Merge manpage crypto-policies related patches

Signed-off-by: Norbert Pocs <npocs@redhat.com>
2023-06-07 10:33:38 +02:00 · 2023-06-07 10:33:38 +02:00 · 2b67ec48c2
commit 2b67ec48c2
parent fb40f0afda
3 changed files with 52 additions and 48 deletions
--- a/openssh-8.0p1-crypto-policies.patch
+++ b/openssh-8.0p1-crypto-policies.patch
@ -1,7 +1,7 @@
-diff --color -ru a/ssh_config.5 b/ssh_config.5
+diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/ssh_config.5 openssh-9.3p1-patched/ssh_config.5
--- a/ssh_config.5	2022-07-12 15:05:22.550013071 +0200
+--- openssh-9.3p1/ssh_config.5	2023-06-07 10:26:48.284590156 +0200
-+++ b/ssh_config.5	2022-07-12 15:17:20.016704545 +0200
+++ openssh-9.3p1-patched/ssh_config.5	2023-06-07 10:26:00.623052194 +0200
-@@ -373,17 +373,13 @@
+@@ -378,17 +378,13 @@
 causes no CNAMEs to be considered for canonicalization.
 This is the default behaviour.
 .It Cm CASignatureAlgorithms
@ -24,7 +24,7 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
 If the specified list begins with a
 .Sq +
 character, then the specified algorithms will be appended to the default set
-@@ -445,20 +441,25 @@
+@@ -450,20 +446,25 @@
 (the default),
 the check will not be executed.
 .It Cm Ciphers
@ -54,7 +54,7 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
 .Pp
 The supported ciphers are:
 .Bd -literal -offset indent
-@@ -474,13 +475,6 @@
+@@ -479,13 +480,6 @@
 chacha20-poly1305@openssh.com
 .Ed
 .Pp
@ -68,7 +68,7 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
 The list of available ciphers may also be obtained using
 .Qq ssh -Q cipher .
 .It Cm ClearAllForwardings
-@@ -874,6 +868,11 @@
+@@ -885,6 +879,11 @@
 The default is
 .Dq no .
 .It Cm GSSAPIKexAlgorithms
@ -80,7 +80,7 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
 The list of key exchange algorithms that are offered for GSSAPI
 key exchange. Possible values are
 .Bd -literal -offset 3n
-@@ -886,10 +885,8 @@
+@@ -897,10 +896,8 @@
 gss-curve25519-sha256-
 .Ed
 .Pp
@ -92,7 +92,7 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
 .It Cm HashKnownHosts
 Indicates that
 .Xr ssh 1
-@@ -913,36 +910,25 @@
+@@ -919,36 +916,25 @@
 but may be manually hashed using
 .Xr ssh-keygen 1 .
 .It Cm HostbasedAcceptedAlgorithms
@ -137,7 +137,25 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
 .Pp
 The
 .Fl Q
-@@ -1219,30 +1216,25 @@
+@@ -1001,6 +987,17 @@
 .Pp
 The list of available signature algorithms may also be obtained using
 .Qq ssh -Q HostKeyAlgorithms .
 +.Pp
 +The proposed
 +.Cm HostKeyAlgorithms
 +during KEX are limited to the set of algorithms that is defined in
 +.Cm PubkeyAcceptedAlgorithms
 +and therefore they are indirectly affected by system-wide
 +.Xr crypto_policies 7 .
 +.Xr crypto_policies 7 can not handle the list of host key algorithms directly as doing so
 +would break the order given by the
 +.Pa known_hosts
 +file.
 .It Cm HostKeyAlias
 Specifies an alias that should be used instead of the
 real host name when looking up or saving the host key
@@ -1232,30 +1229,25 @@
 and
 .Cm pam .
 .It Cm KexAlgorithms
@ -177,7 +195,7 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
 .Pp
 The list of available key exchange algorithms may also be obtained using
 .Qq ssh -Q kex .
-@@ -1351,37 +1344,33 @@
+@@ -1365,37 +1357,33 @@
 file.
 This option is intended for debugging and no overrides are enabled by default.
 .It Cm MACs
@ -224,7 +242,7 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
 The list of available MAC algorithms may also be obtained using
 .Qq ssh -Q mac .
 .It Cm NoHostAuthenticationForLocalhost
-@@ -1553,36 +1542,25 @@
+@@ -1567,39 +1555,31 @@
 The default is
 .Cm no .
 .It Cm PubkeyAcceptedAlgorithms
@ -270,7 +288,13 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
 .Pp
 The list of available signature algorithms may also be obtained using
 .Qq ssh -Q PubkeyAcceptedAlgorithms .
-@@ -2237,7 +2207,9 @@ for those users who do not have a config
+.Pp
 +This option affects also
 +.Cm HostKeyAlgorithms
 .It Cm PubkeyAuthentication
 Specifies whether to try public key authentication.
 The argument to this keyword must be
@@ -2265,7 +2245,9 @@
 This file must be world-readable.
 .El
 .Sh SEE ALSO
@ -281,10 +305,10 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
 .Sh AUTHORS
 .An -nosplit
 OpenSSH is a derivative of the original and free
-diff --color -ru a/sshd_config.5 b/sshd_config.5
+diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/sshd_config.5 openssh-9.3p1-patched/sshd_config.5
--- a/sshd_config.5	2022-07-12 15:05:22.535012771 +0200
+--- openssh-9.3p1/sshd_config.5	2023-06-07 10:26:48.277590077 +0200
-+++ b/sshd_config.5	2022-07-12 15:15:33.394809258 +0200
+++ openssh-9.3p1-patched/sshd_config.5	2023-06-07 10:26:00.592051845 +0200
-@@ -373,17 +373,13 @@
+@@ -379,17 +379,13 @@
 then no banner is displayed.
 By default, no banner is displayed.
 .It Cm CASignatureAlgorithms
@ -307,7 +331,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
 If the specified list begins with a
 .Sq +
 character, then the specified algorithms will be appended to the default set
-@@ -450,20 +446,25 @@
+@@ -525,20 +521,25 @@
 indicating not to
 .Xr chroot 2 .
 .It Cm Ciphers
@ -337,7 +361,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
 .Pp
 The supported ciphers are:
 .Pp
-@@ -490,13 +491,6 @@
+@@ -565,13 +566,6 @@
 chacha20-poly1305@openssh.com
 .El
 .Pp
@ -351,7 +375,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
 The list of available ciphers may also be obtained using
 .Qq ssh -Q cipher .
 .It Cm ClientAliveCountMax
-@@ -685,53 +679,43 @@
+@@ -766,53 +760,43 @@
 .Cm GSSAPIKeyExchange
 needs to be enabled in the server and also used by the client.
 .It Cm GSSAPIKexAlgorithms
@ -424,7 +448,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
 .Pp
 The list of available signature algorithms may also be obtained using
 .Qq ssh -Q HostbasedAcceptedAlgorithms .
-@@ -799,25 +794,14 @@
+@@ -879,25 +863,14 @@
 .Ev SSH_AUTH_SOCK
 environment variable.
 .It Cm HostKeyAlgorithms
@ -455,7 +479,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
 The list of available signature algorithms may also be obtained using
 .Qq ssh -Q HostKeyAlgorithms .
 .It Cm IgnoreRhosts
-@@ -965,20 +947,25 @@
+@@ -1044,20 +1017,25 @@
 The default is
 .Cm yes .
 .It Cm KexAlgorithms
@ -485,7 +509,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
 The supported algorithms are:
 .Pp
 .Bl -item -compact -offset indent
-@@ -1010,16 +997,6 @@
+@@ -1089,16 +1067,6 @@
 sntrup761x25519-sha512@openssh.com
 .El
 .Pp
@ -502,7 +526,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
 The list of available key exchange algorithms may also be obtained using
 .Qq ssh -Q KexAlgorithms .
 .It Cm ListenAddress
-@@ -1104,21 +1082,26 @@
+@@ -1184,21 +1152,26 @@
 file.
 This option is intended for debugging and no overrides are enabled by default.
 .It Cm MACs
@ -533,7 +557,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
 .Pp
 The algorithms that contain
 .Qq -etm
-@@ -1161,15 +1144,6 @@
+@@ -1241,15 +1214,6 @@
 umac-128-etm@openssh.com
 .El
 .Pp
@ -549,7 +573,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
 The list of available MAC algorithms may also be obtained using
 .Qq ssh -Q mac .
 .It Cm Match
-@@ -1548,36 +1522,25 @@
+@@ -1633,36 +1597,25 @@
 The default is
 .Cm yes .
 .It Cm PubkeyAcceptedAlgorithms
@ -595,7 +619,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
 .Pp
 The list of available signature algorithms may also be obtained using
 .Qq ssh -Q PubkeyAcceptedAlgorithms .
-@@ -2011,7 +1968,9 @@ This file should be writable by root onl
+@@ -2131,7 +2084,9 @@
 .El
 .Sh SEE ALSO
 .Xr sftp-server 8 ,
--- a/openssh-9.0p1-man-hostkeyalgos.patch
+++ b/openssh-9.0p1-man-hostkeyalgos.patch
@ -1,16 +0,0 @@
 diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/ssh_config.5 openssh-8.7p1-patched/ssh_config.5
 --- openssh-8.7p1/ssh_config.5	2023-05-29 13:41:19.731835097 +0200
 +++ openssh-8.7p1-patched/ssh_config.5	2023-05-29 13:40:58.806604144 +0200
@@ -989,6 +989,12 @@
 .Pp
 The list of available signature algorithms may also be obtained using
 .Qq ssh -Q HostKeyAlgorithms .
 +.Pp
 +.Xr crypto_policies 7 does not handle the list of algorithms as doing so
 +would break the order given by the
 +.Pa known_hosts
 +file. Therefore the list is filtered by
 +.Cm PubkeyAcceptedAlgorithms.
 .It Cm HostKeyAlias
 Specifies an alias that should be used instead of the
 real host name when looking up or saving the host key
--- a/openssh.spec
+++ b/openssh.spec
@ -181,6 +181,7 @@ Patch951: openssh-8.0p1-pkcs11-uri.patch
 # Unbreak scp between two IPv6 hosts (#1620333)
 Patch953: openssh-7.8p1-scp-ipv6.patch
 # Mention crypto-policies in manual pages (#1668325)
 # clarify rhbz#2068423 on the man page of ssh_config
 Patch962: openssh-8.0p1-crypto-policies.patch
 # Use OpenSSL high-level API to produce and verify signatures (#1707485)
 # TODO fix the comment above ^
@ -228,9 +229,6 @@ Patch1012: openssh-9.0p1-evp-fips-dh.patch
 Patch1013: openssh-9.0p1-evp-fips-ecdh.patch
 Patch1014: openssh-8.7p1-nohostsha1proof.patch
 # clarify rhbz#2068423 on the man page of ssh_config
 Patch1016: openssh-9.0p1-man-hostkeyalgos.patch
 License: BSD
 Requires: /sbin/nologin
@ -434,8 +432,6 @@ popd
 %patch -P 1013 -p1 -b .evp-fips-ecdh
 %patch -P 1014 -p1 -b .nosha1hostproof
 %patch -P 1016 -p1 -b .man-hostkeyalgos
 %patch -P 100 -p1 -b .coverity
 autoreconf