From 57666dc3be7d7568947e2bfcace171766915c85f Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Nov 12 2014 16:35:37 +0000
Subject: fix gsskex patch to correctly handle MONITOR_REQ_GSSSIGN request (#1118005)

---
diff --git a/openssh-6.6p1-gsskex.patch b/openssh-6.6p1-gsskex.patch
index 90e84d2..826acd4 100644
--- a/openssh-6.6p1-gsskex.patch
+++ b/openssh-6.6p1-gsskex.patch
@@ -1741,7 +1741,13 @@ index 229fada..aa70945 100644
  #endif
  #ifdef SSH_AUDIT_EVENTS
-@@ -258,6 +260,12 @@ struct mon_table mon_dispatch_proto20[] = {
+@@ -253,11 +255,18 @@ struct mon_table mon_dispatch_proto20[] = {
+ {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
+ {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
+ {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
++ {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
+ #endif
+ {0, 0, NULL}
  };
  struct mon_table mon_dispatch_postauth20[] = {
@@ -1754,7 +1760,7 @@ index 229fada..aa70945 100644
  {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
  {MONITOR_REQ_SIGN, 0, mm_answer_sign},
  {MONITOR_REQ_PTY, 0, mm_answer_pty},
-@@ -366,6 +374,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
+@@ -366,6 +375,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
  /* Permit requests for moduli and signatures */
  monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
  monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -1765,7 +1771,7 @@ index 229fada..aa70945 100644
  } else {
  mon_dispatch = mon_dispatch_proto15;
-@@ -471,6 +483,10 @@ monitor_child_postauth(struct monitor *pmonitor)
+@@ -471,6 +484,10 @@ monitor_child_postauth(struct monitor *pmonitor)
  monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
  monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
  monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
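Review bot: The new `{MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign}` entry is added to `mon_dispatch_proto20` only, while `mon_dispatch_postauth20`, whose opening line is this hunk's trailing context, gets no matching entry; a GSSSIGN request reaching the monitor after authentication (a GSS-API rekey, if the gsskex patch permits one) would then presumably be refused by monitor_read() as an unsupported request rather than dispatched. If post-auth GSS key exchange is deliberately unsupported that is the safer outcome, but it deserves a one-line comment beside the entry, e.g. `/* GSS-API kex signing: pre-auth table only, enabled per exchange via monitor_permit() */`, and a check against the renumbered hunks at old lines 1765 and 1776, whose monitor_child_postauth() bodies are outside this diff. Leaving `MON_PERMIT` out of the flags and using `MON_ONCE` is the right shape for a privileged signing operation requested by the unprivileged child: it stays refused until the monitor explicitly permits it and is disabled again after a single use.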
@@ -1776,7 +1782,7 @@ index 229fada..aa70945 100644
  } else {
  mon_dispatch = mon_dispatch_postauth15;
  monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-@@ -1866,6 +1882,13 @@ mm_get_kex(Buffer *m)
+@@ -1866,6 +1883,13 @@ mm_get_kex(Buffer *m)
  kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
  kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
  kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -1790,7 +1796,7 @@ index 229fada..aa70945 100644
  kex->server = 1;
  kex->hostkey_type = buffer_get_int(m);
  kex->kex_type = buffer_get_int(m);
-@@ -2073,6 +2096,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
+@@ -2073,6 +2097,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
  OM_uint32 major;
  u_int len;
@@ -1800,7 +1806,7 @@ index 229fada..aa70945 100644
  goid.elements = buffer_get_string(m, &len);
  goid.length = len;
-@@ -2100,6 +2126,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
+@@ -2100,6 +2127,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
  OM_uint32 flags = 0; /* GSI needs this */
  u_int len;
@@ -1810,7 +1816,7 @@ index 229fada..aa70945 100644
  in.value = buffer_get_string(m, &len);
  in.length = len;
  major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-@@ -2117,6 +2146,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
+@@ -2117,6 +2147,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
  monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
  monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
  monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -1818,7 +1824,7 @@ index 229fada..aa70945 100644
  }
  return (0);
  }
-@@ -2128,6 +2158,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
+@@ -2128,6 +2159,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
  OM_uint32 ret;
  u_int len;
@@ -1828,7 +1834,7 @@ index 229fada..aa70945 100644
  gssbuf.value = buffer_get_string(m, &len);
  gssbuf.length = len;
  mic.value = buffer_get_string(m, &len);
-@@ -2154,7 +2187,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
+@@ -2154,7 +2188,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
  {
  int authenticated;
@@ -1841,7 +1847,7 @@ index 229fada..aa70945 100644
  buffer_clear(m);
  buffer_put_int(m, authenticated);
-@@ -2167,5 +2204,73 @@ mm_answer_gss_userok(int sock, Buffer *m)
+@@ -2167,5 +2205,73 @@ mm_answer_gss_userok(int sock, Buffer *m)
  /* Monitor loop will terminate if authenticated */
  return (authenticated);
  }