Bug 206346 - security/openssh-portable: fix GSSAPI key exchange for 7.x
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Bryan Drewery
Reported: 2016-01-17 22:36 UTC by Garrett Wollman
Modified: 2016-01-20 02:19 UTC (History)
bugzilla: maintainer-feedback? (bdrewery)


Attachments
patch for port Makefile (3.14 KB, application/mbox)
2016-01-17 22:36 UTC, Garrett Wollman
GSSAPI patch without HPN (92.09 KB, patch)
2016-01-17 22:37 UTC, Garrett Wollman
GSSAPI patch with HPN (91.68 KB, patch)
2016-01-17 22:37 UTC, Garrett Wollman
poudriere testport output (278.20 KB, text/plain)
2016-01-17 22:38 UTC, Garrett Wollman

Description Garrett Wollman freebsd_committer 2016-01-17 22:36:18 UTC
Created attachment 165727
patch for port Makefile

Simon Wilkinson's GSSAPI enhancements patch has been updated for OpenSSH 7.1p2.  I got the updated patch from Debian, but they credit Red Hat for the actual porting work.  Attached are two versions of the patch (they differ only in one file, sshconnect2.c, depending on whether HPN/NONECIPHER options are enabled).  I modified the Makefile to treat this as an "extra" rather than "distribution" patch, and to choose the right version of the patch depending on which options are enabled.  This is tested with all three possible combinations of options.

(I would note in passing that security/krb5 now installs shared libraries with SONAME bogusly set to libfoo.so.X.Y rather than the proper libfoo.so.X.)
Comment 1 Garrett Wollman freebsd_committer 2016-01-17 22:37:07 UTC
Created attachment 165728
GSSAPI patch without HPN
Comment 2 Bryan Drewery freebsd_committer 2016-01-17 22:37:20 UTC
Nice. I'll look at getting this in tomorrow or Tuesday.
Comment 3 Garrett Wollman freebsd_committer 2016-01-17 22:37:59 UTC
Created attachment 165729
GSSAPI patch with HPN
Comment 4 Garrett Wollman freebsd_committer 2016-01-17 22:38:40 UTC
Created attachment 165730
poudriere testport output
Comment 5 Bryan Drewery freebsd_committer 2016-01-20 02:14:08 UTC
I prefer to keep large patches mirrored rather than checked in. I have the HPN patch checked in purely for review since I tend to modify it from upstream.

I modified the files/extra-patch-hpn to avoid one of the conflicts.

The other conflict I handled with some glue between the GSS and HPN patch to move some variable definitions to a different place that works for C99.

~/svn/ports/security/openssh-portable # cat files/extra-patch-hpn-gss-glue
--- sshconnect2.c.orig  2016-01-19 18:10:12.550854000 -0800
+++ sshconnect2.c       2016-01-19 18:10:27.290409000 -0800
@@ -160,11 +160,6 @@ ssh_kex2(char *host, struct sockaddr *ho
        struct kex *kex;
        int r;

-#ifdef GSSAPI
-       char *orig = NULL, *gss = NULL;
-       char *gss_host = NULL;
-#endif
-
        xxx_host = host;
        xxx_hostaddr = hostaddr;

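Review bot: with the `#ifdef GSSAPI` declarations of `orig`, `gss` and `gss_host` removed from the top of ssh_kex2(), nothing in this glue file records why they move or which option combination needs it. A short header comment in files/extra-patch-hpn-gss-glue saying it applies only when both the GSS and HPN patches are in use would help whoever next updates either patch. It is also worth confirming that nothing between this point and line 194 of the patched file references the three pointers, since they are no longer declared there.
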
@@ -199,6 +194,9 @@ ssh_kex2(char *host, struct sockaddr *ho
        }

 #ifdef GSSAPI
+       char *orig = NULL, *gss = NULL;
+       char *gss_host = NULL;
+
        if (options.gss_keyex) {
                /* Add the GSSAPI mechanisms currently supported on this
                 * client to the key exchange algorithm proposal */
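Review bot: the three `char *` declarations added directly under `#ifdef GSSAPI` come after executable statements (the closing `}` just above ends an earlier block), so this depends on C99 mixed declarations and will warn or fail under -Wdeclaration-after-statement or a C89 build. If that is acceptable for the port, a one-line comment above `char *orig = NULL, *gss = NULL;` saying the declarations sit here to stay clear of the HPN changes would keep a later cleanup from moving them back to the top of the function.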
Comment 6 Bryan Drewery freebsd_committer 2016-01-20 02:16:47 UTC
(In reply to Garrett Wollman from comment #0)
> (I would note in passing that security/krb5 now installs shared libraries
> with SONAME bogusly set to libfoo.so.X.Y rather than the proper libfoo.so.X.)

You should open a separate bug for that for cy@ to look at.
Comment 7 commit-hook freebsd_committer 2016-01-20 02:18:48 UTC
A commit references this bug:

Author: bdrewery
Date: Wed Jan 20 02:18:42 UTC 2016
New revision: 406725
URL: https://svnweb.freebsd.org/changeset/ports/406725

Log:
  Fix the KERB_GSSAPI option using the latest patch from Debian.

  This slightly refactors some of the HPN patch to avoid a conflict.

  PR:		206346
  Submitted by:	Garrett Wollman

Changes:
  head/security/openssh-portable/Makefile
  head/security/openssh-portable/distinfo
  head/security/openssh-portable/files/extra-patch-hpn
  head/security/openssh-portable/files/extra-patch-hpn-gss-glue
Comment 8 Bryan Drewery freebsd_committer 2016-01-20 02:19:03 UTC
Thanks for tracking down the latest patch!