components/openssh/patches/041-pam_ctx_preserve.patch
branchs11u3-sru
changeset 7946 165bf092aa9c
parent 7320 edeb951aa980
--- a/components/openssh/patches/041-pam_ctx_preserve.patch	Tue Apr 25 00:30:07 2017 -0700
+++ b/components/openssh/patches/041-pam_ctx_preserve.patch	Tue Apr 25 15:08:28 2017 -0700
@@ -25,7 +25,7 @@
 diff -pur old/auth-pam.c new/auth-pam.c
 --- old/auth-pam.c
 +++ new/auth-pam.c
-@@ -98,6 +98,7 @@
+@@ -103,6 +103,7 @@ extern char *__progname;
  #include "ssh-gss.h"
  #endif
  #include "monitor_wrap.h"
@@ -33,7 +33,7 @@
  
  extern ServerOptions options;
  extern Buffer loginmsg;
-@@ -110,38 +111,26 @@ extern u_int utmp_len;
+@@ -115,38 +116,26 @@ extern u_int utmp_len;
  #endif
  
  /*
@@ -82,7 +82,7 @@
  static mysig_t sshpam_oldsig;
  
  static void
-@@ -150,85 +139,25 @@ sshpam_sigchld_handler(int sig)
+@@ -155,85 +144,25 @@ sshpam_sigchld_handler(int sig)
  	signal(SIGCHLD, SIG_DFL);
  	if (cleanup_ctxt == NULL)
  		return;	/* handler called after PAM cleanup, shouldn't happen */
@@ -180,7 +180,7 @@
  
  static pam_handle_t *sshpam_handle = NULL;
  static int sshpam_err = 0;
-@@ -298,55 +227,11 @@ sshpam_password_change_required(int reqd
+@@ -303,55 +232,11 @@ sshpam_password_change_required(int reqd
  	}
  }
  
@@ -238,7 +238,7 @@
      struct pam_response **resp, void *data)
  {
  	Buffer buffer;
-@@ -411,48 +296,85 @@ sshpam_thread_conv(int n, sshpam_const s
+@@ -416,48 +301,85 @@ sshpam_thread_conv(int n, sshpam_const s
  }
  
  /*
@@ -354,7 +354,7 @@
  	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
  	    (const void *)&sshpam_conv);
  	if (sshpam_err != PAM_SUCCESS)
-@@ -477,63 +399,35 @@ sshpam_thread(void *ctxtp)
+@@ -482,63 +404,35 @@ sshpam_thread(void *ctxtp)
  		}
  	}
  
@@ -438,15 +438,7 @@
  	}
  }
  
-@@ -681,7 +575,6 @@ derive_pam_service_name(Authctxt *authct
- static int
- sshpam_init(Authctxt *authctxt)
- {
--	extern char *__progname;
- 	const char *pam_rhost, *pam_user, *user = authctxt->user;
- 	const char **ptr_pam_user = &pam_user;
- 	struct ssh *ssh = active_state; /* XXX */
-@@ -788,6 +681,7 @@ sshpam_init_ctx(Authctxt *authctxt)
+@@ -792,6 +686,7 @@ sshpam_init_ctx(Authctxt *authctxt)
  {
  	struct pam_ctxt *ctxt;
  	int socks[2];
@@ -454,7 +446,7 @@
  
  	debug3("PAM: %s entering", __func__);
  	/*
-@@ -805,7 +699,7 @@ sshpam_init_ctx(Authctxt *authctxt)
+@@ -809,7 +704,7 @@ sshpam_init_ctx(Authctxt *authctxt)
  
  	ctxt = xcalloc(1, sizeof *ctxt);
  
@@ -463,7 +455,7 @@
  	if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
  		error("PAM: failed create sockets: %s", strerror(errno));
  		free(ctxt);
-@@ -813,15 +707,29 @@ sshpam_init_ctx(Authctxt *authctxt)
+@@ -817,15 +712,29 @@ sshpam_init_ctx(Authctxt *authctxt)
  	}
  	ctxt->pam_psock = socks[0];
  	ctxt->pam_csock = socks[1];
@@ -497,7 +489,7 @@
  	return (ctxt);
  }
  
-@@ -836,8 +744,10 @@ sshpam_query(void *ctx, char **name, cha
+@@ -840,8 +749,10 @@ sshpam_query(void *ctx, char **name, cha
  	u_char type;
  	char *msg;
  	size_t len, mlen;
@@ -508,7 +500,7 @@
  	buffer_init(&buffer);
  	*name = xstrdup("");
  	*info = xstrdup("");
-@@ -845,6 +755,17 @@ sshpam_query(void *ctx, char **name, cha
+@@ -849,6 +760,17 @@ sshpam_query(void *ctx, char **name, cha
  	**prompts = NULL;
  	plen = 0;
  	*echo_on = xmalloc(sizeof(u_int));
@@ -526,7 +518,7 @@
  	while (ssh_msg_recv(ctxt->pam_psock, &buffer) == 0) {
  		type = buffer_get_char(&buffer);
  		msg = buffer_get_string(&buffer, NULL);
-@@ -880,15 +801,6 @@ sshpam_query(void *ctx, char **name, cha
+@@ -884,15 +806,6 @@ sshpam_query(void *ctx, char **name, cha
  			/* FALLTHROUGH */
  		case PAM_AUTH_ERR:
  			debug3("PAM: %s", pam_strerror(sshpam_handle, type));
@@ -542,7 +534,7 @@
  			/* FALLTHROUGH */
  		case PAM_SUCCESS:
  			if (**prompts != NULL) {
-@@ -899,25 +811,20 @@ sshpam_query(void *ctx, char **name, cha
+@@ -903,25 +816,20 @@ sshpam_query(void *ctx, char **name, cha
  				free(**prompts);
  				**prompts = NULL;
  			}
@@ -581,7 +573,7 @@
  		default:
  			*num = 0;
  			**echo_on = 0;
-@@ -997,7 +904,7 @@ sshpam_free_ctx(void *ctxtp)
+@@ -1001,7 +909,7 @@ sshpam_free_ctx(void *ctxtp)
  	struct pam_ctxt *ctxt = ctxtp;
  
  	debug3("PAM: %s entering", __func__);
@@ -593,7 +585,7 @@
 diff -pur old/auth-pam.h new/auth-pam.h
 --- old/auth-pam.h
 +++ new/auth-pam.h
-@@ -45,7 +45,8 @@ int do_pam_putenv(char *, char *);
+@@ -38,7 +38,8 @@ int do_pam_putenv(char *, char *);
  char ** fetch_pam_environment(void);
  char ** fetch_pam_child_environment(void);
  void free_pam_environment(char **);
@@ -606,14 +598,15 @@
 diff -pur old/monitor.c new/monitor.c
 --- old/monitor.c
 +++ new/monitor.c
-@@ -1184,12 +1184,39 @@ mm_answer_pam_init_ctx(int sock, Buffer
- 	sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
- 	sshpam_authok = NULL;
- 	buffer_clear(m);
+@@ -1090,6 +1090,7 @@ extern KbdintDevice sshpam_device;
+ int
+ mm_answer_pam_init_ctx(int sock, Buffer *m)
+ {
 +	int pam_done = 0;
- 	if (sshpam_ctxt != NULL) {
- 		monitor_permit(mon_dispatch, MONITOR_REQ_PAM_FREE_CTX, 1);
- 		buffer_put_int(m, 1);
+ 	debug3("%s", __func__);
+ 	if (!options.kbd_interactive_authentication)
+ 		fatal("%s: kbd-int authentication not enabled", __func__);
+@@ -1105,6 +1106,33 @@ mm_answer_pam_init_ctx(int sock, Buffer
  	} else {
  		buffer_put_int(m, 0);
  	}
@@ -621,6 +614,7 @@
 +	/* pam conversation successfully finished in child process */
 +	if (sshpam_ctxt != NULL && 
 +	    (pam_done = get_pam_done(sshpam_ctxt)) != 0) {
++		monitor_permit(mon_dispatch, MONITOR_REQ_PAM_RESPOND, 1);
 +		auth_method = "keyboard-interactive";
 +		auth_submethod = "pam";
 +		/* 
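Review bot: The added `monitor_permit(mon_dispatch, MONITOR_REQ_PAM_RESPOND, 1);` widens what the unprivileged child may request from the monitor straight out of mm_answer_pam_init_ctx, whereas the monitor otherwise unlocks PAM requests one step at a time (the preceding hunk shows init_ctx permitting only `MONITOR_REQ_PAM_FREE_CTX`), and nothing in the hunk records why a RESPOND without a preceding QUERY is acceptable when `get_pam_done()` reports the conversation already finished in the child. Because this permit is the privsep boundary check, the invariant it relies on belongs in a comment beside the call, e.g. `/* conversation already completed in the child: allow the pending RESPOND without a QUERY round-trip; mm_answer_pam_respond must not trust client-supplied responses on this path */`, adjusted to what mm_answer_pam_respond actually does there, which is outside this hunk. The enclosing function mm_answer_pam_init_ctx starts and ends outside the hunk.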
@@ -646,7 +640,7 @@
  	mm_request_send(sock, MONITOR_ANS_PAM_INIT_CTX, m);
  	return (0);
  }
-@@ -1947,7 +1974,8 @@ monitor_apply_keystate(struct monitor *p
+@@ -1671,7 +1699,8 @@ monitor_apply_keystate(struct monitor *p
  	int r;
  
  	debug3("%s: packet_set_state", __func__);
@@ -659,7 +653,7 @@
 diff -pur old/packet.c new/packet.c
 --- old/packet.c
 +++ new/packet.c
-@@ -2449,7 +2449,7 @@ ssh_packet_get_output(struct ssh *ssh)
+@@ -2439,7 +2439,7 @@ ssh_packet_get_output(struct ssh *ssh)
  }
  
  /* Reset after_authentication and reset compression in post-auth privsep */
@@ -667,21 +661,21 @@
 +int
  ssh_packet_set_postauth(struct ssh *ssh)
  {
- 	struct sshcomp *comp;
-@@ -2775,8 +2775,7 @@ ssh_packet_set_state(struct ssh *ssh, st
- 	cipher_set_keycontext(&state->send_context, keyout);
- 	cipher_set_keycontext(&state->receive_context, keyin);
+ 	int r;
+@@ -2754,9 +2754,6 @@ ssh_packet_set_state(struct ssh *ssh, st
+ 	cipher_set_keycontext(state->send_context, keyout);
+ 	cipher_set_keycontext(state->receive_context, keyin);
  
--	if ((r = ssh_packet_set_compress_state(ssh, m)) != 0 ||
--	    (r = ssh_packet_set_postauth(ssh)) != 0)
-+	if ((r = ssh_packet_set_compress_state(ssh, m)) != 0)
- 		return r;
- 
+-	if ((r = ssh_packet_set_postauth(ssh)) != 0)
+-		return r;
+-
  	sshbuf_reset(state->input);
+ 	sshbuf_reset(state->output);
+ 	if ((r = sshbuf_get_string_direct(m, &input, &ilen)) != 0 ||
 diff -pur old/packet.h new/packet.h
 --- old/packet.h
 +++ new/packet.h
-@@ -144,6 +144,7 @@ u_int	 ssh_packet_get_maxsize(struct ssh
+@@ -148,6 +148,7 @@ u_int	 ssh_packet_get_maxsize(struct ssh
  
  int	 ssh_packet_get_state(struct ssh *, struct sshbuf *);
  int	 ssh_packet_set_state(struct ssh *, struct sshbuf *);
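Review bot: Removing the `ssh_packet_set_postauth(ssh)` call from ssh_packet_set_state makes restoring the post-auth state (the comment at the top of the hunk describes it as resetting after_authentication and compression in post-auth privsep) every caller's responsibility, and the hunk leaves no trace of that contract in packet.c. The earlier monitor_apply_keystate hunk in this patch grows by one line, which suggests that is where the call moved, but its body is not visible here. A one-line comment at the removal site would stop the next reader from re-adding the call, e.g. `/* post-auth state (after_authentication, compression) is restored by the caller via ssh_packet_set_postauth() */`. ssh_packet_set_state begins and ends outside the hunk.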
@@ -692,7 +686,7 @@
 diff -pur old/servconf.c new/servconf.c
 --- old/servconf.c
 +++ new/servconf.c
-@@ -435,6 +435,18 @@ fill_default_server_options(ServerOption
+@@ -415,6 +415,18 @@ fill_default_server_options(ServerOption
  		options->compression = 0;
  	}
  #endif
@@ -714,7 +708,7 @@
 diff -pur old/session.c new/session.c
 --- old/session.c
 +++ new/session.c
-@@ -2890,7 +2890,7 @@ do_cleanup(Authctxt *authctxt)
+@@ -2645,7 +2645,7 @@ do_cleanup(Authctxt *authctxt)
  #ifdef USE_PAM
  	if (options.use_pam) {
  		sshpam_cleanup();