import UBI openssh-8.0p1-24.el8
This commit is contained in:
parent
b6a876a1a7
commit
6d16bfdb3c
@ -136,18 +136,6 @@ diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c
|
|||||||
if (tun != SSH_TUNID_ANY &&
|
if (tun != SSH_TUNID_ANY &&
|
||||||
auth_opts->force_tun_device != (int)tun)
|
auth_opts->force_tun_device != (int)tun)
|
||||||
goto done;
|
goto done;
|
||||||
diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
|
|
||||||
--- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
|
||||||
+++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100
|
|
||||||
@@ -224,7 +224,7 @@ killchild(int signo)
|
|
||||||
{
|
|
||||||
if (sshpid > 1) {
|
|
||||||
kill(sshpid, SIGTERM);
|
|
||||||
- waitpid(sshpid, NULL, 0);
|
|
||||||
+ (void) waitpid(sshpid, NULL, 0);
|
|
||||||
}
|
|
||||||
|
|
||||||
_exit(1);
|
|
||||||
diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
|
diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
|
||||||
--- openssh-7.4p1/ssh-agent.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
--- openssh-7.4p1/ssh-agent.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
||||||
+++ openssh-7.4p1/ssh-agent.c 2016-12-23 16:40:26.903788691 +0100
|
+++ openssh-7.4p1/ssh-agent.c 2016-12-23 16:40:26.903788691 +0100
|
||||||
|
@ -471,12 +471,53 @@ diff -up openssh-7.9p1/sshkey.c.fips openssh-7.9p1/sshkey.c
|
|||||||
|
|
||||||
#include "xmss_fast.h"
|
#include "xmss_fast.h"
|
||||||
|
|
||||||
|
@@ -392,7 +394,8 @@ sshkey_calculate_signature(EVP_PKEY *pkey
|
||||||
|
{
|
||||||
|
EVP_MD_CTX *ctx = NULL;
|
||||||
|
u_char *sig = NULL;
|
||||||
|
- int ret, slen, len;
|
||||||
|
+ int ret, slen;
|
||||||
|
+ size_t len;
|
||||||
|
|
||||||
|
if (sigp == NULL || lenp == NULL) {
|
||||||
|
return SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
@@ -411,9 +414,10 @@ sshkey_calculate_signature(EVP_PKEY *pkey
|
||||||
|
ret = SSH_ERR_ALLOC_FAIL;
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
- if (EVP_SignInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 ||
|
||||||
|
- EVP_SignUpdate(ctx, data, datalen) <= 0 ||
|
||||||
|
- EVP_SignFinal(ctx, sig, &len, pkey) <= 0) {
|
||||||
|
+ if (EVP_DigestSignInit(ctx, NULL, ssh_digest_to_md(hash_alg),
|
||||||
|
+ NULL, pkey) != 1 ||
|
||||||
|
+ EVP_DigestSignUpdate(ctx, data, datalen) != 1 ||
|
||||||
|
+ EVP_DigestSignFinal(ctx, sig, &len) != 1) {
|
||||||
|
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
@@ -440,12 +444,13 @@ sshkey_verify_signature(EVP_PKEY *pkey
|
||||||
|
if ((ctx = EVP_MD_CTX_new()) == NULL) {
|
||||||
|
return SSH_ERR_ALLOC_FAIL;
|
||||||
|
}
|
||||||
|
- if (EVP_VerifyInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 ||
|
||||||
|
- EVP_VerifyUpdate(ctx, data, datalen) <= 0) {
|
||||||
|
+ if (EVP_DigestVerifyInit(ctx, NULL, ssh_digest_to_md(hash_alg),
|
||||||
|
+ NULL, pkey) != 1 ||
|
||||||
|
+ EVP_DigestVerifyUpdate(ctx, data, datalen) != 1) {
|
||||||
|
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
- ret = EVP_VerifyFinal(ctx, sigbuf, siglen, pkey);
|
||||||
|
+ ret = EVP_DigestVerifyFinal(ctx, sigbuf, siglen);
|
||||||
|
switch (ret) {
|
||||||
|
case 1:
|
||||||
|
ret = 0;
|
||||||
@@ -1514,6 +1516,8 @@ rsa_generate_private_key(u_int bits, RSA
|
@@ -1514,6 +1516,8 @@ rsa_generate_private_key(u_int bits, RSA
|
||||||
}
|
}
|
||||||
if (!BN_set_word(f4, RSA_F4) ||
|
if (!BN_set_word(f4, RSA_F4) ||
|
||||||
!RSA_generate_key_ex(private, bits, f4, NULL)) {
|
!RSA_generate_key_ex(private, bits, f4, NULL)) {
|
||||||
+ if (FIPS_mode())
|
+ if (FIPS_mode())
|
||||||
+ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__);
|
+ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__);
|
||||||
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@ -515,3 +556,14 @@ diff -up openssh-7.9p1/ssh-keygen.c.fips openssh-7.9p1/ssh-keygen.c
|
|||||||
if ((fd = mkstemp(prv_tmp)) == -1) {
|
if ((fd = mkstemp(prv_tmp)) == -1) {
|
||||||
error("Could not save your public key in %s: %s",
|
error("Could not save your public key in %s: %s",
|
||||||
prv_tmp, strerror(errno));
|
prv_tmp, strerror(errno));
|
||||||
|
diff -up openssh-8.0p1/sshd_config.xxx openssh-8.0p1/sshd_config
|
||||||
|
--- openssh-8.0p1/sshd_config.xxx 2023-10-30 13:01:59.150952364 +0100
|
||||||
|
+++ openssh-8.0p1/sshd_config 2023-10-30 13:02:56.662231354 +0100
|
||||||
|
@@ -21,6 +21,7 @@
|
||||||
|
|
||||||
|
HostKey /etc/ssh/ssh_host_rsa_key
|
||||||
|
HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||||
|
+#In FIPS mode Ed25519 keys are not supported, please comment out the next line
|
||||||
|
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||||
|
|
||||||
|
# Ciphers and keying
|
||||||
|
20
SOURCES/openssh-8.0p1-avoidkillall.patch
Normal file
20
SOURCES/openssh-8.0p1-avoidkillall.patch
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
diff --git a/sftp.c b/sftp.c
|
||||||
|
index b66037f1..54538ff9 100644
|
||||||
|
--- a/sftp.c
|
||||||
|
+++ b/sftp.c
|
||||||
|
@@ -220,9 +220,12 @@ static const struct CMD cmds[] = {
|
||||||
|
static void
|
||||||
|
killchild(int signo)
|
||||||
|
{
|
||||||
|
- if (sshpid > 1) {
|
||||||
|
- kill(sshpid, SIGTERM);
|
||||||
|
- waitpid(sshpid, NULL, 0);
|
||||||
|
+ pid_t pid;
|
||||||
|
+
|
||||||
|
+ pid = sshpid;
|
||||||
|
+ if (pid > 1) {
|
||||||
|
+ kill(pid, SIGTERM);
|
||||||
|
+ (void)waitpid(pid, NULL, 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
_exit(1);
|
13
SOURCES/openssh-8.0p1-bigsshdconfig.patch
Normal file
13
SOURCES/openssh-8.0p1-bigsshdconfig.patch
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
diff --git a/msg.c b/msg.c
|
||||||
|
index 99c25cd2..574a566e 100644
|
||||||
|
--- a/msg.c
|
||||||
|
+++ b/msg.c
|
||||||
|
@@ -77,7 +77,7 @@ ssh_msg_recv(int fd, struct sshbuf *m)
|
||||||
|
return (-1);
|
||||||
|
}
|
||||||
|
msg_len = get_u32(buf);
|
||||||
|
- if (msg_len > 256 * 1024) {
|
||||||
|
+ if (msg_len > sshbuf_max_size(m)) {
|
||||||
|
error("ssh_msg_recv: read: bad msg_len %u", msg_len);
|
||||||
|
return (-1);
|
||||||
|
}
|
@ -1509,7 +1509,7 @@ new file mode 100644
|
|||||||
index 00000000..0b2f6a56
|
index 00000000..0b2f6a56
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/kexgssc.c
|
+++ b/kexgssc.c
|
||||||
@@ -0,0 +1,595 @@
|
@@ -0,0 +1,618 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||||
+ *
|
+ *
|
||||||
@ -1571,7 +1571,7 @@ index 00000000..0b2f6a56
|
|||||||
+ struct sshbuf *server_blob = NULL;
|
+ struct sshbuf *server_blob = NULL;
|
||||||
+ struct sshbuf *shared_secret = NULL;
|
+ struct sshbuf *shared_secret = NULL;
|
||||||
+ struct sshbuf *server_host_key_blob = NULL;
|
+ struct sshbuf *server_host_key_blob = NULL;
|
||||||
+ struct sshbuf *empty = sshbuf_new();
|
+ struct sshbuf *empty = NULL;
|
||||||
+ u_char *msg;
|
+ u_char *msg;
|
||||||
+ int type = 0;
|
+ int type = 0;
|
||||||
+ int first = 1;
|
+ int first = 1;
|
||||||
@ -1610,8 +1610,10 @@ index 00000000..0b2f6a56
|
|||||||
+ default:
|
+ default:
|
||||||
+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
|
+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
|
||||||
+ }
|
+ }
|
||||||
+ if (r != 0)
|
+ if (r != 0) {
|
||||||
|
+ ssh_gssapi_delete_ctx(&ctxt);
|
||||||
+ return r;
|
+ return r;
|
||||||
|
+ }
|
||||||
+
|
+
|
||||||
+ token_ptr = GSS_C_NO_BUFFER;
|
+ token_ptr = GSS_C_NO_BUFFER;
|
||||||
+
|
+
|
||||||
@ -1674,11 +1676,16 @@ index 00000000..0b2f6a56
|
|||||||
+ do {
|
+ do {
|
||||||
+ type = ssh_packet_read(ssh);
|
+ type = ssh_packet_read(ssh);
|
||||||
+ if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
|
+ if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
|
||||||
|
+ char *tmp = NULL;
|
||||||
|
+ size_t tmp_len = 0;
|
||||||
|
+
|
||||||
+ debug("Received KEXGSS_HOSTKEY");
|
+ debug("Received KEXGSS_HOSTKEY");
|
||||||
+ if (server_host_key_blob)
|
+ if (server_host_key_blob)
|
||||||
+ fatal("Server host key received more than once");
|
+ fatal("Server host key received more than once");
|
||||||
+ if ((r = sshpkt_getb_froms(ssh, &server_host_key_blob)) != 0)
|
+ if ((r = sshpkt_get_string(ssh, &tmp, &tmp_len)) != 0)
|
||||||
+ fatal("Failed to read server host key: %s", ssh_err(r));
|
+ fatal("Failed to read server host key: %s", ssh_err(r));
|
||||||
|
+ if ((server_host_key_blob = sshbuf_from(tmp, tmp_len)) == NULL)
|
||||||
|
+ fatal("sshbuf_from failed");
|
||||||
+ }
|
+ }
|
||||||
+ } while (type == SSH2_MSG_KEXGSS_HOSTKEY);
|
+ } while (type == SSH2_MSG_KEXGSS_HOSTKEY);
|
||||||
+
|
+
|
||||||
@ -1779,6 +1786,11 @@ index 00000000..0b2f6a56
|
|||||||
+ if (r != 0)
|
+ if (r != 0)
|
||||||
+ goto out;
|
+ goto out;
|
||||||
+
|
+
|
||||||
|
+ if ((empty = sshbuf_new()) == NULL) {
|
||||||
|
+ r = SSH_ERR_ALLOC_FAIL;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
+ hashlen = sizeof(hash);
|
+ hashlen = sizeof(hash);
|
||||||
+ if ((r = kex_gen_hash(
|
+ if ((r = kex_gen_hash(
|
||||||
+ kex->hash_alg,
|
+ kex->hash_alg,
|
||||||
@ -1848,7 +1860,7 @@ index 00000000..0b2f6a56
|
|||||||
+ size_t hashlen;
|
+ size_t hashlen;
|
||||||
+ const BIGNUM *pub_key, *dh_p, *dh_g;
|
+ const BIGNUM *pub_key, *dh_p, *dh_g;
|
||||||
+ int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX;
|
+ int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX;
|
||||||
+ struct sshbuf *empty = sshbuf_new();
|
+ struct sshbuf *empty = NULL;
|
||||||
+ u_char c;
|
+ u_char c;
|
||||||
+ int r;
|
+ int r;
|
||||||
+
|
+
|
||||||
@ -1960,11 +1972,16 @@ index 00000000..0b2f6a56
|
|||||||
+ do {
|
+ do {
|
||||||
+ type = ssh_packet_read(ssh);
|
+ type = ssh_packet_read(ssh);
|
||||||
+ if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
|
+ if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
|
||||||
|
+ char *tmp = NULL;
|
||||||
|
+ size_t tmp_len = 0;
|
||||||
|
+
|
||||||
+ debug("Received KEXGSS_HOSTKEY");
|
+ debug("Received KEXGSS_HOSTKEY");
|
||||||
+ if (server_host_key_blob)
|
+ if (server_host_key_blob)
|
||||||
+ fatal("Server host key received more than once");
|
+ fatal("Server host key received more than once");
|
||||||
+ if ((r = sshpkt_getb_froms(ssh, &server_host_key_blob)) != 0)
|
+ if ((r = sshpkt_get_string(ssh, &tmp, &tmp_len)) != 0)
|
||||||
+ fatal("sshpkt failed: %s", ssh_err(r));
|
+ fatal("sshpkt failed: %s", ssh_err(r));
|
||||||
|
+ if ((server_host_key_blob = sshbuf_from(tmp, tmp_len)) == NULL)
|
||||||
|
+ fatal("sshbuf_from failed");
|
||||||
+ }
|
+ }
|
||||||
+ } while (type == SSH2_MSG_KEXGSS_HOSTKEY);
|
+ } while (type == SSH2_MSG_KEXGSS_HOSTKEY);
|
||||||
+
|
+
|
||||||
@ -2040,6 +2057,7 @@ index 00000000..0b2f6a56
|
|||||||
+ (r = sshbuf_get_bignum2(buf, &dh_server_pub)) != 0)
|
+ (r = sshbuf_get_bignum2(buf, &dh_server_pub)) != 0)
|
||||||
+ goto out;
|
+ goto out;
|
||||||
+ sshbuf_free(buf);
|
+ sshbuf_free(buf);
|
||||||
|
+ buf = NULL;
|
||||||
+
|
+
|
||||||
+ if ((shared_secret = sshbuf_new()) == NULL) {
|
+ if ((shared_secret = sshbuf_new()) == NULL) {
|
||||||
+ r = SSH_ERR_ALLOC_FAIL;
|
+ r = SSH_ERR_ALLOC_FAIL;
|
||||||
@ -2048,6 +2066,10 @@ index 00000000..0b2f6a56
|
|||||||
+
|
+
|
||||||
+ if ((r = kex_dh_compute_key(kex, dh_server_pub, shared_secret)) != 0)
|
+ if ((r = kex_dh_compute_key(kex, dh_server_pub, shared_secret)) != 0)
|
||||||
+ goto out;
|
+ goto out;
|
||||||
|
+ if ((empty = sshbuf_new()) == NULL) {
|
||||||
|
+ r = SSH_ERR_ALLOC_FAIL;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
+
|
+
|
||||||
+ DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
|
+ DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g);
|
||||||
+ hashlen = sizeof(hash);
|
+ hashlen = sizeof(hash);
|
||||||
@ -2094,6 +2116,7 @@ index 00000000..0b2f6a56
|
|||||||
+ if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) == 0)
|
+ if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) == 0)
|
||||||
+ r = kex_send_newkeys(ssh);
|
+ r = kex_send_newkeys(ssh);
|
||||||
+out:
|
+out:
|
||||||
|
+ sshbuf_free(buf);
|
||||||
+ sshbuf_free(server_blob);
|
+ sshbuf_free(server_blob);
|
||||||
+ sshbuf_free(empty);
|
+ sshbuf_free(empty);
|
||||||
+ explicit_bzero(hash, sizeof(hash));
|
+ explicit_bzero(hash, sizeof(hash));
|
||||||
@ -2110,7 +2133,7 @@ new file mode 100644
|
|||||||
index 00000000..60bc02de
|
index 00000000..60bc02de
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/kexgsss.c
|
+++ b/kexgsss.c
|
||||||
@@ -0,0 +1,474 @@
|
@@ -0,0 +1,482 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||||
+ *
|
+ *
|
||||||
@ -2177,7 +2200,7 @@ index 00000000..60bc02de
|
|||||||
+ */
|
+ */
|
||||||
+
|
+
|
||||||
+ OM_uint32 ret_flags = 0;
|
+ OM_uint32 ret_flags = 0;
|
||||||
+ gss_buffer_desc gssbuf, recv_tok, msg_tok;
|
+ gss_buffer_desc gssbuf = {0, NULL}, recv_tok, msg_tok;
|
||||||
+ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
|
+ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
|
||||||
+ Gssctxt *ctxt = NULL;
|
+ Gssctxt *ctxt = NULL;
|
||||||
+ struct sshbuf *shared_secret = NULL;
|
+ struct sshbuf *shared_secret = NULL;
|
||||||
@ -2217,7 +2240,7 @@ index 00000000..60bc02de
|
|||||||
+ type = ssh_packet_read(ssh);
|
+ type = ssh_packet_read(ssh);
|
||||||
+ switch(type) {
|
+ switch(type) {
|
||||||
+ case SSH2_MSG_KEXGSS_INIT:
|
+ case SSH2_MSG_KEXGSS_INIT:
|
||||||
+ if (client_pubkey != NULL)
|
+ if (gssbuf.value != NULL)
|
||||||
+ fatal("Received KEXGSS_INIT after initialising");
|
+ fatal("Received KEXGSS_INIT after initialising");
|
||||||
+ if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
|
+ if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
|
||||||
+ &recv_tok)) != 0 ||
|
+ &recv_tok)) != 0 ||
|
||||||
@ -2248,6 +2271,31 @@ index 00000000..60bc02de
|
|||||||
+ goto out;
|
+ goto out;
|
||||||
+
|
+
|
||||||
+ /* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */
|
+ /* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */
|
||||||
|
+
|
||||||
|
+ /* Calculate the hash early so we can free the
|
||||||
|
+ * client_pubkey, which has reference to the parent
|
||||||
|
+ * buffer state->incoming_packet
|
||||||
|
+ */
|
||||||
|
+ hashlen = sizeof(hash);
|
||||||
|
+ if ((r = kex_gen_hash(
|
||||||
|
+ kex->hash_alg,
|
||||||
|
+ kex->client_version,
|
||||||
|
+ kex->server_version,
|
||||||
|
+ kex->peer,
|
||||||
|
+ kex->my,
|
||||||
|
+ empty,
|
||||||
|
+ client_pubkey,
|
||||||
|
+ server_pubkey,
|
||||||
|
+ shared_secret,
|
||||||
|
+ hash, &hashlen)) != 0)
|
||||||
|
+ goto out;
|
||||||
|
+
|
||||||
|
+ gssbuf.value = hash;
|
||||||
|
+ gssbuf.length = hashlen;
|
||||||
|
+
|
||||||
|
+ sshbuf_free(client_pubkey);
|
||||||
|
+ client_pubkey = NULL;
|
||||||
|
+
|
||||||
+ break;
|
+ break;
|
||||||
+ case SSH2_MSG_KEXGSS_CONTINUE:
|
+ case SSH2_MSG_KEXGSS_CONTINUE:
|
||||||
+ if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
|
+ if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
|
||||||
@ -2269,7 +2317,7 @@ index 00000000..60bc02de
|
|||||||
+ if (maj_status != GSS_S_COMPLETE && send_tok.length == 0)
|
+ if (maj_status != GSS_S_COMPLETE && send_tok.length == 0)
|
||||||
+ fatal("Zero length token output when incomplete");
|
+ fatal("Zero length token output when incomplete");
|
||||||
+
|
+
|
||||||
+ if (client_pubkey == NULL)
|
+ if (gssbuf.value == NULL)
|
||||||
+ fatal("No client public key");
|
+ fatal("No client public key");
|
||||||
+
|
+
|
||||||
+ if (maj_status & GSS_S_CONTINUE_NEEDED) {
|
+ if (maj_status & GSS_S_CONTINUE_NEEDED) {
|
||||||
@ -2298,23 +2346,6 @@ index 00000000..60bc02de
|
|||||||
+ if (!(ret_flags & GSS_C_INTEG_FLAG))
|
+ if (!(ret_flags & GSS_C_INTEG_FLAG))
|
||||||
+ fatal("Integrity flag wasn't set");
|
+ fatal("Integrity flag wasn't set");
|
||||||
+
|
+
|
||||||
+ hashlen = sizeof(hash);
|
|
||||||
+ if ((r = kex_gen_hash(
|
|
||||||
+ kex->hash_alg,
|
|
||||||
+ kex->client_version,
|
|
||||||
+ kex->server_version,
|
|
||||||
+ kex->peer,
|
|
||||||
+ kex->my,
|
|
||||||
+ empty,
|
|
||||||
+ client_pubkey,
|
|
||||||
+ server_pubkey,
|
|
||||||
+ shared_secret,
|
|
||||||
+ hash, &hashlen)) != 0)
|
|
||||||
+ goto out;
|
|
||||||
+
|
|
||||||
+ gssbuf.value = hash;
|
|
||||||
+ gssbuf.length = hashlen;
|
|
||||||
+
|
|
||||||
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt, &gssbuf, &msg_tok))))
|
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt, &gssbuf, &msg_tok))))
|
||||||
+ fatal("Couldn't get MIC");
|
+ fatal("Couldn't get MIC");
|
||||||
+
|
+
|
||||||
|
46
SOURCES/openssh-8.7p1-scp-kill-switch.patch
Normal file
46
SOURCES/openssh-8.7p1-scp-kill-switch.patch
Normal file
@ -0,0 +1,46 @@
|
|||||||
|
diff -up openssh-8.7p1/pathnames.h.kill-scp openssh-8.7p1/pathnames.h
|
||||||
|
--- openssh-8.7p1/pathnames.h.kill-scp 2021-09-16 11:37:57.240171687 +0200
|
||||||
|
+++ openssh-8.7p1/pathnames.h 2021-09-16 11:42:29.183427917 +0200
|
||||||
|
@@ -42,6 +42,7 @@
|
||||||
|
#define _PATH_HOST_XMSS_KEY_FILE SSHDIR "/ssh_host_xmss_key"
|
||||||
|
#define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key"
|
||||||
|
#define _PATH_DH_MODULI SSHDIR "/moduli"
|
||||||
|
+#define _PATH_SCP_KILL_SWITCH SSHDIR "/disable_scp"
|
||||||
|
|
||||||
|
#ifndef _PATH_SSH_PROGRAM
|
||||||
|
#define _PATH_SSH_PROGRAM "/usr/bin/ssh"
|
||||||
|
diff -up openssh-8.7p1/scp.1.kill-scp openssh-8.7p1/scp.1
|
||||||
|
--- openssh-8.7p1/scp.1.kill-scp 2021-09-16 12:09:02.646714578 +0200
|
||||||
|
+++ openssh-8.7p1/scp.1 2021-09-16 12:26:49.978628226 +0200
|
||||||
|
@@ -278,6 +278,13 @@ to print debugging messages about their
|
||||||
|
This is helpful in
|
||||||
|
debugging connection, authentication, and configuration problems.
|
||||||
|
.El
|
||||||
|
+.Pp
|
||||||
|
+Usage of SCP protocol can be blocked by creating a world-readable
|
||||||
|
+.Ar /etc/ssh/disable_scp
|
||||||
|
+file. If this file exists, when SCP protocol is in use (either remotely or
|
||||||
|
+via the
|
||||||
|
+.Fl O
|
||||||
|
+option), the program will exit.
|
||||||
|
.Sh EXIT STATUS
|
||||||
|
.Ex -std scp
|
||||||
|
.Sh SEE ALSO
|
||||||
|
diff -up openssh-8.7p1/scp.c.kill-scp openssh-8.7p1/scp.c
|
||||||
|
--- openssh-8.7p1/scp.c.kill-scp 2021-09-16 11:42:56.013650519 +0200
|
||||||
|
+++ openssh-8.7p1/scp.c 2021-09-16 11:53:03.249713836 +0200
|
||||||
|
@@ -596,6 +596,14 @@ main(int argc, char **argv)
|
||||||
|
argc -= optind;
|
||||||
|
argv += optind;
|
||||||
|
|
||||||
|
+ {
|
||||||
|
+ FILE *f = fopen(_PATH_SCP_KILL_SWITCH, "r");
|
||||||
|
+ if (f != NULL) {
|
||||||
|
+ fclose(f);
|
||||||
|
+ fatal("SCP protocol is forbidden via %s", _PATH_SCP_KILL_SWITCH);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if ((pwd = getpwuid(userid = getuid())) == NULL)
|
||||||
|
fatal("unknown user %u", (u_int) userid);
|
||||||
|
|
33
SOURCES/openssh-9.4p2-limit-delay.patch
Normal file
33
SOURCES/openssh-9.4p2-limit-delay.patch
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
diff -u -p -r1.166 auth2.c
|
||||||
|
--- a/auth2.c 8 Mar 2023 04:43:12 -0000 1.166
|
||||||
|
+++ b/auth2.c 28 Aug 2023 08:32:44 -0000
|
||||||
|
@@ -208,6 +208,7 @@ input_service_request(int type, u_int32_
|
||||||
|
}
|
||||||
|
|
||||||
|
#define MIN_FAIL_DELAY_SECONDS 0.005
|
||||||
|
+#define MAX_FAIL_DELAY_SECONDS 5.0
|
||||||
|
static double
|
||||||
|
user_specific_delay(const char *user)
|
||||||
|
{
|
||||||
|
@@ -233,6 +234,12 @@ ensure_minimum_time_since(double start,
|
||||||
|
struct timespec ts;
|
||||||
|
double elapsed = monotime_double() - start, req = seconds, remain;
|
||||||
|
|
||||||
|
+ if (elapsed > MAX_FAIL_DELAY_SECONDS) {
|
||||||
|
+ debug3("elapsed %0.3lfms exceeded the max delay "
|
||||||
|
+ "requested %0.3lfms)", elapsed*1000, req*1000);
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* if we've already passed the requested time, scale up */
|
||||||
|
while ((remain = seconds - elapsed) < 0.0)
|
||||||
|
seconds *= 2;
|
||||||
|
@@ -317,7 +324,7 @@ input_userauth_request(int type, u_int32
|
||||||
|
debug2("input_userauth_request: try method %s", method);
|
||||||
|
authenticated = m->userauth(ssh);
|
||||||
|
}
|
||||||
|
- if (!authctxt->authenticated)
|
||||||
|
+ if (!authctxt->authenticated && strcmp(method, "none") != 0)
|
||||||
|
ensure_minimum_time_since(tstart,
|
||||||
|
user_specific_delay(authctxt->user));
|
||||||
|
userauth_finish(ssh, authenticated, method, NULL);
|
@ -66,14 +66,14 @@
|
|||||||
|
|
||||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||||
%global openssh_ver 8.0p1
|
%global openssh_ver 8.0p1
|
||||||
%global openssh_rel 19
|
%global openssh_rel 24
|
||||||
%global pam_ssh_agent_ver 0.10.3
|
%global pam_ssh_agent_ver 0.10.3
|
||||||
%global pam_ssh_agent_rel 7
|
%global pam_ssh_agent_rel 7
|
||||||
|
|
||||||
Summary: An open source implementation of SSH protocol version 2
|
Summary: An open source implementation of SSH protocol version 2
|
||||||
Name: openssh
|
Name: openssh
|
||||||
Version: %{openssh_ver}
|
Version: %{openssh_ver}
|
||||||
Release: %{openssh_rel}%{?dist}%{?rescue_rel}.2
|
Release: %{openssh_rel}%{?dist}%{?rescue_rel}
|
||||||
URL: http://www.openssh.com/portable.html
|
URL: http://www.openssh.com/portable.html
|
||||||
#URL1: http://pamsshagentauth.sourceforge.net
|
#URL1: http://pamsshagentauth.sourceforge.net
|
||||||
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||||
@ -277,13 +277,21 @@ Patch985: openssh-8.7p1-minimize-sha1-use.patch
|
|||||||
Patch986: openssh-9.1p1-sshbanner.patch
|
Patch986: openssh-9.1p1-sshbanner.patch
|
||||||
# Upstream 25e3bccbaa63d27b9d5e09c123f1eb28594d2bd6
|
# Upstream 25e3bccbaa63d27b9d5e09c123f1eb28594d2bd6
|
||||||
Patch987: openssh-8.0p1-ipv6-process.patch
|
Patch987: openssh-8.0p1-ipv6-process.patch
|
||||||
|
# Upstream 4332b4fe49360679647a8705bc08f4e81323f6b4
|
||||||
|
Patch988: openssh-8.0p1-avoidkillall.patch
|
||||||
|
# Upstream 89b54900ac61986760452f132bbe3fb7249cfdac
|
||||||
|
Patch989: openssh-8.0p1-bigsshdconfig.patch
|
||||||
# upsream commit
|
# upsream commit
|
||||||
# b23fe83f06ee7e721033769cfa03ae840476d280
|
# b23fe83f06ee7e721033769cfa03ae840476d280
|
||||||
Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch
|
Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch
|
||||||
|
#upstream commit 01dbf3d46651b7d6ddf5e45d233839bbfffaeaec
|
||||||
|
Patch1017: openssh-9.4p2-limit-delay.patch
|
||||||
#upstream commit 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
|
#upstream commit 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
|
||||||
Patch1018: openssh-9.6p1-CVE-2023-48795.patch
|
Patch1018: openssh-9.6p1-CVE-2023-48795.patch
|
||||||
#upstream commit 7ef3787c84b6b524501211b11a26c742f829af1a
|
#upstream commit 7ef3787c84b6b524501211b11a26c742f829af1a
|
||||||
Patch1019: openssh-9.6p1-CVE-2023-51385.patch
|
Patch1019: openssh-9.6p1-CVE-2023-51385.patch
|
||||||
|
# SCP kill switch
|
||||||
|
Patch1020: openssh-8.7p1-scp-kill-switch.patch
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
Group: Applications/Internet
|
Group: Applications/Internet
|
||||||
@ -376,7 +384,7 @@ Requires: openssh = %{version}-%{release}
|
|||||||
Summary: PAM module for authentication with ssh-agent
|
Summary: PAM module for authentication with ssh-agent
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Version: %{pam_ssh_agent_ver}
|
Version: %{pam_ssh_agent_ver}
|
||||||
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}.2
|
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}
|
||||||
License: BSD
|
License: BSD
|
||||||
|
|
||||||
%description
|
%description
|
||||||
@ -517,6 +525,8 @@ popd
|
|||||||
%patch985 -p1 -b .minimize-sha1-use
|
%patch985 -p1 -b .minimize-sha1-use
|
||||||
%patch986 -p1 -b .banner
|
%patch986 -p1 -b .banner
|
||||||
%patch987 -p1 -b .sftp_ipv6
|
%patch987 -p1 -b .sftp_ipv6
|
||||||
|
%patch988 -p1 -b .killall
|
||||||
|
%patch989 -p1 -b .bigsshdconfig
|
||||||
|
|
||||||
%patch200 -p1 -b .audit
|
%patch200 -p1 -b .audit
|
||||||
%patch201 -p1 -b .audit-race
|
%patch201 -p1 -b .audit-race
|
||||||
@ -525,8 +535,10 @@ popd
|
|||||||
%patch100 -p1 -b .coverity
|
%patch100 -p1 -b .coverity
|
||||||
|
|
||||||
%patch1015 -p1 -b .cve-2023-38408
|
%patch1015 -p1 -b .cve-2023-38408
|
||||||
|
%patch1017 -p1 -b .limitdelay
|
||||||
%patch1018 -p1 -b .cve-2023-48795
|
%patch1018 -p1 -b .cve-2023-48795
|
||||||
%patch1019 -p1 -b .cve-2023-51385
|
%patch1019 -p1 -b .cve-2023-51385
|
||||||
|
%patch1020 -p1 -b .scp-kill-switch
|
||||||
|
|
||||||
autoreconf
|
autoreconf
|
||||||
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
||||||
@ -812,15 +824,37 @@ getent passwd sshd >/dev/null || \
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Mon Jan 08 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-19.2
|
* Tue Feb 06 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-24
|
||||||
- Fix Terrapin attack
|
- Providing a kill switch for scp to deal with CVE-2020-15778
|
||||||
Resolves: RHEL-19762
|
Resolves: RHEL-22870
|
||||||
|
|
||||||
* Thu Dec 21 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-19.1
|
* Fri Jan 05 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-23
|
||||||
- Fix Terrapin attack
|
- Fix Terrapin attack
|
||||||
Resolves: RHEL-19762
|
Resolves: RHEL-19308
|
||||||
|
|
||||||
|
* Thu Dec 21 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-22
|
||||||
|
- Fix Terrapin attack
|
||||||
|
Resolves: RHEL-19308
|
||||||
- Forbid shell metasymbols in username/hostname
|
- Forbid shell metasymbols in username/hostname
|
||||||
Resolves: RHEL-19820
|
Resolves: RHEL-19788
|
||||||
|
|
||||||
|
* Tue Nov 07 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-21
|
||||||
|
- Using DigestSign/DigestVerify functions for better FIPS compatibility
|
||||||
|
Resolves: RHEL-5217
|
||||||
|
|
||||||
|
* Mon Oct 30 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-20
|
||||||
|
- Limit artificial delays in sshd while login using AD user
|
||||||
|
Resolves: RHEL-1684
|
||||||
|
- Add comment to OpenSSH server config about FIPS-incompatible key
|
||||||
|
Resolves: RHEL-5221
|
||||||
|
- Avoid killing all processes on system in case of race condition
|
||||||
|
Resolves: RHEL-11548
|
||||||
|
- Avoid sshd_config 256K limit
|
||||||
|
Resolves: RHEL-5279
|
||||||
|
- Using DigestSign/DigestVerify functions for better FIPS compatibility
|
||||||
|
Resolves: RHEL-5217
|
||||||
|
- Fix GSS KEX causing ssh failures when connecting to WinSSHD
|
||||||
|
Resolves: RHEL-5321
|
||||||
|
|
||||||
* Thu Aug 24 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-19
|
* Thu Aug 24 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-19
|
||||||
- rebuilt
|
- rebuilt
|
||||||
|
Loading…
Reference in New Issue
Block a user