PR#57: Fix keyex patch (f38) - rpms/openssh

rpms / openssh

#57 Fix keyex patch (f38)

Merged a month ago by dbelyavs. Opened a month ago by ellert.

rpms/ ellert/openssh fix-keyex-f38 into f38

Update gssapi-keyex patch for OpenSSH 9.0+

Mattias Ellert • a month ago

b70f344

openssh-8.0p1-gssapi-keyex.patch

file modified

+10 -9

		`@@ -151,7 +151,7 @@`
		`+ * The 'gssapi_keyex' userauth mechanism.`
		`+ */`
		`+static int`
		`- +userauth_gsskeyex(struct ssh *ssh)`
		`+ +userauth_gsskeyex(struct ssh ssh, const char method)`
		`+{`
		`+ Authctxt *authctxt = ssh->authctxt;`
		`+ int r, authenticated = 0;`
		`@@ -212,19 +212,20 @@`
		`else`
		`logit("GSSAPI MIC check failed");`

		`- @@ -326,6 +370,12 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)`
		`+ @@ -326,6 +370,13 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)`
		`return 0;`
		`}`

		`+Authmethod method_gsskeyex = {`
		`+ "gssapi-keyex",`
		`+ + NULL,`
		`+ userauth_gsskeyex,`
		`+ &options.gss_authentication`
		`+};`
		`+`
		`Authmethod method_gssapi = {`
		`"gssapi-with-mic",`
		`- NULL,`
		`+ NULL,`
		`diff --git a/auth2.c b/auth2.c`
		`index 0e776224..1c217268 100644`
		`--- a/auth2.c`
		`@@ -384,7 +385,7 @@`
		`/* Do channel operations unless rekeying in progress. */`
		`- if (!ssh_packet_is_rekeying(ssh))`
		`+ if (!ssh_packet_is_rekeying(ssh)) {`
		`- channel_after_poll(ssh, pfd, npfd_active);`
		`+ channel_after_poll(ssh, pfd, npfd_active);`

		`+#ifdef GSSAPI`
		`+ if (options.gss_renewal_rekey &&`
		`@@ -396,8 +397,8 @@`
		`+ }`
		`+`
		`/* Buffer input from the connection. */`
		`- if (conn_in_ready)`
		`- client_process_net_input(ssh);`
		`+ if (conn_in_ready)`
		`+ client_process_net_input(ssh);`
		`diff --git a/configure.ac b/configure.ac`
		`index b689db4b..efafb6bd 100644`
		`--- a/configure.ac`
		`@@ -1370,8 +1371,8 @@`
		`+#ifdef GSSAPI`
		`+ free(kex->gss_host);`
		`+#endif /* GSSAPI */`
		`- sshbuf_free(kex->initial_sig);`
		`- sshkey_free(kex->initial_hostkey);`
		`+ sshbuf_free(kex->initial_sig);`
		`+ sshkey_free(kex->initial_hostkey);`
		`free(kex->failed_choice);`
		`diff --git a/kex.h b/kex.h`
		`index a5ae6ac0..fe714141 100644`
		`@@ -3568,7 +3569,7 @@`
		`+# endif`
		`+#endif /* WITH_OPENSSL */`
		`ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;`
		`- ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client;`
		`+ ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client;`
		`ssh->kex->verify_host_key=&verify_host_key_callback;`

		`+#if defined(GSSAPI) && defined(WITH_OPENSSL)`

openssh.spec

file modified

+4 -1

		`@@ -47,7 +47,7 @@`

		`# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1`
		`%global openssh_ver 9.0p1`
		`- %global openssh_rel 16`
		`+ %global openssh_rel 17`
		`%global pam_ssh_agent_ver 0.10.4`
		`%global pam_ssh_agent_rel 7`

		`@@ -754,6 +754,9 @@`
		`%endif`

		`%changelog`
		`+ * Wed Jul 26 2023 Mattias Ellert <mattias.ellert@physics.uu.se> - 9.0p1-17`
		`+ - Update gssapi-keyex patch for OpenSSH 9.0+`
		`+`
		`* Fri Jul 21 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.0p1-16`
		`- Fix remote code execution in ssh-agent PKCS#11 support`
		`Resolves: CVE-2023-38408`

ellert commented a month ago

userauth_gsskeyex must have the same argument as userauth_gssapi
method_gsskeyex must have the same members as method_gssapi

zuul commented a month ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci
https://fedora.softwarefactory-project.io/zuul/buildset/13165d82c35e439183015c7ae10897d9

check-for-arches : SUCCESS in 1m 50s
rpm-scratch-build : FAILURE in 2m 17s
rpm-scratch-build-s390x : FAILURE in 2m 25s (non-voting)
rpm-scratch-build-ppc64le : FAILURE in 2m 00s (non-voting)
rpm-scratch-build-i686 : FAILURE in 2m 05s (non-voting)
rpm-scratch-build-aarch64 : FAILURE in 2m 26s (non-voting)
rpm-linter : SKIPPED Skipped due to failed job rpm-scratch-build (non-voting)
rpm-rpminspect : SKIPPED Skipped due to failed job rpm-scratch-build (non-voting)
check-for-sti-tests : SKIPPED Skipped due to failed job rpm-scratch-build
check-for-fmf-tests : SKIPPED Skipped due to failed job rpm-scratch-build
rpm-install-test : SKIPPED Skipped due to failed job rpm-scratch-build
rpm-tmt-test : SKIPPED Skipped due to failed job rpm-scratch-build
rpm-sti-test : SKIPPED Skipped due to failed job rpm-scratch-build

dbelyavs commented a month ago

You need to include the changes in openssh.spec at least

rebased onto b70f344

a month ago

zuul commented a month ago

Build succeeded.
https://fedora.softwarefactory-project.io/zuul/buildset/e886e643020446538a685655f1001c07

check-for-arches : SUCCESS in 1m 46s
rpm-scratch-build : SUCCESS in 14m 24s
rpm-scratch-build-s390x : SUCCESS in 13m 45s (non-voting)
rpm-scratch-build-ppc64le : SUCCESS in 16m 07s (non-voting)
rpm-scratch-build-i686 : SUCCESS in 13m 54s (non-voting)
rpm-scratch-build-aarch64 : SUCCESS in 14m 07s (non-voting)
rpm-linter : FAILURE in 11m 39s (non-voting)
rpm-rpminspect : FAILURE in 5m 53s (non-voting)
check-for-sti-tests : SUCCESS in 16s
check-for-fmf-tests : SUCCESS in 16s
rpm-install-test : SUCCESS in 2m 01s
rpm-sti-test : SUCCESS in 7m 20s
Skipped 1 job

dbelyavs commented a month ago

I see many lines with only whitespace changes. Why are they in the diff?

ellert commented a month ago

I see many lines with only whitespace changes. Why are they in the diff?

A patch should have, at the first position on each line, either a + (line added), a - (line removed) or a space (line unchanged). I added the missing space at the beginning of the line to correct the format of the patch. (There are more similar issues in some of the other patches, I only corrected the syntax in the patch changed by this PR.)