jonathan/openssh
1
0
Fork 0
forked from rpms/openssh
Code Pull Requests Activity

Most of the coverity patch applied upstream, context changes for rebase

Browse Source
This commit is contained in:
Jakub Jelen 2016-07-25 16:21:15 +02:00
parent 70c2ac20bd
commit 5878ebb50e
12 changed files with 72 additions and 235 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
openssh-5.8p1-packet.patch
View File

@ -7,6 +7,6 @@ diff -up openssh-6.8p1/packet.c.packet openssh-6.8p1/packet.c
+ if (!state) + if (!state)
+ return 0; + return 0;
/* filedescriptors in and out are the same, so it's a socket */ if (state->connection_in == -1 || state->connection_out == -1)
if (state->connection_in == state->connection_out) return 0;
return 1;

2
openssh-6.6.1p1-log-in-chroot.patch
View File

@ -247,8 +247,8 @@ diff -up openssh-6.8p1/sftp-server.c.log-in-chroot openssh-6.8p1/sftp-server.c
- log_init(__progname, log_level, log_facility, log_stderr); - log_init(__progname, log_level, log_facility, log_stderr);
+ log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler); + log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
/* /*
* On platforms where we can, avoid making /proc/self/{mem,maps}
diff -up openssh-6.8p1/sftp.h.log-in-chroot openssh-6.8p1/sftp.h diff -up openssh-6.8p1/sftp.h.log-in-chroot openssh-6.8p1/sftp.h
--- openssh-6.8p1/sftp.h.log-in-chroot 2015-03-17 06:49:20.000000000 +0100 --- openssh-6.8p1/sftp.h.log-in-chroot 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/sftp.h 2015-03-18 12:59:29.696022308 +0100 +++ openssh-6.8p1/sftp.h 2015-03-18 12:59:29.696022308 +0100

31
openssh-6.6p1-allow-ip-opts.patch
View File

@ -1,20 +1,19 @@
diff --git a/canohost.c b/canohost.c diff -up openssh/sshd.c.ip-opts openssh/sshd.c
index a61a8c9..97ce58c 100644 --- openssh/sshd.c.ip-opts 2016-07-25 13:58:48.998507834 +0200
--- a/canohost.c +++ openssh/sshd.c 2016-07-25 14:01:28.346469878 +0200
+++ b/canohost.c @@ -1507,12 +1507,29 @@ check_ip_options(struct ssh *ssh)
@@ -165,12 +165,29 @@ check_ip_options(int sock, char *ipaddr)
option_size = sizeof(options); if (getsockopt(sock_in, IPPROTO_IP, IP_OPTIONS, opts,
if (getsockopt(sock, ipproto, IP_OPTIONS, options,
&option_size) >= 0 && option_size != 0) { &option_size) >= 0 && option_size != 0) {
- text[0] = '\0'; - text[0] = '\0';
- for (i = 0; i < option_size; i++) - for (i = 0; i < option_size; i++)
- snprintf(text + i*3, sizeof(text) - i*3, - snprintf(text + i*3, sizeof(text) - i*3,
- " %2.2x", options[i]); - " %2.2x", opts[i]);
- fatal("Connection from %.100s with IP options:%.800s", - fatal("Connection from %.100s port %d with IP opts: %.800s",
- ipaddr, text); - ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), text);
+ i = 0; + i = 0;
+ do { + do {
+ switch (options[i]) { + switch (opts[i]) {
+ case 0: + case 0:
+ case 1: + case 1:
+ ++i; + ++i;
@ -22,7 +21,7 @@ index a61a8c9..97ce58c 100644
+ case 130: + case 130:
+ case 133: + case 133:
+ case 134: + case 134:
+ i += options[i + 1]; + i += opts[i + 1];
+ break; + break;
+ default: + default:
+ /* Fail, fatally, if we detect either loose or strict + /* Fail, fatally, if we detect either loose or strict
@ -30,11 +29,11 @@ index a61a8c9..97ce58c 100644
+ text[0] = '\0'; + text[0] = '\0';
+ for (i = 0; i < option_size; i++) + for (i = 0; i < option_size; i++)
+ snprintf(text + i*3, sizeof(text) - i*3, + snprintf(text + i*3, sizeof(text) - i*3,
+ " %2.2x", options[i]); + " %2.2x", opts[i]);
+ fatal("Connection from %.100s with IP options:%.800s", + fatal("Connection from %.100s port %d with IP options:%.800s",
+ ipaddr, text); + ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), text);
+ } + }
+ } while (i < option_size); + } while (i < option_size);
} }
return;
#endif /* IP_OPTIONS */ #endif /* IP_OPTIONS */
}

2
openssh-6.6p1-entropy.patch
View File

@ -18,7 +18,7 @@ index 843225d..041bbab 100644
+++ b/openbsd-compat/Makefile.in +++ b/openbsd-compat/Makefile.in
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di @@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
-PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o -PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o +PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o

2
openssh-6.6p1-kuserok.patch
View File

@ -235,7 +235,7 @@ diff -up openssh-7.0p1/servconf.c.kuserok openssh-7.0p1/servconf.c
M_CP_INTOPT(rekey_interval); M_CP_INTOPT(rekey_interval);
@@ -2304,6 +2314,7 @@ dump_config(ServerOptions *o) @@ -2304,6 +2314,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok); + dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);

2
openssh-6.6p1-redhat.patch
View File

@ -52,8 +52,8 @@ index c735429..e68ddee 100644
# Lifetime and size of ephemeral version 1 server key # Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h #KeyRegenerationInterval 1h
@@ -36,6 +40,7 @@ @@ -36,6 +40,7 @@
# Logging # Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH #SyslogFacility AUTH
+SyslogFacility AUTHPRIV +SyslogFacility AUTHPRIV
#LogLevel INFO #LogLevel INFO

134
openssh-6.7p1-coverity.patch
View File

@ -1,20 +1,3 @@
diff -up openssh-6.8p1/auth-pam.c.coverity openssh-6.8p1/auth-pam.c
--- openssh-6.8p1/auth-pam.c.coverity 2015-03-18 17:21:51.792265051 +0100
+++ openssh-6.8p1/auth-pam.c 2015-03-18 17:21:51.895264835 +0100
@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void *
if (sshpam_thread_status != -1)
return (sshpam_thread_status);
signal(SIGCHLD, sshpam_oldsig);
- waitpid(thread, &status, 0);
+ while (waitpid(thread, &status, 0) < 0) {
+ if (errno == EINTR)
+ continue;
+ fatal("%s: waitpid: %s", __func__,
+ strerror(errno));
+ }
return (status);
}
#endif
diff -up openssh-6.8p1/channels.c.coverity openssh-6.8p1/channels.c diff -up openssh-6.8p1/channels.c.coverity openssh-6.8p1/channels.c
--- openssh-6.8p1/channels.c.coverity 2015-03-18 17:21:51.815265002 +0100 --- openssh-6.8p1/channels.c.coverity 2015-03-18 17:21:51.815265002 +0100
+++ openssh-6.8p1/channels.c 2015-03-18 17:21:51.896264833 +0100 +++ openssh-6.8p1/channels.c 2015-03-18 17:21:51.896264833 +0100
@ -60,27 +43,6 @@ diff -up openssh-6.8p1/monitor.c.coverity openssh-6.8p1/monitor.c
; ;
close(pmonitor->m_sendfd); close(pmonitor->m_sendfd);
@@ -1303,6 +1303,10 @@ mm_answer_keyallowed(int sock, Buffer *m
break;
}
}
+
+ debug3("%s: key %p is %s",
+ __func__, key, allowed ? "allowed" : "not allowed");
+
if (key != NULL)
key_free(key);
@@ -1324,9 +1328,6 @@ mm_answer_keyallowed(int sock, Buffer *m
free(chost);
}
- debug3("%s: key %p is %s",
- __func__, key, allowed ? "allowed" : "not allowed");
-
buffer_clear(m);
buffer_put_int(m, allowed);
buffer_put_int(m, forced_command != NULL);
diff -up openssh-6.8p1/monitor_wrap.c.coverity openssh-6.8p1/monitor_wrap.c diff -up openssh-6.8p1/monitor_wrap.c.coverity openssh-6.8p1/monitor_wrap.c
--- openssh-6.8p1/monitor_wrap.c.coverity 2015-03-18 17:21:51.888264849 +0100 --- openssh-6.8p1/monitor_wrap.c.coverity 2015-03-18 17:21:51.888264849 +0100
+++ openssh-6.8p1/monitor_wrap.c 2015-03-18 17:21:51.897264831 +0100 +++ openssh-6.8p1/monitor_wrap.c 2015-03-18 17:21:51.897264831 +0100
@ -270,96 +232,6 @@ diff -up openssh-6.8p1/sftp.c.coverity openssh-6.8p1/sftp.c
} }
_exit(1); _exit(1);
@@ -335,7 +335,7 @@ local_do_ls(const char *args)
/* Strip one path (usually the pwd) from the start of another */
static char *
-path_strip(char *path, char *strip)
+path_strip(const char *path, const char *strip)
{
size_t len;
@@ -353,7 +353,7 @@ path_strip(char *path, char *strip)
}
static char *
-make_absolute(char *p, char *pwd)
+make_absolute(char *p, const char *pwd)
{
char *abs_str;
@@ -551,7 +551,7 @@ parse_no_flags(const char *cmd, char **a
}
static int
-is_dir(char *path)
+is_dir(const char *path)
{
struct stat sb;
@@ -563,7 +563,7 @@ is_dir(char *path)
}
static int
-remote_is_dir(struct sftp_conn *conn, char *path)
+remote_is_dir(struct sftp_conn *conn, const char *path)
{
Attrib *a;
@@ -577,7 +577,7 @@ remote_is_dir(struct sftp_conn *conn, ch
/* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */
static int
-pathname_is_dir(char *pathname)
+pathname_is_dir(const char *pathname)
{
size_t l = strlen(pathname);
@@ -585,7 +585,7 @@ pathname_is_dir(char *pathname)
}
static int
-process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
+process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
int pflag, int rflag, int resume, int fflag)
{
char *abs_src = NULL;
@@ -669,7 +669,7 @@ out:
}
static int
-process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
+process_put(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
int pflag, int rflag, int resume, int fflag)
{
char *tmp_dst = NULL;
@@ -779,7 +779,7 @@ sdirent_comp(const void *aa, const void
/* sftp ls.1 replacement for directories */
static int
-do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
+do_ls_dir(struct sftp_conn *conn, const char *path, const char *strip_path, int lflag)
{
int n;
u_int c = 1, colspace = 0, columns = 1;
@@ -864,7 +864,7 @@ do_ls_dir(struct sftp_conn *conn, char *
/* sftp ls.1 replacement which handles path globs */
static int
-do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
+do_globbed_ls(struct sftp_conn *conn, const char *path, const char *strip_path,
int lflag)
{
char *fname, *lname;
@@ -949,7 +949,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
}
static int
-do_df(struct sftp_conn *conn, char *path, int hflag, int iflag)
+do_df(struct sftp_conn *conn, const char *path, int hflag, int iflag)
{
struct sftp_statvfs st;
char s_used[FMT_SCALED_STRSIZE];
diff -up openssh-6.8p1/ssh-agent.c.coverity openssh-6.8p1/ssh-agent.c diff -up openssh-6.8p1/ssh-agent.c.coverity openssh-6.8p1/ssh-agent.c
--- openssh-6.8p1/ssh-agent.c.coverity 2015-03-17 06:49:20.000000000 +0100 --- openssh-6.8p1/ssh-agent.c.coverity 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/ssh-agent.c 2015-03-18 17:21:58.284251454 +0100 +++ openssh-6.8p1/ssh-agent.c 2015-03-18 17:21:58.284251454 +0100
@ -372,8 +244,8 @@ diff -up openssh-6.8p1/ssh-agent.c.coverity openssh-6.8p1/ssh-agent.c
+ (void) setegid(getgid()); + (void) setegid(getgid());
+ (void) setgid(getgid()); + (void) setgid(getgid());
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) platform_disable_tracing(0); /* strict=no */
/* Disable ptrace on Linux without sgid bit */
diff -up openssh-6.8p1/sshd.c.coverity openssh-6.8p1/sshd.c diff -up openssh-6.8p1/sshd.c.coverity openssh-6.8p1/sshd.c
--- openssh-6.8p1/sshd.c.coverity 2015-03-18 17:21:51.893264839 +0100 --- openssh-6.8p1/sshd.c.coverity 2015-03-18 17:21:51.893264839 +0100
+++ openssh-6.8p1/sshd.c 2015-03-18 17:21:58.284251454 +0100 +++ openssh-6.8p1/sshd.c 2015-03-18 17:21:58.284251454 +0100
@ -398,4 +270,4 @@ diff -up openssh-6.8p1/sshd.c.coverity openssh-6.8p1/sshd.c
+ free(fdset); + free(fdset);
} }
/*

2
openssh-7.0p1-show-more-fingerprints.patch
View File

@ -127,8 +127,8 @@ index 1d03bdf..6af4c62 100644
{ {
u_int i; u_int i;
@@ -2259,7 +2274,6 @@ dump_client_config(Options *o, const char *host) @@ -2259,7 +2274,6 @@ dump_client_config(Options *o, const char *host)
dump_cfg_fmtint(oControlMaster, o->control_master);
dump_cfg_fmtint(oEnableSSHKeysign, o->enable_ssh_keysign); dump_cfg_fmtint(oEnableSSHKeysign, o->enable_ssh_keysign);
dump_cfg_fmtint(oClearAllForwardings, o->clear_forwardings);
dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure); dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure);
- dump_cfg_fmtint(oFingerprintHash, o->fingerprint_hash); - dump_cfg_fmtint(oFingerprintHash, o->fingerprint_hash);
dump_cfg_fmtint(oForwardAgent, o->forward_agent); dump_cfg_fmtint(oForwardAgent, o->forward_agent);

22
openssh-7.2p1-audit.patch
View File

@ -850,7 +850,7 @@ diff -up openssh-7.2p1/auth.c.audit openssh-7.2p1/auth.c
+++ openssh-7.2p1/auth.c 2016-02-12 18:24:34.220825178 +0100 +++ openssh-7.2p1/auth.c 2016-02-12 18:24:34.220825178 +0100
@@ -646,9 +646,6 @@ getpwnamallow(const char *user) @@ -646,9 +646,6 @@ getpwnamallow(const char *user)
record_failed_login(user, record_failed_login(user,
get_canonical_hostname(options.use_dns), "ssh"); auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
#endif #endif
-#ifdef SSH_AUDIT_EVENTS -#ifdef SSH_AUDIT_EVENTS
- audit_event(SSH_INVALID_USER); - audit_event(SSH_INVALID_USER);
@ -1084,7 +1084,7 @@ diff -up openssh-7.2p1/kex.h.audit openssh-7.2p1/kex.h
+void newkeys_destroy(struct newkeys *newkeys); +void newkeys_destroy(struct newkeys *newkeys);
+ +
int kex_dh_hash(const char *, const char *, int kex_dh_hash(int, const char *, const char *,
const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *); const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *);
diff -up openssh-7.2p1/key.h.audit openssh-7.2p1/key.h diff -up openssh-7.2p1/key.h.audit openssh-7.2p1/key.h
@ -1126,8 +1126,8 @@ diff -up openssh-7.2p1/mac.h.audit openssh-7.2p1/mac.h
--- openssh-7.2p1/mac.h.audit 2016-02-12 11:47:25.000000000 +0100 --- openssh-7.2p1/mac.h.audit 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.2p1/mac.h 2016-02-12 18:24:34.222825177 +0100 +++ openssh-7.2p1/mac.h 2016-02-12 18:24:34.222825177 +0100
@@ -47,5 +47,6 @@ int mac_init(struct sshmac *); @@ -47,5 +47,6 @@ int mac_init(struct sshmac *);
int mac_compute(struct sshmac *, u_int32_t, const u_char *, int, int mac_check(struct sshmac *, u_int32_t, const u_char *, size_t,
u_char *, size_t); const u_char *, size_t);
void mac_clear(struct sshmac *); void mac_clear(struct sshmac *);
+void mac_destroy(struct sshmac *); +void mac_destroy(struct sshmac *);
@ -1139,8 +1139,8 @@ diff -up openssh-7.2p1/Makefile.in.audit openssh-7.2p1/Makefile.in
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \ kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \ kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
- platform-pledge.o - platform-pledge.o platform-tracing.o
+ platform-pledge.o auditstub.o + platform-pledge.o platform-tracing.o auditstub.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o mux.o sshconnect.o sshconnect1.o sshconnect2.o mux.o
@ -1618,9 +1618,9 @@ diff -up openssh-7.2p1/monitor_wrap.h.audit openssh-7.2p1/monitor_wrap.h
--- openssh-7.2p1/monitor_wrap.h.audit 2016-02-12 18:24:34.152825204 +0100 --- openssh-7.2p1/monitor_wrap.h.audit 2016-02-12 18:24:34.152825204 +0100
+++ openssh-7.2p1/monitor_wrap.h 2016-02-12 18:24:34.224825176 +0100 +++ openssh-7.2p1/monitor_wrap.h 2016-02-12 18:24:34.224825176 +0100
@@ -52,7 +52,8 @@ int mm_key_allowed(enum mm_keytype, char @@ -52,7 +52,8 @@ int mm_key_allowed(enum mm_keytype, char
int mm_user_key_allowed(struct passwd *, Key *, int); const char *, Key *);
int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *); int mm_auth_rhosts_rsa_key_allowed(struct passwd *, const char *,
int mm_auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *); const char *, Key *);
-int mm_key_verify(Key *, u_char *, u_int, u_char *, u_int); -int mm_key_verify(Key *, u_char *, u_int, u_char *, u_int);
+int mm_hostbased_key_verify(Key *, u_char *, u_int, u_char *, u_int); +int mm_hostbased_key_verify(Key *, u_char *, u_int, u_char *, u_int);
+int mm_user_key_verify(Key *, u_char *, u_int, u_char *, u_int); +int mm_user_key_verify(Key *, u_char *, u_int, u_char *, u_int);
@ -1962,13 +1962,15 @@ diff -up openssh-7.2p1/session.c.audit openssh-7.2p1/session.c
void void
do_cleanup(Authctxt *authctxt) do_cleanup(Authctxt *authctxt)
{ {
@@ -2793,5 +2861,5 @@ do_cleanup(Authctxt *authctxt) @@ -2793,7 +2861,7 @@ do_cleanup(Authctxt *authctxt)
* or if running in monitor. * or if running in monitor.
*/ */
if (!use_privsep || mm_is_monitor()) if (!use_privsep || mm_is_monitor())
- session_destroy_all(session_pty_cleanup2); - session_destroy_all(session_pty_cleanup2);
+ session_destroy_all(do_cleanup_one_session); + session_destroy_all(do_cleanup_one_session);
} }
/* Return a name for the remote host that fits inside utmp_size */
diff -up openssh-7.2p1/session.h.audit openssh-7.2p1/session.h diff -up openssh-7.2p1/session.h.audit openssh-7.2p1/session.h
--- openssh-7.2p1/session.h.audit 2016-02-26 04:40:04.000000000 +0100 --- openssh-7.2p1/session.h.audit 2016-02-26 04:40:04.000000000 +0100
+++ openssh-7.2p1/session.h 2016-03-04 14:25:52.641329882 +0100 +++ openssh-7.2p1/session.h 2016-03-04 14:25:52.641329882 +0100

8
openssh-7.2p1-fips.patch
View File

@ -114,9 +114,9 @@ diff -up openssh-7.2p1/kex.c.fips openssh-7.2p1/kex.c
--- openssh-7.2p1/kex.c.fips 2016-02-12 18:53:56.084665234 +0100 --- openssh-7.2p1/kex.c.fips 2016-02-12 18:53:56.084665234 +0100
+++ openssh-7.2p1/kex.c 2016-02-12 18:53:56.091665235 +0100 +++ openssh-7.2p1/kex.c 2016-02-12 18:53:56.091665235 +0100
@@ -35,6 +35,7 @@ @@ -35,6 +35,7 @@
#ifdef WITH_OPENSSL #ifdef WITH_OPENSSL
#include <openssl/crypto.h> #include <openssl/crypto.h>
#include <openssl/dh.h>
+#include <openssl/fips.h> +#include <openssl/fips.h>
#endif #endif
@ -281,8 +281,8 @@ diff -up openssh-7.2p1/Makefile.in.fips openssh-7.2p1/Makefile.in
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) - $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) + $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o utf8_stringprep.o scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o utf8_stringprep.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) - $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@ -433,7 +433,7 @@ diff -up openssh-7.2p1/ssh.c.fips openssh-7.2p1/ssh.c
#ifndef HAVE_SETPROCTITLE #ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */ /* Prepare for later setproctitle emulation */
@@ -608,6 +618,9 @@ main(int ac, char **av) @@ -608,6 +618,9 @@ main(int ac, char **av)
"ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
switch (opt) { switch (opt) {
case '1': case '1':
+ if (FIPS_mode()) { + if (FIPS_mode()) {

90
openssh-7.2p1-gsskex.patch
View File

@ -1392,6 +1392,7 @@ diff -up openssh-7.2p1/kexgsss.c.gsskex openssh-7.2p1/kexgsss.c
+ u_char *kbuf; + u_char *kbuf;
+ DH *dh; + DH *dh;
+ int min = -1, max = -1, nbits = -1; + int min = -1, max = -1, nbits = -1;
+ int cmin = -1, cmax = -1; /* client proposal */
+ BIGNUM *shared_secret = NULL; + BIGNUM *shared_secret = NULL;
+ BIGNUM *dh_client_pub = NULL; + BIGNUM *dh_client_pub = NULL;
+ int type = 0; + int type = 0;
@ -1430,11 +1431,12 @@ diff -up openssh-7.2p1/kexgsss.c.gsskex openssh-7.2p1/kexgsss.c
+ case KEX_GSS_GEX_SHA1: + case KEX_GSS_GEX_SHA1:
+ debug("Doing group exchange"); + debug("Doing group exchange");
+ packet_read_expect(SSH2_MSG_KEXGSS_GROUPREQ); + packet_read_expect(SSH2_MSG_KEXGSS_GROUPREQ);
+ min = packet_get_int(); + /* store client proposal to provide valid signature */
+ cmin = packet_get_int();
+ nbits = packet_get_int(); + nbits = packet_get_int();
+ max = packet_get_int(); + cmax = packet_get_int();
+ min = MAX(DH_GRP_MIN, min); + min = MAX(DH_GRP_MIN, cmin);
+ max = MIN(DH_GRP_MAX, max); + max = MIN(DH_GRP_MAX, cmax);
+ packet_check_eom(); + packet_check_eom();
+ if (max < min || nbits < min || max < nbits) + if (max < min || nbits < min || max < nbits)
+ fatal("GSS_GEX, bad parameters: %d !< %d !< %d", + fatal("GSS_GEX, bad parameters: %d !< %d !< %d",
@ -1557,7 +1559,7 @@ diff -up openssh-7.2p1/kexgsss.c.gsskex openssh-7.2p1/kexgsss.c
+ buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer), + buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer),
+ buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my), + buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my),
+ NULL, 0, + NULL, 0,
+ min, nbits, max, + cmin, nbits, cmax,
+ dh->p, dh->g, + dh->p, dh->g,
+ dh_client_pub, + dh_client_pub,
+ dh->pub_key, + dh->pub_key,
@ -1653,14 +1655,14 @@ diff -up openssh-7.2p1/kex.h.gsskex openssh-7.2p1/kex.h
+int kexgss_server(struct ssh *); +int kexgss_server(struct ssh *);
+#endif +#endif
int kex_dh_hash(const char *, const char *, int kex_dh_hash(int, const char *, const char *,
const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
diff -up openssh-7.2p1/Makefile.in.gsskex openssh-7.2p1/Makefile.in diff -up openssh/Makefile.in.gsskex openssh/Makefile.in
--- openssh-7.2p1/Makefile.in.gsskex 2016-02-19 10:01:04.864969325 +0100 --- openssh/Makefile.in.gsskex 2016-07-25 14:11:42.978324182 +0200
+++ openssh-7.2p1/Makefile.in 2016-02-19 10:01:04.868969323 +0100 +++ openssh/Makefile.in 2016-07-25 14:14:15.560289050 +0200
@@ -90,6 +90,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ @@ -90,6 +90,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \ readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o \ atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o utf8.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
+ kexgssc.o \ + kexgssc.o \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
@ -2064,21 +2066,21 @@ diff -up openssh-7.2p1/readconf.h.gsskex openssh-7.2p1/readconf.h
int password_authentication; /* Try password int password_authentication; /* Try password
* authentication. */ * authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff -up openssh-7.2p1/regress/cert-hostkey.sh.gsskex openssh-7.2p1/regress/cert-hostkey.sh diff -up openssh/regress/cert-hostkey.sh.gsskex openssh/regress/cert-hostkey.sh
--- openssh-7.2p1/regress/cert-hostkey.sh.gsskex 2016-02-12 11:47:25.000000000 +0100 --- openssh/regress/cert-hostkey.sh.gsskex 2016-07-25 14:11:42.986324181 +0200
+++ openssh-7.2p1/regress/cert-hostkey.sh 2016-02-19 10:01:04.870969322 +0100 +++ openssh/regress/cert-hostkey.sh 2016-07-25 14:15:17.784274722 +0200
@@ -46,7 +46,7 @@ touch $OBJ/host_revoked_plain @@ -59,7 +59,7 @@ touch $OBJ/host_revoked_plain
touch $OBJ/host_revoked_cert touch $OBJ/host_revoked_cert
cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca
-PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` -PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
+PLAIN_TYPES=`$SSH -Q key-plain | grep -v null | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` +PLAIN_TYPES=`$SSH -Q key-plain | grep -v null | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
# Prepare certificate, plain key and CA KRLs if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed" PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
diff -up openssh-7.2p1/regress/cert-userkey.sh.gsskex openssh-7.2p1/regress/cert-userkey.sh diff -up openssh/regress/cert-userkey.sh.gsskex openssh/regress/cert-userkey.sh
--- openssh-7.2p1/regress/cert-userkey.sh.gsskex 2016-02-12 11:47:25.000000000 +0100 --- openssh/regress/cert-userkey.sh.gsskex 2016-07-25 14:11:42.986324181 +0200
+++ openssh-7.2p1/regress/cert-userkey.sh 2016-02-19 10:01:04.870969322 +0100 +++ openssh/regress/cert-userkey.sh 2016-07-25 14:15:36.769270354 +0200
@@ -7,7 +7,7 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/us @@ -7,7 +7,7 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/us
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
@ -2086,11 +2088,11 @@ diff -up openssh-7.2p1/regress/cert-userkey.sh.gsskex openssh-7.2p1/regress/cert
-PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` -PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
+PLAIN_TYPES=`$SSH -Q key-plain | grep -v null | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` +PLAIN_TYPES=`$SSH -Q key-plain | grep -v null | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
kname() { if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
n=`echo "$1" | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'` PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
diff -up openssh-7.2p1/regress/kextype.sh.gsskex openssh-7.2p1/regress/kextype.sh diff -up openssh/regress/kextype.sh.gsskex openssh/regress/kextype.sh
--- openssh-7.2p1/regress/kextype.sh.gsskex 2016-02-12 11:47:25.000000000 +0100 --- openssh/regress/kextype.sh.gsskex 2016-07-24 13:50:13.000000000 +0200
+++ openssh-7.2p1/regress/kextype.sh 2016-02-19 10:01:04.870969322 +0100 +++ openssh/regress/kextype.sh 2016-07-25 14:11:42.987324180 +0200
@@ -14,6 +14,9 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/ssh @@ -14,6 +14,9 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/ssh
tries="1 2 3 4" tries="1 2 3 4"
@ -2739,41 +2741,3 @@ diff -up openssh-7.2p1/sshkey.h.gsskex openssh-7.2p1/sshkey.h
KEY_UNSPEC KEY_UNSPEC
}; };
diff --git a/kexgsss.c b/kexgsss.c
index b2f9658..2d33ff7 100644
--- a/kexgsss.c
+++ b/kexgsss.c
@@ -69,6 +69,7 @@ kexgss_server(struct ssh *ssh)
u_char *kbuf;
DH *dh;
int min = -1, max = -1, nbits = -1;
+ int cmin = -1, cmax = -1; /* client proposal */
BIGNUM *shared_secret = NULL;
BIGNUM *dh_client_pub = NULL;
int type = 0;
@@ -107,11 +108,12 @@ kexgss_server(struct ssh *ssh)
case KEX_GSS_GEX_SHA1:
debug("Doing group exchange");
packet_read_expect(SSH2_MSG_KEXGSS_GROUPREQ);
- min = packet_get_int();
+ /* store client proposal to provide valid signature */
+ cmin = packet_get_int();
nbits = packet_get_int();
- max = packet_get_int();
- min = MAX(DH_GRP_MIN, min);
- max = MIN(DH_GRP_MAX, max);
+ cmax = packet_get_int();
+ min = MAX(DH_GRP_MIN, cmin);
+ max = MIN(DH_GRP_MAX, cmax);
packet_check_eom();
if (max < min || nbits < min || max < nbits)
fatal("GSS_GEX, bad parameters: %d !< %d !< %d",
@@ -234,7 +236,7 @@ kexgss_server(struct ssh *ssh)
buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer),
buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my),
NULL, 0,
- min, nbits, max,
+ cmin, nbits, cmax,
dh->p, dh->g,
dh_client_pub,
dh->pub_key,

4
openssh-7.2p2-expose-pam.patch
View File

@ -331,8 +331,8 @@ diff -up openssh-7.2p2/servconf.c.expose-pam openssh-7.2p2/servconf.c
M_CP_INTOPT(rekey_interval); M_CP_INTOPT(rekey_interval);
+ M_CP_INTOPT(expose_auth_methods); + M_CP_INTOPT(expose_auth_methods);
/* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */ /*
#define M_CP_STROPT(n) do {\ * The bind_mask is a mode_t that may be unsigned, so we can't use
@@ -2181,6 +2198,8 @@ fmt_intarg(ServerOpCodes code, int val) @@ -2181,6 +2198,8 @@ fmt_intarg(ServerOpCodes code, int val)
return fmt_multistate_int(val, multistate_tcpfwd); return fmt_multistate_int(val, multistate_tcpfwd);
case sFingerprintHash: case sFingerprintHash: