Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked in at 2019-10-25 18:39:52

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and      /work/SRC/openSUSE:Factory/.openssh.new.2990 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openssh"

Fri Oct 25 18:39:52 2019 rev:135 rq:738544 version:8.1p1

Changes:
--------
--- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2019-08-27 15:21:07.276848868 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.2990/openssh.changes 2019-10-25 18:39:55.831772282 +0200
@@ -1,0 +2,132 @@ +Mon Oct 14 23:58:39 UTC 2019 - Hans Petter Jansson <[email protected]> + +- Add openssh-7.9p1-keygen-preserve-perms.patch (bsc#1150574). + This attempts to preserve the permissions of any existing + known_hosts file when modified by ssh-keygen (for instance, + with -R). +- Add patch from upstream openssh-7.9p1-revert-new-qos-defaults.patch + +------------------------------------------------------------------- +Mon Oct 14 23:56:42 UTC 2019 - Hans Petter Jansson <[email protected]> + +- Run 'ssh-keygen -A' on startup only if SSHD_AUTO_KEYGEN="yes" + in /etc/sysconfig/ssh. This is set to "yes" by default, but + can be changed by the system administrator (bsc#1139089). + +------------------------------------------------------------------- +Mon Oct 14 23:50:04 UTC 2019 - Hans Petter Jansson <[email protected]> + +- Add openssh-7.9p1-keygen-preserve-perms.patch (bsc#1150574). + This attempts to preserve the permissions of any existing + known_hosts file when modified by ssh-keygen (for instance, + with -R). + +------------------------------------------------------------------- +Thu Oct 10 00:41:18 UTC 2019 - Hans Petter Jansson <[email protected]> + +- Version update to 8.1p1: + * ssh-keygen(1): when acting as a CA and signing certificates with + an RSA key, default to using the rsa-sha2-512 signature algorithm. + Certificates signed by RSA keys will therefore be incompatible + with OpenSSH versions prior to 7.2 unless the default is + overridden (using "ssh-keygen -t ssh-rsa -s ..."). + * ssh(1): Allow %n to be expanded in ProxyCommand strings + * ssh(1), sshd(8): Allow prepending a list of algorithms to the + default set by starting the list with the '^' character, E.g. + "HostKeyAlgorithms ^ssh-ed25519" + * ssh-keygen(1): add an experimental lightweight signature and + verification ability. Signatures may be made using regular ssh keys + held on disk or stored in a ssh-agent and verified against an + authorized_keys-like list of allowed keys. 
Signatures embed a + namespace that prevents confusion and attacks between different + usage domains (e.g. files vs email). + * ssh-keygen(1): print key comment when extracting public key from a + private key. + * ssh-keygen(1): accept the verbose flag when searching for host keys + in known hosts (i.e. "ssh-keygen -vF host") to print the matching + host's random-art signature too. + * All: support PKCS8 as an optional format for storage of private + keys to disk. The OpenSSH native key format remains the default, + but PKCS8 is a superior format to PEM if interoperability with + non-OpenSSH software is required, as it may use a less insecure + key derivation function than PEM's. + +- Additional changes from 8.0p1 release: + * scp(1): Add "-T" flag to disable client-side filtering of + server file list. + * sshd(8): Remove support for obsolete "host/port" syntax. + * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in + PKCS#11 tokens. + * ssh(1), sshd(8): Add experimental quantum-computing resistant + key exchange method, based on a combination of Streamlined NTRU + Prime 4591^761 and X25519. + * ssh-keygen(1): Increase the default RSA key size to 3072 bits, + following NIST Special Publication 800-57's guidance for a + 128-bit equivalent symmetric security level. + * ssh(1): Allow "PKCS11Provider=none" to override later instances of + the PKCS11Provider directive in ssh_config, + * sshd(8): Add a log message for situations where a connection is + dropped for attempting to run a command but a sshd_config + ForceCommand=internal-sftp restriction is in effect. + * ssh(1): When prompting whether to record a new host key, accept + the key fingerprint as a synonym for "yes". This allows the user + to paste a fingerprint obtained out of band at the prompt and + have the client do the comparison for you. 
+ * ssh-keygen(1): When signing multiple certificates on a single + command-line invocation, allow automatically incrementing the + certificate serial number. + * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on + the scp and sftp command-lines. + * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" + command-line flags to increase the verbosity of output; pass + verbose flags though to subprocesses, such as ssh-pkcs11-helper + started from ssh-agent. + * ssh-add(1): Add a "-T" option to allowing testing whether keys in + an agent are usable by performing a signature and a verification. + * sftp-server(8): Add a "[email protected]" protocol extension + that replicates the functionality of the existing SSH2_FXP_SETSTAT + operation but does not follow symlinks. + * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request + they do not follow symlinks. + * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes + the connection 4-tuple available to PAM modules that wish to use + it in decision-making. + * sshd(8): Add a ssh_config "Match final" predicate Matches in same + pass as "Match canonical" but doesn't require hostname + canonicalisation be enabled. + * sftp(1): Support a prefix of '@' to suppress echo of sftp batch + commands. + * ssh-keygen(1): When printing certificate contents using + "ssh-keygen -Lf /path/certificate", include the algorithm that + the CA used to sign the cert. 
+ +- Rebased patches: + * openssh-7.7p1-IPv6_X_forwarding.patch + * openssh-7.7p1-X_forward_with_disabled_ipv6.patch + * openssh-7.7p1-cavstest-ctr.patch + * openssh-7.7p1-cavstest-kdf.patch + * openssh-7.7p1-disable_openssl_abi_check.patch + * openssh-7.7p1-fips.patch + * openssh-7.7p1-fips_checks.patch + * openssh-7.7p1-hostname_changes_when_forwarding_X.patch + * openssh-7.7p1-ldap.patch + * openssh-7.7p1-seed-prng.patch + * openssh-7.7p1-sftp_force_permissions.patch + * openssh-7.7p1-sftp_print_diagnostic_messages.patch + * openssh-8.0p1-gssapi-keyex.patch (formerly + openssh-7.7p1-gssapi_key_exchange.patch) + * openssh-8.1p1-audit.patch (formerly openssh-7.7p1-audit.patch) + +- Removed patches (integrated upstream): + * 0001-upstream-Fix-two-race-conditions-in-sshd-relating-to.patch + * openssh-7.7p1-seccomp_ioctl_s390_EP11.patch + * openssh-7.9p1-CVE-2018-20685.patch + * openssh-7.9p1-brace-expansion.patch + * openssh-CVE-2019-6109-force-progressmeter-update.patch + * openssh-CVE-2019-6109-sanitize-scp-filenames.patch + * openssh-CVE-2019-6111-scp-client-wildcard.patch + +- Removed patches (obsolete): + * openssh-openssl-1_0_0-compatibility.patch + +------------------------------------------------------------------- Old: ---- 0001-upstream-Fix-two-race-conditions-in-sshd-relating-to.patch openssh-7.7p1-audit.patch openssh-7.7p1-gssapi_key_exchange.patch openssh-7.7p1-seccomp_ioctl_s390_EP11.patch openssh-7.9p1-CVE-2018-20685.patch openssh-7.9p1-brace-expansion.patch openssh-7.9p1.tar.gz openssh-7.9p1.tar.gz.asc openssh-CVE-2019-6109-force-progressmeter-update.patch openssh-CVE-2019-6109-sanitize-scp-filenames.patch openssh-CVE-2019-6111-scp-client-wildcard.patch openssh-openssl-1_0_0-compatibility.patch New: ---- openssh-7.9p1-keygen-preserve-perms.patch openssh-7.9p1-revert-new-qos-defaults.patch openssh-8.0p1-gssapi-keyex.patch openssh-8.1p1-audit.patch openssh-8.1p1.tar.gz openssh-8.1p1.tar.gz.asc 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssh-askpass-gnome.spec ++++++ --- /var/tmp/diff_new_pack.Tr8kM3/_old 2019-10-25 18:39:56.995773378 +0200 +++ /var/tmp/diff_new_pack.Tr8kM3/_new 2019-10-25 18:39:56.999773381 +0200 @@ -18,7 +18,7 @@ %define _name openssh Name: openssh-askpass-gnome -Version: 7.9p1 +Version: 8.1p1 Release: 0 Summary: A GNOME-Based Passphrase Dialog for OpenSSH License: BSD-2-Clause ++++++ openssh.spec ++++++ --- /var/tmp/diff_new_pack.Tr8kM3/_old 2019-10-25 18:39:57.015773397 +0200 +++ /var/tmp/diff_new_pack.Tr8kM3/_new 2019-10-25 18:39:57.015773397 +0200 @@ -37,7 +37,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: openssh -Version: 7.9p1 +Version: 8.1p1 Release: 0 Summary: Secure Shell Client and Server (Remote Login Program) License: BSD-2-Clause AND MIT @@ -70,7 +70,6 @@ # https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Patch15: openssh-7.7p1-seccomp_ipc_flock.patch # https://bugzilla.mindrot.org/show_bug.cgi?id=2752 -Patch16: openssh-7.7p1-seccomp_ioctl_s390_EP11.patch # Local FIPS patchset Patch17: openssh-7.7p1-fips.patch # Local cavs patchset @@ -82,9 +81,9 @@ Patch21: openssh-7.7p1-seed-prng.patch # https://bugzilla.mindrot.org/show_bug.cgi?id=2641 Patch22: openssh-7.7p1-systemd-notify.patch -Patch23: openssh-7.7p1-gssapi_key_exchange.patch +Patch23: openssh-8.0p1-gssapi-keyex.patch # https://bugzilla.mindrot.org/show_bug.cgi?id=1402 -Patch24: openssh-7.7p1-audit.patch +Patch24: openssh-8.1p1-audit.patch # Local patch to disable runtime abi SSL checks, quite pointless for us Patch26: openssh-7.7p1-disable_openssl_abi_check.patch # https://bugzilla.mindrot.org/show_bug.cgi?id=2641 
@@ -98,13 +97,8 @@ # https://bugzilla.mindrot.org/show_bug.cgi?id=2213 Patch32: openssh-7.7p1-IPv6_X_forwarding.patch Patch33: openssh-7.7p1-sftp_print_diagnostic_messages.patch -Patch34: openssh-openssl-1_0_0-compatibility.patch -Patch35: openssh-7.9p1-CVE-2018-20685.patch -Patch36: openssh-CVE-2019-6109-sanitize-scp-filenames.patch -Patch37: openssh-CVE-2019-6109-force-progressmeter-update.patch -Patch38: openssh-CVE-2019-6111-scp-client-wildcard.patch -Patch39: openssh-7.9p1-brace-expansion.patch -Patch40: 0001-upstream-Fix-two-race-conditions-in-sshd-relating-to.patch +Patch34: openssh-7.9p1-keygen-preserve-perms.patch +Patch35: openssh-7.9p1-revert-new-qos-defaults.patch BuildRequires: audit-devel BuildRequires: autoconf BuildRequires: groff ++++++ openssh-7.7p1-X_forward_with_disabled_ipv6.patch ++++++ --- /var/tmp/diff_new_pack.Tr8kM3/_old 2019-10-25 18:39:57.087773464 +0200 +++ /var/tmp/diff_new_pack.Tr8kM3/_new 2019-10-25 18:39:57.087773464 +0200 @@ -3,15 +3,11 @@ Do not throw away already open sockets for X11 forwarding if another socket family is not available for bind() -diff --git a/openssh-7.7p1/channels.c b/openssh-7.7p1/channels.c ---- openssh-7.7p1/channels.c -+++ openssh-7.7p1/channels.c -@@ -4421,16 +4421,23 @@ x11_create_display_inet(struct ssh *ssh, - if (ai->ai_family == AF_INET6) - sock_set_v6only(sock); - if (x11_use_localhost) - set_reuseaddr(sock); - if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { +diff --git a/channels.c b/channels.c +index f51b7e3..95af47e 100644 +--- a/channels.c ++++ b/channels.c +@@ -4637,6 +4637,13 @@ x11_create_display_inet(struct ssh *ssh, int x11_display_offset, debug2("%s: bind port %d: %.100s", __func__, port, strerror(errno)); close(sock); 
@@ -21,12 +17,7 @@ + * disabled while being supported) + */ + if (EADDRNOTAVAIL == errno) -+ continue; ++ continue; for (n = 0; n < num_socks; n++) close(socks[n]); num_socks = 0; - break; - } - socks[num_socks++] = sock; - if (num_socks == NUM_SOCKS) - break; ++++++ openssh-7.7p1-cavstest-ctr.patch ++++++ --- /var/tmp/diff_new_pack.Tr8kM3/_old 2019-10-25 18:39:57.095773472 +0200 +++ /var/tmp/diff_new_pack.Tr8kM3/_new 2019-10-25 18:39:57.095773472 +0200 @@ -2,11 +2,11 @@ # Parent cc1022edba2c5eeb0facba08468f65afc2466b63 CAVS test for OpenSSH's own CTR encryption mode implementation -Index: openssh-7.9p1/Makefile.in -=================================================================== ---- openssh-7.9p1.orig/Makefile.in -+++ openssh-7.9p1/Makefile.in -@@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas +diff --git a/Makefile.in b/Makefile.in +index 7488595..d426006 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper @@ -23,7 +23,7 @@ XMSS_OBJS=\ ssh-xmss.o \ sshkey-xmss.o \ -@@ -204,6 +207,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss +@@ -210,6 +213,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o s sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) 
@@ -34,7 +34,7 @@ # test driver for the loginrec code - not built by default logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) -@@ -348,6 +355,7 @@ install-files: +@@ -354,6 +361,7 @@ install-files: $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) @@ -42,10 +42,11 @@ $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -Index: openssh-7.9p1/cavstest-ctr.c -=================================================================== +diff --git a/cavstest-ctr.c b/cavstest-ctr.c +new file mode 100644 +index 0000000..f81cb72 --- /dev/null -+++ openssh-7.9p1/cavstest-ctr.c ++++ b/cavstest-ctr.c @@ -0,0 +1,214 @@ +/* + * @@ -261,13 +262,13 @@ + printf("\n"); + return 0; +} -Index: openssh-7.9p1/cipher.c -=================================================================== ---- openssh-7.9p1.orig/cipher.c -+++ openssh-7.9p1/cipher.c -@@ -54,15 +54,6 @@ - #include "fips.h" - #include "log.h" +diff --git a/cipher.c b/cipher.c +index acca752..b67a4ff 100644 +--- a/cipher.c ++++ b/cipher.c +@@ -58,15 +58,6 @@ + #define EVP_CIPHER_CTX void + #endif -struct sshcipher_ctx { - int plaintext; 
@@ -281,11 +282,11 @@ struct sshcipher { char *name; u_int block_size; -Index: openssh-7.9p1/cipher.h -=================================================================== ---- openssh-7.9p1.orig/cipher.h -+++ openssh-7.9p1/cipher.h -@@ -46,7 +46,15 @@ +diff --git a/cipher.h b/cipher.h +index 5843aab..d7d8c89 100644 +--- a/cipher.h ++++ b/cipher.h +@@ -48,7 +48,15 @@ #define CIPHER_DECRYPT 0 struct sshcipher; ++++++ openssh-7.7p1-cavstest-kdf.patch ++++++ --- /var/tmp/diff_new_pack.Tr8kM3/_old 2019-10-25 18:39:57.103773480 +0200 +++ /var/tmp/diff_new_pack.Tr8kM3/_new 2019-10-25 18:39:57.103773480 +0200 @@ -2,10 +2,10 @@ # Parent 1e1d5a2ab8bddfc800f570755f9ea1addcc878c1 CAVS test for KDF implementation in OpenSSH -Index: openssh-7.9p1/Makefile.in -=================================================================== ---- openssh-7.9p1.orig/Makefile.in 2019-03-12 16:12:42.213142294 +0100 -+++ openssh-7.9p1/Makefile.in 2019-03-28 13:49:37.150166231 +0100 +diff --git a/Makefile.in b/Makefile.in +index d426006..85818f4 100644 +--- a/Makefile.in ++++ b/Makefile.in @@ -25,6 +25,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper @@ -23,7 +23,7 @@ XMSS_OBJS=\ ssh-xmss.o \ -@@ -211,6 +212,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sft +@@ -217,6 +218,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glo cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o $(LD) -o $@ cavstest-ctr.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) 
@@ -33,7 +33,7 @@ # test driver for the loginrec code - not built by default logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) -@@ -356,6 +360,7 @@ install-files: +@@ -362,6 +366,7 @@ install-files: $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT) @@ -41,11 +41,12 @@ $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -Index: openssh-7.9p1/cavstest-kdf.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssh-7.9p1/cavstest-kdf.c 2019-03-28 13:54:20.047709759 +0100 -@@ -0,0 +1,384 @@ +diff --git a/cavstest-kdf.c b/cavstest-kdf.c +new file mode 100644 +index 0000000..a6ecf45 +--- /dev/null ++++ b/cavstest-kdf.c +@@ -0,0 +1,402 @@ +/* + * Copyright (C) 2015, Stephan Mueller <[email protected]> + * @@ -93,6 +94,7 @@ +#include <openssl/bn.h> + +#include "xmalloc.h" ++#include "ssherr.h" +#include "sshbuf.h" +#include "sshkey.h" +#include "cipher.h" 
@@ -208,6 +210,23 @@ + unsigned int ik_len; +}; + ++#ifdef WITH_OPENSSL ++static int ++kex_derive_keys_bn(struct ssh *ssh, u_char *hash, u_int hashlen, ++ const BIGNUM *secret) ++{ ++ struct sshbuf *shared_secret; ++ int r; ++ ++ if ((shared_secret = sshbuf_new()) == NULL) ++ return SSH_ERR_ALLOC_FAIL; ++ if ((r = sshbuf_put_bignum2(shared_secret, secret)) == 0) ++ r = kex_derive_keys(ssh, hash, hashlen, shared_secret); ++ sshbuf_free(shared_secret); ++ return r; ++} ++#endif ++ +static int sshkdf_cavs(struct kdf_cavs *test) +{ + int ret = 0; ++++++ openssh-7.7p1-disable_openssl_abi_check.patch ++++++ --- /var/tmp/diff_new_pack.Tr8kM3/_old 2019-10-25 18:39:57.111773487 +0200 +++ /var/tmp/diff_new_pack.Tr8kM3/_new 2019-10-25 18:39:57.111773487 +0200 @@ -4,15 +4,11 @@ reliable indicator of ABI changes and doesn't make much sense in a distribution package -diff --git a/openssh-7.7p1/configure.ac b/openssh-7.7p1/configure.ac ---- openssh-7.7p1/configure.ac -+++ openssh-7.7p1/configure.ac -@@ -4895,16 +4895,29 @@ AC_ARG_WITH([bsd-auth], - if test "x$withval" != "xno" ; then - AC_DEFINE([BSD_AUTH], [1], - [Define if you have BSD auth support]) - BSD_AUTH_MSG=yes - fi +diff --git a/configure.ac b/configure.ac +index 42ffd95..20a1884 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -4878,6 +4878,19 @@ AC_ARG_WITH([bsd-auth], ] ) 
@@ -32,33 +28,21 @@ # Where to place sshd.pid piddir=/var/run # make sure the directory exists - if test ! -d $piddir ; then - piddir=`eval echo ${sysconfdir}` - case $piddir in - NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;; - esac -diff --git a/openssh-7.7p1/entropy.c b/openssh-7.7p1/entropy.c ---- openssh-7.7p1/entropy.c -+++ openssh-7.7p1/entropy.c -@@ -209,19 +209,21 @@ rexec_recv_rng_seed(Buffer *m) - #endif /* OPENSSL_PRNG_ONLY */ +diff --git a/entropy.c b/entropy.c +index f8b9f42..4957b23 100644 +--- a/entropy.c ++++ b/entropy.c +@@ -223,11 +223,13 @@ seed_rng(void) + /* Initialise libcrypto */ + ssh_libcrypto_init(); - void - seed_rng(void) - { - #ifndef OPENSSL_PRNG_ONLY - unsigned char buf[RANDOM_SEED_SIZE]; - #endif +#ifndef DISTRO_SSL - if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER, SSLeay())) + if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER, + OpenSSL_version_num())) fatal("OpenSSL version mismatch. Built against %lx, you " - "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay()); + "have %lx", (u_long)OPENSSL_VERSION_NUMBER, + OpenSSL_version_num()); +#endif #ifndef OPENSSL_PRNG_ONLY - if (RAND_status() == 1) { - debug3("RNG is ready, skipping seeding"); - return; - } - - if (seed_from_prngd(buf, sizeof(buf)) == -1) + if (RAND_status() == 1) ++++++ openssh-7.7p1-fips.patch ++++++ --- /var/tmp/diff_new_pack.Tr8kM3/_old 2019-10-25 18:39:57.123773498 +0200 +++ /var/tmp/diff_new_pack.Tr8kM3/_new 2019-10-25 18:39:57.123773498 +0200 
@@ -3,23 +3,23 @@ FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved algorithms. -Index: openssh-7.9p1/Makefile.in -=================================================================== ---- openssh-7.9p1.orig/Makefile.in 2019-02-28 17:20:15.767164591 +0100 -+++ openssh-7.9p1/Makefile.in 2019-03-12 11:41:49.662894934 +0100 -@@ -102,6 +102,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ - kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \ +diff --git a/Makefile.in b/Makefile.in +index 1d2b2d9..7488595 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -103,6 +103,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ platform-pledge.o platform-tracing.o platform-misc.o + +LIBSSH_OBJS += fips.o + SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect2.o mux.o -Index: openssh-7.9p1/cipher-ctr.c -=================================================================== ---- openssh-7.9p1.orig/cipher-ctr.c 2018-10-17 02:01:20.000000000 +0200 -+++ openssh-7.9p1/cipher-ctr.c 2019-02-28 17:20:15.919165544 +0100 +diff --git a/cipher-ctr.c b/cipher-ctr.c +index 32771f2..b66f92f 100644 +--- a/cipher-ctr.c ++++ b/cipher-ctr.c @@ -27,6 +27,8 @@ #include "xmalloc.h" #include "log.h" @@ -38,20 +38,21 @@ #endif return (&aes_ctr); } -Index: openssh-7.9p1/cipher.c -=================================================================== ---- openssh-7.9p1.orig/cipher.c 2018-10-17 02:01:20.000000000 +0200 -+++ openssh-7.9p1/cipher.c 2019-03-12 11:41:49.662894934 +0100 -@@ -51,6 +51,8 @@ +diff --git a/cipher.c b/cipher.c +index 25f98ba..acca752 100644 +--- a/cipher.c ++++ b/cipher.c +@@ -51,6 +51,9 @@ #include "openbsd-compat/openssl-compat.h" +#include "fips.h" +#include "log.h" - - struct sshcipher_ctx { - int plaintext; -@@ -80,7 +82,7 @@ struct sshcipher { ++ + #ifndef WITH_OPENSSL + #define EVP_CIPHER_CTX void + #endif +@@ -83,7 +86,7 @@ struct sshcipher { #endif }; 
@@ -60,7 +61,7 @@ #ifdef WITH_OPENSSL #ifndef OPENSSL_NO_DES { "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc }, -@@ -111,8 +113,52 @@ static const struct sshcipher ciphers[] +@@ -114,8 +117,52 @@ static const struct sshcipher ciphers[] = { { NULL, 0, 0, 0, 0, 0, NULL } }; @@ -113,7 +114,7 @@ /* Returns a comma-separated list of supported ciphers. */ char * cipher_alg_list(char sep, int auth_only) -@@ -121,7 +167,7 @@ cipher_alg_list(char sep, int auth_only) +@@ -124,7 +171,7 @@ cipher_alg_list(char sep, int auth_only) size_t nlen, rlen = 0; const struct sshcipher *c; @@ -122,7 +123,7 @@ if ((c->flags & CFLAG_INTERNAL) != 0) continue; if (auth_only && c->auth_len == 0) -@@ -193,7 +239,7 @@ const struct sshcipher * +@@ -196,7 +243,7 @@ const struct sshcipher * cipher_by_name(const char *name) { const struct sshcipher *c; @@ -131,10 +132,11 @@ if (strcmp(c->name, name) == 0) return c; return NULL; -Index: openssh-7.9p1/fips.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssh-7.9p1/fips.c 2019-03-12 11:42:10.971006569 +0100 +diff --git a/fips.c b/fips.c +new file mode 100644 +index 0000000..23e3876 +--- /dev/null ++++ b/fips.c @@ -0,0 +1,212 @@ +/* + * Copyright (c) 2012 Petr Cerny. All rights reserved. @@ -348,10 +350,11 @@ + return dgst; +} + -Index: openssh-7.9p1/fips.h -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssh-7.9p1/fips.h 2019-03-12 11:41:49.514894158 +0100 +diff --git a/fips.h b/fips.h +new file mode 100644 +index 0000000..a115a61 +--- /dev/null ++++ b/fips.h @@ -0,0 +1,44 @@ +/* + * Copyright (c) 2012 Petr Cerny. All rights reserved. 
@@ -397,11 +400,11 @@ + +#endif + -Index: openssh-7.9p1/hmac.c -=================================================================== ---- openssh-7.9p1.orig/hmac.c 2018-10-17 02:01:20.000000000 +0200 -+++ openssh-7.9p1/hmac.c 2019-02-28 17:20:15.919165544 +0100 -@@ -144,7 +144,7 @@ hmac_test(void *key, size_t klen, void * +diff --git a/hmac.c b/hmac.c +index 3268887..b905a1e 100644 +--- a/hmac.c ++++ b/hmac.c +@@ -146,7 +146,7 @@ hmac_test(void *key, size_t klen, void *m, size_t mlen, u_char *e, size_t elen) size_t i; u_char digest[16]; @@ -410,11 +413,11 @@ printf("ssh_hmac_start failed"); if (ssh_hmac_init(ctx, key, klen) < 0 || ssh_hmac_update(ctx, m, mlen) < 0 || -Index: openssh-7.9p1/kex.c -=================================================================== ---- openssh-7.9p1.orig/kex.c 2018-10-17 02:01:20.000000000 +0200 -+++ openssh-7.9p1/kex.c 2019-02-28 17:20:15.919165544 +0100 -@@ -54,6 +54,8 @@ +diff --git a/kex.c b/kex.c +index 49d7015..1f82c2e 100644 +--- a/kex.c ++++ b/kex.c +@@ -60,6 +60,8 @@ #include "sshbuf.h" #include "digest.h" @@ -423,7 +426,7 @@ /* prototype */ static int kex_choose_conf(struct ssh *); static int kex_input_newkeys(int, u_int32_t, struct ssh *); -@@ -77,7 +79,7 @@ struct kexalg { +@@ -83,7 +85,7 @@ struct kexalg { int ec_nid; int hash_alg; }; @@ -432,8 +435,8 @@ #ifdef WITH_OPENSSL { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 }, -@@ -106,6 +108,47 @@ static const struct kexalg kexalgs[] = { - { NULL, -1, -1, -1}, +@@ -114,6 +116,47 @@ static const struct kexalg kexalgs[] = { + { NULL, 0, -1, -1}, }; +static const struct kexalg kexalgs_fips140_2[] = { @@ -480,7 +483,7 @@ char * kex_alg_list(char sep) { -@@ -113,7 +156,7 @@ kex_alg_list(char sep) +@@ -121,7 +164,7 @@ kex_alg_list(char sep) size_t nlen, rlen = 0; const struct kexalg *k; 
@@ -489,7 +492,7 @@ if (ret != NULL) ret[rlen++] = sep; nlen = strlen(k->name); -@@ -133,7 +176,7 @@ kex_alg_by_name(const char *name) +@@ -141,7 +184,7 @@ kex_alg_by_name(const char *name) { const struct kexalg *k; @@ -498,7 +501,7 @@ if (strcmp(k->name, name) == 0) return k; } -@@ -153,7 +196,10 @@ kex_names_valid(const char *names) +@@ -161,7 +204,10 @@ kex_names_valid(const char *names) for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { if (kex_alg_by_name(p) == NULL) { @@ -509,11 +512,11 @@ free(s); return 0; } -Index: openssh-7.9p1/mac.c -=================================================================== ---- openssh-7.9p1.orig/mac.c 2018-10-17 02:01:20.000000000 +0200 -+++ openssh-7.9p1/mac.c 2019-02-28 17:20:15.923165569 +0100 -@@ -40,6 +40,9 @@ +diff --git a/mac.c b/mac.c +index f3dda66..90d71c8 100644 +--- a/mac.c ++++ b/mac.c +@@ -41,6 +41,9 @@ #include "openbsd-compat/openssl-compat.h" @@ -523,7 +526,7 @@ #define SSH_DIGEST 1 /* SSH_DIGEST_XXX */ #define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */ #define SSH_UMAC128 3 -@@ -54,7 +57,7 @@ struct macalg { +@@ -55,7 +58,7 @@ struct macalg { int etm; /* Encrypt-then-MAC */ }; @@ -532,7 +535,7 @@ /* Encrypt-and-MAC (encrypt-and-authenticate) variants */ { "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 }, { "hmac-sha1-96", SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 }, -@@ -82,6 +85,41 @@ static const struct macalg macs[] = { +@@ -79,6 +82,41 @@ static const struct macalg macs[] = { { NULL, 0, 0, 0, 0, 0, 0 } }; @@ -574,7 +577,7 @@ /* Returns a list of supported MACs separated by the specified char. */ char * mac_alg_list(char sep) -@@ -90,7 +128,7 @@ mac_alg_list(char sep) +@@ -87,7 +125,7 @@ mac_alg_list(char sep) size_t nlen, rlen = 0; const struct macalg *m; 
@@ -583,7 +586,7 @@ if (ret != NULL) ret[rlen++] = sep; nlen = strlen(m->name); -@@ -129,7 +167,7 @@ mac_setup(struct sshmac *mac, char *name +@@ -126,7 +164,7 @@ mac_setup(struct sshmac *mac, char *name) { const struct macalg *m; @@ -592,11 +595,11 @@ if (strcmp(name, m->name) != 0) continue; if (mac != NULL) -Index: openssh-7.9p1/myproposal.h -=================================================================== ---- openssh-7.9p1.orig/myproposal.h 2018-10-17 02:01:20.000000000 +0200 -+++ openssh-7.9p1/myproposal.h 2019-02-28 17:20:15.923165569 +0100 -@@ -151,6 +151,8 @@ +diff --git a/myproposal.h b/myproposal.h +index 34bd10c..e6be484 100644 +--- a/myproposal.h ++++ b/myproposal.h +@@ -144,6 +144,8 @@ #else /* WITH_OPENSSL */ @@ -605,10 +608,10 @@ #define KEX_SERVER_KEX \ "curve25519-sha256," \ "[email protected]" -Index: openssh-7.9p1/readconf.c -=================================================================== ---- openssh-7.9p1.orig/readconf.c 2018-10-17 02:01:20.000000000 +0200 -+++ openssh-7.9p1/readconf.c 2019-02-28 20:20:19.619112418 +0100 +diff --git a/readconf.c b/readconf.c +index f78b4d6..228f481 100644 +--- a/readconf.c ++++ b/readconf.c @@ -68,6 +68,8 @@ #include "myproposal.h" #include "digest.h" @@ -618,7 +621,7 @@ /* Format of the configuration file: # Configuration data is parsed as follows: -@@ -1816,6 +1818,23 @@ option_clear_or_none(const char *o) +@@ -1837,6 +1839,23 @@ option_clear_or_none(const char *o) return o == NULL || strcasecmp(o, "none") == 0; } @@ -642,7 +645,7 @@ /* * Initializes options to special values that indicate that they have not yet * been set. Read_config_file will only set options with this value. Options -@@ -2095,6 +2114,8 @@ fill_default_options(Options * options) +@@ -2116,6 +2135,8 @@ fill_default_options(Options * options) options->canonicalize_hostname = SSH_CANONICALISE_NO; if (options->fingerprint_hash == -1) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; 
@@ -651,7 +654,7 @@ if (options->update_hostkeys == -1) options->update_hostkeys = 0; -@@ -2122,6 +2143,7 @@ fill_default_options(Options * options) +@@ -2143,6 +2164,7 @@ fill_default_options(Options * options) free(all_kex); free(all_key); free(all_sig); @@ -659,10 +662,10 @@ #define CLEAR_ON_NONE(v) \ do { \ -Index: openssh-7.9p1/readconf.h -=================================================================== ---- openssh-7.9p1.orig/readconf.h 2018-10-17 02:01:20.000000000 +0200 -+++ openssh-7.9p1/readconf.h 2019-02-28 17:20:15.923165569 +0100 +diff --git a/readconf.h b/readconf.h +index 8e36bf3..67111e9 100644 +--- a/readconf.h ++++ b/readconf.h @@ -197,6 +197,7 @@ typedef struct { #define SSH_STRICT_HOSTKEY_YES 2 #define SSH_STRICT_HOSTKEY_ASK 3 @@ -671,10 +674,10 @@ void initialize_options(Options *); void fill_default_options(Options *); void fill_default_options_for_canonicalization(Options *); -Index: openssh-7.9p1/servconf.c -=================================================================== ---- openssh-7.9p1.orig/servconf.c 2019-02-28 17:20:15.851165117 +0100 -+++ openssh-7.9p1/servconf.c 2019-02-28 17:20:15.923165569 +0100 +diff --git a/servconf.c b/servconf.c +index f58fecb..a8833a9 100644 +--- a/servconf.c ++++ b/servconf.c @@ -64,6 +64,7 @@ #include "auth.h" #include "myproposal.h" @@ -716,7 +719,7 @@ } static void -@@ -410,6 +430,8 @@ fill_default_server_options(ServerOption +@@ -424,6 +444,8 @@ fill_default_server_options(ServerOptions *options) options->fwd_opts.streamlocal_bind_unlink = 0; if (options->fingerprint_hash == -1) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; 
@@ -725,20 +728,20 @@ if (options->disable_forwarding == -1) options->disable_forwarding = 0; if (options->expose_userauth_info == -1) -Index: openssh-7.9p1/ssh-keygen.c -=================================================================== ---- openssh-7.9p1.orig/ssh-keygen.c 2018-10-17 02:01:20.000000000 +0200 -+++ openssh-7.9p1/ssh-keygen.c 2019-02-28 17:20:15.923165569 +0100 -@@ -61,6 +61,8 @@ - #include "utf8.h" +diff --git a/ssh-keygen.c b/ssh-keygen.c +index 8c829ca..da63fb0 100644 +--- a/ssh-keygen.c ++++ b/ssh-keygen.c +@@ -64,6 +64,8 @@ #include "authfd.h" + #include "sshsig.h" +#include "fips.h" + #ifdef WITH_OPENSSL # define DEFAULT_KEY_TYPE_NAME "rsa" #else -@@ -996,11 +998,13 @@ do_fingerprint(struct passwd *pw) +@@ -1002,11 +1004,13 @@ do_fingerprint(struct passwd *pw) static void do_gen_all_hostkeys(struct passwd *pw) { @@ -754,7 +757,7 @@ #ifdef WITH_OPENSSL { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE }, { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE }, -@@ -1015,6 +1019,17 @@ do_gen_all_hostkeys(struct passwd *pw) +@@ -1021,6 +1025,17 @@ do_gen_all_hostkeys(struct passwd *pw) { NULL, NULL, NULL } }; @@ -769,10 +772,10 @@ + }; + + struct Key_types *key_types; + u_int32_t bits = 0; int first = 0; struct stat st; - struct sshkey *private, *public; -@@ -1022,6 +1037,12 @@ do_gen_all_hostkeys(struct passwd *pw) +@@ -1029,6 +1044,12 @@ do_gen_all_hostkeys(struct passwd *pw) int i, type, fd, r; FILE *f; @@ -785,7 +788,7 @@ for (i = 0; key_types[i].key_type; i++) { public = private = NULL; prv_tmp = pub_tmp = prv_file = pub_file = NULL; -@@ -2817,6 +2838,15 @@ main(int argc, char **argv) +@@ -3215,6 +3236,15 @@ main(int argc, char **argv) key_type_name = DEFAULT_KEY_TYPE_NAME; type = sshkey_type_from_name(key_type_name); 
@@ -801,35 +804,11 @@ type_bits_valid(type, key_type_name, &bits); if (!quiet) -Index: openssh-7.9p1/ssh_config.0 -=================================================================== ---- openssh-7.9p1.orig/ssh_config.0 2018-10-19 03:06:19.000000000 +0200 -+++ openssh-7.9p1/ssh_config.0 2019-02-28 17:20:15.923165569 +0100 -@@ -353,6 +353,9 @@ DESCRIPTION - Specifies the hash algorithm used when displaying key - fingerprints. Valid options are: md5 and sha256 (the default). - -+ In the FIPS mode the minimum of SHA-1 is enforced (which means -+ sha256). -+ - ForwardAgent - Specifies whether the connection to the authentication agent (if - any) will be forwarded to the remote machine. The argument must -@@ -610,6 +613,9 @@ DESCRIPTION - The list of available key exchange algorithms may also be - obtained using "ssh -Q kex". - -+ In the FIPS mode the FIPS standard takes precedence over RFC and -+ forces the minimum to a higher value, currently 2048 bits. -+ - LocalCommand - Specifies a command to execute on the local machine after - successfully connecting to the server. The command string -Index: openssh-7.9p1/ssh_config.5 -=================================================================== ---- openssh-7.9p1.orig/ssh_config.5 2018-10-17 02:01:20.000000000 +0200 -+++ openssh-7.9p1/ssh_config.5 2019-02-28 17:20:15.923165569 +0100 -@@ -642,6 +642,8 @@ Valid options are: +diff --git a/ssh_config.5 b/ssh_config.5 +index 02a8789..f0cb291 100644 +--- a/ssh_config.5 ++++ b/ssh_config.5 +@@ -664,6 +664,8 @@ Valid options are: and .Cm sha256 (the default). 
@@ -838,11 +817,11 @@ .It Cm ForwardAgent Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. -Index: openssh-7.9p1/sshd.c -=================================================================== ---- openssh-7.9p1.orig/sshd.c 2018-10-17 02:01:20.000000000 +0200 -+++ openssh-7.9p1/sshd.c 2019-03-12 11:41:49.514894158 +0100 -@@ -123,6 +123,8 @@ +diff --git a/sshd.c b/sshd.c +index 6b55ef7..c8086cd 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -127,6 +127,8 @@ #include "version.h" #include "ssherr.h" 
@@ -851,35 +830,11 @@ /* Re-exec fds */ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) -Index: openssh-7.9p1/sshd_config.0 -=================================================================== ---- openssh-7.9p1.orig/sshd_config.0 2019-02-28 17:20:15.851165117 +0100 -+++ openssh-7.9p1/sshd_config.0 2019-02-28 17:20:15.927165594 +0100 -@@ -348,6 +348,9 @@ DESCRIPTION - Specifies the hash algorithm used when logging key fingerprints. - Valid options are: md5 and sha256. The default is sha256. - -+ In the FIPS mode the minimum of SHA-1 is enforced (which means -+ sha256). -+ - ForceCommand - Forces the execution of the command specified by ForceCommand, - ignoring any command supplied by the client and ~/.ssh/rc if -@@ -555,6 +558,9 @@ DESCRIPTION - The list of available key exchange algorithms may also be - obtained using "ssh -Q kex". - -+ In the FIPS mode the FIPS standard takes precedence over RFC and -+ forces the minimum to a higher value, currently 2048 bits. -+ - ListenAddress - Specifies the local addresses sshd(8) should listen on. The - following forms may be used: -Index: openssh-7.9p1/sshd_config.5 -=================================================================== ---- openssh-7.9p1.orig/sshd_config.5 2019-02-28 17:20:15.851165117 +0100 -+++ openssh-7.9p1/sshd_config.5 2019-02-28 17:20:15.927165594 +0100 -@@ -603,6 +603,8 @@ and +diff --git a/sshd_config.5 b/sshd_config.5 +index 0707b47..8818ea5 100644 +--- a/sshd_config.5 ++++ b/sshd_config.5 +@@ -605,6 +605,8 @@ and .Cm sha256 . The default is .Cm sha256 . ++++++ openssh-7.7p1-fips_checks.patch ++++++ --- /var/tmp/diff_new_pack.Tr8kM3/_old 2019-10-25 18:39:57.131773506 +0200 +++ /var/tmp/diff_new_pack.Tr8kM3/_new 2019-10-25 18:39:57.131773506 +0200 
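Review bot: the ssh_config.0 and sshd_config.0 hunks are dropped from the FIPS patch above while the ssh_config.5 and sshd_config.5 hunks are kept; that is only safe if the pre-formatted .0 pages are regenerated from the .5 sources at build time, otherwise the FIPS notes for FingerprintHash and KexAlgorithms vanish from the installed plain-text pages. While the .5 text is being touched anyway, the sentence carried over from the dropped .0 hunks, "In the FIPS mode the minimum of SHA-1 is enforced (which means sha256)", should be reworded: the option only accepts md5 and sha256, so the point to state is that md5 is rejected and sha256 is used in FIPS mode.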
@@ -14,10 +14,11 @@ # file is not found (or the hash matches), proceed in non-FIPS mode and abort # otherwise. -Index: openssh-7.9p1/fips-check.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssh-7.9p1/fips-check.c 2019-03-12 11:42:19.299050200 +0100 +diff --git a/fips-check.c b/fips-check.c +new file mode 100644 +index 0000000..eceb031 +--- /dev/null ++++ b/fips-check.c @@ -0,0 +1,34 @@ +#include "includes.h" +#include <fcntl.h> @@ -53,10 +54,10 @@ + fips_ssh_init(); + return 0; +} -Index: openssh-7.9p1/fips.c -=================================================================== ---- openssh-7.9p1.orig/fips.c 2019-03-12 11:42:19.299050200 +0100 -+++ openssh-7.9p1/fips.c 2019-03-12 11:43:02.363275819 +0100 +diff --git a/fips.c b/fips.c +index 23e3876..297ae99 100644 +--- a/fips.c ++++ b/fips.c @@ -35,30 +35,293 @@ #include "log.h" #include "xmalloc.h" @@ -245,9 +246,7 @@ { int fips_required = 0; - char *env = getenv(SSH_FORCE_FIPS_ENV); -+ int fips_fd; -+ char fips_sys = 0; - +- - if (env) { - errno = 0; - fips_required = strtol(env, NULL, 10); @@ -257,6 +256,9 @@ - fips_required = 0; - } else - fips_required = 1; ++ int fips_fd; ++ char fips_sys = 0; ++ + struct stat dummy; + if (-1 == stat(FIPS_PROC_PATH, &dummy)) { + switch (errno) { @@ -362,10 +364,10 @@ int fips_mode(void) { -Index: openssh-7.9p1/fips.h -=================================================================== ---- openssh-7.9p1.orig/fips.h 2019-03-12 11:42:13.819021490 +0100 -+++ openssh-7.9p1/fips.h 2019-03-12 11:42:19.303050221 +0100 +diff --git a/fips.h b/fips.h +index a115a61..3404684 100644 +--- a/fips.h ++++ b/fips.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012 Petr Cerny. All rights reserved. 
@@ -402,38 +404,38 @@ int fips_mode(void); int fips_correct_dgst(int); int fips_dgst_min(void); -@@ -41,4 +56,3 @@ enum fp_type fips_correct_fp_type(enum +@@ -41,4 +56,3 @@ enum fp_type fips_correct_fp_type(enum fp_type); int fips_filter_crypto(char **, fips_filters); #endif - -Index: openssh-7.9p1/sftp-server.c -=================================================================== ---- openssh-7.9p1.orig/sftp-server.c 2019-03-12 11:42:13.819021490 +0100 -+++ openssh-7.9p1/sftp-server.c 2019-03-12 11:42:19.303050221 +0100 -@@ -51,6 +51,8 @@ - #include "sftp.h" - #include "sftp-common.h" +diff --git a/sftp-server.c b/sftp-server.c +index b133cbc..c3086b6 100644 +--- a/sftp-server.c ++++ b/sftp-server.c +@@ -53,6 +53,8 @@ + + char *sftp_realpath(const char *, char *); /* sftp-realpath.c */ +#include "fips.h" + /* Our verbosity */ static LogLevel log_level = SYSLOG_LEVEL_ERROR; -@@ -1509,6 +1511,9 @@ sftp_server_main(int argc, char **argv, +@@ -1595,6 +1597,9 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) extern char *optarg; extern char *__progname; + /* initialize fips */ + fips_ssh_init(); + - ssh_malloc_init(); /* must be called before any mallocs */ __progname = ssh_get_progname(argv[0]); log_init(__progname, log_level, log_facility, log_stderr); -Index: openssh-7.9p1/ssh.c -=================================================================== ---- openssh-7.9p1.orig/ssh.c 2019-03-12 11:42:13.823021511 +0100 -+++ openssh-7.9p1/ssh.c 2019-03-12 11:42:19.303050221 +0100 + +diff --git a/ssh.c b/ssh.c +index ee51823..882d1da 100644 +--- a/ssh.c ++++ b/ssh.c @@ -113,6 +113,8 @@ #include "ssh-pkcs11.h" #endif 
@@ -443,29 +445,29 @@ extern char *__progname; /* Saves a copy of argv for setproctitle emulation */ -@@ -593,6 +595,10 @@ main(int ac, char **av) +@@ -596,6 +598,10 @@ main(int ac, char **av) struct ssh_digest_ctx *md; u_char conn_hash[SSH_DIGEST_MAX_LENGTH]; -+ /* initialize fips - can go before ssh_malloc_init(), since that is a -+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */ ++ /* initialize fips - can go before ssh_malloc_init(), since that is a ++ * OpenBSD-only thing (as of OpenSSH 7.6p1) */ + fips_ssh_init(); + - ssh_malloc_init(); /* must be called before any mallocs */ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); -Index: openssh-7.9p1/sshd.c -=================================================================== ---- openssh-7.9p1.orig/sshd.c 2019-03-12 11:42:13.823021511 +0100 -+++ openssh-7.9p1/sshd.c 2019-03-12 11:42:19.303050221 +0100 -@@ -1485,6 +1485,10 @@ main(int ac, char **av) + +diff --git a/sshd.c b/sshd.c +index c8086cd..bb20eec 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -1443,6 +1443,10 @@ main(int ac, char **av) Authctxt *authctxt; struct connection_info *connection_info = NULL; -+ /* initialize fips - can go before ssh_malloc_init(), since that is a -+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */ ++ /* initialize fips - can go before ssh_malloc_init(), since that is a ++ * OpenBSD-only thing (as of OpenSSH 7.6p1) */ + fips_ssh_init(); + - ssh_malloc_init(); /* must be called before any mallocs */ - #ifdef HAVE_SECUREWARE + (void)set_auth_parameters(ac, av); + #endif ++++++ openssh-7.7p1-hostname_changes_when_forwarding_X.patch ++++++ --- /var/tmp/diff_new_pack.Tr8kM3/_old 2019-10-25 18:39:57.139773514 +0200 +++ /var/tmp/diff_new_pack.Tr8kM3/_new 2019-10-25 18:39:57.143773517 +0200 
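Review bot: the comment added to main() in the ssh.c and sshd.c hunks, "initialize fips - can go before ssh_malloc_init(), since that is a OpenBSD-only thing (as of OpenSSH 7.6p1)", is stale after this rebase: the same hunks drop the `ssh_malloc_init(); /* must be called before any mallocs */` context line, so the call the comment positions itself against no longer exists at that spot. Since the rebase already rewrites those two comment lines (whitespace only), reword them to say what actually matters, for example "/* initialize FIPS mode before any OpenSSL use */", and if the old wording is kept, fix "a OpenBSD-only" to "an OpenBSD-only".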
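Review bot: in the new fips-check.c, main() ends with `fips_ssh_init(); return 0;`, so the tool's exit status is 0 unless fips_ssh_init() terminates the process itself; the patch header says the check must abort when the hash does not match, which means that abort path lives entirely inside fips_ssh_init(). A one-line comment above the call stating that a mismatch is fatal inside fips_ssh_init(), and that 0 therefore means "check passed or FIPS not required", saves the next reader from looking for a missing return code.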
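Review bot: in the sftp-server.c hunk the new `#include "fips.h"` lands after the `char *sftp_realpath(const char *, char *); /* sftp-realpath.c */` prototype rather than among the other includes; move it up next to `#include "sftp-common.h"` so the include block stays contiguous.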
@@ -5,11 +5,11 @@ bnc#98627 -Index: openssh-7.8p1/session.c -=================================================================== ---- openssh-7.8p1.orig/session.c -+++ openssh-7.8p1/session.c -@@ -1009,7 +1009,7 @@ copy_environment(char **source, char *** +diff --git a/session.c b/session.c +index 94d7438..d81060c 100644 +--- a/session.c ++++ b/session.c +@@ -981,7 +981,7 @@ copy_environment(char **source, char ***env, u_int *envsize) } static char ** @@ -18,7 +18,7 @@ { char buf[256]; size_t n; -@@ -1213,6 +1213,8 @@ do_setup_env(struct ssh *ssh, Session *s +@@ -1191,6 +1191,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) for (i = 0; env[i]; i++) fprintf(stderr, " %.200s\n", env[i]); } @@ -27,7 +27,7 @@ return env; } -@@ -1221,7 +1223,7 @@ do_setup_env(struct ssh *ssh, Session *s +@@ -1199,7 +1201,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) * first in this order). */ static void @@ -36,7 +36,7 @@ { FILE *f = NULL; char cmd[1024]; -@@ -1276,12 +1278,20 @@ do_rc_files(struct ssh *ssh, Session *s, +@@ -1254,12 +1256,20 @@ do_rc_files(struct ssh *ssh, Session *s, const char *shell) options.xauth_location); f = popen(cmd, "w"); if (f) { @@ -57,15 +57,15 @@ } else { fprintf(stderr, "Could not run %s\n", cmd); -@@ -1534,6 +1544,7 @@ do_child(struct ssh *ssh, Session *s, co - { - extern char **environ; - char **env; -+ int env_size; - char *argv[ARGV_MAX]; +@@ -1515,6 +1525,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) + char **env, *argv[ARGV_MAX], remote_id[512]; const char *shell, *shell0; struct passwd *pw = s->pw; -@@ -1591,7 +1602,7 @@ do_child(struct ssh *ssh, Session *s, co ++ int env_size; + int r = 0; + + sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id)); +@@ -1571,7 +1582,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) * Make sure $SHELL points to the shell from the password file, * even if shell is overridden from login.conf */ 
@@ -74,7 +74,7 @@ #ifdef HAVE_LOGIN_CAP shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); -@@ -1655,7 +1666,7 @@ do_child(struct ssh *ssh, Session *s, co +@@ -1635,7 +1646,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) closefrom(STDERR_FILENO + 1); ++++++ openssh-7.7p1-ldap.patch ++++++ --- /var/tmp/diff_new_pack.Tr8kM3/_old 2019-10-25 18:39:57.147773521 +0200 +++ /var/tmp/diff_new_pack.Tr8kM3/_new 2019-10-25 18:39:57.151773525 +0200 @@ -10,10 +10,11 @@ # internal versions. ssh-keyconverter consequently fails to link as it lacks # the proper flags, and libopenbsd-compat doesn't contain the b64_* functions) -Index: openssh-7.9p1/HOWTO.ldap-keys -=================================================================== +diff --git a/HOWTO.ldap-keys b/HOWTO.ldap-keys +new file mode 100644 +index 0000000..831d399 --- /dev/null -+++ openssh-7.9p1/HOWTO.ldap-keys ++++ b/HOWTO.ldap-keys @@ -0,0 +1,108 @@ + +HOW TO START @@ -123,11 +124,11 @@ + - frederic peters. + - Finlay dobbie. + - Stefan Fisher. -Index: openssh-7.9p1/Makefile.in -=================================================================== ---- openssh-7.9p1.orig/Makefile.in -+++ openssh-7.9p1/Makefile.in -@@ -24,6 +24,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas +diff --git a/Makefile.in b/Makefile.in +index 750aada..1baf5c6 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -24,6 +24,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper @@ -136,7 +137,7 @@ CAVSTEST_CTR=$(libexecdir)/cavstest-ctr CAVSTEST_KDF=$(libexecdir)/cavstest-kdf PRIVSEP_PATH=@PRIVSEP_PATH@ -@@ -66,6 +68,9 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-a +@@ -66,6 +68,9 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keys TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT) 
@@ -146,7 +147,7 @@ XMSS_OBJS=\ ssh-xmss.o \ sshkey-xmss.o \ -@@ -130,8 +135,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw +@@ -127,8 +132,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \ sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \ sandbox-solaris.o uidswap.o @@ -157,17 +158,17 @@ MANTYPE = @MANTYPE@ CONFIGFILES=sshd_config.out ssh_config.out moduli.out -@@ -206,6 +211,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) +@@ -208,6 +213,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) +ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o + $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) + - sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o - $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-realpath.o sftp-server-main.o + $(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) -@@ -361,6 +369,10 @@ install-files: +@@ -363,6 +371,10 @@ install-files: $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) 
@@ -178,7 +179,7 @@ $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT) -@@ -379,6 +391,10 @@ install-files: +@@ -381,6 +393,10 @@ install-files: $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 @@ -189,7 +190,7 @@ install-sysconf: $(MKDIR_P) $(DESTDIR)$(sysconfdir) -@@ -402,6 +418,13 @@ install-sysconf: +@@ -404,6 +420,13 @@ install-sysconf: else \ echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \ fi @@ -203,7 +204,7 @@ host-key: ssh-keygen$(EXEEXT) @if [ -z "$(DESTDIR)" ] ; then \ -@@ -439,6 +462,8 @@ uninstall: +@@ -441,6 +464,8 @@ uninstall: -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) @@ -212,7 +213,7 @@ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -@@ -450,6 +475,7 @@ uninstall: +@@ -452,6 +477,7 @@ uninstall: -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 
@@ -220,11 +221,11 @@ regress-prep: $(MKDIR_P) `pwd`/regress/unittests/test_helper -Index: openssh-7.9p1/configure.ac -=================================================================== ---- openssh-7.9p1.orig/configure.ac -+++ openssh-7.9p1/configure.ac -@@ -1671,6 +1671,106 @@ AC_ARG_WITH([audit], +diff --git a/configure.ac b/configure.ac +index 20a1884..ff9c11a 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1651,6 +1651,106 @@ AC_ARG_WITH([audit], esac ] ) @@ -331,10 +332,11 @@ AC_ARG_WITH([pie], [ --with-pie Build Position Independent Executables if possible], [ if test "x$withval" = "xno"; then -Index: openssh-7.9p1/ldap-helper.c -=================================================================== +diff --git a/ldap-helper.c b/ldap-helper.c +new file mode 100644 +index 0000000..0efff1f --- /dev/null -+++ openssh-7.9p1/ldap-helper.c ++++ b/ldap-helper.c @@ -0,0 +1,155 @@ +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -491,10 +493,11 @@ +void *buffer_get_string(struct sshbuf *b, u_int *l) { return NULL; } +void buffer_put_string(struct sshbuf *b, const void *f, u_int l) {} + -Index: openssh-7.9p1/ldap-helper.h -=================================================================== +diff --git a/ldap-helper.h b/ldap-helper.h +new file mode 100644 +index 0000000..14cb29a --- /dev/null -+++ openssh-7.9p1/ldap-helper.h ++++ b/ldap-helper.h @@ -0,0 +1,32 @@ +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -528,10 +531,11 @@ +extern int config_warning_config_file; + +#endif /* LDAP_HELPER_H */ -Index: openssh-7.9p1/ldap.conf -=================================================================== +diff --git a/ldap.conf b/ldap.conf +new file mode 100644 +index 0000000..42e38d3 --- /dev/null -+++ openssh-7.9p1/ldap.conf ++++ b/ldap.conf @@ -0,0 +1,88 @@ +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $ +# 
@@ -621,10 +625,11 @@ +#tls_cert +#tls_key + -Index: openssh-7.9p1/ldapbody.c -=================================================================== +diff --git a/ldapbody.c b/ldapbody.c +new file mode 100644 +index 0000000..032cc89 --- /dev/null -+++ openssh-7.9p1/ldapbody.c ++++ b/ldapbody.c @@ -0,0 +1,494 @@ +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1120,10 +1125,11 @@ + return; +} + -Index: openssh-7.9p1/ldapbody.h -=================================================================== +diff --git a/ldapbody.h b/ldapbody.h +new file mode 100644 +index 0000000..665dca2 --- /dev/null -+++ openssh-7.9p1/ldapbody.h ++++ b/ldapbody.h @@ -0,0 +1,37 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1162,10 +1168,11 @@ + +#endif /* LDAPBODY_H */ + -Index: openssh-7.9p1/ldapconf.c -=================================================================== +diff --git a/ldapconf.c b/ldapconf.c +new file mode 100644 +index 0000000..2e22438 --- /dev/null -+++ openssh-7.9p1/ldapconf.c ++++ b/ldapconf.c @@ -0,0 +1,711 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1878,10 +1885,11 @@ + dump_cfg_string(lSSH_Filter, options.ssh_filter); +} + -Index: openssh-7.9p1/ldapconf.h -=================================================================== +diff --git a/ldapconf.h b/ldapconf.h +new file mode 100644 +index 0000000..c2aa704 --- /dev/null -+++ openssh-7.9p1/ldapconf.h ++++ b/ldapconf.h @@ -0,0 +1,71 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1954,10 +1962,11 @@ +void dump_config(void); + +#endif /* LDAPCONF_H */ -Index: openssh-7.9p1/ldapincludes.h -=================================================================== +diff --git a/ldapincludes.h b/ldapincludes.h +new file mode 100644 +index 0000000..8539bdc --- /dev/null -+++ openssh-7.9p1/ldapincludes.h ++++ b/ldapincludes.h @@ -0,0 +1,41 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* 
@@ -2000,10 +2009,11 @@ +#endif + +#endif /* LDAPINCLUDES_H */ -Index: openssh-7.9p1/ldapmisc.c -=================================================================== +diff --git a/ldapmisc.c b/ldapmisc.c +new file mode 100644 +index 0000000..de23c0c --- /dev/null -+++ openssh-7.9p1/ldapmisc.c ++++ b/ldapmisc.c @@ -0,0 +1,79 @@ + +#include "ldapincludes.h" @@ -2084,10 +2094,11 @@ +} +#endif + -Index: openssh-7.9p1/ldapmisc.h -=================================================================== +diff --git a/ldapmisc.h b/ldapmisc.h +new file mode 100644 +index 0000000..4c271df --- /dev/null -+++ openssh-7.9p1/ldapmisc.h ++++ b/ldapmisc.h @@ -0,0 +1,35 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -2124,10 +2135,10 @@ + +#endif /* LDAPMISC_H */ + -Index: openssh-7.9p1/openbsd-compat/base64.c -=================================================================== ---- openssh-7.9p1.orig/openbsd-compat/base64.c -+++ openssh-7.9p1/openbsd-compat/base64.c +diff --git a/openbsd-compat/base64.c b/openbsd-compat/base64.c +index 9e74667..14824be 100644 +--- a/openbsd-compat/base64.c ++++ b/openbsd-compat/base64.c @@ -46,7 +46,7 @@ #include "includes.h" @@ -2146,7 +2157,7 @@ int b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize) { -@@ -185,7 +185,7 @@ b64_ntop(u_char const *src, size_t srcle +@@ -185,7 +185,7 @@ b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize) } #endif /* !defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP) */ @@ -2155,10 +2166,10 @@ /* skips all whitespace anywhere. converts characters, four at a time, starting at (or after) -Index: openssh-7.9p1/openbsd-compat/base64.h -=================================================================== ---- openssh-7.9p1.orig/openbsd-compat/base64.h -+++ openssh-7.9p1/openbsd-compat/base64.h +diff --git a/openbsd-compat/base64.h b/openbsd-compat/base64.h +index bd77293..e27df9a 100644 +--- a/openbsd-compat/base64.h ++++ b/openbsd-compat/base64.h 
@@ -45,16 +45,16 @@ #include "includes.h" @@ -2180,10 +2191,11 @@ int b64_pton(char const *src, u_char *target, size_t targsize); # endif /* !HAVE_B64_PTON */ # define __b64_pton(a,b,c) b64_pton(a,b,c) -Index: openssh-7.9p1/openssh-lpk-openldap.schema -=================================================================== +diff --git a/openssh-lpk-openldap.schema b/openssh-lpk-openldap.schema +new file mode 100644 +index 0000000..c84f90f --- /dev/null -+++ openssh-7.9p1/openssh-lpk-openldap.schema ++++ b/openssh-lpk-openldap.schema @@ -0,0 +1,21 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey @@ -2206,10 +2218,11 @@ + DESC 'MANDATORY: OpenSSH LPK objectclass' + MUST ( sshPublicKey $ uid ) + ) -Index: openssh-7.9p1/openssh-lpk-sun.schema -=================================================================== +diff --git a/openssh-lpk-sun.schema b/openssh-lpk-sun.schema +new file mode 100644 +index 0000000..3136673 --- /dev/null -+++ openssh-7.9p1/openssh-lpk-sun.schema ++++ b/openssh-lpk-sun.schema @@ -0,0 +1,23 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey @@ -2234,10 +2247,11 @@ + DESC 'MANDATORY: OpenSSH LPK objectclass' + MUST ( sshPublicKey $ uid ) + ) -Index: openssh-7.9p1/ssh-ldap-helper.8 -=================================================================== +diff --git a/ssh-ldap-helper.8 b/ssh-ldap-helper.8 +new file mode 100644 +index 0000000..f8440e4 --- /dev/null -+++ openssh-7.9p1/ssh-ldap-helper.8 ++++ b/ssh-ldap-helper.8 @@ -0,0 +1,79 @@ +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" @@ -2318,19 +2332,21 @@ +OpenSSH 5.5 + PKA-LDAP . +.Sh AUTHORS +.An Jan F. Chadima Aq [email protected] -Index: openssh-7.9p1/ssh-ldap-wrapper -=================================================================== +diff --git a/ssh-ldap-wrapper b/ssh-ldap-wrapper +new file mode 100644 +index 0000000..9fdfc37 --- /dev/null -+++ openssh-7.9p1/ssh-ldap-wrapper ++++ b/ssh-ldap-wrapper 
@@ -0,0 +1,4 @@ +#!/bin/sh + +exec @LIBEXECDIR@/ssh-ldap-helper -s "$1" + -Index: openssh-7.9p1/ssh-ldap.conf.5 -=================================================================== +diff --git a/ssh-ldap.conf.5 b/ssh-ldap.conf.5 +new file mode 100644 +index 0000000..15eb03d --- /dev/null -+++ openssh-7.9p1/ssh-ldap.conf.5 ++++ b/ssh-ldap.conf.5 @@ -0,0 +1,376 @@ +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" ++++++ openssh-7.7p1-seed-prng.patch ++++++ --- /var/tmp/diff_new_pack.Tr8kM3/_old 2019-10-25 18:39:57.171773544 +0200 +++ /var/tmp/diff_new_pack.Tr8kM3/_new 2019-10-25 18:39:57.171773544 +0200 
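Review bot: ldap-helper.c ends with link-time stubs `void *buffer_get_string(struct sshbuf *b, u_int *l) { return NULL; }` and `void buffer_put_string(struct sshbuf *b, const void *f, u_int l) {}`; if any code path in ssh-ldap-helper reaches them it gets a NULL pointer or a silently dropped write instead of an error. Either make them call fatal() with a clear message or add a comment explaining why they can never be called.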
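Review bot: several of the new LDAP files carry identification tags that name a different file: ldapconf.h and ldapincludes.h both open with `$OpenBSD: ldapconf.c,v 1.1 ...`, ldapmisc.h with `$OpenBSD: ldapbody.h,v 1.1 ...`, ldap-helper.c with `$OpenBSD: ssh-pka-ldap.c,v 1.1 ...`, and ldap.conf with `$Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 ...`. Drop these tags or correct them so they do not mislead anyone tracing the provenance of the code.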
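Review bot: the ssh-ldap-helper link line in the Makefile.in hunk lists `-lssh -lopenbsd-compat -lssh -lopenbsd-compat`; the repetition works around circular references between the two static archives, but nothing in the patch says so. Add a comment, or use `-Wl,--start-group -lssh -lopenbsd-compat -Wl,--end-group` where the linker supports it, so the next rebase does not "clean it up".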
@@ -3,25 +3,71 @@ # extended support for (re-)seeding the OpenSSL PRNG from /dev/random # bnc#703221, FATE#312172 -Index: openssh-7.8p1/entropy.c -=================================================================== ---- openssh-7.8p1.orig/entropy.c -+++ openssh-7.8p1/entropy.c -@@ -235,6 +235,9 @@ seed_rng(void) - memset(buf, '\0', sizeof(buf)); +diff --git a/Makefile.in b/Makefile.in +index 85818f4..750aada 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -182,13 +182,13 @@ libssh.a: $(LIBSSH_OBJS) + $(RANLIB) $@ + ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) +- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS) ++ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(SSHLIBS) $(LIBS) $(GSSLIBS) + + sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) +- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) ++ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) + + scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o +- $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) + + ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o + $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) +@@ -197,10 +197,10 @@ ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o + $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + + ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o sshsig.o +- $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) + + ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o compat.o +- $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) 
++ $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) + + ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o + $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) +@@ -209,10 +209,10 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o + $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) + + sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-realpath.o sftp-server-main.o +- $(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) + + sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o +- $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) ++ $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) + + # FIPS tests + cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o +diff --git a/entropy.c b/entropy.c +index 5de6801..f8b9f42 100644 +--- a/entropy.c ++++ b/entropy.c +@@ -239,6 +239,8 @@ seed_rng(void) + } #endif /* OPENSSL_PRNG_ONLY */ -+ + + linux_seed(); + if (RAND_status() != 1) fatal("PRNG is not seeded"); - } -Index: openssh-7.8p1/openbsd-compat/Makefile.in -=================================================================== ---- openssh-7.8p1.orig/openbsd-compat/Makefile.in -+++ openssh-7.8p1/openbsd-compat/Makefile.in -@@ -90,6 +90,7 @@ COMPAT= arc4random.o \ + +diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in +index 1162dc5..80fd688 100644 +--- a/openbsd-compat/Makefile.in ++++ b/openbsd-compat/Makefile.in +@@ -91,6 +91,7 
@@ COMPAT= arc4random.o \ PORTS= port-aix.o \ port-irix.o \ port-linux.o \ @@ -29,10 +75,11 @@ port-solaris.o \ port-net.o \ port-uw.o -Index: openssh-7.8p1/openbsd-compat/port-linux-prng.c -=================================================================== +diff --git a/openbsd-compat/port-linux-prng.c b/openbsd-compat/port-linux-prng.c +new file mode 100644 +index 0000000..dfc4bdb --- /dev/null -+++ openssh-7.8p1/openbsd-compat/port-linux-prng.c ++++ b/openbsd-compat/port-linux-prng.c @@ -0,0 +1,81 @@ +/* + * Copyright (c) 2011 Jan F. Chadima <[email protected]> @@ -115,10 +162,10 @@ + fatal ("EOF reading %s", rand_file); + } +} -Index: openssh-7.8p1/openbsd-compat/port-linux.h -=================================================================== ---- openssh-7.8p1.orig/openbsd-compat/port-linux.h -+++ openssh-7.8p1/openbsd-compat/port-linux.h +diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h +index 3c22a85..2dc1fd0 100644 +--- a/openbsd-compat/port-linux.h ++++ b/openbsd-compat/port-linux.h @@ -17,6 +17,10 @@ #ifndef _PORT_LINUX_H #define _PORT_LINUX_H @@ -130,11 +177,11 @@ #ifdef WITH_SELINUX int ssh_selinux_enabled(void); void ssh_selinux_setup_pty(char *, const char *); -Index: openssh-7.8p1/ssh-add.1 -=================================================================== ---- openssh-7.8p1.orig/ssh-add.1 -+++ openssh-7.8p1/ssh-add.1 -@@ -172,6 +172,20 @@ to make this work.) +diff --git a/ssh-add.1 b/ssh-add.1 +index d4e1c60..6f76900 100644 +--- a/ssh-add.1 ++++ b/ssh-add.1 +@@ -189,6 +189,20 @@ to make this work.) Identifies the path of a .Ux Ns -domain socket used to communicate with the agent. 
@@ -155,11 +202,11 @@ .El .Sh FILES .Bl -tag -width Ds -Index: openssh-7.8p1/ssh-agent.1 -=================================================================== ---- openssh-7.8p1.orig/ssh-agent.1 -+++ openssh-7.8p1/ssh-agent.1 -@@ -214,6 +214,23 @@ sockets used to contain the connection t +diff --git a/ssh-agent.1 b/ssh-agent.1 +index 83b2b41..9e187f2 100644 +--- a/ssh-agent.1 ++++ b/ssh-agent.1 +@@ -214,6 +214,23 @@ sockets used to contain the connection to the authentication agent. These sockets should only be readable by the owner. The sockets should get automatically removed when the agent exits. .El @@ -183,11 +230,11 @@ .Sh SEE ALSO .Xr ssh 1 , .Xr ssh-add 1 , -Index: openssh-7.8p1/ssh-keygen.1 -=================================================================== ---- openssh-7.8p1.orig/ssh-keygen.1 -+++ openssh-7.8p1/ssh-keygen.1 -@@ -869,6 +869,23 @@ Contains Diffie-Hellman groups used for +diff --git a/ssh-keygen.1 b/ssh-keygen.1 +index 957d2f0..70c4a28 100644 +--- a/ssh-keygen.1 ++++ b/ssh-keygen.1 +@@ -1054,6 +1054,23 @@ Contains Diffie-Hellman groups used for DH-GEX. The file format is described in .Xr moduli 5 . .El @@ -211,11 +258,11 @@ .Sh SEE ALSO .Xr ssh 1 , .Xr ssh-add 1 , -Index: openssh-7.8p1/ssh-keysign.8 -=================================================================== ---- openssh-7.8p1.orig/ssh-keysign.8 -+++ openssh-7.8p1/ssh-keysign.8 -@@ -80,6 +80,23 @@ must be set-uid root if host-based authe +diff --git a/ssh-keysign.8 b/ssh-keysign.8 +index 19b0dbc..639b56e 100644 +--- a/ssh-keysign.8 ++++ b/ssh-keysign.8 +@@ -80,6 +80,23 @@ must be set-uid root if host-based authentication is used. If these files exist they are assumed to contain public certificate information corresponding with the private keys above. .El 
@@ -239,11 +286,11 @@ .Sh SEE ALSO .Xr ssh 1 , .Xr ssh-keygen 1 , -Index: openssh-7.8p1/ssh.1 -=================================================================== ---- openssh-7.8p1.orig/ssh.1 -+++ openssh-7.8p1/ssh.1 -@@ -1432,6 +1432,20 @@ For more information, see the +diff --git a/ssh.1 b/ssh.1 +index 424d6c3..899a339 100644 +--- a/ssh.1 ++++ b/ssh.1 +@@ -1433,6 +1433,20 @@ For more information, see the .Cm PermitUserEnvironment option in .Xr sshd_config 5 . @@ -264,11 +311,11 @@ .Sh FILES .Bl -tag -width Ds -compact .It Pa ~/.rhosts -Index: openssh-7.8p1/sshd.8 -=================================================================== ---- openssh-7.8p1.orig/sshd.8 -+++ openssh-7.8p1/sshd.8 -@@ -966,6 +966,23 @@ concurrently for different ports, this c +diff --git a/sshd.8 b/sshd.8 +index fb133c1..2f1d3ab 100644 +--- a/sshd.8 ++++ b/sshd.8 +@@ -966,6 +966,23 @@ concurrently for different ports, this contains the process ID of the one started last). The content of this file is not sensitive; it can be world-readable. .El @@ -292,10 +339,10 @@ .Sh SEE ALSO .Xr scp 1 , .Xr sftp 1 , -Index: openssh-7.8p1/sshd.c -=================================================================== ---- openssh-7.8p1.orig/sshd.c -+++ openssh-7.8p1/sshd.c +diff --git a/sshd.c b/sshd.c +index bb20eec..c562094 100644 +--- a/sshd.c ++++ b/sshd.c @@ -55,6 +55,8 @@ #endif #include "openbsd-compat/sys-tree.h" @@ -305,7 +352,7 @@ #include <sys/wait.h> #include <errno.h> -@@ -208,6 +210,13 @@ struct { +@@ -205,6 +207,13 @@ struct { int have_ssh2_key; } sensitive_data; 
@@ -319,8 +366,8 @@ /* This is set to true when a signal is received. */ static volatile sig_atomic_t received_sighup = 0; static volatile sig_atomic_t received_sigterm = 0; -@@ -1252,6 +1261,10 @@ server_accept_loop(int *sock_in, int *so - startups++; +@@ -1201,6 +1210,10 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) + startup_flags[j] = 1; break; } + if(!(--re_seeding_counter)) { ++++++ openssh-7.7p1-sftp_print_diagnostic_messages.patch ++++++ --- /var/tmp/diff_new_pack.Tr8kM3/_old 2019-10-25 18:39:57.227773597 +0200 +++ /var/tmp/diff_new_pack.Tr8kM3/_new 2019-10-25 18:39:57.227773597 +0200 @@ -3,26 +3,11 @@ Put back sftp client diagnostic messages in batch mode bsc#1023275 - -Index: openssh-7.8p1/sftp.0 -=================================================================== ---- openssh-7.8p1.orig/sftp.0 -+++ openssh-7.8p1/sftp.0 -@@ -160,6 +160,9 @@ DESCRIPTION - -p Preserves modification times, access times, and modes from the - original files transferred. - -+ -Q Not-so-quiet batch mode: forces printing of diagnostic messages -+ in batch mode. -+ - -q Quiet mode: disables the progress meter as well as warning and - diagnostic messages from ssh(1). - -Index: openssh-7.8p1/sftp.1 -=================================================================== ---- openssh-7.8p1.orig/sftp.1 -+++ openssh-7.8p1/sftp.1 -@@ -256,6 +256,9 @@ Specifies the port to connect to on the +diff --git a/sftp.1 b/sftp.1 +index a52c1cf..7333de8 100644 +--- a/sftp.1 ++++ b/sftp.1 +@@ -278,6 +278,9 @@ Specifies the port to connect to on the remote host. .It Fl p Preserves modification times, access times, and modes from the original files transferred. 
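Review bot: on the rebased patch above, the new sshd.c hunk (`@@ -1201,6 +1210,10 @@ server_accept_loop`) now sits after `startup_flags[j] = 1;` instead of `startups++;`, which is just upstream's 8.1 restructuring of the accept loop; the decrement `if(!(--re_seeding_counter)) {` is still placed after the slot-search loop's `break`, so it runs once per accepted connection, but while touching it the line should be brought to OpenSSH style (`if (--re_seeding_counter == 0)`, with a space after `if`), and the same applies to `fatal ("EOF reading %s", rand_file);` in port-linux-prng.c (no space before the parenthesis). The remaining hunks in this rebase only swap `Index:` headers for `diff --git` headers and refresh line offsets (ssh-add.1 172 to 189, ssh-keygen.1 869 to 1054, sshd.c 208 to 205); nothing in the added lines changes, so they need no further review.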
@@ -32,11 +17,11 @@ .It Fl q Quiet mode: disables the progress meter as well as warning and diagnostic messages from -Index: openssh-7.8p1/sftp.c -=================================================================== ---- openssh-7.8p1.orig/sftp.c -+++ openssh-7.8p1/sftp.c -@@ -86,6 +86,9 @@ static volatile pid_t sshpid = -1; +diff --git a/sftp.c b/sftp.c +index b66037f..6c94a38 100644 +--- a/sftp.c ++++ b/sftp.c +@@ -85,6 +85,9 @@ static volatile pid_t sshpid = -1; /* Suppress diagnositic messages */ int quiet = 0; @@ -46,16 +31,16 @@ /* This is set to 0 if the progressmeter is not desired. */ int showprogress = 1; -@@ -2373,7 +2376,7 @@ main(int argc, char **argv) +@@ -2406,7 +2409,7 @@ main(int argc, char **argv) infile = stdin; while ((ch = getopt(argc, argv, -- "1246afhpqrvCc:D:i:l:o:s:S:b:B:F:P:R:")) != -1) { -+ "1246afhpQqrvCc:D:i:l:o:s:S:b:B:F:P:R:")) != -1) { +- "1246afhpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) { ++ "1246afhpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) { switch (ch) { /* Passed through to ssh(1) */ case '4': -@@ -2389,6 +2392,9 @@ main(int argc, char **argv) +@@ -2423,6 +2426,9 @@ main(int argc, char **argv) addargs(&args, "-%c", ch); addargs(&args, "%s", optarg); break; @@ -65,7 +50,7 @@ case 'q': ll = SYSLOG_LEVEL_ERROR; quiet = 1; -@@ -2472,6 +2478,8 @@ main(int argc, char **argv) +@@ -2506,6 +2512,8 @@ main(int argc, char **argv) usage(); } } ++++++ openssh-7.9p1-keygen-preserve-perms.patch ++++++ commit 07ffb49749c310b82e44278ae05e081d6f4a82bf Author: Hans Petter Jansson <[email protected]> Date: Fri Sep 27 01:57:16 2019 +0200 ssh-keygen: Preserve known_hosts permissions on rewrite Transfer the permissions of the old known_hosts file instead of just going with what mkstemp() gives us. This is useful in corner cases where known_hosts is shared between users. diff --git a/ssh-keygen.c b/ssh-keygen.c index 03a7fe5..ca8a309 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c 
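Review bot: on openssh-7.7p1-sftp_print_diagnostic_messages.patch, the rebase drops the whole sftp.0 hunk (the pre-rendered manual page) and keeps only the sftp.1 hunk; that is correct as long as the package installs the manual rendered from sftp.1 rather than the shipped sftp.0, otherwise `-Q` is no longer documented anywhere, so please confirm which one the spec installs. The getopt string correctly tracks upstream's new `J:` option (`"1246afhpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:"`), and the `@@ -2406,7 +2409,7 @@` / `@@ -2423,6 +2426,9 @@` hunks are pure offset refreshes. The last hunk (`@@ -2506,6 +2512,8 @@`) adds two lines after the option loop that are not shown here; whatever they do, check that the usage() text in sftp.c also lists `-Q` so the in-program help matches sftp.1.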
@@ -1338,6 +1338,11 @@ do_known_hosts(struct passwd *pw, const char *name) if (inplace) unlink(tmp); } else if (inplace) { + struct stat st; + + /* Get metadata for existing file */ + r = stat(identity_file, &st); + /* Backup existing file */ if (unlink(old) == -1 && errno != ENOENT) fatal("unlink %.100s: %s", old, strerror(errno)); @@ -1352,6 +1357,12 @@ do_known_hosts(struct passwd *pw, const char *name) unlink(old); exit(1); } + /* Preserve permissions; non-critical */ + if (r != -1) + r = chown(identity_file, st.st_uid, st.st_gid); + if (r != -1) + chmod(identity_file, + st.st_mode & (S_IRWXU | S_IRWXG | S_IRWXO)); printf("%s updated.\n", identity_file); printf("Original contents retained as %s\n", old); ++++++ openssh-7.9p1-revert-new-qos-defaults.patch ++++++ commit 101aa2f70c937abb428c9433c39ba0fd9a91fe6b Author: Hans Petter Jansson <[email protected]> Date: Thu Jun 20 23:54:11 2019 +0200 Revert IPQoS DSCP AF21/CS1 from upstream due to bugs in other software Reverts OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181 diff --git a/readconf.c b/readconf.c index 24f2cb1..bbdea0d 100644 --- a/readconf.c +++ b/readconf.c @@ -2183,9 +2183,9 @@ fill_default_options(Options * options) if (options->visual_host_key == -1) options->visual_host_key = 0; if (options->ip_qos_interactive == -1) - options->ip_qos_interactive = IPTOS_DSCP_AF21; + options->ip_qos_interactive = IPTOS_LOWDELAY; if (options->ip_qos_bulk == -1) - options->ip_qos_bulk = IPTOS_DSCP_CS1; + options->ip_qos_bulk = IPTOS_THROUGHPUT; if (options->request_tty == -1) options->request_tty = REQUEST_TTY_AUTO; if (options->proxy_use_fdpass == -1) diff --git a/servconf.c b/servconf.c index 13cf154..766ac6b 100644 --- a/servconf.c +++ b/servconf.c 
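Review bot: in openssh-7.9p1-keygen-preserve-perms.patch, the second hunk makes chmod conditional on chown succeeding (`if (r != -1) r = chown(...); if (r != -1) chmod(...)`), so when chown fails with EPERM, which is the normal outcome for an unprivileged user whenever the original known_hosts belongs to someone else, that is, exactly the shared-file case the commit message targets, the mode is never restored and the rewritten file keeps mkstemp's 0600 with the caller as owner; run the chmod whenever the stat succeeded, independently of chown, and consider restoring only the group (`chown(identity_file, -1, st.st_gid)`) since a user can normally give a file to a group they belong to even when they cannot change its owner. Two smaller points: `r` is borrowed from the surrounding function to carry the stat result across the unlink/link/rename block, so a dedicated flag (for example `have_st`) would be less fragile if someone later assigns `r` in between; and since the comment calls the step non-critical, a failure should at least be reported at debug level rather than silently dropped. Masking `st_mode` with `S_IRWXU | S_IRWXG | S_IRWXO` so that setuid/setgid/sticky bits are never copied is the right call.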
@@ -445,9 +445,9 @@ fill_default_server_options(ServerOptions *options) if (options->permit_tun == -1) options->permit_tun = SSH_TUNMODE_NO; if (options->ip_qos_interactive == -1) - options->ip_qos_interactive = IPTOS_DSCP_AF21; + options->ip_qos_interactive = IPTOS_LOWDELAY; if (options->ip_qos_bulk == -1) - options->ip_qos_bulk = IPTOS_DSCP_CS1; + options->ip_qos_bulk = IPTOS_THROUGHPUT; if (options->version_addendum == NULL) options->version_addendum = xstrdup(""); if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) diff --git a/ssh_config.5 b/ssh_config.5 index 3bf0502..10246f8 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -1088,11 +1088,9 @@ If one argument is specified, it is used as the packet class unconditionally. If two values are specified, the first is automatically selected for interactive sessions and the second for non-interactive sessions. The default is -.Cm af21 -(Low-Latency Data) +.Cm lowdelay for interactive sessions and -.Cm cs1 -(Lower Effort) +.Cm throughput for non-interactive sessions. .It Cm KbdInteractiveAuthentication Specifies whether to use keyboard-interactive authentication. diff --git a/sshd_config.5 b/sshd_config.5 index 50a4917..a276fcb 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
@@ -868,11 +868,9 @@ If one argument is specified, it is used as the packet class unconditionally. If two values are specified, the first is automatically selected for interactive sessions and the second for non-interactive sessions. The default is -.Cm af21 -(Low-Latency Data) +.Cm lowdelay for interactive sessions and -.Cm cs1 -(Lower Effort) +.Cm throughput for non-interactive sessions. .It Cm KbdInteractiveAuthentication Specifies whether to allow keyboard-interactive authentication. ++++++ openssh-8.0p1-gssapi-keyex.patch ++++++ ++++ 3922 lines (skipped) ++++++ openssh-7.7p1-audit.patch -> openssh-8.1p1-audit.patch ++++++ ++++ 2673 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/openssh/openssh-7.7p1-audit.patch ++++ and /work/SRC/openSUSE:Factory/.openssh.new.2990/openssh-8.1p1-audit.patch ++++++ openssh-7.9p1.tar.gz -> openssh-8.1p1.tar.gz ++++++ ++++ 50238 lines of diff (skipped) ++++++ sshd-gen-keys-start ++++++ --- /var/tmp/diff_new_pack.Tr8kM3/_old 2019-10-25 18:39:57.803774139 +0200 +++ /var/tmp/diff_new_pack.Tr8kM3/_new 2019-10-25 18:39:57.815774150 +0200 @@ -1,5 +1,8 @@ #!/bin/sh -if ! grep -q '^[[:space:]]*HostKey[[:space:]]' /etc/ssh/sshd_config; then + +. /etc/sysconfig/ssh + +if [ "$SSHD_AUTO_KEYGEN" = "yes" ]; then echo "Checking for missing server keys in /etc/ssh" ssh-keygen -A fi ++++++ sysconfig.ssh ++++++ --- /var/tmp/diff_new_pack.Tr8kM3/_old 2019-10-25 18:39:57.979774304 +0200 +++ /var/tmp/diff_new_pack.Tr8kM3/_new 2019-10-25 18:39:57.983774308 +0200 @@ -7,3 +7,8 @@ # Options for sshd # SSHD_OPTS="" + +# +# Whether to run ssh-keygen -A +# +SSHD_AUTO_KEYGEN="yes"
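Review bot: for openssh-7.9p1-revert-new-qos-defaults.patch, the patch header gives neither a bug reference nor the name of the "other software" that breaks with AF21/CS1, so there is no way to tell when the revert can be retired; please add the bsc# or upstream bug URL to the commit message. The four hunks are consistent with each other (readconf.c and servconf.c change only the `== -1` defaults, ssh_config.5 and sshd_config.5 describe the same `lowdelay`/`throughput` values), which also means an administrator who wants the upstream behaviour back can simply set `IPQoS af21 cs1` explicitly; a sentence to that effect in the changelog or patch header would save support questions.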
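Review bot: in sshd-gen-keys-start, `. /etc/sysconfig/ssh` is sourced unconditionally, and for a non-interactive POSIX sh a `.` of a missing or unreadable file is a fatal error, so the script aborts before reaching the test; and when the file exists but predates this change, `$SSHD_AUTO_KEYGEN` is empty, the comparison fails and key generation is silently skipped where the old script would have created the missing keys. Set the default first and guard the include, e.g. `SSHD_AUTO_KEYGEN=yes` followed by `[ -r /etc/sysconfig/ssh ] && . /etc/sysconfig/ssh`. Note also that dropping the `grep -q '^[[:space:]]*HostKey[[:space:]]'` check changes the semantics: keys for every default type are now generated even when sshd_config names explicit HostKey files. `ssh-keygen -A` only creates files that do not exist and never overwrites, so this is safe, but it leaves unused private keys in /etc/ssh; the sysconfig.ssh comment for SSHD_AUTO_KEYGEN should say that it only creates missing keys and that sites provisioning their own host keys can set it to "no".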
