Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2023-06-06 19:54:55
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and      /work/SRC/openSUSE:Factory/.openssh.new.15902 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openssh"

Tue Jun  6 19:54:55 2023 rev:164 rq:1090577 version:9.3p1

Changes:
--------
--- /work/SRC/openSUSE:Factory/openssh/openssh-askpass-gnome.changes    
2021-10-11 16:48:39.866172377 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.15902/openssh-askpass-gnome.changes 
2023-06-06 19:55:08.426075279 +0200
@@ -1,0 +2,14 @@
+Sun May 28 09:16:44 UTC 2023 - Andreas Stieger <andreas.stie...@gmx.de>
+
+- openssh-askpass-gnome: require only openssh-clients, not the full
+  openssh (including -server), to avoid pulling in excessive
+  dependencies when installing git on Gnome (boo#1211446)
+
+-------------------------------------------------------------------
+Thu May 11 07:01:54 UTC 2023 - Antonio Larrosa <alarr...@suse.com>
+
+- Update to openssh 9.3p1
+  * No changes for askpass, see main package changelog for
+    details
+
+-------------------------------------------------------------------
--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2023-04-15 
22:32:05.581173030 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.15902/openssh.changes       
2023-06-06 19:55:08.530075896 +0200
@@ -1,0 +2,476 @@
+Thu May 11 07:01:54 UTC 2023 - Antonio Larrosa <alarr...@suse.com>
+
+- Update to openssh 9.3p1:
+  = Security
+  * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
+   per-hop destination constraints (ssh-add -h ...) added in
+   OpenSSH 8.9, a logic error prevented the constraints from being
+   communicated to the agent. This resulted in the keys being added
+   without constraints. The common cases of non-smartcard keys and
+   keys without destination constraints are unaffected. This
+   problem was reported by Luci Stanescu.
+
+ * ssh(1): Portable OpenSSH provides an implementation of the
+   getrrsetbyname(3) function if the standard library does not
+   provide it, for use by the VerifyHostKeyDNS feature. A
+   specifically crafted DNS response could cause this function to
+   perform an out-of-bounds read of adjacent stack data, but this
+   condition does not appear to be exploitable beyond denial-of-
+   service to the ssh(1) client.
+   The getrrsetbyname(3) replacement is only included if the
+   system's standard library lacks this function and portable
+   OpenSSH was not compiled with the ldns library (--with-ldns).
+   getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to
+   fetch SSHFP records. This problem was found by the Coverity
+   static analyzer.
+
+  = New features
+  * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256
+    when outputting SSHFP fingerprints to allow algorithm
+    selection. bz3493
+  * sshd(8): add a `sshd -G` option that parses and prints the
+    effective configuration without attempting to load private keys
+    and perform other checks. This allows usage of the option
+    before keys have been generated and for configuration
+    evaluation and verification by unprivileged users.
+
+  = Bugfixes
+  * scp(1), sftp(1): fix progressmeter corruption on wide displays;
+    bz3534
+  * ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing
+    usability of private keys as some systems are starting to
+    disable RSA/SHA1 in libcrypto.
+  * sftp-server(8): fix a memory leak. GHPR363
+  * ssh(1), sshd(8), ssh-keyscan(1): remove vestigal protocol
+    compatibility code and simplify what's left.
+  * Fix a number of low-impact Coverity static analysis findings.
+    These include several reported via bz2687
+  * ssh_config(5), sshd_config(5): mention that some options are
+    not first-match-wins.
+  * Rework logging for the regression tests. Regression tests will
+    now capture separate logs for each ssh and sshd invocation in
+    a test.
+  * ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage
+    says it should; bz3532.
+  * ssh(1): ensure that there is a terminating newline when adding
+    a new entry to known_hosts; bz3529
+
+  = Portability
+  * sshd(8): harden Linux seccomp sandbox. Move to an allowlist of
+    mmap(2), madvise(2) and futex(2) flags, removing some
+    concerning kernel attack surface.
+  * sshd(8): improve Linux seccomp-bpf sandbox for older systems;
+    bz3537
+
+- Update to openssh 9.2p1:
+  = Security
+  * sshd(8): fix a pre-authentication double-free memory fault
+    introduced in OpenSSH 9.1. This is not believed to be
+    exploitable, and it occurs in the unprivileged pre-auth process
+    that is subject to chroot(2) and is further sandboxed on most
+    major platforms.
+  * ssh(8): in OpenSSH releases after 8.7, the PermitRemoteOpen
+    option would ignore its first argument unless it was one of the
+    special keywords "any" or "none", causing the permission list
+    to fail open if only one permission was specified. bz3515
+  * ssh(1): if the CanonicalizeHostname and
+    CanonicalizePermittedCNAMEs options were enabled, and the
+    system/libc resolver did not check that names in DNS responses
+    were valid, then use of these options could allow an attacker
+    with control of DNS to include invalid characters (possibly
+    including wildcards) in names added to known_hosts files when
+    they were updated. These names would still have to match the
+    CanonicalizePermittedCNAMEs allow-list, so practical
+    exploitation appears unlikely.
+
+  = Potentially-incompatible changes
+  * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option
+    that controls whether the client-side ~C escape sequence that
+    provides a  command-line is available. Among other things, the
+    ~C command-line could be used to add additional port-forwards
+    at runtime.
+    This option defaults to "no", disabling the ~C command-line
+    that was previously enabled by default. Turning off the
+    command-line allows platforms that support sandboxing of the
+    ssh(1) client (currently only OpenBSD) to use a stricter
+    default sandbox policy.
+
+  = New features
+  * sshd(8): add support for channel inactivity timeouts via a new
+    sshd_config(5) ChannelTimeout directive. This allows channels
+    that have not seen traffic in a configurable interval to be
+    automatically closed. Different timeouts may be applied to
+    session, X11, agent and TCP forwarding channels.
+  * sshd(8): add a sshd_config UnusedConnectionTimeout option to
+    terminate client connections that have no open channels for a
+    length of time. This complements the ChannelTimeout option
+    above.
+  * sshd(8): add a -V (version) option to sshd like the ssh client
+    has.
+  * ssh(1): add a "Host" line to the output of ssh -G showing the
+    original hostname argument. bz3343
+  * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to
+    allow control over some SFTP protocol parameters: the copy
+    buffer length and the number of in-flight requests, both of
+    which are used during upload/download. Previously these could
+    be controlled in sftp(1) only. This makes them available in
+    both SFTP protocol clients using the same option character
+    sequence.
+  * ssh-keyscan(1): allow scanning of complete CIDR address ranges,
+    e.g.  "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed,
+    then it will be expanded to all possible addresses in the range
+    including the all-0s and all-1s addresses. bz#976
+  * ssh(1): support dynamic remote port forwarding in escape
+    command-line's -R processing. bz#3499
+ 
+  = Bugfixes
+  * ssh(1): when restoring non-blocking mode to stdio fds, restore
+    exactly the flags that ssh started with and don't just clobber
+    them with zero, as this could also remove the append flag from
+    the set. bz3523
+  * ssh(1): avoid printf("%s", NULL) if using
+    UserKnownHostsFile=none and a hostkey in one of the system
+    known hosts file changes.
+  * scp(1): switch scp from using pipes to a socket-pair for
+    communication with its ssh sub-processes, matching how sftp(1)
+    operates.
+  * sshd(8): clear signal mask early in main(); sshd may have been
+    started with one or more signals masked (sigprocmask(2) is not
+    cleared on fork/exec) and this could interfere with various
+    things, e.g. the login grace timer. Execution environments that
+    fail to clear the signal mask before running sshd are clearly
+    broken, but apparently they do exist.
+  * ssh(1): warn if no host keys for hostbased auth can be loaded.
+  * sshd(8): Add server debugging for hostbased auth that is queued
+    and sent to the client after successful authentication, but
+    also logged to assist in diagnosis of HostbasedAuthentication
+    problems. bz3507
+  * ssh(1): document use of the IdentityFile option as being usable
+    to list public keys as well as private keys. GHPR352
+  * sshd(8): check for and disallow MaxStartups values less than or
+    equal to zero during config parsing, rather than failing later
+    at runtime.  bz3489
+  * ssh-keygen(1): fix parsing of hex cert expiry times specified
+    on the command-line when acting as a CA.
+  * scp(1): when scp(1) is using the SFTP protocol for transport
+    (the default), better match scp/rcp's handling of globs that
+    don't match the globbed characters but do match literally (e.g.
+    trying to transfer a file named "foo.[1]"). Previously scp(1)
+    in SFTP mode would not match these pathnames but legacy scp/rcp
+    mode would. bz3488
+  * ssh-agent(1): document the "-O no-restrict-websafe"
+    command-line option.
+  * ssh(1): honour user's umask(2) if it is more restrictive then
+    the ssh default (022).
+ 
+  = Portability
+  * sshd(8): allow writev(2) in the Linux seccomp sandbox. This
+    seems to be used by recent glibcs at least in some
+    configurations during error conditions. bz3512.
+  * sshd(8): simply handling of SSH_CONNECTION PAM env var,
+    removing global variable and checking the return value from
+    pam_putenv. bz3508
+  * sshd(8): disable SANDBOX_SECCOMP_FILTER_DEBUG that was
+    mistakenly enabled during the OpenSSH 9.1 release cycle.
+  * misc: update autotools and regenerate the config files using
+    the latest autotools
+  * all: use -fzero-call-used-regs=used on clang 15 instead of
+    -fzero-call-used-reg=all, as some versions of clang 15 have
+    miscompile code when it was enabled. bz3475
+  * sshd(8): defer PRNG seeding until after the initial
+    closefrom(2) call. PRNG seeding will initialize OpenSSL, and
+    some engine providers (e.g. Intel's QAT) will open descriptors
+    for their own use that closefrom(2) could clobber. bz3483
+  * misc: in the poll(2)/ppoll(2) compatibility code, avoid
+    assuming the layout of fd_set.
+  * sftp-server(8), ssh-agent(1): fix ptrace(2) disabling on older
+    FreeBSD kernels. Some versions do not support using id 0 to
+    refer to the current PID for procctl, so try again with
+    getpid() explicitly before failing.
+  * configure.ac: fix -Wstrict-prototypes in configure test code.
+    Clang 16 now warns on this and legacy prototypes will be
+    removed in C23. GHPR355
+  * configure.ac: fix setres*id checks to work with clang-16. glibc
+    has the prototypes for setresuid behind _GNU_SOURCE, and
+    clang 16 will error out on implicit function definitions.
+    bz3497
+
++++ 279 more lines (skipped)
++++ between /work/SRC/openSUSE:Factory/openssh/openssh.changes
++++ and /work/SRC/openSUSE:Factory/.openssh.new.15902/openssh.changes

Old:
----
  openssh-8.9p1.tar.gz
  openssh-8.9p1.tar.gz.asc

New:
----
  _multibuild
  fix-missing-lz.patch
  openssh-9.3p1.tar.gz
  openssh-9.3p1.tar.gz.asc
  wtmpdb.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openssh-askpass-gnome.spec ++++++
--- /var/tmp/diff_new_pack.7IQSvn/_old  2023-06-06 19:55:10.670088583 +0200
+++ /var/tmp/diff_new_pack.7IQSvn/_new  2023-06-06 19:55:10.674088607 +0200
@@ -18,7 +18,7 @@
 
 %define _name openssh
 Name:           openssh-askpass-gnome
-Version:        8.9p1
+Version:        9.3p1
 Release:        0
 Summary:        A GNOME-Based Passphrase Dialog for OpenSSH
 License:        BSD-2-Clause
@@ -26,7 +26,7 @@
 URL:            https://www.openssh.com/
 Source:         
https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz
 Source42:       
https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc
-Requires:       %{_name} = %{version}
+Requires:       %{_name}-clients = %{version}
 Supplements:    packageand(openssh-clients:libgtk-3-0)
 %if 0%{?suse_version} >= 1550
 BuildRequires:  gtk3-devel

++++++ openssh.spec ++++++
--- /var/tmp/diff_new_pack.7IQSvn/_old  2023-06-06 19:55:10.718088867 +0200
+++ /var/tmp/diff_new_pack.7IQSvn/_new  2023-06-06 19:55:10.726088915 +0200
@@ -24,13 +24,20 @@
 %define _appdefdir  %( grep "configdirspec=" $( which xmkmf ) | sed -r 
's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
 %define CHECKSUM_SUFFIX .hmac
 %define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
+%bcond_without ldap
+
+%if 0%{?suse_version} >= 1550
+%bcond_without wtmpdb
+%else
+%bcond_with wtmpdb
+%endif
 
 #Compat macro for new _fillupdir macro introduced in Nov 2017
 %if ! %{defined _fillupdir}
   %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           openssh
-Version:        8.9p1
+Version:        9.3p1
 Release:        0
 Summary:        Secure Shell Client and Server (Remote Login Program)
 License:        BSD-2-Clause AND MIT
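Review bot: the new `%bcond_without ldap` and the suse_version-gated wtmpdb bcond carry no comment saying when each is meant to be switched off (a build without openldap2-devel, the askpass-gnome multibuild flavour, older products); one comment line above each bcond would spare the next maintainer a trip through the history.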
@@ -107,17 +114,21 @@
 Patch48:        openssh-8.4p1-pam_motd.patch
 Patch49:        openssh-do-not-send-empty-message.patch
 Patch50:        openssh-openssl-3.patch
+Patch51:        wtmpdb.patch
+Patch100:       fix-missing-lz.patch
 BuildRequires:  audit-devel
 BuildRequires:  automake
 BuildRequires:  groff
 BuildRequires:  libedit-devel
 BuildRequires:  libselinux-devel
+%if %{with ldap}
 BuildRequires:  openldap2-devel
+%endif
 BuildRequires:  openssl-devel
 BuildRequires:  pam-devel
 BuildRequires:  pkgconfig
 BuildRequires:  zlib-devel
-BuildRequires:  pkgconfig(libfido2)
+BuildRequires:  pkgconfig(libfido2) >= 1.2.0
 BuildRequires:  pkgconfig(libsystemd)
 BuildRequires:  sysuser-shadow
 BuildRequires:  sysuser-tools
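Review bot: Patch100 jumps from Patch51 with no comment; if the gap is meant to separate temporary build fixes such as fix-missing-lz.patch from the feature patches, say so next to it, otherwise number it Patch52. The raised `pkgconfig(libfido2) >= 1.2.0` minimum likewise deserves a short comment naming which 9.3p1 change needs it.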
@@ -128,6 +139,9 @@
 %else
 BuildRequires:  krb5-mini-devel
 %endif
+%if %{with wtmpdb}
+BuildRequires:  pkgconfig(libwtmpdb)
+%endif
 Requires(pre):  findutils
 Requires(pre):  grep
 
@@ -215,6 +229,7 @@
 This package contains clients for making secure connections to Secure
 Shell servers.
 
+%if %{with ldap}
 %package helpers
 Summary:        OpenSSH AuthorizedKeysCommand helpers
 Group:          Productivity/Networking/SSH
@@ -231,6 +246,7 @@
 
 This package contains helper applications for OpenSSH which retrieve
 keys from various sources.
+%endif
 
 %package fips
 Summary:        OpenSSH FIPS crypto module HMACs
@@ -262,7 +278,7 @@
 # set libexec dir in the LDAP patch
 sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
     $( grep -Rl @LIBEXECDIR@ \
-        $( grep "^+++" openssh-7.7p1-ldap.patch | sed -r 's@^.+/([^/\t 
]+).*$@\1@' )
+        $( grep "^+++" %{PATCH31} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
     )
 
 %build
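Review bot: the sed over `%{PATCH31}` still runs unconditionally while `--with-ldap` and the helpers subpackage are now behind `%{with ldap}`; either wrap this block in `%if %{with ldap}` as well, or confirm that the LDAP patch is still applied when the bcond is off so the files it lists exist. Referencing the patch through `%{PATCH31}` instead of the hard-coded openssh-7.7p1-ldap.patch name is the right fix for the rename hazard.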
@@ -294,9 +310,14 @@
 %endif
     --disable-strip \
     --with-audit=linux \
+%if %{with ldap}
     --with-ldap \
+%endif
     --with-xauth=%{_bindir}/xauth \
     --with-libedit \
+%if %{with wtmpdb}
+    --with-wtmpdb \
+%endif
     --with-security-key-builtin \
     --target=%{_target_cpu}-suse-linux
 
@@ -327,12 +348,16 @@
 install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
 sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g 
%{buildroot}%{_sysconfdir}/ssh/sshd_config
 
+echo "PermitRootLogin yes" > 
%{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
+
 # Move /etc to /usr/etc/ssh
+%if %{defined _distconfdir}
 mkdir -p %{buildroot}%{_distconfdir}/ssh/ssh{,d}_config.d
 mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/
 mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/
 mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/
-echo "PermitRootLogin yes" > 
%{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
+mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf 
%{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
+%endif
 
 %if 0%{?suse_version} < 1550
 # install firewall definitions
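Review bot: the new `echo "PermitRootLogin yes" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf` assumes that directory already exists in the buildroot; nothing in this hunk creates it (the `mkdir -p` only covers `%{_distconfdir}` inside the `%if`), so unless an earlier, unseen line does, add `mkdir -p %{buildroot}%{_sysconfdir}/ssh/sshd_config.d` before the redirect or the `%else` path fails at install time. Since the drop-in enables root login, it must stay confined to the server-config-rootlogin subpackage, as the %files sections below do.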
@@ -426,9 +451,15 @@
 %license LICENCE
 %doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO 
CREDITS
 %attr(0755,root,root) %dir %{_sysconfdir}/ssh
+%if %{defined _distconfdir}
 %attr(0755,root,root) %dir %{_distconfdir}/ssh
-%attr(0755,root,root) %dir /usr/etc/ssh/ssh_config.d
 %attr(0600,root,root) %{_distconfdir}/ssh/moduli
+%attr(0755,root,root) %dir %{_distconfdir}/ssh/ssh_config.d
+%else
+%attr(0755,root,root) %dir %{_sysconfdir}/ssh
+%attr(0600,root,root) %{_sysconfdir}/ssh/moduli
+%attr(0755,root,root) %dir %{_sysconfdir}/ssh/ssh_config.d
+%endif
 %attr(0444,root,root) %{_mandir}/man1/ssh-keygen.1*
 %attr(0444,root,root) %{_mandir}/man5/moduli.5*
 %attr(0755,root,root) %{_bindir}/ssh-keygen*
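Review bot: in the `%else` branch, `%attr(0755,root,root) %dir %{_sysconfdir}/ssh` repeats the unconditional entry a few lines above, so on the non-_distconfdir path the directory is listed twice in this %files section; drop the duplicate inside the `%else`.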
@@ -439,12 +470,13 @@
 %attr(0755,root,root) %{_sbindir}/sshd-gen-keys-start
 %dir %attr(0755,root,root) %{_localstatedir}/lib/sshd
 %dir %attr(0755,root,root) %{_sysconfdir}/ssh/sshd_config.d
+%if %{defined _distconfdir}
 %attr(0755,root,root) %dir %{_distconfdir}/ssh
-%attr(0755,root,root) %dir /usr/etc/ssh/sshd_config.d
+%attr(0755,root,root) %dir %{_distconfdir}/ssh/sshd_config.d
 %attr(0640,root,root) %{_distconfdir}/ssh/sshd_config
-%if %{defined _distconfdir}
 %attr(0644,root,root) %{_pam_vendordir}/sshd
 %else
+%attr(0640,root,root) %{_sysconfdir}/ssh/sshd_config
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
 %endif
 %attr(0644,root,root) %{_unitdir}/sshd.service
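Review bot: in the `%else` branch, `%attr(0640,root,root) %{_sysconfdir}/ssh/sshd_config` lacks `%config(noreplace)` while the `pam.d/sshd` entry directly below it has it; without it a package update overwrites a locally edited /etc/ssh/sshd_config instead of leaving it in place and writing an .rpmnew file. The root-only 0640 mode on both branches is right for a file that carries access policy.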
@@ -463,11 +495,19 @@
 %endif
 
 %files server-config-rootlogin
+%if %{defined _distconfdir}
 %{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
+%else
+%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
+%endif
 
 %files clients
 %dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d
+%if %{defined _distconfdir}
 %attr(0644,root,root) %{_distconfdir}/ssh/ssh_config
+%else
+%attr(0644,root,root) %{_sysconfdir}/ssh/ssh_config
+%endif
 %attr(0755,root,root) %{_bindir}/ssh
 %attr(0755,root,root) %{_bindir}/scp*
 %attr(0755,root,root) %{_bindir}/sftp*
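Review bot: same point for the `%else` branch here: `%attr(0644,root,root) %{_sysconfdir}/ssh/ssh_config` should carry `%config(noreplace)` so an update does not clobber a site-edited /etc/ssh/ssh_config; on the `%{_distconfdir}` path the vendor copy is not meant to be edited, so that branch is fine as written.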
@@ -492,6 +532,7 @@
 %attr(0444,root,root) %{_mandir}/man8/ssh-sk-helper.8*
 %attr(0444,root,root) %{_mandir}/man8/ssh-keysign.8*
 
+%if %{with ldap}
 %files helpers
 %attr(0755,root,root) %dir %{_sysconfdir}/ssh
 %verify(not mode) %attr(0644,root,root) %config(noreplace) 
%{_sysconfdir}/ssh/ldap.conf
@@ -500,6 +541,7 @@
 %attr(0444,root,root) %{_mandir}/man5/ssh-ldap*
 %attr(0444,root,root) %{_mandir}/man8/ssh-ldap*
 %doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
+%endif
 
 %files fips
 %attr(0444,root,root) %{_bindir}/ssh%{CHECKSUM_SUFFIX}

++++++ _multibuild ++++++
<multibuild>
  <package>openssh-askpass-gnome</package>
</multibuild>

++++++ fix-missing-lz.patch ++++++
Index: openssh-9.3p1/Makefile.in
===================================================================
--- openssh-9.3p1.orig/Makefile.in
+++ openssh-9.3p1/Makefile.in
@@ -250,17 +250,17 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
        $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) 
-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
 
 sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o 
$(SFTPSERVER_OBJS)
-       $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh 
-lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
+       $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh 
-lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
 
 sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
        $(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) 
$(LIBEDIT)
 
 # FIPS tests
 cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o 
cavstest-ctr.o
-       $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh 
-lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
+       $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh 
-lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
 
 cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o 
cavstest-kdf.o
-       $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh 
-lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
+       $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh 
-lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
 
 # test driver for the loginrec code - not built by default
 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
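Review bot: appending a literal `-lz` to the sftp-server and cavstest-* link lines hard-codes the zlib dependency; the same Makefile.in already carries `$(CHANNELLIBS)` for this (see the ssh-keyscan rule in the refreshed ldap patch), so appending `$(CHANNELLIBS)` instead would follow configure's detection and keep the rules consistent. The position after `$(LIBS) $(LIBFIDO2)` is correct for static archive ordering either way; a patch header stating which object introduces the unresolved zlib symbols would make the fix self-explanatory.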

++++++ openssh-7.7p1-fips.patch ++++++
--- /var/tmp/diff_new_pack.7IQSvn/_old  2023-06-06 19:55:10.926090101 +0200
+++ /var/tmp/diff_new_pack.7IQSvn/_new  2023-06-06 19:55:10.930090124 +0200
@@ -16,28 +16,28 @@
  SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
        sshconnect.o sshconnect2.o mux.o $(SKOBJS)
  
-Index: openssh-8.8p1/cipher-ctr.c
-===================================================================
---- openssh-8.8p1.orig/cipher-ctr.c
-+++ openssh-8.8p1/cipher-ctr.c
-@@ -27,6 +27,8 @@
- #include "xmalloc.h"
- #include "log.h"
- 
-+#include "fips.h"
-+
- /* compatibility with old or broken OpenSSL versions */
- #include "openbsd-compat/openssl-compat.h"
- 
-@@ -139,6 +141,8 @@ evp_aes_128_ctr(void)
- #ifndef SSH_OLD_EVP
-       aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
-           EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
-+      if (fips_mode())
-+              aes_ctr.flags |= EVP_CIPH_FLAG_FIPS;
- #endif
-       return (&aes_ctr);
- }
+#Index: openssh-8.8p1/cipher-ctr.c
+#===================================================================
+#--- openssh-8.8p1.orig/cipher-ctr.c
+#+++ openssh-8.8p1/cipher-ctr.c
+#@@ -27,6 +27,8 @@
+# #include "xmalloc.h"
+# #include "log.h"
+# 
+#+#include "fips.h"
+#+
+# /* compatibility with old or broken OpenSSL versions */
+# #include "openbsd-compat/openssl-compat.h"
+# 
+#@@ -139,6 +141,8 @@ evp_aes_128_ctr(void)
+# #ifndef SSH_OLD_EVP
+#      aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
+#          EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
+#+     if (fips_mode())
+#+             aes_ctr.flags |= EVP_CIPH_FLAG_FIPS;
+# #endif
+#      return (&aes_ctr);
+# }
 Index: openssh-8.8p1/cipher.c
 ===================================================================
 --- openssh-8.8p1.orig/cipher.c
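Review bot: the cipher-ctr.c section is kept in the patch with every line prefixed by `#` instead of being deleted; it is dead content that only survives because it sits outside any hunk body, and it will confuse the next refresh. Delete it, and if the reason is that 9.3p1 no longer needs the EVP_CIPH_FLAG_FIPS marking on the AES-CTR EVP wrapper, record that in the patch header.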
@@ -416,8 +416,8 @@
 --- openssh-8.8p1.orig/kex.c
 +++ openssh-8.8p1/kex.c
 @@ -62,6 +62,8 @@
- #include "sshbuf.h"
  #include "digest.h"
+ #include "xmalloc.h"
  
 +#include "fips.h"
 +
@@ -743,7 +743,8 @@
 +      struct Key_types key_types_all[] = {
  #ifdef WITH_OPENSSL
                { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
-               { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
+ #ifdef OPENSSL_HAS_ECC
+#              { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
 @@ -1056,6 +1060,17 @@ do_gen_all_hostkeys(struct passwd *pw)
                { NULL, NULL, NULL }
        };
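Review bot: the `#              { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },` line in the key_types_all hunk is a commented-out remnant left between hunks rather than removed; if DSA host keys are intentionally no longer generated in FIPS mode (sensible, DSA is deprecated), drop the line and note the change in the patch header. Also check that the line counts of the preceding hunk header were adjusted for the removed entry, otherwise patch(1) will not apply it cleanly.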

++++++ openssh-7.7p1-fips_checks.patch ++++++
--- /var/tmp/diff_new_pack.7IQSvn/_old  2023-06-06 19:55:10.962090314 +0200
+++ /var/tmp/diff_new_pack.7IQSvn/_new  2023-06-06 19:55:10.970090361 +0200
@@ -459,8 +459,8 @@
 --- openssh-8.8p1.orig/sshd.c
 +++ openssh-8.8p1/sshd.c
 @@ -1547,6 +1547,10 @@ main(int ac, char **av)
-       Authctxt *authctxt;
        struct connection_info *connection_info = NULL;
+       sigset_t sigmask;
  
 +      /* initialize fips - can go before ssh_malloc_init(), since that is a
 +       * OpenBSD-only thing (as of OpenSSH 7.6p1) */

++++++ openssh-7.7p1-ldap.patch ++++++
--- /var/tmp/diff_new_pack.7IQSvn/_old  2023-06-06 19:55:10.994090504 +0200
+++ /var/tmp/diff_new_pack.7IQSvn/_new  2023-06-06 19:55:10.998090527 +0200
@@ -148,7 +148,7 @@
        sshkey-xmss.o \
 @@ -162,8 +167,8 @@ SFTPSERVER_OBJS=sftp-common.o sftp-serve
  
- SFTP_OBJS=    sftp.o progressmeter.o $(SFTP_CLIENT_OBJS)
+ SFTP_OBJS=    sftp.o sftp-usergroup.o progressmeter.o $(SFTP_CLIENT_OBJS)
  
 -MANPAGES      = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out 
ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out 
sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out 
sshd_config.5.out ssh_config.5.out
 -MANPAGES_IN   = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 
ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 
ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5
@@ -159,7 +159,7 @@
  CONFIGFILES=sshd_config.out ssh_config.out moduli.out
 @@ -246,6 +251,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) lib
  ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
-       $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh 
$(LIBS)
+       $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh 
$(LIBS) $(CHANNELLIBS)
  
 +ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o 
ldapmisc.o ldap-helper.o
 +      $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) 
-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)

++++++ openssh-7.7p1-pam_check_locks.patch ++++++
--- /var/tmp/diff_new_pack.7IQSvn/_old  2023-06-06 19:55:11.014090622 +0200
+++ /var/tmp/diff_new_pack.7IQSvn/_new  2023-06-06 19:55:11.018090646 +0200
@@ -10,23 +10,23 @@
 --- openssh-8.8p1.orig/auth.c
 +++ openssh-8.8p1/auth.c
 @@ -113,7 +113,7 @@ allowed_user(struct ssh *ssh, struct pas
+       if (!pw || !pw->pw_name)
                return 0;
  
- #ifdef USE_SHADOW
--      if (!options.use_pam)
-+      if (!options.use_pam || options.use_pam_check_locks)
-               spw = getspnam(pw->pw_name);
- #ifdef HAS_SHADOW_EXPIRE
-       if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
-@@ -133,7 +133,7 @@ allowed_user(struct ssh *ssh, struct pas
- #endif
- 
-       /* check for locked account */
--      if (!options.use_pam && passwd && *passwd) {
-+      if ((!options.use_pam || options.use_pam_check_locks) && passwd && 
*passwd) {
-               int locked = 0;
- 
- #ifdef LOCKED_PASSWD_STRING
+-      if (!options.use_pam && platform_locked_account(pw)) {
++      if ((!options.use_pam || options.use_pam_check_locks) && 
platform_locked_account(pw)) {
+               logit("User %.100s not allowed because account is locked",
+                   pw->pw_name);
+               return 0;
+#@@ -133,7 +133,7 @@ allowed_user(struct ssh *ssh, struct pas
+# #endif
+# 
+#      /* check for locked account */
+#-     if (!options.use_pam && passwd && *passwd) {
+#+     if ((!options.use_pam || options.use_pam_check_locks) && passwd && 
*passwd) {
+#              int locked = 0;
+# 
+# #ifdef LOCKED_PASSWD_STRING
 Index: openssh-8.8p1/servconf.c
 ===================================================================
 --- openssh-8.8p1.orig/servconf.c
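Review bot: the old `@@ -133,7 +133,7 @@` hunk is left in the patch with `#` prefixes instead of being deleted; remove it, since its purpose is now served by the platform_locked_account() check above. The rewritten condition `(!options.use_pam || options.use_pam_check_locks) && platform_locked_account(pw)` preserves the option's intent (reject locked accounts even when PAM handles authentication), so behaviour matches the dropped LOCKED_PASSWD_STRING logic.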

++++++ openssh-7.7p1-seccomp_ipc_flock.patch ++++++
--- /var/tmp/diff_new_pack.7IQSvn/_old  2023-06-06 19:55:11.038090765 +0200
+++ /var/tmp/diff_new_pack.7IQSvn/_new  2023-06-06 19:55:11.046090812 +0200
@@ -37,6 +37,6 @@
 +      SC_ALLOW(__NR_ipc),
 +#endif
  #ifdef __NR_madvise
-       SC_ALLOW(__NR_madvise),
- #endif
+       SC_ALLOW_ARG(__NR_madvise, 2, MADV_NORMAL),
+ # ifdef MADV_FREE
 

++++++ openssh-7.7p1-sftp_print_diagnostic_messages.patch ++++++
--- /var/tmp/diff_new_pack.7IQSvn/_old  2023-06-06 19:55:11.070090955 +0200
+++ /var/tmp/diff_new_pack.7IQSvn/_new  2023-06-06 19:55:11.070090955 +0200
@@ -34,8 +34,8 @@
        infile = stdin;
  
        while ((ch = getopt(argc, argv,
--          "1246AafhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
-+          "1246AafhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
+-          "1246AafhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:X:")) != -1) {
++          "1246AafhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:X:")) != -1) {
                switch (ch) {
                /* Passed through to ssh(1) */
                case 'A':

++++++ openssh-7.7p1-systemd-notify.patch ++++++
--- /var/tmp/diff_new_pack.7IQSvn/_old  2023-06-06 19:55:11.082091026 +0200
+++ /var/tmp/diff_new_pack.7IQSvn/_new  2023-06-06 19:55:11.086091049 +0200
@@ -8,8 +8,9 @@
 --- openssh-8.8p1.orig/configure.ac
 +++ openssh-8.8p1/configure.ac
 @@ -4751,6 +4751,30 @@ AC_ARG_WITH([kerberos5],
- AC_SUBST([GSSLIBS])
+# AC_SUBST([GSSLIBS])
  AC_SUBST([K5LIBS])
+ AC_SUBST([CHANNELLIBS])
  
 +# Check whether user wants systemd support
 +SYSTEMD_MSG="no"
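Review bot: `# AC_SUBST([GSSLIBS])` as the first body line of the hunk is neither a context nor a change line; if the upstream context moved so that GSSLIBS is no longer adjacent, drop the line and let `AC_SUBST([K5LIBS])` / `AC_SUBST([CHANNELLIBS])` be the leading context, adjusting the `@@ -4751,6 +4751,30 @@` counts if needed.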

++++++ openssh-8.0p1-gssapi-keyex.patch ++++++
--- /var/tmp/diff_new_pack.7IQSvn/_old  2023-06-06 19:55:11.110091192 +0200
+++ /var/tmp/diff_new_pack.7IQSvn/_new  2023-06-06 19:55:11.114091215 +0200
@@ -12,7 +12,8 @@
  
 @@ -132,7 +133,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
        auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
-       auth2-none.o auth2-passwd.o auth2-pubkey.o \
+#      auth2-none.o auth2-passwd.o auth2-pubkey.o \
+       auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-pubkeyfile.o \
        monitor.o monitor_wrap.o auth-krb5.o \
 -      auth2-gss.o gss-serv.o gss-serv-krb5.o \
 +      auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
@@ -379,22 +380,38 @@
  /* import options */
  extern Options options;
  
-@@ -1349,9 +1353,18 @@ client_loop(struct ssh *ssh, int have_pt
-                       break;
- 
-               /* Do channel operations unless rekeying in progress. */
--              if (!ssh_packet_is_rekeying(ssh))
-+              if (!ssh_packet_is_rekeying(ssh)) {
-                       channel_after_poll(ssh, pfd, npfd_active);
+#@@ -1349,9 +1353,18 @@ client_loop(struct ssh *ssh, int have_pt
+## Replaced with the section below
+#                      break;
+# 
+#              /* Do channel operations unless rekeying in progress. */
+#-             if (!ssh_packet_is_rekeying(ssh))
+#+             if (!ssh_packet_is_rekeying(ssh)) {
+#                      channel_after_poll(ssh, pfd, npfd_active);
+# 
+#+#ifdef GSSAPI
+#+                     if (options.gss_renewal_rekey &&
+#+                         ssh_gssapi_credentials_updated(NULL)) {
+#+                             debug("credentials updated - forcing rekey");
+#+                             need_rekeying = 1;
+#+                     }
+#+#endif
+#+             }
+#+
+#              /* Buffer input from the connection.  */
+#              if (conn_in_ready)
+#                      client_process_net_input(ssh);
+@@ -1349,6 +1353,14 @@ client_loop(struct ssh *ssh, int have_pt
+               /* Do channel operations. */
+               channel_after_poll(ssh, pfd, npfd_active);
  
 +#ifdef GSSAPI
-+                      if (options.gss_renewal_rekey &&
-+                          ssh_gssapi_credentials_updated(NULL)) {
-+                              debug("credentials updated - forcing rekey");
-+                              need_rekeying = 1;
-+                      }
-+#endif
++              if (options.gss_renewal_rekey &&
++                  ssh_gssapi_credentials_updated(NULL)) {
++                      debug("credentials updated - forcing rekey");
++                      need_rekeying = 1;
 +              }
++#endif
 +
                /* Buffer input from the connection.  */
                if (conn_in_ready)
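Review bot: the superseded client_loop hunk is kept inline with `#` prefixes and a `## Replaced with the section below` marker; delete it and put the explanation (upstream removed the `ssh_packet_is_rekeying` guard around channel_after_poll, so the GSSAPI credential check now follows it unconditionally) in the patch header instead. The new placement keeps the same logic: when gss_renewal_rekey is set and ssh_gssapi_credentials_updated() reports fresh credentials, need_rekeying is raised so the next round rekeys with the renewed ticket.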
@@ -1257,15 +1274,9 @@
 ===================================================================
 --- openssh-8.9p1.orig/kex.c
 +++ openssh-8.9p1/kex.c
-@@ -57,11 +57,16 @@
- #include "misc.h"
- #include "dispatch.h"
- #include "monitor.h"
-+#include "xmalloc.h"
- 
- #include "ssherr.h"
- #include "sshbuf.h"
+@@ -57,6 +57,10 @@
  #include "digest.h"
+ #include "xmalloc.h"
  
 +#ifdef GSSAPI
 +#include "ssh-gss.h"
@@ -1274,7 +1285,7 @@
  #include "fips.h"
  
  /* prototype */
-@@ -119,6 +124,19 @@ static const struct kexalg kexalgs_all[]
+@@ -119,6 +123,19 @@ static const struct kexalg kexalgs_all[]
  #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
        { NULL, 0, -1, -1},
  };
@@ -1294,7 +1305,7 @@
  
  static const struct kexalg kexalgs_fips140_2[] = {
  #ifdef WITH_OPENSSL
-@@ -146,12 +164,12 @@ static const struct kexalg kexalgs_fips1
+@@ -146,12 +163,12 @@ static const struct kexalg kexalgs_fips1
  
  /* Returns array of macs available depending on selected FIPS mode */
  static const struct kexalg *
@@ -1309,7 +1320,7 @@
                case 1:
                        return kexalgs_fips140_2;
                default:
-@@ -162,13 +180,13 @@ fips_select_kexalgs(void)
+@@ -162,13 +179,13 @@ fips_select_kexalgs(void)
  }
  
  char *
@@ -1325,7 +1336,7 @@
                if (ret != NULL)
                        ret[rlen++] = sep;
                nlen = strlen(k->name);
-@@ -183,15 +201,31 @@ kex_alg_list(char sep)
+@@ -183,15 +200,31 @@ kex_alg_list(char sep)
        return ret;
  }
  
@@ -1358,7 +1369,7 @@
        return NULL;
  }
  
-@@ -363,6 +397,29 @@ kex_assemble_names(char **listp, const c
+@@ -363,6 +396,29 @@ kex_assemble_names(char **listp, const c
        return r;
  }
  
@@ -1385,10 +1396,10 @@
 +      return 1;
 +}
 +
- /* put algorithm proposal into buffer */
- int
- kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
-@@ -765,6 +822,9 @@ kex_free(struct kex *kex)
+ /*
+  * Fill out a proposal array with dynamically allocated values, which may
+  * be modified as required for compatibility reasons.
+@@ -765,6 +821,9 @@ kex_free(struct kex *kex)
        sshbuf_free(kex->session_id);
        sshbuf_free(kex->initial_sig);
        sshkey_free(kex->initial_hostkey);
@@ -1439,9 +1450,9 @@
  char  *kex_names_cat(const char *, const char *);
  int    kex_assemble_names(char **, const char *, const char *);
 +int    kex_gss_names_valid(const char *);
- 
- int    kex_exchange_identification(struct ssh *, int, const char *);
- 
+ void   kex_proposal_populate_entries(struct ssh *, char *prop[PROPOSAL_MAX],
+     const char *, const char *, const char *, const char *, const char *);
+ void   kex_proposal_free_entries(char *prop[PROPOSAL_MAX]);
 @@ -209,6 +226,12 @@ int        kexgex_client(struct ssh *);
  int    kexgex_server(struct ssh *);
  int    kex_gen_client(struct ssh *);
@@ -3511,8 +3522,8 @@
  extern Options options;
  
  /*
-@@ -220,6 +218,11 @@ ssh_kex2(struct ssh *ssh, char *host, st
-       char *s, *all_key;
+@@ -220,10 +218,44 @@ ssh_kex2(struct ssh *ssh, char *host, st
+       char *s, *all_key, *hkalgs = NULL;
        int r, use_known_hosts_order = 0;
  
 +#if defined(GSSAPI) && defined(WITH_OPENSSL)
@@ -3523,9 +3534,6 @@
        xxx_host = host;
        xxx_hostaddr = hostaddr;
        xxx_conn_info = cinfo;
-@@ -264,6 +267,35 @@ ssh_kex2(struct ssh *ssh, char *host, st
-                   compat_pkalg_proposal(ssh, options.hostkeyalgorithms);
-       }
  
 +#if defined(GSSAPI) && defined(WITH_OPENSSL)
 +      if (options.gss_keyex) {
@@ -3559,7 +3567,7 @@
        if (options.rekey_limit || options.rekey_interval)
                ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
                    options.rekey_interval);
-@@ -282,16 +314,46 @@ ssh_kex2(struct ssh *ssh, char *host, st
+@@ -282,17 +314,47 @@ ssh_kex2(struct ssh *ssh, char *host, st
  # ifdef OPENSSL_HAS_ECC
        ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client;
  # endif
@@ -3592,6 +3600,7 @@
        ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &ssh->kex->done);
  
        /* remove ext-info from the KEX proposals for rekeying */
+       free(myproposal[PROPOSAL_KEX_ALGS]);
        myproposal[PROPOSAL_KEX_ALGS] =
            compat_kex_proposal(ssh, options.kex_algorithms);
 +#if defined(GSSAPI) && defined(WITH_OPENSSL)
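Review bot: upstream now frees `myproposal[PROPOSAL_KEX_ALGS]` before reassigning it for rekeying (new context line `free(myproposal[PROPOSAL_KEX_ALGS]);`), so the proposal entries are heap-owned; confirm that the `#if defined(GSSAPI) && defined(WITH_OPENSSL)` block that follows frees whatever it overwrites and stores a heap-allocated string, otherwise the `kex_proposal_free_entries()` path declared in the kex.h hunk will leak or free a static pointer.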
@@ -3751,8 +3760,13 @@
                exit(1);
        }
 @@ -2397,6 +2398,48 @@ do_ssh2_kex(struct ssh *ssh)
-       myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
-           ssh, list_hostkey_types());
+#      myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
+#          ssh, list_hostkey_types());
+#      myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey =
+#         compat_pkalg_proposal(ssh, list_hostkey_types());
+# 
+ 
+       free(hkalgs);
  
 +#if defined(GSSAPI) && defined(WITH_OPENSSL)
 +      {
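Review bot: the four `+#`-prefixed lines at the top of the hunk (`#      myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(`, `#          ssh, list_hostkey_types());` and the `prop_hostkey` pair) are commented-out leftovers, not valid hunk lines (`+`, `-` or a space); they make the `@@ -2397,6 +2398,48 @@` counts and the applied result ambiguous and should be removed, the same way as the commented block in the clientloop.c hunk.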
@@ -3884,22 +3898,40 @@
 ===================================================================
 --- openssh-8.9p1.orig/sshkey.c
 +++ openssh-8.9p1/sshkey.c
-@@ -162,6 +162,7 @@ static const struct keytype keytypes[] =
- #  endif /* ENABLE_SK */
- # endif /* OPENSSL_HAS_ECC */
- #endif /* WITH_OPENSSL */
-+      { "null", "null", NULL, KEY_NULL, 0, 0, 0 },
-       { NULL, NULL, NULL, -1, -1, 0, 0 }
+@@ -127,6 +127,17 @@
+ extern const struct sshkey_impl sshkey_xmss_impl;
+ extern const struct sshkey_impl sshkey_xmss_cert_impl;
+ #endif
++const struct sshkey_impl sshkey_null_impl = {
++      /* .name = */           "null",
++      /* .shortname = */      "null",
++      /* .sigalg = */         NULL,
++      /* .type = */           KEY_NULL,
++      /* .nid = */            0,
++      /* .cert = */           0,
++      /* .sigonly = */        0,
++      /* .keybits = */        0,
++      /* .funcs = */          NULL,
++};
+ 
+ const struct sshkey_impl * const keyimpls[] = {
+       &sshkey_ed25519_impl,
+@@ -162,6 +179,7 @@ static const struct keytype keytypes[] =
+       &sshkey_xmss_impl,
+       &sshkey_xmss_cert_impl,
+ #endif
++        &sshkey_null_impl,
+       NULL
  };
  
-@@ -286,7 +287,7 @@ sshkey_alg_list(int certs_only, int plai
-       const struct keytype *kt;
+@@ -286,7 +304,7 @@ sshkey_alg_list(int certs_only, int plai
  
-       for (kt = keytypes; kt->type != -1; kt++) {
--              if (kt->name == NULL)
-+              if (kt->name == NULL || kt->type == KEY_NULL)
+       for (i = 0; keyimpls[i] != NULL; i++) {
+               impl = keyimpls[i];
+-              if (impl->name == NULL)
++              if (impl->name == NULL || impl->type == KEY_NULL)
                        continue;
-               if (!include_sigonly && kt->sigonly)
+               if (!include_sigonly && impl->sigonly)
                        continue;
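Review bot: `sshkey_null_impl` is registered in `keyimpls[]` with `.funcs = NULL`, so any lookup that resolves `KEY_NULL` to this impl and then calls through `impl->funcs->...` would dereference NULL; the hunk only excludes it from `sshkey_alg_list()`, so check the other `keyimpls[]` walkers (type and name lookups, alloc/free) or give it a stub funcs table. Style: `++        &sshkey_null_impl,` is indented with spaces where the neighbouring entries use a tab.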
 Index: openssh-8.9p1/sshkey.h
 ===================================================================

++++++ openssh-8.1p1-audit.patch ++++++
--- /var/tmp/diff_new_pack.7IQSvn/_old  2023-06-06 19:55:11.130091310 +0200
+++ /var/tmp/diff_new_pack.7IQSvn/_new  2023-06-06 19:55:11.134091334 +0200
@@ -768,8 +768,8 @@
 +int    user_key_verify(struct ssh *, const struct sshkey *, const u_char *, 
size_t,
 +    const u_char *, size_t, const char *, u_int, struct sshkey_sig_details 
**);
  
- FILE  *auth_openkeyfile(const char *, struct passwd *, int);
- FILE  *auth_openprincipals(const char *, struct passwd *, int);
+ int    auth_key_is_revoked(struct sshkey *);
+ 
 @@ -209,6 +211,8 @@ struct sshkey      *get_hostkey_private_by_ty
  int    get_hostkey_index(struct sshkey *, int, struct ssh *);
  int    sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *,
@@ -843,8 +843,8 @@
 +}
 +
  static int
- match_principals_option(const char *principal_list, struct sshkey_cert *cert)
- {
+ match_principals_file(struct passwd *pw, char *file,
+     struct sshkey_cert *cert, struct sshauthopt **authoptsp)
 Index: openssh-8.9p1/auth2.c
 ===================================================================
 --- openssh-8.9p1.orig/auth2.c
@@ -934,9 +934,9 @@
 --- openssh-8.9p1.orig/kex.c
 +++ openssh-8.9p1/kex.c
 @@ -62,6 +62,7 @@
- #include "ssherr.h"
  #include "sshbuf.h"
  #include "digest.h"
+ #include "xmalloc.h"
 +#include "audit.h"
  
  #ifdef GSSAPI
@@ -2165,7 +2165,7 @@
 @@ -71,10 +77,12 @@ void        session_unused(int);
  int    session_input_channel_req(struct ssh *, Channel *, const char *);
  void   session_close_by_pid(struct ssh *ssh, pid_t, int);
- void   session_close_by_channel(struct ssh *, int, void *);
+ void   session_close_by_channel(struct ssh *, int, int, void *);
 -void   session_destroy_all(struct ssh *, void (*)(Session *));
 +void   session_destroy_all(struct ssh *, void (*)(struct ssh*, Session *));
  void   session_pty_cleanup2(Session *);
@@ -2357,7 +2357,7 @@
 +server_accept_loop(struct ssh *ssh, int *sock_in, int *sock_out, int 
*newsock, int *config_s)
  {
        struct pollfd *pfd = NULL;
-       int i, j, ret;
+       int i, j, ret, npfd;
 @@ -1179,6 +1234,7 @@ server_accept_loop(int *sock_in, int *so
                if (received_sigterm) {
                        logit("Received signal %d; terminating.",

++++++ openssh-8.1p1-ed25519-use-openssl-rng.patch ++++++
--- /var/tmp/diff_new_pack.7IQSvn/_old  2023-06-06 19:55:11.150091429 +0200
+++ /var/tmp/diff_new_pack.7IQSvn/_new  2023-06-06 19:55:11.154091452 +0200
@@ -9,7 +9,7 @@
 --- a/ed25519.c
 +++ b/ed25519.c
 @@ -9,6 +9,13 @@
- #include "includes.h"
+ 
  #include "crypto_api.h"
  
 +#ifdef WITH_OPENSSL
@@ -19,12 +19,12 @@
 +
 +#include "log.h"
 +
- #include "ge25519.h"
- 
- static void get_hram(unsigned char *hram, const unsigned char *sm, const 
unsigned char *pk, unsigned char *playground, unsigned long long smlen)
+ #define int8 crypto_int8
+ #define uint8 crypto_uint8
+ #define int16 crypto_int16
 @@ -33,7 +40,15 @@ int crypto_sign_ed25519_keypair(
-   unsigned char extsk[64];
-   int i;
+   sc25519 scsk;
+   ge25519 gepk;
  
 +#ifdef WITH_OPENSSL
 +  /* Use FIPS approved RNG */
@@ -32,12 +32,12 @@
 +    fatal("Couldn't obtain random bytes (error 0x%lx)",
 +          (unsigned long)ERR_get_error());
 +#else
-   randombytes(sk, 32);
+   randombytes(sk,32);
 +#endif
 +
-   crypto_hash_sha512(extsk, sk, 32);
-   extsk[0] &= 248;
-   extsk[31] &= 127;
+   crypto_hash_sha512(az,sk,32);
+   az[0] &= 248;
+   az[31] &= 127;
 diff --git a/kexc25519.c b/kexc25519.c
 index f13d766..2604eda 100644
 --- a/kexc25519.c

++++++ openssh-8.4p1-vendordir.patch ++++++
--- /var/tmp/diff_new_pack.7IQSvn/_old  2023-06-06 19:55:11.182091618 +0200
+++ /var/tmp/diff_new_pack.7IQSvn/_new  2023-06-06 19:55:11.194091689 +0200
@@ -106,7 +106,7 @@
 +.Pq Pa /usr/etc/ssh/ssh_config
  .El
  .Pp
- For each parameter, the first obtained value
+ Unless noted otherwise, for each parameter, the first obtained value
 @@ -2220,6 +2223,11 @@ This file provides defaults for those
  values that are not specified in the user's configuration file, and
  for those users who do not have a configuration file.

++++++ openssh-8.9p1.tar.gz -> openssh-9.3p1.tar.gz ++++++
++++ 73040 lines of diff (skipped)

++++++ openssh-reenable-dh-group14-sha1-default.patch ++++++
--- /var/tmp/diff_new_pack.7IQSvn/_old  2023-06-06 19:55:11.846095555 +0200
+++ /var/tmp/diff_new_pack.7IQSvn/_new  2023-06-06 19:55:11.846095555 +0200
@@ -31,7 +31,7 @@
 --- openssh-8.9p1.orig/sshd_config.5
 +++ openssh-8.9p1/sshd_config.5
 @@ -996,7 +996,7 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec
- sntrup761x25519-sha...@openssh.com,
+ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
  diffie-hellman-group-exchange-sha256,
  diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
 -diffie-hellman-group14-sha256

++++++ openssh-whitelist-syscalls.patch ++++++
--- /var/tmp/diff_new_pack.7IQSvn/_old  2023-06-06 19:55:11.858095626 +0200
+++ /var/tmp/diff_new_pack.7IQSvn/_new  2023-06-06 19:55:11.862095650 +0200
@@ -14,7 +14,7 @@
  #endif
 @@ -213,6 +216,9 @@ static const struct sock_filter preauth_
  #ifdef __NR_futex_time64
-       SC_ALLOW(__NR_futex_time64),
+       SC_FUTEX(__NR_futex_time64),
  #endif
 +#ifdef __NR_futex_time64
 +      SC_ALLOW(__NR_futex_time64),
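Review bot: the added `SC_ALLOW(__NR_futex_time64)` is now redundant with, and looser than, the upstream rule directly above it (`SC_FUTEX(__NR_futex_time64)`): if `SC_FUTEX` only admits a subset of futex operations and falls through for the rest, a later plain `SC_ALLOW` for the same syscall number reopens them in the preauth filter, so this `#ifdef __NR_futex_time64` block should be dropped from the patch.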


++++++ wtmpdb.patch ++++++
diff -ur openssh-8.9p1.old/configure.ac openssh-8.9p1/configure.ac
--- openssh-8.9p1.old/configure.ac      2022-02-23 12:31:11.000000000 +0100
+++ openssh-8.9p1/configure.ac  2023-04-17 14:52:21.499002203 +0200
@@ -1703,6 +1703,49 @@
        fi ]
 )
 
+# Check whether user wants wtmpdb support
+WTMPDB_MSG="no"
+AC_ARG_WITH([wtmpdb],
+       [  --with-wtmpdb[[=PATH]]   Enable wtmpdb support for sshd],
+       [ if test "x$withval" != "xno" ; then
+               if test "x$withval" = "xyes" ; then
+                       AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
+                       if test "x$PKGCONFIG" != "xno"; then
+                               AC_MSG_CHECKING([if $PKGCONFIG knows about 
wtmpdb])
+                               if "$PKGCONFIG" libwtmpdb; then
+                                       AC_MSG_RESULT([yes])
+                                       use_pkgconfig_for_libwtmpdb=yes
+                               else
+                                       AC_MSG_RESULT([no])
+                               fi
+                       fi
+               else
+                       CPPFLAGS="$CPPFLAGS -I${withval}/include"
+                       if test -n "${rpath_opt}"; then
+                               LDFLAGS="-L${withval}/lib 
${rpath_opt}${withval}/lib ${LDFLAGS}"
+                       else
+                               LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+                       fi
+               fi
+               if test "x$use_pkgconfig_for_libwtmpdb" = "xyes"; then
+                       LIBWTMPDB=`$PKGCONFIG --libs libwtmpdb`
+                       CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libwtmpdb`"
+               else
+                       LIBWTMPDB="-lwtmpdb"
+               fi
+               OTHERLIBS=`echo $LIBWTMPDB | sed 's/-lwtmpdb//'`
+               AC_CHECK_LIB([wtmpdb], [wtmpdb_login],
+                       [ AC_DEFINE([USE_WTMPDB], [1], [Use libwtmpdb for sshd])
+                         WTMPDB_MSG="yes"
+                         AC_SUBST([LIBWTMPDB])
+                       ],
+                       [ AC_MSG_ERROR([libwtmpdb not found]) ],
+                       [ $OTHERLIBS ]
+               )
+       fi ]
+)
+
+
 AUDIT_MODULE=none
 AC_ARG_WITH([audit],
        [  --with-audit=module     Enable audit support 
(modules=debug,bsm,linux)],
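Review bot: `WTMPDB_MSG` is set to yes/no but nothing in this hunk adds it to the configuration summary printed at the end of configure.ac; add the corresponding summary line so builders can see whether `USE_WTMPDB` was enabled. Minor: `use_pkgconfig_for_libwtmpdb` is never initialised in the `--with-wtmpdb=PATH` branch and relies on being empty.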
diff -ur openssh-8.9p1.old/loginrec.c openssh-8.9p1/loginrec.c
--- openssh-8.9p1.old/loginrec.c        2022-02-23 12:31:11.000000000 +0100
+++ openssh-8.9p1/loginrec.c    2023-04-18 10:05:04.311193333 +0200
@@ -187,6 +187,10 @@
 # include <util.h>
 #endif
 
+#ifdef USE_WTMPDB
+# include <wtmpdb.h>
+#endif
+
 /**
  ** prototypes for helper functions in this file
  **/
@@ -207,6 +211,9 @@
 int wtmpx_write_entry(struct logininfo *li);
 int lastlog_write_entry(struct logininfo *li);
 int syslogin_write_entry(struct logininfo *li);
+#ifdef USE_WTMPDB
+int wtmpdb_write_entry(struct logininfo *li);
+#endif
 
 int getlast_entry(struct logininfo *li);
 int lastlog_get_entry(struct logininfo *li);
@@ -467,6 +474,9 @@
 #ifdef USE_WTMPX
        wtmpx_write_entry(li);
 #endif
+#ifdef USE_WTMPDB
+       wtmpdb_write_entry(li);
+#endif
 #ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN
        if (li->type == LTYPE_LOGIN &&
            !sys_auth_record_login(li->username,li->hostname,li->line,
@@ -1409,6 +1419,64 @@
 }
 #endif /* USE_WTMPX */
 
+#ifdef USE_WTMPDB
+static int
+wtmpdb_perform_login(struct logininfo *li)
+{
+       uint64_t login_time = li->tv_sec * ((uint64_t) 1000000ULL) + 
li->tv_usec;
+       const char *tty;
+
+       if (strncmp(li->line, "/dev/", 5) == 0)
+               tty = &(li->line[5]);
+       else
+               tty = li->line;
+
+       li->wtmpdb_id = wtmpdb_login(NULL, USER_PROCESS, li->username,
+                                    login_time, tty, li->hostname, 0, 0);
+       if (li->wtmpdb_id < 0)
+               return (0);
+
+       return (1);
+}
+
+
+static int
+wtmpdb_perform_logout(struct logininfo *li)
+{
+       uint64_t logout_time = li->tv_sec * ((uint64_t) 1000000ULL) + 
li->tv_usec;
+
+       if (li->wtmpdb_id == 0) {
+               const char *tty;
+
+         if (strncmp(li->line, "/dev/", 5) == 0)
+               tty = &(li->line[5]);
+         else
+               tty = li->line;
+
+         li->wtmpdb_id = wtmpdb_get_id(NULL, tty, NULL);
+       }
+       wtmpdb_logout(NULL, li->wtmpdb_id, logout_time, NULL);
+
+       return (1);
+}
+
+
+int
+wtmpdb_write_entry(struct logininfo *li)
+{
+       switch(li->type) {
+       case LTYPE_LOGIN:
+               return (wtmpdb_perform_login(li));
+       case LTYPE_LOGOUT:
+               return (wtmpdb_perform_logout(li));
+       default:
+               logit("%s: invalid type field", __func__);
+               return (0);
+       }
+}
+#endif
+
+
 /**
  ** Low-level libutil login() functions
  **/
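Review bot: `wtmpdb_perform_logout()` never checks the result of `wtmpdb_get_id()` and ignores the return value of `wtmpdb_logout()`, returning 1 unconditionally, so a failed lookup (the `< 0` convention used in `wtmpdb_perform_login()` suggests one is possible) still calls `wtmpdb_logout()` with an invalid id and reports success; test the id before the call and return 0 on failure. `wtmpdb_perform_login()` likewise returns 0 silently when `wtmpdb_id < 0`; a `logit()` there would match the default branch in `wtmpdb_write_entry()`. Style: the `/dev/` stripping is duplicated in both functions, and the logout copy uses space indentation where the rest of the file uses tabs.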
diff -ur openssh-8.9p1.old/loginrec.h openssh-8.9p1/loginrec.h
--- openssh-8.9p1.old/loginrec.h        2022-02-23 12:31:11.000000000 +0100
+++ openssh-8.9p1/loginrec.h    2023-04-17 14:58:20.808850750 +0200
@@ -79,6 +79,9 @@
        unsigned int tv_sec;
        unsigned int tv_usec;
        union login_netinfo hostaddr;       /* caller's host address(es) */
+#ifdef USE_WTMPDB
+       int64_t wtmpdb_id;                  /* ID for wtmpdb_logout */
+#endif
 }; /* struct logininfo */
 
 /*
diff -ur openssh-8.9p1.old/Makefile.in openssh-8.9p1/Makefile.in
--- openssh-8.9p1.old/Makefile.in       2022-02-23 12:31:11.000000000 +0100
+++ openssh-8.9p1/Makefile.in   2023-04-17 14:44:32.156538001 +0200
@@ -55,6 +55,7 @@
 SSHDLIBS=@SSHDLIBS@
 LIBEDIT=@LIBEDIT@
 LIBFIDO2=@LIBFIDO2@
+LIBWTMPDB=@LIBWTMPDB@
 AR=@AR@
 AWK=@AWK@
 RANLIB=@RANLIB@
@@ -212,7 +213,7 @@
        $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) 
$(GSSLIBS) $(CHANNELLIBS)
 
 sshd$(EXEEXT): libssh.a        $(LIBCOMPAT) $(SSHDOBJS)
-       $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) 
$(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS)
+       $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) 
$(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
 
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
        $(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
