Hello community,
here is the log from the commit of package openssh for openSUSE:Leap:15.2
checked in at 2020-02-13 14:40:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/openssh (Old)
and /work/SRC/openSUSE:Leap:15.2/.openssh.new.26092 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssh"
Thu Feb 13 14:40:36 2020 rev:62 rq:773207 version:8.1p1
Changes:
--------
--- /work/SRC/openSUSE:Leap:15.2/openssh/openssh-askpass-gnome.changes
2020-01-15 15:37:13.811019463 +0100
+++
/work/SRC/openSUSE:Leap:15.2/.openssh.new.26092/openssh-askpass-gnome.changes
2020-02-13 14:40:39.305650671 +0100
@@ -1,0 +2,6 @@
+Thu Jul 18 14:07:56 UTC 2019 - Fabian Vogt <[email protected]>
+
+- Supplement libgtk-3-0 instead to avoid installation on a textmode install
+ (boo#1142000)
+
+-------------------------------------------------------------------
--- /work/SRC/openSUSE:Leap:15.2/openssh/openssh.changes 2020-01-15
15:37:13.887019516 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.openssh.new.26092/openssh.changes
2020-02-13 14:40:39.405650726 +0100
@@ -7,0 +8,7 @@
+Fri Nov 8 18:05:37 UTC 2019 - Cristian RodrÃguez <[email protected]>
+
+- Add openssh-8.1p1-seccomp-clock_nanosleep.patch, allow clock_nanosleep
+ glibc master implements multiple functions using that syscall making
+ the privsep sandbox kill the preauth process.
+
+-------------------------------------------------------------------
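Review bot: the entry at L31-33 explains why clock_nanosleep must be permitted (glibc master routes several functions through that syscall and the privsep sandbox then kills the preauth process) but not how narrowly the new seccomp rule admits it. Relaxing the preauth filter is the security-relevant part of this change, so the entry should state whether the syscall is allowed unconditionally or only with the argument forms glibc uses, and cite the bug or upstream report it tracks; compare the bsc#/boo# references carried by the neighbouring entries (L21, L47).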
@@ -11 +18,3 @@
- by Enzo Matsumiya ([email protected]).
+ by Enzo Matsumiya ([email protected]). This was integrated in
+ a separate code stream merged with the Oct. 10 update; the patch
+ was also rebased and renamed to openssh-8.1p1-audit.patch.
@@ -14 +23 @@
-Fri Sep 27 00:42:26 UTC 2019 - Hans Petter Jansson <[email protected]>
+Mon Oct 14 23:58:39 UTC 2019 - Hans Petter Jansson <[email protected]>
@@ -19,0 +29,3 @@
+- Added openssh-7.9p1-revert-new-qos-defaults.patch, which reverts
+ an upstream commit that caused compatibility issues with other
+ software (bsc#1136402).
@@ -22 +34 @@
-Tue Sep 24 01:43:26 UTC 2019 - Hans Petter Jansson <[email protected]>
+Mon Oct 14 23:56:42 UTC 2019 - Hans Petter Jansson <[email protected]>
@@ -29 +41 @@
-Thu Jun 20 22:09:21 UTC 2019 - Hans Petter Jansson <[email protected]>
+Mon Oct 14 23:50:04 UTC 2019 - Hans Petter Jansson <[email protected]>
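Review bot: this hunk, like the two before it (L42-43 and L49-50), rewrites the timestamp of an existing changelog entry rather than adding a new one, so the published dates for unchanged text no longer match what was in the file. If the re-dating is deliberate, to restore descending order after the merge described at L38-40, say so in the entry; otherwise keep the original dates and move the entries instead.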
@@ -31,3 +43,125 @@
-- Added openssh-7.9p1-revert-new-qos-defaults.patch, which reverts
- an upstream commit that caused compatibility issues with other
- software (bsc#1136402).
+- Add openssh-7.9p1-keygen-preserve-perms.patch (bsc#1150574).
+ This attempts to preserve the permissions of any existing
+ known_hosts file when modified by ssh-keygen (for instance,
+ with -R).
+
+-------------------------------------------------------------------
+Thu Oct 10 00:41:18 UTC 2019 - Hans Petter Jansson <[email protected]>
+
+- Version update to 8.1p1:
+ * ssh-keygen(1): when acting as a CA and signing certificates with
+ an RSA key, default to using the rsa-sha2-512 signature algorithm.
+ Certificates signed by RSA keys will therefore be incompatible
+ with OpenSSH versions prior to 7.2 unless the default is
+ overridden (using "ssh-keygen -t ssh-rsa -s ...").
+ * ssh(1): Allow %n to be expanded in ProxyCommand strings
+ * ssh(1), sshd(8): Allow prepending a list of algorithms to the
+ default set by starting the list with the '^' character, E.g.
+ "HostKeyAlgorithms ^ssh-ed25519"
+ * ssh-keygen(1): add an experimental lightweight signature and
+ verification ability. Signatures may be made using regular ssh keys
+ held on disk or stored in a ssh-agent and verified against an
+ authorized_keys-like list of allowed keys. Signatures embed a
+ namespace that prevents confusion and attacks between different
+ usage domains (e.g. files vs email).
+ * ssh-keygen(1): print key comment when extracting public key from a
+ private key.
+ * ssh-keygen(1): accept the verbose flag when searching for host keys
+ in known hosts (i.e. "ssh-keygen -vF host") to print the matching
+ host's random-art signature too.
+ * All: support PKCS8 as an optional format for storage of private
+ keys to disk. The OpenSSH native key format remains the default,
+ but PKCS8 is a superior format to PEM if interoperability with
+ non-OpenSSH software is required, as it may use a less insecure
+ key derivation function than PEM's.
+
+- Additional changes from 8.0p1 release:
+ * scp(1): Add "-T" flag to disable client-side filtering of
+ server file list.
+ * sshd(8): Remove support for obsolete "host/port" syntax.
+ * ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in
+ PKCS#11 tokens.
+ * ssh(1), sshd(8): Add experimental quantum-computing resistant
+ key exchange method, based on a combination of Streamlined NTRU
+ Prime 4591^761 and X25519.
+ * ssh-keygen(1): Increase the default RSA key size to 3072 bits,
+ following NIST Special Publication 800-57's guidance for a
+ 128-bit equivalent symmetric security level.
+ * ssh(1): Allow "PKCS11Provider=none" to override later instances of
+ the PKCS11Provider directive in ssh_config,
+ * sshd(8): Add a log message for situations where a connection is
+ dropped for attempting to run a command but a sshd_config
+ ForceCommand=internal-sftp restriction is in effect.
+ * ssh(1): When prompting whether to record a new host key, accept
+ the key fingerprint as a synonym for "yes". This allows the user
+ to paste a fingerprint obtained out of band at the prompt and
+ have the client do the comparison for you.
+ * ssh-keygen(1): When signing multiple certificates on a single
+ command-line invocation, allow automatically incrementing the
+ certificate serial number.
+ * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on
+ the scp and sftp command-lines.
+ * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v"
+ command-line flags to increase the verbosity of output; pass
+ verbose flags though to subprocesses, such as ssh-pkcs11-helper
+ started from ssh-agent.
+ * ssh-add(1): Add a "-T" option to allowing testing whether keys in
+ an agent are usable by performing a signature and a verification.
+ * sftp-server(8): Add a "[email protected]" protocol extension
+ that replicates the functionality of the existing SSH2_FXP_SETSTAT
+ operation but does not follow symlinks.
+ * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request
+ they do not follow symlinks.
+ * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes
+ the connection 4-tuple available to PAM modules that wish to use
+ it in decision-making.
+ * sshd(8): Add a ssh_config "Match final" predicate Matches in same
+ pass as "Match canonical" but doesn't require hostname
+ canonicalisation be enabled.
+ * sftp(1): Support a prefix of '@' to suppress echo of sftp batch
+ commands.
+ * ssh-keygen(1): When printing certificate contents using
+ "ssh-keygen -Lf /path/certificate", include the algorithm that
+ the CA used to sign the cert.
+
+- Rebased patches:
+ * openssh-7.7p1-IPv6_X_forwarding.patch
+ * openssh-7.7p1-X_forward_with_disabled_ipv6.patch
+ * openssh-7.7p1-cavstest-ctr.patch
+ * openssh-7.7p1-cavstest-kdf.patch
+ * openssh-7.7p1-disable_openssl_abi_check.patch
+ * openssh-7.7p1-fips.patch
+ * openssh-7.7p1-fips_checks.patch
+ * openssh-7.7p1-hostname_changes_when_forwarding_X.patch
+ * openssh-7.7p1-ldap.patch
+ * openssh-7.7p1-seed-prng.patch
+ * openssh-7.7p1-sftp_force_permissions.patch
+ * openssh-7.7p1-sftp_print_diagnostic_messages.patch
+ * openssh-8.0p1-gssapi-keyex.patch (formerly
+ openssh-7.7p1-gssapi_key_exchange.patch)
+ * openssh-8.1p1-audit.patch (formerly openssh-7.7p1-audit.patch)
+
+- Removed patches (integrated upstream):
+ * 0001-upstream-Fix-two-race-conditions-in-sshd-relating-to.patch
+ * openssh-7.7p1-seccomp_ioctl_s390_EP11.patch
+ * openssh-7.9p1-CVE-2018-20685.patch
+ * openssh-7.9p1-brace-expansion.patch
+ * openssh-CVE-2019-6109-force-progressmeter-update.patch
+ * openssh-CVE-2019-6109-sanitize-scp-filenames.patch
+ * openssh-CVE-2019-6111-scp-client-wildcard.patch
+
+- Removed patches (obsolete):
+ * openssh-openssl-1_0_0-compatibility.patch
+
+-------------------------------------------------------------------
+Mon Aug 19 11:24:36 CEST 2019 - [email protected]
+
+- don't install SuSEfirewall2 service on Factory, since SuSEfirewall2
+ has been replaced by firewalld, see [1].
+
+ [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html
+
+-------------------------------------------------------------------
+Mon Jul 22 16:55:25 UTC 2019 - Fabian Vogt <[email protected]>
+
+- ssh-askpass: Try a fallback if the other option is not available
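Review bot: the "Removed patches (integrated upstream)" block at L159-166 drops three CVE patches but does not say which upstream release carries each fix; the 8.0p1 list above mentions the scp "-T" flag (L94-95) but never the CVE numbers. Naming the release next to each removed patch lets anyone auditing Leap 15.2 confirm that the CVE-2018-20685, CVE-2019-6109 and CVE-2019-6111 fixes survived the version bump rather than being silently lost with the patch files.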
Old:
----
0001-upstream-Fix-two-race-conditions-in-sshd-relating-to.patch
openssh-7.7p1-audit.patch
openssh-7.7p1-gssapi_key_exchange.patch
openssh-7.7p1-seccomp_ioctl_s390_EP11.patch
openssh-7.9p1-CVE-2018-20685.patch
openssh-7.9p1-brace-expansion.patch
openssh-7.9p1.tar.gz
openssh-7.9p1.tar.gz.asc
openssh-CVE-2019-6109-force-progressmeter-update.patch
openssh-CVE-2019-6109-sanitize-scp-filenames.patch
openssh-CVE-2019-6111-scp-client-wildcard.patch
openssh-openssl-1_0_0-compatibility.patch
New:
----
openssh-8.0p1-gssapi-keyex.patch
openssh-8.1p1-audit.patch
openssh-8.1p1-seccomp-clock_nanosleep.patch
openssh-8.1p1.tar.gz
openssh-8.1p1.tar.gz.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssh-askpass-gnome.spec ++++++
--- /var/tmp/diff_new_pack.mNRO2C/_old 2020-02-13 14:40:40.337651236 +0100
+++ /var/tmp/diff_new_pack.mNRO2C/_new 2020-02-13 14:40:40.341651239 +0100
@@ -1,7 +1,7 @@
#
# spec file for package openssh-askpass-gnome
#
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LLC.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
%define _name openssh
Name: openssh-askpass-gnome
-Version: 7.9p1
+Version: 8.1p1
Release: 0
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
License: BSD-2-Clause
@@ -27,7 +27,7 @@
Source:
http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz
Source42:
http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc
Requires: %{_name} = %{version}
-Supplements: packageand(openssh:libX11-6)
+Supplements: packageand(openssh:libgtk-3-0)
%if 0%{?suse_version} >= 1550
BuildRequires: gtk3-devel
%else
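Review bot: the Supplements trigger at L234 now names libgtk-3-0 unconditionally, while the BuildRequires directly below it is conditional (L235-237: gtk3-devel only for suse_version >= 1550, with an %else branch not shown). If the %else branch builds against a different toolkit, the package would be pulled in on systems that have GTK 3 installed but receive a binary linked against something else; put the Supplements line under the same %if, or confirm that both branches link GTK 3.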
++++++ openssh.spec ++++++
--- /var/tmp/diff_new_pack.mNRO2C/_old 2020-02-13 14:40:40.369651254 +0100
+++ /var/tmp/diff_new_pack.mNRO2C/_new 2020-02-13 14:40:40.369651254 +0100
@@ -1,7 +1,7 @@
#
# spec file for package openssh
#
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LLC.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -37,7 +37,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: openssh
-Version: 7.9p1
+Version: 8.1p1
Release: 0
Summary: Secure Shell Client and Server (Remote Login Program)
License: BSD-2-Clause AND MIT
@@ -69,8 +69,6 @@
Patch14: openssh-7.7p1-seccomp_stat.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Patch15: openssh-7.7p1-seccomp_ipc_flock.patch
-# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
-Patch16: openssh-7.7p1-seccomp_ioctl_s390_EP11.patch
# Local FIPS patchset
Patch17: openssh-7.7p1-fips.patch
# Local cavs patchset
@@ -82,9 +80,9 @@
Patch21: openssh-7.7p1-seed-prng.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
Patch22: openssh-7.7p1-systemd-notify.patch
-Patch23: openssh-7.7p1-gssapi_key_exchange.patch
+Patch23: openssh-8.0p1-gssapi-keyex.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=1402
-Patch24: openssh-7.7p1-audit.patch
+Patch24: openssh-8.1p1-audit.patch
# Local patch to disable runtime abi SSL checks, quite pointless for us
Patch26: openssh-7.7p1-disable_openssl_abi_check.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
@@ -98,15 +96,9 @@
# https://bugzilla.mindrot.org/show_bug.cgi?id=2213
Patch32: openssh-7.7p1-IPv6_X_forwarding.patch
Patch33: openssh-7.7p1-sftp_print_diagnostic_messages.patch
-Patch34: openssh-openssl-1_0_0-compatibility.patch
-Patch35: openssh-7.9p1-CVE-2018-20685.patch
-Patch36: openssh-CVE-2019-6109-sanitize-scp-filenames.patch
-Patch37: openssh-CVE-2019-6109-force-progressmeter-update.patch
-Patch38: openssh-CVE-2019-6111-scp-client-wildcard.patch
-Patch39: openssh-7.9p1-brace-expansion.patch
-Patch40: 0001-upstream-Fix-two-race-conditions-in-sshd-relating-to.patch
-Patch41: openssh-7.9p1-revert-new-qos-defaults.patch
-Patch42: openssh-7.9p1-keygen-preserve-perms.patch
+Patch34: openssh-7.9p1-keygen-preserve-perms.patch
+Patch35: openssh-7.9p1-revert-new-qos-defaults.patch
+Patch36: openssh-8.1p1-seccomp-clock_nanosleep.patch
BuildRequires: audit-devel
BuildRequires: autoconf
BuildRequires: groff
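Review bot: the three surviving patches are renumbered to Patch34-Patch36 (L293-295), reusing numbers from the nine removed entries (L284-292). If %prep applies patches with explicit %patch34 .. %patch42 directives, those lines need the same renumbering and removals, and no %prep hunk appears in this diff, so confirm they were adjusted. Also, the new seccomp clock_nanosleep patch (Patch36) carries no bug or upstream reference comment, unlike its neighbours (e.g. the bugzilla.mindrot.org line above Patch32 at L281); add one so the sandbox change can be traced.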
@@ -238,9 +230,11 @@
install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g
%{buildroot}%{_sysconfdir}/ssh/sshd_config
+%if 0%{?suse_version} < 1550
# install firewall definitions
mkdir -p %{buildroot}%{_fwdefdir}
install -m 644 %{SOURCE7} %{buildroot}%{_fwdefdir}/sshd
+%endif
# askpass wrapper
sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE6} >
%{buildroot}%{_libexecdir}/ssh/ssh-askpass
@@ -320,9 +314,11 @@
%dir %{_sysconfdir}/slp.reg.d
%config %{_sysconfdir}/slp.reg.d/ssh.reg
%{_fillupdir}/sysconfig.ssh
+%if 0%{?suse_version} < 1550
%dir %{_fwdir}
%dir %{_fwdefdir}
%config %{_fwdefdir}/sshd
+%endif
%files helpers
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
++++++ openssh-7.7p1-X_forward_with_disabled_ipv6.patch ++++++
--- /var/tmp/diff_new_pack.mNRO2C/_old 2020-02-13 14:40:40.465651306 +0100
+++ /var/tmp/diff_new_pack.mNRO2C/_new 2020-02-13 14:40:40.465651306 +0100
@@ -3,15 +3,11 @@
Do not throw away already open sockets for X11 forwarding if another socket
family is not available for bind()
-diff --git a/openssh-7.7p1/channels.c b/openssh-7.7p1/channels.c
---- openssh-7.7p1/channels.c
-+++ openssh-7.7p1/channels.c
-@@ -4421,16 +4421,23 @@ x11_create_display_inet(struct ssh *ssh,
- if (ai->ai_family == AF_INET6)
- sock_set_v6only(sock);
- if (x11_use_localhost)
- set_reuseaddr(sock);
- if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
+diff --git a/channels.c b/channels.c
+index f51b7e3..95af47e 100644
+--- a/channels.c
++++ b/channels.c
+@@ -4637,6 +4637,13 @@ x11_create_display_inet(struct ssh *ssh, int
x11_display_offset,
debug2("%s: bind port %d: %.100s", __func__,
port, strerror(errno));
close(sock);
@@ -21,12 +17,7 @@
+ * disabled while being supported)
+ */
+ if (EADDRNOTAVAIL == errno)
-+ continue;
++ continue;
for (n = 0; n < num_socks; n++)
close(socks[n]);
num_socks = 0;
- break;
- }
- socks[num_socks++] = sock;
- if (num_socks == NUM_SOCKS)
- break;
++++++ openssh-7.7p1-cavstest-ctr.patch ++++++
--- /var/tmp/diff_new_pack.mNRO2C/_old 2020-02-13 14:40:40.473651311 +0100
+++ /var/tmp/diff_new_pack.mNRO2C/_new 2020-02-13 14:40:40.473651311 +0100
@@ -2,11 +2,11 @@
# Parent cc1022edba2c5eeb0facba08468f65afc2466b63
CAVS test for OpenSSH's own CTR encryption mode implementation
-Index: openssh-7.9p1/Makefile.in
-===================================================================
---- openssh-7.9p1.orig/Makefile.in
-+++ openssh-7.9p1/Makefile.in
-@@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
+diff --git a/Makefile.in b/Makefile.in
+index 7488595..d426006 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
@@ -23,7 +23,7 @@
XMSS_OBJS=\
ssh-xmss.o \
sshkey-xmss.o \
-@@ -204,6 +207,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss
+@@ -210,6 +213,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o
sftp-common.o sftp-server.o s
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o
sftp-glob.o progressmeter.o
$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o
sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
@@ -34,7 +34,7 @@
# test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh
$(LIBS)
-@@ -348,6 +355,7 @@ install-files:
+@@ -354,6 +361,7 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT)
$(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT)
$(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT)
$(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@@ -42,10 +42,11 @@
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
$(INSTALL) -m 644 ssh-add.1.out
$(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-Index: openssh-7.9p1/cavstest-ctr.c
-===================================================================
+diff --git a/cavstest-ctr.c b/cavstest-ctr.c
+new file mode 100644
+index 0000000..f81cb72
--- /dev/null
-+++ openssh-7.9p1/cavstest-ctr.c
++++ b/cavstest-ctr.c
@@ -0,0 +1,214 @@
+/*
+ *
@@ -261,13 +262,13 @@
+ printf("\n");
+ return 0;
+}
-Index: openssh-7.9p1/cipher.c
-===================================================================
---- openssh-7.9p1.orig/cipher.c
-+++ openssh-7.9p1/cipher.c
-@@ -54,15 +54,6 @@
- #include "fips.h"
- #include "log.h"
+diff --git a/cipher.c b/cipher.c
+index acca752..b67a4ff 100644
+--- a/cipher.c
++++ b/cipher.c
+@@ -58,15 +58,6 @@
+ #define EVP_CIPHER_CTX void
+ #endif
-struct sshcipher_ctx {
- int plaintext;
@@ -281,11 +282,11 @@
struct sshcipher {
char *name;
u_int block_size;
-Index: openssh-7.9p1/cipher.h
-===================================================================
---- openssh-7.9p1.orig/cipher.h
-+++ openssh-7.9p1/cipher.h
-@@ -46,7 +46,15 @@
+diff --git a/cipher.h b/cipher.h
+index 5843aab..d7d8c89 100644
+--- a/cipher.h
++++ b/cipher.h
+@@ -48,7 +48,15 @@
#define CIPHER_DECRYPT 0
struct sshcipher;
++++++ openssh-7.7p1-cavstest-kdf.patch ++++++
--- /var/tmp/diff_new_pack.mNRO2C/_old 2020-02-13 14:40:40.481651316 +0100
+++ /var/tmp/diff_new_pack.mNRO2C/_new 2020-02-13 14:40:40.481651316 +0100
@@ -2,10 +2,10 @@
# Parent 1e1d5a2ab8bddfc800f570755f9ea1addcc878c1
CAVS test for KDF implementation in OpenSSH
-Index: openssh-7.9p1/Makefile.in
-===================================================================
---- openssh-7.9p1.orig/Makefile.in 2019-03-12 16:12:42.213142294 +0100
-+++ openssh-7.9p1/Makefile.in 2019-03-28 13:49:37.150166231 +0100
+diff --git a/Makefile.in b/Makefile.in
+index d426006..85818f4 100644
+--- a/Makefile.in
++++ b/Makefile.in
@@ -25,6 +25,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
@@ -23,7 +23,7 @@
XMSS_OBJS=\
ssh-xmss.o \
-@@ -211,6 +212,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sft
+@@ -217,6 +218,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o
sftp-common.o sftp-glo
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
$(LD) -o $@ cavstest-ctr.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh
$(LIBS)
@@ -33,7 +33,7 @@
# test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh
$(LIBS)
-@@ -356,6 +360,7 @@ install-files:
+@@ -362,6 +366,7 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT)
$(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT)
$(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT)
$(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
@@ -41,11 +41,12 @@
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
$(INSTALL) -m 644 ssh-add.1.out
$(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-Index: openssh-7.9p1/cavstest-kdf.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ openssh-7.9p1/cavstest-kdf.c 2019-03-28 13:54:20.047709759 +0100
-@@ -0,0 +1,384 @@
+diff --git a/cavstest-kdf.c b/cavstest-kdf.c
+new file mode 100644
+index 0000000..a6ecf45
+--- /dev/null
++++ b/cavstest-kdf.c
+@@ -0,0 +1,402 @@
+/*
+ * Copyright (C) 2015, Stephan Mueller <[email protected]>
+ *
@@ -93,6 +94,7 @@
+#include <openssl/bn.h>
+
+#include "xmalloc.h"
++#include "ssherr.h"
+#include "sshbuf.h"
+#include "sshkey.h"
+#include "cipher.h"
@@ -208,6 +210,23 @@
+ unsigned int ik_len;
+};
+
++#ifdef WITH_OPENSSL
++static int
++kex_derive_keys_bn(struct ssh *ssh, u_char *hash, u_int hashlen,
++ const BIGNUM *secret)
++{
++ struct sshbuf *shared_secret;
++ int r;
++
++ if ((shared_secret = sshbuf_new()) == NULL)
++ return SSH_ERR_ALLOC_FAIL;
++ if ((r = sshbuf_put_bignum2(shared_secret, secret)) == 0)
++ r = kex_derive_keys(ssh, hash, hashlen, shared_secret);
++ sshbuf_free(shared_secret);
++ return r;
++}
++#endif
++
+static int sshkdf_cavs(struct kdf_cavs *test)
+{
+ int ret = 0;
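Review bot: kex_derive_keys_bn() (L525-540) is guarded by WITH_OPENSSL, so its call sites inside sshkdf_cavs() (not in this diff) need the same guard or the non-OpenSSL build breaks. The helper itself looks right: shared_secret is freed on both paths, SSH_ERR_ALLOC_FAIL is returned on allocation failure, and the new "ssherr.h" include at L517 supplies that constant. One thing to confirm: sshbuf_put_bignum2() encodes the secret as an SSH mpint, which must be exactly how the production KEX code hands the shared secret to kex_derive_keys(); if it differs, the CAVS vectors validate a different KDF input than the one used at runtime and the test no longer proves anything.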
++++++ openssh-7.7p1-disable_openssl_abi_check.patch ++++++
--- /var/tmp/diff_new_pack.mNRO2C/_old 2020-02-13 14:40:40.485651317 +0100
+++ /var/tmp/diff_new_pack.mNRO2C/_new 2020-02-13 14:40:40.485651317 +0100
@@ -4,15 +4,11 @@
reliable indicator of ABI changes and doesn't make much sense in a
distribution package
-diff --git a/openssh-7.7p1/configure.ac b/openssh-7.7p1/configure.ac
---- openssh-7.7p1/configure.ac
-+++ openssh-7.7p1/configure.ac
-@@ -4895,16 +4895,29 @@ AC_ARG_WITH([bsd-auth],
- if test "x$withval" != "xno" ; then
- AC_DEFINE([BSD_AUTH], [1],
- [Define if you have BSD auth support])
- BSD_AUTH_MSG=yes
- fi
+diff --git a/configure.ac b/configure.ac
+index 42ffd95..20a1884 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -4878,6 +4878,19 @@ AC_ARG_WITH([bsd-auth],
]
)
@@ -32,33 +28,21 @@
# Where to place sshd.pid
piddir=/var/run
# make sure the directory exists
- if test ! -d $piddir ; then
- piddir=`eval echo ${sysconfdir}`
- case $piddir in
- NONE/*) piddir=`echo $piddir | sed
"s~NONE~$ac_default_prefix~"` ;;
- esac
-diff --git a/openssh-7.7p1/entropy.c b/openssh-7.7p1/entropy.c
---- openssh-7.7p1/entropy.c
-+++ openssh-7.7p1/entropy.c
-@@ -209,19 +209,21 @@ rexec_recv_rng_seed(Buffer *m)
- #endif /* OPENSSL_PRNG_ONLY */
+diff --git a/entropy.c b/entropy.c
+index f8b9f42..4957b23 100644
+--- a/entropy.c
++++ b/entropy.c
+@@ -223,11 +223,13 @@ seed_rng(void)
+ /* Initialise libcrypto */
+ ssh_libcrypto_init();
- void
- seed_rng(void)
- {
- #ifndef OPENSSL_PRNG_ONLY
- unsigned char buf[RANDOM_SEED_SIZE];
- #endif
+#ifndef DISTRO_SSL
- if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER, SSLeay()))
+ if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER,
+ OpenSSL_version_num()))
fatal("OpenSSL version mismatch. Built against %lx, you "
- "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
+ "have %lx", (u_long)OPENSSL_VERSION_NUMBER,
+ OpenSSL_version_num());
+#endif
#ifndef OPENSSL_PRNG_ONLY
- if (RAND_status() == 1) {
- debug3("RNG is ready, skipping seeding");
- return;
- }
-
- if (seed_from_prngd(buf, sizeof(buf)) == -1)
+ if (RAND_status() == 1)
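Review bot: the rebased context at L596-602 shows the check now calls OpenSSL_version_num() instead of SSLeay(), but the patch's own change is unchanged: the whole version-mismatch test sits inside #ifndef DISTRO_SSL (L595, L603). Since the spec comment for this patch calls the runtime ABI check pointless for the distribution, make sure DISTRO_SSL is actually defined in the build flags by the spec (no hunk here shows that); if it is not, the check is still compiled in and the patch is a no-op.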
++++++ openssh-7.7p1-fips.patch ++++++
--- /var/tmp/diff_new_pack.mNRO2C/_old 2020-02-13 14:40:40.497651324 +0100
+++ /var/tmp/diff_new_pack.mNRO2C/_new 2020-02-13 14:40:40.497651324 +0100
@@ -3,23 +3,23 @@
FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved
algorithms.
-Index: openssh-7.9p1/Makefile.in
-===================================================================
---- openssh-7.9p1.orig/Makefile.in 2019-02-28 17:20:15.767164591 +0100
-+++ openssh-7.9p1/Makefile.in 2019-03-12 11:41:49.662894934 +0100
-@@ -102,6 +102,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
- kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
+diff --git a/Makefile.in b/Makefile.in
+index 1d2b2d9..7488595 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -103,6 +103,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
platform-pledge.o platform-tracing.o platform-misc.o
+
+LIBSSH_OBJS += fips.o
+
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect2.o mux.o
-Index: openssh-7.9p1/cipher-ctr.c
-===================================================================
---- openssh-7.9p1.orig/cipher-ctr.c 2018-10-17 02:01:20.000000000 +0200
-+++ openssh-7.9p1/cipher-ctr.c 2019-02-28 17:20:15.919165544 +0100
+diff --git a/cipher-ctr.c b/cipher-ctr.c
+index 32771f2..b66f92f 100644
+--- a/cipher-ctr.c
++++ b/cipher-ctr.c
@@ -27,6 +27,8 @@
#include "xmalloc.h"
#include "log.h"
@@ -38,20 +38,21 @@
#endif
return (&aes_ctr);
}
-Index: openssh-7.9p1/cipher.c
-===================================================================
---- openssh-7.9p1.orig/cipher.c 2018-10-17 02:01:20.000000000 +0200
-+++ openssh-7.9p1/cipher.c 2019-03-12 11:41:49.662894934 +0100
-@@ -51,6 +51,8 @@
+diff --git a/cipher.c b/cipher.c
+index 25f98ba..acca752 100644
+--- a/cipher.c
++++ b/cipher.c
+@@ -51,6 +51,9 @@
#include "openbsd-compat/openssl-compat.h"
+#include "fips.h"
+#include "log.h"
-
- struct sshcipher_ctx {
- int plaintext;
-@@ -80,7 +82,7 @@ struct sshcipher {
++
+ #ifndef WITH_OPENSSL
+ #define EVP_CIPHER_CTX void
+ #endif
+@@ -83,7 +86,7 @@ struct sshcipher {
#endif
};
@@ -60,7 +61,7 @@
#ifdef WITH_OPENSSL
#ifndef OPENSSL_NO_DES
{ "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
-@@ -111,8 +113,52 @@ static const struct sshcipher ciphers[]
+@@ -114,8 +117,52 @@ static const struct sshcipher ciphers[] = {
{ NULL, 0, 0, 0, 0, 0, NULL }
};
@@ -113,7 +114,7 @@
/* Returns a comma-separated list of supported ciphers. */
char *
cipher_alg_list(char sep, int auth_only)
-@@ -121,7 +167,7 @@ cipher_alg_list(char sep, int auth_only)
+@@ -124,7 +171,7 @@ cipher_alg_list(char sep, int auth_only)
size_t nlen, rlen = 0;
const struct sshcipher *c;
@@ -122,7 +123,7 @@
if ((c->flags & CFLAG_INTERNAL) != 0)
continue;
if (auth_only && c->auth_len == 0)
-@@ -193,7 +239,7 @@ const struct sshcipher *
+@@ -196,7 +243,7 @@ const struct sshcipher *
cipher_by_name(const char *name)
{
const struct sshcipher *c;
@@ -131,10 +132,11 @@
if (strcmp(c->name, name) == 0)
return c;
return NULL;
-Index: openssh-7.9p1/fips.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ openssh-7.9p1/fips.c 2019-03-12 11:42:10.971006569 +0100
+diff --git a/fips.c b/fips.c
+new file mode 100644
+index 0000000..23e3876
+--- /dev/null
++++ b/fips.c
@@ -0,0 +1,212 @@
+/*
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
@@ -348,10 +350,11 @@
+ return dgst;
+}
+
-Index: openssh-7.9p1/fips.h
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ openssh-7.9p1/fips.h 2019-03-12 11:41:49.514894158 +0100
+diff --git a/fips.h b/fips.h
+new file mode 100644
+index 0000000..a115a61
+--- /dev/null
++++ b/fips.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
@@ -397,11 +400,11 @@
+
+#endif
+
-Index: openssh-7.9p1/hmac.c
-===================================================================
---- openssh-7.9p1.orig/hmac.c 2018-10-17 02:01:20.000000000 +0200
-+++ openssh-7.9p1/hmac.c 2019-02-28 17:20:15.919165544 +0100
-@@ -144,7 +144,7 @@ hmac_test(void *key, size_t klen, void *
+diff --git a/hmac.c b/hmac.c
+index 3268887..b905a1e 100644
+--- a/hmac.c
++++ b/hmac.c
+@@ -146,7 +146,7 @@ hmac_test(void *key, size_t klen, void *m, size_t mlen,
u_char *e, size_t elen)
size_t i;
u_char digest[16];
@@ -410,11 +413,11 @@
printf("ssh_hmac_start failed");
if (ssh_hmac_init(ctx, key, klen) < 0 ||
ssh_hmac_update(ctx, m, mlen) < 0 ||
-Index: openssh-7.9p1/kex.c
-===================================================================
---- openssh-7.9p1.orig/kex.c 2018-10-17 02:01:20.000000000 +0200
-+++ openssh-7.9p1/kex.c 2019-02-28 17:20:15.919165544 +0100
-@@ -54,6 +54,8 @@
+diff --git a/kex.c b/kex.c
+index 49d7015..1f82c2e 100644
+--- a/kex.c
++++ b/kex.c
+@@ -60,6 +60,8 @@
#include "sshbuf.h"
#include "digest.h"
@@ -423,7 +426,7 @@
/* prototype */
static int kex_choose_conf(struct ssh *);
static int kex_input_newkeys(int, u_int32_t, struct ssh *);
-@@ -77,7 +79,7 @@ struct kexalg {
+@@ -83,7 +85,7 @@ struct kexalg {
int ec_nid;
int hash_alg;
};
@@ -432,8 +435,8 @@
#ifdef WITH_OPENSSL
{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
-@@ -106,6 +108,47 @@ static const struct kexalg kexalgs[] = {
- { NULL, -1, -1, -1},
+@@ -114,6 +116,47 @@ static const struct kexalg kexalgs[] = {
+ { NULL, 0, -1, -1},
};
+static const struct kexalg kexalgs_fips140_2[] = {
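Review bot: the upstream sentinel of kexalgs[] changed from { NULL, -1, -1, -1} to { NULL, 0, -1, -1} (L778, L780), which suggests the second field is no longer signed. The terminator of kexalgs_fips140_2[] added at L782 (body not in this diff) should use the same { NULL, 0, -1, -1 } form, and kex_alg_list()/kex_alg_by_name() should keep terminating on k->name == NULL rather than on that field, so that the FIPS table walk stops where intended.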
@@ -480,7 +483,7 @@
char *
kex_alg_list(char sep)
{
-@@ -113,7 +156,7 @@ kex_alg_list(char sep)
+@@ -121,7 +164,7 @@ kex_alg_list(char sep)
size_t nlen, rlen = 0;
const struct kexalg *k;
@@ -489,7 +492,7 @@
if (ret != NULL)
ret[rlen++] = sep;
nlen = strlen(k->name);
-@@ -133,7 +176,7 @@ kex_alg_by_name(const char *name)
+@@ -141,7 +184,7 @@ kex_alg_by_name(const char *name)
{
const struct kexalg *k;
@@ -498,7 +501,7 @@
if (strcmp(k->name, name) == 0)
return k;
}
-@@ -153,7 +196,10 @@ kex_names_valid(const char *names)
+@@ -161,7 +204,10 @@ kex_names_valid(const char *names)
for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) {
if (kex_alg_by_name(p) == NULL) {
@@ -509,11 +512,11 @@
free(s);
return 0;
}
-Index: openssh-7.9p1/mac.c
-===================================================================
---- openssh-7.9p1.orig/mac.c 2018-10-17 02:01:20.000000000 +0200
-+++ openssh-7.9p1/mac.c 2019-02-28 17:20:15.923165569 +0100
-@@ -40,6 +40,9 @@
+diff --git a/mac.c b/mac.c
+index f3dda66..90d71c8 100644
+--- a/mac.c
++++ b/mac.c
+@@ -41,6 +41,9 @@
#include "openbsd-compat/openssl-compat.h"
@@ -523,7 +526,7 @@
#define SSH_DIGEST 1 /* SSH_DIGEST_XXX */
#define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */
#define SSH_UMAC128 3
-@@ -54,7 +57,7 @@ struct macalg {
+@@ -55,7 +58,7 @@ struct macalg {
int etm; /* Encrypt-then-MAC */
};
@@ -532,7 +535,7 @@
/* Encrypt-and-MAC (encrypt-and-authenticate) variants */
{ "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0,
0, 0, 0 },
{ "hmac-sha1-96", SSH_DIGEST, SSH_DIGEST_SHA1,
96, 0, 0, 0 },
-@@ -82,6 +85,41 @@ static const struct macalg macs[] = {
+@@ -79,6 +82,41 @@ static const struct macalg macs[] = {
{ NULL, 0, 0, 0, 0, 0, 0 }
};
@@ -574,7 +577,7 @@
/* Returns a list of supported MACs separated by the specified char. */
char *
mac_alg_list(char sep)
-@@ -90,7 +128,7 @@ mac_alg_list(char sep)
+@@ -87,7 +125,7 @@ mac_alg_list(char sep)
size_t nlen, rlen = 0;
const struct macalg *m;
@@ -583,7 +586,7 @@
if (ret != NULL)
ret[rlen++] = sep;
nlen = strlen(m->name);
-@@ -129,7 +167,7 @@ mac_setup(struct sshmac *mac, char *name
+@@ -126,7 +164,7 @@ mac_setup(struct sshmac *mac, char *name)
{
const struct macalg *m;
@@ -592,11 +595,11 @@
if (strcmp(name, m->name) != 0)
continue;
if (mac != NULL)
-Index: openssh-7.9p1/myproposal.h
-===================================================================
---- openssh-7.9p1.orig/myproposal.h 2018-10-17 02:01:20.000000000 +0200
-+++ openssh-7.9p1/myproposal.h 2019-02-28 17:20:15.923165569 +0100
-@@ -151,6 +151,8 @@
+diff --git a/myproposal.h b/myproposal.h
+index 34bd10c..e6be484 100644
+--- a/myproposal.h
++++ b/myproposal.h
+@@ -144,6 +144,8 @@
#else /* WITH_OPENSSL */
@@ -605,10 +608,10 @@
#define KEX_SERVER_KEX \
"curve25519-sha256," \
"[email protected]"
-Index: openssh-7.9p1/readconf.c
-===================================================================
---- openssh-7.9p1.orig/readconf.c 2018-10-17 02:01:20.000000000 +0200
-+++ openssh-7.9p1/readconf.c 2019-02-28 20:20:19.619112418 +0100
+diff --git a/readconf.c b/readconf.c
+index f78b4d6..228f481 100644
+--- a/readconf.c
++++ b/readconf.c
@@ -68,6 +68,8 @@
#include "myproposal.h"
#include "digest.h"
@@ -618,7 +621,7 @@
/* Format of the configuration file:
# Configuration data is parsed as follows:
-@@ -1816,6 +1818,23 @@ option_clear_or_none(const char *o)
+@@ -1837,6 +1839,23 @@ option_clear_or_none(const char *o)
return o == NULL || strcasecmp(o, "none") == 0;
}
@@ -642,7 +645,7 @@
/*
* Initializes options to special values that indicate that they have not yet
* been set. Read_config_file will only set options with this value. Options
-@@ -2095,6 +2114,8 @@ fill_default_options(Options * options)
+@@ -2116,6 +2135,8 @@ fill_default_options(Options * options)
options->canonicalize_hostname = SSH_CANONICALISE_NO;
if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
@@ -651,7 +654,7 @@
if (options->update_hostkeys == -1)
options->update_hostkeys = 0;
-@@ -2122,6 +2143,7 @@ fill_default_options(Options * options)
+@@ -2143,6 +2164,7 @@ fill_default_options(Options * options)
free(all_kex);
free(all_key);
free(all_sig);
@@ -659,10 +662,10 @@
#define CLEAR_ON_NONE(v) \
do { \
-Index: openssh-7.9p1/readconf.h
-===================================================================
---- openssh-7.9p1.orig/readconf.h 2018-10-17 02:01:20.000000000 +0200
-+++ openssh-7.9p1/readconf.h 2019-02-28 17:20:15.923165569 +0100
+diff --git a/readconf.h b/readconf.h
+index 8e36bf3..67111e9 100644
+--- a/readconf.h
++++ b/readconf.h
@@ -197,6 +197,7 @@ typedef struct {
#define SSH_STRICT_HOSTKEY_YES 2
#define SSH_STRICT_HOSTKEY_ASK 3
@@ -671,10 +674,10 @@
void initialize_options(Options *);
void fill_default_options(Options *);
void fill_default_options_for_canonicalization(Options *);
-Index: openssh-7.9p1/servconf.c
-===================================================================
---- openssh-7.9p1.orig/servconf.c 2019-02-28 17:20:15.851165117 +0100
-+++ openssh-7.9p1/servconf.c 2019-02-28 17:20:15.923165569 +0100
+diff --git a/servconf.c b/servconf.c
+index f58fecb..a8833a9 100644
+--- a/servconf.c
++++ b/servconf.c
@@ -64,6 +64,7 @@
#include "auth.h"
#include "myproposal.h"
@@ -716,7 +719,7 @@
}
static void
-@@ -410,6 +430,8 @@ fill_default_server_options(ServerOption
+@@ -424,6 +444,8 @@ fill_default_server_options(ServerOptions *options)
options->fwd_opts.streamlocal_bind_unlink = 0;
if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
@@ -725,20 +728,20 @@
if (options->disable_forwarding == -1)
options->disable_forwarding = 0;
if (options->expose_userauth_info == -1)
-Index: openssh-7.9p1/ssh-keygen.c
-===================================================================
---- openssh-7.9p1.orig/ssh-keygen.c 2018-10-17 02:01:20.000000000 +0200
-+++ openssh-7.9p1/ssh-keygen.c 2019-02-28 17:20:15.923165569 +0100
-@@ -61,6 +61,8 @@
- #include "utf8.h"
+diff --git a/ssh-keygen.c b/ssh-keygen.c
+index 8c829ca..da63fb0 100644
+--- a/ssh-keygen.c
++++ b/ssh-keygen.c
+@@ -64,6 +64,8 @@
#include "authfd.h"
+ #include "sshsig.h"
+#include "fips.h"
+
#ifdef WITH_OPENSSL
# define DEFAULT_KEY_TYPE_NAME "rsa"
#else
-@@ -996,11 +998,13 @@ do_fingerprint(struct passwd *pw)
+@@ -1002,11 +1004,13 @@ do_fingerprint(struct passwd *pw)
static void
do_gen_all_hostkeys(struct passwd *pw)
{
@@ -754,7 +757,7 @@
#ifdef WITH_OPENSSL
{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
-@@ -1015,6 +1019,17 @@ do_gen_all_hostkeys(struct passwd *pw)
+@@ -1021,6 +1025,17 @@ do_gen_all_hostkeys(struct passwd *pw)
{ NULL, NULL, NULL }
};
@@ -769,10 +772,10 @@
+ };
+
+ struct Key_types *key_types;
+ u_int32_t bits = 0;
int first = 0;
struct stat st;
- struct sshkey *private, *public;
-@@ -1022,6 +1037,12 @@ do_gen_all_hostkeys(struct passwd *pw)
+@@ -1029,6 +1044,12 @@ do_gen_all_hostkeys(struct passwd *pw)
int i, type, fd, r;
FILE *f;
@@ -785,7 +788,7 @@
for (i = 0; key_types[i].key_type; i++) {
public = private = NULL;
prv_tmp = pub_tmp = prv_file = pub_file = NULL;
-@@ -2817,6 +2838,15 @@ main(int argc, char **argv)
+@@ -3215,6 +3236,15 @@ main(int argc, char **argv)
key_type_name = DEFAULT_KEY_TYPE_NAME;
type = sshkey_type_from_name(key_type_name);
@@ -801,35 +804,11 @@
type_bits_valid(type, key_type_name, &bits);
if (!quiet)
-Index: openssh-7.9p1/ssh_config.0
-===================================================================
---- openssh-7.9p1.orig/ssh_config.0 2018-10-19 03:06:19.000000000 +0200
-+++ openssh-7.9p1/ssh_config.0 2019-02-28 17:20:15.923165569 +0100
-@@ -353,6 +353,9 @@ DESCRIPTION
- Specifies the hash algorithm used when displaying key
- fingerprints. Valid options are: md5 and sha256 (the default).
-
-+ In the FIPS mode the minimum of SHA-1 is enforced (which means
-+ sha256).
-+
- ForwardAgent
- Specifies whether the connection to the authentication agent (if
- any) will be forwarded to the remote machine. The argument must
-@@ -610,6 +613,9 @@ DESCRIPTION
- The list of available key exchange algorithms may also be
- obtained using "ssh -Q kex".
-
-+ In the FIPS mode the FIPS standard takes precedence over RFC and
-+ forces the minimum to a higher value, currently 2048 bits.
-+
- LocalCommand
- Specifies a command to execute on the local machine after
- successfully connecting to the server. The command string
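Review bot: dropping the whole ssh_config.0 hunk here (and, further down, the matching sshd_config.0 hunk) leaves the FIPS wording ("In the FIPS mode the minimum of SHA-1 is enforced (which means sha256)", "forces the minimum to a higher value, currently 2048 bits") only in the ssh_config.5 and sshd_config.5 sources. That is the right place for it, since the .0 files are generated from the .5 sources, but the build should be checked to confirm it regenerates the .0 pages from the patched sources (via MANTYPE and the *.out rules) rather than installing the pristine upstream .0 files; otherwise the installed manuals no longer mention the FIPS limits that the .5 hunks still document.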
-Index: openssh-7.9p1/ssh_config.5
-===================================================================
---- openssh-7.9p1.orig/ssh_config.5 2018-10-17 02:01:20.000000000 +0200
-+++ openssh-7.9p1/ssh_config.5 2019-02-28 17:20:15.923165569 +0100
-@@ -642,6 +642,8 @@ Valid options are:
+diff --git a/ssh_config.5 b/ssh_config.5
+index 02a8789..f0cb291 100644
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -664,6 +664,8 @@ Valid options are:
and
.Cm sha256
(the default).
@@ -838,11 +817,11 @@
.It Cm ForwardAgent
Specifies whether the connection to the authentication agent (if any)
will be forwarded to the remote machine.
-Index: openssh-7.9p1/sshd.c
-===================================================================
---- openssh-7.9p1.orig/sshd.c 2018-10-17 02:01:20.000000000 +0200
-+++ openssh-7.9p1/sshd.c 2019-03-12 11:41:49.514894158 +0100
-@@ -123,6 +123,8 @@
+diff --git a/sshd.c b/sshd.c
+index 6b55ef7..c8086cd 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -127,6 +127,8 @@
#include "version.h"
#include "ssherr.h"
@@ -851,35 +830,11 @@
/* Re-exec fds */
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
-Index: openssh-7.9p1/sshd_config.0
-===================================================================
---- openssh-7.9p1.orig/sshd_config.0 2019-02-28 17:20:15.851165117 +0100
-+++ openssh-7.9p1/sshd_config.0 2019-02-28 17:20:15.927165594 +0100
-@@ -348,6 +348,9 @@ DESCRIPTION
- Specifies the hash algorithm used when logging key fingerprints.
- Valid options are: md5 and sha256. The default is sha256.
-
-+ In the FIPS mode the minimum of SHA-1 is enforced (which means
-+ sha256).
-+
- ForceCommand
- Forces the execution of the command specified by ForceCommand,
- ignoring any command supplied by the client and ~/.ssh/rc if
-@@ -555,6 +558,9 @@ DESCRIPTION
- The list of available key exchange algorithms may also be
- obtained using "ssh -Q kex".
-
-+ In the FIPS mode the FIPS standard takes precedence over RFC and
-+ forces the minimum to a higher value, currently 2048 bits.
-+
- ListenAddress
- Specifies the local addresses sshd(8) should listen on. The
- following forms may be used:
-Index: openssh-7.9p1/sshd_config.5
-===================================================================
---- openssh-7.9p1.orig/sshd_config.5 2019-02-28 17:20:15.851165117 +0100
-+++ openssh-7.9p1/sshd_config.5 2019-02-28 17:20:15.927165594 +0100
-@@ -603,6 +603,8 @@ and
+diff --git a/sshd_config.5 b/sshd_config.5
+index 0707b47..8818ea5 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -605,6 +605,8 @@ and
.Cm sha256 .
The default is
.Cm sha256 .
++++++ openssh-7.7p1-fips_checks.patch ++++++
--- /var/tmp/diff_new_pack.mNRO2C/_old 2020-02-13 14:40:40.501651327 +0100
+++ /var/tmp/diff_new_pack.mNRO2C/_new 2020-02-13 14:40:40.505651328 +0100
@@ -14,10 +14,11 @@
# file is not found (or the hash matches), proceed in non-FIPS mode and abort
# otherwise.
-Index: openssh-7.9p1/fips-check.c
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ openssh-7.9p1/fips-check.c 2019-03-12 11:42:19.299050200 +0100
+diff --git a/fips-check.c b/fips-check.c
+new file mode 100644
+index 0000000..eceb031
+--- /dev/null
++++ b/fips-check.c
@@ -0,0 +1,34 @@
+#include "includes.h"
+#include <fcntl.h>
@@ -53,10 +54,10 @@
+ fips_ssh_init();
+ return 0;
+}
-Index: openssh-7.9p1/fips.c
-===================================================================
---- openssh-7.9p1.orig/fips.c 2019-03-12 11:42:19.299050200 +0100
-+++ openssh-7.9p1/fips.c 2019-03-12 11:43:02.363275819 +0100
+diff --git a/fips.c b/fips.c
+index 23e3876..297ae99 100644
+--- a/fips.c
++++ b/fips.c
@@ -35,30 +35,293 @@
#include "log.h"
#include "xmalloc.h"
@@ -245,9 +246,7 @@
{
int fips_required = 0;
- char *env = getenv(SSH_FORCE_FIPS_ENV);
-+ int fips_fd;
-+ char fips_sys = 0;
-
+-
- if (env) {
- errno = 0;
- fips_required = strtol(env, NULL, 10);
@@ -257,6 +256,9 @@
- fips_required = 0;
- } else
- fips_required = 1;
++ int fips_fd;
++ char fips_sys = 0;
++
+ struct stat dummy;
+ if (-1 == stat(FIPS_PROC_PATH, &dummy)) {
+ switch (errno) {
@@ -362,10 +364,10 @@
int
fips_mode(void)
{
-Index: openssh-7.9p1/fips.h
-===================================================================
---- openssh-7.9p1.orig/fips.h 2019-03-12 11:42:13.819021490 +0100
-+++ openssh-7.9p1/fips.h 2019-03-12 11:42:19.303050221 +0100
+diff --git a/fips.h b/fips.h
+index a115a61..3404684 100644
+--- a/fips.h
++++ b/fips.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012 Petr Cerny. All rights reserved.
@@ -402,38 +404,38 @@
int fips_mode(void);
int fips_correct_dgst(int);
int fips_dgst_min(void);
-@@ -41,4 +56,3 @@ enum fp_type fips_correct_fp_type(enum
+@@ -41,4 +56,3 @@ enum fp_type fips_correct_fp_type(enum fp_type);
int fips_filter_crypto(char **, fips_filters);
#endif
-
-Index: openssh-7.9p1/sftp-server.c
-===================================================================
---- openssh-7.9p1.orig/sftp-server.c 2019-03-12 11:42:13.819021490 +0100
-+++ openssh-7.9p1/sftp-server.c 2019-03-12 11:42:19.303050221 +0100
-@@ -51,6 +51,8 @@
- #include "sftp.h"
- #include "sftp-common.h"
+diff --git a/sftp-server.c b/sftp-server.c
+index b133cbc..c3086b6 100644
+--- a/sftp-server.c
++++ b/sftp-server.c
+@@ -53,6 +53,8 @@
+
+ char *sftp_realpath(const char *, char *); /* sftp-realpath.c */
+#include "fips.h"
+
/* Our verbosity */
static LogLevel log_level = SYSLOG_LEVEL_ERROR;
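Review bot: in the rebased sftp-server.c include hunk, `#include "fips.h"` now lands after the `char *sftp_realpath(const char *, char *); /* sftp-realpath.c */` prototype instead of with the other includes; the 7.9p1 version of the same hunk placed it directly after `#include "sftp-common.h"`. Move it back up next to the other `#include` lines so the include block stays contiguous and the prototype keeps its comment adjacent to the declaration it annotates.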
-@@ -1509,6 +1511,9 @@ sftp_server_main(int argc, char **argv,
+@@ -1595,6 +1597,9 @@ sftp_server_main(int argc, char **argv, struct passwd
*user_pw)
extern char *optarg;
extern char *__progname;
+ /* initialize fips */
+ fips_ssh_init();
+
- ssh_malloc_init(); /* must be called before any mallocs */
__progname = ssh_get_progname(argv[0]);
log_init(__progname, log_level, log_facility, log_stderr);
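Review bot: in the sftp_server_main() hunk, `fips_ssh_init();` is now the first statement of the function, ahead of both `__progname = ssh_get_progname(argv[0]);` and `log_init(__progname, log_level, log_facility, log_stderr);`. The patch description above says the check aborts when the FIPS hash does not match, so that abort path runs before logging is configured and with __progname still unset, which means the failure is reported to stderr under whatever default name the log layer uses rather than to syslog as sftp-server. If the check can fail at this point, consider moving the call to just after log_init() so the reason is recorded where an operator will look for it. The removal of the `ssh_malloc_init();` context line is only the rebase onto 8.1p1, whose source no longer has that call at this spot.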
-Index: openssh-7.9p1/ssh.c
-===================================================================
---- openssh-7.9p1.orig/ssh.c 2019-03-12 11:42:13.823021511 +0100
-+++ openssh-7.9p1/ssh.c 2019-03-12 11:42:19.303050221 +0100
+
+diff --git a/ssh.c b/ssh.c
+index ee51823..882d1da 100644
+--- a/ssh.c
++++ b/ssh.c
@@ -113,6 +113,8 @@
#include "ssh-pkcs11.h"
#endif
@@ -443,29 +445,29 @@
extern char *__progname;
/* Saves a copy of argv for setproctitle emulation */
-@@ -593,6 +595,10 @@ main(int ac, char **av)
+@@ -596,6 +598,10 @@ main(int ac, char **av)
struct ssh_digest_ctx *md;
u_char conn_hash[SSH_DIGEST_MAX_LENGTH];
-+ /* initialize fips - can go before ssh_malloc_init(), since that is a
-+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
++ /* initialize fips - can go before ssh_malloc_init(), since that is a
++ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
+ fips_ssh_init();
+
- ssh_malloc_init(); /* must be called before any mallocs */
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
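Review bot: the rebased comment in the ssh.c main() hunk still reads "can go before ssh_malloc_init(), since that is a OpenBSD-only thing (as of OpenSSH 7.6p1)", but the `ssh_malloc_init();` context line it refers to has been dropped from the new version of the hunk, so the comment now justifies an ordering against a call that is no longer there. Rewrite it to state the real requirement (what fips_ssh_init() has to run before) or drop it; while touching it, "a OpenBSD-only" should read "an OpenBSD-only". The identical stale comment is carried in the sshd.c hunk below.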
-Index: openssh-7.9p1/sshd.c
-===================================================================
---- openssh-7.9p1.orig/sshd.c 2019-03-12 11:42:13.823021511 +0100
-+++ openssh-7.9p1/sshd.c 2019-03-12 11:42:19.303050221 +0100
-@@ -1485,6 +1485,10 @@ main(int ac, char **av)
+
+diff --git a/sshd.c b/sshd.c
+index c8086cd..bb20eec 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -1443,6 +1443,10 @@ main(int ac, char **av)
Authctxt *authctxt;
struct connection_info *connection_info = NULL;
-+ /* initialize fips - can go before ssh_malloc_init(), since that is a
-+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
++ /* initialize fips - can go before ssh_malloc_init(), since that is a
++ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
+ fips_ssh_init();
+
- ssh_malloc_init(); /* must be called before any mallocs */
-
#ifdef HAVE_SECUREWARE
+ (void)set_auth_parameters(ac, av);
+ #endif
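Review bot: same stale comment as in the ssh.c hunk: `/* initialize fips - can go before ssh_malloc_init(), since that is a OpenBSD-only thing (as of OpenSSH 7.6p1) */` survives the rebase while the `ssh_malloc_init();` line it describes (and the blank line after it) is removed from the context, so it should be rewritten or dropped here as well. The placement itself is fine: with `(void)set_auth_parameters(ac, av);` under HAVE_SECUREWARE now following it, fips_ssh_init() stays the first thing main() does, consistent with the ssh.c and sftp-server.c hunks.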
++++++ openssh-7.7p1-hostname_changes_when_forwarding_X.patch ++++++
--- /var/tmp/diff_new_pack.mNRO2C/_old 2020-02-13 14:40:40.517651335 +0100
+++ /var/tmp/diff_new_pack.mNRO2C/_new 2020-02-13 14:40:40.517651335 +0100
@@ -5,11 +5,11 @@
bnc#98627
-Index: openssh-7.8p1/session.c
-===================================================================
---- openssh-7.8p1.orig/session.c
-+++ openssh-7.8p1/session.c
-@@ -1009,7 +1009,7 @@ copy_environment(char **source, char ***
+diff --git a/session.c b/session.c
+index 94d7438..d81060c 100644
+--- a/session.c
++++ b/session.c
+@@ -981,7 +981,7 @@ copy_environment(char **source, char ***env, u_int
*envsize)
}
static char **
@@ -18,7 +18,7 @@
{
char buf[256];
size_t n;
-@@ -1213,6 +1213,8 @@ do_setup_env(struct ssh *ssh, Session *s
+@@ -1191,6 +1191,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char
*shell)
for (i = 0; env[i]; i++)
fprintf(stderr, " %.200s\n", env[i]);
}
@@ -27,7 +27,7 @@
return env;
}
-@@ -1221,7 +1223,7 @@ do_setup_env(struct ssh *ssh, Session *s
+@@ -1199,7 +1201,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char
*shell)
* first in this order).
*/
static void
@@ -36,7 +36,7 @@
{
FILE *f = NULL;
char cmd[1024];
-@@ -1276,12 +1278,20 @@ do_rc_files(struct ssh *ssh, Session *s,
+@@ -1254,12 +1256,20 @@ do_rc_files(struct ssh *ssh, Session *s, const char
*shell)
options.xauth_location);
f = popen(cmd, "w");
if (f) {
@@ -57,15 +57,15 @@
} else {
fprintf(stderr, "Could not run %s\n",
cmd);
-@@ -1534,6 +1544,7 @@ do_child(struct ssh *ssh, Session *s, co
- {
- extern char **environ;
- char **env;
-+ int env_size;
- char *argv[ARGV_MAX];
+@@ -1515,6 +1525,7 @@ do_child(struct ssh *ssh, Session *s, const char
*command)
+ char **env, *argv[ARGV_MAX], remote_id[512];
const char *shell, *shell0;
struct passwd *pw = s->pw;
-@@ -1591,7 +1602,7 @@ do_child(struct ssh *ssh, Session *s, co
++ int env_size;
+ int r = 0;
+
+ sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
+@@ -1571,7 +1582,7 @@ do_child(struct ssh *ssh, Session *s, const char
*command)
* Make sure $SHELL points to the shell from the password file,
* even if shell is overridden from login.conf
*/
@@ -74,7 +74,7 @@
#ifdef HAVE_LOGIN_CAP
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
-@@ -1655,7 +1666,7 @@ do_child(struct ssh *ssh, Session *s, co
+@@ -1635,7 +1646,7 @@ do_child(struct ssh *ssh, Session *s, const char
*command)
closefrom(STDERR_FILENO + 1);
++++++ openssh-7.7p1-ldap.patch ++++++
--- /var/tmp/diff_new_pack.mNRO2C/_old 2020-02-13 14:40:40.521651338 +0100
+++ /var/tmp/diff_new_pack.mNRO2C/_new 2020-02-13 14:40:40.521651338 +0100
@@ -10,10 +10,11 @@
# internal versions. ssh-keyconverter consequently fails to link as it lacks
# the proper flags, and libopenbsd-compat doesn't contain the b64_* functions)
-Index: openssh-7.9p1/HOWTO.ldap-keys
-===================================================================
+diff --git a/HOWTO.ldap-keys b/HOWTO.ldap-keys
+new file mode 100644
+index 0000000..831d399
--- /dev/null
-+++ openssh-7.9p1/HOWTO.ldap-keys
++++ b/HOWTO.ldap-keys
@@ -0,0 +1,108 @@
+
+HOW TO START
@@ -123,11 +124,11 @@
+ - frederic peters.
+ - Finlay dobbie.
+ - Stefan Fisher.
-Index: openssh-7.9p1/Makefile.in
-===================================================================
---- openssh-7.9p1.orig/Makefile.in
-+++ openssh-7.9p1/Makefile.in
-@@ -24,6 +24,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
+diff --git a/Makefile.in b/Makefile.in
+index 750aada..1baf5c6 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -24,6 +24,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
@@ -136,7 +137,7 @@
CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
CAVSTEST_KDF=$(libexecdir)/cavstest-kdf
PRIVSEP_PATH=@PRIVSEP_PATH@
-@@ -66,6 +68,9 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-a
+@@ -66,6 +68,9 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT)
ssh-keygen$(EXEEXT) ssh-keys
TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
@@ -146,7 +147,7 @@
XMSS_OBJS=\
ssh-xmss.o \
sshkey-xmss.o \
-@@ -130,8 +135,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
+@@ -127,8 +132,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
sandbox-solaris.o uidswap.o
@@ -157,17 +158,17 @@
MANTYPE = @MANTYPE@
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
-@@ -206,6 +211,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
+@@ -208,6 +213,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a
ssh-pkcs11-helper.o ssh-pkcs11
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh
$(LIBS)
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o
ldapmisc.o ldap-helper.o
+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS)
-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
- sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o
sftp-server.o sftp-server-main.o
- $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS)
-lssh -lopenbsd-compat $(LIBS)
+ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o
sftp-server.o sftp-realpath.o sftp-server-main.o
+ $(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o
sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat
$(LIBS)
-@@ -361,6 +369,10 @@ install-files:
+@@ -363,6 +371,10 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT)
$(DESTDIR)$(sbindir)/sshd$(EXEEXT)
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT)
$(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT)
$(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@@ -178,7 +179,7 @@
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT)
$(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT)
$(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT)
$(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
-@@ -379,6 +391,10 @@ install-files:
+@@ -381,6 +393,10 @@ install-files:
$(INSTALL) -m 644 sftp-server.8.out
$(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
$(INSTALL) -m 644 ssh-keysign.8.out
$(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out
$(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@@ -189,7 +190,7 @@
install-sysconf:
$(MKDIR_P) $(DESTDIR)$(sysconfdir)
-@@ -402,6 +418,13 @@ install-sysconf:
+@@ -404,6 +420,13 @@ install-sysconf:
else \
echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install
will not overwrite"; \
fi
@@ -203,7 +204,7 @@
host-key: ssh-keygen$(EXEEXT)
@if [ -z "$(DESTDIR)" ] ; then \
-@@ -439,6 +462,8 @@ uninstall:
+@@ -441,6 +464,8 @@ uninstall:
-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@@ -212,7 +213,7 @@
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-@@ -450,6 +475,7 @@ uninstall:
+@@ -452,6 +477,7 @@ uninstall:
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@@ -220,11 +221,11 @@
regress-prep:
$(MKDIR_P) `pwd`/regress/unittests/test_helper
-Index: openssh-7.9p1/configure.ac
-===================================================================
---- openssh-7.9p1.orig/configure.ac
-+++ openssh-7.9p1/configure.ac
-@@ -1671,6 +1671,106 @@ AC_ARG_WITH([audit],
+diff --git a/configure.ac b/configure.ac
+index 20a1884..ff9c11a 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1651,6 +1651,106 @@ AC_ARG_WITH([audit],
esac ]
)
@@ -331,10 +332,11 @@
AC_ARG_WITH([pie],
[ --with-pie Build Position Independent Executables if
possible], [
if test "x$withval" = "xno"; then
-Index: openssh-7.9p1/ldap-helper.c
-===================================================================
+diff --git a/ldap-helper.c b/ldap-helper.c
+new file mode 100644
+index 0000000..0efff1f
--- /dev/null
-+++ openssh-7.9p1/ldap-helper.c
++++ b/ldap-helper.c
@@ -0,0 +1,155 @@
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -491,10 +493,11 @@
+void *buffer_get_string(struct sshbuf *b, u_int *l) { return NULL; }
+void buffer_put_string(struct sshbuf *b, const void *f, u_int l) {}
+
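Review bot: the two stubs that close ldap-helper.c, `void *buffer_get_string(struct sshbuf *b, u_int *l) { return NULL; }` and `void buffer_put_string(struct sshbuf *b, const void *f, u_int l) {}`, silently return NULL or discard the data if any code linked into ssh-ldap-helper ever reaches them. If they exist only to satisfy the linker (the patch header above describes link problems around the b64_* and internal symbols), make them fail loudly instead, for example `fatal("%s: not available in ssh-ldap-helper", __func__);` in both bodies, so an unexpected call path shows up as an immediate, logged abort rather than a NULL dereference in the caller or an empty key answer handed back to sshd.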
-Index: openssh-7.9p1/ldap-helper.h
-===================================================================
+diff --git a/ldap-helper.h b/ldap-helper.h
+new file mode 100644
+index 0000000..14cb29a
--- /dev/null
-+++ openssh-7.9p1/ldap-helper.h
++++ b/ldap-helper.h
@@ -0,0 +1,32 @@
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -528,10 +531,11 @@
+extern int config_warning_config_file;
+
+#endif /* LDAP_HELPER_H */
-Index: openssh-7.9p1/ldap.conf
-===================================================================
+diff --git a/ldap.conf b/ldap.conf
+new file mode 100644
+index 0000000..42e38d3
--- /dev/null
-+++ openssh-7.9p1/ldap.conf
++++ b/ldap.conf
@@ -0,0 +1,88 @@
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
+#
@@ -621,10 +625,11 @@
+#tls_cert
+#tls_key
+
-Index: openssh-7.9p1/ldapbody.c
-===================================================================
+diff --git a/ldapbody.c b/ldapbody.c
+new file mode 100644
+index 0000000..032cc89
--- /dev/null
-+++ openssh-7.9p1/ldapbody.c
++++ b/ldapbody.c
@@ -0,0 +1,494 @@
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -1120,10 +1125,11 @@
+ return;
+}
+
-Index: openssh-7.9p1/ldapbody.h
-===================================================================
+diff --git a/ldapbody.h b/ldapbody.h
+new file mode 100644
+index 0000000..665dca2
--- /dev/null
-+++ openssh-7.9p1/ldapbody.h
++++ b/ldapbody.h
@@ -0,0 +1,37 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -1162,10 +1168,11 @@
+
+#endif /* LDAPBODY_H */
+
-Index: openssh-7.9p1/ldapconf.c
-===================================================================
+diff --git a/ldapconf.c b/ldapconf.c
+new file mode 100644
+index 0000000..2e22438
--- /dev/null
-+++ openssh-7.9p1/ldapconf.c
++++ b/ldapconf.c
@@ -0,0 +1,711 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -1878,10 +1885,11 @@
+ dump_cfg_string(lSSH_Filter, options.ssh_filter);
+}
+
-Index: openssh-7.9p1/ldapconf.h
-===================================================================
+diff --git a/ldapconf.h b/ldapconf.h
+new file mode 100644
+index 0000000..c2aa704
--- /dev/null
-+++ openssh-7.9p1/ldapconf.h
++++ b/ldapconf.h
@@ -0,0 +1,71 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -1954,10 +1962,11 @@
+void dump_config(void);
+
+#endif /* LDAPCONF_H */
-Index: openssh-7.9p1/ldapincludes.h
-===================================================================
+diff --git a/ldapincludes.h b/ldapincludes.h
+new file mode 100644
+index 0000000..8539bdc
--- /dev/null
-+++ openssh-7.9p1/ldapincludes.h
++++ b/ldapincludes.h
@@ -0,0 +1,41 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -2000,10 +2009,11 @@
+#endif
+
+#endif /* LDAPINCLUDES_H */
-Index: openssh-7.9p1/ldapmisc.c
-===================================================================
+diff --git a/ldapmisc.c b/ldapmisc.c
+new file mode 100644
+index 0000000..de23c0c
--- /dev/null
-+++ openssh-7.9p1/ldapmisc.c
++++ b/ldapmisc.c
@@ -0,0 +1,79 @@
+
+#include "ldapincludes.h"
@@ -2084,10 +2094,11 @@
+}
+#endif
+
-Index: openssh-7.9p1/ldapmisc.h
-===================================================================
+diff --git a/ldapmisc.h b/ldapmisc.h
+new file mode 100644
+index 0000000..4c271df
--- /dev/null
-+++ openssh-7.9p1/ldapmisc.h
++++ b/ldapmisc.h
@@ -0,0 +1,35 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -2124,10 +2135,10 @@
+
+#endif /* LDAPMISC_H */
+
-Index: openssh-7.9p1/openbsd-compat/base64.c
-===================================================================
---- openssh-7.9p1.orig/openbsd-compat/base64.c
-+++ openssh-7.9p1/openbsd-compat/base64.c
+diff --git a/openbsd-compat/base64.c b/openbsd-compat/base64.c
+index 9e74667..14824be 100644
+--- a/openbsd-compat/base64.c
++++ b/openbsd-compat/base64.c
@@ -46,7 +46,7 @@
#include "includes.h"
@@ -2146,7 +2157,7 @@
int
b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize)
{
-@@ -185,7 +185,7 @@ b64_ntop(u_char const *src, size_t srcle
+@@ -185,7 +185,7 @@ b64_ntop(u_char const *src, size_t srclength, char
*target, size_t targsize)
}
#endif /* !defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP) */
@@ -2155,10 +2166,10 @@
/* skips all whitespace anywhere.
converts characters, four at a time, starting at (or after)
-Index: openssh-7.9p1/openbsd-compat/base64.h
-===================================================================
---- openssh-7.9p1.orig/openbsd-compat/base64.h
-+++ openssh-7.9p1/openbsd-compat/base64.h
+diff --git a/openbsd-compat/base64.h b/openbsd-compat/base64.h
+index bd77293..e27df9a 100644
+--- a/openbsd-compat/base64.h
++++ b/openbsd-compat/base64.h
@@ -45,16 +45,16 @@
#include "includes.h"
@@ -2180,10 +2191,11 @@
int b64_pton(char const *src, u_char *target, size_t targsize);
# endif /* !HAVE_B64_PTON */
# define __b64_pton(a,b,c) b64_pton(a,b,c)
-Index: openssh-7.9p1/openssh-lpk-openldap.schema
-===================================================================
+diff --git a/openssh-lpk-openldap.schema b/openssh-lpk-openldap.schema
+new file mode 100644
+index 0000000..c84f90f
--- /dev/null
-+++ openssh-7.9p1/openssh-lpk-openldap.schema
++++ b/openssh-lpk-openldap.schema
@@ -0,0 +1,21 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
@@ -2206,10 +2218,11 @@
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid )
+ )
-Index: openssh-7.9p1/openssh-lpk-sun.schema
-===================================================================
+diff --git a/openssh-lpk-sun.schema b/openssh-lpk-sun.schema
+new file mode 100644
+index 0000000..3136673
--- /dev/null
-+++ openssh-7.9p1/openssh-lpk-sun.schema
++++ b/openssh-lpk-sun.schema
@@ -0,0 +1,23 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
@@ -2234,10 +2247,11 @@
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid )
+ )
-Index: openssh-7.9p1/ssh-ldap-helper.8
-===================================================================
+diff --git a/ssh-ldap-helper.8 b/ssh-ldap-helper.8
+new file mode 100644
+index 0000000..f8440e4
--- /dev/null
-+++ openssh-7.9p1/ssh-ldap-helper.8
++++ b/ssh-ldap-helper.8
@@ -0,0 +1,79 @@
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\"
@@ -2318,19 +2332,21 @@
+OpenSSH 5.5 + PKA-LDAP .
+.Sh AUTHORS
+.An Jan F. Chadima Aq [email protected]
-Index: openssh-7.9p1/ssh-ldap-wrapper
-===================================================================
+diff --git a/ssh-ldap-wrapper b/ssh-ldap-wrapper
+new file mode 100644
+index 0000000..9fdfc37
--- /dev/null
-+++ openssh-7.9p1/ssh-ldap-wrapper
++++ b/ssh-ldap-wrapper
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+exec @LIBEXECDIR@/ssh-ldap-helper -s "$1"
+
-Index: openssh-7.9p1/ssh-ldap.conf.5
-===================================================================
+diff --git a/ssh-ldap.conf.5 b/ssh-ldap.conf.5
+new file mode 100644
+index 0000000..15eb03d
--- /dev/null
-+++ openssh-7.9p1/ssh-ldap.conf.5
++++ b/ssh-ldap.conf.5
@@ -0,0 +1,376 @@
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\"
++++++ openssh-7.7p1-seed-prng.patch ++++++
--- /var/tmp/diff_new_pack.mNRO2C/_old 2020-02-13 14:40:40.541651349 +0100
+++ /var/tmp/diff_new_pack.mNRO2C/_new 2020-02-13 14:40:40.541651349 +0100
@@ -3,25 +3,71 @@
# extended support for (re-)seeding the OpenSSL PRNG from /dev/random
# bnc#703221, FATE#312172
-Index: openssh-7.8p1/entropy.c
-===================================================================
---- openssh-7.8p1.orig/entropy.c
-+++ openssh-7.8p1/entropy.c
-@@ -235,6 +235,9 @@ seed_rng(void)
- memset(buf, '\0', sizeof(buf));
+diff --git a/Makefile.in b/Makefile.in
+index 85818f4..750aada 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -182,13 +182,13 @@ libssh.a: $(LIBSSH_OBJS)
+ $(RANLIB) $@
+ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
+- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS)
$(LIBS) $(GSSLIBS)
++ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh
$(SSHLIBS) $(LIBS) $(GSSLIBS)
+
+ sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
+- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS)
$(LIBS) $(GSSLIBS) $(K5LIBS)
++ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh
$(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
+
+ scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
+- $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat
$(LIBS)
++ $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat
-lssh -lopenbsd-compat $(LIBS)
+
+ ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+@@ -197,10 +197,10 @@ ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o
ssh-pkcs11-client.o
+ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh
-lopenbsd-compat $(LIBS)
+
+ ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o sshsig.o
+- $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat
$(LIBS)
++ $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat
-lssh -lopenbsd-compat $(LIBS)
+
+ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o
uidswap.o compat.o
+- $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh
-lopenbsd-compat $(LIBS)
++ $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh
-lopenbsd-compat -lssh $(LIBS)
+
+ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o
ssh-pkcs11.o
+ $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh
-lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+@@ -209,10 +209,10 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
+ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh
$(LIBS)
+
+ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o
sftp-server.o sftp-realpath.o sftp-server-main.o
+- $(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o
sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++ $(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o
sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat
$(LIBS)
+
+ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o
sftp-glob.o progressmeter.o
+- $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o
sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
++ $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o
sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
$(LIBEDIT)
+
+ # FIPS tests
+ cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
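Review bot: same inconsistency in this hunk: `ssh-keyscan` gets `-lssh -lopenbsd-compat -lssh $(LIBS)` while `sftp-server` and `sftp` get the full doubled pair, and for `sftp` the doubled group is inserted before `$(LIBS) $(LIBEDIT)`, so `$(LIBEDIT)` is still only listed once at the end. Since the whole point of the repetition is link order, spell out once in a comment which symbol cycle forces it (libssh.a needing libopenbsd-compat.a needing libssh.a), and use one shared definition for the group so the next rebase (this meta-diff already shows one, with `readconf.o uidswap.o compat.o` and `sshsig.o` picked up from upstream) does not drift further.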
+diff --git a/entropy.c b/entropy.c
+index 5de6801..f8b9f42 100644
+--- a/entropy.c
++++ b/entropy.c
+@@ -239,6 +239,8 @@ seed_rng(void)
+ }
#endif /* OPENSSL_PRNG_ONLY */
-+
+
+ linux_seed();
+
if (RAND_status() != 1)
fatal("PRNG is not seeded");
- }
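Review bot: `linux_seed();` is inserted unconditionally after the `#endif /* OPENSSL_PRNG_ONLY */` line, with no `#ifdef __linux__` around it, immediately before the `RAND_status()` check that calls `fatal("PRNG is not seeded")`. That only builds on non-Linux targets if `port-linux.h` declares (and the compat layer provides) `linux_seed` there as well; the `port-linux.h` hunk further down adds four lines right after `#define _PORT_LINUX_H` but their guard is not visible in this meta-diff, so please confirm, or wrap the call in the same guard the declaration uses. A one-line comment stating that this seeding is applied on top of OpenSSL's own and that the following `RAND_status()` check is the fail-closed backstop would also help the next rebase.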
-Index: openssh-7.8p1/openbsd-compat/Makefile.in
-===================================================================
---- openssh-7.8p1.orig/openbsd-compat/Makefile.in
-+++ openssh-7.8p1/openbsd-compat/Makefile.in
-@@ -90,6 +90,7 @@ COMPAT= arc4random.o \
+
+diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
+index 1162dc5..80fd688 100644
+--- a/openbsd-compat/Makefile.in
++++ b/openbsd-compat/Makefile.in
+@@ -91,6 +91,7 @@ COMPAT= arc4random.o \
PORTS= port-aix.o \
port-irix.o \
port-linux.o \
@@ -29,10 +75,11 @@
port-solaris.o \
port-net.o \
port-uw.o
-Index: openssh-7.8p1/openbsd-compat/port-linux-prng.c
-===================================================================
+diff --git a/openbsd-compat/port-linux-prng.c
b/openbsd-compat/port-linux-prng.c
+new file mode 100644
+index 0000000..dfc4bdb
--- /dev/null
-+++ openssh-7.8p1/openbsd-compat/port-linux-prng.c
++++ b/openbsd-compat/port-linux-prng.c
@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 2011 Jan F. Chadima <[email protected]>
@@ -115,10 +162,10 @@
+ fatal ("EOF reading %s", rand_file);
+ }
+}
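Review bot: the one body line visible from the new file, `fatal ("EOF reading %s", rand_file);`, treats a short read of the seed file as fatal. Fail-closed is the right choice for RNG seeding, but the message should say how many bytes were requested and how many arrived so an operator can tell a truncated seed file from a missing one; and `fatal (` with a space before the parenthesis departs from the style used in the rest of the tree (`fatal(`). The `index 0000000..dfc4bdb` header with `@@ -0,0 +1,81 @@` shows the file is new in both versions of the patch, so only the header and tail are shown here and the read loop itself cannot be reviewed from this diff.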
-Index: openssh-7.8p1/openbsd-compat/port-linux.h
-===================================================================
---- openssh-7.8p1.orig/openbsd-compat/port-linux.h
-+++ openssh-7.8p1/openbsd-compat/port-linux.h
+diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
+index 3c22a85..2dc1fd0 100644
+--- a/openbsd-compat/port-linux.h
++++ b/openbsd-compat/port-linux.h
@@ -17,6 +17,10 @@
#ifndef _PORT_LINUX_H
#define _PORT_LINUX_H
@@ -130,11 +177,11 @@
#ifdef WITH_SELINUX
int ssh_selinux_enabled(void);
void ssh_selinux_setup_pty(char *, const char *);
-Index: openssh-7.8p1/ssh-add.1
-===================================================================
---- openssh-7.8p1.orig/ssh-add.1
-+++ openssh-7.8p1/ssh-add.1
-@@ -172,6 +172,20 @@ to make this work.)
+diff --git a/ssh-add.1 b/ssh-add.1
+index d4e1c60..6f76900 100644
+--- a/ssh-add.1
++++ b/ssh-add.1
+@@ -189,6 +189,20 @@ to make this work.)
Identifies the path of a
.Ux Ns -domain
socket used to communicate with the agent.
@@ -155,11 +202,11 @@
.El
.Sh FILES
.Bl -tag -width Ds
-Index: openssh-7.8p1/ssh-agent.1
-===================================================================
---- openssh-7.8p1.orig/ssh-agent.1
-+++ openssh-7.8p1/ssh-agent.1
-@@ -214,6 +214,23 @@ sockets used to contain the connection t
+diff --git a/ssh-agent.1 b/ssh-agent.1
+index 83b2b41..9e187f2 100644
+--- a/ssh-agent.1
++++ b/ssh-agent.1
+@@ -214,6 +214,23 @@ sockets used to contain the connection to the
authentication agent.
These sockets should only be readable by the owner.
The sockets should get automatically removed when the agent exits.
.El
@@ -183,11 +230,11 @@
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
-Index: openssh-7.8p1/ssh-keygen.1
-===================================================================
---- openssh-7.8p1.orig/ssh-keygen.1
-+++ openssh-7.8p1/ssh-keygen.1
-@@ -869,6 +869,23 @@ Contains Diffie-Hellman groups used for
+diff --git a/ssh-keygen.1 b/ssh-keygen.1
+index 957d2f0..70c4a28 100644
+--- a/ssh-keygen.1
++++ b/ssh-keygen.1
+@@ -1054,6 +1054,23 @@ Contains Diffie-Hellman groups used for DH-GEX.
The file format is described in
.Xr moduli 5 .
.El
@@ -211,11 +258,11 @@
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
-Index: openssh-7.8p1/ssh-keysign.8
-===================================================================
---- openssh-7.8p1.orig/ssh-keysign.8
-+++ openssh-7.8p1/ssh-keysign.8
-@@ -80,6 +80,23 @@ must be set-uid root if host-based authe
+diff --git a/ssh-keysign.8 b/ssh-keysign.8
+index 19b0dbc..639b56e 100644
+--- a/ssh-keysign.8
++++ b/ssh-keysign.8
+@@ -80,6 +80,23 @@ must be set-uid root if host-based authentication is used.
If these files exist they are assumed to contain public certificate
information corresponding with the private keys above.
.El
@@ -239,11 +286,11 @@
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-keygen 1 ,
-Index: openssh-7.8p1/ssh.1
-===================================================================
---- openssh-7.8p1.orig/ssh.1
-+++ openssh-7.8p1/ssh.1
-@@ -1432,6 +1432,20 @@ For more information, see the
+diff --git a/ssh.1 b/ssh.1
+index 424d6c3..899a339 100644
+--- a/ssh.1
++++ b/ssh.1
+@@ -1433,6 +1433,20 @@ For more information, see the
.Cm PermitUserEnvironment
option in
.Xr sshd_config 5 .
@@ -264,11 +311,11 @@
.Sh FILES
.Bl -tag -width Ds -compact
.It Pa ~/.rhosts
-Index: openssh-7.8p1/sshd.8
-===================================================================
---- openssh-7.8p1.orig/sshd.8
-+++ openssh-7.8p1/sshd.8
-@@ -966,6 +966,23 @@ concurrently for different ports, this c
+diff --git a/sshd.8 b/sshd.8
+index fb133c1..2f1d3ab 100644
+--- a/sshd.8
++++ b/sshd.8
+@@ -966,6 +966,23 @@ concurrently for different ports, this contains the
process ID of the one
started last).
The content of this file is not sensitive; it can be world-readable.
.El
@@ -292,10 +339,10 @@
.Sh SEE ALSO
.Xr scp 1 ,
.Xr sftp 1 ,
-Index: openssh-7.8p1/sshd.c
-===================================================================
---- openssh-7.8p1.orig/sshd.c
-+++ openssh-7.8p1/sshd.c
+diff --git a/sshd.c b/sshd.c
+index bb20eec..c562094 100644
+--- a/sshd.c
++++ b/sshd.c
@@ -55,6 +55,8 @@
#endif
#include "openbsd-compat/sys-tree.h"
@@ -305,7 +352,7 @@
#include <sys/wait.h>
#include <errno.h>
-@@ -208,6 +210,13 @@ struct {
+@@ -205,6 +207,13 @@ struct {
int have_ssh2_key;
} sensitive_data;
@@ -319,8 +366,8 @@
/* This is set to true when a signal is received. */
static volatile sig_atomic_t received_sighup = 0;
static volatile sig_atomic_t received_sigterm = 0;
-@@ -1252,6 +1261,10 @@ server_accept_loop(int *sock_in, int *so
- startups++;
+@@ -1201,6 +1210,10 @@ server_accept_loop(int *sock_in, int *sock_out, int
*newsock, int *config_s)
+ startup_flags[j] = 1;
break;
}
+ if(!(--re_seeding_counter)) {
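Review bot: `if(!(--re_seeding_counter)) {` in the `server_accept_loop` hunk does not follow the file's KNF style (`if (` with a space) and reads more clearly as `if (--re_seeding_counter == 0) {`. More substantively, the decrement sits in the per-accept path (right after `startup_flags[j] = 1; break;`), so the reseed interval is measured in accepted connections rather than elapsed time: a listener that accepts few connections reseeds rarely, and the body (not shown here) must reset the counter, otherwise it goes negative after the first reseed and the test never fires again. If connection-count pacing is intended, say so in a comment at the decrement. The changed context (old `startups++`, new `startup_flags[j] = 1`) shows this was rebased over upstream's rewrite of the startup tracking; worth re-checking that the counter is still decremented exactly once per accepted connection in the new loop.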
++++++ openssh-7.7p1-sftp_print_diagnostic_messages.patch ++++++
--- /var/tmp/diff_new_pack.mNRO2C/_old 2020-02-13 14:40:40.557651357 +0100
+++ /var/tmp/diff_new_pack.mNRO2C/_new 2020-02-13 14:40:40.557651357 +0100
@@ -3,26 +3,11 @@
Put back sftp client diagnostic messages in batch mode
bsc#1023275
-
-Index: openssh-7.8p1/sftp.0
-===================================================================
---- openssh-7.8p1.orig/sftp.0
-+++ openssh-7.8p1/sftp.0
-@@ -160,6 +160,9 @@ DESCRIPTION
- -p Preserves modification times, access times, and modes from the
- original files transferred.
-
-+ -Q Not-so-quiet batch mode: forces printing of diagnostic messages
-+ in batch mode.
-+
- -q Quiet mode: disables the progress meter as well as warning and
- diagnostic messages from ssh(1).
-
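Review bot: dropping the `sftp.0` hunk means the preformatted manual page shipped in the portable tarball no longer mentions `-Q`, while `sftp.1` does. That is fine only if the package build regenerates the `.0` pages from the `.1` sources (or installs the `.1` sources directly) rather than installing the pre-rendered `sftp.0` from the tarball; please confirm which path the spec file takes, otherwise `man sftp` on an installed system will not document the option this patch adds.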
-Index: openssh-7.8p1/sftp.1
-===================================================================
---- openssh-7.8p1.orig/sftp.1
-+++ openssh-7.8p1/sftp.1
-@@ -256,6 +256,9 @@ Specifies the port to connect to on the
+diff --git a/sftp.1 b/sftp.1
+index a52c1cf..7333de8 100644
+--- a/sftp.1
++++ b/sftp.1
+@@ -278,6 +278,9 @@ Specifies the port to connect to on the remote host.
.It Fl p
Preserves modification times, access times, and modes from the
original files transferred.
@@ -32,11 +17,11 @@
.It Fl q
Quiet mode: disables the progress meter as well as warning and
diagnostic messages from
-Index: openssh-7.8p1/sftp.c
-===================================================================
---- openssh-7.8p1.orig/sftp.c
-+++ openssh-7.8p1/sftp.c
-@@ -86,6 +86,9 @@ static volatile pid_t sshpid = -1;
+diff --git a/sftp.c b/sftp.c
+index b66037f..6c94a38 100644
+--- a/sftp.c
++++ b/sftp.c
+@@ -85,6 +85,9 @@ static volatile pid_t sshpid = -1;
/* Suppress diagnositic messages */
int quiet = 0;
@@ -46,16 +31,16 @@
/* This is set to 0 if the progressmeter is not desired. */
int showprogress = 1;
-@@ -2373,7 +2376,7 @@ main(int argc, char **argv)
+@@ -2406,7 +2409,7 @@ main(int argc, char **argv)
infile = stdin;
while ((ch = getopt(argc, argv,
-- "1246afhpqrvCc:D:i:l:o:s:S:b:B:F:P:R:")) != -1) {
-+ "1246afhpQqrvCc:D:i:l:o:s:S:b:B:F:P:R:")) != -1) {
+- "1246afhpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
++ "1246afhpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
switch (ch) {
/* Passed through to ssh(1) */
case '4':
-@@ -2389,6 +2392,9 @@ main(int argc, char **argv)
+@@ -2423,6 +2426,9 @@ main(int argc, char **argv)
addargs(&args, "-%c", ch);
addargs(&args, "%s", optarg);
break;
@@ -65,7 +50,7 @@
case 'q':
ll = SYSLOG_LEVEL_ERROR;
quiet = 1;
-@@ -2472,6 +2478,8 @@ main(int argc, char **argv)
+@@ -2506,6 +2512,8 @@ main(int argc, char **argv)
usage();
}
}
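Review bot: the getopt string gains `Q` alongside the `J:` that upstream added for ProxyJump, and `sftp.1` is updated, but the `usage()` text (the hunk at `@@ -2506` ends just after the `usage();` call and its two added lines are not visible) should list `-Q` as well, since that string is the first thing a user sees on a typo. Also please make sure the `case 'Q':` body does not reset `quiet` or the log level in a way that is order-dependent with `-q` (the `case 'q':` directly below sets `ll = SYSLOG_LEVEL_ERROR; quiet = 1;`); document which wins when both are given.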
++++++ openssh-7.9p1-revert-new-qos-defaults.patch ++++++
--- /var/tmp/diff_new_pack.mNRO2C/_old 2020-02-13 14:40:40.565651361 +0100
+++ /var/tmp/diff_new_pack.mNRO2C/_new 2020-02-13 14:40:40.565651361 +0100
@@ -1,22 +1,16 @@
-From a4c5f99fe57390b5a80e914817df92f4fadaf4a5 Mon Sep 17 00:00:00 2001
-From: Hans Petter Jansson <[email protected]>
-Date: Thu, 20 Jun 2019 23:54:11 +0200
-Subject: [PATCH] Revert IPQoS DSCP AF21/CS1 from upstream due to bugs in other
- software
+commit 101aa2f70c937abb428c9433c39ba0fd9a91fe6b
+Author: Hans Petter Jansson <[email protected]>
+Date: Thu Jun 20 23:54:11 2019 +0200
-Reverts OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181
----
- readconf.c | 4 ++--
- servconf.c | 4 ++--
- ssh_config.5 | 6 ++----
- sshd_config.5 | 6 ++----
- 4 files changed, 8 insertions(+), 12 deletions(-)
+ Revert IPQoS DSCP AF21/CS1 from upstream due to bugs in other software
+
+ Reverts OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181
diff --git a/readconf.c b/readconf.c
-index 97f48bb..49bffc9 100644
+index 24f2cb1..bbdea0d 100644
--- a/readconf.c
+++ b/readconf.c
-@@ -2142,9 +2142,9 @@ fill_default_options(Options * options)
+@@ -2183,9 +2183,9 @@ fill_default_options(Options * options)
if (options->visual_host_key == -1)
options->visual_host_key = 0;
if (options->ip_qos_interactive == -1)
@@ -29,10 +23,10 @@
options->request_tty = REQUEST_TTY_AUTO;
if (options->proxy_use_fdpass == -1)
diff --git a/servconf.c b/servconf.c
-index 31543e6..c04d910 100644
+index 13cf154..766ac6b 100644
--- a/servconf.c
+++ b/servconf.c
-@@ -425,9 +425,9 @@ fill_default_server_options(ServerOptions *options)
+@@ -445,9 +445,9 @@ fill_default_server_options(ServerOptions *options)
if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO;
if (options->ip_qos_interactive == -1)
@@ -45,10 +39,10 @@
options->version_addendum = xstrdup("");
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
diff --git a/ssh_config.5 b/ssh_config.5
-index 36e3ba5..d0adf60 100644
+index 3bf0502..10246f8 100644
--- a/ssh_config.5
+++ b/ssh_config.5
-@@ -1031,11 +1031,9 @@ If one argument is specified, it is used as the packet
class unconditionally.
+@@ -1088,11 +1088,9 @@ If one argument is specified, it is used as the packet
class unconditionally.
If two values are specified, the first is automatically selected for
interactive sessions and the second for non-interactive sessions.
The default is
@@ -63,10 +57,10 @@
.It Cm KbdInteractiveAuthentication
Specifies whether to use keyboard-interactive authentication.
diff --git a/sshd_config.5 b/sshd_config.5
-index 0f1a7cd..3b875d2 100644
+index 50a4917..a276fcb 100644
--- a/sshd_config.5
+++ b/sshd_config.5
-@@ -842,11 +842,9 @@ If one argument is specified, it is used as the packet
class unconditionally.
+@@ -868,11 +868,9 @@ If one argument is specified, it is used as the packet
class unconditionally.
If two values are specified, the first is automatically selected for
interactive sessions and the second for non-interactive sessions.
The default is
@@ -80,6 +74,3 @@
for non-interactive sessions.
.It Cm KbdInteractiveAuthentication
Specifies whether to allow keyboard-interactive authentication.
---
-2.21.0
-
++++++ openssh-8.0p1-gssapi-keyex.patch ++++++
++++ 3922 lines (skipped)
++++++ openssh-7.7p1-audit.patch -> openssh-8.1p1-audit.patch ++++++
++++ 2532 lines (skipped)
++++ between /work/SRC/openSUSE:Leap:15.2/openssh/openssh-7.7p1-audit.patch
++++ and
/work/SRC/openSUSE:Leap:15.2/.openssh.new.26092/openssh-8.1p1-audit.patch
++++++ openssh-8.1p1-seccomp-clock_nanosleep.patch ++++++
Index: openssh-8.1p1/sandbox-seccomp-filter.c
===================================================================
--- openssh-8.1p1.orig/sandbox-seccomp-filter.c
+++ openssh-8.1p1/sandbox-seccomp-filter.c
@@ -248,6 +248,9 @@ static const struct sock_filter preauth_
#ifdef __NR_nanosleep
SC_ALLOW(__NR_nanosleep),
#endif
+#ifdef __NR_clock_nanosleep
+ SC_ALLOW(__NR_clock_nanosleep),
+#endif
#ifdef __NR__newselect
SC_ALLOW(__NR__newselect),
#endif
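Review bot: the new entry mirrors the `__NR_nanosleep` block directly above it, including the `#ifdef` guard, which is the right shape, and plain `SC_ALLOW` is appropriate since the arguments of `clock_nanosleep` (clockid, flags, two timespec pointers) give the pre-auth process no new capability. Two things to check before this lands: add a short comment naming the trigger (glibc now routes `nanosleep()`/`usleep()` through `clock_nanosleep`, so without this the sandboxed pre-auth child dies with SIGSYS), and look at whether 32-bit targets with the 64-bit time syscalls need the `clock_nanosleep_time64` variant allowed the same way, since the seccomp kill happens before glibc can fall back to the old syscall.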
++++++ openssh-7.9p1.tar.gz -> openssh-8.1p1.tar.gz ++++++
++++ 50238 lines of diff (skipped)
++++++ ssh-askpass ++++++
--- /var/tmp/diff_new_pack.mNRO2C/_old 2020-02-13 14:40:41.061651634 +0100
+++ /var/tmp/diff_new_pack.mNRO2C/_new 2020-02-13 14:40:41.065651635 +0100
@@ -15,10 +15,12 @@
case "$SESSION" in
kde)
- exec $KDE_SSH_ASKPASS ${1+"$@"}
+ [ -e $KDE_SSH_ASKPASS ] && exec $KDE_SSH_ASKPASS ${1+"$@"}
+ exec $GNOME_SSH_ASKPASS ${1+"$@"}
;;
*)
- exec $GNOME_SSH_ASKPASS ${1+"$@"}
+ [ -e $GNOME_SSH_ASKPASS ] && exec $GNOME_SSH_ASKPASS ${1+"$@"}
+ exec $KDE_SSH_ASKPASS ${1+"$@"}
;;
esac
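Review bot: `[ -e $KDE_SSH_ASKPASS ]` and `[ -e $GNOME_SSH_ASKPASS ]` use the variables unquoted, so when one of them is empty the test collapses to `[ -e ]`, which is true, and the following `exec $KDE_SSH_ASKPASS ${1+"$@"}` then executes the prompt text itself as the command. Quote the expansions and test for an executable rather than mere existence: `[ -x "$KDE_SSH_ASKPASS" ] && exec "$KDE_SSH_ASKPASS" ${1+"$@"}`. The unconditional `exec` of the other askpass on the fallback line has no check at all; if neither helper is installed the script fails with a shell error instead of a clear message, so consider a final `echo "no ssh-askpass helper found" >&2; exit 1` after the `case`.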