Rebase to latest OpenSSH 7.7p1 (#1563223)
This commit is contained in:
parent
1ce235ac38
commit
3cd4899257
3
.gitignore
vendored
3
.gitignore
vendored
@ -27,3 +27,6 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
|
||||
/pam_ssh_agent_auth-0.10.3.tar.bz2
|
||||
/openssh-7.5p1.tar.gz
|
||||
/openssh-7.6p1.tar.gz
|
||||
/openssh-7.7p1.tar.gz
|
||||
/openssh-7.7p1.tar.gz.asc
|
||||
/DJM-GPG-KEY.gpg
|
||||
|
@ -69,7 +69,7 @@ diff -up openssh-7.4p1/servconf.c.vendor openssh-7.4p1/servconf.c
|
||||
+
|
||||
case sAllowUsers:
|
||||
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
||||
if (options->num_allow_users >= MAX_ALLOW_USERS)
|
||||
if (match_user(NULL, NULL, NULL, arg) == -1)
|
||||
@@ -2269,6 +2277,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
|
||||
dump_cfg_fmtint(sCompression, o->compression);
|
||||
@ -93,8 +93,8 @@ diff -up openssh-7.4p1/sshd_config.0.vendor openssh-7.4p1/sshd_config.0
|
||||
--- openssh-7.4p1/sshd_config.0.vendor 2016-12-23 13:34:51.695253847 +0100
|
||||
+++ openssh-7.4p1/sshd_config.0 2016-12-23 13:36:53.146277511 +0100
|
||||
@@ -792,6 +792,11 @@ DESCRIPTION
|
||||
ssh-keygen(1). For more information on KRLs, see the KEY
|
||||
REVOCATION LISTS section in ssh-keygen(1).
|
||||
rdomain(4). If the routing domain is set to %D, then the domain
|
||||
in which the incoming connection was received will be applied.
|
||||
|
||||
+ ShowPatchLevel
|
||||
+ Specifies whether sshd will display the specific patch level of
|
||||
@ -108,9 +108,9 @@ diff -up openssh-7.4p1/sshd_config.5.vendor openssh-7.4p1/sshd_config.5
|
||||
--- openssh-7.4p1/sshd_config.5.vendor 2016-12-23 13:34:51.695253847 +0100
|
||||
+++ openssh-7.4p1/sshd_config.5 2016-12-23 13:37:17.482282253 +0100
|
||||
@@ -1334,6 +1334,13 @@ an OpenSSH Key Revocation List (KRL) as
|
||||
.Xr ssh-keygen 1 .
|
||||
For more information on KRLs, see the KEY REVOCATION LISTS section in
|
||||
.Xr ssh-keygen 1 .
|
||||
If the routing domain is set to
|
||||
.Cm \&%D ,
|
||||
then the domain in which the incoming connection was received will be applied.
|
||||
+.It Cm ShowPatchLevel
|
||||
+Specifies whether
|
||||
+.Nm sshd
|
||||
|
@ -1,24 +1,75 @@
|
||||
diff --git a/misc.c b/misc.c
|
||||
index 2f11de4..36402d1 100644
|
||||
index 874dcc8a..7b7f7a58 100644
|
||||
--- a/misc.c
|
||||
+++ b/misc.c
|
||||
@@ -396,7 +396,7 @@ hpdelim(char **cp)
|
||||
return NULL;
|
||||
else
|
||||
s++;
|
||||
- } else if ((s = strpbrk(s, ":/")) == NULL)
|
||||
+ } else if ((s = strpbrk(s, ":")) == NULL)
|
||||
s = *cp + strlen(*cp); /* skip to end (see first case below) */
|
||||
@@ -466,7 +466,7 @@ put_host_port(const char *host, u_short port)
|
||||
* The delimiter char, if present, is stored in delim.
|
||||
* If this is the last field, *cp is set to NULL.
|
||||
*/
|
||||
-static char *
|
||||
+char *
|
||||
hpdelim2(char **cp, char *delim)
|
||||
{
|
||||
char *s, *old;
|
||||
diff --git a/misc.h b/misc.h
|
||||
index cdafea73..cf9c8f28 100644
|
||||
--- a/misc.h
|
||||
+++ b/misc.h
|
||||
@@ -54,6 +54,7 @@ int set_rdomain(int, const char *);
|
||||
int a2port(const char *);
|
||||
int a2tun(const char *, int *);
|
||||
char *put_host_port(const char *, u_short);
|
||||
+char *hpdelim2(char **, char *);
|
||||
char *hpdelim(char **);
|
||||
char *cleanhostname(char *);
|
||||
char *colon(char *);
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index 0f0d0906..1679181e 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -821,7 +821,7 @@ process_permitopen(struct ssh *ssh, ServerOptions *options)
|
||||
{
|
||||
u_int i;
|
||||
int port;
|
||||
- char *host, *arg, *oarg;
|
||||
+ char *host, *arg, *oarg, ch;
|
||||
|
||||
switch (*s) {
|
||||
@@ -405,7 +405,6 @@ hpdelim(char **cp)
|
||||
break;
|
||||
|
||||
case ':':
|
||||
- case '/':
|
||||
*s = '\0'; /* terminate */
|
||||
*cp = s + 1;
|
||||
break;
|
||||
--
|
||||
2.1.0
|
||||
|
||||
channel_clear_adm_permitted_opens(ssh);
|
||||
if (options->num_permitted_opens == 0)
|
||||
@@ -839,8 +839,8 @@ process_permitopen(struct ssh *ssh, ServerOptions *options)
|
||||
/* Otherwise treat it as a list of permitted host:port */
|
||||
for (i = 0; i < options->num_permitted_opens; i++) {
|
||||
oarg = arg = xstrdup(options->permitted_opens[i]);
|
||||
- host = hpdelim(&arg);
|
||||
- if (host == NULL)
|
||||
+ host = hpdelim2(&arg, &ch);
|
||||
+ if (host == NULL || ch == '/')
|
||||
fatal("%s: missing host in PermitOpen", __func__);
|
||||
host = cleanhostname(host);
|
||||
if (arg == NULL || ((port = permitopen_port(arg)) < 0))
|
||||
@@ -1244,8 +1244,10 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||
port = 0;
|
||||
p = arg;
|
||||
} else {
|
||||
- p = hpdelim(&arg);
|
||||
- if (p == NULL)
|
||||
+ char ch;
|
||||
+ arg2 = NULL;
|
||||
+ p = hpdelim2(&arg, &ch);
|
||||
+ if (p == NULL || ch == '/')
|
||||
fatal("%s line %d: bad address:port usage",
|
||||
filename, linenum);
|
||||
p = cleanhostname(p);
|
||||
@@ -1815,9 +1817,10 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||
break;
|
||||
}
|
||||
for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
|
||||
+ char ch;
|
||||
arg2 = xstrdup(arg);
|
||||
- p = hpdelim(&arg);
|
||||
- if (p == NULL)
|
||||
+ p = hpdelim2(&arg, &ch);
|
||||
+ if (p == NULL || ch == '/')
|
||||
fatal("%s line %d: missing host in PermitOpen",
|
||||
filename, linenum);
|
||||
p = cleanhostname(p);
|
||||
|
@ -41,14 +41,14 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
|
||||
--- openssh-7.4p1/monitor.c.log-in-chroot 2016-12-23 15:14:33.311168085 +0100
|
||||
+++ openssh-7.4p1/monitor.c 2016-12-23 15:16:42.154193100 +0100
|
||||
@@ -307,6 +307,8 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
close(pmonitor->m_log_sendfd);
|
||||
close(pmonitor->m_log_sendfd);
|
||||
pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
|
||||
|
||||
+ pmonitor->m_state = "preauth";
|
||||
+
|
||||
authctxt = _authctxt;
|
||||
memset(authctxt, 0, sizeof(*authctxt));
|
||||
|
||||
ssh->authctxt = authctxt;
|
||||
@@ -405,6 +407,8 @@ monitor_child_postauth(struct monitor *p
|
||||
close(pmonitor->m_recvfd);
|
||||
pmonitor->m_recvfd = -1;
|
||||
@ -165,7 +165,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
|
||||
|
||||
- closefrom(STDERR_FILENO + 1);
|
||||
-
|
||||
do_rc_files(s, shell);
|
||||
do_rc_files(ssh, s, shell);
|
||||
|
||||
/* restore SIGPIPE for child */
|
||||
@@ -1653,9 +1649,17 @@ do_child(Session *s, const char *command
|
||||
|
@ -116,38 +116,3 @@ index 2871fe9..39b9c08 100644
|
||||
#endif
|
||||
|
||||
/* Demote the child */
|
||||
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
|
||||
index 12c014e..c5ef2ff 100644
|
||||
--- a/openbsd-compat/port-linux.c
|
||||
+++ b/openbsd-compat/port-linux.c
|
||||
@@ -35,7 +35,6 @@
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
#include <selinux/selinux.h>
|
||||
-#include <selinux/flask.h>
|
||||
#include <selinux/get_context_list.h>
|
||||
|
||||
#ifndef SSH_SELINUX_UNCONFINED_TYPE
|
||||
@@ -110,6 +109,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
|
||||
security_context_t new_tty_ctx = NULL;
|
||||
security_context_t user_ctx = NULL;
|
||||
security_context_t old_tty_ctx = NULL;
|
||||
+ security_class_t class;
|
||||
|
||||
if (!ssh_selinux_enabled())
|
||||
return;
|
||||
@@ -129,8 +129,13 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
|
||||
goto out;
|
||||
}
|
||||
|
||||
+ class = string_to_security_class("chr_file");
|
||||
+ if (!class) {
|
||||
+ error("string_to_security_class failed to translate security class context");
|
||||
+ goto out;
|
||||
+ }
|
||||
if (security_compute_relabel(user_ctx, old_tty_ctx,
|
||||
- SECCLASS_CHR_FILE, &new_tty_ctx) != 0) {
|
||||
+ class, &new_tty_ctx) != 0) {
|
||||
error("%s: security_compute_relabel: %s",
|
||||
__func__, strerror(errno));
|
||||
goto out;
|
||||
|
@ -10,14 +10,14 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
|
||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||
@@ -66,7 +67,7 @@ EXEEXT=@EXEEXT@
|
||||
MANFMT=@MANFMT@
|
||||
MKDIR_P=@MKDIR_P@
|
||||
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
|
||||
|
||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
|
||||
|
||||
LIBOPENSSH_OBJS=\
|
||||
ssh_api.o \
|
||||
XMSS_OBJS=\
|
||||
ssh-xmss.o \
|
||||
@@ -194,6 +195,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
|
||||
ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
|
||||
$(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS)
|
||||
|
@ -14,12 +14,13 @@ diff -up openssh-7.4p1/entropy.c.entropy openssh-7.4p1/entropy.c
|
||||
diff -up openssh-7.4p1/openbsd-compat/Makefile.in.entropy openssh-7.4p1/openbsd-compat/Makefile.in
|
||||
--- openssh-7.4p1/openbsd-compat/Makefile.in.entropy 2016-12-23 18:34:53.715762155 +0100
|
||||
+++ openssh-7.4p1/openbsd-compat/Makefile.in 2016-12-23 18:35:15.890769493 +0100
|
||||
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf
|
||||
|
||||
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-getpagesize.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-malloc.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xcrypt.o kludge-fd_set.o
|
||||
|
||||
-PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
|
||||
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
|
||||
@@ -20,7 +20,8 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf
|
||||
port-solaris.o \
|
||||
port-net.o \
|
||||
port-uw.o \
|
||||
- port-linux-sshd.o
|
||||
+ port-linux-sshd.o \
|
||||
+ port-linux-prng.o
|
||||
|
||||
.c.o:
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
||||
|
@ -207,7 +207,7 @@ index 28659ec..9c94d8e 100644
|
||||
--- a/session.c
|
||||
+++ b/session.c
|
||||
@@ -789,6 +789,29 @@ do_exec(Session *s, const char *command)
|
||||
command = forced_command;
|
||||
command = auth_opts->force_command;
|
||||
forced = "(key-option)";
|
||||
}
|
||||
+#ifdef GSSAPI
|
||||
|
@ -1,7 +1,7 @@
|
||||
diff -up openssh/misc.c.keycat openssh/misc.c
|
||||
--- openssh/misc.c.keycat 2015-06-24 10:57:50.158849606 +0200
|
||||
+++ openssh/misc.c 2015-06-24 11:04:23.989868638 +0200
|
||||
@@ -490,6 +490,14 @@ subprocess(const char *tag, struct passw
|
||||
diff -up openssh/auth.c.keycat openssh/misc.c
|
||||
--- openssh/auth.c.keycat 2015-06-24 10:57:50.158849606 +0200
|
||||
+++ openssh/auth.c 2015-06-24 11:04:23.989868638 +0200
|
||||
@@ -966,6 +966,14 @@ subprocess(const char *tag, struct passw
|
||||
_exit(1);
|
||||
}
|
||||
|
||||
@ -52,14 +52,14 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
|
||||
AR=@AR@
|
||||
AWK=@AWK@
|
||||
@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
|
||||
MANFMT=@MANFMT@
|
||||
MKDIR_P=@MKDIR_P@
|
||||
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
|
||||
|
||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
|
||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
||||
|
||||
LIBOPENSSH_OBJS=\
|
||||
ssh_api.o \
|
||||
XMSS_OBJS=\
|
||||
ssh-xmss.o \
|
||||
@@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
|
||||
ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
|
||||
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LDAPLIBS)
|
||||
@ -203,7 +203,7 @@ diff -up openssh/platform.c.keycat openssh/platform.c
|
||||
diff -up openssh/ssh-keycat.c.keycat openssh/ssh-keycat.c
|
||||
--- openssh/ssh-keycat.c.keycat 2015-06-24 10:57:50.161849599 +0200
|
||||
+++ openssh/ssh-keycat.c 2015-06-24 10:57:50.161849599 +0200
|
||||
@@ -0,0 +1,238 @@
|
||||
@@ -0,0 +1,241 @@
|
||||
+/*
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
@ -253,6 +253,9 @@ diff -up openssh/ssh-keycat.c.keycat openssh/ssh-keycat.c
|
||||
+#include <pwd.h>
|
||||
+#include <fcntl.h>
|
||||
+#include <unistd.h>
|
||||
+#ifdef HAVE_STDINT_H
|
||||
+#include <stdint.h>
|
||||
+#endif
|
||||
+
|
||||
+#include <security/pam_appl.h>
|
||||
+
|
||||
|
@ -192,15 +192,16 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
|
||||
if (options->password_authentication == -1)
|
||||
options->password_authentication = 1;
|
||||
if (options->kbd_interactive_authentication == -1)
|
||||
@@ -399,7 +402,7 @@ typedef enum {
|
||||
@@ -399,7 +402,8 @@ typedef enum {
|
||||
sPermitRootLogin, sLogFacility, sLogLevel,
|
||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||
- sKerberosGetAFSToken,
|
||||
- sKerberosGetAFSToken, sChallengeResponseAuthentication,
|
||||
+ sKerberosGetAFSToken, sKerberosUseKuserok,
|
||||
sKerberosTgtPassing, sChallengeResponseAuthentication,
|
||||
+ sChallengeResponseAuthentication,
|
||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
||||
sListenAddress, sAddressFamily,
|
||||
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
|
||||
@@ -478,11 +481,13 @@ static struct {
|
||||
#else
|
||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||
|
@ -64,7 +64,7 @@ diff -up openssh-7.4p1/sshd_config.5.redhat openssh-7.4p1/sshd_config.5
|
||||
diff -up openssh-7.4p1/sshd_config.redhat openssh-7.4p1/sshd_config
|
||||
--- openssh-7.4p1/sshd_config.redhat 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/sshd_config 2016-12-23 13:33:05.386233133 +0100
|
||||
@@ -10,21 +10,35 @@
|
||||
@@ -10,20 +10,34 @@
|
||||
# possible, but leave them commented. Uncommented options override the
|
||||
# default value.
|
||||
|
||||
@ -79,7 +79,6 @@ diff -up openssh-7.4p1/sshd_config.redhat openssh-7.4p1/sshd_config
|
||||
|
||||
-#HostKey /etc/ssh/ssh_host_rsa_key
|
||||
+HostKey /etc/ssh/ssh_host_rsa_key
|
||||
#HostKey /etc/ssh/ssh_host_dsa_key
|
||||
-#HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
-#HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
+HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
|
@ -93,7 +93,7 @@ diff -up openssh-7.4p1/auth2-hostbased.c.role-mls openssh-7.4p1/auth2-hostbased.
|
||||
+#else
|
||||
+ (r = sshbuf_put_cstring(b, authctxt->user)) != 0 ||
|
||||
+#endif
|
||||
(r = sshbuf_put_cstring(b, service)) != 0 ||
|
||||
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
|
||||
(r = sshbuf_put_cstring(b, "hostbased")) != 0 ||
|
||||
(r = sshbuf_put_string(b, pkalg, alen)) != 0 ||
|
||||
diff -up openssh-7.4p1/auth2-pubkey.c.role-mls openssh-7.4p1/auth2-pubkey.c
|
||||
@ -116,7 +116,7 @@ diff -up openssh-7.4p1/auth2-pubkey.c.role-mls openssh-7.4p1/auth2-pubkey.c
|
||||
+#endif
|
||||
if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
|
||||
(r = sshbuf_put_cstring(b, userstyle)) != 0 ||
|
||||
(r = sshbuf_put_cstring(b, ssh->compat & SSH_BUG_PKSERVICE ?
|
||||
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
|
||||
diff -up openssh-7.4p1/auth.h.role-mls openssh-7.4p1/auth.h
|
||||
--- openssh-7.4p1/auth.h.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/auth.h 2016-12-23 12:19:43.478510375 +0100
|
||||
@ -146,7 +146,7 @@ diff -up openssh-7.4p1/auth-pam.h.role-mls openssh-7.4p1/auth-pam.h
|
||||
--- openssh-7.4p1/auth-pam.h.role-mls 2016-12-23 12:19:43.478510375 +0100
|
||||
+++ openssh-7.4p1/auth-pam.h 2016-12-23 12:21:44.698101234 +0100
|
||||
@@ -31,7 +31,7 @@ u_int do_pam_account(void);
|
||||
void do_pam_session(void);
|
||||
void do_pam_session(struct ssh *);
|
||||
void do_pam_setcred(int );
|
||||
void do_pam_chauthtok(void);
|
||||
-int do_pam_putenv(char *, char *);
|
||||
@ -316,7 +316,7 @@ diff -up openssh-7.4p1/monitor_wrap.c.role-mls openssh-7.4p1/monitor_wrap.c
|
||||
+
|
||||
/* Do the password authentication */
|
||||
int
|
||||
mm_auth_password(Authctxt *authctxt, char *password)
|
||||
mm_auth_password(struct ssh *ssh, char *password)
|
||||
diff -up openssh-7.4p1/monitor_wrap.h.role-mls openssh-7.4p1/monitor_wrap.h
|
||||
--- openssh-7.4p1/monitor_wrap.h.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/monitor_wrap.h 2016-12-23 12:19:58.588459376 +0100
|
||||
@ -329,16 +329,17 @@ diff -up openssh-7.4p1/monitor_wrap.h.role-mls openssh-7.4p1/monitor_wrap.h
|
||||
+#endif
|
||||
struct passwd *mm_getpwnamallow(const char *);
|
||||
char *mm_auth2_read_banner(void);
|
||||
int mm_auth_password(struct Authctxt *, char *);
|
||||
int mm_auth_password(struct ssh *, char *);
|
||||
diff -up openssh-7.4p1/openbsd-compat/Makefile.in.role-mls openssh-7.4p1/openbsd-compat/Makefile.in
|
||||
--- openssh-7.4p1/openbsd-compat/Makefile.in.role-mls 2016-12-23 12:19:58.588459376 +0100
|
||||
+++ openssh-7.4p1/openbsd-compat/Makefile.in 2016-12-23 12:24:06.042643938 +0100
|
||||
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf
|
||||
|
||||
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-getpagesize.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-malloc.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xcrypt.o kludge-fd_set.o
|
||||
|
||||
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
|
||||
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
|
||||
@@ -20,7 +20,8 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf
|
||||
port-linux.o \
|
||||
port-solaris.o \
|
||||
port-net.o \
|
||||
- port-uw.o
|
||||
+ port-uw.o \
|
||||
+ port-linux-sshd.o
|
||||
|
||||
.c.o:
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
||||
|
@ -27,7 +27,7 @@ diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
|
||||
+ while (pmonitor->m_log_recvfd >= 0 && monitor_read_log(pmonitor) == 0)
|
||||
;
|
||||
|
||||
close(pmonitor->m_sendfd);
|
||||
if (pmonitor->m_recvfd >= 0)
|
||||
diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
|
||||
--- openssh-7.4p1/monitor_wrap.c.coverity 2016-12-23 16:40:26.892788689 +0100
|
||||
+++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:40:26.900788691 +0100
|
||||
@ -127,11 +127,11 @@ diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c
|
||||
}
|
||||
|
||||
tun = packet_get_int();
|
||||
- if (forced_tun_device != -1) {
|
||||
+ if (forced_tun_device >= 0) {
|
||||
if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
|
||||
- if (auth_opts->force_tun_device != -1) {
|
||||
+ if (auth_opts->force_tun_device >= 0) {
|
||||
if (tun != SSH_TUNID_ANY && auth_opts->force_tun_device != tun)
|
||||
goto done;
|
||||
tun = forced_tun_device;
|
||||
tun = auth_opts->force_tun_device;
|
||||
diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
|
||||
--- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100
|
||||
|
@ -10,14 +10,14 @@ diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
|
||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||
@@ -67,7 +68,7 @@ EXEEXT=@EXEEXT@
|
||||
MANFMT=@MANFMT@
|
||||
MKDIR_P=@MKDIR_P@
|
||||
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
|
||||
|
||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
|
||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
|
||||
|
||||
LIBOPENSSH_OBJS=\
|
||||
ssh_api.o \
|
||||
XMSS_OBJS=\
|
||||
ssh-xmss.o \
|
||||
@@ -198,6 +199,9 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHD
|
||||
ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
||||
$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
||||
|
@ -145,16 +145,16 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in
|
||||
GSSLIBS=@GSSLIBS@
|
||||
SSHLIBS=@SSHLIBS@
|
||||
@@ -61,8 +63,9 @@ XAUTH_PATH=@XAUTH_PATH@
|
||||
LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
|
||||
EXEEXT=@EXEEXT@
|
||||
MANFMT=@MANFMT@
|
||||
MKDIR_P=@MKDIR_P@
|
||||
+INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
|
||||
|
||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
|
||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
|
||||
|
||||
LIBOPENSSH_OBJS=\
|
||||
ssh_api.o \
|
||||
XMSS_OBJS=\
|
||||
ssh-xmss.o \
|
||||
@@ -112,8 +115,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
|
||||
sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
|
||||
sandbox-solaris.o
|
||||
@ -197,7 +197,7 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in
|
||||
+ fi
|
||||
|
||||
install-sysconf:
|
||||
if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
|
||||
$(MKDIR_P) $(DESTDIR)$(sysconfdir)
|
||||
@@ -356,6 +370,13 @@ install-sysconf:
|
||||
else \
|
||||
echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
|
||||
@ -228,7 +228,7 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in
|
||||
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
|
||||
|
||||
regress-prep:
|
||||
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
|
||||
$(MKDIR_P) `pwd`/regress/unittests/test_helper
|
||||
diff -up openssh-6.8p1/configure.ac.ldap openssh-6.8p1/configure.ac
|
||||
--- openssh-6.8p1/configure.ac.ldap 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/configure.ac 2015-03-18 11:11:29.030801464 +0100
|
||||
|
@ -1,24 +0,0 @@
|
||||
diff -up openssh-7.4p1/servconf.c.memory openssh-7.4p1/servconf.c
|
||||
--- openssh-7.4p1/servconf.c.memory 2016-12-23 15:37:48.181422360 +0100
|
||||
+++ openssh-7.4p1/servconf.c 2016-12-23 15:38:30.189429116 +0100
|
||||
@@ -2006,6 +2006,8 @@ copy_set_server_options(ServerOptions *d
|
||||
dst->n = src->n; \
|
||||
} while (0)
|
||||
|
||||
+ u_int i;
|
||||
+
|
||||
M_CP_INTOPT(password_authentication);
|
||||
M_CP_INTOPT(gss_authentication);
|
||||
M_CP_INTOPT(pubkey_authentication);
|
||||
@@ -2058,8 +2060,10 @@ copy_set_server_options(ServerOptions *d
|
||||
} while(0)
|
||||
#define M_CP_STRARRAYOPT(n, num_n) do {\
|
||||
if (src->num_n != 0) { \
|
||||
+ for (i = 0; i < dst->num_n; i++) \
|
||||
+ free(dst->n[i]); \
|
||||
for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
|
||||
- dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
|
||||
+ dst->n[dst->num_n] = src->n[dst->num_n]; \
|
||||
} \
|
||||
} while(0)
|
||||
#define M_CP_STRARRAYOPT_ALLOC(n, num_n) do { \
|
@ -238,8 +238,8 @@ diff -up openssh-7.0p1/servconf.c.gsskexalg openssh-7.0p1/servconf.c
|
||||
#include "digest.h"
|
||||
+#include "ssh-gss.h"
|
||||
|
||||
static void add_listen_addr(ServerOptions *, char *, int);
|
||||
static void add_one_listen_addr(ServerOptions *, char *, int);
|
||||
static void add_listen_addr(ServerOptions *, const char *,
|
||||
const char *, int);
|
||||
@@ -121,6 +122,7 @@ initialize_server_options(ServerOptions
|
||||
options->gss_cleanup_creds = -1;
|
||||
options->gss_strict_acceptor = -1;
|
||||
|
@ -86,7 +86,7 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
|
||||
/*
|
||||
* This is called to fork and execute a command when we have no tty. This
|
||||
@@ -424,6 +430,8 @@ do_exec_no_pty(Session *s, const char *c
|
||||
cray_init_job(s->pw); /* set up cray jid and tmpdir */
|
||||
close(err[0]);
|
||||
#endif
|
||||
|
||||
+ child_destory_sensitive_data();
|
||||
@ -102,8 +102,8 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
|
||||
+ child_destory_sensitive_data();
|
||||
+
|
||||
/* record login, etc. similar to login(1) */
|
||||
#ifdef _UNICOS
|
||||
cray_init_job(s->pw); /* set up cray jid and tmpdir */
|
||||
#ifndef HAVE_OSF_SIA
|
||||
do_login(ssh, s, command);
|
||||
@@ -717,6 +728,8 @@ do_exec(Session *s, const char *command)
|
||||
}
|
||||
if (s->command != NULL && s->ptyfd == -1)
|
||||
|
@ -673,13 +673,13 @@ diff -up openssh-7.5p1/sshkey.c.fips openssh-7.5p1/sshkey.c
|
||||
|
||||
#include "crypto_api.h"
|
||||
@@ -58,6 +59,7 @@
|
||||
#define SSHKEY_INTERNAL
|
||||
#include "sshkey.h"
|
||||
#include "sshkey-xmss.h"
|
||||
#include "match.h"
|
||||
+#include "log.h"
|
||||
|
||||
/* openssh private key file format */
|
||||
#define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n"
|
||||
#include "xmss_fast.h"
|
||||
|
||||
@@ -1587,6 +1589,8 @@ rsa_generate_private_key(u_int bits, RSA
|
||||
}
|
||||
if (!BN_set_word(f4, RSA_F4) ||
|
||||
|
@ -1729,7 +1729,7 @@ diff -up openssh/monitor.c.gsskex openssh/monitor.c
|
||||
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
|
||||
+#endif
|
||||
|
||||
if (!no_pty_flag) {
|
||||
if (auth_opts->permit_pty_flag) {
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
|
||||
@@ -1656,6 +1673,13 @@ monitor_apply_keystate(struct monitor *p
|
||||
# endif
|
||||
@ -2086,6 +2086,7 @@ diff -up openssh/regress/cert-userkey.sh.gsskex openssh/regress/cert-userkey.sh
|
||||
|
||||
-PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
|
||||
+PLAIN_TYPES=`$SSH -Q key-plain | grep -v null | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
|
||||
EXTRA_TYPES=""
|
||||
|
||||
if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
|
||||
PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
|
||||
@ -2624,7 +2625,7 @@ diff -up openssh/sshd.c.gsskex openssh/sshd.c
|
||||
|
||||
@@ -871,8 +871,9 @@ notify_hostkeys(struct ssh *ssh)
|
||||
}
|
||||
debug3("%s: sent %d hostkeys", __func__, nkeys);
|
||||
debug3("%s: sent %u hostkeys", __func__, nkeys);
|
||||
if (nkeys == 0)
|
||||
- fatal("%s: no hostkeys", __func__);
|
||||
- packet_send();
|
||||
@ -2864,9 +2865,9 @@ diff -up openssh/sshkey.h.gsskex openssh/sshkey.h
|
||||
--- openssh/sshkey.h.gsskex 2017-09-25 01:48:10.000000000 +0200
|
||||
+++ openssh/sshkey.h 2017-09-27 13:54:53.602534414 +0200
|
||||
@@ -61,6 +61,7 @@ enum sshkey_types {
|
||||
KEY_DSA_CERT,
|
||||
KEY_ECDSA_CERT,
|
||||
KEY_ED25519_CERT,
|
||||
KEY_XMSS,
|
||||
KEY_XMSS_CERT,
|
||||
+ KEY_NULL,
|
||||
KEY_UNSPEC
|
||||
};
|
||||
|
@ -471,7 +471,7 @@ diff -up openssh/kexgexc.c.openssl openssh/kexgexc.c
|
||||
|
||||
debug("got SSH2_MSG_KEX_DH_GEX_GROUP");
|
||||
|
||||
@@ -119,26 +120,30 @@ input_kex_dh_gex_group(int type, u_int32
|
||||
@@ -119,24 +120,30 @@ input_kex_dh_gex_group(int type, u_int32
|
||||
p = g = NULL; /* belong to kex->dh now */
|
||||
|
||||
/* generate and send 'e', client DH public key */
|
||||
@ -497,12 +497,8 @@ diff -up openssh/kexgexc.c.openssl openssh/kexgexc.c
|
||||
ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REPLY, &input_kex_dh_gex_reply);
|
||||
r = 0;
|
||||
out:
|
||||
- if (p)
|
||||
- BN_clear_free(p);
|
||||
- if (g)
|
||||
- BN_clear_free(g);
|
||||
+ BN_clear_free(p);
|
||||
+ BN_clear_free(g);
|
||||
BN_clear_free(p);
|
||||
BN_clear_free(g);
|
||||
+ if (r != 0) {
|
||||
+ DH_free(kex->dh);
|
||||
+ kex->dh = NULL;
|
||||
@ -1419,17 +1415,6 @@ diff -up openssh/sshconnect2.c.openssl openssh/sshconnect2.c
|
||||
}
|
||||
|
||||
/*
|
||||
diff -up openssh/sshconnect.c.openssl openssh/sshconnect.c
|
||||
--- openssh/sshconnect.c.openssl 2017-09-26 13:19:31.759249464 +0200
|
||||
+++ openssh/sshconnect.c 2017-09-26 13:19:31.800249715 +0200
|
||||
@@ -1316,6 +1316,7 @@ ssh_login(Sensitive *sensitive, const ch
|
||||
char *server_user, *local_user;
|
||||
|
||||
local_user = xstrdup(pw->pw_name);
|
||||
+ free(pw);
|
||||
server_user = options.user ? options.user : local_user;
|
||||
|
||||
/* Convert the user-supplied hostname into all lowercase. */
|
||||
diff -up openssh/ssh.c.openssl openssh/ssh.c
|
||||
--- openssh/ssh.c.openssl 2017-09-26 13:19:31.786249629 +0200
|
||||
+++ openssh/ssh.c 2017-09-26 13:19:31.800249715 +0200
|
||||
@ -1443,14 +1428,6 @@ diff -up openssh/ssh.c.openssl openssh/ssh.c
|
||||
if (access("/etc/system-fips", F_OK) == 0)
|
||||
if (! FIPSCHECK_verify(NULL, NULL)){
|
||||
if (FIPS_mode())
|
||||
@@ -1263,6 +1265,7 @@ main(int ac, char **av)
|
||||
free(cp);
|
||||
}
|
||||
free(conn_hash_hex);
|
||||
+ free(host_arg);
|
||||
|
||||
if (config_test) {
|
||||
dump_client_config(&options, host);
|
||||
diff -up openssh/sshd.c.openssl openssh/sshd.c
|
||||
--- openssh/sshd.c.openssl 2017-09-26 13:19:31.792249666 +0200
|
||||
+++ openssh/sshd.c 2017-09-26 13:19:31.801249721 +0200
|
||||
@ -1493,8 +1470,8 @@ diff -up openssh/ssh-dss.c.openssl openssh/ssh-dss.c
|
||||
+ BN_bn2bin(r, sigblob + SIGBLOB_LEN - INTBLOB_LEN - rlen);
|
||||
+ BN_bn2bin(s, sigblob + SIGBLOB_LEN - slen);
|
||||
|
||||
if (compat & SSH_BUG_SIGBLOB) {
|
||||
if (sigp != NULL) {
|
||||
if ((b = sshbuf_new()) == NULL) {
|
||||
ret = SSH_ERR_ALLOC_FAIL;
|
||||
@@ -137,6 +139,7 @@ ssh_dss_verify(const struct sshkey *key,
|
||||
int ret = SSH_ERR_INTERNAL_ERROR;
|
||||
struct sshbuf *b = NULL;
|
||||
@ -1527,15 +1504,13 @@ diff -up openssh/ssh-dss.c.openssl openssh/ssh-dss.c
|
||||
|
||||
/* sha1 the data */
|
||||
if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen,
|
||||
@@ -207,8 +213,9 @@ ssh_dss_verify(const struct sshkey *key,
|
||||
@@ -207,7 +213,9 @@ ssh_dss_verify(const struct sshkey *key,
|
||||
|
||||
out:
|
||||
explicit_bzero(digest, sizeof(digest));
|
||||
- if (sig != NULL)
|
||||
- DSA_SIG_free(sig);
|
||||
+ BN_free(r);
|
||||
+ BN_free(s);
|
||||
+ DSA_SIG_free(sig);
|
||||
DSA_SIG_free(sig);
|
||||
sshbuf_free(b);
|
||||
free(ktype);
|
||||
if (sigblob != NULL) {
|
||||
@ -1597,15 +1572,13 @@ diff -up openssh/ssh-ecdsa.c.openssl openssh/ssh-ecdsa.c
|
||||
if (sshbuf_len(sigbuf) != 0) {
|
||||
ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
|
||||
goto out;
|
||||
@@ -180,8 +191,9 @@ ssh_ecdsa_verify(const struct sshkey *ke
|
||||
@@ -180,7 +191,9 @@ ssh_ecdsa_verify(const struct sshkey *ke
|
||||
explicit_bzero(digest, sizeof(digest));
|
||||
sshbuf_free(sigbuf);
|
||||
sshbuf_free(b);
|
||||
- if (sig != NULL)
|
||||
- ECDSA_SIG_free(sig);
|
||||
+ BN_free(r);
|
||||
+ BN_free(s);
|
||||
+ ECDSA_SIG_free(sig);
|
||||
ECDSA_SIG_free(sig);
|
||||
free(ktype);
|
||||
return ret;
|
||||
}
|
||||
@ -1647,20 +1620,19 @@ diff -up openssh/sshkey.c.openssl openssh/sshkey.c
|
||||
#ifdef OPENSSL_HAS_ECC
|
||||
case KEY_ECDSA_CERT:
|
||||
case KEY_ECDSA:
|
||||
@@ -496,11 +501,7 @@ sshkey_new(int type)
|
||||
@@ -496,10 +501,7 @@ sshkey_new(int type)
|
||||
#ifdef WITH_OPENSSL
|
||||
case KEY_RSA:
|
||||
case KEY_RSA_CERT:
|
||||
- if ((rsa = RSA_new()) == NULL ||
|
||||
- (rsa->n = BN_new()) == NULL ||
|
||||
- (rsa->e = BN_new()) == NULL) {
|
||||
- if (rsa != NULL)
|
||||
- RSA_free(rsa);
|
||||
- RSA_free(rsa);
|
||||
+ if ((rsa = RSA_new()) == NULL) {
|
||||
free(k);
|
||||
return NULL;
|
||||
}
|
||||
@@ -508,13 +509,7 @@ sshkey_new(int type)
|
||||
@@ -508,12 +509,7 @@ sshkey_new(int type)
|
||||
break;
|
||||
case KEY_DSA:
|
||||
case KEY_DSA_CERT:
|
||||
@ -1669,8 +1641,7 @@ diff -up openssh/sshkey.c.openssl openssh/sshkey.c
|
||||
- (dsa->q = BN_new()) == NULL ||
|
||||
- (dsa->g = BN_new()) == NULL ||
|
||||
- (dsa->pub_key = BN_new()) == NULL) {
|
||||
- if (dsa != NULL)
|
||||
- DSA_free(dsa);
|
||||
- DSA_free(dsa);
|
||||
+ if ((dsa = DSA_new()) == NULL) {
|
||||
free(k);
|
||||
return NULL;
|
||||
@ -2491,8 +2462,8 @@ diff -up openssh/sshkey.h.openssl openssh/sshkey.h
|
||||
-int ssh_rsa_generate_additional_parameters(struct sshkey *);
|
||||
+int ssh_rsa_generate_additional_parameters(struct sshkey *, BIGNUM *iqmp);
|
||||
|
||||
#ifdef SSHKEY_INTERNAL
|
||||
int ssh_rsa_sign(const struct sshkey *key,
|
||||
/* stateful keys (e.g. XMSS) */
|
||||
#ifdef NO_ATTRIBUTE_ON_PROTOTYPE_ARGS
|
||||
diff -up openssh/ssh-pkcs11-client.c.openssl openssh/ssh-pkcs11-client.c
|
||||
--- openssh/ssh-pkcs11-client.c.openssl 2017-09-19 06:26:43.000000000 +0200
|
||||
+++ openssh/ssh-pkcs11-client.c 2017-09-26 13:19:31.803249734 +0200
|
||||
@ -2594,7 +2565,7 @@ diff -up openssh/ssh-pkcs11.c.openssl openssh/ssh-pkcs11.c
|
||||
}
|
||||
} else {
|
||||
cp = attribs[2].pValue;
|
||||
@@ -525,17 +538,19 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
|
||||
@@ -525,16 +538,18 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
|
||||
== NULL) {
|
||||
error("d2i_X509 failed");
|
||||
} else if ((evp = X509_get_pubkey(x509)) == NULL ||
|
||||
@ -2608,8 +2579,7 @@ diff -up openssh/ssh-pkcs11.c.openssl openssh/ssh-pkcs11.c
|
||||
== NULL) {
|
||||
error("RSAPublicKey_dup");
|
||||
}
|
||||
if (x509)
|
||||
X509_free(x509);
|
||||
X509_free(x509);
|
||||
}
|
||||
- if (rsa && rsa->n && rsa->e &&
|
||||
+ if (rsa)
|
||||
@ -2621,21 +2591,19 @@ diff -up openssh/ssh-pkcs11.c.openssl openssh/ssh-pkcs11.c
|
||||
diff -up openssh/ssh-rsa.c.openssl openssh/ssh-rsa.c
|
||||
--- openssh/ssh-rsa.c.openssl 2017-09-19 06:26:43.000000000 +0200
|
||||
+++ openssh/ssh-rsa.c 2017-09-26 13:19:31.803249734 +0200
|
||||
@@ -78,37 +78,46 @@ rsa_hash_alg_nid(int type)
|
||||
}
|
||||
@@ -78,38 +78,50 @@ rsa_hash_alg_nid(int type)
|
||||
}
|
||||
|
||||
-/* calculate p-1 and q-1 */
|
||||
+/* calculate d mod p-1 and d mod q-1 */
|
||||
int
|
||||
-ssh_rsa_generate_additional_parameters(struct sshkey *key)
|
||||
+ssh_rsa_generate_additional_parameters(struct sshkey *key, BIGNUM *iqmp)
|
||||
{
|
||||
- RSA *rsa;
|
||||
BIGNUM *aux = NULL;
|
||||
BN_CTX *ctx = NULL;
|
||||
- BIGNUM d;
|
||||
+ BIGNUM *d = NULL;
|
||||
int r;
|
||||
+ const BIGNUM *p, *q, *d;
|
||||
+ const BIGNUM *p, *q, *rsa_d;
|
||||
+ BIGNUM *dmp1 = NULL, *dmq1 = NULL;
|
||||
|
||||
if (key == NULL || key->rsa == NULL ||
|
||||
@ -2646,21 +2614,26 @@ diff -up openssh/ssh-rsa.c.openssl openssh/ssh-rsa.c
|
||||
- return SSH_ERR_ALLOC_FAIL;
|
||||
- if ((aux = BN_new()) == NULL) {
|
||||
+ RSA_get0_factors(key->rsa, &p, &q);
|
||||
+ RSA_get0_key(key->rsa, NULL, NULL, &d);
|
||||
+ RSA_get0_key(key->rsa, NULL, NULL, &rsa_d);
|
||||
+
|
||||
+ if ((ctx = BN_CTX_new()) == NULL ||
|
||||
+ (aux = BN_new()) == NULL ||
|
||||
+ (d = BN_new()) == NULL ||
|
||||
+ (dmp1 = BN_new()) == NULL ||
|
||||
+ (dmq1 = BN_new()) == NULL) {
|
||||
r = SSH_ERR_ALLOC_FAIL;
|
||||
goto out;
|
||||
}
|
||||
- rsa = key->rsa;
|
||||
BN_set_flags(aux, BN_FLG_CONSTTIME);
|
||||
|
||||
- if ((BN_sub(aux, rsa->q, BN_value_one()) == 0) ||
|
||||
- (BN_mod(rsa->dmq1, rsa->d, aux, ctx) == 0) ||
|
||||
- (BN_sub(aux, rsa->p, BN_value_one()) == 0) ||
|
||||
- (BN_mod(rsa->dmp1, rsa->d, aux, ctx) == 0)) {
|
||||
- BN_init(&d);
|
||||
- BN_with_flags(&d, key->rsa->d, BN_FLG_CONSTTIME);
|
||||
+ BN_with_flags(d, rsa_d, BN_FLG_CONSTTIME);
|
||||
|
||||
- if ((BN_sub(aux, key->rsa->q, BN_value_one()) == 0) ||
|
||||
- (BN_mod(key->rsa->dmq1, &d, aux, ctx) == 0) ||
|
||||
- (BN_sub(aux, key->rsa->p, BN_value_one()) == 0) ||
|
||||
- (BN_mod(key->rsa->dmp1, &d, aux, ctx) == 0)) {
|
||||
+ if ((BN_sub(aux, q, BN_value_one()) == 0) ||
|
||||
+ (BN_mod(dmq1, d, aux, ctx) == 0) ||
|
||||
+ (BN_sub(aux, p, BN_value_one()) == 0) ||
|
||||
@ -2673,6 +2646,7 @@ diff -up openssh/ssh-rsa.c.openssl openssh/ssh-rsa.c
|
||||
+ dmq1 = NULL;
|
||||
r = 0;
|
||||
out:
|
||||
+ BN_free(d);
|
||||
BN_clear_free(aux);
|
||||
+ BN_clear_free(dmp1);
|
||||
+ BN_clear_free(dmq1);
|
||||
|
@ -756,7 +756,7 @@ diff -up openssh-7.6p1/auth2-hostbased.c.audit openssh-7.6p1/auth2-hostbased.c
|
||||
if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
|
||||
- PRIVSEP(sshkey_verify(key, sig, slen,
|
||||
+ PRIVSEP(hostbased_key_verify(key, sig, slen,
|
||||
sshbuf_ptr(b), sshbuf_len(b), ssh->compat)) == 0)
|
||||
sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat)) == 0)
|
||||
authenticated = 1;
|
||||
|
||||
@@ -169,6 +169,19 @@ done:
|
||||
@ -765,11 +765,11 @@ diff -up openssh-7.6p1/auth2-hostbased.c.audit openssh-7.6p1/auth2-hostbased.c
|
||||
|
||||
+int
|
||||
+hostbased_key_verify(const struct sshkey *key, const u_char *sig, size_t slen,
|
||||
+ const u_char *data, size_t datalen, u_int compat)
|
||||
+ const u_char *data, size_t datalen, const char *pkalg, u_int compat)
|
||||
+{
|
||||
+ int rv;
|
||||
+
|
||||
+ rv = sshkey_verify(key, sig, slen, data, datalen, compat);
|
||||
+ rv = sshkey_verify(key, sig, slen, data, datalen, pkalg, compat);
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+ audit_key(0, &rv, key);
|
||||
+#endif
|
||||
@ -785,10 +785,10 @@ diff -up openssh-7.6p1/auth2-pubkey.c.audit openssh-7.6p1/auth2-pubkey.c
|
||||
@@ -206,7 +206,7 @@ userauth_pubkey(struct ssh *ssh)
|
||||
/* test for correct signature */
|
||||
authenticated = 0;
|
||||
if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) &&
|
||||
if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
|
||||
- PRIVSEP(sshkey_verify(key, sig, slen, sshbuf_ptr(b),
|
||||
+ PRIVSEP(user_key_verify(key, sig, slen, sshbuf_ptr(b),
|
||||
sshbuf_len(b), ssh->compat)) == 0) {
|
||||
sshbuf_len(b), NULL, ssh->compat)) == 0) {
|
||||
authenticated = 1;
|
||||
}
|
||||
@@ -250,6 +250,19 @@ done:
|
||||
@ -797,11 +797,11 @@ diff -up openssh-7.6p1/auth2-pubkey.c.audit openssh-7.6p1/auth2-pubkey.c
|
||||
|
||||
+int
|
||||
+user_key_verify(const struct sshkey *key, const u_char *sig, size_t slen,
|
||||
+ const u_char *data, size_t datalen, u_int compat)
|
||||
+ const u_char *data, size_t datalen, const char *pkalg, u_int compat)
|
||||
+{
|
||||
+ int rv;
|
||||
+
|
||||
+ rv = sshkey_verify(key, sig, slen, data, datalen, compat);
|
||||
+ rv = sshkey_verify(key, sig, slen, data, datalen, pkalg, compat);
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+ audit_key(1, &rv, key);
|
||||
+#endif
|
||||
@ -836,22 +836,24 @@ diff -up openssh-7.6p1/auth.c.audit openssh-7.6p1/auth.c
|
||||
diff -up openssh-7.6p1/auth.h.audit openssh-7.6p1/auth.h
|
||||
--- openssh-7.6p1/auth.h.audit 2017-10-04 17:18:32.768504711 +0200
|
||||
+++ openssh-7.6p1/auth.h 2017-10-04 17:18:32.836505059 +0200
|
||||
@@ -198,6 +198,7 @@ struct passwd * getpwnamallow(const char
|
||||
@@ -198,6 +198,8 @@ struct passwd * getpwnamallow(const char
|
||||
|
||||
char *expand_authorized_keys(const char *, struct passwd *pw);
|
||||
char *authorized_principals_file(struct passwd *);
|
||||
+int user_key_verify(const struct sshkey *, const u_char *, size_t, const u_char *, size_t, u_int);
|
||||
+int user_key_verify(const struct sshkey *, const u_char *, size_t,
|
||||
+ const u_char *, size_t, const char *, u_int);
|
||||
|
||||
FILE *auth_openkeyfile(const char *, struct passwd *, int);
|
||||
FILE *auth_openprincipals(const char *, struct passwd *, int);
|
||||
@@ -217,6 +218,7 @@ struct sshkey *get_hostkey_private_by_ty
|
||||
@@ -217,6 +218,8 @@ struct sshkey *get_hostkey_private_by_ty
|
||||
int get_hostkey_index(struct sshkey *, int, struct ssh *);
|
||||
int sshd_hostkey_sign(struct sshkey *, struct sshkey *, u_char **,
|
||||
size_t *, const u_char *, size_t, const char *, u_int);
|
||||
+int hostbased_key_verify(const struct sshkey *, const u_char *, size_t, const u_char *, size_t, u_int);
|
||||
+int hostbased_key_verify(const struct sshkey *, const u_char *, size_t,
|
||||
+ const u_char *, size_t, const char *, u_int);
|
||||
|
||||
/* debug messages during authentication */
|
||||
void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
|
||||
/* Key / cert options linkage to auth layer */
|
||||
const struct sshauthopt *auth_options(struct ssh *);
|
||||
diff -up openssh-7.6p1/cipher.c.audit openssh-7.6p1/cipher.c
|
||||
--- openssh-7.6p1/cipher.c.audit 2017-10-02 21:34:26.000000000 +0200
|
||||
+++ openssh-7.6p1/cipher.c 2017-10-04 17:18:32.836505059 +0200
|
||||
@ -1100,8 +1102,8 @@ diff -up openssh-7.6p1/monitor.c.audit openssh-7.6p1/monitor.c
|
||||
#include "ssherr.h"
|
||||
|
||||
@@ -117,6 +118,8 @@ extern Buffer auth_debug;
|
||||
extern int auth_debug_init;
|
||||
extern Buffer loginmsg;
|
||||
extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */
|
||||
|
||||
+extern void destroy_sensitive_data(int);
|
||||
+
|
||||
@ -1144,7 +1146,7 @@ diff -up openssh-7.6p1/monitor.c.audit openssh-7.6p1/monitor.c
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -1396,7 +1413,9 @@ mm_answer_keyverify(int sock, struct ssh
|
||||
u_char *signature, *data, *blob;
|
||||
char *sigalg;
|
||||
size_t signaturelen, datalen, bloblen;
|
||||
int r, ret, valid_data = 0, encoded_ret;
|
||||
+ int type = 0;
|
||||
@ -1152,7 +1154,7 @@ diff -up openssh-7.6p1/monitor.c.audit openssh-7.6p1/monitor.c
|
||||
+ type = buffer_get_int(m);
|
||||
if ((r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
|
||||
(r = sshbuf_get_string(m, &signature, &signaturelen)) != 0 ||
|
||||
(r = sshbuf_get_string(m, &data, &datalen)) != 0)
|
||||
(r = sshbuf_get_string(m, &data, &datalen)) != 0 ||
|
||||
@@ -1405,6 +1424,8 @@ mm_answer_keyverify(int sock, struct ssh
|
||||
if (hostbased_cuser == NULL || hostbased_chost == NULL ||
|
||||
!monitor_allowed_key(blob, bloblen))
|
||||
@ -1160,20 +1162,20 @@ diff -up openssh-7.6p1/monitor.c.audit openssh-7.6p1/monitor.c
|
||||
+ if (type != key_blobtype)
|
||||
+ fatal("%s: bad key type", __func__);
|
||||
|
||||
/* XXX use sshkey_froms here; need to change key_blob, etc. */
|
||||
if ((r = sshkey_from_blob(blob, bloblen, &key)) != 0)
|
||||
/* Empty signature algorithm means NULL. */
|
||||
if (*sigalg == '\0') {
|
||||
@@ -1414,21 +1435,24 @@ mm_answer_keyverify(int sock, struct ssh
|
||||
case MM_USERKEY:
|
||||
valid_data = monitor_valid_userblob(data, datalen);
|
||||
auth_method = "publickey";
|
||||
+ ret = user_key_verify(key, signature, signaturelen, data,
|
||||
+ datalen, active_state->compat);
|
||||
+ datalen, sigalg, active_state->compat);
|
||||
break;
|
||||
case MM_HOSTKEY:
|
||||
valid_data = monitor_valid_hostbasedblob(data, datalen,
|
||||
hostbased_cuser, hostbased_chost);
|
||||
+ ret = hostbased_key_verify(key, signature, signaturelen, data,
|
||||
+ datalen, active_state->compat);
|
||||
+ datalen, sigalg, active_state->compat);
|
||||
auth_method = "hostbased";
|
||||
break;
|
||||
default:
|
||||
@ -1185,7 +1187,7 @@ diff -up openssh-7.6p1/monitor.c.audit openssh-7.6p1/monitor.c
|
||||
fatal("%s: bad signature data blob", __func__);
|
||||
|
||||
- ret = sshkey_verify(key, signature, signaturelen, data, datalen,
|
||||
- active_state->compat);
|
||||
- sigalg, active_state->compat);
|
||||
debug3("%s: %s %p signature %s", __func__, auth_method, key,
|
||||
(ret == 0) ? "verified" : "unverified");
|
||||
auth2_record_key(authctxt, ret == 0, key);
|
||||
@ -1400,7 +1402,7 @@ diff -up openssh-7.6p1/monitor_wrap.c.audit openssh-7.6p1/monitor_wrap.c
|
||||
int
|
||||
-mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
|
||||
+mm_sshkey_verify(enum mm_keytype type, const struct sshkey *key, const u_char *sig, size_t siglen,
|
||||
const u_char *data, size_t datalen, u_int compat)
|
||||
const u_char *data, size_t datalen, const char *sigalg, u_int compat)
|
||||
{
|
||||
Buffer m;
|
||||
@@ -478,6 +478,7 @@ mm_sshkey_verify(const struct sshkey *ke
|
||||
@ -1417,16 +1419,16 @@ diff -up openssh-7.6p1/monitor_wrap.c.audit openssh-7.6p1/monitor_wrap.c
|
||||
|
||||
+int
|
||||
+mm_hostbased_key_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
|
||||
+ const u_char *data, size_t datalen, u_int compat)
|
||||
+ const u_char *data, size_t datalen, const char *pkalg, u_int compat)
|
||||
+{
|
||||
+ return mm_sshkey_verify(MM_HOSTKEY, key, sig, siglen, data, datalen, compat);
|
||||
+ return mm_sshkey_verify(MM_HOSTKEY, key, sig, siglen, data, datalen, pkalg, compat);
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+mm_user_key_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
|
||||
+ const u_char *data, size_t datalen, u_int compat)
|
||||
+ const u_char *data, size_t datalen, const char *pkalg, u_int compat)
|
||||
+{
|
||||
+ return mm_sshkey_verify(MM_USERKEY, key, sig, siglen, data, datalen, compat);
|
||||
+ return mm_sshkey_verify(MM_USERKEY, key, sig, siglen, data, datalen, pkalg, compat);
|
||||
+}
|
||||
+
|
||||
void
|
||||
@ -1547,14 +1549,14 @@ diff -up openssh-7.6p1/monitor_wrap.h.audit openssh-7.6p1/monitor_wrap.h
|
||||
--- openssh-7.6p1/monitor_wrap.h.audit 2017-10-04 17:18:32.750504619 +0200
|
||||
+++ openssh-7.6p1/monitor_wrap.h 2017-10-04 17:18:32.838505069 +0200
|
||||
@@ -53,7 +53,9 @@ int mm_key_allowed(enum mm_keytype, cons
|
||||
int mm_user_key_allowed(struct passwd *, struct sshkey *, int);
|
||||
struct sshauthopt **);
|
||||
int mm_hostbased_key_allowed(struct passwd *, const char *,
|
||||
const char *, struct sshkey *);
|
||||
-int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
|
||||
+int mm_hostbased_key_verify(const struct sshkey *, const u_char *, size_t,
|
||||
+ const u_char *, size_t, u_int);
|
||||
+ const u_char *, size_t, const char *, u_int);
|
||||
+int mm_user_key_verify(const struct sshkey *, const u_char *, size_t,
|
||||
const u_char *, size_t, u_int);
|
||||
const u_char *, size_t, const char *, u_int);
|
||||
|
||||
#ifdef GSSAPI
|
||||
@@ -78,7 +80,12 @@ void mm_sshpam_free_ctx(void *);
|
||||
@ -1743,8 +1745,8 @@ diff -up openssh-7.6p1/session.c.audit openssh-7.6p1/session.c
|
||||
-extern void destroy_sensitive_data(void);
|
||||
+extern void destroy_sensitive_data(int);
|
||||
extern Buffer loginmsg;
|
||||
|
||||
/* original command from peer. */
|
||||
extern struct sshauthopt *auth_opts;
|
||||
char *tun_fwd_ifnames; /* serverloop.c */
|
||||
@@ -605,6 +605,14 @@ do_exec_pty(struct ssh *ssh, Session *s,
|
||||
/* Parent. Close the slave side of the pseudo tty. */
|
||||
close(ttyfd);
|
||||
@ -1930,8 +1932,8 @@ diff -up openssh-7.6p1/sshd.c.audit openssh-7.6p1/sshd.c
|
||||
#include "monitor_wrap.h"
|
||||
+#include "audit.h"
|
||||
#include "ssh-sandbox.h"
|
||||
#include "auth-options.h"
|
||||
#include "version.h"
|
||||
#include "ssherr.h"
|
||||
@@ -248,7 +249,7 @@ Buffer loginmsg;
|
||||
struct passwd *privsep_pw = NULL;
|
||||
|
||||
@ -1970,7 +1972,7 @@ diff -up openssh-7.6p1/sshd.c.audit openssh-7.6p1/sshd.c
|
||||
-destroy_sensitive_data(void)
|
||||
+destroy_sensitive_data(int privsep)
|
||||
{
|
||||
int i;
|
||||
u_int i;
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+ pid_t pid;
|
||||
+ uid_t uid;
|
||||
@ -2009,7 +2011,7 @@ diff -up openssh-7.6p1/sshd.c.audit openssh-7.6p1/sshd.c
|
||||
@@ -499,12 +536,30 @@ demote_sensitive_data(void)
|
||||
{
|
||||
struct sshkey *tmp;
|
||||
int i;
|
||||
u_int i;
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+ pid_t pid;
|
||||
+ uid_t uid;
|
||||
|
@ -9,11 +9,11 @@ diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
|
||||
+extern int rexeced_flag;
|
||||
+extern Authctxt *the_authctxt;
|
||||
|
||||
static int
|
||||
userauth_pubkey(struct ssh *ssh)
|
||||
static char *
|
||||
format_key(const struct sshkey *key)
|
||||
@@ -432,7 +435,8 @@ match_principals_command(struct passwd *
|
||||
|
||||
if ((pid = subprocess("AuthorizedPrincipalsCommand", pw, command,
|
||||
if ((pid = subprocess("AuthorizedPrincipalsCommand", runas_pw, command,
|
||||
ac, av, &f,
|
||||
- SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
|
||||
+ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
||||
@ -23,7 +23,7 @@ diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
|
||||
uid_swapped = 1;
|
||||
@@ -762,7 +766,8 @@ user_key_command_allowed2(struct passwd
|
||||
|
||||
if ((pid = subprocess("AuthorizedKeysCommand", pw, command,
|
||||
if ((pid = subprocess("AuthorizedKeysCommand", runas_pw, command,
|
||||
ac, av, &f,
|
||||
- SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
|
||||
+ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
||||
@ -31,9 +31,9 @@ diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
|
||||
goto out;
|
||||
|
||||
uid_swapped = 1;
|
||||
diff -up openssh/misc.c.refactor openssh/misc.c
|
||||
--- openssh/misc.c.refactor 2017-09-27 13:10:19.640831071 +0200
|
||||
+++ openssh/misc.c 2017-09-27 13:10:19.678831279 +0200
|
||||
diff -up openssh/auth.c.refactor openssh/auth.c
|
||||
--- openssh/auth.c.refactor 2017-09-27 13:10:19.640831071 +0200
|
||||
+++ openssh/auth.c 2017-09-27 13:10:19.678831279 +0200
|
||||
@@ -1435,7 +1435,8 @@ argv_assemble(int argc, char **argv)
|
||||
*/
|
||||
pid_t
|
||||
@ -53,18 +53,18 @@ diff -up openssh/misc.c.refactor openssh/misc.c
|
||||
error ("failed to copy environment: %s",
|
||||
strerror(errno));
|
||||
_exit(127);
|
||||
diff -up openssh/misc.h.refactor openssh/misc.h
|
||||
--- openssh/misc.h.refactor 2017-09-25 01:48:10.000000000 +0200
|
||||
+++ openssh/misc.h 2017-09-27 13:10:19.678831279 +0200
|
||||
diff -up openssh/auth.h.refactor openssh/auth.h
|
||||
--- openssh/auth.h.refactor 2017-09-25 01:48:10.000000000 +0200
|
||||
+++ openssh/auth.h 2017-09-27 13:10:19.678831279 +0200
|
||||
@@ -144,7 +144,7 @@ int exited_cleanly(pid_t, const char *,
|
||||
#define SSH_SUBPROCESS_STDOUT_CAPTURE (1<<1) /* Redirect stdout */
|
||||
#define SSH_SUBPROCESS_STDERR_DISCARD (1<<2) /* Discard stderr */
|
||||
pid_t subprocess(const char *, struct passwd *,
|
||||
#define SSH_SUBPROCESS_STDOUT_CAPTURE (1<<1) /* Redirect stdout */
|
||||
#define SSH_SUBPROCESS_STDERR_DISCARD (1<<2) /* Discard stderr */
|
||||
pid_t subprocess(const char *, struct passwd *,
|
||||
- const char *, int, char **, FILE **, u_int flags);
|
||||
+ const char *, int, char **, FILE **, u_int flags, int, void *);
|
||||
|
||||
struct stat;
|
||||
int safe_path(const char *, struct stat *, const char *, uid_t,
|
||||
int sys_auth_passwd(struct ssh *, const char *);
|
||||
|
||||
diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/port-linux.h
|
||||
--- openssh/openbsd-compat/port-linux.h.refactor 2017-09-27 13:10:19.634831038 +0200
|
||||
+++ openssh/openbsd-compat/port-linux.h 2017-09-27 13:10:54.954025248 +0200
|
||||
|
@ -1,47 +0,0 @@
|
||||
From 7c9613fac3371cf65fb07739212cdd1ebf6575da Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Wed, 4 Oct 2017 18:49:30 +0000
|
||||
Subject: [PATCH] upstream commit
|
||||
|
||||
fix (another) problem in PermitOpen introduced during the
|
||||
channels.c refactor: the third and subsequent arguments to PermitOpen were
|
||||
being silently ignored; ok markus@
|
||||
|
||||
Upstream-ID: 067c89f1f53cbc381628012ba776d6861e6782fd
|
||||
---
|
||||
servconf.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index 2c321a4ad..956862959 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -1,5 +1,5 @@
|
||||
|
||||
-/* $OpenBSD: servconf.c,v 1.312 2017/10/02 19:33:20 djm Exp $ */
|
||||
+/* $OpenBSD: servconf.c,v 1.313 2017/10/04 18:49:30 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
* All rights reserved
|
||||
@@ -1663,9 +1663,9 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||
if (!arg || *arg == '\0')
|
||||
fatal("%s line %d: missing PermitOpen specification",
|
||||
filename, linenum);
|
||||
- i = options->num_permitted_opens; /* modified later */
|
||||
+ value = options->num_permitted_opens; /* modified later */
|
||||
if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) {
|
||||
- if (*activep && i == 0) {
|
||||
+ if (*activep && value == 0) {
|
||||
options->num_permitted_opens = 1;
|
||||
options->permitted_opens = xcalloc(1,
|
||||
sizeof(*options->permitted_opens));
|
||||
@@ -1683,7 +1683,7 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||
if (arg == NULL || ((port = permitopen_port(arg)) < 0))
|
||||
fatal("%s line %d: bad port number in "
|
||||
"PermitOpen", filename, linenum);
|
||||
- if (*activep && i == 0) {
|
||||
+ if (*activep && value == 0) {
|
||||
options->permitted_opens = xrecallocarray(
|
||||
options->permitted_opens,
|
||||
options->num_permitted_opens,
|
||||
|
19
openssh.spec
19
openssh.spec
@ -65,10 +65,10 @@
|
||||
%endif
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%global openssh_ver 7.6p1
|
||||
%global openssh_rel 7
|
||||
%global openssh_ver 7.7p1
|
||||
%global openssh_rel 1
|
||||
%global pam_ssh_agent_ver 0.10.3
|
||||
%global pam_ssh_agent_rel 3
|
||||
%global pam_ssh_agent_rel 4
|
||||
|
||||
Summary: An open source implementation of SSH protocol version 2
|
||||
Name: openssh
|
||||
@ -77,8 +77,9 @@ Release: %{openssh_rel}%{?dist}%{?rescue_rel}
|
||||
URL: http://www.openssh.com/portable.html
|
||||
#URL1: http://pamsshagentauth.sourceforge.net
|
||||
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
|
||||
Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
|
||||
Source2: sshd.pam
|
||||
Source3: DJM-GPG-KEY.gpg
|
||||
Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.bz2
|
||||
Source5: pam_ssh_agent-rmheaders
|
||||
Source6: ssh-keycat.pam
|
||||
@ -209,9 +210,6 @@ Patch920: openssh-6.6.1p1-ip-port-config-parser.patch
|
||||
Patch922: openssh-6.8p1-sshdT-output.patch
|
||||
# Add sftp option to force mode of created files (#1191055)
|
||||
Patch926: openssh-6.7p1-sftp-force-permission.patch
|
||||
# Memory problems
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2401
|
||||
Patch928: openssh-6.8p1-memory-problems.patch
|
||||
# Restore compatible default (#89216)
|
||||
Patch929: openssh-6.9p1-permit-root-login.patch
|
||||
# Add GSSAPIKexAlgorithms option for server and client application
|
||||
@ -228,8 +226,6 @@ Patch948: openssh-7.4p1-systemd.patch
|
||||
Patch949: openssh-7.6p1-cleanup-selinux.patch
|
||||
# Sandbox adjustments for s390 and audit
|
||||
Patch950: openssh-7.5p1-sandbox.patch
|
||||
# PermitOpen bug in OpenSSH 7.6:
|
||||
Patch951: openssh-7.6p1-permitopen-bug.patch
|
||||
|
||||
|
||||
License: BSD
|
||||
@ -276,6 +272,8 @@ BuildRequires: audit-libs >= 1.0.8
|
||||
%endif
|
||||
|
||||
BuildRequires: xauth
|
||||
# for tarball signature verification
|
||||
BuildRequires: gnupg2
|
||||
|
||||
%package clients
|
||||
Summary: An open source SSH client applications
|
||||
@ -378,6 +376,7 @@ remote ssh-agent instance.
|
||||
The module is most useful for su and sudo service stacks.
|
||||
|
||||
%prep
|
||||
gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
|
||||
%setup -q -a 4
|
||||
#Do not enable by default
|
||||
%if 0
|
||||
@ -441,7 +440,6 @@ popd
|
||||
%patch802 -p1 -b .GSSAPIEnablek5users
|
||||
%patch922 -p1 -b .sshdt
|
||||
%patch926 -p1 -b .sftp-force-mode
|
||||
%patch928 -p1 -b .memory
|
||||
%patch929 -p1 -b .root-login
|
||||
%patch932 -p1 -b .gsskexalg
|
||||
%patch933 -p1 -b .fingerprint
|
||||
@ -451,7 +449,6 @@ popd
|
||||
%patch807 -p1 -b .gsskex-ec
|
||||
%patch949 -p1 -b .refactor
|
||||
%patch950 -p1 -b .sandbox
|
||||
%patch951 -p1 -b .permitOpen
|
||||
|
||||
%patch200 -p1 -b .audit
|
||||
%patch201 -p1 -b .audit-race
|
||||
|
@ -154,3 +154,15 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-agent
|
||||
goto user_auth_clean_exit;
|
||||
|
||||
/* test for correct signature */
|
||||
diff -up openssh-7.7p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-sshkey openssh-7.7p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c
|
||||
--- openssh-7.7p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-sshkey 2018-04-04 13:55:02.383899631 +0200
|
||||
+++ openssh-7.7p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2018-04-04 13:58:36.759339845 +0200
|
||||
@@ -89,7 +89,7 @@ userauth_pubkey_from_id(const char *ruse
|
||||
goto user_auth_clean_exit;
|
||||
|
||||
/* test for correct signature */
|
||||
- if(key_verify(id->key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
|
||||
+ if(sshkey_verify(id->key, sig, slen, buffer_ptr(&b), buffer_len(&b), NULL, 0) == 0)
|
||||
authenticated = 1;
|
||||
|
||||
user_auth_clean_exit:
|
||||
|
4
sources
4
sources
@ -1,2 +1,4 @@
|
||||
SHA512 (openssh-7.6p1.tar.gz) = de17fdcb8239401f76740c8d689a8761802f6df94e68d953f3c70b9f4f8bdb403617c48c1d01cc8c368d88e9d50aee540bf03d5a36687dfb39dfd28d73029d72
|
||||
SHA512 (openssh-7.7p1.tar.gz) = 597252cb48209a0cb98ca1928a67e8d63e4275252f25bc37269204c108f034baade6ba0634e32ae63422fddd280f73096a6b31ad2f2e7a848dde75ca30e14261
|
||||
SHA512 (openssh-7.7p1.tar.gz.asc) = 9445a589a84538fb0b4eae0f7bf6ce46def51b09254d6fffcc6ed64472f10ccf9e4d5d200387725043039d77ca886e2c8e8f3128e7969c582156fafb0783988d
|
||||
SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
|
||||
SHA512 (pam_ssh_agent_auth-0.10.3.tar.bz2) = d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66
|
||||
|
Loading…
Reference in New Issue
Block a user