components/openssh/patches/023-gsskex.patch
author Tomas Kuthan <tomas.kuthan@oracle.com>
Fri, 27 Jan 2017 14:23:05 -0800
branchs11u3-sru
changeset 7621 c11a68c3a63d
parent 7620 c60efbddf9c8
child 7946 165bf092aa9c
permissions -rw-r--r--
18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
     1
#
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
     2
# GSS-API key exchange support
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
     3
#
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
     4
# Based on https://github.com/SimonWilkinson/gss-openssh/commit/ffae842
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
     5
# Updated to apply to OpenSSH 6.5.
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
     6
# Default value for GSSAPIKeyExchange changed to yes to match SunSSH behavior.
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
     7
# New files kexgssc.c and kexgsss.c moved to ../sources/ and made cstyle clean.
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
     8
#
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
     9
# Update Sep 5, 2016:
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    10
# Upstream renamed and moved canohost.c`get_canonical_hostname to sshd-specific
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    11
# auth.c`auth_get_canonical_hostname. In Solaris specific GSS-API key exchange
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    12
# code we need this functionality on the client side too, for canonicalizing
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    13
# server hostbased service principal. We have moved remote_hostname back to
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    14
# canohost.c.
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    15
#
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    16
# TODO:
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    17
# When we upgrade Kerberos in Solaris to future version 1.15, we will use
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    18
# krb5_expand_hostname for hostname canonicalization instead.
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    19
#
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
    20
# Upstream rejected GSS-API key exchange several times before.
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
    21
#
7621
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
    22
diff -pur old/Makefile.in new/Makefile.in
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
    23
--- old/Makefile.in
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
    24
+++ new/Makefile.in
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    25
@@ -85,6 +85,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    26
 	atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o utf8.o \
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
    27
 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
    28
 	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
    29
+	kexgssc.o \
7621
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
    30
 	sftp_provider.o \
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
    31
 	ssh-pkcs11.o smult_curve25519_ref.o \
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
    32
 	poly1305.o chacha.o cipher-chachapoly.o \
7621
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
    33
@@ -106,7 +107,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
    34
 	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
    35
 	auth2-none.o auth2-passwd.o auth2-pubkey.o \
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
    36
 	monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
    37
-	auth2-gss.o gss-serv.o gss-serv-krb5.o \
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
    38
+	auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
    39
 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
7621
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
    40
 	sftp-server.o sftp-common.o sftp_provider.o \
6076
0d5715bee554 PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents: 5324
diff changeset
    41
 	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
7621
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
    42
diff -pur old/auth.c new/auth.c
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
    43
--- old/auth.c
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
    44
+++ new/auth.c
7594
022a611ded2d 25135484 auth_root_allowed: clasify 'gssapi-keyex' method as passwordless
Jan Parcel <jan.parcel@oracle.com>
parents: 7320
diff changeset
    45
@@ -363,6 +363,7 @@ auth_root_allowed(const char *method)
022a611ded2d 25135484 auth_root_allowed: clasify 'gssapi-keyex' method as passwordless
Jan Parcel <jan.parcel@oracle.com>
parents: 7320
diff changeset
    46
 	case PERMIT_NO_PASSWD:
022a611ded2d 25135484 auth_root_allowed: clasify 'gssapi-keyex' method as passwordless
Jan Parcel <jan.parcel@oracle.com>
parents: 7320
diff changeset
    47
 		if (strcmp(method, "publickey") == 0 ||
022a611ded2d 25135484 auth_root_allowed: clasify 'gssapi-keyex' method as passwordless
Jan Parcel <jan.parcel@oracle.com>
parents: 7320
diff changeset
    48
 		    strcmp(method, "hostbased") == 0 ||
022a611ded2d 25135484 auth_root_allowed: clasify 'gssapi-keyex' method as passwordless
Jan Parcel <jan.parcel@oracle.com>
parents: 7320
diff changeset
    49
+		    strcmp(method, "gssapi-keyex") == 0 ||
022a611ded2d 25135484 auth_root_allowed: clasify 'gssapi-keyex' method as passwordless
Jan Parcel <jan.parcel@oracle.com>
parents: 7320
diff changeset
    50
 		    strcmp(method, "gssapi-with-mic") == 0)
022a611ded2d 25135484 auth_root_allowed: clasify 'gssapi-keyex' method as passwordless
Jan Parcel <jan.parcel@oracle.com>
parents: 7320
diff changeset
    51
 			return 1;
022a611ded2d 25135484 auth_root_allowed: clasify 'gssapi-keyex' method as passwordless
Jan Parcel <jan.parcel@oracle.com>
parents: 7320
diff changeset
    52
 		break;
022a611ded2d 25135484 auth_root_allowed: clasify 'gssapi-keyex' method as passwordless
Jan Parcel <jan.parcel@oracle.com>
parents: 7320
diff changeset
    53
@@ -786,99 +787,6 @@ fakepw(void)
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    54
 }
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    55
 
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    56
 /*
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    57
- * Returns the remote DNS hostname as a string. The returned string must not
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    58
- * be freed. NB. this will usually trigger a DNS query the first time it is
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    59
- * called.
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    60
- * This function does additional checks on the hostname to mitigate some
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    61
- * attacks on legacy rhosts-style authentication.
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    62
- * XXX is RhostsRSAAuthentication vulnerable to these?
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    63
- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    64
- */
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    65
-
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    66
-static char *
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    67
-remote_hostname(struct ssh *ssh)
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    68
-{
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    69
-	struct sockaddr_storage from;
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    70
-	socklen_t fromlen;
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    71
-	struct addrinfo hints, *ai, *aitop;
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    72
-	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    73
-	const char *ntop = ssh_remote_ipaddr(ssh);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    74
-
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    75
-	/* Get IP address of client. */
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    76
-	fromlen = sizeof(from);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    77
-	memset(&from, 0, sizeof(from));
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    78
-	if (getpeername(ssh_packet_get_connection_in(ssh),
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    79
-	    (struct sockaddr *)&from, &fromlen) < 0) {
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    80
-		debug("getpeername failed: %.100s", strerror(errno));
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    81
-		return strdup(ntop);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    82
-	}
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    83
-
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    84
-	ipv64_normalise_mapped(&from, &fromlen);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    85
-	if (from.ss_family == AF_INET6)
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    86
-		fromlen = sizeof(struct sockaddr_in6);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    87
-
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    88
-	debug3("Trying to reverse map address %.100s.", ntop);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    89
-	/* Map the IP address to a host name. */
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    90
-	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    91
-	    NULL, 0, NI_NAMEREQD) != 0) {
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    92
-		/* Host name not found.  Use ip address. */
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    93
-		return strdup(ntop);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    94
-	}
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    95
-
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    96
-	/*
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    97
-	 * if reverse lookup result looks like a numeric hostname,
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    98
-	 * someone is trying to trick us by PTR record like following:
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
    99
-	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   100
-	 */
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   101
-	memset(&hints, 0, sizeof(hints));
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   102
-	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   103
-	hints.ai_flags = AI_NUMERICHOST;
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   104
-	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   105
-		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   106
-		    name, ntop);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   107
-		freeaddrinfo(ai);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   108
-		return strdup(ntop);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   109
-	}
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   110
-
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   111
-	/* Names are stored in lowercase. */
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   112
-	lowercase(name);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   113
-
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   114
-	/*
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   115
-	 * Map it back to an IP address and check that the given
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   116
-	 * address actually is an address of this host.  This is
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   117
-	 * necessary because anyone with access to a name server can
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   118
-	 * define arbitrary names for an IP address. Mapping from
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   119
-	 * name to IP address can be trusted better (but can still be
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   120
-	 * fooled if the intruder has access to the name server of
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   121
-	 * the domain).
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   122
-	 */
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   123
-	memset(&hints, 0, sizeof(hints));
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   124
-	hints.ai_family = from.ss_family;
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   125
-	hints.ai_socktype = SOCK_STREAM;
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   126
-	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   127
-		logit("reverse mapping checking getaddrinfo for %.700s "
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   128
-		    "[%s] failed.", name, ntop);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   129
-		return strdup(ntop);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   130
-	}
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   131
-	/* Look for the address from the list of addresses. */
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   132
-	for (ai = aitop; ai; ai = ai->ai_next) {
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   133
-		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   134
-		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   135
-		    (strcmp(ntop, ntop2) == 0))
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   136
-				break;
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   137
-	}
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   138
-	freeaddrinfo(aitop);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   139
-	/* If we reached the end of the list, the address was not there. */
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   140
-	if (ai == NULL) {
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   141
-		/* Address not found for the host name. */
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   142
-		logit("Address %.100s maps to %.600s, but this does not "
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   143
-		    "map back to the address.", ntop, name);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   144
-		return strdup(ntop);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   145
-	}
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   146
-	return strdup(name);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   147
-}
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   148
-
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   149
-/*
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   150
  * Return the canonical name of the host in the other side of the current
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   151
  * connection.  The host name is cached, so it is efficient to call this
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   152
  * several times.
7621
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   153
diff -pur old/auth2-gss.c new/auth2-gss.c
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   154
--- old/auth2-gss.c
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   155
+++ new/auth2-gss.c
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   156
@@ -1,7 +1,7 @@
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   157
 /* $OpenBSD: auth2-gss.c,v 1.22 2015/01/19 20:07:45 markus Exp $ */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   158
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   159
 /*
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   160
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   161
+ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   162
  *
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   163
  * Redistribution and use in source and binary forms, with or without
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   164
  * modification, are permitted provided that the following conditions
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   165
@@ -53,6 +53,39 @@ static int input_gssapi_mic(int type, u_
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   166
 static int input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   167
 static int input_gssapi_errtok(int, u_int32_t, void *);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   168
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   169
+/* 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   170
+ * The 'gssapi_keyex' userauth mechanism.
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   171
+ */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   172
+static int
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   173
+userauth_gsskeyex(Authctxt *authctxt)
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   174
+{
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   175
+	int authenticated = 0;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   176
+	Buffer b;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   177
+	gss_buffer_desc mic, gssbuf;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   178
+	u_int len;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   179
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   180
+	mic.value = packet_get_string(&len);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   181
+	mic.length = len;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   182
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   183
+	packet_check_eom();
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   184
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   185
+	ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   186
+	    "gssapi-keyex");
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   187
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   188
+	gssbuf.value = buffer_ptr(&b);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   189
+	gssbuf.length = buffer_len(&b);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   190
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   191
+	/* gss_kex_context is NULL with privsep, so we can't check it here */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   192
+	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   193
+	    &gssbuf, &mic))))
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   194
+		authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   195
+	
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   196
+	buffer_free(&b);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   197
+	free(mic.value);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   198
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   199
+	return (authenticated);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   200
+}
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   201
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   202
 /*
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   203
  * We only support those mechanisms that we know about (ie ones that we know
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   204
  * how to check local user kuserok and the like)
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   205
@@ -290,6 +323,12 @@ input_gssapi_mic(int type, u_int32_t ple
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   206
 	return 0;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   207
 }
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   208
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   209
+Authmethod method_gsskeyex = {
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   210
+	"gssapi-keyex",
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   211
+	userauth_gsskeyex,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   212
+	&options.gss_authentication
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   213
+};
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   214
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   215
 Authmethod method_gssapi = {
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   216
 	"gssapi-with-mic",
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   217
 	userauth_gssapi,
7621
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   218
diff -pur old/auth2.c new/auth2.c
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   219
--- old/auth2.c
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   220
+++ new/auth2.c
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   221
@@ -70,6 +70,7 @@ extern Authmethod method_passwd;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   222
 extern Authmethod method_kbdint;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   223
 extern Authmethod method_hostbased;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   224
 #ifdef GSSAPI
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   225
+extern Authmethod method_gsskeyex;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   226
 extern Authmethod method_gssapi;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   227
 #endif
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   228
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   229
@@ -77,6 +78,7 @@ Authmethod *authmethods[] = {
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   230
 	&method_none,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   231
 	&method_pubkey,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   232
 #ifdef GSSAPI
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   233
+	&method_gsskeyex,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   234
 	&method_gssapi,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   235
 #endif
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   236
 	&method_passwd,
7621
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   237
diff -pur old/canohost.c new/canohost.c
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   238
--- old/canohost.c
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   239
+++ new/canohost.c
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   240
@@ -202,3 +202,97 @@ get_local_port(int sock)
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   241
 {
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   242
 	return get_sock_port(sock, 1);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   243
 }
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   244
+
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   245
+/*
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   246
+ * Returns the remote DNS hostname as a string. The returned string must not
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   247
+ * be freed. NB. this will usually trigger a DNS query the first time it is
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   248
+ * called.
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   249
+ * This function does additional checks on the hostname to mitigate some
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   250
+ * attacks on legacy rhosts-style authentication.
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   251
+ * XXX is RhostsRSAAuthentication vulnerable to these?
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   252
+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   253
+ */
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   254
+
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   255
+/* Oracle Solaris - moved out of auth.c for use in GSSKEX in sshconnect2.c */
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   256
+char *
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   257
+remote_hostname(struct ssh *ssh)
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   258
+{
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   259
+	struct sockaddr_storage from;
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   260
+	socklen_t fromlen;
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   261
+	struct addrinfo hints, *ai, *aitop;
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   262
+	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   263
+	const char *ntop = ssh_remote_ipaddr(ssh);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   264
+
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   265
+	/* Get IP address of client. */
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   266
+	fromlen = sizeof(from);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   267
+	memset(&from, 0, sizeof(from));
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   268
+	if (getpeername(ssh_packet_get_connection_in(ssh),
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   269
+	    (struct sockaddr *)&from, &fromlen) < 0) {
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   270
+		debug("getpeername failed: %.100s", strerror(errno));
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   271
+		return strdup(ntop);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   272
+	}
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   273
+
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   274
+	ipv64_normalise_mapped(&from, &fromlen);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   275
+	if (from.ss_family == AF_INET6)
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   276
+		fromlen = sizeof(struct sockaddr_in6);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   277
+
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   278
+	debug3("Trying to reverse map address %.100s.", ntop);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   279
+	/* Map the IP address to a host name. */
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   280
+	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   281
+	    NULL, 0, NI_NAMEREQD) != 0) {
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   282
+		/* Host name not found.  Use ip address. */
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   283
+		return strdup(ntop);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   284
+	}
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   285
+
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   286
+	/*
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   287
+	 * if reverse lookup result looks like a numeric hostname,
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   288
+	 * someone is trying to trick us by PTR record like following:
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   289
+	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   290
+	 */
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   291
+	memset(&hints, 0, sizeof(hints));
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   292
+	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   293
+	hints.ai_flags = AI_NUMERICHOST;
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   294
+	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   295
+		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   296
+		    name, ntop);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   297
+		freeaddrinfo(ai);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   298
+		return strdup(ntop);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   299
+	}
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   300
+
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   301
+	/* Names are stored in lowercase. */
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   302
+	lowercase(name);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   303
+
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   304
+	/*
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   305
+	 * Map it back to an IP address and check that the given
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   306
+	 * address actually is an address of this host.  This is
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   307
+	 * necessary because anyone with access to a name server can
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   308
+	 * define arbitrary names for an IP address. Mapping from
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   309
+	 * name to IP address can be trusted better (but can still be
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   310
+	 * fooled if the intruder has access to the name server of
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   311
+	 * the domain).
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   312
+	 */
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   313
+	memset(&hints, 0, sizeof(hints));
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   314
+	hints.ai_family = from.ss_family;
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   315
+	hints.ai_socktype = SOCK_STREAM;
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   316
+	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   317
+		logit("reverse mapping checking getaddrinfo for %.700s "
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   318
+		    "[%s] failed.", name, ntop);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   319
+		return strdup(ntop);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   320
+	}
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   321
+	/* Look for the address from the list of addresses. */
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   322
+	for (ai = aitop; ai; ai = ai->ai_next) {
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   323
+		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   324
+		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   325
+		    (strcmp(ntop, ntop2) == 0))
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   326
+				break;
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   327
+	}
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   328
+	freeaddrinfo(aitop);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   329
+	/* If we reached the end of the list, the address was not there. */
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   330
+	if (ai == NULL) {
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   331
+		/* Address not found for the host name. */
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   332
+		logit("Address %.100s maps to %.600s, but this does not "
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   333
+		    "map back to the address.", ntop, name);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   334
+		return strdup(ntop);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   335
+	}
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   336
+	return strdup(name);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   337
+}
7621
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   338
diff -pur old/canohost.h new/canohost.h
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   339
--- old/canohost.h
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   340
+++ new/canohost.h
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   341
@@ -21,6 +21,9 @@ char		*get_local_ipaddr(int);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   342
 char		*get_local_name(int);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   343
 int		get_local_port(int);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   344
 
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   345
+#include "packet.h"
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   346
+char		*remote_hostname(struct ssh *);
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   347
+
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   348
 #endif /* _CANOHOST_H */
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   349
 
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   350
 void		 ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *);
7621
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   351
diff -pur old/gss-genr.c new/gss-genr.c
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   352
--- old/gss-genr.c
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   353
+++ new/gss-genr.c
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   354
@@ -1,7 +1,7 @@
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   355
 /* $OpenBSD: gss-genr.c,v 1.23 2015/01/20 23:14:00 deraadt Exp $ */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   356
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   357
 /*
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   358
- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   359
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   360
  *
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   361
  * Redistribution and use in source and binary forms, with or without
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   362
  * modification, are permitted provided that the following conditions
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   363
@@ -41,12 +41,167 @@
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   364
 #include "buffer.h"
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   365
 #include "log.h"
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   366
 #include "ssh2.h"
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   367
+#include "cipher.h"
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   368
+#include "key.h"
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   369
+#include "kex.h"
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   370
+#include <openssl/evp.h>
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   371
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   372
 #include "ssh-gss.h"
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   373
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   374
 extern u_char *session_id2;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   375
 extern u_int session_id2_len;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   376
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   377
+typedef struct {
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   378
+	char *encoded;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   379
+	gss_OID oid;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   380
+} ssh_gss_kex_mapping;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   381
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   382
+/*
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   383
+ * XXX - It would be nice to find a more elegant way of handling the
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   384
+ * XXX   passing of the key exchange context to the userauth routines
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   385
+ */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   386
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   387
+Gssctxt *gss_kex_context = NULL;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   388
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   389
+static ssh_gss_kex_mapping *gss_enc2oid = NULL;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   390
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   391
+int 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   392
+ssh_gssapi_oid_table_ok() {
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   393
+	return (gss_enc2oid != NULL);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   394
+}
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   395
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   396
+/*
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   397
+ * Return a list of the gss-group1-sha1 mechanisms supported by this program
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   398
+ *
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   399
+ * We test mechanisms to ensure that we can use them, to avoid starting
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   400
+ * a key exchange with a bad mechanism
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   401
+ */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   402
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   403
+char *
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   404
+ssh_gssapi_client_mechanisms(const char *host) {
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   405
+	gss_OID_set gss_supported;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   406
+	OM_uint32 min_status;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   407
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   408
+	if (GSS_ERROR(gss_indicate_mechs(&min_status, &gss_supported)))
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   409
+		return NULL;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   410
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   411
+	return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   412
+	    host));
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   413
+}
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   414
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   415
+char *
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   416
+ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   417
+    const char *data) {
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   418
+	Buffer buf;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   419
+	size_t i;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   420
+	int oidpos, enclen;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   421
+	char *mechs, *encoded;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   422
+	u_char digest[EVP_MAX_MD_SIZE];
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   423
+	char deroid[2];
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   424
+	const EVP_MD *evp_md = EVP_md5();
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   425
+	EVP_MD_CTX md;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   426
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   427
+	if (gss_enc2oid != NULL) {
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   428
+		for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   429
+			free(gss_enc2oid[i].encoded);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   430
+		free(gss_enc2oid);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   431
+	}
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   432
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   433
+	gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) *
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   434
+	    (gss_supported->count + 1));
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   435
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   436
+	buffer_init(&buf);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   437
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   438
+	oidpos = 0;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   439
+	for (i = 0; i < gss_supported->count; i++) {
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   440
+		if (gss_supported->elements[i].length < 128 &&
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   441
+		    (*check)(NULL, &(gss_supported->elements[i]), data)) {
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   442
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   443
+			deroid[0] = SSH_GSS_OIDTYPE;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   444
+			deroid[1] = gss_supported->elements[i].length;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   445
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   446
+			EVP_DigestInit(&md, evp_md);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   447
+			EVP_DigestUpdate(&md, deroid, 2);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   448
+			EVP_DigestUpdate(&md,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   449
+			    gss_supported->elements[i].elements,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   450
+			    gss_supported->elements[i].length);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   451
+			EVP_DigestFinal(&md, digest, NULL);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   452
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   453
+			encoded = xmalloc(EVP_MD_size(evp_md) * 2);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   454
+			enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   455
+			    encoded, EVP_MD_size(evp_md) * 2);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   456
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   457
+			if (oidpos != 0)
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   458
+				buffer_put_char(&buf, ',');
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   459
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   460
+			buffer_append(&buf, KEX_GSS_GEX_SHA1_ID,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   461
+			    sizeof(KEX_GSS_GEX_SHA1_ID) - 1);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   462
+			buffer_append(&buf, encoded, enclen);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   463
+			buffer_put_char(&buf, ',');
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   464
+			buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID, 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   465
+			    sizeof(KEX_GSS_GRP1_SHA1_ID) - 1);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   466
+			buffer_append(&buf, encoded, enclen);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   467
+			buffer_put_char(&buf, ',');
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   468
+			buffer_append(&buf, KEX_GSS_GRP14_SHA1_ID,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   469
+			    sizeof(KEX_GSS_GRP14_SHA1_ID) - 1);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   470
+			buffer_append(&buf, encoded, enclen);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   471
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   472
+			gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   473
+			gss_enc2oid[oidpos].encoded = encoded;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   474
+			oidpos++;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   475
+		}
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   476
+	}
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   477
+	gss_enc2oid[oidpos].oid = NULL;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   478
+	gss_enc2oid[oidpos].encoded = NULL;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   479
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   480
+	buffer_put_char(&buf, '\0');
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   481
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   482
+	mechs = xmalloc(buffer_len(&buf));
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   483
+	buffer_get(&buf, mechs, buffer_len(&buf));
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   484
+	buffer_free(&buf);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   485
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   486
+	if (strlen(mechs) == 0) {
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   487
+		free(mechs);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   488
+		mechs = NULL;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   489
+	}
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   490
+	
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   491
+	return (mechs);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   492
+}
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   493
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   494
+gss_OID
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   495
+ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int kex_type) {
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   496
+	int i = 0;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   497
+	
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   498
+	switch (kex_type) {
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   499
+	case KEX_GSS_GRP1_SHA1:
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   500
+		if (strlen(name) < sizeof(KEX_GSS_GRP1_SHA1_ID))
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   501
+			return GSS_C_NO_OID;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   502
+		name += sizeof(KEX_GSS_GRP1_SHA1_ID) - 1;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   503
+		break;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   504
+	case KEX_GSS_GRP14_SHA1:
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   505
+		if (strlen(name) < sizeof(KEX_GSS_GRP14_SHA1_ID))
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   506
+			return GSS_C_NO_OID;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   507
+		name += sizeof(KEX_GSS_GRP14_SHA1_ID) - 1;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   508
+		break;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   509
+	case KEX_GSS_GEX_SHA1:
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   510
+		if (strlen(name) < sizeof(KEX_GSS_GEX_SHA1_ID))
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   511
+			return GSS_C_NO_OID;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   512
+		name += sizeof(KEX_GSS_GEX_SHA1_ID) - 1;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   513
+		break;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   514
+	default:
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   515
+		return GSS_C_NO_OID;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   516
+	}
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   517
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   518
+	while (gss_enc2oid[i].encoded != NULL &&
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   519
+	    strcmp(name, gss_enc2oid[i].encoded) != 0)
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   520
+		i++;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   521
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   522
+	if (gss_enc2oid[i].oid != NULL && ctx != NULL)
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   523
+		ssh_gssapi_set_oid(ctx, gss_enc2oid[i].oid);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   524
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   525
+	return gss_enc2oid[i].oid;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   526
+}
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   527
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   528
 /* Check that the OID in a data stream matches that in the context */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   529
 int
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   530
 ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   531
@@ -231,6 +386,9 @@ ssh_gssapi_import_name(Gssctxt *ctx, con
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   532
 OM_uint32
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   533
 ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   534
 {
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   535
+	if (ctx == NULL) 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   536
+		return -1;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   537
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   538
 	if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   539
 	    GSS_C_QOP_DEFAULT, buffer, hash)))
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   540
 		ssh_gssapi_error(ctx);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   541
@@ -238,6 +396,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   542
 	return (ctx->major);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   543
 }
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   544
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   545
+/* Priviledged when used by server */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   546
+OM_uint32
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   547
+ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   548
+{
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   549
+	if (ctx == NULL)
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   550
+		return -1;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   551
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   552
+	ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   553
+	    gssbuf, gssmic, NULL);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   554
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   555
+	return (ctx->major);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   556
+}
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   557
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   558
 void
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   559
 ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   560
     const char *context)
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   561
@@ -256,6 +427,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   562
 	gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   563
 	OM_uint32 major, minor;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   564
 	gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   565
+	Gssctxt *intctx = NULL;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   566
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   567
+	if (ctx == NULL)
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   568
+		ctx = &intctx;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   569
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   570
 	/* RFC 4462 says we MUST NOT do SPNEGO */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   571
 	if (oid->length == spnego_oid.length && 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   572
@@ -274,7 +449,7 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   573
 			    GSS_C_NO_BUFFER);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   574
 	}
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   575
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   576
-	if (GSS_ERROR(major)) 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   577
+	if (GSS_ERROR(major) || intctx != NULL) 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   578
 		ssh_gssapi_delete_ctx(ctx);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   579
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   580
 	return (!GSS_ERROR(major));
7621
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   581
diff -pur old/gss-serv.c new/gss-serv.c
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   582
--- old/gss-serv.c
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   583
+++ new/gss-serv.c
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   584
@@ -1,7 +1,7 @@
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   585
 /* $OpenBSD: gss-serv.c,v 1.29 2015/05/22 03:50:02 djm Exp $ */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   586
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   587
 /*
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   588
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   589
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   590
  *
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   591
  * Redistribution and use in source and binary forms, with or without
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   592
  * modification, are permitted provided that the following conditions
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   593
@@ -47,6 +47,7 @@
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   594
 #include "servconf.h"
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   595
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   596
 #include "ssh-gss.h"
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   597
+#include "monitor_wrap.h"
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   598
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   599
 extern ServerOptions options;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   600
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   601
@@ -142,6 +143,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   602
 }
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   603
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   604
 /* Unprivileged */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   605
+char *
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   606
+ssh_gssapi_server_mechanisms() {
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   607
+	gss_OID_set	supported;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   608
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   609
+	ssh_gssapi_supported_oids(&supported);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   610
+	return (ssh_gssapi_kex_mechs(supported, &ssh_gssapi_server_check_mech,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   611
+	    NULL));
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   612
+}
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   613
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   614
+/* Unprivileged */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   615
+int
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   616
+ssh_gssapi_server_check_mech(Gssctxt **dum, gss_OID oid, const char *data) {
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   617
+	Gssctxt *ctx = NULL;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   618
+	int res;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   619
+ 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   620
+	res = !GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctx, oid)));
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   621
+	ssh_gssapi_delete_ctx(&ctx);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   622
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   623
+	return (res);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   624
+}
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   625
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   626
+/* Unprivileged */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   627
 void
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   628
 ssh_gssapi_supported_oids(gss_OID_set *oidset)
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   629
 {
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   630
@@ -151,7 +174,9 @@ ssh_gssapi_supported_oids(gss_OID_set *o
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   631
 	gss_OID_set supported;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   632
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   633
 	gss_create_empty_oid_set(&min_status, oidset);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   634
-	gss_indicate_mechs(&min_status, &supported);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   635
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   636
+	if (GSS_ERROR(gss_indicate_mechs(&min_status, &supported)))
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   637
+		return;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   638
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   639
 	while (supported_mechs[i]->name != NULL) {
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   640
 		if (GSS_ERROR(gss_test_oid_set_member(&min_status,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   641
@@ -427,14 +452,4 @@ ssh_gssapi_userok(char *user)
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   642
 	return (0);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   643
 }
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   644
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   645
-/* Privileged */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   646
-OM_uint32
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   647
-ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   648
-{
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   649
-	ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   650
-	    gssbuf, gssmic, NULL);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   651
-
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   652
-	return (ctx->major);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   653
-}
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   654
-
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   655
 #endif
7621
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   656
diff -pur old/kex.c new/kex.c
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   657
--- old/kex.c
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   658
+++ new/kex.c
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   659
@@ -55,6 +55,10 @@
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   660
 #include "sshbuf.h"
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   661
 #include "digest.h"
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   662
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   663
+#ifdef GSSAPI
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   664
+#include "ssh-gss.h"
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   665
+#endif
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   666
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   667
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   668
 # if defined(HAVE_EVP_SHA256)
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   669
 # define evp_ssh_sha256 EVP_sha256
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   670
@@ -111,6 +115,11 @@ static const struct kexalg kexalgs[] = {
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   671
 #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   672
 	{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   673
 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   674
+#ifdef GSSAPI
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   675
+	{ KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   676
+	{ KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   677
+	{ KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   678
+#endif
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   679
 	{ NULL, -1, -1, -1},
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   680
 };
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   681
 
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   682
@@ -142,7 +151,7 @@ kex_alg_by_name(const char *name)
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   683
 	const struct kexalg *k;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   684
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   685
 	for (k = kexalgs; k->name != NULL; k++) {
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   686
-		if (strcmp(k->name, name) == 0)
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   687
+		if (strncmp(k->name, name, strlen(k->name)) == 0)
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   688
 			return k;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   689
 	}
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   690
 	return NULL;
7621
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   691
diff -pur old/kex.h new/kex.h
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   692
--- old/kex.h
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   693
+++ new/kex.h
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   694
@@ -98,6 +98,9 @@ enum kex_exchange {
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   695
 	KEX_DH_GEX_SHA256,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   696
 	KEX_ECDH_SHA2,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   697
 	KEX_C25519_SHA256,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   698
+	KEX_GSS_GRP1_SHA1,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   699
+	KEX_GSS_GRP14_SHA1,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   700
+	KEX_GSS_GEX_SHA1,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   701
 	KEX_MAX
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   702
 };
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   703
 
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   704
@@ -146,6 +149,10 @@ struct kex {
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   705
 	u_int	flags;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   706
 	int	hash_alg;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   707
 	int	ec_nid;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   708
+#ifdef GSSAPI
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   709
+	int	gss_deleg_creds;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   710
+	char    *gss_host;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   711
+#endif
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   712
 	char	*client_version_string;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   713
 	char	*server_version_string;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   714
 	char	*failed_choice;
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   715
@@ -195,6 +202,10 @@ int	 kexecdh_client(struct ssh *);
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   716
 int	 kexecdh_server(struct ssh *);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   717
 int	 kexc25519_client(struct ssh *);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   718
 int	 kexc25519_server(struct ssh *);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   719
+#ifdef GSSAPI
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   720
+int	 kexgss_client(struct ssh *);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   721
+int	 kexgss_server(struct ssh *);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   722
+#endif
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   723
 
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   724
 int	 kex_dh_hash(int, const char *, const char *,
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   725
     const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
7621
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   726
diff -pur old/monitor.c new/monitor.c
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   727
--- old/monitor.c
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   728
+++ new/monitor.c
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   729
@@ -161,6 +161,7 @@ int mm_answer_gss_setup_ctx(int, Buffer 
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   730
 int mm_answer_gss_accept_ctx(int, Buffer *);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   731
 int mm_answer_gss_userok(int, Buffer *);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   732
 int mm_answer_gss_checkmic(int, Buffer *);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   733
+int mm_answer_gss_sign(int, Buffer *);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   734
 #endif
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   735
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   736
 #ifdef SSH_AUDIT_EVENTS
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   737
@@ -245,11 +246,17 @@ struct mon_table mon_dispatch_proto20[] 
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   738
     {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   739
     {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   740
     {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   741
+    {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   742
 #endif
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   743
     {0, 0, NULL}
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   744
 };
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   745
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   746
 struct mon_table mon_dispatch_postauth20[] = {
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   747
+#ifdef GSSAPI
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   748
+    {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   749
+    {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   750
+    {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   751
+#endif
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   752
 #ifdef WITH_OPENSSL
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   753
     {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   754
 #endif
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   755
@@ -364,6 +371,10 @@ monitor_child_preauth(Authctxt *_authctx
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   756
 		/* Permit requests for moduli and signatures */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   757
 		monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   758
 		monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   759
+#ifdef GSSAPI
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   760
+		/* and for the GSSAPI key exchange */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   761
+		monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   762
+#endif
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   763
 	} else {
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   764
 		mon_dispatch = mon_dispatch_proto15;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   765
 
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   766
@@ -503,6 +514,10 @@ monitor_child_postauth(struct monitor *p
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   767
 		monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   768
 		monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   769
 		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   770
+#ifdef GSSAPI
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   771
+		/* and for the GSSAPI key exchange */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   772
+		monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   773
+#endif		
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   774
 	} else {
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   775
 		mon_dispatch = mon_dispatch_postauth15;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   776
 		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   777
@@ -1939,6 +1954,13 @@ monitor_apply_keystate(struct monitor *p
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   778
 # endif
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   779
 #endif /* WITH_OPENSSL */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   780
 		kex->kex[KEX_C25519_SHA256] = kexc25519_server;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   781
+#ifdef GSSAPI
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   782
+		if (options.gss_keyex) {
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   783
+			kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   784
+			kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   785
+			kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   786
+		}
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   787
+#endif
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   788
 		kex->load_host_public_key=&get_hostkey_public_by_type;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   789
 		kex->load_host_private_key=&get_hostkey_private_by_type;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   790
 		kex->host_key_index=&get_hostkey_index;
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   791
@@ -2038,6 +2060,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   792
 	OM_uint32 major;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   793
 	u_int len;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   794
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   795
+	if (!options.gss_authentication && !options.gss_keyex)
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   796
+		fatal("In GSSAPI monitor when GSSAPI is disabled");
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   797
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   798
 	goid.elements = buffer_get_string(m, &len);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   799
 	goid.length = len;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   800
 
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   801
@@ -2065,6 +2090,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   802
 	OM_uint32 flags = 0; /* GSI needs this */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   803
 	u_int len;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   804
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   805
+	if (!options.gss_authentication && !options.gss_keyex)
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   806
+		fatal("In GSSAPI monitor when GSSAPI is disabled");
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   807
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   808
 	in.value = buffer_get_string(m, &len);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   809
 	in.length = len;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   810
 	major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   811
@@ -2082,6 +2110,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   812
 		monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   813
 		monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   814
 		monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   815
+		monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   816
 	}
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   817
 	return (0);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   818
 }
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   819
@@ -2093,6 +2122,9 @@ mm_answer_gss_checkmic(int sock, Buffer 
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   820
 	OM_uint32 ret;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   821
 	u_int len;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   822
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   823
+	if (!options.gss_authentication && !options.gss_keyex)
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   824
+		fatal("In GSSAPI monitor when GSSAPI is disabled");
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   825
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   826
 	gssbuf.value = buffer_get_string(m, &len);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   827
 	gssbuf.length = len;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   828
 	mic.value = buffer_get_string(m, &len);
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   829
@@ -2119,6 +2151,9 @@ mm_answer_gss_userok(int sock, Buffer *m
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   830
 {
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   831
 	int authenticated;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   832
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   833
+	if (!options.gss_authentication && !options.gss_keyex)
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   834
+		fatal("In GSSAPI monitor when GSSAPI is disabled");
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   835
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   836
 	authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   837
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   838
 	buffer_clear(m);
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   839
@@ -2132,5 +2167,47 @@ mm_answer_gss_userok(int sock, Buffer *m
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   840
 	/* Monitor loop will terminate if authenticated */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   841
 	return (authenticated);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   842
 }
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   843
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   844
+int 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   845
+mm_answer_gss_sign(int socket, Buffer *m)
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   846
+{
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   847
+	gss_buffer_desc data;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   848
+	gss_buffer_desc hash = GSS_C_EMPTY_BUFFER;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   849
+	OM_uint32 major, minor;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   850
+	u_int len;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   851
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   852
+	if (!options.gss_authentication && !options.gss_keyex)
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   853
+		fatal("In GSSAPI monitor when GSSAPI is disabled");
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   854
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   855
+	data.value = buffer_get_string(m, &len);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   856
+	data.length = len;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   857
+	if (data.length != 20) 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   858
+		fatal("%s: data length incorrect: %d", __func__, 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   859
+		    (int) data.length);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   860
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   861
+	/* Save the session ID on the first time around */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   862
+	if (session_id2_len == 0) {
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   863
+		session_id2_len = data.length;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   864
+		session_id2 = xmalloc(session_id2_len);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   865
+		memcpy(session_id2, data.value, session_id2_len);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   866
+	}
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   867
+	major = ssh_gssapi_sign(gsscontext, &data, &hash);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   868
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   869
+	free(data.value);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   870
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   871
+	buffer_clear(m);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   872
+	buffer_put_int(m, major);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   873
+	buffer_put_string(m, hash.value, hash.length);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   874
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   875
+	mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   876
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   877
+	gss_release_buffer(&minor, &hash);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   878
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   879
+	/* Turn on getpwnam permissions */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   880
+	monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   881
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   882
+	return (0);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   883
+}
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   884
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   885
 #endif /* GSSAPI */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   886
 
7621
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   887
diff -pur old/monitor.h new/monitor.h
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   888
--- old/monitor.h
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   889
+++ new/monitor.h
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   890
@@ -68,6 +68,9 @@ enum monitor_reqtype {
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   891
 #ifdef PAM_ENHANCEMENT
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   892
         MONITOR_REQ_AUTHMETHOD = 114,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   893
 #endif        
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   894
+#ifdef GSSAPI
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   895
+	MONITOR_REQ_GSSSIGN = 130, MONITOR_ANS_GSSSIGN = 131,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   896
+#endif        
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   897
 };
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   898
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   899
 struct mm_master;
7621
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   900
diff -pur old/monitor_wrap.c new/monitor_wrap.c
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   901
--- old/monitor_wrap.c
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   902
+++ new/monitor_wrap.c
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   903
@@ -1108,5 +1108,28 @@ mm_ssh_gssapi_userok(char *user)
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   904
 	debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   905
 	return (authenticated);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   906
 }
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   907
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   908
+OM_uint32
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   909
+mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash)
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   910
+{
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   911
+	Buffer m;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   912
+	OM_uint32 major;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   913
+	u_int len;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   914
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   915
+	buffer_init(&m);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   916
+	buffer_put_string(&m, data->value, data->length);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   917
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   918
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, &m);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   919
+	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, &m);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   920
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   921
+	major = buffer_get_int(&m);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   922
+	hash->value = buffer_get_string(&m, &len);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   923
+	hash->length = len;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   924
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   925
+	buffer_free(&m);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   926
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   927
+	return(major);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   928
+}
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   929
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   930
 #endif /* GSSAPI */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   931
 
7621
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   932
diff -pur old/monitor_wrap.h new/monitor_wrap.h
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   933
--- old/monitor_wrap.h
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   934
+++ new/monitor_wrap.h
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   935
@@ -62,6 +62,7 @@ OM_uint32 mm_ssh_gssapi_accept_ctx(Gssct
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   936
    gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   937
 int mm_ssh_gssapi_userok(char *user);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   938
 OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   939
+OM_uint32 mm_ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   940
 #endif
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   941
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   942
 #ifdef USE_PAM
7621
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   943
diff -pur old/readconf.c new/readconf.c
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   944
--- old/readconf.c
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
   945
+++ new/readconf.c
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   946
@@ -160,6 +160,7 @@ typedef enum {
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   947
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   948
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   949
 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   950
+	oGssKeyEx,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   951
 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   952
 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   953
 	oHashKnownHosts,
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   954
@@ -211,11 +212,15 @@ static struct {
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   955
 	{ "gssauthentication", oGssAuthentication },                /* alias */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   956
 	{ "gssapidelegatecredentials", oGssDelegateCreds },
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   957
 	{ "gssdelegatecreds", oGssDelegateCreds },                  /* alias */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   958
+	{ "gssapikeyexchange", oGssKeyEx },
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   959
+	{ "gsskeyex", oGssKeyEx },                                  /* alias */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   960
 #else
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   961
 	{ "gssapiauthentication", oUnsupported },
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   962
 	{ "gssauthentication", oUnsupported },
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   963
 	{ "gssapidelegatecredentials", oUnsupported },
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   964
 	{ "gssdelegatecreds", oUnsupported },
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   965
+	{ "gssapikeyexchange", oUnsupported },
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   966
+	{ "gsskeyex", oUnsupported },
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   967
 #endif
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   968
 	{ "fallbacktorsh", oDeprecated },
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   969
 	{ "usersh", oDeprecated },
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   970
@@ -1002,6 +1007,10 @@ parse_time:
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   971
 		intptr = &options->gss_authentication;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   972
 		goto parse_flag;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   973
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   974
+	case oGssKeyEx:
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   975
+		intptr = &options->gss_keyex;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   976
+		goto parse_flag;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   977
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   978
 	case oGssDelegateCreds:
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   979
 		intptr = &options->gss_deleg_creds;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   980
 		goto parse_flag;
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   981
@@ -1824,6 +1833,7 @@ initialize_options(Options * options)
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   982
 	options->pubkey_authentication = -1;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   983
 	options->challenge_response_authentication = -1;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   984
 	options->gss_authentication = -1;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   985
+	options->gss_keyex = -1;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   986
 	options->gss_deleg_creds = -1;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   987
 	options->password_authentication = -1;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   988
 	options->kbd_interactive_authentication = -1;
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
   989
@@ -1979,6 +1989,12 @@ fill_default_options(Options * options)
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   990
 #else
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   991
 		options->gss_authentication = 0;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   992
 #endif
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   993
+	if (options->gss_keyex == -1)
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   994
+#ifdef OPTION_DEFAULT_VALUE
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   995
+		options->gss_keyex = 1;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   996
+#else
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   997
+		options->gss_keyex = 0;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   998
+#endif
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
   999
 	if (options->gss_deleg_creds == -1)
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1000
 		options->gss_deleg_creds = 0;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1001
 	if (options->password_authentication == -1)
7621
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
  1002
diff -pur old/readconf.h new/readconf.h
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
  1003
--- old/readconf.h
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
  1004
+++ new/readconf.h
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1005
@@ -45,6 +45,7 @@ typedef struct {
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1006
 	int     challenge_response_authentication;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1007
 					/* Try S/Key or TIS, authentication. */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1008
 	int     gss_authentication;	/* Try GSS authentication */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1009
+	int     gss_keyex;		/* Try GSS key exchange */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1010
 	int     gss_deleg_creds;	/* Delegate GSS credentials */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1011
 	int     password_authentication;	/* Try password
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1012
 						 * authentication. */
7621
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
  1013
diff -pur old/servconf.c new/servconf.c
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
  1014
--- old/servconf.c
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
  1015
+++ new/servconf.c
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
  1016
@@ -117,6 +117,7 @@ initialize_server_options(ServerOptions 
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1017
 	options->kerberos_ticket_cleanup = -1;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1018
 	options->kerberos_get_afs_token = -1;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1019
 	options->gss_authentication=-1;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1020
+	options->gss_keyex = -1;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1021
 	options->gss_cleanup_creds = -1;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1022
 	options->gss_strict_acceptor = -1;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1023
 	options->password_authentication = -1;
6076
0d5715bee554 PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents: 5324
diff changeset
  1024
@@ -312,6 +313,12 @@ fill_default_server_options(ServerOption
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1025
 #else
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1026
 		options->gss_authentication = 0;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1027
 #endif
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1028
+	if (options->gss_keyex == -1)
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1029
+#ifdef OPTION_DEFAULT_VALUE
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1030
+		options->gss_keyex = 1;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1031
+#else
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1032
+		options->gss_keyex = 0;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1033
+#endif
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1034
 	if (options->gss_cleanup_creds == -1)
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1035
 		options->gss_cleanup_creds = 1;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1036
 	if (options->gss_strict_acceptor == -1)
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
  1037
@@ -457,6 +464,7 @@ typedef enum {
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1038
 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1039
 	sHostKeyAlgorithms,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1040
 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1041
+	sGssKeyEx,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1042
 	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1043
 	sAcceptEnv, sPermitTunnel,
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1044
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
  1045
@@ -534,6 +542,8 @@ static struct {
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1046
 #ifdef GSSAPI
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1047
 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1048
 	{ "gssauthentication", sGssAuthentication, SSHCFG_ALL },   /* alias */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1049
+	{ "gssapikeyexchange", sGssKeyEx, SSHCFG_ALL },
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1050
+	{ "gsskeyex", sGssKeyEx, SSHCFG_ALL },                     /* alias */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1051
 #ifdef USE_GSS_STORE_CRED
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1052
 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1053
 #else /* USE_GSS_STORE_CRED */
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
  1054
@@ -543,6 +553,8 @@ static struct {
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1055
 #else
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1056
 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1057
 	{ "gssauthentication", sUnsupported, SSHCFG_ALL },          /* alias */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1058
+	{ "gssapikeyexchange", sUnsupported,, SSHCFG_ALL },
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1059
+	{ "gsskeyex", sUnsupported,, SSHCFG_ALL },
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1060
 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1061
 	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1062
 #endif
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
  1063
@@ -1328,6 +1340,10 @@ process_server_config_line(ServerOptions
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1064
 		intptr = &options->gss_authentication;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1065
 		goto parse_flag;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1066
 
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1067
+	case sGssKeyEx:
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1068
+		intptr = &options->gss_keyex;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1069
+		goto parse_flag;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1070
+
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1071
 	case sGssCleanupCreds:
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1072
 		intptr = &options->gss_cleanup_creds;
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1073
 		goto parse_flag;
7320
edeb951aa980 24525860 upgrade OpenSSH to 7.3p1
Jan Parcel <jan.parcel@oracle.com>
parents: 6076
diff changeset
  1074
@@ -2416,6 +2432,7 @@ dump_config(ServerOptions *o)
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1075
 #endif
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1076
 #ifdef GSSAPI
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1077
 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1078
+	dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1079
 #ifndef USE_GSS_STORE_CRED
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1080
 	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1081
 #endif /* !USE_GSS_STORE_CRED */
7621
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
  1082
diff -pur old/servconf.h new/servconf.h
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
  1083
--- old/servconf.h
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
  1084
+++ new/servconf.h
5324
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1085
@@ -122,6 +122,7 @@ typedef struct {
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1086
 	int     kerberos_get_afs_token;		/* If true, try to get AFS token if
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1087
 						 * authenticated with Kerberos. */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1088
 	int     gss_authentication;	/* If true, permit GSSAPI authentication */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1089
+	int     gss_keyex;		/* If true, permit GSSAPI key exchange */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1090
 	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1091
 	int     gss_strict_acceptor;	/* If true, restrict the GSSAPI acceptor name */
5683175b6e99 PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
diff changeset
  1092
 	int     password_authentication;	/* If true, permit password
7621
c11a68c3a63d 18127340 migrate the sftp dtrace provider feature from SunSSH to OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents: 7620
diff changeset
  1093
diff -pur old/ssh-gss.h new/ssh-gss.h