6.8p1-1 + 0.9.3-5

This commit is contained in:
Jakub Jelen 2015-03-20 14:56:04 +01:00
parent 7b82d087e1
commit 132f8f8686
26 changed files with 1345 additions and 3694 deletions

.gitignore vendored

@ -14,3 +14,4 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
/openssh-6.4p1.tar.gz
/openssh-6.6p1.tar.gz
/openssh-6.7p1.tar.gz
/openssh-6.8p1.tar.gz


@ -1,12 +1,12 @@
diff -up openssh-5.8p1/packet.c.packet openssh-5.8p1/packet.c
--- openssh-5.8p1/packet.c.packet 2011-04-05 13:29:06.998648899 +0200
+++ openssh-5.8p1/packet.c 2011-04-05 13:30:32.967648596 +0200
@@ -294,6 +294,8 @@ packet_connection_is_on_socket(void)
diff -up openssh-6.8p1/packet.c.packet openssh-6.8p1/packet.c
--- openssh-6.8p1/packet.c.packet 2015-03-18 10:56:32.286930601 +0100
+++ openssh-6.8p1/packet.c 2015-03-18 10:58:38.535629739 +0100
@@ -371,6 +371,8 @@ ssh_packet_connection_is_on_socket(struc
struct sockaddr_storage from, to;
socklen_t fromlen, tolen;
+ if (!active_state)
+ if (!state)
+ return 0;
/* filedescriptors in and out are the same, so it's a socket */
if (active_state->connection_in == active_state->connection_out)
if (state->connection_in == state->connection_out)
return 1;


@ -1,18 +0,0 @@
diff -up openssh-6.1p1/contrib/Makefile.askpass-ld openssh-6.1p1/contrib/Makefile
--- openssh-6.1p1/contrib/Makefile.askpass-ld 2012-05-19 07:24:37.000000000 +0200
+++ openssh-6.1p1/contrib/Makefile 2012-09-14 20:35:47.565704718 +0200
@@ -4,12 +4,12 @@ all:
@echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2"
gnome-ssh-askpass1: gnome-ssh-askpass1.c
- $(CC) `gnome-config --cflags gnome gnomeui` \
+ $(CC) ${CFLAGS} `gnome-config --cflags gnome gnomeui` \
gnome-ssh-askpass1.c -o gnome-ssh-askpass1 \
`gnome-config --libs gnome gnomeui`
gnome-ssh-askpass2: gnome-ssh-askpass2.c
- $(CC) `$(PKG_CONFIG) --cflags gtk+-2.0` \
+ $(CC) ${CFLAGS} `$(PKG_CONFIG) --cflags gtk+-2.0` \
gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
`$(PKG_CONFIG) --libs gtk+-2.0 x11`


@ -1,8 +1,7 @@
diff --git a/configure.ac b/configure.ac
index 6553074..8dedb95 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4676,6 +4676,12 @@ AC_ARG_WITH([lastlog],
diff -up openssh-6.8p1/configure.ac.vendor openssh-6.8p1/configure.ac
--- openssh-6.8p1/configure.ac.vendor 2015-03-18 11:17:56.670880303 +0100
+++ openssh-6.8p1/configure.ac 2015-03-18 11:17:56.695880243 +0100
@@ -4743,6 +4743,12 @@ AC_ARG_WITH([lastlog],
fi
]
)
@ -15,7 +14,7 @@ index 6553074..8dedb95 100644
dnl lastlog, [uw]tmpx? detection
dnl NOTE: set the paths in the platform section to avoid the
@@ -4938,6 +4944,7 @@ echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
@@ -5005,6 +5011,7 @@ echo " Translate v4 in v6 hack
echo " BSD Auth support: $BSD_AUTH_MSG"
echo " Random number source: $RAND_MSG"
echo " Privsep sandbox style: $SANDBOX_STYLE"
@ -23,11 +22,10 @@ index 6553074..8dedb95 100644
echo ""
diff --git a/servconf.c b/servconf.c
index e3ebaac..c8a3f28 100644
--- a/servconf.c
+++ b/servconf.c
@@ -141,6 +141,7 @@ initialize_server_options(ServerOptions *options)
diff -up openssh-6.8p1/servconf.c.vendor openssh-6.8p1/servconf.c
--- openssh-6.8p1/servconf.c.vendor 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/servconf.c 2015-03-18 11:19:16.279691126 +0100
@@ -145,6 +145,7 @@ initialize_server_options(ServerOptions
options->max_authtries = -1;
options->max_sessions = -1;
options->banner = NULL;
@ -35,7 +33,7 @@ index e3ebaac..c8a3f28 100644
options->use_dns = -1;
options->client_alive_interval = -1;
options->client_alive_count_max = -1;
@@ -310,6 +311,8 @@ fill_default_server_options(ServerOptions *options)
@@ -327,6 +328,8 @@ fill_default_server_options(ServerOption
options->ip_qos_bulk = IPTOS_THROUGHPUT;
if (options->version_addendum == NULL)
options->version_addendum = xstrdup("");
@ -44,16 +42,16 @@ index e3ebaac..c8a3f28 100644
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
options->fwd_opts.streamlocal_bind_mask = 0177;
if (options->fwd_opts.streamlocal_bind_unlink == -1)
@@ -353,7 +356,7 @@ typedef enum {
@@ -388,7 +391,7 @@ typedef enum {
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
sMaxStartups, sMaxAuthTries, sMaxSessions,
sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
- sBanner, sUseDNS, sHostbasedAuthentication,
+ sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile,
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
@@ -467,6 +470,7 @@ static struct {
@@ -504,6 +507,7 @@ static struct {
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
{ "maxsessions", sMaxSessions, SSHCFG_ALL },
{ "banner", sBanner, SSHCFG_ALL },
@ -61,7 +59,7 @@ index e3ebaac..c8a3f28 100644
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
@@ -1263,6 +1267,10 @@ process_server_config_line(ServerOptions *options, char *line,
@@ -1320,6 +1324,10 @@ process_server_config_line(ServerOptions
multistate_ptr = multistate_privsep;
goto parse_multistate;
@ -72,7 +70,7 @@ index e3ebaac..c8a3f28 100644
case sAllowUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_allow_users >= MAX_ALLOW_USERS)
@@ -2081,6 +2089,7 @@ dump_config(ServerOptions *o)
@@ -2145,6 +2153,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUseLogin, o->use_login);
dump_cfg_fmtint(sCompression, o->compression);
dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
@ -80,11 +78,10 @@ index e3ebaac..c8a3f28 100644
dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
diff --git a/servconf.h b/servconf.h
index 49b228b..21719e2 100644
--- a/servconf.h
+++ b/servconf.h
@@ -149,6 +149,7 @@ typedef struct {
diff -up openssh-6.8p1/servconf.h.vendor openssh-6.8p1/servconf.h
--- openssh-6.8p1/servconf.h.vendor 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/servconf.h 2015-03-18 11:17:56.696880241 +0100
@@ -151,6 +151,7 @@ typedef struct {
int max_authtries;
int max_sessions;
char *banner; /* SSH-2 banner message */
@ -92,11 +89,10 @@ index 49b228b..21719e2 100644
int use_dns;
int client_alive_interval; /*
* poke the client this often to
diff --git a/sshd.c b/sshd.c
index afe9afa..193b206 100644
--- a/sshd.c
+++ b/sshd.c
@@ -432,7 +432,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
diff -up openssh-6.8p1/sshd.c.vendor openssh-6.8p1/sshd.c
--- openssh-6.8p1/sshd.c.vendor 2015-03-18 11:17:56.669880305 +0100
+++ openssh-6.8p1/sshd.c 2015-03-18 11:17:56.697880239 +0100
@@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in
}
xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@ -105,7 +101,7 @@ index afe9afa..193b206 100644
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline);
@@ -1677,7 +1677,8 @@ main(int ac, char **av)
@@ -1737,7 +1737,8 @@ main(int ac, char **av)
exit(1);
}
@ -115,23 +111,21 @@ index afe9afa..193b206 100644
#ifdef WITH_OPENSSL
SSLeay_version(SSLEAY_VERSION)
#else
diff --git a/sshd_config b/sshd_config
index 3092ac6..da3db5d 100644
--- a/sshd_config
+++ b/sshd_config
@@ -119,6 +119,7 @@ UsePrivilegeSeparation sandbox # Default for new installations.
diff -up openssh-6.8p1/sshd_config.vendor openssh-6.8p1/sshd_config
--- openssh-6.8p1/sshd_config.vendor 2015-03-18 11:17:56.697880239 +0100
+++ openssh-6.8p1/sshd_config 2015-03-18 11:20:15.552550274 +0100
@@ -119,6 +119,7 @@ UsePrivilegeSeparation sandbox # Defaul
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
+#ShowPatchLevel no
#UseDNS yes
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
diff --git a/sshd_config.0 b/sshd_config.0
index 43867d3..a3898c3 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -700,6 +700,11 @@ DESCRIPTION
diff -up openssh-6.8p1/sshd_config.0.vendor openssh-6.8p1/sshd_config.0
--- openssh-6.8p1/sshd_config.0.vendor 2015-03-18 11:17:56.691880253 +0100
+++ openssh-6.8p1/sshd_config.0 2015-03-18 11:17:56.697880239 +0100
@@ -740,6 +740,11 @@ DESCRIPTION
Defines the number of bits in the ephemeral protocol version 1
server key. The minimum value is 512, and the default is 1024.
@ -143,11 +137,10 @@ index 43867d3..a3898c3 100644
StreamLocalBindMask
Sets the octal file creation mode mask (umask) used when creating
a Unix-domain socket file for local or remote port forwarding.
diff --git a/sshd_config.5 b/sshd_config.5
index 89a0cf2..cccb310 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1200,6 +1200,13 @@ This option applies to protocol version 1 only.
diff -up openssh-6.8p1/sshd_config.5.vendor openssh-6.8p1/sshd_config.5
--- openssh-6.8p1/sshd_config.5.vendor 2015-03-18 11:17:56.691880253 +0100
+++ openssh-6.8p1/sshd_config.5 2015-03-18 11:17:56.697880239 +0100
@@ -1276,6 +1276,13 @@ This option applies to protocol version
.It Cm ServerKeyBits
Defines the number of bits in the ephemeral protocol version 1 server key.
The minimum value is 512, and the default is 1024.


@ -1,7 +1,6 @@
diff --git a/compat.c b/compat.c
index 2709dc5..7412a54 100644
--- a/compat.c
+++ b/compat.c
diff -up openssh-6.8p1/compat.c.cisco-dh openssh-6.8p1/compat.c
--- openssh-6.8p1/compat.c.cisco-dh 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/compat.c 2015-03-19 12:57:58.862606969 +0100
@@ -167,6 +167,7 @@ compat_datafellows(const char *version)
SSH_BUG_SCANNER },
{ "Probe-*",
@ -10,10 +9,9 @@ index 2709dc5..7412a54 100644
{ NULL, 0 }
};
diff --git a/compat.h b/compat.h
index a6c3f3d..d8def7d 100644
--- a/compat.h
+++ b/compat.h
diff -up openssh-6.8p1/compat.h.cisco-dh openssh-6.8p1/compat.h
--- openssh-6.8p1/compat.h.cisco-dh 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/compat.h 2015-03-19 12:57:58.862606969 +0100
@@ -60,6 +60,7 @@
#define SSH_NEW_OPENSSH 0x04000000
#define SSH_BUG_DYNAMIC_RPORT 0x08000000
@ -22,49 +20,35 @@ index a6c3f3d..d8def7d 100644
void enable_compat13(void);
void enable_compat20(void);
diff --git a/kexgexc.c b/kexgexc.c
index 355b7ba..0a91bdd 100644
--- a/kexgexc.c
+++ b/kexgexc.c
@@ -58,20 +58,37 @@ kexgex_client(Kex *kex)
int min, max, nbits;
DH *dh;
diff -up openssh-6.8p1/kexgexc.c.cisco-dh openssh-6.8p1/kexgexc.c
--- openssh-6.8p1/kexgexc.c.cisco-dh 2015-03-19 12:57:58.862606969 +0100
+++ openssh-6.8p1/kexgexc.c 2015-03-19 13:11:52.320519969 +0100
@@ -64,8 +64,27 @@ kexgex_client(struct ssh *ssh)
+ min = DH_GRP_MIN;
+ max = DH_GRP_MAX;
kex->min = DH_GRP_MIN;
kex->max = DH_GRP_MAX;
+
+ /* Servers with MAX4096DH need a preferred size (nbits) <= 4096.
+ * We need to also ensure that min < nbits < max */
+
+ if (datafellows & SSH_BUG_MAX4096DH) {
+ /* The largest min for these servers is 4096 */
+ min = MIN(min, 4096);
+ kex->min = MIN(kex->min, 4096);
+ }
+
nbits = dh_estimate(kex->dh_need * 8);
+ nbits = MIN(nbits, max);
+ nbits = MAX(nbits, min);
kex->nbits = nbits;
- if (ssh->compat & SSH_OLD_DHGEX) {
+ kex->nbits = MIN(nbits, kex->max);
+ kex->nbits = MAX(nbits, kex->min);
+
+ if (datafellows & SSH_BUG_MAX4096DH) {
+ if (ssh->compat & SSH_BUG_MAX4096DH) {
+ /* Cannot have a nbits > 4096 for these servers */
+ nbits = MIN(nbits, 4096);
+ kex->nbits = MIN(kex->nbits, 4096);
+ /* nbits has to be powers of two */
+ if (nbits == 3072)
+ nbits = 4096;
+ if (kex->nbits == 3072)
+ kex->nbits = 4096;
+ }
if (datafellows & SSH_OLD_DHGEX) {
+ if (ssh->compat & SSH_OLD_DHGEX) { /* Old GEX request */
/* Old GEX request */
packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD);
packet_put_int(nbits);
- min = DH_GRP_MIN;
- max = DH_GRP_MAX;
debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD(%u) sent", nbits);
} else {
/* New GEX request */
- min = DH_GRP_MIN;
- max = DH_GRP_MAX;
packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST);
packet_put_int(min);
packet_put_int(nbits);
if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST_OLD))
!= 0 ||
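Review bot: In the 6.8p1 variant of the kexgexc.c hunk the upper clamp is lost: `kex->nbits = MIN(nbits, kex->max);` is immediately overwritten by `kex->nbits = MAX(nbits, kex->min);`, which reads the unclamped `nbits` instead of `kex->nbits`, so a dh_estimate() result above kex->max would be kept as-is whenever SSH_BUG_MAX4096DH is not set (the `MIN(kex->nbits, 4096)` inside that branch masks the problem only for those servers). The older variant chains the two clamps correctly (`nbits = MIN(nbits, max); nbits = MAX(nbits, min);`); the refreshed line should read `kex->nbits = MAX(kex->nbits, kex->min);`. Whether dh_estimate() can in practice exceed DH_GRP_MAX is not visible here, but the clamp as written states an intent it does not implement. kexgex_client continues past the end of the hunk.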


@ -1,7 +1,6 @@
diff --git a/log.c b/log.c
index 32e1d2e..d4caeb5 100644
--- a/log.c
+++ b/log.c
diff -up openssh-6.8p1/log.c.log-in-chroot openssh-6.8p1/log.c
--- openssh-6.8p1/log.c.log-in-chroot 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/log.c 2015-03-18 12:59:29.694022313 +0100
@@ -241,6 +241,11 @@ debug3(const char *fmt,...)
void
log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
@ -14,7 +13,7 @@ index 32e1d2e..d4caeb5 100644
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
struct syslog_data sdata = SYSLOG_DATA_INIT;
#endif
@@ -264,8 +269,10 @@ log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
@@ -264,8 +269,10 @@ log_init(char *av0, LogLevel level, Sysl
exit(1);
}
@ -27,10 +26,9 @@ index 32e1d2e..d4caeb5 100644
log_on_stderr = on_stderr;
if (on_stderr)
diff --git a/log.h b/log.h
index ae7df25..30c3310 100644
--- a/log.h
+++ b/log.h
diff -up openssh-6.8p1/log.h.log-in-chroot openssh-6.8p1/log.h
--- openssh-6.8p1/log.h.log-in-chroot 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/log.h 2015-03-18 12:59:29.694022313 +0100
@@ -49,6 +49,7 @@ typedef enum {
typedef void (log_handler_fn)(LogLevel, const char *, void *);
@ -39,11 +37,10 @@ index ae7df25..30c3310 100644
void log_change_level(LogLevel);
int log_is_on_stderr(void);
void log_redirect_stderr_to(const char *);
diff --git a/monitor.c b/monitor.c
index 7ebc76e..d97e640 100644
--- a/monitor.c
+++ b/monitor.c
@@ -378,6 +378,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
diff -up openssh-6.8p1/monitor.c.log-in-chroot openssh-6.8p1/monitor.c
--- openssh-6.8p1/monitor.c.log-in-chroot 2015-03-18 12:59:29.669022374 +0100
+++ openssh-6.8p1/monitor.c 2015-03-18 13:01:52.894671198 +0100
@@ -357,6 +357,8 @@ monitor_child_preauth(Authctxt *_authctx
close(pmonitor->m_log_sendfd);
pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
@ -52,7 +49,7 @@ index 7ebc76e..d97e640 100644
authctxt = _authctxt;
memset(authctxt, 0, sizeof(*authctxt));
@@ -486,6 +488,8 @@ monitor_child_postauth(struct monitor *pmonitor)
@@ -465,6 +467,8 @@ monitor_child_postauth(struct monitor *p
close(pmonitor->m_recvfd);
pmonitor->m_recvfd = -1;
@ -61,7 +58,7 @@ index 7ebc76e..d97e640 100644
monitor_set_child_handler(pmonitor->m_pid);
signal(SIGHUP, &monitor_child_handler);
signal(SIGTERM, &monitor_child_handler);
@@ -566,7 +570,7 @@ monitor_read_log(struct monitor *pmonitor)
@@ -566,7 +570,7 @@ monitor_read_log(struct monitor *pmonito
if (log_level_name(level) == NULL)
fatal("%s: invalid log level %u (corrupted message?)",
__func__, level);
@ -70,8 +67,8 @@ index 7ebc76e..d97e640 100644
buffer_free(&logmsg);
free(msg);
@@ -2107,13 +2111,28 @@ monitor_init(void)
mm_init_compression(mon->m_zlib);
@@ -1998,13 +2002,28 @@ monitor_init(void)
(ssh_packet_comp_free_func *)mm_zfree);
}
+ mon->m_state = "";
@ -101,13 +98,12 @@ index 7ebc76e..d97e640 100644
}
#ifdef GSSAPI
diff --git a/monitor.h b/monitor.h
index ff79fbb..00c2028 100644
--- a/monitor.h
+++ b/monitor.h
diff -up openssh-6.8p1/monitor.h.log-in-chroot openssh-6.8p1/monitor.h
--- openssh-6.8p1/monitor.h.log-in-chroot 2015-03-18 12:59:29.695022310 +0100
+++ openssh-6.8p1/monitor.h 2015-03-18 13:02:56.926514197 +0100
@@ -83,10 +83,11 @@ struct monitor {
struct mm_master *m_zlib;
struct Kex **m_pkex;
struct kex **m_pkex;
pid_t m_pid;
+ char *m_state;
};
@ -118,11 +114,10 @@ index ff79fbb..00c2028 100644
void monitor_sync(struct monitor *);
struct Authctxt;
diff --git a/session.c b/session.c
index 9c94d8e..40a681e 100644
--- a/session.c
+++ b/session.c
@@ -160,6 +160,8 @@ login_cap_t *lc;
diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
--- openssh-6.8p1/session.c.log-in-chroot 2015-03-18 12:59:29.675022359 +0100
+++ openssh-6.8p1/session.c 2015-03-18 12:59:29.696022308 +0100
@@ -161,6 +161,8 @@ login_cap_t *lc;
static int is_child = 0;
@ -131,7 +126,7 @@ index 9c94d8e..40a681e 100644
/* Name and directory of socket for authentication agent forwarding. */
static char *auth_sock_name = NULL;
static char *auth_sock_dir = NULL;
@@ -505,8 +507,8 @@ do_exec_no_pty(Session *s, const char *command)
@@ -506,8 +508,8 @@ do_exec_no_pty(Session *s, const char *c
is_child = 1;
/* Child. Reinitialize the log since the pid has changed. */
@ -142,7 +137,7 @@ index 9c94d8e..40a681e 100644
/*
* Create a new session and process group since the 4.4BSD
@@ -674,8 +676,8 @@ do_exec_pty(Session *s, const char *command)
@@ -675,8 +677,8 @@ do_exec_pty(Session *s, const char *comm
close(ptymaster);
/* Child. Reinitialize the log because the pid has changed. */
@ -153,7 +148,7 @@ index 9c94d8e..40a681e 100644
/* Close the master side of the pseudo tty. */
close(ptyfd);
@@ -779,6 +781,7 @@ do_exec(Session *s, const char *command)
@@ -780,6 +782,7 @@ do_exec(Session *s, const char *command)
int ret;
const char *forced = NULL;
char session_type[1024], *tty = NULL;
@ -161,7 +156,7 @@ index 9c94d8e..40a681e 100644
if (options.adm_forced_command) {
original_command = command;
@@ -836,6 +839,10 @@ do_exec(Session *s, const char *command)
@@ -837,6 +840,10 @@ do_exec(Session *s, const char *command)
tty += 5;
}
@ -172,7 +167,7 @@ index 9c94d8e..40a681e 100644
verbose("Starting session: %s%s%s for %s from %.200s port %d",
session_type,
tty == NULL ? "" : " on ",
@@ -1677,14 +1684,6 @@ child_close_fds(void)
@@ -1678,14 +1685,6 @@ child_close_fds(void)
* descriptors left by system functions. They will be closed later.
*/
endpwent();
@ -187,7 +182,7 @@ index 9c94d8e..40a681e 100644
}
/*
@@ -1830,8 +1829,6 @@ do_child(Session *s, const char *command)
@@ -1831,8 +1830,6 @@ do_child(Session *s, const char *command
exit(1);
}
@ -196,7 +191,7 @@ index 9c94d8e..40a681e 100644
if (!options.use_login)
do_rc_files(s, shell);
@@ -1855,9 +1852,17 @@ do_child(Session *s, const char *command)
@@ -1856,9 +1853,17 @@ do_child(Session *s, const char *command
argv[i] = NULL;
optind = optreset = 1;
__progname = argv[0];
@ -215,10 +210,9 @@ index 9c94d8e..40a681e 100644
fflush(NULL);
if (options.use_login) {
diff --git a/sftp-server-main.c b/sftp-server-main.c
index 7e644ab..e162b7a 100644
--- a/sftp-server-main.c
+++ b/sftp-server-main.c
diff -up openssh-6.8p1/sftp-server-main.c.log-in-chroot openssh-6.8p1/sftp-server-main.c
--- openssh-6.8p1/sftp-server-main.c.log-in-chroot 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/sftp-server-main.c 2015-03-18 12:59:29.696022308 +0100
@@ -47,5 +47,5 @@ main(int argc, char **argv)
return 1;
}
@ -226,11 +220,10 @@ index 7e644ab..e162b7a 100644
- return (sftp_server_main(argc, argv, user_pw));
+ return (sftp_server_main(argc, argv, user_pw, 0));
}
diff --git a/sftp-server.c b/sftp-server.c
index 0177130..8fa7fc7 100644
--- a/sftp-server.c
+++ b/sftp-server.c
@@ -1440,7 +1440,7 @@ sftp_server_usage(void)
diff -up openssh-6.8p1/sftp-server.c.log-in-chroot openssh-6.8p1/sftp-server.c
--- openssh-6.8p1/sftp-server.c.log-in-chroot 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/sftp-server.c 2015-03-18 13:03:52.510377911 +0100
@@ -1502,7 +1502,7 @@ sftp_server_usage(void)
}
int
@ -238,8 +231,8 @@ index 0177130..8fa7fc7 100644
+sftp_server_main(int argc, char **argv, struct passwd *user_pw, int reset_handler)
{
fd_set *rset, *wset;
int i, in, out, max, ch, skipargs = 0, log_stderr = 0;
@@ -1453,7 +1453,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
@@ -1515,7 +1515,7 @@ sftp_server_main(int argc, char **argv,
extern char *__progname;
__progname = ssh_get_progname(argv[0]);
@ -248,7 +241,7 @@ index 0177130..8fa7fc7 100644
pw = pwcopy(user_pw);
@@ -1524,7 +1524,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
@@ -1586,7 +1586,7 @@ sftp_server_main(int argc, char **argv,
}
}
@ -257,10 +250,9 @@ index 0177130..8fa7fc7 100644
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
/*
diff --git a/sftp.h b/sftp.h
index 2bde8bb..ddf1a39 100644
--- a/sftp.h
+++ b/sftp.h
diff -up openssh-6.8p1/sftp.h.log-in-chroot openssh-6.8p1/sftp.h
--- openssh-6.8p1/sftp.h.log-in-chroot 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/sftp.h 2015-03-18 12:59:29.696022308 +0100
@@ -97,5 +97,5 @@
struct passwd;
@ -268,11 +260,10 @@ index 2bde8bb..ddf1a39 100644
-int sftp_server_main(int, char **, struct passwd *);
+int sftp_server_main(int, char **, struct passwd *, int);
void sftp_server_cleanup_exit(int) __attribute__((noreturn));
diff --git a/sshd.c b/sshd.c
index 39b9c08..ca55d7f 100644
--- a/sshd.c
+++ b/sshd.c
@@ -737,7 +737,7 @@ privsep_postauth(Authctxt *authctxt)
diff -up openssh-6.8p1/sshd.c.log-in-chroot openssh-6.8p1/sshd.c
--- openssh-6.8p1/sshd.c.log-in-chroot 2015-03-18 12:59:29.691022320 +0100
+++ openssh-6.8p1/sshd.c 2015-03-18 12:59:29.697022305 +0100
@@ -744,7 +744,7 @@ privsep_postauth(Authctxt *authctxt)
}
/* New socket pair */
@ -281,7 +272,7 @@ index 39b9c08..ca55d7f 100644
pmonitor->m_pid = fork();
if (pmonitor->m_pid == -1)
@@ -755,6 +755,11 @@ privsep_postauth(Authctxt *authctxt)
@@ -762,6 +762,11 @@ privsep_postauth(Authctxt *authctxt)
close(pmonitor->m_sendfd);
pmonitor->m_sendfd = -1;
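Review bot: `mon->m_state = "";` in the monitor_init hunk stores a string literal in the new `char *m_state` field added by the monitor.h hunk; if other code later assigns heap-allocated strings to that field and frees them (not visible in this section), freeing the literal, and any write through the pointer, is undefined behaviour. If the field only ever points at literals, declaring it `const char *m_state;` lets the compiler enforce that; otherwise initialise it with an allocated copy so the owner of the field is unambiguous. The remainder of the monitor_init hunk and the other uses of m_state lie outside the visible lines.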


@ -1,16 +0,0 @@
diff --git a/auth2.c b/auth2.c
index d9b440a..ec0bf12 100644
--- a/auth2.c
+++ b/auth2.c
@@ -355,8 +355,9 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
authctxt->success = 1;
} else {
- /* Allow initial try of "none" auth without failure penalty */
- if (!authctxt->server_caused_failure &&
+ /* Allow initial try of "none" auth without failure penalty
+ * Partial succes is not failure */
+ if (!authctxt->server_caused_failure && !partial &&
(authctxt->attempt > 1 || strcmp(method, "none") != 0))
authctxt->failures++;
if (authctxt->failures >= options.max_authtries) {


@ -1,21 +1,19 @@
diff --git a/Makefile.in b/Makefile.in
index 2ad26ff..0f0d39f 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -81,7 +81,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
diff -up openssh-6.8p1/Makefile.in.utf8-banner openssh-6.8p1/Makefile.in
--- openssh-6.8p1/Makefile.in.utf8-banner 2015-03-18 12:41:28.174713188 +0100
+++ openssh-6.8p1/Makefile.in 2015-03-18 12:45:52.723048114 +0100
@@ -94,7 +94,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
ssh-pkcs11.o krl.o smult_curve25519_ref.o \
kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
- ssh-ed25519.o digest-openssl.o hmac.o \
+ ssh-ed25519.o digest-openssl.o hmac.o utf8_stringprep.o \
sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
diff --git a/misc.h b/misc.h
index d4df619..d98b83d 100644
--- a/misc.h
+++ b/misc.h
@@ -106,4 +106,7 @@ char *read_passphrase(const char *, int);
ssh-pkcs11.o smult_curve25519_ref.o \
poly1305.o chacha.o cipher-chachapoly.o \
- ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \
+ ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o utf8_stringprep.o \
sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
diff -up openssh-6.8p1/misc.h.utf8-banner openssh-6.8p1/misc.h
--- openssh-6.8p1/misc.h.utf8-banner 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/misc.h 2015-03-18 12:41:28.175713185 +0100
@@ -135,4 +135,7 @@ char *read_passphrase(const char *, int)
int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
@ -23,10 +21,9 @@ index d4df619..d98b83d 100644
+int utf8_stringprep(const char *, char *, size_t);
+
#endif /* _MISC_H */
diff --git a/sshconnect2.c b/sshconnect2.c
index b00658b..08064f4 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
diff -up openssh-6.8p1/sshconnect2.c.utf8-banner openssh-6.8p1/sshconnect2.c
--- openssh-6.8p1/sshconnect2.c.utf8-banner 2015-03-18 12:41:28.161713220 +0100
+++ openssh-6.8p1/sshconnect2.c 2015-03-18 12:44:05.483317714 +0100
@@ -33,6 +33,8 @@
#include <errno.h>
@ -36,8 +33,8 @@ index b00658b..08064f4 100644
#include <netdb.h>
#include <pwd.h>
#include <signal.h>
@@ -519,21 +521,51 @@ input_userauth_error(int type, u_int32_t seq, void *ctxt)
"type %d", type);
@@ -532,21 +534,51 @@ input_userauth_error(int type, u_int32_t
return 0;
}
+/* Check whether we can display UTF-8 safely */
@ -56,7 +53,7 @@ index b00658b..08064f4 100644
+}
+
/* ARGSUSED */
void
int
input_userauth_banner(int type, u_int32_t seq, void *ctxt)
{
char *msg, *raw, *lang;
@ -90,11 +87,9 @@ index b00658b..08064f4 100644
fprintf(stderr, "%s", msg);
free(msg);
}
diff --git a/stringprep-tables.c b/stringprep-tables.c
new file mode 100644
index 0000000..49f4d9d
--- /dev/null
+++ b/stringprep-tables.c
diff -up openssh-6.8p1/stringprep-tables.c.utf8-banner openssh-6.8p1/stringprep-tables.c
--- openssh-6.8p1/stringprep-tables.c.utf8-banner 2015-03-18 12:41:28.175713185 +0100
+++ openssh-6.8p1/stringprep-tables.c 2015-03-18 12:41:28.175713185 +0100
@@ -0,0 +1,661 @@
+/* Public domain. */
+
@ -757,11 +752,9 @@ index 0000000..49f4d9d
+ { 0xE0020, 0xE007F },
+};
+
diff --git a/utf8_stringprep.c b/utf8_stringprep.c
new file mode 100644
index 0000000..bcafae7
--- /dev/null
+++ b/utf8_stringprep.c
diff -up openssh-6.8p1/utf8_stringprep.c.utf8-banner openssh-6.8p1/utf8_stringprep.c
--- openssh-6.8p1/utf8_stringprep.c.utf8-banner 2015-03-18 12:41:28.175713185 +0100
+++ openssh-6.8p1/utf8_stringprep.c 2015-03-18 12:41:28.175713185 +0100
@@ -0,0 +1,229 @@
+/*
+ * Copyright (c) 2013 Damien Miller <djm@mindrot.org>


@ -1,8 +1,7 @@
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index 961c564..0fcfd7b 100644
--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
diff -up openssh-6.8p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-6.8p1/gss-serv-krb5.c
--- openssh-6.8p1/gss-serv-krb5.c.GSSAPIEnablek5users 2015-03-18 13:04:21.505306818 +0100
+++ openssh-6.8p1/gss-serv-krb5.c 2015-03-18 13:04:21.527306764 +0100
@@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
FILE *fp;
char file[MAXPATHLEN];
char line[BUFSIZ] = "";
@ -10,7 +9,7 @@ index 961c564..0fcfd7b 100644
struct stat st;
struct passwd *pw = the_authctxt->pw;
int found_principal = 0;
@@ -269,7 +268,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
@@ -269,7 +268,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
/* If both .k5login and .k5users DNE, self-login is ok. */
@ -19,19 +18,18 @@ index 961c564..0fcfd7b 100644
return ssh_krb5_kuserok(krb_context, principal, luser,
k5login_exists);
}
diff --git a/servconf.c b/servconf.c
index e4164b1..87a311b 100644
--- a/servconf.c
+++ b/servconf.c
@@ -164,6 +164,7 @@ initialize_server_options(ServerOptions *options)
diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c
--- openssh-6.8p1/servconf.c.GSSAPIEnablek5users 2015-03-18 13:04:21.516306791 +0100
+++ openssh-6.8p1/servconf.c 2015-03-18 13:05:26.846146608 +0100
@@ -168,6 +168,7 @@ initialize_server_options(ServerOptions
options->version_addendum = NULL;
options->fingerprint_hash = -1;
options->use_kuserok = -1;
+ options->enable_k5users = -1;
}
void
@@ -331,6 +332,8 @@ fill_default_server_options(ServerOptions *options)
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -348,6 +349,8 @@ fill_default_server_options(ServerOption
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
if (options->use_kuserok == -1)
options->use_kuserok = 1;
@ -40,16 +38,16 @@ index e4164b1..87a311b 100644
/* Turn privilege separation on by default */
if (use_privsep == -1)
use_privsep = PRIVSEP_NOSANDBOX;
@@ -371,7 +374,7 @@ typedef enum {
@@ -406,7 +409,7 @@ typedef enum {
sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile,
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
- sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+ sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -447,6 +450,7 @@ static struct {
@@ -484,6 +487,7 @@ static struct {
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
@ -57,7 +55,7 @@ index e4164b1..87a311b 100644
#else
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
@@ -454,6 +458,7 @@ static struct {
@@ -491,6 +495,7 @@ static struct {
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
@ -65,7 +63,7 @@ index e4164b1..87a311b 100644
#endif
{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
@@ -1566,6 +1571,10 @@ process_server_config_line(ServerOptions *options, char *line,
@@ -1623,6 +1628,10 @@ process_server_config_line(ServerOptions
intptr = &options->use_kuserok;
goto parse_flag;
@ -76,7 +74,7 @@ index e4164b1..87a311b 100644
case sPermitOpen:
arg = strdelim(&cp);
if (!arg || *arg == '\0')
@@ -1884,6 +1893,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
@@ -1947,6 +1956,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk);
M_CP_INTOPT(use_kuserok);
@ -84,7 +82,7 @@ index e4164b1..87a311b 100644
M_CP_INTOPT(rekey_limit);
M_CP_INTOPT(rekey_interval);
@@ -2143,6 +2153,7 @@ dump_config(ServerOptions *o)
@@ -2207,6 +2217,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
@ -92,11 +90,10 @@ index e4164b1..87a311b 100644
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
diff --git a/servconf.h b/servconf.h
index cf2a505..070a8ed 100644
--- a/servconf.h
+++ b/servconf.h
@@ -175,7 +175,8 @@ typedef struct {
diff -up openssh-6.8p1/servconf.h.GSSAPIEnablek5users openssh-6.8p1/servconf.h
--- openssh-6.8p1/servconf.h.GSSAPIEnablek5users 2015-03-18 13:04:21.506306815 +0100
+++ openssh-6.8p1/servconf.h 2015-03-18 13:04:21.528306762 +0100
@@ -177,7 +177,8 @@ typedef struct {
int num_permitted_opens;
@ -106,10 +103,9 @@ index cf2a505..070a8ed 100644
char *chroot_directory;
char *revoked_keys_file;
char *trusted_user_ca_keys;
diff --git a/sshd_config b/sshd_config
index 0d9454d..e731de1 100644
--- a/sshd_config
+++ b/sshd_config
diff -up openssh-6.8p1/sshd_config.GSSAPIEnablek5users openssh-6.8p1/sshd_config
--- openssh-6.8p1/sshd_config.GSSAPIEnablek5users 2015-03-18 13:04:21.506306815 +0100
+++ openssh-6.8p1/sshd_config 2015-03-18 13:04:21.528306762 +0100
@@ -94,6 +94,7 @@ GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
@ -118,11 +114,10 @@ index 0d9454d..e731de1 100644
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
diff --git a/sshd_config.5 b/sshd_config.5
index eb4dd9e..ce1229b 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -548,6 +548,12 @@ on logout.
diff -up openssh-6.8p1/sshd_config.5.GSSAPIEnablek5users openssh-6.8p1/sshd_config.5
--- openssh-6.8p1/sshd_config.5.GSSAPIEnablek5users 2015-03-18 13:04:21.506306815 +0100
+++ openssh-6.8p1/sshd_config.5 2015-03-18 13:04:21.528306762 +0100
@@ -576,6 +576,12 @@ on logout.
The default is
.Dq yes .
Note that this option applies to protocol version 2 only.


@ -1,7 +1,6 @@
diff --git a/Makefile.in b/Makefile.in
index b225217..bbc3034 100644
--- a/Makefile.in
+++ b/Makefile.in
diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
--- openssh-6.8p1/Makefile.in.ctr-cavs 2015-03-18 11:22:05.493289018 +0100
+++ openssh-6.8p1/Makefile.in 2015-03-18 11:22:44.504196316 +0100
@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
@ -14,12 +13,12 @@ index b225217..bbc3034 100644
MANFMT=@MANFMT@
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
LIBOPENSSH_OBJS=\
ssherr.o \
@@ -190,6 +191,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o
ssh_api.o \
@@ -194,6 +195,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
$(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(SSHLIBS)
@ -29,7 +28,7 @@ index b225217..bbc3034 100644
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -310,6 +314,7 @@ install-files:
@@ -326,6 +330,7 @@ install-files:
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
fi
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
@ -37,11 +36,9 @@ index b225217..bbc3034 100644
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
diff --git a/ctr-cavstest.c b/ctr-cavstest.c
new file mode 100644
index 0000000..bbcbe8a
--- /dev/null
+++ b/ctr-cavstest.c
diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
--- openssh-6.8p1/ctr-cavstest.c.ctr-cavs 2015-03-18 11:22:05.521288952 +0100
+++ openssh-6.8p1/ctr-cavstest.c 2015-03-18 11:22:05.521288952 +0100
@@ -0,0 +1,208 @@
+/*
+ *
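Review bot: The rebased `-TARGETS=… ssh-keycat$(EXEEXT)` line of the Makefile.in hunk is printed as changed although no difference is visible, so the edit is presumably whitespace-only; since that removed line has to match byte-for-byte the `+TARGETS` line the keycat patch installs earlier in the series, any divergence makes this hunk fail to apply and stops the series at ctr-cavs. Confirm both patches were regenerated from the same tree, or dry-run the series in its applied order. Switching the headers from `diff --git` with `index` blob ids to `diff -up` with timestamps also drops the information `git apply --3way` uses, which is worth knowing for future rebases. The ctr-cavstest.c hunk body is cut off by the forge, so its contents are not reviewed here.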



@ -1,8 +1,6 @@
diff --git a/HOWTO.ssh-keycat b/HOWTO.ssh-keycat
new file mode 100644
index 0000000..630ec62
--- /dev/null
+++ b/HOWTO.ssh-keycat
diff -up openssh-6.8p1/HOWTO.ssh-keycat.keycat openssh-6.8p1/HOWTO.ssh-keycat
--- openssh-6.8p1/HOWTO.ssh-keycat.keycat 2015-03-18 11:13:43.063482958 +0100
+++ openssh-6.8p1/HOWTO.ssh-keycat 2015-03-18 11:13:43.063482958 +0100
@@ -0,0 +1,12 @@
+The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
+of an user in any environment. This includes environments with
@ -16,10 +14,9 @@ index 0000000..630ec62
+ PubkeyAuthentication yes
+
+
diff --git a/Makefile.in b/Makefile.in
index f02aa1e..b225217 100644
--- a/Makefile.in
+++ b/Makefile.in
diff -up openssh-6.8p1/Makefile.in.keycat openssh-6.8p1/Makefile.in
--- openssh-6.8p1/Makefile.in.keycat 2015-03-18 11:13:43.061482963 +0100
+++ openssh-6.8p1/Makefile.in 2015-03-18 11:14:22.480389291 +0100
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
@ -33,13 +30,13 @@ index f02aa1e..b225217 100644
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
LIBOPENSSH_OBJS=\
ssherr.o \
@@ -186,6 +187,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11
ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh_api.o \
@@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
+ $(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(SSHLIBS)
@ -47,7 +44,7 @@ index f02aa1e..b225217 100644
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -305,6 +309,7 @@ install-files:
@@ -321,6 +325,7 @@ install-files:
$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
fi
@ -55,11 +52,10 @@ index f02aa1e..b225217 100644
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 12f5afd..269e642 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -602,6 +602,14 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
diff -up openssh-6.8p1/auth2-pubkey.c.keycat openssh-6.8p1/auth2-pubkey.c
--- openssh-6.8p1/auth2-pubkey.c.keycat 2015-03-18 11:13:43.053482982 +0100
+++ openssh-6.8p1/auth2-pubkey.c 2015-03-18 11:13:43.063482958 +0100
@@ -623,6 +623,14 @@ user_key_command_allowed2(struct passwd
_exit(1);
}
@ -74,10 +70,9 @@ index 12f5afd..269e642 100644
execl(options.authorized_keys_command,
options.authorized_keys_command, user_pw->pw_name, NULL);
diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
index 265bd3a..8f32464 100644
--- a/openbsd-compat/port-linux-sshd.c
+++ b/openbsd-compat/port-linux-sshd.c
diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.keycat openssh-6.8p1/openbsd-compat/port-linux-sshd.c
--- openssh-6.8p1/openbsd-compat/port-linux-sshd.c.keycat 2015-03-18 11:13:43.057482972 +0100
+++ openssh-6.8p1/openbsd-compat/port-linux-sshd.c 2015-03-18 11:13:43.063482958 +0100
@@ -54,6 +54,20 @@ extern Authctxt *the_authctxt;
extern int inetd_flag;
extern int rexeced_flag;
@ -153,7 +148,7 @@ index 265bd3a..8f32464 100644
/* Set the execution context to the default for the specified user */
void
sshd_selinux_setup_exec_context(char *pwname)
@@ -344,7 +376,7 @@ sshd_selinux_setup_exec_context(char *pwname)
@@ -344,7 +376,7 @@ sshd_selinux_setup_exec_context(char *pw
int r = 0;
security_context_t default_ctx = NULL;
@ -171,11 +166,10 @@ index 265bd3a..8f32464 100644
return;
if (getexeccon((security_context_t *)&ctx) != 0) {
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
index b18893c..cb51f99 100644
--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
@@ -25,8 +25,10 @@ void ssh_selinux_setup_pty(char *, const char *);
diff -up openssh-6.8p1/openbsd-compat/port-linux.h.keycat openssh-6.8p1/openbsd-compat/port-linux.h
--- openssh-6.8p1/openbsd-compat/port-linux.h.keycat 2015-03-18 11:13:43.057482972 +0100
+++ openssh-6.8p1/openbsd-compat/port-linux.h 2015-03-18 11:13:43.063482958 +0100
@@ -25,8 +25,10 @@ void ssh_selinux_setup_pty(char *, const
void ssh_selinux_change_context(const char *);
void ssh_selinux_setfscreatecon(const char *);
@ -186,11 +180,10 @@ index b18893c..cb51f99 100644
#endif
#ifdef LINUX_OOM_ADJUST
diff --git a/platform.c b/platform.c
index 84c47fa..6d876cb 100644
--- a/platform.c
+++ b/platform.c
@@ -103,7 +103,7 @@ platform_setusercontext(struct passwd *pw)
diff -up openssh-6.8p1/platform.c.keycat openssh-6.8p1/platform.c
--- openssh-6.8p1/platform.c.keycat 2015-03-18 11:13:43.055482977 +0100
+++ openssh-6.8p1/platform.c 2015-03-18 11:13:43.063482958 +0100
@@ -103,7 +103,7 @@ platform_setusercontext(struct passwd *p
{
#ifdef WITH_SELINUX
/* Cache selinux status for later use */
@ -199,11 +192,9 @@ index 84c47fa..6d876cb 100644
#endif
#ifdef USE_SOLARIS_PROJECTS
diff --git a/ssh-keycat.c b/ssh-keycat.c
new file mode 100644
index 0000000..f8ed7af
--- /dev/null
+++ b/ssh-keycat.c
diff -up openssh-6.8p1/ssh-keycat.c.keycat openssh-6.8p1/ssh-keycat.c
--- openssh-6.8p1/ssh-keycat.c.keycat 2015-03-18 11:13:43.064482956 +0100
+++ openssh-6.8p1/ssh-keycat.c 2015-03-18 11:13:43.064482956 +0100
@@ -0,0 +1,238 @@
+/*
+ * Redistribution and use in source and binary forms, with or without
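Review bot: The ssh-keycat link rule is carried over unchanged (`ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o` / `$(LD) -o $@ ssh-keycat.o bufaux.o …`), while the refreshed context right above it shows the sibling ssh-ldap-helper rule now needing `sshbuf-getput-basic.o ssherr.o` for 6.8p1; if ssh-keycat.c uses the same buffer helpers, its link will break the same way, so please confirm the rebased tree links ssh-keycat or add the same objects to its rule. The `+TARGETS=… ssh-keycat$(EXEEXT)` line is printed as changed with no visible difference (presumably whitespace) and must stay identical to the corresponding removed line in the ctr-cavs patch that follows it in the series. The added lines of the `user_key_command_allowed2` hunk in auth2-pubkey.c are hidden behind the collapsed outer hunk, so the changed code around the `execl(options.authorized_keys_command, …)` call is not reviewed here.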


@ -1,7 +1,6 @@
diff --git a/auth-krb5.c b/auth-krb5.c
index 0089b18..8480261 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
diff -up openssh-6.8p1/auth-krb5.c.kuserok openssh-6.8p1/auth-krb5.c
--- openssh-6.8p1/auth-krb5.c.kuserok 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/auth-krb5.c 2015-03-18 12:37:14.349351304 +0100
@@ -55,6 +55,21 @@
extern ServerOptions options;
@ -24,7 +23,7 @@ index 0089b18..8480261 100644
static int
krb5_init(void *context)
{
@@ -158,8 +173,9 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
@@ -158,8 +173,9 @@ auth_krb5_password(Authctxt *authctxt, c
if (problem)
goto out;
@ -36,11 +35,10 @@ index 0089b18..8480261 100644
problem = -1;
goto out;
}
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index 54dd383..961c564 100644
--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_principal, const char *, const char *,
diff -up openssh-6.8p1/gss-serv-krb5.c.kuserok openssh-6.8p1/gss-serv-krb5.c
--- openssh-6.8p1/gss-serv-krb5.c.kuserok 2015-03-18 12:37:14.346351312 +0100
+++ openssh-6.8p1/gss-serv-krb5.c 2015-03-18 12:37:14.349351304 +0100
@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
int);
static krb5_context krb_context = NULL;
@ -152,7 +150,7 @@ index 54dd383..961c564 100644
static int
ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
{
@@ -116,7 +214,8 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
@@ -116,7 +214,8 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
/* NOTE: .k5login and .k5users must opened as root, not the user,
* because if they are on a krb5-protected filesystem, user credentials
* to access these files aren't available yet. */
@ -162,7 +160,7 @@ index 54dd383..961c564 100644
retval = 1;
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
name, (char *)client->displayname.value);
@@ -171,9 +270,8 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
@@ -171,9 +270,8 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
/* If both .k5login and .k5users DNE, self-login is ok. */
if (!k5login_exists && (access(file, F_OK) == -1)) {
@ -174,19 +172,18 @@ index 54dd383..961c564 100644
}
if ((fp = fopen(file, "r")) == NULL) {
int saved_errno = errno;
diff --git a/servconf.c b/servconf.c
index 179c20d..d17ed04 100644
--- a/servconf.c
+++ b/servconf.c
@@ -163,6 +163,7 @@ initialize_server_options(ServerOptions *options)
diff -up openssh-6.8p1/servconf.c.kuserok openssh-6.8p1/servconf.c
--- openssh-6.8p1/servconf.c.kuserok 2015-03-18 12:37:14.342351322 +0100
+++ openssh-6.8p1/servconf.c 2015-03-18 12:38:36.133145700 +0100
@@ -167,6 +167,7 @@ initialize_server_options(ServerOptions
options->ip_qos_bulk = -1;
options->version_addendum = NULL;
options->fingerprint_hash = -1;
+ options->use_kuserok = -1;
}
void
@@ -328,6 +329,8 @@ fill_default_server_options(ServerOptions *options)
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
options->fwd_opts.streamlocal_bind_unlink = 0;
if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
@ -195,8 +192,8 @@ index 179c20d..d17ed04 100644
/* Turn privilege separation on by default */
if (use_privsep == -1)
use_privsep = PRIVSEP_NOSANDBOX;
@@ -353,7 +356,7 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel,
@@ -388,7 +391,7 @@ typedef enum {
sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
- sKerberosGetAFSToken,
@ -204,7 +201,7 @@ index 179c20d..d17ed04 100644
sKerberosTgtPassing, sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
@@ -427,11 +430,13 @@ static struct {
@@ -464,11 +467,13 @@ static struct {
#else
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif
@ -218,7 +215,7 @@ index 179c20d..d17ed04 100644
#endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -1557,6 +1562,10 @@ process_server_config_line(ServerOptions *options, char *line,
@@ -1614,6 +1619,10 @@ process_server_config_line(ServerOptions
*activep = value;
break;
@ -229,7 +226,7 @@ index 179c20d..d17ed04 100644
case sPermitOpen:
arg = strdelim(&cp);
if (!arg || *arg == '\0')
@@ -1872,6 +1881,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
@@ -1935,6 +1944,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(max_authtries);
M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk);
@ -237,7 +234,7 @@ index 179c20d..d17ed04 100644
M_CP_INTOPT(rekey_limit);
M_CP_INTOPT(rekey_interval);
@@ -2130,6 +2140,7 @@ dump_config(ServerOptions *o)
@@ -2194,6 +2204,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
@ -245,11 +242,10 @@ index 179c20d..d17ed04 100644
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
diff --git a/servconf.h b/servconf.h
index 397698b..cf2a505 100644
--- a/servconf.h
+++ b/servconf.h
@@ -175,6 +175,7 @@ typedef struct {
diff -up openssh-6.8p1/servconf.h.kuserok openssh-6.8p1/servconf.h
--- openssh-6.8p1/servconf.h.kuserok 2015-03-18 12:37:14.342351322 +0100
+++ openssh-6.8p1/servconf.h 2015-03-18 12:37:14.350351302 +0100
@@ -177,6 +177,7 @@ typedef struct {
int num_permitted_opens;
@ -257,10 +253,9 @@ index 397698b..cf2a505 100644
char *chroot_directory;
char *revoked_keys_file;
char *trusted_user_ca_keys;
diff --git a/sshd_config b/sshd_config
index f4796fc..0d9454d 100644
--- a/sshd_config
+++ b/sshd_config
diff -up openssh-6.8p1/sshd_config.kuserok openssh-6.8p1/sshd_config
--- openssh-6.8p1/sshd_config.kuserok 2015-03-18 12:37:14.344351317 +0100
+++ openssh-6.8p1/sshd_config 2015-03-18 12:37:14.350351302 +0100
@@ -87,6 +87,7 @@ ChallengeResponseAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
@ -269,11 +264,10 @@ index f4796fc..0d9454d 100644
# GSSAPI options
GSSAPIAuthentication yes
diff --git a/sshd_config.5 b/sshd_config.5
index 8ad79d9..eb4dd9e 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -740,6 +740,10 @@ Specifies whether to automatically destroy the user's ticket cache
diff -up openssh-6.8p1/sshd_config.5.kuserok openssh-6.8p1/sshd_config.5
--- openssh-6.8p1/sshd_config.5.kuserok 2015-03-18 12:37:14.343351319 +0100
+++ openssh-6.8p1/sshd_config.5 2015-03-18 12:39:23.373026939 +0100
@@ -779,6 +779,10 @@ Specifies whether to automatically destr
file on logout.
The default is
.Dq yes .
@ -284,8 +278,8 @@ index 8ad79d9..eb4dd9e 100644
.It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
@@ -961,6 +965,7 @@ Available keywords are
.Cm HostbasedUsesNameFromPacketOnly ,
@@ -1017,6 +1021,7 @@ Available keywords are
.Cm IPQoS ,
.Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication ,
+.Cm KerberosUseKuserok ,
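Review bot: sshd_config.5 now lists `KerberosUseKuserok` among the keywords available in a Match block, so the servconf.c side has to agree with that documentation: the keyword-table entry (hidden here between the `kerberosgetafstoken` rows) should carry `SSHCFG_ALL`, and the `copy_set_server_options` hunk should contain `M_CP_INTOPT(use_kuserok);` next to the other `M_CP_INTOPT` lines; otherwise a Match-scoped value is either rejected by the parser or never reaches the post-authentication options. Both of those lines sit behind the collapsed outer hunks, so this is a request to confirm rather than a defect traceable to visible lines. The `options->use_kuserok = -1;` initializer is visible, but the matching default in `fill_default_server_options` is not, so confirm the default is set there as well.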


@ -1,7 +1,6 @@
diff --git a/auth-pam.c b/auth-pam.c
index d789bad..cd1a775 100644
--- a/auth-pam.c
+++ b/auth-pam.c
diff -up openssh-6.8p1/auth-pam.c.role-mls openssh-6.8p1/auth-pam.c
--- openssh-6.8p1/auth-pam.c.role-mls 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/auth-pam.c 2015-03-18 11:04:21.045817122 +0100
@@ -1068,7 +1068,7 @@ is_pam_session_open(void)
* during the ssh authentication process.
*/
@ -11,10 +10,9 @@ index d789bad..cd1a775 100644
{
int ret = 1;
#ifdef HAVE_PAM_PUTENV
diff --git a/auth-pam.h b/auth-pam.h
index a1a2b52..b109a5a 100644
--- a/auth-pam.h
+++ b/auth-pam.h
diff -up openssh-6.8p1/auth-pam.h.role-mls openssh-6.8p1/auth-pam.h
--- openssh-6.8p1/auth-pam.h.role-mls 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/auth-pam.h 2015-03-18 11:04:21.045817122 +0100
@@ -38,7 +38,7 @@ void do_pam_session(void);
void do_pam_set_tty(const char *);
void do_pam_setcred(int );
@ -24,11 +22,10 @@ index a1a2b52..b109a5a 100644
char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void);
void free_pam_environment(char **);
diff --git a/auth.h b/auth.h
index d081c94..847cffd 100644
--- a/auth.h
+++ b/auth.h
@@ -59,6 +59,9 @@ struct Authctxt {
diff -up openssh-6.8p1/auth.h.role-mls openssh-6.8p1/auth.h
--- openssh-6.8p1/auth.h.role-mls 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/auth.h 2015-03-18 11:04:21.045817122 +0100
@@ -62,6 +62,9 @@ struct Authctxt {
char *service;
struct passwd *pw; /* set if 'valid' */
char *style;
@ -38,11 +35,10 @@ index d081c94..847cffd 100644
void *kbdintctxt;
char *info; /* Extra info for next auth_log */
#ifdef BSD_AUTH
diff --git a/auth1.c b/auth1.c
index 5038828..f0a98d2 100644
--- a/auth1.c
+++ b/auth1.c
@@ -382,6 +382,9 @@ do_authentication(Authctxt *authctxt)
diff -up openssh-6.8p1/auth1.c.role-mls openssh-6.8p1/auth1.c
--- openssh-6.8p1/auth1.c.role-mls 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/auth1.c 2015-03-18 11:04:21.046817119 +0100
@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt)
{
u_int ulen;
char *user, *style = NULL;
@ -52,7 +48,7 @@ index 5038828..f0a98d2 100644
/* Get the name of the user that we wish to log in as. */
packet_read_expect(SSH_CMSG_USER);
@@ -390,11 +393,24 @@ do_authentication(Authctxt *authctxt)
@@ -392,11 +395,24 @@ do_authentication(Authctxt *authctxt)
user = packet_get_cstring(&ulen);
packet_check_eom();
@ -77,11 +73,10 @@ index 5038828..f0a98d2 100644
/* Verify that the user is a valid user. */
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
diff --git a/auth2-gss.c b/auth2-gss.c
index 447f896..4803e7e 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -252,6 +252,7 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
diff -up openssh-6.8p1/auth2-gss.c.role-mls openssh-6.8p1/auth2-gss.c
--- openssh-6.8p1/auth2-gss.c.role-mls 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/auth2-gss.c 2015-03-18 11:04:21.046817119 +0100
@@ -255,6 +255,7 @@ input_gssapi_mic(int type, u_int32_t ple
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
int authenticated = 0;
@ -89,7 +84,7 @@ index 447f896..4803e7e 100644
Buffer b;
gss_buffer_desc mic, gssbuf;
u_int len;
@@ -264,7 +265,13 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
@@ -267,7 +268,13 @@ input_gssapi_mic(int type, u_int32_t ple
mic.value = packet_get_string(&len);
mic.length = len;
@ -104,7 +99,7 @@ index 447f896..4803e7e 100644
"gssapi-with-mic");
gssbuf.value = buffer_ptr(&b);
@@ -276,6 +283,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
@@ -279,6 +286,8 @@ input_gssapi_mic(int type, u_int32_t ple
logit("GSSAPI MIC check failed");
buffer_free(&b);
@ -113,11 +108,10 @@ index 447f896..4803e7e 100644
free(mic.value);
authctxt->postponed = 0;
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index b7ae353..41f1a3f 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -113,7 +113,15 @@ userauth_hostbased(Authctxt *authctxt)
diff -up openssh-6.8p1/auth2-hostbased.c.role-mls openssh-6.8p1/auth2-hostbased.c
--- openssh-6.8p1/auth2-hostbased.c.role-mls 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/auth2-hostbased.c 2015-03-18 11:04:21.046817119 +0100
@@ -122,7 +122,15 @@ userauth_hostbased(Authctxt *authctxt)
buffer_put_string(&b, session_id2, session_id2_len);
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
@ -134,11 +128,10 @@ index b7ae353..41f1a3f 100644
buffer_put_cstring(&b, service);
buffer_put_cstring(&b, "hostbased");
buffer_put_string(&b, pkalg, alen);
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 3f4f789..12f5afd 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -133,9 +133,11 @@ userauth_pubkey(Authctxt *authctxt)
diff -up openssh-6.8p1/auth2-pubkey.c.role-mls openssh-6.8p1/auth2-pubkey.c
--- openssh-6.8p1/auth2-pubkey.c.role-mls 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/auth2-pubkey.c 2015-03-18 11:04:21.046817119 +0100
@@ -145,9 +145,11 @@ userauth_pubkey(Authctxt *authctxt)
}
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
@ -152,11 +145,10 @@ index 3f4f789..12f5afd 100644
buffer_put_cstring(&b, userstyle);
free(userstyle);
buffer_put_cstring(&b,
diff --git a/auth2.c b/auth2.c
index d9b440a..d6fbc93 100644
--- a/auth2.c
+++ b/auth2.c
@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
diff -up openssh-6.8p1/auth2.c.role-mls openssh-6.8p1/auth2.c
--- openssh-6.8p1/auth2.c.role-mls 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/auth2.c 2015-03-18 11:04:21.046817119 +0100
@@ -215,6 +215,9 @@ input_userauth_request(int type, u_int32
Authctxt *authctxt = ctxt;
Authmethod *m = NULL;
char *user, *service, *method, *style = NULL;
@ -166,7 +158,7 @@ index d9b440a..d6fbc93 100644
int authenticated = 0;
if (authctxt == NULL)
@@ -227,6 +230,11 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
@@ -226,6 +229,11 @@ input_userauth_request(int type, u_int32
debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
@ -178,7 +170,7 @@ index d9b440a..d6fbc93 100644
if ((style = strchr(user, ':')) != NULL)
*style++ = 0;
@@ -252,8 +260,15 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
@@ -251,8 +259,15 @@ input_userauth_request(int type, u_int32
use_privsep ? " [net]" : "");
authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL;
@ -195,10 +187,9 @@ index d9b440a..d6fbc93 100644
userauth_banner();
if (auth2_setup_methods_lists(authctxt) != 0)
packet_disconnect("no authentication methods enabled");
diff --git a/misc.c b/misc.c
index 94b05b0..651c21b 100644
--- a/misc.c
+++ b/misc.c
diff -up openssh-6.8p1/misc.c.role-mls openssh-6.8p1/misc.c
--- openssh-6.8p1/misc.c.role-mls 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/misc.c 2015-03-18 11:04:21.046817119 +0100
@@ -431,6 +431,7 @@ char *
colon(char *cp)
{
@ -221,11 +212,10 @@ index 94b05b0..651c21b 100644
}
return NULL;
}
diff --git a/monitor.c b/monitor.c
index dbe29f1..d3f87e1 100644
--- a/monitor.c
+++ b/monitor.c
@@ -148,6 +148,9 @@ int mm_answer_sign(int, Buffer *);
diff -up openssh-6.8p1/monitor.c.role-mls openssh-6.8p1/monitor.c
--- openssh-6.8p1/monitor.c.role-mls 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/monitor.c 2015-03-18 11:04:21.047817117 +0100
@@ -127,6 +127,9 @@ int mm_answer_sign(int, Buffer *);
int mm_answer_pwnamallow(int, Buffer *);
int mm_answer_auth2_read_banner(int, Buffer *);
int mm_answer_authserv(int, Buffer *);
@ -235,7 +225,7 @@ index dbe29f1..d3f87e1 100644
int mm_answer_authpassword(int, Buffer *);
int mm_answer_bsdauthquery(int, Buffer *);
int mm_answer_bsdauthrespond(int, Buffer *);
@@ -227,6 +230,9 @@ struct mon_table mon_dispatch_proto20[] = {
@@ -206,6 +209,9 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@ -245,7 +235,7 @@ index dbe29f1..d3f87e1 100644
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
@@ -824,6 +830,9 @@ mm_answer_pwnamallow(int sock, Buffer *m)
@@ -862,6 +868,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
else {
/* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@ -255,7 +245,7 @@ index dbe29f1..d3f87e1 100644
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
}
#ifdef USE_PAM
@@ -865,6 +874,25 @@ mm_answer_authserv(int sock, Buffer *m)
@@ -903,6 +912,25 @@ mm_answer_authserv(int sock, Buffer *m)
return (0);
}
@ -281,7 +271,7 @@ index dbe29f1..d3f87e1 100644
int
mm_answer_authpassword(int sock, Buffer *m)
{
@@ -1241,7 +1269,7 @@ static int
@@ -1291,7 +1319,7 @@ static int
monitor_valid_userblob(u_char *data, u_int datalen)
{
Buffer b;
@ -290,7 +280,7 @@ index dbe29f1..d3f87e1 100644
u_int len;
int fail = 0;
@@ -1267,6 +1295,8 @@ monitor_valid_userblob(u_char *data, u_int datalen)
@@ -1317,6 +1345,8 @@ monitor_valid_userblob(u_char *data, u_i
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
p = buffer_get_cstring(&b, NULL);
@ -299,7 +289,7 @@ index dbe29f1..d3f87e1 100644
xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "",
authctxt->style ? authctxt->style : "");
@@ -1302,7 +1332,7 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
@@ -1352,7 +1382,7 @@ monitor_valid_hostbasedblob(u_char *data
char *chost)
{
Buffer b;
@ -308,7 +298,7 @@ index dbe29f1..d3f87e1 100644
u_int len;
int fail = 0;
@@ -1319,6 +1349,8 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
@@ -1369,6 +1399,8 @@ monitor_valid_hostbasedblob(u_char *data
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
p = buffer_get_cstring(&b, NULL);
@ -317,10 +307,9 @@ index dbe29f1..d3f87e1 100644
xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "",
authctxt->style ? authctxt->style : "");
diff --git a/monitor.h b/monitor.h
index 5bc41b5..20e2b4a 100644
--- a/monitor.h
+++ b/monitor.h
diff -up openssh-6.8p1/monitor.h.role-mls openssh-6.8p1/monitor.h
--- openssh-6.8p1/monitor.h.role-mls 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/monitor.h 2015-03-18 11:04:21.047817117 +0100
@@ -57,6 +57,10 @@ enum monitor_reqtype {
MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
MONITOR_REQ_TERM = 50,
@ -332,11 +321,10 @@ index 5bc41b5..20e2b4a 100644
MONITOR_REQ_PAM_START = 100,
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 45dc169..82f114c 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -342,6 +342,25 @@ mm_inform_authserv(char *service, char *style)
diff -up openssh-6.8p1/monitor_wrap.c.role-mls openssh-6.8p1/monitor_wrap.c
--- openssh-6.8p1/monitor_wrap.c.role-mls 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/monitor_wrap.c 2015-03-18 11:04:21.047817117 +0100
@@ -347,6 +347,25 @@ mm_inform_authserv(char *service, char *
buffer_free(&m);
}
@ -362,13 +350,12 @@ index 45dc169..82f114c 100644
/* Do the password authentication */
int
mm_auth_password(Authctxt *authctxt, char *password)
diff --git a/monitor_wrap.h b/monitor_wrap.h
index 18c2501..9d5e5ba 100644
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
diff -up openssh-6.8p1/monitor_wrap.h.role-mls openssh-6.8p1/monitor_wrap.h
--- openssh-6.8p1/monitor_wrap.h.role-mls 2015-03-18 11:04:21.047817117 +0100
+++ openssh-6.8p1/monitor_wrap.h 2015-03-18 11:10:32.343936171 +0100
@@ -42,6 +42,9 @@ int mm_is_monitor(void);
DH *mm_choose_dh(int, int, int);
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int);
void mm_inform_authserv(char *, char *);
+#ifdef WITH_SELINUX
+void mm_inform_authrole(char *);
@ -376,11 +363,10 @@ index 18c2501..9d5e5ba 100644
struct passwd *mm_getpwnamallow(const char *);
char *mm_auth2_read_banner(void);
int mm_auth_password(struct Authctxt *, char *);
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
index ab1a3e3..843225d 100644
--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di
diff -up openssh-6.8p1/openbsd-compat/Makefile.in.role-mls openssh-6.8p1/openbsd-compat/Makefile.in
--- openssh-6.8p1/openbsd-compat/Makefile.in.role-mls 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/openbsd-compat/Makefile.in 2015-03-18 11:04:21.047817117 +0100
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
@ -389,11 +375,9 @@ index ab1a3e3..843225d 100644
.c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
new file mode 100644
index 0000000..6310717
--- /dev/null
+++ b/openbsd-compat/port-linux-sshd.c
diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-6.8p1/openbsd-compat/port-linux-sshd.c
--- openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls 2015-03-18 11:04:21.048817114 +0100
+++ openssh-6.8p1/openbsd-compat/port-linux-sshd.c 2015-03-18 11:04:21.048817114 +0100
@@ -0,0 +1,415 @@
+/*
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
@ -810,10 +794,9 @@ index 0000000..6310717
+#endif
+#endif
+
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index 4637a7a..22ea8ef 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
diff -up openssh-6.8p1/openbsd-compat/port-linux.c.role-mls openssh-6.8p1/openbsd-compat/port-linux.c
--- openssh-6.8p1/openbsd-compat/port-linux.c.role-mls 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/openbsd-compat/port-linux.c 2015-03-18 11:04:21.048817114 +0100
@@ -103,37 +103,6 @@ ssh_selinux_getctxbyname(char *pwname)
return sc;
}
@ -852,10 +835,9 @@ index 4637a7a..22ea8ef 100644
/* Set the TTY context for the specified user */
void
ssh_selinux_setup_pty(char *pwname, const char *tty)
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
index e3d1004..8ef6cc4 100644
--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
diff -up openssh-6.8p1/openbsd-compat/port-linux.h.role-mls openssh-6.8p1/openbsd-compat/port-linux.h
--- openssh-6.8p1/openbsd-compat/port-linux.h.role-mls 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/openbsd-compat/port-linux.h 2015-03-18 11:04:21.048817114 +0100
@@ -22,9 +22,10 @@
#ifdef WITH_SELINUX
int ssh_selinux_enabled(void);
@ -868,11 +850,10 @@ index e3d1004..8ef6cc4 100644
#endif
#ifdef LINUX_OOM_ADJUST
diff --git a/platform.c b/platform.c
index ee313da..84c47fa 100644
--- a/platform.c
+++ b/platform.c
@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
diff -up openssh-6.8p1/platform.c.role-mls openssh-6.8p1/platform.c
--- openssh-6.8p1/platform.c.role-mls 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/platform.c 2015-03-18 11:04:21.048817114 +0100
@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(stru
}
#endif /* HAVE_SETPCRED */
#ifdef WITH_SELINUX
@ -881,11 +862,10 @@ index ee313da..84c47fa 100644
#endif
}
diff --git a/sshd.c b/sshd.c
index 481d001..41b317b 100644
--- a/sshd.c
+++ b/sshd.c
@@ -2144,6 +2144,9 @@ main(int ac, char **av)
diff -up openssh-6.8p1/sshd.c.role-mls openssh-6.8p1/sshd.c
--- openssh-6.8p1/sshd.c.role-mls 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/sshd.c 2015-03-18 11:04:21.048817114 +0100
@@ -2220,6 +2220,9 @@ main(int ac, char **av)
restore_uid();
}
#endif


@ -1,8 +1,7 @@
diff --git a/canohost.c b/canohost.c
index 97ce58c..1f9320a 100644
--- a/canohost.c
+++ b/canohost.c
@@ -338,6 +338,21 @@ clear_cached_addr(void)
diff -up openssh-6.8p1/canohost.c.set_remote_ipaddr openssh-6.8p1/canohost.c
--- openssh-6.8p1/canohost.c.set_remote_ipaddr 2015-03-18 12:40:03.702925550 +0100
+++ openssh-6.8p1/canohost.c 2015-03-18 12:40:03.749925432 +0100
@@ -349,6 +349,21 @@ clear_cached_addr(void)
cached_port = -1;
}
@ -24,7 +23,7 @@ index 97ce58c..1f9320a 100644
/*
* Returns the IP-address of the remote host as a string. The returned
* string must not be freed.
@@ -347,17 +362,9 @@ const char *
@@ -358,17 +373,9 @@ const char *
get_remote_ipaddr(void)
{
/* Check whether we have cached the ipaddr. */
@ -45,10 +44,9 @@ index 97ce58c..1f9320a 100644
return canonical_host_ip;
}
diff --git a/canohost.h b/canohost.h
index 4c8636f..4079953 100644
--- a/canohost.h
+++ b/canohost.h
diff -up openssh-6.8p1/canohost.h.set_remote_ipaddr openssh-6.8p1/canohost.h
--- openssh-6.8p1/canohost.h.set_remote_ipaddr 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/canohost.h 2015-03-18 12:40:03.749925432 +0100
@@ -13,6 +13,7 @@
*/
@ -57,19 +55,18 @@ index 4c8636f..4079953 100644
const char *get_remote_ipaddr(void);
const char *get_remote_name_or_ip(u_int, int);
diff --git a/sshconnect.c b/sshconnect.c
index e636f33..451a58b 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -62,6 +62,7 @@
#include "monitor_fdpass.h"
#include "ssh2.h"
diff -up openssh-6.8p1/sshconnect.c.set_remote_ipaddr openssh-6.8p1/sshconnect.c
--- openssh-6.8p1/sshconnect.c.set_remote_ipaddr 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/sshconnect.c 2015-03-18 12:40:58.096788804 +0100
@@ -65,6 +65,7 @@
#include "version.h"
#include "authfile.h"
#include "ssherr.h"
+#include "canohost.h"
char *client_version_string = NULL;
char *server_version_string = NULL;
@@ -170,6 +171,7 @@ ssh_proxy_fdpass_connect(const char *host, u_short port,
@@ -174,6 +175,7 @@ ssh_proxy_fdpass_connect(const char *hos
/* Set the connection file descriptors. */
packet_set_connection(sock, sock);
@ -77,7 +74,7 @@ index e636f33..451a58b 100644
return 0;
}
@@ -492,6 +494,7 @@ ssh_connect_direct(const char *host, struct addrinfo *aitop,
@@ -496,6 +498,7 @@ ssh_connect_direct(const char *host, str
/* Set the connection. */
packet_set_connection(sock, sock);
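Review bot: The rebased patch file still opens directly with the `diff -up openssh-6.8p1/canohost.c.set_remote_ipaddr ...` header and carries no preamble explaining the change — the hunk header `@@ -358,17 +373,9 @@ get_remote_ipaddr(void)` shows that function's body shrinking from 17 to 9 lines, apparently replacing a live lookup with a value cached by the new `set_remote_ipaddr`, yet neither the rationale nor the bug it fixes is recorded anywhere in the file. Moving from `diff --git a/canohost.c b/canohost.c` plus `index 97ce58c..1f9320a` to `diff -up` with local mtimes also discards the blob hashes, so the upstream base the patch was generated against can no longer be checked from the patch itself. A short header above the first `diff -up` line would cover both, e.g. `Record the remote address right after packet_set_connection() in sshconnect.c (presumably via the new set_remote_ipaddr()) and have get_remote_ipaddr() return the cached value; rebased onto openssh-6.8p1, fixes <bug/commit reference>.` The bodies of `set_remote_ipaddr`, `get_remote_ipaddr` and the sshconnect.c callers `ssh_proxy_fdpass_connect`/`ssh_connect_direct` extend beyond what this rendered section shows, so the added call lines themselves could not be reviewed here.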



@ -1,8 +1,7 @@
diff --git a/auth-pam.c b/auth-pam.c
index cd1a775..2fff267 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void **value)
diff -up openssh-6.8p1/auth-pam.c.coverity openssh-6.8p1/auth-pam.c
--- openssh-6.8p1/auth-pam.c.coverity 2015-03-18 17:21:51.792265051 +0100
+++ openssh-6.8p1/auth-pam.c 2015-03-18 17:21:51.895264835 +0100
@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void *
if (sshpam_thread_status != -1)
return (sshpam_thread_status);
signal(SIGCHLD, sshpam_oldsig);
@ -16,11 +15,10 @@ index cd1a775..2fff267 100644
return (status);
}
#endif
diff --git a/channels.c b/channels.c
index 51a221d..0ef1d90 100644
--- a/channels.c
+++ b/channels.c
@@ -239,11 +239,11 @@ channel_register_fds(Channel *c, int rfd, int wfd, int efd,
diff -up openssh-6.8p1/channels.c.coverity openssh-6.8p1/channels.c
--- openssh-6.8p1/channels.c.coverity 2015-03-18 17:21:51.815265002 +0100
+++ openssh-6.8p1/channels.c 2015-03-18 17:21:51.896264833 +0100
@@ -243,11 +243,11 @@ channel_register_fds(Channel *c, int rfd
channel_max_fd = MAX(channel_max_fd, wfd);
channel_max_fd = MAX(channel_max_fd, efd);
@ -35,7 +33,7 @@ index 51a221d..0ef1d90 100644
fcntl(efd, F_SETFD, FD_CLOEXEC);
c->rfd = rfd;
@@ -261,11 +261,11 @@ channel_register_fds(Channel *c, int rfd, int wfd, int efd,
@@ -265,11 +265,11 @@ channel_register_fds(Channel *c, int rfd
/* enable nonblocking mode */
if (nonblock) {
@ -50,7 +48,7 @@ index 51a221d..0ef1d90 100644
set_nonblock(efd);
}
}
@@ -3959,13 +3959,13 @@ connect_local_xsocket_path(const char *pathname, int len)
@@ -3972,13 +3972,13 @@ connect_local_xsocket_path(const char *p
int sock;
struct sockaddr_un addr;
@ -66,35 +64,10 @@ index 51a221d..0ef1d90 100644
if (len > sizeof addr.sun_path)
len = sizeof addr.sun_path;
memcpy(addr.sun_path, pathname, len);
diff --git a/clientloop.c b/clientloop.c
index 20ce0b5..65cb26a 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -2090,15 +2090,16 @@ client_input_global_request(int type, u_int32_t seq, void *ctxt)
{
char *rtype;
int want_reply;
- int success = 0;
+/* int success = 0;
+ success is still 0 the packet is allways SSH2_MSG_REQUEST_FAILURE, isn't it? */
rtype = packet_get_string(NULL);
want_reply = packet_get_char();
debug("client_input_global_request: rtype %s want_reply %d",
rtype, want_reply);
if (want_reply) {
- packet_start(success ?
- SSH2_MSG_REQUEST_SUCCESS : SSH2_MSG_REQUEST_FAILURE);
+ packet_start(/*success ?
+ SSH2_MSG_REQUEST_SUCCESS :*/ SSH2_MSG_REQUEST_FAILURE);
packet_send();
packet_write_wait();
}
diff --git a/entropy.c b/entropy.c
index 06b0095..a4097da 100644
--- a/entropy.c
+++ b/entropy.c
@@ -44,6 +44,7 @@
diff -up openssh-6.8p1/entropy.c.coverity openssh-6.8p1/entropy.c
--- openssh-6.8p1/entropy.c.coverity 2015-03-18 17:21:51.891264843 +0100
+++ openssh-6.8p1/entropy.c 2015-03-18 17:21:51.897264831 +0100
@@ -46,6 +46,7 @@
#include <openssl/err.h>
#include "openbsd-compat/openssl-compat.h"
@ -102,11 +75,10 @@ index 06b0095..a4097da 100644
#include "ssh.h"
#include "misc.h"
diff --git a/monitor.c b/monitor.c
index 07fa655..b8e6e06 100644
--- a/monitor.c
+++ b/monitor.c
@@ -488,7 +488,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
diff -up openssh-6.8p1/monitor.c.coverity openssh-6.8p1/monitor.c
--- openssh-6.8p1/monitor.c.coverity 2015-03-18 17:21:51.887264852 +0100
+++ openssh-6.8p1/monitor.c 2015-03-18 17:21:51.897264831 +0100
@@ -444,7 +444,7 @@ monitor_child_preauth(Authctxt *_authctx
mm_get_keystate(pmonitor);
/* Drain any buffered messages from the child */
@ -115,7 +87,7 @@ index 07fa655..b8e6e06 100644
;
close(pmonitor->m_sendfd);
@@ -1276,6 +1276,10 @@ mm_answer_keyallowed(int sock, Buffer *m)
@@ -1303,6 +1303,10 @@ mm_answer_keyallowed(int sock, Buffer *m
break;
}
}
@ -126,7 +98,7 @@ index 07fa655..b8e6e06 100644
if (key != NULL)
key_free(key);
@@ -1297,9 +1301,6 @@ mm_answer_keyallowed(int sock, Buffer *m)
@@ -1324,9 +1328,6 @@ mm_answer_keyallowed(int sock, Buffer *m
free(chost);
}
@ -136,11 +108,10 @@ index 07fa655..b8e6e06 100644
buffer_clear(m);
buffer_put_int(m, allowed);
buffer_put_int(m, forced_command != NULL);
diff --git a/monitor_wrap.c b/monitor_wrap.c
index ba4ecd7..b3e4ca1 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -749,10 +749,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen)
diff -up openssh-6.8p1/monitor_wrap.c.coverity openssh-6.8p1/monitor_wrap.c
--- openssh-6.8p1/monitor_wrap.c.coverity 2015-03-18 17:21:51.888264849 +0100
+++ openssh-6.8p1/monitor_wrap.c 2015-03-18 17:21:51.897264831 +0100
@@ -533,10 +533,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) {
error("%s: cannot allocate fds for pty", __func__);
@ -154,11 +125,10 @@ index ba4ecd7..b3e4ca1 100644
return 0;
}
close(tmp1);
diff --git a/openbsd-compat/bindresvport.c b/openbsd-compat/bindresvport.c
index c89f214..80115c2 100644
--- a/openbsd-compat/bindresvport.c
+++ b/openbsd-compat/bindresvport.c
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr *sa)
diff -up openssh-6.8p1/openbsd-compat/bindresvport.c.coverity openssh-6.8p1/openbsd-compat/bindresvport.c
--- openssh-6.8p1/openbsd-compat/bindresvport.c.coverity 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/openbsd-compat/bindresvport.c 2015-03-18 17:21:51.897264831 +0100
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
struct sockaddr_in6 *in6;
u_int16_t *portp;
u_int16_t port;
@ -167,10 +137,9 @@ index c89f214..80115c2 100644
int i;
if (sa == NULL) {
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
index 8b7cda2..e2ca8a1 100644
--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
diff -up openssh-6.8p1/openbsd-compat/port-linux.h.coverity openssh-6.8p1/openbsd-compat/port-linux.h
--- openssh-6.8p1/openbsd-compat/port-linux.h.coverity 2015-03-18 17:21:51.861264906 +0100
+++ openssh-6.8p1/openbsd-compat/port-linux.h 2015-03-18 17:21:51.897264831 +0100
@@ -37,4 +37,6 @@ void oom_adjust_restore(void);
void oom_adjust_setup(void);
#endif
@ -178,23 +147,10 @@ index 8b7cda2..e2ca8a1 100644
+void linux_seed(void);
+
#endif /* ! _PORT_LINUX_H */
diff --git a/packet.c b/packet.c
index 8ec353e..dbc2c33 100644
--- a/packet.c
+++ b/packet.c
@@ -1246,6 +1246,7 @@ packet_read_poll1(void)
case DEATTACK_DETECTED:
packet_disconnect("crc32 compensation attack: "
"network attack detected");
+ break;
case DEATTACK_DOS_DETECTED:
packet_disconnect("deattack denial of "
"service detected");
diff --git a/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c b/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
index 8ba6d87..a7808c7 100644
--- a/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
+++ b/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
@@ -87,7 +87,7 @@ pam_user_key_allowed2(struct passwd *pw, Key *key, char *file)
diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c.coverity openssh-6.8p1/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
--- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c.coverity 2015-03-18 17:21:51.788265059 +0100
+++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c 2015-03-18 17:21:51.898264829 +0100
@@ -87,7 +87,7 @@ pam_user_key_allowed2(struct passwd *pw,
found = key_new(key->type);
while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
@ -203,7 +159,7 @@ index 8ba6d87..a7808c7 100644
/* Skip leading whitespace, empty and comment lines. */
for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
@@ -99,7 +99,6 @@ pam_user_key_allowed2(struct passwd *pw, Key *key, char *file)
@@ -99,7 +99,6 @@ pam_user_key_allowed2(struct passwd *pw,
/* no key? check if there are options for this key */
int quoted = 0;
verbose("user_key_allowed: check options: '%s'", cp);
@ -211,10 +167,9 @@ index 8ba6d87..a7808c7 100644
for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
if (*cp == '\\' && cp[1] == '"')
cp++; /* Skip both */
diff --git a/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c b/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c
index e14eb27..323817a 100644
--- a/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c
+++ b/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c
diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.coverity openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c
--- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.coverity 2015-03-18 17:21:51.786265063 +0100
+++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c 2015-03-18 17:21:51.898264829 +0100
@@ -89,8 +89,7 @@ userauth_pubkey_from_id(Identity * id)
authenticated = 1;
@ -225,44 +180,10 @@ index e14eb27..323817a 100644
if(sig != NULL)
free(sig);
if(pkblob != NULL)
diff --git a/progressmeter.c b/progressmeter.c
index bbbc706..ae6d1aa 100644
--- a/progressmeter.c
+++ b/progressmeter.c
@@ -65,7 +65,7 @@ static void update_progress_meter(int);
static time_t start; /* start progress */
static time_t last_update; /* last progress update */
-static char *file; /* name of the file being transferred */
+static const char *file; /* name of the file being transferred */
static off_t start_pos; /* initial position of transfer */
static off_t end_pos; /* ending position of transfer */
static off_t cur_pos; /* transfer position as of last refresh */
@@ -248,7 +248,7 @@ update_progress_meter(int ignore)
}
void
-start_progress_meter(char *f, off_t filesize, off_t *ctr)
+start_progress_meter(const char *f, off_t filesize, off_t *ctr)
{
start = last_update = monotime();
file = f;
diff --git a/progressmeter.h b/progressmeter.h
index 10bab99..e9ca8f0 100644
--- a/progressmeter.h
+++ b/progressmeter.h
@@ -23,5 +23,5 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-void start_progress_meter(char *, off_t, off_t *);
+void start_progress_meter(const char *, off_t, off_t *);
void stop_progress_meter(void);
diff --git a/scp.c b/scp.c
index cbd904d..e4e9fa1 100644
--- a/scp.c
+++ b/scp.c
@@ -155,7 +155,7 @@ killchild(int signo)
diff -up openssh-6.8p1/scp.c.coverity openssh-6.8p1/scp.c
--- openssh-6.8p1/scp.c.coverity 2015-03-18 17:21:51.868264891 +0100
+++ openssh-6.8p1/scp.c 2015-03-18 17:21:58.281251460 +0100
@@ -156,7 +156,7 @@ killchild(int signo)
{
if (do_cmd_pid > 1) {
kill(do_cmd_pid, signo ? signo : SIGTERM);
@ -271,11 +192,10 @@ index cbd904d..e4e9fa1 100644
}
if (signo)
diff --git a/servconf.c b/servconf.c
index 87a311b..895cdca 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1418,7 +1418,7 @@ process_server_config_line(ServerOptions *options, char *line,
diff -up openssh-6.8p1/servconf.c.coverity openssh-6.8p1/servconf.c
--- openssh-6.8p1/servconf.c.coverity 2015-03-18 17:21:51.893264839 +0100
+++ openssh-6.8p1/servconf.c 2015-03-18 17:21:58.281251460 +0100
@@ -1475,7 +1475,7 @@ process_server_config_line(ServerOptions
fatal("%s line %d: Missing subsystem name.",
filename, linenum);
if (!*activep) {
@ -284,7 +204,7 @@ index 87a311b..895cdca 100644
break;
}
for (i = 0; i < options->num_subsystems; i++)
@@ -1509,8 +1509,9 @@ process_server_config_line(ServerOptions *options, char *line,
@@ -1566,8 +1566,9 @@ process_server_config_line(ServerOptions
if (*activep && *charptr == NULL) {
*charptr = tilde_expand_filename(arg, getuid());
/* increase optional counter */
@ -296,10 +216,9 @@ index 87a311b..895cdca 100644
}
break;
diff --git a/serverloop.c b/serverloop.c
index e92f9e2..3cad041 100644
--- a/serverloop.c
+++ b/serverloop.c
diff -up openssh-6.8p1/serverloop.c.coverity openssh-6.8p1/serverloop.c
--- openssh-6.8p1/serverloop.c.coverity 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/serverloop.c 2015-03-18 17:28:45.616436080 +0100
@@ -147,13 +147,13 @@ notify_setup(void)
static void
notify_parent(void)
@ -327,7 +246,7 @@ index e92f9e2..3cad041 100644
debug2("notify_done: reading");
}
@@ -337,7 +337,7 @@ wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
@@ -337,7 +337,7 @@ wait_until_can_do_something(fd_set **rea
* If we have buffered data, try to write some of that data
* to the program.
*/
@ -345,7 +264,7 @@ index e92f9e2..3cad041 100644
data = buffer_ptr(&stdin_buffer);
dlen = buffer_len(&stdin_buffer);
len = write(fdin, data, dlen);
@@ -590,7 +590,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
@@ -590,7 +590,7 @@ server_loop(pid_t pid, int fdin_arg, int
set_nonblock(fdin);
set_nonblock(fdout);
/* we don't have stderr for interactive terminal sessions, see below */
@ -354,7 +273,7 @@ index e92f9e2..3cad041 100644
set_nonblock(fderr);
if (!(datafellows & SSH_BUG_IGNOREMSG) && isatty(fdin))
@@ -614,7 +614,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
@@ -614,7 +614,7 @@ server_loop(pid_t pid, int fdin_arg, int
max_fd = MAX(connection_in, connection_out);
max_fd = MAX(max_fd, fdin);
max_fd = MAX(max_fd, fdout);
@ -363,7 +282,7 @@ index e92f9e2..3cad041 100644
max_fd = MAX(max_fd, fderr);
#endif
@@ -644,7 +644,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
@@ -644,7 +644,7 @@ server_loop(pid_t pid, int fdin_arg, int
* If we have received eof, and there is no more pending
* input data, cause a real eof by closing fdin.
*/
@ -372,7 +291,7 @@ index e92f9e2..3cad041 100644
if (fdin != fdout)
close(fdin);
else
@@ -740,15 +740,15 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
@@ -740,15 +740,15 @@ server_loop(pid_t pid, int fdin_arg, int
buffer_free(&stderr_buffer);
/* Close the file descriptors. */
@ -391,16 +310,16 @@ index e92f9e2..3cad041 100644
close(fdin);
fdin = -1;
@@ -947,7 +947,7 @@ server_input_window_size(int type, u_int32_t seq, void *ctxt)
@@ -950,7 +950,7 @@ server_input_window_size(int type, u_int
debug("Window change received.");
packet_check_eom();
- if (fdin != -1)
+ if (fdin >= 0)
pty_change_window_size(fdin, row, col, xpixel, ypixel);
return 0;
}
@@ -1039,7 +1039,7 @@ server_request_tun(void)
@@ -1043,7 +1043,7 @@ server_request_tun(void)
}
tun = packet_get_int();
@ -409,361 +328,10 @@ index e92f9e2..3cad041 100644
if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
goto done;
tun = forced_tun_device;
diff --git a/sftp-client.c b/sftp-client.c
index 990b58d..3d0f22b 100644
--- a/sftp-client.c
+++ b/sftp-client.c
@@ -151,7 +151,7 @@ get_msg(struct sftp_conn *conn, Buffer *m)
}
static void
-send_string_request(struct sftp_conn *conn, u_int id, u_int code, char *s,
+send_string_request(struct sftp_conn *conn, u_int id, u_int code, const char *s,
u_int len)
{
Buffer msg;
@@ -167,7 +167,7 @@ send_string_request(struct sftp_conn *conn, u_int id, u_int code, char *s,
static void
send_string_attrs_request(struct sftp_conn *conn, u_int id, u_int code,
- char *s, u_int len, Attrib *a)
+ const char *s, u_int len, Attrib *a)
{
Buffer msg;
@@ -429,7 +429,7 @@ sftp_proto_version(struct sftp_conn *conn)
}
int
-do_close(struct sftp_conn *conn, char *handle, u_int handle_len)
+do_close(struct sftp_conn *conn, const char *handle, u_int handle_len)
{
u_int id, status;
Buffer msg;
@@ -454,7 +454,7 @@ do_close(struct sftp_conn *conn, char *handle, u_int handle_len)
static int
-do_lsreaddir(struct sftp_conn *conn, char *path, int print_flag,
+do_lsreaddir(struct sftp_conn *conn, const char *path, int print_flag,
SFTP_DIRENT ***dir)
{
Buffer msg;
@@ -577,7 +577,7 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int print_flag,
}
int
-do_readdir(struct sftp_conn *conn, char *path, SFTP_DIRENT ***dir)
+do_readdir(struct sftp_conn *conn, const char *path, SFTP_DIRENT ***dir)
{
return(do_lsreaddir(conn, path, 0, dir));
}
@@ -597,7 +597,7 @@ void free_sftp_dirents(SFTP_DIRENT **s)
}
int
-do_rm(struct sftp_conn *conn, char *path)
+do_rm(struct sftp_conn *conn, const char *path)
{
u_int status, id;
@@ -612,7 +612,7 @@ do_rm(struct sftp_conn *conn, char *path)
}
int
-do_mkdir(struct sftp_conn *conn, char *path, Attrib *a, int print_flag)
+do_mkdir(struct sftp_conn *conn, const char *path, Attrib *a, int print_flag)
{
u_int status, id;
@@ -628,7 +628,7 @@ do_mkdir(struct sftp_conn *conn, char *path, Attrib *a, int print_flag)
}
int
-do_rmdir(struct sftp_conn *conn, char *path)
+do_rmdir(struct sftp_conn *conn, const char *path)
{
u_int status, id;
@@ -644,7 +644,7 @@ do_rmdir(struct sftp_conn *conn, char *path)
}
Attrib *
-do_stat(struct sftp_conn *conn, char *path, int quiet)
+do_stat(struct sftp_conn *conn, const char *path, int quiet)
{
u_int id;
@@ -658,7 +658,7 @@ do_stat(struct sftp_conn *conn, char *path, int quiet)
}
Attrib *
-do_lstat(struct sftp_conn *conn, char *path, int quiet)
+do_lstat(struct sftp_conn *conn, const char *path, int quiet)
{
u_int id;
@@ -679,7 +679,7 @@ do_lstat(struct sftp_conn *conn, char *path, int quiet)
#ifdef notyet
Attrib *
-do_fstat(struct sftp_conn *conn, char *handle, u_int handle_len, int quiet)
+do_fstat(struct sftp_conn *conn, const char *handle, u_int handle_len, int quiet)
{
u_int id;
@@ -692,7 +692,7 @@ do_fstat(struct sftp_conn *conn, char *handle, u_int handle_len, int quiet)
#endif
int
-do_setstat(struct sftp_conn *conn, char *path, Attrib *a)
+do_setstat(struct sftp_conn *conn, const char *path, Attrib *a)
{
u_int status, id;
@@ -709,7 +709,7 @@ do_setstat(struct sftp_conn *conn, char *path, Attrib *a)
}
int
-do_fsetstat(struct sftp_conn *conn, char *handle, u_int handle_len,
+do_fsetstat(struct sftp_conn *conn, const char *handle, u_int handle_len,
Attrib *a)
{
u_int status, id;
@@ -726,7 +726,7 @@ do_fsetstat(struct sftp_conn *conn, char *handle, u_int handle_len,
}
char *
-do_realpath(struct sftp_conn *conn, char *path)
+do_realpath(struct sftp_conn *conn, const char *path)
{
Buffer msg;
u_int type, expected_id, count, id;
@@ -775,7 +775,7 @@ do_realpath(struct sftp_conn *conn, char *path)
}
int
-do_rename(struct sftp_conn *conn, char *oldpath, char *newpath,
+do_rename(struct sftp_conn *conn, const char *oldpath, const char *newpath,
int force_legacy)
{
Buffer msg;
@@ -811,7 +811,7 @@ do_rename(struct sftp_conn *conn, char *oldpath, char *newpath,
}
int
-do_hardlink(struct sftp_conn *conn, char *oldpath, char *newpath)
+do_hardlink(struct sftp_conn *conn, const char *oldpath, const char *newpath)
{
Buffer msg;
u_int status, id;
@@ -844,7 +844,7 @@ do_hardlink(struct sftp_conn *conn, char *oldpath, char *newpath)
}
int
-do_symlink(struct sftp_conn *conn, char *oldpath, char *newpath)
+do_symlink(struct sftp_conn *conn, const char *oldpath, const char *newpath)
{
Buffer msg;
u_int status, id;
@@ -876,7 +876,7 @@ do_symlink(struct sftp_conn *conn, char *oldpath, char *newpath)
}
int
-do_fsync(struct sftp_conn *conn, char *handle, u_int handle_len)
+do_fsync(struct sftp_conn *conn, const char *handle, u_int handle_len)
{
Buffer msg;
u_int status, id;
@@ -907,7 +907,7 @@ do_fsync(struct sftp_conn *conn, char *handle, u_int handle_len)
#ifdef notyet
char *
-do_readlink(struct sftp_conn *conn, char *path)
+do_readlink(struct sftp_conn *conn, const char *path)
{
Buffer msg;
u_int type, expected_id, count, id;
@@ -1010,7 +1010,7 @@ do_fstatvfs(struct sftp_conn *conn, const char *handle, u_int handle_len,
static void
send_read_request(struct sftp_conn *conn, u_int id, u_int64_t offset,
- u_int len, char *handle, u_int handle_len)
+ u_int len, const char *handle, u_int handle_len)
{
Buffer msg;
@@ -1026,7 +1026,7 @@ send_read_request(struct sftp_conn *conn, u_int id, u_int64_t offset,
}
int
-do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
+do_download(struct sftp_conn *conn, const char *remote_path, const char *local_path,
Attrib *a, int preserve_flag, int resume_flag, int fsync_flag)
{
Attrib junk;
@@ -1308,7 +1308,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
}
static int
-download_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth,
+download_dir_internal(struct sftp_conn *conn, const char *src, const char *dst, int depth,
Attrib *dirattrib, int preserve_flag, int print_flag, int resume_flag,
int fsync_flag)
{
@@ -1400,7 +1400,7 @@ download_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth,
}
int
-download_dir(struct sftp_conn *conn, char *src, char *dst,
+download_dir(struct sftp_conn *conn, const char *src, const char *dst,
Attrib *dirattrib, int preserve_flag, int print_flag,
int resume_flag, int fsync_flag)
{
@@ -1419,7 +1419,7 @@ download_dir(struct sftp_conn *conn, char *src, char *dst,
}
int
-do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
+do_upload(struct sftp_conn *conn, const char *local_path, const char *remote_path,
int preserve_flag, int resume, int fsync_flag)
{
int local_fd;
@@ -1628,7 +1628,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
}
static int
-upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth,
+upload_dir_internal(struct sftp_conn *conn, const char *src, const char *dst, int depth,
int preserve_flag, int print_flag, int resume, int fsync_flag)
{
int ret = 0, status;
@@ -1721,7 +1721,7 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth,
}
int
-upload_dir(struct sftp_conn *conn, char *src, char *dst, int preserve_flag,
+upload_dir(struct sftp_conn *conn, const char *src, const char *dst, int preserve_flag,
int print_flag, int resume, int fsync_flag)
{
char *dst_canon;
@@ -1740,7 +1740,7 @@ upload_dir(struct sftp_conn *conn, char *src, char *dst, int preserve_flag,
}
char *
-path_append(char *p1, char *p2)
+path_append(const char *p1, const char *p2)
{
char *ret;
size_t len = strlen(p1) + strlen(p2) + 2;
diff --git a/sftp-client.h b/sftp-client.h
index 967840b..ffbcade 100644
--- a/sftp-client.h
+++ b/sftp-client.h
@@ -56,79 +56,79 @@ struct sftp_conn *do_init(int, int, u_int, u_int, u_int64_t);
u_int sftp_proto_version(struct sftp_conn *);
/* Close file referred to by 'handle' */
-int do_close(struct sftp_conn *, char *, u_int);
+int do_close(struct sftp_conn *, const char *, u_int);
/* Read contents of 'path' to NULL-terminated array 'dir' */
-int do_readdir(struct sftp_conn *, char *, SFTP_DIRENT ***);
+int do_readdir(struct sftp_conn *, const char *, SFTP_DIRENT ***);
/* Frees a NULL-terminated array of SFTP_DIRENTs (eg. from do_readdir) */
void free_sftp_dirents(SFTP_DIRENT **);
/* Delete file 'path' */
-int do_rm(struct sftp_conn *, char *);
+int do_rm(struct sftp_conn *, const char *);
/* Create directory 'path' */
-int do_mkdir(struct sftp_conn *, char *, Attrib *, int);
+int do_mkdir(struct sftp_conn *, const char *, Attrib *, int);
/* Remove directory 'path' */
-int do_rmdir(struct sftp_conn *, char *);
+int do_rmdir(struct sftp_conn *, const char *);
/* Get file attributes of 'path' (follows symlinks) */
-Attrib *do_stat(struct sftp_conn *, char *, int);
+Attrib *do_stat(struct sftp_conn *, const char *, int);
/* Get file attributes of 'path' (does not follow symlinks) */
-Attrib *do_lstat(struct sftp_conn *, char *, int);
+Attrib *do_lstat(struct sftp_conn *, const char *, int);
/* Set file attributes of 'path' */
-int do_setstat(struct sftp_conn *, char *, Attrib *);
+int do_setstat(struct sftp_conn *, const char *, Attrib *);
/* Set file attributes of open file 'handle' */
-int do_fsetstat(struct sftp_conn *, char *, u_int, Attrib *);
+int do_fsetstat(struct sftp_conn *, const char *, u_int, Attrib *);
/* Canonicalise 'path' - caller must free result */
-char *do_realpath(struct sftp_conn *, char *);
+char *do_realpath(struct sftp_conn *, const char *);
/* Get statistics for filesystem hosting file at "path" */
int do_statvfs(struct sftp_conn *, const char *, struct sftp_statvfs *, int);
/* Rename 'oldpath' to 'newpath' */
-int do_rename(struct sftp_conn *, char *, char *m, int force_legacy);
+int do_rename(struct sftp_conn *, const char *, const char *m, int force_legacy);
/* Link 'oldpath' to 'newpath' */
-int do_hardlink(struct sftp_conn *, char *, char *);
+int do_hardlink(struct sftp_conn *, const char *, const char *);
/* Rename 'oldpath' to 'newpath' */
-int do_symlink(struct sftp_conn *, char *, char *);
+int do_symlink(struct sftp_conn *, const char *, const char *);
/* Call fsync() on open file 'handle' */
-int do_fsync(struct sftp_conn *conn, char *, u_int);
+int do_fsync(struct sftp_conn *conn, const char *, u_int);
/*
* Download 'remote_path' to 'local_path'. Preserve permissions and times
* if 'pflag' is set
*/
-int do_download(struct sftp_conn *, char *, char *, Attrib *, int, int, int);
+int do_download(struct sftp_conn *, const char *, const char *, Attrib *, int, int, int);
/*
* Recursively download 'remote_directory' to 'local_directory'. Preserve
* times if 'pflag' is set
*/
-int download_dir(struct sftp_conn *, char *, char *, Attrib *, int,
+int download_dir(struct sftp_conn *, const char *, const char *, Attrib *, int,
int, int, int);
/*
* Upload 'local_path' to 'remote_path'. Preserve permissions and times
* if 'pflag' is set
*/
-int do_upload(struct sftp_conn *, char *, char *, int, int, int);
+int do_upload(struct sftp_conn *, const char *, const char *, int, int, int);
/*
* Recursively upload 'local_directory' to 'remote_directory'. Preserve
* times if 'pflag' is set
*/
-int upload_dir(struct sftp_conn *, char *, char *, int, int, int, int);
+int upload_dir(struct sftp_conn *, const char *, const char *, int, int, int, int);
/* Concatenate paths, taking care of slashes. Caller must free result. */
-char *path_append(char *, char *);
+char *path_append(const char *, const char *);
#endif
diff --git a/sftp.c b/sftp.c
index ff4d63d..4439100 100644
--- a/sftp.c
+++ b/sftp.c
@@ -220,7 +220,7 @@ killchild(int signo)
diff -up openssh-6.8p1/sftp.c.coverity openssh-6.8p1/sftp.c
--- openssh-6.8p1/sftp.c.coverity 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/sftp.c 2015-03-18 17:21:58.283251456 +0100
@@ -223,7 +223,7 @@ killchild(int signo)
{
if (sshpid > 1) {
kill(sshpid, SIGTERM);
@ -772,7 +340,7 @@ index ff4d63d..4439100 100644
}
_exit(1);
@@ -332,7 +332,7 @@ local_do_ls(const char *args)
@@ -335,7 +335,7 @@ local_do_ls(const char *args)
/* Strip one path (usually the pwd) from the start of another */
static char *
@ -781,7 +349,7 @@ index ff4d63d..4439100 100644
{
size_t len;
@@ -350,7 +350,7 @@ path_strip(char *path, char *strip)
@@ -353,7 +353,7 @@ path_strip(char *path, char *strip)
}
static char *
@ -790,7 +358,7 @@ index ff4d63d..4439100 100644
{
char *abs_str;
@@ -548,7 +548,7 @@ parse_no_flags(const char *cmd, char **argv, int argc)
@@ -551,7 +551,7 @@ parse_no_flags(const char *cmd, char **a
}
static int
@ -799,7 +367,7 @@ index ff4d63d..4439100 100644
{
struct stat sb;
@@ -560,7 +560,7 @@ is_dir(char *path)
@@ -563,7 +563,7 @@ is_dir(char *path)
}
static int
@ -808,7 +376,7 @@ index ff4d63d..4439100 100644
{
Attrib *a;
@@ -574,7 +574,7 @@ remote_is_dir(struct sftp_conn *conn, char *path)
@@ -577,7 +577,7 @@ remote_is_dir(struct sftp_conn *conn, ch
/* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */
static int
@ -817,7 +385,7 @@ index ff4d63d..4439100 100644
{
size_t l = strlen(pathname);
@@ -582,7 +582,7 @@ pathname_is_dir(char *pathname)
@@ -585,7 +585,7 @@ pathname_is_dir(char *pathname)
}
static int
@ -826,7 +394,7 @@ index ff4d63d..4439100 100644
int pflag, int rflag, int resume, int fflag)
{
char *abs_src = NULL;
@@ -666,7 +666,7 @@ out:
@@ -669,7 +669,7 @@ out:
}
static int
@ -835,7 +403,7 @@ index ff4d63d..4439100 100644
int pflag, int rflag, int resume, int fflag)
{
char *tmp_dst = NULL;
@@ -776,7 +776,7 @@ sdirent_comp(const void *aa, const void *bb)
@@ -779,7 +779,7 @@ sdirent_comp(const void *aa, const void
/* sftp ls.1 replacement for directories */
static int
@ -844,7 +412,7 @@ index ff4d63d..4439100 100644
{
int n;
u_int c = 1, colspace = 0, columns = 1;
@@ -861,7 +861,7 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
@@ -864,7 +864,7 @@ do_ls_dir(struct sftp_conn *conn, char *
/* sftp ls.1 replacement which handles path globs */
static int
@ -853,7 +421,7 @@ index ff4d63d..4439100 100644
int lflag)
{
char *fname, *lname;
@@ -946,7 +946,7 @@ do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
@@ -949,7 +949,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
}
static int
@ -862,11 +430,10 @@ index ff4d63d..4439100 100644
{
struct sftp_statvfs st;
char s_used[FMT_SCALED_STRSIZE];
diff --git a/ssh-agent.c b/ssh-agent.c
index c8036c8..4da3bb6 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1056,8 +1056,8 @@ main(int ac, char **av)
diff -up openssh-6.8p1/ssh-agent.c.coverity openssh-6.8p1/ssh-agent.c
--- openssh-6.8p1/ssh-agent.c.coverity 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/ssh-agent.c 2015-03-18 17:21:58.284251454 +0100
@@ -1166,8 +1166,8 @@ main(int ac, char **av)
sanitise_stdfd();
/* drop */
@ -877,29 +444,10 @@ index c8036c8..4da3bb6 100644
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
/* Disable ptrace on Linux without sgid bit */
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 64fa217..635e8fd 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -687,11 +687,11 @@ do_convert_from(struct passwd *pw)
fatal("%s: unknown key format %d", __func__, convert_format);
}
- if (!private)
+ if (!private) {
ok = key_write(k, stdout);
if (ok)
fprintf(stdout, "\n");
- else {
+ } else {
switch (k->type) {
case KEY_DSA:
ok = PEM_write_DSAPrivateKey(stdout, k->dsa, NULL,
diff --git a/sshd.c b/sshd.c
index 783abe3..eaade2a 100644
--- a/sshd.c
+++ b/sshd.c
@@ -771,8 +771,10 @@ privsep_preauth(Authctxt *authctxt)
diff -up openssh-6.8p1/sshd.c.coverity openssh-6.8p1/sshd.c
--- openssh-6.8p1/sshd.c.coverity 2015-03-18 17:21:51.893264839 +0100
+++ openssh-6.8p1/sshd.c 2015-03-18 17:21:58.284251454 +0100
@@ -778,8 +778,10 @@ privsep_preauth(Authctxt *authctxt)
if (getuid() == 0 || geteuid() == 0)
privsep_preauth_child();
setproctitle("%s", "[net]");
@ -911,7 +459,7 @@ index 783abe3..eaade2a 100644
return 0;
}
@@ -1458,6 +1460,9 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
@@ -1518,6 +1520,9 @@ server_accept_loop(int *sock_in, int *so
if (num_listen_socks < 0)
break;
}
@ -921,15 +469,14 @@ index 783abe3..eaade2a 100644
}
diff --git a/sshkey.c b/sshkey.c
index 5e3d97f..dae8270 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -54,6 +54,7 @@
diff -up openssh-6.8p1/sshkey.c.coverity openssh-6.8p1/sshkey.c
--- openssh-6.8p1/sshkey.c.coverity 2015-03-18 17:21:58.285251452 +0100
+++ openssh-6.8p1/sshkey.c 2015-03-18 17:45:32.232705363 +0100
@@ -58,6 +58,7 @@
#include "digest.h"
#define SSHKEY_INTERNAL
#include "sshkey.h"
+#include "log.h"
#include "match.h"
/* openssh private key file format */
#define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n"


@ -1,7 +1,7 @@
diff -up openssh-6.7p1/configure.ac.tcp_wrappers openssh-6.7p1/configure.ac
--- openssh-6.7p1/configure.ac.tcp_wrappers 2015-01-20 16:58:39.829111746 +0100
+++ openssh-6.7p1/configure.ac 2015-01-20 16:58:39.870111159 +0100
@@ -1404,6 +1404,62 @@ AC_ARG_WITH([skey],
diff -up openssh-6.8p1/configure.ac.tcp_wrappers openssh-6.8p1/configure.ac
--- openssh-6.8p1/configure.ac.tcp_wrappers 2015-03-18 13:05:57.365071779 +0100
+++ openssh-6.8p1/configure.ac 2015-03-18 13:05:57.408071673 +0100
@@ -1440,6 +1440,62 @@ AC_ARG_WITH([skey],
]
)
@ -64,7 +64,7 @@ diff -up openssh-6.7p1/configure.ac.tcp_wrappers openssh-6.7p1/configure.ac
# Check whether user wants to use ldns
LDNS_MSG="no"
AC_ARG_WITH(ldns,
@@ -4959,6 +5015,7 @@ echo " KerberosV support
@@ -5026,6 +5082,7 @@ echo " KerberosV support
echo " SELinux support: $SELINUX_MSG"
echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
@ -72,9 +72,9 @@ diff -up openssh-6.7p1/configure.ac.tcp_wrappers openssh-6.7p1/configure.ac
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG"
diff -up openssh-6.7p1/sshd.8.tcp_wrappers openssh-6.7p1/sshd.8
--- openssh-6.7p1/sshd.8.tcp_wrappers 2015-01-20 16:58:39.838111617 +0100
+++ openssh-6.7p1/sshd.8 2015-01-20 16:58:39.871111145 +0100
diff -up openssh-6.8p1/sshd.8.tcp_wrappers openssh-6.8p1/sshd.8
--- openssh-6.8p1/sshd.8.tcp_wrappers 2015-03-18 13:05:57.377071749 +0100
+++ openssh-6.8p1/sshd.8 2015-03-18 13:05:57.408071673 +0100
@@ -858,6 +858,12 @@ the user's home directory becomes access
This file should be writable only by the user, and need not be
readable by anyone else.
@ -96,12 +96,12 @@ diff -up openssh-6.7p1/sshd.8.tcp_wrappers openssh-6.7p1/sshd.8
.Xr login.conf 5 ,
.Xr moduli 5 ,
.Xr sshd_config 5 ,
diff -up openssh-6.7p1/sshd.c.tcp_wrappers openssh-6.7p1/sshd.c
--- openssh-6.7p1/sshd.c.tcp_wrappers 2015-01-20 16:58:39.863111259 +0100
+++ openssh-6.7p1/sshd.c 2015-01-20 16:59:12.992636776 +0100
@@ -123,6 +123,13 @@
#include "ssh-sandbox.h"
diff -up openssh-6.8p1/sshd.c.tcp_wrappers openssh-6.8p1/sshd.c
--- openssh-6.8p1/sshd.c.tcp_wrappers 2015-03-18 13:05:57.402071688 +0100
+++ openssh-6.8p1/sshd.c 2015-03-18 13:06:48.199947136 +0100
@@ -125,6 +125,13 @@
#include "version.h"
#include "ssherr.h"
+#ifdef LIBWRAP
+#include <tcpd.h>
@ -113,7 +113,7 @@ diff -up openssh-6.7p1/sshd.c.tcp_wrappers openssh-6.7p1/sshd.c
#ifndef O_NOCTTY
#define O_NOCTTY 0
#endif
@@ -2078,6 +2085,24 @@ main(int ac, char **av)
@@ -2150,6 +2157,24 @@ main(int ac, char **av)
#ifdef SSH_AUDIT_EVENTS
audit_connection_from(remote_ip, remote_port);
#endif



@ -1,8 +1,7 @@
diff --git a/Makefile.in b/Makefile.in
index 9311e16..1eb2b45 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -164,25 +164,25 @@ libssh.a: $(LIBSSH_OBJS)
diff -up openssh-6.8p1/Makefile.in.fips openssh-6.8p1/Makefile.in
--- openssh-6.8p1/Makefile.in.fips 2015-03-19 13:14:22.221212174 +0100
+++ openssh-6.8p1/Makefile.in 2015-03-19 13:14:22.230212157 +0100
@@ -168,25 +168,25 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
@ -34,7 +33,7 @@ index 9311e16..1eb2b45 100644
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
@@ -197,7 +197,7 @@ ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
@@ -204,7 +204,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a
$(LD) -o $@ ssh-cavs.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
@ -43,10 +42,9 @@ index 9311e16..1eb2b45 100644
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff --git a/cipher-ctr.c b/cipher-ctr.c
index 73e9c7c..40ee395 100644
--- a/cipher-ctr.c
+++ b/cipher-ctr.c
diff -up openssh-6.8p1/cipher-ctr.c.fips openssh-6.8p1/cipher-ctr.c
--- openssh-6.8p1/cipher-ctr.c.fips 2015-03-19 13:14:22.155212302 +0100
+++ openssh-6.8p1/cipher-ctr.c 2015-03-19 13:14:22.230212157 +0100
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
aes_ctr.do_cipher = ssh_aes_ctr;
#ifndef SSH_OLD_EVP
@ -57,10 +55,9 @@ index 73e9c7c..40ee395 100644
#endif
return (&aes_ctr);
}
diff --git a/cipher.c b/cipher.c
index 9cc7cf8..5ebfa84 100644
--- a/cipher.c
+++ b/cipher.c
diff -up openssh-6.8p1/cipher.c.fips openssh-6.8p1/cipher.c
--- openssh-6.8p1/cipher.c.fips 2015-03-19 13:14:22.224212169 +0100
+++ openssh-6.8p1/cipher.c 2015-03-19 13:14:22.230212157 +0100
@@ -39,6 +39,8 @@
#include <sys/types.h>
@ -70,7 +67,7 @@ index 9cc7cf8..5ebfa84 100644
#include <string.h>
#include <stdarg.h>
#include <stdio.h>
@@ -99,6 +101,26 @@ static const struct sshcipher ciphers[] = {
@@ -99,6 +101,26 @@ static const struct sshcipher ciphers[]
{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
};
@ -133,11 +130,10 @@ index 9cc7cf8..5ebfa84 100644
if (strcasecmp(c->name, name) == 0)
return c->number;
return -1;
diff --git a/dh.h b/dh.h
index 48f7b68..9ff39f4 100644
--- a/dh.h
+++ b/dh.h
@@ -45,6 +45,7 @@ int dh_estimate(int);
diff -up openssh-6.8p1/dh.h.fips openssh-6.8p1/dh.h
--- openssh-6.8p1/dh.h.fips 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/dh.h 2015-03-19 13:14:22.230212157 +0100
@@ -45,6 +45,7 @@ u_int dh_estimate(int);
/* Min and max values from RFC4419. */
#define DH_GRP_MIN 1024
@ -145,11 +141,10 @@ index 48f7b68..9ff39f4 100644
#define DH_GRP_MAX 8192
/*
diff --git a/entropy.c b/entropy.c
index d24e724..06b0095 100644
--- a/entropy.c
+++ b/entropy.c
@@ -215,6 +215,9 @@ seed_rng(void)
diff -up openssh-6.8p1/entropy.c.fips openssh-6.8p1/entropy.c
--- openssh-6.8p1/entropy.c.fips 2015-03-19 13:14:22.147212317 +0100
+++ openssh-6.8p1/entropy.c 2015-03-19 13:14:22.230212157 +0100
@@ -217,6 +217,9 @@ seed_rng(void)
fatal("OpenSSL version mismatch. Built against %lx, you "
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
@ -159,10 +154,9 @@ index d24e724..06b0095 100644
#ifndef OPENSSL_PRNG_ONLY
if (RAND_status() == 1) {
debug3("RNG is ready, skipping seeding");
diff --git a/kex.c b/kex.c
index e0cf3de..e11198f 100644
--- a/kex.c
+++ b/kex.c
diff -up openssh-6.8p1/kex.c.fips openssh-6.8p1/kex.c
--- openssh-6.8p1/kex.c.fips 2015-03-19 13:14:22.165212282 +0100
+++ openssh-6.8p1/kex.c 2015-03-19 13:14:22.230212157 +0100
@@ -35,6 +35,7 @@
#ifdef WITH_OPENSSL
@ -170,7 +164,7 @@ index e0cf3de..e11198f 100644
+#include <openssl/fips.h>
#endif
#include "xmalloc.h"
#include "ssh2.h"
@@ -107,6 +108,25 @@ static const struct kexalg kexalgs[] = {
{ NULL, -1, -1, -1},
};
@ -197,7 +191,7 @@ index e0cf3de..e11198f 100644
char *
kex_alg_list(char sep)
{
@@ -130,7 +150,7 @@ kex_alg_by_name(const char *name)
@@ -134,7 +154,7 @@ kex_alg_by_name(const char *name)
{
const struct kexalg *k;
@ -206,7 +200,7 @@ index e0cf3de..e11198f 100644
if (strcmp(k->name, name) == 0)
return k;
#ifdef GSSAPI
@@ -155,7 +175,10 @@ kex_names_valid(const char *names)
@@ -160,7 +180,10 @@ kex_names_valid(const char *names)
for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) {
if (kex_alg_by_name(p) == NULL) {
@ -218,60 +212,34 @@ index e0cf3de..e11198f 100644
free(s);
return 0;
}
diff --git a/kexecdhc.c b/kexecdhc.c
index 2f7629c..20c9946 100644
--- a/kexecdhc.c
+++ b/kexecdhc.c
@@ -154,6 +154,7 @@ kexecdh_client(Kex *kex)
diff -up openssh-6.8p1/kexgexc.c.fips openssh-6.8p1/kexgexc.c
--- openssh-6.8p1/kexgexc.c.fips 2015-03-19 13:14:22.196212223 +0100
+++ openssh-6.8p1/kexgexc.c 2015-03-19 13:15:11.462117016 +0100
@@ -28,6 +28,8 @@
kex_derive_keys_bn(kex, hash, hashlen, shared_secret);
BN_clear_free(shared_secret);
+ memset(hash, 0, hashlen);
kex_finish(kex);
}
#else /* OPENSSL_HAS_ECC */
diff --git a/kexecdhs.c b/kexecdhs.c
index 2700b72..0820894 100644
--- a/kexecdhs.c
+++ b/kexecdhs.c
@@ -150,6 +150,7 @@ kexecdh_server(Kex *kex)
kex_derive_keys_bn(kex, hash, hashlen, shared_secret);
BN_clear_free(shared_secret);
+ memset(hash, 0, hashlen);
kex_finish(kex);
}
#else /* OPENSSL_HAS_ECC */
diff --git a/kexgexc.c b/kexgexc.c
index 0a91bdd..b75930b 100644
--- a/kexgexc.c
+++ b/kexgexc.c
@@ -26,6 +26,8 @@
#include "includes.h"
#ifdef WITH_OPENSSL
+#include <openssl/fips.h>
+
#include <sys/types.h>
#include <openssl/dh.h>
@@ -58,7 +60,7 @@ kexgex_client(Kex *kex)
int min, max, nbits;
DH *dh;
@@ -62,7 +64,7 @@ kexgex_client(struct ssh *ssh)
- min = DH_GRP_MIN;
+ min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
max = DH_GRP_MAX;
nbits = dh_estimate(kex->dh_need * 8);
- kex->min = DH_GRP_MIN;
+ kex->min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
kex->max = DH_GRP_MAX;
/* Servers with MAX4096DH need a preferred size (nbits) <= 4096.
diff --git a/kexgexs.c b/kexgexs.c
index 770ad28..9d4fc6d 100644
--- a/kexgexs.c
+++ b/kexgexs.c
@@ -76,16 +76,16 @@ kexgex_server(Kex *kex)
omin = min = packet_get_int();
onbits = nbits = packet_get_int();
omax = max = packet_get_int();
diff -up openssh-6.8p1/kexgexs.c.fips openssh-6.8p1/kexgexs.c
--- openssh-6.8p1/kexgexs.c.fips 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/kexgexs.c 2015-03-19 13:14:22.231212155 +0100
@@ -87,9 +87,9 @@ input_kex_dh_gex_request(int type, u_int
kex->nbits = nbits;
kex->min = min;
kex->max = max;
- min = MAX(DH_GRP_MIN, min);
+ min = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, min);
max = MIN(DH_GRP_MAX, max);
@ -280,28 +248,28 @@ index 770ad28..9d4fc6d 100644
nbits = MIN(DH_GRP_MAX, nbits);
break;
case SSH2_MSG_KEX_DH_GEX_REQUEST_OLD:
debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received");
onbits = nbits = packet_get_int();
@@ -99,7 +99,7 @@ input_kex_dh_gex_request(int type, u_int
goto out;
kex->nbits = nbits;
/* unused for old GEX */
- omin = min = DH_GRP_MIN;
+ omin = min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
omax = max = DH_GRP_MAX;
- kex->min = min = DH_GRP_MIN;
+ kex->min = min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
kex->max = max = DH_GRP_MAX;
break;
default:
diff --git a/mac.c b/mac.c
index fd07bf2..fedfbb2 100644
--- a/mac.c
+++ b/mac.c
diff -up openssh-6.8p1/mac.c.fips openssh-6.8p1/mac.c
--- openssh-6.8p1/mac.c.fips 2015-03-19 13:14:22.224212169 +0100
+++ openssh-6.8p1/mac.c 2015-03-19 13:14:22.231212155 +0100
@@ -27,6 +27,8 @@
#include <sys/types.h>
+#include <openssl/fips.h>
+
#include <stdarg.h>
#include <string.h>
#include <signal.h>
@@ -60,7 +62,7 @@ struct macalg {
#include <stdio.h>
@@ -54,7 +56,7 @@ struct macalg {
int etm; /* Encrypt-then-MAC */
};
@ -310,7 +278,7 @@ index fd07bf2..fedfbb2 100644
/* Encrypt-and-MAC (encrypt-and-authenticate) variants */
{ "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },
{ "hmac-sha1-96", SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 },
@@ -91,6 +93,24 @@ static const struct macalg macs[] = {
@@ -85,6 +87,24 @@ static const struct macalg macs[] = {
{ NULL, 0, 0, 0, 0, 0, 0 }
};
@ -335,7 +303,7 @@ index fd07bf2..fedfbb2 100644
/* Returns a list of supported MACs separated by the specified char. */
char *
mac_alg_list(char sep)
@@ -99,7 +119,7 @@ mac_alg_list(char sep)
@@ -93,7 +113,7 @@ mac_alg_list(char sep)
size_t nlen, rlen = 0;
const struct macalg *m;
@ -344,7 +312,7 @@ index fd07bf2..fedfbb2 100644
if (ret != NULL)
ret[rlen++] = sep;
nlen = strlen(m->name);
@@ -133,7 +153,7 @@ mac_setup(Mac *mac, char *name)
@@ -132,7 +152,7 @@ mac_setup(struct sshmac *mac, char *name
{
const struct macalg *m;
@ -352,11 +320,10 @@ index fd07bf2..fedfbb2 100644
+ for (m = FIPS_mode() ? fips_macs : all_macs; m->name != NULL; m++) {
if (strcmp(name, m->name) != 0)
continue;
if (mac != NULL) {
diff --git a/myproposal.h b/myproposal.h
index b35b2b8..a608d27 100644
--- a/myproposal.h
+++ b/myproposal.h
if (mac != NULL)
diff -up openssh-6.8p1/myproposal.h.fips openssh-6.8p1/myproposal.h
--- openssh-6.8p1/myproposal.h.fips 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/myproposal.h 2015-03-19 13:14:22.231212155 +0100
@@ -140,6 +140,28 @@
"hmac-sha1-96," \
"hmac-md5-96"
@ -386,10 +353,9 @@ index b35b2b8..a608d27 100644
#else
#define KEX_SERVER_KEX \
diff --git a/ssh.c b/ssh.c
index 26e9681..a0a7c29 100644
--- a/ssh.c
+++ b/ssh.c
diff -up openssh-6.8p1/ssh.c.fips openssh-6.8p1/ssh.c
--- openssh-6.8p1/ssh.c.fips 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/ssh.c 2015-03-19 13:14:22.232212153 +0100
@@ -75,6 +75,8 @@
#include <openssl/evp.h>
#include <openssl/err.h>
@ -399,7 +365,7 @@ index 26e9681..a0a7c29 100644
#include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h"
@@ -433,6 +435,14 @@ main(int ac, char **av)
@@ -523,6 +525,14 @@ main(int ac, char **av)
sanitise_stdfd();
__progname = ssh_get_progname(av[0]);
@ -414,8 +380,8 @@ index 26e9681..a0a7c29 100644
#ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */
@@ -510,6 +519,9 @@ main(int ac, char **av)
"ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
@@ -600,6 +610,9 @@ main(int ac, char **av)
"ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
switch (opt) {
case '1':
+ if (FIPS_mode()) {
@ -424,7 +390,7 @@ index 26e9681..a0a7c29 100644
options.protocol = SSH_PROTO_1;
break;
case '2':
@@ -841,7 +853,6 @@ main(int ac, char **av)
@@ -941,7 +954,6 @@ main(int ac, char **av)
host_arg = xstrdup(host);
#ifdef WITH_OPENSSL
@ -432,7 +398,7 @@ index 26e9681..a0a7c29 100644
ERR_load_crypto_strings();
#endif
@@ -997,6 +1008,10 @@ main(int ac, char **av)
@@ -1115,6 +1127,10 @@ main(int ac, char **av)
seed_rng();
@ -443,7 +409,7 @@ index 26e9681..a0a7c29 100644
if (options.user == NULL)
options.user = xstrdup(pw->pw_name);
@@ -1069,6 +1084,12 @@ main(int ac, char **av)
@@ -1192,6 +1208,12 @@ main(int ac, char **av)
timeout_ms = options.connection_timeout * 1000;
@ -456,10 +422,9 @@ index 26e9681..a0a7c29 100644
/* Open a connection to the remote host. */
if (ssh_connect(host, addrs, &hostaddr, options.port,
options.address_family, options.connection_attempts,
diff --git a/sshconnect2.c b/sshconnect2.c
index efe6158..5631f39 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
diff -up openssh-6.8p1/sshconnect2.c.fips openssh-6.8p1/sshconnect2.c
--- openssh-6.8p1/sshconnect2.c.fips 2015-03-19 13:14:22.188212238 +0100
+++ openssh-6.8p1/sshconnect2.c 2015-03-19 13:14:22.232212153 +0100
@@ -46,6 +46,8 @@
#include <vis.h>
#endif
@ -469,13 +434,24 @@ index efe6158..5631f39 100644
#include "openbsd-compat/sys-queue.h"
#include "xmalloc.h"
@@ -171,20 +173,25 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
@@ -172,20 +174,25 @@ ssh_kex2(char *host, struct sockaddr *ho
#ifdef GSSAPI
if (options.gss_keyex) {
- /* Add the GSSAPI mechanisms currently supported on this
- * client to the key exchange algorithm proposal */
- orig = myproposal[PROPOSAL_KEX_ALGS];
-
- if (options.gss_trust_dns)
- gss_host = (char *)get_canonical_hostname(1);
- else
- gss_host = host;
-
- gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
- if (gss) {
- debug("Offering GSSAPI proposal: %s", gss);
- xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
- "%s,%s", gss, orig);
+ if (FIPS_mode()) {
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
+ options.gss_keyex = 0;
@ -483,21 +459,12 @@ index efe6158..5631f39 100644
+ /* Add the GSSAPI mechanisms currently supported on this
+ * client to the key exchange algorithm proposal */
+ orig = myproposal[PROPOSAL_KEX_ALGS];
- if (options.gss_trust_dns)
- gss_host = (char *)get_canonical_hostname(1);
- else
- gss_host = host;
+
+ if (options.gss_trust_dns)
+ gss_host = (char *)get_canonical_hostname(1);
+ else
+ gss_host = host;
- gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
- if (gss) {
- debug("Offering GSSAPI proposal: %s", gss);
- xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
- "%s,%s", gss, orig);
+
+ gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
+ if (gss) {
+ debug("Offering GSSAPI proposal: %s", gss);
@ -507,7 +474,7 @@ index efe6158..5631f39 100644
}
}
#endif
@@ -196,6 +203,10 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
@@ -197,6 +204,10 @@ ssh_kex2(char *host, struct sockaddr *ho
if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@ -518,7 +485,7 @@ index efe6158..5631f39 100644
}
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
@@ -211,7 +222,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
@@ -212,7 +223,11 @@ ssh_kex2(char *host, struct sockaddr *ho
if (options.macs != NULL) {
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
@ -530,7 +497,7 @@ index efe6158..5631f39 100644
if (options.hostkeyalgorithms != NULL)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
compat_pkalg_proposal(options.hostkeyalgorithms);
@@ -223,9 +238,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
@@ -224,9 +239,11 @@ ssh_kex2(char *host, struct sockaddr *ho
}
if (options.kex_algorithms != NULL)
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
@ -543,10 +510,9 @@ index efe6158..5631f39 100644
#ifdef GSSAPI
/* If we've got GSSAPI algorithms, then we also support the
* 'null' hostkey, as a last resort */
diff --git a/sshd.c b/sshd.c
index db23ce2..3ce59f0 100644
--- a/sshd.c
+++ b/sshd.c
diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
--- openssh-6.8p1/sshd.c.fips 2015-03-19 13:14:22.226212165 +0100
+++ openssh-6.8p1/sshd.c 2015-03-19 13:14:22.232212153 +0100
@@ -66,6 +66,7 @@
#include <grp.h>
#include <pwd.h>
@ -555,7 +521,7 @@ index db23ce2..3ce59f0 100644
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
@@ -76,6 +77,8 @@
@@ -77,6 +78,8 @@
#include <openssl/dh.h>
#include <openssl/bn.h>
#include <openssl/rand.h>
@ -564,7 +530,7 @@ index db23ce2..3ce59f0 100644
#include "openbsd-compat/openssl-compat.h"
#endif
@@ -1479,6 +1482,18 @@ main(int ac, char **av)
@@ -1543,6 +1546,18 @@ main(int ac, char **av)
#endif
__progname = ssh_get_progname(av[0]);
@ -583,7 +549,7 @@ index db23ce2..3ce59f0 100644
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac;
rexec_argc = ac;
@@ -1630,7 +1645,7 @@ main(int ac, char **av)
@@ -1694,7 +1709,7 @@ main(int ac, char **av)
else
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
@ -592,9 +558,9 @@ index db23ce2..3ce59f0 100644
OpenSSL_add_all_algorithms();
#endif
@@ -1816,6 +1831,10 @@ main(int ac, char **av)
debug("private host key: #%d type %d %s", i, keytype,
key_type(key ? key : pubkey));
@@ -1890,6 +1905,10 @@ main(int ac, char **av)
sshkey_type(pubkey) : sshkey_ssh_name(pubkey), fp);
free(fp);
}
+ if ((options.protocol & SSH_PROTO_1) && FIPS_mode()) {
+ logit("Disabling protocol version 1. Not allowed in the FIPS mode.");
@ -603,7 +569,7 @@ index db23ce2..3ce59f0 100644
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1;
@@ -1982,6 +2001,10 @@ main(int ac, char **av)
@@ -2058,6 +2077,10 @@ main(int ac, char **av)
/* Reinitialize the log (because of the fork above). */
log_init(__progname, options.log_level, options.log_facility, log_stderr);
@ -614,7 +580,7 @@ index db23ce2..3ce59f0 100644
/* Chdir to the root directory so that the current disk can be
unmounted if desired. */
if (chdir("/") == -1)
@@ -2541,6 +2564,9 @@ do_ssh2_kex(void)
@@ -2642,6 +2665,9 @@ do_ssh2_kex(void)
if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@ -624,7 +590,7 @@ index db23ce2..3ce59f0 100644
}
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
@@ -2550,6 +2576,9 @@ do_ssh2_kex(void)
@@ -2651,6 +2677,9 @@ do_ssh2_kex(void)
if (options.macs != NULL) {
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
@ -634,7 +600,7 @@ index db23ce2..3ce59f0 100644
}
if (options.compression == COMP_NONE) {
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
@@ -2560,6 +2589,8 @@ do_ssh2_kex(void)
@@ -2661,6 +2690,8 @@ do_ssh2_kex(void)
}
if (options.kex_algorithms != NULL)
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
@ -643,7 +609,7 @@ index db23ce2..3ce59f0 100644
myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
myproposal[PROPOSAL_KEX_ALGS]);
@@ -2586,10 +2617,14 @@ do_ssh2_kex(void)
@@ -2687,10 +2718,14 @@ do_ssh2_kex(void)
if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
orig = NULL;
@ -662,19 +628,18 @@ index db23ce2..3ce59f0 100644
if (gss && orig)
xasprintf(&newstr, "%s,%s", gss, orig);
diff --git a/sshkey.c b/sshkey.c
index f078e11..5e3d97f 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -34,6 +34,7 @@
diff -up openssh-6.8p1/sshkey.c.fips openssh-6.8p1/sshkey.c
--- openssh-6.8p1/sshkey.c.fips 2015-03-19 13:14:22.227212163 +0100
+++ openssh-6.8p1/sshkey.c 2015-03-19 13:14:22.233212151 +0100
@@ -35,6 +35,7 @@
#include <openssl/evp.h>
#include <openssl/err.h>
#include <openssl/pem.h>
+#include <openssl/fips.h>
#endif
#include "crypto_api.h"
@@ -1523,6 +1524,8 @@ rsa_generate_private_key(u_int bits, RSA **rsap)
@@ -1562,6 +1563,8 @@ rsa_generate_private_key(u_int bits, RSA
}
if (!BN_set_word(f4, RSA_F4) ||
!RSA_generate_key_ex(private, bits, f4, NULL)) {
@ -683,9 +648,10 @@ index f078e11..5e3d97f 100644
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
--- a/servconf.c 2015-01-30 12:24:12.388337643 +0100
+++ b/servconf.c 2015-01-30 12:26:36.229229751 +0100
@@ -2159,8 +2162,10 @@
diff -up openssh-6.8p1/servconf.c.fips openssh-6.8p1/servconf.c
--- openssh-6.8p1/servconf.c.fips 2015-03-19 13:14:22.210212196 +0100
+++ openssh-6.8p1/servconf.c 2015-03-19 13:14:22.233212151 +0100
@@ -2226,8 +2226,10 @@ dump_config(ServerOptions *o)
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
dump_cfg_string(sXAuthLocation, o->xauth_location);
@ -698,12 +664,14 @@ index f078e11..5e3d97f 100644
dump_cfg_string(sBanner, o->banner);
dump_cfg_string(sForceCommand, o->adm_forced_command);
dump_cfg_string(sChrootDirectory, o->chroot_directory);
@@ -2180,7 +2180,7 @@
@@ -2240,8 +2242,8 @@ dump_config(ServerOptions *o)
dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
dump_cfg_string(sHostKeyAgent, o->host_key_agent);
dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
- KEX_SERVER_KEX);
- dump_cfg_string(sKexAlgorithms,
- o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
+ dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
+ FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX);
/* string arguments requiring a lookup */
dump_cfg_string(sLogLevel, log_level_name(o->log_level));
dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
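Review bot: The rebased FIPS patch drops the kexecdhc.c and kexecdhs.c hunks that cleared the exchange hash (`memset(hash, 0, hashlen);` right after `BN_clear_free(shared_secret);`) and nothing in the new patch text replaces them, so the hash is no longer zeroized by this patch; presumably upstream 6.8p1 now clears it itself, but that should be confirmed and stated in the commit message, because a rebase silently removing a zeroization is easy to miss. In the servconf.c hunk, `o->kex_algorithms ? o->kex_algorithms : FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX` is a nested conditional with no parentheses; `o->kex_algorithms ? o->kex_algorithms : (FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX)` makes the grouping explicit and fits on the same continuation line. In the kexgexs.c hunk, `min = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, min);` passes a function call through the MAX macro, which evaluates its first argument twice; hoisting it into a local such as `int dh_min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;` avoids the repeated call and can then be reused by the REQUEST_OLD branch below.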


@ -1,8 +1,7 @@
diff --git a/Makefile.in b/Makefile.in
index 1eb2b45..cfa89a1 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -29,6 +29,7 @@ SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
--- openssh-6.8p1/Makefile.in.kdf-cavs 2015-03-18 11:23:46.346049359 +0100
+++ openssh-6.8p1/Makefile.in 2015-03-18 11:24:20.395968445 +0100
@@ -29,6 +29,7 @@ SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-h
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
SSH_KEYCAT=$(libexecdir)/ssh-keycat
CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
@ -18,8 +17,8 @@ index 1eb2b45..cfa89a1 100644
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
LIBOPENSSH_OBJS=\
ssherr.o \
@@ -196,6 +196,9 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
ssh_api.o \
@@ -198,6 +199,9 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHD
ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
@ -29,7 +28,7 @@ index 1eb2b45..cfa89a1 100644
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -320,6 +321,8 @@ install-files:
@@ -331,6 +335,8 @@ install-files:
fi
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
@ -38,12 +37,10 @@ index 1eb2b45..cfa89a1 100644
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
diff --git a/ssh-cavs.c b/ssh-cavs.c
new file mode 100644
index 0000000..928ff80
--- /dev/null
+++ b/ssh-cavs.c
@@ -0,0 +1,374 @@
diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
--- openssh-6.8p1/ssh-cavs.c.kdf-cavs 2015-03-18 11:23:46.348049354 +0100
+++ openssh-6.8p1/ssh-cavs.c 2015-03-18 11:23:46.348049354 +0100
@@ -0,0 +1,383 @@
+/*
+ * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
+ *
@ -95,6 +92,7 @@ index 0000000..928ff80
+#include "key.h"
+#include "cipher.h"
+#include "kex.h"
+#include "packet.h"
+
+static int bin_char(unsigned char hex)
+{
@ -208,16 +206,17 @@ index 0000000..928ff80
+static int sshkdf_cavs(struct kdf_cavs *test)
+{
+ int ret = 0;
+ Kex kex;
+ struct kex kex;
+ BIGNUM *Kbn = NULL;
+ int mode = 0;
+ Newkeys *ctoskeys;
+ Newkeys *stockeys;
+ struct newkeys *ctoskeys;
+ struct newkeys *stockeys;
+ struct ssh *ssh = NULL;
+
+#define HEXOUTLEN 500
+ char hex[HEXOUTLEN];
+
+ memset(&kex, 0, sizeof(Kex));
+ memset(&kex, 0, sizeof(struct kex));
+
+ Kbn = BN_new();
+ BN_bin2bn(test->K, test->Klen, Kbn);
@ -254,7 +253,7 @@ index 0000000..928ff80
+
+ /* implement choose_enc */
+ for (mode = 0; mode < 2; mode++) {
+ kex.newkeys[mode] = calloc(1, sizeof(Newkeys));
+ kex.newkeys[mode] = calloc(1, sizeof(struct newkeys));
+ if (!kex.newkeys[mode]) {
+ printf("allocation of newkeys failed\n");
+ ret = 1;
@ -280,10 +279,15 @@ index 0000000..928ff80
+ kex.server = 1;
+
+ /* do it */
+ kex_derive_keys_bn(&kex, test->H, test->Hlen, Kbn);
+ if ((ssh = ssh_packet_set_connection(NULL, -1, -1)) == NULL){
+ printf("Allocation error\n");
+ goto out;
+ }
+ ssh->kex = &kex;
+ kex_derive_keys_bn(ssh, test->H, test->Hlen, Kbn);
+
+ ctoskeys = kex_get_newkeys(0);
+ stockeys = kex_get_newkeys(1);
+ ctoskeys = kex.newkeys[0];
+ stockeys = kex.newkeys[1];
+
+ /* get data */
+ memset(hex, 0, HEXOUTLEN);
@ -323,6 +327,8 @@ index 0000000..928ff80
+ free(kex.newkeys[0]);
+ if (kex.newkeys[1])
+ free(kex.newkeys[1]);
+ if (ssh)
+ ssh_packet_close(ssh);
+ return ret;
+}
+
@ -418,11 +424,9 @@ index 0000000..928ff80
+ return ret;
+
+}
diff --git a/ssh-cavs_driver.pl b/ssh-cavs_driver.pl
new file mode 100644
index 0000000..6ed8f26
--- /dev/null
+++ b/ssh-cavs_driver.pl
diff -up openssh-6.8p1/ssh-cavs_driver.pl.kdf-cavs openssh-6.8p1/ssh-cavs_driver.pl
--- openssh-6.8p1/ssh-cavs_driver.pl.kdf-cavs 2015-03-18 11:23:46.348049354 +0100
+++ openssh-6.8p1/ssh-cavs_driver.pl 2015-03-18 11:23:46.348049354 +0100
@@ -0,0 +1,184 @@
+#!/usr/bin/env perl
+#
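Review bot: In the new ssh-cavs.c error path `if ((ssh = ssh_packet_set_connection(NULL, -1, -1)) == NULL){ printf("Allocation error\n"); goto out; }`, `ret` still holds its initial 0, so sshkdf_cavs() returns success when the ssh context could not be allocated, unlike the sibling newkeys allocation failure a few lines earlier that sets `ret = 1;` before jumping to out; add `ret = 1;` before that `goto out`. The out: path also frees `kex.newkeys[0]` and `kex.newkeys[1]` with plain free() and then calls `ssh_packet_close(ssh)` while `ssh->kex` still points at the stack-allocated `kex`; whether ssh_packet_close() touches `ssh->kex` or those newkeys is not visible here, so it is worth confirming it does not release them a second time, or clearing `ssh->kex = NULL` before the close. Parts of sshkdf_cavs() fall between the shown hunks.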


@ -1,8 +1,6 @@
diff --git a/HOWTO.ldap-keys b/HOWTO.ldap-keys
new file mode 100644
index 0000000..dd5f5cc
--- /dev/null
+++ b/HOWTO.ldap-keys
diff -up openssh-6.8p1/HOWTO.ldap-keys.ldap openssh-6.8p1/HOWTO.ldap-keys
--- openssh-6.8p1/HOWTO.ldap-keys.ldap 2015-03-18 11:11:29.029801467 +0100
+++ openssh-6.8p1/HOWTO.ldap-keys 2015-03-18 11:11:29.029801467 +0100
@@ -0,0 +1,119 @@
+
+HOW TO START
@ -123,10 +121,9 @@ index 0000000..dd5f5cc
+5) Author
+ Jan F. Chadima <jchadima@redhat.com>
+
diff --git a/Makefile.in b/Makefile.in
index 06be3d5..f02aa1e 100644
--- a/Makefile.in
+++ b/Makefile.in
diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in
--- openssh-6.8p1/Makefile.in.ldap 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/Makefile.in 2015-03-18 11:13:10.147561177 +0100
@@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server
@ -146,8 +143,8 @@ index 06be3d5..f02aa1e 100644
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
LIBOPENSSH_OBJS=\
ssherr.o \
@@ -108,8 +111,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
ssh_api.o \
@@ -112,8 +115,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
sandbox-seccomp-filter.o sandbox-capsicum.o
@ -158,17 +155,17 @@ index 06be3d5..f02aa1e 100644
MANTYPE = @MANTYPE@
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
@@ -180,6 +183,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readco
@@ -184,6 +187,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o
+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -295,6 +301,10 @@ install-files:
@@ -311,6 +317,10 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@ -179,7 +176,7 @@ index 06be3d5..f02aa1e 100644
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
@@ -311,6 +321,10 @@ install-files:
@@ -327,6 +337,10 @@ install-files:
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@ -190,7 +187,7 @@ index 06be3d5..f02aa1e 100644
-rm -f $(DESTDIR)$(bindir)/slogin
ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
@@ -340,6 +354,13 @@ install-sysconf:
@@ -356,6 +370,13 @@ install-sysconf:
else \
echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
fi
@ -204,7 +201,7 @@ index 06be3d5..f02aa1e 100644
host-key: ssh-keygen$(EXEEXT)
@if [ -z "$(DESTDIR)" ] ; then \
@@ -403,6 +424,8 @@ uninstall:
@@ -419,6 +440,8 @@ uninstall:
-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@ -213,7 +210,7 @@ index 06be3d5..f02aa1e 100644
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
@@ -414,6 +437,7 @@ uninstall:
@@ -430,6 +453,7 @@ uninstall:
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@ -221,11 +218,10 @@ index 06be3d5..f02aa1e 100644
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
regress-prep:
diff --git a/configure.ac b/configure.ac
index 67c4486..6553074 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1569,6 +1569,106 @@ if test "x$use_pie" != "xno"; then
diff -up openssh-6.8p1/configure.ac.ldap openssh-6.8p1/configure.ac
--- openssh-6.8p1/configure.ac.ldap 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/configure.ac 2015-03-18 11:11:29.030801464 +0100
@@ -1605,6 +1605,106 @@ if test "x$use_pie" != "xno"; then
fi
fi
@ -332,11 +328,9 @@ index 67c4486..6553074 100644
dnl Checks for library functions. Please keep in alphabetical order
AC_CHECK_FUNCS([ \
Blowfish_initstate \
diff --git a/ldap-helper.c b/ldap-helper.c
new file mode 100644
index 0000000..e95a94a
--- /dev/null
+++ b/ldap-helper.c
diff -up openssh-6.8p1/ldap-helper.c.ldap openssh-6.8p1/ldap-helper.c
--- openssh-6.8p1/ldap-helper.c.ldap 2015-03-18 11:11:29.030801464 +0100
+++ openssh-6.8p1/ldap-helper.c 2015-03-18 11:11:29.030801464 +0100
@@ -0,0 +1,155 @@
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -493,11 +487,9 @@ index 0000000..e95a94a
+void *buffer_get_string(Buffer *b, u_int *l) { return NULL; }
+void buffer_put_string(Buffer *b, const void *f, u_int l) {}
+
diff --git a/ldap-helper.h b/ldap-helper.h
new file mode 100644
index 0000000..14cb29a
--- /dev/null
+++ b/ldap-helper.h
diff -up openssh-6.8p1/ldap-helper.h.ldap openssh-6.8p1/ldap-helper.h
--- openssh-6.8p1/ldap-helper.h.ldap 2015-03-18 11:11:29.031801462 +0100
+++ openssh-6.8p1/ldap-helper.h 2015-03-18 11:11:29.031801462 +0100
@@ -0,0 +1,32 @@
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -531,11 +523,9 @@ index 0000000..14cb29a
+extern int config_warning_config_file;
+
+#endif /* LDAP_HELPER_H */
diff --git a/ldap.conf b/ldap.conf
new file mode 100644
index 0000000..42e38d3
--- /dev/null
+++ b/ldap.conf
diff -up openssh-6.8p1/ldap.conf.ldap openssh-6.8p1/ldap.conf
--- openssh-6.8p1/ldap.conf.ldap 2015-03-18 11:11:29.031801462 +0100
+++ openssh-6.8p1/ldap.conf 2015-03-18 11:11:29.031801462 +0100
@@ -0,0 +1,95 @@
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
+#
@ -632,11 +622,9 @@ index 0000000..42e38d3
+
+#AccountClass posixAccount
+
diff --git a/ldapbody.c b/ldapbody.c
new file mode 100644
index 0000000..3029108
--- /dev/null
+++ b/ldapbody.c
diff -up openssh-6.8p1/ldapbody.c.ldap openssh-6.8p1/ldapbody.c
--- openssh-6.8p1/ldapbody.c.ldap 2015-03-18 11:11:29.031801462 +0100
+++ openssh-6.8p1/ldapbody.c 2015-03-18 11:11:29.031801462 +0100
@@ -0,0 +1,493 @@
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -1131,11 +1119,9 @@ index 0000000..3029108
+ return;
+}
+
diff --git a/ldapbody.h b/ldapbody.h
new file mode 100644
index 0000000..665dca2
--- /dev/null
+++ b/ldapbody.h
diff -up openssh-6.8p1/ldapbody.h.ldap openssh-6.8p1/ldapbody.h
--- openssh-6.8p1/ldapbody.h.ldap 2015-03-18 11:11:29.031801462 +0100
+++ openssh-6.8p1/ldapbody.h 2015-03-18 11:11:29.031801462 +0100
@@ -0,0 +1,37 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -1174,11 +1160,9 @@ index 0000000..665dca2
+
+#endif /* LDAPBODY_H */
+
diff --git a/ldapconf.c b/ldapconf.c
new file mode 100644
index 0000000..b49cae6
--- /dev/null
+++ b/ldapconf.c
diff -up openssh-6.8p1/ldapconf.c.ldap openssh-6.8p1/ldapconf.c
--- openssh-6.8p1/ldapconf.c.ldap 2015-03-18 11:11:29.032801460 +0100
+++ openssh-6.8p1/ldapconf.c 2015-03-18 11:11:29.032801460 +0100
@@ -0,0 +1,728 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -1908,11 +1892,9 @@ index 0000000..b49cae6
+ dump_cfg_string(lAccountClass, options.account_class);
+}
+
diff --git a/ldapconf.h b/ldapconf.h
new file mode 100644
index 0000000..2cb550c
--- /dev/null
+++ b/ldapconf.h
diff -up openssh-6.8p1/ldapconf.h.ldap openssh-6.8p1/ldapconf.h
--- openssh-6.8p1/ldapconf.h.ldap 2015-03-18 11:11:29.032801460 +0100
+++ openssh-6.8p1/ldapconf.h 2015-03-18 11:11:29.032801460 +0100
@@ -0,0 +1,73 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -1987,11 +1969,9 @@ index 0000000..2cb550c
+void dump_config(void);
+
+#endif /* LDAPCONF_H */
diff --git a/ldapincludes.h b/ldapincludes.h
new file mode 100644
index 0000000..8539bdc
--- /dev/null
+++ b/ldapincludes.h
diff -up openssh-6.8p1/ldapincludes.h.ldap openssh-6.8p1/ldapincludes.h
--- openssh-6.8p1/ldapincludes.h.ldap 2015-03-18 11:11:29.032801460 +0100
+++ openssh-6.8p1/ldapincludes.h 2015-03-18 11:11:29.032801460 +0100
@@ -0,0 +1,41 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -2034,11 +2014,9 @@ index 0000000..8539bdc
+#endif
+
+#endif /* LDAPINCLUDES_H */
diff --git a/ldapmisc.c b/ldapmisc.c
new file mode 100644
index 0000000..de23c0c
--- /dev/null
+++ b/ldapmisc.c
diff -up openssh-6.8p1/ldapmisc.c.ldap openssh-6.8p1/ldapmisc.c
--- openssh-6.8p1/ldapmisc.c.ldap 2015-03-18 11:11:29.032801460 +0100
+++ openssh-6.8p1/ldapmisc.c 2015-03-18 11:11:29.032801460 +0100
@@ -0,0 +1,79 @@
+
+#include "ldapincludes.h"
@ -2119,11 +2097,9 @@ index 0000000..de23c0c
+}
+#endif
+
diff --git a/ldapmisc.h b/ldapmisc.h
new file mode 100644
index 0000000..4c271df
--- /dev/null
+++ b/ldapmisc.h
diff -up openssh-6.8p1/ldapmisc.h.ldap openssh-6.8p1/ldapmisc.h
--- openssh-6.8p1/ldapmisc.h.ldap 2015-03-18 11:11:29.032801460 +0100
+++ openssh-6.8p1/ldapmisc.h 2015-03-18 11:11:29.032801460 +0100
@@ -0,0 +1,35 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -2160,11 +2136,9 @@ index 0000000..4c271df
+
+#endif /* LDAPMISC_H */
+
diff --git a/openssh-lpk-openldap.schema b/openssh-lpk-openldap.schema
new file mode 100644
index 0000000..c84f90f
--- /dev/null
+++ b/openssh-lpk-openldap.schema
diff -up openssh-6.8p1/openssh-lpk-openldap.schema.ldap openssh-6.8p1/openssh-lpk-openldap.schema
--- openssh-6.8p1/openssh-lpk-openldap.schema.ldap 2015-03-18 11:11:29.033801457 +0100
+++ openssh-6.8p1/openssh-lpk-openldap.schema 2015-03-18 11:11:29.033801457 +0100
@@ -0,0 +1,21 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2187,11 +2161,9 @@ index 0000000..c84f90f
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid )
+ )
diff --git a/openssh-lpk-sun.schema b/openssh-lpk-sun.schema
new file mode 100644
index 0000000..3136673
--- /dev/null
+++ b/openssh-lpk-sun.schema
diff -up openssh-6.8p1/openssh-lpk-sun.schema.ldap openssh-6.8p1/openssh-lpk-sun.schema
--- openssh-6.8p1/openssh-lpk-sun.schema.ldap 2015-03-18 11:11:29.033801457 +0100
+++ openssh-6.8p1/openssh-lpk-sun.schema 2015-03-18 11:11:29.033801457 +0100
@@ -0,0 +1,23 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2216,11 +2188,9 @@ index 0000000..3136673
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid )
+ )
diff --git a/ssh-ldap-helper.8 b/ssh-ldap-helper.8
new file mode 100644
index 0000000..5d2d7be
--- /dev/null
+++ b/ssh-ldap-helper.8
diff -up openssh-6.8p1/ssh-ldap-helper.8.ldap openssh-6.8p1/ssh-ldap-helper.8
--- openssh-6.8p1/ssh-ldap-helper.8.ldap 2015-03-18 11:11:29.033801457 +0100
+++ openssh-6.8p1/ssh-ldap-helper.8 2015-03-18 11:11:29.033801457 +0100
@@ -0,0 +1,79 @@
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\"
@ -2301,21 +2271,17 @@ index 0000000..5d2d7be
+OpenSSH 5.5 + PKA-LDAP .
+.Sh AUTHORS
+.An Jan F. Chadima Aq jchadima@redhat.com
diff --git a/ssh-ldap-wrapper b/ssh-ldap-wrapper
new file mode 100644
index 0000000..cb500aa
--- /dev/null
+++ b/ssh-ldap-wrapper
diff -up openssh-6.8p1/ssh-ldap-wrapper.ldap openssh-6.8p1/ssh-ldap-wrapper
--- openssh-6.8p1/ssh-ldap-wrapper.ldap 2015-03-18 11:11:29.033801457 +0100
+++ openssh-6.8p1/ssh-ldap-wrapper 2015-03-18 11:11:29.033801457 +0100
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
+
diff --git a/ssh-ldap.conf.5 b/ssh-ldap.conf.5
new file mode 100644
index 0000000..f7081b8
--- /dev/null
+++ b/ssh-ldap.conf.5
diff -up openssh-6.8p1/ssh-ldap.conf.5.ldap openssh-6.8p1/ssh-ldap.conf.5
--- openssh-6.8p1/ssh-ldap.conf.5.ldap 2015-03-18 11:11:29.033801457 +0100
+++ openssh-6.8p1/ssh-ldap.conf.5 2015-03-18 11:11:29.033801457 +0100
@@ -0,0 +1,385 @@
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\"
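Review bot: The link-time stubs added in ldap-helper.c, `void *buffer_get_string(Buffer *b, u_int *l) { return NULL; }` and the empty `buffer_put_string`, silence unresolved symbols from libssh.a but turn any reachable call into a NULL dereference or a silent no-op instead of a link error. If they exist only because objects pulled from libssh.a reference them on paths the helper never executes (the hunk does not show this), a comment such as `/* link-time stubs only: libssh.a references these but ssh-ldap-helper never calls them */` would record that, and making them call fatal() instead of returning NULL would turn a future regression into a loud failure. The reworked link rule now also links sshbuf-getput-basic.o and ssherr.o, which suggests the helper has moved to the sshbuf API and these legacy Buffer stubs may be obsolete; worth confirming before they are carried forward. The surrounding file contents start and end outside the visible hunks.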

@ -1,6 +1,7 @@
--- openssh-5.3p1/sftp-server.8 2015-02-10 10:08:09.611849984 +0100
+++ openssh-5.3p1/sftp-server.8.perms 2015-02-10 10:08:52.204120509 +0100
@@ -33,6 +33,7 @@
diff -up openssh-6.8p1/sftp-server.8.sftp-force-mode openssh-6.8p1/sftp-server.8
--- openssh-6.8p1/sftp-server.8.sftp-force-mode 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/sftp-server.8 2015-03-18 13:18:05.898306477 +0100
@@ -38,6 +38,7 @@
.Op Fl P Ar blacklisted_requests
.Op Fl p Ar whitelisted_requests
.Op Fl u Ar umask
@ -8,7 +9,7 @@
.Ek
.Nm
.Fl Q Ar protocol_feature
@@ -77,6 +78,10 @@ Sets an explicit
@@ -138,6 +139,10 @@ Sets an explicit
.Xr umask 2
to be applied to newly-created files and directories, instead of the
user's default mask.
@ -19,9 +20,10 @@
.El
.Pp
On some systems,
--- openssh-5.3p1/sftp-server.c 2015-02-10 10:08:09.611849984 +0100
+++ openssh-5.3p1/sftp-server.c.perms 2015-02-10 10:39:00.855453028 +0100
@@ -70,6 +70,10 @@ Buffer oqueue;
diff -up openssh-6.8p1/sftp-server.c.sftp-force-mode openssh-6.8p1/sftp-server.c
--- openssh-6.8p1/sftp-server.c.sftp-force-mode 2015-03-18 13:18:05.883306513 +0100
+++ openssh-6.8p1/sftp-server.c 2015-03-18 13:18:36.697232193 +0100
@@ -70,6 +70,10 @@ struct sshbuf *oqueue;
/* Version of client */
static u_int version;
@ -32,10 +34,10 @@
/* SSH2_FXP_INIT received */
static int init_done;
@@ -551,6 +555,10 @@ process_open(void)
a = get_attrib();
@@ -693,6 +697,10 @@ process_open(u_int32_t id)
debug3("request %u: open flags %d", id, pflags);
flags = flags_from_portable(pflags);
mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a->perm : 0666;
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
+ if (permforce == 1) { /* Force perm if -m is set */
+ mode = permforcemode;
+ (void)umask(0); /* so umask does not interfere */
@ -43,7 +45,7 @@
logit("open \"%s\" flags %s mode 0%o",
name, string_from_portable(pflags), mode);
if (readonly &&
@@ -1322,7 +1330,7 @@ sftp_server_usage(void)
@@ -1495,7 +1503,7 @@ sftp_server_usage(void)
fprintf(stderr,
"usage: %s [-ehR] [-d start_directory] [-f log_facility] "
"[-l log_level]\n\t[-P blacklisted_requests] "
@ -52,7 +54,7 @@
" %s -Q protocol_feature\n",
__progname, __progname);
exit(1);
@@ -1343,7 +1351,7 @@ sftp_server_main(int argc, char **argv,
@@ -1520,7 +1528,7 @@ sftp_server_main(int argc, char **argv,
pw = pwcopy(user_pw);
while (!skipargs && (ch = getopt(argc, argv,
@ -61,7 +63,7 @@
switch (ch) {
case 'Q':
if (strcasecmp(optarg, "requests") != 0) {
@@ -1373,6 +1381,15 @@ sftp_server_main(int argc, char **argv,
@@ -1580,6 +1588,15 @@ sftp_server_main(int argc, char **argv,
fatal("Invalid umask \"%s\"", optarg);
(void)umask((mode_t)mask);
break;
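Review bot: The forced-mode branch in process_open calls `(void)umask(0)` and never restores the previous mask, so after the first forced open the whole sftp-server process keeps a zero umask; any mask the administrator set with `-u` is then silently lost for every later file or directory the server creates through other requests, which are not visible in this hunk. The mask should be scoped to the open call, e.g. `mode_t saved = umask(0);` before the open() and `(void)umask(saved);` right after it, so the forced permission applies only to the file being opened; the open() itself lies outside the hunk, so exact placement depends on lines not shown. process_open starts and ends outside the hunk.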

@ -1,14 +1,7 @@
--- a/servconf.c 2015-01-30 12:24:12.388337643 +0100
+++ b/servconf.c 2015-01-30 12:26:36.229229751 +0100
@@ -55,6 +55,7 @@
#include "hostfile.h"
#include "auth.h"
#include "digest.h"
+#include "myproposal.h"
static void add_listen_addr(ServerOptions *, char *, int);
static void add_one_listen_addr(ServerOptions *, char *, int);
@@ -1974,6 +1974,8 @@ dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
diff -up openssh-6.8p1/servconf.c.sshdt openssh-6.8p1/servconf.c
--- openssh-6.8p1/servconf.c.sshdt 2015-03-18 13:07:24.457858235 +0100
+++ openssh-6.8p1/servconf.c 2015-03-18 13:09:27.253557396 +0100
@@ -2118,6 +2118,8 @@ dump_cfg_strarray_oneline(ServerOpCodes
{
u_int i;
@ -17,7 +10,7 @@
printf("%s", lookup_opcode_name(code));
for (i = 0; i < count; i++)
printf(" %s", vals[i]);
@@ -2093,7 +2094,7 @@
@@ -2156,7 +2158,7 @@ dump_config(ServerOptions *o)
/* integer arguments */
#ifdef USE_PAM
@ -26,7 +19,7 @@
#endif
dump_cfg_int(sServerKeyBits, o->server_key_bits);
dump_cfg_int(sLoginGraceTime, o->login_grace_time);
@@ -2103,6 +2104,7 @@
@@ -2166,6 +2168,7 @@ dump_config(ServerOptions *o)
dump_cfg_int(sMaxSessions, o->max_sessions);
dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
@ -34,7 +27,7 @@
/* formatted integer arguments */
dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
@@ -2150,6 +2152,7 @@
@@ -2213,6 +2216,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
@ -42,19 +35,7 @@
dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
@@ -2159,9 +2162,8 @@
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
dump_cfg_string(sXAuthLocation, o->xauth_location);
- dump_cfg_string(sCiphers, o->ciphers ? o->ciphers :
- cipher_alg_list(',', 0));
- dump_cfg_string(sMacs, o->macs ? o->macs : mac_alg_list(','));
+ dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
+ dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
dump_cfg_string(sBanner, o->banner);
dump_cfg_string(sForceCommand, o->adm_forced_command);
dump_cfg_string(sChrootDirectory, o->chroot_directory);
@@ -2169,12 +2171,13 @@
@@ -2231,7 +2235,8 @@ dump_config(ServerOptions *o)
dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
dump_cfg_string(sAuthorizedPrincipalsFile,
o->authorized_principals_file);
@ -64,14 +45,7 @@
dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
dump_cfg_string(sHostKeyAgent, o->host_key_agent);
- dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
- kex_alg_list(','));
+ dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
+ KEX_SERVER_KEX);
/* string arguments requiring a lookup */
dump_cfg_string(sLogLevel, log_level_name(o->log_level));
@@ -2096,7 +2101,7 @@ dump_config(ServerOptions *o)
@@ -2251,7 +2256,7 @@ dump_config(ServerOptions *o)
o->authorized_keys_files);
dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
o->host_key_files);

@ -65,10 +65,10 @@
%endif
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%define openssh_ver 6.7p1
%define openssh_rel 11
%define openssh_ver 6.8p1
%define openssh_rel 1
%define pam_ssh_agent_ver 0.9.3
%define pam_ssh_agent_rel 4
%define pam_ssh_agent_rel 5
Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh
@ -96,8 +96,6 @@ Patch0: openssh-5.9p1-wIm.patch
#?
Patch100: openssh-6.7p1-coverity.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1872
Patch101: openssh-6.7p1-fingerprint.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1894
#https://bugzilla.redhat.com/show_bug.cgi?id=735889
Patch102: openssh-5.8p1-getaddrinfo.patch
@ -140,8 +138,6 @@ Patch604: openssh-6.6p1-keyperm.patch
Patch606: openssh-5.9p1-ipv6man.patch
#?
Patch607: openssh-5.8p2-sigpipe.patch
#?
Patch608: openssh-6.1p1-askpass-ld.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1789
Patch609: openssh-5.5p1-x11.patch
@ -193,9 +189,6 @@ Patch911: openssh-6.6p1-set_remote_ipaddr.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2058
# slightly changed patch from comment 10
Patch912: openssh-6.6.1p1-utf8-banner.patch
# don't consider a partial success as a failure
# https://bugzilla.mindrot.org/show_bug.cgi?id=2270
Patch913: openssh-6.6.1p1-partial-success.patch
# fix parsing of empty options in sshd_conf
# https://bugzilla.mindrot.org/show_bug.cgi?id=2281
Patch914: openssh-6.6.1p1-servconf-parser.patch
@ -377,7 +370,6 @@ The module is most useful for su and sudo service stacks.
%patch0 -p1 -b .wIm
%endif
%patch101 -p1 -b .fingerprint
# investigate %patch102 -p1 -b .getaddrinfo
%patch103 -p1 -b .packet
@ -408,7 +400,6 @@ popd
%patch604 -p1 -b .keyperm
%patch606 -p1 -b .ipv6man
%patch607 -p1 -b .sigpipe
%patch608 -p1 -b .askpass-ld
%patch609 -p1 -b .x11
%patch702 -p1 -b .progress
%patch703 -p1 -b .grab-info
@ -431,7 +422,6 @@ popd
%patch906 -p1 -b .fromto-remote
%patch911 -p1 -b .set_remote_ipaddr
%patch912 -p1 -b .utf8-banner
%patch913 -p1 -b .partial-success
%patch914 -p1 -b .servconf
%patch916 -p1 -b .contexts
%patch917 -p1 -b .cisco-dh
@ -764,6 +754,9 @@ getent passwd sshd >/dev/null || \
%endif
%changelog
* Fri Mar 20 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-1 + 0.9.3.5
- new upstream release openssh-6.8p1
* Thu Mar 12 2015 Jakub Jelen <jjelen@redhat.com> 6.7p1-11 + 0.9.3-4
- Ability to specify LDAP filter in ldap.conf for ssh-ldap-helper
- Fix auditing when using combination of ForceCommand and PTY
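Review bot: The new changelog heading reads `6.8p1-1 + 0.9.3.5`, but the release defined a few lines above is `pam_ssh_agent_rel 5`, i.e. `0.9.3-5`, and the previous entry uses the `0.9.3-4` form; the heading should be `6.8p1-1 + 0.9.3-5` so the entries stay consistent and greppable. The entry also only mentions the upstream rebase while this commit drops three patches (fingerprint, askpass-ld, partial-success), which is presumably because they were merged upstream; a one-line note saying so would save the next maintainer from checking.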

@ -1,2 +1,2 @@
9872ca1983e566ff5a89c240529e223d pam_ssh_agent_auth-0.9.3.tar.bz2
3246aa79317b1d23cae783a3bf8275d6 openssh-6.7p1.tar.gz
08f72de6751acfbd0892b5f003922701 openssh-6.8p1.tar.gz