cleanup working directory, spec file and unused patches after rebase

This commit is contained in:
Jakub Jelen 2015-02-20 15:04:36 +01:00
parent 08cb909f5d
commit 77f453b74d
7 changed files with 1 additions and 424 deletions

View File

@ -1,18 +0,0 @@
diff -up openssh-5.1p1/scp.1.manpage openssh-5.1p1/scp.1
--- openssh-5.1p1/scp.1.manpage 2008-07-12 09:12:49.000000000 +0200
+++ openssh-5.1p1/scp.1 2008-07-23 19:18:15.000000000 +0200
@@ -66,6 +66,14 @@ treating file names containing
as host specifiers.
Copies between two remote hosts are also permitted.
.Pp
+When copying a source file to a target file which already exists,
+.Nm
+will replace the contents of the target file (keeping the inode).
+.Pp
+If the target file does not yet exist, an empty file with the target
+file name is created, then filled with the source file contents.
+No attempt is made at "near-atomic" transfer using temporary files.
+.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl 1

View File

@ -1,177 +0,0 @@
From 5618210618256bbf5f4f71b2887ff186fd451736 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Sun, 20 Apr 2014 13:44:47 +1000
Subject: [PATCH] - (djm) [bufaux.c compat.c compat.h sshconnect2.c sshd.c
version.h] OpenSSH 6.5 and 6.6 sometimes encode a value used in the
curve25519 key exchange incorrectly, causing connection failures about
0.2% of the time when this method is used against a peer that implements
the method properly.
Fix the problem and disable the curve25519 KEX when speaking to
OpenSSH 6.5 or 6.6. This version will identify itself as 6.6.1
to enable the compatability code.
---
ChangeLog | 11 +++++++++++
bufaux.c | 5 ++++-
compat.c | 17 ++++++++++++++++-
compat.h | 2 ++
sshconnect2.c | 2 ++
sshd.c | 3 +++
version.h | 2 +-
7 files changed, 39 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 1603a07..928999d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,13 +1,23 @@
20140420
- - djm@cvs.openbsd.org 2014/04/01 03:34:10
- [sshconnect.c]
- When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
- certificate keys to plain keys and attempt SSHFP resolution.
-
- Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
- dialog by offering only certificate keys.
-
- Reported by mcv21 AT cam.ac.uk
+ - (djm) [bufaux.c compat.c compat.h sshconnect2.c sshd.c version.h]
+ OpenSSH 6.5 and 6.6 sometimes encode a value used in the curve25519
+ key exchange incorrectly, causing connection failures about 0.2% of
+ the time when this method is used against a peer that implements
+ the method properly.
+
+ Fix the problem and disable the curve25519 KEX when speaking to
+ OpenSSH 6.5 or 6.6. This version will identify itself as 6.6.1
+ to enable the compatability code.
+
+ - djm@cvs.openbsd.org 2014/04/01 03:34:10
+ [sshconnect.c]
+ When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
+ certificate keys to plain keys and attempt SSHFP resolution.
+
+ Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
+ dialog by offering only certificate keys.
+
+ Reported by mcv21 AT cam.ac.uk
20140313
- (djm) Release OpenSSH 6.6
diff --git a/bufaux.c b/bufaux.c
index e24b5fc..f6a6f2a 100644
--- a/bufaux.c
+++ b/bufaux.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l)
if (l > 8 * 1024)
fatal("%s: length %u too long", __func__, l);
+ /* Skip leading zero bytes */
+ for (; l > 0 && *s == 0; l--, s++)
+ ;
p = buf = xmalloc(l + 1);
/*
* If most significant bit is set then prepend a zero byte to
diff --git a/compat.c b/compat.c
index 9d9fabe..2709dc5 100644
--- a/compat.c
+++ b/compat.c
@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
{ "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
{ "OpenSSH_4*", 0 },
{ "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
+ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH},
+ { "OpenSSH_6.5*,"
+ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
{ "OpenSSH*", SSH_NEW_OPENSSH },
{ "*MindTerm*", 0 },
{ "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop)
return cipher_prop;
}
-
char *
compat_pkalg_proposal(char *pkalg_prop)
{
@@ -265,3 +267,16 @@ compat_pkalg_proposal(char *pkalg_prop)
return pkalg_prop;
}
+char *
+compat_kex_proposal(char *kex_prop)
+{
+ if (!(datafellows & SSH_BUG_CURVE25519PAD))
+ return kex_prop;
+ debug2("%s: original KEX proposal: %s", __func__, kex_prop);
+ kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
+ debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
+ if (*kex_prop == '\0')
+ fatal("No supported key exchange algorithms found");
+ return kex_prop;
+}
+
diff --git a/compat.h b/compat.h
index b174fa1..a6c3f3d 100644
--- a/compat.h
+++ b/compat.h
@@ -59,6 +59,7 @@
#define SSH_BUG_RFWD_ADDR 0x02000000
#define SSH_NEW_OPENSSH 0x04000000
#define SSH_BUG_DYNAMIC_RPORT 0x08000000
+#define SSH_BUG_CURVE25519PAD 0x10000000
void enable_compat13(void);
void enable_compat20(void);
@@ -66,6 +67,7 @@ void compat_datafellows(const char *);
int proto_spec(const char *);
char *compat_cipher_proposal(char *);
char *compat_pkalg_proposal(char *);
+char *compat_kex_proposal(char *);
extern int compat13;
extern int compat20;
diff --git a/sshconnect2.c b/sshconnect2.c
index bb9292f..b00658b 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -220,6 +220,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
}
if (options.kex_algorithms != NULL)
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+ myproposal[PROPOSAL_KEX_ALGS]);
#ifdef GSSAPI
/* If we've got GSSAPI algorithms, then we also support the
diff --git a/sshd.c b/sshd.c
index e4e406e..512c7ed 100644
--- a/sshd.c
+++ b/sshd.c
@@ -2488,6 +2488,9 @@ do_ssh2_kex(void)
if (options.kex_algorithms != NULL)
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+ myproposal[PROPOSAL_KEX_ALGS]);
+
if (options.rekey_limit || options.rekey_interval)
packet_set_rekey_limits((u_int32_t)options.rekey_limit,
(time_t)options.rekey_interval);
diff --git a/version.h b/version.h
index a1579ac..a33e77c 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
/* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
-#define SSH_VERSION "OpenSSH_6.6"
+#define SSH_VERSION "OpenSSH_6.6.1"
#define SSH_PORTABLE "p1"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE

View File

@ -1,29 +0,0 @@
--- a/misc.c
+++ b/misc.c
@@ -865,17 +865,24 @@ ms_to_timeval(struct timeval *tv, int ms
time_t
monotime(void)
{
-#if defined(HAVE_CLOCK_GETTIME) && defined(CLOCK_MONOTONIC)
+#if defined(HAVE_CLOCK_GETTIME) && \
+ (defined(CLOCK_MONOTONIC) || defined(CLOCK_BOOTTIME))
struct timespec ts;
static int gettime_failed = 0;
if (!gettime_failed) {
+#if defined(CLOCK_BOOTTIME)
+ if (clock_gettime(CLOCK_BOOTTIME, &ts) == 0)
+ return (ts.tv_sec);
+#endif
+#if defined(CLOCK_MONOTONIC)
if (clock_gettime(CLOCK_MONOTONIC, &ts) == 0)
return (ts.tv_sec);
+#endif
debug3("clock_gettime: %s", strerror(errno));
gettime_failed = 1;
}
-#endif
+#endif /* HAVE_CLOCK_GETTIME && (CLOCK_MONOTONIC || CLOCK_BOOTTIME */
return time(NULL);
}

View File

@ -1,76 +0,0 @@
diff --git a/ChangeLog b/ChangeLog
index 928999d..3887495 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+20140703
+ - OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2014/07/03 03:34:09
+ [gss-serv.c session.c ssh-keygen.c]
+ standardise on NI_MAXHOST for gethostname() string lengths; about
+ 1/2 the cases were using it already. Fixes bz#2239 en passant
+
20140420
- (djm) [bufaux.c compat.c compat.h sshconnect2.c sshd.c version.h]
OpenSSH 6.5 and 6.6 sometimes encode a value used in the curve25519
diff --git a/gss-serv.c b/gss-serv.c
index 14f540e..29916d3 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-serv.c,v 1.26 2014/02/26 20:28:44 djm Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.27 2014/07/03 03:34:09 djm Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -102,14 +102,14 @@ static OM_uint32
ssh_gssapi_acquire_cred(Gssctxt *ctx)
{
OM_uint32 status;
- char lname[MAXHOSTNAMELEN];
+ char lname[NI_MAXHOST];
gss_OID_set oidset;
if (options.gss_strict_acceptor) {
gss_create_empty_oid_set(&status, &oidset);
gss_add_oid_set_member(&status, ctx->oid, &oidset);
- if (gethostname(lname, MAXHOSTNAMELEN)) {
+ if (gethostname(lname, sizeof(lname))) {
gss_release_oid_set(&status, &oidset);
return (-1);
}
diff --git a/session.c b/session.c
index ba4589b..e4add93 100644
--- a/session.c
+++ b/session.c
@@ -49,6 +49,7 @@
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
+#include <netdb.h>
#ifdef HAVE_PATHS_H
#include <paths.h>
#endif
@@ -2669,7 +2670,7 @@ session_setup_x11fwd(Session *s)
{
struct stat st;
char display[512], auth_display[512];
- char hostname[MAXHOSTNAMELEN];
+ char hostname[NI_MAXHOST];
u_int i;
if (no_x11_forwarding_flag) {
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 482dc1c..66198e6 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -165,7 +165,7 @@ int rounds = 0;
/* argv0 */
extern char *__progname;
-char hostname[MAXHOSTNAMELEN];
+char hostname[NI_MAXHOST];
/* moduli.c */
int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);

View File

@ -1,28 +0,0 @@
diff --git a/ChangeLog b/ChangeLog
index 3887495..a4dc72f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+20140823
+ - (djm) [sshd.c] Ignore SIGXFSZ in preauth monitor child; can explode on
+ lastlog writing on platforms with high UIDs; bz#2263
+ - (djm) [monitor.c sshd.c] SIGXFSZ needs to be ignored in postauth
+ monitor, not preauth; bz#2263
+
20140703
- OpenBSD CVS Sync
- djm@cvs.openbsd.org 2014/07/03 03:34:09
diff --git a/monitor.c b/monitor.c
index bdabe21..5a65114 100644
--- a/monitor.c
+++ b/monitor.c
@@ -501,6 +501,9 @@ monitor_child_postauth(struct monitor *pmonitor)
signal(SIGHUP, &monitor_child_handler);
signal(SIGTERM, &monitor_child_handler);
signal(SIGINT, &monitor_child_handler);
+#ifdef SIGXFSZ
+ signal(SIGXFSZ, SIG_IGN);
+#endif
if (compat20) {
mon_dispatch = mon_dispatch_postauth20;

View File

@ -1,80 +0,0 @@
diff --git a/ChangeLog b/ChangeLog
index 38de846..1603a07 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+20140420
+ - djm@cvs.openbsd.org 2014/04/01 03:34:10
+ [sshconnect.c]
+ When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
+ certificate keys to plain keys and attempt SSHFP resolution.
+
+ Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
+ dialog by offering only certificate keys.
+
+ Reported by mcv21 AT cam.ac.uk
+
20140313
- (djm) Release OpenSSH 6.6
diff --git a/sshconnect.c b/sshconnect.c
index 394cca8..e636f33 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1219,30 +1219,40 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
{
int flags = 0;
char *fp;
+ Key *plain = NULL;
fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
debug("Server host key: %s %s%s", key_type(host_key),
key_fingerprint_prefix(), fp);
free(fp);
- /* XXX certs are not yet supported for DNS */
- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
- if (flags & DNS_VERIFY_FOUND) {
-
- if (options.verify_host_key_dns == 1 &&
- flags & DNS_VERIFY_MATCH &&
- flags & DNS_VERIFY_SECURE)
- return 0;
-
- if (flags & DNS_VERIFY_MATCH) {
- matching_host_key_dns = 1;
- } else {
- warn_changed_key(host_key);
- error("Update the SSHFP RR in DNS with the new "
- "host key to get rid of this message.");
+ if (options.verify_host_key_dns) {
+ /*
+ * XXX certs are not yet supported for DNS, so downgrade
+ * them and try the plain key.
+ */
+ plain = key_from_private(host_key);
+ if (key_is_cert(plain))
+ key_drop_cert(plain);
+ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
+ if (flags & DNS_VERIFY_FOUND) {
+ if (options.verify_host_key_dns == 1 &&
+ flags & DNS_VERIFY_MATCH &&
+ flags & DNS_VERIFY_SECURE) {
+ key_free(plain);
+ return 0;
+ }
+ if (flags & DNS_VERIFY_MATCH) {
+ matching_host_key_dns = 1;
+ } else {
+ warn_changed_key(plain);
+ error("Update the SSHFP RR in DNS "
+ "with the new host key to get rid "
+ "of this message.");
+ }
}
}
+ key_free(plain);
}
return check_host_key(host, hostaddr, options.port, host_key, RDRW,

View File

@ -151,8 +151,6 @@ Patch702: openssh-5.1p1-askpass-progress.patch
#? #?
Patch703: openssh-4.3p2-askpass-grab-info.patch Patch703: openssh-4.3p2-askpass-grab-info.patch
#? #?
Patch705: openssh-5.1p1-scp-manpage.patch
#?
Patch706: openssh-6.6.1p1-localdomain.patch Patch706: openssh-6.6.1p1-localdomain.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX) #https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
Patch707: openssh-6.6p1-redhat.patch Patch707: openssh-6.6p1-redhat.patch
@ -187,16 +185,6 @@ Patch902: openssh-6.3p1-krb5-use-default_ccache_name.patch
Patch905: openssh-6.4p1-legacy-ssh-copy-id.patch Patch905: openssh-6.4p1-legacy-ssh-copy-id.patch
# Use tty allocation for a remote scp (#985650) # Use tty allocation for a remote scp (#985650)
Patch906: openssh-6.4p1-fromto-remote.patch Patch906: openssh-6.4p1-fromto-remote.patch
# Try CLOCK_BOOTTIME with fallback (#1091992)
Patch907: openssh-6.4p1-CLOCK_BOOTTIME.patch
# Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
# dialog by offering only certificate keys. (#1081338)
Patch908: openssh-6.6p1-CVE-2014-2653.patch
# OpenSSH 6.5 and 6.6 sometimes encode a value used in the curve25519 key exchange incorrectly
# Disable the curve25519 KEX when speaking to OpenSSH 6.5 or 6.6
Patch909: openssh-5618210618256bbf5f4f71b2887ff186fd451736.patch
# standardise on NI_MAXHOST for gethostname() string lengths (#1051490)
Patch910: openssh-6.6.1p1-NI_MAXHOST.patch
# set a client's address right after a connection is set # set a client's address right after a connection is set
# http://bugzilla.mindrot.org/show_bug.cgi?id=2257 # http://bugzilla.mindrot.org/show_bug.cgi?id=2257
Patch911: openssh-6.6p1-set_remote_ipaddr.patch Patch911: openssh-6.6p1-set_remote_ipaddr.patch
@ -210,9 +198,6 @@ Patch913: openssh-6.6.1p1-partial-success.patch
# fix parsing of empty options in sshd_conf # fix parsing of empty options in sshd_conf
# https://bugzilla.mindrot.org/show_bug.cgi?id=2281 # https://bugzilla.mindrot.org/show_bug.cgi?id=2281
Patch914: openssh-6.6.1p1-servconf-parser.patch Patch914: openssh-6.6.1p1-servconf-parser.patch
# Ignore SIGXFSZ in postauth monitor
# https://bugzilla.mindrot.org/show_bug.cgi?id=2263
Patch915: openssh-6.6.1p1-ignore-SIGXFSZ-in-postauth.patch
# privsep_preauth: use SELinux context from selinux-policy (#1008580) # privsep_preauth: use SELinux context from selinux-policy (#1008580)
Patch916: openssh-6.6.1p1-selinux-contexts.patch Patch916: openssh-6.6.1p1-selinux-contexts.patch
# use different values for DH for Cisco servers (#1026430) # use different values for DH for Cisco servers (#1026430)