From 8f4d190341106780a711ea6dfef8f60f2c5905d2 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy
Date: Fri, 27 Aug 2021 13:59:51 +0200
Subject: [PATCH] OpenSSH 8.7p1 patches rebase
---
openssh-6.6p1-GSSAPIEnablek5users.patch | 8 +-
openssh-6.6p1-kuserok.patch | 20 +-
openssh-6.7p1-coverity.patch | 113 ++++-----
openssh-7.6p1-audit.patch | 17 +-
openssh-7.7p1-gssapi-new-unique.patch | 12 +-
openssh-7.8p1-UsePAM-warning.patch | 2 +-
openssh-7.8p1-role-mls.patch | 2 +-
openssh-8.0p1-crypto-policies.patch | 72 +++---
openssh-8.0p1-gssapi-keyex.patch | 88 +++----
openssh-8.0p1-pkcs11-uri.patch | 257 ++++++++++---------
openssh-8.0p1-restore-nonblock.patch | 320 ------------------------
openssh-8.4p1-debian-compat.patch | 57 -----
12 files changed, 283 insertions(+), 685 deletions(-)
delete mode 100644 openssh-8.0p1-restore-nonblock.patch
delete mode 100644 openssh-8.4p1-debian-compat.patch
diff --git a/openssh-6.6p1-GSSAPIEnablek5users.patch b/openssh-6.6p1-GSSAPIEnablek5users.patch
index 6ee2535..cccb3e0 100644
--- a/openssh-6.6p1-GSSAPIEnablek5users.patch
+++ b/openssh-6.6p1-GSSAPIEnablek5users.patch
@@ -28,7 +28,7 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
+ options->enable_k5users = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
- options->challenge_response_authentication = -1;
+ options->permit_empty_passwd = -1;
@@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
#endif
if (options->use_kuserok == -1)
@@ -72,9 +72,9 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
+ intptr = &options->enable_k5users;
+ goto parse_flag;
+
- case sPermitListen:
- case sPermitOpen:
- if (opcode == sPermitListen) {
+ case sMatch:
+ if (cmdline)
+ fatal("Match directive not supported as a command-line "
@@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk);
diff --git a/openssh-6.6p1-kuserok.patch b/openssh-6.6p1-kuserok.patch index 407ff4c..1831f27 100644 --- a/openssh-6.6p1-kuserok.patch +++ b/openssh-6.6p1-kuserok.patch @@ -182,7 +182,7 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c + options->use_kuserok = -1; options->password_authentication = -1; options->kbd_interactive_authentication = -1; - options->challenge_response_authentication = -1; + options->permit_empty_passwd = -1; @@ -278,6 +279,8 @@ fill_default_server_options(ServerOption if (options->gss_kex_algorithms == NULL) options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX); @@ -193,9 +193,9 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) @@ -399,7 +402,7 @@ typedef enum { - sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, - sRhostsRSAAuthentication, sRSAAuthentication, - sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, + sPort, sHostKeyFile, sLoginGraceTime, + sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, + sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, - sKerberosGetAFSToken, sKerberosUniqueCCache, + sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok, sChallengeResponseAuthentication, @@ -217,16 +217,16 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, @@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions - *inc_flags &= ~SSHCFG_MATCH_ONLY; - break; - + } + break; + + case sKerberosUseKuserok: + intptr = &options->use_kuserok; + goto parse_flag; + - case sPermitListen: - case sPermitOpen: - if (opcode == sPermitListen) { + case sMatch: + if (cmdline) + fatal("Match directive not supported as a command-line " 
@@ -2016,6 +2025,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(client_alive_interval);
M_CP_INTOPT(ip_qos_interactive);
diff --git a/openssh-6.7p1-coverity.patch b/openssh-6.7p1-coverity.patch
index 2814c6f..930de69 100644
--- a/openssh-6.7p1-coverity.patch
+++ b/openssh-6.7p1-coverity.patch
@@ -54,18 +54,6 @@ diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c
diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c
--- openssh-8.5p1/auth-options.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/auth-options.c 2021-03-24 12:03:33.782968159 +0100
-@@ -409,8 +409,10 @@ sshauthopt_parse(const char *opts, const
- errstr = "invalid environment string";
- goto fail;
- }
-- if ((cp = strdup(opt)) == NULL)
-+ if ((cp = strdup(opt)) == NULL) {
-+ free(opt);
- goto alloc_fail;
-+ }
- cp[tmp - opt] = '\0'; /* truncate at '=' */
- if (!valid_env_name(cp)) {
- free(cp);
@@ -706,6 +708,7 @@ serialise_array(struct sshbuf *m, char *
return r;
}
@@ -133,13 +121,13 @@ diff -up openssh-8.5p1/dns.c.coverity openssh-8.5p1/dns.c
--- openssh-8.5p1/dns.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/dns.c 2021-03-24 12:03:33.783968166 +0100
@@ -282,6 +282,7 @@ verify_host_key_dns(const char *hostname
- &hostkey_digest_len, hostkey)) {
- error("Error calculating key fingerprint.");
- freerrset(fingerprints);
+ &hostkey_digest, &hostkey_digest_len, hostkey)) {
+ error("Error calculating key fingerprint.");
+ freerrset(fingerprints);
+ free(dnskey_digest);
- return -1;
- }
- }
+ return -1;
+ }
+
diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c
--- openssh-8.5p1/gss-genr.c.coverity 2021-03-26 11:52:46.613942552 +0100
+++ openssh-8.5p1/gss-genr.c 2021-03-26 11:54:37.881726318 +0100
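Review bot: The rebase drops the sshauthopt_parse hunk that released `opt` when `strdup(opt)` fails before `goto alloc_fail`, and nothing in this patch-of-patch shows that the 8.7p1 tree now frees `opt` on that path itself. If upstream did not pick the fix up, the rebase silently reintroduces the allocation-failure leak that Coverity originally reported, so the dropped hunk should be re-carried or the reason for dropping it recorded. A one-line remark at the top of openssh-6.7p1-coverity.patch such as `auth-options.c strdup-failure hunk removed: fixed upstream in 8.7p1 (verify)` would let the next rebaser skip this check. The dns.c hunk in the same file only refreshes context and keeps the `free(dnskey_digest)` on the fingerprint-error path, which looks right.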
@@ -316,6 +304,36 @@ diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/open
int i;
if (sa == NULL) {
+diff -up openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity openssh-8.7p1/openbsd-compat/bsd-pselect.c
+--- openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity 2021-08-30 16:36:11.357288009 +0200
++++ openssh-8.7p1/openbsd-compat/bsd-pselect.c 2021-08-30 16:37:21.791897976 +0200
+@@ -113,13 +113,13 @@ pselect_notify_setup(void)
+ static void
+ pselect_notify_parent(void)
+ {
+- if (notify_pipe[1] != -1)
++ if (notify_pipe[1] >= 0)
+ (void)write(notify_pipe[1], "", 1);
+ }
+ static void
+ pselect_notify_prepare(fd_set *readset)
+ {
+- if (notify_pipe[0] != -1)
++ if (notify_pipe[0] >= 0)
+ FD_SET(notify_pipe[0], readset);
+ }
+ static void
+@@ -127,8 +127,8 @@ pselect_notify_done(fd_set *readset)
+ {
+ char c;
+
+- if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset)) {
+- while (read(notify_pipe[0], &c, 1) != -1)
++ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset)) {
++ while (read(notify_pipe[0], &c, 1) >= 0)
+ debug2_f("reading");
+ FD_CLR(notify_pipe[0], readset);
+ }
diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c
--- openssh-8.5p1/readconf.c.coverity 2021-03-24 12:03:33.778968131 +0100
+++ openssh-8.5p1/readconf.c 2021-03-24 12:03:33.785968180 +0100
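Review bot: In the new bsd-pselect.c hunk the drain loop `while (read(notify_pipe[0], &c, 1) >= 0)` still counts a 0 (end-of-file) return as "more to read", so the loop only ends on an error return such as EAGAIN; that mirrors the `!= -1` test it replaces and the former serverloop.c hunk, but `while (read(notify_pipe[0], &c, 1) > 0)` is the precise "a byte was consumed" condition and would also terminate should the write end ever be closed. Whether the pipe is non-blocking is decided in pselect_notify_setup, outside this hunk, so the loop's termination cannot be confirmed from here. The `>= 0` descriptor checks on the other three lines are equivalent to the `!= -1` they replace and are fine.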
@@ -324,33 +342,29 @@ diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c error("%.200s line %d: glob failed for %s.", filename, linenum, arg2); + free(arg2); - return -1; + goto out; } free(arg2); -diff -up openssh-7.4p1/scp.c.coverity openssh-7.4p1/scp.c ---- openssh-7.4p1/scp.c.coverity 2016-12-23 16:40:26.856788681 +0100 -+++ openssh-7.4p1/scp.c 2016-12-23 16:40:26.901788691 +0100 -@@ -157,7 +157,7 @@ killchild(int signo) +diff -up openssh-8.7p1/scp.c.coverity openssh-8.7p1/scp.c +--- openssh-8.7p1/scp.c.coverity 2021-08-30 16:23:35.389741329 +0200 ++++ openssh-8.7p1/scp.c 2021-08-30 16:27:04.854555296 +0200 +@@ -186,11 +186,11 @@ killchild(int signo) { if (do_cmd_pid > 1) { kill(do_cmd_pid, signo ? signo : SIGTERM); - waitpid(do_cmd_pid, NULL, 0); + (void) waitpid(do_cmd_pid, NULL, 0); } + if (do_cmd_pid2 > 1) { + kill(do_cmd_pid2, signo ? signo : SIGTERM); +- waitpid(do_cmd_pid2, NULL, 0); ++ (void) waitpid(do_cmd_pid2, NULL, 0); + } if (signo) diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c --- openssh-7.4p1/servconf.c.coverity 2016-12-23 16:40:26.896788690 +0100 +++ openssh-7.4p1/servconf.c 2016-12-23 16:40:26.901788691 +0100 -@@ -1547,7 +1547,7 @@ process_server_config_line(ServerOptions - fatal("%s line %d: Missing subsystem name.", - filename, linenum); - if (!*activep) { -- arg = strdelim(&cp); -+ /*arg =*/ (void) strdelim(&cp); - break; - } - for (i = 0; i < options->num_subsystems; i++) @@ -1638,8 +1638,9 @@ process_server_config_line(ServerOptions if (*activep && *charptr == NULL) { *charptr = tilde_expand_filename(arg, getuid()); 
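Review bot: The readconf.c hunk keeps the patch's `free(arg2);` immediately before the upstream `goto out;` that replaced `return -1;`; that is only leak-free and double-free-safe if the `out:` cleanup (outside this hunk) does not itself release `arg2` and if the function's return value still reflects the glob error at that point, and neither is visible here, so please confirm against the 8.7p1 Include handling. A comment next to the free, `/* arg2 is not released at out: */`, would document the dependency. The scp.c change wrapping the new `do_cmd_pid2` wait as `(void) waitpid(do_cmd_pid2, NULL, 0);` is consistent with the existing `do_cmd_pid` line.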
@@ -363,37 +377,10 @@ diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c } break; -diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c ---- openssh-7.4p1/serverloop.c.coverity 2016-12-19 05:59:41.000000000 +0100 -+++ openssh-7.4p1/serverloop.c 2016-12-23 16:40:26.902788691 +0100 -@@ -125,13 +125,13 @@ notify_setup(void) - static void - notify_parent(void) - { -- if (notify_pipe[1] != -1) -+ if (notify_pipe[1] >= 0) - (void)write(notify_pipe[1], "", 1); - } - static void - notify_prepare(fd_set *readset) - { -- if (notify_pipe[0] != -1) -+ if (notify_pipe[0] >= 0) - FD_SET(notify_pipe[0], readset); - } - static void -@@ -139,8 +139,8 @@ notify_done(fd_set *readset) - { - char c; - -- if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset)) -- while (read(notify_pipe[0], &c, 1) != -1) -+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset)) -+ while (read(notify_pipe[0], &c, 1) >= 0) - debug2_f("reading"); - } - -@@ -518,7 +518,7 @@ server_request_tun(void) +diff -up openssh-8.7p1/serverloop.c.coverity openssh-8.7p1/serverloop.c +--- openssh-8.7p1/serverloop.c.coverity 2021-08-20 06:03:49.000000000 +0200 ++++ openssh-8.7p1/serverloop.c 2021-08-30 16:28:22.416226981 +0200 +@@ -547,7 +547,7 @@ server_request_tun(struct ssh *ssh) debug_f("invalid tun"); goto done; } diff --git a/openssh-7.6p1-audit.patch b/openssh-7.6p1-audit.patch index f3b1334..4473518 100644 --- a/openssh-7.6p1-audit.patch +++ b/openssh-7.6p1-audit.patch 
@@ -807,15 +807,6 @@ diff -up openssh-8.6p1/auth2-pubkey.c.audit openssh-8.6p1/auth2-pubkey.c diff -up openssh-8.6p1/auth.c.audit openssh-8.6p1/auth.c --- openssh-8.6p1/auth.c.audit 2021-04-19 16:47:35.681061553 +0200 +++ openssh-8.6p1/auth.c 2021-04-19 16:47:35.754062114 +0200 -@@ -367,7 +367,7 @@ auth_log(struct ssh *ssh, int authentica - # endif - #endif - #ifdef SSH_AUDIT_EVENTS -- if (authenticated == 0 && !authctxt->postponed) -+ if (authenticated == 0 && !authctxt->postponed && !partial) - audit_event(ssh, audit_classify_auth(method)); - #endif - } @@ -597,9 +597,6 @@ getpwnamallow(struct ssh *ssh, const cha record_failed_login(ssh, user, auth_get_canonical_hostname(ssh, options.use_dns), "ssh"); @@ -1204,9 +1195,9 @@ diff -up openssh-8.6p1/monitor.c.audit openssh-8.6p1/monitor.c - ret = sshkey_verify(key, signature, signaturelen, data, datalen, - sigalg, ssh->compat, &sig_details); - debug3_f("%s %p signature %s%s%s", auth_method, key, - (ret == 0) ? "verified" : "unverified", - (ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : ""); + debug3_f("%s %s signature %s%s%s", auth_method, sshkey_type(key), + (ret == 0) ? "verified" : "unverified", + (ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : ""); @@ -1576,13 +1600,19 @@ mm_record_login(struct ssh *ssh, Session } @@ -2065,7 +2056,7 @@ diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c close_startup_pipes(void) { @@ -377,18 +387,45 @@ grace_alarm_handler(int sig) - ssh_remote_port(the_active_state)); + } } -/* Destroy the host and server keys. They will no longer be needed. */ diff --git a/openssh-7.7p1-gssapi-new-unique.patch b/openssh-7.7p1-gssapi-new-unique.patch index 387b7a0..c130022 100644 --- a/openssh-7.7p1-gssapi-new-unique.patch +++ b/openssh-7.7p1-gssapi-new-unique.patch @@ -504,15 +504,15 @@ diff -up openssh-8.6p1/servconf.c.ccache_name openssh-8.6p1/servconf.c options->gss_authentication = 0; if (options->gss_keyex == -1) 
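Review bot: The audit patch no longer carries the auth_log hunk that extended the guard to `if (authenticated == 0 && !authctxt->postponed && !partial)` before `audit_event(ssh, audit_classify_auth(method))`. Unless the 8.7p1 auth_log already suppresses the audit event for partial successes, each completed step of a multi-method AuthenticationMethods chain would again be recorded as an authentication failure, which changes what audit consumers see without any functional change in sshd. If an upstream change made the hunk redundant, a line at the top of openssh-7.6p1-audit.patch stating that would save the next rebaser the same check; otherwise the hunk should be re-added. The monitor.c hunk in the same file only follows upstream's switch from `%p`/`key` to `%s`/`sshkey_type(key)` in the debug line and needs no further change.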
@@ -506,7 +509,8 @@ typedef enum { - sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, - sRhostsRSAAuthentication, sRSAAuthentication, - sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, + sPort, sHostKeyFile, sLoginGraceTime, + sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, + sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, - sKerberosGetAFSToken, sChallengeResponseAuthentication, + sKerberosGetAFSToken, sKerberosUniqueCCache, + sChallengeResponseAuthentication, - sPasswordAuthentication, sKbdInteractiveAuthentication, - sListenAddress, sAddressFamily, - sPrintMotd, sPrintLastLog, sIgnoreRhosts, + sPasswordAuthentication, sKbdInteractiveAuthentication, + sListenAddress, sAddressFamily, + sPrintMotd, sPrintLastLog, sIgnoreRhosts, @@ -593,11 +597,13 @@ static struct { #else { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, diff --git a/openssh-7.8p1-UsePAM-warning.patch b/openssh-7.8p1-UsePAM-warning.patch index 519ee29..8560c9f 100644 --- a/openssh-7.8p1-UsePAM-warning.patch +++ b/openssh-7.8p1-UsePAM-warning.patch @@ -18,7 +18,7 @@ diff -up openssh-8.6p1/sshd_config.log-usepam-no openssh-8.6p1/sshd_config @@ -87,6 +87,8 @@ AuthorizedKeysFile .ssh/authorized_keys # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication - # and ChallengeResponseAuthentication to 'no'. + # and KbdInteractiveAuthentication to 'no'. +# WARNING: 'UsePAM no' is not supported in Fedora and may cause several +# problems. #UsePAM no diff --git a/openssh-7.8p1-role-mls.patch b/openssh-7.8p1-role-mls.patch index 145eac0..48f9f10 100644 --- a/openssh-7.8p1-role-mls.patch +++ b/openssh-7.8p1-role-mls.patch 
@@ -337,7 +337,7 @@ diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Make --- openssh/openbsd-compat/Makefile.in.role-mls 2018-08-20 07:57:29.000000000 +0200 +++ openssh/openbsd-compat/Makefile.in 2018-08-22 11:14:56.819430949 +0200 @@ -92,7 +92,8 @@ PORTS= port-aix.o \ - port-linux.o \ + port-prngd.o \ port-solaris.o \ port-net.o \ - port-uw.o diff --git a/openssh-8.0p1-crypto-policies.patch b/openssh-8.0p1-crypto-policies.patch index 4baa024..762825e 100644 --- a/openssh-8.0p1-crypto-policies.patch +++ b/openssh-8.0p1-crypto-policies.patch @@ -1,7 +1,7 @@ -diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5 ---- openssh-8.6p1/ssh_config.5.crypto-policies 2021-04-19 15:18:32.071920379 +0200 -+++ openssh-8.6p1/ssh_config.5 2021-04-19 15:21:18.400179265 +0200 -@@ -368,15 +368,13 @@ or +diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5 +--- openssh-8.7p1/ssh_config.5.crypto-policies 2021-08-30 13:29:00.174292872 +0200 ++++ openssh-8.7p1/ssh_config.5 2021-08-30 13:31:32.009548808 +0200 +@@ -373,17 +373,13 @@ or .Qq *.c.example.com domains. .It Cm CASignatureAlgorithms 
@@ -14,15 +14,17 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5 by certificate authorities (CAs). -The default is: -.Bd -literal -offset indent --ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, --sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com, +-ssh-ed25519,ecdsa-sha2-nistp256, +-ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +-sk-ssh-ed25519@openssh.com, +-sk-ecdsa-sha2-nistp256@openssh.com, -rsa-sha2-512,rsa-sha2-256 -.Ed -.Pp - .Xr ssh 1 - will not accept host certificates signed using algorithms other than those - specified. -@@ -436,20 +434,25 @@ If the option is set to + If the specified list begins with a + .Sq + + character, then the specified algorithms will be appended to the default set +@@ -445,20 +441,25 @@ If the option is set to (the default), the check will not be executed. .It Cm Ciphers @@ -52,7 +54,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5 .Pp The supported ciphers are: .Bd -literal -offset indent -@@ -465,13 +468,6 @@ aes256-gcm@openssh.com +@@ -474,13 +475,6 @@ aes256-gcm@openssh.com chacha20-poly1305@openssh.com .Ed .Pp @@ -66,7 +68,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5 The list of available ciphers may also be obtained using .Qq ssh -Q cipher . .It Cm ClearAllForwardings -@@ -826,6 +822,11 @@ command line will be passed untouched to +@@ -874,6 +868,11 @@ command line will be passed untouched to The default is .Dq no . .It Cm GSSAPIKexAlgorithms @@ -78,7 +80,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5 The list of key exchange algorithms that are offered for GSSAPI key exchange. Possible values are .Bd -literal -offset 3n -@@ -838,10 +839,8 @@ gss-nistp256-sha256-, +@@ -886,10 +885,8 @@ gss-nistp256-sha256-, gss-curve25519-sha256- .Ed .Pp 
@@ -90,7 +92,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5 .It Cm HashKnownHosts Indicates that .Xr ssh 1 -@@ -1169,29 +1168,25 @@ it may be zero or more of: +@@ -1219,29 +1216,25 @@ it may be zero or more of: and .Cm pam . .It Cm KexAlgorithms @@ -129,7 +131,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5 .Pp The list of available key exchange algorithms may also be obtained using .Qq ssh -Q kex . -@@ -1301,37 +1296,33 @@ function, and all code in the +@@ -1351,37 +1344,33 @@ function, and all code in the file. This option is intended for debugging and no overrides are enabled by default. .It Cm MACs @@ -176,7 +178,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5 The list of available MAC algorithms may also be obtained using .Qq ssh -Q mac . .It Cm NoHostAuthenticationForLocalhost -@@ -1503,37 +1494,25 @@ instead of continuing to execute and pas +@@ -1553,37 +1542,25 @@ instead of continuing to execute and pas The default is .Cm no . .It Cm PubkeyAcceptedAlgorithms @@ -223,10 +225,10 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5 .Pp The list of available signature algorithms may also be obtained using .Qq ssh -Q PubkeyAcceptedAlgorithms . -diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5 ---- openssh-8.6p1/sshd_config.5.crypto-policies 2021-04-19 15:18:32.062920311 +0200 -+++ openssh-8.6p1/sshd_config.5 2021-04-19 15:20:42.591908243 +0200 -@@ -373,15 +373,13 @@ If the argument is +diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5 +--- openssh-8.7p1/sshd_config.5.crypto-policies 2021-08-30 13:29:00.157292731 +0200 ++++ openssh-8.7p1/sshd_config.5 2021-08-30 13:32:16.263918533 +0200 +@@ -373,17 +373,13 @@ If the argument is then no banner is displayed. By default, no banner is displayed. .It Cm CASignatureAlgorithms 
@@ -239,15 +241,17 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5 by certificate authorities (CAs). -The default is: -.Bd -literal -offset indent --ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, --sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com, +-ssh-ed25519,ecdsa-sha2-nistp256, +-ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +-sk-ssh-ed25519@openssh.com, +-sk-ecdsa-sha2-nistp256@openssh.com, -rsa-sha2-512,rsa-sha2-256 -.Ed -.Pp - Certificates signed using other algorithms will not be accepted for - public key or host-based authentication. - .It Cm ChallengeResponseAuthentication -@@ -445,20 +443,25 @@ The default is + If the specified list begins with a + .Sq + + character, then the specified algorithms will be appended to the default set +@@ -450,20 +446,25 @@ The default is indicating not to .Xr chroot 2 . .It Cm Ciphers @@ -277,7 +281,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5 .Pp The supported ciphers are: .Pp -@@ -485,13 +488,6 @@ aes256-gcm@openssh.com +@@ -490,13 +491,6 @@ aes256-gcm@openssh.com chacha20-poly1305@openssh.com .El .Pp @@ -291,7 +295,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5 The list of available ciphers may also be obtained using .Qq ssh -Q cipher . .It Cm ClientAliveCountMax -@@ -680,21 +676,22 @@ For this to work +@@ -685,21 +679,22 @@ For this to work .Cm GSSAPIKeyExchange needs to be enabled in the server and also used by the client. .It Cm GSSAPIKexAlgorithms 
@@ -324,7 +328,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5 This option only applies to connections using GSSAPI. .It Cm HostbasedAcceptedAlgorithms Specifies the signature algorithms that will be accepted for hostbased -@@ -794,26 +791,13 @@ is specified, the location of the socket +@@ -799,26 +794,13 @@ is specified, the location of the socket .Ev SSH_AUTH_SOCK environment variable. .It Cm HostKeyAlgorithms @@ -356,7 +360,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5 The list of available signature algorithms may also be obtained using .Qq ssh -Q HostKeyAlgorithms . .It Cm IgnoreRhosts -@@ -958,20 +942,25 @@ Specifies whether to look at .k5login fi +@@ -965,20 +947,25 @@ Specifies whether to look at .k5login fi The default is .Cm yes . .It Cm KexAlgorithms @@ -386,7 +390,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5 The supported algorithms are: .Pp .Bl -item -compact -offset indent -@@ -1003,15 +992,6 @@ ecdh-sha2-nistp521 +@@ -1010,15 +997,6 @@ ecdh-sha2-nistp521 sntrup761x25519-sha512@openssh.com .El .Pp @@ -402,7 +406,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5 The list of available key exchange algorithms may also be obtained using .Qq ssh -Q KexAlgorithms . .It Cm ListenAddress -@@ -1097,21 +1077,26 @@ function, and all code in the +@@ -1104,21 +1082,26 @@ function, and all code in the file. This option is intended for debugging and no overrides are enabled by default. .It Cm MACs @@ -433,7 +437,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5 .Pp The algorithms that contain .Qq -etm -@@ -1154,15 +1139,6 @@ umac-64-etm@openssh.com +@@ -1161,15 +1144,6 @@ umac-64-etm@openssh.com umac-128-etm@openssh.com .El .Pp 
@@ -449,7 +453,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5 The list of available MAC algorithms may also be obtained using .Qq ssh -Q mac . .It Cm Match -@@ -1541,37 +1517,25 @@ or equivalent.) +@@ -1548,37 +1522,25 @@ or equivalent.) The default is .Cm yes . .It Cm PubkeyAcceptedAlgorithms diff --git a/openssh-8.0p1-gssapi-keyex.patch b/openssh-8.0p1-gssapi-keyex.patch index 2c29486..e26bebd 100644 --- a/openssh-8.0p1-gssapi-keyex.patch +++ b/openssh-8.0p1-gssapi-keyex.patch @@ -19,11 +19,10 @@ index e7549470..b68c1710 100644 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ srclimit.o sftp-server.o sftp-common.o \ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ -diff --git a/auth.c b/auth.c -index 086b8ebb..687c57b4 100644 ---- a/auth.c -+++ b/auth.c -@@ -400,7 +400,8 @@ auth_root_allowed(struct ssh *ssh, const char *method) +diff -up a/auth.c.gsskex b/auth.c +--- a/auth.c.gsskex 2021-08-20 06:03:49.000000000 +0200 ++++ b/auth.c 2021-08-27 12:41:51.262788953 +0200 +@@ -402,7 +402,8 @@ auth_root_allowed(struct ssh *ssh, const case PERMIT_NO_PASSWD: if (strcmp(method, "publickey") == 0 || strcmp(method, "hostbased") == 0 || @@ -33,18 +32,15 @@ index 086b8ebb..687c57b4 100644 return 1; break; case PERMIT_FORCED_ONLY: -@@ -724,99 +725,6 @@ fakepw(void) - return (&fake); +@@ -730,97 +731,6 @@ fakepw(void) } --/* + /* - * Returns the remote DNS hostname as a string. The returned string must not - * be freed. NB. this will usually trigger a DNS query the first time it is - * called. - * This function does additional checks on the hostname to mitigate some -- * attacks on legacy rhosts-style authentication. -- * XXX is RhostsRSAAuthentication vulnerable to these? -- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) +- * attacks on based on conflation of hostnames and IP addresses. - */ - -static char * 
@@ -130,9 +126,10 @@ index 086b8ebb..687c57b4 100644 - return xstrdup(name); -} - - /* +-/* * Return the canonical name of the host in the other side of the current * connection. The host name is cached, so it is efficient to call this + * several times. diff --git a/auth2-gss.c b/auth2-gss.c index 9351e042..d6446c0c 100644 --- a/auth2-gss.c @@ -2913,10 +2910,9 @@ index 23ab096a..485590c1 100644 #endif #ifdef USE_PAM -diff --git a/readconf.c b/readconf.c -index f3cac6b3..da8022dd 100644 ---- a/readconf.c -+++ b/readconf.c +diff -up a/readconf.c.gsskex b/readconf.c +--- a/readconf.c.gsskex 2021-08-20 06:03:49.000000000 +0200 ++++ b/readconf.c 2021-08-27 12:25:42.556421509 +0200 @@ -67,6 +67,7 @@ #include "uidswap.h" #include "myproposal.h" @@ -2925,7 +2921,7 @@ index f3cac6b3..da8022dd 100644 /* Format of the configuration file: -@@ -160,6 +161,8 @@ typedef enum { +@@ -161,6 +162,8 @@ typedef enum { oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oAddressFamily, oGssAuthentication, oGssDelegateCreds, @@ -2934,7 +2930,7 @@ index f3cac6b3..da8022dd 100644 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist, oHashKnownHosts, -@@ -204,10 +207,22 @@ static struct { +@@ -206,10 +209,22 @@ static struct { /* Sometimes-unsupported options */ #if defined(GSSAPI) { "gssapiauthentication", oGssAuthentication }, @@ -2957,7 +2953,7 @@ index f3cac6b3..da8022dd 100644 #endif #ifdef ENABLE_PKCS11 { "pkcs11provider", oPKCS11Provider }, -@@ -1029,10 +1044,42 @@ parse_time: +@@ -1113,10 +1128,42 @@ parse_time: intptr = &options->gss_authentication; goto parse_flag; @@ -2986,7 +2982,7 @@ index f3cac6b3..da8022dd 100644 + goto parse_flag; + + case oGssKexAlgorithms: -+ arg = strdelim(&s); ++ arg = argv_next(&ac, &av); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing argument.", + filename, linenum); 
@@ -3000,9 +2996,9 @@ index f3cac6b3..da8022dd 100644 case oBatchMode: intptr = &options->batch_mode; goto parse_flag; -@@ -1911,7 +1958,13 @@ initialize_options(Options * options) +@@ -2306,7 +2353,13 @@ initialize_options(Options * options) + options->fwd_opts.streamlocal_bind_unlink = -1; options->pubkey_authentication = -1; - options->challenge_response_authentication = -1; options->gss_authentication = -1; + options->gss_keyex = -1; options->gss_deleg_creds = -1; @@ -3014,8 +3010,8 @@ index f3cac6b3..da8022dd 100644 options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; -@@ -2059,8 +2112,18 @@ fill_default_options(Options * options) - options->challenge_response_authentication = 1; +@@ -2463,8 +2516,18 @@ fill_default_options(Options * options) + options->pubkey_authentication = 1; if (options->gss_authentication == -1) options->gss_authentication = 0; + if (options->gss_keyex == -1) @@ -3033,7 +3029,7 @@ index f3cac6b3..da8022dd 100644 if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -@@ -2702,7 +2765,14 @@ dump_client_config(Options *o, const char *host) +@@ -3246,7 +3309,14 @@ dump_client_config(Options *o, const cha dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports); #ifdef GSSAPI dump_cfg_fmtint(oGssAuthentication, o->gss_authentication); 
@@ -3048,13 +3044,12 @@ index f3cac6b3..da8022dd 100644 #endif /* GSSAPI */ dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts); dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication); -diff --git a/readconf.h b/readconf.h -index feedb3d2..a8a8870d 100644 ---- a/readconf.h -+++ b/readconf.h -@@ -41,7 +41,13 @@ typedef struct { - int challenge_response_authentication; - /* Try S/Key or TIS, authentication. */ +diff -up a/readconf.h.gsskex b/readconf.h +--- a/readconf.h.gsskex 2021-08-27 12:05:29.248142431 +0200 ++++ b/readconf.h 2021-08-27 12:22:19.270679852 +0200 +@@ -39,7 +39,13 @@ typedef struct { + int pubkey_authentication; /* Try ssh2 pubkey authentication. */ + int hostbased_authentication; /* ssh2's rhosts_rsa */ int gss_authentication; /* Try GSS authentication */ + int gss_keyex; /* Try GSS key exchange */ int gss_deleg_creds; /* Delegate GSS credentials */ @@ -3066,11 +3061,10 @@ index feedb3d2..a8a8870d 100644 int password_authentication; /* Try password * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ -diff --git a/servconf.c b/servconf.c -index 70f5f73f..191575a1 100644 ---- a/servconf.c -+++ b/servconf.c -@@ -69,6 +69,7 @@ +diff -up a/servconf.c.gsskex b/servconf.c +--- a/servconf.c.gsskex 2021-08-20 06:03:49.000000000 +0200 ++++ b/servconf.c 2021-08-27 12:28:15.887735189 +0200 +@@ -70,6 +70,7 @@ #include "auth.h" #include "myproposal.h" #include "digest.h" @@ -3078,7 +3072,7 @@ index 70f5f73f..191575a1 100644 static void add_listen_addr(ServerOptions *, const char *, const char *, int); -@@ -133,8 +134,11 @@ initialize_server_options(ServerOptions *options) +@@ -136,8 +137,11 @@ initialize_server_options(ServerOptions options->kerberos_ticket_cleanup = -1; options->kerberos_get_afs_token = -1; options->gss_authentication=-1; 
@@ -3089,8 +3083,8 @@ index 70f5f73f..191575a1 100644 + options->gss_kex_algorithms = NULL; options->password_authentication = -1; options->kbd_interactive_authentication = -1; - options->challenge_response_authentication = -1; -@@ -375,10 +379,18 @@ fill_default_server_options(ServerOptions *options) + options->permit_empty_passwd = -1; +@@ -356,10 +360,18 @@ fill_default_server_options(ServerOption options->kerberos_get_afs_token = 0; if (options->gss_authentication == -1) options->gss_authentication = 0; @@ -3109,7 +3103,7 @@ index 70f5f73f..191575a1 100644 if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -@@ -531,6 +543,7 @@ typedef enum { +@@ -506,6 +518,7 @@ typedef enum { sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, @@ -3117,7 +3111,7 @@ index 70f5f73f..191575a1 100644 sAcceptEnv, sSetEnv, sPermitTunnel, sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, -@@ -607,12 +620,22 @@ static struct { +@@ -587,12 +600,22 @@ static struct { #ifdef GSSAPI { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 
@@ -3139,8 +3133,8 @@ index 70f5f73f..191575a1 100644 + { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL }, { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, - { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, -@@ -1548,6 +1571,10 @@ process_server_config_line_depth(ServerOptions *options, char *line, + { "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */ +@@ -1576,6 +1599,10 @@ process_server_config_line_depth(ServerO intptr = &options->gss_authentication; goto parse_flag; @@ -3151,7 +3145,7 @@ index 70f5f73f..191575a1 100644 case sGssCleanupCreds: intptr = &options->gss_cleanup_creds; goto parse_flag; -@@ -1556,6 +1583,22 @@ process_server_config_line_depth(ServerOptions *options, char *line, +@@ -1584,6 +1611,22 @@ process_server_config_line_depth(ServerO intptr = &options->gss_strict_acceptor; goto parse_flag; @@ -3160,7 +3154,7 @@ index 70f5f73f..191575a1 100644 + goto parse_flag; + + case sGssKexAlgorithms: -+ arg = strdelim(&cp); ++ arg = argv_next(&ac, &av); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing argument.", + filename, linenum); @@ -3174,7 +3168,7 @@ index 70f5f73f..191575a1 100644 case sPasswordAuthentication: intptr = &options->password_authentication; goto parse_flag; -@@ -2777,6 +2820,10 @@ dump_config(ServerOptions *o) +@@ -2892,6 +2935,10 @@ dump_config(ServerOptions *o) #ifdef GSSAPI dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); diff --git a/openssh-8.0p1-pkcs11-uri.patch b/openssh-8.0p1-pkcs11-uri.patch index dc8a7d0..8592607 100644 --- a/openssh-8.0p1-pkcs11-uri.patch +++ b/openssh-8.0p1-pkcs11-uri.patch 
@@ -1,7 +1,7 @@ -diff -up openssh-8.6p1/configure.ac.pkcs11-uri openssh-8.6p1/configure.ac ---- openssh-8.6p1/configure.ac.pkcs11-uri 2021-04-19 14:57:30.307370482 +0200 -+++ openssh-8.6p1/configure.ac 2021-04-19 14:57:30.315370543 +0200 -@@ -1974,12 +1974,14 @@ AC_LINK_IFELSE( +diff -up openssh-8.7p1/configure.ac.pkcs11-uri openssh-8.7p1/configure.ac +--- openssh-8.7p1/configure.ac.pkcs11-uri 2021-08-30 13:07:43.646699953 +0200 ++++ openssh-8.7p1/configure.ac 2021-08-30 13:07:43.662700088 +0200 +@@ -1985,12 +1985,14 @@ AC_LINK_IFELSE( [AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).]) ]) @@ -16,7 +16,7 @@ diff -up openssh-8.6p1/configure.ac.pkcs11-uri openssh-8.6p1/configure.ac fi ] ) -@@ -2008,6 +2010,40 @@ AC_SEARCH_LIBS([dlopen], [dl]) +@@ -2019,6 +2021,40 @@ AC_SEARCH_LIBS([dlopen], [dl]) AC_CHECK_FUNCS([dlopen]) AC_CHECK_DECL([RTLD_NOW], [], [], [#include ]) @@ -57,7 +57,7 @@ diff -up openssh-8.6p1/configure.ac.pkcs11-uri openssh-8.6p1/configure.ac # IRIX has a const char return value for gai_strerror() AC_CHECK_FUNCS([gai_strerror], [ AC_DEFINE([HAVE_GAI_STRERROR]) -@@ -5564,6 +5600,7 @@ echo " BSD Auth support +@@ -5624,6 +5660,7 @@ echo " BSD Auth support echo " Random number source: $RAND_MSG" echo " Privsep sandbox style: $SANDBOX_STYLE" echo " PKCS#11 support: $enable_pkcs11" @@ -65,9 +65,9 @@ diff -up openssh-8.6p1/configure.ac.pkcs11-uri openssh-8.6p1/configure.ac echo " U2F/FIDO support: $enable_sk" echo "" -diff -up openssh-8.6p1/Makefile.in.pkcs11-uri openssh-8.6p1/Makefile.in ---- openssh-8.6p1/Makefile.in.pkcs11-uri 2021-04-19 14:57:30.261370134 +0200 -+++ openssh-8.6p1/Makefile.in 2021-04-19 15:14:38.916155695 +0200 +diff -up openssh-8.7p1/Makefile.in.pkcs11-uri openssh-8.7p1/Makefile.in +--- openssh-8.7p1/Makefile.in.pkcs11-uri 2021-08-30 13:07:43.571699324 +0200 ++++ openssh-8.7p1/Makefile.in 2021-08-30 13:07:43.663700096 +0200 
@@ -103,7 +103,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-ecdsa-sk.o \ ssh-ed25519-sk.o ssh-rsa.o dh.o \ @@ -77,7 +77,7 @@ diff -up openssh-8.6p1/Makefile.in.pkcs11-uri openssh-8.6p1/Makefile.in poly1305.o chacha.o cipher-chachapoly.o cipher-chachapoly-libcrypto.o \ ssh-ed25519.o digest-openssl.o digest-libc.o \ hmac.o sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \ -@@ -300,6 +300,8 @@ clean: regressclean +@@ -302,6 +302,8 @@ clean: regressclean rm -f regress/unittests/sshsig/test_sshsig$(EXEEXT) rm -f regress/unittests/utf8/*.o rm -f regress/unittests/utf8/test_utf8$(EXEEXT) @@ -86,7 +86,7 @@ diff -up openssh-8.6p1/Makefile.in.pkcs11-uri openssh-8.6p1/Makefile.in rm -f regress/misc/sk-dummy/*.o rm -f regress/misc/sk-dummy/*.lo rm -f regress/misc/sk-dummy/sk-dummy.so -@@ -337,6 +339,8 @@ distclean: regressclean +@@ -339,6 +341,8 @@ distclean: regressclean rm -f regress/unittests/sshsig/test_sshsig rm -f regress/unittests/utf8/*.o rm -f regress/unittests/utf8/test_utf8 @@ -95,7 +95,7 @@ diff -up openssh-8.6p1/Makefile.in.pkcs11-uri openssh-8.6p1/Makefile.in (cd openbsd-compat && $(MAKE) distclean) if test -d pkg ; then \ rm -fr pkg ; \ -@@ -511,6 +515,7 @@ regress-prep: +@@ -513,6 +517,7 @@ regress-prep: $(MKDIR_P) `pwd`/regress/unittests/sshkey $(MKDIR_P) `pwd`/regress/unittests/sshsig $(MKDIR_P) `pwd`/regress/unittests/utf8 @@ -103,7 +103,7 @@ diff -up openssh-8.6p1/Makefile.in.pkcs11-uri openssh-8.6p1/Makefile.in $(MKDIR_P) `pwd`/regress/misc/sk-dummy [ -f `pwd`/regress/Makefile ] || \ ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile -@@ -674,6 +679,16 @@ regress/unittests/utf8/test_utf8$(EXEEXT +@@ -677,6 +682,16 @@ regress/unittests/utf8/test_utf8$(EXEEXT regress/unittests/test_helper/libtest_helper.a \ -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) 
@@ -120,17 +120,19 @@ diff -up openssh-8.6p1/Makefile.in.pkcs11-uri openssh-8.6p1/Makefile.in # These all need to be compiled -fPIC, so they are treated differently. SK_DUMMY_OBJS=\ regress/misc/sk-dummy/sk-dummy.lo \ -@@ -709,6 +724,7 @@ regress-unit-binaries: regress-prep $(RE +@@ -711,7 +726,8 @@ regress-unit-binaries: regress-prep $(RE + regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \ regress/unittests/sshkey/test_sshkey$(EXEEXT) \ regress/unittests/sshsig/test_sshsig$(EXEEXT) \ - regress/unittests/utf8/test_utf8$(EXEEXT) \ +- regress/unittests/utf8/test_utf8$(EXEEXT) ++ regress/unittests/utf8/test_utf8$(EXEEXT) \ + regress/unittests/pkcs11/test_pkcs11$(EXEEXT) \ tests: file-tests t-exec interop-tests unit echo all tests passed -diff -up openssh-8.6p1/regress/agent-pkcs11.sh.pkcs11-uri openssh-8.6p1/regress/agent-pkcs11.sh ---- openssh-8.6p1/regress/agent-pkcs11.sh.pkcs11-uri 2021-04-16 05:55:25.000000000 +0200 -+++ openssh-8.6p1/regress/agent-pkcs11.sh 2021-04-19 14:57:30.316370550 +0200 +diff -up openssh-8.7p1/regress/agent-pkcs11.sh.pkcs11-uri openssh-8.7p1/regress/agent-pkcs11.sh +--- openssh-8.7p1/regress/agent-pkcs11.sh.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200 ++++ openssh-8.7p1/regress/agent-pkcs11.sh 2021-08-30 13:07:43.663700096 +0200 @@ -113,7 +113,7 @@ else done 
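Review bot: In the rebased `regress-unit-binaries` hunk the last prerequisite, `regress/unittests/pkcs11/test_pkcs11$(EXEEXT) \`, still ends with a line continuation, and the line after it is blank, so the prerequisite list now runs on into the empty line; the inner hunk itself shows that upstream 8.7 ends the list with `regress/unittests/utf8/test_utf8$(EXEEXT)` and no backslash, which the patch re-adds only to splice its own entry in. GNU make tolerates a backslash-newline followed by an empty line, but the list is better formed if the added entry is the unterminated one: keep `regress/unittests/utf8/test_utf8$(EXEEXT) \` and end the block with `regress/unittests/pkcs11/test_pkcs11$(EXEEXT)` without the trailing `\`. The rest of the rule is outside this hunk.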
@@ -140,10 +142,10 @@ diff -up openssh-8.6p1/regress/agent-pkcs11.sh.pkcs11-uri openssh-8.6p1/regress/ r=$? if [ $r -ne 0 ]; then fail "ssh-add -e failed: exit code $r" -diff -up openssh-8.6p1/regress/Makefile.pkcs11-uri openssh-8.6p1/regress/Makefile ---- openssh-8.6p1/regress/Makefile.pkcs11-uri 2021-04-16 05:55:25.000000000 +0200 -+++ openssh-8.6p1/regress/Makefile 2021-04-19 15:15:44.411651410 +0200 -@@ -119,7 +119,8 @@ CLEANFILES= *.core actual agent-key.* au +diff -up openssh-8.7p1/regress/Makefile.pkcs11-uri openssh-8.7p1/regress/Makefile +--- openssh-8.7p1/regress/Makefile.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200 ++++ openssh-8.7p1/regress/Makefile 2021-08-30 13:07:43.663700096 +0200 +@@ -122,7 +122,8 @@ CLEANFILES= *.core actual agent-key.* au known_hosts known_hosts-cert known_hosts.* krl-* ls.copy \ modpipe netcat no_identity_config \ pidfile putty.rsa2 ready regress.log remote_pid \ @@ -153,7 +155,7 @@ diff -up openssh-8.6p1/regress/Makefile.pkcs11-uri openssh-8.6p1/regress/Makefil rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \ scp-ssh-wrapper.scp setuid-allowed sftp-server.log \ sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \ -@@ -249,8 +250,9 @@ unit: +@@ -252,8 +253,9 @@ unit: V="" ; \ test "x${USE_VALGRIND}" = "x" || \ V=${.CURDIR}/valgrind-unit.sh ; \ 
@@ -165,9 +167,9 @@ diff -up openssh-8.6p1/regress/Makefile.pkcs11-uri openssh-8.6p1/regress/Makefil -d ${.CURDIR}/unittests/sshkey/testdata ; \ $$V ${.OBJDIR}/unittests/sshsig/test_sshsig \ -d ${.CURDIR}/unittests/sshsig/testdata ; \ -diff -up openssh-8.6p1/regress/pkcs11.sh.pkcs11-uri openssh-8.6p1/regress/pkcs11.sh ---- openssh-8.6p1/regress/pkcs11.sh.pkcs11-uri 2021-04-19 14:57:30.316370550 +0200 -+++ openssh-8.6p1/regress/pkcs11.sh 2021-04-19 14:57:30.316370550 +0200 +diff -up openssh-8.7p1/regress/pkcs11.sh.pkcs11-uri openssh-8.7p1/regress/pkcs11.sh +--- openssh-8.7p1/regress/pkcs11.sh.pkcs11-uri 2021-08-30 13:07:43.663700096 +0200 ++++ openssh-8.7p1/regress/pkcs11.sh 2021-08-30 13:07:43.663700096 +0200 @@ -0,0 +1,349 @@ +# +# Copyright (c) 2017 Red Hat @@ -518,9 +520,9 @@ diff -up openssh-8.6p1/regress/pkcs11.sh.pkcs11-uri openssh-8.6p1/regress/pkcs11 + trace "kill agent" + ${SSHAGENT} -k > /dev/null +fi -diff -up openssh-8.6p1/regress/unittests/Makefile.pkcs11-uri openssh-8.6p1/regress/unittests/Makefile ---- openssh-8.6p1/regress/unittests/Makefile.pkcs11-uri 2021-04-16 05:55:25.000000000 +0200 -+++ openssh-8.6p1/regress/unittests/Makefile 2021-04-19 14:57:30.316370550 +0200 +diff -up openssh-8.7p1/regress/unittests/Makefile.pkcs11-uri openssh-8.7p1/regress/unittests/Makefile +--- openssh-8.7p1/regress/unittests/Makefile.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200 ++++ openssh-8.7p1/regress/unittests/Makefile 2021-08-30 13:07:43.663700096 +0200 @@ -2,6 +2,6 @@ REGRESS_FAIL_EARLY?= yes 
@@ -529,9 +531,9 @@ diff -up openssh-8.6p1/regress/unittests/Makefile.pkcs11-uri openssh-8.6p1/regre +SUBDIR+=authopt misc sshsig pkcs11 .include -diff -up openssh-8.6p1/regress/unittests/pkcs11/tests.c.pkcs11-uri openssh-8.6p1/regress/unittests/pkcs11/tests.c ---- openssh-8.6p1/regress/unittests/pkcs11/tests.c.pkcs11-uri 2021-04-19 14:57:30.317370558 +0200 -+++ openssh-8.6p1/regress/unittests/pkcs11/tests.c 2021-04-19 14:57:30.317370558 +0200 +diff -up openssh-8.7p1/regress/unittests/pkcs11/tests.c.pkcs11-uri openssh-8.7p1/regress/unittests/pkcs11/tests.c +--- openssh-8.7p1/regress/unittests/pkcs11/tests.c.pkcs11-uri 2021-08-30 13:07:43.664700104 +0200 ++++ openssh-8.7p1/regress/unittests/pkcs11/tests.c 2021-08-30 13:07:43.664700104 +0200 @@ -0,0 +1,337 @@ +/* + * Copyright (c) 2017 Red Hat @@ -870,9 +872,9 @@ diff -up openssh-8.6p1/regress/unittests/pkcs11/tests.c.pkcs11-uri openssh-8.6p1 + test_parse_invalid(); + test_generate_valid(); +} -diff -up openssh-8.6p1/ssh-add.c.pkcs11-uri openssh-8.6p1/ssh-add.c ---- openssh-8.6p1/ssh-add.c.pkcs11-uri 2021-04-16 05:55:25.000000000 +0200 -+++ openssh-8.6p1/ssh-add.c 2021-04-19 14:57:30.317370558 +0200 +diff -up openssh-8.7p1/ssh-add.c.pkcs11-uri openssh-8.7p1/ssh-add.c +--- openssh-8.7p1/ssh-add.c.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200 ++++ openssh-8.7p1/ssh-add.c 2021-08-30 13:07:43.664700104 +0200 @@ -68,6 +68,7 @@ #include "digest.h" #include "ssh-sk.h" @@ -952,9 +954,9 @@ diff -up openssh-8.6p1/ssh-add.c.pkcs11-uri openssh-8.6p1/ssh-add.c ret = 1; goto done; } -diff -up openssh-8.6p1/ssh-agent.c.pkcs11-uri openssh-8.6p1/ssh-agent.c ---- openssh-8.6p1/ssh-agent.c.pkcs11-uri 2021-04-16 05:55:25.000000000 +0200 -+++ openssh-8.6p1/ssh-agent.c 2021-04-19 14:57:30.317370558 +0200 +diff -up openssh-8.7p1/ssh-agent.c.pkcs11-uri openssh-8.7p1/ssh-agent.c +--- openssh-8.7p1/ssh-agent.c.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200 ++++ openssh-8.7p1/ssh-agent.c 2021-08-30 13:07:43.664700104 +0200 
@@ -847,10 +847,72 @@ no_identities(SocketEntry *e) } @@ -1125,10 +1127,10 @@ diff -up openssh-8.6p1/ssh-agent.c.pkcs11-uri openssh-8.6p1/ssh-agent.c send_status(e, success); } #endif /* ENABLE_PKCS11 */ -diff -up openssh-8.6p1/ssh_config.5.pkcs11-uri openssh-8.6p1/ssh_config.5 ---- openssh-8.6p1/ssh_config.5.pkcs11-uri 2021-04-19 14:57:30.269370194 +0200 -+++ openssh-8.6p1/ssh_config.5 2021-04-19 14:57:30.321370588 +0200 -@@ -1063,6 +1063,21 @@ may also be used in conjunction with +diff -up openssh-8.7p1/ssh_config.5.pkcs11-uri openssh-8.7p1/ssh_config.5 +--- openssh-8.7p1/ssh_config.5.pkcs11-uri 2021-08-30 13:07:43.578699383 +0200 ++++ openssh-8.7p1/ssh_config.5 2021-08-30 13:07:43.664700104 +0200 +@@ -1111,6 +1111,21 @@ may also be used in conjunction with .Cm CertificateFile in order to provide any certificate also needed for authentication with the identity. @@ -1150,10 +1152,10 @@ diff -up openssh-8.6p1/ssh_config.5.pkcs11-uri openssh-8.6p1/ssh_config.5 .It Cm IgnoreUnknown Specifies a pattern-list of unknown options to be ignored if they are encountered in configuration parsing. -diff -up openssh-8.6p1/ssh.c.pkcs11-uri openssh-8.6p1/ssh.c ---- openssh-8.6p1/ssh.c.pkcs11-uri 2021-04-19 14:57:30.269370194 +0200 -+++ openssh-8.6p1/ssh.c 2021-04-19 15:17:05.804267447 +0200 -@@ -843,6 +843,14 @@ main(int ac, char **av) +diff -up openssh-8.7p1/ssh.c.pkcs11-uri openssh-8.7p1/ssh.c +--- openssh-8.7p1/ssh.c.pkcs11-uri 2021-08-30 13:07:43.578699383 +0200 ++++ openssh-8.7p1/ssh.c 2021-08-30 13:07:43.666700121 +0200 +@@ -826,6 +826,14 @@ main(int ac, char **av) options.gss_deleg_creds = 1; break; case 'i': @@ -1168,7 +1170,7 @@ diff -up openssh-8.6p1/ssh.c.pkcs11-uri openssh-8.6p1/ssh.c p = tilde_expand_filename(optarg, getuid()); if (stat(p, &st) == -1) fprintf(stderr, "Warning: Identity file %s " -@@ -1695,6 +1703,7 @@ main(int ac, char **av) +@@ -1681,6 +1689,7 @@ main(int ac, char **av) #ifdef ENABLE_PKCS11 (void)pkcs11_del_provider(options.pkcs11_provider); #endif 
@@ -1176,7 +1178,7 @@ diff -up openssh-8.6p1/ssh.c.pkcs11-uri openssh-8.6p1/ssh.c skip_connect: exit_status = ssh_session2(ssh, cinfo); -@@ -2211,6 +2220,45 @@ ssh_session2(struct ssh *ssh, const stru +@@ -2197,6 +2206,45 @@ ssh_session2(struct ssh *ssh, const stru options.escape_char : SSH_ESCAPECHAR_NONE, id); } @@ -1222,7 +1224,7 @@ diff -up openssh-8.6p1/ssh.c.pkcs11-uri openssh-8.6p1/ssh.c /* Loads all IdentityFile and CertificateFile keys */ static void load_public_identity_files(const struct ssh_conn_info *cinfo) -@@ -2225,11 +2273,6 @@ load_public_identity_files(const struct +@@ -2211,11 +2259,6 @@ load_public_identity_files(const struct char *certificate_files[SSH_MAX_CERTIFICATE_FILES]; struct sshkey *certificates[SSH_MAX_CERTIFICATE_FILES]; int certificate_file_userprovided[SSH_MAX_CERTIFICATE_FILES]; @@ -1234,7 +1236,7 @@ diff -up openssh-8.6p1/ssh.c.pkcs11-uri openssh-8.6p1/ssh.c n_ids = n_certs = 0; memset(identity_files, 0, sizeof(identity_files)); -@@ -2242,33 +2285,46 @@ load_public_identity_files(const struct +@@ -2228,33 +2271,46 @@ load_public_identity_files(const struct sizeof(certificate_file_userprovided)); #ifdef ENABLE_PKCS11 @@ -1300,9 +1302,9 @@ diff -up openssh-8.6p1/ssh.c.pkcs11-uri openssh-8.6p1/ssh.c filename = default_client_percent_dollar_expand(cp, cinfo); free(cp); check_load(sshkey_load_public(filename, &public, NULL), -diff -up openssh-8.6p1/ssh-keygen.c.pkcs11-uri openssh-8.6p1/ssh-keygen.c ---- openssh-8.6p1/ssh-keygen.c.pkcs11-uri 2021-04-16 05:55:25.000000000 +0200 -+++ openssh-8.6p1/ssh-keygen.c 2021-04-19 14:57:30.318370565 +0200 +diff -up openssh-8.7p1/ssh-keygen.c.pkcs11-uri openssh-8.7p1/ssh-keygen.c +--- openssh-8.7p1/ssh-keygen.c.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200 ++++ openssh-8.7p1/ssh-keygen.c 2021-08-30 13:07:43.666700121 +0200 @@ -860,8 +860,11 @@ do_download(struct passwd *pw) free(fp); } else { 
@@ -1317,9 +1319,9 @@ diff -up openssh-8.6p1/ssh-keygen.c.pkcs11-uri openssh-8.6p1/ssh-keygen.c } free(comments[i]); sshkey_free(keys[i]); -diff -up openssh-8.6p1/ssh-pkcs11-client.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11-client.c ---- openssh-8.6p1/ssh-pkcs11-client.c.pkcs11-uri 2021-04-16 05:55:25.000000000 +0200 -+++ openssh-8.6p1/ssh-pkcs11-client.c 2021-04-19 14:57:30.318370565 +0200 +diff -up openssh-8.7p1/ssh-pkcs11-client.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11-client.c +--- openssh-8.7p1/ssh-pkcs11-client.c.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200 ++++ openssh-8.7p1/ssh-pkcs11-client.c 2021-08-30 13:07:43.666700121 +0200 @@ -323,6 +323,8 @@ pkcs11_add_provider(char *name, char *pi u_int nkeys, i; struct sshbuf *msg; @@ -1337,9 +1339,9 @@ diff -up openssh-8.6p1/ssh-pkcs11-client.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11-c for (i = 0; i < nkeys; i++) { /* XXX clean up properly instead of fatal() */ if ((r = sshbuf_get_string(msg, &blob, &blen)) != 0 || -diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c ---- openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri 2021-04-16 05:55:25.000000000 +0200 -+++ openssh-8.6p1/ssh-pkcs11.c 2021-04-19 14:57:30.320370580 +0200 +diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c +--- openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200 ++++ openssh-8.7p1/ssh-pkcs11.c 2021-08-30 13:12:27.709084157 +0200 @@ -55,8 +55,8 @@ struct pkcs11_slotinfo { int logged_in; }; @@ -1383,8 +1385,8 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c CK_RV rv; CK_ULONG i; -- debug("pkcs11_provider_finalize: %p refcount %d valid %d", -- p, p->refcount, p->valid); +- debug_f("provider \"%s\" refcount %d valid %d", +- p->name, p->refcount, p->valid); - if (!p->valid) + debug_f("%p refcount %d valid %d", m, m->refcount, m->valid); + if (!m->valid) 
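Review bot: The finalize routine rewritten to operate on `m` keeps `debug_f("%p refcount %d valid %d", m, m->refcount, m->valid);`, which writes a raw heap address to the debug log, while the `pkcs11_provider_unref` hunk that follows adopts upstream's `debug_f("provider \"%s\" refcount %d", p->name, p->refcount);` form. Logging the module by a human-readable identifier instead (its library name or path, if the module struct carries one) would be consistent with the upstream message and stops debug output exposing allocator addresses. The enclosing function starts and ends outside this hunk.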
@@ -1427,9 +1429,9 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c +} + +/* -+ * finalize a provider shared libarary, it's no longer usable. ++ * finalize a provider shared library, it's no longer usable. + * however, there might still be keys referencing this provider, -+ * so the actuall freeing of memory is handled by pkcs11_provider_unref(). ++ * so the actual freeing of memory is handled by pkcs11_provider_unref(). + * this is called when a provider gets unregistered. + */ +static void @@ -1446,15 +1448,12 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c } /* -@@ -135,13 +178,11 @@ pkcs11_provider_finalize(struct pkcs11_p - static void - pkcs11_provider_unref(struct pkcs11_provider *p) +@@ -137,11 +180,9 @@ pkcs11_provider_unref(struct pkcs11_prov { -- debug("pkcs11_provider_unref: %p refcount %d", p, p->refcount); -+ debug_f("%p refcount %d", p, p->refcount); + debug_f("provider \"%s\" refcount %d", p->name, p->refcount); if (--p->refcount <= 0) { - if (p->valid) -- error("pkcs11_provider_unref: %p still valid", p); +- error_f("provider \"%s\" still valid", p->name); free(p->name); - free(p->slotlist); - free(p->slotinfo); @@ -1543,7 +1542,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c } static RSA_METHOD *rsa_method; -@@ -195,6 +283,55 @@ static EC_KEY_METHOD *ec_key_method; +@@ -195,6 +286,55 @@ static EC_KEY_METHOD *ec_key_method; static int ec_key_idx = 0; #endif @@ -1599,7 +1598,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c /* release a wrapped object */ static void pkcs11_k11_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx, -@@ -208,6 +345,7 @@ pkcs11_k11_free(void *parent, void *ptr, +@@ -208,6 +348,7 @@ pkcs11_k11_free(void *parent, void *ptr, if (k11->provider) pkcs11_provider_unref(k11->provider); free(k11->keyid); 
@@ -1607,7 +1606,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c free(k11); } -@@ -222,8 +360,8 @@ pkcs11_find(struct pkcs11_provider *p, C +@@ -222,8 +363,8 @@ pkcs11_find(struct pkcs11_provider *p, C CK_RV rv; int ret = -1; @@ -1618,7 +1617,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c if ((rv = f->C_FindObjectsInit(session, attr, nattr)) != CKR_OK) { error("C_FindObjectsInit failed (nattr %lu): %lu", nattr, rv); return (-1); -@@ -262,12 +400,12 @@ pkcs11_login_slot(struct pkcs11_provider +@@ -262,12 +403,12 @@ pkcs11_login_slot(struct pkcs11_provider else { snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ", si->token.label); @@ -1633,7 +1632,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c (pin != NULL) ? strlen(pin) : 0); if (pin != NULL) freezero(pin, strlen(pin)); -@@ -297,13 +435,14 @@ pkcs11_login_slot(struct pkcs11_provider +@@ -297,13 +438,14 @@ pkcs11_login_slot(struct pkcs11_provider static int pkcs11_login(struct pkcs11_key *k11, CK_USER_TYPE type) { @@ -1650,7 +1649,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c } -@@ -319,13 +458,14 @@ pkcs11_check_obj_bool_attrib(struct pkcs +@@ -319,13 +461,14 @@ pkcs11_check_obj_bool_attrib(struct pkcs *val = 0; @@ -1668,7 +1667,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c attr.type = type; attr.pValue = &flag; -@@ -356,13 +496,14 @@ pkcs11_get_key(struct pkcs11_key *k11, C +@@ -356,13 +499,14 @@ pkcs11_get_key(struct pkcs11_key *k11, C int always_auth = 0; int did_login = 0; @@ -1686,7 +1685,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) { if (pkcs11_login(k11, CKU_USER) < 0) { -@@ -439,8 +580,8 @@ pkcs11_rsa_private_encrypt(int flen, con +@@ -439,8 +583,8 @@ pkcs11_rsa_private_encrypt(int flen, con return (-1); } 
@@ -1697,7 +1696,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c tlen = RSA_size(rsa); /* XXX handle CKR_BUFFER_TOO_SMALL */ -@@ -484,7 +625,7 @@ pkcs11_rsa_start_wrapper(void) +@@ -484,7 +628,7 @@ pkcs11_rsa_start_wrapper(void) /* redirect private key operations for rsa key to pkcs11 token */ static int pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx, @@ -1706,7 +1705,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c { struct pkcs11_key *k11; -@@ -502,6 +643,12 @@ pkcs11_rsa_wrap(struct pkcs11_provider * +@@ -502,6 +646,12 @@ pkcs11_rsa_wrap(struct pkcs11_provider * memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len); } @@ -1719,7 +1718,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c RSA_set_method(rsa, rsa_method); RSA_set_ex_data(rsa, rsa_idx, k11); return (0); -@@ -532,8 +679,8 @@ ecdsa_do_sign(const unsigned char *dgst, +@@ -532,8 +682,8 @@ ecdsa_do_sign(const unsigned char *dgst, return (NULL); } @@ -1730,7 +1729,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c siglen = ECDSA_size(ec); sig = xmalloc(siglen); -@@ -598,7 +745,7 @@ pkcs11_ecdsa_start_wrapper(void) +@@ -598,7 +748,7 @@ pkcs11_ecdsa_start_wrapper(void) static int pkcs11_ecdsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx, @@ -1739,7 +1738,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c { struct pkcs11_key *k11; -@@ -614,6 +761,12 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider +@@ -614,6 +764,12 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider k11->keyid = xmalloc(k11->keyid_len); memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len); 
@@ -1752,7 +1751,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c EC_KEY_set_method(ec, ec_key_method); EC_KEY_set_ex_data(ec, ec_key_idx, k11); -@@ -650,8 +803,8 @@ pkcs11_open_session(struct pkcs11_provid +@@ -650,8 +806,8 @@ pkcs11_open_session(struct pkcs11_provid CK_SESSION_HANDLE session; int login_required, ret; @@ -1763,7 +1762,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c login_required = si->token.flags & CKF_LOGIN_REQUIRED; -@@ -661,9 +814,9 @@ pkcs11_open_session(struct pkcs11_provid +@@ -661,9 +817,9 @@ pkcs11_open_session(struct pkcs11_provid error("pin required"); return (-SSH_PKCS11_ERR_PIN_REQUIRED); } @@ -1775,7 +1774,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c return (-1); } if (login_required && pin != NULL && strlen(pin) != 0) { -@@ -699,7 +852,8 @@ static struct sshkey * +@@ -699,7 +855,8 @@ static struct sshkey * pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, CK_OBJECT_HANDLE *obj) { @@ -1785,7 +1784,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c CK_SESSION_HANDLE session; CK_FUNCTION_LIST *f = NULL; CK_RV rv; -@@ -713,14 +867,15 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_ +@@ -713,14 +870,15 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_ memset(&key_attr, 0, sizeof(key_attr)); key_attr[0].type = CKA_ID; @@ -1806,7 +1805,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c if (rv != CKR_OK) { error("C_GetAttributeValue failed: %lu", rv); return (NULL); -@@ -731,19 +886,19 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_ +@@ -731,19 +889,19 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_ * ensure that none of the others are zero length. * XXX assumes CKA_ID is always first. */ 
@@ -1830,7 +1829,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c if (rv != CKR_OK) { error("C_GetAttributeValue failed: %lu", rv); goto fail; -@@ -755,8 +910,8 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_ +@@ -755,8 +913,8 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_ goto fail; } @@ -1841,7 +1840,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c if (group == NULL) { ossl_error("d2i_ECPKParameters failed"); goto fail; -@@ -767,13 +922,13 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_ +@@ -767,13 +925,13 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_ goto fail; } @@ -1858,7 +1857,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c if (octet == NULL) { ossl_error("d2i_ASN1_OCTET_STRING failed"); goto fail; -@@ -790,7 +945,7 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_ +@@ -790,7 +948,7 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_ goto fail; } @@ -1867,7 +1866,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c goto fail; key = sshkey_new(KEY_UNSPEC); -@@ -806,7 +961,7 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_ +@@ -806,7 +964,7 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_ ec = NULL; /* now owned by key */ fail: @@ -1876,7 +1875,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c free(key_attr[i].pValue); if (ec) EC_KEY_free(ec); -@@ -823,7 +978,8 @@ static struct sshkey * +@@ -823,7 +981,8 @@ static struct sshkey * pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, CK_OBJECT_HANDLE *obj) { @@ -1886,7 +1885,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c CK_SESSION_HANDLE session; CK_FUNCTION_LIST *f = NULL; CK_RV rv; -@@ -834,14 +990,15 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_pr +@@ -834,14 +993,15 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_pr memset(&key_attr, 0, sizeof(key_attr)); key_attr[0].type = CKA_ID; 
@@ -1907,7 +1906,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c if (rv != CKR_OK) { error("C_GetAttributeValue failed: %lu", rv); return (NULL); -@@ -852,19 +1009,19 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_pr +@@ -852,19 +1012,19 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_pr * ensure that none of the others are zero length. * XXX assumes CKA_ID is always first. */ @@ -1931,7 +1930,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c if (rv != CKR_OK) { error("C_GetAttributeValue failed: %lu", rv); goto fail; -@@ -876,8 +1033,8 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_pr +@@ -876,8 +1036,8 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_pr goto fail; } @@ -1942,7 +1941,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c if (rsa_n == NULL || rsa_e == NULL) { error("BN_bin2bn failed"); goto fail; -@@ -886,7 +1043,7 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_pr +@@ -886,7 +1046,7 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_pr fatal_f("set key"); rsa_n = rsa_e = NULL; /* transferred */ @@ -1951,7 +1950,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c goto fail; key = sshkey_new(KEY_UNSPEC); -@@ -901,7 +1058,7 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_pr +@@ -901,7 +1061,7 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_pr rsa = NULL; /* now owned by key */ fail: @@ -1960,7 +1959,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c free(key_attr[i].pValue); RSA_free(rsa); -@@ -912,7 +1069,8 @@ static int +@@ -912,7 +1072,8 @@ static int pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, CK_OBJECT_HANDLE *obj, struct sshkey **keyp, char **labelp) { 
@@ -1970,7 +1969,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c CK_SESSION_HANDLE session; CK_FUNCTION_LIST *f = NULL; CK_RV rv; -@@ -936,14 +1094,15 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_p +@@ -936,14 +1097,15 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_p memset(&cert_attr, 0, sizeof(cert_attr)); cert_attr[0].type = CKA_ID; @@ -1991,7 +1990,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c if (rv != CKR_OK) { error("C_GetAttributeValue failed: %lu", rv); return -1; -@@ -955,18 +1114,19 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_p +@@ -955,18 +1117,19 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_p * XXX assumes CKA_ID is always first. */ if (cert_attr[1].ulValueLen == 0 || @@ -2014,7 +2013,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c if (rv != CKR_OK) { error("C_GetAttributeValue failed: %lu", rv); goto out; -@@ -980,8 +1140,8 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_p +@@ -980,8 +1143,8 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_p subject = xstrdup("invalid subject"); X509_NAME_free(x509_name); @@ -2025,7 +2024,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c error("d2i_x509 failed"); goto out; } -@@ -1001,7 +1161,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_p +@@ -1001,7 +1164,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_p goto out; } @@ -2034,7 +2033,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c goto out; key = sshkey_new(KEY_UNSPEC); -@@ -1031,7 +1191,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_p +@@ -1031,7 +1194,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_p goto out; } @@ -2043,7 +2042,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c goto out; key = sshkey_new(KEY_UNSPEC); -@@ -1051,7 +1211,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_p +@@ -1051,7 +1214,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_p goto out; } out: 
@@ -2052,7 +2051,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c free(cert_attr[i].pValue); X509_free(x509); RSA_free(rsa); -@@ -1102,11 +1262,12 @@ note_key(struct pkcs11_provider *p, CK_U +@@ -1102,11 +1265,12 @@ note_key(struct pkcs11_provider *p, CK_U */ static int pkcs11_fetch_certs(struct pkcs11_provider *p, CK_ULONG slotidx, @@ -2067,7 +2066,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c CK_SESSION_HANDLE session; CK_FUNCTION_LIST *f = NULL; CK_RV rv; -@@ -1123,10 +1284,23 @@ pkcs11_fetch_certs(struct pkcs11_provide +@@ -1123,10 +1287,23 @@ pkcs11_fetch_certs(struct pkcs11_provide key_attr[0].pValue = &key_class; key_attr[0].ulValueLen = sizeof(key_class); @@ -2094,7 +2093,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c if (rv != CKR_OK) { error("C_FindObjectsInit failed: %lu", rv); goto fail; -@@ -1207,11 +1381,12 @@ fail: +@@ -1207,11 +1384,12 @@ fail: */ static int pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, @@ -2109,7 +2108,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c CK_SESSION_HANDLE session; CK_FUNCTION_LIST *f = NULL; CK_RV rv; -@@ -1227,10 +1402,23 @@ pkcs11_fetch_keys(struct pkcs11_provider +@@ -1227,10 +1405,23 @@ pkcs11_fetch_keys(struct pkcs11_provider key_attr[0].pValue = &key_class; key_attr[0].ulValueLen = sizeof(key_class); 
@@ -2127,16 +2126,16 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c + key_attr[nattr].ulValueLen = strlen(uri->object); + nattr++; + } -+ -+ session = p->module->slotinfo[slotidx].session; -+ f = p->module->function_list; - rv = f->C_FindObjectsInit(session, key_attr, 1); ++ session = p->module->slotinfo[slotidx].session; ++ f = p->module->function_list; ++ + rv = f->C_FindObjectsInit(session, key_attr, nattr); if (rv != CKR_OK) { error("C_FindObjectsInit failed: %lu", rv); goto fail; -@@ -1499,16 +1687,10 @@ pkcs11_ecdsa_generate_private_key(struct +@@ -1499,16 +1690,10 @@ pkcs11_ecdsa_generate_private_key(struct } #endif /* WITH_PKCS11_KEYGEN */ @@ -2155,7 +2154,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c int ret = -1; struct pkcs11_provider *p = NULL; void *handle = NULL; -@@ -1517,164 +1699,298 @@ pkcs11_register_provider(char *provider_ +@@ -1517,164 +1702,298 @@ pkcs11_register_provider(char *provider_ CK_FUNCTION_LIST *f = NULL; CK_TOKEN_INFO *token; CK_ULONG i; 
@@ -2241,17 +2240,17 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c error("C_GetInfo for provider %s failed: %lu", - provider_id, rv); + provider_module, rv); - goto fail; - } -- rmspace(p->info.manufacturerID, sizeof(p->info.manufacturerID)); -- rmspace(p->info.libraryDescription, sizeof(p->info.libraryDescription)); ++ goto fail; ++ } + rmspace(m->info.manufacturerID, sizeof(m->info.manufacturerID)); + if (uri->lib_manuf != NULL && + strcmp(uri->lib_manuf, m->info.manufacturerID)) { + debug_f("Skipping provider %s not matching library_manufacturer", + m->info.manufacturerID); -+ goto fail; -+ } + goto fail; + } +- rmspace(p->info.manufacturerID, sizeof(p->info.manufacturerID)); +- rmspace(p->info.libraryDescription, sizeof(p->info.libraryDescription)); + rmspace(m->info.libraryDescription, sizeof(m->info.libraryDescription)); debug("provider %s: manufacturerID <%s> cryptokiVersion %d.%d" " libraryDescription <%s> libraryVersion %d.%d", @@ -2529,7 +2528,7 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c /* no keys found or some other error, de-register provider */ if (nkeys <= 0 && p != NULL) { -@@ -1683,7 +1999,37 @@ pkcs11_add_provider(char *provider_id, c +@@ -1683,7 +2002,37 @@ pkcs11_add_provider(char *provider_id, c pkcs11_provider_unref(p); } if (nkeys == 0) @@ -2568,9 +2567,9 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c return (nkeys); } -diff -up openssh-8.6p1/ssh-pkcs11.h.pkcs11-uri openssh-8.6p1/ssh-pkcs11.h ---- openssh-8.6p1/ssh-pkcs11.h.pkcs11-uri 2021-04-16 05:55:25.000000000 +0200 -+++ openssh-8.6p1/ssh-pkcs11.h 2021-04-19 14:57:30.320370580 +0200 +diff -up openssh-8.7p1/ssh-pkcs11.h.pkcs11-uri openssh-8.7p1/ssh-pkcs11.h +--- openssh-8.7p1/ssh-pkcs11.h.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200 ++++ openssh-8.7p1/ssh-pkcs11.h 2021-08-30 13:07:43.666700121 +0200 @@ -22,10 +22,14 @@ #define SSH_PKCS11_ERR_PIN_REQUIRED 4 #define SSH_PKCS11_ERR_PIN_LOCKED 5 
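Review bot: `strcmp(uri->lib_manuf, m->info.manufacturerID)` in the reordered block treats the CK_INFO field as a C string, but PKCS#11 defines `manufacturerID` as a fixed 32-byte, space-padded array that is not NUL-terminated, so the comparison is only safe if the preceding `rmspace(m->info.manufacturerID, sizeof(m->info.manufacturerID));` is guaranteed to write a terminator inside the field; its contract is not visible here. If it does not, a fully populated field lets `strcmp` read past the struct, and a bounded form such as `strncmp(uri->lib_manuf, (const char *)m->info.manufacturerID, sizeof(m->info.manufacturerID))` together with a length check on `uri->lib_manuf` removes that dependency. The same caveat applies to the `%s` conversions in the `debug("provider %s: manufacturerID <%s> ..."` context line that follows. `pkcs11_register_provider` begins and ends outside this hunk.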
@@ -2586,9 +2585,9 @@ diff -up openssh-8.6p1/ssh-pkcs11.h.pkcs11-uri openssh-8.6p1/ssh-pkcs11.h #ifdef WITH_PKCS11_KEYGEN struct sshkey * pkcs11_gakp(char *, char *, unsigned int, char *, unsigned int, -diff -up openssh-8.6p1/ssh-pkcs11-uri.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11-uri.c ---- openssh-8.6p1/ssh-pkcs11-uri.c.pkcs11-uri 2021-04-19 14:57:30.318370565 +0200 -+++ openssh-8.6p1/ssh-pkcs11-uri.c 2021-04-19 14:57:30.318370565 +0200 +diff -up openssh-8.7p1/ssh-pkcs11-uri.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11-uri.c +--- openssh-8.7p1/ssh-pkcs11-uri.c.pkcs11-uri 2021-08-30 13:07:43.667700130 +0200 ++++ openssh-8.7p1/ssh-pkcs11-uri.c 2021-08-30 13:07:43.667700130 +0200 @@ -0,0 +1,419 @@ +/* + * Copyright (c) 2017 Red Hat @@ -3009,9 +3008,9 @@ diff -up openssh-8.6p1/ssh-pkcs11-uri.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11-uri. +} + +#endif /* ENABLE_PKCS11 */ -diff -up openssh-8.6p1/ssh-pkcs11-uri.h.pkcs11-uri openssh-8.6p1/ssh-pkcs11-uri.h ---- openssh-8.6p1/ssh-pkcs11-uri.h.pkcs11-uri 2021-04-19 14:57:30.318370565 +0200 -+++ openssh-8.6p1/ssh-pkcs11-uri.h 2021-04-19 14:57:30.318370565 +0200 +diff -up openssh-8.7p1/ssh-pkcs11-uri.h.pkcs11-uri openssh-8.7p1/ssh-pkcs11-uri.h +--- openssh-8.7p1/ssh-pkcs11-uri.h.pkcs11-uri 2021-08-30 13:07:43.667700130 +0200 ++++ openssh-8.7p1/ssh-pkcs11-uri.h 2021-08-30 13:07:43.667700130 +0200 @@ -0,0 +1,42 @@ +/* + * Copyright (c) 2017 Red Hat diff --git a/openssh-8.0p1-restore-nonblock.patch b/openssh-8.0p1-restore-nonblock.patch deleted file mode 100644 index dbdf7ed..0000000 --- a/openssh-8.0p1-restore-nonblock.patch +++ /dev/null 
@@ -1,320 +0,0 @@ -diff --git a/channels.c b/channels.c -index 32d1f617..0024f751 100644 ---- a/channels.c -+++ b/channels.c -@@ -333,7 +333,27 @@ channel_register_fds(struct ssh *ssh, Channel *c, int rfd, int wfd, int efd, - #endif - - /* enable nonblocking mode */ -- if (nonblock) { -+ c->restore_block = 0; -+ if (nonblock == CHANNEL_NONBLOCK_STDIO) { -+ /* -+ * Special handling for stdio file descriptors: do not set -+ * non-blocking mode if they are TTYs. Otherwise prepare to -+ * restore their blocking state on exit to avoid interfering -+ * with other programs that follow. -+ */ -+ if (rfd != -1 && !isatty(rfd) && fcntl(rfd, F_GETFL) == 0) { -+ c->restore_block |= CHANNEL_RESTORE_RFD; -+ set_nonblock(rfd); -+ } -+ if (wfd != -1 && !isatty(wfd) && fcntl(wfd, F_GETFL) == 0) { -+ c->restore_block |= CHANNEL_RESTORE_WFD; -+ set_nonblock(wfd); -+ } -+ if (efd != -1 && !isatty(efd) && fcntl(efd, F_GETFL) == 0) { -+ c->restore_block |= CHANNEL_RESTORE_EFD; -+ set_nonblock(efd); -+ } -+ } else if (nonblock) { - if (rfd != -1) - set_nonblock(rfd); - if (wfd != -1) -@@ -422,17 +442,23 @@ channel_find_maxfd(struct ssh_channels *sc) - } - - int --channel_close_fd(struct ssh *ssh, int *fdp) -+channel_close_fd(struct ssh *ssh, Channel *c, int *fdp) - { - struct ssh_channels *sc = ssh->chanctxt; -- int ret = 0, fd = *fdp; -+ int ret, fd = *fdp; - -- if (fd != -1) { -- ret = close(fd); -- *fdp = -1; -- if (fd == sc->channel_max_fd) -- channel_find_maxfd(sc); -- } -+ if (fd == -1) -+ return 0; -+ -+ if ((*fdp == c->rfd && (c->restore_block & CHANNEL_RESTORE_RFD) != 0) || -+ (*fdp == c->wfd && (c->restore_block & CHANNEL_RESTORE_WFD) != 0) || -+ (*fdp == c->efd && (c->restore_block & CHANNEL_RESTORE_EFD) != 0)) -+ (void)fcntl(*fdp, F_SETFL, 0); /* restore blocking */ -+ -+ ret = close(fd); -+ *fdp = -1; -+ if (fd == sc->channel_max_fd) -+ channel_find_maxfd(sc); - return ret; - } - -@@ -442,13 +468,13 @@ channel_close_fds(struct ssh *ssh, Channel *c) - { - int sock = c->sock, 
rfd = c->rfd, wfd = c->wfd, efd = c->efd; - -- channel_close_fd(ssh, &c->sock); -+ channel_close_fd(ssh, c, &c->sock); - if (rfd != sock) -- channel_close_fd(ssh, &c->rfd); -+ channel_close_fd(ssh, c, &c->rfd); - if (wfd != sock && wfd != rfd) -- channel_close_fd(ssh, &c->wfd); -+ channel_close_fd(ssh, c, &c->wfd); - if (efd != sock && efd != rfd && efd != wfd) -- channel_close_fd(ssh, &c->efd); -+ channel_close_fd(ssh, c, &c->efd); - } - - static void -@@ -702,7 +728,7 @@ channel_stop_listening(struct ssh *ssh) - case SSH_CHANNEL_X11_LISTENER: - case SSH_CHANNEL_UNIX_LISTENER: - case SSH_CHANNEL_RUNIX_LISTENER: -- channel_close_fd(ssh, &c->sock); -+ channel_close_fd(ssh, c, &c->sock); - channel_free(ssh, c); - break; - } -@@ -1491,7 +1517,8 @@ channel_decode_socks5(Channel *c, struct sshbuf *input, struct sshbuf *output) - - Channel * - channel_connect_stdio_fwd(struct ssh *ssh, -- const char *host_to_connect, u_short port_to_connect, int in, int out) -+ const char *host_to_connect, u_short port_to_connect, -+ int in, int out, int nonblock) - { - Channel *c; - -@@ -1499,7 +1526,7 @@ channel_connect_stdio_fwd(struct ssh *ssh, - - c = channel_new(ssh, "stdio-forward", SSH_CHANNEL_OPENING, in, out, - -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, -- 0, "stdio-forward", /*nonblock*/0); -+ 0, "stdio-forward", nonblock); - - c->path = xstrdup(host_to_connect); - c->host_port = port_to_connect; -@@ -1649,7 +1676,7 @@ channel_post_x11_listener(struct ssh *ssh, Channel *c, - if (c->single_connection) { - oerrno = errno; - debug2("single_connection: closing X11 listener."); -- channel_close_fd(ssh, &c->sock); -+ channel_close_fd(ssh, c, &c->sock); - chan_mark_dead(ssh, c); - errno = oerrno; - } -@@ -2058,7 +2085,7 @@ channel_handle_efd_write(struct ssh *ssh, Channel *c, - return 1; - if (len <= 0) { - debug2("channel %d: closing write-efd %d", c->self, c->efd); -- channel_close_fd(ssh, &c->efd); -+ channel_close_fd(ssh, c, &c->efd); - } else { - if ((r = 
sshbuf_consume(c->extended, len)) != 0) - fatal_fr(r, "channel %i: consume", c->self); -@@ -2087,7 +2114,7 @@ channel_handle_efd_read(struct ssh *ssh, Channel *c, - return 1; - if (len <= 0) { - debug2("channel %d: closing read-efd %d", c->self, c->efd); -- channel_close_fd(ssh, &c->efd); -+ channel_close_fd(ssh, c, &c->efd); - } else if (c->extended_usage == CHAN_EXTENDED_IGNORE) - debug3("channel %d: discard efd", c->self); - else if ((r = sshbuf_put(c->extended, buf, len)) != 0) -diff --git a/channels.h b/channels.h -index 378d987c..6bf86b00 100644 ---- a/channels.h -+++ b/channels.h -@@ -63,6 +63,16 @@ - - #define CHANNEL_CANCEL_PORT_STATIC -1 - -+/* nonblocking flags for channel_new */ -+#define CHANNEL_NONBLOCK_LEAVE 0 /* don't modify non-blocking state */ -+#define CHANNEL_NONBLOCK_SET 1 /* set non-blocking state */ -+#define CHANNEL_NONBLOCK_STDIO 2 /* set non-blocking and restore on close */ -+ -+/* c->restore_block mask flags */ -+#define CHANNEL_RESTORE_RFD 0x01 -+#define CHANNEL_RESTORE_WFD 0x02 -+#define CHANNEL_RESTORE_EFD 0x04 -+ - /* TCP forwarding */ - #define FORWARD_DENY 0 - #define FORWARD_REMOTE (1) -@@ -139,6 +149,7 @@ struct Channel { - * to a matching pre-select handler. 
- * this way post-select handlers are not - * accidentally called if a FD gets reused */ -+ int restore_block; /* fd mask to restore blocking status */ - struct sshbuf *input; /* data read from socket, to be sent over - * encrypted connection */ - struct sshbuf *output; /* data received over encrypted connection for -@@ -266,7 +277,7 @@ void channel_register_filter(struct ssh *, int, channel_infilter_fn *, - void channel_register_status_confirm(struct ssh *, int, - channel_confirm_cb *, channel_confirm_abandon_cb *, void *); - void channel_cancel_cleanup(struct ssh *, int); --int channel_close_fd(struct ssh *, int *); -+int channel_close_fd(struct ssh *, Channel *, int *); - void channel_send_window_changes(struct ssh *); - - /* mux proxy support */ -@@ -313,7 +324,7 @@ Channel *channel_connect_to_port(struct ssh *, const char *, u_short, - char *, char *, int *, const char **); - Channel *channel_connect_to_path(struct ssh *, const char *, char *, char *); - Channel *channel_connect_stdio_fwd(struct ssh *, const char*, -- u_short, int, int); -+ u_short, int, int, int); - Channel *channel_connect_by_listen_address(struct ssh *, const char *, - u_short, char *, char *); - Channel *channel_connect_by_listen_path(struct ssh *, const char *, -diff --git a/clientloop.c b/clientloop.c -index 219f0e90..bdd67686 100644 ---- a/clientloop.c -+++ b/clientloop.c -@@ -1405,14 +1405,6 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, - if (have_pty) - leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE); - -- /* restore blocking io */ -- if (!isatty(fileno(stdin))) -- unset_nonblock(fileno(stdin)); -- if (!isatty(fileno(stdout))) -- unset_nonblock(fileno(stdout)); -- if (!isatty(fileno(stderr))) -- unset_nonblock(fileno(stderr)); -- - /* - * If there was no shell or command requested, there will be no remote - * exit status to be returned. 
In that case, clear error code if the -diff --git a/mux.c b/mux.c -index faf4ef1e..9454bfed 100644 ---- a/mux.c -+++ b/mux.c -@@ -452,14 +452,6 @@ mux_master_process_new_session(struct ssh *ssh, u_int rid, - if (cctx->want_tty && tcgetattr(new_fd[0], &cctx->tio) == -1) - error_f("tcgetattr: %s", strerror(errno)); - -- /* enable nonblocking unless tty */ -- if (!isatty(new_fd[0])) -- set_nonblock(new_fd[0]); -- if (!isatty(new_fd[1])) -- set_nonblock(new_fd[1]); -- if (!isatty(new_fd[2])) -- set_nonblock(new_fd[2]); -- - window = CHAN_SES_WINDOW_DEFAULT; - packetmax = CHAN_SES_PACKET_DEFAULT; - if (cctx->want_tty) { -@@ -469,7 +461,7 @@ mux_master_process_new_session(struct ssh *ssh, u_int rid, - - nc = channel_new(ssh, "session", SSH_CHANNEL_OPENING, - new_fd[0], new_fd[1], new_fd[2], window, packetmax, -- CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0); -+ CHAN_EXTENDED_WRITE, "client-session", CHANNEL_NONBLOCK_STDIO); - - nc->ctl_chan = c->self; /* link session -> control channel */ - c->remote_id = nc->self; /* link control -> session channel */ -@@ -1025,13 +1017,8 @@ mux_master_process_stdio_fwd(struct ssh *ssh, u_int rid, - } - } - -- /* enable nonblocking unless tty */ -- if (!isatty(new_fd[0])) -- set_nonblock(new_fd[0]); -- if (!isatty(new_fd[1])) -- set_nonblock(new_fd[1]); -- -- nc = channel_connect_stdio_fwd(ssh, chost, cport, new_fd[0], new_fd[1]); -+ nc = channel_connect_stdio_fwd(ssh, chost, cport, new_fd[0], new_fd[1], -+ CHANNEL_NONBLOCK_STDIO); - free(chost); - - nc->ctl_chan = c->self; /* link session -> control channel */ -diff --git a/nchan.c b/nchan.c -index 4a4494b8..7ef3a350 100644 ---- a/nchan.c -+++ b/nchan.c -@@ -384,7 +384,7 @@ chan_shutdown_write(struct ssh *ssh, Channel *c) - c->istate, c->ostate, strerror(errno)); - } - } else { -- if (channel_close_fd(ssh, &c->wfd) < 0) { -+ if (channel_close_fd(ssh, c, &c->wfd) < 0) { - logit_f("channel %d: close() failed for " - "fd %d [i%d o%d]: %.100s", c->self, c->wfd, - c->istate, 
c->ostate, strerror(errno)); -@@ -412,7 +412,7 @@ chan_shutdown_read(struct ssh *ssh, Channel *c) - c->istate, c->ostate, strerror(errno)); - } - } else { -- if (channel_close_fd(ssh, &c->rfd) < 0) { -+ if (channel_close_fd(ssh, c, &c->rfd) < 0) { - logit_f("channel %d: close() failed for " - "fd %d [i%d o%d]: %.100s", c->self, c->rfd, - c->istate, c->ostate, strerror(errno)); -@@ -431,7 +431,7 @@ chan_shutdown_extended_read(struct ssh *ssh, Channel *c) - debug_f("channel %d: (i%d o%d sock %d wfd %d efd %d [%s])", - c->self, c->istate, c->ostate, c->sock, c->rfd, c->efd, - channel_format_extended_usage(c)); -- if (channel_close_fd(ssh, &c->efd) < 0) { -+ if (channel_close_fd(ssh, c, &c->efd) < 0) { - logit_f("channel %d: close() failed for " - "extended fd %d [i%d o%d]: %.100s", c->self, c->efd, - c->istate, c->ostate, strerror(errno)); -diff --git a/ssh.c b/ssh.c -index 696dc3bc..6243db76 100644 ---- a/ssh.c -+++ b/ssh.c -@@ -1876,9 +1876,10 @@ ssh_init_stdio_forwarding(struct ssh *ssh) - - if ((in = dup(STDIN_FILENO)) == -1 || - (out = dup(STDOUT_FILENO)) == -1) -- fatal("channel_connect_stdio_fwd: dup() in/out failed"); -+ fatal_f("dup() in/out failed"); - if ((c = channel_connect_stdio_fwd(ssh, options.stdio_forward_host, -- options.stdio_forward_port, in, out)) == NULL) -+ options.stdio_forward_port, in, out, -+ CHANNEL_NONBLOCK_STDIO)) == NULL) - fatal_f("channel_connect_stdio_fwd failed"); - channel_register_cleanup(ssh, c->self, client_cleanup_stdio_fwd, 0); - channel_register_open_confirm(ssh, c->self, ssh_stdio_confirm, NULL); -@@ -2074,14 +2075,6 @@ ssh_session2_open(struct ssh *ssh) - if (in == -1 || out == -1 || err == -1) - fatal("dup() in/out/err failed"); - -- /* enable nonblocking unless tty */ -- if (!isatty(in)) -- set_nonblock(in); -- if (!isatty(out)) -- set_nonblock(out); -- if (!isatty(err)) -- set_nonblock(err); -- - window = CHAN_SES_WINDOW_DEFAULT; - packetmax = CHAN_SES_PACKET_DEFAULT; - if (tty_flag) { -@@ -2091,7 +2084,7 @@ 
ssh_session2_open(struct ssh *ssh) - c = channel_new(ssh, - "session", SSH_CHANNEL_OPENING, in, out, err, - window, packetmax, CHAN_EXTENDED_WRITE, -- "client-session", /*nonblock*/0); -+ "client-session", CHANNEL_NONBLOCK_STDIO); - - debug3_f("channel_new: %d", c->self); - diff --git a/openssh-8.4p1-debian-compat.patch b/openssh-8.4p1-debian-compat.patch deleted file mode 100644 index 1285979..0000000 --- a/openssh-8.4p1-debian-compat.patch +++ /dev/null 
@@ -1,57 +0,0 @@ ---- compat.h.orig 2020-10-05 10:09:02.953505129 -0700 -+++ compat.h 2020-10-05 10:10:17.587733113 -0700 -@@ -34,7 +34,7 @@ - - #define SSH_BUG_UTF8TTYMODE 0x00000001 - #define SSH_BUG_SIGTYPE 0x00000002 --/* #define unused 0x00000004 */ -+#define SSH_BUG_SIGTYPE74 0x00000004 - /* #define unused 0x00000008 */ - #define SSH_OLD_SESSIONID 0x00000010 - /* #define unused 0x00000020 */ ---- compat.c.orig 2020-10-05 10:25:02.088720562 -0700 -+++ compat.c 2020-10-05 10:13:11.637282492 -0700 -@@ -65,11 +65,12 @@ - { "OpenSSH_6.5*," - "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD| - SSH_BUG_SIGTYPE}, -+ { "OpenSSH_7.4*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE| -+ SSH_BUG_SIGTYPE74}, - { "OpenSSH_7.0*," - "OpenSSH_7.1*," - "OpenSSH_7.2*," - "OpenSSH_7.3*," -- "OpenSSH_7.4*," - "OpenSSH_7.5*," - "OpenSSH_7.6*," - "OpenSSH_7.7*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE}, ---- sshconnect2.c.orig 2020-09-26 07:26:37.618010545 -0700 -+++ sshconnect2.c 2020-10-05 10:47:22.116315148 -0700 -@@ -1305,6 +1305,26 @@ - break; - } - free(oallowed); -+ /* -+ * OpenSSH 7.4 supports SHA2 sig types, but fails to indicate its -+ * support. For that release, check the local policy against the -+ * SHA2 signature types. -+ */ -+ if (alg == NULL && -+ (key->type == KEY_RSA && (ssh->compat & SSH_BUG_SIGTYPE74))) { -+ oallowed = allowed = xstrdup(options.pubkey_accepted_algos); -+ while ((cp = strsep(&allowed, ",")) != NULL) { -+ if (sshkey_type_from_name(cp) != key->type) -+ continue; -+ tmp = match_list(sshkey_sigalg_by_name(cp), "rsa-sha2-256,rsa-sha2-512", NULL); -+ if (tmp != NULL) -+ alg = xstrdup(cp); -+ free(tmp); -+ if (alg != NULL) -+ break; -+ } -+ free(oallowed); -+ } - return alg; - } - -