author | CoprDistGit <infra@openeuler.org> | 2024-07-03 02:42:38 +0000 |
---|---|---|
committer | CoprDistGit <infra@openeuler.org> | 2024-07-03 02:42:38 +0000 |
commit | 3c362eae690284f325824e38431881825e32ffdd (patch) | |
tree | d2d0e11b92bf88d35c270559d268845d391a4703 | |
parent | 62f0a34c39a6846b6a86f2bbc7fb8c319bd46d94 (diff) |
automatic import of openssh
110 files changed, 5440 insertions, 3168 deletions
@@ -1,2 +1,3 @@ /openssh-9.3p1.tar.gz /pam_ssh_agent_auth-0.10.4.tar.gz +/openssh-8.8p1.tar.gz diff --git a/backport-Allow-writev-is-seccomp-sandbox.patch b/backport-Allow-writev-is-seccomp-sandbox.patch new file mode 100644 index 0000000..fe35f7d --- /dev/null +++ b/backport-Allow-writev-is-seccomp-sandbox.patch @@ -0,0 +1,30 @@ +From 6283f4bd83eee714d0f5fc55802eff836b06fea8 Mon Sep 17 00:00:00 2001 +From: Darren Tucker <dtucker@dtucker.net> +Date: Sat, 14 Jan 2023 22:02:44 +1100 +Subject: [PATCH] Allow writev is seccomp sandbox. + +This seems to be used by recent glibcs at least in some configurations. +From bz#3512, ok djm@ +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=6283f4bd83eee714d0f5fc55802eff836b06fea8 +--- + sandbox-seccomp-filter.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index cec43c46..4ab49eb6 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -312,6 +312,9 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_write + SC_ALLOW(__NR_write), + #endif ++#ifdef __NR_writev ++ SC_ALLOW(__NR_writev), ++#endif + #ifdef __NR_socketcall + SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN), + SC_DENY(__NR_socketcall, EACCES), +-- +2.27.0 + diff --git a/backport-CVE-2023-48795.patch b/backport-CVE-2023-48795.patch new file mode 100644 index 0000000..689d500 --- /dev/null +++ b/backport-CVE-2023-48795.patch 
@@ -0,0 +1,466 @@ +From 802a7af111c9ddb438ca4fd8c5cc35534e199fda Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Mon, 18 Dec 2023 14:45:17 +0000 +Subject: upstream: implement "strict key exchange" in ssh and sshd + +This adds a protocol extension to improve the integrity of the SSH +transport protocol, particular in and around the initial key exchange +(KEX) phase. + +Full details of the extension are in the PROTOCOL file. + +with markus@ + +OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14 + +Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 +Last-Update: 2023-12-21 + +Patch-Name: CVE-2023-48795.patch + +Reference:https://sources.debian.org/src/openssh/1%3A8.4p1-5%2Bdeb11u3/debian/patches/CVE-2023-48795.patch/ +Conflict:NA +--- + PROTOCOL | 26 +++++++++++++++++ + kex.c | 68 ++++++++++++++++++++++++++++++++----------- + kex.h | 1 + + packet.c | 80 ++++++++++++++++++++++++++++++++++++++------------- + sshconnect2.c | 14 +++------ + sshd.c | 8 ++++-- + 6 files changed, 149 insertions(+), 48 deletions(-) + +diff --git a/PROTOCOL b/PROTOCOL +index f75c1c0..89bddfe 100644 +--- a/PROTOCOL ++++ b/PROTOCOL +@@ -102,6 +102,32 @@ OpenSSH supports the use of ECDH in Curve25519 for key exchange as + described at: + http://git.libssh.org/users/aris/libssh.git/plain/doc/curve25519-sha256@libssh.org.txt?h=curve25519 + ++1.9 transport: strict key exchange extension ++ ++OpenSSH supports a number of transport-layer hardening measures under ++a "strict KEX" feature. This feature is signalled similarly to the ++RFC8308 ext-info feature: by including a additional algorithm in the ++initiial SSH2_MSG_KEXINIT kex_algorithms field. The client may append ++"kex-strict-c-v00@openssh.com" to its kex_algorithms and the server ++may append "kex-strict-s-v00@openssh.com". 
These pseudo-algorithms ++are only valid in the initial SSH2_MSG_KEXINIT and MUST be ignored ++if they are present in subsequent SSH2_MSG_KEXINIT packets. ++ ++When an endpoint that supports this extension observes this algorithm ++name in a peer's KEXINIT packet, it MUST make the following changes to ++the the protocol: ++ ++a) During initial KEX, terminate the connection if any unexpected or ++ out-of-sequence packet is received. This includes terminating the ++ connection if the first packet received is not SSH2_MSG_KEXINIT. ++ Unexpected packets for the purpose of strict KEX include messages ++ that are otherwise valid at any time during the connection such as ++ SSH2_MSG_DEBUG and SSH2_MSG_IGNORE. ++b) After sending or receiving a SSH2_MSG_NEWKEYS message, reset the ++ packet sequence number to zero. This behaviour persists for the ++ duration of the connection (i.e. not just the first ++ SSH2_MSG_NEWKEYS). ++ + 2. Connection protocol changes + + 2.1. connection: Channel write close extension "eow@openssh.com" +diff --git a/kex.c b/kex.c +index 7c5f635..77eb7c0 100644 +--- a/kex.c ++++ b/kex.c +@@ -72,7 +72,7 @@ + #endif + + /* prototype */ +-static int kex_choose_conf(struct ssh *); ++static int kex_choose_conf(struct ssh *, uint32_t seq); + static int kex_input_newkeys(int, u_int32_t, struct ssh *); + + static const char *proposal_names[PROPOSAL_MAX] = { +@@ -215,6 +215,18 @@ kex_names_valid(const char *names) + return 1; + } + ++/* returns non-zero if proposal contains any algorithm from algs */ ++static int ++has_any_alg(const char *proposal, const char *algs) ++{ ++ char *cp; ++ ++ if ((cp = match_list(proposal, algs, NULL)) == NULL) ++ return 0; ++ free(cp); ++ return 1; ++} ++ + /* + * Concatenate algorithm names, avoiding duplicates in the process. + * Caller must free returned string. 
+@@ -222,7 +234,7 @@ kex_names_valid(const char *names) + char * + kex_names_cat(const char *a, const char *b) + { +- char *ret = NULL, *tmp = NULL, *cp, *p, *m; ++ char *ret = NULL, *tmp = NULL, *cp, *p; + size_t len; + + if (a == NULL || *a == '\0') +@@ -239,10 +251,8 @@ kex_names_cat(const char *a, const char *b) + } + strlcpy(ret, a, len); + for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { +- if ((m = match_list(ret, p, NULL)) != NULL) { +- free(m); ++ if (has_any_alg(ret, p)) + continue; /* Algorithm already present */ +- } + if (strlcat(ret, ",", len) >= len || + strlcat(ret, p, len) >= len) { + free(tmp); +@@ -474,7 +484,12 @@ kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh) + { + int r; + +- error("kex protocol error: type %d seq %u", type, seq); ++ /* If in strict mode, any unexpected message is an error */ ++ if ((ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict) { ++ ssh_packet_disconnect(ssh, "strict KEX violation: " ++ "unexpected packet type %u (seqnr %u)", type, seq); ++ } ++ error("%s: type %u seq %u", __func__, type, seq); + if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 || + (r = sshpkt_put_u32(ssh, seq)) != 0 || + (r = sshpkt_send(ssh)) != 0) +@@ -546,6 +561,11 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh) + ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error); + if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0) + return r; ++ if (ninfo >= 1024) { ++ error("SSH2_MSG_EXT_INFO with too many entries, expected " ++ "<=1024, received %u", ninfo); ++ return dispatch_protocol_error(type, seq, ssh); ++ } + for (i = 0; i < ninfo; i++) { + if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0) + return r; +@@ -646,7 +666,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh) + error_f("no kex"); + return SSH_ERR_INTERNAL_ERROR; + } +- ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL); ++ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_protocol_error); + ptr = sshpkt_ptr(ssh, &dlen); + 
if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) + return r; +@@ -682,7 +702,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh) + if (!(kex->flags & KEX_INIT_SENT)) + if ((r = kex_send_kexinit(ssh)) != 0) + return r; +- if ((r = kex_choose_conf(ssh)) != 0) ++ if ((r = kex_choose_conf(ssh, seq)) != 0) + return r; + + if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL) +@@ -960,7 +980,13 @@ proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX]) + } + + static int +-kex_choose_conf(struct ssh *ssh) ++kexalgs_contains(char **peer, const char *ext) ++{ ++ return has_any_alg(peer[PROPOSAL_KEX_ALGS], ext); ++} ++ ++static int ++kex_choose_conf(struct ssh *ssh, uint32_t seq) + { + struct kex *kex = ssh->kex; + struct newkeys *newkeys; +@@ -985,13 +1011,23 @@ kex_choose_conf(struct ssh *ssh) + sprop=peer; + } + +- /* Check whether client supports ext_info_c */ +- if (kex->server && (kex->flags & KEX_INITIAL)) { +- char *ext; +- +- ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL); +- kex->ext_info_c = (ext != NULL); +- free(ext); ++ /* Check whether peer supports ext_info/kex_strict */ ++ if ((kex->flags & KEX_INITIAL) != 0) { ++ if (kex->server) { ++ kex->ext_info_c = kexalgs_contains(peer, "ext-info-c"); ++ kex->kex_strict = kexalgs_contains(peer, ++ "kex-strict-c-v00@openssh.com"); ++ } else { ++ kex->kex_strict = kexalgs_contains(peer, ++ "kex-strict-s-v00@openssh.com"); ++ } ++ if (kex->kex_strict) { ++ debug3("%s: will use strict KEX ordering", __func__); ++ if (seq != 0) ++ ssh_packet_disconnect(ssh, ++ "strict KEX violation: " ++ "KEXINIT was not the first packet"); ++ } + } + + /* Algorithm Negotiation */ +diff --git a/kex.h b/kex.h +index eabae1d..5d3895c 100644 +--- a/kex.h ++++ b/kex.h +@@ -155,6 +155,7 @@ struct kex { + u_int kex_type; + char *server_sig_algs; + int ext_info_c; ++ int kex_strict; + struct sshbuf *my; + struct sshbuf *peer; + struct sshbuf *client_version; +diff --git a/packet.c b/packet.c +index 
f3231e1..16b87f5 100644 +--- a/packet.c ++++ b/packet.c +@@ -1228,8 +1228,13 @@ ssh_packet_send2_wrapped(struct ssh *ssh) + sshbuf_dump(state->output, stderr); + #endif + /* increment sequence number for outgoing packets */ +- if (++state->p_send.seqnr == 0) ++ if (++state->p_send.seqnr == 0) { ++ if ((ssh->kex->flags & KEX_INITIAL) != 0) { ++ ssh_packet_disconnect(ssh, "outgoing sequence number " ++ "wrapped during initial key exchange"); ++ } + logit("outgoing seqnr wraps around"); ++ } + if (++state->p_send.packets == 0) + if (!(ssh->compat & SSH_BUG_NOREKEY)) + return SSH_ERR_NEED_REKEY; +@@ -1237,6 +1242,12 @@ ssh_packet_send2_wrapped(struct ssh *ssh) + state->p_send.bytes += len; + sshbuf_reset(state->outgoing_packet); + ++ if (type == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) { ++ debug("%s: resetting send seqnr %u", __func__, ++ state->p_send.seqnr); ++ state->p_send.seqnr = 0; ++ } ++ + if (type == SSH2_MSG_NEWKEYS) + r = ssh_set_newkeys(ssh, MODE_OUT); + else if (type == SSH2_MSG_USERAUTH_SUCCESS && state->server_side) +@@ -1370,8 +1381,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) + /* Stay in the loop until we have received a complete packet. */ + for (;;) { + /* Try to read a packet from the buffer. */ +- r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p); +- if (r != 0) ++ if ((r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p)) != 0) + break; + /* If we got a packet, return it. 
*/ + if (*typep != SSH_MSG_NONE) +@@ -1658,10 +1668,16 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) + if ((r = sshbuf_consume(state->input, mac->mac_len)) != 0) + goto out; + } ++ + if (seqnr_p != NULL) + *seqnr_p = state->p_read.seqnr; +- if (++state->p_read.seqnr == 0) ++ if (++state->p_read.seqnr == 0) { ++ if ((ssh->kex->flags & KEX_INITIAL) != 0) { ++ ssh_packet_disconnect(ssh, "incoming sequence number " ++ "wrapped during initial key exchange"); ++ } + logit("incoming seqnr wraps around"); ++ } + if (++state->p_read.packets == 0) + if (!(ssh->compat & SSH_BUG_NOREKEY)) + return SSH_ERR_NEED_REKEY; +@@ -1727,6 +1743,11 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) + #endif + /* reset for next packet */ + state->packlen = 0; ++ if (*typep == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) { ++ debug("%s: resetting read seqnr %u", __func__, ++ state->p_read.seqnr); ++ state->p_read.seqnr = 0; ++ } + + if ((r = ssh_packet_check_rekey(ssh)) != 0) + return r; +@@ -1747,10 +1768,39 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) + r = ssh_packet_read_poll2(ssh, typep, seqnr_p); + if (r != 0) + return r; +- if (*typep) { +- state->keep_alive_timeouts = 0; +- DBG(debug("received packet type %d", *typep)); ++ if (*typep == 0) { ++ /* no message ready */ ++ return 0; ++ } ++ state->keep_alive_timeouts = 0; ++ DBG(debug("received packet type %d", *typep)); ++ ++ /* Always process disconnect messages */ ++ if (*typep == SSH2_MSG_DISCONNECT) { ++ if ((r = sshpkt_get_u32(ssh, &reason)) != 0 || ++ (r = sshpkt_get_string(ssh, &msg, NULL)) != 0) ++ return r; ++ /* Ignore normal client exit notifications */ ++ do_log2(ssh->state->server_side && ++ reason == SSH2_DISCONNECT_BY_APPLICATION ? 
++ SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR, ++ "Received disconnect from %s port %d:" ++ "%u: %.400s", ssh_remote_ipaddr(ssh), ++ ssh_remote_port(ssh), reason, msg); ++ free(msg); ++ return SSH_ERR_DISCONNECTED; + } ++ ++ /* ++ * Do not implicitly handle any messages here during initial ++ * KEX when in strict mode. They will be need to be allowed ++ * explicitly by the KEX dispatch table or they will generate ++ * protocol errors. ++ */ ++ if (ssh->kex != NULL && ++ (ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict) ++ return 0; ++ /* Implicitly handle transport-level messages */ + switch (*typep) { + case SSH2_MSG_IGNORE: + debug3("Received SSH2_MSG_IGNORE"); +@@ -1765,19 +1815,6 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) + debug("Remote: %.900s", msg); + free(msg); + break; +- case SSH2_MSG_DISCONNECT: +- if ((r = sshpkt_get_u32(ssh, &reason)) != 0 || +- (r = sshpkt_get_string(ssh, &msg, NULL)) != 0) +- return r; +- /* Ignore normal client exit notifications */ +- do_log2(ssh->state->server_side && +- reason == SSH2_DISCONNECT_BY_APPLICATION ? 
+- SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR, +- "Received disconnect from %s port %d:" +- "%u: %.400s", ssh_remote_ipaddr(ssh), +- ssh_remote_port(ssh), reason, msg); +- free(msg); +- return SSH_ERR_DISCONNECTED; + case SSH2_MSG_UNIMPLEMENTED: + if ((r = sshpkt_get_u32(ssh, &seqnr)) != 0) + return r; +@@ -2321,6 +2358,7 @@ kex_to_blob(struct sshbuf *m, struct kex *kex) + (r = sshbuf_put_u32(m, kex->hostkey_type)) != 0 || + (r = sshbuf_put_u32(m, kex->hostkey_nid)) != 0 || + (r = sshbuf_put_u32(m, kex->kex_type)) != 0 || ++ (r = sshbuf_put_u32(m, kex->kex_strict)) != 0 || + (r = sshbuf_put_stringb(m, kex->my)) != 0 || + (r = sshbuf_put_stringb(m, kex->peer)) != 0 || + (r = sshbuf_put_stringb(m, kex->client_version)) != 0 || +@@ -2483,6 +2521,7 @@ kex_from_blob(struct sshbuf *m, struct kex **kexp) + (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_type)) != 0 || + (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_nid)) != 0 || + (r = sshbuf_get_u32(m, &kex->kex_type)) != 0 || ++ (r = sshbuf_get_u32(m, &kex->kex_strict)) != 0 || + (r = sshbuf_get_stringb(m, kex->my)) != 0 || + (r = sshbuf_get_stringb(m, kex->peer)) != 0 || + (r = sshbuf_get_stringb(m, kex->client_version)) != 0 || +@@ -2810,6 +2849,7 @@ sshpkt_disconnect(struct ssh *ssh, const char *fmt,...) 
+ vsnprintf(buf, sizeof(buf), fmt, args); + va_end(args); + ++ debug2("%s: sending SSH2_MSG_DISCONNECT: %s", __func__, buf); + if ((r = sshpkt_start(ssh, SSH2_MSG_DISCONNECT)) != 0 || + (r = sshpkt_put_u32(ssh, SSH2_DISCONNECT_PROTOCOL_ERROR)) != 0 || + (r = sshpkt_put_cstring(ssh, buf)) != 0 || +diff --git a/sshconnect2.c b/sshconnect2.c +index 82846b5..1827f65 100644 +--- a/sshconnect2.c ++++ b/sshconnect2.c +@@ -236,7 +236,8 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) + fatal_fr(r, "kex_assemble_namelist"); + free(all_key); + +- if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL) ++ if ((s = kex_names_cat(options.kex_algorithms, ++ "ext-info-c,kex-strict-c-v00@openssh.com")) == NULL) + fatal_f("kex_names_cat"); + myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh, s); + myproposal[PROPOSAL_ENC_ALGS_CTOS] = +@@ -430,7 +431,6 @@ struct cauthmethod { + }; + + static int input_userauth_service_accept(int, u_int32_t, struct ssh *); +-static int input_userauth_ext_info(int, u_int32_t, struct ssh *); + static int input_userauth_success(int, u_int32_t, struct ssh *); + static int input_userauth_failure(int, u_int32_t, struct ssh *); + static int input_userauth_banner(int, u_int32_t, struct ssh *); +@@ -554,7 +554,7 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, + + ssh->authctxt = &authctxt; + ssh_dispatch_init(ssh, &input_userauth_error); +- ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &input_userauth_ext_info); ++ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, kex_input_ext_info); + ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_ACCEPT, &input_userauth_service_accept); + ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &authctxt.success); /* loop until success */ + pubkey_cleanup(ssh); +@@ -602,13 +602,6 @@ input_userauth_service_accept(int type, u_int32_t seq, struct ssh *ssh) + return r; + } + +-/* ARGSUSED */ +-static int +-input_userauth_ext_info(int type, u_int32_t seqnr, struct ssh *ssh) +-{ +- return 
kex_input_ext_info(type, seqnr, ssh); +-} +- + void + userauth(struct ssh *ssh, char *authlist) + { +@@ -690,6 +683,7 @@ input_userauth_success(int type, u_int32_t seq, struct ssh *ssh) + free(authctxt->methoddata); + authctxt->methoddata = NULL; + authctxt->success = 1; /* break out */ ++ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, dispatch_protocol_error); + return 0; + } + +diff --git a/sshd.c b/sshd.c +index ed5f075..e544b0c 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -2494,10 +2494,13 @@ do_ssh2_kex(struct ssh *ssh) + char *myproposal[PROPOSAL_MAX] = { KEX_SERVER }; + struct kex *kex; + char *prop_kex = NULL, *prop_enc = NULL, *prop_hostkey = NULL; ++ char *s; + int r; + +- myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh, +- options.kex_algorithms); ++ if ((s = kex_names_cat(options.kex_algorithms, ++ "kex-strict-s-v00@openssh.com")) == NULL) ++ fatal("%s: kex_names_cat", __func__); ++ myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh, s); + myproposal[PROPOSAL_ENC_ALGS_CTOS] = + myproposal[PROPOSAL_ENC_ALGS_STOC] = prop_enc = + compat_cipher_proposal(ssh, options.ciphers); +@@ -2615,6 +2618,7 @@ do_ssh2_kex(struct ssh *ssh) + free(prop_kex); + free(prop_enc); + free(prop_hostkey); ++ free(s); + debug("KEX done"); + } + +-- +2.33.0 + diff --git a/backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch b/backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch new file mode 100644 index 0000000..d1af122 --- /dev/null +++ b/backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch 
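Review bot: In the `kex_from_blob` hunk of packet.c, `&kex->kex_strict` is handed to `sshbuf_get_u32` as an `int *` while the neighbouring `hostkey_type` and `hostkey_nid` fields on the same statement are cast with `(u_int *)`; the kex.h hunk declares `int kex_strict;`, so this line will draw a pointer-sign warning under flags that are clean for its neighbours. Suggest `(r = sshbuf_get_u32(m, (u_int *)&kex->kex_strict)) != 0 ||` for consistency with the surrounding lines. Separately, the new sequence-number-wrap checks in `ssh_packet_send2_wrapped` and `ssh_packet_read_poll2` dereference `ssh->kex->flags` and `ssh->kex->kex_strict` unconditionally, whereas the strict-mode early return added to `ssh_packet_read_poll_seqnr` first tests `ssh->kex != NULL`; if `ssh->kex` can be unset on those paths the same guard belongs there too, and if it cannot, a one-line comment saying so would stop the asymmetry from looking like an oversight. All of these functions start and end outside the hunk.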
@@ -0,0 +1,101 @@ +From 7ef3787c84b6b524501211b11a26c742f829af1a Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Mon, 18 Dec 2023 14:47:44 +0000 +Subject: [PATCH] upstream: ban user/hostnames with most shell metacharacters + +This makes ssh(1) refuse user or host names provided on the +commandline that contain most shell metacharacters. + +Some programs that invoke ssh(1) using untrusted data do not filter +metacharacters in arguments they supply. This could create +interactions with user-specified ProxyCommand and other directives +that allow shell injection attacks to occur. + +It's a mistake to invoke ssh(1) with arbitrary untrusted arguments, +but getting this stuff right can be tricky, so this should prevent +most obvious ways of creating risky situations. It however is not +and cannot be perfect: ssh(1) has no practical way of interpreting +what shell quoting rules are in use and how they interact with the +user's specified ProxyCommand. + +To allow configurations that use strange user or hostnames to +continue to work, this strictness is applied only to names coming +from the commandline. Names specified using User or Hostname +directives in ssh_config(5) are not affected. 
+ +feedback/ok millert@ markus@ dtucker@ deraadt@ + +OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9 + +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=7ef3787c84b6b524501211b11a26c742f829af1a +--- + ssh.c | 41 ++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 40 insertions(+), 1 deletion(-) + +diff --git a/ssh.c b/ssh.c +index 35c48e62d..48d93ddf2 100644 +--- a/ssh.c ++++ b/ssh.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh.c,v 1.578 2022/10/13 09:09:28 jsg Exp $ */ ++/* $OpenBSD: ssh.c,v 1.599 2023/12/18 14:47:44 djm Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -626,6 +626,41 @@ ssh_conn_info_free(struct ssh_conn_info *cinfo) + free(cinfo); + } + ++static int ++valid_hostname(const char *s) ++{ ++ size_t i; ++ ++ if (*s == '-') ++ return 0; ++ for (i = 0; s[i] != 0; i++) { ++ if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL || ++ isspace((u_char)s[i]) || iscntrl((u_char)s[i])) ++ return 0; ++ } ++ return 1; ++} ++ ++static int ++valid_ruser(const char *s) ++{ ++ size_t i; ++ ++ if (*s == '-') ++ return 0; ++ for (i = 0; s[i] != 0; i++) { ++ if (strchr("'`\";&<>|(){}", s[i]) != NULL) ++ return 0; ++ /* Disallow '-' after whitespace */ ++ if (isspace((u_char)s[i]) && s[i + 1] == '-') ++ return 0; ++ /* Disallow \ in last position */ ++ if (s[i] == '\\' && s[i + 1] == '\0') ++ return 0; ++ } ++ return 1; ++} ++ + /* + * Main program for the ssh client. + */ +@@ -1118,6 +1153,10 @@ main(int ac, char **av) + if (!host) + usage(); + ++ if (!valid_hostname(host)) ++ fatal("hostname contains invalid characters"); ++ if (options.user != NULL && !valid_ruser(options.user)) ++ fatal("remote username contains invalid characters"); + host_arg = xstrdup(host); + + /* Initialize the command to execute on remote host. */ +-- +2.23.0 + 
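Review bot: `valid_hostname` and `valid_ruser` in the ssh.c hunk carry no comment explaining their scope or why their character lists differ: the commit message says the check applies only to names given on the command line and that User/Hostname from ssh_config are exempt, and `valid_ruser` tolerates `$`, whitespace and a non-trailing `\` that `valid_hostname` rejects. A reader of ssh.c alone will not see that reasoning and may later tighten or relax one list without the other. Suggest a header comment on both functions, e.g. `/* Reject command-line user/host names containing shell metacharacters; names from ssh_config (User/Hostname) are deliberately not checked here. */`, plus a one-line note in `valid_ruser` on why `$`, `\` and whitespace are permitted for user names (presumably domain-style names — confirm before writing it as fact). Note also that `valid_hostname("")` returns 1, since the preceding `if (!host) usage();` only catches NULL; if an empty host cannot reach this point that is fine, but the empty-string case is not covered by the loop.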
diff --git a/backport-Defer-seed_rng-until-after-closefrom-call.patch b/backport-Defer-seed_rng-until-after-closefrom-call.patch new file mode 100644 index 0000000..fd61de3 --- /dev/null +++ b/backport-Defer-seed_rng-until-after-closefrom-call.patch @@ -0,0 +1,39 @@ +From cf1a9852d7fc93e4abc4168aed09529a57427cdc Mon Sep 17 00:00:00 2001 +From: Darren Tucker <dtucker@dtucker.net> +Date: Wed, 9 Nov 2022 09:23:47 +1100 +Subject: [PATCH] Defer seed_rng until after closefrom call. + +seed_rng will initialize OpenSSL, and some engine providers (eg Intel's +QAT) will open descriptors for their own use. bz#3483, patch from +joel.d.schuetze at intel.com, ok djm@ +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=cf1a9852d7fc93e4abc4168aed09529a57427cdc +--- + sshd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sshd.c b/sshd.c +index b4bb7d65..808d91ef 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -1580,8 +1580,6 @@ main(int ac, char **av) + /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ + sanitise_stdfd(); + +- seed_rng(); +- + /* Initialize configuration options to their default values. */ + initialize_server_options(&options); + +@@ -1703,6 +1701,8 @@ main(int ac, char **av) + else + closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); + ++ seed_rng(); ++ + /* If requested, redirect the logs to the specified logfile. */ + if (logfile != NULL) + log_redirect_stderr_to(logfile); +-- +2.27.0 + diff --git a/backport-Don-t-leak-the-strings-allocated-by-order_h.patch b/backport-Don-t-leak-the-strings-allocated-by-order_h.patch new file mode 100644 index 0000000..9b14806 --- /dev/null +++ b/backport-Don-t-leak-the-strings-allocated-by-order_h.patch 
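Review bot: Moving `seed_rng()` from just after `sanitise_stdfd()` to after the `closefrom()` call widens the window in sshd's `main` during which the RNG is not yet seeded; anything in between that draws randomness would now run unseeded. The hunk does not show that region, so this should be confirmed against the surrounding sshd.c rather than assumed safe, and a brief comment at the new call site such as `/* Seed after closefrom(): OpenSSL engines (e.g. QAT) may open fds that closefrom() would otherwise drop. bz#3483 */` would record why the order matters. `main` starts and ends outside the hunk.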
@@ -0,0 +1,130 @@ +From 6c31ba10e97b6953c4f325f526f3e846dfea647a Mon Sep 17 00:00:00 2001 +From: "dtucker@openbsd.org" <dtucker@openbsd.org> +Date: Fri, 1 Jul 2022 03:39:44 +0000 +Subject: upstream: Don't leak the strings allocated by order_hostkeyalgs() + +and list_hostkey_types() that are passed to compat_pkalg_proposal(). Part of +github PR#324 from ZoltanFridrich, ok djm@ + +This is a roll-forward of the previous rollback now that the required +changes in compat.c have been done. + +OpenBSD-Commit-ID: c7cd93730b3b9f53cdad3ae32462922834ef73eb + +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/patch/?id=6c31ba10e97b6953c4f325f526f3e846dfea647a + +--- + sshconnect2.c | 16 ++++++++++------ + sshd.c | 17 +++++++++++------ + 2 files changed, 21 insertions(+), 12 deletions(-) + +diff --git a/sshconnect2.c b/sshconnect2.c +index 150d419..eb0df92 100644 +--- a/sshconnect2.c ++++ b/sshconnect2.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: sshconnect2.c,v 1.351 2021/07/23 05:24:02 djm Exp $ */ ++/* $OpenBSD: sshconnect2.c,v 1.359 2022/07/01 03:39:44 dtucker Exp $ */ + /* + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * Copyright (c) 2008 Damien Miller. All rights reserved. 
+@@ -218,6 +218,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, + { + char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; + char *s, *all_key; ++ char *prop_kex = NULL, *prop_enc = NULL, *prop_hostkey = NULL; + int r, use_known_hosts_order = 0; + + #if defined(GSSAPI) && defined(WITH_OPENSSL) +@@ -248,10 +249,9 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, + + if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL) + fatal_f("kex_names_cat"); +- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, s); ++ myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh, s); + myproposal[PROPOSAL_ENC_ALGS_CTOS] = +- compat_cipher_proposal(ssh, options.ciphers); +- myproposal[PROPOSAL_ENC_ALGS_STOC] = ++ myproposal[PROPOSAL_ENC_ALGS_STOC] = prop_enc = + compat_cipher_proposal(ssh, options.ciphers); + myproposal[PROPOSAL_COMP_ALGS_CTOS] = + myproposal[PROPOSAL_COMP_ALGS_STOC] = +@@ -260,12 +260,12 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, + myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; + if (use_known_hosts_order) { + /* Query known_hosts and prefer algorithms that appear there */ +- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = ++ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey = + compat_pkalg_proposal(ssh, + order_hostkeyalgs(host, hostaddr, port, cinfo)); + } else { + /* Use specified HostkeyAlgorithms exactly */ +- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = ++ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey = + compat_pkalg_proposal(ssh, options.hostkeyalgorithms); + } + +@@ -380,6 +380,10 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, + (r = ssh_packet_write_wait(ssh)) != 0) + fatal_fr(r, "send packet"); + #endif ++ /* Free only parts of proposal that were dynamically allocated here. 
*/ ++ free(prop_kex); ++ free(prop_enc); ++ free(prop_hostkey); + } + + /* +diff --git a/sshd.c b/sshd.c +index 98a9754..6c77f07 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: sshd.c,v 1.578 2021/07/19 02:21:50 dtucker Exp $ */ ++/* $OpenBSD: sshd.c,v 1.589 2022/07/01 03:39:44 dtucker Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -2522,12 +2522,14 @@ do_ssh2_kex(struct ssh *ssh) + { + char *myproposal[PROPOSAL_MAX] = { KEX_SERVER }; + struct kex *kex; ++ char *prop_kex = NULL, *prop_enc = NULL, *prop_hostkey = NULL; + int r; + +- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, ++ myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh, + options.kex_algorithms); +- myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(ssh, +- options.ciphers); ++ myproposal[PROPOSAL_ENC_ALGS_CTOS] = ++ myproposal[PROPOSAL_ENC_ALGS_STOC] = prop_enc = ++ compat_cipher_proposal(ssh, options.ciphers); + myproposal[PROPOSAL_ENC_ALGS_STOC] = compat_cipher_proposal(ssh, + options.ciphers); + myproposal[PROPOSAL_MAC_ALGS_CTOS] = +@@ -2542,8 +2544,8 @@ do_ssh2_kex(struct ssh *ssh) + ssh_packet_set_rekey_limits(ssh, options.rekey_limit, + options.rekey_interval); + /* coverity[leaked_storage : FALSE]*/ +- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( +- ssh, list_hostkey_types()); ++ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey = ++ compat_pkalg_proposal(ssh, list_hostkey_types()); + + #if defined(GSSAPI) && defined(WITH_OPENSSL) + { +@@ -2639,6 +2641,9 @@ do_ssh2_kex(struct ssh *ssh) + (r = ssh_packet_write_wait(ssh)) != 0) + fatal_fr(r, "send test"); + #endif ++ free(prop_kex); ++ free(prop_enc); ++ free(prop_hostkey); + debug("KEX done"); + } + +-- +2.33.0 + 
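Review bot: In the sshd.c part of this backport the `do_ssh2_kex` change assigns `myproposal[PROPOSAL_ENC_ALGS_STOC]` twice: the new combined assignment sets it to `prop_enc`, but the two context lines immediately after it, `myproposal[PROPOSAL_ENC_ALGS_STOC] = compat_cipher_proposal(ssh,` / `options.ciphers);`, survive and overwrite the slot with a second allocation that is never freed. That leaves the very leak the patch is meant to fix in place for the STOC slot and has CTOS and STOC pointing at different buffers; those two lines should be deleted (the hunk's line counts still balance with them as context, so the removal appears to have been lost in the backport rather than in the original). The sshconnect2.c part of the patch does not have this problem. `do_ssh2_kex` continues outside the hunk.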
diff --git a/backport-Return-ERANGE-from-getcwd-if-buffer-size-is-1.patch b/backport-Return-ERANGE-from-getcwd-if-buffer-size-is-1.patch new file mode 100644 index 0000000..17387d2 --- /dev/null +++ b/backport-Return-ERANGE-from-getcwd-if-buffer-size-is-1.patch @@ -0,0 +1,43 @@ +From 527cb43fa1b4e55df661feabbac51b8e608b6519 Mon Sep 17 00:00:00 2001 +From: Darren Tucker <dtucker@dtucker.net> +Date: Thu, 14 Jul 2022 11:22:08 +1000 +Subject: Return ERANGE from getcwd() if buffer size is 1. + +If getcwd() is supplied a buffer size of exactly 1 and a path of "/", it +could result in a nul byte being written out of array bounds. POSIX says +it should return ERANGE if the path will not fit in the available buffer +(with terminating nul). 1 byte cannot fit any possible path with its nul, +so immediately return ERANGE in that case. + +OpenSSH never uses getcwd() with this buffer size, and all current +(and even quite old) platforms that we are currently known to work +on have a native getcwd() so this code is not used on those anyway. +Reported by Qualys, ok djm@ + +Reference:https://anongit.mindrot.org/openssh.git/patch/?id=527cb43fa1b4e55df661feabbac51b8e608b6519 +Conflict:NA +--- + openbsd-compat/getcwd.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/openbsd-compat/getcwd.c b/openbsd-compat/getcwd.c +index e4f7f5a..a403a01 100644 +--- a/openbsd-compat/getcwd.c ++++ b/openbsd-compat/getcwd.c +@@ -71,9 +71,12 @@ getcwd(char *pt, size_t size) + */ + if (pt) { + ptsize = 0; +- if (!size) { ++ if (size == 0) { + errno = EINVAL; + return (NULL); ++ } else if (size == 1) { ++ errno = ERANGE; ++ return (NULL); + } + ept = pt + size; + } else { +-- +2.33.0 + diff --git a/backport-Skip-scp3-test-if-there-s-no-scp-on-remote-path.patch b/backport-Skip-scp3-test-if-there-s-no-scp-on-remote-path.patch new file mode 100644 index 0000000..60f4b9d --- /dev/null +++ b/backport-Skip-scp3-test-if-there-s-no-scp-on-remote-path.patch 
@@ -0,0 +1,34 @@ +From ea7ecc2c3ae39fdf5c6ad97b7bc0b47a98847f43 Mon Sep 17 00:00:00 2001 +From: Darren Tucker <dtucker@dtucker.net> +Date: Sat, 23 Jul 2022 14:36:38 +1000 +Subject: [PATCH] Skip scp3 test if there's no scp on remote path. + +scp -3 ends up using the scp that's in the remote path and will fail if +one is not available. Based on a patch from rapier at psc.edu. + +Reference:https://github.com/openssh/openssh-portable/commit/ea7ecc2c3ae39fdf5c6ad97b7bc0b47a98847f43 +Conflict:NA +--- + regress/scp3.sh | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/regress/scp3.sh b/regress/scp3.sh +index f71b1567..47db47cd 100644 +--- a/regress/scp3.sh ++++ b/regress/scp3.sh +@@ -9,6 +9,12 @@ COPY2=${OBJ}/copy2 + DIR=${COPY}.dd + DIR2=${COPY}.dd2 + ++$SSH -F $OBJ/ssh_proxy somehost \ ++ 'IFS=":"; for i in $PATH;do [ -x "$i/scp" ] && exit 0; done; exit 1' ++if [ $? -eq 1 ]; then ++ skip "No scp on remote path." ++fi ++ + SRC=`dirname ${SCRIPT}` + cp ${SRC}/scp-ssh-wrapper.sh ${OBJ}/scp-ssh-wrapper.scp + chmod 755 ${OBJ}/scp-ssh-wrapper.scp +-- +2.23.0 + diff --git a/backport-adapt-compat_kex_proposal-test-to-portable.patch b/backport-adapt-compat_kex_proposal-test-to-portable.patch new file mode 100644 index 0000000..2871639 --- /dev/null +++ b/backport-adapt-compat_kex_proposal-test-to-portable.patch 
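Review bot: The guard `if [ $? -eq 1 ]; then` in the regress/scp3.sh hunk treats only exit status 1 as "no scp on the remote path"; if `$SSH` itself fails (it exits 255 on connection or proxy errors) the status is neither 0 nor 1, the skip is bypassed and the test proceeds to fail with a less useful message. Either test `-ne 0` if any failure should skip, or add a comment making the choice explicit, e.g. `# exit 1 means no scp was found; any other failure is a real test error and must not be skipped`. Capturing `$?` into a named variable on the line after the continued `$SSH` command would also make the status being tested easier to read.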
@@ -0,0 +1,51 @@ +From 9fe207565b4ab0fe5d1ac5bb85e39188d96fb214 Mon Sep 17 00:00:00 2001 +From: Damien Miller <djm@mindrot.org> +Date: Thu, 2 Feb 2023 23:17:49 +1100 +Subject: [PATCH] adapt compat_kex_proposal() test to portable + +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=9fe207565b4ab0fe5d1ac5bb85e39188d96fb214 +--- + Makefile.in | 1 + + regress/unittests/kex/test_proposal.c | 6 +++++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/Makefile.in b/Makefile.in +index 18f6ac9e..c0ebfa04 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -616,6 +616,7 @@ regress/unittests/conversion/test_conversion$(EXEEXT): \ + UNITTESTS_TEST_KEX_OBJS=\ + regress/unittests/kex/tests.o \ + regress/unittests/kex/test_kex.o \ ++ regress/unittests/kex/test_proposal.o \ + $(SKOBJS) + + regress/unittests/kex/test_kex$(EXEEXT): ${UNITTESTS_TEST_KEX_OBJS} \ +diff --git a/regress/unittests/kex/test_proposal.c b/regress/unittests/kex/test_proposal.c +index b89ff59b..d6cf0f5d 100644 +--- a/regress/unittests/kex/test_proposal.c ++++ b/regress/unittests/kex/test_proposal.c +@@ -5,14 +5,18 @@ + * Placed in the public domain + */ + ++#include "includes.h" ++ + #include <sys/types.h> + #include <signal.h> + #include <stdio.h> ++#ifdef HAVE_STDINT_H + #include <stdint.h> ++#endif + #include <stdlib.h> + #include <string.h> + +-#include "test_helper.h" ++#include "../test_helper/test_helper.h" + + #include "compat.h" + #include "ssherr.h" +-- +2.27.0 + diff --git a/backport-don-t-test-IPv6-addresses-if-platform-lacks-support.patch b/backport-don-t-test-IPv6-addresses-if-platform-lacks-support.patch new file mode 100644 index 0000000..4ae1885 --- /dev/null +++ b/backport-don-t-test-IPv6-addresses-if-platform-lacks-support.patch 
@@ -0,0 +1,52 @@ +From dd1249bd5c45128a908395c61b26996a70f82205 Mon Sep 17 00:00:00 2001 +From: Damien Miller <djm@mindrot.org> +Date: Sun, 8 Jan 2023 12:08:59 +1100 +Subject: [PATCH] don't test IPv6 addresses if platform lacks support + +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=dd1249bd5c45128a908395c61b26996a70f82205 + +--- + regress/dynamic-forward.sh | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh +index f6c2393..1bfe05a 100644 +--- a/regress/dynamic-forward.sh ++++ b/regress/dynamic-forward.sh +@@ -17,6 +17,11 @@ else + fi + trace "will use ProxyCommand $proxycmd" + ++# This is a reasonable proxy for IPv6 support. ++if ! config_defined HAVE_STRUCT_IN6_ADDR ; then ++ SKIP_IPV6=yes ++fi ++ + start_ssh() { + direction="$1" + arg="$2" +@@ -96,14 +101,16 @@ for d in D R; do + stop_ssh + + verbose "PermitRemoteOpen=explicit" +- start_ssh $d \ +- PermitRemoteOpen="127.0.0.1:$PORT [::1]:$PORT localhost:$PORT" ++ permit="127.0.0.1:$PORT [::1]:$PORT localhost:$PORT" ++ test -z "$SKIP_IPV6" || permit="127.0.0.1:$PORT localhost:$PORT" ++ start_ssh $d PermitRemoteOpen="$permit" + check_socks $d Y + stop_ssh + + verbose "PermitRemoteOpen=disallowed" +- start_ssh $d \ +- PermitRemoteOpen="127.0.0.1:1 [::1]:1 localhost:1" ++ permit="127.0.0.1:1 [::1]:1 localhost:1" ++ test -z "$SKIP_IPV6" || permit="127.0.0.1:1 localhost:1" ++ start_ssh $d PermitRemoteOpen="$permit" + check_socks $d N + stop_ssh + done +-- +2.27.0 + diff --git a/backport-fix-CVE-2023-38408-upstream-terminate-process.patch b/backport-fix-CVE-2023-38408-upstream-terminate-process.patch new file mode 100644 index 0000000..f78551c --- /dev/null +++ b/backport-fix-CVE-2023-38408-upstream-terminate-process.patch 
@@ -0,0 +1,43 @@ +From 892506b13654301f69f9545f48213fc210e5c5cc Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Wed, 19 Jul 2023 13:55:53 +0000 +Subject: [PATCH] upstream: terminate process if requested to load a +PKCS#11 + provider + +that isn't a PKCS#11 provider; from / ok markus@ + +OpenBSD-Commit-ID: 39532cf18b115881bb4cfaee32084497aadfa05c + +Reference:https://anongit.mindrot.org/openssh.git/patch/?id=892506b1365 +Conflict:pkcs11_initialize_provider +--- + ssh-pkcs11.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c +index 995841f..b96021f 100644 +--- a/ssh-pkcs11.c ++++ b/ssh-pkcs11.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh-pkcs11.c,v 1.54 2021/08/11 05:20:17 djm Exp $ */ ++/* $OpenBSD: ssh-pkcs11.c,v 1.57 2023/07/19 13:55:53 djm Exp $ */ + /* + * Copyright (c) 2010 Markus Friedl. All rights reserved. + * Copyright (c) 2014 Pedro Martelletto. All rights reserved. +@@ -1743,10 +1743,8 @@ pkcs11_initialize_provider(struct pkcs11_uri *uri, struct pkcs11_provider **prov + error("dlopen %s failed: %s", provider_module, dlerror()); + goto fail; + } +- if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) { +- error("dlsym(C_GetFunctionList) failed: %s", dlerror()); +- goto fail; +- } ++ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) ++ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror()); + + p->module->handle = handle; + /* setup the pkcs11 callbacks */ +-- +2.23.0 + diff --git a/backport-fix-CVE-2024-6387.patch b/backport-fix-CVE-2024-6387.patch new file mode 100644 index 0000000..993151b --- /dev/null +++ b/backport-fix-CVE-2024-6387.patch 
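Review bot: Replacing `error(); goto fail;` with `fatal()` after the failed `dlsym(handle, "C_GetFunctionList")` makes a non-PKCS#11 module terminate the process, which is the intended hardening, but note that the `dlopen()` on the preceding context line has already loaded the library (and run its constructors) by the time this check fires, so it bounds what happens afterwards rather than preventing the load; the check that decides which provider paths may reach this `dlopen()` at all (ssh-agent's provider allowlist, if this version carries it) is outside the hunk and stays the primary control. The `Conflict:pkcs11_initialize_provider` trailer shows the hunk was re-targeted by hand from upstream's function, so it is worth confirming this is the only provider-loading path in this tree. A one-line comment above the call would keep the intent through the next rebase: `/* Not a PKCS#11 module: terminate rather than continue with a foreign library loaded (CVE-2023-38408). */`.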
@@ -0,0 +1,28 @@ +Reference:https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt +Conflict:NA +--- + log.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/log.c b/log.c +index dca08e4..5ca403a 100644 +--- a/log.c ++++ b/log.c +@@ -458,12 +458,14 @@ void + sshsigdie(const char *file, const char *func, int line, int showfunc, + LogLevel level, const char *suffix, const char *fmt, ...) + { ++#if 0 + va_list args; + + va_start(args, fmt); + sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL, + suffix, fmt, args); + va_end(args); ++#endif + _exit(1); + } + +-- +2.33.0 + diff --git a/backport-fix-possible-NULL-deref-when-built-without-FIDO.patch b/backport-fix-possible-NULL-deref-when-built-without-FIDO.patch new file mode 100644 index 0000000..125a41b --- /dev/null +++ b/backport-fix-possible-NULL-deref-when-built-without-FIDO.patch @@ -0,0 +1,30 @@ +From 7d25b37fb2a5ff4dadabcbdac6087a97479434f5 Mon Sep 17 00:00:00 2001 +From: Damien Miller <djm@mindrot.org> +Date: Fri, 24 Jun 2022 13:46:39 +1000 +Subject: [PATCH] fix possible NULL deref when built without FIDO + +Analysis/fix from kircher in bz3443; ok dtucker@ +--- + ssh-sk.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ssh-sk.c b/ssh-sk.c +index d254e77..79bc682 100644 +--- a/ssh-sk.c ++++ b/ssh-sk.c +@@ -118,10 +118,11 @@ sshsk_open(const char *path) + ret->sk_enroll = ssh_sk_enroll; + ret->sk_sign = ssh_sk_sign; + ret->sk_load_resident_keys = ssh_sk_load_resident_keys; ++ return ret; + #else + error("internal security key support not enabled"); ++ goto fail; + #endif +- return ret; + } + if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) { + error("Provider \"%s\" dlopen failed: %s", path, dlerror()); +-- +1.8.3.1 + diff --git a/openssh-4.3p2-askpass-grab-info.patch b/backport-openssh-4.3p2-askpass-grab-info.patch index 120ed1b..5a21289 100644 --- a/openssh-4.3p2-askpass-grab-info.patch +++ b/backport-openssh-4.3p2-askpass-grab-info.patch 
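Review bot: The `#if 0` around the body of `sshsigdie()` leaves no explanation in the code of why a fatal-level diagnostic is being dropped, and every parameter of the function becomes unused, so the next reader, or the next rebase (this patch cites only the advisory URL, no upstream commit), has nothing telling them the body must not come back. Put the reason in a comment in place of the disabled block, e.g. `/* No logging here: per the referenced advisory sshsigdie() is reached from a signal handler, and sshlogv()/syslog() are not async-signal-safe (CVE-2024-6387). */`, optionally with `(void)` casts of the parameters if the build uses -Wunused-parameter. The signal-handler caller is outside this hunk, so also confirm that no other path in this tree calls `sshsigdie()` expecting its message to be logged.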
@@ -1,6 +1,7 @@ diff -up openssh-8.6p1/contrib/gnome-ssh-askpass2.c.grab-info openssh-8.6p1/contrib/gnome-ssh-askpass2.c --- openssh-8.6p1/contrib/gnome-ssh-askpass2.c.grab-info 2021-04-19 13:57:11.720113536 +0200 +++ openssh-8.6p1/contrib/gnome-ssh-askpass2.c 2021-04-19 13:59:29.842163204 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-4.3p2-askpass-grab-info.patch @@ -70,8 +70,12 @@ report_failed_grab (GtkWidget *parent_wi err = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0, diff --git a/openssh-5.1p1-askpass-progress.patch b/backport-openssh-5.1p1-askpass-progress.patch index ff609da..ec1ce07 100644 --- a/openssh-5.1p1-askpass-progress.patch +++ b/backport-openssh-5.1p1-askpass-progress.patch @@ -1,6 +1,7 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contrib/gnome-ssh-askpass2.c --- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress 2016-12-19 05:59:41.000000000 +0100 +++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:16.545211926 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-5.1p1-askpass-progress.patch @@ -53,6 +53,7 @@ #include <unistd.h> diff --git a/openssh-5.8p2-sigpipe.patch b/backport-openssh-5.8p2-sigpipe.patch index 554e346..df830b6 100644 --- a/openssh-5.8p2-sigpipe.patch +++ b/backport-openssh-5.8p2-sigpipe.patch 
@@ -1,14 +1,13 @@ diff -up openssh-5.8p2/ssh-keyscan.c.sigpipe openssh-5.8p2/ssh-keyscan.c --- openssh-5.8p2/ssh-keyscan.c.sigpipe 2011-08-23 18:30:33.873025916 +0200 +++ openssh-5.8p2/ssh-keyscan.c 2011-08-23 18:32:24.574025362 +0200 -@@ -715,6 +715,9 @@ main(int argc, char **argv) - if (maxfd > fdlim_get(0)) +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-5.8p2-sigpipe.patch +@@ -715,6 +715,8 @@ main(int argc, char **argv) fdlim_set(maxfd); fdcon = xcalloc(maxfd, sizeof(con)); -+ + + signal(SIGPIPE, SIG_IGN); + - read_wait = xcalloc(maxfd, sizeof(struct pollfd)); - for (j = 0; j < maxfd; j++) - read_wait[j].fd = -1; + read_wait_nfdset = howmany(maxfd, NFDBITS); + read_wait = xcalloc(read_wait_nfdset, sizeof(fd_mask)); diff --git a/openssh-5.9p1-ipv6man.patch b/backport-openssh-5.9p1-ipv6man.patch index ece1a73..1bc42a8 100644 --- a/openssh-5.9p1-ipv6man.patch +++ b/backport-openssh-5.9p1-ipv6man.patch @@ -1,6 +1,7 @@ diff -up openssh-5.9p0/ssh.1.ipv6man openssh-5.9p0/ssh.1 --- openssh-5.9p0/ssh.1.ipv6man 2011-08-05 22:17:32.000000000 +0200 +++ openssh-5.9p0/ssh.1 2011-08-31 13:08:34.880024485 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-5.9p1-ipv6man.patch @@ -1400,6 +1400,8 @@ manual page for more information. .Nm exits with the exit status of the remote command or with 255 @@ -13,6 +14,7 @@ diff -up openssh-5.9p0/ssh.1.ipv6man openssh-5.9p0/ssh.1 diff -up openssh-5.9p0/sshd.8.ipv6man openssh-5.9p0/sshd.8 --- openssh-5.9p0/sshd.8.ipv6man 2011-08-05 22:17:32.000000000 +0200 +++ openssh-5.9p0/sshd.8 2011-08-31 13:10:34.129039094 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-5.9p1-ipv6man.patch @@ -940,6 +940,8 @@ concurrently for different ports, this c started last). The content of this file is not sensitive; it can be world-readable. 
diff --git a/backport-openssh-6.3p1-ctr-evp-fast.patch b/backport-openssh-6.3p1-ctr-evp-fast.patch new file mode 100644 index 0000000..e430043 --- /dev/null +++ b/backport-openssh-6.3p1-ctr-evp-fast.patch 
@@ -0,0 +1,102 @@ +diff -up openssh-5.9p1/cipher-ctr.c.ctr-evp openssh-5.9p1/cipher-ctr.c +--- openssh-5.9p1/cipher-ctr.c.ctr-evp 2012-01-11 09:24:06.000000000 +0100 ++++ openssh-5.9p1/cipher-ctr.c 2012-01-11 15:54:04.675956600 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.3p1-ctr-evp-fast.patch +@@ -38,7 +38,7 @@ void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, in + + struct ssh_aes_ctr_ctx + { +- AES_KEY aes_ctx; ++ EVP_CIPHER_CTX ecbctx; + u_char aes_counter[AES_BLOCK_SIZE]; + }; + +@@ -63,21 +63,42 @@ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char + { + struct ssh_aes_ctr_ctx *c; + size_t n = 0; +- u_char buf[AES_BLOCK_SIZE]; ++ u_char ctrbuf[AES_BLOCK_SIZE*256]; ++ u_char buf[AES_BLOCK_SIZE*256]; + + if (len == 0) + return (1); + if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) + return (0); + +- while ((len--) > 0) { ++ for (; len > 0; len -= sizeof(u_int)) { ++ u_int r,a,b; ++ + if (n == 0) { +- AES_encrypt(c->aes_counter, buf, &c->aes_ctx); +- ssh_ctr_inc(c->aes_counter, AES_BLOCK_SIZE); ++ int outl, i, buflen; ++ ++ buflen = MIN(len, sizeof(ctrbuf)); ++ ++ for(i = 0; i < buflen; i += AES_BLOCK_SIZE) { ++ memcpy(&ctrbuf[i], c->aes_counter, AES_BLOCK_SIZE); ++ ssh_ctr_inc(c->aes_counter, AES_BLOCK_SIZE); ++ } ++ ++ EVP_EncryptUpdate(&c->ecbctx, buf, &outl, ++ ctrbuf, buflen); + } +- *(dest++) = *(src++) ^ buf[n]; +- n = (n + 1) % AES_BLOCK_SIZE; ++ ++ memcpy(&a, src, sizeof(a)); ++ memcpy(&b, &buf[n], sizeof(b)); ++ r = a ^ b; ++ memcpy(dest, &r, sizeof(r)); ++ src += sizeof(a); ++ dest += sizeof(r); ++ ++ n = (n + sizeof(b)) % sizeof(buf); + } ++ memset(ctrbuf, '\0', sizeof(ctrbuf)); ++ memset(buf, '\0', sizeof(buf)); + return (1); + } + +@@ -91,9 +112,28 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, co + c = xmalloc(sizeof(*c)); + EVP_CIPHER_CTX_set_app_data(ctx, c); + } +- if (key != NULL) +- AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, +- &c->aes_ctx); ++ ++ EVP_CIPHER_CTX_init(&c->ecbctx); ++ ++ if (key != 
NULL) { ++ const EVP_CIPHER *cipher; ++ switch(EVP_CIPHER_CTX_key_length(ctx)*8) { ++ case 128: ++ cipher = EVP_aes_128_ecb(); ++ break; ++ case 192: ++ cipher = EVP_aes_192_ecb(); ++ break; ++ case 256: ++ cipher = EVP_aes_256_ecb(); ++ break; ++ default: ++ fatal("ssh_aes_ctr_init: wrong aes key length"); ++ } ++ if(!EVP_EncryptInit_ex(&c->ecbctx, cipher, NULL, key, NULL)) ++ fatal("ssh_aes_ctr_init: cannot initialize aes encryption"); ++ EVP_CIPHER_CTX_set_padding(&c->ecbctx, 0); ++ } + if (iv != NULL) + memcpy(c->aes_counter, iv, AES_BLOCK_SIZE); + return (1); +@@ -105,6 +145,7 @@ ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx) + struct ssh_aes_ctr_ctx *c; + + if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) { ++ EVP_CIPHER_CTX_cleanup(&c->ecbctx); + memset(c, 0, sizeof(*c)); + free(c); + EVP_CIPHER_CTX_set_app_data(ctx, NULL); diff --git a/openssh-6.4p1-fromto-remote.patch b/backport-openssh-6.4p1-fromto-remote.patch index 4a7d849..347e2aa 100644 --- a/openssh-6.4p1-fromto-remote.patch +++ b/backport-openssh-6.4p1-fromto-remote.patch @@ -2,6 +2,7 @@ diff --git a/scp.c b/scp.c index d98fa67..25d347b 100644 --- a/scp.c +++ b/scp.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.4p1-fromto-remote.patch @@ -638,7 +638,10 @@ toremote(char *targ, int argc, char **argv) addargs(&alist, "%s", ssh_program); addargs(&alist, "-x"); diff --git a/openssh-6.6.1p1-log-in-chroot.patch b/backport-openssh-6.6.1p1-log-in-chroot.patch index 941c694..54a384e 100644 --- a/openssh-6.6.1p1-log-in-chroot.patch +++ b/backport-openssh-6.6.1p1-log-in-chroot.patch @@ -1,6 +1,7 @@ diff -up openssh-8.6p1/log.c.log-in-chroot openssh-8.6p1/log.c --- openssh-8.6p1/log.c.log-in-chroot 2021-04-16 05:55:25.000000000 +0200 +++ openssh-8.6p1/log.c 2021-04-19 14:43:08.544843434 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6.1p1-log-in-chroot.patch 
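Review bot: The loop `for (; len > 0; len -= sizeof(u_int))` in `ssh_aes_ctr()` only terminates if `len` is a multiple of 4: `len` is unsigned (the signature is outside this hunk), so for a remainder of 1–3 the subtraction wraps and the loop keeps reading `src` and writing `dest` past the caller's buffers. OpenSSH callers very likely pass whole cipher blocks, so this is probably unreachable today, but the function should defend itself, e.g. `if (len % sizeof(u_int) != 0) return (0);` before the loop. Second, the closing `memset(ctrbuf, '\0', sizeof(ctrbuf));` and `memset(buf, '\0', sizeof(buf));` are meant to scrub keystream from the stack but are dead stores the compiler may drop; use `explicit_bzero(ctrbuf, sizeof(ctrbuf));` and `explicit_bzero(buf, sizeof(buf));`, which openbsd-compat provides. Finally, embedding `EVP_CIPHER_CTX ecbctx` by value and calling `EVP_CIPHER_CTX_init()`/`EVP_CIPHER_CTX_cleanup()` only compiles against pre-1.1 OpenSSL; I believe cipher-ctr.c is built only when OpenSSL lacks a native EVP CTR mode, so confirm this file is actually compiled in this package before carrying the patch.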
@@ -194,6 +194,11 @@ void log_init(const char *av0, LogLevel level, SyslogFacility facility, int on_stderr) @@ -29,6 +30,7 @@ diff -up openssh-8.6p1/log.c.log-in-chroot openssh-8.6p1/log.c diff -up openssh-8.6p1/log.h.log-in-chroot openssh-8.6p1/log.h --- openssh-8.6p1/log.h.log-in-chroot 2021-04-19 14:43:08.544843434 +0200 +++ openssh-8.6p1/log.h 2021-04-19 14:56:46.931042176 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6.1p1-log-in-chroot.patch @@ -52,6 +52,7 @@ typedef enum { typedef void (log_handler_fn)(LogLevel, int, const char *, void *); @@ -40,6 +42,7 @@ diff -up openssh-8.6p1/log.h.log-in-chroot openssh-8.6p1/log.h diff -up openssh-8.6p1/monitor.c.log-in-chroot openssh-8.6p1/monitor.c --- openssh-8.6p1/monitor.c.log-in-chroot 2021-04-19 14:43:08.526843298 +0200 +++ openssh-8.6p1/monitor.c 2021-04-19 14:55:25.286424043 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6.1p1-log-in-chroot.patch @@ -297,6 +297,8 @@ monitor_child_preauth(struct ssh *ssh, s close(pmonitor->m_log_sendfd); pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1; @@ -101,6 +104,7 @@ diff -up openssh-8.6p1/monitor.c.log-in-chroot openssh-8.6p1/monitor.c diff -up openssh-8.6p1/monitor.h.log-in-chroot openssh-8.6p1/monitor.h --- openssh-8.6p1/monitor.h.log-in-chroot 2021-04-19 14:43:08.527843305 +0200 +++ openssh-8.6p1/monitor.h 2021-04-19 14:43:08.545843441 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6.1p1-log-in-chroot.patch @@ -80,10 +80,11 @@ struct monitor { int m_log_sendfd; struct kex **m_pkex; 
@@ -117,6 +121,7 @@ diff -up openssh-8.6p1/monitor.h.log-in-chroot openssh-8.6p1/monitor.h diff -up openssh-8.6p1/session.c.log-in-chroot openssh-8.6p1/session.c --- openssh-8.6p1/session.c.log-in-chroot 2021-04-19 14:43:08.534843358 +0200 +++ openssh-8.6p1/session.c 2021-04-19 14:43:08.545843441 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6.1p1-log-in-chroot.patch @@ -160,6 +160,7 @@ login_cap_t *lc; static int is_child = 0; @@ -190,6 +195,7 @@ diff -up openssh-8.6p1/session.c.log-in-chroot openssh-8.6p1/session.c diff -up openssh-8.6p1/sftp.h.log-in-chroot openssh-8.6p1/sftp.h --- openssh-8.6p1/sftp.h.log-in-chroot 2021-04-16 05:55:25.000000000 +0200 +++ openssh-8.6p1/sftp.h 2021-04-19 14:43:08.545843441 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6.1p1-log-in-chroot.patch @@ -97,5 +97,5 @@ struct passwd; @@ -200,6 +206,7 @@ diff -up openssh-8.6p1/sftp.h.log-in-chroot openssh-8.6p1/sftp.h diff -up openssh-8.6p1/sftp-server.c.log-in-chroot openssh-8.6p1/sftp-server.c --- openssh-8.6p1/sftp-server.c.log-in-chroot 2021-04-16 05:55:25.000000000 +0200 +++ openssh-8.6p1/sftp-server.c 2021-04-19 14:43:08.545843441 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6.1p1-log-in-chroot.patch @@ -1644,7 +1644,7 @@ sftp_server_usage(void) } @@ -207,8 +214,8 @@ diff -up openssh-8.6p1/sftp-server.c.log-in-chroot openssh-8.6p1/sftp-server.c -sftp_server_main(int argc, char **argv, struct passwd *user_pw) +sftp_server_main(int argc, char **argv, struct passwd *user_pw, int reset_handler) { - int i, r, in, out, ch, skipargs = 0, log_stderr = 0; - ssize_t len, olen; + fd_set *rset, *wset; + int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0; @@ -1657,7 +1657,7 @@ sftp_server_main(int argc, char **argv, extern char *__progname; 
@@ -230,6 +237,7 @@ diff -up openssh-8.6p1/sftp-server.c.log-in-chroot openssh-8.6p1/sftp-server.c diff -up openssh-8.6p1/sftp-server-main.c.log-in-chroot openssh-8.6p1/sftp-server-main.c --- openssh-8.6p1/sftp-server-main.c.log-in-chroot 2021-04-16 05:55:25.000000000 +0200 +++ openssh-8.6p1/sftp-server-main.c 2021-04-19 14:43:08.545843441 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6.1p1-log-in-chroot.patch @@ -50,5 +50,5 @@ main(int argc, char **argv) return 1; } @@ -240,6 +248,7 @@ diff -up openssh-8.6p1/sftp-server-main.c.log-in-chroot openssh-8.6p1/sftp-serve diff -up openssh-8.6p1/sshd.c.log-in-chroot openssh-8.6p1/sshd.c --- openssh-8.6p1/sshd.c.log-in-chroot 2021-04-19 14:43:08.543843426 +0200 +++ openssh-8.6p1/sshd.c 2021-04-19 14:43:08.545843441 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6.1p1-log-in-chroot.patch @@ -559,7 +559,7 @@ privsep_postauth(struct ssh *ssh, Authct } diff --git a/openssh-6.6.1p1-scp-non-existing-directory.patch b/backport-openssh-6.6.1p1-scp-non-existing-directory.patch index bb55c0b..9e45ae6 100644 --- a/openssh-6.6.1p1-scp-non-existing-directory.patch +++ b/backport-openssh-6.6.1p1-scp-non-existing-directory.patch @@ -1,5 +1,6 @@ --- a/scp.c +++ a/scp.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6.1p1-scp-non-existing-directory.patch @@ -1084,6 +1084,10 @@ sink(int argc, char **argv) free(vect[0]); continue; diff --git a/openssh-6.6.1p1-selinux-contexts.patch b/backport-openssh-6.6.1p1-selinux-contexts.patch index fa9d591..b5347ae 100644 --- a/openssh-6.6.1p1-selinux-contexts.patch +++ b/backport-openssh-6.6.1p1-selinux-contexts.patch @@ -2,6 +2,7 @@ diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c index 8f32464..18a2ca4 100644 --- a/openbsd-compat/port-linux-sshd.c 
+++ b/openbsd-compat/port-linux-sshd.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6.1p1-selinux-contexts.patch @@ -32,6 +32,7 @@ #include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */ #include "servconf.h" @@ -96,6 +97,7 @@ diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c index 22ea8ef..1fc963d 100644 --- a/openbsd-compat/port-linux.c +++ b/openbsd-compat/port-linux.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6.1p1-selinux-contexts.patch @@ -179,7 +179,7 @@ ssh_selinux_change_context(const char *newname) strlcpy(newctx + len, newname, newlen - len); if ((cx = index(cx + 1, ':'))) @@ -110,6 +112,7 @@ diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h index cb51f99..8b7cda2 100644 --- a/openbsd-compat/port-linux.h +++ b/openbsd-compat/port-linux.h +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6.1p1-selinux-contexts.patch @@ -29,6 +29,7 @@ int sshd_selinux_enabled(void); void sshd_selinux_copy_context(void); void sshd_selinux_setup_exec_context(char *); @@ -122,6 +125,7 @@ diff --git a/sshd.c b/sshd.c index 2871fe9..39b9c08 100644 --- a/sshd.c +++ b/sshd.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6.1p1-selinux-contexts.patch @@ -629,7 +629,7 @@ privsep_preauth_child(void) demote_sensitive_data(); diff --git a/openssh-6.6p1-GSSAPIEnablek5users.patch b/backport-openssh-6.6p1-GSSAPIEnablek5users.patch index cccb3e0..5da5e64 100644 --- a/openssh-6.6p1-GSSAPIEnablek5users.patch +++ b/backport-openssh-6.6p1-GSSAPIEnablek5users.patch 
@@ -1,6 +1,7 @@ diff -up openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.4p1/gss-serv-krb5.c --- openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users 2016-12-23 15:18:40.615216100 +0100 +++ openssh-7.4p1/gss-serv-krb5.c 2016-12-23 15:18:40.628216102 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-GSSAPIEnablek5users.patch @@ -279,7 +279,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri FILE *fp; char file[MAXPATHLEN]; @@ -21,6 +22,7 @@ diff -up openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.4p1/gss-ser diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c --- openssh-7.4p1/servconf.c.GSSAPIEnablek5users 2016-12-23 15:18:40.615216100 +0100 +++ openssh-7.4p1/servconf.c 2016-12-23 15:35:36.354401156 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-GSSAPIEnablek5users.patch @@ -168,6 +168,7 @@ initialize_server_options(ServerOptions options->gss_store_rekey = -1; options->gss_kex_algorithms = NULL; @@ -94,6 +96,7 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c diff -up openssh-7.4p1/servconf.h.GSSAPIEnablek5users openssh-7.4p1/servconf.h --- openssh-7.4p1/servconf.h.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100 +++ openssh-7.4p1/servconf.h 2016-12-23 15:18:40.629216102 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-GSSAPIEnablek5users.patch @@ -174,6 +174,7 @@ typedef struct { int kerberos_unique_ccache; /* If true, the acquired ticket will * be stored in per-session ccache */ 
@@ -105,6 +108,7 @@ diff -up openssh-7.4p1/servconf.h.GSSAPIEnablek5users openssh-7.4p1/servconf.h diff -up openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users openssh-7.4p1/sshd_config.5 --- openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users 2016-12-23 15:18:40.630216103 +0100 +++ openssh-7.4p1/sshd_config.5 2016-12-23 15:36:21.607408435 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-GSSAPIEnablek5users.patch @@ -628,6 +628,12 @@ Specifies whether to automatically destr on logout. The default is @@ -121,6 +125,7 @@ diff -up openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users openssh-7.4p1/sshd_conf diff -up openssh-7.4p1/sshd_config.GSSAPIEnablek5users openssh-7.4p1/sshd_config --- openssh-7.4p1/sshd_config.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100 +++ openssh-7.4p1/sshd_config 2016-12-23 15:18:40.631216103 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-GSSAPIEnablek5users.patch @@ -80,6 +80,7 @@ GSSAPIAuthentication yes #GSSAPICleanupCredentials yes #GSSAPIStrictAcceptorCheck yes diff --git a/openssh-6.6p1-allow-ip-opts.patch b/backport-openssh-6.6p1-allow-ip-opts.patch index be8d340..c0bed90 100644 --- a/openssh-6.6p1-allow-ip-opts.patch +++ b/backport-openssh-6.6p1-allow-ip-opts.patch @@ -1,7 +1,8 @@ diff -up openssh/sshd.c.ip-opts openssh/sshd.c --- openssh/sshd.c.ip-opts 2016-07-25 13:58:48.998507834 +0200 +++ openssh/sshd.c 2016-07-25 14:01:28.346469878 +0200 -@@ -1507,12 +1507,32 @@ check_ip_options(struct ssh *ssh) +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-allow-ip-opts.patch +@@ -1507,12 +1507,29 @@ check_ip_options(struct ssh *ssh) if (getsockopt(sock_in, IPPROTO_IP, IP_OPTIONS, opts, &option_size) >= 0 && option_size != 0) { 
@@ -21,14 +22,11 @@ diff -up openssh/sshd.c.ip-opts openssh/sshd.c + case 130: + case 133: + case 134: -+ if (i + 1 < option_size && opts[i + 1] >= 2) { -+ i += opts[i + 1]; -+ break; -+ } -+ /* FALLTHROUGH */ ++ i += opts[i + 1]; ++ break; + default: + /* Fail, fatally, if we detect either loose or strict -+ * or incorrect source routing options. */ ++ * source routing options. */ + text[0] = '\0'; + for (i = 0; i < option_size; i++) + snprintf(text + i*3, sizeof(text) - i*3, diff --git a/openssh-6.6p1-force_krb.patch b/backport-openssh-6.6p1-force_krb.patch index 90f8322..abb2a9f 100644 --- a/openssh-6.6p1-force_krb.patch +++ b/backport-openssh-6.6p1-force_krb.patch @@ -2,6 +2,7 @@ diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c index 413b845..54dd383 100644 --- a/gss-serv-krb5.c +++ b/gss-serv-krb5.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-force_krb.patch @@ -32,7 +32,9 @@ #include <sys/types.h> @@ -208,6 +209,7 @@ diff --git a/session.c b/session.c index 28659ec..9c94d8e 100644 --- a/session.c +++ b/session.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-force_krb.patch @@ -789,6 +789,29 @@ do_exec(Session *s, const char *command) command = auth_opts->force_command; forced = "(key-option)"; @@ -242,6 +244,7 @@ diff --git a/ssh-gss.h b/ssh-gss.h index 0374c88..509109a 100644 --- a/ssh-gss.h +++ b/ssh-gss.h +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-force_krb.patch @@ -49,6 +49,10 @@ # endif /* !HAVE_DECL_GSS_C_NT_... */ @@ -257,6 +260,7 @@ diff --git a/sshd.8 b/sshd.8 index adcaaf9..824163b 100644 --- a/sshd.8 +++ b/sshd.8 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-force_krb.patch @@ -324,6 +324,7 @@ Finally, the server and the client enter an authentication dialog. The client tries to authenticate itself using host-based authentication, 
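Review bot: The new revision of this patch drops the bounds check on the IP-options length byte in `check_ip_options()`: the previous lines `if (i + 1 < option_size && opts[i + 1] >= 2) { i += opts[i + 1]; break; }` followed by `/* FALLTHROUGH */` into `default:` are replaced by an unconditional `i += opts[i + 1]; break;`, so `opts[i + 1]` is read without confirming it lies within `option_size`, and a length of 0 or 1 no longer reaches the fatal default case. `opts` and `option_size` come from `getsockopt(sock_in, IPPROTO_IP, IP_OPTIONS, ...)` in the previous hunk, i.e. from the unauthenticated peer before any SSH-level checks, so this is a pre-auth parser; without the guard a malformed option can presumably stall the enclosing loop (outside the hunk) or read one byte past the options, which is exactly what the guarded version prevented. The header change in the previous hunk (`+1507,32` to `+1507,29`) and the comment reverting from "or incorrect source routing options" to "source routing options" are the same regression, so this looks like an older copy of the patch being imported over a newer, hardened one; please keep the guarded version.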
diff --git a/openssh-6.6p1-keycat.patch b/backport-openssh-6.6p1-keycat.patch index 529b508..26b3f30 100644 --- a/openssh-6.6p1-keycat.patch +++ b/backport-openssh-6.6p1-keycat.patch @@ -1,6 +1,7 @@ diff -up openssh/misc.c.keycat openssh/misc.c --- openssh/misc.c.keycat 2015-06-24 10:57:50.158849606 +0200 +++ openssh/misc.c 2015-06-24 11:04:23.989868638 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-keycat.patch @@ -966,6 +966,13 @@ subprocess(const char *tag, struct passw error("%s: dup2: %s", tag, strerror(errno)); _exit(1); @@ -18,6 +19,7 @@ diff -up openssh/misc.c.keycat openssh/misc.c diff -up openssh/HOWTO.ssh-keycat.keycat openssh/HOWTO.ssh-keycat --- openssh/HOWTO.ssh-keycat.keycat 2015-06-24 10:57:50.157849608 +0200 +++ openssh/HOWTO.ssh-keycat 2015-06-24 10:57:50.157849608 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-keycat.patch @@ -0,0 +1,12 @@ +The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys +of an user in any environment. This includes environments with @@ -34,6 +36,7 @@ diff -up openssh/HOWTO.ssh-keycat.keycat openssh/HOWTO.ssh-keycat diff -up openssh/Makefile.in.keycat openssh/Makefile.in --- openssh/Makefile.in.keycat 2015-06-24 10:57:50.152849621 +0200 +++ openssh/Makefile.in 2015-06-24 10:57:50.157849608 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-keycat.patch @@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass SFTP_SERVER=$(libexecdir)/sftp-server @@ -61,13 +64,13 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in ssh-xmss.o \ 
@@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS) - $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) $(CHANNELLIBS) + $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) +ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o + $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS) + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) - $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(CHANNELLIBS) + $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) @@ -321,6 +325,7 @@ install-files: $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) @@ -80,6 +83,7 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in diff -up openssh/openbsd-compat/port-linux.h.keycat openssh/openbsd-compat/port-linux.h --- openssh/openbsd-compat/port-linux.h.keycat 2015-06-24 10:57:50.150849626 +0200 +++ openssh/openbsd-compat/port-linux.h 2015-06-24 10:57:50.160849601 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-keycat.patch @@ -25,8 +25,10 @@ void ssh_selinux_setup_pty(char *, const void ssh_selinux_change_context(const char *); void ssh_selinux_setfscreatecon(const char *); @@ -94,6 +98,7 @@ diff -up openssh/openbsd-compat/port-linux.h.keycat openssh/openbsd-compat/port- diff -up openssh/openbsd-compat/port-linux-sshd.c.keycat openssh/openbsd-compat/port-linux-sshd.c --- openssh/openbsd-compat/port-linux-sshd.c.keycat 2015-06-24 10:57:50.150849626 +0200 +++ openssh/openbsd-compat/port-linux-sshd.c 2015-06-24 10:57:50.159849603 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-keycat.patch 
@@ -54,6 +54,20 @@ extern Authctxt *the_authctxt; extern int inetd_flag; extern int rexeced_flag; @@ -190,6 +195,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.keycat openssh/openbsd-compat/ diff -up openssh/platform.c.keycat openssh/platform.c --- openssh/platform.c.keycat 2015-06-24 10:57:50.147849633 +0200 +++ openssh/platform.c 2015-06-24 10:57:50.160849601 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-keycat.patch @@ -103,7 +103,7 @@ platform_setusercontext(struct passwd *p { #ifdef WITH_SELINUX @@ -202,6 +208,7 @@ diff -up openssh/platform.c.keycat openssh/platform.c diff -up openssh/ssh-keycat.c.keycat openssh/ssh-keycat.c --- openssh/ssh-keycat.c.keycat 2015-06-24 10:57:50.161849599 +0200 +++ openssh/ssh-keycat.c 2015-06-24 10:57:50.161849599 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-keycat.patch @@ -0,0 +1,241 @@ +/* + * Redistribution and use in source and binary forms, with or without @@ -448,6 +455,7 @@ diff --git a/configure.ac b/configure.ac index 3bbccfd..6481f1f 100644 --- a/configure.ac +++ b/configure.ac +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-keycat.patch @@ -2952,6 +2952,7 @@ AC_ARG_WITH([pam], PAM_MSG="yes" diff --git a/backport-openssh-6.6p1-keyperm.patch b/backport-openssh-6.6p1-keyperm.patch new file mode 100644 index 0000000..c243707 --- /dev/null +++ b/backport-openssh-6.6p1-keyperm.patch 
@@ -0,0 +1,32 @@ +diff -up openssh-8.2p1/authfile.c.keyperm openssh-8.2p1/authfile.c +--- openssh-8.2p1/authfile.c.keyperm 2020-02-14 01:40:54.000000000 +0100 ++++ openssh-8.2p1/authfile.c 2020-02-17 11:55:12.841729758 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-keyperm.patch +@@ -31,6 +31,7 @@ + + #include <errno.h> + #include <fcntl.h> ++#include <grp.h> + #include <stdio.h> + #include <stdarg.h> + #include <stdlib.h> +@@ -101,7 +102,19 @@ sshkey_perm_ok(int fd, const char *filen + #ifdef HAVE_CYGWIN + if (check_ntsec(filename)) + #endif ++ + if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) { ++ if (st.st_mode & 040) { ++ struct group *gr; ++ ++ if ((gr = getgrnam("ssh_keys")) && (st.st_gid == gr->gr_gid)) { ++ /* The only additional bit is read ++ * for ssh_keys group, which is fine */ ++ if ((st.st_mode & 077) == 040 ) { ++ return 0; ++ } ++ } ++ } + error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); + error("@ WARNING: UNPROTECTED PRIVATE KEY FILE! @"); + error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); diff --git a/openssh-6.6p1-kuserok.patch b/backport-openssh-6.6p1-kuserok.patch index 6e2c76a..6bab715 100644 --- a/openssh-6.6p1-kuserok.patch +++ b/backport-openssh-6.6p1-kuserok.patch @@ -1,6 +1,7 @@ diff -up openssh-7.4p1/auth-krb5.c.kuserok openssh-7.4p1/auth-krb5.c --- openssh-7.4p1/auth-krb5.c.kuserok 2016-12-23 14:36:07.640465939 +0100 +++ openssh-7.4p1/auth-krb5.c 2016-12-23 14:36:07.644465936 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-kuserok.patch @@ -56,6 +56,21 @@ extern ServerOptions options; 
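Review bot: The new exemption in `sshkey_perm_ok()` is keyed on the group name only: `getgrnam("ssh_keys")` resolves whatever group currently carries that name through NSS, and since this is the shared permission check in authfile.c it presumably applies to keys loaded by the client tools as well as sshd, so any private key that is group-readable by a group named ssh_keys passes silently. The intent and the exact shape of the exemption should be stated above the check, e.g. `/* Accept keys that are readable by the ssh_keys group and nothing else beyond the owner (mode 0640 or stricter); any other group/other bit still fails. */`, naming which component depends on it. Minor: the outer `if (st.st_mode & 040)` is implied by the inner `(st.st_mode & 077) == 040` test and could be dropped, and the added blank line now separates `#ifdef HAVE_CYGWIN` `if (check_ntsec(filename))` `#endif` from the `if` it guards, which is easy to misread.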
@@ -38,6 +39,7 @@ diff -up openssh-7.4p1/auth-krb5.c.kuserok openssh-7.4p1/auth-krb5.c diff -up openssh-7.4p1/gss-serv-krb5.c.kuserok openssh-7.4p1/gss-serv-krb5.c --- openssh-7.4p1/gss-serv-krb5.c.kuserok 2016-12-23 14:36:07.640465939 +0100 +++ openssh-7.4p1/gss-serv-krb5.c 2016-12-23 14:36:07.644465936 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-kuserok.patch @@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr int); @@ -91,7 +93,7 @@ diff -up openssh-7.4p1/gss-serv-krb5.c.kuserok openssh-7.4p1/gss-serv-krb5.c + * configuring krb5.conf or using a suitable plugin to meet the needs of the + * given environment. + * -+ * The openEuler version of openssh contain two patches which modify the ++ * The Fedora and RHEL version of openssh contain two patches which modify the + * access control behavior: + * - openssh-6.6p1-kuserok.patch + * - openssh-6.6p1-force_krb.patch @@ -106,8 +108,8 @@ diff -up openssh-7.4p1/gss-serv-krb5.c.kuserok openssh-7.4p1/gss-serv-krb5.c + * rejected. Nevertheless the patch ignores the fact that krb5_kuserok() does + * no only check .k5login but other sources as well and checking .k5login can + * be disabled for all applications in krb5.conf as well. With this new -+ * option KerberosUseKuserok set to 'no' (and this is the default for -+ * openEuler) openssh can only use krb5_aname_to_localname() with the ++ * option KerberosUseKuserok set to 'no' (and this is the default for RHEL7 ++ * and Fedora 21) openssh can only use krb5_aname_to_localname() with the + * restrictions mentioned above. + * + * openssh-6.6p1-force_krb.patch adds a ksu like behaviour to ssh, i.e. when 
@@ -175,6 +177,7 @@ diff -up openssh-7.4p1/gss-serv-krb5.c.kuserok openssh-7.4p1/gss-serv-krb5.c diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c --- openssh-7.4p1/servconf.c.kuserok 2016-12-23 14:36:07.630465944 +0100 +++ openssh-7.4p1/servconf.c 2016-12-23 15:11:52.278133344 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-kuserok.patch @@ -116,6 +116,7 @@ initialize_server_options(ServerOptions options->gss_strict_acceptor = -1; options->gss_store_rekey = -1; @@ -196,11 +199,11 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c sPort, sHostKeyFile, sLoginGraceTime, sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, -- sKerberosGetAFSToken, sKerberosUniqueCCache, sPasswordAuthentication, -+ sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok, sPasswordAuthentication, - sKbdInteractiveAuthentication, sListenAddress, sAddressFamily, - sPrintMotd, sPrintLastLog, sIgnoreRhosts, - sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, +- sKerberosGetAFSToken, sKerberosUniqueCCache, ++ sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok, + sPasswordAuthentication, + sKbdInteractiveAuthentication, sListenAddress, sAddressFamily, + sPrintMotd, sPrintLastLog, sIgnoreRhosts, @@ -478,12 +481,14 @@ static struct { { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, #endif @@ -246,6 +249,7 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c diff -up openssh-7.4p1/servconf.h.kuserok openssh-7.4p1/servconf.h --- openssh-7.4p1/servconf.h.kuserok 2016-12-23 14:36:07.630465944 +0100 +++ openssh-7.4p1/servconf.h 2016-12-23 14:36:07.645465936 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-kuserok.patch 
@@ -118,6 +118,7 @@ typedef struct { * authenticated with Kerberos. */ int kerberos_unique_ccache; /* If true, the acquired ticket will @@ -257,6 +261,7 @@ diff -up openssh-7.4p1/servconf.h.kuserok openssh-7.4p1/servconf.h diff -up openssh-7.4p1/sshd_config.5.kuserok openssh-7.4p1/sshd_config.5 --- openssh-7.4p1/sshd_config.5.kuserok 2016-12-23 14:36:07.637465940 +0100 +++ openssh-7.4p1/sshd_config.5 2016-12-23 15:14:03.117162222 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-kuserok.patch @@ -850,6 +850,10 @@ Specifies whether to automatically destr .Cm no can lead to overwriting previous tickets by subseqent connections to the same @@ -279,6 +284,7 @@ diff -up openssh-7.4p1/sshd_config.5.kuserok openssh-7.4p1/sshd_config.5 diff -up openssh-7.4p1/sshd_config.kuserok openssh-7.4p1/sshd_config --- openssh-7.4p1/sshd_config.kuserok 2016-12-23 14:36:07.631465943 +0100 +++ openssh-7.4p1/sshd_config 2016-12-23 14:36:07.646465935 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-kuserok.patch @@ -73,6 +73,7 @@ ChallengeResponseAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes diff --git a/openssh-6.6p1-privsep-selinux.patch b/backport-openssh-6.6p1-privsep-selinux.patch index 8047fc3..a14fd62 100644 --- a/openssh-6.6p1-privsep-selinux.patch +++ b/backport-openssh-6.6p1-privsep-selinux.patch @@ -1,6 +1,7 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux.h.privsep-selinux openssh-7.4p1/openbsd-compat/port-linux.h --- openssh-7.4p1/openbsd-compat/port-linux.h.privsep-selinux 2016-12-23 18:58:52.972122201 +0100 +++ openssh-7.4p1/openbsd-compat/port-linux.h 2016-12-23 18:58:52.974122201 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-privsep-selinux.patch @@ -23,6 +23,7 @@ void ssh_selinux_setup_pty(char *, const void ssh_selinux_change_context(const char *); void ssh_selinux_setfscreatecon(const char *); 
@@ -12,6 +13,7 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux.h.privsep-selinux openssh-7.4p1 diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh-7.4p1/openbsd-compat/port-linux-sshd.c --- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100 +++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c 2016-12-23 18:58:52.974122201 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-privsep-selinux.patch @@ -419,6 +419,28 @@ sshd_selinux_setup_exec_context(char *pw debug3_f("done"); } @@ -44,6 +46,7 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh- diff -up openssh-7.4p1/session.c.privsep-selinux openssh-7.4p1/session.c --- openssh-7.4p1/session.c.privsep-selinux 2016-12-19 05:59:41.000000000 +0100 +++ openssh-7.4p1/session.c 2016-12-23 18:58:52.974122201 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-privsep-selinux.patch @@ -1331,7 +1331,7 @@ do_setusercontext(struct passwd *pw) platform_setusercontext(pw); @@ -98,6 +101,7 @@ diff -up openssh-7.4p1/session.c.privsep-selinux openssh-7.4p1/session.c diff -up openssh-7.4p1/sshd.c.privsep-selinux openssh-7.4p1/sshd.c --- openssh-7.4p1/sshd.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100 +++ openssh-7.4p1/sshd.c 2016-12-23 18:59:13.808124269 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-privsep-selinux.patch @@ -540,6 +540,10 @@ privsep_preauth_child(void) /* Demote the private keys to public keys. */ demote_sensitive_data(); diff --git a/openssh-6.7p1-coverity.patch b/backport-openssh-6.7p1-coverity.patch index 494f4c6..f1a8d2b 100644 --- a/openssh-6.7p1-coverity.patch +++ b/backport-openssh-6.7p1-coverity.patch 
@@ -1,6 +1,42 @@ +diff -up openssh-8.5p1/addr.c.coverity openssh-8.5p1/addr.c +--- openssh-8.5p1/addr.c.coverity 2021-03-02 11:31:47.000000000 +0100 ++++ openssh-8.5p1/addr.c 2021-03-24 12:03:33.782968159 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch +@@ -312,8 +312,10 @@ addr_pton(const char *p, struct xaddr *n + if (p == NULL || getaddrinfo(p, NULL, &hints, &ai) != 0) + return -1; + +- if (ai == NULL || ai->ai_addr == NULL) ++ if (ai == NULL || ai->ai_addr == NULL) { ++ freeaddrinfo(ai); + return -1; ++ } + + if (n != NULL && addr_sa_to_xaddr(ai->ai_addr, ai->ai_addrlen, + n) == -1) { +@@ -336,12 +338,16 @@ addr_sa_pton(const char *h, const char * + if (h == NULL || getaddrinfo(h, s, &hints, &ai) != 0) + return -1; + +- if (ai == NULL || ai->ai_addr == NULL) ++ if (ai == NULL || ai->ai_addr == NULL) { ++ freeaddrinfo(ai); + return -1; ++ } + + if (sa != NULL) { +- if (slen < ai->ai_addrlen) ++ if (slen < ai->ai_addrlen) { ++ freeaddrinfo(ai); + return -1; ++ } + memcpy(sa, &ai->ai_addr, ai->ai_addrlen); + } + diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c --- openssh-8.5p1/auth-krb5.c.coverity 2021-03-24 12:03:33.724967756 +0100 +++ openssh-8.5p1/auth-krb5.c 2021-03-24 12:03:33.782968159 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch @@ -426,6 +426,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx, umask(old_umask); if (tmpfd == -1) { @@ -20,6 +56,7 @@ diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c --- openssh-8.5p1/auth-options.c.coverity 2021-03-02 11:31:47.000000000 +0100 +++ openssh-8.5p1/auth-options.c 2021-03-24 12:03:33.782968159 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch 
@@ -706,6 +708,7 @@ serialise_array(struct sshbuf *m, char * return r; } 
@@ -28,9 +65,53 @@ diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c return 0; } +diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c +--- openssh-7.4p1/channels.c.coverity 2016-12-23 16:40:26.881788686 +0100 ++++ openssh-7.4p1/channels.c 2016-12-23 16:42:36.244818763 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch +@@ -1875,7 +1875,7 @@ channel_post_connecting(struct ssh *ssh, + debug("channel %d: connection failed: %s", + c->self, strerror(err)); + /* Try next address, if any */ +- if ((sock = connect_next(&c->connect_ctx)) > 0) { ++ if ((sock = connect_next(&c->connect_ctx)) >= 0) { + close(c->sock); + c->sock = c->rfd = c->wfd = sock; + channel_find_maxfd(ssh->chanctxt); + +diff -up openssh-8.5p1/compat.c.coverity openssh-8.5p1/compat.c +--- openssh-8.5p1/compat.c.coverity 2021-03-24 12:03:33.768968062 +0100 ++++ openssh-8.5p1/compat.c 2021-03-24 12:03:33.783968166 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch +@@ -191,10 +191,12 @@ compat_kex_proposal(struct ssh *ssh, cha + return p; + debug2_f("original KEX proposal: %s", p); + if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0) ++ /* coverity[overwrite_var : FALSE] */ + if ((p = match_filter_denylist(p, + "curve25519-sha256@libssh.org")) == NULL) + fatal("match_filter_denylist failed"); + if ((ssh->compat & SSH_OLD_DHGEX) != 0) { ++ /* coverity[overwrite_var : FALSE] */ + if ((p = match_filter_denylist(p, + "diffie-hellman-group-exchange-sha256," + "diffie-hellman-group-exchange-sha1")) == NULL) +diff -up openssh-8.5p1/dns.c.coverity openssh-8.5p1/dns.c +--- openssh-8.5p1/dns.c.coverity 2021-03-02 11:31:47.000000000 +0100 ++++ openssh-8.5p1/dns.c 2021-03-24 12:03:33.783968166 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch +@@ -282,6 +282,7 @@ verify_host_key_dns(const char 
*hostname + &hostkey_digest, &hostkey_digest_len, hostkey)) { + error("Error calculating key fingerprint."); + freerrset(fingerprints); ++ free(dnskey_digest); + return -1; + } + diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c --- openssh-8.5p1/gss-genr.c.coverity 2021-03-26 11:52:46.613942552 +0100 +++ openssh-8.5p1/gss-genr.c 2021-03-26 11:54:37.881726318 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch @@ -167,8 +167,9 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup enclen = __b64_ntop(digest, ssh_digest_bytes(SSH_DIGEST_MD5), encoded, @@ -45,6 +126,7 @@ diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c diff -up openssh-8.5p1/kexgssc.c.coverity openssh-8.5p1/kexgssc.c --- openssh-8.5p1/kexgssc.c.coverity 2021-03-24 12:03:33.711967665 +0100 +++ openssh-8.5p1/kexgssc.c 2021-03-24 12:03:33.783968166 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch @@ -98,8 +98,10 @@ kexgss_client(struct ssh *ssh) default: fatal_f("Unexpected KEX type %d", kex->kex_type); @@ -60,6 +142,7 @@ diff -up openssh-8.5p1/kexgssc.c.coverity openssh-8.5p1/kexgssc.c diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c --- openssh-8.5p1/krl.c.coverity 2021-03-02 11:31:47.000000000 +0100 +++ openssh-8.5p1/krl.c 2021-03-24 12:03:33.783968166 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch @@ -1209,6 +1209,7 @@ ssh_krl_from_blob(struct sshbuf *buf, st sshkey_free(key); sshbuf_free(copy); 
@@ -95,6 +178,7 @@ diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c diff -up openssh-8.5p1/loginrec.c.coverity openssh-8.5p1/loginrec.c --- openssh-8.5p1/loginrec.c.coverity 2021-03-24 13:18:53.793225885 +0100 +++ openssh-8.5p1/loginrec.c 2021-03-24 13:21:27.948404751 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch @@ -690,9 +690,11 @@ construct_utmp(struct logininfo *li, */ @@ -126,6 +210,7 @@ diff -up openssh-8.5p1/loginrec.c.coverity openssh-8.5p1/loginrec.c diff -up openssh-8.5p1/misc.c.coverity openssh-8.5p1/misc.c --- openssh-8.5p1/misc.c.coverity 2021-03-24 12:03:33.745967902 +0100 +++ openssh-8.5p1/misc.c 2021-03-24 13:31:47.037079617 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch @@ -1425,6 +1425,8 @@ sanitise_stdfd(void) } if (nullfd > STDERR_FILENO) @@ -143,9 +228,22 @@ diff -up openssh-8.5p1/misc.c.coverity openssh-8.5p1/misc.c return ret; } +diff -up openssh-8.5p1/moduli.c.coverity openssh-8.5p1/moduli.c +--- openssh-8.5p1/moduli.c.coverity 2021-03-02 11:31:47.000000000 +0100 ++++ openssh-8.5p1/moduli.c 2021-03-24 12:03:33.784968173 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch +@@ -476,6 +476,7 @@ write_checkpoint(char *cpfile, u_int32_t + else + logit("failed to write to checkpoint file '%s': %s", cpfile, + strerror(errno)); ++ /* coverity[leaked_storage : FALSE] */ + } + + static unsigned long diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c --- openssh-7.4p1/monitor.c.coverity 2016-12-23 16:40:26.888788688 +0100 +++ openssh-7.4p1/monitor.c 2016-12-23 16:40:26.900788691 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch @@ -411,7 +411,7 @@ monitor_child_preauth(Authctxt *_authctx mm_get_keystate(ssh, pmonitor); 
@@ -167,6 +265,7 @@ diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c --- openssh-7.4p1/monitor_wrap.c.coverity 2016-12-23 16:40:26.892788689 +0100 +++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:40:26.900788691 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch @@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 || (tmp2 = dup(pmonitor->m_recvfd)) == -1) { @@ -184,6 +283,7 @@ diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/openbsd-compat/bindresvport.c --- openssh-7.4p1/openbsd-compat/bindresvport.c.coverity 2016-12-19 05:59:41.000000000 +0100 +++ openssh-7.4p1/openbsd-compat/bindresvport.c 2016-12-23 16:40:26.901788691 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch @@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr struct sockaddr_in6 *in6; u_int16_t *portp; @@ -196,6 +296,7 @@ diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/open diff -up openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity openssh-8.7p1/openbsd-compat/bsd-pselect.c --- openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity 2021-08-30 16:36:11.357288009 +0200 +++ openssh-8.7p1/openbsd-compat/bsd-pselect.c 2021-08-30 16:37:21.791897976 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch @@ -113,13 +113,13 @@ pselect_notify_setup(void) static void pselect_notify_parent(void) 
@@ -226,6 +327,7 @@ diff -up openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity openssh-8.7p1/openb diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c --- openssh-8.5p1/readconf.c.coverity 2021-03-24 12:03:33.778968131 +0100 +++ openssh-8.5p1/readconf.c 2021-03-24 12:03:33.785968180 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch @@ -1847,6 +1847,7 @@ parse_pubkey_algos: } else if (r != 0) { error("%.200s line %d: glob failed for %s.", @@ -237,6 +339,7 @@ diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c diff -up openssh-8.7p1/scp.c.coverity openssh-8.7p1/scp.c --- openssh-8.7p1/scp.c.coverity 2021-08-30 16:23:35.389741329 +0200 +++ openssh-8.7p1/scp.c 2021-08-30 16:27:04.854555296 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch @@ -186,11 +186,11 @@ killchild(int signo) { if (do_cmd_pid > 1) { @@ -254,6 +357,7 @@ diff -up openssh-8.7p1/scp.c.coverity openssh-8.7p1/scp.c diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c --- openssh-7.4p1/servconf.c.coverity 2016-12-23 16:40:26.896788690 +0100 +++ openssh-7.4p1/servconf.c 2016-12-23 16:40:26.901788691 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch @@ -1638,8 +1638,9 @@ process_server_config_line(ServerOptions if (*activep && *charptr == NULL) { *charptr = tilde_expand_filename(arg, getuid()); @@ -269,6 +373,7 @@ diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c diff -up openssh-8.7p1/serverloop.c.coverity openssh-8.7p1/serverloop.c --- openssh-8.7p1/serverloop.c.coverity 2021-08-20 06:03:49.000000000 +0200 +++ openssh-8.7p1/serverloop.c 2021-08-30 16:28:22.416226981 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch 
@@ -547,7 +547,7 @@ server_request_tun(struct ssh *ssh) debug_f("invalid tun"); goto done; @@ -278,9 +383,29 @@ diff -up openssh-8.7p1/serverloop.c.coverity openssh-8.7p1/serverloop.c if (tun != SSH_TUNID_ANY && auth_opts->force_tun_device != (int)tun) goto done; +diff -up openssh-8.5p1/session.c.coverity openssh-8.5p1/session.c +--- openssh-8.5p1/session.c.coverity 2021-03-24 12:03:33.777968124 +0100 ++++ openssh-8.5p1/session.c 2021-03-24 12:03:33.786968187 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch +@@ -1223,12 +1223,14 @@ do_setup_env(struct ssh *ssh, Session *s + /* Environment specified by admin */ + for (i = 0; i < options.num_setenv; i++) { + cp = xstrdup(options.setenv[i]); ++ /* coverity[overwrite_var : FALSE] */ + if ((value = strchr(cp, '=')) == NULL) { + /* shouldn't happen; vars are checked in servconf.c */ + fatal("Invalid config SetEnv: %s", options.setenv[i]); + } + *value++ = '\0'; + child_set_env(&env, &envsize, cp, value); ++ free(cp); + } + + /* SSH_CLIENT deprecated */ diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c --- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100 +++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch @@ -224,7 +224,7 @@ killchild(int signo) pid = sshpid; if (pid > 1) { 
@@ -290,9 +415,39 @@ diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c } _exit(1); +@@ -762,6 +762,8 @@ process_put(struct sftp_conn *conn, cons + fflag || global_fflag) == -1) + err = -1; + } ++ free(abs_dst); ++ abs_dst = NULL; + } + + out: +@@ -985,6 +987,7 @@ do_globbed_ls(struct sftp_conn *conn, co + if (lflag & LS_LONG_VIEW) { + if (g.gl_statv[i] == NULL) { + error("no stat information for %s", fname); ++ free(fname); + continue; + } + lname = ls_file(fname, g.gl_statv[i], 1, +diff -up openssh-8.5p1/sk-usbhid.c.coverity openssh-8.5p1/sk-usbhid.c +--- openssh-8.5p1/sk-usbhid.c.coverity 2021-03-02 11:31:47.000000000 +0100 ++++ openssh-8.5p1/sk-usbhid.c 2021-03-24 12:03:33.786968187 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch +@@ -1256,6 +1256,7 @@ sk_load_resident_keys(const char *pin, s + freezero(rks[i], sizeof(*rks[i])); + } + free(rks); ++ free(device); + return ret; + } + diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c --- openssh-7.4p1/ssh-agent.c.coverity 2016-12-19 05:59:41.000000000 +0100 +++ openssh-7.4p1/ssh-agent.c 2016-12-23 16:40:26.903788691 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch @@ -869,6 +869,7 @@ sanitize_pkcs11_provider(const char *pro if (pkcs11_uri_parse(provider, uri) != 0) { @@ -315,6 +470,7 @@ diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c diff -up openssh-8.5p1/ssh.c.coverity openssh-8.5p1/ssh.c --- openssh-8.5p1/ssh.c.coverity 2021-03-24 12:03:33.779968138 +0100 +++ openssh-8.5p1/ssh.c 2021-03-24 12:03:33.786968187 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch @@ -1746,6 +1746,7 @@ control_persist_detach(void) close(muxserver_sock); muxserver_sock = -1; 
@@ -326,6 +482,7 @@ diff -up openssh-8.5p1/ssh.c.coverity openssh-8.5p1/ssh.c diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c --- openssh-7.4p1/sshd.c.coverity 2016-12-23 16:40:26.897788690 +0100 +++ openssh-7.4p1/sshd.c 2016-12-23 16:40:26.904788692 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch @@ -691,8 +691,10 @@ privsep_preauth(Authctxt *authctxt) privsep_preauth_child(ssh); @@ -338,6 +495,25 @@ diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c return 0; } +@@ -1386,6 +1388,9 @@ server_accept_loop(int *sock_in, int *so + explicit_bzero(rnd, sizeof(rnd)); + } + } ++ ++ if (fdset != NULL) ++ free(fdset); + } + + /* +@@ -2474,7 +2479,7 @@ do_ssh2_kex(struct ssh *ssh) + if (options.rekey_limit || options.rekey_interval) + ssh_packet_set_rekey_limits(ssh, options.rekey_limit, + options.rekey_interval); +- ++ /* coverity[leaked_storage : FALSE]*/ + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( + ssh, list_hostkey_types()); + @@ -2519,8 +2524,11 @@ do_ssh2_kex(struct ssh *ssh) if (newstr) @@ -354,6 +530,7 @@ diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c diff -up openssh-8.5p1/ssh-keygen.c.coverity openssh-8.5p1/ssh-keygen.c --- openssh-8.5p1/ssh-keygen.c.coverity 2021-03-24 12:03:33.780968145 +0100 +++ openssh-8.5p1/ssh-keygen.c 2021-03-24 12:03:33.787968194 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch @@ -2332,6 +2332,9 @@ update_krl_from_file(struct passwd *pw, r = ssh_krl_revoke_key_sha256(krl, blob, blen); if (r != 0) 
@@ -364,3 +541,33 @@ diff -up openssh-8.5p1/ssh-keygen.c.coverity openssh-8.5p1/ssh-keygen.c } else { if (strncasecmp(cp, "key:", 4) == 0) { cp += 4; +@@ -2879,6 +2882,7 @@ do_moduli_screen(const char *out_file, c + } else if (strncmp(opts[i], "start-line=", 11) == 0) { + start_lineno = strtoul(opts[i]+11, NULL, 10); + } else if (strncmp(opts[i], "checkpoint=", 11) == 0) { ++ free(checkpoint); + checkpoint = xstrdup(opts[i]+11); + } else if (strncmp(opts[i], "generator=", 10) == 0) { + generator_wanted = (u_int32_t)strtonum( +@@ -2920,6 +2924,9 @@ do_moduli_screen(const char *out_file, c + #else /* WITH_OPENSSL */ + fatal("Moduli screening is not supported"); + #endif /* WITH_OPENSSL */ ++ free(checkpoint); ++ if (in != stdin) ++ fclose(in); + } + + static char * +diff -up openssh-8.5p1/sshsig.c.coverity openssh-8.5p1/sshsig.c +--- openssh-8.5p1/sshsig.c.coverity 2021-03-02 11:31:47.000000000 +0100 ++++ openssh-8.5p1/sshsig.c 2021-03-24 12:03:33.787968194 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch +@@ -515,6 +515,7 @@ hash_file(int fd, const char *hashalg, s + oerrno = errno; + error_f("read: %s", strerror(errno)); + ssh_digest_free(ctx); ++ ctx = NULL; + errno = oerrno; + r = SSH_ERR_SYSTEM_ERROR; + goto out; diff --git a/openssh-6.7p1-sftp-force-permission.patch b/backport-openssh-6.7p1-sftp-force-permission.patch index 1cfa309..6f4a0db 100644 --- a/openssh-6.7p1-sftp-force-permission.patch +++ b/backport-openssh-6.7p1-sftp-force-permission.patch @@ -1,6 +1,7 @@ diff -up openssh-7.2p2/sftp-server.8.sftp-force-mode openssh-7.2p2/sftp-server.8 --- openssh-7.2p2/sftp-server.8.sftp-force-mode 2016-03-09 19:04:48.000000000 +0100 +++ openssh-7.2p2/sftp-server.8 2016-06-23 16:18:20.463854117 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-sftp-force-permission.patch @@ -38,6 +38,7 @@ .Op Fl P Ar denied_requests .Op Fl p Ar allowed_requests 
@@ -25,6 +26,7 @@ diff -up openssh-7.2p2/sftp-server.8.sftp-force-mode openssh-7.2p2/sftp-server.8 diff -up openssh-7.2p2/sftp-server.c.sftp-force-mode openssh-7.2p2/sftp-server.c --- openssh-7.2p2/sftp-server.c.sftp-force-mode 2016-06-23 16:18:20.446854128 +0200 +++ openssh-7.2p2/sftp-server.c 2016-06-23 16:20:37.950766082 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-sftp-force-permission.patch @@ -69,6 +69,10 @@ struct sshbuf *oqueue; /* Version of client */ static u_int version; diff --git a/openssh-6.8p1-sshdT-output.patch b/backport-openssh-6.8p1-sshdT-output.patch index 156e66d..646e7f1 100644 --- a/openssh-6.8p1-sshdT-output.patch +++ b/backport-openssh-6.8p1-sshdT-output.patch @@ -1,6 +1,7 @@ diff -up openssh/servconf.c.sshdt openssh/servconf.c --- openssh/servconf.c.sshdt 2015-06-24 11:42:29.041078704 +0200 +++ openssh/servconf.c 2015-06-24 11:44:39.734745802 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.8p1-sshdT-output.patch @@ -2317,7 +2317,7 @@ dump_config(ServerOptions *o) dump_cfg_string(sXAuthLocation, o->xauth_location); dump_cfg_string(sCiphers, o->ciphers); diff --git a/openssh-7.1p2-audit-race-condition.patch b/backport-openssh-7.1p2-audit-race-condition.patch index b5895f7..05d2609 100644 --- a/openssh-7.1p2-audit-race-condition.patch +++ b/backport-openssh-7.1p2-audit-race-condition.patch @@ -1,6 +1,7 @@ diff -up openssh-7.4p1/monitor_wrap.c.audit-race openssh-7.4p1/monitor_wrap.c --- openssh-7.4p1/monitor_wrap.c.audit-race 2016-12-23 16:35:52.694685771 +0100 +++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:35:52.697685772 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.1p2-audit-race-condition.patch @@ -1107,4 +1107,50 @@ mm_audit_destroy_sensitive_data(const ch mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, m); sshbuf_free(m); 
@@ -55,6 +56,7 @@ diff -up openssh-7.4p1/monitor_wrap.c.audit-race openssh-7.4p1/monitor_wrap.c diff -up openssh-7.4p1/monitor_wrap.h.audit-race openssh-7.4p1/monitor_wrap.h --- openssh-7.4p1/monitor_wrap.h.audit-race 2016-12-23 16:35:52.694685771 +0100 +++ openssh-7.4p1/monitor_wrap.h 2016-12-23 16:35:52.698685772 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.1p2-audit-race-condition.patch @@ -83,6 +83,8 @@ void mm_audit_unsupported_body(int); void mm_audit_kex_body(struct ssh *, int, char *, char *, char *, char *, pid_t, uid_t); void mm_audit_session_key_free_body(struct ssh *, int, pid_t, uid_t); @@ -67,6 +69,7 @@ diff -up openssh-7.4p1/monitor_wrap.h.audit-race openssh-7.4p1/monitor_wrap.h diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c --- openssh-7.4p1/session.c.audit-race 2016-12-23 16:35:52.695685771 +0100 +++ openssh-7.4p1/session.c 2016-12-23 16:37:26.339730596 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.1p2-audit-race-condition.patch @@ -162,6 +162,10 @@ static Session *sessions = NULL; login_cap_t *lc; #endif diff --git a/openssh-7.2p2-k5login_directory.patch b/backport-openssh-7.2p2-k5login_directory.patch index 80e7678..c9f50c5 100644 --- a/openssh-7.2p2-k5login_directory.patch +++ b/backport-openssh-7.2p2-k5login_directory.patch @@ -2,6 +2,7 @@ diff --git a/auth-krb5.c b/auth-krb5.c index 2b02a04..19b9364 100644 --- a/auth-krb5.c +++ b/auth-krb5.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.2p2-k5login_directory.patch @@ -375,5 +375,21 @@ cleanup: return (krb5_cc_resolve(ctx, ccname, ccache)); } @@ -28,6 +29,7 @@ diff --git a/auth.h b/auth.h index f9d191c..c432d2f 100644 --- a/auth.h +++ b/auth.h +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.2p2-k5login_directory.patch 
@@ -222,6 +222,8 @@ int sys_auth_passwd(Authctxt *, const char *); #if defined(KRB5) && !defined(HEIMDAL) @@ -41,6 +43,7 @@ diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c index a7c0c5f..df8cc9a 100644 --- a/gss-serv-krb5.c +++ b/gss-serv-krb5.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.2p2-k5login_directory.patch @@ -244,8 +244,27 @@ ssh_gssapi_k5login_exists() { char file[MAXPATHLEN]; @@ -74,6 +77,7 @@ diff --git a/sshd.8 b/sshd.8 index 5c4f15b..135e290 100644 --- a/sshd.8 +++ b/sshd.8 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.2p2-k5login_directory.patch @@ -806,6 +806,10 @@ rlogin/rsh. These files enforce GSSAPI/Kerberos authentication access control. Further details are described in diff --git a/openssh-7.2p2-s390-closefrom.patch b/backport-openssh-7.2p2-s390-closefrom.patch index 363538c..0cb2aa6 100644 --- a/openssh-7.2p2-s390-closefrom.patch +++ b/backport-openssh-7.2p2-s390-closefrom.patch @@ -11,10 +11,12 @@ Author: Harald Freudenberger <freude@de.ibm.com> --- openbsd-compat/bsd-closefrom.c | 26 ++++++++++++++++++++++++++ +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.2p2-s390-closefrom.patch 1 file changed, 26 insertions(+) --- a/openbsd-compat/bsd-closefrom.c +++ b/openbsd-compat/bsd-closefrom.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.2p2-s390-closefrom.patch @@ -82,7 +82,33 @@ closefrom(int lowfd) fd = strtol(dent->d_name, &endp, 10); if (dent->d_name != endp && *endp == '\0' && diff --git a/openssh-7.2p2-x11.patch b/backport-openssh-7.2p2-x11.patch index 0a19ecb..3bfc69f 100644 --- a/openssh-7.2p2-x11.patch +++ b/backport-openssh-7.2p2-x11.patch 
@@ -1,6 +1,7 @@ diff -up openssh-7.2p2/channels.c.x11 openssh-7.2p2/channels.c --- openssh-7.2p2/channels.c.x11 2016-03-09 19:04:48.000000000 +0100 +++ openssh-7.2p2/channels.c 2016-06-03 10:42:04.775164520 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.2p2-x11.patch @@ -3990,21 +3990,24 @@ x11_create_display_inet(int x11_display_ } diff --git a/openssh-7.3p1-x11-max-displays.patch b/backport-openssh-7.3p1-x11-max-displays.patch index 2b702d4..526289f 100644 --- a/openssh-7.3p1-x11-max-displays.patch +++ b/backport-openssh-7.3p1-x11-max-displays.patch @@ -1,6 +1,7 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c --- openssh-7.4p1/channels.c.x11max 2016-12-23 15:46:32.071506625 +0100 +++ openssh-7.4p1/channels.c 2016-12-23 15:46:32.139506636 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.3p1-x11-max-displays.patch @@ -152,8 +152,8 @@ static int all_opens_permitted = 0; #define FWD_PERMIT_ANY_HOST "*" @@ -10,8 +11,8 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c +/* Minimum port number for X11 forwarding */ +#define X11_PORT_MIN 6000 - /* Per-channel callback for pre/post IO actions */ - typedef void chan_fn(struct ssh *, Channel *c); + /* Per-channel callback for pre/post select() actions */ + typedef void chan_fn(struct ssh *, Channel *c, @@ -4228,7 +4228,7 @@ channel_send_window_changes(void) */ int @@ -80,9 +81,10 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c diff -up openssh-7.4p1/channels.h.x11max openssh-7.4p1/channels.h --- openssh-7.4p1/channels.h.x11max 2016-12-19 05:59:41.000000000 +0100 +++ openssh-7.4p1/channels.h 2016-12-23 15:46:32.139506636 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.3p1-x11-max-displays.patch 
@@ -293,7 +293,7 @@ int permitopen_port(const char *); - void channel_set_x11_refuse_time(struct ssh *, time_t); + void channel_set_x11_refuse_time(struct ssh *, u_int); int x11_connect_display(struct ssh *); -int x11_create_display_inet(struct ssh *, int, int, int, u_int *, int **); +int x11_create_display_inet(struct ssh *, int, int, int, int, u_int *, int **); @@ -92,6 +94,7 @@ diff -up openssh-7.4p1/channels.h.x11max openssh-7.4p1/channels.h diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c --- openssh-7.4p1/servconf.c.x11max 2016-12-23 15:46:32.133506635 +0100 +++ openssh-7.4p1/servconf.c 2016-12-23 15:47:27.320519121 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.3p1-x11-max-displays.patch @@ -95,6 +95,7 @@ initialize_server_options(ServerOptions options->print_lastlog = -1; options->x11_forwarding = -1; @@ -110,9 +113,9 @@ diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c options->x11_use_localhost = 1; if (options->xauth_location == NULL) @@ -419,7 +422,7 @@ typedef enum { - sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok, sPasswordAuthentication, - sKbdInteractiveAuthentication, sListenAddress, sAddressFamily, - sPrintMotd, sPrintLastLog, sIgnoreRhosts, + sPasswordAuthentication, + sKbdInteractiveAuthentication, sListenAddress, sAddressFamily, + sPrintMotd, sPrintLastLog, sIgnoreRhosts, - sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, + sX11Forwarding, sX11DisplayOffset, sX11MaxDisplays, sX11UseLocalhost, sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive, @@ -156,6 +159,7 @@ diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c diff -up openssh-7.4p1/servconf.h.x11max openssh-7.4p1/servconf.h --- openssh-7.4p1/servconf.h.x11max 2016-12-23 15:46:32.133506635 +0100 +++ openssh-7.4p1/servconf.h 2016-12-23 15:46:32.140506636 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.3p1-x11-max-displays.patch 
@@ -55,6 +55,7 @@ #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */ @@ -175,6 +179,7 @@ diff -up openssh-7.4p1/servconf.h.x11max openssh-7.4p1/servconf.h diff -up openssh-7.4p1/session.c.x11max openssh-7.4p1/session.c --- openssh-7.4p1/session.c.x11max 2016-12-23 15:46:32.136506636 +0100 +++ openssh-7.4p1/session.c 2016-12-23 15:46:32.141506636 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.3p1-x11-max-displays.patch @@ -2518,8 +2518,9 @@ session_setup_x11fwd(Session *s) return 0; } @@ -190,9 +195,10 @@ diff -up openssh-7.4p1/session.c.x11max openssh-7.4p1/session.c diff -up openssh-7.4p1/sshd_config.5.x11max openssh-7.4p1/sshd_config.5 --- openssh-7.4p1/sshd_config.5.x11max 2016-12-23 15:46:32.134506635 +0100 +++ openssh-7.4p1/sshd_config.5 2016-12-23 15:46:32.141506636 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.3p1-x11-max-displays.patch @@ -1133,6 +1133,7 @@ Available keywords are + .Cm StreamLocalBindUnlink , .Cm TrustedUserCAKeys , - .Cm UnusedConnectionTimeout , .Cm X11DisplayOffset , +.Cm X11MaxDisplays , .Cm X11Forwarding diff --git a/openssh-7.4p1-systemd.patch b/backport-openssh-7.4p1-systemd.patch index 1242aac..c760b9a 100644 --- a/openssh-7.4p1-systemd.patch +++ b/backport-openssh-7.4p1-systemd.patch @@ -8,9 +8,10 @@ diff --git a/configure.ac b/configure.ac index 2ffc369..162ce92 100644 --- a/configure.ac +++ b/configure.ac +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.4p1-systemd.patch @@ -4265,6 +4265,30 @@ AC_ARG_WITH([kerberos5], + AC_SUBST([GSSLIBS]) AC_SUBST([K5LIBS]) - AC_SUBST([CHANNELLIBS]) +# Check whether user wants systemd support +SYSTEMD_MSG="no" @@ -52,6 +53,7 @@ new file mode 100644 index 0000000..e0d4923 --- /dev/null +++ b/contrib/sshd.service +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.4p1-systemd.patch 
@@ -0,0 +1,16 @@ +[Unit] +Description=OpenSSH server daemon @@ -73,6 +75,7 @@ diff --git a/sshd.c b/sshd.c index 816611c..b8b9d13 100644 --- a/sshd.c +++ b/sshd.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.4p1-systemd.patch @@ -85,6 +85,10 @@ #include <prot.h> #endif diff --git a/openssh-7.5p1-sandbox.patch b/backport-openssh-7.5p1-sandbox.patch index 90640a0..e0c4109 100644 --- a/openssh-7.5p1-sandbox.patch +++ b/backport-openssh-7.5p1-sandbox.patch @@ -7,12 +7,14 @@ this is only need on s390 architecture. Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx> --- sandbox-seccomp-filter.c | 6 ++++++ +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.5p1-sandbox.patch 1 file changed, 6 insertions(+) diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index ca75cc7..6e7de31 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.5p1-sandbox.patch @@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = { #ifdef __NR_exit_group SC_ALLOW(__NR_exit_group), @@ -21,7 +23,7 @@ index ca75cc7..6e7de31 100644 + SC_ALLOW(__NR_flock), +#endif #ifdef __NR_futex - SC_FUTEX(__NR_futex), + SC_ALLOW(__NR_futex), #endif @@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = { #ifdef __NR_gettimeofday @@ -43,12 +45,14 @@ Those syscalls are also needed by the distros for audit code. Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx> --- sandbox-seccomp-filter.c | 12 ++++++++++++ +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.5p1-sandbox.patch 1 file changed, 12 insertions(+) diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index 6e7de31..e86aa2c 100644 --- a/sandbox-seccomp-filter.c 
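Review bot: The `@@ -21,7 +23,7 @@` hunk rewrites the context line under `#ifdef __NR_futex` from `SC_FUTEX(__NR_futex)` to `SC_ALLOW(__NR_futex)`; that is context only, so the hunk does not change what the sandbox patch adds, but it shows that the tree this patch is now rebased onto admits the whole futex syscall in the pre-auth seccomp filter rather than the `SC_FUTEX` rule, which presumably constrains the operation argument, and the patch description says nothing about that difference. A one-line remark in the patch header such as `Rebased onto a base whose filter uses SC_ALLOW(__NR_futex); restore the SC_FUTEX context when moving to a newer base` would keep the wider rule from being carried forward silently on the next rebase.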
+++ b/sandbox-seccomp-filter.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.5p1-sandbox.patch @@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = { #ifdef __NR_getpid SC_ALLOW(__NR_getpid), @@ -73,6 +77,7 @@ index 6e7de31..e86aa2c 100644 diff -up openssh-7.6p1/sandbox-seccomp-filter.c.sandbox openssh-7.6p1/sandbox-seccomp-filter.c --- openssh-7.6p1/sandbox-seccomp-filter.c.sandbox 2017-12-12 13:59:30.563874059 +0100 +++ openssh-7.6p1/sandbox-seccomp-filter.c 2017-12-12 13:59:14.842784083 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.5p1-sandbox.patch @@ -190,6 +190,9 @@ static const struct sock_filter preauth_ #ifdef __NR_geteuid32 SC_ALLOW(__NR_geteuid32), diff --git a/openssh-7.6p1-audit.patch b/backport-openssh-7.6p1-audit.patch index 748c4b6..7f68f36 100644 --- a/openssh-7.6p1-audit.patch +++ b/backport-openssh-7.6p1-audit.patch @@ -1,6 +1,7 @@ diff -up openssh-8.6p1/audit-bsm.c.audit openssh-8.6p1/audit-bsm.c --- openssh-8.6p1/audit-bsm.c.audit 2021-04-16 05:55:25.000000000 +0200 +++ openssh-8.6p1/audit-bsm.c 2021-04-19 16:47:35.753062106 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-audit.patch @@ -373,13 +373,26 @@ audit_connection_from(const char *host, #endif } @@ -74,6 +75,7 @@ diff -up openssh-8.6p1/audit-bsm.c.audit openssh-8.6p1/audit-bsm.c diff -up openssh-8.6p1/audit.c.audit openssh-8.6p1/audit.c --- openssh-8.6p1/audit.c.audit 2021-04-16 05:55:25.000000000 +0200 +++ openssh-8.6p1/audit.c 2021-04-19 16:47:35.753062106 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-audit.patch @@ -34,6 +34,12 @@ #include "log.h" #include "hostfile.h" 
@@ -254,6 +256,7 @@ diff -up openssh-8.6p1/audit.c.audit openssh-8.6p1/audit.c diff -up openssh-8.6p1/audit.h.audit openssh-8.6p1/audit.h --- openssh-8.6p1/audit.h.audit 2021-04-16 05:55:25.000000000 +0200 +++ openssh-8.6p1/audit.h 2021-04-19 16:47:35.753062106 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-audit.patch @@ -26,6 +26,7 @@ # define _SSH_AUDIT_H @@ -299,6 +302,7 @@ diff -up openssh-8.6p1/audit.h.audit openssh-8.6p1/audit.h diff -up openssh-8.6p1/audit-linux.c.audit openssh-8.6p1/audit-linux.c --- openssh-8.6p1/audit-linux.c.audit 2021-04-16 05:55:25.000000000 +0200 +++ openssh-8.6p1/audit-linux.c 2021-04-19 16:47:35.753062106 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-audit.patch @@ -33,27 +33,40 @@ #include "log.h" @@ -672,6 +676,7 @@ diff -up openssh-8.6p1/audit-linux.c.audit openssh-8.6p1/audit-linux.c diff -up openssh-8.6p1/auditstub.c.audit openssh-8.6p1/auditstub.c --- openssh-8.6p1/auditstub.c.audit 2021-04-19 16:47:35.754062114 +0200 +++ openssh-8.6p1/auditstub.c 2021-04-19 16:47:35.754062114 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-audit.patch @@ -0,0 +1,52 @@ +/* $Id: auditstub.c,v 1.1 jfch Exp $ */ + @@ -728,8 +733,9 @@ diff -up openssh-8.6p1/auditstub.c.audit openssh-8.6p1/auditstub.c diff -up openssh-8.6p1/auth2.c.audit openssh-8.6p1/auth2.c --- openssh-8.6p1/auth2.c.audit 2021-04-19 16:47:35.682061561 +0200 +++ openssh-8.6p1/auth2.c 2021-04-19 16:47:35.754062114 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-audit.patch @@ -298,9 +298,6 @@ input_userauth_request(int type, u_int32 - authctxt->valid = 0; + } else { /* Invalid user, fake password information */ authctxt->pw = fakepw(); -#ifdef SSH_AUDIT_EVENTS 
@@ -741,6 +747,7 @@ diff -up openssh-8.6p1/auth2.c.audit openssh-8.6p1/auth2.c diff -up openssh-8.6p1/auth2-hostbased.c.audit openssh-8.6p1/auth2-hostbased.c --- openssh-8.6p1/auth2-hostbased.c.audit 2021-04-19 16:47:35.656061361 +0200 +++ openssh-8.6p1/auth2-hostbased.c 2021-04-19 16:47:35.754062114 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-audit.patch @@ -158,7 +158,7 @@ userauth_hostbased(struct ssh *ssh) authenticated = 0; if (PRIVSEP(hostbased_key_allowed(ssh, authctxt->pw, cuser, @@ -774,6 +781,7 @@ diff -up openssh-8.6p1/auth2-hostbased.c.audit openssh-8.6p1/auth2-hostbased.c diff -up openssh-8.6p1/auth2-pubkey.c.audit openssh-8.6p1/auth2-pubkey.c --- openssh-8.6p1/auth2-pubkey.c.audit 2021-04-19 16:47:35.726061899 +0200 +++ openssh-8.6p1/auth2-pubkey.c 2021-04-19 16:47:35.754062114 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-audit.patch @@ -213,7 +213,7 @@ userauth_pubkey(struct ssh *ssh) /* test for correct signature */ authenticated = 0; @@ -802,11 +810,12 @@ diff -up openssh-8.6p1/auth2-pubkey.c.audit openssh-8.6p1/auth2-pubkey.c +} + static int - match_principals_file(struct passwd *pw, char *file, - struct sshkey_cert *cert, struct sshauthopt **authoptsp) + match_principals_option(const char *principal_list, struct sshkey_cert *cert) + { diff -up openssh-8.6p1/auth.c.audit openssh-8.6p1/auth.c --- openssh-8.6p1/auth.c.audit 2021-04-19 16:47:35.681061553 +0200 +++ openssh-8.6p1/auth.c 2021-04-19 16:47:35.754062114 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-audit.patch @@ -597,9 +597,6 @@ getpwnamallow(struct ssh *ssh, const cha record_failed_login(ssh, user, auth_get_canonical_hostname(ssh, options.use_dns), "ssh"); 
@@ -820,6 +829,16 @@ diff -up openssh-8.6p1/auth.c.audit openssh-8.6p1/auth.c diff -up openssh-8.6p1/auth.h.audit openssh-8.6p1/auth.h --- openssh-8.6p1/auth.h.audit 2021-04-19 16:47:35.697061676 +0200 +++ openssh-8.6p1/auth.h 2021-04-19 16:47:35.754062114 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-audit.patch +@@ -193,6 +193,8 @@ struct passwd * getpwnamallow(struct ssh + + char *expand_authorized_keys(const char *, struct passwd *pw); + char *authorized_principals_file(struct passwd *); ++int user_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t, ++ const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **); + + FILE *auth_openkeyfile(const char *, struct passwd *, int); + FILE *auth_openprincipals(const char *, struct passwd *, int); @@ -212,6 +214,8 @@ struct sshkey *get_hostkey_private_by_ty int get_hostkey_index(struct sshkey *, int, struct ssh *); int sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *, 
@@ -829,18 +848,10 @@ diff -up openssh-8.6p1/auth.h.audit openssh-8.6p1/auth.h /* Key / cert options linkage to auth layer */ const struct sshauthopt *auth_options(struct ssh *); -@@ -239,6 +241,8 @@ struct passwd * getpwnamallow(struct ssh - char *, const char *, const char *, const char *, struct sshauthopt **); - int auth_check_authkeys_file(struct passwd *, FILE *, char *, - struct sshkey *, const char *, const char *, struct sshauthopt **); -+int user_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t, -+ const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **); - FILE *auth_openkeyfile(const char *, struct passwd *, int); - FILE *auth_openprincipals(const char *, struct passwd *, int); - diff -up openssh-8.6p1/cipher.c.audit openssh-8.6p1/cipher.c --- openssh-8.6p1/cipher.c.audit 2021-04-16 05:55:25.000000000 +0200 +++ openssh-8.6p1/cipher.c 2021-04-19 16:47:35.755062122 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-audit.patch @@ -64,25 +64,6 @@ struct sshcipher_ctx { const struct sshcipher *cipher; }; @@ -879,6 +890,7 @@ diff -up openssh-8.6p1/cipher.c.audit openssh-8.6p1/cipher.c diff -up openssh-8.6p1/cipher.h.audit openssh-8.6p1/cipher.h --- openssh-8.6p1/cipher.h.audit 2021-04-16 05:55:25.000000000 +0200 +++ openssh-8.6p1/cipher.h 2021-04-19 16:47:35.755062122 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-audit.patch @@ -47,7 +47,25 @@ #define CIPHER_ENCRYPT 1 #define CIPHER_DECRYPT 0 @@ -909,10 +921,11 @@ diff -up openssh-8.6p1/cipher.h.audit openssh-8.6p1/cipher.h diff -up openssh-8.6p1/kex.c.audit openssh-8.6p1/kex.c --- openssh-8.6p1/kex.c.audit 2021-04-19 16:47:35.743062030 +0200 +++ openssh-8.6p1/kex.c 2021-04-19 16:47:35.755062122 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-audit.patch 
@@ -65,6 +65,7 @@ + #include "ssherr.h" #include "sshbuf.h" #include "digest.h" - #include "xmalloc.h" +#include "audit.h" #ifdef GSSAPI @@ -1038,6 +1051,7 @@ diff -up openssh-8.6p1/kex.c.audit openssh-8.6p1/kex.c diff -up openssh-8.6p1/kex.h.audit openssh-8.6p1/kex.h --- openssh-8.6p1/kex.h.audit 2021-04-19 16:47:35.683061568 +0200 +++ openssh-8.6p1/kex.h 2021-04-19 16:47:35.756062129 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-audit.patch @@ -226,6 +226,8 @@ int kexgss_client(struct ssh *); int kexgss_server(struct ssh *); #endif @@ -1050,6 +1064,7 @@ diff -up openssh-8.6p1/kex.h.audit openssh-8.6p1/kex.h diff -up openssh-8.6p1/mac.c.audit openssh-8.6p1/mac.c --- openssh-8.6p1/mac.c.audit 2021-04-16 05:55:25.000000000 +0200 +++ openssh-8.6p1/mac.c 2021-04-19 16:47:35.756062129 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-audit.patch @@ -239,6 +239,20 @@ mac_clear(struct sshmac *mac) mac->umac_ctx = NULL; } @@ -1074,6 +1089,7 @@ diff -up openssh-8.6p1/mac.c.audit openssh-8.6p1/mac.c diff -up openssh-8.6p1/mac.h.audit openssh-8.6p1/mac.h --- openssh-8.6p1/mac.h.audit 2021-04-16 05:55:25.000000000 +0200 +++ openssh-8.6p1/mac.h 2021-04-19 16:47:35.756062129 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-audit.patch @@ -49,5 +49,6 @@ int mac_compute(struct sshmac *, u_int3 int mac_check(struct sshmac *, u_int32_t, const u_char *, size_t, const u_char *, size_t); @@ -1084,6 +1100,7 @@ diff -up openssh-8.6p1/mac.h.audit openssh-8.6p1/mac.h diff -up openssh-8.6p1/Makefile.in.audit openssh-8.6p1/Makefile.in --- openssh-8.6p1/Makefile.in.audit 2021-04-19 16:47:35.731061937 +0200 +++ openssh-8.6p1/Makefile.in 2021-04-19 16:47:35.756062129 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-audit.patch 
@@ -112,7 +112,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ kexsntrup761x25519.o sntrup761.o kexgen.o \ kexgssc.o \ @@ -1096,6 +1113,7 @@ diff -up openssh-8.6p1/Makefile.in.audit openssh-8.6p1/Makefile.in diff -up openssh-8.6p1/monitor.c.audit openssh-8.6p1/monitor.c --- openssh-8.6p1/monitor.c.audit 2021-04-19 16:47:35.707061753 +0200 +++ openssh-8.6p1/monitor.c 2021-04-19 16:47:35.756062129 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-audit.patch @@ -93,6 +93,7 @@ #include "compat.h" #include "ssh2.h" @@ -1195,9 +1213,9 @@ diff -up openssh-8.6p1/monitor.c.audit openssh-8.6p1/monitor.c - ret = sshkey_verify(key, signature, signaturelen, data, datalen, - sigalg, ssh->compat, &sig_details); - debug3_f("%s %s signature using %s %s%s%s", auth_method, - sshkey_type(key), sigalg == NULL ? "default" : sigalg, + debug3_f("%s %s signature %s%s%s", auth_method, sshkey_type(key), (ret == 0) ? "verified" : "unverified", + (ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : ""); @@ -1576,13 +1600,19 @@ mm_record_login(struct ssh *ssh, Session } @@ -1429,6 +1447,7 @@ diff -up openssh-8.6p1/monitor.c.audit openssh-8.6p1/monitor.c diff -up openssh-8.6p1/monitor.h.audit openssh-8.6p1/monitor.h --- openssh-8.6p1/monitor.h.audit 2021-04-19 16:47:35.707061753 +0200 +++ openssh-8.6p1/monitor.h 2021-04-19 16:47:35.757062137 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-audit.patch @@ -65,7 +65,13 @@ enum monitor_reqtype { MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107, MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109, 
@@ -1447,6 +1466,7 @@ diff -up openssh-8.6p1/monitor.h.audit openssh-8.6p1/monitor.h diff -up openssh-8.6p1/monitor_wrap.c.audit openssh-8.6p1/monitor_wrap.c --- openssh-8.6p1/monitor_wrap.c.audit 2021-04-19 16:47:35.685061584 +0200 +++ openssh-8.6p1/monitor_wrap.c 2021-04-19 16:47:35.757062137 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-audit.patch @@ -520,7 +520,7 @@ mm_key_allowed(enum mm_keytype type, con */ @@ -1622,6 +1642,7 @@ diff -up openssh-8.6p1/monitor_wrap.c.audit openssh-8.6p1/monitor_wrap.c diff -up openssh-8.6p1/monitor_wrap.h.audit openssh-8.6p1/monitor_wrap.h --- openssh-8.6p1/monitor_wrap.h.audit 2021-04-19 16:47:35.685061584 +0200 +++ openssh-8.6p1/monitor_wrap.h 2021-04-19 16:47:35.757062137 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-audit.patch @@ -61,7 +61,9 @@ int mm_user_key_allowed(struct ssh *, st struct sshauthopt **); int mm_hostbased_key_allowed(struct ssh *, struct passwd *, const char *, @@ -1650,6 +1671,7 @@ diff -up openssh-8.6p1/monitor_wrap.h.audit openssh-8.6p1/monitor_wrap.h diff -up openssh-8.6p1/packet.c.audit openssh-8.6p1/packet.c --- openssh-8.6p1/packet.c.audit 2021-04-16 05:55:25.000000000 +0200 +++ openssh-8.6p1/packet.c 2021-04-19 16:48:46.885608837 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-audit.patch @@ -81,6 +81,7 @@ #endif @@ -1803,6 +1825,7 @@ diff -up openssh-8.6p1/packet.c.audit openssh-8.6p1/packet.c diff -up openssh-8.6p1/packet.h.audit openssh-8.6p1/packet.h --- openssh-8.6p1/packet.h.audit 2021-04-16 05:55:25.000000000 +0200 +++ openssh-8.6p1/packet.h 2021-04-19 16:47:35.758062145 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-audit.patch @@ -218,4 +218,5 @@ const u_char *sshpkt_ptr(struct ssh *, s # undef EC_POINT #endif 
@@ -1812,6 +1835,7 @@ diff -up openssh-8.6p1/packet.h.audit openssh-8.6p1/packet.h diff -up openssh-8.6p1/session.c.audit openssh-8.6p1/session.c --- openssh-8.6p1/session.c.audit 2021-04-19 16:47:35.722061868 +0200 +++ openssh-8.6p1/session.c 2021-04-19 16:47:35.758062145 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-audit.patch @@ -136,7 +136,7 @@ extern char *__progname; extern int debug_flag; extern u_int utmp_len; @@ -1990,6 +2014,7 @@ diff -up openssh-8.6p1/session.c.audit openssh-8.6p1/session.c diff -up openssh-8.6p1/session.h.audit openssh-8.6p1/session.h --- openssh-8.6p1/session.h.audit 2021-04-16 05:55:25.000000000 +0200 +++ openssh-8.6p1/session.h 2021-04-19 16:47:35.758062145 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-audit.patch @@ -61,6 +61,12 @@ struct Session { char *name; char *val; @@ -2006,7 +2031,7 @@ diff -up openssh-8.6p1/session.h.audit openssh-8.6p1/session.h @@ -71,10 +77,12 @@ void session_unused(int); int session_input_channel_req(struct ssh *, Channel *, const char *); void session_close_by_pid(struct ssh *ssh, pid_t, int); - void session_close_by_channel(struct ssh *, int, int, void *); + void session_close_by_channel(struct ssh *, int, void *); -void session_destroy_all(struct ssh *, void (*)(Session *)); +void session_destroy_all(struct ssh *, void (*)(struct ssh*, Session *)); void session_pty_cleanup2(Session *); @@ -2020,6 +2045,7 @@ diff -up openssh-8.6p1/session.h.audit openssh-8.6p1/session.h diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c --- openssh-8.6p1/sshd.c.audit 2021-04-19 16:47:35.727061907 +0200 +++ openssh-8.6p1/sshd.c 2021-04-19 16:47:35.759062152 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-audit.patch @@ -122,6 +122,7 @@ #include "ssh-gss.h" #endif 
@@ -2040,7 +2066,7 @@ diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c static char *listener_proctitle; @@ -279,6 +280,15 @@ close_listen_socks(void) - num_listen_socks = 0; + num_listen_socks = -1; } +/* @@ -2049,16 +2075,16 @@ diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c + */ +int listening_for_clients(void) +{ -+ return num_listen_socks > 0; ++ return num_listen_socks >= 0; +} + static void close_startup_pipes(void) { @@ -377,18 +387,45 @@ grace_alarm_handler(int sig) - ssh_remote_port(the_active_state)); + } } - + -/* Destroy the host and server keys. They will no longer be needed. */ +/* + * Destroy the host and server keys. They will no longer be needed. Careful, @@ -2196,8 +2222,8 @@ diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c -server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) +server_accept_loop(struct ssh *ssh, int *sock_in, int *sock_out, int *newsock, int *config_s) { - struct pollfd *pfd = NULL; - int i, j, ret, npfd; + fd_set *fdset; + int i, j, ret, maxfd; @@ -1204,6 +1259,7 @@ server_accept_loop(int *sock_in, int *so if (received_sigterm) { logit("Received signal %d; terminating.", @@ -2262,6 +2288,7 @@ diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c diff -up openssh-8.6p1/sshkey.c.audit openssh-8.6p1/sshkey.c --- openssh-8.6p1/sshkey.c.audit 2021-04-19 16:47:35.741062014 +0200 +++ openssh-8.6p1/sshkey.c 2021-04-19 16:47:35.759062152 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-audit.patch @@ -371,6 +371,38 @@ sshkey_type_is_valid_ca(int type) } @@ -2304,6 +2331,7 @@ diff -up openssh-8.6p1/sshkey.c.audit openssh-8.6p1/sshkey.c diff -up openssh-8.6p1/sshkey.h.audit openssh-8.6p1/sshkey.h --- openssh-8.6p1/sshkey.h.audit 2021-04-19 16:47:35.741062014 +0200 +++ openssh-8.6p1/sshkey.h 2021-04-19 16:47:35.759062152 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-audit.patch 
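Review bot: The `@@ -2040,7 +2066,7 @@` and `@@ -2049,16 +2075,16 @@` hunks change the sentinel stored by `close_listen_socks()` (`num_listen_socks = -1;` in the new context) and the predicate the audit patch adds (`return num_listen_socks >= 0;`) together, and they are only correct as a pair; a later rebase that picks up one without the other would silently invert `listening_for_clients()`. With `>= 0` the function is also true while no listening socket has been opened yet, and presumably in inetd mode, where the previous `> 0` form returned false; if callers use it to decide whether a connection-level audit event is emitted, that case is worth checking against them, as they lie outside this hunk. Stating the contract in the patch's own comment block above the function, e.g. `/* True until close_listen_socks() has run; relies on its -1 sentinel. */`, would make the coupling visible to the next person rebasing it.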
@@ -189,6 +189,7 @@ int sshkey_shield_private(struct sshke int sshkey_unshield_private(struct sshkey *); diff --git a/openssh-7.6p1-cleanup-selinux.patch b/backport-openssh-7.6p1-cleanup-selinux.patch index f7cd50f..b514bd0 100644 --- a/openssh-7.6p1-cleanup-selinux.patch +++ b/backport-openssh-7.6p1-cleanup-selinux.patch @@ -1,6 +1,7 @@ diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c --- openssh/auth2-pubkey.c.refactor 2019-04-04 13:19:12.188821236 +0200 +++ openssh/auth2-pubkey.c 2019-04-04 13:19:12.276822078 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-cleanup-selinux.patch @@ -72,6 +72,9 @@ /* import */ @@ -34,6 +35,7 @@ diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c diff -up openssh/misc.c.refactor openssh/misc.c --- openssh/misc.c.refactor 2019-04-04 13:19:12.235821686 +0200 +++ openssh/misc.c 2019-04-04 13:19:12.276822078 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-cleanup-selinux.patch @@ -756,7 +756,8 @@ auth_get_canonical_hostname(struct ssh * pid_t subprocess(const char *tag, const char *command, @@ -56,6 +58,7 @@ diff -up openssh/misc.c.refactor openssh/misc.c diff -up openssh/misc.h.refactor openssh/misc.h --- openssh/misc.h.refactor 2019-04-04 13:19:12.251821839 +0200 +++ openssh/misc.h 2019-04-04 13:19:12.276822078 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-cleanup-selinux.patch @@ -235,7 +235,7 @@ struct passwd *fakepw(void); #define SSH_SUBPROCESS_UNSAFE_PATH (1<<3) /* Don't check for safe cmd */ #define SSH_SUBPROCESS_PRESERVE_ENV (1<<4) /* Keep parent environment */ 
@@ -68,6 +71,7 @@ diff -up openssh/misc.h.refactor openssh/misc.h diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/port-linux.h --- openssh/openbsd-compat/port-linux.h.refactor 2019-04-04 13:19:12.256821887 +0200 +++ openssh/openbsd-compat/port-linux.h 2019-04-04 13:19:12.276822078 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-cleanup-selinux.patch @@ -26,8 +26,8 @@ void ssh_selinux_setfscreatecon(const ch int sshd_selinux_enabled(void); @@ -82,6 +86,7 @@ diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/por diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compat/port-linux-sshd.c --- openssh/openbsd-compat/port-linux-sshd.c.refactor 2019-04-04 13:19:12.256821887 +0200 +++ openssh/openbsd-compat/port-linux-sshd.c 2019-04-04 13:19:12.276822078 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-cleanup-selinux.patch @@ -49,11 +49,6 @@ #include <unistd.h> #endif @@ -216,6 +221,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa diff -up openssh/platform.c.refactor openssh/platform.c --- openssh/platform.c.refactor 2019-04-04 13:19:12.204821389 +0200 +++ openssh/platform.c 2019-04-04 13:19:12.277822088 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-cleanup-selinux.patch @@ -32,6 +32,9 @@ extern int use_privsep; @@ -240,6 +246,7 @@ diff -up openssh/platform.c.refactor openssh/platform.c diff -up openssh/sshd.c.refactor openssh/sshd.c --- openssh/sshd.c.refactor 2019-04-04 13:19:12.275822068 +0200 +++ openssh/sshd.c 2019-04-04 13:19:51.270195262 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-cleanup-selinux.patch @@ -158,7 +158,7 @@ int debug_flag = 0; static int test_flag = 0; 
@@ -272,6 +279,7 @@ diff -up openssh/sshd.c.refactor openssh/sshd.c diff -up openssh/sshconnect.c.refactor openssh/sshconnect.c --- openssh/sshconnect.c.refactor 2021-02-24 00:12:03.065325046 +0100 +++ openssh/sshconnect.c 2021-02-24 00:12:12.126449544 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-cleanup-selinux.patch @@ -892,7 +892,7 @@ load_hostkeys_command(struct hostkeys *h if ((pid = subprocess(tag, command, ac, av, &f, diff --git a/backport-openssh-7.7p1-fips.patch b/backport-openssh-7.7p1-fips.patch new file mode 100644 index 0000000..3661818 --- /dev/null +++ b/backport-openssh-7.7p1-fips.patch 
@@ -0,0 +1,466 @@ +diff -up openssh-8.6p1/cipher-ctr.c.fips openssh-8.6p1/cipher-ctr.c +--- openssh-8.6p1/cipher-ctr.c.fips 2021-04-19 16:53:02.994577324 +0200 ++++ openssh-8.6p1/cipher-ctr.c 2021-04-19 16:53:03.064577862 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-fips.patch +@@ -179,7 +179,8 @@ evp_aes_128_ctr(void) + aes_ctr.do_cipher = ssh_aes_ctr; + #ifndef SSH_OLD_EVP + aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | +- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; ++ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV | ++ EVP_CIPH_FLAG_FIPS; + #endif + return (&aes_ctr); + } +diff -up openssh-8.6p1/dh.c.fips openssh-8.6p1/dh.c +--- openssh-8.6p1/dh.c.fips 2021-04-16 05:55:25.000000000 +0200 ++++ openssh-8.6p1/dh.c 2021-04-19 16:58:47.750263410 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-fips.patch +@@ -164,6 +164,12 @@ choose_dh(int min, int wantbits, int max + int best, bestcount, which, linenum; + struct dhgroup dhg; + ++ if (FIPS_mode()) { ++ logit("Using arbitrary primes is not allowed in FIPS mode." ++ " Falling back to known groups."); ++ return (dh_new_group_fallback(max)); ++ } ++ + if ((f = fopen(get_moduli_filename(), "r")) == NULL) { + logit("WARNING: could not open %s (%s), using fixed modulus", + get_moduli_filename(), strerror(errno)); +@@ -502,4 +508,38 @@ dh_estimate(int bits) + return 8192; + } + ++/* ++ * Compares the received DH parameters with known-good groups, ++ * which might be either from group14, group16 or group18. 
++ */ ++int ++dh_is_known_group(const DH *dh) ++{ ++ const BIGNUM *p, *g; ++ const BIGNUM *known_p, *known_g; ++ DH *known = NULL; ++ int bits = 0, rv = 0; ++ ++ DH_get0_pqg(dh, &p, NULL, &g); ++ bits = BN_num_bits(p); ++ ++ if (bits <= 3072) { ++ known = dh_new_group14(); ++ } else if (bits <= 6144) { ++ known = dh_new_group16(); ++ } else { ++ known = dh_new_group18(); ++ } ++ ++ DH_get0_pqg(known, &known_p, NULL, &known_g); ++ ++ if (BN_cmp(g, known_g) == 0 && ++ BN_cmp(p, known_p) == 0) { ++ rv = 1; ++ } ++ ++ DH_free(known); ++ return rv; ++} ++ + #endif /* WITH_OPENSSL */ +diff -up openssh-8.6p1/dh.h.fips openssh-8.6p1/dh.h +--- openssh-8.6p1/dh.h.fips 2021-04-19 16:53:03.064577862 +0200 ++++ openssh-8.6p1/dh.h 2021-04-19 16:59:31.951616078 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-fips.patch +@@ -45,6 +45,7 @@ DH *dh_new_group_fallback(int); + + int dh_gen_key(DH *, int); + int dh_pub_is_valid(const DH *, const BIGNUM *); ++int dh_is_known_group(const DH *); + + u_int dh_estimate(int); + void dh_set_moduli_file(const char *); +diff -up openssh-8.6p1/kex.c.fips openssh-8.6p1/kex.c +--- openssh-8.6p1/kex.c.fips 2021-04-19 16:53:03.058577815 +0200 ++++ openssh-8.6p1/kex.c 2021-04-19 16:53:03.065577869 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-fips.patch +@@ -203,7 +203,10 @@ kex_names_valid(const char *names) + for ((p = strsep(&cp, ",")); p && *p != '\0'; + (p = strsep(&cp, ","))) { + if (kex_alg_by_name(p) == NULL) { +- error("Unsupported KEX algorithm \"%.100s\"", p); ++ if (FIPS_mode()) ++ error("\"%.100s\" is not allowed in FIPS mode", p); ++ else ++ error("Unsupported KEX algorithm \"%.100s\"", p); + free(s); + return 0; + } +diff -up openssh-8.6p1/kexgexc.c.fips openssh-8.6p1/kexgexc.c +--- openssh-8.6p1/kexgexc.c.fips 2021-04-16 05:55:25.000000000 +0200 ++++ openssh-8.6p1/kexgexc.c 2021-04-19 16:53:03.065577869 +0200 
+Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-fips.patch +@@ -28,6 +28,7 @@ + + #ifdef WITH_OPENSSL + ++#include <openssl/crypto.h> + #include <sys/types.h> + + #include <openssl/dh.h> +@@ -115,6 +116,10 @@ input_kex_dh_gex_group(int type, u_int32 + r = SSH_ERR_ALLOC_FAIL; + goto out; + } ++ if (FIPS_mode() && dh_is_known_group(kex->dh) == 0) { ++ r = SSH_ERR_INVALID_ARGUMENT; ++ goto out; ++ } + p = g = NULL; /* belong to kex->dh now */ + + /* generate and send 'e', client DH public key */ +diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h +--- openssh-8.6p1/myproposal.h.fips 2021-04-16 05:55:25.000000000 +0200 ++++ openssh-8.6p1/myproposal.h 2021-04-19 16:53:03.065577869 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-fips.patch +@@ -57,6 +57,18 @@ + "rsa-sha2-512," \ + "rsa-sha2-256" + ++#define KEX_FIPS_PK_ALG \ ++ "ecdsa-sha2-nistp256-cert-v01@openssh.com," \ ++ "ecdsa-sha2-nistp384-cert-v01@openssh.com," \ ++ "ecdsa-sha2-nistp521-cert-v01@openssh.com," \ ++ "rsa-sha2-512-cert-v01@openssh.com," \ ++ "rsa-sha2-256-cert-v01@openssh.com," \ ++ "ecdsa-sha2-nistp256," \ ++ "ecdsa-sha2-nistp384," \ ++ "ecdsa-sha2-nistp521," \ ++ "rsa-sha2-512," \ ++ "rsa-sha2-256," \ ++ + #define KEX_SERVER_ENCRYPT \ + "chacha20-poly1305@openssh.com," \ + "aes128-ctr,aes192-ctr,aes256-ctr," \ +@@ -78,6 +92,27 @@ + + #define KEX_CLIENT_MAC KEX_SERVER_MAC + ++#define KEX_FIPS_ENCRYPT \ ++ "aes128-ctr,aes192-ctr,aes256-ctr," \ ++ "aes128-cbc,3des-cbc," \ ++ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \ ++ "aes128-gcm@openssh.com,aes256-gcm@openssh.com" ++#define KEX_DEFAULT_KEX_FIPS \ ++ "ecdh-sha2-nistp256," \ ++ "ecdh-sha2-nistp384," \ ++ "ecdh-sha2-nistp521," \ ++ "diffie-hellman-group-exchange-sha256," \ ++ "diffie-hellman-group16-sha512," \ ++ "diffie-hellman-group18-sha512," \ ++ "diffie-hellman-group14-sha256" ++#define KEX_FIPS_MAC \ ++ "hmac-sha1," \ ++ 
"hmac-sha2-256," \ ++ "hmac-sha2-512," \ ++ "hmac-sha1-etm@openssh.com," \ ++ "hmac-sha2-256-etm@openssh.com," \ ++ "hmac-sha2-512-etm@openssh.com" ++ + /* Not a KEX value, but here so all the algorithm defaults are together */ + #define SSH_ALLOWED_CA_SIGALGS \ + "ssh-ed25519," \ +diff -up openssh-8.6p1/readconf.c.fips openssh-8.6p1/readconf.c +--- openssh-8.6p1/readconf.c.fips 2021-04-19 16:53:02.999577362 +0200 ++++ openssh-8.6p1/readconf.c 2021-04-19 16:53:03.065577869 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-fips.patch +@@ -2538,11 +2538,16 @@ fill_default_options(Options * options) + all_key = sshkey_alg_list(0, 0, 1, ','); + all_sig = sshkey_alg_list(0, 1, 1, ','); + /* remove unsupported algos from default lists */ +- def_cipher = match_filter_allowlist(KEX_CLIENT_ENCRYPT, all_cipher); +- def_mac = match_filter_allowlist(KEX_CLIENT_MAC, all_mac); +- def_kex = match_filter_allowlist(KEX_CLIENT_KEX, all_kex); +- def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key); +- def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig); ++ def_cipher = match_filter_allowlist((FIPS_mode() ? ++ KEX_FIPS_ENCRYPT : KEX_CLIENT_ENCRYPT), all_cipher); ++ def_mac = match_filter_allowlist((FIPS_mode() ? ++ KEX_FIPS_MAC : KEX_CLIENT_MAC), all_mac); ++ def_kex = match_filter_allowlist((FIPS_mode() ? ++ KEX_DEFAULT_KEX_FIPS : KEX_CLIENT_KEX), all_kex); ++ def_key = match_filter_allowlist((FIPS_mode() ? ++ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key); ++ def_sig = match_filter_allowlist((FIPS_mode() ? 
++ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig); + #define ASSEMBLE(what, defaults, all) \ + do { \ + if ((r = kex_assemble_names(&options->what, \ +diff -up openssh-8.6p1/sandbox-seccomp-filter.c.fips openssh-8.6p1/sandbox-seccomp-filter.c +--- openssh-8.6p1/sandbox-seccomp-filter.c.fips 2021-04-19 16:53:03.034577631 +0200 ++++ openssh-8.6p1/sandbox-seccomp-filter.c 2021-04-19 16:53:03.065577869 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-fips.patch +@@ -160,6 +160,9 @@ static const struct sock_filter preauth_ + #ifdef __NR_open + SC_DENY(__NR_open, EACCES), + #endif ++#ifdef __NR_socket ++ SC_DENY(__NR_socket, EACCES), ++#endif + #ifdef __NR_openat + SC_DENY(__NR_openat, EACCES), + #endif +diff -up openssh-8.6p1/servconf.c.fips openssh-8.6p1/servconf.c +--- openssh-8.6p1/servconf.c.fips 2021-04-19 16:53:03.027577577 +0200 ++++ openssh-8.6p1/servconf.c 2021-04-19 16:53:03.066577877 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-fips.patch +@@ -226,11 +226,16 @@ assemble_algorithms(ServerOptions *o) + all_key = sshkey_alg_list(0, 0, 1, ','); + all_sig = sshkey_alg_list(0, 1, 1, ','); + /* remove unsupported algos from default lists */ +- def_cipher = match_filter_allowlist(KEX_SERVER_ENCRYPT, all_cipher); +- def_mac = match_filter_allowlist(KEX_SERVER_MAC, all_mac); +- def_kex = match_filter_allowlist(KEX_SERVER_KEX, all_kex); +- def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key); +- def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig); ++ def_cipher = match_filter_allowlist((FIPS_mode() ? ++ KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT), all_cipher); ++ def_mac = match_filter_allowlist((FIPS_mode() ? ++ KEX_FIPS_MAC : KEX_SERVER_MAC), all_mac); ++ def_kex = match_filter_allowlist((FIPS_mode() ? ++ KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX), all_kex); ++ def_key = match_filter_allowlist((FIPS_mode() ? 
++ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key); ++ def_sig = match_filter_allowlist((FIPS_mode() ? ++ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig); + #define ASSEMBLE(what, defaults, all) \ + do { \ + if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \ +diff -up openssh-8.6p1/ssh.c.fips openssh-8.6p1/ssh.c +--- openssh-8.6p1/ssh.c.fips 2021-04-19 16:53:03.038577662 +0200 ++++ openssh-8.6p1/ssh.c 2021-04-19 16:53:03.066577877 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-fips.patch +@@ -77,6 +77,7 @@ + #include <openssl/evp.h> + #include <openssl/err.h> + #endif ++#include <openssl/crypto.h> + #include "openbsd-compat/openssl-compat.h" + #include "openbsd-compat/sys-queue.h" + +@@ -1516,6 +1517,10 @@ main(int ac, char **av) + exit(0); + } + ++ if (FIPS_mode()) { ++ debug("FIPS mode initialized"); ++ } ++ + /* Expand SecurityKeyProvider if it refers to an environment variable */ + if (options.sk_provider != NULL && *options.sk_provider == '$' && + strlen(options.sk_provider) > 1) { +diff -up openssh-8.6p1/sshconnect2.c.fips openssh-8.6p1/sshconnect2.c +--- openssh-8.6p1/sshconnect2.c.fips 2021-04-19 16:53:03.055577792 +0200 ++++ openssh-8.6p1/sshconnect2.c 2021-04-19 16:53:03.066577877 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-fips.patch +@@ -45,6 +45,8 @@ + #include <vis.h> + #endif + ++#include <openssl/crypto.h> ++ + #include "openbsd-compat/sys-queue.h" + + #include "xmalloc.h" +@@ -269,36 +271,41 @@ ssh_kex2(struct ssh *ssh, char *host, st + + #if defined(GSSAPI) && defined(WITH_OPENSSL) + if (options.gss_keyex) { +- /* Add the GSSAPI mechanisms currently supported on this +- * client to the key exchange algorithm proposal */ +- orig = myproposal[PROPOSAL_KEX_ALGS]; +- +- if (options.gss_server_identity) { +- gss_host = xstrdup(options.gss_server_identity); +- } else if (options.gss_trust_dns) { +- gss_host = remote_hostname(ssh); +- 
/* Fall back to specified host if we are using proxy command +- * and can not use DNS on that socket */ +- if (strcmp(gss_host, "UNKNOWN") == 0) { +- free(gss_host); ++ if (FIPS_mode()) { ++ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode"); ++ options.gss_keyex = 0; ++ } else { ++ /* Add the GSSAPI mechanisms currently supported on this ++ * client to the key exchange algorithm proposal */ ++ orig = myproposal[PROPOSAL_KEX_ALGS]; ++ ++ if (options.gss_server_identity) { ++ gss_host = xstrdup(options.gss_server_identity); ++ } else if (options.gss_trust_dns) { ++ gss_host = remote_hostname(ssh); ++ /* Fall back to specified host if we are using proxy command ++ * and can not use DNS on that socket */ ++ if (strcmp(gss_host, "UNKNOWN") == 0) { ++ free(gss_host); ++ gss_host = xstrdup(host); ++ } ++ } else { + gss_host = xstrdup(host); + } +- } else { +- gss_host = xstrdup(host); +- } + +- gss = ssh_gssapi_client_mechanisms(gss_host, +- options.gss_client_identity, options.gss_kex_algorithms); +- if (gss) { +- debug("Offering GSSAPI proposal: %s", gss); +- xasprintf(&myproposal[PROPOSAL_KEX_ALGS], +- "%s,%s", gss, orig); +- +- /* If we've got GSSAPI algorithms, then we also support the +- * 'null' hostkey, as a last resort */ +- orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]; +- xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS], +- "%s,null", orig); ++ gss = ssh_gssapi_client_mechanisms(gss_host, ++ options.gss_client_identity, options.gss_kex_algorithms); ++ if (gss) { ++ debug("Offering GSSAPI proposal: %s", gss); ++ xasprintf(&myproposal[PROPOSAL_KEX_ALGS], ++ "%s,%s", gss, orig); ++ ++ /* If we've got GSSAPI algorithms, then we also support the ++ * 'null' hostkey, as a last resort */ ++ orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]; ++ xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS], ++ "%s,null", orig); ++ } + } + } + #endif +diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c +--- openssh-8.6p1/sshd.c.fips 2021-04-19 
16:53:03.060577831 +0200 ++++ openssh-8.6p1/sshd.c 2021-04-19 16:57:45.827769340 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-fips.patch +@@ -66,6 +66,7 @@ + #include <grp.h> + #include <pwd.h> + #include <signal.h> ++#include <syslog.h> + #include <stdarg.h> + #include <stdio.h> + #include <stdlib.h> +@@ -77,6 +78,7 @@ + #include <openssl/dh.h> + #include <openssl/bn.h> + #include <openssl/rand.h> ++#include <openssl/crypto.h> + #include "openbsd-compat/openssl-compat.h" + #endif + +@@ -1619,6 +1621,7 @@ main(int ac, char **av) + #endif + __progname = ssh_get_progname(av[0]); + ++ OpenSSL_add_all_algorithms(); + /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ + saved_argc = ac; + rexec_argc = ac; +@@ -2110,6 +2113,10 @@ main(int ac, char **av) + /* Reinitialize the log (because of the fork above). */ + log_init(__progname, options.log_level, options.log_facility, log_stderr); + ++ if (FIPS_mode()) { ++ debug("FIPS mode initialized"); ++ } ++ + /* + * Chdir to the root directory so that the current disk can be + * unmounted if desired. +@@ -2494,10 +2501,14 @@ do_ssh2_kex(struct ssh *ssh) + if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0) + orig = NULL; + +- if (options.gss_keyex) +- gss = ssh_gssapi_server_mechanisms(); +- else +- gss = NULL; ++ if (options.gss_keyex) { ++ if (FIPS_mode()) { ++ logit("Disabling GSSAPIKeyExchange. 
Not usable in FIPS mode"); ++ options.gss_keyex = 0; ++ } else { ++ gss = ssh_gssapi_server_mechanisms(); ++ } ++ } + + if (gss && orig) + xasprintf(&newstr, "%s,%s", gss, orig); +diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c +--- openssh-8.6p1/sshkey.c.fips 2021-04-19 16:53:03.061577838 +0200 ++++ openssh-8.6p1/sshkey.c 2021-04-19 16:53:03.067577885 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-fips.patch +@@ -34,6 +34,7 @@ + #include <openssl/evp.h> + #include <openssl/err.h> + #include <openssl/pem.h> ++#include <openssl/crypto.h> + #endif + + #include "crypto_api.h" +@@ -57,6 +58,7 @@ + #define SSHKEY_INTERNAL + #include "sshkey.h" + #include "match.h" ++#include "log.h" + #include "ssh-sk.h" + + #ifdef WITH_XMSS +@@ -1705,6 +1707,8 @@ rsa_generate_private_key(u_int bits, RSA + } + if (!BN_set_word(f4, RSA_F4) || + !RSA_generate_key_ex(private, bits, f4, NULL)) { ++ if (FIPS_mode()) ++ logit_f("the key length might be unsupported by FIPS mode approved key generation method"); + ret = SSH_ERR_LIBCRYPTO_ERROR; + goto out; + } +diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c +--- openssh-8.6p1/ssh-keygen.c.fips 2021-04-19 16:53:03.038577662 +0200 ++++ openssh-8.6p1/ssh-keygen.c 2021-04-19 16:53:03.068577892 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-fips.patch +@@ -205,6 +205,12 @@ type_bits_valid(int type, const char *na + #endif + } + #ifdef WITH_OPENSSL ++ if (FIPS_mode()) { ++ if (type == KEY_DSA) ++ fatal("DSA keys are not allowed in FIPS mode"); ++ if (type == KEY_ED25519) ++ fatal("ED25519 keys are not allowed in FIPS mode"); ++ } + switch (type) { + case KEY_DSA: + if (*bitsp != 1024) +@@ -1098,9 +1104,17 @@ do_gen_all_hostkeys(struct passwd *pw) + first = 1; + printf("%s: generating new host keys: ", __progname); + } ++ type = sshkey_type_from_name(key_types[i].key_type); ++ ++ /* Skip the keys that are not supported 
in FIPS mode */ ++ if (FIPS_mode() && (type == KEY_DSA || type == KEY_ED25519)) { ++ logit("Skipping %s key in FIPS mode", ++ key_types[i].key_type_display); ++ goto next; ++ } ++ + printf("%s ", key_types[i].key_type_display); + fflush(stdout); +- type = sshkey_type_from_name(key_types[i].key_type); + if ((fd = mkstemp(prv_tmp)) == -1) { + error("Could not save your private key in %s: %s", + prv_tmp, strerror(errno)); diff --git a/openssh-7.7p1-gssapi-new-unique.patch b/backport-openssh-7.7p1-gssapi-new-unique.patch index 544932b..3ff1b89 100644 --- a/openssh-7.7p1-gssapi-new-unique.patch +++ b/backport-openssh-7.7p1-gssapi-new-unique.patch @@ -1,6 +1,7 @@ diff -up openssh-8.6p1/auth.h.ccache_name openssh-8.6p1/auth.h --- openssh-8.6p1/auth.h.ccache_name 2021-04-19 14:05:10.820744325 +0200 +++ openssh-8.6p1/auth.h 2021-04-19 14:05:10.853744569 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-gssapi-new-unique.patch @@ -83,6 +83,7 @@ struct Authctxt { krb5_principal krb5_user; char *krb5_ticket_file; @@ -21,6 +22,7 @@ diff -up openssh-8.6p1/auth.h.ccache_name openssh-8.6p1/auth.h diff -up openssh-8.6p1/auth-krb5.c.ccache_name openssh-8.6p1/auth-krb5.c --- openssh-8.6p1/auth-krb5.c.ccache_name 2021-04-16 05:55:25.000000000 +0200 +++ openssh-8.6p1/auth-krb5.c 2021-04-19 14:40:55.142832954 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-gssapi-new-unique.patch @@ -51,6 +51,7 @@ #include <unistd.h> #include <string.h> @@ -340,6 +342,7 @@ diff -up openssh-8.6p1/auth-krb5.c.ccache_name openssh-8.6p1/auth-krb5.c diff -up openssh-8.6p1/gss-serv.c.ccache_name openssh-8.6p1/gss-serv.c --- openssh-8.6p1/gss-serv.c.ccache_name 2021-04-19 14:05:10.844744503 +0200 +++ openssh-8.6p1/gss-serv.c 2021-04-19 14:05:10.854744577 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-gssapi-new-unique.patch 
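Review bot: In the new dh_is_known_group() in the dh.c part of this patch, `known` is passed to `DH_get0_pqg(known, &known_p, NULL, &known_g)` without a NULL check, although dh_new_group14()/16()/18() are thin wrappers over dh_new_group_asc(), which in upstream dh.c returns NULL on allocation failure (outside this hunk); an out-of-memory condition would then become a NULL dereference in the client's DH-GEX path instead of the SSH_ERR_INVALID_ARGUMENT the kexgexc.c caller is written to propagate. Add `if (known == NULL) return 0;` before that call so the FIPS check fails closed. The function also reads the peer's `p` via `BN_num_bits(p)` with no NULL check, which is only safe because the kexgexc.c caller has already built kex->dh from the parsed p and g; a one-line comment stating that precondition would help the next reader. Separately, KEX_FIPS_PK_ALG in myproposal.h ends with `"rsa-sha2-256," \` followed by an empty continuation line, so the macro expands to a list with a trailing comma; the allowlist filter in match.c is outside this hunk, so either confirm it tolerates the empty element or drop the trailing comma to match the other lists.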
@@ -413,13 +413,15 @@ ssh_gssapi_cleanup_creds(void) } @@ -372,6 +375,7 @@ diff -up openssh-8.6p1/gss-serv.c.ccache_name openssh-8.6p1/gss-serv.c diff -up openssh-8.6p1/gss-serv-krb5.c.ccache_name openssh-8.6p1/gss-serv-krb5.c --- openssh-8.6p1/gss-serv-krb5.c.ccache_name 2021-04-19 14:05:10.852744562 +0200 +++ openssh-8.6p1/gss-serv-krb5.c 2021-04-19 14:05:10.854744577 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-gssapi-new-unique.patch @@ -267,7 +267,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri /* This writes out any forwarded credentials from the structure populated * during userauth. Called after we have setuid to the user */ @@ -486,6 +490,7 @@ diff -up openssh-8.6p1/gss-serv-krb5.c.ccache_name openssh-8.6p1/gss-serv-krb5.c diff -up openssh-8.6p1/servconf.c.ccache_name openssh-8.6p1/servconf.c --- openssh-8.6p1/servconf.c.ccache_name 2021-04-19 14:05:10.848744532 +0200 +++ openssh-8.6p1/servconf.c 2021-04-19 14:05:10.854744577 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-gssapi-new-unique.patch @@ -136,6 +136,7 @@ initialize_server_options(ServerOptions options->kerberos_or_local_passwd = -1; options->kerberos_ticket_cleanup = -1; 
@@ -503,12 +508,13 @@ diff -up openssh-8.6p1/servconf.c.ccache_name openssh-8.6p1/servconf.c if (options->gss_authentication == -1) options->gss_authentication = 0; if (options->gss_keyex == -1) -@@ -506,7 +509,7 @@ typedef enum { +@@ -506,7 +509,8 @@ typedef enum { sPort, sHostKeyFile, sLoginGraceTime, sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, - sKerberosGetAFSToken, sPasswordAuthentication, -+ sKerberosGetAFSToken, sKerberosUniqueCCache, sPasswordAuthentication, ++ sKerberosGetAFSToken, sKerberosUniqueCCache, ++ sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sAddressFamily, sPrintMotd, sPrintLastLog, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, @@ -548,6 +554,7 @@ diff -up openssh-8.6p1/servconf.c.ccache_name openssh-8.6p1/servconf.c diff -up openssh-8.6p1/servconf.h.ccache_name openssh-8.6p1/servconf.h --- openssh-8.6p1/servconf.h.ccache_name 2021-04-19 14:05:10.848744532 +0200 +++ openssh-8.6p1/servconf.h 2021-04-19 14:05:10.855744584 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-gssapi-new-unique.patch @@ -140,6 +140,8 @@ typedef struct { * file on logout. */ int kerberos_get_afs_token; /* If true, try to get AFS token if @@ -560,6 +567,7 @@ diff -up openssh-8.6p1/servconf.h.ccache_name openssh-8.6p1/servconf.h diff -up openssh-8.6p1/session.c.ccache_name openssh-8.6p1/session.c --- openssh-8.6p1/session.c.ccache_name 2021-04-19 14:05:10.852744562 +0200 +++ openssh-8.6p1/session.c 2021-04-19 14:05:10.855744584 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-gssapi-new-unique.patch @@ -1038,7 +1038,8 @@ do_setup_env(struct ssh *ssh, Session *s /* Allow any GSSAPI methods that we've used to alter * the child's environment as they see fit 
@@ -582,6 +590,7 @@ diff -up openssh-8.6p1/session.c.ccache_name openssh-8.6p1/session.c diff -up openssh-8.6p1/sshd.c.ccache_name openssh-8.6p1/sshd.c --- openssh-8.6p1/sshd.c.ccache_name 2021-04-19 14:05:10.849744540 +0200 +++ openssh-8.6p1/sshd.c 2021-04-19 14:05:10.855744584 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-gssapi-new-unique.patch @@ -2284,7 +2284,7 @@ main(int ac, char **av) #ifdef GSSAPI if (options.gss_authentication) { @@ -594,6 +603,7 @@ diff -up openssh-8.6p1/sshd.c.ccache_name openssh-8.6p1/sshd.c diff -up openssh-8.6p1/sshd_config.5.ccache_name openssh-8.6p1/sshd_config.5 --- openssh-8.6p1/sshd_config.5.ccache_name 2021-04-19 14:05:10.849744540 +0200 +++ openssh-8.6p1/sshd_config.5 2021-04-19 14:05:10.856744592 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-gssapi-new-unique.patch @@ -939,6 +939,14 @@ Specifies whether to automatically destr file on logout. The default is @@ -612,6 +622,7 @@ diff -up openssh-8.6p1/sshd_config.5.ccache_name openssh-8.6p1/sshd_config.5 diff -up openssh-8.6p1/ssh-gss.h.ccache_name openssh-8.6p1/ssh-gss.h --- openssh-8.6p1/ssh-gss.h.ccache_name 2021-04-19 14:05:10.852744562 +0200 +++ openssh-8.6p1/ssh-gss.h 2021-04-19 14:05:10.855744584 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-gssapi-new-unique.patch @@ -114,7 +114,7 @@ typedef struct ssh_gssapi_mech_struct { int (*dochild) (ssh_gssapi_client *); int (*userok) (ssh_gssapi_client *, char *); diff --git a/openssh-7.7p1.patch b/backport-openssh-7.7p1.patch index 85ebc82..34da347 100644 --- a/openssh-7.7p1.patch +++ b/backport-openssh-7.7p1.patch 
@@ -1,6 +1,7 @@ diff -up openssh/ssh_config.redhat openssh/ssh_config --- openssh/ssh_config.redhat 2020-02-11 23:28:35.000000000 +0100 +++ openssh/ssh_config 2020-02-13 18:13:39.180641839 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1.patch @@ -43,3 +43,10 @@ # ProxyCommand ssh -q -W %h:%p gateway.example.com # RekeyLimit 1G 1h @@ -15,7 +16,8 @@ diff -up openssh/ssh_config.redhat openssh/ssh_config diff -up openssh/ssh_config_redhat.redhat openssh/ssh_config_redhat --- openssh/ssh_config_redhat.redhat 2020-02-13 18:13:39.180641839 +0100 +++ openssh/ssh_config_redhat 2020-02-13 18:13:39.180641839 +0100 -@@ -0,0 +1,15 @@ +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1.patch +@@ -0,0 +1,21 @@ +# The options here are in the "Match final block" to be applied as the last +# options and could be potentially overwritten by the user configuration +Match final all @@ -29,11 +31,18 @@ diff -up openssh/ssh_config_redhat.redhat openssh/ssh_config_redhat +# mode correctly we set this to yes. + ForwardX11Trusted yes + ++# Send locale-related environment variables ++ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES ++ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT ++ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE ++ SendEnv XMODIFIERS ++ +# Uncomment this if you want to use .local domain +# Host *.local diff -up openssh/sshd_config.0.redhat openssh/sshd_config.0 --- openssh/sshd_config.0.redhat 2020-02-12 14:30:04.000000000 +0100 +++ openssh/sshd_config.0 2020-02-13 18:13:39.181641855 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1.patch @@ -970,9 +970,9 @@ DESCRIPTION SyslogFacility 
@@ -50,6 +59,7 @@ diff -up openssh/sshd_config.0.redhat openssh/sshd_config.0 diff -up openssh/sshd_config.5.redhat openssh/sshd_config.5 --- openssh/sshd_config.5.redhat 2020-02-11 23:28:35.000000000 +0100 +++ openssh/sshd_config.5 2020-02-13 18:13:39.181641855 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1.patch @@ -1614,7 +1614,7 @@ By default no subsystems are defined. .It Cm SyslogFacility Gives the facility code that is used when logging messages from @@ -62,6 +72,7 @@ diff -up openssh/sshd_config.5.redhat openssh/sshd_config.5 diff -up openssh/sshd_config.redhat openssh/sshd_config --- openssh/sshd_config.redhat 2020-02-11 23:28:35.000000000 +0100 +++ openssh/sshd_config 2020-02-13 18:20:16.349913681 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1.patch @@ -10,6 +10,14 @@ # possible, but leave them commented. Uncommented options override the # default value. @@ -80,7 +91,8 @@ diff -up openssh/sshd_config.redhat openssh/sshd_config diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat --- openssh/sshd_config_redhat.redhat 2020-02-13 18:14:02.268006439 +0100 +++ openssh/sshd_config_redhat 2020-02-13 18:19:20.765035947 +0100 -@@ -0,0 +1,22 @@ +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1.patch +@@ -0,0 +1,28 @@ +# This system is following system-wide crypto policy. The changes to +# crypto properties (Ciphers, MACs, ...) will not have any effect in +# this or following included files. To override some configuration option, 
@@ -103,3 +115,9 @@ diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat +# as it is more configurable and versatile than the built-in version. +PrintMotd no + ++# Accept locale-related environment variables ++AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES ++AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT ++AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE ++AcceptEnv XMODIFIERS ++ diff --git a/openssh-7.8p1-UsePAM-warning.patch b/backport-openssh-7.8p1-UsePAM-warning.patch index 48d2b32..9b60622 100644 --- a/openssh-7.8p1-UsePAM-warning.patch +++ b/backport-openssh-7.8p1-UsePAM-warning.patch @@ -1,13 +1,14 @@ diff -up openssh-8.6p1/sshd.c.log-usepam-no openssh-8.6p1/sshd.c --- openssh-8.6p1/sshd.c.log-usepam-no 2021-04-19 14:00:45.099735129 +0200 +++ openssh-8.6p1/sshd.c 2021-04-19 14:03:21.140920974 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-UsePAM-warning.patch @@ -1749,6 +1749,10 @@ main(int ac, char **av) parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, - cfg, &includes, NULL, rexeced_flag); + cfg, &includes, NULL); -+ /* 'UsePAM no' is not supported in openEuler */ ++ /* 'UsePAM no' is not supported in Fedora */ + if (! options.use_pam) -+ logit("WARNING: 'UsePAM no' is not supported in openEuler and may cause several problems."); ++ logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems."); + #ifdef WITH_OPENSSL if (options.moduli_file != NULL) @@ -15,11 +16,12 @@ diff -up openssh-8.6p1/sshd.c.log-usepam-no openssh-8.6p1/sshd.c diff -up openssh-8.6p1/sshd_config.log-usepam-no openssh-8.6p1/sshd_config --- openssh-8.6p1/sshd_config.log-usepam-no 2021-04-19 14:00:45.098735121 +0200 +++ openssh-8.6p1/sshd_config 2021-04-19 14:00:45.099735129 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-UsePAM-warning.patch 
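Review bot: The warning text in the sshd.c hunk of backport-openssh-7.8p1-UsePAM-warning.patch now names Fedora, while the removed lines show the previous import said openEuler, so an openEuler sshd would log `WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems.`, which misleads administrators reading the log. The string was presumably copied verbatim from the Fedora patch cited on the added Reference: line; keep the distribution name that matches the package being built, i.e. `logit("WARNING: 'UsePAM no' is not supported in openEuler and may cause several problems.");` and the comment `/* 'UsePAM no' is not supported in openEuler */`. The sshd_config hunk that follows (`@@ -87,6 +87,8 @@`) makes the same substitution in the commented-out config text and should be changed together.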
@@ -87,6 +87,8 @@ AuthorizedKeysFile .ssh/authorized_keys # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and KbdInteractiveAuthentication to 'no'. -+# WARNING: 'UsePAM no' is not supported in openEuler and may cause several ++# WARNING: 'UsePAM no' is not supported in Fedora and may cause several +# problems. #UsePAM no diff --git a/openssh-7.8p1-role-mls.patch b/backport-openssh-7.8p1-role-mls.patch index 4dc460a..db189eb 100644 --- a/openssh-7.8p1-role-mls.patch +++ b/backport-openssh-7.8p1-role-mls.patch @@ -1,6 +1,7 @@ diff -up openssh/auth2.c.role-mls openssh/auth2.c --- openssh/auth2.c.role-mls 2018-08-20 07:57:29.000000000 +0200 +++ openssh/auth2.c 2018-08-22 11:14:56.815430916 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch @@ -256,6 +256,9 @@ input_userauth_request(int type, u_int32 Authctxt *authctxt = ssh->authctxt; Authmethod *m = NULL; @@ -43,6 +44,7 @@ diff -up openssh/auth2.c.role-mls openssh/auth2.c diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c --- openssh/auth2-gss.c.role-mls 2018-08-20 07:57:29.000000000 +0200 +++ openssh/auth2-gss.c 2018-08-22 11:15:42.459799171 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch @@ -281,6 +281,7 @@ input_gssapi_mic(int type, u_int32_t ple Authctxt *authctxt = ssh->authctxt; Gssctxt *gssctxt; @@ -78,6 +80,7 @@ diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c --- openssh/auth2-hostbased.c.role-mls 2018-08-20 07:57:29.000000000 +0200 +++ openssh/auth2-hostbased.c 2018-08-22 11:14:56.816430924 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch 
@@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh) /* reconstruct packet */ if ((r = sshbuf_put_stringb(b, ssh->kex->session_id)) != 0 || @@ -93,11 +96,12 @@ diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c (r = sshbuf_put_cstring(b, authctxt->user)) != 0 || +#endif (r = sshbuf_put_cstring(b, authctxt->service)) != 0 || - (r = sshbuf_put_cstring(b, method)) != 0 || + (r = sshbuf_put_cstring(b, "hostbased")) != 0 || (r = sshbuf_put_string(b, pkalg, alen)) != 0 || diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c --- openssh/auth2-pubkey.c.role-mls 2018-08-22 11:14:56.816430924 +0200 +++ openssh/auth2-pubkey.c 2018-08-22 11:17:07.331483958 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch @@ -169,9 +169,16 @@ userauth_pubkey(struct ssh *ssh) goto done; } @@ -120,6 +124,7 @@ diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c diff -up openssh/auth.h.role-mls openssh/auth.h --- openssh/auth.h.role-mls 2018-08-20 07:57:29.000000000 +0200 +++ openssh/auth.h 2018-08-22 11:14:56.816430924 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch @@ -65,6 +65,9 @@ struct Authctxt { char *service; struct passwd *pw; /* set if 'valid' */ @@ -133,6 +138,7 @@ diff -up openssh/auth.h.role-mls openssh/auth.h diff -up openssh/auth-pam.c.role-mls openssh/auth-pam.c --- openssh/auth-pam.c.role-mls 2018-08-20 07:57:29.000000000 +0200 +++ openssh/auth-pam.c 2018-08-22 11:14:56.816430924 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch @@ -1172,7 +1172,7 @@ is_pam_session_open(void) * during the ssh authentication process. */ 
@@ -145,6 +151,7 @@ diff -up openssh/auth-pam.c.role-mls openssh/auth-pam.c diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h --- openssh/auth-pam.h.role-mls 2018-08-20 07:57:29.000000000 +0200 +++ openssh/auth-pam.h 2018-08-22 11:14:56.817430932 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch @@ -33,7 +33,7 @@ u_int do_pam_account(void); void do_pam_session(struct ssh *); void do_pam_setcred(int ); @@ -157,6 +164,7 @@ diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h diff -up openssh/misc.c.role-mls openssh/misc.c --- openssh/misc.c.role-mls 2018-08-20 07:57:29.000000000 +0200 +++ openssh/misc.c 2018-08-22 11:14:56.817430932 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch @@ -542,6 +542,7 @@ char * colon(char *cp) { @@ -182,6 +190,7 @@ diff -up openssh/misc.c.role-mls openssh/misc.c diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c --- openssh-8.6p1/monitor.c.role-mls 2021-04-16 05:55:25.000000000 +0200 +++ openssh-8.6p1/monitor.c 2021-05-21 14:21:56.719414087 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch @@ -117,6 +117,9 @@ int mm_answer_sign(struct ssh *, int, st int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *); int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *); @@ -240,14 +249,14 @@ diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m) { @@ -1251,7 +1280,7 @@ monitor_valid_userblob(struct ssh *ssh, + { struct sshbuf *b; - struct sshkey *hostkey = NULL; const u_char *p; - char *userstyle, *cp; + char *userstyle, *s, *cp; size_t len; u_char type; - int hostbound = 0, r, fail = 0; + int r, fail = 0; @@ -1282,6 +1311,8 @@ monitor_valid_userblob(struct ssh *ssh, fail++; if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0) 
@@ -278,6 +287,7 @@ diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c diff -up openssh/monitor.h.role-mls openssh/monitor.h --- openssh/monitor.h.role-mls 2018-08-20 07:57:29.000000000 +0200 +++ openssh/monitor.h 2018-08-22 11:14:56.818430941 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch @@ -55,6 +55,10 @@ enum monitor_reqtype { MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49, MONITOR_REQ_TERM = 50, @@ -292,6 +302,7 @@ diff -up openssh/monitor.h.role-mls openssh/monitor.h diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c --- openssh/monitor_wrap.c.role-mls 2018-08-22 11:14:56.818430941 +0200 +++ openssh/monitor_wrap.c 2018-08-22 11:21:47.938747968 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch @@ -390,6 +390,27 @@ mm_inform_authserv(char *service, char * sshbuf_free(m); } @@ -323,6 +334,7 @@ diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h --- openssh/monitor_wrap.h.role-mls 2018-08-22 11:14:56.818430941 +0200 +++ openssh/monitor_wrap.h 2018-08-22 11:22:10.439929513 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch @@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int); const u_char *, size_t, const char *, const char *, const char *, u_int compat); @@ -336,6 +348,7 @@ diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Makefile.in --- openssh/openbsd-compat/Makefile.in.role-mls 2018-08-20 07:57:29.000000000 +0200 +++ openssh/openbsd-compat/Makefile.in 2018-08-22 11:14:56.819430949 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch @@ -92,7 +92,8 @@ PORTS= port-aix.o \ port-prngd.o \ port-solaris.o \ 
@@ -349,6 +362,7 @@ diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Make diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/port-linux.c --- openssh/openbsd-compat/port-linux.c.role-mls 2018-08-20 07:57:29.000000000 +0200 +++ openssh/openbsd-compat/port-linux.c 2018-08-22 11:14:56.819430949 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch @@ -100,37 +100,6 @@ ssh_selinux_getctxbyname(char *pwname) return sc; } @@ -403,6 +417,7 @@ diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/por diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/port-linux.h --- openssh/openbsd-compat/port-linux.h.role-mls 2018-08-20 07:57:29.000000000 +0200 +++ openssh/openbsd-compat/port-linux.h 2018-08-22 11:14:56.819430949 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch @@ -20,9 +20,10 @@ #ifdef WITH_SELINUX int ssh_selinux_enabled(void); @@ -418,6 +433,7 @@ diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/por diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c --- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 11:14:56.819430949 +0200 +++ openssh/openbsd-compat/port-linux-sshd.c 2018-08-22 11:14:56.819430949 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch @@ -0,0 +1,421 @@ +/* + * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com> 
@@ -843,6 +859,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa diff -up openssh/platform.c.role-mls openssh/platform.c --- openssh/platform.c.role-mls 2018-08-20 07:57:29.000000000 +0200 +++ openssh/platform.c 2018-08-22 11:14:56.819430949 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch @@ -183,7 +183,7 @@ platform_setusercontext_post_groups(stru } #endif /* HAVE_SETPCRED */ @@ -855,6 +872,7 @@ diff -up openssh/platform.c.role-mls openssh/platform.c diff -up openssh/sshd.c.role-mls openssh/sshd.c --- openssh/sshd.c.role-mls 2018-08-20 07:57:29.000000000 +0200 +++ openssh/sshd.c 2018-08-22 11:14:56.820430957 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch @@ -2186,6 +2186,9 @@ main(int ac, char **av) restore_uid(); } diff --git a/openssh-7.8p1-scp-ipv6.patch b/backport-openssh-7.8p1-scp-ipv6.patch index 8ae0948..b4c2c15 100644 --- a/openssh-7.8p1-scp-ipv6.patch +++ b/backport-openssh-7.8p1-scp-ipv6.patch @@ -2,6 +2,7 @@ diff --git a/scp.c b/scp.c index 60682c68..9344806e 100644 --- a/scp.c +++ b/scp.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-scp-ipv6.patch @@ -714,7 +714,9 @@ toremote(int argc, char **argv) addargs(&alist, "%s", host); addargs(&alist, "%s", cmd); diff --git a/openssh-8.0p1-crypto-policies.patch b/backport-openssh-8.0p1-crypto-policies.patch index 86c08db..12b251d 100644 --- a/openssh-8.0p1-crypto-policies.patch +++ b/backport-openssh-8.0p1-crypto-policies.patch 
@@ -1,13 +1,14 @@ -diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/ssh_config.5 openssh-9.3p1-patched/ssh_config.5 ---- openssh-9.3p1/ssh_config.5 2023-06-07 10:26:48.284590156 +0200 -+++ openssh-9.3p1-patched/ssh_config.5 2023-06-07 10:26:00.623052194 +0200 -@@ -378,17 +378,13 @@ +diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5 +--- openssh-8.7p1/ssh_config.5.crypto-policies 2021-08-30 13:29:00.174292872 +0200 ++++ openssh-8.7p1/ssh_config.5 2021-08-30 13:31:32.009548808 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-crypto-policies.patch +@@ -373,17 +373,13 @@ or causes no CNAMEs to be considered for canonicalization. This is the default behaviour. .It Cm CASignatureAlgorithms +The default is handled system-wide by +.Xr crypto-policies 7 . -+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page ++To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . +.Pp Specifies which algorithms are allowed for signing of certificates @@ -24,13 +25,13 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x If the specified list begins with a .Sq + character, then the specified algorithms will be appended to the default set -@@ -450,20 +446,25 @@ +@@ -445,20 +441,25 @@ If the option is set to (the default), the check will not be executed. .It Cm Ciphers +The default is handled system-wide by +.Xr crypto-policies 7 . -+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page ++To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . +.Pp Specifies the ciphers allowed and their order of preference. 
@@ -54,7 +55,7 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x .Pp The supported ciphers are: .Bd -literal -offset indent -@@ -479,13 +480,6 @@ +@@ -474,13 +475,6 @@ aes256-gcm@openssh.com chacha20-poly1305@openssh.com .Ed .Pp @@ -68,19 +69,19 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x The list of available ciphers may also be obtained using .Qq ssh -Q cipher . .It Cm ClearAllForwardings -@@ -885,6 +879,11 @@ +@@ -874,6 +868,11 @@ command line will be passed untouched to The default is .Dq no . .It Cm GSSAPIKexAlgorithms +The default is handled system-wide by +.Xr crypto-policies 7 . -+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page ++To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . +.Pp The list of key exchange algorithms that are offered for GSSAPI key exchange. Possible values are .Bd -literal -offset 3n -@@ -897,10 +896,8 @@ +@@ -886,10 +885,8 @@ gss-nistp256-sha256-, gss-curve25519-sha256- .Ed .Pp 
@@ -92,76 +93,13 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x .It Cm HashKnownHosts Indicates that .Xr ssh 1 -@@ -919,36 +916,25 @@ - but may be manually hashed using - .Xr ssh-keygen 1 . - .It Cm HostbasedAcceptedAlgorithms -+The default is handled system-wide by -+.Xr crypto-policies 7 . -+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page -+.Xr update-crypto-policies 8 . -+.Pp - Specifies the signature algorithms that will be used for hostbased - authentication as a comma-separated list of patterns. - Alternately if the specified list begins with a - .Sq + - character, then the specified signature algorithms will be appended --to the default set instead of replacing them. -+to the built-in openssh default set instead of replacing them. - If the specified list begins with a - .Sq - - character, then the specified signature algorithms (including wildcards) --will be removed from the default set instead of replacing them. -+will be removed from the built-in openssh default set instead of replacing them. - If the specified list begins with a - .Sq ^ - character, then the specified signature algorithms will be placed --at the head of the default set. --The default for this option is: --.Bd -literal -offset 3n --ssh-ed25519-cert-v01@openssh.com, --ecdsa-sha2-nistp256-cert-v01@openssh.com, --ecdsa-sha2-nistp384-cert-v01@openssh.com, --ecdsa-sha2-nistp521-cert-v01@openssh.com, --sk-ssh-ed25519-cert-v01@openssh.com, --sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, --rsa-sha2-512-cert-v01@openssh.com, --rsa-sha2-256-cert-v01@openssh.com, --ssh-ed25519, --ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, --sk-ssh-ed25519@openssh.com, --sk-ecdsa-sha2-nistp256@openssh.com, --rsa-sha2-512,rsa-sha2-256 --.Ed -+at the head of the built-in openssh default set. 
- .Pp - The - .Fl Q -@@ -1001,6 +987,17 @@ - .Pp - The list of available signature algorithms may also be obtained using - .Qq ssh -Q HostKeyAlgorithms . -+.Pp -+The proposed -+.Cm HostKeyAlgorithms -+during KEX are limited to the set of algorithms that is defined in -+.Cm PubkeyAcceptedAlgorithms -+and therefore they are indirectly affected by system-wide -+.Xr crypto_policies 7 . -+.Xr crypto_policies 7 can not handle the list of host key algorithms directly as doing so -+would break the order given by the -+.Pa known_hosts -+file. - .It Cm HostKeyAlias - Specifies an alias that should be used instead of the - real host name when looking up or saving the host key -@@ -1232,30 +1229,25 @@ +@@ -1219,29 +1216,25 @@ it may be zero or more of: and .Cm pam . .It Cm KexAlgorithms +The default is handled system-wide by +.Xr crypto-policies 7 . -+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page ++To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . +.Pp Specifies the available KEX (Key Exchange) algorithms. @@ -170,7 +108,7 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x .Sq + -character, then the specified algorithms will be appended to the default set -instead of replacing them. -+character, then the specified methods will be appended to the built-in ++character, then the specified algorithms will be appended to the built-in +openssh default set instead of replacing them. If the specified list begins with a .Sq - @@ -183,7 +121,6 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x -default set. -The default is: -.Bd -literal -offset indent --sntrup761x25519-sha512@openssh.com, -curve25519-sha256,curve25519-sha256@libssh.org, -ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, -diffie-hellman-group-exchange-sha256, 
@@ -195,13 +132,13 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x .Pp The list of available key exchange algorithms may also be obtained using .Qq ssh -Q kex . -@@ -1365,37 +1357,33 @@ +@@ -1351,37 +1344,33 @@ function, and all code in the file. This option is intended for debugging and no overrides are enabled by default. .It Cm MACs +The default is handled system-wide by +.Xr crypto-policies 7 . -+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page ++To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . +.Pp Specifies the MAC (message authentication code) algorithms @@ -242,13 +179,13 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x The list of available MAC algorithms may also be obtained using .Qq ssh -Q mac . .It Cm NoHostAuthenticationForLocalhost -@@ -1567,39 +1555,31 @@ +@@ -1553,36 +1542,25 @@ instead of continuing to execute and pas The default is .Cm no . .It Cm PubkeyAcceptedAlgorithms +The default is handled system-wide by +.Xr crypto-policies 7 . -+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page ++To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . +.Pp Specifies the signature algorithms that will be used for public key 
@@ -288,33 +225,17 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x .Pp The list of available signature algorithms may also be obtained using .Qq ssh -Q PubkeyAcceptedAlgorithms . -+.Pp -+This option affects also -+.Cm HostKeyAlgorithms - .It Cm PubkeyAuthentication - Specifies whether to try public key authentication. - The argument to this keyword must be -@@ -2265,7 +2245,9 @@ - This file must be world-readable. - .El - .Sh SEE ALSO --.Xr ssh 1 -+.Xr ssh 1 , -+.Xr crypto-policies 7 , -+.Xr update-crypto-policies 8 - .Sh AUTHORS - .An -nosplit - OpenSSH is a derivative of the original and free -diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/sshd_config.5 openssh-9.3p1-patched/sshd_config.5 ---- openssh-9.3p1/sshd_config.5 2023-06-07 10:26:48.277590077 +0200 -+++ openssh-9.3p1-patched/sshd_config.5 2023-06-07 10:26:00.592051845 +0200 -@@ -379,17 +379,13 @@ +diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5 +--- openssh-8.7p1/sshd_config.5.crypto-policies 2021-08-30 13:29:00.157292731 +0200 ++++ openssh-8.7p1/sshd_config.5 2021-08-30 13:32:16.263918533 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-crypto-policies.patch +@@ -373,17 +373,13 @@ If the argument is then no banner is displayed. By default, no banner is displayed. .It Cm CASignatureAlgorithms +The default is handled system-wide by +.Xr crypto-policies 7 . -+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page ++To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . +.Pp Specifies which algorithms are allowed for signing of certificates 
@@ -331,13 +252,13 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x If the specified list begins with a .Sq + character, then the specified algorithms will be appended to the default set -@@ -525,20 +521,25 @@ +@@ -450,20 +446,25 @@ The default is indicating not to .Xr chroot 2 . .It Cm Ciphers +The default is handled system-wide by +.Xr crypto-policies 7 . -+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page ++To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . +.Pp Specifies the ciphers allowed. @@ -361,7 +282,7 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x .Pp The supported ciphers are: .Pp -@@ -565,13 +566,6 @@ +@@ -490,13 +491,6 @@ aes256-gcm@openssh.com chacha20-poly1305@openssh.com .El .Pp @@ -375,13 +296,13 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x The list of available ciphers may also be obtained using .Qq ssh -Q cipher . .It Cm ClientAliveCountMax -@@ -766,53 +760,43 @@ +@@ -685,21 +679,22 @@ For this to work .Cm GSSAPIKeyExchange needs to be enabled in the server and also used by the client. .It Cm GSSAPIKexAlgorithms +The default is handled system-wide by +.Xr crypto-policies 7 . -+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page ++To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . +.Pp The list of key exchange algorithms that are accepted by GSSAPI 
@@ -407,59 +328,19 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x -gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- . This option only applies to connections using GSSAPI. .It Cm HostbasedAcceptedAlgorithms -+The default is handled system-wide by -+.Xr crypto-policies 7 . -+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page -+.Xr update-crypto-policies 8 . -+.Pp Specifies the signature algorithms that will be accepted for hostbased - authentication as a list of comma-separated patterns. - Alternately if the specified list begins with a - .Sq + - character, then the specified signature algorithms will be appended to --the default set instead of replacing them. -+the built-in openssh default set instead of replacing them. - If the specified list begins with a - .Sq - - character, then the specified signature algorithms (including wildcards) --will be removed from the default set instead of replacing them. -+will be removed from the built-in openssh default set instead of replacing them. - If the specified list begins with a - .Sq ^ - character, then the specified signature algorithms will be placed at --the head of the default set. --The default for this option is: --.Bd -literal -offset 3n --ssh-ed25519-cert-v01@openssh.com, --ecdsa-sha2-nistp256-cert-v01@openssh.com, --ecdsa-sha2-nistp384-cert-v01@openssh.com, --ecdsa-sha2-nistp521-cert-v01@openssh.com, --sk-ssh-ed25519-cert-v01@openssh.com, --sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, --rsa-sha2-512-cert-v01@openssh.com, --rsa-sha2-256-cert-v01@openssh.com, --ssh-ed25519, --ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, --sk-ssh-ed25519@openssh.com, --sk-ecdsa-sha2-nistp256@openssh.com, --rsa-sha2-512,rsa-sha2-256 --.Ed -+the head of the built-in openssh default set. 
- .Pp - The list of available signature algorithms may also be obtained using - .Qq ssh -Q HostbasedAcceptedAlgorithms . -@@ -879,25 +863,14 @@ +@@ -799,26 +794,13 @@ is specified, the location of the socket .Ev SSH_AUTH_SOCK environment variable. .It Cm HostKeyAlgorithms +The default is handled system-wide by +.Xr crypto-policies 7 . -+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page ++To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . +.Pp Specifies the host key signature algorithms that the server offers. - The default for this option is: +-The default for this option is: -.Bd -literal -offset 3n -ssh-ed25519-cert-v01@openssh.com, -ecdsa-sha2-nistp256-cert-v01@openssh.com, @@ -469,23 +350,24 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x -sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, -rsa-sha2-512-cert-v01@openssh.com, -rsa-sha2-256-cert-v01@openssh.com, +-ssh-rsa-cert-v01@openssh.com, -ssh-ed25519, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -sk-ssh-ed25519@openssh.com, -sk-ecdsa-sha2-nistp256@openssh.com, --rsa-sha2-512,rsa-sha2-256 +-rsa-sha2-512,rsa-sha2-256,ssh-rsa -.Ed -.Pp The list of available signature algorithms may also be obtained using .Qq ssh -Q HostKeyAlgorithms . .It Cm IgnoreRhosts -@@ -1044,20 +1017,25 @@ +@@ -965,20 +947,25 @@ Specifies whether to look at .k5login fi The default is .Cm yes . .It Cm KexAlgorithms +The default is handled system-wide by +.Xr crypto-policies 7 . -+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page ++To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . +.Pp Specifies the available KEX (Key Exchange) algorithms. 
@@ -494,7 +376,7 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x .Sq + -character, then the specified algorithms will be appended to the default set -instead of replacing them. -+character, then the specified methods will be appended to the built-in ++character, then the specified algorithms will be appended to the built-in +openssh default set instead of replacing them. If the specified list begins with a .Sq - @@ -509,13 +391,12 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x The supported algorithms are: .Pp .Bl -item -compact -offset indent -@@ -1089,16 +1067,6 @@ +@@ -1010,15 +997,6 @@ ecdh-sha2-nistp521 sntrup761x25519-sha512@openssh.com .El .Pp -The default is: -.Bd -literal -offset indent --sntrup761x25519-sha512@openssh.com, -curve25519-sha256,curve25519-sha256@libssh.org, -ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, -diffie-hellman-group-exchange-sha256, @@ -526,13 +407,13 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x The list of available key exchange algorithms may also be obtained using .Qq ssh -Q KexAlgorithms . .It Cm ListenAddress -@@ -1184,21 +1152,26 @@ +@@ -1104,21 +1082,26 @@ function, and all code in the file. This option is intended for debugging and no overrides are enabled by default. .It Cm MACs +The default is handled system-wide by +.Xr crypto-policies 7 . -+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page ++To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . +.Pp Specifies the available MAC (message authentication code) algorithms. @@ -557,7 +438,7 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x .Pp The algorithms that contain .Qq -etm -@@ -1241,15 +1214,6 @@ +@@ -1161,15 +1144,6 @@ umac-64-etm@openssh.com umac-128-etm@openssh.com .El .Pp 
@@ -573,13 +454,13 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x The list of available MAC algorithms may also be obtained using .Qq ssh -Q mac . .It Cm Match -@@ -1633,36 +1597,25 @@ +@@ -1548,37 +1522,25 @@ or equivalent.) The default is .Cm yes . .It Cm PubkeyAcceptedAlgorithms +The default is handled system-wide by +.Xr crypto-policies 7 . -+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page ++To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . +.Pp Specifies the signature algorithms that will be accepted for public key @@ -609,24 +490,14 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x -sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, -rsa-sha2-512-cert-v01@openssh.com, -rsa-sha2-256-cert-v01@openssh.com, +-ssh-rsa-cert-v01@openssh.com, -ssh-ed25519, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -sk-ssh-ed25519@openssh.com, -sk-ecdsa-sha2-nistp256@openssh.com, --rsa-sha2-512,rsa-sha2-256 +-rsa-sha2-512,rsa-sha2-256,ssh-rsa -.Ed +built-in openssh default set. .Pp The list of available signature algorithms may also be obtained using .Qq ssh -Q PubkeyAcceptedAlgorithms . -@@ -2131,7 +2084,9 @@ - .El - .Sh SEE ALSO - .Xr sftp-server 8 , --.Xr sshd 8 -+.Xr sshd 8 , -+.Xr crypto-policies 7 , -+.Xr update-crypto-policies 8 - .Sh AUTHORS - .An -nosplit - OpenSSH is a derivative of the original and free diff --git a/openssh-8.0p1-gssapi-keyex.patch b/backport-openssh-8.0p1-gssapi-keyex.patch index f3e3f52..02b3e8b 100644 --- a/openssh-8.0p1-gssapi-keyex.patch +++ b/backport-openssh-8.0p1-gssapi-keyex.patch @@ -2,6 +2,7 @@ diff --git a/Makefile.in b/Makefile.in index e7549470..b68c1710 100644 --- a/Makefile.in +++ b/Makefile.in +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch 
@@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ kexgexc.o kexgexs.o \ @@ -12,25 +13,17 @@ index e7549470..b68c1710 100644 @@ -125,7 +126,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \ auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ - auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-pubkeyfile.o \ + auth2-none.o auth2-passwd.o auth2-pubkey.o \ monitor.o monitor_wrap.o auth-krb5.o \ - auth2-gss.o gss-serv.o gss-serv-krb5.o \ + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ - loginrec.o auth-pam.o auth-shadow.o auth-sia.o \ + loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ srclimit.o sftp-server.o sftp-common.o \ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ -@@ -523,7 +523,7 @@ regress-prep: - ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile - - REGRESSLIBS=libssh.a $(LIBCOMPAT) --TESTLIBS=$(LIBS) $(CHANNELLIBS) -+TESTLIBS=$(LIBS) $(CHANNELLIBS) $(GSSLIBS) - - regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c $(REGRESSLIBS) - $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/modpipe.c \ diff -up a/auth.c.gsskex b/auth.c --- a/auth.c.gsskex 2021-08-20 06:03:49.000000000 +0200 +++ b/auth.c 2021-08-27 12:41:51.262788953 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -402,7 +402,8 @@ auth_root_allowed(struct ssh *ssh, const case PERMIT_NO_PASSWD: if (strcmp(method, "publickey") == 0 || @@ -143,8 +136,9 @@ diff --git a/auth2-gss.c b/auth2-gss.c index 9351e042..d6446c0c 100644 --- a/auth2-gss.c +++ b/auth2-gss.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -1,7 +1,7 @@ - /* $OpenBSD: auth2-gss.c,v 1.33 2021/12/19 22:12:07 djm Exp $ */ + /* $OpenBSD: auth2-gss.c,v 1.32 2021/01/27 10:15:08 djm Exp $ */ /* - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 
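Review bot: The Makefile.in context on the new side no longer lists `auth2-pubkeyfile.o` and the inner `TESTLIBS=$(LIBS) $(CHANNELLIBS) $(GSSLIBS)` hunk is dropped entirely, which, together with the crypto-policies patch headers in this same commit moving from `openssh-9.3p1` to `openssh-8.7p1`, indicates the patch set has been rebased onto an older OpenSSH tree than the one the previous revision applied to; the commit message "automatic import of openssh" does not record that change of base, and the package changelog should state the target upstream version and which upstream fixes between the two bases are carried as backport-* patches. Dropping the `$(GSSLIBS)` addition also means this patch no longer links the regress binaries against the GSSAPI libraries while `kexgsss.o` is still added to SSHDOBJS; whether the regress targets still link presumably depends on how the older base defines its test link line, so it is worth confirming with a regress build. The inner Makefile.in diff continues beyond this hunk, and the collapsed layout leaves some marker attribution uncertain.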
@@ -233,11 +227,12 @@ index 9351e042..d6446c0c 100644 + Authmethod method_gssapi = { "gssapi-with-mic", - NULL, + userauth_gssapi, diff --git a/auth2.c b/auth2.c index 0e776224..1c217268 100644 --- a/auth2.c +++ b/auth2.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -73,6 +73,7 @@ extern Authmethod method_passwd; extern Authmethod method_kbdint; extern Authmethod method_hostbased; @@ -258,6 +253,7 @@ diff --git a/canohost.c b/canohost.c index abea9c6e..8e81b519 100644 --- a/canohost.c +++ b/canohost.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -35,6 +35,99 @@ #include "canohost.h" #include "misc.h" @@ -362,6 +358,7 @@ diff --git a/canohost.h b/canohost.h index 26d62855..0cadc9f1 100644 --- a/canohost.h +++ b/canohost.h +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -15,6 +15,9 @@ #ifndef _CANOHOST_H #define _CANOHOST_H @@ -376,6 +373,7 @@ diff --git a/clientloop.c b/clientloop.c index ebd0dbca..1bdac6a4 100644 --- a/clientloop.c +++ b/clientloop.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -112,6 +112,10 @@ #include "ssherr.h" #include "hostfile.h" 
@@ -384,12 +382,16 @@ index ebd0dbca..1bdac6a4 100644 +#include "ssh-gss.h" +#endif + - /* Permitted RSA signature algorithms for UpdateHostkeys proofs */ - #define HOSTKEY_PROOF_RSA_ALGS "rsa-sha2-512,rsa-sha2-256" + /* import options */ + extern Options options; + +@@ -1379,9 +1383,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, + break; -@@ -1379,6 +1383,14 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, - /* Do channel operations. */ - channel_after_poll(ssh, pfd, npfd_active); + /* Do channel operations unless rekeying in progress. */ +- if (!ssh_packet_is_rekeying(ssh)) ++ if (!ssh_packet_is_rekeying(ssh)) { + channel_after_select(ssh, readset, writeset); +#ifdef GSSAPI + if (options.gss_renewal_rekey && @@ -398,14 +400,16 @@ index ebd0dbca..1bdac6a4 100644 + need_rekeying = 1; + } +#endif ++ } + /* Buffer input from the connection. */ - if (conn_in_ready) - client_process_net_input(ssh); + client_process_net_input(ssh, readset); + diff --git a/configure.ac b/configure.ac index b689db4b..efafb6bd 100644 --- a/configure.ac +++ b/configure.ac +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -674,6 +674,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) [Use tunnel device compatibility to OpenBSD]) AC_DEFINE([SSH_TUN_PREPEND_AF], [1], @@ -441,6 +445,7 @@ diff --git a/gss-genr.c b/gss-genr.c index d56257b4..763a63ff 100644 --- a/gss-genr.c +++ b/gss-genr.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -1,7 +1,7 @@ /* $OpenBSD: gss-genr.c,v 1.28 2021/01/27 10:05:28 djm Exp $ */ @@ -818,6 +823,7 @@ diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c index a151bc1e..8d2b677f 100644 --- a/gss-serv-krb5.c +++ b/gss-serv-krb5.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch 
@@ -1,7 +1,7 @@ /* $OpenBSD: gss-serv-krb5.c,v 1.9 2018/07/09 21:37:55 markus Exp $ */ @@ -958,6 +964,7 @@ diff --git a/gss-serv.c b/gss-serv.c index ab3a15f0..6ce56e92 100644 --- a/gss-serv.c +++ b/gss-serv.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -1,7 +1,7 @@ /* $OpenBSD: gss-serv.c,v 1.32 2020/03/13 03:17:07 djm Exp $ */ @@ -1258,9 +1265,16 @@ diff --git a/kex.c b/kex.c index ce85f043..574c7609 100644 --- a/kex.c +++ b/kex.c -@@ -57,6 +57,10 @@ +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch +@@ -57,11 +57,16 @@ + #include "misc.h" + #include "dispatch.h" + #include "monitor.h" ++#include "xmalloc.h" + + #include "ssherr.h" + #include "sshbuf.h" #include "digest.h" - #include "xmalloc.h" +#ifdef GSSAPI +#include "ssh-gss.h" @@ -1358,9 +1372,9 @@ index ce85f043..574c7609 100644 + return 1; +} + - /* - * Fill out a proposal array with dynamically allocated values, which may - * be modified as required for compatibility reasons. + /* put algorithm proposal into buffer */ + int + kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) @@ -698,6 +755,9 @@ kex_free(struct kex *kex) sshbuf_free(kex->server_version); sshbuf_free(kex->client_pub); @@ -1368,13 +1382,14 @@ index ce85f043..574c7609 100644 +#ifdef GSSAPI + free(kex->gss_host); +#endif /* GSSAPI */ - sshbuf_free(kex->initial_sig); - sshkey_free(kex->initial_hostkey); free(kex->failed_choice); + free(kex->hostkey_alg); + free(kex->name); diff --git a/kex.h b/kex.h index a5ae6ac0..fe714141 100644 --- a/kex.h +++ b/kex.h +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -102,6 +102,15 @@ enum kex_exchange { KEX_ECDH_SHA2, KEX_C25519_SHA256, 
@@ -1412,9 +1427,9 @@ index a5ae6ac0..fe714141 100644 char *kex_names_cat(const char *, const char *); int kex_assemble_names(char **, const char *, const char *); +int kex_gss_names_valid(const char *); - void kex_proposal_populate_entries(struct ssh *, char *prop[PROPOSAL_MAX], - const char *, const char *, const char *, const char *, const char *); - void kex_proposal_free_entries(char *prop[PROPOSAL_MAX]); + + int kex_exchange_identification(struct ssh *, int, const char *); + @@ -202,6 +219,12 @@ int kexgex_client(struct ssh *); int kexgex_server(struct ssh *); int kex_gen_client(struct ssh *); @@ -1445,6 +1460,7 @@ diff --git a/kexdh.c b/kexdh.c index 67133e33..edaa4676 100644 --- a/kexdh.c +++ b/kexdh.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -48,13 +48,23 @@ kex_dh_keygen(struct kex *kex) { switch (kex->kex_type) { @@ -1473,6 +1489,7 @@ diff --git a/kexgen.c b/kexgen.c index 69348b96..c0e8c2f4 100644 --- a/kexgen.c +++ b/kexgen.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -44,7 +44,7 @@ static int input_kex_gen_init(int, u_int32_t, struct ssh *); static int input_kex_gen_reply(int type, u_int32_t seq, struct ssh *ssh); @@ -1487,7 +1504,8 @@ new file mode 100644 index 00000000..f6e1405e --- /dev/null +++ b/kexgssc.c -@@ -0,0 +1,600 @@ +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch +@@ -0,0 +1,599 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * @@ -2086,13 +2104,13 @@ index 00000000..f6e1405e + sshbuf_free(server_host_key_blob); + return r; +} -+ +#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */ diff --git a/kexgsss.c b/kexgsss.c new file mode 100644 index 00000000..60bc02de --- /dev/null +++ b/kexgsss.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch 
@@ -0,0 +1,474 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. @@ -2572,6 +2590,7 @@ diff --git a/monitor.c b/monitor.c index 2ce89fe9..ebf76c7f 100644 --- a/monitor.c +++ b/monitor.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -148,6 +148,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *); int mm_answer_gss_accept_ctx(struct ssh *, int, struct sshbuf *); int mm_answer_gss_userok(struct ssh *, int, struct sshbuf *); @@ -2611,23 +2630,6 @@ index 2ce89fe9..ebf76c7f 100644 /* The first few requests do not require asynchronous access */ while (!authenticated) { -@@ -376,8 +376,15 @@ monitor_child_preauth(struct ssh *ssh, s - if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { - auth_log(ssh, authenticated, partial, - auth_method, auth_submethod); -- if (!partial && !authenticated) -+ if (!partial && !authenticated) { -+#ifdef GSSAPI -+ /* If gssapi-with-mic failed, MONITOR_REQ_GSSCHECKMIC is disabled. -+ * We have to reenable it to try again for gssapi-keyex */ -+ if (strcmp(auth_method, "gssapi-with-mic") == 0 && options.gss_keyex) -+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); -+#endif - authctxt->failures++; -+ } - if (authenticated || partial) { - auth2_update_session_info(authctxt, - auth_method, auth_submethod); @@ -406,6 +419,10 @@ monitor_child_postauth(struct ssh *ssh, struct monitor *pmonitor) monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); @@ -2822,6 +2824,7 @@ diff --git a/monitor.h b/monitor.h index 683e5e07..2b1a2d59 100644 --- a/monitor.h +++ b/monitor.h +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -63,6 +63,8 @@ enum monitor_reqtype { MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111, MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113, @@ -2835,6 +2838,7 @@ 
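Review bot: The new side of the monitor.c part of this patch no longer carries the `monitor_child_preauth` hunk that re-permitted `MONITOR_REQ_GSSCHECKMIC` after a failed gssapi-with-mic attempt when `options.gss_keyex` is set, and nothing visible in the remaining monitor.c hunks takes over that job. If that is deliberate because the 8.8p1 base behaves differently, a one-line note in the patch header saying so would stop the next rebase from restoring it; if it is not, the monitor may refuse the MIC check on a later gssapi-keyex attempt that follows a gssapi-with-mic failure, which is an authentication-path change rather than a provenance annotation. The enclosing monitor.c section continues outside this hunk.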
diff --git a/monitor_wrap.c b/monitor_wrap.c index 001a8fa1..6edb509a 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -993,13 +993,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) } @@ -2914,6 +2918,7 @@ diff --git a/monitor_wrap.h b/monitor_wrap.h index 23ab096a..485590c1 100644 --- a/monitor_wrap.h +++ b/monitor_wrap.h +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -64,8 +64,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t, OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, @@ -2929,6 +2934,7 @@ index 23ab096a..485590c1 100644 diff -up a/readconf.c.gsskex b/readconf.c --- a/readconf.c.gsskex 2021-08-20 06:03:49.000000000 +0200 +++ b/readconf.c 2021-08-27 12:25:42.556421509 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -67,6 +67,7 @@ #include "uidswap.h" #include "myproposal.h" @@ -3027,7 +3033,7 @@ diff -up a/readconf.c.gsskex b/readconf.c options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; @@ -2463,8 +2516,18 @@ fill_default_options(Options * options) - options->pubkey_authentication = SSH_PUBKEY_AUTH_ALL; + options->pubkey_authentication = 1; if (options->gss_authentication == -1) options->gss_authentication = 0; + if (options->gss_keyex == -1) @@ -3063,6 +3069,7 @@ diff -up a/readconf.c.gsskex b/readconf.c diff -up a/readconf.h.gsskex b/readconf.h --- a/readconf.h.gsskex 2021-08-27 12:05:29.248142431 +0200 +++ b/readconf.h 2021-08-27 12:22:19.270679852 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch 
@@ -39,7 +39,13 @@ typedef struct { int pubkey_authentication; /* Try ssh2 pubkey authentication. */ int hostbased_authentication; /* ssh2's rhosts_rsa */ @@ -3080,6 +3087,7 @@ diff -up a/readconf.h.gsskex b/readconf.h diff -up a/servconf.c.gsskex b/servconf.c --- a/servconf.c.gsskex 2021-08-20 06:03:49.000000000 +0200 +++ b/servconf.c 2021-08-27 12:28:15.887735189 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -70,6 +70,7 @@ #include "auth.h" #include "myproposal.h" @@ -3199,6 +3207,7 @@ diff --git a/servconf.h b/servconf.h index 4202a2d0..3f47ea25 100644 --- a/servconf.h +++ b/servconf.h +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -132,8 +132,11 @@ typedef struct { int kerberos_get_afs_token; /* If true, try to get AFS token if * authenticated with Kerberos. */ @@ -3215,6 +3224,7 @@ diff --git a/session.c b/session.c index 8c0e54f7..06a33442 100644 --- a/session.c +++ b/session.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -2678,13 +2678,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt) #ifdef KRB5 @@ -3241,6 +3251,7 @@ diff --git a/ssh-gss.h b/ssh-gss.h index 36180d07..70dd3665 100644 --- a/ssh-gss.h +++ b/ssh-gss.h +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -1,6 +1,6 @@ /* $OpenBSD: ssh-gss.h,v 1.15 2021/01/27 10:05:28 djm Exp $ */ /* @@ -3365,6 +3376,7 @@ diff --git a/ssh.1 b/ssh.1 index 60de6087..db5c65bc 100644 --- a/ssh.1 +++ b/ssh.1 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -503,7 +503,13 @@ For full details of the options listed below, and their possible values, see .It GatewayPorts .It GlobalKnownHostsFile @@ -3392,6 +3404,7 @@ diff --git a/ssh.c b/ssh.c index 15aee569..110cf9c1 100644 --- a/ssh.c 
+++ b/ssh.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -747,6 +747,8 @@ main(int ac, char **av) else if (strcmp(optarg, "kex") == 0 || strcasecmp(optarg, "KexAlgorithms") == 0) @@ -3416,6 +3429,7 @@ diff --git a/ssh_config b/ssh_config index 5e8ef548..1ff999b6 100644 --- a/ssh_config +++ b/ssh_config +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -24,6 +24,8 @@ # HostbasedAuthentication no # GSSAPIAuthentication no @@ -3429,6 +3443,7 @@ diff --git a/ssh_config.5 b/ssh_config.5 index 06a32d31..3f490697 100644 --- a/ssh_config.5 +++ b/ssh_config.5 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -766,10 +766,68 @@ The default is Specifies whether user authentication based on GSSAPI is allowed. The default is @@ -3502,6 +3517,7 @@ diff --git a/sshconnect2.c b/sshconnect2.c index af00fb30..03bc87eb 100644 --- a/sshconnect2.c +++ b/sshconnect2.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -80,8 +80,6 @@ #endif @@ -3512,7 +3528,7 @@ index af00fb30..03bc87eb 100644 /* @@ -163,6 +161,11 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) - char *s, *all_key, *hkalgs = NULL; + char *s, *all_key; int r, use_known_hosts_order = 0; +#if defined(GSSAPI) && defined(WITH_OPENSSL) @@ -3524,10 +3540,9 @@ index af00fb30..03bc87eb 100644 xxx_hostaddr = hostaddr; xxx_conn_info = cinfo; 
@@ -206,6 +209,42 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) - kex_proposal_populate_entries(ssh, myproposal, s, options.ciphers, - options.macs, compression_alg_list(options.compression), - hkalgs ? hkalgs : options.hostkeyalgorithms); -+ + compat_pkalg_proposal(ssh, options.hostkeyalgorithms); + } + +#if defined(GSSAPI) && defined(WITH_OPENSSL) + if (options.gss_keyex) { + /* Add the GSSAPI mechanisms currently supported on this @@ -3563,10 +3578,11 @@ index af00fb30..03bc87eb 100644 + } + } +#endif - - free(hkalgs); - -@@ -224,17 +256,47 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) ++ + if (options.rekey_limit || options.rekey_interval) + ssh_packet_set_rekey_limits(ssh, options.rekey_limit, + options.rekey_interval); +@@ -224,16 +256,46 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) # ifdef OPENSSL_HAS_ECC ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client; # endif @@ -3599,7 +3615,6 @@ index af00fb30..03bc87eb 100644 ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &ssh->kex->done); /* remove ext-info from the KEX proposals for rekeying */ - free(myproposal[PROPOSAL_KEX_ALGS]); myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, options.kex_algorithms); +#if defined(GSSAPI) && defined(WITH_OPENSSL) @@ -3746,6 +3761,7 @@ diff --git a/sshd.c b/sshd.c index 60b2aaf7..d92f03aa 100644 --- a/sshd.c +++ b/sshd.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -817,8 +817,8 @@ notify_hostkeys(struct ssh *ssh) } debug3_f("sent %u hostkeys", nkeys); @@ -3768,8 +3784,8 @@ index 60b2aaf7..d92f03aa 100644 exit(1); } @@ -2347,6 +2348,48 @@ do_ssh2_kex(struct ssh *ssh) - - free(hkalgs); + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( + ssh, list_hostkey_types()); +#if defined(GSSAPI) && defined(WITH_OPENSSL) + { @@ -3840,6 +3856,7 @@ 
diff --git a/sshd_config b/sshd_config index 19b7c91a..2c48105f 100644 --- a/sshd_config +++ b/sshd_config +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -69,6 +69,8 @@ AuthorizedKeysFile .ssh/authorized_keys # GSSAPI options #GSSAPIAuthentication no @@ -3853,6 +3870,7 @@ diff --git a/sshd_config.5 b/sshd_config.5 index 70ccea44..f6b41a2f 100644 --- a/sshd_config.5 +++ b/sshd_config.5 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -646,6 +646,11 @@ Specifies whether to automatically destroy the user's credentials cache on logout. The default is @@ -3902,103 +3920,29 @@ diff --git a/sshkey.c b/sshkey.c index 57995ee6..fd5b7724 100644 --- a/sshkey.c 
+++ b/sshkey.c -@@ -127,6 +127,75 @@ static const struct keytype keytypes[] = { - extern const struct sshkey_impl sshkey_xmss_impl; - extern const struct sshkey_impl sshkey_xmss_cert_impl; - #endif -+ -+static int ssh_gss_equal(const struct sshkey *, const struct sshkey *) -+{ -+ return SSH_ERR_FEATURE_UNSUPPORTED; -+} -+ -+static int ssh_gss_serialize_public(const struct sshkey *, struct sshbuf *, -+ enum sshkey_serialize_rep) -+{ -+ return SSH_ERR_FEATURE_UNSUPPORTED; -+} -+ -+static int ssh_gss_deserialize_public(const char *, struct sshbuf *, -+ struct sshkey *) -+{ -+ return SSH_ERR_FEATURE_UNSUPPORTED; -+} -+ -+static int ssh_gss_serialize_private(const struct sshkey *, struct sshbuf *, -+ enum sshkey_serialize_rep) -+{ -+ return SSH_ERR_FEATURE_UNSUPPORTED; -+} -+ -+static int ssh_gss_deserialize_private(const char *, struct sshbuf *, -+ struct sshkey *) -+{ -+ return SSH_ERR_FEATURE_UNSUPPORTED; -+} -+ -+static int ssh_gss_copy_public(const struct sshkey *, struct sshkey *) -+{ -+ return SSH_ERR_FEATURE_UNSUPPORTED; -+} -+ -+static int ssh_gss_verify(const struct sshkey *, const u_char *, size_t, -+ const u_char *, size_t, const char *, u_int, -+ struct sshkey_sig_details **) -+{ -+ return SSH_ERR_FEATURE_UNSUPPORTED; -+} -+ -+static const struct sshkey_impl_funcs sshkey_gss_funcs = { -+ /* .size = */ NULL, -+ /* .alloc = */ NULL, -+ /* .cleanup = */ NULL, -+ /* .equal = */ ssh_gss_equal, -+ /* .ssh_serialize_public = */ ssh_gss_serialize_public, -+ /* .ssh_deserialize_public = */ ssh_gss_deserialize_public, -+ /* .ssh_serialize_private = */ ssh_gss_serialize_private, -+ /* .ssh_deserialize_private = */ ssh_gss_deserialize_private, -+ /* .generate = */ NULL, -+ /* .copy_public = */ ssh_gss_copy_public, -+ /* .sign = */ NULL, -+ /* .verify = */ ssh_gss_verify, -+}; -+ -+/* The struct is intentionally dummy and has no gss calls */ -+static const struct sshkey_impl sshkey_gss_kex_impl = { -+ /* .name = */ "null", -+ /* .shortname = */ "null", -+ /* .sigalg = 
*/ NULL, -+ /* .type = */ KEY_NULL, -+ /* .nid = */ 0, -+ /* .cert = */ 0, -+ /* .sigonly = */ 0, -+ /* .keybits = */ 0, /* FIXME */ -+ /* .funcs = */ &sshkey_gss_funcs, -+}; - - const struct sshkey_impl * const keyimpls[] = { - &sshkey_ed25519_impl, +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -154,6 +154,7 @@ static const struct keytype keytypes[] = { - &sshkey_xmss_impl, - &sshkey_xmss_cert_impl, - #endif -+ &sshkey_gss_kex_impl, - NULL + KEY_ECDSA_SK_CERT, NID_X9_62_prime256v1, 1, 0 }, + # endif /* OPENSSL_HAS_ECC */ + #endif /* WITH_OPENSSL */ ++ { "null", "null", NULL, KEY_NULL, 0, 0, 0 }, + { NULL, NULL, NULL, -1, -1, 0, 0 } }; @@ -255,7 +256,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) + const struct keytype *kt; - for (i = 0; keyimpls[i] != NULL; i++) { - impl = keyimpls[i]; -- if (impl->name == NULL) -+ if (impl->name == NULL || impl->type == KEY_NULL) + for (kt = keytypes; kt->type != -1; kt++) { +- if (kt->name == NULL) ++ if (kt->name == NULL || kt->type == KEY_NULL) continue; - if (!include_sigonly && impl->sigonly) + if (!include_sigonly && kt->sigonly) continue; diff --git a/sshkey.h b/sshkey.h index 71a3fddc..37a43a67 100644 --- a/sshkey.h +++ b/sshkey.h +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-gssapi-keyex.patch @@ -69,6 +69,7 @@ enum sshkey_types { KEY_ECDSA_SK_CERT, KEY_ED25519_SK, diff --git a/openssh-8.0p1-keygen-strip-doseol.patch b/backport-openssh-8.0p1-keygen-strip-doseol.patch index 3117a7a..7e697fc 100644 --- a/openssh-8.0p1-keygen-strip-doseol.patch +++ b/backport-openssh-8.0p1-keygen-strip-doseol.patch 
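Review bot: The new `{ "null", "null", NULL, KEY_NULL, 0, 0, 0 }` entry in keytypes has no comment explaining why a key type named "null" exists, whereas the dropped sshkey_impl version carried one; a reader of sshkey.c now sees only that `sshkey_alg_list` skips it. Suggest `/* Dummy "null" type used by GSSAPI key exchange; skipped by sshkey_alg_list() */` on the line above the entry. It is also worth confirming that the other lookups that walk keytypes by name (not shown in this hunk) are meant to accept "null", since only `sshkey_alg_list` is filtered on `kt->type == KEY_NULL` here.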
@@ -1,6 +1,7 @@ diff -up openssh-8.0p1/ssh-keygen.c.strip-doseol openssh-8.0p1/ssh-keygen.c --- openssh-8.0p1/ssh-keygen.c.strip-doseol 2021-03-18 17:41:34.472404994 +0100 +++ openssh-8.0p1/ssh-keygen.c 2021-03-18 17:41:55.255538761 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-keygen-strip-doseol.patch @@ -901,7 +901,7 @@ do_fingerprint(struct passwd *pw) while (getline(&line, &linesize, f) != -1) { lnum++; diff --git a/backport-openssh-8.0p1-openssl-evp.patch b/backport-openssh-8.0p1-openssl-evp.patch new file mode 100644 index 0000000..f05196c --- /dev/null +++ b/backport-openssh-8.0p1-openssl-evp.patch 
@@ -0,0 +1,732 @@ +From ed7ec0cdf577ffbb0b15145340cf51596ca3eb89 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen <jjelen@redhat.com> +Date: Tue, 14 May 2019 10:45:45 +0200 +Subject: [PATCH] Use high-level OpenSSL API for signatures + +--- + digest-openssl.c | 16 ++++ +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-openssl-evp.patch + digest.h | 6 ++ + ssh-dss.c | 65 ++++++++++------ +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-openssl-evp.patch + ssh-ecdsa.c | 69 ++++++++++------- +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-openssl-evp.patch + ssh-rsa.c | 193 +++++++++-------------------------------------- +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-openssl-evp.patch + sshkey.c | 77 +++++++++++++++++++ +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-openssl-evp.patch + sshkey.h | 4 + + 7 files changed, 221 insertions(+), 209 deletions(-) + +diff --git a/digest-openssl.c b/digest-openssl.c +index da7ed72bc..6a21d8adb 100644 +--- a/digest-openssl.c ++++ b/digest-openssl.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-openssl-evp.patch +@@ -63,6 +63,22 @@ const struct ssh_digest digests[] = { + { -1, NULL, 0, NULL }, + }; + ++const EVP_MD * ++ssh_digest_to_md(int digest_type) ++{ ++ switch (digest_type) { ++ case SSH_DIGEST_SHA1: ++ return EVP_sha1(); ++ case SSH_DIGEST_SHA256: ++ return EVP_sha256(); ++ case SSH_DIGEST_SHA384: ++ return EVP_sha384(); ++ case SSH_DIGEST_SHA512: ++ return EVP_sha512(); ++ } ++ return NULL; ++} ++ + static const struct ssh_digest * + ssh_digest_by_alg(int alg) + { +diff --git a/digest.h b/digest.h +index 274574d0e..c7ceeb36f 100644 +--- a/digest.h ++++ b/digest.h 
+Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-openssl-evp.patch +@@ -32,6 +32,12 @@ + struct sshbuf; + struct ssh_digest_ctx; + ++#ifdef WITH_OPENSSL ++#include <openssl/evp.h> ++/* Converts internal digest representation to the OpenSSL one */ ++const EVP_MD *ssh_digest_to_md(int digest_type); ++#endif ++ + /* Looks up a digest algorithm by name */ + int ssh_digest_alg_by_name(const char *name); + +diff --git a/ssh-dss.c b/ssh-dss.c +index a23c383dc..ea45e7275 100644 +--- a/ssh-dss.c ++++ b/ssh-dss.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-openssl-evp.patch +@@ -52,11 +52,15 @@ int + ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, + const u_char *data, size_t datalen, u_int compat) + { ++ EVP_PKEY *pkey = NULL; + DSA_SIG *sig = NULL; + const BIGNUM *sig_r, *sig_s; +- u_char digest[SSH_DIGEST_MAX_LENGTH], sigblob[SIGBLOB_LEN]; +- size_t rlen, slen, len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1); ++ u_char sigblob[SIGBLOB_LEN]; ++ size_t rlen, slen; ++ int len; + struct sshbuf *b = NULL; ++ u_char *sigb = NULL; ++ const u_char *psig = NULL; + int ret = SSH_ERR_INVALID_ARGUMENT; + + if (lenp != NULL) +@@ -67,17 +71,24 @@ ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, + if (key == NULL || key->dsa == NULL || + sshkey_type_plain(key->type) != KEY_DSA) + return SSH_ERR_INVALID_ARGUMENT; +- if (dlen == 0) +- return SSH_ERR_INTERNAL_ERROR; + +- if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen, +- digest, sizeof(digest))) != 0) ++ if ((pkey = EVP_PKEY_new()) == NULL || ++ EVP_PKEY_set1_DSA(pkey, key->dsa) != 1) ++ return SSH_ERR_ALLOC_FAIL; ++ ret = sshkey_calculate_signature(pkey, SSH_DIGEST_SHA1, &sigb, &len, ++ data, datalen); ++ EVP_PKEY_free(pkey); ++ if (ret < 0) { + goto out; ++ } + +- if ((sig = DSA_do_sign(digest, dlen, key->dsa)) == NULL) { ++ psig = sigb; ++ if ((sig = d2i_DSA_SIG(NULL, &psig, len)) == NULL) { + ret 
= SSH_ERR_LIBCRYPTO_ERROR; + goto out; + } ++ free(sigb); ++ sigb = NULL; + + DSA_SIG_get0(sig, &sig_r, &sig_s); + rlen = BN_num_bytes(sig_r); +@@ -110,7 +121,7 @@ ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, + *lenp = len; + ret = 0; + out: +- explicit_bzero(digest, sizeof(digest)); ++ free(sigb); + DSA_SIG_free(sig); + sshbuf_free(b); + return ret; +@@ -121,20 +132,20 @@ ssh_dss_verify(const struct sshkey *key, + const u_char *signature, size_t signaturelen, + const u_char *data, size_t datalen, u_int compat) + { ++ EVP_PKEY *pkey = NULL; + DSA_SIG *sig = NULL; + BIGNUM *sig_r = NULL, *sig_s = NULL; +- u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob = NULL; +- size_t len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1); ++ u_char *sigblob = NULL; ++ size_t len, slen; + int ret = SSH_ERR_INTERNAL_ERROR; + struct sshbuf *b = NULL; + char *ktype = NULL; ++ u_char *sigb = NULL, *psig = NULL; + + if (key == NULL || key->dsa == NULL || + sshkey_type_plain(key->type) != KEY_DSA || + signature == NULL || signaturelen == 0) + return SSH_ERR_INVALID_ARGUMENT; +- if (dlen == 0) +- return SSH_ERR_INTERNAL_ERROR; + + /* fetch signature */ + if ((b = sshbuf_from(signature, signaturelen)) == NULL) +@@ -176,25 +187,31 @@ ssh_dss_verify(const struct sshkey *key, + } + sig_r = sig_s = NULL; /* transferred */ + +- /* sha1 the data */ +- if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen, +- digest, sizeof(digest))) != 0) ++ if ((slen = i2d_DSA_SIG(sig, NULL)) == 0) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; + goto out; +- +- switch (DSA_do_verify(digest, dlen, sig, key->dsa)) { +- case 1: +- ret = 0; +- break; +- case 0: +- ret = SSH_ERR_SIGNATURE_INVALID; ++ } ++ if ((sigb = malloc(slen)) == NULL) { ++ ret = SSH_ERR_ALLOC_FAIL; + goto out; +- default: ++ } ++ psig = sigb; ++ if ((slen = i2d_DSA_SIG(sig, &psig)) == 0) { + ret = SSH_ERR_LIBCRYPTO_ERROR; + goto out; + } + ++ if ((pkey = EVP_PKEY_new()) == NULL || ++ EVP_PKEY_set1_DSA(pkey, key->dsa) != 1) { ++ ret = 
SSH_ERR_ALLOC_FAIL; ++ goto out; ++ } ++ ret = sshkey_verify_signature(pkey, SSH_DIGEST_SHA1, data, datalen, ++ sigb, slen); ++ EVP_PKEY_free(pkey); ++ + out: +- explicit_bzero(digest, sizeof(digest)); ++ free(sigb); + DSA_SIG_free(sig); + BN_clear_free(sig_r); + BN_clear_free(sig_s); +diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c +index 599c7199d..b036796e8 100644 +--- a/ssh-ecdsa.c ++++ b/ssh-ecdsa.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-openssl-evp.patch +@@ -50,11 +50,13 @@ int + ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, + const u_char *data, size_t datalen, u_int compat) + { ++ EVP_PKEY *pkey = NULL; + ECDSA_SIG *sig = NULL; ++ unsigned char *sigb = NULL; ++ const unsigned char *psig; + const BIGNUM *sig_r, *sig_s; + int hash_alg; +- u_char digest[SSH_DIGEST_MAX_LENGTH]; +- size_t len, dlen; ++ int len; + struct sshbuf *b = NULL, *bb = NULL; + int ret = SSH_ERR_INTERNAL_ERROR; + +@@ -67,18 +69,24 @@ ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, + sshkey_type_plain(key->type) != KEY_ECDSA) + return SSH_ERR_INVALID_ARGUMENT; + +- if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 || +- (dlen = ssh_digest_bytes(hash_alg)) == 0) ++ if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1) + return SSH_ERR_INTERNAL_ERROR; +- if ((ret = ssh_digest_memory(hash_alg, data, datalen, +- digest, sizeof(digest))) != 0) ++ ++ if ((pkey = EVP_PKEY_new()) == NULL || ++ EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa) != 1) ++ return SSH_ERR_ALLOC_FAIL; ++ ret = sshkey_calculate_signature(pkey, hash_alg, &sigb, &len, data, ++ datalen); ++ EVP_PKEY_free(pkey); ++ if (ret < 0) { + goto out; ++ } + +- if ((sig = ECDSA_do_sign(digest, dlen, key->ecdsa)) == NULL) { ++ psig = sigb; ++ if ((sig = d2i_ECDSA_SIG(NULL, &psig, len)) == NULL) { + ret = SSH_ERR_LIBCRYPTO_ERROR; + goto out; + } +- + if ((bb = sshbuf_new()) == NULL || (b = sshbuf_new()) == NULL) { + ret = 
SSH_ERR_ALLOC_FAIL; + goto out; +@@ -102,7 +110,7 @@ ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, + *lenp = len; + ret = 0; + out: +- explicit_bzero(digest, sizeof(digest)); ++ free(sigb); + sshbuf_free(b); + sshbuf_free(bb); + ECDSA_SIG_free(sig); +@@ -115,22 +123,21 @@ ssh_ecdsa_verify(const struct sshkey *key, + const u_char *signature, size_t signaturelen, + const u_char *data, size_t datalen, u_int compat) + { ++ EVP_PKEY *pkey = NULL; + ECDSA_SIG *sig = NULL; + BIGNUM *sig_r = NULL, *sig_s = NULL; +- int hash_alg; +- u_char digest[SSH_DIGEST_MAX_LENGTH]; +- size_t dlen; ++ int hash_alg, len; + int ret = SSH_ERR_INTERNAL_ERROR; + struct sshbuf *b = NULL, *sigbuf = NULL; + char *ktype = NULL; ++ unsigned char *sigb = NULL, *psig = NULL; + + if (key == NULL || key->ecdsa == NULL || + sshkey_type_plain(key->type) != KEY_ECDSA || + signature == NULL || signaturelen == 0) + return SSH_ERR_INVALID_ARGUMENT; + +- if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 || +- (dlen = ssh_digest_bytes(hash_alg)) == 0) ++ if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1) + return SSH_ERR_INTERNAL_ERROR; + + /* fetch signature */ +@@ -166,28 +173,36 @@ ssh_ecdsa_verify(const struct sshkey *key, + } + sig_r = sig_s = NULL; /* transferred */ + +- if (sshbuf_len(sigbuf) != 0) { +- ret = SSH_ERR_UNEXPECTED_TRAILING_DATA; ++ /* Figure out the length */ ++ if ((len = i2d_ECDSA_SIG(sig, NULL)) == 0) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if ((sigb = malloc(len)) == NULL) { ++ ret = SSH_ERR_ALLOC_FAIL; + goto out; + } +- if ((ret = ssh_digest_memory(hash_alg, data, datalen, +- digest, sizeof(digest))) != 0) ++ psig = sigb; ++ if ((len = i2d_ECDSA_SIG(sig, &psig)) == 0) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; + goto out; ++ } + +- switch (ECDSA_do_verify(digest, dlen, sig, key->ecdsa)) { +- case 1: +- ret = 0; +- break; +- case 0: +- ret = SSH_ERR_SIGNATURE_INVALID; ++ if (sshbuf_len(sigbuf) != 0) { ++ ret = 
SSH_ERR_UNEXPECTED_TRAILING_DATA; + goto out; +- default: +- ret = SSH_ERR_LIBCRYPTO_ERROR; ++ } ++ ++ if ((pkey = EVP_PKEY_new()) == NULL || ++ EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa) != 1) { ++ ret = SSH_ERR_ALLOC_FAIL; + goto out; + } ++ ret = sshkey_verify_signature(pkey, hash_alg, data, datalen, sigb, len); ++ EVP_PKEY_free(pkey); + + out: +- explicit_bzero(digest, sizeof(digest)); ++ free(sigb); + sshbuf_free(sigbuf); + sshbuf_free(b); + ECDSA_SIG_free(sig); +diff --git a/ssh-rsa.c b/ssh-rsa.c +index 9b14f9a9a..8ef3a6aca 100644 +--- a/ssh-rsa.c ++++ b/ssh-rsa.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-openssl-evp.patch +@@ -37,7 +37,7 @@ + + #include "openbsd-compat/openssl-compat.h" + +-static int openssh_RSA_verify(int, u_char *, size_t, u_char *, size_t, RSA *); ++static int openssh_RSA_verify(int, const u_char *, size_t, u_char *, size_t, EVP_PKEY *); + + static const char * + rsa_hash_alg_ident(int hash_alg) +@@ -90,21 +90,6 @@ rsa_hash_id_from_keyname(const char *alg) + return -1; + } + +-static int +-rsa_hash_alg_nid(int type) +-{ +- switch (type) { +- case SSH_DIGEST_SHA1: +- return NID_sha1; +- case SSH_DIGEST_SHA256: +- return NID_sha256; +- case SSH_DIGEST_SHA512: +- return NID_sha512; +- default: +- return -1; +- } +-} +- + int + ssh_rsa_complete_crt_parameters(struct sshkey *key, const BIGNUM *iqmp) + { +@@ -164,11 +149,10 @@ int + ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, + const u_char *data, size_t datalen, const char *alg_ident) + { +- const BIGNUM *rsa_n; +- u_char digest[SSH_DIGEST_MAX_LENGTH], *sig = NULL; +- size_t slen = 0; +- u_int dlen, len; +- int nid, hash_alg, ret = SSH_ERR_INTERNAL_ERROR; ++ EVP_PKEY *pkey = NULL; ++ u_char *sig = NULL; ++ int len, slen = 0; ++ int hash_alg, ret = SSH_ERR_INTERNAL_ERROR; + struct sshbuf *b = NULL; + + if (lenp != NULL) +@@ -180,33 +164,24 @@ ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, + hash_alg = 
SSH_DIGEST_SHA1; + else + hash_alg = rsa_hash_id_from_keyname(alg_ident); ++ + if (key == NULL || key->rsa == NULL || hash_alg == -1 || + sshkey_type_plain(key->type) != KEY_RSA) + return SSH_ERR_INVALID_ARGUMENT; +- RSA_get0_key(key->rsa, &rsa_n, NULL, NULL); +- if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE) +- return SSH_ERR_KEY_LENGTH; + slen = RSA_size(key->rsa); +- if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM) +- return SSH_ERR_INVALID_ARGUMENT; +- +- /* hash the data */ +- nid = rsa_hash_alg_nid(hash_alg); +- if ((dlen = ssh_digest_bytes(hash_alg)) == 0) +- return SSH_ERR_INTERNAL_ERROR; +- if ((ret = ssh_digest_memory(hash_alg, data, datalen, +- digest, sizeof(digest))) != 0) +- goto out; ++ if (RSA_bits(key->rsa) < SSH_RSA_MINIMUM_MODULUS_SIZE) ++ return SSH_ERR_KEY_LENGTH; + +- if ((sig = malloc(slen)) == NULL) { +- ret = SSH_ERR_ALLOC_FAIL; ++ if ((pkey = EVP_PKEY_new()) == NULL || ++ EVP_PKEY_set1_RSA(pkey, key->rsa) != 1) ++ return SSH_ERR_ALLOC_FAIL; ++ ret = sshkey_calculate_signature(pkey, hash_alg, &sig, &len, data, ++ datalen); ++ EVP_PKEY_free(pkey); ++ if (ret < 0) { + goto out; + } + +- if (RSA_sign(nid, digest, dlen, sig, &len, key->rsa) != 1) { +- ret = SSH_ERR_LIBCRYPTO_ERROR; +- goto out; +- } + if (len < slen) { + size_t diff = slen - len; + memmove(sig + diff, sig, len); +@@ -215,6 +190,7 @@ ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, + ret = SSH_ERR_INTERNAL_ERROR; + goto out; + } ++ + /* encode signature */ + if ((b = sshbuf_new()) == NULL) { + ret = SSH_ERR_ALLOC_FAIL; +@@ -235,7 +211,6 @@ ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, + *lenp = len; + ret = 0; + out: +- explicit_bzero(digest, sizeof(digest)); + freezero(sig, slen); + sshbuf_free(b); + return ret; +@@ -246,10 +221,10 @@ ssh_rsa_verify(const struct sshkey *key, + const u_char *sig, size_t siglen, const u_char *data, size_t datalen, + const char *alg) + { +- const BIGNUM *rsa_n; ++ EVP_PKEY *pkey = NULL; + char *sigtype = 
NULL; + int hash_alg, want_alg, ret = SSH_ERR_INTERNAL_ERROR; +- size_t len = 0, diff, modlen, dlen; ++ size_t len = 0, diff, modlen; + struct sshbuf *b = NULL; + u_char digest[SSH_DIGEST_MAX_LENGTH], *osigblob, *sigblob = NULL; + +@@ -257,8 +232,7 @@ ssh_rsa_verify(const struct sshkey *key, + sshkey_type_plain(key->type) != KEY_RSA || + sig == NULL || siglen == 0) + return SSH_ERR_INVALID_ARGUMENT; +- RSA_get0_key(key->rsa, &rsa_n, NULL, NULL); +- if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE) ++ if (RSA_bits(key->rsa) < SSH_RSA_MINIMUM_MODULUS_SIZE) + return SSH_ERR_KEY_LENGTH; + + if ((b = sshbuf_from(sig, siglen)) == NULL) +@@ -310,16 +284,15 @@ ssh_rsa_verify(const struct sshkey *key, + explicit_bzero(sigblob, diff); + len = modlen; + } +- if ((dlen = ssh_digest_bytes(hash_alg)) == 0) { +- ret = SSH_ERR_INTERNAL_ERROR; ++ ++ if ((pkey = EVP_PKEY_new()) == NULL || ++ EVP_PKEY_set1_RSA(pkey, key->rsa) != 1) { ++ ret = SSH_ERR_ALLOC_FAIL; + goto out; + } +- if ((ret = ssh_digest_memory(hash_alg, data, datalen, +- digest, sizeof(digest))) != 0) +- goto out; ++ ret = openssh_RSA_verify(hash_alg, data, datalen, sigblob, len, pkey); ++ EVP_PKEY_free(pkey); + +- ret = openssh_RSA_verify(hash_alg, digest, dlen, sigblob, len, +- key->rsa); + out: + freezero(sigblob, len); + free(sigtype); +@@ -328,122 +301,26 @@ ssh_rsa_verify(const struct sshkey *key, + return ret; + } + +-/* +- * See: +- * http://www.rsasecurity.com/rsalabs/pkcs/pkcs-1/ +- * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.asn +- */ +- +-/* +- * id-sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) +- * oiw(14) secsig(3) algorithms(2) 26 } +- */ +-static const u_char id_sha1[] = { +- 0x30, 0x21, /* type Sequence, length 0x21 (33) */ +- 0x30, 0x09, /* type Sequence, length 0x09 */ +- 0x06, 0x05, /* type OID, length 0x05 */ +- 0x2b, 0x0e, 0x03, 0x02, 0x1a, /* id-sha1 OID */ +- 0x05, 0x00, /* NULL */ +- 0x04, 0x14 /* Octet string, length 0x14 (20), followed by sha1 hash */ +-}; +- 
+-/* +- * See http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/algorithms.html +- * id-sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) +- * organization(1) gov(101) csor(3) nistAlgorithm(4) hashAlgs(2) +- * id-sha256(1) } +- */ +-static const u_char id_sha256[] = { +- 0x30, 0x31, /* type Sequence, length 0x31 (49) */ +- 0x30, 0x0d, /* type Sequence, length 0x0d (13) */ +- 0x06, 0x09, /* type OID, length 0x09 */ +- 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, /* id-sha256 */ +- 0x05, 0x00, /* NULL */ +- 0x04, 0x20 /* Octet string, length 0x20 (32), followed by sha256 hash */ +-}; +- +-/* +- * See http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/algorithms.html +- * id-sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) +- * organization(1) gov(101) csor(3) nistAlgorithm(4) hashAlgs(2) +- * id-sha256(3) } +- */ +-static const u_char id_sha512[] = { +- 0x30, 0x51, /* type Sequence, length 0x51 (81) */ +- 0x30, 0x0d, /* type Sequence, length 0x0d (13) */ +- 0x06, 0x09, /* type OID, length 0x09 */ +- 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, /* id-sha512 */ +- 0x05, 0x00, /* NULL */ +- 0x04, 0x40 /* Octet string, length 0x40 (64), followed by sha512 hash */ +-}; +- + static int +-rsa_hash_alg_oid(int hash_alg, const u_char **oidp, size_t *oidlenp) ++openssh_RSA_verify(int hash_alg, const u_char *data, size_t datalen, ++ u_char *sigbuf, size_t siglen, EVP_PKEY *pkey) + { +- switch (hash_alg) { +- case SSH_DIGEST_SHA1: +- *oidp = id_sha1; +- *oidlenp = sizeof(id_sha1); +- break; +- case SSH_DIGEST_SHA256: +- *oidp = id_sha256; +- *oidlenp = sizeof(id_sha256); +- break; +- case SSH_DIGEST_SHA512: +- *oidp = id_sha512; +- *oidlenp = sizeof(id_sha512); +- break; +- default: +- return SSH_ERR_INVALID_ARGUMENT; +- } +- return 0; +-} ++ size_t rsasize = 0; ++ const RSA *rsa; ++ int ret; + +-static int +-openssh_RSA_verify(int hash_alg, u_char *hash, size_t hashlen, +- u_char *sigbuf, size_t siglen, RSA *rsa) 
+-{ +- size_t rsasize = 0, oidlen = 0, hlen = 0; +- int ret, len, oidmatch, hashmatch; +- const u_char *oid = NULL; +- u_char *decrypted = NULL; +- +- if ((ret = rsa_hash_alg_oid(hash_alg, &oid, &oidlen)) != 0) +- return ret; +- ret = SSH_ERR_INTERNAL_ERROR; +- hlen = ssh_digest_bytes(hash_alg); +- if (hashlen != hlen) { +- ret = SSH_ERR_INVALID_ARGUMENT; +- goto done; +- } ++ rsa = EVP_PKEY_get0_RSA(pkey); + rsasize = RSA_size(rsa); + if (rsasize <= 0 || rsasize > SSHBUF_MAX_BIGNUM || + siglen == 0 || siglen > rsasize) { + ret = SSH_ERR_INVALID_ARGUMENT; + goto done; + } +- if ((decrypted = malloc(rsasize)) == NULL) { +- ret = SSH_ERR_ALLOC_FAIL; +- goto done; +- } +- if ((len = RSA_public_decrypt(siglen, sigbuf, decrypted, rsa, +- RSA_PKCS1_PADDING)) < 0) { +- ret = SSH_ERR_LIBCRYPTO_ERROR; +- goto done; +- } +- if (len < 0 || (size_t)len != hlen + oidlen) { +- ret = SSH_ERR_INVALID_FORMAT; +- goto done; +- } +- oidmatch = timingsafe_bcmp(decrypted, oid, oidlen) == 0; +- hashmatch = timingsafe_bcmp(decrypted + oidlen, hash, hlen) == 0; +- if (!oidmatch || !hashmatch) { +- ret = SSH_ERR_SIGNATURE_INVALID; +- goto done; +- } +- ret = 0; ++ ++ ret = sshkey_verify_signature(pkey, hash_alg, data, datalen, ++ sigbuf, siglen); ++ + done: +- freezero(decrypted, rsasize); + return ret; + } + #endif /* WITH_OPENSSL */ +diff --git a/sshkey.c b/sshkey.c +index ad1957762..b95ed0b10 100644 +--- a/sshkey.c ++++ b/sshkey.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-openssl-evp.patch +@@ -358,6 +358,83 @@ sshkey_type_plain(int type) + } + + #ifdef WITH_OPENSSL ++int ++sshkey_calculate_signature(EVP_PKEY *pkey, int hash_alg, u_char **sigp, ++ int *lenp, const u_char *data, size_t datalen) ++{ ++ EVP_MD_CTX *ctx = NULL; ++ u_char *sig = NULL; ++ int ret, slen, len; ++ ++ if (sigp == NULL || lenp == NULL) { ++ return SSH_ERR_INVALID_ARGUMENT; ++ } ++ ++ slen = EVP_PKEY_size(pkey); ++ if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM) ++ 
return SSH_ERR_INVALID_ARGUMENT; ++ ++ len = slen; ++ if ((sig = malloc(slen)) == NULL) { ++ return SSH_ERR_ALLOC_FAIL; ++ } ++ ++ if ((ctx = EVP_MD_CTX_new()) == NULL) { ++ ret = SSH_ERR_ALLOC_FAIL; ++ goto error; ++ } ++ if (EVP_SignInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 || ++ EVP_SignUpdate(ctx, data, datalen) <= 0 || ++ EVP_SignFinal(ctx, sig, &len, pkey) <= 0) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto error; ++ } ++ ++ *sigp = sig; ++ *lenp = len; ++ /* Now owned by the caller */ ++ sig = NULL; ++ ret = 0; ++ ++error: ++ EVP_MD_CTX_free(ctx); ++ free(sig); ++ return ret; ++} ++ ++int ++sshkey_verify_signature(EVP_PKEY *pkey, int hash_alg, const u_char *data, ++ size_t datalen, u_char *sigbuf, int siglen) ++{ ++ EVP_MD_CTX *ctx = NULL; ++ int ret; ++ ++ if ((ctx = EVP_MD_CTX_new()) == NULL) { ++ return SSH_ERR_ALLOC_FAIL; ++ } ++ if (EVP_VerifyInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 || ++ EVP_VerifyUpdate(ctx, data, datalen) <= 0) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto done; ++ } ++ ret = EVP_VerifyFinal(ctx, sigbuf, siglen, pkey); ++ switch (ret) { ++ case 1: ++ ret = 0; ++ break; ++ case 0: ++ ret = SSH_ERR_SIGNATURE_INVALID; ++ break; ++ default: ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ break; ++ } ++ ++done: ++ EVP_MD_CTX_free(ctx); ++ return ret; ++} ++ + /* XXX: these are really begging for a table-driven approach */ + int + sshkey_curve_name_to_nid(const char *name) +diff --git a/sshkey.h b/sshkey.h +index a91e60436..270901a87 100644 +--- a/sshkey.h ++++ b/sshkey.h +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-openssl-evp.patch +@@ -179,6 +179,10 @@ const char *sshkey_ssh_name(const struct sshkey *); + const char *sshkey_ssh_name_plain(const struct sshkey *); + int sshkey_names_valid2(const char *, int); + char *sshkey_alg_list(int, int, int, char); ++int sshkey_calculate_signature(EVP_PKEY*, int, u_char **, ++ int *, const u_char *, size_t); ++int sshkey_verify_signature(EVP_PKEY 
*, int, const u_char *, ++ size_t, u_char *, int); + + int sshkey_from_blob(const u_char *, size_t, struct sshkey **); + int sshkey_fromb(struct sshbuf *, struct sshkey **); + diff --git a/openssh-8.0p1-openssl-kdf.patch b/backport-openssh-8.0p1-openssl-kdf.patch index 5d76a4f..e478501 100644 --- a/openssh-8.0p1-openssl-kdf.patch +++ b/backport-openssh-8.0p1-openssl-kdf.patch @@ -8,6 +8,7 @@ diff --git a/configure.ac b/configure.ac index 2a455e4e..e01c3d43 100644 --- a/configure.ac +++ b/configure.ac +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-openssl-kdf.patch @@ -2712,6 +2712,7 @@ if test "x$openssl" = "xyes" ; then HMAC_CTX_init \ RSA_generate_key_ex \ @@ -20,6 +21,7 @@ diff --git a/kex.c b/kex.c index b6f041f4..1fbce2bb 100644 --- a/kex.c +++ b/kex.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-openssl-kdf.patch @@ -38,6 +38,9 @@ #ifdef WITH_OPENSSL #include <openssl/crypto.h> diff --git a/openssh-8.0p1-pkcs11-uri.patch b/backport-openssh-8.0p1-pkcs11-uri.patch index affdd72..2b2f166 100644 --- a/openssh-8.0p1-pkcs11-uri.patch +++ b/backport-openssh-8.0p1-pkcs11-uri.patch @@ -1,6 +1,7 @@ diff -up openssh-8.7p1/configure.ac.pkcs11-uri openssh-8.7p1/configure.ac --- openssh-8.7p1/configure.ac.pkcs11-uri 2021-08-30 13:07:43.646699953 +0200 +++ openssh-8.7p1/configure.ac 2021-08-30 13:07:43.662700088 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-pkcs11-uri.patch @@ -1985,12 +1985,14 @@ AC_LINK_IFELSE( [AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).]) ]) 
@@ -68,6 +69,7 @@ diff -up openssh-8.7p1/configure.ac.pkcs11-uri openssh-8.7p1/configure.ac diff -up openssh-8.7p1/Makefile.in.pkcs11-uri openssh-8.7p1/Makefile.in --- openssh-8.7p1/Makefile.in.pkcs11-uri 2021-08-30 13:07:43.571699324 +0200 +++ openssh-8.7p1/Makefile.in 2021-08-30 13:07:43.663700096 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-pkcs11-uri.patch @@ -103,7 +103,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-ecdsa-sk.o \ ssh-ed25519-sk.o ssh-rsa.o dh.o \ @@ -76,7 +78,7 @@ diff -up openssh-8.7p1/Makefile.in.pkcs11-uri openssh-8.7p1/Makefile.in + ssh-pkcs11.o ssh-pkcs11-uri.o smult_curve25519_ref.o \ poly1305.o chacha.o cipher-chachapoly.o cipher-chachapoly-libcrypto.o \ ssh-ed25519.o digest-openssl.o digest-libc.o \ - hmac.o ed25519.o hash.o \ + hmac.o sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \ @@ -302,6 +302,8 @@ clean: regressclean rm -f regress/unittests/sshsig/test_sshsig$(EXEEXT) rm -f regress/unittests/utf8/*.o @@ -92,9 +94,9 @@ diff -up openssh-8.7p1/Makefile.in.pkcs11-uri openssh-8.7p1/Makefile.in rm -f regress/unittests/utf8/test_utf8 + rm -f regress/unittests/pkcs11/*.o + rm -f regress/unittests/pkcs11/test_pkcs11 - rm -f regress/misc/sk-dummy/*.o - rm -f regress/misc/sk-dummy/*.lo - rm -f regress/misc/sk-dummy/sk-dummy.so + (cd openbsd-compat && $(MAKE) distclean) + if test -d pkg ; then \ + rm -fr pkg ; \ @@ -513,6 +517,7 @@ regress-prep: $(MKDIR_P) `pwd`/regress/unittests/sshkey $(MKDIR_P) `pwd`/regress/unittests/sshsig @@ -105,7 +107,7 @@ diff -up openssh-8.7p1/Makefile.in.pkcs11-uri openssh-8.7p1/Makefile.in ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile 
@@ -677,6 +682,16 @@ regress/unittests/utf8/test_utf8$(EXEEXT regress/unittests/test_helper/libtest_helper.a \ - -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(TESTLIBS) + -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) +UNITTESTS_TEST_PKCS11_OBJS=\ + regress/unittests/pkcs11/tests.o @@ -115,7 +117,7 @@ diff -up openssh-8.7p1/Makefile.in.pkcs11-uri openssh-8.7p1/Makefile.in + regress/unittests/test_helper/libtest_helper.a libssh.a + $(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_PKCS11_OBJS) \ + regress/unittests/test_helper/libtest_helper.a \ -+ -lssh -lopenbsd-compat -lcrypto $(LIBS) ++ -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) + # These all need to be compiled -fPIC, so they are treated differently. SK_DUMMY_OBJS=\ @@ -133,6 +135,7 @@ diff -up openssh-8.7p1/Makefile.in.pkcs11-uri openssh-8.7p1/Makefile.in diff -up openssh-8.7p1/regress/agent-pkcs11.sh.pkcs11-uri openssh-8.7p1/regress/agent-pkcs11.sh --- openssh-8.7p1/regress/agent-pkcs11.sh.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200 +++ openssh-8.7p1/regress/agent-pkcs11.sh 2021-08-30 13:07:43.663700096 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-pkcs11-uri.patch @@ -113,7 +113,7 @@ else done @@ -145,6 +148,7 @@ diff -up openssh-8.7p1/regress/agent-pkcs11.sh.pkcs11-uri openssh-8.7p1/regress/ diff -up openssh-8.7p1/regress/Makefile.pkcs11-uri openssh-8.7p1/regress/Makefile --- openssh-8.7p1/regress/Makefile.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200 +++ openssh-8.7p1/regress/Makefile 2021-08-30 13:07:43.663700096 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-pkcs11-uri.patch @@ -122,7 +122,8 @@ CLEANFILES= *.core actual agent-key.* au known_hosts known_hosts-cert known_hosts.* krl-* ls.copy \ modpipe netcat no_identity_config \ 
@@ -170,6 +174,7 @@ diff -up openssh-8.7p1/regress/Makefile.pkcs11-uri openssh-8.7p1/regress/Makefil diff -up openssh-8.7p1/regress/pkcs11.sh.pkcs11-uri openssh-8.7p1/regress/pkcs11.sh --- openssh-8.7p1/regress/pkcs11.sh.pkcs11-uri 2021-08-30 13:07:43.663700096 +0200 +++ openssh-8.7p1/regress/pkcs11.sh 2021-08-30 13:07:43.663700096 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-pkcs11-uri.patch @@ -0,0 +1,349 @@ +# +# Copyright (c) 2017 Red Hat @@ -523,6 +528,7 @@ diff -up openssh-8.7p1/regress/pkcs11.sh.pkcs11-uri openssh-8.7p1/regress/pkcs11 diff -up openssh-8.7p1/regress/unittests/Makefile.pkcs11-uri openssh-8.7p1/regress/unittests/Makefile --- openssh-8.7p1/regress/unittests/Makefile.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200 +++ openssh-8.7p1/regress/unittests/Makefile 2021-08-30 13:07:43.663700096 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-pkcs11-uri.patch @@ -2,6 +2,6 @@ REGRESS_FAIL_EARLY?= yes @@ -534,6 +540,7 @@ diff -up openssh-8.7p1/regress/unittests/Makefile.pkcs11-uri openssh-8.7p1/regre diff -up openssh-8.7p1/regress/unittests/pkcs11/tests.c.pkcs11-uri openssh-8.7p1/regress/unittests/pkcs11/tests.c --- openssh-8.7p1/regress/unittests/pkcs11/tests.c.pkcs11-uri 2021-08-30 13:07:43.664700104 +0200 +++ openssh-8.7p1/regress/unittests/pkcs11/tests.c 2021-08-30 13:07:43.664700104 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-pkcs11-uri.patch @@ -0,0 +1,337 @@ +/* + * Copyright (c) 2017 Red Hat 
@@ -875,24 +882,24 @@ diff -up openssh-8.7p1/regress/unittests/pkcs11/tests.c.pkcs11-uri openssh-8.7p1 diff -up openssh-8.7p1/ssh-add.c.pkcs11-uri openssh-8.7p1/ssh-add.c --- openssh-8.7p1/ssh-add.c.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200 +++ openssh-8.7p1/ssh-add.c 2021-08-30 13:07:43.664700104 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-pkcs11-uri.patch @@ -68,6 +68,7 @@ + #include "digest.h" #include "ssh-sk.h" #include "sk-api.h" - #include "hostfile.h" +#include "ssh-pkcs11-uri.h" /* argv0 */ extern char *__progname; -@@ -229,6 +230,34 @@ delete_all(int agent_fd, int qflag) +@@ -229,6 +230,32 @@ delete_all(int agent_fd, int qflag) return ret; } +#ifdef ENABLE_PKCS11 -+static int update_card(int, int, const char *, int, struct dest_constraint **, size_t, char *); ++static int update_card(int, int, const char *, int, char *); + +int -+update_pkcs11_uri(int agent_fd, int adding, const char *pkcs11_uri, int qflag, -+ struct dest_constraint **dest_constraints, size_t ndest_constraints) ++update_pkcs11_uri(int agent_fd, int adding, const char *pkcs11_uri, int qflag) +{ + char *pin = NULL; + struct pkcs11_uri *uri; @@ -910,20 +917,19 @@ diff -up openssh-8.7p1/ssh-add.c.pkcs11-uri openssh-8.7p1/ssh-add.c + } + pkcs11_uri_cleanup(uri); + -+ return update_card(agent_fd, adding, pkcs11_uri, qflag, -+ dest_constraints, ndest_constraints, pin); ++ return update_card(agent_fd, adding, pkcs11_uri, qflag, pin); +} +#endif + static int add_file(int agent_fd, const char *filename, int key_only, int qflag, - const char *skprovider, struct dest_constraint **dest_constraints, + const char *skprovider) 
@@ -445,12 +472,11 @@ add_file(int agent_fd, const char *filen + } static int - update_card(int agent_fd, int add, const char *id, int qflag, -- struct dest_constraint **dest_constraints, size_t ndest_constraints) -+ struct dest_constraint **dest_constraints, size_t ndest_constraints, char *pin) +-update_card(int agent_fd, int add, const char *id, int qflag) ++update_card(int agent_fd, int add, const char *id, int qflag, char *pin) { - char *pin = NULL; int r, ret = -1; @@ -933,16 +939,15 @@ diff -up openssh-8.7p1/ssh-add.c.pkcs11-uri openssh-8.7p1/ssh-add.c if ((pin = read_passphrase("Enter passphrase for PKCS#11: ", RP_ALLOW_STDIN)) == NULL) return -1; -@@ -630,6 +656,14 @@ static int - const char *skprovider, struct dest_constraint **dest_constraints, - size_t ndest_constraints) +@@ -630,6 +656,13 @@ static int + do_file(int agent_fd, int deleting, int key_only, char *file, int qflag, + const char *skprovider) { +#ifdef ENABLE_PKCS11 + if (strlen(file) >= strlen(PKCS11_URI_SCHEME) && + strncmp(file, PKCS11_URI_SCHEME, + strlen(PKCS11_URI_SCHEME)) == 0) { -+ return update_pkcs11_uri(agent_fd, !deleting, file, qflag, -+ dest_constraints, ndest_constraints); ++ return update_pkcs11_uri(agent_fd, !deleting, file, qflag); + } +#endif if (deleting) { @@ -952,14 +957,15 @@ diff -up openssh-8.7p1/ssh-add.c.pkcs11-uri openssh-8.7p1/ssh-add.c } if (pkcs11provider != NULL) { if (update_card(agent_fd, !deleting, pkcs11provider, -- qflag, dest_constraints, ndest_constraints) == -1) -+ qflag, dest_constraints, ndest_constraints, NULL) == -1) +- qflag) == -1) ++ qflag, NULL) == -1) ret = 1; goto done; } diff -up openssh-8.7p1/ssh-agent.c.pkcs11-uri openssh-8.7p1/ssh-agent.c --- openssh-8.7p1/ssh-agent.c.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200 +++ openssh-8.7p1/ssh-agent.c 2021-08-30 13:07:43.664700104 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-pkcs11-uri.patch @@ -847,10 +847,72 @@ no_identities(SocketEntry *e) } 
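Review bot: `pin` is handed to update_card on the line immediately after `pkcs11_uri_cleanup(uri)`, so it must point at storage that outlives `uri`, not at the parsed URI's pin field; the line that assigns `pin` is above the hunk, so please confirm it is a separate copy. The reworked `update_card(int agent_fd, int add, const char *id, int qflag, char *pin)` also leaves ownership implicit: the local `char *pin = NULL;` is removed while the visible read_passphrase() call still assigns into the parameter, so a caller-supplied PIN and a prompted one now share whatever release path sits below the hunk. A comment above update_card along the lines of `/* pin: PKCS#11 PIN supplied by the caller, or NULL to prompt; update_card releases it before returning */` would fix that contract, and since the value is a secret the release should be freezero() rather than free() (to be confirmed against the code outside the hunk). update_pkcs11_uri and update_card both extend beyond this hunk.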
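Review bot: In do_file the `strlen(file) >= strlen(PKCS11_URI_SCHEME)` guard is redundant: strncmp() stops at the first differing byte or at NUL, so a `file` shorter than the scheme already compares unequal, and `if (strncmp(file, PKCS11_URI_SCHEME, strlen(PKCS11_URI_SCHEME)) == 0) {` is sufficient on its own. This is carried patch text rather than something this commit changes, so it can be folded in at the next refresh of the patch. do_file's body continues outside the hunk.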
@@ -1083,7 +1089,7 @@ diff -up openssh-8.7p1/ssh-agent.c.pkcs11-uri openssh-8.7p1/ssh-agent.c + free(sane_uri); free(keys); free(comments); - free_dest_constraints(dest_constraints, ndest_constraints); + send_status(e, success); @@ -918,7 +976,7 @@ send: static void process_remove_smartcard_key(SocketEntry *e) @@ -1133,6 +1139,7 @@ diff -up openssh-8.7p1/ssh-agent.c.pkcs11-uri openssh-8.7p1/ssh-agent.c diff -up openssh-8.7p1/ssh_config.5.pkcs11-uri openssh-8.7p1/ssh_config.5 --- openssh-8.7p1/ssh_config.5.pkcs11-uri 2021-08-30 13:07:43.578699383 +0200 +++ openssh-8.7p1/ssh_config.5 2021-08-30 13:07:43.664700104 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-pkcs11-uri.patch @@ -1111,6 +1111,21 @@ may also be used in conjunction with .Cm CertificateFile in order to provide any certificate also needed for authentication with @@ -1158,6 +1165,7 @@ diff -up openssh-8.7p1/ssh_config.5.pkcs11-uri openssh-8.7p1/ssh_config.5 diff -up openssh-8.7p1/ssh.c.pkcs11-uri openssh-8.7p1/ssh.c --- openssh-8.7p1/ssh.c.pkcs11-uri 2021-08-30 13:07:43.578699383 +0200 +++ openssh-8.7p1/ssh.c 2021-08-30 13:07:43.666700121 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-pkcs11-uri.patch @@ -826,6 +826,14 @@ main(int ac, char **av) options.gss_deleg_creds = 1; break; @@ -1308,6 +1316,7 @@ diff -up openssh-8.7p1/ssh.c.pkcs11-uri openssh-8.7p1/ssh.c diff -up openssh-8.7p1/ssh-keygen.c.pkcs11-uri openssh-8.7p1/ssh-keygen.c --- openssh-8.7p1/ssh-keygen.c.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200 +++ openssh-8.7p1/ssh-keygen.c 2021-08-30 13:07:43.666700121 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-pkcs11-uri.patch @@ -860,8 +860,11 @@ do_download(struct passwd *pw) free(fp); } else { 
@@ -1325,6 +1334,7 @@ diff -up openssh-8.7p1/ssh-keygen.c.pkcs11-uri openssh-8.7p1/ssh-keygen.c diff -up openssh-8.7p1/ssh-pkcs11-client.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11-client.c --- openssh-8.7p1/ssh-pkcs11-client.c.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200 +++ openssh-8.7p1/ssh-pkcs11-client.c 2021-08-30 13:07:43.666700121 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-pkcs11-uri.patch @@ -323,6 +323,8 @@ pkcs11_add_provider(char *name, char *pi u_int nkeys, i; struct sshbuf *msg; @@ -1345,6 +1355,7 @@ diff -up openssh-8.7p1/ssh-pkcs11-client.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11-c diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c --- openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200 +++ openssh-8.7p1/ssh-pkcs11.c 2021-08-30 13:12:27.709084157 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-pkcs11-uri.patch @@ -55,8 +55,8 @@ struct pkcs11_slotinfo { int logged_in; }; @@ -1547,7 +1558,7 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c static RSA_METHOD *rsa_method; @@ -195,6 +286,55 @@ static EC_KEY_METHOD *ec_key_method; static int ec_key_idx = 0; - #endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ + #endif +/* + * This can't be in the ssh-pkcs11-uri, becase we can not depend on @@ -1742,9 +1753,9 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c struct pkcs11_key *k11; @@ -614,6 +764,12 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider - k11->keyid = xmalloc(k11->keyid_len); - memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len); - } + k11->keyid = xmalloc(k11->keyid_len); + memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len); + + if (label_attrib->ulValueLen > 0 ) { + k11->label = xmalloc(label_attrib->ulValueLen+1); + memcpy(k11->label, label_attrib->pValue, label_attrib->ulValueLen); 
@@ -2573,6 +2584,7 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c diff -up openssh-8.7p1/ssh-pkcs11.h.pkcs11-uri openssh-8.7p1/ssh-pkcs11.h --- openssh-8.7p1/ssh-pkcs11.h.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200 +++ openssh-8.7p1/ssh-pkcs11.h 2021-08-30 13:07:43.666700121 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-pkcs11-uri.patch @@ -22,10 +22,14 @@ #define SSH_PKCS11_ERR_PIN_REQUIRED 4 #define SSH_PKCS11_ERR_PIN_LOCKED 5 @@ -2591,6 +2603,7 @@ diff -up openssh-8.7p1/ssh-pkcs11.h.pkcs11-uri openssh-8.7p1/ssh-pkcs11.h diff -up openssh-8.7p1/ssh-pkcs11-uri.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11-uri.c --- openssh-8.7p1/ssh-pkcs11-uri.c.pkcs11-uri 2021-08-30 13:07:43.667700130 +0200 +++ openssh-8.7p1/ssh-pkcs11-uri.c 2021-08-30 13:07:43.667700130 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-pkcs11-uri.patch @@ -0,0 +1,419 @@ +/* + * Copyright (c) 2017 Red Hat @@ -3014,6 +3027,7 @@ diff -up openssh-8.7p1/ssh-pkcs11-uri.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11-uri. diff -up openssh-8.7p1/ssh-pkcs11-uri.h.pkcs11-uri openssh-8.7p1/ssh-pkcs11-uri.h --- openssh-8.7p1/ssh-pkcs11-uri.h.pkcs11-uri 2021-08-30 13:07:43.667700130 +0200 +++ openssh-8.7p1/ssh-pkcs11-uri.h 2021-08-30 13:07:43.667700130 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-pkcs11-uri.patch @@ -0,0 +1,42 @@ +/* + * Copyright (c) 2017 Red Hat diff --git a/openssh-8.2p1-visibility.patch b/backport-openssh-8.2p1-visibility.patch index 89c35ef..1961ca0 100644 --- a/openssh-8.2p1-visibility.patch +++ b/backport-openssh-8.2p1-visibility.patch @@ -2,6 +2,7 @@ diff --git a/regress/misc/sk-dummy/sk-dummy.c b/regress/misc/sk-dummy/sk-dummy.c index dca158de..afdcb1d2 100644 --- a/regress/misc/sk-dummy/sk-dummy.c 
+++ b/regress/misc/sk-dummy/sk-dummy.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.2p1-visibility.patch @@ -71,7 +71,7 @@ skdebug(const char *func, const char *fmt, ...) #endif } diff --git a/openssh-8.2p1-x11-without-ipv6.patch b/backport-openssh-8.2p1-x11-without-ipv6.patch index 8b83bc3..a0eaec2 100644 --- a/openssh-8.2p1-x11-without-ipv6.patch +++ b/backport-openssh-8.2p1-x11-without-ipv6.patch @@ -1,6 +1,7 @@ diff --git a/channels.c b/channels.c --- a/channels.c +++ b/channels.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.2p1-x11-without-ipv6.patch @@ -3933,16 +3933,26 @@ x11_create_display_inet(int x11_display_ if (ai->ai_family == AF_INET6) sock_set_v6only(sock); diff --git a/openssh-8.7p1-scp-kill-switch.patch b/backport-openssh-8.7p1-scp-kill-switch.patch index 161ab2d..5e7067e 100644 --- a/openssh-8.7p1-scp-kill-switch.patch +++ b/backport-openssh-8.7p1-scp-kill-switch.patch @@ -1,6 +1,7 @@ diff -up openssh-8.7p1/pathnames.h.kill-scp openssh-8.7p1/pathnames.h --- openssh-8.7p1/pathnames.h.kill-scp 2021-09-16 11:37:57.240171687 +0200 +++ openssh-8.7p1/pathnames.h 2021-09-16 11:42:29.183427917 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.7p1-scp-kill-switch.patch @@ -42,6 +42,7 @@ #define _PATH_HOST_XMSS_KEY_FILE SSHDIR "/ssh_host_xmss_key" #define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key" @@ -12,9 +13,10 @@ diff -up openssh-8.7p1/pathnames.h.kill-scp openssh-8.7p1/pathnames.h diff -up openssh-8.7p1/scp.1.kill-scp openssh-8.7p1/scp.1 --- openssh-8.7p1/scp.1.kill-scp 2021-09-16 12:09:02.646714578 +0200 +++ openssh-8.7p1/scp.1 2021-09-16 12:26:49.978628226 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.7p1-scp-kill-switch.patch 
@@ -278,6 +278,13 @@ to print debugging messages about their - By default a 32KB buffer is used. - .El + This is helpful in + debugging connection, authentication, and configuration problems. .El +.Pp +Usage of SCP protocol can be blocked by creating a world-readable @@ -29,6 +31,7 @@ diff -up openssh-8.7p1/scp.1.kill-scp openssh-8.7p1/scp.1 diff -up openssh-8.7p1/scp.c.kill-scp openssh-8.7p1/scp.c --- openssh-8.7p1/scp.c.kill-scp 2021-09-16 11:42:56.013650519 +0200 +++ openssh-8.7p1/scp.c 2021-09-16 11:53:03.249713836 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.7p1-scp-kill-switch.patch @@ -596,6 +596,14 @@ main(int argc, char **argv) if (iamremote) mode = MODE_SCP; diff --git a/pam_ssh_agent_auth-0.10.2-compat.patch b/backport-pam_ssh_agent_auth-0.10.2-compat.patch index 0822b61..7dd3912 100644 --- a/pam_ssh_agent_auth-0.10.2-compat.patch +++ b/backport-pam_ssh_agent_auth-0.10.2-compat.patch @@ -1,6 +1,7 @@ diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/get_command_line.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/get_command_line.c --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/get_command_line.c.psaa-compat 2019-07-08 18:36:13.000000000 +0200 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/get_command_line.c 2020-09-23 10:52:16.424001475 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.10.2-compat.patch @@ -27,6 +27,7 @@ * or implied, of Jamie Beverly. */ 
@@ -35,6 +36,7 @@ diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/get_command_line.c diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/identity.h.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/identity.h --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/identity.h.psaa-compat 2019-07-08 18:36:13.000000000 +0200 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/identity.h 2020-09-23 10:52:16.424001475 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.10.2-compat.patch @@ -30,8 +30,8 @@ #include "openbsd-compat/sys-queue.h" #include "xmalloc.h" @@ -58,6 +60,7 @@ diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/identity.h.psaa-co diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/iterate_ssh_agent_keys.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/iterate_ssh_agent_keys.c --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/iterate_ssh_agent_keys.c.psaa-compat 2020-09-23 10:52:16.421001434 +0200 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/iterate_ssh_agent_keys.c 2020-09-23 10:52:16.424001475 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.10.2-compat.patch @@ -36,8 +36,8 @@ #include "openbsd-compat/sys-queue.h" #include "xmalloc.h" 
@@ -288,6 +291,7 @@ diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/iterate_ssh_agent_ diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_ssh_agent_auth.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_ssh_agent_auth.c --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_ssh_agent_auth.c.psaa-compat 2020-09-23 10:52:16.423001461 +0200 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_ssh_agent_auth.c 2020-09-23 10:53:10.631727657 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.10.2-compat.patch @@ -106,7 +106,7 @@ pam_sm_authenticate(pam_handle_t * pamh, * a patch 8-) */ @@ -393,6 +397,7 @@ diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_ssh_agent_auth diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.c --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.c.psaa-compat 2019-07-08 18:36:13.000000000 +0200 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.c 2020-09-23 10:52:16.424001475 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.10.2-compat.patch @@ -66,8 +66,8 @@ #include "xmalloc.h" #include "match.h" 
@@ -460,6 +465,7 @@ diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorize diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.h.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.h --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.h.psaa-compat 2019-07-08 18:36:13.000000000 +0200 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.h 2020-09-23 10:52:16.424001475 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.10.2-compat.patch @@ -32,7 +32,7 @@ #define _PAM_USER_KEY_ALLOWED_H @@ -472,6 +478,7 @@ diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorize diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.c --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.c.psaa-compat 2019-07-08 18:36:13.000000000 +0200 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.c 2020-09-23 10:52:16.424001475 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.10.2-compat.patch @@ -45,44 +45,46 @@ #include "xmalloc.h" #include "ssh.h" 
@@ -749,6 +756,7 @@ diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allow diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.h.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.h --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.h.psaa-compat 2019-07-08 18:36:13.000000000 +0200 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.h 2020-09-23 10:52:16.424001475 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.10.2-compat.patch @@ -32,7 +32,7 @@ #define _PAM_USER_KEY_ALLOWED_H @@ -762,6 +770,7 @@ diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allow diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/secure_filename.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/secure_filename.c --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/secure_filename.c.psaa-compat 2019-07-08 18:36:13.000000000 +0200 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/secure_filename.c 2020-09-23 10:52:16.424001475 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.10.2-compat.patch @@ -53,8 +53,8 @@ #include "xmalloc.h" #include "match.h" 
@@ -806,6 +815,7 @@ diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/secure_filename.c. diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c.psaa-compat 2019-07-08 18:36:13.000000000 +0200 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c 2020-09-23 10:52:16.424001475 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.10.2-compat.patch @@ -37,10 +37,11 @@ #include "xmalloc.h" #include "ssh.h" @@ -905,6 +915,7 @@ diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_fr diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.h.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.h --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.h.psaa-compat 2019-07-08 18:36:13.000000000 +0200 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.h 2020-09-23 10:52:16.424001475 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.10.2-compat.patch @@ -31,7 +31,7 @@ #ifndef _USERAUTH_PUBKEY_FROM_ID_H #define _USERAUTH_PUBKEY_FROM_ID_H 
@@ -918,6 +929,7 @@ diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_fr diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/uuencode.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/uuencode.c --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/uuencode.c.psaa-compat 2019-07-08 18:36:13.000000000 +0200 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/uuencode.c 2020-09-23 10:52:16.424001475 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.10.2-compat.patch @@ -56,7 +56,7 @@ pamsshagentauth_uudecode(const char *src /* and remove trailing whitespace because __b64_pton needs this */ *p = '\0'; @@ -945,6 +957,7 @@ diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/uuencode.c.psaa-co } --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_pam.c.compat 2020-09-23 11:32:30.783695267 +0200 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_pam.c 2020-09-23 11:33:21.383389036 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.10.2-compat.patch @@ -33,7 +33,8 @@ #include <string.h> diff --git a/pam_ssh_agent_auth-0.10.2-dereference.patch b/backport-pam_ssh_agent_auth-0.10.2-dereference.patch index bf49c37..d5a9793 100644 --- a/pam_ssh_agent_auth-0.10.2-dereference.patch +++ b/backport-pam_ssh_agent_auth-0.10.2-dereference.patch @@ -1,6 +1,7 @@ diff --git a/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c b/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c --- a/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c +++ b/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.10.2-dereference.patch @@ -158,11 +158,12 @@ parse_authorized_key_file(const char *user, int pam_user_key_allowed(const char *ruser, struct sshkey * key) 
diff --git a/pam_ssh_agent_auth-0.10.3-seteuid.patch b/backport-pam_ssh_agent_auth-0.10.3-seteuid.patch index be1f8e5..b39db01 100644 --- a/pam_ssh_agent_auth-0.10.3-seteuid.patch +++ b/backport-pam_ssh_agent_auth-0.10.3-seteuid.patch @@ -1,6 +1,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-seteuid openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c --- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-seteuid 2017-02-07 15:41:53.172334151 +0100 +++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-02-07 15:41:53.174334149 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.10.3-seteuid.patch @@ -238,17 +238,26 @@ ssh_get_authentication_socket_for_uid(ui } diff --git a/pam_ssh_agent_auth-0.9.2-visibility.patch b/backport-pam_ssh_agent_auth-0.9.2-visibility.patch index aea068d..4524131 100644 --- a/pam_ssh_agent_auth-0.9.2-visibility.patch +++ b/backport-pam_ssh_agent_auth-0.9.2-visibility.patch @@ -1,6 +1,7 @@ diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c.psaa-visibility openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c --- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c.psaa-visibility 2014-03-31 19:35:17.000000000 +0200 +++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c 2016-01-22 15:22:40.984469774 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.9.2-visibility.patch @@ -72,7 +72,7 @@ char *__progname; extern char *__progname; #endif diff --git a/pam_ssh_agent_auth-0.9.3-agent_structure.patch b/backport-pam_ssh_agent_auth-0.9.3-agent_structure.patch index 1f2c02c..95fbbeb 100644 --- a/pam_ssh_agent_auth-0.9.3-agent_structure.patch +++ b/backport-pam_ssh_agent_auth-0.9.3-agent_structure.patch 
@@ -1,6 +1,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/identity.h --- openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-agent 2016-11-13 04:24:32.000000000 +0100 +++ openssh/pam_ssh_agent_auth-0.10.3/identity.h 2017-09-27 14:25:49.421739027 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.9.3-agent_structure.patch @@ -38,6 +38,12 @@ typedef struct identity Identity; typedef struct idlist Idlist; @@ -17,6 +18,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-agent openssh/pam_ssh diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c --- openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent 2017-09-27 14:25:49.420739021 +0200 +++ openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-09-27 14:25:49.421739027 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.9.3-agent_structure.patch @@ -39,6 +39,7 @@ #include "sshbuf.h" #include "sshkey.h" @@ -85,6 +87,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent o diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c --- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-agent 2017-09-27 14:25:49.420739021 +0200 +++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2017-09-27 14:25:49.422739032 +0200 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.9.3-agent_structure.patch @@ -84,7 +85,7 @@ userauth_pubkey_from_id(const char *ruse (r = sshbuf_put_string(b, pkblob, blen)) != 0) fatal("%s: buffer error: %s", __func__, ssh_err(r)); 
diff --git a/pam_ssh_agent_auth-0.9.3-build.patch b/backport-pam_ssh_agent_auth-0.9.3-build.patch index 4018c4d..e931eb7 100644 --- a/pam_ssh_agent_auth-0.9.3-build.patch +++ b/backport-pam_ssh_agent_auth-0.9.3-build.patch @@ -1,6 +1,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-build openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c --- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-build 2016-11-13 04:24:32.000000000 +0100 +++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-02-07 14:29:41.626116675 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.9.3-build.patch @@ -43,12 +43,31 @@ #include <openssl/evp.h> #include "ssh2.h" @@ -150,6 +151,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-b diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in.psaa-build openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in --- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in.psaa-build 2016-11-13 04:24:32.000000000 +0100 +++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in 2017-02-07 14:40:14.407566921 +0100 +Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.9.3-build.patch @@ -52,7 +52,7 @@ PATHS= CC=@CC@ LD=@LD@ diff --git a/backport-upstream-Add-scp-s-path-to-test-sshd-s-PATH.patch b/backport-upstream-Add-scp-s-path-to-test-sshd-s-PATH.patch new file mode 100644 index 0000000..ff5a0c9 --- /dev/null +++ b/backport-upstream-Add-scp-s-path-to-test-sshd-s-PATH.patch 
@@ -0,0 +1,37 @@ +From 6e6f88647042b3cde54a628545c2f5fb656a9327 Mon Sep 17 00:00:00 2001 +From: "dtucker@openbsd.org" <dtucker@openbsd.org> +Date: Fri, 13 Jan 2023 04:23:00 +0000 +Subject: [PATCH] upstream: Add scp's path to test sshd's PATH. + +If the scp we're testing is fully qualified (eg it's not in the system +PATH) then add its path to the under-test sshd's PATH so we can find +it. Prompted by bz#3518. + +OpenBSD-Regress-ID: 7df4f5a0be3aa135495b7e5a6719d3cbc26cc4c0 +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=6e6f88647042b3cde54a628545c2f5fb656a9327 +--- + regress/test-exec.sh | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/regress/test-exec.sh b/regress/test-exec.sh +index c51f8eac..5a6afac5 100644 +--- a/regress/test-exec.sh ++++ b/regress/test-exec.sh +@@ -529,6 +529,13 @@ cat << EOF > $OBJ/sshd_config + Subsystem sftp $SFTPSERVER + EOF + ++# If we're testing a non-installed scp, add its directory to sshd's PATH ++# so we can test it. ++case "$SCP" in ++/*) PATH_WITH_SCP="`dirname $SCP`:$PATH" ++ echo " SetEnv PATH='$PATH_WITH_SCP'" >>$OBJ/sshd_config ;; ++esac ++ + # This may be necessary if /usr/src and/or /usr/obj are group-writable, + # but if you aren't careful with permissions then the unit tests could + # be abused to locally escalate privileges. +-- +2.27.0 + diff --git a/backport-upstream-Always-return-allocated-strings-from-the-ke.patch b/backport-upstream-Always-return-allocated-strings-from-the-ke.patch new file mode 100644 index 0000000..b7febc9 --- /dev/null +++ b/backport-upstream-Always-return-allocated-strings-from-the-ke.patch 
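Review bot: In the added `case` branch `$SCP` is expanded unquoted inside the backticks, so a build path containing whitespace or glob characters is word-split before `dirname` sees it and the generated `SetEnv PATH=...` line ends up wrong; quoting it as `dirname "$SCP"` keeps ordinary paths working and removes the surprise. The value is then written into sshd_config between single quotes, so a PATH component containing `'` would likely break the generated config as well. Both are test-only concerns, but a one-line comment above the `case`, e.g. `# assumes $SCP contains no whitespace or quote characters`, would save the next person who hits it some time.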
@@ -0,0 +1,88 @@ +From 486c4dc3b83b4b67d663fb0fa62bc24138ec3946 Mon Sep 17 00:00:00 2001 +From: "dtucker@openbsd.org" <dtucker@openbsd.org> +Date: Fri, 1 Jul 2022 03:35:45 +0000 +Subject: upstream: Always return allocated strings from the kex filtering so + +that we can free them later. Fix one leak in compat_kex_proposal. Based on +github PR#324 from ZoltanFridrich with some simplications by me. ok djm@ + +OpenBSD-Commit-ID: 9171616da3307612d0ede086fd511142f91246e4 + +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/patch/?id=486c4dc3b83b4b67d663fb0fa62bc24138ec3946 +--- + compat.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/compat.c b/compat.c +index 9120bd2..1d50349 100644 +--- a/compat.c ++++ b/compat.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: compat.c,v 1.119 2021/09/10 05:46:09 djm Exp $ */ ++/* $OpenBSD: compat.c,v 1.120 2022/07/01 03:35:45 dtucker Exp $ */ + /* + * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. + * +@@ -156,11 +156,12 @@ compat_banner(struct ssh *ssh, const char *version) + debug_f("no match: %s", version); + } + ++/* Always returns pointer to allocated memory, caller must free. */ + char * + compat_cipher_proposal(struct ssh *ssh, char *cipher_prop) + { + if (!(ssh->compat & SSH_BUG_BIGENDIANAES)) +- return cipher_prop; ++ return xstrdup(cipher_prop); + debug2_f("original cipher proposal: %s", cipher_prop); + if ((cipher_prop = match_filter_denylist(cipher_prop, "aes*")) == NULL) + fatal("match_filter_denylist failed"); +@@ -170,11 +171,12 @@ compat_cipher_proposal(struct ssh *ssh, char *cipher_prop) + return cipher_prop; + } + ++/* Always returns pointer to allocated memory, caller must free. 
*/ + char * + compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop) + { + if (!(ssh->compat & SSH_BUG_RSASIGMD5)) +- return pkalg_prop; ++ return xstrdup(pkalg_prop); + debug2_f("original public key proposal: %s", pkalg_prop); + if ((pkalg_prop = match_filter_denylist(pkalg_prop, "ssh-rsa")) == NULL) + fatal("match_filter_denylist failed"); +@@ -184,11 +186,15 @@ compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop) + return pkalg_prop; + } + ++/* Always returns pointer to allocated memory, caller must free. */ + char * + compat_kex_proposal(struct ssh *ssh, char *p) + { ++ char *cp = NULL; ++ ++ + if ((ssh->compat & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0) +- return p; ++ return xstrdup(p); + debug2_f("original KEX proposal: %s", p); + if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0) + /* coverity[overwrite_var : FALSE] */ +@@ -196,11 +202,13 @@ compat_kex_proposal(struct ssh *ssh, char *p) + "curve25519-sha256@libssh.org")) == NULL) + fatal("match_filter_denylist failed"); + if ((ssh->compat & SSH_OLD_DHGEX) != 0) { ++ cp = p; + /* coverity[overwrite_var : FALSE] */ + if ((p = match_filter_denylist(p, + "diffie-hellman-group-exchange-sha256," + "diffie-hellman-group-exchange-sha1")) == NULL) + fatal("match_filter_denylist failed"); ++ free(cp); + } + debug2_f("compat KEX proposal: %s", p); + if (*p == '\0') +-- +2.33.0 + diff --git a/backport-upstream-CVE-2023-25136-fix-double-free-caused.patch b/backport-upstream-CVE-2023-25136-fix-double-free-caused.patch new file mode 100644 index 0000000..ee6d98d --- /dev/null +++ b/backport-upstream-CVE-2023-25136-fix-double-free-caused.patch 
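Review bot: Taken on its own, the `compat_kex_proposal` hunk in this patch frees a buffer it does not own: when SSH_BUG_CURVE25519PAD is not set but SSH_OLD_DHGEX is, `cp = p` aliases the string the caller passed in, and `free(cp)` releases it even though this function only ever returns a fresh allocation and never takes ownership of `p` — that is the double free the next file in this import, backport-upstream-CVE-2023-25136-fix-double-free-caused.patch, repairs with its `cp`/`cp2` rewrite. The end state of the series is therefore fine, but the two patches are only safe as an ordered pair, so a header note here such as `Note: must be applied together with and before backport-upstream-CVE-2023-25136-fix-double-free-caused.patch` would guard against one of them being dropped or reordered later. The tail of compat_kex_proposal (the empty-proposal check and return) continues outside the hunk.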
@@ -0,0 +1,67 @@ +From 12da7823336434a403f25c7cc0c2c6aed0737a35 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Thu, 2 Feb 2023 12:10:05 +0000 +Subject: [PATCH] upstream: fix double-free caused by +compat_kex_proposal(); + bz3522 + +by dtucker@, ok me + +OpenBSD-Commit-ID: 2bfc37cd2d41f67dad64c17a64cf2cd3806a5c80 + +Reference:https://anongit.mindrot.org/openssh.git/patch/?id=12da7823336434a403f25c7cc0c2c6aed0737a35 +Conflict:NA +--- + compat.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/compat.c b/compat.c +index 1d50349..4fbb6f0 100644 +--- a/compat.c ++++ b/compat.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: compat.c,v 1.120 2022/07/01 03:35:45 dtucker Exp $ */ ++/* $OpenBSD: compat.c,v 1.121 2023/02/02 12:10:05 djm Exp $ */ + /* + * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. + * +@@ -190,29 +190,28 @@ compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop) + char * + compat_kex_proposal(struct ssh *ssh, char *p) + { +- char *cp = NULL; +- ++ char *cp = NULL, *cp2 = NULL; + + if ((ssh->compat & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0) + return xstrdup(p); + debug2_f("original KEX proposal: %s", p); + if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0) + /* coverity[overwrite_var : FALSE] */ +- if ((p = match_filter_denylist(p, ++ if ((cp = match_filter_denylist(p, + "curve25519-sha256@libssh.org")) == NULL) + fatal("match_filter_denylist failed"); + if ((ssh->compat & SSH_OLD_DHGEX) != 0) { +- cp = p; + /* coverity[overwrite_var : FALSE] */ +- if ((p = match_filter_denylist(p, ++ if ((cp2 = match_filter_denylist(cp ? 
cp : p, + "diffie-hellman-group-exchange-sha256," + "diffie-hellman-group-exchange-sha1")) == NULL) + fatal("match_filter_denylist failed"); + free(cp); ++ cp = cp2; + } +- debug2_f("compat KEX proposal: %s", p); +- if (*p == '\0') ++ if (cp == NULL || *cp == '\0') + fatal("No supported key exchange algorithms found"); +- return p; ++ debug2_f("compat KEX proposal: %s", cp); ++ return cp; + } + +-- +2.23.0 + diff --git a/backport-upstream-Clear-signal-mask-early-in-main-sshd-may-ha.patch b/backport-upstream-Clear-signal-mask-early-in-main-sshd-may-ha.patch new file mode 100644 index 0000000..22db428 --- /dev/null +++ b/backport-upstream-Clear-signal-mask-early-in-main-sshd-may-ha.patch 
@@ -0,0 +1,53 @@
+From 93f2ce8c050a7a2a628646c00b40b9b53fef93ef Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 16 Dec 2022 06:56:47 +0000
+Subject: [PATCH] upstream: Clear signal mask early in main(); sshd may have
+ been
+
+started with one or more signals masked (sigprocmask(2) is not cleared
+on fork/exec) and this could interfere with various things, e.g. the
+login grace timer.
+
+Execution environments that fail to clear the signal mask before running
+sshd are clearly broken, but apparently they do exist.
+
+Reported by Sreedhar Balasubramanian; ok dtucker@
+
+OpenBSD-Commit-ID: 77078c0b1c53c780269fc0c416f121d05e3010ae
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=93f2ce8c050a7a2a628646c00b40b9b53fef93ef
+---
+ sshd.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/sshd.c b/sshd.c
+index 6bb3a962..72525525 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sshd.c,v 1.589 2022/07/01 03:39:44 dtucker Exp $ */
++/* $OpenBSD: sshd.c,v 1.594 2022/12/16 06:56:47 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -1546,13 +1546,17 @@ main(int ac, char **av)
+ int keytype;
+ Authctxt *authctxt;
+ struct connection_info *connection_info = NULL;
++ sigset_t sigmask;
+
+ #ifdef HAVE_SECUREWARE
+ (void)set_auth_parameters(ac, av);
+ #endif
+ __progname = ssh_get_progname(av[0]);
+
++ sigemptyset(&sigmask);
++ sigprocmask(SIG_SETMASK, &sigmask, NULL);
++
+ OpenSSL_add_all_algorithms();
+ /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
+ saved_argc = ac;
+ rexec_argc = ac;
+-- 
+2.27.0
+
diff --git a/backport-upstream-Copy-bytes-from-the_banana-rather-than-bana.patch b/backport-upstream-Copy-bytes-from-the_banana-rather-than-bana.patch
new file mode 100644
index 0000000..f1c5b50
--- /dev/null
+++ b/backport-upstream-Copy-bytes-from-the_banana-rather-than-bana.patch
@@ -0,0 +1,32 @@
+From 018d671d78145f03d6f07ae9d64d51321da70325 Mon Sep 17 00:00:00 2001
+From: "tb@openbsd.org" <tb@openbsd.org>
+Date: Wed, 4 Jan 2023 22:48:57 +0000
+Subject: [PATCH] upstream: Copy bytes from the_banana[] rather than banana()
+
+Fixes test failure due to segfault seen on arm64 with xonly snap.
+
+ok djm
+
+OpenBSD-Regress-ID: 86e2aa4bbd1dff1bc4ebb2969c0d6474485be046
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=018d671d78145f03d6f07ae9d64d51321da70325
+---
+ regress/unittests/sshkey/test_sshkey.c | 2 +-
+ 1 file changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c
+index 982907ce..cc359aea 100644
+--- a/regress/unittests/sshkey/test_sshkey.c
++++ b/regress/unittests/sshkey/test_sshkey.c
+@@ -144,7 +144,7 @@ banana(u_char *s, size_t l)
+ memcpy(s + o, "nanananana", l - o);
+ break;
+ }
+- memcpy(s + o, banana, sizeof(the_banana));
++ memcpy(s + o, the_banana, sizeof(the_banana));
+ }
+ }
+
+-- 
+2.27.0
+
diff --git a/backport-upstream-Donot-attempt-to-fprintf-a-null-identity-co.patch b/backport-upstream-Donot-attempt-to-fprintf-a-null-identity-co.patch
new file mode 100644
index 0000000..66f2f90
--- /dev/null
+++ b/backport-upstream-Donot-attempt-to-fprintf-a-null-identity-co.patch
@@ -0,0 +1,37 @@
+From f29d6cf98c25bf044079032d22c1a57c63ab9d8e Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Sat, 18 Jun 2022 02:17:16 +0000
+Subject: upstream: Don't attempt to fprintf a null identity comment. From
+
+Martin Vahlensieck via tech@.
+
+OpenBSD-Commit-ID: 4c54d20a8e8e4e9912c38a7b4ef5bfc5ca2e05c2
+
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/patch/?id=f29d6cf98c25bf044079032d22c1a57c63ab9d8e
+---
+ ssh-add.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ssh-add.c b/ssh-add.c
+index 29c0b17..d60bafc 100644
+--- a/ssh-add.c
++++ b/ssh-add.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-add.c,v 1.160 2021/04/03 06:18:41 djm Exp $ */
++/* $OpenBSD: ssh-add.c,v 1.166 2022/06/18 02:17:16 dtucker Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -125,7 +125,7 @@ delete_one(int agent_fd, const struct sshkey *key, const char *comment,
+ }
+ if (!qflag) {
+ fprintf(stderr, "Identity removed: %s %s (%s)\n", path,
+- sshkey_type(key), comment);
++ sshkey_type(key), comment ? comment : "no comment");
+ }
+ return 0;
+ }
+-- 
+2.33.0
+
diff --git a/backport-upstream-Ensure-that-there-is-a-terminating-newline-.patch b/backport-upstream-Ensure-that-there-is-a-terminating-newline-.patch
new file mode 100644
index 0000000..a577b15
--- /dev/null
+++ b/backport-upstream-Ensure-that-there-is-a-terminating-newline-.patch
@@ -0,0 +1,48 @@
+From 3c379c9a849a635cc7f05cbe49fe473ccf469ef9 Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Thu, 9 Feb 2023 09:54:11 +0000
+Subject: [PATCH] upstream: Ensure that there is a terminating newline when
+ adding a new
+
+entry to known_hosts. bz#3529, with git+openssh at limpsquid.nl, ok deraadt@
+markus@
+
+OpenBSD-Commit-ID: fa8d90698da1886570512b96f051e266eac105e0
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=3c379c9a849a635cc7f05cbe49fe473ccf469ef9
+---
+ hostfile.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/hostfile.c b/hostfile.c
+index bd49e3ac..f5fa8084 100644
+--- a/hostfile.c
++++ b/hostfile.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: hostfile.c,v 1.91 2021/07/05 01:16:46 dtucker Exp $ */
++/* $OpenBSD: hostfile.c,v 1.94 2023/02/09 09:54:11 dtucker Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -520,9 +520,17 @@ add_host_to_hostfile(const char *filename, const char *host,
+ if (key == NULL)
+ return 1; /* XXX ? */
+ hostfile_create_user_ssh_dir(filename, 0);
+- f = fopen(filename, "a");
++ f = fopen(filename, "a+");
+ if (!f)
+ return 0;
++ /* Make sure we have a terminating newline. */
++ if (fseek(f, -1L, SEEK_END) == 0 && fgetc(f) != '\n')
++ if (fputc('\n', f) != '\n') {
++ error("Failed to add terminating newline to %s: %s",
++ filename, strerror(errno));
++ fclose(f);
++ return 0;
++ }
+ success = write_host_entry(f, host, NULL, key, store_hash);
+ fclose(f);
+ return success;
+-- 
+2.27.0
+
diff --git a/backport-upstream-Handle-dynamic-remote-port-forwarding-in-es.patch b/backport-upstream-Handle-dynamic-remote-port-forwarding-in-es.patch
new file mode 100644
index 0000000..3abd870
--- /dev/null
+++ b/backport-upstream-Handle-dynamic-remote-port-forwarding-in-es.patch
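Review bot: In the new newline check, `fgetc(f)` (input) is directly followed by `fputc('\n', f)` (output) on the same `"a+"` stream with no positioning call in between; C11 7.21.5.3 requires an intervening fseek/fsetpos/rewind unless the input hit end-of-file, which a successful read of the last byte does not. glibc tolerates this and append mode lands the write at end-of-file anyway, so it behaves in practice, but inserting `(void)fseek(f, 0L, SEEK_END);` between the two calls would make it conforming on every libc and self-documenting. It is also worth a short comment that the `fseek(f, -1L, SEEK_END) == 0` guard is what makes an empty known_hosts skip the check (the seek fails), since that is not obvious on first reading. add_host_to_hostfile begins outside the hunk.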
@@ -0,0 +1,46 @@ +From 650de7ecd3567b5a5dbf16dd1eb598bd8c20bca8 Mon Sep 17 00:00:00 2001 +From: "dtucker@openbsd.org" <dtucker@openbsd.org> +Date: Thu, 10 Nov 2022 23:03:10 +0000 +Subject: [PATCH] upstream: Handle dynamic remote port forwarding in escape + commandline's + +-R processing. bz#3499, ok djm@ + +OpenBSD-Commit-ID: 194ee4cfe7ed0e2b8ad0727f493c798a50454208 +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=650de7ecd3567b5a5dbf16dd1eb598bd8c20bca8 +--- + clientloop.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/clientloop.c b/clientloop.c +index 289d0b68..02349ccb 100644 +--- a/clientloop.c ++++ b/clientloop.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: clientloop.c,v 1.370 2021/08/29 23:44:07 djm Exp $ */ ++/* $OpenBSD: clientloop.c,v 1.382 2022/11/10 23:03:10 dtucker Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -846,8 +846,15 @@ process_cmdline(struct ssh *ssh) + } + logit("Canceled forwarding."); + } else { +- if (!parse_forward(&fwd, s, dynamic, remote)) { +- logit("Bad forwarding specification."); ++ /* -R specs can be both dynamic or not, so check both. */ ++ if (remote) { ++ if (!parse_forward(&fwd, s, 0, remote) && ++ !parse_forward(&fwd, s, 1, remote)) { ++ logit("Bad remote forwarding specification."); ++ goto out; ++ } ++ } else if (!parse_forward(&fwd, s, dynamic, remote)) { ++ logit("Bad local forwarding specification."); + goto out; + } + if (local || dynamic) { +-- +2.27.0 + diff --git a/backport-upstream-In-channel_request_remote_forwarding-the-pa.patch b/backport-upstream-In-channel_request_remote_forwarding-the-pa.patch new file mode 100644 index 0000000..369e432 --- /dev/null +++ b/backport-upstream-In-channel_request_remote_forwarding-the-pa.patch 
@@ -0,0 +1,62 @@ +From d323f7ecf52e3d4ec1f4939bf31693e02f891dca Mon Sep 17 00:00:00 2001 +From: "mbuhl@openbsd.org" <mbuhl@openbsd.org> +Date: Fri, 18 Nov 2022 19:47:40 +0000 +Subject: [PATCH] upstream: In channel_request_remote_forwarding the parameters + for + +permission_set_add are leaked as they are also duplicated in the call. Found +by CodeChecker. ok djm + +OpenBSD-Commit-ID: 4aef50fa9be7c0b138188814c8fe3dccc196f61e + +Reference:https://github.com/openssh/openssh-portable/commit/d323f7ecf52e3d4ec1f4939bf31693e02f891dca +Conflict:NA +--- + channels.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/channels.c b/channels.c +index e75a0cf9..7c2c882d 100644 +--- a/channels.c ++++ b/channels.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: channels.c,v 1.420 2022/09/19 08:49:50 djm Exp $ */ ++/* $OpenBSD: channels.c,v 1.421 2022/11/18 19:47:40 mbuhl Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -4081,7 +4081,7 @@ int + channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd) + { + int r, success = 0, idx = -1; +- char *host_to_connect, *listen_host, *listen_path; ++ const char *host_to_connect, *listen_host, *listen_path; + int port_to_connect, listen_port; + + /* Send the forward request to the remote side. 
*/ +@@ -4112,18 +4112,17 @@ channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd) + host_to_connect = listen_host = listen_path = NULL; + port_to_connect = listen_port = 0; + if (fwd->connect_path != NULL) { +- host_to_connect = xstrdup(fwd->connect_path); ++ host_to_connect = fwd->connect_path; + port_to_connect = PORT_STREAMLOCAL; + } else { +- host_to_connect = xstrdup(fwd->connect_host); ++ host_to_connect = fwd->connect_host; + port_to_connect = fwd->connect_port; + } + if (fwd->listen_path != NULL) { +- listen_path = xstrdup(fwd->listen_path); ++ listen_path = fwd->listen_path; + listen_port = PORT_STREAMLOCAL; + } else { +- if (fwd->listen_host != NULL) +- listen_host = xstrdup(fwd->listen_host); ++ listen_host = fwd->listen_host; + listen_port = fwd->listen_port; + } + idx = permission_set_add(ssh, FORWARD_USER, FORWARD_LOCAL, +-- +2.23.0 + diff --git a/backport-upstream-Instead-of-skipping-the-all-tokens-test-if-.patch b/backport-upstream-Instead-of-skipping-the-all-tokens-test-if-.patch new file mode 100644 index 0000000..6e8d770 --- /dev/null +++ b/backport-upstream-Instead-of-skipping-the-all-tokens-test-if-.patch 
@@ -0,0 +1,44 @@ +From 4d87a00f704e0365e11c3c38b170c1275ec461fc Mon Sep 17 00:00:00 2001 +From: "dtucker@openbsd.org" <dtucker@openbsd.org> +Date: Sat, 14 Jan 2023 09:57:08 +0000 +Subject: [PATCH] upstream: Instead of skipping the all-tokens test if we don't + have + +OpenSSL (since we use it to compute the hash), put the hash at the end and +just omit it if we don't have it. Prompted by bz#3521. + +OpenBSD-Regress-ID: c79ecba64250ed3b6417294b6c965e6b12ca5eea +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=4d87a00f704e0365e11c3c38b170c1275ec461fc +--- +diff --git a/regress/percent.sh b/regress/percent.sh +index ed5c604d..3dfa8d2d 100644 +--- a/regress/percent.sh ++++ b/regress/percent.sh +@@ -12,6 +12,7 @@ USER=`id -u -n` + USERID=`id -u` + HOST=`hostname | cut -f1 -d.` + HOSTNAME=`hostname` ++HASH="" + + # Localcommand is evaluated after connection because %T is not available + # until then. Because of this we use a different method of exercising it, +@@ -98,10 +99,13 @@ for i in matchexec localcommand remotecommand controlpath identityagent \ + # containing %d for UserKnownHostsFile + if [ "$i" != "userknownhostsfile" ]; then + trial $i '%d' $HOME ++ in='%%/%i/%h/%d/%L/%l/%n/%p/%r/%u' ++ out="%/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER" + if [ ! -z "${HASH}" ]; then +- trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \ +- "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER" ++ in="$in/%C" ++ out="$out/$HASH" + fi ++ trial $i "$in" "$out" + fi + done + +-- +2.27.0 + diff --git a/backport-upstream-Make-sure-not-to-fclose-the-same-fd-twice-i.patch b/backport-upstream-Make-sure-not-to-fclose-the-same-fd-twice-i.patch new file mode 100644 index 0000000..1b7739f --- /dev/null +++ b/backport-upstream-Make-sure-not-to-fclose-the-same-fd-twice-i.patch 
@@ -0,0 +1,63 @@ +From 17904f05802988d0bb9ed3c8d1d37411e8f459c3 Mon Sep 17 00:00:00 2001 +From: "tobhe@openbsd.org" <tobhe@openbsd.org> +Date: Tue, 21 Jun 2022 14:52:13 +0000 +Subject: upstream: Make sure not to fclose() the same fd twice in case of an + +error. + +ok dtucker@ + +OpenBSD-Commit-ID: e384c4e05d5521e7866b3d53ca59acd2a86eef99 + +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/patch/?id=17904f05802988d0bb9ed3c8d1d37411e8f459c3 + +--- + authfile.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/authfile.c b/authfile.c +index 8990137..dce1e84 100644 +--- a/authfile.c ++++ b/authfile.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: authfile.c,v 1.141 2020/06/18 23:33:38 djm Exp $ */ ++/* $OpenBSD: authfile.c,v 1.143 2022/06/21 14:52:13 tobhe Exp $ */ + /* + * Copyright (c) 2000, 2013 Markus Friedl. All rights reserved. + * +@@ -515,20 +515,25 @@ sshkey_save_public(const struct sshkey *key, const char *path, + return SSH_ERR_SYSTEM_ERROR; + if ((f = fdopen(fd, "w")) == NULL) { + r = SSH_ERR_SYSTEM_ERROR; ++ close(fd); + goto fail; + } + if ((r = sshkey_write(key, f)) != 0) + goto fail; + fprintf(f, " %s\n", comment); +- if (ferror(f) || fclose(f) != 0) { ++ if (ferror(f)) { + r = SSH_ERR_SYSTEM_ERROR; ++ goto fail; ++ } ++ if (fclose(f) != 0) { ++ r = SSH_ERR_SYSTEM_ERROR; ++ f = NULL; + fail: +- oerrno = errno; +- if (f != NULL) ++ if (f != NULL) { ++ oerrno = errno; + fclose(f); +- else +- close(fd); +- errno = oerrno; ++ errno = oerrno; ++ } + return r; + } + return 0; +-- +2.33.0 + diff --git a/backport-upstream-Shell-syntax-fix.-From-ren-mingshuai-vi-git.patch b/backport-upstream-Shell-syntax-fix.-From-ren-mingshuai-vi-git.patch new file mode 100644 index 0000000..9262ca5 --- /dev/null +++ b/backport-upstream-Shell-syntax-fix.-From-ren-mingshuai-vi-git.patch 
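Review bot: The rewritten error path puts the `fail:` label inside the `if (fclose(f) != 0) {` block, so every earlier `goto fail` jumps into the middle of a compound statement; this is valid C and the descriptor accounting looks right (fdopen failure closes `fd` explicitly, and `f = NULL` after a failed fclose prevents the second fclose), but it is hard to follow and easy to break on the next edit. A conventional shape — `if (fclose(f) != 0) return SSH_ERR_SYSTEM_ERROR;` then `return 0;`, with a separate `fail:` block after them doing the save-errno/fclose/restore-errno for the `f != NULL` case — keeps the same behaviour and matches how cleanup is laid out elsewhere in the tree. Whether a failed fclose still releases the descriptor is libc-dependent in theory, so a comment at `f = NULL;` stating that assumption would help. sshkey_save_public begins outside the hunk.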
@@ -0,0 +1,26 @@
+From 923c3f437f439cfca238fba37e97a7041782f615 Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Sat, 14 Jan 2023 10:05:54 +0000
+Subject: [PATCH] upstream: Shell syntax fix. From ren mingshuai vi github
+ PR#369.
+
+OpenBSD-Regress-ID: 6696b2eeefe128099fc3d7ea9f23252cc35156f9
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=923c3f437f439cfca238fba37e97a7041782f615
+---
+diff --git a/regress/yes-head.sh b/regress/yes-head.sh
+index 2759eb8c..1bde504f 100644
+--- a/regress/yes-head.sh
++++ b/regress/yes-head.sh
+@@ -6,7 +6,7 @@ tid="yes pipe head"
+ lines=`${SSH} -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)`
+ if [ $? -ne 0 ]; then
+ fail "yes|head test failed"
+- lines = 0;
+++ lines=0
+ fi
+ if [ $lines -ne 2000 ]; then
+ fail "yes|head returns $lines lines instead of 2000"
+-- 
+2.27.0
+
diff --git a/backport-upstream-The-idiomatic-way-of-coping-with-signed-cha.patch b/backport-upstream-The-idiomatic-way-of-coping-with-signed-cha.patch
new file mode 100644
index 0000000..e7a24fe
--- /dev/null
+++ b/backport-upstream-The-idiomatic-way-of-coping-with-signed-cha.patch
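Review bot: The added line of the inner hunk reads `+++ lines=0`, three `+` markers where every other inner addition in these patch files carries two (the outer patch's `+` plus the inner hunk's own). Unless that is an artefact of how this page collapsed whitespace, `patch` will treat the inner line as `++ lines=0` and insert the literal text `+ lines=0` into regress/yes-head.sh, which runs a bogus command named `+` instead of assigning the variable — the very class of breakage this backport exists to fix — and because the `-6,7 +6,7` counts still balance nothing will warn. Compare against the upstream commit given in the Reference header and drop the stray `+` so the line becomes `++ lines=0`.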
@@ -0,0 +1,40 @@ +From 5a7a7acab2f466dc1d7467b5d05d35268c3137aa Mon Sep 17 00:00:00 2001 +From: "deraadt@openbsd.org" <deraadt@openbsd.org> +Date: Thu, 15 Dec 2022 18:20:39 +0000 +Subject: [PATCH] upstream: The idiomatic way of coping with signed char vs + unsigned + +char (which did not come from stdio read functions) in the presence of +ctype macros, is to always cast to (unsigned char). casting to (int) +for a "macro" which is documented to take int, is weird. And sadly wrong, +because of the sing extension risk.. same diff from florian + +OpenBSD-Commit-ID: 65b9a49a68e22ff3a0ebd593f363e9f22dd73fea +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=5a7a7acab2f466dc1d7467b5d05d35268c3137aa +--- + misc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/misc.c b/misc.c +index 977c097e..41244da9 100644 +--- a/misc.c ++++ b/misc.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: misc.c,v 1.170 2021/09/26 14:01:03 djm Exp $ */ ++/* $OpenBSD: misc.c,v 1.179 2022/12/15 18:20:39 deraadt Exp $ */ + /* + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * Copyright (c) 2005-2020 Damien Miller. All rights reserved. +@@ -95,7 +95,7 @@ rtrim(char *s) + if ((i = strlen(s)) == 0) + return; + for (i--; i > 0; i--) { +- if (isspace((int)s[i])) ++ if (isspace((unsigned char)s[i])) + s[i] = '\0'; + } + } +-- +2.27.0 + diff --git a/backport-upstream-When-OpenSSL-is-not-available-skip-parts-of.patch b/backport-upstream-When-OpenSSL-is-not-available-skip-parts-of.patch new file mode 100644 index 0000000..5d59c1d --- /dev/null +++ b/backport-upstream-When-OpenSSL-is-not-available-skip-parts-of.patch 
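Review bot: The loop shown in the context around the changed line never stops at the first non-space character: `for (i--; i > 0; i--)` keeps going and `s[i] = '\0'` is applied wherever isspace() matches, so a string with interior whitespace such as "a b " is cut down to "a", and index 0 is never examined at all. If rtrim() is meant to strip trailing whitespace only, as its name suggests, an `else break;` after the assignment would make the loop match that intent; if every caller passes single-token strings this is harmless, but that is not visible from here. The cast change itself is right — passing a negative `char` to isspace() is undefined. rtrim() starts before the hunk.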
@@ -0,0 +1,51 @@ +From d77fc611a62f2dfee0b654c31a50a814b13310dd Mon Sep 17 00:00:00 2001 +From: "dtucker@openbsd.org" <dtucker@openbsd.org> +Date: Fri, 6 Jan 2023 12:33:33 +0000 +Subject: [PATCH] upstream: When OpenSSL is not available, skip parts of + percent test + +that require it. Based on github pr#368 from ren mingshuai. + +OpenBSD-Regress-ID: 49a375b2cf61ccb95b52e75e2e025cd10988ebb2 +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=d77fc611a62f2dfee0b654c31a50a814b13310dd +--- + regress/percent.sh | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/regress/percent.sh b/regress/percent.sh +index bb81779a..ed5c604d 100644 +--- a/regress/percent.sh ++++ b/regress/percent.sh +@@ -79,10 +79,12 @@ for i in matchexec localcommand remotecommand controlpath identityagent \ + trial $i '%T' NONE + fi + # Matches implementation in readconf.c:ssh_connection_hash() +- HASH=`printf "${HOSTNAME}127.0.0.1${PORT}$REMUSER" | +- $OPENSSL_BIN sha1 | cut -f2 -d' '` ++ if [ ! -z "${OPENSSL_BIN}" ]; then ++ HASH=`printf "${HOSTNAME}127.0.0.1${PORT}$REMUSER" | ++ $OPENSSL_BIN sha1 | cut -f2 -d' '` ++ trial $i '%C' $HASH ++ fi + trial $i '%%' '%' +- trial $i '%C' $HASH + trial $i '%i' $USERID + trial $i '%h' 127.0.0.1 + trial $i '%L' $HOST +@@ -96,8 +98,10 @@ for i in matchexec localcommand remotecommand controlpath identityagent \ + # containing %d for UserKnownHostsFile + if [ "$i" != "userknownhostsfile" ]; then + trial $i '%d' $HOME +- trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \ +- "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER" ++ if [ ! -z "${HASH}" ]; then ++ trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \ ++ "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER" ++ fi + fi + done + +-- +2.27.0 + diff --git a/backport-upstream-a-little-extra-debugging.patch b/backport-upstream-a-little-extra-debugging.patch new file mode 100644 index 0000000..32701d4 --- /dev/null 
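Review bot: Both new guards use the double-negative form `[ ! -z "${OPENSSL_BIN}" ]` and `[ ! -z "${HASH}" ]`; the idiomatic and easier-to-read test is `[ -n "${OPENSSL_BIN}" ]` and `[ -n "${HASH}" ]`. The second guard also relies on HASH being empty whenever OPENSSL_BIN is unset, which holds only as long as HASH is not inherited from the environment; assigning `HASH=` before the `if` in the first hunk would make that explicit. The enclosing `for i in ...` loop begins and ends outside both hunks.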
+++ b/backport-upstream-a-little-extra-debugging.patch @@ -0,0 +1,34 @@ +From 940dc10729cb5a95b7ee82c10184e2b9621c8a1d Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Wed, 14 Sep 2022 00:13:13 +0000 +Subject: [PATCH] upstream: a little extra debugging + +OpenBSD-Commit-ID: edf1601c1d0905f6da4c713f4d9cecc7d1c0295a + +Reference:https://github.com/openssh/openssh-portable/commit/940dc10729cb5a95b7ee82c10184e2b9621c8a1d +Conflict:NA +--- + ssh-agent.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ssh-agent.c b/ssh-agent.c +index ddda4d77..0aef07eb 100644 +--- a/ssh-agent.c ++++ b/ssh-agent.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh-agent.c,v 1.278 2021/04/03 06:18:41 djm Exp $ */ ++/* $OpenBSD: ssh-agent.c,v 1.291 2022/09/14 00:13:13 djm Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -845,6 +845,7 @@ process_sign_request2(SocketEntry *e) + /* Success */ + ok = 0; + send: ++ debug_f("good signature"); + notify_complete(notifier, "User presence confirmed"); + + if (ok == 0) { +-- +2.23.0 + diff --git a/backport-upstream-avoid-integer-overflow-of-auth-attempts-har.patch b/backport-upstream-avoid-integer-overflow-of-auth-attempts-har.patch new file mode 100644 index 0000000..66ecfda --- /dev/null +++ b/backport-upstream-avoid-integer-overflow-of-auth-attempts-har.patch 
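Review bot: The added `debug_f("good signature")` sits directly after the `send:` label and before the `if (ok == 0)` test, so it is emitted on every path that jumps to `send:`, which the following test suggests includes paths where `ok` is still non-zero; the message is then misleading when the sign request actually failed. Logging only once success is established avoids that, e.g. `if (ok == 0) debug_f("good signature");` or moving the line into the `if (ok == 0) {` branch. process_sign_request2() begins and ends outside the hunk, so the full set of jumps to `send:` is not visible here.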
@@ -0,0 +1,44 @@ +From 32ebaa0dbca5d0bb86e384e72bebc153f48413e4 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Wed, 23 Feb 2022 11:18:13 +0000 +Subject: [PATCH] upstream: avoid integer overflow of auth attempts +(harmless,caught by monitor) + +OpenBSD-Commit-ID: 488ad570b003b21e0cd9e7a00349cfc1003b4d86 + +Reference:https://github.com/openssh/openssh-portable/commit/32ebaa0dbca5d0 +Conflict:NA +--- + auth2.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/auth2.c b/auth2.c +index 7290d54..0de58e6 100644 +--- a/auth2.c ++++ b/auth2.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: auth2.c,v 1.161 2021/04/03 06:18:40 djm Exp $ */ ++/* $OpenBSD: auth2.c,v 1.164 2022/02/23 11:18:13 djm Exp $ */ + /* + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * +@@ -290,6 +290,8 @@ if (options.check_user_splash) + if ((style = strchr(user, ':')) != NULL) + *style++ = 0; + ++ if (authctxt->attempt >= 1024) ++ auth_maxtries_exceeded(ssh); + if (authctxt->attempt++ == 0) { + /* setup auth context */ + authctxt->pw = PRIVSEP(getpwnamallow(ssh, user)); +@@ -298,6 +300,7 @@ if (options.check_user_splash) + authctxt->valid = 1; + debug2_f("setting up authctxt for %s", user); + } else { ++ authctxt->valid = 0; + /* Invalid user, fake password information */ + authctxt->pw = fakepw(); + } +-- +2.23.0 + diff --git a/backport-upstream-avoid-printf-s-NULL-if-using-ssh.patch b/backport-upstream-avoid-printf-s-NULL-if-using-ssh.patch new file mode 100644 index 0000000..d1c920c --- /dev/null +++ b/backport-upstream-avoid-printf-s-NULL-if-using-ssh.patch 
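Review bot: The hunk header context `if (options.check_user_splash)` shows this backport was regenerated against a tree that already carries the CheckUserSplash change, so it only applies after bugfix-openssh-add-option-check-username-splash.patch; the `Conflict:NA` trailer does not record that ordering dependency, and a short line in the patch description would. Separately, `if (authctxt->attempt >= 1024)` introduces a bare magic number; a named constant next to the other auth limits (for example `#define AUTH_ATTEMPT_HARD_LIMIT 1024`, name to be chosen) would document its purpose. The guard also presumes auth_maxtries_exceeded() does not return, since `authctxt->attempt++` on the next line would otherwise still run. input_userauth_request() begins and ends outside the hunk.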
@@ -0,0 +1,42 @@ +From f673b49f3be3eb51074fbb8a405beb6cd0f7d93e Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Fri, 13 Jan 2023 02:44:02 +0000 +Subject: [PATCH] upstream: avoid printf("%s", NULL) if using ssh + +-oUserKnownHostsFile=none and a hostkey in one of the system known hosts file +changes; ok dtucker@ + +OpenBSD-Commit-ID: 7ca87614bfc6da491315536a7f2301434a9fe614 +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=f673b49f3be3eb51074fbb8a405beb6cd0f7d93e +--- + sshconnect.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/sshconnect.c b/sshconnect.c +index 0fca52b2..792bc34b 100644 +--- a/sshconnect.c ++++ b/sshconnect.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: sshconnect.c,v 1.355 2021/07/02 05:11:21 dtucker Exp $ */ ++/* $OpenBSD: sshconnect.c,v 1.361 2023/01/13 02:44:02 djm Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -1276,8 +1276,11 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo, + } + /* The host key has changed. */ + warn_changed_key(host_key); +- error("Add correct host key in %.100s to get rid of this message.", +- user_hostfiles[0]); ++ if (num_user_hostfiles > 0 || num_system_hostfiles > 0) { ++ error("Add correct host key in %.100s to get rid " ++ "of this message.", num_user_hostfiles > 0 ? ++ user_hostfiles[0] : system_hostfiles[0]); ++ } + error("Offending %s key in %s:%lu", + sshkey_type(host_found->key), + host_found->file, host_found->line); +-- +2.27.0 + diff --git a/backport-upstream-better-debugging-for-connect_next.patch b/backport-upstream-better-debugging-for-connect_next.patch new file mode 100644 index 0000000..7d4509b --- /dev/null +++ b/backport-upstream-better-debugging-for-connect_next.patch 
@@ -0,0 +1,66 @@ +From 231a346c0c67cc7ca098360f9a554fa7d4f1eddb Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Mon, 19 Sep 2022 08:49:50 +0000 +Subject: [PATCH] upstream: better debugging for connect_next() + +OpenBSD-Commit-ID: d16a307a0711499c971807f324484ed3a6036640 + +Reference:https://github.com/openssh/openssh-portable/commit/231a346c0c67cc7ca098360f9a554fa7d4f1eddb +Conflict:NA +--- + channels.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/channels.c b/channels.c +index 3ac51bac..6a78de9d 100644 +--- a/channels.c ++++ b/channels.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: channels.c,v 1.408 2021/09/14 11:04:21 mbuhl Exp $ */ ++/* $OpenBSD: channels.c,v 1.420 2022/09/19 08:49:50 djm Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -4403,13 +4403,15 @@ connect_next(struct channel_connect *cctx) + if (getnameinfo(cctx->ai->ai_addr, cctx->ai->ai_addrlen, + ntop, sizeof(ntop), strport, sizeof(strport), + NI_NUMERICHOST|NI_NUMERICSERV) != 0) { +- error("connect_next: getnameinfo failed"); ++ error_f("getnameinfo failed"); + continue; + } + break; + default: + continue; + } ++ debug_f("start for host %.100s ([%.100s]:%s)", ++ cctx->host, ntop, strport); + if ((sock = socket(cctx->ai->ai_family, cctx->ai->ai_socktype, + cctx->ai->ai_protocol)) == -1) { + if (cctx->ai->ai_next == NULL) +@@ -4422,9 +4424,8 @@ connect_next(struct channel_connect *cctx) + fatal_f("set_nonblock(%d)", sock); + if (connect(sock, cctx->ai->ai_addr, + cctx->ai->ai_addrlen) == -1 && errno != EINPROGRESS) { +- debug("connect_next: host %.100s ([%.100s]:%s): " +- "%.100s", cctx->host, ntop, strport, +- strerror(errno)); ++ debug_f("host %.100s ([%.100s]:%s): %.100s", ++ cctx->host, ntop, strport, strerror(errno)); + saved_errno = errno; + close(sock); + errno = saved_errno; +@@ -4432,8 +4433,8 @@ connect_next(struct channel_connect *cctx) + } + if 
(cctx->ai->ai_family != AF_UNIX) + set_nodelay(sock); +- debug("connect_next: host %.100s ([%.100s]:%s) " +- "in progress, fd=%d", cctx->host, ntop, strport, sock); ++ debug_f("connect host %.100s ([%.100s]:%s) in progress, fd=%d", ++ cctx->host, ntop, strport, sock); + cctx->ai = cctx->ai->ai_next; + return sock; + } +-- +2.23.0 + diff --git a/backport-upstream-double-free-in-error-path-from-Eusgor-via-G.patch b/backport-upstream-double-free-in-error-path-from-Eusgor-via-G.patch new file mode 100644 index 0000000..b0e27bb --- /dev/null +++ b/backport-upstream-double-free-in-error-path-from-Eusgor-via-G.patch 
@@ -0,0 +1,56 @@ +From 5062ad48814b06162511c4f5924a33d97b6b2566 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Fri, 19 Aug 2022 03:06:30 +0000 +Subject: upstream: double free() in error path; from Eusgor via GHPR333 + +OpenBSD-Commit-ID: 39f35e16ba878c8d02b4d01d8826d9b321be26d4 + +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/patch/?id=5062ad48814b06162511c4f5924a33d97b6b2566 + +--- + sshsig.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/sshsig.c b/sshsig.c +index 0e8abf1..58c7df4 100644 +--- a/sshsig.c ++++ b/sshsig.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: sshsig.c,v 1.21 2021/07/23 04:00:59 djm Exp $ */ ++/* $OpenBSD: sshsig.c,v 1.30 2022/08/19 03:06:30 djm Exp $ */ + /* + * Copyright (c) 2019 Google LLC + * +@@ -491,7 +491,7 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp) + { + char *hex, rbuf[8192], hash[SSH_DIGEST_MAX_LENGTH]; + ssize_t n, total = 0; +- struct ssh_digest_ctx *ctx; ++ struct ssh_digest_ctx *ctx = NULL; + int alg, oerrno, r = SSH_ERR_INTERNAL_ERROR; + struct sshbuf *b = NULL; + +@@ -514,7 +514,6 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp) + continue; + oerrno = errno; + error_f("read: %s", strerror(errno)); +- ssh_digest_free(ctx); + ctx = NULL; + errno = oerrno; + r = SSH_ERR_SYSTEM_ERROR; +@@ -550,9 +549,11 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp) + /* success */ + r = 0; + out: ++ oerrno = errno; + sshbuf_free(b); + ssh_digest_free(ctx); + explicit_bzero(hash, sizeof(hash)); ++ errno = oerrno; + return r; + } + +-- +2.33.0 + diff --git a/backport-upstream-fix-bug-in-PermitRemoteOpen-which-caused-it.patch b/backport-upstream-fix-bug-in-PermitRemoteOpen-which-caused-it.patch new file mode 100644 index 0000000..d27f45e --- /dev/null +++ b/backport-upstream-fix-bug-in-PermitRemoteOpen-which-caused-it.patch 
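Review bot: After this hunk the read-error path still executes `ctx = NULL;` but no longer frees the context first, so the `ssh_digest_free(ctx)` at `out:` in the second hunk frees NULL and the digest context created earlier in hash_file() is leaked on every read() failure. Removing the in-loop free is the right way to avoid the double free, but the `ctx = NULL;` line should go with it so the single free at `out:` covers this path; `errno = oerrno; r = SSH_ERR_SYSTEM_ERROR;` then stay as they are. The allocation of ctx is outside the hunk, so this is inferred from the visible cleanup structure rather than seen directly.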
@@ -0,0 +1,109 @@ +From b3daa8dc582348d6ab8150bc1e571b7aa08c5388 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Mon, 2 Jan 2023 07:03:30 +0000 +Subject: [PATCH] upstream: fix bug in PermitRemoteOpen which caused it to + ignore its + +first argument unless it was one of the special keywords "any" or "none". + +Reported by Georges Chaudy in bz3515; ok dtucker@ + +OpenBSD-Commit-ID: c5678a39f1ff79993d5ae3cfac5746a4ae148ea5 +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=b3daa8dc582348d6ab8150bc1e571b7aa08c5388 +--- + readconf.c | 62 +++++++++++++++++++++++++++++------------------------- + 1 file changed, 33 insertions(+), 29 deletions(-) + +diff --git a/readconf.c b/readconf.c +index 45c1c22..aa106eb 100644 +--- a/readconf.c ++++ b/readconf.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: readconf.c,v 1.363 2021/09/16 05:36:03 djm Exp $ */ ++/* $OpenBSD: readconf.c,v 1.371 2023/01/02 07:03:30 djm Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -1611,38 +1611,38 @@ parse_pubkey_algos: + case oPermitRemoteOpen: + uintptr = &options->num_permitted_remote_opens; + cppptr = &options->permitted_remote_opens; +- arg = argv_next(&ac, &av); +- if (!arg || *arg == '\0') +- fatal("%s line %d: missing %s specification", +- filename, linenum, lookup_opcode_name(opcode)); + uvalue = *uintptr; /* modified later */ +- if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) { +- if (*activep && uvalue == 0) { +- *uintptr = 1; +- *cppptr = xcalloc(1, sizeof(**cppptr)); +- (*cppptr)[0] = xstrdup(arg); +- } +- break; +- } ++ i = 0; + while ((arg = argv_next(&ac, &av)) != NULL) { + arg2 = xstrdup(arg); + ch = '\0'; +- p = hpdelim2(&arg, &ch); +- if (p == NULL || ch == '/') { +- fatal("%s line %d: missing host in %s", +- filename, linenum, +- lookup_opcode_name(opcode)); +- } +- p = cleanhostname(p); +- /* +- * don't want to use permitopen_port to avoid +- * dependency on 
channels.[ch] here. +- */ +- if (arg == NULL || +- (strcmp(arg, "*") != 0 && a2port(arg) <= 0)) { +- fatal("%s line %d: bad port number in %s", +- filename, linenum, +- lookup_opcode_name(opcode)); ++ /* Allow any/none only in first position */ ++ if (strcasecmp(arg, "none") == 0 || ++ strcasecmp(arg, "any") == 0) { ++ if (i > 0 || ac > 0) { ++ error("%s line %d: keyword %s \"%s\" " ++ "argument must appear alone.", ++ filename, linenum, keyword, arg); ++ goto out; ++ } ++ } else { ++ p = hpdelim(&arg); ++ if (p == NULL) { ++ fatal("%s line %d: missing host in %s", ++ filename, linenum, ++ lookup_opcode_name(opcode)); ++ } ++ p = cleanhostname(p); ++ /* ++ * don't want to use permitopen_port to avoid ++ * dependency on channels.[ch] here. ++ */ ++ if (arg == NULL || (strcmp(arg, "*") != 0 && ++ a2port(arg) <= 0)) { ++ fatal("%s line %d: bad port number " ++ "in %s", filename, linenum, ++ lookup_opcode_name(opcode)); ++ } + } + if (*activep && uvalue == 0) { + opt_array_append(filename, linenum, +@@ -1650,7 +1650,11 @@ parse_pubkey_algos: + cppptr, uintptr, arg2); + } + free(arg2); ++ i++; + } ++ if (i == 0) ++ fatal("%s line %d: missing %s specification", ++ filename, linenum, lookup_opcode_name(opcode)); + break; + + case oClearAllForwardings: +-- +2.27.0 + diff --git a/backport-upstream-honour-user-s-umask-if-it-is-more-restricti.patch b/backport-upstream-honour-user-s-umask-if-it-is-more-restricti.patch new file mode 100644 index 0000000..d3ac67e --- /dev/null +++ b/backport-upstream-honour-user-s-umask-if-it-is-more-restricti.patch 
@@ -0,0 +1,37 @@ +From 5ee2b8ccfcf4b606f450eb0ff2305e311f68b0be Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Thu, 6 Oct 2022 22:42:37 +0000 +Subject: [PATCH] upstream: honour user's umask if it is more restrictive then + the ssh + +default (022); based on patch from Alex Henrie, ok dtucker@ deraadt@ + +OpenBSD-Commit-ID: fe1b9e15fc9a4f49fc338e848ce14d8727abe82d +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=5ee2b8ccfcf4b606f450eb0ff2305e311f68b0be +--- + ssh.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ssh.c b/ssh.c +index 25be53d5..e711dbd2 100644 +--- a/ssh.c ++++ b/ssh.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh.c,v 1.575 2022/07/01 00:36:30 djm Exp $ */ ++/* $OpenBSD: ssh.c,v 1.577 2022/10/06 22:42:37 djm Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -679,7 +679,7 @@ main(int ac, char **av) + * writable only by the owner, which is ok for all files for which we + * don't set the modes explicitly. + */ +- umask(022); ++ umask(022 | umask(077)); + + msetlocale(); + +-- +2.27.0 + diff --git a/backport-upstream-if-sshpkt-functions-fail-then-password-is-n.patch b/backport-upstream-if-sshpkt-functions-fail-then-password-is-n.patch new file mode 100644 index 0000000..618601c --- /dev/null +++ b/backport-upstream-if-sshpkt-functions-fail-then-password-is-n.patch 
@@ -0,0 +1,54 @@ +From 2c334fd36f80cb91cc42e4b978b10aa35e0df236 Mon Sep 17 00:00:00 2001 +From: "dtucker@openbsd.org" <dtucker@openbsd.org> +Date: Fri, 27 May 2022 04:29:40 +0000 +Subject: upstream: f sshpkt functions fail, then password is not cleared + +with freezero. Unconditionally call freezero to guarantee that password is +removed from RAM. + +From tobias@ and c3h2_ctf via github PR#286, ok djm@ + +OpenBSD-Commit-ID: 6b093619c9515328e25b0f8093779c52402c89cd + +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=2c334fd36f80cb91cc42e4b978b10aa35e0df236 + +--- + auth2-passwd.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/auth2-passwd.c b/auth2-passwd.c +index be4b860..1d80481 100644 +--- a/auth2-passwd.c ++++ b/auth2-passwd.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: auth2-passwd.c,v 1.19 2020/10/18 11:32:01 djm Exp $ */ ++/* $OpenBSD: auth2-passwd.c,v 1.21 2022/05/27 04:29:40 dtucker Exp $ */ + /* + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * +@@ -51,16 +51,18 @@ extern ServerOptions options; + static int + userauth_passwd(struct ssh *ssh) + { +- char *password; ++ char *password = NULL; + int authenticated = 0, r; + u_char change; +- size_t len; ++ size_t len = 0; + + if ((r = sshpkt_get_u8(ssh, &change)) != 0 || + (r = sshpkt_get_cstring(ssh, &password, &len)) != 0 || + (change && (r = sshpkt_get_cstring(ssh, NULL, NULL)) != 0) || +- (r = sshpkt_get_end(ssh)) != 0) ++ (r = sshpkt_get_end(ssh)) != 0) { ++ freezero(password, len); + fatal_fr(r, "parse packet"); ++ } + + if (change) + logit("password change not supported"); +-- +2.33.0 + diff --git a/backport-upstream-ignore-SIGPIPE-earlier-in-main-specifically.patch b/backport-upstream-ignore-SIGPIPE-earlier-in-main-specifically.patch new file mode 100644 index 0000000..1a540c6 --- /dev/null +++ b/backport-upstream-ignore-SIGPIPE-earlier-in-main-specifically.patch 
@@ -0,0 +1,46 @@ +From 96faa0de6c673a2ce84736eba37fc9fb723d9e5c Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Fri, 1 Jul 2022 00:36:30 +0000 +Subject: upstream: ignore SIGPIPE earlier in main(), specifically before + +muxclient() which performs operations that could cause one; Reported by Noam +Lewis via bz3454, ok dtucker@ + +OpenBSD-Commit-ID: 63d8e13276869eebac6d7a05d5a96307f9026e47 + +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/patch/?id=96faa0de6c673a2ce84736eba37fc9fb723d9e5c +--- + ssh.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/ssh.c b/ssh.c +index f55ff73..e987cd5 100644 +--- a/ssh.c ++++ b/ssh.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh.c,v 1.569 2021/09/20 04:02:13 dtucker Exp $ */ ++/* $OpenBSD: ssh.c,v 1.575 2022/07/01 00:36:30 djm Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -1135,6 +1135,8 @@ main(int ac, char **av) + } + } + ++ ssh_signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */ ++ + /* + * Initialize "log" output. Since we are the client all output + * goes to stderr unless otherwise specified by -y or -E. +@@ -1660,7 +1662,6 @@ main(int ac, char **av) + options.num_system_hostfiles); + tilde_expand_paths(options.user_hostfiles, options.num_user_hostfiles); + +- ssh_signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */ + ssh_signal(SIGCHLD, main_sigchld_handler); + + /* Log into the remote system. Never returns if the login fails. */ +-- +2.33.0 + diff --git a/backport-upstream-regression-test-for-PermitRemoteOpen.patch b/backport-upstream-regression-test-for-PermitRemoteOpen.patch new file mode 100644 index 0000000..cfe6105 --- /dev/null +++ b/backport-upstream-regression-test-for-PermitRemoteOpen.patch 
@@ -0,0 +1,138 @@ +From 845ceecea2ac311b0c267f9ecbd34862e1876fc6 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Mon, 2 Jan 2023 07:03:57 +0000 +Subject: [PATCH] upstream: regression test for PermitRemoteOpen + +OpenBSD-Regress-ID: 8271aafbf5c21950cd5bf966f08e585cebfe630c +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=845ceecea2ac311b0c267f9ecbd34862e1876fc6 +--- + regress/dynamic-forward.sh | 84 ++++++++++++++++++++++++++++++-------- + 1 file changed, 66 insertions(+), 18 deletions(-) + +diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh +index 84f8ee19..f6c2393d 100644 +--- a/regress/dynamic-forward.sh ++++ b/regress/dynamic-forward.sh +@@ -1,10 +1,12 @@ +-# $OpenBSD: dynamic-forward.sh,v 1.13 2017/09/21 19:18:12 markus Exp $ ++# $OpenBSD: dynamic-forward.sh,v 1.14 2023/01/02 07:03:57 djm Exp $ + # Placed in the Public Domain. + + tid="dynamic forwarding" + + FWDPORT=`expr $PORT + 1` + ++cp $OBJ/ssh_config $OBJ/ssh_config.orig ++ + if have_prog nc && nc -h 2>&1 | grep "proxy address" >/dev/null; then + proxycmd="nc -x 127.0.0.1:$FWDPORT -X" + elif have_prog connect; then +@@ -15,16 +17,16 @@ else + fi + trace "will use ProxyCommand $proxycmd" + +-start_sshd +- +-for d in D R; do ++start_ssh() { ++ direction="$1" ++ arg="$2" + n=0 + error="1" +- trace "start dynamic forwarding, fork to background" +- ++ trace "start dynamic -$direction forwarding, fork to background" ++ (cat $OBJ/ssh_config.orig ; echo "$arg") > $OBJ/ssh_config + while [ "$error" -ne 0 -a "$n" -lt 3 ]; do + n=`expr $n + 1` +- ${SSH} -F $OBJ/ssh_config -f -$d $FWDPORT -q \ ++ ${SSH} -F $OBJ/ssh_config -f -$direction $FWDPORT -q \ + -oExitOnForwardFailure=yes somehost exec sh -c \ + \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\' + error=$? 
+@@ -36,18 +38,9 @@ for d in D R; do + if [ "$error" -ne 0 ]; then + fatal "failed to start dynamic forwarding" + fi ++} + +- for s in 4 5; do +- for h in 127.0.0.1 localhost; do +- trace "testing ssh socks version $s host $h (-$d)" +- ${SSH} -F $OBJ/ssh_config \ +- -o "ProxyCommand ${proxycmd}${s} $h $PORT" \ +- somehost cat ${DATA} > ${COPY} +- test -f ${COPY} || fail "failed copy ${DATA}" +- cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" +- done +- done +- ++stop_ssh() { + if [ -f $OBJ/remote_pid ]; then + remote=`cat $OBJ/remote_pid` + trace "terminate remote shell, pid $remote" +@@ -57,5 +50,60 @@ for d in D R; do + else + fail "no pid file: $OBJ/remote_pid" + fi ++} ++ ++check_socks() { ++ direction=$1 ++ expect_success=$2 ++ for s in 4 5; do ++ for h in 127.0.0.1 localhost; do ++ trace "testing ssh socks version $s host $h (-$direction)" ++ ${SSH} -F $OBJ/ssh_config \ ++ -o "ProxyCommand ${proxycmd}${s} $h $PORT 2>/dev/null" \ ++ somehost cat ${DATA} > ${COPY} ++ r=$? ++ if [ "x$expect_success" = "xY" ] ; then ++ if [ $r -ne 0 ] ; then ++ fail "ssh failed with exit status $r" ++ fi ++ test -f ${COPY} || fail "failed copy ${DATA}" ++ cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" ++ elif [ $r -eq 0 ] ; then ++ fail "ssh unexpectedly succeeded" ++ fi ++ done ++ done ++} ++ ++start_sshd ++ ++for d in D R; do ++ verbose "test -$d forwarding" ++ start_ssh $d ++ check_socks $d Y ++ stop_ssh ++ test "x$d" = "xR" || continue ++ ++ # Test PermitRemoteOpen ++ verbose "PermitRemoteOpen=any" ++ start_ssh $d PermitRemoteOpen=any ++ check_socks $d Y ++ stop_ssh ++ ++ verbose "PermitRemoteOpen=none" ++ start_ssh $d PermitRemoteOpen=none ++ check_socks $d N ++ stop_ssh ++ ++ verbose "PermitRemoteOpen=explicit" ++ start_ssh $d \ ++ PermitRemoteOpen="127.0.0.1:$PORT [::1]:$PORT localhost:$PORT" ++ check_socks $d Y ++ stop_ssh + ++ verbose "PermitRemoteOpen=disallowed" ++ start_ssh $d \ ++ PermitRemoteOpen="127.0.0.1:1 [::1]:1 localhost:1" ++ check_socks $d N 
++ stop_ssh + done +-- +2.27.0 + diff --git a/backport-upstream-ssh-keygen-Y-check-novalidate-requires-name.patch b/backport-upstream-ssh-keygen-Y-check-novalidate-requires-name.patch new file mode 100644 index 0000000..aa9f80c --- /dev/null +++ b/backport-upstream-ssh-keygen-Y-check-novalidate-requires-name.patch @@ -0,0 +1,41 @@ +From a0b5816f8f1f645acdf74f7bc11b34455ec30bac Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Fri, 18 Mar 2022 02:31:25 +0000 +Subject: [PATCH] upstream: ssh-keygen -Y check-novalidate requires namespace + or SEGV + +will ensue. Patch from Mateusz Adamowski via GHPR#307 + +OpenBSD-Commit-ID: 99e8ec38f9feb38bce6de240335be34aedeba5fd +Reference:https://github.com/openssh/openssh-portable/commit/a0b5816f8f1f645acdf74f7bc11b34455ec30bac +Conflict:NA +--- + ssh-keygen.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/ssh-keygen.c b/ssh-keygen.c +index 7fc616c..bd6ea16 100644 +--- a/ssh-keygen.c ++++ b/ssh-keygen.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh-keygen.c,v 1.437 2021/09/08 03:23:44 djm Exp $ */ ++/* $OpenBSD: ssh-keygen.c,v 1.449 2022/03/18 02:31:25 djm Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -3489,6 +3489,12 @@ main(int argc, char **argv) + return sig_sign(identity_file, cert_principals, + argc, argv); + } else if (strncmp(sign_op, "check-novalidate", 16) == 0) { ++ if (cert_principals == NULL || ++ *cert_principals == '\0') { ++ error("Too few arguments for check-novalidate: " ++ "missing namespace"); ++ exit(1); ++ } + if (ca_key_path == NULL) { + error("Too few arguments for check-novalidate: " + "missing signature file"); +-- +2.23.0 + diff --git a/backport-upstream-test-compat_kex_proposal-by-dtucker.patch b/backport-upstream-test-compat_kex_proposal-by-dtucker.patch new file mode 100644 index 0000000..a20af60 --- /dev/null +++ b/backport-upstream-test-compat_kex_proposal-by-dtucker.patch 
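Review bot: `start_ssh` overwrites `$OBJ/ssh_config` from `ssh_config.orig` plus the extra option on every call, but nothing restores it after the final `stop_ssh`, so the file is left containing `PermitRemoteOpen="127.0.0.1:1 [::1]:1 localhost:1"` when the script ends; if the regress harness reuses that config across scripts (not visible here), later tests would inherit a deny-all remote-open policy. A trailing `cp $OBJ/ssh_config.orig $OBJ/ssh_config` after the `done` makes the script self-contained either way. In `check_socks`, the expect-failure branch also never removes a stale `${COPY}` from the previous pass; harmless as written, since that branch checks only the exit status, but worth a comment so nobody later adds a file check there.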
@@ -0,0 +1,125 @@ +From 903c556b938fff2d7bff8da2cc460254430963c5 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Thu, 2 Feb 2023 12:12:52 +0000 +Subject: [PATCH] upstream: test compat_kex_proposal(); by dtucker@ + +OpenBSD-Regress-ID: 0e404ee264db546f9fdbf53390689ab5f8d38bf2 + +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=903c556b938fff2d7bff8da2cc460254430963c5 +--- + regress/unittests/kex/test_proposal.c | 79 +++++++++++++++++++++++++++ + regress/unittests/kex/tests.c | 4 +- + 2 files changed, 82 insertions(+), 1 deletion(-) + create mode 100644 regress/unittests/kex/test_proposal.c + +diff --git a/regress/unittests/kex/test_proposal.c b/regress/unittests/kex/test_proposal.c +new file mode 100644 +index 0000000..b89ff59 +--- /dev/null ++++ b/regress/unittests/kex/test_proposal.c +@@ -0,0 +1,79 @@ ++/* $OpenBSD: test_proposal.c,v 1.1 2023/02/02 12:12:52 djm Exp $ */ ++/* ++ * Regress test KEX ++ * ++ * Placed in the public domain ++ */ ++ ++#include <sys/types.h> ++#include <signal.h> ++#include <stdio.h> ++#include <stdint.h> ++#include <stdlib.h> ++#include <string.h> ++ ++#include "test_helper.h" ++ ++#include "compat.h" ++#include "ssherr.h" ++#include "sshbuf.h" ++#include "kex.h" ++#include "packet.h" ++#include "xmalloc.h" ++ ++void kex_proposal(void); ++ ++#define CURVE25519 "curve25519-sha256@libssh.org" ++#define DHGEX1 "diffie-hellman-group-exchange-sha1" ++#define DHGEX256 "diffie-hellman-group-exchange-sha256" ++#define KEXALGOS CURVE25519","DHGEX256","DHGEX1 ++void ++kex_proposal(void) ++{ ++ size_t i; ++ struct ssh ssh; ++ char *result, *out, *in; ++ struct { ++ char *in; /* TODO: make this const */ ++ char *out; ++ int compat; ++ } tests[] = { ++ { KEXALGOS, KEXALGOS, 0}, ++ { KEXALGOS, DHGEX256","DHGEX1, SSH_BUG_CURVE25519PAD }, ++ { KEXALGOS, CURVE25519, SSH_OLD_DHGEX }, ++ { "a,"KEXALGOS, "a", SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX }, ++ /* TODO: enable once compat_kex_proposal doesn't fatal() 
*/ ++ /* { KEXALGOS, "", SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX }, */ ++ }; ++ ++ TEST_START("compat_kex_proposal"); ++ for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) { ++ ssh.compat = tests[i].compat; ++ /* match entire string */ ++ result = compat_kex_proposal(&ssh, tests[i].in); ++ ASSERT_STRING_EQ(result, tests[i].out); ++ free(result); ++ /* match at end */ ++ in = kex_names_cat("a", tests[i].in); ++ out = kex_names_cat("a", tests[i].out); ++ result = compat_kex_proposal(&ssh, in); ++ ASSERT_STRING_EQ(result, out); ++ free(result); free(in); free(out); ++ /* match at start */ ++ in = kex_names_cat(tests[i].in, "a"); ++ out = kex_names_cat(tests[i].out, "a"); ++ result = compat_kex_proposal(&ssh, in); ++ ASSERT_STRING_EQ(result, out); ++ free(result); free(in); free(out); ++ /* match in middle */ ++ xasprintf(&in, "a,%s,b", tests[i].in); ++ if (*(tests[i].out) == '\0') ++ out = xstrdup("a,b"); ++ else ++ xasprintf(&out, "a,%s,b", tests[i].out); ++ result = compat_kex_proposal(&ssh, in); ++ ASSERT_STRING_EQ(result, out); ++ free(result); free(in); free(out); ++ } ++ TEST_DONE(); ++} +diff --git a/regress/unittests/kex/tests.c b/regress/unittests/kex/tests.c +index e7036ec..2a83daf 100644 +--- a/regress/unittests/kex/tests.c ++++ b/regress/unittests/kex/tests.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: tests.c,v 1.1 2015/01/15 23:41:29 markus Exp $ */ ++/* $OpenBSD: tests.c,v 1.2 2023/02/02 12:12:52 djm Exp $ */ + /* + * Placed in the public domain + */ +@@ -6,9 +6,11 @@ + #include "../test_helper/test_helper.h" + + void kex_tests(void); ++void kex_proposal(void); + + void + tests(void) + { + kex_tests(); ++ kex_proposal(); + } +-- +2.27.0 + diff --git a/backport-upstream-use-correct-type-with-sizeof-ok-djm.patch b/backport-upstream-use-correct-type-with-sizeof-ok-djm.patch new file mode 100644 index 0000000..bdd6ac7 --- /dev/null +++ b/backport-upstream-use-correct-type-with-sizeof-ok-djm.patch 
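Review bot: `struct ssh ssh;` is declared without initialisation and only `ssh.compat` is set before each compat_kex_proposal() call, so the test silently depends on the function reading no other member; should it ever touch another field, the fixture becomes undefined behaviour the unit test will not reliably catch. `struct ssh ssh = { 0 };` (or `memset(&ssh, 0, sizeof(ssh));`, string.h is already included) makes it deterministic at no cost. The `char *in; /* TODO: make this const */` field holds string literals, so `const char *in;` would also remove a -Wwrite-strings warning.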
@@ -0,0 +1,34 @@ +From 18376847b8043ba967eabbe23692ef74c9a3fddc Mon Sep 17 00:00:00 2001 +From: "jsg@openbsd.org" <jsg@openbsd.org> +Date: Thu, 13 Oct 2022 09:09:28 +0000 +Subject: [PATCH] upstream: use correct type with sizeof ok djm@ + +OpenBSD-Commit-ID: d6c882c2e8a42ff831a5b3cbc2c961ecb2dd6143 +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=18376847b8043ba967eabbe23692ef74c9a3fddc +--- + ssh.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ssh.c b/ssh.c +index e711dbd2..21cbd7c3 100644 +--- a/ssh.c ++++ b/ssh.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh.c,v 1.577 2022/10/06 22:42:37 djm Exp $ */ ++/* $OpenBSD: ssh.c,v 1.578 2022/10/13 09:09:28 jsg Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -1579,7 +1579,7 @@ main(int ac, char **av) + if (options.hostbased_authentication) { + sensitive_data.nkeys = 10; + sensitive_data.keys = xcalloc(sensitive_data.nkeys, +- sizeof(struct sshkey)); ++ sizeof(*sensitive_data.keys)); + + /* XXX check errors? */ + #define L_PUBKEY(p,o) do { \ +-- +2.27.0 + diff --git a/bugfix-openssh-6.6p1-log-usepam-no.patch b/bugfix-openssh-6.6p1-log-usepam-no.patch new file mode 100644 index 0000000..de7fe4d --- /dev/null +++ b/bugfix-openssh-6.6p1-log-usepam-no.patch 
@@ -0,0 +1,42 @@ +From 31883f21eff4265b68bb36f67b254adb524db6ae Mon Sep 17 00:00:00 2001 +From: guoxiaoqi <guoxiaoqi2@huawei.com> +Date: Thu, 16 Apr 2020 14:51:44 +0800 +Subject: [PATCH] bugfix-openssh-6.6p1-log-usepam-no + +--- + sshd.c | 4 ++-- + sshd_config | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sshd.c b/sshd.c +index c6c03ae..c291a5e 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -1812,9 +1812,9 @@ main(int ac, char **av) + parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, + cfg, &includes, NULL); + +- /* 'UsePAM no' is not supported in Fedora */ ++ /* 'UsePAM no' is not supported in openEuler */ + if (! options.use_pam) +- logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems."); ++ logit("WARNING: 'UsePAM no' is not supported in openEuler and may cause several problems."); + + #ifdef WITH_OPENSSL + if (options.moduli_file != NULL) +diff --git a/sshd_config b/sshd_config +index e125992..ebc28b3 100644 +--- a/sshd_config ++++ b/sshd_config +@@ -87,7 +87,7 @@ AuthorizedKeysFile .ssh/authorized_keys + # If you just want the PAM account and session checks to run without + # PAM authentication, then enable this but set PasswordAuthentication + # and KbdInteractiveAuthentication to 'no'. +-# WARNING: 'UsePAM no' is not supported in Fedora and may cause several ++# WARNING: 'UsePAM no' is not supported in openEuler and may cause several + # problems. + #UsePAM no + +-- +2.23.0 + diff --git a/bugfix-openssh-add-option-check-username-splash.patch b/bugfix-openssh-add-option-check-username-splash.patch index 1c8af38..9293230 100644 --- a/bugfix-openssh-add-option-check-username-splash.patch +++ b/bugfix-openssh-add-option-check-username-splash.patch @@ -6,6 +6,7 @@ Subject: [PATCH] openssh: add option check username splash add a check to inhibit username contains splash add an option 'CheckUserSplash' so that user can turn off this check + --- auth2.c | 4 +++- servconf.c | 8 ++++++++ 
@@ -14,10 +15,10 @@ this check 4 files changed, 14 insertions(+), 1 deletion(-) diff --git a/auth2.c b/auth2.c -index 4d574bb..c480aab 100644 +index 4adc502..956b9cf 100644 --- a/auth2.c +++ b/auth2.c -@@ -278,11 +278,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) +@@ -282,11 +282,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) debug("userauth-request for user %s service %s method %s", user, service, method); debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); @@ -33,10 +34,10 @@ index 4d574bb..c480aab 100644 *style++ = 0; diff --git a/servconf.c b/servconf.c -index bcf69fd..b8340d8 100644 +index 7001d56..76147f9 100644 --- a/servconf.c +++ b/servconf.c -@@ -199,6 +199,7 @@ initialize_server_options(ServerOptions *options) +@@ -195,6 +195,7 @@ initialize_server_options(ServerOptions *options) options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; options->version_addendum = NULL; @@ -44,7 +45,7 @@ index bcf69fd..b8340d8 100644 options->fingerprint_hash = -1; options->disable_forwarding = -1; options->expose_userauth_info = -1; -@@ -456,6 +457,8 @@ fill_default_server_options(ServerOptions *options) +@@ -473,6 +474,8 @@ fill_default_server_options(ServerOptions *options) options->ip_qos_bulk = IPTOS_DSCP_CS1; if (options->version_addendum == NULL) options->version_addendum = xstrdup(""); 
@@ -53,15 +54,15 @@ index bcf69fd..b8340d8 100644 if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) options->fwd_opts.streamlocal_bind_mask = 0177; if (options->fwd_opts.streamlocal_bind_unlink == -1) -@@ -557,6 +560,7 @@ typedef enum { +@@ -574,6 +577,7 @@ typedef enum { + sStreamLocalBindMask, sStreamLocalBindUnlink, sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider, - sRequiredRSASize, sChannelTimeout, sUnusedConnectionTimeout, -+ sCheckUserSplash, ++ sCheckUserSplash, sDeprecated, sIgnore, sUnsupported } ServerOpCodes; -@@ -730,6 +734,7 @@ static struct { +@@ -740,6 +744,7 @@ static struct { { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, { "disableforwarding", sDisableForwarding, SSHCFG_ALL }, { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, @@ -69,7 +70,7 @@ index bcf69fd..b8340d8 100644 { "rdomain", sRDomain, SSHCFG_ALL }, { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, { "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL }, -@@ -1443,6 +1448,9 @@ process_server_config_line_depth(ServerOptions *options, char *line, +@@ -1360,6 +1365,9 @@ process_server_config_line_depth(ServerOptions *options, char *line, case sUsePAM: intptr = &options->use_pam; goto parse_flag; @@ -80,22 +81,25 @@ index bcf69fd..b8340d8 100644 /* Standard Options */ case sBadOption: diff --git a/servconf.h b/servconf.h -index ccc0181..cb57dac 100644 +index a3827e5..2c16b5a 100644 --- a/servconf.h +++ b/servconf.h -@@ -237,6 +237,7 @@ typedef struct { +@@ -226,6 +226,7 @@ typedef struct { int fingerprint_hash; int expose_userauth_info; u_int64_t timing_secret; -+ int check_user_splash; /* check whether splash exists in username, if exist, disable login */ ++ int check_user_splash; /* check whether splash exists in username, if exist, disable login */ char *sk_provider; - int required_rsa_size; /* minimum size of RSA keys */ + } ServerOptions; 
diff --git a/sshd_config b/sshd_config -index 9851748..d57f11d 100644 +index ebc28b3..b121450 100644 --- a/sshd_config +++ b/sshd_config -@@ -128,3 +128,5 @@ Subsystem sftp /usr/libexec/sftp-server +@@ -125,6 +125,8 @@ Subsystem sftp /usr/libexec/sftp-server + # Example of overriding settings on a per-user basis + #Match User anoncvs + # X11Forwarding no # AllowTcpForwarding no # PermitTTY no # ForceCommand cvs server diff --git a/feature-add-SMx-support.patch b/feature-add-SMx-support.patch index e8b0f3c..d7fe61c 100644 --- a/feature-add-SMx-support.patch +++ b/feature-add-SMx-support.patch @@ -1,7 +1,13 @@ -From d2e28809c673f914b49147ca3fa31e08b9e885d7 Mon Sep 17 00:00:00 2001 -From: renmingshuai <renmingshuai@huawei.com> -Date: Sat, 29 Jul 2023 10:50:29 +0800 -Subject: [PATCH] feature add sm2 +From 93b312c0263cbf40f66448ff7ddbea7a2def1953 Mon Sep 17 00:00:00 2001 +From: kircher <majun65@huawei.com> +Date: Fri, 29 Jul 2022 10:45:08 +0800 +Subject: [PATCH] add SMx support in openssh +HostKeyAlgorithms sm2 +KexAlgorithms sm2-sm3 +MACs hmac-sm3 +Ciphers sm4-ctr +PubkeyAcceptedAlgorithms sm2 +FingerprintHash sm3 --- Makefile.in | 4 +- @@ -25,21 +31,21 @@ Subject: [PATCH] feature add sm2 ssh-ecdsa.c | 6 +- ssh-keygen.c | 12 +- ssh-keyscan.c | 12 +- - ssh-sm2.c | 381 ++++++++++++++++++++++++ + ssh-sm2.c | 230 +++++++++++++++ ssh_api.c | 2 + sshconnect2.c | 1 + sshd.c | 7 + - sshkey.c | 21 ++ - sshkey.h | 2 + - 27 files changed, 899 insertions(+), 14 deletions(-) + sshkey.c | 62 +++- + sshkey.h | 9 + + 27 files changed, 794 insertions(+), 16 deletions(-) create mode 100644 kexsm2.c create mode 100644 ssh-sm2.c diff --git a/Makefile.in b/Makefile.in -index 5fec5b3..7dcda3e 100644 +index 07bf440..1393190 100644 --- a/Makefile.in 
+++ b/Makefile.in -@@ -102,14 +102,14 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ +@@ -100,14 +100,14 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ log.o match.o moduli.o nchan.o packet.o \ readpass.o ttymodes.o xmalloc.o addr.o addrmatch.o \ atomicio.o dispatch.o mac.o misc.o utf8.o \ @@ -50,17 +56,17 @@ index 5fec5b3..7dcda3e 100644 ssh-pkcs11.o ssh-pkcs11-uri.o smult_curve25519_ref.o \ poly1305.o chacha.o cipher-chachapoly.o cipher-chachapoly-libcrypto.o \ ssh-ed25519.o digest-openssl.o digest-libc.o \ - hmac.o ed25519.o hash.o \ + hmac.o sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \ - kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ + kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o kexsm2.o \ kexgexc.o kexgexs.o \ kexsntrup761x25519.o sntrup761.o kexgen.o \ kexgssc.o \ diff --git a/authfd.c b/authfd.c -index 25a3636..bcc25a7 100644 +index 9f092f7..163b4b5 100644 --- a/authfd.c +++ b/authfd.c -@@ -583,6 +583,8 @@ ssh_add_identity_constrained(int sock, struct sshkey *key, +@@ -512,6 +512,8 @@ ssh_add_identity_constrained(int sock, struct sshkey *key, case KEY_DSA_CERT: case KEY_ECDSA: case KEY_ECDSA_CERT: @@ -70,10 +76,10 @@ index 25a3636..bcc25a7 100644 case KEY_ECDSA_SK_CERT: #endif diff --git a/authfile.c b/authfile.c -index 445f2dd..3884031 100644 +index 666730b..dce1e84 100644 --- a/authfile.c +++ b/authfile.c -@@ -332,6 +332,7 @@ sshkey_load_private_cert(int type, const char *filename, const char *passphrase, +@@ -343,6 +343,7 @@ sshkey_load_private_cert(int type, const char *filename, const char *passphrase, case KEY_RSA: case KEY_DSA: case KEY_ECDSA: @@ -82,10 +88,10 @@ index 445f2dd..3884031 100644 case KEY_ED25519: case KEY_XMSS: diff --git a/cipher.c b/cipher.c -index 609450d..7f98413 100644 +index b54b994..039e414 100644 --- a/cipher.c +++ b/cipher.c -@@ -86,6 +86,7 @@ static const struct sshcipher ciphers[] = { +@@ -88,6 +88,7 @@ static const struct sshcipher ciphers[] = { #endif { "chacha20-poly1305@openssh.com", 8, 64, 0, 16, CFLAG_CHACHAPOLY, NULL }, 
@@ -120,10 +126,10 @@ index c7ceeb3..520722c 100644 struct sshbuf; struct ssh_digest_ctx; diff --git a/kex.c b/kex.c -index 0fbd0ca..e9dfcc2 100644 +index d0a9dee..6284f90 100644 --- a/kex.c +++ b/kex.c -@@ -125,6 +125,7 @@ static const struct kexalg kexalgs[] = { +@@ -124,6 +124,7 @@ static const struct kexalg kexalgs[] = { SSH_DIGEST_SHA512 }, #endif #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ @@ -132,7 +138,7 @@ index 0fbd0ca..e9dfcc2 100644 }; static const struct kexalg gss_kexalgs[] = { diff --git a/kex.h b/kex.h -index 0fac9d3..044ec18 100644 +index d26ba26..8b95227 100644 --- a/kex.h +++ b/kex.h @@ -102,6 +102,7 @@ enum kex_exchange { @@ -143,7 +149,7 @@ index 0fac9d3..044ec18 100644 #ifdef GSSAPI KEX_GSS_GRP1_SHA1, KEX_GSS_GRP14_SHA1, -@@ -287,6 +288,8 @@ int kexc25519_shared_key_ext(const u_char key[CURVE25519_SIZE], +@@ -277,6 +278,8 @@ int kexc25519_shared_key_ext(const u_char key[CURVE25519_SIZE], __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE))) __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE))); @@ -217,7 +223,7 @@ index efb2e55..69ec13b 100644 kex->ec_client_key = NULL; return r; diff --git a/kexgen.c b/kexgen.c -index ca70484..4855d5c 100644 +index 31f90f5..f3eff47 100644 --- a/kexgen.c +++ b/kexgen.c @@ -111,6 +111,7 @@ kex_gen_client(struct ssh *ssh) @@ -236,7 +242,7 @@ index ca70484..4855d5c 100644 r = kex_ecdh_dec(kex, server_blob, &shared_secret); break; #endif -@@ -298,6 +300,7 @@ input_kex_gen_init(int type, u_int32_t seq, struct ssh *ssh) +@@ -280,6 +282,7 @@ input_kex_gen_init(int type, u_int32_t seq, struct ssh *ssh) &shared_secret); break; case KEX_ECDH_SHA2: @@ -681,7 +687,7 @@ index a094888..0a805ad 100644 /* * Configuration file in user's home directory. This file need not be diff --git a/regress/agent.sh b/regress/agent.sh -index 5f10606..3ab40b4 100644 +index f187b67..42a5124 100644 --- a/regress/agent.sh +++ b/regress/agent.sh @@ -87,9 +87,18 @@ fi 
@@ -758,10 +764,10 @@ index b32502b..f260692 100644 sshkey_verify(ed25519, sig, slen, (const u_char *)data, dlen, NULL, 0, &details); sshkey_sig_details_free(details); diff --git a/regress/unittests/kex/test_kex.c b/regress/unittests/kex/test_kex.c -index c26761e..d335b29 100644 +index 3bd71a9..312e8f2 100644 --- a/regress/unittests/kex/test_kex.c +++ b/regress/unittests/kex/test_kex.c -@@ -151,6 +151,7 @@ do_kex_with_key(char *kex, int keytype, int bits) +@@ -152,6 +152,7 @@ do_kex_with_key(char *kex, int keytype, int bits) #endif /* OPENSSL_HAS_ECC */ #endif /* WITH_OPENSSL */ server2->kex->kex[KEX_C25519_SHA256] = kex_gen_server; @@ -769,7 +775,7 @@ index c26761e..d335b29 100644 server2->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server; server2->kex->load_host_public_key = server->kex->load_host_public_key; server2->kex->load_host_private_key = server->kex->load_host_private_key; -@@ -185,6 +186,7 @@ do_kex(char *kex) +@@ -186,6 +187,7 @@ do_kex(char *kex) #endif /* OPENSSL_HAS_ECC */ #endif /* WITH_OPENSSL */ do_kex_with_key(kex, KEY_ED25519, 256); @@ -777,7 +783,7 @@ index c26761e..d335b29 100644 } void -@@ -201,6 +203,7 @@ kex_tests(void) +@@ -202,6 +204,7 @@ kex_tests(void) do_kex("diffie-hellman-group-exchange-sha1"); do_kex("diffie-hellman-group14-sha1"); do_kex("diffie-hellman-group1-sha1"); @@ -786,10 +792,10 @@ index c26761e..d335b29 100644 do_kex("sntrup761x25519-sha512@openssh.com"); # endif /* USE_SNTRUP761X25519 */ diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c -index b705157..5445ab5 100644 +index b036796..6697be6 100644 --- a/ssh-ecdsa.c +++ b/ssh-ecdsa.c -@@ -256,7 +256,8 @@ ssh_ecdsa_sign(struct sshkey *key, +@@ -66,7 +66,8 @@ ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, *sigp = NULL; if (key == NULL || key->ecdsa == NULL || 
@@ -799,21 +805,21 @@ index b705157..5445ab5 100644 return SSH_ERR_INVALID_ARGUMENT; if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1) -@@ -332,7 +333,8 @@ ssh_ecdsa_verify(const struct sshkey *key, +@@ -133,7 +134,8 @@ ssh_ecdsa_verify(const struct sshkey *key, unsigned char *sigb = NULL, *psig = NULL; if (key == NULL || key->ecdsa == NULL || - sshkey_type_plain(key->type) != KEY_ECDSA || -+ (sshkey_type_plain(key->type) != KEY_ECDSA && -+ sshkey_type_plain(key->type) != KEY_SM2) || - sig == NULL || siglen == 0) ++ (sshkey_type_plain(key->type) != KEY_ECDSA && ++ sshkey_type_plain(key->type) != KEY_SM2) || + signature == NULL || signaturelen == 0) return SSH_ERR_INVALID_ARGUMENT; diff --git a/ssh-keygen.c b/ssh-keygen.c -index 0bff209..46f4998 100644 +index b9c4dce..bd6ea16 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c -@@ -193,6 +193,7 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp) +@@ -192,6 +192,7 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp) *bitsp = DEFAULT_BITS_DSA; break; case KEY_ECDSA: @@ -821,7 +827,7 @@ index 0bff209..46f4998 100644 if (name != NULL && (nid = sshkey_ecdsa_nid_from_name(name)) > 0) *bitsp = sshkey_curve_nid_to_bits(nid); -@@ -219,6 +220,10 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp) +@@ -224,6 +225,10 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp) fatal("Invalid RSA key length: maximum is %d bits", OPENSSL_RSA_MAX_MODULUS_BITS); break; @@ -832,7 +838,7 @@ index 0bff209..46f4998 100644 case KEY_ECDSA: if (sshkey_ecdsa_bits_to_nid(*bitsp) == -1) #ifdef OPENSSL_HAS_NISTP521 -@@ -275,6 +280,9 @@ ask_filename(struct passwd *pw, const char *prompt) +@@ -280,6 +285,9 @@ ask_filename(struct passwd *pw, const char *prompt) case KEY_ECDSA: name = _PATH_SSH_CLIENT_ID_ECDSA; break; 
@@ -842,7 +848,7 @@ index 0bff209..46f4998 100644 case KEY_ECDSA_SK_CERT: case KEY_ECDSA_SK: name = _PATH_SSH_CLIENT_ID_ECDSA_SK; -@@ -386,6 +394,7 @@ do_convert_to_pkcs8(struct sshkey *k) +@@ -391,6 +399,7 @@ do_convert_to_pkcs8(struct sshkey *k) break; #ifdef OPENSSL_HAS_ECC case KEY_ECDSA: @@ -850,7 +856,7 @@ index 0bff209..46f4998 100644 if (!PEM_write_EC_PUBKEY(stdout, k->ecdsa)) fatal("PEM_write_EC_PUBKEY failed"); break; -@@ -410,6 +419,7 @@ do_convert_to_pem(struct sshkey *k) +@@ -415,6 +424,7 @@ do_convert_to_pem(struct sshkey *k) break; #ifdef OPENSSL_HAS_ECC case KEY_ECDSA: @@ -858,7 +864,7 @@ index 0bff209..46f4998 100644 if (!PEM_write_EC_PUBKEY(stdout, k->ecdsa)) fatal("PEM_write_EC_PUBKEY failed"); break; -@@ -3280,7 +3290,7 @@ usage(void) +@@ -3148,7 +3158,7 @@ usage(void) fprintf(stderr, "usage: ssh-keygen [-q] [-a rounds] [-b bits] [-C comment] [-f output_keyfile]\n" " [-m format] [-N new_passphrase] [-O option]\n" @@ -868,10 +874,10 @@ index 0bff209..46f4998 100644 " ssh-keygen -p [-a rounds] [-f keyfile] [-m format] [-N new_passphrase]\n" " [-P old_passphrase] [-Z cipher]\n" diff --git a/ssh-keyscan.c b/ssh-keyscan.c -index 245c73d..b402a21 100644 +index 9ec4d9a..be2af0a 100644 --- a/ssh-keyscan.c +++ b/ssh-keyscan.c -@@ -68,9 +68,10 @@ int ssh_port = SSH_DEFAULT_PORT; +@@ -63,9 +63,10 @@ int ssh_port = SSH_DEFAULT_PORT; #define KT_XMSS (1<<4) #define KT_ECDSA_SK (1<<5) #define KT_ED25519_SK (1<<6) @@ -883,7 +889,7 @@ index 245c73d..b402a21 100644 int get_cert = 0; int get_keytypes = KT_RSA|KT_ECDSA|KT_ED25519|KT_ECDSA_SK|KT_ED25519_SK; -@@ -267,6 +268,11 @@ keygrab_ssh2(con *c) +@@ -261,6 +262,11 @@ keygrab_ssh2(con *c) "ecdsa-sha2-nistp384," "ecdsa-sha2-nistp521"; break; 
@@ -895,7 +901,7 @@ index 245c73d..b402a21 100644 case KT_ECDSA_SK: myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ? "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com" : -@@ -296,6 +302,7 @@ keygrab_ssh2(con *c) +@@ -290,6 +296,7 @@ keygrab_ssh2(con *c) c->c_ssh->kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; # ifdef OPENSSL_HAS_ECC c->c_ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client; @@ -903,7 +909,7 @@ index 245c73d..b402a21 100644 # endif #endif c->c_ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client; -@@ -789,6 +796,9 @@ main(int argc, char **argv) +@@ -730,6 +737,9 @@ main(int argc, char **argv) case KEY_ECDSA: get_keytypes |= KT_ECDSA; break; @@ -915,10 +921,10 @@ index 245c73d..b402a21 100644 break; diff --git a/ssh-sm2.c b/ssh-sm2.c new file mode 100644 -index 0000000..75e9731 +index 0000000..c242139 --- /dev/null +++ b/ssh-sm2.c -@@ -0,0 +1,381 @@ +@@ -0,0 +1,230 @@ +#include "includes.h" +#include <sys/types.h> +#include <openssl/bn.h> 
@@ -933,167 +939,30 @@ index 0000000..75e9731 + +#include "openbsd-compat/openssl-compat.h" + -+/* Reuse some ECDSA internals */ -+extern struct sshkey_impl_funcs sshkey_ecdsa_funcs; -+ +const unsigned char *sm2_id = (const unsigned char *)"1234567812345678"; + -+static void -+ssh_sm2_cleanup(struct sshkey *k) -+{ -+ EC_KEY_free(k->ecdsa); -+ k->ecdsa = NULL; -+} -+ -+static int -+ssh_sm2_equal(const struct sshkey *a, const struct sshkey *b) -+{ -+ if (!sshkey_ecdsa_funcs.equal(a, b)) -+ return 0; -+ return 1; -+} -+ -+static int -+ssh_sm2_serialize_public(const struct sshkey *key, struct sshbuf *b, -+ enum sshkey_serialize_rep opts) -+{ -+ int r; -+ -+ if ((r = sshkey_ecdsa_funcs.serialize_public(key, b, opts)) != 0) -+ return r; -+ -+ return 0; -+} -+ -+static int -+ssh_sm2_deserialize_public(const char *ktype, struct sshbuf *b, -+ struct sshkey *key) -+{ -+ int r; -+ -+ if ((r = sshkey_ecdsa_funcs.deserialize_public(ktype, b, key)) != 0) -+ return r; -+ return 0; -+} -+ -+static int -+ssh_sm2_serialize_private(const struct sshkey *key, struct sshbuf *b, -+ enum sshkey_serialize_rep opts) -+{ -+ int r; -+ -+ if ((r = sshkey_ecdsa_funcs.serialize_private(key, b, opts)) != 0) -+ return r; -+ -+ return 0; -+} -+ -+static int -+ssh_sm2_deserialize_private(const char *ktype, struct sshbuf *b, -+ struct sshkey *key) -+{ -+ int r; -+ -+ if ((r = sshkey_ecdsa_funcs.deserialize_private(ktype, b, key)) != 0) -+ return r; -+ -+ return 0; -+} -+ -+static int -+ssh_sm2_generate(struct sshkey *k, int bits) -+{ -+ EC_KEY *private; -+ -+ k->ecdsa_nid = NID_sm2; -+ if ((private = EC_KEY_new_by_curve_name(k->ecdsa_nid)) == NULL) -+ return SSH_ERR_ALLOC_FAIL; -+ if (EC_KEY_generate_key(private) != 1) { -+ EC_KEY_free(private); -+ return SSH_ERR_LIBCRYPTO_ERROR; -+ } -+ EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE); -+ k->ecdsa = private; -+ return 0; -+} -+ -+static int -+ssh_sm2_copy_public(const struct sshkey *from, struct sshkey *to) -+{ -+ int r; -+ -+ if ((r = 
sshkey_ecdsa_funcs.copy_public(from, to)) != 0) -+ return r; -+ return 0; -+} -+ -+static int -+sm2_get_sig(EVP_PKEY *pkey, const u_char *data, -+ size_t datalen, u_char *sig, size_t *slen) -+{ -+ EVP_PKEY_CTX *pctx = NULL; -+ EVP_MD_CTX *mctx = NULL; -+ int ret = SSH_ERR_INTERNAL_ERROR; -+ -+ if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) { -+ ret = SSH_ERR_ALLOC_FAIL; -+ goto out; -+ } -+ if ((mctx = EVP_MD_CTX_new()) == NULL) { -+ ret = SSH_ERR_ALLOC_FAIL; -+ goto out; -+ } -+ if (EVP_PKEY_CTX_set1_id(pctx, sm2_id, 16) != 1) { -+ ret = SSH_ERR_INTERNAL_ERROR; -+ goto out; -+ } -+ -+ EVP_MD_CTX_set_pkey_ctx(mctx, pctx); -+ -+ if ((EVP_DigestSignInit(mctx, NULL, EVP_sm3(), NULL, pkey)) != 1) { -+ ret = SSH_ERR_INTERNAL_ERROR; -+ goto out; -+ } -+ -+ if ((EVP_DigestSignUpdate(mctx, data, datalen)) != 1) { -+ ret = SSH_ERR_INTERNAL_ERROR; -+ goto out; -+ } -+ -+ if ((EVP_DigestSignFinal(mctx, sig, slen)) != 1) { -+ ret = SSH_ERR_INTERNAL_ERROR; -+ goto out; -+ } -+ ret = 0; -+ -+out: -+ EVP_PKEY_CTX_free(pctx); -+ EVP_MD_CTX_free(mctx); -+ return ret; -+} -+ -+static int -+ssh_sm2_sign(struct sshkey *key, -+ u_char **sigp, size_t *lenp, -+ const u_char *data, size_t datalen, -+ const char *alg, const char *sk_provider, const char *sk_pin, u_int compat) ++int ++ssh_sm2_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, ++ const u_char *data, size_t datalen, u_int compat) +{ + u_char *sig = NULL; -+ size_t slen = 0; ++ size_t slen = 0; + int pkey_len = 0; + int r = 0; + int len = 0; + EVP_PKEY *key_sm2 = NULL; -+ struct sshbuf *b = NULL; -+ int ret = SSH_ERR_INTERNAL_ERROR; ++ struct sshbuf *b = NULL; ++ EVP_PKEY_CTX *pctx = NULL; ++ EVP_MD_CTX *mctx = NULL; ++ int ret = SSH_ERR_INTERNAL_ERROR; + -+ if (lenp != NULL) -+ *lenp = 0; -+ if (sigp != NULL) -+ *sigp = NULL; ++ if (lenp != NULL) ++ *lenp = 0; ++ if (sigp != NULL) ++ *sigp = NULL; + + if (key == NULL || key->ecdsa == NULL || -+ sshkey_type_plain(key->type) != KEY_SM2) ++ 
sshkey_type_plain(key->type) != KEY_SM2) + return SSH_ERR_INVALID_ARGUMENT; + + if ((key_sm2 = EVP_PKEY_new()) == NULL) { 
@@ -1105,201 +974,187 @@ index 0000000..75e9731 + goto out; + } + -+ if ((pkey_len = EVP_PKEY_size(key_sm2)) == 0) { -+ ret = SSH_ERR_INVALID_ARGUMENT; ++ if ((pkey_len = EVP_PKEY_size(key_sm2)) == 0) { ++ ret = SSH_ERR_INVALID_ARGUMENT; + goto out; -+ } ++ } + + slen = pkey_len; -+ -+ if ((sig = OPENSSL_malloc(pkey_len)) == NULL) { -+ ret = SSH_ERR_ALLOC_FAIL; -+ goto out; -+ } -+ -+ if (ret = sm2_get_sig(key_sm2, data, datalen, sig, &slen)) { ++ ++ if ((EVP_PKEY_set_alias_type(key_sm2, EVP_PKEY_SM2)) != 1) { ++ ret = SSH_ERR_INTERNAL_ERROR; + goto out; + } + -+ if ((b = sshbuf_new()) == NULL) { ++ if ((sig = OPENSSL_malloc(pkey_len)) == NULL) { + ret = SSH_ERR_ALLOC_FAIL; + goto out; -+ } -+ -+ if ((r = sshbuf_put_cstring(b, "sm2")) != 0 || -+ (r = sshbuf_put_string(b, sig, slen)) != 0) -+ goto out; -+ len = sshbuf_len(b); -+ if (sigp != NULL) { -+ if ((*sigp = malloc(len)) == NULL) { -+ ret = SSH_ERR_ALLOC_FAIL; -+ goto out; -+ } -+ memcpy(*sigp, sshbuf_ptr(b), len); -+ } -+ if (lenp != NULL) -+ *lenp = len; -+ ret = 0; -+ -+out: -+ EVP_PKEY_free(key_sm2); -+ if (sig != NULL) { -+ explicit_bzero(sig, slen); -+ OPENSSL_free(sig); -+ } -+ sshbuf_free(b); -+ return ret; -+} -+ -+static int -+sm2_verify_sig(EVP_PKEY *pkey, const u_char *data, -+ size_t datalen, const u_char *sig, size_t slen) -+{ -+ EVP_PKEY_CTX *pctx = NULL; -+ EVP_MD_CTX *mctx = NULL; -+ int ret = SSH_ERR_INTERNAL_ERROR; ++ } + -+ if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) { ++ if ((pctx = EVP_PKEY_CTX_new(key_sm2, NULL)) == NULL) { + ret = SSH_ERR_ALLOC_FAIL; -+ goto out; -+ } -+ -+ if ((mctx = EVP_MD_CTX_new()) == NULL) { -+ ret = SSH_ERR_ALLOC_FAIL; -+ goto out; ++ goto out; + } + + if (EVP_PKEY_CTX_set1_id(pctx, sm2_id, 16) != 1) { + ret = SSH_ERR_INTERNAL_ERROR; -+ goto out; ++ goto out; + } ++ ++ if ((mctx = EVP_MD_CTX_new()) == NULL) { ++ ret = SSH_ERR_ALLOC_FAIL; ++ goto out; ++ } ++ + EVP_MD_CTX_set_pkey_ctx(mctx, pctx); + -+ if ((EVP_DigestVerifyInit(mctx, NULL, EVP_sm3(), NULL, 
pkey)) != 1) { ++ if ((EVP_DigestSignInit(mctx, NULL, EVP_sm3(), NULL, key_sm2)) != 1) { + ret = SSH_ERR_INTERNAL_ERROR; + goto out; + } + -+ if ((EVP_DigestVerifyUpdate(mctx, data, datalen)) != 1) { ++ if ((EVP_DigestSignUpdate(mctx, data, datalen)) != 1) { + ret = SSH_ERR_INTERNAL_ERROR; -+ goto out; ++ goto out; + } -+ -+ if ((EVP_DigestVerifyFinal(mctx, sig, slen)) != 1) { ++ ++ if ((EVP_DigestSignFinal(mctx, sig, &slen)) != 1) { + ret = SSH_ERR_INTERNAL_ERROR; -+ goto out; ++ goto out; + } + ++ if ((b = sshbuf_new()) == NULL) { ++ ret = SSH_ERR_ALLOC_FAIL; ++ goto out; ++ } ++ ++ if ((r = sshbuf_put_cstring(b, "sm2")) != 0 || ++ (r = sshbuf_put_string(b, sig, slen)) != 0) ++ goto out; ++ len = sshbuf_len(b); ++ if (sigp != NULL) { ++ if ((*sigp = malloc(len)) == NULL) { ++ ret = SSH_ERR_ALLOC_FAIL; ++ goto out; ++ } ++ memcpy(*sigp, sshbuf_ptr(b), len); ++ } ++ if (lenp != NULL) ++ *lenp = len; + ret = 0; ++ +out: ++ EVP_PKEY_free(key_sm2); ++ if (sig != NULL) { ++ explicit_bzero(sig, slen); ++ OPENSSL_free(sig); ++ } + EVP_PKEY_CTX_free(pctx); + EVP_MD_CTX_free(mctx); ++ sshbuf_free(b); + return ret; +} + -+static int ++int +ssh_sm2_verify(const struct sshkey *key, + const u_char *signature, size_t signaturelen, -+ const u_char *data, size_t datalen, const char *alg, u_int compat, -+ struct sshkey_sig_details **detailsp) ++ const u_char *data, size_t datalen, u_int compat) +{ + const u_char *sig = NULL; + char *ktype = NULL; + size_t slen = 0; -+ int pkey_len = 0; -+ int r = 0; -+ int len = 0; ++ int pkey_len = 0; ++ int r = 0; ++ int len = 0; + EVP_PKEY *key_sm2 = NULL; -+ struct sshbuf *b = NULL; -+ int ret = SSH_ERR_INTERNAL_ERROR; ++ struct sshbuf *b = NULL; ++ EVP_PKEY_CTX *pctx = NULL; ++ EVP_MD_CTX *mctx = NULL; ++ int ret = SSH_ERR_INTERNAL_ERROR; + -+ if (key == NULL || -+ sshkey_type_plain(key->type) != KEY_SM2 || -+ signature == NULL || signaturelen == 0) -+ return SSH_ERR_INVALID_ARGUMENT; ++ if (key == NULL || ++ sshkey_type_plain(key->type) != 
KEY_SM2 || ++ signature == NULL || signaturelen == 0) ++ return SSH_ERR_INVALID_ARGUMENT; + -+ if ((b = sshbuf_from(signature, signaturelen)) == NULL) -+ return SSH_ERR_ALLOC_FAIL; ++ if ((b = sshbuf_from(signature, signaturelen)) == NULL) ++ return SSH_ERR_ALLOC_FAIL; + -+ if ((r = sshbuf_get_cstring(b, &ktype, NULL)) != 0 || -+ (r = sshbuf_get_string_direct(b, &sig, &slen)) != 0) -+ goto out; ++ if ((r = sshbuf_get_cstring(b, &ktype, NULL)) != 0 || ++ (r = sshbuf_get_string_direct(b, &sig, &slen)) != 0) ++ goto out; + + if (strcmp("sm2", ktype) != 0) { -+ ret = SSH_ERR_KEY_TYPE_MISMATCH; -+ goto out; ++ ret = SSH_ERR_KEY_TYPE_MISMATCH; ++ goto out; + } + -+ if (sshbuf_len(b) != 0) { -+ ret = SSH_ERR_UNEXPECTED_TRAILING_DATA; -+ goto out; -+ } ++ if (sshbuf_len(b) != 0) { ++ ret = SSH_ERR_UNEXPECTED_TRAILING_DATA; ++ goto out; ++ } + -+ if ((key_sm2 = EVP_PKEY_new()) == NULL) { -+ ret = SSH_ERR_ALLOC_FAIL; -+ goto out; -+ } ++ if ((key_sm2 = EVP_PKEY_new()) == NULL) { ++ ret = SSH_ERR_ALLOC_FAIL; ++ goto out; ++ } + -+ if ((EVP_PKEY_set1_EC_KEY(key_sm2, key->ecdsa)) != 1) { ++ if ((EVP_PKEY_set1_EC_KEY(key_sm2, key->ecdsa)) != 1) { ++ ret = SSH_ERR_INTERNAL_ERROR; ++ goto out; ++ } ++ ++ if ((pkey_len = EVP_PKEY_size(key_sm2)) == 0) { ++ ret = SSH_ERR_INVALID_ARGUMENT; ++ goto out; ++ } ++ ++ if ((EVP_PKEY_set_alias_type(key_sm2, EVP_PKEY_SM2)) != 1) { ++ ret = SSH_ERR_INTERNAL_ERROR; ++ goto out; ++ } ++ ++ if ((pctx = EVP_PKEY_CTX_new(key_sm2, NULL)) == NULL) { ++ ret = SSH_ERR_ALLOC_FAIL; ++ goto out; ++ } ++ ++ if (EVP_PKEY_CTX_set1_id(pctx, sm2_id, 16) != 1) { ++ ret = SSH_ERR_INTERNAL_ERROR; ++ goto out; ++ } ++ ++ if ((mctx = EVP_MD_CTX_new()) == NULL) { ++ ret = SSH_ERR_ALLOC_FAIL; ++ goto out; ++ } ++ ++ EVP_MD_CTX_set_pkey_ctx(mctx, pctx); ++ ++ if ((EVP_DigestVerifyInit(mctx, NULL, EVP_sm3(), NULL, key_sm2)) != 1) { + ret = SSH_ERR_INTERNAL_ERROR; -+ goto out; ++ goto out; + } -+ -+ if ((pkey_len = EVP_PKEY_size(key_sm2)) == 0) { -+ ret = 
SSH_ERR_INVALID_ARGUMENT; -+ goto out; ++ ++ if ((EVP_DigestVerifyUpdate(mctx, data, datalen)) != 1) { ++ ret = SSH_ERR_INTERNAL_ERROR; ++ goto out; + } -+ -+ if (ret = sm2_verify_sig(key_sm2, data, datalen, sig, slen)) { -+ goto out; ++ ++ if ((EVP_DigestVerifyFinal(mctx, sig, slen)) != 1) { ++ ret = SSH_ERR_INTERNAL_ERROR; ++ goto out; + } + + ret = 0; +out: + EVP_PKEY_free(key_sm2); -+ sshbuf_free(b); ++ EVP_PKEY_CTX_free(pctx); ++ EVP_MD_CTX_free(mctx); ++ sshbuf_free(b); + free(ktype); + return ret; +} -+ -+static const struct sshkey_impl_funcs sshkey_sm2_funcs = { -+ /* .size = */ NULL, -+ /* .alloc = */ NULL, -+ /* .cleanup = */ ssh_sm2_cleanup, -+ /* .equal = */ ssh_sm2_equal, -+ /* .ssh_serialize_public = */ ssh_sm2_serialize_public, -+ /* .ssh_deserialize_public = */ ssh_sm2_deserialize_public, -+ /* .ssh_serialize_private = */ ssh_sm2_serialize_private, -+ /* .ssh_deserialize_private = */ssh_sm2_deserialize_private, -+ /* .generate = */ ssh_sm2_generate, -+ /* .copy_public = */ ssh_sm2_copy_public, -+ /* .sign = */ ssh_sm2_sign, -+ /* .verify = */ ssh_sm2_verify, -+}; -+ -+const struct sshkey_impl sshkey_sm2_impl = { -+ /* .name = */ "sm2", -+ /* .shortname = */ "SM2", -+ /* .sigalg = */ NULL, -+ /* .type = */ KEY_SM2, -+ /* .nid = */ NID_sm2, -+ /* .cert = */ 0, -+ /* .sigonly = */ 0, -+ /* .keybits = */ 256, -+ /* .funcs = */ &sshkey_sm2_funcs, -+}; -+ -+const struct sshkey_impl sshkey_sm2_cert_impl = { -+ /* .name = */ "sm2-cert", -+ /* .shortname = */ "SM2-CERT", -+ /* .sigalg = */ NULL, -+ /* .type = */ KEY_SM2_CERT, -+ /* .nid = */ NID_sm2, -+ /* .cert = */ 1, -+ /* .sigonly = */ 0, -+ /* .keybits = */ 256, -+ /* .funcs = */ &sshkey_sm2_funcs, -+}; diff --git a/ssh_api.c b/ssh_api.c index d3c6617..adc2598 100644 --- a/ssh_api.c @@ -1321,10 +1176,10 @@ index d3c6617..adc2598 100644 #endif /* WITH_OPENSSL */ ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client; 
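Review bot: In the new ssh_sm2_verify a signature that merely fails to verify is reported as SSH_ERR_INTERNAL_ERROR, because `EVP_DigestVerifyFinal(mctx, sig, slen)` returns 0 for a mismatch and a negative value for a libcrypto failure and the `!= 1` test collapses both; ssh_ecdsa_verify keeps them apart, so with this code the auth log, and anything watching it, records an internal error where a client presented an invalid SM2 signature. Suggested replacement for that check: `if ((r = EVP_DigestVerifyFinal(mctx, sig, slen)) != 1) {` / `ret = (r == 0) ? SSH_ERR_SIGNATURE_INVALID : SSH_ERR_LIBCRYPTO_ERROR;` / `goto out;`. The same INTERNAL_ERROR mapping is used for every libcrypto failure in ssh_sm2_sign, which begins in the preceding hunk, where SSH_ERR_LIBCRYPTO_ERROR is the convention the rest of sshkey follows. Also note that, unlike ssh_ecdsa_verify, the argument check does not reject `key->ecdsa == NULL` before `EVP_PKEY_set1_EC_KEY(key_sm2, key->ecdsa)`, and the raw DER blob taken from the wire is handed to libcrypto without a local canonical-encoding check, so rejection of non-canonical or trailing-byte encodings rests entirely on the libcrypto version in use — worth confirming for the versions this package targets.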
diff --git a/sshconnect2.c b/sshconnect2.c -index 3acfdb6..3fbff57 100644 +index fafc0a2..9a01f1a 100644 --- a/sshconnect2.c +++ b/sshconnect2.c -@@ -326,6 +326,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, +@@ -327,6 +327,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, ssh->kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; # ifdef OPENSSL_HAS_ECC ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client; @@ -1333,10 +1188,10 @@ index 3acfdb6..3fbff57 100644 # ifdef GSSAPI if (options.gss_keyex) { diff --git a/sshd.c b/sshd.c -index f366457..52c66ed 100644 +index 8424e33..57d70fe 100644 --- a/sshd.c +++ b/sshd.c -@@ -695,6 +695,7 @@ list_hostkey_types(void) +@@ -706,6 +706,7 @@ list_hostkey_types(void) /* FALLTHROUGH */ case KEY_DSA: case KEY_ECDSA: @@ -1344,7 +1199,7 @@ index f366457..52c66ed 100644 case KEY_ED25519: case KEY_ECDSA_SK: case KEY_ED25519_SK: -@@ -716,6 +717,7 @@ list_hostkey_types(void) +@@ -727,6 +728,7 @@ list_hostkey_types(void) /* FALLTHROUGH */ case KEY_DSA_CERT: case KEY_ECDSA_CERT: @@ -1352,7 +1207,7 @@ index f366457..52c66ed 100644 case KEY_ED25519_CERT: case KEY_ECDSA_SK_CERT: case KEY_ED25519_SK_CERT: -@@ -742,6 +744,7 @@ get_hostkey_by_type(int type, int nid, int need_private, struct ssh *ssh) +@@ -753,6 +755,7 @@ get_hostkey_by_type(int type, int nid, int need_private, struct ssh *ssh) case KEY_RSA_CERT: case KEY_DSA_CERT: case KEY_ECDSA_CERT: @@ -1360,7 +1215,7 @@ index f366457..52c66ed 100644 case KEY_ED25519_CERT: case KEY_ECDSA_SK_CERT: case KEY_ED25519_SK_CERT: -@@ -758,8 +761,10 @@ get_hostkey_by_type(int type, int nid, int need_private, struct ssh *ssh) +@@ -769,8 +772,10 @@ get_hostkey_by_type(int type, int nid, int need_private, struct ssh *ssh) continue; switch (type) { case KEY_ECDSA: 
@@ -1371,7 +1226,7 @@ index f366457..52c66ed 100644 case KEY_ECDSA_SK_CERT: if (key->ecdsa_nid != nid) continue; -@@ -2012,6 +2017,7 @@ main(int ac, char **av) +@@ -1983,6 +1988,7 @@ main(int ac, char **av) case KEY_RSA: case KEY_DSA: case KEY_ECDSA: @@ -1379,7 +1234,7 @@ index f366457..52c66ed 100644 case KEY_ED25519: case KEY_ECDSA_SK: case KEY_ED25519_SK: -@@ -2573,6 +2579,7 @@ do_ssh2_kex(struct ssh *ssh) +@@ -2572,6 +2578,7 @@ do_ssh2_kex(struct ssh *ssh) kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; # ifdef OPENSSL_HAS_ECC kex->kex[KEX_ECDH_SHA2] = kex_gen_server; @@ -1388,28 +1243,19 @@ index f366457..52c66ed 100644 # ifdef GSSAPI if (options.gss_keyex) { diff --git a/sshkey.c b/sshkey.c -index 1735159..1aee244 100644 +index b0c2189..51f8e51 100644 --- a/sshkey.c +++ b/sshkey.c -@@ -130,6 +130,8 @@ extern const struct sshkey_impl sshkey_dsa_cert_impl; - extern const struct sshkey_impl sshkey_xmss_impl; - extern const struct sshkey_impl sshkey_xmss_cert_impl; - #endif -+extern const struct sshkey_impl sshkey_sm2_impl; -+extern const struct sshkey_impl sshkey_sm2_cert_impl; - - static int ssh_gss_equal(const struct sshkey *, const struct sshkey *) - { -@@ -237,6 +239,8 @@ const struct sshkey_impl * const keyimpls[] = { - &sshkey_xmss_cert_impl, - #endif - &sshkey_gss_kex_impl, -+ &sshkey_sm2_impl, -+ &sshkey_sm2_cert_impl, - NULL +@@ -159,6 +159,8 @@ static const struct keytype keytypes[] = { + # endif /* OPENSSL_HAS_ECC */ + #endif /* WITH_OPENSSL */ + { "null", "null", NULL, KEY_NULL, 0, 0, 0 }, ++ { "sm2", "SM2", NULL, KEY_SM2, NID_sm2, 0, 0 }, ++ { "sm2-cert", "SM2-CERT", NULL, KEY_SM2_CERT, NID_sm2, 1, 0 }, + { NULL, NULL, NULL, -1, -1, 0, 0 } }; -@@ -340,6 +344,8 @@ key_type_is_ecdsa_variant(int type) +@@ -233,6 +235,8 @@ key_type_is_ecdsa_variant(int type) case KEY_ECDSA_CERT: case KEY_ECDSA_SK: case KEY_ECDSA_SK_CERT: 
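Review bot: The two keytypes[] rows added after the `"null"` entry sit below `#endif /* WITH_OPENSSL */` yet reference NID_sm2, an OpenSSL object identifier, so a build without WITH_OPENSSL would not compile and, if it did, would advertise "sm2" as a supported type with no backing implementation. The context lines show the OpenSSL-dependent entries closing just above with `# endif /* OPENSSL_HAS_ECC */`, which is where these two rows belong; alternatively wrap them in `#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) && !defined(OPENSSL_NO_SM2)`, the last condition covering a libcrypto built without SM2, which presumably matters here since ssh-sm2.c calls EVP_sm3() and uses EVP_PKEY_SM2 unconditionally. The sshkey.c file section continues in the following hunks.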
@@ -1418,7 +1264,25 @@ index 1735159..1aee244 100644 return 1; } return 0; -@@ -548,6 +554,8 @@ sshkey_type_plain(int type) +@@ -342,6 +346,8 @@ sshkey_size(const struct sshkey *k) + case KEY_ECDSA_CERT: + case KEY_ECDSA_SK: + case KEY_ECDSA_SK_CERT: ++ case KEY_SM2: ++ case KEY_SM2_CERT: + return sshkey_curve_nid_to_bits(k->ecdsa_nid); + #endif /* WITH_OPENSSL */ + case KEY_ED25519: +@@ -366,6 +372,8 @@ sshkey_type_is_valid_ca(int type) + case KEY_ED25519: + case KEY_ED25519_SK: + case KEY_XMSS: ++ case KEY_SM2: ++ case KEY_SM2_CERT: + return 1; + default: + return 0; +@@ -445,6 +453,8 @@ sshkey_type_plain(int type) return KEY_ED25519_SK; case KEY_XMSS_CERT: return KEY_XMSS; @@ -1427,16 +1291,7 @@ index 1735159..1aee244 100644 default: return type; } -@@ -564,6 +572,8 @@ sshkey_type_certified(int type) - return KEY_DSA_CERT; - case KEY_ECDSA: - return KEY_ECDSA_CERT; -+ case KEY_SM2: -+ return KEY_SM2_CERT; - case KEY_ECDSA_SK: - return KEY_ECDSA_SK_CERT; - case KEY_ED25519: -@@ -670,6 +680,8 @@ sshkey_curve_name_to_nid(const char *name) +@@ -540,6 +550,8 @@ sshkey_curve_name_to_nid(const char *name) else if (strcmp(name, "nistp521") == 0) return NID_secp521r1; # endif /* OPENSSL_HAS_NISTP521 */ @@ -1445,7 +1300,7 @@ index 1735159..1aee244 100644 else return -1; } -@@ -686,6 +698,8 @@ sshkey_curve_nid_to_bits(int nid) +@@ -556,6 +568,8 @@ sshkey_curve_nid_to_bits(int nid) case NID_secp521r1: return 521; # endif /* OPENSSL_HAS_NISTP521 */ @@ -1454,7 +1309,7 @@ index 1735159..1aee244 100644 default: return 0; } -@@ -720,6 +734,8 @@ sshkey_curve_nid_to_name(int nid) +@@ -590,6 +604,8 @@ sshkey_curve_nid_to_name(int nid) case NID_secp521r1: return "nistp521"; # endif /* OPENSSL_HAS_NISTP521 */ 
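Review bot: `sshkey_type_is_valid_ca()` now returns 1 for `KEY_SM2_CERT` as well as `KEY_SM2`, but every other entry in that list (`KEY_ED25519`, `KEY_ED25519_SK`, `KEY_XMSS` in the visible context) is a plain key type; certificate types are kept out so that a certificate can never act as a CA, and as far as I recall this predicate is what the certificate parser and `sshkey_certify_custom()` consult to reject a signature key that is itself a certificate. Adding the `-cert` variant here would let an SM2 certificate sign further certificates, which breaks the single-level trust model the rest of the file enforces. Drop `case KEY_SM2_CERT:` from `sshkey_type_is_valid_ca` and keep only `case KEY_SM2:`; the `sshkey_size()` change in the same hunk is fine since both types share `k->ecdsa_nid`.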
@@ -1463,7 +1318,195 @@ index 1735159..1aee244 100644 default: return NULL; } -@@ -3424,6 +3440,7 @@ sshkey_private_to_blob_pem_pkcs8(struct sshkey *key, struct sshbuf *buf, +@@ -695,6 +711,8 @@ sshkey_new(int type) + case KEY_ECDSA_CERT: + case KEY_ECDSA_SK: + case KEY_ECDSA_SK_CERT: ++ case KEY_SM2: ++ case KEY_SM2_CERT: + /* Cannot do anything until we know the group */ + break; + #endif /* WITH_OPENSSL */ +@@ -749,6 +767,8 @@ sshkey_free(struct sshkey *k) + /* FALLTHROUGH */ + case KEY_ECDSA: + case KEY_ECDSA_CERT: ++ case KEY_SM2: ++ case KEY_SM2_CERT: + EC_KEY_free(k->ecdsa); + k->ecdsa = NULL; + break; +@@ -858,6 +878,8 @@ sshkey_equal_public(const struct sshkey *a, const struct sshkey *b) + /* FALLTHROUGH */ + case KEY_ECDSA_CERT: + case KEY_ECDSA: ++ case KEY_SM2: ++ case KEY_SM2_CERT: + if (a->ecdsa == NULL || b->ecdsa == NULL || + EC_KEY_get0_public_key(a->ecdsa) == NULL || + EC_KEY_get0_public_key(b->ecdsa) == NULL) +@@ -933,6 +955,7 @@ to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain, + #ifdef WITH_OPENSSL + case KEY_DSA_CERT: + case KEY_ECDSA_CERT: ++ case KEY_SM2_CERT: + case KEY_ECDSA_SK_CERT: + case KEY_RSA_CERT: + #endif /* WITH_OPENSSL */ +@@ -962,6 +985,7 @@ to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain, + # ifdef OPENSSL_HAS_ECC + case KEY_ECDSA: + case KEY_ECDSA_SK: ++ case KEY_SM2: + if (key->ecdsa == NULL) + return SSH_ERR_INVALID_ARGUMENT; + if ((ret = sshbuf_put_cstring(b, typename)) != 0 || +@@ -1436,6 +1460,8 @@ sshkey_read(struct sshkey *ret, char **cpp) + case KEY_DSA: + case KEY_ECDSA: + case KEY_ECDSA_SK: ++ case KEY_SM2: ++ case KEY_SM2_CERT: + case KEY_ED25519: + case KEY_ED25519_SK: + case KEY_DSA_CERT: +@@ -1535,6 +1561,7 @@ sshkey_read(struct sshkey *ret, char **cpp) + break; + # ifdef OPENSSL_HAS_ECC + case KEY_ECDSA: ++ case KEY_SM2: + EC_KEY_free(ret->ecdsa); + ret->ecdsa = k->ecdsa; + ret->ecdsa_nid = k->ecdsa_nid; +@@ -1795,7 +1822,7 @@ sshkey_ecdsa_key_to_nid(EC_KEY *k) + } 
+ + static int +-ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap) ++ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap, int sm2) + { + EC_KEY *private; + int ret = SSH_ERR_INTERNAL_ERROR; +@@ -1804,6 +1831,9 @@ ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap) + return SSH_ERR_INVALID_ARGUMENT; + if ((*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) + return SSH_ERR_KEY_LENGTH; ++ if (sm2 && bits == 256) { ++ *nid = NID_sm2; ++ } + *ecdsap = NULL; + if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) { + ret = SSH_ERR_ALLOC_FAIL; +@@ -1857,7 +1887,11 @@ sshkey_generate(int type, u_int bits, struct sshkey **keyp) + # ifdef OPENSSL_HAS_ECC + case KEY_ECDSA: + ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid, +- &k->ecdsa); ++ &k->ecdsa, 0); ++ break; ++ case KEY_SM2: ++ ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid, ++ &k->ecdsa, 1); + break; + # endif /* OPENSSL_HAS_ECC */ + case KEY_RSA: +@@ -1993,6 +2027,8 @@ sshkey_from_private(const struct sshkey *k, struct sshkey **pkp) + case KEY_ECDSA_CERT: + case KEY_ECDSA_SK: + case KEY_ECDSA_SK_CERT: ++ case KEY_SM2: ++ case KEY_SM2_CERT: + n->ecdsa_nid = k->ecdsa_nid; + n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); + if (n->ecdsa == NULL) { +@@ -2548,6 +2584,7 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp, + break; + # ifdef OPENSSL_HAS_ECC + case KEY_ECDSA_CERT: ++ case KEY_SM2_CERT: + case KEY_ECDSA_SK_CERT: + /* Skip nonce */ + if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { +@@ -2557,6 +2594,7 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp, + /* FALLTHROUGH */ + case KEY_ECDSA: + case KEY_ECDSA_SK: ++ case KEY_SM2: + if ((key = sshkey_new(type)) == NULL) { + ret = SSH_ERR_ALLOC_FAIL; + goto out; +@@ -2865,6 +2903,10 @@ sshkey_sign(struct sshkey *key, + case KEY_ECDSA: + r = ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat); + break; ++ case KEY_SM2: ++ case KEY_SM2_CERT: ++ r = ssh_sm2_sign(key, sigp, 
lenp, data, datalen, compat); ++ break; + # endif /* OPENSSL_HAS_ECC */ + case KEY_RSA_CERT: + case KEY_RSA: +@@ -2920,6 +2962,9 @@ sshkey_verify(const struct sshkey *key, + case KEY_ECDSA_CERT: + case KEY_ECDSA: + return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat); ++ case KEY_SM2: ++ case KEY_SM2_CERT: ++ return ssh_sm2_verify(key, sig, siglen, data, dlen, compat); + case KEY_ECDSA_SK_CERT: + case KEY_ECDSA_SK: + return ssh_ecdsa_sk_verify(key, sig, siglen, data, dlen, +@@ -2963,6 +3008,9 @@ sshkey_to_certified(struct sshkey *k) + case KEY_ECDSA: + newtype = KEY_ECDSA_CERT; + break; ++ case KEY_SM2: ++ newtype = KEY_SM2_CERT; ++ break; + case KEY_ECDSA_SK: + newtype = KEY_ECDSA_SK_CERT; + break; +@@ -3067,6 +3115,7 @@ sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg, + break; + # ifdef OPENSSL_HAS_ECC + case KEY_ECDSA_CERT: ++ case KEY_SM2_CERT: + case KEY_ECDSA_SK_CERT: + if ((ret = sshbuf_put_cstring(cert, + sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 || +@@ -3380,6 +3429,7 @@ sshkey_private_serialize_opt(struct sshkey *key, struct sshbuf *buf, + break; + # ifdef OPENSSL_HAS_ECC + case KEY_ECDSA: ++ case KEY_SM2: + if ((r = sshbuf_put_cstring(b, + sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || + (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 || +@@ -3388,6 +3438,7 @@ sshkey_private_serialize_opt(struct sshkey *key, struct sshbuf *buf, + goto out; + break; + case KEY_ECDSA_CERT: ++ case KEY_SM2_CERT: + if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { + r = SSH_ERR_INVALID_ARGUMENT; + goto out; +@@ -3605,6 +3656,7 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) + break; + # ifdef OPENSSL_HAS_ECC + case KEY_ECDSA: ++ case KEY_SM2: + if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) { + r = SSH_ERR_INVALID_ARGUMENT; + goto out; +@@ -3624,6 +3676,7 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) + goto out; + /* FALLTHROUGH */ + case KEY_ECDSA_CERT: ++ case 
KEY_SM2_CERT: + if ((r = sshbuf_get_bignum2(buf, &exponent)) != 0) + goto out; + if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { +@@ -4519,6 +4572,7 @@ sshkey_private_to_blob_pem_pkcs8(struct sshkey *key, struct sshbuf *buf, break; #ifdef OPENSSL_HAS_ECC case KEY_ECDSA: @@ -1471,7 +1514,7 @@ index 1735159..1aee244 100644 if (format == SSHKEY_PRIVATE_PEM) { success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa, cipher, passphrase, len, NULL, NULL); -@@ -3485,6 +3502,7 @@ sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob, +@@ -4580,6 +4634,7 @@ sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob, #ifdef WITH_OPENSSL case KEY_DSA: case KEY_ECDSA: @@ -1479,7 +1522,7 @@ index 1735159..1aee244 100644 case KEY_RSA: break; /* see below */ #endif /* WITH_OPENSSL */ -@@ -3665,6 +3683,9 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, +@@ -4760,6 +4815,9 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk); prv->type = KEY_ECDSA; prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa); @@ -1490,10 +1533,18 @@ index 1735159..1aee244 100644 sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL || sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa), diff --git a/sshkey.h b/sshkey.h -index 8d662d1..c8d2662 100644 +index 43eef5e..3b84096 100644 --- a/sshkey.h +++ b/sshkey.h -@@ -68,6 +68,8 @@ enum sshkey_types { +@@ -31,6 +31,7 @@ + #ifdef WITH_OPENSSL + #include <openssl/rsa.h> + #include <openssl/dsa.h> ++#include <openssl/evp.h> + # ifdef OPENSSL_HAS_ECC + # include <openssl/ec.h> + # include <openssl/ecdsa.h> +@@ -65,6 +66,8 @@ enum sshkey_types { KEY_DSA_CERT, KEY_ECDSA_CERT, KEY_ED25519_CERT, 
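Review bot: In `ecdsa_generate_private_key()` the new `sm2` flag only takes effect when `bits == 256`; for any other size that `sshkey_ecdsa_bits_to_nid()` accepts (384, 521) the function silently generates a NIST-curve key that `sshkey_generate()` then labels `KEY_SM2`, so the key type and the curve disagree and every later `KEY_SM2` path (`sshkey_sign`, `sshkey_private_serialize_opt`, …) operates on the wrong curve. Reject the mismatch instead of ignoring it: `if (sm2 && bits != 256) return SSH_ERR_KEY_LENGTH;` followed by `if (sm2) *nid = NID_sm2;`, replacing the current `if (sm2 && bits == 256)` block. `ecdsa_generate_private_key` and `sshkey_generate` both start and end outside the lines shown.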
@@ -1502,6 +1553,19 @@ index 8d662d1..c8d2662 100644 KEY_XMSS, KEY_XMSS_CERT, KEY_ECDSA_SK, +@@ -323,6 +326,12 @@ int ssh_xmss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, + int ssh_xmss_verify(const struct sshkey *key, + const u_char *signature, size_t signaturelen, + const u_char *data, size_t datalen, u_int compat); ++int ssh_sm2_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, ++ const u_char *data, size_t datalen, u_int compat); ++int ssh_sm2_verify(const struct sshkey *key, ++ const u_char *signature, size_t signaturelen, ++ const u_char *data, size_t datalen, u_int compat); ++ + #endif + + #if !defined(WITH_OPENSSL) -- 2.23.0 diff --git a/feature-openssh-7.4-hima-sftpserver-oom-and-fix.patch b/feature-openssh-7.4-hima-sftpserver-oom-and-fix.patch index 7af483c..3fa984d 100644 --- a/feature-openssh-7.4-hima-sftpserver-oom-and-fix.patch +++ b/feature-openssh-7.4-hima-sftpserver-oom-and-fix.patch @@ -1,20 +1,19 @@ From 6d98c61e18fe65a52e21df9cece74675f9c18125 Mon Sep 17 00:00:00 2001 -From: shenyining <shenyining@huawei.com> +From: s00467541 <shenyining@huawei.com> Date: Thu, 16 Apr 2020 17:13:24 +0800 Subject: [PATCH] sync patch, add new judgement and delete default sftp-put-check.cfg -Signed-off-by: shenyining <shenyining@huawei.com> - +Signed-off-by: s00467541 <shenyining@huawei.com> --- - sftp-server.c | 702 +++++++++++++++++++++++++++++++++++++++++++++++++- - 1 file changed, 690 insertions(+), 12 deletions(-) + sftp-server.c | 703 +++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 691 insertions(+), 12 deletions(-) diff --git a/sftp-server.c b/sftp-server.c -index 5677aa3..4eb06d1 100644 +index 01d6f8f..682c19a 100644 --- a/sftp-server.c +++ b/sftp-server.c -@@ -30,6 +30,12 @@ +@@ -29,6 +29,12 @@ #include <sys/statvfs.h> #endif @@ -27,7 +26,7 @@ index 5677aa3..4eb06d1 100644 #include <dirent.h> #include <errno.h> #include <fcntl.h> -@@ -57,6 +63,17 @@ +@@ -51,6 +57,17 @@ #include "sftp.h" #include "sftp-common.h" 
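Review bot: The `ssh_sm2_sign`/`ssh_sm2_verify` prototypes are placed immediately before the `#endif` that closes the block holding the `ssh_xmss_*` prototypes; in upstream sshkey.h that block is opened by `#ifdef WITH_XMSS` (the opening line is outside the hunk, so please verify), in which case the SM2 declarations are only visible in XMSS-enabled builds and the new `ssh_sm2_sign(...)`/`ssh_sm2_verify(...)` calls added to sshkey.c earlier in this patch become implicit declarations everywhere else. Move the two prototypes after that `#endif`, next to the `ssh_ecdsa_*` prototypes, under the same `OPENSSL_HAS_ECC` condition the implementation depends on.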
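Review bot: The `From:` and `Signed-off-by:` lines of the hima sftp-server patch now carry the internal account id `s00467541` instead of the author's name while the address stays `shenyining@huawei.com`; a Signed-off-by is a DCO attestation and the convention is a real name, and the opaque id makes the patch's provenance harder to trace outside the originating organisation. Keep `From: shenyining <shenyining@huawei.com>` and `Signed-off-by: shenyining <shenyining@huawei.com>` as they were.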
@@ -45,7 +44,7 @@ index 5677aa3..4eb06d1 100644 char *sftp_realpath(const char *, char *); /* sftp-realpath.c */ /* Maximum data read that we are willing to accept */ -@@ -98,6 +115,452 @@ struct Stat { +@@ -89,6 +106,452 @@ struct Stat { Attrib attrib; }; @@ -498,7 +497,7 @@ index 5677aa3..4eb06d1 100644 /* Packet handlers */ static void process_open(u_int32_t id); static void process_close(u_int32_t id); -@@ -755,6 +1218,15 @@ process_open(u_int32_t id) +@@ -695,6 +1158,15 @@ process_open(u_int32_t id) (r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */ (r = decode_attrib(iqueue, &a)) != 0) fatal_fr(r, "parse"); @@ -514,7 +513,7 @@ index 5677aa3..4eb06d1 100644 debug3("request %u: open flags %d", id, pflags); flags = flags_from_portable(pflags); -@@ -788,6 +1260,8 @@ process_open(u_int32_t id) +@@ -728,6 +1200,8 @@ process_open(u_int32_t id) (void) umask(old_umask); /* restore umask to something sane */ if (status != SSH2_FX_OK) send_status(id, status); @@ -523,7 +522,7 @@ index 5677aa3..4eb06d1 100644 free(name); } -@@ -820,6 +1294,17 @@ process_read(u_int32_t id) +@@ -759,6 +1233,17 @@ process_read(u_int32_t id) (r = sshbuf_get_u32(iqueue, &len)) != 0) fatal_fr(r, "parse"); @@ -541,7 +540,7 @@ index 5677aa3..4eb06d1 100644 debug("request %u: read \"%s\" (handle %d) off %llu len %u", id, handle_to_name(handle), handle, (unsigned long long)off, len); if ((fd = handle_to_fd(handle)) == -1) -@@ -874,6 +1359,18 @@ process_write(u_int32_t id) +@@ -800,6 +1285,18 @@ process_write(u_int32_t id) (r = sshbuf_get_string(iqueue, &data, &len)) != 0) fatal_fr(r, "parse"); @@ -560,7 +559,7 @@ index 5677aa3..4eb06d1 100644 debug("request %u: write \"%s\" (handle %d) off %llu len %zu", id, handle_to_name(handle), handle, (unsigned long long)off, len); fd = handle_to_fd(handle); -@@ -888,17 +1385,30 @@ process_write(u_int32_t id) +@@ -813,17 +1310,30 @@ process_write(u_int32_t id) strerror(errno)); } else { /* XXX ATOMICIO ? */ 
@@ -601,7 +600,7 @@ index 5677aa3..4eb06d1 100644 } } } -@@ -917,6 +1427,16 @@ process_do_stat(u_int32_t id, int do_lstat) +@@ -841,6 +1352,16 @@ process_do_stat(u_int32_t id, int do_lstat) if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0) fatal_fr(r, "parse"); @@ -618,7 +617,7 @@ index 5677aa3..4eb06d1 100644 debug3("request %u: %sstat", id, do_lstat ? "l" : ""); verbose("%sstat name \"%s\"", do_lstat ? "l" : "", name); r = do_lstat ? lstat(name, &st) : stat(name, &st); -@@ -953,6 +1473,16 @@ process_fstat(u_int32_t id) +@@ -877,6 +1398,16 @@ process_fstat(u_int32_t id) if ((r = get_handle(iqueue, &handle)) != 0) fatal_fr(r, "parse"); @@ -635,7 +634,7 @@ index 5677aa3..4eb06d1 100644 debug("request %u: fstat \"%s\" (handle %u)", id, handle_to_name(handle), handle); fd = handle_to_fd(handle); -@@ -1005,6 +1535,14 @@ process_setstat(u_int32_t id) +@@ -929,6 +1460,14 @@ process_setstat(u_int32_t id) (r = decode_attrib(iqueue, &a)) != 0) fatal_fr(r, "parse"); @@ -650,7 +649,7 @@ index 5677aa3..4eb06d1 100644 debug("request %u: setstat name \"%s\"", id, name); if (a.flags & SSH2_FILEXFER_ATTR_SIZE) { logit("set \"%s\" size %llu", -@@ -1059,6 +1597,13 @@ process_fsetstat(u_int32_t id) +@@ -983,6 +1522,13 @@ process_fsetstat(u_int32_t id) else { char *name = handle_to_name(handle); @@ -664,7 +663,7 @@ index 5677aa3..4eb06d1 100644 if (a.flags & SSH2_FILEXFER_ATTR_SIZE) { logit("set \"%s\" size %llu", name, (unsigned long long)a.size); -@@ -1116,6 +1661,14 @@ process_opendir(u_int32_t id) +@@ -1040,6 +1586,14 @@ process_opendir(u_int32_t id) if ((r = sshbuf_get_cstring(iqueue, &path, NULL)) != 0) fatal_fr(r, "parse"); 
@@ -679,17 +678,18 @@ index 5677aa3..4eb06d1 100644 debug3("request %u: opendir", id); logit("opendir \"%s\"", path); dirp = opendir(path); -@@ -1170,6 +1723,9 @@ process_readdir(u_int32_t id) +@@ -1094,6 +1648,10 @@ process_readdir(u_int32_t id) strcmp(path, "/") ? "/" : "", dp->d_name); if (lstat(pathname, &st) == -1) continue; -+ if (RETURN_OK != path_permition_check(pathname,FLAG_PERMITOP)) { -+ continue; -+ } ++ if (RETURN_OK != path_permition_check(pathname,FLAG_PERMITOP)) ++ { ++ continue; ++ } stat_to_attrib(&st, &(stats[count].attrib)); stats[count].name = xstrdup(dp->d_name); - stats[count].long_name = ls_file(dp->d_name, &st, -@@ -1202,6 +1758,14 @@ process_remove(u_int32_t id) + stats[count].long_name = ls_file(dp->d_name, &st, 0, 0); +@@ -1125,6 +1683,14 @@ process_remove(u_int32_t id) if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0) fatal_fr(r, "parse"); @@ -704,7 +704,7 @@ index 5677aa3..4eb06d1 100644 debug3("request %u: remove", id); logit("remove name \"%s\"", name); r = unlink(name); -@@ -1221,6 +1785,14 @@ process_mkdir(u_int32_t id) +@@ -1144,6 +1710,14 @@ process_mkdir(u_int32_t id) (r = decode_attrib(iqueue, &a)) != 0) fatal_fr(r, "parse"); @@ -719,7 +719,7 @@ index 5677aa3..4eb06d1 100644 mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm & 07777 : 0777; debug3("request %u: mkdir", id); -@@ -1240,6 +1812,14 @@ process_rmdir(u_int32_t id) +@@ -1163,6 +1737,14 @@ process_rmdir(u_int32_t id) if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0) fatal_fr(r, "parse"); @@ -734,7 +734,7 @@ index 5677aa3..4eb06d1 100644 debug3("request %u: rmdir", id); logit("rmdir name \"%s\"", name); r = rmdir(name); -@@ -1264,8 +1844,12 @@ process_realpath(u_int32_t id) +@@ -1187,8 +1769,12 @@ process_realpath(u_int32_t id) } debug3("request %u: realpath", id); verbose("realpath \"%s\"", path); 
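Review bot: The rewritten `path_permition_check` guard in `process_readdir` puts the opening brace on a line of its own (`+ {`), which is Allman style; every other guard this patch adds, and OpenSSH's KNF, keep `{` on the `if` line, as the previous `-+ if (...) { continue; }` form already did, so the rebase introduces an inconsistency rather than fixing one. Restore `if (RETURN_OK != path_permition_check(pathname, FLAG_PERMITOP)) {` / `continue;` / `}`, adding the missing space after the comma while the line is being touched. `process_readdir` starts and ends outside the hunk.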
@@ -749,7 +749,7 @@ index 5677aa3..4eb06d1 100644 } else { Stat s; attrib_clear(&s.attrib); -@@ -1286,6 +1870,16 @@ process_rename(u_int32_t id) +@@ -1209,6 +1795,16 @@ process_rename(u_int32_t id) (r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0) fatal_fr(r, "parse"); @@ -766,7 +766,7 @@ index 5677aa3..4eb06d1 100644 debug3("request %u: rename", id); logit("rename old \"%s\" new \"%s\"", oldpath, newpath); status = SSH2_FX_FAILURE; -@@ -1345,6 +1939,14 @@ process_readlink(u_int32_t id) +@@ -1268,6 +1864,14 @@ process_readlink(u_int32_t id) if ((r = sshbuf_get_cstring(iqueue, &path, NULL)) != 0) fatal_fr(r, "parse"); @@ -781,7 +781,7 @@ index 5677aa3..4eb06d1 100644 debug3("request %u: readlink", id); verbose("readlink \"%s\"", path); if ((len = readlink(path, buf, sizeof(buf) - 1)) == -1) -@@ -1370,6 +1972,16 @@ process_symlink(u_int32_t id) +@@ -1293,6 +1897,16 @@ process_symlink(u_int32_t id) (r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0) fatal_fr(r, "parse"); @@ -798,7 +798,7 @@ index 5677aa3..4eb06d1 100644 debug3("request %u: symlink", id); logit("symlink old \"%s\" new \"%s\"", oldpath, newpath); /* this will fail if 'newpath' exists */ -@@ -1390,6 +2002,16 @@ process_extended_posix_rename(u_int32_t id) +@@ -1313,6 +1927,16 @@ process_extended_posix_rename(u_int32_t id) (r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0) fatal_fr(r, "parse"); @@ -815,7 +815,7 @@ index 5677aa3..4eb06d1 100644 debug3("request %u: posix-rename", id); logit("posix-rename old \"%s\" new \"%s\"", oldpath, newpath); r = rename(oldpath, newpath); -@@ -1408,6 +2030,15 @@ process_extended_statvfs(u_int32_t id) +@@ -1331,6 +1955,15 @@ process_extended_statvfs(u_int32_t id) if ((r = sshbuf_get_cstring(iqueue, &path, NULL)) != 0) fatal_fr(r, "parse"); 
@@ -831,7 +831,7 @@ index 5677aa3..4eb06d1 100644 debug3("request %u: statvfs", id); logit("statvfs \"%s\"", path); -@@ -1426,6 +2057,17 @@ process_extended_fstatvfs(u_int32_t id) +@@ -1349,6 +1982,17 @@ process_extended_fstatvfs(u_int32_t id) if ((r = get_handle(iqueue, &handle)) != 0) fatal_fr(r, "parse"); @@ -849,7 +849,7 @@ index 5677aa3..4eb06d1 100644 debug("request %u: fstatvfs \"%s\" (handle %u)", id, handle_to_name(handle), handle); if ((fd = handle_to_fd(handle)) < 0) { -@@ -1448,6 +2090,15 @@ process_extended_hardlink(u_int32_t id) +@@ -1371,6 +2015,15 @@ process_extended_hardlink(u_int32_t id) (r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0) fatal_fr(r, "parse"); @@ -865,7 +865,7 @@ index 5677aa3..4eb06d1 100644 debug3("request %u: hardlink", id); logit("hardlink old \"%s\" new \"%s\"", oldpath, newpath); r = link(oldpath, newpath); -@@ -1464,6 +2115,17 @@ process_extended_fsync(u_int32_t id) +@@ -1387,6 +2040,17 @@ process_extended_fsync(u_int32_t id) if ((r = get_handle(iqueue, &handle)) != 0) fatal_fr(r, "parse"); @@ -883,7 +883,7 @@ index 5677aa3..4eb06d1 100644 debug3("request %u: fsync (handle %u)", id, handle); verbose("fsync \"%s\"", handle_to_name(handle)); if ((fd = handle_to_fd(handle)) < 0) -@@ -2006,6 +2668,22 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw, int reset_handle +@@ -1672,6 +2336,22 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw, int reset_handle log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler); @@ -907,5 +907,5 @@ index 5677aa3..4eb06d1 100644 * On platforms where we can, avoid making /proc/self/{mem,maps} * available to the user so that sftp access doesn't automatically -- -2.27.0 +2.23.0 diff --git a/fix-memory-leak-in-kex-exchange.patch b/fix-memory-leak-in-kex-exchange.patch new file mode 100644 index 0000000..c742434 --- /dev/null +++ b/fix-memory-leak-in-kex-exchange.patch 
@@ -0,0 +1,25 @@
+From 7a7862590cbe1f7a9d8957fdc78f324a1bdfc520 Mon Sep 17 00:00:00 2001
+From: songjuntao <songjuntao@kylinos.cn>
+Date: Fri, 2 Feb 2024 15:55:13 +0800
+Subject: [PATCH] fix memory leak in kex exchange function
+
+Signed-off-by: songjuntao <songjuntao@kylinos.cn>
+---
+ sshconnect2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sshconnect2.c b/sshconnect2.c
+index b6e2197..d3ceee4 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -385,6 +385,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
+ free(prop_kex);
+ free(prop_enc);
+ free(prop_hostkey);
++ free(s);
+ }
+
+ /*
+--
+2.33.0
+
diff --git a/openssh-8.0p1-preserve-pam-errors.patch b/openssh-8.0p1-preserve-pam-errors.patch
deleted file mode 100644
index dbdbe93..0000000
--- a/openssh-8.0p1-preserve-pam-errors.patch
+++ /dev/null
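Review bot: `free(s)` is inserted just before a closing brace, alongside the `free(prop_kex)`/`free(prop_enc)`/`free(prop_hostkey)` calls, so it only runs on the path through that block (the enclosing `if` and the rest of `ssh_kex2` are outside the hunk); any other path through `ssh_kex2` still leaks `s`, and if `myproposal[PROPOSAL_KEX_ALGS]` still aliases `s` at this point — that depends on whether `compat_kex_proposal()` in this tree returns its argument or a copy — freeing it before `kex_setup()` consumes the proposal turns the leak into a use-after-free. Free `s` exactly once after `kex_setup()` has run, on every path, and confirm with ASan or valgrind on both branches. The patch header also lacks the `Reference:`/`Conflict:` trailers the other backports in this repository carry; add `Conflict:NA` and a `Reference:` line, or state that the fix is local, so its origin can be traced.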
@@ -1,44 +0,0 @@
-diff -up openssh-8.0p1/auth-pam.c.preserve-pam-errors openssh-8.0p1/auth-pam.c
---- openssh-8.0p1/auth-pam.c.preserve-pam-errors 2021-03-31 17:03:15.618592347 +0200
-+++ openssh-8.0p1/auth-pam.c 2021-03-31 17:06:58.115220014 +0200
-@@ -511,7 +511,11 @@ sshpam_thread(void *ctxtp)
- goto auth_fail;
-
- if (!do_pam_account()) {
-- sshpam_err = PAM_ACCT_EXPIRED;
-+ /* Preserve PAM_PERM_DENIED and PAM_USER_UNKNOWN.
-+ * Backward compatibility for other errors. */
-+ if (sshpam_err != PAM_PERM_DENIED
-+ && sshpam_err != PAM_USER_UNKNOWN)
-+ sshpam_err = PAM_ACCT_EXPIRED;
- goto auth_fail;
- }
- if (sshpam_authctxt->force_pwchange) {
-@@ -568,8 +572,10 @@ sshpam_thread(void *ctxtp)
- pam_strerror(sshpam_handle, sshpam_err))) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
- /* XXX - can't do much about an error here */
-- if (sshpam_err == PAM_ACCT_EXPIRED)
-- ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, buffer);
-+ if (sshpam_err == PAM_PERM_DENIED
-+ || sshpam_err == PAM_USER_UNKNOWN
-+ || sshpam_err == PAM_ACCT_EXPIRED)
-+ ssh_msg_send(ctxt->pam_csock, sshpam_err, buffer);
- else if (sshpam_maxtries_reached)
- ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, buffer);
- else
-@@ -856,10 +862,12 @@ sshpam_query(void *ctx, char **name, cha
- plen++;
- free(msg);
- break;
-+ case PAM_USER_UNKNOWN:
-+ case PAM_PERM_DENIED:
- case PAM_ACCT_EXPIRED:
-+ sshpam_account_status = 0;
-+ /* FALLTHROUGH */
- case PAM_MAXTRIES:
-- if (type == PAM_ACCT_EXPIRED)
-- sshpam_account_status = 0;
- if (type == PAM_MAXTRIES)
- sshpam_set_maxtries_reached(1);
- /* FALLTHROUGH */
diff --git a/openssh-8.7p1-ibmca.patch b/openssh-8.7p1-ibmca.patch
deleted file mode 100644
index 2f2556e..0000000
--- a/openssh-8.7p1-ibmca.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.7p1-ibmca.patch
---- openssh-8.7p1/openbsd-compat/bsd-closefrom.c.orig 2022-04-12 15:47:03.815044607 +0200
-+++ openssh-8.7p1/openbsd-compat/bsd-closefrom.c 2022-04-12 15:48:12.464963511 +0200
-@@ -16,7 +16,7 @@
-
- #include "includes.h"
-
--#if !defined(HAVE_CLOSEFROM) || defined(BROKEN_CLOSEFROM)
-+#if !defined(HAVE_CLOSEFROM) || defined(BROKEN_CLOSEFROM) || (defined __s390__)
-
- #include <sys/types.h>
- #include <unistd.h>
diff --git a/openssh-8.7p1-minrsabits.patch b/openssh-8.7p1-minrsabits.patch
deleted file mode 100644
index 2ed59a3..0000000
--- a/openssh-8.7p1-minrsabits.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff --git a/readconf.c b/readconf.c
-index 7f26c680..42be690b 100644
---- a/readconf.c
-+++ b/readconf.c
-@@ -320,6 +320,7 @@ static struct {
- { "securitykeyprovider", oSecurityKeyProvider },
- { "knownhostscommand", oKnownHostsCommand },
- { "requiredrsasize", oRequiredRSASize },
-+ { "rsaminsize", oRequiredRSASize }, /* alias */
- { "enableescapecommandline", oEnableEscapeCommandline },
-
- { NULL, oBadOption }
-diff --git a/servconf.c b/servconf.c
-index 29df0463..423772b1 100644
---- a/servconf.c
-+++ b/servconf.c
-@@ -676,6 +680,7 @@ static struct {
- { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
- { "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
- { "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },
-+ { "rsaminsize", sRequiredRSASize, SSHCFG_ALL }, /* alias */
- { "channeltimeout", sChannelTimeout, SSHCFG_ALL },
- { "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
- { NULL, sBadOption, 0 }
diff --git a/openssh-8.7p1-negotiate-supported-algs.patch b/openssh-8.7p1-negotiate-supported-algs.patch
deleted file mode 100644
index ee3637f..0000000
--- a/openssh-8.7p1-negotiate-supported-algs.patch
+++ /dev/null
@@ -1,117 +0,0 @@ -diff -up openssh-9.3p1/regress/hostkey-agent.sh.xxx openssh-9.3p1/regress/hostkey-agent.sh ---- openssh-9.3p1/regress/hostkey-agent.sh.xxx 2023-05-29 18:15:56.311236887 +0200 -+++ openssh-9.3p1/regress/hostkey-agent.sh 2023-05-29 18:16:07.598503551 +0200 -@@ -17,8 +17,21 @@ trace "make CA key" - - ${SSHKEYGEN} -qt ed25519 -f $OBJ/agent-ca -N '' || fatal "ssh-keygen CA" - -+PUBKEY_ACCEPTED_ALGOS=`$SSH -G "example.com" | \ -+ grep -i "PubkeyAcceptedAlgorithms" | cut -d ' ' -f2- | tr "," "|"` -+SSH_ACCEPTED_KEYTYPES=`echo "$SSH_KEYTYPES" | egrep "$PUBKEY_ACCEPTED_ALGOS"` -+echo $PUBKEY_ACCEPTED_ALGOS | grep "rsa" -+r=$? -+if [ $r == 0 ]; then -+echo $SSH_ACCEPTED_KEYTYPES | grep "rsa" -+r=$? -+if [ $r -ne 0 ]; then -+SSH_ACCEPTED_KEYTYPES="$SSH_ACCEPTED_KEYTYPES ssh-rsa" -+fi -+fi -+ - trace "load hostkeys" --for k in $SSH_KEYTYPES ; do -+for k in $SSH_ACCEPTED_KEYTYPES ; do - ${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k" - ${SSHKEYGEN} -s $OBJ/agent-ca -qh -n localhost-with-alias \ - -I localhost-with-alias $OBJ/agent-key.$k.pub || \ -@@ -32,12 +48,16 @@ rm $OBJ/agent-ca # Don't need CA private - - unset SSH_AUTH_SOCK - --for k in $SSH_KEYTYPES ; do -+for k in $SSH_ACCEPTED_KEYTYPES ; do - verbose "key type $k" -+ hka=$k -+ if [ $k = "ssh-rsa" ]; then -+ hka="rsa-sha2-512" -+ fi - cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy -- echo "HostKeyAlgorithms $k" >> $OBJ/sshd_proxy -+ echo "HostKeyAlgorithms $hka" >> $OBJ/sshd_proxy - echo "Hostkey $OBJ/agent-key.${k}" >> $OBJ/sshd_proxy -- opts="-oHostKeyAlgorithms=$k -F $OBJ/ssh_proxy" -+ opts="-oHostKeyAlgorithms=$hka -F $OBJ/ssh_proxy" - ( printf 'localhost-with-alias,127.0.0.1,::1 ' ; - cat $OBJ/agent-key.$k.pub) > $OBJ/known_hosts - SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'` -@@ -50,15 +70,16 @@ for k in $SSH_KEYTYPES ; do - done - - SSH_CERTTYPES=`ssh -Q key-sig | grep 'cert-v01@openssh.com'` -+SSH_ACCEPTED_CERTTYPES=`echo "$SSH_CERTTYPES" | egrep 
"$PUBKEY_ACCEPTED_ALGOS"` - - # Prepare sshd_proxy for certificates. - cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy - HOSTKEYALGS="" --for k in $SSH_CERTTYPES ; do -+for k in $SSH_ACCEPTED_CERTTYPES ; do - test -z "$HOSTKEYALGS" || HOSTKEYALGS="${HOSTKEYALGS}," - HOSTKEYALGS="${HOSTKEYALGS}${k}" - done --for k in $SSH_KEYTYPES ; do -+for k in $SSH_ACCEPTED_KEYTYPES ; do - echo "Hostkey $OBJ/agent-key.${k}.pub" >> $OBJ/sshd_proxy - echo "HostCertificate $OBJ/agent-key.${k}-cert.pub" >> $OBJ/sshd_proxy - test -f $OBJ/agent-key.${k}.pub || fatal "no $k key" -@@ -70,7 +93,7 @@ echo "HostKeyAlgorithms $HOSTKEYALGS" >> - ( printf '@cert-authority localhost-with-alias ' ; - cat $OBJ/agent-ca.pub) > $OBJ/known_hosts - --for k in $SSH_CERTTYPES ; do -+for k in $SSH_ACCEPTED_CERTTYPES ; do - verbose "cert type $k" - opts="-oHostKeyAlgorithms=$k -F $OBJ/ssh_proxy" - SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'` -diff -up openssh-9.3p1/sshconnect2.c.xxx openssh-9.3p1/sshconnect2.c ---- openssh-9.3p1/sshconnect2.c.xxx 2023-04-26 17:37:35.100827792 +0200 -+++ openssh-9.3p1/sshconnect2.c 2023-04-26 17:50:31.860748877 +0200 -@@ -221,7 +221,7 @@ ssh_kex2(struct ssh *ssh, char *host, st - const struct ssh_conn_info *cinfo) - { - char *myproposal[PROPOSAL_MAX]; -- char *s, *all_key, *hkalgs = NULL; -+ char *s, *all_key, *hkalgs = NULL, *filtered_algs = NULL; - int r, use_known_hosts_order = 0; - - #if defined(GSSAPI) && defined(WITH_OPENSSL) -@@ -260,9 +260,21 @@ ssh_kex2(struct ssh *ssh, char *host, st - if (use_known_hosts_order) - hkalgs = order_hostkeyalgs(host, hostaddr, port, cinfo); - -+ filtered_algs = hkalgs ? 
match_filter_allowlist(hkalgs, options.pubkey_accepted_algos) -+ : match_filter_allowlist(options.hostkeyalgorithms, -+ options.pubkey_accepted_algos); -+ if (filtered_algs == NULL) { -+ if (hkalgs) -+ fatal_f("No match between algorithms for %s (host %s) and pubkey accepted algorithms %s", -+ hkalgs, host, options.pubkey_accepted_algos); -+ else -+ fatal_f("No match between host key algorithms %s and pubkey accepted algorithms %s", -+ options.hostkeyalgorithms, options.pubkey_accepted_algos); -+ } -+ - kex_proposal_populate_entries(ssh, myproposal, s, options.ciphers, - options.macs, compression_alg_list(options.compression), -- hkalgs ? hkalgs : options.hostkeyalgorithms); -+ filtered_algs); - - #if defined(GSSAPI) && defined(WITH_OPENSSL) - if (options.gss_keyex) { -@@ -303,6 +315,7 @@ ssh_kex2(struct ssh *ssh, char *host, st - #endif - - free(hkalgs); -+ free(filtered_algs); - - /* start key exchange */ - if ((r = kex_setup(ssh, myproposal)) != 0) diff --git a/openssh-8.7p1-recursive-scp.patch b/openssh-8.7p1-recursive-scp.patch deleted file mode 100644 index f0d9b0f..0000000 --- a/openssh-8.7p1-recursive-scp.patch +++ /dev/null 
@@ -1,181 +0,0 @@ -diff -up openssh-8.7p1/scp.c.scp-sftpdirs openssh-8.7p1/scp.c ---- openssh-8.7p1/scp.c.scp-sftpdirs 2022-02-07 12:31:07.407740407 +0100 -+++ openssh-8.7p1/scp.c 2022-02-07 12:31:07.409740424 +0100 -@@ -1324,7 +1324,7 @@ source_sftp(int argc, char *src, char *t - - if (src_is_dir && iamrecursive) { - if (upload_dir(conn, src, abs_dst, pflag, -- SFTP_PROGRESS_ONLY, 0, 0, 1, 1) != 0) { -+ SFTP_PROGRESS_ONLY, 0, 0, 1, 1, 1) != 0) { - error("failed to upload directory %s to %s", src, targ); - errs = 1; - } -diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c ---- openssh-8.7p1/sftp-client.c.scp-sftpdirs 2021-08-20 06:03:49.000000000 +0200 -+++ openssh-8.7p1/sftp-client.c 2022-02-07 12:47:59.117516131 +0100 -@@ -971,7 +971,7 @@ do_fsetstat(struct sftp_conn *conn, cons - - /* Implements both the realpath and expand-path operations */ - static char * --do_realpath_expand(struct sftp_conn *conn, const char *path, int expand) -+do_realpath_expand(struct sftp_conn *conn, const char *path, int expand, int create_dir) - { - struct sshbuf *msg; - u_int expected_id, count, id; -@@ -1033,11 +1033,43 @@ do_realpath_expand(struct sftp_conn *con - if ((r = sshbuf_get_u32(msg, &status)) != 0 || - (r = sshbuf_get_cstring(msg, &errmsg, NULL)) != 0) - fatal_fr(r, "parse status"); -- error("%s %s: %s", expand ? "expand" : "realpath", -- path, *errmsg == '\0' ? 
fx2txt(status) : errmsg); -- free(errmsg); -- sshbuf_free(msg); -- return NULL; -+ if ((status == SSH2_FX_NO_SUCH_FILE) && create_dir) { -+ memset(&a, '\0', sizeof(a)); -+ if ((r = do_mkdir(conn, path, &a, 0)) != 0) { -+ sshbuf_free(msg); -+ return NULL; -+ } -+ debug2("Sending SSH2_FXP_REALPATH \"%s\" - create dir", path); -+ send_string_request(conn, id, SSH2_FXP_REALPATH, -+ path, strlen(path)); -+ -+ get_msg(conn, msg); -+ if ((r = sshbuf_get_u8(msg, &type)) != 0 || -+ (r = sshbuf_get_u32(msg, &id)) != 0) -+ fatal_fr(r, "parse"); -+ -+ if (id != expected_id) -+ fatal("ID mismatch (%u != %u)", id, expected_id); -+ -+ if (type == SSH2_FXP_STATUS) { -+ free(errmsg); -+ -+ if ((r = sshbuf_get_u32(msg, &status)) != 0 || -+ (r = sshbuf_get_cstring(msg, &errmsg, NULL)) != 0) -+ fatal_fr(r, "parse status"); -+ error("%s %s: %s", expand ? "expand" : "realpath", -+ path, *errmsg == '\0' ? fx2txt(status) : errmsg); -+ free(errmsg); -+ sshbuf_free(msg); -+ return NULL; -+ } -+ } else { -+ error("%s %s: %s", expand ? "expand" : "realpath", -+ path, *errmsg == '\0' ? 
fx2txt(status) : errmsg); -+ free(errmsg); -+ sshbuf_free(msg); -+ return NULL; -+ } - } else if (type != SSH2_FXP_NAME) - fatal("Expected SSH2_FXP_NAME(%u) packet, got %u", - SSH2_FXP_NAME, type); -@@ -1039,9 +1067,9 @@ do_realpath_expand(struct sftp_conn *con - } - - char * --do_realpath(struct sftp_conn *conn, const char *path) -+do_realpath(struct sftp_conn *conn, const char *path, int create_dir) - { -- return do_realpath_expand(conn, path, 0); -+ return do_realpath_expand(conn, path, 0, create_dir); - } - - int -@@ -1055,9 +1083,9 @@ do_expand_path(struct sftp_conn *conn, c - { - if (!can_expand_path(conn)) { - debug3_f("no server support, fallback to realpath"); -- return do_realpath_expand(conn, path, 0); -+ return do_realpath_expand(conn, path, 0, 0); - } -- return do_realpath_expand(conn, path, 1); -+ return do_realpath_expand(conn, path, 1, 0); - } - - int -@@ -1807,7 +1835,7 @@ download_dir(struct sftp_conn *conn, con - char *src_canon; - int ret; - -- if ((src_canon = do_realpath(conn, src)) == NULL) { -+ if ((src_canon = do_realpath(conn, src, 0)) == NULL) { - error("download \"%s\": path canonicalization failed", src); - return -1; - } -@@ -2115,12 +2143,12 @@ upload_dir_internal(struct sftp_conn *co - int - upload_dir(struct sftp_conn *conn, const char *src, const char *dst, - int preserve_flag, int print_flag, int resume, int fsync_flag, -- int follow_link_flag, int inplace_flag) -+ int follow_link_flag, int inplace_flag, int create_dir) - { - char *dst_canon; - int ret; - -- if ((dst_canon = do_realpath(conn, dst)) == NULL) { -+ if ((dst_canon = do_realpath(conn, dst, create_dir)) == NULL) { - error("upload \"%s\": path canonicalization failed", dst); - return -1; - } -@@ -2557,7 +2585,7 @@ crossload_dir(struct sftp_conn *from, st - char *from_path_canon; - int ret; - -- if ((from_path_canon = do_realpath(from, from_path)) == NULL) { -+ if ((from_path_canon = do_realpath(from, from_path, 0)) == NULL) { - error("crossload \"%s\": path 
canonicalization failed", - from_path); - return -1; -diff -up openssh-8.7p1/sftp-client.h.scp-sftpdirs openssh-8.7p1/sftp-client.h ---- openssh-8.7p1/sftp-client.h.scp-sftpdirs 2021-08-20 06:03:49.000000000 +0200 -+++ openssh-8.7p1/sftp-client.h 2022-02-07 12:31:07.410740433 +0100 -@@ -111,7 +111,7 @@ int do_fsetstat(struct sftp_conn *, cons - int do_lsetstat(struct sftp_conn *conn, const char *path, Attrib *a); - - /* Canonicalise 'path' - caller must free result */ --char *do_realpath(struct sftp_conn *, const char *); -+char *do_realpath(struct sftp_conn *, const char *, int); - - /* Canonicalisation with tilde expansion (requires server extension) */ - char *do_expand_path(struct sftp_conn *, const char *); -@@ -159,7 +159,7 @@ int do_upload(struct sftp_conn *, const - * times if 'pflag' is set - */ - int upload_dir(struct sftp_conn *, const char *, const char *, -- int, int, int, int, int, int); -+ int, int, int, int, int, int, int); - - /* - * Download a 'from_path' from the 'from' connection and upload it to -diff -up openssh-8.7p1/sftp.c.scp-sftpdirs openssh-8.7p1/sftp.c ---- openssh-8.7p1/sftp.c.scp-sftpdirs 2021-08-20 06:03:49.000000000 +0200 -+++ openssh-8.7p1/sftp.c 2022-02-07 12:31:07.411740442 +0100 -@@ -760,7 +760,7 @@ process_put(struct sftp_conn *conn, cons - if (globpath_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) { - if (upload_dir(conn, g.gl_pathv[i], abs_dst, - pflag || global_pflag, 1, resume, -- fflag || global_fflag, 0, 0) == -1) -+ fflag || global_fflag, 0, 0, 0) == -1) - err = -1; - } else { - if (do_upload(conn, g.gl_pathv[i], abs_dst, -@@ -1577,7 +1577,7 @@ parse_dispatch_command(struct sftp_conn - if (path1 == NULL || *path1 == '\0') - path1 = xstrdup(startdir); - path1 = make_absolute(path1, *pwd); -- if ((tmp = do_realpath(conn, path1)) == NULL) { -+ if ((tmp = do_realpath(conn, path1, 0)) == NULL) { - err = 1; - break; - } -@@ -2160,7 +2160,7 @@ interactive_loop(struct sftp_conn *conn, - } - #endif /* USE_LIBEDIT */ - -- 
remote_path = do_realpath(conn, ".");
-+ remote_path = do_realpath(conn, ".", 0);
- if (remote_path == NULL)
- fatal("Need cwd");
- startdir = xstrdup(remote_path);
diff --git a/openssh-8.7p1-ssh-manpage.patch b/openssh-8.7p1-ssh-manpage.patch
deleted file mode 100644
index c7f6f1e..0000000
--- a/openssh-8.7p1-ssh-manpage.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-diff --color -ru a/ssh.1 b/ssh.1
---- a/ssh.1 2022-07-12 11:47:51.307295880 +0200
-+++ b/ssh.1 2022-07-12 11:50:28.793363263 +0200
-@@ -493,6 +493,7 @@
- .It AddressFamily
- .It BatchMode
- .It BindAddress
-+.It BindInterface
- .It CanonicalDomains
- .It CanonicalizeFallbackLocal
- .It CanonicalizeHostname
-@@ -510,6 +511,7 @@
- .It ControlPath
- .It ControlPersist
- .It DynamicForward
-+.It EnableSSHKeysign
- .It EnableEscapeCommandline
- .It EscapeChar
- .It ExitOnForwardFailure
-@@ -538,6 +540,8 @@
- .It IdentitiesOnly
- .It IdentityAgent
- .It IdentityFile
-+.It IgnoreUnknown
-+.It Include
- .It IPQoS
- .It KbdInteractiveAuthentication
- .It KbdInteractiveDevices
-@@ -546,6 +550,7 @@
- .It LocalCommand
- .It LocalForward
- .It LogLevel
-+.It LogVerbose
- .It MACs
- .It Match
- .It NoHostAuthenticationForLocalhost
-@@ -566,6 +571,8 @@
- .It RemoteCommand
- .It RemoteForward
- .It RequestTTY
-+.It RevokedHostKeys
-+.It SecurityKeyProvider
- .It RequiredRSASize
- .It SendEnv
- .It ServerAliveInterval
-@@ -575,6 +582,7 @@
- .It StreamLocalBindMask
- .It StreamLocalBindUnlink
- .It StrictHostKeyChecking
-+.It SyslogFacility
- .It TCPKeepAlive
- .It Tunnel
- .It TunnelDevice
diff --git a/openssh-8.8p1.tar.gz.asc b/openssh-8.8p1.tar.gz.asc
new file mode 100644
index 0000000..9a1fd8e
--- /dev/null
+++ b/openssh-8.8p1.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmFQfp8ACgkQKj9BTnNg
+YLq2SQ/8C3iOHTkyqX82FYt0SKkybebe9b2iBPr91HQOUmx+U3I+vgrSWArXabWJ
+uSu0b685RQKlcr7UjEtPk6g0cm45NoJFjju9ljvnOFfZw73V3a5qX15Lx4xRnkRx
+v1LJn6Yh12PKLWL4/A1qPQnfAObVwq/BF0BR01FfXLAOt5+lFwYvg79HpE+69b0r
+KtcIEpsyTEn2lSKSWD7q4lpe6Z/iR+XzBKfnB6JJXhKyHiDV63hlAJk9Pt3mIvS6
+tnE9/7GDawvi+Tsl018kw3wsf6aHVSQ+O+vzcDgfy0vDJVGjD6Ec9it9FvikXJh6
+3pSTBYuUJdt+CAQYvmEui73v4nrkfouHXsxqgzEDZaTwIZC4wPrvNYxUaIyirWlc
+l4/YSnxSxSiYbvPa5eYRBvXvoWbnQXjPOkuhjETxz/KTcHirQpWE9eldi0jHcKUa
+FVu9YqMPAjIUd1Jj4vC5bgH7v5cLeEMm/AetMvKsJs+rhY9NZaKpiqOqU2m6Geb+
+sQSXHNTeA8uOlrHim4SmYHtmfglVbH5lIroiUqtRzjbOhMhqUb+yN9+aAxe0bwmN
+VcFMSThlbmYokb9bkQryY2I/FfXb997vxgF6v15Z8d9e8HH2zc2Irj1HYXG4Bf3o
+WCiSvd8+Tr/FxS2Gn8qj/vgSPWXT0d0Hy4zHW9JeT/jn3RtIYhU=
+=EnoG
+-----END PGP SIGNATURE-----
diff --git a/openssh-9.3p1-merged-openssl-evp.patch b/openssh-9.3p1-merged-openssl-evp.patch
deleted file mode 100644
index d8c2ca3..0000000
--- a/openssh-9.3p1-merged-openssl-evp.patch
+++ /dev/null
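Review bot: The detached signature added as openssh-8.8p1.tar.gz.asc only protects the build if some step actually verifies the tarball against it with a pinned upstream key and fails on mismatch; nothing in this section shows such a check, so it should be confirmed that the spec performs one rather than merely shipping the .asc next to the tarball. The same commit deletes patches named for a newer release (`openssh-9.3p1-merged-openssl-evp.patch` is removed in the section that follows), which suggests the packaged source is moving back to the older 8.8p1 tarball; if that reading is right, the backported fixes kept in this repository need to be re-checked against the 8.8p1 tree they will now apply to. A short comment next to the source and signature entries in the spec, naming the expected signing-key fingerprint as a placeholder such as `<UPSTREAM-KEY-FINGERPRINT>` until filled in, would make the verification auditable.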
@@ -1,1228 +0,0 @@ -diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/digest.h openssh-9.3p1-patched/digest.h ---- openssh-9.3p1/digest.h 2023-03-15 22:28:19.000000000 +0100 -+++ openssh-9.3p1-patched/digest.h 2023-06-06 15:52:25.602551466 +0200 -@@ -32,6 +32,12 @@ - struct sshbuf; - struct ssh_digest_ctx; - -+#ifdef WITH_OPENSSL -+#include <openssl/evp.h> -+/* Converts internal digest representation to the OpenSSL one */ -+const EVP_MD *ssh_digest_to_md(int digest_type); -+#endif -+ - /* Looks up a digest algorithm by name */ - int ssh_digest_alg_by_name(const char *name); - -diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/digest-openssl.c openssh-9.3p1-patched/digest-openssl.c ---- openssh-9.3p1/digest-openssl.c 2023-03-15 22:28:19.000000000 +0100 -+++ openssh-9.3p1-patched/digest-openssl.c 2023-06-06 15:52:25.601551454 +0200 -@@ -64,6 +64,22 @@ - { -1, NULL, 0, NULL }, - }; - -+const EVP_MD * -+ssh_digest_to_md(int digest_type) -+{ -+ switch (digest_type) { -+ case SSH_DIGEST_SHA1: -+ return EVP_sha1(); -+ case SSH_DIGEST_SHA256: -+ return EVP_sha256(); -+ case SSH_DIGEST_SHA384: -+ return EVP_sha384(); -+ case SSH_DIGEST_SHA512: -+ return EVP_sha512(); -+ } -+ return NULL; -+} -+ - static const struct ssh_digest * - ssh_digest_by_alg(int alg) - { -diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/ssh-dss.c openssh-9.3p1-patched/ssh-dss.c ---- openssh-9.3p1/ssh-dss.c 2023-03-15 22:28:19.000000000 +0100 -+++ openssh-9.3p1-patched/ssh-dss.c 2023-06-06 15:52:25.624551743 +0200 -@@ -32,6 +32,8 @@ - #include <openssl/bn.h> - #include <openssl/dsa.h> - #include <openssl/evp.h> -+#include <openssl/core_names.h> -+#include <openssl/param_build.h> - - #include <stdarg.h> - #include <string.h> -@@ -261,11 
+263,15 @@ - const u_char *data, size_t datalen, - const char *alg, const char *sk_provider, const char *sk_pin, u_int compat) - { -+ EVP_PKEY *pkey = NULL; - DSA_SIG *sig = NULL; - const BIGNUM *sig_r, *sig_s; -- u_char digest[SSH_DIGEST_MAX_LENGTH], sigblob[SIGBLOB_LEN]; -- size_t rlen, slen, len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1); -+ u_char sigblob[SIGBLOB_LEN]; -+ size_t rlen, slen; -+ int len; - struct sshbuf *b = NULL; -+ u_char *sigb = NULL; -+ const u_char *psig = NULL; - int ret = SSH_ERR_INVALID_ARGUMENT; - - if (lenp != NULL) -@@ -276,17 +282,23 @@ - if (key == NULL || key->dsa == NULL || - sshkey_type_plain(key->type) != KEY_DSA) - return SSH_ERR_INVALID_ARGUMENT; -- if (dlen == 0) -- return SSH_ERR_INTERNAL_ERROR; - -- if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen, -- digest, sizeof(digest))) != 0) -+ if ((ret = ssh_create_evp_dss(key, &pkey)) != 0) -+ return ret; -+ ret = sshkey_calculate_signature(pkey, SSH_DIGEST_SHA1, &sigb, &len, -+ data, datalen); -+ EVP_PKEY_free(pkey); -+ if (ret < 0) { - goto out; -+ } - -- if ((sig = DSA_do_sign(digest, dlen, key->dsa)) == NULL) { -+ psig = sigb; -+ if ((sig = d2i_DSA_SIG(NULL, &psig, len)) == NULL) { - ret = SSH_ERR_LIBCRYPTO_ERROR; - goto out; - } -+ free(sigb); -+ sigb = NULL; - - DSA_SIG_get0(sig, &sig_r, &sig_s); - rlen = BN_num_bytes(sig_r); -@@ -319,7 +331,7 @@ - *lenp = len; - ret = 0; - out: -- explicit_bzero(digest, sizeof(digest)); -+ free(sigb); - DSA_SIG_free(sig); - sshbuf_free(b); - return ret; -@@ -331,20 +343,20 @@ - const u_char *data, size_t dlen, const char *alg, u_int compat, - struct sshkey_sig_details **detailsp) - { -+ EVP_PKEY *pkey = NULL; - DSA_SIG *dsig = NULL; - BIGNUM *sig_r = NULL, *sig_s = NULL; -- u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob = NULL; -- size_t len, hlen = ssh_digest_bytes(SSH_DIGEST_SHA1); -+ u_char *sigblob = NULL; -+ size_t len, slen; - int ret = SSH_ERR_INTERNAL_ERROR; - struct sshbuf *b = NULL; - char *ktype = NULL; -+ u_char *sigb = 
NULL, *psig = NULL; - - if (key == NULL || key->dsa == NULL || - sshkey_type_plain(key->type) != KEY_DSA || - sig == NULL || siglen == 0) - return SSH_ERR_INVALID_ARGUMENT; -- if (hlen == 0) -- return SSH_ERR_INTERNAL_ERROR; - - /* fetch signature */ - if ((b = sshbuf_from(sig, siglen)) == NULL) -@@ -386,25 +398,28 @@ - } - sig_r = sig_s = NULL; /* transferred */ - -- /* sha1 the data */ -- if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, dlen, -- digest, sizeof(digest))) != 0) -+ if ((slen = i2d_DSA_SIG(dsig, NULL)) == 0) { -+ ret = SSH_ERR_LIBCRYPTO_ERROR; - goto out; -- -- switch (DSA_do_verify(digest, hlen, dsig, key->dsa)) { -- case 1: -- ret = 0; -- break; -- case 0: -- ret = SSH_ERR_SIGNATURE_INVALID; -+ } -+ if ((sigb = malloc(slen)) == NULL) { -+ ret = SSH_ERR_ALLOC_FAIL; - goto out; -- default: -+ } -+ psig = sigb; -+ if ((slen = i2d_DSA_SIG(dsig, &psig)) == 0) { - ret = SSH_ERR_LIBCRYPTO_ERROR; - goto out; - } - -+ if ((ret = ssh_create_evp_dss(key, &pkey)) != 0) -+ goto out; -+ ret = sshkey_verify_signature(pkey, SSH_DIGEST_SHA1, data, dlen, -+ sigb, slen); -+ EVP_PKEY_free(pkey); -+ - out: -- explicit_bzero(digest, sizeof(digest)); -+ free(sigb); - DSA_SIG_free(dsig); - BN_clear_free(sig_r); - BN_clear_free(sig_s); -@@ -415,6 +430,65 @@ - return ret; - } - -+int -+ssh_create_evp_dss(const struct sshkey *k, EVP_PKEY **pkey) -+{ -+ OSSL_PARAM_BLD *param_bld = NULL; -+ EVP_PKEY_CTX *ctx = NULL; -+ const BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub = NULL, *priv = NULL; -+ int ret = 0; -+ -+ if (k == NULL) -+ return SSH_ERR_INVALID_ARGUMENT; -+ if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL)) == NULL || -+ (param_bld = OSSL_PARAM_BLD_new()) == NULL) { -+ ret = SSH_ERR_ALLOC_FAIL; -+ goto out; -+ } -+ -+ DSA_get0_pqg(k->dsa, &p, &q, &g); -+ DSA_get0_key(k->dsa, &pub, &priv); -+ -+ if (p != NULL && -+ OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, p) != 1) { -+ ret = SSH_ERR_LIBCRYPTO_ERROR; -+ goto out; -+ } -+ if (q != NULL && -+ 
OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, q) != 1) { -+ ret = SSH_ERR_LIBCRYPTO_ERROR; -+ goto out; -+ } -+ if (g != NULL && -+ OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, g) != 1) { -+ ret = SSH_ERR_LIBCRYPTO_ERROR; -+ goto out; -+ } -+ if (pub != NULL && -+ OSSL_PARAM_BLD_push_BN(param_bld, -+ OSSL_PKEY_PARAM_PUB_KEY, -+ pub) != 1) { -+ ret = SSH_ERR_LIBCRYPTO_ERROR; -+ goto out; -+ } -+ if (priv != NULL && -+ OSSL_PARAM_BLD_push_BN(param_bld, -+ OSSL_PKEY_PARAM_PRIV_KEY, -+ priv) != 1) { -+ ret = SSH_ERR_LIBCRYPTO_ERROR; -+ goto out; -+ } -+ if ((*pkey = sshkey_create_evp(param_bld, ctx)) == NULL) { -+ ret = SSH_ERR_LIBCRYPTO_ERROR; -+ goto out; -+ } -+ -+out: -+ OSSL_PARAM_BLD_free(param_bld); -+ EVP_PKEY_CTX_free(ctx); -+ return ret; -+} -+ - static const struct sshkey_impl_funcs sshkey_dss_funcs = { - /* .size = */ ssh_dss_size, - /* .alloc = */ ssh_dss_alloc, -diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/ssh-ecdsa.c openssh-9.3p1-patched/ssh-ecdsa.c ---- openssh-9.3p1/ssh-ecdsa.c 2023-03-15 22:28:19.000000000 +0100 -+++ openssh-9.3p1-patched/ssh-ecdsa.c 2023-06-06 15:52:25.626551768 +0200 -@@ -34,6 +34,8 @@ - #include <openssl/ec.h> - #include <openssl/ecdsa.h> - #include <openssl/evp.h> -+#include <openssl/core_names.h> -+#include <openssl/param_build.h> - - #include <string.h> - -@@ -126,19 +128,29 @@ - static int - ssh_ecdsa_generate(struct sshkey *k, int bits) - { -- EC_KEY *private; -+ EVP_PKEY_CTX *ctx = NULL; -+ EVP_PKEY *res = NULL; - - if ((k->ecdsa_nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) - return SSH_ERR_KEY_LENGTH; -- if ((private = EC_KEY_new_by_curve_name(k->ecdsa_nid)) == NULL) -+ -+ if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) == NULL) - return SSH_ERR_ALLOC_FAIL; -- if (EC_KEY_generate_key(private) != 1) { -- EC_KEY_free(private); -+ -+ if (EVP_PKEY_keygen_init(ctx) <= 0 || EVP_PKEY_CTX_set_group_name(ctx, 
OBJ_nid2sn(k->ecdsa_nid)) <= 0 -+ || EVP_PKEY_keygen(ctx, &res) <= 0) { -+ EVP_PKEY_CTX_free(ctx); -+ EVP_PKEY_free(res); - return SSH_ERR_LIBCRYPTO_ERROR; - } -- EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE); -- k->ecdsa = private; -- return 0; -+ /* This function is deprecated in OpenSSL 3.0 but OpenSSH doesn't worry about it*/ -+ k->ecdsa = EVP_PKEY_get1_EC_KEY(res); -+ if (k->ecdsa) -+ EC_KEY_set_asn1_flag(k->ecdsa, OPENSSL_EC_NAMED_CURVE); -+ -+ EVP_PKEY_CTX_free(ctx); -+ EVP_PKEY_free(res); -+ return (k->ecdsa) ? 0 : SSH_ERR_LIBCRYPTO_ERROR; - } - - static int -@@ -228,11 +240,13 @@ - const u_char *data, size_t dlen, - const char *alg, const char *sk_provider, const char *sk_pin, u_int compat) - { -+ EVP_PKEY *pkey = NULL; - ECDSA_SIG *esig = NULL; -+ unsigned char *sigb = NULL; -+ const unsigned char *psig; - const BIGNUM *sig_r, *sig_s; - int hash_alg; -- u_char digest[SSH_DIGEST_MAX_LENGTH]; -- size_t len, hlen; -+ int len; - struct sshbuf *b = NULL, *bb = NULL; - int ret = SSH_ERR_INTERNAL_ERROR; - -@@ -245,18 +259,33 @@ - sshkey_type_plain(key->type) != KEY_ECDSA) - return SSH_ERR_INVALID_ARGUMENT; - -- if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 || -- (hlen = ssh_digest_bytes(hash_alg)) == 0) -+ if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1) - return SSH_ERR_INTERNAL_ERROR; -- if ((ret = ssh_digest_memory(hash_alg, data, dlen, -- digest, sizeof(digest))) != 0) -+ -+#ifdef ENABLE_PKCS11 -+ if (is_ecdsa_pkcs11(key->ecdsa)) { -+ if ((pkey = EVP_PKEY_new()) == NULL || -+ EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa) != 1) -+ return SSH_ERR_ALLOC_FAIL; -+ } else { -+#endif -+ if ((ret = ssh_create_evp_ec(key->ecdsa, key->ecdsa_nid, &pkey)) != 0) -+ return ret; -+#ifdef ENABLE_PKCS11 -+ } -+#endif -+ ret = sshkey_calculate_signature(pkey, hash_alg, &sigb, &len, data, -+ dlen); -+ EVP_PKEY_free(pkey); -+ if (ret < 0) { - goto out; -+ } - -- if ((esig = ECDSA_do_sign(digest, hlen, key->ecdsa)) == NULL) { -+ psig = sigb; 
-+ if (d2i_ECDSA_SIG(&esig, &psig, len) == NULL) { - ret = SSH_ERR_LIBCRYPTO_ERROR; - goto out; - } -- - if ((bb = sshbuf_new()) == NULL || (b = sshbuf_new()) == NULL) { - ret = SSH_ERR_ALLOC_FAIL; - goto out; -@@ -280,7 +309,7 @@ - *lenp = len; - ret = 0; - out: -- explicit_bzero(digest, sizeof(digest)); -+ free(sigb); - sshbuf_free(b); - sshbuf_free(bb); - ECDSA_SIG_free(esig); -@@ -293,22 +322,21 @@ - const u_char *data, size_t dlen, const char *alg, u_int compat, - struct sshkey_sig_details **detailsp) - { -+ EVP_PKEY *pkey = NULL; - ECDSA_SIG *esig = NULL; - BIGNUM *sig_r = NULL, *sig_s = NULL; -- int hash_alg; -- u_char digest[SSH_DIGEST_MAX_LENGTH]; -- size_t hlen; -+ int hash_alg, len; - int ret = SSH_ERR_INTERNAL_ERROR; - struct sshbuf *b = NULL, *sigbuf = NULL; - char *ktype = NULL; -+ unsigned char *sigb = NULL, *psig = NULL; - - if (key == NULL || key->ecdsa == NULL || - sshkey_type_plain(key->type) != KEY_ECDSA || - sig == NULL || siglen == 0) - return SSH_ERR_INVALID_ARGUMENT; - -- if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 || -- (hlen = ssh_digest_bytes(hash_alg)) == 0) -+ if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1) - return SSH_ERR_INTERNAL_ERROR; - - /* fetch signature */ -@@ -344,28 +372,33 @@ - } - sig_r = sig_s = NULL; /* transferred */ - -- if (sshbuf_len(sigbuf) != 0) { -- ret = SSH_ERR_UNEXPECTED_TRAILING_DATA; -+ /* Figure out the length */ -+ if ((len = i2d_ECDSA_SIG(esig, NULL)) == 0) { -+ ret = SSH_ERR_LIBCRYPTO_ERROR; - goto out; - } -- if ((ret = ssh_digest_memory(hash_alg, data, dlen, -- digest, sizeof(digest))) != 0) -- goto out; -- -- switch (ECDSA_do_verify(digest, hlen, esig, key->ecdsa)) { -- case 1: -- ret = 0; -- break; -- case 0: -- ret = SSH_ERR_SIGNATURE_INVALID; -+ if ((sigb = malloc(len)) == NULL) { -+ ret = SSH_ERR_ALLOC_FAIL; - goto out; -- default: -+ } -+ psig = sigb; -+ if ((len = i2d_ECDSA_SIG(esig, &psig)) == 0) { - ret = SSH_ERR_LIBCRYPTO_ERROR; - goto out; - } - -+ if 
(sshbuf_len(sigbuf) != 0) { -+ ret = SSH_ERR_UNEXPECTED_TRAILING_DATA; -+ goto out; -+ } -+ -+ if (ssh_create_evp_ec(key->ecdsa, key->ecdsa_nid, &pkey) != 0) -+ goto out; -+ ret = sshkey_verify_signature(pkey, hash_alg, data, dlen, sigb, len); -+ EVP_PKEY_free(pkey); -+ - out: -- explicit_bzero(digest, sizeof(digest)); -+ free(sigb); - sshbuf_free(sigbuf); - sshbuf_free(b); - ECDSA_SIG_free(esig); -@@ -375,6 +408,79 @@ - return ret; - } - -+int -+ssh_create_evp_ec(EC_KEY *k, int ecdsa_nid, EVP_PKEY **pkey) -+{ -+ OSSL_PARAM_BLD *param_bld = NULL; -+ EVP_PKEY_CTX *ctx = NULL; -+ BN_CTX *bn_ctx = NULL; -+ uint8_t *pub_ser = NULL; -+ const char *group_name; -+ const EC_POINT *pub = NULL; -+ const BIGNUM *priv = NULL; -+ int ret = 0; -+ -+ if (k == NULL) -+ return SSH_ERR_INVALID_ARGUMENT; -+ if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) == NULL || -+ (param_bld = OSSL_PARAM_BLD_new()) == NULL || -+ (bn_ctx = BN_CTX_new()) == NULL) { -+ ret = SSH_ERR_ALLOC_FAIL; -+ goto out; -+ } -+ -+ if ((group_name = OSSL_EC_curve_nid2name(ecdsa_nid)) == NULL || -+ OSSL_PARAM_BLD_push_utf8_string(param_bld, -+ OSSL_PKEY_PARAM_GROUP_NAME, -+ group_name, -+ strlen(group_name)) != 1) { -+ ret = SSH_ERR_LIBCRYPTO_ERROR; -+ goto out; -+ } -+ if ((pub = EC_KEY_get0_public_key(k)) != NULL) { -+ const EC_GROUP *group; -+ size_t len; -+ -+ group = EC_KEY_get0_group(k); -+ len = EC_POINT_point2oct(group, pub, -+ POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL); -+ if ((pub_ser = malloc(len)) == NULL) { -+ ret = SSH_ERR_ALLOC_FAIL; -+ goto out; -+ } -+ EC_POINT_point2oct(group, -+ pub, -+ POINT_CONVERSION_UNCOMPRESSED, -+ pub_ser, -+ len, -+ bn_ctx); -+ if (OSSL_PARAM_BLD_push_octet_string(param_bld, -+ OSSL_PKEY_PARAM_PUB_KEY, -+ pub_ser, -+ len) != 1) { -+ ret = SSH_ERR_LIBCRYPTO_ERROR; -+ goto out; -+ } -+ } -+ if ((priv = EC_KEY_get0_private_key(k)) != NULL && -+ OSSL_PARAM_BLD_push_BN(param_bld, -+ OSSL_PKEY_PARAM_PRIV_KEY, priv) != 1) { -+ ret = SSH_ERR_LIBCRYPTO_ERROR; -+ goto 
out; -+ } -+ if ((*pkey = sshkey_create_evp(param_bld, ctx)) == NULL) { -+ ret = SSH_ERR_LIBCRYPTO_ERROR; -+ goto out; -+ } -+ -+out: -+ OSSL_PARAM_BLD_free(param_bld); -+ EVP_PKEY_CTX_free(ctx); -+ BN_CTX_free(bn_ctx); -+ free(pub_ser); -+ return ret; -+} -+ - /* NB. not static; used by ECDSA-SK */ - const struct sshkey_impl_funcs sshkey_ecdsa_funcs = { - /* .size = */ ssh_ecdsa_size, -diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/sshkey.c openssh-9.3p1-patched/sshkey.c ---- openssh-9.3p1/sshkey.c 2023-06-06 15:53:36.608444190 +0200 -+++ openssh-9.3p1-patched/sshkey.c 2023-06-06 15:52:25.625551756 +0200 -@@ -34,6 +34,8 @@ - #include <openssl/evp.h> - #include <openssl/err.h> - #include <openssl/pem.h> -+#include <openssl/core_names.h> -+#include <openssl/param_build.h> - #endif - - #include "crypto_api.h" -@@ -57,6 +59,7 @@ - #define SSHKEY_INTERNAL - #include "sshkey.h" - #include "match.h" -+#include "log.h" - #include "ssh-sk.h" - - #ifdef WITH_XMSS -@@ -575,6 +577,86 @@ - } - - #ifdef WITH_OPENSSL -+int -+sshkey_calculate_signature(EVP_PKEY *pkey, int hash_alg, u_char **sigp, -+ int *lenp, const u_char *data, size_t datalen) -+{ -+ EVP_MD_CTX *ctx = NULL; -+ u_char *sig = NULL; -+ int ret, slen; -+ size_t len; -+ -+ if (sigp == NULL || lenp == NULL) { -+ return SSH_ERR_INVALID_ARGUMENT; -+ } -+ -+ slen = EVP_PKEY_get_size(pkey); -+ if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM) -+ return SSH_ERR_INVALID_ARGUMENT; -+ -+ len = slen; -+ if ((sig = malloc(slen)) == NULL) { -+ return SSH_ERR_ALLOC_FAIL; -+ } -+ -+ if ((ctx = EVP_MD_CTX_new()) == NULL) { -+ ret = SSH_ERR_ALLOC_FAIL; -+ goto error; -+ } -+ if (EVP_DigestSignInit(ctx, NULL, ssh_digest_to_md(hash_alg), -+ NULL, pkey) != 1 || -+ EVP_DigestSignUpdate(ctx, data, datalen) != 1 || -+ EVP_DigestSignFinal(ctx, sig, &len) != 1) { -+ ret = SSH_ERR_LIBCRYPTO_ERROR; -+ goto error; -+ } -+ -+ *sigp = sig; -+ *lenp = len; -+ /* 
Now owned by the caller */ -+ sig = NULL; -+ ret = 0; -+ -+error: -+ EVP_MD_CTX_free(ctx); -+ free(sig); -+ return ret; -+} -+ -+int -+sshkey_verify_signature(EVP_PKEY *pkey, int hash_alg, const u_char *data, -+ size_t datalen, u_char *sigbuf, int siglen) -+{ -+ EVP_MD_CTX *ctx = NULL; -+ int ret; -+ -+ if ((ctx = EVP_MD_CTX_new()) == NULL) { -+ return SSH_ERR_ALLOC_FAIL; -+ } -+ if (EVP_DigestVerifyInit(ctx, NULL, ssh_digest_to_md(hash_alg), -+ NULL, pkey) != 1 || -+ EVP_DigestVerifyUpdate(ctx, data, datalen) != 1) { -+ ret = SSH_ERR_LIBCRYPTO_ERROR; -+ goto done; -+ } -+ ret = EVP_DigestVerifyFinal(ctx, sigbuf, siglen); -+ switch (ret) { -+ case 1: -+ ret = 0; -+ break; -+ case 0: -+ ret = SSH_ERR_SIGNATURE_INVALID; -+ break; -+ default: -+ ret = SSH_ERR_LIBCRYPTO_ERROR; -+ break; -+ } -+ -+done: -+ EVP_MD_CTX_free(ctx); -+ return ret; -+} -+ - /* XXX: these are really begging for a table-driven approach */ - int - sshkey_curve_name_to_nid(const char *name) -@@ -3763,3 +3845,27 @@ - return 0; - } - #endif /* WITH_XMSS */ -+ -+#ifdef WITH_OPENSSL -+EVP_PKEY * -+sshkey_create_evp(OSSL_PARAM_BLD *param_bld, EVP_PKEY_CTX *ctx) -+{ -+ EVP_PKEY *ret = NULL; -+ OSSL_PARAM *params = NULL; -+ if (param_bld == NULL || ctx == NULL) { -+ debug2_f("param_bld or ctx is NULL"); -+ return NULL; -+ } -+ if ((params = OSSL_PARAM_BLD_to_param(param_bld)) == NULL) { -+ debug2_f("Could not build param list"); -+ return NULL; -+ } -+ if (EVP_PKEY_fromdata_init(ctx) != 1 || -+ EVP_PKEY_fromdata(ctx, &ret, EVP_PKEY_KEYPAIR, params) != 1) { -+ debug2_f("EVP_PKEY_fromdata failed"); -+ OSSL_PARAM_free(params); -+ return NULL; -+ } -+ return ret; -+} -+#endif /* WITH_OPENSSL */ -diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/sshkey.h openssh-9.3p1-patched/sshkey.h ---- openssh-9.3p1/sshkey.h 2023-06-06 15:53:36.608444190 +0200 -+++ openssh-9.3p1-patched/sshkey.h 2023-06-06 15:52:25.626551768 +0200 -@@ 
-31,6 +31,9 @@ - #ifdef WITH_OPENSSL - #include <openssl/rsa.h> - #include <openssl/dsa.h> -+#include <openssl/evp.h> -+#include <openssl/param_build.h> -+#include <openssl/core_names.h> - # ifdef OPENSSL_HAS_ECC - # include <openssl/ec.h> - # include <openssl/ecdsa.h> -@@ -268,6 +271,10 @@ - const char *sshkey_ssh_name_plain(const struct sshkey *); - int sshkey_names_valid2(const char *, int); - char *sshkey_alg_list(int, int, int, char); -+int sshkey_calculate_signature(EVP_PKEY*, int, u_char **, -+ int *, const u_char *, size_t); -+int sshkey_verify_signature(EVP_PKEY *, int, const u_char *, -+ size_t, u_char *, int); - - int sshkey_from_blob(const u_char *, size_t, struct sshkey **); - int sshkey_fromb(struct sshbuf *, struct sshkey **); -@@ -324,6 +331,13 @@ - - void sshkey_sig_details_free(struct sshkey_sig_details *); - -+#ifdef WITH_OPENSSL -+EVP_PKEY *sshkey_create_evp(OSSL_PARAM_BLD *, EVP_PKEY_CTX *); -+int ssh_create_evp_dss(const struct sshkey *, EVP_PKEY **); -+int ssh_create_evp_rsa(const struct sshkey *, EVP_PKEY **); -+int ssh_create_evp_ec(EC_KEY *, int, EVP_PKEY **); -+#endif /* WITH_OPENSSL */ -+ - #ifdef SSHKEY_INTERNAL - int sshkey_sk_fields_equal(const struct sshkey *a, const struct sshkey *b); - void sshkey_sk_cleanup(struct sshkey *k); -@@ -338,6 +352,10 @@ - #endif - #endif - -+#ifdef ENABLE_PKCS11 -+int pkcs11_get_ecdsa_idx(void); -+#endif -+ - #if !defined(WITH_OPENSSL) - # undef RSA - # undef DSA -diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/ssh-pkcs11.c openssh-9.3p1-patched/ssh-pkcs11.c ---- openssh-9.3p1/ssh-pkcs11.c 2023-06-06 15:53:36.592443989 +0200 -+++ openssh-9.3p1-patched/ssh-pkcs11.c 2023-06-06 15:52:25.626551768 +0200 -@@ -777,8 +777,24 @@ - - return (0); - } -+ -+int -+is_ecdsa_pkcs11(EC_KEY *ecdsa) -+{ -+ if (EC_KEY_get_ex_data(ecdsa, ec_key_idx) != NULL) -+ return 1; -+ return 0; -+} - #endif /* OPENSSL_HAS_ECC && 
HAVE_EC_KEY_METHOD_NEW */ - -+int -+is_rsa_pkcs11(RSA *rsa) -+{ -+ if (RSA_get_ex_data(rsa, rsa_idx) != NULL) -+ return 1; -+ return 0; -+} -+ - /* remove trailing spaces */ - static void - rmspace(u_char *buf, size_t len) -diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/ssh-pkcs11-client.c openssh-9.3p1-patched/ssh-pkcs11-client.c ---- openssh-9.3p1/ssh-pkcs11-client.c 2023-06-06 15:53:36.591443976 +0200 -+++ openssh-9.3p1-patched/ssh-pkcs11-client.c 2023-06-06 15:52:25.626551768 +0200 -@@ -225,8 +225,36 @@ - static RSA_METHOD *helper_rsa; - #if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) - static EC_KEY_METHOD *helper_ecdsa; -+ -+int -+is_ecdsa_pkcs11(EC_KEY *ecdsa) -+{ -+ const EC_KEY_METHOD *meth; -+ ECDSA_SIG *(*sign_sig)(const unsigned char *dgst, int dgstlen, -+ const BIGNUM *kinv, const BIGNUM *rp, EC_KEY *eckey) = NULL; -+ -+ meth = EC_KEY_get_method(ecdsa); -+ EC_KEY_METHOD_get_sign(meth, NULL, NULL, &sign_sig); -+ if (sign_sig == ecdsa_do_sign) -+ return 1; -+ return 0; -+} - #endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ - -+int -+is_rsa_pkcs11(RSA *rsa) -+{ -+ const RSA_METHOD *meth; -+ int (*priv_enc)(int flen, const unsigned char *from, -+ unsigned char *to, RSA *rsa, int padding) = NULL; -+ -+ meth = RSA_get_method(rsa); -+ priv_enc = RSA_meth_get_priv_enc(meth); -+ if (priv_enc == rsa_encrypt) -+ return 1; -+ return 0; -+} -+ - /* redirect private key crypto operations to the ssh-pkcs11-helper */ - static void - wrap_key(struct sshkey *k) -diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/ssh-pkcs11.h openssh-9.3p1-patched/ssh-pkcs11.h ---- openssh-9.3p1/ssh-pkcs11.h 2023-06-06 15:53:36.592443989 +0200 -+++ openssh-9.3p1-patched/ssh-pkcs11.h 2023-06-06 15:52:25.626551768 +0200 -@@ -39,6 +39,11 @@ - u_int32_t *); - #endif - -+#ifdef 
HAVE_EC_KEY_METHOD_NEW -+int is_ecdsa_pkcs11(EC_KEY *ecdsa); -+#endif -+int is_rsa_pkcs11(RSA *rsa); -+ - #if !defined(WITH_OPENSSL) && defined(ENABLE_PKCS11) - #undef ENABLE_PKCS11 - #endif -diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/ssh-rsa.c openssh-9.3p1-patched/ssh-rsa.c ---- openssh-9.3p1/ssh-rsa.c 2023-03-15 22:28:19.000000000 +0100 -+++ openssh-9.3p1-patched/ssh-rsa.c 2023-06-06 15:52:25.627551781 +0200 -@@ -23,6 +23,8 @@ - - #include <openssl/evp.h> - #include <openssl/err.h> -+#include <openssl/core_names.h> -+#include <openssl/param_build.h> - - #include <stdarg.h> - #include <string.h> -@@ -36,7 +38,7 @@ - - #include "openbsd-compat/openssl-compat.h" - --static int openssh_RSA_verify(int, u_char *, size_t, u_char *, size_t, RSA *); -+static int openssh_RSA_verify(int, const u_char *, size_t, u_char *, size_t, EVP_PKEY *); - - static u_int - ssh_rsa_size(const struct sshkey *key) -@@ -131,27 +133,50 @@ - static int - ssh_rsa_generate(struct sshkey *k, int bits) - { -- RSA *private = NULL; -+ EVP_PKEY_CTX *ctx = NULL; -+ EVP_PKEY *res = NULL; - BIGNUM *f4 = NULL; - int ret = SSH_ERR_INTERNAL_ERROR; - - if (bits < SSH_RSA_MINIMUM_MODULUS_SIZE || - bits > SSHBUF_MAX_BIGNUM * 8) - return SSH_ERR_KEY_LENGTH; -- if ((private = RSA_new()) == NULL || (f4 = BN_new()) == NULL) { -+ -+ if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) == NULL -+ || (f4 = BN_new()) == NULL || !BN_set_word(f4, RSA_F4)) { - ret = SSH_ERR_ALLOC_FAIL; - goto out; - } -- if (!BN_set_word(f4, RSA_F4) || -- !RSA_generate_key_ex(private, bits, f4, NULL)) { -+ -+ if (EVP_PKEY_keygen_init(ctx) <= 0) { -+ ret = SSH_ERR_LIBCRYPTO_ERROR; -+ goto out; -+ } -+ -+ if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits) <= 0) { -+ ret = SSH_ERR_KEY_LENGTH; -+ goto out; -+ } -+ -+ if (EVP_PKEY_CTX_set1_rsa_keygen_pubexp(ctx, f4) <= 0) -+ goto out; -+ -+ if (EVP_PKEY_keygen(ctx, &res) <= 0) { -+ ret = 
SSH_ERR_LIBCRYPTO_ERROR; -+ goto out; -+ } -+ -+ /* This function is deprecated in OpenSSL 3.0 but OpenSSH doesn't worry about it*/ -+ k->rsa = EVP_PKEY_get1_RSA(res); -+ if (k->rsa) { -+ ret = 0; -+ } else { - ret = SSH_ERR_LIBCRYPTO_ERROR; - goto out; - } -- k->rsa = private; -- private = NULL; -- ret = 0; - out: -- RSA_free(private); -+ EVP_PKEY_CTX_free(ctx); -+ EVP_PKEY_free(res); - BN_free(f4); - return ret; - } -@@ -317,21 +342,6 @@ - return -1; - } - --static int --rsa_hash_alg_nid(int type) --{ -- switch (type) { -- case SSH_DIGEST_SHA1: -- return NID_sha1; -- case SSH_DIGEST_SHA256: -- return NID_sha256; -- case SSH_DIGEST_SHA512: -- return NID_sha512; -- default: -- return -1; -- } --} -- - int - ssh_rsa_complete_crt_parameters(struct sshkey *key, const BIGNUM *iqmp) - { -@@ -393,11 +403,10 @@ - const u_char *data, size_t datalen, - const char *alg, const char *sk_provider, const char *sk_pin, u_int compat) - { -- const BIGNUM *rsa_n; -- u_char digest[SSH_DIGEST_MAX_LENGTH], *sig = NULL; -- size_t slen = 0; -- u_int hlen, len; -- int nid, hash_alg, ret = SSH_ERR_INTERNAL_ERROR; -+ EVP_PKEY *pkey = NULL; -+ u_char *sig = NULL; -+ int len, slen = 0; -+ int hash_alg, ret = SSH_ERR_INTERNAL_ERROR; - struct sshbuf *b = NULL; - - if (lenp != NULL) -@@ -409,33 +418,33 @@ - hash_alg = SSH_DIGEST_SHA1; - else - hash_alg = rsa_hash_id_from_keyname(alg); -+ - if (key == NULL || key->rsa == NULL || hash_alg == -1 || - sshkey_type_plain(key->type) != KEY_RSA) - return SSH_ERR_INVALID_ARGUMENT; -- RSA_get0_key(key->rsa, &rsa_n, NULL, NULL); -- if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE) -- return SSH_ERR_KEY_LENGTH; - slen = RSA_size(key->rsa); -- if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM) -- return SSH_ERR_INVALID_ARGUMENT; -- -- /* hash the data */ -- nid = rsa_hash_alg_nid(hash_alg); -- if ((hlen = ssh_digest_bytes(hash_alg)) == 0) -- return SSH_ERR_INTERNAL_ERROR; -- if ((ret = ssh_digest_memory(hash_alg, data, datalen, -- digest, sizeof(digest))) != 0) 
-- goto out; -+ if (RSA_bits(key->rsa) < SSH_RSA_MINIMUM_MODULUS_SIZE) -+ return SSH_ERR_KEY_LENGTH; - -- if ((sig = malloc(slen)) == NULL) { -- ret = SSH_ERR_ALLOC_FAIL; -- goto out; -+#ifdef ENABLE_PKCS11 -+ if (is_rsa_pkcs11(key->rsa)) { -+ if ((pkey = EVP_PKEY_new()) == NULL || -+ EVP_PKEY_set1_RSA(pkey, key->rsa) != 1) -+ return SSH_ERR_ALLOC_FAIL; -+ } else { -+#endif -+ if ((ret = ssh_create_evp_rsa(key, &pkey)) != 0) -+ return ret; -+#ifdef ENABLE_PKCS11 - } -- -- if (RSA_sign(nid, digest, hlen, sig, &len, key->rsa) != 1) { -- ret = SSH_ERR_LIBCRYPTO_ERROR; -+#endif -+ ret = sshkey_calculate_signature(pkey, hash_alg, &sig, &len, data, -+ datalen); -+ EVP_PKEY_free(pkey); -+ if (ret < 0) { - goto out; - } -+ - if (len < slen) { - size_t diff = slen - len; - memmove(sig + diff, sig, len); -@@ -444,6 +453,7 @@ - ret = SSH_ERR_INTERNAL_ERROR; - goto out; - } -+ - /* encode signature */ - if ((b = sshbuf_new()) == NULL) { - ret = SSH_ERR_ALLOC_FAIL; -@@ -464,7 +474,6 @@ - *lenp = len; - ret = 0; - out: -- explicit_bzero(digest, sizeof(digest)); - freezero(sig, slen); - sshbuf_free(b); - return ret; -@@ -476,10 +485,10 @@ - const u_char *data, size_t dlen, const char *alg, u_int compat, - struct sshkey_sig_details **detailsp) - { -- const BIGNUM *rsa_n; -+ EVP_PKEY *pkey = NULL; - char *sigtype = NULL; - int hash_alg, want_alg, ret = SSH_ERR_INTERNAL_ERROR; -- size_t len = 0, diff, modlen, hlen; -+ size_t len = 0, diff, modlen; - struct sshbuf *b = NULL; - u_char digest[SSH_DIGEST_MAX_LENGTH], *osigblob, *sigblob = NULL; - -@@ -487,8 +496,7 @@ - sshkey_type_plain(key->type) != KEY_RSA || - sig == NULL || siglen == 0) - return SSH_ERR_INVALID_ARGUMENT; -- RSA_get0_key(key->rsa, &rsa_n, NULL, NULL); -- if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE) -+ if (RSA_bits(key->rsa) < SSH_RSA_MINIMUM_MODULUS_SIZE) - return SSH_ERR_KEY_LENGTH; - - if ((b = sshbuf_from(sig, siglen)) == NULL) -@@ -540,16 +548,13 @@ - explicit_bzero(sigblob, diff); - len = modlen; - } 
-- if ((hlen = ssh_digest_bytes(hash_alg)) == 0) { -- ret = SSH_ERR_INTERNAL_ERROR; -- goto out; -- } -- if ((ret = ssh_digest_memory(hash_alg, data, dlen, -- digest, sizeof(digest))) != 0) -+ -+ if ((ret = ssh_create_evp_rsa(key, &pkey)) != 0) - goto out; - -- ret = openssh_RSA_verify(hash_alg, digest, hlen, sigblob, len, -- key->rsa); -+ ret = openssh_RSA_verify(hash_alg, data, dlen, sigblob, len, pkey); -+ EVP_PKEY_free(pkey); -+ - out: - freezero(sigblob, len); - free(sigtype); -@@ -558,125 +563,110 @@ - return ret; - } - --/* -- * See: -- * http://www.rsasecurity.com/rsalabs/pkcs/pkcs-1/ -- * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.asn -- */ -- --/* -- * id-sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) -- * oiw(14) secsig(3) algorithms(2) 26 } -- */ --static const u_char id_sha1[] = { -- 0x30, 0x21, /* type Sequence, length 0x21 (33) */ -- 0x30, 0x09, /* type Sequence, length 0x09 */ -- 0x06, 0x05, /* type OID, length 0x05 */ -- 0x2b, 0x0e, 0x03, 0x02, 0x1a, /* id-sha1 OID */ -- 0x05, 0x00, /* NULL */ -- 0x04, 0x14 /* Octet string, length 0x14 (20), followed by sha1 hash */ --}; -- --/* -- * See http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/algorithms.html -- * id-sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) -- * organization(1) gov(101) csor(3) nistAlgorithm(4) hashAlgs(2) -- * id-sha256(1) } -- */ --static const u_char id_sha256[] = { -- 0x30, 0x31, /* type Sequence, length 0x31 (49) */ -- 0x30, 0x0d, /* type Sequence, length 0x0d (13) */ -- 0x06, 0x09, /* type OID, length 0x09 */ -- 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, /* id-sha256 */ -- 0x05, 0x00, /* NULL */ -- 0x04, 0x20 /* Octet string, length 0x20 (32), followed by sha256 hash */ --}; -- --/* -- * See http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/algorithms.html -- * id-sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) -- * organization(1) gov(101) csor(3) nistAlgorithm(4) hashAlgs(2) -- * 
id-sha256(3) } -- */ --static const u_char id_sha512[] = { -- 0x30, 0x51, /* type Sequence, length 0x51 (81) */ -- 0x30, 0x0d, /* type Sequence, length 0x0d (13) */ -- 0x06, 0x09, /* type OID, length 0x09 */ -- 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, /* id-sha512 */ -- 0x05, 0x00, /* NULL */ -- 0x04, 0x40 /* Octet string, length 0x40 (64), followed by sha512 hash */ --}; -- - static int --rsa_hash_alg_oid(int hash_alg, const u_char **oidp, size_t *oidlenp) -+openssh_RSA_verify(int hash_alg, const u_char *data, size_t datalen, -+ u_char *sigbuf, size_t siglen, EVP_PKEY *pkey) - { -- switch (hash_alg) { -- case SSH_DIGEST_SHA1: -- *oidp = id_sha1; -- *oidlenp = sizeof(id_sha1); -- break; -- case SSH_DIGEST_SHA256: -- *oidp = id_sha256; -- *oidlenp = sizeof(id_sha256); -- break; -- case SSH_DIGEST_SHA512: -- *oidp = id_sha512; -- *oidlenp = sizeof(id_sha512); -- break; -- default: -- return SSH_ERR_INVALID_ARGUMENT; -- } -- return 0; --} -+ size_t rsasize = 0; -+ int ret; - --static int --openssh_RSA_verify(int hash_alg, u_char *hash, size_t hashlen, -- u_char *sigbuf, size_t siglen, RSA *rsa) --{ -- size_t rsasize = 0, oidlen = 0, hlen = 0; -- int ret, len, oidmatch, hashmatch; -- const u_char *oid = NULL; -- u_char *decrypted = NULL; -- -- if ((ret = rsa_hash_alg_oid(hash_alg, &oid, &oidlen)) != 0) -- return ret; -- ret = SSH_ERR_INTERNAL_ERROR; -- hlen = ssh_digest_bytes(hash_alg); -- if (hashlen != hlen) { -- ret = SSH_ERR_INVALID_ARGUMENT; -- goto done; -- } -- rsasize = RSA_size(rsa); -+ rsasize = EVP_PKEY_get_size(pkey); - if (rsasize <= 0 || rsasize > SSHBUF_MAX_BIGNUM || - siglen == 0 || siglen > rsasize) { - ret = SSH_ERR_INVALID_ARGUMENT; - goto done; - } -- if ((decrypted = malloc(rsasize)) == NULL) { -- ret = SSH_ERR_ALLOC_FAIL; -- goto done; -- } -- if ((len = RSA_public_decrypt(siglen, sigbuf, decrypted, rsa, -- RSA_PKCS1_PADDING)) < 0) { -- ret = SSH_ERR_LIBCRYPTO_ERROR; -- goto done; -- } -- if (len < 0 || (size_t)len != hlen + oidlen) { 
-- ret = SSH_ERR_INVALID_FORMAT; -- goto done; -- } -- oidmatch = timingsafe_bcmp(decrypted, oid, oidlen) == 0; -- hashmatch = timingsafe_bcmp(decrypted + oidlen, hash, hlen) == 0; -- if (!oidmatch || !hashmatch) { -- ret = SSH_ERR_SIGNATURE_INVALID; -- goto done; -- } -- ret = 0; -+ -+ ret = sshkey_verify_signature(pkey, hash_alg, data, datalen, -+ sigbuf, siglen); -+ - done: -- freezero(decrypted, rsasize); - return ret; - } - -+int -+ssh_create_evp_rsa(const struct sshkey *k, EVP_PKEY **pkey) -+{ -+ OSSL_PARAM_BLD *param_bld = NULL; -+ EVP_PKEY_CTX *ctx = NULL; -+ int ret = 0; -+ const BIGNUM *n = NULL, *e = NULL, *d = NULL, *p = NULL, *q = NULL; -+ const BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; -+ -+ if (k == NULL) -+ return SSH_ERR_INVALID_ARGUMENT; -+ if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) == NULL || -+ (param_bld = OSSL_PARAM_BLD_new()) == NULL) { -+ ret = SSH_ERR_ALLOC_FAIL; -+ goto out; -+ } -+ -+ RSA_get0_key(k->rsa, &n, &e, &d); -+ RSA_get0_factors(k->rsa, &p, &q); -+ RSA_get0_crt_params(k->rsa, &dmp1, &dmq1, &iqmp); -+ -+ if (n != NULL && -+ OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n) != 1) { -+ ret = SSH_ERR_LIBCRYPTO_ERROR; -+ goto out; -+ } -+ if (e != NULL && -+ OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, e) != 1) { -+ ret = SSH_ERR_LIBCRYPTO_ERROR; -+ goto out; -+ } -+ if (d != NULL && -+ OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_D, d) != 1) { -+ ret = SSH_ERR_LIBCRYPTO_ERROR; -+ goto out; -+ } -+ -+ if ((*pkey = sshkey_create_evp(param_bld, ctx)) == NULL) { -+ ret = SSH_ERR_LIBCRYPTO_ERROR; -+ goto out; -+ } -+ -+ /* setting this to param_build makes the creation process fail */ -+ if (p != NULL && -+ EVP_PKEY_set_bn_param(*pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, p) != 1) { -+ debug2_f("failed to add 'p' param"); -+ ret = SSH_ERR_LIBCRYPTO_ERROR; -+ goto out; -+ } -+ if (q != NULL && -+ EVP_PKEY_set_bn_param(*pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, q) != 1) { -+ debug2_f("failed to add 'q' 
param"); -+ ret = SSH_ERR_LIBCRYPTO_ERROR; -+ goto out; -+ } -+ if (dmp1 != NULL && -+ EVP_PKEY_set_bn_param(*pkey, -+ OSSL_PKEY_PARAM_RSA_EXPONENT1, dmp1) != 1) { -+ debug2_f("failed to add 'dmp1' param"); -+ ret = SSH_ERR_LIBCRYPTO_ERROR; -+ goto out; -+ } -+ if (dmq1 != NULL && -+ EVP_PKEY_set_bn_param(*pkey, -+ OSSL_PKEY_PARAM_RSA_EXPONENT2, dmq1) != 1) { -+ debug2_f("failed to add 'dmq1' param"); -+ ret = SSH_ERR_LIBCRYPTO_ERROR; -+ goto out; -+ } -+ if (iqmp != NULL && -+ EVP_PKEY_set_bn_param(*pkey, -+ OSSL_PKEY_PARAM_RSA_COEFFICIENT1, iqmp) != 1) { -+ debug2_f("failed to add 'iqmp' param"); -+ ret = SSH_ERR_LIBCRYPTO_ERROR; -+ goto out; -+ } -+ -+out: -+ OSSL_PARAM_BLD_free(param_bld); -+ EVP_PKEY_CTX_free(ctx); -+ return ret; -+} -+ - static const struct sshkey_impl_funcs sshkey_rsa_funcs = { - /* .size = */ ssh_rsa_size, - /* .alloc = */ ssh_rsa_alloc, diff --git a/openssh-9.3p1-upstream-cve-2023-38408.patch b/openssh-9.3p1-upstream-cve-2023-38408.patch deleted file mode 100644 index e9ac2ae..0000000 --- a/openssh-9.3p1-upstream-cve-2023-38408.patch +++ /dev/null 
@@ -1,130 +0,0 @@ -diff --git a/ssh-agent.c b/ssh-agent.c -index 618bb198..8ea831f4 100644 -diff -up openssh-9.3p1/ssh-agent.c.cve openssh-9.3p1/ssh-agent.c ---- openssh-9.3p1/ssh-agent.c.cve 2023-07-21 15:38:13.237276580 +0200 -+++ openssh-9.3p1/ssh-agent.c 2023-07-21 15:41:30.269943569 +0200 -@@ -169,6 +169,12 @@ char socket_dir[PATH_MAX]; - /* Pattern-list of allowed PKCS#11/Security key paths */ - static char *allowed_providers; - -+/* -+ * Allows PKCS11 providers or SK keys that use non-internal providers to -+ * be added over a remote connection (identified by session-bind@openssh.com). -+ */ -+static int remote_add_provider; -+ - /* locking */ - #define LOCK_SIZE 32 - #define LOCK_SALT_SIZE 16 -@@ -1228,6 +1234,12 @@ process_add_identity(SocketEntry *e) - if (strcasecmp(sk_provider, "internal") == 0) { - debug_f("internal provider"); - } else { -+ if (e->nsession_ids != 0 && !remote_add_provider) { -+ verbose("failed add of SK provider \"%.100s\": " -+ "remote addition of providers is disabled", -+ sk_provider); -+ goto out; -+ } - if (realpath(sk_provider, canonical_provider) == NULL) { - verbose("failed provider \"%.100s\": " - "realpath: %s", sk_provider, -@@ -1368,7 +1380,7 @@ no_identities(SocketEntry *e) - - #ifdef ENABLE_PKCS11 - static char * --sanitize_pkcs11_provider(const char *provider) -+sanitize_pkcs11_provider(SocketEntry *e, const char *provider) - { - struct pkcs11_uri *uri = NULL; - char *sane_uri, *module_path = NULL; /* default path */ -@@ -1399,6 +1411,11 @@ sanitize_pkcs11_provider(const char *pro - module_path = strdup(provider); /* simple path */ - - if (module_path != NULL) { /* do not validate default NULL path in URI */ -+ if (e->nsession_ids != 0 && !remote_add_provider) { -+ verbose("failed PKCS#11 add of \"%.100s\": remote addition of " -+ "providers is disabled", provider); -+ return NULL; -+ } - if (realpath(module_path, canonical_provider) == NULL) { - verbose("failed PKCS#11 provider \"%.100s\": realpath: %s", - module_path, 
strerror(errno)); -@@ -1455,7 +1472,7 @@ process_add_smartcard_key(SocketEntry *e - goto send; - } - -- sane_uri = sanitize_pkcs11_provider(provider); -+ sane_uri = sanitize_pkcs11_provider(e, provider); - if (sane_uri == NULL) - goto send; - -@@ -1516,7 +1533,7 @@ process_remove_smartcard_key(SocketEntry - } - free(pin); - -- sane_uri = sanitize_pkcs11_provider(provider); -+ sane_uri = sanitize_pkcs11_provider(e, provider); - if (sane_uri == NULL) - goto send; - -@@ -2108,7 +2125,9 @@ main(int ac, char **av) - break; - case 'O': - if (strcmp(optarg, "no-restrict-websafe") == 0) -- restrict_websafe = 0; -+ restrict_websafe = 0; -+ else if (strcmp(optarg, "allow-remote-pkcs11") == 0) -+ remote_add_provider = 1; - else - fatal("Unknown -O option"); - break; -diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c -index 6be647ec..ebddf6c3 100644 ---- a/ssh-pkcs11.c -+++ b/ssh-pkcs11.c -@@ -1537,10 +1537,8 @@ pkcs11_register_provider(char *provider_id, char *pin, - error("dlopen %s failed: %s", provider_module, dlerror()); - goto fail; - } -- if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) { -- error("dlsym(C_GetFunctionList) failed: %s", dlerror()); -- goto fail; -- } -+ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) -+ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror()); - - p->module->handle = handle; - /* setup the pkcs11 callbacks */ ---- a/ssh-agent.1 2023-03-15 22:28:19.000000000 +0100 -+++ b/ssh-agent.1 2023-07-19 21:39:17.981406432 +0200 -@@ -107,9 +107,27 @@ - .It Fl O Ar option - Specify an option when starting - .Nm . --Currently only one option is supported: -+Currently two options are supported: -+.Cm allow-remote-pkcs11 -+and - .Cm no-restrict-websafe . --This instructs -+.Pp -+The -+.Cm allow-remote-pkcs11 -+option allows clients of a forwarded -+.Nm -+to load PKCS#11 or FIDO provider libraries. -+By default only local clients may perform this operation. 
-+Note that signalling that a -+.Nm -+client remote is performed by -+.Xr ssh 1 , -+and use of other tools to forward access to the agent socket may circumvent -+this restriction. -+.Pp -+The -+.Cm no-restrict-websafe , -+instructs - .Nm - to permit signatures using FIDO keys that might be web authentication - requests. diff --git a/openssh-9.3p1.tar.gz.asc b/openssh-9.3p1.tar.gz.asc deleted file mode 100644 index 13b4da9..0000000 --- a/openssh-9.3p1.tar.gz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmQSOZYACgkQKj9BTnNg -YLrKJg//fSKjNlnb3l75ZwLoWhwpEZQp7poEq5qCCRNvu4dleuU1sMxNPl9/Ow1i -iZVW67OGNjIsJ7FJmHNF3UOgkH50c6OHivmDaTywDtyCLZvUVmaSfOe0own8s8KB -OV7czHqd9giHQlGWWTxg9eVAfOaqpzXugkzo7UoTVqEqJ3Ru/FQ4RGSIjTGzuM/0 -EC+JkKyO+0pP3mr4XfZdxsbYc9WVEG9ZIlT153y9I5MfiWM1SC/0gg4NLz025Xaa -ment5c+BdhIwYjC2f5F/9s0J6+lFHiFBHLQVGx4qq/Tx3XGfP0xBcS1V9Mkhyjzf -ZXj6acQ+T50H8p3OWZyrWn11YNtGjzkwuQWrj8Ue4NPFGqgPbANeH32yOiIWpIh0 -CtpGnRGQP1zF14hEAR5gKangTNCp/IVMBhIs4UL3zI6uS2yRLTGOWcgrnjJv26vg -jb2WmL0AeqYLZw41pbq+zmVizhhg8qk7KPQQsFxnalSFHz35tnHN8oQD5TCDxqtu -f/roTbZhW/nnlaMlEAnB09LO6e1nyDIcJ6hj0CK9cSgIn8pb1q9GdjYx5PNKwsoa -NuD+bqlzF5krjiOHJh+vDw0GKFusflL46Dmry5a4K0vLUGBn6uAUPtuwMdBsLofU -k3a4zBMlOCm6o3WqgAug4fSwCfYkJ9Dc+FaedGC1X4fys4lV/6k= -=deVJ ------END PGP SIGNATURE----- diff --git a/openssh.spec b/openssh.spec index 7839045..c87d68a 100644 --- a/openssh.spec +++ b/openssh.spec @@ -6,10 +6,10 @@ %{?no_gtk2:%global gtk2 0} %global sshd_uid 74 -%global openssh_release 2.1 +%global openssh_release 31 Name: openssh -Version: 9.3p1 +Version: 8.8p1 Release: %{openssh_release} URL: http://www.openssh.com/portable.html License: BSD 
@@ -18,86 +18,120 @@ Summary: An open source implementation of SSH protocol version 2 Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz Source1: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc Source2: sshd.pam -Source3: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.10.4.tar.gz -Source4: pam_ssh_agent-rmheaders -Source5: ssh-keycat.pam -Source6: sshd.sysconfig -Source7: sshd@.service -Source8: sshd.socket -Source9: sshd.service -Source10: sshd-keygen@.service -Source11: sshd-keygen -Source12: sshd.tmpfiles -Source13: sshd-keygen.target -Source14: ssh-agent.service -Source15: ssh-agent.socket -Source16: ssh-keygen-bash-completion.sh -Patch0: openssh-6.7p1-coverity.patch -Patch1: openssh-7.6p1-audit.patch -Patch2: openssh-7.1p2-audit-race-condition.patch -Patch3: pam_ssh_agent_auth-0.9.3-build.patch -Patch4: pam_ssh_agent_auth-0.10.3-seteuid.patch -Patch5: pam_ssh_agent_auth-0.9.2-visibility.patch -Patch6: pam_ssh_agent_auth-0.9.3-agent_structure.patch -Patch7: pam_ssh_agent_auth-0.10.2-compat.patch -Patch8: pam_ssh_agent_auth-0.10.2-dereference.patch -Patch9: pam_ssh_agent_auth-0.10.4-rsasha2.patch -Patch10: pam_ssh_agent-configure-c99.patch -Patch11: openssh-7.8p1-role-mls.patch -Patch12: openssh-6.6p1-privsep-selinux.patch -Patch14: openssh-6.6p1-keycat.patch -Patch15: openssh-6.6p1-allow-ip-opts.patch -Patch17: openssh-5.9p1-ipv6man.patch -Patch18: openssh-5.8p2-sigpipe.patch -Patch19: openssh-7.2p2-x11.patch -Patch21: openssh-5.1p1-askpass-progress.patch -Patch22: openssh-4.3p2-askpass-grab-info.patch -Patch23: openssh-7.7p1.patch -Patch24: openssh-7.8p1-UsePAM-warning.patch -Patch28: openssh-8.0p1-gssapi-keyex.patch -Patch29: openssh-6.6p1-force_krb.patch -Patch30: openssh-6.6p1-GSSAPIEnablek5users.patch -Patch31: openssh-7.7p1-gssapi-new-unique.patch -Patch32: openssh-7.2p2-k5login_directory.patch -Patch33: openssh-6.6p1-kuserok.patch -Patch34: 
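Review bot: `Version: 8.8p1` replaces `Version: 9.3p1` without an `Epoch:`, and bumping `Release:` to 31 does not help, because rpm compares the version field before the release field; a host that already has openssh-9.3p1-2.1 installed will rank this build as older and a plain update will not install it. If the downgrade is deliberate, add `Epoch: 1` here and fold `%{?epoch:%{epoch}:}` into the versioned `Requires: openssh = %{version}-%{release}` lines in the subpackages so they keep matching; otherwise the new package is unreachable through the normal upgrade path. A one-line comment above `Version:` stating why 8.8p1 is being shipped in place of 9.3p1 would also save the next maintainer from reverting it.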
openssh-6.4p1-fromto-remote.patch -Patch35: openssh-6.6.1p1-selinux-contexts.patch -Patch36: openssh-6.6.1p1-log-in-chroot.patch -Patch37: openssh-6.6.1p1-scp-non-existing-directory.patch -Patch38: openssh-6.8p1-sshdT-output.patch -Patch39: openssh-6.7p1-sftp-force-permission.patch -Patch40: openssh-7.2p2-s390-closefrom.patch -Patch41: openssh-7.3p1-x11-max-displays.patch -Patch42: openssh-7.4p1-systemd.patch -Patch43: openssh-7.6p1-cleanup-selinux.patch -Patch44: openssh-7.5p1-sandbox.patch -Patch45: openssh-8.0p1-pkcs11-uri.patch -Patch46: openssh-7.8p1-scp-ipv6.patch -Patch48: openssh-8.0p1-crypto-policies.patch -Patch49: openssh-9.3p1-merged-openssl-evp.patch -Patch50: openssh-8.0p1-openssl-kdf.patch -Patch51: openssh-8.2p1-visibility.patch -Patch52: openssh-8.2p1-x11-without-ipv6.patch -Patch53: openssh-8.0p1-keygen-strip-doseol.patch -Patch54: openssh-8.0p1-preserve-pam-errors.patch -Patch55: openssh-8.7p1-scp-kill-switch.patch -Patch56: openssh-8.7p1-recursive-scp.patch -Patch57: openssh-8.7p1-minrsabits.patch -Patch58: openssh-8.7p1-ibmca.patch -Patch60: openssh-8.7p1-ssh-manpage.patch -Patch61: openssh-8.7p1-negotiate-supported-algs.patch -Patch65: openssh-9.3p1-upstream-cve-2023-38408.patch -Patch66: bugfix-sftp-when-parse_user_host_path-empty-path-should-be-allowed.patch -Patch67: bugfix-openssh-add-option-check-username-splash.patch -Patch68: feature-openssh-7.4-hima-sftpserver-oom-and-fix.patch -Patch69: bugfix-openssh-fix-sftpserver.patch -Patch70: set-sshd-config.patch -Patch71: feature-add-SMx-support.patch -Patch72: add-loongarch.patch -Patch73: openssh-Add-sw64-architecture.patch +Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.10.4.tar.gz +Source5: pam_ssh_agent-rmheaders +Source6: ssh-keycat.pam +Source7: sshd.sysconfig +Source9: sshd@.service +Source10: sshd.socket +Source11: sshd.service +Source12: sshd-keygen@.service +Source13: sshd-keygen +Source14: sshd.tmpfiles +Source15: 
sshd-keygen.target +Source16: ssh-agent.service +Source17: ssh-keygen-bash-completion.sh +Patch0: backport-openssh-6.7p1-coverity.patch +Patch1: backport-openssh-7.6p1-audit.patch +Patch2: backport-openssh-7.1p2-audit-race-condition.patch +Patch3: backport-pam_ssh_agent_auth-0.9.3-build.patch +Patch4: backport-pam_ssh_agent_auth-0.10.3-seteuid.patch +Patch5: backport-pam_ssh_agent_auth-0.9.2-visibility.patch +Patch6: backport-pam_ssh_agent_auth-0.9.3-agent_structure.patch +Patch7: backport-pam_ssh_agent_auth-0.10.2-compat.patch +Patch8: backport-pam_ssh_agent_auth-0.10.2-dereference.patch +Patch9: backport-openssh-7.8p1-role-mls.patch +Patch10: backport-openssh-6.6p1-privsep-selinux.patch +Patch12: backport-openssh-6.6p1-keycat.patch +Patch13: backport-openssh-6.6p1-allow-ip-opts.patch +Patch14: backport-openssh-6.6p1-keyperm.patch +Patch15: backport-openssh-5.9p1-ipv6man.patch +Patch16: backport-openssh-5.8p2-sigpipe.patch +Patch17: backport-openssh-7.2p2-x11.patch +Patch18: backport-openssh-7.7p1-fips.patch +Patch19: backport-openssh-5.1p1-askpass-progress.patch +Patch20: backport-openssh-4.3p2-askpass-grab-info.patch +Patch21: backport-openssh-7.7p1.patch +Patch22: backport-openssh-7.8p1-UsePAM-warning.patch +Patch23: backport-openssh-6.3p1-ctr-evp-fast.patch +Patch26: backport-openssh-8.0p1-gssapi-keyex.patch +Patch27: backport-openssh-6.6p1-force_krb.patch +Patch28: backport-openssh-6.6p1-GSSAPIEnablek5users.patch +Patch29: backport-openssh-7.7p1-gssapi-new-unique.patch +Patch30: backport-openssh-7.2p2-k5login_directory.patch +Patch31: backport-openssh-6.6p1-kuserok.patch +Patch32: backport-openssh-6.4p1-fromto-remote.patch +Patch33: backport-openssh-6.6.1p1-selinux-contexts.patch +Patch34: backport-openssh-6.6.1p1-log-in-chroot.patch +Patch35: backport-openssh-6.6.1p1-scp-non-existing-directory.patch +Patch36: backport-openssh-6.8p1-sshdT-output.patch +Patch37: backport-openssh-6.7p1-sftp-force-permission.patch +Patch38: 
backport-openssh-7.2p2-s390-closefrom.patch +Patch39: backport-openssh-7.3p1-x11-max-displays.patch +Patch40: backport-openssh-7.4p1-systemd.patch +Patch41: backport-openssh-7.6p1-cleanup-selinux.patch +Patch42: backport-openssh-7.5p1-sandbox.patch +Patch43: backport-openssh-8.0p1-pkcs11-uri.patch +Patch44: backport-openssh-7.8p1-scp-ipv6.patch +Patch46: backport-openssh-8.0p1-crypto-policies.patch +Patch47: backport-openssh-8.0p1-openssl-evp.patch +Patch48: backport-openssh-8.0p1-openssl-kdf.patch +Patch49: backport-openssh-8.2p1-visibility.patch +Patch50: backport-openssh-8.2p1-x11-without-ipv6.patch +Patch51: backport-openssh-8.0p1-keygen-strip-doseol.patch +Patch53: backport-openssh-8.7p1-scp-kill-switch.patch +Patch54: bugfix-sftp-when-parse_user_host_path-empty-path-should-be-allowed.patch +Patch55: bugfix-openssh-6.6p1-log-usepam-no.patch +Patch56: bugfix-openssh-add-option-check-username-splash.patch +Patch57: feature-openssh-7.4-hima-sftpserver-oom-and-fix.patch +Patch58: bugfix-openssh-fix-sftpserver.patch +Patch59: set-sshd-config.patch +Patch60: backport-fix-possible-NULL-deref-when-built-without-FIDO.patch +Patch61: feature-add-SMx-support.patch +Patch62: backport-upstream-a-little-extra-debugging.patch +Patch63: backport-upstream-better-debugging-for-connect_next.patch +Patch64: openssh-Add-sw64-architecture.patch +Patch65: add-loongarch.patch +Patch66: backport-upstream-if-sshpkt-functions-fail-then-password-is-n.patch +Patch67: backport-upstream-Make-sure-not-to-fclose-the-same-fd-twice-i.patch +Patch68: backport-upstream-Donot-attempt-to-fprintf-a-null-identity-co.patch +Patch69: backport-upstream-ignore-SIGPIPE-earlier-in-main-specifically.patch +Patch70: backport-upstream-Always-return-allocated-strings-from-the-ke.patch +Patch71: backport-Don-t-leak-the-strings-allocated-by-order_h.patch +Patch72: backport-Return-ERANGE-from-getcwd-if-buffer-size-is-1.patch +Patch73: backport-upstream-double-free-in-error-path-from-Eusgor-via-G.patch Patch74: 
add-strict-scp-check-for-CVE-2020-15778.patch -Patch75: skip-scp-test-if-there-is-no-scp-on-remote-path-as-s.patch -Patch77: set-ssh-config.patch +Patch75: backport-upstream-ssh-keygen-Y-check-novalidate-requires-name.patch +Patch76: backport-upstream-avoid-integer-overflow-of-auth-attempts-har.patch +Patch77: backport-Skip-scp3-test-if-there-s-no-scp-on-remote-path.patch +Patch78: skip-scp-test-if-there-is-no-scp-on-remote-path-as-s.patch +Patch79: backport-upstream-CVE-2023-25136-fix-double-free-caused.patch +Patch80: set-ssh-config.patch +Patch81: backport-upstream-honour-user-s-umask-if-it-is-more-restricti.patch +Patch82: backport-upstream-use-correct-type-with-sizeof-ok-djm.patch +Patch83: backport-Defer-seed_rng-until-after-closefrom-call.patch +Patch84: backport-upstream-Handle-dynamic-remote-port-forwarding-in-es.patch +Patch85: backport-upstream-The-idiomatic-way-of-coping-with-signed-cha.patch +Patch86: backport-upstream-Clear-signal-mask-early-in-main-sshd-may-ha.patch +Patch87: backport-upstream-fix-bug-in-PermitRemoteOpen-which-caused-it.patch +Patch88: backport-upstream-regression-test-for-PermitRemoteOpen.patch +Patch89: backport-upstream-Copy-bytes-from-the_banana-rather-than-bana.patch +Patch90: backport-upstream-When-OpenSSL-is-not-available-skip-parts-of.patch +Patch91: backport-don-t-test-IPv6-addresses-if-platform-lacks-support.patch +Patch92: backport-upstream-avoid-printf-s-NULL-if-using-ssh.patch +Patch93: backport-upstream-Add-scp-s-path-to-test-sshd-s-PATH.patch +Patch94: backport-upstream-Instead-of-skipping-the-all-tokens-test-if-.patch +Patch95: backport-upstream-Shell-syntax-fix.-From-ren-mingshuai-vi-git.patch +Patch96: backport-Allow-writev-is-seccomp-sandbox.patch +Patch97: backport-upstream-Ensure-that-there-is-a-terminating-newline-.patch +Patch98: backport-upstream-test-compat_kex_proposal-by-dtucker.patch +Patch99: backport-adapt-compat_kex_proposal-test-to-portable.patch +Patch100: 
backport-fix-CVE-2023-38408-upstream-terminate-process.patch +Patch101: backport-upstream-In-channel_request_remote_forwarding-the-pa.patch +Patch102: backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch +Patch103: backport-CVE-2023-48795.patch +Patch104: fix-memory-leak-in-kex-exchange.patch +Patch105: backport-fix-CVE-2024-6387.patch Requires: /sbin/nologin Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8 @@ -105,7 +139,7 @@ Requires: openssh-server = %{version}-%{release} BuildRequires: gtk2-devel libX11-devel openldap-devel autoconf automake perl-interpreter perl-generators BuildRequires: zlib-devel audit-libs-devel >= 2.0.5 util-linux groff pam-devel -BuildRequires: openssl3 perl-podlators systemd-devel gcc p11-kit-devel krb5-devel +BuildRequires: openssl-devel >= 0.9.8j perl-podlators systemd-devel gcc p11-kit-devel krb5-devel BuildRequires: libedit-devel ncurses-devel libselinux-devel >= 2.3-5 audit-libs >= 1.0.8 xauth gnupg2 Recommends: p11-kit @@ -114,7 +148,6 @@ Recommends: p11-kit Summary: An open source SSH client applications Requires: openssh = %{version}-%{release} Requires: crypto-policies >= 20180306-1 -Requires: openssl3 %package server Summary: An open source SSH server daemon @@ -122,7 +155,6 @@ Requires: openssh = %{version}-%{release} Requires(pre): shadow Requires: pam >= 1.0.1-3 Requires: crypto-policies >= 20180306-1 -Requires: openssl3 %{?systemd_requires} %package keycat @@ -173,7 +205,7 @@ instance. The module is most useful for su and sudo service stacks. %package_help %prep -%setup -q -a 3 +%setup -q -a 4 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4 %patch3 -p2 -b .psaa-build 
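Review bot: `Source1: ...openssh-%{version}.tar.gz.asc` now points at an 8.8p1 detached signature, but this diff deletes `openssh-9.3p1.tar.gz.asc` and no 8.8p1 `.asc` is visible in this view, so the reference may be dangling. If `%prep` verifies Source0 against Source1 (gnupg2 in BuildRequires suggests it might, though no verification step is visible here) the build fails; if it does not, the tarball is consumed unverified and Source1 is only decoration. Either add the matching 8.8p1 signature plus a verification step in `%prep` (the `%{gpgverify}` macro where the distribution provides it), or drop Source1 rather than keep a reference the build cannot check.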
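Review bot: `BuildRequires: openssl-devel >= 0.9.8j` sets a floor far below anything 8.8p1 can build against; as far as I recall portable OpenSSH dropped support for OpenSSL older than 1.0.1 in 7.4, so this constraint documents nothing and will not reject a stale libcrypto at dependency-resolution time. Raise it to the minimum this source tree plus its patches actually compiles with, e.g. `BuildRequires: openssl-devel >= 1.1.1` after confirming the build, so an unsupported crypto library is caught before configure rather than at link time.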
@@ -182,60 +214,66 @@ pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4 %patch7 -p2 -b .psaa-compat %patch6 -p2 -b .psaa-agent %patch8 -p2 -b .psaa-deref -%patch9 -p2 -b .rsasha2 -%patch10 -p1 -b .psaa-configure-c99 # Remove duplicate headers and library files -rm -f $(cat %{SOURCE4}) +rm -f $(cat %{SOURCE5}) popd -%patch11 -p1 -b .role-mls -%patch12 -p1 -b .privsep-selinux -%patch14 -p1 -b .keycat -%patch15 -p1 -b .ip-opts -%patch17 -p1 -b .ipv6man -%patch18 -p1 -b .sigpipe -%patch19 -p1 -b .x11 -%patch21 -p1 -b .progress -%patch22 -p1 -b .grab-info -%patch23 -p1 -%patch24 -p1 -b .log-usepam-no -%patch28 -p1 -b .gsskex -%patch29 -p1 -b .force_krb -%patch31 -p1 -b .ccache_name -%patch32 -p1 -b .k5login -%patch33 -p1 -b .kuserok -%patch34 -p1 -b .fromto-remote -%patch35 -p1 -b .contexts -%patch36 -p1 -b .log-in-chroot -%patch37 -p1 -b .scp -%patch30 -p1 -b .GSSAPIEnablek5users -%patch38 -p1 -b .sshdt -%patch39 -p1 -b .sftp-force-mode -%patch40 -p1 -b .s390-dev -%patch41 -p1 -b .x11max -%patch42 -p1 -b .systemd -%patch43 -p1 -b .refactor -%patch44 -p1 -b .sandbox -%patch45 -p1 -b .pkcs11-uri -%patch46 -p1 -b .scp-ipv6 -%patch48 -p1 -b .crypto-policies -%patch49 -p1 -b .openssl-evp -%patch50 -p1 -b .openssl-kdf -%patch51 -p1 -b .visibility -%patch52 -p1 -b .x11-ipv6 -%patch53 -p1 -b .keygen-strip-doseol -%patch54 -p1 -b .preserve-pam-errors -%patch55 -p1 -b .kill-scp -%patch56 -p1 -b .scp-sftpdirs -%patch57 -p1 -b .minrsabits -%patch58 -p1 -b .ibmca -%patch60 -p1 -b .ssh-manpage -%patch61 -p1 -b .negotiate-supported-algs -%patch65 -p1 -b .cve-2023-38408 +%patch9 -p1 -b .role-mls +%patch10 -p1 -b .privsep-selinux +%patch12 -p1 -b .keycat +%patch13 -p1 -b .ip-opts +%patch14 -p1 -b .keyperm +%patch15 -p1 -b .ipv6man +%patch16 -p1 -b .sigpipe +%patch17 -p1 -b .x11 +%patch19 -p1 -b .progress +%patch20 -p1 -b .grab-info +%patch21 -p1 +%patch22 -p1 -b .log-usepam-no +%patch23 -p1 -b .evp-ctr +%patch26 -p1 -b .gsskex +%patch27 -p1 -b .force_krb +%patch29 -p1 -b .ccache_name 
+%patch30 -p1 -b .k5login +%patch31 -p1 -b .kuserok +%patch32 -p1 -b .fromto-remote +%patch33 -p1 -b .contexts +%patch34 -p1 -b .log-in-chroot +%patch35 -p1 -b .scp +%patch28 -p1 -b .GSSAPIEnablek5users +%patch36 -p1 -b .sshdt +%patch37 -p1 -b .sftp-force-mode +%patch38 -p1 -b .s390-dev +%patch39 -p1 -b .x11max +%patch40 -p1 -b .systemd +%patch41 -p1 -b .refactor +%patch42 -p1 -b .sandbox +%patch43 -p1 -b .pkcs11-uri +%patch44 -p1 -b .scp-ipv6 +%patch46 -p1 -b .crypto-policies +%patch47 -p1 -b .openssl-evp +%patch48 -p1 -b .openssl-kdf +%patch49 -p1 -b .visibility +%patch50 -p1 -b .x11-ipv6 +%patch51 -p1 -b .keygen-strip-doseol +%patch53 -p1 -b .kill-scp %patch1 -p1 -b .audit %patch2 -p1 -b .audit-race +%patch18 -p1 -b .fips %patch0 -p1 -b .coverity +%patch54 -p1 +%patch55 -p1 +%patch56 -p1 +%patch57 -p1 +%patch58 -p1 +%patch59 -p1 +%patch60 -p1 +%patch61 -p1 +%patch62 -p1 +%patch63 -p1 +%patch64 -p1 +%patch65 -p1 %patch66 -p1 %patch67 -p1 %patch68 -p1 @@ -246,7 +284,36 @@ popd %patch73 -p1 %patch74 -p1 %patch75 -p1 +%patch76 -p1 %patch77 -p1 +%patch78 -p1 +%patch79 -p1 +%patch80 -p1 +%patch81 -p1 +%patch82 -p1 +%patch83 -p1 +%patch84 -p1 +%patch85 -p1 +%patch86 -p1 +%patch87 -p1 +%patch88 -p1 +%patch89 -p1 +%patch90 -p1 +%patch91 -p1 +%patch92 -p1 +%patch93 -p1 +%patch94 -p1 +%patch95 -p1 +%patch96 -p1 +%patch97 -p1 +%patch98 -p1 +%patch99 -p1 +%patch100 -p1 +%patch101 -p1 +%patch102 -p1 +%patch103 -p1 +%patch104 -p1 +%patch105 -p1 autoreconf pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4 @@ -282,10 +349,7 @@ else CFLAGS="$CFLAGS -I%{_includedir}/gssapi" fi -LDFLAGS="$LDFLAGS -L/opt/openssl3/%{_lib} -Wl,-rpath=/opt/openssl3/%{_lib}" -CFLAGS="$CFLAGS -I/opt/openssl3/include" %configure \ - --with-ssl-dir=/opt/openssl3 \ --sysconfdir=%{_sysconfdir}/ssh --libexecdir=%{_libexecdir}/openssh \ --datadir=%{_datadir}/openssh --with-default-path=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin \ --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \ 
@@ -293,10 +357,11 @@ CFLAGS="$CFLAGS -I/opt/openssl3/include" --without-zlib-version-check --with-ssl-engine --with-ipaddr-display \ --with-pie=no --without-hardening --with-systemd --with-default-pkcs11-provider=yes \ --with-pam --with-selinux --with-audit=linux --with-security-key-buildin=yes \ -%ifnarch riscv64 loongarch64 sw_64 +%ifnarch riscv64 sw_64 loongarch64 --with-sandbox=seccomp_filter \ %endif - --with-kerberos5${krb5_prefix:+=${krb5_prefix}} --with-libedit || cat config.log + --with-kerberos5${krb5_prefix:+=${krb5_prefix}} --with-libedit + make gtk2=yes @@ -320,7 +385,17 @@ make popd %check +if [ -e /sys/fs/selinux/enforce ]; then + # Store the SElinux state + cat /sys/fs/selinux/enforce > selinux.tmp + setenforce 0 +fi make tests +if [ -e /sys/fs/selinux/enforce ]; then + # Restore the SElinux state + cat selinux.tmp > /sys/fs/selinux/enforce + rm -rf selinux.tmp +fi %install mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh 
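Review bot: The SELinux restore in the new %check block never runs when `make tests` fails, because rpmbuild executes the section under `sh -e` and stops at the failing command, so a failed test run leaves the build host at enforce=0 until someone notices. Record the result instead of relying on fall-through, `rc=0; make tests || rc=$?`, keep the restore block as it is, and end the section with `exit $rc` after the closing `fi` so the failure still propagates. The same `-e` behaviour means a `setenforce 0` that is refused in the build environment (whether it is permitted there is not visible in this hunk) aborts %check right after selinux.tmp has been written. `selinux.tmp` is a regular file, so `rm -f selinux.tmp` states the intent better than `rm -rf`.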
@@ -335,23 +410,22 @@ install -d $RPM_BUILD_ROOT/etc/pam.d/ install -d $RPM_BUILD_ROOT/etc/sysconfig/ install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd -install -m644 %{SOURCE5} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat -install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/sysconfig/sshd +install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat +install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd install -d -m755 $RPM_BUILD_ROOT/%{_unitdir} -install -m644 %{SOURCE7} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service -install -m644 %{SOURCE8} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket -install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service -install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service -install -m644 %{SOURCE13} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target +install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service +install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket +install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service +install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service +install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target install -d -m755 $RPM_BUILD_ROOT/%{_userunitdir} -install -m644 %{SOURCE14} $RPM_BUILD_ROOT/%{_userunitdir}/ssh-agent.service -install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_userunitdir}/ssh-agent.socket -install -m744 %{SOURCE11} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen +install -m644 %{SOURCE16} $RPM_BUILD_ROOT/%{_userunitdir}/ssh-agent.service +install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/ install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/ -install -m644 -D %{SOURCE12} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf +install -m644 -D %{SOURCE14} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass 
-install -m644 %{SOURCE16} $RPM_BUILD_ROOT/etc/bash_completion.d/ssh-keygen-bash-completion.sh +install -m644 %{SOURCE17} $RPM_BUILD_ROOT/etc/bash_completion.d/ssh-keygen-bash-completion.sh ln -s gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ @@ -382,14 +456,6 @@ getent passwd sshd >/dev/null || \ %postun server %systemd_postun_with_restart sshd.service -%post clients -%systemd_user_post ssh-agent.service -%systemd_user_post ssh-agent.socket - -%preun clients -%systemd_user_preun ssh-agent.service -%systemd_user_preun ssh-agent.socket - %files %license LICENCE %doc CREDITS README.platform @@ -411,8 +477,7 @@ getent passwd sshd >/dev/null || \ %attr(0755,root,root) %{_bindir}/ssh-copy-id %attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper %attr(0755,root,root) %{_libexecdir}/openssh/ssh-sk-helper -%attr(0644,root,root) %{_userunitdir}/ssh-agent.service -%attr(0644,root,root) %{_userunitdir}/ssh-agent.socket +%attr(0755,root,root) %{_userunitdir}/ssh-agent.service %files server %dir %attr(0711,root,root) %{_var}/empty/sshd @@ -441,6 +506,7 @@ getent passwd sshd >/dev/null || \ %files -n pam_ssh_agent_auth %license pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/OPENSSH_LICENSE %attr(0755,root,root) %{_libdir}/security/pam_ssh_agent_auth.so +%attr(0644,root,root) %{_mandir}/man8/pam_ssh_agent_auth.8* %files help %doc ChangeLog OVERVIEW PROTOCOL* README README.privsep README.tun README.dns TODO 
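Review bot: `%attr(0755,root,root) %{_userunitdir}/ssh-agent.service` in the -411 hunk marks a systemd user unit executable, while the same file is installed with `install -m644` in the -335 hunk above and the two entries it replaces used 0644; unit files are data read by systemd, so the execute bit buys nothing and the two hunks now disagree about the file's mode. Unless the bit is deliberate, `%attr(0644,root,root) %{_userunitdir}/ssh-agent.service` keeps the %files entry consistent with the install line and with the other unit entries in this section. Dropping the `%post clients`/`%preun clients` user-unit scriptlets in the -382 hunk is consistent with the unit losing its `[Install]` section elsewhere in this commit, but the changelog entry does not mention that the agent unit can no longer be enabled; a one-line note there would help.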
@@ -451,175 +517,201 @@ getent passwd sshd >/dev/null || \ %attr(0644,root,root) %{_mandir}/man5/ssh*.5* %attr(0644,root,root) %{_mandir}/man5/moduli.5* %attr(0644,root,root) %{_mandir}/man8/ssh*.8* -%attr(0644,root,root) %{_mandir}/man8/pam_ssh_agent_auth.8* %attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %changelog -* Mon Oct 02 2023 Funda Wang <fundawang@yeah.net> - 9.3p1-2.1 -- Try building with openssl3 +* Tue Jul 2 2024 renmingshuai<renmingshuai@huawei.com> - 8.8p1-31 +- Type:CVE +- CVE:CVE-2024-6387 +- SUG:NA +- DESC:Fix CVE-2024-6387 -* Fri Aug 25 2023 renmingshuai<renmingshuai@huawei.com> - 9.3p1-2 +* Mon Apr 29 2024 renmingshuai<renmingshuai@huawei.com> - 8.8p1-30 - Type:bugfix -- CVE:NA +- CVE: - SUG:NA -- DESC:use correct ssh-agent.socket name +- DESC:Disable SElinux when make tests -* Thu Jul 27 2023 renmingshuai<renmingshuai@huawei.com> - 9.3p1-1 -- Type:requirement +* Thu Mar 14 2024 renmingshuai<renmingshuai@huawei.com> - 8.8p1-29 +- Type:bugfix +- CVE: +- SUG:NA +- DESC:fix setting the number of authentication attempts failed + +* Fri Feb 2 2024 songjuntao<songjuntao@kylinos.cn> - 8.8p1-28 +- Type:bugfix +- CVE: +- SUG:NA +- DESC: fix memory leak in kex2 exchange function + +* Wed Jan 31 2024 renmingshuai<renmingshuai@huawei.com> - 8.8p1-27 +- Type:bugfix +- CVE: +- SUG:NA +- DESC:move pam_ssh_agent_auth man page to sub-package + +* Wed Jan 10 2024 renmingshuai<renmingshuai@huawei.com> - 8.8p1-26 +- Type:CVE +- CVE:CVE-2023-48795 +- SUG:NA +- DESC:fix CVE-2023-48795 by using the other patch instead + +* Sat Dec 23 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-25 +- Type:CVE +- CVE:CVE-2023-48795,CVE-2023-51385 +- SUG:NA +- DESC:fix CVE-2023-48795 and CVE-2023-51385 + +* Tue Aug 15 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-24 +- Type:bugfix - CVE:NA - SUG:NA -- DESC:update to 9.3p1 +- DESC:In channel_request_remote_forwarding the parameters -* Tue Jun 13 2023 renmingshuai<renmingshuai@huawei.com> - 9.1p1-6 +* Thu Jul 27 2023 
renmingshuai<renmingshuai@huawei.com> - 8.8p1-23 +- Type:CVE +- CVE:CVE-2023-38408 +- SUG:NA +- DESC:fix CVE-2023-38408 + +* Wed Jun 7 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-22 - Type:bugfix - CVE:NA - SUG:NA - DESC:fix misspelling -* Sat May 27 2023 renmingshuai<renmingshuai@huawei.com> - 9.1p1-5 +* Sat May 27 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-21 - Type:bugfix - CVE:NA - SUG:NA - DESC:fix environment variable -* Sat Mar 18 2023 renmingshuai<renmingshuai@huawei.com> - 9.1p1-4 +* Thu Mar 23 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-20 - Type:bugfix - CVE:NA - SUG:NA -- DESC:backport some upstreams patches and delete unused patches +- DESC:backport some upstream patches and modify some patches numbers -* Tue Feb 28 2023 renmingshuai<renmingshuai@huawei.com> - 9.1p1-3 +* Thu Mar 09 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-19 - Type:bugfix - CVE:NA - SUG:NA -- DESC:set default ssh_config +- DESC:set default ssh config -* Mon Feb 06 2023 renmingshuai<renmingshuai@huawei.com> - 9.1p1-2 +* Mon Feb 06 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-18 - Type:CVE - CVE:CVE-2023-25136 - SUG:NA - DESC:fix CVE-2023-25136 -* Mon Jan 30 2023 renmingshuai<renmingshuai@huawei.com> - 9.1p1-1 +* Fri Jan 06 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-17 - Type:bugfix - CVE:NA - SUG:NA -- DESC:update to openssh-9.1p1 +- DESC:fix test failure and enable make tests -* Mon Jan 9 2023 renmingshuai <renmingshuai@huawei.com> - 8.8p1-17 +* Tue Jan 03 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-16 - Type:bugfix - CVE:NA - SUG:NA -- DESC:fix possible NULL deref when built without FIDO +- DESC:always make tests -* Tue Jan 3 2023 renmingshuai <renmingshuai@huawei.com> - 8.8p1-16 +* Thu Dec 29 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-15 - Type:bugfix - CVE:NA - SUG:NA -- DESC:fix test failure and always make tests +- DESC:avoid integer overflow of auth attempts har -* Thu Dec 29 2022 renmingshuai <renmingshuai@huawei.com> 
- 8.8p1-15 +* Fri Dec 16 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-14 - Type:bugfix - CVE:NA - SUG:NA -- DESC:avoid integer overflow of auth attempts +- DESC:Fix ssh-keygen -Y check novalidate requires name -* Thu Dec 29 2022 renmingshuai <renmingshuai@huawei.com> - 8.8p1-14 +* Tue Dec 13 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-13 - Type:bugfix - CVE:NA - SUG:NA -- DESC:PubkeyAcceptedKeyTypes has been renamed to PubkeyAcceptedAlgorithms in openssh-8.5p1 +- DESC:add strict scp check for CVE-2020-15778 -* Thu Dec 29 2022 renmingshuai <renmingshuai@huawei.com> - 8.8p1-13 +* Tue Dec 13 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-12 - Type:bugfix - CVE:NA - SUG:NA -- DESC:add strict scp check for CVE-2020-15778 +- DESC:backport some upstream patches -* Thu Dec 29 2022 renmingshuai <renmingshuai@huawei.com> - 8.8p1-12 -- Type:bugfix +* Tue Dec 13 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-11 +- Type:feature - CVE:NA - SUG:NA -- DESC:backport some upstream patches +- DESC:Add loongarch64 architecture -* Thu Dec 29 2022 renmingshuai <renmingshuai@huawei.com> - 8.8p1-11 -- Type:requirement +* Tue Dec 13 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-10 +- Type:feature - CVE:NA - SUG:NA -- DESC:add sw_64 +- DESC:Add sw64 architecture -* Fri Dec 16 2022 renmingshuai <renmingshuai@huawei.com> - 8.8p1-10 +* Wed Dec 7 2022 duyiwei<duyiwei@kylinos.cn> - 8.8P1-9 - Type:bugfix - CVE:NA - SUG:NA -- DESC:Fix ssh-keygen -Y check novalidate requires name +- DESC:enable "include /etc/ssh/sshd_config.d/*.config" again -* Mon Nov 28 2022 zhaozhen <zhaozhen@loongson.cn> - 8.8p1-9 -- Type:feature +* Mon Nov 28 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-8 +- Type:bugfix - CVE:NA - SUG:NA -- DESC:Add loongarch64 support +- DESC:PubkeyAcceptedKeyTypes has been renamed to PubkeyAcceptedAlgorithms in openssh-8.5p1 -* Mon Nov 28 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-8 +* Mon Nov 28 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-7 - 
Type:bugfix - CVE:NA - SUG:NA - DESC:add better debugging -* Wed Nov 2 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-7 +* Wed Nov 2 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-6 - Type:requirement - CVE:NA - SUG:NA - DESC:add ssh-keygen bash completion -* Thu Sep 01 2022 duyiwei<duyiwei@kylinos.cn> - 8.8P1-6 +* Tue Oct 18 2022 majun<majun65@huawei.com> - 8.8p1-5 - Type:bugfix - CVE:NA - SUG:NA -- DESC:enable "include /etc/ssh/sshd_config.d/*.config" again - -* Fri Jul 29 2022 kircher<majun65@huawei.com> - 8.8p1-5 -- Type:bugfix -- CVE:Na -- SUG:NA -- DESC:add SMx support in openssh +- DESC:add smx support in openssh -* Thu May 05 2022 seuzw<930zhaowei@163.com> - 8.8p1-4 +* Sat Jun 25 2022 Rimsky<349157738@qq.com> - 8.8p1-4 - Type:bugfix - CVE:NA - SUG:NA -- DESC:fix incorrect sftp-server binary path in /etc/ssh/sshd_config +- DESC:fix possible NULL deref when built without FIDO -* Wed Mar 09 2022 duyiwei<duyiwei@kylinos.cn> - 8.8P1-3 +* Thu May 05 2022 seuzw<930zhaowei@163.com> - 8.8p1-3 - Type:bugfix - CVE:NA - SUG:NA -- DESC:enable "include /etc/ssh/sshd_config.d/*.config" +- DESC:fix incorrect sftp-server binary path in /etc/ssh/sshd_config -* Mon Mar 07 2022 kircher<majun65@huawei.com> - 8.8P1-2 +* Tue Mar 08 2022 kircher<majun65@huawei.com> - 8.8P1-2 - Type:bugfix - CVE:NA - SUG:NA - DESC:add sshd.tmpfiles -* Thu Oct 28 2021 kircher<kircherlike@outlook.com> - 8.8P1-1 +* Wed Dec 8 2021 renmingshuai<renmingshuai@huawei.com> - 8.8P1-1 - Type:bugfix - CVE:NA - SUG:NA - DESC:update to openssh-8.8p1 -* Fri Oct 8 2021 renmingshuai<renmingshuai@hauwei.com> - 8.2P1-15 -- Type:cves +* Fri Oct 29 2021 kircher<majun65@huawei.com> - 8.2P1-14 +- Type:CVE - CVE:CVE-2021-41617 - SUG:NA - DESC:fix CVE-2021-41617 -* Sat Sep 18 2021 kircher<kircherlike@outlook.com> - 8.2P1-14 -- Type:bugfix -- CVE:NA -- SUG:NA -- DESC:backport patch from github to fix NULL ref - * Fri Jul 30 2021 kircher<majun65@huawei.com> - 8.2P1-13 - Type:bugfix - CVE:NA 
diff --git a/pam_ssh_agent-configure-c99.patch b/pam_ssh_agent-configure-c99.patch
deleted file mode 100644
index bc40434..0000000
--- a/pam_ssh_agent-configure-c99.patch
+++ /dev/null
@@ -1,249 +0,0 @@ -configure.ac: Improve C99 compatibility - -Future compilers will not support implicit declarations and implicit -ints by default. This means that configure probes which rely on them -will fail unconditionally, without actually testing anything. - -The changes mostly mirror what has been implemented in the openssh -repository, but had to be adapted somewhat because of drift between -the two versions of configure.ac. - -Sam James has submitted similar fixes upstream: - - <https://github.com/jbeverly/pam_ssh_agent_auth/pull/41> - -diff --git a/configure.ac b/configure.ac -index 6496679..d927b62 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -500,10 +500,10 @@ int main(void) { exit(0); } - AC_DEFINE(HAVE_BUNDLE, 1, [Define if your system uses bundles instead of ELF shared objects]) - AC_MSG_CHECKING(if we have working getaddrinfo) - AC_TRY_RUN([#include <mach-o/dyld.h> --main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) -- exit(0); -+int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) -+ return 0; - else -- exit(1); -+ return 1; - }], [AC_MSG_RESULT(working)], - [AC_MSG_RESULT(buggy) - AC_DEFINE(BROKEN_GETADDRINFO, 1, [getaddrinfo is broken (if present)])], -@@ -917,8 +917,8 @@ AC_SUBST(LDFLAGS_SHARED) - AC_MSG_CHECKING(compiler and flags for sanity) - AC_RUN_IFELSE( - [AC_LANG_SOURCE([ --#include <stdio.h> --int main(){exit(0);} -+#include <stdlib.h> -+int main(void){exit(0);} - ])], - [ AC_MSG_RESULT(yes) ], - [ -@@ -951,9 +951,9 @@ int main(int argc, char **argv) { - strncpy(buf,"/etc", 32); - s = dirname(buf); - if (!s || strncmp(s, "/", 32) != 0) { -- exit(1); -+ return 1; - } else { -- exit(0); -+ return 0; - } - } - ]])], -@@ -1102,7 +1102,7 @@ AC_RUN_IFELSE( - [AC_LANG_SOURCE([[ - #include <sys/types.h> - #include <dirent.h> --int main(void){struct dirent d;exit(sizeof(d.d_name)<=sizeof(char));} -+int main(void){struct dirent d;return sizeof(d.d_name)<=sizeof(char);} - ]])], - [AC_MSG_RESULT(yes)], - [ 
-@@ -1327,8 +1327,10 @@ AC_CHECK_FUNCS(setresuid, [ - AC_MSG_CHECKING(if setresuid seems to work) - AC_RUN_IFELSE( - [AC_LANG_SOURCE([[ -+#define _GNU_SOURCE - #include <stdlib.h> - #include <errno.h> -+#include <unistd.h> - int main(){errno=0; setresuid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);} - ]])], - [AC_MSG_RESULT(yes)], -@@ -1344,8 +1346,10 @@ AC_CHECK_FUNCS(setresgid, [ - AC_MSG_CHECKING(if setresgid seems to work) - AC_RUN_IFELSE( - [AC_LANG_SOURCE([[ -+#define _GNU_SOURCE - #include <stdlib.h> - #include <errno.h> -+#include <unistd.h> - int main(){errno=0; setresgid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);} - ]])], - [AC_MSG_RESULT(yes)], -@@ -1384,7 +1388,7 @@ if test "x$ac_cv_func_snprintf" = "xyes" ; then - AC_RUN_IFELSE( - [AC_LANG_SOURCE([[ - #include <stdio.h> --int main(void){char b[5];snprintf(b,5,"123456789");exit(b[4]!='\0');} -+int main(void){char b[5];snprintf(b,5,"123456789");return b[4]!='\0';} - ]])], - [AC_MSG_RESULT(yes)], - [ -@@ -1418,7 +1422,7 @@ int x_snprintf(char *str,size_t count,const char *fmt,...) - int main(void) - { - char x[1]; -- exit(x_snprintf(x, 1, "%s %d", "hello", 12345) == 11 ? 0 : 1); -+ return x_snprintf(x, 1, "%s %d", "hello", 12345) == 11 ? 0 : 1; - } ]])], - [AC_MSG_RESULT(yes)], - [ -@@ -1467,7 +1471,8 @@ AC_MSG_CHECKING([for (overly) strict mkstemp]) - AC_RUN_IFELSE( - [AC_LANG_SOURCE([[ - #include <stdlib.h> --main() { char template[]="conftest.mkstemp-test"; -+#include <unistd.h> -+int main(void) { char template[]="conftest.mkstemp-test"; - if (mkstemp(template) == -1) - exit(1); - unlink(template); exit(0); -@@ -1492,10 +1497,14 @@ if test ! 
-z "$check_for_openpty_ctty_bug"; then - AC_MSG_CHECKING(if openpty correctly handles controlling tty) - AC_RUN_IFELSE( - [AC_LANG_SOURCE([[ -+#include <stdlib.h> - #include <stdio.h> - #include <sys/fcntl.h> - #include <sys/types.h> - #include <sys/wait.h> -+#ifdef HAVE_PTY_H -+#include <pty.h> -+#endif - - int - main() -@@ -1543,6 +1552,7 @@ if test "x$ac_cv_func_getaddrinfo" = "xyes" && \ - AC_RUN_IFELSE( - [AC_LANG_SOURCE([[ - #include <stdio.h> -+#include <stdlib.h> - #include <sys/socket.h> - #include <netdb.h> - #include <errno.h> -@@ -1748,6 +1758,7 @@ AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL, 1, - AC_MSG_CHECKING([OpenSSL header version]) - AC_RUN_IFELSE( - [AC_LANG_SOURCE([[ -+#include <stdlib.h> - #include <stdio.h> - #include <string.h> - #include <openssl/opensslv.h> -@@ -1794,12 +1805,12 @@ int main(void) { - - fd = fopen(DATA,"w"); - if(fd == NULL) -- exit(1); -+ return 1; - - if ((rc = fprintf(fd ,"%x (%s)\n", SSLeay(), SSLeay_version(SSLEAY_VERSION))) <0) -- exit(1); -+ return 1; - -- exit(0); -+ return 0; - } - ]])], - [ -@@ -1829,7 +1840,7 @@ AC_RUN_IFELSE( - [AC_LANG_SOURCE([[ - #include <string.h> - #include <openssl/opensslv.h> --int main(void) { exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); } -+int main(void) { return SSLeay() == OPENSSL_VERSION_NUMBER ? 
0 : 1; } - ]])], - [ - AC_MSG_RESULT(yes) -@@ -2598,7 +2609,7 @@ dnl test snprintf (broken on SCO w/gcc) - #include <stdio.h> - #include <string.h> - #ifdef HAVE_SNPRINTF --main() -+int main(void) - { - char buf[50]; - char expected_out[50]; -@@ -2611,11 +2622,11 @@ main() - strcpy(expected_out, "9223372036854775807"); - snprintf(buf, mazsize, "%lld", num); - if(strcmp(buf, expected_out) != 0) -- exit(1); -- exit(0); -+ return 1; -+ return 0; - } - #else --main() { exit(0); } -+int main(void) { return 0; } - #endif - ]])], [ true ], [ AC_DEFINE(BROKEN_SNPRINTF) ], - AC_MSG_WARN([cross compiling: Assuming working snprintf()]) -@@ -2746,11 +2757,11 @@ AC_CACHE_CHECK([for msg_accrights field in struct msghdr], - int main() { - #ifdef msg_accrights - #error "msg_accrights is a macro" --exit(1); -+return 1; - #endif - struct msghdr m; - m.msg_accrights = 0; --exit(0); -+return 0; - } - ])], - [ ac_cv_have_accrights_in_msghdr="yes" ], -@@ -2773,11 +2784,11 @@ AC_CACHE_CHECK([for msg_control field in struct msghdr], - int main() { - #ifdef msg_control - #error "msg_control is a macro" --exit(1); -+return 1; - #endif - struct msghdr m; - m.msg_control = 0; --exit(0); -+return 0; - } - ])], - [ ac_cv_have_control_in_msghdr="yes" ], -@@ -2791,7 +2802,7 @@ if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then - fi - - AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [ -- AC_TRY_LINK([], -+ AC_TRY_LINK([#include <stdio.h>], - [ extern char *__progname; printf("%s", __progname); ], - [ ac_cv_libc_defines___progname="yes" ], - [ ac_cv_libc_defines___progname="no" ] -@@ -2871,7 +2882,7 @@ if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then - fi - - AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [ -- AC_TRY_LINK([], -+ AC_TRY_LINK([#include <stdio.h>], - [ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);], - [ ac_cv_libc_defines_sys_errlist="yes" ], - [ ac_cv_libc_defines_sys_errlist="no" ] -@@ 
-2884,7 +2895,7 @@ fi - - - AC_CACHE_CHECK([if libc defines sys_nerr], ac_cv_libc_defines_sys_nerr, [ -- AC_TRY_LINK([], -+ AC_TRY_LINK([#include <stdio.h>], - [ extern int sys_nerr; printf("%i", sys_nerr);], - [ ac_cv_libc_defines_sys_nerr="yes" ], - [ ac_cv_libc_defines_sys_nerr="no" ] diff --git a/pam_ssh_agent_auth-0.10.4-rsasha2.patch b/pam_ssh_agent_auth-0.10.4-rsasha2.patch deleted file mode 100644 index c8815bb..0000000 --- a/pam_ssh_agent_auth-0.10.4-rsasha2.patch +++ /dev/null @@ -1,19 +0,0 @@ -diff -up openssh-8.7p1/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c.rsasha2 openssh-8.7p1/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c ---- openssh-8.7p1/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c.rsasha2 2022-07-15 15:08:12.865585410 +0200 -+++ openssh-8.7p1/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c 2022-07-15 15:16:25.164282372 +0200 -@@ -87,8 +87,13 @@ userauth_pubkey_from_id(const char *ruse - (r = sshbuf_put_string(b, pkblob, blen)) != 0) - fatal("%s: buffer error: %s", __func__, ssh_err(r)); - -- if (ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, sshbuf_ptr(b), sshbuf_len(b), NULL, 0) != 0) -- goto user_auth_clean_exit; -+ if (sshkey_type_plain(id->key->type) == KEY_RSA -+ && ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, sshbuf_ptr(b), sshbuf_len(b), "rsa-sha2-256", 0) == 0) { -+ /* Do nothing */ -+ } else { -+ if (ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, sshbuf_ptr(b), sshbuf_len(b), NULL, 0) != 0) -+ goto user_auth_clean_exit; -+ } - - /* test for correct signature */ - if (sshkey_verify(id->key, sig, slen, sshbuf_ptr(b), sshbuf_len(b), NULL, 0, NULL) == 0) @@ -1,2 +1,2 @@ -3430d5e6e71419e28f440a42563cb553 openssh-9.3p1.tar.gz +8ce5f390958baeeab635aafd0ef41453 openssh-8.8p1.tar.gz 42f87c6cce9bcf8cfd46ed4605b779f5 pam_ssh_agent_auth-0.10.4.tar.gz diff --git a/ssh-agent.service b/ssh-agent.service index 311f91d..c215022 100644 
--- a/ssh-agent.service
+++ b/ssh-agent.service
@@ -5,15 +5,10 @@ ConditionEnvironment=!SSH_AGENT_PID
 Description=OpenSSH key agent
 Documentation=man:ssh-agent(1) man:ssh-add(1) man:ssh(1)
-Requires=ssh-agent.socket
 [Service]
 Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
-ExecStartPre=/usr/bin/rm -f $SSH_AUTH_SOCK
 ExecStart=/usr/bin/ssh-agent -a $SSH_AUTH_SOCK
 PassEnvironment=SSH_AGENT_PID
 SuccessExitStatus=2
 Type=forking
-
-[Install]
-Also=ssh-agent.socket
diff --git a/ssh-agent.socket b/ssh-agent.socket
deleted file mode 100644
index d589cbc..0000000
--- a/ssh-agent.socket
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-Description=OpenSSH key agent
-Documentation=man:ssh-agent(1) man:ssh-add(1) man:ssh(1)
-
-[Socket]
-ListenStream=%t/ssh-agent.socket
-Service=ssh-agent.service
-Priority=6
-Backlog=5
-SocketMode=0600
-DirectoryMode=0700
-
-[Install]
-WantedBy=sockets.target
|
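Review bot: Removing `ExecStartPre=/usr/bin/rm -f $SSH_AUTH_SOCK` together with the socket unit leaves nothing that clears a stale `%t/ssh-agent.socket`; `ssh-agent -a` appears to bind the given path without unlinking it first, so after an agent that exited without cleanup (killed, OOM) the service would fail to start until the user removes the file by hand. Now that the listening socket is no longer owned by systemd, keeping the `ExecStartPre=` line is the cheap way to make the service restartable. Dropping the whole `[Install]` section also means `systemctl --user enable ssh-agent.service` has nothing to hook into; if manual or on-demand start is the intended model, a comment in the unit stating that would save the next maintainer a search.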