gentoo auto-resync : 12:05:2023 - 17:49:26

1 files changed, 0 insertions, 357 deletions

diff --git a/net-misc/openssh/files/openssh-8.7_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-8.7_p1-GSSAPI-dns.patch
deleted file mode 100644
index ffc40b70ae3d..000000000000
--- a/net-misc/openssh/files/openssh-8.7_p1-GSSAPI-dns.patch
+++ /dev/null
@@ -1,357 +0,0 @@
-diff --git a/auth.c b/auth.c
-index 00b168b4..8ee93581 100644
---- a/auth.c
-+++ b/auth.c
-@@ -729,118 +729,6 @@ fakepw(void)
- 	return (&fake);
- }
- 
--/*
-- * Returns the remote DNS hostname as a string. The returned string must not
-- * be freed. NB. this will usually trigger a DNS query the first time it is
-- * called.
-- * This function does additional checks on the hostname to mitigate some
-- * attacks on based on conflation of hostnames and IP addresses.
-- */
--
--static char *
--remote_hostname(struct ssh *ssh)
--{
--	struct sockaddr_storage from;
--	socklen_t fromlen;
--	struct addrinfo hints, *ai, *aitop;
--	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
--	const char *ntop = ssh_remote_ipaddr(ssh);
--
--	/* Get IP address of client. */
--	fromlen = sizeof(from);
--	memset(&from, 0, sizeof(from));
--	if (getpeername(ssh_packet_get_connection_in(ssh),
--	    (struct sockaddr *)&from, &fromlen) == -1) {
--		debug("getpeername failed: %.100s", strerror(errno));
--		return xstrdup(ntop);
--	}
--
--	ipv64_normalise_mapped(&from, &fromlen);
--	if (from.ss_family == AF_INET6)
--		fromlen = sizeof(struct sockaddr_in6);
--
--	debug3("Trying to reverse map address %.100s.", ntop);
--	/* Map the IP address to a host name. */
--	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
--	    NULL, 0, NI_NAMEREQD) != 0) {
--		/* Host name not found.  Use ip address. */
--		return xstrdup(ntop);
--	}
--
--	/*
--	 * if reverse lookup result looks like a numeric hostname,
--	 * someone is trying to trick us by PTR record like following:
--	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
--	 */
--	memset(&hints, 0, sizeof(hints));
--	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
--	hints.ai_flags = AI_NUMERICHOST;
--	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
--		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
--		    name, ntop);
--		freeaddrinfo(ai);
--		return xstrdup(ntop);
--	}
--
--	/* Names are stored in lowercase. */
--	lowercase(name);
--
--	/*
--	 * Map it back to an IP address and check that the given
--	 * address actually is an address of this host.  This is
--	 * necessary because anyone with access to a name server can
--	 * define arbitrary names for an IP address. Mapping from
--	 * name to IP address can be trusted better (but can still be
--	 * fooled if the intruder has access to the name server of
--	 * the domain).
--	 */
--	memset(&hints, 0, sizeof(hints));
--	hints.ai_family = from.ss_family;
--	hints.ai_socktype = SOCK_STREAM;
--	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
--		logit("reverse mapping checking getaddrinfo for %.700s "
--		    "[%s] failed.", name, ntop);
--		return xstrdup(ntop);
--	}
--	/* Look for the address from the list of addresses. */
--	for (ai = aitop; ai; ai = ai->ai_next) {
--		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
--		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
--		    (strcmp(ntop, ntop2) == 0))
--				break;
--	}
--	freeaddrinfo(aitop);
--	/* If we reached the end of the list, the address was not there. */
--	if (ai == NULL) {
--		/* Address not found for the host name. */
--		logit("Address %.100s maps to %.600s, but this does not "
--		    "map back to the address.", ntop, name);
--		return xstrdup(ntop);
--	}
--	return xstrdup(name);
--}
--
--/*
-- * Return the canonical name of the host in the other side of the current
-- * connection.  The host name is cached, so it is efficient to call this
-- * several times.
-- */
--
--const char *
--auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
--{
--	static char *dnsname;
--
--	if (!use_dns)
--		return ssh_remote_ipaddr(ssh);
--	else if (dnsname != NULL)
--		return dnsname;
--	else {
--		dnsname = remote_hostname(ssh);
--		return dnsname;
--	}
--}
--
- /* These functions link key/cert options to the auth framework */
- 
- /* Log sshauthopt options locally and (optionally) for remote transmission */
-diff --git a/canohost.c b/canohost.c
-index a810da0e..18e9d8d4 100644
---- a/canohost.c
-+++ b/canohost.c
-@@ -202,3 +202,117 @@ get_local_port(int sock)
- {
- 	return get_sock_port(sock, 1);
- }
-+
-+/*
-+ * Returns the remote DNS hostname as a string. The returned string must not
-+ * be freed. NB. this will usually trigger a DNS query the first time it is
-+ * called.
-+ * This function does additional checks on the hostname to mitigate some
-+ * attacks on legacy rhosts-style authentication.
-+ * XXX is RhostsRSAAuthentication vulnerable to these?
-+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-+ */
-+
-+static char *
-+remote_hostname(struct ssh *ssh)
-+{
-+	struct sockaddr_storage from;
-+	socklen_t fromlen;
-+	struct addrinfo hints, *ai, *aitop;
-+	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-+	const char *ntop = ssh_remote_ipaddr(ssh);
-+
-+	/* Get IP address of client. */
-+	fromlen = sizeof(from);
-+	memset(&from, 0, sizeof(from));
-+	if (getpeername(ssh_packet_get_connection_in(ssh),
-+	    (struct sockaddr *)&from, &fromlen) == -1) {
-+		debug("getpeername failed: %.100s", strerror(errno));
-+		return xstrdup(ntop);
-+	}
-+
-+	ipv64_normalise_mapped(&from, &fromlen);
-+	if (from.ss_family == AF_INET6)
-+		fromlen = sizeof(struct sockaddr_in6);
-+
-+	debug3("Trying to reverse map address %.100s.", ntop);
-+	/* Map the IP address to a host name. */
-+	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-+	    NULL, 0, NI_NAMEREQD) != 0) {
-+		/* Host name not found.  Use ip address. */
-+		return xstrdup(ntop);
-+	}
-+
-+	/*
-+	 * if reverse lookup result looks like a numeric hostname,
-+	 * someone is trying to trick us by PTR record like following:
-+	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
-+	 */
-+	memset(&hints, 0, sizeof(hints));
-+	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
-+	hints.ai_flags = AI_NUMERICHOST;
-+	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-+		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-+		    name, ntop);
-+		freeaddrinfo(ai);
-+		return xstrdup(ntop);
-+	}
-+
-+	/* Names are stored in lowercase. */
-+	lowercase(name);
-+
-+	/*
-+	 * Map it back to an IP address and check that the given
-+	 * address actually is an address of this host.  This is
-+	 * necessary because anyone with access to a name server can
-+	 * define arbitrary names for an IP address. Mapping from
-+	 * name to IP address can be trusted better (but can still be
-+	 * fooled if the intruder has access to the name server of
-+	 * the domain).
-+	 */
-+	memset(&hints, 0, sizeof(hints));
-+	hints.ai_family = from.ss_family;
-+	hints.ai_socktype = SOCK_STREAM;
-+	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-+		logit("reverse mapping checking getaddrinfo for %.700s "
-+		    "[%s] failed.", name, ntop);
-+		return xstrdup(ntop);
-+	}
-+	/* Look for the address from the list of addresses. */
-+	for (ai = aitop; ai; ai = ai->ai_next) {
-+		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-+		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-+		    (strcmp(ntop, ntop2) == 0))
-+				break;
-+	}
-+	freeaddrinfo(aitop);
-+	/* If we reached the end of the list, the address was not there. */
-+	if (ai == NULL) {
-+		/* Address not found for the host name. */
-+		logit("Address %.100s maps to %.600s, but this does not "
-+		    "map back to the address.", ntop, name);
-+		return xstrdup(ntop);
-+	}
-+	return xstrdup(name);
-+}
-+
-+/*
-+ * Return the canonical name of the host in the other side of the current
-+ * connection.  The host name is cached, so it is efficient to call this
-+ * several times.
-+ */
-+
-+const char *
-+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
-+{
-+	static char *dnsname;
-+
-+	if (!use_dns)
-+		return ssh_remote_ipaddr(ssh);
-+	else if (dnsname != NULL)
-+		return dnsname;
-+	else {
-+		dnsname = remote_hostname(ssh);
-+		return dnsname;
-+	}
-+}
-diff --git a/readconf.c b/readconf.c
-index 03369a08..b45898ce 100644
---- a/readconf.c
-+++ b/readconf.c
-@@ -161,6 +161,7 @@ typedef enum {
- 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
- 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-+	oGssTrustDns,
- 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
- 	oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
- 	oHashKnownHosts,
-@@ -207,9 +208,11 @@ static struct {
- #if defined(GSSAPI)
- 	{ "gssapiauthentication", oGssAuthentication },
- 	{ "gssapidelegatecredentials", oGssDelegateCreds },
-+	{ "gssapitrustdns", oGssTrustDns },
- # else
- 	{ "gssapiauthentication", oUnsupported },
- 	{ "gssapidelegatecredentials", oUnsupported },
-+	{ "gssapitrustdns", oUnsupported },
- #endif
- #ifdef ENABLE_PKCS11
- 	{ "pkcs11provider", oPKCS11Provider },
-@@ -1117,6 +1120,10 @@ parse_time:
- 		intptr = &options->gss_deleg_creds;
- 		goto parse_flag;
- 
-+	case oGssTrustDns:
-+		intptr = &options->gss_trust_dns;
-+		goto parse_flag;
-+
- 	case oBatchMode:
- 		intptr = &options->batch_mode;
- 		goto parse_flag;
-@@ -2307,6 +2314,7 @@ initialize_options(Options * options)
- 	options->pubkey_authentication = -1;
- 	options->gss_authentication = -1;
- 	options->gss_deleg_creds = -1;
-+	options->gss_trust_dns = -1;
- 	options->password_authentication = -1;
- 	options->kbd_interactive_authentication = -1;
- 	options->kbd_interactive_devices = NULL;
-@@ -2465,6 +2473,8 @@ fill_default_options(Options * options)
- 		options->gss_authentication = 0;
- 	if (options->gss_deleg_creds == -1)
- 		options->gss_deleg_creds = 0;
-+	if (options->gss_trust_dns == -1)
-+		options->gss_trust_dns = 0;
- 	if (options->password_authentication == -1)
- 		options->password_authentication = 1;
- 	if (options->kbd_interactive_authentication == -1)
-diff --git a/readconf.h b/readconf.h
-index f7d53b06..c3a91898 100644
---- a/readconf.h
-+++ b/readconf.h
-@@ -40,6 +40,7 @@ typedef struct {
- 	int     hostbased_authentication;	/* ssh2's rhosts_rsa */
- 	int     gss_authentication;	/* Try GSS authentication */
- 	int     gss_deleg_creds;	/* Delegate GSS credentials */
-+	int	gss_trust_dns;		/* Trust DNS for GSS canonicalization */
- 	int     password_authentication;	/* Try password
- 						 * authentication. */
- 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-diff --git a/ssh_config.5 b/ssh_config.5
-index cd0eea86..27101943 100644
---- a/ssh_config.5
-+++ b/ssh_config.5
-@@ -832,6 +832,16 @@ The default is
- Forward (delegate) credentials to the server.
- The default is
- .Cm no .
-+Note that this option applies to protocol version 2 connections using GSSAPI.
-+.It Cm GSSAPITrustDns
-+Set to
-+.Dq yes to indicate that the DNS is trusted to securely canonicalize
-+the name of the host being connected to. If
-+.Dq no, the hostname entered on the
-+command line will be passed untouched to the GSSAPI library.
-+The default is
-+.Dq no .
-+This option only applies to protocol version 2 connections using GSSAPI.
- .It Cm HashKnownHosts
- Indicates that
- .Xr ssh 1
-diff --git a/sshconnect2.c b/sshconnect2.c
-index fea50fab..aeff639b 100644
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -776,6 +776,13 @@ userauth_gssapi(struct ssh *ssh)
- 	OM_uint32 min;
- 	int r, ok = 0;
- 	gss_OID mech = NULL;
-+	const char *gss_host;
-+
-+	if (options.gss_trust_dns) {
-+		extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
-+		gss_host = auth_get_canonical_hostname(ssh, 1);
-+	} else
-+		gss_host = authctxt->host;
- 
- 	/* Try one GSSAPI method at a time, rather than sending them all at
- 	 * once. */
-@@ -790,7 +797,7 @@ userauth_gssapi(struct ssh *ssh)
- 		    elements[authctxt->mech_tried];
- 		/* My DER encoding requires length<128 */
- 		if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
--		    mech, authctxt->host)) {
-+		    mech, gss_host)) {
- 			ok = 1; /* Mechanism works */
- 		} else {
- 			authctxt->mech_tried++;