import openssh-8.0p1-10.el8

This commit is contained in:
CentOS Sources 2021-10-06 13:03:43 -04:00 committed by Stepan Oksanichenko
parent 75ca0870c6
commit 21c06f7ba4
13 changed files with 734 additions and 31 deletions

View File

@ -1,25 +1,29 @@
diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c
--- openssh-7.4p1/channels.c.coverity 2016-12-23 16:40:26.881788686 +0100
+++ openssh-7.4p1/channels.c 2016-12-23 16:42:36.244818763 +0100
@@ -288,11 +288,11 @@ channel_register_fds(Channel *c, int rfd
/* enable nonblocking mode */
if (nonblock) {
- if (rfd != -1)
+ if (rfd >= 0)
diff -up openssh-8.0p1/channels.c.coverity openssh-8.0p1/channels.c
--- openssh-8.0p1/channels.c.coverity 2021-06-21 10:59:17.297473319 +0200
+++ openssh-8.0p1/channels.c 2021-06-21 11:11:32.467290400 +0200
@@ -341,15 +341,15 @@ channel_register_fds(struct ssh *ssh, Ch
* restore their blocking state on exit to avoid interfering
* with other programs that follow.
*/
- if (rfd != -1 && !isatty(rfd) && fcntl(rfd, F_GETFL) == 0) {
+ if (rfd >= 0 && !isatty(rfd) && fcntl(rfd, F_GETFL) == 0) {
c->restore_block |= CHANNEL_RESTORE_RFD;
set_nonblock(rfd);
- if (wfd != -1)
+ if (wfd >= 0)
}
- if (wfd != -1 && !isatty(wfd) && fcntl(wfd, F_GETFL) == 0) {
+ if (wfd >= 0 && !isatty(wfd) && fcntl(wfd, F_GETFL) == 0) {
c->restore_block |= CHANNEL_RESTORE_WFD;
set_nonblock(wfd);
- if (efd != -1)
+ if (efd >= 0)
}
- if (efd != -1 && !isatty(efd) && fcntl(efd, F_GETFL) == 0) {
+ if (efd >= 0 && !isatty(efd) && fcntl(efd, F_GETFL) == 0) {
c->restore_block |= CHANNEL_RESTORE_EFD;
set_nonblock(efd);
}
}
diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
--- openssh-7.4p1/monitor.c.coverity 2016-12-23 16:40:26.888788688 +0100
+++ openssh-7.4p1/monitor.c 2016-12-23 16:40:26.900788691 +0100
@@ -411,7 +411,7 @@ monitor_child_preauth(Authctxt *_authctx
}
diff -up openssh-8.0p1/monitor.c.coverity openssh-8.0p1/monitor.c
--- openssh-8.0p1/monitor.c.coverity 2021-06-21 10:59:17.282473202 +0200
+++ openssh-8.0p1/monitor.c 2021-06-21 10:59:17.297473319 +0200
@@ -401,7 +401,7 @@ monitor_child_preauth(struct ssh *ssh, s
mm_get_keystate(ssh, pmonitor);
/* Drain any buffered messages from the child */

View File

@ -296,17 +296,17 @@ diff -up openssh-7.9p1/sshconnect2.c.fips openssh-7.9p1/sshconnect2.c
#include "openbsd-compat/sys-queue.h"
#include "xmalloc.h"
@@ -117,7 +117,8 @@ order_hostkeyalgs(char *host, struct soc
for (i = 0; i < options.num_system_hostfiles; i++)
load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
@@ -148,7 +150,8 @@ order_hostkeyalgs(char *host, struct soc
* Otherwise, prefer the host key algorithms that match known keys
* while keeping the ordering of HostkeyAlgorithms as much as possible.
*/
- oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
+ oavail = avail = xstrdup((FIPS_mode()
+ ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
maxlen = strlen(avail) + 1;
first = xmalloc(maxlen);
last = xmalloc(maxlen);
@@ -185,14 +185,16 @@ ssh_kex2(char *host, struct sockaddr *ho
@@ -229,14 +232,16 @@ ssh_kex2(struct ssh *ssh, char *host, st
if (options.hostkeyalgorithms != NULL) {
all_key = sshkey_alg_list(0, 0, 1, ',');
if (kex_assemble_names(&options.hostkeyalgorithms,

View File

@ -284,7 +284,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
fail++;
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ if ((s = strchr(p, '/')) != NULL)
+ if ((s = strchr(cp, '/')) != NULL)
+ *s = '\0';
xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "",

View File

@ -11,6 +11,17 @@ diff -up openssh-7.9p1/contrib/ssh-copy-id.ssh-copy-id openssh-7.9p1/contrib/ssh
# implement something like getopt to avoid Solaris pain
case "$1" in
-i?*|-o?*|-p?*)
@@ -185,8 +185,8 @@
usage
fi
-# drop trailing colon
-USER_HOST=$(printf "%s\n" "$1" | sed 's/:$//')
+# don't drop trailing colon because it can be a valid ipv6 address
+USER_HOST=$(printf "%s\n" "$1")
# tack the hostname onto SSH_OPTS
SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }'$(quote "$USER_HOST")'"
# and populate "$@" for later use (only way to get proper quoting of options)
@@ -261,7 +262,7 @@ populate_new_ids() {
fi
if [ -z "$NEW_IDS" ] ; then

View File

@ -0,0 +1,33 @@
diff -up openssh-8.0p1/channels.c.channel-limits openssh-8.0p1/channels.c
--- openssh-8.0p1/channels.c.channel-limits 2021-03-16 12:17:58.905576511 +0100
+++ openssh-8.0p1/channels.c 2021-03-16 12:17:58.925576667 +0100
@@ -354,6 +354,7 @@ channel_new(struct ssh *ssh, char *ctype
struct ssh_channels *sc = ssh->chanctxt;
u_int i, found;
Channel *c;
+ int r;
/* Try to find a free slot where to put the new channel. */
for (i = 0; i < sc->channels_alloc; i++) {
@@ -383,6 +384,8 @@ channel_new(struct ssh *ssh, char *ctype
(c->output = sshbuf_new()) == NULL ||
(c->extended = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__);
+ if ((r = sshbuf_set_max_size(c->input, CHAN_INPUT_MAX)) != 0)
+ fatal("%s: sshbuf_set_max_size: %s", __func__, ssh_err(r));
c->ostate = CHAN_OUTPUT_OPEN;
c->istate = CHAN_INPUT_OPEN;
channel_register_fds(ssh, c, rfd, wfd, efd, extusage, nonblock, 0);
diff -up openssh-8.0p1/channels.h.channel-limits openssh-8.0p1/channels.h
--- openssh-8.0p1/channels.h.channel-limits 2021-03-16 12:17:58.868576223 +0100
+++ openssh-8.0p1/channels.h 2021-03-16 12:17:58.907576527 +0100
@@ -215,6 +215,9 @@ struct Channel {
/* Read buffer size */
#define CHAN_RBUF (16*1024)
+/* Maximum channel input buffer size */
+#define CHAN_INPUT_MAX (16*1024*1024)
+
/* Hard limit on number of channels */
#define CHANNELS_MAX_CHANNELS (16*1024)

View File

@ -0,0 +1,127 @@
diff -up openssh-8.0p1/hostfile.c.cve-2020-14145 openssh-8.0p1/hostfile.c
--- openssh-8.0p1/hostfile.c.cve-2020-14145 2019-04-18 00:52:57.000000000 +0200
+++ openssh-8.0p1/hostfile.c 2021-05-17 16:53:38.694577251 +0200
@@ -409,6 +409,18 @@ lookup_key_in_hostkeys_by_type(struct ho
found) == HOST_FOUND);
}
+int
+lookup_marker_in_hostkeys(struct hostkeys *hostkeys, int want_marker)
+{
+ u_int i;
+
+ for (i = 0; i < hostkeys->num_entries; i++) {
+ if (hostkeys->entries[i].marker == (HostkeyMarker)want_marker)
+ return 1;
+ }
+ return 0;
+}
+
static int
write_host_entry(FILE *f, const char *host, const char *ip,
const struct sshkey *key, int store_hash)
diff -up openssh-8.0p1/hostfile.h.cve-2020-14145 openssh-8.0p1/hostfile.h
--- openssh-8.0p1/hostfile.h.cve-2020-14145 2019-04-18 00:52:57.000000000 +0200
+++ openssh-8.0p1/hostfile.h 2021-05-17 16:53:38.694577251 +0200
@@ -39,6 +39,7 @@ HostStatus check_key_in_hostkeys(struct
const struct hostkey_entry **);
int lookup_key_in_hostkeys_by_type(struct hostkeys *, int,
const struct hostkey_entry **);
+int lookup_marker_in_hostkeys(struct hostkeys *, int);
int hostfile_read_key(char **, u_int *, struct sshkey *);
int add_host_to_hostfile(const char *, const char *,
diff -up openssh-8.0p1/sshconnect2.c.cve-2020-14145 openssh-8.0p1/sshconnect2.c
--- openssh-8.0p1/sshconnect2.c.cve-2020-14145 2021-05-17 16:53:38.610576561 +0200
+++ openssh-8.0p1/sshconnect2.c 2021-05-17 16:54:58.169230103 +0200
@@ -98,12 +98,25 @@ verify_host_key_callback(struct sshkey *
return 0;
}
+/* Returns the first item from a comma-separated algorithm list */
+static char *
+first_alg(const char *algs)
+{
+ char *ret, *cp;
+
+ ret = xstrdup(algs);
+ if ((cp = strchr(ret, ',')) != NULL)
+ *cp = '\0';
+ return ret;
+}
+
static char *
order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
{
- char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
+ char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL;
+ char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL;
size_t maxlen;
- struct hostkeys *hostkeys;
+ struct hostkeys *hostkeys = NULL;
int ktype;
u_int i;
@@ -115,6 +128,26 @@ order_hostkeyalgs(char *host, struct soc
for (i = 0; i < options.num_system_hostfiles; i++)
load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
+ /*
+ * If a plain public key exists that matches the type of the best
+ * preference HostkeyAlgorithms, then use the whole list as is.
+ * Note that we ignore whether the best preference algorithm is a
+ * certificate type, as sshconnect.c will downgrade certs to
+ * plain keys if necessary.
+ */
+ best = first_alg(options.hostkeyalgorithms);
+ if (lookup_key_in_hostkeys_by_type(hostkeys,
+ sshkey_type_plain(sshkey_type_from_name(best)), NULL)) {
+ debug3("%s: have matching best-preference key type %s, "
+ "using HostkeyAlgorithms verbatim", __func__, best);
+ ret = xstrdup(options.hostkeyalgorithms);
+ goto out;
+ }
+
+ /*
+ * Otherwise, prefer the host key algorithms that match known keys
+ * while keeping the ordering of HostkeyAlgorithms as much as possible.
+ */
oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
maxlen = strlen(avail) + 1;
first = xmalloc(maxlen);
@@ -131,11 +164,23 @@ order_hostkeyalgs(char *host, struct soc
while ((alg = strsep(&avail, ",")) && *alg != '\0') {
if ((ktype = sshkey_type_from_name(alg)) == KEY_UNSPEC)
fatal("%s: unknown alg %s", __func__, alg);
+ /*
+ * If we have a @cert-authority marker in known_hosts then
+ * prefer all certificate algorithms.
+ */
+ if (sshkey_type_is_cert(ktype) &&
+ lookup_marker_in_hostkeys(hostkeys, MRK_CA)) {
+ ALG_APPEND(first, alg);
+ continue;
+ }
+ /* If the key appears in known_hosts then prefer it */
if (lookup_key_in_hostkeys_by_type(hostkeys,
- sshkey_type_plain(ktype), NULL))
+ sshkey_type_plain(ktype), NULL)) {
ALG_APPEND(first, alg);
- else
- ALG_APPEND(last, alg);
+ continue;
+ }
+ /* Otherwise, put it last */
+ ALG_APPEND(last, alg);
}
#undef ALG_APPEND
xasprintf(&ret, "%s%s%s", first,
@@ -143,6 +188,8 @@ order_hostkeyalgs(char *host, struct soc
if (*first != '\0')
debug3("%s: prefer hostkeyalgs: %s", __func__, first);
+ out:
+ free(best);
free(first);
free(last);
free(hostname);

View File

@ -0,0 +1,12 @@
diff -up openssh-8.0p1/ssh-keygen.c.strip-doseol openssh-8.0p1/ssh-keygen.c
--- openssh-8.0p1/ssh-keygen.c.strip-doseol 2021-03-18 17:41:34.472404994 +0100
+++ openssh-8.0p1/ssh-keygen.c 2021-03-18 17:41:55.255538761 +0100
@@ -901,7 +901,7 @@ do_fingerprint(struct passwd *pw)
while (getline(&line, &linesize, f) != -1) {
lnum++;
cp = line;
- cp[strcspn(cp, "\n")] = '\0';
+ cp[strcspn(cp, "\r\n")] = '\0';
/* Trim leading space and comments */
cp = line + strspn(line, " \t");
if (*cp == '#' || *cp == '\0')

View File

@ -1167,7 +1167,7 @@ new file mode 100644
index 00000000..e1a7b4e0
--- /dev/null
+++ b/ssh-pkcs11-uri.c
@@ -0,0 +1,421 @@
@@ -0,0 +1,425 @@
+/*
+ * Copyright (c) 2017 Red Hat
+ *
@ -1419,6 +1419,10 @@ index 00000000..e1a7b4e0
+void
+pkcs11_uri_cleanup(struct pkcs11_uri *pkcs11)
+{
+ if (pkcs11 == NULL) {
+ return;
+ }
+
+ free(pkcs11->id);
+ free(pkcs11->module_path);
+ free(pkcs11->token);
@ -2677,6 +2681,9 @@ index 70f06bff..59332945 100644
+ }
+
+ provider_uri = pkcs11_uri_get(uri);
+ if (pin == NULL && uri->pin != NULL) {
+ pin = uri->pin;
+ }
+ nkeys = 0;
+ for (i = 0; i < p->module->nslots; i++) {
+ token = &p->module->slotinfo[i].token;
@ -2712,9 +2719,6 @@ index 70f06bff..59332945 100644
+ provider_uri, (unsigned long)i,
token->label, token->manufacturerID, token->model,
token->serialNumber, token->flags);
+ if (pin == NULL && uri->pin != NULL) {
+ pin = uri->pin;
+ }
/*
- * open session, login with pin and retrieve public
- * keys (if keyp is provided)
@ -2741,8 +2745,8 @@ index 70f06bff..59332945 100644
+ uri->object = label;
+ }
}
+ pin = NULL; /* Will be cleaned up with URI */
}
+ pin = NULL; /* Will be cleaned up with URI */
/* now owned by caller */
*providerp = p;

View File

@ -0,0 +1,44 @@
diff -up openssh-8.0p1/auth-pam.c.preserve-pam-errors openssh-8.0p1/auth-pam.c
--- openssh-8.0p1/auth-pam.c.preserve-pam-errors 2021-03-31 17:03:15.618592347 +0200
+++ openssh-8.0p1/auth-pam.c 2021-03-31 17:06:58.115220014 +0200
@@ -511,7 +511,11 @@ sshpam_thread(void *ctxtp)
goto auth_fail;
if (!do_pam_account()) {
- sshpam_err = PAM_ACCT_EXPIRED;
+ /* Preserve PAM_PERM_DENIED and PAM_USER_UNKNOWN.
+ * Backward compatibility for other errors. */
+ if (sshpam_err != PAM_PERM_DENIED
+ && sshpam_err != PAM_USER_UNKNOWN)
+ sshpam_err = PAM_ACCT_EXPIRED;
goto auth_fail;
}
if (sshpam_authctxt->force_pwchange) {
@@ -568,8 +572,10 @@ sshpam_thread(void *ctxtp)
pam_strerror(sshpam_handle, sshpam_err))) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
/* XXX - can't do much about an error here */
- if (sshpam_err == PAM_ACCT_EXPIRED)
- ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, buffer);
+ if (sshpam_err == PAM_PERM_DENIED
+ || sshpam_err == PAM_USER_UNKNOWN
+ || sshpam_err == PAM_ACCT_EXPIRED)
+ ssh_msg_send(ctxt->pam_csock, sshpam_err, buffer);
else if (sshpam_maxtries_reached)
ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, buffer);
else
@@ -856,10 +862,12 @@ sshpam_query(void *ctx, char **name, cha
plen++;
free(msg);
break;
+ case PAM_USER_UNKNOWN:
+ case PAM_PERM_DENIED:
case PAM_ACCT_EXPIRED:
+ sshpam_account_status = 0;
+ /* FALLTHROUGH */
case PAM_MAXTRIES:
- if (type == PAM_ACCT_EXPIRED)
- sshpam_account_status = 0;
if (type == PAM_MAXTRIES)
sshpam_set_maxtries_reached(1);
/* FALLTHROUGH */

View File

@ -0,0 +1,311 @@
diff -up openssh-8.0p1/channels.c.restore-nonblock openssh-8.0p1/channels.c
--- openssh-8.0p1/channels.c.restore-nonblock 2021-06-21 10:44:26.380559612 +0200
+++ openssh-8.0p1/channels.c 2021-06-21 10:48:47.754579151 +0200
@@ -333,7 +333,27 @@ channel_register_fds(struct ssh *ssh, Ch
#endif
/* enable nonblocking mode */
- if (nonblock) {
+ c->restore_block = 0;
+ if (nonblock == CHANNEL_NONBLOCK_STDIO) {
+ /*
+ * Special handling for stdio file descriptors: do not set
+ * non-blocking mode if they are TTYs. Otherwise prepare to
+ * restore their blocking state on exit to avoid interfering
+ * with other programs that follow.
+ */
+ if (rfd != -1 && !isatty(rfd) && fcntl(rfd, F_GETFL) == 0) {
+ c->restore_block |= CHANNEL_RESTORE_RFD;
+ set_nonblock(rfd);
+ }
+ if (wfd != -1 && !isatty(wfd) && fcntl(wfd, F_GETFL) == 0) {
+ c->restore_block |= CHANNEL_RESTORE_WFD;
+ set_nonblock(wfd);
+ }
+ if (efd != -1 && !isatty(efd) && fcntl(efd, F_GETFL) == 0) {
+ c->restore_block |= CHANNEL_RESTORE_EFD;
+ set_nonblock(efd);
+ }
+ } else if (nonblock) {
if (rfd != -1)
set_nonblock(rfd);
if (wfd != -1)
@@ -422,17 +442,23 @@ channel_find_maxfd(struct ssh_channels *
}
int
-channel_close_fd(struct ssh *ssh, int *fdp)
+channel_close_fd(struct ssh *ssh, Channel *c, int *fdp)
{
struct ssh_channels *sc = ssh->chanctxt;
- int ret = 0, fd = *fdp;
+ int ret, fd = *fdp;
- if (fd != -1) {
- ret = close(fd);
- *fdp = -1;
- if (fd == sc->channel_max_fd)
- channel_find_maxfd(sc);
- }
+ if (fd == -1)
+ return 0;
+
+ if ((*fdp == c->rfd && (c->restore_block & CHANNEL_RESTORE_RFD) != 0) ||
+ (*fdp == c->wfd && (c->restore_block & CHANNEL_RESTORE_WFD) != 0) ||
+ (*fdp == c->efd && (c->restore_block & CHANNEL_RESTORE_EFD) != 0))
+ (void)fcntl(*fdp, F_SETFL, 0); /* restore blocking */
+
+ ret = close(fd);
+ *fdp = -1;
+ if (fd == sc->channel_max_fd)
+ channel_find_maxfd(sc);
return ret;
}
@@ -442,13 +468,13 @@ channel_close_fds(struct ssh *ssh, Chann
{
int sock = c->sock, rfd = c->rfd, wfd = c->wfd, efd = c->efd;
- channel_close_fd(ssh, &c->sock);
+ channel_close_fd(ssh, c, &c->sock);
if (rfd != sock)
- channel_close_fd(ssh, &c->rfd);
+ channel_close_fd(ssh, c, &c->rfd);
if (wfd != sock && wfd != rfd)
- channel_close_fd(ssh, &c->wfd);
+ channel_close_fd(ssh, c, &c->wfd);
if (efd != sock && efd != rfd && efd != wfd)
- channel_close_fd(ssh, &c->efd);
+ channel_close_fd(ssh, c, &c->efd);
}
static void
@@ -681,7 +707,7 @@ channel_stop_listening(struct ssh *ssh)
case SSH_CHANNEL_X11_LISTENER:
case SSH_CHANNEL_UNIX_LISTENER:
case SSH_CHANNEL_RUNIX_LISTENER:
- channel_close_fd(ssh, &c->sock);
+ channel_close_fd(ssh, c, &c->sock);
channel_free(ssh, c);
break;
}
@@ -1487,7 +1513,8 @@ channel_decode_socks5(Channel *c, struct
Channel *
channel_connect_stdio_fwd(struct ssh *ssh,
- const char *host_to_connect, u_short port_to_connect, int in, int out)
+ const char *host_to_connect, u_short port_to_connect,
+ int in, int out, int nonblock)
{
Channel *c;
@@ -1495,7 +1522,7 @@ channel_connect_stdio_fwd(struct ssh *ss
c = channel_new(ssh, "stdio-forward", SSH_CHANNEL_OPENING, in, out,
-1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
- 0, "stdio-forward", /*nonblock*/0);
+ 0, "stdio-forward", nonblock);
c->path = xstrdup(host_to_connect);
c->host_port = port_to_connect;
@@ -1650,7 +1677,7 @@ channel_post_x11_listener(struct ssh *ss
if (c->single_connection) {
oerrno = errno;
debug2("single_connection: closing X11 listener.");
- channel_close_fd(ssh, &c->sock);
+ channel_close_fd(ssh, c, &c->sock);
chan_mark_dead(ssh, c);
errno = oerrno;
}
@@ -2087,7 +2114,7 @@ channel_handle_efd_write(struct ssh *ssh
return 1;
if (len <= 0) {
debug2("channel %d: closing write-efd %d", c->self, c->efd);
- channel_close_fd(ssh, &c->efd);
+ channel_close_fd(ssh, c, &c->efd);
} else {
if ((r = sshbuf_consume(c->extended, len)) != 0) {
fatal("%s: channel %d: consume: %s",
@@ -2119,7 +2146,7 @@ channel_handle_efd_read(struct ssh *ssh,
if (len <= 0) {
debug2("channel %d: closing read-efd %d",
c->self, c->efd);
- channel_close_fd(ssh, &c->efd);
+ channel_close_fd(ssh, c, &c->efd);
} else {
if (c->extended_usage == CHAN_EXTENDED_IGNORE) {
debug3("channel %d: discard efd",
diff -up openssh-8.0p1/channels.h.restore-nonblock openssh-8.0p1/channels.h
--- openssh-8.0p1/channels.h.restore-nonblock 2021-06-21 10:44:26.380559612 +0200
+++ openssh-8.0p1/channels.h 2021-06-21 10:44:26.387559665 +0200
@@ -63,6 +63,16 @@
#define CHANNEL_CANCEL_PORT_STATIC -1
+/* nonblocking flags for channel_new */
+#define CHANNEL_NONBLOCK_LEAVE 0 /* don't modify non-blocking state */
+#define CHANNEL_NONBLOCK_SET 1 /* set non-blocking state */
+#define CHANNEL_NONBLOCK_STDIO 2 /* set non-blocking and restore on close */
+
+/* c->restore_block mask flags */
+#define CHANNEL_RESTORE_RFD 0x01
+#define CHANNEL_RESTORE_WFD 0x02
+#define CHANNEL_RESTORE_EFD 0x04
+
/* TCP forwarding */
#define FORWARD_DENY 0
#define FORWARD_REMOTE (1)
@@ -131,6 +141,7 @@ struct Channel {
* to a matching pre-select handler.
* this way post-select handlers are not
* accidentally called if a FD gets reused */
+ int restore_block; /* fd mask to restore blocking status */
struct sshbuf *input; /* data read from socket, to be sent over
* encrypted connection */
struct sshbuf *output; /* data received over encrypted connection for
@@ -258,7 +269,7 @@ void channel_register_filter(struct ssh
void channel_register_status_confirm(struct ssh *, int,
channel_confirm_cb *, channel_confirm_abandon_cb *, void *);
void channel_cancel_cleanup(struct ssh *, int);
-int channel_close_fd(struct ssh *, int *);
+int channel_close_fd(struct ssh *, Channel *, int *);
void channel_send_window_changes(struct ssh *);
/* mux proxy support */
@@ -305,7 +316,7 @@ Channel *channel_connect_to_port(struct
char *, char *, int *, const char **);
Channel *channel_connect_to_path(struct ssh *, const char *, char *, char *);
Channel *channel_connect_stdio_fwd(struct ssh *, const char*,
- u_short, int, int);
+ u_short, int, int, int);
Channel *channel_connect_by_listen_address(struct ssh *, const char *,
u_short, char *, char *);
Channel *channel_connect_by_listen_path(struct ssh *, const char *,
diff -up openssh-8.0p1/clientloop.c.restore-nonblock openssh-8.0p1/clientloop.c
--- openssh-8.0p1/clientloop.c.restore-nonblock 2021-06-21 10:44:26.290558923 +0200
+++ openssh-8.0p1/clientloop.c 2021-06-21 10:44:26.387559665 +0200
@@ -1436,14 +1436,6 @@ client_loop(struct ssh *ssh, int have_pt
if (have_pty)
leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE);
- /* restore blocking io */
- if (!isatty(fileno(stdin)))
- unset_nonblock(fileno(stdin));
- if (!isatty(fileno(stdout)))
- unset_nonblock(fileno(stdout));
- if (!isatty(fileno(stderr)))
- unset_nonblock(fileno(stderr));
-
/*
* If there was no shell or command requested, there will be no remote
* exit status to be returned. In that case, clear error code if the
diff -up openssh-8.0p1/mux.c.restore-nonblock openssh-8.0p1/mux.c
--- openssh-8.0p1/mux.c.restore-nonblock 2019-04-18 00:52:57.000000000 +0200
+++ openssh-8.0p1/mux.c 2021-06-21 10:50:51.007537336 +0200
@@ -454,14 +454,6 @@ mux_master_process_new_session(struct ss
if (cctx->want_tty && tcgetattr(new_fd[0], &cctx->tio) == -1)
error("%s: tcgetattr: %s", __func__, strerror(errno));
- /* enable nonblocking unless tty */
- if (!isatty(new_fd[0]))
- set_nonblock(new_fd[0]);
- if (!isatty(new_fd[1]))
- set_nonblock(new_fd[1]);
- if (!isatty(new_fd[2]))
- set_nonblock(new_fd[2]);
-
window = CHAN_SES_WINDOW_DEFAULT;
packetmax = CHAN_SES_PACKET_DEFAULT;
if (cctx->want_tty) {
@@ -471,7 +463,7 @@ mux_master_process_new_session(struct ss
nc = channel_new(ssh, "session", SSH_CHANNEL_OPENING,
new_fd[0], new_fd[1], new_fd[2], window, packetmax,
- CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0);
+ CHAN_EXTENDED_WRITE, "client-session", CHANNEL_NONBLOCK_STDIO);
nc->ctl_chan = c->self; /* link session -> control channel */
c->remote_id = nc->self; /* link control -> session channel */
@@ -1033,13 +1025,8 @@ mux_master_process_stdio_fwd(struct ssh
}
}
- /* enable nonblocking unless tty */
- if (!isatty(new_fd[0]))
- set_nonblock(new_fd[0]);
- if (!isatty(new_fd[1]))
- set_nonblock(new_fd[1]);
-
- nc = channel_connect_stdio_fwd(ssh, chost, cport, new_fd[0], new_fd[1]);
+ nc = channel_connect_stdio_fwd(ssh, chost, cport, new_fd[0], new_fd[1],
+ CHANNEL_NONBLOCK_STDIO);
free(chost);
nc->ctl_chan = c->self; /* link session -> control channel */
diff -up openssh-8.0p1/nchan.c.restore-nonblock openssh-8.0p1/nchan.c
--- openssh-8.0p1/nchan.c.restore-nonblock 2021-06-21 10:44:26.388559673 +0200
+++ openssh-8.0p1/nchan.c 2021-06-21 10:52:42.685405537 +0200
@@ -387,7 +387,7 @@ chan_shutdown_write(struct ssh *ssh, Cha
strerror(errno));
}
} else {
- if (channel_close_fd(ssh, &c->wfd) < 0) {
+ if (channel_close_fd(ssh, c, &c->wfd) < 0) {
logit("channel %d: %s: close() failed for "
"fd %d [i%d o%d]: %.100s",
c->self, __func__, c->wfd, c->istate, c->ostate,
@@ -417,7 +417,7 @@ chan_shutdown_read(struct ssh *ssh, Chan
strerror(errno));
}
} else {
- if (channel_close_fd(ssh, &c->rfd) < 0) {
+ if (channel_close_fd(ssh, c, &c->rfd) < 0) {
logit("channel %d: %s: close() failed for "
"fd %d [i%d o%d]: %.100s",
c->self, __func__, c->rfd, c->istate, c->ostate,
@@ -437,7 +437,7 @@ chan_shutdown_extended_read(struct ssh *
debug2("channel %d: %s (i%d o%d sock %d wfd %d efd %d [%s])",
c->self, __func__, c->istate, c->ostate, c->sock, c->rfd, c->efd,
channel_format_extended_usage(c));
- if (channel_close_fd(ssh, &c->efd) < 0) {
+ if (channel_close_fd(ssh, c, &c->efd) < 0) {
logit("channel %d: %s: close() failed for "
"extended fd %d [i%d o%d]: %.100s",
c->self, __func__, c->efd, c->istate, c->ostate,
diff -up openssh-8.0p1/ssh.c.restore-nonblock openssh-8.0p1/ssh.c
--- openssh-8.0p1/ssh.c.restore-nonblock 2021-06-21 10:44:26.389559681 +0200
+++ openssh-8.0p1/ssh.c 2021-06-21 10:54:47.651377045 +0200
@@ -1709,7 +1709,8 @@ ssh_init_stdio_forwarding(struct ssh *ss
(out = dup(STDOUT_FILENO)) < 0)
fatal("channel_connect_stdio_fwd: dup() in/out failed");
if ((c = channel_connect_stdio_fwd(ssh, options.stdio_forward_host,
- options.stdio_forward_port, in, out)) == NULL)
+ options.stdio_forward_port, in, out,
+ CHANNEL_NONBLOCK_STDIO)) == NULL)
fatal("%s: channel_connect_stdio_fwd failed", __func__);
channel_register_cleanup(ssh, c->self, client_cleanup_stdio_fwd, 0);
channel_register_open_confirm(ssh, c->self, ssh_stdio_confirm, NULL);
@@ -1862,14 +1863,6 @@ ssh_session2_open(struct ssh *ssh)
if (in < 0 || out < 0 || err < 0)
fatal("dup() in/out/err failed");
- /* enable nonblocking unless tty */
- if (!isatty(in))
- set_nonblock(in);
- if (!isatty(out))
- set_nonblock(out);
- if (!isatty(err))
- set_nonblock(err);
-
window = CHAN_SES_WINDOW_DEFAULT;
packetmax = CHAN_SES_PACKET_DEFAULT;
if (tty_flag) {
@@ -1879,7 +1872,7 @@ ssh_session2_open(struct ssh *ssh)
c = channel_new(ssh,
"session", SSH_CHANNEL_OPENING, in, out, err,
window, packetmax, CHAN_EXTENDED_WRITE,
- "client-session", /*nonblock*/0);
+ "client-session", CHANNEL_NONBLOCK_STDIO);
debug3("%s: channel_new: %d", __func__, c->self);

View File

@ -0,0 +1,16 @@
diff -up openssh-8.0p1/sftp.c.original openssh-8.0p1/sftp.c
--- openssh-8.0p1/sftp.c.original 2020-12-22 17:05:02.105698989 +0900
+++ openssh-8.0p1/sftp.c 2020-12-22 17:05:42.922035780 +0900
@@ -937,7 +937,11 @@ sglob_comp(const void *aa, const void *b
return (rmul * strcmp(ap, bp));
else if (sort_flag & LS_TIME_SORT) {
#if defined(HAVE_STRUCT_STAT_ST_MTIM)
- return (rmul * timespeccmp(&as->st_mtim, &bs->st_mtim, <));
+ if (timespeccmp(&as->st_mtim, &bs->st_mtim, <)){
+ return rmul;
+ } else {
+ return -rmul;
+ }
#elif defined(HAVE_STRUCT_STAT_ST_MTIME)
return (rmul * NCMP(as->st_mtime, bs->st_mtime));
#else

View File

@ -0,0 +1,97 @@
diff --git a/servconf.c b/servconf.c
index ffac5d2c..340045b2 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1042,7 +1042,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
return -1;
}
if (strcasecmp(attrib, "user") == 0) {
- if (ci == NULL) {
+ if (ci == NULL || (ci->test && ci->user == NULL)) {
result = 0;
continue;
}
@@ -1054,7 +1054,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
debug("user %.100s matched 'User %.100s' at "
"line %d", ci->user, arg, line);
} else if (strcasecmp(attrib, "group") == 0) {
- if (ci == NULL) {
+ if (ci == NULL || (ci->test && ci->user == NULL)) {
result = 0;
continue;
}
@@ -1067,7 +1067,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
result = 0;
}
} else if (strcasecmp(attrib, "host") == 0) {
- if (ci == NULL) {
+ if (ci == NULL || (ci->test && ci->host == NULL)) {
result = 0;
continue;
}
@@ -1079,7 +1079,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
debug("connection from %.100s matched 'Host "
"%.100s' at line %d", ci->host, arg, line);
} else if (strcasecmp(attrib, "address") == 0) {
- if (ci == NULL) {
+ if (ci == NULL || (ci->test && ci->address == NULL)) {
result = 0;
continue;
}
@@ -1098,7 +1098,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
return -1;
}
} else if (strcasecmp(attrib, "localaddress") == 0){
- if (ci == NULL) {
+ if (ci == NULL || (ci->test && ci->laddress == NULL)) {
result = 0;
continue;
}
@@ -1124,7 +1124,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
arg);
return -1;
}
- if (ci == NULL) {
+ if (ci == NULL || (ci->test && ci->lport == -1)) {
result = 0;
continue;
}
@@ -1138,10 +1138,12 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
else
result = 0;
} else if (strcasecmp(attrib, "rdomain") == 0) {
- if (ci == NULL || ci->rdomain == NULL) {
+ if (ci == NULL || (ci->test && ci->rdomain == NULL)) {
result = 0;
continue;
}
+ if (ci->rdomain == NULL)
+ match_test_missing_fatal("RDomain", "rdomain");
if (match_pattern_list(ci->rdomain, arg, 0) != 1)
result = 0;
else
diff --git a/servconf.h b/servconf.h
index 54e0a8d8..5483da05 100644
--- a/servconf.h
+++ b/servconf.h
@@ -221,6 +221,8 @@ struct connection_info {
const char *laddress; /* local address */
int lport; /* local port */
const char *rdomain; /* routing domain if available */
+ int test; /* test mode, allow some attributes to be
+ * unspecified */
};
diff --git a/sshd.c b/sshd.c
index cbd3bce9..1fcde502 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1843,6 +1843,7 @@ main(int ac, char **av)
*/
if (connection_info == NULL)
connection_info = get_connection_info(ssh, 0, 0);
+ connection_info->test = 1;
parse_server_match_config(&options, connection_info);
dump_config(&options);
}

View File

@ -66,7 +66,7 @@
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 8.0p1
%global openssh_rel 5
%global openssh_rel 10
%global pam_ssh_agent_ver 0.10.3
%global pam_ssh_agent_rel 7
@ -230,6 +230,21 @@ Patch970: openssh-8.0p1-rdomain.patch
# Do not fail X11 forwarding if IPv6 is disabled (#1662189)
# https://bugzilla.mindrot.org/show_bug.cgi?id=2143
Patch971: openssh-8.0p1-x11-without-ipv6.patch
# Client window fix (#1913041)
Patch972: openssh-8.0p1-channel-limits.patch
# SFTP sort upon the modification time (#1909988)
# https://bugzilla.mindrot.org/show_bug.cgi?id=3248
Patch973: openssh-8.0p1-sftp-timespeccmp.patch
# ssh-keygen printing fingerprint issue with Windows keys (#1901518)
Patch974: openssh-8.0p1-keygen-strip-doseol.patch
# sshd provides PAM an incorrect error code (#1879503)
Patch975: openssh-8.0p1-preserve-pam-errors.patch
# ssh incorrectly restores the blocking mode on standard output (#1942901)
Patch976: openssh-8.0p1-restore-nonblock.patch
# CVE 2020-14145
Patch977: openssh-8.0p1-cve-2020-14145.patch
# sshd -T requires -C when "Match" is used in sshd_config (#1836277)
Patch978: openssh-8.0p1-sshd_config.patch
License: BSD
Group: Applications/Internet
@ -448,6 +463,13 @@ popd
%patch969 -p1 -b .keygen-sha2
%patch970 -p1 -b .rdomain
%patch971 -p1 -b .x11-ipv6
%patch972 -p1 -b .channel-limits
%patch973 -p1 -b .sftp-timespeccmp
%patch974 -p1 -b .keygen-strip-doseol
%patch975 -p1 -b .preserve-pam-errors
%patch976 -p1 -b .restore-nonblock
%patch977 -p1 -b .cve-2020-14145
%patch978 -p1 -b .sshd_config
%patch200 -p1 -b .audit
%patch201 -p1 -b .audit-race
@ -739,6 +761,28 @@ getent passwd sshd >/dev/null || \
%endif
%changelog
* Mon Jun 21 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-10
- sshd -T requires -C when "Match" is used in sshd_config (#1836277)
* Wed Jun 02 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-9
- CVE-2020-14145 openssh: Observable Discrepancy leading to an information
leak in the algorithm negotiation (#1882252)
- Hostbased ssh authentication fails if session ID contains a '/' (#1944125)
* Mon Apr 26 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-8
- ssh doesn't restore the blocking mode on standard output (#1942901)
* Fri Apr 09 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-7 + 0.10.3-7
- SFTP sort upon the modification time (#1909988)
- ssh-keygen printing fingerprint issue with Windows keys (#1901518)
- PIN is lost when iterating over tokens when adding pkcs11 keys to ssh-agent (#1843372)
- ssh-agent segfaults during ssh-add -s pkcs11 (#1868996)
- ssh-copy-id could not resolve ipv6 address ends with colon (#1933517)
- sshd provides PAM an incorrect error code (#1879503)
* Tue Mar 16 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-6 + 0.10.3-7
- Openssh client window fix (#1913041)
* Tue Mar 24 2020 Jakub Jelen <jjelen@redhat.com> - 8.0p1-5 + 0.10.3-7
- Do not print "no slots" warning by default (#1744220)
- Unbreak connecting using gssapi through proxy commands (#1749862)