external/openssh: update to 6.8p1.
In preparation for some updates to external/openssh to make it work with
BoringSSL, this change updates the code to a recent version. The current
version (5.9p1) is coming up on four years old now.
* Confirmed that f5c67b478bef9992de9e9ec91ce10af4f6205e0d matches
OpenSSH 5.9p1 exactly (save for the removal of the scard
subdirectory).
* Downloaded openssh-6.8p1.tar.gz (SHA256:
3ff64ce73ee124480b5bf767b9830d7d3c03bbcb6abe716b78f0192c37ce160e)
and verified with PGP signature. (I've verified Damien's key in
person previously.)
* Applied changes between f5c67b478bef9992de9e9ec91ce10af4f6205e0d and
OpenSSH 5.9p1 to 6.8p1 and updated the build as best I can. The
ugliest change is probably the duplication of umac.c to umac128.c
because Android conditionally compiles that file twice. See the
comment in those files.
Change-Id: I63cb07a8118afb5a377f116087a0882914cea486
diff --git a/auth2-gss.c b/auth2-gss.c
index 0d59b21..1ca8357 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-gss.c,v 1.17 2011/03/10 02:52:57 djm Exp $ */
+/* $OpenBSD: auth2-gss.c,v 1.22 2015/01/19 20:07:45 markus Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -40,6 +40,7 @@
#include "log.h"
#include "dispatch.h"
#include "buffer.h"
+#include "misc.h"
#include "servconf.h"
#include "packet.h"
#include "ssh-gss.h"
@@ -47,10 +48,10 @@
extern ServerOptions options;
-static void input_gssapi_token(int type, u_int32_t plen, void *ctxt);
-static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
-static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
-static void input_gssapi_errtok(int, u_int32_t, void *);
+static int input_gssapi_token(int type, u_int32_t plen, void *ctxt);
+static int input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
+static int input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
+static int input_gssapi_errtok(int, u_int32_t, void *);
/*
* We only support those mechanisms that we know about (ie ones that we know
@@ -62,7 +63,6 @@
gss_OID_desc goid = {0, NULL};
Gssctxt *ctxt = NULL;
int mechs;
- gss_OID_set supported;
int present;
OM_uint32 ms;
u_int len;
@@ -77,12 +77,10 @@
return (0);
}
- ssh_gssapi_supported_oids(&supported);
do {
mechs--;
- if (doid)
- xfree(doid);
+ free(doid);
present = 0;
doid = packet_get_string(&len);
@@ -91,17 +89,14 @@
doid[1] == len - 2) {
goid.elements = doid + 2;
goid.length = len - 2;
- gss_test_oid_set_member(&ms, &goid, supported,
- &present);
+ ssh_gssapi_test_oid_supported(&ms, &goid, &present);
} else {
logit("Badly formed OID received");
}
} while (mechs > 0 && !present);
- gss_release_oid_set(&ms, &supported);
-
if (!present) {
- xfree(doid);
+ free(doid);
authctxt->server_caused_failure = 1;
return (0);
}
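Review bot: The call `ssh_gssapi_test_oid_supported(&ms, &goid, &present);` discards any status the helper produces, and `ms` is not read anywhere in this hunk, so the mechanism check rests entirely on `present`. That is fail-closed only because `present = 0` is reset at the top of each loop iteration (visible in the preceding hunk), and only if the helper leaves `present` untouched when it fails; the helper's definition is not on this page, so this should be confirmed. I would record the assumption next to the call, e.g. `/* present was cleared above; any failure here leaves the OID treated as unsupported */`. The enclosing function starts before and ends after this hunk.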
@@ -109,7 +104,7 @@
if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
if (ctxt != NULL)
ssh_gssapi_delete_ctx(&ctxt);
- xfree(doid);
+ free(doid);
authctxt->server_caused_failure = 1;
return (0);
}
@@ -122,7 +117,7 @@
packet_put_string(doid, len);
packet_send();
- xfree(doid);
+ free(doid);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok);
@@ -131,7 +126,7 @@
return (0);
}
-static void
+static int
input_gssapi_token(int type, u_int32_t plen, void *ctxt)
{
Authctxt *authctxt = ctxt;
@@ -153,7 +148,7 @@
maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
&send_tok, &flags));
- xfree(recv_tok.value);
+ free(recv_tok.value);
if (GSS_ERROR(maj_status)) {
if (send_tok.length != 0) {
@@ -163,7 +158,7 @@
}
authctxt->postponed = 0;
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
- userauth_finish(authctxt, 0, "gssapi-with-mic");
+ userauth_finish(authctxt, 0, "gssapi-with-mic", NULL);
} else {
if (send_tok.length != 0) {
packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
@@ -183,9 +178,10 @@
}
gss_release_buffer(&min_status, &send_tok);
+ return 0;
}
-static void
+static int
input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
{
Authctxt *authctxt = ctxt;
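Review bot: The new `return 0;` at the end of `input_gssapi_token` is unconditional, so the handler reports 0 even on the `GSS_ERROR(maj_status)` path that calls `userauth_finish(authctxt, 0, ...)`. The same unconditional return is added to `input_gssapi_errtok`, `input_gssapi_exchange_complete` and `input_gssapi_mic` in the later hunks. This looks intentional, since the authentication result travels through `userauth_finish` rather than the return value, but how the dispatcher treats a non-zero return is not visible on this page, so the contract should be written down. Suggest documenting it once above the prototypes: `/* Dispatch handlers: return 0 once the packet is consumed; auth success/failure is reported via userauth_finish(). */`. Both function bodies extend outside this hunk.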
@@ -208,7 +204,7 @@
maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
&send_tok, NULL));
- xfree(recv_tok.value);
+ free(recv_tok.value);
/* We can't return anything to the client, even if we wanted to */
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
@@ -217,6 +213,7 @@
/* The client will have already moved on to the next auth */
gss_release_buffer(&maj_status, &send_tok);
+ return 0;
}
/*
@@ -225,18 +222,15 @@
* which only enables it once the GSSAPI exchange is complete.
*/
-static void
+static int
input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
{
Authctxt *authctxt = ctxt;
- Gssctxt *gssctxt;
int authenticated;
if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
fatal("No authentication or GSSAPI context");
- gssctxt = authctxt->methoddata;
-
/*
* We don't need to check the status, because we're only enabled in
* the dispatcher once the exchange is complete
@@ -251,10 +245,11 @@
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
- userauth_finish(authctxt, authenticated, "gssapi-with-mic");
+ userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
+ return 0;
}
-static void
+static int
input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
{
Authctxt *authctxt = ctxt;
@@ -284,14 +279,15 @@
logit("GSSAPI MIC check failed");
buffer_free(&b);
- xfree(mic.value);
+ free(mic.value);
authctxt->postponed = 0;
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
- userauth_finish(authctxt, authenticated, "gssapi-with-mic");
+ userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
+ return 0;
}
Authmethod method_gssapi = {