--- a/components/openssh/patches/023-gsskex.patch Thu Jan 26 15:19:02 2017 -0800
+++ b/components/openssh/patches/023-gsskex.patch Fri Jan 27 11:50:56 2017 -0800
@@ -19,29 +19,29 @@
#
# Upstream rejected GSS-API key exchange several times before.
#
-diff -rupN old/Makefile.in new/Makefile.in
---- old/Makefile.in 2016-09-21 19:40:34.495262333 -0700
-+++ new/Makefile.in 2016-09-21 20:20:17.560532505 -0700
+diff -pur old/Makefile.in new/Makefile.in
+--- old/Makefile.in
++++ new/Makefile.in
@@ -85,6 +85,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o utf8.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
+ kexgssc.o \
+ sftp_provider.o \
ssh-pkcs11.o smult_curve25519_ref.o \
poly1305.o chacha.o cipher-chachapoly.o \
- ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \
-@@ -105,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
+@@ -106,7 +107,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o \
monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
- sftp-server.o sftp-common.o \
+ sftp-server.o sftp-common.o sftp_provider.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
-diff -rupN old/auth.c new/auth.c
---- old/auth.c 2017-01-11 18:18:17.172126803 -0800
-+++ new/auth.c 2017-01-11 18:21:06.506811958 -0800
+diff -pur old/auth.c new/auth.c
+--- old/auth.c
++++ new/auth.c
@@ -363,6 +363,7 @@ auth_root_allowed(const char *method)
case PERMIT_NO_PASSWD:
if (strcmp(method, "publickey") == 0 ||
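Review bot: The regenerated Makefile.in hunk removes its last context line (`ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \`) while the inner hunk header `@@ -85,6 +85,7 @@` is shown unchanged, so as displayed the hunk now has five old and seven new lines against a header that promises six and seven; unless a header change was lost in this view, patch(1) will reject that hunk as malformed, so the regenerated 023-gsskex.patch should be applied to a clean tree before this is committed. Adding `sftp_provider.o` to both LIBSSH_OBJS and SSHDOBJS is also unrelated to GSS-API key exchange, which is all the patch's own comment block ("Upstream rejected GSS-API key exchange several times before.") describes; carrying it in a separate patch, or at least a one-line `# Also links sftp_provider.o into libssh and sshd (Solaris-specific).` in that comment block, keeps this rejected-upstream patch rebaseable. Listing the object in SSHDOBJS as well as in libssh.a is redundant on the sshd link line but harmless. Dropping the timestamps from the `---`/`+++` lines here and in every later hunk is fine and makes the patch stable across regenerations.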
@@ -150,9 +150,9 @@
* Return the canonical name of the host in the other side of the current
* connection. The host name is cached, so it is efficient to call this
* several times.
-diff -rupN old/auth2-gss.c new/auth2-gss.c
---- old/auth2-gss.c 2016-09-21 19:40:20.290128383 -0700
-+++ new/auth2-gss.c 2016-09-21 19:25:47.855250807 -0700
+diff -pur old/auth2-gss.c new/auth2-gss.c
+--- old/auth2-gss.c
++++ new/auth2-gss.c
@@ -1,7 +1,7 @@
/* $OpenBSD: auth2-gss.c,v 1.22 2015/01/19 20:07:45 markus Exp $ */
@@ -215,9 +215,9 @@
Authmethod method_gssapi = {
"gssapi-with-mic",
userauth_gssapi,
-diff -rupN old/auth2.c new/auth2.c
---- old/auth2.c 2016-09-21 19:40:20.293020496 -0700
-+++ new/auth2.c 2016-09-21 19:25:47.497355321 -0700
+diff -pur old/auth2.c new/auth2.c
+--- old/auth2.c
++++ new/auth2.c
@@ -70,6 +70,7 @@ extern Authmethod method_passwd;
extern Authmethod method_kbdint;
extern Authmethod method_hostbased;
@@ -234,9 +234,9 @@
&method_gssapi,
#endif
&method_passwd,
-diff -rupN old/canohost.c new/canohost.c
---- old/canohost.c 2016-09-21 19:40:20.295936952 -0700
-+++ new/canohost.c 2016-09-21 19:25:47.908930173 -0700
+diff -pur old/canohost.c new/canohost.c
+--- old/canohost.c
++++ new/canohost.c
@@ -202,3 +202,97 @@ get_local_port(int sock)
{
return get_sock_port(sock, 1);
@@ -335,9 +335,9 @@
+ }
+ return strdup(name);
+}
-diff -rupN old/canohost.h new/canohost.h
---- old/canohost.h 2016-09-21 19:40:20.298804941 -0700
-+++ new/canohost.h 2016-09-21 19:25:47.335129267 -0700
+diff -pur old/canohost.h new/canohost.h
+--- old/canohost.h
++++ new/canohost.h
@@ -21,6 +21,9 @@ char *get_local_ipaddr(int);
char *get_local_name(int);
int get_local_port(int);
@@ -348,9 +348,9 @@
#endif /* _CANOHOST_H */
void ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *);
-diff -rupN old/gss-genr.c new/gss-genr.c
---- old/gss-genr.c 2016-09-21 19:40:20.301650203 -0700
-+++ new/gss-genr.c 2016-09-21 19:25:47.301737088 -0700
+diff -pur old/gss-genr.c new/gss-genr.c
+--- old/gss-genr.c
++++ new/gss-genr.c
@@ -1,7 +1,7 @@
/* $OpenBSD: gss-genr.c,v 1.23 2015/01/20 23:14:00 deraadt Exp $ */
@@ -578,9 +578,9 @@
ssh_gssapi_delete_ctx(ctx);
return (!GSS_ERROR(major));
-diff -rupN old/gss-serv.c new/gss-serv.c
---- old/gss-serv.c 2016-09-21 19:40:20.304525100 -0700
-+++ new/gss-serv.c 2016-09-21 19:25:47.229908522 -0700
+diff -pur old/gss-serv.c new/gss-serv.c
+--- old/gss-serv.c
++++ new/gss-serv.c
@@ -1,7 +1,7 @@
/* $OpenBSD: gss-serv.c,v 1.29 2015/05/22 03:50:02 djm Exp $ */
@@ -653,9 +653,9 @@
-}
-
#endif
-diff -rupN old/kex.c new/kex.c
---- old/kex.c 2016-09-21 19:40:20.307412118 -0700
-+++ new/kex.c 2016-09-21 19:25:47.559276736 -0700
+diff -pur old/kex.c new/kex.c
+--- old/kex.c
++++ new/kex.c
@@ -55,6 +55,10 @@
#include "sshbuf.h"
#include "digest.h"
@@ -688,9 +688,9 @@
return k;
}
return NULL;
-diff -rupN old/kex.h new/kex.h
---- old/kex.h 2016-09-21 19:40:20.310245128 -0700
-+++ new/kex.h 2016-09-21 19:25:47.142516186 -0700
+diff -pur old/kex.h new/kex.h
+--- old/kex.h
++++ new/kex.h
@@ -98,6 +98,9 @@ enum kex_exchange {
KEX_DH_GEX_SHA256,
KEX_ECDH_SHA2,
@@ -723,9 +723,9 @@
int kex_dh_hash(int, const char *, const char *,
const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
-diff -rupN old/monitor.c new/monitor.c
---- old/monitor.c 2016-09-21 19:40:20.313190151 -0700
-+++ new/monitor.c 2016-09-21 19:25:47.525137447 -0700
+diff -pur old/monitor.c new/monitor.c
+--- old/monitor.c
++++ new/monitor.c
@@ -161,6 +161,7 @@ int mm_answer_gss_setup_ctx(int, Buffer
int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *);
@@ -884,9 +884,9 @@
+
#endif /* GSSAPI */
-diff -rupN old/monitor.h new/monitor.h
---- old/monitor.h 2016-09-21 19:40:20.316049455 -0700
-+++ new/monitor.h 2016-09-21 19:25:47.113344203 -0700
+diff -pur old/monitor.h new/monitor.h
+--- old/monitor.h
++++ new/monitor.h
@@ -68,6 +68,9 @@ enum monitor_reqtype {
#ifdef PAM_ENHANCEMENT
MONITOR_REQ_AUTHMETHOD = 114,
@@ -897,9 +897,9 @@
};
struct mm_master;
-diff -rupN old/monitor_wrap.c new/monitor_wrap.c
---- old/monitor_wrap.c 2016-09-21 19:40:20.318913737 -0700
-+++ new/monitor_wrap.c 2016-09-21 19:25:47.668505812 -0700
+diff -pur old/monitor_wrap.c new/monitor_wrap.c
+--- old/monitor_wrap.c
++++ new/monitor_wrap.c
@@ -1108,5 +1108,28 @@ mm_ssh_gssapi_userok(char *user)
debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
return (authenticated);
@@ -929,9 +929,9 @@
+
#endif /* GSSAPI */
-diff -rupN old/monitor_wrap.h new/monitor_wrap.h
---- old/monitor_wrap.h 2016-09-21 19:40:20.321783476 -0700
-+++ new/monitor_wrap.h 2016-09-21 19:25:47.026452744 -0700
+diff -pur old/monitor_wrap.h new/monitor_wrap.h
+--- old/monitor_wrap.h
++++ new/monitor_wrap.h
@@ -62,6 +62,7 @@ OM_uint32 mm_ssh_gssapi_accept_ctx(Gssct
gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
int mm_ssh_gssapi_userok(char *user);
@@ -940,9 +940,9 @@
#endif
#ifdef USE_PAM
-diff -rupN old/readconf.c new/readconf.c
---- old/readconf.c 2016-09-21 19:40:20.324827120 -0700
-+++ new/readconf.c 2016-09-21 19:25:47.885753634 -0700
+diff -pur old/readconf.c new/readconf.c
+--- old/readconf.c
++++ new/readconf.c
@@ -160,6 +160,7 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
@@ -999,9 +999,9 @@
if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0;
if (options->password_authentication == -1)
-diff -rupN old/readconf.h new/readconf.h
---- old/readconf.h 2016-09-21 19:40:20.327689956 -0700
-+++ new/readconf.h 2016-09-21 19:25:47.449284716 -0700
+diff -pur old/readconf.h new/readconf.h
+--- old/readconf.h
++++ new/readconf.h
@@ -45,6 +45,7 @@ typedef struct {
int challenge_response_authentication;
/* Try S/Key or TIS, authentication. */
@@ -1010,9 +1010,9 @@
int gss_deleg_creds; /* Delegate GSS credentials */
int password_authentication; /* Try password
* authentication. */
-diff -rupN old/servconf.c new/servconf.c
---- old/servconf.c 2016-09-21 19:40:20.330699306 -0700
-+++ new/servconf.c 2016-09-21 19:25:47.054209571 -0700
+diff -pur old/servconf.c new/servconf.c
+--- old/servconf.c
++++ new/servconf.c
@@ -117,6 +117,7 @@ initialize_server_options(ServerOptions
options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1;
@@ -1079,9 +1079,9 @@
#ifndef USE_GSS_STORE_CRED
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
#endif /* !USE_GSS_STORE_CRED */
-diff -rupN old/servconf.h new/servconf.h
---- old/servconf.h 2016-09-21 19:40:20.333544958 -0700
-+++ new/servconf.h 2016-09-21 19:25:47.739063955 -0700
+diff -pur old/servconf.h new/servconf.h
+--- old/servconf.h
++++ new/servconf.h
@@ -122,6 +122,7 @@ typedef struct {
int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */
@@ -1090,9 +1090,9 @@
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
int password_authentication; /* If true, permit password
-diff -rupN old/ssh-gss.h new/ssh-gss.h
---- old/ssh-gss.h 2016-09-21 19:40:20.336386442 -0700
-+++ new/ssh-gss.h 2016-09-21 19:25:47.600702960 -0700
+diff -pur old/ssh-gss.h new/ssh-gss.h
+--- old/ssh-gss.h
++++ new/ssh-gss.h
@@ -61,6 +61,17 @@
#define SSH_GSS_OIDTYPE 0x06
@@ -1140,9 +1140,9 @@
#endif /* GSSAPI */
#endif /* _SSH_GSS_H */
-diff -rupN old/ssh_config.5 new/ssh_config.5
---- old/ssh_config.5 2016-09-21 19:40:20.339307715 -0700
-+++ new/ssh_config.5 2016-09-21 19:25:47.188814608 -0700
+diff -pur old/ssh_config.5 new/ssh_config.5
+--- old/ssh_config.5
++++ new/ssh_config.5
@@ -834,6 +834,12 @@ The default is
Specifies whether user authentication based on GSSAPI is allowed.
The default on Solaris is
@@ -1156,9 +1156,9 @@
.It Cm GSSAPIDelegateCredentials
Forward (delegate) credentials to the server.
The default is
-diff -rupN old/sshconnect2.c new/sshconnect2.c
---- old/sshconnect2.c 2016-09-21 19:40:20.342249196 -0700
-+++ new/sshconnect2.c 2016-09-21 19:25:47.810679787 -0700
+diff -pur old/sshconnect2.c new/sshconnect2.c
+--- old/sshconnect2.c
++++ new/sshconnect2.c
@@ -165,11 +165,35 @@ ssh_kex2(char *host, struct sockaddr *ho
char *s;
struct kex *kex;
@@ -1329,9 +1329,9 @@
#endif /* GSSAPI */
int
-diff -rupN old/sshd.c new/sshd.c
---- old/sshd.c 2016-09-21 19:40:20.345291027 -0700
-+++ new/sshd.c 2016-09-21 19:25:47.376369649 -0700
+diff -pur old/sshd.c new/sshd.c
+--- old/sshd.c
++++ new/sshd.c
@@ -1892,10 +1892,13 @@ main(int ac, char **av)
logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1;
@@ -1409,9 +1409,9 @@
kex->server = 1;
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;
-diff -rupN old/sshd_config.5 new/sshd_config.5
---- old/sshd_config.5 2016-09-21 19:40:20.348225013 -0700
-+++ new/sshd_config.5 2016-09-21 19:25:47.433470021 -0700
+diff -pur old/sshd_config.5 new/sshd_config.5
+--- old/sshd_config.5
++++ new/sshd_config.5
@@ -632,6 +632,11 @@ The default is
Specifies whether user authentication based on GSSAPI is allowed.
The default on Solaris is
@@ -1424,9 +1424,9 @@
.It Cm GSSAPICleanupCredentials
Specifies whether to automatically destroy the user's credentials cache
on logout.
-diff -rupN old/sshkey.c new/sshkey.c
---- old/sshkey.c 2016-09-21 19:40:20.351243462 -0700
-+++ new/sshkey.c 2016-09-21 19:25:47.271519675 -0700
+diff -pur old/sshkey.c new/sshkey.c
+--- old/sshkey.c
++++ new/sshkey.c
@@ -115,6 +115,7 @@ static const struct keytype keytypes[] =
# endif /* OPENSSL_HAS_NISTP521 */
# endif /* OPENSSL_HAS_ECC */
@@ -1435,9 +1435,9 @@
{ NULL, NULL, -1, -1, 0, 0 }
};
-diff -rupN old/sshkey.h new/sshkey.h
---- old/sshkey.h 2016-09-21 19:40:20.354147713 -0700
-+++ new/sshkey.h 2016-09-21 19:25:47.934179627 -0700
+diff -pur old/sshkey.h new/sshkey.h
+--- old/sshkey.h
++++ new/sshkey.h
@@ -62,6 +62,7 @@ enum sshkey_types {
KEY_DSA_CERT,
KEY_ECDSA_CERT,