From 9a804fa2663b764c9df3fde472c3cc49b958bfa2 Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Sep 24 2015 13:57:11 +0000 Subject: Apply GSSAPI key exchange methods in client offered list (#1261414) --- diff --git a/openssh-6.6p1-gsskex.patch b/openssh-6.6p1-gsskex.patch index fa67de1..b2c942c 100644 --- a/openssh-6.6p1-gsskex.patch +++ b/openssh-6.6p1-gsskex.patch @@ -2290,7 +2290,7 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c + if (options.gss_keyex) { + /* Add the GSSAPI mechanisms currently supported on this + * client to the key exchange algorithm proposal */ -+ orig = myproposal[PROPOSAL_KEX_ALGS]; ++ orig = options.kex_algorithms; + + if (options.gss_trust_dns) + gss_host = (char *)get_canonical_hostname(1); @@ -2300,7 +2300,7 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c + gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity); + if (gss) { + debug("Offering GSSAPI proposal: %s", gss); -+ xasprintf(&myproposal[PROPOSAL_KEX_ALGS], ++ xasprintf(&options.kex_algorithms, + "%s,%s", gss, orig); + } + } diff --git a/openssh-6.7p1-fips.patch b/openssh-6.7p1-fips.patch index 3427ff5..62f9e26 100644 --- a/openssh-6.7p1-fips.patch +++ b/openssh-6.7p1-fips.patch @@ -492,7 +492,7 @@ diff -up openssh-7.0p1/sshconnect2.c.fips openssh-7.0p1/sshconnect2.c if (options.gss_keyex) { - /* Add the GSSAPI mechanisms currently supported on this - * client to the key exchange algorithm proposal */ -- orig = myproposal[PROPOSAL_KEX_ALGS]; +- orig = options.kex_algorithms; - - if (options.gss_trust_dns) - gss_host = (char *)get_canonical_hostname(1); @@ -503,7 +503,7 @@ diff -up openssh-7.0p1/sshconnect2.c.fips openssh-7.0p1/sshconnect2.c - options.gss_client_identity, options.gss_kex_algorithms); - if (gss) { - debug("Offering GSSAPI proposal: %s", gss); -- xasprintf(&myproposal[PROPOSAL_KEX_ALGS], +- xasprintf(&options.kex_algorithms, - "%s,%s", gss, orig); + if (FIPS_mode()) { + logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode"); @@ -511,7 +511,7 @@ diff -up openssh-7.0p1/sshconnect2.c.fips openssh-7.0p1/sshconnect2.c + } else { + /* Add the GSSAPI mechanisms currently supported on this + * client to the key exchange algorithm proposal */ -+ orig = myproposal[PROPOSAL_KEX_ALGS]; ++ orig = options.kex_algorithms; + + if (options.gss_trust_dns) + gss_host = (char *)get_canonical_hostname(1); @@ -522,7 +522,7 @@ diff -up openssh-7.0p1/sshconnect2.c.fips openssh-7.0p1/sshconnect2.c + options.gss_client_identity, options.gss_kex_algorithms); + if (gss) { + debug("Offering GSSAPI proposal: %s", gss); -+ xasprintf(&myproposal[PROPOSAL_KEX_ALGS], ++ xasprintf(&options.kex_algorithms, + "%s,%s", gss, orig); + } } diff --git a/openssh-7.0p1-gssKexAlgorithms.patch b/openssh-7.0p1-gssKexAlgorithms.patch index b8fe76c..8ecc207 100644 --- a/openssh-7.0p1-gssKexAlgorithms.patch +++ b/openssh-7.0p1-gssKexAlgorithms.patch @@ -362,7 +362,7 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskexalg openssh-7.0p1/sshconnect2.c + options.gss_client_identity, options.gss_kex_algorithms); if (gss) { debug("Offering GSSAPI proposal: %s", gss); - xasprintf(&myproposal[PROPOSAL_KEX_ALGS], + xasprintf(&options.kex_algorithms, diff -up openssh-7.0p1/sshd_config.5.gsskexalg openssh-7.0p1/sshd_config.5 --- openssh-7.0p1/sshd_config.5.gsskexalg 2015-08-19 12:28:38.082518830 +0200 +++ openssh-7.0p1/sshd_config.5 2015-08-19 12:36:25.121471501 +0200