tomcat-11: fix mediator version and license

[oi-userland.git] / components / network / hpn-ssh / patches / 0006-GSS-store-creds-for-Solaris.patch

--- hpn-ssh-hpn-18.4.2/configure.ac.orig
+++ hpn-ssh-hpn-18.4.2/configure.ac
@@ -1169,6 +1169,9 @@
                ],
        )
        TEST_SHELL=$SHELL       # let configure find us a capable shell
+       AC_DEFINE([USE_GSS_STORE_CRED], [1], [Use the Solaris-style GSS cred store])
+       AC_DEFINE([GSSAPI_STORECREDS_NEEDS_RUID], [1], [GSSAPI storecreds needs ruid])
+       AC_DEFINE([HAVE_PAM_AUSER], [1], [pam_auser])
        ;;
 *-*-sunos4*)
        CPPFLAGS="$CPPFLAGS -DSUNOS4"
--- hpn-ssh-hpn-18.4.2/gss-serv-krb5.c.orig
+++ hpn-ssh-hpn-18.4.2/gss-serv-krb5.c
@@ -109,7 +109,7 @@
        return retval;
 }
 
-
+#ifndef USE_GSS_STORE_CRED
 /* This writes out any forwarded credentials from the structure populated
  * during userauth. Called after we have setuid to the user */
 
@@ -195,6 +195,7 @@
 
        return;
 }
+#endif /* #ifndef USE_GSS_STORE_CRED */
 
 ssh_gssapi_mech gssapi_kerberos_mech = {
        "toWM5Slw5Ew8Mqkay+al2g==",
@@ -203,7 +204,11 @@
        NULL,
        &ssh_gssapi_krb5_userok,
        NULL,
+#ifdef USE_GSS_STORE_CRED
+       NULL
+#else
        &ssh_gssapi_krb5_storecreds
+#endif
 };
 
 #endif /* KRB5 */
--- hpn-ssh-hpn-18.4.2/gss-serv.c.orig
+++ hpn-ssh-hpn-18.4.2/gss-serv.c
@@ -44,6 +44,7 @@
 #include "session.h"
 #include "misc.h"
 #include "servconf.h"
+#include "sshbuf.h"
 
 #include "ssh-gss.h"
 
@@ -319,22 +320,66 @@
 void
 ssh_gssapi_cleanup_creds(void)
 {
+#ifdef USE_GSS_STORE_CRED
+       debug("removing gssapi cred file not implemented");
+#else
        if (gssapi_client.store.filename != NULL) {
                /* Unlink probably isn't sufficient */
                debug("removing gssapi cred file\"%s\"",
                    gssapi_client.store.filename);
                unlink(gssapi_client.store.filename);
        }
+#endif /* USE_GSS_STORE_CRED */
 }
 
 /* As user */
 void
 ssh_gssapi_storecreds(void)
 {
+#ifdef USE_GSS_STORE_CRED
+       OM_uint32 maj_status, min_status;
+
+       if (gssapi_client.creds == NULL) {
+               debug("No credentials stored");
+               return;
+       }
+
+       maj_status = gss_store_cred(&min_status, gssapi_client.creds,
+           GSS_C_INITIATE, &gssapi_client.mech->oid, 1, 1, NULL, NULL);
+
+       if (GSS_ERROR(maj_status)) {
+               struct sshbuf *b;
+               gss_buffer_desc msg;
+               OM_uint32 lmin;
+               OM_uint32 more = 0;
+               if ((b = sshbuf_new()) == NULL) fatal("malloc");
+               /* GSS-API error */
+               do {
+                       gss_display_status(&lmin, maj_status, GSS_C_GSS_CODE,
+                           GSS_C_NULL_OID, &more, &msg);
+                       sshbuf_put(b, msg.value, msg.length);
+                       sshbuf_put(b, "\n", 1);
+                       gss_release_buffer(&lmin, &msg);
+               } while (more != 0);
+               /* Mechanism specific error */
+               do {
+                       gss_display_status(&lmin, min_status, GSS_C_MECH_CODE,
+                           &gssapi_client.mech->oid, &more, &msg);
+                       sshbuf_put(b, msg.value, msg.length);
+                       sshbuf_put(b, "\n", 1);
+                       gss_release_buffer(&lmin, &msg);
+               } while (more != 0);
+               sshbuf_put(b, "\0", 1);
+               error("GSS-API error while storing delegated credentials: %s",
+                   sshbuf_ptr(b));
+               sshbuf_free(b);
+       }
+#else  /* #ifdef USE_GSS_STORE_CRED */
        if (gssapi_client.mech && gssapi_client.mech->storecreds) {
                (*gssapi_client.mech->storecreds)(&gssapi_client);
        } else
                debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
+#endif /* #ifdef USE_GSS_STORE_CRED */
 }
 
 /* This allows GSSAPI methods to do things to the child's environment based
--- hpn-ssh-hpn-18.4.2/servconf.c.orig
+++ hpn-ssh-hpn-18.4.2/servconf.c
@@ -620,7 +620,11 @@
        { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
 #ifdef GSSAPI
        { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
+#ifdef USE_GSS_STORE_CRED
+       { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+#else /* USE_GSS_STORE_CRED */
        { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+#endif /* USE_GSS_STORE_CRED */
        { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
 #else
        { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
--- hpn-ssh-hpn-18.4.2/sshd.c.orig
+++ hpn-ssh-hpn-18.4.2/sshd.c
@@ -2313,9 +2313,23 @@
 
 #ifdef GSSAPI
        if (options.gss_authentication) {
+#ifdef GSSAPI_STORECREDS_NEEDS_RUID
+               if (setreuid(authctxt->pw->pw_uid, -1) != 0) {
+                       debug("setreuid %u: %.100s",
+                           (u_int) authctxt->pw->pw_uid, strerror(errno));
+                       goto bail_storecred;
+               }
+#endif
                temporarily_use_uid(authctxt->pw);
                ssh_gssapi_storecreds();
                restore_uid();
+#ifdef GSSAPI_STORECREDS_NEEDS_RUID
+               if (setuid(geteuid()) != 0) {
+                       fatal("setuid %u: %.100s", (u_int) geteuid(),
+                           strerror(errno));
+               }
+ bail_storecred: ;
+#endif
        }
 #endif
 #ifdef USE_PAM