Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked in at 2021-10-11 16:48:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and      /work/SRC/openSUSE:Factory/.openssh.new.2443 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssh" Mon Oct 11 16:48:36 2021 rev:154 rq:923951 version:8.8p1 Changes: -------- --- /work/SRC/openSUSE:Factory/openssh/openssh-askpass-gnome.changes 2020-10-18 16:30:20.444729018 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.2443/openssh-askpass-gnome.changes 2021-10-11 16:48:39.866172377 +0200 @@ -1,0 +2,7 @@ +Tue Sep 28 19:05:15 UTC 2021 - Hans Petter Jansson <h...@suse.com> + +- Version upgrade to 8.8p1 + * No changes for askpass, see main package changelog for + details + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2021-07-22 22:43:29.231189893 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.2443/openssh.changes 2021-10-11 16:48:39.962172529 +0200 
@@ -1,0 +2,368 @@ +Tue Sep 28 17:50:57 UTC 2021 - Hans Petter Jansson <h...@suse.com> + +- Version update to 8.8p1: + = Security + * sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise + supplemental groups when executing an AuthorizedKeysCommand or + AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or + AuthorizedPrincipalsCommandUser directive has been set to run the + command as a different user. Instead these commands would inherit + the groups that sshd(8) was started with. + + Depending on system configuration, inherited groups may allow + AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to + gain unintended privilege. + + Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are + enabled by default in sshd_config(5). + + = Potentially-incompatible changes + * This release disables RSA signatures using the SHA-1 hash algorithm + by default. This change has been made as the SHA-1 hash algorithm is + cryptographically broken, and it is possible to create chosen-prefix + hash collisions for <USD$50K. + + For most users, this change should be invisible and there is + no need to replace ssh-rsa keys. OpenSSH has supported RFC8332 + RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys + will automatically use the stronger algorithm where possible. + + Incompatibility is more likely when connecting to older SSH + implementations that have not been upgraded or have not closely tracked + improvements in the SSH protocol. For these cases, it may be necessary + to selectively re-enable RSA/SHA1 to allow connection and/or user + authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms + options. + + = New features + * ssh(1): allow the ssh_config(5) CanonicalizePermittedCNAMEs + directive to accept a "none" argument to specify the default + behaviour. 
+ + = Bugfixes + * scp(1): when using the SFTP protocol, continue transferring files + after a transfer error occurs, better matching original scp/rcp + behaviour. + * ssh(1): fixed a number of memory leaks in multiplexing, + * ssh-keygen(1): avoid crash when using the -Y find-principals + command. + * A number of documentation and manual improvements, including + bz#3340, PR139, PR215, PR241, PR257 + +- Additional changes from 8.7p1 release: + = Potentially-incompatible changes + * scp(1): this release changes the behaviour of remote to remote + copies (e.g. "scp host-a:/path host-b:") to transfer through the + local host by default. This was previously available via the -3 + flag. This mode avoids the need to expose credentials on the + origin hop, avoids triplicate interpretation of filenames by the + shell (by the local system, the copy origin and the destination) + and, in conjunction with the SFTP support for scp(1) mentioned + below, allows use of all authentication methods to the remote + hosts (previously, only non-interactive methods could be used). + A -R flag has been added to select the old behaviour. + * ssh(1)/sshd(8): both the client and server are now using a + stricter configuration file parser. The new parser uses more + shell-like rules for quotes, space and escape characters. It is + also more strict in rejecting configurations that include options + lacking arguments. Previously some options (e.g. DenyUsers) could + appear on a line with no subsequent arguments. This release will + reject such configurations. The new parser will also reject + configurations with unterminated quotes and multiple '=' + characters after the option name. + * ssh(1): when using SSHFP DNS records for host key verification, + ssh(1) will verify all matching records instead of just those + with the specific signature type requested. 
This may cause host + key verification problems if stale SSHFP records of a different + or legacy signature type exist alongside other records for a + particular host. bz#3322 + * ssh-keygen(1): when generating a FIDO key and specifying an + explicit attestation challenge (using -Ochallenge), the challenge + will now be hashed by the builtin security key middleware. This + removes the (undocumented) requirement that challenges be exactly + 32 bytes in length and matches the expectations of libfido2. + * sshd(8): environment="..." directives in authorized_keys files are + now first-match-wins and limited to 1024 discrete environment + variable names. + + = New features + * scp(1): experimental support for transfers using the SFTP protocol + as a replacement for the venerable SCP/RCP protocol that it has + traditionally used. SFTP offers more predictable filename handling + and does not require expansion of glob(3) patterns via the shell + on the remote side. + * sftp-server(8): add a protocol extension to support expansion of + ~/ and ~user/ prefixed paths. This was added to support these + paths when used by scp(1) while in SFTP mode. + * ssh(1): add a ForkAfterAuthentication ssh_config(5) counterpart to + the ssh(1) -f flag. GHPR231 + * ssh(1): add a StdinNull directive to ssh_config(5) that allows the + config file to do the same thing as -n does on the ssh(1) command- + line. GHPR231 + * ssh(1): add a SessionType directive to ssh_config, allowing the + configuration file to offer equivalent control to the -N (no + session) and -s (subsystem) command-line flags. GHPR231 + * ssh-keygen(1): allowed signers files used by ssh-keygen(1) + signatures now support listing key validity intervals alongside + they key, and ssh-keygen(1) can optionally check during signature + verification whether a specified time falls inside this interval. + This feature is intended for use by git to support signing and + verifying objects using ssh keys. 
+ * ssh-keygen(8): support printing of the full public key in a sshsig + signature via a -Oprint-pubkey flag. + + = Bugfixes + * ssh(1)/sshd(8): start time-based re-keying exactly on schedule in + the client and server mainloops. Previously the re-key timeout + could expire but re-keying would not start until a packet was sent + or received, causing a spin in select() if the connection was + quiescent. + * ssh-keygen(1): avoid Y2038 problem in printing certificate + validity lifetimes. Dates past 2^31-1 seconds since epoch were + displayed incorrectly on some platforms. bz#3329 + * scp(1): allow spaces to appear in usernames for local to remote + and scp -3 remote to remote copies. bz#1164 + * ssh(1)/sshd(8): remove references to ChallengeResponseAuthentication + in favour of KbdInteractiveAuthentication. The former is what was in + SSHv1, the latter is what is in SSHv2 (RFC4256) and they were + treated as somewhat but not entirely equivalent. We retain the old + name as a deprecated alias so configuration files continue to work + as well as a reference in the man page for people looking for it. + bz#3303 + * ssh(1)/ssh-add(1)/ssh-keygen(1): fix decoding of X.509 subject name + when extracting a key from a PKCS#11 certificate. bz#3327 + * ssh(1): restore blocking status on stdio fds before close. ssh(1) + needs file descriptors in non-blocking mode to operate but it was + not restoring the original state on exit. This could cause + problems with fds shared with other programs via the shell, + bz#3280 and GHPR246 + * ssh(1)/sshd(8): switch both client and server mainloops from + select(3) to pselect(3). Avoids race conditions where a signal + may arrive immediately before select(3) and not be processed until + an event fires. bz#2158 + * ssh(1): sessions started with ControlPersist were incorrectly + executing a shell when the -N (no shell) option was specified. + bz#3290 + * ssh(1): check if IPQoS or TunnelDevice are already set before + overriding. 
Prevents values in config files from overriding values + supplied on the command line. bz#3319 + * ssh(1): fix debug message when finding a private key to match a + certificate being attempted for user authentication. Previously it + would print the certificate's path, whereas it was supposed to be + showing the private key's path. GHPR247 + * sshd(8): match host certificates against host public keys, not + private keys. Allows use of certificates with private keys held in + a ssh-agent. bz#3524 + * ssh(1): add a workaround for a bug in OpenSSH 7.4 sshd(8), which + allows RSA/SHA2 signatures for public key authentication but fails + to advertise this correctly via SSH2_MSG_EXT_INFO. This causes + clients of these server to incorrectly match + PubkeyAcceptedAlgorithmse and potentially refuse to offer valid + keys. bz#3213 + * sftp(1)/scp(1): degrade gracefully if a sftp-server offers the + lim...@openssh.com extension but fails when the client tries to + invoke it. bz#3318 + * ssh(1): allow ssh_config SetEnv to override $TERM, which is + otherwise handled specially by the protocol. Useful in ~/.ssh/config + to set TERM to something generic (e.g. "xterm" instead of + "xterm-256color") for destinations that lack terminfo entries. + * sftp-server(8): the lim...@openssh.com extension was incorrectly + marked as an operation that writes to the filesystem, which made it + unavailable in sftp-server read-only mode. bz#3318 + * ssh(1): fix SEGV in UpdateHostkeys debug() message, triggered when + the update removed more host keys than remain present. + * Many manual page fixes. + +- Additional changes from 8.6p1 release: + = Security + * sshd(8): OpenSSH 8.5 introduced the LogVerbose keyword. When this + option was enabled with a set of patterns that activated logging + in code that runs in the low-privilege sandboxed sshd process, the + log messages were constructed in such a way that printf(3) format + strings could effectively be specified the low-privilege code. 
+ + = New features + * sftp-server(8): add a new lim...@openssh.com protocol extension + that allows a client to discover various server limits, including + maximum packet size and maximum read/write length. + * sftp(1): use the new lim...@openssh.com extension (when available) + to select better transfer lengths in the client. + * sshd(8): Add ModuliFile keyword to sshd_config to specify the + location of the "moduli" file containing the groups for DH-GEX. + * unit tests: Add a TEST_SSH_ELAPSED_TIMES environment variable to + enable printing of the elapsed time in seconds of each test. + + = Bugfixes + * ssh_config(5), sshd_config(5): sync CASignatureAlgorithms lists in + manual pages with the current default. GHPR174 ++++ 171 more lines (skipped) ++++ between /work/SRC/openSUSE:Factory/openssh/openssh.changes ++++ and /work/SRC/openSUSE:Factory/.openssh.new.2443/openssh.changes Old: ---- openssh-8.4p1.tar.gz openssh-8.4p1.tar.gz.asc openssh-fix-ssh-copy-id.patch New: ---- openssh-8.8p1.tar.gz openssh-8.8p1.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssh-askpass-gnome.spec ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.622175167 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.626175174 +0200 @@ -18,7 +18,7 @@ %define _name openssh Name: openssh-askpass-gnome -Version: 8.4p1 +Version: 8.8p1 Release: 0 Summary: A GNOME-Based Passphrase Dialog for OpenSSH License: BSD-2-Clause ++++++ openssh.spec ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.646175206 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.650175212 +0200 @@ -35,7 +35,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: openssh -Version: 8.4p1 +Version: 8.8p1 Release: 0 Summary: Secure Shell Client and Server (Remote Login Program) License: BSD-2-Clause AND MIT 
@@ -105,7 +105,6 @@ Patch41: openssh-fips-ensure-approved-moduli.patch Patch42: openssh-link-with-sk.patch Patch43: openssh-reenable-dh-group14-sha1-default.patch -Patch44: openssh-fix-ssh-copy-id.patch Patch45: openssh-8.4p1-ssh_config_d.patch Patch46: openssh-whitelist-syscalls.patch Patch47: openssh-8.4p1-vendordir.patch ++++++ openssh-7.7p1-IPv6_X_forwarding.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.710175308 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.710175308 +0200 @@ -5,15 +5,11 @@ bnc#847710 - https://bugzilla.novell.com/show_bug.cgi?id=847710 -diff --git a/openssh-7.7p1/channels.c b/openssh-7.7p1/channels.c ---- openssh-7.7p1/channels.c -+++ openssh-7.7p1/channels.c -@@ -4590,33 +4590,42 @@ x11_connect_display(struct ssh *ssh) - return -1; - - /* OK, we now have a connection to the display. */ - return sock; - } +Index: openssh-8.8p1/channels.c +=================================================================== +--- openssh-8.8p1.orig/channels.c ++++ openssh-8.8p1/channels.c +@@ -4776,9 +4776,10 @@ x11_connect_display(struct ssh *ssh) /* * Connect to an inet socket. The DISPLAY value is supposedly * hostname:d[.s], where hostname may also be numeric IP address. @@ -25,14 +21,7 @@ if (!cp) { error("Could not find ':' in DISPLAY: %.100s", display); return -1; - } - *cp = 0; - /* - * buf now contains the host name. But first we parse the - * display number. - */ - if (sscanf(cp + 1, "%u", &display_number) != 1) { - error("Could not parse display number from DISPLAY: %.100s", +@@ -4793,6 +4794,14 @@ x11_connect_display(struct ssh *ssh) display); return -1; } 
@@ -47,8 +36,3 @@ /* Look up the host address */ memset(&hints, 0, sizeof(hints)); - hints.ai_family = ssh->chanctxt->IPv4or6; - hints.ai_socktype = SOCK_STREAM; - snprintf(strport, sizeof strport, "%u", 6000 + display_number); - if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) { - error("%.100s: unknown host. (%s)", buf, ++++++ openssh-7.7p1-X11_trusted_forwarding.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.718175320 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.718175320 +0200 @@ -6,10 +6,10 @@ Enable Trusted X11 forwarding by default, since the security benefits of having it disabled are negligible these days with XI2 being widely used. -Index: openssh-7.8p1/ssh_config +Index: openssh-8.8p1/ssh_config =================================================================== ---- openssh-7.8p1.orig/ssh_config -+++ openssh-7.8p1/ssh_config +--- openssh-8.8p1.orig/ssh_config ++++ openssh-8.8p1/ssh_config @@ -17,9 +17,20 @@ # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. @@ -32,10 +32,10 @@ # PasswordAuthentication yes # HostbasedAuthentication no # GSSAPIAuthentication no -Index: openssh-7.8p1/sshd_config +Index: openssh-8.8p1/sshd_config =================================================================== ---- openssh-7.8p1.orig/sshd_config -+++ openssh-7.8p1/sshd_config +--- openssh-8.8p1.orig/sshd_config ++++ openssh-8.8p1/sshd_config @@ -84,7 +84,7 @@ AuthorizedKeysFile .ssh/authorized_keys #AllowAgentForwarding yes #AllowTcpForwarding yes ++++++ openssh-7.7p1-X_forward_with_disabled_ipv6.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.726175333 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.730175339 +0200 
@@ -3,13 +3,13 @@ Do not throw away already open sockets for X11 forwarding if another socket family is not available for bind() -diff --git a/channels.c b/channels.c -index f51b7e3..95af47e 100644 ---- a/channels.c -+++ b/channels.c -@@ -4637,6 +4637,13 @@ x11_create_display_inet(struct ssh *ssh, int x11_display_offset, - debug2("%s: bind port %d: %.100s", __func__, - port, strerror(errno)); +Index: openssh-8.8p1/channels.c +=================================================================== +--- openssh-8.8p1.orig/channels.c ++++ openssh-8.8p1/channels.c +@@ -4607,6 +4607,13 @@ x11_create_display_inet(struct ssh *ssh, + debug2_f("bind port %d: %.100s", port, + strerror(errno)); close(sock); + /* do not remove successfully opened sockets if + * the request failed because the protocol ++++++ openssh-7.7p1-cavstest-ctr.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.738175352 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.738175352 +0200 @@ -2,11 +2,11 @@ # Parent cc1022edba2c5eeb0facba08468f65afc2466b63 CAVS test for OpenSSH's own CTR encryption mode implementation -Index: openssh-8.4p1/Makefile.in +Index: openssh-8.8p1/Makefile.in =================================================================== ---- openssh-8.4p1.orig/Makefile.in -+++ openssh-8.4p1/Makefile.in -@@ -25,6 +25,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server +--- openssh-8.8p1.orig/Makefile.in ++++ openssh-8.8p1/Makefile.in +@@ -26,6 +26,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper 
@@ -14,7 +14,7 @@ PRIVSEP_PATH=@PRIVSEP_PATH@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ STRIP_OPT=@STRIP_OPT@ -@@ -68,6 +69,8 @@ MKDIR_P=@MKDIR_P@ +@@ -69,6 +70,8 @@ MKDIR_P=@MKDIR_P@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) @@ -23,7 +23,7 @@ XMSS_OBJS=\ ssh-xmss.o \ sshkey-xmss.o \ -@@ -242,6 +245,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss +@@ -245,6 +248,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS) $(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) @@ -34,7 +34,7 @@ # test driver for the loginrec code - not built by default logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) -@@ -400,6 +407,7 @@ install-files: +@@ -407,6 +414,7 @@ install-files: $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) @@ -42,10 +42,10 @@ $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -Index: openssh-8.4p1/cavstest-ctr.c +Index: openssh-8.8p1/cavstest-ctr.c =================================================================== --- /dev/null -+++ openssh-8.4p1/cavstest-ctr.c ++++ openssh-8.8p1/cavstest-ctr.c @@ -0,0 +1,214 @@ +/* + * 
@@ -261,10 +261,10 @@ + printf("\n"); + return 0; +} -Index: openssh-8.4p1/cipher.c +Index: openssh-8.8p1/cipher.c =================================================================== ---- openssh-8.4p1.orig/cipher.c -+++ openssh-8.4p1/cipher.c +--- openssh-8.8p1.orig/cipher.c ++++ openssh-8.8p1/cipher.c @@ -58,15 +58,6 @@ #define EVP_CIPHER_CTX void #endif @@ -281,10 +281,10 @@ struct sshcipher { char *name; u_int block_size; -Index: openssh-8.4p1/cipher.h +Index: openssh-8.8p1/cipher.h =================================================================== ---- openssh-8.4p1.orig/cipher.h -+++ openssh-8.4p1/cipher.h +--- openssh-8.8p1.orig/cipher.h ++++ openssh-8.8p1/cipher.h @@ -48,7 +48,15 @@ #define CIPHER_DECRYPT 0 ++++++ openssh-7.7p1-cavstest-kdf.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.746175365 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.746175365 +0200 @@ -2,11 +2,11 @@ # Parent 1e1d5a2ab8bddfc800f570755f9ea1addcc878c1 CAVS test for KDF implementation in OpenSSH -Index: openssh-8.4p1/Makefile.in +Index: openssh-8.8p1/Makefile.in =================================================================== ---- openssh-8.4p1.orig/Makefile.in -+++ openssh-8.4p1/Makefile.in -@@ -26,6 +26,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign +--- openssh-8.8p1.orig/Makefile.in ++++ openssh-8.8p1/Makefile.in +@@ -27,6 +27,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper CAVSTEST_CTR=$(libexecdir)/cavstest-ctr @@ -14,7 +14,7 @@ PRIVSEP_PATH=@PRIVSEP_PATH@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ STRIP_OPT=@STRIP_OPT@ -@@ -69,7 +70,7 @@ MKDIR_P=@MKDIR_P@ +@@ -70,7 +71,7 @@ MKDIR_P=@MKDIR_P@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) 
@@ -23,7 +23,7 @@ XMSS_OBJS=\ ssh-xmss.o \ -@@ -249,6 +250,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(S +@@ -252,6 +253,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(S cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) @@ -33,7 +33,7 @@ # test driver for the loginrec code - not built by default logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) -@@ -408,6 +412,7 @@ install-files: +@@ -415,6 +419,7 @@ install-files: $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT) @@ -41,10 +41,10 @@ $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -Index: openssh-8.4p1/cavstest-kdf.c +Index: openssh-8.8p1/cavstest-kdf.c =================================================================== --- /dev/null -+++ openssh-8.4p1/cavstest-kdf.c ++++ openssh-8.8p1/cavstest-kdf.c @@ -0,0 +1,402 @@ +/* + * Copyright (C) 2015, Stephan Mueller <smuel...@chronox.de> @@ -249,8 +249,8 @@ + goto out; + } + -+ kex.session_id = test->session_id; -+ kex.session_id_len = test->session_id_len; ++ kex.session_id = sshbuf_new(); ++ sshbuf_put(kex.session_id, test->session_id, test->session_id_len); + + /* setup kex */ + ++++++ openssh-7.7p1-disable_openssl_abi_check.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.754175377 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.758175384 +0200 
@@ -4,11 +4,11 @@ reliable indicator of ABI changes and doesn't make much sense in a distribution package -diff --git a/configure.ac b/configure.ac -index 42ffd95..20a1884 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -4878,6 +4878,19 @@ AC_ARG_WITH([bsd-auth], +Index: openssh-8.8p1/configure.ac +=================================================================== +--- openssh-8.8p1.orig/configure.ac ++++ openssh-8.8p1/configure.ac +@@ -5236,6 +5236,19 @@ AC_ARG_WITH([bsd-auth], ] ) @@ -28,11 +28,11 @@ # Where to place sshd.pid piddir=/var/run # make sure the directory exists -diff --git a/entropy.c b/entropy.c -index f8b9f42..4957b23 100644 ---- a/entropy.c -+++ b/entropy.c -@@ -223,11 +223,13 @@ seed_rng(void) +Index: openssh-8.8p1/entropy.c +=================================================================== +--- openssh-8.8p1.orig/entropy.c ++++ openssh-8.8p1/entropy.c +@@ -100,11 +100,13 @@ seed_rng(void) /* Initialise libcrypto */ ssh_libcrypto_init(); ++++++ openssh-7.7p1-eal3.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.766175396 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.766175396 +0200 @@ -2,15 +2,11 @@ # Parent 8fd4e445c3a5c823568661a4f71b064cbcb217a9 fix paths and references in sshd man pages -diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in ---- openssh-7.7p1/Makefile.in -+++ openssh-7.7p1/Makefile.in -@@ -127,17 +127,18 @@ MANTYPE = @MANTYPE@ - CONFIGFILES=sshd_config.out ssh_config.out moduli.out - CONFIGFILES_IN=sshd_config ssh_config moduli - - PATHSUBS = \ - -e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \ +Index: openssh-8.8p1/Makefile.in +=================================================================== +--- openssh-8.8p1.orig/Makefile.in ++++ openssh-8.8p1/Makefile.in +@@ -165,7 +165,8 @@ PATHSUBS = \ -e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \ -e 's|/etc/ssh/sshd_config|$(sysconfdir)/sshd_config|g' \ -e 's|/usr/libexec|$(libexecdir)|g' \ 
@@ -20,8 +16,3 @@ -e 's|/etc/ssh/ssh_host_key|$(sysconfdir)/ssh_host_key|g' \ -e 's|/etc/ssh/ssh_host_ecdsa_key|$(sysconfdir)/ssh_host_ecdsa_key|g' \ -e 's|/etc/ssh/ssh_host_dsa_key|$(sysconfdir)/ssh_host_dsa_key|g' \ - -e 's|/etc/ssh/ssh_host_rsa_key|$(sysconfdir)/ssh_host_rsa_key|g' \ - -e 's|/etc/ssh/ssh_host_ed25519_key|$(sysconfdir)/ssh_host_ed25519_key|g' \ - -e 's|/var/run/sshd.pid|$(piddir)/sshd.pid|g' \ - -e 's|/etc/moduli|$(sysconfdir)/moduli|g' \ - -e 's|/etc/ssh/moduli|$(sysconfdir)/moduli|g' \ ++++++ openssh-7.7p1-enable_PAM_by_default.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.774175409 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.774175409 +0200 
@@ -4,25 +4,16 @@ # bnc#46749 # --used to be called '-pam-fix2' -diff --git a/openssh-7.7p1/sshd_config b/openssh-7.7p1/sshd_config ---- openssh-7.7p1/sshd_config -+++ openssh-7.7p1/sshd_config -@@ -74,17 +74,17 @@ AuthorizedKeysFile .ssh/authorized_keys - # and session processing. If this is enabled, PAM authentication will - # be allowed through the ChallengeResponseAuthentication and - # PasswordAuthentication. Depending on your PAM configuration, - # PAM authentication via ChallengeResponseAuthentication may bypass - # the setting of "PermitRootLogin without-password". +Index: openssh-8.8p1/sshd_config +=================================================================== +--- openssh-8.8p1.orig/sshd_config ++++ openssh-8.8p1/sshd_config +@@ -79,7 +79,7 @@ AuthorizedKeysFile .ssh/authorized_keys # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication - # and ChallengeResponseAuthentication to 'no'. + # and KbdInteractiveAuthentication to 'no'. -#UsePAM no +UsePAM yes #AllowAgentForwarding yes #AllowTcpForwarding yes - #GatewayPorts no - X11Forwarding yes - #X11DisplayOffset 10 - #X11UseLocalhost yes - #PermitTTY yes ++++++ openssh-7.7p1-fips.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.782175422 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.786175428 +0200 @@ -3,11 +3,11 @@ FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved algorithms. -Index: openssh-8.4p1/Makefile.in +Index: openssh-8.8p1/Makefile.in =================================================================== ---- openssh-8.4p1.orig/Makefile.in -+++ openssh-8.4p1/Makefile.in -@@ -112,6 +112,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ +--- openssh-8.8p1.orig/Makefile.in ++++ openssh-8.8p1/Makefile.in +@@ -113,6 +113,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ SKOBJS= ssh-sk-client.o 
@@ -16,10 +16,10 @@ SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect2.o mux.o $(SKOBJS) -Index: openssh-8.4p1/cipher-ctr.c +Index: openssh-8.8p1/cipher-ctr.c =================================================================== ---- openssh-8.4p1.orig/cipher-ctr.c -+++ openssh-8.4p1/cipher-ctr.c +--- openssh-8.8p1.orig/cipher-ctr.c ++++ openssh-8.8p1/cipher-ctr.c @@ -27,6 +27,8 @@ #include "xmalloc.h" #include "log.h" @@ -38,10 +38,10 @@ #endif return (&aes_ctr); } -Index: openssh-8.4p1/cipher.c +Index: openssh-8.8p1/cipher.c =================================================================== ---- openssh-8.4p1.orig/cipher.c -+++ openssh-8.4p1/cipher.c +--- openssh-8.8p1.orig/cipher.c ++++ openssh-8.8p1/cipher.c @@ -51,6 +51,9 @@ #include "openbsd-compat/openssl-compat.h" @@ -61,7 +61,7 @@ #ifdef WITH_OPENSSL #ifndef OPENSSL_NO_DES { "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc }, -@@ -114,8 +117,52 @@ static const struct sshcipher ciphers[] +@@ -112,8 +115,52 @@ static const struct sshcipher ciphers[] { NULL, 0, 0, 0, 0, 0, NULL } }; @@ -114,7 +114,7 @@ /* Returns a comma-separated list of supported ciphers. */ char * cipher_alg_list(char sep, int auth_only) -@@ -124,7 +171,7 @@ cipher_alg_list(char sep, int auth_only) +@@ -122,7 +169,7 @@ cipher_alg_list(char sep, int auth_only) size_t nlen, rlen = 0; const struct sshcipher *c; @@ -123,7 +123,7 @@ if ((c->flags & CFLAG_INTERNAL) != 0) continue; if (auth_only && c->auth_len == 0) -@@ -207,7 +254,7 @@ const struct sshcipher * +@@ -205,7 +252,7 @@ const struct sshcipher * cipher_by_name(const char *name) { const struct sshcipher *c; @@ -132,10 +132,10 @@ if (strcmp(c->name, name) == 0) return c; return NULL; -Index: openssh-8.4p1/fips.c +Index: openssh-8.8p1/fips.c =================================================================== --- /dev/null -+++ openssh-8.4p1/fips.c ++++ openssh-8.8p1/fips.c @@ -0,0 +1,212 @@ +/* + * Copyright (c) 2012 Petr Cerny. All rights reserved. 
@@ -349,10 +349,10 @@ + return dgst; +} + -Index: openssh-8.4p1/fips.h +Index: openssh-8.8p1/fips.h =================================================================== --- /dev/null -+++ openssh-8.4p1/fips.h ++++ openssh-8.8p1/fips.h @@ -0,0 +1,44 @@ +/* + * Copyright (c) 2012 Petr Cerny. All rights reserved. @@ -398,10 +398,10 @@ + +#endif + -Index: openssh-8.4p1/hmac.c +Index: openssh-8.8p1/hmac.c =================================================================== ---- openssh-8.4p1.orig/hmac.c -+++ openssh-8.4p1/hmac.c +--- openssh-8.8p1.orig/hmac.c ++++ openssh-8.8p1/hmac.c @@ -145,7 +145,7 @@ hmac_test(void *key, size_t klen, void * size_t i; u_char digest[16]; @@ -411,10 +411,10 @@ printf("ssh_hmac_start failed"); if (ssh_hmac_init(ctx, key, klen) < 0 || ssh_hmac_update(ctx, m, mlen) < 0 || -Index: openssh-8.4p1/kex.c +Index: openssh-8.8p1/kex.c =================================================================== ---- openssh-8.4p1.orig/kex.c -+++ openssh-8.4p1/kex.c +--- openssh-8.8p1.orig/kex.c ++++ openssh-8.8p1/kex.c @@ -62,6 +62,8 @@ #include "sshbuf.h" #include "digest.h" @@ -433,7 +433,7 @@ #ifdef WITH_OPENSSL { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 }, -@@ -116,6 +118,47 @@ static const struct kexalg kexalgs[] = { +@@ -118,6 +120,47 @@ static const struct kexalg kexalgs[] = { { NULL, 0, -1, -1}, }; @@ -481,7 +481,7 @@ char * kex_alg_list(char sep) { -@@ -123,7 +166,7 @@ kex_alg_list(char sep) +@@ -125,7 +168,7 @@ kex_alg_list(char sep) size_t nlen, rlen = 0; const struct kexalg *k; @@ -490,7 +490,7 @@ if (ret != NULL) ret[rlen++] = sep; nlen = strlen(k->name); -@@ -143,7 +186,7 @@ kex_alg_by_name(const char *name) +@@ -145,7 +188,7 @@ kex_alg_by_name(const char *name) { const struct kexalg *k; 
@@ -499,7 +499,7 @@ if (strcmp(k->name, name) == 0) return k; } -@@ -163,7 +206,10 @@ kex_names_valid(const char *names) +@@ -165,7 +208,10 @@ kex_names_valid(const char *names) for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { if (kex_alg_by_name(p) == NULL) { @@ -510,10 +510,10 @@ free(s); return 0; } -Index: openssh-8.4p1/mac.c +Index: openssh-8.8p1/mac.c =================================================================== ---- openssh-8.4p1.orig/mac.c -+++ openssh-8.4p1/mac.c +--- openssh-8.8p1.orig/mac.c ++++ openssh-8.8p1/mac.c @@ -41,6 +41,9 @@ #include "openbsd-compat/openssl-compat.h" @@ -593,10 +593,10 @@ if (strcmp(name, m->name) != 0) continue; if (mac != NULL) -Index: openssh-8.4p1/readconf.c +Index: openssh-8.8p1/readconf.c =================================================================== ---- openssh-8.4p1.orig/readconf.c -+++ openssh-8.4p1/readconf.c +--- openssh-8.8p1.orig/readconf.c ++++ openssh-8.8p1/readconf.c @@ -68,6 +68,8 @@ #include "myproposal.h" #include "digest.h" @@ -606,8 +606,8 @@ /* Format of the configuration file: # Configuration data is parsed as follows: -@@ -1949,6 +1951,23 @@ option_clear_or_none(const char *o) - return o == NULL || strcasecmp(o, "none") == 0; +@@ -2307,6 +2309,23 @@ config_has_permitted_cnames(Options *opt + return options->num_permitted_cnames > 0; } +/* remove algorithms not approved for use in FIPS mode, when running in FIPS @@ -630,7 +630,7 @@ /* * Initializes options to special values that indicate that they have not yet * been set. Read_config_file will only set options with this value. Options -@@ -2240,6 +2259,9 @@ fill_default_options(Options * options) +@@ -2618,6 +2637,9 @@ fill_default_options(Options * options) options->canonicalize_hostname = SSH_CANONICALISE_NO; if (options->fingerprint_hash == -1) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; 
@@ -640,28 +640,20 @@ #ifdef ENABLE_SK_INTERNAL if (options->sk_provider == NULL) options->sk_provider = xstrdup("internal"); -@@ -2273,6 +2295,7 @@ fill_default_options(Options * options) - ASSEMBLE(pubkey_key_types, def_key, all_key); +@@ -2654,6 +2676,8 @@ fill_default_options(Options * options) ASSEMBLE(ca_sign_algorithms, def_sig, all_sig); #undef ASSEMBLE -+ - free(all_cipher); - free(all_mac); - free(all_kex); -@@ -2284,6 +2307,8 @@ fill_default_options(Options * options) - kex_default_pk_alg_filtered = def_key; /* save for later use */ - free(def_sig); + filter_fips_algorithms(options); + #define CLEAR_ON_NONE(v) \ do { \ if (option_clear_or_none(v)) { \ -Index: openssh-8.4p1/readconf.h +Index: openssh-8.8p1/readconf.h =================================================================== ---- openssh-8.4p1.orig/readconf.h -+++ openssh-8.4p1/readconf.h -@@ -200,6 +200,7 @@ typedef struct { +--- openssh-8.8p1.orig/readconf.h ++++ openssh-8.8p1/readconf.h +@@ -212,6 +212,7 @@ typedef struct { #define SSH_STRICT_HOSTKEY_YES 2 #define SSH_STRICT_HOSTKEY_ASK 3 @@ -669,10 +661,10 @@ const char *kex_default_pk_alg(void); char *ssh_connection_hash(const char *thishost, const char *host, const char *portstr, const char *user); -Index: openssh-8.4p1/servconf.c +Index: openssh-8.8p1/servconf.c =================================================================== ---- openssh-8.4p1.orig/servconf.c -+++ openssh-8.4p1/servconf.c +--- openssh-8.8p1.orig/servconf.c ++++ openssh-8.8p1/servconf.c @@ -70,6 +70,7 @@ #include "auth.h" #include "myproposal.h" @@ -681,7 +673,7 @@ static void add_listen_addr(ServerOptions *, const char *, const char *, int); -@@ -201,6 +202,23 @@ option_clear_or_none(const char *o) +@@ -205,6 +206,23 @@ option_clear_or_none(const char *o) return o == NULL || strcasecmp(o, "none") == 0; } 
@@ -705,7 +697,7 @@ static void assemble_algorithms(ServerOptions *o) { -@@ -242,6 +260,8 @@ assemble_algorithms(ServerOptions *o) +@@ -246,6 +264,8 @@ assemble_algorithms(ServerOptions *o) free(def_kex); free(def_key); free(def_sig); @@ -713,8 +705,8 @@ + filter_fips_algorithms_s(o); } - static void -@@ -454,6 +474,8 @@ fill_default_server_options(ServerOption + void +@@ -438,6 +458,8 @@ fill_default_server_options(ServerOption options->fwd_opts.streamlocal_bind_unlink = 0; if (options->fingerprint_hash == -1) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; @@ -723,20 +715,20 @@ if (options->disable_forwarding == -1) options->disable_forwarding = 0; if (options->expose_userauth_info == -1) -Index: openssh-8.4p1/ssh-keygen.c +Index: openssh-8.8p1/ssh-keygen.c =================================================================== ---- openssh-8.4p1.orig/ssh-keygen.c -+++ openssh-8.4p1/ssh-keygen.c -@@ -66,6 +66,8 @@ - #include "ssh-sk.h" +--- openssh-8.8p1.orig/ssh-keygen.c ++++ openssh-8.8p1/ssh-keygen.c +@@ -67,6 +67,8 @@ #include "sk-api.h" /* XXX for SSH_SK_USER_PRESENCE_REQD; remove */ + #include "cipher.h" +#include "fips.h" + #ifdef WITH_OPENSSL # define DEFAULT_KEY_TYPE_NAME "rsa" #else -@@ -1036,11 +1038,13 @@ do_fingerprint(struct passwd *pw) +@@ -1037,11 +1039,13 @@ do_fingerprint(struct passwd *pw) static void do_gen_all_hostkeys(struct passwd *pw) { @@ -752,7 +744,7 @@ #ifdef WITH_OPENSSL { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE }, { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE }, -@@ -1055,6 +1059,17 @@ do_gen_all_hostkeys(struct passwd *pw) +@@ -1056,6 +1060,17 @@ do_gen_all_hostkeys(struct passwd *pw) { NULL, NULL, NULL } }; @@ -770,7 +762,7 @@ u_int32_t bits = 0; int first = 0; struct stat st; -@@ -1062,6 +1077,12 @@ do_gen_all_hostkeys(struct passwd *pw) +@@ -1063,6 +1078,12 @@ do_gen_all_hostkeys(struct passwd *pw) char comment[1024], *prv_tmp, *pub_tmp, *prv_file, *pub_file; int i, type, fd, r; 
@@ -783,7 +775,7 @@ for (i = 0; key_types[i].key_type; i++) { public = private = NULL; prv_tmp = pub_tmp = prv_file = pub_file = NULL; -@@ -3586,6 +3607,15 @@ main(int argc, char **argv) +@@ -3620,6 +3641,15 @@ main(int argc, char **argv) key_type_name = DEFAULT_KEY_TYPE_NAME; type = sshkey_type_from_name(key_type_name); 
@@ -799,37 +791,37 @@ type_bits_valid(type, key_type_name, &bits); if (!quiet) -Index: openssh-8.4p1/ssh_config.5 +Index: openssh-8.8p1/ssh_config.5 =================================================================== ---- openssh-8.4p1.orig/ssh_config.5 -+++ openssh-8.4p1/ssh_config.5 -@@ -682,6 +682,8 @@ Valid options are: - and - .Cm sha256 +--- openssh-8.8p1.orig/ssh_config.5 ++++ openssh-8.8p1/ssh_config.5 +@@ -736,6 +736,8 @@ The argument to this keyword must be + option) or + .Cm no (the default). +.Pp +In the FIPS mode the minimum of SHA-1 is enforced (which means sha256). .It Cm ForwardAgent Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. -Index: openssh-8.4p1/sshd.c +Index: openssh-8.8p1/sshd.c =================================================================== ---- openssh-8.4p1.orig/sshd.c -+++ openssh-8.4p1/sshd.c -@@ -124,6 +124,8 @@ - #include "ssherr.h" - #include "sk-api.h" +--- openssh-8.8p1.orig/sshd.c ++++ openssh-8.8p1/sshd.c +@@ -126,6 +126,8 @@ + #include "srclimit.h" + #include "dh.h" +#include "fips.h" + /* Re-exec fds */ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) -Index: openssh-8.4p1/sshd_config.5 +Index: openssh-8.8p1/sshd_config.5 =================================================================== ---- openssh-8.4p1.orig/sshd_config.5 -+++ openssh-8.4p1/sshd_config.5 -@@ -594,6 +594,8 @@ and +--- openssh-8.8p1.orig/sshd_config.5 ++++ openssh-8.8p1/sshd_config.5 +@@ -600,6 +600,8 @@ and .Cm sha256 . The default is .Cm sha256 . ++++++ openssh-7.7p1-fips_checks.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.794175441 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.794175441 +0200 
@@ -14,10 +14,10 @@ # file is not found (or the hash matches), proceed in non-FIPS mode and abort # otherwise. -Index: openssh-8.4p1/fips-check.c +Index: openssh-8.8p1/fips-check.c =================================================================== --- /dev/null -+++ openssh-8.4p1/fips-check.c ++++ openssh-8.8p1/fips-check.c @@ -0,0 +1,34 @@ +#include "includes.h" +#include <fcntl.h> @@ -53,10 +53,10 @@ + fips_ssh_init(); + return 0; +} -Index: openssh-8.4p1/fips.c +Index: openssh-8.8p1/fips.c =================================================================== ---- openssh-8.4p1.orig/fips.c -+++ openssh-8.4p1/fips.c +--- openssh-8.8p1.orig/fips.c ++++ openssh-8.8p1/fips.c @@ -35,30 +35,293 @@ #include "log.h" #include "xmalloc.h" @@ -362,10 +362,10 @@ int fips_mode(void) { -Index: openssh-8.4p1/fips.h +Index: openssh-8.8p1/fips.h =================================================================== ---- openssh-8.4p1.orig/fips.h -+++ openssh-8.4p1/fips.h +--- openssh-8.8p1.orig/fips.h ++++ openssh-8.8p1/fips.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012 Petr Cerny. All rights reserved. @@ -407,20 +407,20 @@ #endif - -Index: openssh-8.4p1/sftp-server.c +Index: openssh-8.8p1/sftp-server.c =================================================================== ---- openssh-8.4p1.orig/sftp-server.c -+++ openssh-8.4p1/sftp-server.c -@@ -53,6 +53,8 @@ - - char *sftp_realpath(const char *, char *); /* sftp-realpath.c */ +--- openssh-8.8p1.orig/sftp-server.c ++++ openssh-8.8p1/sftp-server.c +@@ -57,6 +57,8 @@ char *sftp_realpath(const char *, char * + /* Maximum data read that we are willing to accept */ + #define SFTP_MAX_READ_LENGTH (SFTP_MAX_MSG_LENGTH - 1024) +#include "fips.h" + /* Our verbosity */ static LogLevel log_level = SYSLOG_LEVEL_ERROR; -@@ -1577,6 +1579,9 @@ sftp_server_main(int argc, char **argv, +@@ -1717,6 +1719,9 @@ sftp_server_main(int argc, char **argv, extern char *optarg; extern char *__progname; 
@@ -430,10 +430,10 @@ __progname = ssh_get_progname(argv[0]); log_init(__progname, log_level, log_facility, log_stderr); -Index: openssh-8.4p1/ssh.c +Index: openssh-8.8p1/ssh.c =================================================================== ---- openssh-8.4p1.orig/ssh.c -+++ openssh-8.4p1/ssh.c +--- openssh-8.8p1.orig/ssh.c ++++ openssh-8.8p1/ssh.c @@ -113,6 +113,8 @@ #include "ssh-pkcs11.h" #endif @@ -443,9 +443,9 @@ extern char *__progname; /* Saves a copy of argv for setproctitle emulation */ -@@ -658,6 +660,10 @@ main(int ac, char **av) - size_t n, len; +@@ -632,6 +634,10 @@ main(int ac, char **av) u_int j; + struct ssh_conn_info *cinfo = NULL; + /* initialize fips - can go before ssh_malloc_init(), since that is a + * OpenBSD-only thing (as of OpenSSH 7.6p1) */ @@ -454,11 +454,11 @@ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); -Index: openssh-8.4p1/sshd.c +Index: openssh-8.8p1/sshd.c =================================================================== ---- openssh-8.4p1.orig/sshd.c -+++ openssh-8.4p1/sshd.c -@@ -1545,6 +1545,10 @@ main(int ac, char **av) +--- openssh-8.8p1.orig/sshd.c ++++ openssh-8.8p1/sshd.c +@@ -1547,6 +1547,10 @@ main(int ac, char **av) Authctxt *authctxt; struct connection_info *connection_info = NULL; ++++++ openssh-7.7p1-host_ident.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.802175453 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.802175453 +0200 
@@ -2,15 +2,11 @@ # Parent 0f731d0b541b8a919d24ac91098f560a49712822 Suggest command line for removal of offending keys from known_hosts file -diff --git a/openssh-7.7p1/sshconnect.c b/openssh-7.7p1/sshconnect.c ---- openssh-7.7p1/sshconnect.c -+++ openssh-7.7p1/sshconnect.c -@@ -1147,16 +1147,21 @@ check_host_key(char *hostname, struct so - } - /* The host key has changed. */ - warn_changed_key(host_key); - error("Add correct host key in %.100s to get rid of this message.", - user_hostfiles[0]); +Index: openssh-8.8p1/sshconnect.c +=================================================================== +--- openssh-8.8p1.orig/sshconnect.c ++++ openssh-8.8p1/sshconnect.c +@@ -1270,6 +1270,11 @@ check_host_key(char *hostname, const str error("Offending %s key in %s:%lu", sshkey_type(host_found->key), host_found->file, host_found->line); @@ -22,8 +18,3 @@ /* * If strict host key checking is in use, the user will have - * to edit the key manually and we can only abort. - */ - if (options.strict_host_key_checking != - SSH_STRICT_HOSTKEY_OFF) { - error("%s host key for %.200s has changed and you have " ++++++ openssh-7.7p1-hostname_changes_when_forwarding_X.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.810175466 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.810175466 +0200 @@ -3,11 +3,11 @@ # -- uset do be called '-xauthlocalhostname' handle hostname changes when forwarding X -Index: openssh-8.4p1/session.c +Index: openssh-8.8p1/session.c =================================================================== ---- openssh-8.4p1.orig/session.c -+++ openssh-8.4p1/session.c -@@ -985,7 +985,7 @@ copy_environment(char **source, char *** +--- openssh-8.8p1.orig/session.c ++++ openssh-8.8p1/session.c +@@ -981,7 +981,7 @@ copy_environment(char **source, char *** #endif static char ** 
@@ -16,7 +16,7 @@ { char buf[256]; size_t n; -@@ -1195,6 +1195,8 @@ do_setup_env(struct ssh *ssh, Session *s +@@ -1191,6 +1191,8 @@ do_setup_env(struct ssh *ssh, Session *s for (i = 0; env[i]; i++) fprintf(stderr, " %.200s\n", env[i]); } @@ -25,7 +25,7 @@ return env; } -@@ -1203,7 +1205,7 @@ do_setup_env(struct ssh *ssh, Session *s +@@ -1199,7 +1201,7 @@ do_setup_env(struct ssh *ssh, Session *s * first in this order). */ static void @@ -34,8 +34,8 @@ { FILE *f = NULL; char *cmd = NULL, *user_rc = NULL; -@@ -1260,12 +1262,20 @@ do_rc_files(struct ssh *ssh, Session *s, - fatal("%s: xasprintf: %s", __func__, strerror(errno)); +@@ -1256,12 +1258,20 @@ do_rc_files(struct ssh *ssh, Session *s, + fatal_f("xasprintf: %s", strerror(errno)); f = popen(cmd, "w"); if (f) { + char hostname[MAXHOSTNAMELEN]; @@ -55,7 +55,7 @@ } else { fprintf(stderr, "Could not run %s\n", cmd); -@@ -1526,6 +1536,7 @@ do_child(struct ssh *ssh, Session *s, co +@@ -1518,6 +1528,7 @@ do_child(struct ssh *ssh, Session *s, co char **env, *argv[ARGV_MAX], remote_id[512]; const char *shell, *shell0; struct passwd *pw = s->pw; @@ -63,7 +63,7 @@ int r = 0; sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id)); -@@ -1582,7 +1593,7 @@ do_child(struct ssh *ssh, Session *s, co +@@ -1574,7 +1585,7 @@ do_child(struct ssh *ssh, Session *s, co * Make sure $SHELL points to the shell from the password file, * even if shell is overridden from login.conf */ @@ -72,7 +72,7 @@ #ifdef HAVE_LOGIN_CAP shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); -@@ -1646,7 +1657,7 @@ do_child(struct ssh *ssh, Session *s, co +@@ -1638,7 +1649,7 @@ do_child(struct ssh *ssh, Session *s, co closefrom(STDERR_FILENO + 1); ++++++ openssh-7.7p1-ldap.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.822175486 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.822175486 +0200 
@@ -10,11 +10,10 @@ # internal versions. ssh-keyconverter consequently fails to link as it lacks # the proper flags, and libopenbsd-compat doesn't contain the b64_* functions) -diff --git a/HOWTO.ldap-keys b/HOWTO.ldap-keys -new file mode 100644 -index 0000000..831d399 +Index: openssh-8.8p1/HOWTO.ldap-keys +=================================================================== --- /dev/null -+++ b/HOWTO.ldap-keys ++++ openssh-8.8p1/HOWTO.ldap-keys @@ -0,0 +1,108 @@ + +HOW TO START @@ -124,11 +123,11 @@ + - frederic peters. + - Finlay dobbie. + - Stefan Fisher. -diff --git a/Makefile.in b/Makefile.in -index 6010d1c..f54348b 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -25,6 +25,8 @@ SFTP_SERVER=$(libexecdir)/sftp-server +Index: openssh-8.8p1/Makefile.in +=================================================================== +--- openssh-8.8p1.orig/Makefile.in ++++ openssh-8.8p1/Makefile.in +@@ -26,6 +26,8 @@ SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper @@ -137,7 +136,7 @@ CAVSTEST_CTR=$(libexecdir)/cavstest-ctr CAVSTEST_KDF=$(libexecdir)/cavstest-kdf PRIVSEP_PATH=@PRIVSEP_PATH@ -@@ -74,6 +76,9 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keys +@@ -73,6 +75,9 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-a TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT) 
@@ -147,9 +146,9 @@ XMSS_OBJS=\ ssh-xmss.o \ sshkey-xmss.o \ -@@ -158,8 +163,8 @@ SFTPSERVER_OBJS=sftp-common.o sftp-server.o sftp-server-main.o +@@ -160,8 +165,8 @@ SFTPSERVER_OBJS=sftp-common.o sftp-serve - SFTP_OBJS= sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o + SFTP_OBJS= sftp.o progressmeter.o $(SFTP_CLIENT_OBJS) -MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out -MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5 @@ -158,7 +157,7 @@ MANTYPE = @MANTYPE@ CONFIGFILES=sshd_config.out ssh_config.out moduli.out -@@ -242,6 +247,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS) +@@ -244,6 +249,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) lib ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) @@ -166,9 +165,9 @@ + $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) + sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS) - $(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + $(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -@@ -406,6 +414,10 @@ install-files: +@@ -416,6 +424,10 @@ install-files: $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) 
@@ -179,7 +178,7 @@ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) -@@ -425,6 +437,10 @@ install-files: +@@ -435,6 +447,10 @@ install-files: $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 @@ -190,7 +189,7 @@ $(INSTALL) -m 644 ssh-sk-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8 install-sysconf: -@@ -449,6 +465,13 @@ install-sysconf: +@@ -459,6 +475,13 @@ install-sysconf: else \ echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \ fi @@ -204,7 +203,7 @@ host-key: ssh-keygen$(EXEEXT) @if [ -z "$(DESTDIR)" ] ; then \ -@@ -487,6 +510,8 @@ uninstall: +@@ -497,6 +520,8 @@ uninstall: -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) @@ -213,7 +212,7 @@ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -@@ -499,6 +524,7 @@ uninstall: +@@ -509,6 +534,7 @@ uninstall: -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8 
@@ -221,11 +220,11 @@ regress-prep: $(MKDIR_P) `pwd`/regress/unittests/test_helper -diff --git a/configure.ac b/configure.ac -index 4ddf539..1fd0b17 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1688,6 +1688,106 @@ AC_ARG_WITH([audit], +Index: openssh-8.8p1/configure.ac +=================================================================== +--- openssh-8.8p1.orig/configure.ac ++++ openssh-8.8p1/configure.ac +@@ -1758,6 +1758,106 @@ AC_ARG_WITH([audit], esac ] ) @@ -332,11 +331,10 @@ AC_ARG_WITH([pie], [ --with-pie Build Position Independent Executables if possible], [ if test "x$withval" = "xno"; then -diff --git a/ldap-helper.c b/ldap-helper.c -new file mode 100644 -index 0000000..0efff1f +Index: openssh-8.8p1/ldap-helper.c +=================================================================== --- /dev/null -+++ b/ldap-helper.c ++++ openssh-8.8p1/ldap-helper.c @@ -0,0 +1,155 @@ +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -493,11 +491,10 @@ +void *buffer_get_string(struct sshbuf *b, u_int *l) { return NULL; } +void buffer_put_string(struct sshbuf *b, const void *f, u_int l) {} + -diff --git a/ldap-helper.h b/ldap-helper.h -new file mode 100644 -index 0000000..14cb29a +Index: openssh-8.8p1/ldap-helper.h +=================================================================== --- /dev/null -+++ b/ldap-helper.h ++++ openssh-8.8p1/ldap-helper.h @@ -0,0 +1,32 @@ +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -531,11 +528,10 @@ +extern int config_warning_config_file; + +#endif /* LDAP_HELPER_H */ -diff --git a/ldap.conf b/ldap.conf -new file mode 100644 -index 0000000..42e38d3 +Index: openssh-8.8p1/ldap.conf +=================================================================== --- /dev/null -+++ b/ldap.conf ++++ openssh-8.8p1/ldap.conf @@ -0,0 +1,88 @@ +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $ +# 
@@ -625,12 +621,11 @@ +#tls_cert +#tls_key + -diff --git a/ldapbody.c b/ldapbody.c -new file mode 100644 -index 0000000..032cc89 +Index: openssh-8.8p1/ldapbody.c +=================================================================== --- /dev/null -+++ b/ldapbody.c -@@ -0,0 +1,494 @@ ++++ openssh-8.8p1/ldapbody.c +@@ -0,0 +1,503 @@ +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* + * Copyright (c) 2009 Jan F. Chadima. All rights reserved. @@ -663,8 +658,17 @@ +#include "ldapmisc.h" +#include "ldapbody.h" +#include <stdio.h> ++#include <stdlib.h> +#include <unistd.h> + ++#ifndef FALSE ++# define FALSE 0 ++#endif ++ ++#ifndef TRUE ++# define TRUE 1 ++#endif ++ +#define LDAPSEARCH_FORMAT "(&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s)%s)" +#define PUBKEYATTR "sshPublicKey" +#define LDAP_LOGFILE "%s/ldap.%d" @@ -1125,11 +1129,10 @@ + return; +} + -diff --git a/ldapbody.h b/ldapbody.h -new file mode 100644 -index 0000000..665dca2 +Index: openssh-8.8p1/ldapbody.h +=================================================================== --- /dev/null -+++ b/ldapbody.h ++++ openssh-8.8p1/ldapbody.h @@ -0,0 +1,37 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1168,11 +1171,10 @@ + +#endif /* LDAPBODY_H */ + -diff --git a/ldapconf.c b/ldapconf.c -new file mode 100644 -index 0000000..2e22438 +Index: openssh-8.8p1/ldapconf.c +=================================================================== --- /dev/null -+++ b/ldapconf.c ++++ openssh-8.8p1/ldapconf.c @@ -0,0 +1,711 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1885,11 +1887,10 @@ + dump_cfg_string(lSSH_Filter, options.ssh_filter); +} + -diff --git a/ldapconf.h b/ldapconf.h -new file mode 100644 -index 0000000..c2aa704 +Index: openssh-8.8p1/ldapconf.h +=================================================================== --- /dev/null -+++ b/ldapconf.h ++++ openssh-8.8p1/ldapconf.h 
@@ -0,0 +1,71 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1962,11 +1963,10 @@ +void dump_config(void); + +#endif /* LDAPCONF_H */ -diff --git a/ldapincludes.h b/ldapincludes.h -new file mode 100644 -index 0000000..8539bdc +Index: openssh-8.8p1/ldapincludes.h +=================================================================== --- /dev/null -+++ b/ldapincludes.h ++++ openssh-8.8p1/ldapincludes.h @@ -0,0 +1,41 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -2009,11 +2009,10 @@ +#endif + +#endif /* LDAPINCLUDES_H */ -diff --git a/ldapmisc.c b/ldapmisc.c -new file mode 100644 -index 0000000..de23c0c +Index: openssh-8.8p1/ldapmisc.c +=================================================================== --- /dev/null -+++ b/ldapmisc.c ++++ openssh-8.8p1/ldapmisc.c @@ -0,0 +1,79 @@ + +#include "ldapincludes.h" @@ -2094,11 +2093,10 @@ +} +#endif + -diff --git a/ldapmisc.h b/ldapmisc.h -new file mode 100644 -index 0000000..4c271df +Index: openssh-8.8p1/ldapmisc.h +=================================================================== --- /dev/null -+++ b/ldapmisc.h ++++ openssh-8.8p1/ldapmisc.h @@ -0,0 +1,35 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -2135,10 +2133,10 @@ + +#endif /* LDAPMISC_H */ + -diff --git a/openbsd-compat/base64.c b/openbsd-compat/base64.c -index 9e74667..14824be 100644 ---- a/openbsd-compat/base64.c -+++ b/openbsd-compat/base64.c +Index: openssh-8.8p1/openbsd-compat/base64.c +=================================================================== +--- openssh-8.8p1.orig/openbsd-compat/base64.c ++++ openssh-8.8p1/openbsd-compat/base64.c @@ -46,7 +46,7 @@ #include "includes.h" 
@@ -2157,7 +2155,7 @@ int b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize) { -@@ -185,7 +185,7 @@ b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize) +@@ -185,7 +185,7 @@ b64_ntop(u_char const *src, size_t srcle } #endif /* !defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP) */ @@ -2166,10 +2164,10 @@ /* skips all whitespace anywhere. converts characters, four at a time, starting at (or after) -diff --git a/openbsd-compat/base64.h b/openbsd-compat/base64.h -index bd77293..e27df9a 100644 ---- a/openbsd-compat/base64.h -+++ b/openbsd-compat/base64.h +Index: openssh-8.8p1/openbsd-compat/base64.h +=================================================================== +--- openssh-8.8p1.orig/openbsd-compat/base64.h ++++ openssh-8.8p1/openbsd-compat/base64.h @@ -45,16 +45,16 @@ #include "includes.h" @@ -2191,11 +2189,10 @@ int b64_pton(char const *src, u_char *target, size_t targsize); # endif /* !HAVE_B64_PTON */ # define __b64_pton(a,b,c) b64_pton(a,b,c) -diff --git a/openssh-lpk-openldap.schema b/openssh-lpk-openldap.schema -new file mode 100644 -index 0000000..c84f90f +Index: openssh-8.8p1/openssh-lpk-openldap.schema +=================================================================== --- /dev/null -+++ b/openssh-lpk-openldap.schema ++++ openssh-8.8p1/openssh-lpk-openldap.schema @@ -0,0 +1,21 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey @@ -2218,11 +2215,10 @@ + DESC 'MANDATORY: OpenSSH LPK objectclass' + MUST ( sshPublicKey $ uid ) + ) -diff --git a/openssh-lpk-sun.schema b/openssh-lpk-sun.schema -new file mode 100644 -index 0000000..3136673 +Index: openssh-8.8p1/openssh-lpk-sun.schema +=================================================================== --- /dev/null -+++ b/openssh-lpk-sun.schema ++++ openssh-8.8p1/openssh-lpk-sun.schema @@ -0,0 +1,23 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey 
@@ -2247,11 +2243,10 @@ + DESC 'MANDATORY: OpenSSH LPK objectclass' + MUST ( sshPublicKey $ uid ) + ) -diff --git a/ssh-ldap-helper.8 b/ssh-ldap-helper.8 -new file mode 100644 -index 0000000..f8440e4 +Index: openssh-8.8p1/ssh-ldap-helper.8 +=================================================================== --- /dev/null -+++ b/ssh-ldap-helper.8 ++++ openssh-8.8p1/ssh-ldap-helper.8 @@ -0,0 +1,79 @@ +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" @@ -2332,21 +2327,19 @@ +OpenSSH 5.5 + PKA-LDAP . +.Sh AUTHORS +.An Jan F. Chadima Aq jchad...@redhat.com -diff --git a/ssh-ldap-wrapper b/ssh-ldap-wrapper -new file mode 100644 -index 0000000..9fdfc37 +Index: openssh-8.8p1/ssh-ldap-wrapper +=================================================================== --- /dev/null -+++ b/ssh-ldap-wrapper ++++ openssh-8.8p1/ssh-ldap-wrapper @@ -0,0 +1,4 @@ +#!/bin/sh + +exec @LIBEXECDIR@/ssh-ldap-helper -s "$1" + -diff --git a/ssh-ldap.conf.5 b/ssh-ldap.conf.5 -new file mode 100644 -index 0000000..15eb03d +Index: openssh-8.8p1/ssh-ldap.conf.5 +=================================================================== --- /dev/null -+++ b/ssh-ldap.conf.5 ++++ openssh-8.8p1/ssh-ldap.conf.5 @@ -0,0 +1,376 @@ +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" ++++++ openssh-7.7p1-no_fork-no_pid_file.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.830175498 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.830175498 +0200 
@@ -2,11 +2,11 @@ # Parent bad0c8b3b8d72abb6960ed85b57ee42352371738 Do not write a PID file when not daemonizing (e.g. when running from systemd) -diff --git a/sshd.c b/sshd.c -index f3ccc3a..eadc1b3 100644 ---- a/sshd.c -+++ b/sshd.c -@@ -2076,7 +2076,7 @@ main(int ac, char **av) +Index: openssh-8.8p1/sshd.c +=================================================================== +--- openssh-8.8p1.orig/sshd.c ++++ openssh-8.8p1/sshd.c +@@ -2129,7 +2129,7 @@ main(int ac, char **av) * Write out the pid file after the sigterm handler * is setup and the listen sockets are bound */ ++++++ openssh-7.7p1-pam_check_locks.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.838175511 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.842175518 +0200 @@ -5,10 +5,10 @@ bnc#708678, FATE#312033 -Index: openssh-8.4p1/auth.c +Index: openssh-8.8p1/auth.c =================================================================== ---- openssh-8.4p1.orig/auth.c -+++ openssh-8.4p1/auth.c +--- openssh-8.8p1.orig/auth.c ++++ openssh-8.8p1/auth.c @@ -113,7 +113,7 @@ allowed_user(struct ssh *ssh, struct pas return 0; @@ -27,10 +27,10 @@ int locked = 0; #ifdef LOCKED_PASSWD_STRING -Index: openssh-8.4p1/servconf.c +Index: openssh-8.8p1/servconf.c =================================================================== ---- openssh-8.4p1.orig/servconf.c -+++ openssh-8.4p1/servconf.c +--- openssh-8.8p1.orig/servconf.c ++++ openssh-8.8p1/servconf.c @@ -92,6 +92,7 @@ initialize_server_options(ServerOptions /* Portable-specific options */ @@ -39,7 +39,7 @@ /* Standard Options */ options->num_ports = 0; -@@ -300,6 +301,8 @@ fill_default_server_options(ServerOption +@@ -278,6 +279,8 @@ fill_default_server_options(ServerOption /* Portable-specific options */ if (options->use_pam == -1) options->use_pam = 0; 
@@ -48,7 +48,7 @@ /* Standard Options */ if (options->num_host_key_files == 0) { -@@ -501,7 +504,7 @@ fill_default_server_options(ServerOption +@@ -485,7 +488,7 @@ fill_default_server_options(ServerOption typedef enum { sBadOption, /* == unknown option */ /* Portable-specific options */ @@ -56,8 +56,8 @@ + sUsePAM, sUsePAMChecklocks, /* Standard Options */ sPort, sHostKeyFile, sLoginGraceTime, - sPermitRootLogin, sLogFacility, sLogLevel, -@@ -553,8 +556,10 @@ static struct { + sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, +@@ -535,8 +538,10 @@ static struct { /* Portable-specific options */ #ifdef USE_PAM { "usepam", sUsePAM, SSHCFG_GLOBAL }, @@ -68,7 +68,7 @@ #endif { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, /* Standard Options */ -@@ -1318,6 +1323,9 @@ process_server_config_line_depth(ServerO +@@ -1331,6 +1336,9 @@ process_server_config_line_depth(ServerO case sUsePAM: intptr = &options->use_pam; goto parse_flag; @@ -78,11 +78,11 @@ /* Standard Options */ case sBadOption: -Index: openssh-8.4p1/servconf.h +Index: openssh-8.8p1/servconf.h =================================================================== ---- openssh-8.4p1.orig/servconf.h -+++ openssh-8.4p1/servconf.h -@@ -195,6 +195,7 @@ typedef struct { +--- openssh-8.8p1.orig/servconf.h ++++ openssh-8.8p1/servconf.h +@@ -200,6 +200,7 @@ typedef struct { char *adm_forced_command; int use_pam; /* Enable auth via PAM */ @@ -90,11 +90,11 @@ int permit_tun; -Index: openssh-8.4p1/sshd_config.0 +Index: openssh-8.8p1/sshd_config.0 =================================================================== ---- openssh-8.4p1.orig/sshd_config.0 -+++ openssh-8.4p1/sshd_config.0 -@@ -1032,6 +1032,14 @@ DESCRIPTION +--- openssh-8.8p1.orig/sshd_config.0 ++++ openssh-8.8p1/sshd_config.0 +@@ -1074,6 +1074,14 @@ DESCRIPTION If UsePAM is enabled, you will not be able to run sshd(8) as a non-root user. The default is no. 
@@ -109,11 +109,11 @@ VersionAddendum Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection. The default -Index: openssh-8.4p1/sshd_config.5 +Index: openssh-8.8p1/sshd_config.5 =================================================================== ---- openssh-8.4p1.orig/sshd_config.5 -+++ openssh-8.4p1/sshd_config.5 -@@ -1718,6 +1718,18 @@ is enabled, you will not be able to run +--- openssh-8.8p1.orig/sshd_config.5 ++++ openssh-8.8p1/sshd_config.5 +@@ -1775,6 +1775,18 @@ is enabled, you will not be able to run as a non-root user. The default is .Cm no . ++++++ openssh-7.7p1-pts_names_formatting.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.850175530 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.850175530 +0200 @@ -4,15 +4,11 @@ # formats in ?tmp? files) # --used to be called '-pts' -diff --git a/openssh-7.7p1/loginrec.c b/openssh-7.7p1/loginrec.c ---- openssh-7.7p1/loginrec.c -+++ openssh-7.7p1/loginrec.c -@@ -541,17 +541,17 @@ getlast_entry(struct logininfo *li) - /* - * 'line' string utility functions - * - * These functions process the 'line' string into one of three forms: - * +Index: openssh-8.8p1/loginrec.c +=================================================================== +--- openssh-8.8p1.orig/loginrec.c ++++ openssh-8.8p1/loginrec.c +@@ -549,7 +549,7 @@ getlast_entry(struct logininfo *li) * 1. The full filename (including '/dev') * 2. The stripped name (excluding '/dev') * 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00 
@@ -21,17 +17,7 @@ * * Form 3 is used on some systems to identify a .tmp.? entry when * attempting to remove it. Typically both addition and removal is - * performed by one application - say, sshd - so as long as the choice - * uniquely identifies a terminal it's ok. - */ - - -@@ -602,16 +602,20 @@ line_abbrevname(char *dst, const char *s - /* Always skip prefix if present */ - if (strncmp(src, "/dev/", 5) == 0) - src += 5; - - #ifdef WITH_ABBREV_NO_TTY +@@ -610,6 +610,10 @@ line_abbrevname(char *dst, const char *s if (strncmp(src, "tty", 3) == 0) src += 3; #endif @@ -42,8 +28,3 @@ len = strlen(src); - if (len > 0) { - if (((int)len - dstsize) > 0) - src += ((int)len - dstsize); - - /* note: _don't_ change this to strlcpy */ ++++++ openssh-7.7p1-remove_xauth_cookies_on_exit.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.858175543 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.858175543 +0200 @@ -5,15 +5,11 @@ bnc#98815 -diff --git a/openssh-7.7p1/session.c b/openssh-7.7p1/session.c ---- openssh-7.7p1/session.c -+++ openssh-7.7p1/session.c -@@ -2302,16 +2302,44 @@ session_close(struct ssh *ssh, Session * - u_int i; - - verbose("Close session: user %s from %.200s port %d id %d", - s->pw->pw_name, - ssh_remote_ipaddr(ssh), +Index: openssh-8.8p1/session.c +=================================================================== +--- openssh-8.8p1.orig/session.c ++++ openssh-8.8p1/session.c +@@ -2441,6 +2441,34 @@ session_close(struct ssh *ssh, Session * ssh_remote_port(ssh), s->self); @@ -48,8 +44,3 @@ if (s->ttyfd != -1) session_pty_cleanup(s); free(s->term); - free(s->display); - free(s->x11_chanids); - free(s->auth_display); - free(s->auth_data); - free(s->auth_proto); ++++++ openssh-7.7p1-seccomp_ipc_flock.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.866175556 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.866175556 +0200 @@ -15,11 +15,11 @@ 
Signed-off-by: Eduardo Barretto <ebarre...@linux.vnet.ibm.com> -Index: openssh-7.9p1/sandbox-seccomp-filter.c +Index: openssh-8.8p1/sandbox-seccomp-filter.c =================================================================== ---- openssh-7.9p1.orig/sandbox-seccomp-filter.c -+++ openssh-7.9p1/sandbox-seccomp-filter.c -@@ -175,6 +175,9 @@ static const struct sock_filter preauth_ +--- openssh-8.8p1.orig/sandbox-seccomp-filter.c ++++ openssh-8.8p1/sandbox-seccomp-filter.c +@@ -219,6 +219,9 @@ static const struct sock_filter preauth_ #ifdef __NR_geteuid32 SC_ALLOW(__NR_geteuid32), #endif @@ -29,7 +29,7 @@ #ifdef __NR_getpgid SC_ALLOW(__NR_getpgid), #endif -@@ -193,6 +196,9 @@ static const struct sock_filter preauth_ +@@ -237,6 +240,9 @@ static const struct sock_filter preauth_ #ifdef __NR_getuid32 SC_ALLOW(__NR_getuid32), #endif ++++++ openssh-7.7p1-seccomp_stat.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.874175568 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.874175568 +0200 @@ -5,15 +5,11 @@ bnc#912436 -diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-seccomp-filter.c ---- openssh-7.7p1/sandbox-seccomp-filter.c -+++ openssh-7.7p1/sandbox-seccomp-filter.c -@@ -224,16 +224,19 @@ static const struct sock_filter preauth_ - SC_ALLOW(__NR_select), - #endif - #ifdef __NR_shutdown - SC_ALLOW(__NR_shutdown), - #endif +Index: openssh-8.8p1/sandbox-seccomp-filter.c +=================================================================== +--- openssh-8.8p1.orig/sandbox-seccomp-filter.c ++++ openssh-8.8p1/sandbox-seccomp-filter.c +@@ -294,6 +294,9 @@ static const struct sock_filter preauth_ #ifdef __NR_sigprocmask SC_ALLOW(__NR_sigprocmask), #endif 
@@ -23,8 +19,3 @@ #ifdef __NR_time SC_ALLOW(__NR_time), #endif - #ifdef __NR_write - SC_ALLOW(__NR_write), - #endif - #ifdef __NR_socketcall - SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN), ++++++ openssh-7.7p1-send_locale.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.882175581 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.886175587 +0200 @@ -3,15 +3,11 @@ send locales in default configuration bnc#65747 -diff --git a/openssh-7.7p1/ssh_config b/openssh-7.7p1/ssh_config ---- openssh-7.7p1/ssh_config -+++ openssh-7.7p1/ssh_config -@@ -26,16 +26,21 @@ Host * - # security reasons: Someone stealing the authentification data on the - # remote side (the "spoofed" X-server by the remote sshd) can read your - # keystrokes as you type, just like any other X11 client could do. - # Set this to "no" here for global effect or in your own ~/.ssh/config - # file if you want to have the remote X11 authentification data to +Index: openssh-8.8p1/ssh_config +=================================================================== +--- openssh-8.8p1.orig/ssh_config ++++ openssh-8.8p1/ssh_config +@@ -31,6 +31,11 @@ Host * # expire after twenty minutes after remote login. ForwardX11Trusted yes @@ -23,20 +19,11 @@ # PasswordAuthentication yes # HostbasedAuthentication no # GSSAPIAuthentication no - # GSSAPIDelegateCredentials no - # BatchMode no - # CheckHostIP yes - # AddressFamily any - # ConnectTimeout 0 -diff --git a/openssh-7.7p1/sshd_config b/openssh-7.7p1/sshd_config ---- openssh-7.7p1/sshd_config -+++ openssh-7.7p1/sshd_config -@@ -104,14 +104,19 @@ X11Forwarding yes - #VersionAddendum none - - # no default banner path - #Banner none - +Index: openssh-8.8p1/sshd_config +=================================================================== +--- openssh-8.8p1.orig/sshd_config ++++ openssh-8.8p1/sshd_config +@@ -108,6 +108,11 @@ X11Forwarding yes # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server 
@@ -48,6 +35,3 @@ # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no - # AllowTcpForwarding no - # PermitTTY no - # ForceCommand cvs server ++++++ openssh-7.7p1-sftp_force_permissions.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.894175600 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.894175600 +0200 @@ -1,7 +1,7 @@ -Index: openssh-8.4p1/sftp-server.8 +Index: openssh-8.8p1/sftp-server.8 =================================================================== ---- openssh-8.4p1.orig/sftp-server.8 -+++ openssh-8.4p1/sftp-server.8 +--- openssh-8.8p1.orig/sftp-server.8 ++++ openssh-8.8p1/sftp-server.8 @@ -38,6 +38,7 @@ .Op Fl P Ar denied_requests .Op Fl p Ar allowed_requests @@ -21,11 +21,11 @@ .El .Pp On some systems, -Index: openssh-8.4p1/sftp-server.c +Index: openssh-8.8p1/sftp-server.c =================================================================== ---- openssh-8.4p1.orig/sftp-server.c -+++ openssh-8.4p1/sftp-server.c -@@ -69,6 +69,10 @@ struct sshbuf *oqueue; +--- openssh-8.8p1.orig/sftp-server.c ++++ openssh-8.8p1/sftp-server.c +@@ -73,6 +73,10 @@ struct sshbuf *oqueue; /* Version of client */ static u_int version; @@ -36,7 +36,7 @@ /* SSH2_FXP_INIT received */ static int init_done; -@@ -687,6 +691,7 @@ process_open(u_int32_t id) +@@ -724,6 +728,7 @@ process_open(u_int32_t id) Attrib a; char *name; int r, handle, fd, flags, mode, status = SSH2_FX_FAILURE; @@ -44,7 +44,7 @@ if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 || (r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */ -@@ -696,6 +701,10 @@ process_open(u_int32_t id) +@@ -733,6 +738,10 @@ process_open(u_int32_t id) debug3("request %u: open flags %d", id, pflags); flags = flags_from_portable(pflags); mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666; 
@@ -55,7 +55,7 @@ logit("open \"%s\" flags %s mode 0%o", name, string_from_portable(pflags), mode); if (readonly && -@@ -717,6 +726,8 @@ process_open(u_int32_t id) +@@ -754,6 +763,8 @@ process_open(u_int32_t id) } } } @@ -64,7 +64,7 @@ if (status != SSH2_FX_OK) send_status(id, status); free(name); -@@ -1131,6 +1142,7 @@ process_mkdir(u_int32_t id) +@@ -1183,6 +1194,7 @@ process_mkdir(u_int32_t id) Attrib a; char *name; int r, mode, status = SSH2_FX_FAILURE; @@ -72,7 +72,7 @@ if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 || (r = decode_attrib(iqueue, &a)) != 0) -@@ -1138,9 +1150,16 @@ process_mkdir(u_int32_t id) +@@ -1190,9 +1202,16 @@ process_mkdir(u_int32_t id) mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm & 07777 : 0777; @@ -89,7 +89,7 @@ status = (r == -1) ? errno_to_portable(errno) : SSH2_FX_OK; send_status(id, status); free(name); -@@ -1560,7 +1579,7 @@ sftp_server_usage(void) +@@ -1700,7 +1719,7 @@ sftp_server_usage(void) fprintf(stderr, "usage: %s [-ehR] [-d start_directory] [-f log_facility] " "[-l log_level]\n\t[-P denied_requests] " @@ -98,7 +98,7 @@ " %s -Q protocol_feature\n", __progname, __progname); exit(1); -@@ -1588,7 +1607,7 @@ sftp_server_main(int argc, char **argv, +@@ -1728,7 +1747,7 @@ sftp_server_main(int argc, char **argv, pw = pwcopy(user_pw); while (!skipargs && (ch = getopt(argc, argv, @@ -107,7 +107,7 @@ switch (ch) { case 'Q': if (strcasecmp(optarg, "requests") != 0) { -@@ -1650,6 +1669,15 @@ sftp_server_main(int argc, char **argv, +@@ -1790,6 +1809,15 @@ sftp_server_main(int argc, char **argv, fatal("Invalid umask \"%s\"", optarg); (void)umask((mode_t)mask); break; ++++++ openssh-7.7p1-sftp_print_diagnostic_messages.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.902175613 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.902175613 +0200 
@@ -2,10 +2,10 @@ # Parent 60bdbe6dd8d6bc011883472363d56e1d97f68835 Put back sftp client diagnostic messages in batch mode -Index: openssh-8.4p1/sftp.1 +Index: openssh-8.8p1/sftp.1 =================================================================== ---- openssh-8.4p1.orig/sftp.1 -+++ openssh-8.4p1/sftp.1 +--- openssh-8.8p1.orig/sftp.1 ++++ openssh-8.8p1/sftp.1 @@ -287,6 +287,9 @@ Specifies the port to connect to on the .It Fl p Preserves modification times, access times, and modes from the @@ -16,12 +16,12 @@ .It Fl q Quiet mode: disables the progress meter as well as warning and diagnostic messages from -Index: openssh-8.4p1/sftp.c +Index: openssh-8.8p1/sftp.c =================================================================== ---- openssh-8.4p1.orig/sftp.c -+++ openssh-8.4p1/sftp.c -@@ -85,6 +85,9 @@ static volatile pid_t sshpid = -1; - /* Suppress diagnositic messages */ +--- openssh-8.8p1.orig/sftp.c ++++ openssh-8.8p1/sftp.c +@@ -82,6 +82,9 @@ static volatile pid_t sshpid = -1; + /* Suppress diagnostic messages */ int quiet = 0; +/* Force diagnositic messages in batch mode */ @@ -30,7 +30,7 @@ /* This is set to 0 if the progressmeter is not desired. */ int showprogress = 1; -@@ -2408,7 +2411,7 @@ main(int argc, char **argv) +@@ -2381,7 +2384,7 @@ main(int argc, char **argv) infile = stdin; while ((ch = getopt(argc, argv, @@ -39,7 +39,7 @@ switch (ch) { /* Passed through to ssh(1) */ case 'A': -@@ -2426,6 +2429,9 @@ main(int argc, char **argv) +@@ -2399,6 +2402,9 @@ main(int argc, char **argv) addargs(&args, "-%c", ch); addargs(&args, "%s", optarg); break; @@ -49,7 +49,7 @@ case 'q': ll = SYSLOG_LEVEL_ERROR; quiet = 1; -@@ -2510,6 +2516,8 @@ main(int argc, char **argv) +@@ -2483,6 +2489,8 @@ main(int argc, char **argv) usage(); } } ++++++ openssh-7.7p1-systemd-notify.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.910175625 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.914175632 +0200 
@@ -3,11 +3,11 @@ Send signals to systemd to prevent various race conditions bsc#1048367 -Index: openssh-7.8p1/configure.ac +Index: openssh-8.8p1/configure.ac =================================================================== ---- openssh-7.8p1.orig/configure.ac -+++ openssh-7.8p1/configure.ac -@@ -4378,6 +4378,30 @@ AC_ARG_WITH([kerberos5], +--- openssh-8.8p1.orig/configure.ac ++++ openssh-8.8p1/configure.ac +@@ -4751,6 +4751,30 @@ AC_ARG_WITH([kerberos5], AC_SUBST([GSSLIBS]) AC_SUBST([K5LIBS]) @@ -38,7 +38,7 @@ # Looking for programs, paths and files PRIVSEP_PATH=/var/empty -@@ -5183,6 +5207,7 @@ echo " libldns support +@@ -5564,6 +5588,7 @@ echo " libldns support echo " Solaris process contract support: $SPC_MSG" echo " Solaris project support: $SP_MSG" echo " Solaris privilege support: $SPP_MSG" @@ -46,11 +46,11 @@ echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" echo " BSD Auth support: $BSD_AUTH_MSG" -Index: openssh-7.8p1/sshd.c +Index: openssh-8.8p1/sshd.c =================================================================== ---- openssh-7.8p1.orig/sshd.c -+++ openssh-7.8p1/sshd.c -@@ -87,6 +87,10 @@ +--- openssh-8.8p1.orig/sshd.c ++++ openssh-8.8p1/sshd.c +@@ -85,6 +85,10 @@ #include <prot.h> #endif @@ -72,7 +72,7 @@ logit("Received SIGHUP; restarting."); if (options.pid_file != NULL) unlink(options.pid_file); -@@ -1995,6 +2003,11 @@ main(int ac, char **av) +@@ -2076,6 +2084,11 @@ main(int ac, char **av) } } ++++++ openssh-7.9p1-keygen-preserve-perms.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.918175638 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.922175644 +0200 
@@ -8,11 +8,11 @@ just going with what mkstemp() gives us. This is useful in corner cases where known_hosts is shared between users. -diff --git a/ssh-keygen.c b/ssh-keygen.c -index 03a7fe5..ca8a309 100644 ---- a/ssh-keygen.c -+++ b/ssh-keygen.c -@@ -1338,6 +1338,11 @@ do_known_hosts(struct passwd *pw, const char *name) +Index: openssh-8.8p1/ssh-keygen.c +=================================================================== +--- openssh-8.8p1.orig/ssh-keygen.c ++++ openssh-8.8p1/ssh-keygen.c +@@ -1384,6 +1384,11 @@ do_known_hosts(struct passwd *pw, const if (inplace) unlink(tmp); } else if (inplace) { @@ -24,7 +24,7 @@ /* Backup existing file */ if (unlink(old) == -1 && errno != ENOENT) fatal("unlink %.100s: %s", old, strerror(errno)); -@@ -1352,6 +1357,12 @@ do_known_hosts(struct passwd *pw, const char *name) +@@ -1398,6 +1403,12 @@ do_known_hosts(struct passwd *pw, const unlink(old); exit(1); } ++++++ openssh-7.9p1-revert-new-qos-defaults.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.930175657 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.930175657 +0200 @@ -6,11 +6,11 @@ Reverts OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181 -diff --git a/readconf.c b/readconf.c -index 24f2cb1..bbdea0d 100644 ---- a/readconf.c -+++ b/readconf.c -@@ -2183,9 +2183,9 @@ fill_default_options(Options * options) +Index: openssh-8.8p1/readconf.c +=================================================================== +--- openssh-8.8p1.orig/readconf.c ++++ openssh-8.8p1/readconf.c +@@ -2679,9 +2679,9 @@ fill_default_options(Options * options) if (options->visual_host_key == -1) options->visual_host_key = 0; if (options->ip_qos_interactive == -1) 
@@ -21,12 +21,12 @@ + options->ip_qos_bulk = IPTOS_THROUGHPUT; if (options->request_tty == -1) options->request_tty = REQUEST_TTY_AUTO; - if (options->proxy_use_fdpass == -1) -diff --git a/servconf.c b/servconf.c -index 13cf154..766ac6b 100644 ---- a/servconf.c -+++ b/servconf.c -@@ -445,9 +445,9 @@ fill_default_server_options(ServerOptions *options) + if (options->session_type == -1) +Index: openssh-8.8p1/servconf.c +=================================================================== +--- openssh-8.8p1.orig/servconf.c ++++ openssh-8.8p1/servconf.c +@@ -459,9 +459,9 @@ fill_default_server_options(ServerOption if (options->permit_tun == -1) options->permit_tun = SSH_TUNMODE_NO; if (options->ip_qos_interactive == -1) @@ -38,11 +38,11 @@ if (options->version_addendum == NULL) options->version_addendum = xstrdup(""); if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) -diff --git a/ssh_config.5 b/ssh_config.5 -index 3bf0502..10246f8 100644 ---- a/ssh_config.5 -+++ b/ssh_config.5 -@@ -1088,11 +1088,9 @@ If one argument is specified, it is used as the packet class unconditionally. +Index: openssh-8.8p1/ssh_config.5 +=================================================================== +--- openssh-8.8p1.orig/ssh_config.5 ++++ openssh-8.8p1/ssh_config.5 +@@ -1182,11 +1182,9 @@ If one argument is specified, it is used If two values are specified, the first is automatically selected for interactive sessions and the second for non-interactive sessions. The default is 
@@ -56,11 +56,11 @@ for non-interactive sessions. .It Cm KbdInteractiveAuthentication Specifies whether to use keyboard-interactive authentication. -diff --git a/sshd_config.5 b/sshd_config.5 -index 50a4917..a276fcb 100644 ---- a/sshd_config.5 -+++ b/sshd_config.5 -@@ -868,11 +868,9 @@ If one argument is specified, it is used as the packet class unconditionally. +Index: openssh-8.8p1/sshd_config.5 +=================================================================== +--- openssh-8.8p1.orig/sshd_config.5 ++++ openssh-8.8p1/sshd_config.5 +@@ -903,11 +903,9 @@ If one argument is specified, it is used If two values are specified, the first is automatically selected for interactive sessions and the second for non-interactive sessions. The default is ++++++ openssh-8.0p1-gssapi-keyex.patch ++++++ ++++ 1565 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/openssh/openssh-8.0p1-gssapi-keyex.patch ++++ and /work/SRC/openSUSE:Factory/.openssh.new.2443/openssh-8.0p1-gssapi-keyex.patch ++++++ openssh-8.1p1-audit.patch ++++++ ++++ 1049 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/openssh/openssh-8.1p1-audit.patch ++++ and /work/SRC/openSUSE:Factory/.openssh.new.2443/openssh-8.1p1-audit.patch ++++++ openssh-8.1p1-seccomp-clock_gettime64.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.962175708 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.962175708 +0200 
@@ -9,11 +9,11 @@ sandbox-seccomp-filter.c | 3 +++ 1 file changed, 3 insertions(+) -diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c -index 3ef30c9d5..999c46c9f 100644 ---- a/sandbox-seccomp-filter.c -+++ b/sandbox-seccomp-filter.c -@@ -248,6 +248,9 @@ static const struct sock_filter preauth_insns[] = { +Index: openssh-8.8p1/sandbox-seccomp-filter.c +=================================================================== +--- openssh-8.8p1.orig/sandbox-seccomp-filter.c ++++ openssh-8.8p1/sandbox-seccomp-filter.c +@@ -279,6 +279,9 @@ static const struct sock_filter preauth_ #ifdef __NR_clock_nanosleep_time64 SC_ALLOW(__NR_clock_nanosleep_time64), #endif ++++++ openssh-8.1p1-seccomp-clock_nanosleep.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.970175721 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.970175721 +0200 @@ -1,8 +1,8 @@ -diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c -index c1e689e..74f69bc 100644 ---- a/sandbox-seccomp-filter.c -+++ b/sandbox-seccomp-filter.c -@@ -264,6 +264,9 @@ static const struct sock_filter preauth_insns[] = { +Index: openssh-8.8p1/sandbox-seccomp-filter.c +=================================================================== +--- openssh-8.8p1.orig/sandbox-seccomp-filter.c ++++ openssh-8.8p1/sandbox-seccomp-filter.c +@@ -273,6 +273,9 @@ static const struct sock_filter preauth_ #ifdef __NR_clock_gettime64 SC_ALLOW(__NR_clock_gettime64), #endif ++++++ openssh-8.1p1-seccomp-clock_nanosleep_time64.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.978175734 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.978175734 +0200 
@@ -8,11 +8,11 @@ sandbox-seccomp-filter.c | 3 +++ 1 file changed, 3 insertions(+) -Index: openssh-8.1p1/sandbox-seccomp-filter.c +Index: openssh-8.8p1/sandbox-seccomp-filter.c =================================================================== ---- openssh-8.1p1.orig/sandbox-seccomp-filter.c -+++ openssh-8.1p1/sandbox-seccomp-filter.c -@@ -251,6 +251,9 @@ static const struct sock_filter preauth_ +--- openssh-8.8p1.orig/sandbox-seccomp-filter.c ++++ openssh-8.8p1/sandbox-seccomp-filter.c +@@ -276,6 +276,9 @@ static const struct sock_filter preauth_ #ifdef __NR_clock_nanosleep SC_ALLOW(__NR_clock_nanosleep), #endif ++++++ openssh-8.1p1-use-openssl-kdf.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.986175746 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:41.986175746 +0200 @@ -1,8 +1,8 @@ -diff --git a/kex.c b/kex.c -index 96e44a5..7cd37d6 100644 ---- a/kex.c -+++ b/kex.c -@@ -38,6 +38,7 @@ +Index: openssh-8.8p1/kex.c +=================================================================== +--- openssh-8.8p1.orig/kex.c ++++ openssh-8.8p1/kex.c +@@ -40,6 +40,7 @@ #ifdef WITH_OPENSSL #include <openssl/crypto.h> #include <openssl/dh.h> @@ -10,7 +10,7 @@ #endif #include "ssh.h" -@@ -1109,8 +1110,92 @@ kex_choose_conf(struct ssh *ssh) +@@ -1115,8 +1116,93 @@ kex_choose_conf(struct ssh *ssh) return r; } @@ -69,7 +69,8 @@ + || EVP_KDF_ctrl (hashctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, + hash, (size_t) hashlen) != 1 + || EVP_KDF_ctrl (hashctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, -+ kex->session_id, (size_t) kex->session_id_len) != 1) ++ sshbuf_ptr(kex->session_id), ++ (size_t) sshbuf_len(kex->session_id)) != 1) + goto out; + + digest = calloc (1, need); 
@@ -104,7 +105,7 @@ const struct sshbuf *shared_secret, u_char **keyp) { struct kex *kex = ssh->kex; -@@ -1174,6 +1259,50 @@ derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen, +@@ -1179,6 +1265,50 @@ derive_key(struct ssh *ssh, int id, u_in return r; } ++++++ openssh-8.4p1-vendordir.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:41.998175765 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:42.002175772 +0200 
@@ -1,52 +1,31 @@ Gemeinsame Unterverzeichnisse: openssh-8.4p1/contrib und openssh-8.4p1-vendor/contrib. -diff -u openssh-8.4p1/dh.c openssh-8.4p1-vendor/dh.c ---- openssh-8.4p1/dh.c 2020-09-27 09:25:01.000000000 +0200 -+++ openssh-8.4p1-vendor/dh.c 2021-01-29 11:49:40.968418136 +0100 -@@ -151,10 +151,18 @@ - size_t linesize = 0; - int best, bestcount, which, linenum; - struct dhgroup dhg; -+ char *dh_moduli_path; -+ struct stat st; +Index: openssh-8.8p1/dh.c +=================================================================== +--- openssh-8.8p1.orig/dh.c ++++ openssh-8.8p1/dh.c +@@ -54,7 +54,17 @@ void dh_set_moduli_file(const char *file -- if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL) { + static const char * get_moduli_filename(void) + { +- return moduli_filename ? moduli_filename : _PATH_DH_MODULI; ++ struct stat st; ++ ++ if (moduli_filename) ++ return moduli_filename; ++ + if (stat(_PATH_VENDOR_DH_MODULI, &st) == 0 && + stat(_PATH_DH_MODULI, &st) == -1) { -+ dh_moduli_path = _PATH_VENDOR_DH_MODULI; -+ } else { -+ dh_moduli_path = _PATH_DH_MODULI; ++ return _PATH_VENDOR_DH_MODULI; + } -+ if ((f = fopen(dh_moduli_path, "r")) == NULL) { - logit("WARNING: could not open %s (%s), using fixed modulus", -- _PATH_DH_MODULI, strerror(errno)); -+ dh_moduli_path, strerror(errno)); - return (dh_new_group_fallback(max)); - } - -@@ -185,7 +193,7 @@ - - if (bestcount == 0) { - fclose(f); -- logit("WARNING: no suitable primes in %s", _PATH_DH_MODULI); -+ logit("WARNING: no suitable primes in %s", dh_moduli_path); - return (dh_new_group_fallback(max)); - } - which = arc4random_uniform(bestcount); -@@ -210,7 +218,7 @@ - fclose(f); - if (bestcount != which + 1) { - logit("WARNING: selected prime disappeared in %s, giving up", -- _PATH_DH_MODULI); -+ dh_moduli_path); - return (dh_new_group_fallback(max)); - } ++ ++ return _PATH_DH_MODULI; + } -Gemeinsame Unterverzeichnisse: openssh-8.4p1/.github und openssh-8.4p1-vendor/.github. 
-Gemeinsame Unterverzeichnisse: openssh-8.4p1/m4 und openssh-8.4p1-vendor/m4. -Gemeinsame Unterverzeichnisse: openssh-8.4p1/openbsd-compat und openssh-8.4p1-vendor/openbsd-compat. -diff -u openssh-8.4p1/pathnames.h openssh-8.4p1-vendor/pathnames.h ---- openssh-8.4p1/pathnames.h 2020-09-27 09:25:01.000000000 +0200 -+++ openssh-8.4p1-vendor/pathnames.h 2021-01-29 11:35:41.655599046 +0100 + static int +Index: openssh-8.8p1/pathnames.h +=================================================================== +--- openssh-8.8p1.orig/pathnames.h ++++ openssh-8.8p1/pathnames.h @@ -18,6 +18,8 @@ #define SSHDIR ETCDIR "/ssh" #endif @@ -74,11 +53,11 @@ #ifndef _PATH_SSH_PROGRAM #define _PATH_SSH_PROGRAM "/usr/bin/ssh" -Gemeinsame Unterverzeichnisse: openssh-8.4p1/regress und openssh-8.4p1-vendor/regress. -diff -u openssh-8.4p1/ssh.c openssh-8.4p1-vendor/ssh.c ---- openssh-8.4p1/ssh.c 2020-09-27 09:25:01.000000000 +0200 -+++ openssh-8.4p1-vendor/ssh.c 2021-01-27 18:22:52.322271681 +0100 -@@ -593,6 +593,7 @@ +Index: openssh-8.8p1/ssh.c +=================================================================== +--- openssh-8.8p1.orig/ssh.c ++++ openssh-8.8p1/ssh.c +@@ -549,6 +549,7 @@ static void process_config_files(const char *host_name, struct passwd *pw, int final_pass, int *want_final_pass) { @@ -86,7 +65,7 @@ char buf[PATH_MAX]; int r; -@@ -611,10 +612,23 @@ +@@ -567,10 +568,23 @@ process_config_files(const char *host_na &options, SSHCONF_CHECKPERM | SSHCONF_USERCONF | (final_pass ? SSHCONF_FINAL : 0), want_final_pass); 
@@ -114,11 +93,11 @@ } } -Nur in openssh-8.4p1-vendor: #ssh_config.5#. -diff -u openssh-8.4p1/ssh_config.5 openssh-8.4p1-vendor/ssh_config.5 ---- openssh-8.4p1/ssh_config.5 2020-09-27 09:25:01.000000000 +0200 -+++ openssh-8.4p1-vendor/ssh_config.5 2021-02-24 12:02:53.935729753 +0100 -@@ -54,6 +54,9 @@ +Index: openssh-8.8p1/ssh_config.5 +=================================================================== +--- openssh-8.8p1.orig/ssh_config.5 ++++ openssh-8.8p1/ssh_config.5 +@@ -54,6 +54,9 @@ user's configuration file .It system-wide configuration file .Pq Pa /etc/ssh/ssh_config @@ -128,7 +107,7 @@ .El .Pp For each parameter, the first obtained value -@@ -1942,6 +1945,11 @@ +@@ -2212,6 +2215,11 @@ This file provides defaults for those values that are not specified in the user's configuration file, and for those users who do not have a configuration file. This file must be world-readable. @@ -140,11 +119,11 @@ .El .Sh SEE ALSO .Xr ssh 1 -Nur in openssh-8.4p1-vendor: ssh_config.5~. -diff -u openssh-8.4p1/sshd.c openssh-8.4p1-vendor/sshd.c ---- openssh-8.4p1/sshd.c 2020-09-27 09:25:01.000000000 +0200 -+++ openssh-8.4p1-vendor/sshd.c 2021-01-27 18:25:38.370273280 +0100 -@@ -136,7 +136,7 @@ +Index: openssh-8.8p1/sshd.c +=================================================================== +--- openssh-8.8p1.orig/sshd.c ++++ openssh-8.8p1/sshd.c +@@ -145,7 +145,7 @@ extern char *__progname; ServerOptions options; /* Name of the server configuration file. */ @@ -153,7 +132,7 @@ /* * Debug mode flag. This can be set on the command line. If debug -@@ -1526,6 +1526,7 @@ +@@ -1594,6 +1594,7 @@ prepare_proctitle(int ac, char **av) int main(int ac, char **av) { @@ -161,7 +140,7 @@ struct ssh *ssh = NULL; extern char *optarg; extern int optind; -@@ -1737,7 +1738,21 @@ +@@ -1809,7 +1810,21 @@ main(int ac, char **av) */ (void)atomicio(vwrite, startup_pipe, "\0", 1); } 
@@ -183,9 +162,10 @@ load_server_config(config_file_name, cfg); parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, -diff -u openssh-8.4p1/sshd_config.5 openssh-8.4p1-vendor/sshd_config.5 ---- openssh-8.4p1/sshd_config.5 2020-09-27 09:25:01.000000000 +0200 -+++ openssh-8.4p1-vendor/sshd_config.5 2021-02-24 14:14:27.912038335 +0100 +Index: openssh-8.8p1/sshd_config.5 +=================================================================== +--- openssh-8.8p1.orig/sshd_config.5 ++++ openssh-8.8p1/sshd_config.5 @@ -44,7 +44,9 @@ .Xr sshd 8 reads configuration data from @@ -197,11 +177,11 @@ .Fl f on the command line). The file contains keyword-argument pairs, one per line. -Nur in openssh-8.4p1-vendor: sshd_config.5~. -diff -u openssh-8.4p1/ssh-keysign.c openssh-8.4p1-vendor/ssh-keysign.c ---- openssh-8.4p1/ssh-keysign.c 2020-09-27 09:25:01.000000000 +0200 -+++ openssh-8.4p1-vendor/ssh-keysign.c 2021-02-24 11:34:17.684570215 +0100 -@@ -172,6 +172,7 @@ +Index: openssh-8.8p1/ssh-keysign.c +=================================================================== +--- openssh-8.8p1.orig/ssh-keysign.c ++++ openssh-8.8p1/ssh-keysign.c +@@ -172,6 +172,7 @@ main(int argc, char **argv) u_char *signature, *data, rver; char *host, *fp; size_t slen, dlen; 
@@ -209,19 +189,20 @@ if (pledge("stdio rpath getpw dns id", NULL) != 0) fatal("%s: pledge: %s", __progname, strerror(errno)); -@@ -205,8 +206,12 @@ +@@ -205,8 +206,14 @@ main(int argc, char **argv) /* verify that ssh-keysign is enabled by the admin */ initialize_options(&options); - (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "", - &options, 0, NULL); ++ + if (stat(_PATH_HOST_CONFIG_FILE, &st) == 0) + (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "", + &options, 0, NULL); + else -+ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE, pw, -+ "", "", &options, 0, NULL); - fill_default_options(&options); ++ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE, pw, "", "", ++ &options, 0, NULL); ++ + (void)fill_default_options(&options); if (options.enable_ssh_keysign != 1) fatal("ssh-keysign not enabled in %s", -Nur in openssh-8.4p1-vendor: ssh-keysign.c~. ++++++ openssh-8.4p1.tar.gz -> openssh-8.8p1.tar.gz ++++++ ++++ 63416 lines of diff (skipped) ++++++ openssh-fips-ensure-approved-moduli.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:42.386176382 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:42.386176382 +0200 @@ -4,11 +4,11 @@ Ensure DHGs are approved in FIPS mode using OpenSSL's DH_check_params() -diff --git a/dh.c b/dh.c -index 7cb135d..3fe7f75 100644 ---- a/dh.c -+++ b/dh.c -@@ -143,6 +143,28 @@ parse_prime(int linenum, char *line, struct dhgroup *dhg) +Index: openssh-8.8p1/dh.c +=================================================================== +--- openssh-8.8p1.orig/dh.c ++++ openssh-8.8p1/dh.c +@@ -155,6 +155,28 @@ parse_prime(int linenum, char *line, str return 0; } @@ -37,7 +37,7 @@ DH * choose_dh(int min, int wantbits, int max) { -@@ -161,12 +183,20 @@ choose_dh(int min, int wantbits, int max) +@@ -173,12 +195,20 @@ choose_dh(int min, int wantbits, int max linenum = 0; best = bestcount = 0; while (getline(&line, &linesize, f) != -1) { 
@@ -58,7 +58,7 @@ if (dhg.size > max || dhg.size < min) continue; -@@ -193,10 +223,16 @@ choose_dh(int min, int wantbits, int max) +@@ -206,10 +236,16 @@ choose_dh(int min, int wantbits, int max linenum = 0; bestcount = 0; while (getline(&line, &linesize, f) != -1) { ++++++ openssh-link-with-sk.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:42.394176394 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:42.394176394 +0200 @@ -1,15 +1,15 @@ -diff --git a/Makefile.in b/Makefile.in -index 6dec09c..25e74ac 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -251,8 +251,8 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) +Index: openssh-8.8p1/Makefile.in +=================================================================== +--- openssh-8.8p1.orig/Makefile.in ++++ openssh-8.8p1/Makefile.in +@@ -252,8 +252,8 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libss ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) -sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS) -- $(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) +- $(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) +sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o $(SFTPSERVER_OBJS) -+ $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) ++ $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS) $(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) ++++++ openssh-reenable-dh-group14-sha1-default.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:42.402176407 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:42.406176413 +0200 
@@ -1,7 +1,7 @@ -diff --git a/myproposal.h b/myproposal.h -index 5312e60..83fd62d 100644 ---- a/myproposal.h -+++ b/myproposal.h +Index: openssh-8.8p1/myproposal.h +=================================================================== +--- openssh-8.8p1.orig/myproposal.h ++++ openssh-8.8p1/myproposal.h @@ -33,7 +33,8 @@ "diffie-hellman-group-exchange-sha256," \ "diffie-hellman-group16-sha512," \ @@ -12,11 +12,11 @@ #define KEX_CLIENT_KEX KEX_SERVER_KEX -diff --git a/ssh_config.5 b/ssh_config.5 -index d5888f2..100563e 100644 ---- a/ssh_config.5 -+++ b/ssh_config.5 -@@ -1170,7 +1170,8 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, +Index: openssh-8.8p1/ssh_config.5 +=================================================================== +--- openssh-8.8p1.orig/ssh_config.5 ++++ openssh-8.8p1/ssh_config.5 +@@ -1227,7 +1227,8 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, @@ -26,11 +26,11 @@ .Ed .Pp The list of available key exchange algorithms may also be obtained using -diff --git a/sshd_config.5 b/sshd_config.5 -index 0f5fe53..97364f5 100644 ---- a/sshd_config.5 -+++ b/sshd_config.5 -@@ -986,7 +986,7 @@ curve25519-sha256,curve25519-sha...@libssh.org, +Index: openssh-8.8p1/sshd_config.5 +=================================================================== +--- openssh-8.8p1.orig/sshd_config.5 ++++ openssh-8.8p1/sshd_config.5 +@@ -997,7 +997,7 @@ curve25519-sha256,curve25519-sha256@libs ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, ++++++ openssh-whitelist-syscalls.patch ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:42.414176426 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:42.414176426 +0200 
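Review bot: openssh-reenable-dh-group14-sha1-default.patch is carried onto 8.8p1 with only its headers and offsets refreshed, and it has no description above the first `Index:` line. Since it touches the default KEX list in `myproposal.h` and the documented defaults in `ssh_config.5` and `sshd_config.5`, the patch header should state why a SHA-1 based key exchange stays in the defaults and under what condition the patch can be dropped.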
@@ -1,6 +1,8 @@ ---- a/sandbox-seccomp-filter.c -+++ b/sandbox-seccomp-filter.c -@@ -195,6 +195,9 @@ +Index: openssh-8.8p1/sandbox-seccomp-filter.c +=================================================================== +--- openssh-8.8p1.orig/sandbox-seccomp-filter.c ++++ openssh-8.8p1/sandbox-seccomp-filter.c +@@ -201,6 +201,9 @@ static const struct sock_filter preauth_ #ifdef __NR_close SC_ALLOW(__NR_close), #endif @@ -10,9 +12,9 @@ #ifdef __NR_exit SC_ALLOW(__NR_exit), #endif -@@ -204,6 +207,9 @@ - #ifdef __NR_futex - SC_ALLOW(__NR_futex), +@@ -213,6 +216,9 @@ static const struct sock_filter preauth_ + #ifdef __NR_futex_time64 + SC_ALLOW(__NR_futex_time64), #endif +#ifdef __NR_futex_time64 + SC_ALLOW(__NR_futex_time64), @@ -20,13 +22,13 @@ #ifdef __NR_geteuid SC_ALLOW(__NR_geteuid), #endif -@@ -282,6 +288,9 @@ - #ifdef __NR_pselect6 - SC_ALLOW(__NR_pselect6), +@@ -293,6 +299,9 @@ static const struct sock_filter preauth_ #endif + #ifdef __NR_pselect6_time64 + SC_ALLOW(__NR_pselect6_time64), ++#endif +#ifdef __NR_pselect6_time64 + SC_ALLOW(__NR_pselect6_time64), -+#endif + #endif #ifdef __NR_read SC_ALLOW(__NR_read), - #endif ++++++ openssh.keyring ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:42.426176445 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:42.426176445 +0200 @@ -1,5 +1,4 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v2.0.22 (OpenBSD) mQGiBDqa5pwRBADJSEyXXsgXiyytN93prDPTPmrueRP9lQQfgaQvCvqK0bN0AF1Z Vxxk9wlSXQp3+Qw5+qqsN5ovzsn39r9pqGslfCqQn9ACTmsn42+VCyW4hdwUGSBS 
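Review bot: in openssh-whitelist-syscalls.patch, the refreshed hunks at `-213,6 +216,9` and `-293,6 +299,9` now show `SC_ALLOW(__NR_futex_time64)` and `SC_ALLOW(__NR_pselect6_time64)` as unchanged context from 8.8p1 and then add the same entries again. The duplicates do not change what the pre-auth filter allows, but they make the carried patch look as if it still widens the sandbox. Drop those two hunks and keep only the addition after `__NR_close`, whose added lines are not shown in this view.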
@@ -27,185 +26,328 @@ -----END PGP PUBLIC KEY BLOCK----- ++++++ sshd-gen-keys-start ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:42.454176490 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:42.454176490 +0200 
+Fk9uVDjfftrsWkkyWttGk1As9yAvPbupZ2swoMEcQLAhyaTLmBYrgIW6g6OMhCHv +k4BIGUZ0EQmzi11G5Bu7OEKN2/KIlLkCDQRf7mYNARAA2iZs8bBisxr5aQE1gTVX +wvgtnIOjQ6aDOh9bminaAQtg+ntvNFi6HUzSvB0XTjAw8sH2Bz38CkczuDfd4YfZ +OzAJRJTG58NAubAMDjJ3yHrfP/uXn+KVEUdDYv+wTbbA4cPztMLhNxNJwgPKjVLj +9FGkdYLCe+xTD3POiwMOtazpW4udynNCcQ1P+DIPzHuOisJ1AkYqDrShclEUcitO +44/+8JzhiKH9HxwomOLku7lwjF1nEyvVC6zJXlxqXImbeFFRbKLlItcbrVD1SJWB +F6EstFgSCFcjG0+KN86LRABfp9804OjHiSBiDOTT0W4W5icDnKOzj+ZlsdSdSIcw +AnLz7nsgobgjUaRPos013ddcMDFSIS+SNtAE/si4JHdLGUVCKH5RgHyWMjK2MQGx +3LCaHPVT/Ei0uLdSbKtpLpSsYsNokliw84Czd6sUjjR/IhHjJ7ryD4eJSyXt7vuZ +6e9twyJumcPJvWw3feFjGqGKmhwpw6viKkYEqDSkS7IJRqdS8My1PMm38Ew61WaS +YYehueH1yO//Wtlo2hYfFh4N4Hcu9E6NeJBNEc20gz6tTkkybuIuCsZdRr9MEZgc +EEwH+Mf386Lp+/VqfpmykUaT4XATkzhSHiFFx3y1jD/gClN4zATmS9s21df8Nooc +qWTJjOjLmKn9nevp4Jrf5NEAEQEAAYkCNgQYAQgAIBYhBHFouYOBWl7vWaSt/So/ +QU5zYGC6BQJf7mYNAhsMAAoJECo/QU5zYGC6a/oQAKjogHiQqRKLsaRj5yipy52i +s8vXjsDdhv29GTFV/0aLrPcFx5NkHPf5mQsN/k1fYfwHaq2uwGuL/YB6Ra6eZBOP +/xd0i7JpULrSPTDBWEgqF5UzuabQJY8oYK8RdA5RS6Tc4Q38L9f9RbHYPGvRgDeb +ZngMVOUQOD0s4EkAYwofOOE/a5S+Ty+12o7t+BTFucjgF/RiogO38HyeUepKiJFU +vuSRcluIvHaooLvDMvfmZT/nZhZsqAa3nT780Og9aopI36tmUuZSR1fJ5jYgj5dU +3JA11HWaiwbZiVXEnNDh/WPrzM8k+KGf/dxymLuCbROc+wwjhqiWGn7cKJcVLHzS +CO0rPVaJvrliTui0ytRLQ5F3A8+nsq84lbHXDZWnYMcGVF0iluQksbQkc9VPunRI +VA3UfPt7O/rK8LkZlJttKPZL042IC7vrPFZIHDbYl5OEQwohO55v/0MgtaDzc/Pk +7mnVkcLyvaL1yl8FWe+fKY4Jk8SUCygwxCCjtCv7TWYaNGepelQonwRWxCyf+xUa +nErOxgAHhLfgrzFW31qU2nrd2Ubbtj6jXwtJNMeP1ZCBL5BgcUpypYUh9DyxsjdS +mjhmFk4UXBCppf5Po/1qSpr5KPmwuWTd0KGCEnosU9RSpJtE78phxqkKaB8A3HmR +ePJgyS4h2BL0NgQRIRVW +=OOF9 -----END PGP PUBLIC KEY BLOCK----- ++++++ sshd-gen-keys-start ++++++ --- /var/tmp/diff_new_pack.oEgcgE/_old 2021-10-11 16:48:42.454176490 +0200 +++ /var/tmp/diff_new_pack.oEgcgE/_new 2021-10-11 16:48:42.454176490 +0200 
@@ -1,8 +1,9 @@ #!/bin/sh -. /etc/sysconfig/ssh +test -f /etc/sysconfig/ssh && . /etc/sysconfig/ssh if [ "x$SSHD_AUTO_KEYGEN" != "xno" ]; then echo "Checking for missing server keys in /etc/ssh" + test -d /etc/ssh || mkdir -p /etc/ssh ssh-keygen -A fi
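Review bot: the behaviour when /etc/sysconfig/ssh is absent is implicit on the new `test -f /etc/sysconfig/ssh && . /etc/sysconfig/ssh` line: with the file missing, SSHD_AUTO_KEYGEN stays unset (or keeps whatever the calling environment exported), the `"x$SSHD_AUTO_KEYGEN" != "xno"` test passes, and host keys are generated. If generate-by-default is the intent, a one-line comment above the `test -f` line should say so. On the added `test -d /etc/ssh || mkdir -p /etc/ssh` line, `mkdir -p` already succeeds when the directory exists, so the `test -d` guard is redundant. The new directory's mode is left to the caller's umask, so setting it explicitly (for example `mkdir -p -m 0755 /etc/ssh`) would make the result deterministic. A failed mkdir is also not checked before `ssh-keygen -A` runs.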