diff --git a/openssh-6.2p1-vendor.patch b/openssh-6.2p1-vendor.patch index cb95e5f..55353c2 100644 --- a/openssh-6.2p1-vendor.patch +++ b/openssh-6.2p1-vendor.patch @@ -1,7 +1,7 @@ -diff -up openssh/configure.ac.vendor openssh/configure.ac ---- openssh/configure.ac.vendor 2015-06-24 11:05:39.805679794 +0200 -+++ openssh/configure.ac 2015-06-24 11:05:39.835679719 +0200 -@@ -4751,6 +4751,12 @@ AC_ARG_WITH([lastlog], +diff -up openssh-7.0p1/configure.ac.vendor openssh-7.0p1/configure.ac +--- openssh-7.0p1/configure.ac.vendor 2015-08-12 11:14:54.102628399 +0200 ++++ openssh-7.0p1/configure.ac 2015-08-12 11:14:54.129628356 +0200 +@@ -4776,6 +4776,12 @@ AC_ARG_WITH([lastlog], fi ] ) @@ -14,7 +14,7 @@ diff -up openssh/configure.ac.vendor openssh/configure.ac dnl lastlog, [uw]tmpx? detection dnl NOTE: set the paths in the platform section to avoid the -@@ -5013,6 +5019,7 @@ echo " Translate v4 in v6 hack +@@ -5038,6 +5044,7 @@ echo " Translate v4 in v6 hack echo " BSD Auth support: $BSD_AUTH_MSG" echo " Random number source: $RAND_MSG" echo " Privsep sandbox style: $SANDBOX_STYLE" @@ -22,10 +22,10 @@ diff -up openssh/configure.ac.vendor openssh/configure.ac echo "" -diff -up openssh/servconf.c.vendor openssh/servconf.c ---- openssh/servconf.c.vendor 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/servconf.c 2015-06-24 11:07:07.689460890 +0200 -@@ -147,6 +147,7 @@ initialize_server_options(ServerOptions +diff -up openssh-7.0p1/servconf.c.vendor openssh-7.0p1/servconf.c +--- openssh-7.0p1/servconf.c.vendor 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/servconf.c 2015-08-12 11:15:33.201565712 +0200 +@@ -149,6 +149,7 @@ initialize_server_options(ServerOptions options->max_authtries = -1; options->max_sessions = -1; options->banner = NULL; 
@@ -42,16 +42,16 @@ diff -up openssh/servconf.c.vendor openssh/servconf.c if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) options->fwd_opts.streamlocal_bind_mask = 0177; if (options->fwd_opts.streamlocal_bind_unlink == -1) -@@ -397,7 +400,7 @@ typedef enum { +@@ -407,7 +410,7 @@ typedef enum { sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes, sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, - sBanner, sUseDNS, sHostbasedAuthentication, + sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, + sHostKeyAlgorithms, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, - sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, -@@ -517,6 +520,7 @@ static struct { +@@ -529,6 +532,7 @@ static struct { { "maxauthtries", sMaxAuthTries, SSHCFG_ALL }, { "maxsessions", sMaxSessions, SSHCFG_ALL }, { "banner", sBanner, SSHCFG_ALL }, @@ -59,7 +59,7 @@ diff -up openssh/servconf.c.vendor openssh/servconf.c { "usedns", sUseDNS, SSHCFG_GLOBAL }, { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, -@@ -1372,6 +1376,10 @@ process_server_config_line(ServerOptions +@@ -1389,6 +1393,10 @@ process_server_config_line(ServerOptions multistate_ptr = multistate_privsep; goto parse_multistate; @@ -70,7 +70,7 @@ diff -up openssh/servconf.c.vendor openssh/servconf.c case sAllowUsers: while ((arg = strdelim(&cp)) && *arg != '\0') { if (options->num_allow_users >= MAX_ALLOW_USERS) -@@ -2249,6 +2257,7 @@ dump_config(ServerOptions *o) +@@ -2266,6 +2274,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sUseLogin, o->use_login); dump_cfg_fmtint(sCompression, o->compression); dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports); 
@@ -78,10 +78,10 @@ diff -up openssh/servconf.c.vendor openssh/servconf.c dump_cfg_fmtint(sUseDNS, o->use_dns); dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding); -diff -up openssh/servconf.h.vendor openssh/servconf.h ---- openssh/servconf.h.vendor 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/servconf.h 2015-06-24 11:05:39.837679714 +0200 -@@ -154,6 +154,7 @@ typedef struct { +diff -up openssh-7.0p1/servconf.h.vendor openssh-7.0p1/servconf.h +--- openssh-7.0p1/servconf.h.vendor 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/servconf.h 2015-08-12 11:14:54.130628355 +0200 +@@ -155,6 +155,7 @@ typedef struct { int max_authtries; int max_sessions; char *banner; /* SSH-2 banner message */ 
@@ -89,45 +89,12 @@ diff -up openssh/servconf.h.vendor openssh/servconf.h int use_dns; int client_alive_interval; /* * poke the client this often to -diff -up openssh-6.8p1/sshd.c.vendor openssh-6.8p1/sshd.c ---- openssh-6.8p1/sshd.c.vendor 2015-03-18 11:17:56.669880305 +0100 -+++ openssh-6.8p1/sshd.c 2015-03-18 11:17:56.697880239 +0100 -@@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in - } - - xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", -- major, minor, SSH_VERSION, -+ major, minor, (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, - *options.version_addendum == '\0' ? "" : " ", - options.version_addendum, newline); - -@@ -1737,7 +1737,8 @@ main(int ac, char **av) - exit(1); - } - -- debug("sshd version %s, %s", SSH_VERSION, -+ debug("sshd version %s, %s", -+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, - #ifdef WITH_OPENSSL - SSLeay_version(SSLEAY_VERSION) - #else -diff -up openssh-6.8p1/sshd_config.vendor openssh-6.8p1/sshd_config ---- openssh-6.8p1/sshd_config.vendor 2015-03-18 11:17:56.697880239 +0100 -+++ openssh-6.8p1/sshd_config 2015-03-18 11:20:15.552550274 +0100 -@@ -119,6 +119,7 @@ UsePrivilegeSeparation sandbox # Defaul - #Compression delayed - #ClientAliveInterval 0 - #ClientAliveCountMax 3 -+#ShowPatchLevel no - #UseDNS no - #PidFile /var/run/sshd.pid - #MaxStartups 10:30:100 -diff -up openssh-6.8p1/sshd_config.0.vendor openssh-6.8p1/sshd_config.0 ---- openssh-6.8p1/sshd_config.0.vendor 2015-03-18 11:17:56.691880253 +0100 -+++ openssh-6.8p1/sshd_config.0 2015-03-18 11:17:56.697880239 +0100 -@@ -740,6 +740,11 @@ DESCRIPTION +diff -up openssh-7.0p1/sshd_config.0.vendor openssh-7.0p1/sshd_config.0 +--- openssh-7.0p1/sshd_config.0.vendor 2015-08-12 11:14:54.125628363 +0200 ++++ openssh-7.0p1/sshd_config.0 2015-08-12 11:14:54.130628355 +0200 +@@ -841,6 +841,11 @@ DESCRIPTION Defines the number of bits in the ephemeral protocol version 1 - server key. 
The minimum value is 512, and the default is 1024. + server key. The default and minimum value is 1024. + ShowPatchLevel + Specifies whether sshd will display the specific patch level of @@ -137,13 +104,13 @@ diff -up openssh-6.8p1/sshd_config.0.vendor openssh-6.8p1/sshd_config.0 StreamLocalBindMask Sets the octal file creation mode mask (umask) used when creating a Unix-domain socket file for local or remote port forwarding. -diff -up openssh/sshd_config.5.vendor openssh/sshd_config.5 ---- openssh/sshd_config.5.vendor 2015-06-24 11:05:39.831679729 +0200 -+++ openssh/sshd_config.5 2015-06-24 11:05:39.837679714 +0200 -@@ -1344,6 +1344,13 @@ This option applies to protocol version +diff -up openssh-7.0p1/sshd_config.5.vendor openssh-7.0p1/sshd_config.5 +--- openssh-7.0p1/sshd_config.5.vendor 2015-08-12 11:14:54.125628363 +0200 ++++ openssh-7.0p1/sshd_config.5 2015-08-12 11:14:54.131628353 +0200 +@@ -1411,6 +1411,13 @@ This option applies to protocol version .It Cm ServerKeyBits Defines the number of bits in the ephemeral protocol version 1 server key. - The minimum value is 512, and the default is 1024. + The default and minimum value is 1024. +.It Cm ShowPatchLevel +Specifies whether +.Nm sshd 
@@ -154,3 +121,36 @@ diff -up openssh/sshd_config.5.vendor openssh/sshd_config.5 .It Cm StreamLocalBindMask Sets the octal file creation mode mask .Pq umask +diff -up openssh-7.0p1/sshd_config.vendor openssh-7.0p1/sshd_config +--- openssh-7.0p1/sshd_config.vendor 2015-08-12 11:14:54.125628363 +0200 ++++ openssh-7.0p1/sshd_config 2015-08-12 11:14:54.131628353 +0200 +@@ -119,6 +119,7 @@ UsePrivilegeSeparation sandbox # Defaul + #Compression delayed + #ClientAliveInterval 0 + #ClientAliveCountMax 3 ++#ShowPatchLevel no + #UseDNS no + #PidFile /var/run/sshd.pid + #MaxStartups 10:30:100 +diff -up openssh-7.0p1/sshd.c.vendor openssh-7.0p1/sshd.c +--- openssh-7.0p1/sshd.c.vendor 2015-08-12 11:14:54.100628403 +0200 ++++ openssh-7.0p1/sshd.c 2015-08-12 11:14:54.131628353 +0200 +@@ -432,7 +432,7 @@ sshd_exchange_identification(int sock_in + } + + xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", +- major, minor, SSH_VERSION, ++ major, minor, (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, + *options.version_addendum == '\0' ? "" : " ", + options.version_addendum, newline); + +@@ -1749,7 +1749,8 @@ main(int ac, char **av) + exit(1); + } + +- debug("sshd version %s, %s", SSH_VERSION, ++ debug("sshd version %s, %s", ++ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, + #ifdef WITH_OPENSSL + SSLeay_version(SSLEAY_VERSION) + #else diff --git a/openssh-6.6p1-GSSAPIEnablek5users.patch b/openssh-6.6p1-GSSAPIEnablek5users.patch index fc8f59d..ae0e5b2 100644 --- a/openssh-6.6p1-GSSAPIEnablek5users.patch +++ b/openssh-6.6p1-GSSAPIEnablek5users.patch 
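Review bot: The identification string built by the `xasprintf` in `sshd_exchange_identification` is sent to every peer before any authentication, so with ShowPatchLevel enabled the exact vendor build (`SSH_VENDOR_PATCHLEVEL`) is disclosed to unauthenticated scanners; the changed line should say so, e.g. `/* SSH_VENDOR_PATCHLEVEL reveals the exact package build pre-auth; only sent when ShowPatchLevel is set */`. The `options.show_patchlevel == 1` test (rather than `!= 0`) means an unresolved `-1` default still falls back to `SSH_VERSION`, which is the safe direction, but a short comment that this is deliberate would stop a later cleanup from turning it into a truthiness check. Since the banner is produced before any Match block could apply, ShowPatchLevel should be a global-only keyword; the keyword-table entry is not visible in this chunk, so please confirm it is registered as SSHCFG_GLOBAL. Both `sshd_exchange_identification` and `main` begin and end outside the hunk.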
@@ -1,6 +1,6 @@ -diff -up openssh/gss-serv-krb5.c.GSSAPIEnablek5users openssh/gss-serv-krb5.c ---- openssh/gss-serv-krb5.c.GSSAPIEnablek5users 2015-06-24 11:40:03.716448353 +0200 -+++ openssh/gss-serv-krb5.c 2015-06-24 11:40:03.739448295 +0200 +diff -up openssh-7.0p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.0p1/gss-serv-krb5.c +--- openssh-7.0p1/gss-serv-krb5.c.GSSAPIEnablek5users 2015-08-12 11:27:44.022407951 +0200 ++++ openssh-7.0p1/gss-serv-krb5.c 2015-08-12 11:27:44.047407912 +0200 @@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri FILE *fp; char file[MAXPATHLEN]; @@ -18,10 +18,10 @@ diff -up openssh/gss-serv-krb5.c.GSSAPIEnablek5users openssh/gss-serv-krb5.c return ssh_krb5_kuserok(krb_context, principal, luser, k5login_exists); } -diff -up openssh/servconf.c.GSSAPIEnablek5users openssh/servconf.c ---- openssh/servconf.c.GSSAPIEnablek5users 2015-06-24 11:40:03.728448323 +0200 -+++ openssh/servconf.c 2015-06-24 11:40:03.740448292 +0200 -@@ -171,6 +171,7 @@ initialize_server_options(ServerOptions +diff -up openssh-7.0p1/servconf.c.GSSAPIEnablek5users openssh-7.0p1/servconf.c +--- openssh-7.0p1/servconf.c.GSSAPIEnablek5users 2015-08-12 11:27:44.036407930 +0200 ++++ openssh-7.0p1/servconf.c 2015-08-12 11:28:49.087306430 +0200 +@@ -173,6 +173,7 @@ initialize_server_options(ServerOptions options->version_addendum = NULL; options->fingerprint_hash = -1; options->use_kuserok = -1; 
@@ -29,25 +29,25 @@ diff -up openssh/servconf.c.GSSAPIEnablek5users openssh/servconf.c } /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ -@@ -353,6 +354,8 @@ fill_default_server_options(ServerOption +@@ -351,6 +352,8 @@ fill_default_server_options(ServerOption + options->fwd_opts.streamlocal_bind_unlink = 0; + if (options->fingerprint_hash == -1) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; - if (options->use_kuserok == -1) - options->use_kuserok = 1; + if (options->enable_k5users == -1) + options->enable_k5users = 0; - /* Turn privilege separation on by default */ - if (use_privsep == -1) - use_privsep = PRIVSEP_NOSANDBOX; -@@ -412,7 +415,7 @@ typedef enum { - sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication, + if (options->use_kuserok == -1) + options->use_kuserok = 1; + +@@ -423,7 +426,7 @@ typedef enum { sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, + sHostKeyAlgorithms, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, - sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, + sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor, sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel, sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, -@@ -490,12 +493,14 @@ static struct { +@@ -502,12 +505,14 @@ static struct { { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, @@ -62,7 +62,7 @@ diff -up openssh/servconf.c.GSSAPIEnablek5users openssh/servconf.c #endif { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL }, { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL }, -@@ -1663,6 +1668,10 @@ process_server_config_line(ServerOptions +@@ -1680,6 +1685,10 @@ process_server_config_line(ServerOptions intptr = &options->use_kuserok; goto parse_flag; 
@@ -73,7 +73,7 @@ diff -up openssh/servconf.c.GSSAPIEnablek5users openssh/servconf.c case sPermitOpen: arg = strdelim(&cp); if (!arg || *arg == '\0') -@@ -2018,6 +2027,7 @@ copy_set_server_options(ServerOptions *d +@@ -2035,6 +2044,7 @@ copy_set_server_options(ServerOptions *d M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_bulk); M_CP_INTOPT(use_kuserok); @@ -81,7 +81,7 @@ diff -up openssh/servconf.c.GSSAPIEnablek5users openssh/servconf.c M_CP_INTOPT(rekey_limit); M_CP_INTOPT(rekey_interval); -@@ -2300,6 +2310,7 @@ dump_config(ServerOptions *o) +@@ -2317,6 +2327,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok); @@ -89,10 +89,10 @@ diff -up openssh/servconf.c.GSSAPIEnablek5users openssh/servconf.c /* string arguments */ dump_cfg_string(sPidFile, o->pid_file); -diff -up openssh/servconf.h.GSSAPIEnablek5users openssh/servconf.h ---- openssh/servconf.h.GSSAPIEnablek5users 2015-06-24 11:40:03.717448351 +0200 -+++ openssh/servconf.h 2015-06-24 11:40:03.740448292 +0200 -@@ -179,7 +179,8 @@ typedef struct { +diff -up openssh-7.0p1/servconf.h.GSSAPIEnablek5users openssh-7.0p1/servconf.h +--- openssh-7.0p1/servconf.h.GSSAPIEnablek5users 2015-08-12 11:27:44.022407951 +0200 ++++ openssh-7.0p1/servconf.h 2015-08-12 11:27:44.048407911 +0200 +@@ -180,7 +180,8 @@ typedef struct { int num_permitted_opens; 
@@ -102,10 +102,10 @@ diff -up openssh/servconf.h.GSSAPIEnablek5users openssh/servconf.h char *chroot_directory; char *revoked_keys_file; char *trusted_user_ca_keys; -diff -up openssh/sshd_config.5.GSSAPIEnablek5users openssh/sshd_config.5 ---- openssh/sshd_config.5.GSSAPIEnablek5users 2015-06-24 11:40:03.741448290 +0200 -+++ openssh/sshd_config.5 2015-06-24 11:40:40.707354263 +0200 -@@ -628,6 +628,12 @@ on logout. +diff -up openssh-7.0p1/sshd_config.5.GSSAPIEnablek5users openssh-7.0p1/sshd_config.5 +--- openssh-7.0p1/sshd_config.5.GSSAPIEnablek5users 2015-08-12 11:27:44.023407950 +0200 ++++ openssh-7.0p1/sshd_config.5 2015-08-12 11:27:44.048407911 +0200 +@@ -633,6 +633,12 @@ on logout. The default is .Dq yes . Note that this option applies to protocol version 2 only. @@ -118,9 +118,9 @@ diff -up openssh/sshd_config.5.GSSAPIEnablek5users openssh/sshd_config.5 .It Cm GSSAPIStrictAcceptorCheck Determines whether to be strict about the identity of the GSSAPI acceptor a client authenticates against. -diff -up openssh/sshd_config.GSSAPIEnablek5users openssh/sshd_config ---- openssh/sshd_config.GSSAPIEnablek5users 2015-06-24 11:40:03.717448351 +0200 -+++ openssh/sshd_config 2015-06-24 11:40:03.740448292 +0200 +diff -up openssh-7.0p1/sshd_config.GSSAPIEnablek5users openssh-7.0p1/sshd_config +--- openssh-7.0p1/sshd_config.GSSAPIEnablek5users 2015-08-12 11:27:44.023407950 +0200 ++++ openssh-7.0p1/sshd_config 2015-08-12 11:27:44.048407911 +0200 @@ -94,6 +94,7 @@ GSSAPIAuthentication yes GSSAPICleanupCredentials no #GSSAPIStrictAcceptorCheck yes diff --git a/openssh-6.6p1-ctr-cavstest.patch b/openssh-6.6p1-ctr-cavstest.patch index 48bb1d0..db9f47b 100644 --- a/openssh-6.6p1-ctr-cavstest.patch +++ b/openssh-6.6p1-ctr-cavstest.patch 
@@ -141,8 +141,8 @@ diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c +int main (int argc, char *argv[]) +{ + -+ const Cipher *c; -+ CipherContext cc; ++ const struct sshcipher *c; ++ struct sshcipher_ctx cc; + char *algo = "aes128-ctr"; + char *hexkey = NULL; + char *hexiv = "00000000000000000000000000000000"; diff --git a/openssh-6.6p1-gsskex.patch b/openssh-6.6p1-gsskex.patch index 1cfd53f..cdf70b6 100644 --- a/openssh-6.6p1-gsskex.patch +++ b/openssh-6.6p1-gsskex.patch @@ -1,6 +1,6 @@ -diff -up openssh/auth2.c.gsskex openssh/auth2.c ---- openssh/auth2.c.gsskex 2015-06-24 11:07:36.180389924 +0200 -+++ openssh/auth2.c 2015-06-24 11:07:36.228389804 +0200 +diff -up openssh-7.0p1/auth2.c.gsskex openssh-7.0p1/auth2.c +--- openssh-7.0p1/auth2.c.gsskex 2015-08-12 11:15:43.625548999 +0200 ++++ openssh-7.0p1/auth2.c 2015-08-12 11:15:43.692548892 +0200 @@ -70,6 +70,7 @@ extern Authmethod method_passwd; extern Authmethod method_kbdint; extern Authmethod method_hostbased; @@ -17,9 +17,9 @@ diff -up openssh/auth2.c.gsskex openssh/auth2.c &method_gssapi, #endif &method_passwd, -diff -up openssh/auth2-gss.c.gsskex openssh/auth2-gss.c ---- openssh/auth2-gss.c.gsskex 2015-06-24 11:07:36.179389926 +0200 -+++ openssh/auth2-gss.c 2015-06-24 11:07:36.228389804 +0200 +diff -up openssh-7.0p1/auth2-gss.c.gsskex openssh-7.0p1/auth2-gss.c +--- openssh-7.0p1/auth2-gss.c.gsskex 2015-08-12 11:15:43.624549001 +0200 ++++ openssh-7.0p1/auth2-gss.c 2015-08-12 11:15:43.692548892 +0200 @@ -31,6 +31,7 @@ #include 
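Review bot: `struct sshcipher_ctx cc;` in `main` is declared without an initializer and is handed around by pointer, so zero-initialising it (`struct sshcipher_ctx cc = {0};`) costs nothing and keeps a cleanup reached from an early-exit path from acting on garbage; the rest of `main` is outside the hunk, so I cannot see whether every such path first goes through a successful cipher_init. If the 7.0p1 `cipher_init` returns an `int` error code instead of calling fatal(), that result must be checked in this test driver, otherwise a CAVS vector with a bad key length would be encrypted with an unconfigured context and the failure would surface only as a wrong answer. As a point of style, the unchanged `char *algo` and `char *hexiv` point at string literals and would be more honest as `const char *`.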
@@ -102,10 +102,10 @@ diff -up openssh/auth2-gss.c.gsskex openssh/auth2-gss.c Authmethod method_gssapi = { "gssapi-with-mic", userauth_gssapi, -diff -up openssh/clientloop.c.gsskex openssh/clientloop.c ---- openssh/clientloop.c.gsskex 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/clientloop.c 2015-06-24 11:07:36.228389804 +0200 -@@ -114,6 +114,10 @@ +diff -up openssh-7.0p1/clientloop.c.gsskex openssh-7.0p1/clientloop.c +--- openssh-7.0p1/clientloop.c.gsskex 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/clientloop.c 2015-08-12 11:15:43.693548890 +0200 +@@ -115,6 +115,10 @@ #include "ssherr.h" #include "hostfile.h" @@ -116,7 +116,7 @@ diff -up openssh/clientloop.c.gsskex openssh/clientloop.c /* import options */ extern Options options; -@@ -1596,6 +1600,15 @@ client_loop(int have_pty, int escape_cha +@@ -1610,6 +1614,15 @@ client_loop(int have_pty, int escape_cha /* Do channel operations unless rekeying in progress. */ if (!rekeying) { channel_after_select(readset, writeset); @@ -132,9 +132,9 @@ diff -up openssh/clientloop.c.gsskex openssh/clientloop.c if (need_rekeying || packet_need_rekeying()) { debug("need rekeying"); active_state->kex->done = 0; -diff -up openssh/configure.ac.gsskex openssh/configure.ac ---- openssh/configure.ac.gsskex 2015-06-24 11:07:36.214389839 +0200 -+++ openssh/configure.ac 2015-06-24 11:07:36.229389802 +0200 +diff -up openssh-7.0p1/configure.ac.gsskex openssh-7.0p1/configure.ac +--- openssh-7.0p1/configure.ac.gsskex 2015-08-12 11:15:43.675548919 +0200 ++++ openssh-7.0p1/configure.ac 2015-08-12 11:15:43.694548889 +0200 @@ -625,6 +625,30 @@ main() { if (NSVersionOfRunTimeLibrary(" [Use tunnel device compatibility to OpenBSD]) AC_DEFINE([SSH_TUN_PREPEND_AF], [1], 
@@ -166,9 +166,9 @@ diff -up openssh/configure.ac.gsskex openssh/configure.ac m4_pattern_allow([AU_IPv]) AC_CHECK_DECL([AU_IPv4], [], AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) -diff -up openssh/gss-genr.c.gsskex openssh/gss-genr.c ---- openssh/gss-genr.c.gsskex 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/gss-genr.c 2015-06-24 11:07:36.229389802 +0200 +diff -up openssh-7.0p1/gss-genr.c.gsskex openssh-7.0p1/gss-genr.c +--- openssh-7.0p1/gss-genr.c.gsskex 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/gss-genr.c 2015-08-12 11:15:43.694548889 +0200 @@ -41,12 +41,167 @@ #include "buffer.h" #include "log.h" @@ -506,9 +506,9 @@ diff -up openssh/gss-genr.c.gsskex openssh/gss-genr.c +} + #endif /* GSSAPI */ -diff -up openssh/gss-serv.c.gsskex openssh/gss-serv.c ---- openssh/gss-serv.c.gsskex 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/gss-serv.c 2015-06-24 11:11:53.171742794 +0200 +diff -up openssh-7.0p1/gss-serv.c.gsskex openssh-7.0p1/gss-serv.c +--- openssh-7.0p1/gss-serv.c.gsskex 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/gss-serv.c 2015-08-12 11:15:43.694548889 +0200 @@ -45,17 +45,19 @@ #include "session.h" #include "misc.h" @@ -791,9 +791,9 @@ diff -up openssh/gss-serv.c.gsskex openssh/gss-serv.c } #endif -diff -up openssh/gss-serv-krb5.c.gsskex openssh/gss-serv-krb5.c ---- openssh/gss-serv-krb5.c.gsskex 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/gss-serv-krb5.c 2015-06-24 11:07:36.229389802 +0200 +diff -up openssh-7.0p1/gss-serv-krb5.c.gsskex openssh-7.0p1/gss-serv-krb5.c +--- openssh-7.0p1/gss-serv-krb5.c.gsskex 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/gss-serv-krb5.c 2015-08-12 11:15:43.694548889 +0200 @@ -121,7 +121,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl krb5_error_code problem; krb5_principal princ; 
@@ -921,9 +921,9 @@ diff -up openssh/gss-serv-krb5.c.gsskex openssh/gss-serv-krb5.c }; #endif /* KRB5 */ -diff -up openssh/kex.c.gsskex openssh/kex.c ---- openssh/kex.c.gsskex 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/kex.c 2015-06-24 11:07:36.230389799 +0200 +diff -up openssh-7.0p1/kex.c.gsskex openssh-7.0p1/kex.c +--- openssh-7.0p1/kex.c.gsskex 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/kex.c 2015-08-12 11:15:43.695548887 +0200 @@ -55,6 +55,10 @@ #include "sshbuf.h" #include "digest.h" @@ -960,9 +960,9 @@ diff -up openssh/kex.c.gsskex openssh/kex.c } return NULL; } -diff -up openssh/kexgssc.c.gsskex openssh/kexgssc.c ---- openssh/kexgssc.c.gsskex 2015-06-24 11:07:36.231389797 +0200 -+++ openssh/kexgssc.c 2015-06-24 11:07:36.230389799 +0200 +diff -up openssh-7.0p1/kexgssc.c.gsskex openssh-7.0p1/kexgssc.c +--- openssh-7.0p1/kexgssc.c.gsskex 2015-08-12 11:15:43.695548887 +0200 ++++ openssh-7.0p1/kexgssc.c 2015-08-12 11:15:43.695548887 +0200 @@ -0,0 +1,338 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. @@ -1302,9 +1302,9 @@ diff -up openssh/kexgssc.c.gsskex openssh/kexgssc.c +} + +#endif /* GSSAPI */ -diff -up openssh/kexgsss.c.gsskex openssh/kexgsss.c ---- openssh/kexgsss.c.gsskex 2015-06-24 11:07:36.231389797 +0200 -+++ openssh/kexgsss.c 2015-06-24 11:07:36.231389797 +0200 +diff -up openssh-7.0p1/kexgsss.c.gsskex openssh-7.0p1/kexgsss.c +--- openssh-7.0p1/kexgsss.c.gsskex 2015-08-12 11:15:43.695548887 +0200 ++++ openssh-7.0p1/kexgsss.c 2015-08-12 11:15:43.695548887 +0200 @@ -0,0 +1,295 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. 
@@ -1601,9 +1601,9 @@ diff -up openssh/kexgsss.c.gsskex openssh/kexgsss.c + return 0; +} +#endif /* GSSAPI */ -diff -up openssh/kex.h.gsskex openssh/kex.h ---- openssh/kex.h.gsskex 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/kex.h 2015-06-24 11:07:36.230389799 +0200 +diff -up openssh-7.0p1/kex.h.gsskex openssh-7.0p1/kex.h +--- openssh-7.0p1/kex.h.gsskex 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/kex.h 2015-08-12 11:17:44.694354889 +0200 @@ -93,6 +93,11 @@ enum kex_exchange { KEX_DH_GEX_SHA256, KEX_ECDH_SHA2, @@ -1628,8 +1628,8 @@ diff -up openssh/kex.h.gsskex openssh/kex.h +#endif char *client_version_string; char *server_version_string; - int (*verify_host_key)(struct sshkey *, struct ssh *); -@@ -183,6 +194,10 @@ int kexecdh_client(struct ssh *); + char *failed_choice; +@@ -186,6 +197,10 @@ int kexecdh_client(struct ssh *); int kexecdh_server(struct ssh *); int kexc25519_client(struct ssh *); int kexc25519_server(struct ssh *); @@ -1640,9 +1640,9 @@ diff -up openssh/kex.h.gsskex openssh/kex.h int kex_dh_hash(const char *, const char *, const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, -diff -up openssh/Makefile.in.gsskex openssh/Makefile.in ---- openssh/Makefile.in.gsskex 2015-06-24 11:07:36.223389817 +0200 -+++ openssh/Makefile.in 2015-06-24 11:07:36.228389804 +0200 +diff -up openssh-7.0p1/Makefile.in.gsskex openssh-7.0p1/Makefile.in +--- openssh-7.0p1/Makefile.in.gsskex 2015-08-12 11:15:43.686548901 +0200 ++++ openssh-7.0p1/Makefile.in 2015-08-12 11:15:43.695548887 +0200 @@ -90,6 +90,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \ atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o \ 
@@ -1660,9 +1660,9 @@ diff -up openssh/Makefile.in.gsskex openssh/Makefile.in loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ sftp-server.o sftp-common.o \ roaming_common.o roaming_serv.o \ -diff -up openssh/monitor.c.gsskex openssh/monitor.c ---- openssh/monitor.c.gsskex 2015-06-24 11:07:36.180389924 +0200 -+++ openssh/monitor.c 2015-06-24 11:07:36.231389797 +0200 +diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c +--- openssh-7.0p1/monitor.c.gsskex 2015-08-12 11:15:43.626548998 +0200 ++++ openssh-7.0p1/monitor.c 2015-08-12 11:15:43.696548885 +0200 @@ -160,6 +160,8 @@ int mm_answer_gss_setup_ctx(int, Buffer int mm_answer_gss_accept_ctx(int, Buffer *); int mm_answer_gss_userok(int, Buffer *); @@ -1852,9 +1852,9 @@ diff -up openssh/monitor.c.gsskex openssh/monitor.c + #endif /* GSSAPI */ -diff -up openssh/monitor.h.gsskex openssh/monitor.h ---- openssh/monitor.h.gsskex 2015-06-24 11:07:36.181389921 +0200 -+++ openssh/monitor.h 2015-06-24 11:07:36.231389797 +0200 +diff -up openssh-7.0p1/monitor.h.gsskex openssh-7.0p1/monitor.h +--- openssh-7.0p1/monitor.h.gsskex 2015-08-12 11:15:43.626548998 +0200 ++++ openssh-7.0p1/monitor.h 2015-08-12 11:15:43.696548885 +0200 @@ -60,6 +60,8 @@ enum monitor_reqtype { #ifdef WITH_SELINUX MONITOR_REQ_AUTHROLE = 80, 
@@ -1864,10 +1864,10 @@ diff -up openssh/monitor.h.gsskex openssh/monitor.h MONITOR_REQ_PAM_START = 100, MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103, -diff -up openssh/monitor_wrap.c.gsskex openssh/monitor_wrap.c ---- openssh/monitor_wrap.c.gsskex 2015-06-24 11:07:36.181389921 +0200 -+++ openssh/monitor_wrap.c 2015-06-24 11:07:36.231389797 +0200 -@@ -1088,7 +1088,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss +diff -up openssh-7.0p1/monitor_wrap.c.gsskex openssh-7.0p1/monitor_wrap.c +--- openssh-7.0p1/monitor_wrap.c.gsskex 2015-08-12 11:15:43.626548998 +0200 ++++ openssh-7.0p1/monitor_wrap.c 2015-08-12 11:15:43.697548884 +0200 +@@ -1087,7 +1087,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss } int @@ -1876,7 +1876,7 @@ diff -up openssh/monitor_wrap.c.gsskex openssh/monitor_wrap.c { Buffer m; int authenticated = 0; -@@ -1105,5 +1105,50 @@ mm_ssh_gssapi_userok(char *user) +@@ -1104,5 +1104,50 @@ mm_ssh_gssapi_userok(char *user) debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); return (authenticated); } @@ -1927,9 +1927,9 @@ diff -up openssh/monitor_wrap.c.gsskex openssh/monitor_wrap.c + #endif /* GSSAPI */ -diff -up openssh/monitor_wrap.h.gsskex openssh/monitor_wrap.h ---- openssh/monitor_wrap.h.gsskex 2015-06-24 11:07:36.181389921 +0200 -+++ openssh/monitor_wrap.h 2015-06-24 11:07:36.232389794 +0200 +diff -up openssh-7.0p1/monitor_wrap.h.gsskex openssh-7.0p1/monitor_wrap.h +--- openssh-7.0p1/monitor_wrap.h.gsskex 2015-08-12 11:15:43.626548998 +0200 ++++ openssh-7.0p1/monitor_wrap.h 2015-08-12 11:15:43.697548884 +0200 @@ -61,8 +61,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, 
@@ -1942,9 +1942,9 @@ diff -up openssh/monitor_wrap.h.gsskex openssh/monitor_wrap.h #endif #ifdef USE_PAM -diff -up openssh/readconf.c.gsskex openssh/readconf.c ---- openssh/readconf.c.gsskex 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/readconf.c 2015-06-24 11:07:36.232389794 +0200 +diff -up openssh-7.0p1/readconf.c.gsskex openssh-7.0p1/readconf.c +--- openssh-7.0p1/readconf.c.gsskex 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/readconf.c 2015-08-12 11:15:43.697548884 +0200 @@ -147,6 +147,8 @@ typedef enum { oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, @@ -1954,7 +1954,7 @@ diff -up openssh/readconf.c.gsskex openssh/readconf.c oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oSendEnv, oControlPath, oControlMaster, oControlPersist, oHashKnownHosts, -@@ -191,10 +193,19 @@ static struct { +@@ -192,10 +194,19 @@ static struct { { "afstokenpassing", oUnsupported }, #if defined(GSSAPI) { "gssapiauthentication", oGssAuthentication }, @@ -1974,7 +1974,7 @@ diff -up openssh/readconf.c.gsskex openssh/readconf.c #endif { "fallbacktorsh", oDeprecated }, { "usersh", oDeprecated }, -@@ -892,10 +903,30 @@ parse_time: +@@ -894,10 +905,30 @@ parse_time: intptr = &options->gss_authentication; goto parse_flag; @@ -2018,7 +2018,7 @@ diff -up openssh/readconf.c.gsskex openssh/readconf.c options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; -@@ -1728,8 +1764,14 @@ fill_default_options(Options * options) +@@ -1729,8 +1765,14 @@ fill_default_options(Options * options) options->challenge_response_authentication = 1; if (options->gss_authentication == -1) options->gss_authentication = 0; 
@@ -2033,9 +2033,9 @@ diff -up openssh/readconf.c.gsskex openssh/readconf.c if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -diff -up openssh/readconf.h.gsskex openssh/readconf.h ---- openssh/readconf.h.gsskex 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/readconf.h 2015-06-24 11:07:36.232389794 +0200 +diff -up openssh-7.0p1/readconf.h.gsskex openssh-7.0p1/readconf.h +--- openssh-7.0p1/readconf.h.gsskex 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/readconf.h 2015-08-12 11:15:43.697548884 +0200 @@ -45,7 +45,12 @@ typedef struct { int challenge_response_authentication; /* Try S/Key or TIS, authentication. */ 
@@ -2049,33 +2049,33 @@ diff -up openssh/readconf.h.gsskex openssh/readconf.h int password_authentication; /* Try password * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ -diff -up openssh/regress/cert-hostkey.sh.gsskex openssh/regress/cert-hostkey.sh ---- openssh/regress/cert-hostkey.sh.gsskex 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/regress/cert-hostkey.sh 2015-06-24 11:07:36.232389794 +0200 -@@ -25,7 +25,7 @@ touch $OBJ/host_revoked_plain +diff -up openssh-7.0p1/regress/cert-hostkey.sh.gsskex openssh-7.0p1/regress/cert-hostkey.sh +--- openssh-7.0p1/regress/cert-hostkey.sh.gsskex 2015-08-12 11:15:43.698548882 +0200 ++++ openssh-7.0p1/regress/cert-hostkey.sh 2015-08-12 11:16:52.511438554 +0200 +@@ -46,7 +46,7 @@ touch $OBJ/host_revoked_plain touch $OBJ/host_revoked_cert cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca -PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` +PLAIN_TYPES=`$SSH -Q key-plain | grep -v null | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` - type_has_legacy() { - case $1 in -diff -up openssh/regress/cert-userkey.sh.gsskex openssh/regress/cert-userkey.sh ---- openssh/regress/cert-userkey.sh.gsskex 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/regress/cert-userkey.sh 2015-06-24 11:07:36.232389794 +0200 -@@ -6,7 +6,7 @@ tid="certified user keys" - rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* + # Prepare certificate, plain key and CA KRLs + ${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed" +diff -up openssh-7.0p1/regress/cert-userkey.sh.gsskex openssh-7.0p1/regress/cert-userkey.sh +--- openssh-7.0p1/regress/cert-userkey.sh.gsskex 2015-08-12 11:15:43.698548882 +0200 ++++ openssh-7.0p1/regress/cert-userkey.sh 2015-08-12 11:20:30.110089677 +0200 +@@ -7,7 +7,7 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/us cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak + cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak -PLAIN_TYPES=`$SSH -Q key-plain | sed 
's/^ssh-dss/ssh-dsa/;s/^ssh-//'` +PLAIN_TYPES=`$SSH -Q key-plain | grep -v null | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` - type_has_legacy() { - case $1 in -diff -up openssh/regress/kextype.sh.gsskex openssh/regress/kextype.sh ---- openssh/regress/kextype.sh.gsskex 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/regress/kextype.sh 2015-06-24 11:07:36.233389792 +0200 + kname() { + n=`echo "$1" | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'` +diff -up openssh-7.0p1/regress/kextype.sh.gsskex openssh-7.0p1/regress/kextype.sh +--- openssh-7.0p1/regress/kextype.sh.gsskex 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/regress/kextype.sh 2015-08-12 11:15:43.698548882 +0200 @@ -14,6 +14,9 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/ssh tries="1 2 3 4" @@ -2086,9 +2086,9 @@ diff -up openssh/regress/kextype.sh.gsskex openssh/regress/kextype.sh verbose "kex $k" for i in $tries; do ${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true -diff -up openssh/regress/rekey.sh.gsskex openssh/regress/rekey.sh ---- openssh/regress/rekey.sh.gsskex 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/regress/rekey.sh 2015-06-24 11:07:36.233389792 +0200 +diff -up openssh-7.0p1/regress/rekey.sh.gsskex openssh-7.0p1/regress/rekey.sh +--- openssh-7.0p1/regress/rekey.sh.gsskex 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/regress/rekey.sh 2015-08-12 11:15:43.698548882 +0200 @@ -38,6 +38,9 @@ increase_datafile_size 300 opts="" 
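Review bot: `grep -v null` in the two new `PLAIN_TYPES` pipelines is a substring filter, so it would silently drop any future key type whose name merely contains "null"; an anchored match such as `grep -vx null` (or `grep -v '^null$'`) expresses the intent exactly. A one-line comment above each pipeline explaining why the type is excluded would also spare the next rebase a guess, for example `# drop the 'null' host key type added by the gsskex patch; no key file can be generated for it` — the reason is inferred from the patch name here, so word it to match the actual behaviour.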
@@ -2109,10 +2109,10 @@ diff -up openssh/regress/rekey.sh.gsskex openssh/regress/rekey.sh verbose "client rekey $c $kex" ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c done -diff -up openssh/servconf.c.gsskex openssh/servconf.c ---- openssh/servconf.c.gsskex 2015-06-24 11:07:36.214389839 +0200 -+++ openssh/servconf.c 2015-06-24 11:20:08.026487223 +0200 -@@ -115,8 +115,10 @@ initialize_server_options(ServerOptions +diff -up openssh-7.0p1/servconf.c.gsskex openssh-7.0p1/servconf.c +--- openssh-7.0p1/servconf.c.gsskex 2015-08-12 11:15:43.676548918 +0200 ++++ openssh-7.0p1/servconf.c 2015-08-12 11:22:32.686893730 +0200 +@@ -117,8 +117,10 @@ initialize_server_options(ServerOptions options->kerberos_ticket_cleanup = -1; options->kerberos_get_afs_token = -1; options->gss_authentication=-1; @@ -2138,8 +2138,8 @@ diff -up openssh/servconf.c.gsskex openssh/servconf.c if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -@@ -404,7 +410,7 @@ typedef enum { - sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, +@@ -415,7 +421,7 @@ typedef enum { + sHostKeyAlgorithms, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, - sAcceptEnv, sPermitTunnel, @@ -2147,7 +2147,7 @@ diff -up openssh/servconf.c.gsskex openssh/servconf.c sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, sHostCertificate, -@@ -477,11 +483,17 @@ static struct { +@@ -489,11 +495,17 @@ static struct { { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, 
@@ -2165,7 +2165,7 @@ diff -up openssh/servconf.c.gsskex openssh/servconf.c { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, -@@ -1218,6 +1230,10 @@ process_server_config_line(ServerOptions +@@ -1235,6 +1247,10 @@ process_server_config_line(ServerOptions intptr = &options->gss_authentication; goto parse_flag; @@ -2176,7 +2176,7 @@ diff -up openssh/servconf.c.gsskex openssh/servconf.c case sGssCleanupCreds: intptr = &options->gss_cleanup_creds; goto parse_flag; -@@ -1226,6 +1242,10 @@ process_server_config_line(ServerOptions +@@ -1243,6 +1259,10 @@ process_server_config_line(ServerOptions intptr = &options->gss_strict_acceptor; goto parse_flag; @@ -2187,7 +2187,7 @@ diff -up openssh/servconf.c.gsskex openssh/servconf.c case sPasswordAuthentication: intptr = &options->password_authentication; goto parse_flag; -@@ -2238,6 +2258,9 @@ dump_config(ServerOptions *o) +@@ -2255,6 +2275,9 @@ dump_config(ServerOptions *o) #ifdef GSSAPI dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); 
@@ -2197,10 +2197,10 @@ diff -up openssh/servconf.c.gsskex openssh/servconf.c #endif dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); dump_cfg_fmtint(sKbdInteractiveAuthentication, -diff -up openssh/servconf.h.gsskex openssh/servconf.h ---- openssh/servconf.h.gsskex 2015-06-24 11:07:36.233389792 +0200 -+++ openssh/servconf.h 2015-06-24 11:21:20.888302354 +0200 -@@ -117,8 +117,10 @@ typedef struct { +diff -up openssh-7.0p1/servconf.h.gsskex openssh-7.0p1/servconf.h +--- openssh-7.0p1/servconf.h.gsskex 2015-08-12 11:15:43.676548918 +0200 ++++ openssh-7.0p1/servconf.h 2015-08-12 11:15:43.700548879 +0200 +@@ -118,8 +118,10 @@ typedef struct { int kerberos_get_afs_token; /* If true, try to get AFS token if * authenticated with Kerberos. */ int gss_authentication; /* If true, permit GSSAPI authentication */ @@ -2211,10 +2211,10 @@ diff -up openssh/servconf.h.gsskex openssh/servconf.h int password_authentication; /* If true, permit password * authentication. */ int kbd_interactive_authentication; /* If true, permit */ -diff -up openssh/ssh_config.5.gsskex openssh/ssh_config.5 ---- openssh/ssh_config.5.gsskex 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/ssh_config.5 2015-06-24 11:07:36.234389789 +0200 -@@ -744,11 +744,43 @@ Specifies whether user authentication ba +diff -up openssh-7.0p1/ssh_config.5.gsskex openssh-7.0p1/ssh_config.5 +--- openssh-7.0p1/ssh_config.5.gsskex 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/ssh_config.5 2015-08-12 11:15:43.700548879 +0200 +@@ -749,11 +749,43 @@ Specifies whether user authentication ba The default is .Dq no . Note that this option applies to protocol version 2 only. 
@@ -2259,9 +2259,9 @@ diff -up openssh/ssh_config.5.gsskex openssh/ssh_config.5 .It Cm HashKnownHosts Indicates that .Xr ssh 1 -diff -up openssh/ssh_config.gsskex openssh/ssh_config ---- openssh/ssh_config.gsskex 2015-06-24 11:07:36.209389852 +0200 -+++ openssh/ssh_config 2015-06-24 11:07:36.234389789 +0200 +diff -up openssh-7.0p1/ssh_config.gsskex openssh-7.0p1/ssh_config +--- openssh-7.0p1/ssh_config.gsskex 2015-08-12 11:15:43.667548932 +0200 ++++ openssh-7.0p1/ssh_config 2015-08-12 11:15:43.700548879 +0200 @@ -26,6 +26,8 @@ # HostbasedAuthentication no # GSSAPIAuthentication no @@ -2271,9 +2271,9 @@ diff -up openssh/ssh_config.gsskex openssh/ssh_config # BatchMode no # CheckHostIP yes # AddressFamily any -diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c ---- openssh/sshconnect2.c.gsskex 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/sshconnect2.c 2015-06-24 11:07:36.234389789 +0200 +diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c +--- openssh-7.0p1/sshconnect2.c.gsskex 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/sshconnect2.c 2015-08-12 11:25:12.486644393 +0200 @@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *ho struct kex *kex; int r; @@ -2306,12 +2306,12 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c + } +#endif + - if (options.ciphers == (char *)-1) { - logit("No valid ciphers for protocol version 2 given, using defaults."); - options.ciphers = NULL; -@@ -200,6 +225,17 @@ ssh_kex2(char *host, struct sockaddr *ho myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( - myproposal[PROPOSAL_KEX_ALGS]); + options.kex_algorithms); + myproposal[PROPOSAL_ENC_ALGS_CTOS] = +@@ -193,6 +218,17 @@ ssh_kex2(char *host, struct sockaddr *ho + order_hostkeyalgs(host, hostaddr, port)); + } +#ifdef GSSAPI + /* If we've got GSSAPI algorithms, then we also support the 
@@ -2327,7 +2327,7 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c if (options.rekey_limit || options.rekey_interval) packet_set_rekey_limits((u_int32_t)options.rekey_limit, (time_t)options.rekey_interval); -@@ -217,11 +253,31 @@ ssh_kex2(char *host, struct sockaddr *ho +@@ -210,11 +246,31 @@ ssh_kex2(char *host, struct sockaddr *ho kex->kex[KEX_ECDH_SHA2] = kexecdh_client; # endif #endif @@ -2359,7 +2359,7 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c dispatch_run(DISPATCH_BLOCK, &kex->done, active_state); if (options.use_roaming && !kex->roaming) { -@@ -313,6 +369,7 @@ int input_gssapi_token(int type, u_int32 +@@ -306,6 +362,7 @@ int input_gssapi_token(int type, u_int32 int input_gssapi_hash(int type, u_int32_t, void *); int input_gssapi_error(int, u_int32_t, void *); int input_gssapi_errtok(int, u_int32_t, void *); @@ -2367,7 +2367,7 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c #endif void userauth(Authctxt *, char *); -@@ -328,6 +385,11 @@ static char *authmethods_get(void); +@@ -321,6 +378,11 @@ static char *authmethods_get(void); Authmethod authmethods[] = { #ifdef GSSAPI @@ -2379,7 +2379,7 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c {"gssapi-with-mic", userauth_gssapi, NULL, -@@ -634,19 +696,31 @@ userauth_gssapi(Authctxt *authctxt) +@@ -627,19 +689,31 @@ userauth_gssapi(Authctxt *authctxt) static u_int mech = 0; OM_uint32 min; int ok = 0; @@ -2413,7 +2413,7 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c ok = 1; /* Mechanism works */ } else { mech++; -@@ -743,8 +817,8 @@ input_gssapi_response(int type, u_int32_ +@@ -736,8 +810,8 @@ input_gssapi_response(int type, u_int32_ { Authctxt *authctxt = ctxt; Gssctxt *gssctxt; 
@@ -2424,7 +2424,7 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c if (authctxt == NULL) fatal("input_gssapi_response: no authentication context"); -@@ -857,6 +931,48 @@ input_gssapi_error(int type, u_int32_t p +@@ -850,6 +924,48 @@ input_gssapi_error(int type, u_int32_t p free(lang); return 0; } @@ -2473,10 +2473,10 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c #endif /* GSSAPI */ int -diff -up openssh/sshd.c.gsskex openssh/sshd.c ---- openssh/sshd.c.gsskex 2015-06-24 11:07:36.217389832 +0200 -+++ openssh/sshd.c 2015-06-24 11:07:36.235389787 +0200 -@@ -1839,10 +1839,13 @@ main(int ac, char **av) +diff -up openssh-7.0p1/sshd.c.gsskex openssh-7.0p1/sshd.c +--- openssh-7.0p1/sshd.c.gsskex 2015-08-12 11:15:43.679548913 +0200 ++++ openssh-7.0p1/sshd.c 2015-08-12 11:15:43.702548876 +0200 +@@ -1843,10 +1843,13 @@ main(int ac, char **av) logit("Disabling protocol version 1. Could not load host key"); options.protocol &= ~SSH_PROTO_1; } @@ -2490,7 +2490,7 @@ diff -up openssh/sshd.c.gsskex openssh/sshd.c if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { logit("sshd: no hostkeys available -- exiting."); exit(1); -@@ -2589,6 +2592,48 @@ do_ssh2_kex(void) +@@ -2582,6 +2585,48 @@ do_ssh2_kex(void) myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( list_hostkey_types()); @@ -2539,7 +2539,7 @@ diff -up openssh/sshd.c.gsskex openssh/sshd.c /* start key exchange */ if ((r = kex_setup(active_state, myproposal)) != 0) fatal("kex_setup: %s", ssh_err(r)); -@@ -2603,6 +2648,13 @@ do_ssh2_kex(void) +@@ -2596,6 +2641,13 @@ do_ssh2_kex(void) # endif #endif kex->kex[KEX_C25519_SHA256] = kexc25519_server; 
@@ -2553,10 +2553,10 @@ diff -up openssh/sshd.c.gsskex openssh/sshd.c kex->server = 1; kex->client_version_string=client_version_string; kex->server_version_string=server_version_string; -diff -up openssh/sshd_config.5.gsskex openssh/sshd_config.5 ---- openssh/sshd_config.5.gsskex 2015-06-24 11:07:36.235389787 +0200 -+++ openssh/sshd_config.5 2015-06-24 11:23:13.490016656 +0200 -@@ -616,6 +616,12 @@ Specifies whether user authentication ba +diff -up openssh-7.0p1/sshd_config.5.gsskex openssh-7.0p1/sshd_config.5 +--- openssh-7.0p1/sshd_config.5.gsskex 2015-08-12 11:15:43.677548916 +0200 ++++ openssh-7.0p1/sshd_config.5 2015-08-12 11:15:43.702548876 +0200 +@@ -621,6 +621,12 @@ Specifies whether user authentication ba The default is .Dq no . Note that this option applies to protocol version 2 only. @@ -2569,7 +2569,7 @@ diff -up openssh/sshd_config.5.gsskex openssh/sshd_config.5 .It Cm GSSAPICleanupCredentials Specifies whether to automatically destroy the user's credentials cache on logout. -@@ -637,6 +643,11 @@ machine's default store. +@@ -642,6 +648,11 @@ machine's default store. This facility is provided to assist with operation on multi homed machines. The default is .Dq yes . @@ -2581,9 +2581,9 @@ diff -up openssh/sshd_config.5.gsskex openssh/sshd_config.5 .It Cm HostbasedAcceptedKeyTypes Specifies the key types that will be accepted for hostbased authentication as a comma-separated pattern list. -diff -up openssh/sshd_config.gsskex openssh/sshd_config ---- openssh/sshd_config.gsskex 2015-06-24 11:07:36.217389832 +0200 -+++ openssh/sshd_config 2015-06-24 11:07:36.235389787 +0200 +diff -up openssh-7.0p1/sshd_config.gsskex openssh-7.0p1/sshd_config +--- openssh-7.0p1/sshd_config.gsskex 2015-08-12 11:15:43.679548913 +0200 ++++ openssh-7.0p1/sshd_config 2015-08-12 11:15:43.702548876 +0200 @@ -91,6 +91,8 @@ ChallengeResponseAuthentication no # GSSAPI options GSSAPIAuthentication yes 
@@ -2593,9 +2593,9 @@ diff -up openssh/sshd_config.gsskex openssh/sshd_config # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will -diff -up openssh/ssh-gss.h.gsskex openssh/ssh-gss.h ---- openssh/ssh-gss.h.gsskex 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/ssh-gss.h 2015-06-24 11:07:36.234389789 +0200 +diff -up openssh-7.0p1/ssh-gss.h.gsskex openssh-7.0p1/ssh-gss.h +--- openssh-7.0p1/ssh-gss.h.gsskex 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/ssh-gss.h 2015-08-12 11:15:43.702548876 +0200 @@ -1,6 +1,6 @@ /* $OpenBSD: ssh-gss.h,v 1.11 2014/02/26 20:28:44 djm Exp $ */ /* diff --git a/openssh-6.6p1-kuserok.patch b/openssh-6.6p1-kuserok.patch index 9e93051..0e6215d 100644 --- a/openssh-6.6p1-kuserok.patch +++ b/openssh-6.6p1-kuserok.patch @@ -1,6 +1,6 @@ -diff -up openssh-6.8p1/auth-krb5.c.kuserok openssh-6.8p1/auth-krb5.c ---- openssh-6.8p1/auth-krb5.c.kuserok 2015-03-17 06:49:20.000000000 +0100 -+++ openssh-6.8p1/auth-krb5.c 2015-03-18 12:37:14.349351304 +0100 +diff -up openssh-7.0p1/auth-krb5.c.kuserok openssh-7.0p1/auth-krb5.c +--- openssh-7.0p1/auth-krb5.c.kuserok 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/auth-krb5.c 2015-08-12 11:26:21.874536127 +0200 @@ -55,6 +55,21 @@ extern ServerOptions options; @@ -35,9 +35,9 @@ diff -up openssh-6.8p1/auth-krb5.c.kuserok openssh-6.8p1/auth-krb5.c problem = -1; goto out; } -diff -up openssh-6.8p1/gss-serv-krb5.c.kuserok openssh-6.8p1/gss-serv-krb5.c ---- openssh-6.8p1/gss-serv-krb5.c.kuserok 2015-03-18 12:37:14.346351312 +0100 -+++ openssh-6.8p1/gss-serv-krb5.c 2015-03-18 12:37:14.349351304 +0100 +diff -up openssh-7.0p1/gss-serv-krb5.c.kuserok openssh-7.0p1/gss-serv-krb5.c +--- openssh-7.0p1/gss-serv-krb5.c.kuserok 2015-08-12 11:26:21.868536137 +0200 ++++ openssh-7.0p1/gss-serv-krb5.c 2015-08-12 11:26:21.875536126 +0200 @@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr int); 
@@ -172,10 +172,10 @@ diff -up openssh-6.8p1/gss-serv-krb5.c.kuserok openssh-6.8p1/gss-serv-krb5.c } if ((fp = fopen(file, "r")) == NULL) { int saved_errno = errno; -diff -up openssh-6.8p1/servconf.c.kuserok openssh-6.8p1/servconf.c ---- openssh-6.8p1/servconf.c.kuserok 2015-03-18 12:37:14.342351322 +0100 -+++ openssh-6.8p1/servconf.c 2015-03-18 12:38:36.133145700 +0100 -@@ -167,6 +167,7 @@ initialize_server_options(ServerOptions +diff -up openssh-7.0p1/servconf.c.kuserok openssh-7.0p1/servconf.c +--- openssh-7.0p1/servconf.c.kuserok 2015-08-12 11:26:21.865536141 +0200 ++++ openssh-7.0p1/servconf.c 2015-08-12 11:27:14.126454598 +0200 +@@ -172,6 +172,7 @@ initialize_server_options(ServerOptions options->ip_qos_bulk = -1; options->version_addendum = NULL; options->fingerprint_hash = -1; @@ -183,16 +183,16 @@ diff -up openssh-6.8p1/servconf.c.kuserok openssh-6.8p1/servconf.c } /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ -@@ -345,6 +346,8 @@ fill_default_server_options(ServerOption +@@ -350,6 +351,8 @@ fill_default_server_options(ServerOption options->fwd_opts.streamlocal_bind_unlink = 0; if (options->fingerprint_hash == -1) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; + if (options->use_kuserok == -1) + options->use_kuserok = 1; - /* Turn privilege separation on by default */ - if (use_privsep == -1) - use_privsep = PRIVSEP_NOSANDBOX; -@@ -388,7 +391,7 @@ typedef enum { + + if (kex_assemble_names(KEX_SERVER_ENCRYPT, &options->ciphers) != 0 || + kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 || +@@ -404,7 +407,7 @@ typedef enum { sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel, sRhostsRSAAuthentication, sRSAAuthentication, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, 
@@ -201,7 +201,7 @@ diff -up openssh-6.8p1/servconf.c.kuserok openssh-6.8p1/servconf.c sKerberosTgtPassing, sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sAddressFamily, -@@ -464,11 +467,13 @@ static struct { +@@ -483,11 +486,13 @@ static struct { #else { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, #endif @@ -215,7 +215,7 @@ diff -up openssh-6.8p1/servconf.c.kuserok openssh-6.8p1/servconf.c #endif { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, -@@ -1614,6 +1619,10 @@ process_server_config_line(ServerOptions +@@ -1671,6 +1676,10 @@ process_server_config_line(ServerOptions *activep = value; break; @@ -226,7 +226,7 @@ diff -up openssh-6.8p1/servconf.c.kuserok openssh-6.8p1/servconf.c case sPermitOpen: arg = strdelim(&cp); if (!arg || *arg == '\0') -@@ -1935,6 +1944,7 @@ copy_set_server_options(ServerOptions *d +@@ -2023,6 +2032,7 @@ copy_set_server_options(ServerOptions *d M_CP_INTOPT(max_authtries); M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_bulk); @@ -234,7 +234,7 @@ diff -up openssh-6.8p1/servconf.c.kuserok openssh-6.8p1/servconf.c M_CP_INTOPT(rekey_limit); M_CP_INTOPT(rekey_interval); -@@ -2194,6 +2204,7 @@ dump_config(ServerOptions *o) +@@ -2304,6 +2314,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); 
@@ -242,10 +242,10 @@ diff -up openssh-6.8p1/servconf.c.kuserok openssh-6.8p1/servconf.c /* string arguments */ dump_cfg_string(sPidFile, o->pid_file); -diff -up openssh-6.8p1/servconf.h.kuserok openssh-6.8p1/servconf.h ---- openssh-6.8p1/servconf.h.kuserok 2015-03-18 12:37:14.342351322 +0100 -+++ openssh-6.8p1/servconf.h 2015-03-18 12:37:14.350351302 +0100 -@@ -177,6 +177,7 @@ typedef struct { +diff -up openssh-7.0p1/servconf.h.kuserok openssh-7.0p1/servconf.h +--- openssh-7.0p1/servconf.h.kuserok 2015-08-12 11:26:21.865536141 +0200 ++++ openssh-7.0p1/servconf.h 2015-08-12 11:26:21.876536124 +0200 +@@ -180,6 +180,7 @@ typedef struct { int num_permitted_opens; @@ -253,21 +253,10 @@ diff -up openssh-6.8p1/servconf.h.kuserok openssh-6.8p1/servconf.h char *chroot_directory; char *revoked_keys_file; char *trusted_user_ca_keys; -diff -up openssh-6.8p1/sshd_config.kuserok openssh-6.8p1/sshd_config ---- openssh-6.8p1/sshd_config.kuserok 2015-03-18 12:37:14.344351317 +0100 -+++ openssh-6.8p1/sshd_config 2015-03-18 12:37:14.350351302 +0100 -@@ -87,6 +87,7 @@ ChallengeResponseAuthentication no - #KerberosOrLocalPasswd yes - #KerberosTicketCleanup yes - #KerberosGetAFSToken no -+#KerberosUseKuserok yes - - # GSSAPI options - GSSAPIAuthentication yes -diff -up openssh-6.8p1/sshd_config.5.kuserok openssh-6.8p1/sshd_config.5 ---- openssh-6.8p1/sshd_config.5.kuserok 2015-03-18 12:37:14.343351319 +0100 -+++ openssh-6.8p1/sshd_config.5 2015-03-18 12:39:23.373026939 +0100 -@@ -779,6 +779,10 @@ Specifies whether to automatically destr +diff -up openssh-7.0p1/sshd_config.5.kuserok openssh-7.0p1/sshd_config.5 +--- openssh-7.0p1/sshd_config.5.kuserok 2015-08-12 11:26:21.867536138 +0200 ++++ openssh-7.0p1/sshd_config.5 2015-08-12 11:26:21.877536123 +0200 +@@ -872,6 +872,10 @@ Specifies whether to automatically destr file on logout. The default is .Dq yes . 
@@ -278,7 +267,7 @@ diff -up openssh-6.8p1/sshd_config.5.kuserok openssh-6.8p1/sshd_config.5 .It Cm KexAlgorithms Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. -@@ -1017,6 +1021,7 @@ Available keywords are +@@ -1116,6 +1120,7 @@ Available keywords are .Cm IPQoS , .Cm KbdInteractiveAuthentication , .Cm KerberosAuthentication , @@ -286,3 +275,14 @@ diff -up openssh-6.8p1/sshd_config.5.kuserok openssh-6.8p1/sshd_config.5 .Cm MaxAuthTries , .Cm MaxSessions , .Cm PasswordAuthentication , +diff -up openssh-7.0p1/sshd_config.kuserok openssh-7.0p1/sshd_config +--- openssh-7.0p1/sshd_config.kuserok 2015-08-12 11:26:21.867536138 +0200 ++++ openssh-7.0p1/sshd_config 2015-08-12 11:26:21.876536124 +0200 +@@ -87,6 +87,7 @@ ChallengeResponseAuthentication no + #KerberosOrLocalPasswd yes + #KerberosTicketCleanup yes + #KerberosGetAFSToken no ++#KerberosUseKuserok yes + + # GSSAPI options + GSSAPIAuthentication yes diff --git a/openssh-6.7p1-audit.patch b/openssh-6.7p1-audit.patch index 59584a2..ac59f0a 100644 --- a/openssh-6.7p1-audit.patch +++ b/openssh-6.7p1-audit.patch @@ -1,6 +1,6 @@ -diff -up openssh/audit-bsm.c.audit openssh/audit-bsm.c ---- openssh/audit-bsm.c.audit 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/audit-bsm.c 2015-06-24 11:53:29.780390469 +0200 +diff -up openssh-7.0p1/audit-bsm.c.audit openssh-7.0p1/audit-bsm.c +--- openssh-7.0p1/audit-bsm.c.audit 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/audit-bsm.c 2015-08-12 11:33:00.409914290 +0200 @@ -375,10 +375,23 @@ audit_connection_from(const char *host, #endif } 
@@ -80,9 +80,9 @@ diff -up openssh/audit-bsm.c.audit openssh/audit-bsm.c + /* not implemented */ +} #endif /* BSM */ -diff -up openssh/audit.c.audit openssh/audit.c ---- openssh/audit.c.audit 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/audit.c 2015-06-24 11:53:29.781390467 +0200 +diff -up openssh-7.0p1/audit.c.audit openssh-7.0p1/audit.c +--- openssh-7.0p1/audit.c.audit 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/audit.c 2015-08-12 11:33:00.410914289 +0200 @@ -28,6 +28,7 @@ #include @@ -280,9 +280,9 @@ diff -up openssh/audit.c.audit openssh/audit.c } # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */ -diff -up openssh/audit.h.audit openssh/audit.h ---- openssh/audit.h.audit 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/audit.h 2015-06-24 11:53:29.781390467 +0200 +diff -up openssh-7.0p1/audit.h.audit openssh-7.0p1/audit.h +--- openssh-7.0p1/audit.h.audit 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/audit.h 2015-08-12 11:33:00.410914289 +0200 @@ -28,6 +28,7 @@ # define _SSH_AUDIT_H @@ -318,9 +318,9 @@ diff -up openssh/audit.h.audit openssh/audit.h +void audit_generate_ephemeral_server_key(const char *); #endif /* _SSH_AUDIT_H */ -diff -up openssh/audit-linux.c.audit openssh/audit-linux.c ---- openssh/audit-linux.c.audit 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/audit-linux.c 2015-06-24 11:53:29.781390467 +0200 +diff -up openssh-7.0p1/audit-linux.c.audit openssh-7.0p1/audit-linux.c +--- openssh-7.0p1/audit-linux.c.audit 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/audit-linux.c 2015-08-12 11:33:00.411914287 +0200 @@ -35,13 +35,25 @@ #include "log.h" 
@@ -612,7 +612,7 @@ diff -up openssh/audit-linux.c.audit openssh/audit-linux.c +#ifdef AUDIT_CRYPTO_SESSION + char buf[AUDIT_LOG_SIZE]; + int audit_fd, audit_ok; -+ const Cipher *cipher = cipher_by_name(enc); ++ const struct sshcipher *cipher = cipher_by_name(enc); + char *s; + + snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d mac=%s pfs=%s spid=%jd suid=%jd rport=%d laddr=%s lport=%d ", @@ -712,9 +712,9 @@ diff -up openssh/audit-linux.c.audit openssh/audit-linux.c + error("cannot write into audit"); +} #endif /* USE_LINUX_AUDIT */ -diff -up openssh/auditstub.c.audit openssh/auditstub.c ---- openssh/auditstub.c.audit 2015-06-24 11:53:29.782390464 +0200 -+++ openssh/auditstub.c 2015-06-24 11:53:29.782390464 +0200 +diff -up openssh-7.0p1/auditstub.c.audit openssh-7.0p1/auditstub.c +--- openssh-7.0p1/auditstub.c.audit 2015-08-12 11:33:00.411914287 +0200 ++++ openssh-7.0p1/auditstub.c 2015-08-12 11:33:00.411914287 +0200 @@ -0,0 +1,50 @@ +/* $Id: auditstub.c,v 1.1 jfch Exp $ */ + @@ -766,9 +766,9 @@ diff -up openssh/auditstub.c.audit openssh/auditstub.c +audit_session_key_free_body(int ctos, pid_t pid, uid_t uid) +{ +} -diff -up openssh/auth2.c.audit openssh/auth2.c ---- openssh/auth2.c.audit 2015-06-24 11:53:29.731390595 +0200 -+++ openssh/auth2.c 2015-06-24 11:53:29.783390462 +0200 +diff -up openssh-7.0p1/auth2.c.audit openssh-7.0p1/auth2.c +--- openssh-7.0p1/auth2.c.audit 2015-08-12 11:33:00.349914384 +0200 ++++ openssh-7.0p1/auth2.c 2015-08-12 11:33:00.411914287 +0200 @@ -249,9 +249,6 @@ input_userauth_request(int type, u_int32 } else { logit("input_userauth_request: invalid user %s", user); 
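Review bot: The refreshed declaration `const struct sshcipher *cipher = cipher_by_name(enc);` in audit-linux.c leaves the pointer unchecked, while the kex.c choose_enc hunk on this same page treats `cipher_by_name()` as able to return NULL. If `cipher` is dereferenced to fill the `ksize=%d` field of the snprintf that follows (its argument list is outside the hunk), a guard such as `if (cipher == NULL) { error("%s: unknown cipher %s", __func__, enc); ... }` that bails out before the format call would avoid a NULL dereference on an unexpected cipher name in the audit path. The snprintf return value is also not checked, so a truncated audit record would be emitted without notice; comparing it against `sizeof(buf)` and logging on truncation keeps the record trustworthy. The enclosing function starts and ends outside the hunk, so the bail-out form should follow whatever it returns.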
@@ -779,9 +779,9 @@ diff -up openssh/auth2.c.audit openssh/auth2.c } #ifdef USE_PAM if (options.use_pam) -diff -up openssh/auth2-hostbased.c.audit openssh/auth2-hostbased.c ---- openssh/auth2-hostbased.c.audit 2015-06-24 11:53:29.682390720 +0200 -+++ openssh/auth2-hostbased.c 2015-06-24 11:53:29.782390464 +0200 +diff -up openssh-7.0p1/auth2-hostbased.c.audit openssh-7.0p1/auth2-hostbased.c +--- openssh-7.0p1/auth2-hostbased.c.audit 2015-08-12 11:33:00.303914456 +0200 ++++ openssh-7.0p1/auth2-hostbased.c 2015-08-12 11:33:00.412914286 +0200 @@ -146,7 +146,7 @@ userauth_hostbased(Authctxt *authctxt) /* test for allowed key and correct signature */ authenticated = 0; @@ -810,9 +810,9 @@ diff -up openssh/auth2-hostbased.c.audit openssh/auth2-hostbased.c /* return 1 if given hostkey is allowed */ int hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, -diff -up openssh/auth2-pubkey.c.audit openssh/auth2-pubkey.c ---- openssh/auth2-pubkey.c.audit 2015-06-24 11:53:29.783390462 +0200 -+++ openssh/auth2-pubkey.c 2015-06-24 11:58:49.547572821 +0200 +diff -up openssh-7.0p1/auth2-pubkey.c.audit openssh-7.0p1/auth2-pubkey.c +--- openssh-7.0p1/auth2-pubkey.c.audit 2015-08-12 11:33:00.318914432 +0200 ++++ openssh-7.0p1/auth2-pubkey.c 2015-08-12 11:33:00.412914286 +0200 @@ -175,7 +175,7 @@ userauth_pubkey(Authctxt *authctxt) /* test for correct signature */ authenticated = 0; 
@@ -841,10 +841,10 @@ diff -up openssh/auth2-pubkey.c.audit openssh/auth2-pubkey.c /* * Splits 's' into an argument vector. Handles quoted string and basic * escape characters (\\, \", \'). Caller must free the argument vector -diff -up openssh/auth.c.audit openssh/auth.c ---- openssh/auth.c.audit 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/auth.c 2015-06-24 11:53:29.782390464 +0200 -@@ -643,9 +643,6 @@ getpwnamallow(const char *user) +diff -up openssh-7.0p1/auth.c.audit openssh-7.0p1/auth.c +--- openssh-7.0p1/auth.c.audit 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/auth.c 2015-08-12 11:33:00.412914286 +0200 +@@ -645,9 +645,6 @@ getpwnamallow(const char *user) record_failed_login(user, get_canonical_hostname(options.use_dns), "ssh"); #endif @@ -854,9 +854,9 @@ diff -up openssh/auth.c.audit openssh/auth.c return (NULL); } if (!allowed_user(pw)) -diff -up openssh/auth.h.audit openssh/auth.h ---- openssh/auth.h.audit 2015-06-24 11:53:29.682390720 +0200 -+++ openssh/auth.h 2015-06-24 11:53:29.782390464 +0200 +diff -up openssh-7.0p1/auth.h.audit openssh-7.0p1/auth.h +--- openssh-7.0p1/auth.h.audit 2015-08-12 11:33:00.302914457 +0200 ++++ openssh-7.0p1/auth.h 2015-08-12 11:33:00.412914286 +0200 @@ -195,6 +195,7 @@ void abandon_challenge_response(Authctxt char *expand_authorized_keys(const char *, struct passwd *pw); @@ -873,9 +873,9 @@ diff -up openssh/auth.h.audit openssh/auth.h /* debug messages during authentication */ void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2))); -diff -up openssh/auth-rsa.c.audit openssh/auth-rsa.c ---- openssh/auth-rsa.c.audit 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/auth-rsa.c 2015-06-24 11:53:29.782390464 +0200 +diff -up openssh-7.0p1/auth-rsa.c.audit openssh-7.0p1/auth-rsa.c +--- openssh-7.0p1/auth-rsa.c.audit 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/auth-rsa.c 2015-08-12 11:33:00.412914286 +0200 
@@ -95,7 +95,10 @@ auth_rsa_verify_response(Key *key, BIGNU { u_char buf[32], mdbuf[16]; @@ -912,9 +912,9 @@ diff -up openssh/auth-rsa.c.audit openssh/auth-rsa.c } /* -diff -up openssh/cipher.c.audit openssh/cipher.c ---- openssh/cipher.c.audit 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/cipher.c 2015-06-24 11:53:29.783390462 +0200 +diff -up openssh-7.0p1/cipher.c.audit openssh-7.0p1/cipher.c +--- openssh-7.0p1/cipher.c.audit 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/cipher.c 2015-08-12 11:33:00.412914286 +0200 @@ -57,26 +57,6 @@ extern const EVP_CIPHER *evp_ssh1_3des(v extern int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); #endif @@ -942,9 +942,9 @@ diff -up openssh/cipher.c.audit openssh/cipher.c static const struct sshcipher ciphers[] = { #ifdef WITH_SSH1 { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, -diff -up openssh/cipher.h.audit openssh/cipher.h ---- openssh/cipher.h.audit 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/cipher.h 2015-06-24 11:53:29.783390462 +0200 +diff -up openssh-7.0p1/cipher.h.audit openssh-7.0p1/cipher.h +--- openssh-7.0p1/cipher.h.audit 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/cipher.h 2015-08-12 11:33:00.413914284 +0200 @@ -62,7 +62,26 @@ #define CIPHER_ENCRYPT 1 #define CIPHER_DECRYPT 0 @@ -973,9 +973,9 @@ diff -up openssh/cipher.h.audit openssh/cipher.h struct sshcipher_ctx { int plaintext; int encrypt; -diff -up openssh/kex.c.audit openssh/kex.c ---- openssh/kex.c.audit 2015-06-24 11:53:29.733390590 +0200 -+++ openssh/kex.c 2015-06-24 11:53:29.783390462 +0200 +diff -up openssh-7.0p1/kex.c.audit openssh-7.0p1/kex.c +--- openssh-7.0p1/kex.c.audit 2015-08-12 11:33:00.351914381 +0200 ++++ openssh-7.0p1/kex.c 2015-08-12 11:33:00.413914284 +0200 @@ -54,6 +54,7 @@ #include "ssherr.h" #include "sshbuf.h" 
@@ -984,7 +984,7 @@ diff -up openssh/kex.c.audit openssh/kex.c #ifdef GSSAPI #include "ssh-gss.h" -@@ -486,8 +487,12 @@ choose_enc(struct sshenc *enc, char *cli +@@ -549,8 +550,12 @@ choose_enc(struct sshenc *enc, char *cli { char *name = match_list(client, server, NULL); @@ -998,7 +998,7 @@ diff -up openssh/kex.c.audit openssh/kex.c if ((enc->cipher = cipher_by_name(name)) == NULL) return SSH_ERR_INTERNAL_ERROR; enc->name = name; -@@ -505,8 +510,12 @@ choose_mac(struct ssh *ssh, struct sshma +@@ -568,8 +573,12 @@ choose_mac(struct ssh *ssh, struct sshma { char *name = match_list(client, server, NULL); @@ -1012,7 +1012,7 @@ diff -up openssh/kex.c.audit openssh/kex.c if (mac_setup(mac, name) < 0) return SSH_ERR_INTERNAL_ERROR; /* truncate the key */ -@@ -523,8 +532,12 @@ choose_comp(struct sshcomp *comp, char * +@@ -586,8 +595,12 @@ choose_comp(struct sshcomp *comp, char * { char *name = match_list(client, server, NULL); @@ -1026,7 +1026,7 @@ diff -up openssh/kex.c.audit openssh/kex.c if (strcmp(name, "zlib@openssh.com") == 0) { comp->type = COMP_DELAYED; } else if (strcmp(name, "zlib") == 0) { -@@ -674,6 +687,10 @@ kex_choose_conf(struct ssh *ssh) +@@ -753,6 +766,10 @@ kex_choose_conf(struct ssh *ssh) dh_need = MAX(dh_need, newkeys->enc.block_size); dh_need = MAX(dh_need, newkeys->enc.iv_len); dh_need = MAX(dh_need, newkeys->mac.key_len); @@ -1037,7 +1037,7 @@ diff -up openssh/kex.c.audit openssh/kex.c } /* XXX need runden? */ kex->we_need = need; -@@ -849,3 +866,34 @@ dump_digest(char *msg, u_char *digest, i +@@ -928,3 +945,34 @@ dump_digest(char *msg, u_char *digest, i sshbuf_dump_data(digest, len, stderr); } #endif 
@@ -1072,10 +1072,10 @@ diff -up openssh/kex.c.audit openssh/kex.c + memset(&newkeys->comp, 0, sizeof(newkeys->comp)); +} + -diff -up openssh/kex.h.audit openssh/kex.h ---- openssh/kex.h.audit 2015-06-24 11:53:29.733390590 +0200 -+++ openssh/kex.h 2015-06-24 11:53:29.784390459 +0200 -@@ -199,6 +199,8 @@ int kexgss_client(struct ssh *); +diff -up openssh-7.0p1/kex.h.audit openssh-7.0p1/kex.h +--- openssh-7.0p1/kex.h.audit 2015-08-12 11:33:00.352914379 +0200 ++++ openssh-7.0p1/kex.h 2015-08-12 11:33:00.413914284 +0200 +@@ -202,6 +202,8 @@ int kexgss_client(struct ssh *); int kexgss_server(struct ssh *); #endif @@ -1084,20 +1084,20 @@ diff -up openssh/kex.h.audit openssh/kex.h int kex_dh_hash(const char *, const char *, const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *); -diff -up openssh/key.h.audit openssh/key.h ---- openssh/key.h.audit 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/key.h 2015-06-24 11:53:29.784390459 +0200 +diff -up openssh-7.0p1/key.h.audit openssh-7.0p1/key.h +--- openssh-7.0p1/key.h.audit 2015-08-12 11:33:00.413914284 +0200 ++++ openssh-7.0p1/key.h 2015-08-12 11:33:45.908843298 +0200 @@ -50,6 +50,7 @@ typedef struct sshkey Key; #define key_ecdsa_bits_to_nid sshkey_ecdsa_bits_to_nid #define key_ecdsa_key_to_nid sshkey_ecdsa_key_to_nid #define key_is_cert sshkey_is_cert +#define key_is_private sshkey_is_private #define key_type_plain sshkey_type_plain - #define key_cert_is_legacy sshkey_cert_is_legacy #define key_curve_name_to_nid sshkey_curve_name_to_nid -diff -up openssh/mac.c.audit openssh/mac.c ---- openssh/mac.c.audit 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/mac.c 2015-06-24 11:53:29.784390459 +0200 + #define key_curve_nid_to_bits sshkey_curve_nid_to_bits +diff -up openssh-7.0p1/mac.c.audit openssh-7.0p1/mac.c +--- openssh-7.0p1/mac.c.audit 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/mac.c 2015-08-12 11:33:00.413914284 +0200 
@@ -226,6 +226,20 @@ mac_clear(struct sshmac *mac) mac->umac_ctx = NULL; } @@ -1119,9 +1119,9 @@ diff -up openssh/mac.c.audit openssh/mac.c /* XXX copied from ciphers_valid */ #define MAC_SEP "," int -diff -up openssh/mac.h.audit openssh/mac.h ---- openssh/mac.h.audit 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/mac.h 2015-06-24 11:53:29.784390459 +0200 +diff -up openssh-7.0p1/mac.h.audit openssh-7.0p1/mac.h +--- openssh-7.0p1/mac.h.audit 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/mac.h 2015-08-12 11:33:00.413914284 +0200 @@ -47,5 +47,6 @@ int mac_init(struct sshmac *); int mac_compute(struct sshmac *, u_int32_t, const u_char *, int, u_char *, size_t); @@ -1129,9 +1129,9 @@ diff -up openssh/mac.h.audit openssh/mac.h +void mac_destroy(struct sshmac *); #endif /* SSHMAC_H */ -diff -up openssh/Makefile.in.audit openssh/Makefile.in ---- openssh/Makefile.in.audit 2015-06-24 11:53:29.752390541 +0200 -+++ openssh/Makefile.in 2015-06-24 11:53:29.780390469 +0200 +diff -up openssh-7.0p1/Makefile.in.audit openssh-7.0p1/Makefile.in +--- openssh-7.0p1/Makefile.in.audit 2015-08-12 11:33:00.402914301 +0200 ++++ openssh-7.0p1/Makefile.in 2015-08-12 11:33:00.414914283 +0200 @@ -98,7 +98,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \ kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ @@ -1141,9 +1141,9 @@ diff -up openssh/Makefile.in.audit openssh/Makefile.in SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect1.o sshconnect2.o mux.o \ -diff -up openssh/monitor.c.audit openssh/monitor.c ---- openssh/monitor.c.audit 2015-06-24 11:53:29.759390523 +0200 -+++ openssh/monitor.c 2015-06-24 11:53:29.784390459 +0200 +diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c +--- openssh-7.0p1/monitor.c.audit 2015-08-12 11:33:00.378914339 +0200 ++++ openssh-7.0p1/monitor.c 2015-08-12 11:33:00.414914283 +0200 @@ -102,6 +102,7 @@ #include "ssh2.h" #include "roaming.h" 
@@ -1443,9 +1443,9 @@ diff -up openssh/monitor.c.audit openssh/monitor.c + return 0; +} +#endif /* SSH_AUDIT_EVENTS */ -diff -up openssh/monitor.h.audit openssh/monitor.h ---- openssh/monitor.h.audit 2015-06-24 11:53:29.759390523 +0200 -+++ openssh/monitor.h 2015-06-24 11:53:29.785390457 +0200 +diff -up openssh-7.0p1/monitor.h.audit openssh-7.0p1/monitor.h +--- openssh-7.0p1/monitor.h.audit 2015-08-12 11:33:00.378914339 +0200 ++++ openssh-7.0p1/monitor.h 2015-08-12 11:33:00.414914283 +0200 @@ -69,7 +69,13 @@ enum monitor_reqtype { MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107, MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109, @@ -1461,9 +1461,9 @@ diff -up openssh/monitor.h.audit openssh/monitor.h }; -diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c ---- openssh/monitor_wrap.c.audit 2015-06-24 11:53:29.734390587 +0200 -+++ openssh/monitor_wrap.c 2015-06-24 11:53:29.785390457 +0200 +diff -up openssh-7.0p1/monitor_wrap.c.audit openssh-7.0p1/monitor_wrap.c +--- openssh-7.0p1/monitor_wrap.c.audit 2015-08-12 11:33:00.353914378 +0200 ++++ openssh-7.0p1/monitor_wrap.c 2015-08-12 11:33:00.414914283 +0200 @@ -462,7 +462,7 @@ mm_key_allowed(enum mm_keytype type, cha */ @@ -1500,7 +1500,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c void mm_send_keystate(struct monitor *monitor) { -@@ -1006,10 +1019,11 @@ mm_audit_event(ssh_audit_event_t event) +@@ -1005,10 +1018,11 @@ mm_audit_event(ssh_audit_event_t event) buffer_free(&m); } @@ -1513,7 +1513,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c debug3("%s entering command %s", __func__, command); -@@ -1017,6 +1031,26 @@ mm_audit_run_command(const char *command +@@ -1016,6 +1030,26 @@ mm_audit_run_command(const char *command buffer_put_cstring(&m, command); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m); 
@@ -1540,7 +1540,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c buffer_free(&m); } #endif /* SSH_AUDIT_EVENTS */ -@@ -1152,3 +1186,70 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc +@@ -1151,3 +1185,70 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc #endif /* GSSAPI */ @@ -1611,9 +1611,9 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c + buffer_free(&m); +} +#endif /* SSH_AUDIT_EVENTS */ -diff -up openssh/monitor_wrap.h.audit openssh/monitor_wrap.h ---- openssh/monitor_wrap.h.audit 2015-06-24 11:53:29.734390587 +0200 -+++ openssh/monitor_wrap.h 2015-06-24 11:59:45.086430808 +0200 +diff -up openssh-7.0p1/monitor_wrap.h.audit openssh-7.0p1/monitor_wrap.h +--- openssh-7.0p1/monitor_wrap.h.audit 2015-08-12 11:33:00.353914378 +0200 ++++ openssh-7.0p1/monitor_wrap.h 2015-08-12 11:33:00.415914281 +0200 @@ -52,7 +52,8 @@ int mm_key_allowed(enum mm_keytype, char int mm_user_key_allowed(struct passwd *, Key *, int); int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *); @@ -1638,9 +1638,9 @@ diff -up openssh/monitor_wrap.h.audit openssh/monitor_wrap.h #endif struct Session; -diff -up openssh/packet.c.audit openssh/packet.c ---- openssh/packet.c.audit 2015-06-24 11:53:29.665390763 +0200 -+++ openssh/packet.c 2015-06-24 11:53:29.786390454 +0200 +diff -up openssh-7.0p1/packet.c.audit openssh-7.0p1/packet.c +--- openssh-7.0p1/packet.c.audit 2015-08-12 11:33:00.288914479 +0200 ++++ openssh-7.0p1/packet.c 2015-08-12 11:33:00.415914281 +0200 @@ -67,6 +67,7 @@ #include "key.h" /* typedefs XXX */ @@ -1714,7 +1714,7 @@ diff -up openssh/packet.c.audit openssh/packet.c if ((r = cipher_cleanup(cc)) != 0) return r; enc = &state->newkeys[mode]->enc; -@@ -2281,6 +2293,75 @@ ssh_packet_get_output(struct ssh *ssh) +@@ -2292,6 +2304,75 @@ ssh_packet_get_output(struct ssh *ssh) return (void *)ssh->state->output; } 
@@ -1790,7 +1790,7 @@ diff -up openssh/packet.c.audit openssh/packet.c /* XXX TODO update roaming to new API (does not work anyway) */ /* * Save the state for the real connection, and use a separate state when -@@ -2290,18 +2371,12 @@ void +@@ -2301,18 +2382,12 @@ void ssh_packet_backup_state(struct ssh *ssh, struct ssh *backup_state) { @@ -1810,7 +1810,7 @@ diff -up openssh/packet.c.audit openssh/packet.c } /* XXX FIXME FIXME FIXME */ -@@ -2320,9 +2395,7 @@ ssh_packet_restore_state(struct ssh *ssh +@@ -2331,9 +2406,7 @@ ssh_packet_restore_state(struct ssh *ssh backup_state = ssh; ssh = tmp; ssh->state->connection_in = backup_state->state->connection_in; @@ -1820,7 +1820,7 @@ diff -up openssh/packet.c.audit openssh/packet.c len = sshbuf_len(backup_state->state->input); if (len > 0) { if ((r = sshbuf_putb(ssh->state->input, -@@ -2331,6 +2404,11 @@ ssh_packet_restore_state(struct ssh *ssh +@@ -2342,6 +2415,11 @@ ssh_packet_restore_state(struct ssh *ssh sshbuf_reset(backup_state->state->input); add_recv_bytes(len); } @@ -1832,9 +1832,9 @@ diff -up openssh/packet.c.audit openssh/packet.c } /* Reset after_authentication and reset compression in post-auth privsep */ -diff -up openssh/packet.h.audit openssh/packet.h ---- openssh/packet.h.audit 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/packet.h 2015-06-24 11:53:29.786390454 +0200 +diff -up openssh-7.0p1/packet.h.audit openssh-7.0p1/packet.h +--- openssh-7.0p1/packet.h.audit 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/packet.h 2015-08-12 11:33:00.415914281 +0200 @@ -189,7 +189,7 @@ int sshpkt_get_end(struct ssh *ssh); const u_char *sshpkt_ptr(struct ssh *, size_t *lenp); 
@@ -1850,10 +1850,10 @@ diff -up openssh/packet.h.audit openssh/packet.h +void packet_destroy_all(int, int); #endif /* PACKET_H */ -diff -up openssh/sandbox-seccomp-filter.c.audit openssh/sandbox-seccomp-filter.c ---- openssh/sandbox-seccomp-filter.c.audit 2015-06-24 11:53:29.788390449 +0200 -+++ openssh/sandbox-seccomp-filter.c 2015-06-24 12:00:37.459296890 +0200 -@@ -147,6 +147,12 @@ static const struct sock_filter preauth_ +diff -up openssh-7.0p1/sandbox-seccomp-filter.c.audit openssh-7.0p1/sandbox-seccomp-filter.c +--- openssh-7.0p1/sandbox-seccomp-filter.c.audit 2015-08-12 11:33:00.394914314 +0200 ++++ openssh-7.0p1/sandbox-seccomp-filter.c 2015-08-12 11:33:00.415914281 +0200 +@@ -150,6 +150,12 @@ static const struct sock_filter preauth_ #ifdef __NR_gettimeofday SC_ALLOW(gettimeofday), #endif @@ -1866,9 +1866,9 @@ diff -up openssh/sandbox-seccomp-filter.c.audit openssh/sandbox-seccomp-filter.c #ifdef __NR_madvise SC_ALLOW(madvise), #endif -diff -up openssh/session.c.audit openssh/session.c ---- openssh/session.c.audit 2015-06-24 11:53:29.760390520 +0200 -+++ openssh/session.c 2015-06-24 11:53:29.786390454 +0200 +diff -up openssh-7.0p1/session.c.audit openssh-7.0p1/session.c +--- openssh-7.0p1/session.c.audit 2015-08-12 11:33:00.379914337 +0200 ++++ openssh-7.0p1/session.c 2015-08-12 11:33:00.416914280 +0200 @@ -139,7 +139,7 @@ extern int log_stderr; extern int debug_flag; extern u_int utmp_len; @@ -2022,9 +2022,9 @@ diff -up openssh/session.c.audit openssh/session.c - session_destroy_all(session_pty_cleanup2); + session_destroy_all(do_cleanup_one_session); } -diff -up openssh/session.h.audit openssh/session.h ---- openssh/session.h.audit 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/session.h 2015-06-24 11:53:29.786390454 +0200 +diff -up openssh-7.0p1/session.h.audit openssh-7.0p1/session.h +--- openssh-7.0p1/session.h.audit 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/session.h 2015-08-12 11:33:00.416914280 +0200 
@@ -61,6 +61,12 @@ struct Session { char *name; char *val; @@ -2049,10 +2049,10 @@ diff -up openssh/session.h.audit openssh/session.h Session *session_by_tty(char *); void session_close(Session *); void do_setusercontext(struct passwd *); -diff -up openssh/sshd.c.audit openssh/sshd.c ---- openssh/sshd.c.audit 2015-06-24 11:53:29.770390495 +0200 -+++ openssh/sshd.c 2015-06-24 11:53:29.787390451 +0200 -@@ -121,6 +121,7 @@ +diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c +--- openssh-7.0p1/sshd.c.audit 2015-08-12 11:33:00.388914323 +0200 ++++ openssh-7.0p1/sshd.c 2015-08-12 11:33:00.417914278 +0200 +@@ -122,6 +122,7 @@ #endif #include "monitor_wrap.h" #include "roaming.h" @@ -2060,7 +2060,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c #include "ssh-sandbox.h" #include "version.h" #include "ssherr.h" -@@ -260,7 +261,7 @@ Buffer loginmsg; +@@ -261,7 +262,7 @@ Buffer loginmsg; struct passwd *privsep_pw = NULL; /* Prototypes for various functions defined later in this file. */ @@ -2069,7 +2069,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c void demote_sensitive_data(void); #ifdef WITH_SSH1 -@@ -281,6 +282,15 @@ close_listen_socks(void) +@@ -282,6 +283,15 @@ close_listen_socks(void) num_listen_socks = -1; } @@ -2085,7 +2085,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c static void close_startup_pipes(void) { -@@ -560,22 +570,45 @@ sshd_exchange_identification(int sock_in +@@ -561,22 +571,45 @@ sshd_exchange_identification(int sock_in } } @@ -2134,7 +2134,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c key_free(sensitive_data.host_certificates[i]); sensitive_data.host_certificates[i] = NULL; } -@@ -589,6 +622,8 @@ void +@@ -590,6 +623,8 @@ void demote_sensitive_data(void) { Key *tmp; @@ -2143,7 +2143,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c int i; if (sensitive_data.server_key) { -@@ -597,13 +632,25 @@ demote_sensitive_data(void) +@@ -598,13 +633,25 @@ demote_sensitive_data(void) sensitive_data.server_key = tmp; } 
@@ -2169,7 +2169,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c } /* Certs do not need demotion */ } -@@ -675,7 +722,7 @@ privsep_preauth(Authctxt *authctxt) +@@ -676,7 +723,7 @@ privsep_preauth(Authctxt *authctxt) if (use_privsep == PRIVSEP_ON) box = ssh_sandbox_init(pmonitor); @@ -2178,7 +2178,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c if (pid == -1) { fatal("fork of unprivileged child failed"); } else if (pid != 0) { -@@ -759,6 +806,12 @@ privsep_postauth(Authctxt *authctxt) +@@ -760,6 +807,12 @@ privsep_postauth(Authctxt *authctxt) else if (pmonitor->m_pid != 0) { verbose("User child is on pid %ld", (long)pmonitor->m_pid); buffer_clear(&loginmsg); @@ -2191,7 +2191,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c monitor_child_postauth(pmonitor); /* NEVERREACHED */ -@@ -1288,6 +1341,7 @@ server_accept_loop(int *sock_in, int *so +@@ -1292,6 +1345,7 @@ server_accept_loop(int *sock_in, int *so if (received_sigterm) { logit("Received signal %d; terminating.", (int) received_sigterm); @@ -2199,7 +2199,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c close_listen_socks(); if (options.pid_file != NULL) unlink(options.pid_file); -@@ -2251,6 +2305,7 @@ main(int ac, char **av) +@@ -2255,6 +2309,7 @@ main(int ac, char **av) */ if (use_privsep) { mm_send_keystate(pmonitor); @@ -2207,7 +2207,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c exit(0); } -@@ -2296,7 +2351,7 @@ main(int ac, char **av) +@@ -2300,7 +2355,7 @@ main(int ac, char **av) privsep_postauth(authctxt); /* the monitor process [priv] will not return */ if (!compat20) @@ -2216,7 +2216,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c } packet_set_timeout(options.client_alive_interval, -@@ -2310,6 +2365,9 @@ main(int ac, char **av) +@@ -2314,6 +2369,9 @@ main(int ac, char **av) do_authenticated(authctxt); /* The connection has been terminated. */ 
@@ -2226,7 +2226,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c packet_get_bytes(&ibytes, &obytes); verbose("Transferred: sent %llu, received %llu bytes", (unsigned long long)obytes, (unsigned long long)ibytes); -@@ -2470,6 +2528,10 @@ do_ssh1_kex(void) +@@ -2474,6 +2532,10 @@ do_ssh1_kex(void) if (cookie[i] != packet_get_char()) packet_disconnect("IP Spoofing check bytes do not match."); @@ -2237,7 +2237,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c debug("Encryption type: %.200s", cipher_name(cipher_type)); /* Get the encrypted integer. */ -@@ -2529,7 +2591,7 @@ do_ssh1_kex(void) +@@ -2533,7 +2595,7 @@ do_ssh1_kex(void) } /* Destroy the private and public keys. No longer. */ @@ -2246,7 +2246,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c if (use_privsep) mm_ssh1_session_id(session_id); -@@ -2712,6 +2774,16 @@ do_ssh2_kex(void) +@@ -2705,6 +2767,16 @@ do_ssh2_kex(void) void cleanup_exit(int i) { @@ -2263,7 +2263,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c if (the_authctxt) { do_cleanup(the_authctxt); if (use_privsep && privsep_is_preauth && -@@ -2723,9 +2795,14 @@ cleanup_exit(int i) +@@ -2716,9 +2788,14 @@ cleanup_exit(int i) pmonitor->m_pid, strerror(errno)); } } 
@@ -2279,22 +2279,20 @@ diff -up openssh/sshd.c.audit openssh/sshd.c audit_event(SSH_CONNECTION_ABANDON); #endif _exit(i); -diff -up openssh/sshkey.c.audit openssh/sshkey.c ---- openssh/sshkey.c.audit 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/sshkey.c 2015-06-24 11:53:29.787390451 +0200 -@@ -317,6 +317,33 @@ sshkey_type_is_valid_ca(int type) +diff -up openssh-7.0p1/sshkey.c.audit openssh-7.0p1/sshkey.c +--- openssh-7.0p1/sshkey.c.audit 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/sshkey.c 2015-08-12 11:33:00.417914278 +0200 +@@ -299,6 +299,31 @@ sshkey_type_is_valid_ca(int type) } int +sshkey_is_private(const struct sshkey *k) +{ + switch (k->type) { -+ case KEY_RSA_CERT_V00: + case KEY_RSA_CERT: + case KEY_RSA1: + case KEY_RSA: + return k->rsa->d != NULL; -+ case KEY_DSA_CERT_V00: + case KEY_DSA_CERT: + case KEY_DSA: + return k->dsa->priv_key != NULL; @@ -2316,10 +2314,10 @@ diff -up openssh/sshkey.c.audit openssh/sshkey.c sshkey_is_cert(const struct sshkey *k) { if (k == NULL) -diff -up openssh/sshkey.h.audit openssh/sshkey.h ---- openssh/sshkey.h.audit 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/sshkey.h 2015-06-24 11:53:29.787390451 +0200 -@@ -134,6 +134,7 @@ u_int sshkey_size(const struct sshkey +diff -up openssh-7.0p1/sshkey.h.audit openssh-7.0p1/sshkey.h +--- openssh-7.0p1/sshkey.h.audit 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/sshkey.h 2015-08-12 11:33:00.417914278 +0200 +@@ -132,6 +132,7 @@ u_int sshkey_size(const struct sshkey int sshkey_generate(int type, u_int bits, struct sshkey **keyp); int sshkey_from_private(const struct sshkey *, struct sshkey **); int sshkey_type_from_name(const char *); diff --git a/openssh-6.7p1-fips.patch b/openssh-6.7p1-fips.patch index bd43f1c..923793d 100644 --- a/openssh-6.7p1-fips.patch +++ b/openssh-6.7p1-fips.patch 
@@ -1,6 +1,6 @@ -diff -up openssh/cipher.c.fips openssh/cipher.c ---- openssh/cipher.c.fips 2015-06-24 12:00:58.730242500 +0200 -+++ openssh/cipher.c 2015-06-24 12:00:58.737242482 +0200 +diff -up openssh-7.0p1/cipher.c.fips openssh-7.0p1/cipher.c +--- openssh-7.0p1/cipher.c.fips 2015-08-12 11:34:11.722803020 +0200 ++++ openssh-7.0p1/cipher.c 2015-08-12 11:34:11.733803003 +0200 @@ -39,6 +39,8 @@ #include @@ -73,9 +73,9 @@ diff -up openssh/cipher.c.fips openssh/cipher.c if (strcasecmp(c->name, name) == 0) return c->number; return -1; -diff -up openssh/cipher-ctr.c.fips openssh/cipher-ctr.c ---- openssh/cipher-ctr.c.fips 2015-06-24 12:00:58.669242656 +0200 -+++ openssh/cipher-ctr.c 2015-06-24 12:00:58.736242484 +0200 +diff -up openssh-7.0p1/cipher-ctr.c.fips openssh-7.0p1/cipher-ctr.c +--- openssh-7.0p1/cipher-ctr.c.fips 2015-08-12 11:34:11.650803133 +0200 ++++ openssh-7.0p1/cipher-ctr.c 2015-08-12 11:34:11.734803002 +0200 @@ -179,7 +179,8 @@ evp_aes_128_ctr(void) aes_ctr.do_cipher = ssh_aes_ctr; #ifndef SSH_OLD_EVP @@ -86,9 +86,9 @@ diff -up openssh/cipher-ctr.c.fips openssh/cipher-ctr.c #endif return (&aes_ctr); } -diff -up openssh/dh.h.fips openssh/dh.h ---- openssh/dh.h.fips 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/dh.h 2015-06-24 12:00:58.737242482 +0200 +diff -up openssh-7.0p1/dh.h.fips openssh-7.0p1/dh.h +--- openssh-7.0p1/dh.h.fips 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/dh.h 2015-08-12 11:34:11.734803002 +0200 @@ -46,6 +46,7 @@ u_int dh_estimate(int); /* Min and max values from RFC4419. */ 
@@ -97,9 +97,9 @@ diff -up openssh/dh.h.fips openssh/dh.h #define DH_GRP_MAX 8192 /* -diff -up openssh/entropy.c.fips openssh/entropy.c ---- openssh/entropy.c.fips 2015-06-24 12:00:58.662242674 +0200 -+++ openssh/entropy.c 2015-06-24 12:00:58.737242482 +0200 +diff -up openssh-7.0p1/entropy.c.fips openssh-7.0p1/entropy.c +--- openssh-7.0p1/entropy.c.fips 2015-08-12 11:34:11.643803144 +0200 ++++ openssh-7.0p1/entropy.c 2015-08-12 11:34:11.734803002 +0200 @@ -217,6 +217,9 @@ seed_rng(void) fatal("OpenSSL version mismatch. Built against %lx, you " "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay()); @@ -110,9 +110,9 @@ diff -up openssh/entropy.c.fips openssh/entropy.c #ifndef OPENSSL_PRNG_ONLY if (RAND_status() == 1) { debug3("RNG is ready, skipping seeding"); -diff -up openssh/kex.c.fips openssh/kex.c ---- openssh/kex.c.fips 2015-06-24 12:00:58.730242500 +0200 -+++ openssh/kex.c 2015-06-24 12:00:58.737242482 +0200 +diff -up openssh-7.0p1/kex.c.fips openssh-7.0p1/kex.c +--- openssh-7.0p1/kex.c.fips 2015-08-12 11:34:11.723803019 +0200 ++++ openssh-7.0p1/kex.c 2015-08-12 11:34:11.734803002 +0200 @@ -35,6 +35,7 @@ #ifdef WITH_OPENSSL @@ -168,9 +168,9 @@ diff -up openssh/kex.c.fips openssh/kex.c free(s); return 0; } -diff -up openssh/kexgexc.c.fips openssh/kexgexc.c ---- openssh/kexgexc.c.fips 2015-06-24 12:00:58.737242482 +0200 -+++ openssh/kexgexc.c 2015-06-24 12:02:26.996015709 +0200 +diff -up openssh-7.0p1/kexgexc.c.fips openssh-7.0p1/kexgexc.c +--- openssh-7.0p1/kexgexc.c.fips 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/kexgexc.c 2015-08-12 11:34:11.734803002 +0200 @@ -28,6 +28,7 @@ #ifdef WITH_OPENSSL 
@@ -188,9 +188,9 @@ diff -up openssh/kexgexc.c.fips openssh/kexgexc.c kex->max = DH_GRP_MAX; kex->nbits = nbits; if (datafellows & SSH_BUG_DHGEX_LARGE) -diff -up openssh/kexgexs.c.fips openssh/kexgexs.c ---- openssh/kexgexs.c.fips 2015-06-24 12:00:58.738242479 +0200 -+++ openssh/kexgexs.c 2015-06-24 13:48:23.735320199 +0200 +diff -up openssh-7.0p1/kexgexs.c.fips openssh-7.0p1/kexgexs.c +--- openssh-7.0p1/kexgexs.c.fips 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/kexgexs.c 2015-08-12 11:34:11.735803000 +0200 @@ -81,11 +81,11 @@ input_kex_dh_gex_request(int type, u_int (r = sshpkt_get_end(ssh)) != 0) goto out; @@ -206,9 +206,9 @@ diff -up openssh/kexgexs.c.fips openssh/kexgexs.c nbits = MIN(DH_GRP_MAX, nbits); if (kex->max < kex->min || kex->nbits < kex->min || -diff -up openssh/mac.c.fips openssh/mac.c ---- openssh/mac.c.fips 2015-06-24 12:00:58.731242497 +0200 -+++ openssh/mac.c 2015-06-24 12:00:58.738242479 +0200 +diff -up openssh-7.0p1/mac.c.fips openssh-7.0p1/mac.c +--- openssh-7.0p1/mac.c.fips 2015-08-12 11:34:11.725803016 +0200 ++++ openssh-7.0p1/mac.c 2015-08-12 11:34:11.735803000 +0200 @@ -27,6 +27,8 @@ #include @@ -270,9 +270,9 @@ diff -up openssh/mac.c.fips openssh/mac.c if (strcmp(name, m->name) != 0) continue; if (mac != NULL) -diff -up openssh/Makefile.in.fips openssh/Makefile.in ---- openssh/Makefile.in.fips 2015-06-24 12:00:58.731242497 +0200 -+++ openssh/Makefile.in 2015-06-24 12:00:58.736242484 +0200 +diff -up openssh-7.0p1/Makefile.in.fips openssh-7.0p1/Makefile.in +--- openssh-7.0p1/Makefile.in.fips 2015-08-12 11:34:11.725803016 +0200 ++++ openssh-7.0p1/Makefile.in 2015-08-12 11:34:11.735803000 +0200 @@ -168,25 +168,25 @@ libssh.a: $(LIBSSH_OBJS) $(RANLIB) $@ 
@@ -314,10 +314,10 @@ diff -up openssh/Makefile.in.fips openssh/Makefile.in sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -diff -up openssh/myproposal.h.fips openssh/myproposal.h ---- openssh/myproposal.h.fips 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/myproposal.h 2015-06-24 12:00:58.738242479 +0200 -@@ -143,6 +143,28 @@ +diff -up openssh-7.0p1/myproposal.h.fips openssh-7.0p1/myproposal.h +--- openssh-7.0p1/myproposal.h.fips 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/myproposal.h 2015-08-12 11:34:11.735803000 +0200 +@@ -138,6 +138,28 @@ "hmac-sha1-96," \ "hmac-md5-96" 
@@ -346,10 +346,45 @@ diff -up openssh/myproposal.h.fips openssh/myproposal.h #else #define KEX_SERVER_KEX \ -diff -up openssh/servconf.c.fips openssh/servconf.c ---- openssh/servconf.c.fips 2015-06-24 12:00:58.726242510 +0200 -+++ openssh/servconf.c 2015-06-24 13:49:40.164085648 +0200 -@@ -2319,8 +2319,10 @@ dump_config(ServerOptions *o) +diff -up openssh-7.0p1/readconf.c.fips openssh-7.0p1/readconf.c +--- openssh-7.0p1/readconf.c.fips 2015-08-12 14:37:39.206466634 +0200 ++++ openssh-7.0p1/readconf.c 2015-08-12 14:47:00.342350208 +0200 +@@ -1897,9 +1897,12 @@ fill_default_options(Options * options) + options->fingerprint_hash = SSH_FP_HASH_DEFAULT; + if (options->update_hostkeys == -1) + options->update_hostkeys = 0; +- if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 || +- kex_assemble_names(KEX_CLIENT_MAC, &options->macs) != 0 || +- kex_assemble_names(KEX_CLIENT_KEX, &options->kex_algorithms) != 0 || ++ if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_ENCRYPT ++ : KEX_CLIENT_ENCRYPT), &options->ciphers) != 0 || ++ kex_assemble_names((FIPS_mode() ? KEX_FIPS_MAC ++ : KEX_CLIENT_MAC), &options->macs) != 0 || ++ kex_assemble_names((FIPS_mode() ? KEX_DEFAULT_KEX_FIPS ++ : KEX_CLIENT_KEX), &options->kex_algorithms) != 0 || + kex_assemble_names(KEX_DEFAULT_PK_ALG, + &options->hostbased_key_types) != 0 || + kex_assemble_names(KEX_DEFAULT_PK_ALG, +diff -up openssh-7.0p1/servconf.c.fips openssh-7.0p1/servconf.c +--- openssh-7.0p1/servconf.c.fips 2015-08-12 11:34:11.714803033 +0200 ++++ openssh-7.0p1/servconf.c 2015-08-12 14:50:14.608951396 +0200 +@@ -357,9 +357,12 @@ fill_default_server_options(ServerOption + if (options->use_kuserok == -1) + options->use_kuserok = 1; + +- if (kex_assemble_names(KEX_SERVER_ENCRYPT, &options->ciphers) != 0 || +- kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 || +- kex_assemble_names(KEX_SERVER_KEX, &options->kex_algorithms) != 0 || ++ if (kex_assemble_names((FIPS_mode() ? 
KEX_FIPS_ENCRYPT ++ : KEX_SERVER_ENCRYPT), &options->ciphers) != 0 || ++ kex_assemble_names((FIPS_mode() ? KEX_FIPS_MAC ++ : KEX_SERVER_MAC), &options->macs) != 0 || ++ kex_assemble_names((FIPS_mode() ? KEX_DEFAULT_KEX_FIPS ++ : KEX_SERVER_KEX), &options->kex_algorithms) != 0 || + kex_assemble_names(KEX_DEFAULT_PK_ALG, + &options->hostbased_key_types) != 0 || + kex_assemble_names(KEX_DEFAULT_PK_ALG, +@@ -2336,8 +2339,10 @@ dump_config(ServerOptions *o) /* string arguments */ dump_cfg_string(sPidFile, o->pid_file); dump_cfg_string(sXAuthLocation, o->xauth_location); @@ -362,7 +397,7 @@ diff -up openssh/servconf.c.fips openssh/servconf.c dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none"); dump_cfg_string(sForceCommand, o->adm_forced_command); dump_cfg_string(sChrootDirectory, o->chroot_directory); -@@ -2335,8 +2337,8 @@ dump_config(ServerOptions *o) +@@ -2352,8 +2357,8 @@ dump_config(ServerOptions *o) dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command); dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user); dump_cfg_string(sHostKeyAgent, o->host_key_agent); @@ -372,10 +407,10 @@ diff -up openssh/servconf.c.fips openssh/servconf.c + FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX); dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ? o->hostbased_key_types : KEX_DEFAULT_PK_ALG); - dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ? -diff -up openssh/ssh.c.fips openssh/ssh.c ---- openssh/ssh.c.fips 2015-06-23 02:34:47.000000000 +0200 -+++ openssh/ssh.c 2015-06-24 12:00:58.738242479 +0200 + dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ? +diff -up openssh-7.0p1/ssh.c.fips openssh-7.0p1/ssh.c +--- openssh-7.0p1/ssh.c.fips 2015-08-11 10:57:29.000000000 +0200 ++++ openssh-7.0p1/ssh.c 2015-08-12 11:34:11.736802999 +0200 @@ -75,6 +75,8 @@ #include #include 
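Review bot: In the new readconf.c/servconf.c lines the FIPS lists are handed to kex_assemble_names() as the *default*, and in 7.0p1 that helper also implements the `+name` append syntax, so a config line such as `Ciphers +chacha20-poly1305@openssh.com` in FIPS mode is appended to KEX_FIPS_ENCRYPT rather than rejected (the removed `else if (FIPS_mode())` branches in ssh_kex2()/do_ssh2_kex() were likewise only reached when the option was unset, so explicit-override precedence itself is unchanged). Whether that is acceptable depends on the FIPS-patched ciphers_valid()/mac_valid() checks, which are outside this hunk; if they only validate names rather than FIPS approval, the assembled options->ciphers/macs/kex_algorithms should be filtered against the FIPS sets right after these calls, or startup should fail. A comment above the new calls would also help, e.g. `/* In FIPS mode the approved lists become the defaults; explicit Ciphers/MACs/KexAlgorithms still take precedence. */`, since the precedence is no longer visible at the proposal-building site. Note too that once fill_default_server_options() has run, the `o->ciphers ? o->ciphers : FIPS_mode() ? ...` fallbacks in dump_config() appear unreachable if kex_assemble_names() always populates the field as it does upstream; the enclosing fill_default_* functions start and end outside the hunk.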
@@ -385,7 +420,7 @@ diff -up openssh/ssh.c.fips openssh/ssh.c #include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/sys-queue.h" -@@ -521,6 +523,14 @@ main(int ac, char **av) +@@ -522,6 +524,14 @@ main(int ac, char **av) sanitise_stdfd(); __progname = ssh_get_progname(av[0]); @@ -400,7 +435,7 @@ diff -up openssh/ssh.c.fips openssh/ssh.c #ifndef HAVE_SETPROCTITLE /* Prepare for later setproctitle emulation */ -@@ -598,6 +608,9 @@ main(int ac, char **av) +@@ -599,6 +609,9 @@ main(int ac, char **av) "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { switch (opt) { case '1': @@ -410,7 +445,7 @@ diff -up openssh/ssh.c.fips openssh/ssh.c options.protocol = SSH_PROTO_1; break; case '2': -@@ -939,7 +952,6 @@ main(int ac, char **av) +@@ -940,7 +953,6 @@ main(int ac, char **av) host_arg = xstrdup(host); #ifdef WITH_OPENSSL @@ -418,7 +453,7 @@ diff -up openssh/ssh.c.fips openssh/ssh.c ERR_load_crypto_strings(); #endif -@@ -1113,6 +1125,10 @@ main(int ac, char **av) +@@ -1114,6 +1126,10 @@ main(int ac, char **av) seed_rng(); @@ -429,7 +464,7 @@ diff -up openssh/ssh.c.fips openssh/ssh.c if (options.user == NULL) options.user = xstrdup(pw->pw_name); -@@ -1190,6 +1206,12 @@ main(int ac, char **av) +@@ -1191,6 +1207,12 @@ main(int ac, char **av) timeout_ms = options.connection_timeout * 1000; @@ -442,10 +477,10 @@ diff -up openssh/ssh.c.fips openssh/ssh.c /* Open a connection to the remote host. */ if (ssh_connect(host, addrs, &hostaddr, options.port, options.address_family, options.connection_attempts, -diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c ---- openssh/sshconnect2.c.fips 2015-06-24 12:00:58.698242582 +0200 -+++ openssh/sshconnect2.c 2015-06-24 12:00:58.739242477 +0200 -@@ -46,6 +46,8 @@ +diff -up openssh-7.0p1/sshconnect2.c.fips openssh-7.0p1/sshconnect2.c +--- openssh-7.0p1/sshconnect2.c.fips 2015-08-12 11:34:11.678803089 +0200 ++++ openssh-7.0p1/sshconnect2.c 2015-08-12 11:34:11.737802997 +0200 +@@ -44,6 +44,8 @@ #include #endif 
@@ -454,7 +489,7 @@ diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c #include "openbsd-compat/sys-queue.h" #include "xmalloc.h" -@@ -172,20 +174,25 @@ ssh_kex2(char *host, struct sockaddr *ho +@@ -170,20 +172,25 @@ ssh_kex2(char *host, struct sockaddr *ho #ifdef GSSAPI if (options.gss_keyex) { 
@@ -494,45 +529,9 @@ diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c } } #endif -@@ -197,6 +204,10 @@ ssh_kex2(char *host, struct sockaddr *ho - if (options.ciphers != NULL) { - myproposal[PROPOSAL_ENC_ALGS_CTOS] = - myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; -+ } else if (FIPS_mode()) { -+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = -+ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT; -+ - } - myproposal[PROPOSAL_ENC_ALGS_CTOS] = - compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); -@@ -212,7 +223,11 @@ ssh_kex2(char *host, struct sockaddr *ho - if (options.macs != NULL) { - myproposal[PROPOSAL_MAC_ALGS_CTOS] = - myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; -+ } else if (FIPS_mode()) { -+ myproposal[PROPOSAL_MAC_ALGS_CTOS] = -+ myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC; - } -+ - if (options.hostkeyalgorithms != NULL) - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = - compat_pkalg_proposal(options.hostkeyalgorithms); -@@ -224,9 +239,11 @@ ssh_kex2(char *host, struct sockaddr *ho - } - if (options.kex_algorithms != NULL) - myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; -+ else if (FIPS_mode()) -+ myproposal[PROPOSAL_KEX_ALGS] = KEX_DEFAULT_KEX_FIPS; -+ - myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( - myproposal[PROPOSAL_KEX_ALGS]); -- - #ifdef GSSAPI - /* If we've got GSSAPI algorithms, then we also support the - * 'null' hostkey, as a last resort */ -diff -up openssh/sshd.c.fips openssh/sshd.c ---- openssh/sshd.c.fips 2015-06-24 12:00:58.734242489 +0200 -+++ openssh/sshd.c 2015-06-24 12:00:58.739242477 +0200 +diff -up openssh-7.0p1/sshd.c.fips openssh-7.0p1/sshd.c +--- openssh-7.0p1/sshd.c.fips 2015-08-12 11:34:11.729803010 +0200 ++++ openssh-7.0p1/sshd.c 2015-08-12 11:34:11.738802995 +0200 @@ -66,6 +66,7 @@ #include #include 
@@ -550,7 +549,7 @@ diff -up openssh/sshd.c.fips openssh/sshd.c #include "openbsd-compat/openssl-compat.h" #endif -@@ -1548,6 +1551,18 @@ main(int ac, char **av) +@@ -1552,6 +1555,18 @@ main(int ac, char **av) #endif __progname = ssh_get_progname(av[0]); @@ -569,7 +568,7 @@ diff -up openssh/sshd.c.fips openssh/sshd.c /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ saved_argc = ac; rexec_argc = ac; -@@ -1700,7 +1715,7 @@ main(int ac, char **av) +@@ -1704,7 +1719,7 @@ main(int ac, char **av) else closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); @@ -578,7 +577,7 @@ diff -up openssh/sshd.c.fips openssh/sshd.c OpenSSL_add_all_algorithms(); #endif -@@ -1901,6 +1916,10 @@ main(int ac, char **av) +@@ -1905,6 +1920,10 @@ main(int ac, char **av) sshkey_type(pubkey) : sshkey_ssh_name(pubkey), fp); free(fp); } @@ -589,7 +588,7 @@ diff -up openssh/sshd.c.fips openssh/sshd.c if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) { logit("Disabling protocol version 1. Could not load host key"); options.protocol &= ~SSH_PROTO_1; -@@ -2069,6 +2088,10 @@ main(int ac, char **av) +@@ -2073,6 +2092,10 @@ main(int ac, char **av) /* Reinitialize the log (because of the fork above). */ log_init(__progname, options.log_level, options.log_facility, log_stderr); 
@@ -600,36 +599,7 @@ diff -up openssh/sshd.c.fips openssh/sshd.c /* Chdir to the root directory so that the current disk can be unmounted if desired. */ if (chdir("/") == -1) -@@ -2654,6 +2677,9 @@ do_ssh2_kex(void) - if (options.ciphers != NULL) { - myproposal[PROPOSAL_ENC_ALGS_CTOS] = - myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; -+ } else if (FIPS_mode()) { -+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = -+ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT; - } - myproposal[PROPOSAL_ENC_ALGS_CTOS] = - compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); -@@ -2663,6 +2689,9 @@ do_ssh2_kex(void) - if (options.macs != NULL) { - myproposal[PROPOSAL_MAC_ALGS_CTOS] = - myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; -+ } else if (FIPS_mode()) { -+ myproposal[PROPOSAL_MAC_ALGS_CTOS] = -+ myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC; - } - if (options.compression == COMP_NONE) { - myproposal[PROPOSAL_COMP_ALGS_CTOS] = -@@ -2673,6 +2702,8 @@ do_ssh2_kex(void) - } - if (options.kex_algorithms != NULL) - myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; -+ else if (FIPS_mode()) -+ myproposal[PROPOSAL_KEX_ALGS] = KEX_DEFAULT_KEX_FIPS; - - myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( - myproposal[PROPOSAL_KEX_ALGS]); -@@ -2699,10 +2730,14 @@ do_ssh2_kex(void) +@@ -2692,10 +2715,14 @@ do_ssh2_kex(void) if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0) orig = NULL; @@ -648,9 +618,9 @@ diff -up openssh/sshd.c.fips openssh/sshd.c if (gss && orig) xasprintf(&newstr, "%s,%s", gss, orig); -diff -up openssh/sshkey.c.fips openssh/sshkey.c ---- openssh/sshkey.c.fips 2015-06-24 12:00:58.735242487 +0200 -+++ openssh/sshkey.c 2015-06-24 12:00:58.740242474 +0200 +diff -up openssh-7.0p1/sshkey.c.fips openssh-7.0p1/sshkey.c +--- openssh-7.0p1/sshkey.c.fips 2015-08-12 11:34:11.729803010 +0200 ++++ openssh-7.0p1/sshkey.c 2015-08-12 11:34:11.738802995 +0200 @@ -35,6 +35,7 @@ #include #include 
@@ -659,7 +629,7 @@ diff -up openssh/sshkey.c.fips openssh/sshkey.c
 #endif
 #include "crypto_api.h"
-@@ -1586,6 +1587,8 @@ rsa_generate_private_key(u_int bits, RSA
+@@ -1554,6 +1555,8 @@ rsa_generate_private_key(u_int bits, RSA
 }
 if (!BN_set_word(f4, RSA_F4) ||
 !RSA_generate_key_ex(private, bits, f4, NULL)) {
diff --git a/openssh-6.9p1-authentication-limits-bypass.patch b/openssh-6.9p1-authentication-limits-bypass.patch
deleted file mode 100644
index 10bde94..0000000
--- a/openssh-6.9p1-authentication-limits-bypass.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 5b64f85bb811246c59ebab70aed331f26ba37b18 Mon Sep 17 00:00:00 2001
-From: "djm@openbsd.org"
-Date: Sat, 18 Jul 2015 07:57:14 +0000
-Subject: upstream commit
-
-only query each keyboard-interactive device once per
- authentication request regardless of how many times it is listed; ok markus@
-
-Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1
----
- auth2-chall.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/auth2-chall.c b/auth2-chall.c
-index ddabe1a..4aff09d 100644
---- a/auth2-chall.c
-+++ b/auth2-chall.c
-@@ -83,6 +83,7 @@ struct KbdintAuthctxt
- void *ctxt;
- KbdintDevice *device;
- u_int nreq;
-+ u_int devices_done;
- };
-
- #ifdef USE_PAM
-@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
- if (len == 0)
- break;
- for (i = 0; devices[i]; i++) {
-- if (!auth2_method_allowed(authctxt,
-+ if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
-+ !auth2_method_allowed(authctxt,
- "keyboard-interactive", devices[i]->name))
- continue;
-- if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
-+ if (strncmp(kbdintctxt->devices, devices[i]->name,
-+ len) == 0) {
- kbdintctxt->device = devices[i];
-+ kbdintctxt->devices_done |= 1 << i;
-+ }
- }
- t = kbdintctxt->devices;
- kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
---
-cgit v0.11.2
-
-
diff --git a/openssh-6.9p1-permit-root-login.patch b/openssh-6.9p1-permit-root-login.patch
index 5d9df7c..6b4c4da 100644
--- a/openssh-6.9p1-permit-root-login.patch
+++ b/openssh-6.9p1-permit-root-login.patch
@@ -1,27 +1,12 @@
-diff --git a/sshd_config b/sshd_config
-index c9042ac..cf7d8e1 100644
---- a/sshd_config
-+++ b/sshd_config
-@@ -41,7 +41,7 @@
+diff -up openssh-7.0p1/sshd_config.root-login openssh-7.0p1/sshd_config
+--- openssh-7.0p1/sshd_config.root-login 2015-08-12 11:29:12.919269245 +0200
++++ openssh-7.0p1/sshd_config 2015-08-12 11:31:03.653096466 +0200
+@@ -46,7 +46,7 @@ SyslogFacility AUTHPRIV
 # Authentication:
 #LoginGraceTime 2m
--#PermitRootLogin no
-+#PermitRootLogin yes
+-#PermitRootLogin prohibit-password
++PermitRootLogin yes
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10
-diff --git a/sshd_config.5 b/sshd_config.5
-index 2bc9360..d3148c2 100644
---- a/sshd_config.5
-+++ b/sshd_config.5
-@@ -1093,7 +1093,7 @@ The argument must be
- or
- .Dq no .
- The default is
--.Dq no .
-+.Dq yes .
- .Pp
- If this option is set to
- .Dq without-password ,
-
diff --git a/openssh.spec b/openssh.spec
index a2b70a0..84fc143 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -65,10 +65,10 @@
 %endif
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
-%define openssh_ver 6.9p1
-%define openssh_rel 4
+%define openssh_ver 7.0p1
+%define openssh_rel 1
 %define pam_ssh_agent_ver 0.9.3
-%define pam_ssh_agent_rel 6
+%define pam_ssh_agent_rel 7
 Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
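Review bot: The rebased hunk replaces the commented upstream line `#PermitRootLogin prohibit-password` with an active `PermitRootLogin yes` directive, whereas the 6.9p1 version only edited a commented-out line and the sshd_config.5 default text, so this is a configuration change and not just a rebase. The packaged sshd_config now overrides the upstream compiled-in default and permits password authentication for root wherever the shipped file is installed (existing configs are presumably kept by the package, so the effect is on new installs), and with the man-page hunk dropped the documented default of prohibit-password no longer matches what the shipped file sets. The spec only labels this "Restore compatible default (#89216)", so suggest keeping the upstream line for the reader and stating the intent in place: `#PermitRootLogin prohibit-password`, then `# Overrides the upstream default to keep the behaviour of earlier releases (#89216)`, then `PermitRootLogin yes`. A changelog line in openssh.spec naming the explicit directive would also let administrators notice it when reviewing the upgrade.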
@@ -223,8 +223,6 @@ Patch926: openssh-6.7p1-sftp-force-permission.patch
 Patch928: openssh-6.8p1-memory-problems.patch
 # Restore compatible default (#89216)
 Patch929: openssh-6.9p1-permit-root-login.patch
-# authentication limits (MaxAuthTries) bypass [security] (#1245971)
-Patch930: openssh-6.9p1-authentication-limits-bypass.patch
 # Handle terminal control characters in scp progressmeter (#1247204)
 Patch931: openssh-6.9p1-scp-progressmeter.patch
@@ -462,7 +460,6 @@ popd
 %patch926 -p1 -b .sftp-force-mode
 %patch928 -p1 -b .memory
 %patch929 -p1 -b .root-login
-%patch930 -p1 -b .kbd
 %patch931 -p1 -b .progressmeter
 %patch200 -p1 -b .audit
@@ -810,6 +807,13 @@ getent passwd sshd >/dev/null || \
 %endif
 %changelog
+* Wed Aug 12 2015 Jakub Jelen 7.0p1-1 + 0.9.3.7
+- New upstream release (#1252639)
+- Fix pam_ssh_agent_auth package (#1251777)
+- Security: Use-after-free bug related to PAM support (#1252853)
+- Security: Privilege separation weakness related to PAM support (#1252854)
+- Security: Incorrectly set TTYs to be world-writable (#1252862)
+
 * Tue Jul 28 2015 Jakub Jelen 6.9p1-4 + 0.9.3-6
 - Handle terminal control characters in scp progressmeter (#1247204)