From 3cd48992578536a527173db969a455f5dcb8af1c Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Tue, 27 Mar 2018 16:52:07 +0200
Subject: [PATCH] Rebase to latest OpenSSH 7.7p1 (#1563223)

---
 .gitignore | 3 +
 openssh-6.2p1-vendor.patch | 12 +--
 openssh-6.6.1p1-ip-port-config-parser.patch | 91 ++++++++++++++----
 openssh-6.6.1p1-log-in-chroot.patch | 6 +-
 openssh-6.6.1p1-selinux-contexts.patch | 35 -------
 openssh-6.6p1-ctr-cavstest.patch | 6 +-
 openssh-6.6p1-entropy.patch | 13 +--
 openssh-6.6p1-force_krb.patch | 2 +-
 openssh-6.6p1-keycat.patch | 19 ++--
 openssh-6.6p1-kuserok.patch | 7 +-
 openssh-6.6p1-redhat.patch | 3 +-
 openssh-6.6p1-role-mls.patch | 23 ++---
 openssh-6.7p1-coverity.patch | 10 +-
 openssh-6.7p1-kdf-cavs.patch | 6 +-
 openssh-6.7p1-ldap.patch | 10 +-
 openssh-6.8p1-memory-problems.patch | 24 -----
 openssh-7.0p1-gssKexAlgorithms.patch | 4 +-
 openssh-7.1p2-audit-race-condition.patch | 6 +-
 openssh-7.2p1-fips.patch | 6 +-
 openssh-7.2p1-gsskex.patch | 9 +-
 openssh-7.3p1-openssl-1.1.0.patch | 92 +++++++------------
 openssh-7.6p1-audit.patch | 70 +++++++-------
 openssh-7.6p1-cleanup-selinux.patch | 30 +++---
 openssh-7.6p1-permitopen-bug.patch | 47 ----------
 openssh.spec | 19 ++--
 ...ssh_agent_auth-0.9.3-agent_structure.patch | 12 +++
 sources | 4 +-
 27 files changed, 255 insertions(+), 314 deletions(-)
 delete mode 100644 openssh-6.8p1-memory-problems.patch
 delete mode 100644 openssh-7.6p1-permitopen-bug.patch

diff --git a/.gitignore b/.gitignore
index f487f4a..09b3faa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,6 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
 /pam_ssh_agent_auth-0.10.3.tar.bz2
 /openssh-7.5p1.tar.gz
 /openssh-7.6p1.tar.gz
+/openssh-7.7p1.tar.gz
+/openssh-7.7p1.tar.gz.asc
+/DJM-GPG-KEY.gpg
diff --git a/openssh-6.2p1-vendor.patch b/openssh-6.2p1-vendor.patch
index 02f4540..68abb56 100644
--- a/openssh-6.2p1-vendor.patch
+++ b/openssh-6.2p1-vendor.patch
@@ -69,7 +69,7 @@ diff -up openssh-7.4p1/servconf.c.vendor openssh-7.4p1/servconf.c + case sAllowUsers: while ((arg = strdelim(&cp)) && *arg != '\0') { - if (options->num_allow_users >= MAX_ALLOW_USERS) + if (match_user(NULL, NULL, NULL, arg) == -1) @@ -2269,6 +2277,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env); dump_cfg_fmtint(sCompression, o->compression); @@ -93,8 +93,8 @@ diff -up openssh-7.4p1/sshd_config.0.vendor openssh-7.4p1/sshd_config.0 --- openssh-7.4p1/sshd_config.0.vendor 2016-12-23 13:34:51.695253847 +0100 +++ openssh-7.4p1/sshd_config.0 2016-12-23 13:36:53.146277511 +0100 @@ -792,6 +792,11 @@ DESCRIPTION - ssh-keygen(1). For more information on KRLs, see the KEY - REVOCATION LISTS section in ssh-keygen(1). + rdomain(4). If the routing domain is set to %D, then the domain + in which the incoming connection was received will be applied. + ShowPatchLevel + Specifies whether sshd will display the specific patch level of @@ -108,9 +108,9 @@ diff -up openssh-7.4p1/sshd_config.5.vendor openssh-7.4p1/sshd_config.5 --- openssh-7.4p1/sshd_config.5.vendor 2016-12-23 13:34:51.695253847 +0100 +++ openssh-7.4p1/sshd_config.5 2016-12-23 13:37:17.482282253 +0100 @@ -1334,6 +1334,13 @@ an OpenSSH Key Revocation List (KRL) as - .Xr ssh-keygen 1 . - For more information on KRLs, see the KEY REVOCATION LISTS section in - .Xr ssh-keygen 1 . + If the routing domain is set to + .Cm \&%D , + then the domain in which the incoming connection was received will be applied. +.It Cm ShowPatchLevel +Specifies whether +.Nm sshd diff --git a/openssh-6.6.1p1-ip-port-config-parser.patch b/openssh-6.6.1p1-ip-port-config-parser.patch index d2746bf..88e1ca2 100644 --- a/openssh-6.6.1p1-ip-port-config-parser.patch +++ b/openssh-6.6.1p1-ip-port-config-parser.patch @@ -1,24 +1,75 @@ diff --git a/misc.c b/misc.c -index 2f11de4..36402d1 100644 +index 874dcc8a..7b7f7a58 100644 --- a/misc.c 
+++ b/misc.c -@@ -396,7 +396,7 @@ hpdelim(char **cp) - return NULL; - else - s++; -- } else if ((s = strpbrk(s, ":/")) == NULL) -+ } else if ((s = strpbrk(s, ":")) == NULL) - s = *cp + strlen(*cp); /* skip to end (see first case below) */ +@@ -466,7 +466,7 @@ put_host_port(const char *host, u_short port) + * The delimiter char, if present, is stored in delim. + * If this is the last field, *cp is set to NULL. + */ +-static char * ++char * + hpdelim2(char **cp, char *delim) + { + char *s, *old; +diff --git a/misc.h b/misc.h +index cdafea73..cf9c8f28 100644 +--- a/misc.h ++++ b/misc.h +@@ -54,6 +54,7 @@ int set_rdomain(int, const char *); + int a2port(const char *); + int a2tun(const char *, int *); + char *put_host_port(const char *, u_short); ++char *hpdelim2(char **, char *); + char *hpdelim(char **); + char *cleanhostname(char *); + char *colon(char *); +diff --git a/servconf.c b/servconf.c +index 0f0d0906..1679181e 100644 +--- a/servconf.c ++++ b/servconf.c +@@ -821,7 +821,7 @@ process_permitopen(struct ssh *ssh, ServerOptions *options) + { + u_int i; + int port; +- char *host, *arg, *oarg; ++ char *host, *arg, *oarg, ch; - switch (*s) { -@@ -405,7 +405,6 @@ hpdelim(char **cp) - break; - - case ':': -- case '/': - *s = '\0'; /* terminate */ - *cp = s + 1; - break; --- -2.1.0 - + channel_clear_adm_permitted_opens(ssh); + if (options->num_permitted_opens == 0) +@@ -839,8 +839,8 @@ process_permitopen(struct ssh *ssh, ServerOptions *options) + /* Otherwise treat it as a list of permitted host:port */ + for (i = 0; i < options->num_permitted_opens; i++) { + oarg = arg = xstrdup(options->permitted_opens[i]); +- host = hpdelim(&arg); +- if (host == NULL) ++ host = hpdelim2(&arg, &ch); ++ if (host == NULL || ch == '/') + fatal("%s: missing host in PermitOpen", __func__); + host = cleanhostname(host); + if (arg == NULL || ((port = permitopen_port(arg)) < 0)) +@@ -1244,8 +1244,10 @@ process_server_config_line(ServerOptions *options, char *line, + port = 0; + p = arg; + } 
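Review bot: `ch` can be read uninitialised on the new `if (host == NULL || ch == '/')` line in process_permitopen: the comment on hpdelim2() earlier in this same patch says the delimiter is stored "if present", so a bare `PermitOpen host` entry with no `:port` leaves `ch` holding whatever was on the stack and the comparison is undefined behaviour (the later missing-port fatal does not undo that). Reset it before each call, `ch = '\0'; host = hpdelim2(&arg, &ch);`, or give it an initialiser in the declaration, `char *host, *arg, *oarg, ch = '\0';`; since the loop runs once per entry the per-call reset is the safer form. The same unguarded pattern is used at the two hpdelim2() call sites this patch adds to process_server_config_line. The rest of the loop body, including the permitopen_port() check, lies outside the hunk.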
else { +- p = hpdelim(&arg); +- if (p == NULL) ++ char ch; ++ arg2 = NULL; ++ p = hpdelim2(&arg, &ch); ++ if (p == NULL || ch == '/') + fatal("%s line %d: bad address:port usage", + filename, linenum); + p = cleanhostname(p); +@@ -1815,9 +1817,10 @@ process_server_config_line(ServerOptions *options, char *line, + break; + } + for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) { ++ char ch; + arg2 = xstrdup(arg); +- p = hpdelim(&arg); +- if (p == NULL) ++ p = hpdelim2(&arg, &ch); ++ if (p == NULL || ch == '/') + fatal("%s line %d: missing host in PermitOpen", + filename, linenum); + p = cleanhostname(p); diff --git a/openssh-6.6.1p1-log-in-chroot.patch b/openssh-6.6.1p1-log-in-chroot.patch index 44c345b..99e2e03 100644 --- a/openssh-6.6.1p1-log-in-chroot.patch +++ b/openssh-6.6.1p1-log-in-chroot.patch @@ -41,14 +41,14 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c --- openssh-7.4p1/monitor.c.log-in-chroot 2016-12-23 15:14:33.311168085 +0100 +++ openssh-7.4p1/monitor.c 2016-12-23 15:16:42.154193100 +0100 @@ -307,6 +307,8 @@ monitor_child_preauth(Authctxt *_authctx - close(pmonitor->m_log_sendfd); + close(pmonitor->m_log_sendfd); pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1; + pmonitor->m_state = "preauth"; + authctxt = _authctxt; memset(authctxt, 0, sizeof(*authctxt)); - + ssh->authctxt = authctxt; @@ -405,6 +407,8 @@ monitor_child_postauth(struct monitor *p close(pmonitor->m_recvfd); pmonitor->m_recvfd = -1; @@ -165,7 +165,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c - closefrom(STDERR_FILENO + 1); - - do_rc_files(s, shell); + do_rc_files(ssh, s, shell); /* restore SIGPIPE for child */ @@ -1653,9 +1649,17 @@ do_child(Session *s, const char *command diff --git a/openssh-6.6.1p1-selinux-contexts.patch b/openssh-6.6.1p1-selinux-contexts.patch index 5a9233b..ea4cbd1 100644 --- a/openssh-6.6.1p1-selinux-contexts.patch +++ b/openssh-6.6.1p1-selinux-contexts.patch 
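Review bot: `char ch;` in the ListenAddress branch is read uninitialised for the common `ListenAddress addr` form that carries no port: hpdelim2() only writes `*delim` when a delimiter is present (per its comment earlier in this patch), so `p == NULL || ch == '/'` compares stack garbage and can make sshd fatal() at startup on a valid configuration. Initialise it, `char ch = '\0';`. The added `arg2 = NULL;` is unrelated to the delimiter change; if the routing-domain parsing that follows the if/else (outside this hunk) already resets `arg2`, it is redundant and should be dropped from this patch, otherwise its purpose deserves a comment. The PermitOpen hunk that follows declares `char ch;` the same way and needs the same initialiser.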
@@ -116,38 +116,3 @@ index 2871fe9..39b9c08 100644 #endif /* Demote the child */ -diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c -index 12c014e..c5ef2ff 100644 ---- a/openbsd-compat/port-linux.c -+++ b/openbsd-compat/port-linux.c -@@ -35,7 +35,6 @@ - - #ifdef WITH_SELINUX - #include --#include - #include - - #ifndef SSH_SELINUX_UNCONFINED_TYPE -@@ -110,6 +109,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty) - security_context_t new_tty_ctx = NULL; - security_context_t user_ctx = NULL; - security_context_t old_tty_ctx = NULL; -+ security_class_t class; - - if (!ssh_selinux_enabled()) - return; -@@ -129,8 +129,13 @@ ssh_selinux_setup_pty(char *pwname, const char *tty) - goto out; - } - -+ class = string_to_security_class("chr_file"); -+ if (!class) { -+ error("string_to_security_class failed to translate security class context"); -+ goto out; -+ } - if (security_compute_relabel(user_ctx, old_tty_ctx, -- SECCLASS_CHR_FILE, &new_tty_ctx) != 0) { -+ class, &new_tty_ctx) != 0) { - error("%s: security_compute_relabel: %s", - __func__, strerror(errno)); - goto out; diff --git a/openssh-6.6p1-ctr-cavstest.patch b/openssh-6.6p1-ctr-cavstest.patch index 8aa6872..08c6a35 100644 --- a/openssh-6.6p1-ctr-cavstest.patch +++ b/openssh-6.6p1-ctr-cavstest.patch @@ -10,14 +10,14 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in PRIVSEP_PATH=@PRIVSEP_PATH@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ 
@@ -66,7 +67,7 @@ EXEEXT=@EXEEXT@ - MANFMT=@MANFMT@ + MKDIR_P=@MKDIR_P@ INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@ -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) - LIBOPENSSH_OBJS=\ - ssh_api.o \ + XMSS_OBJS=\ + ssh-xmss.o \ @@ -194,6 +195,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o $(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS) diff --git a/openssh-6.6p1-entropy.patch b/openssh-6.6p1-entropy.patch index f1fc6c9..7f6f4d0 100644 --- a/openssh-6.6p1-entropy.patch +++ b/openssh-6.6p1-entropy.patch 
@@ -14,12 +14,13 @@ diff -up openssh-7.4p1/entropy.c.entropy openssh-7.4p1/entropy.c diff -up openssh-7.4p1/openbsd-compat/Makefile.in.entropy openssh-7.4p1/openbsd-compat/Makefile.in --- openssh-7.4p1/openbsd-compat/Makefile.in.entropy 2016-12-23 18:34:53.715762155 +0100 +++ openssh-7.4p1/openbsd-compat/Makefile.in 2016-12-23 18:35:15.890769493 +0100 -@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf - - COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-getpagesize.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-malloc.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xcrypt.o kludge-fd_set.o - --PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o -+PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o +@@ -20,7 +20,8 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf + port-solaris.o \ + port-net.o \ + port-uw.o \ +- port-linux-sshd.o ++ port-linux-sshd.o \ ++ port-linux-prng.o .c.o: $(CC) $(CFLAGS) $(CPPFLAGS) -c $< diff --git a/openssh-6.6p1-force_krb.patch b/openssh-6.6p1-force_krb.patch index 19f075e..ae948f7 100644 --- a/openssh-6.6p1-force_krb.patch +++ b/openssh-6.6p1-force_krb.patch @@ -207,7 +207,7 @@ index 28659ec..9c94d8e 100644 --- a/session.c +++ b/session.c @@ -789,6 +789,29 @@ do_exec(Session *s, const char *command) - command = forced_command; + command = auth_opts->force_command; forced = "(key-option)"; } +#ifdef GSSAPI diff --git a/openssh-6.6p1-keycat.patch b/openssh-6.6p1-keycat.patch index 9304c1f..108f461 100644 --- a/openssh-6.6p1-keycat.patch +++ b/openssh-6.6p1-keycat.patch 
@@ -1,7 +1,7 @@ -diff -up openssh/misc.c.keycat openssh/misc.c ---- openssh/misc.c.keycat 2015-06-24 10:57:50.158849606 +0200 -+++ openssh/misc.c 2015-06-24 11:04:23.989868638 +0200 -@@ -490,6 +490,14 @@ subprocess(const char *tag, struct passw +diff -up openssh/auth.c.keycat openssh/misc.c +--- openssh/auth.c.keycat 2015-06-24 10:57:50.158849606 +0200 ++++ openssh/auth.c 2015-06-24 11:04:23.989868638 +0200 +@@ -966,6 +966,14 @@ subprocess(const char *tag, struct passw _exit(1); } @@ -52,14 +52,14 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in AR=@AR@ AWK=@AWK@ @@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@ - MANFMT=@MANFMT@ + MKDIR_P=@MKDIR_P@ INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@ -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) - LIBOPENSSH_OBJS=\ - ssh_api.o \ + XMSS_OBJS=\ + ssh-xmss.o \ @@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LDAPLIBS) 
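Review bot: The rewritten header line `diff -up openssh/auth.c.keycat openssh/misc.c` still names `misc.c` as its second path while the `---`/`+++` lines directly under it now say `openssh/auth.c`. patch(1) takes the target from `---`/`+++`, so the hunk applies, but the mismatched header misleads anyone reading the patch to see where the subprocess() hook landed after the rebase. Change it to `diff -up openssh/auth.c.keycat openssh/auth.c`.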
@@ -203,7 +203,7 @@ diff -up openssh/platform.c.keycat openssh/platform.c diff -up openssh/ssh-keycat.c.keycat openssh/ssh-keycat.c --- openssh/ssh-keycat.c.keycat 2015-06-24 10:57:50.161849599 +0200 +++ openssh/ssh-keycat.c 2015-06-24 10:57:50.161849599 +0200 -@@ -0,0 +1,238 @@ +@@ -0,0 +1,241 @@ +/* + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions @@ -253,6 +253,9 @@ diff -up openssh/ssh-keycat.c.keycat openssh/ssh-keycat.c +#include +#include +#include ++#ifdef HAVE_STDINT_H ++#include ++#endif + +#include + diff --git a/openssh-6.6p1-kuserok.patch b/openssh-6.6p1-kuserok.patch index 47768aa..2c65890 100644 --- a/openssh-6.6p1-kuserok.patch +++ b/openssh-6.6p1-kuserok.patch @@ -192,15 +192,16 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -@@ -399,7 +402,7 @@ typedef enum { +@@ -399,7 +402,8 @@ typedef enum { sPermitRootLogin, sLogFacility, sLogLevel, sRhostsRSAAuthentication, sRSAAuthentication, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, -- sKerberosGetAFSToken, +- sKerberosGetAFSToken, sChallengeResponseAuthentication, + sKerberosGetAFSToken, sKerberosUseKuserok, - sKerberosTgtPassing, sChallengeResponseAuthentication, ++ sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sAddressFamily, + sPrintMotd, sPrintLastLog, sIgnoreRhosts, @@ -478,11 +481,13 @@ static struct { #else { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, diff --git a/openssh-6.6p1-redhat.patch b/openssh-6.6p1-redhat.patch index 426ba66..0879b51 100644 --- a/openssh-6.6p1-redhat.patch +++ b/openssh-6.6p1-redhat.patch 
@@ -64,7 +64,7 @@ diff -up openssh-7.4p1/sshd_config.5.redhat openssh-7.4p1/sshd_config.5 diff -up openssh-7.4p1/sshd_config.redhat openssh-7.4p1/sshd_config --- openssh-7.4p1/sshd_config.redhat 2016-12-19 05:59:41.000000000 +0100 +++ openssh-7.4p1/sshd_config 2016-12-23 13:33:05.386233133 +0100 -@@ -10,21 +10,35 @@ +@@ -10,20 +10,34 @@ # possible, but leave them commented. Uncommented options override the # default value. @@ -79,7 +79,6 @@ diff -up openssh-7.4p1/sshd_config.redhat openssh-7.4p1/sshd_config -#HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_rsa_key - #HostKey /etc/ssh/ssh_host_dsa_key -#HostKey /etc/ssh/ssh_host_ecdsa_key -#HostKey /etc/ssh/ssh_host_ed25519_key +HostKey /etc/ssh/ssh_host_ecdsa_key diff --git a/openssh-6.6p1-role-mls.patch b/openssh-6.6p1-role-mls.patch index ad2411f..37ae70d 100644 --- a/openssh-6.6p1-role-mls.patch +++ b/openssh-6.6p1-role-mls.patch @@ -93,7 +93,7 @@ diff -up openssh-7.4p1/auth2-hostbased.c.role-mls openssh-7.4p1/auth2-hostbased. +#else + (r = sshbuf_put_cstring(b, authctxt->user)) != 0 || +#endif - (r = sshbuf_put_cstring(b, service)) != 0 || + (r = sshbuf_put_cstring(b, authctxt->service)) != 0 || (r = sshbuf_put_cstring(b, "hostbased")) != 0 || (r = sshbuf_put_string(b, pkalg, alen)) != 0 || diff -up openssh-7.4p1/auth2-pubkey.c.role-mls openssh-7.4p1/auth2-pubkey.c @@ -116,7 +116,7 @@ diff -up openssh-7.4p1/auth2-pubkey.c.role-mls openssh-7.4p1/auth2-pubkey.c +#endif if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 || (r = sshbuf_put_cstring(b, userstyle)) != 0 || - (r = sshbuf_put_cstring(b, ssh->compat & SSH_BUG_PKSERVICE ? + (r = sshbuf_put_cstring(b, authctxt->service)) != 0 || diff -up openssh-7.4p1/auth.h.role-mls openssh-7.4p1/auth.h --- openssh-7.4p1/auth.h.role-mls 2016-12-19 05:59:41.000000000 +0100 +++ openssh-7.4p1/auth.h 2016-12-23 12:19:43.478510375 +0100 
@@ -146,7 +146,7 @@ diff -up openssh-7.4p1/auth-pam.h.role-mls openssh-7.4p1/auth-pam.h --- openssh-7.4p1/auth-pam.h.role-mls 2016-12-23 12:19:43.478510375 +0100 +++ openssh-7.4p1/auth-pam.h 2016-12-23 12:21:44.698101234 +0100 @@ -31,7 +31,7 @@ u_int do_pam_account(void); - void do_pam_session(void); + void do_pam_session(struct ssh *); void do_pam_setcred(int ); void do_pam_chauthtok(void); -int do_pam_putenv(char *, char *); @@ -316,7 +316,7 @@ diff -up openssh-7.4p1/monitor_wrap.c.role-mls openssh-7.4p1/monitor_wrap.c + /* Do the password authentication */ int - mm_auth_password(Authctxt *authctxt, char *password) + mm_auth_password(struct ssh *ssh, char *password) diff -up openssh-7.4p1/monitor_wrap.h.role-mls openssh-7.4p1/monitor_wrap.h --- openssh-7.4p1/monitor_wrap.h.role-mls 2016-12-19 05:59:41.000000000 +0100 +++ openssh-7.4p1/monitor_wrap.h 2016-12-23 12:19:58.588459376 +0100 
@@ -329,16 +329,17 @@ diff -up openssh-7.4p1/monitor_wrap.h.role-mls openssh-7.4p1/monitor_wrap.h +#endif struct passwd *mm_getpwnamallow(const char *); char *mm_auth2_read_banner(void); - int mm_auth_password(struct Authctxt *, char *); + int mm_auth_password(struct ssh *, char *); diff -up openssh-7.4p1/openbsd-compat/Makefile.in.role-mls openssh-7.4p1/openbsd-compat/Makefile.in --- openssh-7.4p1/openbsd-compat/Makefile.in.role-mls 2016-12-23 12:19:58.588459376 +0100 +++ openssh-7.4p1/openbsd-compat/Makefile.in 2016-12-23 12:24:06.042643938 +0100 -@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf - - COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-getpagesize.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-malloc.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xcrypt.o kludge-fd_set.o - --PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o -+PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o +@@ -20,7 +20,8 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf + port-linux.o \ + port-solaris.o \ + port-net.o \ +- port-uw.o ++ port-uw.o \ ++ port-linux-sshd.o .c.o: $(CC) $(CFLAGS) $(CPPFLAGS) -c $< diff --git a/openssh-6.7p1-coverity.patch b/openssh-6.7p1-coverity.patch index 5b12ddd..253e0ee 100644 --- a/openssh-6.7p1-coverity.patch +++ b/openssh-6.7p1-coverity.patch @@ -27,7 +27,7 @@ diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c + while (pmonitor->m_log_recvfd >= 0 && monitor_read_log(pmonitor) == 0) ; - close(pmonitor->m_sendfd); + if (pmonitor->m_recvfd >= 0) diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c --- openssh-7.4p1/monitor_wrap.c.coverity 2016-12-23 16:40:26.892788689 +0100 +++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:40:26.900788691 +0100 
@@ -127,11 +127,11 @@ diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c } tun = packet_get_int(); -- if (forced_tun_device != -1) { -+ if (forced_tun_device >= 0) { - if (tun != SSH_TUNID_ANY && forced_tun_device != tun) +- if (auth_opts->force_tun_device != -1) { ++ if (auth_opts->force_tun_device >= 0) { + if (tun != SSH_TUNID_ANY && auth_opts->force_tun_device != tun) goto done; - tun = forced_tun_device; + tun = auth_opts->force_tun_device; diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c --- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100 +++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100 diff --git a/openssh-6.7p1-kdf-cavs.patch b/openssh-6.7p1-kdf-cavs.patch index 65feb96..4e5c7a5 100644 --- a/openssh-6.7p1-kdf-cavs.patch +++ b/openssh-6.7p1-kdf-cavs.patch @@ -10,14 +10,14 @@ diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in PRIVSEP_PATH=@PRIVSEP_PATH@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ @@ -67,7 +68,7 @@ EXEEXT=@EXEEXT@ - MANFMT=@MANFMT@ + MKDIR_P=@MKDIR_P@ INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@ -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT) - LIBOPENSSH_OBJS=\ - ssh_api.o \ + XMSS_OBJS=\ + ssh-xmss.o \ @@ -198,6 +199,9 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHD ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) 
diff --git a/openssh-6.7p1-ldap.patch b/openssh-6.7p1-ldap.patch index 1caa0a6..ddb3974 100644 --- a/openssh-6.7p1-ldap.patch +++ b/openssh-6.7p1-ldap.patch @@ -145,16 +145,16 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in GSSLIBS=@GSSLIBS@ SSHLIBS=@SSHLIBS@ @@ -61,8 +63,9 @@ XAUTH_PATH=@XAUTH_PATH@ - LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@ EXEEXT=@EXEEXT@ MANFMT=@MANFMT@ + MKDIR_P=@MKDIR_P@ +INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@ -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) - LIBOPENSSH_OBJS=\ - ssh_api.o \ + XMSS_OBJS=\ + ssh-xmss.o \ @@ -112,8 +115,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \ sandbox-solaris.o @@ -197,7 +197,7 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in + fi install-sysconf: - if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \ + $(MKDIR_P) $(DESTDIR)$(sysconfdir) @@ -356,6 +370,13 @@ install-sysconf: else \ echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \ @@ -228,7 +228,7 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 regress-prep: - [ -d `pwd`/regress ] || mkdir -p `pwd`/regress + $(MKDIR_P) `pwd`/regress/unittests/test_helper diff -up openssh-6.8p1/configure.ac.ldap openssh-6.8p1/configure.ac --- openssh-6.8p1/configure.ac.ldap 2015-03-17 06:49:20.000000000 +0100 +++ openssh-6.8p1/configure.ac 2015-03-18 11:11:29.030801464 +0100 
diff --git a/openssh-6.8p1-memory-problems.patch b/openssh-6.8p1-memory-problems.patch deleted file mode 100644 index b2da05e..0000000 --- a/openssh-6.8p1-memory-problems.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff -up openssh-7.4p1/servconf.c.memory openssh-7.4p1/servconf.c ---- openssh-7.4p1/servconf.c.memory 2016-12-23 15:37:48.181422360 +0100 -+++ openssh-7.4p1/servconf.c 2016-12-23 15:38:30.189429116 +0100 -@@ -2006,6 +2006,8 @@ copy_set_server_options(ServerOptions *d - dst->n = src->n; \ - } while (0) - -+ u_int i; -+ - M_CP_INTOPT(password_authentication); - M_CP_INTOPT(gss_authentication); - M_CP_INTOPT(pubkey_authentication); -@@ -2058,8 +2060,10 @@ copy_set_server_options(ServerOptions *d - } while(0) - #define M_CP_STRARRAYOPT(n, num_n) do {\ - if (src->num_n != 0) { \ -+ for (i = 0; i < dst->num_n; i++) \ -+ free(dst->n[i]); \ - for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \ -- dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \ -+ dst->n[dst->num_n] = src->n[dst->num_n]; \ - } \ - } while(0) - #define M_CP_STRARRAYOPT_ALLOC(n, num_n) do { \ diff --git a/openssh-7.0p1-gssKexAlgorithms.patch b/openssh-7.0p1-gssKexAlgorithms.patch index 6200eaa..57b5eaf 100644 --- a/openssh-7.0p1-gssKexAlgorithms.patch +++ b/openssh-7.0p1-gssKexAlgorithms.patch @@ -238,8 +238,8 @@ diff -up openssh-7.0p1/servconf.c.gsskexalg openssh-7.0p1/servconf.c #include "digest.h" +#include "ssh-gss.h" - static void add_listen_addr(ServerOptions *, char *, int); - static void add_one_listen_addr(ServerOptions *, char *, int); + static void add_listen_addr(ServerOptions *, const char *, + const char *, int); @@ -121,6 +122,7 @@ initialize_server_options(ServerOptions options->gss_cleanup_creds = -1; options->gss_strict_acceptor = -1; diff --git a/openssh-7.1p2-audit-race-condition.patch b/openssh-7.1p2-audit-race-condition.patch index ec274eb..d390f63 100644 --- a/openssh-7.1p2-audit-race-condition.patch +++ b/openssh-7.1p2-audit-race-condition.patch 
@@ -86,7 +86,7 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c /* * This is called to fork and execute a command when we have no tty. This @@ -424,6 +430,8 @@ do_exec_no_pty(Session *s, const char *c - cray_init_job(s->pw); /* set up cray jid and tmpdir */ + close(err[0]); #endif + child_destory_sensitive_data(); @@ -102,8 +102,8 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c + child_destory_sensitive_data(); + /* record login, etc. similar to login(1) */ - #ifdef _UNICOS - cray_init_job(s->pw); /* set up cray jid and tmpdir */ + #ifndef HAVE_OSF_SIA + do_login(ssh, s, command); @@ -717,6 +728,8 @@ do_exec(Session *s, const char *command) } if (s->command != NULL && s->ptyfd == -1) diff --git a/openssh-7.2p1-fips.patch b/openssh-7.2p1-fips.patch index 54616f5..94cbefe 100644 --- a/openssh-7.2p1-fips.patch +++ b/openssh-7.2p1-fips.patch @@ -673,13 +673,13 @@ diff -up openssh-7.5p1/sshkey.c.fips openssh-7.5p1/sshkey.c #include "crypto_api.h" @@ -58,6 +59,7 @@ - #define SSHKEY_INTERNAL #include "sshkey.h" + #include "sshkey-xmss.h" #include "match.h" +#include "log.h" - /* openssh private key file format */ - #define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n" + #include "xmss_fast.h" + @@ -1587,6 +1589,8 @@ rsa_generate_private_key(u_int bits, RSA } if (!BN_set_word(f4, RSA_F4) || diff --git a/openssh-7.2p1-gsskex.patch b/openssh-7.2p1-gsskex.patch index 8c0523b..02436bd 100644 --- a/openssh-7.2p1-gsskex.patch +++ b/openssh-7.2p1-gsskex.patch @@ -1729,7 +1729,7 @@ diff -up openssh/monitor.c.gsskex openssh/monitor.c + monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1); +#endif - if (!no_pty_flag) { + if (auth_opts->permit_pty_flag) { monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); @@ -1656,6 +1673,13 @@ monitor_apply_keystate(struct monitor *p # endif 
@@ -2086,6 +2086,7 @@ diff -up openssh/regress/cert-userkey.sh.gsskex openssh/regress/cert-userkey.sh -PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` +PLAIN_TYPES=`$SSH -Q key-plain | grep -v null | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` + EXTRA_TYPES="" if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512" @@ -2624,7 +2625,7 @@ diff -up openssh/sshd.c.gsskex openssh/sshd.c @@ -871,8 +871,9 @@ notify_hostkeys(struct ssh *ssh) } - debug3("%s: sent %d hostkeys", __func__, nkeys); + debug3("%s: sent %u hostkeys", __func__, nkeys); if (nkeys == 0) - fatal("%s: no hostkeys", __func__); - packet_send(); @@ -2864,9 +2865,9 @@ diff -up openssh/sshkey.h.gsskex openssh/sshkey.h --- openssh/sshkey.h.gsskex 2017-09-25 01:48:10.000000000 +0200 +++ openssh/sshkey.h 2017-09-27 13:54:53.602534414 +0200 @@ -61,6 +61,7 @@ enum sshkey_types { - KEY_DSA_CERT, - KEY_ECDSA_CERT, KEY_ED25519_CERT, + KEY_XMSS, + KEY_XMSS_CERT, + KEY_NULL, KEY_UNSPEC }; diff --git a/openssh-7.3p1-openssl-1.1.0.patch b/openssh-7.3p1-openssl-1.1.0.patch index 0cd907f..83483d4 100644 --- a/openssh-7.3p1-openssl-1.1.0.patch +++ b/openssh-7.3p1-openssl-1.1.0.patch @@ -471,7 +471,7 @@ diff -up openssh/kexgexc.c.openssl openssh/kexgexc.c debug("got SSH2_MSG_KEX_DH_GEX_GROUP"); -@@ -119,26 +120,30 @@ input_kex_dh_gex_group(int type, u_int32 +@@ -119,24 +120,30 @@ input_kex_dh_gex_group(int type, u_int32 p = g = NULL; /* belong to kex->dh now */ /* generate and send 'e', client DH public key */ @@ -497,12 +497,8 @@ diff -up openssh/kexgexc.c.openssl openssh/kexgexc.c ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REPLY, &input_kex_dh_gex_reply); r = 0; out: -- if (p) -- BN_clear_free(p); -- if (g) -- BN_clear_free(g); -+ BN_clear_free(p); -+ BN_clear_free(g); + BN_clear_free(p); + BN_clear_free(g); + if (r != 0) { + DH_free(kex->dh); + kex->dh = NULL; 
@@ -1419,17 +1415,6 @@ diff -up openssh/sshconnect2.c.openssl openssh/sshconnect2.c } /* -diff -up openssh/sshconnect.c.openssl openssh/sshconnect.c ---- openssh/sshconnect.c.openssl 2017-09-26 13:19:31.759249464 +0200 -+++ openssh/sshconnect.c 2017-09-26 13:19:31.800249715 +0200 -@@ -1316,6 +1316,7 @@ ssh_login(Sensitive *sensitive, const ch - char *server_user, *local_user; - - local_user = xstrdup(pw->pw_name); -+ free(pw); - server_user = options.user ? options.user : local_user; - - /* Convert the user-supplied hostname into all lowercase. */ diff -up openssh/ssh.c.openssl openssh/ssh.c --- openssh/ssh.c.openssl 2017-09-26 13:19:31.786249629 +0200 +++ openssh/ssh.c 2017-09-26 13:19:31.800249715 +0200 @@ -1443,14 +1428,6 @@ diff -up openssh/ssh.c.openssl openssh/ssh.c if (access("/etc/system-fips", F_OK) == 0) if (! FIPSCHECK_verify(NULL, NULL)){ if (FIPS_mode()) -@@ -1263,6 +1265,7 @@ main(int ac, char **av) - free(cp); - } - free(conn_hash_hex); -+ free(host_arg); - - if (config_test) { - dump_client_config(&options, host); diff -up openssh/sshd.c.openssl openssh/sshd.c --- openssh/sshd.c.openssl 2017-09-26 13:19:31.792249666 +0200 +++ openssh/sshd.c 2017-09-26 13:19:31.801249721 +0200 @@ -1493,8 +1470,8 @@ diff -up openssh/ssh-dss.c.openssl openssh/ssh-dss.c + BN_bn2bin(r, sigblob + SIGBLOB_LEN - INTBLOB_LEN - rlen); + BN_bn2bin(s, sigblob + SIGBLOB_LEN - slen); - if (compat & SSH_BUG_SIGBLOB) { - if (sigp != NULL) { + if ((b = sshbuf_new()) == NULL) { + ret = SSH_ERR_ALLOC_FAIL; @@ -137,6 +139,7 @@ ssh_dss_verify(const struct sshkey *key, int ret = SSH_ERR_INTERNAL_ERROR; struct sshbuf *b = NULL; 
@@ -1527,15 +1504,13 @@ diff -up openssh/ssh-dss.c.openssl openssh/ssh-dss.c /* sha1 the data */ if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen, -@@ -207,8 +213,9 @@ ssh_dss_verify(const struct sshkey *key, +@@ -207,7 +213,9 @@ ssh_dss_verify(const struct sshkey *key, out: explicit_bzero(digest, sizeof(digest)); -- if (sig != NULL) -- DSA_SIG_free(sig); + BN_free(r); + BN_free(s); -+ DSA_SIG_free(sig); + DSA_SIG_free(sig); sshbuf_free(b); free(ktype); if (sigblob != NULL) { @@ -1597,15 +1572,13 @@ diff -up openssh/ssh-ecdsa.c.openssl openssh/ssh-ecdsa.c if (sshbuf_len(sigbuf) != 0) { ret = SSH_ERR_UNEXPECTED_TRAILING_DATA; goto out; -@@ -180,8 +191,9 @@ ssh_ecdsa_verify(const struct sshkey *ke +@@ -180,7 +191,9 @@ ssh_ecdsa_verify(const struct sshkey *ke explicit_bzero(digest, sizeof(digest)); sshbuf_free(sigbuf); sshbuf_free(b); -- if (sig != NULL) -- ECDSA_SIG_free(sig); + BN_free(r); + BN_free(s); -+ ECDSA_SIG_free(sig); + ECDSA_SIG_free(sig); free(ktype); return ret; } @@ -1647,20 +1620,19 @@ diff -up openssh/sshkey.c.openssl openssh/sshkey.c #ifdef OPENSSL_HAS_ECC case KEY_ECDSA_CERT: case KEY_ECDSA: -@@ -496,11 +501,7 @@ sshkey_new(int type) +@@ -496,10 +501,7 @@ sshkey_new(int type) #ifdef WITH_OPENSSL case KEY_RSA: case KEY_RSA_CERT: - if ((rsa = RSA_new()) == NULL || - (rsa->n = BN_new()) == NULL || - (rsa->e = BN_new()) == NULL) { -- if (rsa != NULL) -- RSA_free(rsa); +- RSA_free(rsa); + if ((rsa = RSA_new()) == NULL) { free(k); return NULL; } -@@ -508,13 +509,7 @@ sshkey_new(int type) +@@ -508,12 +509,7 @@ sshkey_new(int type) break; case KEY_DSA: case KEY_DSA_CERT: @@ -1669,8 +1641,7 @@ diff -up openssh/sshkey.c.openssl openssh/sshkey.c - (dsa->q = BN_new()) == NULL || - (dsa->g = BN_new()) == NULL || - (dsa->pub_key = BN_new()) == NULL) { -- if (dsa != NULL) -- DSA_free(dsa); +- DSA_free(dsa); + if ((dsa = DSA_new()) == NULL) { free(k); return NULL; 
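Review bot: The `BN_free(r); BN_free(s);` placed before `DSA_SIG_free(sig);` at the `out:` label of ssh_dss_verify is only correct if `r` and `s` are set to NULL once DSA_SIG_set0() has taken ownership of them; the allocation and set0 calls are outside this hunk, so please confirm an `r = s = NULL;` follows the successful set0, otherwise the success path frees both BIGNUMs twice. A one-line comment at the label, `/* r and s are NULL once sig owns them */`, would make that invariant visible to the next maintainer. The ssh_ecdsa_verify hunk that follows adds the identical pair of BN_free() calls ahead of ECDSA_SIG_free() and needs the same check.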
@@ -2491,8 +2462,8 @@ diff -up openssh/sshkey.h.openssl openssh/sshkey.h -int ssh_rsa_generate_additional_parameters(struct sshkey *); +int ssh_rsa_generate_additional_parameters(struct sshkey *, BIGNUM *iqmp); - #ifdef SSHKEY_INTERNAL - int ssh_rsa_sign(const struct sshkey *key, + /* stateful keys (e.g. XMSS) */ + #ifdef NO_ATTRIBUTE_ON_PROTOTYPE_ARGS diff -up openssh/ssh-pkcs11-client.c.openssl openssh/ssh-pkcs11-client.c --- openssh/ssh-pkcs11-client.c.openssl 2017-09-19 06:26:43.000000000 +0200 +++ openssh/ssh-pkcs11-client.c 2017-09-26 13:19:31.803249734 +0200 @@ -2594,7 +2565,7 @@ diff -up openssh/ssh-pkcs11.c.openssl openssh/ssh-pkcs11.c } } else { cp = attribs[2].pValue; -@@ -525,17 +538,19 @@ pkcs11_fetch_keys_filter(struct pkcs11_p +@@ -525,16 +538,18 @@ pkcs11_fetch_keys_filter(struct pkcs11_p == NULL) { error("d2i_X509 failed"); } else if ((evp = X509_get_pubkey(x509)) == NULL || @@ -2608,8 +2579,7 @@ diff -up openssh/ssh-pkcs11.c.openssl openssh/ssh-pkcs11.c == NULL) { error("RSAPublicKey_dup"); } - if (x509) - X509_free(x509); + X509_free(x509); } - if (rsa && rsa->n && rsa->e && + if (rsa) @@ -2621,21 +2591,19 @@ diff -up openssh/ssh-pkcs11.c.openssl openssh/ssh-pkcs11.c diff -up openssh/ssh-rsa.c.openssl openssh/ssh-rsa.c --- openssh/ssh-rsa.c.openssl 2017-09-19 06:26:43.000000000 +0200 +++ openssh/ssh-rsa.c 2017-09-26 13:19:31.803249734 +0200 -@@ -78,37 +78,46 @@ rsa_hash_alg_nid(int type) - } +@@ -78,38 +78,50 @@ rsa_hash_alg_nid(int type) } --/* calculate p-1 and q-1 */ -+/* calculate d mod p-1 and d mod q-1 */ int -ssh_rsa_generate_additional_parameters(struct sshkey *key) +ssh_rsa_generate_additional_parameters(struct sshkey *key, BIGNUM *iqmp) { -- RSA *rsa; BIGNUM *aux = NULL; BN_CTX *ctx = NULL; +- BIGNUM d; ++ BIGNUM *d = NULL; int r; -+ const BIGNUM *p, *q, *d; ++ const BIGNUM *p, *q, *rsa_d; + BIGNUM *dmp1 = NULL, *dmq1 = NULL; if (key == NULL || key->rsa == NULL || 
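Review bot: The new `BIGNUM *iqmp` parameter on `ssh_rsa_generate_additional_parameters()` in sshkey.h has no ownership contract; the name suggests it installs CRT parameters into `key->rsa`, and with OpenSSL 1.1.0 `RSA_set0_crt_params()` takes ownership of what it is handed, so a caller cannot tell from the header whether it may still free `iqmp` after the call (the set0 call, if any, is outside this view, so this is inferred). Please add a comment to the prototype along the lines of `/* takes ownership of iqmp on success; caller frees it on failure */`, adjusted to what the body actually does. Minor style: the prototype mixes an unnamed `struct sshkey *` with the named `BIGNUM *iqmp`; OpenSSH prototypes normally omit all parameter names. The function body continues on the following line.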
@@ -2646,21 +2614,26 @@ diff -up openssh/ssh-rsa.c.openssl openssh/ssh-rsa.c - return SSH_ERR_ALLOC_FAIL; - if ((aux = BN_new()) == NULL) { + RSA_get0_factors(key->rsa, &p, &q); -+ RSA_get0_key(key->rsa, NULL, NULL, &d); ++ RSA_get0_key(key->rsa, NULL, NULL, &rsa_d); + + if ((ctx = BN_CTX_new()) == NULL || + (aux = BN_new()) == NULL || ++ (d = BN_new()) == NULL || + (dmp1 = BN_new()) == NULL || + (dmq1 = BN_new()) == NULL) { r = SSH_ERR_ALLOC_FAIL; goto out; } -- rsa = key->rsa; + BN_set_flags(aux, BN_FLG_CONSTTIME); -- if ((BN_sub(aux, rsa->q, BN_value_one()) == 0) || -- (BN_mod(rsa->dmq1, rsa->d, aux, ctx) == 0) || -- (BN_sub(aux, rsa->p, BN_value_one()) == 0) || -- (BN_mod(rsa->dmp1, rsa->d, aux, ctx) == 0)) { +- BN_init(&d); +- BN_with_flags(&d, key->rsa->d, BN_FLG_CONSTTIME); ++ BN_with_flags(d, rsa_d, BN_FLG_CONSTTIME); + +- if ((BN_sub(aux, key->rsa->q, BN_value_one()) == 0) || +- (BN_mod(key->rsa->dmq1, &d, aux, ctx) == 0) || +- (BN_sub(aux, key->rsa->p, BN_value_one()) == 0) || +- (BN_mod(key->rsa->dmp1, &d, aux, ctx) == 0)) { + if ((BN_sub(aux, q, BN_value_one()) == 0) || + (BN_mod(dmq1, d, aux, ctx) == 0) || + (BN_sub(aux, p, BN_value_one()) == 0) || @@ -2673,6 +2646,7 @@ diff -up openssh/ssh-rsa.c.openssl openssh/ssh-rsa.c + dmq1 = NULL; r = 0; out: ++ BN_free(d); BN_clear_free(aux); + BN_clear_free(dmp1); + BN_clear_free(dmq1); diff --git a/openssh-7.6p1-audit.patch b/openssh-7.6p1-audit.patch index e135a19..c6e30a4 100644 --- a/openssh-7.6p1-audit.patch +++ b/openssh-7.6p1-audit.patch @@ -756,7 +756,7 @@ diff -up openssh-7.6p1/auth2-hostbased.c.audit openssh-7.6p1/auth2-hostbased.c if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) && - PRIVSEP(sshkey_verify(key, sig, slen, + PRIVSEP(hostbased_key_verify(key, sig, slen, - sshbuf_ptr(b), sshbuf_len(b), ssh->compat)) == 0) + sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat)) == 0) authenticated = 1; @@ -169,6 +169,19 @@ done: 
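Review bot: `RSA_get0_factors()` and `RSA_get0_key()` return NULL components for a key that carries only the public part, and the new side feeds `p`, `q` and `rsa_d` straight into `BN_sub()`/`BN_with_flags()` without a NULL check; the guard beginning `if (key == NULL || key->rsa == NULL ||` on the previous line is cut off, so confirm it (or a check after the get0 calls) rejects a key without private factors, otherwise `BN_with_flags(d, rsa_d, BN_FLG_CONSTTIME)` dereferences NULL. The `BN_with_flags()` line also deserves a comment: `d` is a shallow constant-time alias of `rsa_d`'s limbs, not a copy, which is why it is read-only here and released with `BN_free()` while the other temporaries get `BN_clear_free()`, e.g. `/* d aliases rsa_d (no copy): read-only, release with BN_free() only */`. The function continues past the second hunk on this line.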
@@ -765,11 +765,11 @@ diff -up openssh-7.6p1/auth2-hostbased.c.audit openssh-7.6p1/auth2-hostbased.c +int +hostbased_key_verify(const struct sshkey *key, const u_char *sig, size_t slen, -+ const u_char *data, size_t datalen, u_int compat) ++ const u_char *data, size_t datalen, const char *pkalg, u_int compat) +{ + int rv; + -+ rv = sshkey_verify(key, sig, slen, data, datalen, compat); ++ rv = sshkey_verify(key, sig, slen, data, datalen, pkalg, compat); +#ifdef SSH_AUDIT_EVENTS + audit_key(0, &rv, key); +#endif @@ -785,10 +785,10 @@ diff -up openssh-7.6p1/auth2-pubkey.c.audit openssh-7.6p1/auth2-pubkey.c @@ -206,7 +206,7 @@ userauth_pubkey(struct ssh *ssh) /* test for correct signature */ authenticated = 0; - if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) && + if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) && - PRIVSEP(sshkey_verify(key, sig, slen, sshbuf_ptr(b), + PRIVSEP(user_key_verify(key, sig, slen, sshbuf_ptr(b), - sshbuf_len(b), ssh->compat)) == 0) { + sshbuf_len(b), NULL, ssh->compat)) == 0) { authenticated = 1; } @@ -250,6 +250,19 @@ done: @@ -797,11 +797,11 @@ diff -up openssh-7.6p1/auth2-pubkey.c.audit openssh-7.6p1/auth2-pubkey.c +int +user_key_verify(const struct sshkey *key, const u_char *sig, size_t slen, -+ const u_char *data, size_t datalen, u_int compat) ++ const u_char *data, size_t datalen, const char *pkalg, u_int compat) +{ + int rv; + -+ rv = sshkey_verify(key, sig, slen, data, datalen, compat); ++ rv = sshkey_verify(key, sig, slen, data, datalen, pkalg, compat); +#ifdef SSH_AUDIT_EVENTS + audit_key(1, &rv, key); +#endif 
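Review bot: `hostbased_key_verify()` and `user_key_verify()` are new exported functions without a header comment, and `audit_key(0, &rv, key)` passes the verdict by address, which hints that the audit layer may rewrite it; that contract deserves a sentence. Suggested comment for both, adjusted to which is which: `/* Verify sig over data with key and audit the outcome; pkalg is forwarded unchanged to sshkey_verify(). Returns sshkey_verify()'s result, possibly altered by audit_key(). */` — the "possibly altered" part is inferred from the by-address argument and should be confirmed against audit.c. Note that the direct call site in userauth_pubkey() on this line passes `NULL` for pkalg (which looks like upstream's own call) while the monitor path further down passes the client-requested `sigalg`; if that asymmetry is intentional, a one-line comment at the call site would stop it from being "fixed" later.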
@@ -836,22 +836,24 @@ diff -up openssh-7.6p1/auth.c.audit openssh-7.6p1/auth.c diff -up openssh-7.6p1/auth.h.audit openssh-7.6p1/auth.h --- openssh-7.6p1/auth.h.audit 2017-10-04 17:18:32.768504711 +0200 +++ openssh-7.6p1/auth.h 2017-10-04 17:18:32.836505059 +0200 -@@ -198,6 +198,7 @@ struct passwd * getpwnamallow(const char +@@ -198,6 +198,8 @@ struct passwd * getpwnamallow(const char char *expand_authorized_keys(const char *, struct passwd *pw); char *authorized_principals_file(struct passwd *); -+int user_key_verify(const struct sshkey *, const u_char *, size_t, const u_char *, size_t, u_int); ++int user_key_verify(const struct sshkey *, const u_char *, size_t, ++ const u_char *, size_t, const char *, u_int); FILE *auth_openkeyfile(const char *, struct passwd *, int); FILE *auth_openprincipals(const char *, struct passwd *, int); -@@ -217,6 +218,7 @@ struct sshkey *get_hostkey_private_by_ty +@@ -217,6 +218,8 @@ struct sshkey *get_hostkey_private_by_ty int get_hostkey_index(struct sshkey *, int, struct ssh *); int sshd_hostkey_sign(struct sshkey *, struct sshkey *, u_char **, size_t *, const u_char *, size_t, const char *, u_int); -+int hostbased_key_verify(const struct sshkey *, const u_char *, size_t, const u_char *, size_t, u_int); ++int hostbased_key_verify(const struct sshkey *, const u_char *, size_t, ++ const u_char *, size_t, const char *, u_int); - /* debug messages during authentication */ - void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2))); + /* Key / cert options linkage to auth layer */ + const struct sshauthopt *auth_options(struct ssh *); diff -up openssh-7.6p1/cipher.c.audit openssh-7.6p1/cipher.c --- openssh-7.6p1/cipher.c.audit 2017-10-02 21:34:26.000000000 +0200 +++ openssh-7.6p1/cipher.c 2017-10-04 17:18:32.836505059 +0200 @@ -1100,8 +1102,8 @@ diff -up openssh-7.6p1/monitor.c.audit openssh-7.6p1/monitor.c #include "ssherr.h" 
@@ -117,6 +118,8 @@ extern Buffer auth_debug; - extern int auth_debug_init; extern Buffer loginmsg; + extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */ +extern void destroy_sensitive_data(int); + @@ -1144,7 +1146,7 @@ diff -up openssh-7.6p1/monitor.c.audit openssh-7.6p1/monitor.c {0, 0, NULL} }; @@ -1396,7 +1413,9 @@ mm_answer_keyverify(int sock, struct ssh - u_char *signature, *data, *blob; + char *sigalg; size_t signaturelen, datalen, bloblen; int r, ret, valid_data = 0, encoded_ret; + int type = 0; @@ -1152,7 +1154,7 @@ diff -up openssh-7.6p1/monitor.c.audit openssh-7.6p1/monitor.c + type = buffer_get_int(m); if ((r = sshbuf_get_string(m, &blob, &bloblen)) != 0 || (r = sshbuf_get_string(m, &signature, &signaturelen)) != 0 || - (r = sshbuf_get_string(m, &data, &datalen)) != 0) + (r = sshbuf_get_string(m, &data, &datalen)) != 0 || @@ -1405,6 +1424,8 @@ mm_answer_keyverify(int sock, struct ssh if (hostbased_cuser == NULL || hostbased_chost == NULL || !monitor_allowed_key(blob, bloblen)) @@ -1160,20 +1162,20 @@ diff -up openssh-7.6p1/monitor.c.audit openssh-7.6p1/monitor.c + if (type != key_blobtype) + fatal("%s: bad key type", __func__); - /* XXX use sshkey_froms here; need to change key_blob, etc. */ - if ((r = sshkey_from_blob(blob, bloblen, &key)) != 0) + /* Empty signature algorithm means NULL. */ + if (*sigalg == '\0') { @@ -1414,21 +1435,24 @@ mm_answer_keyverify(int sock, struct ssh case MM_USERKEY: valid_data = monitor_valid_userblob(data, datalen); auth_method = "publickey"; + ret = user_key_verify(key, signature, signaturelen, data, -+ datalen, active_state->compat); ++ datalen, sigalg, active_state->compat); break; case MM_HOSTKEY: valid_data = monitor_valid_hostbasedblob(data, datalen, hostbased_cuser, hostbased_chost); + ret = hostbased_key_verify(key, signature, signaturelen, data, -+ datalen, active_state->compat); ++ datalen, sigalg, active_state->compat); auth_method = "hostbased"; break; default: 
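Review bot: In `mm_answer_keyverify()` the verification now runs inside the `switch` — `ret = user_key_verify(...)` / `ret = hostbased_key_verify(...)` right after `valid_data` is computed — which is before the `fatal("%s: bad signature data blob", ...)` check that appears in the next hunk on the following line. The signature is therefore verified, and an audit record emitted through audit_key(), for a data blob that may then be rejected as malformed; the result is discarded by fatal(), so nothing is granted, but the audit trail may show a verified key for a request that was killed. Consider moving the two calls (two lines per case) after the valid_data check, or document why auditing before validation is wanted. The `/* Empty signature algorithm means NULL. */` mapping means `sigalg` can be NULL when forwarded, which the wrappers accept.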
@@ -1185,7 +1187,7 @@ diff -up openssh-7.6p1/monitor.c.audit openssh-7.6p1/monitor.c fatal("%s: bad signature data blob", __func__); - ret = sshkey_verify(key, signature, signaturelen, data, datalen, -- active_state->compat); +- sigalg, active_state->compat); debug3("%s: %s %p signature %s", __func__, auth_method, key, (ret == 0) ? "verified" : "unverified"); auth2_record_key(authctxt, ret == 0, key); @@ -1400,7 +1402,7 @@ diff -up openssh-7.6p1/monitor_wrap.c.audit openssh-7.6p1/monitor_wrap.c int -mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen, +mm_sshkey_verify(enum mm_keytype type, const struct sshkey *key, const u_char *sig, size_t siglen, - const u_char *data, size_t datalen, u_int compat) + const u_char *data, size_t datalen, const char *sigalg, u_int compat) { Buffer m; @@ -478,6 +478,7 @@ mm_sshkey_verify(const struct sshkey *ke @@ -1417,16 +1419,16 @@ diff -up openssh-7.6p1/monitor_wrap.c.audit openssh-7.6p1/monitor_wrap.c +int +mm_hostbased_key_verify(const struct sshkey *key, const u_char *sig, size_t siglen, -+ const u_char *data, size_t datalen, u_int compat) ++ const u_char *data, size_t datalen, const char *pkalg, u_int compat) +{ -+ return mm_sshkey_verify(MM_HOSTKEY, key, sig, siglen, data, datalen, compat); ++ return mm_sshkey_verify(MM_HOSTKEY, key, sig, siglen, data, datalen, pkalg, compat); +} + +int +mm_user_key_verify(const struct sshkey *key, const u_char *sig, size_t siglen, -+ const u_char *data, size_t datalen, u_int compat) ++ const u_char *data, size_t datalen, const char *pkalg, u_int compat) +{ -+ return mm_sshkey_verify(MM_USERKEY, key, sig, siglen, data, datalen, compat); ++ return mm_sshkey_verify(MM_USERKEY, key, sig, siglen, data, datalen, pkalg, compat); +} + void 
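Review bot: `mm_hostbased_key_verify()` and `mm_user_key_verify()` forward a possibly-NULL `pkalg` into `mm_sshkey_verify()`, whose marshalling hunk (`@@ -478`) is not in view; since the monitor side maps an empty string back to NULL, confirm that the wrapper encodes a NULL `sigalg` as `""` rather than handing NULL to a string packer. Style: the `mm_sshkey_verify(enum mm_keytype type, const struct sshkey *key, const u_char *sig, size_t siglen,` line and both `return mm_sshkey_verify(...)` lines exceed the 80-column limit the rest of the file follows, and the wrappers name the argument `pkalg` while the callee calls it `sigalg`; one name would help. A one-line comment on each wrapper, e.g. `/* privsep client side of user_key_verify(): ask the monitor to verify and audit */`, would mirror the server-side functions.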
@@ -1547,14 +1549,14 @@ diff -up openssh-7.6p1/monitor_wrap.h.audit openssh-7.6p1/monitor_wrap.h --- openssh-7.6p1/monitor_wrap.h.audit 2017-10-04 17:18:32.750504619 +0200 +++ openssh-7.6p1/monitor_wrap.h 2017-10-04 17:18:32.838505069 +0200 @@ -53,7 +53,9 @@ int mm_key_allowed(enum mm_keytype, cons - int mm_user_key_allowed(struct passwd *, struct sshkey *, int); + struct sshauthopt **); int mm_hostbased_key_allowed(struct passwd *, const char *, const char *, struct sshkey *); -int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t, +int mm_hostbased_key_verify(const struct sshkey *, const u_char *, size_t, -+ const u_char *, size_t, u_int); ++ const u_char *, size_t, const char *, u_int); +int mm_user_key_verify(const struct sshkey *, const u_char *, size_t, - const u_char *, size_t, u_int); + const u_char *, size_t, const char *, u_int); #ifdef GSSAPI @@ -78,7 +80,12 @@ void mm_sshpam_free_ctx(void *); @@ -1743,8 +1745,8 @@ diff -up openssh-7.6p1/session.c.audit openssh-7.6p1/session.c -extern void destroy_sensitive_data(void); +extern void destroy_sensitive_data(int); extern Buffer loginmsg; - - /* original command from peer. */ + extern struct sshauthopt *auth_opts; + char *tun_fwd_ifnames; /* serverloop.c */ @@ -605,6 +605,14 @@ do_exec_pty(struct ssh *ssh, Session *s, /* Parent. Close the slave side of the pseudo tty. */ close(ttyfd); @@ -1930,8 +1932,8 @@ diff -up openssh-7.6p1/sshd.c.audit openssh-7.6p1/sshd.c #include "monitor_wrap.h" +#include "audit.h" #include "ssh-sandbox.h" + #include "auth-options.h" #include "version.h" - #include "ssherr.h" @@ -248,7 +249,7 @@ Buffer loginmsg; struct passwd *privsep_pw = NULL; @@ -1970,7 +1972,7 @@ diff -up openssh-7.6p1/sshd.c.audit openssh-7.6p1/sshd.c -destroy_sensitive_data(void) +destroy_sensitive_data(int privsep) { - int i; + u_int i; +#ifdef SSH_AUDIT_EVENTS + pid_t pid; + uid_t uid; @@ -2009,7 +2011,7 @@ diff -up openssh-7.6p1/sshd.c.audit openssh-7.6p1/sshd.c 
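Review bot: `extern void destroy_sensitive_data(int);` is now repeated in session.c here and in monitor.c (the hunk two lines up, next to `extern struct sshauthopt *auth_opts;`), so a future signature change has to be found in every file by hand; a single declaration in a header this patch already touches (auth.h or monitor_wrap.h) would keep the compiler checking all callers. The new `privsep` parameter on the sshd.c definition also says nothing about what a caller is expected to pass; a comment such as `/* privsep: non-zero when invoked from the privsep child — confirm and describe what it selects */` belongs on the definition. The body of destroy_sensitive_data() continues past this hunk.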
@@ -499,12 +536,30 @@ demote_sensitive_data(void) { struct sshkey *tmp; - int i; + u_int i; +#ifdef SSH_AUDIT_EVENTS + pid_t pid; + uid_t uid; diff --git a/openssh-7.6p1-cleanup-selinux.patch b/openssh-7.6p1-cleanup-selinux.patch index 49510f7..3b5001a 100644 --- a/openssh-7.6p1-cleanup-selinux.patch +++ b/openssh-7.6p1-cleanup-selinux.patch @@ -9,11 +9,11 @@ diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c +extern int rexeced_flag; +extern Authctxt *the_authctxt; - static int - userauth_pubkey(struct ssh *ssh) + static char * + format_key(const struct sshkey *key) @@ -432,7 +435,8 @@ match_principals_command(struct passwd * - if ((pid = subprocess("AuthorizedPrincipalsCommand", pw, command, + if ((pid = subprocess("AuthorizedPrincipalsCommand", runas_pw, command, ac, av, &f, - SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0) + SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD, @@ -23,7 +23,7 @@ diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c uid_swapped = 1; @@ -762,7 +766,8 @@ user_key_command_allowed2(struct passwd - if ((pid = subprocess("AuthorizedKeysCommand", pw, command, + if ((pid = subprocess("AuthorizedKeysCommand", runas_pw, command, ac, av, &f, - SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0) + SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD, @@ -31,9 +31,9 @@ diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c goto out; uid_swapped = 1; -diff -up openssh/misc.c.refactor openssh/misc.c ---- openssh/misc.c.refactor 2017-09-27 13:10:19.640831071 +0200 -+++ openssh/misc.c 2017-09-27 13:10:19.678831279 +0200 +diff -up openssh/auth.c.refactor openssh/auth.c +--- openssh/auth.c.refactor 2017-09-27 13:10:19.640831071 +0200 ++++ openssh/auth.c 2017-09-27 13:10:19.678831279 +0200 @@ -1435,7 +1435,8 @@ argv_assemble(int argc, char **argv) */ pid_t 
@@ -53,18 +53,18 @@ diff -up openssh/misc.c.refactor openssh/misc.c error ("failed to copy environment: %s", strerror(errno)); _exit(127); -diff -up openssh/misc.h.refactor openssh/misc.h ---- openssh/misc.h.refactor 2017-09-25 01:48:10.000000000 +0200 -+++ openssh/misc.h 2017-09-27 13:10:19.678831279 +0200 +diff -up openssh/auth.h.refactor openssh/auth.h +--- openssh/auth.h.refactor 2017-09-25 01:48:10.000000000 +0200 ++++ openssh/auth.h 2017-09-27 13:10:19.678831279 +0200 @@ -144,7 +144,7 @@ int exited_cleanly(pid_t, const char *, - #define SSH_SUBPROCESS_STDOUT_CAPTURE (1<<1) /* Redirect stdout */ - #define SSH_SUBPROCESS_STDERR_DISCARD (1<<2) /* Discard stderr */ - pid_t subprocess(const char *, struct passwd *, + #define SSH_SUBPROCESS_STDOUT_CAPTURE (1<<1) /* Redirect stdout */ + #define SSH_SUBPROCESS_STDERR_DISCARD (1<<2) /* Discard stderr */ + pid_t subprocess(const char *, struct passwd *, - const char *, int, char **, FILE **, u_int flags); + const char *, int, char **, FILE **, u_int flags, int, void *); - struct stat; - int safe_path(const char *, struct stat *, const char *, uid_t, + int sys_auth_passwd(struct ssh *, const char *); + diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/port-linux.h --- openssh/openbsd-compat/port-linux.h.refactor 2017-09-27 13:10:19.634831038 +0200 +++ openssh/openbsd-compat/port-linux.h 2017-09-27 13:10:54.954025248 +0200 diff --git a/openssh-7.6p1-permitopen-bug.patch b/openssh-7.6p1-permitopen-bug.patch deleted file mode 100644 index 3dd4a57..0000000 --- a/openssh-7.6p1-permitopen-bug.patch +++ /dev/null 
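Review bot: The `subprocess()` prototype gains two parameters declared only as `int, void *`, next to an existing `u_int flags` that is named; nothing in auth.h says what the int selects or what object the pointer must reference, and the AuthorizedKeysCommand/AuthorizedPrincipalsCommand call sites on the previous line would not catch a wrong cast. Name them in the prototype to match `flags` and add a comment above it, alongside the `SSH_SUBPROCESS_*` flag macros, describing both arguments and which callers may pass NULL; the exact wording depends on the auth.c hunk, which is outside this view.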
@@ -1,47 +0,0 @@
-From 7c9613fac3371cf65fb07739212cdd1ebf6575da Mon Sep 17 00:00:00 2001
-From: "djm@openbsd.org"
-Date: Wed, 4 Oct 2017 18:49:30 +0000
-Subject: [PATCH] upstream commit
-
-fix (another) problem in PermitOpen introduced during the
-channels.c refactor: the third and subsequent arguments to PermitOpen were
-being silently ignored; ok markus@
-
-Upstream-ID: 067c89f1f53cbc381628012ba776d6861e6782fd
----
- servconf.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/servconf.c b/servconf.c
-index 2c321a4ad..956862959 100644
---- a/servconf.c
-+++ b/servconf.c
-@@ -1,5 +1,5 @@
-
--/* $OpenBSD: servconf.c,v 1.312 2017/10/02 19:33:20 djm Exp $ */
-+/* $OpenBSD: servconf.c,v 1.313 2017/10/04 18:49:30 djm Exp $ */
- /*
- * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
- * All rights reserved
-@@ -1663,9 +1663,9 @@ process_server_config_line(ServerOptions *options, char *line,
- if (!arg || *arg == '\0')
- fatal("%s line %d: missing PermitOpen specification",
- filename, linenum);
-- i = options->num_permitted_opens; /* modified later */
-+ value = options->num_permitted_opens; /* modified later */
- if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) {
-- if (*activep && i == 0) {
-+ if (*activep && value == 0) {
- options->num_permitted_opens = 1;
- options->permitted_opens = xcalloc(1,
- sizeof(*options->permitted_opens));
-@@ -1683,7 +1683,7 @@ process_server_config_line(ServerOptions *options, char *line,
- if (arg == NULL || ((port = permitopen_port(arg)) < 0))
- fatal("%s line %d: bad port number in "
- "PermitOpen", filename, linenum);
-- if (*activep && i == 0) {
-+ if (*activep && value == 0) {
- options->permitted_opens = xrecallocarray(
- options->permitted_opens,
- options->num_permitted_opens,
-
diff --git a/openssh.spec b/openssh.spec
index 5ca7025..fe0b482 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -65,10 +65,10 @@ %endif # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 -%global openssh_ver 7.6p1 -%global openssh_rel 7 +%global openssh_ver 7.7p1 +%global openssh_rel 1 %global pam_ssh_agent_ver 0.10.3 -%global pam_ssh_agent_rel 3 +%global pam_ssh_agent_rel 4 Summary: An open source implementation of SSH protocol version 2 Name: openssh @@ -77,8 +77,9 @@ Release: %{openssh_rel}%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #URL1: http://pamsshagentauth.sourceforge.net Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz -#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc +Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc Source2: sshd.pam +Source3: DJM-GPG-KEY.gpg Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.bz2 Source5: pam_ssh_agent-rmheaders Source6: ssh-keycat.pam @@ -209,9 +210,6 @@ Patch920: openssh-6.6.1p1-ip-port-config-parser.patch Patch922: openssh-6.8p1-sshdT-output.patch # Add sftp option to force mode of created files (#1191055) Patch926: openssh-6.7p1-sftp-force-permission.patch -# Memory problems -# https://bugzilla.mindrot.org/show_bug.cgi?id=2401 -Patch928: openssh-6.8p1-memory-problems.patch # Restore compatible default (#89216) Patch929: openssh-6.9p1-permit-root-login.patch # Add GSSAPIKexAlgorithms option for server and client application @@ -228,8 +226,6 @@ Patch948: openssh-7.4p1-systemd.patch Patch949: openssh-7.6p1-cleanup-selinux.patch # Sandbox adjustments for s390 and audit Patch950: openssh-7.5p1-sandbox.patch -# PermitOpen bug in OpenSSH 7.6: -Patch951: openssh-7.6p1-permitopen-bug.patch License: BSD 
@@ -276,6 +272,8 @@ BuildRequires: audit-libs >= 1.0.8 %endif BuildRequires: xauth +# for tarball signature verification +BuildRequires: gnupg2 %package clients Summary: An open source SSH client applications @@ -378,6 +376,7 @@ remote ssh-agent instance. The module is most useful for su and sudo service stacks. %prep +gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0} %setup -q -a 4 #Do not enable by default %if 0 @@ -441,7 +440,6 @@ popd %patch802 -p1 -b .GSSAPIEnablek5users %patch922 -p1 -b .sshdt %patch926 -p1 -b .sftp-force-mode -%patch928 -p1 -b .memory %patch929 -p1 -b .root-login %patch932 -p1 -b .gsskexalg %patch933 -p1 -b .fingerprint @@ -451,7 +449,6 @@ popd %patch807 -p1 -b .gsskex-ec %patch949 -p1 -b .refactor %patch950 -p1 -b .sandbox -%patch951 -p1 -b .permitOpen %patch200 -p1 -b .audit %patch201 -p1 -b .audit-race diff --git a/pam_ssh_agent_auth-0.9.3-agent_structure.patch b/pam_ssh_agent_auth-0.9.3-agent_structure.patch index 99f99f7..6ff49d7 100644 --- a/pam_ssh_agent_auth-0.9.3-agent_structure.patch +++ b/pam_ssh_agent_auth-0.9.3-agent_structure.patch @@ -154,3 +154,15 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-agent goto user_auth_clean_exit; /* test for correct signature */ +diff -up openssh-7.7p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-sshkey openssh-7.7p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c +--- openssh-7.7p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-sshkey 2018-04-04 13:55:02.383899631 +0200 ++++ openssh-7.7p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2018-04-04 13:58:36.759339845 +0200 +@@ -89,7 +89,7 @@ userauth_pubkey_from_id(const char *ruse + goto user_auth_clean_exit; + + /* test for correct signature */ +- if(key_verify(id->key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1) ++ if(sshkey_verify(id->key, sig, slen, buffer_ptr(&b), buffer_len(&b), NULL, 0) == 0) + authenticated = 1; + + user_auth_clean_exit: 
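Review bot: The `gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}` line makes DJM-GPG-KEY.gpg the trust anchor for the tarball, but nothing in the spec records whose key it is or its fingerprint, so a later swap of the keyring file would not stand out in review; add above `Source3:` a comment such as `# OpenSSH release-signing key, fingerprint <KEY-FINGERPRINT-PLACEHOLDER>; re-check against the upstream announcement when the key rotates`. The check aborts the build on a bad signature as long as %prep keeps running with errexit, which rpmbuild does by default, and listing the .asc and keyring with their own SHA512 in `sources` pins both for the lookaside cache — both are the right defaults.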
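Review bot: The `sshkey_verify(id->key, sig, slen, buffer_ptr(&b), buffer_len(&b), NULL, 0) == 0` test in userauth_pubkey_from_id() correctly inverts the old `key_verify() == 1` convention, but every negative `SSH_ERR_*` value — allocation failure, unsupported key type — is now folded into "not authenticated" without a trace; keeping the result in a local, `r = sshkey_verify(...)`, and logging `ssh_err(r)` on the failure path (if ssherr.h is available to the module) would let a misconfiguration be told apart from a bad signature in the PAM log. Passing `NULL` for the algorithm name and `0` for compat is reasonable here, since no client-requested algorithm exists in the PAM path, and a comment saying so would keep it from being questioned. The enclosing function starts outside the hunk.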
diff --git a/sources b/sources
index 8c7b635..b591052 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,4 @@
-SHA512 (openssh-7.6p1.tar.gz) = de17fdcb8239401f76740c8d689a8761802f6df94e68d953f3c70b9f4f8bdb403617c48c1d01cc8c368d88e9d50aee540bf03d5a36687dfb39dfd28d73029d72
+SHA512 (openssh-7.7p1.tar.gz) = 597252cb48209a0cb98ca1928a67e8d63e4275252f25bc37269204c108f034baade6ba0634e32ae63422fddd280f73096a6b31ad2f2e7a848dde75ca30e14261
+SHA512 (openssh-7.7p1.tar.gz.asc) = 9445a589a84538fb0b4eae0f7bf6ce46def51b09254d6fffcc6ed64472f10ccf9e4d5d200387725043039d77ca886e2c8e8f3128e7969c582156fafb0783988d
+SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
 SHA512 (pam_ssh_agent_auth-0.10.3.tar.bz2) = d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66