Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked in at 2020-06-11 10:00:58
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and      /work/SRC/openSUSE:Factory/.openssh.new.3606 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openssh"

Thu Jun 11 10:00:58 2020 rev:140 rq:812018 version:8.3p1

Changes:
--------
--- /work/SRC/openSUSE:Factory/openssh/openssh.changes	2020-06-05 20:09:44.169646097 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.3606/openssh.changes	2020-06-11 10:01:17.782503214 +0200
@@ -1,0 +2,103 @@ +Fri Jun 5 00:36:08 UTC 2020 - Hans Petter Jansson <h...@suse.com> + +- Version update to 8.3p1: + = Potentially-incompatible changes + * sftp(1): reject an argument of "-1" in the same way as ssh(1) and + scp(1) do instead of accepting and silently ignoring it. + + = New features + * sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore + rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only" + to allow .shosts files but not .rhosts. + * sshd(8): allow the IgnoreRhosts directive to appear anywhere in a + sshd_config, not just before any Match blocks. + * ssh(1): add %TOKEN percent expansion for the LocalFoward and + RemoteForward keywords when used for Unix domain socket forwarding. + * all: allow loading public keys from the unencrypted envelope of a + private key file if no corresponding public key file is present. + * ssh(1), sshd(8): prefer to use chacha20 from libcrypto where + possible instead of the (slower) portable C implementation included + in OpenSSH. + * ssh-keygen(1): add ability to dump the contents of a binary key + revocation list via "ssh-keygen -lQf /path". + +- Additional changes from 8.2p1 release: + = Potentially-incompatible changes + * ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" + (RSA/SHA1) algorithm from those accepted for certificate signatures + (i.e. the client and server CASignatureAlgorithms option) and will + use the rsa-sha2-512 signature algorithm by default when the + ssh-keygen(1) CA signs new certificates. + * ssh(1), sshd(8): this release removes diffie-hellman-group14-sha1 + from the default key exchange proposal for both the client and + server. + * ssh-keygen(1): the command-line options related to the generation + and screening of safe prime numbers used by the + diffie-hellman-group-exchange-* key exchange algorithms have + changed. Most options have been folded under the -O flag. 
+ * sshd(8): the sshd listener process title visible to ps(1) has + changed to include information about the number of connections that + are currently attempting authentication and the limits configured + by MaxStartups. + * ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F + support to provide address-space isolation for token middleware + libraries (including the internal one). It needs to be installed + in the expected path, typically under /usr/libexec or similar. + + = New features + * This release adds support for FIDO/U2F hardware authenticators to + OpenSSH. U2F/FIDO are open standards for inexpensive two-factor + authentication hardware that are widely used for website + authentication. In OpenSSH FIDO devices are supported by new public + key types "ecdsa-sk" and "ed25519-sk", along with corresponding + certificate types. + * sshd(8): add an Include sshd_config keyword that allows including + additional configuration files via glob(3) patterns. + * ssh(1)/sshd(8): make the LE (low effort) DSCP code point available + via the IPQoS directive. + * ssh(1): when AddKeysToAgent=yes is set and the key contains no + comment, add the key to the agent with the key's path as the + comment. + * ssh-keygen(1), ssh-agent(1): expose PKCS#11 key labels and X.509 + subjects as key comments, rather than simply listing the PKCS#11 + provider library path. + * ssh-keygen(1): allow PEM export of DSA and ECDSA keys. + * ssh(1), sshd(8): make zlib compile-time optional, available via the + Makefile.inc ZLIB flag on OpenBSD or via the --with-zlib configure + option for OpenSSH portable. + * sshd(8): when clients get denied by MaxStartups, send a + notification prior to the SSH2 protocol banner according to + RFC4253 section 4.2. + * ssh(1), ssh-agent(1): when invoking the $SSH_ASKPASS prompt + program, pass a hint to the program to describe the type of + desired prompt. 
The possible values are "confirm" (indicating + that a yes/no confirmation dialog with no text entry should be + shown), "none" (to indicate an informational message only), or + blank for the original ssh-askpass behaviour of requesting a + password/phrase. + * ssh(1): allow forwarding a different agent socket to the path + specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent + option to accepting an explicit path or the name of an environment + variable in addition to yes/no. + * ssh-keygen(1): add a new signature operations "find-principals" to + look up the principal associated with a signature from an allowed- + signers file. + * sshd(8): expose the number of currently-authenticating connections + along with the MaxStartups limit in the process title visible to + "ps". + +- Rebased patches: + * openssh-7.7p1-cavstest-ctr.patch + * openssh-7.7p1-cavstest-kdf.patch + * openssh-7.7p1-fips.patch + * openssh-7.7p1-fips_checks.patch + * openssh-7.7p1-ldap.patch + * openssh-7.7p1-no_fork-no_pid_file.patch + * openssh-7.7p1-sftp_print_diagnostic_messages.patch + * openssh-8.0p1-gssapi-keyex.patch + * openssh-8.1p1-audit.patch + * openssh-8.1p1-seccomp-clock_nanosleep.patch + +- Removed openssh-7.7p1-seed-prng.patch (bsc#1165158). + +------------------------------------------------------------------- Old: ---- openssh-7.7p1-seed-prng.patch openssh-8.1p1.tar.gz openssh-8.1p1.tar.gz.asc New: ---- openssh-8.3p1.tar.gz openssh-8.3p1.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssh-askpass-gnome.spec ++++++ --- /var/tmp/diff_new_pack.FXHzoJ/_old 2020-06-11 10:01:19.766509604 +0200 +++ /var/tmp/diff_new_pack.FXHzoJ/_new 2020-06-11 10:01:19.770509617 +0200 
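Review bot: the "Rebased patches" list in this changes entry omits openssh-7.7p1-hostname_changes_when_forwarding_X.patch, which is rebased in this same request (its diff appears under "Other differences" below); add it so the changelog matches what was submitted. Two wording slips copied from the upstream release notes could be fixed at the same time: `LocalFoward` should read `LocalForward`, and `"no" allow rhosts/shosts` should read `"no" to allow rhosts/shosts`.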
@@ -1,7 +1,7 @@ # # spec file for package openssh-askpass-gnome # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -18,7 +18,7 @@ %define _name openssh Name: openssh-askpass-gnome -Version: 8.1p1 +Version: 8.3p1 Release: 0 Summary: A GNOME-Based Passphrase Dialog for OpenSSH License: BSD-2-Clause ++++++ openssh.spec ++++++ --- /var/tmp/diff_new_pack.FXHzoJ/_old 2020-06-11 10:01:19.798509707 +0200 +++ /var/tmp/diff_new_pack.FXHzoJ/_new 2020-06-11 10:01:19.802509720 +0200 @@ -1,7 +1,7 @@ # # spec file for package openssh # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -35,7 +35,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: openssh -Version: 8.1p1 +Version: 8.3p1 Release: 0 Summary: Secure Shell Client and Server (Remote Login Program) License: BSD-2-Clause AND MIT @@ -77,7 +77,6 @@ Patch19: openssh-7.7p1-cavstest-kdf.patch # Local FIPS patchset Patch20: openssh-7.7p1-fips_checks.patch -Patch21: openssh-7.7p1-seed-prng.patch # https://bugzilla.mindrot.org/show_bug.cgi?id=2641 Patch22: openssh-7.7p1-systemd-notify.patch Patch23: openssh-8.0p1-gssapi-keyex.patch @@ -112,6 +111,7 @@ BuildRequires: pam-devel BuildRequires: pkgconfig BuildRequires: zlib-devel +BuildRequires: pkgconfig(libfido2) BuildRequires: pkgconfig(libsystemd) Requires(post): %fillup_prereq Requires(pre): shadow 
@@ -211,6 +211,7 @@ --with-ldap \ --with-xauth=%{_bindir}/xauth \ --with-libedit \ + --with-security-key-builtin \ --target=%{_target_cpu}-suse-linux %make_build ++++++ openssh-7.7p1-cavstest-ctr.patch ++++++ --- /var/tmp/diff_new_pack.FXHzoJ/_old 2020-06-11 10:01:19.910510068 +0200 +++ /var/tmp/diff_new_pack.FXHzoJ/_new 2020-06-11 10:01:19.910510068 +0200 @@ -3,29 +3,29 @@ CAVS test for OpenSSH's own CTR encryption mode implementation diff --git a/Makefile.in b/Makefile.in -index 7488595..d426006 100644 +index d5c37b5..5d4fcd2 100644 --- a/Makefile.in 
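Review bot: the first hunk of both openssh-askpass-gnome.spec and openssh.spec replaces `Copyright (c) 2020 SUSE LLC` with the older `SUSE LINUX GmbH, Nuernberg, Germany.` boilerplate; that looks like an accidental revert from rebasing against a stale checkout rather than an intended change, so restore the `SUSE LLC` header line before this goes in.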
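Review bot: the `Patch21: openssh-7.7p1-seed-prng.patch` definition is removed, but no visible hunk touches %prep; if the spec applies patches individually with `%patch21 -p1` that line has to go as well or the build fails (not an issue if it uses %autopatch). Separately, `--with-security-key-builtin` together with `BuildRequires: pkgconfig(libfido2)` switches on the FIDO/U2F support, and the changelog above states that ssh-sk-helper(8) "needs to be installed in the expected path, typically under /usr/libexec", yet none of the visible hunks add ssh-sk-helper or ssh-sk-helper.8 to %files; confirm the package actually ships them (an existing %files glob may cover it), otherwise the ecdsa-sk/ed25519-sk key types advertised in the changelog will not work.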
+++ b/Makefile.in -@@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass - SFTP_SERVER=$(libexecdir)/sftp-server +@@ -25,6 +25,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper + SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper +CAVSTEST_CTR=$(libexecdir)/cavstest-ctr PRIVSEP_PATH=@PRIVSEP_PATH@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ STRIP_OPT=@STRIP_OPT@ -@@ -62,6 +63,8 @@ MKDIR_P=@MKDIR_P@ +@@ -70,6 +71,8 @@ MKDIR_P=@MKDIR_P@ - TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) + TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) +TARGETS += cavstest-ctr$(EXEEXT) + XMSS_OBJS=\ ssh-xmss.o \ sshkey-xmss.o \ -@@ -210,6 +213,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o s - sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o - $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) +@@ -244,6 +247,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS) + sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS) + $(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) +# FIPS tests +cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o 
@@ -34,8 +34,8 @@ # test driver for the loginrec code - not built by default logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) -@@ -354,6 +361,7 @@ install-files: - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) +@@ -398,6 +405,7 @@ install-files: + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT) @@ -263,7 +263,7 @@ + return 0; +} diff --git a/cipher.c b/cipher.c -index acca752..b67a4ff 100644 +index 2f5430b..599b54a 100644 --- a/cipher.c +++ b/cipher.c @@ -58,15 +58,6 @@ @@ -274,7 +274,7 @@ - int plaintext; - int encrypt; - EVP_CIPHER_CTX *evp; -- struct chachapoly_ctx cp_ctx; /* XXX union with evp? */ +- struct chachapoly_ctx *cp_ctx; - struct aesctr_ctx ac_ctx; /* XXX union with evp? */ - const struct sshcipher *cipher; -}; @@ -283,7 +283,7 @@ char *name; u_int block_size; diff --git a/cipher.h b/cipher.h -index 5843aab..d7d8c89 100644 +index 1a591cd..10ccb28 100644 --- a/cipher.h +++ b/cipher.h @@ -48,7 +48,15 @@ @@ -295,7 +295,7 @@ + int plaintext; + int encrypt; + EVP_CIPHER_CTX *evp; -+ struct chachapoly_ctx cp_ctx; /* XXX union with evp? */ ++ struct chachapoly_ctx *cp_ctx; /* XXX union with evp? */ + struct aesctr_ctx ac_ctx; /* XXX union with evp? */ + const struct sshcipher *cipher; +}; ++++++ openssh-7.7p1-cavstest-kdf.patch ++++++ --- /var/tmp/diff_new_pack.FXHzoJ/_old 2020-06-11 10:01:19.926510119 +0200 +++ /var/tmp/diff_new_pack.FXHzoJ/_new 2020-06-11 10:01:19.926510119 +0200 @@ -3,27 +3,27 @@ CAVS test for KDF implementation in OpenSSH 
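Review bot: the install-files hunk copies cavstest-ctr into $(libexecdir) unconditionally with mode 0755, so every installation ships a FIPS CAVS test driver that only the validation run needs; gate the build and install of the cavstest-* binaries behind a configure switch or a spec-level conditional so non-FIPS builds do not carry it. The cipher.h hunk does track upstream's change of `cp_ctx` from an embedded `struct chachapoly_ctx` to `struct chachapoly_ctx *cp_ctx`, but because the patch moves the whole `struct sshcipher_ctx` out of cipher.c into the public header, every future upstream layout change has to be mirrored by hand; a line in the patch description saying the struct must stay a verbatim copy of the one in cipher.c would save the next rebase from a silent mismatch.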
diff --git a/Makefile.in b/Makefile.in -index d426006..85818f4 100644 +index 5d4fcd2..9eab827 100644 --- a/Makefile.in +++ b/Makefile.in -@@ -25,6 +25,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server - SSH_KEYSIGN=$(libexecdir)/ssh-keysign +@@ -26,6 +26,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper + SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper CAVSTEST_CTR=$(libexecdir)/cavstest-ctr +CAVSTEST_KDF=$(libexecdir)/cavstest-kdf PRIVSEP_PATH=@PRIVSEP_PATH@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ STRIP_OPT=@STRIP_OPT@ -@@ -63,7 +64,7 @@ MKDIR_P=@MKDIR_P@ +@@ -71,7 +72,7 @@ MKDIR_P=@MKDIR_P@ - TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) + TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) -TARGETS += cavstest-ctr$(EXEEXT) +TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT) XMSS_OBJS=\ ssh-xmss.o \ -@@ -217,6 +218,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glo +@@ -251,6 +252,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS) cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o $(LD) -o $@ cavstest-ctr.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) 
@@ -33,7 +33,7 @@ # test driver for the loginrec code - not built by default logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) -@@ -362,6 +366,7 @@ install-files: +@@ -406,6 +410,7 @@ install-files: $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT) ++++++ openssh-7.7p1-fips.patch ++++++ --- /var/tmp/diff_new_pack.FXHzoJ/_old 2020-06-11 10:01:19.958510222 +0200 +++ /var/tmp/diff_new_pack.FXHzoJ/_new 2020-06-11 10:01:19.962510235 +0200 @@ -4,17 +4,17 @@ algorithms. diff --git a/Makefile.in b/Makefile.in -index 1d2b2d9..7488595 100644 +index 62cd072..d5c37b5 100644 --- a/Makefile.in +++ b/Makefile.in -@@ -103,6 +103,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ - platform-pledge.o platform-tracing.o platform-misc.o +@@ -114,6 +114,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ + SKOBJS= ssh-sk-client.o +LIBSSH_OBJS += fips.o + SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ - sshconnect.o sshconnect2.o mux.o + sshconnect.o sshconnect2.o mux.o $(SKOBJS) diff --git a/cipher-ctr.c b/cipher-ctr.c index 32771f2..b66f92f 100644 @@ -39,7 +39,7 @@ return (&aes_ctr); } diff --git a/cipher.c b/cipher.c -index 25f98ba..acca752 100644 +index 8195199..2f5430b 100644 --- a/cipher.c +++ b/cipher.c @@ -51,6 +51,9 @@ @@ -123,7 +123,7 @@ if ((c->flags & CFLAG_INTERNAL) != 0) continue; if (auth_only && c->auth_len == 0) -@@ -196,7 +243,7 @@ const struct sshcipher * +@@ -207,7 +254,7 @@ const struct sshcipher * cipher_by_name(const char *name) { const struct sshcipher *c; @@ -401,10 +401,10 @@ +#endif + diff --git a/hmac.c b/hmac.c -index 3268887..b905a1e 100644 +index 7b58801..5a92074 100644 --- a/hmac.c 
+++ b/hmac.c -@@ -146,7 +146,7 @@ hmac_test(void *key, size_t klen, void *m, size_t mlen, u_char *e, size_t elen) +@@ -145,7 +145,7 @@ hmac_test(void *key, size_t klen, void *m, size_t mlen, u_char *e, size_t elen) size_t i; u_char digest[16]; @@ -414,10 +414,10 @@ if (ssh_hmac_init(ctx, key, klen) < 0 || ssh_hmac_update(ctx, m, mlen) < 0 || diff --git a/kex.c b/kex.c -index 49d7015..1f82c2e 100644 +index b09fbac..a5e4be7 100644 --- a/kex.c +++ b/kex.c -@@ -60,6 +60,8 @@ +@@ -63,6 +63,8 @@ #include "sshbuf.h" #include "digest.h" @@ -426,7 +426,7 @@ /* prototype */ static int kex_choose_conf(struct ssh *); static int kex_input_newkeys(int, u_int32_t, struct ssh *); -@@ -83,7 +85,7 @@ struct kexalg { +@@ -86,7 +88,7 @@ struct kexalg { int ec_nid; int hash_alg; }; @@ -435,7 +435,7 @@ #ifdef WITH_OPENSSL { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 }, -@@ -114,6 +116,47 @@ static const struct kexalg kexalgs[] = { +@@ -117,6 +119,47 @@ static const struct kexalg kexalgs[] = { { NULL, 0, -1, -1}, }; @@ -483,7 +483,7 @@ char * kex_alg_list(char sep) { -@@ -121,7 +164,7 @@ kex_alg_list(char sep) +@@ -124,7 +167,7 @@ kex_alg_list(char sep) size_t nlen, rlen = 0; const struct kexalg *k; @@ -492,7 +492,7 @@ if (ret != NULL) ret[rlen++] = sep; nlen = strlen(k->name); -@@ -141,7 +184,7 @@ kex_alg_by_name(const char *name) +@@ -144,7 +187,7 @@ kex_alg_by_name(const char *name) { const struct kexalg *k; @@ -501,7 +501,7 @@ if (strcmp(k->name, name) == 0) return k; } -@@ -161,7 +204,10 @@ kex_names_valid(const char *names) +@@ -164,7 +207,10 @@ kex_names_valid(const char *names) for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { if (kex_alg_by_name(p) == NULL) { 
@@ -595,21 +595,8 @@ if (strcmp(name, m->name) != 0) continue; if (mac != NULL) -diff --git a/myproposal.h b/myproposal.h -index 34bd10c..e6be484 100644 ---- a/myproposal.h -+++ b/myproposal.h -@@ -144,6 +144,8 @@ - - #else /* WITH_OPENSSL */ - -+#error "OpenSSL support is needed for FIPS mode to compile" -+ - #define KEX_SERVER_KEX \ - "curve25519-sha256," \ - "curve25519-sha...@libssh.org" diff --git a/readconf.c b/readconf.c -index f78b4d6..228f481 100644 +index 26e80c5..595f053 100644 --- a/readconf.c +++ b/readconf.c @@ -68,6 +68,8 @@ @@ -621,7 +608,7 @@ /* Format of the configuration file: # Configuration data is parsed as follows: -@@ -1837,6 +1839,23 @@ option_clear_or_none(const char *o) +@@ -1908,6 +1910,23 @@ option_clear_or_none(const char *o) return o == NULL || strcasecmp(o, "none") == 0; } 
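Review bot: the rebase drops the myproposal.h hunk that placed `#error "OpenSSL support is needed for FIPS mode to compile"` in the `#else /* WITH_OPENSSL */` branch, and nothing in the remaining hunks replaces that guard; if the hunk no longer applies because upstream restructured myproposal.h, put an equivalent `#ifndef WITH_OPENSSL` check in a file the patch still touches (fips.c or kex.c) so a --without-openssl build fails loudly instead of compiling a FIPS patchset with no OpenSSL underneath, and say in the patch description why the hunk went away.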
@@ -645,40 +632,50 @@ /* * Initializes options to special values that indicate that they have not yet * been set. Read_config_file will only set options with this value. Options -@@ -2116,6 +2135,8 @@ fill_default_options(Options * options) +@@ -2196,6 +2215,9 @@ fill_default_options(Options * options) options->canonicalize_hostname = SSH_CANONICALISE_NO; if (options->fingerprint_hash == -1) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; + options->fingerprint_hash = + fips_correct_dgst(options->fingerprint_hash); - if (options->update_hostkeys == -1) - options->update_hostkeys = 0; - -@@ -2143,6 +2164,7 @@ fill_default_options(Options * options) ++ + #ifdef ENABLE_SK_INTERNAL + if (options->sk_provider == NULL) + options->sk_provider = xstrdup("internal"); +@@ -2229,6 +2251,7 @@ fill_default_options(Options * options) + ASSEMBLE(pubkey_key_types, def_key, all_key); + ASSEMBLE(ca_sign_algorithms, def_sig, all_sig); + #undef ASSEMBLE ++ + free(all_cipher); + free(all_mac); free(all_kex); - free(all_key); - free(all_sig); -+ filter_fips_algorithms(options); +@@ -2240,6 +2263,8 @@ fill_default_options(Options * options) + kex_default_pk_alg_filtered = def_key; /* save for later use */ + free(def_sig); ++ filter_fips_algorithms(options); ++ #define CLEAR_ON_NONE(v) \ do { \ + if (option_clear_or_none(v)) { \ diff --git a/readconf.h b/readconf.h -index 8e36bf3..67111e9 100644 +index e143a10..ef18d5c 100644 --- a/readconf.h +++ b/readconf.h -@@ -197,6 +197,7 @@ typedef struct { +@@ -199,6 +199,7 @@ typedef struct { #define SSH_STRICT_HOSTKEY_YES 2 #define SSH_STRICT_HOSTKEY_ASK 3 +void filter_fips_algorithms(Options *o); - void initialize_options(Options *); - void fill_default_options(Options *); - void fill_default_options_for_canonicalization(Options *); + const char *kex_default_pk_alg(void); + char *ssh_connection_hash(const char *thishost, const char *host, + const char *portstr, const char *user); 
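Review bot: in the rebased fill_default_options() hunk, `filter_fips_algorithms(options)` now runs after `kex_default_pk_alg_filtered = def_key; /* save for later use */`, so the default public-key algorithm list saved there is captured before the FIPS filter has been applied; check that filter_fips_algorithms() also rewrites kex_default_pk_alg_filtered, or that whatever later consumes that saved list is itself FIPS-filtered, otherwise a client in FIPS mode can still offer a non-approved signature algorithm from that default. If the filter does cover it, a one-line comment next to the call saying so would stop the question coming up at the next rebase.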
diff --git a/servconf.c b/servconf.c -index f58fecb..a8833a9 100644 +index 6be7274..9a51bfb 100644 --- a/servconf.c +++ b/servconf.c -@@ -64,6 +64,7 @@ +@@ -69,6 +69,7 @@ #include "auth.h" #include "myproposal.h" #include "digest.h" @@ -686,7 +683,7 @@ static void add_listen_addr(ServerOptions *, const char *, const char *, int); -@@ -190,6 +191,23 @@ option_clear_or_none(const char *o) +@@ -200,6 +201,23 @@ option_clear_or_none(const char *o) return o == NULL || strcasecmp(o, "none") == 0; } @@ -710,16 +707,16 @@ static void assemble_algorithms(ServerOptions *o) { -@@ -219,6 +237,8 @@ assemble_algorithms(ServerOptions *o) - free(all_kex); - free(all_key); - free(all_sig); +@@ -241,6 +259,8 @@ assemble_algorithms(ServerOptions *o) + free(def_kex); + free(def_key); + free(def_sig); + + filter_fips_algorithms_s(o); } static void -@@ -424,6 +444,8 @@ fill_default_server_options(ServerOptions *options) +@@ -453,6 +473,8 @@ fill_default_server_options(ServerOptions *options) options->fwd_opts.streamlocal_bind_unlink = 0; if (options->fingerprint_hash == -1) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; @@ -729,19 +726,19 @@ options->disable_forwarding = 0; if (options->expose_userauth_info == -1) diff --git a/ssh-keygen.c b/ssh-keygen.c -index 8c829ca..da63fb0 100644 +index 944faca..c1ecc54 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c -@@ -64,6 +64,8 @@ - #include "authfd.h" - #include "sshsig.h" +@@ -66,6 +66,8 @@ + #include "ssh-sk.h" + #include "sk-api.h" /* XXX for SSH_SK_USER_PRESENCE_REQD; remove */ +#include "fips.h" + #ifdef WITH_OPENSSL # define DEFAULT_KEY_TYPE_NAME "rsa" #else -@@ -1002,11 +1004,13 @@ do_fingerprint(struct passwd *pw) +@@ -1032,11 +1034,13 @@ do_fingerprint(struct passwd *pw) static void do_gen_all_hostkeys(struct passwd *pw) { 
@@ -757,7 +754,7 @@ #ifdef WITH_OPENSSL { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE }, { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE }, -@@ -1021,6 +1025,17 @@ do_gen_all_hostkeys(struct passwd *pw) +@@ -1051,6 +1055,17 @@ do_gen_all_hostkeys(struct passwd *pw) { NULL, NULL, NULL } }; @@ -775,9 +772,9 @@ u_int32_t bits = 0; int first = 0; struct stat st; -@@ -1029,6 +1044,12 @@ do_gen_all_hostkeys(struct passwd *pw) +@@ -1058,6 +1073,12 @@ do_gen_all_hostkeys(struct passwd *pw) + char comment[1024], *prv_tmp, *pub_tmp, *prv_file, *pub_file; int i, type, fd, r; - FILE *f; + if (fips_mode()) { + key_types = key_types_fips140_2; @@ -788,7 +785,7 @@ for (i = 0; key_types[i].key_type; i++) { public = private = NULL; prv_tmp = pub_tmp = prv_file = pub_file = NULL; -@@ -3215,6 +3236,15 @@ main(int argc, char **argv) +@@ -3532,6 +3553,15 @@ main(int argc, char **argv) key_type_name = DEFAULT_KEY_TYPE_NAME; type = sshkey_type_from_name(key_type_name); @@ -805,10 +802,10 @@ if (!quiet) diff --git a/ssh_config.5 b/ssh_config.5 -index 02a8789..f0cb291 100644 +index c45fb8d..55d4b5e 100644 --- a/ssh_config.5 +++ b/ssh_config.5 -@@ -664,6 +664,8 @@ Valid options are: +@@ -669,6 +669,8 @@ Valid options are: and .Cm sha256 (the default). @@ -818,12 +815,12 @@ Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. diff --git a/sshd.c b/sshd.c -index 6b55ef7..c8086cd 100644 +index a24241c..e18078f 100644 --- a/sshd.c +++ b/sshd.c -@@ -127,6 +127,8 @@ - #include "version.h" +@@ -128,6 +128,8 @@ #include "ssherr.h" + #include "sk-api.h" +#include "fips.h" + @@ -831,10 +828,10 @@ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) diff --git a/sshd_config.5 b/sshd_config.5 -index 0707b47..8818ea5 100644 +index 52552d2..35affe5 100644 --- a/sshd_config.5 
+++ b/sshd_config.5 -@@ -605,6 +605,8 @@ and +@@ -594,6 +594,8 @@ and .Cm sha256 . The default is .Cm sha256 . ++++++ openssh-7.7p1-fips_checks.patch ++++++ --- /var/tmp/diff_new_pack.FXHzoJ/_old 2020-06-11 10:01:19.974510274 +0200 +++ /var/tmp/diff_new_pack.FXHzoJ/_new 2020-06-11 10:01:19.978510287 +0200 @@ -7,7 +7,7 @@ # FIPS mode). SHA-2 seems to be a reasonable choice. # # The logic of the checks is as follows: decide whether FIPS mode is mandated -# (either by checking /proc/sys/crypto/fips_enabled or envoroinment variable +# (either by checking /proc/sys/crypto/fips_enabled or environment variable # SSH_FORCE_FIPS. In FIPS mode, checksums are required to match (inability to # retrieve pre-calculated hash is a fatal error). In non-FIPS mode the checks # still must be performed, unless the hashes are not installed. Thus if the hash @@ -410,7 +410,7 @@ #endif - diff --git a/sftp-server.c b/sftp-server.c -index b133cbc..c3086b6 100644 +index 359204f..d6395fd 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -53,6 +53,8 @@ @@ -422,7 +422,7 @@ /* Our verbosity */ static LogLevel log_level = SYSLOG_LEVEL_ERROR; -@@ -1595,6 +1597,9 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) +@@ -1576,6 +1578,9 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) extern char *optarg; extern char *__progname; @@ -433,7 +433,7 @@ log_init(__progname, log_level, log_facility, log_stderr); diff --git a/ssh.c b/ssh.c -index ee51823..882d1da 100644 +index 98b6ce7..dce28fd 100644 --- a/ssh.c +++ b/ssh.c @@ -113,6 +113,8 @@ @@ -445,9 +445,9 @@ extern char *__progname; /* Saves a copy of argv for setproctitle emulation */ -@@ -596,6 +598,10 @@ main(int ac, char **av) - struct ssh_digest_ctx *md; - u_char conn_hash[SSH_DIGEST_MAX_LENGTH]; +@@ -630,6 +632,10 @@ main(int ac, char **av) + struct addrinfo *addrs = NULL; + size_t n, len; + /* initialize fips - can go before ssh_malloc_init(), since that is a + * OpenBSD-only thing (as of OpenSSH 7.6p1) */ 
@@ -457,10 +457,10 @@ sanitise_stdfd(); diff --git a/sshd.c b/sshd.c -index c8086cd..bb20eec 100644 +index b2146a6..6092f0f 100644 --- a/sshd.c +++ b/sshd.c -@@ -1443,6 +1443,10 @@ main(int ac, char **av) +@@ -1505,6 +1505,10 @@ main(int ac, char **av) Authctxt *authctxt; struct connection_info *connection_info = NULL; ++++++ openssh-7.7p1-hostname_changes_when_forwarding_X.patch ++++++ --- /var/tmp/diff_new_pack.FXHzoJ/_old 2020-06-11 10:01:19.994510338 +0200 +++ /var/tmp/diff_new_pack.FXHzoJ/_new 2020-06-11 10:01:19.998510351 +0200 @@ -3,14 +3,12 @@ # -- uset do be called '-xauthlocalhostname' handle hostname changes when forwarding X -bnc#98627 - diff --git a/session.c b/session.c -index 94d7438..d81060c 100644 +index 18cdfa8..85a9ee2 100644 --- a/session.c +++ b/session.c -@@ -981,7 +981,7 @@ copy_environment(char **source, char ***env, u_int *envsize) - } +@@ -985,7 +985,7 @@ copy_environment(char **source, char ***env, u_int *envsize) + #endif static char ** -do_setup_env(struct ssh *ssh, Session *s, const char *shell) @@ -18,7 +16,7 @@ { char buf[256]; size_t n; -@@ -1191,6 +1191,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) +@@ -1195,6 +1195,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) for (i = 0; env[i]; i++) fprintf(stderr, " %.200s\n", env[i]); } @@ -27,7 +25,7 @@ return env; } -@@ -1199,7 +1201,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) +@@ -1203,7 +1205,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) * first in this order). */ static void @@ -36,7 +34,7 @@ { FILE *f = NULL; char cmd[1024]; -@@ -1254,12 +1256,20 @@ do_rc_files(struct ssh *ssh, Session *s, const char *shell) +@@ -1258,12 +1260,20 @@ do_rc_files(struct ssh *ssh, Session *s, const char *shell) options.xauth_location); f = popen(cmd, "w"); if (f) { 
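Review bot: the ssh.c hunk carries the comment `initialize fips - can go before ssh_malloc_init(), since that is a OpenBSD-only thing (as of OpenSSH 7.6p1)` unchanged into an 8.3p1 rebase even though the hunk itself moved from line 596 to 630; update the version reference or drop it, since a stale "as of" claim misleads the next person who has to decide whether the call order still holds. The correction of `envoroinment` to `environment` in the patch header is good.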
@@ -57,7 +55,7 @@ } else { fprintf(stderr, "Could not run %s\n", cmd); -@@ -1515,6 +1525,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) +@@ -1519,6 +1529,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) char **env, *argv[ARGV_MAX], remote_id[512]; const char *shell, *shell0; struct passwd *pw = s->pw; @@ -65,7 +63,7 @@ int r = 0; sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id)); -@@ -1571,7 +1582,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) +@@ -1575,7 +1586,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) * Make sure $SHELL points to the shell from the password file, * even if shell is overridden from login.conf */ @@ -74,7 +72,7 @@ #ifdef HAVE_LOGIN_CAP shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); -@@ -1635,7 +1646,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) +@@ -1639,7 +1650,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) closefrom(STDERR_FILENO + 1); @@ -82,4 +80,4 @@ + do_rc_files(ssh, s, shell, env, &env_size); /* restore SIGPIPE for child */ - signal(SIGPIPE, SIG_DFL); + ssh_signal(SIGPIPE, SIG_DFL); ++++++ openssh-7.7p1-ldap.patch ++++++ --- /var/tmp/diff_new_pack.FXHzoJ/_old 2020-06-11 10:01:20.010510390 +0200 +++ /var/tmp/diff_new_pack.FXHzoJ/_new 2020-06-11 10:01:20.010510390 +0200 @@ -125,19 +125,19 @@ + - Finlay dobbie. + - Stefan Fisher. diff --git a/Makefile.in b/Makefile.in -index 750aada..1baf5c6 100644 +index 6010d1c..f54348b 100644 --- a/Makefile.in 
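Review bot: the patch header hunk deletes the `bnc#98627` line, which was the only pointer from this patch back to the bug it addresses; keep the reference (or fold it into the description line) so the rebase does not lose provenance. While the header is being edited, `# -- uset do be called '-xauthlocalhostname'` is garbled and should read something like `# -- used to be called '-xauthlocalhostname'`.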
+++ b/Makefile.in -@@ -24,6 +24,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass - SFTP_SERVER=$(libexecdir)/sftp-server +@@ -25,6 +25,8 @@ SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper + SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper +SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper +SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper CAVSTEST_CTR=$(libexecdir)/cavstest-ctr CAVSTEST_KDF=$(libexecdir)/cavstest-kdf PRIVSEP_PATH=@PRIVSEP_PATH@ -@@ -66,6 +68,9 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keys +@@ -74,6 +76,9 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keys TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT) 
@@ -147,28 +147,28 @@ XMSS_OBJS=\ ssh-xmss.o \ sshkey-xmss.o \ -@@ -127,8 +132,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \ - sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \ - sandbox-solaris.o uidswap.o - --MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out --MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 -+MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out -+MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5 +@@ -158,8 +163,8 @@ SFTPSERVER_OBJS=sftp-common.o sftp-server.o sftp-server-main.o + + SFTP_OBJS= sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o + +-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out +-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5 ++MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out 
ssh-ldap.conf.5.out ++MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5 MANTYPE = @MANTYPE@ CONFIGFILES=sshd_config.out ssh_config.out moduli.out -@@ -208,6 +213,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11 - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o - $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) +@@ -242,6 +247,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS) + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) + $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) +ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o + $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) + - sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-realpath.o sftp-server-main.o - $(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) + sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS) + $(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -@@ -363,6 +371,10 @@ install-files: +@@ -406,6 +414,10 @@ install-files: $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) 
@@ -176,10 +176,10 @@ + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \ + $(INSTALL) -m 0755 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ + fi + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT) -@@ -381,6 +393,10 @@ install-files: +@@ -425,6 +437,10 @@ install-files: $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 @@ -187,10 +187,10 @@ + $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \ + $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \ + fi + $(INSTALL) -m 644 ssh-sk-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8 install-sysconf: - $(MKDIR_P) $(DESTDIR)$(sysconfdir) -@@ -404,6 +420,13 @@ install-sysconf: +@@ -449,6 +465,13 @@ install-sysconf: else \ echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \ fi 
@@ -204,28 +204,28 @@ host-key: ssh-keygen$(EXEEXT) @if [ -z "$(DESTDIR)" ] ; then \ -@@ -441,6 +464,8 @@ uninstall: - -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) +@@ -487,6 +510,8 @@ uninstall: -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) + -rm -f $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) + -rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT) + -rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT) -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -@@ -452,6 +477,7 @@ uninstall: - -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 +@@ -499,6 +524,7 @@ uninstall: -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 regress-prep: $(MKDIR_P) `pwd`/regress/unittests/test_helper diff --git a/configure.ac b/configure.ac -index 20a1884..ff9c11a 100644 +index 4ddf539..1fd0b17 100644 --- a/configure.ac +++ b/configure.ac -@@ -1651,6 +1651,106 @@ AC_ARG_WITH([audit], +@@ -1688,6 +1688,106 @@ AC_ARG_WITH([audit], esac ] ) ++++++ openssh-7.7p1-no_fork-no_pid_file.patch ++++++ --- /var/tmp/diff_new_pack.FXHzoJ/_old 2020-06-11 10:01:20.030510454 +0200 +++ /var/tmp/diff_new_pack.FXHzoJ/_new 2020-06-11 10:01:20.030510454 +0200 
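Review bot: in the Makefile.in hunk `@@ -242,6 +247,9 @@` the new ssh-ldap-helper link line repeats the library pair, `-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)`, while the refreshed context right below it shows that upstream has already reduced the sftp-server rule to a single `-lssh -lopenbsd-compat $(LIBS)`; unless the LDAP objects really need the second pass through libssh, drop the duplicate pair so the rule stays in step with upstream. The same hunk also lists four bare objects (`ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o`) twice, once as prerequisites and once on the `$(LD)` line, where the neighbouring rules now use a variable (`$(SSHKEYSCAN_OBJS)`, `$(SFTPSERVER_OBJS)`); an analogous objects variable (name of the reviewer's choosing, e.g. LDAPHELPER_OBJS) would remove that duplication and make the next rebase smaller.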
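Review bot: in the install-files hunk `@@ -406,6 +414,10 @@` the line `$(INSTALL) -m 0755 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \` omits `$(EXEEXT)` on both the built binary and the destination, whereas every adjacent install line carries it (`ssh-sk-helper$(EXEEXT) ... $(SSH_SK_HELPER)$(EXEEXT)`) and the later uninstall hunk `@@ -487,6 +510,8 @@` removes `$(SSH_LDAP_HELPER)$(EXEEXT)` and `$(SSH_LDAP_WRAPPER)$(EXEEXT)`; install and uninstall should name the same path. Since ssh-ldap-wrapper is installed without `$(STRIP_OPT)` (so apparently a script), the consistent fix is probably `ssh-ldap-helper$(EXEEXT)` / `$(SSH_LDAP_HELPER)$(EXEEXT)` for the helper and no `$(EXEEXT)` at all for the wrapper in both rules.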
@@ -2,15 +2,11 @@ # Parent bad0c8b3b8d72abb6960ed85b57ee42352371738 Do not write a PID file when not daemonizing (e.g. when running from systemd) -diff --git a/openssh-7.7p1/sshd.c b/openssh-7.7p1/sshd.c ---- openssh-7.7p1/sshd.c -+++ openssh-7.7p1/sshd.c -@@ -1996,17 +1996,17 @@ main(int ac, char **av) - signal(SIGCHLD, main_sigchld_handler); - signal(SIGTERM, sigterm_handler); - signal(SIGQUIT, sigterm_handler); - - /* +diff --git a/sshd.c b/sshd.c +index f3ccc3a..eadc1b3 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -2076,7 +2076,7 @@ main(int ac, char **av) * Write out the pid file after the sigterm handler * is setup and the listen sockets are bound */ @@ -19,8 +15,3 @@ FILE *f = fopen(options.pid_file, "w"); if (f == NULL) { - error("Couldn't create pid file \"%s\": %s", - options.pid_file, strerror(errno)); - } else { - fprintf(f, "%ld\n", (long) getpid()); - fclose(f); ++++++ openssh-7.7p1-sftp_print_diagnostic_messages.patch ++++++ --- /var/tmp/diff_new_pack.FXHzoJ/_old 2020-06-11 10:01:20.062510557 +0200 +++ /var/tmp/diff_new_pack.FXHzoJ/_new 2020-06-11 10:01:20.066510570 +0200 @@ -2,12 +2,11 @@ # Parent 60bdbe6dd8d6bc011883472363d56e1d97f68835 Put back sftp client diagnostic messages in batch mode -bsc#1023275 diff --git a/sftp.1 b/sftp.1 -index a52c1cf..7333de8 100644 +index a305b37..6e802ec 100644 --- a/sftp.1 +++ b/sftp.1 -@@ -278,6 +278,9 @@ Specifies the port to connect to on the remote host. +@@ -282,6 +282,9 @@ Specifies the port to connect to on the remote host. .It Fl p Preserves modification times, access times, and modes from the original files transferred. @@ -18,7 +17,7 @@ Quiet mode: disables the progress meter as well as warning and diagnostic messages from diff --git a/sftp.c b/sftp.c -index b66037f..6c94a38 100644 +index 2799e4a..52b2c23 100644 --- a/sftp.c +++ b/sftp.c @@ -85,6 +85,9 @@ static volatile pid_t sshpid = -1; 
@@ -31,16 +30,16 @@ /* This is set to 0 if the progressmeter is not desired. */ int showprogress = 1; -@@ -2406,7 +2409,7 @@ main(int argc, char **argv) +@@ -2409,7 +2412,7 @@ main(int argc, char **argv) infile = stdin; while ((ch = getopt(argc, argv, -- "1246afhpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) { -+ "1246afhpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) { +- "1246afhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) { ++ "1246afhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) { switch (ch) { /* Passed through to ssh(1) */ case '4': -@@ -2423,6 +2426,9 @@ main(int argc, char **argv) +@@ -2426,6 +2429,9 @@ main(int argc, char **argv) addargs(&args, "-%c", ch); addargs(&args, "%s", optarg); break; @@ -50,7 +49,7 @@ case 'q': ll = SYSLOG_LEVEL_ERROR; quiet = 1; -@@ -2506,6 +2512,8 @@ main(int argc, char **argv) +@@ -2510,6 +2516,8 @@ main(int argc, char **argv) usage(); } } ++++++ openssh-8.0p1-gssapi-keyex.patch ++++++ ++++ 874 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/openssh/openssh-8.0p1-gssapi-keyex.patch ++++ and /work/SRC/openSUSE:Factory/.openssh.new.3606/openssh-8.0p1-gssapi-keyex.patch ++++++ openssh-8.1p1-audit.patch ++++++ ++++ 895 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/openssh/openssh-8.1p1-audit.patch ++++ and /work/SRC/openSUSE:Factory/.openssh.new.3606/openssh-8.1p1-audit.patch ++++++ openssh-8.1p1-seccomp-clock_nanosleep.patch ++++++ --- /var/tmp/diff_new_pack.FXHzoJ/_old 2020-06-11 10:01:20.122510750 +0200 +++ /var/tmp/diff_new_pack.FXHzoJ/_new 2020-06-11 10:01:20.122510750 +0200 
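Review bot: the header hunk `@@ -2,12 +2,11 @@` of openssh-7.7p1-sftp_print_diagnostic_messages.patch drops the `bsc#1023275` line from the patch description while keeping "Put back sftp client diagnostic messages in batch mode"; keep the bug reference, since it is the only link from this carried patch to the reason it exists and the tracker is where the intended behaviour is documented. The refresh of the getopt hunk `@@ -2409,7 +2412,7 @@` is fine as shown: `Q` is inserted into the option string directly after upstream's new `N` (`"1246afhNpQqrvCc:..."`), so the existing `case 'q'` handling below it is untouched.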
@@ -1,10 +1,10 @@ -Index: openssh-8.1p1/sandbox-seccomp-filter.c -=================================================================== ---- openssh-8.1p1.orig/sandbox-seccomp-filter.c -+++ openssh-8.1p1/sandbox-seccomp-filter.c -@@ -248,6 +248,9 @@ static const struct sock_filter preauth_ - #ifdef __NR_nanosleep - SC_ALLOW(__NR_nanosleep), +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index c1e689e..74f69bc 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -264,6 +264,9 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_clock_gettime64 + SC_ALLOW(__NR_clock_gettime64), #endif +#ifdef __NR_clock_nanosleep + SC_ALLOW(__NR_clock_nanosleep), ++++++ openssh-8.1p1.tar.gz -> openssh-8.3p1.tar.gz ++++++ ++++ 43411 lines of diff (skipped)
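Review bot: the refreshed hunk `@@ -264,6 +269,9 @@` in openssh-8.1p1-seccomp-clock_nanosleep.patch allows only `__NR_clock_nanosleep`, but the surrounding upstream context shows that 64-bit-time variants are handled separately (`#ifdef __NR_clock_gettime64 / SC_ALLOW(__NR_clock_gettime64)`); on 32-bit ABIs where libc routes sleeps through clock_nanosleep_time64, the pre-auth sandbox will still kill sshd on that call. Consider adding a matching `#ifdef __NR_clock_nanosleep_time64 / SC_ALLOW(__NR_clock_nanosleep_time64) / #endif` block right after the one added here, and keep the new block as a plain `SC_ALLOW` only for these two clock syscalls rather than widening the filter further.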