From 51f5c1c99f1d20e48328edde666061d0ce0da83b Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Mon, 17 Feb 2020 11:57:13 +0100
Subject: [PATCH] openssh-8.2p1-1 + 0.10.3-9

---
 .gitignore | 2 +
 openssh-5.1p1-askpass-progress.patch | 77 ++--
 openssh-6.6.1p1-log-in-chroot.patch | 4 +-
 openssh-6.6p1-GSSAPIEnablek5users.patch | 2 +-
 openssh-6.6p1-ctr-cavstest.patch | 14 +-
 openssh-6.6p1-keycat.patch | 16 +-
 openssh-6.6p1-kuserok.patch | 4 +-
 openssh-6.7p1-coverity.patch | 10 +-
 openssh-6.7p1-kdf-cavs.patch | 18 +-
 openssh-6.7p1-ldap.patch | 44 +-
 openssh-6.8p1-sshdT-output.patch | 4 +-
 openssh-7.6p1-audit.patch | 99 +++--
 openssh-7.7p1-fips.patch | 226 ++++------
 openssh-7.7p1-redhat.patch | 105 ++---
 openssh-7.8p1-UsePAM-warning.patch | 4 +-
 openssh-7.8p1-role-mls.patch | 4 +-
 openssh-8.0p1-crypto-policies.patch | 119 ++++--
 openssh-8.0p1-gssapi-keyex.patch | 314 +++++++-------
 openssh-8.0p1-pkcs11-uri.patch | 538 ++++++++++++++----------
 openssh-8.1p1-seccomp-nanosleep.patch | 45 --
 openssh-8.2p1-visibility.patch | 40 ++
 openssh.spec | 32 +-
 pam_ssh_agent_auth-0.10.2-compat.patch | 73 ++--
 pam_ssh_agent_auth-0.9.3-build.patch | 10 +-
 sources | 4 +-
 25 files changed, 932 insertions(+), 876 deletions(-)
 delete mode 100644 openssh-8.1p1-seccomp-nanosleep.patch
 create mode 100644 openssh-8.2p1-visibility.patch

diff --git a/.gitignore b/.gitignore
index ccba8e2..7362d2e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -38,3 +38,5 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
 /openssh-8.0p1.tar.gz.asc
 /openssh-8.1p1.tar.gz
 /openssh-8.1p1.tar.gz.asc
+/openssh-8.2p1.tar.gz
+/openssh-8.2p1.tar.gz.asc
diff --git a/openssh-5.1p1-askpass-progress.patch b/openssh-5.1p1-askpass-progress.patch
index 6601fbf..21f6502 100644
--- a/openssh-5.1p1-askpass-progress.patch
+++ b/openssh-5.1p1-askpass-progress.patch
@@ -9,7 +9,7 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr #include #include -@@ -81,13 +82,24 @@ ok_dialog(GtkWidget *entry, gpointer dia +@@ -81,14 +82,25 @@ ok_dialog(GtkWidget *entry, gpointer dia gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK); } 
@@ -25,57 +25,54 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr +} + static int - passphrase_dialog(char *message) + passphrase_dialog(char *message, int prompt_type) { const char *failed; char *passphrase, *local; int result, grab_tries, grab_server, grab_pointer; + int buttons, default_response; - GtkWidget *parent_window, *dialog, *entry; + GtkWidget *parent_window, *dialog, *entry, *progress, *hbox; GdkGrabStatus status; grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL); -@@ -104,14 +116,32 @@ passphrase_dialog(char *message) - "%s", - message); +@@ -104,16 +116,37 @@ passphrase_dialog(char *message) + gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE); -+ hbox = gtk_hbox_new(FALSE, 0); -+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE, -+ FALSE, 0); -+ gtk_widget_show(hbox); + if (prompt_type == PROMPT_ENTRY) { ++ hbox = gtk_hbox_new(FALSE, 0); ++ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE, ++ FALSE, 0); ++ gtk_widget_show(hbox); + - entry = gtk_entry_new(); - gtk_box_pack_start( -- GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))), entry, -- FALSE, FALSE, 0); -+ GTK_BOX(hbox), entry, -+ TRUE, FALSE, 0); -+ gtk_entry_set_width_chars(GTK_ENTRY(entry), 2); - gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE); - gtk_widget_grab_focus(entry); - gtk_widget_show(entry); - -+ hbox = gtk_hbox_new(FALSE, 0); -+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE, + entry = gtk_entry_new(); + gtk_box_pack_start( +- GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))), +- entry, FALSE, FALSE, 0); ++ GTK_BOX(hbox), entry, ++ TRUE, FALSE, 0); ++ gtk_entry_set_width_chars(GTK_ENTRY(entry), 2); + gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE); + gtk_widget_grab_focus(entry); + gtk_widget_show(entry); + /* Make close dialog */ + g_signal_connect(G_OBJECT(entry), "activate", + G_CALLBACK(ok_dialog), dialog); ++ ++ hbox = gtk_hbox_new(FALSE, 0); ++ 
gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE, + FALSE, 8); -+ gtk_widget_show(hbox); ++ gtk_widget_show(hbox); + -+ progress = gtk_progress_bar_new(); -+ -+ gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress), "Passphrase length hidden intentionally"); -+ gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE, -+ TRUE, 5); -+ gtk_widget_show(progress); ++ progress = gtk_progress_bar_new(); + - gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH"); - gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER); - gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE); -@@ -120,6 +150,8 @@ passphrase_dialog(char *message) - gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK); - g_signal_connect(G_OBJECT(entry), "activate", - G_CALLBACK(ok_dialog), dialog); -+ g_signal_connect(G_OBJECT(entry), "changed", -+ G_CALLBACK(move_progress), progress); - - gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE); ++ gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress), "Passphrase length hidden intentionally"); ++ gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE, ++ TRUE, 5); ++ gtk_widget_show(progress); ++ g_signal_connect(G_OBJECT(entry), "changed", ++ G_CALLBACK(move_progress), progress); ++ + } + /* Grab focus */ diff --git a/openssh-6.6.1p1-log-in-chroot.patch b/openssh-6.6.1p1-log-in-chroot.patch index f3f7cad..1260242 100644 --- a/openssh-6.6.1p1-log-in-chroot.patch +++ b/openssh-6.6.1p1-log-in-chroot.patch @@ -56,8 +56,8 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c + pmonitor->m_state = "postauth"; + monitor_set_child_handler(pmonitor->m_pid); - signal(SIGHUP, &monitor_child_handler); - signal(SIGTERM, &monitor_child_handler); + ssh_signal(SIGHUP, &monitor_child_handler); + ssh_signal(SIGTERM, &monitor_child_handler); @@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito if (log_level_name(level) == NULL) fatal("%s: invalid log level %u (corrupted message?)", 
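Review bot: The `if (prompt_type == PROMPT_ENTRY)` block in passphrase_dialog connects the entry's `changed` signal to move_progress without saying what the bar is for, even though its label promises that the passphrase length is hidden. A comment above the `g_signal_connect(G_OBJECT(entry), "changed", G_CALLBACK(move_progress), progress);` line should state the invariant move_progress (defined above this hunk) is expected to keep, e.g. `/* Typing feedback only: the bar's position must not be derivable from the entry's text length. */`, so that a later edit to move_progress cannot quietly turn the bar into a length indicator. The same hunk declares `*progress` and `*hbox` but assigns them only inside the branch; initialising both to NULL at the declaration would make that explicit. passphrase_dialog continues beyond the end of the hunk.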
diff --git a/openssh-6.6p1-GSSAPIEnablek5users.patch b/openssh-6.6p1-GSSAPIEnablek5users.patch index d943f41..01ea156 100644 --- a/openssh-6.6p1-GSSAPIEnablek5users.patch +++ b/openssh-6.6p1-GSSAPIEnablek5users.patch @@ -122,7 +122,7 @@ diff -up openssh-7.4p1/sshd_config.GSSAPIEnablek5users openssh-7.4p1/sshd_config --- openssh-7.4p1/sshd_config.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100 +++ openssh-7.4p1/sshd_config 2016-12-23 15:18:40.631216103 +0100 @@ -80,6 +80,7 @@ GSSAPIAuthentication yes - GSSAPICleanupCredentials no + #GSSAPICleanupCredentials yes #GSSAPIStrictAcceptorCheck yes #GSSAPIKeyExchange no +#GSSAPIEnablek5users no diff --git a/openssh-6.6p1-ctr-cavstest.patch b/openssh-6.6p1-ctr-cavstest.patch index 2e31fbf..9454c50 100644 --- a/openssh-6.6p1-ctr-cavstest.patch +++ b/openssh-6.6p1-ctr-cavstest.patch @@ -7,14 +7,14 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in SSH_KEYCAT=$(libexecdir)/ssh-keycat +CTR_CAVSTEST=$(libexecdir)/ctr-cavstest SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper + SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper PRIVSEP_PATH=@PRIVSEP_PATH@ - SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ 
@@ -66,7 +67,7 @@ EXEEXT=@EXEEXT@ - MKDIR_P=@MKDIR_P@ - INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@ --TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) -+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) + .SUFFIXES: .lo + +-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) XMSS_OBJS=\ ssh-xmss.o \ @@ -25,8 +25,8 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in +ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o + $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) + - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o - $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) + $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) @@ -326,6 +330,7 @@ install-files: $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ diff --git a/openssh-6.6p1-keycat.patch b/openssh-6.6p1-keycat.patch index e22a5f3..5fc9b9e 100644 
--- a/openssh-6.6p1-keycat.patch +++ b/openssh-6.6p1-keycat.patch @@ -41,22 +41,22 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper +SSH_KEYCAT=$(libexecdir)/ssh-keycat SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper + SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper PRIVSEP_PATH=@PRIVSEP_PATH@ - SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ @@ -52,6 +52,7 @@ K5LIBS=@K5LIBS@ GSSLIBS=@GSSLIBS@ SSHLIBS=@SSHLIBS@ SSHDLIBS=@SSHDLIBS@ +KEYCATLIBS=@KEYCATLIBS@ LIBEDIT=@LIBEDIT@ + LIBFIDO2=@LIBFIDO2@ AR=@AR@ - AWK=@AWK@ @@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@ - MKDIR_P=@MKDIR_P@ - INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@ --TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) -+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) + .SUFFIXES: .lo + +-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) XMSS_OBJS=\ ssh-xmss.o \ 
@@ -67,8 +67,8 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in +ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o + $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS) + - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o - $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) + $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) @@ -321,6 +325,7 @@ install-files: $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \ diff --git a/openssh-6.6p1-kuserok.patch b/openssh-6.6p1-kuserok.patch index 56a6950..8428c1c 100644 --- a/openssh-6.6p1-kuserok.patch +++ b/openssh-6.6p1-kuserok.patch @@ -217,7 +217,7 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, @@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions - *activep = value; + *activep = (inc_flags & SSHCFG_NEVERMATCH) ? 0 : value; break; + case sKerberosUseKuserok: @@ -286,4 +286,4 @@ diff -up openssh-7.4p1/sshd_config.kuserok openssh-7.4p1/sshd_config +#KerberosUseKuserok yes # GSSAPI options - GSSAPIAuthentication yes + #GSSAPIAuthentication no diff --git a/openssh-6.7p1-coverity.patch b/openssh-6.7p1-coverity.patch index 15d489d..3f34464 100644 --- a/openssh-6.7p1-coverity.patch +++ b/openssh-6.7p1-coverity.patch @@ -136,11 +136,11 @@ diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c --- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100 +++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100 
@@ -224,7 +224,7 @@ killchild(int signo) - { - if (sshpid > 1) { - kill(sshpid, SIGTERM); -- waitpid(sshpid, NULL, 0); -+ (void) waitpid(sshpid, NULL, 0); + pid = sshpid; + if (pid > 1) { + kill(pid, SIGTERM); +- waitpid(pid, NULL, 0); ++ (void) waitpid(pid, NULL, 0); } _exit(1); diff --git a/openssh-6.7p1-kdf-cavs.patch b/openssh-6.7p1-kdf-cavs.patch index a5beb8c..971ac3d 100644 --- a/openssh-6.7p1-kdf-cavs.patch +++ b/openssh-6.7p1-kdf-cavs.patch @@ -7,14 +7,14 @@ diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in CTR_CAVSTEST=$(libexecdir)/ctr-cavstest +SSH_CAVS=$(libexecdir)/ssh-cavs SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper + SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper PRIVSEP_PATH=@PRIVSEP_PATH@ - SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ 
@@ -67,7 +68,7 @@ EXEEXT=@EXEEXT@ - MKDIR_P=@MKDIR_P@ - INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@ --TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) -+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT) + .SUFFIXES: .lo + +-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT) XMSS_OBJS=\ ssh-xmss.o \ 
@@ -22,11 +22,11 @@ diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) -+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o -+ $(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o $(SKOBJS) ++ $(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o - $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) + $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) @@ -331,6 +335,8 @@ install-files: fi diff --git a/openssh-6.7p1-ldap.patch b/openssh-6.7p1-ldap.patch index a8770e0..aec4794 100644 --- a/openssh-6.7p1-ldap.patch +++ b/openssh-6.7p1-ldap.patch @@ -134,52 +134,54 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in +SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper +SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper + SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper PRIVSEP_PATH=@PRIVSEP_PATH@ - SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ 
@@ -50,6 +50,7 @@ - CFLAGS=@CFLAGS@ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ + PICFLAG=@PICFLAG@ LIBS=@LIBS@ +LDAPLIBS=@LDAPLIBS@ K5LIBS=@K5LIBS@ GSSLIBS=@GSSLIBS@ SSHLIBS=@SSHLIBS@ -@@ -61,8 +63,9 @@ XAUTH_PATH=@XAUTH_PATH@ +@@ -61,10 +63,11 @@ XAUTH_PATH=@XAUTH_PATH@ EXEEXT=@EXEEXT@ MANFMT=@MANFMT@ MKDIR_P=@MKDIR_P@ +INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@ --TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) -+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) + .SUFFIXES: .lo + +-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) XMSS_OBJS=\ ssh-xmss.o \ 
@@ -112,8 +115,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw - sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \ - sandbox-solaris.o uidswap.o --MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out --MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 -+MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out -+MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5 + SFTP_OBJS= sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o + +-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out +-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5 ++MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out ++MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 
ssh-sk-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5 MANTYPE = @MANTYPE@ CONFIGFILES=sshd_config.out ssh_config.out moduli.out @@ -184,6 +187,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss - ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o - $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) + ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS) + $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) +ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o + $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LDAPLIBS) + - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o - $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) + $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) @@ -311,6 +317,10 @@ install-files: - $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) + if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \ + $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \ + $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ @@ -188,9 +190,9 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 
@@ -327,6 +337,10 @@ install-files: - $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 + $(INSTALL) -m 644 ssh-sk-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8 + if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \ + $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \ + $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \ @@ -213,18 +215,18 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in host-key: ssh-keygen$(EXEEXT) @if [ -z "$(DESTDIR)" ] ; then \ @@ -419,6 +440,8 @@ uninstall: - -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) + -rm -f $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) + -rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT) + -rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT) -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 @@ -430,6 +453,7 @@ uninstall: - -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 regress-prep: @@ -233,8 +235,8 @@ diff -up openssh-6.8p1/configure.ac.ldap openssh-6.8p1/configure.ac --- openssh-6.8p1/configure.ac.ldap 2015-03-17 06:49:20.000000000 +0100 +++ openssh-6.8p1/configure.ac 2015-03-18 11:11:29.030801464 +0100 @@ -1605,6 +1605,110 @@ if test "x$use_pie" != "xno"; then - fi - fi + CFLAGS="$SAVED_CFLAGS" + AC_SUBST([PICFLAG]) +# Check whether user wants LDAP support +LDAP_MSG="no" 
diff --git a/openssh-6.8p1-sshdT-output.patch b/openssh-6.8p1-sshdT-output.patch index ac9169a..156e66d 100644 --- a/openssh-6.8p1-sshdT-output.patch +++ b/openssh-6.8p1-sshdT-output.patch @@ -3,8 +3,8 @@ diff -up openssh/servconf.c.sshdt openssh/servconf.c +++ openssh/servconf.c 2015-06-24 11:44:39.734745802 +0200 @@ -2317,7 +2317,7 @@ dump_config(ServerOptions *o) dump_cfg_string(sXAuthLocation, o->xauth_location); - dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT); - dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC); + dump_cfg_string(sCiphers, o->ciphers); + dump_cfg_string(sMacs, o->macs); - dump_cfg_string(sBanner, o->banner); + dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none"); dump_cfg_string(sForceCommand, o->adm_forced_command); diff --git a/openssh-7.6p1-audit.patch b/openssh-7.6p1-audit.patch index a59cfc2..024d990 100644 --- a/openssh-7.6p1-audit.patch +++ b/openssh-7.6p1-audit.patch @@ -747,20 +747,21 @@ diff -up openssh/auth2-hostbased.c.audit openssh/auth2-hostbased.c chost, key)) && - PRIVSEP(sshkey_verify(key, sig, slen, + PRIVSEP(hostbased_key_verify(ssh, key, sig, slen, - sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat)) == 0) + sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat, NULL)) == 0) authenticated = 1; -@@ -175,6 +175,19 @@ done: +@@ -175,6 +175,20 @@ done: return authenticated; } +int +hostbased_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig, -+ size_t slen, const u_char *data, size_t datalen, const char *pkalg, u_int compat) ++ size_t slen, const u_char *data, size_t datalen, const char *pkalg, u_int compat, ++ struct sshkey_sig_details **detailsp) +{ + int rv; + -+ rv = sshkey_verify(key, sig, slen, data, datalen, pkalg, compat); ++ rv = sshkey_verify(key, sig, slen, data, datalen, pkalg, compat, detailsp); +#ifdef SSH_AUDIT_EVENTS + audit_key(ssh, 0, &rv, key); +#endif 
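Review bot: The new hostbased_key_verify wrapper has no header comment, and the only thing that distinguishes it from a direct sshkey_verify call — the `audit_key(ssh, 0, &rv, key)` hook under SSH_AUDIT_EVENTS — is undocumented; user_key_verify in the next hunk (auth2-pubkey.c) has the same gap with `audit_key(ssh, 1, &rv, key)`. Because `rv` is handed over by address, the comment should say whether the audit hook may alter the verification result or only observe it, since an overriding hook would change the authentication decision; judging by the two call sites the second argument appears to separate host keys (0) from user keys (1), which is worth naming as well. Suggested header for both: `/* sshkey_verify() followed by an audit event for the outcome; audit_key() receives &rv — confirm it only reads it. */`. The function's return lies outside the hunk.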
@@ -781,18 +782,19 @@ diff -up openssh/auth2-pubkey.c.audit openssh/auth2-pubkey.c + PRIVSEP(user_key_verify(ssh, key, sig, slen, sshbuf_ptr(b), sshbuf_len(b), (ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL, - ssh->compat)) == 0) { -@@ -278,6 +278,19 @@ done: + ssh->compat, &sig_details)) == 0) { +@@ -278,6 +278,20 @@ done: return authenticated; } +int +user_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig, -+ size_t slen, const u_char *data, size_t datalen, const char *pkalg, u_int compat) ++ size_t slen, const u_char *data, size_t datalen, const char *pkalg, u_int compat, ++ struct sshkey_sig_details **detailsp) +{ + int rv; + -+ rv = sshkey_verify(key, sig, slen, data, datalen, pkalg, compat); ++ rv = sshkey_verify(key, sig, slen, data, datalen, pkalg, compat, detailsp); +#ifdef SSH_AUDIT_EVENTS + audit_key(ssh, 1, &rv, key); +#endif @@ -832,7 +834,7 @@ diff -up openssh/auth.h.audit openssh/auth.h char *expand_authorized_keys(const char *, struct passwd *pw); char *authorized_principals_file(struct passwd *); +int user_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t, -+ const u_char *, size_t, const char *, u_int); ++ const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **); FILE *auth_openkeyfile(const char *, struct passwd *, int); FILE *auth_openprincipals(const char *, struct passwd *, int); @@ -841,7 +843,7 @@ diff -up openssh/auth.h.audit openssh/auth.h int sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *, u_char **, size_t *, const u_char *, size_t, const char *); +int hostbased_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t, -+ const u_char *, size_t, const char *, u_int); ++ const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **); /* Key / cert options linkage to auth layer */ const struct sshauthopt *auth_options(struct ssh *); 
@@ -973,9 +975,9 @@ diff -up openssh/kex.c.audit openssh/kex.c +#endif return SSH_ERR_NO_COMPRESS_ALG_MATCH; + } + #ifdef WITH_ZLIB if (strcmp(name, "zlib@openssh.com") == 0) { comp->type = COMP_DELAYED; - } else if (strcmp(name, "zlib") == 0) { @@ -933,7 +946,7 @@ kex_choose_conf(struct ssh *ssh) nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC; nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC; @@ -1091,16 +1093,15 @@ diff -up openssh/mac.h.audit openssh/mac.h diff -up openssh/Makefile.in.audit openssh/Makefile.in --- openssh/Makefile.in.audit 2019-04-03 17:02:20.705885965 +0200 +++ openssh/Makefile.in 2019-04-03 17:02:20.715886060 +0200 -@@ -109,7 +109,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ - kexgexc.o kexgexs.o \ +@@ -109,7 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \ kexgssc.o \ -- platform-pledge.o platform-tracing.o platform-misc.o -+ platform-pledge.o platform-tracing.o platform-misc.o \ -+ auditstub.o + sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \ +- sshbuf-io.o ++ sshbuf-io.o auditstub.o + SKOBJS= ssh-sk-client.o - SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ diff -up openssh/monitor.c.audit openssh/monitor.c --- openssh/monitor.c.audit 2019-04-03 17:02:20.674885671 +0200 +++ openssh/monitor.c 2019-04-03 17:03:17.201421405 +0200 @@ -1111,7 +1112,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c +#include "audit.h" #include "match.h" #include "ssherr.h" - + #include "sk-api.h" @@ -107,6 +108,8 @@ extern u_char session_id[]; extern struct sshbuf *loginmsg; extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */ @@ -1157,16 +1158,16 @@ diff -up openssh/monitor.c.audit openssh/monitor.c {0, 0, NULL} }; 
@@ -1445,8 +1462,10 @@ mm_answer_keyverify(struct ssh *ssh, int - char *sigalg; size_t signaturelen, datalen, bloblen; - int r, ret, valid_data = 0, encoded_ret; + int r, ret, req_presence = 0, valid_data = 0, encoded_ret; + struct sshkey_sig_details *sig_details = NULL; + int type = 0; -- if ((r = sshbuf_get_string(m, &blob, &bloblen)) != 0 || +- if ((r = sshbuf_get_string_direct(m, &blob, &bloblen)) != 0 || + if ((r = sshbuf_get_u32(m, &type)) != 0 || -+ (r = sshbuf_get_string(m, &blob, &bloblen)) != 0 || - (r = sshbuf_get_string(m, &signature, &signaturelen)) != 0 || - (r = sshbuf_get_string(m, &data, &datalen)) != 0 || ++ (r = sshbuf_get_string_direct(m, &blob, &bloblen)) != 0 || + (r = sshbuf_get_string_direct(m, &signature, &signaturelen)) != 0 || + (r = sshbuf_get_string_direct(m, &data, &datalen)) != 0 || (r = sshbuf_get_cstring(m, &sigalg, NULL)) != 0) @@ -1455,6 +1474,8 @@ mm_answer_keyverify(struct ssh *ssh, int if (hostbased_cuser == NULL || hostbased_chost == NULL || @@ -1177,19 +1178,19 @@ diff -up openssh/monitor.c.audit openssh/monitor.c /* Empty signature algorithm means NULL. */ if (*sigalg == '\0') { -@@ -1470,21 +1491,24 @@ mm_answer_keyverify(struct ssh *ssh, int +@@ -1470,25 +1491,28 @@ mm_answer_keyverify(struct ssh *ssh, int case MM_USERKEY: valid_data = monitor_valid_userblob(data, datalen); auth_method = "publickey"; + ret = user_key_verify(ssh, key, signature, signaturelen, data, -+ datalen, sigalg, ssh->compat); ++ datalen, sigalg, ssh->compat, &sig_details); break; case MM_HOSTKEY: valid_data = monitor_valid_hostbasedblob(data, datalen, hostbased_cuser, hostbased_chost); -+ ret = hostbased_key_verify(ssh, key, signature, signaturelen, data, -+ datalen, sigalg, ssh->compat); auth_method = "hostbased"; ++ ret = hostbased_key_verify(ssh, key, signature, signaturelen, data, ++ datalen, sigalg, ssh->compat, &sig_details); break; default: valid_data = 0; 
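Review bot: In the rebased mm_answer_keyverify the signature verification now runs inside the `switch` — `ret = user_key_verify(…, &sig_details)` and `ret = hostbased_key_verify(…, &sig_details)` — which is before the `if (!valid_data) fatal(…)` guard that the following hunk shows upstream placing ahead of its own `sshkey_verify` call. For a malformed data blob the monitor therefore performs the verification and, with SSH_AUDIT_EVENTS, emits an audit_key record before it fatals, so the audit trail shows a verified/unverified key for a request that was rejected outright. The ordering is inherited from the previous revision of the patch (the calls sit on the `-` side too), so it is not introduced here, but the rebase is the natural place to fix it: let the switch set only `valid_data` and `auth_method`, and dispatch the verify call on the key type after the guard (the switch appears to be on `type`). mm_answer_keyverify starts and ends outside the hunk.
```c
	/* … unchanged: switch on type sets valid_data and auth_method only … */
	if (!valid_data)
		fatal("%s: bad signature data blob", __func__);
	/* … unchanged: sshkey_fingerprint … */
	if (type == MM_USERKEY)
		ret = user_key_verify(ssh, key, signature, signaturelen, data,
		    datalen, sigalg, ssh->compat, &sig_details);
	else
		ret = hostbased_key_verify(ssh, key, signature, signaturelen, data,
		    datalen, sigalg, ssh->compat, &sig_details);
	/* … unchanged: debug3 / auth2_record_key … */
```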
@@ -1199,11 +1200,15 @@ diff -up openssh/monitor.c.audit openssh/monitor.c if (!valid_data) fatal("%s: bad signature data blob", __func__); + if ((fp = sshkey_fingerprint(key, options.fingerprint_hash, + SSH_FP_DEFAULT)) == NULL) + fatal("%s: sshkey_fingerprint failed", __func__); + - ret = sshkey_verify(key, signature, signaturelen, data, datalen, -- sigalg, ssh->compat); - debug3("%s: %s %p signature %s", __func__, auth_method, key, - (ret == 0) ? "verified" : "unverified"); - auth2_record_key(authctxt, ret == 0, key); +- sigalg, ssh->compat, &sig_details); + debug3("%s: %s %p signature %s%s%s", __func__, auth_method, key, + (ret == 0) ? "verified" : "unverified", + (ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : ""); @@ -1536,13 +1560,19 @@ mm_record_login(struct ssh *ssh, Session } @@ -1459,11 +1464,11 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c int -mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen, +mm_sshkey_verify(enum mm_keytype type, const struct sshkey *key, const u_char *sig, size_t siglen, - const u_char *data, size_t datalen, const char *sigalg, u_int compat) + const u_char *data, size_t datalen, const char *sigalg, u_int compat, + struct sshkey_sig_details **sig_detailsp) { - struct sshbuf *m; @@ -525,7 +525,8 @@ mm_sshkey_verify(const struct sshkey *ke - + *sig_detailsp = NULL; if ((m = sshbuf_new()) == NULL) fatal("%s: sshbuf_new failed", __func__); - if ((r = sshkey_puts(key, m)) != 0 || 
@@ -1472,22 +1477,24 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c (r = sshbuf_put_string(m, sig, siglen)) != 0 || (r = sshbuf_put_string(m, data, datalen)) != 0 || (r = sshbuf_put_cstring(m, sigalg == NULL ? "" : sigalg)) != 0) -@@ -547,6 +548,20 @@ mm_sshkey_verify(const struct sshkey *ke +@@ -547,6 +548,22 @@ mm_sshkey_verify(const struct sshkey *ke return 0; } +int +mm_hostbased_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig, size_t siglen, -+ const u_char *data, size_t datalen, const char *pkalg, u_int compat) ++ const u_char *data, size_t datalen, const char *pkalg, u_int compat, ++ struct sshkey_sig_details **detailsp) +{ -+ return mm_sshkey_verify(MM_HOSTKEY, key, sig, siglen, data, datalen, pkalg, compat); ++ return mm_sshkey_verify(MM_HOSTKEY, key, sig, siglen, data, datalen, pkalg, compat, detailsp); +} + +int +mm_user_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig, size_t siglen, -+ const u_char *data, size_t datalen, const char *pkalg, u_int compat) ++ const u_char *data, size_t datalen, const char *pkalg, u_int compat, ++ struct sshkey_sig_details **detailsp) +{ -+ return mm_sshkey_verify(MM_USERKEY, key, sig, siglen, data, datalen, pkalg, compat); ++ return mm_sshkey_verify(MM_USERKEY, key, sig, siglen, data, datalen, pkalg, compat, detailsp); +} + void @@ -1632,9 +1639,9 @@ diff -up openssh/monitor_wrap.h.audit openssh/monitor_wrap.h const char *, struct sshkey *); -int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t, +int mm_hostbased_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t, -+ const u_char *, size_t, const char *, u_int); ++ const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **); +int mm_user_key_verify(struct ssh*, const struct sshkey *, const u_char *, size_t, - const u_char *, size_t, const char *, u_int); + const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **); #ifdef GSSAPI 
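Review bot: The definition of `mm_sshkey_verify` stays non-static while the monitor_wrap.h hunk that follows (`@@ -1632,9 +1639,9 @@`, running onto the next line) removes its prototype, leaving the new `mm_hostbased_key_verify`/`mm_user_key_verify` wrappers as the only declared entry points. If no other translation unit still calls it, make the definition `static int mm_sshkey_verify(...)` so the compiler enforces that; otherwise the prototype has to remain in the header. Both wrappers accept a `struct ssh *ssh` they never use; if it exists only to mirror the monitor-side signatures, a `(void)ssh;` line or a comment `/* ssh unused: kept for signature parity with the monitor side */` would say so. The wrapper signatures run past 80 columns, unlike `mm_sshkey_verify`'s own in the previous hunk, and could be wrapped the same way.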
@@ -82,7 +84,12 @@ void mm_sshpam_free_ctx(void *); @@ -1655,7 +1662,7 @@ diff -up openssh/packet.c.audit openssh/packet.c --- openssh/packet.c.audit 2019-03-27 23:26:14.000000000 +0100 +++ openssh/packet.c 2019-04-03 17:02:20.716886069 +0200 @@ -77,6 +77,7 @@ - #include + #endif #include "xmalloc.h" +#include "audit.h" @@ -1705,7 +1712,7 @@ diff -up openssh/packet.c.audit openssh/packet.c kex_free_newkeys(state->newkeys[mode]); /* current keys */ state->newkeys[mode] = NULL; @@ -636,8 +641,18 @@ ssh_packet_close_internal(struct ssh *ss - } + #endif /* WITH_ZLIB */ cipher_free(state->send_context); cipher_free(state->receive_context); + if (had_keys && state->server_side) { @@ -2041,7 +2048,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c +void demote_sensitive_data(struct ssh *); static void do_ssh2_kex(struct ssh *); - /* + static char *listener_proctitle; @@ -278,6 +279,15 @@ close_listen_socks(void) num_listen_socks = -1; } @@ -2314,5 +2321,5 @@ diff -up openssh/sshkey.h.audit openssh/sshkey.h int sshkey_type_from_name(const char *); +int sshkey_is_private(const struct sshkey *); int sshkey_is_cert(const struct sshkey *); + int sshkey_is_sk(const struct sshkey *); int sshkey_type_is_cert(int); - int sshkey_type_plain(int); diff --git a/openssh-7.7p1-fips.patch b/openssh-7.7p1-fips.patch index 36eec24..9500cc3 100644 --- a/openssh-7.7p1-fips.patch +++ b/openssh-7.7p1-fips.patch 
@@ -11,19 +11,6 @@ diff -up openssh-8.0p1/cipher-ctr.c.fips openssh-8.0p1/cipher-ctr.c #endif return (&aes_ctr); } -diff -up openssh-8.0p1/clientloop.c.fips openssh-8.0p1/clientloop.c ---- openssh-8.0p1/clientloop.c.fips 2019-07-23 14:55:45.331525692 +0200 -+++ openssh-8.0p1/clientloop.c 2019-07-23 14:55:45.401526401 +0200 -@@ -2049,7 +2049,8 @@ key_accepted_by_hostkeyalgs(const struct - { - const char *ktype = sshkey_ssh_name(key); - const char *hostkeyalgs = options.hostkeyalgorithms != NULL ? -- options.hostkeyalgorithms : KEX_DEFAULT_PK_ALG; -+ options.hostkeyalgorithms : (FIPS_mode() ? -+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG); - - if (key == NULL || key->type == KEY_UNSPEC) - return 0; diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c --- openssh-8.0p1/dh.c.fips 2019-04-18 00:52:57.000000000 +0200 +++ openssh-8.0p1/dh.c 2019-07-23 14:55:45.401526401 +0200 
@@ -141,126 +128,113 @@ diff -up openssh-8.0p1/Makefile.in.fips openssh-8.0p1/Makefile.in - $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) + $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) - scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o - $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS) + $(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) - ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o -- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHADD_OBJS) +- $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o -- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHAGENT_OBJS) +- $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o sshsig.o -- $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYGEN_OBJS) +- $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o 
uidswap.o compat.o -- $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSIGN_OBJS) +- $(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o - $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) + ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(P11HELPER_OBJS) + $(LD) -o $@ $(P11HELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) 
@@ -216,7 +216,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a - $(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + $(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o -- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -+ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) +- $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) ++ $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) - sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-realpath.o sftp-server-main.o - $(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS) + $(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h --- openssh-8.0p1/myproposal.h.fips 2019-04-18 00:52:57.000000000 +0200 +++ openssh-8.0p1/myproposal.h 2019-07-23 14:55:45.402526411 +0200 -@@ -111,6 +111,16 @@ +@@ -111,6 +111,20 @@ "rsa-sha2-256," \ "ssh-rsa" +#define KEX_FIPS_PK_ALG \ -+ HOSTKEY_ECDSA_CERT_METHODS \ ++ "ecdsa-sha2-nistp256-cert-v01@openssh.com," \ ++ "ecdsa-sha2-nistp384-cert-v01@openssh.com," \ ++ "ecdsa-sha2-nistp521-cert-v01@openssh.com," \ + "rsa-sha2-512-cert-v01@openssh.com," \ + "rsa-sha2-256-cert-v01@openssh.com," \ + "ssh-rsa-cert-v01@openssh.com," \ -+ HOSTKEY_ECDSA_METHODS \ ++ "ecdsa-sha2-nistp256," \ ++ "ecdsa-sha2-nistp384," \ ++ "ecdsa-sha2-nistp521," \ + "rsa-sha2-512," \ + "rsa-sha2-256," \ + "ssh-rsa" + - /* the actual algorithms */ - - #define KEX_SERVER_ENCRYPT \ -@@ -134,6 +142,38 @@ + #define KEX_SERVER_ENCRYPT \ + "chacha20-poly1305@openssh.com," \ + 
"aes128-ctr,aes192-ctr,aes256-ctr," \ +@@ -134,6 +142,27 @@ #define KEX_CLIENT_MAC KEX_SERVER_MAC +#define KEX_FIPS_ENCRYPT \ + "aes128-ctr,aes192-ctr,aes256-ctr," \ + "aes128-cbc,3des-cbc," \ -+ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se" \ -+ AESGCM_CIPHER_MODES -+#ifdef HAVE_EVP_SHA256 -+# define KEX_DEFAULT_KEX_FIPS \ -+ KEX_ECDH_METHODS \ -+ KEX_SHA2_METHODS \ ++ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \ ++ "aes128-gcm@openssh.com,aes256-gcm@openssh.com" ++#define KEX_DEFAULT_KEX_FIPS \ ++ "ecdh-sha2-nistp256," \ ++ "ecdh-sha2-nistp384," \ ++ "ecdh-sha2-nistp521," \ ++ "diffie-hellman-group-exchange-sha256," \ ++ "diffie-hellman-group16-sha512," \ ++ "diffie-hellman-group18-sha512," \ + "diffie-hellman-group14-sha256" -+# define KEX_FIPS_MAC \ ++#define KEX_FIPS_MAC \ + "hmac-sha1," \ + "hmac-sha2-256," \ + "hmac-sha2-512," \ + "hmac-sha1-etm@openssh.com," \ + "hmac-sha2-256-etm@openssh.com," \ + "hmac-sha2-512-etm@openssh.com" -+#else -+# ifdef OPENSSL_HAS_NISTP521 -+# define KEX_DEFAULT_KEX_FIPS \ -+ "ecdh-sha2-nistp256," \ -+ "ecdh-sha2-nistp384," \ -+ "ecdh-sha2-nistp521" -+# else -+# define KEX_DEFAULT_KEX_FIPS \ -+ "ecdh-sha2-nistp256," \ -+ "ecdh-sha2-nistp384" -+# endif -+#define KEX_FIPS_MAC \ -+ "hmac-sha1" -+#endif + /* Not a KEX value, but here so all the algorithm defaults are together */ #define SSH_ALLOWED_CA_SIGALGS \ - HOSTKEY_ECDSA_METHODS \ + "ecdsa-sha2-nistp256," \ diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c --- openssh-8.0p1/readconf.c.fips 2019-07-23 14:55:45.334525723 +0200 +++ openssh-8.0p1/readconf.c 2019-07-23 14:55:45.402526411 +0200 -@@ -2179,18 +2179,19 @@ fill_default_options(Options * options) - all_kex = kex_alg_list(','); +@@ -2179,11 +2179,16 @@ fill_default_options(Options * options) all_key = sshkey_alg_list(0, 0, 1, ','); all_sig = sshkey_alg_list(0, 1, 1, ','); --#define ASSEMBLE(what, defaults, all) \ -+#define ASSEMBLE(what, defaults, fips_defaults, all) \ + /* remove unsupported 
algos from default lists */ +- def_cipher = match_filter_whitelist(KEX_CLIENT_ENCRYPT, all_cipher); +- def_mac = match_filter_whitelist(KEX_CLIENT_MAC, all_mac); +- def_kex = match_filter_whitelist(KEX_CLIENT_KEX, all_kex); +- def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key); +- def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig); ++ def_cipher = match_filter_whitelist((FIPS_mode() ? ++ KEX_FIPS_ENCRYPT : KEX_CLIENT_ENCRYPT), all_cipher); ++ def_mac = match_filter_whitelist((FIPS_mode() ? ++ KEX_FIPS_MAC : KEX_CLIENT_MAC), all_mac); ++ def_kex = match_filter_whitelist((FIPS_mode() ? ++ KEX_DEFAULT_KEX_FIPS : KEX_CLIENT_KEX), all_kex); ++ def_key = match_filter_whitelist((FIPS_mode() ? ++ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key); ++ def_sig = match_filter_whitelist((FIPS_mode() ? ++ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig); + #define ASSEMBLE(what, defaults, all) \ do { \ if ((r = kex_assemble_names(&options->what, \ -- defaults, all)) != 0) \ -+ (FIPS_mode() ? 
fips_defaults : defaults), \ -+ all)) != 0) \ - fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \ - } while (0) -- ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, all_cipher); -- ASSEMBLE(macs, KEX_CLIENT_MAC, all_mac); -- ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, all_kex); -- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key); -- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key); -- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig); -+ ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher); -+ ASSEMBLE(macs, KEX_CLIENT_MAC, KEX_FIPS_MAC, all_mac); -+ ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, KEX_DEFAULT_KEX_FIPS, all_kex); -+ ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key); -+ ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key); -+ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig); - #undef ASSEMBLE - free(all_cipher); - free(all_mac); diff -up openssh-8.0p1/sandbox-seccomp-filter.c.fips openssh-8.0p1/sandbox-seccomp-filter.c --- openssh-8.0p1/sandbox-seccomp-filter.c.fips 2019-07-23 14:55:45.373526117 +0200 +++ openssh-8.0p1/sandbox-seccomp-filter.c 2019-07-23 14:55:45.402526411 +0200 
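Review bot: In the readconf.c part of this hunk, the FIPS branch of `def_sig` is built from `KEX_FIPS_PK_ALG`, which per the myproposal.h part of the same hunk lists the `*-cert-v01@openssh.com` key types; a CA signature-algorithm list should hold only plain signature types, as `SSH_ALLOWED_CA_SIGALGS` does. It works only because `all_sig = sshkey_alg_list(0, 1, 1, ',')` is a plain-only list and `match_filter_whitelist` silently drops the cert entries, so a dedicated `KEX_FIPS_CA_SIGALGS` without the certificate types (or at least a comment, `/* cert types are filtered out by the plain-only all_sig list */`) would state the intent instead of relying on the filter. The servconf.c hunk that follows (`@@ -277,35 +251,28 @@`) has the same construction. `FIPS_mode()` is also evaluated once per list; `int fips = FIPS_mode();` before the five assignments reads better and keeps the decision consistent within one call. Separately, the sshconnect2.c FIPS override of `options.hostkeyalgorithms` is deleted in the later `@@ -358,35 +325,6 @@` hunk, which is only safe if the ASSEMBLE of hostkeyalgorithms from `def_key` (not visible in this hunk) always runs before ssh_kex2; otherwise the client can still fall back to `KEX_DEFAULT_PK_ALG` and offer non-FIPS key types.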
@@ -277,35 +251,28 @@ diff -up openssh-8.0p1/sandbox-seccomp-filter.c.fips openssh-8.0p1/sandbox-secco diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c --- openssh-8.0p1/servconf.c.fips 2019-07-23 14:55:45.361525996 +0200 +++ openssh-8.0p1/servconf.c 2019-07-23 14:55:45.403526421 +0200 -@@ -208,18 +208,19 @@ assemble_algorithms(ServerOptions *o) - all_kex = kex_alg_list(','); +@@ -208,11 +208,16 @@ assemble_algorithms(ServerOptions *o) all_key = sshkey_alg_list(0, 0, 1, ','); all_sig = sshkey_alg_list(0, 1, 1, ','); --#define ASSEMBLE(what, defaults, all) \ -+#define ASSEMBLE(what, defaults, fips_defaults, all) \ + /* remove unsupported algos from default lists */ +- def_cipher = match_filter_whitelist(KEX_SERVER_ENCRYPT, all_cipher); +- def_mac = match_filter_whitelist(KEX_SERVER_MAC, all_mac); +- def_kex = match_filter_whitelist(KEX_SERVER_KEX, all_kex); +- def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key); +- def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig); ++ def_cipher = match_filter_whitelist((FIPS_mode() ? ++ KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT), all_cipher); ++ def_mac = match_filter_whitelist((FIPS_mode() ? ++ KEX_FIPS_MAC : KEX_SERVER_MAC), all_mac); ++ def_kex = match_filter_whitelist((FIPS_mode() ? ++ KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX), all_kex); ++ def_key = match_filter_whitelist((FIPS_mode() ? ++ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key); ++ def_sig = match_filter_whitelist((FIPS_mode() ? ++ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig); + #define ASSEMBLE(what, defaults, all) \ do { \ -- if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \ -+ if ((r = kex_assemble_names(&o->what, (FIPS_mode() \ -+ ? 
fips_defaults : defaults), all)) != 0) \ - fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \ - } while (0) -- ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, all_cipher); -- ASSEMBLE(macs, KEX_SERVER_MAC, all_mac); -- ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex); -- ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key); -- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key); -- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key); -- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig); -+ ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher); -+ ASSEMBLE(macs, KEX_SERVER_MAC, KEX_FIPS_MAC, all_mac); -+ ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, KEX_DEFAULT_KEX_FIPS, all_kex); -+ ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key); -+ ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key); -+ ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key); -+ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig); - #undef ASSEMBLE - free(all_cipher); - free(all_mac); + if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \ diff -up openssh-8.0p1/ssh.c.fips openssh-8.0p1/ssh.c --- openssh-8.0p1/ssh.c.fips 2019-07-23 14:55:45.378526168 +0200 +++ openssh-8.0p1/ssh.c 2019-07-23 14:55:45.403526421 +0200 
@@ -358,35 +325,6 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c #include "openbsd-compat/sys-queue.h" #include "xmalloc.h" -@@ -115,7 +117,8 @@ order_hostkeyalgs(char *host, struct soc - for (i = 0; i < options.num_system_hostfiles; i++) - load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]); - -- oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG); -+ oavail = avail = xstrdup((FIPS_mode() -+ ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG)); - maxlen = strlen(avail) + 1; - first = xmalloc(maxlen); - last = xmalloc(maxlen); -@@ -182,14 +185,16 @@ ssh_kex2(struct ssh *ssh, char *host, st - if (options.hostkeyalgorithms != NULL) { - all_key = sshkey_alg_list(0, 0, 1, ','); - if (kex_assemble_names(&options.hostkeyalgorithms, -- KEX_DEFAULT_PK_ALG, all_key) != 0) -+ (FIPS_mode() ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), -+ all_key) != 0) - fatal("%s: kex_assemble_namelist", __func__); - free(all_key); - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = - compat_pkalg_proposal(options.hostkeyalgorithms); - } else { - /* Enforce default */ -- options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG); -+ options.hostkeyalgorithms = xstrdup((FIPS_mode() -+ ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG)); - /* Prefer algorithms that we already have keys for */ - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = - compat_pkalg_proposal( @@ -198,29 +203,34 @@ ssh_kex2(struct ssh *ssh, char *host, st #if defined(GSSAPI) && defined(WITH_OPENSSL) @@ -530,9 +468,9 @@ diff -up openssh-8.0p1/sshkey.c.fips openssh-8.0p1/sshkey.c #include "sshkey.h" #include "match.h" +#include "log.h" + #include "ssh-sk.h" #ifdef WITH_XMSS - #include "sshkey-xmss.h" @@ -1591,6 +1593,8 @@ rsa_generate_private_key(u_int bits, RSA } if (!BN_set_word(f4, RSA_F4) || diff --git a/openssh-7.7p1-redhat.patch b/openssh-7.7p1-redhat.patch index 4e2a5bc..0bf26bd 100644 --- a/openssh-7.7p1-redhat.patch +++ b/openssh-7.7p1-redhat.patch 
@@ -1,7 +1,7 @@ -diff -up openssh-7.7p1/ssh_config.redhat openssh-7.7p1/ssh_config ---- openssh-7.7p1/ssh_config.redhat 2018-04-02 07:38:28.000000000 +0200 -+++ openssh-7.7p1/ssh_config 2018-07-03 10:44:06.522245125 +0200 -@@ -44,3 +44,7 @@ +diff -up openssh/ssh_config.redhat openssh/ssh_config +--- openssh/ssh_config.redhat 2020-02-11 23:28:35.000000000 +0100 ++++ openssh/ssh_config 2020-02-13 18:13:39.180641839 +0100 +@@ -43,3 +43,7 @@ # VisualHostKey no # ProxyCommand ssh -q -W %h:%p gateway.example.com # RekeyLimit 1G 1h @@ -9,9 +9,9 @@ diff -up openssh-7.7p1/ssh_config.redhat openssh-7.7p1/ssh_config +# To modify the system-wide ssh configuration, create a *.conf file under +# /etc/ssh/ssh_config.d/ which will be automatically included below +Include /etc/ssh/ssh_config.d/*.conf -diff -up openssh-7.7p1/ssh_config_redhat.redhat openssh-7.7p1/ssh_config_redhat ---- openssh-7.7p1/ssh_config_redhat.redhat 2018-07-03 10:44:06.522245125 +0200 -+++ openssh-7.7p1/ssh_config_redhat 2018-07-03 10:44:06.522245125 +0200 +diff -up openssh/ssh_config_redhat.redhat openssh/ssh_config_redhat +--- openssh/ssh_config_redhat.redhat 2020-02-13 18:13:39.180641839 +0100 ++++ openssh/ssh_config_redhat 2020-02-13 18:13:39.180641839 +0100 @@ -0,0 +1,21 @@ +# The options here are in the "Match final block" to be applied as the last +# options and could be potentially overwritten by the user configuration 
@@ -34,11 +34,10 @@ diff -up openssh-7.7p1/ssh_config_redhat.redhat openssh-7.7p1/ssh_config_redhat + +# Uncomment this if you want to use .local domain +# Host *.local -+# CheckHostIP no -diff -up openssh-7.7p1/sshd_config.0.redhat openssh-7.7p1/sshd_config.0 ---- openssh-7.7p1/sshd_config.0.redhat 2018-04-02 07:39:27.000000000 +0200 -+++ openssh-7.7p1/sshd_config.0 2018-07-03 10:44:06.523245133 +0200 -@@ -872,9 +872,9 @@ DESCRIPTION +diff -up openssh/sshd_config.0.redhat openssh/sshd_config.0 +--- openssh/sshd_config.0.redhat 2020-02-12 14:30:04.000000000 +0100 ++++ openssh/sshd_config.0 2020-02-13 18:13:39.181641855 +0100 +@@ -970,9 +970,9 @@ DESCRIPTION SyslogFacility Gives the facility code that is used when logging messages from @@ -51,10 +50,10 @@ diff -up openssh-7.7p1/sshd_config.0.redhat openssh-7.7p1/sshd_config.0 TCPKeepAlive Specifies whether the system should send TCP keepalive messages -diff -up openssh-7.7p1/sshd_config.5.redhat openssh-7.7p1/sshd_config.5 ---- openssh-7.7p1/sshd_config.5.redhat 2018-04-02 07:38:28.000000000 +0200 -+++ openssh-7.7p1/sshd_config.5 2018-07-03 10:44:06.523245133 +0200 -@@ -1461,7 +1461,7 @@ By default no subsystems are defined. +diff -up openssh/sshd_config.5.redhat openssh/sshd_config.5 +--- openssh/sshd_config.5.redhat 2020-02-11 23:28:35.000000000 +0100 ++++ openssh/sshd_config.5 2020-02-13 18:13:39.181641855 +0100 +@@ -1614,7 +1614,7 @@ By default no subsystems are defined. .It Cm SyslogFacility Gives the facility code that is used when logging messages from .Xr sshd 8 . 
@@ -63,9 +62,9 @@ diff -up openssh-7.7p1/sshd_config.5.redhat openssh-7.7p1/sshd_config.5 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH. .It Cm TCPKeepAlive -diff -up openssh-7.7p1/sshd_config.redhat openssh-7.7p1/sshd_config ---- openssh-7.7p1/sshd_config.redhat 2018-04-02 07:38:28.000000000 +0200 -+++ openssh-7.7p1/sshd_config 2018-07-03 10:45:16.950782466 +0200 +diff -up openssh/sshd_config.redhat openssh/sshd_config +--- openssh/sshd_config.redhat 2020-02-11 23:28:35.000000000 +0100 ++++ openssh/sshd_config 2020-02-13 18:20:16.349913681 +0100 @@ -10,6 +10,10 @@ # possible, but leave them commented. Uncommented options override the # default value. @@ -77,10 +76,18 @@ diff -up openssh-7.7p1/sshd_config.redhat openssh-7.7p1/sshd_config #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 -@@ -16,8 +20,18 @@ - # Ciphers and keying - #RekeyLimit default none - +@@ -114,3 +118,7 @@ Subsystem sftp /usr/libexec/sftp-server + # AllowTcpForwarding no + # PermitTTY no + # ForceCommand cvs server ++ ++# To modify the system-wide ssh configuration, create a *.conf file under ++# /etc/ssh/sshd_config.d/ which will be automatically included below ++Include /etc/ssh/sshd_config.d/*.conf +diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat +--- openssh/sshd_config_redhat.redhat 2020-02-13 18:14:02.268006439 +0100 ++++ openssh/sshd_config_redhat 2020-02-13 18:19:20.765035947 +0100 +@@ -0,0 +1,31 @@ +# System-wide Crypto policy: +# This system is following system-wide crypto policy. The changes to +# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any 
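Review bot: `Include /etc/ssh/sshd_config.d/*.conf` is appended at the very end of sshd_config in the `@@ -114,3 +118,7 @@` part of the `@@ -77,10 +76,18 @@` hunk, but sshd keeps the first value obtained for each keyword, so a drop-in included last can only set keywords the main file leaves unset; it cannot override `Subsystem sftp` or any keyword an administrator later uncomments above it, which is the opposite of what the new "To modify the system-wide ssh configuration" comment promises. Moving the `Include` (with its comment) to the top of sshd_config, before the first active keyword, gives drop-ins the override semantics intended here; the ssh_config `Include` added in the `@@ -1,7 +1,7 @@` hunk sits at the end too, and ssh applies the same first-obtained-value rule. This matters because the settings this commit moves into the sshd_config_redhat drop-in (`PasswordAuthentication yes`, `GSSAPIAuthentication yes`, `UsePAM yes`, `X11Forwarding yes`, in the following hunk) are silently ignored whenever the main file sets the same keyword. While the crypto-policy comment is being moved, its two typos, `KexAlgoritms` and `GSSAPIKexAlgorithsm`, could be corrected to `KexAlgorithms` and `GSSAPIKexAlgorithms`.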
@@ -90,69 +97,25 @@ diff -up openssh-7.7p1/sshd_config.redhat openssh-7.7p1/sshd_config +# variable in /etc/sysconfig/sshd to overwrite the policy. +# For more information, see manual page for update-crypto-policies(8). + - # Logging - #SyslogFacility AUTH +SyslogFacility AUTHPRIV - #LogLevel INFO - - # Authentication: -@@ -56,9 +70,11 @@ AuthorizedKeysFile .ssh/authorized_keys - # To disable tunneled clear text passwords, change to no here! - #PasswordAuthentication yes - #PermitEmptyPasswords no ++ +PasswordAuthentication yes - - # Change to no to disable s/key passwords - #ChallengeResponseAuthentication yes +ChallengeResponseAuthentication no - - # Kerberos options - #KerberosAuthentication no -@@ -67,8 +83,8 @@ AuthorizedKeysFile .ssh/authorized_keys - #KerberosGetAFSToken no - - # GSSAPI options --#GSSAPIAuthentication no --#GSSAPICleanupCredentials yes ++ +GSSAPIAuthentication yes +GSSAPICleanupCredentials no - - # Set this to 'yes' to enable PAM authentication, account processing, - # and session processing. If this is enabled, PAM authentication will -@@ -79,16 +95,20 @@ AuthorizedKeysFile .ssh/authorized_keys - # If you just want the PAM account and session checks to run without - # PAM authentication, then enable this but set PasswordAuthentication - # and ChallengeResponseAuthentication to 'no'. --#UsePAM no ++ +UsePAM yes - - #AllowAgentForwarding yes - #AllowTcpForwarding yes - #GatewayPorts no --#X11Forwarding no ++ +X11Forwarding yes - #X11DisplayOffset 10 - #X11UseLocalhost yes - #PermitTTY yes --#PrintMotd yes + +# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd, +# as it is more configurable and versatile than the built-in version. 
+PrintMotd no + - #PrintLastLog yes - #TCPKeepAlive yes - #PermitUserEnvironment no -@@ -106,6 +126,12 @@ AuthorizedKeysFile .ssh/authorized_keys - # no default banner path - #Banner none - +# Accept locale-related environment variables +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE +AcceptEnv XMODIFIERS + - # override default of no subsystems - Subsystem sftp /usr/libexec/sftp-server - diff --git a/openssh-7.8p1-UsePAM-warning.patch b/openssh-7.8p1-UsePAM-warning.patch index ef2c737..d4c53db 100644 --- a/openssh-7.8p1-UsePAM-warning.patch +++ b/openssh-7.8p1-UsePAM-warning.patch @@ -3,7 +3,7 @@ diff --git a/sshd.c b/sshd.c +++ b/sshd.c @@ -1701,6 +1701,10 @@ main(int ac, char **av) parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, - cfg, NULL); + cfg, &includes, NULL); + /* 'UsePAM no' is not supported in Fedora */ + if (! options.use_pam) @@ -21,6 +21,6 @@ diff --git a/sshd_config b/sshd_config # and ChallengeResponseAuthentication to 'no'. +# WARNING: 'UsePAM no' is not supported in Fedora and may cause several +# problems. - UsePAM yes + #UsePAM no #AllowAgentForwarding yes diff --git a/openssh-7.8p1-role-mls.patch b/openssh-7.8p1-role-mls.patch index da0abd7..fb7ce7c 100644 --- a/openssh-7.8p1-role-mls.patch +++ b/openssh-7.8p1-role-mls.patch @@ -339,7 +339,7 @@ diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h +++ openssh/monitor_wrap.h 2018-08-22 11:22:10.439929513 +0200 @@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int); int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *, - const u_char *, size_t, const char *, u_int compat); + const u_char *, size_t, const char *, const char *, u_int compat); void mm_inform_authserv(char *, char *); +#ifdef WITH_SELINUX +void mm_inform_authrole(char *); 
@@ -359,7 +359,7 @@ diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Make + port-linux-sshd.o .c.o: - $(CC) $(CFLAGS) $(CPPFLAGS) -c $< + $(CC) $(CFLAGS_NOPIE) $(PICFLAG) $(CPPFLAGS) -c $< diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/port-linux.c --- openssh/openbsd-compat/port-linux.c.role-mls 2018-08-20 07:57:29.000000000 +0200 +++ openssh/openbsd-compat/port-linux.c 2018-08-22 11:14:56.819430949 +0200 diff --git a/openssh-8.0p1-crypto-policies.patch b/openssh-8.0p1-crypto-policies.patch index 37263a5..89bd369 100644 --- a/openssh-8.0p1-crypto-policies.patch +++ b/openssh-8.0p1-crypto-policies.patch 
@@ -1,7 +1,29 @@ -diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5 ---- openssh-8.0p1/ssh_config.5.crypto-policies 2019-05-13 14:04:01.999099570 +0200 -+++ openssh-8.0p1/ssh_config.5 2019-05-13 14:12:36.343923071 +0200 -@@ -445,12 +445,10 @@ aes256-gcm@openssh.com +diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5 +--- openssh/ssh_config.5.crypto-policies 2020-02-07 15:05:55.665451715 +0100 ++++ openssh/ssh_config.5 2020-02-07 15:07:11.632641922 +0100 +@@ -361,15 +361,15 @@ domains. + .It Cm CASignatureAlgorithms + Specifies which algorithms are allowed for signing of certificates + by certificate authorities (CAs). +-The default is: +-.Bd -literal -offset indent +-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa +-.Ed +-.Pp + .Xr ssh 1 + will not accept host certificates signed using algorithms other than those + specified. ++.Pp ++The default is handled system-wide by ++.Xr crypto-policies 7 . ++To see the defaults and how to modify this default, see manual page ++.Xr update-crypto-policies 8 . ++.Pp + .It Cm CertificateFile + Specifies a file from which the user's certificate is read. + A corresponding private key must be provided separately in order +@@ -453,12 +453,10 @@ aes256-gcm@openssh.com chacha20-poly1305@openssh.com .Ed .Pp @@ -18,7 +40,7 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5 .Pp The list of available ciphers may also be obtained using .Qq ssh -Q cipher . -@@ -812,8 +810,10 @@ gss-nistp256-sha256-, +@@ -824,8 +822,10 @@ gss-nistp256-sha256-, gss-curve25519-sha256- .Ed .Pp 
@@ -31,7 +53,7 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5 This option only applies to protocol version 2 connections using GSSAPI. .It Cm HashKnownHosts Indicates that -@@ -1123,16 +1123,10 @@ If the specified value begins with a +@@ -1162,15 +1162,10 @@ If the specified list begins with a .Sq ^ character, then the specified methods will be placed at the head of the default set. @@ -42,8 +64,7 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5 -diffie-hellman-group-exchange-sha256, -diffie-hellman-group16-sha512, -diffie-hellman-group18-sha512, --diffie-hellman-group14-sha256, --diffie-hellman-group14-sha1 +-diffie-hellman-group14-sha256 -.Ed +The default is handled system-wide by +.Xr crypto-policies 7 . @@ -52,7 +73,7 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5 .Pp The list of available key exchange algorithms may also be obtained using .Qq ssh -Q kex . -@@ -1210,14 +1204,10 @@ The algorithms that contain +@@ -1252,14 +1247,10 @@ The algorithms that contain calculate the MAC after encryption (encrypt-then-mac). These are considered safer and their use recommended. .Pp @@ -71,7 +92,7 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5 .Pp The list of available MAC algorithms may also be obtained using .Qq ssh -Q mac . -@@ -1361,17 +1351,10 @@ If the specified value begins with a +@@ -1407,22 +1398,10 @@ If the specified list begins with a .Sq ^ character, then the specified key types will be placed at the head of the default set. 
@@ -80,11 +101,16 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5 -ecdsa-sha2-nistp256-cert-v01@openssh.com, -ecdsa-sha2-nistp384-cert-v01@openssh.com, -ecdsa-sha2-nistp521-cert-v01@openssh.com, +-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, -ssh-ed25519-cert-v01@openssh.com, --rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, +-sk-ssh-ed25519-cert-v01@openssh.com, +-rsa-sha2-512-cert-v01@openssh.com, +-rsa-sha2-256-cert-v01@openssh.com, -ssh-rsa-cert-v01@openssh.com, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, --ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa +-sk-ecdsa-sha2-nistp256@openssh.com, +-ssh-ed25519,sk-ssh-ed25519@openssh.com, +-rsa-sha2-512,rsa-sha2-256,ssh-rsa -.Ed +The default is handled system-wide by +.Xr crypto-policies 7 . 
@@ -92,11 +118,32 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5 +.Xr update-crypto-policies 8 . .Pp The list of available key types may also be obtained using - .Qq ssh -Q key . -diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5 ---- openssh-8.0p1/sshd_config.5.crypto-policies 2019-05-13 14:12:41.226968863 +0200 -+++ openssh-8.0p1/sshd_config.5 2019-05-13 14:15:14.581406997 +0200 -@@ -490,12 +490,10 @@ aes256-gcm@openssh.com + .Qq ssh -Q PubkeyAcceptedKeyTypes . +diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5 +--- openssh/sshd_config.5.crypto-policies 2020-02-07 15:05:55.639451308 +0100 ++++ openssh/sshd_config.5 2020-02-07 15:05:55.672451825 +0100 +@@ -377,14 +377,14 @@ By default, no banner is displayed. + .It Cm CASignatureAlgorithms + Specifies which algorithms are allowed for signing of certificates + by certificate authorities (CAs). +-The default is: +-.Bd -literal -offset indent +-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa +-.Ed +-.Pp + Certificates signed using other algorithms will not be accepted for + public key or host-based authentication. ++.Pp ++The default is handled system-wide by ++.Xr crypto-policies 7 . ++To see the defaults and how to modify this default, see manual page ++.Xr update-crypto-policies 8 . ++.Pp + .It Cm ChallengeResponseAuthentication + Specifies whether challenge-response authentication is allowed (e.g. via + PAM or through authentication styles supported in +@@ -486,12 +486,10 @@ aes256-gcm@openssh.com chacha20-poly1305@openssh.com .El .Pp @@ -113,7 +160,7 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5 .Pp The list of available ciphers may also be obtained using .Qq ssh -Q cipher . -@@ -700,8 +698,10 @@ gss-nistp256-sha256-, +@@ -693,8 +691,10 @@ gss-nistp256-sha256-, gss-curve25519-sha256- .Ed .Pp 
@@ -126,7 +173,7 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5 This option only applies to protocol version 2 connections using GSSAPI. .It Cm HostbasedAcceptedKeyTypes Specifies the key types that will be accepted for hostbased authentication -@@ -792,17 +792,10 @@ environment variable. +@@ -794,22 +794,10 @@ environment variable. .It Cm HostKeyAlgorithms Specifies the host key algorithms that the server offers. @@ -135,11 +182,16 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5 -ecdsa-sha2-nistp256-cert-v01@openssh.com, -ecdsa-sha2-nistp384-cert-v01@openssh.com, -ecdsa-sha2-nistp521-cert-v01@openssh.com, +-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, -ssh-ed25519-cert-v01@openssh.com, --rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, +-sk-ssh-ed25519-cert-v01@openssh.com, +-rsa-sha2-512-cert-v01@openssh.com, +-rsa-sha2-256-cert-v01@openssh.com, -ssh-rsa-cert-v01@openssh.com, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, --ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa +-sk-ecdsa-sha2-nistp256@openssh.com, +-ssh-ed25519,sk-ssh-ed25519@openssh.com, +-rsa-sha2-512,rsa-sha2-256,ssh-rsa -.Ed +The default is handled system-wide by +.Xr crypto-policies 7 . @@ -147,9 +199,9 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5 +.Xr update-crypto-policies 8 . .Pp The list of available key types may also be obtained using - .Qq ssh -Q key . -@@ -960,14 +953,10 @@ ecdh-sha2-nistp384 - ecdh-sha2-nistp521 + .Qq ssh -Q HostKeyAlgorithms . +@@ -987,14 +975,10 @@ ecdh-sha2-nistp521 + sntrup4591761x25519-sha512@tinyssh.org .El .Pp -The default is: 
@@ -158,7 +210,7 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5 -ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, -diffie-hellman-group-exchange-sha256, -diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, --diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 +-diffie-hellman-group14-sha256 -.Ed +The default is handled system-wide by +.Xr crypto-policies 7 . @@ -166,8 +218,8 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5 +.Xr update-crypto-policies 8 . .Pp The list of available key exchange algorithms may also be obtained using - .Qq ssh -Q kex . -@@ -1090,14 +1079,10 @@ umac-64-etm@openssh.com + .Qq ssh -Q KexAlgorithms . +@@ -1121,14 +1105,10 @@ umac-64-etm@openssh.com umac-128-etm@openssh.com .El .Pp @@ -186,7 +238,7 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5 .Pp The list of available MAC algorithms may also be obtained using .Qq ssh -Q mac . -@@ -1455,17 +1440,10 @@ If the specified value begins with a +@@ -1492,22 +1472,10 @@ If the specified list begins with a .Sq ^ character, then the specified key types will be placed at the head of the default set. 
@@ -195,11 +247,16 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5 -ecdsa-sha2-nistp256-cert-v01@openssh.com, -ecdsa-sha2-nistp384-cert-v01@openssh.com, -ecdsa-sha2-nistp521-cert-v01@openssh.com, +-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, -ssh-ed25519-cert-v01@openssh.com, --rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, +-sk-ssh-ed25519-cert-v01@openssh.com, +-rsa-sha2-512-cert-v01@openssh.com, +-rsa-sha2-256-cert-v01@openssh.com, -ssh-rsa-cert-v01@openssh.com, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, --ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa +-sk-ecdsa-sha2-nistp256@openssh.com, +-ssh-ed25519,sk-ssh-ed25519@openssh.com, +-rsa-sha2-512,rsa-sha2-256,ssh-rsa -.Ed +The default is handled system-wide by +.Xr crypto-policies 7 . @@ -207,4 +264,4 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5 +.Xr update-crypto-policies 8 . .Pp The list of available key types may also be obtained using - .Qq ssh -Q key . + .Qq ssh -Q PubkeyAcceptedKeyTypes . diff --git a/openssh-8.0p1-gssapi-keyex.patch b/openssh-8.0p1-gssapi-keyex.patch index 631c824..9e7ea72 100644 --- a/openssh-8.0p1-gssapi-keyex.patch +++ b/openssh-8.0p1-gssapi-keyex.patch @@ -1,29 +1,29 @@ diff --git a/Makefile.in b/Makefile.in -index 6f001bb3..c31821ac 100644 +index e7549470..b68c1710 100644 --- a/Makefile.in 
+++ b/Makefile.in -@@ -100,6 +100,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ +@@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ kexgexc.o kexgexs.o \ sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \ + kexgssc.o \ - platform-pledge.o platform-tracing.o platform-misc.o + sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \ + sshbuf-io.o - -@@ -114,7 +115,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \ +@@ -125,7 +126,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \ auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ auth2-none.o auth2-passwd.o auth2-pubkey.o \ monitor.o monitor_wrap.o auth-krb5.o \ - auth2-gss.o gss-serv.o gss-serv-krb5.o \ + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ - sftp-server.o sftp-common.o sftp-realpath.o \ + sftp-server.o sftp-common.o \ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ diff --git a/auth.c b/auth.c -index 332b6220..7664aaac 100644 +index 086b8ebb..687c57b4 100644 --- a/auth.c +++ b/auth.c -@@ -399,7 +399,8 @@ auth_root_allowed(struct ssh *ssh, const char *method) +@@ -400,7 +400,8 @@ auth_root_allowed(struct ssh *ssh, const char *method) case PERMIT_NO_PASSWD: if (strcmp(method, "publickey") == 0 || strcmp(method, "hostbased") == 0 || @@ -33,7 +33,7 @@ index 332b6220..7664aaac 100644 return 1; break; case PERMIT_FORCED_ONLY: -@@ -723,99 +724,6 @@ fakepw(void) +@@ -724,99 +725,6 @@ fakepw(void) return (&fake); } @@ -62,7 +62,7 @@ index 332b6220..7664aaac 100644 - if (getpeername(ssh_packet_get_connection_in(ssh), - (struct sockaddr *)&from, &fromlen) == -1) { - debug("getpeername failed: %.100s", strerror(errno)); -- return strdup(ntop); +- return xstrdup(ntop); - } - - ipv64_normalise_mapped(&from, &fromlen); 
@@ -74,7 +74,7 @@ index 332b6220..7664aaac 100644 - if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), - NULL, 0, NI_NAMEREQD) != 0) { - /* Host name not found. Use ip address. */ -- return strdup(ntop); +- return xstrdup(ntop); - } - - /* @@ -89,7 +89,7 @@ index 332b6220..7664aaac 100644 - logit("Nasty PTR record \"%s\" is set up for %s, ignoring", - name, ntop); - freeaddrinfo(ai); -- return strdup(ntop); +- return xstrdup(ntop); - } - - /* Names are stored in lowercase. */ @@ -110,7 +110,7 @@ index 332b6220..7664aaac 100644 - if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { - logit("reverse mapping checking getaddrinfo for %.700s " - "[%s] failed.", name, ntop); -- return strdup(ntop); +- return xstrdup(ntop); - } - /* Look for the address from the list of addresses. */ - for (ai = aitop; ai; ai = ai->ai_next) { @@ -125,9 +125,9 @@ index 332b6220..7664aaac 100644 - /* Address not found for the host name. */ - logit("Address %.100s maps to %.600s, but this does not " - "map back to the address.", ntop, name); -- return strdup(ntop); +- return xstrdup(ntop); - } -- return strdup(name); +- return xstrdup(name); -} - /* @@ -229,10 +229,10 @@ index 9351e042..d6446c0c 100644 "gssapi-with-mic", userauth_gssapi, diff --git a/auth2.c b/auth2.c -index 16ae1a36..7417eafa 100644 +index 0e776224..1c217268 100644 --- a/auth2.c +++ b/auth2.c -@@ -75,6 +75,7 @@ extern Authmethod method_passwd; +@@ -73,6 +73,7 @@ extern Authmethod method_passwd; extern Authmethod method_kbdint; extern Authmethod method_hostbased; #ifdef GSSAPI @@ -240,7 +240,7 @@ index 16ae1a36..7417eafa 100644 extern Authmethod method_gssapi; #endif -@@ -82,6 +83,7 @@ Authmethod *authmethods[] = { +@@ -80,6 +81,7 @@ Authmethod *authmethods[] = { &method_none, &method_pubkey, #ifdef GSSAPI @@ -249,7 +249,7 @@ index 16ae1a36..7417eafa 100644 #endif &method_passwd, diff --git a/canohost.c b/canohost.c -index f71a0856..404731d2 100644 +index abea9c6e..8e81b519 100644 --- a/canohost.c 
+++ b/canohost.c @@ -35,6 +35,99 @@ @@ -281,7 +281,7 @@ index f71a0856..404731d2 100644 + if (getpeername(ssh_packet_get_connection_in(ssh), + (struct sockaddr *)&from, &fromlen) == -1) { + debug("getpeername failed: %.100s", strerror(errno)); -+ return strdup(ntop); ++ return xstrdup(ntop); + } + + ipv64_normalise_mapped(&from, &fromlen); @@ -293,7 +293,7 @@ index f71a0856..404731d2 100644 + if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), + NULL, 0, NI_NAMEREQD) != 0) { + /* Host name not found. Use ip address. */ -+ return strdup(ntop); ++ return xstrdup(ntop); + } + + /* @@ -308,7 +308,7 @@ index f71a0856..404731d2 100644 + logit("Nasty PTR record \"%s\" is set up for %s, ignoring", + name, ntop); + freeaddrinfo(ai); -+ return strdup(ntop); ++ return xstrdup(ntop); + } + + /* Names are stored in lowercase. */ @@ -329,7 +329,7 @@ index f71a0856..404731d2 100644 + if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { + logit("reverse mapping checking getaddrinfo for %.700s " + "[%s] failed.", name, ntop); -+ return strdup(ntop); ++ return xstrdup(ntop); + } + /* Look for the address from the list of addresses. */ + for (ai = aitop; ai; ai = ai->ai_next) { @@ -344,9 +344,9 @@ index f71a0856..404731d2 100644 + /* Address not found for the host name. */ + logit("Address %.100s maps to %.600s, but this does not " + "map back to the address.", ntop, name); -+ return strdup(ntop); ++ return xstrdup(ntop); + } -+ return strdup(name); ++ return xstrdup(name); +} + void @@ -367,7 +367,7 @@ index 26d62855..0cadc9f1 100644 int get_peer_port(int); char *get_local_ipaddr(int); diff --git a/clientloop.c b/clientloop.c -index 521467bd..a0578e9d 100644 +index ebd0dbca..1bdac6a4 100644 --- a/clientloop.c +++ b/clientloop.c @@ -112,6 +112,10 @@ 
@@ -381,7 +381,7 @@ index 521467bd..a0578e9d 100644 /* import options */ extern Options options; -@@ -1374,9 +1378,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, +@@ -1379,9 +1383,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, break; /* Do channel operations unless rekeying in progress. */ @@ -402,10 +402,10 @@ index 521467bd..a0578e9d 100644 client_process_net_input(ssh, readset); diff --git a/configure.ac b/configure.ac -index 30be6c18..2869f704 100644 +index b689db4b..efafb6bd 100644 --- a/configure.ac +++ b/configure.ac -@@ -665,6 +665,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) +@@ -674,6 +674,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) [Use tunnel device compatibility to OpenBSD]) AC_DEFINE([SSH_TUN_PREPEND_AF], [1], [Prepend the address family to IP tunnel traffic]) @@ -437,7 +437,7 @@ index 30be6c18..2869f704 100644 AC_CHECK_DECL([AU_IPv4], [], AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) diff --git a/gss-genr.c b/gss-genr.c -index d56257b4..3eaa5fa5 100644 +index d56257b4..763a63ff 100644 --- a/gss-genr.c +++ b/gss-genr.c @@ -1,7 +1,7 @@ @@ -486,7 +486,7 @@ index d56257b4..3eaa5fa5 100644 /* sshbuf_get for gss_buffer_desc */ int ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g) -@@ -62,6 +86,161 @@ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g) +@@ -62,6 +86,162 @@ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g) return 0; } @@ -530,7 +530,8 @@ index d56257b4..3eaa5fa5 100644 + const char *host, const char *client, const char *kex) { + struct sshbuf *buf = NULL; + size_t i; -+ int r, oidpos, enclen; ++ int r = SSH_ERR_ALLOC_FAIL; ++ int oidpos, enclen; + char *mechs, *encoded; + u_char digest[SSH_DIGEST_MAX_LENGTH]; + char deroid[2]; 
@@ -648,7 +649,7 @@ index d56257b4..3eaa5fa5 100644 /* Check that the OID in a data stream matches that in the context */ int ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) -@@ -218,7 +397,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok, +@@ -218,7 +398,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok, } ctx->major = gss_init_sec_context(&ctx->minor, @@ -657,7 +658,7 @@ index d56257b4..3eaa5fa5 100644 GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, 0, NULL, recv_tok, NULL, send_tok, flags, NULL); -@@ -247,9 +426,43 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host) +@@ -247,9 +427,43 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host) return (ctx->major); } @@ -701,7 +702,7 @@ index d56257b4..3eaa5fa5 100644 if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, GSS_C_QOP_DEFAULT, buffer, hash))) ssh_gssapi_error(ctx); -@@ -257,6 +470,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) +@@ -257,6 +471,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) return (ctx->major); } @@ -721,7 +722,7 @@ index d56257b4..3eaa5fa5 100644 void ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service, const char *context) -@@ -273,11 +499,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service, +@@ -273,11 +500,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service, } int @@ -739,7 +740,7 @@ index d56257b4..3eaa5fa5 100644 /* RFC 4462 says we MUST NOT do SPNEGO */ if (oid->length == spnego_oid.length && -@@ -287,6 +518,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) +@@ -287,6 +519,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) ssh_gssapi_build_ctx(ctx); ssh_gssapi_set_oid(*ctx, oid); major = ssh_gssapi_import_name(*ctx, host); 
@@ -750,7 +751,7 @@ index d56257b4..3eaa5fa5 100644 if (!GSS_ERROR(major)) { major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, NULL); -@@ -296,10 +531,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) +@@ -296,10 +532,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) GSS_C_NO_BUFFER); } @@ -1259,10 +1260,10 @@ index ab3a15f0..6ce56e92 100644 /* Privileged */ diff --git a/kex.c b/kex.c -index 34808b5c..a2a4794e 100644 +index ce85f043..574c7609 100644 --- a/kex.c +++ b/kex.c -@@ -55,11 +55,16 @@ +@@ -57,11 +57,16 @@ #include "misc.h" #include "dispatch.h" #include "monitor.h" @@ -1279,7 +1280,7 @@ index 34808b5c..a2a4794e 100644 /* prototype */ static int kex_choose_conf(struct ssh *); static int kex_input_newkeys(int, u_int32_t, struct ssh *); -@@ -113,15 +118,28 @@ static const struct kexalg kexalgs[] = { +@@ -115,15 +120,28 @@ static const struct kexalg kexalgs[] = { #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ { NULL, 0, -1, -1}, }; @@ -1294,7 +1295,7 @@ index 34808b5c..a2a4794e 100644 + NID_X9_62_prime256v1, SSH_DIGEST_SHA256 }, + { KEX_GSS_C25519_SHA256_ID, KEX_GSS_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, +#endif -+ { NULL, 0, -1, -1 }, ++ { NULL, 0, -1, -1}, +}; -char * @@ -1311,7 +1312,7 @@ index 34808b5c..a2a4794e 100644 if (ret != NULL) ret[rlen++] = sep; nlen = strlen(k->name); -@@ -136,6 +154,18 @@ kex_alg_list(char sep) +@@ -138,6 +156,18 @@ kex_alg_list(char sep) return ret; } @@ -1330,7 +1331,7 @@ index 34808b5c..a2a4794e 100644 static const struct kexalg * kex_alg_by_name(const char *name) { -@@ -145,6 +175,10 @@ kex_alg_by_name(const char *name) +@@ -147,6 +177,10 @@ kex_alg_by_name(const char *name) if (strcmp(k->name, name) == 0) return k; } 
@@ -1341,7 +1342,7 @@ index 34808b5c..a2a4794e 100644 return NULL; } -@@ -301,6 +335,29 @@ kex_assemble_names(char **listp, const char *def, const char *all) +@@ -315,6 +349,29 @@ kex_assemble_names(char **listp, const char *def, const char *all) return r; } @@ -1371,7 +1372,7 @@ index 34808b5c..a2a4794e 100644 /* put algorithm proposal into buffer */ int kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) -@@ -657,6 +714,9 @@ kex_free(struct kex *kex) +@@ -698,6 +755,9 @@ kex_free(struct kex *kex) sshbuf_free(kex->server_version); sshbuf_free(kex->client_pub); free(kex->session_id); @@ -1382,10 +1383,10 @@ index 34808b5c..a2a4794e 100644 free(kex->hostkey_alg); free(kex->name); diff --git a/kex.h b/kex.h -index 6d446d1c..f95dc02c 100644 +index a5ae6ac0..fe714141 100644 --- a/kex.h +++ b/kex.h -@@ -103,6 +103,15 @@ enum kex_exchange { +@@ -102,6 +102,15 @@ enum kex_exchange { KEX_ECDH_SHA2, KEX_C25519_SHA256, KEX_KEM_SNTRUP4591761X25519_SHA512, @@ -1401,7 +1402,7 @@ index 6d446d1c..f95dc02c 100644 KEX_MAX }; -@@ -154,6 +163,12 @@ struct kex { +@@ -153,6 +162,12 @@ struct kex { u_int flags; int hash_alg; int ec_nid; @@ -1414,7 +1415,7 @@ index 6d446d1c..f95dc02c 100644 char *failed_choice; int (*verify_host_key)(struct sshkey *, struct ssh *); struct sshkey *(*load_host_public_key)(int, int, struct ssh *); -@@ -175,8 +190,10 @@ struct kex { +@@ -174,8 +189,10 @@ struct kex { int kex_names_valid(const char *); char *kex_alg_list(char); @@ -1425,11 +1426,11 @@ index 6d446d1c..f95dc02c 100644 int kex_exchange_identification(struct ssh *, int, const char *); -@@ -203,6 +220,12 @@ int kexgex_client(struct ssh *); +@@ -202,6 +219,12 @@ int kexgex_client(struct ssh *); int kexgex_server(struct ssh *); int kex_gen_client(struct ssh *); int kex_gen_server(struct ssh *); -+#ifdef GSSAPI ++#if defined(GSSAPI) && defined(WITH_OPENSSL) +int kexgssgex_client(struct ssh *); +int kexgssgex_server(struct ssh *); +int kexgss_client(struct ssh *); 
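Review bot: The kex.h hunk tightens the guard on the kexgss prototypes to `#if defined(GSSAPI) && defined(WITH_OPENSSL)`, but the `gss_kexalgs[]` table added in the kex.c hunk above is still under a bare `#ifdef GSSAPI` and its nistp256 entry references `NID_X9_62_prime256v1`. If kex.c only includes the OpenSSL headers under WITH_OPENSSL, as upstream does, a GSSAPI build configured --without-openssl would presumably fail to compile there, and even if it did compile the gss-* names would be accepted by `kex_alg_by_name` with no handler registered for them. The table guard should match the new prototype guard, `#if defined(GSSAPI) && defined(WITH_OPENSSL)` around the `gss_kexalgs[]` entries; kexgsss.c in the next file section already ends with `#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */`, so this would make the three agree.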
@@ -1438,7 +1439,7 @@ index 6d446d1c..f95dc02c 100644 int kex_dh_keypair(struct kex *); int kex_dh_enc(struct kex *, const struct sshbuf *, struct sshbuf **, -@@ -235,6 +258,12 @@ int kexgex_hash(int, const struct sshbuf *, const struct sshbuf *, +@@ -234,6 +257,12 @@ int kexgex_hash(int, const struct sshbuf *, const struct sshbuf *, const BIGNUM *, const u_char *, size_t, u_char *, size_t *); @@ -1480,10 +1481,10 @@ index 67133e33..edaa4676 100644 break; case KEX_DH_GRP18_SHA512: diff --git a/kexgen.c b/kexgen.c -index 2abbb9ef..569dc83f 100644 +index 69348b96..c0e8c2f4 100644 --- a/kexgen.c +++ b/kexgen.c -@@ -43,7 +43,7 @@ +@@ -44,7 +44,7 @@ static int input_kex_gen_init(int, u_int32_t, struct ssh *); static int input_kex_gen_reply(int type, u_int32_t seq, struct ssh *ssh); @@ -1494,10 +1495,10 @@ index 2abbb9ef..569dc83f 100644 const struct sshbuf *client_version, diff --git a/kexgssc.c b/kexgssc.c new file mode 100644 -index 00000000..0b2f6a56 +index 00000000..f6e1405e --- /dev/null +++ b/kexgssc.c -@@ -0,0 +1,595 @@ +@@ -0,0 +1,606 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * @@ -1559,7 +1560,7 @@ index 00000000..0b2f6a56 + struct sshbuf *server_blob = NULL; + struct sshbuf *shared_secret = NULL; + struct sshbuf *server_host_key_blob = NULL; -+ struct sshbuf *empty = sshbuf_new(); ++ struct sshbuf *empty = NULL; + u_char *msg; + int type = 0; + int first = 1; @@ -1767,6 +1768,11 @@ index 00000000..0b2f6a56 + if (r != 0) + goto out; + ++ if ((empty = sshbuf_new()) == NULL) { ++ r = SSH_ERR_ALLOC_FAIL; ++ goto out; ++ } ++ + hashlen = sizeof(hash); + if ((r = kex_gen_hash( + kex->hash_alg, @@ -1836,7 +1842,7 @@ index 00000000..0b2f6a56 + size_t hashlen; + const BIGNUM *pub_key, *dh_p, *dh_g; + int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX; -+ struct sshbuf *empty = sshbuf_new(); ++ struct sshbuf *empty = NULL; + u_char c; + int r; + 
@@ -2028,6 +2034,7 @@ index 00000000..0b2f6a56 + (r = sshbuf_get_bignum2(buf, &dh_server_pub)) != 0) + goto out; + sshbuf_free(buf); ++ buf = NULL; + + if ((shared_secret = sshbuf_new()) == NULL) { + r = SSH_ERR_ALLOC_FAIL; @@ -2036,6 +2043,10 @@ index 00000000..0b2f6a56 + + if ((r = kex_dh_compute_key(kex, dh_server_pub, shared_secret)) != 0) + goto out; ++ if ((empty = sshbuf_new()) == NULL) { ++ r = SSH_ERR_ALLOC_FAIL; ++ goto out; ++ } + + DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g); + hashlen = sizeof(hash); @@ -2082,6 +2093,7 @@ index 00000000..0b2f6a56 + if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) == 0) + r = kex_send_newkeys(ssh); +out: ++ sshbuf_free(buf); + sshbuf_free(server_blob); + sshbuf_free(empty); + explicit_bzero(hash, sizeof(hash)); @@ -2574,19 +2586,19 @@ index 00000000..60bc02de +} +#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */ diff --git a/monitor.c b/monitor.c -index 60e52944..669cdb4a 100644 +index 2ce89fe9..ebf76c7f 100644 --- a/monitor.c +++ b/monitor.c -@@ -147,6 +147,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *); +@@ -148,6 +148,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *); int mm_answer_gss_accept_ctx(struct ssh *, int, struct sshbuf *); int mm_answer_gss_userok(struct ssh *, int, struct sshbuf *); int mm_answer_gss_checkmic(struct ssh *, int, struct sshbuf *); -+int mm_answer_gss_sign(struct ssh*, int, struct sshbuf *); -+int mm_answer_gss_updatecreds(struct ssh*, int, struct sshbuf *); ++int mm_answer_gss_sign(struct ssh *, int, struct sshbuf *); ++int mm_answer_gss_updatecreds(struct ssh *, int, struct sshbuf *); #endif #ifdef SSH_AUDIT_EVENTS -@@ -219,11 +221,18 @@ struct mon_table mon_dispatch_proto20[] = { +@@ -220,11 +222,18 @@ struct mon_table mon_dispatch_proto20[] = { {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx}, {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok}, {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic}, 
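Review bot: The `sshbuf_free(buf);` newly added at `out:` in kexgssgex_client makes any earlier `sshbuf_free(buf)` in that function that is not followed by `buf = NULL` a double free on a later error path; the hunk nulls the pointer only at the one site after `sshbuf_get_bignum2`. The rest of kexgssgex_client lies outside these hunks, so I cannot confirm whether `buf` is reused for the earlier group-request and token messages, but if it is, each such site needs the same `sshbuf_free(buf); buf = NULL;` pair or a separate local. A one-line comment at the label, `/* buf may still hold a partly parsed reply when an error jumps here */`, would record why the free moved to the cleanup path.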
@@ -2605,7 +2617,7 @@ index 60e52944..669cdb4a 100644 #ifdef WITH_OPENSSL {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, #endif -@@ -292,6 +301,10 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor) +@@ -293,6 +302,10 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor) /* Permit requests for moduli and signatures */ monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); @@ -2616,7 +2628,7 @@ index 60e52944..669cdb4a 100644 /* The first few requests do not require asynchronous access */ while (!authenticated) { -@@ -405,6 +418,10 @@ monitor_child_postauth(struct ssh *ssh, struct monitor *pmonitor) +@@ -406,6 +419,10 @@ monitor_child_postauth(struct ssh *ssh, struct monitor *pmonitor) monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); @@ -2627,7 +2639,7 @@ index 60e52944..669cdb4a 100644 if (auth_opts->permit_pty_flag) { monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); -@@ -1687,6 +1704,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor) +@@ -1713,6 +1730,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor) # ifdef OPENSSL_HAS_ECC kex->kex[KEX_ECDH_SHA2] = kex_gen_server; # endif @@ -2645,7 +2657,7 @@ index 60e52944..669cdb4a 100644 #endif /* WITH_OPENSSL */ kex->kex[KEX_C25519_SHA256] = kex_gen_server; kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server; -@@ -1780,8 +1808,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m) +@@ -1806,8 +1834,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m) u_char *p; int r; 
@@ -2656,7 +2668,7 @@ index 60e52944..669cdb4a 100644 if ((r = sshbuf_get_string(m, &p, &len)) != 0) fatal("%s: buffer error: %s", __func__, ssh_err(r)); -@@ -1813,8 +1841,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) +@@ -1839,8 +1867,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) OM_uint32 flags = 0; /* GSI needs this */ int r; @@ -2667,7 +2679,7 @@ index 60e52944..669cdb4a 100644 if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0) fatal("%s: buffer error: %s", __func__, ssh_err(r)); -@@ -1834,6 +1862,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) +@@ -1860,6 +1888,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); @@ -2675,7 +2687,7 @@ index 60e52944..669cdb4a 100644 } return (0); } -@@ -1845,8 +1874,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m) +@@ -1871,8 +1900,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m) OM_uint32 ret; int r; @@ -2686,7 +2698,7 @@ index 60e52944..669cdb4a 100644 if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 || (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0) -@@ -1872,13 +1901,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m) +@@ -1898,13 +1927,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m) int mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) { @@ -2708,7 +2720,7 @@ index 60e52944..669cdb4a 100644 sshbuf_reset(m); if ((r = sshbuf_put_u32(m, authenticated)) != 0) -@@ -1887,7 +1920,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) +@@ -1913,7 +1946,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) debug3("%s: sending result %d", __func__, authenticated); mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m); 
@@ -2721,7 +2733,7 @@ index 60e52944..669cdb4a 100644 if ((displayname = ssh_gssapi_displayname()) != NULL) auth2_record_info(authctxt, "%s", displayname); -@@ -1895,5 +1932,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) +@@ -1921,5 +1958,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) /* Monitor loop will terminate if authenticated */ return (authenticated); } @@ -2821,10 +2833,10 @@ index 683e5e07..2b1a2d59 100644 struct ssh; diff --git a/monitor_wrap.c b/monitor_wrap.c -index 186e8f02..8e4c1c1f 100644 +index 001a8fa1..6edb509a 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c -@@ -978,13 +978,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) +@@ -993,13 +993,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) } int @@ -2841,7 +2853,7 @@ index 186e8f02..8e4c1c1f 100644 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m); mm_request_receive_expect(pmonitor->m_recvfd, -@@ -997,4 +999,57 @@ mm_ssh_gssapi_userok(char *user) +@@ -1012,4 +1014,57 @@ mm_ssh_gssapi_userok(char *user) debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); return (authenticated); } @@ -2900,10 +2912,10 @@ index 186e8f02..8e4c1c1f 100644 + #endif /* GSSAPI */ diff --git a/monitor_wrap.h b/monitor_wrap.h -index fdebb3aa..69164a8c 100644 +index 23ab096a..485590c1 100644 --- a/monitor_wrap.h +++ b/monitor_wrap.h -@@ -61,8 +61,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t, +@@ -64,8 +64,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t, OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); @@ -2916,7 +2928,7 @@ index fdebb3aa..69164a8c 100644 #ifdef USE_PAM diff --git a/readconf.c b/readconf.c -index ec497e79..4d699e5f 100644 +index f3cac6b3..da8022dd 100644 --- a/readconf.c +++ b/readconf.c 
@@ -67,6 +67,7 @@ @@ -2927,7 +2939,7 @@ index ec497e79..4d699e5f 100644 /* Format of the configuration file: -@@ -162,6 +163,8 @@ typedef enum { +@@ -160,6 +161,8 @@ typedef enum { oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oAddressFamily, oGssAuthentication, oGssDelegateCreds, @@ -2936,7 +2948,7 @@ index ec497e79..4d699e5f 100644 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist, oHashKnownHosts, -@@ -202,10 +205,22 @@ static struct { +@@ -204,10 +207,22 @@ static struct { /* Sometimes-unsupported options */ #if defined(GSSAPI) { "gssapiauthentication", oGssAuthentication }, @@ -2959,7 +2971,7 @@ index ec497e79..4d699e5f 100644 #endif #ifdef ENABLE_PKCS11 { "pkcs11provider", oPKCS11Provider }, -@@ -983,10 +998,42 @@ parse_time: +@@ -1029,10 +1044,42 @@ parse_time: intptr = &options->gss_authentication; goto parse_flag; @@ -3002,7 +3014,7 @@ index ec497e79..4d699e5f 100644 case oBatchMode: intptr = &options->batch_mode; goto parse_flag; -@@ -1854,7 +1901,13 @@ initialize_options(Options * options) +@@ -1911,7 +1958,13 @@ initialize_options(Options * options) options->pubkey_authentication = -1; options->challenge_response_authentication = -1; options->gss_authentication = -1; @@ -3016,7 +3028,7 @@ index ec497e79..4d699e5f 100644 options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; -@@ -2000,8 +2053,18 @@ fill_default_options(Options * options) +@@ -2059,8 +2112,18 @@ fill_default_options(Options * options) options->challenge_response_authentication = 1; if (options->gss_authentication == -1) options->gss_authentication = 0; 
@@ -3035,7 +3047,7 @@ index ec497e79..4d699e5f 100644 if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -@@ -2616,7 +2679,14 @@ dump_client_config(Options *o, const char *host) +@@ -2702,7 +2765,14 @@ dump_client_config(Options *o, const char *host) dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports); #ifdef GSSAPI dump_cfg_fmtint(oGssAuthentication, o->gss_authentication); @@ -3051,10 +3063,10 @@ index ec497e79..4d699e5f 100644 dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts); dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication); diff --git a/readconf.h b/readconf.h -index 8e36bf32..0bff6d80 100644 +index feedb3d2..a8a8870d 100644 --- a/readconf.h +++ b/readconf.h -@@ -40,7 +40,13 @@ typedef struct { +@@ -41,7 +41,13 @@ typedef struct { int challenge_response_authentication; /* Try S/Key or TIS, authentication. */ int gss_authentication; /* Try GSS authentication */ @@ -3069,10 +3081,10 @@ index 8e36bf32..0bff6d80 100644 * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ diff --git a/servconf.c b/servconf.c -index ffac5d2c..ffdad31e 100644 +index 70f5f73f..191575a1 100644 --- a/servconf.c +++ b/servconf.c -@@ -64,6 +64,7 @@ +@@ -69,6 +69,7 @@ #include "auth.h" #include "myproposal.h" #include "digest.h" @@ -3080,7 +3092,7 @@ index ffac5d2c..ffdad31e 100644 static void add_listen_addr(ServerOptions *, const char *, const char *, int); -@@ -124,8 +125,11 @@ initialize_server_options(ServerOptions *options) +@@ -133,8 +134,11 @@ initialize_server_options(ServerOptions *options) options->kerberos_ticket_cleanup = -1; options->kerberos_get_afs_token = -1; options->gss_authentication=-1; 
@@ -3092,7 +3104,7 @@ index ffac5d2c..ffdad31e 100644 options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; -@@ -351,10 +355,18 @@ fill_default_server_options(ServerOptions *options) +@@ -375,10 +379,18 @@ fill_default_server_options(ServerOptions *options) options->kerberos_get_afs_token = 0; if (options->gss_authentication == -1) options->gss_authentication = 0; @@ -3111,7 +3123,7 @@ index ffac5d2c..ffdad31e 100644 if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -@@ -498,6 +510,7 @@ typedef enum { +@@ -531,6 +543,7 @@ typedef enum { sHostKeyAlgorithms, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, @@ -3119,7 +3131,7 @@ index ffac5d2c..ffdad31e 100644 sAcceptEnv, sSetEnv, sPermitTunnel, sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, -@@ -572,12 +585,22 @@ static struct { +@@ -607,12 +620,22 @@ static struct { #ifdef GSSAPI { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, @@ -3142,7 +3154,7 @@ index ffac5d2c..ffdad31e 100644 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, -@@ -1485,6 +1508,10 @@ process_server_config_line(ServerOptions *options, char *line, +@@ -1548,6 +1571,10 @@ process_server_config_line_depth(ServerOptions *options, char *line, intptr = &options->gss_authentication; goto parse_flag; 
@@ -3153,7 +3165,7 @@ index ffac5d2c..ffdad31e 100644 case sGssCleanupCreds: intptr = &options->gss_cleanup_creds; goto parse_flag; -@@ -1493,6 +1520,22 @@ process_server_config_line(ServerOptions *options, char *line, +@@ -1556,6 +1583,22 @@ process_server_config_line_depth(ServerOptions *options, char *line, intptr = &options->gss_strict_acceptor; goto parse_flag; @@ -3176,7 +3188,7 @@ index ffac5d2c..ffdad31e 100644 case sPasswordAuthentication: intptr = &options->password_authentication; goto parse_flag; -@@ -2579,6 +2622,10 @@ dump_config(ServerOptions *o) +@@ -2777,6 +2820,10 @@ dump_config(ServerOptions *o) #ifdef GSSAPI dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); @@ -3188,10 +3200,10 @@ index ffac5d2c..ffdad31e 100644 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); dump_cfg_fmtint(sKbdInteractiveAuthentication, diff --git a/servconf.h b/servconf.h -index 54e0a8d8..a476d522 100644 +index 4202a2d0..3f47ea25 100644 --- a/servconf.h +++ b/servconf.h -@@ -126,8 +126,11 @@ typedef struct { +@@ -132,8 +132,11 @@ typedef struct { int kerberos_get_afs_token; /* If true, try to get AFS token if * authenticated with Kerberos. */ int gss_authentication; /* If true, permit GSSAPI authentication */ @@ -3204,10 +3216,10 @@ index 54e0a8d8..a476d522 100644 * authentication. */ int kbd_interactive_authentication; /* If true, permit */ diff --git a/session.c b/session.c -index 48cfaafb..78cc8358 100644 +index 8c0e54f7..06a33442 100644 --- a/session.c +++ b/session.c -@@ -2674,13 +2674,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt) +@@ -2678,13 +2678,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt) #ifdef KRB5 if (options.kerberos_ticket_cleanup && @@ -3350,10 +3362,10 @@ index 36180d07..70dd3665 100644 #endif /* _SSH_GSS_H */ diff --git a/ssh.1 b/ssh.1 -index 9480eba8..a1c7d230 100644 +index 60de6087..db5c65bc 100644 --- a/ssh.1 
+++ b/ssh.1 -@@ -497,7 +497,13 @@ For full details of the options listed below, and their possible values, see +@@ -503,7 +503,13 @@ For full details of the options listed below, and their possible values, see .It GatewayPorts .It GlobalKnownHostsFile .It GSSAPIAuthentication @@ -3367,7 +3379,7 @@ index 9480eba8..a1c7d230 100644 .It HashKnownHosts .It Host .It HostbasedAuthentication -@@ -573,6 +579,8 @@ flag), +@@ -579,6 +585,8 @@ flag), (supported message integrity codes), .Ar kex (key exchange algorithms), @@ -3377,27 +3389,29 @@ index 9480eba8..a1c7d230 100644 (key types), .Ar key-cert diff --git a/ssh.c b/ssh.c -index 91e7c351..42be7d88 100644 +index 15aee569..110cf9c1 100644 --- a/ssh.c +++ b/ssh.c -@@ -736,6 +736,8 @@ main(int ac, char **av) - cp = mac_alg_list('\n'); - else if (strcmp(optarg, "kex") == 0) +@@ -747,6 +747,8 @@ main(int ac, char **av) + else if (strcmp(optarg, "kex") == 0 || + strcasecmp(optarg, "KexAlgorithms") == 0) cp = kex_alg_list('\n'); + else if (strcmp(optarg, "kex-gss") == 0) + cp = kex_gss_alg_list('\n'); else if (strcmp(optarg, "key") == 0) cp = sshkey_alg_list(0, 0, 0, '\n'); else if (strcmp(optarg, "key-cert") == 0) -@@ -748,7 +750,7 @@ main(int ac, char **av) - cp = xstrdup("2"); - else if (strcmp(optarg, "help") == 0) { +@@ -772,8 +774,8 @@ main(int ac, char **av) + } else if (strcmp(optarg, "help") == 0) { cp = xstrdup( -- "cipher\ncipher-auth\nkex\nkey\n" -+ "cipher\ncipher-auth\nkex\nkex-gss\nkey\n" - "key-cert\nkey-plain\nmac\n" - "protocol-version\nsig"); + "cipher\ncipher-auth\ncompression\nkex\n" +- "key\nkey-cert\nkey-plain\nkey-sig\nmac\n" +- "protocol-version\nsig"); ++ "kex-gss\nkey\nkey-cert\nkey-plain\n" ++ "key-sig\nmac\nprotocol-version\nsig"); } + if (cp == NULL) + fatal("Unsupported query \"%s\"", optarg); diff --git a/ssh_config b/ssh_config index 5e8ef548..1ff999b6 100644 --- a/ssh_config @@ -3412,10 +3426,10 @@ index 5e8ef548..1ff999b6 100644 # CheckHostIP yes # AddressFamily any 
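Review bot: The `kex-gss` query branch still matches only the exact lowercase spelling, `else if (strcmp(optarg, "kex-gss") == 0)`, while the neighbouring upstream `kex` branch it sits next to now also accepts its configuration keyword case-insensitively (`strcasecmp(optarg, "KexAlgorithms") == 0`). If the patch's keyword for the GSSAPI key-exchange list (presumably GSSAPIKexAlgorithms, defined outside this hunk) is meant to be queryable the same way, mirroring that alias, `else if (strcmp(optarg, "kex-gss") == 0 || strcasecmp(optarg, "GSSAPIKexAlgorithms") == 0)`, keeps `ssh -Q` consistent across the list; the new `fatal("Unsupported query ...")` fallback means the mismatch now fails loudly rather than printing nothing. The `main` this hunk touches starts and ends outside the hunk.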
diff --git a/ssh_config.5 b/ssh_config.5 -index 41262963..c3c8b274 100644 +index 06a32d31..3f490697 100644 --- a/ssh_config.5 +++ b/ssh_config.5 -@@ -754,10 +754,67 @@ The default is +@@ -766,10 +766,67 @@ The default is Specifies whether user authentication based on GSSAPI is allowed. The default is .Cm no . @@ -3484,10 +3498,10 @@ index 41262963..c3c8b274 100644 Indicates that .Xr ssh 1 diff --git a/sshconnect2.c b/sshconnect2.c -index dffee90b..0d0a6cb8 100644 +index af00fb30..03bc87eb 100644 --- a/sshconnect2.c +++ b/sshconnect2.c -@@ -78,8 +78,6 @@ +@@ -80,8 +80,6 @@ #endif /* import */ @@ -3496,9 +3510,9 @@ index dffee90b..0d0a6cb8 100644 extern Options options; /* -@@ -161,6 +159,11 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) +@@ -163,6 +161,11 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) char *s, *all_key; - int r; + int r, use_known_hosts_order = 0; +#if defined(GSSAPI) && defined(WITH_OPENSSL) + char *orig = NULL, *gss = NULL; @@ -3508,8 +3522,8 @@ index dffee90b..0d0a6cb8 100644 xxx_host = host; xxx_hostaddr = hostaddr; -@@ -193,6 +196,35 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) - order_hostkeyalgs(host, hostaddr, port)); +@@ -206,6 +209,35 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) + compat_pkalg_proposal(options.hostkeyalgorithms); } +#if defined(GSSAPI) && defined(WITH_OPENSSL) @@ -3544,7 +3558,7 @@ index dffee90b..0d0a6cb8 100644 if (options.rekey_limit || options.rekey_interval) ssh_packet_set_rekey_limits(ssh, options.rekey_limit, options.rekey_interval); -@@ -211,16 +243,46 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) +@@ -224,16 +256,46 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) # ifdef OPENSSL_HAS_ECC ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client; # endif 
@@ -3592,7 +3606,7 @@ index dffee90b..0d0a6cb8 100644 if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0) fatal("kex_prop2buf: %s", ssh_err(r)); -@@ -317,6 +379,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *); +@@ -330,6 +392,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *); static int input_gssapi_token(int type, u_int32_t, struct ssh *); static int input_gssapi_error(int, u_int32_t, struct ssh *); static int input_gssapi_errtok(int, u_int32_t, struct ssh *); @@ -3600,7 +3614,7 @@ index dffee90b..0d0a6cb8 100644 #endif void userauth(struct ssh *, char *); -@@ -333,6 +396,11 @@ static char *authmethods_get(void); +@@ -346,6 +409,11 @@ static char *authmethods_get(void); Authmethod authmethods[] = { #ifdef GSSAPI @@ -3612,7 +3626,7 @@ index dffee90b..0d0a6cb8 100644 {"gssapi-with-mic", userauth_gssapi, userauth_gssapi_cleanup, -@@ -698,12 +766,23 @@ userauth_gssapi(struct ssh *ssh) +@@ -716,12 +784,25 @@ userauth_gssapi(struct ssh *ssh) OM_uint32 min; int r, ok = 0; gss_OID mech = NULL; @@ -3630,14 +3644,16 @@ index dffee90b..0d0a6cb8 100644 if (authctxt->gss_supported_mechs == NULL) - gss_indicate_mechs(&min, &authctxt->gss_supported_mechs); -+ if (GSS_ERROR(gss_indicate_mechs(&min, &authctxt->gss_supported_mechs))) { ++ if (GSS_ERROR(gss_indicate_mechs(&min, ++ &authctxt->gss_supported_mechs))) { ++ authctxt->gss_supported_mechs = NULL; + free(gss_host); + return 0; + } /* Check to see whether the mechanism is usable before we offer it */ while (authctxt->mech_tried < authctxt->gss_supported_mechs->count && -@@ -712,13 +791,15 @@ userauth_gssapi(struct ssh *ssh) +@@ -730,13 +811,15 @@ userauth_gssapi(struct ssh *ssh) elements[authctxt->mech_tried]; /* My DER encoding requires length<128 */ if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt, 
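Review bot: The reset `authctxt->gss_supported_mechs = NULL;` added on the gss_indicate_mechs failure path is the only behavioural change in this revision of the hunk and carries no comment, so the next rebase could easily drop it; from the surrounding lines its purpose is that the `== NULL` guard re-runs the query on a later userauth_gssapi attempt instead of the `while` loop dereferencing `->count` on a pointer the failed call may have left indeterminate. A one-line comment above it, `/* a failed call may leave the OID set indeterminate; clear it so the next attempt re-queries */`, would pin that down. userauth_gssapi starts and ends outside this hunk.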
@@ -3654,7 +3670,7 @@ index dffee90b..0d0a6cb8 100644 if (!ok || mech == NULL) return 0; -@@ -958,6 +1039,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh) +@@ -976,6 +1059,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh) free(lang); return r; } @@ -3711,10 +3727,10 @@ index dffee90b..0d0a6cb8 100644 static int diff --git a/sshd.c b/sshd.c -index cbd3bce9..8c223f6a 100644 +index 60b2aaf7..d92f03aa 100644 --- a/sshd.c +++ b/sshd.c -@@ -796,8 +796,8 @@ notify_hostkeys(struct ssh *ssh) +@@ -817,8 +817,8 @@ notify_hostkeys(struct ssh *ssh) } debug3("%s: sent %u hostkeys", __func__, nkeys); if (nkeys == 0) @@ -3725,7 +3741,7 @@ index cbd3bce9..8c223f6a 100644 sshpkt_fatal(ssh, r, "%s: send", __func__); sshbuf_free(buf); } -@@ -1769,7 +1769,8 @@ main(int ac, char **av) +@@ -1852,7 +1852,8 @@ main(int ac, char **av) free(fp); } accumulate_host_timing_secret(cfg, NULL); @@ -3735,7 +3751,7 @@ index cbd3bce9..8c223f6a 100644 logit("sshd: no hostkeys available -- exiting."); exit(1); } -@@ -2260,6 +2261,48 @@ do_ssh2_kex(struct ssh *ssh) +@@ -2347,6 +2348,48 @@ do_ssh2_kex(struct ssh *ssh) myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( list_hostkey_types()); @@ -3784,7 +3800,7 @@ index cbd3bce9..8c223f6a 100644 /* start key exchange */ if ((r = kex_setup(ssh, myproposal)) != 0) fatal("kex_setup: %s", ssh_err(r)); -@@ -2275,7 +2318,18 @@ do_ssh2_kex(struct ssh *ssh) +@@ -2362,7 +2405,18 @@ do_ssh2_kex(struct ssh *ssh) # ifdef OPENSSL_HAS_ECC kex->kex[KEX_ECDH_SHA2] = kex_gen_server; # endif @@ -3810,18 +3826,18 @@ index 19b7c91a..2c48105f 100644 +++ b/sshd_config 
@@ -69,6 +69,8 @@ AuthorizedKeysFile .ssh/authorized_keys # GSSAPI options - GSSAPIAuthentication yes - GSSAPICleanupCredentials no + #GSSAPIAuthentication no + #GSSAPICleanupCredentials yes +#GSSAPIStrictAcceptorCheck yes +#GSSAPIKeyExchange no # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will diff --git a/sshd_config.5 b/sshd_config.5 -index b224f292..2baa6622 100644 +index 70ccea44..f6b41a2f 100644 --- a/sshd_config.5 +++ b/sshd_config.5 -@@ -653,6 +653,11 @@ Specifies whether to automatically destroy the user's credentials cache +@@ -646,6 +646,11 @@ Specifies whether to automatically destroy the user's credentials cache on logout. The default is .Cm yes . @@ -3833,7 +3849,7 @@ index b224f292..2baa6622 100644 .It Cm GSSAPIStrictAcceptorCheck Determines whether to be strict about the identity of the GSSAPI acceptor a client authenticates against. -@@ -667,6 +672,31 @@ machine's default store. +@@ -660,6 +665,31 @@ machine's default store. This facility is provided to assist with operation on multi homed machines. The default is .Cm yes . @@ -3866,18 +3882,18 @@ index b224f292..2baa6622 100644 Specifies the key types that will be accepted for hostbased authentication as a list of comma-separated patterns. diff --git a/sshkey.c b/sshkey.c -index ad195776..789cd61e 100644 +index 57995ee6..fd5b7724 100644 --- a/sshkey.c 
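Review bot: The inner context of the sshd_config hunk now reads `#GSSAPIAuthentication no` and `#GSSAPICleanupCredentials yes` where the previous revision had `GSSAPIAuthentication yes` and `GSSAPICleanupCredentials no`, so the base file this patch applies to appears to have gone back to upstream defaults. If the distribution still intends GSSAPI authentication to be enabled out of the box, that setting now has to come from somewhere this commit does not show (the spec or another patch), and it is worth confirming before release, since an upgrade would otherwise change what Kerberos deployments get. The two lines the patch itself adds, `#GSSAPIStrictAcceptorCheck yes` and `#GSSAPIKeyExchange no`, are unaffected.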
+++ b/sshkey.c -@@ -135,6 +135,7 @@ static const struct keytype keytypes[] = { - # endif /* OPENSSL_HAS_NISTP521 */ +@@ -154,6 +154,7 @@ static const struct keytype keytypes[] = { + KEY_ECDSA_SK_CERT, NID_X9_62_prime256v1, 1, 0 }, # endif /* OPENSSL_HAS_ECC */ #endif /* WITH_OPENSSL */ + { "null", "null", NULL, KEY_NULL, 0, 0, 0 }, { NULL, NULL, NULL, -1, -1, 0, 0 } }; -@@ -223,7 +224,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) +@@ -255,7 +256,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) const struct keytype *kt; for (kt = keytypes; kt->type != -1; kt++) { @@ -3887,13 +3903,13 @@ index ad195776..789cd61e 100644 if (!include_sigonly && kt->sigonly) continue; diff --git a/sshkey.h b/sshkey.h -index a91e6043..c11106c9 100644 +index 71a3fddc..37a43a67 100644 --- a/sshkey.h +++ b/sshkey.h -@@ -65,6 +65,7 @@ enum sshkey_types { - KEY_ED25519_CERT, - KEY_XMSS, - KEY_XMSS_CERT, +@@ -69,6 +69,7 @@ enum sshkey_types { + KEY_ECDSA_SK_CERT, + KEY_ED25519_SK, + KEY_ED25519_SK_CERT, + KEY_NULL, KEY_UNSPEC }; diff --git a/openssh-8.0p1-pkcs11-uri.patch b/openssh-8.0p1-pkcs11-uri.patch index cd7d0e5..712f703 100644 --- a/openssh-8.0p1-pkcs11-uri.patch +++ b/openssh-8.0p1-pkcs11-uri.patch 
@@ -1,17 +1,57 @@ +commit ed3eaf7d68c083b6015ca3425b75932999dafaad +Author: Jakub Jelen +Date: Wed Apr 24 17:23:21 2019 +0200 + + PKCS#11 URI from Fedora + + * Print PKCS#11 URIs from ssh-keygen + * Accept PKCS#11 URIs in -i argument to ssh + * Allow PKCS#11 URI specification in ssh_config + * Fallback to p11-kit-proxy + * PKCS#11 URI support for ssh-add and ssh-agent + * internal representation is URI + * Allow to specify pin-value in URI to avoid interactive prompts + + Currently recognized and used parts of PKCS#11 URI: + * path (optional) + * token + * id + * manufacturer + * (library-manufacturer) + * query (optional) + * module-path + * pin-value + + Unit test for PKCS#11 URIs + + * test PKCS#11 URI parser, generator + * test percent_encodeer and decoder + + Regression tests for PKCS#11 URI support + + * soft-pkcs11.so from people.su.se/~lha/soft-pkcs11 + * Return correct CKR for unknown attributes + * Adjust and build it with regress tests (allowing agent-pkcs11 test) + * Test PKCS#11 URIs support with soft-pkcs11 + * Direct usage from commandline (URI, provider and combination) + * Usage from configuration files + * Usage in ssh-agent (add, sign, remove) + * Make sure it is built with correct paths + diff --git a/Makefile.in b/Makefile.in -index adb1977e..9b01a017 100644 +index e7549470..4511f82a 100644 --- a/Makefile.in 
+++ b/Makefile.in -@@ -93,7 +93,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ - atomicio.o dispatch.o mac.o misc.o utf8.o \ - monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ +@@ -102,7 +102,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ + monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-ecdsa-sk.o \ + ssh-ed25519-sk.o ssh-rsa.o dh.o \ msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ - ssh-pkcs11.o smult_curve25519_ref.o \ + ssh-pkcs11.o ssh-pkcs11-uri.o smult_curve25519_ref.o \ poly1305.o chacha.o cipher-chachapoly.o \ - ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \ - sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \ -@@ -255,6 +255,8 @@ clean: regressclean + ssh-ed25519.o digest-openssl.o digest-libc.o \ + hmac.o sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \ +@@ -289,6 +289,8 @@ clean: regressclean rm -f regress/unittests/match/test_match$(EXEEXT) rm -f regress/unittests/utf8/*.o rm -f regress/unittests/utf8/test_utf8$(EXEEXT) @@ -19,8 +59,8 @@ index adb1977e..9b01a017 100644 + rm -f regress/unittests/pkcs11/test_pkcs11$(EXEEXT) rm -f regress/misc/kexfuzz/*.o rm -f regress/misc/kexfuzz/kexfuzz$(EXEEXT) - (cd openbsd-compat && $(MAKE) clean) -@@ -285,6 +287,8 @@ distclean: regressclean + rm -f regress/misc/sk-dummy/*.o +@@ -322,6 +324,8 @@ distclean: regressclean rm -f regress/unittests/match/test_match rm -f regress/unittests/utf8/*.o rm -f regress/unittests/utf8/test_utf8 
@@ -29,15 +69,15 @@ index adb1977e..9b01a017 100644 rm -f regress/misc/kexfuzz/*.o rm -f regress/misc/kexfuzz/kexfuzz$(EXEEXT) (cd openbsd-compat && $(MAKE) distclean) -@@ -447,6 +451,7 @@ regress-prep: +@@ -490,6 +494,7 @@ regress-prep: $(MKDIR_P) `pwd`/regress/unittests/kex $(MKDIR_P) `pwd`/regress/unittests/match $(MKDIR_P) `pwd`/regress/unittests/utf8 + $(MKDIR_P) `pwd`/regress/unittests/pkcs11 $(MKDIR_P) `pwd`/regress/misc/kexfuzz + $(MKDIR_P) `pwd`/regress/misc/sk-dummy [ -f `pwd`/regress/Makefile ] || \ - ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile -@@ -570,6 +575,16 @@ regress/unittests/utf8/test_utf8$(EXEEXT): \ +@@ -617,6 +622,16 @@ regress/unittests/utf8/test_utf8$(EXEEXT): \ regress/unittests/test_helper/libtest_helper.a \ -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) @@ -52,9 +92,9 @@ index adb1977e..9b01a017 100644 + -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) + MISC_KEX_FUZZ_OBJS=\ - regress/misc/kexfuzz/kexfuzz.o - -@@ -593,6 +608,7 @@ regress-unit-binaries: regress-prep $(REGRESSLIBS) \ + regress/misc/kexfuzz/kexfuzz.o \ + $(SKOBJS) +@@ -655,6 +670,7 @@ regress-unit-binaries: regress-prep $(REGRESSLIBS) \ regress/unittests/kex/test_kex$(EXEEXT) \ regress/unittests/match/test_match$(EXEEXT) \ regress/unittests/utf8/test_utf8$(EXEEXT) \ @@ -63,10 +103,10 @@ index adb1977e..9b01a017 100644 tests: file-tests t-exec interop-tests unit diff --git a/configure.ac b/configure.ac -index 3e93c027..351f0ba5 100644 +index b689db4b..98d3ce4f 100644 --- a/configure.ac +++ b/configure.ac -@@ -1861,12 +1861,14 @@ AC_LINK_IFELSE( +@@ -1911,12 +1911,14 @@ AC_LINK_IFELSE( [AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).]) ]) 
@@ -81,9 +121,9 @@ index 3e93c027..351f0ba5 100644 fi ] ) -@@ -1882,6 +1884,40 @@ if test "x$openssl" = "xyes" && test "x$disable_pkcs11" = "x"; then - ) - fi +@@ -1945,6 +1947,40 @@ AC_SEARCH_LIBS([dlopen], [dl]) + AC_CHECK_FUNCS([dlopen]) + AC_CHECK_DECL([RTLD_NOW], [], [], [#include ]) +# Check whether we have a p11-kit, we got default provider on command line +DEFAULT_PKCS11_PROVIDER_MSG="no" @@ -122,19 +162,19 @@ index 3e93c027..351f0ba5 100644 # IRIX has a const char return value for gai_strerror() AC_CHECK_FUNCS([gai_strerror], [ AC_DEFINE([HAVE_GAI_STRERROR]) -@@ -5229,6 +5265,7 @@ echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" - echo " BSD Auth support: $BSD_AUTH_MSG" +@@ -5401,6 +5437,7 @@ echo " BSD Auth support: $BSD_AUTH_MSG" echo " Random number source: $RAND_MSG" echo " Privsep sandbox style: $SANDBOX_STYLE" + echo " PKCS#11 support: $enable_pkcs11" +echo " Default PKCS#11 provider: $DEFAULT_PKCS11_PROVIDER_MSG" + echo " U2F/FIDO support: $enable_sk" echo "" - diff --git a/regress/Makefile b/regress/Makefile -index 34c47e8c..d693aa4a 100644 +index 774c10d4..6bf3b627 100644 --- a/regress/Makefile +++ b/regress/Makefile -@@ -115,7 +115,8 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \ +@@ -116,7 +116,8 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \ known_hosts known_hosts-cert known_hosts.* krl-* ls.copy \ modpipe netcat no_identity_config \ pidfile putty.rsa2 ready regress.log remote_pid \ @@ -144,7 +184,7 @@ index 34c47e8c..d693aa4a 100644 rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \ scp-ssh-wrapper.scp setuid-allowed sftp-server.log \ sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \ -@@ -245,6 +246,7 @@ unit: +@@ -246,6 +247,7 @@ unit: V="" ; \ test "x${USE_VALGRIND}" = "x" || \ V=${.CURDIR}/valgrind-unit.sh ; \ @@ -153,7 +193,7 @@ index 34c47e8c..d693aa4a 100644 $$V ${.OBJDIR}/unittests/sshkey/test_sshkey \ -d ${.CURDIR}/unittests/sshkey/testdata ; \ 
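Review bot: The default-provider detection is now anchored right after `AC_CHECK_DECL([RTLD_NOW], [], [], [#include ])`, outside any PKCS#11 enablement condition, and the 34 added lines of that inner hunk are not visible here, so it is not clear whether `DEFAULT_PKCS11_PROVIDER_MSG` and the corresponding define are only set when PKCS#11 support is actually built; upstream now tracks that in `enable_pkcs11`, as the summary line `echo " PKCS#11 support: $enable_pkcs11"` later in this file shows. If the block is not already gated, wrapping it in `if test "x$enable_pkcs11" = "xyes"; then ... fi` (or forcing the message to `no` otherwise) keeps the configure summary and the compiled-in default consistent with the build.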
diff --git a/regress/agent-pkcs11.sh b/regress/agent-pkcs11.sh -index 5205d906..bfbaeb65 100644 +index fbbaea51..5d75d69f 100644 --- a/regress/agent-pkcs11.sh +++ b/regress/agent-pkcs11.sh @@ -113,7 +113,7 @@ else @@ -167,10 +207,10 @@ index 5205d906..bfbaeb65 100644 fail "ssh-add -e failed: exit code $r" diff --git a/regress/pkcs11.sh b/regress/pkcs11.sh new file mode 100644 -index 00000000..f2d6c41c +index 00000000..a91aee94 --- /dev/null +++ b/regress/pkcs11.sh -@@ -0,0 +1,345 @@ +@@ -0,0 +1,349 @@ +# +# Copyright (c) 2017 Red Hat +# 
@@ -270,130 +310,134 @@ index 00000000..f2d6c41c +trace "List the keys in the ssh-keygen with PKCS#11 URIs" +${SSHKEYGEN} -D ${TEST_SSH_PKCS11} > $OBJ/token_keys +if [ $? -ne 0 ]; then -+ fail "keygen fails to enumerate keys on PKCS#11 token" ++ fail "FAIL: keygen fails to enumerate keys on PKCS#11 token" +fi +grep "pkcs11:" $OBJ/token_keys > /dev/null +if [ $? -ne 0 ]; then -+ fail "The keys from ssh-keygen do not contain PKCS#11 URI as a comment" ++ fail "FAIL: The keys from ssh-keygen do not contain PKCS#11 URI as a comment" +fi -+tail -n 1 $OBJ/token_keys > $OBJ/authorized_keys_$USER ++ ++# Set the ECDSA key to authorized keys ++grep "ECDSA" $OBJ/token_keys > $OBJ/authorized_keys_$USER + +trace "Simple connect with ssh (without PKCS#11 URI)" +echo ${TEST_SSH_PIN} | notty ${SSH} -I ${TEST_SSH_PKCS11} \ + -F $OBJ/ssh_proxy somehost exit 5 +r=$? +if [ $r -ne 5 ]; then -+ fail "ssh connect with pkcs11 failed (exit code $r)" ++ fail "FAIL: ssh connect with pkcs11 failed (exit code $r)" +fi + +trace "Connect with PKCS#11 URI" -+trace " (second key should succeed)" ++trace " (ECDSA key should succeed)" +echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \ -+ -i "pkcs11:id=${ID2}?module-path=${TEST_SSH_PKCS11}" somehost exit 5 ++ -i "pkcs11:id=%${ID2}?module-path=${TEST_SSH_PKCS11}" somehost exit 5 +r=$? +if [ $r -ne 5 ]; then -+ fail "ssh connect with PKCS#11 URI failed (exit code $r)" ++ fail "FAIL: ssh connect with PKCS#11 URI failed (exit code $r)" +fi + -+trace " (first key should fail)" ++trace " (RSA key should fail)" +echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \ -+ -i "pkcs11:id=${ID1}?module-path=${TEST_SSH_PKCS11}" somehost exit 5 ++ -i "pkcs11:id=%${ID1}?module-path=${TEST_SSH_PKCS11}" somehost exit 5 +r=$? 
+if [ $r -eq 5 ]; then -+ fail "ssh connect with PKCS#11 URI succeeded (should fail)" ++ fail "FAIL: ssh connect with PKCS#11 URI succeeded (should fail)" +fi + +trace "Connect with PKCS#11 URI including PIN should not prompt" -+trace " (second key should succeed)" ++trace " (ECDSA key should succeed)" +${SSH} -F $OBJ/ssh_proxy -i \ -+ "pkcs11:id=${ID2}?module-path=${TEST_SSH_PKCS11}&pin-value=${TEST_SSH_PIN}" somehost exit 5 ++ "pkcs11:id=%${ID2}?module-path=${TEST_SSH_PKCS11}&pin-value=${TEST_SSH_PIN}" somehost exit 5 +r=$? +if [ $r -ne 5 ]; then -+ fail "ssh connect with PKCS#11 URI failed (exit code $r)" ++ fail "FAIL: ssh connect with PKCS#11 URI failed (exit code $r)" +fi + -+trace " (first key should fail)" ++trace " (RSA key should fail)" +${SSH} -F $OBJ/ssh_proxy -i \ -+ "pkcs11:id=${ID1}?module-path=${TEST_SSH_PKCS11}&pin-value=${TEST_SSH_PIN}" somehost exit 5 ++ "pkcs11:id=%${ID1}?module-path=${TEST_SSH_PKCS11}&pin-value=${TEST_SSH_PIN}" somehost exit 5 +r=$? +if [ $r -eq 5 ]; then -+ fail "ssh connect with PKCS#11 URI succeeded (should fail)" ++ fail "FAIL: ssh connect with PKCS#11 URI succeeded (should fail)" +fi + +trace "Connect with various filtering options in PKCS#11 URI" -+trace " (by object label, second key should succeed)" ++trace " (by object label, ECDSA should succeed)" +echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \ -+ -i "pkcs11:object=SSH%20RSA%20Key%202?module-path=${TEST_SSH_PKCS11}" somehost exit 5 ++ -i "pkcs11:object=SSH%20ECDSA%20Key%2004?module-path=${TEST_SSH_PKCS11}" somehost exit 5 +r=$? 
+if [ $r -ne 5 ]; then -+ fail "ssh connect with PKCS#11 URI failed (exit code $r)" ++ fail "FAIL: ssh connect with PKCS#11 URI failed (exit code $r)" +fi + -+trace " (by object label, first key should fail)" ++trace " (by object label, RSA key should fail)" +echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \ -+ -i "pkcs11:object=SSH%20RSA%20Key?module-path=${TEST_SSH_PKCS11}" somehost exit 5 ++ -i "pkcs11:object=SSH%20RSA%20Key%2002?module-path=${TEST_SSH_PKCS11}" somehost exit 5 +r=$? +if [ $r -eq 5 ]; then -+ fail "ssh connect with PKCS#11 URI succeeded (should fail)" ++ fail "FAIL: ssh connect with PKCS#11 URI succeeded (should fail)" +fi + -+trace " (by token label, second key should succeed)" ++trace " (by token label, ECDSA key should succeed)" +echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \ -+ -i "pkcs11:id=${ID2};token=SoftToken%20(token)?module-path=${TEST_SSH_PKCS11}" somehost exit 5 ++ -i "pkcs11:id=%${ID2};token=token-slot-0?module-path=${TEST_SSH_PKCS11}" somehost exit 5 +r=$? +if [ $r -ne 5 ]; then -+ fail "ssh connect with PKCS#11 URI failed (exit code $r)" ++ fail "FAIL: ssh connect with PKCS#11 URI failed (exit code $r)" +fi + +trace " (by wrong token label, should fail)" +echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \ -+ -i "pkcs11:token=SoftToken?module-path=${TEST_SSH_PKCS11}" somehost exit 5 ++ -i "pkcs11:token=token-slot-99?module-path=${TEST_SSH_PKCS11}" somehost exit 5 +r=$? 
+if [ $r -eq 5 ]; then -+ fail "ssh connect with PKCS#11 URI succeeded (should fail)" ++ fail "FAIL: ssh connect with PKCS#11 URI succeeded (should fail)" +fi + + + + +trace "Test PKCS#11 URI specification in configuration files" -+echo "IdentityFile \"pkcs11:id=${ID2}?module-path=${TEST_SSH_PKCS11}\"" \ ++echo "IdentityFile \"pkcs11:id=%${ID2}?module-path=${TEST_SSH_PKCS11}\"" \ + >> $OBJ/ssh_proxy -+trace " (second key should succeed)" ++trace " (ECDSA key should succeed)" +echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy somehost exit 5 +r=$? +if [ $r -ne 5 ]; then -+ fail "ssh connect with PKCS#11 URI in config failed (exit code $r)" ++ fail "FAIL: ssh connect with PKCS#11 URI in config failed (exit code $r)" +fi + -+trace " (first key should fail)" -+head -n 1 $OBJ/token_keys > $OBJ/authorized_keys_$USER ++# Set the RSA key as authorized ++grep "RSA" $OBJ/token_keys > $OBJ/authorized_keys_$USER ++ ++trace " (RSA key should fail)" +echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy somehost exit 5 +r=$? +if [ $r -eq 5 ]; then -+ fail "ssh connect with PKCS#11 URI in config succeeded (should fail)" ++ fail "FAIL: ssh connect with PKCS#11 URI in config succeeded (should fail)" +fi +sed -i -e "/IdentityFile/d" $OBJ/ssh_proxy + +trace "Test PKCS#11 URI specification in configuration files with bogus spaces" -+echo "IdentityFile \" pkcs11:id=${ID1}?module-path=${TEST_SSH_PKCS11} \"" \ ++echo "IdentityFile \" pkcs11:?module-path=${TEST_SSH_PKCS11} \"" \ + >> $OBJ/ssh_proxy +echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy somehost exit 5 +r=$? 
+if [ $r -ne 5 ]; then -+ fail "ssh connect with PKCS#11 URI with bogus spaces in config failed" \ ++ fail "FAIL: ssh connect with PKCS#11 URI with bogus spaces in config failed" \ + "(exit code $r)" +fi +sed -i -e "/IdentityFile/d" $OBJ/ssh_proxy + + +trace "Combination of PKCS11Provider and PKCS11URI on commandline" -+trace " (first key should succeed)" ++trace " (RSA key should succeed)" +echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \ -+ -i "pkcs11:id=${ID1}" -I ${TEST_SSH_PKCS11} somehost exit 5 ++ -i "pkcs11:id=%${ID1}" -I ${TEST_SSH_PKCS11} somehost exit 5 +r=$? +if [ $r -ne 5 ]; then -+ fail "ssh connect with PKCS#11 URI and provider combination" \ ++ fail "FAIL: ssh connect with PKCS#11 URI and provider combination" \ + "failed (exit code $r)" +fi + @@ -402,14 +446,14 @@ index 00000000..f2d6c41c + -o IdentityFile=\"pkcs11:token=segfault\" somehost exit 5 +r=$? +if [ $r -eq 139 ]; then -+ fail "ssh connect with missing provider_id from configuration option" \ ++ fail "FAIL: ssh connect with missing provider_id from configuration option" \ + "crashed (exit code $r)" +fi + + +trace "SSH Agent can work with PKCS#11 URI" +trace "start the agent" -+eval `${SSHAGENT} -s -P "${OBJ}/*"` > /dev/null ++eval `${SSHAGENT} -s` > /dev/null + +r=$? +if [ $r -ne 0 ]; then 
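Review bot: Dropping `-P "${OBJ}/*"` from the ssh-agent start makes the agent half of this test depend on the agent's built-in default provider whitelist accepting `${TEST_SSH_PKCS11}`; if that module is built under `$OBJ`, the refusal path the new ssh-agent.c code adds (`match_pattern_list(canonical_provider, provider_whitelist, 0) != 1`) would reject it unless the default was changed elsewhere, which this commit does not show. Keeping the explicit whitelist keeps the test independent of the packaging default; if the removal is deliberate, a comment on the `eval` line saying why would spare the next rebase the same question. The new exit-code-139 check just above it is a useful regression guard, but note it only detects a SIGSEGV, not other crash signals.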
@@ -417,100 +461,100 @@ index 00000000..f2d6c41c +else + trace "add whole provider to agent" + echo ${TEST_SSH_PIN} | notty ${SSHADD} \ -+ "pkcs11:?module-path=${TEST_SSH_PKCS11}" > /dev/null 2>&1 ++ "pkcs11:?module-path=${TEST_SSH_PKCS11}" #> /dev/null 2>&1 + r=$? + if [ $r -ne 0 ]; then -+ fail "ssh-add failed with whole provider: exit code $r" ++ fail "FAIL: ssh-add failed with whole provider: exit code $r" + fi + + trace " pkcs11 list via agent (all keys)" + ${SSHADD} -l > /dev/null 2>&1 + r=$? + if [ $r -ne 0 ]; then -+ fail "ssh-add -l failed with whole provider: exit code $r" ++ fail "FAIL: ssh-add -l failed with whole provider: exit code $r" + fi + + trace " pkcs11 connect via agent (all keys)" + ${SSH} -F $OBJ/ssh_proxy somehost exit 5 + r=$? + if [ $r -ne 5 ]; then -+ fail "ssh connect failed with whole provider (exit code $r)" ++ fail "FAIL: ssh connect failed with whole provider (exit code $r)" + fi + + trace " remove pkcs11 keys (all keys)" + ${SSHADD} -d "pkcs11:?module-path=${TEST_SSH_PKCS11}" > /dev/null 2>&1 + r=$? + if [ $r -ne 0 ]; then -+ fail "ssh-add -d failed with whole provider: exit code $r" ++ fail "FAIL: ssh-add -d failed with whole provider: exit code $r" + fi + -+ trace "add only first key to the agent" ++ trace "add only RSA key to the agent" + echo ${TEST_SSH_PIN} | notty ${SSHADD} \ -+ "pkcs11:id=${ID1}?module-path=${TEST_SSH_PKCS11}" > /dev/null 2>&1 ++ "pkcs11:id=%${ID1}?module-path=${TEST_SSH_PKCS11}" > /dev/null 2>&1 + r=$? + if [ $r -ne 0 ]; then -+ fail "ssh-add failed with first key: exit code $r" ++ fail "FAIL ssh-add failed with RSA key: exit code $r" + fi + -+ trace " pkcs11 connect via agent (first key)" ++ trace " pkcs11 connect via agent (RSA key)" + ${SSH} -F $OBJ/ssh_proxy somehost exit 5 + r=$? 
+ if [ $r -ne 5 ]; then -+ fail "ssh connect failed with first key (exit code $r)" ++ fail "FAIL: ssh connect failed with RSA key (exit code $r)" + fi + -+ trace " remove first pkcs11 key" -+ ${SSHADD} -d "pkcs11:id=${ID1}?module-path=${TEST_SSH_PKCS11}" \ ++ trace " remove RSA pkcs11 key" ++ ${SSHADD} -d "pkcs11:id=%${ID1}?module-path=${TEST_SSH_PKCS11}" \ + > /dev/null 2>&1 + r=$? + if [ $r -ne 0 ]; then -+ fail "ssh-add -d failed with first key: exit code $r" ++ fail "FAIL: ssh-add -d failed with RSA key: exit code $r" + fi + -+ trace "add only second key to the agent" ++ trace "add only ECDSA key to the agent" + echo ${TEST_SSH_PIN} | notty ${SSHADD} \ -+ "pkcs11:id=${ID2}?module-path=${TEST_SSH_PKCS11}" > /dev/null 2>&1 ++ "pkcs11:id=%${ID2}?module-path=${TEST_SSH_PKCS11}" > /dev/null 2>&1 + r=$? + if [ $r -ne 0 ]; then -+ fail "ssh-add failed with second key: exit code $r" ++ fail "FAIL: ssh-add failed with second key: exit code $r" + fi + -+ trace " pkcs11 connect via agent (second key should fail)" ++ trace " pkcs11 connect via agent (ECDSA key should fail)" + ${SSH} -F $OBJ/ssh_proxy somehost exit 5 + r=$? + if [ $r -eq 5 ]; then -+ fail "ssh connect passed without key (should fail)" ++ fail "FAIL: ssh connect passed with ECDSA key (should fail)" + fi + -+ trace "add also the first key to the agent" ++ trace "add also the RSA key to the agent" + echo ${TEST_SSH_PIN} | notty ${SSHADD} \ -+ "pkcs11:id=${ID1}?module-path=${TEST_SSH_PKCS11}" > /dev/null 2>&1 ++ "pkcs11:id=%${ID1}?module-path=${TEST_SSH_PKCS11}" > /dev/null 2>&1 + r=$? + if [ $r -ne 0 ]; then -+ fail "ssh-add failed with first key: exit code $r" ++ fail "FAIL: ssh-add failed with first key: exit code $r" + fi + -+ trace " remove second pkcs11 key" -+ ${SSHADD} -d "pkcs11:id=${ID2}?module-path=${TEST_SSH_PKCS11}" \ ++ trace " remove ECDSA pkcs11 key" ++ ${SSHADD} -d "pkcs11:id=%${ID2}?module-path=${TEST_SSH_PKCS11}" \ + > /dev/null 2>&1 + r=$? 
+ if [ $r -ne 0 ]; then -+ fail "ssh-add -d failed with second key: exit code $r" ++ fail "ssh-add -d failed with ECDSA key: exit code $r" + fi + + trace " remove already-removed pkcs11 key should fail" -+ ${SSHADD} -d "pkcs11:id=${ID2}?module-path=${TEST_SSH_PKCS11}" \ ++ ${SSHADD} -d "pkcs11:id=%${ID2}?module-path=${TEST_SSH_PKCS11}" \ + > /dev/null 2>&1 + r=$? + if [ $r -eq 0 ]; then -+ fail "ssh-add -d passed with non-existing key (should fail)" ++ fail "FAIL: ssh-add -d passed with non-existing key (should fail)" + fi + -+ trace " pkcs11 connect via agent (the first key should be still usable)" ++ trace " pkcs11 connect via agent (the RSA key should be still usable)" + ${SSH} -F $OBJ/ssh_proxy somehost exit 5 + r=$? + if [ $r -ne 5 ]; then -+ fail "ssh connect failed with first key (after removing second): exit code $r" ++ fail "ssh connect failed with RSA key (after removing ECDSA): exit code $r" + fi + + trace "kill agent" @@ -872,18 +916,18 @@ index 00000000..b637cb13 + test_generate_valid(); +} diff --git a/ssh-add.c b/ssh-add.c -index ebfb8a32..c32d1cb5 100644 +index 8057eb1f..0c470e32 100644 --- a/ssh-add.c +++ b/ssh-add.c -@@ -66,6 +66,7 @@ - #include "misc.h" +@@ -67,6 +67,7 @@ #include "ssherr.h" #include "digest.h" + #include "ssh-sk.h" +#include "ssh-pkcs11-uri.h" /* argv0 */ extern char *__progname; -@@ -190,6 +191,32 @@ delete_all(int agent_fd, int qflag) +@@ -193,6 +194,32 @@ delete_all(int agent_fd, int qflag) return ret; } @@ -914,9 +958,9 @@ index ebfb8a32..c32d1cb5 100644 +#endif + static int - add_file(int agent_fd, const char *filename, int key_only, int qflag) - { -@@ -392,12 +419,11 @@ add_file(int agent_fd, const char *filename, int key_only, int qflag) + add_file(int agent_fd, const char *filename, int key_only, int qflag, + const char *skprovider) +@@ -402,12 +429,11 @@ add_file(int agent_fd, const char *filename, int key_only, int qflag, } static int 
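Review bot: The stdout/stderr redirect on the first ssh-add call is commented out rather than removed, `"pkcs11:?module-path=${TEST_SSH_PKCS11}" #> /dev/null 2>&1`, while every other invocation in this hunk keeps its redirect, which reads as a debugging leftover; either restore the redirect or delete the dead comment. The failure messages are also inconsistent after the rewording: `fail "FAIL ssh-add failed with RSA key: exit code $r"` lacks the colon, the messages for removing the ECDSA key and for the final connect have no `FAIL:` prefix at all, and `"ssh-add failed with second key"` / `"ssh-add failed with first key"` still use the old first/second wording next to traces that now say ECDSA/RSA. Since `fail` is a shared helper defined outside this file, it may already prefix its output, in which case the manual `FAIL:` prefix is redundant everywhere rather than missing in two places; either way, pick one convention for the whole script.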
@@ -931,9 +975,9 @@ index ebfb8a32..c32d1cb5 100644 if ((pin = read_passphrase("Enter passphrase for PKCS#11: ", RP_ALLOW_STDIN)) == NULL) return -1; -@@ -531,6 +557,13 @@ lock_agent(int agent_fd, int lock) - static int - do_file(int agent_fd, int deleting, int key_only, char *file, int qflag) +@@ -591,6 +617,13 @@ static int + do_file(int agent_fd, int deleting, int key_only, char *file, int qflag, + const char *skprovider) { +#ifdef ENABLE_PKCS11 + if (strlen(file) >= strlen(PKCS11_URI_SCHEME) && @@ -945,7 +989,7 @@ index ebfb8a32..c32d1cb5 100644 if (deleting) { if (delete_file(agent_fd, file, key_only, qflag) == -1) return -1; -@@ -709,7 +742,7 @@ main(int argc, char **argv) +@@ -773,7 +806,7 @@ main(int argc, char **argv) } if (pkcs11provider != NULL) { if (update_card(agent_fd, !deleting, pkcs11provider, @@ -955,10 +999,10 @@ index ebfb8a32..c32d1cb5 100644 goto done; } diff --git a/ssh-agent.c b/ssh-agent.c -index 9c6680a2..e3336073 100644 +index 7eb6f0dc..27d8e4af 100644 --- a/ssh-agent.c +++ b/ssh-agent.c -@@ -556,10 +556,72 @@ no_identities(SocketEntry *e) +@@ -641,10 +641,72 @@ no_identities(SocketEntry *e) } #ifdef ENABLE_PKCS11 @@ -978,7 +1022,7 @@ index 9c6680a2..e3336073 100644 + /* PKCS#11 URI */ + uri = pkcs11_uri_init(); + if (uri == NULL) { -+ error("Failed to init PCKS#11 URI"); ++ error("Failed to init PKCS#11 URI"); + return NULL; + } + @@ -1001,7 +1045,7 @@ index 9c6680a2..e3336073 100644 + return NULL; + } + free(module_path); -+ if (match_pattern_list(canonical_provider, pkcs11_whitelist, 0) != 1) { ++ if (match_pattern_list(canonical_provider, provider_whitelist, 0) != 1) { + verbose("refusing PKCS#11 provider \"%.100s\": " + "not whitelisted", canonical_provider); + pkcs11_uri_cleanup(uri); 
@@ -1029,10 +1073,10 @@ index 9c6680a2..e3336073 100644 { - char *provider = NULL, *pin = NULL, canonical_provider[PATH_MAX]; + char *provider = NULL, *pin = NULL, *sane_uri = NULL; + char **comments = NULL; int r, i, count = 0, success = 0, confirm = 0; u_int seconds; - time_t death = 0; -@@ -595,28 +657,23 @@ process_add_smartcard_key(SocketEntry *e) +@@ -681,33 +743,28 @@ process_add_smartcard_key(SocketEntry *e) goto send; } } @@ -1041,7 +1085,7 @@ index 9c6680a2..e3336073 100644 - provider, strerror(errno)); - goto send; - } -- if (match_pattern_list(canonical_provider, pkcs11_whitelist, 0) != 1) { +- if (match_pattern_list(canonical_provider, provider_whitelist, 0) != 1) { - verbose("refusing PKCS#11 add of \"%.100s\": " - "provider not whitelisted", canonical_provider); + 
@@ -1054,30 +1098,35 @@ index 9c6680a2..e3336073 100644 if (lifetime && !death) death = monotime() + lifetime; -- count = pkcs11_add_provider(canonical_provider, pin, &keys); +- count = pkcs11_add_provider(canonical_provider, pin, &keys, &comments); + debug("%s: add %.100s", __func__, sane_uri); -+ count = pkcs11_add_provider(sane_uri, pin, &keys); ++ count = pkcs11_add_provider(sane_uri, pin, &keys, &comments); for (i = 0; i < count; i++) { k = keys[i]; if (lookup_identity(k) == NULL) { id = xcalloc(1, sizeof(Identity)); id->key = k; + keys[i] = NULL; /* transferred */ - id->provider = xstrdup(canonical_provider); -- id->comment = xstrdup(canonical_provider); /* XXX */ + id->provider = xstrdup(sane_uri); -+ id->comment = xstrdup(sane_uri); + if (*comments[i] != '\0') { + id->comment = comments[i]; + comments[i] = NULL; /* transferred */ + } else { +- id->comment = xstrdup(canonical_provider); ++ id->comment = xstrdup(sane_uri); + } id->death = death; id->confirm = confirm; - TAILQ_INSERT_TAIL(&idtab->idlist, id, next); -@@ -630,6 +687,7 @@ process_add_smartcard_key(SocketEntry *e) +@@ -721,6 +778,7 @@ process_add_smartcard_key(SocketEntry *e) send: free(pin); free(provider); + free(sane_uri); free(keys); + free(comments); send_status(e, success); - } -@@ -637,7 +695,7 @@ send: +@@ -729,7 +787,7 @@ send: static void process_remove_smartcard_key(SocketEntry *e) { @@ -1086,7 +1135,7 @@ index 9c6680a2..e3336073 100644 int r, success = 0; Identity *id, *nxt; -@@ -648,30 +706,29 @@ process_remove_smartcard_key(SocketEntry *e) +@@ -740,30 +798,29 @@ process_remove_smartcard_key(SocketEntry *e) } free(pin); @@ -1124,22 +1173,28 @@ index 9c6680a2..e3336073 100644 } #endif /* ENABLE_PKCS11 */ diff --git a/ssh-keygen.c b/ssh-keygen.c -index e039be30..6770fafb 100644 +index 0d6ed1ff..182f4f2b 100644 --- a/ssh-keygen.c 
+++ b/ssh-keygen.c -@@ -829,6 +829,7 @@ do_download(struct passwd *pw) +@@ -855,8 +855,11 @@ do_download(struct passwd *pw) free(fp); } else { (void) sshkey_write(keys[i], stdout); /* XXX check */ +- fprintf(stdout, "%s%s\n", +- *(comments[i]) == '\0' ? "" : " ", comments[i]); ++ if (*(comments[i]) != '\0') { ++ fprintf(stdout, " %s", comments[i]); ++ } + (void) pkcs11_uri_write(keys[i], stdout); - fprintf(stdout, "\n"); ++ fprintf(stdout, "\n"); } + free(comments[i]); sshkey_free(keys[i]); diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c -index e7860de8..7b2a9115 100644 +index 8a0ffef5..ead8a562 100644 --- a/ssh-pkcs11-client.c +++ b/ssh-pkcs11-client.c -@@ -321,6 +321,8 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp) +@@ -323,6 +323,8 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp, u_int nkeys, i; struct sshbuf *msg; @@ -1148,10 +1203,10 @@ index e7860de8..7b2a9115 100644 if (fd < 0 && pkcs11_start_helper() < 0) return (-1); -@@ -338,6 +340,7 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp) - if ((r = sshbuf_get_u32(msg, &nkeys)) != 0) - fatal("%s: buffer error: %s", __func__, ssh_err(r)); +@@ -342,6 +344,7 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp, *keysp = xcalloc(nkeys, sizeof(struct sshkey *)); + if (labelsp) + *labelsp = xcalloc(nkeys, sizeof(char *)); + debug("%s: nkeys = %u", __func__, nkeys); for (i = 0; i < nkeys; i++) { /* XXX clean up properly instead of fatal() */ @@ -1632,7 +1687,7 @@ index 00000000..942a5a5a +char *pkcs11_uri_get(struct pkcs11_uri *uri); + diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c -index 09f1ea34..fceddfe3 100644 +index a302c79c..879fe917 100644 --- a/ssh-pkcs11.c +++ b/ssh-pkcs11.c @@ -54,8 +54,8 @@ struct pkcs11_slotinfo { 
@@ -1798,7 +1853,7 @@ index 09f1ea34..fceddfe3 100644 + + uri = pkcs11_uri_init(); + if (uri == NULL) -+ fatal("Failed to init PCKS#11 URI"); ++ fatal("Failed to init PKCS#11 URI"); + + if (strlen(provider_id) >= strlen(PKCS11_URI_SCHEME) && + strncmp(provider_id, PKCS11_URI_SCHEME, strlen(PKCS11_URI_SCHEME)) == 0) { @@ -1912,7 +1967,13 @@ index 09f1ea34..fceddfe3 100644 if ((rv = f->C_FindObjectsInit(session, attr, nattr)) != CKR_OK) { error("C_FindObjectsInit failed (nattr %lu): %lu", nattr, rv); return (-1); -@@ -267,7 +407,7 @@ pkcs11_login_slot(struct pkcs11_provider *provider, struct pkcs11_slotinfo *si, +@@ -262,12 +402,12 @@ pkcs11_login_slot(struct pkcs11_provider *provider, struct pkcs11_slotinfo *si, + else { + snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ", + si->token.label); +- if ((pin = read_passphrase(prompt, RP_ALLOW_EOF)) == NULL) { ++ if ((pin = read_passphrase(prompt, RP_ALLOW_EOF|RP_ALLOW_STDIN)) == NULL) { + debug("%s: no pin specified", __func__); return (-1); /* bail out */ } } @@ -2246,9 +2307,9 @@ index 09f1ea34..fceddfe3 100644 free(key_attr[i].pValue); RSA_free(rsa); -@@ -897,7 +1058,8 @@ static struct sshkey * +@@ -897,7 +1058,8 @@ static int pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, - CK_OBJECT_HANDLE *obj) + CK_OBJECT_HANDLE *obj, struct sshkey **keyp, char **labelp) { - CK_ATTRIBUTE cert_attr[3]; + CK_ATTRIBUTE cert_attr[4]; @@ -2256,7 +2317,7 @@ index 09f1ea34..fceddfe3 100644 CK_SESSION_HANDLE session; CK_FUNCTION_LIST *f = NULL; CK_RV rv; -@@ -916,14 +1078,15 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, +@@ -921,14 +1083,15 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, memset(&cert_attr, 0, sizeof(cert_attr)); cert_attr[0].type = CKA_ID; 
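Review bot: The `RP_ALLOW_STDIN` added to the PIN prompt in pkcs11_login_slot (`if ((pin = read_passphrase(prompt, RP_ALLOW_EOF|RP_ALLOW_STDIN)) == NULL)`) changes where a PIN may come from, and the hunk carries no explanation. Without that flag read_passphrase appears to insist on a controlling tty, so this presumably lets the PIN arrive via askpass or a non-tty stdin — which is what the regress test's `echo ${TEST_SSH_PIN} | notty ${SSHADD}` relies on and what ssh-add.c already does for its own "Enter passphrase for PKCS#11" prompt — but the same code is reached from ssh(1) through pkcs11_add_provider_by_uri, where stdin can be a data pipe rather than a terminal. A one-line comment above the call would record the intent, e.g. `/* RP_ALLOW_STDIN: PIN may come from askpass or a non-tty stdin, matching ssh-add's PKCS#11 prompt */`. pkcs11_login_slot's body starts and ends outside the hunk.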
@@ -2276,8 +2337,8 @@ index 09f1ea34..fceddfe3 100644 + rv = f->C_GetAttributeValue(session, *obj, cert_attr, nattr); if (rv != CKR_OK) { error("C_GetAttributeValue failed: %lu", rv); - return (NULL); -@@ -935,18 +1098,19 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, + return -1; +@@ -940,18 +1103,19 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, * XXX assumes CKA_ID is always first. */ if (cert_attr[1].ulValueLen == 0 || @@ -2285,7 +2346,7 @@ index 09f1ea34..fceddfe3 100644 + cert_attr[2].ulValueLen == 0 || + cert_attr[3].ulValueLen == 0) { error("invalid attribute length"); - return (NULL); + return -1; } /* allocate buffers for attributes */ 
@@ -2299,51 +2360,51 @@ index 09f1ea34..fceddfe3 100644 + rv = f->C_GetAttributeValue(session, *obj, cert_attr, nattr); if (rv != CKR_OK) { error("C_GetAttributeValue failed: %lu", rv); - goto fail; -@@ -958,8 +1122,8 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, - goto fail; - } + goto out; +@@ -965,8 +1129,8 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, + subject = xstrdup("invalid subject"); + X509_NAME_free(x509_name); - cp = cert_attr[2].pValue; -- if (d2i_X509(&x509, &cp, cert_attr[2].ulValueLen) == NULL) { +- if ((x509 = d2i_X509(NULL, &cp, cert_attr[2].ulValueLen)) == NULL) { + cp = cert_attr[3].pValue; -+ if (d2i_X509(&x509, &cp, cert_attr[3].ulValueLen) == NULL) { ++ if ((x509 = d2i_X509(NULL, &cp, cert_attr[3].ulValueLen)) == NULL) { error("d2i_x509 failed"); - goto fail; + goto out; } -@@ -980,7 +1144,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, - goto fail; +@@ -986,7 +1150,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, + goto out; } - if (pkcs11_rsa_wrap(p, slotidx, &cert_attr[0], rsa)) + if (pkcs11_rsa_wrap(p, slotidx, &cert_attr[0], &cert_attr[1], rsa)) - goto fail; + goto out; key = sshkey_new(KEY_UNSPEC); -@@ -1010,7 +1174,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, - goto fail; +@@ -1016,7 +1180,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, + goto out; } - if (pkcs11_ecdsa_wrap(p, slotidx, &cert_attr[0], ec)) + if (pkcs11_ecdsa_wrap(p, slotidx, &cert_attr[0], &cert_attr[1], ec)) - goto fail; + goto out; key = sshkey_new(KEY_UNSPEC); -@@ -1029,7 +1193,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, - error("unknown certificate key type"); - - fail: +@@ -1036,7 +1200,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, + goto out; + } + out: - for (i = 0; i < 3; i++) + for (i = 0; i < nattr; i++) free(cert_attr[i].pValue); 
X509_free(x509); RSA_free(rsa); -@@ -1058,11 +1222,12 @@ have_rsa_key(const RSA *rsa) +@@ -1071,11 +1235,12 @@ have_rsa_key(const RSA *rsa) */ static int pkcs11_fetch_certs(struct pkcs11_provider *p, CK_ULONG slotidx, -- struct sshkey ***keysp, int *nkeys) -+ struct sshkey ***keysp, int *nkeys, struct pkcs11_uri *uri) +- struct sshkey ***keysp, char ***labelsp, int *nkeys) ++ struct sshkey ***keysp, char ***labelsp, int *nkeys, struct pkcs11_uri *uri) { struct sshkey *key = NULL; CK_OBJECT_CLASS key_class; @@ -2353,7 +2414,7 @@ index 09f1ea34..fceddfe3 100644 CK_SESSION_HANDLE session; CK_FUNCTION_LIST *f = NULL; CK_RV rv; -@@ -1078,10 +1243,23 @@ pkcs11_fetch_certs(struct pkcs11_provider *p, CK_ULONG slotidx, +@@ -1092,10 +1257,23 @@ pkcs11_fetch_certs(struct pkcs11_provider *p, CK_ULONG slotidx, key_attr[0].pValue = &key_class; key_attr[0].ulValueLen = sizeof(key_class); 
@@ -2371,31 +2432,31 @@ index 09f1ea34..fceddfe3 100644 + key_attr[nattr].ulValueLen = strlen(uri->object); + nattr++; + } - -- rv = f->C_FindObjectsInit(session, key_attr, 1); ++ + session = p->module->slotinfo[slotidx].session; + f = p->module->function_list; -+ + +- rv = f->C_FindObjectsInit(session, key_attr, 1); + rv = f->C_FindObjectsInit(session, key_attr, nattr); if (rv != CKR_OK) { error("C_FindObjectsInit failed: %lu", rv); goto fail; -@@ -1155,11 +1333,12 @@ fail: +@@ -1175,11 +1353,12 @@ fail: */ static int pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, -- struct sshkey ***keysp, int *nkeys) -+ struct sshkey ***keysp, int *nkeys, struct pkcs11_uri *uri) +- struct sshkey ***keysp, char ***labelsp, int *nkeys) ++ struct sshkey ***keysp, char ***labelsp, int *nkeys, struct pkcs11_uri *uri) { struct sshkey *key = NULL; CK_OBJECT_CLASS key_class; -- CK_ATTRIBUTE key_attr[1]; +- CK_ATTRIBUTE key_attr[2]; + CK_ATTRIBUTE key_attr[3]; + int nattr = 1; CK_SESSION_HANDLE session; CK_FUNCTION_LIST *f = NULL; CK_RV rv; -@@ -1175,10 +1354,23 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, +@@ -1195,10 +1374,23 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, key_attr[0].pValue = &key_class; key_attr[0].ulValueLen = sizeof(key_class); @@ -2413,16 +2474,16 @@ index 09f1ea34..fceddfe3 100644 + key_attr[nattr].ulValueLen = strlen(uri->object); + nattr++; + } - -- rv = f->C_FindObjectsInit(session, key_attr, 1); ++ + session = p->module->slotinfo[slotidx].session; + f = p->module->function_list; -+ + +- rv = f->C_FindObjectsInit(session, key_attr, 1); + rv = f->C_FindObjectsInit(session, key_attr, nattr); if (rv != CKR_OK) { error("C_FindObjectsInit failed: %lu", rv); goto fail; -@@ -1435,15 +1627,10 @@ pkcs11_ecdsa_generate_private_key(struct pkcs11_provider *p, CK_ULONG slotidx, +@@ -1466,16 +1658,10 @@ pkcs11_ecdsa_generate_private_key(struct pkcs11_provider *p, CK_ULONG slotidx, } #endif /* WITH_PKCS11_KEYGEN */ 
@@ -2431,7 +2492,8 @@ index 09f1ea34..fceddfe3 100644 - * keyp is provided, fetch keys. - */ static int --pkcs11_register_provider(char *provider_id, char *pin, struct sshkey ***keyp, +-pkcs11_register_provider(char *provider_id, char *pin, +- struct sshkey ***keyp, char ***labelsp, - struct pkcs11_provider **providerp, CK_ULONG user) +pkcs11_initialize_provider(struct pkcs11_uri *uri, struct pkcs11_provider **providerp) { @@ -2440,7 +2502,7 @@ index 09f1ea34..fceddfe3 100644 int ret = -1; struct pkcs11_provider *p = NULL; void *handle = NULL; -@@ -1452,161 +1639,298 @@ pkcs11_register_provider(char *provider_id, char *pin, struct sshkey ***keyp, +@@ -1484,165 +1670,301 @@ pkcs11_register_provider(char *provider_id, char *pin, CK_FUNCTION_LIST *f = NULL; CK_TOKEN_INFO *token; CK_ULONG i; @@ -2460,6 +2522,8 @@ index 09f1ea34..fceddfe3 100644 - - if (keyp != NULL) - *keyp = NULL; +- if (labelsp != NULL) +- *labelsp = NULL; +#endif + } else { + provider_module = strdup(uri->module_path); @@ -2528,17 +2592,17 @@ index 09f1ea34..fceddfe3 100644 error("C_GetInfo for provider %s failed: %lu", - provider_id, rv); + provider_module, rv); -+ goto fail; -+ } + goto fail; + } +- rmspace(p->info.manufacturerID, sizeof(p->info.manufacturerID)); +- rmspace(p->info.libraryDescription, sizeof(p->info.libraryDescription)); + rmspace(m->info.manufacturerID, sizeof(m->info.manufacturerID)); + if (uri->lib_manuf != NULL && + strcmp(uri->lib_manuf, m->info.manufacturerID)) { + debug("%s: Skipping provider %s not matching library_manufacturer", + __func__, m->info.manufacturerID); - goto fail; - } -- rmspace(p->info.manufacturerID, sizeof(p->info.manufacturerID)); -- rmspace(p->info.libraryDescription, sizeof(p->info.libraryDescription)); ++ goto fail; ++ } + rmspace(m->info.libraryDescription, sizeof(m->info.libraryDescription)); debug("provider %s: manufacturerID <%s> cryptokiVersion %d.%d" " libraryDescription <%s> libraryVersion %d.%d", 
@@ -2636,7 +2700,8 @@ index 09f1ea34..fceddfe3 100644 + */ +static int +pkcs11_register_provider_by_uri(struct pkcs11_uri *uri, char *pin, -+ struct sshkey ***keyp, struct pkcs11_provider **providerp, CK_ULONG user) ++ struct sshkey ***keyp, char ***labelsp, struct pkcs11_provider **providerp, ++ CK_ULONG user) +{ + int nkeys; + int ret = -1; @@ -2706,11 +2771,11 @@ index 09f1ea34..fceddfe3 100644 + (ret = pkcs11_open_session(p, i, pin, user)) != 0) && /* ??? */ keyp == NULL) continue; -- pkcs11_fetch_keys(p, i, keyp, &nkeys); -- pkcs11_fetch_certs(p, i, keyp, &nkeys); +- pkcs11_fetch_keys(p, i, keyp, labelsp, &nkeys); +- pkcs11_fetch_certs(p, i, keyp, labelsp, &nkeys); - if (nkeys == 0 && !p->slotinfo[i].logged_in && -+ pkcs11_fetch_keys(p, i, keyp, &nkeys, uri); -+ pkcs11_fetch_certs(p, i, keyp, &nkeys, uri); ++ pkcs11_fetch_keys(p, i, keyp, labelsp, &nkeys, uri); ++ pkcs11_fetch_certs(p, i, keyp, labelsp, &nkeys, uri); + if (nkeys == 0 && !p->module->slotinfo[i].logged_in && pkcs11_interactive) { /* 
@@ -2718,26 +2783,28 @@ index 09f1ea34..fceddfe3 100644 * expose keys. */ - if (pkcs11_login_slot(p, &p->slotinfo[i], ++ debug3("%s: Trying to login as there were no keys found", ++ __func__); + if (pkcs11_login_slot(p, &p->module->slotinfo[i], CKU_USER) < 0) { error("login failed"); continue; } -- pkcs11_fetch_keys(p, i, keyp, &nkeys); -- pkcs11_fetch_certs(p, i, keyp, &nkeys); -+ pkcs11_fetch_keys(p, i, keyp, &nkeys, uri); -+ pkcs11_fetch_certs(p, i, keyp, &nkeys, uri); - } +- pkcs11_fetch_keys(p, i, keyp, labelsp, &nkeys); +- pkcs11_fetch_certs(p, i, keyp, labelsp, &nkeys); ++ pkcs11_fetch_keys(p, i, keyp, labelsp, &nkeys, uri); ++ pkcs11_fetch_certs(p, i, keyp, labelsp, &nkeys, uri); ++ } + if (nkeys == 0 && uri->object != NULL) { + debug3("%s: No keys found. Retrying without label (%s) ", + __func__, uri->object); + /* Try once more without the label filter */ + char *label = uri->object; + uri->object = NULL; /* XXX clone uri? */ -+ pkcs11_fetch_keys(p, i, keyp, &nkeys, uri); -+ pkcs11_fetch_certs(p, i, keyp, &nkeys, uri); ++ pkcs11_fetch_keys(p, i, keyp, labelsp, &nkeys, uri); ++ pkcs11_fetch_certs(p, i, keyp, labelsp, &nkeys, uri); + uri->object = label; -+ } + } + pin = NULL; /* Will be cleaned up with URI */ } @@ -2772,7 +2839,7 @@ index 09f1ea34..fceddfe3 100644 - */ +static int +pkcs11_register_provider(char *provider_id, char *pin, struct sshkey ***keyp, -+ struct pkcs11_provider **providerp, CK_ULONG user) ++ char ***labelsp, struct pkcs11_provider **providerp, CK_ULONG user) +{ + struct pkcs11_uri *uri = NULL; + int r; 
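Review bot: The retry without the label filter in pkcs11_register_provider_by_uri (`uri->object = NULL; /* XXX clone uri? */` followed by a second pkcs11_fetch_keys/pkcs11_fetch_certs pass) means a URI that names a specific `object=` can return keys carrying a different label once nothing matches, so the identity the caller asked for by name is silently widened to whatever the remaining id filter, or the whole token, yields. Only the `labelsp` argument is new here, but the fallback is the behaviour users will see, and it is logged at debug3 only; either raise it to a verbose()-level message naming the requested label, or replace the `XXX` note with a comment stating why a non-matching label is treated as a hint rather than a constraint. The function's body starts and ends outside the hunk.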
@@ -2791,30 +2858,32 @@ index 09f1ea34..fceddfe3 100644 + uri->module_path = strdup(provider_id); + } + -+ r = pkcs11_register_provider_by_uri(uri, pin, keyp, providerp, user); ++ r = pkcs11_register_provider_by_uri(uri, pin, keyp, labelsp, providerp, user); + pkcs11_uri_cleanup(uri); + + return r; +} + int --pkcs11_add_provider(char *provider_id, char *pin, struct sshkey ***keyp) +-pkcs11_add_provider(char *provider_id, char *pin, struct sshkey ***keyp, +- char ***labelsp) +pkcs11_add_provider_by_uri(struct pkcs11_uri *uri, char *pin, -+ struct sshkey ***keyp) ++ struct sshkey ***keyp, char ***labelsp) { - struct pkcs11_provider *p = NULL; int nkeys; + struct pkcs11_provider *p = NULL; + char *provider_uri = pkcs11_uri_get(uri); - -- nkeys = pkcs11_register_provider(provider_id, pin, keyp, &p, CKU_USER); -+ debug("%s: called, provider_uri = %s", __func__, provider_uri); + -+ nkeys = pkcs11_register_provider_by_uri(uri, pin, keyp, &p, CKU_USER); ++ debug("%s: called, provider_uri = %s", __func__, provider_uri); + +- nkeys = pkcs11_register_provider(provider_id, pin, keyp, labelsp, +- &p, CKU_USER); ++ nkeys = pkcs11_register_provider_by_uri(uri, pin, keyp, labelsp, &p, CKU_USER); /* no keys found or some other error, de-register provider */ if (nkeys <= 0 && p != NULL) { -@@ -1616,7 +1940,36 @@ pkcs11_add_provider(char *provider_id, char *pin, struct sshkey ***keyp) +@@ -1652,7 +1974,37 @@ pkcs11_add_provider(char *provider_id, char *pin, struct sshkey ***keyp, } if (nkeys == 0) debug("%s: provider %s returned no keys", __func__, 
@@ -2830,14 +2899,15 @@ index 09f1ea34..fceddfe3 100644 + * fails if provider already exists + */ +int -+pkcs11_add_provider(char *provider_id, char *pin, struct sshkey ***keyp) ++pkcs11_add_provider(char *provider_id, char *pin, ++ struct sshkey ***keyp, char ***labelsp) +{ + struct pkcs11_uri *uri; + int nkeys; + + uri = pkcs11_uri_init(); + if (uri == NULL) -+ fatal("Failed to init PCKS#11 URI"); ++ fatal("Failed to init PKCS#11 URI"); + + if (strlen(provider_id) >= strlen(PKCS11_URI_SCHEME) && + strncmp(provider_id, PKCS11_URI_SCHEME, strlen(PKCS11_URI_SCHEME)) == 0) { 
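Review bot: `provider_uri`, obtained from `pkcs11_uri_get(uri)` in pkcs11_add_provider_by_uri, is used only by the `debug("%s: called, provider_uri = %s", __func__, provider_uri);` line and nothing in the hunk frees it; the ssh-pkcs11-uri.h prototype `char *pkcs11_uri_get(struct pkcs11_uri *uri);` suggests it returns an allocated string, so it should be freed before the function returns, or the debug line dropped. Separately, if pkcs11_uri_parse() accepts the RFC 7512 `pin-value` attribute, this debug line — and the `debug("%s: add %.100s", __func__, sane_uri);` in ssh-agent.c's process_add_smartcard_key — would copy the PIN into the debug log; confirm the getter omits that attribute or strip it before logging. The function continues past the end of the hunk, so the free may exist there.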
@@ -2847,33 +2917,33 @@ index 09f1ea34..fceddfe3 100644 + uri->module_path = strdup(provider_id); + } + -+ nkeys = pkcs11_add_provider_by_uri(uri, pin, keyp); ++ nkeys = pkcs11_add_provider_by_uri(uri, pin, keyp, labelsp); + pkcs11_uri_cleanup(uri); return (nkeys); } -@@ -1638,8 +1991,7 @@ pkcs11_gakp(char *provider_id, char *pin, unsigned int slotidx, char *label, +@@ -1674,7 +2026,7 @@ pkcs11_gakp(char *provider_id, char *pin, unsigned int slotidx, char *label, if ((p = pkcs11_provider_lookup(provider_id)) != NULL) debug("%s: provider \"%s\" available", __func__, provider_id); -- else if ((ret = pkcs11_register_provider(provider_id, pin, NULL, &p, -- CKU_SO)) < 0) { -+ else if ((rv = pkcs11_register_provider(provider_id, pin, NULL, &p, CKU_SO)) != 0) { +- else if ((ret = pkcs11_register_provider(provider_id, pin, NULL, NULL, ++ else if ((rv = pkcs11_register_provider(provider_id, pin, NULL, NULL, + &p, CKU_SO)) < 0) { debug("%s: could not register provider %s", __func__, provider_id); - goto out; -@@ -1710,8 +2062,7 @@ pkcs11_destroy_keypair(char *provider_id, char *pin, unsigned long slotidx, +@@ -1746,8 +2098,8 @@ pkcs11_destroy_keypair(char *provider_id, char *pin, unsigned long slotidx, if ((p = pkcs11_provider_lookup(provider_id)) != NULL) { debug("%s: using provider \"%s\"", __func__, provider_id); -- } else if (pkcs11_register_provider(provider_id, pin, NULL, &p, +- } else if (pkcs11_register_provider(provider_id, pin, NULL, NULL, &p, - CKU_SO) < 0) { -+ } else if ((rv = pkcs11_register_provider(provider_id, pin, NULL, &p, CKU_SO)) != 0) { ++ } else if ((rv = pkcs11_register_provider(provider_id, pin, NULL, NULL, ++ &p, CKU_SO)) < 0) { debug("%s: could not register provider %s", __func__, provider_id); goto out; diff --git a/ssh-pkcs11.h b/ssh-pkcs11.h -index b9038450..5a855338 100644 +index 81f1d7c5..feaf74de 100644 --- a/ssh-pkcs11.h +++ b/ssh-pkcs11.h @@ -22,10 +22,14 @@ 
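Review bot: `uri->module_path = strdup(provider_id);` in pkcs11_add_provider leaves the return unchecked, so on allocation failure the provider is registered with a NULL module path; this file otherwise uses the fatal()-on-failure wrapper (`subject = xstrdup("invalid subject");` in pkcs11_fetch_x509_pubkey), so `uri->module_path = xstrdup(provider_id);` would match its convention. The same unchecked strdup appears in pkcs11_register_provider (`@@ -2772,7 +2839,7 @@`), in pkcs11_initialize_provider (`provider_module = strdup(uri->module_path);`) and in ssh.c's fallback (`uri->module_path = strdup(options.pkcs11_provider);`). More generally the scheme-detection prologue — `pkcs11_uri_init()`, the `strlen`/`strncmp` against `PKCS11_URI_SCHEME`, then parse-or-strdup — is now repeated in pkcs11_add_provider, pkcs11_register_provider, the helper in the `@@ -1798,7 +1853,7 @@` hunk, ssh-add.c's do_file and ssh.c; a single helper that builds a `struct pkcs11_uri` from a provider id would keep the copies from drifting.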
@@ -2884,18 +2954,18 @@ index b9038450..5a855338 100644 + int pkcs11_init(int); void pkcs11_terminate(void); - int pkcs11_add_provider(char *, char *, struct sshkey ***); -+int pkcs11_add_provider_by_uri(struct pkcs11_uri *, char *, struct sshkey ***); + int pkcs11_add_provider(char *, char *, struct sshkey ***, char ***); ++int pkcs11_add_provider_by_uri(struct pkcs11_uri *, char *, struct sshkey ***, char ***); int pkcs11_del_provider(char *); +int pkcs11_uri_write(const struct sshkey *, FILE *); #ifdef WITH_PKCS11_KEYGEN struct sshkey * pkcs11_gakp(char *, char *, unsigned int, char *, unsigned int, diff --git a/ssh.c b/ssh.c -index ee51823c..2268755b 100644 +index 15aee569..976844cb 100644 --- a/ssh.c +++ b/ssh.c -@@ -772,6 +772,14 @@ main(int ac, char **av) +@@ -795,6 +795,14 @@ main(int ac, char **av) options.gss_deleg_creds = 1; break; case 'i': @@ -2910,7 +2980,7 @@ index ee51823c..2268755b 100644 p = tilde_expand_filename(optarg, getuid()); if (stat(p, &st) == -1) fprintf(stderr, "Warning: Identity file %s " -@@ -1524,6 +1532,7 @@ main(int ac, char **av) +@@ -1603,6 +1611,7 @@ main(int ac, char **av) free(options.certificate_files[i]); options.certificate_files[i] = NULL; } @@ -2918,7 +2988,7 @@ index ee51823c..2268755b 100644 skip_connect: exit_status = ssh_session2(ssh, pw); -@@ -1997,6 +2006,45 @@ ssh_session2(struct ssh *ssh, struct passwd *pw) +@@ -2076,6 +2085,45 @@ ssh_session2(struct ssh *ssh, struct passwd *pw) options.escape_char : SSH_ESCAPECHAR_NONE, id); } @@ -2934,7 +3004,7 @@ index ee51823c..2268755b 100644 + debug("identity file '%s' from pkcs#11", pkcs11_uri); + uri = pkcs11_uri_init(); + if (uri == NULL) -+ fatal("Failed to init PCKS#11 URI"); ++ fatal("Failed to init PKCS#11 URI"); + + if (pkcs11_uri_parse(pkcs11_uri, uri) != 0) + fatal("Failed to parse PKCS#11 URI %s", pkcs11_uri); 
@@ -2944,7 +3014,7 @@ index ee51823c..2268755b 100644 + uri->module_path = strdup(options.pkcs11_provider); + + if (options.num_identity_files < SSH_MAX_IDENTITY_FILES && -+ (nkeys = pkcs11_add_provider_by_uri(uri, NULL, &keys)) > 0) { ++ (nkeys = pkcs11_add_provider_by_uri(uri, NULL, &keys, NULL)) > 0) { + for (i = 0; i < nkeys; i++) { + if (*n_ids >= SSH_MAX_IDENTITY_FILES) { + sshkey_free(keys[i]); @@ -2964,18 +3034,19 @@ index ee51823c..2268755b 100644 /* Loads all IdentityFile and CertificateFile keys */ static void load_public_identity_files(struct passwd *pw) -@@ -2011,10 +2059,6 @@ load_public_identity_files(struct passwd *pw) +@@ -2090,11 +2138,6 @@ load_public_identity_files(struct passwd *pw) char *certificate_files[SSH_MAX_CERTIFICATE_FILES]; struct sshkey *certificates[SSH_MAX_CERTIFICATE_FILES]; int certificate_file_userprovided[SSH_MAX_CERTIFICATE_FILES]; -#ifdef ENABLE_PKCS11 -- struct sshkey **keys; +- struct sshkey **keys = NULL; +- char **comments = NULL; - int nkeys; -#endif /* PKCS11 */ n_ids = n_certs = 0; memset(identity_files, 0, sizeof(identity_files)); -@@ -2027,32 +2071,46 @@ load_public_identity_files(struct passwd *pw) +@@ -2107,33 +2150,46 @@ load_public_identity_files(struct passwd *pw) sizeof(certificate_file_userprovided)); #ifdef ENABLE_PKCS11 
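Review bot: Passing `NULL` as the new `labelsp` argument in `(nkeys = pkcs11_add_provider_by_uri(uri, NULL, &keys, NULL)) > 0` throws away the key labels that 8.2 now returns for PKCS#11 keys; the upstream code this patch removes from load_public_identity_files (later hunk) used them as the identity names (`identity_files[n_ids] = comments[i]; /* transferred */`), so identities loaded through a URI presumably end up named by the provider string instead. Unless naming by URI is intended — in which case a comment on this call saying so would help — declare `char **comments = NULL;`, pass `&comments`, transfer `comments[i]` into the identity name (and `free(comments[i])` on the `*n_ids >= SSH_MAX_IDENTITY_FILES` branch next to `sshkey_free(keys[i])`), and `free(comments)` together with `keys`. The enclosing function starts and ends outside the hunk.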
@@ -2983,18 +3054,19 @@ index ee51823c..2268755b 100644 - options.num_identity_files < SSH_MAX_IDENTITY_FILES && - (pkcs11_init(!options.batch_mode) == 0) && - (nkeys = pkcs11_add_provider(options.pkcs11_provider, NULL, -- &keys)) > 0) { +- &keys, &comments)) > 0) { - for (i = 0; i < nkeys; i++) { - if (n_ids >= SSH_MAX_IDENTITY_FILES) { - sshkey_free(keys[i]); +- free(comments[i]); - continue; - } - identity_keys[n_ids] = keys[i]; -- identity_files[n_ids] = -- xstrdup(options.pkcs11_provider); /* XXX */ +- identity_files[n_ids] = comments[i]; /* transferred */ - n_ids++; - } - free(keys); +- free(comments); + /* handle fallback from PKCS11Provider option */ + pkcs11_init(!options.batch_mode); + @@ -3003,7 +3075,7 @@ index ee51823c..2268755b 100644 + + uri = pkcs11_uri_init(); + if (uri == NULL) -+ fatal("Failed to init PCKS#11 URI"); ++ fatal("Failed to init PKCS#11 URI"); + + /* Construct simple PKCS#11 URI to simplify access */ + uri->module_path = strdup(options.pkcs11_provider); @@ -3041,10 +3113,10 @@ index ee51823c..2268755b 100644 "u", pw->pw_name, "l", thishost, "h", host, "r", options.user, (char *)NULL); diff --git a/ssh_config.5 b/ssh_config.5 -index 02a87892..41acfa33 100644 +index 06a32d31..4b2763bd 100644 --- a/ssh_config.5 +++ b/ssh_config.5 -@@ -964,6 +964,21 @@ may also be used in conjunction with +@@ -986,6 +986,21 @@ may also be used in conjunction with .Cm CertificateFile in order to provide any certificate also needed for authentication with the identity. diff --git a/openssh-8.1p1-seccomp-nanosleep.patch b/openssh-8.1p1-seccomp-nanosleep.patch deleted file mode 100644 index a7a16fd..0000000 --- a/openssh-8.1p1-seccomp-nanosleep.patch +++ /dev/null 
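Review bot: `pkcs11_init(!options.batch_mode);` in load_public_identity_files ignores the return value, whereas the upstream lines this hunk removes gated provider loading on `(pkcs11_init(!options.batch_mode) == 0) &&`. If initialisation can fail (the removed check suggests it can), the `pkcs11_uri_init()`/`pkcs11_add_provider_by_uri` path that follows runs against an uninitialised PKCS#11 layer; keep the check, either by skipping the PKCS#11 block when it returns non-zero as upstream did or with `if (pkcs11_init(!options.batch_mode) != 0) fatal("%s: pkcs11_init failed", __func__);` if a hard failure is preferred. The function body continues outside the hunk.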
@@ -1,45 +0,0 @@ -commit 7e929163ed40f9ce90060a3ca6df558c3d901379 -Author: Jakub Jelen -Date: Wed Nov 13 12:57:05 2019 +0100 - - seccomp: Allow clock_nanosleep() to make OpenSSH working with latest glibc - -diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c -index b5cda70b..be239767 100644 ---- a/sandbox-seccomp-filter.c -+++ b/sandbox-seccomp-filter.c -@@ -242,6 +242,9 @@ static const struct sock_filter preauth_insns[] = { - #ifdef __NR_nanosleep - SC_ALLOW(__NR_nanosleep), - #endif -+#ifdef __NR_clock_nanosleep -+ SC_ALLOW(__NR_clock_nanosleep), -+#endif - #ifdef __NR__newselect - SC_ALLOW(__NR__newselect), - #endif - -commit 500c30eaf88f26e4a74b06717fe04afec7a7516f -Author: Jakub Jelen -Date: Wed Nov 27 11:06:55 2019 +0100 - - sandbox-seccomp: Allow clock_nanosleep on ARM - -diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c -index be239767..3ef30c9d 100644 ---- a/sandbox-seccomp-filter.c -+++ b/sandbox-seccomp-filter.c -@@ -245,6 +245,12 @@ static const struct sock_filter preauth_insns[] = { - #ifdef __NR_clock_nanosleep - SC_ALLOW(__NR_clock_nanosleep), - #endif -+#ifdef __NR_clock_nanosleep_time64 -+ SC_ALLOW(__NR_clock_nanosleep_time64), -+#endif -+#ifdef __NR_clock_gettime64 -+ SC_ALLOW(__NR_clock_gettime64), -+#endif - #ifdef __NR__newselect - SC_ALLOW(__NR__newselect), - #endif - diff --git a/openssh-8.2p1-visibility.patch b/openssh-8.2p1-visibility.patch new file mode 100644 index 0000000..2f0b191 --- /dev/null +++ b/openssh-8.2p1-visibility.patch 
@@ -0,0 +1,40 @@ +diff --git a/regress/misc/sk-dummy/sk-dummy.c b/regress/misc/sk-dummy/sk-dummy.c +index dca158de..afdcb1d2 100644 +--- a/regress/misc/sk-dummy/sk-dummy.c ++++ b/regress/misc/sk-dummy/sk-dummy.c +@@ -71,7 +71,7 @@ skdebug(const char *func, const char *fmt, ...) + #endif + } + +-uint32_t ++uint32_t __attribute__((visibility("default"))) + sk_api_version(void) + { + return SSH_SK_VERSION_MAJOR; +@@ -220,7 +220,7 @@ check_options(struct sk_option **options) + return 0; + } + +-int ++int __attribute__((visibility("default"))) + sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len, + const char *application, uint8_t flags, const char *pin, + struct sk_option **options, struct sk_enroll_response **enroll_response) +@@ -467,7 +467,7 @@ sig_ed25519(const uint8_t *message, size_t message_len, + return ret; + } + +-int ++int __attribute__((visibility("default"))) + sk_sign(uint32_t alg, const uint8_t *message, size_t message_len, + const char *application, const uint8_t *key_handle, size_t key_handle_len, + uint8_t flags, const char *pin, struct sk_option **options, +@@ -518,7 +518,7 @@ sk_sign(uint32_t alg, const uint8_t *message, size_t message_len, + return ret; + } + +-int ++int __attribute__((visibility("default"))) + sk_load_resident_keys(const char *pin, struct sk_option **options, + struct sk_resident_key ***rks, size_t *nrks) + { diff --git a/openssh.spec b/openssh.spec index cc077d3..7177972 100644 --- a/openssh.spec +++ b/openssh.spec @@ -65,10 +65,10 @@ %endif # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 -%global openssh_ver 8.1p1 -%global openssh_rel 4 +%global openssh_ver 8.2p1 +%global openssh_rel 1 %global pam_ssh_agent_ver 0.10.3 -%global pam_ssh_agent_rel 8 +%global pam_ssh_agent_rel 9 Summary: An open source implementation of SSH protocol version 2 Name: openssh 
@@ -196,7 +196,8 @@ Patch949: openssh-7.6p1-cleanup-selinux.patch # Sandbox adjustments for s390 and audit Patch950: openssh-7.5p1-sandbox.patch # PKCS#11 URIs (upstream #2817, 2nd iteration) -# git diff upstream/master > ~/devel/fedora/openssh/openssh-8.0p1-pkcs11-uri.patch +# https://github.com/Jakuje/openssh-portable/commits/jjelen-pkcs11 +# git show > ~/devel/fedora/openssh/openssh-8.0p1-pkcs11-uri.patch Patch951: openssh-8.0p1-pkcs11-uri.patch # Unbreak scp between two IPv6 hosts (#1620333) Patch953: openssh-7.8p1-scp-ipv6.patch @@ -210,8 +211,8 @@ Patch962: openssh-8.0p1-crypto-policies.patch Patch963: openssh-8.0p1-openssl-evp.patch # Use OpenSSL KDF (#1631761) Patch964: openssh-8.0p1-openssl-kdf.patch -# Unbreak seccomp filter with latest glibc (#1771946, #1777054) -Patch965: openssh-8.1p1-seccomp-nanosleep.patch +# sk-dummy.so built with -fvisibility=hidden does not work +Patch965: openssh-8.2p1-visibility.patch License: BSD Requires: /sbin/nologin @@ -295,7 +296,7 @@ Requires: openssh = %{version}-%{release} %package -n pam_ssh_agent_auth Summary: PAM module for authentication with ssh-agent Version: %{pam_ssh_agent_ver} -Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}.2 +Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel} License: BSD %description @@ -412,7 +413,7 @@ popd %patch962 -p1 -b .crypto-policies %patch963 -p1 -b .openssl-evp %patch964 -p1 -b .openssl-kdf -%patch965 -p1 -b .seccomp-nanosleep +%patch965 -p1 -b .visibility %patch200 -p1 -b .audit %patch201 -p1 -b .audit-race @@ -427,7 +428,7 @@ popd %build # the -fvisibility=hidden is needed for clean build of the pam_ssh_agent_auth -# and it makes the ssh build more clean and even optimized better +# it is needed for lib(open)ssh build too since it is linked to the pam module too CFLAGS="$RPM_OPT_FLAGS -fvisibility=hidden"; export CFLAGS %if %{rescue} CFLAGS="$CFLAGS -Os" 
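Review bot: Dropping `openssh-8.1p1-seccomp-nanosleep.patch` (Patch965 is now the visibility patch) is not explained in this hunk or in the new changelog entry later in the file, although the seccomp allowlist for `clock_nanosleep`, `clock_nanosleep_time64` and `clock_gettime64` it carried fixed sshd pre-auth sandbox failures (#1771946, #1777054, #1796267). If 8.2p1 allows those syscalls upstream, say so where the patch is removed, e.g. a changelog line `- Drop seccomp-nanosleep patch, merged upstream in 8.2p1`, so the next reviewer can confirm the sandbox still permits them on the affected architectures instead of rediscovering the regression. The new changelog entry also misspells `New upstrem reelase` (should be `New upstream release`).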
@@ -556,6 +557,7 @@ make tests
 rm -rf $RPM_BUILD_ROOT
 mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
 mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d
+mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/sshd_config.d
 mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
 mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
 make install DESTDIR=$RPM_BUILD_ROOT
@@ -569,6 +571,7 @@ install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
 install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
 install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd
 install -m644 ssh_config_redhat $RPM_BUILD_ROOT/etc/ssh/ssh_config.d/05-redhat.conf
+install -m644 sshd_config_redhat $RPM_BUILD_ROOT/etc/ssh/sshd_config.d/05-redhat.conf
 install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
 install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service
 install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
@@ -650,12 +653,14 @@ getent passwd sshd >/dev/null || \
 %attr(0755,root,root) %{_bindir}/sftp
 %attr(0755,root,root) %{_bindir}/ssh-copy-id
 %attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper
+%attr(0755,root,root) %{_libexecdir}/openssh/ssh-sk-helper
 %attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
 %attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
 %attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
 %attr(0644,root,root) %{_mandir}/man1/sftp.1*
 %attr(0644,root,root) %{_mandir}/man1/ssh-copy-id.1*
 %attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
+%attr(0644,root,root) %{_mandir}/man8/ssh-sk-helper.8*
 %endif
 %if ! %{rescue}
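Review bot: `install -m644 sshd_config_redhat $RPM_BUILD_ROOT/etc/ssh/sshd_config.d/05-redhat.conf` (hunk @@ -569) creates the sshd drop-in world-readable in the buildroot, while the %files entry for the same path later in this commit sets 0600; the packaged mode wins, but `install -m600` keeps the two in step and mirrors how sshd_config itself is treated. The more important point is precedence: sshd uses the first value it obtains for each keyword, so if the Include of sshd_config.d (not visible in this hunk, presumably supplied by one of the redhat patches) sits near the top of sshd_config, every option set in 05-redhat.conf silently wins over an administrator's later edit of sshd_config. That is a behaviour change worth a header comment inside 05-redhat.conf and a line in the changelog, so that operators debugging a setting that "does not take" know to look in the drop-in directory first.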
@@ -670,6 +675,8 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_mandir}/man8/sshd.8*
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
 %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
+%dir %attr(0700,root,root) %{_sysconfdir}/ssh/sshd_config.d/
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/05-redhat.conf
 %attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
 %attr(0640,root,root) %config(noreplace) /etc/sysconfig/sshd
 %attr(0644,root,root) %{_unitdir}/sshd.service
@@ -715,6 +722,13 @@ getent passwd sshd >/dev/null || \
 %endif
 %changelog
+* Mon Feb 17 2020 Jakub Jelen - 8.2p1-1 + 0.10.3-9
+- New upstrem reelase (#1803290)
+- New /etc/ssh/sshd_config.d drop in directory
+- Support for U2F security keys
+- Correctly report invalid key permissions (#1801459)
+- Do not write bogus information on stderr in FIPS mode (#1778224)
+
 * Mon Feb 03 2020 Jakub Jelen - 8.1p1-4 + 0.10.3-8
 - Unbreak seccomp filter on ARM (#1796267)
diff --git a/pam_ssh_agent_auth-0.10.2-compat.patch b/pam_ssh_agent_auth-0.10.2-compat.patch
index 6352bfa..d1d4f59 100644
--- a/pam_ssh_agent_auth-0.10.2-compat.patch
+++ b/pam_ssh_agent_auth-0.10.2-compat.patch
@@ -1,6 +1,6 @@
 diff -up openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c
 --- openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
-+++ openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c 2018-08-24 10:22:56.281930322 +0200
++++ openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c 2020-02-07 10:43:05.011757956 +0100
 @@ -27,6 +27,7 @@
  * or implied, of Jamie Beverly.
  */
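Review bot: `%config(noreplace)` on `%{_sysconfdir}/ssh/sshd_config.d/05-redhat.conf` (hunk @@ -670) preserves a locally modified copy across upgrades and parks the new vendor version as `.rpmnew`; for a file whose role is to carry distribution defaults rather than site configuration, that can leave a host on stale settings after a security-motivated update, so plain `%config` (with administrators adding their own files to the directory) may fit better — worth checking against the packaging guidelines for drop-in directories. The `%dir %attr(0700,root,root)` for the directory matches the 0600 sshd_config and is appropriate, since drop-ins can carry the same sensitive options. Separately, the new changelog entry reads `New upstrem reelase`; it should be `New upstream release`.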
@@ -34,7 +34,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openss diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/identity.h --- openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100 -+++ openssh/pam_ssh_agent_auth-0.10.3/identity.h 2018-08-24 10:18:05.009393312 +0200 ++++ openssh/pam_ssh_agent_auth-0.10.3/identity.h 2020-02-07 10:43:05.011757956 +0100 @@ -30,8 +30,8 @@ #include "openbsd-compat/sys-queue.h" #include "xmalloc.h" @@ -56,8 +56,8 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat openssh/pam_ss int tried; int isprivate; /* key points to the private key */ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c ---- openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat 2018-08-24 10:18:05.007393297 +0200 -+++ openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2018-08-24 10:18:32.937612513 +0200 +--- openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat 2020-02-07 10:43:05.009757925 +0100 ++++ openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2020-02-07 10:43:05.012757972 +0100 @@ -36,8 +36,8 @@ #include "openbsd-compat/sys-queue.h" #include "xmalloc.h" @@ -119,7 +119,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat const char * ruser, const char * servicename) { u_char *cookie = NULL; -@@ -114,22 +116,23 @@ pamsshagentauth_session_id2_gen(Buffer * +@@ -114,22 +120,23 @@ pamsshagentauth_session_id2_gen(Buffer * char ** reported_argv = NULL; size_t count = 0; char * action_logbuf = NULL; 
@@ -147,13 +147,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat } cookie[i] = (u_char) rnd; rnd >>= 8; -@@ -139,12 +141,13 @@ pamsshagentauth_session_id2_gen(Buffer * - if (count > 0) { - free_logbuf = 1; - action_logbuf = log_action(reported_argv, count); -- agent_action(&action_agentbuf, reported_argv, count); -+ agent_action(&action_agentbuf, reported_argv, count); - pamsshagentauth_free_command_line(reported_argv, count); +@@ -144,7 +151,8 @@ pamsshagentauth_session_id2_gen(Buffer * } else { action_logbuf = "unknown on this platform"; @@ -163,7 +157,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat } /* -@@ -161,35 +163,39 @@ pamsshagentauth_session_id2_gen(Buffer * +@@ -161,35 +169,39 @@ pamsshagentauth_session_id2_gen(Buffer * retc = getcwd(pwd, sizeof(pwd) - 1); time(&ts); @@ -207,6 +201,14 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat - pamsshagentauth_buffer_free(&action_agentbuf); + free(action_logbuf); + sshbuf_free(action_agentbuf); ++ } ++ /* debug3("hostname: %s", hostname); */ ++ if (reti >= 0) { ++ if ((r = sshbuf_put_cstring(*session_id2, hostname)) != 0) ++ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ } else { ++ if ((r = sshbuf_put_cstring(*session_id2, "")) != 0) ++ fatal("%s: buffer error: %s", __func__, ssh_err(r)); } - /* pamsshagentauth_debug3("hostname: %s", hostname); */ - if(reti >= 0) 
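Review bot: The relocated hostname block (hunk @@ -207) keeps `fatal("%s: buffer error: %s", __func__, ssh_err(r))` as the only failure path for sshbuf_put_cstring; in OpenSSH `fatal()` terminates the process, and inside a PAM module that process is the caller (sudo, login, or whatever stacked the module), so an out-of-memory or buffer error during authentication kills the client rather than returning PAM_AUTH_ERR. The pattern predates this refresh and recurs in the other sshbuf calls of this patch, so it is material for a follow-up rather than a blocker here, but a note such as `/* TODO: fatal() exits the host process; propagate an error to the PAM entry point instead */` at the first such call would record the known gap. The enclosing pamsshagentauth_session_id2_gen body starts and ends outside this hunk.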
@@ -215,21 +217,13 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat - pamsshagentauth_buffer_put_cstring(session_id2, ""); - /* pamsshagentauth_debug3("ts: %ld", ts); */ - pamsshagentauth_buffer_put_int64(session_id2, (uint64_t) ts); -+ /* debug3("hostname: %s", hostname); */ -+ if (reti >= 0) { -+ if ((r = sshbuf_put_cstring(*session_id2, hostname)) != 0) -+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); -+ } else { -+ if ((r = sshbuf_put_cstring(*session_id2, "")) != 0) -+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); -+ } + /* debug3("ts: %ld", ts); */ + if ((r = sshbuf_put_u64(*session_id2, (uint64_t) ts)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); free(cookie); return; -@@ -278,7 +280,8 @@ ssh_get_authentication_connection_for_ui +@@ -278,7 +290,8 @@ ssh_get_authentication_connection_for_ui auth = xmalloc(sizeof(*auth)); auth->fd = sock; @@ -239,7 +233,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat auth->howmany = 0; return auth; -@@ -287,43 +289,42 @@ ssh_get_authentication_connection_for_ui +@@ -287,9 +300,9 @@ ssh_get_authentication_connection_for_ui int pamsshagentauth_find_authorized_keys(const char * user, const char * ruser, const char * servicename) { @@ -251,11 +245,8 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat AuthenticationConnection *ac; char *comment; uint8_t retval = 0; - uid_t uid = getpwnam(ruser)->pw_uid; - - OpenSSL_add_all_digests(); -- pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename); -+ pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename); +@@ -299,31 +312,30 @@ pamsshagentauth_find_authorized_keys(con + pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename); if ((ac = ssh_get_authentication_connection_for_uid(uid))) { - pamsshagentauth_verbose("Contacted ssh-agent of user %s (%u)", ruser, uid); 
@@ -295,8 +286,8 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat return retval; } diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c ---- openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat 2018-08-24 10:18:05.008393305 +0200 -+++ openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c 2018-08-24 10:18:05.009393312 +0200 +--- openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat 2020-02-07 10:43:05.010757940 +0100 ++++ openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c 2020-02-07 10:43:05.012757972 +0100 @@ -104,7 +104,7 @@ pam_sm_authenticate(pam_handle_t * pamh, * a patch 8-) */ @@ -386,7 +377,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open cleanexit: diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c --- openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100 -+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c 2018-08-24 10:18:05.009393312 +0200 ++++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c 2020-02-07 10:43:05.012757972 +0100 @@ -66,8 +66,8 @@ #include "xmalloc.h" #include "match.h" 
@@ -453,7 +444,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compa pamsshagentauth_user_key_allowed2(getpwuid(authorized_keys_file_allowed_owner_uid), diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h --- openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100 -+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h 2018-08-24 10:18:05.010393320 +0200 ++++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h 2020-02-07 10:43:05.012757972 +0100 @@ -32,7 +32,7 @@ #define _PAM_USER_KEY_ALLOWED_H @@ -465,7 +456,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compa #endif diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c --- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100 -+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c 2018-08-24 10:18:05.010393320 +0200 ++++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c 2020-02-07 10:43:05.012757972 +0100 @@ -45,44 +45,46 @@ #include "xmalloc.h" #include "ssh.h" @@ -742,7 +733,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat o } diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h --- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100 -+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h 2018-08-24 10:18:05.010393320 +0200 ++++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h 2020-02-07 10:43:05.012757972 +0100 @@ -32,7 +32,7 @@ #define _PAM_USER_KEY_ALLOWED_H 
@@ -755,7 +746,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat o #endif diff -up openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c --- openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100 -+++ openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c 2018-08-24 10:18:05.010393320 +0200 ++++ openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c 2020-02-07 10:43:05.012757972 +0100 @@ -53,8 +53,8 @@ #include "xmalloc.h" #include "match.h" @@ -799,7 +790,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat openssh } diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c --- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100 -+++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2018-08-24 10:22:13.202657025 +0200 ++++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2020-02-07 10:43:23.520048960 +0100 @@ -37,10 +37,11 @@ #include "xmalloc.h" #include "ssh.h" @@ -814,7 +805,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat #include "pathnames.h" #include "misc.h" #include "secure_filename.h" -@@ -48,54 +48,59 @@ +@@ -48,54 +49,59 @@ #include "identity.h" #include "pam_user_authorized_keys.h" @@ -833,8 +824,8 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat char *pkalg = NULL; u_char *pkblob = NULL, *sig = NULL; - u_int blen = 0, slen = 0; -+ size_t blen = 0, slen = 0; - int authenticated = 0; ++ size_t blen = 0, slen = 0; + int r, authenticated = 0; - pkalg = (char *) key_ssh_name(id->key); 
@@ -879,7 +870,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat /* test for correct signature */ - if(pamsshagentauth_key_verify(id->key, sig, slen, pamsshagentauth_buffer_ptr(&b), pamsshagentauth_buffer_len(&b)) == 1) -+ if (sshkey_verify(id->key, sig, slen, sshbuf_ptr(b), sshbuf_len(b), NULL, 0) == 0) ++ if (sshkey_verify(id->key, sig, slen, sshbuf_ptr(b), sshbuf_len(b), NULL, 0, NULL) == 0) authenticated = 1; user_auth_clean_exit: @@ -898,7 +889,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat } diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h --- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100 -+++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h 2018-08-24 10:18:05.010393320 +0200 ++++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h 2020-02-07 10:43:05.013757988 +0100 @@ -31,7 +31,7 @@ #ifndef _USERAUTH_PUBKEY_FROM_ID_H #define _USERAUTH_PUBKEY_FROM_ID_H @@ -911,7 +902,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat #endif diff -up openssh/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/uuencode.c --- openssh/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100 -+++ openssh/pam_ssh_agent_auth-0.10.3/uuencode.c 2018-08-24 10:18:05.010393320 +0200 ++++ openssh/pam_ssh_agent_auth-0.10.3/uuencode.c 2020-02-07 10:43:05.013757988 +0100 @@ -56,7 +56,7 @@ pamsshagentauth_uudecode(const char *src /* and remove trailing whitespace because __b64_pton needs this */ *p = '\0'; diff --git a/pam_ssh_agent_auth-0.9.3-build.patch b/pam_ssh_agent_auth-0.9.3-build.patch index f269b97..bb9a94d 100644 --- a/pam_ssh_agent_auth-0.9.3-build.patch +++ b/pam_ssh_agent_auth-0.9.3-build.patch 
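Review bot: The refreshed `sshkey_verify(id->key, sig, slen, sshbuf_ptr(b), sshbuf_len(b), NULL, 0, NULL) == 0` (hunk @@ -879) passes NULL for both the expected algorithm and the new trailing `sig_details` argument. With the algorithm NULL, the signature blob dictates which algorithm is verified, so nothing on this path can pin an RSA key to rsa-sha2-* the way sshd does with the negotiated name; a `pkalg` variable exists in this function (hunk @@ -48 above), though what the new side assigns to it is not visible here. With `sig_details` NULL, and ssh-sk-client.o now linked into the module by the Makefile hunk in pam_ssh_agent_auth-0.9.3-build.patch, a signature from an sk-* key would be accepted without the user-presence check that sshd performs on `sig_details->sk_flags`; if sk-* keys are meant to work here the flag check should be added, otherwise a comment stating that sk-* keys are unsupported by the module would document the decision. The enclosing function continues outside the hunk.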
@@ -159,15 +159,17 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in.psaa-build openssh- LIBS=@LIBS@ AR=@AR@ AWK=@AWK@ -@@ -61,7 +61,7 @@ INSTALL=@INSTALL@ +@@ -61,8 +61,8 @@ INSTALL=@INSTALL@ PERL=@PERL@ SED=@SED@ ENT=@ENT@ -LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@ +-LDFLAGS_SHARED = @LDFLAGS_SHARED@ +LDFLAGS=-L.. -L../openbsd-compat/ @LDFLAGS@ - LDFLAGS_SHARED = @LDFLAGS_SHARED@ ++LDFLAGS_SHARED =-Wl,-z,defs @LDFLAGS_SHARED@ EXEEXT=@EXEEXT@ + INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@ @@ -74,7 +74,7 @@ SSHOBJS=xmalloc.o atomicio.o authfd.o bu ED25519OBJS=ed25519-donna/ed25519.o @@ -189,8 +191,8 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in.psaa-build openssh- -pam_ssh_agent_auth.so: $(LIBCOMPAT) $(SSHOBJS) $(ED25519OBJS) $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o - $(LD) $(LDFLAGS_SHARED) -o $@ $(SSHOBJS) $(ED25519OBJS) $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lopenbsd-compat pam_ssh_agent_auth.o $(LIBS) -lpam -+pam_ssh_agent_auth.so: $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o ../uidswap.o -+ $(LD) $(LDFLAGS_SHARED) -o $@ $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat pam_ssh_agent_auth.o ../uidswap.o $(LIBS) -lpam ++pam_ssh_agent_auth.so: $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o ../uidswap.o ../ssh-sk-client.o ++ $(LD) $(LDFLAGS_SHARED) -o $@ $(PAM_SSH_AGENT_AUTH_OBJS) ../ssh-sk-client.o $(LDFLAGS) -lssh -lopenbsd-compat pam_ssh_agent_auth.o ../uidswap.o $(LIBS) -lpam $(MANPAGES): $(MANPAGES_IN) pod2man --section=8 --release=v0.10.3 --name=pam_ssh_agent_auth --official --center "PAM" pam_ssh_agent_auth.pod > pam_ssh_agent_auth.8 diff --git a/sources b/sources index 7575af1..c951140 100644 --- a/sources +++ b/sources 
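Review bot: `LDFLAGS_SHARED =-Wl,-z,defs @LDFLAGS_SHARED@` and the added `../ssh-sk-client.o` in the pam_ssh_agent_auth.so rule (hunk @@ -159) belong together, but the patch does not say so: `-z defs` turns an unresolved symbol in the module into a link error instead of a dlopen failure inside the PAM stack, which is the right direction for an authentication module, and ssh-sk-client.o appears to be there only to satisfy the sshsk_* references that the shared libssh objects now carry. A comment next to the rule, e.g. `# -z defs: unresolved symbols fail at link time, not at PAM load; ssh-sk-client.o resolves the sshsk_* symbols libssh references`, would stop the next refresh from dropping one half of the pair. ssh-sk-client.c is the code that spawns the external ssh-sk-helper, so it is also worth confirming that no code path reachable from the module (which only verifies signatures) can invoke it, and noting that in the same comment.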
@@ -1,4 +1,4 @@
-SHA512 (openssh-8.1p1.tar.gz) = b987ea4ffd4ab0c94110723860273b06ed8ffb4d21cbd99ca144a4722dc55f4bf86f6253d500386b6bee7af50f066e2aa2dd095d50746509a10e11221d39d925
-SHA512 (openssh-8.1p1.tar.gz.asc) = f36458ef8822376a5b305cfbc971f5d2db8bf2f48fea9a957e02ef2fc27a48bacb59495587fee81fa2d89bca6250a8fb407e1f5a7dae7ceb361ab332c0771344
+SHA512 (openssh-8.2p1.tar.gz) = c4db64e52a3a4c410de9de49f9cb104dd493b10250af3599b92457dd986277b3fd99a6f51cec94892fd1be5bd0369c5757262ea7805f0de464b245c3d34c120a
+SHA512 (openssh-8.2p1.tar.gz.asc) = e6d091289d62d3a01d5978e3c26f72d8ea6979c345fbebc215515185ea567c959f5b17e32052d752829ab4c6bc537fd977f7aa02cf0a23280da63fd9d880f303
 SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
 SHA512 (pam_ssh_agent_auth-0.10.3.tar.bz2) = d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66