Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package openssh for openSUSE:Factory checked
in at 2023-06-06 19:54:55
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssh (Old)
and /work/SRC/openSUSE:Factory/.openssh.new.15902 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssh"
Tue Jun 6 19:54:55 2023 rev:164 rq:1090577 version:9.3p1
Changes:
--------
--- /work/SRC/openSUSE:Factory/openssh/openssh-askpass-gnome.changes
2021-10-11 16:48:39.866172377 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.15902/openssh-askpass-gnome.changes
2023-06-06 19:55:08.426075279 +0200
@@ -1,0 +2,14 @@
+Sun May 28 09:16:44 UTC 2023 - Andreas Stieger <andreas.stie...@gmx.de>
+
+- openssh-askpass-gnome: require only openssh-clients, not the full
+ openssh (including -server), to avoid pulling in excessive
+ dependencies when installing git on Gnome (boo#1211446)
+
+-------------------------------------------------------------------
+Thu May 11 07:01:54 UTC 2023 - Antonio Larrosa <alarr...@suse.com>
+
+- Update to openssh 9.3p1
+ * No changes for askpass, see main package changelog for
+ details
+
+-------------------------------------------------------------------
--- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2023-04-15
22:32:05.581173030 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.15902/openssh.changes
2023-06-06 19:55:08.530075896 +0200
@@ -1,0 +2,476 @@
+Thu May 11 07:01:54 UTC 2023 - Antonio Larrosa <alarr...@suse.com>
+
+- Update to openssh 9.3p1:
+ = Security
+ * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
+ per-hop destination constraints (ssh-add -h ...) added in
+ OpenSSH 8.9, a logic error prevented the constraints from being
+ communicated to the agent. This resulted in the keys being added
+ without constraints. The common cases of non-smartcard keys and
+ keys without destination constraints are unaffected. This
+ problem was reported by Luci Stanescu.
+
+ * ssh(1): Portable OpenSSH provides an implementation of the
+ getrrsetbyname(3) function if the standard library does not
+ provide it, for use by the VerifyHostKeyDNS feature. A
+ specifically crafted DNS response could cause this function to
+ perform an out-of-bounds read of adjacent stack data, but this
+ condition does not appear to be exploitable beyond denial-of-
+ service to the ssh(1) client.
+ The getrrsetbyname(3) replacement is only included if the
+ system's standard library lacks this function and portable
+ OpenSSH was not compiled with the ldns library (--with-ldns).
+ getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to
+ fetch SSHFP records. This problem was found by the Coverity
+ static analyzer.
+
+ = New features
+ * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256
+ when outputting SSHFP fingerprints to allow algorithm
+ selection. bz3493
+ * sshd(8): add a `sshd -G` option that parses and prints the
+ effective configuration without attempting to load private keys
+ and perform other checks. This allows usage of the option
+ before keys have been generated and for configuration
+ evaluation and verification by unprivileged users.
+
+ = Bugfixes
+ * scp(1), sftp(1): fix progressmeter corruption on wide displays;
+ bz3534
+ * ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing
+ usability of private keys as some systems are starting to
+ disable RSA/SHA1 in libcrypto.
+ * sftp-server(8): fix a memory leak. GHPR363
+ * ssh(1), sshd(8), ssh-keyscan(1): remove vestigal protocol
+ compatibility code and simplify what's left.
+ * Fix a number of low-impact Coverity static analysis findings.
+ These include several reported via bz2687
+ * ssh_config(5), sshd_config(5): mention that some options are
+ not first-match-wins.
+ * Rework logging for the regression tests. Regression tests will
+ now capture separate logs for each ssh and sshd invocation in
+ a test.
+ * ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage
+ says it should; bz3532.
+ * ssh(1): ensure that there is a terminating newline when adding
+ a new entry to known_hosts; bz3529
+
+ = Portability
+ * sshd(8): harden Linux seccomp sandbox. Move to an allowlist of
+ mmap(2), madvise(2) and futex(2) flags, removing some
+ concerning kernel attack surface.
+ * sshd(8): improve Linux seccomp-bpf sandbox for older systems;
+ bz3537
+
+- Update to openssh 9.2p1:
+ = Security
+ * sshd(8): fix a pre-authentication double-free memory fault
+ introduced in OpenSSH 9.1. This is not believed to be
+ exploitable, and it occurs in the unprivileged pre-auth process
+ that is subject to chroot(2) and is further sandboxed on most
+ major platforms.
+ * ssh(8): in OpenSSH releases after 8.7, the PermitRemoteOpen
+ option would ignore its first argument unless it was one of the
+ special keywords "any" or "none", causing the permission list
+ to fail open if only one permission was specified. bz3515
+ * ssh(1): if the CanonicalizeHostname and
+ CanonicalizePermittedCNAMEs options were enabled, and the
+ system/libc resolver did not check that names in DNS responses
+ were valid, then use of these options could allow an attacker
+ with control of DNS to include invalid characters (possibly
+ including wildcards) in names added to known_hosts files when
+ they were updated. These names would still have to match the
+ CanonicalizePermittedCNAMEs allow-list, so practical
+ exploitation appears unlikely.
+
+ = Potentially-incompatible changes
+ * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option
+ that controls whether the client-side ~C escape sequence that
+ provides a command-line is available. Among other things, the
+ ~C command-line could be used to add additional port-forwards
+ at runtime.
+ This option defaults to "no", disabling the ~C command-line
+ that was previously enabled by default. Turning off the
+ command-line allows platforms that support sandboxing of the
+ ssh(1) client (currently only OpenBSD) to use a stricter
+ default sandbox policy.
+
+ = New features
+ * sshd(8): add support for channel inactivity timeouts via a new
+ sshd_config(5) ChannelTimeout directive. This allows channels
+ that have not seen traffic in a configurable interval to be
+ automatically closed. Different timeouts may be applied to
+ session, X11, agent and TCP forwarding channels.
+ * sshd(8): add a sshd_config UnusedConnectionTimeout option to
+ terminate client connections that have no open channels for a
+ length of time. This complements the ChannelTimeout option
+ above.
+ * sshd(8): add a -V (version) option to sshd like the ssh client
+ has.
+ * ssh(1): add a "Host" line to the output of ssh -G showing the
+ original hostname argument. bz3343
+ * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to
+ allow control over some SFTP protocol parameters: the copy
+ buffer length and the number of in-flight requests, both of
+ which are used during upload/download. Previously these could
+ be controlled in sftp(1) only. This makes them available in
+ both SFTP protocol clients using the same option character
+ sequence.
+ * ssh-keyscan(1): allow scanning of complete CIDR address ranges,
+ e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed,
+ then it will be expanded to all possible addresses in the range
+ including the all-0s and all-1s addresses. bz#976
+ * ssh(1): support dynamic remote port forwarding in escape
+ command-line's -R processing. bz#3499
+
+ = Bugfixes
+ * ssh(1): when restoring non-blocking mode to stdio fds, restore
+ exactly the flags that ssh started with and don't just clobber
+ them with zero, as this could also remove the append flag from
+ the set. bz3523
+ * ssh(1): avoid printf("%s", NULL) if using
+ UserKnownHostsFile=none and a hostkey in one of the system
+ known hosts file changes.
+ * scp(1): switch scp from using pipes to a socket-pair for
+ communication with its ssh sub-processes, matching how sftp(1)
+ operates.
+ * sshd(8): clear signal mask early in main(); sshd may have been
+ started with one or more signals masked (sigprocmask(2) is not
+ cleared on fork/exec) and this could interfere with various
+ things, e.g. the login grace timer. Execution environments that
+ fail to clear the signal mask before running sshd are clearly
+ broken, but apparently they do exist.
+ * ssh(1): warn if no host keys for hostbased auth can be loaded.
+ * sshd(8): Add server debugging for hostbased auth that is queued
+ and sent to the client after successful authentication, but
+ also logged to assist in diagnosis of HostbasedAuthentication
+ problems. bz3507
+ * ssh(1): document use of the IdentityFile option as being usable
+ to list public keys as well as private keys. GHPR352
+ * sshd(8): check for and disallow MaxStartups values less than or
+ equal to zero during config parsing, rather than failing later
+ at runtime. bz3489
+ * ssh-keygen(1): fix parsing of hex cert expiry times specified
+ on the command-line when acting as a CA.
+ * scp(1): when scp(1) is using the SFTP protocol for transport
+ (the default), better match scp/rcp's handling of globs that
+ don't match the globbed characters but do match literally (e.g.
+ trying to transfer a file named "foo.[1]"). Previously scp(1)
+ in SFTP mode would not match these pathnames but legacy scp/rcp
+ mode would. bz3488
+ * ssh-agent(1): document the "-O no-restrict-websafe"
+ command-line option.
+ * ssh(1): honour user's umask(2) if it is more restrictive then
+ the ssh default (022).
+
+ = Portability
+ * sshd(8): allow writev(2) in the Linux seccomp sandbox. This
+ seems to be used by recent glibcs at least in some
+ configurations during error conditions. bz3512.
+ * sshd(8): simply handling of SSH_CONNECTION PAM env var,
+ removing global variable and checking the return value from
+ pam_putenv. bz3508
+ * sshd(8): disable SANDBOX_SECCOMP_FILTER_DEBUG that was
+ mistakenly enabled during the OpenSSH 9.1 release cycle.
+ * misc: update autotools and regenerate the config files using
+ the latest autotools
+ * all: use -fzero-call-used-regs=used on clang 15 instead of
+ -fzero-call-used-reg=all, as some versions of clang 15 have
+ miscompile code when it was enabled. bz3475
+ * sshd(8): defer PRNG seeding until after the initial
+ closefrom(2) call. PRNG seeding will initialize OpenSSL, and
+ some engine providers (e.g. Intel's QAT) will open descriptors
+ for their own use that closefrom(2) could clobber. bz3483
+ * misc: in the poll(2)/ppoll(2) compatibility code, avoid
+ assuming the layout of fd_set.
+ * sftp-server(8), ssh-agent(1): fix ptrace(2) disabling on older
+ FreeBSD kernels. Some versions do not support using id 0 to
+ refer to the current PID for procctl, so try again with
+ getpid() explicitly before failing.
+ * configure.ac: fix -Wstrict-prototypes in configure test code.
+ Clang 16 now warns on this and legacy prototypes will be
+ removed in C23. GHPR355
+ * configure.ac: fix setres*id checks to work with clang-16. glibc
+ has the prototypes for setresuid behind _GNU_SOURCE, and
+ clang 16 will error out on implicit function definitions.
+ bz3497
+
++++ 279 more lines (skipped)
++++ between /work/SRC/openSUSE:Factory/openssh/openssh.changes
++++ and /work/SRC/openSUSE:Factory/.openssh.new.15902/openssh.changes
Old:
----
openssh-8.9p1.tar.gz
openssh-8.9p1.tar.gz.asc
New:
----
_multibuild
fix-missing-lz.patch
openssh-9.3p1.tar.gz
openssh-9.3p1.tar.gz.asc
wtmpdb.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssh-askpass-gnome.spec ++++++
--- /var/tmp/diff_new_pack.7IQSvn/_old 2023-06-06 19:55:10.670088583 +0200
+++ /var/tmp/diff_new_pack.7IQSvn/_new 2023-06-06 19:55:10.674088607 +0200
@@ -18,7 +18,7 @@
%define _name openssh
Name: openssh-askpass-gnome
-Version: 8.9p1
+Version: 9.3p1
Release: 0
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
License: BSD-2-Clause
@@ -26,7 +26,7 @@
URL: https://www.openssh.com/
Source:
https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz
Source42:
https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc
-Requires: %{_name} = %{version}
+Requires: %{_name}-clients = %{version}
Supplements: packageand(openssh-clients:libgtk-3-0)
%if 0%{?suse_version} >= 1550
BuildRequires: gtk3-devel
++++++ openssh.spec ++++++
--- /var/tmp/diff_new_pack.7IQSvn/_old 2023-06-06 19:55:10.718088867 +0200
+++ /var/tmp/diff_new_pack.7IQSvn/_new 2023-06-06 19:55:10.726088915 +0200
@@ -24,13 +24,20 @@
%define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r
's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
%define CHECKSUM_SUFFIX .hmac
%define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
+%bcond_without ldap
+
+%if 0%{?suse_version} >= 1550
+%bcond_without wtmpdb
+%else
+%bcond_with wtmpdb
+%endif
#Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir}
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: openssh
-Version: 8.9p1
+Version: 9.3p1
Release: 0
Summary: Secure Shell Client and Server (Remote Login Program)
License: BSD-2-Clause AND MIT
@@ -107,17 +114,21 @@
Patch48: openssh-8.4p1-pam_motd.patch
Patch49: openssh-do-not-send-empty-message.patch
Patch50: openssh-openssl-3.patch
+Patch51: wtmpdb.patch
+Patch100: fix-missing-lz.patch
BuildRequires: audit-devel
BuildRequires: automake
BuildRequires: groff
BuildRequires: libedit-devel
BuildRequires: libselinux-devel
+%if %{with ldap}
BuildRequires: openldap2-devel
+%endif
BuildRequires: openssl-devel
BuildRequires: pam-devel
BuildRequires: pkgconfig
BuildRequires: zlib-devel
-BuildRequires: pkgconfig(libfido2)
+BuildRequires: pkgconfig(libfido2) >= 1.2.0
BuildRequires: pkgconfig(libsystemd)
BuildRequires: sysuser-shadow
BuildRequires: sysuser-tools
@@ -128,6 +139,9 @@
%else
BuildRequires: krb5-mini-devel
%endif
+%if %{with wtmpdb}
+BuildRequires: pkgconfig(libwtmpdb)
+%endif
Requires(pre): findutils
Requires(pre): grep
@@ -215,6 +229,7 @@
This package contains clients for making secure connections to Secure
Shell servers.
+%if %{with ldap}
%package helpers
Summary: OpenSSH AuthorizedKeysCommand helpers
Group: Productivity/Networking/SSH
@@ -231,6 +246,7 @@
This package contains helper applications for OpenSSH which retrieve
keys from various sources.
+%endif
%package fips
Summary: OpenSSH FIPS crypto module HMACs
@@ -262,7 +278,7 @@
# set libexec dir in the LDAP patch
sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
$( grep -Rl @LIBEXECDIR@ \
- $( grep "^+++" openssh-7.7p1-ldap.patch | sed -r 's@^.+/([^/\t
]+).*$@\1@' )
+ $( grep "^+++" %{PATCH31} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
)
%build
@@ -294,9 +310,14 @@
%endif
--disable-strip \
--with-audit=linux \
+%if %{with ldap}
--with-ldap \
+%endif
--with-xauth=%{_bindir}/xauth \
--with-libedit \
+%if %{with wtmpdb}
+ --with-wtmpdb \
+%endif
--with-security-key-builtin \
--target=%{_target_cpu}-suse-linux
@@ -327,12 +348,16 @@
install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g
%{buildroot}%{_sysconfdir}/ssh/sshd_config
+echo "PermitRootLogin yes" >
%{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
+
# Move /etc to /usr/etc/ssh
+%if %{defined _distconfdir}
mkdir -p %{buildroot}%{_distconfdir}/ssh/ssh{,d}_config.d
mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/
mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/
mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/
-echo "PermitRootLogin yes" >
%{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
+mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
%{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
+%endif
%if 0%{?suse_version} < 1550
# install firewall definitions
@@ -426,9 +451,15 @@
%license LICENCE
%doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO
CREDITS
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
+%if %{defined _distconfdir}
%attr(0755,root,root) %dir %{_distconfdir}/ssh
-%attr(0755,root,root) %dir /usr/etc/ssh/ssh_config.d
%attr(0600,root,root) %{_distconfdir}/ssh/moduli
+%attr(0755,root,root) %dir %{_distconfdir}/ssh/ssh_config.d
+%else
+%attr(0755,root,root) %dir %{_sysconfdir}/ssh
+%attr(0600,root,root) %{_sysconfdir}/ssh/moduli
+%attr(0755,root,root) %dir %{_sysconfdir}/ssh/ssh_config.d
+%endif
%attr(0444,root,root) %{_mandir}/man1/ssh-keygen.1*
%attr(0444,root,root) %{_mandir}/man5/moduli.5*
%attr(0755,root,root) %{_bindir}/ssh-keygen*
@@ -439,12 +470,13 @@
%attr(0755,root,root) %{_sbindir}/sshd-gen-keys-start
%dir %attr(0755,root,root) %{_localstatedir}/lib/sshd
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/sshd_config.d
+%if %{defined _distconfdir}
%attr(0755,root,root) %dir %{_distconfdir}/ssh
-%attr(0755,root,root) %dir /usr/etc/ssh/sshd_config.d
+%attr(0755,root,root) %dir %{_distconfdir}/ssh/sshd_config.d
%attr(0640,root,root) %{_distconfdir}/ssh/sshd_config
-%if %{defined _distconfdir}
%attr(0644,root,root) %{_pam_vendordir}/sshd
%else
+%attr(0640,root,root) %{_sysconfdir}/ssh/sshd_config
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
%endif
%attr(0644,root,root) %{_unitdir}/sshd.service
@@ -463,11 +495,19 @@
%endif
%files server-config-rootlogin
+%if %{defined _distconfdir}
%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
+%else
+%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
+%endif
%files clients
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d
+%if %{defined _distconfdir}
%attr(0644,root,root) %{_distconfdir}/ssh/ssh_config
+%else
+%attr(0644,root,root) %{_sysconfdir}/ssh/ssh_config
+%endif
%attr(0755,root,root) %{_bindir}/ssh
%attr(0755,root,root) %{_bindir}/scp*
%attr(0755,root,root) %{_bindir}/sftp*
@@ -492,6 +532,7 @@
%attr(0444,root,root) %{_mandir}/man8/ssh-sk-helper.8*
%attr(0444,root,root) %{_mandir}/man8/ssh-keysign.8*
+%if %{with ldap}
%files helpers
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%verify(not mode) %attr(0644,root,root) %config(noreplace)
%{_sysconfdir}/ssh/ldap.conf
@@ -500,6 +541,7 @@
%attr(0444,root,root) %{_mandir}/man5/ssh-ldap*
%attr(0444,root,root) %{_mandir}/man8/ssh-ldap*
%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
+%endif
%files fips
%attr(0444,root,root) %{_bindir}/ssh%{CHECKSUM_SUFFIX}
++++++ _multibuild ++++++
<multibuild>
<package>openssh-askpass-gnome</package>
</multibuild>
++++++ fix-missing-lz.patch ++++++
Index: openssh-9.3p1/Makefile.in
===================================================================
--- openssh-9.3p1.orig/Makefile.in
+++ openssh-9.3p1/Makefile.in
@@ -250,17 +250,17 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS)
-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o
$(SFTPSERVER_OBJS)
- $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh
-lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
+ $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh
-lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
$(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
$(LIBEDIT)
# FIPS tests
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o
cavstest-ctr.o
- $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh
-lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
+ $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh
-lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o
cavstest-kdf.o
- $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh
-lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
+ $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh
-lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
# test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
++++++ openssh-7.7p1-fips.patch ++++++
--- /var/tmp/diff_new_pack.7IQSvn/_old 2023-06-06 19:55:10.926090101 +0200
+++ /var/tmp/diff_new_pack.7IQSvn/_new 2023-06-06 19:55:10.930090124 +0200
@@ -16,28 +16,28 @@
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect2.o mux.o $(SKOBJS)
-Index: openssh-8.8p1/cipher-ctr.c
-===================================================================
---- openssh-8.8p1.orig/cipher-ctr.c
-+++ openssh-8.8p1/cipher-ctr.c
-@@ -27,6 +27,8 @@
- #include "xmalloc.h"
- #include "log.h"
-
-+#include "fips.h"
-+
- /* compatibility with old or broken OpenSSL versions */
- #include "openbsd-compat/openssl-compat.h"
-
-@@ -139,6 +141,8 @@ evp_aes_128_ctr(void)
- #ifndef SSH_OLD_EVP
- aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
-+ if (fips_mode())
-+ aes_ctr.flags |= EVP_CIPH_FLAG_FIPS;
- #endif
- return (&aes_ctr);
- }
+#Index: openssh-8.8p1/cipher-ctr.c
+#===================================================================
+#--- openssh-8.8p1.orig/cipher-ctr.c
+#+++ openssh-8.8p1/cipher-ctr.c
+#@@ -27,6 +27,8 @@
+# #include "xmalloc.h"
+# #include "log.h"
+#
+#+#include "fips.h"
+#+
+# /* compatibility with old or broken OpenSSL versions */
+# #include "openbsd-compat/openssl-compat.h"
+#
+#@@ -139,6 +141,8 @@ evp_aes_128_ctr(void)
+# #ifndef SSH_OLD_EVP
+# aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
+# EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
+#+ if (fips_mode())
+#+ aes_ctr.flags |= EVP_CIPH_FLAG_FIPS;
+# #endif
+# return (&aes_ctr);
+# }
Index: openssh-8.8p1/cipher.c
===================================================================
--- openssh-8.8p1.orig/cipher.c
@@ -416,8 +416,8 @@
--- openssh-8.8p1.orig/kex.c
+++ openssh-8.8p1/kex.c
@@ -62,6 +62,8 @@
- #include "sshbuf.h"
#include "digest.h"
+ #include "xmalloc.h"
+#include "fips.h"
+
@@ -743,7 +743,8 @@
+ struct Key_types key_types_all[] = {
#ifdef WITH_OPENSSL
{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
- { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
+ #ifdef OPENSSL_HAS_ECC
+# { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
@@ -1056,6 +1060,17 @@ do_gen_all_hostkeys(struct passwd *pw)
{ NULL, NULL, NULL }
};
++++++ openssh-7.7p1-fips_checks.patch ++++++
--- /var/tmp/diff_new_pack.7IQSvn/_old 2023-06-06 19:55:10.962090314 +0200
+++ /var/tmp/diff_new_pack.7IQSvn/_new 2023-06-06 19:55:10.970090361 +0200
@@ -459,8 +459,8 @@
--- openssh-8.8p1.orig/sshd.c
+++ openssh-8.8p1/sshd.c
@@ -1547,6 +1547,10 @@ main(int ac, char **av)
- Authctxt *authctxt;
struct connection_info *connection_info = NULL;
+ sigset_t sigmask;
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
++++++ openssh-7.7p1-ldap.patch ++++++
--- /var/tmp/diff_new_pack.7IQSvn/_old 2023-06-06 19:55:10.994090504 +0200
+++ /var/tmp/diff_new_pack.7IQSvn/_new 2023-06-06 19:55:10.998090527 +0200
@@ -148,7 +148,7 @@
sshkey-xmss.o \
@@ -162,8 +167,8 @@ SFTPSERVER_OBJS=sftp-common.o sftp-serve
- SFTP_OBJS= sftp.o progressmeter.o $(SFTP_CLIENT_OBJS)
+ SFTP_OBJS= sftp.o sftp-usergroup.o progressmeter.o $(SFTP_CLIENT_OBJS)
-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out
ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out
sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out
sshd_config.5.out ssh_config.5.out
-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1
ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8
ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5
@@ -159,7 +159,7 @@
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
@@ -246,6 +251,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) lib
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
- $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh
$(LIBS)
+ $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh
$(LIBS) $(CHANNELLIBS)
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o
ldapmisc.o ldap-helper.o
+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS)
-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
++++++ openssh-7.7p1-pam_check_locks.patch ++++++
--- /var/tmp/diff_new_pack.7IQSvn/_old 2023-06-06 19:55:11.014090622 +0200
+++ /var/tmp/diff_new_pack.7IQSvn/_new 2023-06-06 19:55:11.018090646 +0200
@@ -10,23 +10,23 @@
--- openssh-8.8p1.orig/auth.c
+++ openssh-8.8p1/auth.c
@@ -113,7 +113,7 @@ allowed_user(struct ssh *ssh, struct pas
+ if (!pw || !pw->pw_name)
return 0;
- #ifdef USE_SHADOW
-- if (!options.use_pam)
-+ if (!options.use_pam || options.use_pam_check_locks)
- spw = getspnam(pw->pw_name);
- #ifdef HAS_SHADOW_EXPIRE
- if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
-@@ -133,7 +133,7 @@ allowed_user(struct ssh *ssh, struct pas
- #endif
-
- /* check for locked account */
-- if (!options.use_pam && passwd && *passwd) {
-+ if ((!options.use_pam || options.use_pam_check_locks) && passwd &&
*passwd) {
- int locked = 0;
-
- #ifdef LOCKED_PASSWD_STRING
+- if (!options.use_pam && platform_locked_account(pw)) {
++ if ((!options.use_pam || options.use_pam_check_locks) &&
platform_locked_account(pw)) {
+ logit("User %.100s not allowed because account is locked",
+ pw->pw_name);
+ return 0;
+#@@ -133,7 +133,7 @@ allowed_user(struct ssh *ssh, struct pas
+# #endif
+#
+# /* check for locked account */
+#- if (!options.use_pam && passwd && *passwd) {
+#+ if ((!options.use_pam || options.use_pam_check_locks) && passwd &&
*passwd) {
+# int locked = 0;
+#
+# #ifdef LOCKED_PASSWD_STRING
Index: openssh-8.8p1/servconf.c
===================================================================
--- openssh-8.8p1.orig/servconf.c
++++++ openssh-7.7p1-seccomp_ipc_flock.patch ++++++
--- /var/tmp/diff_new_pack.7IQSvn/_old 2023-06-06 19:55:11.038090765 +0200
+++ /var/tmp/diff_new_pack.7IQSvn/_new 2023-06-06 19:55:11.046090812 +0200
@@ -37,6 +37,6 @@
+ SC_ALLOW(__NR_ipc),
+#endif
#ifdef __NR_madvise
- SC_ALLOW(__NR_madvise),
- #endif
+ SC_ALLOW_ARG(__NR_madvise, 2, MADV_NORMAL),
+ # ifdef MADV_FREE
++++++ openssh-7.7p1-sftp_print_diagnostic_messages.patch ++++++
--- /var/tmp/diff_new_pack.7IQSvn/_old 2023-06-06 19:55:11.070090955 +0200
+++ /var/tmp/diff_new_pack.7IQSvn/_new 2023-06-06 19:55:11.070090955 +0200
@@ -34,8 +34,8 @@
infile = stdin;
while ((ch = getopt(argc, argv,
-- "1246AafhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
-+ "1246AafhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
+- "1246AafhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:X:")) != -1) {
++ "1246AafhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:X:")) != -1) {
switch (ch) {
/* Passed through to ssh(1) */
case 'A':
++++++ openssh-7.7p1-systemd-notify.patch ++++++
--- /var/tmp/diff_new_pack.7IQSvn/_old 2023-06-06 19:55:11.082091026 +0200
+++ /var/tmp/diff_new_pack.7IQSvn/_new 2023-06-06 19:55:11.086091049 +0200
@@ -8,8 +8,9 @@
--- openssh-8.8p1.orig/configure.ac
+++ openssh-8.8p1/configure.ac
@@ -4751,6 +4751,30 @@ AC_ARG_WITH([kerberos5],
- AC_SUBST([GSSLIBS])
+# AC_SUBST([GSSLIBS])
AC_SUBST([K5LIBS])
+ AC_SUBST([CHANNELLIBS])
+# Check whether user wants systemd support
+SYSTEMD_MSG="no"
++++++ openssh-8.0p1-gssapi-keyex.patch ++++++
--- /var/tmp/diff_new_pack.7IQSvn/_old 2023-06-06 19:55:11.110091192 +0200
+++ /var/tmp/diff_new_pack.7IQSvn/_new 2023-06-06 19:55:11.114091215 +0200
@@ -12,7 +12,8 @@
@@ -132,7 +133,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
- auth2-none.o auth2-passwd.o auth2-pubkey.o \
+# auth2-none.o auth2-passwd.o auth2-pubkey.o \
+ auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-pubkeyfile.o \
monitor.o monitor_wrap.o auth-krb5.o \
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
@@ -379,22 +380,38 @@
/* import options */
extern Options options;
-@@ -1349,9 +1353,18 @@ client_loop(struct ssh *ssh, int have_pt
- break;
-
- /* Do channel operations unless rekeying in progress. */
-- if (!ssh_packet_is_rekeying(ssh))
-+ if (!ssh_packet_is_rekeying(ssh)) {
- channel_after_poll(ssh, pfd, npfd_active);
+#@@ -1349,9 +1353,18 @@ client_loop(struct ssh *ssh, int have_pt
+## Replaced with the section below
+# break;
+#
+# /* Do channel operations unless rekeying in progress. */
+#- if (!ssh_packet_is_rekeying(ssh))
+#+ if (!ssh_packet_is_rekeying(ssh)) {
+# channel_after_poll(ssh, pfd, npfd_active);
+#
+#+#ifdef GSSAPI
+#+ if (options.gss_renewal_rekey &&
+#+ ssh_gssapi_credentials_updated(NULL)) {
+#+ debug("credentials updated - forcing rekey");
+#+ need_rekeying = 1;
+#+ }
+#+#endif
+#+ }
+#+
+# /* Buffer input from the connection. */
+# if (conn_in_ready)
+# client_process_net_input(ssh);
+@@ -1349,6 +1353,14 @@ client_loop(struct ssh *ssh, int have_pt
+ /* Do channel operations. */
+ channel_after_poll(ssh, pfd, npfd_active);
+#ifdef GSSAPI
-+ if (options.gss_renewal_rekey &&
-+ ssh_gssapi_credentials_updated(NULL)) {
-+ debug("credentials updated - forcing rekey");
-+ need_rekeying = 1;
-+ }
-+#endif
++ if (options.gss_renewal_rekey &&
++ ssh_gssapi_credentials_updated(NULL)) {
++ debug("credentials updated - forcing rekey");
++ need_rekeying = 1;
+ }
++#endif
+
/* Buffer input from the connection. */
if (conn_in_ready)
@@ -1257,15 +1274,9 @@
===================================================================
--- openssh-8.9p1.orig/kex.c
+++ openssh-8.9p1/kex.c
-@@ -57,11 +57,16 @@
- #include "misc.h"
- #include "dispatch.h"
- #include "monitor.h"
-+#include "xmalloc.h"
-
- #include "ssherr.h"
- #include "sshbuf.h"
+@@ -57,6 +57,10 @@
#include "digest.h"
+ #include "xmalloc.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
@@ -1274,7 +1285,7 @@
#include "fips.h"
/* prototype */
-@@ -119,6 +124,19 @@ static const struct kexalg kexalgs_all[]
+@@ -119,6 +123,19 @@ static const struct kexalg kexalgs_all[]
#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
{ NULL, 0, -1, -1},
};
@@ -1294,7 +1305,7 @@
static const struct kexalg kexalgs_fips140_2[] = {
#ifdef WITH_OPENSSL
-@@ -146,12 +164,12 @@ static const struct kexalg kexalgs_fips1
+@@ -146,12 +163,12 @@ static const struct kexalg kexalgs_fips1
/* Returns array of macs available depending on selected FIPS mode */
static const struct kexalg *
@@ -1309,7 +1320,7 @@
case 1:
return kexalgs_fips140_2;
default:
-@@ -162,13 +180,13 @@ fips_select_kexalgs(void)
+@@ -162,13 +179,13 @@ fips_select_kexalgs(void)
}
char *
@@ -1325,7 +1336,7 @@
if (ret != NULL)
ret[rlen++] = sep;
nlen = strlen(k->name);
-@@ -183,15 +201,31 @@ kex_alg_list(char sep)
+@@ -183,15 +200,31 @@ kex_alg_list(char sep)
return ret;
}
@@ -1358,7 +1369,7 @@
return NULL;
}
-@@ -363,6 +397,29 @@ kex_assemble_names(char **listp, const c
+@@ -363,6 +396,29 @@ kex_assemble_names(char **listp, const c
return r;
}
@@ -1385,10 +1396,10 @@
+ return 1;
+}
+
- /* put algorithm proposal into buffer */
- int
- kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
-@@ -765,6 +822,9 @@ kex_free(struct kex *kex)
+ /*
+ * Fill out a proposal array with dynamically allocated values, which may
+ * be modified as required for compatibility reasons.
+@@ -765,6 +821,9 @@ kex_free(struct kex *kex)
sshbuf_free(kex->session_id);
sshbuf_free(kex->initial_sig);
sshkey_free(kex->initial_hostkey);
@@ -1439,9 +1450,9 @@
char *kex_names_cat(const char *, const char *);
int kex_assemble_names(char **, const char *, const char *);
+int kex_gss_names_valid(const char *);
-
- int kex_exchange_identification(struct ssh *, int, const char *);
-
+ void kex_proposal_populate_entries(struct ssh *, char *prop[PROPOSAL_MAX],
+ const char *, const char *, const char *, const char *, const char *);
+ void kex_proposal_free_entries(char *prop[PROPOSAL_MAX]);
@@ -209,6 +226,12 @@ int kexgex_client(struct ssh *);
int kexgex_server(struct ssh *);
int kex_gen_client(struct ssh *);
@@ -3511,8 +3522,8 @@
extern Options options;
/*
-@@ -220,6 +218,11 @@ ssh_kex2(struct ssh *ssh, char *host, st
- char *s, *all_key;
+@@ -220,10 +218,44 @@ ssh_kex2(struct ssh *ssh, char *host, st
+ char *s, *all_key, *hkalgs = NULL;
int r, use_known_hosts_order = 0;
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
@@ -3523,9 +3534,6 @@
xxx_host = host;
xxx_hostaddr = hostaddr;
xxx_conn_info = cinfo;
-@@ -264,6 +267,35 @@ ssh_kex2(struct ssh *ssh, char *host, st
- compat_pkalg_proposal(ssh, options.hostkeyalgorithms);
- }
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
+ if (options.gss_keyex) {
@@ -3559,7 +3567,7 @@
if (options.rekey_limit || options.rekey_interval)
ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
options.rekey_interval);
-@@ -282,16 +314,46 @@ ssh_kex2(struct ssh *ssh, char *host, st
+@@ -282,17 +314,47 @@ ssh_kex2(struct ssh *ssh, char *host, st
# ifdef OPENSSL_HAS_ECC
ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client;
# endif
@@ -3592,6 +3600,7 @@
ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &ssh->kex->done);
/* remove ext-info from the KEX proposals for rekeying */
+ free(myproposal[PROPOSAL_KEX_ALGS]);
myproposal[PROPOSAL_KEX_ALGS] =
compat_kex_proposal(ssh, options.kex_algorithms);
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
@@ -3751,8 +3760,13 @@
exit(1);
}
@@ -2397,6 +2398,48 @@ do_ssh2_kex(struct ssh *ssh)
- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
- ssh, list_hostkey_types());
+# myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
+# ssh, list_hostkey_types());
+# myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey =
+# compat_pkalg_proposal(ssh, list_hostkey_types());
+#
+
+ free(hkalgs);
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
+ {
@@ -3884,22 +3898,40 @@
===================================================================
--- openssh-8.9p1.orig/sshkey.c
+++ openssh-8.9p1/sshkey.c
-@@ -162,6 +162,7 @@ static const struct keytype keytypes[] =
- # endif /* ENABLE_SK */
- # endif /* OPENSSL_HAS_ECC */
- #endif /* WITH_OPENSSL */
-+ { "null", "null", NULL, KEY_NULL, 0, 0, 0 },
- { NULL, NULL, NULL, -1, -1, 0, 0 }
+@@ -127,6 +127,17 @@
+ extern const struct sshkey_impl sshkey_xmss_impl;
+ extern const struct sshkey_impl sshkey_xmss_cert_impl;
+ #endif
++const struct sshkey_impl sshkey_null_impl = {
++ /* .name = */ "null",
++ /* .shortname = */ "null",
++ /* .sigalg = */ NULL,
++ /* .type = */ KEY_NULL,
++ /* .nid = */ 0,
++ /* .cert = */ 0,
++ /* .sigonly = */ 0,
++ /* .keybits = */ 0,
++ /* .funcs = */ NULL,
++};
+
+ const struct sshkey_impl * const keyimpls[] = {
+ &sshkey_ed25519_impl,
+@@ -162,6 +179,7 @@ static const struct keytype keytypes[] =
+ &sshkey_xmss_impl,
+ &sshkey_xmss_cert_impl,
+ #endif
++ &sshkey_null_impl,
+ NULL
};
-@@ -286,7 +287,7 @@ sshkey_alg_list(int certs_only, int plai
- const struct keytype *kt;
+@@ -286,7 +304,7 @@ sshkey_alg_list(int certs_only, int plai
- for (kt = keytypes; kt->type != -1; kt++) {
-- if (kt->name == NULL)
-+ if (kt->name == NULL || kt->type == KEY_NULL)
+ for (i = 0; keyimpls[i] != NULL; i++) {
+ impl = keyimpls[i];
+- if (impl->name == NULL)
++ if (impl->name == NULL || impl->type == KEY_NULL)
continue;
- if (!include_sigonly && kt->sigonly)
+ if (!include_sigonly && impl->sigonly)
continue;
Index: openssh-8.9p1/sshkey.h
===================================================================
++++++ openssh-8.1p1-audit.patch ++++++
--- /var/tmp/diff_new_pack.7IQSvn/_old 2023-06-06 19:55:11.130091310 +0200
+++ /var/tmp/diff_new_pack.7IQSvn/_new 2023-06-06 19:55:11.134091334 +0200
@@ -768,8 +768,8 @@
+int user_key_verify(struct ssh *, const struct sshkey *, const u_char *,
size_t,
+ const u_char *, size_t, const char *, u_int, struct sshkey_sig_details
**);
- FILE *auth_openkeyfile(const char *, struct passwd *, int);
- FILE *auth_openprincipals(const char *, struct passwd *, int);
+ int auth_key_is_revoked(struct sshkey *);
+
@@ -209,6 +211,8 @@ struct sshkey *get_hostkey_private_by_ty
int get_hostkey_index(struct sshkey *, int, struct ssh *);
int sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *,
@@ -843,8 +843,8 @@
+}
+
static int
- match_principals_option(const char *principal_list, struct sshkey_cert *cert)
- {
+ match_principals_file(struct passwd *pw, char *file,
+ struct sshkey_cert *cert, struct sshauthopt **authoptsp)
Index: openssh-8.9p1/auth2.c
===================================================================
--- openssh-8.9p1.orig/auth2.c
@@ -934,9 +934,9 @@
--- openssh-8.9p1.orig/kex.c
+++ openssh-8.9p1/kex.c
@@ -62,6 +62,7 @@
- #include "ssherr.h"
#include "sshbuf.h"
#include "digest.h"
+ #include "xmalloc.h"
+#include "audit.h"
#ifdef GSSAPI
@@ -2165,7 +2165,7 @@
@@ -71,10 +77,12 @@ void session_unused(int);
int session_input_channel_req(struct ssh *, Channel *, const char *);
void session_close_by_pid(struct ssh *ssh, pid_t, int);
- void session_close_by_channel(struct ssh *, int, void *);
+ void session_close_by_channel(struct ssh *, int, int, void *);
-void session_destroy_all(struct ssh *, void (*)(Session *));
+void session_destroy_all(struct ssh *, void (*)(struct ssh*, Session *));
void session_pty_cleanup2(Session *);
@@ -2357,7 +2357,7 @@
+server_accept_loop(struct ssh *ssh, int *sock_in, int *sock_out, int
*newsock, int *config_s)
{
struct pollfd *pfd = NULL;
- int i, j, ret;
+ int i, j, ret, npfd;
@@ -1179,6 +1234,7 @@ server_accept_loop(int *sock_in, int *so
if (received_sigterm) {
logit("Received signal %d; terminating.",
++++++ openssh-8.1p1-ed25519-use-openssl-rng.patch ++++++
--- /var/tmp/diff_new_pack.7IQSvn/_old 2023-06-06 19:55:11.150091429 +0200
+++ /var/tmp/diff_new_pack.7IQSvn/_new 2023-06-06 19:55:11.154091452 +0200
@@ -9,7 +9,7 @@
--- a/ed25519.c
+++ b/ed25519.c
@@ -9,6 +9,13 @@
- #include "includes.h"
+
#include "crypto_api.h"
+#ifdef WITH_OPENSSL
@@ -19,12 +19,12 @@
+
+#include "log.h"
+
- #include "ge25519.h"
-
- static void get_hram(unsigned char *hram, const unsigned char *sm, const
unsigned char *pk, unsigned char *playground, unsigned long long smlen)
+ #define int8 crypto_int8
+ #define uint8 crypto_uint8
+ #define int16 crypto_int16
@@ -33,7 +40,15 @@ int crypto_sign_ed25519_keypair(
- unsigned char extsk[64];
- int i;
+ sc25519 scsk;
+ ge25519 gepk;
+#ifdef WITH_OPENSSL
+ /* Use FIPS approved RNG */
@@ -32,12 +32,12 @@
+ fatal("Couldn't obtain random bytes (error 0x%lx)",
+ (unsigned long)ERR_get_error());
+#else
- randombytes(sk, 32);
+ randombytes(sk,32);
+#endif
+
- crypto_hash_sha512(extsk, sk, 32);
- extsk[0] &= 248;
- extsk[31] &= 127;
+ crypto_hash_sha512(az,sk,32);
+ az[0] &= 248;
+ az[31] &= 127;
diff --git a/kexc25519.c b/kexc25519.c
index f13d766..2604eda 100644
--- a/kexc25519.c
++++++ openssh-8.4p1-vendordir.patch ++++++
--- /var/tmp/diff_new_pack.7IQSvn/_old 2023-06-06 19:55:11.182091618 +0200
+++ /var/tmp/diff_new_pack.7IQSvn/_new 2023-06-06 19:55:11.194091689 +0200
@@ -106,7 +106,7 @@
+.Pq Pa /usr/etc/ssh/ssh_config
.El
.Pp
- For each parameter, the first obtained value
+ Unless noted otherwise, for each parameter, the first obtained value
@@ -2220,6 +2223,11 @@ This file provides defaults for those
values that are not specified in the user's configuration file, and
for those users who do not have a configuration file.
++++++ openssh-8.9p1.tar.gz -> openssh-9.3p1.tar.gz ++++++
++++ 73040 lines of diff (skipped)
++++++ openssh-reenable-dh-group14-sha1-default.patch ++++++
--- /var/tmp/diff_new_pack.7IQSvn/_old 2023-06-06 19:55:11.846095555 +0200
+++ /var/tmp/diff_new_pack.7IQSvn/_new 2023-06-06 19:55:11.846095555 +0200
@@ -31,7 +31,7 @@
--- openssh-8.9p1.orig/sshd_config.5
+++ openssh-8.9p1/sshd_config.5
@@ -996,7 +996,7 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec
- sntrup761x25519-sha...@openssh.com,
+ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
-diffie-hellman-group14-sha256
++++++ openssh-whitelist-syscalls.patch ++++++
--- /var/tmp/diff_new_pack.7IQSvn/_old 2023-06-06 19:55:11.858095626 +0200
+++ /var/tmp/diff_new_pack.7IQSvn/_new 2023-06-06 19:55:11.862095650 +0200
@@ -14,7 +14,7 @@
#endif
@@ -213,6 +216,9 @@ static const struct sock_filter preauth_
#ifdef __NR_futex_time64
- SC_ALLOW(__NR_futex_time64),
+ SC_FUTEX(__NR_futex_time64),
#endif
+#ifdef __NR_futex_time64
+ SC_ALLOW(__NR_futex_time64),
++++++ wtmpdb.patch ++++++
diff -ur openssh-8.9p1.old/configure.ac openssh-8.9p1/configure.ac
--- openssh-8.9p1.old/configure.ac 2022-02-23 12:31:11.000000000 +0100
+++ openssh-8.9p1/configure.ac 2023-04-17 14:52:21.499002203 +0200
@@ -1703,6 +1703,49 @@
fi ]
)
+# Check whether user wants wtmpdb support
+WTMPDB_MSG="no"
+AC_ARG_WITH([wtmpdb],
+ [ --with-wtmpdb[[=PATH]] Enable wtmpdb support for sshd],
+ [ if test "x$withval" != "xno" ; then
+ if test "x$withval" = "xyes" ; then
+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
+ if test "x$PKGCONFIG" != "xno"; then
+ AC_MSG_CHECKING([if $PKGCONFIG knows about
wtmpdb])
+ if "$PKGCONFIG" libwtmpdb; then
+ AC_MSG_RESULT([yes])
+ use_pkgconfig_for_libwtmpdb=yes
+ else
+ AC_MSG_RESULT([no])
+ fi
+ fi
+ else
+ CPPFLAGS="$CPPFLAGS -I${withval}/include"
+ if test -n "${rpath_opt}"; then
+ LDFLAGS="-L${withval}/lib
${rpath_opt}${withval}/lib ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+ fi
+ fi
+ if test "x$use_pkgconfig_for_libwtmpdb" = "xyes"; then
+ LIBWTMPDB=`$PKGCONFIG --libs libwtmpdb`
+ CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libwtmpdb`"
+ else
+ LIBWTMPDB="-lwtmpdb"
+ fi
+ OTHERLIBS=`echo $LIBWTMPDB | sed 's/-lwtmpdb//'`
+ AC_CHECK_LIB([wtmpdb], [wtmpdb_login],
+ [ AC_DEFINE([USE_WTMPDB], [1], [Use libwtmpdb for sshd])
+ WTMPDB_MSG="yes"
+ AC_SUBST([LIBWTMPDB])
+ ],
+ [ AC_MSG_ERROR([libwtmpdb not found]) ],
+ [ $OTHERLIBS ]
+ )
+ fi ]
+)
+
+
AUDIT_MODULE=none
AC_ARG_WITH([audit],
[ --with-audit=module Enable audit support
(modules=debug,bsm,linux)],
diff -ur openssh-8.9p1.old/loginrec.c openssh-8.9p1/loginrec.c
--- openssh-8.9p1.old/loginrec.c 2022-02-23 12:31:11.000000000 +0100
+++ openssh-8.9p1/loginrec.c 2023-04-18 10:05:04.311193333 +0200
@@ -187,6 +187,10 @@
# include <util.h>
#endif
+#ifdef USE_WTMPDB
+# include <wtmpdb.h>
+#endif
+
/**
** prototypes for helper functions in this file
**/
@@ -207,6 +211,9 @@
int wtmpx_write_entry(struct logininfo *li);
int lastlog_write_entry(struct logininfo *li);
int syslogin_write_entry(struct logininfo *li);
+#ifdef USE_WTMPDB
+int wtmpdb_write_entry(struct logininfo *li);
+#endif
int getlast_entry(struct logininfo *li);
int lastlog_get_entry(struct logininfo *li);
@@ -467,6 +474,9 @@
#ifdef USE_WTMPX
wtmpx_write_entry(li);
#endif
+#ifdef USE_WTMPDB
+ wtmpdb_write_entry(li);
+#endif
#ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN
if (li->type == LTYPE_LOGIN &&
!sys_auth_record_login(li->username,li->hostname,li->line,
@@ -1409,6 +1419,64 @@
}
#endif /* USE_WTMPX */
+#ifdef USE_WTMPDB
+static int
+wtmpdb_perform_login(struct logininfo *li)
+{
+ uint64_t login_time = li->tv_sec * ((uint64_t) 1000000ULL) +
li->tv_usec;
+ const char *tty;
+
+ if (strncmp(li->line, "/dev/", 5) == 0)
+ tty = &(li->line[5]);
+ else
+ tty = li->line;
+
+ li->wtmpdb_id = wtmpdb_login(NULL, USER_PROCESS, li->username,
+ login_time, tty, li->hostname, 0, 0);
+ if (li->wtmpdb_id < 0)
+ return (0);
+
+ return (1);
+}
+
+
+static int
+wtmpdb_perform_logout(struct logininfo *li)
+{
+ uint64_t logout_time = li->tv_sec * ((uint64_t) 1000000ULL) +
li->tv_usec;
+
+ if (li->wtmpdb_id == 0) {
+ const char *tty;
+
+ if (strncmp(li->line, "/dev/", 5) == 0)
+ tty = &(li->line[5]);
+ else
+ tty = li->line;
+
+ li->wtmpdb_id = wtmpdb_get_id(NULL, tty, NULL);
+ }
+ wtmpdb_logout(NULL, li->wtmpdb_id, logout_time, NULL);
+
+ return (1);
+}
+
+
+int
+wtmpdb_write_entry(struct logininfo *li)
+{
+ switch(li->type) {
+ case LTYPE_LOGIN:
+ return (wtmpdb_perform_login(li));
+ case LTYPE_LOGOUT:
+ return (wtmpdb_perform_logout(li));
+ default:
+ logit("%s: invalid type field", __func__);
+ return (0);
+ }
+}
+#endif
+
+
/**
** Low-level libutil login() functions
**/
diff -ur openssh-8.9p1.old/loginrec.h openssh-8.9p1/loginrec.h
--- openssh-8.9p1.old/loginrec.h 2022-02-23 12:31:11.000000000 +0100
+++ openssh-8.9p1/loginrec.h 2023-04-17 14:58:20.808850750 +0200
@@ -79,6 +79,9 @@
unsigned int tv_sec;
unsigned int tv_usec;
union login_netinfo hostaddr; /* caller's host address(es) */
+#ifdef USE_WTMPDB
+ int64_t wtmpdb_id; /* ID for wtmpdb_logout */
+#endif
}; /* struct logininfo */
/*
diff -ur openssh-8.9p1.old/Makefile.in openssh-8.9p1/Makefile.in
--- openssh-8.9p1.old/Makefile.in 2022-02-23 12:31:11.000000000 +0100
+++ openssh-8.9p1/Makefile.in 2023-04-17 14:44:32.156538001 +0200
@@ -55,6 +55,7 @@
SSHDLIBS=@SSHDLIBS@
LIBEDIT=@LIBEDIT@
LIBFIDO2=@LIBFIDO2@
+LIBWTMPDB=@LIBWTMPDB@
AR=@AR@
AWK=@AWK@
RANLIB=@RANLIB@
@@ -212,7 +213,7 @@
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
$(GSSLIBS) $(CHANNELLIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS)
$(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS)
$(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
