Update gssapi-keyex patch for OpenSSH 9.0+

userauth_gsskeyex must have the same argument as userauth_gssapi method_gsskeyex must have the same members as method_gssapi
2023-07-26 23:28:39 +02:00 · 2023-07-26 23:28:39 +02:00 · c04e468b07
commit c04e468b07
parent c3494feffe
2 changed files with 15 additions and 11 deletions
--- a/openssh-8.0p1-gssapi-keyex.patch
+++ b/openssh-8.0p1-gssapi-keyex.patch
@ -160,7 +160,7 @@ index 9351e042..d6446c0c 100644
 + * The 'gssapi_keyex' userauth mechanism.
 + */
 +static int
-+userauth_gsskeyex(struct ssh *ssh)
+userauth_gsskeyex(struct ssh *ssh, const char *method)
 +{
 +	Authctxt *authctxt = ssh->authctxt;
 +	int r, authenticated = 0;
@ -221,19 +221,20 @@ index 9351e042..d6446c0c 100644
 	else
 		logit("GSSAPI MIC check failed");
-@@ -326,6 +370,12 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
+@@ -326,6 +370,13 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
 	return 0;
 }
 +Authmethod method_gsskeyex = {
 +	"gssapi-keyex",
 +	NULL,
 +	userauth_gsskeyex,
 +	&options.gss_authentication
 +};
 +
 Authmethod method_gssapi = {
 	"gssapi-with-mic",
-	NULL,
+ 	NULL,
 diff --git a/auth2.c b/auth2.c
 index 0e776224..1c217268 100644
 --- a/auth2.c
@ -400,8 +401,8 @@ index ebd0dbca..1bdac6a4 100644
 +#endif
 +
 		/* Buffer input from the connection.  */
-		if (conn_in_ready)
+ 		if (conn_in_ready)
-			client_process_net_input(ssh);
+ 			client_process_net_input(ssh);
 diff --git a/configure.ac b/configure.ac
 index b689db4b..efafb6bd 100644
 --- a/configure.ac
@ -1368,8 +1369,8 @@ index ce85f043..574c7609 100644
 +#ifdef GSSAPI
 +	free(kex->gss_host);
 +#endif /* GSSAPI */
-	sshbuf_free(kex->initial_sig);
+ 	sshbuf_free(kex->initial_sig);
-	sshkey_free(kex->initial_hostkey);
+ 	sshkey_free(kex->initial_hostkey);
 	free(kex->failed_choice);
 diff --git a/kex.h b/kex.h
 index a5ae6ac0..fe714141 100644
@ -3584,7 +3585,7 @@ index af00fb30..03bc87eb 100644
 +# endif
 +#endif /* WITH_OPENSSL */
 	ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
-	ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client;
+ 	ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client;
 	ssh->kex->verify_host_key=&verify_host_key_callback;
 +#if defined(GSSAPI) && defined(WITH_OPENSSL)
--- a/openssh.spec
+++ b/openssh.spec
@ -47,14 +47,14 @@
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 9.3p1
-%global openssh_rel 5
+%global openssh_rel 6
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 9
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
 Version: %{openssh_ver}
-Release: %{openssh_rel}%{?dist}.1
+Release: %{openssh_rel}%{?dist}
 URL: http://www.openssh.com/portable.html
 #URL1: https://github.com/jbeverly/pam_ssh_agent_auth/
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@ -304,7 +304,7 @@ Requires: openssh = %{version}-%{release}
 %package -n pam_ssh_agent_auth
 Summary: PAM module for authentication with ssh-agent
 Version: %{pam_ssh_agent_ver}
-Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.1
+Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}
 License: BSD
 %description
@ -739,6 +739,9 @@ test -f %{sysconfig_anaconda} && \
 %endif
 %changelog
 * Wed Jul 26 2023 Mattias Ellert <mattias.ellert@physics.uu.se> - 9.3p1-6
 - Update gssapi-keyex patch for OpenSSH 9.0+
 * Fri Jul 21 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.3p1-5
 - Fix remote code execution in ssh-agent PKCS#11 support
  Resolves: CVE-2023-38408