diff --git a/.gitignore b/.gitignore index e407e89..b64821a 100644 --- a/.gitignore +++ b/.gitignore @@ -13,3 +13,4 @@ pam_ssh_agent_auth-0.9.2.tar.bz2 /openssh-6.3p1.tar.gz /openssh-6.4p1.tar.gz /openssh-6.6p1.tar.gz +/openssh-6.7p1.tar.gz diff --git a/openssh-5.6p1-exit-deadlock.patch b/openssh-5.6p1-exit-deadlock.patch deleted file mode 100644 index 278dfa1..0000000 --- a/openssh-5.6p1-exit-deadlock.patch +++ /dev/null @@ -1,14 +0,0 @@ -diff -up openssh-5.6p1/channels.c.exit-deadlock openssh-5.6p1/channels.c ---- openssh-5.6p1/channels.c.exit-deadlock 2010-08-05 15:09:48.000000000 +0200 -+++ openssh-5.6p1/channels.c 2010-08-23 12:41:43.000000000 +0200 -@@ -1647,6 +1647,10 @@ channel_handle_wfd(Channel *c, fd_set *r - u_int dlen, olen = 0; - int len; - -+ if(c->wfd != -1 && buffer_len(&c->output) > 0 && c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { -+ debug("channel %d: forcing write", c->self); -+ FD_SET(c->wfd, writeset); -+ } - /* Send buffered output data to the socket. */ - if (c->wfd != -1 && - FD_ISSET(c->wfd, writeset) && diff --git a/openssh-5.9p1-edns.patch b/openssh-5.9p1-edns.patch deleted file mode 100644 index 34f3851..0000000 --- a/openssh-5.9p1-edns.patch +++ /dev/null @@ -1,72 +0,0 @@ -diff -up openssh-5.9p1/dns.c.edns openssh-5.9p1/dns.c ---- openssh-5.9p1/dns.c.edns 2010-08-31 14:41:14.000000000 +0200 -+++ openssh-5.9p1/dns.c 2011-09-09 08:05:27.782440497 +0200 -@@ -177,6 +177,7 @@ verify_host_key_dns(const char *hostname - { - u_int counter; - int result; -+ unsigned int rrset_flags = 0; - struct rrsetinfo *fingerprints = NULL; - - u_int8_t hostkey_algorithm; -@@ -200,8 +201,19 @@ verify_host_key_dns(const char *hostname - return -1; - } - -+ /* -+ * Original getrrsetbyname function, found on OpenBSD for example, -+ * doesn't accept any flag and prerequisite for obtaining AD bit in -+ * DNS response is set by "options edns0" in resolv.conf. -+ * -+ * Our version is more clever and use RRSET_FORCE_EDNS0 flag. -+ */ -+#ifndef HAVE_GETRRSETBYNAME -+ rrset_flags |= RRSET_FORCE_EDNS0; -+#endif - result = getrrsetbyname(hostname, DNS_RDATACLASS_IN, -- DNS_RDATATYPE_SSHFP, 0, &fingerprints); -+ DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints); -+ - if (result) { - verbose("DNS lookup error: %s", dns_result_totext(result)); - return -1; -diff -up openssh-5.9p1/openbsd-compat/getrrsetbyname.c.edns openssh-5.9p1/openbsd-compat/getrrsetbyname.c ---- openssh-5.9p1/openbsd-compat/getrrsetbyname.c.edns 2009-07-13 03:38:23.000000000 +0200 -+++ openssh-5.9p1/openbsd-compat/getrrsetbyname.c 2011-09-09 15:03:39.930500801 +0200 -@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, uns - goto fail; - } - -- /* don't allow flags yet, unimplemented */ -- if (flags) { -+ /* Allow RRSET_FORCE_EDNS0 flag only. */ -+ if ((flags & ~RRSET_FORCE_EDNS0) != 0) { - result = ERRSET_INVAL; - goto fail; - } -@@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, uns - #endif /* DEBUG */ - - #ifdef RES_USE_DNSSEC -- /* turn on DNSSEC if EDNS0 is configured */ -- if (_resp->options & RES_USE_EDNS0) -- _resp->options |= RES_USE_DNSSEC; -+ /* turn on DNSSEC if required */ -+ if (flags & RRSET_FORCE_EDNS0) -+ _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC); - #endif /* RES_USE_DNSEC */ - - /* make query */ -diff -up openssh-5.9p1/openbsd-compat/getrrsetbyname.h.edns openssh-5.9p1/openbsd-compat/getrrsetbyname.h ---- openssh-5.9p1/openbsd-compat/getrrsetbyname.h.edns 2007-10-26 08:26:50.000000000 +0200 -+++ openssh-5.9p1/openbsd-compat/getrrsetbyname.h 2011-09-09 08:05:27.965438689 +0200 -@@ -72,6 +72,9 @@ - #ifndef RRSET_VALIDATED - # define RRSET_VALIDATED 1 - #endif -+#ifndef RRSET_FORCE_EDNS0 -+# define RRSET_FORCE_EDNS0 0x0001 -+#endif - - /* - * Return codes for getrrsetbyname() diff --git a/openssh-6.2p1-vendor.patch b/openssh-6.2p1-vendor.patch index ddccd2c..583a486 100644 --- a/openssh-6.2p1-vendor.patch +++ b/openssh-6.2p1-vendor.patch @@ -1,7 +1,8 @@ -diff -up openssh-6.2p1/configure.ac.vendor openssh-6.2p1/configure.ac ---- openssh-6.2p1/configure.ac.vendor 2013-03-25 19:34:01.277495179 +0100 -+++ openssh-6.2p1/configure.ac 2013-03-25 19:34:01.377495818 +0100 -@@ -4420,6 +4420,12 @@ AC_ARG_WITH([lastlog], +diff --git a/configure.ac b/configure.ac +index 6553074..8dedb95 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -4676,6 +4676,12 @@ AC_ARG_WITH([lastlog], fi ] ) @@ -14,7 +15,7 @@ diff -up openssh-6.2p1/configure.ac.vendor openssh-6.2p1/configure.ac dnl lastlog, [uw]tmpx? detection dnl NOTE: set the paths in the platform section to avoid the -@@ -4681,6 +4687,7 @@ echo " Translate v4 in v6 hack +@@ -4938,6 +4944,7 @@ echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" echo " BSD Auth support: $BSD_AUTH_MSG" echo " Random number source: $RAND_MSG" echo " Privsep sandbox style: $SANDBOX_STYLE" @@ -22,10 +23,11 @@ diff -up openssh-6.2p1/configure.ac.vendor openssh-6.2p1/configure.ac echo "" -diff -up openssh-6.2p1/servconf.c.vendor openssh-6.2p1/servconf.c ---- openssh-6.2p1/servconf.c.vendor 2013-03-25 19:34:01.197494668 +0100 -+++ openssh-6.2p1/servconf.c 2013-03-25 19:34:01.379495831 +0100 -@@ -128,6 +128,7 @@ initialize_server_options(ServerOptions +diff --git a/servconf.c b/servconf.c +index e3ebaac..c8a3f28 100644 +--- a/servconf.c ++++ b/servconf.c +@@ -141,6 +141,7 @@ initialize_server_options(ServerOptions *options) options->max_authtries = -1; options->max_sessions = -1; options->banner = NULL; @@ -33,17 +35,16 @@ diff -up openssh-6.2p1/servconf.c.vendor openssh-6.2p1/servconf.c options->use_dns = -1; options->client_alive_interval = -1; options->client_alive_count_max = -1; -@@ -287,6 +288,9 @@ fill_default_server_options(ServerOption +@@ -310,6 +311,8 @@ fill_default_server_options(ServerOptions *options) options->ip_qos_bulk = IPTOS_THROUGHPUT; if (options->version_addendum == NULL) options->version_addendum = xstrdup(""); + if (options->show_patchlevel == -1) + options->show_patchlevel = 0; -+ - /* Turn privilege separation on by default */ - if (use_privsep == -1) - use_privsep = PRIVSEP_NOSANDBOX; -@@ -324,7 +328,7 @@ typedef enum { + if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) + options->fwd_opts.streamlocal_bind_mask = 0177; + if (options->fwd_opts.streamlocal_bind_unlink == -1) +@@ -353,7 +356,7 @@ typedef enum { sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, @@ -52,7 +53,7 @@ diff -up openssh-6.2p1/servconf.c.vendor openssh-6.2p1/servconf.c sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, -@@ -439,6 +443,7 @@ static struct { +@@ -467,6 +470,7 @@ static struct { { "maxauthtries", sMaxAuthTries, SSHCFG_ALL }, { "maxsessions", sMaxSessions, SSHCFG_ALL }, { "banner", sBanner, SSHCFG_ALL }, @@ -60,7 +61,7 @@ diff -up openssh-6.2p1/servconf.c.vendor openssh-6.2p1/servconf.c { "usedns", sUseDNS, SSHCFG_GLOBAL }, { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, -@@ -1163,6 +1168,10 @@ process_server_config_line(ServerOptions +@@ -1263,6 +1267,10 @@ process_server_config_line(ServerOptions *options, char *line, multistate_ptr = multistate_privsep; goto parse_multistate; @@ -71,18 +72,19 @@ diff -up openssh-6.2p1/servconf.c.vendor openssh-6.2p1/servconf.c case sAllowUsers: while ((arg = strdelim(&cp)) && *arg != '\0') { if (options->num_allow_users >= MAX_ALLOW_USERS) -@@ -1950,6 +1959,7 @@ dump_config(ServerOptions *o) +@@ -2081,6 +2089,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sUseLogin, o->use_login); dump_cfg_fmtint(sCompression, o->compression); - dump_cfg_fmtint(sGatewayPorts, o->gateway_ports); + dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports); + dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel); dump_cfg_fmtint(sUseDNS, o->use_dns); dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); - dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); -diff -up openssh-6.2p1/servconf.h.vendor openssh-6.2p1/servconf.h ---- openssh-6.2p1/servconf.h.vendor 2013-01-09 05:56:45.000000000 +0100 -+++ openssh-6.2p1/servconf.h 2013-03-25 19:34:01.379495831 +0100 -@@ -147,6 +147,7 @@ typedef struct { + dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); +diff --git a/servconf.h b/servconf.h +index 49b228b..21719e2 100644 +--- a/servconf.h ++++ b/servconf.h +@@ -149,6 +149,7 @@ typedef struct { int max_authtries; int max_sessions; char *banner; /* SSH-2 banner message */ @@ -90,10 +92,34 @@ diff -up openssh-6.2p1/servconf.h.vendor openssh-6.2p1/servconf.h int use_dns; int client_alive_interval; /* * poke the client this often to -diff -up openssh-6.2p1/sshd_config.vendor openssh-6.2p1/sshd_config ---- openssh-6.2p1/sshd_config.vendor 2013-03-25 19:34:01.380495837 +0100 -+++ openssh-6.2p1/sshd_config 2013-03-25 19:44:43.471296362 +0100 -@@ -118,6 +118,7 @@ UsePrivilegeSeparation sandbox # Defaul +diff --git a/sshd.c b/sshd.c +index afe9afa..193b206 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -432,7 +432,7 @@ sshd_exchange_identification(int sock_in, int sock_out) + } + + xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", +- major, minor, SSH_VERSION, ++ major, minor, (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, + *options.version_addendum == '\0' ? "" : " ", + options.version_addendum, newline); + +@@ -1677,7 +1677,8 @@ main(int ac, char **av) + exit(1); + } + +- debug("sshd version %s, %s", SSH_VERSION, ++ debug("sshd version %s, %s", ++ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, + #ifdef WITH_OPENSSL + SSLeay_version(SSLEAY_VERSION) + #else +diff --git a/sshd_config b/sshd_config +index 3092ac6..da3db5d 100644 +--- a/sshd_config ++++ b/sshd_config +@@ -119,6 +119,7 @@ UsePrivilegeSeparation sandbox # Default for new installations. #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 @@ -101,10 +127,11 @@ diff -up openssh-6.2p1/sshd_config.vendor openssh-6.2p1/sshd_config #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10:30:100 -diff -up openssh-6.2p1/sshd_config.0.vendor openssh-6.2p1/sshd_config.0 ---- openssh-6.2p1/sshd_config.0.vendor 2013-03-25 19:34:01.361495716 +0100 -+++ openssh-6.2p1/sshd_config.0 2013-03-25 19:34:01.381495844 +0100 -@@ -595,6 +595,11 @@ DESCRIPTION +diff --git a/sshd_config.0 b/sshd_config.0 +index 43867d3..a3898c3 100644 +--- a/sshd_config.0 ++++ b/sshd_config.0 +@@ -700,6 +700,11 @@ DESCRIPTION Defines the number of bits in the ephemeral protocol version 1 server key. The minimum value is 512, and the default is 1024. @@ -113,13 +140,14 @@ diff -up openssh-6.2p1/sshd_config.0.vendor openssh-6.2p1/sshd_config.0 + the binary in the server identification string. The patch level + is set at compile-time. The default is M-bM-^@M-^\noM-bM-^@M-^]. + - StrictModes - Specifies whether sshd(8) should check file modes and ownership - of the user's files and home directory before accepting login. -diff -up openssh-6.2p1/sshd_config.5.vendor openssh-6.2p1/sshd_config.5 ---- openssh-6.2p1/sshd_config.5.vendor 2013-03-25 19:34:01.362495722 +0100 -+++ openssh-6.2p1/sshd_config.5 2013-03-25 19:34:01.382495850 +0100 -@@ -1019,6 +1019,14 @@ This option applies to protocol version + StreamLocalBindMask + Sets the octal file creation mode mask (umask) used when creating + a Unix-domain socket file for local or remote port forwarding. +diff --git a/sshd_config.5 b/sshd_config.5 +index 89a0cf2..cccb310 100644 +--- a/sshd_config.5 ++++ b/sshd_config.5 +@@ -1200,6 +1200,13 @@ This option applies to protocol version 1 only. .It Cm ServerKeyBits Defines the number of bits in the ephemeral protocol version 1 server key. The minimum value is 512, and the default is 1024. @@ -130,29 +158,6 @@ diff -up openssh-6.2p1/sshd_config.5.vendor openssh-6.2p1/sshd_config.5 +The patch level is set at compile-time. +The default is +.Dq no . -+This option applies to protocol version 1 only. - .It Cm StrictModes - Specifies whether - .Xr sshd 8 -diff -up openssh-6.2p1/sshd.c.vendor openssh-6.2p1/sshd.c ---- openssh-6.2p1/sshd.c.vendor 2013-03-25 19:34:01.332495531 +0100 -+++ openssh-6.2p1/sshd.c 2013-03-25 19:44:11.864112092 +0100 -@@ -442,7 +442,7 @@ sshd_exchange_identification(int sock_in - } - - xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", -- major, minor, SSH_VERSION, -+ major, minor, (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, - *options.version_addendum == '\0' ? "" : " ", - options.version_addendum, newline); - -@@ -1675,7 +1675,8 @@ main(int ac, char **av) - exit(1); - } - -- debug("sshd version %s, %s", SSH_VERSION, -+ debug("sshd version %s, %s", -+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, - SSLeay_version(SSLEAY_VERSION)); - - /* Store privilege separation user for later use if required. */ + .It Cm StreamLocalBindMask + Sets the octal file creation mode mask + .Pq umask diff --git a/openssh-6.6.1p1-audit-pfs.patch b/openssh-6.6.1p1-audit-pfs.patch deleted file mode 100644 index 35be907..0000000 --- a/openssh-6.6.1p1-audit-pfs.patch +++ /dev/null @@ -1,212 +0,0 @@ -diff --git a/audit-bsm.c b/audit-bsm.c -index 5160869..c7a1b47 100644 ---- a/audit-bsm.c -+++ b/audit-bsm.c -@@ -481,7 +481,7 @@ audit_unsupported_body(int what) - } - - void --audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid, uid_t uid) -+audit_kex_body(int ctos, char *enc, char *mac, char *compress, char *pfs, pid_t pid, uid_t uid) - { - /* not implemented */ - } -diff --git a/audit-linux.c b/audit-linux.c -index 6954fc1..6686f6a 100644 ---- a/audit-linux.c -+++ b/audit-linux.c -@@ -297,7 +297,7 @@ audit_unsupported_body(int what) - const static char *direction[] = { "from-server", "from-client", "both" }; - - void --audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid, -+audit_kex_body(int ctos, char *enc, char *mac, char *compress, char *pfs, pid_t pid, - uid_t uid) - { - #ifdef AUDIT_CRYPTO_SESSION -@@ -306,8 +306,8 @@ audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid, - Cipher *cipher = cipher_by_name(enc); - char *s; - -- snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d mac=%s spid=%jd suid=%jd rport=%d laddr=%s lport=%d ", -- direction[ctos], enc, cipher ? 8 * cipher->key_len : 0, mac, -+ snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d mac=%s pfs=%s spid=%jd suid=%jd rport=%d laddr=%s lport=%d ", -+ direction[ctos], enc, cipher ? 8 * cipher->key_len : 0, mac, pfs, - (intmax_t)pid, (intmax_t)uid, - get_remote_port(), (s = get_local_ipaddr(packet_get_connection_in())), get_local_port()); - free(s); -diff --git a/audit.c b/audit.c -index 13c6849..5b49434 100644 ---- a/audit.c -+++ b/audit.c -@@ -135,9 +135,9 @@ audit_unsupported(int what) - } - - void --audit_kex(int ctos, char *enc, char *mac, char *comp) -+audit_kex(int ctos, char *enc, char *mac, char *comp, char *pfs) - { -- PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid())); -+ PRIVSEP(audit_kex_body(ctos, enc, mac, comp, pfs, getpid(), getuid())); - } - - void -@@ -270,11 +270,11 @@ audit_unsupported_body(int what) - * This will be called on succesfull protocol negotiation. - */ - void --audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid, -+audit_kex_body(int ctos, char *enc, char *mac, char *compress, char *pfs, pid_t pid, - uid_t uid) - { -- debug("audit protocol negotiation euid %d direction %d cipher %s mac %s compresion %s from pid %ld uid %u", -- (unsigned)geteuid(), ctos, enc, mac, compress, (long)pid, -+ debug("audit protocol negotiation euid %d direction %d cipher %s mac %s compresion %s pfs %s from pid %ld uid %u", -+ (unsigned)geteuid(), ctos, enc, mac, compress, pfs, (long)pid, - (unsigned)uid); - } - -diff --git a/audit.h b/audit.h -index a2dc3ff..903df66 100644 ---- a/audit.h -+++ b/audit.h -@@ -61,9 +61,9 @@ ssh_audit_event_t audit_classify_auth(const char *); - int audit_keyusage(int, const char *, unsigned, char *, int); - void audit_key(int, int *, const Key *); - void audit_unsupported(int); --void audit_kex(int, char *, char *, char *); -+void audit_kex(int, char *, char *, char *, char *); - void audit_unsupported_body(int); --void audit_kex_body(int, char *, char *, char *, pid_t, uid_t); -+void audit_kex_body(int, char *, char *, char *, char *, pid_t, uid_t); - void audit_session_key_free(int ctos); - void audit_session_key_free_body(int ctos, pid_t, uid_t); - void audit_destroy_sensitive_data(const char *, pid_t, uid_t); -diff --git a/auditstub.c b/auditstub.c -index 45817e0..116f460 100644 ---- a/auditstub.c -+++ b/auditstub.c -@@ -35,7 +35,7 @@ audit_unsupported(int n) - } - - void --audit_kex(int ctos, char *enc, char *mac, char *comp) -+audit_kex(int ctos, char *enc, char *mac, char *comp, char *pfs) - { - } - -diff --git a/kex.c b/kex.c -index ede7b67..eb5f333 100644 ---- a/kex.c -+++ b/kex.c -@@ -553,13 +553,12 @@ kex_choose_conf(Kex *kex) - newkeys->enc.name, - authlen == 0 ? newkeys->mac.name : "", - newkeys->comp.name); --#ifdef SSH_AUDIT_EVENTS -- audit_kex(ctos, newkeys->enc.name, newkeys->mac.name, newkeys->comp.name); --#endif - } -+ - choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]); - choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], - sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]); -+ - need = dh_need = 0; - for (mode = 0; mode < MODE_MAX; mode++) { - newkeys = kex->newkeys[mode]; -@@ -571,11 +570,16 @@ kex_choose_conf(Kex *kex) - dh_need = MAX(dh_need, newkeys->enc.block_size); - dh_need = MAX(dh_need, newkeys->enc.iv_len); - dh_need = MAX(dh_need, newkeys->mac.key_len); -+ debug("kex: %s need=%d dh_need=%d", kex->name, need, dh_need); -+#ifdef SSH_AUDIT_EVENTS -+ audit_kex(mode, newkeys->enc.name, newkeys->mac.name, newkeys->comp.name, kex->name); -+#endif - } - /* XXX need runden? */ - kex->we_need = need; - kex->dh_need = dh_need; - -+ - /* ignore the next message if the proposals do not match */ - if (first_kex_follows && !proposals_match(my, peer) && - !(datafellows & SSH_BUG_FIRSTKEX)) { -diff --git a/monitor.c b/monitor.c -index 70b9b4c..81bc9c1 100644 ---- a/monitor.c -+++ b/monitor.c -@@ -2396,7 +2396,7 @@ int - mm_answer_audit_kex_body(int sock, Buffer *m) - { - int ctos, len; -- char *cipher, *mac, *compress; -+ char *cipher, *mac, *compress, *pfs; - pid_t pid; - uid_t uid; - -@@ -2404,14 +2404,16 @@ mm_answer_audit_kex_body(int sock, Buffer *m) - cipher = buffer_get_string(m, &len); - mac = buffer_get_string(m, &len); - compress = buffer_get_string(m, &len); -+ pfs = buffer_get_string(m, &len); - pid = buffer_get_int64(m); - uid = buffer_get_int64(m); - -- audit_kex_body(ctos, cipher, mac, compress, pid, uid); -+ audit_kex_body(ctos, cipher, mac, compress, pfs, pid, uid); - - free(cipher); - free(mac); - free(compress); -+ free(pfs); - buffer_clear(m); - - mm_request_send(sock, MONITOR_ANS_AUDIT_KEX, m); -diff --git a/monitor_wrap.c b/monitor_wrap.c -index 93f6535..69b29d8 100644 ---- a/monitor_wrap.c -+++ b/monitor_wrap.c -@@ -1408,7 +1408,7 @@ mm_audit_unsupported_body(int what) - } - - void --mm_audit_kex_body(int ctos, char *cipher, char *mac, char *compress, pid_t pid, -+mm_audit_kex_body(int ctos, char *cipher, char *mac, char *compress, char *fps, pid_t pid, - uid_t uid) - { - Buffer m; -@@ -1418,6 +1418,7 @@ mm_audit_kex_body(int ctos, char *cipher, char *mac, char *compress, pid_t pid, - buffer_put_cstring(&m, cipher); - buffer_put_cstring(&m, (mac ? mac : "")); - buffer_put_cstring(&m, compress); -+ buffer_put_cstring(&m, fps); - buffer_put_int64(&m, pid); - buffer_put_int64(&m, uid); - -diff --git a/monitor_wrap.h b/monitor_wrap.h -index 4cf0c78..e43109f 100644 ---- a/monitor_wrap.h -+++ b/monitor_wrap.h -@@ -83,7 +83,7 @@ void mm_audit_event(ssh_audit_event_t); - int mm_audit_run_command(const char *); - void mm_audit_end_command(int, const char *); - void mm_audit_unsupported_body(int); --void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t); -+void mm_audit_kex_body(int, char *, char *, char *, char *, pid_t, uid_t); - void mm_audit_session_key_free_body(int, pid_t, uid_t); - void mm_audit_destroy_sensitive_data(const char *, pid_t, uid_t); - #endif -diff --git a/sshd.c b/sshd.c -index ee94825..41a94a7 100644 ---- a/sshd.c -+++ b/sshd.c -@@ -2430,7 +2430,7 @@ do_ssh1_kex(void) - packet_disconnect("IP Spoofing check bytes do not match."); - - #ifdef SSH_AUDIT_EVENTS -- audit_kex(2, cipher_name(cipher_type), "crc", "none"); -+ audit_kex(2, cipher_name(cipher_type), "crc", "none", "none"); - #endif - - debug("Encryption type: %.200s", cipher_name(cipher_type)); diff --git a/openssh-6.6.1p1-log-in-chroot.patch b/openssh-6.6.1p1-log-in-chroot.patch index bccf39b..bca27be 100644 --- a/openssh-6.6.1p1-log-in-chroot.patch +++ b/openssh-6.6.1p1-log-in-chroot.patch @@ -40,10 +40,10 @@ index ae7df25..30c3310 100644 int log_is_on_stderr(void); void log_redirect_stderr_to(const char *); diff --git a/monitor.c b/monitor.c -index 7461fae..da2f766 100644 +index 7ebc76e..d97e640 100644 --- a/monitor.c +++ b/monitor.c -@@ -364,6 +364,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) +@@ -378,6 +378,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) close(pmonitor->m_log_sendfd); pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1; @@ -52,7 +52,7 @@ index 7461fae..da2f766 100644 authctxt = _authctxt; memset(authctxt, 0, sizeof(*authctxt)); -@@ -472,6 +474,8 @@ monitor_child_postauth(struct monitor *pmonitor) +@@ -486,6 +488,8 @@ monitor_child_postauth(struct monitor *pmonitor) close(pmonitor->m_recvfd); pmonitor->m_recvfd = -1; @@ -61,7 +61,7 @@ index 7461fae..da2f766 100644 monitor_set_child_handler(pmonitor->m_pid); signal(SIGHUP, &monitor_child_handler); signal(SIGTERM, &monitor_child_handler); -@@ -552,7 +556,7 @@ monitor_read_log(struct monitor *pmonitor) +@@ -566,7 +570,7 @@ monitor_read_log(struct monitor *pmonitor) if (log_level_name(level) == NULL) fatal("%s: invalid log level %u (corrupted message?)", __func__, level); @@ -70,7 +70,7 @@ index 7461fae..da2f766 100644 buffer_free(&logmsg); free(msg); -@@ -2083,13 +2087,28 @@ monitor_init(void) +@@ -2107,13 +2111,28 @@ monitor_init(void) mm_init_compression(mon->m_zlib); } @@ -119,7 +119,7 @@ index ff79fbb..00c2028 100644 struct Authctxt; diff --git a/session.c b/session.c -index e4add93..bc4a8dd 100644 +index 9c94d8e..40a681e 100644 --- a/session.c +++ b/session.c @@ -160,6 +160,8 @@ login_cap_t *lc; @@ -131,7 +131,7 @@ index e4add93..bc4a8dd 100644 /* Name and directory of socket for authentication agent forwarding. */ static char *auth_sock_name = NULL; static char *auth_sock_dir = NULL; -@@ -523,8 +525,8 @@ do_exec_no_pty(Session *s, const char *command) +@@ -505,8 +507,8 @@ do_exec_no_pty(Session *s, const char *command) is_child = 1; /* Child. Reinitialize the log since the pid has changed. */ @@ -142,7 +142,7 @@ index e4add93..bc4a8dd 100644 /* * Create a new session and process group since the 4.4BSD -@@ -692,8 +694,8 @@ do_exec_pty(Session *s, const char *command) +@@ -674,8 +676,8 @@ do_exec_pty(Session *s, const char *command) close(ptymaster); /* Child. Reinitialize the log because the pid has changed. */ @@ -153,7 +153,7 @@ index e4add93..bc4a8dd 100644 /* Close the master side of the pseudo tty. */ close(ptyfd); -@@ -797,6 +799,7 @@ do_exec(Session *s, const char *command) +@@ -779,6 +781,7 @@ do_exec(Session *s, const char *command) int ret; const char *forced = NULL; char session_type[1024], *tty = NULL; @@ -161,7 +161,7 @@ index e4add93..bc4a8dd 100644 if (options.adm_forced_command) { original_command = command; -@@ -854,6 +857,10 @@ do_exec(Session *s, const char *command) +@@ -836,6 +839,10 @@ do_exec(Session *s, const char *command) tty += 5; } @@ -172,7 +172,7 @@ index e4add93..bc4a8dd 100644 verbose("Starting session: %s%s%s for %s from %.200s port %d", session_type, tty == NULL ? "" : " on ", -@@ -1681,14 +1688,6 @@ child_close_fds(void) +@@ -1677,14 +1684,6 @@ child_close_fds(void) * descriptors left by system functions. They will be closed later. */ endpwent(); @@ -187,7 +187,7 @@ index e4add93..bc4a8dd 100644 } /* -@@ -1834,8 +1833,6 @@ do_child(Session *s, const char *command) +@@ -1830,8 +1829,6 @@ do_child(Session *s, const char *command) exit(1); } @@ -196,7 +196,7 @@ index e4add93..bc4a8dd 100644 if (!options.use_login) do_rc_files(s, shell); -@@ -1859,9 +1856,17 @@ do_child(Session *s, const char *command) +@@ -1855,9 +1852,17 @@ do_child(Session *s, const char *command) argv[i] = NULL; optind = optreset = 1; __progname = argv[0]; @@ -227,10 +227,10 @@ index 7e644ab..e162b7a 100644 + return (sftp_server_main(argc, argv, user_pw, 0)); } diff --git a/sftp-server.c b/sftp-server.c -index b8eb59c..a0e644c 100644 +index 0177130..8fa7fc7 100644 --- a/sftp-server.c +++ b/sftp-server.c -@@ -1437,7 +1437,7 @@ sftp_server_usage(void) +@@ -1440,7 +1440,7 @@ sftp_server_usage(void) } int @@ -239,7 +239,7 @@ index b8eb59c..a0e644c 100644 { fd_set *rset, *wset; int i, in, out, max, ch, skipargs = 0, log_stderr = 0; -@@ -1450,7 +1450,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) +@@ -1453,7 +1453,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) extern char *__progname; __progname = ssh_get_progname(argv[0]); @@ -248,15 +248,15 @@ index b8eb59c..a0e644c 100644 pw = pwcopy(user_pw); -@@ -1521,7 +1521,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) +@@ -1524,7 +1524,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) } } - log_init(__progname, log_level, log_facility, log_stderr); + log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler); - if ((cp = getenv("SSH_CONNECTION")) != NULL) { - client_addr = xstrdup(cp); + #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) + /* diff --git a/sftp.h b/sftp.h index 2bde8bb..ddf1a39 100644 --- a/sftp.h @@ -269,10 +269,10 @@ index 2bde8bb..ddf1a39 100644 +int sftp_server_main(int, char **, struct passwd *, int); void sftp_server_cleanup_exit(int) __attribute__((noreturn)); diff --git a/sshd.c b/sshd.c -index 3eee75a..9c00bcb 100644 +index 39b9c08..ca55d7f 100644 --- a/sshd.c +++ b/sshd.c -@@ -745,7 +745,7 @@ privsep_postauth(Authctxt *authctxt) +@@ -737,7 +737,7 @@ privsep_postauth(Authctxt *authctxt) } /* New socket pair */ @@ -281,7 +281,7 @@ index 3eee75a..9c00bcb 100644 pmonitor->m_pid = fork(); if (pmonitor->m_pid == -1) -@@ -763,6 +763,11 @@ privsep_postauth(Authctxt *authctxt) +@@ -755,6 +755,11 @@ privsep_postauth(Authctxt *authctxt) close(pmonitor->m_sendfd); pmonitor->m_sendfd = -1; diff --git a/openssh-6.6.1p1-selinux-contexts.patch b/openssh-6.6.1p1-selinux-contexts.patch index a831a15..425ffda 100644 --- a/openssh-6.6.1p1-selinux-contexts.patch +++ b/openssh-6.6.1p1-selinux-contexts.patch @@ -1,16 +1,16 @@ diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c -index 0077dd7..e3f2ced 100644 +index 8f32464..18a2ca4 100644 --- a/openbsd-compat/port-linux-sshd.c +++ b/openbsd-compat/port-linux-sshd.c -@@ -31,6 +31,7 @@ - #include "xmalloc.h" +@@ -32,6 +32,7 @@ + #include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */ #include "servconf.h" #include "port-linux.h" +#include "misc.h" #include "key.h" #include "hostfile.h" #include "auth.h" -@@ -444,7 +445,7 @@ sshd_selinux_setup_exec_context(char *pwname) +@@ -445,7 +446,7 @@ sshd_selinux_setup_exec_context(char *pwname) void sshd_selinux_copy_context(void) { @@ -19,7 +19,7 @@ index 0077dd7..e3f2ced 100644 if (!sshd_selinux_enabled()) return; -@@ -460,6 +461,58 @@ sshd_selinux_copy_context(void) +@@ -461,6 +462,58 @@ sshd_selinux_copy_context(void) } } @@ -104,10 +104,10 @@ index cb51f99..8b7cda2 100644 #ifdef LINUX_OOM_ADJUST diff --git a/sshd.c b/sshd.c -index 512c7ed..3eee75a 100644 +index 2871fe9..39b9c08 100644 --- a/sshd.c +++ b/sshd.c -@@ -637,7 +637,7 @@ privsep_preauth_child(void) +@@ -629,7 +629,7 @@ privsep_preauth_child(void) demote_sensitive_data(); #ifdef WITH_SELINUX diff --git a/openssh-6.6p1-GSSAPIEnablek5users.patch b/openssh-6.6p1-GSSAPIEnablek5users.patch index a60d608..a51e199 100644 --- a/openssh-6.6p1-GSSAPIEnablek5users.patch +++ b/openssh-6.6p1-GSSAPIEnablek5users.patch @@ -1,5 +1,5 @@ diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c -index 0a4930e..a7c0c5f 100644 +index 961c564..0fcfd7b 100644 --- a/gss-serv-krb5.c +++ b/gss-serv-krb5.c @@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name, @@ -20,27 +20,27 @@ index 0a4930e..a7c0c5f 100644 k5login_exists); } diff --git a/servconf.c b/servconf.c -index d482e79..ad5869b 100644 +index e4164b1..87a311b 100644 --- a/servconf.c +++ b/servconf.c -@@ -158,6 +158,7 @@ initialize_server_options(ServerOptions *options) - options->ip_qos_bulk = -1; +@@ -164,6 +164,7 @@ initialize_server_options(ServerOptions *options) options->version_addendum = NULL; + options->fingerprint_hash = -1; options->use_kuserok = -1; + options->enable_k5users = -1; } void -@@ -315,6 +316,8 @@ fill_default_server_options(ServerOptions *options) - options->show_patchlevel = 0; +@@ -331,6 +332,8 @@ fill_default_server_options(ServerOptions *options) + options->fingerprint_hash = SSH_FP_HASH_DEFAULT; if (options->use_kuserok == -1) options->use_kuserok = 1; + if (options->enable_k5users == -1) + options->enable_k5users = 0; - /* Turn privilege separation on by default */ if (use_privsep == -1) -@@ -356,7 +359,7 @@ typedef enum { + use_privsep = PRIVSEP_NOSANDBOX; +@@ -371,7 +374,7 @@ typedef enum { sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, @@ -49,7 +49,7 @@ index d482e79..ad5869b 100644 sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel, sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, -@@ -430,6 +433,7 @@ static struct { +@@ -447,6 +450,7 @@ static struct { { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, @@ -57,7 +57,7 @@ index d482e79..ad5869b 100644 #else { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, -@@ -437,6 +441,7 @@ static struct { +@@ -454,6 +458,7 @@ static struct { { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, @@ -65,7 +65,7 @@ index d482e79..ad5869b 100644 #endif { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL }, { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL }, -@@ -1536,6 +1541,10 @@ process_server_config_line(ServerOptions *options, char *line, +@@ -1566,6 +1571,10 @@ process_server_config_line(ServerOptions *options, char *line, intptr = &options->use_kuserok; goto parse_flag; @@ -76,7 +76,7 @@ index d482e79..ad5869b 100644 case sPermitOpen: arg = strdelim(&cp); if (!arg || *arg == '\0') -@@ -1824,6 +1833,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) +@@ -1884,6 +1893,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_bulk); M_CP_INTOPT(use_kuserok); @@ -84,19 +84,19 @@ index d482e79..ad5869b 100644 M_CP_INTOPT(rekey_limit); M_CP_INTOPT(rekey_interval); -@@ -2076,6 +2086,7 @@ dump_config(ServerOptions *o) - dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); +@@ -2143,6 +2153,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); + dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok); + dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users); /* string arguments */ dump_cfg_string(sPidFile, o->pid_file); diff --git a/servconf.h b/servconf.h -index 5117dfa..d63cb71 100644 +index cf2a505..070a8ed 100644 --- a/servconf.h +++ b/servconf.h -@@ -173,7 +173,8 @@ typedef struct { +@@ -175,7 +175,8 @@ typedef struct { int num_permitted_opens; @@ -107,7 +107,7 @@ index 5117dfa..d63cb71 100644 char *revoked_keys_file; char *trusted_user_ca_keys; diff --git a/sshd_config b/sshd_config -index 43671f6..6ab00ed 100644 +index 0d9454d..e731de1 100644 --- a/sshd_config +++ b/sshd_config @@ -94,6 +94,7 @@ GSSAPIAuthentication yes @@ -119,10 +119,10 @@ index 43671f6..6ab00ed 100644 # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will diff --git a/sshd_config.5 b/sshd_config.5 -index e0e5fff..aa9525d 100644 +index eb4dd9e..ce1229b 100644 --- a/sshd_config.5 +++ b/sshd_config.5 -@@ -505,6 +505,12 @@ on logout. +@@ -548,6 +548,12 @@ on logout. The default is .Dq yes . Note that this option applies to protocol version 2 only. diff --git a/openssh-6.6p1-ctr-cavstest.patch b/openssh-6.6p1-ctr-cavstest.patch index 1997fa6..c752d62 100644 --- a/openssh-6.6p1-ctr-cavstest.patch +++ b/openssh-6.6p1-ctr-cavstest.patch @@ -1,5 +1,5 @@ diff --git a/Makefile.in b/Makefile.in -index 4ab6717..581b121 100644 +index b225217..bbc3034 100644 --- a/Makefile.in +++ b/Makefile.in @@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign @@ -10,16 +10,16 @@ index 4ab6717..581b121 100644 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper PRIVSEP_PATH=@PRIVSEP_PATH@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ -@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@ +@@ -66,7 +67,7 @@ EXEEXT=@EXEEXT@ MANFMT=@MANFMT@ INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@ --TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) +-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) - LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ - canohost.o channels.o cipher.o cipher-aes.o \ -@@ -180,6 +181,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o + LIBOPENSSH_OBJS=\ + ssherr.o \ +@@ -190,6 +191,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o $(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(SSHLIBS) @@ -29,7 +29,7 @@ index 4ab6717..581b121 100644 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -@@ -288,6 +292,7 @@ install-files: +@@ -310,6 +314,7 @@ install-files: $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ fi $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT) diff --git a/openssh-6.6p1-entropy.patch b/openssh-6.6p1-entropy.patch index 67bd30f..6076165 100644 --- a/openssh-6.6p1-entropy.patch +++ b/openssh-6.6p1-entropy.patch @@ -1,8 +1,8 @@ diff --git a/entropy.c b/entropy.c -index 2d483b3..b361a04 100644 +index 1e9d52a..d24e724 100644 --- a/entropy.c +++ b/entropy.c -@@ -234,6 +234,9 @@ seed_rng(void) +@@ -227,6 +227,9 @@ seed_rng(void) memset(buf, '\0', sizeof(buf)); #endif /* OPENSSL_PRNG_ONLY */ @@ -13,12 +13,12 @@ index 2d483b3..b361a04 100644 fatal("PRNG is not seeded"); } diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in -index b912dbe..9206337 100644 +index 843225d..041bbab 100644 --- a/openbsd-compat/Makefile.in +++ b/openbsd-compat/Makefile.in @@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di - COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o + COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o -PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o +PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o @@ -27,7 +27,7 @@ index b912dbe..9206337 100644 $(CC) $(CFLAGS) $(CPPFLAGS) -c $< diff --git a/openbsd-compat/port-linux-prng.c b/openbsd-compat/port-linux-prng.c new file mode 100644 -index 0000000..92a617c +index 0000000..da84bf2 --- /dev/null +++ b/openbsd-compat/port-linux-prng.c @@ -0,0 +1,59 @@ @@ -63,6 +63,7 @@ index 0000000..92a617c + +#include "log.h" +#include "xmalloc.h" ++#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */ +#include "servconf.h" +#include "port-linux.h" +#include "key.h" @@ -72,10 +73,9 @@ index 0000000..92a617c +void +linux_seed(void) +{ -+ int len; + char *env = getenv("SSH_USE_STRONG_RNG"); + char *random = "/dev/random"; -+ size_t ienv, randlen = 14; ++ size_t len, ienv, randlen = 14; + + if (!env || !strcmp(env, "0")) + random = "/dev/urandom"; @@ -91,7 +91,7 @@ index 0000000..92a617c + } +} diff --git a/ssh-add.0 b/ssh-add.0 -index ba43fee..0b2629a 100644 +index f16165a..17d22cf 100644 --- a/ssh-add.0 +++ b/ssh-add.0 @@ -82,6 +82,16 @@ ENVIRONMENT @@ -112,10 +112,10 @@ index ba43fee..0b2629a 100644 ~/.ssh/identity Contains the protocol version 1 RSA authentication identity of diff --git a/ssh-add.1 b/ssh-add.1 -index 4812448..16305bf 100644 +index 04d1840..db883a4 100644 --- a/ssh-add.1 +++ b/ssh-add.1 -@@ -161,6 +161,20 @@ to make this work.) +@@ -170,6 +170,20 @@ to make this work.) Identifies the path of a .Ux Ns -domain socket used to communicate with the agent. @@ -137,10 +137,10 @@ index 4812448..16305bf 100644 .Sh FILES .Bl -tag -width Ds diff --git a/ssh-agent.1 b/ssh-agent.1 -index 281ecbd..1a9a635 100644 +index d7e791b..7332f0d 100644 --- a/ssh-agent.1 +++ b/ssh-agent.1 -@@ -201,6 +201,24 @@ sockets used to contain the connection to the authentication agent. +@@ -189,6 +189,24 @@ sockets used to contain the connection to the authentication agent. These sockets should only be readable by the owner. The sockets should get automatically removed when the agent exits. .El @@ -166,10 +166,10 @@ index 281ecbd..1a9a635 100644 .Xr ssh 1 , .Xr ssh-add 1 , diff --git a/ssh-keygen.1 b/ssh-keygen.1 -index 12e00d4..1b51a4a 100644 +index 276dacc..a09d9b1 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 -@@ -832,6 +832,24 @@ Contains Diffie-Hellman groups used for DH-GEX. +@@ -841,6 +841,24 @@ Contains Diffie-Hellman groups used for DH-GEX. The file format is described in .Xr moduli 5 . .El @@ -224,10 +224,10 @@ index 69d0829..02d79f8 100644 .Xr ssh 1 , .Xr ssh-keygen 1 , diff --git a/ssh.1 b/ssh.1 -index 929904b..f65e42f 100644 +index 4a476c2..410a04a 100644 --- a/ssh.1 +++ b/ssh.1 -@@ -1309,6 +1309,23 @@ For more information, see the +@@ -1299,6 +1299,23 @@ For more information, see the .Cm PermitUserEnvironment option in .Xr sshd_config 5 . @@ -252,10 +252,10 @@ index 929904b..f65e42f 100644 .Bl -tag -width Ds -compact .It Pa ~/.rhosts diff --git a/sshd.8 b/sshd.8 -index c2c237f..058d37a 100644 +index cb866b5..adcaaf9 100644 --- a/sshd.8 +++ b/sshd.8 -@@ -951,6 +951,24 @@ concurrently for different ports, this contains the process ID of the one +@@ -945,6 +945,24 @@ concurrently for different ports, this contains the process ID of the one started last). The content of this file is not sensitive; it can be world-readable. .El diff --git a/openssh-6.6p1-fingerprint.patch b/openssh-6.6p1-fingerprint.patch deleted file mode 100644 index c5332fb..0000000 --- a/openssh-6.6p1-fingerprint.patch +++ /dev/null @@ -1,415 +0,0 @@ -diff --git a/auth.c b/auth.c -index 9a36f1d..420a85b 100644 ---- a/auth.c -+++ b/auth.c -@@ -685,9 +685,10 @@ auth_key_is_revoked(Key *key) - case 1: - revoked: - /* Key revoked */ -- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); -+ key_fp = key_selected_fingerprint(key, SSH_FP_HEX); - error("WARNING: authentication attempt with a revoked " -- "%s key %s ", key_type(key), key_fp); -+ "%s key %s%s ", key_type(key), -+ key_fingerprint_prefix(), key_fp); - free(key_fp); - return 1; - } -diff --git a/auth2-hostbased.c b/auth2-hostbased.c -index 488008f..eca0069 100644 ---- a/auth2-hostbased.c -+++ b/auth2-hostbased.c -@@ -206,16 +206,18 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, - - if (host_status == HOST_OK) { - if (key_is_cert(key)) { -- fp = key_fingerprint(key->cert->signature_key, -- SSH_FP_MD5, SSH_FP_HEX); -+ fp = key_selected_fingerprint(key->cert->signature_key, -+ SSH_FP_HEX); - verbose("Accepted certificate ID \"%s\" signed by " -- "%s CA %s from %s@%s", key->cert->key_id, -- key_type(key->cert->signature_key), fp, -+ "%s CA %s%s from %s@%s", key->cert->key_id, -+ key_type(key->cert->signature_key), -+ key_fingerprint_prefix(), fp, - cuser, lookup); - } else { -- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); -- verbose("Accepted %s public key %s from %s@%s", -- key_type(key), fp, cuser, lookup); -+ fp = key_selected_fingerprint(key, SSH_FP_HEX); -+ verbose("Accepted %s public key %s%s from %s@%s", -+ key_type(key), key_fingerprint_prefix(), -+ fp, cuser, lookup); - } - free(fp); - } -diff --git a/auth2-pubkey.c b/auth2-pubkey.c -index 0fd27bb..749b11a 100644 ---- a/auth2-pubkey.c -+++ b/auth2-pubkey.c -@@ -365,10 +365,10 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) - continue; - if (!key_is_cert_authority) - continue; -- fp = key_fingerprint(found, SSH_FP_MD5, -- SSH_FP_HEX); -- debug("matching CA found: file %s, line %lu, %s %s", -- file, linenum, key_type(found), fp); -+ fp = key_selected_fingerprint(found, SSH_FP_HEX); -+ debug("matching CA found: file %s, line %lu, %s %s%s", -+ file, linenum, key_type(found), -+ key_fingerprint_prefix(), fp); - /* - * If the user has specified a list of principals as - * a key option, then prefer that list to matching -@@ -406,9 +406,9 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) - if (key_is_cert_authority) - continue; - found_key = 1; -- fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); -- debug("matching key found: file %s, line %lu %s %s", -- file, linenum, key_type(found), fp); -+ fp = key_selected_fingerprint(found, SSH_FP_HEX); -+ verbose("Found matching %s key: %s%s", -+ key_type(found), key_fingerprint_prefix(), fp); - free(fp); - break; - } -@@ -431,13 +431,13 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) - if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL) - return 0; - -- ca_fp = key_fingerprint(key->cert->signature_key, -- SSH_FP_MD5, SSH_FP_HEX); -+ ca_fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX); - - if (key_in_file(key->cert->signature_key, - options.trusted_user_ca_keys, 1) != 1) { -- debug2("%s: CA %s %s is not listed in %s", __func__, -- key_type(key->cert->signature_key), ca_fp, -+ debug2("%s: CA %s%s %s is not listed in %s", __func__, -+ key_type(key->cert->signature_key), -+ key_fingerprint_prefix(), ca_fp, - options.trusted_user_ca_keys); - goto out; - } -diff --git a/key.c b/key.c -index 168e1b7..eb98ea8 100644 ---- a/key.c -+++ b/key.c -@@ -628,6 +628,34 @@ key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep) - return retval; - } - -+enum fp_type -+key_fingerprint_selection(void) -+{ -+ static enum fp_type rv; -+ static char rv_defined = 0; -+ char *env; -+ -+ if (!rv_defined) { -+ env = getenv("SSH_FINGERPRINT_TYPE"); -+ rv = (env && !strcmp (env, "sha")) ? -+ SSH_FP_SHA1 : SSH_FP_MD5; -+ rv_defined = 1; -+ } -+ return rv; -+} -+ -+char * -+key_selected_fingerprint(Key *k, enum fp_rep dgst_rep) -+{ -+ return key_fingerprint(k, key_fingerprint_selection(), dgst_rep); -+} -+ -+char * -+key_fingerprint_prefix(void) -+{ -+ return key_fingerprint_selection() == SSH_FP_SHA1 ? "sha1:" : ""; -+} -+ - /* - * Reads a multiple-precision integer in decimal from the buffer, and advances - * the pointer. The integer must already be initialized. This function is -diff --git a/key.h b/key.h -index d8ad13d..0e3eea5 100644 ---- a/key.h -+++ b/key.h -@@ -104,6 +104,9 @@ int key_equal_public(const Key *, const Key *); - int key_equal(const Key *, const Key *); - char *key_fingerprint(const Key *, enum fp_type, enum fp_rep); - u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *); -+enum fp_type key_fingerprint_selection(void); -+char *key_selected_fingerprint(Key *, enum fp_rep); -+char *key_fingerprint_prefix(void); - const char *key_type(const Key *); - const char *key_cert_type(const Key *); - int key_write(const Key *, FILE *); -diff --git a/ssh-add.c b/ssh-add.c -index 3421452..691949f 100644 ---- a/ssh-add.c -+++ b/ssh-add.c -@@ -330,10 +330,10 @@ list_identities(AuthenticationConnection *ac, int do_fp) - key = ssh_get_next_identity(ac, &comment, version)) { - had_identities = 1; - if (do_fp) { -- fp = key_fingerprint(key, SSH_FP_MD5, -- SSH_FP_HEX); -- printf("%d %s %s (%s)\n", -- key_size(key), fp, comment, key_type(key)); -+ fp = key_selected_fingerprint(key, SSH_FP_HEX); -+ printf("%d %s%s %s (%s)\n", -+ key_size(key), key_fingerprint_prefix(), -+ fp, comment, key_type(key)); - free(fp); - } else { - if (!key_write(key, stdout)) -diff --git a/ssh-agent.c b/ssh-agent.c -index ba24612..117fdde 100644 ---- a/ssh-agent.c -+++ b/ssh-agent.c -@@ -198,9 +198,9 @@ confirm_key(Identity *id) - char *p; - int ret = -1; - -- p = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX); -- if (ask_permission("Allow use of key %s?\nKey fingerprint %s.", -- id->comment, p)) -+ p = key_selected_fingerprint(id->key, SSH_FP_HEX); -+ if (ask_permission("Allow use of key %s?\nKey fingerprint %s%s.", -+ id->comment, key_fingerprint_prefix(), p)) - ret = 0; - free(p); - -diff --git a/ssh-keygen.c b/ssh-keygen.c -index 2a316bc..482dc1c 100644 ---- a/ssh-keygen.c -+++ b/ssh-keygen.c -@@ -783,13 +783,14 @@ do_fingerprint(struct passwd *pw) - { - FILE *f; - Key *public; -- char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra; -+ char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra, *pfx; - int i, skip = 0, num = 0, invalid = 1; - enum fp_rep rep; - enum fp_type fptype; - struct stat st; - -- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5; -+ fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection(); -+ pfx = print_bubblebabble ? "" : key_fingerprint_prefix(); - rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; - - if (!have_identity) -@@ -801,8 +802,8 @@ do_fingerprint(struct passwd *pw) - public = key_load_public(identity_file, &comment); - if (public != NULL) { - fp = key_fingerprint(public, fptype, rep); -- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART); -- printf("%u %s %s (%s)\n", key_size(public), fp, comment, -+ ra = key_selected_fingerprint(public, SSH_FP_RANDOMART); -+ printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp, comment, - key_type(public)); - if (log_level >= SYSLOG_LEVEL_VERBOSE) - printf("%s\n", ra); -@@ -867,8 +868,8 @@ do_fingerprint(struct passwd *pw) - } - comment = *cp ? cp : comment; - fp = key_fingerprint(public, fptype, rep); -- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART); -- printf("%u %s %s (%s)\n", key_size(public), fp, -+ ra = key_selected_fingerprint(public, SSH_FP_RANDOMART); -+ printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp, - comment ? comment : "no comment", key_type(public)); - if (log_level >= SYSLOG_LEVEL_VERBOSE) - printf("%s\n", ra); -@@ -986,13 +987,15 @@ printhost(FILE *f, const char *name, Key *public, int ca, int hash) - if (print_fingerprint) { - enum fp_rep rep; - enum fp_type fptype; -- char *fp, *ra; -+ char *fp, *ra, *pfx; - -- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5; -+ fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection(); -+ pfx = print_bubblebabble ? "" : key_fingerprint_prefix(); - rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; -+ - fp = key_fingerprint(public, fptype, rep); -- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART); -- printf("%u %s %s (%s)\n", key_size(public), fp, name, -+ ra = key_selected_fingerprint(public, SSH_FP_RANDOMART); -+ printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp, name, - key_type(public)); - if (log_level >= SYSLOG_LEVEL_VERBOSE) - printf("%s\n", ra); -@@ -1878,16 +1881,17 @@ do_show_cert(struct passwd *pw) - fatal("%s is not a certificate", identity_file); - v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00; - -- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); -- ca_fp = key_fingerprint(key->cert->signature_key, -- SSH_FP_MD5, SSH_FP_HEX); -+ key_fp = key_selected_fingerprint(key, SSH_FP_HEX); -+ ca_fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX); - - printf("%s:\n", identity_file); - printf(" Type: %s %s certificate\n", key_ssh_name(key), - key_cert_type(key)); -- printf(" Public key: %s %s\n", key_type(key), key_fp); -- printf(" Signing CA: %s %s\n", -- key_type(key->cert->signature_key), ca_fp); -+ printf(" Public key: %s %s%s\n", key_type(key), -+ key_fingerprint_prefix(), key_fp); -+ printf(" Signing CA: %s %s%s\n", -+ key_type(key->cert->signature_key), -+ key_fingerprint_prefix(), ca_fp); - printf(" Key ID: \"%s\"\n", key->cert->key_id); - if (!v00) { - printf(" Serial: %llu\n", -@@ -2686,13 +2690,12 @@ passphrase_again: - fclose(f); - - if (!quiet) { -- char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX); -- char *ra = key_fingerprint(public, SSH_FP_MD5, -- SSH_FP_RANDOMART); -+ char *fp = key_selected_fingerprint(public, SSH_FP_HEX); -+ char *ra = key_selected_fingerprint(public, SSH_FP_RANDOMART); - printf("Your public key has been saved in %s.\n", - identity_file); - printf("The key fingerprint is:\n"); -- printf("%s %s\n", fp, comment); -+ printf("%s%s %s\n", key_fingerprint_prefix(), fp, comment); - printf("The key's randomart image is:\n"); - printf("%s\n", ra); - free(ra); -diff --git a/sshconnect.c b/sshconnect.c -index 573d7a8..394cca8 100644 ---- a/sshconnect.c -+++ b/sshconnect.c -@@ -914,10 +914,10 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, - "key for IP address '%.128s' to the list " - "of known hosts.", type, ip); - } else if (options.visual_host_key) { -- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); -- ra = key_fingerprint(host_key, SSH_FP_MD5, -- SSH_FP_RANDOMART); -- logit("Host key fingerprint is %s\n%s\n", fp, ra); -+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX); -+ ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART); -+ logit("Host key fingerprint is %s%s\n%s\n", -+ key_fingerprint_prefix(), fp, ra); - free(ra); - free(fp); - } -@@ -955,9 +955,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, - else - snprintf(msg1, sizeof(msg1), "."); - /* The default */ -- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); -- ra = key_fingerprint(host_key, SSH_FP_MD5, -- SSH_FP_RANDOMART); -+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX); -+ ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART); - msg2[0] = '\0'; - if (options.verify_host_key_dns) { - if (matching_host_key_dns) -@@ -972,10 +971,11 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, - snprintf(msg, sizeof(msg), - "The authenticity of host '%.200s (%s)' can't be " - "established%s\n" -- "%s key fingerprint is %s.%s%s\n%s" -+ "%s key fingerprint is %s%s.%s%s\n%s" - "Are you sure you want to continue connecting " - "(yes/no)? ", -- host, ip, msg1, type, fp, -+ host, ip, msg1, type, -+ key_fingerprint_prefix(), fp, - options.visual_host_key ? "\n" : "", - options.visual_host_key ? ra : "", - msg2); -@@ -1220,8 +1220,9 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) - int flags = 0; - char *fp; - -- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); -- debug("Server host key: %s %s", key_type(host_key), fp); -+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX); -+ debug("Server host key: %s %s%s", key_type(host_key), -+ key_fingerprint_prefix(), fp); - free(fp); - - /* XXX certs are not yet supported for DNS */ -@@ -1327,14 +1328,15 @@ show_other_keys(struct hostkeys *hostkeys, Key *key) - continue; - if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found)) - continue; -- fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX); -- ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART); -+ fp = key_selected_fingerprint(found->key, SSH_FP_HEX); -+ ra = key_selected_fingerprint(found->key, SSH_FP_RANDOMART); - logit("WARNING: %s key found for host %s\n" - "in %s:%lu\n" -- "%s key fingerprint %s.", -+ "%s key fingerprint %s%s.", - key_type(found->key), - found->host, found->file, found->line, -- key_type(found->key), fp); -+ key_type(found->key), -+ key_fingerprint_prefix(), fp); - if (options.visual_host_key) - logit("%s", ra); - free(ra); -@@ -1349,7 +1351,7 @@ warn_changed_key(Key *host_key) - { - char *fp; - -- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); -+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX); - - error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); - error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @"); -@@ -1357,8 +1359,8 @@ warn_changed_key(Key *host_key) - error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!"); - error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); - error("It is also possible that a host key has just been changed."); -- error("The fingerprint for the %s key sent by the remote host is\n%s.", -- key_type(host_key), fp); -+ error("The fingerprint for the %s key sent by the remote host is\n%s%s.", -+ key_type(host_key),key_fingerprint_prefix(), fp); - error("Please contact your system administrator."); - - free(fp); -diff --git a/sshconnect2.c b/sshconnect2.c -index 7f4ff41..adbbfc7 100644 ---- a/sshconnect2.c -+++ b/sshconnect2.c -@@ -577,8 +577,9 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt) - key->type, pktype); - goto done; - } -- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); -- debug2("input_userauth_pk_ok: fp %s", fp); -+ fp = key_selected_fingerprint(key, SSH_FP_HEX); -+ debug2("input_userauth_pk_ok: fp %s%s", -+ key_fingerprint_prefix(), fp); - free(fp); - - /* -@@ -986,8 +987,9 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id) - int have_sig = 1; - char *fp; - -- fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX); -- debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp); -+ fp = key_selected_fingerprint(id->key, SSH_FP_HEX); -+ debug3("sign_and_send_pubkey: %s %s%s", key_type(id->key), -+ key_fingerprint_prefix(), fp); - free(fp); - - if (key_to_blob(id->key, &blob, &bloblen) == 0) { diff --git a/openssh-6.6p1-force_krb.patch b/openssh-6.6p1-force_krb.patch index a242394..b7bc826 100644 --- a/openssh-6.6p1-force_krb.patch +++ b/openssh-6.6p1-force_krb.patch @@ -1,5 +1,5 @@ diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c -index 42de994..60de320 100644 +index 413b845..54dd383 100644 --- a/gss-serv-krb5.c +++ b/gss-serv-krb5.c @@ -32,7 +32,9 @@ @@ -12,12 +12,7 @@ index 42de994..60de320 100644 #include "xmalloc.h" #include "key.h" -@@ -40,10 +42,12 @@ - #include "auth.h" - #include "log.h" - #include "servconf.h" -+#include "misc.h" - +@@ -45,6 +47,7 @@ #include "buffer.h" #include "ssh-gss.h" @@ -25,7 +20,7 @@ index 42de994..60de320 100644 extern ServerOptions options; #ifdef HEIMDAL -@@ -55,6 +59,13 @@ extern ServerOptions options; +@@ -56,6 +59,13 @@ extern ServerOptions options; # include #endif @@ -39,7 +34,7 @@ index 42de994..60de320 100644 static krb5_context krb_context = NULL; /* Initialise the krb5 library, for the stuff that GSSAPI won't do */ -@@ -87,6 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) +@@ -88,6 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) krb5_principal princ; int retval; const char *errmsg; @@ -47,7 +42,7 @@ index 42de994..60de320 100644 if (ssh_gssapi_krb5_init() == 0) return 0; -@@ -98,10 +110,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) +@@ -99,10 +110,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) krb5_free_error_message(krb_context, errmsg); return 0; } @@ -71,7 +66,7 @@ index 42de994..60de320 100644 } else retval = 0; -@@ -109,6 +133,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) +@@ -110,6 +133,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) return retval; } @@ -208,10 +203,10 @@ index 42de994..60de320 100644 /* This writes out any forwarded credentials from the structure populated * during userauth. Called after we have setuid to the user */ diff --git a/session.c b/session.c -index b5dc144..ba4589b 100644 +index 28659ec..9c94d8e 100644 --- a/session.c +++ b/session.c -@@ -806,6 +806,29 @@ do_exec(Session *s, const char *command) +@@ -789,6 +789,29 @@ do_exec(Session *s, const char *command) command = forced_command; forced = "(key-option)"; } @@ -257,10 +252,10 @@ index 0374c88..509109a 100644 /* draft-ietf-secsh-gsskeyex-06 */ diff --git a/sshd.8 b/sshd.8 -index 058d37a..5c4f15b 100644 +index adcaaf9..824163b 100644 --- a/sshd.8 +++ b/sshd.8 -@@ -327,6 +327,7 @@ Finally, the server and the client enter an authentication dialog. +@@ -324,6 +324,7 @@ Finally, the server and the client enter an authentication dialog. The client tries to authenticate itself using host-based authentication, public key authentication, diff --git a/openssh-6.6p1-gsskex.patch b/openssh-6.6p1-gsskex.patch index 826acd4..6efa67d 100644 --- a/openssh-6.6p1-gsskex.patch +++ b/openssh-6.6p1-gsskex.patch @@ -1,8 +1,8 @@ diff --git a/Makefile.in b/Makefile.in -index 581b121..2ad26ff 100644 +index bbc3034..c9891e0 100644 --- a/Makefile.in +++ b/Makefile.in -@@ -77,6 +77,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ +@@ -87,6 +87,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ @@ -10,7 +10,7 @@ index 581b121..2ad26ff 100644 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ ssh-pkcs11.o krl.o smult_curve25519_ref.o \ kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ -@@ -96,7 +97,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ +@@ -106,7 +107,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ auth2-none.o auth2-passwd.o auth2-pubkey.o \ monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ kexc25519s.o auth-krb5.o \ @@ -20,10 +20,10 @@ index 581b121..2ad26ff 100644 sftp-server.o sftp-common.o \ roaming_common.o roaming_serv.o \ diff --git a/auth2-gss.c b/auth2-gss.c -index 4756dd7..ad65059 100644 +index 4803e7e..222e3e0 100644 --- a/auth2-gss.c +++ b/auth2-gss.c -@@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt); +@@ -53,6 +53,40 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt); static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); static void input_gssapi_errtok(int, u_int32_t, void *); @@ -64,7 +64,7 @@ index 4756dd7..ad65059 100644 /* * We only support those mechanisms that we know about (ie ones that we know * how to check local user kuserok and the like) -@@ -235,7 +269,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) +@@ -236,7 +270,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) packet_check_eom(); @@ -74,7 +74,7 @@ index 4756dd7..ad65059 100644 authctxt->postponed = 0; dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); -@@ -277,7 +312,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) +@@ -278,7 +313,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) gssbuf.length = buffer_len(&b); if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) @@ -84,7 +84,7 @@ index 4756dd7..ad65059 100644 else logit("GSSAPI MIC check failed"); -@@ -294,6 +330,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) +@@ -295,6 +331,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); } @@ -98,10 +98,10 @@ index 4756dd7..ad65059 100644 "gssapi-with-mic", userauth_gssapi, diff --git a/auth2.c b/auth2.c -index 5f4f26f..0f52b68 100644 +index d6fbc93..124d02b 100644 --- a/auth2.c +++ b/auth2.c -@@ -69,6 +69,7 @@ extern Authmethod method_passwd; +@@ -70,6 +70,7 @@ extern Authmethod method_passwd; extern Authmethod method_kbdint; extern Authmethod method_hostbased; #ifdef GSSAPI @@ -109,7 +109,7 @@ index 5f4f26f..0f52b68 100644 extern Authmethod method_gssapi; #endif -@@ -76,6 +77,7 @@ Authmethod *authmethods[] = { +@@ -77,6 +78,7 @@ Authmethod *authmethods[] = { &method_none, &method_pubkey, #ifdef GSSAPI @@ -118,7 +118,7 @@ index 5f4f26f..0f52b68 100644 #endif &method_passwd, diff --git a/clientloop.c b/clientloop.c -index 59ad3a2..9c60108 100644 +index 397c965..20ce0b5 100644 --- a/clientloop.c +++ b/clientloop.c @@ -111,6 +111,10 @@ @@ -132,7 +132,7 @@ index 59ad3a2..9c60108 100644 /* import options */ extern Options options; -@@ -1608,6 +1612,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) +@@ -1596,6 +1600,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) /* Do channel operations unless rekeying in progress. */ if (!rekeying) { channel_after_select(readset, writeset); @@ -149,7 +149,7 @@ index 59ad3a2..9c60108 100644 debug("need rekeying"); xxx_kex->done = 0; diff --git a/configure.ac b/configure.ac -index 74e77db..9bde04e 100644 +index 8dedb95..2c4adac 100644 --- a/configure.ac +++ b/configure.ac @@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) @@ -526,10 +526,10 @@ index b39281b..a3a2289 100644 + #endif /* GSSAPI */ diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c -index 759fa10..42de994 100644 +index 795992d..413b845 100644 --- a/gss-serv-krb5.c +++ b/gss-serv-krb5.c -@@ -120,7 +120,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) +@@ -121,7 +121,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) krb5_error_code problem; krb5_principal princ; OM_uint32 maj_status, min_status; @@ -538,7 +538,7 @@ index 759fa10..42de994 100644 const char *errmsg; if (client->creds == NULL) { -@@ -180,11 +180,26 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) +@@ -181,11 +181,26 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) return; } @@ -569,7 +569,7 @@ index 759fa10..42de994 100644 #ifdef USE_PAM if (options.use_pam) -@@ -193,9 +208,76 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) +@@ -194,9 +209,76 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) krb5_cc_close(krb_context, ccache); @@ -646,7 +646,7 @@ index 759fa10..42de994 100644 ssh_gssapi_mech gssapi_kerberos_mech = { "toWM5Slw5Ew8Mqkay+al2g==", "Kerberos", -@@ -203,7 +285,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = { +@@ -204,7 +286,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = { NULL, &ssh_gssapi_krb5_userok, NULL, @@ -657,7 +657,7 @@ index 759fa10..42de994 100644 #endif /* KRB5 */ diff --git a/gss-serv.c b/gss-serv.c -index e61b37b..14f540e 100644 +index 5c59924..2289e8e 100644 --- a/gss-serv.c +++ b/gss-serv.c @@ -45,15 +45,20 @@ @@ -684,7 +684,7 @@ index e61b37b..14f540e 100644 #ifdef KRB5 extern ssh_gssapi_mech gssapi_kerberos_mech; @@ -100,25 +105,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) - char lname[MAXHOSTNAMELEN]; + char lname[NI_MAXHOST]; gss_OID_set oidset; - gss_create_empty_oid_set(&status, &oidset); @@ -693,40 +693,40 @@ index e61b37b..14f540e 100644 + gss_create_empty_oid_set(&status, &oidset); + gss_add_oid_set_member(&status, ctx->oid, &oidset); -- if (gethostname(lname, MAXHOSTNAMELEN)) { +- if (gethostname(lname, sizeof(lname))) { - gss_release_oid_set(&status, &oidset); - return (-1); - } -+ if (gethostname(lname, MAXHOSTNAMELEN)) { ++ if (gethostname(lname, sizeof(lname))) { + gss_release_oid_set(&status, &oidset); + return (-1); + } -+ ++ + if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { + gss_release_oid_set(&status, &oidset); + return (ctx->major); + } -+ ++ + if ((ctx->major = gss_acquire_cred(&ctx->minor, -+ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, -+ NULL, NULL))) ++ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL))) + ssh_gssapi_error(ctx); - if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { gss_release_oid_set(&status, &oidset); return (ctx->major); -+ } else { -+ ctx->name = GSS_C_NO_NAME; -+ ctx->creds = GSS_C_NO_CREDENTIAL; - } +- } - - if ((ctx->major = gss_acquire_cred(&ctx->minor, - ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL))) - ssh_gssapi_error(ctx); -- ++ } else { ++ ctx->name = GSS_C_NO_NAME; ++ ctx->creds = GSS_C_NO_CREDENTIAL; ++ return GSS_S_COMPLETE; ++ } + - gss_release_oid_set(&status, &oidset); - return (ctx->major); -+ return GSS_S_COMPLETE; } /* Privileged */ @@ -796,8 +796,7 @@ index e61b37b..14f540e 100644 + + ctx->major = gss_compare_name(&ctx->minor, client->name, + new_name, &equal); - -- gss_buffer_desc ename; ++ + if (GSS_ERROR(ctx->major)) { + ssh_gssapi_error(ctx); + return (ctx->major); @@ -809,7 +808,8 @@ index e61b37b..14f540e 100644 + } + + debug("Marking rekeyed credentials for export"); -+ + +- gss_buffer_desc ename; + gss_release_name(&ctx->minor, &client->name); + gss_release_cred(&ctx->minor, &client->creds); + client->name = new_name; @@ -991,10 +991,10 @@ index e61b37b..14f540e 100644 #endif diff --git a/kex.c b/kex.c -index 74e2b86..bce2ab8 100644 +index a173e70..4563920 100644 --- a/kex.c +++ b/kex.c -@@ -51,6 +51,10 @@ +@@ -53,6 +53,10 @@ #include "roaming.h" #include "digest.h" @@ -1005,10 +1005,10 @@ index 74e2b86..bce2ab8 100644 #if OPENSSL_VERSION_NUMBER >= 0x00907000L # if defined(HAVE_EVP_SHA256) # define evp_ssh_sha256 EVP_sha256 -@@ -90,6 +94,11 @@ static const struct kexalg kexalgs[] = { +@@ -94,6 +98,11 @@ static const struct kexalg kexalgs[] = { #ifdef HAVE_EVP_SHA256 { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, - #endif + #endif /* HAVE_EVP_SHA256 */ +#ifdef GSSAPI + { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 }, + { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, @@ -1017,7 +1017,7 @@ index 74e2b86..bce2ab8 100644 { NULL, -1, -1, -1}, }; -@@ -119,6 +128,12 @@ kex_alg_by_name(const char *name) +@@ -123,6 +132,12 @@ kex_alg_by_name(const char *name) for (k = kexalgs; k->name != NULL; k++) { if (strcmp(k->name, name) == 0) return k; @@ -1031,7 +1031,7 @@ index 74e2b86..bce2ab8 100644 return NULL; } diff --git a/kex.h b/kex.h -index c85680e..313bb51 100644 +index 4c40ec8..1c76c08 100644 --- a/kex.h +++ b/kex.h @@ -76,6 +76,11 @@ enum kex_exchange { @@ -1412,10 +1412,10 @@ index 0000000..e90b567 +#endif /* GSSAPI */ diff --git a/kexgsss.c b/kexgsss.c new file mode 100644 -index 0000000..6d7518c +index 0000000..b880998 --- /dev/null +++ b/kexgsss.c -@@ -0,0 +1,288 @@ +@@ -0,0 +1,289 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * @@ -1460,6 +1460,7 @@ index 0000000..6d7518c +#include "dh.h" +#include "ssh-gss.h" +#include "monitor_wrap.h" ++#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */ +#include "servconf.h" + +extern ServerOptions options; @@ -1704,35 +1705,11 @@ index 0000000..6d7518c + ssh_gssapi_rekey_creds(); +} +#endif /* GSSAPI */ -diff --git a/key.c b/key.c -index eb98ea8..900b9e3 100644 ---- a/key.c -+++ b/key.c -@@ -1013,6 +1013,7 @@ static const struct keytype keytypes[] = { - KEY_DSA_CERT_V00, 0, 1 }, - { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", - KEY_ED25519_CERT, 0, 1 }, -+ { "null", "null", KEY_NULL, 0, 0 }, - { NULL, NULL, -1, -1, 0 } - }; - -diff --git a/key.h b/key.h -index 0e3eea5..d51ed81 100644 ---- a/key.h -+++ b/key.h -@@ -46,6 +46,7 @@ enum types { - KEY_ED25519_CERT, - KEY_RSA_CERT_V00, - KEY_DSA_CERT_V00, -+ KEY_NULL, - KEY_UNSPEC - }; - enum fp_type { diff --git a/monitor.c b/monitor.c -index 229fada..aa70945 100644 +index d3f87e1..7ebc76e 100644 --- a/monitor.c +++ b/monitor.c -@@ -178,6 +178,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); +@@ -181,6 +181,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); int mm_answer_gss_accept_ctx(int, Buffer *); int mm_answer_gss_userok(int, Buffer *); int mm_answer_gss_checkmic(int, Buffer *); @@ -1741,7 +1718,7 @@ index 229fada..aa70945 100644 #endif #ifdef SSH_AUDIT_EVENTS -@@ -253,11 +255,18 @@ struct mon_table mon_dispatch_proto20[] = { +@@ -261,11 +263,18 @@ struct mon_table mon_dispatch_proto20[] = { {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, @@ -1757,10 +1734,10 @@ index 229fada..aa70945 100644 + {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign}, + {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds}, +#endif + #ifdef WITH_OPENSSL {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, - {MONITOR_REQ_SIGN, 0, mm_answer_sign}, - {MONITOR_REQ_PTY, 0, mm_answer_pty}, -@@ -366,6 +375,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) + #endif +@@ -380,6 +389,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) /* Permit requests for moduli and signatures */ monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); @@ -1771,7 +1748,7 @@ index 229fada..aa70945 100644 } else { mon_dispatch = mon_dispatch_proto15; -@@ -471,6 +484,10 @@ monitor_child_postauth(struct monitor *pmonitor) +@@ -488,6 +501,10 @@ monitor_child_postauth(struct monitor *pmonitor) monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); @@ -1782,9 +1759,9 @@ index 229fada..aa70945 100644 } else { mon_dispatch = mon_dispatch_postauth15; monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); -@@ -1866,6 +1883,13 @@ mm_get_kex(Buffer *m) - kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; +@@ -1893,6 +1910,13 @@ mm_get_kex(Buffer *m) kex->kex[KEX_ECDH_SHA2] = kexecdh_server; + #endif kex->kex[KEX_C25519_SHA256] = kexc25519_server; +#ifdef GSSAPI + if (options.gss_keyex) { @@ -1796,7 +1773,7 @@ index 229fada..aa70945 100644 kex->server = 1; kex->hostkey_type = buffer_get_int(m); kex->kex_type = buffer_get_int(m); -@@ -2073,6 +2097,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) +@@ -2100,6 +2124,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) OM_uint32 major; u_int len; @@ -1806,7 +1783,7 @@ index 229fada..aa70945 100644 goid.elements = buffer_get_string(m, &len); goid.length = len; -@@ -2100,6 +2127,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) +@@ -2127,6 +2154,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) OM_uint32 flags = 0; /* GSI needs this */ u_int len; @@ -1816,7 +1793,7 @@ index 229fada..aa70945 100644 in.value = buffer_get_string(m, &len); in.length = len; major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); -@@ -2117,6 +2147,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) +@@ -2144,6 +2174,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); @@ -1824,7 +1801,7 @@ index 229fada..aa70945 100644 } return (0); } -@@ -2128,6 +2159,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) +@@ -2155,6 +2186,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) OM_uint32 ret; u_int len; @@ -1834,7 +1811,7 @@ index 229fada..aa70945 100644 gssbuf.value = buffer_get_string(m, &len); gssbuf.length = len; mic.value = buffer_get_string(m, &len); -@@ -2154,7 +2188,11 @@ mm_answer_gss_userok(int sock, Buffer *m) +@@ -2181,7 +2215,11 @@ mm_answer_gss_userok(int sock, Buffer *m) { int authenticated; @@ -1847,7 +1824,7 @@ index 229fada..aa70945 100644 buffer_clear(m); buffer_put_int(m, authenticated); -@@ -2167,5 +2205,73 @@ mm_answer_gss_userok(int sock, Buffer *m) +@@ -2194,5 +2232,73 @@ mm_answer_gss_userok(int sock, Buffer *m) /* Monitor loop will terminate if authenticated */ return (authenticated); } @@ -1935,10 +1912,10 @@ index 20e2b4a..ff79fbb 100644 MONITOR_REQ_PAM_START = 100, MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103, diff --git a/monitor_wrap.c b/monitor_wrap.c -index d1b6d99..d1e1caa 100644 +index 82f114c..7e991e6 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c -@@ -1290,7 +1290,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) +@@ -1300,7 +1300,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) } int @@ -1947,7 +1924,7 @@ index d1b6d99..d1e1caa 100644 { Buffer m; int authenticated = 0; -@@ -1307,5 +1307,50 @@ mm_ssh_gssapi_userok(char *user) +@@ -1317,5 +1317,50 @@ mm_ssh_gssapi_userok(char *user) debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); return (authenticated); } @@ -2015,10 +1992,10 @@ index 9d5e5ba..93929e0 100644 #ifdef USE_PAM diff --git a/readconf.c b/readconf.c -index dc884c9..7613ff2 100644 +index 3f5c58b..1c07766 100644 --- a/readconf.c +++ b/readconf.c -@@ -141,6 +141,8 @@ typedef enum { +@@ -143,6 +143,8 @@ typedef enum { oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oAddressFamily, oGssAuthentication, oGssDelegateCreds, @@ -2027,7 +2004,7 @@ index dc884c9..7613ff2 100644 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oSendEnv, oControlPath, oControlMaster, oControlPersist, oHashKnownHosts, -@@ -183,10 +185,19 @@ static struct { +@@ -187,10 +189,19 @@ static struct { { "afstokenpassing", oUnsupported }, #if defined(GSSAPI) { "gssapiauthentication", oGssAuthentication }, @@ -2047,7 +2024,7 @@ index dc884c9..7613ff2 100644 #endif { "fallbacktorsh", oDeprecated }, { "usersh", oDeprecated }, -@@ -841,10 +852,30 @@ parse_time: +@@ -868,10 +879,30 @@ parse_time: intptr = &options->gss_authentication; goto parse_flag; @@ -2078,7 +2055,7 @@ index dc884c9..7613ff2 100644 case oBatchMode: intptr = &options->batch_mode; goto parse_flag; -@@ -1497,7 +1528,12 @@ initialize_options(Options * options) +@@ -1553,7 +1584,12 @@ initialize_options(Options * options) options->pubkey_authentication = -1; options->challenge_response_authentication = -1; options->gss_authentication = -1; @@ -2091,7 +2068,7 @@ index dc884c9..7613ff2 100644 options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; -@@ -1616,8 +1652,14 @@ fill_default_options(Options * options) +@@ -1677,8 +1713,14 @@ fill_default_options(Options * options) options->challenge_response_authentication = 1; if (options->gss_authentication == -1) options->gss_authentication = 0; @@ -2107,10 +2084,10 @@ index dc884c9..7613ff2 100644 options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) diff --git a/readconf.h b/readconf.h -index 75e3f8f..5cc97f0 100644 +index a028306..1dbe509 100644 --- a/readconf.h +++ b/readconf.h -@@ -54,7 +54,12 @@ typedef struct { +@@ -45,7 +45,12 @@ typedef struct { int challenge_response_authentication; /* Try S/Key or TIS, authentication. */ int gss_authentication; /* Try GSS authentication */ @@ -2150,10 +2127,10 @@ index b093a91..4c8da00 100644 type_has_legacy() { case $1 in diff --git a/regress/kextype.sh b/regress/kextype.sh -index 8c2ac09..a2a87ca 100644 +index 6f952f4..bcb609b 100644 --- a/regress/kextype.sh +++ b/regress/kextype.sh -@@ -9,6 +9,9 @@ cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak +@@ -14,6 +14,9 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/sshd_proxy tries="1 2 3 4" for k in `${SSH} -Q kex`; do @@ -2164,10 +2141,10 @@ index 8c2ac09..a2a87ca 100644 for i in $tries; do ${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true diff --git a/regress/rekey.sh b/regress/rekey.sh -index cf9401e..31fb0f7 100644 +index fd452b0..1148197 100644 --- a/regress/rekey.sh +++ b/regress/rekey.sh -@@ -30,6 +30,9 @@ increase_datafile_size 300 +@@ -38,6 +38,9 @@ increase_datafile_size 300 opts="" for i in `${SSH} -Q kex`; do @@ -2177,7 +2154,7 @@ index cf9401e..31fb0f7 100644 opts="$opts KexAlgorithms=$i" done for i in `${SSH} -Q cipher`; do -@@ -48,6 +51,9 @@ done +@@ -56,6 +59,9 @@ done if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then for c in `${SSH} -Q cipher-auth`; do for kex in `${SSH} -Q kex`; do @@ -2185,13 +2162,13 @@ index cf9401e..31fb0f7 100644 + continue + fi verbose "client rekey $c $kex" - ssh_data_rekeying -oRekeyLimit=256k -oCiphers=$c -oKexAlgorithms=$kex + ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c done diff --git a/servconf.c b/servconf.c -index f763317..68fb9ef 100644 +index c8a3f28..179c20d 100644 --- a/servconf.c +++ b/servconf.c -@@ -108,7 +108,10 @@ initialize_server_options(ServerOptions *options) +@@ -110,7 +110,10 @@ initialize_server_options(ServerOptions *options) options->kerberos_ticket_cleanup = -1; options->kerberos_get_afs_token = -1; options->gss_authentication=-1; @@ -2202,7 +2179,7 @@ index f763317..68fb9ef 100644 options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; -@@ -245,8 +248,14 @@ fill_default_server_options(ServerOptions *options) +@@ -253,8 +256,14 @@ fill_default_server_options(ServerOptions *options) options->kerberos_get_afs_token = 0; if (options->gss_authentication == -1) options->gss_authentication = 0; @@ -2217,7 +2194,7 @@ index f763317..68fb9ef 100644 if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -@@ -344,7 +353,8 @@ typedef enum { +@@ -359,7 +368,8 @@ typedef enum { sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, @@ -2227,7 +2204,7 @@ index f763317..68fb9ef 100644 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, sHostCertificate, -@@ -411,10 +421,20 @@ static struct { +@@ -428,10 +438,20 @@ static struct { #ifdef GSSAPI { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, @@ -2248,7 +2225,7 @@ index f763317..68fb9ef 100644 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, -@@ -1091,10 +1111,22 @@ process_server_config_line(ServerOptions *options, char *line, +@@ -1113,10 +1133,22 @@ process_server_config_line(ServerOptions *options, char *line, intptr = &options->gss_authentication; goto parse_flag; @@ -2271,7 +2248,7 @@ index f763317..68fb9ef 100644 case sPasswordAuthentication: intptr = &options->password_authentication; goto parse_flag; -@@ -2005,6 +2037,9 @@ dump_config(ServerOptions *o) +@@ -2070,6 +2102,9 @@ dump_config(ServerOptions *o) #ifdef GSSAPI dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); @@ -2282,10 +2259,10 @@ index f763317..68fb9ef 100644 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); dump_cfg_fmtint(sKbdInteractiveAuthentication, diff --git a/servconf.h b/servconf.h -index 4572066..37cfa9b 100644 +index 21719e2..397698b 100644 --- a/servconf.h +++ b/servconf.h -@@ -112,7 +112,10 @@ typedef struct { +@@ -113,7 +113,10 @@ typedef struct { int kerberos_get_afs_token; /* If true, try to get AFS token if * authenticated with Kerberos. */ int gss_authentication; /* If true, permit GSSAPI authentication */ @@ -2398,7 +2375,7 @@ index a99d7f0..0374c88 100644 #endif /* _SSH_GSS_H */ diff --git a/ssh_config b/ssh_config -index 6d1abaf..b0d343b 100644 +index 3f83c40..4a0fb82 100644 --- a/ssh_config +++ b/ssh_config @@ -26,6 +26,8 @@ @@ -2411,10 +2388,10 @@ index 6d1abaf..b0d343b 100644 # CheckHostIP yes # AddressFamily any diff --git a/ssh_config.5 b/ssh_config.5 -index b580392..e7accd6 100644 +index f9ede7a..e6649ac 100644 --- a/ssh_config.5 +++ b/ssh_config.5 -@@ -682,11 +682,43 @@ Specifies whether user authentication based on GSSAPI is allowed. +@@ -701,11 +701,43 @@ Specifies whether user authentication based on GSSAPI is allowed. The default is .Dq no . Note that this option applies to protocol version 2 only. @@ -2460,11 +2437,11 @@ index b580392..e7accd6 100644 Indicates that .Xr ssh 1 diff --git a/sshconnect2.c b/sshconnect2.c -index adbbfc7..cadf234 100644 +index 4724b66..703f8e4 100644 --- a/sshconnect2.c +++ b/sshconnect2.c -@@ -158,9 +158,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) - { +@@ -159,9 +159,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) + char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; Kex *kex; +#ifdef GSSAPI @@ -2498,9 +2475,9 @@ index adbbfc7..cadf234 100644 if (options.ciphers == (char *)-1) { logit("No valid ciphers for protocol version 2 given, using defaults."); options.ciphers = NULL; -@@ -196,6 +221,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) - if (options.kex_algorithms != NULL) - myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; +@@ -199,6 +224,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) + myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( + myproposal[PROPOSAL_KEX_ALGS]); +#ifdef GSSAPI + /* If we've got GSSAPI algorithms, then we also support the @@ -2516,9 +2493,9 @@ index adbbfc7..cadf234 100644 if (options.rekey_limit || options.rekey_interval) packet_set_rekey_limits((u_int32_t)options.rekey_limit, (time_t)options.rekey_interval); -@@ -208,10 +244,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) - kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; +@@ -213,10 +249,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) kex->kex[KEX_ECDH_SHA2] = kexecdh_client; + #endif kex->kex[KEX_C25519_SHA256] = kexc25519_client; +#ifdef GSSAPI + if (options.gss_keyex) { @@ -2547,7 +2524,7 @@ index adbbfc7..cadf234 100644 xxx_kex = kex; dispatch_run(DISPATCH_BLOCK, &kex->done, kex); -@@ -301,6 +357,7 @@ void input_gssapi_token(int type, u_int32_t, void *); +@@ -306,6 +362,7 @@ void input_gssapi_token(int type, u_int32_t, void *); void input_gssapi_hash(int type, u_int32_t, void *); void input_gssapi_error(int, u_int32_t, void *); void input_gssapi_errtok(int, u_int32_t, void *); @@ -2555,7 +2532,7 @@ index adbbfc7..cadf234 100644 #endif void userauth(Authctxt *, char *); -@@ -316,6 +373,11 @@ static char *authmethods_get(void); +@@ -321,6 +378,11 @@ static char *authmethods_get(void); Authmethod authmethods[] = { #ifdef GSSAPI @@ -2567,7 +2544,7 @@ index adbbfc7..cadf234 100644 {"gssapi-with-mic", userauth_gssapi, NULL, -@@ -613,19 +675,31 @@ userauth_gssapi(Authctxt *authctxt) +@@ -617,19 +679,31 @@ userauth_gssapi(Authctxt *authctxt) static u_int mech = 0; OM_uint32 min; int ok = 0; @@ -2601,7 +2578,7 @@ index adbbfc7..cadf234 100644 ok = 1; /* Mechanism works */ } else { mech++; -@@ -722,8 +796,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) +@@ -726,8 +800,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) { Authctxt *authctxt = ctxt; Gssctxt *gssctxt; @@ -2612,7 +2589,7 @@ index adbbfc7..cadf234 100644 if (authctxt == NULL) fatal("input_gssapi_response: no authentication context"); -@@ -832,6 +906,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) +@@ -836,6 +910,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) free(msg); free(lang); } @@ -2662,21 +2639,10 @@ index adbbfc7..cadf234 100644 int diff --git a/sshd.c b/sshd.c -index 24ab272..e4e406e 100644 +index f7b8aba..2871fe9 100644 --- a/sshd.c +++ b/sshd.c -@@ -122,6 +122,10 @@ - #include "ssh-sandbox.h" - #include "version.h" - -+#ifdef USE_SECURITY_SESSION_API -+#include -+#endif -+ - #ifdef LIBWRAP - #include - #include -@@ -1744,10 +1748,13 @@ main(int ac, char **av) +@@ -1761,10 +1761,13 @@ main(int ac, char **av) logit("Disabling protocol version 1. Could not load host key"); options.protocol &= ~SSH_PROTO_1; } @@ -2690,7 +2656,7 @@ index 24ab272..e4e406e 100644 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { logit("sshd: no hostkeys available -- exiting."); exit(1); -@@ -2488,6 +2495,48 @@ do_ssh2_kex(void) +@@ -2501,6 +2504,49 @@ do_ssh2_kex(void) myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( list_hostkey_types()); @@ -2735,13 +2701,14 @@ index 24ab272..e4e406e 100644 + fatal("No supported key exchange algorithms"); + } +#endif ++ + /* start key exchange */ kex = kex_setup(myproposal); - kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; -@@ -2496,6 +2545,13 @@ do_ssh2_kex(void) - kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; + #ifdef WITH_OPENSSL +@@ -2511,6 +2557,13 @@ do_ssh2_kex(void) kex->kex[KEX_ECDH_SHA2] = kexecdh_server; + #endif kex->kex[KEX_C25519_SHA256] = kexc25519_server; +#ifdef GSSAPI + if (options.gss_keyex) { @@ -2754,7 +2721,7 @@ index 24ab272..e4e406e 100644 kex->client_version_string=client_version_string; kex->server_version_string=server_version_string; diff --git a/sshd_config b/sshd_config -index c1b7c03..adfd7b1 100644 +index 7061f75..f4796fc 100644 --- a/sshd_config +++ b/sshd_config @@ -91,6 +91,8 @@ ChallengeResponseAuthentication no @@ -2767,10 +2734,10 @@ index c1b7c03..adfd7b1 100644 # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will diff --git a/sshd_config.5 b/sshd_config.5 -index 95b5f8c..1fb002d 100644 +index cccb310..8ad79d9 100644 --- a/sshd_config.5 +++ b/sshd_config.5 -@@ -493,12 +493,40 @@ Specifies whether user authentication based on GSSAPI is allowed. +@@ -536,12 +536,40 @@ Specifies whether user authentication based on GSSAPI is allowed. The default is .Dq no . Note that this option applies to protocol version 2 only. diff --git a/openssh-6.6p1-keycat.patch b/openssh-6.6p1-keycat.patch index d30dedb..4cbe95d 100644 --- a/openssh-6.6p1-keycat.patch +++ b/openssh-6.6p1-keycat.patch @@ -17,7 +17,7 @@ index 0000000..630ec62 + + diff --git a/Makefile.in b/Makefile.in -index 411eadb..4ab6717 100644 +index f02aa1e..b225217 100644 --- a/Makefile.in +++ b/Makefile.in @@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server @@ -28,16 +28,16 @@ index 411eadb..4ab6717 100644 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper PRIVSEP_PATH=@PRIVSEP_PATH@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ -@@ -64,7 +65,7 @@ EXEEXT=@EXEEXT@ +@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@ MANFMT=@MANFMT@ INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@ -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) -+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) - LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ - canohost.o channels.o cipher.o cipher-aes.o \ -@@ -176,6 +177,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11 + LIBOPENSSH_OBJS=\ + ssherr.o \ +@@ -186,6 +187,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11 ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) @@ -47,7 +47,7 @@ index 411eadb..4ab6717 100644 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -@@ -283,6 +287,7 @@ install-files: +@@ -305,6 +309,7 @@ install-files: $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ fi @@ -56,10 +56,10 @@ index 411eadb..4ab6717 100644 $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 diff --git a/auth2-pubkey.c b/auth2-pubkey.c -index c0ae0d4..cb0f931 100644 +index 12f5afd..269e642 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c -@@ -600,6 +600,14 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key) +@@ -602,6 +602,14 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key) _exit(1); } @@ -75,10 +75,10 @@ index c0ae0d4..cb0f931 100644 options.authorized_keys_command, user_pw->pw_name, NULL); diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c -index d04f4ed..0077dd7 100644 +index 265bd3a..8f32464 100644 --- a/openbsd-compat/port-linux-sshd.c +++ b/openbsd-compat/port-linux-sshd.c -@@ -53,6 +53,20 @@ extern Authctxt *the_authctxt; +@@ -54,6 +54,20 @@ extern Authctxt *the_authctxt; extern int inetd_flag; extern int rexeced_flag; @@ -99,7 +99,7 @@ index d04f4ed..0077dd7 100644 /* Send audit message */ static int sshd_selinux_send_audit_message(int success, security_context_t default_context, -@@ -307,7 +321,7 @@ sshd_selinux_getctxbyname(char *pwname, +@@ -308,7 +322,7 @@ sshd_selinux_getctxbyname(char *pwname, /* Setup environment variables for pam_selinux */ static int @@ -108,7 +108,7 @@ index d04f4ed..0077dd7 100644 { const char *reqlvl; char *role; -@@ -318,16 +332,16 @@ sshd_selinux_setup_pam_variables(void) +@@ -319,16 +333,16 @@ sshd_selinux_setup_pam_variables(void) ssh_selinux_get_role_level(&role, &reqlvl); @@ -128,7 +128,7 @@ index d04f4ed..0077dd7 100644 if (role != NULL) free(role); -@@ -335,6 +349,24 @@ sshd_selinux_setup_pam_variables(void) +@@ -336,6 +350,24 @@ sshd_selinux_setup_pam_variables(void) return rv; } @@ -153,7 +153,7 @@ index d04f4ed..0077dd7 100644 /* Set the execution context to the default for the specified user */ void sshd_selinux_setup_exec_context(char *pwname) -@@ -343,7 +375,7 @@ sshd_selinux_setup_exec_context(char *pwname) +@@ -344,7 +376,7 @@ sshd_selinux_setup_exec_context(char *pwname) int r = 0; security_context_t default_ctx = NULL; @@ -162,7 +162,7 @@ index d04f4ed..0077dd7 100644 return; if (options.use_pam) { -@@ -414,7 +446,7 @@ sshd_selinux_copy_context(void) +@@ -415,7 +447,7 @@ sshd_selinux_copy_context(void) { security_context_t *ctx; @@ -187,10 +187,10 @@ index b18893c..cb51f99 100644 #ifdef LINUX_OOM_ADJUST diff --git a/platform.c b/platform.c -index 0d39ab2..0dae387 100644 +index 84c47fa..6d876cb 100644 --- a/platform.c +++ b/platform.c -@@ -102,7 +102,7 @@ platform_setusercontext(struct passwd *pw) +@@ -103,7 +103,7 @@ platform_setusercontext(struct passwd *pw) { #ifdef WITH_SELINUX /* Cache selinux status for later use */ diff --git a/openssh-6.6p1-keyperm.patch b/openssh-6.6p1-keyperm.patch index fccb328..fbe33b0 100644 --- a/openssh-6.6p1-keyperm.patch +++ b/openssh-6.6p1-keyperm.patch @@ -1,15 +1,16 @@ -diff -up openssh-6.6p1/authfile.c.keyperm openssh-6.6p1/authfile.c ---- openssh-6.6p1/authfile.c.keyperm 2014-02-04 01:20:15.000000000 +0100 -+++ openssh-6.6p1/authfile.c 2014-05-05 15:20:43.075246776 +0200 -@@ -54,6 +54,7 @@ +diff --git a/authfile.c b/authfile.c +index e93d867..4fc5b3d 100644 +--- a/authfile.c ++++ b/authfile.c +@@ -32,6 +32,7 @@ #include #include +#include - #include #include + #include #include -@@ -979,6 +980,13 @@ key_perm_ok(int fd, const char *filename +@@ -207,6 +208,13 @@ sshkey_perm_ok(int fd, const char *filename) #ifdef HAVE_CYGWIN if (check_ntsec(filename)) #endif diff --git a/openssh-6.6p1-kuserok.patch b/openssh-6.6p1-kuserok.patch index f7c5a1c..b0b12a6 100644 --- a/openssh-6.6p1-kuserok.patch +++ b/openssh-6.6p1-kuserok.patch @@ -1,8 +1,8 @@ diff --git a/auth-krb5.c b/auth-krb5.c -index 6c62bdf..11c8562 100644 +index 0089b18..8480261 100644 --- a/auth-krb5.c +++ b/auth-krb5.c -@@ -54,6 +54,21 @@ +@@ -55,6 +55,21 @@ extern ServerOptions options; @@ -24,7 +24,7 @@ index 6c62bdf..11c8562 100644 static int krb5_init(void *context) { -@@ -157,8 +172,9 @@ auth_krb5_password(Authctxt *authctxt, const char *password) +@@ -158,8 +173,9 @@ auth_krb5_password(Authctxt *authctxt, const char *password) if (problem) goto out; @@ -37,7 +37,7 @@ index 6c62bdf..11c8562 100644 goto out; } diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c -index 60de320..0a4930e 100644 +index 54dd383..961c564 100644 --- a/gss-serv-krb5.c +++ b/gss-serv-krb5.c @@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_principal, const char *, const char *, @@ -175,27 +175,27 @@ index 60de320..0a4930e 100644 if ((fp = fopen(file, "r")) == NULL) { int saved_errno = errno; diff --git a/servconf.c b/servconf.c -index 68fb9ef..904c869 100644 +index 179c20d..d17ed04 100644 --- a/servconf.c +++ b/servconf.c -@@ -157,6 +157,7 @@ initialize_server_options(ServerOptions *options) - options->ip_qos_interactive = -1; +@@ -163,6 +163,7 @@ initialize_server_options(ServerOptions *options) options->ip_qos_bulk = -1; options->version_addendum = NULL; + options->fingerprint_hash = -1; + options->use_kuserok = -1; } void -@@ -312,6 +313,8 @@ fill_default_server_options(ServerOptions *options) - options->version_addendum = xstrdup(""); - if (options->show_patchlevel == -1) - options->show_patchlevel = 0; +@@ -328,6 +329,8 @@ fill_default_server_options(ServerOptions *options) + options->fwd_opts.streamlocal_bind_unlink = 0; + if (options->fingerprint_hash == -1) + options->fingerprint_hash = SSH_FP_HASH_DEFAULT; + if (options->use_kuserok == -1) + options->use_kuserok = 1; - /* Turn privilege separation on by default */ if (use_privsep == -1) -@@ -338,7 +341,7 @@ typedef enum { + use_privsep = PRIVSEP_NOSANDBOX; +@@ -353,7 +356,7 @@ typedef enum { sPermitRootLogin, sLogFacility, sLogLevel, sRhostsRSAAuthentication, sRSAAuthentication, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, @@ -204,7 +204,7 @@ index 68fb9ef..904c869 100644 sKerberosTgtPassing, sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sAddressFamily, -@@ -410,11 +413,13 @@ static struct { +@@ -427,11 +430,13 @@ static struct { #else { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, #endif @@ -218,7 +218,7 @@ index 68fb9ef..904c869 100644 #endif { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, -@@ -1526,6 +1531,10 @@ process_server_config_line(ServerOptions *options, char *line, +@@ -1557,6 +1562,10 @@ process_server_config_line(ServerOptions *options, char *line, *activep = value; break; @@ -229,7 +229,7 @@ index 68fb9ef..904c869 100644 case sPermitOpen: arg = strdelim(&cp); if (!arg || *arg == '\0') -@@ -1811,6 +1820,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) +@@ -1872,6 +1881,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) M_CP_INTOPT(max_authtries); M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_bulk); @@ -237,19 +237,19 @@ index 68fb9ef..904c869 100644 M_CP_INTOPT(rekey_limit); M_CP_INTOPT(rekey_interval); -@@ -2062,6 +2072,7 @@ dump_config(ServerOptions *o) - dump_cfg_fmtint(sUseDNS, o->use_dns); - dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); +@@ -2130,6 +2140,7 @@ dump_config(ServerOptions *o) + dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); + dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); + dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok); /* string arguments */ dump_cfg_string(sPidFile, o->pid_file); diff --git a/servconf.h b/servconf.h -index 37cfa9b..5117dfa 100644 +index 397698b..cf2a505 100644 --- a/servconf.h +++ b/servconf.h -@@ -173,6 +173,7 @@ typedef struct { +@@ -175,6 +175,7 @@ typedef struct { int num_permitted_opens; @@ -258,7 +258,7 @@ index 37cfa9b..5117dfa 100644 char *revoked_keys_file; char *trusted_user_ca_keys; diff --git a/sshd_config b/sshd_config -index adfd7b1..e772ed5 100644 +index f4796fc..0d9454d 100644 --- a/sshd_config +++ b/sshd_config @@ -87,6 +87,7 @@ ChallengeResponseAuthentication no @@ -270,10 +270,10 @@ index adfd7b1..e772ed5 100644 # GSSAPI options GSSAPIAuthentication yes diff --git a/sshd_config.5 b/sshd_config.5 -index 1fb002d..e0e5fff 100644 +index 8ad79d9..eb4dd9e 100644 --- a/sshd_config.5 +++ b/sshd_config.5 -@@ -697,6 +697,10 @@ Specifies whether to automatically destroy the user's ticket cache +@@ -740,6 +740,10 @@ Specifies whether to automatically destroy the user's ticket cache file on logout. The default is .Dq yes . @@ -284,7 +284,7 @@ index 1fb002d..e0e5fff 100644 .It Cm KexAlgorithms Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. -@@ -862,6 +866,7 @@ Available keywords are +@@ -961,6 +965,7 @@ Available keywords are .Cm HostbasedUsesNameFromPacketOnly , .Cm KbdInteractiveAuthentication , .Cm KerberosAuthentication , diff --git a/openssh-6.6p1-role-mls.patch b/openssh-6.6p1-role-mls.patch index 4740c99..02e81e6 100644 --- a/openssh-6.6p1-role-mls.patch +++ b/openssh-6.6p1-role-mls.patch @@ -25,7 +25,7 @@ index a1a2b52..b109a5a 100644 char ** fetch_pam_child_environment(void); void free_pam_environment(char **); diff --git a/auth.h b/auth.h -index 124e597..4605588 100644 +index d081c94..847cffd 100644 --- a/auth.h +++ b/auth.h @@ -59,6 +59,9 @@ struct Authctxt { @@ -39,10 +39,10 @@ index 124e597..4605588 100644 char *info; /* Extra info for next auth_log */ #ifdef BSD_AUTH diff --git a/auth1.c b/auth1.c -index 0f870b3..df040bb 100644 +index 5038828..f0a98d2 100644 --- a/auth1.c +++ b/auth1.c -@@ -381,6 +381,9 @@ do_authentication(Authctxt *authctxt) +@@ -382,6 +382,9 @@ do_authentication(Authctxt *authctxt) { u_int ulen; char *user, *style = NULL; @@ -52,7 +52,7 @@ index 0f870b3..df040bb 100644 /* Get the name of the user that we wish to log in as. */ packet_read_expect(SSH_CMSG_USER); -@@ -389,11 +392,24 @@ do_authentication(Authctxt *authctxt) +@@ -390,11 +393,24 @@ do_authentication(Authctxt *authctxt) user = packet_get_cstring(&ulen); packet_check_eom(); @@ -78,10 +78,10 @@ index 0f870b3..df040bb 100644 /* Verify that the user is a valid user. */ if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) diff --git a/auth2-gss.c b/auth2-gss.c -index c28a705..4756dd7 100644 +index 447f896..4803e7e 100644 --- a/auth2-gss.c +++ b/auth2-gss.c -@@ -251,6 +251,7 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) +@@ -252,6 +252,7 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) Authctxt *authctxt = ctxt; Gssctxt *gssctxt; int authenticated = 0; @@ -89,7 +89,7 @@ index c28a705..4756dd7 100644 Buffer b; gss_buffer_desc mic, gssbuf; u_int len; -@@ -263,7 +264,13 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) +@@ -264,7 +265,13 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) mic.value = packet_get_string(&len); mic.length = len; @@ -104,7 +104,7 @@ index c28a705..4756dd7 100644 "gssapi-with-mic"); gssbuf.value = buffer_ptr(&b); -@@ -275,6 +282,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) +@@ -276,6 +283,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) logit("GSSAPI MIC check failed"); buffer_free(&b); @@ -114,10 +114,10 @@ index c28a705..4756dd7 100644 authctxt->postponed = 0; diff --git a/auth2-hostbased.c b/auth2-hostbased.c -index eca0069..95d678e 100644 +index b7ae353..41f1a3f 100644 --- a/auth2-hostbased.c +++ b/auth2-hostbased.c -@@ -112,7 +112,15 @@ userauth_hostbased(Authctxt *authctxt) +@@ -113,7 +113,15 @@ userauth_hostbased(Authctxt *authctxt) buffer_put_string(&b, session_id2, session_id2_len); /* reconstruct packet */ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); @@ -135,7 +135,7 @@ index eca0069..95d678e 100644 buffer_put_cstring(&b, "hostbased"); buffer_put_string(&b, pkalg, alen); diff --git a/auth2-pubkey.c b/auth2-pubkey.c -index 749b11a..c0ae0d4 100644 +index 3f4f789..12f5afd 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -133,9 +133,11 @@ userauth_pubkey(Authctxt *authctxt) @@ -153,10 +153,10 @@ index 749b11a..c0ae0d4 100644 free(userstyle); buffer_put_cstring(&b, diff --git a/auth2.c b/auth2.c -index a5490c0..5f4f26f 100644 +index d9b440a..d6fbc93 100644 --- a/auth2.c +++ b/auth2.c -@@ -215,6 +215,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) +@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) Authctxt *authctxt = ctxt; Authmethod *m = NULL; char *user, *service, *method, *style = NULL; @@ -166,7 +166,7 @@ index a5490c0..5f4f26f 100644 int authenticated = 0; if (authctxt == NULL) -@@ -226,6 +229,11 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) +@@ -227,6 +230,11 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) debug("userauth-request for user %s service %s method %s", user, service, method); debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); @@ -178,7 +178,7 @@ index a5490c0..5f4f26f 100644 if ((style = strchr(user, ':')) != NULL) *style++ = 0; -@@ -251,8 +259,15 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) +@@ -252,8 +260,15 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) use_privsep ? " [net]" : ""); authctxt->service = xstrdup(service); authctxt->style = style ? xstrdup(style) : NULL; @@ -196,10 +196,10 @@ index a5490c0..5f4f26f 100644 if (auth2_setup_methods_lists(authctxt) != 0) packet_disconnect("no authentication methods enabled"); diff --git a/misc.c b/misc.c -index e4c8c32..f31cd91 100644 +index 94b05b0..651c21b 100644 --- a/misc.c +++ b/misc.c -@@ -430,6 +430,7 @@ char * +@@ -431,6 +431,7 @@ char * colon(char *cp) { int flag = 0; @@ -207,7 +207,7 @@ index e4c8c32..f31cd91 100644 if (*cp == ':') /* Leading colon is part of file name. */ return NULL; -@@ -445,6 +446,13 @@ colon(char *cp) +@@ -446,6 +447,13 @@ colon(char *cp) return (cp); if (*cp == '/') return NULL; @@ -222,10 +222,10 @@ index e4c8c32..f31cd91 100644 return NULL; } diff --git a/monitor.c b/monitor.c -index 531c4f9..229fada 100644 +index dbe29f1..d3f87e1 100644 --- a/monitor.c +++ b/monitor.c -@@ -145,6 +145,9 @@ int mm_answer_sign(int, Buffer *); +@@ -148,6 +148,9 @@ int mm_answer_sign(int, Buffer *); int mm_answer_pwnamallow(int, Buffer *); int mm_answer_auth2_read_banner(int, Buffer *); int mm_answer_authserv(int, Buffer *); @@ -235,7 +235,7 @@ index 531c4f9..229fada 100644 int mm_answer_authpassword(int, Buffer *); int mm_answer_bsdauthquery(int, Buffer *); int mm_answer_bsdauthrespond(int, Buffer *); -@@ -219,6 +222,9 @@ struct mon_table mon_dispatch_proto20[] = { +@@ -227,6 +230,9 @@ struct mon_table mon_dispatch_proto20[] = { {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, @@ -245,7 +245,7 @@ index 531c4f9..229fada 100644 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, #ifdef USE_PAM -@@ -805,6 +811,9 @@ mm_answer_pwnamallow(int sock, Buffer *m) +@@ -824,6 +830,9 @@ mm_answer_pwnamallow(int sock, Buffer *m) else { /* Allow service/style information on the auth context */ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); @@ -255,7 +255,7 @@ index 531c4f9..229fada 100644 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); } #ifdef USE_PAM -@@ -846,6 +855,25 @@ mm_answer_authserv(int sock, Buffer *m) +@@ -865,6 +874,25 @@ mm_answer_authserv(int sock, Buffer *m) return (0); } @@ -281,7 +281,7 @@ index 531c4f9..229fada 100644 int mm_answer_authpassword(int sock, Buffer *m) { -@@ -1220,7 +1248,7 @@ static int +@@ -1241,7 +1269,7 @@ static int monitor_valid_userblob(u_char *data, u_int datalen) { Buffer b; @@ -290,7 +290,7 @@ index 531c4f9..229fada 100644 u_int len; int fail = 0; -@@ -1246,6 +1274,8 @@ monitor_valid_userblob(u_char *data, u_int datalen) +@@ -1267,6 +1295,8 @@ monitor_valid_userblob(u_char *data, u_int datalen) if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) fail++; p = buffer_get_cstring(&b, NULL); @@ -299,7 +299,7 @@ index 531c4f9..229fada 100644 xasprintf(&userstyle, "%s%s%s", authctxt->user, authctxt->style ? ":" : "", authctxt->style ? authctxt->style : ""); -@@ -1281,7 +1311,7 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, +@@ -1302,7 +1332,7 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, char *chost) { Buffer b; @@ -308,7 +308,7 @@ index 531c4f9..229fada 100644 u_int len; int fail = 0; -@@ -1298,6 +1328,8 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, +@@ -1319,6 +1349,8 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) fail++; p = buffer_get_cstring(&b, NULL); @@ -333,10 +333,10 @@ index 5bc41b5..20e2b4a 100644 MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103, MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105, diff --git a/monitor_wrap.c b/monitor_wrap.c -index 1a47e41..d1b6d99 100644 +index 45dc169..82f114c 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c -@@ -336,6 +336,25 @@ mm_inform_authserv(char *service, char *style) +@@ -342,6 +342,25 @@ mm_inform_authserv(char *service, char *style) buffer_free(&m); } @@ -377,12 +377,12 @@ index 18c2501..9d5e5ba 100644 char *mm_auth2_read_banner(void); int mm_auth_password(struct Authctxt *, char *); diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in -index 6ecfb93..b912dbe 100644 +index ab1a3e3..843225d 100644 --- a/openbsd-compat/Makefile.in +++ b/openbsd-compat/Makefile.in @@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di - COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o + COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o -PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o +PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o @@ -391,10 +391,10 @@ index 6ecfb93..b912dbe 100644 $(CC) $(CFLAGS) $(CPPFLAGS) -c $< diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c new file mode 100644 -index 0000000..c18524e +index 0000000..6310717 --- /dev/null +++ b/openbsd-compat/port-linux-sshd.c -@@ -0,0 +1,414 @@ +@@ -0,0 +1,415 @@ +/* + * Copyright (c) 2005 Daniel Walsh + * Copyright (c) 2014 Petr Lautrbach @@ -426,6 +426,7 @@ index 0000000..c18524e + +#include "log.h" +#include "xmalloc.h" ++#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */ +#include "servconf.h" +#include "port-linux.h" +#include "key.h" @@ -868,10 +869,10 @@ index e3d1004..8ef6cc4 100644 #ifdef LINUX_OOM_ADJUST diff --git a/platform.c b/platform.c -index 30fc609..0d39ab2 100644 +index ee313da..84c47fa 100644 --- a/platform.c +++ b/platform.c -@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(struct passwd *pw) +@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(struct passwd *pw) } #endif /* HAVE_SETPCRED */ #ifdef WITH_SELINUX @@ -881,10 +882,10 @@ index 30fc609..0d39ab2 100644 } diff --git a/sshd.c b/sshd.c -index 7523de9..07f9926 100644 +index 481d001..41b317b 100644 --- a/sshd.c +++ b/sshd.c -@@ -2138,6 +2138,9 @@ main(int ac, char **av) +@@ -2144,6 +2144,9 @@ main(int ac, char **av) restore_uid(); } #endif diff --git a/openssh-6.6p1-audit.patch b/openssh-6.7p1-audit.patch similarity index 85% rename from openssh-6.6p1-audit.patch rename to openssh-6.7p1-audit.patch index 2ee2012..4ce4b53 100644 --- a/openssh-6.6p1-audit.patch +++ b/openssh-6.7p1-audit.patch @@ -1,8 +1,8 @@ diff --git a/Makefile.in b/Makefile.in -index 0f0d39f..9d8c2eb 100644 +index 8e11217..9311e16 100644 --- a/Makefile.in +++ b/Makefile.in -@@ -82,7 +82,8 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ +@@ -92,7 +92,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ ssh-pkcs11.o krl.o smult_curve25519_ref.o \ kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ ssh-ed25519.o digest-openssl.o hmac.o utf8_stringprep.o \ @@ -13,7 +13,7 @@ index 0f0d39f..9d8c2eb 100644 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect1.o sshconnect2.o mux.o \ diff --git a/audit-bsm.c b/audit-bsm.c -index 6135591..5160869 100644 +index 6135591..c7a1b47 100644 --- a/audit-bsm.c +++ b/audit-bsm.c @@ -375,10 +375,23 @@ audit_connection_from(const char *host, int port) @@ -66,7 +66,7 @@ index 6135591..5160869 100644 +} + +void -+audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid, uid_t uid) ++audit_kex_body(int ctos, char *enc, char *mac, char *compress, char *pfs, pid_t pid, uid_t uid) +{ + /* not implemented */ +} @@ -96,16 +96,17 @@ index 6135591..5160869 100644 +} #endif /* BSM */ diff --git a/audit-linux.c b/audit-linux.c -index b3ee2f4..946f7fa 100644 +index b3ee2f4..bff8180 100644 --- a/audit-linux.c +++ b/audit-linux.c -@@ -35,13 +35,24 @@ +@@ -35,13 +35,25 @@ #include "log.h" #include "audit.h" +#include "key.h" +#include "hostfile.h" +#include "auth.h" ++#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */ +#include "servconf.h" #include "canohost.h" +#include "packet.h" @@ -127,7 +128,7 @@ index b3ee2f4..946f7fa 100644 { int audit_fd, rc, saved_errno; -@@ -49,11 +60,11 @@ linux_audit_record_event(int uid, const char *username, +@@ -49,11 +61,11 @@ linux_audit_record_event(int uid, const char *username, if (audit_fd < 0) { if (errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT) @@ -142,7 +143,7 @@ index b3ee2f4..946f7fa 100644 NULL, "login", username ? username : "(unknown)", username == NULL ? uid : -1, hostname, ip, ttyn, success); saved_errno = errno; -@@ -65,35 +76,150 @@ linux_audit_record_event(int uid, const char *username, +@@ -65,35 +77,154 @@ linux_audit_record_event(int uid, const char *username, if ((rc == -EPERM) && (geteuid() != 0)) rc = 0; errno = saved_errno; @@ -224,8 +225,12 @@ index b3ee2f4..946f7fa 100644 + buf, audit_username(), -1, NULL, get_remote_ipaddr(), NULL, rv); + if ((rc < 0) && ((rc != -1) || (getuid() == 0))) + goto out; ++ /* is the fingerprint_prefix() still needed? + snprintf(buf, sizeof(buf), "key algo=%s size=%d fp=%s%s rport=%d", + type, bits, key_fingerprint_prefix(), fp, get_remote_port()); ++ */ ++ snprintf(buf, sizeof(buf), "key algo=%s size=%d fp=%s rport=%d", ++ type, bits, fp, get_remote_port()); + rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL, + buf, audit_username(), -1, NULL, get_remote_ipaddr(), NULL, rv); +out: @@ -301,7 +306,7 @@ index b3ee2f4..946f7fa 100644 } void -@@ -101,21 +227,43 @@ audit_event(ssh_audit_event_t event) +@@ -101,21 +232,43 @@ audit_event(ssh_audit_event_t event) { switch(event) { case SSH_AUTH_SUCCESS: @@ -349,7 +354,7 @@ index b3ee2f4..946f7fa 100644 break; default: -@@ -123,4 +271,135 @@ audit_event(ssh_audit_event_t event) +@@ -123,4 +276,135 @@ audit_event(ssh_audit_event_t event) } } @@ -379,17 +384,17 @@ index b3ee2f4..946f7fa 100644 +const static char *direction[] = { "from-server", "from-client", "both" }; + +void -+audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid, ++audit_kex_body(int ctos, char *enc, char *mac, char *compress, char *pfs, pid_t pid, + uid_t uid) +{ +#ifdef AUDIT_CRYPTO_SESSION + char buf[AUDIT_LOG_SIZE]; + int audit_fd, audit_ok; -+ Cipher *cipher = cipher_by_name(enc); ++ const Cipher *cipher = cipher_by_name(enc); + char *s; + -+ snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d mac=%s spid=%jd suid=%jd rport=%d laddr=%s lport=%d ", -+ direction[ctos], enc, cipher ? 8 * cipher->key_len : 0, mac, ++ snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d mac=%s pfs=%s spid=%jd suid=%jd rport=%d laddr=%s lport=%d ", ++ direction[ctos], enc, cipher ? 8 * cipher->key_len : 0, mac, pfs, + (intmax_t)pid, (intmax_t)uid, + get_remote_port(), (s = get_local_ipaddr(packet_get_connection_in())), get_local_port()); + free(s); @@ -486,7 +491,7 @@ index b3ee2f4..946f7fa 100644 +} #endif /* USE_LINUX_AUDIT */ diff --git a/audit.c b/audit.c -index ced57fa..ab9fb82 100644 +index ced57fa..18908b4 100644 --- a/audit.c +++ b/audit.c @@ -28,6 +28,7 @@ @@ -497,17 +502,27 @@ index ced57fa..ab9fb82 100644 #ifdef SSH_AUDIT_EVENTS -@@ -36,6 +37,9 @@ +@@ -36,6 +37,11 @@ #include "key.h" #include "hostfile.h" #include "auth.h" +#include "ssh-gss.h" +#include "monitor_wrap.h" +#include "xmalloc.h" ++#include "misc.h" ++#include "servconf.h" /* * Care must be taken when using this since it WILL NOT be initialized when -@@ -71,13 +75,10 @@ audit_classify_auth(const char *method) +@@ -43,6 +49,7 @@ + * audit_event(CONNECTION_ABANDON) is called. Test for NULL before using. + */ + extern Authctxt *the_authctxt; ++extern ServerOptions options; + + /* Maybe add the audit class to struct Authmethod? */ + ssh_audit_event_t +@@ -71,13 +78,10 @@ audit_classify_auth(const char *method) const char * audit_username(void) { @@ -523,7 +538,7 @@ index ced57fa..ab9fb82 100644 return (the_authctxt->user); } -@@ -111,6 +112,40 @@ audit_event_lookup(ssh_audit_event_t ev) +@@ -111,6 +115,40 @@ audit_event_lookup(ssh_audit_event_t ev) return(event_lookup[i].name); } @@ -533,7 +548,7 @@ index ced57fa..ab9fb82 100644 + char *fp; + const char *crypto_name; + -+ fp = key_selected_fingerprint(key, SSH_FP_HEX); ++ fp = key_fingerprint(key, options.fingerprint_hash, SSH_FP_HEX); + if (key->type == KEY_RSA1) + crypto_name = "ssh-rsa1"; + else @@ -550,9 +565,9 @@ index ced57fa..ab9fb82 100644 +} + +void -+audit_kex(int ctos, char *enc, char *mac, char *comp) ++audit_kex(int ctos, char *enc, char *mac, char *comp, char *pfs) +{ -+ PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid())); ++ PRIVSEP(audit_kex_body(ctos, enc, mac, comp, pfs, getpid(), getuid())); +} + +void @@ -564,7 +579,7 @@ index ced57fa..ab9fb82 100644 # ifndef CUSTOM_SSH_AUDIT_EVENTS /* * Null implementations of audit functions. -@@ -140,6 +175,17 @@ audit_event(ssh_audit_event_t event) +@@ -140,6 +178,17 @@ audit_event(ssh_audit_event_t event) } /* @@ -582,7 +597,7 @@ index ced57fa..ab9fb82 100644 * Called when a user session is started. Argument is the tty allocated to * the session, or NULL if no tty was allocated. * -@@ -174,13 +220,91 @@ audit_session_close(struct logininfo *li) +@@ -174,13 +223,91 @@ audit_session_close(struct logininfo *li) /* * This will be called when a user runs a non-interactive command. Note that * it may be called multiple times for a single connection since SSH2 allows @@ -638,11 +653,11 @@ index ced57fa..ab9fb82 100644 + * This will be called on succesfull protocol negotiation. + */ +void -+audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid, ++audit_kex_body(int ctos, char *enc, char *mac, char *compress, char *pfs, pid_t pid, + uid_t uid) +{ -+ debug("audit protocol negotiation euid %d direction %d cipher %s mac %s compresion %s from pid %ld uid %u", -+ (unsigned)geteuid(), ctos, enc, mac, compress, (long)pid, ++ debug("audit protocol negotiation euid %d direction %d cipher %s mac %s compresion %s pfs %s from pid %ld uid %u", ++ (unsigned)geteuid(), ctos, enc, mac, compress, pfs, (long)pid, + (unsigned)uid); +} + @@ -677,7 +692,7 @@ index ced57fa..ab9fb82 100644 # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */ diff --git a/audit.h b/audit.h -index 92ede5b..a2dc3ff 100644 +index 92ede5b..903df66 100644 --- a/audit.h +++ b/audit.h @@ -28,6 +28,7 @@ @@ -706,9 +721,9 @@ index 92ede5b..a2dc3ff 100644 +int audit_keyusage(int, const char *, unsigned, char *, int); +void audit_key(int, int *, const Key *); +void audit_unsupported(int); -+void audit_kex(int, char *, char *, char *); ++void audit_kex(int, char *, char *, char *, char *); +void audit_unsupported_body(int); -+void audit_kex_body(int, char *, char *, char *, pid_t, uid_t); ++void audit_kex_body(int, char *, char *, char *, char *, pid_t, uid_t); +void audit_session_key_free(int ctos); +void audit_session_key_free_body(int ctos, pid_t, uid_t); +void audit_destroy_sensitive_data(const char *, pid_t, uid_t); @@ -717,7 +732,7 @@ index 92ede5b..a2dc3ff 100644 #endif /* _SSH_AUDIT_H */ diff --git a/auditstub.c b/auditstub.c new file mode 100644 -index 0000000..45817e0 +index 0000000..116f460 --- /dev/null +++ b/auditstub.c @@ -0,0 +1,50 @@ @@ -758,7 +773,7 @@ index 0000000..45817e0 +} + +void -+audit_kex(int ctos, char *enc, char *mac, char *comp) ++audit_kex(int ctos, char *enc, char *mac, char *comp, char *pfs) +{ +} + @@ -772,7 +787,7 @@ index 0000000..45817e0 +{ +} diff --git a/auth-rsa.c b/auth-rsa.c -index 5dad6c3..f225b0b 100644 +index ff7a132..1e12515 100644 --- a/auth-rsa.c +++ b/auth-rsa.c @@ -93,7 +93,10 @@ auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16]) @@ -797,7 +812,7 @@ index 5dad6c3..f225b0b 100644 + rv = timingsafe_bcmp(response, mdbuf, 16) == 0; + +#ifdef SSH_AUDIT_EVENTS -+ fp = key_selected_fingerprint(key, SSH_FP_HEX); ++ fp = key_fingerprint(key, options.fingerprint_hash, SSH_FP_HEX); + if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa) * 8, fp, rv) == 0) { + debug("unsuccessful audit"); + rv = 0; @@ -812,10 +827,10 @@ index 5dad6c3..f225b0b 100644 /* diff --git a/auth.c b/auth.c -index 420a85b..d613f8c 100644 +index 5a9acd3..7eba5d4 100644 --- a/auth.c +++ b/auth.c -@@ -628,9 +628,6 @@ getpwnamallow(const char *user) +@@ -642,9 +642,6 @@ getpwnamallow(const char *user) record_failed_login(user, get_canonical_hostname(options.use_dns), "ssh"); #endif @@ -826,10 +841,10 @@ index 420a85b..d613f8c 100644 } if (!allowed_user(pw)) diff --git a/auth.h b/auth.h -index 4605588..f9d191c 100644 +index 847cffd..19fbcf5 100644 --- a/auth.h +++ b/auth.h -@@ -186,6 +186,7 @@ void abandon_challenge_response(Authctxt *); +@@ -187,6 +187,7 @@ void abandon_challenge_response(Authctxt *); char *expand_authorized_keys(const char *, struct passwd *pw); char *authorized_principals_file(struct passwd *); @@ -837,7 +852,7 @@ index 4605588..f9d191c 100644 FILE *auth_openkeyfile(const char *, struct passwd *, int); FILE *auth_openprincipals(const char *, struct passwd *, int); -@@ -203,6 +204,7 @@ Key *get_hostkey_private_by_type(int); +@@ -204,6 +205,7 @@ Key *get_hostkey_private_by_type(int); int get_hostkey_index(Key *); int ssh1_session_key(BIGNUM *); void sshd_hostkey_sign(Key *, Key *, u_char **, u_int *, u_char *, u_int); @@ -846,10 +861,10 @@ index 4605588..f9d191c 100644 /* debug messages during authentication */ void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2))); diff --git a/auth2-hostbased.c b/auth2-hostbased.c -index 95d678e..48aede4 100644 +index 41f1a3f..80d9802 100644 --- a/auth2-hostbased.c +++ b/auth2-hostbased.c -@@ -137,7 +137,7 @@ userauth_hostbased(Authctxt *authctxt) +@@ -138,7 +138,7 @@ userauth_hostbased(Authctxt *authctxt) /* test for allowed key and correct signature */ authenticated = 0; if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) && @@ -858,7 +873,7 @@ index 95d678e..48aede4 100644 buffer_len(&b))) == 1) authenticated = 1; -@@ -154,6 +154,18 @@ done: +@@ -155,6 +155,18 @@ done: return authenticated; } @@ -878,7 +893,7 @@ index 95d678e..48aede4 100644 int hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, diff --git a/auth2-pubkey.c b/auth2-pubkey.c -index cb0f931..6d1c872 100644 +index 269e642..110ec48 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -160,7 +160,7 @@ userauth_pubkey(Authctxt *authctxt) @@ -890,7 +905,7 @@ index cb0f931..6d1c872 100644 buffer_len(&b))) == 1) authenticated = 1; buffer_free(&b); -@@ -231,6 +231,18 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...) +@@ -232,6 +232,18 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...) free(extra); } @@ -907,13 +922,13 @@ index cb0f931..6d1c872 100644 +} + static int - match_principals_option(const char *principal_list, struct KeyCert *cert) + match_principals_option(const char *principal_list, struct sshkey_cert *cert) { diff --git a/auth2.c b/auth2.c -index 426dcd6..436cd60 100644 +index ec4ff8a..9e6e815 100644 --- a/auth2.c +++ b/auth2.c -@@ -249,9 +249,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) +@@ -250,9 +250,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) } else { logit("input_userauth_request: invalid user %s", user); authctxt->pw = fakepw(); @@ -924,14 +939,14 @@ index 426dcd6..436cd60 100644 #ifdef USE_PAM if (options.use_pam) diff --git a/cipher.c b/cipher.c -index 53d9b4f..226e56d 100644 +index 638ca2d..9cc7cf8 100644 --- a/cipher.c +++ b/cipher.c -@@ -57,20 +57,6 @@ extern const EVP_CIPHER *evp_ssh1_bf(void); - extern const EVP_CIPHER *evp_ssh1_3des(void); - extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); +@@ -57,26 +57,6 @@ extern const EVP_CIPHER *evp_ssh1_3des(void); + extern int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); + #endif --struct Cipher { +-struct sshcipher { - char *name; - int number; /* for ssh1 only */ - u_int block_size; @@ -942,22 +957,28 @@ index 53d9b4f..226e56d 100644 - u_int flags; -#define CFLAG_CBC (1<<0) -#define CFLAG_CHACHAPOLY (1<<1) +-#define CFLAG_AESCTR (1<<2) +-#define CFLAG_NONE (1<<3) +-#ifdef WITH_OPENSSL - const EVP_CIPHER *(*evptype)(void); +-#else +- void *ignored; +-#endif -}; - - static const struct Cipher ciphers[] = { - { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, + static const struct sshcipher ciphers[] = { + #ifdef WITH_SSH1 { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, diff --git a/cipher.h b/cipher.h -index 133d2e7..d41758e 100644 +index de74c1e..26ed4cb 100644 --- a/cipher.h +++ b/cipher.h -@@ -63,7 +63,20 @@ - typedef struct Cipher Cipher; - typedef struct CipherContext CipherContext; +@@ -62,7 +62,26 @@ + #define CIPHER_ENCRYPT 1 + #define CIPHER_DECRYPT 0 --struct Cipher; -+struct Cipher { +-struct sshcipher; ++struct sshcipher { + char *name; + int number; /* for ssh1 only */ + u_int block_size; @@ -968,17 +989,23 @@ index 133d2e7..d41758e 100644 + u_int flags; +#define CFLAG_CBC (1<<0) +#define CFLAG_CHACHAPOLY (1<<1) ++#define CFLAG_AESCTR (1<<2) ++#define CFLAG_NONE (1<<3) ++#ifdef WITH_OPENSSL + const EVP_CIPHER *(*evptype)(void); ++#else ++ void *ignored; ++#endif +}; + - struct CipherContext { + struct sshcipher_ctx { int plaintext; int encrypt; diff --git a/kex.c b/kex.c -index bce2ab8..bc3e53e 100644 +index 4563920..e0cf3de 100644 --- a/kex.c +++ b/kex.c -@@ -50,6 +50,7 @@ +@@ -52,6 +52,7 @@ #include "monitor.h" #include "roaming.h" #include "digest.h" @@ -986,7 +1013,7 @@ index bce2ab8..bc3e53e 100644 #ifdef GSSAPI #include "ssh-gss.h" -@@ -366,9 +367,13 @@ static void +@@ -370,9 +371,13 @@ static void choose_enc(Enc *enc, char *client, char *server) { char *name = match_list(client, server, NULL); @@ -1001,7 +1028,7 @@ index bce2ab8..bc3e53e 100644 if ((enc->cipher = cipher_by_name(name)) == NULL) fatal("matching cipher is not supported: %s", name); enc->name = name; -@@ -384,9 +389,13 @@ static void +@@ -388,9 +393,13 @@ static void choose_mac(Mac *mac, char *client, char *server) { char *name = match_list(client, server, NULL); @@ -1016,7 +1043,7 @@ index bce2ab8..bc3e53e 100644 if (mac_setup(mac, name) < 0) fatal("unsupported mac %s", name); /* truncate the key */ -@@ -401,8 +410,12 @@ static void +@@ -405,8 +414,12 @@ static void choose_comp(Comp *comp, char *client, char *server) { char *name = match_list(client, server, NULL); @@ -1030,17 +1057,36 @@ index bce2ab8..bc3e53e 100644 if (strcmp(name, "zlib@openssh.com") == 0) { comp->type = COMP_DELAYED; } else if (strcmp(name, "zlib") == 0) { -@@ -517,6 +530,9 @@ kex_choose_conf(Kex *kex) - newkeys->enc.name, +@@ -522,9 +535,11 @@ kex_choose_conf(Kex *kex) authlen == 0 ? newkeys->mac.name : "", newkeys->comp.name); -+#ifdef SSH_AUDIT_EVENTS -+ audit_kex(ctos, newkeys->enc.name, newkeys->mac.name, newkeys->comp.name); -+#endif } ++ choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]); choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], -@@ -702,3 +718,34 @@ dump_digest(char *msg, u_char *digest, int len) + sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]); ++ + need = dh_need = 0; + for (mode = 0; mode < MODE_MAX; mode++) { + newkeys = kex->newkeys[mode]; +@@ -536,11 +551,16 @@ kex_choose_conf(Kex *kex) + dh_need = MAX(dh_need, newkeys->enc.block_size); + dh_need = MAX(dh_need, newkeys->enc.iv_len); + dh_need = MAX(dh_need, newkeys->mac.key_len); ++ debug("kex: %s need=%d dh_need=%d", kex->name, need, dh_need); ++#ifdef SSH_AUDIT_EVENTS ++ audit_kex(mode, newkeys->enc.name, newkeys->mac.name, newkeys->comp.name, kex->name); ++#endif + } + /* XXX need runden? */ + kex->we_need = need; + kex->dh_need = dh_need; + ++ + /* ignore the next message if the proposals do not match */ + if (first_kex_follows && !proposals_match(my, peer) && + !(datafellows & SSH_BUG_FIRSTKEX)) { +@@ -710,3 +730,34 @@ dump_digest(char *msg, u_char *digest, int len) fprintf(stderr, "\n"); } #endif @@ -1076,7 +1122,7 @@ index bce2ab8..bc3e53e 100644 +} + diff --git a/kex.h b/kex.h -index 313bb51..c643250 100644 +index 1c76c08..e015d27 100644 --- a/kex.h +++ b/kex.h @@ -182,6 +182,8 @@ void kexgss_client(Kex *); @@ -1088,61 +1134,23 @@ index 313bb51..c643250 100644 void kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); -diff --git a/key.c b/key.c -index 900b9e3..62f3edb 100644 ---- a/key.c -+++ b/key.c -@@ -1925,6 +1925,33 @@ key_demote(const Key *k) - } - - int -+key_is_private(const Key *k) -+{ -+ switch (k->type) { -+ case KEY_RSA_CERT_V00: -+ case KEY_RSA_CERT: -+ case KEY_RSA1: -+ case KEY_RSA: -+ return k->rsa->d != NULL; -+ case KEY_DSA_CERT_V00: -+ case KEY_DSA_CERT: -+ case KEY_DSA: -+ return k->dsa->priv_key != NULL; -+#ifdef OPENSSL_HAS_ECC -+ case KEY_ECDSA_CERT: -+ case KEY_ECDSA: -+ return EC_KEY_get0_private_key(k->ecdsa) != NULL; -+#endif -+ case KEY_ED25519_CERT: -+ case KEY_ED25519: -+ return (k->ed25519_pk != NULL); -+ default: -+ fatal("key_is_private: bad key type %d", k->type); -+ return 1; -+ } -+} -+ -+int - key_is_cert(const Key *k) - { - if (k == NULL) diff --git a/key.h b/key.h -index d51ed81..8f61605 100644 +index e1a3625..4a90e1e 100644 --- a/key.h +++ b/key.h -@@ -118,6 +118,7 @@ Key *key_generate(int, u_int); - Key *key_from_private(const Key *); - int key_type_from_name(char *); - int key_is_cert(const Key *); -+int key_is_private(const Key *k); - int key_type_is_cert(int); - int key_type_plain(int); - int key_to_certified(Key *, int); +@@ -52,6 +52,7 @@ typedef struct sshkey Key; + #define key_ecdsa_key_to_nid sshkey_ecdsa_key_to_nid + #define key_names_valid2 sshkey_names_valid2 + #define key_is_cert sshkey_is_cert ++#define key_is_private sshkey_is_private + #define key_type_plain sshkey_type_plain + #define key_cert_is_legacy sshkey_cert_is_legacy + #define key_curve_name_to_nid sshkey_curve_name_to_nid diff --git a/mac.c b/mac.c -index 0977572..9388af4 100644 +index 402dc98..fd07bf2 100644 --- a/mac.c +++ b/mac.c -@@ -222,6 +222,20 @@ mac_clear(Mac *mac) +@@ -223,6 +223,20 @@ mac_clear(Mac *mac) mac->umac_ctx = NULL; } @@ -1173,10 +1181,10 @@ index fbe18c4..7dc7f43 100644 void mac_clear(Mac *); +void mac_destroy(Mac *); diff --git a/monitor.c b/monitor.c -index 8b18086..5a65114 100644 +index d97e640..07fa655 100644 --- a/monitor.c +++ b/monitor.c -@@ -97,6 +97,7 @@ +@@ -100,6 +100,7 @@ #include "ssh2.h" #include "roaming.h" #include "authfd.h" @@ -1184,7 +1192,7 @@ index 8b18086..5a65114 100644 #ifdef GSSAPI static Gssctxt *gsscontext = NULL; -@@ -113,6 +114,8 @@ extern Buffer auth_debug; +@@ -116,6 +117,8 @@ extern Buffer auth_debug; extern int auth_debug_init; extern Buffer loginmsg; @@ -1193,7 +1201,7 @@ index 8b18086..5a65114 100644 /* State exported from the child */ struct { -@@ -185,6 +188,11 @@ int mm_answer_gss_updatecreds(int, Buffer *); +@@ -188,6 +191,11 @@ int mm_answer_gss_updatecreds(int, Buffer *); #ifdef SSH_AUDIT_EVENTS int mm_answer_audit_event(int, Buffer *); int mm_answer_audit_command(int, Buffer *); @@ -1205,7 +1213,7 @@ index 8b18086..5a65114 100644 #endif static int monitor_read_log(struct monitor *); -@@ -239,6 +247,10 @@ struct mon_table mon_dispatch_proto20[] = { +@@ -247,6 +255,10 @@ struct mon_table mon_dispatch_proto20[] = { #endif #ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, @@ -1216,7 +1224,7 @@ index 8b18086..5a65114 100644 #endif #ifdef BSD_AUTH {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, -@@ -274,6 +286,11 @@ struct mon_table mon_dispatch_postauth20[] = { +@@ -285,6 +297,11 @@ struct mon_table mon_dispatch_postauth20[] = { #ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, @@ -1228,7 +1236,7 @@ index 8b18086..5a65114 100644 #endif {0, 0, NULL} }; -@@ -305,6 +322,10 @@ struct mon_table mon_dispatch_proto15[] = { +@@ -317,6 +334,10 @@ struct mon_table mon_dispatch_proto15[] = { #endif #ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, @@ -1237,9 +1245,9 @@ index 8b18086..5a65114 100644 + {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body}, + {MONITOR_REQ_AUDIT_SERVER_KEY_FREE, MON_PERMIT, mm_answer_audit_server_key_free}, #endif + #endif /* WITH_SSH1 */ {0, 0, NULL} - }; -@@ -316,6 +337,11 @@ struct mon_table mon_dispatch_postauth15[] = { +@@ -330,6 +351,11 @@ struct mon_table mon_dispatch_postauth15[] = { #ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, @@ -1249,9 +1257,9 @@ index 8b18086..5a65114 100644 + {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body}, + {MONITOR_REQ_AUDIT_SERVER_KEY_FREE, MON_PERMIT, mm_answer_audit_server_key_free}, #endif + #endif /* WITH_SSH1 */ {0, 0, NULL} - }; -@@ -1393,9 +1419,11 @@ mm_answer_keyverify(int sock, Buffer *m) +@@ -1416,9 +1442,11 @@ mm_answer_keyverify(int sock, Buffer *m) Key *key; u_char *signature, *data, *blob; u_int signaturelen, datalen, bloblen; @@ -1263,7 +1271,7 @@ index 8b18086..5a65114 100644 blob = buffer_get_string(m, &bloblen); signature = buffer_get_string(m, &signaturelen); data = buffer_get_string(m, &datalen); -@@ -1403,6 +1431,8 @@ mm_answer_keyverify(int sock, Buffer *m) +@@ -1426,6 +1454,8 @@ mm_answer_keyverify(int sock, Buffer *m) if (hostbased_cuser == NULL || hostbased_chost == NULL || !monitor_allowed_key(blob, bloblen)) fatal("%s: bad key, not previously allowed", __func__); @@ -1272,7 +1280,7 @@ index 8b18086..5a65114 100644 key = key_from_blob(blob, bloblen); if (key == NULL) -@@ -1423,7 +1453,17 @@ mm_answer_keyverify(int sock, Buffer *m) +@@ -1446,7 +1476,17 @@ mm_answer_keyverify(int sock, Buffer *m) if (!valid_data) fatal("%s: bad signature data blob", __func__); @@ -1291,7 +1299,7 @@ index 8b18086..5a65114 100644 debug3("%s: key %p signature %s", __func__, key, (verified == 1) ? "verified" : "unverified"); -@@ -1476,6 +1516,12 @@ mm_session_close(Session *s) +@@ -1499,6 +1539,12 @@ mm_session_close(Session *s) debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd); session_pty_cleanup2(s); } @@ -1304,7 +1312,7 @@ index 8b18086..5a65114 100644 session_unused(s->self); } -@@ -1756,6 +1802,8 @@ mm_answer_term(int sock, Buffer *req) +@@ -1781,6 +1827,8 @@ mm_answer_term(int sock, Buffer *req) sshpam_cleanup(); #endif @@ -1313,7 +1321,7 @@ index 8b18086..5a65114 100644 while (waitpid(pmonitor->m_pid, &status, 0) == -1) if (errno != EINTR) exit(1); -@@ -1798,11 +1846,43 @@ mm_answer_audit_command(int socket, Buffer *m) +@@ -1823,11 +1871,43 @@ mm_answer_audit_command(int socket, Buffer *m) { u_int len; char *cmd; @@ -1358,7 +1366,7 @@ index 8b18086..5a65114 100644 free(cmd); return (0); } -@@ -1946,11 +2026,13 @@ mm_get_keystate(struct monitor *pmonitor) +@@ -1975,11 +2055,13 @@ mm_get_keystate(struct monitor *pmonitor) blob = buffer_get_string(&m, &bloblen); current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen); @@ -1372,7 +1380,7 @@ index 8b18086..5a65114 100644 free(blob); /* Now get sequence numbers for the packets */ -@@ -1996,6 +2078,21 @@ mm_get_keystate(struct monitor *pmonitor) +@@ -2025,6 +2107,21 @@ mm_get_keystate(struct monitor *pmonitor) } buffer_free(&m); @@ -1394,7 +1402,7 @@ index 8b18086..5a65114 100644 } -@@ -2277,3 +2374,85 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) { +@@ -2321,3 +2418,87 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) { #endif /* GSSAPI */ @@ -1418,7 +1426,7 @@ index 8b18086..5a65114 100644 +mm_answer_audit_kex_body(int sock, Buffer *m) +{ + int ctos, len; -+ char *cipher, *mac, *compress; ++ char *cipher, *mac, *compress, *pfs; + pid_t pid; + uid_t uid; + @@ -1426,14 +1434,16 @@ index 8b18086..5a65114 100644 + cipher = buffer_get_string(m, &len); + mac = buffer_get_string(m, &len); + compress = buffer_get_string(m, &len); ++ pfs = buffer_get_string(m, &len); + pid = buffer_get_int64(m); + uid = buffer_get_int64(m); + -+ audit_kex_body(ctos, cipher, mac, compress, pid, uid); ++ audit_kex_body(ctos, cipher, mac, compress, pfs, pid, uid); + + free(cipher); + free(mac); + free(compress); ++ free(pfs); + buffer_clear(m); + + mm_request_send(sock, MONITOR_ANS_AUDIT_KEX, m); @@ -1481,7 +1491,7 @@ index 8b18086..5a65114 100644 +} +#endif /* SSH_AUDIT_EVENTS */ diff --git a/monitor.h b/monitor.h -index ff79fbb..6dfb234 100644 +index 00c2028..cc8da6a 100644 --- a/monitor.h +++ b/monitor.h @@ -69,7 +69,13 @@ enum monitor_reqtype { @@ -1500,10 +1510,10 @@ index ff79fbb..6dfb234 100644 }; diff --git a/monitor_wrap.c b/monitor_wrap.c -index d1e1caa..6df236a 100644 +index 7e991e6..ba4ecd7 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c -@@ -450,7 +450,7 @@ mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key) +@@ -456,7 +456,7 @@ mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key) */ int @@ -1512,7 +1522,7 @@ index d1e1caa..6df236a 100644 { Buffer m; u_char *blob; -@@ -464,6 +464,7 @@ mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen) +@@ -470,6 +470,7 @@ mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen) return (0); buffer_init(&m); @@ -1520,7 +1530,7 @@ index d1e1caa..6df236a 100644 buffer_put_string(&m, blob, len); buffer_put_string(&m, sig, siglen); buffer_put_string(&m, data, datalen); -@@ -481,6 +482,19 @@ mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen) +@@ -487,6 +488,19 @@ mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen) return (verified); } @@ -1540,7 +1550,7 @@ index d1e1caa..6df236a 100644 /* Export key state after authentication */ Newkeys * mm_newkeys_from_blob(u_char *blob, int blen) -@@ -659,12 +673,14 @@ mm_send_keystate(struct monitor *monitor) +@@ -665,12 +679,14 @@ mm_send_keystate(struct monitor *monitor) fatal("%s: conversion of newkeys failed", __func__); buffer_put_string(&m, blob, bloblen); @@ -1555,7 +1565,7 @@ index d1e1caa..6df236a 100644 free(blob); packet_get_state(MODE_OUT, &seqnr, &blocks, &packets, &bytes); -@@ -1208,10 +1224,11 @@ mm_audit_event(ssh_audit_event_t event) +@@ -1218,10 +1234,11 @@ mm_audit_event(ssh_audit_event_t event) buffer_free(&m); } @@ -1568,7 +1578,7 @@ index d1e1caa..6df236a 100644 debug3("%s entering command %s", __func__, command); -@@ -1219,6 +1236,26 @@ mm_audit_run_command(const char *command) +@@ -1229,6 +1246,26 @@ mm_audit_run_command(const char *command) buffer_put_cstring(&m, command); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m); @@ -1595,7 +1605,7 @@ index d1e1caa..6df236a 100644 buffer_free(&m); } #endif /* SSH_AUDIT_EVENTS */ -@@ -1354,3 +1391,71 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store) +@@ -1364,3 +1401,72 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store) #endif /* GSSAPI */ @@ -1616,7 +1626,7 @@ index d1e1caa..6df236a 100644 +} + +void -+mm_audit_kex_body(int ctos, char *cipher, char *mac, char *compress, pid_t pid, ++mm_audit_kex_body(int ctos, char *cipher, char *mac, char *compress, char *fps, pid_t pid, + uid_t uid) +{ + Buffer m; @@ -1626,6 +1636,7 @@ index d1e1caa..6df236a 100644 + buffer_put_cstring(&m, cipher); + buffer_put_cstring(&m, (mac ? mac : "")); + buffer_put_cstring(&m, compress); ++ buffer_put_cstring(&m, fps); + buffer_put_int64(&m, pid); + buffer_put_int64(&m, uid); + @@ -1668,7 +1679,7 @@ index d1e1caa..6df236a 100644 +} +#endif /* SSH_AUDIT_EVENTS */ diff --git a/monitor_wrap.h b/monitor_wrap.h -index 93929e0..4cf0c78 100644 +index 93929e0..e43109f 100644 --- a/monitor_wrap.h +++ b/monitor_wrap.h @@ -52,7 +52,8 @@ int mm_key_allowed(enum mm_keytype, char *, char *, Key *); @@ -1689,14 +1700,14 @@ index 93929e0..4cf0c78 100644 +int mm_audit_run_command(const char *); +void mm_audit_end_command(int, const char *); +void mm_audit_unsupported_body(int); -+void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t); ++void mm_audit_kex_body(int, char *, char *, char *, char *, pid_t, uid_t); +void mm_audit_session_key_free_body(int, pid_t, uid_t); +void mm_audit_destroy_sensitive_data(const char *, pid_t, uid_t); #endif struct Session; diff --git a/packet.c b/packet.c -index 660a9fc..f5b122b 100644 +index 9b7abd1..f1e00f7 100644 --- a/packet.c +++ b/packet.c @@ -61,6 +61,7 @@ @@ -1707,7 +1718,7 @@ index 660a9fc..f5b122b 100644 #include "buffer.h" #include "packet.h" #include "crc32.h" -@@ -476,6 +477,13 @@ packet_get_connection_out(void) +@@ -483,6 +484,13 @@ packet_get_connection_out(void) return active_state->connection_out; } @@ -1721,7 +1732,7 @@ index 660a9fc..f5b122b 100644 /* Closes the connection and clears and frees internal data structures. */ void -@@ -484,13 +492,6 @@ packet_close(void) +@@ -491,13 +499,6 @@ packet_close(void) if (!active_state->initialized) return; active_state->initialized = 0; @@ -1735,7 +1746,7 @@ index 660a9fc..f5b122b 100644 buffer_free(&active_state->input); buffer_free(&active_state->output); buffer_free(&active_state->outgoing_packet); -@@ -499,8 +500,18 @@ packet_close(void) +@@ -506,8 +507,18 @@ packet_close(void) buffer_free(&active_state->compression_buffer); buffer_compress_uninit(); } @@ -1756,7 +1767,7 @@ index 660a9fc..f5b122b 100644 } /* Sets remote side protocol flags. */ -@@ -736,6 +747,25 @@ packet_send1(void) +@@ -747,6 +758,25 @@ packet_send1(void) */ } @@ -1782,7 +1793,7 @@ index 660a9fc..f5b122b 100644 void set_newkeys(int mode) { -@@ -761,6 +791,7 @@ set_newkeys(int mode) +@@ -772,6 +802,7 @@ set_newkeys(int mode) } if (active_state->newkeys[mode] != NULL) { debug("set_newkeys: rekeying"); @@ -1790,7 +1801,7 @@ index 660a9fc..f5b122b 100644 cipher_cleanup(cc); enc = &active_state->newkeys[mode]->enc; mac = &active_state->newkeys[mode]->mac; -@@ -2011,6 +2042,47 @@ packet_get_newkeys(int mode) +@@ -2025,6 +2056,47 @@ packet_get_newkeys(int mode) return (void *)active_state->newkeys[mode]; } @@ -1838,7 +1849,7 @@ index 660a9fc..f5b122b 100644 /* * Save the state for the real connection, and use a separate state when * resuming a suspended connection. -@@ -2018,18 +2090,12 @@ packet_get_newkeys(int mode) +@@ -2032,18 +2104,12 @@ packet_get_newkeys(int mode) void packet_backup_state(void) { @@ -1858,7 +1869,7 @@ index 660a9fc..f5b122b 100644 } /* -@@ -2046,9 +2112,7 @@ packet_restore_state(void) +@@ -2060,9 +2126,7 @@ packet_restore_state(void) backup_state = active_state; active_state = tmp; active_state->connection_in = backup_state->connection_in; @@ -1868,7 +1879,7 @@ index 660a9fc..f5b122b 100644 len = buffer_len(&backup_state->input); if (len > 0) { buf = buffer_ptr(&backup_state->input); -@@ -2056,4 +2120,10 @@ packet_restore_state(void) +@@ -2070,6 +2134,11 @@ packet_restore_state(void) buffer_clear(&backup_state->input); add_recv_bytes(len); } @@ -1878,19 +1889,20 @@ index 660a9fc..f5b122b 100644 + free(backup_state); + backup_state = NULL; } -+ + + /* Reset after_authentication and reset compression in post-auth privsep */ diff --git a/packet.h b/packet.h -index f8edf85..c36c812 100644 +index e7b5fcb..45a6ce6 100644 --- a/packet.h +++ b/packet.h -@@ -124,4 +124,5 @@ void packet_restore_state(void); +@@ -125,4 +125,5 @@ void packet_set_postauth(void); void *packet_get_input(void); void *packet_get_output(void); +void packet_destroy_all(int, int); #endif /* PACKET_H */ diff --git a/session.c b/session.c -index df43592..b186ca1 100644 +index 40a681e..acd87d5 100644 --- a/session.c +++ b/session.c @@ -138,7 +138,7 @@ extern int log_stderr; @@ -1902,7 +1914,7 @@ index df43592..b186ca1 100644 extern Buffer loginmsg; /* original command from peer. */ -@@ -746,6 +746,14 @@ do_exec_pty(Session *s, const char *command) +@@ -730,6 +730,14 @@ do_exec_pty(Session *s, const char *command) /* Parent. Close the slave side of the pseudo tty. */ close(ttyfd); @@ -1917,7 +1929,7 @@ index df43592..b186ca1 100644 /* Enter interactive session. */ s->ptymaster = ptymaster; packet_set_interactive(1, -@@ -863,15 +871,19 @@ do_exec(Session *s, const char *command) +@@ -852,15 +860,19 @@ do_exec(Session *s, const char *command) get_remote_port()); #ifdef SSH_AUDIT_EVENTS @@ -1939,7 +1951,7 @@ index df43592..b186ca1 100644 #endif if (s->ttyfd != -1) ret = do_exec_pty(s, command); -@@ -1708,7 +1720,10 @@ do_child(Session *s, const char *command) +@@ -1703,7 +1715,10 @@ do_child(Session *s, const char *command) int r = 0; /* remove hostkey from the child's memory */ @@ -2073,10 +2085,10 @@ index 6a2f35e..e9b312e 100644 void session_close(Session *); void do_setusercontext(struct passwd *); diff --git a/sshd.c b/sshd.c -index 8a0740a..2813aa2 100644 +index ca55d7f..db23ce2 100644 --- a/sshd.c +++ b/sshd.c -@@ -119,6 +119,7 @@ +@@ -120,6 +120,7 @@ #endif #include "monitor_wrap.h" #include "roaming.h" @@ -2084,7 +2096,7 @@ index 8a0740a..2813aa2 100644 #include "ssh-sandbox.h" #include "version.h" -@@ -264,7 +265,7 @@ Buffer loginmsg; +@@ -254,7 +255,7 @@ Buffer loginmsg; struct passwd *privsep_pw = NULL; /* Prototypes for various functions defined later in this file. */ @@ -2092,8 +2104,8 @@ index 8a0740a..2813aa2 100644 +void destroy_sensitive_data(int); void demote_sensitive_data(void); - static void do_ssh1_kex(void); -@@ -283,6 +284,15 @@ close_listen_socks(void) + #ifdef WITH_SSH1 +@@ -275,6 +276,15 @@ close_listen_socks(void) num_listen_socks = -1; } @@ -2109,7 +2121,7 @@ index 8a0740a..2813aa2 100644 static void close_startup_pipes(void) { -@@ -562,22 +572,45 @@ sshd_exchange_identification(int sock_in, int sock_out) +@@ -554,22 +564,45 @@ sshd_exchange_identification(int sock_in, int sock_out) } } @@ -2137,7 +2149,7 @@ index 8a0740a..2813aa2 100644 + char *fp; + + if (key_is_private(sensitive_data.host_keys[i])) -+ fp = key_selected_fingerprint(sensitive_data.host_keys[i], SSH_FP_HEX); ++ fp = key_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX); + else + fp = NULL; key_free(sensitive_data.host_keys[i]); @@ -2158,7 +2170,7 @@ index 8a0740a..2813aa2 100644 key_free(sensitive_data.host_certificates[i]); sensitive_data.host_certificates[i] = NULL; } -@@ -591,6 +624,8 @@ void +@@ -583,6 +616,8 @@ void demote_sensitive_data(void) { Key *tmp; @@ -2167,7 +2179,7 @@ index 8a0740a..2813aa2 100644 int i; if (sensitive_data.server_key) { -@@ -599,13 +634,25 @@ demote_sensitive_data(void) +@@ -591,13 +626,25 @@ demote_sensitive_data(void) sensitive_data.server_key = tmp; } @@ -2178,7 +2190,7 @@ index 8a0740a..2813aa2 100644 + char *fp; + + if (key_is_private(sensitive_data.host_keys[i])) -+ fp = key_selected_fingerprint(sensitive_data.host_keys[i], SSH_FP_HEX); ++ fp = key_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX); + else + fp = NULL; tmp = key_demote(sensitive_data.host_keys[i]); @@ -2193,7 +2205,7 @@ index 8a0740a..2813aa2 100644 } /* Certs do not need demotion */ } -@@ -675,7 +722,7 @@ privsep_preauth(Authctxt *authctxt) +@@ -667,7 +714,7 @@ privsep_preauth(Authctxt *authctxt) if (use_privsep == PRIVSEP_ON) box = ssh_sandbox_init(pmonitor); @@ -2202,7 +2214,7 @@ index 8a0740a..2813aa2 100644 if (pid == -1) { fatal("fork of unprivileged child failed"); } else if (pid != 0) { -@@ -729,6 +776,8 @@ privsep_preauth(Authctxt *authctxt) +@@ -721,6 +768,8 @@ privsep_preauth(Authctxt *authctxt) } } @@ -2211,7 +2223,7 @@ index 8a0740a..2813aa2 100644 static void privsep_postauth(Authctxt *authctxt) { -@@ -753,6 +802,10 @@ privsep_postauth(Authctxt *authctxt) +@@ -745,6 +794,10 @@ privsep_postauth(Authctxt *authctxt) else if (pmonitor->m_pid != 0) { verbose("User child is on pid %ld", (long)pmonitor->m_pid); buffer_clear(&loginmsg); @@ -2222,7 +2234,7 @@ index 8a0740a..2813aa2 100644 monitor_child_postauth(pmonitor); /* NEVERREACHED */ -@@ -1211,6 +1264,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) +@@ -1222,6 +1275,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) if (received_sigterm) { logit("Received signal %d; terminating.", (int) received_sigterm); @@ -2230,7 +2242,7 @@ index 8a0740a..2813aa2 100644 close_listen_socks(); unlink(options.pid_file); exit(received_sigterm == SIGTERM ? 0 : 255); -@@ -2134,6 +2188,7 @@ main(int ac, char **av) +@@ -2141,6 +2195,7 @@ main(int ac, char **av) */ if (use_privsep) { mm_send_keystate(pmonitor); @@ -2238,7 +2250,7 @@ index 8a0740a..2813aa2 100644 exit(0); } -@@ -2179,7 +2234,7 @@ main(int ac, char **av) +@@ -2186,7 +2241,7 @@ main(int ac, char **av) privsep_postauth(authctxt); /* the monitor process [priv] will not return */ if (!compat20) @@ -2247,7 +2259,7 @@ index 8a0740a..2813aa2 100644 } packet_set_timeout(options.client_alive_interval, -@@ -2189,6 +2244,9 @@ main(int ac, char **av) +@@ -2196,6 +2251,9 @@ main(int ac, char **av) do_authenticated(authctxt); /* The connection has been terminated. */ @@ -2257,18 +2269,18 @@ index 8a0740a..2813aa2 100644 packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes); packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes); verbose("Transferred: sent %llu, received %llu bytes", -@@ -2346,6 +2404,10 @@ do_ssh1_kex(void) +@@ -2355,6 +2413,10 @@ do_ssh1_kex(void) if (cookie[i] != packet_get_char()) packet_disconnect("IP Spoofing check bytes do not match."); +#ifdef SSH_AUDIT_EVENTS -+ audit_kex(2, cipher_name(cipher_type), "crc", "none"); ++ audit_kex(2, cipher_name(cipher_type), "crc", "none", "none"); +#endif + debug("Encryption type: %.200s", cipher_name(cipher_type)); /* Get the encrypted integer. */ -@@ -2418,7 +2480,7 @@ do_ssh1_kex(void) +@@ -2427,7 +2489,7 @@ do_ssh1_kex(void) session_id[i] = session_key[i] ^ session_key[i + 16]; } /* Destroy the private and public keys. No longer. */ @@ -2277,7 +2289,7 @@ index 8a0740a..2813aa2 100644 if (use_privsep) mm_ssh1_session_id(session_id); -@@ -2584,6 +2646,16 @@ do_ssh2_kex(void) +@@ -2598,6 +2660,16 @@ do_ssh2_kex(void) void cleanup_exit(int i) { @@ -2293,8 +2305,8 @@ index 8a0740a..2813aa2 100644 + if (the_authctxt) { do_cleanup(the_authctxt); - if (use_privsep && privsep_is_preauth && pmonitor->m_pid > 1) { -@@ -2594,9 +2666,14 @@ cleanup_exit(int i) + if (use_privsep && privsep_is_preauth && +@@ -2609,9 +2681,14 @@ cleanup_exit(int i) pmonitor->m_pid, strerror(errno)); } } @@ -2310,3 +2322,53 @@ index 8a0740a..2813aa2 100644 audit_event(SSH_CONNECTION_ABANDON); #endif _exit(i); +diff --git a/sshkey.c b/sshkey.c +index 70df758..f078e11 100644 +--- a/sshkey.c ++++ b/sshkey.c +@@ -291,6 +291,33 @@ sshkey_type_is_valid_ca(int type) + } + + int ++sshkey_is_private(const struct sshkey *k) ++{ ++ switch (k->type) { ++ case KEY_RSA_CERT_V00: ++ case KEY_RSA_CERT: ++ case KEY_RSA1: ++ case KEY_RSA: ++ return k->rsa->d != NULL; ++ case KEY_DSA_CERT_V00: ++ case KEY_DSA_CERT: ++ case KEY_DSA: ++ return k->dsa->priv_key != NULL; ++#ifdef OPENSSL_HAS_ECC ++ case KEY_ECDSA_CERT: ++ case KEY_ECDSA: ++ return EC_KEY_get0_private_key(k->ecdsa) != NULL; ++#endif ++ case KEY_ED25519_CERT: ++ case KEY_ED25519: ++ return (k->ed25519_pk != NULL); ++ default: ++ /* fatal("key_is_private: bad key type %d", k->type); */ ++ return 0; ++ } ++} ++ ++int + sshkey_is_cert(const struct sshkey *k) + { + if (k == NULL) +diff --git a/sshkey.h b/sshkey.h +index 4554b09..226a494 100644 +--- a/sshkey.h ++++ b/sshkey.h +@@ -134,6 +134,7 @@ u_int sshkey_size(const struct sshkey *); + int sshkey_generate(int type, u_int bits, struct sshkey **keyp); + int sshkey_from_private(const struct sshkey *, struct sshkey **); + int sshkey_type_from_name(const char *); ++int sshkey_is_private(const struct sshkey *); + int sshkey_is_cert(const struct sshkey *); + int sshkey_type_is_cert(int); + int sshkey_type_plain(int); diff --git a/openssh-6.7p1-fingerprint.patch b/openssh-6.7p1-fingerprint.patch index da798dd..d29fc9b 100644 --- a/openssh-6.7p1-fingerprint.patch +++ b/openssh-6.7p1-fingerprint.patch @@ -1,13 +1,47 @@ -diff -up openssh-6.7p1/auth2-hostbased.c.fingerprint openssh-6.7p1/auth2-hostbased.c ---- openssh-6.7p1/auth2-hostbased.c.fingerprint 2014-07-18 06:11:25.000000000 +0200 -+++ openssh-6.7p1/auth2-hostbased.c 2014-12-22 13:10:57.961878113 +0100 +diff --git a/auth-rsa.c b/auth-rsa.c +index e9f4ede..ff7a132 100644 +--- a/auth-rsa.c ++++ b/auth-rsa.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: auth-rsa.c,v 1.88 2014/07/15 15:54:14 millert Exp $ */ ++/* $OpenBSD: auth-rsa.c,v 1.89 2014/12/21 22:27:56 djm Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -236,7 +236,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file, + "actual %d vs. announced %d.", + file, linenum, BN_num_bits(key->rsa->n), bits); + +- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); ++ fp = key_fingerprint(key, options.fingerprint_hash, ++ SSH_FP_DEFAULT); + debug("matching key found: file %s, line %lu %s %s", + file, linenum, key_type(key), fp); + free(fp); +diff --git a/auth.c b/auth.c +index 5e60682..5a9acd3 100644 +--- a/auth.c ++++ b/auth.c +@@ -702,7 +702,7 @@ auth_key_is_revoked(Key *key) + case 1: + revoked: + /* Key revoked */ +- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); ++ key_fp = key_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT); + error("WARNING: authentication attempt with a revoked " + "%s key %s ", key_type(key), key_fp); + free(key_fp); +diff --git a/auth2-hostbased.c b/auth2-hostbased.c +index 6787e4c..b7ae353 100644 +--- a/auth2-hostbased.c ++++ b/auth2-hostbased.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-hostbased.c,v 1.18 2014/07/15 15:54:14 millert Exp $ */ +/* $OpenBSD: auth2-hostbased.c,v 1.19 2014/12/21 22:27:56 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * -@@ -208,13 +208,14 @@ hostbased_key_allowed(struct passwd *pw, +@@ -208,13 +208,14 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, if (host_status == HOST_OK) { if (key_is_cert(key)) { fp = key_fingerprint(key->cert->signature_key, @@ -24,10 +58,11 @@ diff -up openssh-6.7p1/auth2-hostbased.c.fingerprint openssh-6.7p1/auth2-hostbas verbose("Accepted %s public key %s from %s@%s", key_type(key), fp, cuser, lookup); } -diff -up openssh-6.7p1/auth2-pubkey.c.fingerprint openssh-6.7p1/auth2-pubkey.c ---- openssh-6.7p1/auth2-pubkey.c.fingerprint 2014-07-18 06:11:25.000000000 +0200 -+++ openssh-6.7p1/auth2-pubkey.c 2014-12-22 13:13:56.446258343 +0100 -@@ -213,7 +213,7 @@ pubkey_auth_info(Authctxt *authctxt, con +diff --git a/auth2-pubkey.c b/auth2-pubkey.c +index f3ca965..3f4f789 100644 +--- a/auth2-pubkey.c ++++ b/auth2-pubkey.c +@@ -213,7 +213,7 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...) if (key_is_cert(key)) { fp = key_fingerprint(key->cert->signature_key, @@ -36,7 +71,7 @@ diff -up openssh-6.7p1/auth2-pubkey.c.fingerprint openssh-6.7p1/auth2-pubkey.c auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s", key_type(key), key->cert->key_id, (unsigned long long)key->cert->serial, -@@ -221,7 +221,8 @@ pubkey_auth_info(Authctxt *authctxt, con +@@ -221,7 +221,8 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...) extra == NULL ? "" : ", ", extra == NULL ? "" : extra); free(fp); } else { @@ -46,7 +81,7 @@ diff -up openssh-6.7p1/auth2-pubkey.c.fingerprint openssh-6.7p1/auth2-pubkey.c auth_info(authctxt, "%s %s%s%s", key_type(key), fp, extra == NULL ? "" : ", ", extra == NULL ? "" : extra); free(fp); -@@ -365,8 +366,8 @@ check_authkeys_file(FILE *f, char *file, +@@ -365,8 +366,8 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) continue; if (!key_is_cert_authority) continue; @@ -57,7 +92,7 @@ diff -up openssh-6.7p1/auth2-pubkey.c.fingerprint openssh-6.7p1/auth2-pubkey.c debug("matching CA found: file %s, line %lu, %s %s", file, linenum, key_type(found), fp); /* -@@ -406,7 +407,8 @@ check_authkeys_file(FILE *f, char *file, +@@ -406,7 +407,8 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) if (key_is_cert_authority) continue; found_key = 1; @@ -67,7 +102,7 @@ diff -up openssh-6.7p1/auth2-pubkey.c.fingerprint openssh-6.7p1/auth2-pubkey.c debug("matching key found: file %s, line %lu %s %s", file, linenum, key_type(found), fp); free(fp); -@@ -432,7 +434,7 @@ user_cert_trusted_ca(struct passwd *pw, +@@ -432,7 +434,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) return 0; ca_fp = key_fingerprint(key->cert->signature_key, @@ -76,62 +111,10 @@ diff -up openssh-6.7p1/auth2-pubkey.c.fingerprint openssh-6.7p1/auth2-pubkey.c if (key_in_file(key->cert->signature_key, options.trusted_user_ca_keys, 1) != 1) { -diff -up openssh-6.7p1/auth.c.fingerprint openssh-6.7p1/auth.c ---- openssh-6.7p1/auth.c.fingerprint 2014-12-22 13:10:57.961878113 +0100 -+++ openssh-6.7p1/auth.c 2014-12-22 13:27:18.105463774 +0100 -@@ -702,7 +702,7 @@ auth_key_is_revoked(Key *key) - case 1: - revoked: - /* Key revoked */ -- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); -+ key_fp = key_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT); - error("WARNING: authentication attempt with a revoked " - "%s key %s ", key_type(key), key_fp); - free(key_fp); -diff -up openssh-6.7p1/auth-rsa.c.fingerprint openssh-6.7p1/auth-rsa.c ---- openssh-6.7p1/auth-rsa.c.fingerprint 2014-07-18 06:11:25.000000000 +0200 -+++ openssh-6.7p1/auth-rsa.c 2014-12-22 13:10:57.960878116 +0100 -@@ -1,4 +1,4 @@ --/* $OpenBSD: auth-rsa.c,v 1.88 2014/07/15 15:54:14 millert Exp $ */ -+/* $OpenBSD: auth-rsa.c,v 1.89 2014/12/21 22:27:56 djm Exp $ */ - /* - * Author: Tatu Ylonen - * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland -@@ -236,7 +236,8 @@ rsa_key_allowed_in_file(struct passwd *p - "actual %d vs. announced %d.", - file, linenum, BN_num_bits(key->rsa->n), bits); - -- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); -+ fp = key_fingerprint(key, options.fingerprint_hash, -+ SSH_FP_DEFAULT); - debug("matching key found: file %s, line %lu %s %s", - file, linenum, key_type(key), fp); - free(fp); -diff -up openssh-6.7p1/digest.h.fingerprint openssh-6.7p1/digest.h ---- openssh-6.7p1/digest.h.fingerprint 2014-07-03 13:25:04.000000000 +0200 -+++ openssh-6.7p1/digest.h 2014-12-22 13:10:57.961878113 +0100 -@@ -1,4 +1,4 @@ --/* $OpenBSD: digest.h,v 1.6 2014/07/03 04:36:45 djm Exp $ */ -+/* $OpenBSD: digest.h,v 1.7 2014/12/21 22:27:56 djm Exp $ */ - /* - * Copyright (c) 2013 Damien Miller - * -@@ -33,6 +33,12 @@ - struct sshbuf; - struct ssh_digest_ctx; - -+/* Looks up a digest algorithm by name */ -+int ssh_digest_alg_by_name(const char *name); -+ -+/* Returns the algorithm name for a digest identifier */ -+const char *ssh_digest_alg_name(int alg); -+ - /* Returns the algorithm's digest length in bytes or 0 for invalid algorithm */ - size_t ssh_digest_bytes(int alg); - -diff -up openssh-6.7p1/digest-libc.c.fingerprint openssh-6.7p1/digest-libc.c ---- openssh-6.7p1/digest-libc.c.fingerprint 2014-07-02 07:28:03.000000000 +0200 -+++ openssh-6.7p1/digest-libc.c 2014-12-22 13:10:57.961878113 +0100 +diff --git a/digest-libc.c b/digest-libc.c +index 1b4423a..169ded0 100644 +--- a/digest-libc.c ++++ b/digest-libc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: digest-libc.c,v 1.3 2014/06/24 01:13:21 djm Exp $ */ +/* $OpenBSD: digest-libc.c,v 1.4 2014/12/21 22:27:56 djm Exp $ */ @@ -165,9 +148,10 @@ diff -up openssh-6.7p1/digest-libc.c.fingerprint openssh-6.7p1/digest-libc.c size_t ssh_digest_bytes(int alg) { -diff -up openssh-6.7p1/digest-openssl.c.fingerprint openssh-6.7p1/digest-openssl.c ---- openssh-6.7p1/digest-openssl.c.fingerprint 2014-07-17 01:01:26.000000000 +0200 -+++ openssh-6.7p1/digest-openssl.c 2014-12-22 13:10:57.961878113 +0100 +diff --git a/digest-openssl.c b/digest-openssl.c +index 02b1703..bb58ff2 100644 +--- a/digest-openssl.c ++++ b/digest-openssl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: digest-openssl.c,v 1.4 2014/07/03 03:26:43 djm Exp $ */ +/* $OpenBSD: digest-openssl.c,v 1.5 2014/12/21 22:27:56 djm Exp $ */ @@ -201,9 +185,33 @@ diff -up openssh-6.7p1/digest-openssl.c.fingerprint openssh-6.7p1/digest-openssl size_t ssh_digest_bytes(int alg) { -diff -up openssh-6.7p1/dns.c.fingerprint openssh-6.7p1/dns.c ---- openssh-6.7p1/dns.c.fingerprint 2014-07-02 07:28:03.000000000 +0200 -+++ openssh-6.7p1/dns.c 2014-12-22 13:10:57.962878109 +0100 +diff --git a/digest.h b/digest.h +index 6afb197..3fe0734 100644 +--- a/digest.h ++++ b/digest.h +@@ -1,4 +1,4 @@ +-/* $OpenBSD: digest.h,v 1.6 2014/07/03 04:36:45 djm Exp $ */ ++/* $OpenBSD: digest.h,v 1.7 2014/12/21 22:27:56 djm Exp $ */ + /* + * Copyright (c) 2013 Damien Miller + * +@@ -33,6 +33,12 @@ + struct sshbuf; + struct ssh_digest_ctx; + ++/* Looks up a digest algorithm by name */ ++int ssh_digest_alg_by_name(const char *name); ++ ++/* Returns the algorithm name for a digest identifier */ ++const char *ssh_digest_alg_name(int alg); ++ + /* Returns the algorithm's digest length in bytes or 0 for invalid algorithm */ + size_t ssh_digest_bytes(int alg); + +diff --git a/dns.c b/dns.c +index c4d073c..4b8ae44 100644 +--- a/dns.c ++++ b/dns.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dns.c,v 1.31 2014/06/24 01:13:21 djm Exp $ */ +/* $OpenBSD: dns.c,v 1.32 2014/12/21 22:27:56 djm Exp $ */ @@ -218,7 +226,7 @@ diff -up openssh-6.7p1/dns.c.fingerprint openssh-6.7p1/dns.c static const char *errset_text[] = { "success", /* 0 ERRSET_SUCCESS */ -@@ -80,7 +81,7 @@ dns_read_key(u_int8_t *algorithm, u_int8 +@@ -80,7 +81,7 @@ dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type, u_char **digest, u_int *digest_len, Key *key) { int success = 0; @@ -227,7 +235,7 @@ diff -up openssh-6.7p1/dns.c.fingerprint openssh-6.7p1/dns.c switch (key->type) { case KEY_RSA: -@@ -110,17 +111,17 @@ dns_read_key(u_int8_t *algorithm, u_int8 +@@ -110,17 +111,17 @@ dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type, switch (*digest_type) { case SSHFP_HASH_SHA1: @@ -248,9 +256,10 @@ diff -up openssh-6.7p1/dns.c.fingerprint openssh-6.7p1/dns.c if (*digest == NULL) fatal("dns_read_key: null from key_fingerprint_raw()"); success = 1; -diff -up openssh-6.7p1/key.c.fingerprint openssh-6.7p1/key.c ---- openssh-6.7p1/key.c.fingerprint 2014-07-23 01:40:47.000000000 +0200 -+++ openssh-6.7p1/key.c 2014-12-22 13:10:57.962878109 +0100 +diff --git a/key.c b/key.c +index 2060761..780be1c 100644 +--- a/key.c ++++ b/key.c @@ -40,8 +40,7 @@ key_new_private(int type) } @@ -261,7 +270,7 @@ diff -up openssh-6.7p1/key.c.fingerprint openssh-6.7p1/key.c { u_char *ret = NULL; size_t dlen; -@@ -49,7 +48,7 @@ key_fingerprint_raw(const Key *k, enum f +@@ -49,7 +48,7 @@ key_fingerprint_raw(const Key *k, enum fp_type dgst_type, if (dgst_raw_length != NULL) *dgst_raw_length = 0; @@ -270,9 +279,10 @@ diff -up openssh-6.7p1/key.c.fingerprint openssh-6.7p1/key.c fatal("%s: %s", __func__, ssh_err(r)); if (dlen > INT_MAX) fatal("%s: giant len %zu", __func__, dlen); -diff -up openssh-6.7p1/key.h.fingerprint openssh-6.7p1/key.h ---- openssh-6.7p1/key.h.fingerprint 2014-08-21 02:48:41.000000000 +0200 -+++ openssh-6.7p1/key.h 2014-12-22 13:10:57.962878109 +0100 +diff --git a/key.h b/key.h +index c6401a5..e1a3625 100644 +--- a/key.h ++++ b/key.h @@ -67,7 +67,7 @@ void key_add_private(Key *); Key *key_new_private(int); void key_free(Key *); @@ -282,9 +292,10 @@ diff -up openssh-6.7p1/key.h.fingerprint openssh-6.7p1/key.h int key_write(const Key *, FILE *); int key_read(Key *, char **); -diff -up openssh-6.7p1/krl.c.fingerprint openssh-6.7p1/krl.c ---- openssh-6.7p1/krl.c.fingerprint 2014-12-22 13:10:57.962878109 +0100 -+++ openssh-6.7p1/krl.c 2014-12-22 13:24:45.969002948 +0100 +diff --git a/krl.c b/krl.c +index eb31df9..4abed7e 100644 +--- a/krl.c ++++ b/krl.c @@ -36,6 +36,7 @@ #include "misc.h" #include "log.h" @@ -293,7 +304,7 @@ diff -up openssh-6.7p1/krl.c.fingerprint openssh-6.7p1/krl.c #include "krl.h" -@@ -406,7 +407,7 @@ ssh_krl_revoke_key_sha1(struct ssh_krl * +@@ -406,7 +407,7 @@ ssh_krl_revoke_key_sha1(struct ssh_krl *krl, const Key *key) u_int len; debug3("%s: revoke type %s by sha1", __func__, key_type(key)); @@ -302,7 +313,7 @@ diff -up openssh-6.7p1/krl.c.fingerprint openssh-6.7p1/krl.c return -1; return revoke_blob(&krl->revoked_sha1s, blob, len); } -@@ -1119,7 +1120,7 @@ is_key_revoked(struct ssh_krl *krl, cons +@@ -1119,7 +1120,7 @@ is_key_revoked(struct ssh_krl *krl, const Key *key) /* Check explicitly revoked hashes first */ memset(&rb, 0, sizeof(rb)); @@ -311,9 +322,10 @@ diff -up openssh-6.7p1/krl.c.fingerprint openssh-6.7p1/krl.c return -1; erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb); free(rb.blob); -diff -up openssh-6.7p1/readconf.c.fingerprint openssh-6.7p1/readconf.c ---- openssh-6.7p1/readconf.c.fingerprint 2014-07-18 06:11:26.000000000 +0200 -+++ openssh-6.7p1/readconf.c 2014-12-22 13:20:33.488879658 +0100 +diff --git a/readconf.c b/readconf.c +index 7948ce1..3f5c58b 100644 +--- a/readconf.c ++++ b/readconf.c @@ -56,6 +56,7 @@ #include "kex.h" #include "mac.h" @@ -338,17 +350,7 @@ diff -up openssh-6.7p1/readconf.c.fingerprint openssh-6.7p1/readconf.c { "ignoreunknown", oIgnoreUnknown }, { NULL, oBadOption } -@@ -1097,6 +1100,9 @@ parse_int: - options->hostkeyalgorithms = xstrdup(arg); - break; - -+ case oFingerprintHash: -+ return ssh_digest_alg_name(val); -+ - case oProtocol: - intptr = &options->protocol; - arg = strdelim(&s); -@@ -1433,6 +1439,18 @@ parse_int: +@@ -1433,6 +1436,18 @@ parse_int: intptr = &options->fwd_opts.streamlocal_bind_unlink; goto parse_flag; @@ -367,7 +369,7 @@ diff -up openssh-6.7p1/readconf.c.fingerprint openssh-6.7p1/readconf.c case oDeprecated: debug("%s line %d: Deprecated option \"%s\"", filename, linenum, keyword); -@@ -1609,6 +1627,7 @@ initialize_options(Options * options) +@@ -1609,6 +1624,7 @@ initialize_options(Options * options) options->canonicalize_max_dots = -1; options->canonicalize_fallback_local = -1; options->canonicalize_hostname = -1; @@ -375,7 +377,7 @@ diff -up openssh-6.7p1/readconf.c.fingerprint openssh-6.7p1/readconf.c } /* -@@ -1786,6 +1805,9 @@ fill_default_options(Options * options) +@@ -1786,6 +1802,9 @@ fill_default_options(Options * options) options->canonicalize_fallback_local = 1; if (options->canonicalize_hostname == -1) options->canonicalize_hostname = SSH_CANONICALISE_NO; @@ -385,9 +387,10 @@ diff -up openssh-6.7p1/readconf.c.fingerprint openssh-6.7p1/readconf.c #define CLEAR_ON_NONE(v) \ do { \ if (option_clear_or_none(v)) { \ -diff -up openssh-6.7p1/readconf.h.fingerprint openssh-6.7p1/readconf.h ---- openssh-6.7p1/readconf.h.fingerprint 2014-12-22 13:10:57.963878106 +0100 -+++ openssh-6.7p1/readconf.h 2014-12-22 13:14:24.075162395 +0100 +diff --git a/readconf.h b/readconf.h +index 0b9cb77..a028306 100644 +--- a/readconf.h ++++ b/readconf.h @@ -144,6 +144,8 @@ typedef struct { int num_permitted_cnames; struct allowed_cname permitted_cnames[MAX_CANON_DOMAINS]; @@ -397,9 +400,299 @@ diff -up openssh-6.7p1/readconf.h.fingerprint openssh-6.7p1/readconf.h char *ignored_unknown; /* Pattern list of unknown tokens to ignore */ } Options; -diff -up openssh-6.7p1/servconf.c.fingerprint openssh-6.7p1/servconf.c ---- openssh-6.7p1/servconf.c.fingerprint 2014-07-18 06:11:26.000000000 +0200 -+++ openssh-6.7p1/servconf.c 2014-12-22 13:25:22.626875655 +0100 +diff --git a/regress/Makefile b/regress/Makefile +index 3feb7a9..2905a0d 100644 +--- a/regress/Makefile ++++ b/regress/Makefile +@@ -1,6 +1,6 @@ +-# $OpenBSD: Makefile,v 1.70 2014/06/24 01:14:17 djm Exp $ ++# $OpenBSD: Makefile,v 1.71 2014/12/22 02:15:52 djm Exp $ + +-REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t-exec ++REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t-exec + tests: $(REGRESS_TARGETS) + + # Interop tests are not run by default +@@ -119,7 +119,7 @@ t3: + ${TEST_SSH_SSHKEYGEN} -if $(OBJ)/t3.out | diff - ${.CURDIR}/rsa_openssh.pub + + t4: +- ${TEST_SSH_SSHKEYGEN} -lf ${.CURDIR}/rsa_openssh.pub |\ ++ ${TEST_SSH_SSHKEYGEN} -E md5 -lf ${.CURDIR}/rsa_openssh.pub |\ + awk '{print $$2}' | diff - ${.CURDIR}/t4.ok + + t5: +@@ -164,6 +164,10 @@ t10: $(OBJ)/t10.out + ${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t10.out > /dev/null + ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t10.out > /dev/null + ++t11: ++ ${TEST_SSH_SSHKEYGEN} -E sha256 -lf ${.CURDIR}/rsa_openssh.pub |\ ++ awk '{print $$2}' | diff - ${.CURDIR}/t11.ok ++ + t-exec: ${LTESTS:=.sh} + @if [ "x$?" = "x" ]; then exit 0; fi; \ + for TEST in ""$?; do \ +diff --git a/regress/t11.ok b/regress/t11.ok +new file mode 100644 +index 0000000..1925bb4 +--- /dev/null ++++ b/regress/t11.ok +@@ -0,0 +1 @@ ++SHA256:4w1rnrek3klTJOTVhwuCIFd5k+pq9Bfo5KTxxb8BqbY +diff --git a/regress/t4.ok b/regress/t4.ok +index 8c4942b..4631ea8 100644 +--- a/regress/t4.ok ++++ b/regress/t4.ok +@@ -1 +1 @@ +-3b:dd:44:e9:49:18:84:95:f1:e7:33:6b:9d:93:b1:36 ++MD5:3b:dd:44:e9:49:18:84:95:f1:e7:33:6b:9d:93:b1:36 +diff --git a/regress/unittests/sshkey/test_file.c b/regress/unittests/sshkey/test_file.c +index 764f7fb..9c38a7c 100644 +--- a/regress/unittests/sshkey/test_file.c ++++ b/regress/unittests/sshkey/test_file.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: test_file.c,v 1.1 2014/06/24 01:14:18 djm Exp $ */ ++/* $OpenBSD: test_file.c,v 1.2 2014/12/22 02:15:52 djm Exp $ */ + /* + * Regress test for sshkey.h key management API + * +@@ -33,6 +33,7 @@ + #include "authfile.h" + #include "sshkey.h" + #include "sshbuf.h" ++#include "digest.h" + + #include "common.h" + +@@ -81,7 +82,7 @@ sshkey_file_tests(void) + + TEST_START("RSA1 key hex fingerprint"); + buf = load_text_file("rsa1_1.fp"); +- cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX); ++ cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX); + ASSERT_PTR_NE(cp, NULL); + ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); + sshbuf_free(buf); +@@ -90,7 +91,7 @@ sshkey_file_tests(void) + + TEST_START("RSA1 key bubblebabble fingerprint"); + buf = load_text_file("rsa1_1.fp.bb"); +- cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE); ++ cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE); + ASSERT_PTR_NE(cp, NULL); + ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); + sshbuf_free(buf); +@@ -164,7 +165,7 @@ sshkey_file_tests(void) + + TEST_START("RSA key hex fingerprint"); + buf = load_text_file("rsa_1.fp"); +- cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX); ++ cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX); + ASSERT_PTR_NE(cp, NULL); + ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); + sshbuf_free(buf); +@@ -173,7 +174,7 @@ sshkey_file_tests(void) + + TEST_START("RSA cert hex fingerprint"); + buf = load_text_file("rsa_1-cert.fp"); +- cp = sshkey_fingerprint(k2, SSH_FP_MD5, SSH_FP_HEX); ++ cp = sshkey_fingerprint(k2, SSH_DIGEST_MD5, SSH_FP_HEX); + ASSERT_PTR_NE(cp, NULL); + ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); + sshbuf_free(buf); +@@ -183,7 +184,7 @@ sshkey_file_tests(void) + + TEST_START("RSA key bubblebabble fingerprint"); + buf = load_text_file("rsa_1.fp.bb"); +- cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE); ++ cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE); + ASSERT_PTR_NE(cp, NULL); + ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); + sshbuf_free(buf); +@@ -257,7 +258,7 @@ sshkey_file_tests(void) + + TEST_START("DSA key hex fingerprint"); + buf = load_text_file("dsa_1.fp"); +- cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX); ++ cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX); + ASSERT_PTR_NE(cp, NULL); + ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); + sshbuf_free(buf); +@@ -266,7 +267,7 @@ sshkey_file_tests(void) + + TEST_START("DSA cert hex fingerprint"); + buf = load_text_file("dsa_1-cert.fp"); +- cp = sshkey_fingerprint(k2, SSH_FP_MD5, SSH_FP_HEX); ++ cp = sshkey_fingerprint(k2, SSH_DIGEST_MD5, SSH_FP_HEX); + ASSERT_PTR_NE(cp, NULL); + ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); + sshbuf_free(buf); +@@ -276,7 +277,7 @@ sshkey_file_tests(void) + + TEST_START("DSA key bubblebabble fingerprint"); + buf = load_text_file("dsa_1.fp.bb"); +- cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE); ++ cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE); + ASSERT_PTR_NE(cp, NULL); + ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); + sshbuf_free(buf); +@@ -357,7 +358,7 @@ sshkey_file_tests(void) + + TEST_START("ECDSA key hex fingerprint"); + buf = load_text_file("ecdsa_1.fp"); +- cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX); ++ cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX); + ASSERT_PTR_NE(cp, NULL); + ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); + sshbuf_free(buf); +@@ -366,7 +367,7 @@ sshkey_file_tests(void) + + TEST_START("ECDSA cert hex fingerprint"); + buf = load_text_file("ecdsa_1-cert.fp"); +- cp = sshkey_fingerprint(k2, SSH_FP_MD5, SSH_FP_HEX); ++ cp = sshkey_fingerprint(k2, SSH_DIGEST_MD5, SSH_FP_HEX); + ASSERT_PTR_NE(cp, NULL); + ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); + sshbuf_free(buf); +@@ -376,7 +377,7 @@ sshkey_file_tests(void) + + TEST_START("ECDSA key bubblebabble fingerprint"); + buf = load_text_file("ecdsa_1.fp.bb"); +- cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE); ++ cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE); + ASSERT_PTR_NE(cp, NULL); + ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); + sshbuf_free(buf); +@@ -424,7 +425,7 @@ sshkey_file_tests(void) + + TEST_START("Ed25519 key hex fingerprint"); + buf = load_text_file("ed25519_1.fp"); +- cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX); ++ cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX); + ASSERT_PTR_NE(cp, NULL); + ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); + sshbuf_free(buf); +@@ -433,7 +434,7 @@ sshkey_file_tests(void) + + TEST_START("Ed25519 cert hex fingerprint"); + buf = load_text_file("ed25519_1-cert.fp"); +- cp = sshkey_fingerprint(k2, SSH_FP_MD5, SSH_FP_HEX); ++ cp = sshkey_fingerprint(k2, SSH_DIGEST_MD5, SSH_FP_HEX); + ASSERT_PTR_NE(cp, NULL); + ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); + sshbuf_free(buf); +@@ -443,7 +444,7 @@ sshkey_file_tests(void) + + TEST_START("Ed25519 key bubblebabble fingerprint"); + buf = load_text_file("ed25519_1.fp.bb"); +- cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE); ++ cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE); + ASSERT_PTR_NE(cp, NULL); + ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); + sshbuf_free(buf); +diff --git a/regress/unittests/sshkey/testdata/dsa_1-cert.fp b/regress/unittests/sshkey/testdata/dsa_1-cert.fp +index 56ee1f8..b26145b 100644 +--- a/regress/unittests/sshkey/testdata/dsa_1-cert.fp ++++ b/regress/unittests/sshkey/testdata/dsa_1-cert.fp +@@ -1 +1 @@ +-5a:4a:41:8c:4e:fa:4c:52:19:f9:39:49:31:fb:fd:74 ++MD5:5a:4a:41:8c:4e:fa:4c:52:19:f9:39:49:31:fb:fd:74 +diff --git a/regress/unittests/sshkey/testdata/dsa_1.fp b/regress/unittests/sshkey/testdata/dsa_1.fp +index 56ee1f8..b26145b 100644 +--- a/regress/unittests/sshkey/testdata/dsa_1.fp ++++ b/regress/unittests/sshkey/testdata/dsa_1.fp +@@ -1 +1 @@ +-5a:4a:41:8c:4e:fa:4c:52:19:f9:39:49:31:fb:fd:74 ++MD5:5a:4a:41:8c:4e:fa:4c:52:19:f9:39:49:31:fb:fd:74 +diff --git a/regress/unittests/sshkey/testdata/dsa_2.fp b/regress/unittests/sshkey/testdata/dsa_2.fp +index ba9de82..8226574 100644 +--- a/regress/unittests/sshkey/testdata/dsa_2.fp ++++ b/regress/unittests/sshkey/testdata/dsa_2.fp +@@ -1 +1 @@ +-72:5f:50:6b:e5:64:c5:62:21:92:3f:8b:10:9b:9f:1a ++MD5:72:5f:50:6b:e5:64:c5:62:21:92:3f:8b:10:9b:9f:1a +diff --git a/regress/unittests/sshkey/testdata/ecdsa_1-cert.fp b/regress/unittests/sshkey/testdata/ecdsa_1-cert.fp +index a56dbc8..c3d747a 100644 +--- a/regress/unittests/sshkey/testdata/ecdsa_1-cert.fp ++++ b/regress/unittests/sshkey/testdata/ecdsa_1-cert.fp +@@ -1 +1 @@ +-f7:be:4c:02:65:ed:4c:11:af:ab:a8:dd:0a:92:e7:44 ++MD5:f7:be:4c:02:65:ed:4c:11:af:ab:a8:dd:0a:92:e7:44 +diff --git a/regress/unittests/sshkey/testdata/ecdsa_1.fp b/regress/unittests/sshkey/testdata/ecdsa_1.fp +index a56dbc8..c3d747a 100644 +--- a/regress/unittests/sshkey/testdata/ecdsa_1.fp ++++ b/regress/unittests/sshkey/testdata/ecdsa_1.fp +@@ -1 +1 @@ +-f7:be:4c:02:65:ed:4c:11:af:ab:a8:dd:0a:92:e7:44 ++MD5:f7:be:4c:02:65:ed:4c:11:af:ab:a8:dd:0a:92:e7:44 +diff --git a/regress/unittests/sshkey/testdata/ecdsa_2.fp b/regress/unittests/sshkey/testdata/ecdsa_2.fp +index eb4bbdf..fe7526b 100644 +--- a/regress/unittests/sshkey/testdata/ecdsa_2.fp ++++ b/regress/unittests/sshkey/testdata/ecdsa_2.fp +@@ -1 +1 @@ +-51:bd:ff:2b:6d:26:9b:90:f9:e1:4a:ca:a0:29:8e:70 ++MD5:51:bd:ff:2b:6d:26:9b:90:f9:e1:4a:ca:a0:29:8e:70 +diff --git a/regress/unittests/sshkey/testdata/ed25519_1-cert.fp b/regress/unittests/sshkey/testdata/ed25519_1-cert.fp +index e6d23d0..fbde87a 100644 +--- a/regress/unittests/sshkey/testdata/ed25519_1-cert.fp ++++ b/regress/unittests/sshkey/testdata/ed25519_1-cert.fp +@@ -1 +1 @@ +-19:08:8e:7e:4d:e5:de:86:2a:09:47:65:eb:0a:51:2f ++MD5:19:08:8e:7e:4d:e5:de:86:2a:09:47:65:eb:0a:51:2f +diff --git a/regress/unittests/sshkey/testdata/ed25519_1.fp b/regress/unittests/sshkey/testdata/ed25519_1.fp +index e6d23d0..fbde87a 100644 +--- a/regress/unittests/sshkey/testdata/ed25519_1.fp ++++ b/regress/unittests/sshkey/testdata/ed25519_1.fp +@@ -1 +1 @@ +-19:08:8e:7e:4d:e5:de:86:2a:09:47:65:eb:0a:51:2f ++MD5:19:08:8e:7e:4d:e5:de:86:2a:09:47:65:eb:0a:51:2f +diff --git a/regress/unittests/sshkey/testdata/ed25519_2.fp b/regress/unittests/sshkey/testdata/ed25519_2.fp +index 02c684f..ec1cdbb 100644 +--- a/regress/unittests/sshkey/testdata/ed25519_2.fp ++++ b/regress/unittests/sshkey/testdata/ed25519_2.fp +@@ -1 +1 @@ +-5c:c9:ae:a3:0c:aa:28:29:b8:fc:7c:64:ba:6e:e9:c9 ++MD5:5c:c9:ae:a3:0c:aa:28:29:b8:fc:7c:64:ba:6e:e9:c9 +diff --git a/regress/unittests/sshkey/testdata/rsa1_1.fp b/regress/unittests/sshkey/testdata/rsa1_1.fp +index 782ece0..2e1068c 100644 +--- a/regress/unittests/sshkey/testdata/rsa1_1.fp ++++ b/regress/unittests/sshkey/testdata/rsa1_1.fp +@@ -1 +1 @@ +-a8:82:9b:98:c5:e6:19:d6:83:39:9f:4d:3a:8f:7c:80 ++MD5:a8:82:9b:98:c5:e6:19:d6:83:39:9f:4d:3a:8f:7c:80 +diff --git a/regress/unittests/sshkey/testdata/rsa1_2.fp b/regress/unittests/sshkey/testdata/rsa1_2.fp +index c332537..cd00393 100644 +--- a/regress/unittests/sshkey/testdata/rsa1_2.fp ++++ b/regress/unittests/sshkey/testdata/rsa1_2.fp +@@ -1 +1 @@ +-c0:83:1c:97:5f:32:77:7e:e4:e3:e9:29:b9:eb:76:9c ++MD5:c0:83:1c:97:5f:32:77:7e:e4:e3:e9:29:b9:eb:76:9c +diff --git a/regress/unittests/sshkey/testdata/rsa_1-cert.fp b/regress/unittests/sshkey/testdata/rsa_1-cert.fp +index bf9c2e3..1cf780d 100644 +--- a/regress/unittests/sshkey/testdata/rsa_1-cert.fp ++++ b/regress/unittests/sshkey/testdata/rsa_1-cert.fp +@@ -1 +1 @@ +-be:27:4c:16:27:f5:04:03:62:a8:b7:91:df:a5:b1:3b ++MD5:be:27:4c:16:27:f5:04:03:62:a8:b7:91:df:a5:b1:3b +diff --git a/regress/unittests/sshkey/testdata/rsa_1.fp b/regress/unittests/sshkey/testdata/rsa_1.fp +index bf9c2e3..1cf780d 100644 +--- a/regress/unittests/sshkey/testdata/rsa_1.fp ++++ b/regress/unittests/sshkey/testdata/rsa_1.fp +@@ -1 +1 @@ +-be:27:4c:16:27:f5:04:03:62:a8:b7:91:df:a5:b1:3b ++MD5:be:27:4c:16:27:f5:04:03:62:a8:b7:91:df:a5:b1:3b +diff --git a/regress/unittests/sshkey/testdata/rsa_2.fp b/regress/unittests/sshkey/testdata/rsa_2.fp +index 53939f4..8d43676 100644 +--- a/regress/unittests/sshkey/testdata/rsa_2.fp ++++ b/regress/unittests/sshkey/testdata/rsa_2.fp +@@ -1 +1 @@ +-fb:8f:7b:26:3d:42:40:ef:ed:f1:ed:ee:66:9e:ba:b0 ++MD5:fb:8f:7b:26:3d:42:40:ef:ed:f1:ed:ee:66:9e:ba:b0 +diff --git a/servconf.c b/servconf.c +index b7f3294..e3ebaac 100644 +--- a/servconf.c ++++ b/servconf.c @@ -54,6 +54,7 @@ #include "packet.h" #include "hostfile.h" @@ -408,7 +701,7 @@ diff -up openssh-6.7p1/servconf.c.fingerprint openssh-6.7p1/servconf.c static void add_listen_addr(ServerOptions *, char *, int); static void add_one_listen_addr(ServerOptions *, char *, int); -@@ -157,6 +158,7 @@ initialize_server_options(ServerOptions +@@ -157,6 +158,7 @@ initialize_server_options(ServerOptions *options) options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; options->version_addendum = NULL; @@ -416,7 +709,7 @@ diff -up openssh-6.7p1/servconf.c.fingerprint openssh-6.7p1/servconf.c } void -@@ -312,6 +314,8 @@ fill_default_server_options(ServerOption +@@ -312,6 +314,8 @@ fill_default_server_options(ServerOptions *options) options->fwd_opts.streamlocal_bind_mask = 0177; if (options->fwd_opts.streamlocal_bind_unlink == -1) options->fwd_opts.streamlocal_bind_unlink = 0; @@ -442,7 +735,7 @@ diff -up openssh-6.7p1/servconf.c.fingerprint openssh-6.7p1/servconf.c { NULL, sBadOption, 0 } }; -@@ -1663,6 +1668,18 @@ process_server_config_line(ServerOptions +@@ -1663,6 +1668,18 @@ process_server_config_line(ServerOptions *options, char *line, intptr = &options->fwd_opts.streamlocal_bind_unlink; goto parse_flag; @@ -478,9 +771,10 @@ diff -up openssh-6.7p1/servconf.c.fingerprint openssh-6.7p1/servconf.c /* string arguments */ dump_cfg_string(sPidFile, o->pid_file); -diff -up openssh-6.7p1/servconf.h.fingerprint openssh-6.7p1/servconf.h ---- openssh-6.7p1/servconf.h.fingerprint 2014-07-18 06:11:26.000000000 +0200 -+++ openssh-6.7p1/servconf.h 2014-12-22 13:10:57.964878102 +0100 +diff --git a/servconf.h b/servconf.h +index 766db3a..49b228b 100644 +--- a/servconf.h ++++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.114 2014/07/15 15:54:14 millert Exp $ */ +/* $OpenBSD: servconf.h,v 1.115 2014/12/21 22:27:56 djm Exp $ */ @@ -496,21 +790,10 @@ diff -up openssh-6.7p1/servconf.h.fingerprint openssh-6.7p1/servconf.h } ServerOptions; /* Information about the incoming connection as used by Match */ -diff -up openssh-6.7p1/ssh.1.fingerprint openssh-6.7p1/ssh.1 ---- openssh-6.7p1/ssh.1.fingerprint 2014-07-30 04:32:28.000000000 +0200 -+++ openssh-6.7p1/ssh.1 2014-12-22 13:10:57.967878092 +0100 -@@ -1083,7 +1083,7 @@ Fingerprints can be determined using - If the fingerprint is already known, it can be matched - and the key can be accepted or rejected. - Because of the difficulty of comparing host keys --just by looking at hex strings, -+just by looking at fingerprint strings, - there is also support to compare host keys visually, - using - .Em random art . -diff -up openssh-6.7p1/ssh-add.1.fingerprint openssh-6.7p1/ssh-add.1 ---- openssh-6.7p1/ssh-add.1.fingerprint 2013-12-18 07:46:28.000000000 +0100 -+++ openssh-6.7p1/ssh-add.1 2014-12-22 13:10:57.964878102 +0100 +diff --git a/ssh-add.1 b/ssh-add.1 +index 4812448..04d1840 100644 +--- a/ssh-add.1 ++++ b/ssh-add.1 @@ -44,6 +44,7 @@ .Sh SYNOPSIS .Nm ssh-add @@ -519,7 +802,7 @@ diff -up openssh-6.7p1/ssh-add.1.fingerprint openssh-6.7p1/ssh-add.1 .Op Fl t Ar life .Op Ar .Nm ssh-add -@@ -108,6 +109,14 @@ If no public key is found at a given pat +@@ -108,6 +109,14 @@ If no public key is found at a given path, will append .Pa .pub and retry. @@ -534,9 +817,10 @@ diff -up openssh-6.7p1/ssh-add.1.fingerprint openssh-6.7p1/ssh-add.1 .It Fl e Ar pkcs11 Remove keys provided by the PKCS#11 shared library .Ar pkcs11 . -diff -up openssh-6.7p1/ssh-add.c.fingerprint openssh-6.7p1/ssh-add.c ---- openssh-6.7p1/ssh-add.c.fingerprint 2014-07-11 01:19:05.000000000 +0200 -+++ openssh-6.7p1/ssh-add.c 2014-12-22 13:10:57.965878099 +0100 +diff --git a/ssh-add.c b/ssh-add.c +index 78a3359..5d6a5f4 100644 +--- a/ssh-add.c ++++ b/ssh-add.c @@ -63,6 +63,7 @@ #include "pathnames.h" #include "misc.h" @@ -554,7 +838,7 @@ diff -up openssh-6.7p1/ssh-add.c.fingerprint openssh-6.7p1/ssh-add.c /* Default lifetime (0 == forever) */ static int lifetime = 0; -@@ -340,8 +343,8 @@ list_identities(AuthenticationConnection +@@ -340,8 +343,8 @@ list_identities(AuthenticationConnection *ac, int do_fp) key = ssh_get_next_identity(ac, &comment, version)) { had_identities = 1; if (do_fp) { @@ -653,9 +937,10 @@ diff -up openssh-6.7p1/ssh-add.c.fingerprint openssh-6.7p1/ssh-add.c argc -= optind; argv += optind; if (pkcs11provider != NULL) { -diff -up openssh-6.7p1/ssh-agent.1.fingerprint openssh-6.7p1/ssh-agent.1 ---- openssh-6.7p1/ssh-agent.1.fingerprint 2014-04-20 05:25:09.000000000 +0200 -+++ openssh-6.7p1/ssh-agent.1 2014-12-22 13:10:57.965878099 +0100 +diff --git a/ssh-agent.1 b/ssh-agent.1 +index a1e634f..d7e791b 100644 +--- a/ssh-agent.1 ++++ b/ssh-agent.1 @@ -45,6 +45,7 @@ .Op Fl c | s .Op Fl d @@ -679,9 +964,10 @@ diff -up openssh-6.7p1/ssh-agent.1.fingerprint openssh-6.7p1/ssh-agent.1 .It Fl k Kill the current agent (given by the .Ev SSH_AGENT_PID -diff -up openssh-6.7p1/ssh-agent.c.fingerprint openssh-6.7p1/ssh-agent.c ---- openssh-6.7p1/ssh-agent.c.fingerprint 2014-07-30 04:32:46.000000000 +0200 -+++ openssh-6.7p1/ssh-agent.c 2014-12-22 13:10:57.965878099 +0100 +diff --git a/ssh-agent.c b/ssh-agent.c +index 25f10c5..c8036c8 100644 +--- a/ssh-agent.c ++++ b/ssh-agent.c @@ -142,6 +142,8 @@ extern char *__progname; /* Default lifetime in seconds (0 == forever) */ static long lifetime = 0; @@ -724,332 +1010,10 @@ diff -up openssh-6.7p1/ssh-agent.c.fingerprint openssh-6.7p1/ssh-agent.c case 'c': if (s_flag) usage(); -diff -up openssh-6.7p1/sshconnect2.c.fingerprint openssh-6.7p1/sshconnect2.c ---- openssh-6.7p1/sshconnect2.c.fingerprint 2014-07-18 06:11:27.000000000 +0200 -+++ openssh-6.7p1/sshconnect2.c 2014-12-22 13:10:57.968878088 +0100 -@@ -582,7 +582,7 @@ input_userauth_pk_ok(int type, u_int32_t - key->type, pktype); - goto done; - } -- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); -+ fp = key_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT); - debug2("input_userauth_pk_ok: fp %s", fp); - free(fp); - -@@ -991,7 +991,7 @@ sign_and_send_pubkey(Authctxt *authctxt, - int have_sig = 1; - char *fp; - -- fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX); -+ fp = key_fingerprint(id->key, options.fingerprint_hash, SSH_FP_DEFAULT); - debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp); - free(fp); - -diff -up openssh-6.7p1/sshconnect.c.fingerprint openssh-6.7p1/sshconnect.c ---- openssh-6.7p1/sshconnect.c.fingerprint 2014-07-18 06:11:26.000000000 +0200 -+++ openssh-6.7p1/sshconnect.c 2014-12-22 13:15:28.371939131 +0100 -@@ -915,9 +915,10 @@ check_host_key(char *hostname, struct so - "key for IP address '%.128s' to the list " - "of known hosts.", type, ip); - } else if (options.visual_host_key) { -- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); -- ra = key_fingerprint(host_key, SSH_FP_MD5, -- SSH_FP_RANDOMART); -+ fp = key_fingerprint(host_key, -+ options.fingerprint_hash, SSH_FP_DEFAULT); -+ ra = key_fingerprint(host_key, -+ options.fingerprint_hash, SSH_FP_RANDOMART); - logit("Host key fingerprint is %s\n%s\n", fp, ra); - free(ra); - free(fp); -@@ -956,9 +957,10 @@ check_host_key(char *hostname, struct so - else - snprintf(msg1, sizeof(msg1), "."); - /* The default */ -- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); -- ra = key_fingerprint(host_key, SSH_FP_MD5, -- SSH_FP_RANDOMART); -+ fp = key_fingerprint(host_key, -+ options.fingerprint_hash, SSH_FP_DEFAULT); -+ ra = key_fingerprint(host_key, -+ options.fingerprint_hash, SSH_FP_RANDOMART); - msg2[0] = '\0'; - if (options.verify_host_key_dns) { - if (matching_host_key_dns) -@@ -1222,7 +1224,7 @@ verify_host_key(char *host, struct socka - char *fp; - Key *plain = NULL; - -- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); -+ fp = key_fingerprint(host_key, options.fingerprint_hash, SSH_FP_DEFAULT); - debug("Server host key: %s %s", key_type(host_key), fp); - free(fp); - -@@ -1356,8 +1358,10 @@ show_other_keys(struct hostkeys *hostkey - continue; - if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found)) - continue; -- fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX); -- ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART); -+ fp = key_fingerprint(found->key, -+ options.fingerprint_hash, SSH_FP_DEFAULT); -+ ra = key_fingerprint(found->key, -+ options.fingerprint_hash, SSH_FP_RANDOMART); - logit("WARNING: %s key found for host %s\n" - "in %s:%lu\n" - "%s key fingerprint %s.", -@@ -1378,7 +1382,8 @@ warn_changed_key(Key *host_key) - { - char *fp; - -- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); -+ fp = key_fingerprint(host_key, options.fingerprint_hash, -+ SSH_FP_DEFAULT); - - error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); - error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @"); -diff -up openssh-6.7p1/sshd_config.5.fingerprint openssh-6.7p1/sshd_config.5 ---- openssh-6.7p1/sshd_config.5.fingerprint 2014-10-03 01:24:57.000000000 +0200 -+++ openssh-6.7p1/sshd_config.5 2014-12-22 13:10:57.968878088 +0100 -@@ -483,6 +483,15 @@ and finally - See PATTERNS in - .Xr ssh_config 5 - for more information on patterns. -+.It Cm FingerprintHash -+Specifies the hash algorithm used when logging key fingerprints. -+Valid options are: -+.Dq md5 -+and -+.Dq sha256 . -+The default is -+.Dq sha256 . -+.Pp - .It Cm ForceCommand - Forces the execution of the command specified by - .Cm ForceCommand , -diff -up openssh-6.7p1/sshkey.c.fingerprint openssh-6.7p1/sshkey.c ---- openssh-6.7p1/sshkey.c.fingerprint 2014-07-21 17:07:11.000000000 +0200 -+++ openssh-6.7p1/sshkey.c 2014-12-22 13:10:57.969878085 +0100 -@@ -29,6 +29,7 @@ - - #include - #include -+#include - - #include - #include -@@ -852,29 +853,18 @@ sshkey_plain_to_blob(const struct sshkey - } - - int --sshkey_fingerprint_raw(const struct sshkey *k, enum sshkey_fp_type dgst_type, -+sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg, - u_char **retp, size_t *lenp) - { - u_char *blob = NULL, *ret = NULL; - size_t blob_len = 0; -- int hash_alg = -1, r = SSH_ERR_INTERNAL_ERROR; -+ int r = SSH_ERR_INTERNAL_ERROR; - - if (retp != NULL) - *retp = NULL; - if (lenp != NULL) - *lenp = 0; -- -- switch (dgst_type) { -- case SSH_FP_MD5: -- hash_alg = SSH_DIGEST_MD5; -- break; -- case SSH_FP_SHA1: -- hash_alg = SSH_DIGEST_SHA1; -- break; -- case SSH_FP_SHA256: -- hash_alg = SSH_DIGEST_SHA256; -- break; -- default: -+ if (ssh_digest_bytes(dgst_alg) == 0) { - r = SSH_ERR_INVALID_ARGUMENT; - goto out; - } -@@ -899,7 +889,7 @@ sshkey_fingerprint_raw(const struct sshk - r = SSH_ERR_ALLOC_FAIL; - goto out; - } -- if ((r = ssh_digest_memory(hash_alg, blob, blob_len, -+ if ((r = ssh_digest_memory(dgst_alg, blob, blob_len, - ret, SSH_DIGEST_MAX_LENGTH)) != 0) - goto out; - /* success */ -@@ -908,7 +898,7 @@ sshkey_fingerprint_raw(const struct sshk - ret = NULL; - } - if (lenp != NULL) -- *lenp = ssh_digest_bytes(hash_alg); -+ *lenp = ssh_digest_bytes(dgst_alg); - r = 0; - out: - free(ret); -@@ -920,21 +910,45 @@ sshkey_fingerprint_raw(const struct sshk - } - - static char * --fingerprint_hex(u_char *dgst_raw, size_t dgst_raw_len) -+fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) - { -- char *retval; -- size_t i; -+ char *ret; -+ size_t plen = strlen(alg) + 1; -+ size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1; -+ int r; - -- if ((retval = calloc(1, dgst_raw_len * 3 + 1)) == NULL) -+ if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL) -+ return NULL; -+ strlcpy(ret, alg, rlen); -+ strlcat(ret, ":", rlen); -+ if (dgst_raw_len == 0) -+ return ret; -+ if ((r = b64_ntop(dgst_raw, dgst_raw_len, -+ ret + plen, rlen - plen)) == -1) { -+ explicit_bzero(ret, rlen); -+ free(ret); - return NULL; -- for (i = 0; i < dgst_raw_len; i++) { -- char hex[4]; -- snprintf(hex, sizeof(hex), "%02x:", dgst_raw[i]); -- strlcat(retval, hex, dgst_raw_len * 3 + 1); - } -+ /* Trim padding characters from end */ -+ ret[strcspn(ret, "=")] = '\0'; -+ return ret; -+} -+ -+static char * -+fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) -+{ -+ char *retval, hex[5]; -+ size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2; - -- /* Remove the trailing ':' character */ -- retval[(dgst_raw_len * 3) - 1] = '\0'; -+ if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL) -+ return NULL; -+ strlcpy(retval, alg, rlen); -+ strlcat(retval, ":", rlen); -+ for (i = 0; i < dgst_raw_len; i++) { -+ snprintf(hex, sizeof(hex), "%s%02x", -+ i > 0 ? ":" : "", dgst_raw[i]); -+ strlcat(retval, hex, rlen); -+ } - return retval; - } - -@@ -1020,7 +1034,7 @@ fingerprint_bubblebabble(u_char *dgst_ra - #define FLDSIZE_Y (FLDBASE + 1) - #define FLDSIZE_X (FLDBASE * 2 + 1) - static char * --fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len, -+fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len, - const struct sshkey *k) - { - /* -@@ -1028,9 +1042,9 @@ fingerprint_randomart(u_char *dgst_raw, - * intersects with itself. Matter of taste. - */ - char *augmentation_string = " .o+=*BOX@%&#/^SE"; -- char *retval, *p, title[FLDSIZE_X]; -+ char *retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X]; - u_char field[FLDSIZE_X][FLDSIZE_Y]; -- size_t i, tlen; -+ size_t i, tlen, hlen; - u_int b; - int x, y, r; - size_t len = strlen(augmentation_string) - 1; -@@ -1075,8 +1089,12 @@ fingerprint_randomart(u_char *dgst_raw, - sshkey_type(k), sshkey_size(k)); - /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */ - if (r < 0 || r > (int)sizeof(title)) -- snprintf(title, sizeof(title), "[%s]", sshkey_type(k)); -- tlen = strlen(title); -+ r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k)); -+ tlen = (r <= 0) ? 0 : strlen(title); -+ -+ /* assemble hash ID. */ -+ r = snprintf(hash, sizeof(hash), "[%s]", alg); -+ hlen = (r <= 0) ? 0 : strlen(hash); - - /* output upper border */ - p = retval; -@@ -1085,7 +1103,7 @@ fingerprint_randomart(u_char *dgst_raw, - *p++ = '-'; - memcpy(p, title, tlen); - p += tlen; -- for (i = p - retval - 1; i < FLDSIZE_X; i++) -+ for (i += tlen; i < FLDSIZE_X; i++) - *p++ = '-'; - *p++ = '+'; - *p++ = '\n'; -@@ -1101,7 +1119,11 @@ fingerprint_randomart(u_char *dgst_raw, - - /* output lower border */ - *p++ = '+'; -- for (i = 0; i < FLDSIZE_X; i++) -+ for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++) -+ *p++ = '-'; -+ memcpy(p, hash, hlen); -+ p += hlen; -+ for (i += hlen; i < FLDSIZE_X; i++) - *p++ = '-'; - *p++ = '+'; - -@@ -1109,24 +1131,39 @@ fingerprint_randomart(u_char *dgst_raw, - } - - char * --sshkey_fingerprint(const struct sshkey *k, enum sshkey_fp_type dgst_type, -+sshkey_fingerprint(const struct sshkey *k, int dgst_alg, - enum sshkey_fp_rep dgst_rep) - { - char *retval = NULL; - u_char *dgst_raw; - size_t dgst_raw_len; - -- if (sshkey_fingerprint_raw(k, dgst_type, &dgst_raw, &dgst_raw_len) != 0) -+ if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0) - return NULL; - switch (dgst_rep) { -+ case SSH_FP_DEFAULT: -+ if (dgst_alg == SSH_DIGEST_MD5) { -+ retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), -+ dgst_raw, dgst_raw_len); -+ } else { -+ retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), -+ dgst_raw, dgst_raw_len); -+ } -+ break; - case SSH_FP_HEX: -- retval = fingerprint_hex(dgst_raw, dgst_raw_len); -+ retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), -+ dgst_raw, dgst_raw_len); -+ break; -+ case SSH_FP_BASE64: -+ retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), -+ dgst_raw, dgst_raw_len); - break; - case SSH_FP_BUBBLEBABBLE: - retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len); - break; - case SSH_FP_RANDOMART: -- retval = fingerprint_randomart(dgst_raw, dgst_raw_len, k); -+ retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg), -+ dgst_raw, dgst_raw_len, k); - break; - default: - explicit_bzero(dgst_raw, dgst_raw_len); -diff -up openssh-6.7p1/ssh-keygen.1.fingerprint openssh-6.7p1/ssh-keygen.1 ---- openssh-6.7p1/ssh-keygen.1.fingerprint 2014-04-20 05:23:04.000000000 +0200 -+++ openssh-6.7p1/ssh-keygen.1 2014-12-22 13:10:57.966878095 +0100 +diff --git a/ssh-keygen.1 b/ssh-keygen.1 +index 723a016..276dacc 100644 +--- a/ssh-keygen.1 ++++ b/ssh-keygen.1 @@ -73,6 +73,7 @@ .Op Fl f Ar keyfile .Nm ssh-keygen @@ -1073,9 +1037,10 @@ diff -up openssh-6.7p1/ssh-keygen.1.fingerprint openssh-6.7p1/ssh-keygen.1 .It Fl e This option will read a private or public OpenSSH key file and print to stdout the key in one of the formats specified by the -diff -up openssh-6.7p1/ssh-keygen.c.fingerprint openssh-6.7p1/ssh-keygen.c ---- openssh-6.7p1/ssh-keygen.c.fingerprint 2014-07-03 13:24:41.000000000 +0200 -+++ openssh-6.7p1/ssh-keygen.c 2014-12-22 13:10:57.966878095 +0100 +diff --git a/ssh-keygen.c b/ssh-keygen.c +index 23058ee..64fa217 100644 +--- a/ssh-keygen.c ++++ b/ssh-keygen.c @@ -53,6 +53,7 @@ #include "ssh-pkcs11.h" #include "atomicio.h" @@ -1154,7 +1119,7 @@ diff -up openssh-6.7p1/ssh-keygen.c.fingerprint openssh-6.7p1/ssh-keygen.c printf("%u %s %s (%s)\n", key_size(public), fp, comment ? comment : "no comment", key_type(public)); if (log_level >= SYSLOG_LEVEL_VERBOSE) -@@ -991,13 +996,15 @@ printhost(FILE *f, const char *name, Key +@@ -991,13 +996,15 @@ printhost(FILE *f, const char *name, Key *public, int ca, int revoked, int hash) { if (print_fingerprint) { enum fp_rep rep; @@ -1232,9 +1197,364 @@ diff -up openssh-6.7p1/ssh-keygen.c.fingerprint openssh-6.7p1/ssh-keygen.c SSH_FP_RANDOMART); printf("Your public key has been saved in %s.\n", identity_file); -diff -up openssh-6.7p1/sshkey.h.fingerprint openssh-6.7p1/sshkey.h ---- openssh-6.7p1/sshkey.h.fingerprint 2014-08-20 03:06:51.000000000 +0200 -+++ openssh-6.7p1/sshkey.h 2014-12-22 13:10:57.969878085 +0100 +diff --git a/ssh-keysign.c b/ssh-keysign.c +index d95bb7d..3526d7d 100644 +--- a/ssh-keysign.c ++++ b/ssh-keysign.c +@@ -246,7 +246,8 @@ main(int argc, char **argv) + } + } + if (!found) { +- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); ++ fp = key_fingerprint(key, options.fingerprint_hash, ++ SSH_FP_DEFAULT); + fatal("no matching hostkey found for key %s %s", + key_type(key), fp); + } +diff --git a/ssh.1 b/ssh.1 +index fa5cfb2..d3198a1 100644 +--- a/ssh.1 ++++ b/ssh.1 +@@ -1083,7 +1083,7 @@ Fingerprints can be determined using + If the fingerprint is already known, it can be matched + and the key can be accepted or rejected. + Because of the difficulty of comparing host keys +-just by looking at hex strings, ++just by looking at fingerprint strings, + there is also support to compare host keys visually, + using + .Em random art . +diff --git a/sshconnect.c b/sshconnect.c +index ac09eae..7db31e6 100644 +--- a/sshconnect.c ++++ b/sshconnect.c +@@ -915,9 +915,10 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, + "key for IP address '%.128s' to the list " + "of known hosts.", type, ip); + } else if (options.visual_host_key) { +- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); +- ra = key_fingerprint(host_key, SSH_FP_MD5, +- SSH_FP_RANDOMART); ++ fp = key_fingerprint(host_key, ++ options.fingerprint_hash, SSH_FP_DEFAULT); ++ ra = key_fingerprint(host_key, ++ options.fingerprint_hash, SSH_FP_RANDOMART); + logit("Host key fingerprint is %s\n%s\n", fp, ra); + free(ra); + free(fp); +@@ -956,9 +957,10 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, + else + snprintf(msg1, sizeof(msg1), "."); + /* The default */ +- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); +- ra = key_fingerprint(host_key, SSH_FP_MD5, +- SSH_FP_RANDOMART); ++ fp = key_fingerprint(host_key, ++ options.fingerprint_hash, SSH_FP_DEFAULT); ++ ra = key_fingerprint(host_key, ++ options.fingerprint_hash, SSH_FP_RANDOMART); + msg2[0] = '\0'; + if (options.verify_host_key_dns) { + if (matching_host_key_dns) +@@ -1222,7 +1224,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) + char *fp; + Key *plain = NULL; + +- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); ++ fp = key_fingerprint(host_key, options.fingerprint_hash, SSH_FP_DEFAULT); + debug("Server host key: %s %s", key_type(host_key), fp); + free(fp); + +@@ -1356,8 +1358,10 @@ show_other_keys(struct hostkeys *hostkeys, Key *key) + continue; + if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found)) + continue; +- fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX); +- ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART); ++ fp = key_fingerprint(found->key, ++ options.fingerprint_hash, SSH_FP_DEFAULT); ++ ra = key_fingerprint(found->key, ++ options.fingerprint_hash, SSH_FP_RANDOMART); + logit("WARNING: %s key found for host %s\n" + "in %s:%lu\n" + "%s key fingerprint %s.", +@@ -1378,7 +1382,8 @@ warn_changed_key(Key *host_key) + { + char *fp; + +- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); ++ fp = key_fingerprint(host_key, options.fingerprint_hash, ++ SSH_FP_DEFAULT); + + error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); + error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @"); +diff --git a/sshconnect2.c b/sshconnect2.c +index 68f7f4f..4724b66 100644 +--- a/sshconnect2.c ++++ b/sshconnect2.c +@@ -582,7 +582,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt) + key->type, pktype); + goto done; + } +- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); ++ fp = key_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT); + debug2("input_userauth_pk_ok: fp %s", fp); + free(fp); + +@@ -991,7 +991,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id) + int have_sig = 1; + char *fp; + +- fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX); ++ fp = key_fingerprint(id->key, options.fingerprint_hash, SSH_FP_DEFAULT); + debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp); + free(fp); + +diff --git a/sshd_config.5 b/sshd_config.5 +index fd44abe..0449eeb 100644 +--- a/sshd_config.5 ++++ b/sshd_config.5 +@@ -483,6 +483,15 @@ and finally + See PATTERNS in + .Xr ssh_config 5 + for more information on patterns. ++.It Cm FingerprintHash ++Specifies the hash algorithm used when logging key fingerprints. ++Valid options are: ++.Dq md5 ++and ++.Dq sha256 . ++The default is ++.Dq sha256 . ++.Pp + .It Cm ForceCommand + Forces the execution of the command specified by + .Cm ForceCommand , +diff --git a/sshkey.c b/sshkey.c +index fdd0c8a..70df758 100644 +--- a/sshkey.c ++++ b/sshkey.c +@@ -29,6 +29,7 @@ + + #include + #include ++#include + + #include + #include +@@ -852,29 +853,18 @@ sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) + } + + int +-sshkey_fingerprint_raw(const struct sshkey *k, enum sshkey_fp_type dgst_type, ++sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg, + u_char **retp, size_t *lenp) + { + u_char *blob = NULL, *ret = NULL; + size_t blob_len = 0; +- int hash_alg = -1, r = SSH_ERR_INTERNAL_ERROR; ++ int r = SSH_ERR_INTERNAL_ERROR; + + if (retp != NULL) + *retp = NULL; + if (lenp != NULL) + *lenp = 0; +- +- switch (dgst_type) { +- case SSH_FP_MD5: +- hash_alg = SSH_DIGEST_MD5; +- break; +- case SSH_FP_SHA1: +- hash_alg = SSH_DIGEST_SHA1; +- break; +- case SSH_FP_SHA256: +- hash_alg = SSH_DIGEST_SHA256; +- break; +- default: ++ if (ssh_digest_bytes(dgst_alg) == 0) { + r = SSH_ERR_INVALID_ARGUMENT; + goto out; + } +@@ -899,7 +889,7 @@ sshkey_fingerprint_raw(const struct sshkey *k, enum sshkey_fp_type dgst_type, + r = SSH_ERR_ALLOC_FAIL; + goto out; + } +- if ((r = ssh_digest_memory(hash_alg, blob, blob_len, ++ if ((r = ssh_digest_memory(dgst_alg, blob, blob_len, + ret, SSH_DIGEST_MAX_LENGTH)) != 0) + goto out; + /* success */ +@@ -908,7 +898,7 @@ sshkey_fingerprint_raw(const struct sshkey *k, enum sshkey_fp_type dgst_type, + ret = NULL; + } + if (lenp != NULL) +- *lenp = ssh_digest_bytes(hash_alg); ++ *lenp = ssh_digest_bytes(dgst_alg); + r = 0; + out: + free(ret); +@@ -920,21 +910,45 @@ sshkey_fingerprint_raw(const struct sshkey *k, enum sshkey_fp_type dgst_type, + } + + static char * +-fingerprint_hex(u_char *dgst_raw, size_t dgst_raw_len) ++fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) + { +- char *retval; +- size_t i; ++ char *ret; ++ size_t plen = strlen(alg) + 1; ++ size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1; ++ int r; + +- if ((retval = calloc(1, dgst_raw_len * 3 + 1)) == NULL) ++ if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL) ++ return NULL; ++ strlcpy(ret, alg, rlen); ++ strlcat(ret, ":", rlen); ++ if (dgst_raw_len == 0) ++ return ret; ++ if ((r = b64_ntop(dgst_raw, dgst_raw_len, ++ ret + plen, rlen - plen)) == -1) { ++ explicit_bzero(ret, rlen); ++ free(ret); + return NULL; +- for (i = 0; i < dgst_raw_len; i++) { +- char hex[4]; +- snprintf(hex, sizeof(hex), "%02x:", dgst_raw[i]); +- strlcat(retval, hex, dgst_raw_len * 3 + 1); + } ++ /* Trim padding characters from end */ ++ ret[strcspn(ret, "=")] = '\0'; ++ return ret; ++} + +- /* Remove the trailing ':' character */ +- retval[(dgst_raw_len * 3) - 1] = '\0'; ++static char * ++fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) ++{ ++ char *retval, hex[5]; ++ size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2; ++ ++ if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL) ++ return NULL; ++ strlcpy(retval, alg, rlen); ++ strlcat(retval, ":", rlen); ++ for (i = 0; i < dgst_raw_len; i++) { ++ snprintf(hex, sizeof(hex), "%s%02x", ++ i > 0 ? ":" : "", dgst_raw[i]); ++ strlcat(retval, hex, rlen); ++ } + return retval; + } + +@@ -1020,7 +1034,7 @@ fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len) + #define FLDSIZE_Y (FLDBASE + 1) + #define FLDSIZE_X (FLDBASE * 2 + 1) + static char * +-fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len, ++fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len, + const struct sshkey *k) + { + /* +@@ -1028,9 +1042,9 @@ fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len, + * intersects with itself. Matter of taste. + */ + char *augmentation_string = " .o+=*BOX@%&#/^SE"; +- char *retval, *p, title[FLDSIZE_X]; ++ char *retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X]; + u_char field[FLDSIZE_X][FLDSIZE_Y]; +- size_t i, tlen; ++ size_t i, tlen, hlen; + u_int b; + int x, y, r; + size_t len = strlen(augmentation_string) - 1; +@@ -1075,8 +1089,12 @@ fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len, + sshkey_type(k), sshkey_size(k)); + /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */ + if (r < 0 || r > (int)sizeof(title)) +- snprintf(title, sizeof(title), "[%s]", sshkey_type(k)); +- tlen = strlen(title); ++ r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k)); ++ tlen = (r <= 0) ? 0 : strlen(title); ++ ++ /* assemble hash ID. */ ++ r = snprintf(hash, sizeof(hash), "[%s]", alg); ++ hlen = (r <= 0) ? 0 : strlen(hash); + + /* output upper border */ + p = retval; +@@ -1085,7 +1103,7 @@ fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len, + *p++ = '-'; + memcpy(p, title, tlen); + p += tlen; +- for (i = p - retval - 1; i < FLDSIZE_X; i++) ++ for (i += tlen; i < FLDSIZE_X; i++) + *p++ = '-'; + *p++ = '+'; + *p++ = '\n'; +@@ -1101,7 +1119,11 @@ fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len, + + /* output lower border */ + *p++ = '+'; +- for (i = 0; i < FLDSIZE_X; i++) ++ for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++) ++ *p++ = '-'; ++ memcpy(p, hash, hlen); ++ p += hlen; ++ for (i += hlen; i < FLDSIZE_X; i++) + *p++ = '-'; + *p++ = '+'; + +@@ -1109,24 +1131,39 @@ fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len, + } + + char * +-sshkey_fingerprint(const struct sshkey *k, enum sshkey_fp_type dgst_type, ++sshkey_fingerprint(const struct sshkey *k, int dgst_alg, + enum sshkey_fp_rep dgst_rep) + { + char *retval = NULL; + u_char *dgst_raw; + size_t dgst_raw_len; + +- if (sshkey_fingerprint_raw(k, dgst_type, &dgst_raw, &dgst_raw_len) != 0) ++ if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0) + return NULL; + switch (dgst_rep) { ++ case SSH_FP_DEFAULT: ++ if (dgst_alg == SSH_DIGEST_MD5) { ++ retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), ++ dgst_raw, dgst_raw_len); ++ } else { ++ retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), ++ dgst_raw, dgst_raw_len); ++ } ++ break; + case SSH_FP_HEX: +- retval = fingerprint_hex(dgst_raw, dgst_raw_len); ++ retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), ++ dgst_raw, dgst_raw_len); ++ break; ++ case SSH_FP_BASE64: ++ retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), ++ dgst_raw, dgst_raw_len); + break; + case SSH_FP_BUBBLEBABBLE: + retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len); + break; + case SSH_FP_RANDOMART: +- retval = fingerprint_randomart(dgst_raw, dgst_raw_len, k); ++ retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg), ++ dgst_raw, dgst_raw_len, k); + break; + default: + explicit_bzero(dgst_raw, dgst_raw_len); +diff --git a/sshkey.h b/sshkey.h +index 450b30c..4554b09 100644 +--- a/sshkey.h ++++ b/sshkey.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sshkey.h,v 1.1 2014/06/24 01:16:58 djm Exp $ */ +/* $OpenBSD: sshkey.h,v 1.2 2014/12/21 22:27:55 djm Exp $ */ @@ -1262,7 +1582,7 @@ diff -up openssh-6.7p1/sshkey.h.fingerprint openssh-6.7p1/sshkey.h SSH_FP_BUBBLEBABBLE, SSH_FP_RANDOMART }; -@@ -124,9 +122,9 @@ int sshkey_equal_public(const struct s +@@ -124,9 +122,9 @@ int sshkey_equal_public(const struct sshkey *, const struct sshkey *); int sshkey_equal(const struct sshkey *, const struct sshkey *); char *sshkey_fingerprint(const struct sshkey *, @@ -1274,16 +1594,3 @@ diff -up openssh-6.7p1/sshkey.h.fingerprint openssh-6.7p1/sshkey.h const char *sshkey_type(const struct sshkey *); const char *sshkey_cert_type(const struct sshkey *); int sshkey_write(const struct sshkey *, FILE *); -diff -up openssh-6.7p1/ssh-keysign.c.fingerprint openssh-6.7p1/ssh-keysign.c ---- openssh-6.7p1/ssh-keysign.c.fingerprint 2014-05-15 06:24:10.000000000 +0200 -+++ openssh-6.7p1/ssh-keysign.c 2014-12-22 13:10:57.967878092 +0100 -@@ -246,7 +246,8 @@ main(int argc, char **argv) - } - } - if (!found) { -- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); -+ fp = key_fingerprint(key, options.fingerprint_hash, -+ SSH_FP_DEFAULT); - fatal("no matching hostkey found for key %s %s", - key_type(key), fp); - } diff --git a/openssh-6.6p1-fips.patch b/openssh-6.7p1-fips.patch similarity index 71% rename from openssh-6.6p1-fips.patch rename to openssh-6.7p1-fips.patch index f97e2ba..ea82670 100644 --- a/openssh-6.6p1-fips.patch +++ b/openssh-6.7p1-fips.patch @@ -1,8 +1,8 @@ diff --git a/Makefile.in b/Makefile.in -index 3bb7f00..294bef5 100644 +index 9311e16..1eb2b45 100644 --- a/Makefile.in +++ b/Makefile.in -@@ -154,25 +154,25 @@ libssh.a: $(LIBSSH_OBJS) +@@ -164,25 +164,25 @@ libssh.a: $(LIBSSH_OBJS) $(RANLIB) $@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) @@ -34,7 +34,7 @@ index 3bb7f00..294bef5 100644 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) -@@ -187,7 +187,7 @@ ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o +@@ -197,7 +197,7 @@ ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o @@ -43,77 +43,6 @@ index 3bb7f00..294bef5 100644 sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -diff --git a/auth-rsa.c b/auth-rsa.c -index f225b0b..8bafcd6 100644 ---- a/auth-rsa.c -+++ b/auth-rsa.c -@@ -244,7 +244,7 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file, - "actual %d vs. announced %d.", - file, linenum, BN_num_bits(key->rsa->n), bits); - -- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); -+ fp = key_selected_fingerprint(key, SSH_FP_HEX); - debug("matching key found: file %s, line %lu %s %s", - file, linenum, key_type(key), fp); - free(fp); -diff --git a/auth2-pubkey.c b/auth2-pubkey.c -index 6d1c872..3808ec8 100644 ---- a/auth2-pubkey.c -+++ b/auth2-pubkey.c -@@ -214,8 +214,7 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...) - } - - if (key_is_cert(key)) { -- fp = key_fingerprint(key->cert->signature_key, -- SSH_FP_MD5, SSH_FP_HEX); -+ fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX); - auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s", - key_type(key), key->cert->key_id, - (unsigned long long)key->cert->serial, -@@ -223,7 +222,7 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...) - extra == NULL ? "" : ", ", extra == NULL ? "" : extra); - free(fp); - } else { -- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); -+ fp = key_selected_fingerprint(key, SSH_FP_HEX); - auth_info(authctxt, "%s %s%s%s", key_type(key), fp, - extra == NULL ? "" : ", ", extra == NULL ? "" : extra); - free(fp); -diff --git a/authfile.c b/authfile.c -index ec4f4ff..2b3d650 100644 ---- a/authfile.c -+++ b/authfile.c -@@ -46,6 +46,7 @@ - #include - #include - #include -+#include - - /* compatibility with old or broken OpenSSL versions */ - #include "openbsd-compat/openssl-compat.h" -@@ -1068,7 +1069,7 @@ Key * - key_parse_private(Buffer *buffer, const char *filename, - const char *passphrase, char **commentp) - { -- Key *pub, *prv; -+ Key *pub, *prv = NULL; - - /* it's a SSH v1 key if the public key part is readable */ - pub = key_parse_public_rsa1(buffer, commentp); -@@ -1080,9 +1081,10 @@ key_parse_private(Buffer *buffer, const char *filename, - *commentp = xstrdup(filename); - } else { - key_free(pub); -- /* key_parse_public_rsa1() has already loaded the comment */ -- prv = key_parse_private_type(buffer, KEY_RSA1, passphrase, -- NULL); -+ if (! FIPS_mode()) -+ /* key_parse_public_rsa1() has already loaded the comment */ -+ prv = key_parse_private_type(buffer, KEY_RSA1, passphrase, -+ NULL); - } - return prv; - } diff --git a/cipher-ctr.c b/cipher-ctr.c index 73e9c7c..40ee395 100644 --- a/cipher-ctr.c @@ -129,7 +58,7 @@ index 73e9c7c..40ee395 100644 return (&aes_ctr); } diff --git a/cipher.c b/cipher.c -index 226e56d..b19443c 100644 +index 9cc7cf8..5ebfa84 100644 --- a/cipher.c +++ b/cipher.c @@ -39,6 +39,8 @@ @@ -141,11 +70,11 @@ index 226e56d..b19443c 100644 #include #include #include -@@ -90,6 +92,25 @@ static const struct Cipher ciphers[] = { +@@ -99,6 +101,26 @@ static const struct sshcipher ciphers[] = { { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL } }; -+static const struct Cipher fips_ciphers[] = { ++static const struct sshcipher fips_ciphers[] = { + { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, + { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc }, + { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc }, @@ -164,38 +93,39 @@ index 226e56d..b19443c 100644 +#endif + { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL } +}; ++ /*--*/ - /* Returns a list of supported ciphers separated by the specified char. */ -@@ -100,7 +121,7 @@ cipher_alg_list(char sep, int auth_only) + /* Returns a comma-separated list of supported ciphers. */ +@@ -109,7 +131,7 @@ cipher_alg_list(char sep, int auth_only) size_t nlen, rlen = 0; - const Cipher *c; + const struct sshcipher *c; - for (c = ciphers; c->name != NULL; c++) { + for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) { if (c->number != SSH_CIPHER_SSH2) continue; if (auth_only && c->auth_len == 0) -@@ -180,7 +201,7 @@ const Cipher * +@@ -193,7 +215,7 @@ const struct sshcipher * cipher_by_name(const char *name) { - const Cipher *c; + const struct sshcipher *c; - for (c = ciphers; c->name != NULL; c++) + for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) if (strcmp(c->name, name) == 0) return c; return NULL; -@@ -190,7 +211,7 @@ const Cipher * +@@ -203,7 +225,7 @@ const struct sshcipher * cipher_by_number(int id) { - const Cipher *c; + const struct sshcipher *c; - for (c = ciphers; c->name != NULL; c++) + for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) if (c->number == id) return c; return NULL; -@@ -232,7 +253,7 @@ cipher_number(const char *name) - const Cipher *c; +@@ -244,7 +266,7 @@ cipher_number(const char *name) + const struct sshcipher *c; if (name == NULL) return -1; - for (c = ciphers; c->name != NULL; c++) @@ -216,10 +146,10 @@ index 48f7b68..9ff39f4 100644 /* diff --git a/entropy.c b/entropy.c -index b361a04..5616643 100644 +index d24e724..06b0095 100644 --- a/entropy.c +++ b/entropy.c -@@ -222,6 +222,9 @@ seed_rng(void) +@@ -215,6 +215,9 @@ seed_rng(void) fatal("OpenSSL version mismatch. Built against %lx, you " "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay()); @@ -230,18 +160,18 @@ index b361a04..5616643 100644 if (RAND_status() == 1) { debug3("RNG is ready, skipping seeding"); diff --git a/kex.c b/kex.c -index bc3e53e..ede7b67 100644 +index e0cf3de..e11198f 100644 --- a/kex.c +++ b/kex.c -@@ -34,6 +34,7 @@ - #include +@@ -35,6 +35,7 @@ + #ifdef WITH_OPENSSL #include +#include + #endif #include "xmalloc.h" - #include "ssh2.h" -@@ -103,6 +104,25 @@ static const struct kexalg kexalgs[] = { +@@ -107,6 +108,25 @@ static const struct kexalg kexalgs[] = { { NULL, -1, -1, -1}, }; @@ -267,7 +197,7 @@ index bc3e53e..ede7b67 100644 char * kex_alg_list(char sep) { -@@ -126,7 +146,7 @@ kex_alg_by_name(const char *name) +@@ -130,7 +150,7 @@ kex_alg_by_name(const char *name) { const struct kexalg *k; @@ -276,7 +206,7 @@ index bc3e53e..ede7b67 100644 if (strcmp(k->name, name) == 0) return k; #ifdef GSSAPI -@@ -151,7 +171,10 @@ kex_names_valid(const char *names) +@@ -155,7 +175,10 @@ kex_names_valid(const char *names) for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { if (kex_alg_by_name(p) == NULL) { @@ -313,7 +243,7 @@ index 2700b72..0820894 100644 } #else /* OPENSSL_HAS_ECC */ diff --git a/kexgexc.c b/kexgexc.c -index 355b7ba..427e11f 100644 +index 0a91bdd..b75930b 100644 --- a/kexgexc.c +++ b/kexgexc.c @@ -26,6 +26,8 @@ @@ -358,50 +288,8 @@ index 770ad28..9d4fc6d 100644 omax = max = DH_GRP_MAX; break; default: -diff --git a/key.c b/key.c -index 62f3edb..a2050f6 100644 ---- a/key.c -+++ b/key.c -@@ -42,6 +42,7 @@ - #include "crypto_api.h" - - #include -+#include - #include - - #include -@@ -636,9 +637,13 @@ key_fingerprint_selection(void) - char *env; - - if (!rv_defined) { -- env = getenv("SSH_FINGERPRINT_TYPE"); -- rv = (env && !strcmp (env, "sha")) ? -- SSH_FP_SHA1 : SSH_FP_MD5; -+ if (FIPS_mode()) -+ rv = SSH_FP_SHA1; -+ else { -+ env = getenv("SSH_FINGERPRINT_TYPE"); -+ rv = (env && !strcmp (env, "sha")) ? -+ SSH_FP_SHA1 : SSH_FP_MD5; -+ } - rv_defined = 1; - } - return rv; -@@ -1168,8 +1173,11 @@ rsa_generate_private_key(u_int bits) - fatal("%s: BN_new failed", __func__); - if (!BN_set_word(f4, RSA_F4)) - fatal("%s: BN_new failed", __func__); -- if (!RSA_generate_key_ex(private, bits, f4, NULL)) -+ if (!RSA_generate_key_ex(private, bits, f4, NULL)) { -+ if (FIPS_mode()) -+ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__); - fatal("%s: key generation failed.", __func__); -+ } - BN_free(f4); - return private; - } diff --git a/mac.c b/mac.c -index 9388af4..cd7b034 100644 +index fd07bf2..fedfbb2 100644 --- a/mac.c +++ b/mac.c @@ -27,6 +27,8 @@ @@ -466,26 +354,18 @@ index 9388af4..cd7b034 100644 continue; if (mac != NULL) { diff --git a/myproposal.h b/myproposal.h -index 3a0f5ae..4f35a44 100644 +index b35b2b8..a608d27 100644 --- a/myproposal.h +++ b/myproposal.h -@@ -88,6 +88,12 @@ - "diffie-hellman-group14-sha1," \ - "diffie-hellman-group1-sha1" +@@ -140,6 +140,28 @@ + "hmac-sha1-96," \ + "hmac-md5-96" +#define KEX_DEFAULT_KEX_FIPS \ + KEX_ECDH_METHODS \ + KEX_SHA256_METHODS \ + "diffie-hellman-group-exchange-sha1," \ + "diffie-hellman-group14-sha1" -+ - #define KEX_DEFAULT_PK_ALG \ - HOSTKEY_ECDSA_CERT_METHODS \ - "ssh-ed25519-cert-v01@openssh.com," \ -@@ -133,6 +139,22 @@ - #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib" - #define KEX_DEFAULT_LANG "" - +#define KEX_FIPS_ENCRYPT \ + "aes128-ctr,aes192-ctr,aes256-ctr," \ + "aes128-cbc,3des-cbc," \ @@ -502,59 +382,24 @@ index 3a0f5ae..4f35a44 100644 +#define KEX_FIPS_MAC \ + "hmac-sha1" +#endif ++ + #else - static char *myproposal[PROPOSAL_MAX] = { - KEX_DEFAULT_KEX, -diff --git a/ssh-keygen.c b/ssh-keygen.c -index 66198e6..ccf22c8 100644 ---- a/ssh-keygen.c -+++ b/ssh-keygen.c -@@ -195,6 +195,12 @@ type_bits_valid(int type, u_int32_t *bitsp) - fprintf(stderr, "key bits exceeds maximum %d\n", maxbits); - exit(1); - } -+ if (FIPS_mode()) { -+ if (type == KEY_DSA) -+ fatal("DSA keys are not allowed in FIPS mode"); -+ if (type == KEY_ED25519) -+ fatal("ED25519 keys are not allowed in FIPS mode"); -+ } - if (type == KEY_DSA && *bitsp != 1024) - fatal("DSA keys must be 1024 bits"); - else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768) -@@ -746,7 +752,7 @@ do_download(struct passwd *pw) - enum fp_type fptype; - char *fp, *ra; - -- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5; -+ fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection(); - rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; - - pkcs11_init(0); -@@ -756,8 +762,7 @@ do_download(struct passwd *pw) - for (i = 0; i < nkeys; i++) { - if (print_fingerprint) { - fp = key_fingerprint(keys[i], fptype, rep); -- ra = key_fingerprint(keys[i], SSH_FP_MD5, -- SSH_FP_RANDOMART); -+ ra = key_selected_fingerprint(keys[i], SSH_FP_RANDOMART); - printf("%u %s %s (PKCS11 key)\n", key_size(keys[i]), - fp, key_type(keys[i])); - if (log_level >= SYSLOG_LEVEL_VERBOSE) + #define KEX_SERVER_KEX \ diff --git a/ssh.c b/ssh.c -index 1e6cb90..ea9193f 100644 +index 26e9681..a0a7c29 100644 --- a/ssh.c +++ b/ssh.c -@@ -73,6 +73,8 @@ - +@@ -75,6 +75,8 @@ #include #include + #endif +#include +#include #include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/sys-queue.h" -@@ -427,6 +429,13 @@ main(int ac, char **av) +@@ -433,6 +435,13 @@ main(int ac, char **av) sanitise_stdfd(); __progname = ssh_get_progname(av[0]); @@ -568,7 +413,7 @@ index 1e6cb90..ea9193f 100644 #ifndef HAVE_SETPROCTITLE /* Prepare for later setproctitle emulation */ -@@ -504,6 +513,9 @@ main(int ac, char **av) +@@ -510,6 +519,9 @@ main(int ac, char **av) "ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { switch (opt) { case '1': @@ -578,15 +423,15 @@ index 1e6cb90..ea9193f 100644 options.protocol = SSH_PROTO_1; break; case '2': -@@ -828,7 +840,6 @@ main(int ac, char **av) - +@@ -841,7 +853,6 @@ main(int ac, char **av) host_arg = xstrdup(host); + #ifdef WITH_OPENSSL - OpenSSL_add_all_algorithms(); ERR_load_crypto_strings(); + #endif - /* Initialize the command to execute on remote host. */ -@@ -973,6 +984,10 @@ main(int ac, char **av) +@@ -997,6 +1008,10 @@ main(int ac, char **av) seed_rng(); @@ -597,7 +442,7 @@ index 1e6cb90..ea9193f 100644 if (options.user == NULL) options.user = xstrdup(pw->pw_name); -@@ -1020,6 +1035,12 @@ main(int ac, char **av) +@@ -1069,6 +1084,12 @@ main(int ac, char **av) timeout_ms = options.connection_timeout * 1000; @@ -611,10 +456,10 @@ index 1e6cb90..ea9193f 100644 if (ssh_connect(host, addrs, &hostaddr, options.port, options.address_family, options.connection_attempts, diff --git a/sshconnect2.c b/sshconnect2.c -index b00658b..6a1562c 100644 +index efe6158..5631f39 100644 --- a/sshconnect2.c +++ b/sshconnect2.c -@@ -44,6 +44,8 @@ +@@ -46,6 +46,8 @@ #include #endif @@ -623,24 +468,13 @@ index b00658b..6a1562c 100644 #include "openbsd-compat/sys-queue.h" #include "xmalloc.h" -@@ -168,20 +170,25 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) +@@ -171,20 +173,25 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) #ifdef GSSAPI if (options.gss_keyex) { - /* Add the GSSAPI mechanisms currently supported on this - * client to the key exchange algorithm proposal */ - orig = myproposal[PROPOSAL_KEX_ALGS]; -- -- if (options.gss_trust_dns) -- gss_host = (char *)get_canonical_hostname(1); -- else -- gss_host = host; -- -- gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity); -- if (gss) { -- debug("Offering GSSAPI proposal: %s", gss); -- xasprintf(&myproposal[PROPOSAL_KEX_ALGS], -- "%s,%s", gss, orig); + if (FIPS_mode()) { + logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode"); + options.gss_keyex = 0; @@ -648,12 +482,21 @@ index b00658b..6a1562c 100644 + /* Add the GSSAPI mechanisms currently supported on this + * client to the key exchange algorithm proposal */ + orig = myproposal[PROPOSAL_KEX_ALGS]; -+ + +- if (options.gss_trust_dns) +- gss_host = (char *)get_canonical_hostname(1); +- else +- gss_host = host; + if (options.gss_trust_dns) + gss_host = (char *)get_canonical_hostname(1); + else + gss_host = host; -+ + +- gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity); +- if (gss) { +- debug("Offering GSSAPI proposal: %s", gss); +- xasprintf(&myproposal[PROPOSAL_KEX_ALGS], +- "%s,%s", gss, orig); + gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity); + if (gss) { + debug("Offering GSSAPI proposal: %s", gss); @@ -663,7 +506,7 @@ index b00658b..6a1562c 100644 } } #endif -@@ -193,6 +200,10 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) +@@ -196,6 +203,10 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) if (options.ciphers != NULL) { myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; @@ -674,7 +517,7 @@ index b00658b..6a1562c 100644 } myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); -@@ -208,7 +219,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) +@@ -211,7 +222,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) if (options.macs != NULL) { myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; @@ -686,7 +529,7 @@ index b00658b..6a1562c 100644 if (options.hostkeyalgorithms != NULL) myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(options.hostkeyalgorithms); -@@ -220,9 +235,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) +@@ -223,9 +238,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) } if (options.kex_algorithms != NULL) myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; @@ -700,19 +543,27 @@ index b00658b..6a1562c 100644 /* If we've got GSSAPI algorithms, then we also support the * 'null' hostkey, as a last resort */ diff --git a/sshd.c b/sshd.c -index b561ec8..e977de3 100644 +index db23ce2..3ce59f0 100644 --- a/sshd.c +++ b/sshd.c -@@ -75,6 +75,8 @@ +@@ -66,6 +66,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -76,6 +77,8 @@ #include #include #include +#include +#include #include "openbsd-compat/openssl-compat.h" + #endif - #ifdef HAVE_SECUREWARE -@@ -1468,6 +1470,18 @@ main(int ac, char **av) +@@ -1479,6 +1482,18 @@ main(int ac, char **av) #endif __progname = ssh_get_progname(av[0]); @@ -731,16 +582,16 @@ index b561ec8..e977de3 100644 /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ saved_argc = ac; rexec_argc = ac; -@@ -1619,8 +1633,6 @@ main(int ac, char **av) +@@ -1630,7 +1645,7 @@ main(int ac, char **av) else closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); -- OpenSSL_add_all_algorithms(); -- - /* If requested, redirect the logs to the specified logfile. */ - if (logfile != NULL) { - log_redirect_stderr_to(logfile); -@@ -1798,6 +1810,10 @@ main(int ac, char **av) +-#ifdef WITH_OPENSSL ++#if 0 /* FIPS */ + OpenSSL_add_all_algorithms(); + #endif + +@@ -1816,6 +1831,10 @@ main(int ac, char **av) debug("private host key: #%d type %d %s", i, keytype, key_type(key ? key : pubkey)); } @@ -751,7 +602,7 @@ index b561ec8..e977de3 100644 if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) { logit("Disabling protocol version 1. Could not load host key"); options.protocol &= ~SSH_PROTO_1; -@@ -1961,6 +1977,10 @@ main(int ac, char **av) +@@ -1982,6 +2001,10 @@ main(int ac, char **av) /* Reinitialize the log (because of the fork above). */ log_init(__progname, options.log_level, options.log_facility, log_stderr); @@ -762,7 +613,7 @@ index b561ec8..e977de3 100644 /* Chdir to the root directory so that the current disk can be unmounted if desired. */ if (chdir("/") == -1) -@@ -2530,6 +2550,9 @@ do_ssh2_kex(void) +@@ -2541,6 +2564,9 @@ do_ssh2_kex(void) if (options.ciphers != NULL) { myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; @@ -772,7 +623,7 @@ index b561ec8..e977de3 100644 } myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); -@@ -2539,6 +2562,9 @@ do_ssh2_kex(void) +@@ -2550,6 +2576,9 @@ do_ssh2_kex(void) if (options.macs != NULL) { myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; @@ -782,7 +633,7 @@ index b561ec8..e977de3 100644 } if (options.compression == COMP_NONE) { myproposal[PROPOSAL_COMP_ALGS_CTOS] = -@@ -2549,6 +2575,8 @@ do_ssh2_kex(void) +@@ -2560,6 +2589,8 @@ do_ssh2_kex(void) } if (options.kex_algorithms != NULL) myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; @@ -791,7 +642,7 @@ index b561ec8..e977de3 100644 myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( myproposal[PROPOSAL_KEX_ALGS]); -@@ -2575,10 +2603,14 @@ do_ssh2_kex(void) +@@ -2586,10 +2617,14 @@ do_ssh2_kex(void) if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0) orig = NULL; @@ -810,3 +661,24 @@ index b561ec8..e977de3 100644 if (gss && orig) xasprintf(&newstr, "%s,%s", gss, orig); +diff --git a/sshkey.c b/sshkey.c +index f078e11..5e3d97f 100644 +--- a/sshkey.c ++++ b/sshkey.c +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + + #include "crypto_api.h" + +@@ -1523,6 +1524,8 @@ rsa_generate_private_key(u_int bits, RSA **rsap) + } + if (!BN_set_word(f4, RSA_F4) || + !RSA_generate_key_ex(private, bits, f4, NULL)) { ++ if (FIPS_mode()) ++ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__); + ret = SSH_ERR_LIBCRYPTO_ERROR; + goto out; + } diff --git a/openssh-6.6p1-ldap.patch b/openssh-6.7p1-ldap.patch similarity index 99% rename from openssh-6.6p1-ldap.patch rename to openssh-6.7p1-ldap.patch index ae3e7cd..51faad6 100644 --- a/openssh-6.6p1-ldap.patch +++ b/openssh-6.7p1-ldap.patch @@ -113,7 +113,7 @@ index 0000000..dd5f5cc + Jan F. Chadima + diff --git a/Makefile.in b/Makefile.in -index 28a8ec4..411eadb 100644 +index 06be3d5..f02aa1e 100644 --- a/Makefile.in +++ b/Makefile.in @@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh @@ -125,7 +125,7 @@ index 28a8ec4..411eadb 100644 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper PRIVSEP_PATH=@PRIVSEP_PATH@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ -@@ -60,8 +62,9 @@ XAUTH_PATH=@XAUTH_PATH@ +@@ -61,8 +63,9 @@ XAUTH_PATH=@XAUTH_PATH@ LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@ EXEEXT=@EXEEXT@ MANFMT=@MANFMT@ @@ -134,9 +134,9 @@ index 28a8ec4..411eadb 100644 -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) - LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ - canohost.o channels.o cipher.o cipher-aes.o \ -@@ -98,8 +101,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ + LIBOPENSSH_OBJS=\ + ssherr.o \ +@@ -108,8 +111,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ sandbox-seccomp-filter.o sandbox-capsicum.o @@ -147,7 +147,7 @@ index 28a8ec4..411eadb 100644 MANTYPE = @MANTYPE@ CONFIGFILES=sshd_config.out ssh_config.out moduli.out -@@ -170,6 +173,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readco +@@ -180,6 +183,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readco ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) @@ -157,7 +157,7 @@ index 28a8ec4..411eadb 100644 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -@@ -273,6 +279,10 @@ install-files: +@@ -295,6 +301,10 @@ install-files: $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) @@ -168,7 +168,7 @@ index 28a8ec4..411eadb 100644 $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -@@ -289,6 +299,10 @@ install-files: +@@ -311,6 +321,10 @@ install-files: $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 @@ -179,7 +179,7 @@ index 28a8ec4..411eadb 100644 -rm -f $(DESTDIR)$(bindir)/slogin ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 -@@ -318,6 +332,13 @@ install-sysconf: +@@ -340,6 +354,13 @@ install-sysconf: else \ echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \ fi @@ -193,7 +193,7 @@ index 28a8ec4..411eadb 100644 host-key: ssh-keygen$(EXEEXT) @if [ -z "$(DESTDIR)" ] ; then \ -@@ -381,6 +402,8 @@ uninstall: +@@ -403,6 +424,8 @@ uninstall: -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) @@ -202,19 +202,19 @@ index 28a8ec4..411eadb 100644 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -@@ -392,6 +415,7 @@ uninstall: +@@ -414,6 +437,7 @@ uninstall: -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 - regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c + regress-prep: diff --git a/configure.ac b/configure.ac -index 7c6ce08..722a19e 100644 +index 67c4486..6553074 100644 --- a/configure.ac +++ b/configure.ac -@@ -1625,6 +1625,106 @@ if test "x$use_pie" != "xno"; then +@@ -1569,6 +1569,106 @@ if test "x$use_pie" != "xno"; then fi fi @@ -1159,7 +1159,7 @@ index 0000000..665dca2 + diff --git a/ldapconf.c b/ldapconf.c new file mode 100644 -index 0000000..525060a +index 0000000..b49cae6 --- /dev/null +++ b/ldapconf.c @@ -0,0 +1,722 @@ diff --git a/openssh.spec b/openssh.spec index 28abea8..86883b1 100644 --- a/openssh.spec +++ b/openssh.spec @@ -63,10 +63,10 @@ %endif # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 -%define openssh_ver 6.6.1p1 -%define openssh_rel 11.1 +%define openssh_ver 6.7p1 +%define openssh_rel 1 %define pam_ssh_agent_ver 0.9.3 -%define pam_ssh_agent_rel 3 +%define pam_ssh_agent_rel 4 Summary: An open source implementation of SSH protocol versions 1 and 2 Name: openssh @@ -74,8 +74,7 @@ Version: %{openssh_ver} Release: %{openssh_rel}%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #URL1: http://pamsshagentauth.sourceforge.net -# Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz -Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.6p1.tar.gz +Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc Source2: sshd.pam Source3: sshd.init @@ -103,10 +102,9 @@ Patch102: openssh-5.8p1-getaddrinfo.patch Patch103: openssh-5.8p1-packet.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1402 -Patch200: openssh-6.6p1-audit.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1171248 # record pfs= field in CRYPTO_SESSION audit event -Patch201: openssh-6.6.1p1-audit-pfs.patch +Patch200: openssh-6.7p1-audit.patch # --- pam_ssh-agent --- # make it build reusing the openssh sources @@ -117,13 +115,15 @@ Patch301: pam_ssh_agent_auth-0.9.2-seteuid.patch Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch # don't use xfree (#1024965) Patch303: pam_ssh_agent_auth-0.9.3-no-xfree.patch +# use SSH_DIGEST_* for fingerprint hashes +Patch304: pam_ssh_agent_auth-0.9.3-fingerprint-hash.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX) Patch400: openssh-6.6p1-role-mls.patch #https://bugzilla.redhat.com/show_bug.cgi?id=781634 Patch404: openssh-6.6p1-privsep-selinux.patch #?-- unwanted child :( -Patch501: openssh-6.6p1-ldap.patch +Patch501: openssh-6.7p1-ldap.patch #? Patch502: openssh-6.6p1-keycat.patch @@ -143,15 +143,11 @@ Patch608: openssh-6.1p1-askpass-ld.patch Patch609: openssh-5.5p1-x11.patch #? -Patch700: openssh-6.6p1-fips.patch -#? -# drop? Patch701: openssh-5.6p1-exit-deadlock.patch +Patch700: openssh-6.7p1-fips.patch #? Patch702: openssh-5.1p1-askpass-progress.patch #? Patch703: openssh-4.3p2-askpass-grab-info.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=205842 -# drop? Patch704: openssh-5.9p1-edns.patch #? Patch705: openssh-5.1p1-scp-manpage.patch #? @@ -361,7 +357,7 @@ remote ssh-agent instance. The module is most useful for su and sudo service stacks. %prep -%setup -q -a 4 -n openssh-6.6p1 +%setup -q -a 4 #Do not enable by default %if 0 %patch0 -p1 -b .wIm @@ -377,6 +373,7 @@ pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} %patch301 -p1 -b .psaa-seteuid %patch302 -p1 -b .psaa-visibility %patch303 -p1 -b .psaa-xfree +%patch304 -p2 -b .psaa-fingerprint # Remove duplicate headers rm -f $(cat %{SOURCE5}) popd @@ -399,13 +396,8 @@ popd %patch607 -p1 -b .sigpipe %patch608 -p1 -b .askpass-ld %patch609 -p1 -b .x11 -# -# drop? %patch701 -p1 -b .exit-deadlock %patch702 -p1 -b .progress %patch703 -p1 -b .grab-info -# investigate - https://bugzilla.redhat.com/show_bug.cgi?id=205842 -# probably not needed anymore %patch704 -p1 -b .edns -# drop it %patch705 -p1 -b .manpage %patch706 -p1 -b .localdomain %patch707 -p1 -b .redhat %patch708 -p1 -b .entropy @@ -422,15 +414,10 @@ popd %patch902 -p1 -b .ccache_name %patch905 -p1 -b .legacy-ssh-copy-id %patch906 -p1 -b .fromto-remote -%patch907 -p1 -b .CLOCK_BOOTTIME -%patch908 -p1 -b .CVE-2014-2653 -%patch909 -p1 -b .6.6.1 -%patch910 -p1 -b .NI_MAXHOST %patch911 -p1 -b .set_remote_ipaddr %patch912 -p1 -b .utf8-banner %patch913 -p1 -b .partial-success %patch914 -p1 -b .servconf -%patch915 -p1 -b .SIGXFSZ %patch916 -p1 -b .contexts %patch917 -p1 -b .cisco-dh %patch918 -p1 -b .log-in-chroot @@ -439,10 +426,10 @@ popd %patch802 -p1 -b .GSSAPIEnablek5users %patch200 -p1 -b .audit -%patch201 -p1 -b .audit-fps %patch700 -p1 -b .fips -%patch100 -p1 -b .coverity +# FIXME rebase 6.7p1 +# %patch100 -p1 -b .coverity %if 0 # Nothing here yet @@ -751,6 +738,9 @@ getent passwd sshd >/dev/null || \ %endif %changelog +* Tue Jan 20 2015 Petr Lautrbach 6.7p1-1 + 0.9.3-4 +- new upstream release openssh-6.7p1 + * Thu Jan 15 2015 Jakub Jelen 6.6.1p1-11.1 + 0.9.3-3 - error message if scp when directory doesn't exist (#1142223) - parsing configuration file values (#1130733) diff --git a/pam_ssh_agent_auth-0.9.3-fingerprint-hash.patch b/pam_ssh_agent_auth-0.9.3-fingerprint-hash.patch new file mode 100644 index 0000000..6b133ee --- /dev/null +++ b/pam_ssh_agent_auth-0.9.3-fingerprint-hash.patch @@ -0,0 +1,64 @@ +diff --git a/pam_ssh_agent_auth-0.9.3/key.c b/pam_ssh_agent_auth-0.9.3/key.c +index 9555e7e..c17aae6 100644 +--- a/pam_ssh_agent_auth-0.9.3/key.c ++++ b/pam_ssh_agent_auth-0.9.3/key.c +@@ -55,6 +55,7 @@ + #include "uuencode.h" + #include "buffer.h" + #include "log.h" ++#include "digest.h" + + Key * + key_new(int type) +@@ -181,7 +182,7 @@ key_equal(const Key *a, const Key *b) + } + + u_char* +-key_fingerprint_raw(const Key *k, enum fp_type dgst_type, ++key_fingerprint_raw(const Key *k, int dgst_type, + u_int *dgst_raw_length) + { + const EVP_MD *md = NULL; +@@ -194,10 +195,10 @@ key_fingerprint_raw(const Key *k, enum fp_type dgst_type, + *dgst_raw_length = 0; + + switch (dgst_type) { +- case SSH_FP_MD5: ++ case SSH_DIGEST_MD5: + md = EVP_md5(); + break; +- case SSH_FP_SHA1: ++ case SSH_DIGEST_SHA1: + md = EVP_sha1(); + break; + default: +@@ -302,7 +303,7 @@ key_fingerprint_bubblebabble(u_char *dgst_raw, u_int dgst_raw_len) + } + + char * +-key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep) ++key_fingerprint(const Key *k, int dgst_type, enum fp_rep dgst_rep) + { + char *retval = NULL; + u_char *dgst_raw; +diff --git a/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c b/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c +index dddcba9..8ba6d87 100644 +--- a/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c ++++ b/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c +@@ -43,6 +43,7 @@ + #include "buffer.h" + #include "log.h" + #include "compat.h" ++#include "digest.h" + #include "key.h" + #include "pathnames.h" + #include "misc.h" +@@ -118,7 +119,7 @@ pam_user_key_allowed2(struct passwd *pw, Key *key, char *file) + found_key = 1; + logit("matching key found: file %s, line %lu", + file, linenum); +- fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); ++ fp = key_fingerprint(found, SSH_DIGEST_MD5, SSH_FP_HEX); + logit("Found matching %s key: %s", + key_type(found), fp); + free(fp); diff --git a/sources b/sources index fbdb5e4..1215c48 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 9872ca1983e566ff5a89c240529e223d pam_ssh_agent_auth-0.9.3.tar.bz2 -3e9800e6bca1fbac0eea4d41baa7f239 openssh-6.6p1.tar.gz +3246aa79317b1d23cae783a3bf8275d6 openssh-6.7p1.tar.gz