openssh-7.0p1-1 + 6.9.3-7

New upstream release (#1252639)
                - allow root login in default config
        Security: Use-after-free bug related to PAM support (#1252853)
        Security: Privilege separation weakness related to PAM support (#1252854)
        Security: Incorrectly set TTYs to be world-writable (#1252862)
Jakub Jelen 2015-08-13 17:43:12 +02:00
parent 2939c322fa
commit 3f55133c24
10 changed files with 507 additions and 597 deletions


@ -1,7 +1,7 @@
diff -up openssh/configure.ac.vendor openssh/configure.ac
--- openssh/configure.ac.vendor 2015-06-24 11:05:39.805679794 +0200
+++ openssh/configure.ac 2015-06-24 11:05:39.835679719 +0200
@@ -4751,6 +4751,12 @@ AC_ARG_WITH([lastlog],
diff -up openssh-7.0p1/configure.ac.vendor openssh-7.0p1/configure.ac
--- openssh-7.0p1/configure.ac.vendor 2015-08-12 11:14:54.102628399 +0200
+++ openssh-7.0p1/configure.ac 2015-08-12 11:14:54.129628356 +0200
@@ -4776,6 +4776,12 @@ AC_ARG_WITH([lastlog],
fi
]
)
@ -14,7 +14,7 @@ diff -up openssh/configure.ac.vendor openssh/configure.ac
dnl lastlog, [uw]tmpx? detection
dnl NOTE: set the paths in the platform section to avoid the
@@ -5013,6 +5019,7 @@ echo " Translate v4 in v6 hack
@@ -5038,6 +5044,7 @@ echo " Translate v4 in v6 hack
echo " BSD Auth support: $BSD_AUTH_MSG"
echo " Random number source: $RAND_MSG"
echo " Privsep sandbox style: $SANDBOX_STYLE"
@ -22,10 +22,10 @@ diff -up openssh/configure.ac.vendor openssh/configure.ac
echo ""
diff -up openssh/servconf.c.vendor openssh/servconf.c
--- openssh/servconf.c.vendor 2015-06-23 02:34:47.000000000 +0200
+++ openssh/servconf.c 2015-06-24 11:07:07.689460890 +0200
@@ -147,6 +147,7 @@ initialize_server_options(ServerOptions
diff -up openssh-7.0p1/servconf.c.vendor openssh-7.0p1/servconf.c
--- openssh-7.0p1/servconf.c.vendor 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/servconf.c 2015-08-12 11:15:33.201565712 +0200
@@ -149,6 +149,7 @@ initialize_server_options(ServerOptions
options->max_authtries = -1;
options->max_sessions = -1;
options->banner = NULL;
@ -42,16 +42,16 @@ diff -up openssh/servconf.c.vendor openssh/servconf.c
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
options->fwd_opts.streamlocal_bind_mask = 0177;
if (options->fwd_opts.streamlocal_bind_unlink == -1)
@@ -397,7 +400,7 @@ typedef enum {
@@ -407,7 +410,7 @@ typedef enum {
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
- sBanner, sUseDNS, sHostbasedAuthentication,
+ sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
sHostKeyAlgorithms,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
@@ -517,6 +520,7 @@ static struct {
@@ -529,6 +532,7 @@ static struct {
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
{ "maxsessions", sMaxSessions, SSHCFG_ALL },
{ "banner", sBanner, SSHCFG_ALL },
@ -59,7 +59,7 @@ diff -up openssh/servconf.c.vendor openssh/servconf.c
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
@@ -1372,6 +1376,10 @@ process_server_config_line(ServerOptions
@@ -1389,6 +1393,10 @@ process_server_config_line(ServerOptions
multistate_ptr = multistate_privsep;
goto parse_multistate;
@ -70,7 +70,7 @@ diff -up openssh/servconf.c.vendor openssh/servconf.c
case sAllowUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_allow_users >= MAX_ALLOW_USERS)
@@ -2249,6 +2257,7 @@ dump_config(ServerOptions *o)
@@ -2266,6 +2274,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUseLogin, o->use_login);
dump_cfg_fmtint(sCompression, o->compression);
dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
@ -78,10 +78,10 @@ diff -up openssh/servconf.c.vendor openssh/servconf.c
dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
diff -up openssh/servconf.h.vendor openssh/servconf.h
--- openssh/servconf.h.vendor 2015-06-23 02:34:47.000000000 +0200
+++ openssh/servconf.h 2015-06-24 11:05:39.837679714 +0200
@@ -154,6 +154,7 @@ typedef struct {
diff -up openssh-7.0p1/servconf.h.vendor openssh-7.0p1/servconf.h
--- openssh-7.0p1/servconf.h.vendor 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/servconf.h 2015-08-12 11:14:54.130628355 +0200
@@ -155,6 +155,7 @@ typedef struct {
int max_authtries;
int max_sessions;
char *banner; /* SSH-2 banner message */
@ -89,45 +89,12 @@ diff -up openssh/servconf.h.vendor openssh/servconf.h
int use_dns;
int client_alive_interval; /*
* poke the client this often to
diff -up openssh-6.8p1/sshd.c.vendor openssh-6.8p1/sshd.c
--- openssh-6.8p1/sshd.c.vendor 2015-03-18 11:17:56.669880305 +0100
+++ openssh-6.8p1/sshd.c 2015-03-18 11:17:56.697880239 +0100
@@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in
}
xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
- major, minor, SSH_VERSION,
+ major, minor, (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline);
@@ -1737,7 +1737,8 @@ main(int ac, char **av)
exit(1);
}
- debug("sshd version %s, %s", SSH_VERSION,
+ debug("sshd version %s, %s",
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
#ifdef WITH_OPENSSL
SSLeay_version(SSLEAY_VERSION)
#else
diff -up openssh-6.8p1/sshd_config.vendor openssh-6.8p1/sshd_config
--- openssh-6.8p1/sshd_config.vendor 2015-03-18 11:17:56.697880239 +0100
+++ openssh-6.8p1/sshd_config 2015-03-18 11:20:15.552550274 +0100
@@ -119,6 +119,7 @@ UsePrivilegeSeparation sandbox # Defaul
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
+#ShowPatchLevel no
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
diff -up openssh-6.8p1/sshd_config.0.vendor openssh-6.8p1/sshd_config.0
--- openssh-6.8p1/sshd_config.0.vendor 2015-03-18 11:17:56.691880253 +0100
+++ openssh-6.8p1/sshd_config.0 2015-03-18 11:17:56.697880239 +0100
@@ -740,6 +740,11 @@ DESCRIPTION
diff -up openssh-7.0p1/sshd_config.0.vendor openssh-7.0p1/sshd_config.0
--- openssh-7.0p1/sshd_config.0.vendor 2015-08-12 11:14:54.125628363 +0200
+++ openssh-7.0p1/sshd_config.0 2015-08-12 11:14:54.130628355 +0200
@@ -841,6 +841,11 @@ DESCRIPTION
Defines the number of bits in the ephemeral protocol version 1
server key. The minimum value is 512, and the default is 1024.
server key. The default and minimum value is 1024.
+ ShowPatchLevel
+ Specifies whether sshd will display the specific patch level of
@ -137,13 +104,13 @@ diff -up openssh-6.8p1/sshd_config.0.vendor openssh-6.8p1/sshd_config.0
StreamLocalBindMask
Sets the octal file creation mode mask (umask) used when creating
a Unix-domain socket file for local or remote port forwarding.
diff -up openssh/sshd_config.5.vendor openssh/sshd_config.5
--- openssh/sshd_config.5.vendor 2015-06-24 11:05:39.831679729 +0200
+++ openssh/sshd_config.5 2015-06-24 11:05:39.837679714 +0200
@@ -1344,6 +1344,13 @@ This option applies to protocol version
diff -up openssh-7.0p1/sshd_config.5.vendor openssh-7.0p1/sshd_config.5
--- openssh-7.0p1/sshd_config.5.vendor 2015-08-12 11:14:54.125628363 +0200
+++ openssh-7.0p1/sshd_config.5 2015-08-12 11:14:54.131628353 +0200
@@ -1411,6 +1411,13 @@ This option applies to protocol version
.It Cm ServerKeyBits
Defines the number of bits in the ephemeral protocol version 1 server key.
The minimum value is 512, and the default is 1024.
The default and minimum value is 1024.
+.It Cm ShowPatchLevel
+Specifies whether
+.Nm sshd
@ -154,3 +121,36 @@ diff -up openssh/sshd_config.5.vendor openssh/sshd_config.5
.It Cm StreamLocalBindMask
Sets the octal file creation mode mask
.Pq umask
diff -up openssh-7.0p1/sshd_config.vendor openssh-7.0p1/sshd_config
--- openssh-7.0p1/sshd_config.vendor 2015-08-12 11:14:54.125628363 +0200
+++ openssh-7.0p1/sshd_config 2015-08-12 11:14:54.131628353 +0200
@@ -119,6 +119,7 @@ UsePrivilegeSeparation sandbox # Defaul
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
+#ShowPatchLevel no
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
diff -up openssh-7.0p1/sshd.c.vendor openssh-7.0p1/sshd.c
--- openssh-7.0p1/sshd.c.vendor 2015-08-12 11:14:54.100628403 +0200
+++ openssh-7.0p1/sshd.c 2015-08-12 11:14:54.131628353 +0200
@@ -432,7 +432,7 @@ sshd_exchange_identification(int sock_in
}
xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
- major, minor, SSH_VERSION,
+ major, minor, (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline);
@@ -1749,7 +1749,8 @@ main(int ac, char **av)
exit(1);
}
- debug("sshd version %s, %s", SSH_VERSION,
+ debug("sshd version %s, %s",
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
#ifdef WITH_OPENSSL
SSLeay_version(SSLEAY_VERSION)
#else
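Review bot: The `(options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION` selection appears twice in the new sshd.c hunk (L189 and L197) and nothing says why `== 1` rather than a truthiness test is used; since servconf initialises integer options to -1 until fill_default_server_options runs (L46–L48 show that pattern), a comment such as `/* -1 (unset) must behave like "no": only an explicit yes exposes the vendor patch level */` at the first site would make that intent explicit, and a single `static` helper returning the chosen string would remove the duplication. The string built in sshd_exchange_identification is the protocol identification banner exchanged before any authentication, so when the option is enabled the exact package build is disclosed to unauthenticated peers; the `#ShowPatchLevel no` default at L178 keeps that off, and the ShowPatchLevel entry for sshd_config.5 (L164–L166, cut off here) should state that default and that the value is visible pre-authentication. Both sshd_exchange_identification and main continue outside their hunks.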


@ -1,6 +1,6 @@
diff -up openssh/gss-serv-krb5.c.GSSAPIEnablek5users openssh/gss-serv-krb5.c
--- openssh/gss-serv-krb5.c.GSSAPIEnablek5users 2015-06-24 11:40:03.716448353 +0200
+++ openssh/gss-serv-krb5.c 2015-06-24 11:40:03.739448295 +0200
diff -up openssh-7.0p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.0p1/gss-serv-krb5.c
--- openssh-7.0p1/gss-serv-krb5.c.GSSAPIEnablek5users 2015-08-12 11:27:44.022407951 +0200
+++ openssh-7.0p1/gss-serv-krb5.c 2015-08-12 11:27:44.047407912 +0200
@@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
FILE *fp;
char file[MAXPATHLEN];
@ -18,10 +18,10 @@ diff -up openssh/gss-serv-krb5.c.GSSAPIEnablek5users openssh/gss-serv-krb5.c
return ssh_krb5_kuserok(krb_context, principal, luser,
k5login_exists);
}
diff -up openssh/servconf.c.GSSAPIEnablek5users openssh/servconf.c
--- openssh/servconf.c.GSSAPIEnablek5users 2015-06-24 11:40:03.728448323 +0200
+++ openssh/servconf.c 2015-06-24 11:40:03.740448292 +0200
@@ -171,6 +171,7 @@ initialize_server_options(ServerOptions
diff -up openssh-7.0p1/servconf.c.GSSAPIEnablek5users openssh-7.0p1/servconf.c
--- openssh-7.0p1/servconf.c.GSSAPIEnablek5users 2015-08-12 11:27:44.036407930 +0200
+++ openssh-7.0p1/servconf.c 2015-08-12 11:28:49.087306430 +0200
@@ -173,6 +173,7 @@ initialize_server_options(ServerOptions
options->version_addendum = NULL;
options->fingerprint_hash = -1;
options->use_kuserok = -1;
@ -29,25 +29,25 @@ diff -up openssh/servconf.c.GSSAPIEnablek5users openssh/servconf.c
}
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -353,6 +354,8 @@ fill_default_server_options(ServerOption
@@ -351,6 +352,8 @@ fill_default_server_options(ServerOption
options->fwd_opts.streamlocal_bind_unlink = 0;
if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
if (options->use_kuserok == -1)
options->use_kuserok = 1;
+ if (options->enable_k5users == -1)
+ options->enable_k5users = 0;
/* Turn privilege separation on by default */
if (use_privsep == -1)
use_privsep = PRIVSEP_NOSANDBOX;
@@ -412,7 +415,7 @@ typedef enum {
sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
if (options->use_kuserok == -1)
options->use_kuserok = 1;
@@ -423,7 +426,7 @@ typedef enum {
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
sHostKeyAlgorithms,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
- sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+ sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -490,12 +493,14 @@ static struct {
@@ -502,12 +505,14 @@ static struct {
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
@ -62,7 +62,7 @@ diff -up openssh/servconf.c.GSSAPIEnablek5users openssh/servconf.c
#endif
{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
@@ -1663,6 +1668,10 @@ process_server_config_line(ServerOptions
@@ -1680,6 +1685,10 @@ process_server_config_line(ServerOptions
intptr = &options->use_kuserok;
goto parse_flag;
@ -73,7 +73,7 @@ diff -up openssh/servconf.c.GSSAPIEnablek5users openssh/servconf.c
case sPermitOpen:
arg = strdelim(&cp);
if (!arg || *arg == '\0')
@@ -2018,6 +2027,7 @@ copy_set_server_options(ServerOptions *d
@@ -2035,6 +2044,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk);
M_CP_INTOPT(use_kuserok);
@ -81,7 +81,7 @@ diff -up openssh/servconf.c.GSSAPIEnablek5users openssh/servconf.c
M_CP_INTOPT(rekey_limit);
M_CP_INTOPT(rekey_interval);
@@ -2300,6 +2310,7 @@ dump_config(ServerOptions *o)
@@ -2317,6 +2327,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
@ -89,10 +89,10 @@ diff -up openssh/servconf.c.GSSAPIEnablek5users openssh/servconf.c
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
diff -up openssh/servconf.h.GSSAPIEnablek5users openssh/servconf.h
--- openssh/servconf.h.GSSAPIEnablek5users 2015-06-24 11:40:03.717448351 +0200
+++ openssh/servconf.h 2015-06-24 11:40:03.740448292 +0200
@@ -179,7 +179,8 @@ typedef struct {
diff -up openssh-7.0p1/servconf.h.GSSAPIEnablek5users openssh-7.0p1/servconf.h
--- openssh-7.0p1/servconf.h.GSSAPIEnablek5users 2015-08-12 11:27:44.022407951 +0200
+++ openssh-7.0p1/servconf.h 2015-08-12 11:27:44.048407911 +0200
@@ -180,7 +180,8 @@ typedef struct {
int num_permitted_opens;
@ -102,10 +102,10 @@ diff -up openssh/servconf.h.GSSAPIEnablek5users openssh/servconf.h
char *chroot_directory;
char *revoked_keys_file;
char *trusted_user_ca_keys;
diff -up openssh/sshd_config.5.GSSAPIEnablek5users openssh/sshd_config.5
--- openssh/sshd_config.5.GSSAPIEnablek5users 2015-06-24 11:40:03.741448290 +0200
+++ openssh/sshd_config.5 2015-06-24 11:40:40.707354263 +0200
@@ -628,6 +628,12 @@ on logout.
diff -up openssh-7.0p1/sshd_config.5.GSSAPIEnablek5users openssh-7.0p1/sshd_config.5
--- openssh-7.0p1/sshd_config.5.GSSAPIEnablek5users 2015-08-12 11:27:44.023407950 +0200
+++ openssh-7.0p1/sshd_config.5 2015-08-12 11:27:44.048407911 +0200
@@ -633,6 +633,12 @@ on logout.
The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
@ -118,9 +118,9 @@ diff -up openssh/sshd_config.5.GSSAPIEnablek5users openssh/sshd_config.5
.It Cm GSSAPIStrictAcceptorCheck
Determines whether to be strict about the identity of the GSSAPI acceptor
a client authenticates against.
diff -up openssh/sshd_config.GSSAPIEnablek5users openssh/sshd_config
--- openssh/sshd_config.GSSAPIEnablek5users 2015-06-24 11:40:03.717448351 +0200
+++ openssh/sshd_config 2015-06-24 11:40:03.740448292 +0200
diff -up openssh-7.0p1/sshd_config.GSSAPIEnablek5users openssh-7.0p1/sshd_config
--- openssh-7.0p1/sshd_config.GSSAPIEnablek5users 2015-08-12 11:27:44.023407950 +0200
+++ openssh-7.0p1/sshd_config 2015-08-12 11:27:44.048407911 +0200
@@ -94,6 +94,7 @@ GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
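Review bot: The new `enable_k5users` option is defaulted to 0 at L239–L240 in fill_default_server_options, but whether it is propagated into Match blocks and reported by `sshd -T` cannot be confirmed from this view: the copy_set_server_options hunk (L274–L278) and the dump_config hunk (L282–L286) each add one line that is not shown, and the keyword-table hunk (L257–L261) does not show the new entry's SSHCFG scope. If the keyword is registered with SSHCFG_ALL, those hunks need to carry `M_CP_INTOPT(enable_k5users);` and `dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);`, otherwise a Match-scoped setting is silently dropped and the effective value is never printed. The sshd_config.5 entry added after the GSSAPICleanupCredentials text (L310–L313) should state `The default is .Dq no .` so the documentation matches the code default. Every function touched here starts and ends outside its hunk.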


@ -141,8 +141,8 @@ diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
+int main (int argc, char *argv[])
+{
+
+ const Cipher *c;
+ CipherContext cc;
+ const struct sshcipher *c;
+ struct sshcipher_ctx cc;
+ char *algo = "aes128-ctr";
+ char *hexkey = NULL;
+ char *hexiv = "00000000000000000000000000000000";
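Review bot: `char *algo = "aes128-ctr";` and `char *hexiv = "00000000000000000000000000000000";` (L338, L340) bind string literals to non-const pointers; a later write through either is undefined behaviour and `-Wwrite-strings` flags them, so `const char *algo = "aes128-ctr";` and `const char *hexiv = "00000000000000000000000000000000";` are the correct declarations (these two lines may be unchanged context in this hunk, since only the `struct sshcipher` / `struct sshcipher_ctx` lines are clearly new). `hexkey` starts as NULL and `main` continues past the end of the hunk, so whether it is checked before being dereferenced cannot be seen here.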


@ -1,6 +1,6 @@
diff -up openssh/auth2.c.gsskex openssh/auth2.c
--- openssh/auth2.c.gsskex 2015-06-24 11:07:36.180389924 +0200
+++ openssh/auth2.c 2015-06-24 11:07:36.228389804 +0200
diff -up openssh-7.0p1/auth2.c.gsskex openssh-7.0p1/auth2.c
--- openssh-7.0p1/auth2.c.gsskex 2015-08-12 11:15:43.625548999 +0200
+++ openssh-7.0p1/auth2.c 2015-08-12 11:15:43.692548892 +0200
@@ -70,6 +70,7 @@ extern Authmethod method_passwd;
extern Authmethod method_kbdint;
extern Authmethod method_hostbased;
@ -17,9 +17,9 @@ diff -up openssh/auth2.c.gsskex openssh/auth2.c
&method_gssapi,
#endif
&method_passwd,
diff -up openssh/auth2-gss.c.gsskex openssh/auth2-gss.c
--- openssh/auth2-gss.c.gsskex 2015-06-24 11:07:36.179389926 +0200
+++ openssh/auth2-gss.c 2015-06-24 11:07:36.228389804 +0200
diff -up openssh-7.0p1/auth2-gss.c.gsskex openssh-7.0p1/auth2-gss.c
--- openssh-7.0p1/auth2-gss.c.gsskex 2015-08-12 11:15:43.624549001 +0200
+++ openssh-7.0p1/auth2-gss.c 2015-08-12 11:15:43.692548892 +0200
@@ -31,6 +31,7 @@
#include <sys/types.h>
@ -102,10 +102,10 @@ diff -up openssh/auth2-gss.c.gsskex openssh/auth2-gss.c
Authmethod method_gssapi = {
"gssapi-with-mic",
userauth_gssapi,
diff -up openssh/clientloop.c.gsskex openssh/clientloop.c
--- openssh/clientloop.c.gsskex 2015-06-23 02:34:47.000000000 +0200
+++ openssh/clientloop.c 2015-06-24 11:07:36.228389804 +0200
@@ -114,6 +114,10 @@
diff -up openssh-7.0p1/clientloop.c.gsskex openssh-7.0p1/clientloop.c
--- openssh-7.0p1/clientloop.c.gsskex 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/clientloop.c 2015-08-12 11:15:43.693548890 +0200
@@ -115,6 +115,10 @@
#include "ssherr.h"
#include "hostfile.h"
@ -116,7 +116,7 @@ diff -up openssh/clientloop.c.gsskex openssh/clientloop.c
/* import options */
extern Options options;
@@ -1596,6 +1600,15 @@ client_loop(int have_pty, int escape_cha
@@ -1610,6 +1614,15 @@ client_loop(int have_pty, int escape_cha
/* Do channel operations unless rekeying in progress. */
if (!rekeying) {
channel_after_select(readset, writeset);
@ -132,9 +132,9 @@ diff -up openssh/clientloop.c.gsskex openssh/clientloop.c
if (need_rekeying || packet_need_rekeying()) {
debug("need rekeying");
active_state->kex->done = 0;
diff -up openssh/configure.ac.gsskex openssh/configure.ac
--- openssh/configure.ac.gsskex 2015-06-24 11:07:36.214389839 +0200
+++ openssh/configure.ac 2015-06-24 11:07:36.229389802 +0200
diff -up openssh-7.0p1/configure.ac.gsskex openssh-7.0p1/configure.ac
--- openssh-7.0p1/configure.ac.gsskex 2015-08-12 11:15:43.675548919 +0200
+++ openssh-7.0p1/configure.ac 2015-08-12 11:15:43.694548889 +0200
@@ -625,6 +625,30 @@ main() { if (NSVersionOfRunTimeLibrary("
[Use tunnel device compatibility to OpenBSD])
AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
@ -166,9 +166,9 @@ diff -up openssh/configure.ac.gsskex openssh/configure.ac
m4_pattern_allow([AU_IPv])
AC_CHECK_DECL([AU_IPv4], [],
AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
diff -up openssh/gss-genr.c.gsskex openssh/gss-genr.c
--- openssh/gss-genr.c.gsskex 2015-06-23 02:34:47.000000000 +0200
+++ openssh/gss-genr.c 2015-06-24 11:07:36.229389802 +0200
diff -up openssh-7.0p1/gss-genr.c.gsskex openssh-7.0p1/gss-genr.c
--- openssh-7.0p1/gss-genr.c.gsskex 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/gss-genr.c 2015-08-12 11:15:43.694548889 +0200
@@ -41,12 +41,167 @@
#include "buffer.h"
#include "log.h"
@ -506,9 +506,9 @@ diff -up openssh/gss-genr.c.gsskex openssh/gss-genr.c
+}
+
#endif /* GSSAPI */
diff -up openssh/gss-serv.c.gsskex openssh/gss-serv.c
--- openssh/gss-serv.c.gsskex 2015-06-23 02:34:47.000000000 +0200
+++ openssh/gss-serv.c 2015-06-24 11:11:53.171742794 +0200
diff -up openssh-7.0p1/gss-serv.c.gsskex openssh-7.0p1/gss-serv.c
--- openssh-7.0p1/gss-serv.c.gsskex 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/gss-serv.c 2015-08-12 11:15:43.694548889 +0200
@@ -45,17 +45,19 @@
#include "session.h"
#include "misc.h"
@ -791,9 +791,9 @@ diff -up openssh/gss-serv.c.gsskex openssh/gss-serv.c
}
#endif
diff -up openssh/gss-serv-krb5.c.gsskex openssh/gss-serv-krb5.c
--- openssh/gss-serv-krb5.c.gsskex 2015-06-23 02:34:47.000000000 +0200
+++ openssh/gss-serv-krb5.c 2015-06-24 11:07:36.229389802 +0200
diff -up openssh-7.0p1/gss-serv-krb5.c.gsskex openssh-7.0p1/gss-serv-krb5.c
--- openssh-7.0p1/gss-serv-krb5.c.gsskex 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/gss-serv-krb5.c 2015-08-12 11:15:43.694548889 +0200
@@ -121,7 +121,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
krb5_error_code problem;
krb5_principal princ;
@ -921,9 +921,9 @@ diff -up openssh/gss-serv-krb5.c.gsskex openssh/gss-serv-krb5.c
};
#endif /* KRB5 */
diff -up openssh/kex.c.gsskex openssh/kex.c
--- openssh/kex.c.gsskex 2015-06-23 02:34:47.000000000 +0200
+++ openssh/kex.c 2015-06-24 11:07:36.230389799 +0200
diff -up openssh-7.0p1/kex.c.gsskex openssh-7.0p1/kex.c
--- openssh-7.0p1/kex.c.gsskex 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/kex.c 2015-08-12 11:15:43.695548887 +0200
@@ -55,6 +55,10 @@
#include "sshbuf.h"
#include "digest.h"
@ -960,9 +960,9 @@ diff -up openssh/kex.c.gsskex openssh/kex.c
}
return NULL;
}
diff -up openssh/kexgssc.c.gsskex openssh/kexgssc.c
--- openssh/kexgssc.c.gsskex 2015-06-24 11:07:36.231389797 +0200
+++ openssh/kexgssc.c 2015-06-24 11:07:36.230389799 +0200
diff -up openssh-7.0p1/kexgssc.c.gsskex openssh-7.0p1/kexgssc.c
--- openssh-7.0p1/kexgssc.c.gsskex 2015-08-12 11:15:43.695548887 +0200
+++ openssh-7.0p1/kexgssc.c 2015-08-12 11:15:43.695548887 +0200
@@ -0,0 +1,338 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1302,9 +1302,9 @@ diff -up openssh/kexgssc.c.gsskex openssh/kexgssc.c
+}
+
+#endif /* GSSAPI */
diff -up openssh/kexgsss.c.gsskex openssh/kexgsss.c
--- openssh/kexgsss.c.gsskex 2015-06-24 11:07:36.231389797 +0200
+++ openssh/kexgsss.c 2015-06-24 11:07:36.231389797 +0200
diff -up openssh-7.0p1/kexgsss.c.gsskex openssh-7.0p1/kexgsss.c
--- openssh-7.0p1/kexgsss.c.gsskex 2015-08-12 11:15:43.695548887 +0200
+++ openssh-7.0p1/kexgsss.c 2015-08-12 11:15:43.695548887 +0200
@@ -0,0 +1,295 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1601,9 +1601,9 @@ diff -up openssh/kexgsss.c.gsskex openssh/kexgsss.c
+ return 0;
+}
+#endif /* GSSAPI */
diff -up openssh/kex.h.gsskex openssh/kex.h
--- openssh/kex.h.gsskex 2015-06-23 02:34:47.000000000 +0200
+++ openssh/kex.h 2015-06-24 11:07:36.230389799 +0200
diff -up openssh-7.0p1/kex.h.gsskex openssh-7.0p1/kex.h
--- openssh-7.0p1/kex.h.gsskex 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/kex.h 2015-08-12 11:17:44.694354889 +0200
@@ -93,6 +93,11 @@ enum kex_exchange {
KEX_DH_GEX_SHA256,
KEX_ECDH_SHA2,
@ -1628,8 +1628,8 @@ diff -up openssh/kex.h.gsskex openssh/kex.h
+#endif
char *client_version_string;
char *server_version_string;
int (*verify_host_key)(struct sshkey *, struct ssh *);
@@ -183,6 +194,10 @@ int kexecdh_client(struct ssh *);
char *failed_choice;
@@ -186,6 +197,10 @@ int kexecdh_client(struct ssh *);
int kexecdh_server(struct ssh *);
int kexc25519_client(struct ssh *);
int kexc25519_server(struct ssh *);
@ -1640,9 +1640,9 @@ diff -up openssh/kex.h.gsskex openssh/kex.h
int kex_dh_hash(const char *, const char *,
const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
diff -up openssh/Makefile.in.gsskex openssh/Makefile.in
--- openssh/Makefile.in.gsskex 2015-06-24 11:07:36.223389817 +0200
+++ openssh/Makefile.in 2015-06-24 11:07:36.228389804 +0200
diff -up openssh-7.0p1/Makefile.in.gsskex openssh-7.0p1/Makefile.in
--- openssh-7.0p1/Makefile.in.gsskex 2015-08-12 11:15:43.686548901 +0200
+++ openssh-7.0p1/Makefile.in 2015-08-12 11:15:43.695548887 +0200
@@ -90,6 +90,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o \
@ -1660,9 +1660,9 @@ diff -up openssh/Makefile.in.gsskex openssh/Makefile.in
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o \
roaming_common.o roaming_serv.o \
diff -up openssh/monitor.c.gsskex openssh/monitor.c
--- openssh/monitor.c.gsskex 2015-06-24 11:07:36.180389924 +0200
+++ openssh/monitor.c 2015-06-24 11:07:36.231389797 +0200
diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c
--- openssh-7.0p1/monitor.c.gsskex 2015-08-12 11:15:43.626548998 +0200
+++ openssh-7.0p1/monitor.c 2015-08-12 11:15:43.696548885 +0200
@@ -160,6 +160,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *);
@ -1852,9 +1852,9 @@ diff -up openssh/monitor.c.gsskex openssh/monitor.c
+
#endif /* GSSAPI */
diff -up openssh/monitor.h.gsskex openssh/monitor.h
--- openssh/monitor.h.gsskex 2015-06-24 11:07:36.181389921 +0200
+++ openssh/monitor.h 2015-06-24 11:07:36.231389797 +0200
diff -up openssh-7.0p1/monitor.h.gsskex openssh-7.0p1/monitor.h
--- openssh-7.0p1/monitor.h.gsskex 2015-08-12 11:15:43.626548998 +0200
+++ openssh-7.0p1/monitor.h 2015-08-12 11:15:43.696548885 +0200
@@ -60,6 +60,8 @@ enum monitor_reqtype {
#ifdef WITH_SELINUX
MONITOR_REQ_AUTHROLE = 80,
@ -1864,10 +1864,10 @@ diff -up openssh/monitor.h.gsskex openssh/monitor.h
MONITOR_REQ_PAM_START = 100,
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
diff -up openssh/monitor_wrap.c.gsskex openssh/monitor_wrap.c
--- openssh/monitor_wrap.c.gsskex 2015-06-24 11:07:36.181389921 +0200
+++ openssh/monitor_wrap.c 2015-06-24 11:07:36.231389797 +0200
@@ -1088,7 +1088,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
diff -up openssh-7.0p1/monitor_wrap.c.gsskex openssh-7.0p1/monitor_wrap.c
--- openssh-7.0p1/monitor_wrap.c.gsskex 2015-08-12 11:15:43.626548998 +0200
+++ openssh-7.0p1/monitor_wrap.c 2015-08-12 11:15:43.697548884 +0200
@@ -1087,7 +1087,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
}
int
@ -1876,7 +1876,7 @@ diff -up openssh/monitor_wrap.c.gsskex openssh/monitor_wrap.c
{
Buffer m;
int authenticated = 0;
@@ -1105,5 +1105,50 @@ mm_ssh_gssapi_userok(char *user)
@@ -1104,5 +1104,50 @@ mm_ssh_gssapi_userok(char *user)
debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
return (authenticated);
}
@ -1927,9 +1927,9 @@ diff -up openssh/monitor_wrap.c.gsskex openssh/monitor_wrap.c
+
#endif /* GSSAPI */
diff -up openssh/monitor_wrap.h.gsskex openssh/monitor_wrap.h
--- openssh/monitor_wrap.h.gsskex 2015-06-24 11:07:36.181389921 +0200
+++ openssh/monitor_wrap.h 2015-06-24 11:07:36.232389794 +0200
diff -up openssh-7.0p1/monitor_wrap.h.gsskex openssh-7.0p1/monitor_wrap.h
--- openssh-7.0p1/monitor_wrap.h.gsskex 2015-08-12 11:15:43.626548998 +0200
+++ openssh-7.0p1/monitor_wrap.h 2015-08-12 11:15:43.697548884 +0200
@@ -61,8 +61,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
@ -1942,9 +1942,9 @@ diff -up openssh/monitor_wrap.h.gsskex openssh/monitor_wrap.h
#endif
#ifdef USE_PAM
diff -up openssh/readconf.c.gsskex openssh/readconf.c
--- openssh/readconf.c.gsskex 2015-06-23 02:34:47.000000000 +0200
+++ openssh/readconf.c 2015-06-24 11:07:36.232389794 +0200
diff -up openssh-7.0p1/readconf.c.gsskex openssh-7.0p1/readconf.c
--- openssh-7.0p1/readconf.c.gsskex 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/readconf.c 2015-08-12 11:15:43.697548884 +0200
@@ -147,6 +147,8 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
@ -1954,7 +1954,7 @@ diff -up openssh/readconf.c.gsskex openssh/readconf.c
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
@@ -191,10 +193,19 @@ static struct {
@@ -192,10 +194,19 @@ static struct {
{ "afstokenpassing", oUnsupported },
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
@ -1974,7 +1974,7 @@ diff -up openssh/readconf.c.gsskex openssh/readconf.c
#endif
{ "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated },
@@ -892,10 +903,30 @@ parse_time:
@@ -894,10 +905,30 @@ parse_time:
intptr = &options->gss_authentication;
goto parse_flag;
@ -2018,7 +2018,7 @@ diff -up openssh/readconf.c.gsskex openssh/readconf.c
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -1728,8 +1764,14 @@ fill_default_options(Options * options)
@@ -1729,8 +1765,14 @@ fill_default_options(Options * options)
options->challenge_response_authentication = 1;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
@ -2033,9 +2033,9 @@ diff -up openssh/readconf.c.gsskex openssh/readconf.c
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
diff -up openssh/readconf.h.gsskex openssh/readconf.h
--- openssh/readconf.h.gsskex 2015-06-23 02:34:47.000000000 +0200
+++ openssh/readconf.h 2015-06-24 11:07:36.232389794 +0200
diff -up openssh-7.0p1/readconf.h.gsskex openssh-7.0p1/readconf.h
--- openssh-7.0p1/readconf.h.gsskex 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/readconf.h 2015-08-12 11:15:43.697548884 +0200
@@ -45,7 +45,12 @@ typedef struct {
int challenge_response_authentication;
/* Try S/Key or TIS, authentication. */
@ -2049,33 +2049,33 @@ diff -up openssh/readconf.h.gsskex openssh/readconf.h
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff -up openssh/regress/cert-hostkey.sh.gsskex openssh/regress/cert-hostkey.sh
--- openssh/regress/cert-hostkey.sh.gsskex 2015-06-23 02:34:47.000000000 +0200
+++ openssh/regress/cert-hostkey.sh 2015-06-24 11:07:36.232389794 +0200
@@ -25,7 +25,7 @@ touch $OBJ/host_revoked_plain
diff -up openssh-7.0p1/regress/cert-hostkey.sh.gsskex openssh-7.0p1/regress/cert-hostkey.sh
--- openssh-7.0p1/regress/cert-hostkey.sh.gsskex 2015-08-12 11:15:43.698548882 +0200
+++ openssh-7.0p1/regress/cert-hostkey.sh 2015-08-12 11:16:52.511438554 +0200
@@ -46,7 +46,7 @@ touch $OBJ/host_revoked_plain
touch $OBJ/host_revoked_cert
cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca
-PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
+PLAIN_TYPES=`$SSH -Q key-plain | grep -v null | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
type_has_legacy() {
case $1 in
diff -up openssh/regress/cert-userkey.sh.gsskex openssh/regress/cert-userkey.sh
--- openssh/regress/cert-userkey.sh.gsskex 2015-06-23 02:34:47.000000000 +0200
+++ openssh/regress/cert-userkey.sh 2015-06-24 11:07:36.232389794 +0200
@@ -6,7 +6,7 @@ tid="certified user keys"
rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
# Prepare certificate, plain key and CA KRLs
${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed"
diff -up openssh-7.0p1/regress/cert-userkey.sh.gsskex openssh-7.0p1/regress/cert-userkey.sh
--- openssh-7.0p1/regress/cert-userkey.sh.gsskex 2015-08-12 11:15:43.698548882 +0200
+++ openssh-7.0p1/regress/cert-userkey.sh 2015-08-12 11:20:30.110089677 +0200
@@ -7,7 +7,7 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/us
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
-PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
+PLAIN_TYPES=`$SSH -Q key-plain | grep -v null | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
type_has_legacy() {
case $1 in
diff -up openssh/regress/kextype.sh.gsskex openssh/regress/kextype.sh
--- openssh/regress/kextype.sh.gsskex 2015-06-23 02:34:47.000000000 +0200
+++ openssh/regress/kextype.sh 2015-06-24 11:07:36.233389792 +0200
kname() {
n=`echo "$1" | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'`
diff -up openssh-7.0p1/regress/kextype.sh.gsskex openssh-7.0p1/regress/kextype.sh
--- openssh-7.0p1/regress/kextype.sh.gsskex 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/regress/kextype.sh 2015-08-12 11:15:43.698548882 +0200
@@ -14,6 +14,9 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/ssh
tries="1 2 3 4"
@ -2086,9 +2086,9 @@ diff -up openssh/regress/kextype.sh.gsskex openssh/regress/kextype.sh
verbose "kex $k"
for i in $tries; do
${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true
diff -up openssh/regress/rekey.sh.gsskex openssh/regress/rekey.sh
--- openssh/regress/rekey.sh.gsskex 2015-06-23 02:34:47.000000000 +0200
+++ openssh/regress/rekey.sh 2015-06-24 11:07:36.233389792 +0200
diff -up openssh-7.0p1/regress/rekey.sh.gsskex openssh-7.0p1/regress/rekey.sh
--- openssh-7.0p1/regress/rekey.sh.gsskex 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/regress/rekey.sh 2015-08-12 11:15:43.698548882 +0200
@@ -38,6 +38,9 @@ increase_datafile_size 300
opts=""
@ -2109,10 +2109,10 @@ diff -up openssh/regress/rekey.sh.gsskex openssh/regress/rekey.sh
verbose "client rekey $c $kex"
ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c
done
diff -up openssh/servconf.c.gsskex openssh/servconf.c
--- openssh/servconf.c.gsskex 2015-06-24 11:07:36.214389839 +0200
+++ openssh/servconf.c 2015-06-24 11:20:08.026487223 +0200
@@ -115,8 +115,10 @@ initialize_server_options(ServerOptions
diff -up openssh-7.0p1/servconf.c.gsskex openssh-7.0p1/servconf.c
--- openssh-7.0p1/servconf.c.gsskex 2015-08-12 11:15:43.676548918 +0200
+++ openssh-7.0p1/servconf.c 2015-08-12 11:22:32.686893730 +0200
@@ -117,8 +117,10 @@ initialize_server_options(ServerOptions
options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1;
options->gss_authentication=-1;
@ -2138,8 +2138,8 @@ diff -up openssh/servconf.c.gsskex openssh/servconf.c
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
@@ -404,7 +410,7 @@ typedef enum {
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
@@ -415,7 +421,7 @@ typedef enum {
sHostKeyAlgorithms,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
- sAcceptEnv, sPermitTunnel,
@ -2147,7 +2147,7 @@ diff -up openssh/servconf.c.gsskex openssh/servconf.c
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
sHostCertificate,
@@ -477,11 +483,17 @@ static struct {
@@ -489,11 +495,17 @@ static struct {
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
@ -2165,7 +2165,7 @@ diff -up openssh/servconf.c.gsskex openssh/servconf.c
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
@@ -1218,6 +1230,10 @@ process_server_config_line(ServerOptions
@@ -1235,6 +1247,10 @@ process_server_config_line(ServerOptions
intptr = &options->gss_authentication;
goto parse_flag;
@ -2176,7 +2176,7 @@ diff -up openssh/servconf.c.gsskex openssh/servconf.c
case sGssCleanupCreds:
intptr = &options->gss_cleanup_creds;
goto parse_flag;
@@ -1226,6 +1242,10 @@ process_server_config_line(ServerOptions
@@ -1243,6 +1259,10 @@ process_server_config_line(ServerOptions
intptr = &options->gss_strict_acceptor;
goto parse_flag;
@ -2187,7 +2187,7 @@ diff -up openssh/servconf.c.gsskex openssh/servconf.c
case sPasswordAuthentication:
intptr = &options->password_authentication;
goto parse_flag;
@@ -2238,6 +2258,9 @@ dump_config(ServerOptions *o)
@@ -2255,6 +2275,9 @@ dump_config(ServerOptions *o)
#ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
@ -2197,10 +2197,10 @@ diff -up openssh/servconf.c.gsskex openssh/servconf.c
#endif
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
dump_cfg_fmtint(sKbdInteractiveAuthentication,
diff -up openssh/servconf.h.gsskex openssh/servconf.h
--- openssh/servconf.h.gsskex 2015-06-24 11:07:36.233389792 +0200
+++ openssh/servconf.h 2015-06-24 11:21:20.888302354 +0200
@@ -117,8 +117,10 @@ typedef struct {
diff -up openssh-7.0p1/servconf.h.gsskex openssh-7.0p1/servconf.h
--- openssh-7.0p1/servconf.h.gsskex 2015-08-12 11:15:43.676548918 +0200
+++ openssh-7.0p1/servconf.h 2015-08-12 11:15:43.700548879 +0200
@@ -118,8 +118,10 @@ typedef struct {
int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */
int gss_authentication; /* If true, permit GSSAPI authentication */
@ -2211,10 +2211,10 @@ diff -up openssh/servconf.h.gsskex openssh/servconf.h
int password_authentication; /* If true, permit password
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
diff -up openssh/ssh_config.5.gsskex openssh/ssh_config.5
--- openssh/ssh_config.5.gsskex 2015-06-23 02:34:47.000000000 +0200
+++ openssh/ssh_config.5 2015-06-24 11:07:36.234389789 +0200
@@ -744,11 +744,43 @@ Specifies whether user authentication ba
diff -up openssh-7.0p1/ssh_config.5.gsskex openssh-7.0p1/ssh_config.5
--- openssh-7.0p1/ssh_config.5.gsskex 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/ssh_config.5 2015-08-12 11:15:43.700548879 +0200
@@ -749,11 +749,43 @@ Specifies whether user authentication ba
The default is
.Dq no .
Note that this option applies to protocol version 2 only.
@ -2259,9 +2259,9 @@ diff -up openssh/ssh_config.5.gsskex openssh/ssh_config.5
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
diff -up openssh/ssh_config.gsskex openssh/ssh_config
--- openssh/ssh_config.gsskex 2015-06-24 11:07:36.209389852 +0200
+++ openssh/ssh_config 2015-06-24 11:07:36.234389789 +0200
diff -up openssh-7.0p1/ssh_config.gsskex openssh-7.0p1/ssh_config
--- openssh-7.0p1/ssh_config.gsskex 2015-08-12 11:15:43.667548932 +0200
+++ openssh-7.0p1/ssh_config 2015-08-12 11:15:43.700548879 +0200
@@ -26,6 +26,8 @@
# HostbasedAuthentication no
# GSSAPIAuthentication no
@ -2271,9 +2271,9 @@ diff -up openssh/ssh_config.gsskex openssh/ssh_config
# BatchMode no
# CheckHostIP yes
# AddressFamily any
diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
--- openssh/sshconnect2.c.gsskex 2015-06-23 02:34:47.000000000 +0200
+++ openssh/sshconnect2.c 2015-06-24 11:07:36.234389789 +0200
diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c
--- openssh-7.0p1/sshconnect2.c.gsskex 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/sshconnect2.c 2015-08-12 11:25:12.486644393 +0200
@@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *ho
struct kex *kex;
int r;
@ -2306,12 +2306,12 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
+ }
+#endif
+
if (options.ciphers == (char *)-1) {
logit("No valid ciphers for protocol version 2 given, using defaults.");
options.ciphers = NULL;
@@ -200,6 +225,17 @@ ssh_kex2(char *host, struct sockaddr *ho
myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
myproposal[PROPOSAL_KEX_ALGS]);
options.kex_algorithms);
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
@@ -193,6 +218,17 @@ ssh_kex2(char *host, struct sockaddr *ho
order_hostkeyalgs(host, hostaddr, port));
}
+#ifdef GSSAPI
+ /* If we've got GSSAPI algorithms, then we also support the
@ -2327,7 +2327,7 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
if (options.rekey_limit || options.rekey_interval)
packet_set_rekey_limits((u_int32_t)options.rekey_limit,
(time_t)options.rekey_interval);
@@ -217,11 +253,31 @@ ssh_kex2(char *host, struct sockaddr *ho
@@ -210,11 +246,31 @@ ssh_kex2(char *host, struct sockaddr *ho
kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
# endif
#endif
@ -2359,7 +2359,7 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
dispatch_run(DISPATCH_BLOCK, &kex->done, active_state);
if (options.use_roaming && !kex->roaming) {
@@ -313,6 +369,7 @@ int input_gssapi_token(int type, u_int32
@@ -306,6 +362,7 @@ int input_gssapi_token(int type, u_int32
int input_gssapi_hash(int type, u_int32_t, void *);
int input_gssapi_error(int, u_int32_t, void *);
int input_gssapi_errtok(int, u_int32_t, void *);
@ -2367,7 +2367,7 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
#endif
void userauth(Authctxt *, char *);
@@ -328,6 +385,11 @@ static char *authmethods_get(void);
@@ -321,6 +378,11 @@ static char *authmethods_get(void);
Authmethod authmethods[] = {
#ifdef GSSAPI
@ -2379,7 +2379,7 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
{"gssapi-with-mic",
userauth_gssapi,
NULL,
@@ -634,19 +696,31 @@ userauth_gssapi(Authctxt *authctxt)
@@ -627,19 +689,31 @@ userauth_gssapi(Authctxt *authctxt)
static u_int mech = 0;
OM_uint32 min;
int ok = 0;
@ -2413,7 +2413,7 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
ok = 1; /* Mechanism works */
} else {
mech++;
@@ -743,8 +817,8 @@ input_gssapi_response(int type, u_int32_
@@ -736,8 +810,8 @@ input_gssapi_response(int type, u_int32_
{
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
@ -2424,7 +2424,7 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
if (authctxt == NULL)
fatal("input_gssapi_response: no authentication context");
@@ -857,6 +931,48 @@ input_gssapi_error(int type, u_int32_t p
@@ -850,6 +924,48 @@ input_gssapi_error(int type, u_int32_t p
free(lang);
return 0;
}
@ -2473,10 +2473,10 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
#endif /* GSSAPI */
int
diff -up openssh/sshd.c.gsskex openssh/sshd.c
--- openssh/sshd.c.gsskex 2015-06-24 11:07:36.217389832 +0200
+++ openssh/sshd.c 2015-06-24 11:07:36.235389787 +0200
@@ -1839,10 +1839,13 @@ main(int ac, char **av)
diff -up openssh-7.0p1/sshd.c.gsskex openssh-7.0p1/sshd.c
--- openssh-7.0p1/sshd.c.gsskex 2015-08-12 11:15:43.679548913 +0200
+++ openssh-7.0p1/sshd.c 2015-08-12 11:15:43.702548876 +0200
@@ -1843,10 +1843,13 @@ main(int ac, char **av)
logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1;
}
@ -2490,7 +2490,7 @@ diff -up openssh/sshd.c.gsskex openssh/sshd.c
if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
logit("sshd: no hostkeys available -- exiting.");
exit(1);
@@ -2589,6 +2592,48 @@ do_ssh2_kex(void)
@@ -2582,6 +2585,48 @@ do_ssh2_kex(void)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
list_hostkey_types());
@ -2539,7 +2539,7 @@ diff -up openssh/sshd.c.gsskex openssh/sshd.c
/* start key exchange */
if ((r = kex_setup(active_state, myproposal)) != 0)
fatal("kex_setup: %s", ssh_err(r));
@@ -2603,6 +2648,13 @@ do_ssh2_kex(void)
@@ -2596,6 +2641,13 @@ do_ssh2_kex(void)
# endif
#endif
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@ -2553,10 +2553,10 @@ diff -up openssh/sshd.c.gsskex openssh/sshd.c
kex->server = 1;
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;
diff -up openssh/sshd_config.5.gsskex openssh/sshd_config.5
--- openssh/sshd_config.5.gsskex 2015-06-24 11:07:36.235389787 +0200
+++ openssh/sshd_config.5 2015-06-24 11:23:13.490016656 +0200
@@ -616,6 +616,12 @@ Specifies whether user authentication ba
diff -up openssh-7.0p1/sshd_config.5.gsskex openssh-7.0p1/sshd_config.5
--- openssh-7.0p1/sshd_config.5.gsskex 2015-08-12 11:15:43.677548916 +0200
+++ openssh-7.0p1/sshd_config.5 2015-08-12 11:15:43.702548876 +0200
@@ -621,6 +621,12 @@ Specifies whether user authentication ba
The default is
.Dq no .
Note that this option applies to protocol version 2 only.
@ -2569,7 +2569,7 @@ diff -up openssh/sshd_config.5.gsskex openssh/sshd_config.5
.It Cm GSSAPICleanupCredentials
Specifies whether to automatically destroy the user's credentials cache
on logout.
@@ -637,6 +643,11 @@ machine's default store.
@@ -642,6 +648,11 @@ machine's default store.
This facility is provided to assist with operation on multi homed machines.
The default is
.Dq yes .
@ -2581,9 +2581,9 @@ diff -up openssh/sshd_config.5.gsskex openssh/sshd_config.5
.It Cm HostbasedAcceptedKeyTypes
Specifies the key types that will be accepted for hostbased authentication
as a comma-separated pattern list.
diff -up openssh/sshd_config.gsskex openssh/sshd_config
--- openssh/sshd_config.gsskex 2015-06-24 11:07:36.217389832 +0200
+++ openssh/sshd_config 2015-06-24 11:07:36.235389787 +0200
diff -up openssh-7.0p1/sshd_config.gsskex openssh-7.0p1/sshd_config
--- openssh-7.0p1/sshd_config.gsskex 2015-08-12 11:15:43.679548913 +0200
+++ openssh-7.0p1/sshd_config 2015-08-12 11:15:43.702548876 +0200
@@ -91,6 +91,8 @@ ChallengeResponseAuthentication no
# GSSAPI options
GSSAPIAuthentication yes
@ -2593,9 +2593,9 @@ diff -up openssh/sshd_config.gsskex openssh/sshd_config
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
diff -up openssh/ssh-gss.h.gsskex openssh/ssh-gss.h
--- openssh/ssh-gss.h.gsskex 2015-06-23 02:34:47.000000000 +0200
+++ openssh/ssh-gss.h 2015-06-24 11:07:36.234389789 +0200
diff -up openssh-7.0p1/ssh-gss.h.gsskex openssh-7.0p1/ssh-gss.h
--- openssh-7.0p1/ssh-gss.h.gsskex 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/ssh-gss.h 2015-08-12 11:15:43.702548876 +0200
@@ -1,6 +1,6 @@
/* $OpenBSD: ssh-gss.h,v 1.11 2014/02/26 20:28:44 djm Exp $ */
/*


@ -1,6 +1,6 @@
diff -up openssh-6.8p1/auth-krb5.c.kuserok openssh-6.8p1/auth-krb5.c
--- openssh-6.8p1/auth-krb5.c.kuserok 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/auth-krb5.c 2015-03-18 12:37:14.349351304 +0100
diff -up openssh-7.0p1/auth-krb5.c.kuserok openssh-7.0p1/auth-krb5.c
--- openssh-7.0p1/auth-krb5.c.kuserok 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/auth-krb5.c 2015-08-12 11:26:21.874536127 +0200
@@ -55,6 +55,21 @@
extern ServerOptions options;
@ -35,9 +35,9 @@ diff -up openssh-6.8p1/auth-krb5.c.kuserok openssh-6.8p1/auth-krb5.c
problem = -1;
goto out;
}
diff -up openssh-6.8p1/gss-serv-krb5.c.kuserok openssh-6.8p1/gss-serv-krb5.c
--- openssh-6.8p1/gss-serv-krb5.c.kuserok 2015-03-18 12:37:14.346351312 +0100
+++ openssh-6.8p1/gss-serv-krb5.c 2015-03-18 12:37:14.349351304 +0100
diff -up openssh-7.0p1/gss-serv-krb5.c.kuserok openssh-7.0p1/gss-serv-krb5.c
--- openssh-7.0p1/gss-serv-krb5.c.kuserok 2015-08-12 11:26:21.868536137 +0200
+++ openssh-7.0p1/gss-serv-krb5.c 2015-08-12 11:26:21.875536126 +0200
@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
int);
@ -172,10 +172,10 @@ diff -up openssh-6.8p1/gss-serv-krb5.c.kuserok openssh-6.8p1/gss-serv-krb5.c
}
if ((fp = fopen(file, "r")) == NULL) {
int saved_errno = errno;
diff -up openssh-6.8p1/servconf.c.kuserok openssh-6.8p1/servconf.c
--- openssh-6.8p1/servconf.c.kuserok 2015-03-18 12:37:14.342351322 +0100
+++ openssh-6.8p1/servconf.c 2015-03-18 12:38:36.133145700 +0100
@@ -167,6 +167,7 @@ initialize_server_options(ServerOptions
diff -up openssh-7.0p1/servconf.c.kuserok openssh-7.0p1/servconf.c
--- openssh-7.0p1/servconf.c.kuserok 2015-08-12 11:26:21.865536141 +0200
+++ openssh-7.0p1/servconf.c 2015-08-12 11:27:14.126454598 +0200
@@ -172,6 +172,7 @@ initialize_server_options(ServerOptions
options->ip_qos_bulk = -1;
options->version_addendum = NULL;
options->fingerprint_hash = -1;
@ -183,16 +183,16 @@ diff -up openssh-6.8p1/servconf.c.kuserok openssh-6.8p1/servconf.c
}
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
@@ -350,6 +351,8 @@ fill_default_server_options(ServerOption
options->fwd_opts.streamlocal_bind_unlink = 0;
if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+ if (options->use_kuserok == -1)
+ options->use_kuserok = 1;
/* Turn privilege separation on by default */
if (use_privsep == -1)
use_privsep = PRIVSEP_NOSANDBOX;
@@ -388,7 +391,7 @@ typedef enum {
if (kex_assemble_names(KEX_SERVER_ENCRYPT, &options->ciphers) != 0 ||
kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 ||
@@ -404,7 +407,7 @@ typedef enum {
sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
@ -201,7 +201,7 @@ diff -up openssh-6.8p1/servconf.c.kuserok openssh-6.8p1/servconf.c
sKerberosTgtPassing, sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
@@ -464,11 +467,13 @@ static struct {
@@ -483,11 +486,13 @@ static struct {
#else
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif
@ -215,7 +215,7 @@ diff -up openssh-6.8p1/servconf.c.kuserok openssh-6.8p1/servconf.c
#endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -1614,6 +1619,10 @@ process_server_config_line(ServerOptions
@@ -1671,6 +1676,10 @@ process_server_config_line(ServerOptions
*activep = value;
break;
@ -226,7 +226,7 @@ diff -up openssh-6.8p1/servconf.c.kuserok openssh-6.8p1/servconf.c
case sPermitOpen:
arg = strdelim(&cp);
if (!arg || *arg == '\0')
@@ -1935,6 +1944,7 @@ copy_set_server_options(ServerOptions *d
@@ -2023,6 +2032,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(max_authtries);
M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk);
@ -234,7 +234,7 @@ diff -up openssh-6.8p1/servconf.c.kuserok openssh-6.8p1/servconf.c
M_CP_INTOPT(rekey_limit);
M_CP_INTOPT(rekey_interval);
@@ -2194,6 +2204,7 @@ dump_config(ServerOptions *o)
@@ -2304,6 +2314,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
@ -242,10 +242,10 @@ diff -up openssh-6.8p1/servconf.c.kuserok openssh-6.8p1/servconf.c
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
diff -up openssh-6.8p1/servconf.h.kuserok openssh-6.8p1/servconf.h
--- openssh-6.8p1/servconf.h.kuserok 2015-03-18 12:37:14.342351322 +0100
+++ openssh-6.8p1/servconf.h 2015-03-18 12:37:14.350351302 +0100
@@ -177,6 +177,7 @@ typedef struct {
diff -up openssh-7.0p1/servconf.h.kuserok openssh-7.0p1/servconf.h
--- openssh-7.0p1/servconf.h.kuserok 2015-08-12 11:26:21.865536141 +0200
+++ openssh-7.0p1/servconf.h 2015-08-12 11:26:21.876536124 +0200
@@ -180,6 +180,7 @@ typedef struct {
int num_permitted_opens;
@ -253,21 +253,10 @@ diff -up openssh-6.8p1/servconf.h.kuserok openssh-6.8p1/servconf.h
char *chroot_directory;
char *revoked_keys_file;
char *trusted_user_ca_keys;
diff -up openssh-6.8p1/sshd_config.kuserok openssh-6.8p1/sshd_config
--- openssh-6.8p1/sshd_config.kuserok 2015-03-18 12:37:14.344351317 +0100
+++ openssh-6.8p1/sshd_config 2015-03-18 12:37:14.350351302 +0100
@@ -87,6 +87,7 @@ ChallengeResponseAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
+#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication yes
diff -up openssh-6.8p1/sshd_config.5.kuserok openssh-6.8p1/sshd_config.5
--- openssh-6.8p1/sshd_config.5.kuserok 2015-03-18 12:37:14.343351319 +0100
+++ openssh-6.8p1/sshd_config.5 2015-03-18 12:39:23.373026939 +0100
@@ -779,6 +779,10 @@ Specifies whether to automatically destr
diff -up openssh-7.0p1/sshd_config.5.kuserok openssh-7.0p1/sshd_config.5
--- openssh-7.0p1/sshd_config.5.kuserok 2015-08-12 11:26:21.867536138 +0200
+++ openssh-7.0p1/sshd_config.5 2015-08-12 11:26:21.877536123 +0200
@@ -872,6 +872,10 @@ Specifies whether to automatically destr
file on logout.
The default is
.Dq yes .
@ -278,7 +267,7 @@ diff -up openssh-6.8p1/sshd_config.5.kuserok openssh-6.8p1/sshd_config.5
.It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
@@ -1017,6 +1021,7 @@ Available keywords are
@@ -1116,6 +1120,7 @@ Available keywords are
.Cm IPQoS ,
.Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication ,
@ -286,3 +275,14 @@ diff -up openssh-6.8p1/sshd_config.5.kuserok openssh-6.8p1/sshd_config.5
.Cm MaxAuthTries ,
.Cm MaxSessions ,
.Cm PasswordAuthentication ,
diff -up openssh-7.0p1/sshd_config.kuserok openssh-7.0p1/sshd_config
--- openssh-7.0p1/sshd_config.kuserok 2015-08-12 11:26:21.867536138 +0200
+++ openssh-7.0p1/sshd_config 2015-08-12 11:26:21.876536124 +0200
@@ -87,6 +87,7 @@ ChallengeResponseAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
+#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication yes


@ -1,6 +1,6 @@
diff -up openssh/audit-bsm.c.audit openssh/audit-bsm.c
--- openssh/audit-bsm.c.audit 2015-06-23 02:34:47.000000000 +0200
+++ openssh/audit-bsm.c 2015-06-24 11:53:29.780390469 +0200
diff -up openssh-7.0p1/audit-bsm.c.audit openssh-7.0p1/audit-bsm.c
--- openssh-7.0p1/audit-bsm.c.audit 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/audit-bsm.c 2015-08-12 11:33:00.409914290 +0200
@@ -375,10 +375,23 @@ audit_connection_from(const char *host,
#endif
}
@ -80,9 +80,9 @@ diff -up openssh/audit-bsm.c.audit openssh/audit-bsm.c
+ /* not implemented */
+}
#endif /* BSM */
diff -up openssh/audit.c.audit openssh/audit.c
--- openssh/audit.c.audit 2015-06-23 02:34:47.000000000 +0200
+++ openssh/audit.c 2015-06-24 11:53:29.781390467 +0200
diff -up openssh-7.0p1/audit.c.audit openssh-7.0p1/audit.c
--- openssh-7.0p1/audit.c.audit 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/audit.c 2015-08-12 11:33:00.410914289 +0200
@@ -28,6 +28,7 @@
#include <stdarg.h>
@ -280,9 +280,9 @@ diff -up openssh/audit.c.audit openssh/audit.c
}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh/audit.h.audit openssh/audit.h
--- openssh/audit.h.audit 2015-06-23 02:34:47.000000000 +0200
+++ openssh/audit.h 2015-06-24 11:53:29.781390467 +0200
diff -up openssh-7.0p1/audit.h.audit openssh-7.0p1/audit.h
--- openssh-7.0p1/audit.h.audit 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/audit.h 2015-08-12 11:33:00.410914289 +0200
@@ -28,6 +28,7 @@
# define _SSH_AUDIT_H
@ -318,9 +318,9 @@ diff -up openssh/audit.h.audit openssh/audit.h
+void audit_generate_ephemeral_server_key(const char *);
#endif /* _SSH_AUDIT_H */
diff -up openssh/audit-linux.c.audit openssh/audit-linux.c
--- openssh/audit-linux.c.audit 2015-06-23 02:34:47.000000000 +0200
+++ openssh/audit-linux.c 2015-06-24 11:53:29.781390467 +0200
diff -up openssh-7.0p1/audit-linux.c.audit openssh-7.0p1/audit-linux.c
--- openssh-7.0p1/audit-linux.c.audit 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/audit-linux.c 2015-08-12 11:33:00.411914287 +0200
@@ -35,13 +35,25 @@
#include "log.h"
@ -612,7 +612,7 @@ diff -up openssh/audit-linux.c.audit openssh/audit-linux.c
+#ifdef AUDIT_CRYPTO_SESSION
+ char buf[AUDIT_LOG_SIZE];
+ int audit_fd, audit_ok;
+ const Cipher *cipher = cipher_by_name(enc);
+ const struct sshcipher *cipher = cipher_by_name(enc);
+ char *s;
+
+ snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d mac=%s pfs=%s spid=%jd suid=%jd rport=%d laddr=%s lport=%d ",
@ -712,9 +712,9 @@ diff -up openssh/audit-linux.c.audit openssh/audit-linux.c
+ error("cannot write into audit");
+}
#endif /* USE_LINUX_AUDIT */
diff -up openssh/auditstub.c.audit openssh/auditstub.c
--- openssh/auditstub.c.audit 2015-06-24 11:53:29.782390464 +0200
+++ openssh/auditstub.c 2015-06-24 11:53:29.782390464 +0200
diff -up openssh-7.0p1/auditstub.c.audit openssh-7.0p1/auditstub.c
--- openssh-7.0p1/auditstub.c.audit 2015-08-12 11:33:00.411914287 +0200
+++ openssh-7.0p1/auditstub.c 2015-08-12 11:33:00.411914287 +0200
@@ -0,0 +1,50 @@
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */
+
@ -766,9 +766,9 @@ diff -up openssh/auditstub.c.audit openssh/auditstub.c
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
+{
+}
diff -up openssh/auth2.c.audit openssh/auth2.c
--- openssh/auth2.c.audit 2015-06-24 11:53:29.731390595 +0200
+++ openssh/auth2.c 2015-06-24 11:53:29.783390462 +0200
diff -up openssh-7.0p1/auth2.c.audit openssh-7.0p1/auth2.c
--- openssh-7.0p1/auth2.c.audit 2015-08-12 11:33:00.349914384 +0200
+++ openssh-7.0p1/auth2.c 2015-08-12 11:33:00.411914287 +0200
@@ -249,9 +249,6 @@ input_userauth_request(int type, u_int32
} else {
logit("input_userauth_request: invalid user %s", user);
@ -779,9 +779,9 @@ diff -up openssh/auth2.c.audit openssh/auth2.c
}
#ifdef USE_PAM
if (options.use_pam)
diff -up openssh/auth2-hostbased.c.audit openssh/auth2-hostbased.c
--- openssh/auth2-hostbased.c.audit 2015-06-24 11:53:29.682390720 +0200
+++ openssh/auth2-hostbased.c 2015-06-24 11:53:29.782390464 +0200
diff -up openssh-7.0p1/auth2-hostbased.c.audit openssh-7.0p1/auth2-hostbased.c
--- openssh-7.0p1/auth2-hostbased.c.audit 2015-08-12 11:33:00.303914456 +0200
+++ openssh-7.0p1/auth2-hostbased.c 2015-08-12 11:33:00.412914286 +0200
@@ -146,7 +146,7 @@ userauth_hostbased(Authctxt *authctxt)
/* test for allowed key and correct signature */
authenticated = 0;
@ -810,9 +810,9 @@ diff -up openssh/auth2-hostbased.c.audit openssh/auth2-hostbased.c
/* return 1 if given hostkey is allowed */
int
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
diff -up openssh/auth2-pubkey.c.audit openssh/auth2-pubkey.c
--- openssh/auth2-pubkey.c.audit 2015-06-24 11:53:29.783390462 +0200
+++ openssh/auth2-pubkey.c 2015-06-24 11:58:49.547572821 +0200
diff -up openssh-7.0p1/auth2-pubkey.c.audit openssh-7.0p1/auth2-pubkey.c
--- openssh-7.0p1/auth2-pubkey.c.audit 2015-08-12 11:33:00.318914432 +0200
+++ openssh-7.0p1/auth2-pubkey.c 2015-08-12 11:33:00.412914286 +0200
@@ -175,7 +175,7 @@ userauth_pubkey(Authctxt *authctxt)
/* test for correct signature */
authenticated = 0;
@ -841,10 +841,10 @@ diff -up openssh/auth2-pubkey.c.audit openssh/auth2-pubkey.c
/*
* Splits 's' into an argument vector. Handles quoted string and basic
* escape characters (\\, \", \'). Caller must free the argument vector
diff -up openssh/auth.c.audit openssh/auth.c
--- openssh/auth.c.audit 2015-06-23 02:34:47.000000000 +0200
+++ openssh/auth.c 2015-06-24 11:53:29.782390464 +0200
@@ -643,9 +643,6 @@ getpwnamallow(const char *user)
diff -up openssh-7.0p1/auth.c.audit openssh-7.0p1/auth.c
--- openssh-7.0p1/auth.c.audit 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/auth.c 2015-08-12 11:33:00.412914286 +0200
@@ -645,9 +645,6 @@ getpwnamallow(const char *user)
record_failed_login(user,
get_canonical_hostname(options.use_dns), "ssh");
#endif
@ -854,9 +854,9 @@ diff -up openssh/auth.c.audit openssh/auth.c
return (NULL);
}
if (!allowed_user(pw))
diff -up openssh/auth.h.audit openssh/auth.h
--- openssh/auth.h.audit 2015-06-24 11:53:29.682390720 +0200
+++ openssh/auth.h 2015-06-24 11:53:29.782390464 +0200
diff -up openssh-7.0p1/auth.h.audit openssh-7.0p1/auth.h
--- openssh-7.0p1/auth.h.audit 2015-08-12 11:33:00.302914457 +0200
+++ openssh-7.0p1/auth.h 2015-08-12 11:33:00.412914286 +0200
@@ -195,6 +195,7 @@ void abandon_challenge_response(Authctxt
char *expand_authorized_keys(const char *, struct passwd *pw);
@ -873,9 +873,9 @@ diff -up openssh/auth.h.audit openssh/auth.h
/* debug messages during authentication */
void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
diff -up openssh/auth-rsa.c.audit openssh/auth-rsa.c
--- openssh/auth-rsa.c.audit 2015-06-23 02:34:47.000000000 +0200
+++ openssh/auth-rsa.c 2015-06-24 11:53:29.782390464 +0200
diff -up openssh-7.0p1/auth-rsa.c.audit openssh-7.0p1/auth-rsa.c
--- openssh-7.0p1/auth-rsa.c.audit 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/auth-rsa.c 2015-08-12 11:33:00.412914286 +0200
@@ -95,7 +95,10 @@ auth_rsa_verify_response(Key *key, BIGNU
{
u_char buf[32], mdbuf[16];
@ -912,9 +912,9 @@ diff -up openssh/auth-rsa.c.audit openssh/auth-rsa.c
}
/*
diff -up openssh/cipher.c.audit openssh/cipher.c
--- openssh/cipher.c.audit 2015-06-23 02:34:47.000000000 +0200
+++ openssh/cipher.c 2015-06-24 11:53:29.783390462 +0200
diff -up openssh-7.0p1/cipher.c.audit openssh-7.0p1/cipher.c
--- openssh-7.0p1/cipher.c.audit 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/cipher.c 2015-08-12 11:33:00.412914286 +0200
@@ -57,26 +57,6 @@ extern const EVP_CIPHER *evp_ssh1_3des(v
extern int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
#endif
@ -942,9 +942,9 @@ diff -up openssh/cipher.c.audit openssh/cipher.c
static const struct sshcipher ciphers[] = {
#ifdef WITH_SSH1
{ "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
diff -up openssh/cipher.h.audit openssh/cipher.h
--- openssh/cipher.h.audit 2015-06-23 02:34:47.000000000 +0200
+++ openssh/cipher.h 2015-06-24 11:53:29.783390462 +0200
diff -up openssh-7.0p1/cipher.h.audit openssh-7.0p1/cipher.h
--- openssh-7.0p1/cipher.h.audit 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/cipher.h 2015-08-12 11:33:00.413914284 +0200
@@ -62,7 +62,26 @@
#define CIPHER_ENCRYPT 1
#define CIPHER_DECRYPT 0
@ -973,9 +973,9 @@ diff -up openssh/cipher.h.audit openssh/cipher.h
struct sshcipher_ctx {
int plaintext;
int encrypt;
diff -up openssh/kex.c.audit openssh/kex.c
--- openssh/kex.c.audit 2015-06-24 11:53:29.733390590 +0200
+++ openssh/kex.c 2015-06-24 11:53:29.783390462 +0200
diff -up openssh-7.0p1/kex.c.audit openssh-7.0p1/kex.c
--- openssh-7.0p1/kex.c.audit 2015-08-12 11:33:00.351914381 +0200
+++ openssh-7.0p1/kex.c 2015-08-12 11:33:00.413914284 +0200
@@ -54,6 +54,7 @@
#include "ssherr.h"
#include "sshbuf.h"
@ -984,7 +984,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
#ifdef GSSAPI
#include "ssh-gss.h"
@@ -486,8 +487,12 @@ choose_enc(struct sshenc *enc, char *cli
@@ -549,8 +550,12 @@ choose_enc(struct sshenc *enc, char *cli
{
char *name = match_list(client, server, NULL);
@ -998,7 +998,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
if ((enc->cipher = cipher_by_name(name)) == NULL)
return SSH_ERR_INTERNAL_ERROR;
enc->name = name;
@@ -505,8 +510,12 @@ choose_mac(struct ssh *ssh, struct sshma
@@ -568,8 +573,12 @@ choose_mac(struct ssh *ssh, struct sshma
{
char *name = match_list(client, server, NULL);
@ -1012,7 +1012,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
if (mac_setup(mac, name) < 0)
return SSH_ERR_INTERNAL_ERROR;
/* truncate the key */
@@ -523,8 +532,12 @@ choose_comp(struct sshcomp *comp, char *
@@ -586,8 +595,12 @@ choose_comp(struct sshcomp *comp, char *
{
char *name = match_list(client, server, NULL);
@ -1026,7 +1026,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
if (strcmp(name, "zlib@openssh.com") == 0) {
comp->type = COMP_DELAYED;
} else if (strcmp(name, "zlib") == 0) {
@@ -674,6 +687,10 @@ kex_choose_conf(struct ssh *ssh)
@@ -753,6 +766,10 @@ kex_choose_conf(struct ssh *ssh)
dh_need = MAX(dh_need, newkeys->enc.block_size);
dh_need = MAX(dh_need, newkeys->enc.iv_len);
dh_need = MAX(dh_need, newkeys->mac.key_len);
@ -1037,7 +1037,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
}
/* XXX need runden? */
kex->we_need = need;
@@ -849,3 +866,34 @@ dump_digest(char *msg, u_char *digest, i
@@ -928,3 +945,34 @@ dump_digest(char *msg, u_char *digest, i
sshbuf_dump_data(digest, len, stderr);
}
#endif
@ -1072,10 +1072,10 @@ diff -up openssh/kex.c.audit openssh/kex.c
+ memset(&newkeys->comp, 0, sizeof(newkeys->comp));
+}
+
diff -up openssh/kex.h.audit openssh/kex.h
--- openssh/kex.h.audit 2015-06-24 11:53:29.733390590 +0200
+++ openssh/kex.h 2015-06-24 11:53:29.784390459 +0200
@@ -199,6 +199,8 @@ int kexgss_client(struct ssh *);
diff -up openssh-7.0p1/kex.h.audit openssh-7.0p1/kex.h
--- openssh-7.0p1/kex.h.audit 2015-08-12 11:33:00.352914379 +0200
+++ openssh-7.0p1/kex.h 2015-08-12 11:33:00.413914284 +0200
@@ -202,6 +202,8 @@ int kexgss_client(struct ssh *);
int kexgss_server(struct ssh *);
#endif
@ -1084,20 +1084,20 @@ diff -up openssh/kex.h.audit openssh/kex.h
int kex_dh_hash(const char *, const char *,
const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *);
diff -up openssh/key.h.audit openssh/key.h
--- openssh/key.h.audit 2015-06-23 02:34:47.000000000 +0200
+++ openssh/key.h 2015-06-24 11:53:29.784390459 +0200
diff -up openssh-7.0p1/key.h.audit openssh-7.0p1/key.h
--- openssh-7.0p1/key.h.audit 2015-08-12 11:33:00.413914284 +0200
+++ openssh-7.0p1/key.h 2015-08-12 11:33:45.908843298 +0200
@@ -50,6 +50,7 @@ typedef struct sshkey Key;
#define key_ecdsa_bits_to_nid sshkey_ecdsa_bits_to_nid
#define key_ecdsa_key_to_nid sshkey_ecdsa_key_to_nid
#define key_is_cert sshkey_is_cert
+#define key_is_private sshkey_is_private
#define key_type_plain sshkey_type_plain
#define key_cert_is_legacy sshkey_cert_is_legacy
#define key_curve_name_to_nid sshkey_curve_name_to_nid
diff -up openssh/mac.c.audit openssh/mac.c
--- openssh/mac.c.audit 2015-06-23 02:34:47.000000000 +0200
+++ openssh/mac.c 2015-06-24 11:53:29.784390459 +0200
#define key_curve_nid_to_bits sshkey_curve_nid_to_bits
diff -up openssh-7.0p1/mac.c.audit openssh-7.0p1/mac.c
--- openssh-7.0p1/mac.c.audit 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/mac.c 2015-08-12 11:33:00.413914284 +0200
@@ -226,6 +226,20 @@ mac_clear(struct sshmac *mac)
mac->umac_ctx = NULL;
}
@ -1119,9 +1119,9 @@ diff -up openssh/mac.c.audit openssh/mac.c
/* XXX copied from ciphers_valid */
#define MAC_SEP ","
int
diff -up openssh/mac.h.audit openssh/mac.h
--- openssh/mac.h.audit 2015-06-23 02:34:47.000000000 +0200
+++ openssh/mac.h 2015-06-24 11:53:29.784390459 +0200
diff -up openssh-7.0p1/mac.h.audit openssh-7.0p1/mac.h
--- openssh-7.0p1/mac.h.audit 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/mac.h 2015-08-12 11:33:00.413914284 +0200
@@ -47,5 +47,6 @@ int mac_init(struct sshmac *);
int mac_compute(struct sshmac *, u_int32_t, const u_char *, int,
u_char *, size_t);
@ -1129,9 +1129,9 @@ diff -up openssh/mac.h.audit openssh/mac.h
+void mac_destroy(struct sshmac *);
#endif /* SSHMAC_H */
diff -up openssh/Makefile.in.audit openssh/Makefile.in
--- openssh/Makefile.in.audit 2015-06-24 11:53:29.752390541 +0200
+++ openssh/Makefile.in 2015-06-24 11:53:29.780390469 +0200
diff -up openssh-7.0p1/Makefile.in.audit openssh-7.0p1/Makefile.in
--- openssh-7.0p1/Makefile.in.audit 2015-08-12 11:33:00.402914301 +0200
+++ openssh-7.0p1/Makefile.in 2015-08-12 11:33:00.414914283 +0200
@@ -98,7 +98,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
@ -1141,9 +1141,9 @@ diff -up openssh/Makefile.in.audit openssh/Makefile.in
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
diff -up openssh/monitor.c.audit openssh/monitor.c
--- openssh/monitor.c.audit 2015-06-24 11:53:29.759390523 +0200
+++ openssh/monitor.c 2015-06-24 11:53:29.784390459 +0200
diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
--- openssh-7.0p1/monitor.c.audit 2015-08-12 11:33:00.378914339 +0200
+++ openssh-7.0p1/monitor.c 2015-08-12 11:33:00.414914283 +0200
@@ -102,6 +102,7 @@
#include "ssh2.h"
#include "roaming.h"
@ -1443,9 +1443,9 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
+ return 0;
+}
+#endif /* SSH_AUDIT_EVENTS */
diff -up openssh/monitor.h.audit openssh/monitor.h
--- openssh/monitor.h.audit 2015-06-24 11:53:29.759390523 +0200
+++ openssh/monitor.h 2015-06-24 11:53:29.785390457 +0200
diff -up openssh-7.0p1/monitor.h.audit openssh-7.0p1/monitor.h
--- openssh-7.0p1/monitor.h.audit 2015-08-12 11:33:00.378914339 +0200
+++ openssh-7.0p1/monitor.h 2015-08-12 11:33:00.414914283 +0200
@@ -69,7 +69,13 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
@ -1461,9 +1461,9 @@ diff -up openssh/monitor.h.audit openssh/monitor.h
};
diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
--- openssh/monitor_wrap.c.audit 2015-06-24 11:53:29.734390587 +0200
+++ openssh/monitor_wrap.c 2015-06-24 11:53:29.785390457 +0200
diff -up openssh-7.0p1/monitor_wrap.c.audit openssh-7.0p1/monitor_wrap.c
--- openssh-7.0p1/monitor_wrap.c.audit 2015-08-12 11:33:00.353914378 +0200
+++ openssh-7.0p1/monitor_wrap.c 2015-08-12 11:33:00.414914283 +0200
@@ -462,7 +462,7 @@ mm_key_allowed(enum mm_keytype type, cha
*/
@ -1500,7 +1500,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
void
mm_send_keystate(struct monitor *monitor)
{
@@ -1006,10 +1019,11 @@ mm_audit_event(ssh_audit_event_t event)
@@ -1005,10 +1018,11 @@ mm_audit_event(ssh_audit_event_t event)
buffer_free(&m);
}
@ -1513,7 +1513,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
debug3("%s entering command %s", __func__, command);
@@ -1017,6 +1031,26 @@ mm_audit_run_command(const char *command
@@ -1016,6 +1030,26 @@ mm_audit_run_command(const char *command
buffer_put_cstring(&m, command);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m);
@ -1540,7 +1540,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
buffer_free(&m);
}
#endif /* SSH_AUDIT_EVENTS */
@@ -1152,3 +1186,70 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc
@@ -1151,3 +1185,70 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc
#endif /* GSSAPI */
@ -1611,9 +1611,9 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
+ buffer_free(&m);
+}
+#endif /* SSH_AUDIT_EVENTS */
diff -up openssh/monitor_wrap.h.audit openssh/monitor_wrap.h
--- openssh/monitor_wrap.h.audit 2015-06-24 11:53:29.734390587 +0200
+++ openssh/monitor_wrap.h 2015-06-24 11:59:45.086430808 +0200
diff -up openssh-7.0p1/monitor_wrap.h.audit openssh-7.0p1/monitor_wrap.h
--- openssh-7.0p1/monitor_wrap.h.audit 2015-08-12 11:33:00.353914378 +0200
+++ openssh-7.0p1/monitor_wrap.h 2015-08-12 11:33:00.415914281 +0200
@@ -52,7 +52,8 @@ int mm_key_allowed(enum mm_keytype, char
int mm_user_key_allowed(struct passwd *, Key *, int);
int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *);
@ -1638,9 +1638,9 @@ diff -up openssh/monitor_wrap.h.audit openssh/monitor_wrap.h
#endif
struct Session;
diff -up openssh/packet.c.audit openssh/packet.c
--- openssh/packet.c.audit 2015-06-24 11:53:29.665390763 +0200
+++ openssh/packet.c 2015-06-24 11:53:29.786390454 +0200
diff -up openssh-7.0p1/packet.c.audit openssh-7.0p1/packet.c
--- openssh-7.0p1/packet.c.audit 2015-08-12 11:33:00.288914479 +0200
+++ openssh-7.0p1/packet.c 2015-08-12 11:33:00.415914281 +0200
@@ -67,6 +67,7 @@
#include "key.h" /* typedefs XXX */
@ -1714,7 +1714,7 @@ diff -up openssh/packet.c.audit openssh/packet.c
if ((r = cipher_cleanup(cc)) != 0)
return r;
enc = &state->newkeys[mode]->enc;
@@ -2281,6 +2293,75 @@ ssh_packet_get_output(struct ssh *ssh)
@@ -2292,6 +2304,75 @@ ssh_packet_get_output(struct ssh *ssh)
return (void *)ssh->state->output;
}
@ -1790,7 +1790,7 @@ diff -up openssh/packet.c.audit openssh/packet.c
/* XXX TODO update roaming to new API (does not work anyway) */
/*
* Save the state for the real connection, and use a separate state when
@@ -2290,18 +2371,12 @@ void
@@ -2301,18 +2382,12 @@ void
ssh_packet_backup_state(struct ssh *ssh,
struct ssh *backup_state)
{
@ -1810,7 +1810,7 @@ diff -up openssh/packet.c.audit openssh/packet.c
}
/* XXX FIXME FIXME FIXME */
@@ -2320,9 +2395,7 @@ ssh_packet_restore_state(struct ssh *ssh
@@ -2331,9 +2406,7 @@ ssh_packet_restore_state(struct ssh *ssh
backup_state = ssh;
ssh = tmp;
ssh->state->connection_in = backup_state->state->connection_in;
@ -1820,7 +1820,7 @@ diff -up openssh/packet.c.audit openssh/packet.c
len = sshbuf_len(backup_state->state->input);
if (len > 0) {
if ((r = sshbuf_putb(ssh->state->input,
@@ -2331,6 +2404,11 @@ ssh_packet_restore_state(struct ssh *ssh
@@ -2342,6 +2415,11 @@ ssh_packet_restore_state(struct ssh *ssh
sshbuf_reset(backup_state->state->input);
add_recv_bytes(len);
}
@ -1832,9 +1832,9 @@ diff -up openssh/packet.c.audit openssh/packet.c
}
/* Reset after_authentication and reset compression in post-auth privsep */
diff -up openssh/packet.h.audit openssh/packet.h
--- openssh/packet.h.audit 2015-06-23 02:34:47.000000000 +0200
+++ openssh/packet.h 2015-06-24 11:53:29.786390454 +0200
diff -up openssh-7.0p1/packet.h.audit openssh-7.0p1/packet.h
--- openssh-7.0p1/packet.h.audit 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/packet.h 2015-08-12 11:33:00.415914281 +0200
@@ -189,7 +189,7 @@ int sshpkt_get_end(struct ssh *ssh);
const u_char *sshpkt_ptr(struct ssh *, size_t *lenp);
@ -1850,10 +1850,10 @@ diff -up openssh/packet.h.audit openssh/packet.h
+void packet_destroy_all(int, int);
#endif /* PACKET_H */
diff -up openssh/sandbox-seccomp-filter.c.audit openssh/sandbox-seccomp-filter.c
--- openssh/sandbox-seccomp-filter.c.audit 2015-06-24 11:53:29.788390449 +0200
+++ openssh/sandbox-seccomp-filter.c 2015-06-24 12:00:37.459296890 +0200
@@ -147,6 +147,12 @@ static const struct sock_filter preauth_
diff -up openssh-7.0p1/sandbox-seccomp-filter.c.audit openssh-7.0p1/sandbox-seccomp-filter.c
--- openssh-7.0p1/sandbox-seccomp-filter.c.audit 2015-08-12 11:33:00.394914314 +0200
+++ openssh-7.0p1/sandbox-seccomp-filter.c 2015-08-12 11:33:00.415914281 +0200
@@ -150,6 +150,12 @@ static const struct sock_filter preauth_
#ifdef __NR_gettimeofday
SC_ALLOW(gettimeofday),
#endif
@ -1866,9 +1866,9 @@ diff -up openssh/sandbox-seccomp-filter.c.audit openssh/sandbox-seccomp-filter.c
#ifdef __NR_madvise
SC_ALLOW(madvise),
#endif
diff -up openssh/session.c.audit openssh/session.c
--- openssh/session.c.audit 2015-06-24 11:53:29.760390520 +0200
+++ openssh/session.c 2015-06-24 11:53:29.786390454 +0200
diff -up openssh-7.0p1/session.c.audit openssh-7.0p1/session.c
--- openssh-7.0p1/session.c.audit 2015-08-12 11:33:00.379914337 +0200
+++ openssh-7.0p1/session.c 2015-08-12 11:33:00.416914280 +0200
@@ -139,7 +139,7 @@ extern int log_stderr;
extern int debug_flag;
extern u_int utmp_len;
@ -2022,9 +2022,9 @@ diff -up openssh/session.c.audit openssh/session.c
- session_destroy_all(session_pty_cleanup2);
+ session_destroy_all(do_cleanup_one_session);
}
diff -up openssh/session.h.audit openssh/session.h
--- openssh/session.h.audit 2015-06-23 02:34:47.000000000 +0200
+++ openssh/session.h 2015-06-24 11:53:29.786390454 +0200
diff -up openssh-7.0p1/session.h.audit openssh-7.0p1/session.h
--- openssh-7.0p1/session.h.audit 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/session.h 2015-08-12 11:33:00.416914280 +0200
@@ -61,6 +61,12 @@ struct Session {
char *name;
char *val;
@ -2049,10 +2049,10 @@ diff -up openssh/session.h.audit openssh/session.h
Session *session_by_tty(char *);
void session_close(Session *);
void do_setusercontext(struct passwd *);
diff -up openssh/sshd.c.audit openssh/sshd.c
--- openssh/sshd.c.audit 2015-06-24 11:53:29.770390495 +0200
+++ openssh/sshd.c 2015-06-24 11:53:29.787390451 +0200
@@ -121,6 +121,7 @@
diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
--- openssh-7.0p1/sshd.c.audit 2015-08-12 11:33:00.388914323 +0200
+++ openssh-7.0p1/sshd.c 2015-08-12 11:33:00.417914278 +0200
@@ -122,6 +122,7 @@
#endif
#include "monitor_wrap.h"
#include "roaming.h"
@ -2060,7 +2060,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
#include "ssh-sandbox.h"
#include "version.h"
#include "ssherr.h"
@@ -260,7 +261,7 @@ Buffer loginmsg;
@@ -261,7 +262,7 @@ Buffer loginmsg;
struct passwd *privsep_pw = NULL;
/* Prototypes for various functions defined later in this file. */
@ -2069,7 +2069,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
void demote_sensitive_data(void);
#ifdef WITH_SSH1
@@ -281,6 +282,15 @@ close_listen_socks(void)
@@ -282,6 +283,15 @@ close_listen_socks(void)
num_listen_socks = -1;
}
@ -2085,7 +2085,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
static void
close_startup_pipes(void)
{
@@ -560,22 +570,45 @@ sshd_exchange_identification(int sock_in
@@ -561,22 +571,45 @@ sshd_exchange_identification(int sock_in
}
}
@ -2134,7 +2134,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
key_free(sensitive_data.host_certificates[i]);
sensitive_data.host_certificates[i] = NULL;
}
@@ -589,6 +622,8 @@ void
@@ -590,6 +623,8 @@ void
demote_sensitive_data(void)
{
Key *tmp;
@ -2143,7 +2143,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
int i;
if (sensitive_data.server_key) {
@@ -597,13 +632,25 @@ demote_sensitive_data(void)
@@ -598,13 +633,25 @@ demote_sensitive_data(void)
sensitive_data.server_key = tmp;
}
@ -2169,7 +2169,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
}
/* Certs do not need demotion */
}
@@ -675,7 +722,7 @@ privsep_preauth(Authctxt *authctxt)
@@ -676,7 +723,7 @@ privsep_preauth(Authctxt *authctxt)
if (use_privsep == PRIVSEP_ON)
box = ssh_sandbox_init(pmonitor);
@ -2178,7 +2178,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
if (pid == -1) {
fatal("fork of unprivileged child failed");
} else if (pid != 0) {
@@ -759,6 +806,12 @@ privsep_postauth(Authctxt *authctxt)
@@ -760,6 +807,12 @@ privsep_postauth(Authctxt *authctxt)
else if (pmonitor->m_pid != 0) {
verbose("User child is on pid %ld", (long)pmonitor->m_pid);
buffer_clear(&loginmsg);
@ -2191,7 +2191,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
monitor_child_postauth(pmonitor);
/* NEVERREACHED */
@@ -1288,6 +1341,7 @@ server_accept_loop(int *sock_in, int *so
@@ -1292,6 +1345,7 @@ server_accept_loop(int *sock_in, int *so
if (received_sigterm) {
logit("Received signal %d; terminating.",
(int) received_sigterm);
@ -2199,7 +2199,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
close_listen_socks();
if (options.pid_file != NULL)
unlink(options.pid_file);
@@ -2251,6 +2305,7 @@ main(int ac, char **av)
@@ -2255,6 +2309,7 @@ main(int ac, char **av)
*/
if (use_privsep) {
mm_send_keystate(pmonitor);
@ -2207,7 +2207,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
exit(0);
}
@@ -2296,7 +2351,7 @@ main(int ac, char **av)
@@ -2300,7 +2355,7 @@ main(int ac, char **av)
privsep_postauth(authctxt);
/* the monitor process [priv] will not return */
if (!compat20)
@ -2216,7 +2216,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
}
packet_set_timeout(options.client_alive_interval,
@@ -2310,6 +2365,9 @@ main(int ac, char **av)
@@ -2314,6 +2369,9 @@ main(int ac, char **av)
do_authenticated(authctxt);
/* The connection has been terminated. */
@ -2226,7 +2226,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
packet_get_bytes(&ibytes, &obytes);
verbose("Transferred: sent %llu, received %llu bytes",
(unsigned long long)obytes, (unsigned long long)ibytes);
@@ -2470,6 +2528,10 @@ do_ssh1_kex(void)
@@ -2474,6 +2532,10 @@ do_ssh1_kex(void)
if (cookie[i] != packet_get_char())
packet_disconnect("IP Spoofing check bytes do not match.");
@ -2237,7 +2237,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
debug("Encryption type: %.200s", cipher_name(cipher_type));
/* Get the encrypted integer. */
@@ -2529,7 +2591,7 @@ do_ssh1_kex(void)
@@ -2533,7 +2595,7 @@ do_ssh1_kex(void)
}
/* Destroy the private and public keys. No longer. */
@ -2246,7 +2246,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
if (use_privsep)
mm_ssh1_session_id(session_id);
@@ -2712,6 +2774,16 @@ do_ssh2_kex(void)
@@ -2705,6 +2767,16 @@ do_ssh2_kex(void)
void
cleanup_exit(int i)
{
@ -2263,7 +2263,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
if (the_authctxt) {
do_cleanup(the_authctxt);
if (use_privsep && privsep_is_preauth &&
@@ -2723,9 +2795,14 @@ cleanup_exit(int i)
@@ -2716,9 +2788,14 @@ cleanup_exit(int i)
pmonitor->m_pid, strerror(errno));
}
}
@ -2279,22 +2279,20 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
audit_event(SSH_CONNECTION_ABANDON);
#endif
_exit(i);
diff -up openssh/sshkey.c.audit openssh/sshkey.c
--- openssh/sshkey.c.audit 2015-06-23 02:34:47.000000000 +0200
+++ openssh/sshkey.c 2015-06-24 11:53:29.787390451 +0200
@@ -317,6 +317,33 @@ sshkey_type_is_valid_ca(int type)
diff -up openssh-7.0p1/sshkey.c.audit openssh-7.0p1/sshkey.c
--- openssh-7.0p1/sshkey.c.audit 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/sshkey.c 2015-08-12 11:33:00.417914278 +0200
@@ -299,6 +299,31 @@ sshkey_type_is_valid_ca(int type)
}
int
+sshkey_is_private(const struct sshkey *k)
+{
+ switch (k->type) {
+ case KEY_RSA_CERT_V00:
+ case KEY_RSA_CERT:
+ case KEY_RSA1:
+ case KEY_RSA:
+ return k->rsa->d != NULL;
+ case KEY_DSA_CERT_V00:
+ case KEY_DSA_CERT:
+ case KEY_DSA:
+ return k->dsa->priv_key != NULL;
@ -2316,10 +2314,10 @@ diff -up openssh/sshkey.c.audit openssh/sshkey.c
sshkey_is_cert(const struct sshkey *k)
{
if (k == NULL)
diff -up openssh/sshkey.h.audit openssh/sshkey.h
--- openssh/sshkey.h.audit 2015-06-23 02:34:47.000000000 +0200
+++ openssh/sshkey.h 2015-06-24 11:53:29.787390451 +0200
@@ -134,6 +134,7 @@ u_int sshkey_size(const struct sshkey
diff -up openssh-7.0p1/sshkey.h.audit openssh-7.0p1/sshkey.h
--- openssh-7.0p1/sshkey.h.audit 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/sshkey.h 2015-08-12 11:33:00.417914278 +0200
@@ -132,6 +132,7 @@ u_int sshkey_size(const struct sshkey
int sshkey_generate(int type, u_int bits, struct sshkey **keyp);
int sshkey_from_private(const struct sshkey *, struct sshkey **);
int sshkey_type_from_name(const char *);


@ -1,6 +1,6 @@
diff -up openssh/cipher.c.fips openssh/cipher.c
--- openssh/cipher.c.fips 2015-06-24 12:00:58.730242500 +0200
+++ openssh/cipher.c 2015-06-24 12:00:58.737242482 +0200
diff -up openssh-7.0p1/cipher.c.fips openssh-7.0p1/cipher.c
--- openssh-7.0p1/cipher.c.fips 2015-08-12 11:34:11.722803020 +0200
+++ openssh-7.0p1/cipher.c 2015-08-12 11:34:11.733803003 +0200
@@ -39,6 +39,8 @@
#include <sys/types.h>
@ -73,9 +73,9 @@ diff -up openssh/cipher.c.fips openssh/cipher.c
if (strcasecmp(c->name, name) == 0)
return c->number;
return -1;
diff -up openssh/cipher-ctr.c.fips openssh/cipher-ctr.c
--- openssh/cipher-ctr.c.fips 2015-06-24 12:00:58.669242656 +0200
+++ openssh/cipher-ctr.c 2015-06-24 12:00:58.736242484 +0200
diff -up openssh-7.0p1/cipher-ctr.c.fips openssh-7.0p1/cipher-ctr.c
--- openssh-7.0p1/cipher-ctr.c.fips 2015-08-12 11:34:11.650803133 +0200
+++ openssh-7.0p1/cipher-ctr.c 2015-08-12 11:34:11.734803002 +0200
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
aes_ctr.do_cipher = ssh_aes_ctr;
#ifndef SSH_OLD_EVP
@ -86,9 +86,9 @@ diff -up openssh/cipher-ctr.c.fips openssh/cipher-ctr.c
#endif
return (&aes_ctr);
}
diff -up openssh/dh.h.fips openssh/dh.h
--- openssh/dh.h.fips 2015-06-23 02:34:47.000000000 +0200
+++ openssh/dh.h 2015-06-24 12:00:58.737242482 +0200
diff -up openssh-7.0p1/dh.h.fips openssh-7.0p1/dh.h
--- openssh-7.0p1/dh.h.fips 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/dh.h 2015-08-12 11:34:11.734803002 +0200
@@ -46,6 +46,7 @@ u_int dh_estimate(int);
/* Min and max values from RFC4419. */
@ -97,9 +97,9 @@ diff -up openssh/dh.h.fips openssh/dh.h
#define DH_GRP_MAX 8192
/*
diff -up openssh/entropy.c.fips openssh/entropy.c
--- openssh/entropy.c.fips 2015-06-24 12:00:58.662242674 +0200
+++ openssh/entropy.c 2015-06-24 12:00:58.737242482 +0200
diff -up openssh-7.0p1/entropy.c.fips openssh-7.0p1/entropy.c
--- openssh-7.0p1/entropy.c.fips 2015-08-12 11:34:11.643803144 +0200
+++ openssh-7.0p1/entropy.c 2015-08-12 11:34:11.734803002 +0200
@@ -217,6 +217,9 @@ seed_rng(void)
fatal("OpenSSL version mismatch. Built against %lx, you "
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
@ -110,9 +110,9 @@ diff -up openssh/entropy.c.fips openssh/entropy.c
#ifndef OPENSSL_PRNG_ONLY
if (RAND_status() == 1) {
debug3("RNG is ready, skipping seeding");
diff -up openssh/kex.c.fips openssh/kex.c
--- openssh/kex.c.fips 2015-06-24 12:00:58.730242500 +0200
+++ openssh/kex.c 2015-06-24 12:00:58.737242482 +0200
diff -up openssh-7.0p1/kex.c.fips openssh-7.0p1/kex.c
--- openssh-7.0p1/kex.c.fips 2015-08-12 11:34:11.723803019 +0200
+++ openssh-7.0p1/kex.c 2015-08-12 11:34:11.734803002 +0200
@@ -35,6 +35,7 @@
#ifdef WITH_OPENSSL
@ -168,9 +168,9 @@ diff -up openssh/kex.c.fips openssh/kex.c
free(s);
return 0;
}
diff -up openssh/kexgexc.c.fips openssh/kexgexc.c
--- openssh/kexgexc.c.fips 2015-06-24 12:00:58.737242482 +0200
+++ openssh/kexgexc.c 2015-06-24 12:02:26.996015709 +0200
diff -up openssh-7.0p1/kexgexc.c.fips openssh-7.0p1/kexgexc.c
--- openssh-7.0p1/kexgexc.c.fips 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/kexgexc.c 2015-08-12 11:34:11.734803002 +0200
@@ -28,6 +28,7 @@
#ifdef WITH_OPENSSL
@ -188,9 +188,9 @@ diff -up openssh/kexgexc.c.fips openssh/kexgexc.c
kex->max = DH_GRP_MAX;
kex->nbits = nbits;
if (datafellows & SSH_BUG_DHGEX_LARGE)
diff -up openssh/kexgexs.c.fips openssh/kexgexs.c
--- openssh/kexgexs.c.fips 2015-06-24 12:00:58.738242479 +0200
+++ openssh/kexgexs.c 2015-06-24 13:48:23.735320199 +0200
diff -up openssh-7.0p1/kexgexs.c.fips openssh-7.0p1/kexgexs.c
--- openssh-7.0p1/kexgexs.c.fips 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/kexgexs.c 2015-08-12 11:34:11.735803000 +0200
@@ -81,11 +81,11 @@ input_kex_dh_gex_request(int type, u_int
(r = sshpkt_get_end(ssh)) != 0)
goto out;
@ -206,9 +206,9 @@ diff -up openssh/kexgexs.c.fips openssh/kexgexs.c
nbits = MIN(DH_GRP_MAX, nbits);
if (kex->max < kex->min || kex->nbits < kex->min ||
diff -up openssh/mac.c.fips openssh/mac.c
--- openssh/mac.c.fips 2015-06-24 12:00:58.731242497 +0200
+++ openssh/mac.c 2015-06-24 12:00:58.738242479 +0200
diff -up openssh-7.0p1/mac.c.fips openssh-7.0p1/mac.c
--- openssh-7.0p1/mac.c.fips 2015-08-12 11:34:11.725803016 +0200
+++ openssh-7.0p1/mac.c 2015-08-12 11:34:11.735803000 +0200
@@ -27,6 +27,8 @@
#include <sys/types.h>
@ -270,9 +270,9 @@ diff -up openssh/mac.c.fips openssh/mac.c
if (strcmp(name, m->name) != 0)
continue;
if (mac != NULL)
diff -up openssh/Makefile.in.fips openssh/Makefile.in
--- openssh/Makefile.in.fips 2015-06-24 12:00:58.731242497 +0200
+++ openssh/Makefile.in 2015-06-24 12:00:58.736242484 +0200
diff -up openssh-7.0p1/Makefile.in.fips openssh-7.0p1/Makefile.in
--- openssh-7.0p1/Makefile.in.fips 2015-08-12 11:34:11.725803016 +0200
+++ openssh-7.0p1/Makefile.in 2015-08-12 11:34:11.735803000 +0200
@@ -168,25 +168,25 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@
@ -314,10 +314,10 @@ diff -up openssh/Makefile.in.fips openssh/Makefile.in
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -up openssh/myproposal.h.fips openssh/myproposal.h
--- openssh/myproposal.h.fips 2015-06-23 02:34:47.000000000 +0200
+++ openssh/myproposal.h 2015-06-24 12:00:58.738242479 +0200
@@ -143,6 +143,28 @@
diff -up openssh-7.0p1/myproposal.h.fips openssh-7.0p1/myproposal.h
--- openssh-7.0p1/myproposal.h.fips 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/myproposal.h 2015-08-12 11:34:11.735803000 +0200
@@ -138,6 +138,28 @@
"hmac-sha1-96," \
"hmac-md5-96"
@ -346,10 +346,45 @@ diff -up openssh/myproposal.h.fips openssh/myproposal.h
#else
#define KEX_SERVER_KEX \
diff -up openssh/servconf.c.fips openssh/servconf.c
--- openssh/servconf.c.fips 2015-06-24 12:00:58.726242510 +0200
+++ openssh/servconf.c 2015-06-24 13:49:40.164085648 +0200
@@ -2319,8 +2319,10 @@ dump_config(ServerOptions *o)
diff -up openssh-7.0p1/readconf.c.fips openssh-7.0p1/readconf.c
--- openssh-7.0p1/readconf.c.fips 2015-08-12 14:37:39.206466634 +0200
+++ openssh-7.0p1/readconf.c 2015-08-12 14:47:00.342350208 +0200
@@ -1897,9 +1897,12 @@ fill_default_options(Options * options)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
if (options->update_hostkeys == -1)
options->update_hostkeys = 0;
- if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
- kex_assemble_names(KEX_CLIENT_MAC, &options->macs) != 0 ||
- kex_assemble_names(KEX_CLIENT_KEX, &options->kex_algorithms) != 0 ||
+ if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_ENCRYPT
+ : KEX_CLIENT_ENCRYPT), &options->ciphers) != 0 ||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_MAC
+ : KEX_CLIENT_MAC), &options->macs) != 0 ||
+ kex_assemble_names((FIPS_mode() ? KEX_DEFAULT_KEX_FIPS
+ : KEX_CLIENT_KEX), &options->kex_algorithms) != 0 ||
kex_assemble_names(KEX_DEFAULT_PK_ALG,
&options->hostbased_key_types) != 0 ||
kex_assemble_names(KEX_DEFAULT_PK_ALG,
diff -up openssh-7.0p1/servconf.c.fips openssh-7.0p1/servconf.c
--- openssh-7.0p1/servconf.c.fips 2015-08-12 11:34:11.714803033 +0200
+++ openssh-7.0p1/servconf.c 2015-08-12 14:50:14.608951396 +0200
@@ -357,9 +357,12 @@ fill_default_server_options(ServerOption
if (options->use_kuserok == -1)
options->use_kuserok = 1;
- if (kex_assemble_names(KEX_SERVER_ENCRYPT, &options->ciphers) != 0 ||
- kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 ||
- kex_assemble_names(KEX_SERVER_KEX, &options->kex_algorithms) != 0 ||
+ if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_ENCRYPT
+ : KEX_SERVER_ENCRYPT), &options->ciphers) != 0 ||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_MAC
+ : KEX_SERVER_MAC), &options->macs) != 0 ||
+ kex_assemble_names((FIPS_mode() ? KEX_DEFAULT_KEX_FIPS
+ : KEX_SERVER_KEX), &options->kex_algorithms) != 0 ||
kex_assemble_names(KEX_DEFAULT_PK_ALG,
&options->hostbased_key_types) != 0 ||
kex_assemble_names(KEX_DEFAULT_PK_ALG,
@@ -2336,8 +2339,10 @@ dump_config(ServerOptions *o)
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
dump_cfg_string(sXAuthLocation, o->xauth_location);
@ -362,7 +397,7 @@ diff -up openssh/servconf.c.fips openssh/servconf.c
dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none");
dump_cfg_string(sForceCommand, o->adm_forced_command);
dump_cfg_string(sChrootDirectory, o->chroot_directory);
@@ -2335,8 +2337,8 @@ dump_config(ServerOptions *o)
@@ -2352,8 +2357,8 @@ dump_config(ServerOptions *o)
dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
dump_cfg_string(sHostKeyAgent, o->host_key_agent);
@ -372,10 +407,10 @@ diff -up openssh/servconf.c.fips openssh/servconf.c
+ FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX);
dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
diff -up openssh/ssh.c.fips openssh/ssh.c
--- openssh/ssh.c.fips 2015-06-23 02:34:47.000000000 +0200
+++ openssh/ssh.c 2015-06-24 12:00:58.738242479 +0200
dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
diff -up openssh-7.0p1/ssh.c.fips openssh-7.0p1/ssh.c
--- openssh-7.0p1/ssh.c.fips 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/ssh.c 2015-08-12 11:34:11.736802999 +0200
@@ -75,6 +75,8 @@
#include <openssl/evp.h>
#include <openssl/err.h>
@ -385,7 +420,7 @@ diff -up openssh/ssh.c.fips openssh/ssh.c
#include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h"
@@ -521,6 +523,14 @@ main(int ac, char **av)
@@ -522,6 +524,14 @@ main(int ac, char **av)
sanitise_stdfd();
__progname = ssh_get_progname(av[0]);
@ -400,7 +435,7 @@ diff -up openssh/ssh.c.fips openssh/ssh.c
#ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */
@@ -598,6 +608,9 @@ main(int ac, char **av)
@@ -599,6 +609,9 @@ main(int ac, char **av)
"ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
switch (opt) {
case '1':
@ -410,7 +445,7 @@ diff -up openssh/ssh.c.fips openssh/ssh.c
options.protocol = SSH_PROTO_1;
break;
case '2':
@@ -939,7 +952,6 @@ main(int ac, char **av)
@@ -940,7 +953,6 @@ main(int ac, char **av)
host_arg = xstrdup(host);
#ifdef WITH_OPENSSL
@ -418,7 +453,7 @@ diff -up openssh/ssh.c.fips openssh/ssh.c
ERR_load_crypto_strings();
#endif
@@ -1113,6 +1125,10 @@ main(int ac, char **av)
@@ -1114,6 +1126,10 @@ main(int ac, char **av)
seed_rng();
@ -429,7 +464,7 @@ diff -up openssh/ssh.c.fips openssh/ssh.c
if (options.user == NULL)
options.user = xstrdup(pw->pw_name);
@@ -1190,6 +1206,12 @@ main(int ac, char **av)
@@ -1191,6 +1207,12 @@ main(int ac, char **av)
timeout_ms = options.connection_timeout * 1000;
@ -442,10 +477,10 @@ diff -up openssh/ssh.c.fips openssh/ssh.c
/* Open a connection to the remote host. */
if (ssh_connect(host, addrs, &hostaddr, options.port,
options.address_family, options.connection_attempts,
diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c
--- openssh/sshconnect2.c.fips 2015-06-24 12:00:58.698242582 +0200
+++ openssh/sshconnect2.c 2015-06-24 12:00:58.739242477 +0200
@@ -46,6 +46,8 @@
diff -up openssh-7.0p1/sshconnect2.c.fips openssh-7.0p1/sshconnect2.c
--- openssh-7.0p1/sshconnect2.c.fips 2015-08-12 11:34:11.678803089 +0200
+++ openssh-7.0p1/sshconnect2.c 2015-08-12 11:34:11.737802997 +0200
@@ -44,6 +44,8 @@
#include <vis.h>
#endif
@ -454,7 +489,7 @@ diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c
#include "openbsd-compat/sys-queue.h"
#include "xmalloc.h"
@@ -172,20 +174,25 @@ ssh_kex2(char *host, struct sockaddr *ho
@@ -170,20 +172,25 @@ ssh_kex2(char *host, struct sockaddr *ho
#ifdef GSSAPI
if (options.gss_keyex) {
@ -494,45 +529,9 @@ diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c
}
}
#endif
@@ -197,6 +204,10 @@ ssh_kex2(char *host, struct sockaddr *ho
if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
+ } else if (FIPS_mode()) {
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT;
+
}
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
@@ -212,7 +223,11 @@ ssh_kex2(char *host, struct sockaddr *ho
if (options.macs != NULL) {
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
+ } else if (FIPS_mode()) {
+ myproposal[PROPOSAL_MAC_ALGS_CTOS] =
+ myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC;
}
+
if (options.hostkeyalgorithms != NULL)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
compat_pkalg_proposal(options.hostkeyalgorithms);
@@ -224,9 +239,11 @@ ssh_kex2(char *host, struct sockaddr *ho
}
if (options.kex_algorithms != NULL)
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+ else if (FIPS_mode())
+ myproposal[PROPOSAL_KEX_ALGS] = KEX_DEFAULT_KEX_FIPS;
+
myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
myproposal[PROPOSAL_KEX_ALGS]);
-
#ifdef GSSAPI
/* If we've got GSSAPI algorithms, then we also support the
* 'null' hostkey, as a last resort */
diff -up openssh/sshd.c.fips openssh/sshd.c
--- openssh/sshd.c.fips 2015-06-24 12:00:58.734242489 +0200
+++ openssh/sshd.c 2015-06-24 12:00:58.739242477 +0200
diff -up openssh-7.0p1/sshd.c.fips openssh-7.0p1/sshd.c
--- openssh-7.0p1/sshd.c.fips 2015-08-12 11:34:11.729803010 +0200
+++ openssh-7.0p1/sshd.c 2015-08-12 11:34:11.738802995 +0200
@@ -66,6 +66,7 @@
#include <grp.h>
#include <pwd.h>
@ -550,7 +549,7 @@ diff -up openssh/sshd.c.fips openssh/sshd.c
#include "openbsd-compat/openssl-compat.h"
#endif
@@ -1548,6 +1551,18 @@ main(int ac, char **av)
@@ -1552,6 +1555,18 @@ main(int ac, char **av)
#endif
__progname = ssh_get_progname(av[0]);
@ -569,7 +568,7 @@ diff -up openssh/sshd.c.fips openssh/sshd.c
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac;
rexec_argc = ac;
@@ -1700,7 +1715,7 @@ main(int ac, char **av)
@@ -1704,7 +1719,7 @@ main(int ac, char **av)
else
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
@ -578,7 +577,7 @@ diff -up openssh/sshd.c.fips openssh/sshd.c
OpenSSL_add_all_algorithms();
#endif
@@ -1901,6 +1916,10 @@ main(int ac, char **av)
@@ -1905,6 +1920,10 @@ main(int ac, char **av)
sshkey_type(pubkey) : sshkey_ssh_name(pubkey), fp);
free(fp);
}
@ -589,7 +588,7 @@ diff -up openssh/sshd.c.fips openssh/sshd.c
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1;
@@ -2069,6 +2088,10 @@ main(int ac, char **av)
@@ -2073,6 +2092,10 @@ main(int ac, char **av)
/* Reinitialize the log (because of the fork above). */
log_init(__progname, options.log_level, options.log_facility, log_stderr);
@ -600,36 +599,7 @@ diff -up openssh/sshd.c.fips openssh/sshd.c
/* Chdir to the root directory so that the current disk can be
unmounted if desired. */
if (chdir("/") == -1)
@@ -2654,6 +2677,9 @@ do_ssh2_kex(void)
if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
+ } else if (FIPS_mode()) {
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT;
}
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
@@ -2663,6 +2689,9 @@ do_ssh2_kex(void)
if (options.macs != NULL) {
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
+ } else if (FIPS_mode()) {
+ myproposal[PROPOSAL_MAC_ALGS_CTOS] =
+ myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC;
}
if (options.compression == COMP_NONE) {
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
@@ -2673,6 +2702,8 @@ do_ssh2_kex(void)
}
if (options.kex_algorithms != NULL)
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+ else if (FIPS_mode())
+ myproposal[PROPOSAL_KEX_ALGS] = KEX_DEFAULT_KEX_FIPS;
myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
myproposal[PROPOSAL_KEX_ALGS]);
@@ -2699,10 +2730,14 @@ do_ssh2_kex(void)
@@ -2692,10 +2715,14 @@ do_ssh2_kex(void)
if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
orig = NULL;
@ -648,9 +618,9 @@ diff -up openssh/sshd.c.fips openssh/sshd.c
if (gss && orig)
xasprintf(&newstr, "%s,%s", gss, orig);
diff -up openssh/sshkey.c.fips openssh/sshkey.c
--- openssh/sshkey.c.fips 2015-06-24 12:00:58.735242487 +0200
+++ openssh/sshkey.c 2015-06-24 12:00:58.740242474 +0200
diff -up openssh-7.0p1/sshkey.c.fips openssh-7.0p1/sshkey.c
--- openssh-7.0p1/sshkey.c.fips 2015-08-12 11:34:11.729803010 +0200
+++ openssh-7.0p1/sshkey.c 2015-08-12 11:34:11.738802995 +0200
@@ -35,6 +35,7 @@
#include <openssl/evp.h>
#include <openssl/err.h>
@ -659,7 +629,7 @@ diff -up openssh/sshkey.c.fips openssh/sshkey.c
#endif
#include "crypto_api.h"
@@ -1586,6 +1587,8 @@ rsa_generate_private_key(u_int bits, RSA
@@ -1554,6 +1555,8 @@ rsa_generate_private_key(u_int bits, RSA
}
if (!BN_set_word(f4, RSA_F4) ||
!RSA_generate_key_ex(private, bits, f4, NULL)) {


@ -1,47 +0,0 @@
From 5b64f85bb811246c59ebab70aed331f26ba37b18 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Sat, 18 Jul 2015 07:57:14 +0000
Subject: upstream commit
only query each keyboard-interactive device once per
authentication request regardless of how many times it is listed; ok markus@
Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1
---
auth2-chall.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/auth2-chall.c b/auth2-chall.c
index ddabe1a..4aff09d 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -83,6 +83,7 @@ struct KbdintAuthctxt
void *ctxt;
KbdintDevice *device;
u_int nreq;
+ u_int devices_done;
};
#ifdef USE_PAM
@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
if (len == 0)
break;
for (i = 0; devices[i]; i++) {
- if (!auth2_method_allowed(authctxt,
+ if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
+ !auth2_method_allowed(authctxt,
"keyboard-interactive", devices[i]->name))
continue;
- if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
+ if (strncmp(kbdintctxt->devices, devices[i]->name,
+ len) == 0) {
kbdintctxt->device = devices[i];
+ kbdintctxt->devices_done |= 1 << i;
+ }
}
t = kbdintctxt->devices;
kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
--
cgit v0.11.2


@ -1,27 +1,12 @@
diff --git a/sshd_config b/sshd_config
index c9042ac..cf7d8e1 100644
--- a/sshd_config
+++ b/sshd_config
@@ -41,7 +41,7 @@
diff -up openssh-7.0p1/sshd_config.root-login openssh-7.0p1/sshd_config
--- openssh-7.0p1/sshd_config.root-login 2015-08-12 11:29:12.919269245 +0200
+++ openssh-7.0p1/sshd_config 2015-08-12 11:31:03.653096466 +0200
@@ -46,7 +46,7 @@ SyslogFacility AUTHPRIV
# Authentication:
#LoginGraceTime 2m
-#PermitRootLogin no
+#PermitRootLogin yes
-#PermitRootLogin prohibit-password
+PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
diff --git a/sshd_config.5 b/sshd_config.5
index 2bc9360..d3148c2 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1093,7 +1093,7 @@ The argument must be
or
.Dq no .
The default is
-.Dq no .
+.Dq yes .
.Pp
If this option is set to
.Dq without-password ,
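Review bot: The new patch turns `PermitRootLogin yes` into an active directive in the shipped sshd_config (previously the patch only rewrote the commented-out default line), and the sshd_config.5 hunk that restated the default appears to be dropped from the new side, so sshd_config(5) will keep describing the upstream default `prohibit-password` while the installed config overrides it. Since an uncommented directive also silently overrides any future upstream default change, the override should be self-explanatory in the config itself; proposed line immediately above it: `# Vendor default: root login is enabled here; upstream's default is prohibit-password (see sshd_config(5)).` The old/new assignment of the sshd_config.5 lines is inferred from the hunk counts and the inner diff structure, so please confirm that hunk was intentionally removed rather than lost in the rebase.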


@ -65,10 +65,10 @@
%endif
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%define openssh_ver 6.9p1
%define openssh_rel 4
%define openssh_ver 7.0p1
%define openssh_rel 1
%define pam_ssh_agent_ver 0.9.3
%define pam_ssh_agent_rel 6
%define pam_ssh_agent_rel 7
Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh
@ -223,8 +223,6 @@ Patch926: openssh-6.7p1-sftp-force-permission.patch
Patch928: openssh-6.8p1-memory-problems.patch
# Restore compatible default (#89216)
Patch929: openssh-6.9p1-permit-root-login.patch
# authentication limits (MaxAuthTries) bypass [security] (#1245971)
Patch930: openssh-6.9p1-authentication-limits-bypass.patch
# Handle terminal control characters in scp progressmeter (#1247204)
Patch931: openssh-6.9p1-scp-progressmeter.patch
@ -462,7 +460,6 @@ popd
%patch926 -p1 -b .sftp-force-mode
%patch928 -p1 -b .memory
%patch929 -p1 -b .root-login
%patch930 -p1 -b .kbd
%patch931 -p1 -b .progressmeter
%patch200 -p1 -b .audit
@ -810,6 +807,13 @@ getent passwd sshd >/dev/null || \
%endif
%changelog
* Wed Aug 12 2015 Jakub Jelen <jjelen@redhat.com> 7.0p1-1 + 0.9.3.7
- New upstream release (#1252639)
- Fix pam_ssh_agent_auth package (#1251777)
- Security: Use-after-free bug related to PAM support (#1252853)
- Security: Privilege separation weakness related to PAM support (#1252854)
- Security: Incorrectly set TTYs to be world-writable (#1252862)
* Tue Jul 28 2015 Jakub Jelen <jjelen@redhat.com> 6.9p1-4 + 0.9.3-6
- Handle terminal control characters in scp progressmeter (#1247204)
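Review bot: The new changelog header is written `7.0p1-1 + 0.9.3.7`, but the previous entry uses `6.9p1-4 + 0.9.3-6` and the release macro set in the same commit is `%define pam_ssh_agent_rel 7`, so the pam_ssh_agent_auth part should read `0.9.3-7`: `* Wed Aug 12 2015 Jakub Jelen <jjelen@redhat.com> 7.0p1-1 + 0.9.3-7`. As a naming point, Patch929 is still `openssh-6.9p1-permit-root-login.patch` although the patch section earlier on this page now carries `openssh-7.0p1/` paths; renaming the file to the 7.0p1 prefix would keep it consistent with how the other rebased patches are named. The removal of Patch930 together with its `%patch930` line is consistent and needs no further change.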