Applying patches to rebase to OpenSSH 9.6p1
Based on Damien Milnes' PR https://src.fedoraproject.org/rpms/openssh/pull-request/63
Also rebasing openssh-8.0p1-pkcs11-uri.patch to 9.6 by Dmitry Belyavskiy
		
							parent
							
								
									87ae5d1d5a
								
							
						
					
					
						commit
						f238307bdf
					
				
						
									
										2
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							| @ -58,3 +58,5 @@ pam_ssh_agent_auth-0.9.2.tar.bz2 | |||||||
| /openssh-9.0p1.tar.gz.asc | /openssh-9.0p1.tar.gz.asc | ||||||
| /openssh-9.3p1.tar.gz | /openssh-9.3p1.tar.gz | ||||||
| /openssh-9.3p1.tar.gz.asc | /openssh-9.3p1.tar.gz.asc | ||||||
|  | /openssh-9.6p1.tar.gz | ||||||
|  | /openssh-9.6p1.tar.gz.asc | ||||||
|  | |||||||
| @ -93,19 +93,17 @@ index 8f32464..18a2ca4 100644 | |||||||
|  #endif |  #endif | ||||||
|   |   | ||||||
| diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
 | diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
 | ||||||
| index 22ea8ef..1fc963d 100644
 | --- a/openbsd-compat/port-linux.c	(revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
 | ||||||
| --- a/openbsd-compat/port-linux.c
 | +++ b/openbsd-compat/port-linux.c	(date 1703108053912)
 | ||||||
| +++ b/openbsd-compat/port-linux.c
 | @@ -207,7 +207,7 @@
 | ||||||
| @@ -179,7 +179,7 @@ ssh_selinux_change_context(const char *newname)
 |  	xasprintf(&newctx, "%.*s%s%s", (int)(cx - oldctx + 1), oldctx, | ||||||
|  	strlcpy(newctx + len, newname, newlen - len); |  	    newname, cx2 == NULL ? "" : cx2); | ||||||
|  	if ((cx = index(cx + 1, ':'))) | 
 | ||||||
|  		strlcat(newctx, cx, newlen); | -	debug3_f("setting context from '%s' to '%s'", oldctx, newctx);
 | ||||||
| -	debug3("%s: setting context from '%s' to '%s'", __func__,
 | +	debug_f("setting context from '%s' to '%s'", oldctx, newctx);
 | ||||||
| +	debug_f("setting context from '%s' to '%s'",
 |  | ||||||
|  	    oldctx, newctx); |  | ||||||
|  	if (setcon(newctx) < 0) |  	if (setcon(newctx) < 0) | ||||||
|  		do_log2(log_level, "%s: setcon %s from %s failed with %s", |  		do_log2_f(log_level, "setcon %s from %s failed with %s", | ||||||
| 		    __func__, newctx, oldctx, strerror(errno)); |  		    newctx, oldctx, strerror(errno)); | ||||||
| diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
 | diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
 | ||||||
| index cb51f99..8b7cda2 100644
 | index cb51f99..8b7cda2 100644
 | ||||||
| --- a/openbsd-compat/port-linux.h
 | --- a/openbsd-compat/port-linux.h
 | ||||||
|  | |||||||
| @ -17,17 +17,6 @@ diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c | |||||||
|  			return oerrno; |  			return oerrno; | ||||||
|  		} |  		} | ||||||
|  		/* make sure the KRB5CCNAME is set for non-standard location */ |  		/* make sure the KRB5CCNAME is set for non-standard location */ | ||||||
| diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c
 |  | ||||||
| --- openssh-8.5p1/auth-options.c.coverity	2021-03-02 11:31:47.000000000 +0100
 |  | ||||||
| +++ openssh-8.5p1/auth-options.c	2021-03-24 12:03:33.782968159 +0100
 |  | ||||||
| @@ -706,6 +708,7 @@ serialise_array(struct sshbuf *m, char *
 |  | ||||||
|  		return r; |  | ||||||
|  	} |  | ||||||
|  	/* success */ |  | ||||||
| +	sshbuf_free(b);
 |  | ||||||
|  	return 0; |  | ||||||
|  } |  | ||||||
|   |  | ||||||
| diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c
 | diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c
 | ||||||
| --- openssh-8.5p1/gss-genr.c.coverity	2021-03-26 11:52:46.613942552 +0100
 | --- openssh-8.5p1/gss-genr.c.coverity	2021-03-26 11:52:46.613942552 +0100
 | ||||||
| +++ openssh-8.5p1/gss-genr.c	2021-03-26 11:54:37.881726318 +0100
 | +++ openssh-8.5p1/gss-genr.c	2021-03-26 11:54:37.881726318 +0100
 | ||||||
| @ -45,14 +34,6 @@ diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c | |||||||
| diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c
 | diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c
 | ||||||
| --- openssh-8.5p1/krl.c.coverity	2021-03-02 11:31:47.000000000 +0100
 | --- openssh-8.5p1/krl.c.coverity	2021-03-02 11:31:47.000000000 +0100
 | ||||||
| +++ openssh-8.5p1/krl.c	2021-03-24 12:03:33.783968166 +0100
 | +++ openssh-8.5p1/krl.c	2021-03-24 12:03:33.783968166 +0100
 | ||||||
| @@ -1209,6 +1209,7 @@ ssh_krl_from_blob(struct sshbuf *buf, st
 |  | ||||||
|  	sshkey_free(key); |  | ||||||
|  	sshbuf_free(copy); |  | ||||||
|  	sshbuf_free(sect); |  | ||||||
| +	/* coverity[leaked_storage : FALSE] */
 |  | ||||||
|  	return r; |  | ||||||
|  } |  | ||||||
|   |  | ||||||
| @@ -1261,6 +1262,7 @@ is_key_revoked(struct ssh_krl *krl, cons
 | @@ -1261,6 +1262,7 @@ is_key_revoked(struct ssh_krl *krl, cons
 | ||||||
|  		return r; |  		return r; | ||||||
|  	erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb); |  	erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb); | ||||||
| @ -149,23 +130,6 @@ diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c | |||||||
|  	return (0); |  	return (0); | ||||||
|   |   | ||||||
|   error: |   error: | ||||||
| diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
 |  | ||||||
| --- openssh-7.4p1/monitor_wrap.c.coverity	2016-12-23 16:40:26.892788689 +0100
 |  | ||||||
| +++ openssh-7.4p1/monitor_wrap.c	2016-12-23 16:40:26.900788691 +0100
 |  | ||||||
| @@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
 |  | ||||||
|  	if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 || |  | ||||||
|  	    (tmp2 = dup(pmonitor->m_recvfd)) == -1) { |  | ||||||
|  		error_f("cannot allocate fds for pty"); |  | ||||||
| -		if (tmp1 > 0)
 |  | ||||||
| +		if (tmp1 >= 0)
 |  | ||||||
|  			close(tmp1); |  | ||||||
| -		if (tmp2 > 0)
 |  | ||||||
| -			close(tmp2);
 |  | ||||||
| +		/*DEAD CODE if (tmp2 >= 0)
 |  | ||||||
| +			close(tmp2);*/
 |  | ||||||
|  		return 0; |  | ||||||
|  	} |  | ||||||
|  	close(tmp1); |  | ||||||
| diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/openbsd-compat/bindresvport.c
 | diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/openbsd-compat/bindresvport.c
 | ||||||
| --- openssh-7.4p1/openbsd-compat/bindresvport.c.coverity	2016-12-19 05:59:41.000000000 +0100
 | --- openssh-7.4p1/openbsd-compat/bindresvport.c.coverity	2016-12-19 05:59:41.000000000 +0100
 | ||||||
| +++ openssh-7.4p1/openbsd-compat/bindresvport.c	2016-12-23 16:40:26.901788691 +0100
 | +++ openssh-7.4p1/openbsd-compat/bindresvport.c	2016-12-23 16:40:26.901788691 +0100
 | ||||||
| @ -219,23 +183,6 @@ diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c | |||||||
|  				goto out; |  				goto out; | ||||||
|  			} |  			} | ||||||
|  			free(arg2); |  			free(arg2); | ||||||
| diff -up openssh-8.7p1/scp.c.coverity openssh-8.7p1/scp.c
 |  | ||||||
| --- openssh-8.7p1/scp.c.coverity	2021-08-30 16:23:35.389741329 +0200
 |  | ||||||
| +++ openssh-8.7p1/scp.c	2021-08-30 16:27:04.854555296 +0200
 |  | ||||||
| @@ -186,11 +186,11 @@ killchild(int signo)
 |  | ||||||
|  { |  | ||||||
|  	if (do_cmd_pid > 1) { |  | ||||||
|  		kill(do_cmd_pid, signo ? signo : SIGTERM); |  | ||||||
| -		waitpid(do_cmd_pid, NULL, 0);
 |  | ||||||
| +		(void) waitpid(do_cmd_pid, NULL, 0);
 |  | ||||||
|  	} |  | ||||||
|  	if (do_cmd_pid2 > 1) { |  | ||||||
|  		kill(do_cmd_pid2, signo ? signo : SIGTERM); |  | ||||||
| -		waitpid(do_cmd_pid2, NULL, 0);
 |  | ||||||
| +		(void) waitpid(do_cmd_pid2, NULL, 0);
 |  | ||||||
|  	} |  | ||||||
|   |  | ||||||
|  	if (signo) |  | ||||||
| diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
 | diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
 | ||||||
| --- openssh-7.4p1/servconf.c.coverity	2016-12-23 16:40:26.896788690 +0100
 | --- openssh-7.4p1/servconf.c.coverity	2016-12-23 16:40:26.896788690 +0100
 | ||||||
| +++ openssh-7.4p1/servconf.c	2016-12-23 16:40:26.901788691 +0100
 | +++ openssh-7.4p1/servconf.c	2016-12-23 16:40:26.901788691 +0100
 | ||||||
| @ -263,18 +210,6 @@ diff -up openssh-8.7p1/serverloop.c.coverity openssh-8.7p1/serverloop.c | |||||||
|  		if (tun != SSH_TUNID_ANY && |  		if (tun != SSH_TUNID_ANY && | ||||||
|  		    auth_opts->force_tun_device != (int)tun) |  		    auth_opts->force_tun_device != (int)tun) | ||||||
|  			goto done; |  			goto done; | ||||||
| diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
 |  | ||||||
| --- openssh-7.4p1/sftp.c.coverity	2016-12-19 05:59:41.000000000 +0100
 |  | ||||||
| +++ openssh-7.4p1/sftp.c	2016-12-23 16:40:26.903788691 +0100
 |  | ||||||
| @@ -224,7 +224,7 @@ killchild(int signo)
 |  | ||||||
|  	pid = sshpid; |  | ||||||
|  	if (pid > 1) { |  | ||||||
|  		kill(pid, SIGTERM); |  | ||||||
| -		waitpid(pid, NULL, 0);
 |  | ||||||
| +		(void) waitpid(pid, NULL, 0);
 |  | ||||||
|  	} |  | ||||||
|   |  | ||||||
|  	_exit(1); |  | ||||||
| diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
 | diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
 | ||||||
| --- openssh-7.4p1/ssh-agent.c.coverity	2016-12-19 05:59:41.000000000 +0100
 | --- openssh-7.4p1/ssh-agent.c.coverity	2016-12-19 05:59:41.000000000 +0100
 | ||||||
| +++ openssh-7.4p1/ssh-agent.c	2016-12-23 16:40:26.903788691 +0100
 | +++ openssh-7.4p1/ssh-agent.c	2016-12-23 16:40:26.903788691 +0100
 | ||||||
| @ -286,28 +221,6 @@ diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c | |||||||
|  			return NULL; |  			return NULL; | ||||||
|  		} |  		} | ||||||
|  		/* validate also provider from URI */ |  		/* validate also provider from URI */ | ||||||
| @@ -1220,8 +1220,8 @@ main(int ac, char **av)
 |  | ||||||
|  	sanitise_stdfd(); |  | ||||||
|   |  | ||||||
|  	/* drop */ |  | ||||||
| -	setegid(getgid());
 |  | ||||||
| -	setgid(getgid());
 |  | ||||||
| +	(void) setegid(getgid());
 |  | ||||||
| +	(void) setgid(getgid());
 |  | ||||||
|   |  | ||||||
|  	platform_disable_tracing(0);	/* strict=no */ |  | ||||||
|   |  | ||||||
| diff -up openssh-8.5p1/ssh.c.coverity openssh-8.5p1/ssh.c
 |  | ||||||
| --- openssh-8.5p1/ssh.c.coverity	2021-03-24 12:03:33.779968138 +0100
 |  | ||||||
| +++ openssh-8.5p1/ssh.c	2021-03-24 12:03:33.786968187 +0100
 |  | ||||||
| @@ -1746,6 +1746,7 @@ control_persist_detach(void)
 |  | ||||||
|  		close(muxserver_sock); |  | ||||||
|  		muxserver_sock = -1; |  | ||||||
|  		options.control_master = SSHCTL_MASTER_NO; |  | ||||||
| +		/* coverity[leaked_handle: FALSE]*/
 |  | ||||||
|  		muxclient(options.control_path); |  | ||||||
|  		/* muxclient() doesn't return on success. */ |  | ||||||
|  		fatal("Failed to connect to new control master"); |  | ||||||
| diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
 | diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
 | ||||||
| --- openssh-7.4p1/sshd.c.coverity	2016-12-23 16:40:26.897788690 +0100
 | --- openssh-7.4p1/sshd.c.coverity	2016-12-23 16:40:26.897788690 +0100
 | ||||||
| +++ openssh-7.4p1/sshd.c	2016-12-23 16:40:26.904788692 +0100
 | +++ openssh-7.4p1/sshd.c	2016-12-23 16:40:26.904788692 +0100
 | ||||||
|  | |||||||
| @ -1,7 +1,7 @@ | |||||||
| diff -up openssh-7.2p2/channels.c.x11 openssh-7.2p2/channels.c
 | diff --git a/channels.c b/channels.c
 | ||||||
| --- openssh-7.2p2/channels.c.x11	2016-03-09 19:04:48.000000000 +0100
 | --- a/channels.c	(revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
 | ||||||
| +++ openssh-7.2p2/channels.c	2016-06-03 10:42:04.775164520 +0200
 | +++ b/channels.c	(date 1703026069921)
 | ||||||
| @@ -3990,21 +3990,24 @@ x11_create_display_inet(int x11_display_
 | @@ -5075,11 +5075,13 @@
 | ||||||
|  } |  } | ||||||
| 
 | 
 | ||||||
|  static int |  static int | ||||||
| @ -11,11 +11,13 @@ diff -up openssh-7.2p2/channels.c.x11 openssh-7.2p2/channels.c | |||||||
|  	int sock; |  	int sock; | ||||||
|  	struct sockaddr_un addr; |  	struct sockaddr_un addr; | ||||||
| 
 | 
 | ||||||
| +	if (len <= 0)
 | +    if (len <= 0)
 | ||||||
| +		return -1;
 | +        return -1;
 | ||||||
|  	sock = socket(AF_UNIX, SOCK_STREAM, 0); |  	sock = socket(AF_UNIX, SOCK_STREAM, 0); | ||||||
|  	if (sock == -1) |  	if (sock == -1) { | ||||||
|  		error("socket: %.100s", strerror(errno)); |  		error("socket: %.100s", strerror(errno)); | ||||||
|  | @@ -5087,11 +5089,12 @@
 | ||||||
|  |  	} | ||||||
|  	memset(&addr, 0, sizeof(addr)); |  	memset(&addr, 0, sizeof(addr)); | ||||||
|  	addr.sun_family = AF_UNIX; |  	addr.sun_family = AF_UNIX; | ||||||
| -	strlcpy(addr.sun_path, pathname, sizeof addr.sun_path);
 | -	strlcpy(addr.sun_path, pathname, sizeof addr.sun_path);
 | ||||||
| @ -30,7 +32,7 @@ diff -up openssh-7.2p2/channels.c.x11 openssh-7.2p2/channels.c | |||||||
|  	return -1; |  	return -1; | ||||||
|  } |  } | ||||||
| 
 | 
 | ||||||
| @@ -4012,8 +4015,18 @@ static int
 | @@ -5099,8 +5102,18 @@
 | ||||||
|  connect_local_xsocket(u_int dnr) |  connect_local_xsocket(u_int dnr) | ||||||
|  { |  { | ||||||
|  	char buf[1024]; |  	char buf[1024]; | ||||||
|  | |||||||
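Review bot: The added guard in the rebased channels.c hunk is indented with spaces (`+    if (len <= 0)` / `+        return -1;`), while the surrounding context lines and the previous version of this patch use tabs. Re-indent the two lines with tabs so the patch matches the file's style and later rebases do not trip over whitespace-only differences. The same mixed indentation shows up in the rebased auth2.c hunk of the role-mls patch, on the `mm_inform_authrole(role);` line and the closing `}` of the `if (use_privsep) {` block. The enclosing function starts outside the visible hunk, so only the indentation of the added lines is being questioned here.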
| @ -23,7 +23,7 @@ diff -up openssh/auth2.c.role-mls openssh/auth2.c | |||||||
|  	if ((style = strchr(user, ':')) != NULL) |  	if ((style = strchr(user, ':')) != NULL) | ||||||
|  		*style++ = 0; |  		*style++ = 0; | ||||||
|   |   | ||||||
| @@ -296,8 +304,15 @@ input_userauth_request(int type, u_int32
 | @@ -314,8 +314,15 @@ input_userauth_request(int type, u_int32
 | ||||||
|  		    use_privsep ? " [net]" : ""); |  		    use_privsep ? " [net]" : ""); | ||||||
|  		authctxt->service = xstrdup(service); |  		authctxt->service = xstrdup(service); | ||||||
|  		authctxt->style = style ? xstrdup(style) : NULL; |  		authctxt->style = style ? xstrdup(style) : NULL; | ||||||
| @ -34,12 +34,12 @@ diff -up openssh/auth2.c.role-mls openssh/auth2.c | |||||||
| +		if (use_privsep) {
 | +		if (use_privsep) {
 | ||||||
|  			mm_inform_authserv(service, style); |  			mm_inform_authserv(service, style); | ||||||
| +#ifdef WITH_SELINUX
 | +#ifdef WITH_SELINUX
 | ||||||
| +			mm_inform_authrole(role);
 | +         	mm_inform_authrole(role);
 | ||||||
| +#endif
 | +#endif
 | ||||||
| +		}
 | +        }
 | ||||||
|  		userauth_banner(ssh); |  		userauth_banner(ssh); | ||||||
|  		if (auth2_setup_methods_lists(authctxt) != 0) |  		if ((r = kex_server_update_ext_info(ssh)) != 0) | ||||||
|  			ssh_packet_disconnect(ssh, |  			fatal_fr(r, "kex_server_update_ext_info failed"); | ||||||
| diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
 | diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
 | ||||||
| --- openssh/auth2-gss.c.role-mls	2018-08-20 07:57:29.000000000 +0200
 | --- openssh/auth2-gss.c.role-mls	2018-08-20 07:57:29.000000000 +0200
 | ||||||
| +++ openssh/auth2-gss.c	2018-08-22 11:15:42.459799171 +0200
 | +++ openssh/auth2-gss.c	2018-08-22 11:15:42.459799171 +0200
 | ||||||
|  | |||||||
| @ -144,7 +144,7 @@ index 9351e042..d6446c0c 100644 | |||||||
| --- a/auth2-gss.c
 | --- a/auth2-gss.c
 | ||||||
| +++ b/auth2-gss.c
 | +++ b/auth2-gss.c
 | ||||||
| @@ -1,7 +1,7 @@
 | @@ -1,7 +1,7 @@
 | ||||||
|  /* $OpenBSD: auth2-gss.c,v 1.33 2021/12/19 22:12:07 djm Exp $ */ |  /* $OpenBSD: auth2-gss.c,v 1.34 2023/03/31 04:22:27 djm Exp $ */ | ||||||
| 
 | 
 | ||||||
|  /* |  /* | ||||||
| - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
 | ||||||
| @ -1268,7 +1268,7 @@ index ce85f043..574c7609 100644 | |||||||
| +#endif
 | +#endif
 | ||||||
| +
 | +
 | ||||||
|  /* prototype */ |  /* prototype */ | ||||||
|  static int kex_choose_conf(struct ssh *); |  static int kex_choose_conf(struct ssh *, uint32_t seq); | ||||||
|  static int kex_input_newkeys(int, u_int32_t, struct ssh *); |  static int kex_input_newkeys(int, u_int32_t, struct ssh *); | ||||||
| @@ -115,15 +120,28 @@ static const struct kexalg kexalgs[] = {
 | @@ -115,15 +120,28 @@ static const struct kexalg kexalgs[] = {
 | ||||||
|  #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ |  #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ | ||||||
| @ -3400,7 +3400,7 @@ index 60de6087..db5c65bc 100644 | |||||||
|  .It HashKnownHosts |  .It HashKnownHosts | ||||||
|  .It Host |  .It Host | ||||||
|  .It HostbasedAcceptedAlgorithms |  .It HostbasedAcceptedAlgorithms | ||||||
| @@ -579,6 +585,8 @@ flag),
 | @@ -624,6 +624,8 @@
 | ||||||
|  (supported message integrity codes), |  (supported message integrity codes), | ||||||
|  .Ar kex |  .Ar kex | ||||||
|  (key exchange algorithms), |  (key exchange algorithms), | ||||||
| @ -3408,7 +3408,7 @@ index 60de6087..db5c65bc 100644 | |||||||
| +(GSSAPI key exchange algorithms),
 | +(GSSAPI key exchange algorithms),
 | ||||||
|  .Ar key |  .Ar key | ||||||
|  (key types), |  (key types), | ||||||
|  .Ar key-cert |  .Ar key-ca-sign | ||||||
| diff --git a/ssh.c b/ssh.c
 | diff --git a/ssh.c b/ssh.c
 | ||||||
| index 15aee569..110cf9c1 100644
 | index 15aee569..110cf9c1 100644
 | ||||||
| --- a/ssh.c
 | --- a/ssh.c
 | ||||||
| @ -3444,7 +3444,7 @@ index 5e8ef548..1ff999b6 100644 | |||||||
| +#   GSSAPIKeyExchange no
 | +#   GSSAPIKeyExchange no
 | ||||||
| +#   GSSAPITrustDNS no
 | +#   GSSAPITrustDNS no
 | ||||||
|  #   BatchMode no |  #   BatchMode no | ||||||
|  #   CheckHostIP yes |  #   CheckHostIP no | ||||||
|  #   AddressFamily any |  #   AddressFamily any | ||||||
| diff --git a/ssh_config.5 b/ssh_config.5
 | diff --git a/ssh_config.5 b/ssh_config.5
 | ||||||
| index 06a32d31..3f490697 100644
 | index 06a32d31..3f490697 100644
 | ||||||
| @ -4028,3 +4028,47 @@ index 71a3fddc..37a43a67 100644 | |||||||
|  	KEY_UNSPEC |  	KEY_UNSPEC | ||||||
|  }; |  }; | ||||||
|   |   | ||||||
|  | diff --git a/packet.h b/packet.h
 | ||||||
|  | --- a/packet.h	(revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
 | ||||||
|  | +++ b/packet.h	(date 1703172586447)
 | ||||||
|  | @@ -124,6 +124,7 @@
 | ||||||
|  |  int	 ssh_packet_send2(struct ssh *); | ||||||
|  | 
 | ||||||
|  |  int      ssh_packet_read(struct ssh *); | ||||||
|  | +int	 ssh_packet_read_expect(struct ssh *, u_int type);
 | ||||||
|  |  int      ssh_packet_read_poll(struct ssh *); | ||||||
|  |  int ssh_packet_read_poll2(struct ssh *, u_char *, u_int32_t *seqnr_p); | ||||||
|  |  int	 ssh_packet_process_incoming(struct ssh *, const char *buf, u_int len); | ||||||
|  | diff --git a/packet.c b/packet.c
 | ||||||
|  | --- a/packet.c	(revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
 | ||||||
|  | +++ b/packet.c	(date 1703172586447)
 | ||||||
|  | @@ -1425,6 +1416,29 @@
 | ||||||
|  |  	return type; | ||||||
|  |  } | ||||||
|  | 
 | ||||||
|  | +/*
 | ||||||
|  | + * Waits until a packet has been received, verifies that its type matches
 | ||||||
|  | + * that given, and gives a fatal error and exits if there is a mismatch.
 | ||||||
|  | + */
 | ||||||
|  | +
 | ||||||
|  | +int
 | ||||||
|  | +ssh_packet_read_expect(struct ssh *ssh, u_int expected_type)
 | ||||||
|  | +{
 | ||||||
|  | +	int r;
 | ||||||
|  | +	u_char type;
 | ||||||
|  | +
 | ||||||
|  | +	if ((r = ssh_packet_read_seqnr(ssh, &type, NULL)) != 0)
 | ||||||
|  | +		return r;
 | ||||||
|  | +	if (type != expected_type) {
 | ||||||
|  | +		if ((r = sshpkt_disconnect(ssh,
 | ||||||
|  | +		    "Protocol error: expected packet type %d, got %d",
 | ||||||
|  | +		    expected_type, type)) != 0)
 | ||||||
|  | +			return r;
 | ||||||
|  | +		return SSH_ERR_PROTOCOL_ERROR;
 | ||||||
|  | +	}
 | ||||||
|  | +	return 0;
 | ||||||
|  | +}
 | ||||||
|  | +
 | ||||||
|  |  static int | ||||||
|  |  ssh_packet_read_poll2_mux(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) | ||||||
|  |  { | ||||||
|  | |||||||
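Review bot: The comment above the re-added `ssh_packet_read_expect` in the packet.c hunk says it "gives a fatal error and exits" on a type mismatch, but the body sends a disconnect and returns `SSH_ERR_PROTOCOL_ERROR` (or the error from `sshpkt_disconnect`), so it does return to the caller. Reword the comment to something like `/* Reads one packet; on a type mismatch sends a disconnect and returns SSH_ERR_PROTOCOL_ERROR. */` so that callers know they must check the result before touching the payload. The callers are not visible on this page, so it is worth confirming that each of them treats a non-zero return as fatal. The format string also prints `expected_type`, a `u_int`, with `%d`; `"Protocol error: expected packet type %u, got %d"` matches the argument types.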
										
											
												File diff suppressed because it is too large
											
										
									
								
							| @ -1,23 +1,21 @@ | |||||||
| diff --git a/readconf.c b/readconf.c
 | diff --git a/readconf.c b/readconf.c
 | ||||||
| index 7f26c680..42be690b 100644
 | --- a/readconf.c	(revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
 | ||||||
| --- a/readconf.c
 | +++ b/readconf.c	(date 1703169891147)
 | ||||||
| +++ b/readconf.c
 | @@ -326,6 +326,7 @@
 | ||||||
| @@ -320,6 +320,7 @@ static struct {
 |  | ||||||
|  	{ "securitykeyprovider", oSecurityKeyProvider }, |  	{ "securitykeyprovider", oSecurityKeyProvider }, | ||||||
|  	{ "knownhostscommand", oKnownHostsCommand }, |  	{ "knownhostscommand", oKnownHostsCommand }, | ||||||
| 	{ "requiredrsasize", oRequiredRSASize }, |  	{ "requiredrsasize", oRequiredRSASize }, | ||||||
| +	{ "rsaminsize", oRequiredRSASize }, /* alias */
 | +	{ "rsaminsize", oRequiredRSASize }, /* alias */
 | ||||||
|  	{ "enableescapecommandline", oEnableEscapeCommandline }, |  	{ "enableescapecommandline", oEnableEscapeCommandline }, | ||||||
|   |  	{ "obscurekeystroketiming", oObscureKeystrokeTiming }, | ||||||
|  	{ NULL, oBadOption } |  	{ "channeltimeout", oChannelTimeout }, | ||||||
| diff --git a/servconf.c b/servconf.c
 | diff --git a/servconf.c b/servconf.c
 | ||||||
| index 29df0463..423772b1 100644
 | --- a/servconf.c	(revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
 | ||||||
| --- a/servconf.c
 | +++ b/servconf.c	(date 1703169891148)
 | ||||||
| +++ b/servconf.c
 | @@ -691,6 +691,7 @@
 | ||||||
| @@ -676,6 +680,7 @@ static struct {
 |  | ||||||
|  	{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, |  	{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, | ||||||
|  	{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL }, |  	{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL }, | ||||||
| 	{ "requiredrsasize", sRequiredRSASize, SSHCFG_ALL }, |  	{ "requiredrsasize", sRequiredRSASize, SSHCFG_ALL }, | ||||||
| +	{ "rsaminsize", sRequiredRSASize, SSHCFG_ALL }, /* alias */
 | +	{ "rsaminsize", sRequiredRSASize, SSHCFG_ALL }, /* alias */
 | ||||||
|  	{ "channeltimeout", sChannelTimeout, SSHCFG_ALL }, |  	{ "channeltimeout", sChannelTimeout, SSHCFG_ALL }, | ||||||
|  	{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL }, |  	{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL }, | ||||||
|  | |||||||
| @ -1,28 +1,28 @@ | |||||||
| diff -up openssh-8.7p1/scp.c.scp-sftpdirs openssh-8.7p1/scp.c
 | diff --git a/scp.c b/scp.c
 | ||||||
| --- openssh-8.7p1/scp.c.scp-sftpdirs	2022-02-07 12:31:07.407740407 +0100
 | --- a/scp.c	(revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
 | ||||||
| +++ openssh-8.7p1/scp.c	2022-02-07 12:31:07.409740424 +0100
 | +++ b/scp.c	(date 1703111453316)
 | ||||||
| @@ -1324,7 +1324,7 @@ source_sftp(int argc, char *src, char *t
 | @@ -1372,7 +1372,7 @@
 | ||||||
| 
 | 
 | ||||||
|  	if (src_is_dir && iamrecursive) { |  	if (src_is_dir && iamrecursive) { | ||||||
|  		if (upload_dir(conn, src, abs_dst, pflag, |  		if (sftp_upload_dir(conn, src, abs_dst, pflag, | ||||||
| -		    SFTP_PROGRESS_ONLY, 0, 0, 1, 1) != 0) {
 | -		    SFTP_PROGRESS_ONLY, 0, 0, 1, 1) != 0) {
 | ||||||
| +		    SFTP_PROGRESS_ONLY, 0, 0, 1, 1, 1) != 0) {
 | +		    SFTP_PROGRESS_ONLY, 0, 0, 1, 1, 1) != 0) {
 | ||||||
| 			error("failed to upload directory %s to %s", src, targ); |  			error("failed to upload directory %s to %s", src, targ); | ||||||
| 			errs = 1; |  			errs = 1; | ||||||
| 		} |  		} | ||||||
| diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c
 | diff --git a/sftp-client.c b/sftp-client.c
 | ||||||
| --- openssh-8.7p1/sftp-client.c.scp-sftpdirs	2021-08-20 06:03:49.000000000 +0200
 | --- a/sftp-client.c	(revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
 | ||||||
| +++ openssh-8.7p1/sftp-client.c	2022-02-07 12:47:59.117516131 +0100
 | +++ b/sftp-client.c	(date 1703169614263)
 | ||||||
| @@ -971,7 +971,7 @@ do_fsetstat(struct sftp_conn *conn, cons
 | @@ -1003,7 +1003,7 @@
 | ||||||
| 
 | 
 | ||||||
|  /* Implements both the realpath and expand-path operations */ |  /* Implements both the realpath and expand-path operations */ | ||||||
|  static char * |  static char * | ||||||
| -do_realpath_expand(struct sftp_conn *conn, const char *path, int expand)
 | -sftp_realpath_expand(struct sftp_conn *conn, const char *path, int expand)
 | ||||||
| +do_realpath_expand(struct sftp_conn *conn, const char *path, int expand, int create_dir)
 | +sftp_realpath_expand(struct sftp_conn *conn, const char *path, int expand, int create_dir)
 | ||||||
|  { |  { | ||||||
|  	struct sshbuf *msg; |  	struct sshbuf *msg; | ||||||
|  	u_int expected_id, count, id; |  	u_int expected_id, count, id; | ||||||
| @@ -1033,11 +1033,43 @@ do_realpath_expand(struct sftp_conn *con
 | @@ -1049,11 +1049,43 @@
 | ||||||
|  		if ((r = sshbuf_get_u32(msg, &status)) != 0 || |  		if ((r = sshbuf_get_u32(msg, &status)) != 0 || | ||||||
|  		    (r = sshbuf_get_cstring(msg, &errmsg, NULL)) != 0) |  		    (r = sshbuf_get_cstring(msg, &errmsg, NULL)) != 0) | ||||||
|  			fatal_fr(r, "parse status"); |  			fatal_fr(r, "parse status"); | ||||||
| @ -33,7 +33,7 @@ diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c | |||||||
| -		return NULL;
 | -		return NULL;
 | ||||||
| +		if ((status == SSH2_FX_NO_SUCH_FILE) && create_dir)  {
 | +		if ((status == SSH2_FX_NO_SUCH_FILE) && create_dir)  {
 | ||||||
| +			memset(&a, '\0', sizeof(a));
 | +			memset(&a, '\0', sizeof(a));
 | ||||||
| +			if ((r = do_mkdir(conn, path, &a, 0)) != 0) {
 | +			if ((r = sftp_mkdir(conn, path, &a, 0)) != 0) {
 | ||||||
| +				sshbuf_free(msg);
 | +				sshbuf_free(msg);
 | ||||||
| +				return NULL;
 | +				return NULL;
 | ||||||
| +			}
 | +			}
 | ||||||
| @ -71,42 +71,42 @@ diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c | |||||||
|  	} else if (type != SSH2_FXP_NAME) |  	} else if (type != SSH2_FXP_NAME) | ||||||
|  		fatal("Expected SSH2_FXP_NAME(%u) packet, got %u", |  		fatal("Expected SSH2_FXP_NAME(%u) packet, got %u", | ||||||
|  		    SSH2_FXP_NAME, type); |  		    SSH2_FXP_NAME, type); | ||||||
| @@ -1039,9 +1067,9 @@ do_realpath_expand(struct sftp_conn *con
 | @@ -1078,9 +1110,9 @@
 | ||||||
|  } |  } | ||||||
| 
 | 
 | ||||||
|  char * |  char * | ||||||
| -do_realpath(struct sftp_conn *conn, const char *path)
 | -sftp_realpath(struct sftp_conn *conn, const char *path)
 | ||||||
| +do_realpath(struct sftp_conn *conn, const char *path, int create_dir)
 | +sftp_realpath(struct sftp_conn *conn, const char *path, int create_dir)
 | ||||||
|  { |  { | ||||||
| -	return do_realpath_expand(conn, path, 0);
 | -	return sftp_realpath_expand(conn, path, 0);
 | ||||||
| +	return do_realpath_expand(conn, path, 0, create_dir);
 | +	return sftp_realpath_expand(conn, path, 0, create_dir);
 | ||||||
|  } |  } | ||||||
| 
 | 
 | ||||||
|  int |  int | ||||||
| @@ -1055,9 +1083,9 @@ do_expand_path(struct sftp_conn *conn, c
 | @@ -1094,9 +1126,9 @@
 | ||||||
|  { |  { | ||||||
|  	if (!can_expand_path(conn)) { |  	if (!sftp_can_expand_path(conn)) { | ||||||
|  		debug3_f("no server support, fallback to realpath"); |  		debug3_f("no server support, fallback to realpath"); | ||||||
| -		return do_realpath_expand(conn, path, 0);
 | -		return sftp_realpath_expand(conn, path, 0);
 | ||||||
| +		return do_realpath_expand(conn, path, 0, 0);
 | +		return sftp_realpath_expand(conn, path, 0, 0);
 | ||||||
|  	} |  	} | ||||||
| -	return do_realpath_expand(conn, path, 1);
 | -	return sftp_realpath_expand(conn, path, 1);
 | ||||||
| +	return do_realpath_expand(conn, path, 1, 0);
 | +	return sftp_realpath_expand(conn, path, 1, 0);
 | ||||||
|  } |  } | ||||||
| 
 | 
 | ||||||
|  int |  int | ||||||
| @@ -1807,7 +1835,7 @@ download_dir(struct sftp_conn *conn, con
 | @@ -2016,7 +2048,7 @@
 | ||||||
|  	char *src_canon; |  	char *src_canon; | ||||||
|  	int ret; |  	int ret; | ||||||
| 
 | 
 | ||||||
| -	if ((src_canon = do_realpath(conn, src)) == NULL) {
 | -	if ((src_canon = sftp_realpath(conn, src)) == NULL) {
 | ||||||
| +	if ((src_canon = do_realpath(conn, src, 0)) == NULL) {
 | +	if ((src_canon = sftp_realpath(conn, src, 0)) == NULL) {
 | ||||||
| 		error("download \"%s\": path canonicalization failed", src); |  		error("download \"%s\": path canonicalization failed", src); | ||||||
| 		return -1; |  		return -1; | ||||||
| 	} |  	} | ||||||
| @@ -2115,12 +2143,12 @@ upload_dir_internal(struct sftp_conn *co
 | @@ -2365,12 +2397,12 @@
 | ||||||
|  int |  int | ||||||
|  upload_dir(struct sftp_conn *conn, const char *src, const char *dst, |  sftp_upload_dir(struct sftp_conn *conn, const char *src, const char *dst, | ||||||
|      int preserve_flag, int print_flag, int resume, int fsync_flag, |      int preserve_flag, int print_flag, int resume, int fsync_flag, | ||||||
| -    int follow_link_flag, int inplace_flag)
 | -    int follow_link_flag, int inplace_flag)
 | ||||||
| +    int follow_link_flag, int inplace_flag, int create_dir)
 | +    int follow_link_flag, int inplace_flag, int create_dir)
 | ||||||
| @ -114,68 +114,69 @@ diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c | |||||||
|  	char *dst_canon; |  	char *dst_canon; | ||||||
|  	int ret; |  	int ret; | ||||||
| 
 | 
 | ||||||
| -	if ((dst_canon = do_realpath(conn, dst)) == NULL) {
 | -	if ((dst_canon = sftp_realpath(conn, dst)) == NULL) {
 | ||||||
| +	if ((dst_canon = do_realpath(conn, dst, create_dir)) == NULL) {
 | +	if ((dst_canon = sftp_realpath(conn, dst, create_dir)) == NULL) {
 | ||||||
| 		error("upload \"%s\": path canonicalization failed", dst); |  		error("upload \"%s\": path canonicalization failed", dst); | ||||||
| 		return -1; |  		return -1; | ||||||
| 	} |  	} | ||||||
| @@ -2557,7 +2585,7 @@ crossload_dir(struct sftp_conn *from, st
 | @@ -2825,7 +2857,7 @@
 | ||||||
|  	char *from_path_canon; |  	char *from_path_canon; | ||||||
|  	int ret; |  	int ret; | ||||||
| 
 | 
 | ||||||
| -	if ((from_path_canon = do_realpath(from, from_path)) == NULL) {
 | -	if ((from_path_canon = sftp_realpath(from, from_path)) == NULL) {
 | ||||||
| +	if ((from_path_canon = do_realpath(from, from_path, 0)) == NULL) {
 | +	if ((from_path_canon = sftp_realpath(from, from_path, 0)) == NULL) {
 | ||||||
| 		error("crossload \"%s\": path canonicalization failed", |  		error("crossload \"%s\": path canonicalization failed", | ||||||
| 		    from_path); |  		    from_path); | ||||||
| 		return -1; |  		return -1; | ||||||
| diff -up openssh-8.7p1/sftp-client.h.scp-sftpdirs openssh-8.7p1/sftp-client.h
 | diff --git a/sftp-client.h b/sftp-client.h
 | ||||||
| --- openssh-8.7p1/sftp-client.h.scp-sftpdirs	2021-08-20 06:03:49.000000000 +0200
 | --- a/sftp-client.h	(revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
 | ||||||
| +++ openssh-8.7p1/sftp-client.h	2022-02-07 12:31:07.410740433 +0100
 | +++ b/sftp-client.h	(date 1703111691284)
 | ||||||
| @@ -111,7 +111,7 @@ int do_fsetstat(struct sftp_conn *, cons
 | @@ -111,7 +111,7 @@
 | ||||||
|  int do_lsetstat(struct sftp_conn *conn, const char *path, Attrib *a); |  int sftp_lsetstat(struct sftp_conn *conn, const char *path, Attrib *a); | ||||||
| 
 | 
 | ||||||
|  /* Canonicalise 'path' - caller must free result */ |  /* Canonicalise 'path' - caller must free result */ | ||||||
| -char *do_realpath(struct sftp_conn *, const char *);
 | -char *sftp_realpath(struct sftp_conn *, const char *);
 | ||||||
| +char *do_realpath(struct sftp_conn *, const char *, int);
 | +char *sftp_realpath(struct sftp_conn *, const char *, int);
 | ||||||
| 
 | 
 | ||||||
|  /* Canonicalisation with tilde expansion (requires server extension) */ |  /* Canonicalisation with tilde expansion (requires server extension) */ | ||||||
|  char *do_expand_path(struct sftp_conn *, const char *); |  char *sftp_expand_path(struct sftp_conn *, const char *); | ||||||
| @@ -159,7 +159,7 @@ int do_upload(struct sftp_conn *, const
 | @@ -163,7 +163,7 @@
 | ||||||
|   * times if 'pflag' is set |   * times if 'pflag' is set | ||||||
|   */ |   */ | ||||||
|  int upload_dir(struct sftp_conn *, const char *, const char *, |  int sftp_upload_dir(struct sftp_conn *, const char *, const char *, | ||||||
| -    int, int, int, int, int, int);
 | -    int, int, int, int, int, int);
 | ||||||
| +    int, int, int, int, int, int, int);
 | +    int, int, int, int, int, int, int);
 | ||||||
| 
 | 
 | ||||||
|  /* |  /* | ||||||
|   * Download a 'from_path' from the 'from' connection and upload it to |   * Download a 'from_path' from the 'from' connection and upload it to | ||||||
| diff -up openssh-8.7p1/sftp.c.scp-sftpdirs openssh-8.7p1/sftp.c
 | 
 | ||||||
| --- openssh-8.7p1/sftp.c.scp-sftpdirs	2021-08-20 06:03:49.000000000 +0200
 | diff --git a/sftp.c b/sftp.c
 | ||||||
| +++ openssh-8.7p1/sftp.c	2022-02-07 12:31:07.411740442 +0100
 | --- a/sftp.c	(revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
 | ||||||
| @@ -760,7 +760,7 @@ process_put(struct sftp_conn *conn, cons
 | +++ b/sftp.c	(date 1703168795365)
 | ||||||
|  		if (globpath_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) { | @@ -807,7 +807,7 @@
 | ||||||
|  			if (upload_dir(conn, g.gl_pathv[i], abs_dst, |  		    (rflag || global_rflag)) { | ||||||
|  |  			if (sftp_upload_dir(conn, g.gl_pathv[i], abs_dst, | ||||||
|  			    pflag || global_pflag, 1, resume, |  			    pflag || global_pflag, 1, resume, | ||||||
| -			    fflag || global_fflag, 0, 0) == -1)
 | -			    fflag || global_fflag, 0, 0) == -1)
 | ||||||
| +			    fflag || global_fflag, 0, 0, 0) == -1)
 | +			    fflag || global_fflag, 0, 0, 0) == -1)
 | ||||||
|  				err = -1; |  				err = -1; | ||||||
|  		} else { |  		} else { | ||||||
|  			if (do_upload(conn, g.gl_pathv[i], abs_dst, |  			if (sftp_upload(conn, g.gl_pathv[i], abs_dst, | ||||||
| @@ -1577,7 +1577,7 @@ parse_dispatch_command(struct sftp_conn
 | @@ -1642,7 +1642,7 @@
 | ||||||
|  		if (path1 == NULL || *path1 == '\0') |  		if (path1 == NULL || *path1 == '\0') | ||||||
|  			path1 = xstrdup(startdir); |  			path1 = xstrdup(startdir); | ||||||
|  		path1 = make_absolute(path1, *pwd); |  		path1 = sftp_make_absolute(path1, *pwd); | ||||||
| -		if ((tmp = do_realpath(conn, path1)) == NULL) {
 | -		if ((tmp = sftp_realpath(conn, path1)) == NULL) {
 | ||||||
| +		if ((tmp = do_realpath(conn, path1, 0)) == NULL) {
 | +		if ((tmp = sftp_realpath(conn, path1, 0)) == NULL) {
 | ||||||
|  			err = 1; |  			err = 1; | ||||||
|  			break; |  			break; | ||||||
|  		} |  		} | ||||||
| @@ -2160,7 +2160,7 @@ interactive_loop(struct sftp_conn *conn,
 | @@ -2247,7 +2247,7 @@
 | ||||||
|  	} |  	} | ||||||
|  #endif /* USE_LIBEDIT */ |  #endif /* USE_LIBEDIT */ | ||||||
| 
 | 
 | ||||||
| -	remote_path = do_realpath(conn, ".");
 | -	if ((remote_path = sftp_realpath(conn, ".")) == NULL)
 | ||||||
| +	remote_path = do_realpath(conn, ".", 0);
 | +	if ((remote_path = sftp_realpath(conn, ".", 0)) == NULL)
 | ||||||
|  	if (remote_path == NULL) |  | ||||||
|  		fatal("Need cwd"); |  		fatal("Need cwd"); | ||||||
|  	startdir = xstrdup(remote_path); |  	startdir = xstrdup(remote_path); | ||||||
|  | 
 | ||||||
|  | |||||||
| @ -659,9 +659,9 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x | |||||||
|  # ifdef OPENSSL_HAS_ECC |  # ifdef OPENSSL_HAS_ECC | ||||||
|  #  include <openssl/ec.h> |  #  include <openssl/ec.h> | ||||||
|  #  include <openssl/ecdsa.h> |  #  include <openssl/ecdsa.h> | ||||||
| @@ -268,6 +271,10 @@
 | @@ -266,6 +266,10 @@
 | ||||||
|  const char	*sshkey_ssh_name_plain(const struct sshkey *); |  const char	*sshkey_ssh_name_plain(const struct sshkey *); | ||||||
|  int		 sshkey_names_valid2(const char *, int); |  int		 sshkey_names_valid2(const char *, int, int); | ||||||
|  char		*sshkey_alg_list(int, int, int, char); |  char		*sshkey_alg_list(int, int, int, char); | ||||||
| +int		 sshkey_calculate_signature(EVP_PKEY*, int, u_char **,
 | +int		 sshkey_calculate_signature(EVP_PKEY*, int, u_char **,
 | ||||||
| +    int *, const u_char *, size_t);
 | +    int *, const u_char *, size_t);
 | ||||||
| @ -695,10 +695,10 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x | |||||||
|  #if !defined(WITH_OPENSSL) |  #if !defined(WITH_OPENSSL) | ||||||
|  # undef RSA |  # undef RSA | ||||||
|  # undef DSA |  # undef DSA | ||||||
| diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/ssh-pkcs11.c openssh-9.3p1-patched/ssh-pkcs11.c
 | diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
 | ||||||
| --- openssh-9.3p1/ssh-pkcs11.c	2023-06-06 15:53:36.592443989 +0200
 | --- a/ssh-pkcs11.c	(revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
 | ||||||
| +++ openssh-9.3p1-patched/ssh-pkcs11.c	2023-06-06 15:52:25.626551768 +0200
 | +++ b/ssh-pkcs11.c	(date 1703110934679)
 | ||||||
| @@ -777,8 +777,24 @@
 | @@ -620,8 +620,24 @@
 | ||||||
| 
 | 
 | ||||||
|  	return (0); |  	return (0); | ||||||
|  } |  } | ||||||
| @ -722,14 +722,14 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x | |||||||
| +
 | +
 | ||||||
|  /* remove trailing spaces. Note, that this does NOT guarantee the buffer |  /* remove trailing spaces. Note, that this does NOT guarantee the buffer | ||||||
|   * will be null terminated if there are no trailing spaces! */ |   * will be null terminated if there are no trailing spaces! */ | ||||||
|  static void |  static char * | ||||||
| diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/ssh-pkcs11-client.c openssh-9.3p1-patched/ssh-pkcs11-client.c
 | diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
 | ||||||
| --- openssh-9.3p1/ssh-pkcs11-client.c	2023-06-06 15:53:36.591443976 +0200
 | --- a/ssh-pkcs11-client.c	(revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
 | ||||||
| +++ openssh-9.3p1-patched/ssh-pkcs11-client.c	2023-06-06 15:52:25.626551768 +0200
 | +++ b/ssh-pkcs11-client.c	(date 1703110830967)
 | ||||||
| @@ -225,8 +225,36 @@
 | @@ -402,8 +402,36 @@
 | ||||||
|  static RSA_METHOD	*helper_rsa; |  	if (helper->nrsa == 0 && helper->nec == 0) | ||||||
|  #if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) |  		helper_terminate(helper); | ||||||
|  static EC_KEY_METHOD	*helper_ecdsa; |  } | ||||||
| +
 | +
 | ||||||
| +int
 | +int
 | ||||||
| +is_ecdsa_pkcs11(EC_KEY *ecdsa)
 | +is_ecdsa_pkcs11(EC_KEY *ecdsa)
 | ||||||
| @ -744,7 +744,7 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x | |||||||
| +		return 1;
 | +		return 1;
 | ||||||
| +	return 0;
 | +	return 0;
 | ||||||
| +}
 | +}
 | ||||||
|  #endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ |  #endif /* defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) */ | ||||||
| 
 | 
 | ||||||
| +int
 | +int
 | ||||||
| +is_rsa_pkcs11(RSA *rsa)
 | +is_rsa_pkcs11(RSA *rsa)
 | ||||||
| @ -762,14 +762,15 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x | |||||||
| +
 | +
 | ||||||
|  /* redirect private key crypto operations to the ssh-pkcs11-helper */ |  /* redirect private key crypto operations to the ssh-pkcs11-helper */ | ||||||
|  static void |  static void | ||||||
|  wrap_key(struct sshkey *k) |  wrap_key(struct helper *helper, struct sshkey *k) | ||||||
| diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/ssh-pkcs11.h openssh-9.3p1-patched/ssh-pkcs11.h
 | diff --git a/ssh-pkcs11.h b/ssh-pkcs11.h
 | ||||||
| --- openssh-9.3p1/ssh-pkcs11.h	2023-06-06 15:53:36.592443989 +0200
 | --- a/ssh-pkcs11.h	(revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
 | ||||||
| +++ openssh-9.3p1-patched/ssh-pkcs11.h	2023-06-06 15:52:25.626551768 +0200
 | +++ b/ssh-pkcs11.h	(date 1703111023334)
 | ||||||
| @@ -39,6 +39,11 @@
 | @@ -38,6 +38,12 @@
 | ||||||
|  	    u_int32_t *); |  /* Only available in ssh-pkcs11-client.c so far */ | ||||||
|  #endif |  int pkcs11_make_cert(const struct sshkey *, | ||||||
|   |      const struct sshkey *, struct sshkey **); | ||||||
|  | +
 | ||||||
| +#ifdef HAVE_EC_KEY_METHOD_NEW
 | +#ifdef HAVE_EC_KEY_METHOD_NEW
 | ||||||
| +int is_ecdsa_pkcs11(EC_KEY *ecdsa);
 | +int is_ecdsa_pkcs11(EC_KEY *ecdsa);
 | ||||||
| +#endif
 | +#endif
 | ||||||
|  | |||||||
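Review bot: The prototype `int is_ecdsa_pkcs11(EC_KEY *ecdsa);` added to ssh-pkcs11.h is guarded by `#ifdef HAVE_EC_KEY_METHOD_NEW` alone. The `#endif` that follows the function's closing brace in ssh-pkcs11-client.c reads `defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)`, so the two conditions appear to differ. A build that defines HAVE_EC_KEY_METHOD_NEW without OPENSSL_HAS_ECC would then declare a function that is never defined, and the sshkey.h context shown includes `<openssl/ec.h>` only under OPENSSL_HAS_ECC. I would give the header the same guard, `#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)`. The function body and its opening `#if` lie in elided parts of the patch, so confirm this against the full file.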
							
								
								
									
										18
									
								
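--- a/openssh.spec
+++ b/openssh.spec
@@ -46,15 +46,15 @@
 %{?static_openssl:%global static_libcrypto 1}
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
-%global openssh_ver 9.3p1
-%global openssh_rel 13
+%global openssh_ver 9.6p1
+%global openssh_rel 1
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 9
 
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
 Version: %{openssh_ver}
-Release: %{openssh_rel}%{?dist}.1
+Release: %{openssh_rel}%{?dist}
 URL: http://www.openssh.com/portable.html
 #URL1: https://github.com/jbeverly/pam_ssh_agent_auth/
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@@ -228,9 +228,6 @@ Patch1006: openssh-8.7p1-negotiate-supported-algs.patch
 Patch1012: openssh-9.0p1-evp-fips-dh.patch
 Patch1013: openssh-9.0p1-evp-fips-ecdh.patch
 Patch1014: openssh-8.7p1-nohostsha1proof.patch
-Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch
-# upstream b7afd8a4ecaca8afd3179b55e9db79c0ff210237
-Patch1016: openssh-9.3p1-openssl-compat.patch
 
 License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
 Requires: /sbin/nologin
@@ -306,7 +303,7 @@ Requires: openssh = %{version}-%{release}
 %package -n pam_ssh_agent_auth
 Summary: PAM module for authentication with ssh-agent
 Version: %{pam_ssh_agent_ver}
-Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.1
+Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}
 License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant AND OpenSSL
 
 %description
@@ -433,8 +430,6 @@ popd
 %patch -P 1012 -p1 -b .evp-fips-dh
 %patch -P 1013 -p1 -b .evp-fips-ecdh
 %patch -P 1014 -p1 -b .nosha1hostproof
-%patch -P 1015 -p1 -b .cve-2023-38408
-%patch -P 1016 -p1 -b .ossl-version
 
 %patch -P 100 -p1 -b .coverity
 
@@ -744,6 +739,11 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
+* Tue Dec 26 2023 Daniel Milnes <daniel@daniel-milnes.uk> - 9.6p1-1
+- Update to OpenSSH 9.6
+  Original patches from https://src.fedoraproject.org/rpms/openssh/pull-request/63
+  Tuned by Dmitry Belyavskiy for GSS and PKCS#11 URI processing
+
 * Fri Dec 22 2023 Florian Weimer <fweimer@redhat.com> - 9.3p1-13.1
 - Fix type errors in downstream gssapi-keyex patch
 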
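Review bot: The new 9.6p1-1 changelog entry does not record that Patch1015 (`openssh-9.3p1-upstream-cve-2023-38408.patch`) and Patch1016 (`openssh-9.3p1-openssl-compat.patch`) are removed together with their `%patch -P 1015` and `%patch -P 1016` lines. Anyone auditing the package for the CVE-2023-38408 fix will no longer find it by name in the spec, and nothing in the entry says where the fix now comes from. I would add a line such as `- Drop cve-2023-38408 and openssl-compat patches, included in the 9.6p1 tarball`. That wording assumes both changes are part of the upstream release, which should be confirmed before merging.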
							
								
								
									
										4
									
								
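--- a/sources
+++ b/sources
@@ -1,4 +1,4 @@
-SHA512 (openssh-9.3p1.tar.gz) = 087ff6fe5f6caab4c6c3001d906399e02beffad7277280f11187420c2939fd4befdcb14643862a657ce4cad2f115b82a0a1a2c99df6ee54dcd76b53647637c19
-SHA512 (openssh-9.3p1.tar.gz.asc) = 6222378eb24a445c6c1db255392b405f5369b1af0e92f558d4ba05b0d83ab0d084cb8f4b91d7ae8636f333d970638a6635e2bc7af885135dd34992d87f2ef1f4
+SHA512 (openssh-9.6p1.tar.gz) = 0ebf81e39914c3a90d7777a001ec7376a94b37e6024baf3e972c58f0982b7ddef942315f5e01d56c00ff95603b4a20ee561ab918ecc55511df007ac138160509
+SHA512 (openssh-9.6p1.tar.gz.asc) = aec5a5bd6ce480a8e5b5879dc55f8186aec90fe61f085aa92ad7d07f324574aa781be09c83b7443a32848d091fd44fb12c1842d49cee77afc351e550ffcc096d
 SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2
 SHA512 (gpgkey-736060BA.gpg) = df44f3fdbcd1d596705348c7f5aed3f738c5f626a55955e0642f7c6c082995cf36a1b1891bb41b8715cb2aff34fef1c877e0eff0d3507dd00a055ba695757a21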