From 77f453b74de2f328b22e3950a38a5883e2de5f35 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Fri, 20 Feb 2015 15:04:36 +0100
Subject: [PATCH] cleanup working directory, spec file and unused patches after rebase
---
 openssh-5.1p1-scp-manpage.patch | 18 --
 ...210618256bbf5f4f71b2887ff186fd451736.patch | 177 ------------------
 openssh-6.4p1-CLOCK_BOOTTIME.patch | 29 ---
 openssh-6.6.1p1-NI_MAXHOST.patch | 76 --------
 ...h-6.6.1p1-ignore-SIGXFSZ-in-postauth.patch | 28 ---
 openssh-6.6p1-CVE-2014-2653.patch | 80 --------
 openssh.spec | 17 +-
 7 files changed, 1 insertion(+), 424 deletions(-)
 delete mode 100644 openssh-5.1p1-scp-manpage.patch
 delete mode 100644 openssh-5618210618256bbf5f4f71b2887ff186fd451736.patch
 delete mode 100644 openssh-6.4p1-CLOCK_BOOTTIME.patch
 delete mode 100644 openssh-6.6.1p1-NI_MAXHOST.patch
 delete mode 100644 openssh-6.6.1p1-ignore-SIGXFSZ-in-postauth.patch
 delete mode 100644 openssh-6.6p1-CVE-2014-2653.patch
diff --git a/openssh-5.1p1-scp-manpage.patch b/openssh-5.1p1-scp-manpage.patch
deleted file mode 100644
index e314a05..0000000
--- a/openssh-5.1p1-scp-manpage.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff -up openssh-5.1p1/scp.1.manpage openssh-5.1p1/scp.1
---- openssh-5.1p1/scp.1.manpage 2008-07-12 09:12:49.000000000 +0200
-+++ openssh-5.1p1/scp.1 2008-07-23 19:18:15.000000000 +0200
-@@ -66,6 +66,14 @@ treating file names containing
- as host specifiers.
- Copies between two remote hosts are also permitted.
- .Pp
-+When copying a source file to a target file which already exists,
-+.Nm
-+will replace the contents of the target file (keeping the inode).
-+.Pp
-+If the target file does not yet exist, an empty file with the target
-+file name is created, then filled with the source file contents.
-+No attempt is made at "near-atomic" transfer using temporary files.
-+.Pp
- The options are as follows:
- .Bl -tag -width Ds
- .It Fl 1
diff --git a/openssh-5618210618256bbf5f4f71b2887ff186fd451736.patch b/openssh-5618210618256bbf5f4f71b2887ff186fd451736.patch
deleted file mode 100644
index 44da114..0000000
--- a/openssh-5618210618256bbf5f4f71b2887ff186fd451736.patch
+++ /dev/null
@@ -1,177 +0,0 @@ -From 5618210618256bbf5f4f71b2887ff186fd451736 Mon Sep 17 00:00:00 2001 -From: Damien Miller -Date: Sun, 20 Apr 2014 13:44:47 +1000 -Subject: [PATCH] - (djm) [bufaux.c compat.c compat.h sshconnect2.c sshd.c - version.h] OpenSSH 6.5 and 6.6 sometimes encode a value used in the - curve25519 key exchange incorrectly, causing connection failures about - 0.2% of the time when this method is used against a peer that implements - the method properly. - - Fix the problem and disable the curve25519 KEX when speaking to - OpenSSH 6.5 or 6.6. This version will identify itself as 6.6.1 - to enable the compatability code. ---- - ChangeLog | 11 +++++++++++ - bufaux.c | 5 ++++- - compat.c | 17 ++++++++++++++++- - compat.h | 2 ++ - sshconnect2.c | 2 ++ - sshd.c | 3 +++ - version.h | 2 +- - 7 files changed, 39 insertions(+), 3 deletions(-) - -diff --git a/ChangeLog b/ChangeLog -index 1603a07..928999d 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -1,13 +1,23 @@ - 20140420 -- - djm@cvs.openbsd.org 2014/04/01 03:34:10 -- [sshconnect.c] -- When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any -- certificate keys to plain keys and attempt SSHFP resolution. -- -- Prevents a server from skipping SSHFP lookup and forcing a new-hostkey -- dialog by offering only certificate keys. -- -- Reported by mcv21 AT cam.ac.uk -+ - (djm) [bufaux.c compat.c compat.h sshconnect2.c sshd.c version.h] -+ OpenSSH 6.5 and 6.6 sometimes encode a value used in the curve25519 -+ key exchange incorrectly, causing connection failures about 0.2% of -+ the time when this method is used against a peer that implements -+ the method properly. -+ -+ Fix the problem and disable the curve25519 KEX when speaking to -+ OpenSSH 6.5 or 6.6. This version will identify itself as 6.6.1 -+ to enable the compatability code. 
-+
-+ - djm@cvs.openbsd.org 2014/04/01 03:34:10
-+ [sshconnect.c]
-+ When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
-+ certificate keys to plain keys and attempt SSHFP resolution.
-+
-+ Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
-+ dialog by offering only certificate keys.
-+
-+ Reported by mcv21 AT cam.ac.uk
- 
- 20140313
- - (djm) Release OpenSSH 6.6
-diff --git a/bufaux.c b/bufaux.c
-index e24b5fc..f6a6f2a 100644
---- a/bufaux.c
-+++ b/bufaux.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
-+/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
- /*
- * Author: Tatu Ylonen
- * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
-@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l)
- 
- if (l > 8 * 1024)
- fatal("%s: length %u too long", __func__, l);
-+ /* Skip leading zero bytes */
-+ for (; l > 0 && *s == 0; l--, s++)
-+ ;
- p = buf = xmalloc(l + 1);
- /*
- * If most significant bit is set then prepend a zero byte to
-diff --git a/compat.c b/compat.c
-index 9d9fabe..2709dc5 100644
---- a/compat.c
-+++ b/compat.c
-@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
- { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
- { "OpenSSH_4*", 0 },
- { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
-+ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH},
-+ { "OpenSSH_6.5*,"
-+ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
- { "OpenSSH*", SSH_NEW_OPENSSH },
- { "*MindTerm*", 0 },
- { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
-@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop)
- return cipher_prop;
- }
- 
--
- char *
- compat_pkalg_proposal(char *pkalg_prop)
- {
-@@ -265,3 +267,16 @@ compat_pkalg_proposal(char *pkalg_prop)
- return pkalg_prop;
- }
- 
-+char *
-+compat_kex_proposal(char *kex_prop)
-+{
-+ if (!(datafellows & SSH_BUG_CURVE25519PAD))
-+ return kex_prop;
-+ debug2("%s: original KEX proposal: %s", __func__, kex_prop);
-+ kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
-+ debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
-+ if (*kex_prop == '\0')
-+ fatal("No supported key exchange algorithms found");
-+ return kex_prop;
-+}
-+
-diff --git a/compat.h b/compat.h
-index b174fa1..a6c3f3d 100644
---- a/compat.h
-+++ b/compat.h
-@@ -59,6 +59,7 @@
- #define SSH_BUG_RFWD_ADDR 0x02000000
- #define SSH_NEW_OPENSSH 0x04000000
- #define SSH_BUG_DYNAMIC_RPORT 0x08000000
-+#define SSH_BUG_CURVE25519PAD 0x10000000
- 
- void enable_compat13(void);
- void enable_compat20(void);
-@@ -66,6 +67,7 @@ void compat_datafellows(const char *);
- int proto_spec(const char *);
- char *compat_cipher_proposal(char *);
- char *compat_pkalg_proposal(char *);
-+char *compat_kex_proposal(char *);
- 
- extern int compat13;
- extern int compat20;
-diff --git a/sshconnect2.c b/sshconnect2.c
-index bb9292f..b00658b 100644
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -220,6 +220,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
- }
- if (options.kex_algorithms != NULL)
- myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
-+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
-+ myproposal[PROPOSAL_KEX_ALGS]);
- 
- #ifdef GSSAPI
- /* If we've got GSSAPI algorithms, then we also support the
-diff --git a/sshd.c b/sshd.c
-index e4e406e..512c7ed 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -2488,6 +2488,9 @@ do_ssh2_kex(void)
- if (options.kex_algorithms != NULL)
- myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
- 
-+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
-+ myproposal[PROPOSAL_KEX_ALGS]);
-+
- if (options.rekey_limit || options.rekey_interval)
- packet_set_rekey_limits((u_int32_t)options.rekey_limit,
- (time_t)options.rekey_interval);
-diff --git a/version.h b/version.h
-index a1579ac..a33e77c 100644
---- a/version.h
-+++ b/version.h
-@@ -1,6 +1,6 @@
- /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
- 
--#define SSH_VERSION "OpenSSH_6.6"
-+#define SSH_VERSION "OpenSSH_6.6.1"
- 
- #define SSH_PORTABLE "p1"
- #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
diff --git a/openssh-6.4p1-CLOCK_BOOTTIME.patch b/openssh-6.4p1-CLOCK_BOOTTIME.patch
deleted file mode 100644
index 1073a77..0000000
--- a/openssh-6.4p1-CLOCK_BOOTTIME.patch
+++ /dev/null
@@ -1,29 +0,0 @@
---- a/misc.c
-+++ b/misc.c
-@@ -865,17 +865,24 @@ ms_to_timeval(struct timeval *tv, int ms
- time_t
- monotime(void)
- {
--#if defined(HAVE_CLOCK_GETTIME) && defined(CLOCK_MONOTONIC)
-+#if defined(HAVE_CLOCK_GETTIME) && \
-+ (defined(CLOCK_MONOTONIC) || defined(CLOCK_BOOTTIME))
- struct timespec ts;
- static int gettime_failed = 0;
- 
- if (!gettime_failed) {
-+#if defined(CLOCK_BOOTTIME)
-+ if (clock_gettime(CLOCK_BOOTTIME, &ts) == 0)
-+ return (ts.tv_sec);
-+#endif
-+#if defined(CLOCK_MONOTONIC)
- if (clock_gettime(CLOCK_MONOTONIC, &ts) == 0)
- return (ts.tv_sec);
-+#endif
- debug3("clock_gettime: %s", strerror(errno));
- gettime_failed = 1;
- }
--#endif
-+#endif /* HAVE_CLOCK_GETTIME && (CLOCK_MONOTONIC || CLOCK_BOOTTIME */
- 
- return time(NULL);
- }
diff --git a/openssh-6.6.1p1-NI_MAXHOST.patch b/openssh-6.6.1p1-NI_MAXHOST.patch
deleted file mode 100644
index 7eeee50..0000000
--- a/openssh-6.6.1p1-NI_MAXHOST.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-diff --git a/ChangeLog b/ChangeLog
-index 928999d..3887495 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,10 @@
-+20140703
-+ - OpenBSD CVS Sync
-+ - djm@cvs.openbsd.org 2014/07/03 03:34:09
-+ [gss-serv.c session.c ssh-keygen.c]
-+ standardise on NI_MAXHOST for gethostname() string lengths; about
-+ 1/2 the cases were using it already. Fixes bz#2239 en passant
-+
- 20140420
- - (djm) [bufaux.c compat.c compat.h sshconnect2.c sshd.c version.h]
- OpenSSH 6.5 and 6.6 sometimes encode a value used in the curve25519
-diff --git a/gss-serv.c b/gss-serv.c
-index 14f540e..29916d3 100644
---- a/gss-serv.c
-+++ b/gss-serv.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: gss-serv.c,v 1.26 2014/02/26 20:28:44 djm Exp $ */
-+/* $OpenBSD: gss-serv.c,v 1.27 2014/07/03 03:34:09 djm Exp $ */
- 
- /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
-@@ -102,14 +102,14 @@ static OM_uint32
- ssh_gssapi_acquire_cred(Gssctxt *ctx)
- {
- OM_uint32 status;
-- char lname[MAXHOSTNAMELEN];
-+ char lname[NI_MAXHOST];
- gss_OID_set oidset;
- 
- if (options.gss_strict_acceptor) {
- gss_create_empty_oid_set(&status, &oidset);
- gss_add_oid_set_member(&status, ctx->oid, &oidset);
- 
-- if (gethostname(lname, MAXHOSTNAMELEN)) {
-+ if (gethostname(lname, sizeof(lname))) {
- gss_release_oid_set(&status, &oidset);
- return (-1);
- }
-diff --git a/session.c b/session.c
-index ba4589b..e4add93 100644
---- a/session.c
-+++ b/session.c
-@@ -49,6 +49,7 @@
- #include
- #include
- #include
-+ #include
- #ifdef HAVE_PATHS_H
- #include
- #endif
-@@ -2669,7 +2670,7 @@ session_setup_x11fwd(Session *s)
- {
- struct stat st;
- char display[512], auth_display[512];
-- char hostname[MAXHOSTNAMELEN];
-+ char hostname[NI_MAXHOST];
- u_int i;
- 
- if (no_x11_forwarding_flag) {
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index 482dc1c..66198e6 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -165,7 +165,7 @@ int rounds = 0;
- /* argv0 */
- extern char *__progname;
- 
--char hostname[MAXHOSTNAMELEN];
-+char hostname[NI_MAXHOST];
- 
- /* moduli.c */
- int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);
diff --git a/openssh-6.6.1p1-ignore-SIGXFSZ-in-postauth.patch b/openssh-6.6.1p1-ignore-SIGXFSZ-in-postauth.patch
deleted file mode 100644
index 87434ce..0000000
--- a/openssh-6.6.1p1-ignore-SIGXFSZ-in-postauth.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-diff --git a/ChangeLog b/ChangeLog
-index 3887495..a4dc72f 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,9 @@
-+20140823
-+ - (djm) [sshd.c] Ignore SIGXFSZ in preauth monitor child; can explode on
-+ lastlog writing on platforms with high UIDs; bz#2263
-+ - (djm) [monitor.c sshd.c] SIGXFSZ needs to be ignored in postauth
-+ monitor, not preauth; bz#2263
-+
- 20140703
- - OpenBSD CVS Sync
- - djm@cvs.openbsd.org 2014/07/03 03:34:09
-diff --git a/monitor.c b/monitor.c
-index bdabe21..5a65114 100644
---- a/monitor.c
-+++ b/monitor.c
-@@ -501,6 +501,9 @@ monitor_child_postauth(struct monitor *pmonitor)
- signal(SIGHUP, &monitor_child_handler);
- signal(SIGTERM, &monitor_child_handler);
- signal(SIGINT, &monitor_child_handler);
-+#ifdef SIGXFSZ
-+ signal(SIGXFSZ, SIG_IGN);
-+#endif
- 
- if (compat20) {
- mon_dispatch = mon_dispatch_postauth20;
diff --git a/openssh-6.6p1-CVE-2014-2653.patch b/openssh-6.6p1-CVE-2014-2653.patch
deleted file mode 100644
index c3bd0a1..0000000
--- a/openssh-6.6p1-CVE-2014-2653.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-diff --git a/ChangeLog b/ChangeLog
-index 38de846..1603a07 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,14 @@
-+20140420
-+ - djm@cvs.openbsd.org 2014/04/01 03:34:10
-+ [sshconnect.c]
-+ When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
-+ certificate keys to plain keys and attempt SSHFP resolution.
-+
-+ Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
-+ dialog by offering only certificate keys.
-+
-+ Reported by mcv21 AT cam.ac.uk
-+
- 20140313
- - (djm) Release OpenSSH 6.6
- 
-diff --git a/sshconnect.c b/sshconnect.c
-index 394cca8..e636f33 100644
---- a/sshconnect.c
-+++ b/sshconnect.c
-@@ -1219,30 +1219,40 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
- {
- int flags = 0;
- char *fp;
-+ Key *plain = NULL;
- 
- fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
- debug("Server host key: %s %s%s", key_type(host_key),
- key_fingerprint_prefix(), fp);
- free(fp);
- 
-- /* XXX certs are not yet supported for DNS */
-- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
-- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
-- if (flags & DNS_VERIFY_FOUND) {
--
-- if (options.verify_host_key_dns == 1 &&
-- flags & DNS_VERIFY_MATCH &&
-- flags & DNS_VERIFY_SECURE)
-- return 0;
--
-- if (flags & DNS_VERIFY_MATCH) {
-- matching_host_key_dns = 1;
-- } else {
-- warn_changed_key(host_key);
-- error("Update the SSHFP RR in DNS with the new "
-- "host key to get rid of this message.");
-+ if (options.verify_host_key_dns) {
-+ /*
-+ * XXX certs are not yet supported for DNS, so downgrade
-+ * them and try the plain key.
-+ */
-+ plain = key_from_private(host_key);
-+ if (key_is_cert(plain))
-+ key_drop_cert(plain);
-+ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
-+ if (flags & DNS_VERIFY_FOUND) {
-+ if (options.verify_host_key_dns == 1 &&
-+ flags & DNS_VERIFY_MATCH &&
-+ flags & DNS_VERIFY_SECURE) {
-+ key_free(plain);
-+ return 0;
-+ }
-+ if (flags & DNS_VERIFY_MATCH) {
-+ matching_host_key_dns = 1;
-+ } else {
-+ warn_changed_key(plain);
-+ error("Update the SSHFP RR in DNS "
-+ "with the new host key to get rid "
-+ "of this message.");
-+ }
- }
- }
-+ key_free(plain);
- }
- 
- return check_host_key(host, hostaddr, options.port, host_key, RDRW,
diff --git a/openssh.spec b/openssh.spec
index 2a45c53..7466b72 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -151,8 +151,6 @@ Patch702: openssh-5.1p1-askpass-progress.patch
 #?
 Patch703: openssh-4.3p2-askpass-grab-info.patch
 #?
-Patch705: openssh-5.1p1-scp-manpage.patch
-#?
 Patch706: openssh-6.6.1p1-localdomain.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
 Patch707: openssh-6.6p1-redhat.patch
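Review bot: The hunk removes the `Patch705:` declaration, but the diffstat for openssh.spec (1 insertion, 16 deletions) is accounted for entirely by the `PatchNNN:` header lines, so the matching `%patch705` application in `%prep` is presumably still present; the same applies to the Patch907–Patch910 and Patch915 hunks that follow. A `Patch` tag removed from the header while its `%patch` line survives makes rpmbuild fail in `%prep` with an undefined patch, so either this commit or the preceding rebase commit must have dropped those lines too — worth confirming before this lands. Patch908 carried the CVE-2014-2653 fix (VerifyHostKeyDNS certificate downgrade) and Patch909 the curve25519 padding fix; the commit message does not name the new upstream base version, so a one-line `%changelog` entry stating that these fixes are now in the upstream tarball would keep the audit trail intact. If the rebase commit already added such an entry, this is only a documentation nit.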
@@ -187,16 +185,6 @@ Patch902: openssh-6.3p1-krb5-use-default_ccache_name.patch
 Patch905: openssh-6.4p1-legacy-ssh-copy-id.patch
 # Use tty allocation for a remote scp (#985650)
 Patch906: openssh-6.4p1-fromto-remote.patch
-# Try CLOCK_BOOTTIME with fallback (#1091992)
-Patch907: openssh-6.4p1-CLOCK_BOOTTIME.patch
-# Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
-# dialog by offering only certificate keys. (#1081338)
-Patch908: openssh-6.6p1-CVE-2014-2653.patch
-# OpenSSH 6.5 and 6.6 sometimes encode a value used in the curve25519 key exchange incorrectly
-# Disable the curve25519 KEX when speaking to OpenSSH 6.5 or 6.6
-Patch909: openssh-5618210618256bbf5f4f71b2887ff186fd451736.patch
-# standardise on NI_MAXHOST for gethostname() string lengths (#1051490)
-Patch910: openssh-6.6.1p1-NI_MAXHOST.patch
 # set a client's address right after a connection is set
 # http://bugzilla.mindrot.org/show_bug.cgi?id=2257
 Patch911: openssh-6.6p1-set_remote_ipaddr.patch
@@ -210,9 +198,6 @@ Patch913: openssh-6.6.1p1-partial-success.patch
 # fix parsing of empty options in sshd_conf
 # https://bugzilla.mindrot.org/show_bug.cgi?id=2281
 Patch914: openssh-6.6.1p1-servconf-parser.patch
-# Ignore SIGXFSZ in postauth monitor
-# https://bugzilla.mindrot.org/show_bug.cgi?id=2263
-Patch915: openssh-6.6.1p1-ignore-SIGXFSZ-in-postauth.patch
 # privsep_preauth: use SELinux context from selinux-policy (#1008580)
 Patch916: openssh-6.6.1p1-selinux-contexts.patch
 # use different values for DH for Cisco servers (#1026430)
@@ -486,7 +471,7 @@ export LDFLAGS
 %endif
 %if %{kerberos5}
 if test -r /etc/profile.d/krb5-devel.sh ; then
- source /etc/profile.d/krb5-devel.sh
+ source /etc/profile.d/krb5-devel.sh
 fi
 krb5_prefix=`krb5-config --prefix`
 if test "$krb5_prefix" != "%{_prefix}" ; then