Applying patches to rebase to OpenSSH 9.6p1
Based on Damien Milnes' PR (https://src.fedoraproject.org/rpms/openssh/pull-request/63). Also rebases openssh-8.0p1-pkcs11-uri.patch to 9.6 (by Dmitry Belyavskiy).
parent
87ae5d1d5a
commit
f238307bdf
2
.gitignore
vendored
2
.gitignore
vendored
@ -58,3 +58,5 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
|
|||||||
/openssh-9.0p1.tar.gz.asc
|
/openssh-9.0p1.tar.gz.asc
|
||||||
/openssh-9.3p1.tar.gz
|
/openssh-9.3p1.tar.gz
|
||||||
/openssh-9.3p1.tar.gz.asc
|
/openssh-9.3p1.tar.gz.asc
|
||||||
|
/openssh-9.6p1.tar.gz
|
||||||
|
/openssh-9.6p1.tar.gz.asc
|
||||||
|
@ -93,19 +93,17 @@ index 8f32464..18a2ca4 100644
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
|
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
|
||||||
index 22ea8ef..1fc963d 100644
|
--- a/openbsd-compat/port-linux.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
|
||||||
--- a/openbsd-compat/port-linux.c
|
+++ b/openbsd-compat/port-linux.c (date 1703108053912)
|
||||||
+++ b/openbsd-compat/port-linux.c
|
@@ -207,7 +207,7 @@
|
||||||
@@ -179,7 +179,7 @@ ssh_selinux_change_context(const char *newname)
|
xasprintf(&newctx, "%.*s%s%s", (int)(cx - oldctx + 1), oldctx,
|
||||||
strlcpy(newctx + len, newname, newlen - len);
|
newname, cx2 == NULL ? "" : cx2);
|
||||||
if ((cx = index(cx + 1, ':')))
|
|
||||||
strlcat(newctx, cx, newlen);
|
- debug3_f("setting context from '%s' to '%s'", oldctx, newctx);
|
||||||
- debug3("%s: setting context from '%s' to '%s'", __func__,
|
+ debug_f("setting context from '%s' to '%s'", oldctx, newctx);
|
||||||
+ debug_f("setting context from '%s' to '%s'",
|
|
||||||
oldctx, newctx);
|
|
||||||
if (setcon(newctx) < 0)
|
if (setcon(newctx) < 0)
|
||||||
do_log2(log_level, "%s: setcon %s from %s failed with %s",
|
do_log2_f(log_level, "setcon %s from %s failed with %s",
|
||||||
__func__, newctx, oldctx, strerror(errno));
|
newctx, oldctx, strerror(errno));
|
||||||
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
|
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
|
||||||
index cb51f99..8b7cda2 100644
|
index cb51f99..8b7cda2 100644
|
||||||
--- a/openbsd-compat/port-linux.h
|
--- a/openbsd-compat/port-linux.h
|
||||||
|
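Review bot: The rebased port-linux.c hunk replaces its `diff --git` / `index 22ea8ef..1fc963d 100644` header with IDE-generated `--- a/openbsd-compat/port-linux.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)` / `+++ b/openbsd-compat/port-linux.c (date 1703108053912)` lines and a bare `@@ -207,7 +207,7 @@` that drops the function context the previous version carried (`ssh_selinux_change_context`). The millisecond `(date …)` stamp turns every regeneration into a spurious diff and the missing funcname makes the hunk harder to check against upstream; regenerating with `git diff` or `git format-patch`, as the untouched hunks around it were, would restore the `index` line and the function context. The same header form appears in the channels.c, packet.h/packet.c, readconf.c/servconf.c and scp.c/sftp-client.c/sftp.c sections further down. Whether the spec's patch application tolerates the trailing `(revision …)` text after the file name cannot be seen here and is worth confirming in a scratch build.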
@ -17,17 +17,6 @@ diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c
|
|||||||
return oerrno;
|
return oerrno;
|
||||||
}
|
}
|
||||||
/* make sure the KRB5CCNAME is set for non-standard location */
|
/* make sure the KRB5CCNAME is set for non-standard location */
|
||||||
diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c
|
|
||||||
--- openssh-8.5p1/auth-options.c.coverity 2021-03-02 11:31:47.000000000 +0100
|
|
||||||
+++ openssh-8.5p1/auth-options.c 2021-03-24 12:03:33.782968159 +0100
|
|
||||||
@@ -706,6 +708,7 @@ serialise_array(struct sshbuf *m, char *
|
|
||||||
return r;
|
|
||||||
}
|
|
||||||
/* success */
|
|
||||||
+ sshbuf_free(b);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c
|
diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c
|
||||||
--- openssh-8.5p1/gss-genr.c.coverity 2021-03-26 11:52:46.613942552 +0100
|
--- openssh-8.5p1/gss-genr.c.coverity 2021-03-26 11:52:46.613942552 +0100
|
||||||
+++ openssh-8.5p1/gss-genr.c 2021-03-26 11:54:37.881726318 +0100
|
+++ openssh-8.5p1/gss-genr.c 2021-03-26 11:54:37.881726318 +0100
|
||||||
@ -45,14 +34,6 @@ diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c
|
|||||||
diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c
|
diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c
|
||||||
--- openssh-8.5p1/krl.c.coverity 2021-03-02 11:31:47.000000000 +0100
|
--- openssh-8.5p1/krl.c.coverity 2021-03-02 11:31:47.000000000 +0100
|
||||||
+++ openssh-8.5p1/krl.c 2021-03-24 12:03:33.783968166 +0100
|
+++ openssh-8.5p1/krl.c 2021-03-24 12:03:33.783968166 +0100
|
||||||
@@ -1209,6 +1209,7 @@ ssh_krl_from_blob(struct sshbuf *buf, st
|
|
||||||
sshkey_free(key);
|
|
||||||
sshbuf_free(copy);
|
|
||||||
sshbuf_free(sect);
|
|
||||||
+ /* coverity[leaked_storage : FALSE] */
|
|
||||||
return r;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1261,6 +1262,7 @@ is_key_revoked(struct ssh_krl *krl, cons
|
@@ -1261,6 +1262,7 @@ is_key_revoked(struct ssh_krl *krl, cons
|
||||||
return r;
|
return r;
|
||||||
erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb);
|
erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb);
|
||||||
@ -149,23 +130,6 @@ diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
|
|||||||
return (0);
|
return (0);
|
||||||
|
|
||||||
error:
|
error:
|
||||||
diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
|
|
||||||
--- openssh-7.4p1/monitor_wrap.c.coverity 2016-12-23 16:40:26.892788689 +0100
|
|
||||||
+++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:40:26.900788691 +0100
|
|
||||||
@@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
|
|
||||||
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
|
|
||||||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) {
|
|
||||||
error_f("cannot allocate fds for pty");
|
|
||||||
- if (tmp1 > 0)
|
|
||||||
+ if (tmp1 >= 0)
|
|
||||||
close(tmp1);
|
|
||||||
- if (tmp2 > 0)
|
|
||||||
- close(tmp2);
|
|
||||||
+ /*DEAD CODE if (tmp2 >= 0)
|
|
||||||
+ close(tmp2);*/
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
close(tmp1);
|
|
||||||
diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/openbsd-compat/bindresvport.c
|
diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/openbsd-compat/bindresvport.c
|
||||||
--- openssh-7.4p1/openbsd-compat/bindresvport.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
--- openssh-7.4p1/openbsd-compat/bindresvport.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
||||||
+++ openssh-7.4p1/openbsd-compat/bindresvport.c 2016-12-23 16:40:26.901788691 +0100
|
+++ openssh-7.4p1/openbsd-compat/bindresvport.c 2016-12-23 16:40:26.901788691 +0100
|
||||||
@ -219,23 +183,6 @@ diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c
|
|||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
free(arg2);
|
free(arg2);
|
||||||
diff -up openssh-8.7p1/scp.c.coverity openssh-8.7p1/scp.c
|
|
||||||
--- openssh-8.7p1/scp.c.coverity 2021-08-30 16:23:35.389741329 +0200
|
|
||||||
+++ openssh-8.7p1/scp.c 2021-08-30 16:27:04.854555296 +0200
|
|
||||||
@@ -186,11 +186,11 @@ killchild(int signo)
|
|
||||||
{
|
|
||||||
if (do_cmd_pid > 1) {
|
|
||||||
kill(do_cmd_pid, signo ? signo : SIGTERM);
|
|
||||||
- waitpid(do_cmd_pid, NULL, 0);
|
|
||||||
+ (void) waitpid(do_cmd_pid, NULL, 0);
|
|
||||||
}
|
|
||||||
if (do_cmd_pid2 > 1) {
|
|
||||||
kill(do_cmd_pid2, signo ? signo : SIGTERM);
|
|
||||||
- waitpid(do_cmd_pid2, NULL, 0);
|
|
||||||
+ (void) waitpid(do_cmd_pid2, NULL, 0);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (signo)
|
|
||||||
diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
|
diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
|
||||||
--- openssh-7.4p1/servconf.c.coverity 2016-12-23 16:40:26.896788690 +0100
|
--- openssh-7.4p1/servconf.c.coverity 2016-12-23 16:40:26.896788690 +0100
|
||||||
+++ openssh-7.4p1/servconf.c 2016-12-23 16:40:26.901788691 +0100
|
+++ openssh-7.4p1/servconf.c 2016-12-23 16:40:26.901788691 +0100
|
||||||
@ -263,18 +210,6 @@ diff -up openssh-8.7p1/serverloop.c.coverity openssh-8.7p1/serverloop.c
|
|||||||
if (tun != SSH_TUNID_ANY &&
|
if (tun != SSH_TUNID_ANY &&
|
||||||
auth_opts->force_tun_device != (int)tun)
|
auth_opts->force_tun_device != (int)tun)
|
||||||
goto done;
|
goto done;
|
||||||
diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
|
|
||||||
--- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
|
||||||
+++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100
|
|
||||||
@@ -224,7 +224,7 @@ killchild(int signo)
|
|
||||||
pid = sshpid;
|
|
||||||
if (pid > 1) {
|
|
||||||
kill(pid, SIGTERM);
|
|
||||||
- waitpid(pid, NULL, 0);
|
|
||||||
+ (void) waitpid(pid, NULL, 0);
|
|
||||||
}
|
|
||||||
|
|
||||||
_exit(1);
|
|
||||||
diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
|
diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
|
||||||
--- openssh-7.4p1/ssh-agent.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
--- openssh-7.4p1/ssh-agent.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
||||||
+++ openssh-7.4p1/ssh-agent.c 2016-12-23 16:40:26.903788691 +0100
|
+++ openssh-7.4p1/ssh-agent.c 2016-12-23 16:40:26.903788691 +0100
|
||||||
@ -286,28 +221,6 @@ diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
|
|||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
/* validate also provider from URI */
|
/* validate also provider from URI */
|
||||||
@@ -1220,8 +1220,8 @@ main(int ac, char **av)
|
|
||||||
sanitise_stdfd();
|
|
||||||
|
|
||||||
/* drop */
|
|
||||||
- setegid(getgid());
|
|
||||||
- setgid(getgid());
|
|
||||||
+ (void) setegid(getgid());
|
|
||||||
+ (void) setgid(getgid());
|
|
||||||
|
|
||||||
platform_disable_tracing(0); /* strict=no */
|
|
||||||
|
|
||||||
diff -up openssh-8.5p1/ssh.c.coverity openssh-8.5p1/ssh.c
|
|
||||||
--- openssh-8.5p1/ssh.c.coverity 2021-03-24 12:03:33.779968138 +0100
|
|
||||||
+++ openssh-8.5p1/ssh.c 2021-03-24 12:03:33.786968187 +0100
|
|
||||||
@@ -1746,6 +1746,7 @@ control_persist_detach(void)
|
|
||||||
close(muxserver_sock);
|
|
||||||
muxserver_sock = -1;
|
|
||||||
options.control_master = SSHCTL_MASTER_NO;
|
|
||||||
+ /* coverity[leaked_handle: FALSE]*/
|
|
||||||
muxclient(options.control_path);
|
|
||||||
/* muxclient() doesn't return on success. */
|
|
||||||
fatal("Failed to connect to new control master");
|
|
||||||
diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
|
diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
|
||||||
--- openssh-7.4p1/sshd.c.coverity 2016-12-23 16:40:26.897788690 +0100
|
--- openssh-7.4p1/sshd.c.coverity 2016-12-23 16:40:26.897788690 +0100
|
||||||
+++ openssh-7.4p1/sshd.c 2016-12-23 16:40:26.904788692 +0100
|
+++ openssh-7.4p1/sshd.c 2016-12-23 16:40:26.904788692 +0100
|
||||||
|
@ -1,21 +1,23 @@
|
|||||||
diff -up openssh-7.2p2/channels.c.x11 openssh-7.2p2/channels.c
|
diff --git a/channels.c b/channels.c
|
||||||
--- openssh-7.2p2/channels.c.x11 2016-03-09 19:04:48.000000000 +0100
|
--- a/channels.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
|
||||||
+++ openssh-7.2p2/channels.c 2016-06-03 10:42:04.775164520 +0200
|
+++ b/channels.c (date 1703026069921)
|
||||||
@@ -3990,21 +3990,24 @@ x11_create_display_inet(int x11_display_
|
@@ -5075,11 +5075,13 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
-connect_local_xsocket_path(const char *pathname)
|
-connect_local_xsocket_path(const char *pathname)
|
||||||
+connect_local_xsocket_path(const char *pathname, int len)
|
+connect_local_xsocket_path(const char *pathname, int len)
|
||||||
{
|
{
|
||||||
int sock;
|
int sock;
|
||||||
struct sockaddr_un addr;
|
struct sockaddr_un addr;
|
||||||
|
|
||||||
+ if (len <= 0)
|
+ if (len <= 0)
|
||||||
+ return -1;
|
+ return -1;
|
||||||
sock = socket(AF_UNIX, SOCK_STREAM, 0);
|
sock = socket(AF_UNIX, SOCK_STREAM, 0);
|
||||||
if (sock == -1)
|
if (sock == -1) {
|
||||||
error("socket: %.100s", strerror(errno));
|
error("socket: %.100s", strerror(errno));
|
||||||
|
@@ -5087,11 +5089,12 @@
|
||||||
|
}
|
||||||
memset(&addr, 0, sizeof(addr));
|
memset(&addr, 0, sizeof(addr));
|
||||||
addr.sun_family = AF_UNIX;
|
addr.sun_family = AF_UNIX;
|
||||||
- strlcpy(addr.sun_path, pathname, sizeof addr.sun_path);
|
- strlcpy(addr.sun_path, pathname, sizeof addr.sun_path);
|
||||||
@ -29,8 +31,8 @@ diff -up openssh-7.2p2/channels.c.x11 openssh-7.2p2/channels.c
|
|||||||
- error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
|
- error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -4012,8 +4015,18 @@ static int
|
@@ -5099,8 +5102,18 @@
|
||||||
connect_local_xsocket(u_int dnr)
|
connect_local_xsocket(u_int dnr)
|
||||||
{
|
{
|
||||||
char buf[1024];
|
char buf[1024];
|
||||||
|
@ -23,7 +23,7 @@ diff -up openssh/auth2.c.role-mls openssh/auth2.c
|
|||||||
if ((style = strchr(user, ':')) != NULL)
|
if ((style = strchr(user, ':')) != NULL)
|
||||||
*style++ = 0;
|
*style++ = 0;
|
||||||
|
|
||||||
@@ -296,8 +304,15 @@ input_userauth_request(int type, u_int32
|
@@ -314,8 +314,15 @@ input_userauth_request(int type, u_int32
|
||||||
use_privsep ? " [net]" : "");
|
use_privsep ? " [net]" : "");
|
||||||
authctxt->service = xstrdup(service);
|
authctxt->service = xstrdup(service);
|
||||||
authctxt->style = style ? xstrdup(style) : NULL;
|
authctxt->style = style ? xstrdup(style) : NULL;
|
||||||
@ -34,12 +34,12 @@ diff -up openssh/auth2.c.role-mls openssh/auth2.c
|
|||||||
+ if (use_privsep) {
|
+ if (use_privsep) {
|
||||||
mm_inform_authserv(service, style);
|
mm_inform_authserv(service, style);
|
||||||
+#ifdef WITH_SELINUX
|
+#ifdef WITH_SELINUX
|
||||||
+ mm_inform_authrole(role);
|
+ mm_inform_authrole(role);
|
||||||
+#endif
|
+#endif
|
||||||
+ }
|
+ }
|
||||||
userauth_banner(ssh);
|
userauth_banner(ssh);
|
||||||
if (auth2_setup_methods_lists(authctxt) != 0)
|
if ((r = kex_server_update_ext_info(ssh)) != 0)
|
||||||
ssh_packet_disconnect(ssh,
|
fatal_fr(r, "kex_server_update_ext_info failed");
|
||||||
diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
|
diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
|
||||||
--- openssh/auth2-gss.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
--- openssh/auth2-gss.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||||
+++ openssh/auth2-gss.c 2018-08-22 11:15:42.459799171 +0200
|
+++ openssh/auth2-gss.c 2018-08-22 11:15:42.459799171 +0200
|
||||||
|
@ -144,8 +144,8 @@ index 9351e042..d6446c0c 100644
|
|||||||
--- a/auth2-gss.c
|
--- a/auth2-gss.c
|
||||||
+++ b/auth2-gss.c
|
+++ b/auth2-gss.c
|
||||||
@@ -1,7 +1,7 @@
|
@@ -1,7 +1,7 @@
|
||||||
/* $OpenBSD: auth2-gss.c,v 1.33 2021/12/19 22:12:07 djm Exp $ */
|
/* $OpenBSD: auth2-gss.c,v 1.34 2023/03/31 04:22:27 djm Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
||||||
+ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
|
+ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
|
||||||
@ -1268,7 +1268,7 @@ index ce85f043..574c7609 100644
|
|||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
/* prototype */
|
/* prototype */
|
||||||
static int kex_choose_conf(struct ssh *);
|
static int kex_choose_conf(struct ssh *, uint32_t seq);
|
||||||
static int kex_input_newkeys(int, u_int32_t, struct ssh *);
|
static int kex_input_newkeys(int, u_int32_t, struct ssh *);
|
||||||
@@ -115,15 +120,28 @@ static const struct kexalg kexalgs[] = {
|
@@ -115,15 +120,28 @@ static const struct kexalg kexalgs[] = {
|
||||||
#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
|
#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
|
||||||
@ -3400,7 +3400,7 @@ index 60de6087..db5c65bc 100644
|
|||||||
.It HashKnownHosts
|
.It HashKnownHosts
|
||||||
.It Host
|
.It Host
|
||||||
.It HostbasedAcceptedAlgorithms
|
.It HostbasedAcceptedAlgorithms
|
||||||
@@ -579,6 +585,8 @@ flag),
|
@@ -624,6 +624,8 @@
|
||||||
(supported message integrity codes),
|
(supported message integrity codes),
|
||||||
.Ar kex
|
.Ar kex
|
||||||
(key exchange algorithms),
|
(key exchange algorithms),
|
||||||
@ -3408,7 +3408,7 @@ index 60de6087..db5c65bc 100644
|
|||||||
+(GSSAPI key exchange algorithms),
|
+(GSSAPI key exchange algorithms),
|
||||||
.Ar key
|
.Ar key
|
||||||
(key types),
|
(key types),
|
||||||
.Ar key-cert
|
.Ar key-ca-sign
|
||||||
diff --git a/ssh.c b/ssh.c
|
diff --git a/ssh.c b/ssh.c
|
||||||
index 15aee569..110cf9c1 100644
|
index 15aee569..110cf9c1 100644
|
||||||
--- a/ssh.c
|
--- a/ssh.c
|
||||||
@ -3444,7 +3444,7 @@ index 5e8ef548..1ff999b6 100644
|
|||||||
+# GSSAPIKeyExchange no
|
+# GSSAPIKeyExchange no
|
||||||
+# GSSAPITrustDNS no
|
+# GSSAPITrustDNS no
|
||||||
# BatchMode no
|
# BatchMode no
|
||||||
# CheckHostIP yes
|
# CheckHostIP no
|
||||||
# AddressFamily any
|
# AddressFamily any
|
||||||
diff --git a/ssh_config.5 b/ssh_config.5
|
diff --git a/ssh_config.5 b/ssh_config.5
|
||||||
index 06a32d31..3f490697 100644
|
index 06a32d31..3f490697 100644
|
||||||
@ -4028,3 +4028,47 @@ index 71a3fddc..37a43a67 100644
|
|||||||
KEY_UNSPEC
|
KEY_UNSPEC
|
||||||
};
|
};
|
||||||
|
|
||||||
|
diff --git a/packet.h b/packet.h
|
||||||
|
--- a/packet.h (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
|
||||||
|
+++ b/packet.h (date 1703172586447)
|
||||||
|
@@ -124,6 +124,7 @@
|
||||||
|
int ssh_packet_send2(struct ssh *);
|
||||||
|
|
||||||
|
int ssh_packet_read(struct ssh *);
|
||||||
|
+int ssh_packet_read_expect(struct ssh *, u_int type);
|
||||||
|
int ssh_packet_read_poll(struct ssh *);
|
||||||
|
int ssh_packet_read_poll2(struct ssh *, u_char *, u_int32_t *seqnr_p);
|
||||||
|
int ssh_packet_process_incoming(struct ssh *, const char *buf, u_int len);
|
||||||
|
diff --git a/packet.c b/packet.c
|
||||||
|
--- a/packet.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
|
||||||
|
+++ b/packet.c (date 1703172586447)
|
||||||
|
@@ -1425,6 +1416,29 @@
|
||||||
|
return type;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * Waits until a packet has been received, verifies that its type matches
|
||||||
|
+ * that given, and gives a fatal error and exits if there is a mismatch.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+int
|
||||||
|
+ssh_packet_read_expect(struct ssh *ssh, u_int expected_type)
|
||||||
|
+{
|
||||||
|
+ int r;
|
||||||
|
+ u_char type;
|
||||||
|
+
|
||||||
|
+ if ((r = ssh_packet_read_seqnr(ssh, &type, NULL)) != 0)
|
||||||
|
+ return r;
|
||||||
|
+ if (type != expected_type) {
|
||||||
|
+ if ((r = sshpkt_disconnect(ssh,
|
||||||
|
+ "Protocol error: expected packet type %d, got %d",
|
||||||
|
+ expected_type, type)) != 0)
|
||||||
|
+ return r;
|
||||||
|
+ return SSH_ERR_PROTOCOL_ERROR;
|
||||||
|
+ }
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static int
|
||||||
|
ssh_packet_read_poll2_mux(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
|
||||||
|
{
|
||||||
|
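Review bot: The block comment added above `ssh_packet_read_expect()` in the packet.c hunk says the function "gives a fatal error and exits if there is a mismatch", but the body never calls fatal(): on a type mismatch it sends a disconnect through `sshpkt_disconnect()` and returns `SSH_ERR_PROTOCOL_ERROR` (or the disconnect's own error), and a failing `ssh_packet_read_seqnr()` is likewise returned to the caller, so callers must check the return value. I would replace the comment with one stating that contract: `/* Read the next packet and check that its type is expected_type. Returns 0 on match; on mismatch sends a disconnect and returns SSH_ERR_PROTOCOL_ERROR, and any read/disconnect error is passed through. */`. In the disconnect message `"Protocol error: expected packet type %d, got %d"` the first argument is the `u_int expected_type`, so `%u` is the matching conversion. The new packet.h prototype `int ssh_packet_read_expect(struct ssh *, u_int type);` names only its second parameter while the neighbouring declarations leave theirs unnamed; the callers of the function are outside this hunk, so whether they treat a non-zero return as fatal cannot be checked here.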
@ -1,23 +1,21 @@
|
|||||||
diff --git a/readconf.c b/readconf.c
|
diff --git a/readconf.c b/readconf.c
|
||||||
index 7f26c680..42be690b 100644
|
--- a/readconf.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
|
||||||
--- a/readconf.c
|
+++ b/readconf.c (date 1703169891147)
|
||||||
+++ b/readconf.c
|
@@ -326,6 +326,7 @@
|
||||||
@@ -320,6 +320,7 @@ static struct {
|
|
||||||
{ "securitykeyprovider", oSecurityKeyProvider },
|
{ "securitykeyprovider", oSecurityKeyProvider },
|
||||||
{ "knownhostscommand", oKnownHostsCommand },
|
{ "knownhostscommand", oKnownHostsCommand },
|
||||||
{ "requiredrsasize", oRequiredRSASize },
|
{ "requiredrsasize", oRequiredRSASize },
|
||||||
+ { "rsaminsize", oRequiredRSASize }, /* alias */
|
+ { "rsaminsize", oRequiredRSASize }, /* alias */
|
||||||
{ "enableescapecommandline", oEnableEscapeCommandline },
|
{ "enableescapecommandline", oEnableEscapeCommandline },
|
||||||
|
{ "obscurekeystroketiming", oObscureKeystrokeTiming },
|
||||||
{ NULL, oBadOption }
|
{ "channeltimeout", oChannelTimeout },
|
||||||
diff --git a/servconf.c b/servconf.c
|
diff --git a/servconf.c b/servconf.c
|
||||||
index 29df0463..423772b1 100644
|
--- a/servconf.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
|
||||||
--- a/servconf.c
|
+++ b/servconf.c (date 1703169891148)
|
||||||
+++ b/servconf.c
|
@@ -691,6 +691,7 @@
|
||||||
@@ -676,6 +680,7 @@ static struct {
|
|
||||||
{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
|
{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
|
||||||
{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
|
{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
|
||||||
{ "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },
|
{ "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },
|
||||||
+ { "rsaminsize", sRequiredRSASize, SSHCFG_ALL }, /* alias */
|
+ { "rsaminsize", sRequiredRSASize, SSHCFG_ALL }, /* alias */
|
||||||
{ "channeltimeout", sChannelTimeout, SSHCFG_ALL },
|
{ "channeltimeout", sChannelTimeout, SSHCFG_ALL },
|
||||||
{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
|
{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
|
||||||
|
@ -1,28 +1,28 @@
|
|||||||
diff -up openssh-8.7p1/scp.c.scp-sftpdirs openssh-8.7p1/scp.c
|
diff --git a/scp.c b/scp.c
|
||||||
--- openssh-8.7p1/scp.c.scp-sftpdirs 2022-02-07 12:31:07.407740407 +0100
|
--- a/scp.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
|
||||||
+++ openssh-8.7p1/scp.c 2022-02-07 12:31:07.409740424 +0100
|
+++ b/scp.c (date 1703111453316)
|
||||||
@@ -1324,7 +1324,7 @@ source_sftp(int argc, char *src, char *t
|
@@ -1372,7 +1372,7 @@
|
||||||
|
|
||||||
if (src_is_dir && iamrecursive) {
|
if (src_is_dir && iamrecursive) {
|
||||||
if (upload_dir(conn, src, abs_dst, pflag,
|
if (sftp_upload_dir(conn, src, abs_dst, pflag,
|
||||||
- SFTP_PROGRESS_ONLY, 0, 0, 1, 1) != 0) {
|
- SFTP_PROGRESS_ONLY, 0, 0, 1, 1) != 0) {
|
||||||
+ SFTP_PROGRESS_ONLY, 0, 0, 1, 1, 1) != 0) {
|
+ SFTP_PROGRESS_ONLY, 0, 0, 1, 1, 1) != 0) {
|
||||||
error("failed to upload directory %s to %s", src, targ);
|
error("failed to upload directory %s to %s", src, targ);
|
||||||
errs = 1;
|
errs = 1;
|
||||||
}
|
}
|
||||||
diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c
|
diff --git a/sftp-client.c b/sftp-client.c
|
||||||
--- openssh-8.7p1/sftp-client.c.scp-sftpdirs 2021-08-20 06:03:49.000000000 +0200
|
--- a/sftp-client.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
|
||||||
+++ openssh-8.7p1/sftp-client.c 2022-02-07 12:47:59.117516131 +0100
|
+++ b/sftp-client.c (date 1703169614263)
|
||||||
@@ -971,7 +971,7 @@ do_fsetstat(struct sftp_conn *conn, cons
|
@@ -1003,7 +1003,7 @@
|
||||||
|
|
||||||
/* Implements both the realpath and expand-path operations */
|
/* Implements both the realpath and expand-path operations */
|
||||||
static char *
|
static char *
|
||||||
-do_realpath_expand(struct sftp_conn *conn, const char *path, int expand)
|
-sftp_realpath_expand(struct sftp_conn *conn, const char *path, int expand)
|
||||||
+do_realpath_expand(struct sftp_conn *conn, const char *path, int expand, int create_dir)
|
+sftp_realpath_expand(struct sftp_conn *conn, const char *path, int expand, int create_dir)
|
||||||
{
|
{
|
||||||
struct sshbuf *msg;
|
struct sshbuf *msg;
|
||||||
u_int expected_id, count, id;
|
u_int expected_id, count, id;
|
||||||
@@ -1033,11 +1033,43 @@ do_realpath_expand(struct sftp_conn *con
|
@@ -1049,11 +1049,43 @@
|
||||||
if ((r = sshbuf_get_u32(msg, &status)) != 0 ||
|
if ((r = sshbuf_get_u32(msg, &status)) != 0 ||
|
||||||
(r = sshbuf_get_cstring(msg, &errmsg, NULL)) != 0)
|
(r = sshbuf_get_cstring(msg, &errmsg, NULL)) != 0)
|
||||||
fatal_fr(r, "parse status");
|
fatal_fr(r, "parse status");
|
||||||
@ -33,7 +33,7 @@ diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c
|
|||||||
- return NULL;
|
- return NULL;
|
||||||
+ if ((status == SSH2_FX_NO_SUCH_FILE) && create_dir) {
|
+ if ((status == SSH2_FX_NO_SUCH_FILE) && create_dir) {
|
||||||
+ memset(&a, '\0', sizeof(a));
|
+ memset(&a, '\0', sizeof(a));
|
||||||
+ if ((r = do_mkdir(conn, path, &a, 0)) != 0) {
|
+ if ((r = sftp_mkdir(conn, path, &a, 0)) != 0) {
|
||||||
+ sshbuf_free(msg);
|
+ sshbuf_free(msg);
|
||||||
+ return NULL;
|
+ return NULL;
|
||||||
+ }
|
+ }
|
||||||
@ -71,111 +71,112 @@ diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c
|
|||||||
} else if (type != SSH2_FXP_NAME)
|
} else if (type != SSH2_FXP_NAME)
|
||||||
fatal("Expected SSH2_FXP_NAME(%u) packet, got %u",
|
fatal("Expected SSH2_FXP_NAME(%u) packet, got %u",
|
||||||
SSH2_FXP_NAME, type);
|
SSH2_FXP_NAME, type);
|
||||||
@@ -1039,9 +1067,9 @@ do_realpath_expand(struct sftp_conn *con
|
@@ -1078,9 +1110,9 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
char *
|
char *
|
||||||
-do_realpath(struct sftp_conn *conn, const char *path)
|
-sftp_realpath(struct sftp_conn *conn, const char *path)
|
||||||
+do_realpath(struct sftp_conn *conn, const char *path, int create_dir)
|
+sftp_realpath(struct sftp_conn *conn, const char *path, int create_dir)
|
||||||
{
|
{
|
||||||
- return do_realpath_expand(conn, path, 0);
|
- return sftp_realpath_expand(conn, path, 0);
|
||||||
+ return do_realpath_expand(conn, path, 0, create_dir);
|
+ return sftp_realpath_expand(conn, path, 0, create_dir);
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
@@ -1055,9 +1083,9 @@ do_expand_path(struct sftp_conn *conn, c
|
@@ -1094,9 +1126,9 @@
|
||||||
{
|
{
|
||||||
if (!can_expand_path(conn)) {
|
if (!sftp_can_expand_path(conn)) {
|
||||||
debug3_f("no server support, fallback to realpath");
|
debug3_f("no server support, fallback to realpath");
|
||||||
- return do_realpath_expand(conn, path, 0);
|
- return sftp_realpath_expand(conn, path, 0);
|
||||||
+ return do_realpath_expand(conn, path, 0, 0);
|
+ return sftp_realpath_expand(conn, path, 0, 0);
|
||||||
}
|
}
|
||||||
- return do_realpath_expand(conn, path, 1);
|
- return sftp_realpath_expand(conn, path, 1);
|
||||||
+ return do_realpath_expand(conn, path, 1, 0);
|
+ return sftp_realpath_expand(conn, path, 1, 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
@@ -1807,7 +1835,7 @@ download_dir(struct sftp_conn *conn, con
|
@@ -2016,7 +2048,7 @@
|
||||||
char *src_canon;
|
char *src_canon;
|
||||||
int ret;
|
int ret;
|
||||||
|
|
||||||
- if ((src_canon = do_realpath(conn, src)) == NULL) {
|
- if ((src_canon = sftp_realpath(conn, src)) == NULL) {
|
||||||
+ if ((src_canon = do_realpath(conn, src, 0)) == NULL) {
|
+ if ((src_canon = sftp_realpath(conn, src, 0)) == NULL) {
|
||||||
error("download \"%s\": path canonicalization failed", src);
|
error("download \"%s\": path canonicalization failed", src);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
@@ -2115,12 +2143,12 @@ upload_dir_internal(struct sftp_conn *co
|
@@ -2365,12 +2397,12 @@
|
||||||
int
|
int
|
||||||
upload_dir(struct sftp_conn *conn, const char *src, const char *dst,
|
sftp_upload_dir(struct sftp_conn *conn, const char *src, const char *dst,
|
||||||
int preserve_flag, int print_flag, int resume, int fsync_flag,
|
int preserve_flag, int print_flag, int resume, int fsync_flag,
|
||||||
- int follow_link_flag, int inplace_flag)
|
- int follow_link_flag, int inplace_flag)
|
||||||
+ int follow_link_flag, int inplace_flag, int create_dir)
|
+ int follow_link_flag, int inplace_flag, int create_dir)
|
||||||
{
|
{
|
||||||
char *dst_canon;
|
char *dst_canon;
|
||||||
int ret;
|
int ret;
|
||||||
|
|
||||||
- if ((dst_canon = do_realpath(conn, dst)) == NULL) {
|
- if ((dst_canon = sftp_realpath(conn, dst)) == NULL) {
|
||||||
+ if ((dst_canon = do_realpath(conn, dst, create_dir)) == NULL) {
|
+ if ((dst_canon = sftp_realpath(conn, dst, create_dir)) == NULL) {
|
||||||
error("upload \"%s\": path canonicalization failed", dst);
|
error("upload \"%s\": path canonicalization failed", dst);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
@@ -2557,7 +2585,7 @@ crossload_dir(struct sftp_conn *from, st
|
@@ -2825,7 +2857,7 @@
|
||||||
char *from_path_canon;
|
char *from_path_canon;
|
||||||
int ret;
|
int ret;
|
||||||
|
|
||||||
- if ((from_path_canon = do_realpath(from, from_path)) == NULL) {
|
- if ((from_path_canon = sftp_realpath(from, from_path)) == NULL) {
|
||||||
+ if ((from_path_canon = do_realpath(from, from_path, 0)) == NULL) {
|
+ if ((from_path_canon = sftp_realpath(from, from_path, 0)) == NULL) {
|
||||||
error("crossload \"%s\": path canonicalization failed",
|
error("crossload \"%s\": path canonicalization failed",
|
||||||
from_path);
|
from_path);
|
||||||
return -1;
|
return -1;
|
||||||
diff -up openssh-8.7p1/sftp-client.h.scp-sftpdirs openssh-8.7p1/sftp-client.h
|
diff --git a/sftp-client.h b/sftp-client.h
|
||||||
--- openssh-8.7p1/sftp-client.h.scp-sftpdirs 2021-08-20 06:03:49.000000000 +0200
|
--- a/sftp-client.h (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
|
||||||
+++ openssh-8.7p1/sftp-client.h 2022-02-07 12:31:07.410740433 +0100
|
+++ b/sftp-client.h (date 1703111691284)
|
||||||
@@ -111,7 +111,7 @@ int do_fsetstat(struct sftp_conn *, cons
|
@@ -111,7 +111,7 @@
|
||||||
int do_lsetstat(struct sftp_conn *conn, const char *path, Attrib *a);
|
int sftp_lsetstat(struct sftp_conn *conn, const char *path, Attrib *a);
|
||||||
|
|
||||||
/* Canonicalise 'path' - caller must free result */
|
/* Canonicalise 'path' - caller must free result */
|
||||||
-char *do_realpath(struct sftp_conn *, const char *);
|
-char *sftp_realpath(struct sftp_conn *, const char *);
|
||||||
+char *do_realpath(struct sftp_conn *, const char *, int);
|
+char *sftp_realpath(struct sftp_conn *, const char *, int);
|
||||||
|
|
||||||
/* Canonicalisation with tilde expansion (requires server extension) */
|
/* Canonicalisation with tilde expansion (requires server extension) */
|
||||||
char *do_expand_path(struct sftp_conn *, const char *);
|
char *sftp_expand_path(struct sftp_conn *, const char *);
|
||||||
@@ -159,7 +159,7 @@ int do_upload(struct sftp_conn *, const
|
@@ -163,7 +163,7 @@
|
||||||
* times if 'pflag' is set
|
* times if 'pflag' is set
|
||||||
*/
|
*/
|
||||||
int upload_dir(struct sftp_conn *, const char *, const char *,
|
int sftp_upload_dir(struct sftp_conn *, const char *, const char *,
|
||||||
- int, int, int, int, int, int);
|
- int, int, int, int, int, int);
|
||||||
+ int, int, int, int, int, int, int);
|
+ int, int, int, int, int, int, int);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Download a 'from_path' from the 'from' connection and upload it to
|
* Download a 'from_path' from the 'from' connection and upload it to
|
||||||
diff -up openssh-8.7p1/sftp.c.scp-sftpdirs openssh-8.7p1/sftp.c
|
|
||||||
--- openssh-8.7p1/sftp.c.scp-sftpdirs 2021-08-20 06:03:49.000000000 +0200
|
diff --git a/sftp.c b/sftp.c
|
||||||
+++ openssh-8.7p1/sftp.c 2022-02-07 12:31:07.411740442 +0100
|
--- a/sftp.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
|
||||||
@@ -760,7 +760,7 @@ process_put(struct sftp_conn *conn, cons
|
+++ b/sftp.c (date 1703168795365)
|
||||||
if (globpath_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) {
|
@@ -807,7 +807,7 @@
|
||||||
if (upload_dir(conn, g.gl_pathv[i], abs_dst,
|
(rflag || global_rflag)) {
|
||||||
|
if (sftp_upload_dir(conn, g.gl_pathv[i], abs_dst,
|
||||||
pflag || global_pflag, 1, resume,
|
pflag || global_pflag, 1, resume,
|
||||||
- fflag || global_fflag, 0, 0) == -1)
|
- fflag || global_fflag, 0, 0) == -1)
|
||||||
+ fflag || global_fflag, 0, 0, 0) == -1)
|
+ fflag || global_fflag, 0, 0, 0) == -1)
|
||||||
err = -1;
|
err = -1;
|
||||||
} else {
|
} else {
|
||||||
if (do_upload(conn, g.gl_pathv[i], abs_dst,
|
if (sftp_upload(conn, g.gl_pathv[i], abs_dst,
|
||||||
@@ -1577,7 +1577,7 @@ parse_dispatch_command(struct sftp_conn
|
@@ -1642,7 +1642,7 @@
|
||||||
if (path1 == NULL || *path1 == '\0')
|
if (path1 == NULL || *path1 == '\0')
|
||||||
path1 = xstrdup(startdir);
|
path1 = xstrdup(startdir);
|
||||||
path1 = make_absolute(path1, *pwd);
|
path1 = sftp_make_absolute(path1, *pwd);
|
||||||
- if ((tmp = do_realpath(conn, path1)) == NULL) {
|
- if ((tmp = sftp_realpath(conn, path1)) == NULL) {
|
||||||
+ if ((tmp = do_realpath(conn, path1, 0)) == NULL) {
|
+ if ((tmp = sftp_realpath(conn, path1, 0)) == NULL) {
|
||||||
err = 1;
|
err = 1;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
@@ -2160,7 +2160,7 @@ interactive_loop(struct sftp_conn *conn,
@@ -2247,7 +2247,7 @@
}
}
#endif /* USE_LIBEDIT */
#endif /* USE_LIBEDIT */
- remote_path = do_realpath(conn, ".");
- if ((remote_path = sftp_realpath(conn, ".")) == NULL)
+ remote_path = do_realpath(conn, ".", 0);
+ if ((remote_path = sftp_realpath(conn, ".", 0)) == NULL)
if (remote_path == NULL)
fatal("Need cwd");
fatal("Need cwd");
startdir = xstrdup(remote_path);
startdir = xstrdup(remote_path);
@ -659,15 +659,15 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
# ifdef OPENSSL_HAS_ECC
# ifdef OPENSSL_HAS_ECC
# include <openssl/ec.h>
# include <openssl/ec.h>
# include <openssl/ecdsa.h>
# include <openssl/ecdsa.h>
@@ -268,6 +271,10 @@
@@ -266,6 +266,10 @@
const char *sshkey_ssh_name_plain(const struct sshkey *);
const char *sshkey_ssh_name_plain(const struct sshkey *);
int sshkey_names_valid2(const char *, int);
int sshkey_names_valid2(const char *, int, int);
char *sshkey_alg_list(int, int, int, char);
char *sshkey_alg_list(int, int, int, char);
+int sshkey_calculate_signature(EVP_PKEY*, int, u_char **,
+int sshkey_calculate_signature(EVP_PKEY*, int, u_char **,
+ int *, const u_char *, size_t);
+ int *, const u_char *, size_t);
+int sshkey_verify_signature(EVP_PKEY *, int, const u_char *,
+int sshkey_verify_signature(EVP_PKEY *, int, const u_char *,
+ size_t, u_char *, int);
+ size_t, u_char *, int);
int sshkey_from_blob(const u_char *, size_t, struct sshkey **);
int sshkey_from_blob(const u_char *, size_t, struct sshkey **);
int sshkey_fromb(struct sshbuf *, struct sshkey **);
int sshkey_fromb(struct sshbuf *, struct sshkey **);
@@ -324,6 +331,13 @@
@@ -324,6 +331,13 @@
@ -695,11 +695,11 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
#if !defined(WITH_OPENSSL)
#if !defined(WITH_OPENSSL)
# undef RSA
# undef RSA
# undef DSA
# undef DSA
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/ssh-pkcs11.c openssh-9.3p1-patched/ssh-pkcs11.c
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
--- openssh-9.3p1/ssh-pkcs11.c 2023-06-06 15:53:36.592443989 +0200
--- a/ssh-pkcs11.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
+++ openssh-9.3p1-patched/ssh-pkcs11.c 2023-06-06 15:52:25.626551768 +0200
+++ b/ssh-pkcs11.c (date 1703110934679)
@@ -777,8 +777,24 @@
@@ -620,8 +620,24 @@
return (0);
return (0);
}
}
+
+
@ -711,7 +711,7 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
+ return 0;
+ return 0;
+}
+}
#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+int
+int
+is_rsa_pkcs11(RSA *rsa)
+is_rsa_pkcs11(RSA *rsa)
+{
+{
@ -722,14 +722,14 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
+
+
/* remove trailing spaces. Note, that this does NOT guarantee the buffer
/* remove trailing spaces. Note, that this does NOT guarantee the buffer
* will be null terminated if there are no trailing spaces! */
* will be null terminated if there are no trailing spaces! */
static void
static char *
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/ssh-pkcs11-client.c openssh-9.3p1-patched/ssh-pkcs11-client.c
diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
--- openssh-9.3p1/ssh-pkcs11-client.c 2023-06-06 15:53:36.591443976 +0200
--- a/ssh-pkcs11-client.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
+++ openssh-9.3p1-patched/ssh-pkcs11-client.c 2023-06-06 15:52:25.626551768 +0200
+++ b/ssh-pkcs11-client.c (date 1703110830967)
@@ -225,8 +225,36 @@
@@ -402,8 +402,36 @@
static RSA_METHOD *helper_rsa;
if (helper->nrsa == 0 && helper->nec == 0)
#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
helper_terminate(helper);
static EC_KEY_METHOD *helper_ecdsa;
}
+
+
+int
+int
+is_ecdsa_pkcs11(EC_KEY *ecdsa)
+is_ecdsa_pkcs11(EC_KEY *ecdsa)
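Review bot: The new-side context `if (helper->nrsa == 0 && helper->nec == 0)` / `helper_terminate(helper);` shows that the rebased is_ecdsa_pkcs11() and is_rsa_pkcs11() now live in a client that tracks RSA/EC method tables per helper instance, while the old context's file-scope `static RSA_METHOD *helper_rsa;` and `static EC_KEY_METHOD *helper_ecdsa;` no longer appear around them. The bodies of both functions fall outside this hunk, so please confirm they compare against the method table of every active helper rather than a single static pointer; a stale single-pointer comparison would quietly classify a key served by a second helper as non-PKCS#11 and route its private-key operations away from the helper. A one-line comment above each, e.g. `/* true iff the key's method table belongs to one of the active pkcs11 helpers */`, would make the intended contract explicit for the next rebase.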
@ -744,8 +744,8 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
+ return 1;
+ return 1;
+ return 0;
+ return 0;
+}
+}
#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
#endif /* defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) */
+int
+int
+is_rsa_pkcs11(RSA *rsa)
+is_rsa_pkcs11(RSA *rsa)
+{
+{
@ -762,14 +762,15 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
+
+
/* redirect private key crypto operations to the ssh-pkcs11-helper */
/* redirect private key crypto operations to the ssh-pkcs11-helper */
static void
static void
wrap_key(struct sshkey *k)
wrap_key(struct helper *helper, struct sshkey *k)
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/ssh-pkcs11.h openssh-9.3p1-patched/ssh-pkcs11.h
diff --git a/ssh-pkcs11.h b/ssh-pkcs11.h
--- openssh-9.3p1/ssh-pkcs11.h 2023-06-06 15:53:36.592443989 +0200
--- a/ssh-pkcs11.h (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
+++ openssh-9.3p1-patched/ssh-pkcs11.h 2023-06-06 15:52:25.626551768 +0200
+++ b/ssh-pkcs11.h (date 1703111023334)
@@ -39,6 +39,11 @@
@@ -38,6 +38,12 @@
u_int32_t *);
/* Only available in ssh-pkcs11-client.c so far */
#endif
int pkcs11_make_cert(const struct sshkey *,
const struct sshkey *, struct sshkey **);
+
+#ifdef HAVE_EC_KEY_METHOD_NEW
+#ifdef HAVE_EC_KEY_METHOD_NEW
+int is_ecdsa_pkcs11(EC_KEY *ecdsa);
+int is_ecdsa_pkcs11(EC_KEY *ecdsa);
+#endif
+#endif
18
openssh.spec
18
openssh.spec
@ -46,15 +46,15 @@
%{?static_openssl:%global static_libcrypto 1}
%{?static_openssl:%global static_libcrypto 1}
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 9.3p1
%global openssh_ver 9.6p1
%global openssh_rel 13
%global openssh_rel 1
%global pam_ssh_agent_ver 0.10.4
%global pam_ssh_agent_ver 0.10.4
%global pam_ssh_agent_rel 9
%global pam_ssh_agent_rel 9
Summary: An open source implementation of SSH protocol version 2
Summary: An open source implementation of SSH protocol version 2
Name: openssh
Name: openssh
Version: %{openssh_ver}
Version: %{openssh_ver}
Release: %{openssh_rel}%{?dist}.1
Release: %{openssh_rel}%{?dist}
URL: http://www.openssh.com/portable.html
URL: http://www.openssh.com/portable.html
#URL1: https://github.com/jbeverly/pam_ssh_agent_auth/
#URL1: https://github.com/jbeverly/pam_ssh_agent_auth/
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@ -228,9 +228,6 @@ Patch1006: openssh-8.7p1-negotiate-supported-algs.patch
Patch1012: openssh-9.0p1-evp-fips-dh.patch
Patch1012: openssh-9.0p1-evp-fips-dh.patch
Patch1013: openssh-9.0p1-evp-fips-ecdh.patch
Patch1013: openssh-9.0p1-evp-fips-ecdh.patch
Patch1014: openssh-8.7p1-nohostsha1proof.patch
Patch1014: openssh-8.7p1-nohostsha1proof.patch
Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch
# upstream b7afd8a4ecaca8afd3179b55e9db79c0ff210237
Patch1016: openssh-9.3p1-openssl-compat.patch
License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
Requires: /sbin/nologin
Requires: /sbin/nologin
@ -306,7 +303,7 @@ Requires: openssh = %{version}-%{release}
%package -n pam_ssh_agent_auth
%package -n pam_ssh_agent_auth
Summary: PAM module for authentication with ssh-agent
Summary: PAM module for authentication with ssh-agent
Version: %{pam_ssh_agent_ver}
Version: %{pam_ssh_agent_ver}
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.1
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}
License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant AND OpenSSL
License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant AND OpenSSL
%description
%description
@ -433,8 +430,6 @@ popd
%patch -P 1012 -p1 -b .evp-fips-dh
%patch -P 1012 -p1 -b .evp-fips-dh
%patch -P 1013 -p1 -b .evp-fips-ecdh
%patch -P 1013 -p1 -b .evp-fips-ecdh
%patch -P 1014 -p1 -b .nosha1hostproof
%patch -P 1014 -p1 -b .nosha1hostproof
%patch -P 1015 -p1 -b .cve-2023-38408
%patch -P 1016 -p1 -b .ossl-version
%patch -P 100 -p1 -b .coverity
%patch -P 100 -p1 -b .coverity
@ -744,6 +739,11 @@ test -f %{sysconfig_anaconda} && \
%endif
%endif
%changelog
%changelog
* Tue Dec 26 2023 Daniel Milnes <daniel@daniel-milnes.uk> - 9.6p1-1
- Update to OpenSSH 9.6
Original patches from https://src.fedoraproject.org/rpms/openssh/pull-request/63
Tuned by Dmitry Belyavskiy for GSS and PKCS#11 URI processing
* Fri Dec 22 2023 Florian Weimer <fweimer@redhat.com> - 9.3p1-13.1
* Fri Dec 22 2023 Florian Weimer <fweimer@redhat.com> - 9.3p1-13.1
- Fix type errors in downstream gssapi-keyex patch
- Fix type errors in downstream gssapi-keyex patch
4
sources
4
sources
@ -1,4 +1,4 @@
SHA512 (openssh-9.3p1.tar.gz) = 087ff6fe5f6caab4c6c3001d906399e02beffad7277280f11187420c2939fd4befdcb14643862a657ce4cad2f115b82a0a1a2c99df6ee54dcd76b53647637c19
SHA512 (openssh-9.6p1.tar.gz) = 0ebf81e39914c3a90d7777a001ec7376a94b37e6024baf3e972c58f0982b7ddef942315f5e01d56c00ff95603b4a20ee561ab918ecc55511df007ac138160509
SHA512 (openssh-9.3p1.tar.gz.asc) = 6222378eb24a445c6c1db255392b405f5369b1af0e92f558d4ba05b0d83ab0d084cb8f4b91d7ae8636f333d970638a6635e2bc7af885135dd34992d87f2ef1f4
SHA512 (openssh-9.6p1.tar.gz.asc) = aec5a5bd6ce480a8e5b5879dc55f8186aec90fe61f085aa92ad7d07f324574aa781be09c83b7443a32848d091fd44fb12c1842d49cee77afc351e550ffcc096d
SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2
SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2
SHA512 (gpgkey-736060BA.gpg) = df44f3fdbcd1d596705348c7f5aed3f738c5f626a55955e0642f7c6c082995cf36a1b1891bb41b8715cb2aff34fef1c877e0eff0d3507dd00a055ba695757a21
SHA512 (gpgkey-736060BA.gpg) = df44f3fdbcd1d596705348c7f5aed3f738c5f626a55955e0642f7c6c082995cf36a1b1891bb41b8715cb2aff34fef1c877e0eff0d3507dd00a055ba695757a21