forked from rpms/openssh
rebase patches to openssh-7.9p1
parent
8089081fa9
commit
eaa7af2e41
2
.gitignore
vendored
2
.gitignore
vendored
@ -32,3 +32,5 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
|
||||
/DJM-GPG-KEY.gpg
|
||||
/openssh-7.8p1.tar.gz
|
||||
/openssh-7.8p1.tar.gz.asc
|
||||
/openssh-7.9p1.tar.gz
|
||||
/openssh-7.9p1.tar.gz.asc
|
||||
|
@ -82,14 +82,6 @@ diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
|
||||
index 22ea8ef..1fc963d 100644
|
||||
--- a/openbsd-compat/port-linux.c
|
||||
+++ b/openbsd-compat/port-linux.c
|
||||
@@ -26,6 +26,7 @@
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
|
||||
#include "log.h"
|
||||
#include "xmalloc.h"
|
||||
@@ -179,7 +179,7 @@ ssh_selinux_change_context(const char *newname)
|
||||
strlcpy(newctx + len, newname, newlen - len);
|
||||
if ((cx = index(cx + 1, ':')))
|
||||
|
@ -187,7 +187,7 @@ diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
|
||||
+ usage();
|
||||
+ }
|
||||
+
|
||||
+ SSLeay_add_all_algorithms();
|
||||
+ OpenSSL_add_all_algorithms();
|
||||
+
|
||||
+ c = cipher_by_name(algo);
|
||||
+ if (c == NULL) {
|
||||
|
@ -235,9 +235,9 @@ index 28659ec..9c94d8e 100644
|
||||
+#endif
|
||||
+#endif
|
||||
+
|
||||
s->forced = 0;
|
||||
if (forced != NULL) {
|
||||
if (IS_INTERNAL_SFTP(command)) {
|
||||
s->is_subsystem = s->is_subsystem ?
|
||||
s->forced = 1;
|
||||
diff --git a/ssh-gss.h b/ssh-gss.h
|
||||
index 0374c88..509109a 100644
|
||||
--- a/ssh-gss.h
|
||||
|
@ -29,14 +29,14 @@ diff -up openssh-7.0p1/gss-genr.c.gsskexalg openssh-7.0p1/gss-genr.c
|
||||
@@ -100,6 +101,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
||||
char deroid[2];
|
||||
const EVP_MD *evp_md = EVP_md5();
|
||||
EVP_MD_CTX md;
|
||||
EVP_MD_CTX *md;
|
||||
+ char *s, *cp, *p;
|
||||
|
||||
if (gss_enc2oid != NULL) {
|
||||
for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
|
||||
@@ -113,6 +115,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
||||
fatal("%s: sshbuf_new failed", __func__);
|
||||
|
||||
md = EVP_MD_CTX_new();
|
||||
oidpos = 0;
|
||||
+ s = cp = xstrdup(kex);
|
||||
for (i = 0; i < gss_supported->count; i++) {
|
||||
@ -81,9 +81,9 @@ diff -up openssh-7.0p1/gss-genr.c.gsskexalg openssh-7.0p1/gss-genr.c
|
||||
}
|
||||
}
|
||||
+ free(s);
|
||||
EVP_MD_CTX_free(md);
|
||||
gss_enc2oid[oidpos].oid = NULL;
|
||||
gss_enc2oid[oidpos].encoded = NULL;
|
||||
|
||||
diff -up openssh-7.0p1/gss-serv.c.gsskexalg openssh-7.0p1/gss-serv.c
|
||||
--- openssh-7.0p1/gss-serv.c.gsskexalg 2015-08-19 12:28:38.024518959 +0200
|
||||
+++ openssh-7.0p1/gss-serv.c 2015-08-19 12:28:38.078518839 +0200
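Review bot: `md = EVP_MD_CTX_new();` in the second gss-genr.c hunk is never checked for NULL before the context is handed to the digest calls (those calls sit outside this hunk, but the same function as rebased in the gsskex patch lower on the page shows `EVP_DigestInit(md, evp_md)` following directly), so an allocation failure turns into a NULL dereference inside ssh_gssapi_kex_mechs. The function already aborts through fatal() two lines above when sshbuf_new fails, so the same treatment fits: `if ((md = EVP_MD_CTX_new()) == NULL) fatal("%s: EVP_MD_CTX_new failed", __func__);`. The unchecked call is repeated in the gsskex patch's gss-genr.c hunk near the bottom of the page and should get the same guard there. ssh_gssapi_kex_mechs starts and ends outside this hunk.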
|
||||
|
@ -20,8 +20,8 @@ index ca75cc7..6e7de31 100644
|
||||
+#if defined(__NR_flock) && defined(__s390__)
|
||||
+ SC_ALLOW(__NR_flock),
|
||||
+#endif
|
||||
#ifdef __NR_geteuid
|
||||
SC_ALLOW(__NR_geteuid),
|
||||
#ifdef __NR_futex
|
||||
SC_ALLOW(__NR_futex),
|
||||
#endif
|
||||
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
|
||||
#ifdef __NR_gettimeofday
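Review bot: `SC_ALLOW(__NR_flock)` widens the pre-authentication seccomp allowlist on s390 without saying which caller needs it, and an allowlist entry with no recorded rationale is hard to audit or retire later. A one-line comment above the `#if defined(__NR_flock) && defined(__s390__)` guard naming the library routine that issues flock() on that architecture would keep the filter self-documenting, e.g. `/* s390: flock() is issued by <caller — TODO fill in> before authentication */`. If that caller only ever uses one operation, SC_ALLOW_ARG can pin the allowed flags instead of admitting every flock() variant. preauth_insns[] continues outside the hunk.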
|
||||
|
@ -2048,12 +2048,12 @@ diff -up openssh-7.6p1/sshd.c.audit openssh-7.6p1/sshd.c
|
||||
+ fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
|
||||
+ else
|
||||
+ fp = NULL;
|
||||
if ((r = sshkey_demote(sensitive_data.host_keys[i],
|
||||
&tmp)) != 0)
|
||||
fatal("could not demote host %s key: %s",
|
||||
sshkey_type(sensitive_data.host_keys[i]),
|
||||
ssh_err(r));
|
||||
sshkey_free(sensitive_data.host_keys[i]);
|
||||
if ((r = sshkey_from_private(
|
||||
sensitive_data.host_keys[i], &tmp)) != 0)
|
||||
fatal("could not demote host %s key: %s",
|
||||
sshkey_type(sensitive_data.host_keys[i]),
|
||||
ssh_err(r));
|
||||
sshkey_free(sensitive_data.host_keys[i]);
|
||||
sensitive_data.host_keys[i] = tmp;
|
||||
+ if (fp != NULL) {
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
@ -2126,7 +2126,7 @@ diff -up openssh-7.6p1/sshd.c.audit openssh-7.6p1/sshd.c
|
||||
diff -up openssh-7.6p1/sshkey.c.audit openssh-7.6p1/sshkey.c
|
||||
--- openssh-7.6p1/sshkey.c.audit 2017-10-04 17:18:32.758504660 +0200
|
||||
+++ openssh-7.6p1/sshkey.c 2017-10-04 17:18:32.839505074 +0200
|
||||
@@ -295,6 +295,32 @@ sshkey_type_is_valid_ca(int type)
|
||||
@@ -295,6 +295,38 @@ sshkey_type_is_valid_ca(int type)
|
||||
}
|
||||
|
||||
int
|
||||
@ -2135,11 +2135,17 @@ diff -up openssh-7.6p1/sshkey.c.audit openssh-7.6p1/sshkey.c
|
||||
+ switch (k->type) {
|
||||
+#ifdef WITH_OPENSSL
|
||||
+ case KEY_RSA_CERT:
|
||||
+ case KEY_RSA:
|
||||
+ return k->rsa->d != NULL;
|
||||
+ case KEY_RSA: {
|
||||
+ const BIGNUM *d;
|
||||
+ RSA_get0_key(k->rsa, NULL, NULL, &d);
|
||||
+ return d != NULL;
|
||||
+ }
|
||||
+ case KEY_DSA_CERT:
|
||||
+ case KEY_DSA:
|
||||
+ return k->dsa->priv_key != NULL;
|
||||
+ case KEY_DSA: {
|
||||
+ const BIGNUM *priv_key;
|
||||
+ DSA_get0_key(k->dsa, NULL, &priv_key);
|
||||
+ return priv_key != NULL;
|
||||
+ }
|
||||
+#ifdef OPENSSL_HAS_ECC
|
||||
+ case KEY_ECDSA_CERT:
|
||||
+ case KEY_ECDSA:
|
||||
|
@ -1,6 +1,6 @@
|
||||
diff -up openssh-7.6p1/ssh-pkcs11-client.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11-client.c
|
||||
--- openssh-7.6p1/ssh-pkcs11-client.c.pkcs11-ecdsa 2018-02-16 13:25:59.426469253 +0100
|
||||
+++ openssh-7.6p1/ssh-pkcs11-client.c 2018-02-16 13:25:59.428469265 +0100
|
||||
diff -up openssh/ssh-pkcs11-client.c.pkcs11-ecdsa openssh/ssh-pkcs11-client.c
|
||||
--- openssh/ssh-pkcs11-client.c.pkcs11-ecdsa 2018-10-12 14:05:55.020656974 +0200
|
||||
+++ openssh/ssh-pkcs11-client.c 2018-10-12 14:05:55.023656999 +0200
|
||||
@@ -31,6 +31,15 @@
|
||||
#include <errno.h>
|
||||
|
||||
@ -15,9 +15,9 @@ diff -up openssh-7.6p1/ssh-pkcs11-client.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11
|
||||
+#endif
|
||||
+#endif
|
||||
|
||||
#include "pathnames.h"
|
||||
#include "xmalloc.h"
|
||||
@@ -139,9 +147,9 @@ pkcs11_rsa_private_encrypt(int flen, con
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
|
||||
@@ -155,9 +164,9 @@ pkcs11_rsa_private_encrypt(int flen, con
|
||||
return (ret);
|
||||
}
|
||||
|
||||
@ -27,9 +27,9 @@ diff -up openssh-7.6p1/ssh-pkcs11-client.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11
|
||||
-wrap_key(RSA *rsa)
|
||||
+wrap_rsa_key(RSA *rsa)
|
||||
{
|
||||
static RSA_METHOD helper_rsa;
|
||||
static RSA_METHOD *helper_rsa;
|
||||
|
||||
@@ -152,6 +160,88 @@ wrap_key(RSA *rsa)
|
||||
@@ -170,6 +179,88 @@ wrap_key(RSA *rsa)
|
||||
return (0);
|
||||
}
|
||||
|
||||
@ -118,7 +118,7 @@ diff -up openssh-7.6p1/ssh-pkcs11-client.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11
|
||||
static int
|
||||
pkcs11_start_helper(void)
|
||||
{
|
||||
@@ -212,7 +281,15 @@ pkcs11_add_provider(char *name, char *pi
|
||||
@@ -238,7 +329,15 @@ pkcs11_add_provider(char *name, char *pi
|
||||
__func__, ssh_err(r));
|
||||
if ((r = sshkey_from_blob(blob, blen, &k)) != 0)
|
||||
fatal("%s: bad key: %s", __func__, ssh_err(r));
|
||||
@ -135,11 +135,11 @@ diff -up openssh-7.6p1/ssh-pkcs11-client.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11
|
||||
(*keysp)[i] = k;
|
||||
free(blob);
|
||||
}
|
||||
diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
|
||||
--- openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa 2018-02-16 13:25:59.427469259 +0100
|
||||
+++ openssh-7.6p1/ssh-pkcs11.c 2018-02-16 13:44:51.270554797 +0100
|
||||
@@ -32,6 +32,16 @@
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
diff -up openssh/ssh-pkcs11.c.pkcs11-ecdsa openssh/ssh-pkcs11.c
|
||||
--- openssh/ssh-pkcs11.c.pkcs11-ecdsa 2018-10-12 14:05:55.021656982 +0200
|
||||
+++ openssh/ssh-pkcs11.c 2018-10-12 14:11:54.292636679 +0200
|
||||
@@ -33,6 +33,16 @@
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
|
||||
#include <openssl/x509.h>
|
||||
+#include <openssl/rsa.h>
|
||||
@ -155,15 +155,15 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
|
||||
|
||||
#define CRYPTOKI_COMPAT
|
||||
#include "pkcs11.h"
|
||||
@@ -67,6 +76,7 @@ TAILQ_HEAD(, pkcs11_provider) pkcs11_pro
|
||||
@@ -74,6 +84,7 @@ TAILQ_HEAD(, pkcs11_provider) pkcs11_pro
|
||||
struct pkcs11_key {
|
||||
struct pkcs11_provider *provider;
|
||||
CK_ULONG slotidx;
|
||||
+ CK_ULONG key_type;
|
||||
int (*orig_finish)(RSA *rsa);
|
||||
RSA_METHOD rsa_method;
|
||||
RSA_METHOD *rsa_method;
|
||||
char *keyid;
|
||||
@@ -75,6 +85,9 @@ struct pkcs11_key {
|
||||
@@ -82,6 +93,9 @@ struct pkcs11_key {
|
||||
};
|
||||
|
||||
int pkcs11_interactive = 0;
|
||||
@ -173,7 +173,7 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
|
||||
|
||||
/*
|
||||
* This can't be in the ssh-pkcs11-uri, becase we can not depend on
|
||||
@@ -289,6 +302,40 @@ pkcs11_find(struct pkcs11_provider *p, C
|
||||
@@ -345,6 +359,40 @@ pkcs11_find(struct pkcs11_provider *p, C
|
||||
return (ret);
|
||||
}
|
||||
|
||||
@ -214,7 +214,7 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
|
||||
/* openssl callback doing the actual signing operation */
|
||||
static int
|
||||
pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
|
||||
@@ -310,7 +357,6 @@ pkcs11_rsa_private_encrypt(int flen, con
|
||||
@@ -366,7 +414,6 @@ pkcs11_rsa_private_encrypt(int flen, con
|
||||
{CKA_ID, NULL, 0},
|
||||
{CKA_SIGN, NULL, sizeof(true_val) }
|
||||
};
|
||||
@ -222,7 +222,7 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
|
||||
int rval = -1;
|
||||
|
||||
key_filter[0].pValue = &private_key_class;
|
||||
@@ -326,33 +372,8 @@ pkcs11_rsa_private_encrypt(int flen, con
|
||||
@@ -383,33 +430,8 @@ pkcs11_rsa_private_encrypt(int flen, con
|
||||
}
|
||||
f = k11->provider->module->function_list;
|
||||
si = &k11->provider->module->slotinfo[k11->slotidx];
|
||||
@ -258,7 +258,7 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
|
||||
}
|
||||
key_filter[1].pValue = k11->keyid;
|
||||
key_filter[1].ulValueLen = k11->keyid_len;
|
||||
@@ -390,6 +411,7 @@ pkcs11_rsa_wrap(struct pkcs11_provider *
|
||||
@@ -447,6 +469,7 @@ pkcs11_rsa_wrap(struct pkcs11_provider *
|
||||
const RSA_METHOD *def = RSA_get_default_method();
|
||||
|
||||
k11 = xcalloc(1, sizeof(*k11));
|
||||
@ -266,7 +266,7 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
|
||||
k11->provider = provider;
|
||||
provider->refcount++; /* provider referenced by RSA key */
|
||||
k11->slotidx = slotidx;
|
||||
@@ -415,6 +437,184 @@ pkcs11_rsa_wrap(struct pkcs11_provider *
|
||||
@@ -477,6 +500,184 @@ pkcs11_rsa_wrap(struct pkcs11_provider *
|
||||
return (0);
|
||||
}
|
||||
|
||||
@ -451,7 +451,7 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
|
||||
/* remove trailing spaces */
|
||||
static void
|
||||
rmspace(u_char *buf, size_t len)
|
||||
@@ -482,11 +646,13 @@ static int
|
||||
@@ -544,11 +745,13 @@ static int
|
||||
pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
|
||||
struct sshkey ***keysp, int *nkeys, struct pkcs11_uri *uri)
|
||||
{
|
||||
@ -466,7 +466,7 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
|
||||
{ CKA_ID, NULL, 0 },
|
||||
{ CKA_LABEL, NULL, 0 }
|
||||
};
|
||||
@@ -507,29 +673,60 @@ pkcs11_fetch_keys(struct pkcs11_provider
|
||||
@@ -569,29 +772,60 @@ pkcs11_fetch_keys(struct pkcs11_provider
|
||||
{ CKA_SUBJECT, NULL, 0 },
|
||||
{ CKA_VALUE, NULL, 0 }
|
||||
};
|
||||
@ -533,9 +533,12 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
|
||||
cert_attribs, keysp, nkeys) < 0)
|
||||
return (-1);
|
||||
return (0);
|
||||
@@ -553,6 +746,11 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
|
||||
@@ -624,8 +858,13 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
|
||||
CK_ATTRIBUTE filter[], size_t filter_size, CK_ATTRIBUTE attribs[4],
|
||||
struct sshkey ***keysp, int *nkeys)
|
||||
{
|
||||
struct sshkey *key;
|
||||
- struct sshkey *key;
|
||||
+ struct sshkey *key = NULL;
|
||||
RSA *rsa;
|
||||
+#ifdef ENABLE_PKCS11_ECDSA
|
||||
+ EC_KEY *ecdsa;
|
||||
@ -545,7 +548,7 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
|
||||
X509 *x509;
|
||||
EVP_PKEY *evp = NULL;
|
||||
int i;
|
||||
@@ -608,6 +806,9 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
|
||||
@@ -678,6 +917,9 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
|
||||
* or ID, label, subject and value for certificates.
|
||||
*/
|
||||
rsa = NULL;
|
||||
@ -555,9 +558,9 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
|
||||
if ((rv = f->C_GetAttributeValue(session, obj, attribs, nattribs))
|
||||
!= CKR_OK) {
|
||||
error("C_GetAttributeValue failed: %lu", rv);
|
||||
@@ -620,6 +821,45 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
|
||||
rsa->e = BN_bin2bn(attribs[3].pValue,
|
||||
attribs[3].ulValueLen, NULL);
|
||||
@@ -700,6 +942,45 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
|
||||
BN_free(rsa_n);
|
||||
BN_free(rsa_e);
|
||||
}
|
||||
+#ifdef ENABLE_PKCS11_ECDSA
|
||||
+ } else if (attribs[2].type == CKA_EC_PARAMS ) {
|
||||
@ -601,43 +604,61 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
|
||||
} else {
|
||||
cp = attribs[3].pValue;
|
||||
if ((x509 = X509_new()) == NULL) {
|
||||
@@ -639,13 +879,28 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
|
||||
@@ -707,13 +988,28 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
|
||||
} else if (d2i_X509(&x509, &cp, attribs[3].ulValueLen)
|
||||
== NULL) {
|
||||
error("d2i_X509 failed");
|
||||
- } else if ((evp = X509_get_pubkey(x509)) == NULL ||
|
||||
- EVP_PKEY_base_id(evp) != EVP_PKEY_RSA ||
|
||||
- EVP_PKEY_get0_RSA(evp) == NULL) {
|
||||
- debug("X509_get_pubkey failed or no rsa");
|
||||
- } else if ((rsa = RSAPublicKey_dup(
|
||||
- EVP_PKEY_get0_RSA(evp))) == NULL) {
|
||||
- error("RSAPublicKey_dup");
|
||||
+ } else if ((evp = X509_get_pubkey(x509)) == NULL) {
|
||||
+ debug("X509_get_pubkey failed");
|
||||
+ } else {
|
||||
+ switch (EVP_PKEY_base_id(evp)) {
|
||||
+ case EVP_PKEY_RSA:
|
||||
+ if (EVP_PKEY_get0_RSA(evp) == NULL)
|
||||
+ debug("Missing RSA key");
|
||||
+ else if ((rsa = RSAPublicKey_dup(
|
||||
+ EVP_PKEY_get0_RSA(evp))) == NULL)
|
||||
+ error("RSAPublicKey_dup failed");
|
||||
+ break;
|
||||
+ case EVP_PKEY_EC:
|
||||
+ if (EVP_PKEY_get0_EC_KEY(evp) == NULL)
|
||||
+ debug("Missing ECDSA key");
|
||||
+ else if ((ecdsa = EC_KEY_dup(
|
||||
+ EVP_PKEY_get0_EC_KEY(evp))) == NULL)
|
||||
+ error("EC_KEY_dup failed");
|
||||
+ break;
|
||||
+ default:
|
||||
+ debug("not a RSA or ECDSA key");
|
||||
+ break;
|
||||
+ }
|
||||
}
|
||||
X509_free(x509);
|
||||
EVP_PKEY_free(evp);
|
||||
}
|
||||
- if (rsa && rsa->n && rsa->e &&
|
||||
- pkcs11_rsa_wrap(p, slotidx, &attribs[0], &attribs[1], rsa) == 0) {
|
||||
- if ((key = sshkey_new(KEY_UNSPEC)) == NULL)
|
||||
- fatal("sshkey_new failed");
|
||||
- key->rsa = rsa;
|
||||
- key->type = KEY_RSA;
|
||||
- key->flags |= SSHKEY_FLAG_EXT;
|
||||
+ key = NULL;
|
||||
+ if (rsa || ecdsa) {
|
||||
+ if (rsa && rsa->n && rsa->e &&
|
||||
+ pkcs11_rsa_wrap(p, slotidx, &attribs[0], &attribs[1], rsa) == 0) {
|
||||
+ if ((key = sshkey_new(KEY_UNSPEC)) == NULL)
|
||||
+ fatal("sshkey_new failed");
|
||||
+ key->rsa = rsa;
|
||||
+ key->type = KEY_RSA;
|
||||
+ key->flags |= SSHKEY_FLAG_EXT;
|
||||
@@ -725,6 +1021,17 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
|
||||
key->rsa = rsa;
|
||||
key->type = KEY_RSA;
|
||||
key->flags |= SSHKEY_FLAG_EXT;
|
||||
+#ifdef ENABLE_PKCS11_ECDSA
|
||||
+ } else if(ecdsa && pkcs11_ecdsa_wrap(p, slotidx, &attribs[0], &attribs[1], ecdsa) == 0) {
|
||||
+ if ((key = sshkey_new(KEY_UNSPEC)) == NULL)
|
||||
+ fatal("sshkey_new failed");
|
||||
+ key->ecdsa = ecdsa;
|
||||
+ key->ecdsa_nid = sshkey_ecdsa_key_to_nid(ecdsa);
|
||||
+ key->type = KEY_ECDSA;
|
||||
+ key->flags |= SSHKEY_FLAG_EXT;
|
||||
+ } else if (ecdsa &&
|
||||
+ pkcs11_ecdsa_wrap(p, slotidx, &attribs[0], &attribs[1], ecdsa) == 0) {
|
||||
+ if ((key = sshkey_new(KEY_UNSPEC)) == NULL)
|
||||
+ fatal("sshkey_new failed");
|
||||
+ key->ecdsa = ecdsa;
|
||||
+ key->type = KEY_ECDSA;
|
||||
+ key->flags |= SSHKEY_FLAG_EXT;
|
||||
+#endif /* ENABLE_PKCS11_ECDSA */
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if(key) {
|
||||
+ if (key) {
|
||||
if (pkcs11_key_included(keysp, nkeys, key)) {
|
||||
sshkey_free(key);
|
||||
} else {
|
||||
@@ -658,6 +913,10 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
|
||||
@@ -737,6 +1044,10 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
|
||||
}
|
||||
} else if (rsa) {
|
||||
RSA_free(rsa);
|
||||
@ -648,9 +669,9 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
|
||||
}
|
||||
for (i = 0; i < nattribs; i++)
|
||||
free(attribs[i].pValue);
|
||||
diff -up openssh-7.6p1/ssh-pkcs11-helper.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11-helper.c
|
||||
--- openssh-7.6p1/ssh-pkcs11-helper.c.pkcs11-ecdsa 2017-10-02 21:34:26.000000000 +0200
|
||||
+++ openssh-7.6p1/ssh-pkcs11-helper.c 2018-02-16 13:25:59.428469265 +0100
|
||||
diff -up openssh/ssh-pkcs11-helper.c.pkcs11-ecdsa openssh/ssh-pkcs11-helper.c
|
||||
--- openssh/ssh-pkcs11-helper.c.pkcs11-ecdsa 2018-10-11 02:56:36.000000000 +0200
|
||||
+++ openssh/ssh-pkcs11-helper.c 2018-10-12 14:05:55.023656999 +0200
|
||||
@@ -24,6 +24,17 @@
|
||||
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
@ -669,7 +690,7 @@ diff -up openssh-7.6p1/ssh-pkcs11-helper.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
@@ -80,7 +90,7 @@ del_keys_by_name(char *name)
|
||||
@@ -77,7 +88,7 @@ del_keys_by_name(char *name)
|
||||
if (!strcmp(ki->providername, name)) {
|
||||
TAILQ_REMOVE(&pkcs11_keylist, ki, next);
|
||||
free(ki->providername);
|
||||
@ -678,7 +699,7 @@ diff -up openssh-7.6p1/ssh-pkcs11-helper.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11
|
||||
free(ki);
|
||||
}
|
||||
}
|
||||
@@ -164,6 +174,20 @@ process_del(void)
|
||||
@@ -172,6 +183,20 @@ process_del(void)
|
||||
sshbuf_free(msg);
|
||||
}
|
||||
|
||||
@ -699,7 +720,7 @@ diff -up openssh-7.6p1/ssh-pkcs11-helper.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11
|
||||
static void
|
||||
process_sign(void)
|
||||
{
|
||||
@@ -180,14 +204,38 @@ process_sign(void)
|
||||
@@ -192,14 +217,38 @@ process_sign(void)
|
||||
else {
|
||||
if ((found = lookup_key(key)) != NULL) {
|
||||
#ifdef WITH_OPENSSL
|
||||
@ -746,9 +767,9 @@ diff -up openssh-7.6p1/ssh-pkcs11-helper.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11
|
||||
}
|
||||
#endif /* WITH_OPENSSL */
|
||||
}
|
||||
diff -up openssh-7.6p1/ssh-pkcs11.h.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.h
|
||||
--- openssh-7.6p1/ssh-pkcs11.h.pkcs11-ecdsa 2018-02-16 13:25:59.429469272 +0100
|
||||
+++ openssh-7.6p1/ssh-pkcs11.h 2018-02-16 13:45:29.623800048 +0100
|
||||
diff -up openssh/ssh-pkcs11.h.pkcs11-ecdsa openssh/ssh-pkcs11.h
|
||||
--- openssh/ssh-pkcs11.h.pkcs11-ecdsa 2018-10-12 14:05:55.021656982 +0200
|
||||
+++ openssh/ssh-pkcs11.h 2018-10-12 14:05:55.023656999 +0200
|
||||
@@ -20,6 +20,7 @@
|
||||
int pkcs11_init(int);
|
||||
void pkcs11_terminate(void);
|
||||
@ -757,45 +778,3 @@ diff -up openssh-7.6p1/ssh-pkcs11.h.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.h
|
||||
int pkcs11_add_provider_by_uri(struct pkcs11_uri *, char *, struct sshkey ***);
|
||||
int pkcs11_del_provider(char *);
|
||||
int pkcs11_uri_write(const struct sshkey *, FILE *);
|
||||
|
||||
|
||||
|
||||
diff -up openssh-7.6p1/ssh-pkcs11.c.old openssh-7.6p1/ssh-pkcs11.c
|
||||
--- openssh-7.6p1/ssh-pkcs11.c.old 2018-02-16 16:43:08.861520255 +0100
|
||||
+++ openssh-7.6p1/ssh-pkcs11.c 2018-02-16 16:56:35.312601451 +0100
|
||||
@@ -917,13 +917,28 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
|
||||
} else if (d2i_X509(&x509, &cp, attribs[3].ulValueLen)
|
||||
== NULL) {
|
||||
error("d2i_X509 failed");
|
||||
- } else if ((evp = X509_get_pubkey(x509)) == NULL ||
|
||||
- evp->type != EVP_PKEY_RSA ||
|
||||
- evp->pkey.rsa == NULL) {
|
||||
- debug("X509_get_pubkey failed or no rsa");
|
||||
- } else if ((rsa = RSAPublicKey_dup(evp->pkey.rsa))
|
||||
- == NULL) {
|
||||
- error("RSAPublicKey_dup");
|
||||
+ } else if ((evp = X509_get_pubkey(x509)) == NULL) {
|
||||
+ debug("X509_get_pubkey failed");
|
||||
+ } else {
|
||||
+ switch (evp->type) {
|
||||
+ case EVP_PKEY_RSA:
|
||||
+ if (evp->pkey.rsa == NULL)
|
||||
+ debug("Missing RSA key");
|
||||
+ else if ((rsa = RSAPublicKey_dup(
|
||||
+ evp->pkey.rsa)) == NULL)
|
||||
+ error("RSAPublicKey_dup failed");
|
||||
+ break;
|
||||
+ case EVP_PKEY_EC:
|
||||
+ if (evp->pkey.ecdsa == NULL)
|
||||
+ debug("Missing ECDSA key");
|
||||
+ else if ((ecdsa = EC_KEY_dup(
|
||||
+ evp->pkey.ecdsa)) == NULL)
|
||||
+ error("EC_KEY_dup failed");
|
||||
+ break;
|
||||
+ default:
|
||||
+ debug("not a RSA or ECDSA key");
|
||||
+ break;
|
||||
+ }
|
||||
}
|
||||
X509_free(x509);
|
||||
EVP_PKEY_free(evp);
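Review bot: The `case EVP_PKEY_EC:` arm added to the X509 branch of pkcs11_fetch_keys_filter assigns to `ecdsa`, but the only declaration shown for that variable, `EC_KEY *ecdsa;`, is under `#ifdef ENABLE_PKCS11_ECDSA`, and the later `} else if (ecdsa &&` wrap block is guarded the same way; unless the arm is guarded in lines not shown, a build without ENABLE_PKCS11_ECDSA fails on an undeclared identifier, so the arm should be wrapped in the same `#ifdef ENABLE_PKCS11_ECDSA` / `#endif` pair. Separately, the rebased ECDSA wrap block sets `key->ecdsa`, `key->type` and `key->flags` but no longer sets `key->ecdsa_nid = sshkey_ecdsa_key_to_nid(ecdsa);` as the 7.6p1 copy of the block did; if that second copy is the new side, confirm the nid is populated elsewhere (pkcs11_ecdsa_wrap is not shown), since as far as I recall the sshkey code derives the curve name of a KEY_ECDSA key from that field. pkcs11_fetch_keys_filter starts and ends outside the shown hunks.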
|
||||
|
@ -102,12 +102,14 @@ diff -up openssh-7.7p1/dh.h.fips openssh-7.7p1/dh.h
|
||||
diff -up openssh-7.7p1/entropy.c.fips openssh-7.7p1/entropy.c
|
||||
--- openssh-7.7p1/entropy.c.fips 2018-08-08 10:08:40.698718928 +0200
|
||||
+++ openssh-7.7p1/entropy.c 2018-08-08 10:08:40.822719973 +0200
|
||||
@@ -217,6 +217,9 @@ seed_rng(void)
|
||||
@@ -217,6 +217,11 @@ seed_rng(void)
|
||||
fatal("OpenSSL version mismatch. Built against %lx, you "
|
||||
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
|
||||
|
||||
+ /* clean the PRNG status when exiting the program */
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
+ atexit(RAND_cleanup);
|
||||
+#endif
|
||||
+
|
||||
#ifndef OPENSSL_PRNG_ONLY
|
||||
if (RAND_status() == 1) {
|
||||
@ -377,16 +379,16 @@ diff -up openssh-7.7p1/myproposal.h.fips openssh-7.7p1/myproposal.h
|
||||
+ "hmac-sha1"
|
||||
+#endif
|
||||
+
|
||||
#else /* WITH_OPENSSL */
|
||||
|
||||
#define KEX_SERVER_KEX \
|
||||
/* Not a KEX value, but here so all the algorithm defaults are together */
|
||||
#define SSH_ALLOWED_CA_SIGALGS \
|
||||
"ecdsa-sha2-nistp256," \
|
||||
diff -up openssh-7.7p1/readconf.c.fips openssh-7.7p1/readconf.c
|
||||
--- openssh-7.7p1/readconf.c.fips 2018-08-08 10:08:40.769719527 +0200
|
||||
+++ openssh-7.7p1/readconf.c 2018-08-08 10:08:40.824719990 +0200
|
||||
@@ -2081,17 +2081,18 @@ fill_default_options(Options * options)
|
||||
all_mac = mac_alg_list(',');
|
||||
@@ -2081,18 +2081,19 @@ fill_default_options(Options * options)
|
||||
all_kex = kex_alg_list(',');
|
||||
all_key = sshkey_alg_list(0, 0, 1, ',');
|
||||
all_sig = sshkey_alg_list(0, 1, 1, ',');
|
||||
-#define ASSEMBLE(what, defaults, all) \
|
||||
+#define ASSEMBLE(what, defaults, fips_defaults, all) \
|
||||
do { \
|
||||
@ -401,11 +403,13 @@ diff -up openssh-7.7p1/readconf.c.fips openssh-7.7p1/readconf.c
|
||||
- ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);
|
||||
- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
|
||||
- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
|
||||
- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
|
||||
+ ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
|
||||
+ ASSEMBLE(macs, KEX_SERVER_MAC, KEX_FIPS_MAC, all_mac);
|
||||
+ ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
|
||||
+ ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
|
||||
+ ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
|
||||
+ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
|
||||
#undef ASSEMBLE
|
||||
free(all_cipher);
|
||||
free(all_mac);
|
||||
@ -425,10 +429,10 @@ diff -up openssh-7.7p1/sandbox-seccomp-filter.c.fips openssh-7.7p1/sandbox-secco
|
||||
diff -up openssh-7.7p1/servconf.c.fips openssh-7.7p1/servconf.c
|
||||
--- openssh-7.7p1/servconf.c.fips 2018-08-08 10:08:40.778719603 +0200
|
||||
+++ openssh-7.7p1/servconf.c 2018-08-08 10:08:40.824719990 +0200
|
||||
@@ -196,17 +196,18 @@ option_clear_or_none(const char *o)
|
||||
all_mac = mac_alg_list(',');
|
||||
@@ -196,18 +196,19 @@ option_clear_or_none(const char *o)
|
||||
all_kex = kex_alg_list(',');
|
||||
all_key = sshkey_alg_list(0, 0, 1, ',');
|
||||
all_sig = sshkey_alg_list(0, 1, 1, ',');
|
||||
-#define ASSEMBLE(what, defaults, all) \
|
||||
+#define ASSEMBLE(what, defaults, fips_defaults, all) \
|
||||
do { \
|
||||
@ -443,12 +447,14 @@ diff -up openssh-7.7p1/servconf.c.fips openssh-7.7p1/servconf.c
|
||||
- ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);
|
||||
- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
|
||||
- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
|
||||
- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
|
||||
+ ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
|
||||
+ ASSEMBLE(macs, KEX_SERVER_MAC, KEX_FIPS_MAC, all_mac);
|
||||
+ ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
|
||||
+ ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
|
||||
+ ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
|
||||
+ ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
|
||||
+ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
|
||||
#undef ASSEMBLE
|
||||
free(all_cipher);
|
||||
free(all_mac);
|
||||
@ -464,11 +470,13 @@ diff -up openssh-7.7p1/ssh.c.fips openssh-7.7p1/ssh.c
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
|
||||
@@ -579,6 +581,14 @@ main(int ac, char **av)
|
||||
@@ -579,6 +581,16 @@ main(int ac, char **av)
|
||||
sanitise_stdfd();
|
||||
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
+ SSLeay_add_all_algorithms();
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
+ SSLeay_add_all_algorithms();
|
||||
+#endif
|
||||
+ if (access("/etc/system-fips", F_OK) == 0)
|
||||
+ if (! FIPSCHECK_verify(NULL, NULL)){
|
||||
+ if (FIPS_mode())
|
||||
@ -605,7 +613,7 @@ diff -up openssh-7.7p1/sshd.c.fips openssh-7.7p1/sshd.c
|
||||
#endif
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
|
||||
+ SSLeay_add_all_algorithms();
|
||||
+ OpenSSL_add_all_algorithms();
|
||||
+ if (access("/etc/system-fips", F_OK) == 0)
|
||||
+ if (! FIPSCHECK_verify(NULL, NULL)) {
|
||||
+ openlog(__progname, LOG_PID, LOG_AUTHPRIV);
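Review bot: The ssh.c hunk rewrites the FIPS gate from `if (! FIPSCHECK_verify(NULL, NULL)){` to `if (FIPS_mode())`, while the sshd.c hunk in the same patch still shows `if (! FIPSCHECK_verify(NULL, NULL)) {` unchanged; those two calls check different things (a module integrity self-check versus a mode flag), and a commit titled as a plain rebase gives no reason for the client and server to diverge, so either sshd.c needs the matching change or a comment above the ssh.c `if` should say why only the client was switched. The legacy initialiser is also rebased inconsistently: ssh.c keeps `SSLeay_add_all_algorithms();` under `#if OPENSSL_VERSION_NUMBER < 0x10100000L`, whereas sshd.c (and ctr-cavstest.c earlier on the page) replace it with an unguarded `OpenSSL_add_all_algorithms();`; use one form in all three places. The ssh.c gate is now two nested unbraced ifs, `if (access("/etc/system-fips", F_OK) == 0)` directly followed by `if (FIPS_mode())`; bracing the outer one avoids a dangling-else trap when the body, which lies outside the hunk, grows. main() continues outside the hunk.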
|
||||
|
@ -188,7 +188,7 @@ diff -up openssh/configure.ac.gsskex openssh/configure.ac
|
||||
diff -up openssh/gss-genr.c.gsskex openssh/gss-genr.c
|
||||
--- openssh/gss-genr.c.gsskex 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/gss-genr.c 2018-08-22 13:18:47.444383602 +0200
|
||||
@@ -35,18 +35,177 @@
|
||||
@@ -35,18 +35,179 @@
|
||||
#include <string.h>
|
||||
#include <signal.h>
|
||||
#include <unistd.h>
|
||||
@ -256,7 +256,7 @@ diff -up openssh/gss-genr.c.gsskex openssh/gss-genr.c
|
||||
+ u_char digest[EVP_MAX_MD_SIZE];
|
||||
+ char deroid[2];
|
||||
+ const EVP_MD *evp_md = EVP_md5();
|
||||
+ EVP_MD_CTX md;
|
||||
+ EVP_MD_CTX *md;
|
||||
+
|
||||
+ if (gss_enc2oid != NULL) {
|
||||
+ for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
|
||||
@ -270,6 +270,7 @@ diff -up openssh/gss-genr.c.gsskex openssh/gss-genr.c
|
||||
+ if ((buf = sshbuf_new()) == NULL)
|
||||
+ fatal("%s: sshbuf_new failed", __func__);
|
||||
+
|
||||
+ md = EVP_MD_CTX_new();
|
||||
+ oidpos = 0;
|
||||
+ for (i = 0; i < gss_supported->count; i++) {
|
||||
+ if (gss_supported->elements[i].length < 128 &&
|
||||
@ -278,12 +279,12 @@ diff -up openssh/gss-genr.c.gsskex openssh/gss-genr.c
|
||||
+ deroid[0] = SSH_GSS_OIDTYPE;
|
||||
+ deroid[1] = gss_supported->elements[i].length;
|
||||
+
|
||||
+ EVP_DigestInit(&md, evp_md);
|
||||
+ EVP_DigestUpdate(&md, deroid, 2);
|
||||
+ EVP_DigestUpdate(&md,
|
||||
+ EVP_DigestInit(md, evp_md);
|
||||
+ EVP_DigestUpdate(md, deroid, 2);
|
||||
+ EVP_DigestUpdate(md,
|
||||
+ gss_supported->elements[i].elements,
|
||||
+ gss_supported->elements[i].length);
|
||||
+ EVP_DigestFinal(&md, digest, NULL);
|
||||
+ EVP_DigestFinal(md, digest, NULL);
|
||||
+
|
||||
+ encoded = xmalloc(EVP_MD_size(evp_md) * 2);
|
||||
+ enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
|
||||
@ -311,6 +312,7 @@ diff -up openssh/gss-genr.c.gsskex openssh/gss-genr.c
|
||||
+ oidpos++;
|
||||
+ }
|
||||
+ }
|
||||
+ EVP_MD_CTX_free(md);
|
||||
+ gss_enc2oid[oidpos].oid = NULL;
|
||||
+ gss_enc2oid[oidpos].encoded = NULL;
|
||||
+
|
||||
@ -988,7 +990,7 @@ diff -up openssh/kex.c.gsskex openssh/kex.c
|
||||
diff -up openssh/kexgssc.c.gsskex openssh/kexgssc.c
|
||||
--- openssh/kexgssc.c.gsskex 2018-08-22 11:47:33.311216457 +0200
|
||||
+++ openssh/kexgssc.c 2018-08-22 11:47:33.311216457 +0200
|
||||
@@ -0,0 +1,338 @@
|
||||
@@ -0,0 +1,341 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||
+ *
|
||||
@ -1049,6 +1051,7 @@ diff -up openssh/kexgssc.c.gsskex openssh/kexgssc.c
|
||||
+ BIGNUM *shared_secret = NULL;
|
||||
+ BIGNUM *p = NULL;
|
||||
+ BIGNUM *g = NULL;
|
||||
+ const BIGNUM *pub_key, *p1, *g1;
|
||||
+ u_char *kbuf;
|
||||
+ u_char *serverhostkey = NULL;
|
||||
+ u_char *empty = "";
|
||||
@ -1110,8 +1113,9 @@ diff -up openssh/kexgssc.c.gsskex openssh/kexgssc.c
|
||||
+ fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
|
||||
+ }
|
||||
+
|
||||
+ /* Step 1 - e is dh->pub_key */
|
||||
+ /* Step 1 - e is pub_key */
|
||||
+ dh_gen_key(dh, ssh->kex->we_need * 8);
|
||||
+ DH_get0_key(dh, &pub_key, NULL);
|
||||
+
|
||||
+ /* This is f, we initialise it now to make life easier */
|
||||
+ dh_server_pub = BN_new();
|
||||
@ -1159,7 +1163,7 @@ diff -up openssh/kexgssc.c.gsskex openssh/kexgssc.c
|
||||
+ packet_start(SSH2_MSG_KEXGSS_INIT);
|
||||
+ packet_put_string(send_tok.value,
|
||||
+ send_tok.length);
|
||||
+ packet_put_bignum2(dh->pub_key);
|
||||
+ packet_put_bignum2((BIGNUM *)pub_key);
|
||||
+ first = 0;
|
||||
+ } else {
|
||||
+ packet_start(SSH2_MSG_KEXGSS_CONTINUE);
|
||||
@ -1266,13 +1270,14 @@ diff -up openssh/kexgssc.c.gsskex openssh/kexgssc.c
|
||||
+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
|
||||
+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
|
||||
+ (serverhostkey ? serverhostkey : empty), slen,
|
||||
+ dh->pub_key, /* e */
|
||||
+ pub_key, /* e */
|
||||
+ dh_server_pub, /* f */
|
||||
+ shared_secret, /* K */
|
||||
+ hash, &hashlen
|
||||
+ );
|
||||
+ break;
|
||||
+ case KEX_GSS_GEX_SHA1:
|
||||
+ DH_get0_pqg(dh, &p1, NULL, &g1);
|
||||
+ kexgex_hash(
|
||||
+ ssh->kex->hash_alg,
|
||||
+ ssh->kex->client_version_string,
|
||||
@ -1281,8 +1286,8 @@ diff -up openssh/kexgssc.c.gsskex openssh/kexgssc.c
|
||||
+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
|
||||
+ (serverhostkey ? serverhostkey : empty), slen,
|
||||
+ min, nbits, max,
|
||||
+ dh->p, dh->g,
|
||||
+ dh->pub_key,
|
||||
+ p, g,
|
||||
+ pub_key,
|
||||
+ dh_server_pub,
|
||||
+ shared_secret,
|
||||
+ hash, &hashlen
|
||||
@ -1330,7 +1335,7 @@ diff -up openssh/kexgssc.c.gsskex openssh/kexgssc.c
|
||||
diff -up openssh/kexgsss.c.gsskex openssh/kexgsss.c
|
||||
--- openssh/kexgsss.c.gsskex 2018-08-22 11:47:33.311216457 +0200
|
||||
+++ openssh/kexgsss.c 2018-08-22 11:47:33.311216457 +0200
|
||||
@@ -0,0 +1,297 @@
|
||||
@@ -0,0 +1,300 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||
+ *
|
||||
@ -1410,6 +1415,7 @@ diff -up openssh/kexgsss.c.gsskex openssh/kexgsss.c
|
||||
+ char *mechs;
|
||||
+ u_char hash[SSH_DIGEST_MAX_LENGTH];
|
||||
+ size_t hashlen;
|
||||
+ const BIGNUM *p, *g, *pub_key;
|
||||
+
|
||||
+ /* Initialise GSSAPI */
|
||||
+
|
||||
@ -1455,9 +1461,10 @@ diff -up openssh/kexgsss.c.gsskex openssh/kexgsss.c
|
||||
+ if (dh == NULL)
|
||||
+ packet_disconnect("Protocol error: no matching group found");
|
||||
+
|
||||
+ DH_get0_pqg(dh, &p, NULL, &g);
|
||||
+ packet_start(SSH2_MSG_KEXGSS_GROUP);
|
||||
+ packet_put_bignum2(dh->p);
|
||||
+ packet_put_bignum2(dh->g);
|
||||
+ packet_put_bignum2((BIGNUM *)p);
|
||||
+ packet_put_bignum2((BIGNUM *)g);
|
||||
+ packet_send();
|
||||
+
|
||||
+ packet_write_wait();
|
||||
@ -1549,6 +1556,7 @@ diff -up openssh/kexgsss.c.gsskex openssh/kexgsss.c
|
||||
+ memset(kbuf, 0, klen);
|
||||
+ free(kbuf);
|
||||
+
|
||||
+ DH_get0_key(dh, &pub_key, NULL);
|
||||
+ hashlen = sizeof(hash);
|
||||
+ switch (ssh->kex->kex_type) {
|
||||
+ case KEX_GSS_GRP1_SHA1:
|
||||
@ -1558,7 +1566,7 @@ diff -up openssh/kexgsss.c.gsskex openssh/kexgsss.c
|
||||
+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
|
||||
+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
|
||||
+ NULL, 0, /* Change this if we start sending host keys */
|
||||
+ dh_client_pub, dh->pub_key, shared_secret,
|
||||
+ dh_client_pub, pub_key, shared_secret,
|
||||
+ hash, &hashlen
|
||||
+ );
|
||||
+ break;
|
||||
@ -1570,9 +1578,9 @@ diff -up openssh/kexgsss.c.gsskex openssh/kexgsss.c
|
||||
+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
|
||||
+ NULL, 0,
|
||||
+ cmin, nbits, cmax,
|
||||
+ dh->p, dh->g,
|
||||
+ p, g,
|
||||
+ dh_client_pub,
|
||||
+ dh->pub_key,
|
||||
+ pub_key,
|
||||
+ shared_secret,
|
||||
+ hash, &hashlen
|
||||
+ );
|
||||
@ -1596,7 +1604,7 @@ diff -up openssh/kexgsss.c.gsskex openssh/kexgsss.c
|
||||
+ fatal("Couldn't get MIC");
|
||||
+
|
||||
+ packet_start(SSH2_MSG_KEXGSS_COMPLETE);
|
||||
+ packet_put_bignum2(dh->pub_key);
|
||||
+ packet_put_bignum2(pub_key);
|
||||
+ packet_put_string(msg_tok.value,msg_tok.length);
|
||||
+
|
||||
+ if (send_tok.length != 0) {
|
||||
@ -1928,7 +1936,7 @@ diff -up openssh/monitor_wrap.c.gsskex openssh/monitor_wrap.c
|
||||
+
|
||||
+ sshbuf_free(m);
|
||||
+
|
||||
+ return(major);
|
||||
+ return (major);
|
||||
+}
|
||||
+
|
||||
+int
|
||||
@ -2617,16 +2625,6 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
|
||||
diff -up openssh/sshd.c.gsskex openssh/sshd.c
|
||||
--- openssh/sshd.c.gsskex 2018-08-22 11:47:33.299216360 +0200
|
||||
+++ openssh/sshd.c 2018-08-22 13:34:28.455975954 +0200
|
||||
@@ -537,8 +537,7 @@ privsep_preauth_child(void)
|
||||
|
||||
#ifdef GSSAPI
|
||||
/* Cache supported mechanism OIDs for later use */
|
||||
- if (options.gss_authentication)
|
||||
- ssh_gssapi_prepare_supported_oids();
|
||||
+ ssh_gssapi_prepare_supported_oids();
|
||||
#endif
|
||||
|
||||
reseed_prngs();
|
||||
@@ -887,8 +887,9 @@ notify_hostkeys(struct ssh *ssh)
|
||||
}
|
||||
debug3("%s: sent %u hostkeys", __func__, nkeys);
|
||||
|
14
openssh.spec
14
openssh.spec
@ -65,10 +65,10 @@
|
||||
%endif
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%global openssh_ver 7.8p1
|
||||
%global openssh_rel 3
|
||||
%global openssh_ver 7.9p1
|
||||
%global openssh_rel 1
|
||||
%global pam_ssh_agent_ver 0.10.3
|
||||
%global pam_ssh_agent_rel 5
|
||||
%global pam_ssh_agent_rel 6
|
||||
|
||||
Summary: An open source implementation of SSH protocol version 2
|
||||
Name: openssh
|
||||
@ -100,8 +100,6 @@ Patch100: openssh-6.7p1-coverity.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1894
|
||||
#https://bugzilla.redhat.com/show_bug.cgi?id=735889
|
||||
#Patch102: openssh-5.8p1-getaddrinfo.patch
|
||||
# OpenSSL 1.1.0 compatibility
|
||||
Patch104: openssh-7.3p1-openssl-1.1.0.patch
|
||||
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1171248
|
||||
@ -451,7 +449,6 @@ popd
|
||||
%patch700 -p1 -b .fips
|
||||
|
||||
%patch100 -p1 -b .coverity
|
||||
%patch104 -p1 -b .openssl
|
||||
|
||||
%if 0
|
||||
# Nothing here yet
|
||||
@ -568,7 +565,10 @@ popd
|
||||
%if %{pam_ssh_agent}
|
||||
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
||||
LDFLAGS="$SAVE_LDFLAGS"
|
||||
%configure --with-selinux --libexecdir=/%{_libdir}/security --with-mantype=man
|
||||
%configure --with-selinux \
|
||||
--libexecdir=/%{_libdir}/security \
|
||||
--with-mantype=man \
|
||||
--without-openssl-header-check `# The check is broken`
|
||||
make
|
||||
popd
|
||||
%endif
|
||||
|
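Review bot: The `--without-openssl-header-check` option added to the pam_ssh_agent_auth `%configure` line turns off the configure-time check that the OpenSSL headers match the linked library, and the trailing `# The check is broken` does not say what fails or when the flag can go away. A workaround comment like this should name the failure and its exit criterion, e.g. `# The header/library version consistency check misfires with this OpenSSL; drop once pam_ssh_agent_auth's configure is fixed`. As written, the flag is likely to outlive the bug it works around and would then mask a genuine header/library mismatch in a later build. The rest of this section (7.9p1 bump, release reset to 1 with the pam_ssh_agent_auth release bumped as the comment requires, removal of the now-unneeded Patch104) is consistent and needs no change.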
4
sources
4
sources
@ -1,4 +1,4 @@
|
||||
SHA512 (openssh-7.8p1.tar.gz) = 8e5b0c8682a9243e4e8b7c374ec989dccd1a752eb6f84e593b67141e8b23dcc8b9a7322b1f7525d18e2ce8830a767d0d9793f997486339db201a57986b910705
|
||||
SHA512 (openssh-7.8p1.tar.gz.asc) = 3a7bef84df3c07aa78965a11a6bbd6ca6e5d1e9265ac08871b3e5d304646be651b74f5302a195e86a56e6a83b19d79292e5599c9a9cf6f003a513d4354e8ad2f
|
||||
SHA512 (openssh-7.9p1.tar.gz) = 0412c9c429c9287f0794023951469c8e6ec833cdb55821bfa0300dd90d0879ff60484f620cffd93372641ab69bf0b032c2d700ccc680950892725fb631b7708e
|
||||
SHA512 (openssh-7.9p1.tar.gz.asc) = 881db1b541813136fabd9adb9f5430c4f0fae372c06c99cb049feb8526a573275fe80c129c89511dd4e65f73f41e29364fefaaf8b7c78835224691c488d5da32
|
||||
SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
|
||||
SHA512 (pam_ssh_agent_auth-0.10.3.tar.bz2) = d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66
|
||||
|