<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[117112] trunk/dports/net/openssh/files</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="https://trac.macports.org/changeset/117112">117112</a></dd>
<dt>Author</dt> <dd>cal@macports.org</dd>
<dt>Date</dt> <dd>2014-02-16 13:57:11 -0800 (Sun, 16 Feb 2014)</dd>
</dl>
<h3>Log Message</h3>
<pre>openssh: Fix +gsskex variant, closes #42523, #42479</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkdportsnetopensshfiles0002Applekeychainintegrationotherchangespatch">trunk/dports/net/openssh/files/0002-Apple-keychain-integration-other-changes.patch</a></li>
<li><a href="#trunkdportsnetopensshfilesopenssh63p1gsskexall20130920patch">trunk/dports/net/openssh/files/openssh-6.3p1-gsskex-all-20130920.patch</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkdportsnetopensshfiles0002Applekeychainintegrationotherchangespatch"></a>
<div class="modfile"><h4>Modified: trunk/dports/net/openssh/files/0002-Apple-keychain-integration-other-changes.patch (117111 => 117112)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/dports/net/openssh/files/0002-Apple-keychain-integration-other-changes.patch 2014-02-16 21:40:49 UTC (rev 117111)
+++ trunk/dports/net/openssh/files/0002-Apple-keychain-integration-other-changes.patch 2014-02-16 21:57:11 UTC (rev 117112)
</span><span class="lines">@@ -1,26 +1,7 @@
</span><del>-# HG changeset patch
-# User Sean Farley <sean.michael.farley@gmail.com>
-# Date 1382624667 -28800
-# Thu Oct 24 22:24:27 2013 +0800
-# Node ID dd6d51b7e12be5fab94a8779e890c5558e4d4001
-# Parent 86a3bc5c8ff689a291e86950a3d8fd327f42b870
-partial import
-
-
-wiggled scp
-
-
-wiggled readconf
-
-
-wiggled readconf.c
-
-diff --git a/Makefile.in b/Makefile.in
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -56,10 +56,11 @@
- PERL=@PERL@
- SED=@SED@
</del><ins>+diff -urp openssh-6.5p1/Makefile.in openssh-6.5p1.patched/Makefile.in
+--- openssh-6.5p1/Makefile.in 2014-01-26 22:35:04.000000000 -0800
++++ openssh-6.5p1.patched/Makefile.in 2014-02-15 16:27:53.000000000 -0800
+@@ -58,6 +58,7 @@ SED=@SED@
</ins><span class="cx"> ENT=@ENT@
</span><span class="cx"> XAUTH_PATH=@XAUTH_PATH@
</span><span class="cx"> LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
</span><span class="lines">@@ -28,24 +9,16 @@
</span><span class="cx"> EXEEXT=@EXEEXT@
</span><span class="cx"> MANFMT=@MANFMT@
</span><span class="cx">
</span><del>- TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
-
-@@ -93,10 +94,12 @@
- sftp-server.o sftp-common.o \
- roaming_common.o roaming_serv.o \
</del><ins>+@@ -98,6 +99,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
</ins><span class="cx"> sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
</span><del>- sandbox-seccomp-filter.o
</del><ins>+ sandbox-seccomp-filter.o sandbox-capsicum.o
</ins><span class="cx">
</span><span class="cx"> +KEYCHAINOBJS=keychain.o
</span><span class="cx"> +
</span><span class="cx"> MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
</span><span class="cx"> MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
</span><span class="cx"> MANTYPE = @MANTYPE@
</span><del>-
- CONFIGFILES=sshd_config.out ssh_config.out moduli.out
-@@ -127,10 +130,11 @@
- all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
-
</del><ins>+@@ -133,6 +136,7 @@ all: $(CONFIGFILES) $(MANPAGES) $(TARGET
</ins><span class="cx"> $(LIBSSH_OBJS): Makefile.in config.h
</span><span class="cx"> $(SSHOBJS): Makefile.in config.h
</span><span class="cx"> $(SSHDOBJS): Makefile.in config.h
</span><span class="lines">@@ -53,11 +26,7 @@
</span><span class="cx">
</span><span class="cx"> .c.o:
</span><span class="cx"> $(CC) $(CFLAGS) $(CPPFLAGS) -c $<
</span><del>-
- LIBCOMPAT=openbsd-compat/libopenbsd-compat.a
-@@ -140,24 +144,24 @@
-
- libssh.a: $(LIBSSH_OBJS)
</del><ins>+@@ -146,8 +150,8 @@ libssh.a: $(LIBSSH_OBJS)
</ins><span class="cx"> $(AR) rv $@ $(LIBSSH_OBJS)
</span><span class="cx"> $(RANLIB) $@
</span><span class="cx">
</span><span class="lines">@@ -68,7 +37,7 @@
</span><span class="cx">
</span><span class="cx"> sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
</span><span class="cx"> $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
</span><del>-
</del><ins>+@@ -155,11 +159,11 @@ sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(S
</ins><span class="cx"> scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
</span><span class="cx"> $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
</span><span class="cx">
</span><span class="lines">@@ -84,11 +53,7 @@
</span><span class="cx">
</span><span class="cx"> ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
</span><span class="cx"> $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
</span><del>-
- ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
-@@ -265,11 +269,11 @@
- $(INSTALL) -m 0755 $(STRIP_OPT) ssh-add$(EXEEXT) $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
- $(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
</del><ins>+@@ -271,7 +275,7 @@ install-files:
</ins><span class="cx"> $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
</span><span class="cx"> $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
</span><span class="cx"> $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
</span><span class="lines">@@ -97,14 +62,12 @@
</span><span class="cx"> $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
</span><span class="cx"> $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
</span><span class="cx"> $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
</span><del>- $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
- $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
-diff --git a/audit-bsm.c b/audit-bsm.c
---- a/audit-bsm.c
-+++ b/audit-bsm.c
-@@ -261,11 +261,16 @@
- uid_t uid = -1;
- gid_t gid = -1;
</del><ins>+Only in openssh-6.5p1.patched: Makefile.in.orig
+Only in openssh-6.5p1.patched: Makefile.in.rej
+diff -urp openssh-6.5p1/audit-bsm.c openssh-6.5p1.patched/audit-bsm.c
+--- openssh-6.5p1/audit-bsm.c 2012-02-23 15:40:43.000000000 -0800
++++ openssh-6.5p1.patched/audit-bsm.c 2014-02-15 16:25:56.000000000 -0800
+@@ -263,7 +263,12 @@ bsm_audit_record(int typ, char *string,
</ins><span class="cx"> pid_t pid = getpid();
</span><span class="cx"> AuditInfoTermID tid = ssh_bsm_tid;
</span><span class="cx">
</span><span class="lines">@@ -118,14 +81,10 @@
</span><span class="cx"> uid = the_authctxt->pw->pw_uid;
</span><span class="cx"> gid = the_authctxt->pw->pw_gid;
</span><span class="cx"> }
</span><del>-
- rc = (typ == 0) ? 0 : -1;
-diff --git a/auth-pam.c b/auth-pam.c
---- a/auth-pam.c
-+++ b/auth-pam.c
-@@ -789,14 +789,15 @@
- **echo_on = 0;
- ctxt->pam_done = 1;
</del><ins>+diff -urp openssh-6.5p1/auth-pam.c openssh-6.5p1.patched/auth-pam.c
+--- openssh-6.5p1/auth-pam.c 2013-12-18 16:31:45.000000000 -0800
++++ openssh-6.5p1.patched/auth-pam.c 2014-02-15 16:25:56.000000000 -0800
+@@ -793,10 +793,11 @@ sshpam_query(void *ctx, char **name, cha
</ins><span class="cx"> free(msg);
</span><span class="cx"> return (0);
</span><span class="cx"> }
</span><span class="lines">@@ -139,14 +98,11 @@
</span><span class="cx"> /* FALLTHROUGH */
</span><span class="cx"> default:
</span><span class="cx"> *num = 0;
</span><del>- **echo_on = 0;
- free(msg);
-diff --git a/auth.c b/auth.c
---- a/auth.c
-+++ b/auth.c
-@@ -209,11 +209,11 @@
- return 0;
- }
</del><ins>+Only in openssh-6.5p1.patched: auth-pam.c.orig
+diff -urp openssh-6.5p1/auth.c openssh-6.5p1.patched/auth.c
+--- openssh-6.5p1/auth.c 2013-06-01 14:41:51.000000000 -0700
++++ openssh-6.5p1.patched/auth.c 2014-02-15 16:25:56.000000000 -0800
+@@ -211,7 +211,7 @@ allowed_user(struct passwd * pw)
</ins><span class="cx"> }
</span><span class="cx"> if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
</span><span class="cx"> /* Get the user's group access list (primary and supplementary) */
</span><span class="lines">@@ -155,14 +111,10 @@
</span><span class="cx"> logit("User %.100s from %.100s not allowed because "
</span><span class="cx"> "not in any group", pw->pw_name, hostname);
</span><span class="cx"> return 0;
</span><del>- }
-
-diff --git a/authfd.c b/authfd.c
---- a/authfd.c
-+++ b/authfd.c
-@@ -687,10 +687,33 @@
- type = buffer_get_char(&msg);
- buffer_free(&msg);
</del><ins>+diff -urp openssh-6.5p1/authfd.c openssh-6.5p1.patched/authfd.c
+--- openssh-6.5p1/authfd.c 2013-12-28 22:49:56.000000000 -0800
++++ openssh-6.5p1.patched/authfd.c 2014-02-15 16:25:56.000000000 -0800
+@@ -638,6 +638,29 @@ ssh_remove_all_identities(Authentication
</ins><span class="cx"> return decode_reply(type);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -192,14 +144,11 @@
</span><span class="cx"> int
</span><span class="cx"> decode_reply(int type)
</span><span class="cx"> {
</span><del>- switch (type) {
- case SSH_AGENT_FAILURE:
-diff --git a/authfd.h b/authfd.h
---- a/authfd.h
-+++ b/authfd.h
-@@ -47,10 +47,13 @@
- /* add key with constraints */
- #define SSH_AGENTC_ADD_RSA_ID_CONSTRAINED 24
</del><ins>+Only in openssh-6.5p1.patched: authfd.c.orig
+diff -urp openssh-6.5p1/authfd.h openssh-6.5p1.patched/authfd.h
+--- openssh-6.5p1/authfd.h 2009-10-06 14:47:02.000000000 -0700
++++ openssh-6.5p1.patched/authfd.h 2014-02-15 16:25:56.000000000 -0800
+@@ -49,6 +49,9 @@
</ins><span class="cx"> #define SSH2_AGENTC_ADD_ID_CONSTRAINED 25
</span><span class="cx"> #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
</span><span class="cx">
</span><span class="lines">@@ -209,15 +158,11 @@
</span><span class="cx"> #define SSH_AGENT_CONSTRAIN_LIFETIME 1
</span><span class="cx"> #define SSH_AGENT_CONSTRAIN_CONFIRM 2
</span><span class="cx">
</span><del>- /* extended failure messages */
- #define SSH2_AGENT_FAILURE 30
-diff --git a/config.h.in b/config.h.in
---- a/config.h.in
-+++ b/config.h.in
-@@ -75,10 +75,22 @@
- #undef BROKEN_SNPRINTF
-
- /* FreeBSD strnvis does not do what we need */
</del><ins>+diff -urp openssh-6.5p1/config.h.in openssh-6.5p1.patched/config.h.in
+--- openssh-6.5p1/config.h.in 2014-01-29 17:52:44.000000000 -0800
++++ openssh-6.5p1.patched/config.h.in 2014-02-15 16:28:51.000000000 -0800
+@@ -81,6 +81,18 @@
+ /* FreeBSD strnvis argument order is swapped compared to OpenBSD */
</ins><span class="cx"> #undef BROKEN_STRNVIS
</span><span class="cx">
</span><span class="cx"> +/* platform uses an in-memory credentials cache */
</span><span class="lines">@@ -235,14 +180,12 @@
</span><span class="cx"> /* tcgetattr with ICANON may hang */
</span><span class="cx"> #undef BROKEN_TCGETATTR_ICANON
</span><span class="cx">
</span><del>- /* updwtmpx is broken (if present) */
- #undef BROKEN_UPDWTMPX
-diff --git a/configure.ac b/configure.ac
---- a/configure.ac
-+++ b/configure.ac
-@@ -4548,14 +4548,44 @@
- #ifdef HAVE_LASTLOG_H
- #include <lastlog.h>
</del><ins>+Only in openssh-6.5p1.patched: config.h.in.orig
+Only in openssh-6.5p1.patched: config.h.in.rej
+diff -urp openssh-6.5p1/configure.ac openssh-6.5p1.patched/configure.ac
+--- openssh-6.5p1/configure.ac 2014-01-29 16:26:46.000000000 -0800
++++ openssh-6.5p1.patched/configure.ac 2014-02-15 16:25:56.000000000 -0800
+@@ -4779,10 +4779,40 @@ AC_CHECK_MEMBER([struct utmp.ut_line], [
</ins><span class="cx"> #endif
</span><span class="cx"> ])
</span><span class="cx">
</span><span class="lines">@@ -283,14 +226,11 @@
</span><span class="cx"> if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
</span><span class="cx"> TEST_SSH_IPV6=no
</span><span class="cx"> else
</span><del>- TEST_SSH_IPV6=yes
- fi
-diff --git a/groupaccess.c b/groupaccess.c
---- a/groupaccess.c
-+++ b/groupaccess.c
-@@ -32,62 +32,107 @@
- #include <unistd.h>
- #include <stdarg.h>
</del><ins>+Only in openssh-6.5p1.patched: configure.ac.orig
+diff -urp openssh-6.5p1/groupaccess.c openssh-6.5p1.patched/groupaccess.c
+--- openssh-6.5p1/groupaccess.c 2013-06-01 15:07:32.000000000 -0700
++++ openssh-6.5p1.patched/groupaccess.c 2014-02-15 16:25:56.000000000 -0800
+@@ -34,38 +34,67 @@
</ins><span class="cx"> #include <stdlib.h>
</span><span class="cx"> #include <string.h>
</span><span class="cx">
</span><span class="lines">@@ -340,17 +280,17 @@
</span><span class="cx"> ngroups = NGROUPS_MAX;
</span><span class="cx"> #if defined(HAVE_SYSCONF) && defined(_SC_NGROUPS_MAX)
</span><span class="cx"> ngroups = MAX(NGROUPS_MAX, sysconf(_SC_NGROUPS_MAX));
</span><ins>+-#endif
+-
</ins><span class="cx"> +#endif
</span><del>-+ groups_bygid = xcalloc(ngroups, sizeof(*groups_bygid));
</del><ins>+ groups_bygid = xcalloc(ngroups, sizeof(*groups_bygid));
</ins><span class="cx"> +#else
</span><span class="cx"> + if (-1 == (ngroups = getgrouplist_2(pw->pw_name, pw->pw_gid,
</span><span class="cx"> + &groups_bygid))) {
</span><span class="cx"> + logit("getgrouplist_2 failed");
</span><span class="cx"> + return 0;
</span><span class="cx"> + }
</span><del>- #endif
--
-- groups_bygid = xcalloc(ngroups, sizeof(*groups_bygid));
</del><ins>++#endif
</ins><span class="cx"> groups_byname = xcalloc(ngroups, sizeof(*groups_byname));
</span><span class="cx"> -
</span><span class="cx"> - if (getgrouplist(user, base, groups_bygid, &ngroups) == -1)
</span><span class="lines">@@ -365,10 +305,7 @@
</span><span class="cx"> for (i = 0, j = 0; i < ngroups; i++)
</span><span class="cx"> if ((gr = getgrgid(groups_bygid[i])) != NULL)
</span><span class="cx"> groups_byname[j++] = xstrdup(gr->gr_name);
</span><del>- free(groups_bygid);
- return (ngroups = j);
- }
-
</del><ins>+@@ -76,16 +105,32 @@ ga_init(const char *user, gid_t base)
</ins><span class="cx"> /*
</span><span class="cx"> * Return 1 if one of user's groups is contained in groups.
</span><span class="cx"> * Return 0 otherwise. Use match_pattern() for string comparison.
</span><span class="lines">@@ -401,14 +338,10 @@
</span><span class="cx"> return 0;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- /*
- * Return 1 if one of user's groups matches group_pattern list.
-diff --git a/groupaccess.h b/groupaccess.h
---- a/groupaccess.h
-+++ b/groupaccess.h
-@@ -25,11 +25,11 @@
- */
-
</del><ins>+diff -urp openssh-6.5p1/groupaccess.h openssh-6.5p1.patched/groupaccess.h
+--- openssh-6.5p1/groupaccess.h 2008-07-03 20:51:12.000000000 -0700
++++ openssh-6.5p1.patched/groupaccess.h 2014-02-15 16:25:56.000000000 -0800
+@@ -27,7 +27,7 @@
</ins><span class="cx"> #ifndef GROUPACCESS_H
</span><span class="cx"> #define GROUPACCESS_H
</span><span class="cx">
</span><span class="lines">@@ -417,8 +350,6 @@
</span><span class="cx"> int ga_match(char * const *, int);
</span><span class="cx"> int ga_match_pattern_list(const char *);
</span><span class="cx"> void ga_free(void);
</span><del>-
- #endif
</del><span class="cx"> diff --git a/keychain.c b/keychain.c
</span><span class="cx"> new file mode 100644
</span><span class="cx"> --- /dev/null
</span><span class="lines">@@ -1168,41 +1099,30 @@
</span><span class="cx"> +int add_identities_using_keychain(
</span><span class="cx"> + int (*add_identity)(const char *, const char *));
</span><span class="cx"> +char *keychain_read_passphrase(const char *filename, int oAskPassGUI);
</span><del>-diff --git a/readconf.c b/readconf.c
---- a/readconf.c
-+++ b/readconf.c
-@@ -136,10 +136,13 @@
- oSendEnv, oControlPath, oControlMaster, oControlPersist,
- oHashKnownHosts,
- oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
- oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
- oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown,
</del><ins>+diff -urp openssh-6.5p1/readconf.c openssh-6.5p1.patched/readconf.c
+--- openssh-6.5p1/readconf.c 2014-01-17 05:03:57.000000000 -0800
++++ openssh-6.5p1.patched/readconf.c 2014-02-15 16:30:49.000000000 -0800
+@@ -148,6 +148,9 @@ typedef enum {
+ oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
+ oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
+ oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
</ins><span class="cx"> +#ifdef __APPLE_KEYCHAIN__
</span><span class="cx"> + oAskPassGUI,
</span><span class="cx"> +#endif
</span><span class="cx"> oIgnoredUnknownOption, oDeprecated, oUnsupported
</span><span class="cx"> } OpCodes;
</span><span class="cx">
</span><del>- /* Textual representations of the tokens. */
-
-@@ -248,11 +251,13 @@
- #endif
- { "kexalgorithms", oKexAlgorithms },
- { "ipqos", oIPQoS },
- { "requesttty", oRequestTTY },
</del><ins>+@@ -267,6 +270,9 @@ static struct {
+ { "canonicalizemaxdots", oCanonicalizeMaxDots },
+ { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
</ins><span class="cx"> { "ignoreunknown", oIgnoreUnknown },
</span><del>--
</del><span class="cx"> +#ifdef __APPLE_KEYCHAIN__
</span><span class="cx"> + { "askpassgui", oAskPassGUI },
</span><span class="cx"> +#endif
</span><ins>+
</ins><span class="cx"> { NULL, oBadOption }
</span><span class="cx"> };
</span><del>-
- /*
- * Adds a local TCP/IP port forward to options. Never returns if there is an
-@@ -1070,10 +1075,16 @@
-
- case oIgnoreUnknown:
</del><ins>+@@ -1332,6 +1338,12 @@ parse_int:
</ins><span class="cx"> charptr = &options->ignored_unknown;
</span><span class="cx"> goto parse_string;
</span><span class="cx">
</span><span class="lines">@@ -1212,28 +1132,20 @@
</span><span class="cx"> + goto parse_flag;
</span><span class="cx"> +#endif
</span><span class="cx"> +
</span><del>- case oDeprecated:
- debug("%s line %d: Deprecated option \"%s\"",
- filename, linenum, keyword);
- return 0;
-
-@@ -1232,10 +1243,13 @@
- options->zero_knowledge_password_authentication = -1;
- options->ip_qos_interactive = -1;
- options->ip_qos_bulk = -1;
</del><ins>+ case oProxyUseFdpass:
+ intptr = &options->proxy_use_fdpass;
+ goto parse_flag;
+@@ -1555,6 +1567,9 @@ initialize_options(Options * options)
</ins><span class="cx"> options->request_tty = -1;
</span><ins>+ options->proxy_use_fdpass = -1;
</ins><span class="cx"> options->ignored_unknown = NULL;
</span><span class="cx"> +#ifdef __APPLE_KEYCHAIN__
</span><span class="cx"> + options->ask_pass_gui = -1;
</span><span class="cx"> +#endif
</span><del>- }
-
- /*
- * Called after processing other sources of option data, this fills those
- * options for which no value has been specified with their default values.
-@@ -1383,10 +1397,14 @@
- options->ip_qos_interactive = IPTOS_LOWDELAY;
- if (options->ip_qos_bulk == -1)
</del><ins>+ options->num_canonical_domains = 0;
+ options->num_permitted_cnames = 0;
+ options->canonicalize_max_dots = -1;
+@@ -1713,6 +1728,10 @@ fill_default_options(Options * options)
</ins><span class="cx"> options->ip_qos_bulk = IPTOS_THROUGHPUT;
</span><span class="cx"> if (options->request_tty == -1)
</span><span class="cx"> options->request_tty = REQUEST_TTY_AUTO;
</span><span class="lines">@@ -1241,19 +1153,17 @@
</span><span class="cx"> + if (options->ask_pass_gui == -1)
</span><span class="cx"> + options->ask_pass_gui = 1;
</span><span class="cx"> +#endif
</span><del>- /* options->local_command should not be set by default */
- /* options->proxy_command should not be set by default */
- /* options->user will be set in the main program if appropriate */
- /* options->hostname will be set in the main program if appropriate */
- /* options->host_key_alias should not be set by default */
-diff --git a/readconf.h b/readconf.h
---- a/readconf.h
-+++ b/readconf.h
-@@ -137,10 +137,14 @@
- int use_roaming;
</del><ins>+ if (options->proxy_use_fdpass == -1)
+ options->proxy_use_fdpass = 0;
+ if (options->canonicalize_max_dots == -1)
+Only in openssh-6.5p1.patched: readconf.c.orig
+Only in openssh-6.5p1.patched: readconf.c.rej
+diff -urp openssh-6.5p1/readconf.h openssh-6.5p1.patched/readconf.h
+--- openssh-6.5p1/readconf.h 2013-10-16 17:48:14.000000000 -0700
++++ openssh-6.5p1.patched/readconf.h 2014-02-15 16:31:29.000000000 -0800
+@@ -155,6 +155,10 @@ typedef struct {
+ struct allowed_cname permitted_cnames[MAX_CANON_DOMAINS];
</ins><span class="cx">
</span><del>- int request_tty;
-
</del><span class="cx"> char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
</span><span class="cx"> +
</span><span class="cx"> +#ifdef __APPLE_KEYCHAIN__
</span><span class="lines">@@ -1261,15 +1171,13 @@
</span><span class="cx"> +#endif
</span><span class="cx"> } Options;
</span><span class="cx">
</span><del>- #define SSHCTL_MASTER_NO 0
- #define SSHCTL_MASTER_YES 1
- #define SSHCTL_MASTER_AUTO 2
-diff --git a/scp.1 b/scp.1
---- a/scp.1
-+++ b/scp.1
-@@ -17,11 +17,11 @@
- .Nm scp
- .Nd secure copy (remote file copy program)
</del><ins>+ #define SSH_CANONICALISE_NO 0
+Only in openssh-6.5p1.patched: readconf.h.orig
+Only in openssh-6.5p1.patched: readconf.h.rej
+diff -urp openssh-6.5p1/scp.1 openssh-6.5p1.patched/scp.1
+--- openssh-6.5p1/scp.1 2013-10-22 22:30:00.000000000 -0700
++++ openssh-6.5p1.patched/scp.1 2014-02-15 16:25:56.000000000 -0800
+@@ -19,7 +19,7 @@
</ins><span class="cx"> .Sh SYNOPSIS
</span><span class="cx"> .Nm scp
</span><span class="cx"> .Bk -words
</span><span class="lines">@@ -1278,11 +1186,7 @@
</span><span class="cx"> .Op Fl c Ar cipher
</span><span class="cx"> .Op Fl F Ar ssh_config
</span><span class="cx"> .Op Fl i Ar identity_file
</span><del>- .Op Fl l Ar limit
- .Op Fl o Ar ssh_option
-@@ -95,10 +95,12 @@
- Passes the
- .Fl C
</del><ins>+@@ -97,6 +97,8 @@ Passes the
</ins><span class="cx"> flag to
</span><span class="cx"> .Xr ssh 1
</span><span class="cx"> to enable compression.
</span><span class="lines">@@ -1291,14 +1195,10 @@
</span><span class="cx"> .It Fl c Ar cipher
</span><span class="cx"> Selects the cipher to use for encrypting the data transfer.
</span><span class="cx"> This option is directly passed to
</span><del>- .Xr ssh 1 .
- .It Fl F Ar ssh_config
-diff --git a/scp.c b/scp.c
---- a/scp.c
-+++ b/scp.c
-@@ -76,10 +76,13 @@
- #include <sys/types.h>
- #include <sys/param.h>
</del><ins>+diff -urp openssh-6.5p1/scp.c openssh-6.5p1.patched/scp.c
+--- openssh-6.5p1/scp.c 2013-11-20 18:56:49.000000000 -0800
++++ openssh-6.5p1.patched/scp.c 2014-02-15 16:25:56.000000000 -0800
+@@ -78,6 +78,9 @@
</ins><span class="cx"> #ifdef HAVE_SYS_STAT_H
</span><span class="cx"> # include <sys/stat.h>
</span><span class="cx"> #endif
</span><span class="lines">@@ -1308,11 +1208,7 @@
</span><span class="cx"> #ifdef HAVE_POLL_H
</span><span class="cx"> #include <poll.h>
</span><span class="cx"> #else
</span><del>- # ifdef HAVE_SYS_POLL_H
- # include <sys/poll.h>
-@@ -112,10 +115,15 @@
- #include "pathnames.h"
- #include "log.h"
</del><ins>+@@ -114,6 +117,11 @@
</ins><span class="cx"> #include "misc.h"
</span><span class="cx"> #include "progressmeter.h"
</span><span class="cx">
</span><span class="lines">@@ -1324,11 +1220,7 @@
</span><span class="cx"> extern char *__progname;
</span><span class="cx">
</span><span class="cx"> #define COPY_BUFLEN 16384
</span><del>-
- int do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout);
-@@ -148,10 +156,16 @@
- char *ssh_program = _PATH_SSH_PROGRAM;
-
</del><ins>+@@ -150,6 +158,12 @@ char *ssh_program = _PATH_SSH_PROGRAM;
</ins><span class="cx"> /* This is used to store the pid of ssh_program */
</span><span class="cx"> pid_t do_cmd_pid = -1;
</span><span class="cx">
</span><span class="lines">@@ -1341,11 +1233,7 @@
</span><span class="cx"> static void
</span><span class="cx"> killchild(int signo)
</span><span class="cx"> {
</span><del>- if (do_cmd_pid > 1) {
- kill(do_cmd_pid, signo ? signo : SIGTERM);
-@@ -393,11 +407,15 @@
- addargs(&args, "-oForwardAgent=no");
- addargs(&args, "-oPermitLocalCommand=no");
</del><ins>+@@ -395,7 +409,11 @@ main(int argc, char **argv)
</ins><span class="cx"> addargs(&args, "-oClearAllForwardings=yes");
</span><span class="cx">
</span><span class="cx"> fflag = tflag = 0;
</span><span class="lines">@@ -1357,11 +1245,7 @@
</span><span class="cx"> switch (ch) {
</span><span class="cx"> /* User-visible flags. */
</span><span class="cx"> case '1':
</span><del>- case '2':
- case '4':
-@@ -454,10 +472,15 @@
- addargs(&args, "-q");
- addargs(&remote_remote_args, "-q");
</del><ins>+@@ -456,6 +474,11 @@ main(int argc, char **argv)
</ins><span class="cx"> showprogress = 0;
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="lines">@@ -1373,11 +1257,7 @@
</span><span class="cx"> /* Server options. */
</span><span class="cx"> case 'd':
</span><span class="cx"> targetshouldbedirectory = 1;
</span><del>- break;
- case 'f': /* "from" */
-@@ -503,11 +526,16 @@
- targetshouldbedirectory = 1;
-
</del><ins>+@@ -505,7 +528,12 @@ main(int argc, char **argv)
</ins><span class="cx"> remin = remout = -1;
</span><span class="cx"> do_cmd_pid = -1;
</span><span class="cx"> /* Command to be executed on remote system using "ssh". */
</span><span class="lines">@@ -1390,11 +1270,7 @@
</span><span class="cx"> verbose_mode ? " -v" : "",
</span><span class="cx"> iamrecursive ? " -r" : "", pflag ? " -p" : "",
</span><span class="cx"> targetshouldbedirectory ? " -d" : "");
</span><del>-
- (void) signal(SIGPIPE, lostconn);
-@@ -749,23 +777,41 @@
- off_t i, statbytes;
- size_t amt;
</del><ins>+@@ -751,6 +779,10 @@ source(int argc, char **argv)
</ins><span class="cx"> int fd = -1, haderr, indx;
</span><span class="cx"> char *last, *name, buf[2048], encname[MAXPATHLEN];
</span><span class="cx"> int len;
</span><span class="lines">@@ -1405,7 +1281,7 @@
</span><span class="cx">
</span><span class="cx"> for (indx = 0; indx < argc; ++indx) {
</span><span class="cx"> name = argv[indx];
</span><del>- statbytes = 0;
</del><ins>+@@ -758,12 +790,26 @@ source(int argc, char **argv)
</ins><span class="cx"> len = strlen(name);
</span><span class="cx"> while (len > 1 && name[len-1] == '/')
</span><span class="cx"> name[--len] = '\0';
</span><span class="lines">@@ -1432,11 +1308,7 @@
</span><span class="cx"> if (fstat(fd, &stb) < 0) {
</span><span class="cx"> syserr: run_err("%s: %s", name, strerror(errno));
</span><span class="cx"> goto next;
</span><del>- }
- if (stb.st_size < 0) {
-@@ -844,10 +890,40 @@
- if (!haderr)
- (void) atomicio(vwrite, remout, "", 1);
</del><ins>+@@ -846,6 +892,36 @@ next: if (fd != -1) {
</ins><span class="cx"> else
</span><span class="cx"> run_err("%s: %s", name, strerror(haderr));
</span><span class="cx"> (void) response();
</span><span class="lines">@@ -1473,11 +1345,7 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void
- rsource(char *name, struct stat *statp)
-@@ -935,10 +1011,14 @@
-
- (void) atomicio(vwrite, remout, "", 1);
</del><ins>+@@ -937,6 +1013,10 @@ sink(int argc, char **argv)
</ins><span class="cx"> if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode))
</span><span class="cx"> targisdir = 1;
</span><span class="cx"> for (first = 1;; first = 0) {
</span><span class="lines">@@ -1488,11 +1356,7 @@
</span><span class="cx"> cp = buf;
</span><span class="cx"> if (atomicio(read, remin, cp, 1) != 1)
</span><span class="cx"> return;
</span><del>- if (*cp++ == '\n')
- SCREWUP("unexpected <newline>");
-@@ -1080,14 +1160,55 @@
- free(vect[0]);
- continue;
</del><ins>+@@ -1082,10 +1162,51 @@ sink(int argc, char **argv)
</ins><span class="cx"> }
</span><span class="cx"> omode = mode;
</span><span class="cx"> mode |= S_IWUSR;
</span><span class="lines">@@ -1544,11 +1408,7 @@
</span><span class="cx"> (void) atomicio(vwrite, remout, "", 1);
</span><span class="cx"> if ((bp = allocbuf(&buffer, ofd, COPY_BUFLEN)) == NULL) {
</span><span class="cx"> (void) close(ofd);
</span><del>- continue;
- }
-@@ -1168,10 +1289,33 @@
- if (close(ofd) == -1) {
- wrerr = YES;
</del><ins>+@@ -1170,6 +1291,29 @@ bad: run_err("%s: %s", np, strerror(er
</ins><span class="cx"> wrerrno = errno;
</span><span class="cx"> }
</span><span class="cx"> (void) response();
</span><span class="lines">@@ -1578,11 +1438,7 @@
</span><span class="cx"> if (setimes && wrerr == NO) {
</span><span class="cx"> setimes = 0;
</span><span class="cx"> if (utimes(np, tv) < 0) {
</span><del>- run_err("%s: set times: %s",
- np, strerror(errno));
-@@ -1229,11 +1373,15 @@
-
- void
</del><ins>+@@ -1231,7 +1375,11 @@ void
</ins><span class="cx"> usage(void)
</span><span class="cx"> {
</span><span class="cx"> (void) fprintf(stderr,
</span><span class="lines">@@ -1594,27 +1450,10 @@
</span><span class="cx"> " [-l limit] [-o ssh_option] [-P port] [-S program]\n"
</span><span class="cx"> " [[user@]host1:]file1 ... [[user@]host2:]file2\n");
</span><span class="cx"> exit(1);
</span><del>- }
-
-diff --git a/servconf.c b/servconf.c
---- a/servconf.c
-+++ b/servconf.c
-@@ -158,11 +158,11 @@
- void
- fill_default_server_options(ServerOptions *options)
- {
- /* Portable-specific options */
- if (options->use_pam == -1)
-- options->use_pam = 0;
-+ options->use_pam = 1;
-
- /* Standard Options */
- if (options->protocol == SSH_PROTO_UNKNOWN)
- options->protocol = SSH_PROTO_2;
- if (options->num_host_key_files == 0) {
-@@ -241,11 +241,11 @@
- if (options->gss_authentication == -1)
- options->gss_authentication = 0;
</del><ins>+diff -urp openssh-6.5p1/servconf.c openssh-6.5p1.patched/servconf.c
+--- openssh-6.5p1/servconf.c 2013-12-06 16:24:02.000000000 -0800
++++ openssh-6.5p1.patched/servconf.c 2014-02-15 16:25:56.000000000 -0800
+@@ -248,7 +248,7 @@ fill_default_server_options(ServerOption
</ins><span class="cx"> if (options->gss_cleanup_creds == -1)
</span><span class="cx"> options->gss_cleanup_creds = 1;
</span><span class="cx"> if (options->password_authentication == -1)
</span><span class="lines">@@ -1623,11 +1462,7 @@
</span><span class="cx"> if (options->kbd_interactive_authentication == -1)
</span><span class="cx"> options->kbd_interactive_authentication = 0;
</span><span class="cx"> if (options->challenge_response_authentication == -1)
</span><del>- options->challenge_response_authentication = 1;
- if (options->permit_empty_passwd == -1)
-@@ -621,11 +621,11 @@
- goto out;
-
</del><ins>+@@ -629,7 +629,7 @@ match_cfg_line_group(const char *grps, i
</ins><span class="cx"> if ((pw = getpwnam(user)) == NULL) {
</span><span class="cx"> debug("Can't match group at line %d because user %.100s does "
</span><span class="cx"> "not exist", line, user);
</span><span class="lines">@@ -1636,14 +1471,11 @@
</span><span class="cx"> debug("Can't Match group because user %.100s not in any group "
</span><span class="cx"> "at line %d", user, line);
</span><span class="cx"> } else if (ga_match_pattern_list(grps) != 1) {
</span><del>- debug("user %.100s does not match group list %.100s at line %d",
- user, grps, line);
-diff --git a/session.c b/session.c
---- a/session.c
-+++ b/session.c
-@@ -2081,12 +2081,14 @@
- /* for SSH1 the tty modes length is not given */
- if (!compat20)
</del><ins>+Only in openssh-6.5p1.patched: servconf.c.orig
+diff -urp openssh-6.5p1/session.c openssh-6.5p1.patched/session.c
+--- openssh-6.5p1/session.c 2014-01-22 19:16:10.000000000 -0800
++++ openssh-6.5p1.patched/session.c 2014-02-15 16:25:56.000000000 -0800
+@@ -2111,8 +2111,10 @@ session_pty_req(Session *s)
</ins><span class="cx"> n_bytes = packet_remaining();
</span><span class="cx"> tty_parse_modes(s->ttyfd, &n_bytes);
</span><span class="cx">
</span><span class="lines">@@ -1654,11 +1486,7 @@
</span><span class="cx">
</span><span class="cx"> /* Set window size from the packet. */
</span><span class="cx"> pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
</span><del>-
- packet_check_eom();
-@@ -2322,13 +2324,15 @@
-
- /* Record that the user has logged out. */
</del><ins>+@@ -2352,9 +2354,11 @@ session_pty_cleanup2(Session *s)
</ins><span class="cx"> if (s->pid != 0)
</span><span class="cx"> record_logout(s->pid, s->tty, s->pw->pw_name);
</span><span class="cx">
</span><span class="lines">@@ -1670,14 +1498,11 @@
</span><span class="cx">
</span><span class="cx"> /*
</span><span class="cx"> * Close the server side of the socket pairs. We must do this after
</span><del>- * the pty cleanup, so that another process doesn't get this pty
- * while we're still cleaning up.
-diff --git a/ssh-add.0 b/ssh-add.0
---- a/ssh-add.0
-+++ b/ssh-add.0
-@@ -2,11 +2,11 @@
-
- NAME
</del><ins>+Only in openssh-6.5p1.patched: session.c.orig
+diff -urp openssh-6.5p1/ssh-add.0 openssh-6.5p1.patched/ssh-add.0
+--- openssh-6.5p1/ssh-add.0 2014-01-29 17:52:47.000000000 -0800
++++ openssh-6.5p1.patched/ssh-add.0 2014-02-15 16:25:56.000000000 -0800
+@@ -4,7 +4,7 @@ NAME
</ins><span class="cx"> ssh-add - adds private key identities to the authentication agent
</span><span class="cx">
</span><span class="cx"> SYNOPSIS
</span><span class="lines">@@ -1686,11 +1511,7 @@
</span><span class="cx"> ssh-add -s pkcs11
</span><span class="cx"> ssh-add -e pkcs11
</span><span class="cx">
</span><del>- DESCRIPTION
- ssh-add adds private key identities to the authentication agent,
-@@ -53,10 +53,17 @@
- represented by the agent.
-
</del><ins>+@@ -55,6 +55,13 @@ DESCRIPTION
</ins><span class="cx"> -l Lists fingerprints of all identities currently represented by the
</span><span class="cx"> agent.
</span><span class="cx">
</span><span class="lines">@@ -1704,14 +1525,10 @@
</span><span class="cx"> -s pkcs11
</span><span class="cx"> Add keys provided by the PKCS#11 shared library pkcs11.
</span><span class="cx">
</span><del>- -t life
- Set a maximum lifetime when adding identities to an agent. The
-diff --git a/ssh-add.1 b/ssh-add.1
---- a/ssh-add.1
-+++ b/ssh-add.1
-@@ -41,11 +41,11 @@
- .Sh NAME
- .Nm ssh-add
</del><ins>+diff -urp openssh-6.5p1/ssh-add.1 openssh-6.5p1.patched/ssh-add.1
+--- openssh-6.5p1/ssh-add.1 2013-12-17 22:46:28.000000000 -0800
++++ openssh-6.5p1.patched/ssh-add.1 2014-02-15 16:25:56.000000000 -0800
+@@ -43,7 +43,7 @@
</ins><span class="cx"> .Nd adds private key identities to the authentication agent
</span><span class="cx"> .Sh SYNOPSIS
</span><span class="cx"> .Nm ssh-add
</span><span class="lines">@@ -1720,11 +1537,7 @@
</span><span class="cx"> .Op Fl t Ar life
</span><span class="cx"> .Op Ar
</span><span class="cx"> .Nm ssh-add
</span><del>- .Fl s Ar pkcs11
- .Nm ssh-add
-@@ -116,10 +116,17 @@
- .It Fl L
- Lists public key parameters of all identities currently represented
</del><ins>+@@ -119,6 +119,13 @@ Lists public key parameters of all ident
</ins><span class="cx"> by the agent.
</span><span class="cx"> .It Fl l
</span><span class="cx"> Lists fingerprints of all identities currently represented by the agent.
</span><span class="lines">@@ -1738,14 +1551,11 @@
</span><span class="cx"> .It Fl s Ar pkcs11
</span><span class="cx"> Add keys provided by the PKCS#11 shared library
</span><span class="cx"> .Ar pkcs11 .
</span><del>- .It Fl t Ar life
- Set a maximum lifetime when adding identities to an agent.
-diff --git a/ssh-add.c b/ssh-add.c
---- a/ssh-add.c
-+++ b/ssh-add.c
-@@ -60,10 +60,11 @@
- #include "buffer.h"
- #include "authfd.h"
</del><ins>+Only in openssh-6.5p1.patched: ssh-add.1.orig
+diff -urp openssh-6.5p1/ssh-add.c openssh-6.5p1.patched/ssh-add.c
+--- openssh-6.5p1/ssh-add.c 2013-12-28 22:44:07.000000000 -0800
++++ openssh-6.5p1.patched/ssh-add.c 2014-02-15 16:25:56.000000000 -0800
+@@ -62,6 +62,7 @@
</ins><span class="cx"> #include "authfile.h"
</span><span class="cx"> #include "pathnames.h"
</span><span class="cx"> #include "misc.h"
</span><span class="lines">@@ -1753,11 +1563,7 @@
</span><span class="cx">
</span><span class="cx"> /* argv0 */
</span><span class="cx"> extern char *__progname;
</span><del>-
- /* Default files to add */
-@@ -94,16 +95,28 @@
- pass = NULL;
- }
</del><ins>+@@ -97,12 +98,24 @@ clear_pass(void)
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> static int
</span><span class="lines">@@ -1783,11 +1589,7 @@
</span><span class="cx"> public = key_load_public(filename, &comment);
</span><span class="cx"> if (public == NULL) {
</span><span class="cx"> printf("Bad key file %s\n", filename);
</span><del>- return -1;
- }
-@@ -162,11 +175,11 @@
-
- return ret;
</del><ins>+@@ -165,7 +178,7 @@ delete_all(AuthenticationConnection *ac)
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> static int
</span><span class="lines">@@ -1796,11 +1598,7 @@
</span><span class="cx"> {
</span><span class="cx"> Key *private, *cert;
</span><span class="cx"> char *comment = NULL;
</span><del>- char msg[1024], *certpath = NULL;
- int fd, perms_ok, ret = -1;
-@@ -199,15 +212,20 @@
- }
- close(fd);
</del><ins>+@@ -202,11 +215,16 @@ add_file(AuthenticationConnection *ac, c
</ins><span class="cx">
</span><span class="cx"> /* At first, try empty passphrase */
</span><span class="cx"> private = key_parse_private(&keyblob, filename, "", &comment);
</span><span class="lines">@@ -1818,11 +1616,7 @@
</span><span class="cx"> if (private == NULL) {
</span><span class="cx"> /* clear passphrase since it did not work */
</span><span class="cx"> clear_pass();
</span><del>- snprintf(msg, sizeof msg, "Enter passphrase for %.200s: ",
- comment);
-@@ -219,12 +237,15 @@
- buffer_free(&keyblob);
- return -1;
</del><ins>+@@ -222,8 +240,11 @@ add_file(AuthenticationConnection *ac, c
</ins><span class="cx"> }
</span><span class="cx"> private = key_parse_private(&keyblob, filename, pass,
</span><span class="cx"> &comment);
</span><span class="lines">@@ -1835,11 +1629,7 @@
</span><span class="cx"> clear_pass();
</span><span class="cx"> snprintf(msg, sizeof msg,
</span><span class="cx"> "Bad passphrase, try again for %.200s: ", comment);
</span><del>- }
- }
-@@ -374,17 +395,17 @@
- free(p1);
- return (ret);
</del><ins>+@@ -380,13 +401,13 @@ lock_agent(AuthenticationConnection *ac,
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> static int
</span><span class="lines">@@ -1856,11 +1646,7 @@
</span><span class="cx"> return -1;
</span><span class="cx"> }
</span><span class="cx"> return 0;
</span><del>- }
-
-@@ -402,20 +423,26 @@
- fprintf(stderr, " -D Delete all identities.\n");
- fprintf(stderr, " -x Lock agent.\n");
</del><ins>+@@ -408,6 +429,11 @@ usage(void)
</ins><span class="cx"> fprintf(stderr, " -X Unlock agent.\n");
</span><span class="cx"> fprintf(stderr, " -s pkcs11 Add keys from PKCS#11 provider.\n");
</span><span class="cx"> fprintf(stderr, " -e pkcs11 Remove keys provided by PKCS#11 provider.\n");
</span><span class="lines">@@ -1872,10 +1658,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> int
</span><del>- main(int argc, char **argv)
- {
- extern char *optarg;
- extern int optind;
</del><ins>+@@ -418,6 +444,7 @@ main(int argc, char **argv)
</ins><span class="cx"> AuthenticationConnection *ac = NULL;
</span><span class="cx"> char *pkcs11provider = NULL;
</span><span class="cx"> int i, ch, deleting = 0, ret = 0, key_only = 0;
</span><span class="lines">@@ -1883,11 +1666,7 @@
</span><span class="cx">
</span><span class="cx"> /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
</span><span class="cx"> sanitise_stdfd();
</span><del>-
- __progname = ssh_get_progname(argv[0]);
-@@ -428,11 +455,11 @@
- if (ac == NULL) {
- fprintf(stderr,
</del><ins>+@@ -434,7 +461,7 @@ main(int argc, char **argv)
</ins><span class="cx"> "Could not open a connection to your authentication agent.\n");
</span><span class="cx"> exit(2);
</span><span class="cx"> }
</span><span class="lines">@@ -1896,11 +1675,7 @@
</span><span class="cx"> switch (ch) {
</span><span class="cx"> case 'k':
</span><span class="cx"> key_only = 1;
</span><del>- break;
- case 'l':
-@@ -467,10 +494,17 @@
- fprintf(stderr, "Invalid lifetime\n");
- ret = 1;
</del><ins>+@@ -473,6 +500,13 @@ main(int argc, char **argv)
</ins><span class="cx"> goto done;
</span><span class="cx"> }
</span><span class="cx"> break;
</span><span class="lines">@@ -1914,11 +1689,7 @@
</span><span class="cx"> default:
</span><span class="cx"> usage();
</span><span class="cx"> ret = 1;
</span><del>- goto done;
- }
-@@ -498,20 +532,20 @@
- for (i = 0; default_files[i]; i++) {
- snprintf(buf, sizeof(buf), "%s/%s", pw->pw_dir,
</del><ins>+@@ -504,7 +538,7 @@ main(int argc, char **argv)
</ins><span class="cx"> default_files[i]);
</span><span class="cx"> if (stat(buf, &st) < 0)
</span><span class="cx"> continue;
</span><span class="lines">@@ -1927,8 +1698,7 @@
</span><span class="cx"> ret = 1;
</span><span class="cx"> else
</span><span class="cx"> count++;
</span><del>- }
- if (count == 0)
</del><ins>+@@ -513,7 +547,7 @@ main(int argc, char **argv)
</ins><span class="cx"> ret = 1;
</span><span class="cx"> } else {
</span><span class="cx"> for (i = 0; i < argc; i++) {
</span><span class="lines">@@ -1937,14 +1707,11 @@
</span><span class="cx"> ret = 1;
</span><span class="cx"> }
</span><span class="cx"> }
</span><del>- clear_pass();
-
-diff --git a/ssh-agent.c b/ssh-agent.c
---- a/ssh-agent.c
-+++ b/ssh-agent.c
-@@ -63,20 +63,25 @@
- #include <stdio.h>
- #include <stdlib.h>
</del><ins>+Only in openssh-6.5p1.patched: ssh-add.c.orig
+diff -urp openssh-6.5p1/ssh-agent.c openssh-6.5p1.patched/ssh-agent.c
+--- openssh-6.5p1/ssh-agent.c 2013-12-28 22:45:52.000000000 -0800
++++ openssh-6.5p1.patched/ssh-agent.c 2014-02-15 16:25:56.000000000 -0800
+@@ -65,6 +65,9 @@
</ins><span class="cx"> #include <time.h>
</span><span class="cx"> #include <string.h>
</span><span class="cx"> #include <unistd.h>
</span><span class="lines">@@ -1954,7 +1721,7 @@
</span><span class="cx">
</span><span class="cx"> #include "xmalloc.h"
</span><span class="cx"> #include "ssh.h"
</span><del>- #include "rsa.h"
</del><ins>+@@ -72,9 +75,11 @@
</ins><span class="cx"> #include "buffer.h"
</span><span class="cx"> #include "key.h"
</span><span class="cx"> #include "authfd.h"
</span><span class="lines">@@ -1966,11 +1733,7 @@
</span><span class="cx">
</span><span class="cx"> #ifdef ENABLE_PKCS11
</span><span class="cx"> #include "ssh-pkcs11.h"
</span><del>- #endif
-
-@@ -788,10 +793,65 @@
- buffer_put_char(&e->output,
- success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
</del><ins>+@@ -682,6 +687,61 @@ process_remove_smartcard_key(SocketEntry
</ins><span class="cx"> }
</span><span class="cx"> #endif /* ENABLE_PKCS11 */
</span><span class="cx">
</span><span class="lines">@@ -2032,11 +1795,7 @@
</span><span class="cx"> /* dispatch incoming messages */
</span><span class="cx">
</span><span class="cx"> static void
</span><del>- process_message(SocketEntry *e)
- {
-@@ -880,10 +940,13 @@
- break;
- case SSH_AGENTC_REMOVE_SMARTCARD_KEY:
</del><ins>+@@ -774,6 +834,9 @@ process_message(SocketEntry *e)
</ins><span class="cx"> process_remove_smartcard_key(e);
</span><span class="cx"> break;
</span><span class="cx"> #endif /* ENABLE_PKCS11 */
</span><span class="lines">@@ -2046,11 +1805,7 @@
</span><span class="cx"> default:
</span><span class="cx"> /* Unknown message. Respond with failure. */
</span><span class="cx"> error("Unknown message %d", type);
</span><del>- buffer_clear(&e->request);
- buffer_put_int(&e->output, 1);
-@@ -1120,11 +1183,15 @@
- }
-
</del><ins>+@@ -1014,7 +1077,11 @@ usage(void)
</ins><span class="cx"> int
</span><span class="cx"> main(int ac, char **av)
</span><span class="cx"> {
</span><span class="lines">@@ -2062,11 +1817,7 @@
</span><span class="cx"> int sock, fd, ch, result, saved_errno;
</span><span class="cx"> u_int nalloc;
</span><span class="cx"> char *shell, *format, *pidstr, *agentsocket = NULL;
</span><del>- fd_set *readsetp = NULL, *writesetp = NULL;
- struct sockaddr_un sunaddr;
-@@ -1154,20 +1221,29 @@
- OpenSSL_add_all_algorithms();
-
</del><ins>+@@ -1048,7 +1115,11 @@ main(int ac, char **av)
</ins><span class="cx"> __progname = ssh_get_progname(av[0]);
</span><span class="cx"> seed_rng();
</span><span class="cx">
</span><span class="lines">@@ -2078,9 +1829,7 @@
</span><span class="cx"> switch (ch) {
</span><span class="cx"> case 'c':
</span><span class="cx"> if (s_flag)
</span><del>- usage();
- c_flag++;
- break;
</del><ins>+@@ -1058,6 +1129,11 @@ main(int ac, char **av)
</ins><span class="cx"> case 'k':
</span><span class="cx"> k_flag++;
</span><span class="cx"> break;
</span><span class="lines">@@ -2092,11 +1841,7 @@
</span><span class="cx"> case 's':
</span><span class="cx"> if (c_flag)
</span><span class="cx"> usage();
</span><del>- s_flag++;
- break;
-@@ -1190,11 +1266,15 @@
- }
- }
</del><ins>+@@ -1084,7 +1160,11 @@ main(int ac, char **av)
</ins><span class="cx"> ac -= optind;
</span><span class="cx"> av += optind;
</span><span class="cx">
</span><span class="lines">@@ -2108,11 +1853,7 @@
</span><span class="cx"> usage();
</span><span class="cx">
</span><span class="cx"> if (ac == 0 && !c_flag && !s_flag) {
</span><del>- shell = getenv("SHELL");
- if (shell != NULL && (len = strlen(shell)) > 2 &&
-@@ -1246,10 +1326,57 @@
-
- /*
</del><ins>+@@ -1140,6 +1220,53 @@ main(int ac, char **av)
</ins><span class="cx"> * Create socket early so it will exist before command gets run from
</span><span class="cx"> * the parent.
</span><span class="cx"> */
</span><span class="lines">@@ -2166,11 +1907,7 @@
</span><span class="cx"> sock = socket(AF_UNIX, SOCK_STREAM, 0);
</span><span class="cx"> if (sock < 0) {
</span><span class="cx"> perror("socket");
</span><del>- *socket_name = '\0'; /* Don't unlink any existing file */
- cleanup_exit(1);
-@@ -1267,10 +1394,18 @@
- umask(prev_mask);
- if (listen(sock, SSH_LISTEN_BACKLOG) < 0) {
</del><ins>+@@ -1161,6 +1288,14 @@ main(int ac, char **av)
</ins><span class="cx"> perror("listen");
</span><span class="cx"> cleanup_exit(1);
</span><span class="cx"> }
</span><span class="lines">@@ -2185,11 +1922,7 @@
</span><span class="cx">
</span><span class="cx"> /*
</span><span class="cx"> * Fork, and have the parent execute the command, if any, or present
</span><del>- * the socket data. The child continues as the authentication agent.
- */
-@@ -1339,19 +1474,24 @@
-
- #ifdef ENABLE_PKCS11
</del><ins>+@@ -1233,6 +1368,7 @@ skip:
</ins><span class="cx"> pkcs11_init(0);
</span><span class="cx"> #endif
</span><span class="cx"> new_socket(AUTH_SOCKET, sock);
</span><span class="lines">@@ -2197,9 +1930,7 @@
</span><span class="cx"> if (ac > 0)
</span><span class="cx"> parent_alive_interval = 10;
</span><span class="cx"> idtab_init();
</span><del>- signal(SIGPIPE, SIG_IGN);
- signal(SIGINT, d_flag ? cleanup_handler : SIG_IGN);
- signal(SIGHUP, cleanup_handler);
</del><ins>+@@ -1242,6 +1378,10 @@ skip:
</ins><span class="cx"> signal(SIGTERM, cleanup_handler);
</span><span class="cx"> nalloc = 0;
</span><span class="cx">
</span><span class="lines">@@ -2210,14 +1941,11 @@
</span><span class="cx"> while (1) {
</span><span class="cx"> prepare_select(&readsetp, &writesetp, &max_fd, &nalloc, &tvp);
</span><span class="cx"> result = select(max_fd + 1, readsetp, writesetp, NULL, tvp);
</span><del>- saved_errno = errno;
- if (parent_alive_interval != 0)
-diff --git a/ssh-keysign.8 b/ssh-keysign.8
---- a/ssh-keysign.8
-+++ b/ssh-keysign.8
-@@ -69,10 +69,13 @@
- They should be owned by root, readable only by root, and not
- accessible to others.
</del><ins>+Only in openssh-6.5p1.patched: ssh-agent.c.orig
+diff -urp openssh-6.5p1/ssh-keysign.8 openssh-6.5p1.patched/ssh-keysign.8
+--- openssh-6.5p1/ssh-keysign.8 2013-12-17 22:46:28.000000000 -0800
++++ openssh-6.5p1.patched/ssh-keysign.8 2014-02-15 16:25:56.000000000 -0800
+@@ -72,6 +72,9 @@ accessible to others.
</ins><span class="cx"> Since they are readable only by root,
</span><span class="cx"> .Nm
</span><span class="cx"> must be set-uid root if host-based authentication is used.
</span><span class="lines">@@ -2227,14 +1955,11 @@
</span><span class="cx"> .Pp
</span><span class="cx"> .It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
</span><span class="cx"> .It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
</span><del>- .It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
- If these files exist they are assumed to contain public certificate
-diff --git a/sshconnect1.c b/sshconnect1.c
---- a/sshconnect1.c
-+++ b/sshconnect1.c
-@@ -45,10 +45,11 @@
- #include "authfile.h"
- #include "misc.h"
</del><ins>+Only in openssh-6.5p1.patched: ssh-keysign.8.orig
+diff -urp openssh-6.5p1/sshconnect1.c openssh-6.5p1.patched/sshconnect1.c
+--- openssh-6.5p1/sshconnect1.c 2013-10-25 16:05:47.000000000 -0700
++++ openssh-6.5p1.patched/sshconnect1.c 2014-02-15 16:25:56.000000000 -0800
+@@ -47,6 +47,7 @@
</ins><span class="cx"> #include "canohost.h"
</span><span class="cx"> #include "hostfile.h"
</span><span class="cx"> #include "auth.h"
</span><span class="lines">@@ -2242,11 +1967,7 @@
</span><span class="cx">
</span><span class="cx"> /* Session id for the current session. */
</span><span class="cx"> u_char session_id[16];
</span><del>- u_int supported_authentications = 0;
-
-@@ -258,10 +259,14 @@
- &perm_ok);
- if (private == NULL && !options.batch_mode && perm_ok) {
</del><ins>+@@ -260,6 +261,10 @@ try_rsa_authentication(int idx)
</ins><span class="cx"> snprintf(buf, sizeof(buf),
</span><span class="cx"> "Enter passphrase for RSA key '%.100s': ", comment);
</span><span class="cx"> for (i = 0; i < options.number_of_password_prompts; i++) {
</span><span class="lines">@@ -2257,14 +1978,10 @@
</span><span class="cx"> passphrase = read_passphrase(buf, 0);
</span><span class="cx"> if (strcmp(passphrase, "") != 0) {
</span><span class="cx"> private = key_load_private_type(KEY_RSA1,
</span><del>- authfile, passphrase, NULL, NULL);
- quit = 0;
-diff --git a/sshconnect2.c b/sshconnect2.c
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -70,10 +70,11 @@
- #include "pathnames.h"
- #include "uidswap.h"
</del><ins>+diff -urp openssh-6.5p1/sshconnect2.c openssh-6.5p1.patched/sshconnect2.c
+--- openssh-6.5p1/sshconnect2.c 2014-01-09 15:58:53.000000000 -0800
++++ openssh-6.5p1.patched/sshconnect2.c 2014-02-15 16:25:56.000000000 -0800
+@@ -72,6 +72,7 @@
</ins><span class="cx"> #include "hostfile.h"
</span><span class="cx"> #include "schnorr.h"
</span><span class="cx"> #include "jpake.h"
</span><span class="lines">@@ -2272,11 +1989,7 @@
</span><span class="cx">
</span><span class="cx"> #ifdef GSSAPI
</span><span class="cx"> #include "ssh-gss.h"
</span><del>- #endif
-
-@@ -1331,10 +1332,14 @@
- if (options.batch_mode)
- return NULL;
</del><ins>+@@ -1335,6 +1336,10 @@ load_identity_file(char *filename, int u
</ins><span class="cx"> snprintf(prompt, sizeof prompt,
</span><span class="cx"> "Enter passphrase for key '%.100s': ", filename);
</span><span class="cx"> for (i = 0; i < options.number_of_password_prompts; i++) {
</span><span class="lines">@@ -2287,14 +2000,11 @@
</span><span class="cx"> passphrase = read_passphrase(prompt, 0);
</span><span class="cx"> if (strcmp(passphrase, "") != 0) {
</span><span class="cx"> private = key_load_private_type(KEY_UNSPEC,
</span><del>- filename, passphrase, NULL, NULL);
- quit = 0;
-diff --git a/sshd.0 b/sshd.0
---- a/sshd.0
-+++ b/sshd.0
-@@ -620,12 +620,12 @@
- The content of this file is not sensitive; it can be world-
- readable.
</del><ins>+Only in openssh-6.5p1.patched: sshconnect2.c.orig
+diff -urp openssh-6.5p1/sshd.0 openssh-6.5p1.patched/sshd.0
+--- openssh-6.5p1/sshd.0 2014-01-29 17:52:47.000000000 -0800
++++ openssh-6.5p1.patched/sshd.0 2014-02-15 16:25:56.000000000 -0800
+@@ -625,8 +625,8 @@ FILES
</ins><span class="cx">
</span><span class="cx"> SEE ALSO
</span><span class="cx"> scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
</span><span class="lines">@@ -2305,14 +2015,11 @@
</span><span class="cx">
</span><span class="cx"> AUTHORS
</span><span class="cx"> OpenSSH is a derivative of the original and free ssh 1.2.12 release by
</span><del>- Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
- de Raadt and Dug Song removed many bugs, re-added newer features and
-diff --git a/sshd.8 b/sshd.8
---- a/sshd.8
-+++ b/sshd.8
-@@ -954,14 +954,11 @@
- .Xr ssh-agent 1 ,
- .Xr ssh-keygen 1 ,
</del><ins>+Only in openssh-6.5p1.patched: sshd.0.orig
+diff -urp openssh-6.5p1/sshd.8 openssh-6.5p1.patched/sshd.8
+--- openssh-6.5p1/sshd.8 2013-12-17 22:46:28.000000000 -0800
++++ openssh-6.5p1.patched/sshd.8 2014-02-15 16:25:56.000000000 -0800
+@@ -961,10 +961,7 @@ The content of this file is not sensitiv
</ins><span class="cx"> .Xr ssh-keyscan 1 ,
</span><span class="cx"> .Xr chroot 2 ,
</span><span class="cx"> .Xr hosts_access 5 ,
</span><span class="lines">@@ -2323,14 +2030,11 @@
</span><span class="cx"> .Xr sftp-server 8
</span><span class="cx"> .Sh AUTHORS
</span><span class="cx"> OpenSSH is a derivative of the original and free
</span><del>- ssh 1.2.12 release by Tatu Ylonen.
- Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
-diff --git a/sshd.c b/sshd.c
---- a/sshd.c
-+++ b/sshd.c
-@@ -2106,23 +2106,23 @@
-
- #ifdef SSH_AUDIT_EVENTS
</del><ins>+Only in openssh-6.5p1.patched: sshd.8.orig
+diff -urp openssh-6.5p1/sshd.c openssh-6.5p1.patched/sshd.c
+--- openssh-6.5p1/sshd.c 2014-01-27 20:08:13.000000000 -0800
++++ openssh-6.5p1.patched/sshd.c 2014-02-15 16:25:56.000000000 -0800
+@@ -2124,6 +2124,12 @@ main(int ac, char **av)
</ins><span class="cx"> audit_event(SSH_AUTH_SUCCESS);
</span><span class="cx"> #endif
</span><span class="cx">
</span><span class="lines">@@ -2343,7 +2047,7 @@
</span><span class="cx"> #ifdef GSSAPI
</span><span class="cx"> if (options.gss_authentication) {
</span><span class="cx"> temporarily_use_uid(authctxt->pw);
</span><del>- ssh_gssapi_storecreds();
</del><ins>+@@ -2131,12 +2137,6 @@ main(int ac, char **av)
</ins><span class="cx"> restore_uid();
</span><span class="cx"> }
</span><span class="cx"> #endif
</span><span class="lines">@@ -2356,14 +2060,11 @@
</span><span class="cx">
</span><span class="cx"> /*
</span><span class="cx"> * In privilege separation, we fork another child and prepare
</span><del>- * file descriptor passing.
- */
-diff --git a/sshd_config b/sshd_config
---- a/sshd_config
-+++ b/sshd_config
-@@ -32,11 +32,11 @@
- # Ciphers and keying
- #RekeyLimit default none
</del><ins>+Only in openssh-6.5p1.patched: sshd.c.orig
+diff -urp openssh-6.5p1/sshd_config openssh-6.5p1.patched/sshd_config
+--- openssh-6.5p1/sshd_config 2014-01-12 00:20:47.000000000 -0800
++++ openssh-6.5p1.patched/sshd_config 2014-02-15 16:25:56.000000000 -0800
+@@ -35,7 +35,7 @@
</ins><span class="cx">
</span><span class="cx"> # Logging
</span><span class="cx"> # obsoletes QuietMode and FascistLogging
</span><span class="lines">@@ -2372,11 +2073,7 @@
</span><span class="cx"> #LogLevel INFO
</span><span class="cx">
</span><span class="cx"> # Authentication:
</span><del>-
- #LoginGraceTime 2m
-@@ -65,12 +65,13 @@
- # RhostsRSAAuthentication and HostbasedAuthentication
- #IgnoreUserKnownHosts no
</del><ins>+@@ -68,8 +68,9 @@ AuthorizedKeysFile .ssh/authorized_keys
</ins><span class="cx"> # Don't read the user's ~/.rhosts and ~/.shosts files
</span><span class="cx"> #IgnoreRhosts yes
</span><span class="cx">
</span><span class="lines">@@ -2388,11 +2085,7 @@
</span><span class="cx"> #PermitEmptyPasswords no
</span><span class="cx">
</span><span class="cx"> # Change to no to disable s/key passwords
</span><del>- #ChallengeResponseAuthentication yes
-
-@@ -91,11 +92,14 @@
- # PAM authentication via ChallengeResponseAuthentication may bypass
- # the setting of "PermitRootLogin without-password".
</del><ins>+@@ -94,7 +95,10 @@ AuthorizedKeysFile .ssh/authorized_keys
</ins><span class="cx"> # If you just want the PAM account and session checks to run without
</span><span class="cx"> # PAM authentication, then enable this but set PasswordAuthentication
</span><span class="cx"> # and ChallengeResponseAuthentication to 'no'.
</span><span class="lines">@@ -2404,14 +2097,10 @@
</span><span class="cx">
</span><span class="cx"> #AllowAgentForwarding yes
</span><span class="cx"> #AllowTcpForwarding yes
</span><del>- #GatewayPorts no
- #X11Forwarding no
-diff --git a/sshd_config.0 b/sshd_config.0
---- a/sshd_config.0
-+++ b/sshd_config.0
-@@ -505,11 +505,11 @@
- increases linearly and all connection attempts are refused if the
- number of unauthenticated connections reaches ``full'' (60).
</del><ins>+diff -urp openssh-6.5p1/sshd_config.0 openssh-6.5p1.patched/sshd_config.0
+--- openssh-6.5p1/sshd_config.0 2014-01-29 17:52:48.000000000 -0800
++++ openssh-6.5p1.patched/sshd_config.0 2014-02-15 16:25:56.000000000 -0800
+@@ -517,7 +517,7 @@ DESCRIPTION
</ins><span class="cx">
</span><span class="cx"> PasswordAuthentication
</span><span class="cx"> Specifies whether password authentication is allowed. The
</span><span class="lines">@@ -2420,11 +2109,7 @@
</span><span class="cx">
</span><span class="cx"> PermitEmptyPasswords
</span><span class="cx"> When password authentication is allowed, it specifies whether the
</span><del>- server allows login to accounts with empty password strings. The
- default is ``no''.
-@@ -707,11 +707,11 @@
- Because PAM challenge-response authentication usually serves an
- equivalent role to password authentication, you should disable
</del><ins>+@@ -723,7 +723,7 @@ DESCRIPTION
</ins><span class="cx"> either PasswordAuthentication or ChallengeResponseAuthentication.
</span><span class="cx">
</span><span class="cx"> If UsePAM is enabled, you will not be able to run sshd(8) as a
</span><span class="lines">@@ -2433,14 +2118,11 @@
</span><span class="cx">
</span><span class="cx"> UsePrivilegeSeparation
</span><span class="cx"> Specifies whether sshd(8) separates privileges by creating an
</span><del>- unprivileged child process to deal with incoming network traffic.
- After successful authentication, another process will be created
-diff --git a/sshd_config.5 b/sshd_config.5
---- a/sshd_config.5
-+++ b/sshd_config.5
-@@ -854,11 +854,11 @@
- .Dq full
- (60).
</del><ins>+Only in openssh-6.5p1.patched: sshd_config.0.orig
+diff -urp openssh-6.5p1/sshd_config.5 openssh-6.5p1.patched/sshd_config.5
+--- openssh-6.5p1/sshd_config.5 2013-12-17 22:47:03.000000000 -0800
++++ openssh-6.5p1.patched/sshd_config.5 2014-02-15 16:25:56.000000000 -0800
+@@ -871,7 +871,7 @@ are refused if the number of unauthentic
</ins><span class="cx"> .It Cm PasswordAuthentication
</span><span class="cx"> Specifies whether password authentication is allowed.
</span><span class="cx"> The default is
</span><span class="lines">@@ -2449,11 +2131,7 @@
</span><span class="cx"> .It Cm PermitEmptyPasswords
</span><span class="cx"> When password authentication is allowed, it specifies whether the
</span><span class="cx"> server allows login to accounts with empty password strings.
</span><del>- The default is
- .Dq no .
-@@ -1181,11 +1181,11 @@
- .Cm UsePAM
- is enabled, you will not be able to run
</del><ins>+@@ -1204,7 +1204,7 @@ is enabled, you will not be able to run
</ins><span class="cx"> .Xr sshd 8
</span><span class="cx"> as a non-root user.
</span><span class="cx"> The default is
</span><span class="lines">@@ -2462,5 +2140,5 @@
</span><span class="cx"> .It Cm UsePrivilegeSeparation
</span><span class="cx"> Specifies whether
</span><span class="cx"> .Xr sshd 8
</span><del>- separates privileges by creating an unprivileged child process
- to deal with incoming network traffic.
</del><ins>+Only in openssh-6.5p1.patched: sshd_config.5.orig
+Only in openssh-6.5p1.patched: sshd_config.orig
</ins></span></pre></div>
<a id="trunkdportsnetopensshfilesopenssh63p1gsskexall20130920patch"></a>
<div class="modfile"><h4>Modified: trunk/dports/net/openssh/files/openssh-6.3p1-gsskex-all-20130920.patch (117111 => 117112)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/dports/net/openssh/files/openssh-6.3p1-gsskex-all-20130920.patch 2014-02-16 21:40:49 UTC (rev 117111)
+++ trunk/dports/net/openssh/files/openssh-6.3p1-gsskex-all-20130920.patch 2014-02-16 21:57:11 UTC (rev 117112)
</span><span class="lines">@@ -1,6 +1,6 @@
</span><del>-diff --speed-large-files --minimal -Nru openssh-5.8p1/ChangeLog.gssapi openssh-5.8p1.new/ChangeLog.gssapi
---- openssh-5.8p1/ChangeLog.gssapi 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-5.8p1.new/ChangeLog.gssapi 2011-02-12 18:07:10.948345760 +0100
</del><ins>+diff -Nrup openssh-6.5p1/ChangeLog.gssapi openssh-6.5p1.patched/ChangeLog.gssapi
+--- openssh-6.5p1/ChangeLog.gssapi 1969-12-31 16:00:00.000000000 -0800
++++ openssh-6.5p1.patched/ChangeLog.gssapi 2014-02-15 16:50:46.000000000 -0800
</ins><span class="cx"> @@ -0,0 +1,113 @@
</span><span class="cx"> +20110101
</span><span class="cx"> + - Finally update for OpenSSH 5.6p1
</span><span class="lines">@@ -115,30 +115,30 @@
</span><span class="cx"> + add support for GssapiTrustDns option for gssapi-with-mic
</span><span class="cx"> + (from jbasney AT ncsa.uiuc.edu)
</span><span class="cx"> + <gssapi-with-mic support is Bugzilla #1008>
</span><del>-diff --speed-large-files --minimal -Nru openssh-5.8p1/Makefile.in openssh-5.8p1.new/Makefile.in
---- openssh-5.8p1/Makefile.in 2011-02-04 01:42:13.000000000 +0100
-+++ openssh-5.8p1.new/Makefile.in 2011-02-12 18:07:10.990611445 +0100
-@@ -75,6 +75,7 @@
</del><ins>+diff -Nrup openssh-6.5p1/Makefile.in openssh-6.5p1.patched/Makefile.in
+--- openssh-6.5p1/Makefile.in 2014-01-26 22:35:04.000000000 -0800
++++ openssh-6.5p1.patched/Makefile.in 2014-02-15 16:51:24.000000000 -0800
+@@ -72,6 +72,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
</ins><span class="cx"> atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
</span><span class="cx"> monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
</span><span class="cx"> kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
</span><span class="cx"> + kexgssc.o \
</span><span class="cx"> msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
</span><del>- jpake.o schnorr.o ssh-pkcs11.o kr1.o
-
-@@ -91,7 +92,7 @@
</del><ins>+ jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \
+ kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
+@@ -91,7 +92,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
</ins><span class="cx"> auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
</span><span class="cx"> monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
</span><del>- auth-krb5.o \
</del><ins>+ kexc25519s.o auth-krb5.o \
</ins><span class="cx"> - auth2-gss.o gss-serv.o gss-serv-krb5.o \
</span><del>-+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\
</del><ins>++ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
</ins><span class="cx"> loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
</span><span class="cx"> sftp-server.o sftp-common.o \
</span><del>- roaming_common.o roaming_serv.o
-diff --speed-large-files --minimal -Nru openssh-5.8p1/auth-krb5.c openssh-5.8p1.new/auth-krb5.c
---- openssh-5.8p1/auth-krb5.c 2009-12-21 00:49:22.000000000 +0100
-+++ openssh-5.8p1.new/auth-krb5.c 2011-02-12 18:07:11.002529804 +0100
-@@ -170,8 +170,13 @@
</del><ins>+ roaming_common.o roaming_serv.o \
+diff -Nrup openssh-6.5p1/auth-krb5.c openssh-6.5p1.patched/auth-krb5.c
+--- openssh-6.5p1/auth-krb5.c 2013-10-23 16:53:02.000000000 -0700
++++ openssh-6.5p1.patched/auth-krb5.c 2014-02-15 16:50:46.000000000 -0800
+@@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, c
</ins><span class="cx">
</span><span class="cx"> len = strlen(authctxt->krb5_ticket_file) + 6;
</span><span class="cx"> authctxt->krb5_ccname = xmalloc(len);
</span><span class="lines">@@ -152,7 +152,7 @@
</span><span class="cx">
</span><span class="cx"> #ifdef USE_PAM
</span><span class="cx"> if (options.use_pam)
</span><del>-@@ -226,15 +231,22 @@
</del><ins>+@@ -240,15 +245,22 @@ krb5_cleanup_proc(Authctxt *authctxt)
</ins><span class="cx"> #ifndef HEIMDAL
</span><span class="cx"> krb5_error_code
</span><span class="cx"> ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
</span><span class="lines">@@ -177,7 +177,7 @@
</span><span class="cx"> old_umask = umask(0177);
</span><span class="cx"> tmpfd = mkstemp(ccname + strlen("FILE:"));
</span><span class="cx"> oerrno = errno;
</span><del>-@@ -249,6 +261,7 @@
</del><ins>+@@ -265,6 +277,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_c
</ins><span class="cx"> return oerrno;
</span><span class="cx"> }
</span><span class="cx"> close(tmpfd);
</span><span class="lines">@@ -185,11 +185,11 @@
</span><span class="cx">
</span><span class="cx"> return (krb5_cc_resolve(ctx, ccname, ccache));
</span><span class="cx"> }
</span><del>-diff --speed-large-files --minimal -Nru openssh-5.8p1/auth2-gss.c openssh-5.8p1.new/auth2-gss.c
---- openssh-5.8p1/auth2-gss.c 2007-12-02 12:59:45.000000000 +0100
-+++ openssh-5.8p1.new/auth2-gss.c 2011-02-12 18:07:11.030761708 +0100
</del><ins>+diff -Nrup openssh-6.5p1/auth2-gss.c openssh-6.5p1.patched/auth2-gss.c
+--- openssh-6.5p1/auth2-gss.c 2013-06-01 14:31:18.000000000 -0700
++++ openssh-6.5p1.patched/auth2-gss.c 2014-02-15 16:50:46.000000000 -0800
</ins><span class="cx"> @@ -1,7 +1,7 @@
</span><del>- /* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */
</del><ins>+ /* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */
</ins><span class="cx">
</span><span class="cx"> /*
</span><span class="cx"> - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
</span><span class="lines">@@ -197,7 +197,7 @@
</span><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><del>-@@ -52,6 +52,40 @@
</del><ins>+@@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u
</ins><span class="cx"> static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
</span><span class="cx"> static void input_gssapi_errtok(int, u_int32_t, void *);
</span><span class="cx">
</span><span class="lines">@@ -238,7 +238,7 @@
</span><span class="cx"> /*
</span><span class="cx"> * We only support those mechanisms that we know about (ie ones that we know
</span><span class="cx"> * how to check local user kuserok and the like)
</span><del>-@@ -242,7 +278,8 @@
</del><ins>+@@ -240,7 +274,8 @@ input_gssapi_exchange_complete(int type,
</ins><span class="cx">
</span><span class="cx"> packet_check_eom();
</span><span class="cx">
</span><span class="lines">@@ -248,7 +248,7 @@
</span><span class="cx">
</span><span class="cx"> authctxt->postponed = 0;
</span><span class="cx"> dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
</span><del>-@@ -277,7 +314,8 @@
</del><ins>+@@ -275,7 +310,8 @@ input_gssapi_mic(int type, u_int32_t ple
</ins><span class="cx"> gssbuf.length = buffer_len(&b);
</span><span class="cx">
</span><span class="cx"> if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
</span><span class="lines">@@ -258,8 +258,8 @@
</span><span class="cx"> else
</span><span class="cx"> logit("GSSAPI MIC check failed");
</span><span class="cx">
</span><del>-@@ -292,6 +330,12 @@
- userauth_finish(authctxt, authenticated, "gssapi-with-mic");
</del><ins>+@@ -290,6 +326,12 @@ input_gssapi_mic(int type, u_int32_t ple
+ userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> +Authmethod method_gsskeyex = {
</span><span class="lines">@@ -271,10 +271,10 @@
</span><span class="cx"> Authmethod method_gssapi = {
</span><span class="cx"> "gssapi-with-mic",
</span><span class="cx"> userauth_gssapi,
</span><del>-diff --speed-large-files --minimal -Nru openssh-5.8p1/auth2.c openssh-5.8p1.new/auth2.c
---- openssh-5.8p1/auth2.c 2010-08-31 14:36:39.000000000 +0200
-+++ openssh-5.8p1.new/auth2.c 2011-02-12 18:07:11.043418162 +0100
-@@ -69,6 +69,7 @@
</del><ins>+diff -Nrup openssh-6.5p1/auth2.c openssh-6.5p1.patched/auth2.c
+--- openssh-6.5p1/auth2.c 2013-06-01 14:41:51.000000000 -0700
++++ openssh-6.5p1.patched/auth2.c 2014-02-15 16:50:46.000000000 -0800
+@@ -69,6 +69,7 @@ extern Authmethod method_passwd;
</ins><span class="cx"> extern Authmethod method_kbdint;
</span><span class="cx"> extern Authmethod method_hostbased;
</span><span class="cx"> #ifdef GSSAPI
</span><span class="lines">@@ -282,7 +282,7 @@
</span><span class="cx"> extern Authmethod method_gssapi;
</span><span class="cx"> #endif
</span><span class="cx"> #ifdef JPAKE
</span><del>-@@ -79,6 +80,7 @@
</del><ins>+@@ -79,6 +80,7 @@ Authmethod *authmethods[] = {
</ins><span class="cx"> &method_none,
</span><span class="cx"> &method_pubkey,
</span><span class="cx"> #ifdef GSSAPI
</span><span class="lines">@@ -290,9 +290,9 @@
</span><span class="cx"> &method_gssapi,
</span><span class="cx"> #endif
</span><span class="cx"> #ifdef JPAKE
</span><del>-diff --speed-large-files --minimal -Nru openssh-5.8p1/clientloop.c openssh-5.8p1.new/clientloop.c
---- openssh-5.8p1/clientloop.c 2011-01-16 13:18:35.000000000 +0100
-+++ openssh-5.8p1.new/clientloop.c 2011-02-12 18:07:11.063578136 +0100
</del><ins>+diff -Nrup openssh-6.5p1/clientloop.c openssh-6.5p1.patched/clientloop.c
+--- openssh-6.5p1/clientloop.c 2013-11-20 18:57:15.000000000 -0800
++++ openssh-6.5p1.patched/clientloop.c 2014-02-15 16:50:46.000000000 -0800
</ins><span class="cx"> @@ -111,6 +111,10 @@
</span><span class="cx"> #include "msg.h"
</span><span class="cx"> #include "roaming.h"
</span><span class="lines">@@ -304,7 +304,7 @@
</span><span class="cx"> /* import options */
</span><span class="cx"> extern Options options;
</span><span class="cx">
</span><del>-@@ -1483,6 +1487,15 @@
</del><ins>+@@ -1608,6 +1612,15 @@ client_loop(int have_pty, int escape_cha
</ins><span class="cx"> /* Do channel operations unless rekeying in progress. */
</span><span class="cx"> if (!rekeying) {
</span><span class="cx"> channel_after_select(readset, writeset);
</span><span class="lines">@@ -320,10 +320,10 @@
</span><span class="cx"> if (need_rekeying || packet_need_rekeying()) {
</span><span class="cx"> debug("need rekeying");
</span><span class="cx"> xxx_kex->done = 0;
</span><del>-diff --speed-large-files --minimal -Nru openssh-5.8p1/configure.ac openssh-5.8p1.new/configure.ac
---- openssh-5.8p1/configure.ac 2011-02-04 01:42:14.000000000 +0100
-+++ openssh-5.8p1.new/configure.ac 2011-02-12 18:07:11.092748915 +0100
-@@ -514,6 +514,30 @@
</del><ins>+diff -Nrup openssh-6.5p1/configure.ac openssh-6.5p1.patched/configure.ac
+--- openssh-6.5p1/configure.ac 2014-01-29 16:26:46.000000000 -0800
++++ openssh-6.5p1.patched/configure.ac 2014-02-15 16:50:46.000000000 -0800
+@@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary("
</ins><span class="cx"> [Use tunnel device compatibility to OpenBSD])
</span><span class="cx"> AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
</span><span class="cx"> [Prepend the address family to IP tunnel traffic])
</span><span class="lines">@@ -353,12 +353,12 @@
</span><span class="cx"> + )
</span><span class="cx"> m4_pattern_allow([AU_IPv])
</span><span class="cx"> AC_CHECK_DECL([AU_IPv4], [],
</span><del>- AC_DEFINE([AU_IPv4], 0, [System only supports IPv4 audit records])
-diff --speed-large-files --minimal -Nru openssh-5.8p1/gss-genr.c openssh-5.8p1.new/gss-genr.c
---- openssh-5.8p1/gss-genr.c 2009-06-22 08:11:07.000000000 +0200
-+++ openssh-5.8p1.new/gss-genr.c 2011-02-12 18:07:11.108432434 +0100
</del><ins>+ AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
+diff -Nrup openssh-6.5p1/gss-genr.c openssh-6.5p1.patched/gss-genr.c
+--- openssh-6.5p1/gss-genr.c 2013-11-07 17:19:57.000000000 -0800
++++ openssh-6.5p1.patched/gss-genr.c 2014-02-15 17:23:28.000000000 -0800
</ins><span class="cx"> @@ -1,7 +1,7 @@
</span><del>- /* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */
</del><ins>+ /* $OpenBSD: gss-genr.c,v 1.22 2013/11/08 00:39:15 djm Exp $ */
</ins><span class="cx">
</span><span class="cx"> /*
</span><span class="cx"> - * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
</span><span class="lines">@@ -534,7 +534,7 @@
</span><span class="cx"> /* Check that the OID in a data stream matches that in the context */
</span><span class="cx"> int
</span><span class="cx"> ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
</span><del>-@@ -197,7 +352,7 @@
</del><ins>+@@ -197,7 +352,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> ctx->major = gss_init_sec_context(&ctx->minor,
</span><span class="lines">@@ -543,7 +543,7 @@
</span><span class="cx"> GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
</span><span class="cx"> 0, NULL, recv_tok, NULL, send_tok, flags, NULL);
</span><span class="cx">
</span><del>-@@ -227,8 +382,42 @@
</del><ins>+@@ -227,8 +382,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> OM_uint32
</span><span class="lines">@@ -586,7 +586,7 @@
</span><span class="cx"> if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
</span><span class="cx"> GSS_C_QOP_DEFAULT, buffer, hash)))
</span><span class="cx"> ssh_gssapi_error(ctx);
</span><del>-@@ -236,6 +425,19 @@
</del><ins>+@@ -236,6 +425,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer
</ins><span class="cx"> return (ctx->major);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -606,7 +606,7 @@
</span><span class="cx"> void
</span><span class="cx"> ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
</span><span class="cx"> const char *context)
</span><del>-@@ -249,11 +451,16 @@
</del><ins>+@@ -249,11 +451,16 @@ ssh_gssapi_buildmic(Buffer *b, const cha
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> int
</span><span class="lines">@@ -624,7 +624,7 @@
</span><span class="cx">
</span><span class="cx"> /* RFC 4462 says we MUST NOT do SPNEGO */
</span><span class="cx"> if (oid->length == spnego_oid.length &&
</span><del>-@@ -263,6 +470,10 @@
</del><ins>+@@ -263,6 +470,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
</ins><span class="cx"> ssh_gssapi_build_ctx(ctx);
</span><span class="cx"> ssh_gssapi_set_oid(*ctx, oid);
</span><span class="cx"> major = ssh_gssapi_import_name(*ctx, host);
</span><span class="lines">@@ -635,7 +635,7 @@
</span><span class="cx"> if (!GSS_ERROR(major)) {
</span><span class="cx"> major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
</span><span class="cx"> NULL);
</span><del>-@@ -272,10 +483,67 @@
</del><ins>+@@ -272,10 +483,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
</ins><span class="cx"> GSS_C_NO_BUFFER);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -655,8 +655,7 @@
</span><span class="cx"> + static OM_uint32 last_call = 0;
</span><span class="cx"> + OM_uint32 lifetime, now, major, minor;
</span><span class="cx"> + int equal;
</span><del>-+ gss_cred_usage_t usage = GSS_C_INITIATE;
-+
</del><ins>++
</ins><span class="cx"> + now = time(NULL);
</span><span class="cx"> +
</span><span class="cx"> + if (ctxt) {
</span><span class="lines">@@ -704,11 +703,11 @@
</span><span class="cx"> +}
</span><span class="cx"> +
</span><span class="cx"> #endif /* GSSAPI */
</span><del>-diff --speed-large-files --minimal -Nru openssh-5.8p1/gss-serv-krb5.c openssh-5.8p1.new/gss-serv-krb5.c
---- openssh-5.8p1/gss-serv-krb5.c 2006-09-01 07:38:36.000000000 +0200
-+++ openssh-5.8p1.new/gss-serv-krb5.c 2011-02-12 18:07:11.123072516 +0100
</del><ins>+diff -Nrup openssh-6.5p1/gss-serv-krb5.c openssh-6.5p1.patched/gss-serv-krb5.c
+--- openssh-6.5p1/gss-serv-krb5.c 2014-01-19 18:18:09.000000000 -0800
++++ openssh-6.5p1.patched/gss-serv-krb5.c 2014-02-15 16:50:46.000000000 -0800
</ins><span class="cx"> @@ -1,7 +1,7 @@
</span><del>- /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
</del><ins>+ /* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */
</ins><span class="cx">
</span><span class="cx"> /*
</span><span class="cx"> - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
</span><span class="lines">@@ -716,15 +715,15 @@
</span><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><del>-@@ -120,6 +120,7 @@
</del><ins>+@@ -122,6 +122,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
</ins><span class="cx"> OM_uint32 maj_status, min_status;
</span><span class="cx"> int len;
</span><del>- const char *errmsg;
</del><ins>+ const char *errmsg;
</ins><span class="cx"> + const char *new_ccname;
</span><span class="cx">
</span><span class="cx"> if (client->creds == NULL) {
</span><span class="cx"> debug("No credentials stored");
</span><del>-@@ -168,11 +169,16 @@
</del><ins>+@@ -180,11 +181,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
</ins><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -745,7 +744,7 @@
</span><span class="cx">
</span><span class="cx"> #ifdef USE_PAM
</span><span class="cx"> if (options.use_pam)
</span><del>-@@ -184,6 +190,71 @@
</del><ins>+@@ -196,6 +202,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
</ins><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -817,7 +816,7 @@
</span><span class="cx"> ssh_gssapi_mech gssapi_kerberos_mech = {
</span><span class="cx"> "toWM5Slw5Ew8Mqkay+al2g==",
</span><span class="cx"> "Kerberos",
</span><del>-@@ -191,7 +262,8 @@
</del><ins>+@@ -203,7 +274,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
</ins><span class="cx"> NULL,
</span><span class="cx"> &ssh_gssapi_krb5_userok,
</span><span class="cx"> NULL,
</span><span class="lines">@@ -827,11 +826,11 @@
</span><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> #endif /* KRB5 */
</span><del>-diff --speed-large-files --minimal -Nru openssh-5.8p1/gss-serv.c openssh-5.8p1.new/gss-serv.c
---- openssh-5.8p1/gss-serv.c 2008-05-19 07:05:07.000000000 +0200
-+++ openssh-5.8p1.new/gss-serv.c 2011-02-12 18:07:11.135178913 +0100
</del><ins>+diff -Nrup openssh-6.5p1/gss-serv.c openssh-6.5p1.patched/gss-serv.c
+--- openssh-6.5p1/gss-serv.c 2013-07-19 20:35:45.000000000 -0700
++++ openssh-6.5p1.patched/gss-serv.c 2014-02-15 16:50:46.000000000 -0800
</ins><span class="cx"> @@ -1,7 +1,7 @@
</span><del>- /* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */
</del><ins>+ /* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */
</ins><span class="cx">
</span><span class="cx"> /*
</span><span class="cx"> - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
</span><span class="lines">@@ -862,7 +861,7 @@
</span><span class="cx">
</span><span class="cx"> #ifdef KRB5
</span><span class="cx"> extern ssh_gssapi_mech gssapi_kerberos_mech;
</span><del>-@@ -81,25 +86,32 @@
</del><ins>+@@ -81,25 +86,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
</ins><span class="cx"> char lname[MAXHOSTNAMELEN];
</span><span class="cx"> gss_OID_set oidset;
</span><span class="cx">
</span><span class="lines">@@ -871,16 +870,16 @@
</span><span class="cx"> + if (options.gss_strict_acceptor) {
</span><span class="cx"> + gss_create_empty_oid_set(&status, &oidset);
</span><span class="cx"> + gss_add_oid_set_member(&status, ctx->oid, &oidset);
</span><ins>++
++ if (gethostname(lname, MAXHOSTNAMELEN)) {
++ gss_release_oid_set(&status, &oidset);
++ return (-1);
++ }
</ins><span class="cx">
</span><span class="cx"> - if (gethostname(lname, MAXHOSTNAMELEN)) {
</span><span class="cx"> - gss_release_oid_set(&status, &oidset);
</span><span class="cx"> - return (-1);
</span><span class="cx"> - }
</span><del>-+ if (gethostname(lname, MAXHOSTNAMELEN)) {
-+ gss_release_oid_set(&status, &oidset);
-+ return (-1);
-+ }
-+
</del><span class="cx"> + if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
</span><span class="cx"> + gss_release_oid_set(&status, &oidset);
</span><span class="cx"> + return (ctx->major);
</span><span class="lines">@@ -909,7 +908,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> /* Privileged */
</span><del>-@@ -114,6 +126,29 @@
</del><ins>+@@ -114,6 +126,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> /* Unprivileged */
</span><span class="lines">@@ -939,7 +938,7 @@
</span><span class="cx"> void
</span><span class="cx"> ssh_gssapi_supported_oids(gss_OID_set *oidset)
</span><span class="cx"> {
</span><del>-@@ -123,7 +158,9 @@
</del><ins>+@@ -123,7 +158,9 @@ ssh_gssapi_supported_oids(gss_OID_set *o
</ins><span class="cx"> gss_OID_set supported;
</span><span class="cx">
</span><span class="cx"> gss_create_empty_oid_set(&min_status, oidset);
</span><span class="lines">@@ -950,15 +949,14 @@
</span><span class="cx">
</span><span class="cx"> while (supported_mechs[i]->name != NULL) {
</span><span class="cx"> if (GSS_ERROR(gss_test_oid_set_member(&min_status,
</span><del>-@@ -247,8 +284,48 @@
</del><ins>+@@ -249,8 +286,48 @@ OM_uint32
</ins><span class="cx"> ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
</span><span class="cx"> {
</span><span class="cx"> int i = 0;
</span><span class="cx"> + int equal = 0;
</span><span class="cx"> + gss_name_t new_name = GSS_C_NO_NAME;
</span><span class="cx"> + gss_buffer_desc ename = GSS_C_EMPTY_BUFFER;
</span><del>-
-- gss_buffer_desc ename;
</del><ins>++
</ins><span class="cx"> + if (options.gss_store_rekey && client->used && ctx->client_creds) {
</span><span class="cx"> + if (client->mech->oid.length != ctx->oid->length ||
</span><span class="cx"> + (memcmp(client->mech->oid.elements,
</span><span class="lines">@@ -976,7 +974,8 @@
</span><span class="cx"> +
</span><span class="cx"> + ctx->major = gss_compare_name(&ctx->minor, client->name,
</span><span class="cx"> + new_name, &equal);
</span><del>-+
</del><ins>+
+- gss_buffer_desc ename;
</ins><span class="cx"> + if (GSS_ERROR(ctx->major)) {
</span><span class="cx"> + ssh_gssapi_error(ctx);
</span><span class="cx"> + return (ctx->major);
</span><span class="lines">@@ -1000,7 +999,7 @@
</span><span class="cx">
</span><span class="cx"> client->mech = NULL;
</span><span class="cx">
</span><del>-@@ -263,6 +340,13 @@
</del><ins>+@@ -265,6 +342,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
</ins><span class="cx"> if (client->mech == NULL)
</span><span class="cx"> return GSS_S_FAILURE;
</span><span class="cx">
</span><span class="lines">@@ -1014,7 +1013,7 @@
</span><span class="cx"> if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
</span><span class="cx"> &client->displayname, NULL))) {
</span><span class="cx"> ssh_gssapi_error(ctx);
</span><del>-@@ -280,6 +364,8 @@
</del><ins>+@@ -282,6 +366,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
</ins><span class="cx"> return (ctx->major);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -1023,7 +1022,7 @@
</span><span class="cx"> /* We can't copy this structure, so we just move the pointer to it */
</span><span class="cx"> client->creds = ctx->client_creds;
</span><span class="cx"> ctx->client_creds = GSS_C_NO_CREDENTIAL;
</span><del>-@@ -327,7 +413,7 @@
</del><ins>+@@ -329,7 +415,7 @@ ssh_gssapi_do_child(char ***envp, u_int
</ins><span class="cx">
</span><span class="cx"> /* Privileged */
</span><span class="cx"> int
</span><span class="lines">@@ -1032,7 +1031,7 @@
</span><span class="cx"> {
</span><span class="cx"> OM_uint32 lmin;
</span><span class="cx">
</span><del>-@@ -337,9 +423,11 @@
</del><ins>+@@ -339,9 +425,11 @@ ssh_gssapi_userok(char *user)
</ins><span class="cx"> return 0;
</span><span class="cx"> }
</span><span class="cx"> if (gssapi_client.mech && gssapi_client.mech->userok)
</span><span class="lines">@@ -1046,7 +1045,7 @@
</span><span class="cx"> /* Destroy delegated credentials if userok fails */
</span><span class="cx"> gss_release_buffer(&lmin, &gssapi_client.displayname);
</span><span class="cx"> gss_release_buffer(&lmin, &gssapi_client.exportedname);
</span><del>-@@ -352,14 +440,90 @@
</del><ins>+@@ -354,14 +442,90 @@ ssh_gssapi_userok(char *user)
</ins><span class="cx"> return (0);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -1143,12 +1142,12 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> #endif
</span><del>-diff --speed-large-files --minimal -Nru openssh-5.8p1/kex.c openssh-5.8p1.new/kex.c
---- openssh-5.8p1/kex.c 2010-09-24 14:11:14.000000000 +0200
-+++ openssh-5.8p1.new/kex.c 2011-02-12 18:07:11.149564726 +0100
-@@ -50,6 +50,10 @@
- #include "monitor.h"
</del><ins>+diff -Nrup openssh-6.5p1/kex.c openssh-6.5p1.patched/kex.c
+--- openssh-6.5p1/kex.c 2014-01-25 14:38:04.000000000 -0800
++++ openssh-6.5p1.patched/kex.c 2014-02-15 17:24:33.000000000 -0800
+@@ -51,6 +51,10 @@
</ins><span class="cx"> #include "roaming.h"
</span><ins>+ #include "digest.h"
</ins><span class="cx">
</span><span class="cx"> +#ifdef GSSAPI
</span><span class="cx"> +#include "ssh-gss.h"
</span><span class="lines">@@ -1157,34 +1156,34 @@
</span><span class="cx"> #if OPENSSL_VERSION_NUMBER >= 0x00907000L
</span><span class="cx"> # if defined(HAVE_EVP_SHA256)
</span><span class="cx"> # define evp_ssh_sha256 EVP_sha256
</span><del>-@@ -80,6 +84,11 @@
- { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, EVP_sha384 },
- { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, EVP_sha512 },
</del><ins>+@@ -90,6 +94,11 @@ static const struct kexalg kexalgs[] = {
+ #ifdef HAVE_EVP_SHA256
+ { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
</ins><span class="cx"> #endif
</span><span class="cx"> +#ifdef GSSAPI
</span><del>-+ { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, EVP_sha1 },
-+ { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, EVP_sha1 },
-+ { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, EVP_sha1 },
</del><ins>++ { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
++ { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
++ { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
</ins><span class="cx"> +#endif
</span><del>- { NULL, -1, -1, NULL},
</del><ins>+ { NULL, -1, -1, -1},
</ins><span class="cx"> };
</span><span class="cx">
</span><del>-diff --speed-large-files --minimal -Nru openssh-5.8p1/kex.h openssh-5.8p1.new/kex.h
---- openssh-5.8p1/kex.h 2010-09-24 14:11:14.000000000 +0200
-+++ openssh-5.8p1.new/kex.h 2011-02-12 18:07:11.161650596 +0100
-@@ -73,6 +73,9 @@
- KEX_DH_GEX_SHA1,
</del><ins>+diff -Nrup openssh-6.5p1/kex.h openssh-6.5p1.patched/kex.h
+--- openssh-6.5p1/kex.h 2014-01-25 14:37:26.000000000 -0800
++++ openssh-6.5p1.patched/kex.h 2014-02-15 16:52:30.000000000 -0800
+@@ -76,6 +76,9 @@ enum kex_exchange {
</ins><span class="cx"> KEX_DH_GEX_SHA256,
</span><span class="cx"> KEX_ECDH_SHA2,
</span><ins>+ KEX_C25519_SHA256,
</ins><span class="cx"> + KEX_GSS_GRP1_SHA1,
</span><span class="cx"> + KEX_GSS_GRP14_SHA1,
</span><span class="cx"> + KEX_GSS_GEX_SHA1,
</span><span class="cx"> KEX_MAX
</span><span class="cx"> };
</span><span class="cx">
</span><del>-@@ -129,6 +132,12 @@
</del><ins>+@@ -136,6 +139,12 @@ struct Kex {
</ins><span class="cx"> int flags;
</span><del>- const EVP_MD *evp_md;
</del><ins>+ int hash_alg;
</ins><span class="cx"> int ec_nid;
</span><span class="cx"> +#ifdef GSSAPI
</span><span class="cx"> + int gss_deleg_creds;
</span><span class="lines">@@ -1195,9 +1194,9 @@
</span><span class="cx"> char *client_version_string;
</span><span class="cx"> char *server_version_string;
</span><span class="cx"> int (*verify_host_key)(Key *);
</span><del>-@@ -156,6 +165,11 @@
- void kexecdh_client(Kex *);
- void kexecdh_server(Kex *);
</del><ins>+@@ -168,6 +177,11 @@ void kexecdh_server(Kex *);
+ void kexc25519_client(Kex *);
+ void kexc25519_server(Kex *);
</ins><span class="cx">
</span><span class="cx"> +#ifdef GSSAPI
</span><span class="cx"> +void kexgss_client(Kex *);
</span><span class="lines">@@ -1207,10 +1206,10 @@
</span><span class="cx"> void
</span><span class="cx"> kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
</span><span class="cx"> BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
</span><del>-diff --speed-large-files --minimal -Nru openssh-5.8p1/kexgssc.c openssh-5.8p1.new/kexgssc.c
---- openssh-5.8p1/kexgssc.c 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-5.8p1.new/kexgssc.c 2011-02-12 18:07:11.176741991 +0100
-@@ -0,0 +1,334 @@
</del><ins>+diff -Nrup openssh-6.5p1/kexgssc.c openssh-6.5p1.patched/kexgssc.c
+--- openssh-6.5p1/kexgssc.c 1969-12-31 16:00:00.000000000 -0800
++++ openssh-6.5p1.patched/kexgssc.c 2014-02-15 17:17:35.000000000 -0800
+@@ -0,0 +1,339 @@
</ins><span class="cx"> +/*
</span><span class="cx"> + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
</span><span class="cx"> + *
</span><span class="lines">@@ -1268,6 +1267,7 @@
</span><span class="cx"> + DH *dh;
</span><span class="cx"> + BIGNUM *dh_server_pub = NULL;
</span><span class="cx"> + BIGNUM *shared_secret = NULL;
</span><ins>++ Buffer shared_secret_buffer;
</ins><span class="cx"> + BIGNUM *p = NULL;
</span><span class="cx"> + BIGNUM *g = NULL;
</span><span class="cx"> + u_char *kbuf, *hash;
</span><span class="lines">@@ -1492,7 +1492,7 @@
</span><span class="cx"> + break;
</span><span class="cx"> + case KEX_GSS_GEX_SHA1:
</span><span class="cx"> + kexgex_hash(
</span><del>-+ kex->evp_md,
</del><ins>++ kex->hash_alg,
</ins><span class="cx"> + kex->client_version_string,
</span><span class="cx"> + kex->server_version_string,
</span><span class="cx"> + buffer_ptr(&kex->my), buffer_len(&kex->my),
</span><span class="lines">@@ -1539,16 +1539,20 @@
</span><span class="cx"> + else
</span><span class="cx"> + ssh_gssapi_delete_ctx(&ctxt);
</span><span class="cx"> +
</span><del>-+ kex_derive_keys(kex, hash, hashlen, shared_secret);
</del><ins>++ buffer_init(&shared_secret_buffer);
++ buffer_put_bignum2(&shared_secret_buffer, shared_secret);
++ kex_derive_keys(kex, hash, hashlen, buffer_ptr(&shared_secret_buffer),
++ buffer_len(&shared_secret_buffer));
++ buffer_free(&shared_secret_buffer);
</ins><span class="cx"> + BN_clear_free(shared_secret);
</span><span class="cx"> + kex_finish(kex);
</span><span class="cx"> +}
</span><span class="cx"> +
</span><span class="cx"> +#endif /* GSSAPI */
</span><del>-diff --speed-large-files --minimal -Nru openssh-5.8p1/kexgsss.c openssh-5.8p1.new/kexgsss.c
---- openssh-5.8p1/kexgsss.c 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-5.8p1.new/kexgsss.c 2011-02-12 18:07:11.186584789 +0100
-@@ -0,0 +1,288 @@
</del><ins>+diff -Nrup openssh-6.5p1/kexgsss.c openssh-6.5p1.patched/kexgsss.c
+--- openssh-6.5p1/kexgsss.c 1969-12-31 16:00:00.000000000 -0800
++++ openssh-6.5p1.patched/kexgsss.c 2014-02-15 17:31:24.000000000 -0800
+@@ -0,0 +1,293 @@
</ins><span class="cx"> +/*
</span><span class="cx"> + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
</span><span class="cx"> + *
</span><span class="lines">@@ -1618,6 +1622,7 @@
</span><span class="cx"> + DH *dh;
</span><span class="cx"> + int min = -1, max = -1, nbits = -1;
</span><span class="cx"> + BIGNUM *shared_secret = NULL;
</span><ins>++ Buffer shared_secret_buffer;
</ins><span class="cx"> + BIGNUM *dh_client_pub = NULL;
</span><span class="cx"> + int type = 0;
</span><span class="cx"> + gss_OID oid;
</span><span class="lines">@@ -1774,7 +1779,7 @@
</span><span class="cx"> + break;
</span><span class="cx"> + case KEX_GSS_GEX_SHA1:
</span><span class="cx"> + kexgex_hash(
</span><del>-+ kex->evp_md,
</del><ins>++ kex->hash_alg,
</ins><span class="cx"> + kex->client_version_string, kex->server_version_string,
</span><span class="cx"> + buffer_ptr(&kex->peer), buffer_len(&kex->peer),
</span><span class="cx"> + buffer_ptr(&kex->my), buffer_len(&kex->my),
</span><span class="lines">@@ -1827,7 +1832,11 @@
</span><span class="cx"> +
</span><span class="cx"> + DH_free(dh);
</span><span class="cx"> +
</span><del>-+ kex_derive_keys(kex, hash, hashlen, shared_secret);
</del><ins>++ buffer_init(&shared_secret_buffer);
++ buffer_put_bignum2(&shared_secret_buffer, shared_secret);
++ kex_derive_keys(kex, hash, hashlen, buffer_ptr(&shared_secret_buffer),
++ buffer_len(&shared_secret_buffer));
++ buffer_free(&shared_secret_buffer);
</ins><span class="cx"> + BN_clear_free(shared_secret);
</span><span class="cx"> + kex_finish(kex);
</span><span class="cx"> +
</span><span class="lines">@@ -1837,32 +1846,32 @@
</span><span class="cx"> + ssh_gssapi_rekey_creds();
</span><span class="cx"> +}
</span><span class="cx"> +#endif /* GSSAPI */
</span><del>-diff --speed-large-files --minimal -Nru openssh-5.8p1/key.c openssh-5.8p1.new/key.c
---- openssh-5.8p1/key.c 2011-02-04 01:48:34.000000000 +0100
-+++ openssh-5.8p1.new/key.c 2011-02-12 18:07:11.202089386 +0100
-@@ -929,6 +929,7 @@
- { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT",
</del><ins>+diff -Nrup openssh-6.5p1/key.c openssh-6.5p1.patched/key.c
+--- openssh-6.5p1/key.c 2014-01-09 15:58:53.000000000 -0800
++++ openssh-6.5p1.patched/key.c 2014-02-15 16:50:46.000000000 -0800
+@@ -979,6 +979,7 @@ static const struct keytype keytypes[] =
</ins><span class="cx"> KEY_ECDSA_CERT, NID_secp521r1, 1 },
</span><ins>+ # endif
</ins><span class="cx"> #endif /* OPENSSL_HAS_ECC */
</span><span class="cx"> + { "null", "null", KEY_NULL, 0, 0 },
</span><span class="cx"> { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00",
</span><span class="cx"> KEY_RSA_CERT_V00, 0, 1 },
</span><span class="cx"> { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
</span><del>-diff --speed-large-files --minimal -Nru openssh-5.8p1/key.h openssh-5.8p1.new/key.h
---- openssh-5.8p1/key.h 2010-11-05 00:19:49.000000000 +0100
-+++ openssh-5.8p1.new/key.h 2011-02-12 18:07:11.216270794 +0100
-@@ -44,6 +44,7 @@
- KEY_ECDSA_CERT,
</del><ins>+diff -Nrup openssh-6.5p1/key.h openssh-6.5p1.patched/key.h
+--- openssh-6.5p1/key.h 2014-01-09 15:58:53.000000000 -0800
++++ openssh-6.5p1.patched/key.h 2014-02-15 16:50:46.000000000 -0800
+@@ -46,6 +46,7 @@ enum types {
+ KEY_ED25519_CERT,
</ins><span class="cx"> KEY_RSA_CERT_V00,
</span><span class="cx"> KEY_DSA_CERT_V00,
</span><span class="cx"> + KEY_NULL,
</span><span class="cx"> KEY_UNSPEC
</span><span class="cx"> };
</span><span class="cx"> enum fp_type {
</span><del>-diff --speed-large-files --minimal -Nru openssh-5.8p1/monitor.c openssh-5.8p1.new/monitor.c
---- openssh-5.8p1/monitor.c 2010-09-10 03:23:34.000000000 +0200
-+++ openssh-5.8p1.new/monitor.c 2011-02-12 18:07:11.241713537 +0100
-@@ -172,6 +172,8 @@
</del><ins>+diff -Nrup openssh-6.5p1/monitor.c openssh-6.5p1.patched/monitor.c
+--- openssh-6.5p1/monitor.c 2013-11-06 18:32:52.000000000 -0800
++++ openssh-6.5p1.patched/monitor.c 2014-02-15 16:53:04.000000000 -0800
+@@ -181,6 +181,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
</ins><span class="cx"> int mm_answer_gss_accept_ctx(int, Buffer *);
</span><span class="cx"> int mm_answer_gss_userok(int, Buffer *);
</span><span class="cx"> int mm_answer_gss_checkmic(int, Buffer *);
</span><span class="lines">@@ -1871,7 +1880,7 @@
</span><span class="cx"> #endif
</span><span class="cx">
</span><span class="cx"> #ifdef SSH_AUDIT_EVENTS
</span><del>-@@ -241,6 +243,7 @@
</del><ins>+@@ -253,6 +255,7 @@ struct mon_table mon_dispatch_proto20[]
</ins><span class="cx"> {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
</span><span class="cx"> {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
</span><span class="cx"> {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
</span><span class="lines">@@ -1879,7 +1888,7 @@
</span><span class="cx"> #endif
</span><span class="cx"> #ifdef JPAKE
</span><span class="cx"> {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
</span><del>-@@ -253,6 +256,12 @@
</del><ins>+@@ -265,6 +268,12 @@ struct mon_table mon_dispatch_proto20[]
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> struct mon_table mon_dispatch_postauth20[] = {
</span><span class="lines">@@ -1892,7 +1901,7 @@
</span><span class="cx"> {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
</span><span class="cx"> {MONITOR_REQ_SIGN, 0, mm_answer_sign},
</span><span class="cx"> {MONITOR_REQ_PTY, 0, mm_answer_pty},
</span><del>-@@ -357,6 +366,10 @@
</del><ins>+@@ -373,6 +382,10 @@ monitor_child_preauth(Authctxt *_authctx
</ins><span class="cx"> /* Permit requests for moduli and signatures */
</span><span class="cx"> monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
</span><span class="cx"> monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
</span><span class="lines">@@ -1903,7 +1912,7 @@
</span><span class="cx"> } else {
</span><span class="cx"> mon_dispatch = mon_dispatch_proto15;
</span><span class="cx">
</span><del>-@@ -443,6 +456,10 @@
</del><ins>+@@ -487,6 +500,10 @@ monitor_child_postauth(struct monitor *p
</ins><span class="cx"> monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
</span><span class="cx"> monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
</span><span class="cx"> monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
</span><span class="lines">@@ -1914,10 +1923,10 @@
</span><span class="cx"> } else {
</span><span class="cx"> mon_dispatch = mon_dispatch_postauth15;
</span><span class="cx"> monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
</span><del>-@@ -1692,6 +1709,13 @@
- kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
</del><ins>+@@ -1856,6 +1873,13 @@ mm_get_kex(Buffer *m)
</ins><span class="cx"> kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
</span><span class="cx"> kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
</span><ins>+ kex->kex[KEX_C25519_SHA256] = kexc25519_server;
</ins><span class="cx"> +#ifdef GSSAPI
</span><span class="cx"> + if (options.gss_keyex) {
</span><span class="cx"> + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
</span><span class="lines">@@ -1928,7 +1937,7 @@
</span><span class="cx"> kex->server = 1;
</span><span class="cx"> kex->hostkey_type = buffer_get_int(m);
</span><span class="cx"> kex->kex_type = buffer_get_int(m);
</span><del>-@@ -1898,6 +1922,9 @@
</del><ins>+@@ -2063,6 +2087,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
</ins><span class="cx"> OM_uint32 major;
</span><span class="cx"> u_int len;
</span><span class="cx">
</span><span class="lines">@@ -1938,7 +1947,7 @@
</span><span class="cx"> goid.elements = buffer_get_string(m, &len);
</span><span class="cx"> goid.length = len;
</span><span class="cx">
</span><del>-@@ -1925,6 +1952,9 @@
</del><ins>+@@ -2090,6 +2117,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
</ins><span class="cx"> OM_uint32 flags = 0; /* GSI needs this */
</span><span class="cx"> u_int len;
</span><span class="cx">
</span><span class="lines">@@ -1948,7 +1957,7 @@
</span><span class="cx"> in.value = buffer_get_string(m, &len);
</span><span class="cx"> in.length = len;
</span><span class="cx"> major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
</span><del>-@@ -1942,6 +1972,7 @@
</del><ins>+@@ -2107,6 +2137,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
</ins><span class="cx"> monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
</span><span class="cx"> monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
</span><span class="cx"> monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
</span><span class="lines">@@ -1956,7 +1965,7 @@
</span><span class="cx"> }
</span><span class="cx"> return (0);
</span><span class="cx"> }
</span><del>-@@ -1953,6 +1984,9 @@
</del><ins>+@@ -2118,6 +2149,9 @@ mm_answer_gss_checkmic(int sock, Buffer
</ins><span class="cx"> OM_uint32 ret;
</span><span class="cx"> u_int len;
</span><span class="cx">
</span><span class="lines">@@ -1966,7 +1975,7 @@
</span><span class="cx"> gssbuf.value = buffer_get_string(m, &len);
</span><span class="cx"> gssbuf.length = len;
</span><span class="cx"> mic.value = buffer_get_string(m, &len);
</span><del>-@@ -1979,7 +2013,11 @@
</del><ins>+@@ -2144,7 +2178,11 @@ mm_answer_gss_userok(int sock, Buffer *m
</ins><span class="cx"> {
</span><span class="cx"> int authenticated;
</span><span class="cx">
</span><span class="lines">@@ -1979,7 +1988,7 @@
</span><span class="cx">
</span><span class="cx"> buffer_clear(m);
</span><span class="cx"> buffer_put_int(m, authenticated);
</span><del>-@@ -1992,6 +2030,74 @@
</del><ins>+@@ -2157,6 +2195,74 @@ mm_answer_gss_userok(int sock, Buffer *m
</ins><span class="cx"> /* Monitor loop will terminate if authenticated */
</span><span class="cx"> return (authenticated);
</span><span class="cx"> }
</span><span class="lines">@@ -2054,24 +2063,23 @@
</span><span class="cx"> #endif /* GSSAPI */
</span><span class="cx">
</span><span class="cx"> #ifdef JPAKE
</span><del>-diff --speed-large-files --minimal -Nru openssh-5.8p1/monitor.h openssh-5.8p1.new/monitor.h
---- openssh-5.8p1/monitor.h 2008-11-05 06:20:46.000000000 +0100
-+++ openssh-5.8p1.new/monitor.h 2011-02-12 18:07:11.311728071 +0100
-@@ -53,6 +53,9 @@
- MONITOR_REQ_JPAKE_STEP2 = 56, MONITOR_ANS_JPAKE_STEP2 = 57,
- MONITOR_REQ_JPAKE_KEY_CONFIRM = 58, MONITOR_ANS_JPAKE_KEY_CONFIRM = 59,
- MONITOR_REQ_JPAKE_CHECK_CONFIRM = 60, MONITOR_ANS_JPAKE_CHECK_CONFIRM = 61,
-+
</del><ins>+diff -Nrup openssh-6.5p1/monitor.h openssh-6.5p1.patched/monitor.h
+--- openssh-6.5p1/monitor.h 2012-12-02 14:53:21.000000000 -0800
++++ openssh-6.5p1.patched/monitor.h 2014-02-15 16:50:46.000000000 -0800
+@@ -62,6 +62,9 @@ enum monitor_reqtype {
+ MONITOR_REQ_JPAKE_KEY_CONFIRM = 58, MONITOR_ANS_JPAKE_KEY_CONFIRM = 59,
+ MONITOR_REQ_JPAKE_CHECK_CONFIRM = 60, MONITOR_ANS_JPAKE_CHECK_CONFIRM = 61,
+
</ins><span class="cx"> + MONITOR_REQ_GSSSIGN = 62, MONITOR_ANS_GSSSIGN = 63,
</span><span class="cx"> + MONITOR_REQ_GSSUPCREDS = 64, MONITOR_ANS_GSSUPCREDS = 65,
</span><del>-
- MONITOR_REQ_PAM_START = 100,
- MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
- MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
-diff --speed-large-files --minimal -Nru openssh-5.8p1/monitor_wrap.c openssh-5.8p1.new/monitor_wrap.c
---- openssh-5.8p1/monitor_wrap.c 2010-08-31 14:41:14.000000000 +0200
-+++ openssh-5.8p1.new/monitor_wrap.c 2011-02-12 18:07:11.359631731 +0100
-@@ -1232,7 +1232,7 @@
</del><ins>++
+ MONITOR_REQ_PAM_START = 100,
+ MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
+ MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
+diff -Nrup openssh-6.5p1/monitor_wrap.c openssh-6.5p1.patched/monitor_wrap.c
+--- openssh-6.5p1/monitor_wrap.c 2013-11-06 18:35:39.000000000 -0800
++++ openssh-6.5p1.patched/monitor_wrap.c 2014-02-15 16:50:46.000000000 -0800
+@@ -1273,7 +1273,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> int
</span><span class="lines">@@ -2080,7 +2088,7 @@
</span><span class="cx"> {
</span><span class="cx"> Buffer m;
</span><span class="cx"> int authenticated = 0;
</span><del>-@@ -1249,6 +1249,51 @@
</del><ins>+@@ -1290,6 +1290,51 @@ mm_ssh_gssapi_userok(char *user)
</ins><span class="cx"> debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
</span><span class="cx"> return (authenticated);
</span><span class="cx"> }
</span><span class="lines">@@ -2132,10 +2140,10 @@
</span><span class="cx"> #endif /* GSSAPI */
</span><span class="cx">
</span><span class="cx"> #ifdef JPAKE
</span><del>-diff --speed-large-files --minimal -Nru openssh-5.8p1/monitor_wrap.h openssh-5.8p1.new/monitor_wrap.h
---- openssh-5.8p1/monitor_wrap.h 2009-03-05 14:58:22.000000000 +0100
-+++ openssh-5.8p1.new/monitor_wrap.h 2011-02-12 18:07:11.407619296 +0100
-@@ -57,8 +57,10 @@
</del><ins>+diff -Nrup openssh-6.5p1/monitor_wrap.h openssh-6.5p1.patched/monitor_wrap.h
+--- openssh-6.5p1/monitor_wrap.h 2011-06-19 21:42:23.000000000 -0700
++++ openssh-6.5p1.patched/monitor_wrap.h 2014-02-15 16:50:46.000000000 -0800
+@@ -58,8 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
</ins><span class="cx"> OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
</span><span class="cx"> OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
</span><span class="cx"> gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
</span><span class="lines">@@ -2147,10 +2155,10 @@
</span><span class="cx"> #endif
</span><span class="cx">
</span><span class="cx"> #ifdef USE_PAM
</span><del>-diff --speed-large-files --minimal -Nru openssh-5.8p1/readconf.c openssh-5.8p1.new/readconf.c
---- openssh-5.8p1/readconf.c 2010-11-20 05:19:38.000000000 +0100
-+++ openssh-5.8p1.new/readconf.c 2011-02-12 18:07:11.460306621 +0100
-@@ -129,6 +129,8 @@
</del><ins>+diff -Nrup openssh-6.5p1/readconf.c openssh-6.5p1.patched/readconf.c
+--- openssh-6.5p1/readconf.c 2014-01-17 05:03:57.000000000 -0800
++++ openssh-6.5p1.patched/readconf.c 2014-02-15 16:50:46.000000000 -0800
+@@ -140,6 +140,8 @@ typedef enum {
</ins><span class="cx"> oClearAllForwardings, oNoHostAuthenticationForLocalhost,
</span><span class="cx"> oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
</span><span class="cx"> oAddressFamily, oGssAuthentication, oGssDelegateCreds,
</span><span class="lines">@@ -2159,7 +2167,7 @@
</span><span class="cx"> oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
</span><span class="cx"> oSendEnv, oControlPath, oControlMaster, oControlPersist,
</span><span class="cx"> oHashKnownHosts,
</span><del>-@@ -169,10 +171,19 @@
</del><ins>+@@ -182,10 +184,19 @@ static struct {
</ins><span class="cx"> { "afstokenpassing", oUnsupported },
</span><span class="cx"> #if defined(GSSAPI)
</span><span class="cx"> { "gssapiauthentication", oGssAuthentication },
</span><span class="lines">@@ -2179,7 +2187,7 @@
</span><span class="cx"> #endif
</span><span class="cx"> { "fallbacktorsh", oDeprecated },
</span><span class="cx"> { "usersh", oDeprecated },
</span><del>-@@ -479,10 +490,30 @@
</del><ins>+@@ -839,10 +850,30 @@ parse_time:
</ins><span class="cx"> intptr = &options->gss_authentication;
</span><span class="cx"> goto parse_flag;
</span><span class="cx">
</span><span class="lines">@@ -2210,7 +2218,7 @@
</span><span class="cx"> case oBatchMode:
</span><span class="cx"> intptr = &options->batch_mode;
</span><span class="cx"> goto parse_flag;
</span><del>-@@ -1092,7 +1123,12 @@
</del><ins>+@@ -1488,7 +1519,12 @@ initialize_options(Options * options)
</ins><span class="cx"> options->pubkey_authentication = -1;
</span><span class="cx"> options->challenge_response_authentication = -1;
</span><span class="cx"> options->gss_authentication = -1;
</span><span class="lines">@@ -2223,7 +2231,7 @@
</span><span class="cx"> options->password_authentication = -1;
</span><span class="cx"> options->kbd_interactive_authentication = -1;
</span><span class="cx"> options->kbd_interactive_devices = NULL;
</span><del>-@@ -1193,8 +1229,14 @@
</del><ins>+@@ -1594,8 +1630,14 @@ fill_default_options(Options * options)
</ins><span class="cx"> options->challenge_response_authentication = 1;
</span><span class="cx"> if (options->gss_authentication == -1)
</span><span class="cx"> options->gss_authentication = 0;
</span><span class="lines">@@ -2238,10 +2246,10 @@
</span><span class="cx"> if (options->password_authentication == -1)
</span><span class="cx"> options->password_authentication = 1;
</span><span class="cx"> if (options->kbd_interactive_authentication == -1)
</span><del>-diff --speed-large-files --minimal -Nru openssh-5.8p1/readconf.h openssh-5.8p1.new/readconf.h
---- openssh-5.8p1/readconf.h 2010-11-20 05:19:38.000000000 +0100
-+++ openssh-5.8p1.new/readconf.h 2011-02-12 18:07:11.507187275 +0100
-@@ -46,7 +46,12 @@
</del><ins>+diff -Nrup openssh-6.5p1/readconf.h openssh-6.5p1.patched/readconf.h
+--- openssh-6.5p1/readconf.h 2013-10-16 17:48:14.000000000 -0700
++++ openssh-6.5p1.patched/readconf.h 2014-02-15 16:50:46.000000000 -0800
+@@ -54,7 +54,12 @@ typedef struct {
</ins><span class="cx"> int challenge_response_authentication;
</span><span class="cx"> /* Try S/Key or TIS, authentication. */
</span><span class="cx"> int gss_authentication; /* Try GSS authentication */
</span><span class="lines">@@ -2254,10 +2262,10 @@
</span><span class="cx"> int password_authentication; /* Try password
</span><span class="cx"> * authentication. */
</span><span class="cx"> int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
</span><del>-diff --speed-large-files --minimal -Nru openssh-5.8p1/servconf.c openssh-5.8p1.new/servconf.c
---- openssh-5.8p1/servconf.c 2010-11-20 05:19:38.000000000 +0100
-+++ openssh-5.8p1.new/servconf.c 2011-02-12 18:07:11.533252334 +0100
-@@ -97,7 +97,10 @@
</del><ins>+diff -Nrup openssh-6.5p1/servconf.c openssh-6.5p1.patched/servconf.c
+--- openssh-6.5p1/servconf.c 2013-12-06 16:24:02.000000000 -0800
++++ openssh-6.5p1.patched/servconf.c 2014-02-15 16:50:46.000000000 -0800
+@@ -108,7 +108,10 @@ initialize_server_options(ServerOptions
</ins><span class="cx"> options->kerberos_ticket_cleanup = -1;
</span><span class="cx"> options->kerberos_get_afs_token = -1;
</span><span class="cx"> options->gss_authentication=-1;
</span><span class="lines">@@ -2268,7 +2276,7 @@
</span><span class="cx"> options->password_authentication = -1;
</span><span class="cx"> options->kbd_interactive_authentication = -1;
</span><span class="cx"> options->challenge_response_authentication = -1;
</span><del>-@@ -226,8 +229,14 @@
</del><ins>+@@ -245,8 +248,14 @@ fill_default_server_options(ServerOption
</ins><span class="cx"> options->kerberos_get_afs_token = 0;
</span><span class="cx"> if (options->gss_authentication == -1)
</span><span class="cx"> options->gss_authentication = 0;
</span><span class="lines">@@ -2283,7 +2291,7 @@
</span><span class="cx"> if (options->password_authentication == -1)
</span><span class="cx"> options->password_authentication = 1;
</span><span class="cx"> if (options->kbd_interactive_authentication == -1)
</span><del>-@@ -322,7 +331,9 @@
</del><ins>+@@ -343,7 +352,9 @@ typedef enum {
</ins><span class="cx"> sBanner, sUseDNS, sHostbasedAuthentication,
</span><span class="cx"> sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
</span><span class="cx"> sClientAliveCountMax, sAuthorizedKeysFile,
</span><span class="lines">@@ -2294,7 +2302,7 @@
</span><span class="cx"> sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
</span><span class="cx"> sUsePrivilegeSeparation, sAllowAgentForwarding,
</span><span class="cx"> sZeroKnowledgePasswordAuthentication, sHostCertificate,
</span><del>-@@ -386,10 +397,20 @@
</del><ins>+@@ -410,10 +421,20 @@ static struct {
</ins><span class="cx"> #ifdef GSSAPI
</span><span class="cx"> { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
</span><span class="cx"> { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
</span><span class="lines">@@ -2315,7 +2323,7 @@
</span><span class="cx"> { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
</span><span class="cx"> { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
</span><span class="cx"> { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
</span><del>-@@ -944,10 +965,22 @@
</del><ins>+@@ -1094,10 +1115,22 @@ process_server_config_line(ServerOptions
</ins><span class="cx"> intptr = &options->gss_authentication;
</span><span class="cx"> goto parse_flag;
</span><span class="cx">
</span><span class="lines">@@ -2338,7 +2346,7 @@
</span><span class="cx"> case sPasswordAuthentication:
</span><span class="cx"> intptr = &options->password_authentication;
</span><span class="cx"> goto parse_flag;
</span><del>-@@ -1704,7 +1737,10 @@
</del><ins>+@@ -2008,7 +2041,10 @@ dump_config(ServerOptions *o)
</ins><span class="cx"> #endif
</span><span class="cx"> #ifdef GSSAPI
</span><span class="cx"> dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
</span><span class="lines">@@ -2349,10 +2357,10 @@
</span><span class="cx"> #endif
</span><span class="cx"> #ifdef JPAKE
</span><span class="cx"> dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
</span><del>-diff --speed-large-files --minimal -Nru openssh-5.8p1/servconf.h openssh-5.8p1.new/servconf.h
---- openssh-5.8p1/servconf.h 2010-11-20 05:19:38.000000000 +0100
-+++ openssh-5.8p1.new/servconf.h 2011-02-12 18:07:11.548572408 +0100
-@@ -97,7 +97,10 @@
</del><ins>+diff -Nrup openssh-6.5p1/servconf.h openssh-6.5p1.patched/servconf.h
+--- openssh-6.5p1/servconf.h 2013-12-04 19:07:28.000000000 -0800
++++ openssh-6.5p1.patched/servconf.h 2014-02-15 16:50:46.000000000 -0800
+@@ -112,7 +112,10 @@ typedef struct {
</ins><span class="cx"> int kerberos_get_afs_token; /* If true, try to get AFS token if
</span><span class="cx"> * authenticated with Kerberos. */
</span><span class="cx"> int gss_authentication; /* If true, permit GSSAPI authentication */
</span><span class="lines">@@ -2363,9 +2371,9 @@
</span><span class="cx"> int password_authentication; /* If true, permit password
</span><span class="cx"> * authentication. */
</span><span class="cx"> int kbd_interactive_authentication; /* If true, permit */
</span><del>-diff --speed-large-files --minimal -Nru openssh-5.8p1/ssh-gss.h openssh-5.8p1.new/ssh-gss.h
---- openssh-5.8p1/ssh-gss.h 2007-06-12 15:40:39.000000000 +0200
-+++ openssh-5.8p1.new/ssh-gss.h 2011-02-12 18:07:11.567306608 +0100
</del><ins>+diff -Nrup openssh-6.5p1/ssh-gss.h openssh-6.5p1.patched/ssh-gss.h
+--- openssh-6.5p1/ssh-gss.h 2013-02-24 16:24:44.000000000 -0800
++++ openssh-6.5p1.patched/ssh-gss.h 2014-02-15 16:50:46.000000000 -0800
</ins><span class="cx"> @@ -1,6 +1,6 @@
</span><span class="cx"> /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
</span><span class="cx"> /*
</span><span class="lines">@@ -2374,7 +2382,7 @@
</span><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><del>-@@ -60,10 +60,22 @@
</del><ins>+@@ -61,10 +61,22 @@
</ins><span class="cx">
</span><span class="cx"> #define SSH_GSS_OIDTYPE 0x06
</span><span class="cx">
</span><span class="lines">@@ -2397,7 +2405,7 @@
</span><span class="cx"> void *data;
</span><span class="cx"> } ssh_gssapi_ccache;
</span><span class="cx">
</span><del>-@@ -71,8 +83,11 @@
</del><ins>+@@ -72,8 +84,11 @@ typedef struct {
</ins><span class="cx"> gss_buffer_desc displayname;
</span><span class="cx"> gss_buffer_desc exportedname;
</span><span class="cx"> gss_cred_id_t creds;
</span><span class="lines">@@ -2409,7 +2417,7 @@
</span><span class="cx"> } ssh_gssapi_client;
</span><span class="cx">
</span><span class="cx"> typedef struct ssh_gssapi_mech_struct {
</span><del>-@@ -83,6 +98,7 @@
</del><ins>+@@ -84,6 +99,7 @@ typedef struct ssh_gssapi_mech_struct {
</ins><span class="cx"> int (*userok) (ssh_gssapi_client *, char *);
</span><span class="cx"> int (*localname) (ssh_gssapi_client *, char **);
</span><span class="cx"> void (*storecreds) (ssh_gssapi_client *);
</span><span class="lines">@@ -2417,7 +2425,7 @@
</span><span class="cx"> } ssh_gssapi_mech;
</span><span class="cx">
</span><span class="cx"> typedef struct {
</span><del>-@@ -93,10 +109,11 @@
</del><ins>+@@ -94,10 +110,11 @@ typedef struct {
</ins><span class="cx"> gss_OID oid; /* client */
</span><span class="cx"> gss_cred_id_t creds; /* server */
</span><span class="cx"> gss_name_t client; /* server */
</span><span class="lines">@@ -2430,7 +2438,7 @@
</span><span class="cx">
</span><span class="cx"> int ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
</span><span class="cx"> void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
</span><del>-@@ -116,16 +133,30 @@
</del><ins>+@@ -117,16 +134,30 @@ void ssh_gssapi_build_ctx(Gssctxt **);
</ins><span class="cx"> void ssh_gssapi_delete_ctx(Gssctxt **);
</span><span class="cx"> OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
</span><span class="cx"> void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
</span><span class="lines">@@ -2463,9 +2471,9 @@
</span><span class="cx"> #endif /* GSSAPI */
</span><span class="cx">
</span><span class="cx"> #endif /* _SSH_GSS_H */
</span><del>-diff --speed-large-files --minimal -Nru openssh-5.8p1/ssh_config openssh-5.8p1.new/ssh_config
---- openssh-5.8p1/ssh_config 2010-01-12 09:40:27.000000000 +0100
-+++ openssh-5.8p1.new/ssh_config 2011-02-12 18:07:11.580240516 +0100
</del><ins>+diff -Nrup openssh-6.5p1/ssh_config openssh-6.5p1.patched/ssh_config
+--- openssh-6.5p1/ssh_config 2013-10-09 16:24:12.000000000 -0700
++++ openssh-6.5p1.patched/ssh_config 2014-02-15 16:50:46.000000000 -0800
</ins><span class="cx"> @@ -26,6 +26,8 @@
</span><span class="cx"> # HostbasedAuthentication no
</span><span class="cx"> # GSSAPIAuthentication no
</span><span class="lines">@@ -2475,10 +2483,10 @@
</span><span class="cx"> # BatchMode no
</span><span class="cx"> # CheckHostIP yes
</span><span class="cx"> # AddressFamily any
</span><del>-diff --speed-large-files --minimal -Nru openssh-5.8p1/ssh_config.5 openssh-5.8p1.new/ssh_config.5
---- openssh-5.8p1/ssh_config.5 2010-12-26 04:26:48.000000000 +0100
-+++ openssh-5.8p1.new/ssh_config.5 2011-02-12 18:07:11.600266821 +0100
-@@ -508,11 +508,43 @@
</del><ins>+diff -Nrup openssh-6.5p1/ssh_config.5 openssh-6.5p1.patched/ssh_config.5
+--- openssh-6.5p1/ssh_config.5 2014-01-19 03:36:14.000000000 -0800
++++ openssh-6.5p1.patched/ssh_config.5 2014-02-15 16:50:46.000000000 -0800
+@@ -676,11 +676,43 @@ Specifies whether user authentication ba
</ins><span class="cx"> The default is
</span><span class="cx"> .Dq no .
</span><span class="cx"> Note that this option applies to protocol version 2 only.
</span><span class="lines">@@ -2523,10 +2531,10 @@
</span><span class="cx"> .It Cm HashKnownHosts
</span><span class="cx"> Indicates that
</span><span class="cx"> .Xr ssh 1
</span><del>-diff --speed-large-files --minimal -Nru openssh-5.8p1/sshconnect2.c openssh-5.8p1.new/sshconnect2.c
---- openssh-5.8p1/sshconnect2.c 2010-12-01 02:21:51.000000000 +0100
-+++ openssh-5.8p1.new/sshconnect2.c 2011-02-12 18:07:11.623078773 +0100
-@@ -159,9 +159,34 @@
</del><ins>+diff -Nrup openssh-6.5p1/sshconnect2.c openssh-6.5p1.patched/sshconnect2.c
+--- openssh-6.5p1/sshconnect2.c 2014-01-09 15:58:53.000000000 -0800
++++ openssh-6.5p1.patched/sshconnect2.c 2014-02-15 16:54:12.000000000 -0800
+@@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *ho
</ins><span class="cx"> {
</span><span class="cx"> Kex *kex;
</span><span class="cx">
</span><span class="lines">@@ -2561,7 +2569,7 @@
</span><span class="cx"> if (options.ciphers == (char *)-1) {
</span><span class="cx"> logit("No valid ciphers for protocol version 2 given, using defaults.");
</span><span class="cx"> options.ciphers = NULL;
</span><del>-@@ -196,6 +221,17 @@
</del><ins>+@@ -198,6 +223,17 @@ ssh_kex2(char *host, struct sockaddr *ho
</ins><span class="cx"> if (options.kex_algorithms != NULL)
</span><span class="cx"> myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
</span><span class="cx">
</span><span class="lines">@@ -2578,8 +2586,8 @@
</span><span class="cx"> +
</span><span class="cx"> if (options.rekey_limit || options.rekey_interval)
</span><span class="cx"> packet_set_rekey_limits((u_int32_t)options.rekey_limit,
</span><del>-
-@@ -206,10 +242,30 @@
</del><ins>+ (time_t)options.rekey_interval);
+@@ -209,11 +245,31 @@ ssh_kex2(char *host, struct sockaddr *ho
</ins><span class="cx"> kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
</span><span class="cx"> kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
</span><span class="cx"> kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
</span><span class="lines">@@ -2590,6 +2598,7 @@
</span><span class="cx"> + kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
</span><span class="cx"> + }
</span><span class="cx"> +#endif
</span><ins>+ kex->kex[KEX_C25519_SHA256] = kexc25519_client;
</ins><span class="cx"> kex->client_version_string=client_version_string;
</span><span class="cx"> kex->server_version_string=server_version_string;
</span><span class="cx"> kex->verify_host_key=&verify_host_key_callback;
</span><span class="lines">@@ -2603,14 +2612,14 @@
</span><span class="cx"> + kex->gss_host = options.gss_server_identity;
</span><span class="cx"> + } else {
</span><span class="cx"> + kex->gss_host = gss_host;
</span><del>-+ }
</del><ins>++ }
</ins><span class="cx"> + }
</span><span class="cx"> +#endif
</span><span class="cx"> +
</span><span class="cx"> xxx_kex = kex;
</span><span class="cx">
</span><span class="cx"> dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
</span><del>-@@ -304,6 +360,7 @@
</del><ins>+@@ -309,6 +365,7 @@ void input_gssapi_token(int type, u_int3
</ins><span class="cx"> void input_gssapi_hash(int type, u_int32_t, void *);
</span><span class="cx"> void input_gssapi_error(int, u_int32_t, void *);
</span><span class="cx"> void input_gssapi_errtok(int, u_int32_t, void *);
</span><span class="lines">@@ -2618,7 +2627,7 @@
</span><span class="cx"> #endif
</span><span class="cx">
</span><span class="cx"> void userauth(Authctxt *, char *);
</span><del>-@@ -319,6 +376,11 @@
</del><ins>+@@ -324,6 +381,11 @@ static char *authmethods_get(void);
</ins><span class="cx">
</span><span class="cx"> Authmethod authmethods[] = {
</span><span class="cx"> #ifdef GSSAPI
</span><span class="lines">@@ -2630,7 +2639,7 @@
</span><span class="cx"> {"gssapi-with-mic",
</span><span class="cx"> userauth_gssapi,
</span><span class="cx"> NULL,
</span><del>-@@ -625,19 +687,31 @@
</del><ins>+@@ -627,19 +689,31 @@ userauth_gssapi(Authctxt *authctxt)
</ins><span class="cx"> static u_int mech = 0;
</span><span class="cx"> OM_uint32 min;
</span><span class="cx"> int ok = 0;
</span><span class="lines">@@ -2664,7 +2673,7 @@
</span><span class="cx"> ok = 1; /* Mechanism works */
</span><span class="cx"> } else {
</span><span class="cx"> mech++;
</span><del>-@@ -734,8 +808,8 @@
</del><ins>+@@ -736,8 +810,8 @@ input_gssapi_response(int type, u_int32_
</ins><span class="cx"> {
</span><span class="cx"> Authctxt *authctxt = ctxt;
</span><span class="cx"> Gssctxt *gssctxt;
</span><span class="lines">@@ -2675,7 +2684,7 @@
</span><span class="cx">
</span><span class="cx"> if (authctxt == NULL)
</span><span class="cx"> fatal("input_gssapi_response: no authentication context");
</span><del>-@@ -845,6 +919,48 @@
</del><ins>+@@ -846,6 +920,48 @@ input_gssapi_error(int type, u_int32_t p
</ins><span class="cx"> free(msg);
</span><span class="cx"> free(lang);
</span><span class="cx"> }
</span><span class="lines">@@ -2724,11 +2733,11 @@
</span><span class="cx"> #endif /* GSSAPI */
</span><span class="cx">
</span><span class="cx"> int
</span><del>-diff --speed-large-files --minimal -Nru openssh-5.8p1/sshd.c openssh-5.8p1.new/sshd.c
---- openssh-5.8p1/sshd.c 2011-01-11 07:20:31.000000000 +0100
-+++ openssh-5.8p1.new/sshd.c 2011-02-12 18:07:11.656005267 +0100
-@@ -120,6 +120,10 @@
- #include "roaming.h"
</del><ins>+diff -Nrup openssh-6.5p1/sshd.c openssh-6.5p1.patched/sshd.c
+--- openssh-6.5p1/sshd.c 2014-01-27 20:08:13.000000000 -0800
++++ openssh-6.5p1.patched/sshd.c 2014-02-15 16:54:54.000000000 -0800
+@@ -122,6 +122,10 @@
+ #include "ssh-sandbox.h"
</ins><span class="cx"> #include "version.h"
</span><span class="cx">
</span><span class="cx"> +#ifdef USE_SECURITY_SESSION_API
</span><span class="lines">@@ -2738,7 +2747,7 @@
</span><span class="cx"> #ifdef LIBWRAP
</span><span class="cx"> #include <tcpd.h>
</span><span class="cx"> #include <syslog.h>
</span><del>-@@ -1590,10 +1594,13 @@
</del><ins>+@@ -1721,10 +1725,13 @@ main(int ac, char **av)
</ins><span class="cx"> logit("Disabling protocol version 1. Could not load host key");
</span><span class="cx"> options.protocol &= ~SSH_PROTO_1;
</span><span class="cx"> }
</span><span class="lines">@@ -2752,9 +2761,9 @@
</span><span class="cx"> if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
</span><span class="cx"> logit("sshd: no hostkeys available -- exiting.");
</span><span class="cx"> exit(1);
</span><del>-@@ -1922,6 +1929,60 @@
- /* Log the connection. */
- verbose("Connection from %.500s port %d", remote_ip, remote_port);
</del><ins>+@@ -2051,6 +2058,60 @@ main(int ac, char **av)
+ remote_ip, remote_port,
+ get_local_ipaddr(sock_in), get_local_port());
</ins><span class="cx">
</span><span class="cx"> +#ifdef USE_SECURITY_SESSION_API
</span><span class="cx"> + /*
</span><span class="lines">@@ -2813,10 +2822,10 @@
</span><span class="cx"> /*
</span><span class="cx"> * We don't want to listen forever unless the other side
</span><span class="cx"> * successfully authenticates itself. So we set up an alarm which is
</span><del>-@@ -2303,6 +2364,48 @@
</del><ins>+@@ -2456,6 +2517,48 @@ do_ssh2_kex(void)
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
+ list_hostkey_types());
</ins><span class="cx">
</span><del>- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
-
</del><span class="cx"> +#ifdef GSSAPI
</span><span class="cx"> + {
</span><span class="cx"> + char *orig;
</span><span class="lines">@@ -2862,10 +2871,10 @@
</span><span class="cx"> /* start key exchange */
</span><span class="cx"> kex = kex_setup(myproposal);
</span><span class="cx"> kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
</span><del>-@@ -2310,6 +2413,13 @@
- kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
</del><ins>+@@ -2464,6 +2567,13 @@ do_ssh2_kex(void)
</ins><span class="cx"> kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
</span><span class="cx"> kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
</span><ins>+ kex->kex[KEX_C25519_SHA256] = kexc25519_server;
</ins><span class="cx"> +#ifdef GSSAPI
</span><span class="cx"> + if (options.gss_keyex) {
</span><span class="cx"> + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
</span><span class="lines">@@ -2876,22 +2885,22 @@
</span><span class="cx"> kex->server = 1;
</span><span class="cx"> kex->client_version_string=client_version_string;
</span><span class="cx"> kex->server_version_string=server_version_string;
</span><del>-diff --speed-large-files --minimal -Nru openssh-5.8p1/sshd_config openssh-5.8p1.new/sshd_config
---- openssh-5.8p1/sshd_config 2010-09-10 03:20:12.000000000 +0200
-+++ openssh-5.8p1.new/sshd_config 2011-02-12 18:07:11.668077725 +0100
-@@ -72,6 +72,8 @@
</del><ins>+diff -Nrup openssh-6.5p1/sshd_config openssh-6.5p1.patched/sshd_config
+--- openssh-6.5p1/sshd_config 2014-01-12 00:20:47.000000000 -0800
++++ openssh-6.5p1.patched/sshd_config 2014-02-15 16:50:46.000000000 -0800
+@@ -84,6 +84,8 @@ AuthorizedKeysFile .ssh/authorized_keys
</ins><span class="cx"> # GSSAPI options
</span><span class="cx"> #GSSAPIAuthentication no
</span><span class="cx"> #GSSAPICleanupCredentials yes
</span><span class="cx"> +#GSSAPIStrictAcceptorCheck yes
</span><span class="cx"> +#GSSAPIKeyExchange no
</span><span class="cx">
</span><del>- # Set this to 'yes' to enable PAM authentication, account processing,
- # and session processing. If this is enabled, PAM authentication will
-diff --speed-large-files --minimal -Nru openssh-5.8p1/sshd_config.5 openssh-5.8p1.new/sshd_config.5
---- openssh-5.8p1/sshd_config.5 2010-12-26 04:26:48.000000000 +0100
-+++ openssh-5.8p1.new/sshd_config.5 2011-02-12 18:07:11.685676774 +0100
-@@ -423,12 +423,40 @@
</del><ins>+ # Set this to 'yes' to enable PAM authentication, account processing,
+ # and session processing. If this is enabled, PAM authentication will
+diff -Nrup openssh-6.5p1/sshd_config.5 openssh-6.5p1.patched/sshd_config.5
+--- openssh-6.5p1/sshd_config.5 2013-12-17 22:47:03.000000000 -0800
++++ openssh-6.5p1.patched/sshd_config.5 2014-02-15 16:50:46.000000000 -0800
+@@ -493,12 +493,40 @@ Specifies whether user authentication ba
</ins><span class="cx"> The default is
</span><span class="cx"> .Dq no .
</span><span class="cx"> Note that this option applies to protocol version 2 only.
</span></span></pre>
</div>
</div>
</body>
</html>