Hello community,

Here is the log from the commit of package openssh for openSUSE:Factory, checked in at 2020-06-11 10:00:58.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and      /work/SRC/openSUSE:Factory/.openssh.new.3606 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openssh"

Thu Jun 11 10:00:58 2020 rev:140 rq:812018 version:8.3p1

Changes:
--------
--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2020-06-05 
20:09:44.169646097 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.3606/openssh.changes        
2020-06-11 10:01:17.782503214 +0200
@@ -1,0 +2,103 @@
+Fri Jun  5 00:36:08 UTC 2020 - Hans Petter Jansson <h...@suse.com>
+
+- Version update to 8.3p1:
+  = Potentially-incompatible changes
+  * sftp(1): reject an argument of "-1" in the same way as ssh(1) and
+    scp(1) do instead of accepting and silently ignoring it.
+
+  = New features
+  * sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore
+    rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only"
+    to allow .shosts files but not .rhosts.
+  * sshd(8): allow the IgnoreRhosts directive to appear anywhere in a
+    sshd_config, not just before any Match blocks.
+  * ssh(1): add %TOKEN percent expansion for the LocalFoward and
+    RemoteForward keywords when used for Unix domain socket forwarding.
+  * all: allow loading public keys from the unencrypted envelope of a
+    private key file if no corresponding public key file is present.
+  * ssh(1), sshd(8): prefer to use chacha20 from libcrypto where
+    possible instead of the (slower) portable C implementation included
+    in OpenSSH.
+  * ssh-keygen(1): add ability to dump the contents of a binary key
+    revocation list via "ssh-keygen -lQf /path".
+
+- Additional changes from 8.2p1 release:
+  = Potentially-incompatible changes
+  * ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
+    (RSA/SHA1) algorithm from those accepted for certificate signatures
+    (i.e. the client and server CASignatureAlgorithms option) and will
+    use the rsa-sha2-512 signature algorithm by default when the
+    ssh-keygen(1) CA signs new certificates.
+  * ssh(1), sshd(8): this release removes diffie-hellman-group14-sha1
+    from the default key exchange proposal for both the client and
+    server.
+  * ssh-keygen(1): the command-line options related to the generation
+    and screening of safe prime numbers used by the
+    diffie-hellman-group-exchange-* key exchange algorithms have
+    changed. Most options have been folded under the -O flag.
+  * sshd(8): the sshd listener process title visible to ps(1) has
+    changed to include information about the number of connections that
+    are currently attempting authentication and the limits configured
+    by MaxStartups.
+  * ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
+    support to provide address-space isolation for token middleware
+    libraries (including the internal one). It needs to be installed
+    in the expected path, typically under /usr/libexec or similar.
+
+  = New features
+  * This release adds support for FIDO/U2F hardware authenticators to
+    OpenSSH. U2F/FIDO are open standards for inexpensive two-factor
+    authentication hardware that are widely used for website
+    authentication.  In OpenSSH FIDO devices are supported by new public
+    key types "ecdsa-sk" and "ed25519-sk", along with corresponding
+    certificate types.
+  * sshd(8): add an Include sshd_config keyword that allows including
+    additional configuration files via glob(3) patterns.
+  * ssh(1)/sshd(8): make the LE (low effort) DSCP code point available
+    via the IPQoS directive.
+  * ssh(1): when AddKeysToAgent=yes is set and the key contains no
+    comment, add the key to the agent with the key's path as the
+    comment.
+  * ssh-keygen(1), ssh-agent(1): expose PKCS#11 key labels and X.509
+    subjects as key comments, rather than simply listing the PKCS#11
+    provider library path.
+  * ssh-keygen(1): allow PEM export of DSA and ECDSA keys.
+  * ssh(1), sshd(8): make zlib compile-time optional, available via the
+    Makefile.inc ZLIB flag on OpenBSD or via the --with-zlib configure
+    option for OpenSSH portable.
+  * sshd(8): when clients get denied by MaxStartups, send a
+    notification prior to the SSH2 protocol banner according to
+    RFC4253 section 4.2.
+  * ssh(1), ssh-agent(1): when invoking the $SSH_ASKPASS prompt
+    program, pass a hint to the program to describe the type of
+    desired prompt.  The possible values are "confirm" (indicating
+    that a yes/no confirmation dialog with no text entry should be
+    shown), "none" (to indicate an informational message only), or
+    blank for the original ssh-askpass behaviour of requesting a
+    password/phrase.
+  * ssh(1): allow forwarding a different agent socket to the path
+    specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent
+    option to accepting an explicit path or the name of an environment
+    variable in addition to yes/no.
+  * ssh-keygen(1): add a new signature operations "find-principals" to
+    look up the principal associated with a signature from an allowed-
+    signers file.
+  * sshd(8): expose the number of currently-authenticating connections
+    along with the MaxStartups limit in the process title visible to
+    "ps".
+
+- Rebased patches:
+  * openssh-7.7p1-cavstest-ctr.patch
+  * openssh-7.7p1-cavstest-kdf.patch
+  * openssh-7.7p1-fips.patch
+  * openssh-7.7p1-fips_checks.patch
+  * openssh-7.7p1-ldap.patch
+  * openssh-7.7p1-no_fork-no_pid_file.patch
+  * openssh-7.7p1-sftp_print_diagnostic_messages.patch
+  * openssh-8.0p1-gssapi-keyex.patch
+  * openssh-8.1p1-audit.patch
+  * openssh-8.1p1-seccomp-clock_nanosleep.patch
+
+- Removed openssh-7.7p1-seed-prng.patch (bsc#1165158).
+
+-------------------------------------------------------------------
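
Review bot: The "Rebased patches" list in this entry omits openssh-7.7p1-hostname_changes_when_forwarding_X.patch, which this same commit also changes (its header loses the bnc#98627 line and its session.c offsets are refreshed). The entry also says nothing about the packaging changes in openssh.spec, namely the new "BuildRequires: pkgconfig(libfido2)" and "--with-security-key-builtin", and it gives only a bug number for the removal of openssh-7.7p1-seed-prng.patch. Please list the missing patch, add a line for the FIDO build option, and state in one sentence why the seed-prng patch could be dropped, since the changelog is where a later reader will look for the rationale.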

Old:
----
  openssh-7.7p1-seed-prng.patch
  openssh-8.1p1.tar.gz
  openssh-8.1p1.tar.gz.asc

New:
----
  openssh-8.3p1.tar.gz
  openssh-8.3p1.tar.gz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openssh-askpass-gnome.spec ++++++
--- /var/tmp/diff_new_pack.FXHzoJ/_old  2020-06-11 10:01:19.766509604 +0200
+++ /var/tmp/diff_new_pack.FXHzoJ/_new  2020-06-11 10:01:19.770509617 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package openssh-askpass-gnome
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
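
Review bot: The copyright line changes from "SUSE LLC" to "SUSE LINUX GmbH, Nuernberg, Germany.", which has nothing to do with the 8.3p1 version bump, and the first hunk of openssh.spec makes the identical change. If this was not intended, keep the "SUSE LLC" line in both spec files so the update carries only the version change.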
@@ -18,7 +18,7 @@
 
 %define _name openssh
 Name:           openssh-askpass-gnome
-Version:        8.1p1
+Version:        8.3p1
 Release:        0
 Summary:        A GNOME-Based Passphrase Dialog for OpenSSH
 License:        BSD-2-Clause

++++++ openssh.spec ++++++
--- /var/tmp/diff_new_pack.FXHzoJ/_old  2020-06-11 10:01:19.798509707 +0200
+++ /var/tmp/diff_new_pack.FXHzoJ/_new  2020-06-11 10:01:19.802509720 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package openssh
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -35,7 +35,7 @@
   %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           openssh
-Version:        8.1p1
+Version:        8.3p1
 Release:        0
 Summary:        Secure Shell Client and Server (Remote Login Program)
 License:        BSD-2-Clause AND MIT
@@ -77,7 +77,6 @@
 Patch19:        openssh-7.7p1-cavstest-kdf.patch
 # Local FIPS patchset
 Patch20:        openssh-7.7p1-fips_checks.patch
-Patch21:        openssh-7.7p1-seed-prng.patch
 # https://bugzilla.mindrot.org/show_bug.cgi?id=2641
 Patch22:        openssh-7.7p1-systemd-notify.patch
 Patch23:        openssh-8.0p1-gssapi-keyex.patch
@@ -112,6 +111,7 @@
 BuildRequires:  pam-devel
 BuildRequires:  pkgconfig
 BuildRequires:  zlib-devel
+BuildRequires:  pkgconfig(libfido2)
 BuildRequires:  pkgconfig(libsystemd)
 Requires(post): %fillup_prereq
 Requires(pre):  shadow
@@ -211,6 +211,7 @@
     --with-ldap \
     --with-xauth=%{_bindir}/xauth \
     --with-libedit \
+    --with-security-key-builtin \
     --target=%{_target_cpu}-suse-linux
 
 %make_build
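
Review bot: "--with-security-key-builtin" is added to the configure call, but no hunk in openssh.spec touches %files, while the changes entry states that the new ssh-sk-helper binary "needs to be installed in the expected path". Please confirm that ssh-sk-helper and its man page are picked up by the existing %files patterns. A short comment next to the option noting that it depends on the "pkgconfig(libfido2)" BuildRequires added in the previous hunk would also help the next person who touches the build flags.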

++++++ openssh-7.7p1-cavstest-ctr.patch ++++++
--- /var/tmp/diff_new_pack.FXHzoJ/_old  2020-06-11 10:01:19.910510068 +0200
+++ /var/tmp/diff_new_pack.FXHzoJ/_new  2020-06-11 10:01:19.910510068 +0200
@@ -3,29 +3,29 @@
 CAVS test for OpenSSH's own CTR encryption mode implementation
 
 diff --git a/Makefile.in b/Makefile.in
-index 7488595..d426006 100644
+index d5c37b5..5d4fcd2 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
- SFTP_SERVER=$(libexecdir)/sftp-server
+@@ -25,6 +25,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
  SSH_KEYSIGN=$(libexecdir)/ssh-keysign
  SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+ SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
 +CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
  PRIVSEP_PATH=@PRIVSEP_PATH@
  SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
  STRIP_OPT=@STRIP_OPT@
-@@ -62,6 +63,8 @@ MKDIR_P=@MKDIR_P@
+@@ -70,6 +71,8 @@ MKDIR_P=@MKDIR_P@
  
- TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) 
ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) 
ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
+ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) 
ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) 
ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) 
ssh-sk-helper$(EXEEXT)
  
 +TARGETS += cavstest-ctr$(EXEEXT)
 +
  XMSS_OBJS=\
        ssh-xmss.o \
        sshkey-xmss.o \
-@@ -210,6 +213,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o 
sftp-common.o sftp-server.o s
- sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o 
sftp-glob.o progressmeter.o
-       $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o 
sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
+@@ -244,6 +247,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a 
$(SFTPSERVER_OBJS)
+ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
+       $(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) 
$(LIBEDIT)
  
 +# FIPS tests
 +cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
@@ -34,8 +34,8 @@
  # test driver for the loginrec code - not built by default
  logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
        $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh 
$(LIBS)
-@@ -354,6 +361,7 @@ install-files:
-       $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) 
$(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+@@ -398,6 +405,7 @@ install-files:
+       $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) 
$(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
        $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) 
$(DESTDIR)$(bindir)/sftp$(EXEEXT)
        $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) 
$(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
 +      $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) 
$(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
@@ -263,7 +263,7 @@
 +      return 0;
 +}
 diff --git a/cipher.c b/cipher.c
-index acca752..b67a4ff 100644
+index 2f5430b..599b54a 100644
 --- a/cipher.c
 +++ b/cipher.c
 @@ -58,15 +58,6 @@
@@ -274,7 +274,7 @@
 -      int     plaintext;
 -      int     encrypt;
 -      EVP_CIPHER_CTX *evp;
--      struct chachapoly_ctx cp_ctx; /* XXX union with evp? */
+-      struct chachapoly_ctx *cp_ctx;
 -      struct aesctr_ctx ac_ctx; /* XXX union with evp? */
 -      const struct sshcipher *cipher;
 -};
@@ -283,7 +283,7 @@
        char    *name;
        u_int   block_size;
 diff --git a/cipher.h b/cipher.h
-index 5843aab..d7d8c89 100644
+index 1a591cd..10ccb28 100644
 --- a/cipher.h
 +++ b/cipher.h
 @@ -48,7 +48,15 @@
@@ -295,7 +295,7 @@
 +      int     plaintext;
 +      int     encrypt;
 +      EVP_CIPHER_CTX *evp;
-+      struct chachapoly_ctx cp_ctx; /* XXX union with evp? */
++      struct chachapoly_ctx *cp_ctx; /* XXX union with evp? */
 +      struct aesctr_ctx ac_ctx; /* XXX union with evp? */
 +      const struct sshcipher *cipher;
 +};
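
Review bot: The struct sshcipher_ctx definition added to cipher.h no longer matches the one removed from cipher.c. The removed line is now "struct chachapoly_ctx *cp_ctx;" with no comment, while the added line keeps the old trailing "/* XXX union with evp? */". Move the upstream definition verbatim, without the leftover comment, so both sides of the move stay identical and the next rebase is mechanical.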

++++++ openssh-7.7p1-cavstest-kdf.patch ++++++
--- /var/tmp/diff_new_pack.FXHzoJ/_old  2020-06-11 10:01:19.926510119 +0200
+++ /var/tmp/diff_new_pack.FXHzoJ/_new  2020-06-11 10:01:19.926510119 +0200
@@ -3,27 +3,27 @@
 CAVS test for KDF implementation in OpenSSH
 
 diff --git a/Makefile.in b/Makefile.in
-index d426006..85818f4 100644
+index 5d4fcd2..9eab827 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -25,6 +25,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
- SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+@@ -26,6 +26,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
  SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+ SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
  CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
 +CAVSTEST_KDF=$(libexecdir)/cavstest-kdf
  PRIVSEP_PATH=@PRIVSEP_PATH@
  SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
  STRIP_OPT=@STRIP_OPT@
-@@ -63,7 +64,7 @@ MKDIR_P=@MKDIR_P@
+@@ -71,7 +72,7 @@ MKDIR_P=@MKDIR_P@
  
- TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) 
ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) 
ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
+ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) 
ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) 
ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) 
ssh-sk-helper$(EXEEXT)
  
 -TARGETS += cavstest-ctr$(EXEEXT)
 +TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
  
  XMSS_OBJS=\
        ssh-xmss.o \
-@@ -217,6 +218,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o 
sftp-common.o sftp-glo
+@@ -251,6 +252,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
  cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
        $(LD) -o $@ cavstest-ctr.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh 
$(LIBS)
  
@@ -33,7 +33,7 @@
  # test driver for the loginrec code - not built by default
  logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
        $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh 
$(LIBS)
-@@ -362,6 +366,7 @@ install-files:
+@@ -406,6 +410,7 @@ install-files:
        $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) 
$(DESTDIR)$(bindir)/sftp$(EXEEXT)
        $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) 
$(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
        $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) 
$(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)

++++++ openssh-7.7p1-fips.patch ++++++
--- /var/tmp/diff_new_pack.FXHzoJ/_old  2020-06-11 10:01:19.958510222 +0200
+++ /var/tmp/diff_new_pack.FXHzoJ/_new  2020-06-11 10:01:19.962510235 +0200
@@ -4,17 +4,17 @@
 algorithms.
 
 diff --git a/Makefile.in b/Makefile.in
-index 1d2b2d9..7488595 100644
+index 62cd072..d5c37b5 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -103,6 +103,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
-       platform-pledge.o platform-tracing.o platform-misc.o
+@@ -114,6 +114,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
  
+ SKOBJS=       ssh-sk-client.o
  
 +LIBSSH_OBJS += fips.o
 +
  SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
-       sshconnect.o sshconnect2.o mux.o
+       sshconnect.o sshconnect2.o mux.o $(SKOBJS)
  
 diff --git a/cipher-ctr.c b/cipher-ctr.c
 index 32771f2..b66f92f 100644
@@ -39,7 +39,7 @@
        return (&aes_ctr);
  }
 diff --git a/cipher.c b/cipher.c
-index 25f98ba..acca752 100644
+index 8195199..2f5430b 100644
 --- a/cipher.c
 +++ b/cipher.c
 @@ -51,6 +51,9 @@
@@ -123,7 +123,7 @@
                if ((c->flags & CFLAG_INTERNAL) != 0)
                        continue;
                if (auth_only && c->auth_len == 0)
-@@ -196,7 +243,7 @@ const struct sshcipher *
+@@ -207,7 +254,7 @@ const struct sshcipher *
  cipher_by_name(const char *name)
  {
        const struct sshcipher *c;
@@ -401,10 +401,10 @@
 +#endif
 +
 diff --git a/hmac.c b/hmac.c
-index 3268887..b905a1e 100644
+index 7b58801..5a92074 100644
 --- a/hmac.c
 +++ b/hmac.c
-@@ -146,7 +146,7 @@ hmac_test(void *key, size_t klen, void *m, size_t mlen, 
u_char *e, size_t elen)
+@@ -145,7 +145,7 @@ hmac_test(void *key, size_t klen, void *m, size_t mlen, 
u_char *e, size_t elen)
        size_t                   i;
        u_char                   digest[16];
  
@@ -414,10 +414,10 @@
        if (ssh_hmac_init(ctx, key, klen) < 0 ||
            ssh_hmac_update(ctx, m, mlen) < 0 ||
 diff --git a/kex.c b/kex.c
-index 49d7015..1f82c2e 100644
+index b09fbac..a5e4be7 100644
 --- a/kex.c
 +++ b/kex.c
-@@ -60,6 +60,8 @@
+@@ -63,6 +63,8 @@
  #include "sshbuf.h"
  #include "digest.h"
  
@@ -426,7 +426,7 @@
  /* prototype */
  static int kex_choose_conf(struct ssh *);
  static int kex_input_newkeys(int, u_int32_t, struct ssh *);
-@@ -83,7 +85,7 @@ struct kexalg {
+@@ -86,7 +88,7 @@ struct kexalg {
        int ec_nid;
        int hash_alg;
  };
@@ -435,7 +435,7 @@
  #ifdef WITH_OPENSSL
        { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
        { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
-@@ -114,6 +116,47 @@ static const struct kexalg kexalgs[] = {
+@@ -117,6 +119,47 @@ static const struct kexalg kexalgs[] = {
        { NULL, 0, -1, -1},
  };
  
@@ -483,7 +483,7 @@
  char *
  kex_alg_list(char sep)
  {
-@@ -121,7 +164,7 @@ kex_alg_list(char sep)
+@@ -124,7 +167,7 @@ kex_alg_list(char sep)
        size_t nlen, rlen = 0;
        const struct kexalg *k;
  
@@ -492,7 +492,7 @@
                if (ret != NULL)
                        ret[rlen++] = sep;
                nlen = strlen(k->name);
-@@ -141,7 +184,7 @@ kex_alg_by_name(const char *name)
+@@ -144,7 +187,7 @@ kex_alg_by_name(const char *name)
  {
        const struct kexalg *k;
  
@@ -501,7 +501,7 @@
                if (strcmp(k->name, name) == 0)
                        return k;
        }
-@@ -161,7 +204,10 @@ kex_names_valid(const char *names)
+@@ -164,7 +207,10 @@ kex_names_valid(const char *names)
        for ((p = strsep(&cp, ",")); p && *p != '\0';
            (p = strsep(&cp, ","))) {
                if (kex_alg_by_name(p) == NULL) {
@@ -595,21 +595,8 @@
                if (strcmp(name, m->name) != 0)
                        continue;
                if (mac != NULL)
-diff --git a/myproposal.h b/myproposal.h
-index 34bd10c..e6be484 100644
---- a/myproposal.h
-+++ b/myproposal.h
-@@ -144,6 +144,8 @@
- 
- #else /* WITH_OPENSSL */
- 
-+#error "OpenSSL support is needed for FIPS mode to compile"
-+
- #define KEX_SERVER_KEX                \
-       "curve25519-sha256," \
-       "curve25519-sha...@libssh.org"
 diff --git a/readconf.c b/readconf.c
-index f78b4d6..228f481 100644
+index 26e80c5..595f053 100644
 --- a/readconf.c
 +++ b/readconf.c
 @@ -68,6 +68,8 @@
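
Review bot: The rebase drops the myproposal.h part of this patch, and with it the guard "#error "OpenSSL support is needed for FIPS mode to compile"" in the "#else /* WITH_OPENSSL */" branch. Nothing in the visible part of the refreshed patch replaces it, so a build configured without OpenSSL would no longer fail at compile time. If that branch no longer exists in 8.3p1, add an equivalent check on WITH_OPENSSL with an #error to fips.h or fips.c so the FIPS patchset still refuses to build without libcrypto.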
@@ -621,7 +608,7 @@
  /* Format of the configuration file:
  
     # Configuration data is parsed as follows:
-@@ -1837,6 +1839,23 @@ option_clear_or_none(const char *o)
+@@ -1908,6 +1910,23 @@ option_clear_or_none(const char *o)
        return o == NULL || strcasecmp(o, "none") == 0;
  }
  
@@ -645,40 +632,50 @@
  /*
   * Initializes options to special values that indicate that they have not yet
   * been set.  Read_config_file will only set options with this value. Options
-@@ -2116,6 +2135,8 @@ fill_default_options(Options * options)
+@@ -2196,6 +2215,9 @@ fill_default_options(Options * options)
                options->canonicalize_hostname = SSH_CANONICALISE_NO;
        if (options->fingerprint_hash == -1)
                options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
 +      options->fingerprint_hash =
 +              fips_correct_dgst(options->fingerprint_hash);
-       if (options->update_hostkeys == -1)
-               options->update_hostkeys = 0;
- 
-@@ -2143,6 +2164,7 @@ fill_default_options(Options * options)
++
+ #ifdef ENABLE_SK_INTERNAL
+       if (options->sk_provider == NULL)
+               options->sk_provider = xstrdup("internal");
+@@ -2229,6 +2251,7 @@ fill_default_options(Options * options)
+       ASSEMBLE(pubkey_key_types, def_key, all_key);
+       ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
+ #undef ASSEMBLE
++
+       free(all_cipher);
+       free(all_mac);
        free(all_kex);
-       free(all_key);
-       free(all_sig);
-+      filter_fips_algorithms(options);
+@@ -2240,6 +2263,8 @@ fill_default_options(Options * options)
+       kex_default_pk_alg_filtered = def_key; /* save for later use */
+       free(def_sig);
  
++      filter_fips_algorithms(options);
++
  #define CLEAR_ON_NONE(v) \
        do { \
+               if (option_clear_or_none(v)) { \
 diff --git a/readconf.h b/readconf.h
-index 8e36bf3..67111e9 100644
+index e143a10..ef18d5c 100644
 --- a/readconf.h
 +++ b/readconf.h
-@@ -197,6 +197,7 @@ typedef struct {
+@@ -199,6 +199,7 @@ typedef struct {
  #define SSH_STRICT_HOSTKEY_YES        2
  #define SSH_STRICT_HOSTKEY_ASK        3
  
 +void   filter_fips_algorithms(Options *o);
- void     initialize_options(Options *);
- void     fill_default_options(Options *);
- void   fill_default_options_for_canonicalization(Options *);
+ const char *kex_default_pk_alg(void);
+ char  *ssh_connection_hash(const char *thishost, const char *host,
+     const char *portstr, const char *user);
 diff --git a/servconf.c b/servconf.c
-index f58fecb..a8833a9 100644
+index 6be7274..9a51bfb 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -64,6 +64,7 @@
+@@ -69,6 +69,7 @@
  #include "auth.h"
  #include "myproposal.h"
  #include "digest.h"
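
Review bot: In the fill_default_options() part of this hunk, the call to filter_fips_algorithms(options) now sits after "kex_default_pk_alg_filtered = def_key; /* save for later use */", so the list handed out later through kex_default_pk_alg() (declared next to filter_fips_algorithms in readconf.h) does not appear to pass through the FIPS filter. Please check whether that saved default also needs filtering in FIPS mode. Separately, the inner hunk at "@@ -2229,6 +2251,7 @@" adds only an empty line after "#undef ASSEMBLE"; drop it to keep the patch minimal and reduce conflicts on the next rebase.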
@@ -686,7 +683,7 @@
  
  static void add_listen_addr(ServerOptions *, const char *,
      const char *, int);
-@@ -190,6 +191,23 @@ option_clear_or_none(const char *o)
+@@ -200,6 +201,23 @@ option_clear_or_none(const char *o)
        return o == NULL || strcasecmp(o, "none") == 0;
  }
  
@@ -710,16 +707,16 @@
  static void
  assemble_algorithms(ServerOptions *o)
  {
-@@ -219,6 +237,8 @@ assemble_algorithms(ServerOptions *o)
-       free(all_kex);
-       free(all_key);
-       free(all_sig);
+@@ -241,6 +259,8 @@ assemble_algorithms(ServerOptions *o)
+       free(def_kex);
+       free(def_key);
+       free(def_sig);
 +
 +      filter_fips_algorithms_s(o);
  }
  
  static void
-@@ -424,6 +444,8 @@ fill_default_server_options(ServerOptions *options)
+@@ -453,6 +473,8 @@ fill_default_server_options(ServerOptions *options)
                options->fwd_opts.streamlocal_bind_unlink = 0;
        if (options->fingerprint_hash == -1)
                options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
@@ -729,19 +726,19 @@
                options->disable_forwarding = 0;
        if (options->expose_userauth_info == -1)
 diff --git a/ssh-keygen.c b/ssh-keygen.c
-index 8c829ca..da63fb0 100644
+index 944faca..c1ecc54 100644
 --- a/ssh-keygen.c
 +++ b/ssh-keygen.c
-@@ -64,6 +64,8 @@
- #include "authfd.h"
- #include "sshsig.h"
+@@ -66,6 +66,8 @@
+ #include "ssh-sk.h"
+ #include "sk-api.h" /* XXX for SSH_SK_USER_PRESENCE_REQD; remove */
  
 +#include "fips.h"
 +
  #ifdef WITH_OPENSSL
  # define DEFAULT_KEY_TYPE_NAME "rsa"
  #else
-@@ -1002,11 +1004,13 @@ do_fingerprint(struct passwd *pw)
+@@ -1032,11 +1034,13 @@ do_fingerprint(struct passwd *pw)
  static void
  do_gen_all_hostkeys(struct passwd *pw)
  {
@@ -757,7 +754,7 @@
  #ifdef WITH_OPENSSL
                { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
                { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
-@@ -1021,6 +1025,17 @@ do_gen_all_hostkeys(struct passwd *pw)
+@@ -1051,6 +1055,17 @@ do_gen_all_hostkeys(struct passwd *pw)
                { NULL, NULL, NULL }
        };
  
@@ -775,9 +772,9 @@
        u_int32_t bits = 0;
        int first = 0;
        struct stat st;
-@@ -1029,6 +1044,12 @@ do_gen_all_hostkeys(struct passwd *pw)
+@@ -1058,6 +1073,12 @@ do_gen_all_hostkeys(struct passwd *pw)
+       char comment[1024], *prv_tmp, *pub_tmp, *prv_file, *pub_file;
        int i, type, fd, r;
-       FILE *f;
  
 +      if (fips_mode()) {
 +              key_types = key_types_fips140_2;
@@ -788,7 +785,7 @@
        for (i = 0; key_types[i].key_type; i++) {
                public = private = NULL;
                prv_tmp = pub_tmp = prv_file = pub_file = NULL;
-@@ -3215,6 +3236,15 @@ main(int argc, char **argv)
+@@ -3532,6 +3553,15 @@ main(int argc, char **argv)
                key_type_name = DEFAULT_KEY_TYPE_NAME;
  
        type = sshkey_type_from_name(key_type_name);
@@ -805,10 +802,10 @@
  
        if (!quiet)
 diff --git a/ssh_config.5 b/ssh_config.5
-index 02a8789..f0cb291 100644
+index c45fb8d..55d4b5e 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -664,6 +664,8 @@ Valid options are:
+@@ -669,6 +669,8 @@ Valid options are:
  and
  .Cm sha256
  (the default).
@@ -818,12 +815,12 @@
  Specifies whether the connection to the authentication agent (if any)
  will be forwarded to the remote machine.
 diff --git a/sshd.c b/sshd.c
-index 6b55ef7..c8086cd 100644
+index a24241c..e18078f 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -127,6 +127,8 @@
- #include "version.h"
+@@ -128,6 +128,8 @@
  #include "ssherr.h"
+ #include "sk-api.h"
  
 +#include "fips.h"
 +
@@ -831,10 +828,10 @@
  #define REEXEC_DEVCRYPTO_RESERVED_FD  (STDERR_FILENO + 1)
  #define REEXEC_STARTUP_PIPE_FD                (STDERR_FILENO + 2)
 diff --git a/sshd_config.5 b/sshd_config.5
-index 0707b47..8818ea5 100644
+index 52552d2..35affe5 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -605,6 +605,8 @@ and
+@@ -594,6 +594,8 @@ and
  .Cm sha256 .
  The default is
  .Cm sha256 .

++++++ openssh-7.7p1-fips_checks.patch ++++++
--- /var/tmp/diff_new_pack.FXHzoJ/_old  2020-06-11 10:01:19.974510274 +0200
+++ /var/tmp/diff_new_pack.FXHzoJ/_new  2020-06-11 10:01:19.978510287 +0200
@@ -7,7 +7,7 @@
 # FIPS mode). SHA-2 seems to be a reasonable choice.
 #
 # The logic of the checks is as follows: decide whether FIPS mode is mandated
-# (either by checking /proc/sys/crypto/fips_enabled or envoroinment variable
+# (either by checking /proc/sys/crypto/fips_enabled or environment variable
 # SSH_FORCE_FIPS. In FIPS mode, checksums are required to match (inability to
 # retrieve pre-calculated hash is a fatal error). In non-FIPS mode the checks
 # still must be performed, unless the hashes are not installed. Thus if the 
hash
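
Review bot: The parenthesis opened at "(either by checking /proc/sys/crypto/fips_enabled" is never closed; the sentence ends at "SSH_FORCE_FIPS." without a ")". Worth fixing in the same edit as the "environment" spelling correction, since this comment is the only description of when the integrity checks are mandatory.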
@@ -410,7 +410,7 @@
  #endif
 -
 diff --git a/sftp-server.c b/sftp-server.c
-index b133cbc..c3086b6 100644
+index 359204f..d6395fd 100644
 --- a/sftp-server.c
 +++ b/sftp-server.c
 @@ -53,6 +53,8 @@
@@ -422,7 +422,7 @@
  /* Our verbosity */
  static LogLevel log_level = SYSLOG_LEVEL_ERROR;
  
-@@ -1595,6 +1597,9 @@ sftp_server_main(int argc, char **argv, struct passwd 
*user_pw)
+@@ -1576,6 +1578,9 @@ sftp_server_main(int argc, char **argv, struct passwd 
*user_pw)
        extern char *optarg;
        extern char *__progname;
  
@@ -433,7 +433,7 @@
        log_init(__progname, log_level, log_facility, log_stderr);
  
 diff --git a/ssh.c b/ssh.c
-index ee51823..882d1da 100644
+index 98b6ce7..dce28fd 100644
 --- a/ssh.c
 +++ b/ssh.c
 @@ -113,6 +113,8 @@
@@ -445,9 +445,9 @@
  extern char *__progname;
  
  /* Saves a copy of argv for setproctitle emulation */
-@@ -596,6 +598,10 @@ main(int ac, char **av)
-       struct ssh_digest_ctx *md;
-       u_char conn_hash[SSH_DIGEST_MAX_LENGTH];
+@@ -630,6 +632,10 @@ main(int ac, char **av)
+       struct addrinfo *addrs = NULL;
+       size_t n, len;
  
 +      /* initialize fips - can go before ssh_malloc_init(), since that is a
 +       * OpenBSD-only thing (as of OpenSSH 7.6p1) */
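
Review bot: The comment added before the FIPS initialisation in ssh.c main() still justifies its position with ssh_malloc_init() "as of OpenSSH 7.6p1", although the patch is now rebased onto 8.3p1 and the surrounding declarations have changed. Please re-verify that the ordering argument still holds for 8.3p1 and update the version in the comment, or drop the remark if it no longer applies.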
@@ -457,10 +457,10 @@
        sanitise_stdfd();
  
 diff --git a/sshd.c b/sshd.c
-index c8086cd..bb20eec 100644
+index b2146a6..6092f0f 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -1443,6 +1443,10 @@ main(int ac, char **av)
+@@ -1505,6 +1505,10 @@ main(int ac, char **av)
        Authctxt *authctxt;
        struct connection_info *connection_info = NULL;
  

++++++ openssh-7.7p1-hostname_changes_when_forwarding_X.patch ++++++
--- /var/tmp/diff_new_pack.FXHzoJ/_old  2020-06-11 10:01:19.994510338 +0200
+++ /var/tmp/diff_new_pack.FXHzoJ/_new  2020-06-11 10:01:19.998510351 +0200
@@ -3,14 +3,12 @@
 # -- uset do be called '-xauthlocalhostname'
 handle hostname changes when forwarding X
 
-bnc#98627
-
 diff --git a/session.c b/session.c
-index 94d7438..d81060c 100644
+index 18cdfa8..85a9ee2 100644
 --- a/session.c
 +++ b/session.c
-@@ -981,7 +981,7 @@ copy_environment(char **source, char ***env, u_int 
*envsize)
- }
+@@ -985,7 +985,7 @@ copy_environment(char **source, char ***env, u_int 
*envsize)
+ #endif
  
  static char **
 -do_setup_env(struct ssh *ssh, Session *s, const char *shell)
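
Review bot: The "bnc#98627" line is removed from the patch header and no other reference replaces it, so the patch loses its link to the bug it was written for. Keep the reference, in whatever tag format the package uses now. The header line above it also reads "uset do be called", presumably meant as "used to be called", and could be corrected in the same refresh.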
@@ -18,7 +16,7 @@
  {
        char buf[256];
        size_t n;
-@@ -1191,6 +1191,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char 
*shell)
+@@ -1195,6 +1195,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char 
*shell)
                for (i = 0; env[i]; i++)
                        fprintf(stderr, "  %.200s\n", env[i]);
        }
@@ -27,7 +25,7 @@
        return env;
  }
  
-@@ -1199,7 +1201,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char 
*shell)
+@@ -1203,7 +1205,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char 
*shell)
   * first in this order).
   */
  static void
@@ -36,7 +34,7 @@
  {
        FILE *f = NULL;
        char cmd[1024];
-@@ -1254,12 +1256,20 @@ do_rc_files(struct ssh *ssh, Session *s, const char 
*shell)
+@@ -1258,12 +1260,20 @@ do_rc_files(struct ssh *ssh, Session *s, const char 
*shell)
                    options.xauth_location);
                f = popen(cmd, "w");
                if (f) {
@@ -57,7 +55,7 @@
                } else {
                        fprintf(stderr, "Could not run %s\n",
                            cmd);
-@@ -1515,6 +1525,7 @@ do_child(struct ssh *ssh, Session *s, const char 
*command)
+@@ -1519,6 +1529,7 @@ do_child(struct ssh *ssh, Session *s, const char 
*command)
        char **env, *argv[ARGV_MAX], remote_id[512];
        const char *shell, *shell0;
        struct passwd *pw = s->pw;
@@ -65,7 +63,7 @@
        int r = 0;
  
        sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
-@@ -1571,7 +1582,7 @@ do_child(struct ssh *ssh, Session *s, const char 
*command)
+@@ -1575,7 +1586,7 @@ do_child(struct ssh *ssh, Session *s, const char 
*command)
         * Make sure $SHELL points to the shell from the password file,
         * even if shell is overridden from login.conf
         */
@@ -74,7 +72,7 @@
  
  #ifdef HAVE_LOGIN_CAP
        shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
-@@ -1635,7 +1646,7 @@ do_child(struct ssh *ssh, Session *s, const char 
*command)
+@@ -1639,7 +1650,7 @@ do_child(struct ssh *ssh, Session *s, const char 
*command)
  
        closefrom(STDERR_FILENO + 1);
  
@@ -82,4 +80,4 @@
 +      do_rc_files(ssh, s, shell, env, &env_size);
  
        /* restore SIGPIPE for child */
-       signal(SIGPIPE, SIG_DFL);
+       ssh_signal(SIGPIPE, SIG_DFL);

++++++ openssh-7.7p1-ldap.patch ++++++
--- /var/tmp/diff_new_pack.FXHzoJ/_old  2020-06-11 10:01:20.010510390 +0200
+++ /var/tmp/diff_new_pack.FXHzoJ/_new  2020-06-11 10:01:20.010510390 +0200
@@ -125,19 +125,19 @@
 +  - Finlay dobbie.
 +  - Stefan Fisher.
 diff --git a/Makefile.in b/Makefile.in
-index 750aada..1baf5c6 100644
+index 6010d1c..f54348b 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -24,6 +24,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
- SFTP_SERVER=$(libexecdir)/sftp-server
+@@ -25,6 +25,8 @@ SFTP_SERVER=$(libexecdir)/sftp-server
  SSH_KEYSIGN=$(libexecdir)/ssh-keysign
  SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+ SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
 +SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
 +SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
  CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
  CAVSTEST_KDF=$(libexecdir)/cavstest-kdf
  PRIVSEP_PATH=@PRIVSEP_PATH@
-@@ -66,6 +68,9 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) 
ssh-keygen$(EXEEXT) ssh-keys
+@@ -74,6 +76,9 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) 
ssh-keygen$(EXEEXT) ssh-keys
  
  TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
  
@@ -147,28 +147,28 @@
  XMSS_OBJS=\
        ssh-xmss.o \
        sshkey-xmss.o \
-@@ -127,8 +132,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
-       sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
-       sandbox-solaris.o uidswap.o
- 
--MANPAGES      = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out 
ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out 
sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out 
ssh_config.5.out
--MANPAGES_IN   = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 
ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 
ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
-+MANPAGES       = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out 
ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out 
sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out 
ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out
-+MANPAGES_IN    = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 
ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 
ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5
+@@ -158,8 +163,8 @@ SFTPSERVER_OBJS=sftp-common.o sftp-server.o 
sftp-server-main.o
+ 
+ SFTP_OBJS=    sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
+ 
+-MANPAGES      = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out 
ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out 
sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out 
sshd_config.5.out ssh_config.5.out
+-MANPAGES_IN   = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 
ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 
ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5
++MANPAGES      = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out 
ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out 
sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out 
sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out
++MANPAGES_IN   = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 
ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 
ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5 
ssh-ldap-helper.8 ssh-ldap.conf.5
  MANTYPE               = @MANTYPE@
  
  CONFIGFILES=sshd_config.out ssh_config.out moduli.out
-@@ -208,6 +213,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a 
ssh-pkcs11-helper.o ssh-pkcs11
- ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
-       $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh 
$(LIBS)
+@@ -242,6 +247,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a 
$(SKHELPER_OBJS)
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
+       $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh 
$(LIBS)
  
 +ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o 
ldapmisc.o ldap-helper.o
 +      $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) 
-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
 +
- sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o 
sftp-server.o sftp-realpath.o sftp-server-main.o
-       $(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o 
sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat 
$(LIBS)
+ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS)
+       $(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
  
-@@ -363,6 +371,10 @@ install-files:
+@@ -406,6 +414,10 @@ install-files:
        $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) 
$(DESTDIR)$(sbindir)/sshd$(EXEEXT)
        $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) 
$(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) 
$(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
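Review bot: the ssh-ldap-helper link rule still spells out its object files and passes "-lssh -lopenbsd-compat -lssh -lopenbsd-compat", while the refreshed context beside it shows upstream rules now using object-list variables ($(SSHKEYSCAN_OBJS), $(SFTPSERVER_OBJS)) and, for sftp-server, a single "-lssh -lopenbsd-compat $(LIBS)". Consider giving the helper a matching object-list variable and checking whether the doubled library list is still needed, so the rule does not drift further from the surrounding Makefile on the next refresh.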
@@ -176,10 +176,10 @@
 +              $(INSTALL) -m 0755 $(STRIP_OPT) ssh-ldap-helper 
$(DESTDIR)$(SSH_LDAP_HELPER) ; \
 +              $(INSTALL) -m 0755 ssh-ldap-wrapper 
$(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
 +      fi
+       $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) 
$(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
        $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) 
$(DESTDIR)$(bindir)/sftp$(EXEEXT)
        $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) 
$(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-       $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) 
$(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
-@@ -381,6 +393,10 @@ install-files:
+@@ -425,6 +437,10 @@ install-files:
        $(INSTALL) -m 644 sftp-server.8.out 
$(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
        $(INSTALL) -m 644 ssh-keysign.8.out 
$(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
        $(INSTALL) -m 644 ssh-pkcs11-helper.8.out 
$(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
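Review bot: the added install lines copy "ssh-ldap-helper" to $(DESTDIR)$(SSH_LDAP_HELPER) without $(EXEEXT), but the build target is ssh-ldap-helper$(EXEEXT) and the uninstall rule removes $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT). The neighbouring install lines (ssh-pkcs11-helper, ssh-sk-helper, sftp) carry the suffix on both source and destination; use the same form here so install and uninstall agree where EXEEXT is non-empty. ssh-ldap-wrapper has the same mismatch between its install and uninstall lines.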
@@ -187,10 +187,10 @@
 +              $(INSTALL) -m 644 ssh-ldap-helper.8.out 
$(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
 +              $(INSTALL) -m 644 ssh-ldap.conf.5.out 
$(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
 +      fi
+       $(INSTALL) -m 644 ssh-sk-helper.8.out 
$(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
  
  install-sysconf:
-       $(MKDIR_P) $(DESTDIR)$(sysconfdir)
-@@ -404,6 +420,13 @@ install-sysconf:
+@@ -449,6 +465,13 @@ install-sysconf:
        else \
                echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install 
will not overwrite"; \
        fi
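Review bot: ssh-ldap.conf.5 is installed here under $(mansubdir)5, but the uninstall changes visible in this patch add a removal only for ssh-ldap-helper.8 (the "@@ -499,6 +524,7 @@ uninstall:" hunk adds a single line). Add a matching "-rm -f $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5" to the uninstall target so the page is not left behind.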
@@ -204,28 +204,28 @@
  
  host-key: ssh-keygen$(EXEEXT)
        @if [ -z "$(DESTDIR)" ] ; then \
-@@ -441,6 +464,8 @@ uninstall:
-       -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
+@@ -487,6 +510,8 @@ uninstall:
        -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
        -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+       -rm -f $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
 +      -rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)
 +      -rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT)
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-@@ -452,6 +477,7 @@ uninstall:
-       -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
+@@ -499,6 +524,7 @@ uninstall:
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
+       -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
 +      -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
  
  regress-prep:
        $(MKDIR_P) `pwd`/regress/unittests/test_helper
 diff --git a/configure.ac b/configure.ac
-index 20a1884..ff9c11a 100644
+index 4ddf539..1fd0b17 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1651,6 +1651,106 @@ AC_ARG_WITH([audit],
+@@ -1688,6 +1688,106 @@ AC_ARG_WITH([audit],
        esac ]
  )
  

++++++ openssh-7.7p1-no_fork-no_pid_file.patch ++++++
--- /var/tmp/diff_new_pack.FXHzoJ/_old  2020-06-11 10:01:20.030510454 +0200
+++ /var/tmp/diff_new_pack.FXHzoJ/_new  2020-06-11 10:01:20.030510454 +0200
@@ -2,15 +2,11 @@
 # Parent  bad0c8b3b8d72abb6960ed85b57ee42352371738
 Do not write a PID file when not daemonizing (e.g. when running from systemd)
 
-diff --git a/openssh-7.7p1/sshd.c b/openssh-7.7p1/sshd.c
---- openssh-7.7p1/sshd.c
-+++ openssh-7.7p1/sshd.c
-@@ -1996,17 +1996,17 @@ main(int ac, char **av)
-               signal(SIGCHLD, main_sigchld_handler);
-               signal(SIGTERM, sigterm_handler);
-               signal(SIGQUIT, sigterm_handler);
- 
-               /*
+diff --git a/sshd.c b/sshd.c
+index f3ccc3a..eadc1b3 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -2076,7 +2076,7 @@ main(int ac, char **av)
                 * Write out the pid file after the sigterm handler
                 * is setup and the listen sockets are bound
                 */
@@ -19,8 +15,3 @@
                        FILE *f = fopen(options.pid_file, "w");
  
                        if (f == NULL) {
-                               error("Couldn't create pid file \"%s\": %s",
-                                   options.pid_file, strerror(errno));
-                       } else {
-                               fprintf(f, "%ld\n", (long) getpid());
-                               fclose(f);

++++++ openssh-7.7p1-sftp_print_diagnostic_messages.patch ++++++
--- /var/tmp/diff_new_pack.FXHzoJ/_old  2020-06-11 10:01:20.062510557 +0200
+++ /var/tmp/diff_new_pack.FXHzoJ/_new  2020-06-11 10:01:20.066510570 +0200
@@ -2,12 +2,11 @@
 # Parent  60bdbe6dd8d6bc011883472363d56e1d97f68835
 Put back sftp client diagnostic messages in batch mode
 
-bsc#1023275
 diff --git a/sftp.1 b/sftp.1
-index a52c1cf..7333de8 100644
+index a305b37..6e802ec 100644
 --- a/sftp.1
 +++ b/sftp.1
-@@ -278,6 +278,9 @@ Specifies the port to connect to on the remote host.
+@@ -282,6 +282,9 @@ Specifies the port to connect to on the remote host.
  .It Fl p
  Preserves modification times, access times, and modes from the
  original files transferred.
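Review bot: the refreshed header drops the "bsc#1023275" line, which was the only pointer from this patch to its bug report. Keep the reference in the patch header, or make sure it is recorded in the .changes entry, so the reason for putting the batch-mode diagnostics back stays traceable.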
@@ -18,7 +17,7 @@
  Quiet mode: disables the progress meter as well as warning and
  diagnostic messages from
 diff --git a/sftp.c b/sftp.c
-index b66037f..6c94a38 100644
+index 2799e4a..52b2c23 100644
 --- a/sftp.c
 +++ b/sftp.c
 @@ -85,6 +85,9 @@ static volatile pid_t sshpid = -1;
@@ -31,16 +30,16 @@
  /* This is set to 0 if the progressmeter is not desired. */
  int showprogress = 1;
  
-@@ -2406,7 +2409,7 @@ main(int argc, char **argv)
+@@ -2409,7 +2412,7 @@ main(int argc, char **argv)
        infile = stdin;
  
        while ((ch = getopt(argc, argv,
--          "1246afhpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
-+          "1246afhpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
+-          "1246afhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
++          "1246afhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
                switch (ch) {
                /* Passed through to ssh(1) */
                case '4':
-@@ -2423,6 +2426,9 @@ main(int argc, char **argv)
+@@ -2426,6 +2429,9 @@ main(int argc, char **argv)
                        addargs(&args, "-%c", ch);
                        addargs(&args, "%s", optarg);
                        break;
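Review bot: the getopt string carries a downstream-only "Q" in among upstream's option letters, and this refresh shows the cost: upstream added "N" to the same string between the two versions, so the patched line had to change with it. State in the patch header that -Q is a distribution-specific option, and confirm that usage() lists it, since the changed lines here do not show that.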
@@ -50,7 +49,7 @@
                case 'q':
                        ll = SYSLOG_LEVEL_ERROR;
                        quiet = 1;
-@@ -2506,6 +2512,8 @@ main(int argc, char **argv)
+@@ -2510,6 +2516,8 @@ main(int argc, char **argv)
                        usage();
                }
        }

++++++ openssh-8.0p1-gssapi-keyex.patch ++++++
++++ 874 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/openssh/openssh-8.0p1-gssapi-keyex.patch
++++ and 
/work/SRC/openSUSE:Factory/.openssh.new.3606/openssh-8.0p1-gssapi-keyex.patch

++++++ openssh-8.1p1-audit.patch ++++++
++++ 895 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/openssh/openssh-8.1p1-audit.patch
++++ and /work/SRC/openSUSE:Factory/.openssh.new.3606/openssh-8.1p1-audit.patch

++++++ openssh-8.1p1-seccomp-clock_nanosleep.patch ++++++
--- /var/tmp/diff_new_pack.FXHzoJ/_old  2020-06-11 10:01:20.122510750 +0200
+++ /var/tmp/diff_new_pack.FXHzoJ/_new  2020-06-11 10:01:20.122510750 +0200
@@ -1,10 +1,10 @@
-Index: openssh-8.1p1/sandbox-seccomp-filter.c
-===================================================================
---- openssh-8.1p1.orig/sandbox-seccomp-filter.c
-+++ openssh-8.1p1/sandbox-seccomp-filter.c
-@@ -248,6 +248,9 @@ static const struct sock_filter preauth_
- #ifdef __NR_nanosleep
-       SC_ALLOW(__NR_nanosleep),
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index c1e689e..74f69bc 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -264,6 +264,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_clock_gettime64
+       SC_ALLOW(__NR_clock_gettime64),
  #endif
 +#ifdef __NR_clock_nanosleep
 +    SC_ALLOW(__NR_clock_nanosleep),
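Review bot: the added allow rule covers only __NR_clock_nanosleep, while the refreshed context directly above it shows upstream allowing the 64-bit time variant of a sibling call (__NR_clock_gettime64). On 32-bit targets with 64-bit time_t the C library may issue clock_nanosleep_time64 instead, which this pre-auth filter would not pass; consider adding a guarded SC_ALLOW(__NR_clock_nanosleep_time64) entry unless one already follows outside the visible lines. The added SC_ALLOW line is also indented differently from the SC_ALLOW(__NR_clock_gettime64) context line; match the file's indentation.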

++++++ openssh-8.1p1.tar.gz -> openssh-8.3p1.tar.gz ++++++
++++ 43411 lines of diff (skipped)


