Backport several fixes from 7_9 branch (#1665611)
This commit is contained in:
Jakub Jelen
parent
661c7c0582
commit
322896958a
186
openssh-7.9p1-backports.patch
Normal file
186
openssh-7.9p1-backports.patch
Normal file
@ -0,0 +1,186 @@
|
||||
From 631165f6c43d230df9174423aeb19fcf09a67ef4 Mon Sep 17 00:00:00 2001
|
||||
From: Damien Miller <djm@mindrot.org>
|
||||
Date: Mon, 22 Oct 2018 11:22:50 +1100
|
||||
Subject: [PATCH 1/7] fix compile for openssl 1.0.x w/ --with-ssl-engine
|
||||
|
||||
bz#2921, patch from cotequeiroz
|
||||
---
|
||||
openbsd-compat/openssl-compat.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
|
||||
index 8b4a3627..590b66d1 100644
|
||||
--- a/openbsd-compat/openssl-compat.c
|
||||
+++ b/openbsd-compat/openssl-compat.c
|
||||
@@ -76,7 +76,7 @@ ssh_OpenSSL_add_all_algorithms(void)
|
||||
ENGINE_load_builtin_engines();
|
||||
ENGINE_register_all_complete();
|
||||
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x10001000L
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
OPENSSL_config(NULL);
|
||||
#else
|
||||
OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
||||
From 55d7cdda4dc4e8284ccd276f73440be400250a1e Mon Sep 17 00:00:00 2001
|
||||
From: Darren Tucker <dtucker@dtucker.net>
|
||||
Date: Mon, 22 Oct 2018 20:05:18 +1100
|
||||
Subject: [PATCH 2/7] Include openssl compatibility.
|
||||
|
||||
Patch from rosenp at gmail.com via openssh-unix-dev.
|
||||
---
|
||||
ssh-keysign.c | 1 +
|
||||
ssh_api.c | 2 ++
|
||||
2 files changed, 3 insertions(+)
|
||||
|
||||
diff --git a/ssh-keysign.c b/ssh-keysign.c
|
||||
index 744ecb4f..bcd1508c 100644
|
||||
--- a/ssh-keysign.c
|
||||
+++ b/ssh-keysign.c
|
||||
@@ -40,6 +40,7 @@
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/rand.h>
|
||||
#include <openssl/rsa.h>
|
||||
+#include "openbsd-compat/openssl-compat.h"
|
||||
#endif
|
||||
|
||||
#include "xmalloc.h"
|
||||
diff --git a/ssh_api.c b/ssh_api.c
|
||||
index c84b4e71..e727c0d6 100644
|
||||
--- a/ssh_api.c
|
||||
+++ b/ssh_api.c
|
||||
@@ -29,6 +29,8 @@
|
||||
#include "ssherr.h"
|
||||
#include "sshbuf.h"
|
||||
|
||||
+#include "openbsd-compat/openssl-compat.h"
|
||||
+
|
||||
#include <string.h>
|
||||
|
||||
int _ssh_exchange_banner(struct ssh *);
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
||||
From 22092e375125dc602227afb8b2d3b285203e77c1 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Tucker <dtucker@dtucker.net>
|
||||
Date: Mon, 5 Nov 2018 17:31:24 +1100
|
||||
Subject: [PATCH 3/7] Fix pasto for HAVE_EVP_CIPHER_CTX_SET_IV.
|
||||
|
||||
Prevents unnecessary redefinition. Patch from mforney at mforney.org.
|
||||
---
|
||||
configure.ac | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 7379ab35..1041bf25 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -2850,7 +2850,7 @@ if test "x$openssl" = "xyes" ; then
|
||||
[AC_DEFINE([HAVE_EVP_CIPHER_CTX_GET_IV], [1],
|
||||
[Define if libcrypto has EVP_CIPHER_CTX_get_iv])])
|
||||
AC_SEARCH_LIBS([EVP_CIPHER_CTX_set_iv], [crypto],
|
||||
- [AC_DEFINE([HAVE_EVP_CIPHER_CTX_GET_IV], [1],
|
||||
+ [AC_DEFINE([HAVE_EVP_CIPHER_CTX_SET_IV], [1],
|
||||
[Define if libcrypto has EVP_CIPHER_CTX_set_iv])])
|
||||
|
||||
AC_SEARCH_LIBS([RSA_get0_crt_params], [crypto],
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
||||
From 904d478f07deabb401f741f88c67ab2e07f742bd Mon Sep 17 00:00:00 2001
|
||||
From: Darren Tucker <dtucker@dtucker.net>
|
||||
Date: Sun, 11 Nov 2018 15:54:54 +1100
|
||||
Subject: [PATCH 4/7] Remove hardcoded service name in cygwin setup.
|
||||
|
||||
bz#2922, patch from Christian.Lupien at USherbrooke.ca, sanity check
|
||||
by vinschen at redhat.com.
|
||||
---
|
||||
contrib/cygwin/ssh-host-config | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
|
||||
index 261020af..e9f038db 100644
|
||||
--- a/contrib/cygwin/ssh-host-config
|
||||
+++ b/contrib/cygwin/ssh-host-config
|
||||
@@ -307,7 +307,7 @@ check_service_files_ownership() {
|
||||
|
||||
if [ -z "${run_service_as}" ]
|
||||
then
|
||||
- accnt_name=$(/usr/bin/cygrunsrv -VQ sshd |
|
||||
+ accnt_name=$(/usr/bin/cygrunsrv -VQ "${service_name}" |
|
||||
/usr/bin/sed -ne 's/^Account *: *//gp')
|
||||
if [ "${accnt_name}" = "LocalSystem" ]
|
||||
then
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
||||
From 4608a60cb4893a25490fd88ffdaaae6256381ae3 Mon Sep 17 00:00:00 2001
|
||||
From: Damien Miller <djm@mindrot.org>
|
||||
Date: Fri, 23 Nov 2018 10:45:20 +1100
|
||||
Subject: [PATCH 6/7] fix configure test for OpenSSL version
|
||||
|
||||
square brackets in case statements may be eaten by autoconf.
|
||||
|
||||
Report and fix from Filipp Gunbin; tweaked by naddy@
|
||||
---
|
||||
configure.ac | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 1041bf25..9920ede5 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -2616,7 +2616,7 @@ if test "x$openssl" = "xyes" ; then
|
||||
AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
|
||||
;;
|
||||
100*) ;; # 1.0.x
|
||||
- 101000[0123456]*)
|
||||
+ 101000[[0123456]]*)
|
||||
# https://github.com/openssl/openssl/pull/4613
|
||||
AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")])
|
||||
;;
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
||||
From f429c1b2ef631f2855e51a790cf71761d752bbca Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Thu, 27 Dec 2018 23:02:11 +0000
|
||||
Subject: [PATCH 7/7] upstream: Request RSA-SHA2 signatures for
|
||||
|
||||
rsa-sha2-{256|512}-cert-v01@openssh.com cert algorithms; ok markus@
|
||||
|
||||
OpenBSD-Commit-ID: afc6f7ca216ccd821656d1c911d2a3deed685033
|
||||
---
|
||||
authfd.c | 8 +++++---
|
||||
1 file changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/authfd.c b/authfd.c
|
||||
index ecdd869a..62cbf8c1 100644
|
||||
--- a/authfd.c
|
||||
+++ b/authfd.c
|
||||
@@ -327,10 +327,12 @@ ssh_free_identitylist(struct ssh_identitylist *idl)
|
||||
static u_int
|
||||
agent_encode_alg(const struct sshkey *key, const char *alg)
|
||||
{
|
||||
- if (alg != NULL && key->type == KEY_RSA) {
|
||||
- if (strcmp(alg, "rsa-sha2-256") == 0)
|
||||
+ if (alg != NULL && sshkey_type_plain(key->type) == KEY_RSA) {
|
||||
+ if (strcmp(alg, "rsa-sha2-256") == 0 ||
|
||||
+ strcmp(alg, "rsa-sha2-256-cert-v01@openssh.com") == 0)
|
||||
return SSH_AGENT_RSA_SHA2_256;
|
||||
- else if (strcmp(alg, "rsa-sha2-512") == 0)
|
||||
+ if (strcmp(alg, "rsa-sha2-512") == 0 ||
|
||||
+ strcmp(alg, "rsa-sha2-512-cert-v01@openssh.com") == 0)
|
||||
return SSH_AGENT_RSA_SHA2_512;
|
||||
}
|
||||
return 0;
|
||||
--
|
||||
2.20.1
|
||||
|
||||
@ -229,6 +229,8 @@ Patch954: openssh-7.9p1-disable-sha1.patch
|
||||
# Backport Match final so the crypto-policies do not break canonicalization (#1630166)
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2906
|
||||
Patch955: openssh-7.9p1-match-final.patch
|
||||
# Backport more after-release fixes (#1665611)
|
||||
Patch956: openssh-7.9p1-backports.patch
|
||||
|
||||
License: BSD
|
||||
Group: Applications/Internet
|
||||
@ -454,6 +456,7 @@ popd
|
||||
%patch808 -p1 -b .gsskex-method
|
||||
%patch954 -p1 -b .disable-sha1
|
||||
%patch955 -p1 -b .match-final
|
||||
%patch956 -p1 -b .backports
|
||||
|
||||
%patch200 -p1 -b .audit
|
||||
%patch201 -p1 -b .audit-race
|
||||
|
||||
Loading…
Reference in New Issue
Block a user