cleanup working directory, spec file and unused patches after rebase

openssh-5.1p1-scp-manpage.patch

@@ -1,18 +0,0 @@
-diff -up openssh-5.1p1/scp.1.manpage openssh-5.1p1/scp.1
---- openssh-5.1p1/scp.1.manpage	2008-07-12 09:12:49.000000000 +0200
-+++ openssh-5.1p1/scp.1	2008-07-23 19:18:15.000000000 +0200
-@@ -66,6 +66,14 @@ treating file names containing
- as host specifiers.
- Copies between two remote hosts are also permitted.
- .Pp
-+When copying a source file to a target file which already exists,
-+.Nm 
-+will replace the contents of the target file (keeping the inode).
-+.Pp
-+If the target file does not yet exist, an empty file with the target
-+file name is created, then filled with the source file contents.
-+No attempt is made at "near-atomic" transfer using temporary files.
-+.Pp
- The options are as follows:
- .Bl -tag -width Ds
- .It Fl 1

openssh-5618210618256bbf5f4f71b2887ff186fd451736.patch

@@ -1,177 +0,0 @@
-From 5618210618256bbf5f4f71b2887ff186fd451736 Mon Sep 17 00:00:00 2001
-From: Damien Miller <djm@mindrot.org>
-Date: Sun, 20 Apr 2014 13:44:47 +1000
-Subject: [PATCH]  - (djm) [bufaux.c compat.c compat.h sshconnect2.c sshd.c
- version.h]    OpenSSH 6.5 and 6.6 sometimes encode a value used in the
- curve25519    key exchange incorrectly, causing connection failures about
- 0.2% of    the time when this method is used against a peer that implements  
-  the method properly.
-
-   Fix the problem and disable the curve25519 KEX when speaking to
-   OpenSSH 6.5 or 6.6. This version will identify itself as 6.6.1
-   to enable the compatability code.
----
- ChangeLog     | 11 +++++++++++
- bufaux.c      |  5 ++++-
- compat.c      | 17 ++++++++++++++++-
- compat.h      |  2 ++
- sshconnect2.c |  2 ++
- sshd.c        |  3 +++
- version.h     |  2 +-
- 7 files changed, 39 insertions(+), 3 deletions(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index 1603a07..928999d 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,13 +1,23 @@
- 20140420
--   - djm@cvs.openbsd.org 2014/04/01 03:34:10
--     [sshconnect.c]
--     When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
--     certificate keys to plain keys and attempt SSHFP resolution.
--     
--     Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
--     dialog by offering only certificate keys.
--     
--     Reported by mcv21 AT cam.ac.uk
-+ - (djm) [bufaux.c compat.c compat.h sshconnect2.c sshd.c version.h]
-+   OpenSSH 6.5 and 6.6 sometimes encode a value used in the curve25519
-+   key exchange incorrectly, causing connection failures about 0.2% of
-+   the time when this method is used against a peer that implements
-+   the method properly.
-+
-+   Fix the problem and disable the curve25519 KEX when speaking to
-+   OpenSSH 6.5 or 6.6. This version will identify itself as 6.6.1
-+   to enable the compatability code.
-+
-+ - djm@cvs.openbsd.org 2014/04/01 03:34:10
-+   [sshconnect.c]
-+   When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
-+   certificate keys to plain keys and attempt SSHFP resolution.
-+   
-+   Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
-+   dialog by offering only certificate keys.
-+   
-+   Reported by mcv21 AT cam.ac.uk
- 
- 20140313
-  - (djm) Release OpenSSH 6.6
-diff --git a/bufaux.c b/bufaux.c
-index e24b5fc..f6a6f2a 100644
---- a/bufaux.c
-+++ b/bufaux.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
-+/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
- /*
-  * Author: Tatu Ylonen <ylo@cs.hut.fi>
-  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l)
- 
- 	if (l > 8 * 1024)
- 		fatal("%s: length %u too long", __func__, l);
-+	/* Skip leading zero bytes */
-+	for (; l > 0 && *s == 0; l--, s++)
-+		;
- 	p = buf = xmalloc(l + 1);
- 	/*
- 	 * If most significant bit is set then prepend a zero byte to
-diff --git a/compat.c b/compat.c
-index 9d9fabe..2709dc5 100644
---- a/compat.c
-+++ b/compat.c
-@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
- 		{ "Sun_SSH_1.0*",	SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
- 		{ "OpenSSH_4*",		0 },
- 		{ "OpenSSH_5*",		SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
-+		{ "OpenSSH_6.6.1*",	SSH_NEW_OPENSSH},
-+		{ "OpenSSH_6.5*,"
-+		  "OpenSSH_6.6*",	SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
- 		{ "OpenSSH*",		SSH_NEW_OPENSSH },
- 		{ "*MindTerm*",		0 },
- 		{ "2.1.0*",		SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
-@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop)
- 	return cipher_prop;
- }
- 
--
- char *
- compat_pkalg_proposal(char *pkalg_prop)
- {
-@@ -265,3 +267,16 @@ compat_pkalg_proposal(char *pkalg_prop)
- 	return pkalg_prop;
- }
- 
-+char *
-+compat_kex_proposal(char *kex_prop)
-+{
-+	if (!(datafellows & SSH_BUG_CURVE25519PAD))
-+		return kex_prop;
-+	debug2("%s: original KEX proposal: %s", __func__, kex_prop);
-+	kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
-+	debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
-+	if (*kex_prop == '\0')
-+		fatal("No supported key exchange algorithms found");
-+	return kex_prop;
-+}
-+
-diff --git a/compat.h b/compat.h
-index b174fa1..a6c3f3d 100644
---- a/compat.h
-+++ b/compat.h
-@@ -59,6 +59,7 @@
- #define SSH_BUG_RFWD_ADDR	0x02000000
- #define SSH_NEW_OPENSSH		0x04000000
- #define SSH_BUG_DYNAMIC_RPORT	0x08000000
-+#define SSH_BUG_CURVE25519PAD	0x10000000
- 
- void     enable_compat13(void);
- void     enable_compat20(void);
-@@ -66,6 +67,7 @@ void     compat_datafellows(const char *);
- int	 proto_spec(const char *);
- char	*compat_cipher_proposal(char *);
- char	*compat_pkalg_proposal(char *);
-+char	*compat_kex_proposal(char *);
- 
- extern int compat13;
- extern int compat20;
-diff --git a/sshconnect2.c b/sshconnect2.c
-index bb9292f..b00658b 100644
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -220,6 +220,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
- 	}
- 	if (options.kex_algorithms != NULL)
- 		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
-+	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
-+	    myproposal[PROPOSAL_KEX_ALGS]);
- 
- #ifdef GSSAPI
- 	/* If we've got GSSAPI algorithms, then we also support the
-diff --git a/sshd.c b/sshd.c
-index e4e406e..512c7ed 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -2488,6 +2488,9 @@ do_ssh2_kex(void)
- 	if (options.kex_algorithms != NULL)
- 		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
- 
-+	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
-+	    myproposal[PROPOSAL_KEX_ALGS]);
-+
- 	if (options.rekey_limit || options.rekey_interval)
- 		packet_set_rekey_limits((u_int32_t)options.rekey_limit,
- 		    (time_t)options.rekey_interval);
-diff --git a/version.h b/version.h
-index a1579ac..a33e77c 100644
---- a/version.h
-+++ b/version.h
-@@ -1,6 +1,6 @@
- /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
- 
--#define SSH_VERSION	"OpenSSH_6.6"
-+#define SSH_VERSION	"OpenSSH_6.6.1"
- 
- #define SSH_PORTABLE	"p1"
- #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE

openssh-6.4p1-CLOCK_BOOTTIME.patch

@@ -1,29 +0,0 @@
---- a/misc.c
-+++ b/misc.c
-@@ -865,17 +865,24 @@ ms_to_timeval(struct timeval *tv, int ms
- time_t
- monotime(void)
- {
--#if defined(HAVE_CLOCK_GETTIME) && defined(CLOCK_MONOTONIC)
-+#if defined(HAVE_CLOCK_GETTIME) && \
-+    (defined(CLOCK_MONOTONIC) || defined(CLOCK_BOOTTIME))
- 	struct timespec ts;
- 	static int gettime_failed = 0;
- 
- 	if (!gettime_failed) {
-+#if defined(CLOCK_BOOTTIME)
-+		if (clock_gettime(CLOCK_BOOTTIME, &ts) == 0)
-+			return (ts.tv_sec);
-+#endif
-+#if defined(CLOCK_MONOTONIC)
- 		if (clock_gettime(CLOCK_MONOTONIC, &ts) == 0)
- 			return (ts.tv_sec);
-+#endif
- 		debug3("clock_gettime: %s", strerror(errno));
- 		gettime_failed = 1;
- 	}
--#endif
-+#endif /* HAVE_CLOCK_GETTIME && (CLOCK_MONOTONIC || CLOCK_BOOTTIME */
- 
- 	return time(NULL);
- }

openssh-6.6.1p1-NI_MAXHOST.patch

@@ -1,76 +0,0 @@
-diff --git a/ChangeLog b/ChangeLog
-index 928999d..3887495 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,10 @@
-+20140703
-+ - OpenBSD CVS Sync
-+   - djm@cvs.openbsd.org 2014/07/03 03:34:09
-+     [gss-serv.c session.c ssh-keygen.c]
-+     standardise on NI_MAXHOST for gethostname() string lengths; about
-+     1/2 the cases were using it already. Fixes bz#2239 en passant
-+
- 20140420
-  - (djm) [bufaux.c compat.c compat.h sshconnect2.c sshd.c version.h]
-    OpenSSH 6.5 and 6.6 sometimes encode a value used in the curve25519
-diff --git a/gss-serv.c b/gss-serv.c
-index 14f540e..29916d3 100644
---- a/gss-serv.c
-+++ b/gss-serv.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: gss-serv.c,v 1.26 2014/02/26 20:28:44 djm Exp $ */
-+/* $OpenBSD: gss-serv.c,v 1.27 2014/07/03 03:34:09 djm Exp $ */
- 
- /*
-  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
-@@ -102,14 +102,14 @@ static OM_uint32
- ssh_gssapi_acquire_cred(Gssctxt *ctx)
- {
- 	OM_uint32 status;
--	char lname[MAXHOSTNAMELEN];
-+	char lname[NI_MAXHOST];
- 	gss_OID_set oidset;
- 
- 	if (options.gss_strict_acceptor) {
- 		gss_create_empty_oid_set(&status, &oidset);
- 		gss_add_oid_set_member(&status, ctx->oid, &oidset);
- 
--		if (gethostname(lname, MAXHOSTNAMELEN)) {
-+		if (gethostname(lname, sizeof(lname))) {
- 			gss_release_oid_set(&status, &oidset);
- 			return (-1);
- 		}
-diff --git a/session.c b/session.c
-index ba4589b..e4add93 100644
---- a/session.c
-+++ b/session.c
-@@ -49,6 +49,7 @@
- #include <errno.h>
- #include <fcntl.h>
- #include <grp.h>
-+#include <netdb.h>
- #ifdef HAVE_PATHS_H
- #include <paths.h>
- #endif
-@@ -2669,7 +2670,7 @@ session_setup_x11fwd(Session *s)
- {
- 	struct stat st;
- 	char display[512], auth_display[512];
--	char hostname[MAXHOSTNAMELEN];
-+	char hostname[NI_MAXHOST];
- 	u_int i;
- 
- 	if (no_x11_forwarding_flag) {
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index 482dc1c..66198e6 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -165,7 +165,7 @@ int rounds = 0;
- /* argv0 */
- extern char *__progname;
- 
--char hostname[MAXHOSTNAMELEN];
-+char hostname[NI_MAXHOST];
- 
- /* moduli.c */
- int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);

openssh-6.6.1p1-ignore-SIGXFSZ-in-postauth.patch

@@ -1,28 +0,0 @@
-diff --git a/ChangeLog b/ChangeLog
-index 3887495..a4dc72f 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,9 @@
-+20140823
-+ - (djm) [sshd.c] Ignore SIGXFSZ in preauth monitor child; can explode on
-+   lastlog writing on platforms with high UIDs; bz#2263
-+ - (djm) [monitor.c sshd.c] SIGXFSZ needs to be ignored in postauth
-+   monitor, not preauth; bz#2263
-+
- 20140703
-  - OpenBSD CVS Sync
-    - djm@cvs.openbsd.org 2014/07/03 03:34:09
-diff --git a/monitor.c b/monitor.c
-index bdabe21..5a65114 100644
---- a/monitor.c
-+++ b/monitor.c
-@@ -501,6 +501,9 @@ monitor_child_postauth(struct monitor *pmonitor)
- 	signal(SIGHUP, &monitor_child_handler);
- 	signal(SIGTERM, &monitor_child_handler);
- 	signal(SIGINT, &monitor_child_handler);
-+#ifdef SIGXFSZ
-+	signal(SIGXFSZ, SIG_IGN);
-+#endif
- 
- 	if (compat20) {
- 		mon_dispatch = mon_dispatch_postauth20;

openssh-6.6p1-CVE-2014-2653.patch

@@ -1,80 +0,0 @@
-diff --git a/ChangeLog b/ChangeLog
-index 38de846..1603a07 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,14 @@
-+20140420
-+   - djm@cvs.openbsd.org 2014/04/01 03:34:10
-+     [sshconnect.c]
-+     When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
-+     certificate keys to plain keys and attempt SSHFP resolution.
-+     
-+     Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
-+     dialog by offering only certificate keys.
-+     
-+     Reported by mcv21 AT cam.ac.uk
-+
- 20140313
-  - (djm) Release OpenSSH 6.6
- 
-diff --git a/sshconnect.c b/sshconnect.c
-index 394cca8..e636f33 100644
---- a/sshconnect.c
-+++ b/sshconnect.c
-@@ -1219,30 +1219,40 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
- {
- 	int flags = 0;
- 	char *fp;
-+	Key *plain = NULL;
- 
- 	fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
- 	debug("Server host key: %s %s%s", key_type(host_key),
- 	    key_fingerprint_prefix(), fp);
- 	free(fp);
- 
--	/* XXX certs are not yet supported for DNS */
--	if (!key_is_cert(host_key) && options.verify_host_key_dns &&
--	    verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
--		if (flags & DNS_VERIFY_FOUND) {
--
--			if (options.verify_host_key_dns == 1 &&
--			    flags & DNS_VERIFY_MATCH &&
--			    flags & DNS_VERIFY_SECURE)
--				return 0;
--
--			if (flags & DNS_VERIFY_MATCH) {
--				matching_host_key_dns = 1;
--			} else {
--				warn_changed_key(host_key);
--				error("Update the SSHFP RR in DNS with the new "
--				    "host key to get rid of this message.");
-+	if (options.verify_host_key_dns) {
-+		/*
-+		 * XXX certs are not yet supported for DNS, so downgrade
-+		 * them and try the plain key.
-+		 */
-+		plain = key_from_private(host_key);
-+		if (key_is_cert(plain))
-+			key_drop_cert(plain);
-+		if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
-+			if (flags & DNS_VERIFY_FOUND) {
-+				if (options.verify_host_key_dns == 1 &&
-+				    flags & DNS_VERIFY_MATCH &&
-+				    flags & DNS_VERIFY_SECURE) {
-+					key_free(plain);
-+					return 0;
-+				}
-+				if (flags & DNS_VERIFY_MATCH) {
-+					matching_host_key_dns = 1;
-+				} else {
-+					warn_changed_key(plain);
-+					error("Update the SSHFP RR in DNS "
-+					    "with the new host key to get rid "
-+					    "of this message.");
-+				}
- 			}
- 		}
-+		key_free(plain);
- 	}
- 
- 	return check_host_key(host, hostaddr, options.port, host_key, RDRW,

openssh.spec

@@ -151,8 +151,6 @@ Patch702: openssh-5.1p1-askpass-progress.patch
 #?
 Patch703: openssh-4.3p2-askpass-grab-info.patch
 #?
-Patch705: openssh-5.1p1-scp-manpage.patch
-#?
 Patch706: openssh-6.6.1p1-localdomain.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
 Patch707: openssh-6.6p1-redhat.patch
@@ -187,16 +185,6 @@ Patch902: openssh-6.3p1-krb5-use-default_ccache_name.patch
 Patch905: openssh-6.4p1-legacy-ssh-copy-id.patch
 # Use tty allocation for a remote scp (#985650)
 Patch906: openssh-6.4p1-fromto-remote.patch
-# Try CLOCK_BOOTTIME with fallback (#1091992)
-Patch907: openssh-6.4p1-CLOCK_BOOTTIME.patch
-# Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
-# dialog by offering only certificate keys. (#1081338)
-Patch908: openssh-6.6p1-CVE-2014-2653.patch
-# OpenSSH 6.5 and 6.6 sometimes encode a value used in the curve25519 key exchange incorrectly
-# Disable the curve25519 KEX when speaking to OpenSSH 6.5 or 6.6
-Patch909: openssh-5618210618256bbf5f4f71b2887ff186fd451736.patch
-# standardise on NI_MAXHOST for gethostname() string lengths (#1051490)
-Patch910: openssh-6.6.1p1-NI_MAXHOST.patch
 # set a client's address right after a connection is set
 # http://bugzilla.mindrot.org/show_bug.cgi?id=2257
 Patch911: openssh-6.6p1-set_remote_ipaddr.patch
@@ -210,9 +198,6 @@ Patch913: openssh-6.6.1p1-partial-success.patch
 # fix parsing of empty options in sshd_conf
 # https://bugzilla.mindrot.org/show_bug.cgi?id=2281
 Patch914: openssh-6.6.1p1-servconf-parser.patch
-# Ignore SIGXFSZ in postauth monitor
-# https://bugzilla.mindrot.org/show_bug.cgi?id=2263
-Patch915: openssh-6.6.1p1-ignore-SIGXFSZ-in-postauth.patch
 # privsep_preauth: use SELinux context from selinux-policy (#1008580)
 Patch916: openssh-6.6.1p1-selinux-contexts.patch
 # use different values for DH for Cisco servers (#1026430)