rebase patches to openssh-7.9p1
parent
8089081fa9
commit
eaa7af2e41
2
.gitignore
2
.gitignore
@ -32,3 +32,5 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
|
|||||||
/DJM-GPG-KEY.gpg
|
/DJM-GPG-KEY.gpg
|
||||||
/openssh-7.8p1.tar.gz
|
/openssh-7.8p1.tar.gz
|
||||||
/openssh-7.8p1.tar.gz.asc
|
/openssh-7.8p1.tar.gz.asc
|
||||||
|
/openssh-7.9p1.tar.gz
|
||||||
|
/openssh-7.9p1.tar.gz.asc
|
||||||
|
@ -82,14 +82,6 @@ diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
|
|||||||
index 22ea8ef..1fc963d 100644
|
index 22ea8ef..1fc963d 100644
|
||||||
--- a/openbsd-compat/port-linux.c
|
--- a/openbsd-compat/port-linux.c
|
||||||
+++ b/openbsd-compat/port-linux.c
|
+++ b/openbsd-compat/port-linux.c
|
||||||
@@ -26,6 +26,7 @@
|
|
||||||
#include <stdarg.h>
|
|
||||||
#include <string.h>
|
|
||||||
#include <stdio.h>
|
|
||||||
+#include <stdlib.h>
|
|
||||||
|
|
||||||
#include "log.h"
|
|
||||||
#include "xmalloc.h"
|
|
||||||
@@ -179,7 +179,7 @@ ssh_selinux_change_context(const char *newname)
|
@@ -179,7 +179,7 @@ ssh_selinux_change_context(const char *newname)
|
||||||
strlcpy(newctx + len, newname, newlen - len);
|
strlcpy(newctx + len, newname, newlen - len);
|
||||||
if ((cx = index(cx + 1, ':')))
|
if ((cx = index(cx + 1, ':')))
|
||||||
|
@ -187,7 +187,7 @@ diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
|
|||||||
+ usage();
|
+ usage();
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ SSLeay_add_all_algorithms();
|
+ OpenSSL_add_all_algorithms();
|
||||||
+
|
+
|
||||||
+ c = cipher_by_name(algo);
|
+ c = cipher_by_name(algo);
|
||||||
+ if (c == NULL) {
|
+ if (c == NULL) {
|
||||||
|
@ -235,9 +235,9 @@ index 28659ec..9c94d8e 100644
|
|||||||
+#endif
|
+#endif
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
|
s->forced = 0;
|
||||||
if (forced != NULL) {
|
if (forced != NULL) {
|
||||||
if (IS_INTERNAL_SFTP(command)) {
|
s->forced = 1;
|
||||||
s->is_subsystem = s->is_subsystem ?
|
|
||||||
diff --git a/ssh-gss.h b/ssh-gss.h
|
diff --git a/ssh-gss.h b/ssh-gss.h
|
||||||
index 0374c88..509109a 100644
|
index 0374c88..509109a 100644
|
||||||
--- a/ssh-gss.h
|
--- a/ssh-gss.h
|
||||||
|
@ -29,14 +29,14 @@ diff -up openssh-7.0p1/gss-genr.c.gsskexalg openssh-7.0p1/gss-genr.c
|
|||||||
@@ -100,6 +101,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
@@ -100,6 +101,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
||||||
char deroid[2];
|
char deroid[2];
|
||||||
const EVP_MD *evp_md = EVP_md5();
|
const EVP_MD *evp_md = EVP_md5();
|
||||||
EVP_MD_CTX md;
|
EVP_MD_CTX *md;
|
||||||
+ char *s, *cp, *p;
|
+ char *s, *cp, *p;
|
||||||
|
|
||||||
if (gss_enc2oid != NULL) {
|
if (gss_enc2oid != NULL) {
|
||||||
for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
|
for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
|
||||||
@@ -113,6 +115,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
@@ -113,6 +115,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
||||||
fatal("%s: sshbuf_new failed", __func__);
|
|
||||||
|
|
||||||
|
md = EVP_MD_CTX_new();
|
||||||
oidpos = 0;
|
oidpos = 0;
|
||||||
+ s = cp = xstrdup(kex);
|
+ s = cp = xstrdup(kex);
|
||||||
for (i = 0; i < gss_supported->count; i++) {
|
for (i = 0; i < gss_supported->count; i++) {
|
||||||
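Review bot: `md = EVP_MD_CTX_new();` on the new side is never checked for NULL, whereas the neighbouring `sshbuf_new` failure on the old side is handled with fatal(); a failed allocation would be dereferenced wherever `md` is next used, which lies outside this hunk. The line carries no inner `+`, so it appears to be context owned by the underlying gsskex patch rather than by gsskexalg, but the rebase is where it surfaces; in whichever patch introduces it I would write `if ((md = EVP_MD_CTX_new()) == NULL) fatal("%s: EVP_MD_CTX_new failed", __func__);`. The `EVP_MD_CTX_free(md);` placed right after the patch's own `free(s);` looks right for the normal exit, but any early return between `xstrdup(kex)` and that point would leak both, which this hunk cannot show. ssh_gssapi_kex_mechs starts and ends outside the hunk.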
@ -81,9 +81,9 @@ diff -up openssh-7.0p1/gss-genr.c.gsskexalg openssh-7.0p1/gss-genr.c
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
+ free(s);
|
+ free(s);
|
||||||
|
EVP_MD_CTX_free(md);
|
||||||
gss_enc2oid[oidpos].oid = NULL;
|
gss_enc2oid[oidpos].oid = NULL;
|
||||||
gss_enc2oid[oidpos].encoded = NULL;
|
gss_enc2oid[oidpos].encoded = NULL;
|
||||||
|
|
||||||
diff -up openssh-7.0p1/gss-serv.c.gsskexalg openssh-7.0p1/gss-serv.c
|
diff -up openssh-7.0p1/gss-serv.c.gsskexalg openssh-7.0p1/gss-serv.c
|
||||||
--- openssh-7.0p1/gss-serv.c.gsskexalg 2015-08-19 12:28:38.024518959 +0200
|
--- openssh-7.0p1/gss-serv.c.gsskexalg 2015-08-19 12:28:38.024518959 +0200
|
||||||
+++ openssh-7.0p1/gss-serv.c 2015-08-19 12:28:38.078518839 +0200
|
+++ openssh-7.0p1/gss-serv.c 2015-08-19 12:28:38.078518839 +0200
|
||||||
|
@ -20,8 +20,8 @@ index ca75cc7..6e7de31 100644
|
|||||||
+#if defined(__NR_flock) && defined(__s390__)
|
+#if defined(__NR_flock) && defined(__s390__)
|
||||||
+ SC_ALLOW(__NR_flock),
|
+ SC_ALLOW(__NR_flock),
|
||||||
+#endif
|
+#endif
|
||||||
#ifdef __NR_geteuid
|
#ifdef __NR_futex
|
||||||
SC_ALLOW(__NR_geteuid),
|
SC_ALLOW(__NR_futex),
|
||||||
#endif
|
#endif
|
||||||
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
|
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
|
||||||
#ifdef __NR_gettimeofday
|
#ifdef __NR_gettimeofday
|
||||||
|
@ -2048,12 +2048,12 @@ diff -up openssh-7.6p1/sshd.c.audit openssh-7.6p1/sshd.c
|
|||||||
+ fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
|
+ fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
|
||||||
+ else
|
+ else
|
||||||
+ fp = NULL;
|
+ fp = NULL;
|
||||||
if ((r = sshkey_demote(sensitive_data.host_keys[i],
|
if ((r = sshkey_from_private(
|
||||||
&tmp)) != 0)
|
sensitive_data.host_keys[i], &tmp)) != 0)
|
||||||
fatal("could not demote host %s key: %s",
|
fatal("could not demote host %s key: %s",
|
||||||
sshkey_type(sensitive_data.host_keys[i]),
|
sshkey_type(sensitive_data.host_keys[i]),
|
||||||
ssh_err(r));
|
ssh_err(r));
|
||||||
sshkey_free(sensitive_data.host_keys[i]);
|
sshkey_free(sensitive_data.host_keys[i]);
|
||||||
sensitive_data.host_keys[i] = tmp;
|
sensitive_data.host_keys[i] = tmp;
|
||||||
+ if (fp != NULL) {
|
+ if (fp != NULL) {
|
||||||
+#ifdef SSH_AUDIT_EVENTS
|
+#ifdef SSH_AUDIT_EVENTS
|
||||||
@ -2126,7 +2126,7 @@ diff -up openssh-7.6p1/sshd.c.audit openssh-7.6p1/sshd.c
|
|||||||
diff -up openssh-7.6p1/sshkey.c.audit openssh-7.6p1/sshkey.c
|
diff -up openssh-7.6p1/sshkey.c.audit openssh-7.6p1/sshkey.c
|
||||||
--- openssh-7.6p1/sshkey.c.audit 2017-10-04 17:18:32.758504660 +0200
|
--- openssh-7.6p1/sshkey.c.audit 2017-10-04 17:18:32.758504660 +0200
|
||||||
+++ openssh-7.6p1/sshkey.c 2017-10-04 17:18:32.839505074 +0200
|
+++ openssh-7.6p1/sshkey.c 2017-10-04 17:18:32.839505074 +0200
|
||||||
@@ -295,6 +295,32 @@ sshkey_type_is_valid_ca(int type)
|
@@ -295,6 +295,38 @@ sshkey_type_is_valid_ca(int type)
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
@ -2135,11 +2135,17 @@ diff -up openssh-7.6p1/sshkey.c.audit openssh-7.6p1/sshkey.c
|
|||||||
+ switch (k->type) {
|
+ switch (k->type) {
|
||||||
+#ifdef WITH_OPENSSL
|
+#ifdef WITH_OPENSSL
|
||||||
+ case KEY_RSA_CERT:
|
+ case KEY_RSA_CERT:
|
||||||
+ case KEY_RSA:
|
+ case KEY_RSA: {
|
||||||
+ return k->rsa->d != NULL;
|
+ const BIGNUM *d;
|
||||||
|
+ RSA_get0_key(k->rsa, NULL, NULL, &d);
|
||||||
|
+ return d != NULL;
|
||||||
|
+ }
|
||||||
+ case KEY_DSA_CERT:
|
+ case KEY_DSA_CERT:
|
||||||
+ case KEY_DSA:
|
+ case KEY_DSA: {
|
||||||
+ return k->dsa->priv_key != NULL;
|
+ const BIGNUM *priv_key;
|
||||||
|
+ DSA_get0_key(k->dsa, NULL, &priv_key);
|
||||||
|
+ return priv_key != NULL;
|
||||||
|
+ }
|
||||||
+#ifdef OPENSSL_HAS_ECC
|
+#ifdef OPENSSL_HAS_ECC
|
||||||
+ case KEY_ECDSA_CERT:
|
+ case KEY_ECDSA_CERT:
|
||||||
+ case KEY_ECDSA:
|
+ case KEY_ECDSA:
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
diff -up openssh-7.6p1/ssh-pkcs11-client.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11-client.c
|
diff -up openssh/ssh-pkcs11-client.c.pkcs11-ecdsa openssh/ssh-pkcs11-client.c
|
||||||
--- openssh-7.6p1/ssh-pkcs11-client.c.pkcs11-ecdsa 2018-02-16 13:25:59.426469253 +0100
|
--- openssh/ssh-pkcs11-client.c.pkcs11-ecdsa 2018-10-12 14:05:55.020656974 +0200
|
||||||
+++ openssh-7.6p1/ssh-pkcs11-client.c 2018-02-16 13:25:59.428469265 +0100
|
+++ openssh/ssh-pkcs11-client.c 2018-10-12 14:05:55.023656999 +0200
|
||||||
@@ -31,6 +31,15 @@
|
@@ -31,6 +31,15 @@
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
|
|
||||||
@ -15,9 +15,9 @@ diff -up openssh-7.6p1/ssh-pkcs11-client.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11
|
|||||||
+#endif
|
+#endif
|
||||||
+#endif
|
+#endif
|
||||||
|
|
||||||
#include "pathnames.h"
|
#include "openbsd-compat/openssl-compat.h"
|
||||||
#include "xmalloc.h"
|
|
||||||
@@ -139,9 +147,9 @@ pkcs11_rsa_private_encrypt(int flen, con
|
@@ -155,9 +164,9 @@ pkcs11_rsa_private_encrypt(int flen, con
|
||||||
return (ret);
|
return (ret);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -27,9 +27,9 @@ diff -up openssh-7.6p1/ssh-pkcs11-client.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11
|
|||||||
-wrap_key(RSA *rsa)
|
-wrap_key(RSA *rsa)
|
||||||
+wrap_rsa_key(RSA *rsa)
|
+wrap_rsa_key(RSA *rsa)
|
||||||
{
|
{
|
||||||
static RSA_METHOD helper_rsa;
|
static RSA_METHOD *helper_rsa;
|
||||||
|
|
||||||
@@ -152,6 +160,88 @@ wrap_key(RSA *rsa)
|
@@ -170,6 +179,88 @@ wrap_key(RSA *rsa)
|
||||||
return (0);
|
return (0);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -118,7 +118,7 @@ diff -up openssh-7.6p1/ssh-pkcs11-client.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11
|
|||||||
static int
|
static int
|
||||||
pkcs11_start_helper(void)
|
pkcs11_start_helper(void)
|
||||||
{
|
{
|
||||||
@@ -212,7 +281,15 @@ pkcs11_add_provider(char *name, char *pi
|
@@ -238,7 +329,15 @@ pkcs11_add_provider(char *name, char *pi
|
||||||
__func__, ssh_err(r));
|
__func__, ssh_err(r));
|
||||||
if ((r = sshkey_from_blob(blob, blen, &k)) != 0)
|
if ((r = sshkey_from_blob(blob, blen, &k)) != 0)
|
||||||
fatal("%s: bad key: %s", __func__, ssh_err(r));
|
fatal("%s: bad key: %s", __func__, ssh_err(r));
|
||||||
@ -135,11 +135,11 @@ diff -up openssh-7.6p1/ssh-pkcs11-client.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11
|
|||||||
(*keysp)[i] = k;
|
(*keysp)[i] = k;
|
||||||
free(blob);
|
free(blob);
|
||||||
}
|
}
|
||||||
diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
|
diff -up openssh/ssh-pkcs11.c.pkcs11-ecdsa openssh/ssh-pkcs11.c
|
||||||
--- openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa 2018-02-16 13:25:59.427469259 +0100
|
--- openssh/ssh-pkcs11.c.pkcs11-ecdsa 2018-10-12 14:05:55.021656982 +0200
|
||||||
+++ openssh-7.6p1/ssh-pkcs11.c 2018-02-16 13:44:51.270554797 +0100
|
+++ openssh/ssh-pkcs11.c 2018-10-12 14:11:54.292636679 +0200
|
||||||
@@ -32,6 +32,16 @@
|
@@ -33,6 +33,16 @@
|
||||||
#include "openbsd-compat/sys-queue.h"
|
#include "openbsd-compat/openssl-compat.h"
|
||||||
|
|
||||||
#include <openssl/x509.h>
|
#include <openssl/x509.h>
|
||||||
+#include <openssl/rsa.h>
|
+#include <openssl/rsa.h>
|
||||||
@ -155,15 +155,15 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
|
|||||||
|
|
||||||
#define CRYPTOKI_COMPAT
|
#define CRYPTOKI_COMPAT
|
||||||
#include "pkcs11.h"
|
#include "pkcs11.h"
|
||||||
@@ -67,6 +76,7 @@ TAILQ_HEAD(, pkcs11_provider) pkcs11_pro
|
@@ -74,6 +84,7 @@ TAILQ_HEAD(, pkcs11_provider) pkcs11_pro
|
||||||
struct pkcs11_key {
|
struct pkcs11_key {
|
||||||
struct pkcs11_provider *provider;
|
struct pkcs11_provider *provider;
|
||||||
CK_ULONG slotidx;
|
CK_ULONG slotidx;
|
||||||
+ CK_ULONG key_type;
|
+ CK_ULONG key_type;
|
||||||
int (*orig_finish)(RSA *rsa);
|
int (*orig_finish)(RSA *rsa);
|
||||||
RSA_METHOD rsa_method;
|
RSA_METHOD *rsa_method;
|
||||||
char *keyid;
|
char *keyid;
|
||||||
@@ -75,6 +85,9 @@ struct pkcs11_key {
|
@@ -82,6 +93,9 @@ struct pkcs11_key {
|
||||||
};
|
};
|
||||||
|
|
||||||
int pkcs11_interactive = 0;
|
int pkcs11_interactive = 0;
|
||||||
@ -173,7 +173,7 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
|
|||||||
|
|
||||||
/*
|
/*
|
||||||
* This can't be in the ssh-pkcs11-uri, becase we can not depend on
|
* This can't be in the ssh-pkcs11-uri, becase we can not depend on
|
||||||
@@ -289,6 +302,40 @@ pkcs11_find(struct pkcs11_provider *p, C
|
@@ -345,6 +359,40 @@ pkcs11_find(struct pkcs11_provider *p, C
|
||||||
return (ret);
|
return (ret);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -214,7 +214,7 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
|
|||||||
/* openssl callback doing the actual signing operation */
|
/* openssl callback doing the actual signing operation */
|
||||||
static int
|
static int
|
||||||
pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
|
pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
|
||||||
@@ -310,7 +357,6 @@ pkcs11_rsa_private_encrypt(int flen, con
|
@@ -366,7 +414,6 @@ pkcs11_rsa_private_encrypt(int flen, con
|
||||||
{CKA_ID, NULL, 0},
|
{CKA_ID, NULL, 0},
|
||||||
{CKA_SIGN, NULL, sizeof(true_val) }
|
{CKA_SIGN, NULL, sizeof(true_val) }
|
||||||
};
|
};
|
||||||
@ -222,7 +222,7 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
|
|||||||
int rval = -1;
|
int rval = -1;
|
||||||
|
|
||||||
key_filter[0].pValue = &private_key_class;
|
key_filter[0].pValue = &private_key_class;
|
||||||
@@ -326,33 +372,8 @@ pkcs11_rsa_private_encrypt(int flen, con
|
@@ -383,33 +430,8 @@ pkcs11_rsa_private_encrypt(int flen, con
|
||||||
}
|
}
|
||||||
f = k11->provider->module->function_list;
|
f = k11->provider->module->function_list;
|
||||||
si = &k11->provider->module->slotinfo[k11->slotidx];
|
si = &k11->provider->module->slotinfo[k11->slotidx];
|
||||||
@ -258,7 +258,7 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
|
|||||||
}
|
}
|
||||||
key_filter[1].pValue = k11->keyid;
|
key_filter[1].pValue = k11->keyid;
|
||||||
key_filter[1].ulValueLen = k11->keyid_len;
|
key_filter[1].ulValueLen = k11->keyid_len;
|
||||||
@@ -390,6 +411,7 @@ pkcs11_rsa_wrap(struct pkcs11_provider *
|
@@ -447,6 +469,7 @@ pkcs11_rsa_wrap(struct pkcs11_provider *
|
||||||
const RSA_METHOD *def = RSA_get_default_method();
|
const RSA_METHOD *def = RSA_get_default_method();
|
||||||
|
|
||||||
k11 = xcalloc(1, sizeof(*k11));
|
k11 = xcalloc(1, sizeof(*k11));
|
||||||
@ -266,7 +266,7 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
|
|||||||
k11->provider = provider;
|
k11->provider = provider;
|
||||||
provider->refcount++; /* provider referenced by RSA key */
|
provider->refcount++; /* provider referenced by RSA key */
|
||||||
k11->slotidx = slotidx;
|
k11->slotidx = slotidx;
|
||||||
@@ -415,6 +437,184 @@ pkcs11_rsa_wrap(struct pkcs11_provider *
|
@@ -477,6 +500,184 @@ pkcs11_rsa_wrap(struct pkcs11_provider *
|
||||||
return (0);
|
return (0);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -451,7 +451,7 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
|
|||||||
/* remove trailing spaces */
|
/* remove trailing spaces */
|
||||||
static void
|
static void
|
||||||
rmspace(u_char *buf, size_t len)
|
rmspace(u_char *buf, size_t len)
|
||||||
@@ -482,11 +646,13 @@ static int
|
@@ -544,11 +745,13 @@ static int
|
||||||
pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
|
pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
|
||||||
struct sshkey ***keysp, int *nkeys, struct pkcs11_uri *uri)
|
struct sshkey ***keysp, int *nkeys, struct pkcs11_uri *uri)
|
||||||
{
|
{
|
||||||
@ -466,7 +466,7 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
|
|||||||
{ CKA_ID, NULL, 0 },
|
{ CKA_ID, NULL, 0 },
|
||||||
{ CKA_LABEL, NULL, 0 }
|
{ CKA_LABEL, NULL, 0 }
|
||||||
};
|
};
|
||||||
@@ -507,29 +673,60 @@ pkcs11_fetch_keys(struct pkcs11_provider
|
@@ -569,29 +772,60 @@ pkcs11_fetch_keys(struct pkcs11_provider
|
||||||
{ CKA_SUBJECT, NULL, 0 },
|
{ CKA_SUBJECT, NULL, 0 },
|
||||||
{ CKA_VALUE, NULL, 0 }
|
{ CKA_VALUE, NULL, 0 }
|
||||||
};
|
};
|
||||||
@ -533,9 +533,12 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
|
|||||||
cert_attribs, keysp, nkeys) < 0)
|
cert_attribs, keysp, nkeys) < 0)
|
||||||
return (-1);
|
return (-1);
|
||||||
return (0);
|
return (0);
|
||||||
@@ -553,6 +746,11 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
|
@@ -624,8 +858,13 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
|
||||||
|
CK_ATTRIBUTE filter[], size_t filter_size, CK_ATTRIBUTE attribs[4],
|
||||||
|
struct sshkey ***keysp, int *nkeys)
|
||||||
{
|
{
|
||||||
struct sshkey *key;
|
- struct sshkey *key;
|
||||||
|
+ struct sshkey *key = NULL;
|
||||||
RSA *rsa;
|
RSA *rsa;
|
||||||
+#ifdef ENABLE_PKCS11_ECDSA
|
+#ifdef ENABLE_PKCS11_ECDSA
|
||||||
+ EC_KEY *ecdsa;
|
+ EC_KEY *ecdsa;
|
||||||
@ -545,7 +548,7 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
|
|||||||
X509 *x509;
|
X509 *x509;
|
||||||
EVP_PKEY *evp = NULL;
|
EVP_PKEY *evp = NULL;
|
||||||
int i;
|
int i;
|
||||||
@@ -608,6 +806,9 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
|
@@ -678,6 +917,9 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
|
||||||
* or ID, label, subject and value for certificates.
|
* or ID, label, subject and value for certificates.
|
||||||
*/
|
*/
|
||||||
rsa = NULL;
|
rsa = NULL;
|
||||||
@ -555,9 +558,9 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
|
|||||||
if ((rv = f->C_GetAttributeValue(session, obj, attribs, nattribs))
|
if ((rv = f->C_GetAttributeValue(session, obj, attribs, nattribs))
|
||||||
!= CKR_OK) {
|
!= CKR_OK) {
|
||||||
error("C_GetAttributeValue failed: %lu", rv);
|
error("C_GetAttributeValue failed: %lu", rv);
|
||||||
@@ -620,6 +821,45 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
|
@@ -700,6 +942,45 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
|
||||||
rsa->e = BN_bin2bn(attribs[3].pValue,
|
BN_free(rsa_n);
|
||||||
attribs[3].ulValueLen, NULL);
|
BN_free(rsa_e);
|
||||||
}
|
}
|
||||||
+#ifdef ENABLE_PKCS11_ECDSA
|
+#ifdef ENABLE_PKCS11_ECDSA
|
||||||
+ } else if (attribs[2].type == CKA_EC_PARAMS ) {
|
+ } else if (attribs[2].type == CKA_EC_PARAMS ) {
|
||||||
@ -601,43 +604,61 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
|
|||||||
} else {
|
} else {
|
||||||
cp = attribs[3].pValue;
|
cp = attribs[3].pValue;
|
||||||
if ((x509 = X509_new()) == NULL) {
|
if ((x509 = X509_new()) == NULL) {
|
||||||
@@ -639,13 +879,28 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
|
@@ -707,13 +988,28 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
|
||||||
|
} else if (d2i_X509(&x509, &cp, attribs[3].ulValueLen)
|
||||||
|
== NULL) {
|
||||||
|
error("d2i_X509 failed");
|
||||||
|
- } else if ((evp = X509_get_pubkey(x509)) == NULL ||
|
||||||
|
- EVP_PKEY_base_id(evp) != EVP_PKEY_RSA ||
|
||||||
|
- EVP_PKEY_get0_RSA(evp) == NULL) {
|
||||||
|
- debug("X509_get_pubkey failed or no rsa");
|
||||||
|
- } else if ((rsa = RSAPublicKey_dup(
|
||||||
|
- EVP_PKEY_get0_RSA(evp))) == NULL) {
|
||||||
|
- error("RSAPublicKey_dup");
|
||||||
|
+ } else if ((evp = X509_get_pubkey(x509)) == NULL) {
|
||||||
|
+ debug("X509_get_pubkey failed");
|
||||||
|
+ } else {
|
||||||
|
+ switch (EVP_PKEY_base_id(evp)) {
|
||||||
|
+ case EVP_PKEY_RSA:
|
||||||
|
+ if (EVP_PKEY_get0_RSA(evp) == NULL)
|
||||||
|
+ debug("Missing RSA key");
|
||||||
|
+ else if ((rsa = RSAPublicKey_dup(
|
||||||
|
+ EVP_PKEY_get0_RSA(evp))) == NULL)
|
||||||
|
+ error("RSAPublicKey_dup failed");
|
||||||
|
+ break;
|
||||||
|
+ case EVP_PKEY_EC:
|
||||||
|
+ if (EVP_PKEY_get0_EC_KEY(evp) == NULL)
|
||||||
|
+ debug("Missing ECDSA key");
|
||||||
|
+ else if ((ecdsa = EC_KEY_dup(
|
||||||
|
+ EVP_PKEY_get0_EC_KEY(evp))) == NULL)
|
||||||
|
+ error("EC_KEY_dup failed");
|
||||||
|
+ break;
|
||||||
|
+ default:
|
||||||
|
+ debug("not a RSA or ECDSA key");
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
X509_free(x509);
|
X509_free(x509);
|
||||||
EVP_PKEY_free(evp);
|
EVP_PKEY_free(evp);
|
||||||
}
|
@@ -725,6 +1021,17 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
|
||||||
- if (rsa && rsa->n && rsa->e &&
|
key->rsa = rsa;
|
||||||
- pkcs11_rsa_wrap(p, slotidx, &attribs[0], &attribs[1], rsa) == 0) {
|
key->type = KEY_RSA;
|
||||||
- if ((key = sshkey_new(KEY_UNSPEC)) == NULL)
|
key->flags |= SSHKEY_FLAG_EXT;
|
||||||
- fatal("sshkey_new failed");
|
|
||||||
- key->rsa = rsa;
|
|
||||||
- key->type = KEY_RSA;
|
|
||||||
- key->flags |= SSHKEY_FLAG_EXT;
|
|
||||||
+ key = NULL;
|
|
||||||
+ if (rsa || ecdsa) {
|
|
||||||
+ if (rsa && rsa->n && rsa->e &&
|
|
||||||
+ pkcs11_rsa_wrap(p, slotidx, &attribs[0], &attribs[1], rsa) == 0) {
|
|
||||||
+ if ((key = sshkey_new(KEY_UNSPEC)) == NULL)
|
|
||||||
+ fatal("sshkey_new failed");
|
|
||||||
+ key->rsa = rsa;
|
|
||||||
+ key->type = KEY_RSA;
|
|
||||||
+ key->flags |= SSHKEY_FLAG_EXT;
|
|
||||||
+#ifdef ENABLE_PKCS11_ECDSA
|
+#ifdef ENABLE_PKCS11_ECDSA
|
||||||
+ } else if(ecdsa && pkcs11_ecdsa_wrap(p, slotidx, &attribs[0], &attribs[1], ecdsa) == 0) {
|
+ } else if (ecdsa &&
|
||||||
+ if ((key = sshkey_new(KEY_UNSPEC)) == NULL)
|
+ pkcs11_ecdsa_wrap(p, slotidx, &attribs[0], &attribs[1], ecdsa) == 0) {
|
||||||
+ fatal("sshkey_new failed");
|
+ if ((key = sshkey_new(KEY_UNSPEC)) == NULL)
|
||||||
+ key->ecdsa = ecdsa;
|
+ fatal("sshkey_new failed");
|
||||||
+ key->ecdsa_nid = sshkey_ecdsa_key_to_nid(ecdsa);
|
+ key->ecdsa = ecdsa;
|
||||||
+ key->type = KEY_ECDSA;
|
+ key->type = KEY_ECDSA;
|
||||||
+ key->flags |= SSHKEY_FLAG_EXT;
|
+ key->flags |= SSHKEY_FLAG_EXT;
|
||||||
+#endif /* ENABLE_PKCS11_ECDSA */
|
+#endif /* ENABLE_PKCS11_ECDSA */
|
||||||
+ }
|
|
||||||
+ }
|
+ }
|
||||||
+
|
+ if (key) {
|
||||||
+ if(key) {
|
|
||||||
if (pkcs11_key_included(keysp, nkeys, key)) {
|
if (pkcs11_key_included(keysp, nkeys, key)) {
|
||||||
sshkey_free(key);
|
sshkey_free(key);
|
||||||
} else {
|
} else {
|
||||||
@@ -658,6 +913,10 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
|
@@ -737,6 +1044,10 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
|
||||||
}
|
}
|
||||||
} else if (rsa) {
|
} else if (rsa) {
|
||||||
RSA_free(rsa);
|
RSA_free(rsa);
|
||||||
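Review bot: Moving the reset of `key` to its declaration (`struct sshkey *key = NULL;` in the earlier hunk, with the old per-object `key = NULL;` dropped here) means `key` is no longer cleared on each pass; if this block sits inside the object-enumeration loop, as the per-iteration `rsa = NULL;` context earlier in the patch suggests, an iteration in which neither wrap succeeds reaches `if (key) {` holding the previous iteration's pointer, and `pkcs11_key_included()` then `sshkey_free()`s a key that is still referenced from `*keysp` (or was already freed as a duplicate). Keep a per-iteration `key = NULL;` next to `rsa = NULL;` unless one is already added in the `@@ -678,6 +917,9 @@` hunk, whose added lines are not visible here. Separately, the ECDSA branch no longer sets the curve nid: the old side had `key->ecdsa_nid = sshkey_ecdsa_key_to_nid(ecdsa);` after `key->ecdsa = ecdsa;` and the new side does not, so unless the nid is now assigned elsewhere in the patch an ECDSA key built here will not resolve to a curve name. pkcs11_fetch_keys_filter starts and ends outside this hunk.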
@ -648,9 +669,9 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
|
|||||||
}
|
}
|
||||||
for (i = 0; i < nattribs; i++)
|
for (i = 0; i < nattribs; i++)
|
||||||
free(attribs[i].pValue);
|
free(attribs[i].pValue);
|
||||||
diff -up openssh-7.6p1/ssh-pkcs11-helper.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11-helper.c
|
diff -up openssh/ssh-pkcs11-helper.c.pkcs11-ecdsa openssh/ssh-pkcs11-helper.c
|
||||||
--- openssh-7.6p1/ssh-pkcs11-helper.c.pkcs11-ecdsa 2017-10-02 21:34:26.000000000 +0200
|
--- openssh/ssh-pkcs11-helper.c.pkcs11-ecdsa 2018-10-11 02:56:36.000000000 +0200
|
||||||
+++ openssh-7.6p1/ssh-pkcs11-helper.c 2018-02-16 13:25:59.428469265 +0100
|
+++ openssh/ssh-pkcs11-helper.c 2018-10-12 14:05:55.023656999 +0200
|
||||||
@@ -24,6 +24,17 @@
|
@@ -24,6 +24,17 @@
|
||||||
|
|
||||||
#include "openbsd-compat/sys-queue.h"
|
#include "openbsd-compat/sys-queue.h"
|
||||||
@ -669,7 +690,7 @@ diff -up openssh-7.6p1/ssh-pkcs11-helper.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11
|
|||||||
#include <stdarg.h>
|
#include <stdarg.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
@@ -80,7 +90,7 @@ del_keys_by_name(char *name)
|
@@ -77,7 +88,7 @@ del_keys_by_name(char *name)
|
||||||
if (!strcmp(ki->providername, name)) {
|
if (!strcmp(ki->providername, name)) {
|
||||||
TAILQ_REMOVE(&pkcs11_keylist, ki, next);
|
TAILQ_REMOVE(&pkcs11_keylist, ki, next);
|
||||||
free(ki->providername);
|
free(ki->providername);
|
||||||
@ -678,7 +699,7 @@ diff -up openssh-7.6p1/ssh-pkcs11-helper.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11
|
|||||||
free(ki);
|
free(ki);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -164,6 +174,20 @@ process_del(void)
|
@@ -172,6 +183,20 @@ process_del(void)
|
||||||
sshbuf_free(msg);
|
sshbuf_free(msg);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -699,7 +720,7 @@ diff -up openssh-7.6p1/ssh-pkcs11-helper.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11
|
|||||||
static void
|
static void
|
||||||
process_sign(void)
|
process_sign(void)
|
||||||
{
|
{
|
||||||
@@ -180,14 +204,38 @@ process_sign(void)
|
@@ -192,14 +217,38 @@ process_sign(void)
|
||||||
else {
|
else {
|
||||||
if ((found = lookup_key(key)) != NULL) {
|
if ((found = lookup_key(key)) != NULL) {
|
||||||
#ifdef WITH_OPENSSL
|
#ifdef WITH_OPENSSL
|
||||||
@ -746,9 +767,9 @@ diff -up openssh-7.6p1/ssh-pkcs11-helper.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11
|
|||||||
}
|
}
|
||||||
#endif /* WITH_OPENSSL */
|
#endif /* WITH_OPENSSL */
|
||||||
}
|
}
|
||||||
diff -up openssh-7.6p1/ssh-pkcs11.h.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.h
|
diff -up openssh/ssh-pkcs11.h.pkcs11-ecdsa openssh/ssh-pkcs11.h
|
||||||
--- openssh-7.6p1/ssh-pkcs11.h.pkcs11-ecdsa 2018-02-16 13:25:59.429469272 +0100
|
--- openssh/ssh-pkcs11.h.pkcs11-ecdsa 2018-10-12 14:05:55.021656982 +0200
|
||||||
+++ openssh-7.6p1/ssh-pkcs11.h 2018-02-16 13:45:29.623800048 +0100
|
+++ openssh/ssh-pkcs11.h 2018-10-12 14:05:55.023656999 +0200
|
||||||
@@ -20,6 +20,7 @@
|
@@ -20,6 +20,7 @@
|
||||||
int pkcs11_init(int);
|
int pkcs11_init(int);
|
||||||
void pkcs11_terminate(void);
|
void pkcs11_terminate(void);
|
||||||
@ -757,45 +778,3 @@ diff -up openssh-7.6p1/ssh-pkcs11.h.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.h
|
|||||||
int pkcs11_add_provider_by_uri(struct pkcs11_uri *, char *, struct sshkey ***);
|
int pkcs11_add_provider_by_uri(struct pkcs11_uri *, char *, struct sshkey ***);
|
||||||
int pkcs11_del_provider(char *);
|
int pkcs11_del_provider(char *);
|
||||||
int pkcs11_uri_write(const struct sshkey *, FILE *);
|
int pkcs11_uri_write(const struct sshkey *, FILE *);
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
diff -up openssh-7.6p1/ssh-pkcs11.c.old openssh-7.6p1/ssh-pkcs11.c
|
|
||||||
--- openssh-7.6p1/ssh-pkcs11.c.old 2018-02-16 16:43:08.861520255 +0100
|
|
||||||
+++ openssh-7.6p1/ssh-pkcs11.c 2018-02-16 16:56:35.312601451 +0100
|
|
||||||
@@ -917,13 +917,28 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
|
|
||||||
} else if (d2i_X509(&x509, &cp, attribs[3].ulValueLen)
|
|
||||||
== NULL) {
|
|
||||||
error("d2i_X509 failed");
|
|
||||||
- } else if ((evp = X509_get_pubkey(x509)) == NULL ||
|
|
||||||
- evp->type != EVP_PKEY_RSA ||
|
|
||||||
- evp->pkey.rsa == NULL) {
|
|
||||||
- debug("X509_get_pubkey failed or no rsa");
|
|
||||||
- } else if ((rsa = RSAPublicKey_dup(evp->pkey.rsa))
|
|
||||||
- == NULL) {
|
|
||||||
- error("RSAPublicKey_dup");
|
|
||||||
+ } else if ((evp = X509_get_pubkey(x509)) == NULL) {
|
|
||||||
+ debug("X509_get_pubkey failed");
|
|
||||||
+ } else {
|
|
||||||
+ switch (evp->type) {
|
|
||||||
+ case EVP_PKEY_RSA:
|
|
||||||
+ if (evp->pkey.rsa == NULL)
|
|
||||||
+ debug("Missing RSA key");
|
|
||||||
+ else if ((rsa = RSAPublicKey_dup(
|
|
||||||
+ evp->pkey.rsa)) == NULL)
|
|
||||||
+ error("RSAPublicKey_dup failed");
|
|
||||||
+ break;
|
|
||||||
+ case EVP_PKEY_EC:
|
|
||||||
+ if (evp->pkey.ecdsa == NULL)
|
|
||||||
+ debug("Missing ECDSA key");
|
|
||||||
+ else if ((ecdsa = EC_KEY_dup(
|
|
||||||
+ evp->pkey.ecdsa)) == NULL)
|
|
||||||
+ error("EC_KEY_dup failed");
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ debug("not a RSA or ECDSA key");
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
X509_free(x509);
|
|
||||||
EVP_PKEY_free(evp);
|
|
||||||
|
@ -102,12 +102,14 @@ diff -up openssh-7.7p1/dh.h.fips openssh-7.7p1/dh.h
|
|||||||
diff -up openssh-7.7p1/entropy.c.fips openssh-7.7p1/entropy.c
|
diff -up openssh-7.7p1/entropy.c.fips openssh-7.7p1/entropy.c
|
||||||
--- openssh-7.7p1/entropy.c.fips 2018-08-08 10:08:40.698718928 +0200
|
--- openssh-7.7p1/entropy.c.fips 2018-08-08 10:08:40.698718928 +0200
|
||||||
+++ openssh-7.7p1/entropy.c 2018-08-08 10:08:40.822719973 +0200
|
+++ openssh-7.7p1/entropy.c 2018-08-08 10:08:40.822719973 +0200
|
||||||
@@ -217,6 +217,9 @@ seed_rng(void)
|
@@ -217,6 +217,11 @@ seed_rng(void)
|
||||||
fatal("OpenSSL version mismatch. Built against %lx, you "
|
fatal("OpenSSL version mismatch. Built against %lx, you "
|
||||||
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
|
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
|
||||||
|
|
||||||
+ /* clean the PRNG status when exiting the program */
|
+ /* clean the PRNG status when exiting the program */
|
||||||
|
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||||
+ atexit(RAND_cleanup);
|
+ atexit(RAND_cleanup);
|
||||||
|
+#endif
|
||||||
+
|
+
|
||||||
#ifndef OPENSSL_PRNG_ONLY
|
#ifndef OPENSSL_PRNG_ONLY
|
||||||
if (RAND_status() == 1) {
|
if (RAND_status() == 1) {
|
||||||
@ -377,16 +379,16 @@ diff -up openssh-7.7p1/myproposal.h.fips openssh-7.7p1/myproposal.h
|
|||||||
+ "hmac-sha1"
|
+ "hmac-sha1"
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
#else /* WITH_OPENSSL */
|
/* Not a KEX value, but here so all the algorithm defaults are together */
|
||||||
|
#define SSH_ALLOWED_CA_SIGALGS \
|
||||||
#define KEX_SERVER_KEX \
|
"ecdsa-sha2-nistp256," \
|
||||||
diff -up openssh-7.7p1/readconf.c.fips openssh-7.7p1/readconf.c
|
diff -up openssh-7.7p1/readconf.c.fips openssh-7.7p1/readconf.c
|
||||||
--- openssh-7.7p1/readconf.c.fips 2018-08-08 10:08:40.769719527 +0200
|
--- openssh-7.7p1/readconf.c.fips 2018-08-08 10:08:40.769719527 +0200
|
||||||
+++ openssh-7.7p1/readconf.c 2018-08-08 10:08:40.824719990 +0200
|
+++ openssh-7.7p1/readconf.c 2018-08-08 10:08:40.824719990 +0200
|
||||||
@@ -2081,17 +2081,18 @@ fill_default_options(Options * options)
|
@@ -2081,18 +2081,19 @@ fill_default_options(Options * options)
|
||||||
all_mac = mac_alg_list(',');
|
|
||||||
all_kex = kex_alg_list(',');
|
all_kex = kex_alg_list(',');
|
||||||
all_key = sshkey_alg_list(0, 0, 1, ',');
|
all_key = sshkey_alg_list(0, 0, 1, ',');
|
||||||
|
all_sig = sshkey_alg_list(0, 1, 1, ',');
|
||||||
-#define ASSEMBLE(what, defaults, all) \
|
-#define ASSEMBLE(what, defaults, all) \
|
||||||
+#define ASSEMBLE(what, defaults, fips_defaults, all) \
|
+#define ASSEMBLE(what, defaults, fips_defaults, all) \
|
||||||
do { \
|
do { \
|
||||||
@ -401,11 +403,13 @@ diff -up openssh-7.7p1/readconf.c.fips openssh-7.7p1/readconf.c
|
|||||||
- ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);
|
- ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);
|
||||||
- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
|
- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
|
||||||
- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
|
- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
|
||||||
|
- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
|
||||||
+ ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
|
+ ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
|
||||||
+ ASSEMBLE(macs, KEX_SERVER_MAC, KEX_FIPS_MAC, all_mac);
|
+ ASSEMBLE(macs, KEX_SERVER_MAC, KEX_FIPS_MAC, all_mac);
|
||||||
+ ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
|
+ ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
|
||||||
+ ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
|
+ ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
|
||||||
+ ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
|
+ ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
|
||||||
|
+ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
|
||||||
#undef ASSEMBLE
|
#undef ASSEMBLE
|
||||||
free(all_cipher);
|
free(all_cipher);
|
||||||
free(all_mac);
|
free(all_mac);
|
||||||
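Review bot: `ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);` gives CASignatureAlgorithms the host-key-type list as its FIPS default, while the non-FIPS default is the dedicated `SSH_ALLOWED_CA_SIGALGS` that the myproposal.h hunk above shows being defined separately. A key-type list and a CA signature-algorithm list are different things (the former typically carries certificate key types, which are never signature algorithms), so whatever `KEX_FIPS_PK_ALG` happens to contain becomes the FIPS CA signing policy by accident rather than by decision. I would define a dedicated FIPS macro next to `KEX_FIPS_PK_ALG` in myproposal.h (constructed name, e.g. `KEX_FIPS_CA_SIGALGS`) listing only the signature algorithms allowed under FIPS and pass that here instead. The same line is repeated in the servconf.c hunk below, whose end lies outside this view; the fill_default_options body also starts before this hunk.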
@ -425,10 +429,10 @@ diff -up openssh-7.7p1/sandbox-seccomp-filter.c.fips openssh-7.7p1/sandbox-secco
|
|||||||
diff -up openssh-7.7p1/servconf.c.fips openssh-7.7p1/servconf.c
|
diff -up openssh-7.7p1/servconf.c.fips openssh-7.7p1/servconf.c
|
||||||
--- openssh-7.7p1/servconf.c.fips 2018-08-08 10:08:40.778719603 +0200
|
--- openssh-7.7p1/servconf.c.fips 2018-08-08 10:08:40.778719603 +0200
|
||||||
+++ openssh-7.7p1/servconf.c 2018-08-08 10:08:40.824719990 +0200
|
+++ openssh-7.7p1/servconf.c 2018-08-08 10:08:40.824719990 +0200
|
||||||
@@ -196,17 +196,18 @@ option_clear_or_none(const char *o)
|
@@ -196,18 +196,19 @@ option_clear_or_none(const char *o)
|
||||||
all_mac = mac_alg_list(',');
|
|
||||||
all_kex = kex_alg_list(',');
|
all_kex = kex_alg_list(',');
|
||||||
all_key = sshkey_alg_list(0, 0, 1, ',');
|
all_key = sshkey_alg_list(0, 0, 1, ',');
|
||||||
|
all_sig = sshkey_alg_list(0, 1, 1, ',');
|
||||||
-#define ASSEMBLE(what, defaults, all) \
|
-#define ASSEMBLE(what, defaults, all) \
|
||||||
+#define ASSEMBLE(what, defaults, fips_defaults, all) \
|
+#define ASSEMBLE(what, defaults, fips_defaults, all) \
|
||||||
do { \
|
do { \
|
||||||
@ -443,12 +447,14 @@ diff -up openssh-7.7p1/servconf.c.fips openssh-7.7p1/servconf.c
|
|||||||
- ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);
|
- ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);
|
||||||
- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
|
- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
|
||||||
- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
|
- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
|
||||||
|
- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
|
||||||
+ ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
|
+ ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
|
||||||
+ ASSEMBLE(macs, KEX_SERVER_MAC, KEX_FIPS_MAC, all_mac);
|
+ ASSEMBLE(macs, KEX_SERVER_MAC, KEX_FIPS_MAC, all_mac);
|
||||||
+ ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
|
+ ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
|
||||||
+ ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
|
+ ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
|
||||||
+ ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
|
+ ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
|
||||||
+ ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
|
+ ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
|
||||||
|
+ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
|
||||||
#undef ASSEMBLE
|
#undef ASSEMBLE
|
||||||
free(all_cipher);
|
free(all_cipher);
|
||||||
free(all_mac);
|
free(all_mac);
|
||||||
@ -464,11 +470,13 @@ diff -up openssh-7.7p1/ssh.c.fips openssh-7.7p1/ssh.c
|
|||||||
#include "openbsd-compat/openssl-compat.h"
|
#include "openbsd-compat/openssl-compat.h"
|
||||||
#include "openbsd-compat/sys-queue.h"
|
#include "openbsd-compat/sys-queue.h"
|
||||||
|
|
||||||
@@ -579,6 +581,14 @@ main(int ac, char **av)
|
@@ -579,6 +581,16 @@ main(int ac, char **av)
|
||||||
sanitise_stdfd();
|
sanitise_stdfd();
|
||||||
|
|
||||||
__progname = ssh_get_progname(av[0]);
|
__progname = ssh_get_progname(av[0]);
|
||||||
+ SSLeay_add_all_algorithms();
|
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||||
|
+ SSLeay_add_all_algorithms();
|
||||||
|
+#endif
|
||||||
+ if (access("/etc/system-fips", F_OK) == 0)
|
+ if (access("/etc/system-fips", F_OK) == 0)
|
||||||
+ if (! FIPSCHECK_verify(NULL, NULL)){
|
+ if (! FIPSCHECK_verify(NULL, NULL)){
|
||||||
+ if (FIPS_mode())
|
+ if (FIPS_mode())
|
||||||
@ -605,7 +613,7 @@ diff -up openssh-7.7p1/sshd.c.fips openssh-7.7p1/sshd.c
|
|||||||
#endif
|
#endif
|
||||||
__progname = ssh_get_progname(av[0]);
|
__progname = ssh_get_progname(av[0]);
|
||||||
|
|
||||||
+ SSLeay_add_all_algorithms();
|
+ OpenSSL_add_all_algorithms();
|
||||||
+ if (access("/etc/system-fips", F_OK) == 0)
|
+ if (access("/etc/system-fips", F_OK) == 0)
|
||||||
+ if (! FIPSCHECK_verify(NULL, NULL)) {
|
+ if (! FIPSCHECK_verify(NULL, NULL)) {
|
||||||
+ openlog(__progname, LOG_PID, LOG_AUTHPRIV);
|
+ openlog(__progname, LOG_PID, LOG_AUTHPRIV);
|
||||||
|
@ -188,7 +188,7 @@ diff -up openssh/configure.ac.gsskex openssh/configure.ac
|
|||||||
diff -up openssh/gss-genr.c.gsskex openssh/gss-genr.c
|
diff -up openssh/gss-genr.c.gsskex openssh/gss-genr.c
|
||||||
--- openssh/gss-genr.c.gsskex 2018-08-20 07:57:29.000000000 +0200
|
--- openssh/gss-genr.c.gsskex 2018-08-20 07:57:29.000000000 +0200
|
||||||
+++ openssh/gss-genr.c 2018-08-22 13:18:47.444383602 +0200
|
+++ openssh/gss-genr.c 2018-08-22 13:18:47.444383602 +0200
|
||||||
@@ -35,18 +35,177 @@
|
@@ -35,18 +35,179 @@
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include <signal.h>
|
#include <signal.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
@ -256,7 +256,7 @@ diff -up openssh/gss-genr.c.gsskex openssh/gss-genr.c
|
|||||||
+ u_char digest[EVP_MAX_MD_SIZE];
|
+ u_char digest[EVP_MAX_MD_SIZE];
|
||||||
+ char deroid[2];
|
+ char deroid[2];
|
||||||
+ const EVP_MD *evp_md = EVP_md5();
|
+ const EVP_MD *evp_md = EVP_md5();
|
||||||
+ EVP_MD_CTX md;
|
+ EVP_MD_CTX *md;
|
||||||
+
|
+
|
||||||
+ if (gss_enc2oid != NULL) {
|
+ if (gss_enc2oid != NULL) {
|
||||||
+ for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
|
+ for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
|
||||||
@ -270,6 +270,7 @@ diff -up openssh/gss-genr.c.gsskex openssh/gss-genr.c
|
|||||||
+ if ((buf = sshbuf_new()) == NULL)
|
+ if ((buf = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal("%s: sshbuf_new failed", __func__);
|
||||||
+
|
+
|
||||||
|
+ md = EVP_MD_CTX_new();
|
||||||
+ oidpos = 0;
|
+ oidpos = 0;
|
||||||
+ for (i = 0; i < gss_supported->count; i++) {
|
+ for (i = 0; i < gss_supported->count; i++) {
|
||||||
+ if (gss_supported->elements[i].length < 128 &&
|
+ if (gss_supported->elements[i].length < 128 &&
|
||||||
@ -278,12 +279,12 @@ diff -up openssh/gss-genr.c.gsskex openssh/gss-genr.c
|
|||||||
+ deroid[0] = SSH_GSS_OIDTYPE;
|
+ deroid[0] = SSH_GSS_OIDTYPE;
|
||||||
+ deroid[1] = gss_supported->elements[i].length;
|
+ deroid[1] = gss_supported->elements[i].length;
|
||||||
+
|
+
|
||||||
+ EVP_DigestInit(&md, evp_md);
|
+ EVP_DigestInit(md, evp_md);
|
||||||
+ EVP_DigestUpdate(&md, deroid, 2);
|
+ EVP_DigestUpdate(md, deroid, 2);
|
||||||
+ EVP_DigestUpdate(&md,
|
+ EVP_DigestUpdate(md,
|
||||||
+ gss_supported->elements[i].elements,
|
+ gss_supported->elements[i].elements,
|
||||||
+ gss_supported->elements[i].length);
|
+ gss_supported->elements[i].length);
|
||||||
+ EVP_DigestFinal(&md, digest, NULL);
|
+ EVP_DigestFinal(md, digest, NULL);
|
||||||
+
|
+
|
||||||
+ encoded = xmalloc(EVP_MD_size(evp_md) * 2);
|
+ encoded = xmalloc(EVP_MD_size(evp_md) * 2);
|
||||||
+ enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
|
+ enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
|
||||||
@ -311,6 +312,7 @@ diff -up openssh/gss-genr.c.gsskex openssh/gss-genr.c
|
|||||||
+ oidpos++;
|
+ oidpos++;
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
|
+ EVP_MD_CTX_free(md);
|
||||||
+ gss_enc2oid[oidpos].oid = NULL;
|
+ gss_enc2oid[oidpos].oid = NULL;
|
||||||
+ gss_enc2oid[oidpos].encoded = NULL;
|
+ gss_enc2oid[oidpos].encoded = NULL;
|
||||||
+
|
+
|
||||||
@ -988,7 +990,7 @@ diff -up openssh/kex.c.gsskex openssh/kex.c
|
|||||||
diff -up openssh/kexgssc.c.gsskex openssh/kexgssc.c
|
diff -up openssh/kexgssc.c.gsskex openssh/kexgssc.c
|
||||||
--- openssh/kexgssc.c.gsskex 2018-08-22 11:47:33.311216457 +0200
|
--- openssh/kexgssc.c.gsskex 2018-08-22 11:47:33.311216457 +0200
|
||||||
+++ openssh/kexgssc.c 2018-08-22 11:47:33.311216457 +0200
|
+++ openssh/kexgssc.c 2018-08-22 11:47:33.311216457 +0200
|
||||||
@@ -0,0 +1,338 @@
|
@@ -0,0 +1,341 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||||
+ *
|
+ *
|
||||||
@ -1049,6 +1051,7 @@ diff -up openssh/kexgssc.c.gsskex openssh/kexgssc.c
|
|||||||
+ BIGNUM *shared_secret = NULL;
|
+ BIGNUM *shared_secret = NULL;
|
||||||
+ BIGNUM *p = NULL;
|
+ BIGNUM *p = NULL;
|
||||||
+ BIGNUM *g = NULL;
|
+ BIGNUM *g = NULL;
|
||||||
|
+ const BIGNUM *pub_key, *p1, *g1;
|
||||||
+ u_char *kbuf;
|
+ u_char *kbuf;
|
||||||
+ u_char *serverhostkey = NULL;
|
+ u_char *serverhostkey = NULL;
|
||||||
+ u_char *empty = "";
|
+ u_char *empty = "";
|
||||||
@ -1110,8 +1113,9 @@ diff -up openssh/kexgssc.c.gsskex openssh/kexgssc.c
|
|||||||
+ fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
|
+ fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ /* Step 1 - e is dh->pub_key */
|
+ /* Step 1 - e is pub_key */
|
||||||
+ dh_gen_key(dh, ssh->kex->we_need * 8);
|
+ dh_gen_key(dh, ssh->kex->we_need * 8);
|
||||||
|
+ DH_get0_key(dh, &pub_key, NULL);
|
||||||
+
|
+
|
||||||
+ /* This is f, we initialise it now to make life easier */
|
+ /* This is f, we initialise it now to make life easier */
|
||||||
+ dh_server_pub = BN_new();
|
+ dh_server_pub = BN_new();
|
||||||
@ -1159,7 +1163,7 @@ diff -up openssh/kexgssc.c.gsskex openssh/kexgssc.c
|
|||||||
+ packet_start(SSH2_MSG_KEXGSS_INIT);
|
+ packet_start(SSH2_MSG_KEXGSS_INIT);
|
||||||
+ packet_put_string(send_tok.value,
|
+ packet_put_string(send_tok.value,
|
||||||
+ send_tok.length);
|
+ send_tok.length);
|
||||||
+ packet_put_bignum2(dh->pub_key);
|
+ packet_put_bignum2((BIGNUM *)pub_key);
|
||||||
+ first = 0;
|
+ first = 0;
|
||||||
+ } else {
|
+ } else {
|
||||||
+ packet_start(SSH2_MSG_KEXGSS_CONTINUE);
|
+ packet_start(SSH2_MSG_KEXGSS_CONTINUE);
|
||||||
@ -1266,13 +1270,14 @@ diff -up openssh/kexgssc.c.gsskex openssh/kexgssc.c
|
|||||||
+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
|
+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
|
||||||
+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
|
+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
|
||||||
+ (serverhostkey ? serverhostkey : empty), slen,
|
+ (serverhostkey ? serverhostkey : empty), slen,
|
||||||
+ dh->pub_key, /* e */
|
+ pub_key, /* e */
|
||||||
+ dh_server_pub, /* f */
|
+ dh_server_pub, /* f */
|
||||||
+ shared_secret, /* K */
|
+ shared_secret, /* K */
|
||||||
+ hash, &hashlen
|
+ hash, &hashlen
|
||||||
+ );
|
+ );
|
||||||
+ break;
|
+ break;
|
||||||
+ case KEX_GSS_GEX_SHA1:
|
+ case KEX_GSS_GEX_SHA1:
|
||||||
|
+ DH_get0_pqg(dh, &p1, NULL, &g1);
|
||||||
+ kexgex_hash(
|
+ kexgex_hash(
|
||||||
+ ssh->kex->hash_alg,
|
+ ssh->kex->hash_alg,
|
||||||
+ ssh->kex->client_version_string,
|
+ ssh->kex->client_version_string,
|
||||||
@ -1281,8 +1286,8 @@ diff -up openssh/kexgssc.c.gsskex openssh/kexgssc.c
|
|||||||
+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
|
+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
|
||||||
+ (serverhostkey ? serverhostkey : empty), slen,
|
+ (serverhostkey ? serverhostkey : empty), slen,
|
||||||
+ min, nbits, max,
|
+ min, nbits, max,
|
||||||
+ dh->p, dh->g,
|
+ p, g,
|
||||||
+ dh->pub_key,
|
+ pub_key,
|
||||||
+ dh_server_pub,
|
+ dh_server_pub,
|
||||||
+ shared_secret,
|
+ shared_secret,
|
||||||
+ hash, &hashlen
|
+ hash, &hashlen
|
||||||
@ -1330,7 +1335,7 @@ diff -up openssh/kexgssc.c.gsskex openssh/kexgssc.c
|
|||||||
diff -up openssh/kexgsss.c.gsskex openssh/kexgsss.c
|
diff -up openssh/kexgsss.c.gsskex openssh/kexgsss.c
|
||||||
--- openssh/kexgsss.c.gsskex 2018-08-22 11:47:33.311216457 +0200
|
--- openssh/kexgsss.c.gsskex 2018-08-22 11:47:33.311216457 +0200
|
||||||
+++ openssh/kexgsss.c 2018-08-22 11:47:33.311216457 +0200
|
+++ openssh/kexgsss.c 2018-08-22 11:47:33.311216457 +0200
|
||||||
@@ -0,0 +1,297 @@
|
@@ -0,0 +1,300 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||||
+ *
|
+ *
|
||||||
@ -1410,6 +1415,7 @@ diff -up openssh/kexgsss.c.gsskex openssh/kexgsss.c
|
|||||||
+ char *mechs;
|
+ char *mechs;
|
||||||
+ u_char hash[SSH_DIGEST_MAX_LENGTH];
|
+ u_char hash[SSH_DIGEST_MAX_LENGTH];
|
||||||
+ size_t hashlen;
|
+ size_t hashlen;
|
||||||
|
+ const BIGNUM *p, *g, *pub_key;
|
||||||
+
|
+
|
||||||
+ /* Initialise GSSAPI */
|
+ /* Initialise GSSAPI */
|
||||||
+
|
+
|
||||||
@ -1455,9 +1461,10 @@ diff -up openssh/kexgsss.c.gsskex openssh/kexgsss.c
|
|||||||
+ if (dh == NULL)
|
+ if (dh == NULL)
|
||||||
+ packet_disconnect("Protocol error: no matching group found");
|
+ packet_disconnect("Protocol error: no matching group found");
|
||||||
+
|
+
|
||||||
|
+ DH_get0_pqg(dh, &p, NULL, &g);
|
||||||
+ packet_start(SSH2_MSG_KEXGSS_GROUP);
|
+ packet_start(SSH2_MSG_KEXGSS_GROUP);
|
||||||
+ packet_put_bignum2(dh->p);
|
+ packet_put_bignum2((BIGNUM *)p);
|
||||||
+ packet_put_bignum2(dh->g);
|
+ packet_put_bignum2((BIGNUM *)g);
|
||||||
+ packet_send();
|
+ packet_send();
|
||||||
+
|
+
|
||||||
+ packet_write_wait();
|
+ packet_write_wait();
|
||||||
@ -1549,6 +1556,7 @@ diff -up openssh/kexgsss.c.gsskex openssh/kexgsss.c
|
|||||||
+ memset(kbuf, 0, klen);
|
+ memset(kbuf, 0, klen);
|
||||||
+ free(kbuf);
|
+ free(kbuf);
|
||||||
+
|
+
|
||||||
|
+ DH_get0_key(dh, &pub_key, NULL);
|
||||||
+ hashlen = sizeof(hash);
|
+ hashlen = sizeof(hash);
|
||||||
+ switch (ssh->kex->kex_type) {
|
+ switch (ssh->kex->kex_type) {
|
||||||
+ case KEX_GSS_GRP1_SHA1:
|
+ case KEX_GSS_GRP1_SHA1:
|
||||||
@ -1558,7 +1566,7 @@ diff -up openssh/kexgsss.c.gsskex openssh/kexgsss.c
|
|||||||
+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
|
+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
|
||||||
+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
|
+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
|
||||||
+ NULL, 0, /* Change this if we start sending host keys */
|
+ NULL, 0, /* Change this if we start sending host keys */
|
||||||
+ dh_client_pub, dh->pub_key, shared_secret,
|
+ dh_client_pub, pub_key, shared_secret,
|
||||||
+ hash, &hashlen
|
+ hash, &hashlen
|
||||||
+ );
|
+ );
|
||||||
+ break;
|
+ break;
|
||||||
@ -1570,9 +1578,9 @@ diff -up openssh/kexgsss.c.gsskex openssh/kexgsss.c
|
|||||||
+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
|
+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
|
||||||
+ NULL, 0,
|
+ NULL, 0,
|
||||||
+ cmin, nbits, cmax,
|
+ cmin, nbits, cmax,
|
||||||
+ dh->p, dh->g,
|
+ p, g,
|
||||||
+ dh_client_pub,
|
+ dh_client_pub,
|
||||||
+ dh->pub_key,
|
+ pub_key,
|
||||||
+ shared_secret,
|
+ shared_secret,
|
||||||
+ hash, &hashlen
|
+ hash, &hashlen
|
||||||
+ );
|
+ );
|
||||||
@ -1596,7 +1604,7 @@ diff -up openssh/kexgsss.c.gsskex openssh/kexgsss.c
|
|||||||
+ fatal("Couldn't get MIC");
|
+ fatal("Couldn't get MIC");
|
||||||
+
|
+
|
||||||
+ packet_start(SSH2_MSG_KEXGSS_COMPLETE);
|
+ packet_start(SSH2_MSG_KEXGSS_COMPLETE);
|
||||||
+ packet_put_bignum2(dh->pub_key);
|
+ packet_put_bignum2(pub_key);
|
||||||
+ packet_put_string(msg_tok.value,msg_tok.length);
|
+ packet_put_string(msg_tok.value,msg_tok.length);
|
||||||
+
|
+
|
||||||
+ if (send_tok.length != 0) {
|
+ if (send_tok.length != 0) {
|
||||||
@ -1928,7 +1936,7 @@ diff -up openssh/monitor_wrap.c.gsskex openssh/monitor_wrap.c
|
|||||||
+
|
+
|
||||||
+ sshbuf_free(m);
|
+ sshbuf_free(m);
|
||||||
+
|
+
|
||||||
+ return(major);
|
+ return (major);
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+int
|
+int
|
||||||
@ -2617,16 +2625,6 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
|
|||||||
diff -up openssh/sshd.c.gsskex openssh/sshd.c
|
diff -up openssh/sshd.c.gsskex openssh/sshd.c
|
||||||
--- openssh/sshd.c.gsskex 2018-08-22 11:47:33.299216360 +0200
|
--- openssh/sshd.c.gsskex 2018-08-22 11:47:33.299216360 +0200
|
||||||
+++ openssh/sshd.c 2018-08-22 13:34:28.455975954 +0200
|
+++ openssh/sshd.c 2018-08-22 13:34:28.455975954 +0200
|
||||||
@@ -537,8 +537,7 @@ privsep_preauth_child(void)
|
|
||||||
|
|
||||||
#ifdef GSSAPI
|
|
||||||
/* Cache supported mechanism OIDs for later use */
|
|
||||||
- if (options.gss_authentication)
|
|
||||||
- ssh_gssapi_prepare_supported_oids();
|
|
||||||
+ ssh_gssapi_prepare_supported_oids();
|
|
||||||
#endif
|
|
||||||
|
|
||||||
reseed_prngs();
|
|
||||||
@@ -887,8 +887,9 @@ notify_hostkeys(struct ssh *ssh)
|
@@ -887,8 +887,9 @@ notify_hostkeys(struct ssh *ssh)
|
||||||
}
|
}
|
||||||
debug3("%s: sent %u hostkeys", __func__, nkeys);
|
debug3("%s: sent %u hostkeys", __func__, nkeys);
|
||||||
|
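Review bot: `md = EVP_MD_CTX_new();` in the gss-genr.c hunk at `@@ -270,6 +270,7 @@` is never checked for NULL before `EVP_DigestInit(md, evp_md)` in the next hunk uses it, so an allocation failure turns into a NULL dereference instead of a clean exit; the neighbouring `sshbuf_new()` call already handles this with fatal(), so the same pattern fits: `if ((md = EVP_MD_CTX_new()) == NULL) fatal("%s: EVP_MD_CTX_new failed", __func__);`. The enclosing function starts and ends outside the hunk. The return values of EVP_DigestInit/Update/Final stay unchecked as well, though that is carried over from the pre-rebase patch rather than introduced here. As a secondary point, the `(BIGNUM *)pub_key` casts in the kexgssc.c and kexgsss.c hunks discard the const that DH_get0_key()/DH_get0_pqg() return; if packet_put_bignum2() in 7.9p1 accepts a `const BIGNUM *` the casts can go, otherwise a one-line comment that the callee only reads the value would make the cast's safety explicit.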
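--- a/openssh.spec
+++ b/openssh.spec
@@ -65,10 +65,10 @@
 %endif
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
-%global openssh_ver 7.8p1
-%global openssh_rel 3
+%global openssh_ver 7.9p1
+%global openssh_rel 1
 %global pam_ssh_agent_ver 0.10.3
-%global pam_ssh_agent_rel 5
+%global pam_ssh_agent_rel 6
 
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
@@ -100,8 +100,6 @@ Patch100: openssh-6.7p1-coverity.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1894
 #https://bugzilla.redhat.com/show_bug.cgi?id=735889
 #Patch102: openssh-5.8p1-getaddrinfo.patch
-# OpenSSL 1.1.0 compatibility
-Patch104: openssh-7.3p1-openssl-1.1.0.patch
 
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1402
 # https://bugzilla.redhat.com/show_bug.cgi?id=1171248
@@ -451,7 +449,6 @@ popd
 %patch700 -p1 -b .fips
 
 %patch100 -p1 -b .coverity
-%patch104 -p1 -b .openssl
 
 %if 0
 # Nothing here yet
@@ -568,7 +565,10 @@ popd
 %if %{pam_ssh_agent}
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
 LDFLAGS="$SAVE_LDFLAGS"
-%configure --with-selinux --libexecdir=/%{_libdir}/security --with-mantype=man
+%configure --with-selinux \
+--libexecdir=/%{_libdir}/security \
+--with-mantype=man \
+--without-openssl-header-check `# The check is broken`
 make
 popd
 %endif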
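Review bot: The new `--without-openssl-header-check` on the pam_ssh_agent_auth %configure line switches off the configure-time check that the OpenSSL headers match the linked library, and the only justification is the inline `# The check is broken`. From that a maintainer cannot tell which check fails, against which OpenSSL version, or when the flag can be dropped again, so the backtick comment should say so, e.g. `# header/library version check fails against <OpenSSL version placeholder>; drop once fixed upstream`. With the check disabled a header/library mismatch in the pam module is no longer caught at build time, so the build presumably relies on openssl-devel and libcrypto coming from the same package set; stating that assumption next to the flag would help the next rebase.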
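--- a/sources
+++ b/sources
@@ -1,4 +1,4 @@
-SHA512 (openssh-7.8p1.tar.gz) = 8e5b0c8682a9243e4e8b7c374ec989dccd1a752eb6f84e593b67141e8b23dcc8b9a7322b1f7525d18e2ce8830a767d0d9793f997486339db201a57986b910705
-SHA512 (openssh-7.8p1.tar.gz.asc) = 3a7bef84df3c07aa78965a11a6bbd6ca6e5d1e9265ac08871b3e5d304646be651b74f5302a195e86a56e6a83b19d79292e5599c9a9cf6f003a513d4354e8ad2f
+SHA512 (openssh-7.9p1.tar.gz) = 0412c9c429c9287f0794023951469c8e6ec833cdb55821bfa0300dd90d0879ff60484f620cffd93372641ab69bf0b032c2d700ccc680950892725fb631b7708e
+SHA512 (openssh-7.9p1.tar.gz.asc) = 881db1b541813136fabd9adb9f5430c4f0fae372c06c99cb049feb8526a573275fe80c129c89511dd4e65f73f41e29364fefaaf8b7c78835224691c488d5da32
 SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
 SHA512 (pam_ssh_agent_auth-0.10.3.tar.bz2) = d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66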