-@@ -416,6 +424,8 @@
+@@ -417,6 +425,8 @@
#ifdef GSSAPI
/* and for the GSSAPI key exchange */
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
@@ -1443,7 +1443,7 @@ diff -Nur openssh-6.2p2.orig/monitor.c openssh-6.2p2/monitor.c
#endif
} else {
mon_dispatch = mon_dispatch_postauth15;
-@@ -800,14 +812,17 @@
+@@ -805,14 +817,17 @@
debug3("%s", __func__);
@@ -1454,7 +1454,7 @@ diff -Nur openssh-6.2p2.orig/monitor.c openssh-6.2p2/monitor.c
pwent = getpwnamallow(username);
-+ if (authctxt->user) xfree(authctxt->user);
++ if (authctxt->user) free(authctxt->user);
authctxt->user = xstrdup(username);
+#ifdef USE_PAM
+ if (options.permit_pam_user_change)
@@ -1462,9 +1462,9 @@ diff -Nur openssh-6.2p2.orig/monitor.c openssh-6.2p2/monitor.c
+ else
+#endif
setproctitle("%s [priv]", pwent ? username : "unknown");
- xfree(username);
+ free(username);
-@@ -2287,12 +2302,15 @@
+@@ -2306,12 +2321,15 @@
mm_answer_gss_userok(int sock, Buffer *m)
{
int authenticated;
@@ -1481,7 +1481,7 @@ diff -Nur openssh-6.2p2.orig/monitor.c openssh-6.2p2/monitor.c
buffer_clear(m);
buffer_put_int(m, authenticated);
-@@ -2300,12 +2318,77 @@
+@@ -2319,12 +2337,77 @@
debug3("%s: sending result %d", __func__, authenticated);
mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
@@ -1508,7 +1508,7 @@ diff -Nur openssh-6.2p2.orig/monitor.c openssh-6.2p2/monitor.c
+
+ mm_request_send(socket, MONITOR_ANS_GSSERR, m);
+
-+ xfree(msg);
++ free(msg);
+
+ return(0);
+}
@@ -1546,7 +1546,7 @@ diff -Nur openssh-6.2p2.orig/monitor.c openssh-6.2p2/monitor.c
+ if (name) {
+ buffer_put_cstring(m, name);
+ debug3("%s: sending result %s", __func__, name);
-+ xfree(name);
++ free(name);
+ } else {
+ buffer_put_cstring(m, "");
+ debug3("%s: sending result \"\"", __func__);
@@ -1560,9 +1560,9 @@ diff -Nur openssh-6.2p2.orig/monitor.c openssh-6.2p2/monitor.c
int
mm_answer_gss_sign(int socket, Buffer *m)
{
-diff -Nur openssh-6.2p2.orig/monitor.h openssh-6.2p2/monitor.h
---- openssh-6.2p2.orig/monitor.h 2013-06-24 05:46:18.239123565 +0200
-+++ openssh-6.2p2/monitor.h 2013-06-24 05:47:42.377821278 +0200
+diff -Nur openssh-6.3p1.orig/monitor.h openssh-6.3p1/monitor.h
+--- openssh-6.3p1.orig/monitor.h 2013-10-15 09:20:49.446204506 +0200
++++ openssh-6.3p1/monitor.h 2013-10-15 09:21:48.395491292 +0200
@@ -79,8 +79,10 @@
MONITOR_REQ_AUDIT_UNSUPPORTED = 118, MONITOR_ANS_AUDIT_UNSUPPORTED = 119,
MONITOR_REQ_AUDIT_KEX = 120, MONITOR_ANS_AUDIT_KEX = 121,
@@ -1576,10 +1576,10 @@ diff -Nur openssh-6.2p2.orig/monitor.h openssh-6.2p2/monitor.h
};
struct mm_master;
-diff -Nur openssh-6.2p2.orig/monitor_wrap.c openssh-6.2p2/monitor_wrap.c
---- openssh-6.2p2.orig/monitor_wrap.c 2013-06-24 05:46:18.240123573 +0200
-+++ openssh-6.2p2/monitor_wrap.c 2013-06-24 05:47:42.377821278 +0200
-@@ -1327,12 +1327,13 @@
+diff -Nur openssh-6.3p1.orig/monitor_wrap.c openssh-6.3p1/monitor_wrap.c
+--- openssh-6.3p1.orig/monitor_wrap.c 2013-10-15 09:20:49.447204493 +0200
++++ openssh-6.3p1/monitor_wrap.c 2013-10-15 09:21:48.396491279 +0200
+@@ -1329,12 +1329,13 @@
}
int
@@ -1594,7 +1594,7 @@ diff -Nur openssh-6.2p2.orig/monitor_wrap.c openssh-6.2p2/monitor_wrap.c
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, &m);
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUSEROK,
-@@ -1345,6 +1346,83 @@
+@@ -1347,6 +1348,83 @@
return (authenticated);
}
@@ -1678,9 +1678,9 @@ diff -Nur openssh-6.2p2.orig/monitor_wrap.c openssh-6.2p2/monitor_wrap.c
OM_uint32
mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash)
{
-diff -Nur openssh-6.2p2.orig/monitor_wrap.h openssh-6.2p2/monitor_wrap.h
---- openssh-6.2p2.orig/monitor_wrap.h 2013-06-24 05:46:18.240123573 +0200
-+++ openssh-6.2p2/monitor_wrap.h 2013-06-24 05:47:42.377821278 +0200
+diff -Nur openssh-6.3p1.orig/monitor_wrap.h openssh-6.3p1/monitor_wrap.h
+--- openssh-6.3p1.orig/monitor_wrap.h 2013-10-15 09:20:49.447204493 +0200
++++ openssh-6.3p1/monitor_wrap.h 2013-10-15 09:21:48.396491279 +0200
@@ -62,9 +62,13 @@
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
@@ -1696,10 +1696,10 @@ diff -Nur openssh-6.2p2.orig/monitor_wrap.h openssh-6.2p2/monitor_wrap.h
int mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *);
#endif
-diff -Nur openssh-6.2p2.orig/readconf.c openssh-6.2p2/readconf.c
---- openssh-6.2p2.orig/readconf.c 2013-06-24 05:46:18.240123573 +0200
-+++ openssh-6.2p2/readconf.c 2013-06-24 05:47:42.378821286 +0200
-@@ -1293,13 +1293,13 @@
+diff -Nur openssh-6.3p1.orig/readconf.c openssh-6.3p1/readconf.c
+--- openssh-6.3p1.orig/readconf.c 2013-10-15 09:20:49.447204493 +0200
++++ openssh-6.3p1/readconf.c 2013-10-15 09:21:48.397491267 +0200
+@@ -1303,13 +1303,13 @@
if (options->challenge_response_authentication == -1)
options->challenge_response_authentication = 1;
if (options->gss_authentication == -1)
@@ -1717,9 +1717,9 @@ diff -Nur openssh-6.2p2.orig/readconf.c openssh-6.2p2/readconf.c
if (options->gss_renewal_rekey == -1)
options->gss_renewal_rekey = 0;
if (options->password_authentication == -1)
-diff -Nur openssh-6.2p2.orig/readconf.h openssh-6.2p2/readconf.h
---- openssh-6.2p2.orig/readconf.h 2013-06-24 05:46:18.240123573 +0200
-+++ openssh-6.2p2/readconf.h 2013-06-24 05:47:42.378821286 +0200
+diff -Nur openssh-6.3p1.orig/readconf.h openssh-6.3p1/readconf.h
+--- openssh-6.3p1.orig/readconf.h 2013-10-15 09:20:49.448204481 +0200
++++ openssh-6.3p1/readconf.h 2013-10-15 09:21:48.397491267 +0200
@@ -88,6 +88,8 @@
char *host_key_alias; /* hostname alias for .ssh/known_hosts */
char *proxy_command; /* Proxy command for connecting the host. */
@@ -1729,10 +1729,10 @@ diff -Nur openssh-6.2p2.orig/readconf.h openssh-6.2p2/readconf.h
int escape_char; /* Escape character; -2 = none */
u_int num_system_hostfiles; /* Paths for /etc/ssh/ssh_known_hosts */
-diff -Nur openssh-6.2p2.orig/servconf.c openssh-6.2p2/servconf.c
---- openssh-6.2p2.orig/servconf.c 2013-06-24 05:46:18.256123705 +0200
-+++ openssh-6.2p2/servconf.c 2013-06-24 05:47:42.379821294 +0200
-@@ -67,6 +67,7 @@
+diff -Nur openssh-6.3p1.orig/servconf.c openssh-6.3p1/servconf.c
+--- openssh-6.3p1.orig/servconf.c 2013-10-15 09:20:49.458204360 +0200
++++ openssh-6.3p1/servconf.c 2013-10-15 09:21:48.398491255 +0200
+@@ -71,6 +71,7 @@
/* Portable-specific options */
options->use_pam = -1;
@@ -1740,7 +1740,7 @@ diff -Nur openssh-6.2p2.orig/servconf.c openssh-6.2p2/servconf.c
/* Standard Options */
options->num_ports = 0;
-@@ -102,9 +103,11 @@
+@@ -107,9 +108,11 @@
options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1;
options->gss_authentication=-1;
@@ -1752,7 +1752,7 @@ diff -Nur openssh-6.2p2.orig/servconf.c openssh-6.2p2/servconf.c
options->gss_store_rekey = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
-@@ -144,6 +147,8 @@
+@@ -151,6 +154,8 @@
options->authorized_keys_command = NULL;
options->authorized_keys_command_user = NULL;
options->zero_knowledge_password_authentication = -1;
@@ -1761,7 +1761,7 @@ diff -Nur openssh-6.2p2.orig/servconf.c openssh-6.2p2/servconf.c
options->revoked_keys_file = NULL;
options->trusted_user_ca_keys = NULL;
options->authorized_principals_file = NULL;
-@@ -159,6 +164,8 @@
+@@ -166,6 +171,8 @@
/* Portable-specific options */
if (options->use_pam == -1)
options->use_pam = 0;
@@ -1770,7 +1770,7 @@ diff -Nur openssh-6.2p2.orig/servconf.c openssh-6.2p2/servconf.c
/* Standard Options */
if (options->protocol == SSH_PROTO_UNKNOWN)
-@@ -237,13 +244,17 @@
+@@ -244,13 +251,17 @@
if (options->kerberos_get_afs_token == -1)
options->kerberos_get_afs_token = 0;
if (options->gss_authentication == -1)
@@ -1790,7 +1790,7 @@ diff -Nur openssh-6.2p2.orig/servconf.c openssh-6.2p2/servconf.c
if (options->gss_store_rekey == -1)
options->gss_store_rekey = 0;
if (options->password_authentication == -1)
-@@ -322,7 +333,7 @@
+@@ -333,7 +344,7 @@
typedef enum {
sBadOption, /* == unknown option */
/* Portable-specific options */
@@ -1799,7 +1799,7 @@ diff -Nur openssh-6.2p2.orig/servconf.c openssh-6.2p2/servconf.c
/* Standard Options */
sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
sPermitRootLogin, sLogFacility, sLogLevel,
-@@ -343,11 +354,15 @@
+@@ -354,11 +365,15 @@
sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile,
@@ -1815,7 +1815,7 @@ diff -Nur openssh-6.2p2.orig/servconf.c openssh-6.2p2/servconf.c
sZeroKnowledgePasswordAuthentication, sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
sKexAlgorithms, sIPQoS, sVersionAddendum,
-@@ -369,8 +384,10 @@
+@@ -380,8 +395,10 @@
/* Portable-specific options */
#ifdef USE_PAM
{ "usepam", sUsePAM, SSHCFG_GLOBAL },
@@ -1826,7 +1826,7 @@ diff -Nur openssh-6.2p2.orig/servconf.c openssh-6.2p2/servconf.c
#endif
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
/* Standard Options */
-@@ -412,15 +429,25 @@
+@@ -424,15 +441,25 @@
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
@@ -1852,7 +1852,7 @@ diff -Nur openssh-6.2p2.orig/servconf.c openssh-6.2p2/servconf.c
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
-@@ -484,6 +511,8 @@
+@@ -497,6 +524,8 @@
{ "permitopen", sPermitOpen, SSHCFG_ALL },
{ "forcecommand", sForceCommand, SSHCFG_ALL },
{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
@@ -1861,7 +1861,7 @@ diff -Nur openssh-6.2p2.orig/servconf.c openssh-6.2p2/servconf.c
{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
-@@ -876,6 +905,10 @@
+@@ -889,6 +918,10 @@
intptr = &options->use_pam;
goto parse_flag;
@@ -1872,7 +1872,7 @@ diff -Nur openssh-6.2p2.orig/servconf.c openssh-6.2p2/servconf.c
/* Standard Options */
case sBadOption:
return -1;
-@@ -1080,6 +1113,10 @@
+@@ -1104,6 +1137,10 @@
intptr = &options->gss_authentication;
goto parse_flag;
@@ -1883,7 +1883,7 @@ diff -Nur openssh-6.2p2.orig/servconf.c openssh-6.2p2/servconf.c
case sGssKeyEx:
intptr = &options->gss_keyex;
goto parse_flag;
-@@ -1088,6 +1125,10 @@
+@@ -1112,6 +1149,10 @@
intptr = &options->gss_cleanup_creds;
goto parse_flag;
@@ -1894,7 +1894,7 @@ diff -Nur openssh-6.2p2.orig/servconf.c openssh-6.2p2/servconf.c
case sGssStrictAcceptor:
intptr = &options->gss_strict_acceptor;
goto parse_flag;
-@@ -1096,6 +1137,12 @@
+@@ -1120,6 +1161,12 @@
intptr = &options->gss_store_rekey;
goto parse_flag;
@@ -1907,7 +1907,7 @@ diff -Nur openssh-6.2p2.orig/servconf.c openssh-6.2p2/servconf.c
case sPasswordAuthentication:
intptr = &options->password_authentication;
goto parse_flag;
-@@ -1526,6 +1573,18 @@
+@@ -1581,6 +1628,18 @@
*charptr = xstrdup(arg);
break;
@@ -1926,7 +1926,7 @@ diff -Nur openssh-6.2p2.orig/servconf.c openssh-6.2p2/servconf.c
case sTrustedUserCAKeys:
charptr = &options->trusted_user_ca_keys;
goto parse_filename;
-@@ -1747,6 +1806,7 @@
+@@ -1801,6 +1860,7 @@
{
M_CP_INTOPT(password_authentication);
M_CP_INTOPT(gss_authentication);
@@ -1934,10 +1934,10 @@ diff -Nur openssh-6.2p2.orig/servconf.c openssh-6.2p2/servconf.c
M_CP_INTOPT(rsa_authentication);
M_CP_INTOPT(pubkey_authentication);
M_CP_INTOPT(kerberos_authentication);
-diff -Nur openssh-6.2p2.orig/servconf.h openssh-6.2p2/servconf.h
---- openssh-6.2p2.orig/servconf.h 2013-06-24 05:46:18.256123705 +0200
-+++ openssh-6.2p2/servconf.h 2013-06-24 05:47:42.379821294 +0200
-@@ -109,9 +109,12 @@
+diff -Nur openssh-6.3p1.orig/servconf.h openssh-6.3p1/servconf.h
+--- openssh-6.3p1.orig/servconf.h 2013-10-15 09:20:49.458204360 +0200
++++ openssh-6.3p1/servconf.h 2013-10-15 09:21:48.398491255 +0200
+@@ -110,9 +110,12 @@
* file on logout. */
int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */
@@ -1950,7 +1950,7 @@ diff -Nur openssh-6.2p2.orig/servconf.h openssh-6.2p2/servconf.h
int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
int gss_store_rekey;
int password_authentication; /* If true, permit password
-@@ -168,6 +171,7 @@
+@@ -169,6 +172,7 @@
char *adm_forced_command;
int use_pam; /* Enable auth via PAM */
@@ -1958,7 +1958,7 @@ diff -Nur openssh-6.2p2.orig/servconf.h openssh-6.2p2/servconf.h
int permit_tun;
-@@ -175,6 +179,10 @@
+@@ -176,6 +180,10 @@
int use_kuserok;
char *chroot_directory;
@@ -1969,10 +1969,10 @@ diff -Nur openssh-6.2p2.orig/servconf.h openssh-6.2p2/servconf.h
char *revoked_keys_file;
char *trusted_user_ca_keys;
char *authorized_principals_file;
-diff -Nur openssh-6.2p2.orig/ssh.1 openssh-6.2p2/ssh.1
---- openssh-6.2p2.orig/ssh.1 2013-06-24 05:46:18.202123259 +0200
-+++ openssh-6.2p2/ssh.1 2013-06-24 05:47:42.380821303 +0200
-@@ -1263,6 +1263,18 @@
+diff -Nur openssh-6.3p1.orig/ssh.1 openssh-6.3p1/ssh.1
+--- openssh-6.3p1.orig/ssh.1 2013-10-15 09:20:49.427204735 +0200
++++ openssh-6.3p1/ssh.1 2013-10-15 09:21:48.399491243 +0200
+@@ -1281,6 +1281,18 @@
on to new connections).
.It Ev USER
Set to the name of the user logging in.
@@ -1991,10 +1991,10 @@ diff -Nur openssh-6.2p2.orig/ssh.1 openssh-6.2p2/ssh.1
.El
.Pp
Additionally,
-diff -Nur openssh-6.2p2.orig/ssh.c openssh-6.2p2/ssh.c
---- openssh-6.2p2.orig/ssh.c 2013-06-24 05:46:18.163122937 +0200
-+++ openssh-6.2p2/ssh.c 2013-06-24 05:47:42.380821303 +0200
-@@ -686,6 +686,32 @@
+diff -Nur openssh-6.3p1.orig/ssh.c openssh-6.3p1/ssh.c
+--- openssh-6.3p1.orig/ssh.c 2013-10-15 09:20:49.408204965 +0200
++++ openssh-6.3p1/ssh.c 2013-10-15 09:21:48.400491231 +0200
+@@ -718,6 +718,32 @@
fatal("Can't open user config file %.100s: "
"%.100s", config, strerror(errno));
} else {
@@ -2027,7 +2027,7 @@ diff -Nur openssh-6.2p2.orig/ssh.c openssh-6.2p2/ssh.c
r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir,
_PATH_SSH_USER_CONFFILE);
if (r > 0 && (size_t)r < sizeof(buf))
-@@ -731,8 +757,12 @@
+@@ -763,8 +789,12 @@
logit("FIPS mode initialized");
}
@@ -2041,9 +2041,9 @@ diff -Nur openssh-6.2p2.orig/ssh.c openssh-6.2p2/ssh.c
/* Get default port if port has not been set. */
if (options.port == 0) {
-diff -Nur openssh-6.2p2.orig/ssh_config openssh-6.2p2/ssh_config
---- openssh-6.2p2.orig/ssh_config 2013-06-24 05:46:18.242123590 +0200
-+++ openssh-6.2p2/ssh_config 2013-06-24 05:47:42.380821303 +0200
+diff -Nur openssh-6.3p1.orig/ssh_config openssh-6.3p1/ssh_config
+--- openssh-6.3p1.orig/ssh_config 2013-10-15 09:20:49.449204469 +0200
++++ openssh-6.3p1/ssh_config 2013-10-15 09:21:48.400491231 +0200
@@ -24,10 +24,10 @@
# RSAAuthentication yes
# PasswordAuthentication yes
@@ -2059,9 +2059,9 @@ diff -Nur openssh-6.2p2.orig/ssh_config openssh-6.2p2/ssh_config
# BatchMode no
# CheckHostIP yes
# AddressFamily any
-diff -Nur openssh-6.2p2.orig/ssh_config.5 openssh-6.2p2/ssh_config.5
---- openssh-6.2p2.orig/ssh_config.5 2013-06-24 05:46:18.242123590 +0200
-+++ openssh-6.2p2/ssh_config.5 2013-06-24 05:47:42.381821311 +0200
+diff -Nur openssh-6.3p1.orig/ssh_config.5 openssh-6.3p1/ssh_config.5
+--- openssh-6.3p1.orig/ssh_config.5 2013-10-15 09:20:49.449204469 +0200
++++ openssh-6.3p1/ssh_config.5 2013-10-15 09:21:48.400491231 +0200
@@ -55,6 +55,12 @@
user's configuration file
.Pq Pa ~/.ssh/config
@@ -2075,10 +2075,10 @@ diff -Nur openssh-6.2p2.orig/ssh_config.5 openssh-6.2p2/ssh_config.5
system-wide configuration file
.Pq Pa /etc/ssh/ssh_config
.El
-diff -Nur openssh-6.2p2.orig/sshconnect2.c openssh-6.2p2/sshconnect2.c
---- openssh-6.2p2.orig/sshconnect2.c 2013-06-24 05:46:18.251123664 +0200
-+++ openssh-6.2p2/sshconnect2.c 2013-06-24 05:47:42.381821311 +0200
-@@ -702,6 +702,11 @@
+diff -Nur openssh-6.3p1.orig/sshconnect2.c openssh-6.3p1/sshconnect2.c
+--- openssh-6.3p1.orig/sshconnect2.c 2013-10-15 09:20:49.456204385 +0200
++++ openssh-6.3p1/sshconnect2.c 2013-10-15 09:21:48.401491219 +0200
+@@ -700,6 +700,11 @@
int ok = 0;
const char *gss_host = NULL;
@@ -2090,8 +2090,8 @@ diff -Nur openssh-6.2p2.orig/sshconnect2.c openssh-6.2p2/sshconnect2.c
if (options.gss_server_identity)
gss_host = options.gss_server_identity;
else if (options.gss_trust_dns) {
-@@ -936,6 +941,15 @@
- xfree(lang);
+@@ -933,6 +938,15 @@
+ free(lang);
}
+#ifdef GSI
@@ -2106,7 +2106,7 @@ diff -Nur openssh-6.2p2.orig/sshconnect2.c openssh-6.2p2/sshconnect2.c
int
userauth_gsskeyex(Authctxt *authctxt)
{
-@@ -953,8 +967,16 @@
+@@ -950,8 +964,16 @@
return (0);
}
@@ -2123,7 +2123,7 @@ diff -Nur openssh-6.2p2.orig/sshconnect2.c openssh-6.2p2/sshconnect2.c
gssbuf.value = buffer_ptr(&b);
gssbuf.length = buffer_len(&b);
-@@ -965,7 +987,15 @@
+@@ -962,7 +984,15 @@
}
packet_start(SSH2_MSG_USERAUTH_REQUEST);
@@ -2139,10 +2139,10 @@ diff -Nur openssh-6.2p2.orig/sshconnect2.c openssh-6.2p2/sshconnect2.c
packet_put_cstring(authctxt->service);
packet_put_cstring(authctxt->method->name);
packet_put_string(mic.value, mic.length);
-diff -Nur openssh-6.2p2.orig/sshd.8 openssh-6.2p2/sshd.8
---- openssh-6.2p2.orig/sshd.8 2013-06-24 05:46:18.247123631 +0200
-+++ openssh-6.2p2/sshd.8 2013-06-24 05:47:42.382821319 +0200
-@@ -762,6 +762,44 @@
+diff -Nur openssh-6.3p1.orig/sshd.8 openssh-6.3p1/sshd.8
+--- openssh-6.3p1.orig/sshd.8 2013-10-15 09:20:49.454204409 +0200
++++ openssh-6.3p1/sshd.8 2013-10-15 09:21:48.402491207 +0200
+@@ -763,6 +763,44 @@
# A CA key, accepted for any host in *.mydomain.com or *.mydomain.org
@cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...
.Ed
@@ -2187,10 +2187,10 @@ diff -Nur openssh-6.2p2.orig/sshd.8 openssh-6.2p2/sshd.8
.Sh FILES
.Bl -tag -width Ds -compact
.It Pa ~/.hushlogin
-diff -Nur openssh-6.2p2.orig/sshd.c openssh-6.2p2/sshd.c
---- openssh-6.2p2.orig/sshd.c 2013-06-24 05:46:18.243123598 +0200
-+++ openssh-6.2p2/sshd.c 2013-06-24 05:47:42.383821328 +0200
-@@ -123,6 +123,7 @@
+diff -Nur openssh-6.3p1.orig/sshd.c openssh-6.3p1/sshd.c
+--- openssh-6.3p1.orig/sshd.c 2013-10-15 09:20:49.450204457 +0200
++++ openssh-6.3p1/sshd.c 2013-10-15 09:21:48.402491207 +0200
+@@ -124,6 +124,7 @@
#include "audit.h"
#include "ssh-sandbox.h"
#include "version.h"
@@ -2198,7 +2198,7 @@ diff -Nur openssh-6.2p2.orig/sshd.c openssh-6.2p2/sshd.c
#ifdef USE_SECURITY_SESSION_API
#include <Security/AuthSession.h>
-@@ -1643,6 +1644,13 @@
+@@ -1681,6 +1682,13 @@
/* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);
@@ -2212,7 +2212,7 @@ diff -Nur openssh-6.2p2.orig/sshd.c openssh-6.2p2/sshd.c
/* challenge-response is implemented via keyboard interactive */
if (options.challenge_response_authentication)
options.kbd_interactive_authentication = 1;
-@@ -2202,7 +2210,7 @@
+@@ -2266,7 +2274,7 @@
#endif
#ifdef GSSAPI
@@ -2221,10 +2221,10 @@ diff -Nur openssh-6.2p2.orig/sshd.c openssh-6.2p2/sshd.c
temporarily_use_uid(authctxt->pw);
ssh_gssapi_storecreds();
restore_uid();
-diff -Nur openssh-6.2p2.orig/sshd_config openssh-6.2p2/sshd_config
---- openssh-6.2p2.orig/sshd_config 2013-06-24 05:46:18.256123705 +0200
-+++ openssh-6.2p2/sshd_config 2013-06-24 05:47:42.383821328 +0200
-@@ -86,12 +86,11 @@
+diff -Nur openssh-6.3p1.orig/sshd_config openssh-6.3p1/sshd_config
+--- openssh-6.3p1.orig/sshd_config 2013-10-15 09:20:49.458204360 +0200
++++ openssh-6.3p1/sshd_config 2013-10-15 09:21:48.403491195 +0200
+@@ -89,12 +89,11 @@
#KerberosUseKuserok yes
# GSSAPI options
@@ -2240,7 +2240,7 @@ diff -Nur openssh-6.2p2.orig/sshd_config openssh-6.2p2/sshd_config
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
-@@ -107,6 +106,10 @@
+@@ -110,6 +109,10 @@
#UsePAM no
UsePAM yes
@@ -2251,7 +2251,7 @@ diff -Nur openssh-6.2p2.orig/sshd_config openssh-6.2p2/sshd_config
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
-@@ -152,3 +155,7 @@
+@@ -155,3 +158,7 @@
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
@@ -2259,11 +2259,11 @@ diff -Nur openssh-6.2p2.orig/sshd_config openssh-6.2p2/sshd_config
+# Usage Metrics
+#UsageStatsTargets usage-stats.cilogon.org:4810
+#DisableUsageStats no
-diff -Nur openssh-6.2p2.orig/sshd_config.5 openssh-6.2p2/sshd_config.5
---- openssh-6.2p2.orig/sshd_config.5 2013-06-24 05:46:18.257123714 +0200
-+++ openssh-6.2p2/sshd_config.5 2013-06-24 05:47:42.383821328 +0200
-@@ -437,6 +437,15 @@
- in
+diff -Nur openssh-6.3p1.orig/sshd_config.5 openssh-6.3p1/sshd_config.5
+--- openssh-6.3p1.orig/sshd_config.5 2013-10-15 09:20:49.458204360 +0200
++++ openssh-6.3p1/sshd_config.5 2013-10-15 09:21:48.404491183 +0200
+@@ -440,6 +440,15 @@
+ See PATTERNS in
.Xr ssh_config 5
for more information on patterns.
+.It Cm DisableUsageStats
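Review bot: The sample sshd_config lines `#UsageStatsTargets usage-stats.cilogon.org:4810` and `#DisableUsageStats no` read, by the usual sshd_config convention of showing defaults as comments, as if usage reporting to an external collector is on unless the administrator disables it. If that is the compiled-in default (the reporting code in ssh-globus-usage.c appears to be built only under HAVE_GLOBUS_USAGE, so this depends on the build), the packaged configuration should make the choice explicit, for example by shipping `DisableUsageStats yes` uncommented. The man page entry that begins on the last line of this hunk should also state what is sent and to which host. The rest of that entry lies outside this hunk.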
@@ -2278,7 +2278,7 @@ diff -Nur openssh-6.2p2.orig/sshd_config.5 openssh-6.2p2/sshd_config.5
.It Cm ForceCommand
Forces the execution of the command specified by
.Cm ForceCommand ,
-@@ -481,6 +490,10 @@
+@@ -484,6 +493,10 @@
The default is
.Dq no .
Note that this option applies to protocol version 2 only.
@@ -2289,7 +2289,7 @@ diff -Nur openssh-6.2p2.orig/sshd_config.5 openssh-6.2p2/sshd_config.5
.It Cm GSSAPIKeyExchange
Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
doesn't rely on ssh keys to verify host identity.
-@@ -493,6 +506,22 @@
+@@ -496,6 +509,22 @@
The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
@@ -2312,7 +2312,7 @@ diff -Nur openssh-6.2p2.orig/sshd_config.5 openssh-6.2p2/sshd_config.5
.It Cm GSSAPIStrictAcceptorCheck
Determines whether to be strict about the identity of the GSSAPI acceptor
a client authenticates against. If
-@@ -1121,6 +1150,121 @@
+@@ -1160,6 +1189,121 @@
.Pp
To disable TCP keepalive messages, the value should be set to
.Dq no .
@@ -2434,7 +2434,7 @@ diff -Nur openssh-6.2p2.orig/sshd_config.5 openssh-6.2p2/sshd_config.5
.It Cm TrustedUserCAKeys
Specifies a file containing public keys of certificate authorities that are
trusted to sign user certificates for authentication.
-@@ -1188,6 +1332,12 @@
+@@ -1225,6 +1369,12 @@
as a non-root user.
The default is
.Dq no .
@@ -2447,9 +2447,9 @@ diff -Nur openssh-6.2p2.orig/sshd_config.5 openssh-6.2p2/sshd_config.5
.It Cm UsePrivilegeSeparation
Specifies whether
.Xr sshd 8
-diff -Nur openssh-6.2p2.orig/ssh-globus-usage.c openssh-6.2p2/ssh-globus-usage.c
---- openssh-6.2p2.orig/ssh-globus-usage.c 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-6.2p2/ssh-globus-usage.c 2013-06-24 05:47:42.384821336 +0200
+diff -Nur openssh-6.3p1.orig/ssh-globus-usage.c openssh-6.3p1/ssh-globus-usage.c
+--- openssh-6.3p1.orig/ssh-globus-usage.c 1970-01-01 01:00:00.000000000 +0100
++++ openssh-6.3p1/ssh-globus-usage.c 2013-10-15 09:21:48.404491183 +0200
@@ -0,0 +1,396 @@
+/*
+ * Copyright 2009 The Board of Trustees of the University
@@ -2847,9 +2847,9 @@ diff -Nur openssh-6.2p2.orig/ssh-globus-usage.c openssh-6.2p2/ssh-globus-usage.c
+
+#endif /* HAVE_GLOBUS_USAGE */
+}
-diff -Nur openssh-6.2p2.orig/ssh-globus-usage.h openssh-6.2p2/ssh-globus-usage.h
---- openssh-6.2p2.orig/ssh-globus-usage.h 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-6.2p2/ssh-globus-usage.h 2013-06-24 05:47:42.384821336 +0200
+diff -Nur openssh-6.3p1.orig/ssh-globus-usage.h openssh-6.3p1/ssh-globus-usage.h
+--- openssh-6.3p1.orig/ssh-globus-usage.h 1970-01-01 01:00:00.000000000 +0100
++++ openssh-6.3p1/ssh-globus-usage.h 2013-10-15 09:21:48.404491183 +0200
@@ -0,0 +1,46 @@
+/*
+ * Copyright 2009 The Board of Trustees of the University
@@ -2897,9 +2897,9 @@ diff -Nur openssh-6.2p2.orig/ssh-globus-usage.h openssh-6.2p2/ssh-globus-usage.h
+ char *username, char *userdn);
+
+#endif /* __SSH_GLOBUS_USAGE_H */
-diff -Nur openssh-6.2p2.orig/ssh-gss.h openssh-6.2p2/ssh-gss.h
---- openssh-6.2p2.orig/ssh-gss.h 2013-06-24 05:46:18.247123631 +0200
-+++ openssh-6.2p2/ssh-gss.h 2013-06-24 05:47:42.384821336 +0200
+diff -Nur openssh-6.3p1.orig/ssh-gss.h openssh-6.3p1/ssh-gss.h
+--- openssh-6.3p1.orig/ssh-gss.h 2013-10-15 09:20:49.453204421 +0200
++++ openssh-6.3p1/ssh-gss.h 2013-10-15 09:21:48.404491183 +0200
@@ -91,6 +91,7 @@
gss_name_t name;
struct ssh_gssapi_mech_struct *mech;
@@ -2944,11 +2944,11 @@ diff -Nur openssh-6.2p2.orig/ssh-gss.h openssh-6.2p2/ssh-gss.h
#endif /* GSSAPI */
#endif /* _SSH_GSS_H */
-diff -Nur openssh-6.2p2.orig/version.h openssh-6.2p2/version.h
---- openssh-6.2p2.orig/version.h 2013-05-10 08:02:21.000000000 +0200
-+++ openssh-6.2p2/version.h 2013-06-24 05:47:42.384821336 +0200
+diff -Nur openssh-6.3p1.orig/version.h openssh-6.3p1/version.h
+--- openssh-6.3p1.orig/version.h 2013-07-25 03:57:15.000000000 +0200
++++ openssh-6.3p1/version.h 2013-10-15 09:30:36.116106161 +0200
@@ -1,6 +1,21 @@
- /* $OpenBSD: version.h,v 1.66 2013/02/10 21:19:34 markus Exp $ */
+ /* $OpenBSD: version.h,v 1.67 2013/07/25 00:57:37 djm Exp $ */
+#ifdef GSI
+#define GSI_VERSION " GSI"
@@ -2962,11 +2962,11 @@ diff -Nur openssh-6.2p2.orig/version.h openssh-6.2p2/version.h
+#define KRB5_VERSION ""
+#endif
+
-+#define NCSA_VERSION " GSI_GSSAPI_20130516"
++#define NCSA_VERSION " GSI_GSSAPI_20130916"
+
- #define SSH_VERSION "OpenSSH_6.2"
+ #define SSH_VERSION "OpenSSH_6.3"
- #define SSH_PORTABLE "p2"
+ #define SSH_PORTABLE "p1"
-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE \
+ NCSA_VERSION GSI_VERSION KRB5_VERSION
diff --git a/openssh-6.2p1-gsskex.patch b/openssh-6.3p1-gsskex.patch
similarity index 88%
rename from openssh-6.2p1-gsskex.patch
rename to openssh-6.3p1-gsskex.patch
index f1fe8d1..7161b34 100644
--- a/openssh-6.2p1-gsskex.patch
+++ b/openssh-6.3p1-gsskex.patch
@@ -1,102 +1,143 @@
-diff -up openssh-6.2p1/auth2.c.gsskex openssh-6.2p1/auth2.c
---- openssh-6.2p1/auth2.c.gsskex 2013-03-27 13:19:11.062624591 +0100
-+++ openssh-6.2p1/auth2.c 2013-03-27 13:19:11.140624271 +0100
-@@ -69,6 +69,7 @@ extern Authmethod method_passwd;
- extern Authmethod method_kbdint;
- extern Authmethod method_hostbased;
- #ifdef GSSAPI
-+extern Authmethod method_gsskeyex;
- extern Authmethod method_gssapi;
- #endif
- #ifdef JPAKE
-@@ -79,6 +80,7 @@ Authmethod *authmethods[] = {
- &method_none,
- &method_pubkey,
- #ifdef GSSAPI
-+ &method_gsskeyex,
- &method_gssapi,
- #endif
- #ifdef JPAKE
-diff -up openssh-6.2p1/auth2-gss.c.gsskex openssh-6.2p1/auth2-gss.c
---- openssh-6.2p1/auth2-gss.c.gsskex 2013-03-27 13:19:11.062624591 +0100
-+++ openssh-6.2p1/auth2-gss.c 2013-03-27 13:19:11.141624267 +0100
-@@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u
- static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
- static void input_gssapi_errtok(int, u_int32_t, void *);
-
-+/*
-+ * The 'gssapi_keyex' userauth mechanism.
-+ */
-+static int
-+userauth_gsskeyex(Authctxt *authctxt)
-+{
-+ int authenticated = 0;
-+ Buffer b;
-+ gss_buffer_desc mic, gssbuf;
-+ u_int len;
+diff -up openssh-6.3p1/ChangeLog.gssapi.gsskex openssh-6.3p1/ChangeLog.gssapi
+--- openssh-6.3p1/ChangeLog.gssapi.gsskex 2013-10-11 15:15:17.284216176 +0200
++++ openssh-6.3p1/ChangeLog.gssapi 2013-10-11 15:15:17.284216176 +0200
+@@ -0,0 +1,113 @@
++20110101
++ - Finally update for OpenSSH 5.6p1
++ - Add GSSAPIServerIdentity option from Jim Basney
++
++20100308
++ - [ Makefile.in, key.c, key.h ]
++ Updates for OpenSSH 5.4p1
++ - [ servconf.c ]
++ Include GSSAPI options in the sshd -T configuration dump, and flag
++ some older configuration options as being unsupported. Thanks to Colin
++ Watson.
++ -
+
-+ mic.value = packet_get_string(&len);
-+ mic.length = len;
++20100124
++ - [ sshconnect2.c ]
++ Adapt to deal with additional element in Authmethod structure. Thanks to
++ Colin Watson
+
-+ packet_check_eom();
++20090615
++ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
++ sshd.c ]
++ Fix issues identified by Greg Hudson following a code review
++ Check return value of gss_indicate_mechs
++ Protect GSSAPI calls in monitor, so they can only be used if enabled
++ Check return values of bignum functions in key exchange
++ Use BN_clear_free to clear other side's DH value
++ Make ssh_gssapi_id_kex more robust
++ Only configure kex table pointers if GSSAPI is enabled
++ Don't leak mechanism list, or gss mechanism list
++ Cast data.length before printing
++ If serverkey isn't provided, use an empty string, rather than NULL
+
-+ ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
-+ "gssapi-keyex");
++20090201
++ - [ gss-genr.c gss-serv.c kex.h kexgssc.c readconf.c readconf.h ssh-gss.h
++ ssh_config.5 sshconnet2.c ]
++ Add support for the GSSAPIClientIdentity option, which allows the user
++ to specify which GSSAPI identity to use to contact a given server
+
-+ gssbuf.value = buffer_ptr(&b);
-+ gssbuf.length = buffer_len(&b);
++20080404
++ - [ gss-serv.c ]
++ Add code to actually implement GSSAPIStrictAcceptCheck, which had somehow
++ been omitted from a previous version of this patch. Reported by Borislav
++ Stoichkov
+
-+ /* gss_kex_context is NULL with privsep, so we can't check it here */
-+ if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context,
-+ &gssbuf, &mic))))
-+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
-+ authctxt->pw));
-+
-+ buffer_free(&b);
-+ xfree(mic.value);
++20070317
++ - [ gss-serv-krb5.c ]
++ Remove C99ism, where new_ccname was being declared in the middle of a
++ function
+
-+ return (authenticated);
-+}
++20061220
++ - [ servconf.c ]
++ Make default for GSSAPIStrictAcceptorCheck be Yes, to match previous, and
++ documented, behaviour. Reported by Dan Watson.
+
- /*
- * We only support those mechanisms that we know about (ie ones that we know
- * how to check local user kuserok and the like)
-@@ -244,7 +278,8 @@ input_gssapi_exchange_complete(int type,
-
- packet_check_eom();
-
-- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
-+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
-+ authctxt->pw));
-
- authctxt->postponed = 0;
- dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-@@ -286,7 +321,8 @@ input_gssapi_mic(int type, u_int32_t ple
- gssbuf.length = buffer_len(&b);
-
- if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
-- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
-+ authenticated =
-+ PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw));
- else
- logit("GSSAPI MIC check failed");
-
-@@ -303,6 +339,12 @@ input_gssapi_mic(int type, u_int32_t ple
- userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
- }
-
-+Authmethod method_gsskeyex = {
-+ "gssapi-keyex",
-+ userauth_gsskeyex,
-+ &options.gss_authentication
-+};
++20060910
++ - [ gss-genr.c kexgssc.c kexgsss.c kex.h monitor.c sshconnect2.c sshd.c
++ ssh-gss.h ]
++ add support for gss-group14-sha1 key exchange mechanisms
++ - [ gss-serv.c servconf.c servconf.h sshd_config sshd_config.5 ]
++ Add GSSAPIStrictAcceptorCheck option to allow the disabling of
++ acceptor principal checking on multi-homed machines.
++ <Bugzilla #928>
++ - [ sshd_config ssh_config ]
++ Add settings for GSSAPIKeyExchange and GSSAPITrustDNS to the sample
++ configuration files
++ - [ kexgss.c kegsss.c sshconnect2.c sshd.c ]
++ Code cleanup. Replace strlen/xmalloc/snprintf sequences with xasprintf()
++ Limit length of error messages displayed by client
+
- Authmethod method_gssapi = {
- "gssapi-with-mic",
- userauth_gssapi,
-diff -up openssh-6.2p1/auth-krb5.c.gsskex openssh-6.2p1/auth-krb5.c
---- openssh-6.2p1/auth-krb5.c.gsskex 2012-04-26 01:52:15.000000000 +0200
-+++ openssh-6.2p1/auth-krb5.c 2013-03-27 13:19:11.140624271 +0100
++20060909
++ - [ gss-genr.c gss-serv.c ]
++ move ssh_gssapi_acquire_cred() and ssh_gssapi_server_ctx to be server
++ only, where they belong
++ <Bugzilla #1225>
++
++20060829
++ - [ gss-serv-krb5.c ]
++ Fix CCAPI credentials cache name when creating KRB5CCNAME environment
++ variable
++
++20060828
++ - [ gss-genr.c ]
++ Avoid Heimdal context freeing problem
++ <Fixed upstream 20060829>
++
++20060818
++ - [ gss-genr.c ssh-gss.h sshconnect2.c ]
++ Make sure that SPENGO is disabled
++ <Bugzilla #1218 - Fixed upstream 20060818>
++
++20060421
++ - [ gssgenr.c, sshconnect2.c ]
++ a few type changes (signed versus unsigned, int versus size_t) to
++ fix compiler errors/warnings
++ (from jbasney AT ncsa.uiuc.edu)
++ - [ kexgssc.c, sshconnect2.c ]
++ fix uninitialized variable warnings
++ (from jbasney AT ncsa.uiuc.edu)
++ - [ gssgenr.c ]
++ pass oid to gss_display_status (helpful when using GSSAPI mechglue)
++ (from jbasney AT ncsa.uiuc.edu)
++ <Bugzilla #1220 >
++ - [ gss-serv-krb5.c ]
++ #ifdef HAVE_GSSAPI_KRB5 should be #ifdef HAVE_GSSAPI_KRB5_H
++ (from jbasney AT ncsa.uiuc.edu)
++ <Fixed upstream 20060304>
++ - [ readconf.c, readconf.h, ssh_config.5, sshconnect2.c
++ add client-side GssapiKeyExchange option
++ (from jbasney AT ncsa.uiuc.edu)
++ - [ sshconnect2.c ]
++ add support for GssapiTrustDns option for gssapi-with-mic
++ (from jbasney AT ncsa.uiuc.edu)
++ <gssapi-with-mic support is Bugzilla #1008>
+diff -up openssh-6.3p1/Makefile.in.gsskex openssh-6.3p1/Makefile.in
+--- openssh-6.3p1/Makefile.in.gsskex 2013-10-11 15:15:17.281216190 +0200
++++ openssh-6.3p1/Makefile.in 2013-10-11 15:15:17.289216153 +0200
+@@ -77,6 +77,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
+ atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
+ monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
+ kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
++ kexgssc.o \
+ msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
+ jpake.o schnorr.o ssh-pkcs11.o krl.o auditstub.o
+
+@@ -93,7 +94,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
+ auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
+ monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
+ auth-krb5.o \
+- auth2-gss.o gss-serv.o gss-serv-krb5.o \
++ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\
+ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
+ sftp-server.o sftp-common.o \
+ roaming_common.o roaming_serv.o \
+diff -up openssh-6.3p1/auth-krb5.c.gsskex openssh-6.3p1/auth-krb5.c
+--- openssh-6.3p1/auth-krb5.c.gsskex 2013-08-04 13:48:41.000000000 +0200
++++ openssh-6.3p1/auth-krb5.c 2013-10-11 15:43:50.261299742 +0200
@@ -50,6 +50,7 @@
#include <errno.h>
#include <unistd.h>
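Review bot: In the Makefile.in part of this hunk, the new SSHDOBJS line ends in `kexgsss.o\` with no space before the continuation backslash, unlike every neighbouring line. make joins continuation lines with a single space, so the build should be unaffected, but the inconsistency is easy to misread and fragile if the line is edited later. I would write it as `auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \`, matching the `kexgssc.o \` line added to LIBSSH_OBJS above it.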
@@ -112,8 +153,8 @@ diff -up openssh-6.2p1/auth-krb5.c.gsskex openssh-6.2p1/auth-krb5.c
+ const char *ccache_type;
int len;
char *client, *platform_client;
-
-@@ -166,12 +168,30 @@ auth_krb5_password(Authctxt *authctxt, c
+ const char *errmsg;
+@@ -177,12 +179,30 @@ auth_krb5_password(Authctxt *authctxt, c
goto out;
#endif
@@ -146,7 +187,7 @@ diff -up openssh-6.2p1/auth-krb5.c.gsskex openssh-6.2p1/auth-krb5.c
#ifdef USE_PAM
if (options.use_pam)
-@@ -208,10 +228,30 @@ auth_krb5_password(Authctxt *authctxt, c
+@@ -221,10 +241,30 @@ auth_krb5_password(Authctxt *authctxt, c
void
krb5_cleanup_proc(Authctxt *authctxt)
{
@@ -177,7 +218,7 @@ diff -up openssh-6.2p1/auth-krb5.c.gsskex openssh-6.2p1/auth-krb5.c
}
if (authctxt->krb5_user) {
krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
-@@ -226,31 +266,45 @@ krb5_cleanup_proc(Authctxt *authctxt)
+@@ -239,31 +279,45 @@ krb5_cleanup_proc(Authctxt *authctxt)
#ifndef HEIMDAL
krb5_error_code
ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
@@ -235,126 +276,105 @@ diff -up openssh-6.2p1/auth-krb5.c.gsskex openssh-6.2p1/auth-krb5.c
return (krb5_cc_resolve(ctx, ccname, ccache));
}
-diff -up openssh-6.2p1/ChangeLog.gssapi.gsskex openssh-6.2p1/ChangeLog.gssapi
---- openssh-6.2p1/ChangeLog.gssapi.gsskex 2013-03-27 13:19:11.143624259 +0100
-+++ openssh-6.2p1/ChangeLog.gssapi 2013-03-27 13:19:11.143624259 +0100
-@@ -0,0 +1,113 @@
-+20110101
-+ - Finally update for OpenSSH 5.6p1
-+ - Add GSSAPIServerIdentity option from Jim Basney
-+
-+20100308
-+ - [ Makefile.in, key.c, key.h ]
-+ Updates for OpenSSH 5.4p1
-+ - [ servconf.c ]
-+ Include GSSAPI options in the sshd -T configuration dump, and flag
-+ some older configuration options as being unsupported. Thanks to Colin
-+ Watson.
-+ -
-+
-+20100124
-+ - [ sshconnect2.c ]
-+ Adapt to deal with additional element in Authmethod structure. Thanks to
-+ Colin Watson
-+
-+20090615
-+ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
-+ sshd.c ]
-+ Fix issues identified by Greg Hudson following a code review
-+ Check return value of gss_indicate_mechs
-+ Protect GSSAPI calls in monitor, so they can only be used if enabled
-+ Check return values of bignum functions in key exchange
-+ Use BN_clear_free to clear other side's DH value
-+ Make ssh_gssapi_id_kex more robust
-+ Only configure kex table pointers if GSSAPI is enabled
-+ Don't leak mechanism list, or gss mechanism list
-+ Cast data.length before printing
-+ If serverkey isn't provided, use an empty string, rather than NULL
-+
-+20090201
-+ - [ gss-genr.c gss-serv.c kex.h kexgssc.c readconf.c readconf.h ssh-gss.h
-+ ssh_config.5 sshconnet2.c ]
-+ Add support for the GSSAPIClientIdentity option, which allows the user
-+ to specify which GSSAPI identity to use to contact a given server
-+
-+20080404
-+ - [ gss-serv.c ]
-+ Add code to actually implement GSSAPIStrictAcceptCheck, which had somehow
-+ been omitted from a previous version of this patch. Reported by Borislav
-+ Stoichkov
+diff -up openssh-6.3p1/auth2-gss.c.gsskex openssh-6.3p1/auth2-gss.c
+--- openssh-6.3p1/auth2-gss.c.gsskex 2013-10-11 15:15:17.213216506 +0200
++++ openssh-6.3p1/auth2-gss.c 2013-10-11 15:15:17.283216181 +0200
+@@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u
+ static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
+ static void input_gssapi_errtok(int, u_int32_t, void *);
+
++/*
++ * The 'gssapi_keyex' userauth mechanism.
++ */
++static int
++userauth_gsskeyex(Authctxt *authctxt)
++{
++ int authenticated = 0;
++ Buffer b;
++ gss_buffer_desc mic, gssbuf;
++ u_int len;
+
-+20070317
-+ - [ gss-serv-krb5.c ]
-+ Remove C99ism, where new_ccname was being declared in the middle of a
-+ function
++ mic.value = packet_get_string(&len);
++ mic.length = len;
+
-+20061220
-+ - [ servconf.c ]
-+ Make default for GSSAPIStrictAcceptorCheck be Yes, to match previous, and
-+ documented, behaviour. Reported by Dan Watson.
++ packet_check_eom();
+
-+20060910
-+ - [ gss-genr.c kexgssc.c kexgsss.c kex.h monitor.c sshconnect2.c sshd.c
-+ ssh-gss.h ]
-+ add support for gss-group14-sha1 key exchange mechanisms
-+ - [ gss-serv.c servconf.c servconf.h sshd_config sshd_config.5 ]
-+ Add GSSAPIStrictAcceptorCheck option to allow the disabling of
-+ acceptor principal checking on multi-homed machines.
-+ <Bugzilla #928>
-+ - [ sshd_config ssh_config ]
-+ Add settings for GSSAPIKeyExchange and GSSAPITrustDNS to the sample
-+ configuration files
-+ - [ kexgss.c kegsss.c sshconnect2.c sshd.c ]
-+ Code cleanup. Replace strlen/xmalloc/snprintf sequences with xasprintf()
-+ Limit length of error messages displayed by client
++ ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
++ "gssapi-keyex");
+
-+20060909
-+ - [ gss-genr.c gss-serv.c ]
-+ move ssh_gssapi_acquire_cred() and ssh_gssapi_server_ctx to be server
-+ only, where they belong
-+ <Bugzilla #1225>
++ gssbuf.value = buffer_ptr(&b);
++ gssbuf.length = buffer_len(&b);
+
-+20060829
-+ - [ gss-serv-krb5.c ]
-+ Fix CCAPI credentials cache name when creating KRB5CCNAME environment
-+ variable
++ /* gss_kex_context is NULL with privsep, so we can't check it here */
++ if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context,
++ &gssbuf, &mic))))
++ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
++ authctxt->pw));
++
++ buffer_free(&b);
++ free(mic.value);
+
-+20060828
-+ - [ gss-genr.c ]
-+ Avoid Heimdal context freeing problem
-+ <Fixed upstream 20060829>
++ return (authenticated);
++}
+
-+20060818
-+ - [ gss-genr.c ssh-gss.h sshconnect2.c ]
-+ Make sure that SPENGO is disabled
-+ <Bugzilla #1218 - Fixed upstream 20060818>
+ /*
+ * We only support those mechanisms that we know about (ie ones that we know
+ * how to check local user kuserok and the like)
+@@ -240,7 +274,8 @@ input_gssapi_exchange_complete(int type,
+
+ packet_check_eom();
+
+- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
++ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
++ authctxt->pw));
+
+ authctxt->postponed = 0;
+ dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
+@@ -282,7 +317,8 @@ input_gssapi_mic(int type, u_int32_t ple
+ gssbuf.length = buffer_len(&b);
+
+ if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
+- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
++ authenticated =
++ PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw));
+ else
+ logit("GSSAPI MIC check failed");
+
+@@ -299,6 +335,12 @@ input_gssapi_mic(int type, u_int32_t ple
+ userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
+ }
+
++Authmethod method_gsskeyex = {
++ "gssapi-keyex",
++ userauth_gsskeyex,
++ &options.gss_authentication
++};
+
-+20060421
-+ - [ gssgenr.c, sshconnect2.c ]
-+ a few type changes (signed versus unsigned, int versus size_t) to
-+ fix compiler errors/warnings
-+ (from jbasney AT ncsa.uiuc.edu)
-+ - [ kexgssc.c, sshconnect2.c ]
-+ fix uninitialized variable warnings
-+ (from jbasney AT ncsa.uiuc.edu)
-+ - [ gssgenr.c ]
-+ pass oid to gss_display_status (helpful when using GSSAPI mechglue)
-+ (from jbasney AT ncsa.uiuc.edu)
-+ <Bugzilla #1220 >
-+ - [ gss-serv-krb5.c ]
-+ #ifdef HAVE_GSSAPI_KRB5 should be #ifdef HAVE_GSSAPI_KRB5_H
-+ (from jbasney AT ncsa.uiuc.edu)
-+ <Fixed upstream 20060304>
-+ - [ readconf.c, readconf.h, ssh_config.5, sshconnect2.c
-+ add client-side GssapiKeyExchange option
-+ (from jbasney AT ncsa.uiuc.edu)
-+ - [ sshconnect2.c ]
-+ add support for GssapiTrustDns option for gssapi-with-mic
-+ (from jbasney AT ncsa.uiuc.edu)
-+ <gssapi-with-mic support is Bugzilla #1008>
-diff -up openssh-6.2p1/clientloop.c.gsskex openssh-6.2p1/clientloop.c
---- openssh-6.2p1/clientloop.c.gsskex 2013-03-27 13:19:11.001624842 +0100
-+++ openssh-6.2p1/clientloop.c 2013-03-27 13:19:11.141624267 +0100
+ Authmethod method_gssapi = {
+ "gssapi-with-mic",
+ userauth_gssapi,
+diff -up openssh-6.3p1/auth2.c.gsskex openssh-6.3p1/auth2.c
+--- openssh-6.3p1/auth2.c.gsskex 2013-10-11 15:15:17.214216502 +0200
++++ openssh-6.3p1/auth2.c 2013-10-11 15:15:17.283216181 +0200
+@@ -69,6 +69,7 @@ extern Authmethod method_passwd;
+ extern Authmethod method_kbdint;
+ extern Authmethod method_hostbased;
+ #ifdef GSSAPI
++extern Authmethod method_gsskeyex;
+ extern Authmethod method_gssapi;
+ #endif
+ #ifdef JPAKE
+@@ -79,6 +80,7 @@ Authmethod *authmethods[] = {
+ &method_none,
+ &method_pubkey,
+ #ifdef GSSAPI
++ &method_gsskeyex,
+ &method_gssapi,
+ #endif
+ #ifdef JPAKE
+diff -up openssh-6.3p1/clientloop.c.gsskex openssh-6.3p1/clientloop.c
+--- openssh-6.3p1/clientloop.c.gsskex 2013-10-11 15:15:17.178216669 +0200
++++ openssh-6.3p1/clientloop.c 2013-10-11 15:15:17.284216176 +0200
@@ -111,6 +111,10 @@
#include "msg.h"
#include "roaming.h"
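Review bot: `userauth_gsskeyex`, added in the auth2-gss.c section of this hunk, records nothing at this level when the MIC check fails, whereas `input_gssapi_mic` in the same section logs `GSSAPI MIC check failed` for the same condition. Unless `ssh_gssapi_checkmic` logs on its own (not visible here), a rejected gssapi-keyex attempt cannot be told apart in the server log from a user who simply failed the `ssh_gssapi_userok` check. Adding `else logit("GSSAPI MIC check failed");` after the `ssh_gssapi_userok` assignment would keep the two paths consistent. A short comment on `method_gsskeyex` would also help, stating that the method is switched by `options.gss_authentication` rather than by a key-exchange option.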
@@ -366,7 +386,7 @@ diff -up openssh-6.2p1/clientloop.c.gsskex openssh-6.2p1/clientloop.c
/* import options */
extern Options options;
-@@ -1599,6 +1603,15 @@ client_loop(int have_pty, int escape_cha
+@@ -1608,6 +1612,15 @@ client_loop(int have_pty, int escape_cha
/* Do channel operations unless rekeying in progress. */
if (!rekeying) {
channel_after_select(readset, writeset);
@@ -382,10 +402,10 @@ diff -up openssh-6.2p1/clientloop.c.gsskex openssh-6.2p1/clientloop.c
if (need_rekeying || packet_need_rekeying()) {
debug("need rekeying");
xxx_kex->done = 0;
-diff -up openssh-6.2p1/configure.ac.gsskex openssh-6.2p1/configure.ac
---- openssh-6.2p1/configure.ac.gsskex 2013-03-27 13:19:11.128624320 +0100
-+++ openssh-6.2p1/configure.ac 2013-03-27 13:19:11.142624263 +0100
-@@ -533,6 +533,30 @@ main() { if (NSVersionOfRunTimeLibrary("
+diff -up openssh-6.3p1/configure.ac.gsskex openssh-6.3p1/configure.ac
+--- openssh-6.3p1/configure.ac.gsskex 2013-10-11 15:15:17.273216227 +0200
++++ openssh-6.3p1/configure.ac 2013-10-11 15:15:17.285216171 +0200
+@@ -548,6 +548,30 @@ main() { if (NSVersionOfRunTimeLibrary("
[Use tunnel device compatibility to OpenBSD])
AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
[Prepend the address family to IP tunnel traffic])
@@ -416,18 +436,9 @@ diff -up openssh-6.2p1/configure.ac.gsskex openssh-6.2p1/configure.ac
m4_pattern_allow([AU_IPv])
AC_CHECK_DECL([AU_IPv4], [],
AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
-diff -up openssh-6.2p1/gss-genr.c.gsskex openssh-6.2p1/gss-genr.c
---- openssh-6.2p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200
-+++ openssh-6.2p1/gss-genr.c 2013-03-27 13:19:11.142624263 +0100
-@@ -1,7 +1,7 @@
- /* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */
-
- /*
-- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
-+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
+diff -up openssh-6.3p1/gss-genr.c.gsskex openssh-6.3p1/gss-genr.c
+--- openssh-6.3p1/gss-genr.c.gsskex 2013-06-01 23:31:18.000000000 +0200
++++ openssh-6.3p1/gss-genr.c 2013-10-11 15:15:17.286216167 +0200
@@ -39,12 +39,167 @@
#include "buffer.h"
#include "log.h"
@@ -494,8 +505,8 @@ diff -up openssh-6.2p1/gss-genr.c.gsskex openssh-6.2p1/gss-genr.c
+
+ if (gss_enc2oid != NULL) {
+ for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
-+ xfree(gss_enc2oid[i].encoded);
-+ xfree(gss_enc2oid);
++ free(gss_enc2oid[i].encoded);
++ free(gss_enc2oid);
+ }
+
+ gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) *
@@ -552,7 +563,7 @@ diff -up openssh-6.2p1/gss-genr.c.gsskex openssh-6.2p1/gss-genr.c
+ buffer_free(&buf);
+
+ if (strlen(mechs) == 0) {
-+ xfree(mechs);
++ free(mechs);
+ mechs = NULL;
+ }
+
@@ -705,70 +716,194 @@ diff -up openssh-6.2p1/gss-genr.c.gsskex openssh-6.2p1/gss-genr.c
+ if (GSS_ERROR(major) || intctx != NULL)
ssh_gssapi_delete_ctx(ctx);
- return (!GSS_ERROR(major));
+ return (!GSS_ERROR(major));
+ }
+
++int
++ssh_gssapi_credentials_updated(Gssctxt *ctxt) {
++ static gss_name_t saved_name = GSS_C_NO_NAME;
++ static OM_uint32 saved_lifetime = 0;
++ static gss_OID saved_mech = GSS_C_NO_OID;
++ static gss_name_t name;
++ static OM_uint32 last_call = 0;
++ OM_uint32 lifetime, now, major, minor;
++ int equal;
++ gss_cred_usage_t usage = GSS_C_INITIATE;
++
++ now = time(NULL);
++
++ if (ctxt) {
++ debug("Rekey has happened - updating saved versions");
++
++ if (saved_name != GSS_C_NO_NAME)
++ gss_release_name(&minor, &saved_name);
++
++ major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL,
++ &saved_name, &saved_lifetime, NULL, NULL);
++
++ if (!GSS_ERROR(major)) {
++ saved_mech = ctxt->oid;
++ saved_lifetime+= now;
++ } else {
++ /* Handle the error */
++ }
++ return 0;
++ }
++
++ if (now - last_call < 10)
++ return 0;
++
++ last_call = now;
++
++ if (saved_mech == GSS_C_NO_OID)
++ return 0;
++
++ major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL,
++ &name, &lifetime, NULL, NULL);
++ if (major == GSS_S_CREDENTIALS_EXPIRED)
++ return 0;
++ else if (GSS_ERROR(major))
++ return 0;
++
++ major = gss_compare_name(&minor, saved_name, name, &equal);
++ gss_release_name(&minor, &name);
++ if (GSS_ERROR(major))
++ return 0;
++
++ if (equal && (saved_lifetime < lifetime + now - 10))
++ return 1;
++
++ return 0;
++}
++
+ #endif /* GSSAPI */
+diff -up openssh-6.3p1/gss-serv-krb5.c.gsskex openssh-6.3p1/gss-serv-krb5.c
+--- openssh-6.3p1/gss-serv-krb5.c.gsskex 2013-07-20 05:35:45.000000000 +0200
++++ openssh-6.3p1/gss-serv-krb5.c 2013-10-11 15:26:02.165189578 +0200
+@@ -120,7 +120,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
+ krb5_error_code problem;
+ krb5_principal princ;
+ OM_uint32 maj_status, min_status;
+- int len;
++ const char *new_ccname, *new_cctype;
+ const char *errmsg;
+
+ if (client->creds == NULL) {
+@@ -174,11 +174,25 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
+ return;
+ }
+
+- client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
++ new_cctype = krb5_cc_get_type(krb_context, ccache);
++ new_ccname = krb5_cc_get_name(krb_context, ccache);
++
+ client->store.envvar = "KRB5CCNAME";
+- len = strlen(client->store.filename) + 6;
+- client->store.envval = xmalloc(len);
+- snprintf(client->store.envval, len, "FILE:%s", client->store.filename);
++#ifdef USE_CCAPI
++ xasprintf(&client->store.envval, "API:%s", new_ccname);
++ client->store.filename = NULL;
++#else
++ if (new_ccname[0] == ':')
++ new_ccname++;
++ xasprintf(&client->store.envval, "%s:%s", new_cctype, new_ccname);
++ if (strcmp(new_cctype, "DIR") == 0) {
++ char *p;
++ p = strrchr(client->store.envval, '/');
++ if (p)
++ *p = '\0';
++ }
++ client->store.filename = xstrdup(new_ccname);
++#endif
+
+ #ifdef USE_PAM
+ if (options.use_pam)
+@@ -190,6 +204,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
+ return;
}
+int
-+ssh_gssapi_credentials_updated(Gssctxt *ctxt) {
-+ static gss_name_t saved_name = GSS_C_NO_NAME;
-+ static OM_uint32 saved_lifetime = 0;
-+ static gss_OID saved_mech = GSS_C_NO_OID;
-+ static gss_name_t name;
-+ static OM_uint32 last_call = 0;
-+ OM_uint32 lifetime, now, major, minor;
-+ int equal;
-+ gss_cred_usage_t usage = GSS_C_INITIATE;
-+
-+ now = time(NULL);
-+
-+ if (ctxt) {
-+ debug("Rekey has happened - updating saved versions");
-+
-+ if (saved_name != GSS_C_NO_NAME)
-+ gss_release_name(&minor, &saved_name);
-+
-+ major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL,
-+ &saved_name, &saved_lifetime, NULL, NULL);
++ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store,
++ ssh_gssapi_client *client)
++{
++ krb5_ccache ccache = NULL;
++ krb5_principal principal = NULL;
++ char *name = NULL;
++ krb5_error_code problem;
++ OM_uint32 maj_status, min_status;
+
-+ if (!GSS_ERROR(major)) {
-+ saved_mech = ctxt->oid;
-+ saved_lifetime+= now;
-+ } else {
-+ /* Handle the error */
-+ }
++ if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) {
++ logit("krb5_cc_resolve(): %.100s",
++ krb5_get_err_text(krb_context, problem));
++ return 0;
++ }
++
++ /* Find out who the principal in this cache is */
++ if ((problem = krb5_cc_get_principal(krb_context, ccache,
++ &principal))) {
++ logit("krb5_cc_get_principal(): %.100s",
++ krb5_get_err_text(krb_context, problem));
++ krb5_cc_close(krb_context, ccache);
+ return 0;
+ }
+
-+ if (now - last_call < 10)
++ if ((problem = krb5_unparse_name(krb_context, principal, &name))) {
++ logit("krb5_unparse_name(): %.100s",
++ krb5_get_err_text(krb_context, problem));
++ krb5_free_principal(krb_context, principal);
++ krb5_cc_close(krb_context, ccache);
+ return 0;
++ }
+
-+ last_call = now;
+
-+ if (saved_mech == GSS_C_NO_OID)
-+ return 0;
-+
-+ major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL,
-+ &name, &lifetime, NULL, NULL);
-+ if (major == GSS_S_CREDENTIALS_EXPIRED)
-+ return 0;
-+ else if (GSS_ERROR(major))
++ if (strcmp(name,client->exportedname.value)!=0) {
++ debug("Name in local credentials cache differs. Not storing");
++ krb5_free_principal(krb_context, principal);
++ krb5_cc_close(krb_context, ccache);
++ krb5_free_unparsed_name(krb_context, name);
+ return 0;
++ }
++ krb5_free_unparsed_name(krb_context, name);
+
-+ major = gss_compare_name(&minor, saved_name, name, &equal);
-+ gss_release_name(&minor, &name);
-+ if (GSS_ERROR(major))
++ /* Name matches, so lets get on with it! */
++
++ if ((problem = krb5_cc_initialize(krb_context, ccache, principal))) {
++ logit("krb5_cc_initialize(): %.100s",
++ krb5_get_err_text(krb_context, problem));
++ krb5_free_principal(krb_context, principal);
++ krb5_cc_close(krb_context, ccache);
+ return 0;
++ }
+
-+ if (equal && (saved_lifetime < lifetime + now - 10))
-+ return 1;
++ krb5_free_principal(krb_context, principal);
+
-+ return 0;
++ if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds,
++ ccache))) {
++ logit("gss_krb5_copy_ccache() failed. Sorry!");
++ krb5_cc_close(krb_context, ccache);
++ return 0;
++ }
++
++ return 1;
+}
+
- #endif /* GSSAPI */
-diff -up openssh-6.2p1/gss-serv.c.gsskex openssh-6.2p1/gss-serv.c
---- openssh-6.2p1/gss-serv.c.gsskex 2011-08-05 22:16:46.000000000 +0200
-+++ openssh-6.2p1/gss-serv.c 2013-03-27 13:19:11.142624263 +0100
+ ssh_gssapi_mech gssapi_kerberos_mech = {
+ "toWM5Slw5Ew8Mqkay+al2g==",
+ "Kerberos",
+@@ -197,7 +276,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
+ NULL,
+ &ssh_gssapi_krb5_userok,
+ NULL,
+- &ssh_gssapi_krb5_storecreds
++ &ssh_gssapi_krb5_storecreds,
++ &ssh_gssapi_krb5_updatecreds
+ };
+
+ #endif /* KRB5 */
+diff -up openssh-6.3p1/gss-serv.c.gsskex openssh-6.3p1/gss-serv.c
+--- openssh-6.3p1/gss-serv.c.gsskex 2013-07-20 05:35:45.000000000 +0200
++++ openssh-6.3p1/gss-serv.c 2013-10-11 15:27:32.889763132 +0200
@@ -45,15 +45,20 @@
#include "channels.h"
#include "session.h"
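Review bot: `ssh_gssapi_krb5_updatecreds`, in the gss-serv-krb5.c section of this hunk, returns 1 on success without closing `ccache`. Every failure path after `krb5_cc_resolve` calls `krb5_cc_close`, but the path after a successful `gss_krb5_copy_ccache` does not. If this runs on each credential update after a rekey, as the name suggests, the handle is leaked once per update in a long-lived session; add `krb5_cc_close(krb_context, ccache);` before `return 1;`. Separately, `strcmp(name, client->exportedname.value)` relies on the exported name buffer being NUL-terminated, which nothing in this hunk establishes, so that should be confirmed where `exportedname` is filled in.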
@@ -783,7 +918,7 @@ diff -up openssh-6.2p1/gss-serv.c.gsskex openssh-6.2p1/gss-serv.c
static ssh_gssapi_client gssapi_client =
{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
-- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
+- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
+ GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL, {NULL, NULL, NULL}, 0, 0};
ssh_gssapi_mech gssapi_null_mech =
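Review bot: The replacement initializer for `gssapi_client` still lists three members for the credential store, `{NULL, NULL, NULL}`, while the upstream line it replaces was updated in this commit to four, `{NULL, NULL, NULL, NULL}`. C zero-initialises the omitted member, so behaviour should be unchanged, but the added line no longer mirrors the struct it initialises and will trip missing-initializer warnings. Assuming the store struct has four members in 6.3p1, as the removed line implies, the added line would read `GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL, {NULL, NULL, NULL, NULL}, 0, 0};`.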
@@ -1107,142 +1242,9 @@ diff -up openssh-6.2p1/gss-serv.c.gsskex openssh-6.2p1/gss-serv.c
}
#endif
-diff -up openssh-6.2p1/gss-serv-krb5.c.gsskex openssh-6.2p1/gss-serv-krb5.c
---- openssh-6.2p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200
-+++ openssh-6.2p1/gss-serv-krb5.c 2013-03-27 13:19:11.143624259 +0100
-@@ -1,7 +1,7 @@
- /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
-
- /*
-- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
-+ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
-@@ -119,7 +119,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
- krb5_error_code problem;
- krb5_principal princ;
- OM_uint32 maj_status, min_status;
-- int len;
-+ const char *new_ccname, *new_cctype;
-
- if (client->creds == NULL) {
- debug("No credentials stored");
-@@ -168,11 +168,25 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
- return;
- }
-
-- client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
-+ new_cctype = krb5_cc_get_type(krb_context, ccache);
-+ new_ccname = krb5_cc_get_name(krb_context, ccache);
-+
- client->store.envvar = "KRB5CCNAME";
-- len = strlen(client->store.filename) + 6;
-- client->store.envval = xmalloc(len);
-- snprintf(client->store.envval, len, "FILE:%s", client->store.filename);
-+#ifdef USE_CCAPI
-+ xasprintf(&client->store.envval, "API:%s", new_ccname);
-+ client->store.filename = NULL;
-+#else
-+ if (new_ccname[0] == ':')
-+ new_ccname++;
-+ xasprintf(&client->store.envval, "%s:%s", new_cctype, new_ccname);
-+ if (strcmp(new_cctype, "DIR") == 0) {
-+ char *p;
-+ p = strrchr(client->store.envval, '/');
-+ if (p)
-+ *p = '\0';
-+ }
-+ client->store.filename = xstrdup(new_ccname);
-+#endif
-
- #ifdef USE_PAM
- if (options.use_pam)
-@@ -184,6 +198,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
- return;
- }
-
-+int
-+ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store,
-+ ssh_gssapi_client *client)
-+{
-+ krb5_ccache ccache = NULL;
-+ krb5_principal principal = NULL;
-+ char *name = NULL;
-+ krb5_error_code problem;
-+ OM_uint32 maj_status, min_status;
-+
-+ if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) {
-+ logit("krb5_cc_resolve(): %.100s",
-+ krb5_get_err_text(krb_context, problem));
-+ return 0;
-+ }
-+
-+ /* Find out who the principal in this cache is */
-+ if ((problem = krb5_cc_get_principal(krb_context, ccache,
-+ &principal))) {
-+ logit("krb5_cc_get_principal(): %.100s",
-+ krb5_get_err_text(krb_context, problem));
-+ krb5_cc_close(krb_context, ccache);
-+ return 0;
-+ }
-+
-+ if ((problem = krb5_unparse_name(krb_context, principal, &name))) {
-+ logit("krb5_unparse_name(): %.100s",
-+ krb5_get_err_text(krb_context, problem));
-+ krb5_free_principal(krb_context, principal);
-+ krb5_cc_close(krb_context, ccache);
-+ return 0;
-+ }
-+
-+
-+ if (strcmp(name,client->exportedname.value)!=0) {
-+ debug("Name in local credentials cache differs. Not storing");
-+ krb5_free_principal(krb_context, principal);
-+ krb5_cc_close(krb_context, ccache);
-+ krb5_free_unparsed_name(krb_context, name);
-+ return 0;
-+ }
-+ krb5_free_unparsed_name(krb_context, name);
-+
-+ /* Name matches, so lets get on with it! */
-+
-+ if ((problem = krb5_cc_initialize(krb_context, ccache, principal))) {
-+ logit("krb5_cc_initialize(): %.100s",
-+ krb5_get_err_text(krb_context, problem));
-+ krb5_free_principal(krb_context, principal);
-+ krb5_cc_close(krb_context, ccache);
-+ return 0;
-+ }
-+
-+ krb5_free_principal(krb_context, principal);
-+
-+ if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds,
-+ ccache))) {
-+ logit("gss_krb5_copy_ccache() failed. Sorry!");
-+ krb5_cc_close(krb_context, ccache);
-+ return 0;
-+ }
-+
-+ return 1;
-+}
-+
- ssh_gssapi_mech gssapi_kerberos_mech = {
- "toWM5Slw5Ew8Mqkay+al2g==",
- "Kerberos",
-@@ -191,7 +270,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
- NULL,
- &ssh_gssapi_krb5_userok,
- NULL,
-- &ssh_gssapi_krb5_storecreds
-+ &ssh_gssapi_krb5_storecreds,
-+ &ssh_gssapi_krb5_updatecreds
- };
-
- #endif /* KRB5 */
-diff -up openssh-6.2p1/kex.c.gsskex openssh-6.2p1/kex.c
---- openssh-6.2p1/kex.c.gsskex 2013-03-27 13:19:11.039624686 +0100
-+++ openssh-6.2p1/kex.c 2013-03-27 13:19:11.143624259 +0100
+diff -up openssh-6.3p1/kex.c.gsskex openssh-6.3p1/kex.c
+--- openssh-6.3p1/kex.c.gsskex 2013-10-11 15:15:17.197216581 +0200
++++ openssh-6.3p1/kex.c 2013-10-11 15:47:41.629242975 +0200
@@ -51,6 +51,10 @@
#include "roaming.h"
#include "audit.h"
@@ -1254,30 +1256,57 @@ diff -up openssh-6.2p1/kex.c.gsskex openssh-6.2p1/kex.c
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
# if defined(HAVE_EVP_SHA256)
# define evp_ssh_sha256 EVP_sha256
-@@ -382,6 +386,20 @@ choose_kex(Kex *k, char *client, char *s
- k->kex_type = KEX_ECDH_SHA2;
- k->evp_md = kex_ecdh_name_to_evpmd(k->name);
+@@ -81,6 +85,9 @@ static const struct kexalg kexalgs[] = {
+ { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, EVP_sha384 },
+ { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, EVP_sha512 },
#endif
++ { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, EVP_sha1 },
++ { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, EVP_sha1 },
++ { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, EVP_sha1 },
+ { NULL, -1, -1, NULL},
+ };
+
+diff -up openssh-6.3p1/kex.h.gsskex openssh-6.3p1/kex.h
+--- openssh-6.3p1/kex.h.gsskex 2013-10-11 15:15:17.197216581 +0200
++++ openssh-6.3p1/kex.h 2013-10-11 15:43:21.757429309 +0200
+@@ -74,6 +74,9 @@ enum kex_exchange {
+ KEX_DH_GEX_SHA1,
+ KEX_DH_GEX_SHA256,
+ KEX_ECDH_SHA2,
++ KEX_GSS_GRP1_SHA1,
++ KEX_GSS_GRP14_SHA1,
++ KEX_GSS_GEX_SHA1,
+ KEX_MAX
+ };
+
+@@ -133,6 +136,12 @@ struct Kex {
+ int flags;
+ const EVP_MD *evp_md;
+ int ec_nid;
++#ifdef GSSAPI
++ int gss_deleg_creds;
++ int gss_trust_dns;
++ char *gss_host;
++ char *gss_client;
++#endif
+ char *client_version_string;
+ char *server_version_string;
+ int (*verify_host_key)(Key *);
+@@ -162,6 +171,11 @@ void kexgex_server(Kex *);
+ void kexecdh_client(Kex *);
+ void kexecdh_server(Kex *);
+
+#ifdef GSSAPI
-+ } else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID,
-+ sizeof(KEX_GSS_GEX_SHA1_ID) - 1) == 0) {
-+ k->kex_type = KEX_GSS_GEX_SHA1;
-+ k->evp_md = EVP_sha1();
-+ } else if (strncmp(k->name, KEX_GSS_GRP1_SHA1_ID,
-+ sizeof(KEX_GSS_GRP1_SHA1_ID) - 1) == 0) {
-+ k->kex_type = KEX_GSS_GRP1_SHA1;
-+ k->evp_md = EVP_sha1();
-+ } else if (strncmp(k->name, KEX_GSS_GRP14_SHA1_ID,
-+ sizeof(KEX_GSS_GRP14_SHA1_ID) - 1) == 0) {
-+ k->kex_type = KEX_GSS_GRP14_SHA1;
-+ k->evp_md = EVP_sha1();
++void kexgss_client(Kex *);
++void kexgss_server(Kex *);
+#endif
- } else
- fatal("bad kex alg %s", k->name);
- }
-diff -up openssh-6.2p1/kexgssc.c.gsskex openssh-6.2p1/kexgssc.c
---- openssh-6.2p1/kexgssc.c.gsskex 2013-03-27 13:19:11.143624259 +0100
-+++ openssh-6.2p1/kexgssc.c 2013-03-27 13:19:11.143624259 +0100
++
+ void newkeys_destroy(Newkeys *newkeys);
+
+ void
+diff -up openssh-6.3p1/kexgssc.c.gsskex openssh-6.3p1/kexgssc.c
+--- openssh-6.3p1/kexgssc.c.gsskex 2013-10-11 15:15:17.287216162 +0200
++++ openssh-6.3p1/kexgssc.c 2013-10-11 15:15:17.287216162 +0200
@@ -0,0 +1,334 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
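Review bot: The three GSS entries added to `kexalgs[]` in the kex.c section replace a `strncmp` prefix match (`sizeof(KEX_GSS_GEX_SHA1_ID) - 1`) with table rows, and nothing in this hunk changes the code that searches the table. The old prefix compare suggests the negotiated name carries a mechanism-specific suffix after the `*_ID` string, so if the lookup compares whole names, these rows would never match and GSS key exchange would end in the "bad kex alg" path; the lookup needs a prefix match for `gss-` names, or this needs confirming against the rest of kex.c. The old branch was also wrapped in `#ifdef GSSAPI` and the new rows are not, so a build without GSSAPI depends on the `KEX_GSS_*_ID` macros and enum values being defined unconditionally; wrapping the rows in `#ifdef GSSAPI` / `#endif` would restore the previous guard.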
@@ -1425,7 +1454,7 @@ diff -up openssh-6.2p1/kexgssc.c.gsskex openssh-6.2p1/kexgssc.c
+
+ /* If we've got an old receive buffer get rid of it */
+ if (token_ptr != GSS_C_NO_BUFFER)
-+ xfree(recv_tok.value);
++ free(recv_tok.value);
+
+ if (maj_status == GSS_S_COMPLETE) {
+ /* If mutual state flag is not true, kex fails */
@@ -1542,7 +1571,7 @@ diff -up openssh-6.2p1/kexgssc.c.gsskex openssh-6.2p1/kexgssc.c
+ fatal("kexdh_client: BN_bin2bn failed");
+
+ memset(kbuf, 0, klen);
-+ xfree(kbuf);
++ free(kbuf);
+
+ switch (kex->kex_type) {
+ case KEX_GSS_GRP1_SHA1:
@@ -1585,11 +1614,11 @@ diff -up openssh-6.2p1/kexgssc.c.gsskex openssh-6.2p1/kexgssc.c
+ if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok)))
+ packet_disconnect("Hash's MIC didn't verify");
+
-+ xfree(msg_tok.value);
++ free(msg_tok.value);
+
+ DH_free(dh);
+ if (serverhostkey)
-+ xfree(serverhostkey);
++ free(serverhostkey);
+ BN_clear_free(dh_server_pub);
+
+ /* save session id */
@@ -1613,9 +1642,9 @@ diff -up openssh-6.2p1/kexgssc.c.gsskex openssh-6.2p1/kexgssc.c
+}
+
+#endif /* GSSAPI */
-diff -up openssh-6.2p1/kexgsss.c.gsskex openssh-6.2p1/kexgsss.c
---- openssh-6.2p1/kexgsss.c.gsskex 2013-03-27 13:19:11.144624254 +0100
-+++ openssh-6.2p1/kexgsss.c 2013-03-27 13:19:11.144624254 +0100
+diff -up openssh-6.3p1/kexgsss.c.gsskex openssh-6.3p1/kexgsss.c
+--- openssh-6.3p1/kexgsss.c.gsskex 2013-10-11 15:15:17.287216162 +0200
++++ openssh-6.3p1/kexgsss.c 2013-10-11 15:15:17.287216162 +0200
@@ -0,0 +1,288 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@@ -1699,7 +1728,7 @@ diff -up openssh-6.2p1/kexgsss.c.gsskex openssh-6.2p1/kexgsss.c
+ */
+ if (!ssh_gssapi_oid_table_ok())
+ if ((mechs = ssh_gssapi_server_mechanisms()))
-+ xfree(mechs);
++ free(mechs);
+
+ debug2("%s: Identifying %s", __func__, kex->name);
+ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
@@ -1777,7 +1806,7 @@ diff -up openssh-6.2p1/kexgsss.c.gsskex openssh-6.2p1/kexgsss.c
+ maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok,
+ &send_tok, &ret_flags));
+
-+ xfree(recv_tok.value);
++ free(recv_tok.value);
+
+ if (maj_status != GSS_S_COMPLETE && send_tok.length == 0)
+ fatal("Zero length token output when incomplete");
@@ -1826,7 +1855,7 @@ diff -up openssh-6.2p1/kexgsss.c.gsskex openssh-6.2p1/kexgsss.c
+ fatal("kexgss_server: BN_bin2bn failed");
+
+ memset(kbuf, 0, klen);
-+ xfree(kbuf);
++ free(kbuf);
+
+ switch (kex->kex_type) {
+ case KEX_GSS_GRP1_SHA1:
@@ -1905,68 +1934,20 @@ diff -up openssh-6.2p1/kexgsss.c.gsskex openssh-6.2p1/kexgsss.c
+ ssh_gssapi_rekey_creds();
+}
+#endif /* GSSAPI */
-diff -up openssh-6.2p1/kex.h.gsskex openssh-6.2p1/kex.h
---- openssh-6.2p1/kex.h.gsskex 2013-03-27 13:19:11.039624686 +0100
-+++ openssh-6.2p1/kex.h 2013-03-27 13:19:11.144624254 +0100
-@@ -73,6 +73,9 @@ enum kex_exchange {
- KEX_DH_GEX_SHA1,
- KEX_DH_GEX_SHA256,
- KEX_ECDH_SHA2,
-+ KEX_GSS_GRP1_SHA1,
-+ KEX_GSS_GRP14_SHA1,
-+ KEX_GSS_GEX_SHA1,
- KEX_MAX
+diff -up openssh-6.3p1/key.c.gsskex openssh-6.3p1/key.c
+--- openssh-6.3p1/key.c.gsskex 2013-10-11 15:15:17.288216158 +0200
++++ openssh-6.3p1/key.c 2013-10-11 15:41:44.982868222 +0200
+@@ -968,6 +968,7 @@ static const struct keytype keytypes[] =
+ KEY_RSA_CERT_V00, 0, 1 },
+ { "ssh-dss-cert-v00 at openssh.com", "DSA-CERT-V00",
+ KEY_DSA_CERT_V00, 0, 1 },
++ { "null", "null", KEY_NULL, 0, 0 },
+ { NULL, NULL, -1, -1, 0 }
};
-@@ -131,6 +134,12 @@ struct Kex {
- sig_atomic_t done;
- int flags;
- const EVP_MD *evp_md;
-+#ifdef GSSAPI
-+ int gss_deleg_creds;
-+ int gss_trust_dns;
-+ char *gss_host;
-+ char *gss_client;
-+#endif
- char *client_version_string;
- char *server_version_string;
- int (*verify_host_key)(Key *);
-@@ -158,6 +167,11 @@ void kexgex_server(Kex *);
- void kexecdh_client(Kex *);
- void kexecdh_server(Kex *);
-
-+#ifdef GSSAPI
-+void kexgss_client(Kex *);
-+void kexgss_server(Kex *);
-+#endif
-+
- void newkeys_destroy(Newkeys *newkeys);
-
- void
-diff -up openssh-6.2p1/key.c.gsskex openssh-6.2p1/key.c
---- openssh-6.2p1/key.c.gsskex 2013-03-27 13:19:11.102624427 +0100
-+++ openssh-6.2p1/key.c 2013-03-27 13:19:11.144624254 +0100
-@@ -1011,6 +1011,8 @@ key_ssh_name_from_type_nid(int type, int
- }
- break;
- #endif /* OPENSSL_HAS_ECC */
-+ case KEY_NULL:
-+ return "null";
- }
- return "ssh-unknown";
- }
-@@ -1316,6 +1318,8 @@ key_type_from_name(char *name)
- strcmp(name, "ecdsa-sha2-nistp521-cert-v01 at openssh.com") == 0) {
- return KEY_ECDSA_CERT;
- #endif
-+ } else if (strcmp(name, "null") == 0) {
-+ return KEY_NULL;
- }
-
- debug2("key_type_from_name: unknown key type '%s'", name);
-diff -up openssh-6.2p1/key.h.gsskex openssh-6.2p1/key.h
---- openssh-6.2p1/key.h.gsskex 2013-03-27 13:19:11.046624657 +0100
-+++ openssh-6.2p1/key.h 2013-03-27 13:19:11.145624250 +0100
+diff -up openssh-6.3p1/key.h.gsskex openssh-6.3p1/key.h
+--- openssh-6.3p1/key.h.gsskex 2013-10-11 15:15:17.198216576 +0200
++++ openssh-6.3p1/key.h 2013-10-11 15:15:17.289216153 +0200
@@ -44,6 +44,7 @@ enum types {
KEY_ECDSA_CERT,
KEY_RSA_CERT_V00,
@@ -1975,30 +1956,10 @@ diff -up openssh-6.2p1/key.h.gsskex openssh-6.2p1/key.h
KEY_UNSPEC
};
enum fp_type {
-diff -up openssh-6.2p1/Makefile.in.gsskex openssh-6.2p1/Makefile.in
---- openssh-6.2p1/Makefile.in.gsskex 2013-03-27 13:19:11.138624279 +0100
-+++ openssh-6.2p1/Makefile.in 2013-03-27 13:19:11.145624250 +0100
-@@ -77,6 +77,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
- atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
- monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
- kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
-+ kexgssc.o \
- msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
- jpake.o schnorr.o ssh-pkcs11.o krl.o auditstub.o
-
-@@ -93,7 +94,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
- auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
- monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
- auth-krb5.o \
-- auth2-gss.o gss-serv.o gss-serv-krb5.o \
-+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\
- loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
- sftp-server.o sftp-common.o \
- roaming_common.o roaming_serv.o \
-diff -up openssh-6.2p1/monitor.c.gsskex openssh-6.2p1/monitor.c
---- openssh-6.2p1/monitor.c.gsskex 2013-03-27 13:19:11.063624587 +0100
-+++ openssh-6.2p1/monitor.c 2013-03-27 13:19:11.145624250 +0100
-@@ -186,6 +186,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
+diff -up openssh-6.3p1/monitor.c.gsskex openssh-6.3p1/monitor.c
+--- openssh-6.3p1/monitor.c.gsskex 2013-10-11 15:15:17.214216502 +0200
++++ openssh-6.3p1/monitor.c 2013-10-11 15:15:17.290216148 +0200
+@@ -187,6 +187,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *);
int mm_answer_gss_checkmic(int, Buffer *);
@@ -2007,7 +1968,7 @@ diff -up openssh-6.2p1/monitor.c.gsskex openssh-6.2p1/monitor.c
#endif
#ifdef SSH_AUDIT_EVENTS
-@@ -270,6 +272,7 @@ struct mon_table mon_dispatch_proto20[]
+@@ -271,6 +273,7 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@@ -2015,7 +1976,7 @@ diff -up openssh-6.2p1/monitor.c.gsskex openssh-6.2p1/monitor.c
#endif
#ifdef JPAKE
{MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
-@@ -282,6 +285,12 @@ struct mon_table mon_dispatch_proto20[]
+@@ -283,6 +286,12 @@ struct mon_table mon_dispatch_proto20[]
};
struct mon_table mon_dispatch_postauth20[] = {
@@ -2028,7 +1989,7 @@ diff -up openssh-6.2p1/monitor.c.gsskex openssh-6.2p1/monitor.c
{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
{MONITOR_REQ_SIGN, 0, mm_answer_sign},
{MONITOR_REQ_PTY, 0, mm_answer_pty},
-@@ -404,6 +413,10 @@ monitor_child_preauth(Authctxt *_authctx
+@@ -405,6 +414,10 @@ monitor_child_preauth(Authctxt *_authctx
/* Permit requests for moduli and signatures */
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -2050,7 +2011,7 @@ diff -up openssh-6.2p1/monitor.c.gsskex openssh-6.2p1/monitor.c
} else {
mon_dispatch = mon_dispatch_postauth15;
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-@@ -1950,6 +1967,13 @@ mm_get_kex(Buffer *m)
+@@ -1968,6 +1985,13 @@ mm_get_kex(Buffer *m)
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -2064,7 +2025,7 @@ diff -up openssh-6.2p1/monitor.c.gsskex openssh-6.2p1/monitor.c
kex->server = 1;
kex->hostkey_type = buffer_get_int(m);
kex->kex_type = buffer_get_int(m);
-@@ -2173,6 +2197,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
+@@ -2192,6 +2216,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
OM_uint32 major;
u_int len;
@@ -2074,7 +2035,7 @@ diff -up openssh-6.2p1/monitor.c.gsskex openssh-6.2p1/monitor.c
goid.elements = buffer_get_string(m, &len);
goid.length = len;
-@@ -2200,6 +2227,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
+@@ -2219,6 +2246,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
OM_uint32 flags = 0; /* GSI needs this */
u_int len;
@@ -2084,7 +2045,7 @@ diff -up openssh-6.2p1/monitor.c.gsskex openssh-6.2p1/monitor.c
in.value = buffer_get_string(m, &len);
in.length = len;
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-@@ -2217,6 +2247,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
+@@ -2236,6 +2266,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2092,7 +2053,7 @@ diff -up openssh-6.2p1/monitor.c.gsskex openssh-6.2p1/monitor.c
}
return (0);
}
-@@ -2228,6 +2259,9 @@ mm_answer_gss_checkmic(int sock, Buffer
+@@ -2247,6 +2278,9 @@ mm_answer_gss_checkmic(int sock, Buffer
OM_uint32 ret;
u_int len;
@@ -2102,7 +2063,7 @@ diff -up openssh-6.2p1/monitor.c.gsskex openssh-6.2p1/monitor.c
gssbuf.value = buffer_get_string(m, &len);
gssbuf.length = len;
mic.value = buffer_get_string(m, &len);
-@@ -2254,7 +2288,11 @@ mm_answer_gss_userok(int sock, Buffer *m
+@@ -2273,7 +2307,11 @@ mm_answer_gss_userok(int sock, Buffer *m
{
int authenticated;
@@ -2115,7 +2076,7 @@ diff -up openssh-6.2p1/monitor.c.gsskex openssh-6.2p1/monitor.c
buffer_clear(m);
buffer_put_int(m, authenticated);
-@@ -2267,6 +2305,74 @@ mm_answer_gss_userok(int sock, Buffer *m
+@@ -2286,6 +2324,74 @@ mm_answer_gss_userok(int sock, Buffer *m
/* Monitor loop will terminate if authenticated */
return (authenticated);
}
@@ -2145,7 +2106,7 @@ diff -up openssh-6.2p1/monitor.c.gsskex openssh-6.2p1/monitor.c
+ }
+ major = ssh_gssapi_sign(gsscontext, &data, &hash);
+
-+ xfree(data.value);
++ free(data.value);
+
+ buffer_clear(m);
+ buffer_put_int(m, major);
@@ -2175,9 +2136,9 @@ diff -up openssh-6.2p1/monitor.c.gsskex openssh-6.2p1/monitor.c
+
+ ok = ssh_gssapi_update_creds(&store);
+
-+ xfree(store.filename);
-+ xfree(store.envvar);
-+ xfree(store.envval);
++ free(store.filename);
++ free(store.envvar);
++ free(store.envval);
+
+ buffer_clear(m);
+ buffer_put_int(m, ok);
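Review bot: `store` is passed to `ssh_gssapi_update_creds(&store)` and only `filename`, `envvar` and `envval` are released afterwards, while the ssh-gss.h part of this patch gives `ssh_gssapi_ccache` two more members, `owner` and `data`. The lines that fill `store` are above the hunk, so this is unconfirmed, but if they set just the three strings, the other two members are indeterminate in monitor.c's request handler. Clearing the struct before it is filled, `memset(&store, 0, sizeof(store));`, would make that safe whatever the callee reads. The function starts and ends outside the hunk.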
@@ -2190,9 +2151,9 @@ diff -up openssh-6.2p1/monitor.c.gsskex openssh-6.2p1/monitor.c
#endif /* GSSAPI */
#ifdef JPAKE
-diff -up openssh-6.2p1/monitor.h.gsskex openssh-6.2p1/monitor.h
---- openssh-6.2p1/monitor.h.gsskex 2013-03-27 13:19:11.063624587 +0100
-+++ openssh-6.2p1/monitor.h 2013-03-27 13:19:11.146624246 +0100
+diff -up openssh-6.3p1/monitor.h.gsskex openssh-6.3p1/monitor.h
+--- openssh-6.3p1/monitor.h.gsskex 2013-10-11 15:15:17.215216497 +0200
++++ openssh-6.3p1/monitor.h 2013-10-11 15:15:17.290216148 +0200
@@ -64,6 +64,8 @@ enum monitor_reqtype {
#ifdef WITH_SELINUX
MONITOR_REQ_AUTHROLE = 80,
@@ -2202,10 +2163,10 @@ diff -up openssh-6.2p1/monitor.h.gsskex openssh-6.2p1/monitor.h
MONITOR_REQ_PAM_START = 100,
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
-diff -up openssh-6.2p1/monitor_wrap.c.gsskex openssh-6.2p1/monitor_wrap.c
---- openssh-6.2p1/monitor_wrap.c.gsskex 2013-03-27 13:19:11.064624583 +0100
-+++ openssh-6.2p1/monitor_wrap.c 2013-03-27 13:19:11.146624246 +0100
-@@ -1327,7 +1327,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
+diff -up openssh-6.3p1/monitor_wrap.c.gsskex openssh-6.3p1/monitor_wrap.c
+--- openssh-6.3p1/monitor_wrap.c.gsskex 2013-10-11 15:15:17.215216497 +0200
++++ openssh-6.3p1/monitor_wrap.c 2013-10-11 15:15:17.290216148 +0200
+@@ -1329,7 +1329,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
}
int
@@ -2214,7 +2175,7 @@ diff -up openssh-6.2p1/monitor_wrap.c.gsskex openssh-6.2p1/monitor_wrap.c
{
Buffer m;
int authenticated = 0;
-@@ -1344,6 +1344,51 @@ mm_ssh_gssapi_userok(char *user)
+@@ -1346,6 +1346,51 @@ mm_ssh_gssapi_userok(char *user)
debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
return (authenticated);
}
@@ -2266,9 +2227,9 @@ diff -up openssh-6.2p1/monitor_wrap.c.gsskex openssh-6.2p1/monitor_wrap.c
#endif /* GSSAPI */
#ifdef JPAKE
-diff -up openssh-6.2p1/monitor_wrap.h.gsskex openssh-6.2p1/monitor_wrap.h
---- openssh-6.2p1/monitor_wrap.h.gsskex 2013-03-27 13:19:11.064624583 +0100
-+++ openssh-6.2p1/monitor_wrap.h 2013-03-27 13:19:11.146624246 +0100
+diff -up openssh-6.3p1/monitor_wrap.h.gsskex openssh-6.3p1/monitor_wrap.h
+--- openssh-6.3p1/monitor_wrap.h.gsskex 2013-10-11 15:15:17.215216497 +0200
++++ openssh-6.3p1/monitor_wrap.h 2013-10-11 15:15:17.290216148 +0200
@@ -62,8 +62,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
@@ -2281,10 +2242,10 @@ diff -up openssh-6.2p1/monitor_wrap.h.gsskex openssh-6.2p1/monitor_wrap.h
#endif
#ifdef USE_PAM
-diff -up openssh-6.2p1/readconf.c.gsskex openssh-6.2p1/readconf.c
---- openssh-6.2p1/readconf.c.gsskex 2011-10-02 09:59:03.000000000 +0200
-+++ openssh-6.2p1/readconf.c 2013-03-27 13:19:11.147624242 +0100
-@@ -129,6 +129,8 @@ typedef enum {
+diff -up openssh-6.3p1/readconf.c.gsskex openssh-6.3p1/readconf.c
+--- openssh-6.3p1/readconf.c.gsskex 2013-07-18 08:09:05.000000000 +0200
++++ openssh-6.3p1/readconf.c 2013-10-11 15:15:17.291216143 +0200
+@@ -132,6 +132,8 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -2293,7 +2254,7 @@ diff -up openssh-6.2p1/readconf.c.gsskex openssh-6.2p1/readconf.c
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
-@@ -169,10 +171,19 @@ static struct {
+@@ -172,10 +174,19 @@ static struct {
{ "afstokenpassing", oUnsupported },
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
@@ -2313,7 +2274,7 @@ diff -up openssh-6.2p1/readconf.c.gsskex openssh-6.2p1/readconf.c
#endif
{ "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated },
-@@ -503,10 +514,30 @@ parse_flag:
+@@ -516,10 +527,30 @@ parse_flag:
intptr = &options->gss_authentication;
goto parse_flag;
@@ -2344,7 +2305,7 @@ diff -up openssh-6.2p1/readconf.c.gsskex openssh-6.2p1/readconf.c
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
-@@ -1158,7 +1189,12 @@ initialize_options(Options * options)
+@@ -1168,7 +1199,12 @@ initialize_options(Options * options)
options->pubkey_authentication = -1;
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
@@ -2357,7 +2318,7 @@ diff -up openssh-6.2p1/readconf.c.gsskex openssh-6.2p1/readconf.c
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
-@@ -1258,8 +1294,14 @@ fill_default_options(Options * options)
+@@ -1268,8 +1304,14 @@ fill_default_options(Options * options)
options->challenge_response_authentication = 1;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
@@ -2372,9 +2333,9 @@ diff -up openssh-6.2p1/readconf.c.gsskex openssh-6.2p1/readconf.c
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
-diff -up openssh-6.2p1/readconf.h.gsskex openssh-6.2p1/readconf.h
---- openssh-6.2p1/readconf.h.gsskex 2011-10-02 09:59:03.000000000 +0200
-+++ openssh-6.2p1/readconf.h 2013-03-27 13:19:11.147624242 +0100
+diff -up openssh-6.3p1/readconf.h.gsskex openssh-6.3p1/readconf.h
+--- openssh-6.3p1/readconf.h.gsskex 2013-05-16 12:30:03.000000000 +0200
++++ openssh-6.3p1/readconf.h 2013-10-11 15:15:17.291216143 +0200
@@ -48,7 +48,12 @@ typedef struct {
int challenge_response_authentication;
/* Try S/Key or TIS, authentication. */
@@ -2388,10 +2349,10 @@ diff -up openssh-6.2p1/readconf.h.gsskex openssh-6.2p1/readconf.h
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-diff -up openssh-6.2p1/servconf.c.gsskex openssh-6.2p1/servconf.c
---- openssh-6.2p1/servconf.c.gsskex 2013-03-27 13:19:11.128624320 +0100
-+++ openssh-6.2p1/servconf.c 2013-03-27 13:19:11.147624242 +0100
-@@ -102,7 +102,10 @@ initialize_server_options(ServerOptions
+diff -up openssh-6.3p1/servconf.c.gsskex openssh-6.3p1/servconf.c
+--- openssh-6.3p1/servconf.c.gsskex 2013-10-11 15:15:17.273216227 +0200
++++ openssh-6.3p1/servconf.c 2013-10-11 15:15:17.292216139 +0200
+@@ -107,7 +107,10 @@ initialize_server_options(ServerOptions
options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1;
options->gss_authentication=-1;
@@ -2402,7 +2363,7 @@ diff -up openssh-6.2p1/servconf.c.gsskex openssh-6.2p1/servconf.c
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
-@@ -234,8 +237,14 @@ fill_default_server_options(ServerOption
+@@ -241,8 +244,14 @@ fill_default_server_options(ServerOption
options->kerberos_get_afs_token = 0;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
@@ -2417,7 +2378,7 @@ diff -up openssh-6.2p1/servconf.c.gsskex openssh-6.2p1/servconf.c
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
-@@ -331,7 +340,9 @@ typedef enum {
+@@ -342,7 +351,9 @@ typedef enum {
sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile,
@@ -2428,7 +2389,7 @@ diff -up openssh-6.2p1/servconf.c.gsskex openssh-6.2p1/servconf.c
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
sZeroKnowledgePasswordAuthentication, sHostCertificate,
-@@ -397,10 +408,20 @@ static struct {
+@@ -409,10 +420,20 @@ static struct {
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2449,7 +2410,7 @@ diff -up openssh-6.2p1/servconf.c.gsskex openssh-6.2p1/servconf.c
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-@@ -1054,10 +1075,22 @@ process_server_config_line(ServerOptions
+@@ -1078,10 +1099,22 @@ process_server_config_line(ServerOptions
intptr = &options->gss_authentication;
goto parse_flag;
@@ -2472,7 +2433,7 @@ diff -up openssh-6.2p1/servconf.c.gsskex openssh-6.2p1/servconf.c
case sPasswordAuthentication:
intptr = &options->password_authentication;
goto parse_flag;
-@@ -1938,6 +1971,9 @@ dump_config(ServerOptions *o)
+@@ -1994,6 +2027,9 @@ dump_config(ServerOptions *o)
#ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
@@ -2482,10 +2443,10 @@ diff -up openssh-6.2p1/servconf.c.gsskex openssh-6.2p1/servconf.c
#endif
#ifdef JPAKE
dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
-diff -up openssh-6.2p1/servconf.h.gsskex openssh-6.2p1/servconf.h
---- openssh-6.2p1/servconf.h.gsskex 2013-03-27 13:19:11.128624320 +0100
-+++ openssh-6.2p1/servconf.h 2013-03-27 13:19:11.147624242 +0100
-@@ -110,7 +110,10 @@ typedef struct {
+diff -up openssh-6.3p1/servconf.h.gsskex openssh-6.3p1/servconf.h
+--- openssh-6.3p1/servconf.h.gsskex 2013-10-11 15:15:17.273216227 +0200
++++ openssh-6.3p1/servconf.h 2013-10-11 15:15:17.292216139 +0200
+@@ -111,7 +111,10 @@ typedef struct {
int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */
int gss_authentication; /* If true, permit GSSAPI authentication */
@@ -2496,10 +2457,110 @@ diff -up openssh-6.2p1/servconf.h.gsskex openssh-6.2p1/servconf.h
int password_authentication; /* If true, permit password
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
-diff -up openssh-6.2p1/ssh_config.5.gsskex openssh-6.2p1/ssh_config.5
---- openssh-6.2p1/ssh_config.5.gsskex 2013-01-09 06:12:19.000000000 +0100
-+++ openssh-6.2p1/ssh_config.5 2013-03-27 13:19:11.148624238 +0100
-@@ -530,11 +530,43 @@ Specifies whether user authentication ba
+diff -up openssh-6.3p1/ssh-gss.h.gsskex openssh-6.3p1/ssh-gss.h
+--- openssh-6.3p1/ssh-gss.h.gsskex 2013-02-25 01:24:44.000000000 +0100
++++ openssh-6.3p1/ssh-gss.h 2013-10-11 15:15:17.294216130 +0200
+@@ -1,6 +1,6 @@
+ /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
+ /*
+- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
++ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+@@ -61,10 +61,22 @@
+
+ #define SSH_GSS_OIDTYPE 0x06
+
++#define SSH2_MSG_KEXGSS_INIT 30
++#define SSH2_MSG_KEXGSS_CONTINUE 31
++#define SSH2_MSG_KEXGSS_COMPLETE 32
++#define SSH2_MSG_KEXGSS_HOSTKEY 33
++#define SSH2_MSG_KEXGSS_ERROR 34
++#define SSH2_MSG_KEXGSS_GROUPREQ 40
++#define SSH2_MSG_KEXGSS_GROUP 41
++#define KEX_GSS_GRP1_SHA1_ID "gss-group1-sha1-"
++#define KEX_GSS_GRP14_SHA1_ID "gss-group14-sha1-"
++#define KEX_GSS_GEX_SHA1_ID "gss-gex-sha1-"
++
+ typedef struct {
+ char *filename;
+ char *envvar;
+ char *envval;
++ struct passwd *owner;
+ void *data;
+ } ssh_gssapi_ccache;
+
+@@ -72,8 +84,11 @@ typedef struct {
+ gss_buffer_desc displayname;
+ gss_buffer_desc exportedname;
+ gss_cred_id_t creds;
++ gss_name_t name;
+ struct ssh_gssapi_mech_struct *mech;
+ ssh_gssapi_ccache store;
++ int used;
++ int updated;
+ } ssh_gssapi_client;
+
+ typedef struct ssh_gssapi_mech_struct {
+@@ -84,6 +99,7 @@ typedef struct ssh_gssapi_mech_struct {
+ int (*userok) (ssh_gssapi_client *, char *);
+ int (*localname) (ssh_gssapi_client *, char **);
+ void (*storecreds) (ssh_gssapi_client *);
++ int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
+ } ssh_gssapi_mech;
+
+ typedef struct {
+@@ -94,10 +110,11 @@ typedef struct {
+ gss_OID oid; /* client */
+ gss_cred_id_t creds; /* server */
+ gss_name_t client; /* server */
+- gss_cred_id_t client_creds; /* server */
++ gss_cred_id_t client_creds; /* both */
+ } Gssctxt;
+
+ extern ssh_gssapi_mech *supported_mechs[];
++extern Gssctxt *gss_kex_context;
+
+ int ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
+ void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
+@@ -117,16 +134,30 @@ void ssh_gssapi_build_ctx(Gssctxt **);
+ void ssh_gssapi_delete_ctx(Gssctxt **);
+ OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
+ void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
+-int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
++int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *);
++OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *);
++int ssh_gssapi_credentials_updated(Gssctxt *);
+
+ /* In the server */
++typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *,
++ const char *);
++char *ssh_gssapi_client_mechanisms(const char *, const char *);
++char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *,
++ const char *);
++gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int);
++int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *,
++ const char *);
+ OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
+-int ssh_gssapi_userok(char *name);
++int ssh_gssapi_userok(char *name, struct passwd *);
+ OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
+ void ssh_gssapi_do_child(char ***, u_int *);
+ void ssh_gssapi_cleanup_creds(void);
+ void ssh_gssapi_storecreds(void);
+
++char *ssh_gssapi_server_mechanisms(void);
++int ssh_gssapi_oid_table_ok();
++
++int ssh_gssapi_update_creds(ssh_gssapi_ccache *store);
+ #endif /* GSSAPI */
+
+ #endif /* _SSH_GSS_H */
+diff -up openssh-6.3p1/ssh_config.5.gsskex openssh-6.3p1/ssh_config.5
+--- openssh-6.3p1/ssh_config.5.gsskex 2013-07-18 08:11:50.000000000 +0200
++++ openssh-6.3p1/ssh_config.5 2013-10-11 15:15:17.292216139 +0200
+@@ -529,11 +529,43 @@ Specifies whether user authentication ba
The default is
.Dq no .
Note that this option applies to protocol version 2 only.
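Review bot: The three `KEX_GSS_*_SHA1_ID` prefixes in the ssh-gss.h section carried by this hunk have no comment, yet all of them name SHA-1 methods and `gss-group1-sha1-` is built on the 1024-bit group 1 modulus. Anyone auditing what enabling GSSAPI key exchange offers on the wire needs to know that, so I would add above them `/* RFC 4462 GSS key-exchange method prefixes: all SHA-1; group1 is 1024-bit MODP */`. In the same section, `int ssh_gssapi_oid_table_ok();` declares a function with unspecified parameters and should read `int ssh_gssapi_oid_table_ok(void);`. The ssh-gss.h text is only moved here from the end of the patch file, so both points predate this commit.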
@@ -2544,9 +2605,9 @@ diff -up openssh-6.2p1/ssh_config.5.gsskex openssh-6.2p1/ssh_config.5
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
-diff -up openssh-6.2p1/ssh_config.gsskex openssh-6.2p1/ssh_config
---- openssh-6.2p1/ssh_config.gsskex 2013-03-27 13:19:11.120624353 +0100
-+++ openssh-6.2p1/ssh_config 2013-03-27 13:19:11.148624238 +0100
+diff -up openssh-6.3p1/ssh_config.gsskex openssh-6.3p1/ssh_config
+--- openssh-6.3p1/ssh_config.gsskex 2013-10-11 15:15:17.265216264 +0200
++++ openssh-6.3p1/ssh_config 2013-10-11 15:15:17.292216139 +0200
@@ -26,6 +26,8 @@
# HostbasedAuthentication no
# GSSAPIAuthentication no
@@ -2556,9 +2617,9 @@ diff -up openssh-6.2p1/ssh_config.gsskex openssh-6.2p1/ssh_config
# BatchMode no
# CheckHostIP yes
# AddressFamily any
-diff -up openssh-6.2p1/sshconnect2.c.gsskex openssh-6.2p1/sshconnect2.c
---- openssh-6.2p1/sshconnect2.c.gsskex 2013-03-27 13:19:11.104624419 +0100
-+++ openssh-6.2p1/sshconnect2.c 2013-03-27 13:19:11.149624234 +0100
+diff -up openssh-6.3p1/sshconnect2.c.gsskex openssh-6.3p1/sshconnect2.c
+--- openssh-6.3p1/sshconnect2.c.gsskex 2013-10-11 15:15:17.251216330 +0200
++++ openssh-6.3p1/sshconnect2.c 2013-10-11 15:28:22.617529416 +0200
@@ -162,9 +162,34 @@ ssh_kex2(char *host, struct sockaddr *ho
{
Kex *kex;
@@ -2605,14 +2666,14 @@ diff -up openssh-6.2p1/sshconnect2.c.gsskex openssh-6.2p1/sshconnect2.c
+ orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
+ xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
+ "%s,null", orig);
-+ xfree(gss);
++ free(gss);
+ }
+#endif
+
- if (options.rekey_limit)
- packet_set_rekey_limit((u_int32_t)options.rekey_limit);
-
-@@ -217,10 +253,30 @@ ssh_kex2(char *host, struct sockaddr *ho
+ if (options.rekey_limit || options.rekey_interval)
+ packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+ (time_t)options.rekey_interval);
+@@ -218,10 +254,30 @@ ssh_kex2(char *host, struct sockaddr *ho
kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
@@ -2643,7 +2704,7 @@ diff -up openssh-6.2p1/sshconnect2.c.gsskex openssh-6.2p1/sshconnect2.c
xxx_kex = kex;
dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
-@@ -316,6 +372,7 @@ void input_gssapi_token(int type, u_int3
+@@ -317,6 +373,7 @@ void input_gssapi_token(int type, u_int3
void input_gssapi_hash(int type, u_int32_t, void *);
void input_gssapi_error(int, u_int32_t, void *);
void input_gssapi_errtok(int, u_int32_t, void *);
@@ -2651,7 +2712,7 @@ diff -up openssh-6.2p1/sshconnect2.c.gsskex openssh-6.2p1/sshconnect2.c
#endif
void userauth(Authctxt *, char *);
-@@ -331,6 +388,11 @@ static char *authmethods_get(void);
+@@ -332,6 +389,11 @@ static char *authmethods_get(void);
Authmethod authmethods[] = {
#ifdef GSSAPI
@@ -2663,7 +2724,7 @@ diff -up openssh-6.2p1/sshconnect2.c.gsskex openssh-6.2p1/sshconnect2.c
{"gssapi-with-mic",
userauth_gssapi,
NULL,
-@@ -638,19 +700,31 @@ userauth_gssapi(Authctxt *authctxt)
+@@ -636,19 +698,31 @@ userauth_gssapi(Authctxt *authctxt)
static u_int mech = 0;
OM_uint32 min;
int ok = 0;
@@ -2697,7 +2758,7 @@ diff -up openssh-6.2p1/sshconnect2.c.gsskex openssh-6.2p1/sshconnect2.c
ok = 1; /* Mechanism works */
} else {
mech++;
-@@ -747,8 +821,8 @@ input_gssapi_response(int type, u_int32_
+@@ -745,8 +819,8 @@ input_gssapi_response(int type, u_int32_
{
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
@@ -2708,9 +2769,9 @@ diff -up openssh-6.2p1/sshconnect2.c.gsskex openssh-6.2p1/sshconnect2.c
if (authctxt == NULL)
fatal("input_gssapi_response: no authentication context");
-@@ -858,6 +932,48 @@ input_gssapi_error(int type, u_int32_t p
- xfree(msg);
- xfree(lang);
+@@ -855,6 +929,48 @@ input_gssapi_error(int type, u_int32_t p
+ free(msg);
+ free(lang);
}
+
+int
@@ -2757,10 +2818,10 @@ diff -up openssh-6.2p1/sshconnect2.c.gsskex openssh-6.2p1/sshconnect2.c
#endif /* GSSAPI */
int
-diff -up openssh-6.2p1/sshd.c.gsskex openssh-6.2p1/sshd.c
---- openssh-6.2p1/sshd.c.gsskex 2013-03-27 13:19:11.133624300 +0100
-+++ openssh-6.2p1/sshd.c 2013-03-27 13:19:11.149624234 +0100
-@@ -124,6 +124,10 @@
+diff -up openssh-6.3p1/sshd.c.gsskex openssh-6.3p1/sshd.c
+--- openssh-6.3p1/sshd.c.gsskex 2013-10-11 15:15:17.277216209 +0200
++++ openssh-6.3p1/sshd.c 2013-10-11 15:15:17.294216130 +0200
+@@ -125,6 +125,10 @@
#include "ssh-sandbox.h"
#include "version.h"
@@ -2771,7 +2832,7 @@ diff -up openssh-6.2p1/sshd.c.gsskex openssh-6.2p1/sshd.c
#ifdef LIBWRAP
#include <tcpd.h>
#include <syslog.h>
-@@ -1733,10 +1737,13 @@ main(int ac, char **av)
+@@ -1794,10 +1798,13 @@ main(int ac, char **av)
logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1;
}
@@ -2785,7 +2846,7 @@ diff -up openssh-6.2p1/sshd.c.gsskex openssh-6.2p1/sshd.c
if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
logit("sshd: no hostkeys available -- exiting.");
exit(1);
-@@ -2068,6 +2075,60 @@ main(int ac, char **av)
+@@ -2130,6 +2137,60 @@ main(int ac, char **av)
/* Log the connection. */
verbose("Connection from %.500s port %d", remote_ip, remote_port);
@@ -2846,7 +2907,7 @@ diff -up openssh-6.2p1/sshd.c.gsskex openssh-6.2p1/sshd.c
/*
* We don't want to listen forever unless the other side
* successfully authenticates itself. So we set up an alarm which is
-@@ -2466,6 +2526,48 @@ do_ssh2_kex(void)
+@@ -2551,6 +2612,48 @@ do_ssh2_kex(void)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
@@ -2895,7 +2956,7 @@ diff -up openssh-6.2p1/sshd.c.gsskex openssh-6.2p1/sshd.c
/* start key exchange */
kex = kex_setup(myproposal);
kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
-@@ -2473,6 +2575,13 @@ do_ssh2_kex(void)
+@@ -2558,6 +2661,13 @@ do_ssh2_kex(void)
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -2909,10 +2970,10 @@ diff -up openssh-6.2p1/sshd.c.gsskex openssh-6.2p1/sshd.c
kex->server = 1;
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;
-diff -up openssh-6.2p1/sshd_config.5.gsskex openssh-6.2p1/sshd_config.5
---- openssh-6.2p1/sshd_config.5.gsskex 2013-03-27 13:19:11.129624316 +0100
-+++ openssh-6.2p1/sshd_config.5 2013-03-27 13:19:11.150624230 +0100
-@@ -481,12 +481,40 @@ Specifies whether user authentication ba
+diff -up openssh-6.3p1/sshd_config.5.gsskex openssh-6.3p1/sshd_config.5
+--- openssh-6.3p1/sshd_config.5.gsskex 2013-10-11 15:15:17.274216223 +0200
++++ openssh-6.3p1/sshd_config.5 2013-10-11 15:15:17.294216130 +0200
+@@ -484,12 +484,40 @@ Specifies whether user authentication ba
The default is
.Dq no .
Note that this option applies to protocol version 2 only.
@@ -2953,10 +3014,10 @@ diff -up openssh-6.2p1/sshd_config.5.gsskex openssh-6.2p1/sshd_config.5
.It Cm HostbasedAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful public key client host authentication is allowed
-diff -up openssh-6.2p1/sshd_config.gsskex openssh-6.2p1/sshd_config
---- openssh-6.2p1/sshd_config.gsskex 2013-03-27 13:19:11.133624300 +0100
-+++ openssh-6.2p1/sshd_config 2013-03-27 13:19:11.150624230 +0100
-@@ -89,6 +89,8 @@ ChallengeResponseAuthentication no
+diff -up openssh-6.3p1/sshd_config.gsskex openssh-6.3p1/sshd_config
+--- openssh-6.3p1/sshd_config.gsskex 2013-10-11 15:15:17.277216209 +0200
++++ openssh-6.3p1/sshd_config 2013-10-11 15:15:17.294216130 +0200
+@@ -92,6 +92,8 @@ ChallengeResponseAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
@@ -2965,103 +3026,3 @@ diff -up openssh-6.2p1/sshd_config.gsskex openssh-6.2p1/sshd_config
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
-diff -up openssh-6.2p1/ssh-gss.h.gsskex openssh-6.2p1/ssh-gss.h
---- openssh-6.2p1/ssh-gss.h.gsskex 2013-02-25 01:24:44.000000000 +0100
-+++ openssh-6.2p1/ssh-gss.h 2013-03-27 13:19:11.150624230 +0100
-@@ -1,6 +1,6 @@
- /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
- /*
-- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
-+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
-@@ -61,10 +61,22 @@
-
- #define SSH_GSS_OIDTYPE 0x06
-
-+#define SSH2_MSG_KEXGSS_INIT 30
-+#define SSH2_MSG_KEXGSS_CONTINUE 31
-+#define SSH2_MSG_KEXGSS_COMPLETE 32
-+#define SSH2_MSG_KEXGSS_HOSTKEY 33
-+#define SSH2_MSG_KEXGSS_ERROR 34
-+#define SSH2_MSG_KEXGSS_GROUPREQ 40
-+#define SSH2_MSG_KEXGSS_GROUP 41
-+#define KEX_GSS_GRP1_SHA1_ID "gss-group1-sha1-"
-+#define KEX_GSS_GRP14_SHA1_ID "gss-group14-sha1-"
-+#define KEX_GSS_GEX_SHA1_ID "gss-gex-sha1-"
-+
- typedef struct {
- char *filename;
- char *envvar;
- char *envval;
-+ struct passwd *owner;
- void *data;
- } ssh_gssapi_ccache;
-
-@@ -72,8 +84,11 @@ typedef struct {
- gss_buffer_desc displayname;
- gss_buffer_desc exportedname;
- gss_cred_id_t creds;
-+ gss_name_t name;
- struct ssh_gssapi_mech_struct *mech;
- ssh_gssapi_ccache store;
-+ int used;
-+ int updated;
- } ssh_gssapi_client;
-
- typedef struct ssh_gssapi_mech_struct {
-@@ -84,6 +99,7 @@ typedef struct ssh_gssapi_mech_struct {
- int (*userok) (ssh_gssapi_client *, char *);
- int (*localname) (ssh_gssapi_client *, char **);
- void (*storecreds) (ssh_gssapi_client *);
-+ int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
- } ssh_gssapi_mech;
-
- typedef struct {
-@@ -94,10 +110,11 @@ typedef struct {
- gss_OID oid; /* client */
- gss_cred_id_t creds; /* server */
- gss_name_t client; /* server */
-- gss_cred_id_t client_creds; /* server */
-+ gss_cred_id_t client_creds; /* both */
- } Gssctxt;
-
- extern ssh_gssapi_mech *supported_mechs[];
-+extern Gssctxt *gss_kex_context;
-
- int ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
- void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
-@@ -117,16 +134,30 @@ void ssh_gssapi_build_ctx(Gssctxt **);
- void ssh_gssapi_delete_ctx(Gssctxt **);
- OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
- void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
--int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
-+int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *);
-+OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *);
-+int ssh_gssapi_credentials_updated(Gssctxt *);
-
- /* In the server */
-+typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *,
-+ const char *);
-+char *ssh_gssapi_client_mechanisms(const char *, const char *);
-+char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *,
-+ const char *);
-+gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int);
-+int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *,
-+ const char *);
- OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
--int ssh_gssapi_userok(char *name);
-+int ssh_gssapi_userok(char *name, struct passwd *);
- OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
- void ssh_gssapi_do_child(char ***, u_int *);
- void ssh_gssapi_cleanup_creds(void);
- void ssh_gssapi_storecreds(void);
-
-+char *ssh_gssapi_server_mechanisms(void);
-+int ssh_gssapi_oid_table_ok();
-+
-+int ssh_gssapi_update_creds(ssh_gssapi_ccache *store);
- #endif /* GSSAPI */
-
- #endif /* _SSH_GSS_H */
diff --git a/openssh-6.2p1-keycat.patch b/openssh-6.3p1-keycat.patch
similarity index 87%
rename from openssh-6.2p1-keycat.patch
rename to openssh-6.3p1-keycat.patch
index 41770b3..90cfb7e 100644
--- a/openssh-6.2p1-keycat.patch
+++ b/openssh-6.3p1-keycat.patch
@@ -1,24 +1,6 @@
-diff -up openssh-6.2p1/auth2-pubkey.c.keycat openssh-6.2p1/auth2-pubkey.c
---- openssh-6.2p1/auth2-pubkey.c.keycat 2013-03-25 21:34:17.779978851 +0100
-+++ openssh-6.2p1/auth2-pubkey.c 2013-03-25 21:34:17.798978973 +0100
-@@ -573,6 +573,14 @@ user_key_command_allowed2(struct passwd
- _exit(1);
- }
-
-+#ifdef WITH_SELINUX
-+ if (ssh_selinux_setup_env_variables() < 0) {
-+ error ("failed to copy environment: %s",
-+ strerror(errno));
-+ _exit(127);
-+ }
-+#endif
-+
- execl(options.authorized_keys_command,
- options.authorized_keys_command, user_pw->pw_name, NULL);
-
-diff -up openssh-6.2p1/HOWTO.ssh-keycat.keycat openssh-6.2p1/HOWTO.ssh-keycat
---- openssh-6.2p1/HOWTO.ssh-keycat.keycat 2013-03-25 21:34:17.798978973 +0100
-+++ openssh-6.2p1/HOWTO.ssh-keycat 2013-03-25 21:34:17.798978973 +0100
+diff -up openssh-6.3p1/HOWTO.ssh-keycat.keycat openssh-6.3p1/HOWTO.ssh-keycat
+--- openssh-6.3p1/HOWTO.ssh-keycat.keycat 2013-10-10 15:16:33.445566916 +0200
++++ openssh-6.3p1/HOWTO.ssh-keycat 2013-10-10 15:16:33.445566916 +0200
@@ -0,0 +1,12 @@
+The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
+of an user in any environment. This includes environments with
@@ -32,9 +14,9 @@ diff -up openssh-6.2p1/HOWTO.ssh-keycat.keycat openssh-6.2p1/HOWTO.ssh-keycat
+ PubkeyAuthentication yes
+
+
-diff -up openssh-6.2p1/Makefile.in.keycat openssh-6.2p1/Makefile.in
---- openssh-6.2p1/Makefile.in.keycat 2013-03-25 21:34:17.793978941 +0100
-+++ openssh-6.2p1/Makefile.in 2013-03-25 21:35:48.282559562 +0100
+diff -up openssh-6.3p1/Makefile.in.keycat openssh-6.3p1/Makefile.in
+--- openssh-6.3p1/Makefile.in.keycat 2013-10-10 15:16:33.442566930 +0200
++++ openssh-6.3p1/Makefile.in 2013-10-10 15:16:33.445566916 +0200
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
@@ -52,7 +34,7 @@ diff -up openssh-6.2p1/Makefile.in.keycat openssh-6.2p1/Makefile.in
LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
canohost.o channels.o cipher.o cipher-aes.o \
-@@ -170,6 +171,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
+@@ -172,6 +173,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
@@ -62,7 +44,7 @@ diff -up openssh-6.2p1/Makefile.in.keycat openssh-6.2p1/Makefile.in
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
-@@ -276,6 +280,7 @@ install-files:
+@@ -279,6 +283,7 @@ install-files:
$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
fi
@@ -70,10 +52,28 @@ diff -up openssh-6.2p1/Makefile.in.keycat openssh-6.2p1/Makefile.in
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-diff -up openssh-6.2p1/openbsd-compat/port-linux.c.keycat openssh-6.2p1/openbsd-compat/port-linux.c
---- openssh-6.2p1/openbsd-compat/port-linux.c.keycat 2013-03-25 21:34:17.785978890 +0100
-+++ openssh-6.2p1/openbsd-compat/port-linux.c 2013-03-25 21:34:17.800978986 +0100
-@@ -315,7 +315,7 @@ ssh_selinux_getctxbyname(char *pwname,
+diff -up openssh-6.3p1/auth2-pubkey.c.keycat openssh-6.3p1/auth2-pubkey.c
+--- openssh-6.3p1/auth2-pubkey.c.keycat 2013-10-10 15:16:33.429566992 +0200
++++ openssh-6.3p1/auth2-pubkey.c 2013-10-10 15:16:33.445566916 +0200
+@@ -606,6 +606,14 @@ user_key_command_allowed2(struct passwd
+ _exit(1);
+ }
+
++#ifdef WITH_SELINUX
++ if (ssh_selinux_setup_env_variables() < 0) {
++ error ("failed to copy environment: %s",
++ strerror(errno));
++ _exit(127);
++ }
++#endif
++
+ execl(options.authorized_keys_command,
+ options.authorized_keys_command, user_pw->pw_name, NULL);
+
+diff -up openssh-6.3p1/openbsd-compat/port-linux.c.keycat openssh-6.3p1/openbsd-compat/port-linux.c
+--- openssh-6.3p1/openbsd-compat/port-linux.c.keycat 2013-10-10 15:16:33.435566964 +0200
++++ openssh-6.3p1/openbsd-compat/port-linux.c 2013-10-10 15:32:19.946065189 +0200
+@@ -313,7 +313,7 @@ ssh_selinux_getctxbyname(char *pwname,
/* Setup environment variables for pam_selinux */
static int
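Review bot: The `< 0` test on `ssh_selinux_setup_env_variables()` in the auth2-pubkey.c part looks unable to fire, because the port-linux.c part of this same patch combines the setter results with `rv = rv || set_it(...)` and returns `rv`, and a logical OR only ever yields 0 or 1. If the env wrapper passes that value through (its body is elided by the later hunk, so this is inferred), a failed environment setup would let the child go on to `execl()` the AuthorizedKeysCommand without `SELINUX_ROLE_REQUESTED` / `SELINUX_USE_CURRENT_RANGE` set. Testing for any non-zero result avoids that: `if (ssh_selinux_setup_env_variables() != 0) {`. The `strerror(errno)` in the message is also only meaningful if the setter sets errno, which is not visible here. `user_key_command_allowed2` starts and ends outside the hunk.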
@@ -82,13 +82,13 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.keycat openssh-6.2p1/openbsd-
{
const char *reqlvl;
char *role;
-@@ -326,16 +326,16 @@ ssh_selinux_setup_pam_variables(void)
+@@ -324,16 +324,16 @@ ssh_selinux_setup_pam_variables(void)
ssh_selinux_get_role_level(&role, &reqlvl);
- rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
+ rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
-
+
if (inetd_flag && !rexeced_flag) {
use_current = "1";
} else {
@@ -101,8 +101,8 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.keycat openssh-6.2p1/openbsd-
+ rv = rv || set_it("SELINUX_USE_CURRENT_RANGE", use_current);
if (role != NULL)
- xfree(role);
-@@ -343,6 +343,24 @@ ssh_selinux_setup_pam_variables(void)
+ free(role);
+@@ -341,6 +341,24 @@ ssh_selinux_setup_pam_variables(void)
return rv;
}
@@ -127,9 +127,9 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.keycat openssh-6.2p1/openbsd-
/* Set the execution context to the default for the specified user */
void
ssh_selinux_setup_exec_context(char *pwname)
-diff -up openssh-6.2p1/ssh-keycat.c.keycat openssh-6.2p1/ssh-keycat.c
---- openssh-6.2p1/ssh-keycat.c.keycat 2013-03-25 21:34:17.800978986 +0100
-+++ openssh-6.2p1/ssh-keycat.c 2013-03-25 21:34:17.800978986 +0100
+diff -up openssh-6.3p1/ssh-keycat.c.keycat openssh-6.3p1/ssh-keycat.c
+--- openssh-6.3p1/ssh-keycat.c.keycat 2013-10-10 15:16:33.446566911 +0200
++++ openssh-6.3p1/ssh-keycat.c 2013-10-10 15:16:33.446566911 +0200
@@ -0,0 +1,238 @@
+/*
+ * Redistribution and use in source and binary forms, with or without
diff --git a/openssh-6.2p1-kuserok.patch b/openssh-6.3p1-kuserok.patch
similarity index 63%
rename from openssh-6.2p1-kuserok.patch
rename to openssh-6.3p1-kuserok.patch
index 641ad03..60688db 100644
--- a/openssh-6.2p1-kuserok.patch
+++ b/openssh-6.3p1-kuserok.patch
@@ -1,6 +1,6 @@
-diff -up openssh-6.2p1/auth-krb5.c.kuserok openssh-6.2p1/auth-krb5.c
---- openssh-6.2p1/auth-krb5.c.kuserok 2013-03-25 20:06:51.295558062 +0100
-+++ openssh-6.2p1/auth-krb5.c 2013-03-25 20:06:51.318558207 +0100
+diff -up openssh-6.3p1/auth-krb5.c.kuserok openssh-6.3p1/auth-krb5.c
+--- openssh-6.3p1/auth-krb5.c.kuserok 2013-10-11 21:41:42.889087613 +0200
++++ openssh-6.3p1/auth-krb5.c 2013-10-11 21:41:42.905087537 +0200
@@ -55,6 +55,20 @@
extern ServerOptions options;
@@ -22,7 +22,7 @@ diff -up openssh-6.2p1/auth-krb5.c.kuserok openssh-6.2p1/auth-krb5.c
static int
krb5_init(void *context)
{
-@@ -147,7 +161,7 @@ auth_krb5_password(Authctxt *authctxt, c
+@@ -159,7 +173,7 @@ auth_krb5_password(Authctxt *authctxt, c
if (problem)
goto out;
@@ -31,10 +31,10 @@ diff -up openssh-6.2p1/auth-krb5.c.kuserok openssh-6.2p1/auth-krb5.c
problem = -1;
goto out;
}
-diff -up openssh-6.2p1/gss-serv-krb5.c.kuserok openssh-6.2p1/gss-serv-krb5.c
---- openssh-6.2p1/gss-serv-krb5.c.kuserok 2013-03-25 20:06:51.311558163 +0100
-+++ openssh-6.2p1/gss-serv-krb5.c 2013-03-25 20:06:51.319558214 +0100
-@@ -68,6 +68,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
+diff -up openssh-6.3p1/gss-serv-krb5.c.kuserok openssh-6.3p1/gss-serv-krb5.c
+--- openssh-6.3p1/gss-serv-krb5.c.kuserok 2013-10-11 21:41:42.901087556 +0200
++++ openssh-6.3p1/gss-serv-krb5.c 2013-10-11 21:46:42.898673597 +0200
+@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
int);
static krb5_context krb_context = NULL;
@@ -42,19 +42,19 @@ diff -up openssh-6.2p1/gss-serv-krb5.c.kuserok openssh-6.2p1/gss-serv-krb5.c
/* Initialise the krb5 library, for the stuff that GSSAPI won't do */
-@@ -115,7 +116,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
+@@ -116,7 +117,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
/* NOTE: .k5login and .k5users must opened as root, not the user,
* because if they are on a krb5-protected filesystem, user credentials
* to access these files aren't available yet. */
-- if (krb5_kuserok(krb_context, princ, luser) && k5login_exists) {
-+ if (ssh_krb5_kuserok(krb_context, princ, luser) && k5login_exists) {
+- if (krb5_kuserok(krb_context, princ, name) && k5login_exists) {
++ if (ssh_krb5_kuserok(krb_context, princ, name) && k5login_exists) {
retval = 1;
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
- luser, (char *)client->displayname.value);
-diff -up openssh-6.2p1/servconf.c.kuserok openssh-6.2p1/servconf.c
---- openssh-6.2p1/servconf.c.kuserok 2013-03-25 20:06:51.305558125 +0100
-+++ openssh-6.2p1/servconf.c 2013-03-25 20:06:51.319558214 +0100
-@@ -150,6 +150,7 @@ initialize_server_options(ServerOptions
+ name, (char *)client->displayname.value);
+diff -up openssh-6.3p1/servconf.c.kuserok openssh-6.3p1/servconf.c
+--- openssh-6.3p1/servconf.c.kuserok 2013-10-11 21:41:42.896087580 +0200
++++ openssh-6.3p1/servconf.c 2013-10-11 21:48:24.664194016 +0200
+@@ -157,6 +157,7 @@ initialize_server_options(ServerOptions
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
options->version_addendum = NULL;
@@ -62,7 +62,7 @@ diff -up openssh-6.2p1/servconf.c.kuserok openssh-6.2p1/servconf.c
}
void
-@@ -299,6 +300,8 @@ fill_default_server_options(ServerOption
+@@ -310,6 +311,8 @@ fill_default_server_options(ServerOption
options->version_addendum = xstrdup("");
if (options->show_patchlevel == -1)
options->show_patchlevel = 0;
@@ -71,7 +71,7 @@ diff -up openssh-6.2p1/servconf.c.kuserok openssh-6.2p1/servconf.c
/* Turn privilege separation on by default */
if (use_privsep == -1)
-@@ -325,7 +328,7 @@ typedef enum {
+@@ -336,7 +339,7 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
@@ -80,7 +80,7 @@ diff -up openssh-6.2p1/servconf.c.kuserok openssh-6.2p1/servconf.c
sKerberosTgtPassing, sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
-@@ -397,11 +400,13 @@ static struct {
+@@ -409,11 +412,13 @@ static struct {
#else
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif
@@ -94,7 +94,7 @@ diff -up openssh-6.2p1/servconf.c.kuserok openssh-6.2p1/servconf.c
#endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
-@@ -1460,6 +1465,10 @@ process_server_config_line(ServerOptions
+@@ -1515,6 +1520,10 @@ process_server_config_line(ServerOptions
*activep = value;
break;
@@ -105,15 +105,15 @@ diff -up openssh-6.2p1/servconf.c.kuserok openssh-6.2p1/servconf.c
case sPermitOpen:
arg = strdelim(&cp);
if (!arg || *arg == '\0')
-@@ -1761,6 +1770,7 @@ copy_set_server_options(ServerOptions *d
+@@ -1815,6 +1824,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(max_authtries);
M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk);
+ M_CP_INTOPT(use_kuserok);
+ M_CP_INTOPT(rekey_limit);
+ M_CP_INTOPT(rekey_interval);
- /* See comment in servconf.h */
- COPY_MATCH_STRING_OPTS();
-@@ -1999,6 +2009,7 @@ dump_config(ServerOptions *o)
+@@ -2055,6 +2065,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
@@ -121,10 +121,10 @@ diff -up openssh-6.2p1/servconf.c.kuserok openssh-6.2p1/servconf.c
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
-diff -up openssh-6.2p1/servconf.h.kuserok openssh-6.2p1/servconf.h
---- openssh-6.2p1/servconf.h.kuserok 2013-03-25 20:06:51.305558125 +0100
-+++ openssh-6.2p1/servconf.h 2013-03-25 20:06:51.320558220 +0100
-@@ -173,6 +173,7 @@ typedef struct {
+diff -up openssh-6.3p1/servconf.h.kuserok openssh-6.3p1/servconf.h
+--- openssh-6.3p1/servconf.h.kuserok 2013-10-11 21:41:42.896087580 +0200
++++ openssh-6.3p1/servconf.h 2013-10-11 21:41:42.907087528 +0200
+@@ -174,6 +174,7 @@ typedef struct {
int num_permitted_opens;
@@ -132,21 +132,10 @@ diff -up openssh-6.2p1/servconf.h.kuserok openssh-6.2p1/servconf.h
char *chroot_directory;
char *revoked_keys_file;
char *trusted_user_ca_keys;
-diff -up openssh-6.2p1/sshd_config.kuserok openssh-6.2p1/sshd_config
---- openssh-6.2p1/sshd_config.kuserok 2013-03-25 20:06:51.308558144 +0100
-+++ openssh-6.2p1/sshd_config 2013-03-25 20:06:51.320558220 +0100
-@@ -83,6 +83,7 @@ ChallengeResponseAuthentication no
- #KerberosOrLocalPasswd yes
- #KerberosTicketCleanup yes
- #KerberosGetAFSToken no
-+#KerberosUseKuserok yes
-
- # GSSAPI options
- #GSSAPIAuthentication no
-diff -up openssh-6.2p1/sshd_config.5.kuserok openssh-6.2p1/sshd_config.5
---- openssh-6.2p1/sshd_config.5.kuserok 2013-03-25 20:06:51.308558144 +0100
-+++ openssh-6.2p1/sshd_config.5 2013-03-25 20:08:34.249207272 +0100
-@@ -660,6 +660,10 @@ Specifies whether to automatically destr
+diff -up openssh-6.3p1/sshd_config.5.kuserok openssh-6.3p1/sshd_config.5
+--- openssh-6.3p1/sshd_config.5.kuserok 2013-10-11 21:41:42.898087571 +0200
++++ openssh-6.3p1/sshd_config.5 2013-10-11 21:41:42.907087528 +0200
+@@ -675,6 +675,10 @@ Specifies whether to automatically destr
file on logout.
The default is
.Dq yes .
@@ -157,7 +146,7 @@ diff -up openssh-6.2p1/sshd_config.5.kuserok openssh-6.2p1/sshd_config.5
.It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
-@@ -819,6 +823,7 @@ Available keywords are
+@@ -833,6 +837,7 @@ Available keywords are
.Cm HostbasedUsesNameFromPacketOnly ,
.Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication ,
@@ -165,3 +154,14 @@ diff -up openssh-6.2p1/sshd_config.5.kuserok openssh-6.2p1/sshd_config.5
.Cm MaxAuthTries ,
.Cm MaxSessions ,
.Cm PasswordAuthentication ,
+diff -up openssh-6.3p1/sshd_config.kuserok openssh-6.3p1/sshd_config
+--- openssh-6.3p1/sshd_config.kuserok 2013-10-11 21:41:42.898087571 +0200
++++ openssh-6.3p1/sshd_config 2013-10-11 21:41:42.907087528 +0200
+@@ -86,6 +86,7 @@ ChallengeResponseAuthentication no
+ #KerberosOrLocalPasswd yes
+ #KerberosTicketCleanup yes
+ #KerberosGetAFSToken no
++#KerberosUseKuserok yes
+
+ # GSSAPI options
+ #GSSAPIAuthentication no
diff --git a/openssh-6.2p1-ldap.patch b/openssh-6.3p1-ldap.patch
similarity index 99%
rename from openssh-6.2p1-ldap.patch
rename to openssh-6.3p1-ldap.patch
index 8d717c5..994ef59 100644
--- a/openssh-6.2p1-ldap.patch
+++ b/openssh-6.3p1-ldap.patch
@@ -383,7 +383,7 @@ diff -up openssh-6.2p1/ldapbody.c.ldap openssh-6.2p1/ldapbody.c
+ if ((logfile = fopen (logfilename, "a")) == NULL)
+ fatal ("cannot append to %s: %s", logfilename, strerror (errno));
+ debug3 ("LDAP debug into %s", logfilename);
-+ xfree (logfilename);
++ free (logfilename);
+ ber_set_option (NULL, LBER_OPT_LOG_PRINT_FILE, logfile);
+ }
+#endif
@@ -672,12 +672,12 @@ diff -up openssh-6.2p1/ldapbody.c.ldap openssh-6.2p1/ldapbody.c
+ timeout.tv_usec = 0;
+ if ((rc = ldap_search_st(ld, options.base, options.scope, buffer, attrs, 0, &timeout, &res)) != LDAP_SUCCESS) {
+ error ("ldap_search_st(): %s", ldap_err2string (rc));
-+ xfree (buffer);
++ free (buffer);
+ return;
+ }
+
+ /* free */
-+ xfree (buffer);
++ free (buffer);
+
+ for (e = ldap_first_entry(ld, res); e != NULL; e = ldap_next_entry(ld, e)) {
+ int num;
diff --git a/openssh-6.1p1-privsep-selinux.patch b/openssh-6.3p1-privsep-selinux.patch
similarity index 59%
rename from openssh-6.1p1-privsep-selinux.patch
rename to openssh-6.3p1-privsep-selinux.patch
index 881c71a..529468c 100644
--- a/openssh-6.1p1-privsep-selinux.patch
+++ b/openssh-6.3p1-privsep-selinux.patch
@@ -1,8 +1,8 @@
-diff -up openssh-6.1p1/openbsd-compat/port-linux.c.privsep-selinux openssh-6.1p1/openbsd-compat/port-linux.c
---- openssh-6.1p1/openbsd-compat/port-linux.c.privsep-selinux 2012-11-05 14:46:39.334809203 +0100
-+++ openssh-6.1p1/openbsd-compat/port-linux.c 2012-11-05 14:54:32.614504884 +0100
-@@ -505,6 +505,25 @@ ssh_selinux_change_context(const char *n
- xfree(newctx);
+diff -up openssh-6.3p1/openbsd-compat/port-linux.c.privsep-selinux openssh-6.3p1/openbsd-compat/port-linux.c
+--- openssh-6.3p1/openbsd-compat/port-linux.c.privsep-selinux 2013-10-10 14:58:20.634762245 +0200
++++ openssh-6.3p1/openbsd-compat/port-linux.c 2013-10-10 15:13:57.864306950 +0200
+@@ -503,6 +503,25 @@ ssh_selinux_change_context(const char *n
+ free(newctx);
}
+void
@@ -27,9 +27,9 @@ diff -up openssh-6.1p1/openbsd-compat/port-linux.c.privsep-selinux openssh-6.1p1
#endif /* WITH_SELINUX */
#ifdef LINUX_OOM_ADJUST
-diff -up openssh-6.1p1/openbsd-compat/port-linux.h.privsep-selinux openssh-6.1p1/openbsd-compat/port-linux.h
---- openssh-6.1p1/openbsd-compat/port-linux.h.privsep-selinux 2011-01-25 02:16:18.000000000 +0100
-+++ openssh-6.1p1/openbsd-compat/port-linux.h 2012-11-05 14:46:39.339809234 +0100
+diff -up openssh-6.3p1/openbsd-compat/port-linux.h.privsep-selinux openssh-6.3p1/openbsd-compat/port-linux.h
+--- openssh-6.3p1/openbsd-compat/port-linux.h.privsep-selinux 2011-01-25 02:16:18.000000000 +0100
++++ openssh-6.3p1/openbsd-compat/port-linux.h 2013-10-10 14:58:20.634762245 +0200
@@ -24,6 +24,7 @@ int ssh_selinux_enabled(void);
void ssh_selinux_setup_pty(char *, const char *);
void ssh_selinux_setup_exec_context(char *);
@@ -38,10 +38,10 @@ diff -up openssh-6.1p1/openbsd-compat/port-linux.h.privsep-selinux openssh-6.1p1
void ssh_selinux_setfscreatecon(const char *);
#endif
-diff -up openssh-6.1p1/session.c.privsep-selinux openssh-6.1p1/session.c
---- openssh-6.1p1/session.c.privsep-selinux 2012-12-03 09:43:11.727505761 +0100
-+++ openssh-6.1p1/session.c 2012-12-03 09:54:50.455688902 +0100
-@@ -1519,6 +1519,9 @@ do_setusercontext(struct passwd *pw)
+diff -up openssh-6.3p1/session.c.privsep-selinux openssh-6.3p1/session.c
+--- openssh-6.3p1/session.c.privsep-selinux 2013-10-10 14:58:20.617762326 +0200
++++ openssh-6.3p1/session.c 2013-10-10 15:13:16.520503590 +0200
+@@ -1522,6 +1522,9 @@ do_setusercontext(struct passwd *pw)
pw->pw_uid);
chroot_path = percent_expand(tmp, "h", pw->pw_dir,
"u", pw->pw_name, (char *)NULL);
@@ -51,7 +51,7 @@ diff -up openssh-6.1p1/session.c.privsep-selinux openssh-6.1p1/session.c
safely_chroot(chroot_path, pw->pw_uid);
free(tmp);
free(chroot_path);
-@@ -1533,6 +1536,12 @@ do_setusercontext(struct passwd *pw)
+@@ -1544,6 +1547,12 @@ do_setusercontext(struct passwd *pw)
/* Permanently switch to the desired uid. */
permanently_set_uid(pw);
#endif
@@ -61,10 +61,10 @@ diff -up openssh-6.1p1/session.c.privsep-selinux openssh-6.1p1/session.c
+ strcasecmp(options.chroot_directory, "none") == 0)
+ ssh_selinux_copy_context();
+#endif
- }
-
- if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
-@@ -1787,9 +1796,6 @@ do_child(Session *s, const char *command
+ } else if (options.chroot_directory != NULL &&
+ strcasecmp(options.chroot_directory, "none") != 0) {
+ fatal("server lacks privileges to chroot to ChrootDirectory");
+@@ -1808,9 +1817,6 @@ do_child(Session *s, const char *command
argv[i] = NULL;
optind = optreset = 1;
__progname = argv[0];
@@ -74,10 +74,10 @@ diff -up openssh-6.1p1/session.c.privsep-selinux openssh-6.1p1/session.c
exit(sftp_server_main(i, argv, s->pw));
}
-diff -up openssh-6.1p1/sshd.c.privsep-selinux openssh-6.1p1/sshd.c
---- openssh-6.1p1/sshd.c.privsep-selinux 2013-02-24 11:29:32.997823377 +0100
-+++ openssh-6.1p1/sshd.c 2013-02-24 11:43:34.171182720 +0100
-@@ -653,6 +653,10 @@ privsep_preauth_child(void)
+diff -up openssh-6.3p1/sshd.c.privsep-selinux openssh-6.3p1/sshd.c
+--- openssh-6.3p1/sshd.c.privsep-selinux 2013-10-10 14:58:20.632762255 +0200
++++ openssh-6.3p1/sshd.c 2013-10-10 14:58:20.635762241 +0200
+@@ -668,6 +668,10 @@ privsep_preauth_child(void)
/* Demote the private keys to public keys. */
demote_sensitive_data();
@@ -88,7 +88,7 @@ diff -up openssh-6.1p1/sshd.c.privsep-selinux openssh-6.1p1/sshd.c
/* Change our root directory */
if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
-@@ -794,6 +798,13 @@ privsep_postauth(Authctxt *authctxt)
+@@ -811,6 +815,13 @@ privsep_postauth(Authctxt *authctxt)
do_setusercontext(authctxt->pw);
skip:
diff --git a/openssh-6.1p1-redhat.patch b/openssh-6.3p1-redhat.patch
similarity index 72%
rename from openssh-6.1p1-redhat.patch
rename to openssh-6.3p1-redhat.patch
index a1fa0e5..5b1ec1d 100644
--- a/openssh-6.1p1-redhat.patch
+++ b/openssh-6.3p1-redhat.patch
@@ -1,10 +1,10 @@
-diff -up openssh-6.1p1/ssh_config.redhat openssh-6.1p1/ssh_config
---- openssh-6.1p1/ssh_config.redhat 2010-01-12 09:40:27.000000000 +0100
-+++ openssh-6.1p1/ssh_config 2012-10-26 16:28:51.820340584 +0200
-@@ -45,3 +45,14 @@
- # PermitLocalCommand no
+diff -up openssh-6.3p1/ssh_config.redhat openssh-6.3p1/ssh_config
+--- openssh-6.3p1/ssh_config.redhat 2013-10-11 14:51:18.345876648 +0200
++++ openssh-6.3p1/ssh_config 2013-10-11 15:13:05.429829266 +0200
+@@ -46,3 +46,14 @@
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
+ # RekeyLimit 1G 1h
+Host *
+ GSSAPIAuthentication yes
+# If this option is set to yes then remote X11 clients will have full access
@@ -12,14 +12,14 @@ diff -up openssh-6.1p1/ssh_config.redhat openssh-6.1p1/ssh_config
+# mode correctly we set this to yes.
+ ForwardX11Trusted yes
+# Send locale-related environment variables
-+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
++ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
++ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+ SendEnv XMODIFIERS
-diff -up openssh-6.1p1/sshd_config.0.redhat openssh-6.1p1/sshd_config.0
---- openssh-6.1p1/sshd_config.0.redhat 2012-10-26 16:28:51.762340584 +0200
-+++ openssh-6.1p1/sshd_config.0 2012-10-26 16:28:51.821340584 +0200
-@@ -583,9 +583,9 @@ DESCRIPTION
+diff -up openssh-6.3p1/sshd_config.0.redhat openssh-6.3p1/sshd_config.0
+--- openssh-6.3p1/sshd_config.0.redhat 2013-09-13 08:20:43.000000000 +0200
++++ openssh-6.3p1/sshd_config.0 2013-10-11 14:51:18.345876648 +0200
+@@ -653,9 +653,9 @@ DESCRIPTION
SyslogFacility
Gives the facility code that is used when logging messages from
@@ -32,10 +32,10 @@ diff -up openssh-6.1p1/sshd_config.0.redhat openssh-6.1p1/sshd_config.0
TCPKeepAlive
Specifies whether the system should send TCP keepalive messages
-diff -up openssh-6.1p1/sshd_config.5.redhat openssh-6.1p1/sshd_config.5
---- openssh-6.1p1/sshd_config.5.redhat 2012-10-26 16:28:51.763340584 +0200
-+++ openssh-6.1p1/sshd_config.5 2012-10-26 16:28:51.822340584 +0200
-@@ -1015,7 +1015,7 @@ Note that this option applies to protoco
+diff -up openssh-6.3p1/sshd_config.5.redhat openssh-6.3p1/sshd_config.5
+--- openssh-6.3p1/sshd_config.5.redhat 2013-07-20 05:21:53.000000000 +0200
++++ openssh-6.3p1/sshd_config.5 2013-10-11 14:51:18.346876643 +0200
+@@ -1095,7 +1095,7 @@ Note that this option applies to protoco
.It Cm SyslogFacility
Gives the facility code that is used when logging messages from
.Xr sshd 8 .
@@ -44,9 +44,9 @@ diff -up openssh-6.1p1/sshd_config.5.redhat openssh-6.1p1/sshd_config.5
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.
.It Cm TCPKeepAlive
-diff -up openssh-6.1p1/sshd_config.redhat openssh-6.1p1/sshd_config
---- openssh-6.1p1/sshd_config.redhat 2012-10-26 16:28:51.819340584 +0200
-+++ openssh-6.1p1/sshd_config 2012-10-26 16:31:44.773340564 +0200
+diff -up openssh-6.3p1/sshd_config.redhat openssh-6.3p1/sshd_config
+--- openssh-6.3p1/sshd_config.redhat 2013-10-11 14:51:18.343876657 +0200
++++ openssh-6.3p1/sshd_config 2013-10-11 14:51:18.346876643 +0200
@@ -10,6 +10,10 @@
# possible, but leave them commented. Uncommented options override the
# default value.
@@ -58,7 +58,7 @@ diff -up openssh-6.1p1/sshd_config.redhat openssh-6.1p1/sshd_config
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
-@@ -32,6 +36,7 @@
+@@ -35,6 +39,7 @@
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
@@ -66,7 +66,7 @@ diff -up openssh-6.1p1/sshd_config.redhat openssh-6.1p1/sshd_config
#LogLevel INFO
# Authentication:
-@@ -67,9 +72,11 @@ AuthorizedKeysFile .ssh/authorized_keys
+@@ -70,9 +75,11 @@ AuthorizedKeysFile .ssh/authorized_keys
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
@@ -78,7 +78,7 @@ diff -up openssh-6.1p1/sshd_config.redhat openssh-6.1p1/sshd_config
# Kerberos options
#KerberosAuthentication no
-@@ -79,7 +86,9 @@ AuthorizedKeysFile .ssh/authorized_keys
+@@ -82,7 +89,9 @@ AuthorizedKeysFile .ssh/authorized_keys
# GSSAPI options
#GSSAPIAuthentication no
@@ -88,7 +88,7 @@ diff -up openssh-6.1p1/sshd_config.redhat openssh-6.1p1/sshd_config
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
-@@ -91,11 +100,13 @@ AuthorizedKeysFile .ssh/authorized_keys
+@@ -94,11 +103,13 @@ AuthorizedKeysFile .ssh/authorized_keys
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
@@ -102,7 +102,7 @@ diff -up openssh-6.1p1/sshd_config.redhat openssh-6.1p1/sshd_config
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
-@@ -117,6 +128,12 @@ UsePrivilegeSeparation sandbox # Defaul
+@@ -120,6 +131,12 @@ UsePrivilegeSeparation sandbox # Defaul
# no default banner path
#Banner none
diff --git a/openssh-6.2p1-role-mls.patch b/openssh-6.3p1-role-mls.patch
similarity index 78%
rename from openssh-6.2p1-role-mls.patch
rename to openssh-6.3p1-role-mls.patch
index 3635fef..89d54b3 100644
--- a/openssh-6.2p1-role-mls.patch
+++ b/openssh-6.3p1-role-mls.patch
@@ -1,20 +1,7 @@
-diff -up openssh-6.2p1/auth.h.role-mls openssh-6.2p1/auth.h
---- openssh-6.2p1/auth.h.role-mls 2013-03-25 17:47:00.565746862 +0100
-+++ openssh-6.2p1/auth.h 2013-03-25 17:47:00.602747073 +0100
-@@ -59,6 +59,9 @@ struct Authctxt {
- char *service;
- struct passwd *pw; /* set if 'valid' */
- char *style;
-+#ifdef WITH_SELINUX
-+ char *role;
-+#endif
- void *kbdintctxt;
- void *jpake_ctx;
- #ifdef BSD_AUTH
-diff -up openssh-6.2p1/auth-pam.c.role-mls openssh-6.2p1/auth-pam.c
---- openssh-6.2p1/auth-pam.c.role-mls 2013-03-25 17:47:00.535746690 +0100
-+++ openssh-6.2p1/auth-pam.c 2013-03-25 17:47:00.602747073 +0100
-@@ -1074,7 +1074,7 @@ is_pam_session_open(void)
+diff -up openssh-6.3p1/auth-pam.c.role-mls openssh-6.3p1/auth-pam.c
+--- openssh-6.3p1/auth-pam.c.role-mls 2013-10-10 14:34:43.799494546 +0200
++++ openssh-6.3p1/auth-pam.c 2013-10-10 14:34:43.835494375 +0200
+@@ -1071,7 +1071,7 @@ is_pam_session_open(void)
* during the ssh authentication process.
*/
int
@@ -23,9 +10,9 @@ diff -up openssh-6.2p1/auth-pam.c.role-mls openssh-6.2p1/auth-pam.c
{
int ret = 1;
#ifdef HAVE_PAM_PUTENV
-diff -up openssh-6.2p1/auth-pam.h.role-mls openssh-6.2p1/auth-pam.h
---- openssh-6.2p1/auth-pam.h.role-mls 2004-09-11 14:17:26.000000000 +0200
-+++ openssh-6.2p1/auth-pam.h 2013-03-25 17:47:00.602747073 +0100
+diff -up openssh-6.3p1/auth-pam.h.role-mls openssh-6.3p1/auth-pam.h
+--- openssh-6.3p1/auth-pam.h.role-mls 2004-09-11 14:17:26.000000000 +0200
++++ openssh-6.3p1/auth-pam.h 2013-10-10 14:34:43.835494375 +0200
@@ -38,7 +38,7 @@ void do_pam_session(void);
void do_pam_set_tty(const char *);
void do_pam_setcred(int );
@@ -35,10 +22,23 @@ diff -up openssh-6.2p1/auth-pam.h.role-mls openssh-6.2p1/auth-pam.h
char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void);
void free_pam_environment(char **);
-diff -up openssh-6.2p1/auth1.c.role-mls openssh-6.2p1/auth1.c
---- openssh-6.2p1/auth1.c.role-mls 2012-12-02 23:53:20.000000000 +0100
-+++ openssh-6.2p1/auth1.c 2013-03-25 17:47:00.600747062 +0100
-@@ -386,6 +386,9 @@ do_authentication(Authctxt *authctxt)
+diff -up openssh-6.3p1/auth.h.role-mls openssh-6.3p1/auth.h
+--- openssh-6.3p1/auth.h.role-mls 2013-10-10 14:34:43.834494379 +0200
++++ openssh-6.3p1/auth.h 2013-10-10 14:38:45.060348227 +0200
+@@ -59,6 +59,9 @@ struct Authctxt {
+ char *service;
+ struct passwd *pw; /* set if 'valid' */
+ char *style;
++#ifdef WITH_SELINUX
++ char *role;
++#endif
+ void *kbdintctxt;
+ char *info; /* Extra info for next auth_log */
+ void *jpake_ctx;
+diff -up openssh-6.3p1/auth1.c.role-mls openssh-6.3p1/auth1.c
+--- openssh-6.3p1/auth1.c.role-mls 2013-06-02 00:01:24.000000000 +0200
++++ openssh-6.3p1/auth1.c 2013-10-10 14:34:43.835494375 +0200
+@@ -381,6 +381,9 @@ do_authentication(Authctxt *authctxt)
{
u_int ulen;
char *user, *style = NULL;
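Review bot: `role` is added to `struct Authctxt` only inside `#ifdef WITH_SELINUX`, but the rebased auth2-pubkey.c section of this patch now passes `authctxt->role ? "/" : ""` and `authctxt->role ? authctxt->role : ""` to `xasprintf` with no guard, whereas the 6.2p1 version kept its role handling under `#ifdef WITH_SELINUX`. A build without SELinux would therefore fail to compile in `userauth_pubkey`. Either declare `char *role;` unconditionally here, or keep the five-argument `xasprintf` under `#ifdef WITH_SELINUX` with the original three-argument call in an `#else` branch. The struct definition continues outside the hunk.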
@@ -48,7 +48,7 @@ diff -up openssh-6.2p1/auth1.c.role-mls openssh-6.2p1/auth1.c
/* Get the name of the user that we wish to log in as. */
packet_read_expect(SSH_CMSG_USER);
-@@ -394,11 +397,24 @@ do_authentication(Authctxt *authctxt)
+@@ -389,11 +392,24 @@ do_authentication(Authctxt *authctxt)
user = packet_get_cstring(&ulen);
packet_check_eom();
@@ -73,52 +73,10 @@ diff -up openssh-6.2p1/auth1.c.role-mls openssh-6.2p1/auth1.c
/* Verify that the user is a valid user. */
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
-diff -up openssh-6.2p1/auth2.c.role-mls openssh-6.2p1/auth2.c
---- openssh-6.2p1/auth2.c.role-mls 2013-03-25 17:47:00.556746810 +0100
-+++ openssh-6.2p1/auth2.c 2013-03-25 17:47:00.600747062 +0100
-@@ -218,6 +218,9 @@ input_userauth_request(int type, u_int32
- Authctxt *authctxt = ctxt;
- Authmethod *m = NULL;
- char *user, *service, *method, *style = NULL;
-+#ifdef WITH_SELINUX
-+ char *role = NULL;
-+#endif
- int authenticated = 0;
-
- if (authctxt == NULL)
-@@ -229,6 +232,11 @@ input_userauth_request(int type, u_int32
- debug("userauth-request for user %s service %s method %s", user, service, method);
- debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
-
-+#ifdef WITH_SELINUX
-+ if ((role = strchr(user, '/')) != NULL)
-+ *role++ = 0;
-+#endif
-+
- if ((style = strchr(user, ':')) != NULL)
- *style++ = 0;
-
-@@ -251,8 +259,15 @@ input_userauth_request(int type, u_int32
- use_privsep ? " [net]" : "");
- authctxt->service = xstrdup(service);
- authctxt->style = style ? xstrdup(style) : NULL;
-- if (use_privsep)
-+#ifdef WITH_SELINUX
-+ authctxt->role = role ? xstrdup(role) : NULL;
-+#endif
-+ if (use_privsep) {
- mm_inform_authserv(service, style);
-+#ifdef WITH_SELINUX
-+ mm_inform_authrole(role);
-+#endif
-+ }
- userauth_banner();
- if (auth2_setup_methods_lists(authctxt) != 0)
- packet_disconnect("no authentication methods enabled");
-diff -up openssh-6.2p1/auth2-gss.c.role-mls openssh-6.2p1/auth2-gss.c
---- openssh-6.2p1/auth2-gss.c.role-mls 2012-12-02 23:53:20.000000000 +0100
-+++ openssh-6.2p1/auth2-gss.c 2013-03-25 17:47:00.601747067 +0100
-@@ -260,6 +260,7 @@ input_gssapi_mic(int type, u_int32_t ple
+diff -up openssh-6.3p1/auth2-gss.c.role-mls openssh-6.3p1/auth2-gss.c
+--- openssh-6.3p1/auth2-gss.c.role-mls 2013-06-01 23:31:18.000000000 +0200
++++ openssh-6.3p1/auth2-gss.c 2013-10-10 14:34:43.836494370 +0200
+@@ -256,6 +256,7 @@ input_gssapi_mic(int type, u_int32_t ple
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
int authenticated = 0;
@@ -126,7 +84,7 @@ diff -up openssh-6.2p1/auth2-gss.c.role-mls openssh-6.2p1/auth2-gss.c
Buffer b;
gss_buffer_desc mic, gssbuf;
u_int len;
-@@ -272,7 +273,13 @@ input_gssapi_mic(int type, u_int32_t ple
+@@ -268,7 +269,13 @@ input_gssapi_mic(int type, u_int32_t ple
mic.value = packet_get_string(&len);
mic.length = len;
@@ -141,18 +99,18 @@ diff -up openssh-6.2p1/auth2-gss.c.role-mls openssh-6.2p1/auth2-gss.c
"gssapi-with-mic");
gssbuf.value = buffer_ptr(&b);
-@@ -284,6 +291,8 @@ input_gssapi_mic(int type, u_int32_t ple
+@@ -280,6 +287,8 @@ input_gssapi_mic(int type, u_int32_t ple
logit("GSSAPI MIC check failed");
buffer_free(&b);
+ if (micuser != authctxt->user)
-+ xfree(micuser);
- xfree(mic.value);
++ free(micuser);
+ free(mic.value);
authctxt->postponed = 0;
-diff -up openssh-6.2p1/auth2-hostbased.c.role-mls openssh-6.2p1/auth2-hostbased.c
---- openssh-6.2p1/auth2-hostbased.c.role-mls 2013-03-25 17:47:00.565746862 +0100
-+++ openssh-6.2p1/auth2-hostbased.c 2013-03-25 17:47:00.601747067 +0100
+diff -up openssh-6.3p1/auth2-hostbased.c.role-mls openssh-6.3p1/auth2-hostbased.c
+--- openssh-6.3p1/auth2-hostbased.c.role-mls 2013-10-10 14:34:43.818494455 +0200
++++ openssh-6.3p1/auth2-hostbased.c 2013-10-10 14:34:43.836494370 +0200
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
buffer_put_string(&b, session_id2, session_id2_len);
/* reconstruct packet */
@@ -170,30 +128,69 @@ diff -up openssh-6.2p1/auth2-hostbased.c.role-mls openssh-6.2p1/auth2-hostbased.
buffer_put_cstring(&b, service);
buffer_put_cstring(&b, "hostbased");
buffer_put_string(&b, pkalg, alen);
-diff -up openssh-6.2p1/auth2-pubkey.c.role-mls openssh-6.2p1/auth2-pubkey.c
---- openssh-6.2p1/auth2-pubkey.c.role-mls 2013-03-25 17:47:00.565746862 +0100
-+++ openssh-6.2p1/auth2-pubkey.c 2013-03-25 17:47:00.601747067 +0100
-@@ -127,7 +127,15 @@ userauth_pubkey(Authctxt *authctxt)
+diff -up openssh-6.3p1/auth2-pubkey.c.role-mls openssh-6.3p1/auth2-pubkey.c
+--- openssh-6.3p1/auth2-pubkey.c.role-mls 2013-10-10 14:34:43.836494370 +0200
++++ openssh-6.3p1/auth2-pubkey.c 2013-10-10 14:57:17.452062486 +0200
+@@ -127,9 +127,11 @@ userauth_pubkey(Authctxt *authctxt)
}
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
-- buffer_put_cstring(&b, authctxt->user);
+- xasprintf(&userstyle, "%s%s%s", authctxt->user,
++ xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
+ authctxt->style ? ":" : "",
+- authctxt->style ? authctxt->style : "");
++ authctxt->style ? authctxt->style : "",
++ authctxt->role ? "/" : "",
++ authctxt->role ? authctxt->role : "");
+ buffer_put_cstring(&b, userstyle);
+ free(userstyle);
+ buffer_put_cstring(&b,
+diff -up openssh-6.3p1/auth2.c.role-mls openssh-6.3p1/auth2.c
+--- openssh-6.3p1/auth2.c.role-mls 2013-10-10 14:34:43.819494451 +0200
++++ openssh-6.3p1/auth2.c 2013-10-10 14:34:43.835494375 +0200
+@@ -221,6 +221,9 @@ input_userauth_request(int type, u_int32
+ Authctxt *authctxt = ctxt;
+ Authmethod *m = NULL;
+ char *user, *service, *method, *style = NULL;
+#ifdef WITH_SELINUX
-+ if (authctxt->role) {
-+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
-+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
-+ buffer_put_char(&b, '/');
-+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
-+ } else
++ char *role = NULL;
+#endif
-+ buffer_put_cstring(&b, authctxt->user);
- buffer_put_cstring(&b,
- datafellows & SSH_BUG_PKSERVICE ?
- "ssh-userauth" :
-diff -up openssh-6.2p1/misc.c.role-mls openssh-6.2p1/misc.c
---- openssh-6.2p1/misc.c.role-mls 2011-09-22 13:34:36.000000000 +0200
-+++ openssh-6.2p1/misc.c 2013-03-25 17:47:00.603747079 +0100
-@@ -427,6 +427,7 @@ char *
+ int authenticated = 0;
+
+ if (authctxt == NULL)
+@@ -232,6 +235,11 @@ input_userauth_request(int type, u_int32
+ debug("userauth-request for user %s service %s method %s", user, service, method);
+ debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
+
++#ifdef WITH_SELINUX
++ if ((role = strchr(user, '/')) != NULL)
++ *role++ = 0;
++#endif
++
+ if ((style = strchr(user, ':')) != NULL)
+ *style++ = 0;
+
+@@ -254,8 +262,15 @@ input_userauth_request(int type, u_int32
+ use_privsep ? " [net]" : "");
+ authctxt->service = xstrdup(service);
+ authctxt->style = style ? xstrdup(style) : NULL;
+- if (use_privsep)
++#ifdef WITH_SELINUX
++ authctxt->role = role ? xstrdup(role) : NULL;
++#endif
++ if (use_privsep) {
+ mm_inform_authserv(service, style);
++#ifdef WITH_SELINUX
++ mm_inform_authrole(role);
++#endif
++ }
+ userauth_banner();
+ if (auth2_setup_methods_lists(authctxt) != 0)
+ packet_disconnect("no authentication methods enabled");
+diff -up openssh-6.3p1/misc.c.role-mls openssh-6.3p1/misc.c
+--- openssh-6.3p1/misc.c.role-mls 2013-08-08 04:50:06.000000000 +0200
++++ openssh-6.3p1/misc.c 2013-10-10 14:34:43.836494370 +0200
+@@ -429,6 +429,7 @@ char *
colon(char *cp)
{
int flag = 0;
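Review bot: The new `xasprintf` call in the `userauth_pubkey` hunk reads `authctxt->role` unconditionally, while the code it replaces and the new `input_userauth_request` hunks in auth2.c keep every role reference inside `#ifdef WITH_SELINUX`. If the `role` member of `Authctxt` is declared only under that macro (its declaration is not visible here), a build without SELinux no longer compiles. Guarding the two role arguments keeps this hunk consistent with the rest of the patch. The body of `userauth_pubkey` continues outside the hunk.

```c
	xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
	    authctxt->style ? ":" : "",
	    authctxt->style ? authctxt->style : "",
#ifdef WITH_SELINUX
	    authctxt->role ? "/" : "",
	    authctxt->role ? authctxt->role : ""
#else
	    "", ""
#endif
	    );
	/* … unchanged: buffer_put_cstring(&b, userstyle); free(userstyle); … */
```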
@@ -201,7 +198,7 @@ diff -up openssh-6.2p1/misc.c.role-mls openssh-6.2p1/misc.c
if (*cp == ':') /* Leading colon is part of file name. */
return NULL;
-@@ -442,6 +443,13 @@ colon(char *cp)
+@@ -444,6 +445,13 @@ colon(char *cp)
return (cp);
if (*cp == '/')
return NULL;
@@ -215,10 +212,10 @@ diff -up openssh-6.2p1/misc.c.role-mls openssh-6.2p1/misc.c
}
return NULL;
}
-diff -up openssh-6.2p1/monitor.c.role-mls openssh-6.2p1/monitor.c
---- openssh-6.2p1/monitor.c.role-mls 2013-03-25 17:47:00.587746987 +0100
-+++ openssh-6.2p1/monitor.c 2013-03-25 17:47:00.604747085 +0100
-@@ -148,6 +148,9 @@ int mm_answer_sign(int, Buffer *);
+diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c
+--- openssh-6.3p1/monitor.c.role-mls 2013-10-10 14:34:43.821494441 +0200
++++ openssh-6.3p1/monitor.c 2013-10-10 14:54:57.933725463 +0200
+@@ -149,6 +149,9 @@ int mm_answer_sign(int, Buffer *);
int mm_answer_pwnamallow(int, Buffer *);
int mm_answer_auth2_read_banner(int, Buffer *);
int mm_answer_authserv(int, Buffer *);
@@ -228,7 +225,7 @@ diff -up openssh-6.2p1/monitor.c.role-mls openssh-6.2p1/monitor.c
int mm_answer_authpassword(int, Buffer *);
int mm_answer_bsdauthquery(int, Buffer *);
int mm_answer_bsdauthrespond(int, Buffer *);
-@@ -232,6 +235,9 @@ struct mon_table mon_dispatch_proto20[]
+@@ -233,6 +236,9 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -238,7 +235,7 @@ diff -up openssh-6.2p1/monitor.c.role-mls openssh-6.2p1/monitor.c
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
-@@ -846,6 +852,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
+@@ -853,6 +859,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
else {
/* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -248,7 +245,7 @@ diff -up openssh-6.2p1/monitor.c.role-mls openssh-6.2p1/monitor.c
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
}
#ifdef USE_PAM
-@@ -889,6 +898,25 @@ mm_answer_authserv(int sock, Buffer *m)
+@@ -894,6 +903,25 @@ mm_answer_authserv(int sock, Buffer *m)
return (0);
}
@@ -263,7 +260,7 @@ diff -up openssh-6.2p1/monitor.c.role-mls openssh-6.2p1/monitor.c
+ __func__, authctxt->role);
+
+ if (strlen(authctxt->role) == 0) {
-+ xfree(authctxt->role);
++ free(authctxt->role);
+ authctxt->role = NULL;
+ }
+
@@ -274,45 +271,45 @@ diff -up openssh-6.2p1/monitor.c.role-mls openssh-6.2p1/monitor.c
int
mm_answer_authpassword(int sock, Buffer *m)
{
-@@ -1262,7 +1290,7 @@ static int
+@@ -1269,7 +1297,7 @@ static int
monitor_valid_userblob(u_char *data, u_int datalen)
{
Buffer b;
-- char *p;
-+ char *p, *r;
+- char *p, *userstyle;
++ char *p, *r, *userstyle;
u_int len;
int fail = 0;
-@@ -1288,6 +1316,8 @@ monitor_valid_userblob(u_char *data, u_i
+@@ -1295,6 +1323,8 @@ monitor_valid_userblob(u_char *data, u_i
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
- p = buffer_get_string(&b, NULL);
+ p = buffer_get_cstring(&b, NULL);
+ if ((r = strchr(p, '/')) != NULL)
+ *r = '\0';
- if (strcmp(authctxt->user, p) != 0) {
- logit("wrong user name passed to monitor: expected %s != %.100s",
- authctxt->user, p);
-@@ -1319,7 +1349,7 @@ monitor_valid_hostbasedblob(u_char *data
+ xasprintf(&userstyle, "%s%s%s", authctxt->user,
+ authctxt->style ? ":" : "",
+ authctxt->style ? authctxt->style : "");
+@@ -1330,7 +1360,7 @@ monitor_valid_hostbasedblob(u_char *data
char *chost)
{
Buffer b;
-- char *p;
-+ char *p, *r;
+- char *p, *userstyle;
++ char *p, *r, *userstyle;
u_int len;
int fail = 0;
-@@ -1336,6 +1366,8 @@ monitor_valid_hostbasedblob(u_char *data
+@@ -1347,6 +1377,8 @@ monitor_valid_hostbasedblob(u_char *data
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
- p = buffer_get_string(&b, NULL);
+ p = buffer_get_cstring(&b, NULL);
+ if ((r = strchr(p, '/')) != NULL)
+ *r = '\0';
- if (strcmp(authctxt->user, p) != 0) {
- logit("wrong user name passed to monitor: expected %s != %.100s",
- authctxt->user, p);
-diff -up openssh-6.2p1/monitor.h.role-mls openssh-6.2p1/monitor.h
---- openssh-6.2p1/monitor.h.role-mls 2013-03-25 17:47:00.605747090 +0100
-+++ openssh-6.2p1/monitor.h 2013-03-25 17:50:00.824775483 +0100
+ xasprintf(&userstyle, "%s%s%s", authctxt->user,
+ authctxt->style ? ":" : "",
+ authctxt->style ? authctxt->style : "");
+diff -up openssh-6.3p1/monitor.h.role-mls openssh-6.3p1/monitor.h
+--- openssh-6.3p1/monitor.h.role-mls 2013-10-10 14:34:43.821494441 +0200
++++ openssh-6.3p1/monitor.h 2013-10-10 14:34:43.837494365 +0200
@@ -61,6 +61,9 @@ enum monitor_reqtype {
MONITOR_REQ_JPAKE_STEP2 = 56, MONITOR_ANS_JPAKE_STEP2 = 57,
MONITOR_REQ_JPAKE_KEY_CONFIRM = 58, MONITOR_ANS_JPAKE_KEY_CONFIRM = 59,
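Review bot: In `monitor_valid_userblob` the added `strchr(p, '/')` split cuts the role suffix off the user string read from the signed blob, and nothing visible compares that suffix with `authctxt->role`; the `userstyle` string built right after holds only user and style. The monitor therefore appears to accept any role suffix in the data it validates, even though `userauth_pubkey` now writes `/role` into that data. Consider checking the suffix after the split, e.g. `if (strcmp(r ? r + 1 : "", authctxt->role ? authctxt->role : "") != 0) fail++;`, under `#ifdef WITH_SELINUX` if the field is conditional. `monitor_valid_hostbasedblob` has the same split, and both function bodies continue outside the hunk, so the final comparison should be confirmed there.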
@@ -323,10 +320,10 @@ diff -up openssh-6.2p1/monitor.h.role-mls openssh-6.2p1/monitor.h
MONITOR_REQ_PAM_START = 100,
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
-diff -up openssh-6.2p1/monitor_wrap.c.role-mls openssh-6.2p1/monitor_wrap.c
---- openssh-6.2p1/monitor_wrap.c.role-mls 2013-03-25 17:47:00.588746993 +0100
-+++ openssh-6.2p1/monitor_wrap.c 2013-03-25 17:47:00.605747090 +0100
-@@ -336,6 +336,25 @@ mm_inform_authserv(char *service, char *
+diff -up openssh-6.3p1/monitor_wrap.c.role-mls openssh-6.3p1/monitor_wrap.c
+--- openssh-6.3p1/monitor_wrap.c.role-mls 2013-10-10 14:34:43.822494436 +0200
++++ openssh-6.3p1/monitor_wrap.c 2013-10-10 14:34:43.838494360 +0200
+@@ -338,6 +338,25 @@ mm_inform_authserv(char *service, char *
buffer_free(&m);
}
@@ -352,9 +349,9 @@ diff -up openssh-6.2p1/monitor_wrap.c.role-mls openssh-6.2p1/monitor_wrap.c
/* Do the password authentication */
int
mm_auth_password(Authctxt *authctxt, char *password)
-diff -up openssh-6.2p1/monitor_wrap.h.role-mls openssh-6.2p1/monitor_wrap.h
---- openssh-6.2p1/monitor_wrap.h.role-mls 2013-03-25 17:47:00.588746993 +0100
-+++ openssh-6.2p1/monitor_wrap.h 2013-03-25 17:47:00.605747090 +0100
+diff -up openssh-6.3p1/monitor_wrap.h.role-mls openssh-6.3p1/monitor_wrap.h
+--- openssh-6.3p1/monitor_wrap.h.role-mls 2013-10-10 14:34:43.822494436 +0200
++++ openssh-6.3p1/monitor_wrap.h 2013-10-10 14:34:43.838494360 +0200
@@ -42,6 +42,9 @@ int mm_is_monitor(void);
DH *mm_choose_dh(int, int, int);
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
@@ -365,9 +362,9 @@ diff -up openssh-6.2p1/monitor_wrap.h.role-mls openssh-6.2p1/monitor_wrap.h
struct passwd *mm_getpwnamallow(const char *);
char *mm_auth2_read_banner(void);
int mm_auth_password(struct Authctxt *, char *);
-diff -up openssh-6.2p1/openbsd-compat/Makefile.in.role-mls openssh-6.2p1/openbsd-compat/Makefile.in
---- openssh-6.2p1/openbsd-compat/Makefile.in.role-mls 2013-03-25 17:47:00.606747096 +0100
-+++ openssh-6.2p1/openbsd-compat/Makefile.in 2013-03-25 17:50:36.024979473 +0100
+diff -up openssh-6.3p1/openbsd-compat/Makefile.in.role-mls openssh-6.3p1/openbsd-compat/Makefile.in
+--- openssh-6.3p1/openbsd-compat/Makefile.in.role-mls 2013-05-10 08:28:56.000000000 +0200
++++ openssh-6.3p1/openbsd-compat/Makefile.in 2013-10-10 14:34:43.838494360 +0200
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
@@ -377,9 +374,9 @@ diff -up openssh-6.2p1/openbsd-compat/Makefile.in.role-mls openssh-6.2p1/openbsd
.c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
-diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbsd-compat/port-linux.c
---- openssh-6.2p1/openbsd-compat/port-linux.c.role-mls 2012-03-09 00:25:18.000000000 +0100
-+++ openssh-6.2p1/openbsd-compat/port-linux.c 2013-03-25 17:47:00.606747096 +0100
+diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbsd-compat/port-linux.c
+--- openssh-6.3p1/openbsd-compat/port-linux.c.role-mls 2013-06-02 00:07:32.000000000 +0200
++++ openssh-6.3p1/openbsd-compat/port-linux.c 2013-10-10 14:40:41.841793347 +0200
@@ -31,68 +31,271 @@
#include "log.h"
@@ -419,7 +416,8 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs
+static int
+send_audit_message(int success, security_context_t default_context,
+ security_context_t selected_context)
-+{
+ {
+- static int enabled = -1;
+ int rc=0;
+#ifdef HAVE_LINUX_AUDIT
+ char *msg = NULL;
@@ -465,8 +463,7 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs
+
+static int
+mls_range_allowed(security_context_t src, security_context_t dst)
- {
-- static int enabled = -1;
++{
+ struct av_decision avd;
+ int retval;
+ unsigned int bit = CONTEXT__CONTAINS;
@@ -683,16 +680,16 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs
}
#ifdef HAVE_GETSEUSERBYNAME
-@@ -102,7 +305,42 @@ ssh_selinux_getctxbyname(char *pwname)
- xfree(lvl);
+@@ -100,7 +303,42 @@ ssh_selinux_getctxbyname(char *pwname)
+ free(lvl);
#endif
- return sc;
+ if (role != NULL)
-+ xfree(role);
++ free(role);
+ if (con)
+ context_free(con);
-+
++
+ return (r);
+}
+
@@ -710,7 +707,7 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs
+ ssh_selinux_get_role_level(&role, &reqlvl);
+
+ rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
-+
++
+ if (inetd_flag && !rexeced_flag) {
+ use_current = "1";
+ } else {
@@ -721,13 +718,13 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs
+ rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current);
+
+ if (role != NULL)
-+ xfree(role);
-+
++ free(role);
++
+ return rv;
}
/* Set the execution context to the default for the specified user */
-@@ -110,28 +348,71 @@ void
+@@ -108,28 +346,71 @@ void
ssh_selinux_setup_exec_context(char *pwname)
{
security_context_t user_ctx = NULL;
@@ -806,7 +803,7 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs
debug3("%s: done", __func__);
}
-@@ -149,7 +430,10 @@ ssh_selinux_setup_pty(char *pwname, cons
+@@ -147,7 +428,10 @@ ssh_selinux_setup_pty(char *pwname, cons
debug3("%s: setting TTY context on %s", __func__, tty);
@@ -818,8 +815,8 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs
/* XXX: should these calls fatal() upon failure in enforcing mode? */
-@@ -221,21 +505,6 @@ ssh_selinux_change_context(const char *n
- xfree(newctx);
+@@ -219,21 +503,6 @@ ssh_selinux_change_context(const char *n
+ free(newctx);
}
-void
@@ -840,9 +837,9 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs
#endif /* WITH_SELINUX */
#ifdef LINUX_OOM_ADJUST
-diff -up openssh-6.2p1/openbsd-compat/port-linux_part_2.c.role-mls openssh-6.2p1/openbsd-compat/port-linux_part_2.c
---- openssh-6.2p1/openbsd-compat/port-linux_part_2.c.role-mls 2013-03-25 17:47:00.607747102 +0100
-+++ openssh-6.2p1/openbsd-compat/port-linux_part_2.c 2013-03-25 17:47:00.607747102 +0100
+diff -up openssh-6.3p1/openbsd-compat/port-linux_part_2.c.role-mls openssh-6.3p1/openbsd-compat/port-linux_part_2.c
+--- openssh-6.3p1/openbsd-compat/port-linux_part_2.c.role-mls 2013-10-10 14:34:43.839494355 +0200
++++ openssh-6.3p1/openbsd-compat/port-linux_part_2.c 2013-10-10 14:34:43.839494355 +0200
@@ -0,0 +1,75 @@
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
+
@@ -919,10 +916,10 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux_part_2.c.role-mls openssh-6.2p1
+#endif /* WITH_SELINUX */
+
+#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */
-diff -up openssh-6.2p1/sshd.c.role-mls openssh-6.2p1/sshd.c
---- openssh-6.2p1/sshd.c.role-mls 2013-03-25 17:47:00.589746999 +0100
-+++ openssh-6.2p1/sshd.c 2013-03-25 17:47:00.607747102 +0100
-@@ -2118,6 +2118,9 @@ main(int ac, char **av)
+diff -up openssh-6.3p1/sshd.c.role-mls openssh-6.3p1/sshd.c
+--- openssh-6.3p1/sshd.c.role-mls 2013-10-10 14:34:43.824494427 +0200
++++ openssh-6.3p1/sshd.c 2013-10-10 14:34:43.839494355 +0200
+@@ -2179,6 +2179,9 @@ main(int ac, char **av)
restore_uid();
}
#endif
diff --git a/sources b/sources
index e814a99..d790eb8 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-be46174dcbb77ebb4ea88ef140685de1 openssh-6.2p2.tar.gz
+225e75c9856f76011966013163784038 openssh-6.3p1.tar.gz