external/openssh: update to 6.8p1.
In preparation for some updates to external/openssh to make it work with
BoringSSL, this change updates the code to a recent version. The current
version (5.9p1) is coming up on four years old now.
* Confirmed that f5c67b478bef9992de9e9ec91ce10af4f6205e0d matches
OpenSSH 5.9p1 exactly (save for the removal of the scard
subdirectory).
* Downloaded openssh-6.8p1.tar.gz (SHA256:
3ff64ce73ee124480b5bf767b9830d7d3c03bbcb6abe716b78f0192c37ce160e)
and verified with PGP signature. (I've verified Damien's key in
person previously.)
* Applied changes between f5c67b478bef9992de9e9ec91ce10af4f6205e0d and
OpenSSH 5.9p1 to 6.8p1 and updated the build as best I can. The
ugliest change is probably the duplication of umac.c to umac128.c
because Android conditionally compiles that file twice. See the
comment in those files.
Change-Id: I63cb07a8118afb5a377f116087a0882914cea486
diff --git a/auth-krb5.c b/auth-krb5.c
index d019fe2..0089b18 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-krb5.c,v 1.19 2006/08/03 03:34:41 deraadt Exp $ */
+/* $OpenBSD: auth-krb5.c,v 1.20 2013/07/20 01:55:13 djm Exp $ */
/*
* Kerberos v5 authentication and ticket-passing routines.
*
@@ -40,6 +40,7 @@
#include "packet.h"
#include "log.h"
#include "buffer.h"
+#include "misc.h"
#include "servconf.h"
#include "uidswap.h"
#include "key.h"
@@ -79,6 +80,7 @@
krb5_ccache ccache = NULL;
int len;
char *client, *platform_client;
+ const char *errmsg;
/* get platform-specific kerberos client principal name (if it exists) */
platform_client = platform_krb5_get_principal_name(authctxt->pw->pw_name);
@@ -96,7 +98,12 @@
goto out;
#ifdef HEIMDAL
+# ifdef HAVE_KRB5_CC_NEW_UNIQUE
+ problem = krb5_cc_new_unique(authctxt->krb5_ctx,
+ krb5_mcc_ops.prefix, NULL, &ccache);
+# else
problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
+# endif
if (problem)
goto out;
@@ -115,8 +122,13 @@
if (problem)
goto out;
+# ifdef HAVE_KRB5_CC_NEW_UNIQUE
+ problem = krb5_cc_new_unique(authctxt->krb5_ctx,
+ krb5_fcc_ops.prefix, NULL, &authctxt->krb5_fwd_ccache);
+# else
problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
&authctxt->krb5_fwd_ccache);
+# endif
if (problem)
goto out;
@@ -146,7 +158,8 @@
if (problem)
goto out;
- if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
+ if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
+ authctxt->pw->pw_name)) {
problem = -1;
goto out;
}
@@ -181,17 +194,19 @@
out:
restore_uid();
- if (platform_client != NULL)
- xfree(platform_client);
+ free(platform_client);
if (problem) {
if (ccache)
krb5_cc_destroy(authctxt->krb5_ctx, ccache);
- if (authctxt->krb5_ctx != NULL && problem!=-1)
- debug("Kerberos password authentication failed: %s",
- krb5_get_err_text(authctxt->krb5_ctx, problem));
- else
+ if (authctxt->krb5_ctx != NULL && problem!=-1) {
+ errmsg = krb5_get_error_message(authctxt->krb5_ctx,
+ problem);
+ debug("Kerberos password authentication failed: %s",
+ errmsg);
+ krb5_free_error_message(authctxt->krb5_ctx, errmsg);
+ } else
debug("Kerberos password authentication failed: %d",
problem);
@@ -226,7 +241,7 @@
#ifndef HEIMDAL
krb5_error_code
ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
- int tmpfd, ret;
+ int tmpfd, ret, oerrno;
char ccname[40];
mode_t old_umask;
@@ -237,16 +252,18 @@
old_umask = umask(0177);
tmpfd = mkstemp(ccname + strlen("FILE:"));
+ oerrno = errno;
umask(old_umask);
if (tmpfd == -1) {
- logit("mkstemp(): %.100s", strerror(errno));
- return errno;
+ logit("mkstemp(): %.100s", strerror(oerrno));
+ return oerrno;
}
if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
- logit("fchmod(): %.100s", strerror(errno));
+ oerrno = errno;
+ logit("fchmod(): %.100s", strerror(oerrno));
close(tmpfd);
- return errno;
+ return oerrno;
}
close(tmpfd);