Compare commits
No commits in common. "c8" and "c10s" have entirely different histories.
1
.fmf/version
Normal file
1
.fmf/version
Normal file
@ -0,0 +1 @@
|
|||||||
|
1
|
69
.gitignore
vendored
69
.gitignore
vendored
@ -1,3 +1,66 @@
|
|||||||
SOURCES/DJM-GPG-KEY.gpg
|
openssh-5.5p1-noacss.tar.bz2
|
||||||
SOURCES/openssh-8.0p1.tar.gz
|
pam_ssh_agent_auth-0.9.2.tar.bz2
|
||||||
SOURCES/pam_ssh_agent_auth-0.10.3.tar.bz2
|
/openssh-5.6p1-noacss.tar.bz2
|
||||||
|
/pam_ssh_agent_auth-0.9.2.tar.bz2
|
||||||
|
/openssh-5.8p1-noacss.tar.bz2
|
||||||
|
/openssh-5.8p2-noacss.tar.bz2
|
||||||
|
/openssh-5.9p1-noacss.tar.bz2
|
||||||
|
/pam_ssh_agent_auth-0.9.3.tar.bz2
|
||||||
|
/openssh-6.0p1-noacss.tar.bz2
|
||||||
|
/openssh-6.1p1-noacss.tar.bz2
|
||||||
|
/openssh-6.2p1.tar.gz
|
||||||
|
/openssh-6.2p2.tar.gz
|
||||||
|
/openssh-6.3p1.tar.gz
|
||||||
|
/openssh-6.4p1.tar.gz
|
||||||
|
/openssh-6.6p1.tar.gz
|
||||||
|
/openssh-6.7p1.tar.gz
|
||||||
|
/openssh-6.8p1.tar.gz
|
||||||
|
/openssh-6.9p1.tar.gz
|
||||||
|
/openssh-7.0p1.tar.gz
|
||||||
|
/openssh-7.1p1.tar.gz
|
||||||
|
/openssh-7.1p2.tar.gz
|
||||||
|
/pam_ssh_agent_auth-0.10.2.tar.bz2
|
||||||
|
/openssh-7.2p1.tar.gz
|
||||||
|
/openssh-7.2p2.tar.gz
|
||||||
|
/openssh-7.3p1.tar.gz
|
||||||
|
/openssh-7.4p1.tar.gz
|
||||||
|
/pam_ssh_agent_auth-0.10.3.tar.bz2
|
||||||
|
/openssh-7.5p1.tar.gz
|
||||||
|
/openssh-7.6p1.tar.gz
|
||||||
|
/openssh-7.7p1.tar.gz
|
||||||
|
/openssh-7.7p1.tar.gz.asc
|
||||||
|
/DJM-GPG-KEY.gpg
|
||||||
|
/openssh-7.8p1.tar.gz
|
||||||
|
/openssh-7.8p1.tar.gz.asc
|
||||||
|
/openssh-7.9p1.tar.gz
|
||||||
|
/openssh-7.9p1.tar.gz.asc
|
||||||
|
/openssh-8.0p1.tar.gz
|
||||||
|
/openssh-8.0p1.tar.gz.asc
|
||||||
|
/openssh-8.1p1.tar.gz
|
||||||
|
/openssh-8.1p1.tar.gz.asc
|
||||||
|
/openssh-8.2p1.tar.gz
|
||||||
|
/openssh-8.2p1.tar.gz.asc
|
||||||
|
/openssh-8.3p1.tar.gz
|
||||||
|
/openssh-8.3p1.tar.gz.asc
|
||||||
|
/openssh-8.4p1.tar.gz
|
||||||
|
/openssh-8.4p1.tar.gz.asc
|
||||||
|
/pam_ssh_agent_auth-0.10.4.tar.gz
|
||||||
|
/openssh-8.5p1.tar.gz
|
||||||
|
/openssh-8.5p1.tar.gz.asc
|
||||||
|
/gpgkey-736060BA.gpg
|
||||||
|
/openssh-8.6p1.tar.gz
|
||||||
|
/openssh-8.6p1.tar.gz.asc
|
||||||
|
/openssh-8.7p1.tar.gz
|
||||||
|
/openssh-8.7p1.tar.gz.asc
|
||||||
|
/openssh-8.8p1.tar.gz
|
||||||
|
/openssh-8.8p1.tar.gz.asc
|
||||||
|
/openssh-9.0p1.tar.gz
|
||||||
|
/openssh-9.0p1.tar.gz.asc
|
||||||
|
/openssh-9.3p1.tar.gz
|
||||||
|
/openssh-9.3p1.tar.gz.asc
|
||||||
|
/openssh-9.6p1.tar.gz
|
||||||
|
/openssh-9.6p1.tar.gz.asc
|
||||||
|
/openssh-9.8p1.tar.gz
|
||||||
|
/openssh-9.8p1.tar.gz.asc
|
||||||
|
/openssh-9.9p1.tar.gz
|
||||||
|
/openssh-9.9p1.tar.gz.asc
|
||||||
|
@ -1,3 +0,0 @@
|
|||||||
bed7240bb17840b451b8f8457791c33456814d93 SOURCES/DJM-GPG-KEY.gpg
|
|
||||||
756dbb99193f9541c9206a667eaa27b0fa184a4f SOURCES/openssh-8.0p1.tar.gz
|
|
||||||
a4482a050fdad1d012427e45799564136708cf6b SOURCES/pam_ssh_agent_auth-0.10.3.tar.bz2
|
|
@ -1,19 +0,0 @@
|
|||||||
diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info openssh-7.4p1/contrib/gnome-ssh-askpass2.c
|
|
||||||
--- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info 2016-12-23 13:31:22.645213115 +0100
|
|
||||||
+++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:40.997216691 +0100
|
|
||||||
@@ -65,9 +65,12 @@ report_failed_grab (GtkWidget *parent_wi
|
|
||||||
err = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0,
|
|
||||||
GTK_MESSAGE_ERROR,
|
|
||||||
GTK_BUTTONS_CLOSE,
|
|
||||||
- "Could not grab %s. "
|
|
||||||
- "A malicious client may be eavesdropping "
|
|
||||||
- "on your session.", what);
|
|
||||||
+ "SSH password dialog could not grab the %s input.\n"
|
|
||||||
+ "This might be caused by application such as screensaver, "
|
|
||||||
+ "however it could also mean that someone may be eavesdropping "
|
|
||||||
+ "on your session.\n"
|
|
||||||
+ "Either close the application which grabs the %s or "
|
|
||||||
+ "log out and log in again to prevent this from happening.", what, what);
|
|
||||||
gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
|
|
||||||
|
|
||||||
gtk_dialog_run(GTK_DIALOG(err));
|
|
@ -1,81 +0,0 @@
|
|||||||
diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contrib/gnome-ssh-askpass2.c
|
|
||||||
--- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress 2016-12-19 05:59:41.000000000 +0100
|
|
||||||
+++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:16.545211926 +0100
|
|
||||||
@@ -53,6 +53,7 @@
|
|
||||||
#include <string.h>
|
|
||||||
#include <unistd.h>
|
|
||||||
#include <X11/Xlib.h>
|
|
||||||
+#include <glib.h>
|
|
||||||
#include <gtk/gtk.h>
|
|
||||||
#include <gdk/gdkx.h>
|
|
||||||
|
|
||||||
@@ -81,13 +82,24 @@ ok_dialog(GtkWidget *entry, gpointer dia
|
|
||||||
gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
|
|
||||||
}
|
|
||||||
|
|
||||||
+static void
|
|
||||||
+move_progress(GtkWidget *entry, gpointer progress)
|
|
||||||
+{
|
|
||||||
+ gdouble step;
|
|
||||||
+ g_return_if_fail(GTK_IS_PROGRESS_BAR(progress));
|
|
||||||
+
|
|
||||||
+ step = g_random_double_range(0.03, 0.1);
|
|
||||||
+ gtk_progress_bar_set_pulse_step(GTK_PROGRESS_BAR(progress), step);
|
|
||||||
+ gtk_progress_bar_pulse(GTK_PROGRESS_BAR(progress));
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static int
|
|
||||||
passphrase_dialog(char *message)
|
|
||||||
{
|
|
||||||
const char *failed;
|
|
||||||
char *passphrase, *local;
|
|
||||||
int result, grab_tries, grab_server, grab_pointer;
|
|
||||||
- GtkWidget *parent_window, *dialog, *entry;
|
|
||||||
+ GtkWidget *parent_window, *dialog, *entry, *progress, *hbox;
|
|
||||||
GdkGrabStatus status;
|
|
||||||
|
|
||||||
grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
|
|
||||||
@@ -104,14 +116,32 @@ passphrase_dialog(char *message)
|
|
||||||
"%s",
|
|
||||||
message);
|
|
||||||
|
|
||||||
+ hbox = gtk_hbox_new(FALSE, 0);
|
|
||||||
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
|
|
||||||
+ FALSE, 0);
|
|
||||||
+ gtk_widget_show(hbox);
|
|
||||||
+
|
|
||||||
entry = gtk_entry_new();
|
|
||||||
gtk_box_pack_start(
|
|
||||||
- GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))), entry,
|
|
||||||
- FALSE, FALSE, 0);
|
|
||||||
+ GTK_BOX(hbox), entry,
|
|
||||||
+ TRUE, FALSE, 0);
|
|
||||||
+ gtk_entry_set_width_chars(GTK_ENTRY(entry), 2);
|
|
||||||
gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
|
|
||||||
gtk_widget_grab_focus(entry);
|
|
||||||
gtk_widget_show(entry);
|
|
||||||
|
|
||||||
+ hbox = gtk_hbox_new(FALSE, 0);
|
|
||||||
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
|
|
||||||
+ FALSE, 8);
|
|
||||||
+ gtk_widget_show(hbox);
|
|
||||||
+
|
|
||||||
+ progress = gtk_progress_bar_new();
|
|
||||||
+
|
|
||||||
+ gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress), "Passphrase length hidden intentionally");
|
|
||||||
+ gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE,
|
|
||||||
+ TRUE, 5);
|
|
||||||
+ gtk_widget_show(progress);
|
|
||||||
+
|
|
||||||
gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH");
|
|
||||||
gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
|
|
||||||
gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
|
|
||||||
@@ -120,6 +150,8 @@ passphrase_dialog(char *message)
|
|
||||||
gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
|
|
||||||
g_signal_connect(G_OBJECT(entry), "activate",
|
|
||||||
G_CALLBACK(ok_dialog), dialog);
|
|
||||||
+ g_signal_connect(G_OBJECT(entry), "changed",
|
|
||||||
+ G_CALLBACK(move_progress), progress);
|
|
||||||
|
|
||||||
gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
|
|
||||||
|
|
@ -1,101 +0,0 @@
|
|||||||
diff -up openssh-5.9p1/cipher-ctr.c.ctr-evp openssh-5.9p1/cipher-ctr.c
|
|
||||||
--- openssh-5.9p1/cipher-ctr.c.ctr-evp 2012-01-11 09:24:06.000000000 +0100
|
|
||||||
+++ openssh-5.9p1/cipher-ctr.c 2012-01-11 15:54:04.675956600 +0100
|
|
||||||
@@ -38,7 +38,7 @@ void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, in
|
|
||||||
|
|
||||||
struct ssh_aes_ctr_ctx
|
|
||||||
{
|
|
||||||
- AES_KEY aes_ctx;
|
|
||||||
+ EVP_CIPHER_CTX ecbctx;
|
|
||||||
u_char aes_counter[AES_BLOCK_SIZE];
|
|
||||||
};
|
|
||||||
|
|
||||||
@@ -63,21 +63,42 @@ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char
|
|
||||||
{
|
|
||||||
struct ssh_aes_ctr_ctx *c;
|
|
||||||
size_t n = 0;
|
|
||||||
- u_char buf[AES_BLOCK_SIZE];
|
|
||||||
+ u_char ctrbuf[AES_BLOCK_SIZE*256];
|
|
||||||
+ u_char buf[AES_BLOCK_SIZE*256];
|
|
||||||
|
|
||||||
if (len == 0)
|
|
||||||
return (1);
|
|
||||||
if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL)
|
|
||||||
return (0);
|
|
||||||
|
|
||||||
- while ((len--) > 0) {
|
|
||||||
+ for (; len > 0; len -= sizeof(u_int)) {
|
|
||||||
+ u_int r,a,b;
|
|
||||||
+
|
|
||||||
if (n == 0) {
|
|
||||||
- AES_encrypt(c->aes_counter, buf, &c->aes_ctx);
|
|
||||||
- ssh_ctr_inc(c->aes_counter, AES_BLOCK_SIZE);
|
|
||||||
+ int outl, i, buflen;
|
|
||||||
+
|
|
||||||
+ buflen = MIN(len, sizeof(ctrbuf));
|
|
||||||
+
|
|
||||||
+ for(i = 0; i < buflen; i += AES_BLOCK_SIZE) {
|
|
||||||
+ memcpy(&ctrbuf[i], c->aes_counter, AES_BLOCK_SIZE);
|
|
||||||
+ ssh_ctr_inc(c->aes_counter, AES_BLOCK_SIZE);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ EVP_EncryptUpdate(&c->ecbctx, buf, &outl,
|
|
||||||
+ ctrbuf, buflen);
|
|
||||||
}
|
|
||||||
- *(dest++) = *(src++) ^ buf[n];
|
|
||||||
- n = (n + 1) % AES_BLOCK_SIZE;
|
|
||||||
+
|
|
||||||
+ memcpy(&a, src, sizeof(a));
|
|
||||||
+ memcpy(&b, &buf[n], sizeof(b));
|
|
||||||
+ r = a ^ b;
|
|
||||||
+ memcpy(dest, &r, sizeof(r));
|
|
||||||
+ src += sizeof(a);
|
|
||||||
+ dest += sizeof(r);
|
|
||||||
+
|
|
||||||
+ n = (n + sizeof(b)) % sizeof(buf);
|
|
||||||
}
|
|
||||||
+ memset(ctrbuf, '\0', sizeof(ctrbuf));
|
|
||||||
+ memset(buf, '\0', sizeof(buf));
|
|
||||||
return (1);
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -91,9 +112,28 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, co
|
|
||||||
c = xmalloc(sizeof(*c));
|
|
||||||
EVP_CIPHER_CTX_set_app_data(ctx, c);
|
|
||||||
}
|
|
||||||
- if (key != NULL)
|
|
||||||
- AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
|
|
||||||
- &c->aes_ctx);
|
|
||||||
+
|
|
||||||
+ EVP_CIPHER_CTX_init(&c->ecbctx);
|
|
||||||
+
|
|
||||||
+ if (key != NULL) {
|
|
||||||
+ const EVP_CIPHER *cipher;
|
|
||||||
+ switch(EVP_CIPHER_CTX_key_length(ctx)*8) {
|
|
||||||
+ case 128:
|
|
||||||
+ cipher = EVP_aes_128_ecb();
|
|
||||||
+ break;
|
|
||||||
+ case 192:
|
|
||||||
+ cipher = EVP_aes_192_ecb();
|
|
||||||
+ break;
|
|
||||||
+ case 256:
|
|
||||||
+ cipher = EVP_aes_256_ecb();
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ fatal("ssh_aes_ctr_init: wrong aes key length");
|
|
||||||
+ }
|
|
||||||
+ if(!EVP_EncryptInit_ex(&c->ecbctx, cipher, NULL, key, NULL))
|
|
||||||
+ fatal("ssh_aes_ctr_init: cannot initialize aes encryption");
|
|
||||||
+ EVP_CIPHER_CTX_set_padding(&c->ecbctx, 0);
|
|
||||||
+ }
|
|
||||||
if (iv != NULL)
|
|
||||||
memcpy(c->aes_counter, iv, AES_BLOCK_SIZE);
|
|
||||||
return (1);
|
|
||||||
@@ -105,6 +145,7 @@ ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx)
|
|
||||||
struct ssh_aes_ctr_ctx *c;
|
|
||||||
|
|
||||||
if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
|
|
||||||
+ EVP_CIPHER_CTX_cleanup(&c->ecbctx);
|
|
||||||
memset(c, 0, sizeof(*c));
|
|
||||||
free(c);
|
|
||||||
EVP_CIPHER_CTX_set_app_data(ctx, NULL);
|
|
@ -1,257 +0,0 @@
|
|||||||
diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
|
|
||||||
--- openssh-6.8p1/Makefile.in.ctr-cavs 2015-03-18 11:22:05.493289018 +0100
|
|
||||||
+++ openssh-6.8p1/Makefile.in 2015-03-18 11:22:44.504196316 +0100
|
|
||||||
@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
|
||||||
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
|
|
||||||
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
|
|
||||||
SSH_KEYCAT=$(libexecdir)/ssh-keycat
|
|
||||||
+CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
|
|
||||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
|
||||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
|
||||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
|
||||||
@@ -66,7 +67,7 @@ EXEEXT=@EXEEXT@
|
|
||||||
MKDIR_P=@MKDIR_P@
|
|
||||||
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
|
|
||||||
|
|
||||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
|
||||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
|
|
||||||
|
|
||||||
XMSS_OBJS=\
|
|
||||||
ssh-xmss.o \
|
|
||||||
@@ -194,6 +195,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
|
|
||||||
ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
|
|
||||||
$(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
|
|
||||||
|
|
||||||
+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
|
||||||
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
|
||||||
+
|
|
||||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
|
||||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
|
||||||
|
|
||||||
@@ -326,6 +330,7 @@ install-files:
|
|
||||||
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
|
|
||||||
fi
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
|
|
||||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
|
||||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
|
||||||
diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
|
|
||||||
--- openssh-6.8p1/ctr-cavstest.c.ctr-cavs 2015-03-18 11:22:05.521288952 +0100
|
|
||||||
+++ openssh-6.8p1/ctr-cavstest.c 2015-03-18 11:22:05.521288952 +0100
|
|
||||||
@@ -0,0 +1,215 @@
|
|
||||||
+/*
|
|
||||||
+ *
|
|
||||||
+ * invocation (all of the following are equal):
|
|
||||||
+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6
|
|
||||||
+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv 00000000000000000000000000000000
|
|
||||||
+ * echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#include "includes.h"
|
|
||||||
+
|
|
||||||
+#include <sys/types.h>
|
|
||||||
+#include <sys/param.h>
|
|
||||||
+#include <stdarg.h>
|
|
||||||
+#include <stdio.h>
|
|
||||||
+#include <stdlib.h>
|
|
||||||
+#include <string.h>
|
|
||||||
+#include <ctype.h>
|
|
||||||
+
|
|
||||||
+#include "xmalloc.h"
|
|
||||||
+#include "log.h"
|
|
||||||
+#include "ssherr.h"
|
|
||||||
+#include "cipher.h"
|
|
||||||
+
|
|
||||||
+/* compatibility with old or broken OpenSSL versions */
|
|
||||||
+#include "openbsd-compat/openssl-compat.h"
|
|
||||||
+
|
|
||||||
+void usage(void) {
|
|
||||||
+ fprintf(stderr, "Usage: ctr-cavstest --algo <ssh-crypto-algorithm>\n"
|
|
||||||
+ " --key <hexadecimal-key> --mode <encrypt|decrypt>\n"
|
|
||||||
+ " [--iv <hexadecimal-iv>] --data <hexadecimal-data>\n\n"
|
|
||||||
+ "Hexadecimal output is printed to stdout.\n"
|
|
||||||
+ "Hexadecimal input data can be alternatively read from stdin.\n");
|
|
||||||
+ exit(1);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void *fromhex(char *hex, size_t *len)
|
|
||||||
+{
|
|
||||||
+ unsigned char *bin;
|
|
||||||
+ char *p;
|
|
||||||
+ size_t n = 0;
|
|
||||||
+ int shift = 4;
|
|
||||||
+ unsigned char out = 0;
|
|
||||||
+ unsigned char *optr;
|
|
||||||
+
|
|
||||||
+ bin = xmalloc(strlen(hex)/2);
|
|
||||||
+ optr = bin;
|
|
||||||
+
|
|
||||||
+ for (p = hex; *p != '\0'; ++p) {
|
|
||||||
+ unsigned char c;
|
|
||||||
+
|
|
||||||
+ c = *p;
|
|
||||||
+ if (isspace(c))
|
|
||||||
+ continue;
|
|
||||||
+
|
|
||||||
+ if (c >= '0' && c <= '9') {
|
|
||||||
+ c = c - '0';
|
|
||||||
+ } else if (c >= 'A' && c <= 'F') {
|
|
||||||
+ c = c - 'A' + 10;
|
|
||||||
+ } else if (c >= 'a' && c <= 'f') {
|
|
||||||
+ c = c - 'a' + 10;
|
|
||||||
+ } else {
|
|
||||||
+ /* truncate on nonhex cipher */
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ out |= c << shift;
|
|
||||||
+ shift = (shift + 4) % 8;
|
|
||||||
+
|
|
||||||
+ if (shift) {
|
|
||||||
+ *(optr++) = out;
|
|
||||||
+ out = 0;
|
|
||||||
+ ++n;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ *len = n;
|
|
||||||
+ return bin;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#define READ_CHUNK 4096
|
|
||||||
+#define MAX_READ_SIZE 1024*1024*100
|
|
||||||
+char *read_stdin(void)
|
|
||||||
+{
|
|
||||||
+ char *buf;
|
|
||||||
+ size_t n, total = 0;
|
|
||||||
+
|
|
||||||
+ buf = xmalloc(READ_CHUNK);
|
|
||||||
+
|
|
||||||
+ do {
|
|
||||||
+ n = fread(buf + total, 1, READ_CHUNK, stdin);
|
|
||||||
+ if (n < READ_CHUNK) /* terminate on short read */
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
+ total += n;
|
|
||||||
+ buf = xreallocarray(buf, total + READ_CHUNK, 1);
|
|
||||||
+ } while(total < MAX_READ_SIZE);
|
|
||||||
+ return buf;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int main (int argc, char *argv[])
|
|
||||||
+{
|
|
||||||
+
|
|
||||||
+ const struct sshcipher *c;
|
|
||||||
+ struct sshcipher_ctx *cc;
|
|
||||||
+ char *algo = "aes128-ctr";
|
|
||||||
+ char *hexkey = NULL;
|
|
||||||
+ char *hexiv = "00000000000000000000000000000000";
|
|
||||||
+ char *hexdata = NULL;
|
|
||||||
+ char *p;
|
|
||||||
+ int i, r;
|
|
||||||
+ int encrypt = 1;
|
|
||||||
+ void *key;
|
|
||||||
+ size_t keylen;
|
|
||||||
+ void *iv;
|
|
||||||
+ size_t ivlen;
|
|
||||||
+ void *data;
|
|
||||||
+ size_t datalen;
|
|
||||||
+ void *outdata;
|
|
||||||
+
|
|
||||||
+ for (i = 1; i < argc; ++i) {
|
|
||||||
+ if (strcmp(argv[i], "--algo") == 0) {
|
|
||||||
+ algo = argv[++i];
|
|
||||||
+ } else if (strcmp(argv[i], "--key") == 0) {
|
|
||||||
+ hexkey = argv[++i];
|
|
||||||
+ } else if (strcmp(argv[i], "--mode") == 0) {
|
|
||||||
+ ++i;
|
|
||||||
+ if (argv[i] == NULL) {
|
|
||||||
+ usage();
|
|
||||||
+ }
|
|
||||||
+ if (strncmp(argv[i], "enc", 3) == 0) {
|
|
||||||
+ encrypt = 1;
|
|
||||||
+ } else if (strncmp(argv[i], "dec", 3) == 0) {
|
|
||||||
+ encrypt = 0;
|
|
||||||
+ } else {
|
|
||||||
+ usage();
|
|
||||||
+ }
|
|
||||||
+ } else if (strcmp(argv[i], "--iv") == 0) {
|
|
||||||
+ hexiv = argv[++i];
|
|
||||||
+ } else if (strcmp(argv[i], "--data") == 0) {
|
|
||||||
+ hexdata = argv[++i];
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (hexkey == NULL || algo == NULL) {
|
|
||||||
+ usage();
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ OpenSSL_add_all_algorithms();
|
|
||||||
+
|
|
||||||
+ c = cipher_by_name(algo);
|
|
||||||
+ if (c == NULL) {
|
|
||||||
+ fprintf(stderr, "Error: unknown algorithm\n");
|
|
||||||
+ return 2;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (hexdata == NULL) {
|
|
||||||
+ hexdata = read_stdin();
|
|
||||||
+ } else {
|
|
||||||
+ hexdata = xstrdup(hexdata);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ key = fromhex(hexkey, &keylen);
|
|
||||||
+
|
|
||||||
+ if (keylen != 16 && keylen != 24 && keylen == 32) {
|
|
||||||
+ fprintf(stderr, "Error: unsupported key length\n");
|
|
||||||
+ return 2;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ iv = fromhex(hexiv, &ivlen);
|
|
||||||
+
|
|
||||||
+ if (ivlen != 16) {
|
|
||||||
+ fprintf(stderr, "Error: unsupported iv length\n");
|
|
||||||
+ return 2;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ data = fromhex(hexdata, &datalen);
|
|
||||||
+
|
|
||||||
+ if (data == NULL || datalen == 0) {
|
|
||||||
+ fprintf(stderr, "Error: no data to encrypt/decrypt\n");
|
|
||||||
+ return 2;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if ((r = cipher_init(&cc, c, key, keylen, iv, ivlen, encrypt)) != 0) {
|
|
||||||
+ fprintf(stderr, "Error: cipher_init failed: %s\n", ssh_err(r));
|
|
||||||
+ return 2;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ free(key);
|
|
||||||
+ free(iv);
|
|
||||||
+
|
|
||||||
+ outdata = malloc(datalen);
|
|
||||||
+ if(outdata == NULL) {
|
|
||||||
+ fprintf(stderr, "Error: memory allocation failure\n");
|
|
||||||
+ return 2;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if ((r = cipher_crypt(cc, 0, outdata, data, datalen, 0, 0)) != 0) {
|
|
||||||
+ fprintf(stderr, "Error: cipher_crypt failed: %s\n", ssh_err(r));
|
|
||||||
+ return 2;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ free(data);
|
|
||||||
+
|
|
||||||
+ cipher_free(cc);
|
|
||||||
+
|
|
||||||
+ for (p = outdata; datalen > 0; ++p, --datalen) {
|
|
||||||
+ printf("%02X", (unsigned char)*p);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ free(outdata);
|
|
||||||
+
|
|
||||||
+ printf("\n");
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
@ -1,26 +0,0 @@
|
|||||||
diff --git a/authfile.c b/authfile.c
|
|
||||||
index e93d867..4fc5b3d 100644
|
|
||||||
--- a/authfile.c
|
|
||||||
+++ b/authfile.c
|
|
||||||
@@ -32,6 +32,7 @@
|
|
||||||
|
|
||||||
#include <errno.h>
|
|
||||||
#include <fcntl.h>
|
|
||||||
+#include <grp.h>
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <stdarg.h>
|
|
||||||
#include <stdlib.h>
|
|
||||||
@@ -207,6 +208,13 @@ sshkey_perm_ok(int fd, const char *filename)
|
|
||||||
#ifdef HAVE_CYGWIN
|
|
||||||
if (check_ntsec(filename))
|
|
||||||
#endif
|
|
||||||
+ if (st.st_mode & 040) {
|
|
||||||
+ struct group *gr;
|
|
||||||
+
|
|
||||||
+ if ((gr = getgrnam("ssh_keys")) && (st.st_gid == gr->gr_gid))
|
|
||||||
+ st.st_mode &= ~040;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {
|
|
||||||
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
|
|
||||||
error("@ WARNING: UNPROTECTED PRIVATE KEY FILE! @");
|
|
@ -1,177 +0,0 @@
|
|||||||
diff -up openssh-8.0p1/channels.c.coverity openssh-8.0p1/channels.c
|
|
||||||
--- openssh-8.0p1/channels.c.coverity 2021-06-21 10:59:17.297473319 +0200
|
|
||||||
+++ openssh-8.0p1/channels.c 2021-06-21 11:11:32.467290400 +0200
|
|
||||||
@@ -341,15 +341,15 @@ channel_register_fds(struct ssh *ssh, Ch
|
|
||||||
* restore their blocking state on exit to avoid interfering
|
|
||||||
* with other programs that follow.
|
|
||||||
*/
|
|
||||||
- if (rfd != -1 && !isatty(rfd) && fcntl(rfd, F_GETFL) == 0) {
|
|
||||||
+ if (rfd >= 0 && !isatty(rfd) && fcntl(rfd, F_GETFL) == 0) {
|
|
||||||
c->restore_block |= CHANNEL_RESTORE_RFD;
|
|
||||||
set_nonblock(rfd);
|
|
||||||
}
|
|
||||||
- if (wfd != -1 && !isatty(wfd) && fcntl(wfd, F_GETFL) == 0) {
|
|
||||||
+ if (wfd >= 0 && !isatty(wfd) && fcntl(wfd, F_GETFL) == 0) {
|
|
||||||
c->restore_block |= CHANNEL_RESTORE_WFD;
|
|
||||||
set_nonblock(wfd);
|
|
||||||
}
|
|
||||||
- if (efd != -1 && !isatty(efd) && fcntl(efd, F_GETFL) == 0) {
|
|
||||||
+ if (efd >= 0 && !isatty(efd) && fcntl(efd, F_GETFL) == 0) {
|
|
||||||
c->restore_block |= CHANNEL_RESTORE_EFD;
|
|
||||||
set_nonblock(efd);
|
|
||||||
}
|
|
||||||
diff -up openssh-8.0p1/monitor.c.coverity openssh-8.0p1/monitor.c
|
|
||||||
--- openssh-8.0p1/monitor.c.coverity 2021-06-21 10:59:17.282473202 +0200
|
|
||||||
+++ openssh-8.0p1/monitor.c 2021-06-21 10:59:17.297473319 +0200
|
|
||||||
@@ -401,7 +401,7 @@ monitor_child_preauth(struct ssh *ssh, s
|
|
||||||
mm_get_keystate(ssh, pmonitor);
|
|
||||||
|
|
||||||
/* Drain any buffered messages from the child */
|
|
||||||
- while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)
|
|
||||||
+ while (pmonitor->m_log_recvfd >= 0 && monitor_read_log(pmonitor) == 0)
|
|
||||||
;
|
|
||||||
|
|
||||||
if (pmonitor->m_recvfd >= 0)
|
|
||||||
diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
|
|
||||||
--- openssh-7.4p1/monitor_wrap.c.coverity 2016-12-23 16:40:26.892788689 +0100
|
|
||||||
+++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:40:26.900788691 +0100
|
|
||||||
@@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
|
|
||||||
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
|
|
||||||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) {
|
|
||||||
error("%s: cannot allocate fds for pty", __func__);
|
|
||||||
- if (tmp1 > 0)
|
|
||||||
+ if (tmp1 >= 0)
|
|
||||||
close(tmp1);
|
|
||||||
- if (tmp2 > 0)
|
|
||||||
- close(tmp2);
|
|
||||||
+ /*DEAD CODE if (tmp2 >= 0)
|
|
||||||
+ close(tmp2);*/
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
close(tmp1);
|
|
||||||
diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/openbsd-compat/bindresvport.c
|
|
||||||
--- openssh-7.4p1/openbsd-compat/bindresvport.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
|
||||||
+++ openssh-7.4p1/openbsd-compat/bindresvport.c 2016-12-23 16:40:26.901788691 +0100
|
|
||||||
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
|
|
||||||
struct sockaddr_in6 *in6;
|
|
||||||
u_int16_t *portp;
|
|
||||||
u_int16_t port;
|
|
||||||
- socklen_t salen;
|
|
||||||
+ socklen_t salen = sizeof(struct sockaddr_storage);
|
|
||||||
int i;
|
|
||||||
|
|
||||||
if (sa == NULL) {
|
|
||||||
diff -up openssh-7.4p1/scp.c.coverity openssh-7.4p1/scp.c
|
|
||||||
--- openssh-7.4p1/scp.c.coverity 2016-12-23 16:40:26.856788681 +0100
|
|
||||||
+++ openssh-7.4p1/scp.c 2016-12-23 16:40:26.901788691 +0100
|
|
||||||
@@ -157,7 +157,7 @@ killchild(int signo)
|
|
||||||
{
|
|
||||||
if (do_cmd_pid > 1) {
|
|
||||||
kill(do_cmd_pid, signo ? signo : SIGTERM);
|
|
||||||
- waitpid(do_cmd_pid, NULL, 0);
|
|
||||||
+ (void) waitpid(do_cmd_pid, NULL, 0);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (signo)
|
|
||||||
diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
|
|
||||||
--- openssh-7.4p1/servconf.c.coverity 2016-12-23 16:40:26.896788690 +0100
|
|
||||||
+++ openssh-7.4p1/servconf.c 2016-12-23 16:40:26.901788691 +0100
|
|
||||||
@@ -1547,7 +1547,7 @@ process_server_config_line(ServerOptions
|
|
||||||
fatal("%s line %d: Missing subsystem name.",
|
|
||||||
filename, linenum);
|
|
||||||
if (!*activep) {
|
|
||||||
- arg = strdelim(&cp);
|
|
||||||
+ /*arg =*/ (void) strdelim(&cp);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
for (i = 0; i < options->num_subsystems; i++)
|
|
||||||
@@ -1638,8 +1638,9 @@ process_server_config_line(ServerOptions
|
|
||||||
if (*activep && *charptr == NULL) {
|
|
||||||
*charptr = tilde_expand_filename(arg, getuid());
|
|
||||||
/* increase optional counter */
|
|
||||||
- if (intptr != NULL)
|
|
||||||
- *intptr = *intptr + 1;
|
|
||||||
+ /* DEAD CODE intptr is still NULL ;)
|
|
||||||
+ if (intptr != NULL)
|
|
||||||
+ *intptr = *intptr + 1; */
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
|
|
||||||
diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c
|
|
||||||
--- openssh-7.4p1/serverloop.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
|
||||||
+++ openssh-7.4p1/serverloop.c 2016-12-23 16:40:26.902788691 +0100
|
|
||||||
@@ -125,13 +125,13 @@ notify_setup(void)
|
|
||||||
static void
|
|
||||||
notify_parent(void)
|
|
||||||
{
|
|
||||||
- if (notify_pipe[1] != -1)
|
|
||||||
+ if (notify_pipe[1] >= 0)
|
|
||||||
(void)write(notify_pipe[1], "", 1);
|
|
||||||
}
|
|
||||||
static void
|
|
||||||
notify_prepare(fd_set *readset)
|
|
||||||
{
|
|
||||||
- if (notify_pipe[0] != -1)
|
|
||||||
+ if (notify_pipe[0] >= 0)
|
|
||||||
FD_SET(notify_pipe[0], readset);
|
|
||||||
}
|
|
||||||
static void
|
|
||||||
@@ -139,8 +139,8 @@ notify_done(fd_set *readset)
|
|
||||||
{
|
|
||||||
char c;
|
|
||||||
|
|
||||||
- if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset))
|
|
||||||
- while (read(notify_pipe[0], &c, 1) != -1)
|
|
||||||
+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset))
|
|
||||||
+ while (read(notify_pipe[0], &c, 1) >= 0)
|
|
||||||
debug2("%s: reading", __func__);
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -518,7 +518,7 @@ server_request_tun(void)
|
|
||||||
debug("%s: invalid tun", __func__);
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
- if (auth_opts->force_tun_device != -1) {
|
|
||||||
+ if (auth_opts->force_tun_device >= 0) {
|
|
||||||
if (tun != SSH_TUNID_ANY &&
|
|
||||||
auth_opts->force_tun_device != (int)tun)
|
|
||||||
goto done;
|
|
||||||
diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
|
|
||||||
--- openssh-7.4p1/ssh-agent.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
|
||||||
+++ openssh-7.4p1/ssh-agent.c 2016-12-23 16:40:26.903788691 +0100
|
|
||||||
@@ -1220,8 +1220,8 @@ main(int ac, char **av)
|
|
||||||
sanitise_stdfd();
|
|
||||||
|
|
||||||
/* drop */
|
|
||||||
- setegid(getgid());
|
|
||||||
- setgid(getgid());
|
|
||||||
+ (void) setegid(getgid());
|
|
||||||
+ (void) setgid(getgid());
|
|
||||||
|
|
||||||
platform_disable_tracing(0); /* strict=no */
|
|
||||||
|
|
||||||
diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
|
|
||||||
--- openssh-7.4p1/sshd.c.coverity 2016-12-23 16:40:26.897788690 +0100
|
|
||||||
+++ openssh-7.4p1/sshd.c 2016-12-23 16:40:26.904788692 +0100
|
|
||||||
@@ -691,8 +691,10 @@ privsep_preauth(Authctxt *authctxt)
|
|
||||||
|
|
||||||
privsep_preauth_child(ssh);
|
|
||||||
setproctitle("%s", "[net]");
|
|
||||||
- if (box != NULL)
|
|
||||||
+ if (box != NULL) {
|
|
||||||
ssh_sandbox_child(box);
|
|
||||||
+ free(box);
|
|
||||||
+ }
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
@@ -1386,6 +1388,9 @@ server_accept_loop(int *sock_in, int *so
|
|
||||||
explicit_bzero(rnd, sizeof(rnd));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ if (fdset != NULL)
|
|
||||||
+ free(fdset);
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
@ -1,618 +0,0 @@
|
|||||||
diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
|
|
||||||
--- openssh-6.8p1/Makefile.in.kdf-cavs 2015-03-18 11:23:46.346049359 +0100
|
|
||||||
+++ openssh-6.8p1/Makefile.in 2015-03-18 11:24:20.395968445 +0100
|
|
||||||
@@ -29,6 +29,7 @@ SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-h
|
|
||||||
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
|
|
||||||
SSH_KEYCAT=$(libexecdir)/ssh-keycat
|
|
||||||
CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
|
|
||||||
+SSH_CAVS=$(libexecdir)/ssh-cavs
|
|
||||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
|
||||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
|
||||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
|
||||||
@@ -67,7 +68,7 @@ EXEEXT=@EXEEXT@
|
|
||||||
MKDIR_P=@MKDIR_P@
|
|
||||||
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
|
|
||||||
|
|
||||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
|
|
||||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
|
|
||||||
|
|
||||||
XMSS_OBJS=\
|
|
||||||
ssh-xmss.o \
|
|
||||||
@@ -198,6 +199,9 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHD
|
|
||||||
ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
|
||||||
$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
|
||||||
|
|
||||||
+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o
|
|
||||||
+ $(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
+
|
|
||||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
|
||||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
|
||||||
|
|
||||||
@@ -331,6 +335,8 @@ install-files:
|
|
||||||
fi
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
|
|
||||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-cavs$(EXEEXT)
|
|
||||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs_driver.pl $(DESTDIR)$(libexecdir)/ssh-cavs_driver.pl
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
|
||||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
|
||||||
diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
|
|
||||||
--- openssh-6.8p1/ssh-cavs.c.kdf-cavs 2015-03-18 11:23:46.348049354 +0100
|
|
||||||
+++ openssh-6.8p1/ssh-cavs.c 2015-03-18 11:23:46.348049354 +0100
|
|
||||||
@@ -0,0 +1,387 @@
|
|
||||||
+/*
|
|
||||||
+ * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
|
|
||||||
+ *
|
|
||||||
+ * Redistribution and use in source and binary forms, with or without
|
|
||||||
+ * modification, are permitted provided that the following conditions
|
|
||||||
+ * are met:
|
|
||||||
+ * 1. Redistributions of source code must retain the above copyright
|
|
||||||
+ * notice, and the entire permission notice in its entirety,
|
|
||||||
+ * including the disclaimer of warranties.
|
|
||||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
||||||
+ * notice, this list of conditions and the following disclaimer in the
|
|
||||||
+ * documentation and/or other materials provided with the distribution.
|
|
||||||
+ * 3. The name of the author may not be used to endorse or promote
|
|
||||||
+ * products derived from this software without specific prior
|
|
||||||
+ * written permission.
|
|
||||||
+ *
|
|
||||||
+ * ALTERNATIVELY, this product may be distributed under the terms of
|
|
||||||
+ * the GNU General Public License, in which case the provisions of the GPL2
|
|
||||||
+ * are required INSTEAD OF the above restrictions. (This clause is
|
|
||||||
+ * necessary due to a potential bad interaction between the GPL and
|
|
||||||
+ * the restrictions contained in a BSD-style copyright.)
|
|
||||||
+ *
|
|
||||||
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
|
||||||
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
||||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
|
|
||||||
+ * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
|
|
||||||
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
||||||
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
|
|
||||||
+ * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
|
|
||||||
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
||||||
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
||||||
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
|
|
||||||
+ * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
|
|
||||||
+ * DAMAGE.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#include "includes.h"
|
|
||||||
+
|
|
||||||
+#include <stdio.h>
|
|
||||||
+#include <stdlib.h>
|
|
||||||
+#include <errno.h>
|
|
||||||
+#include <sys/types.h>
|
|
||||||
+#include <string.h>
|
|
||||||
+
|
|
||||||
+#include <openssl/bn.h>
|
|
||||||
+
|
|
||||||
+#include "xmalloc.h"
|
|
||||||
+#include "sshbuf.h"
|
|
||||||
+#include "sshkey.h"
|
|
||||||
+#include "cipher.h"
|
|
||||||
+#include "kex.h"
|
|
||||||
+#include "packet.h"
|
|
||||||
+#include "digest.h"
|
|
||||||
+
|
|
||||||
+static int bin_char(unsigned char hex)
|
|
||||||
+{
|
|
||||||
+ if (48 <= hex && 57 >= hex)
|
|
||||||
+ return (hex - 48);
|
|
||||||
+ if (65 <= hex && 70 >= hex)
|
|
||||||
+ return (hex - 55);
|
|
||||||
+ if (97 <= hex && 102 >= hex)
|
|
||||||
+ return (hex - 87);
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Convert hex representation into binary string
|
|
||||||
+ * @hex input buffer with hex representation
|
|
||||||
+ * @hexlen length of hex
|
|
||||||
+ * @bin output buffer with binary data
|
|
||||||
+ * @binlen length of already allocated bin buffer (should be at least
|
|
||||||
+ * half of hexlen -- if not, only a fraction of hexlen is converted)
|
|
||||||
+ */
|
|
||||||
+static void hex2bin(const char *hex, size_t hexlen,
|
|
||||||
+ unsigned char *bin, size_t binlen)
|
|
||||||
+{
|
|
||||||
+ size_t i = 0;
|
|
||||||
+ size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < chars; i++) {
|
|
||||||
+ bin[i] = bin_char(hex[(i*2)]) << 4;
|
|
||||||
+ bin[i] |= bin_char(hex[((i*2)+1)]);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Allocate sufficient space for binary representation of hex
|
|
||||||
+ * and convert hex into bin
|
|
||||||
+ *
|
|
||||||
+ * Caller must free bin
|
|
||||||
+ * @hex input buffer with hex representation
|
|
||||||
+ * @hexlen length of hex
|
|
||||||
+ * @bin return value holding the pointer to the newly allocated buffer
|
|
||||||
+ * @binlen return value holding the allocated size of bin
|
|
||||||
+ *
|
|
||||||
+ * return: 0 on success, !0 otherwise
|
|
||||||
+ */
|
|
||||||
+static int hex2bin_alloc(const char *hex, size_t hexlen,
|
|
||||||
+ unsigned char **bin, size_t *binlen)
|
|
||||||
+{
|
|
||||||
+ unsigned char *out = NULL;
|
|
||||||
+ size_t outlen = 0;
|
|
||||||
+
|
|
||||||
+ if (!hexlen)
|
|
||||||
+ return -EINVAL;
|
|
||||||
+
|
|
||||||
+ outlen = (hexlen + 1) / 2;
|
|
||||||
+
|
|
||||||
+ out = calloc(1, outlen);
|
|
||||||
+ if (!out)
|
|
||||||
+ return -errno;
|
|
||||||
+
|
|
||||||
+ hex2bin(hex, hexlen, out, outlen);
|
|
||||||
+ *bin = out;
|
|
||||||
+ *binlen = outlen;
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static char hex_char_map_l[] = { '0', '1', '2', '3', '4', '5', '6', '7',
|
|
||||||
+ '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' };
|
|
||||||
+static char hex_char_map_u[] = { '0', '1', '2', '3', '4', '5', '6', '7',
|
|
||||||
+ '8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
|
|
||||||
+static char hex_char(unsigned int bin, int u)
|
|
||||||
+{
|
|
||||||
+ if (bin < sizeof(hex_char_map_l))
|
|
||||||
+ return (u) ? hex_char_map_u[bin] : hex_char_map_l[bin];
|
|
||||||
+ return 'X';
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Convert binary string into hex representation
|
|
||||||
+ * @bin input buffer with binary data
|
|
||||||
+ * @binlen length of bin
|
|
||||||
+ * @hex output buffer to store hex data
|
|
||||||
+ * @hexlen length of already allocated hex buffer (should be at least
|
|
||||||
+ * twice binlen -- if not, only a fraction of binlen is converted)
|
|
||||||
+ * @u case of hex characters (0=>lower case, 1=>upper case)
|
|
||||||
+ */
|
|
||||||
+static void bin2hex(const unsigned char *bin, size_t binlen,
|
|
||||||
+ char *hex, size_t hexlen, int u)
|
|
||||||
+{
|
|
||||||
+ size_t i = 0;
|
|
||||||
+ size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < chars; i++) {
|
|
||||||
+ hex[(i*2)] = hex_char((bin[i] >> 4), u);
|
|
||||||
+ hex[((i*2)+1)] = hex_char((bin[i] & 0x0f), u);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+struct kdf_cavs {
|
|
||||||
+ unsigned char *K;
|
|
||||||
+ size_t Klen;
|
|
||||||
+ unsigned char *H;
|
|
||||||
+ size_t Hlen;
|
|
||||||
+ unsigned char *session_id;
|
|
||||||
+ size_t session_id_len;
|
|
||||||
+
|
|
||||||
+ unsigned int iv_len;
|
|
||||||
+ unsigned int ek_len;
|
|
||||||
+ unsigned int ik_len;
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static int sshkdf_cavs(struct kdf_cavs *test)
|
|
||||||
+{
|
|
||||||
+ int ret = 0;
|
|
||||||
+ struct kex kex;
|
|
||||||
+ struct sshbuf *Kb = NULL;
|
|
||||||
+ BIGNUM *Kbn = NULL;
|
|
||||||
+ int mode = 0;
|
|
||||||
+ struct newkeys *ctoskeys;
|
|
||||||
+ struct newkeys *stockeys;
|
|
||||||
+ struct ssh *ssh = NULL;
|
|
||||||
+
|
|
||||||
+#define HEXOUTLEN 500
|
|
||||||
+ char hex[HEXOUTLEN];
|
|
||||||
+
|
|
||||||
+ memset(&kex, 0, sizeof(struct kex));
|
|
||||||
+
|
|
||||||
+ Kbn = BN_new();
|
|
||||||
+ BN_bin2bn(test->K, test->Klen, Kbn);
|
|
||||||
+ if (!Kbn) {
|
|
||||||
+ printf("cannot convert K into bignum\n");
|
|
||||||
+ ret = 1;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ Kb = sshbuf_new();
|
|
||||||
+ if (!Kb) {
|
|
||||||
+ printf("cannot convert K into sshbuf\n");
|
|
||||||
+ ret = 1;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ sshbuf_put_bignum2(Kb, Kbn);
|
|
||||||
+
|
|
||||||
+ kex.session_id = test->session_id;
|
|
||||||
+ kex.session_id_len = test->session_id_len;
|
|
||||||
+
|
|
||||||
+ /* setup kex */
|
|
||||||
+
|
|
||||||
+ /* select the right hash based on struct ssh_digest digests */
|
|
||||||
+ switch (test->ik_len) {
|
|
||||||
+ case 20:
|
|
||||||
+ kex.hash_alg = SSH_DIGEST_SHA1;
|
|
||||||
+ break;
|
|
||||||
+ case 32:
|
|
||||||
+ kex.hash_alg = SSH_DIGEST_SHA256;
|
|
||||||
+ break;
|
|
||||||
+ case 48:
|
|
||||||
+ kex.hash_alg = SSH_DIGEST_SHA384;
|
|
||||||
+ break;
|
|
||||||
+ case 64:
|
|
||||||
+ kex.hash_alg = SSH_DIGEST_SHA512;
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ printf("Wrong hash type %u\n", test->ik_len);
|
|
||||||
+ ret = 1;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* implement choose_enc */
|
|
||||||
+ for (mode = 0; mode < 2; mode++) {
|
|
||||||
+ kex.newkeys[mode] = calloc(1, sizeof(struct newkeys));
|
|
||||||
+ if (!kex.newkeys[mode]) {
|
|
||||||
+ printf("allocation of newkeys failed\n");
|
|
||||||
+ ret = 1;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ kex.newkeys[mode]->enc.iv_len = test->iv_len;
|
|
||||||
+ kex.newkeys[mode]->enc.key_len = test->ek_len;
|
|
||||||
+ kex.newkeys[mode]->enc.block_size = (test->iv_len == 64) ? 8 : 16;
|
|
||||||
+ kex.newkeys[mode]->mac.key_len = test->ik_len;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* implement kex_choose_conf */
|
|
||||||
+ kex.we_need = kex.newkeys[0]->enc.key_len;
|
|
||||||
+ if (kex.we_need < kex.newkeys[0]->enc.block_size)
|
|
||||||
+ kex.we_need = kex.newkeys[0]->enc.block_size;
|
|
||||||
+ if (kex.we_need < kex.newkeys[0]->enc.iv_len)
|
|
||||||
+ kex.we_need = kex.newkeys[0]->enc.iv_len;
|
|
||||||
+ if (kex.we_need < kex.newkeys[0]->mac.key_len)
|
|
||||||
+ kex.we_need = kex.newkeys[0]->mac.key_len;
|
|
||||||
+
|
|
||||||
+ /* MODE_OUT (1) -> server to client
|
|
||||||
+ * MODE_IN (0) -> client to server */
|
|
||||||
+ kex.server = 1;
|
|
||||||
+
|
|
||||||
+ /* do it */
|
|
||||||
+ if ((ssh = ssh_packet_set_connection(NULL, -1, -1)) == NULL){
|
|
||||||
+ printf("Allocation error\n");
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ ssh->kex = &kex;
|
|
||||||
+ kex_derive_keys(ssh, test->H, test->Hlen, Kb);
|
|
||||||
+
|
|
||||||
+ ctoskeys = kex.newkeys[0];
|
|
||||||
+ stockeys = kex.newkeys[1];
|
|
||||||
+
|
|
||||||
+ /* get data */
|
|
||||||
+ memset(hex, 0, HEXOUTLEN);
|
|
||||||
+ bin2hex(ctoskeys->enc.iv, (size_t)ctoskeys->enc.iv_len,
|
|
||||||
+ hex, HEXOUTLEN, 0);
|
|
||||||
+ printf("Initial IV (client to server) = %s\n", hex);
|
|
||||||
+ memset(hex, 0, HEXOUTLEN);
|
|
||||||
+ bin2hex(stockeys->enc.iv, (size_t)stockeys->enc.iv_len,
|
|
||||||
+ hex, HEXOUTLEN, 0);
|
|
||||||
+ printf("Initial IV (server to client) = %s\n", hex);
|
|
||||||
+
|
|
||||||
+ memset(hex, 0, HEXOUTLEN);
|
|
||||||
+ bin2hex(ctoskeys->enc.key, (size_t)ctoskeys->enc.key_len,
|
|
||||||
+ hex, HEXOUTLEN, 0);
|
|
||||||
+ printf("Encryption key (client to server) = %s\n", hex);
|
|
||||||
+ memset(hex, 0, HEXOUTLEN);
|
|
||||||
+ bin2hex(stockeys->enc.key, (size_t)stockeys->enc.key_len,
|
|
||||||
+ hex, HEXOUTLEN, 0);
|
|
||||||
+ printf("Encryption key (server to client) = %s\n", hex);
|
|
||||||
+
|
|
||||||
+ memset(hex, 0, HEXOUTLEN);
|
|
||||||
+ bin2hex(ctoskeys->mac.key, (size_t)ctoskeys->mac.key_len,
|
|
||||||
+ hex, HEXOUTLEN, 0);
|
|
||||||
+ printf("Integrity key (client to server) = %s\n", hex);
|
|
||||||
+ memset(hex, 0, HEXOUTLEN);
|
|
||||||
+ bin2hex(stockeys->mac.key, (size_t)stockeys->mac.key_len,
|
|
||||||
+ hex, HEXOUTLEN, 0);
|
|
||||||
+ printf("Integrity key (server to client) = %s\n", hex);
|
|
||||||
+
|
|
||||||
+out:
|
|
||||||
+ if (Kbn)
|
|
||||||
+ BN_free(Kbn);
|
|
||||||
+ if (Kb)
|
|
||||||
+ sshbuf_free(Kb);
|
|
||||||
+ if (ssh)
|
|
||||||
+ ssh_packet_close(ssh);
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void usage(void)
|
|
||||||
+{
|
|
||||||
+ fprintf(stderr, "\nOpenSSH KDF CAVS Test\n\n");
|
|
||||||
+ fprintf(stderr, "Usage:\n");
|
|
||||||
+ fprintf(stderr, "\t-K\tShared secret string\n");
|
|
||||||
+ fprintf(stderr, "\t-H\tHash string\n");
|
|
||||||
+ fprintf(stderr, "\t-s\tSession ID string\n");
|
|
||||||
+ fprintf(stderr, "\t-i\tIV length to be generated\n");
|
|
||||||
+ fprintf(stderr, "\t-e\tEncryption key length to be generated\n");
|
|
||||||
+ fprintf(stderr, "\t-m\tMAC key length to be generated\n");
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Test command example:
|
|
||||||
+ * ./ssh-cavs -K 0055d50f2d163cc07cd8a93cc7c3430c30ce786b572c01ad29fec7597000cf8618d664e2ec3dcbc8bb7a1a7eb7ef67f61cdaf291625da879186ac0a5cb27af571b59612d6a6e0627344d846271959fda61c78354aa498773d59762f8ca2d0215ec590d8633de921f920d41e47b3de6ab9a3d0869e1c826d0e4adebf8e3fb646a15dea20a410b44e969f4b791ed6a67f13f1b74234004d5fa5e87eff7abc32d49bbdf44d7b0107e8f10609233b7e2b7eff74a4daf25641de7553975dac6ac1e5117df6f6dbaa1c263d23a6c3e5a3d7d49ae8a828c1e333ac3f85fbbf57b5c1a45be45e43a7be1a4707eac779b8285522d1f531fe23f890fd38a004339932b93eda4 -H d3ab91a850febb417a25d892ec48ed5952c7a5de -s d3ab91a850febb417a25d892ec48ed5952c7a5de -i 8 -e 24 -m 20
|
|
||||||
+ *
|
|
||||||
+ * Initial IV (client to server) = 4bb320d1679dfd3a
|
|
||||||
+ * Initial IV (server to client) = 43dea6fdf263a308
|
|
||||||
+ * Encryption key (client to server) = 13048cc600b9d3cf9095aa6cf8e2ff9cf1c54ca0520c89ed
|
|
||||||
+ * Encryption key (server to client) = 1e483c5134e901aa11fc4e0a524e7ec7b75556148a222bb0
|
|
||||||
+ * Integrity key (client to server) = ecef63a092b0dcc585bdc757e01b2740af57d640
|
|
||||||
+ * Integrity key (server to client) = 7424b05f3c44a72b4ebd281fb71f9cbe7b64d479
|
|
||||||
+ */
|
|
||||||
+int main(int argc, char *argv[])
|
|
||||||
+{
|
|
||||||
+ struct kdf_cavs test;
|
|
||||||
+ int ret = 1;
|
|
||||||
+ int opt = 0;
|
|
||||||
+
|
|
||||||
+ memset(&test, 0, sizeof(struct kdf_cavs));
|
|
||||||
+ while((opt = getopt(argc, argv, "K:H:s:i:e:m:")) != -1)
|
|
||||||
+ {
|
|
||||||
+ size_t len = 0;
|
|
||||||
+ switch(opt)
|
|
||||||
+ {
|
|
||||||
+ /*
|
|
||||||
+ * CAVS K is MPINT
|
|
||||||
+ * we want a hex (i.e. the caller must ensure the
|
|
||||||
+ * following transformations already happened):
|
|
||||||
+ * 1. cut off first four bytes
|
|
||||||
+ * 2. if most significant bit of value is
|
|
||||||
+ * 1, prepend 0 byte
|
|
||||||
+ */
|
|
||||||
+ case 'K':
|
|
||||||
+ len = strlen(optarg);
|
|
||||||
+ ret = hex2bin_alloc(optarg, len,
|
|
||||||
+ &test.K, &test.Klen);
|
|
||||||
+ if (ret)
|
|
||||||
+ goto out;
|
|
||||||
+ break;
|
|
||||||
+ case 'H':
|
|
||||||
+ len = strlen(optarg);
|
|
||||||
+ ret = hex2bin_alloc(optarg, len,
|
|
||||||
+ &test.H, &test.Hlen);
|
|
||||||
+ if (ret)
|
|
||||||
+ goto out;
|
|
||||||
+ break;
|
|
||||||
+ case 's':
|
|
||||||
+ len = strlen(optarg);
|
|
||||||
+ ret = hex2bin_alloc(optarg, len,
|
|
||||||
+ &test.session_id,
|
|
||||||
+ &test.session_id_len);
|
|
||||||
+ if (ret)
|
|
||||||
+ goto out;
|
|
||||||
+ break;
|
|
||||||
+ case 'i':
|
|
||||||
+ test.iv_len = strtoul(optarg, NULL, 10);
|
|
||||||
+ break;
|
|
||||||
+ case 'e':
|
|
||||||
+ test.ek_len = strtoul(optarg, NULL, 10);
|
|
||||||
+ break;
|
|
||||||
+ case 'm':
|
|
||||||
+ test.ik_len = strtoul(optarg, NULL, 10);
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ usage();
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = sshkdf_cavs(&test);
|
|
||||||
+
|
|
||||||
+out:
|
|
||||||
+ if (test.session_id)
|
|
||||||
+ free(test.session_id);
|
|
||||||
+ if (test.K)
|
|
||||||
+ free(test.K);
|
|
||||||
+ if (test.H)
|
|
||||||
+ free(test.H);
|
|
||||||
+ return ret;
|
|
||||||
+
|
|
||||||
+}
|
|
||||||
diff -up openssh-6.8p1/ssh-cavs_driver.pl.kdf-cavs openssh-6.8p1/ssh-cavs_driver.pl
|
|
||||||
--- openssh-6.8p1/ssh-cavs_driver.pl.kdf-cavs 2015-03-18 11:23:46.348049354 +0100
|
|
||||||
+++ openssh-6.8p1/ssh-cavs_driver.pl 2015-03-18 11:23:46.348049354 +0100
|
|
||||||
@@ -0,0 +1,184 @@
|
|
||||||
+#!/usr/bin/env perl
|
|
||||||
+#
|
|
||||||
+# CAVS test driver for OpenSSH
|
|
||||||
+#
|
|
||||||
+# Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
|
|
||||||
+#
|
|
||||||
+# Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
||||||
+# of this software and associated documentation files (the "Software"), to deal
|
|
||||||
+# in the Software without restriction, including without limitation the rights
|
|
||||||
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
||||||
+# copies of the Software, and to permit persons to whom the Software is
|
|
||||||
+# furnished to do so, subject to the following conditions:
|
|
||||||
+#
|
|
||||||
+# The above copyright notice and this permission notice shall be included in
|
|
||||||
+# all copies or substantial portions of the Software.
|
|
||||||
+#
|
|
||||||
+# NO WARRANTY
|
|
||||||
+#
|
|
||||||
+# BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
|
|
||||||
+# FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
|
|
||||||
+# OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
|
|
||||||
+# PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
|
|
||||||
+# OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
|
||||||
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
|
|
||||||
+# TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
|
|
||||||
+# PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
|
|
||||||
+# REPAIR OR CORRECTION.
|
|
||||||
+#
|
|
||||||
+# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
|
||||||
+# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
|
|
||||||
+# REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
|
|
||||||
+# INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
|
|
||||||
+# OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
|
|
||||||
+# TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
|
|
||||||
+# YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
|
|
||||||
+# PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
|
|
||||||
+# POSSIBILITY OF SUCH DAMAGES.
|
|
||||||
+#
|
|
||||||
+use strict;
|
|
||||||
+use warnings;
|
|
||||||
+use IPC::Open2;
|
|
||||||
+
|
|
||||||
+# Executing a program by feeding STDIN and retrieving
|
|
||||||
+# STDOUT
|
|
||||||
+# $1: data string to be piped to the app on STDIN
|
|
||||||
+# rest: program and args
|
|
||||||
+# returns: STDOUT of program as string
|
|
||||||
+sub pipe_through_program($@) {
|
|
||||||
+ my $in = shift;
|
|
||||||
+ my @args = @_;
|
|
||||||
+
|
|
||||||
+ my ($CO, $CI);
|
|
||||||
+ my $pid = open2($CO, $CI, @args);
|
|
||||||
+
|
|
||||||
+ my $out = "";
|
|
||||||
+ my $len = length($in);
|
|
||||||
+ my $first = 1;
|
|
||||||
+ while (1) {
|
|
||||||
+ my $rin = "";
|
|
||||||
+ my $win = "";
|
|
||||||
+ # Output of prog is FD that we read
|
|
||||||
+ vec($rin,fileno($CO),1) = 1;
|
|
||||||
+ # Input of prog is FD that we write
|
|
||||||
+ # check for $first is needed because we can have NULL input
|
|
||||||
+ # that is to be written to the app
|
|
||||||
+ if ( $len > 0 || $first) {
|
|
||||||
+ (vec($win,fileno($CI),1) = 1);
|
|
||||||
+ $first=0;
|
|
||||||
+ }
|
|
||||||
+ # Let us wait for 100ms
|
|
||||||
+ my $nfound = select(my $rout=$rin, my $wout=$win, undef, 0.1);
|
|
||||||
+ if ( $wout ) {
|
|
||||||
+ my $written = syswrite($CI, $in, $len);
|
|
||||||
+ die "broken pipe" if !defined $written;
|
|
||||||
+ $len -= $written;
|
|
||||||
+ substr($in, 0, $written) = "";
|
|
||||||
+ if ($len <= 0) {
|
|
||||||
+ close $CI or die "broken pipe: $!";
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ if ( $rout ) {
|
|
||||||
+ my $tmp_out = "";
|
|
||||||
+ my $bytes_read = sysread($CO, $tmp_out, 4096);
|
|
||||||
+ $out .= $tmp_out;
|
|
||||||
+ last if ($bytes_read == 0);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ close $CO or die "broken pipe: $!";
|
|
||||||
+ waitpid $pid, 0;
|
|
||||||
+
|
|
||||||
+ return $out;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+# Parser of CAVS test vector file
|
|
||||||
+# $1: Test vector file
|
|
||||||
+# $2: Output file for test results
|
|
||||||
+# return: nothing
|
|
||||||
+sub parse($$) {
|
|
||||||
+ my $infile = shift;
|
|
||||||
+ my $outfile = shift;
|
|
||||||
+
|
|
||||||
+ my $out = "";
|
|
||||||
+
|
|
||||||
+ my $K = "";
|
|
||||||
+ my $H = "";
|
|
||||||
+ my $session_id = "";
|
|
||||||
+ my $ivlen = 0;
|
|
||||||
+ my $eklen = "";
|
|
||||||
+ my $iklen = "";
|
|
||||||
+
|
|
||||||
+ open(IN, "<$infile");
|
|
||||||
+ while(<IN>) {
|
|
||||||
+
|
|
||||||
+ my $line = $_;
|
|
||||||
+ chomp($line);
|
|
||||||
+ $line =~ s/\r//;
|
|
||||||
+
|
|
||||||
+ if ($line =~ /\[SHA-1\]/) {
|
|
||||||
+ $iklen = 20;
|
|
||||||
+ } elsif ($line =~ /\[SHA-256\]/) {
|
|
||||||
+ $iklen = 32;
|
|
||||||
+ } elsif ($line =~ /\[SHA-384\]/) {
|
|
||||||
+ $iklen = 48;
|
|
||||||
+ } elsif ($line =~ /\[SHA-512\]/) {
|
|
||||||
+ $iklen = 64;
|
|
||||||
+ } elsif ($line =~ /^\[IV length\s*=\s*(.*)\]/) {
|
|
||||||
+ $ivlen = $1;
|
|
||||||
+ $ivlen = $ivlen / 8;
|
|
||||||
+ } elsif ($line =~ /^\[encryption key length\s*=\s*(.*)\]/) {
|
|
||||||
+ $eklen = $1;
|
|
||||||
+ $eklen = $eklen / 8;
|
|
||||||
+ } elsif ($line =~ /^K\s*=\s*(.*)/) {
|
|
||||||
+ $K = $1;
|
|
||||||
+ $K = substr($K, 8);
|
|
||||||
+ $K = "00" . $K;
|
|
||||||
+ } elsif ($line =~ /^H\s*=\s*(.*)/) {
|
|
||||||
+ $H = $1;
|
|
||||||
+ } elsif ($line =~ /^session_id\s*=\s*(.*)/) {
|
|
||||||
+ $session_id = $1;
|
|
||||||
+ }
|
|
||||||
+ $out .= $line . "\n";
|
|
||||||
+
|
|
||||||
+ if ($K ne "" && $H ne "" && $session_id ne "" &&
|
|
||||||
+ $ivlen ne "" && $eklen ne "" && $iklen > 0) {
|
|
||||||
+ $out .= pipe_through_program("", "./ssh-cavs -H $H -K $K -s $session_id -i $ivlen -e $eklen -m $iklen");
|
|
||||||
+
|
|
||||||
+ $K = "";
|
|
||||||
+ $H = "";
|
|
||||||
+ $session_id = "";
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ close IN;
|
|
||||||
+ $out =~ s/\n/\r\n/g; # make it a dos file
|
|
||||||
+ open(OUT, ">$outfile") or die "Cannot create output file $outfile: $?";
|
|
||||||
+ print OUT $out;
|
|
||||||
+ close OUT;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+############################################################
|
|
||||||
+#
|
|
||||||
+# let us pretend to be C :-)
|
|
||||||
+sub main() {
|
|
||||||
+
|
|
||||||
+ my $infile=$ARGV[0];
|
|
||||||
+ die "Error: Test vector file $infile not found" if (! -f $infile);
|
|
||||||
+
|
|
||||||
+ my $outfile = $infile;
|
|
||||||
+ # let us add .rsp regardless whether we could strip .req
|
|
||||||
+ $outfile =~ s/\.req$//;
|
|
||||||
+ $outfile .= ".rsp";
|
|
||||||
+ if (-f $outfile) {
|
|
||||||
+ die "Output file $outfile could not be removed: $?"
|
|
||||||
+ unless unlink($outfile);
|
|
||||||
+ }
|
|
||||||
+ print STDERR "Performing tests from source file $infile with results stored in destination file $outfile\n";
|
|
||||||
+
|
|
||||||
+ # Do the job
|
|
||||||
+ parse($infile, $outfile);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+###########################################
|
|
||||||
+# Call it
|
|
||||||
+main();
|
|
||||||
+1;
|
|
File diff suppressed because it is too large
Load Diff
@ -1,12 +0,0 @@
|
|||||||
diff -up openssh-7.0p1/sshd_config.root-login openssh-7.0p1/sshd_config
|
|
||||||
--- openssh-7.0p1/sshd_config.root-login 2015-08-12 11:29:12.919269245 +0200
|
|
||||||
+++ openssh-7.0p1/sshd_config 2015-08-12 11:31:03.653096466 +0200
|
|
||||||
@@ -46,7 +46,7 @@ SyslogFacility AUTHPRIV
|
|
||||||
# Authentication:
|
|
||||||
|
|
||||||
#LoginGraceTime 2m
|
|
||||||
-#PermitRootLogin prohibit-password
|
|
||||||
+PermitRootLogin yes
|
|
||||||
#StrictModes yes
|
|
||||||
#MaxAuthTries 6
|
|
||||||
#MaxSessions 10
|
|
@ -1,98 +0,0 @@
|
|||||||
commit 0e22b79bfde45a7cf7a2e51a68ec11c4285f3b31
|
|
||||||
Author: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
Date: Mon Nov 21 15:04:06 2016 +0100
|
|
||||||
|
|
||||||
systemd stuff
|
|
||||||
|
|
||||||
diff --git a/configure.ac b/configure.ac
|
|
||||||
index 2ffc369..162ce92 100644
|
|
||||||
--- a/configure.ac
|
|
||||||
+++ b/configure.ac
|
|
||||||
@@ -4265,6 +4265,30 @@ AC_ARG_WITH([kerberos5],
|
|
||||||
AC_SUBST([GSSLIBS])
|
|
||||||
AC_SUBST([K5LIBS])
|
|
||||||
|
|
||||||
+# Check whether user wants systemd support
|
|
||||||
+SYSTEMD_MSG="no"
|
|
||||||
+AC_ARG_WITH(systemd,
|
|
||||||
+ [ --with-systemd Enable systemd support],
|
|
||||||
+ [ if test "x$withval" != "xno" ; then
|
|
||||||
+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
|
|
||||||
+ if test "$PKGCONFIG" != "no"; then
|
|
||||||
+ AC_MSG_CHECKING([for libsystemd])
|
|
||||||
+ if $PKGCONFIG --exists libsystemd; then
|
|
||||||
+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
|
|
||||||
+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
|
|
||||||
+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
|
|
||||||
+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
|
|
||||||
+ AC_MSG_RESULT([yes])
|
|
||||||
+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
|
|
||||||
+ SYSTEMD_MSG="yes"
|
|
||||||
+ else
|
|
||||||
+ AC_MSG_RESULT([no])
|
|
||||||
+ fi
|
|
||||||
+ fi
|
|
||||||
+ fi ]
|
|
||||||
+)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
# Looking for programs, paths and files
|
|
||||||
|
|
||||||
PRIVSEP_PATH=/var/empty
|
|
||||||
@@ -5097,6 +5121,7 @@ echo " libedit support: $LIBEDIT_MSG"
|
|
||||||
echo " Solaris process contract support: $SPC_MSG"
|
|
||||||
echo " Solaris project support: $SP_MSG"
|
|
||||||
echo " Solaris privilege support: $SPP_MSG"
|
|
||||||
+echo " systemd support: $SYSTEMD_MSG"
|
|
||||||
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
|
|
||||||
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
|
|
||||||
echo " BSD Auth support: $BSD_AUTH_MSG"
|
|
||||||
diff --git a/contrib/sshd.service b/contrib/sshd.service
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..e0d4923
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/contrib/sshd.service
|
|
||||||
@@ -0,0 +1,16 @@
|
|
||||||
+[Unit]
|
|
||||||
+Description=OpenSSH server daemon
|
|
||||||
+Documentation=man:sshd(8) man:sshd_config(5)
|
|
||||||
+After=network.target
|
|
||||||
+
|
|
||||||
+[Service]
|
|
||||||
+Type=notify
|
|
||||||
+ExecStart=/usr/sbin/sshd -D $OPTIONS
|
|
||||||
+ExecReload=/bin/kill -HUP $MAINPID
|
|
||||||
+KillMode=process
|
|
||||||
+Restart=on-failure
|
|
||||||
+RestartPreventExitStatus=255
|
|
||||||
+
|
|
||||||
+[Install]
|
|
||||||
+WantedBy=multi-user.target
|
|
||||||
+
|
|
||||||
diff --git a/sshd.c b/sshd.c
|
|
||||||
index 816611c..b8b9d13 100644
|
|
||||||
--- a/sshd.c
|
|
||||||
+++ b/sshd.c
|
|
||||||
@@ -85,6 +85,10 @@
|
|
||||||
#include <prot.h>
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+#ifdef HAVE_SYSTEMD
|
|
||||||
+#include <systemd/sd-daemon.h>
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
#include "xmalloc.h"
|
|
||||||
#include "ssh.h"
|
|
||||||
#include "ssh2.h"
|
|
||||||
@@ -1888,6 +1892,11 @@ main(int ac, char **av)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifdef HAVE_SYSTEMD
|
|
||||||
+ /* Signal systemd that we are ready to accept connections */
|
|
||||||
+ sd_notify(0, "READY=1");
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
/* Accept a connection and return in a forked child */
|
|
||||||
server_accept_loop(&sock_in, &sock_out,
|
|
||||||
&newsock, config_s);
|
|
@ -1,569 +0,0 @@
|
|||||||
diff -up openssh-7.9p1/cipher-ctr.c.fips openssh-7.9p1/cipher-ctr.c
|
|
||||||
--- openssh-7.9p1/cipher-ctr.c.fips 2019-03-11 17:06:37.519877082 +0100
|
|
||||||
+++ openssh-7.9p1/cipher-ctr.c 2019-03-11 17:06:37.620878031 +0100
|
|
||||||
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
|
|
||||||
aes_ctr.do_cipher = ssh_aes_ctr;
|
|
||||||
#ifndef SSH_OLD_EVP
|
|
||||||
aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
|
|
||||||
- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
|
|
||||||
+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
|
|
||||||
+ EVP_CIPH_FLAG_FIPS;
|
|
||||||
#endif
|
|
||||||
return (&aes_ctr);
|
|
||||||
}
|
|
||||||
diff -up openssh-7.9p1/clientloop.c.fips openssh-7.9p1/clientloop.c
|
|
||||||
--- openssh-7.9p1/clientloop.c.fips 2019-03-11 17:06:37.523877120 +0100
|
|
||||||
+++ openssh-7.9p1/clientloop.c 2019-03-11 17:06:37.620878031 +0100
|
|
||||||
@@ -2014,7 +2014,8 @@ key_accepted_by_hostkeyalgs(const struct
|
|
||||||
{
|
|
||||||
const char *ktype = sshkey_ssh_name(key);
|
|
||||||
const char *hostkeyalgs = options.hostkeyalgorithms != NULL ?
|
|
||||||
- options.hostkeyalgorithms : KEX_DEFAULT_PK_ALG;
|
|
||||||
+ options.hostkeyalgorithms : (FIPS_mode() ?
|
|
||||||
+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG);
|
|
||||||
|
|
||||||
if (key == NULL || key->type == KEY_UNSPEC)
|
|
||||||
return 0;
|
|
||||||
diff -up openssh-7.9p1/dh.c.fips openssh-7.9p1/dh.c
|
|
||||||
--- openssh-7.9p1/dh.c.fips 2018-10-17 02:01:20.000000000 +0200
|
|
||||||
+++ openssh-7.9p1/dh.c 2019-03-11 17:08:11.769763057 +0100
|
|
||||||
@@ -152,6 +152,12 @@ choose_dh(int min, int wantbits, int max
|
|
||||||
int best, bestcount, which, linenum;
|
|
||||||
struct dhgroup dhg;
|
|
||||||
|
|
||||||
+ if (FIPS_mode()) {
|
|
||||||
+ verbose("Using arbitrary primes is not allowed in FIPS mode."
|
|
||||||
+ " Falling back to known groups.");
|
|
||||||
+ return (dh_new_group_fallback(max));
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL) {
|
|
||||||
logit("WARNING: could not open %s (%s), using fixed modulus",
|
|
||||||
_PATH_DH_MODULI, strerror(errno));
|
|
||||||
@@ -489,4 +495,38 @@ dh_estimate(int bits)
|
|
||||||
return 8192;
|
|
||||||
}
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * Compares the received DH parameters with known-good groups,
|
|
||||||
+ * which might be either from group14, group16 or group18.
|
|
||||||
+ */
|
|
||||||
+int
|
|
||||||
+dh_is_known_group(const DH *dh)
|
|
||||||
+{
|
|
||||||
+ const BIGNUM *p, *g;
|
|
||||||
+ const BIGNUM *known_p, *known_g;
|
|
||||||
+ DH *known = NULL;
|
|
||||||
+ int bits = 0, rv = 0;
|
|
||||||
+
|
|
||||||
+ DH_get0_pqg(dh, &p, NULL, &g);
|
|
||||||
+ bits = BN_num_bits(p);
|
|
||||||
+
|
|
||||||
+ if (bits <= 3072) {
|
|
||||||
+ known = dh_new_group14();
|
|
||||||
+ } else if (bits <= 6144) {
|
|
||||||
+ known = dh_new_group16();
|
|
||||||
+ } else {
|
|
||||||
+ known = dh_new_group18();
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ DH_get0_pqg(known, &known_p, NULL, &known_g);
|
|
||||||
+
|
|
||||||
+ if (BN_cmp(g, known_g) == 0 &&
|
|
||||||
+ BN_cmp(p, known_p) == 0) {
|
|
||||||
+ rv = 1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ DH_free(known);
|
|
||||||
+ return rv;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
#endif /* WITH_OPENSSL */
|
|
||||||
diff -up openssh-7.9p1/dh.h.fips openssh-7.9p1/dh.h
|
|
||||||
--- openssh-7.9p1/dh.h.fips 2018-10-17 02:01:20.000000000 +0200
|
|
||||||
+++ openssh-7.9p1/dh.h 2019-03-11 17:08:18.718828381 +0100
|
|
||||||
@@ -43,6 +43,7 @@ DH *dh_new_group_fallback(int);
|
|
||||||
|
|
||||||
int dh_gen_key(DH *, int);
|
|
||||||
int dh_pub_is_valid(const DH *, const BIGNUM *);
|
|
||||||
+int dh_is_known_group(const DH *);
|
|
||||||
|
|
||||||
u_int dh_estimate(int);
|
|
||||||
|
|
||||||
diff -up openssh-7.9p1/kex.c.fips openssh-7.9p1/kex.c
|
|
||||||
--- openssh-7.9p1/kex.c.fips 2019-03-11 17:06:37.614877975 +0100
|
|
||||||
+++ openssh-7.9p1/kex.c 2019-03-11 17:06:37.621878041 +0100
|
|
||||||
@@ -175,7 +196,10 @@ kex_names_valid(const char *names)
|
|
||||||
for ((p = strsep(&cp, ",")); p && *p != '\0';
|
|
||||||
(p = strsep(&cp, ","))) {
|
|
||||||
if (kex_alg_by_name(p) == NULL) {
|
|
||||||
- error("Unsupported KEX algorithm \"%.100s\"", p);
|
|
||||||
+ if (FIPS_mode())
|
|
||||||
+ error("\"%.100s\" is not allowed in FIPS mode", p);
|
|
||||||
+ else
|
|
||||||
+ error("Unsupported KEX algorithm \"%.100s\"", p);
|
|
||||||
free(s);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
diff -up openssh-7.9p1/kexgexc.c.fips openssh-7.9p1/kexgexc.c
|
|
||||||
--- openssh-7.9p1/kexgexc.c.fips 2018-10-17 02:01:20.000000000 +0200
|
|
||||||
+++ openssh-7.9p1/kexgexc.c 2019-03-11 17:06:37.621878041 +0100
|
|
||||||
@@ -28,6 +28,7 @@
|
|
||||||
|
|
||||||
#ifdef WITH_OPENSSL
|
|
||||||
|
|
||||||
+#include <openssl/crypto.h>
|
|
||||||
#include <sys/types.h>
|
|
||||||
|
|
||||||
#include <openssl/dh.h>
|
|
||||||
@@ -118,6 +119,10 @@ input_kex_dh_gex_group(int type, u_int32
|
|
||||||
r = SSH_ERR_ALLOC_FAIL;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
+ if (FIPS_mode() && dh_is_known_group(kex->dh) == 0) {
|
|
||||||
+ r = SSH_ERR_INVALID_ARGUMENT;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
p = g = NULL; /* belong to kex->dh now */
|
|
||||||
|
|
||||||
/* generate and send 'e', client DH public key */
|
|
||||||
diff -up openssh-7.9p1/myproposal.h.fips openssh-7.9p1/myproposal.h
|
|
||||||
--- openssh-7.9p1/myproposal.h.fips 2018-10-17 02:01:20.000000000 +0200
|
|
||||||
+++ openssh-7.9p1/myproposal.h 2019-03-11 17:06:37.621878041 +0100
|
|
||||||
@@ -116,6 +116,16 @@
|
|
||||||
"rsa-sha2-256," \
|
|
||||||
"ssh-rsa"
|
|
||||||
|
|
||||||
+#define KEX_FIPS_PK_ALG \
|
|
||||||
+ HOSTKEY_ECDSA_CERT_METHODS \
|
|
||||||
+ "rsa-sha2-512-cert-v01@openssh.com," \
|
|
||||||
+ "rsa-sha2-256-cert-v01@openssh.com," \
|
|
||||||
+ "ssh-rsa-cert-v01@openssh.com," \
|
|
||||||
+ HOSTKEY_ECDSA_METHODS \
|
|
||||||
+ "rsa-sha2-512," \
|
|
||||||
+ "rsa-sha2-256," \
|
|
||||||
+ "ssh-rsa"
|
|
||||||
+
|
|
||||||
/* the actual algorithms */
|
|
||||||
|
|
||||||
#define KEX_SERVER_ENCRYPT \
|
|
||||||
@@ -139,6 +147,38 @@
|
|
||||||
|
|
||||||
#define KEX_CLIENT_MAC KEX_SERVER_MAC
|
|
||||||
|
|
||||||
+#define KEX_FIPS_ENCRYPT \
|
|
||||||
+ "aes128-ctr,aes192-ctr,aes256-ctr," \
|
|
||||||
+ "aes128-cbc,3des-cbc," \
|
|
||||||
+ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se" \
|
|
||||||
+ AESGCM_CIPHER_MODES
|
|
||||||
+#ifdef HAVE_EVP_SHA256
|
|
||||||
+# define KEX_DEFAULT_KEX_FIPS \
|
|
||||||
+ KEX_ECDH_METHODS \
|
|
||||||
+ KEX_SHA2_METHODS \
|
|
||||||
+ "diffie-hellman-group14-sha256"
|
|
||||||
+# define KEX_FIPS_MAC \
|
|
||||||
+ "hmac-sha1," \
|
|
||||||
+ "hmac-sha2-256," \
|
|
||||||
+ "hmac-sha2-512," \
|
|
||||||
+ "hmac-sha1-etm@openssh.com," \
|
|
||||||
+ "hmac-sha2-256-etm@openssh.com," \
|
|
||||||
+ "hmac-sha2-512-etm@openssh.com"
|
|
||||||
+#else
|
|
||||||
+# ifdef OPENSSL_HAS_NISTP521
|
|
||||||
+# define KEX_DEFAULT_KEX_FIPS \
|
|
||||||
+ "ecdh-sha2-nistp256," \
|
|
||||||
+ "ecdh-sha2-nistp384," \
|
|
||||||
+ "ecdh-sha2-nistp521"
|
|
||||||
+# else
|
|
||||||
+# define KEX_DEFAULT_KEX_FIPS \
|
|
||||||
+ "ecdh-sha2-nistp256," \
|
|
||||||
+ "ecdh-sha2-nistp384"
|
|
||||||
+# endif
|
|
||||||
+#define KEX_FIPS_MAC \
|
|
||||||
+ "hmac-sha1"
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
/* Not a KEX value, but here so all the algorithm defaults are together */
|
|
||||||
#define SSH_ALLOWED_CA_SIGALGS \
|
|
||||||
"ecdsa-sha2-nistp256," \
|
|
||||||
diff -up openssh-7.9p1/readconf.c.fips openssh-7.9p1/readconf.c
|
|
||||||
--- openssh-7.9p1/readconf.c.fips 2019-03-11 17:06:37.601877853 +0100
|
|
||||||
+++ openssh-7.9p1/readconf.c 2019-03-11 17:06:37.622878050 +0100
|
|
||||||
@@ -2178,18 +2178,19 @@ fill_default_options(Options * options)
|
|
||||||
all_kex = kex_alg_list(',');
|
|
||||||
all_key = sshkey_alg_list(0, 0, 1, ',');
|
|
||||||
all_sig = sshkey_alg_list(0, 1, 1, ',');
|
|
||||||
-#define ASSEMBLE(what, defaults, all) \
|
|
||||||
+#define ASSEMBLE(what, defaults, fips_defaults, all) \
|
|
||||||
do { \
|
|
||||||
if ((r = kex_assemble_names(&options->what, \
|
|
||||||
- defaults, all)) != 0) \
|
|
||||||
+ (FIPS_mode() ? fips_defaults : defaults), \
|
|
||||||
+ all)) != 0) \
|
|
||||||
fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
|
|
||||||
} while (0)
|
|
||||||
- ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, all_cipher);
|
|
||||||
- ASSEMBLE(macs, KEX_CLIENT_MAC, all_mac);
|
|
||||||
- ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, all_kex);
|
|
||||||
- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
|
|
||||||
- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
|
|
||||||
- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
|
|
||||||
+ ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
|
|
||||||
+ ASSEMBLE(macs, KEX_CLIENT_MAC, KEX_FIPS_MAC, all_mac);
|
|
||||||
+ ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
|
|
||||||
+ ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
|
|
||||||
+ ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
|
|
||||||
+ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
|
|
||||||
#undef ASSEMBLE
|
|
||||||
free(all_cipher);
|
|
||||||
free(all_mac);
|
|
||||||
diff -up openssh-7.9p1/sandbox-seccomp-filter.c.fips openssh-7.9p1/sandbox-seccomp-filter.c
|
|
||||||
--- openssh-7.9p1/sandbox-seccomp-filter.c.fips 2019-03-11 17:06:37.586877712 +0100
|
|
||||||
+++ openssh-7.9p1/sandbox-seccomp-filter.c 2019-03-11 17:06:37.622878050 +0100
|
|
||||||
@@ -137,6 +137,9 @@ static const struct sock_filter preauth_
|
|
||||||
#ifdef __NR_open
|
|
||||||
SC_DENY(__NR_open, EACCES),
|
|
||||||
#endif
|
|
||||||
+#ifdef __NR_socket
|
|
||||||
+ SC_DENY(__NR_socket, EACCES),
|
|
||||||
+#endif
|
|
||||||
#ifdef __NR_openat
|
|
||||||
SC_DENY(__NR_openat, EACCES),
|
|
||||||
#endif
|
|
||||||
diff -up openssh-7.9p1/servconf.c.fips openssh-7.9p1/servconf.c
|
|
||||||
--- openssh-7.9p1/servconf.c.fips 2019-03-11 17:06:37.568877543 +0100
|
|
||||||
+++ openssh-7.9p1/servconf.c 2019-03-11 17:06:37.622878050 +0100
|
|
||||||
@@ -209,18 +209,19 @@ assemble_algorithms(ServerOptions *o)
|
|
||||||
all_kex = kex_alg_list(',');
|
|
||||||
all_key = sshkey_alg_list(0, 0, 1, ',');
|
|
||||||
all_sig = sshkey_alg_list(0, 1, 1, ',');
|
|
||||||
-#define ASSEMBLE(what, defaults, all) \
|
|
||||||
+#define ASSEMBLE(what, defaults, fips_defaults, all) \
|
|
||||||
do { \
|
|
||||||
- if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
|
|
||||||
+ if ((r = kex_assemble_names(&o->what, (FIPS_mode() \
|
|
||||||
+ ? fips_defaults : defaults), all)) != 0) \
|
|
||||||
fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
|
|
||||||
} while (0)
|
|
||||||
- ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, all_cipher);
|
|
||||||
- ASSEMBLE(macs, KEX_SERVER_MAC, all_mac);
|
|
||||||
- ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);
|
|
||||||
- ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);
|
|
||||||
- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
|
|
||||||
- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
|
|
||||||
- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
|
|
||||||
+ ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
|
|
||||||
+ ASSEMBLE(macs, KEX_SERVER_MAC, KEX_FIPS_MAC, all_mac);
|
|
||||||
+ ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
|
|
||||||
+ ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
|
|
||||||
+ ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
|
|
||||||
+ ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
|
|
||||||
+ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
|
|
||||||
#undef ASSEMBLE
|
|
||||||
free(all_cipher);
|
|
||||||
free(all_mac);
|
|
||||||
diff -up openssh-7.9p1/ssh.c.fips openssh-7.9p1/ssh.c
|
|
||||||
--- openssh-7.9p1/ssh.c.fips 2019-03-11 17:06:37.602877862 +0100
|
|
||||||
+++ openssh-7.9p1/ssh.c 2019-03-11 17:06:37.623878060 +0100
|
|
||||||
@@ -76,6 +76,7 @@
|
|
||||||
#include <openssl/evp.h>
|
|
||||||
#include <openssl/err.h>
|
|
||||||
#endif
|
|
||||||
+#include <openssl/crypto.h>
|
|
||||||
#include "openbsd-compat/openssl-compat.h"
|
|
||||||
#include "openbsd-compat/sys-queue.h"
|
|
||||||
|
|
||||||
@@ -1283,6 +1294,10 @@ main(int ac, char **av)
|
|
||||||
dump_client_config(&options, host);
|
|
||||||
exit(0);
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ if (FIPS_mode()) {
|
|
||||||
+ debug("FIPS mode initialized");
|
|
||||||
+ }
|
|
||||||
|
|
||||||
if (muxclient_command != 0 && options.control_path == NULL)
|
|
||||||
fatal("No ControlPath specified for \"-O\" command");
|
|
||||||
diff -up openssh-7.9p1/sshconnect2.c.fips openssh-7.9p1/sshconnect2.c
|
|
||||||
--- openssh-7.9p1/sshconnect2.c.fips 2019-03-11 17:06:37.580877655 +0100
|
|
||||||
+++ openssh-7.9p1/sshconnect2.c 2019-03-11 17:06:37.623878060 +0100
|
|
||||||
@@ -44,6 +44,8 @@
|
|
||||||
#include <vis.h>
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+#include <openssl/crypto.h>
|
|
||||||
+
|
|
||||||
#include "openbsd-compat/sys-queue.h"
|
|
||||||
|
|
||||||
#include "xmalloc.h"
|
|
||||||
@@ -148,7 +150,8 @@ order_hostkeyalgs(char *host, struct soc
|
|
||||||
* Otherwise, prefer the host key algorithms that match known keys
|
|
||||||
* while keeping the ordering of HostkeyAlgorithms as much as possible.
|
|
||||||
*/
|
|
||||||
- oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
|
|
||||||
+ oavail = avail = xstrdup((FIPS_mode()
|
|
||||||
+ ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
|
|
||||||
maxlen = strlen(avail) + 1;
|
|
||||||
first = xmalloc(maxlen);
|
|
||||||
last = xmalloc(maxlen);
|
|
||||||
@@ -229,14 +232,16 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
|
||||||
if (options.hostkeyalgorithms != NULL) {
|
|
||||||
all_key = sshkey_alg_list(0, 0, 1, ',');
|
|
||||||
if (kex_assemble_names(&options.hostkeyalgorithms,
|
|
||||||
- KEX_DEFAULT_PK_ALG, all_key) != 0)
|
|
||||||
+ (FIPS_mode() ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG),
|
|
||||||
+ all_key) != 0)
|
|
||||||
fatal("%s: kex_assemble_namelist", __func__);
|
|
||||||
free(all_key);
|
|
||||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
|
|
||||||
compat_pkalg_proposal(options.hostkeyalgorithms);
|
|
||||||
} else {
|
|
||||||
/* Enforce default */
|
|
||||||
- options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
|
|
||||||
+ options.hostkeyalgorithms = xstrdup((FIPS_mode()
|
|
||||||
+ ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
|
|
||||||
/* Prefer algorithms that we already have keys for */
|
|
||||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
|
|
||||||
compat_pkalg_proposal(
|
|
||||||
@@ -201,35 +201,40 @@ ssh_kex2(char *host, struct sockaddr *ho
|
|
||||||
|
|
||||||
#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
|
||||||
if (options.gss_keyex) {
|
|
||||||
- /* Add the GSSAPI mechanisms currently supported on this
|
|
||||||
- * client to the key exchange algorithm proposal */
|
|
||||||
- orig = myproposal[PROPOSAL_KEX_ALGS];
|
|
||||||
-
|
|
||||||
- if (options.gss_server_identity) {
|
|
||||||
- gss_host = xstrdup(options.gss_server_identity);
|
|
||||||
- } else if (options.gss_trust_dns) {
|
|
||||||
- gss_host = remote_hostname(ssh);
|
|
||||||
- /* Fall back to specified host if we are using proxy command
|
|
||||||
- * and can not use DNS on that socket */
|
|
||||||
- if (strcmp(gss_host, "UNKNOWN") == 0) {
|
|
||||||
- gss_host = xstrdup(host);
|
|
||||||
- }
|
|
||||||
- } else {
|
|
||||||
- gss_host = xstrdup(host);
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- gss = ssh_gssapi_client_mechanisms(gss_host,
|
|
||||||
- options.gss_client_identity, options.gss_kex_algorithms);
|
|
||||||
- if (gss) {
|
|
||||||
- debug("Offering GSSAPI proposal: %s", gss);
|
|
||||||
- xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
|
|
||||||
- "%s,%s", gss, orig);
|
|
||||||
-
|
|
||||||
- /* If we've got GSSAPI algorithms, then we also support the
|
|
||||||
- * 'null' hostkey, as a last resort */
|
|
||||||
- orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
|
|
||||||
- xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
|
|
||||||
- "%s,null", orig);
|
|
||||||
+ if (FIPS_mode()) {
|
|
||||||
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
|
|
||||||
+ options.gss_keyex = 0;
|
|
||||||
+ } else {
|
|
||||||
+ /* Add the GSSAPI mechanisms currently supported on this
|
|
||||||
+ * client to the key exchange algorithm proposal */
|
|
||||||
+ orig = myproposal[PROPOSAL_KEX_ALGS];
|
|
||||||
+
|
|
||||||
+ if (options.gss_server_identity) {
|
|
||||||
+ gss_host = xstrdup(options.gss_server_identity);
|
|
||||||
+ } else if (options.gss_trust_dns) {
|
|
||||||
+ gss_host = remote_hostname(ssh);
|
|
||||||
+ /* Fall back to specified host if we are using proxy command
|
|
||||||
+ * and can not use DNS on that socket */
|
|
||||||
+ if (strcmp(gss_host, "UNKNOWN") == 0) {
|
|
||||||
+ gss_host = xstrdup(host);
|
|
||||||
+ }
|
|
||||||
+ } else {
|
|
||||||
+ gss_host = xstrdup(host);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ gss = ssh_gssapi_client_mechanisms(gss_host,
|
|
||||||
+ options.gss_client_identity, options.gss_kex_algorithms);
|
|
||||||
+ if (gss) {
|
|
||||||
+ debug("Offering GSSAPI proposal: %s", gss);
|
|
||||||
+ xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
|
|
||||||
+ "%s,%s", gss, orig);
|
|
||||||
+
|
|
||||||
+ /* If we've got GSSAPI algorithms, then we also support the
|
|
||||||
+ * 'null' hostkey, as a last resort */
|
|
||||||
+ orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
|
|
||||||
+ xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
|
|
||||||
+ "%s,null", orig);
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
diff -up openssh-7.9p1/sshd.c.fips openssh-7.9p1/sshd.c
|
|
||||||
--- openssh-7.9p1/sshd.c.fips 2019-03-11 17:06:37.617878003 +0100
|
|
||||||
+++ openssh-7.9p1/sshd.c 2019-03-11 17:06:37.624878069 +0100
|
|
||||||
@@ -66,6 +66,7 @@
|
|
||||||
#include <grp.h>
|
|
||||||
#include <pwd.h>
|
|
||||||
#include <signal.h>
|
|
||||||
+#include <syslog.h>
|
|
||||||
#include <stdarg.h>
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <stdlib.h>
|
|
||||||
@@ -77,6 +78,7 @@
|
|
||||||
#include <openssl/dh.h>
|
|
||||||
#include <openssl/bn.h>
|
|
||||||
#include <openssl/rand.h>
|
|
||||||
+#include <openssl/crypto.h>
|
|
||||||
#include "openbsd-compat/openssl-compat.h"
|
|
||||||
#endif
|
|
||||||
|
|
||||||
@@ -1581,6 +1584,7 @@ main(int ac, char **av)
|
|
||||||
#endif
|
|
||||||
__progname = ssh_get_progname(av[0]);
|
|
||||||
|
|
||||||
+ OpenSSL_add_all_algorithms();
|
|
||||||
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
|
|
||||||
saved_argc = ac;
|
|
||||||
rexec_argc = ac;
|
|
||||||
@@ -2036,6 +2051,10 @@ main(int ac, char **av)
|
|
||||||
/* Reinitialize the log (because of the fork above). */
|
|
||||||
log_init(__progname, options.log_level, options.log_facility, log_stderr);
|
|
||||||
|
|
||||||
+ if (FIPS_mode()) {
|
|
||||||
+ debug("FIPS mode initialized");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* Chdir to the root directory so that the current disk can be
|
|
||||||
unmounted if desired. */
|
|
||||||
if (chdir("/") == -1)
|
|
||||||
@@ -2412,10 +2431,14 @@ do_ssh2_kex(void)
|
|
||||||
if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
|
|
||||||
orig = NULL;
|
|
||||||
|
|
||||||
- if (options.gss_keyex)
|
|
||||||
- gss = ssh_gssapi_server_mechanisms();
|
|
||||||
- else
|
|
||||||
- gss = NULL;
|
|
||||||
+ if (options.gss_keyex) {
|
|
||||||
+ if (FIPS_mode()) {
|
|
||||||
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
|
|
||||||
+ options.gss_keyex = 0;
|
|
||||||
+ } else {
|
|
||||||
+ gss = ssh_gssapi_server_mechanisms();
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
|
|
||||||
if (gss && orig)
|
|
||||||
xasprintf(&newstr, "%s,%s", gss, orig);
|
|
||||||
diff -up openssh-7.9p1/sshkey.c.fips openssh-7.9p1/sshkey.c
|
|
||||||
--- openssh-7.9p1/sshkey.c.fips 2019-03-11 17:06:37.617878003 +0100
|
|
||||||
+++ openssh-7.9p1/sshkey.c 2019-03-11 17:06:37.624878069 +0100
|
|
||||||
@@ -34,6 +34,7 @@
|
|
||||||
#include <openssl/evp.h>
|
|
||||||
#include <openssl/err.h>
|
|
||||||
#include <openssl/pem.h>
|
|
||||||
+#include <openssl/crypto.h>
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#include "crypto_api.h"
|
|
||||||
@@ -57,6 +58,7 @@
|
|
||||||
#include "sshkey.h"
|
|
||||||
#include "sshkey-xmss.h"
|
|
||||||
#include "match.h"
|
|
||||||
+#include "log.h"
|
|
||||||
|
|
||||||
#include "xmss_fast.h"
|
|
||||||
|
|
||||||
@@ -392,7 +394,8 @@ sshkey_calculate_signature(EVP_PKEY *pkey
|
|
||||||
{
|
|
||||||
EVP_MD_CTX *ctx = NULL;
|
|
||||||
u_char *sig = NULL;
|
|
||||||
- int ret, slen, len;
|
|
||||||
+ int ret, slen;
|
|
||||||
+ size_t len;
|
|
||||||
|
|
||||||
if (sigp == NULL || lenp == NULL) {
|
|
||||||
return SSH_ERR_INVALID_ARGUMENT;
|
|
||||||
@@ -411,9 +414,10 @@ sshkey_calculate_signature(EVP_PKEY *pkey
|
|
||||||
ret = SSH_ERR_ALLOC_FAIL;
|
|
||||||
goto error;
|
|
||||||
}
|
|
||||||
- if (EVP_SignInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 ||
|
|
||||||
- EVP_SignUpdate(ctx, data, datalen) <= 0 ||
|
|
||||||
- EVP_SignFinal(ctx, sig, &len, pkey) <= 0) {
|
|
||||||
+ if (EVP_DigestSignInit(ctx, NULL, ssh_digest_to_md(hash_alg),
|
|
||||||
+ NULL, pkey) != 1 ||
|
|
||||||
+ EVP_DigestSignUpdate(ctx, data, datalen) != 1 ||
|
|
||||||
+ EVP_DigestSignFinal(ctx, sig, &len) != 1) {
|
|
||||||
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
||||||
goto error;
|
|
||||||
}
|
|
||||||
@@ -440,12 +444,13 @@ sshkey_verify_signature(EVP_PKEY *pkey
|
|
||||||
if ((ctx = EVP_MD_CTX_new()) == NULL) {
|
|
||||||
return SSH_ERR_ALLOC_FAIL;
|
|
||||||
}
|
|
||||||
- if (EVP_VerifyInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 ||
|
|
||||||
- EVP_VerifyUpdate(ctx, data, datalen) <= 0) {
|
|
||||||
+ if (EVP_DigestVerifyInit(ctx, NULL, ssh_digest_to_md(hash_alg),
|
|
||||||
+ NULL, pkey) != 1 ||
|
|
||||||
+ EVP_DigestVerifyUpdate(ctx, data, datalen) != 1) {
|
|
||||||
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
- ret = EVP_VerifyFinal(ctx, sigbuf, siglen, pkey);
|
|
||||||
+ ret = EVP_DigestVerifyFinal(ctx, sigbuf, siglen);
|
|
||||||
switch (ret) {
|
|
||||||
case 1:
|
|
||||||
ret = 0;
|
|
||||||
@@ -1514,6 +1516,8 @@ rsa_generate_private_key(u_int bits, RSA
|
|
||||||
}
|
|
||||||
if (!BN_set_word(f4, RSA_F4) ||
|
|
||||||
!RSA_generate_key_ex(private, bits, f4, NULL)) {
|
|
||||||
+ if (FIPS_mode())
|
|
||||||
+ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__);
|
|
||||||
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
diff -up openssh-7.9p1/ssh-keygen.c.fips openssh-7.9p1/ssh-keygen.c
|
|
||||||
--- openssh-7.9p1/ssh-keygen.c.fips 2019-03-11 17:06:37.590877750 +0100
|
|
||||||
+++ openssh-7.9p1/ssh-keygen.c 2019-03-11 17:06:37.625878079 +0100
|
|
||||||
@@ -230,6 +230,12 @@ type_bits_valid(int type, const char *na
|
|
||||||
OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS;
|
|
||||||
if (*bitsp > maxbits)
|
|
||||||
fatal("key bits exceeds maximum %d", maxbits);
|
|
||||||
+ if (FIPS_mode()) {
|
|
||||||
+ if (type == KEY_DSA)
|
|
||||||
+ fatal("DSA keys are not allowed in FIPS mode");
|
|
||||||
+ if (type == KEY_ED25519)
|
|
||||||
+ fatal("ED25519 keys are not allowed in FIPS mode");
|
|
||||||
+ }
|
|
||||||
switch (type) {
|
|
||||||
case KEY_DSA:
|
|
||||||
if (*bitsp != 1024)
|
|
||||||
@@ -1029,9 +1035,17 @@ do_gen_all_hostkeys(struct passwd *pw)
|
|
||||||
first = 1;
|
|
||||||
printf("%s: generating new host keys: ", __progname);
|
|
||||||
}
|
|
||||||
+ type = sshkey_type_from_name(key_types[i].key_type);
|
|
||||||
+
|
|
||||||
+ /* Skip the keys that are not supported in FIPS mode */
|
|
||||||
+ if (FIPS_mode() && (type == KEY_DSA || type == KEY_ED25519)) {
|
|
||||||
+ logit("Skipping %s key in FIPS mode",
|
|
||||||
+ key_types[i].key_type_display);
|
|
||||||
+ goto next;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
printf("%s ", key_types[i].key_type_display);
|
|
||||||
fflush(stdout);
|
|
||||||
- type = sshkey_type_from_name(key_types[i].key_type);
|
|
||||||
if ((fd = mkstemp(prv_tmp)) == -1) {
|
|
||||||
error("Could not save your public key in %s: %s",
|
|
||||||
prv_tmp, strerror(errno));
|
|
||||||
diff -up openssh-8.0p1/sshd_config.xxx openssh-8.0p1/sshd_config
|
|
||||||
--- openssh-8.0p1/sshd_config.xxx 2023-10-30 13:01:59.150952364 +0100
|
|
||||||
+++ openssh-8.0p1/sshd_config 2023-10-30 13:02:56.662231354 +0100
|
|
||||||
@@ -21,6 +21,7 @@
|
|
||||||
|
|
||||||
HostKey /etc/ssh/ssh_host_rsa_key
|
|
||||||
HostKey /etc/ssh/ssh_host_ecdsa_key
|
|
||||||
+#In FIPS mode Ed25519 keys are not supported, please comment out the next line
|
|
||||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
|
||||||
|
|
||||||
# Ciphers and keying
|
|
@ -1,164 +0,0 @@
|
|||||||
diff -up openssh-7.7p1/ssh_config.redhat openssh-7.7p1/ssh_config
|
|
||||||
--- openssh-7.7p1/ssh_config.redhat 2018-04-02 07:38:28.000000000 +0200
|
|
||||||
+++ openssh-7.7p1/ssh_config 2018-07-03 10:44:06.522245125 +0200
|
|
||||||
@@ -44,3 +44,8 @@
|
|
||||||
# VisualHostKey no
|
|
||||||
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
|
||||||
# RekeyLimit 1G 1h
|
|
||||||
+#
|
|
||||||
+# This system is following system-wide crypto policy.
|
|
||||||
+# To modify the system-wide ssh configuration, create a *.conf file under
|
|
||||||
+# /etc/ssh/ssh_config.d/ which will be automatically included below
|
|
||||||
+Include /etc/ssh/ssh_config.d/*.conf
|
|
||||||
diff -up openssh-7.7p1/ssh_config_redhat.redhat openssh-7.7p1/ssh_config_redhat
|
|
||||||
--- openssh-7.7p1/ssh_config_redhat.redhat 2018-07-03 10:44:06.522245125 +0200
|
|
||||||
+++ openssh-7.7p1/ssh_config_redhat 2018-07-03 10:44:06.522245125 +0200
|
|
||||||
@@ -0,0 +1,21 @@
|
|
||||||
+# The options here are in the "Match final block" to be applied as the last
|
|
||||||
+# options and could be potentially overwritten by the user configuration
|
|
||||||
+Match final all
|
|
||||||
+ # Follow system-wide Crypto Policy, if defined:
|
|
||||||
+ Include /etc/crypto-policies/back-ends/openssh.config
|
|
||||||
+
|
|
||||||
+ GSSAPIAuthentication yes
|
|
||||||
+
|
|
||||||
+# If this option is set to yes then remote X11 clients will have full access
|
|
||||||
+# to the original X11 display. As virtually no X11 client supports the untrusted
|
|
||||||
+# mode correctly we set this to yes.
|
|
||||||
+ ForwardX11Trusted yes
|
|
||||||
+
|
|
||||||
+# Send locale-related environment variables
|
|
||||||
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
|
||||||
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
|
||||||
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
|
||||||
+ SendEnv XMODIFIERS
|
|
||||||
+
|
|
||||||
+# Uncomment this if you want to use .local domain
|
|
||||||
+# Host *.local
|
|
||||||
+# CheckHostIP no
|
|
||||||
diff -up openssh-7.7p1/sshd_config.0.redhat openssh-7.7p1/sshd_config.0
|
|
||||||
--- openssh-7.7p1/sshd_config.0.redhat 2018-04-02 07:39:27.000000000 +0200
|
|
||||||
+++ openssh-7.7p1/sshd_config.0 2018-07-03 10:44:06.523245133 +0200
|
|
||||||
@@ -872,9 +872,9 @@ DESCRIPTION
|
|
||||||
|
|
||||||
SyslogFacility
|
|
||||||
Gives the facility code that is used when logging messages from
|
|
||||||
- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
|
|
||||||
- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
|
|
||||||
- default is AUTH.
|
|
||||||
+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
|
|
||||||
+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
|
||||||
+ The default is AUTH.
|
|
||||||
|
|
||||||
TCPKeepAlive
|
|
||||||
Specifies whether the system should send TCP keepalive messages
|
|
||||||
diff -up openssh-7.7p1/sshd_config.5.redhat openssh-7.7p1/sshd_config.5
|
|
||||||
--- openssh-7.7p1/sshd_config.5.redhat 2018-04-02 07:38:28.000000000 +0200
|
|
||||||
+++ openssh-7.7p1/sshd_config.5 2018-07-03 10:44:06.523245133 +0200
|
|
||||||
@@ -1461,7 +1461,7 @@ By default no subsystems are defined.
|
|
||||||
.It Cm SyslogFacility
|
|
||||||
Gives the facility code that is used when logging messages from
|
|
||||||
.Xr sshd 8 .
|
|
||||||
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
|
|
||||||
+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
|
|
||||||
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
|
||||||
The default is AUTH.
|
|
||||||
.It Cm TCPKeepAlive
|
|
||||||
diff -up openssh-7.7p1/sshd_config.redhat openssh-7.7p1/sshd_config
|
|
||||||
--- openssh-7.7p1/sshd_config.redhat 2018-04-02 07:38:28.000000000 +0200
|
|
||||||
+++ openssh-7.7p1/sshd_config 2018-07-03 10:45:16.950782466 +0200
|
|
||||||
@@ -10,20 +10,31 @@
|
|
||||||
# possible, but leave them commented. Uncommented options override the
|
|
||||||
# default value.
|
|
||||||
|
|
||||||
+# If you want to change the port on a SELinux system, you have to tell
|
|
||||||
+# SELinux about this change.
|
|
||||||
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
|
|
||||||
+#
|
|
||||||
#Port 22
|
|
||||||
#AddressFamily any
|
|
||||||
#ListenAddress 0.0.0.0
|
|
||||||
#ListenAddress ::
|
|
||||||
|
|
||||||
-#HostKey /etc/ssh/ssh_host_rsa_key
|
|
||||||
-#HostKey /etc/ssh/ssh_host_ecdsa_key
|
|
||||||
-#HostKey /etc/ssh/ssh_host_ed25519_key
|
|
||||||
+HostKey /etc/ssh/ssh_host_rsa_key
|
|
||||||
+HostKey /etc/ssh/ssh_host_ecdsa_key
|
|
||||||
+HostKey /etc/ssh/ssh_host_ed25519_key
|
|
||||||
|
|
||||||
# Ciphers and keying
|
|
||||||
#RekeyLimit default none
|
|
||||||
|
|
||||||
+# This system is following system-wide crypto policy. The changes to
|
|
||||||
+# crypto properties (Ciphers, MACs, ...) will not have any effect here.
|
|
||||||
+# They will be overridden by command-line options passed to the server
|
|
||||||
+# on command line.
|
|
||||||
+# Please, check manual pages for update-crypto-policies(8) and sshd_config(5).
|
|
||||||
+
|
|
||||||
# Logging
|
|
||||||
#SyslogFacility AUTH
|
|
||||||
+SyslogFacility AUTHPRIV
|
|
||||||
#LogLevel INFO
|
|
||||||
|
|
||||||
# Authentication:
|
|
||||||
@@ -56,9 +70,11 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|
||||||
# To disable tunneled clear text passwords, change to no here!
|
|
||||||
#PasswordAuthentication yes
|
|
||||||
#PermitEmptyPasswords no
|
|
||||||
+PasswordAuthentication yes
|
|
||||||
|
|
||||||
# Change to no to disable s/key passwords
|
|
||||||
#ChallengeResponseAuthentication yes
|
|
||||||
+ChallengeResponseAuthentication no
|
|
||||||
|
|
||||||
# Kerberos options
|
|
||||||
#KerberosAuthentication no
|
|
||||||
@@ -67,8 +83,8 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|
||||||
#KerberosGetAFSToken no
|
|
||||||
|
|
||||||
# GSSAPI options
|
|
||||||
-#GSSAPIAuthentication no
|
|
||||||
-#GSSAPICleanupCredentials yes
|
|
||||||
+GSSAPIAuthentication yes
|
|
||||||
+GSSAPICleanupCredentials no
|
|
||||||
|
|
||||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
|
||||||
# and session processing. If this is enabled, PAM authentication will
|
|
||||||
@@ -79,16 +95,20 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|
||||||
# If you just want the PAM account and session checks to run without
|
|
||||||
# PAM authentication, then enable this but set PasswordAuthentication
|
|
||||||
# and ChallengeResponseAuthentication to 'no'.
|
|
||||||
-#UsePAM no
|
|
||||||
+UsePAM yes
|
|
||||||
|
|
||||||
#AllowAgentForwarding yes
|
|
||||||
#AllowTcpForwarding yes
|
|
||||||
#GatewayPorts no
|
|
||||||
-#X11Forwarding no
|
|
||||||
+X11Forwarding yes
|
|
||||||
#X11DisplayOffset 10
|
|
||||||
#X11UseLocalhost yes
|
|
||||||
#PermitTTY yes
|
|
||||||
-#PrintMotd yes
|
|
||||||
+
|
|
||||||
+# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
|
|
||||||
+# as it is more configurable and versatile than the built-in version.
|
|
||||||
+PrintMotd no
|
|
||||||
+
|
|
||||||
#PrintLastLog yes
|
|
||||||
#TCPKeepAlive yes
|
|
||||||
#PermitUserEnvironment no
|
|
||||||
@@ -106,6 +126,12 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|
||||||
# no default banner path
|
|
||||||
#Banner none
|
|
||||||
|
|
||||||
+# Accept locale-related environment variables
|
|
||||||
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
|
||||||
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
|
||||||
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
|
||||||
+AcceptEnv XMODIFIERS
|
|
||||||
+
|
|
||||||
# override default of no subsystems
|
|
||||||
Subsystem sftp /usr/libexec/sftp-server
|
|
||||||
|
|
@ -1,26 +0,0 @@
|
|||||||
diff --git a/sshd.c b/sshd.c
|
|
||||||
--- a/sshd.c
|
|
||||||
+++ b/sshd.c
|
|
||||||
@@ -1701,6 +1701,10 @@ main(int ac, char **av)
|
|
||||||
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
|
|
||||||
cfg, NULL);
|
|
||||||
|
|
||||||
+ /* 'UsePAM no' is not supported in RHEL */
|
|
||||||
+ if (! options.use_pam)
|
|
||||||
+ logit("WARNING: 'UsePAM no' is not supported in RHEL and may cause several problems.");
|
|
||||||
+
|
|
||||||
/* Fill in default values for those options not explicitly set. */
|
|
||||||
fill_default_server_options(&options);
|
|
||||||
|
|
||||||
diff --git a/sshd_config b/sshd_config
|
|
||||||
--- a/sshd_config
|
|
||||||
+++ b/sshd_config
|
|
||||||
@@ -101,6 +101,8 @@ GSSAPICleanupCredentials no
|
|
||||||
# If you just want the PAM account and session checks to run without
|
|
||||||
# PAM authentication, then enable this but set PasswordAuthentication
|
|
||||||
# and ChallengeResponseAuthentication to 'no'.
|
|
||||||
+# WARNING: 'UsePAM no' is not supported in RHEL and may cause several
|
|
||||||
+# problems.
|
|
||||||
UsePAM yes
|
|
||||||
|
|
||||||
#AllowAgentForwarding yes
|
|
@ -1,42 +0,0 @@
|
|||||||
diff -up openssh-7.9p1/contrib/ssh-copy-id.ssh-copy-id openssh-7.9p1/contrib/ssh-copy-id
|
|
||||||
--- openssh-7.9p1/contrib/ssh-copy-id.ssh-copy-id 2018-10-17 02:01:20.000000000 +0200
|
|
||||||
+++ openssh-7.9p1/contrib/ssh-copy-id 2019-01-23 20:49:30.513393667 +0100
|
|
||||||
@@ -112,7 +112,8 @@ do
|
|
||||||
usage
|
|
||||||
}
|
|
||||||
|
|
||||||
- OPT= OPTARG=
|
|
||||||
+ OPT=
|
|
||||||
+ OPTARG=
|
|
||||||
# implement something like getopt to avoid Solaris pain
|
|
||||||
case "$1" in
|
|
||||||
-i?*|-o?*|-p?*)
|
|
||||||
@@ -185,8 +185,8 @@
|
|
||||||
usage
|
|
||||||
fi
|
|
||||||
|
|
||||||
-# drop trailing colon
|
|
||||||
-USER_HOST=$(printf "%s\n" "$1" | sed 's/:$//')
|
|
||||||
+# don't drop trailing colon because it can be a valid ipv6 address
|
|
||||||
+USER_HOST=$(printf "%s\n" "$1")
|
|
||||||
# tack the hostname onto SSH_OPTS
|
|
||||||
SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }'$(quote "$USER_HOST")'"
|
|
||||||
# and populate "$@" for later use (only way to get proper quoting of options)
|
|
||||||
@@ -261,7 +262,7 @@ populate_new_ids() {
|
|
||||||
fi
|
|
||||||
if [ -z "$NEW_IDS" ] ; then
|
|
||||||
printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n' "$0" >&2
|
|
||||||
- printf '\t\t(if you think this is a mistake, you may want to use -f option)\n\n' "$0" >&2
|
|
||||||
+ printf '\t\t(if you think this is a mistake, you may want to use -f option)\n\n' >&2
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2
|
|
||||||
@@ -296,7 +297,7 @@ case "$REMOTE_VERSION" in
|
|
||||||
# in ssh below - to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
|
|
||||||
# 'cd' to be at $HOME; add a newline if it's missing; and all on one line, because tcsh.
|
|
||||||
[ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | \
|
|
||||||
- ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && { [ -z "'`tail -1c .ssh/authorized_keys 2>/dev/null`'" ] || echo >> .ssh/authorized_keys ; } && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \
|
|
||||||
+ ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && { [ -z "'`tail -1c .ssh/authorized_keys 2>/dev/null`'" ] || echo >> .ssh/authorized_keys || exit 1; } && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \
|
|
||||||
|| exit 1
|
|
||||||
ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l)
|
|
||||||
;;
|
|
@ -1,20 +0,0 @@
|
|||||||
diff --git a/sftp.c b/sftp.c
|
|
||||||
index b66037f1..54538ff9 100644
|
|
||||||
--- a/sftp.c
|
|
||||||
+++ b/sftp.c
|
|
||||||
@@ -220,9 +220,12 @@ static const struct CMD cmds[] = {
|
|
||||||
static void
|
|
||||||
killchild(int signo)
|
|
||||||
{
|
|
||||||
- if (sshpid > 1) {
|
|
||||||
- kill(sshpid, SIGTERM);
|
|
||||||
- waitpid(sshpid, NULL, 0);
|
|
||||||
+ pid_t pid;
|
|
||||||
+
|
|
||||||
+ pid = sshpid;
|
|
||||||
+ if (pid > 1) {
|
|
||||||
+ kill(pid, SIGTERM);
|
|
||||||
+ (void)waitpid(pid, NULL, 0);
|
|
||||||
}
|
|
||||||
|
|
||||||
_exit(1);
|
|
@ -1,13 +0,0 @@
|
|||||||
diff --git a/msg.c b/msg.c
|
|
||||||
index 99c25cd2..574a566e 100644
|
|
||||||
--- a/msg.c
|
|
||||||
+++ b/msg.c
|
|
||||||
@@ -77,7 +77,7 @@ ssh_msg_recv(int fd, struct sshbuf *m)
|
|
||||||
return (-1);
|
|
||||||
}
|
|
||||||
msg_len = get_u32(buf);
|
|
||||||
- if (msg_len > 256 * 1024) {
|
|
||||||
+ if (msg_len > sshbuf_max_size(m)) {
|
|
||||||
error("ssh_msg_recv: read: bad msg_len %u", msg_len);
|
|
||||||
return (-1);
|
|
||||||
}
|
|
@ -1,33 +0,0 @@
|
|||||||
diff -up openssh-8.0p1/channels.c.channel-limits openssh-8.0p1/channels.c
|
|
||||||
--- openssh-8.0p1/channels.c.channel-limits 2021-03-16 12:17:58.905576511 +0100
|
|
||||||
+++ openssh-8.0p1/channels.c 2021-03-16 12:17:58.925576667 +0100
|
|
||||||
@@ -354,6 +354,7 @@ channel_new(struct ssh *ssh, char *ctype
|
|
||||||
struct ssh_channels *sc = ssh->chanctxt;
|
|
||||||
u_int i, found;
|
|
||||||
Channel *c;
|
|
||||||
+ int r;
|
|
||||||
|
|
||||||
/* Try to find a free slot where to put the new channel. */
|
|
||||||
for (i = 0; i < sc->channels_alloc; i++) {
|
|
||||||
@@ -383,6 +384,8 @@ channel_new(struct ssh *ssh, char *ctype
|
|
||||||
(c->output = sshbuf_new()) == NULL ||
|
|
||||||
(c->extended = sshbuf_new()) == NULL)
|
|
||||||
fatal("%s: sshbuf_new failed", __func__);
|
|
||||||
+ if ((r = sshbuf_set_max_size(c->input, CHAN_INPUT_MAX)) != 0)
|
|
||||||
+ fatal("%s: sshbuf_set_max_size: %s", __func__, ssh_err(r));
|
|
||||||
c->ostate = CHAN_OUTPUT_OPEN;
|
|
||||||
c->istate = CHAN_INPUT_OPEN;
|
|
||||||
channel_register_fds(ssh, c, rfd, wfd, efd, extusage, nonblock, 0);
|
|
||||||
diff -up openssh-8.0p1/channels.h.channel-limits openssh-8.0p1/channels.h
|
|
||||||
--- openssh-8.0p1/channels.h.channel-limits 2021-03-16 12:17:58.868576223 +0100
|
|
||||||
+++ openssh-8.0p1/channels.h 2021-03-16 12:17:58.907576527 +0100
|
|
||||||
@@ -215,6 +215,9 @@ struct Channel {
|
|
||||||
/* Read buffer size */
|
|
||||||
#define CHAN_RBUF (16*1024)
|
|
||||||
|
|
||||||
+/* Maximum channel input buffer size */
|
|
||||||
+#define CHAN_INPUT_MAX (16*1024*1024)
|
|
||||||
+
|
|
||||||
/* Hard limit on number of channels */
|
|
||||||
#define CHANNELS_MAX_CHANNELS (16*1024)
|
|
||||||
|
|
@ -1,28 +0,0 @@
|
|||||||
diff --git a/serverloop.c b/serverloop.c
|
|
||||||
index e16eabe2..a8c99e2e 100644
|
|
||||||
--- a/serverloop.c
|
|
||||||
+++ b/serverloop.c
|
|
||||||
@@ -184,7 +184,8 @@ client_alive_check(struct ssh *ssh)
|
|
||||||
int r, channel_id;
|
|
||||||
|
|
||||||
/* timeout, check to see how many we have had */
|
|
||||||
- if (ssh_packet_inc_alive_timeouts(ssh) >
|
|
||||||
+ if (options.client_alive_count_max > 0 &&
|
|
||||||
+ ssh_packet_inc_alive_timeouts(ssh) >
|
|
||||||
options.client_alive_count_max) {
|
|
||||||
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
|
|
||||||
logit("Timeout, client not responding from %s", remote_id);
|
|
||||||
diff --git a/sshd_config.5 b/sshd_config.5
|
|
||||||
index d47cb0d2..2cddbd59 100644
|
|
||||||
--- a/sshd_config.5
|
|
||||||
+++ b/sshd_config.5
|
|
||||||
@@ -519,6 +519,9 @@ is set to 15, and
|
|
||||||
.Cm ClientAliveCountMax
|
|
||||||
is left at the default, unresponsive SSH clients
|
|
||||||
will be disconnected after approximately 45 seconds.
|
|
||||||
+Setting a zero
|
|
||||||
+.Cm ClientAliveCountMax
|
|
||||||
+disables connection termination.
|
|
||||||
.It Cm ClientAliveInterval
|
|
||||||
Sets a timeout interval in seconds after which if no data has been received
|
|
||||||
from the client,
|
|
@ -1,424 +0,0 @@
|
|||||||
diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5
|
|
||||||
--- openssh-8.0p1/ssh_config.5.crypto-policies 2020-03-24 17:32:54.821789205 +0100
|
|
||||||
+++ openssh-8.0p1/ssh_config.5 2020-03-24 17:59:58.174122920 +0100
|
|
||||||
@@ -357,17 +357,17 @@ or
|
|
||||||
.Qq *.c.example.com
|
|
||||||
domains.
|
|
||||||
.It Cm CASignatureAlgorithms
|
|
||||||
+The default is handled system-wide by
|
|
||||||
+.Xr crypto-policies 7 .
|
|
||||||
+To see the current defaults and how to modify them, see manual page
|
|
||||||
+.Xr update-crypto-policies 8 .
|
|
||||||
+.Pp
|
|
||||||
Specifies which algorithms are allowed for signing of certificates
|
|
||||||
by certificate authorities (CAs).
|
|
||||||
-The default is:
|
|
||||||
-.Bd -literal -offset indent
|
|
||||||
-ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
|
||||||
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
|
||||||
-.Ed
|
|
||||||
-.Pp
|
|
||||||
.Xr ssh 1
|
|
||||||
will not accept host certificates signed using algorithms other than those
|
|
||||||
specified.
|
|
||||||
+.Pp
|
|
||||||
.It Cm CertificateFile
|
|
||||||
Specifies a file from which the user's certificate is read.
|
|
||||||
A corresponding private key must be provided separately in order
|
|
||||||
@@ -420,16 +420,21 @@ If the option is set to
|
|
||||||
.Cm no ,
|
|
||||||
the check will not be executed.
|
|
||||||
.It Cm Ciphers
|
|
||||||
+The default is handled system-wide by
|
|
||||||
+.Xr crypto-policies 7 .
|
|
||||||
+To see the current defaults and how to modify them, see manual page
|
|
||||||
+.Xr update-crypto-policies 8 .
|
|
||||||
+.Pp
|
|
||||||
Specifies the ciphers allowed and their order of preference.
|
|
||||||
Multiple ciphers must be comma-separated.
|
|
||||||
If the specified value begins with a
|
|
||||||
.Sq +
|
|
||||||
-character, then the specified ciphers will be appended to the default set
|
|
||||||
+character, then the specified ciphers will be appended to the built-in default set
|
|
||||||
instead of replacing them.
|
|
||||||
If the specified value begins with a
|
|
||||||
.Sq -
|
|
||||||
character, then the specified ciphers (including wildcards) will be removed
|
|
||||||
-from the default set instead of replacing them.
|
|
||||||
+from the built-in default set instead of replacing them.
|
|
||||||
.Pp
|
|
||||||
The supported ciphers are:
|
|
||||||
.Bd -literal -offset indent
|
|
||||||
@@ -445,13 +450,6 @@ aes256-gcm@openssh.com
|
|
||||||
chacha20-poly1305@openssh.com
|
|
||||||
.Ed
|
|
||||||
.Pp
|
|
||||||
-The default is:
|
|
||||||
-.Bd -literal -offset indent
|
|
||||||
-chacha20-poly1305@openssh.com,
|
|
||||||
-aes128-ctr,aes192-ctr,aes256-ctr,
|
|
||||||
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
|
|
||||||
-.Ed
|
|
||||||
-.Pp
|
|
||||||
The list of available ciphers may also be obtained using
|
|
||||||
.Qq ssh -Q cipher .
|
|
||||||
.It Cm ClearAllForwardings
|
|
||||||
@@ -800,6 +798,11 @@ command line will be passed untouched to
|
|
||||||
The default is
|
|
||||||
.Dq no .
|
|
||||||
.It Cm GSSAPIKexAlgorithms
|
|
||||||
+The default is handled system-wide by
|
|
||||||
+.Xr crypto-policies 7 .
|
|
||||||
+To see the current defaults and how to modify them, see manual page
|
|
||||||
+.Xr update-crypto-policies 8 .
|
|
||||||
+.Pp
|
|
||||||
The list of key exchange algorithms that are offered for GSSAPI
|
|
||||||
key exchange. Possible values are
|
|
||||||
.Bd -literal -offset 3n
|
|
||||||
@@ -812,9 +815,8 @@ gss-nistp256-sha256-,
|
|
||||||
gss-curve25519-sha256-
|
|
||||||
.Ed
|
|
||||||
.Pp
|
|
||||||
-The default is
|
|
||||||
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
|
||||||
This option only applies to connections using GSSAPI.
|
|
||||||
+.Pp
|
|
||||||
.It Cm HashKnownHosts
|
|
||||||
Indicates that
|
|
||||||
.Xr ssh 1
|
|
||||||
@@ -1114,26 +1115,21 @@ it may be zero or more of:
|
|
||||||
and
|
|
||||||
.Cm pam .
|
|
||||||
.It Cm KexAlgorithms
|
|
||||||
+The default is handled system-wide by
|
|
||||||
+.Xr crypto-policies 7 .
|
|
||||||
+To see the current defaults and how to modify them, see manual page
|
|
||||||
+.Xr update-crypto-policies 8 .
|
|
||||||
+.Pp
|
|
||||||
Specifies the available KEX (Key Exchange) algorithms.
|
|
||||||
Multiple algorithms must be comma-separated.
|
|
||||||
Alternately if the specified value begins with a
|
|
||||||
.Sq +
|
|
||||||
-character, then the specified methods will be appended to the default set
|
|
||||||
+character, then the specified methods will be appended to the built-in default set
|
|
||||||
instead of replacing them.
|
|
||||||
If the specified value begins with a
|
|
||||||
.Sq -
|
|
||||||
character, then the specified methods (including wildcards) will be removed
|
|
||||||
-from the default set instead of replacing them.
|
|
||||||
-The default is:
|
|
||||||
-.Bd -literal -offset indent
|
|
||||||
-curve25519-sha256,curve25519-sha256@libssh.org,
|
|
||||||
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
|
||||||
-diffie-hellman-group-exchange-sha256,
|
|
||||||
-diffie-hellman-group16-sha512,
|
|
||||||
-diffie-hellman-group18-sha512,
|
|
||||||
-diffie-hellman-group14-sha256,
|
|
||||||
-diffie-hellman-group14-sha1
|
|
||||||
-.Ed
|
|
||||||
+from the built-in default set instead of replacing them.
|
|
||||||
.Pp
|
|
||||||
The list of available key exchange algorithms may also be obtained using
|
|
||||||
.Qq ssh -Q kex .
|
|
||||||
@@ -1193,33 +1189,29 @@ The default is INFO.
|
|
||||||
DEBUG and DEBUG1 are equivalent.
|
|
||||||
DEBUG2 and DEBUG3 each specify higher levels of verbose output.
|
|
||||||
.It Cm MACs
|
|
||||||
+The default is handled system-wide by
|
|
||||||
+.Xr crypto-policies 7 .
|
|
||||||
+To see the current defaults and how to modify them, see manual page
|
|
||||||
+.Xr update-crypto-policies 8 .
|
|
||||||
+.Pp
|
|
||||||
Specifies the MAC (message authentication code) algorithms
|
|
||||||
in order of preference.
|
|
||||||
The MAC algorithm is used for data integrity protection.
|
|
||||||
Multiple algorithms must be comma-separated.
|
|
||||||
If the specified value begins with a
|
|
||||||
.Sq +
|
|
||||||
-character, then the specified algorithms will be appended to the default set
|
|
||||||
+character, then the specified algorithms will be appended to the built-in default set
|
|
||||||
instead of replacing them.
|
|
||||||
If the specified value begins with a
|
|
||||||
.Sq -
|
|
||||||
character, then the specified algorithms (including wildcards) will be removed
|
|
||||||
-from the default set instead of replacing them.
|
|
||||||
+from the built-in default set instead of replacing them.
|
|
||||||
.Pp
|
|
||||||
The algorithms that contain
|
|
||||||
.Qq -etm
|
|
||||||
calculate the MAC after encryption (encrypt-then-mac).
|
|
||||||
These are considered safer and their use recommended.
|
|
||||||
.Pp
|
|
||||||
-The default is:
|
|
||||||
-.Bd -literal -offset indent
|
|
||||||
-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
|
|
||||||
-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
|
|
||||||
-hmac-sha1-etm@openssh.com,
|
|
||||||
-umac-64@openssh.com,umac-128@openssh.com,
|
|
||||||
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
|
|
||||||
-.Ed
|
|
||||||
-.Pp
|
|
||||||
The list of available MAC algorithms may also be obtained using
|
|
||||||
.Qq ssh -Q mac .
|
|
||||||
.It Cm NoHostAuthenticationForLocalhost
|
|
||||||
@@ -1352,27 +1344,21 @@ instead of continuing to execute and pas
|
|
||||||
The default is
|
|
||||||
.Cm no .
|
|
||||||
.It Cm PubkeyAcceptedKeyTypes
|
|
||||||
+The default is handled system-wide by
|
|
||||||
+.Xr crypto-policies 7 .
|
|
||||||
+To see the current defaults and how to modify them, see manual page
|
|
||||||
+.Xr update-crypto-policies 8 .
|
|
||||||
+.Pp
|
|
||||||
Specifies the key types that will be used for public key authentication
|
|
||||||
as a comma-separated list of patterns.
|
|
||||||
Alternately if the specified value begins with a
|
|
||||||
.Sq +
|
|
||||||
-character, then the key types after it will be appended to the default
|
|
||||||
+character, then the key types after it will be appended to the built-in default
|
|
||||||
instead of replacing it.
|
|
||||||
If the specified value begins with a
|
|
||||||
.Sq -
|
|
||||||
character, then the specified key types (including wildcards) will be removed
|
|
||||||
-from the default set instead of replacing them.
|
|
||||||
-The default for this option is:
|
|
||||||
-.Bd -literal -offset 3n
|
|
||||||
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
|
||||||
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
|
||||||
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
|
||||||
-ssh-ed25519-cert-v01@openssh.com,
|
|
||||||
-rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
|
|
||||||
-ssh-rsa-cert-v01@openssh.com,
|
|
||||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
|
||||||
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
|
||||||
-.Ed
|
|
||||||
+from the built-in default set instead of replacing them.
|
|
||||||
.Pp
|
|
||||||
The list of available key types may also be obtained using
|
|
||||||
.Qq ssh -Q key .
|
|
||||||
diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5
|
|
||||||
--- openssh-8.0p1/sshd_config.5.crypto-policies 2020-03-24 17:32:54.802788908 +0100
|
|
||||||
+++ openssh-8.0p1/sshd_config.5 2020-03-24 17:54:13.347740176 +0100
|
|
||||||
@@ -383,16 +383,16 @@ If the argument is
|
|
||||||
then no banner is displayed.
|
|
||||||
By default, no banner is displayed.
|
|
||||||
.It Cm CASignatureAlgorithms
|
|
||||||
+The default is handled system-wide by
|
|
||||||
+.Xr crypto-policies 7 .
|
|
||||||
+To see the current defaults and how to modify them, see manual page
|
|
||||||
+.Xr update-crypto-policies 8 .
|
|
||||||
+.Pp
|
|
||||||
Specifies which algorithms are allowed for signing of certificates
|
|
||||||
by certificate authorities (CAs).
|
|
||||||
-The default is:
|
|
||||||
-.Bd -literal -offset indent
|
|
||||||
-ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
|
||||||
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
|
||||||
-.Ed
|
|
||||||
-.Pp
|
|
||||||
Certificates signed using other algorithms will not be accepted for
|
|
||||||
public key or host-based authentication.
|
|
||||||
+.Pp
|
|
||||||
.It Cm ChallengeResponseAuthentication
|
|
||||||
Specifies whether challenge-response authentication is allowed (e.g. via
|
|
||||||
PAM or through authentication styles supported in
|
|
||||||
@@ -454,16 +454,21 @@ The default is
|
|
||||||
indicating not to
|
|
||||||
.Xr chroot 2 .
|
|
||||||
.It Cm Ciphers
|
|
||||||
+The default is handled system-wide by
|
|
||||||
+.Xr crypto-policies 7 .
|
|
||||||
+To see the current defaults and how to modify them, see manual page
|
|
||||||
+.Xr update-crypto-policies 8 .
|
|
||||||
+.Pp
|
|
||||||
Specifies the ciphers allowed.
|
|
||||||
Multiple ciphers must be comma-separated.
|
|
||||||
If the specified value begins with a
|
|
||||||
.Sq +
|
|
||||||
-character, then the specified ciphers will be appended to the default set
|
|
||||||
+character, then the specified ciphers will be appended to the built-in default set
|
|
||||||
instead of replacing them.
|
|
||||||
If the specified value begins with a
|
|
||||||
.Sq -
|
|
||||||
character, then the specified ciphers (including wildcards) will be removed
|
|
||||||
-from the default set instead of replacing them.
|
|
||||||
+from the built-in default set instead of replacing them.
|
|
||||||
.Pp
|
|
||||||
The supported ciphers are:
|
|
||||||
.Pp
|
|
||||||
@@ -490,13 +495,6 @@ aes256-gcm@openssh.com
|
|
||||||
chacha20-poly1305@openssh.com
|
|
||||||
.El
|
|
||||||
.Pp
|
|
||||||
-The default is:
|
|
||||||
-.Bd -literal -offset indent
|
|
||||||
-chacha20-poly1305@openssh.com,
|
|
||||||
-aes128-ctr,aes192-ctr,aes256-ctr,
|
|
||||||
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
|
|
||||||
-.Ed
|
|
||||||
-.Pp
|
|
||||||
The list of available ciphers may also be obtained using
|
|
||||||
.Qq ssh -Q cipher .
|
|
||||||
.It Cm ClientAliveCountMax
|
|
||||||
@@ -688,6 +686,11 @@ For this to work
|
|
||||||
.Cm GSSAPIKeyExchange
|
|
||||||
needs to be enabled in the server and also used by the client.
|
|
||||||
.It Cm GSSAPIKexAlgorithms
|
|
||||||
+The default is handled system-wide by
|
|
||||||
+.Xr crypto-policies 7 .
|
|
||||||
+To see the current defaults and how to modify them, see manual page
|
|
||||||
+.Xr update-crypto-policies 8 .
|
|
||||||
+.Pp
|
|
||||||
The list of key exchange algorithms that are accepted by GSSAPI
|
|
||||||
key exchange. Possible values are
|
|
||||||
.Bd -literal -offset 3n
|
|
||||||
@@ -700,8 +703,6 @@ gss-nistp256-sha256-,
|
|
||||||
gss-curve25519-sha256-
|
|
||||||
.Ed
|
|
||||||
.Pp
|
|
||||||
-The default is
|
|
||||||
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
|
||||||
This option only applies to connections using GSSAPI.
|
|
||||||
.It Cm HostbasedAcceptedKeyTypes
|
|
||||||
Specifies the key types that will be accepted for hostbased authentication
|
|
||||||
@@ -791,19 +791,13 @@ is specified, the location of the socket
|
|
||||||
.Ev SSH_AUTH_SOCK
|
|
||||||
environment variable.
|
|
||||||
.It Cm HostKeyAlgorithms
|
|
||||||
+The default is handled system-wide by
|
|
||||||
+.Xr crypto-policies 7 .
|
|
||||||
+To see the current defaults and how to modify them, see manual page
|
|
||||||
+.Xr update-crypto-policies 8 .
|
|
||||||
+.Pp
|
|
||||||
Specifies the host key algorithms
|
|
||||||
that the server offers.
|
|
||||||
-The default for this option is:
|
|
||||||
-.Bd -literal -offset 3n
|
|
||||||
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
|
||||||
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
|
||||||
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
|
||||||
-ssh-ed25519-cert-v01@openssh.com,
|
|
||||||
-rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
|
|
||||||
-ssh-rsa-cert-v01@openssh.com,
|
|
||||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
|
||||||
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
|
||||||
-.Ed
|
|
||||||
.Pp
|
|
||||||
The list of available key types may also be obtained using
|
|
||||||
.Qq ssh -Q key .
|
|
||||||
@@ -922,16 +916,21 @@ Specifies whether to look at .k5login fi
|
|
||||||
The default is
|
|
||||||
.Cm yes .
|
|
||||||
.It Cm KexAlgorithms
|
|
||||||
+The default is handled system-wide by
|
|
||||||
+.Xr crypto-policies 7 .
|
|
||||||
+To see the current defaults and how to modify them, see manual page
|
|
||||||
+.Xr update-crypto-policies 8 .
|
|
||||||
+.Pp
|
|
||||||
Specifies the available KEX (Key Exchange) algorithms.
|
|
||||||
Multiple algorithms must be comma-separated.
|
|
||||||
Alternately if the specified value begins with a
|
|
||||||
.Sq +
|
|
||||||
-character, then the specified methods will be appended to the default set
|
|
||||||
+character, then the specified methods will be appended to the built-in default set
|
|
||||||
instead of replacing them.
|
|
||||||
If the specified value begins with a
|
|
||||||
.Sq -
|
|
||||||
character, then the specified methods (including wildcards) will be removed
|
|
||||||
-from the default set instead of replacing them.
|
|
||||||
+from the built-in default set instead of replacing them.
|
|
||||||
The supported algorithms are:
|
|
||||||
.Pp
|
|
||||||
.Bl -item -compact -offset indent
|
|
||||||
@@ -961,15 +960,6 @@ ecdh-sha2-nistp384
|
|
||||||
ecdh-sha2-nistp521
|
|
||||||
.El
|
|
||||||
.Pp
|
|
||||||
-The default is:
|
|
||||||
-.Bd -literal -offset indent
|
|
||||||
-curve25519-sha256,curve25519-sha256@libssh.org,
|
|
||||||
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
|
||||||
-diffie-hellman-group-exchange-sha256,
|
|
||||||
-diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
|
|
||||||
-diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
|
|
||||||
-.Ed
|
|
||||||
-.Pp
|
|
||||||
The list of available key exchange algorithms may also be obtained using
|
|
||||||
.Qq ssh -Q kex .
|
|
||||||
.It Cm ListenAddress
|
|
||||||
@@ -1038,17 +1028,22 @@ DEBUG and DEBUG1 are equivalent.
|
|
||||||
DEBUG2 and DEBUG3 each specify higher levels of debugging output.
|
|
||||||
Logging with a DEBUG level violates the privacy of users and is not recommended.
|
|
||||||
.It Cm MACs
|
|
||||||
+The default is handled system-wide by
|
|
||||||
+.Xr crypto-policies 7 .
|
|
||||||
+To see the current defaults and how to modify them, see manual page
|
|
||||||
+.Xr update-crypto-policies 8 .
|
|
||||||
+.Pp
|
|
||||||
Specifies the available MAC (message authentication code) algorithms.
|
|
||||||
The MAC algorithm is used for data integrity protection.
|
|
||||||
Multiple algorithms must be comma-separated.
|
|
||||||
If the specified value begins with a
|
|
||||||
.Sq +
|
|
||||||
-character, then the specified algorithms will be appended to the default set
|
|
||||||
+character, then the specified algorithms will be appended to the built-in default set
|
|
||||||
instead of replacing them.
|
|
||||||
If the specified value begins with a
|
|
||||||
.Sq -
|
|
||||||
character, then the specified algorithms (including wildcards) will be removed
|
|
||||||
-from the default set instead of replacing them.
|
|
||||||
+from the built-in default set instead of replacing them.
|
|
||||||
.Pp
|
|
||||||
The algorithms that contain
|
|
||||||
.Qq -etm
|
|
||||||
@@ -1091,15 +1086,6 @@ umac-64-etm@openssh.com
|
|
||||||
umac-128-etm@openssh.com
|
|
||||||
.El
|
|
||||||
.Pp
|
|
||||||
-The default is:
|
|
||||||
-.Bd -literal -offset indent
|
|
||||||
-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
|
|
||||||
-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
|
|
||||||
-hmac-sha1-etm@openssh.com,
|
|
||||||
-umac-64@openssh.com,umac-128@openssh.com,
|
|
||||||
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
|
|
||||||
-.Ed
|
|
||||||
-.Pp
|
|
||||||
The list of available MAC algorithms may also be obtained using
|
|
||||||
.Qq ssh -Q mac .
|
|
||||||
.It Cm Match
|
|
||||||
@@ -1446,27 +1432,21 @@ or equivalent.)
|
|
||||||
The default is
|
|
||||||
.Cm yes .
|
|
||||||
.It Cm PubkeyAcceptedKeyTypes
|
|
||||||
+The default is handled system-wide by
|
|
||||||
+.Xr crypto-policies 7 .
|
|
||||||
+To see the current defaults and how to modify them, see manual page
|
|
||||||
+.Xr update-crypto-policies 8 .
|
|
||||||
+.Pp
|
|
||||||
Specifies the key types that will be accepted for public key authentication
|
|
||||||
as a list of comma-separated patterns.
|
|
||||||
Alternately if the specified value begins with a
|
|
||||||
.Sq +
|
|
||||||
-character, then the specified key types will be appended to the default set
|
|
||||||
+character, then the specified key types will be appended to the built-in default set
|
|
||||||
instead of replacing them.
|
|
||||||
If the specified value begins with a
|
|
||||||
.Sq -
|
|
||||||
character, then the specified key types (including wildcards) will be removed
|
|
||||||
-from the default set instead of replacing them.
|
|
||||||
-The default for this option is:
|
|
||||||
-.Bd -literal -offset 3n
|
|
||||||
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
|
||||||
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
|
||||||
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
|
||||||
-ssh-ed25519-cert-v01@openssh.com,
|
|
||||||
-rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
|
|
||||||
-ssh-rsa-cert-v01@openssh.com,
|
|
||||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
|
||||||
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
|
||||||
-.Ed
|
|
||||||
+from the built-in default set instead of replacing them.
|
|
||||||
.Pp
|
|
||||||
The list of available key types may also be obtained using
|
|
||||||
.Qq ssh -Q key .
|
|
@ -1,25 +0,0 @@
|
|||||||
diff --color -ru a/sshd.8 b/sshd.8
|
|
||||||
--- a/sshd.8 2022-05-31 13:39:10.231843926 +0200
|
|
||||||
+++ b/sshd.8 2022-05-31 14:34:01.460815420 +0200
|
|
||||||
@@ -78,6 +78,7 @@
|
|
||||||
.Xr sshd_config 5 ) ;
|
|
||||||
command-line options override values specified in the
|
|
||||||
configuration file.
|
|
||||||
+This mechanism is used by systemd to apply system-wide crypto-policies to ssh server.
|
|
||||||
.Nm
|
|
||||||
rereads its configuration file when it receives a hangup signal,
|
|
||||||
.Dv SIGHUP ,
|
|
||||||
@@ -207,6 +208,13 @@
|
|
||||||
rules may be applied by specifying the connection parameters using one or more
|
|
||||||
.Fl C
|
|
||||||
options.
|
|
||||||
+The configuration does not contain the system-wide crypto-policy configuration.
|
|
||||||
+To show the most accurate runtime configuration, use:
|
|
||||||
+.Bd -literal -offset 3n
|
|
||||||
+source /etc/crypto-policies/back-ends/opensshserver.config
|
|
||||||
+source /etc/sysconfig/sshd
|
|
||||||
+sshd -T $OPTIONS $CRYPTO_POLICY
|
|
||||||
+.Ed
|
|
||||||
.It Fl t
|
|
||||||
Test mode.
|
|
||||||
Only check the validity of the configuration file and sanity of the keys.
|
|
@ -1,127 +0,0 @@
|
|||||||
diff -up openssh-8.0p1/hostfile.c.cve-2020-14145 openssh-8.0p1/hostfile.c
|
|
||||||
--- openssh-8.0p1/hostfile.c.cve-2020-14145 2019-04-18 00:52:57.000000000 +0200
|
|
||||||
+++ openssh-8.0p1/hostfile.c 2021-05-17 16:53:38.694577251 +0200
|
|
||||||
@@ -409,6 +409,18 @@ lookup_key_in_hostkeys_by_type(struct ho
|
|
||||||
found) == HOST_FOUND);
|
|
||||||
}
|
|
||||||
|
|
||||||
+int
|
|
||||||
+lookup_marker_in_hostkeys(struct hostkeys *hostkeys, int want_marker)
|
|
||||||
+{
|
|
||||||
+ u_int i;
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < hostkeys->num_entries; i++) {
|
|
||||||
+ if (hostkeys->entries[i].marker == (HostkeyMarker)want_marker)
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static int
|
|
||||||
write_host_entry(FILE *f, const char *host, const char *ip,
|
|
||||||
const struct sshkey *key, int store_hash)
|
|
||||||
diff -up openssh-8.0p1/hostfile.h.cve-2020-14145 openssh-8.0p1/hostfile.h
|
|
||||||
--- openssh-8.0p1/hostfile.h.cve-2020-14145 2019-04-18 00:52:57.000000000 +0200
|
|
||||||
+++ openssh-8.0p1/hostfile.h 2021-05-17 16:53:38.694577251 +0200
|
|
||||||
@@ -39,6 +39,7 @@ HostStatus check_key_in_hostkeys(struct
|
|
||||||
const struct hostkey_entry **);
|
|
||||||
int lookup_key_in_hostkeys_by_type(struct hostkeys *, int,
|
|
||||||
const struct hostkey_entry **);
|
|
||||||
+int lookup_marker_in_hostkeys(struct hostkeys *, int);
|
|
||||||
|
|
||||||
int hostfile_read_key(char **, u_int *, struct sshkey *);
|
|
||||||
int add_host_to_hostfile(const char *, const char *,
|
|
||||||
diff -up openssh-8.0p1/sshconnect2.c.cve-2020-14145 openssh-8.0p1/sshconnect2.c
|
|
||||||
--- openssh-8.0p1/sshconnect2.c.cve-2020-14145 2021-05-17 16:53:38.610576561 +0200
|
|
||||||
+++ openssh-8.0p1/sshconnect2.c 2021-05-17 16:54:58.169230103 +0200
|
|
||||||
@@ -98,12 +98,25 @@ verify_host_key_callback(struct sshkey *
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+/* Returns the first item from a comma-separated algorithm list */
|
|
||||||
+static char *
|
|
||||||
+first_alg(const char *algs)
|
|
||||||
+{
|
|
||||||
+ char *ret, *cp;
|
|
||||||
+
|
|
||||||
+ ret = xstrdup(algs);
|
|
||||||
+ if ((cp = strchr(ret, ',')) != NULL)
|
|
||||||
+ *cp = '\0';
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static char *
|
|
||||||
order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
|
|
||||||
{
|
|
||||||
- char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
|
|
||||||
+ char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL;
|
|
||||||
+ char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL;
|
|
||||||
size_t maxlen;
|
|
||||||
- struct hostkeys *hostkeys;
|
|
||||||
+ struct hostkeys *hostkeys = NULL;
|
|
||||||
int ktype;
|
|
||||||
u_int i;
|
|
||||||
|
|
||||||
@@ -115,6 +128,26 @@ order_hostkeyalgs(char *host, struct soc
|
|
||||||
for (i = 0; i < options.num_system_hostfiles; i++)
|
|
||||||
load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
|
|
||||||
|
|
||||||
+ /*
|
|
||||||
+ * If a plain public key exists that matches the type of the best
|
|
||||||
+ * preference HostkeyAlgorithms, then use the whole list as is.
|
|
||||||
+ * Note that we ignore whether the best preference algorithm is a
|
|
||||||
+ * certificate type, as sshconnect.c will downgrade certs to
|
|
||||||
+ * plain keys if necessary.
|
|
||||||
+ */
|
|
||||||
+ best = first_alg(options.hostkeyalgorithms);
|
|
||||||
+ if (lookup_key_in_hostkeys_by_type(hostkeys,
|
|
||||||
+ sshkey_type_plain(sshkey_type_from_name(best)), NULL)) {
|
|
||||||
+ debug3("%s: have matching best-preference key type %s, "
|
|
||||||
+ "using HostkeyAlgorithms verbatim", __func__, best);
|
|
||||||
+ ret = xstrdup(options.hostkeyalgorithms);
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Otherwise, prefer the host key algorithms that match known keys
|
|
||||||
+ * while keeping the ordering of HostkeyAlgorithms as much as possible.
|
|
||||||
+ */
|
|
||||||
oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
|
|
||||||
maxlen = strlen(avail) + 1;
|
|
||||||
first = xmalloc(maxlen);
|
|
||||||
@@ -131,11 +164,23 @@ order_hostkeyalgs(char *host, struct soc
|
|
||||||
while ((alg = strsep(&avail, ",")) && *alg != '\0') {
|
|
||||||
if ((ktype = sshkey_type_from_name(alg)) == KEY_UNSPEC)
|
|
||||||
fatal("%s: unknown alg %s", __func__, alg);
|
|
||||||
+ /*
|
|
||||||
+ * If we have a @cert-authority marker in known_hosts then
|
|
||||||
+ * prefer all certificate algorithms.
|
|
||||||
+ */
|
|
||||||
+ if (sshkey_type_is_cert(ktype) &&
|
|
||||||
+ lookup_marker_in_hostkeys(hostkeys, MRK_CA)) {
|
|
||||||
+ ALG_APPEND(first, alg);
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+ /* If the key appears in known_hosts then prefer it */
|
|
||||||
if (lookup_key_in_hostkeys_by_type(hostkeys,
|
|
||||||
- sshkey_type_plain(ktype), NULL))
|
|
||||||
+ sshkey_type_plain(ktype), NULL)) {
|
|
||||||
ALG_APPEND(first, alg);
|
|
||||||
- else
|
|
||||||
- ALG_APPEND(last, alg);
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+ /* Otherwise, put it last */
|
|
||||||
+ ALG_APPEND(last, alg);
|
|
||||||
}
|
|
||||||
#undef ALG_APPEND
|
|
||||||
xasprintf(&ret, "%s%s%s", first,
|
|
||||||
@@ -143,6 +188,8 @@ order_hostkeyalgs(char *host, struct soc
|
|
||||||
if (*first != '\0')
|
|
||||||
debug3("%s: prefer hostkeyalgs: %s", __func__, first);
|
|
||||||
|
|
||||||
+ out:
|
|
||||||
+ free(best);
|
|
||||||
free(first);
|
|
||||||
free(last);
|
|
||||||
free(hostname);
|
|
@ -1,302 +0,0 @@
|
|||||||
diff --git a/entropy.c b/entropy.c
|
|
||||||
index 2d483b3..b361a04 100644
|
|
||||||
--- a/entropy.c
|
|
||||||
+++ b/entropy.c
|
|
||||||
@@ -234,6 +234,9 @@ seed_rng(void)
|
|
||||||
}
|
|
||||||
#endif /* OPENSSL_PRNG_ONLY */
|
|
||||||
|
|
||||||
+#ifdef __linux__
|
|
||||||
+ linux_seed();
|
|
||||||
+#endif /* __linux__ */
|
|
||||||
if (RAND_status() != 1)
|
|
||||||
fatal("PRNG is not seeded");
|
|
||||||
|
|
||||||
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
|
|
||||||
index b912dbe..9206337 100644
|
|
||||||
--- a/openbsd-compat/Makefile.in
|
|
||||||
+++ b/openbsd-compat/Makefile.in
|
|
||||||
@@ -20,6 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di
|
|
||||||
port-solaris.o \
|
|
||||||
port-net.o \
|
|
||||||
port-uw.o \
|
|
||||||
+ port-linux-prng.o \
|
|
||||||
port-linux-sshd.o
|
|
||||||
|
|
||||||
.c.o:
|
|
||||||
diff -up openssh-7.4p1/openbsd-compat/port-linux.h.entropy openssh-7.4p1/openbsd-compat/port-linux.h
|
|
||||||
--- openssh-7.4p1/openbsd-compat/port-linux.h.entropy 2016-12-23 18:34:27.747753563 +0100
|
|
||||||
+++ openssh-7.4p1/openbsd-compat/port-linux.h 2016-12-23 18:34:27.769753570 +0100
|
|
||||||
@@ -34,4 +34,6 @@ void oom_adjust_restore(void);
|
|
||||||
void oom_adjust_setup(void);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+void linux_seed(void);
|
|
||||||
+
|
|
||||||
#endif /* ! _PORT_LINUX_H */
|
|
||||||
diff --git a/openbsd-compat/port-linux-prng.c b/openbsd-compat/port-linux-prng.c
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..92a617c
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/openbsd-compat/port-linux-prng.c
|
|
||||||
@@ -0,0 +1,78 @@
|
|
||||||
+/*
|
|
||||||
+ * Copyright (c) 2011 - 2020 Red Hat, Inc.
|
|
||||||
+ *
|
|
||||||
+ * Authors:
|
|
||||||
+ * Jan F. Chadima <jchadima@redhat.com>
|
|
||||||
+ * Jakub Jelen <jjelen@redhat.com>
|
|
||||||
+ *
|
|
||||||
+ * Permission to use, copy, modify, and distribute this software for any
|
|
||||||
+ * purpose with or without fee is hereby granted, provided that the above
|
|
||||||
+ * copyright notice and this permission notice appear in all copies.
|
|
||||||
+ *
|
|
||||||
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
||||||
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
||||||
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
||||||
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
||||||
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
||||||
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
||||||
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Linux-specific portability code - prng support
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#include "includes.h"
|
|
||||||
+
|
|
||||||
+#include <errno.h>
|
|
||||||
+#include <string.h>
|
|
||||||
+#include <openssl/rand.h>
|
|
||||||
+#include <sys/random.h>
|
|
||||||
+
|
|
||||||
+#include "log.h"
|
|
||||||
+
|
|
||||||
+void
|
|
||||||
+linux_seed(void)
|
|
||||||
+{
|
|
||||||
+ char *env = NULL;
|
|
||||||
+ size_t randlen = 14, left;
|
|
||||||
+ unsigned int flags = 0;
|
|
||||||
+ unsigned char buf[256], *p;
|
|
||||||
+
|
|
||||||
+ env = getenv("SSH_USE_STRONG_RNG");
|
|
||||||
+ if (env && strcmp(env, "0") != 0) {
|
|
||||||
+ size_t ienv = atoi(env);
|
|
||||||
+
|
|
||||||
+ /* Max on buffer length */
|
|
||||||
+ if (ienv > sizeof(buf))
|
|
||||||
+ ienv = sizeof(buf);
|
|
||||||
+ /* Minimum is always 14 B */
|
|
||||||
+ if (ienv > randlen)
|
|
||||||
+ randlen = ienv;
|
|
||||||
+ flags = GRND_RANDOM;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ errno = 0;
|
|
||||||
+ left = randlen;
|
|
||||||
+ p = buf;
|
|
||||||
+ do {
|
|
||||||
+ ssize_t len = getrandom(p, left, flags);
|
|
||||||
+ if (len == -1) {
|
|
||||||
+ if (errno != EINTR) {
|
|
||||||
+ if (flags) {
|
|
||||||
+ /* With the variable present, this is fatal error */
|
|
||||||
+ fatal("Failed to seed from getrandom: %s", strerror(errno));
|
|
||||||
+ } else {
|
|
||||||
+ /* Otherwise we log the issue drop out from here */
|
|
||||||
+ debug("Failed to seed from getrandom: %s", strerror(errno));
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ } else if (len > 0) {
|
|
||||||
+ left -= len;
|
|
||||||
+ p += len;
|
|
||||||
+ }
|
|
||||||
+ } while (left > 0);
|
|
||||||
+
|
|
||||||
+ RAND_seed(buf, randlen);
|
|
||||||
+}
|
|
||||||
diff --git a/ssh-add.1 b/ssh-add.1
|
|
||||||
index 4812448..16305bf 100644
|
|
||||||
--- a/ssh-add.1
|
|
||||||
+++ b/ssh-add.1
|
|
||||||
@@ -161,6 +161,22 @@ to make this work.)
|
|
||||||
Identifies the path of a
|
|
||||||
.Ux Ns -domain
|
|
||||||
socket used to communicate with the agent.
|
|
||||||
+.It Ev SSH_USE_STRONG_RNG
|
|
||||||
+The reseeding of the OpenSSL random generator is usually done from
|
|
||||||
+.Cm getrandom(1)
|
|
||||||
+without any specific flags.
|
|
||||||
+If the
|
|
||||||
+.Cm SSH_USE_STRONG_RNG
|
|
||||||
+environment variable is set to value other than
|
|
||||||
+.Cm 0
|
|
||||||
+the OpenSSL random generator is reseeded from
|
|
||||||
+.Cm getrandom(1)
|
|
||||||
+with GRND_RANDOM flag specified.
|
|
||||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
|
||||||
+Minimum is 14 bytes.
|
|
||||||
+This setting is not recommended on the computers without the hardware
|
|
||||||
+random generator because insufficient entropy causes the connection to
|
|
||||||
+be blocked until enough entropy is available.
|
|
||||||
.El
|
|
||||||
.Sh FILES
|
|
||||||
.Bl -tag -width Ds
|
|
||||||
diff --git a/ssh-agent.1 b/ssh-agent.1
|
|
||||||
index 281ecbd..1a9a635 100644
|
|
||||||
--- a/ssh-agent.1
|
|
||||||
+++ b/ssh-agent.1
|
|
||||||
@@ -201,6 +201,26 @@ sockets used to contain the connection to the authentication agent.
|
|
||||||
These sockets should only be readable by the owner.
|
|
||||||
The sockets should get automatically removed when the agent exits.
|
|
||||||
.El
|
|
||||||
+.Sh ENVIRONMENT
|
|
||||||
+.Bl -tag -width Ds -compact
|
|
||||||
+.Pp
|
|
||||||
+.It Pa SSH_USE_STRONG_RNG
|
|
||||||
+The reseeding of the OpenSSL random generator is usually done from
|
|
||||||
+.Cm getrandom(1)
|
|
||||||
+without any specific flags.
|
|
||||||
+If the
|
|
||||||
+.Cm SSH_USE_STRONG_RNG
|
|
||||||
+environment variable is set to value other than
|
|
||||||
+.Cm 0
|
|
||||||
+the OpenSSL random generator is reseeded from
|
|
||||||
+.Cm getrandom(1)
|
|
||||||
+with GRND_RANDOM flag specified.
|
|
||||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
|
||||||
+Minimum is 14 bytes.
|
|
||||||
+This setting is not recommended on the computers without the hardware
|
|
||||||
+random generator because insufficient entropy causes the connection to
|
|
||||||
+be blocked until enough entropy is available.
|
|
||||||
+.El
|
|
||||||
.Sh SEE ALSO
|
|
||||||
.Xr ssh 1 ,
|
|
||||||
.Xr ssh-add 1 ,
|
|
||||||
diff --git a/ssh-keygen.1 b/ssh-keygen.1
|
|
||||||
index 12e00d4..1b51a4a 100644
|
|
||||||
--- a/ssh-keygen.1
|
|
||||||
+++ b/ssh-keygen.1
|
|
||||||
@@ -832,6 +832,26 @@ Contains Diffie-Hellman groups used for DH-GEX.
|
|
||||||
The file format is described in
|
|
||||||
.Xr moduli 5 .
|
|
||||||
.El
|
|
||||||
+.Sh ENVIRONMENT
|
|
||||||
+.Bl -tag -width Ds -compact
|
|
||||||
+.Pp
|
|
||||||
+.It Pa SSH_USE_STRONG_RNG
|
|
||||||
+The reseeding of the OpenSSL random generator is usually done from
|
|
||||||
+.Cm getrandom(1)
|
|
||||||
+without any specific flags.
|
|
||||||
+If the
|
|
||||||
+.Cm SSH_USE_STRONG_RNG
|
|
||||||
+environment variable is set to value other than
|
|
||||||
+.Cm 0
|
|
||||||
+the OpenSSL random generator is reseeded from
|
|
||||||
+.Cm getrandom(1)
|
|
||||||
+with GRND_RANDOM flag specified.
|
|
||||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
|
||||||
+Minimum is 14 bytes.
|
|
||||||
+This setting is not recommended on the computers without the hardware
|
|
||||||
+random generator because insufficient entropy causes the connection to
|
|
||||||
+be blocked until enough entropy is available.
|
|
||||||
+.El
|
|
||||||
.Sh SEE ALSO
|
|
||||||
.Xr ssh 1 ,
|
|
||||||
.Xr ssh-add 1 ,
|
|
||||||
diff --git a/ssh-keysign.8 b/ssh-keysign.8
|
|
||||||
index 69d0829..02d79f8 100644
|
|
||||||
--- a/ssh-keysign.8
|
|
||||||
+++ b/ssh-keysign.8
|
|
||||||
@@ -80,6 +80,26 @@ must be set-uid root if host-based authentication is used.
|
|
||||||
If these files exist they are assumed to contain public certificate
|
|
||||||
information corresponding with the private keys above.
|
|
||||||
.El
|
|
||||||
+.Sh ENVIRONMENT
|
|
||||||
+.Bl -tag -width Ds -compact
|
|
||||||
+.Pp
|
|
||||||
+.It Pa SSH_USE_STRONG_RNG
|
|
||||||
+The reseeding of the OpenSSL random generator is usually done from
|
|
||||||
+.Cm getrandom(1)
|
|
||||||
+without any specific flags.
|
|
||||||
+If the
|
|
||||||
+.Cm SSH_USE_STRONG_RNG
|
|
||||||
+environment variable is set to value other than
|
|
||||||
+.Cm 0
|
|
||||||
+the OpenSSL random generator is reseeded from
|
|
||||||
+.Cm getrandom(1)
|
|
||||||
+with GRND_RANDOM flag specified.
|
|
||||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
|
||||||
+Minimum is 14 bytes.
|
|
||||||
+This setting is not recommended on the computers without the hardware
|
|
||||||
+random generator because insufficient entropy causes the connection to
|
|
||||||
+be blocked until enough entropy is available.
|
|
||||||
+.El
|
|
||||||
.Sh SEE ALSO
|
|
||||||
.Xr ssh 1 ,
|
|
||||||
.Xr ssh-keygen 1 ,
|
|
||||||
diff --git a/ssh.1 b/ssh.1
|
|
||||||
index 929904b..f65e42f 100644
|
|
||||||
--- a/ssh.1
|
|
||||||
+++ b/ssh.1
|
|
||||||
@@ -1309,6 +1309,25 @@ For more information, see the
|
|
||||||
.Cm PermitUserEnvironment
|
|
||||||
option in
|
|
||||||
.Xr sshd_config 5 .
|
|
||||||
+.Bl -tag -width "SSH_ORIGINAL_COMMAND"
|
|
||||||
+.Pp
|
|
||||||
+.It Ev SSH_USE_STRONG_RNG
|
|
||||||
+The reseeding of the OpenSSL random generator is usually done from
|
|
||||||
+.Cm getrandom(1)
|
|
||||||
+without any specific flags.
|
|
||||||
+If the
|
|
||||||
+.Cm SSH_USE_STRONG_RNG
|
|
||||||
+environment variable is set to value other than
|
|
||||||
+.Cm 0
|
|
||||||
+the OpenSSL random generator is reseeded from
|
|
||||||
+.Cm getrandom(1)
|
|
||||||
+with GRND_RANDOM flag specified.
|
|
||||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
|
||||||
+Minimum is 14 bytes.
|
|
||||||
+This setting is not recommended on the computers without the hardware
|
|
||||||
+random generator because insufficient entropy causes the connection to
|
|
||||||
+be blocked until enough entropy is available.
|
|
||||||
+.El
|
|
||||||
.Sh FILES
|
|
||||||
.Bl -tag -width Ds -compact
|
|
||||||
.It Pa ~/.rhosts
|
|
||||||
diff --git a/sshd.8 b/sshd.8
|
|
||||||
index c2c237f..058d37a 100644
|
|
||||||
--- a/sshd.8
|
|
||||||
+++ b/sshd.8
|
|
||||||
@@ -951,6 +951,26 @@ concurrently for different ports, this contains the process ID of the one
|
|
||||||
started last).
|
|
||||||
The content of this file is not sensitive; it can be world-readable.
|
|
||||||
.El
|
|
||||||
+.Sh ENVIRONMENT
|
|
||||||
+.Bl -tag -width Ds -compact
|
|
||||||
+.Pp
|
|
||||||
+.It Ev SSH_USE_STRONG_RNG
|
|
||||||
+The reseeding of the OpenSSL random generator is usually done from
|
|
||||||
+.Cm getrandom(1)
|
|
||||||
+without any specific flags.
|
|
||||||
+If the
|
|
||||||
+.Cm SSH_USE_STRONG_RNG
|
|
||||||
+environment variable is set to value other than
|
|
||||||
+.Cm 0
|
|
||||||
+the OpenSSL random generator is reseeded from
|
|
||||||
+.Cm getrandom(1)
|
|
||||||
+with GRND_RANDOM flag specified.
|
|
||||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
|
||||||
+Minimum is 14 bytes.
|
|
||||||
+This setting is not recommended on the computers without the hardware
|
|
||||||
+random generator because insufficient entropy causes the connection to
|
|
||||||
+be blocked until enough entropy is available.
|
|
||||||
+.El
|
|
||||||
.Sh IPV6
|
|
||||||
IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
|
|
||||||
.Sh SEE ALSO
|
|
||||||
|
|
@ -1,27 +0,0 @@
|
|||||||
diff --git a/sftp.c b/sftp.c
|
|
||||||
index 04881c83..03c7a5c7 100644
|
|
||||||
--- a/sftp.c
|
|
||||||
+++ b/sftp.c
|
|
||||||
@@ -2527,12 +2527,17 @@ main(int argc, char **argv)
|
|
||||||
port = tmp;
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
+ /* Try with user, host and path. */
|
|
||||||
if (parse_user_host_path(*argv, &user, &host,
|
|
||||||
- &file1) == -1) {
|
|
||||||
- /* Treat as a plain hostname. */
|
|
||||||
- host = xstrdup(*argv);
|
|
||||||
- host = cleanhostname(host);
|
|
||||||
- }
|
|
||||||
+ &file1) == 0)
|
|
||||||
+ break;
|
|
||||||
+ /* Try with user and host. */
|
|
||||||
+ if (parse_user_host_port(*argv, &user, &host, NULL)
|
|
||||||
+ == 0)
|
|
||||||
+ break;
|
|
||||||
+ /* Treat as a plain hostname. */
|
|
||||||
+ host = xstrdup(*argv);
|
|
||||||
+ host = cleanhostname(host);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
file2 = *(argv + 1);
|
|
@ -1,107 +0,0 @@
|
|||||||
From 4a41d245d6b13bd3882c8dc058dbd2e2b39a9f67 Mon Sep 17 00:00:00 2001
|
|
||||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
|
||||||
Date: Fri, 24 Jan 2020 00:27:04 +0000
|
|
||||||
Subject: [PATCH] upstream: when signing a certificate with an RSA key, default
|
|
||||||
to
|
|
||||||
|
|
||||||
a safe signature algorithm (rsa-sha-512) if not is explicitly specified by
|
|
||||||
the user; ok markus@
|
|
||||||
|
|
||||||
OpenBSD-Commit-ID: e05f638f0be6c0266e1d3d799716b461011e83a9
|
|
||||||
---
|
|
||||||
ssh-keygen.c | 14 +++++++++-----
|
|
||||||
1 file changed, 9 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ssh-keygen.c b/ssh-keygen.c
|
|
||||||
index 564c3c481..f2192edb9 100644
|
|
||||||
--- a/ssh-keygen.c
|
|
||||||
+++ b/ssh-keygen.c
|
|
||||||
@@ -1788,10 +1788,14 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent,
|
|
||||||
}
|
|
||||||
free(tmp);
|
|
||||||
|
|
||||||
- if (key_type_name != NULL &&
|
|
||||||
- sshkey_type_from_name(key_type_name) != ca->type) {
|
|
||||||
- fatal("CA key type %s doesn't match specified %s",
|
|
||||||
- sshkey_ssh_name(ca), key_type_name);
|
|
||||||
+ if (key_type_name != NULL) {
|
|
||||||
+ if (sshkey_type_from_name(key_type_name) != ca->type) {
|
|
||||||
+ fatal("CA key type %s doesn't match specified %s",
|
|
||||||
+ sshkey_ssh_name(ca), key_type_name);
|
|
||||||
+ }
|
|
||||||
+ } else if (ca->type == KEY_RSA) {
|
|
||||||
+ /* Default to a good signature algorithm */
|
|
||||||
+ key_type_name = "rsa-sha2-512";
|
|
||||||
}
|
|
||||||
|
|
||||||
for (i = 0; i < argc; i++) {
|
|
||||||
|
|
||||||
From 476e3551b2952ef73acc43d995e832539bf9bc4d Mon Sep 17 00:00:00 2001
|
|
||||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
|
||||||
Date: Mon, 20 May 2019 00:20:35 +0000
|
|
||||||
Subject: [PATCH] upstream: When signing certificates with an RSA key, default
|
|
||||||
to
|
|
||||||
|
|
||||||
using the rsa-sha2-512 signature algorithm. Certificates signed by RSA keys
|
|
||||||
will therefore be incompatible with OpenSSH < 7.2 unless the default is
|
|
||||||
overridden.
|
|
||||||
|
|
||||||
Document the ability of the ssh-keygen -t flag to override the
|
|
||||||
signature algorithm when signing certificates, and the new default.
|
|
||||||
|
|
||||||
ok deraadt@
|
|
||||||
|
|
||||||
OpenBSD-Commit-ID: 400c9c15013978204c2cb80f294b03ae4cfc8b95
|
|
||||||
---
|
|
||||||
ssh-keygen.1 | 13 +++++++++++--
|
|
||||||
sshkey.c | 9 ++++++++-
|
|
||||||
2 files changed, 19 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ssh-keygen.1 b/ssh-keygen.1
|
|
||||||
index f29774249..673bf6e2f 100644
|
|
||||||
--- a/ssh-keygen.1
|
|
||||||
+++ b/ssh-keygen.1
|
|
||||||
@@ -35,7 +35,7 @@
|
|
||||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
||||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
.\"
|
|
||||||
-.Dd $Mdocdate: March 5 2019 $
|
|
||||||
+.Dd $Mdocdate: May 20 2019 $
|
|
||||||
.Dt SSH-KEYGEN 1
|
|
||||||
.Os
|
|
||||||
.Sh NAME
|
|
||||||
@@ -577,6 +577,15 @@ The possible values are
|
|
||||||
.Dq ed25519 ,
|
|
||||||
or
|
|
||||||
.Dq rsa .
|
|
||||||
+.Pp
|
|
||||||
+This flag may also be used to specify the desired signature type when
|
|
||||||
+signing certificates using a RSA CA key.
|
|
||||||
+The available RSA signature variants are
|
|
||||||
+.Dq ssh-rsa
|
|
||||||
+(SHA1 signatures, not recommended),
|
|
||||||
+.Dq rsa-sha2-256
|
|
||||||
+.Dq rsa-sha2-512
|
|
||||||
+(the default).
|
|
||||||
.It Fl U
|
|
||||||
When used in combination with
|
|
||||||
.Fl s ,
|
|
||||||
diff --git a/sshkey.c b/sshkey.c
|
|
||||||
index 9849cb237..379a579cf 100644
|
|
||||||
--- a/sshkey.c
|
|
||||||
+++ b/sshkey.c
|
|
||||||
@@ -2528,6 +2528,13 @@ sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg,
|
|
||||||
strcmp(alg, k->cert->signature_type) != 0)
|
|
||||||
return SSH_ERR_INVALID_ARGUMENT;
|
|
||||||
|
|
||||||
+ /*
|
|
||||||
+ * If no signing algorithm or signature_type was specified and we're
|
|
||||||
+ * using a RSA key, then default to a good signature algorithm.
|
|
||||||
+ */
|
|
||||||
+ if (alg == NULL && ca->type == KEY_RSA)
|
|
||||||
+ alg = "rsa-sha2-512";
|
|
||||||
+
|
|
||||||
if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0)
|
|
||||||
return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
|
|
||||||
|
|
||||||
|
|
@ -1,33 +0,0 @@
|
|||||||
From 7250879c72d28275a53f2f220e49646c3e42ef18 Mon Sep 17 00:00:00 2001
|
|
||||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
|
||||||
Date: Fri, 12 Jul 2019 04:08:39 +0000
|
|
||||||
Subject: [PATCH] upstream: include SHA2-variant RSA key algorithms in KEX
|
|
||||||
proposal;
|
|
||||||
|
|
||||||
allows ssh-keyscan to harvest keys from servers that disable olde SHA1
|
|
||||||
ssh-rsa. bz#3029 from Jakub Jelen
|
|
||||||
|
|
||||||
OpenBSD-Commit-ID: 9f95ebf76a150c2f727ca4780fb2599d50bbab7a
|
|
||||||
---
|
|
||||||
ssh-keyscan.c | 9 +++++++--
|
|
||||||
1 file changed, 7 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
|
|
||||||
index d95ba1b37..d383b57b9 100644
|
|
||||||
--- a/ssh-keyscan.c
|
|
||||||
+++ b/ssh-keyscan.c
|
|
||||||
@@ -233,7 +233,12 @@ keygrab_ssh2(con *c)
|
|
||||||
break;
|
|
||||||
case KT_RSA:
|
|
||||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
|
|
||||||
- "ssh-rsa-cert-v01@openssh.com" : "ssh-rsa";
|
|
||||||
+ "rsa-sha2-512-cert-v01@openssh.com,"
|
|
||||||
+ "rsa-sha2-256-cert-v01@openssh.com,"
|
|
||||||
+ "ssh-rsa-cert-v01@openssh.com" :
|
|
||||||
+ "rsa-sha2-512,"
|
|
||||||
+ "rsa-sha2-256,"
|
|
||||||
+ "ssh-rsa";
|
|
||||||
break;
|
|
||||||
case KT_ED25519:
|
|
||||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
|
|
||||||
|
|
@ -1,720 +0,0 @@
|
|||||||
From ed7ec0cdf577ffbb0b15145340cf51596ca3eb89 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
Date: Tue, 14 May 2019 10:45:45 +0200
|
|
||||||
Subject: [PATCH] Use high-level OpenSSL API for signatures
|
|
||||||
|
|
||||||
---
|
|
||||||
digest-openssl.c | 16 ++++
|
|
||||||
digest.h | 6 ++
|
|
||||||
ssh-dss.c | 65 ++++++++++------
|
|
||||||
ssh-ecdsa.c | 69 ++++++++++-------
|
|
||||||
ssh-rsa.c | 193 +++++++++--------------------------------------
|
|
||||||
sshkey.c | 77 +++++++++++++++++++
|
|
||||||
sshkey.h | 4 +
|
|
||||||
7 files changed, 221 insertions(+), 209 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/digest-openssl.c b/digest-openssl.c
|
|
||||||
index da7ed72bc..6a21d8adb 100644
|
|
||||||
--- a/digest-openssl.c
|
|
||||||
+++ b/digest-openssl.c
|
|
||||||
@@ -63,6 +63,22 @@ const struct ssh_digest digests[] = {
|
|
||||||
{ -1, NULL, 0, NULL },
|
|
||||||
};
|
|
||||||
|
|
||||||
+const EVP_MD *
|
|
||||||
+ssh_digest_to_md(int digest_type)
|
|
||||||
+{
|
|
||||||
+ switch (digest_type) {
|
|
||||||
+ case SSH_DIGEST_SHA1:
|
|
||||||
+ return EVP_sha1();
|
|
||||||
+ case SSH_DIGEST_SHA256:
|
|
||||||
+ return EVP_sha256();
|
|
||||||
+ case SSH_DIGEST_SHA384:
|
|
||||||
+ return EVP_sha384();
|
|
||||||
+ case SSH_DIGEST_SHA512:
|
|
||||||
+ return EVP_sha512();
|
|
||||||
+ }
|
|
||||||
+ return NULL;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static const struct ssh_digest *
|
|
||||||
ssh_digest_by_alg(int alg)
|
|
||||||
{
|
|
||||||
diff --git a/digest.h b/digest.h
|
|
||||||
index 274574d0e..c7ceeb36f 100644
|
|
||||||
--- a/digest.h
|
|
||||||
+++ b/digest.h
|
|
||||||
@@ -32,6 +32,12 @@
|
|
||||||
struct sshbuf;
|
|
||||||
struct ssh_digest_ctx;
|
|
||||||
|
|
||||||
+#ifdef WITH_OPENSSL
|
|
||||||
+#include <openssl/evp.h>
|
|
||||||
+/* Converts internal digest representation to the OpenSSL one */
|
|
||||||
+const EVP_MD *ssh_digest_to_md(int digest_type);
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
/* Looks up a digest algorithm by name */
|
|
||||||
int ssh_digest_alg_by_name(const char *name);
|
|
||||||
|
|
||||||
diff --git a/ssh-dss.c b/ssh-dss.c
|
|
||||||
index a23c383dc..ea45e7275 100644
|
|
||||||
--- a/ssh-dss.c
|
|
||||||
+++ b/ssh-dss.c
|
|
||||||
@@ -52,11 +52,15 @@ int
|
|
||||||
ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
|
|
||||||
const u_char *data, size_t datalen, u_int compat)
|
|
||||||
{
|
|
||||||
+ EVP_PKEY *pkey = NULL;
|
|
||||||
DSA_SIG *sig = NULL;
|
|
||||||
const BIGNUM *sig_r, *sig_s;
|
|
||||||
- u_char digest[SSH_DIGEST_MAX_LENGTH], sigblob[SIGBLOB_LEN];
|
|
||||||
- size_t rlen, slen, len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
|
|
||||||
+ u_char sigblob[SIGBLOB_LEN];
|
|
||||||
+ size_t rlen, slen;
|
|
||||||
+ int len;
|
|
||||||
struct sshbuf *b = NULL;
|
|
||||||
+ u_char *sigb = NULL;
|
|
||||||
+ const u_char *psig = NULL;
|
|
||||||
int ret = SSH_ERR_INVALID_ARGUMENT;
|
|
||||||
|
|
||||||
if (lenp != NULL)
|
|
||||||
@@ -67,17 +71,24 @@ ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
|
|
||||||
if (key == NULL || key->dsa == NULL ||
|
|
||||||
sshkey_type_plain(key->type) != KEY_DSA)
|
|
||||||
return SSH_ERR_INVALID_ARGUMENT;
|
|
||||||
- if (dlen == 0)
|
|
||||||
- return SSH_ERR_INTERNAL_ERROR;
|
|
||||||
|
|
||||||
- if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen,
|
|
||||||
- digest, sizeof(digest))) != 0)
|
|
||||||
+ if ((pkey = EVP_PKEY_new()) == NULL ||
|
|
||||||
+ EVP_PKEY_set1_DSA(pkey, key->dsa) != 1)
|
|
||||||
+ return SSH_ERR_ALLOC_FAIL;
|
|
||||||
+ ret = sshkey_calculate_signature(pkey, SSH_DIGEST_SHA1, &sigb, &len,
|
|
||||||
+ data, datalen);
|
|
||||||
+ EVP_PKEY_free(pkey);
|
|
||||||
+ if (ret < 0) {
|
|
||||||
goto out;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- if ((sig = DSA_do_sign(digest, dlen, key->dsa)) == NULL) {
|
|
||||||
+ psig = sigb;
|
|
||||||
+ if ((sig = d2i_DSA_SIG(NULL, &psig, len)) == NULL) {
|
|
||||||
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
+ free(sigb);
|
|
||||||
+ sigb = NULL;
|
|
||||||
|
|
||||||
DSA_SIG_get0(sig, &sig_r, &sig_s);
|
|
||||||
rlen = BN_num_bytes(sig_r);
|
|
||||||
@@ -110,7 +121,7 @@ ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
|
|
||||||
*lenp = len;
|
|
||||||
ret = 0;
|
|
||||||
out:
|
|
||||||
- explicit_bzero(digest, sizeof(digest));
|
|
||||||
+ free(sigb);
|
|
||||||
DSA_SIG_free(sig);
|
|
||||||
sshbuf_free(b);
|
|
||||||
return ret;
|
|
||||||
@@ -121,20 +132,20 @@ ssh_dss_verify(const struct sshkey *key,
|
|
||||||
const u_char *signature, size_t signaturelen,
|
|
||||||
const u_char *data, size_t datalen, u_int compat)
|
|
||||||
{
|
|
||||||
+ EVP_PKEY *pkey = NULL;
|
|
||||||
DSA_SIG *sig = NULL;
|
|
||||||
BIGNUM *sig_r = NULL, *sig_s = NULL;
|
|
||||||
- u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob = NULL;
|
|
||||||
- size_t len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
|
|
||||||
+ u_char *sigblob = NULL;
|
|
||||||
+ size_t len, slen;
|
|
||||||
int ret = SSH_ERR_INTERNAL_ERROR;
|
|
||||||
struct sshbuf *b = NULL;
|
|
||||||
char *ktype = NULL;
|
|
||||||
+ u_char *sigb = NULL, *psig = NULL;
|
|
||||||
|
|
||||||
if (key == NULL || key->dsa == NULL ||
|
|
||||||
sshkey_type_plain(key->type) != KEY_DSA ||
|
|
||||||
signature == NULL || signaturelen == 0)
|
|
||||||
return SSH_ERR_INVALID_ARGUMENT;
|
|
||||||
- if (dlen == 0)
|
|
||||||
- return SSH_ERR_INTERNAL_ERROR;
|
|
||||||
|
|
||||||
/* fetch signature */
|
|
||||||
if ((b = sshbuf_from(signature, signaturelen)) == NULL)
|
|
||||||
@@ -176,25 +187,31 @@ ssh_dss_verify(const struct sshkey *key,
|
|
||||||
}
|
|
||||||
sig_r = sig_s = NULL; /* transferred */
|
|
||||||
|
|
||||||
- /* sha1 the data */
|
|
||||||
- if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen,
|
|
||||||
- digest, sizeof(digest))) != 0)
|
|
||||||
+ if ((slen = i2d_DSA_SIG(sig, NULL)) == 0) {
|
|
||||||
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
||||||
goto out;
|
|
||||||
-
|
|
||||||
- switch (DSA_do_verify(digest, dlen, sig, key->dsa)) {
|
|
||||||
- case 1:
|
|
||||||
- ret = 0;
|
|
||||||
- break;
|
|
||||||
- case 0:
|
|
||||||
- ret = SSH_ERR_SIGNATURE_INVALID;
|
|
||||||
+ }
|
|
||||||
+ if ((sigb = malloc(slen)) == NULL) {
|
|
||||||
+ ret = SSH_ERR_ALLOC_FAIL;
|
|
||||||
goto out;
|
|
||||||
- default:
|
|
||||||
+ }
|
|
||||||
+ psig = sigb;
|
|
||||||
+ if ((slen = i2d_DSA_SIG(sig, &psig)) == 0) {
|
|
||||||
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if ((pkey = EVP_PKEY_new()) == NULL ||
|
|
||||||
+ EVP_PKEY_set1_DSA(pkey, key->dsa) != 1) {
|
|
||||||
+ ret = SSH_ERR_ALLOC_FAIL;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ ret = sshkey_verify_signature(pkey, SSH_DIGEST_SHA1, data, datalen,
|
|
||||||
+ sigb, slen);
|
|
||||||
+ EVP_PKEY_free(pkey);
|
|
||||||
+
|
|
||||||
out:
|
|
||||||
- explicit_bzero(digest, sizeof(digest));
|
|
||||||
+ free(sigb);
|
|
||||||
DSA_SIG_free(sig);
|
|
||||||
BN_clear_free(sig_r);
|
|
||||||
BN_clear_free(sig_s);
|
|
||||||
diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c
|
|
||||||
index 599c7199d..b036796e8 100644
|
|
||||||
--- a/ssh-ecdsa.c
|
|
||||||
+++ b/ssh-ecdsa.c
|
|
||||||
@@ -50,11 +50,13 @@ int
|
|
||||||
ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
|
|
||||||
const u_char *data, size_t datalen, u_int compat)
|
|
||||||
{
|
|
||||||
+ EVP_PKEY *pkey = NULL;
|
|
||||||
ECDSA_SIG *sig = NULL;
|
|
||||||
+ unsigned char *sigb = NULL;
|
|
||||||
+ const unsigned char *psig;
|
|
||||||
const BIGNUM *sig_r, *sig_s;
|
|
||||||
int hash_alg;
|
|
||||||
- u_char digest[SSH_DIGEST_MAX_LENGTH];
|
|
||||||
- size_t len, dlen;
|
|
||||||
+ int len;
|
|
||||||
struct sshbuf *b = NULL, *bb = NULL;
|
|
||||||
int ret = SSH_ERR_INTERNAL_ERROR;
|
|
||||||
|
|
||||||
@@ -67,18 +69,24 @@ ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
|
|
||||||
sshkey_type_plain(key->type) != KEY_ECDSA)
|
|
||||||
return SSH_ERR_INVALID_ARGUMENT;
|
|
||||||
|
|
||||||
- if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 ||
|
|
||||||
- (dlen = ssh_digest_bytes(hash_alg)) == 0)
|
|
||||||
+ if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1)
|
|
||||||
return SSH_ERR_INTERNAL_ERROR;
|
|
||||||
- if ((ret = ssh_digest_memory(hash_alg, data, datalen,
|
|
||||||
- digest, sizeof(digest))) != 0)
|
|
||||||
+
|
|
||||||
+ if ((pkey = EVP_PKEY_new()) == NULL ||
|
|
||||||
+ EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa) != 1)
|
|
||||||
+ return SSH_ERR_ALLOC_FAIL;
|
|
||||||
+ ret = sshkey_calculate_signature(pkey, hash_alg, &sigb, &len, data,
|
|
||||||
+ datalen);
|
|
||||||
+ EVP_PKEY_free(pkey);
|
|
||||||
+ if (ret < 0) {
|
|
||||||
goto out;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- if ((sig = ECDSA_do_sign(digest, dlen, key->ecdsa)) == NULL) {
|
|
||||||
+ psig = sigb;
|
|
||||||
+ if ((sig = d2i_ECDSA_SIG(NULL, &psig, len)) == NULL) {
|
|
||||||
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
-
|
|
||||||
if ((bb = sshbuf_new()) == NULL || (b = sshbuf_new()) == NULL) {
|
|
||||||
ret = SSH_ERR_ALLOC_FAIL;
|
|
||||||
goto out;
|
|
||||||
@@ -102,7 +110,7 @@ ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
|
|
||||||
*lenp = len;
|
|
||||||
ret = 0;
|
|
||||||
out:
|
|
||||||
- explicit_bzero(digest, sizeof(digest));
|
|
||||||
+ free(sigb);
|
|
||||||
sshbuf_free(b);
|
|
||||||
sshbuf_free(bb);
|
|
||||||
ECDSA_SIG_free(sig);
|
|
||||||
@@ -115,22 +123,21 @@ ssh_ecdsa_verify(const struct sshkey *key,
|
|
||||||
const u_char *signature, size_t signaturelen,
|
|
||||||
const u_char *data, size_t datalen, u_int compat)
|
|
||||||
{
|
|
||||||
+ EVP_PKEY *pkey = NULL;
|
|
||||||
ECDSA_SIG *sig = NULL;
|
|
||||||
BIGNUM *sig_r = NULL, *sig_s = NULL;
|
|
||||||
- int hash_alg;
|
|
||||||
- u_char digest[SSH_DIGEST_MAX_LENGTH];
|
|
||||||
- size_t dlen;
|
|
||||||
+ int hash_alg, len;
|
|
||||||
int ret = SSH_ERR_INTERNAL_ERROR;
|
|
||||||
struct sshbuf *b = NULL, *sigbuf = NULL;
|
|
||||||
char *ktype = NULL;
|
|
||||||
+ unsigned char *sigb = NULL, *psig = NULL;
|
|
||||||
|
|
||||||
if (key == NULL || key->ecdsa == NULL ||
|
|
||||||
sshkey_type_plain(key->type) != KEY_ECDSA ||
|
|
||||||
signature == NULL || signaturelen == 0)
|
|
||||||
return SSH_ERR_INVALID_ARGUMENT;
|
|
||||||
|
|
||||||
- if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 ||
|
|
||||||
- (dlen = ssh_digest_bytes(hash_alg)) == 0)
|
|
||||||
+ if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1)
|
|
||||||
return SSH_ERR_INTERNAL_ERROR;
|
|
||||||
|
|
||||||
/* fetch signature */
|
|
||||||
@@ -166,28 +173,36 @@ ssh_ecdsa_verify(const struct sshkey *key,
|
|
||||||
}
|
|
||||||
sig_r = sig_s = NULL; /* transferred */
|
|
||||||
|
|
||||||
- if (sshbuf_len(sigbuf) != 0) {
|
|
||||||
- ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
|
|
||||||
+ /* Figure out the length */
|
|
||||||
+ if ((len = i2d_ECDSA_SIG(sig, NULL)) == 0) {
|
|
||||||
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ if ((sigb = malloc(len)) == NULL) {
|
|
||||||
+ ret = SSH_ERR_ALLOC_FAIL;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
- if ((ret = ssh_digest_memory(hash_alg, data, datalen,
|
|
||||||
- digest, sizeof(digest))) != 0)
|
|
||||||
+ psig = sigb;
|
|
||||||
+ if ((len = i2d_ECDSA_SIG(sig, &psig)) == 0) {
|
|
||||||
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
||||||
goto out;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- switch (ECDSA_do_verify(digest, dlen, sig, key->ecdsa)) {
|
|
||||||
- case 1:
|
|
||||||
- ret = 0;
|
|
||||||
- break;
|
|
||||||
- case 0:
|
|
||||||
- ret = SSH_ERR_SIGNATURE_INVALID;
|
|
||||||
+ if (sshbuf_len(sigbuf) != 0) {
|
|
||||||
+ ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
|
|
||||||
goto out;
|
|
||||||
- default:
|
|
||||||
- ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if ((pkey = EVP_PKEY_new()) == NULL ||
|
|
||||||
+ EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa) != 1) {
|
|
||||||
+ ret = SSH_ERR_ALLOC_FAIL;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
+ ret = sshkey_verify_signature(pkey, hash_alg, data, datalen, sigb, len);
|
|
||||||
+ EVP_PKEY_free(pkey);
|
|
||||||
|
|
||||||
out:
|
|
||||||
- explicit_bzero(digest, sizeof(digest));
|
|
||||||
+ free(sigb);
|
|
||||||
sshbuf_free(sigbuf);
|
|
||||||
sshbuf_free(b);
|
|
||||||
ECDSA_SIG_free(sig);
|
|
||||||
diff --git a/ssh-rsa.c b/ssh-rsa.c
|
|
||||||
index 9b14f9a9a..8ef3a6aca 100644
|
|
||||||
--- a/ssh-rsa.c
|
|
||||||
+++ b/ssh-rsa.c
|
|
||||||
@@ -37,7 +37,7 @@
|
|
||||||
|
|
||||||
#include "openbsd-compat/openssl-compat.h"
|
|
||||||
|
|
||||||
-static int openssh_RSA_verify(int, u_char *, size_t, u_char *, size_t, RSA *);
|
|
||||||
+static int openssh_RSA_verify(int, const u_char *, size_t, u_char *, size_t, EVP_PKEY *);
|
|
||||||
|
|
||||||
static const char *
|
|
||||||
rsa_hash_alg_ident(int hash_alg)
|
|
||||||
@@ -90,21 +90,6 @@ rsa_hash_id_from_keyname(const char *alg)
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static int
|
|
||||||
-rsa_hash_alg_nid(int type)
|
|
||||||
-{
|
|
||||||
- switch (type) {
|
|
||||||
- case SSH_DIGEST_SHA1:
|
|
||||||
- return NID_sha1;
|
|
||||||
- case SSH_DIGEST_SHA256:
|
|
||||||
- return NID_sha256;
|
|
||||||
- case SSH_DIGEST_SHA512:
|
|
||||||
- return NID_sha512;
|
|
||||||
- default:
|
|
||||||
- return -1;
|
|
||||||
- }
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
int
|
|
||||||
ssh_rsa_complete_crt_parameters(struct sshkey *key, const BIGNUM *iqmp)
|
|
||||||
{
|
|
||||||
@@ -164,11 +149,10 @@ int
|
|
||||||
ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
|
|
||||||
const u_char *data, size_t datalen, const char *alg_ident)
|
|
||||||
{
|
|
||||||
- const BIGNUM *rsa_n;
|
|
||||||
- u_char digest[SSH_DIGEST_MAX_LENGTH], *sig = NULL;
|
|
||||||
- size_t slen = 0;
|
|
||||||
- u_int dlen, len;
|
|
||||||
- int nid, hash_alg, ret = SSH_ERR_INTERNAL_ERROR;
|
|
||||||
+ EVP_PKEY *pkey = NULL;
|
|
||||||
+ u_char *sig = NULL;
|
|
||||||
+ int len, slen = 0;
|
|
||||||
+ int hash_alg, ret = SSH_ERR_INTERNAL_ERROR;
|
|
||||||
struct sshbuf *b = NULL;
|
|
||||||
|
|
||||||
if (lenp != NULL)
|
|
||||||
@@ -180,33 +164,24 @@ ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
|
|
||||||
hash_alg = SSH_DIGEST_SHA1;
|
|
||||||
else
|
|
||||||
hash_alg = rsa_hash_id_from_keyname(alg_ident);
|
|
||||||
+
|
|
||||||
if (key == NULL || key->rsa == NULL || hash_alg == -1 ||
|
|
||||||
sshkey_type_plain(key->type) != KEY_RSA)
|
|
||||||
return SSH_ERR_INVALID_ARGUMENT;
|
|
||||||
- RSA_get0_key(key->rsa, &rsa_n, NULL, NULL);
|
|
||||||
- if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
|
|
||||||
- return SSH_ERR_KEY_LENGTH;
|
|
||||||
slen = RSA_size(key->rsa);
|
|
||||||
- if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM)
|
|
||||||
- return SSH_ERR_INVALID_ARGUMENT;
|
|
||||||
-
|
|
||||||
- /* hash the data */
|
|
||||||
- nid = rsa_hash_alg_nid(hash_alg);
|
|
||||||
- if ((dlen = ssh_digest_bytes(hash_alg)) == 0)
|
|
||||||
- return SSH_ERR_INTERNAL_ERROR;
|
|
||||||
- if ((ret = ssh_digest_memory(hash_alg, data, datalen,
|
|
||||||
- digest, sizeof(digest))) != 0)
|
|
||||||
- goto out;
|
|
||||||
+ if (RSA_bits(key->rsa) < SSH_RSA_MINIMUM_MODULUS_SIZE)
|
|
||||||
+ return SSH_ERR_KEY_LENGTH;
|
|
||||||
|
|
||||||
- if ((sig = malloc(slen)) == NULL) {
|
|
||||||
- ret = SSH_ERR_ALLOC_FAIL;
|
|
||||||
+ if ((pkey = EVP_PKEY_new()) == NULL ||
|
|
||||||
+ EVP_PKEY_set1_RSA(pkey, key->rsa) != 1)
|
|
||||||
+ return SSH_ERR_ALLOC_FAIL;
|
|
||||||
+ ret = sshkey_calculate_signature(pkey, hash_alg, &sig, &len, data,
|
|
||||||
+ datalen);
|
|
||||||
+ EVP_PKEY_free(pkey);
|
|
||||||
+ if (ret < 0) {
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (RSA_sign(nid, digest, dlen, sig, &len, key->rsa) != 1) {
|
|
||||||
- ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
||||||
- goto out;
|
|
||||||
- }
|
|
||||||
if (len < slen) {
|
|
||||||
size_t diff = slen - len;
|
|
||||||
memmove(sig + diff, sig, len);
|
|
||||||
@@ -215,6 +190,7 @@ ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
|
|
||||||
ret = SSH_ERR_INTERNAL_ERROR;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
/* encode signature */
|
|
||||||
if ((b = sshbuf_new()) == NULL) {
|
|
||||||
ret = SSH_ERR_ALLOC_FAIL;
|
|
||||||
@@ -235,7 +211,6 @@ ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
|
|
||||||
*lenp = len;
|
|
||||||
ret = 0;
|
|
||||||
out:
|
|
||||||
- explicit_bzero(digest, sizeof(digest));
|
|
||||||
freezero(sig, slen);
|
|
||||||
sshbuf_free(b);
|
|
||||||
return ret;
|
|
||||||
@@ -246,10 +221,10 @@ ssh_rsa_verify(const struct sshkey *key,
|
|
||||||
const u_char *sig, size_t siglen, const u_char *data, size_t datalen,
|
|
||||||
const char *alg)
|
|
||||||
{
|
|
||||||
- const BIGNUM *rsa_n;
|
|
||||||
+ EVP_PKEY *pkey = NULL;
|
|
||||||
char *sigtype = NULL;
|
|
||||||
int hash_alg, want_alg, ret = SSH_ERR_INTERNAL_ERROR;
|
|
||||||
- size_t len = 0, diff, modlen, dlen;
|
|
||||||
+ size_t len = 0, diff, modlen;
|
|
||||||
struct sshbuf *b = NULL;
|
|
||||||
u_char digest[SSH_DIGEST_MAX_LENGTH], *osigblob, *sigblob = NULL;
|
|
||||||
|
|
||||||
@@ -257,8 +232,7 @@ ssh_rsa_verify(const struct sshkey *key,
|
|
||||||
sshkey_type_plain(key->type) != KEY_RSA ||
|
|
||||||
sig == NULL || siglen == 0)
|
|
||||||
return SSH_ERR_INVALID_ARGUMENT;
|
|
||||||
- RSA_get0_key(key->rsa, &rsa_n, NULL, NULL);
|
|
||||||
- if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
|
|
||||||
+ if (RSA_bits(key->rsa) < SSH_RSA_MINIMUM_MODULUS_SIZE)
|
|
||||||
return SSH_ERR_KEY_LENGTH;
|
|
||||||
|
|
||||||
if ((b = sshbuf_from(sig, siglen)) == NULL)
|
|
||||||
@@ -310,16 +284,15 @@ ssh_rsa_verify(const struct sshkey *key,
|
|
||||||
explicit_bzero(sigblob, diff);
|
|
||||||
len = modlen;
|
|
||||||
}
|
|
||||||
- if ((dlen = ssh_digest_bytes(hash_alg)) == 0) {
|
|
||||||
- ret = SSH_ERR_INTERNAL_ERROR;
|
|
||||||
+
|
|
||||||
+ if ((pkey = EVP_PKEY_new()) == NULL ||
|
|
||||||
+ EVP_PKEY_set1_RSA(pkey, key->rsa) != 1) {
|
|
||||||
+ ret = SSH_ERR_ALLOC_FAIL;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
- if ((ret = ssh_digest_memory(hash_alg, data, datalen,
|
|
||||||
- digest, sizeof(digest))) != 0)
|
|
||||||
- goto out;
|
|
||||||
+ ret = openssh_RSA_verify(hash_alg, data, datalen, sigblob, len, pkey);
|
|
||||||
+ EVP_PKEY_free(pkey);
|
|
||||||
|
|
||||||
- ret = openssh_RSA_verify(hash_alg, digest, dlen, sigblob, len,
|
|
||||||
- key->rsa);
|
|
||||||
out:
|
|
||||||
freezero(sigblob, len);
|
|
||||||
free(sigtype);
|
|
||||||
@@ -328,122 +301,26 @@ ssh_rsa_verify(const struct sshkey *key,
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
-/*
|
|
||||||
- * See:
|
|
||||||
- * http://www.rsasecurity.com/rsalabs/pkcs/pkcs-1/
|
|
||||||
- * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.asn
|
|
||||||
- */
|
|
||||||
-
|
|
||||||
-/*
|
|
||||||
- * id-sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
|
|
||||||
- * oiw(14) secsig(3) algorithms(2) 26 }
|
|
||||||
- */
|
|
||||||
-static const u_char id_sha1[] = {
|
|
||||||
- 0x30, 0x21, /* type Sequence, length 0x21 (33) */
|
|
||||||
- 0x30, 0x09, /* type Sequence, length 0x09 */
|
|
||||||
- 0x06, 0x05, /* type OID, length 0x05 */
|
|
||||||
- 0x2b, 0x0e, 0x03, 0x02, 0x1a, /* id-sha1 OID */
|
|
||||||
- 0x05, 0x00, /* NULL */
|
|
||||||
- 0x04, 0x14 /* Octet string, length 0x14 (20), followed by sha1 hash */
|
|
||||||
-};
|
|
||||||
-
|
|
||||||
-/*
|
|
||||||
- * See http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/algorithms.html
|
|
||||||
- * id-sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
|
|
||||||
- * organization(1) gov(101) csor(3) nistAlgorithm(4) hashAlgs(2)
|
|
||||||
- * id-sha256(1) }
|
|
||||||
- */
|
|
||||||
-static const u_char id_sha256[] = {
|
|
||||||
- 0x30, 0x31, /* type Sequence, length 0x31 (49) */
|
|
||||||
- 0x30, 0x0d, /* type Sequence, length 0x0d (13) */
|
|
||||||
- 0x06, 0x09, /* type OID, length 0x09 */
|
|
||||||
- 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, /* id-sha256 */
|
|
||||||
- 0x05, 0x00, /* NULL */
|
|
||||||
- 0x04, 0x20 /* Octet string, length 0x20 (32), followed by sha256 hash */
|
|
||||||
-};
|
|
||||||
-
|
|
||||||
-/*
|
|
||||||
- * See http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/algorithms.html
|
|
||||||
- * id-sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
|
|
||||||
- * organization(1) gov(101) csor(3) nistAlgorithm(4) hashAlgs(2)
|
|
||||||
- * id-sha256(3) }
|
|
||||||
- */
|
|
||||||
-static const u_char id_sha512[] = {
|
|
||||||
- 0x30, 0x51, /* type Sequence, length 0x51 (81) */
|
|
||||||
- 0x30, 0x0d, /* type Sequence, length 0x0d (13) */
|
|
||||||
- 0x06, 0x09, /* type OID, length 0x09 */
|
|
||||||
- 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, /* id-sha512 */
|
|
||||||
- 0x05, 0x00, /* NULL */
|
|
||||||
- 0x04, 0x40 /* Octet string, length 0x40 (64), followed by sha512 hash */
|
|
||||||
-};
|
|
||||||
-
|
|
||||||
static int
|
|
||||||
-rsa_hash_alg_oid(int hash_alg, const u_char **oidp, size_t *oidlenp)
|
|
||||||
+openssh_RSA_verify(int hash_alg, const u_char *data, size_t datalen,
|
|
||||||
+ u_char *sigbuf, size_t siglen, EVP_PKEY *pkey)
|
|
||||||
{
|
|
||||||
- switch (hash_alg) {
|
|
||||||
- case SSH_DIGEST_SHA1:
|
|
||||||
- *oidp = id_sha1;
|
|
||||||
- *oidlenp = sizeof(id_sha1);
|
|
||||||
- break;
|
|
||||||
- case SSH_DIGEST_SHA256:
|
|
||||||
- *oidp = id_sha256;
|
|
||||||
- *oidlenp = sizeof(id_sha256);
|
|
||||||
- break;
|
|
||||||
- case SSH_DIGEST_SHA512:
|
|
||||||
- *oidp = id_sha512;
|
|
||||||
- *oidlenp = sizeof(id_sha512);
|
|
||||||
- break;
|
|
||||||
- default:
|
|
||||||
- return SSH_ERR_INVALID_ARGUMENT;
|
|
||||||
- }
|
|
||||||
- return 0;
|
|
||||||
-}
|
|
||||||
+ size_t rsasize = 0;
|
|
||||||
+ const RSA *rsa;
|
|
||||||
+ int ret;
|
|
||||||
|
|
||||||
-static int
|
|
||||||
-openssh_RSA_verify(int hash_alg, u_char *hash, size_t hashlen,
|
|
||||||
- u_char *sigbuf, size_t siglen, RSA *rsa)
|
|
||||||
-{
|
|
||||||
- size_t rsasize = 0, oidlen = 0, hlen = 0;
|
|
||||||
- int ret, len, oidmatch, hashmatch;
|
|
||||||
- const u_char *oid = NULL;
|
|
||||||
- u_char *decrypted = NULL;
|
|
||||||
-
|
|
||||||
- if ((ret = rsa_hash_alg_oid(hash_alg, &oid, &oidlen)) != 0)
|
|
||||||
- return ret;
|
|
||||||
- ret = SSH_ERR_INTERNAL_ERROR;
|
|
||||||
- hlen = ssh_digest_bytes(hash_alg);
|
|
||||||
- if (hashlen != hlen) {
|
|
||||||
- ret = SSH_ERR_INVALID_ARGUMENT;
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
+ rsa = EVP_PKEY_get0_RSA(pkey);
|
|
||||||
rsasize = RSA_size(rsa);
|
|
||||||
if (rsasize <= 0 || rsasize > SSHBUF_MAX_BIGNUM ||
|
|
||||||
siglen == 0 || siglen > rsasize) {
|
|
||||||
ret = SSH_ERR_INVALID_ARGUMENT;
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
- if ((decrypted = malloc(rsasize)) == NULL) {
|
|
||||||
- ret = SSH_ERR_ALLOC_FAIL;
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
- if ((len = RSA_public_decrypt(siglen, sigbuf, decrypted, rsa,
|
|
||||||
- RSA_PKCS1_PADDING)) < 0) {
|
|
||||||
- ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
- if (len < 0 || (size_t)len != hlen + oidlen) {
|
|
||||||
- ret = SSH_ERR_INVALID_FORMAT;
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
- oidmatch = timingsafe_bcmp(decrypted, oid, oidlen) == 0;
|
|
||||||
- hashmatch = timingsafe_bcmp(decrypted + oidlen, hash, hlen) == 0;
|
|
||||||
- if (!oidmatch || !hashmatch) {
|
|
||||||
- ret = SSH_ERR_SIGNATURE_INVALID;
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
- ret = 0;
|
|
||||||
+
|
|
||||||
+ ret = sshkey_verify_signature(pkey, hash_alg, data, datalen,
|
|
||||||
+ sigbuf, siglen);
|
|
||||||
+
|
|
||||||
done:
|
|
||||||
- freezero(decrypted, rsasize);
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
#endif /* WITH_OPENSSL */
|
|
||||||
diff --git a/sshkey.c b/sshkey.c
|
|
||||||
index ad1957762..b95ed0b10 100644
|
|
||||||
--- a/sshkey.c
|
|
||||||
+++ b/sshkey.c
|
|
||||||
@@ -358,6 +358,83 @@ sshkey_type_plain(int type)
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef WITH_OPENSSL
|
|
||||||
+int
|
|
||||||
+sshkey_calculate_signature(EVP_PKEY *pkey, int hash_alg, u_char **sigp,
|
|
||||||
+ int *lenp, const u_char *data, size_t datalen)
|
|
||||||
+{
|
|
||||||
+ EVP_MD_CTX *ctx = NULL;
|
|
||||||
+ u_char *sig = NULL;
|
|
||||||
+ int ret, slen, len;
|
|
||||||
+
|
|
||||||
+ if (sigp == NULL || lenp == NULL) {
|
|
||||||
+ return SSH_ERR_INVALID_ARGUMENT;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ slen = EVP_PKEY_size(pkey);
|
|
||||||
+ if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM)
|
|
||||||
+ return SSH_ERR_INVALID_ARGUMENT;
|
|
||||||
+
|
|
||||||
+ len = slen;
|
|
||||||
+ if ((sig = malloc(slen)) == NULL) {
|
|
||||||
+ return SSH_ERR_ALLOC_FAIL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if ((ctx = EVP_MD_CTX_new()) == NULL) {
|
|
||||||
+ ret = SSH_ERR_ALLOC_FAIL;
|
|
||||||
+ goto error;
|
|
||||||
+ }
|
|
||||||
+ if (EVP_SignInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 ||
|
|
||||||
+ EVP_SignUpdate(ctx, data, datalen) <= 0 ||
|
|
||||||
+ EVP_SignFinal(ctx, sig, &len, pkey) <= 0) {
|
|
||||||
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
||||||
+ goto error;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ *sigp = sig;
|
|
||||||
+ *lenp = len;
|
|
||||||
+ /* Now owned by the caller */
|
|
||||||
+ sig = NULL;
|
|
||||||
+ ret = 0;
|
|
||||||
+
|
|
||||||
+error:
|
|
||||||
+ EVP_MD_CTX_free(ctx);
|
|
||||||
+ free(sig);
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int
|
|
||||||
+sshkey_verify_signature(EVP_PKEY *pkey, int hash_alg, const u_char *data,
|
|
||||||
+ size_t datalen, u_char *sigbuf, int siglen)
|
|
||||||
+{
|
|
||||||
+ EVP_MD_CTX *ctx = NULL;
|
|
||||||
+ int ret;
|
|
||||||
+
|
|
||||||
+ if ((ctx = EVP_MD_CTX_new()) == NULL) {
|
|
||||||
+ return SSH_ERR_ALLOC_FAIL;
|
|
||||||
+ }
|
|
||||||
+ if (EVP_VerifyInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 ||
|
|
||||||
+ EVP_VerifyUpdate(ctx, data, datalen) <= 0) {
|
|
||||||
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ ret = EVP_VerifyFinal(ctx, sigbuf, siglen, pkey);
|
|
||||||
+ switch (ret) {
|
|
||||||
+ case 1:
|
|
||||||
+ ret = 0;
|
|
||||||
+ break;
|
|
||||||
+ case 0:
|
|
||||||
+ ret = SSH_ERR_SIGNATURE_INVALID;
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+done:
|
|
||||||
+ EVP_MD_CTX_free(ctx);
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/* XXX: these are really begging for a table-driven approach */
|
|
||||||
int
|
|
||||||
sshkey_curve_name_to_nid(const char *name)
|
|
||||||
diff --git a/sshkey.h b/sshkey.h
|
|
||||||
index a91e60436..270901a87 100644
|
|
||||||
--- a/sshkey.h
|
|
||||||
+++ b/sshkey.h
|
|
||||||
@@ -179,6 +179,10 @@ const char *sshkey_ssh_name(const struct sshkey *);
|
|
||||||
const char *sshkey_ssh_name_plain(const struct sshkey *);
|
|
||||||
int sshkey_names_valid2(const char *, int);
|
|
||||||
char *sshkey_alg_list(int, int, int, char);
|
|
||||||
+int sshkey_calculate_signature(EVP_PKEY*, int, u_char **,
|
|
||||||
+ int *, const u_char *, size_t);
|
|
||||||
+int sshkey_verify_signature(EVP_PKEY *, int, const u_char *,
|
|
||||||
+ size_t, u_char *, int);
|
|
||||||
|
|
||||||
int sshkey_from_blob(const u_char *, size_t, struct sshkey **);
|
|
||||||
int sshkey_fromb(struct sshbuf *, struct sshkey **);
|
|
||||||
|
|
@ -1,324 +0,0 @@
|
|||||||
From eb0d8e708a1f958aecd2d6e2ff2450af488d4c2a Mon Sep 17 00:00:00 2001
|
|
||||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
|
||||||
Date: Mon, 15 Jul 2019 13:16:29 +0000
|
|
||||||
Subject: [PATCH] upstream: support PKCS8 as an optional format for storage of
|
|
||||||
|
|
||||||
private keys, enabled via "ssh-keygen -m PKCS8" on operations that save
|
|
||||||
private keys to disk.
|
|
||||||
|
|
||||||
The OpenSSH native key format remains the default, but PKCS8 is a
|
|
||||||
superior format to PEM if interoperability with non-OpenSSH software
|
|
||||||
is required, as it may use a less terrible KDF (IIRC PEM uses a single
|
|
||||||
round of MD5 as a KDF).
|
|
||||||
|
|
||||||
adapted from patch by Jakub Jelen via bz3013; ok markus
|
|
||||||
|
|
||||||
OpenBSD-Commit-ID: 027824e3bc0b1c243dc5188504526d73a55accb1
|
|
||||||
---
|
|
||||||
authfile.c | 6 ++--
|
|
||||||
ssh-keygen.1 | 9 +++---
|
|
||||||
ssh-keygen.c | 25 +++++++++--------
|
|
||||||
sshkey.c | 78 +++++++++++++++++++++++++++++++++++++---------------
|
|
||||||
sshkey.h | 11 ++++++--
|
|
||||||
5 files changed, 87 insertions(+), 42 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/authfile.c b/authfile.c
|
|
||||||
index 2166c1689..851c1a8a1 100644
|
|
||||||
--- a/authfile.c
|
|
||||||
+++ b/authfile.c
|
|
||||||
@@ -74,7 +74,7 @@ sshkey_save_private_blob(struct sshbuf *keybuf, const char *filename)
|
|
||||||
int
|
|
||||||
sshkey_save_private(struct sshkey *key, const char *filename,
|
|
||||||
const char *passphrase, const char *comment,
|
|
||||||
- int force_new_format, const char *new_format_cipher, int new_format_rounds)
|
|
||||||
+ int format, const char *openssh_format_cipher, int openssh_format_rounds)
|
|
||||||
{
|
|
||||||
struct sshbuf *keyblob = NULL;
|
|
||||||
int r;
|
|
||||||
@@ -82,7 +82,7 @@ sshkey_save_private(struct sshkey *key, const char *filename,
|
|
||||||
if ((keyblob = sshbuf_new()) == NULL)
|
|
||||||
return SSH_ERR_ALLOC_FAIL;
|
|
||||||
if ((r = sshkey_private_to_fileblob(key, keyblob, passphrase, comment,
|
|
||||||
- force_new_format, new_format_cipher, new_format_rounds)) != 0)
|
|
||||||
+ format, openssh_format_cipher, openssh_format_rounds)) != 0)
|
|
||||||
goto out;
|
|
||||||
if ((r = sshkey_save_private_blob(keyblob, filename)) != 0)
|
|
||||||
goto out;
|
|
||||||
diff --git a/ssh-keygen.1 b/ssh-keygen.1
|
|
||||||
index f42127c60..8184a1797 100644
|
|
||||||
--- a/ssh-keygen.1
|
|
||||||
+++ b/ssh-keygen.1
|
|
||||||
@@ -419,11 +419,12 @@ The supported key formats are:
|
|
||||||
.Dq RFC4716
|
|
||||||
(RFC 4716/SSH2 public or private key),
|
|
||||||
.Dq PKCS8
|
|
||||||
-(PEM PKCS8 public key)
|
|
||||||
+(PKCS8 public or private key)
|
|
||||||
or
|
|
||||||
.Dq PEM
|
|
||||||
(PEM public key).
|
|
||||||
-The default conversion format is
|
|
||||||
+By default OpenSSH will write newly-generated private keys in its own
|
|
||||||
+format, but when converting public keys for export the default format is
|
|
||||||
.Dq RFC4716 .
|
|
||||||
Setting a format of
|
|
||||||
.Dq PEM
|
|
||||||
diff --git a/ssh-keygen.c b/ssh-keygen.c
|
|
||||||
index b019a02ff..5dcad1f61 100644
|
|
||||||
--- a/ssh-keygen.c
|
|
||||||
+++ b/ssh-keygen.c
|
|
||||||
@@ -147,11 +147,11 @@ static char *key_type_name = NULL;
|
|
||||||
/* Load key from this PKCS#11 provider */
|
|
||||||
static char *pkcs11provider = NULL;
|
|
||||||
|
|
||||||
-/* Use new OpenSSH private key format when writing SSH2 keys instead of PEM */
|
|
||||||
-static int use_new_format = 1;
|
|
||||||
+/* Format for writing private keys */
|
|
||||||
+static int private_key_format = SSHKEY_PRIVATE_OPENSSH;
|
|
||||||
|
|
||||||
/* Cipher for new-format private keys */
|
|
||||||
-static char *new_format_cipher = NULL;
|
|
||||||
+static char *openssh_format_cipher = NULL;
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Number of KDF rounds to derive new format keys /
|
|
||||||
@@ -1048,7 +1048,8 @@ do_gen_all_hostkeys(struct passwd *pw)
|
|
||||||
snprintf(comment, sizeof comment, "%s@%s", pw->pw_name,
|
|
||||||
hostname);
|
|
||||||
if ((r = sshkey_save_private(private, prv_tmp, "",
|
|
||||||
- comment, use_new_format, new_format_cipher, rounds)) != 0) {
|
|
||||||
+ comment, private_key_format, openssh_format_cipher,
|
|
||||||
+ rounds)) != 0) {
|
|
||||||
error("Saving key \"%s\" failed: %s",
|
|
||||||
prv_tmp, ssh_err(r));
|
|
||||||
goto failnext;
|
|
||||||
@@ -1391,7 +1392,7 @@ do_change_passphrase(struct passwd *pw)
|
|
||||||
|
|
||||||
/* Save the file using the new passphrase. */
|
|
||||||
if ((r = sshkey_save_private(private, identity_file, passphrase1,
|
|
||||||
- comment, use_new_format, new_format_cipher, rounds)) != 0) {
|
|
||||||
+ comment, private_key_format, openssh_format_cipher, rounds)) != 0) {
|
|
||||||
error("Saving key \"%s\" failed: %s.",
|
|
||||||
identity_file, ssh_err(r));
|
|
||||||
explicit_bzero(passphrase1, strlen(passphrase1));
|
|
||||||
@@ -1480,7 +1481,7 @@ do_change_comment(struct passwd *pw, const char *identity_comment)
|
|
||||||
}
|
|
||||||
|
|
||||||
if (private->type != KEY_ED25519 && private->type != KEY_XMSS &&
|
|
||||||
- !use_new_format) {
|
|
||||||
+ private_key_format != SSHKEY_PRIVATE_OPENSSH) {
|
|
||||||
error("Comments are only supported for keys stored in "
|
|
||||||
"the new format (-o).");
|
|
||||||
explicit_bzero(passphrase, strlen(passphrase));
|
|
||||||
@@ -1514,7 +1515,8 @@ do_change_comment(struct passwd *pw, const char *identity_comment)
|
|
||||||
|
|
||||||
/* Save the file using the new passphrase. */
|
|
||||||
if ((r = sshkey_save_private(private, identity_file, passphrase,
|
|
||||||
- new_comment, use_new_format, new_format_cipher, rounds)) != 0) {
|
|
||||||
+ new_comment, private_key_format, openssh_format_cipher,
|
|
||||||
+ rounds)) != 0) {
|
|
||||||
error("Saving key \"%s\" failed: %s",
|
|
||||||
identity_file, ssh_err(r));
|
|
||||||
explicit_bzero(passphrase, strlen(passphrase));
|
|
||||||
@@ -2525,11 +2527,12 @@ main(int argc, char **argv)
|
|
||||||
}
|
|
||||||
if (strcasecmp(optarg, "PKCS8") == 0) {
|
|
||||||
convert_format = FMT_PKCS8;
|
|
||||||
+ private_key_format = SSHKEY_PRIVATE_PKCS8;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
if (strcasecmp(optarg, "PEM") == 0) {
|
|
||||||
convert_format = FMT_PEM;
|
|
||||||
- use_new_format = 0;
|
|
||||||
+ private_key_format = SSHKEY_PRIVATE_PEM;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
fatal("Unsupported conversion format \"%s\"", optarg);
|
|
||||||
@@ -2567,7 +2570,7 @@ main(int argc, char **argv)
|
|
||||||
add_cert_option(optarg);
|
|
||||||
break;
|
|
||||||
case 'Z':
|
|
||||||
- new_format_cipher = optarg;
|
|
||||||
+ openssh_format_cipher = optarg;
|
|
||||||
break;
|
|
||||||
case 'C':
|
|
||||||
identity_comment = optarg;
|
|
||||||
@@ -2912,7 +2915,7 @@ main(int argc, char **argv)
|
|
||||||
|
|
||||||
/* Save the key with the given passphrase and comment. */
|
|
||||||
if ((r = sshkey_save_private(private, identity_file, passphrase1,
|
|
||||||
- comment, use_new_format, new_format_cipher, rounds)) != 0) {
|
|
||||||
+ comment, private_key_format, openssh_format_cipher, rounds)) != 0) {
|
|
||||||
error("Saving key \"%s\" failed: %s",
|
|
||||||
identity_file, ssh_err(r));
|
|
||||||
explicit_bzero(passphrase1, strlen(passphrase1));
|
|
||||||
diff --git a/sshkey.c b/sshkey.c
|
|
||||||
index 6b5ff0485..a0cea9257 100644
|
|
||||||
--- a/sshkey.c
|
|
||||||
+++ b/sshkey.c
|
|
||||||
@@ -3975,10 +3975,10 @@ sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase,
|
|
||||||
|
|
||||||
|
|
||||||
#ifdef WITH_OPENSSL
|
|
||||||
-/* convert SSH v2 key in OpenSSL PEM format */
|
|
||||||
+/* convert SSH v2 key to PEM or PKCS#8 format */
|
|
||||||
static int
|
|
||||||
-sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob,
|
|
||||||
- const char *_passphrase, const char *comment)
|
|
||||||
+sshkey_private_to_blob_pem_pkcs8(struct sshkey *key, struct sshbuf *blob,
|
|
||||||
+ int format, const char *_passphrase, const char *comment)
|
|
||||||
{
|
|
||||||
int success, r;
|
|
||||||
int blen, len = strlen(_passphrase);
|
|
||||||
@@ -3988,26 +3988,46 @@ sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *buf,
|
|
||||||
const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL;
|
|
||||||
char *bptr;
|
|
||||||
BIO *bio = NULL;
|
|
||||||
+ EVP_PKEY *pkey = NULL;
|
|
||||||
|
|
||||||
if (len > 0 && len <= 4)
|
|
||||||
return SSH_ERR_PASSPHRASE_TOO_SHORT;
|
|
||||||
- if ((bio = BIO_new(BIO_s_mem())) == NULL)
|
|
||||||
- return SSH_ERR_ALLOC_FAIL;
|
|
||||||
+ if ((bio = BIO_new(BIO_s_mem())) == NULL) {
|
|
||||||
+ r = SSH_ERR_ALLOC_FAIL;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (format == SSHKEY_PRIVATE_PKCS8 && (pkey = EVP_PKEY_new()) == NULL) {
|
|
||||||
+ r = SSH_ERR_ALLOC_FAIL;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
switch (key->type) {
|
|
||||||
case KEY_DSA:
|
|
||||||
- success = PEM_write_bio_DSAPrivateKey(bio, key->dsa,
|
|
||||||
- cipher, passphrase, len, NULL, NULL);
|
|
||||||
+ if (format == SSHKEY_PRIVATE_PEM) {
|
|
||||||
+ success = PEM_write_bio_DSAPrivateKey(bio, key->dsa,
|
|
||||||
+ cipher, passphrase, len, NULL, NULL);
|
|
||||||
+ } else {
|
|
||||||
+ success = EVP_PKEY_set1_DSA(pkey, key->dsa);
|
|
||||||
+ }
|
|
||||||
break;
|
|
||||||
#ifdef OPENSSL_HAS_ECC
|
|
||||||
case KEY_ECDSA:
|
|
||||||
- success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa,
|
|
||||||
- cipher, passphrase, len, NULL, NULL);
|
|
||||||
+ if (format == SSHKEY_PRIVATE_PEM) {
|
|
||||||
+ success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa,
|
|
||||||
+ cipher, passphrase, len, NULL, NULL);
|
|
||||||
+ } else {
|
|
||||||
+ success = EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa);
|
|
||||||
+ }
|
|
||||||
break;
|
|
||||||
#endif
|
|
||||||
case KEY_RSA:
|
|
||||||
- success = PEM_write_bio_RSAPrivateKey(bio, key->rsa,
|
|
||||||
- cipher, passphrase, len, NULL, NULL);
|
|
||||||
+ if (format == SSHKEY_PRIVATE_PEM) {
|
|
||||||
+ success = PEM_write_bio_RSAPrivateKey(bio, key->rsa,
|
|
||||||
+ cipher, passphrase, len, NULL, NULL);
|
|
||||||
+ } else {
|
|
||||||
+ success = EVP_PKEY_set1_RSA(pkey, key->rsa);
|
|
||||||
+ }
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
success = 0;
|
|
||||||
@@ -4023,6 +4040,13 @@ sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *buf,
|
|
||||||
r = SSH_ERR_LIBCRYPTO_ERROR;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
+ if (format == SSHKEY_PRIVATE_PKCS8) {
|
|
||||||
+ if ((success = PEM_write_bio_PrivateKey(bio, pkey, cipher,
|
|
||||||
+ passphrase, len, NULL, NULL)) == 0) {
|
|
||||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) {
|
|
||||||
r = SSH_ERR_INTERNAL_ERROR;
|
|
||||||
goto out;
|
|
||||||
@@ -4035,6 +4059,7 @@ sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *buf,
|
|
||||||
goto out;
|
|
||||||
r = 0;
|
|
||||||
out:
|
|
||||||
+ EVP_PKEY_free(pkey);
|
|
||||||
BIO_free(bio);
|
|
||||||
return r;
|
|
||||||
}
|
|
||||||
@@ -4046,29 +4071,38 @@ sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *buf,
|
|
||||||
int
|
|
||||||
sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob,
|
|
||||||
const char *passphrase, const char *comment,
|
|
||||||
- int force_new_format, const char *new_format_cipher, int new_format_rounds)
|
|
||||||
+ int format, const char *openssh_format_cipher, int openssh_format_rounds)
|
|
||||||
{
|
|
||||||
switch (key->type) {
|
|
||||||
#ifdef WITH_OPENSSL
|
|
||||||
case KEY_DSA:
|
|
||||||
case KEY_ECDSA:
|
|
||||||
case KEY_RSA:
|
|
||||||
- if (force_new_format) {
|
|
||||||
- return sshkey_private_to_blob2(key, blob, passphrase,
|
|
||||||
- comment, new_format_cipher, new_format_rounds);
|
|
||||||
- }
|
|
||||||
- return sshkey_private_pem_to_blob(key, blob,
|
|
||||||
- passphrase, comment);
|
|
||||||
+ break; /* see below */
|
|
||||||
#endif /* WITH_OPENSSL */
|
|
||||||
case KEY_ED25519:
|
|
||||||
#ifdef WITH_XMSS
|
|
||||||
case KEY_XMSS:
|
|
||||||
#endif /* WITH_XMSS */
|
|
||||||
return sshkey_private_to_blob2(key, blob, passphrase,
|
|
||||||
- comment, new_format_cipher, new_format_rounds);
|
|
||||||
+ comment, openssh_format_cipher, openssh_format_rounds);
|
|
||||||
default:
|
|
||||||
return SSH_ERR_KEY_TYPE_UNKNOWN;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+#ifdef WITH_OPENSSL
|
|
||||||
+ switch (format) {
|
|
||||||
+ case SSHKEY_PRIVATE_OPENSSH:
|
|
||||||
+ return sshkey_private_to_blob2(key, blob, passphrase,
|
|
||||||
+ comment, openssh_format_cipher, openssh_format_rounds);
|
|
||||||
+ case SSHKEY_PRIVATE_PEM:
|
|
||||||
+ case SSHKEY_PRIVATE_PKCS8:
|
|
||||||
+ return sshkey_private_to_blob_pem_pkcs8(key, blob,
|
|
||||||
+ format, passphrase, comment);
|
|
||||||
+ default:
|
|
||||||
+ return SSH_ERR_INVALID_ARGUMENT;
|
|
||||||
+ }
|
|
||||||
+#endif /* WITH_OPENSSL */
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
diff --git a/sshkey.h b/sshkey.h
|
|
||||||
index 41d159a1b..d30a69cc9 100644
|
|
||||||
--- a/sshkey.h
|
|
||||||
+++ b/sshkey.h
|
|
||||||
@@ -88,6 +88,13 @@ enum sshkey_serialize_rep {
|
|
||||||
SSHKEY_SERIALIZE_INFO = 254,
|
|
||||||
};
|
|
||||||
|
|
||||||
+/* Private key disk formats */
|
|
||||||
+enum sshkey_private_format {
|
|
||||||
+ SSHKEY_PRIVATE_OPENSSH = 0,
|
|
||||||
+ SSHKEY_PRIVATE_PEM = 1,
|
|
||||||
+ SSHKEY_PRIVATE_PKCS8 = 2,
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
/* key is stored in external hardware */
|
|
||||||
#define SSHKEY_FLAG_EXT 0x0001
|
|
||||||
|
|
||||||
@@ -221,7 +228,7 @@ int sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **keyp);
|
|
||||||
/* private key file format parsing and serialisation */
|
|
||||||
int sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob,
|
|
||||||
const char *passphrase, const char *comment,
|
|
||||||
- int force_new_format, const char *new_format_cipher, int new_format_rounds);
|
|
||||||
+ int format, const char *openssh_format_cipher, int openssh_format_rounds);
|
|
||||||
int sshkey_parse_private_fileblob(struct sshbuf *buffer,
|
|
||||||
const char *passphrase, struct sshkey **keyp, char **commentp);
|
|
||||||
int sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,
|
|
||||||
|
|
@ -1,33 +0,0 @@
|
|||||||
From de1f3564cd85915b3002859873a37cb8d31ac9ce Mon Sep 17 00:00:00 2001
|
|
||||||
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
|
|
||||||
Date: Tue, 18 Feb 2020 08:49:49 +0000
|
|
||||||
Subject: [PATCH] upstream: Detect and prevent simple configuration loops when
|
|
||||||
using
|
|
||||||
|
|
||||||
ProxyJump. bz#3057, ok djm@
|
|
||||||
|
|
||||||
OpenBSD-Commit-ID: 077d21c564c886c98309d871ed6f8ef267b9f037
|
|
||||||
---
|
|
||||||
ssh.c | 10 +++++++++-
|
|
||||||
1 file changed, 9 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/ssh.c b/ssh.c
|
|
||||||
index 15aee569e..a983a108b 100644
|
|
||||||
--- a/ssh.c
|
|
||||||
+++ b/ssh.c
|
|
||||||
@@ -1208,6 +1208,14 @@ main(int ac, char **av)
|
|
||||||
if (options.jump_host != NULL) {
|
|
||||||
char port_s[8];
|
|
||||||
const char *sshbin = argv0;
|
|
||||||
+ int port = options.port, jumpport = options.jump_port;
|
|
||||||
+
|
|
||||||
+ if (port <= 0)
|
|
||||||
+ port = default_ssh_port();
|
|
||||||
+ if (jumpport <= 0)
|
|
||||||
+ jumpport = default_ssh_port();
|
|
||||||
+ if (strcmp(options.jump_host, host) == 0 && port == jumpport)
|
|
||||||
+ fatal("jumphost loop via %s", options.jump_host);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Try to use SSH indicated by argv[0], but fall back to
|
|
||||||
|
|
@ -1,44 +0,0 @@
|
|||||||
commit 5481d0b4036b33b92c372ee36258ed11bff57d5d
|
|
||||||
Author: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
Date: Thu Feb 27 10:07:33 2020 +0100
|
|
||||||
|
|
||||||
Mark the RDomain configuration option unsupported on non-openbsd builds
|
|
||||||
|
|
||||||
diff --git a/servconf.c b/servconf.c
|
|
||||||
index db80e943..153d2525 100644
|
|
||||||
--- a/servconf.c
|
|
||||||
+++ b/servconf.c
|
|
||||||
@@ -698,7 +698,11 @@ static struct {
|
|
||||||
{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
|
|
||||||
{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
|
|
||||||
{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
|
|
||||||
+#if defined(__OpenBSD__)
|
|
||||||
{ "rdomain", sRDomain, SSHCFG_ALL },
|
|
||||||
+#else
|
|
||||||
+ { "rdomain", sUnsupported, SSHCFG_ALL },
|
|
||||||
+#endif
|
|
||||||
{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
|
|
||||||
{ NULL, sBadOption, 0 }
|
|
||||||
};
|
|
||||||
@@ -2841,7 +2845,9 @@ dump_config(ServerOptions *o)
|
|
||||||
o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
|
|
||||||
dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
|
|
||||||
o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
|
|
||||||
+#if defined(__OpenBSD__)
|
|
||||||
dump_cfg_string(sRDomain, o->routing_domain);
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
/* string arguments requiring a lookup */
|
|
||||||
dump_cfg_string(sLogLevel, log_level_name(o->log_level));
|
|
||||||
diff --git a/sshd_config.5 b/sshd_config.5
|
|
||||||
index 5dca8981..766e9b90 100644
|
|
||||||
--- a/sshd_config.5
|
|
||||||
+++ b/sshd_config.5
|
|
||||||
@@ -1542,6 +1542,7 @@ will be bound to this
|
|
||||||
If the routing domain is set to
|
|
||||||
.Cm \&%D ,
|
|
||||||
then the domain in which the incoming connection was received will be applied.
|
|
||||||
+This feature is available on OpenBSD only.
|
|
||||||
.It Cm SetEnv
|
|
||||||
Specifies one or more environment variables to set in child sessions started
|
|
||||||
by
|
|
@ -1,311 +0,0 @@
|
|||||||
diff -up openssh-8.0p1/channels.c.restore-nonblock openssh-8.0p1/channels.c
|
|
||||||
--- openssh-8.0p1/channels.c.restore-nonblock 2021-06-21 10:44:26.380559612 +0200
|
|
||||||
+++ openssh-8.0p1/channels.c 2021-06-21 10:48:47.754579151 +0200
|
|
||||||
@@ -333,7 +333,27 @@ channel_register_fds(struct ssh *ssh, Ch
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* enable nonblocking mode */
|
|
||||||
- if (nonblock) {
|
|
||||||
+ c->restore_block = 0;
|
|
||||||
+ if (nonblock == CHANNEL_NONBLOCK_STDIO) {
|
|
||||||
+ /*
|
|
||||||
+ * Special handling for stdio file descriptors: do not set
|
|
||||||
+ * non-blocking mode if they are TTYs. Otherwise prepare to
|
|
||||||
+ * restore their blocking state on exit to avoid interfering
|
|
||||||
+ * with other programs that follow.
|
|
||||||
+ */
|
|
||||||
+ if (rfd != -1 && !isatty(rfd) && fcntl(rfd, F_GETFL) == 0) {
|
|
||||||
+ c->restore_block |= CHANNEL_RESTORE_RFD;
|
|
||||||
+ set_nonblock(rfd);
|
|
||||||
+ }
|
|
||||||
+ if (wfd != -1 && !isatty(wfd) && fcntl(wfd, F_GETFL) == 0) {
|
|
||||||
+ c->restore_block |= CHANNEL_RESTORE_WFD;
|
|
||||||
+ set_nonblock(wfd);
|
|
||||||
+ }
|
|
||||||
+ if (efd != -1 && !isatty(efd) && fcntl(efd, F_GETFL) == 0) {
|
|
||||||
+ c->restore_block |= CHANNEL_RESTORE_EFD;
|
|
||||||
+ set_nonblock(efd);
|
|
||||||
+ }
|
|
||||||
+ } else if (nonblock) {
|
|
||||||
if (rfd != -1)
|
|
||||||
set_nonblock(rfd);
|
|
||||||
if (wfd != -1)
|
|
||||||
@@ -422,17 +442,23 @@ channel_find_maxfd(struct ssh_channels *
|
|
||||||
}
|
|
||||||
|
|
||||||
int
|
|
||||||
-channel_close_fd(struct ssh *ssh, int *fdp)
|
|
||||||
+channel_close_fd(struct ssh *ssh, Channel *c, int *fdp)
|
|
||||||
{
|
|
||||||
struct ssh_channels *sc = ssh->chanctxt;
|
|
||||||
- int ret = 0, fd = *fdp;
|
|
||||||
+ int ret, fd = *fdp;
|
|
||||||
|
|
||||||
- if (fd != -1) {
|
|
||||||
- ret = close(fd);
|
|
||||||
- *fdp = -1;
|
|
||||||
- if (fd == sc->channel_max_fd)
|
|
||||||
- channel_find_maxfd(sc);
|
|
||||||
- }
|
|
||||||
+ if (fd == -1)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ if ((*fdp == c->rfd && (c->restore_block & CHANNEL_RESTORE_RFD) != 0) ||
|
|
||||||
+ (*fdp == c->wfd && (c->restore_block & CHANNEL_RESTORE_WFD) != 0) ||
|
|
||||||
+ (*fdp == c->efd && (c->restore_block & CHANNEL_RESTORE_EFD) != 0))
|
|
||||||
+ (void)fcntl(*fdp, F_SETFL, 0); /* restore blocking */
|
|
||||||
+
|
|
||||||
+ ret = close(fd);
|
|
||||||
+ *fdp = -1;
|
|
||||||
+ if (fd == sc->channel_max_fd)
|
|
||||||
+ channel_find_maxfd(sc);
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -442,13 +468,13 @@ channel_close_fds(struct ssh *ssh, Chann
|
|
||||||
{
|
|
||||||
int sock = c->sock, rfd = c->rfd, wfd = c->wfd, efd = c->efd;
|
|
||||||
|
|
||||||
- channel_close_fd(ssh, &c->sock);
|
|
||||||
+ channel_close_fd(ssh, c, &c->sock);
|
|
||||||
if (rfd != sock)
|
|
||||||
- channel_close_fd(ssh, &c->rfd);
|
|
||||||
+ channel_close_fd(ssh, c, &c->rfd);
|
|
||||||
if (wfd != sock && wfd != rfd)
|
|
||||||
- channel_close_fd(ssh, &c->wfd);
|
|
||||||
+ channel_close_fd(ssh, c, &c->wfd);
|
|
||||||
if (efd != sock && efd != rfd && efd != wfd)
|
|
||||||
- channel_close_fd(ssh, &c->efd);
|
|
||||||
+ channel_close_fd(ssh, c, &c->efd);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
@@ -681,7 +707,7 @@ channel_stop_listening(struct ssh *ssh)
|
|
||||||
case SSH_CHANNEL_X11_LISTENER:
|
|
||||||
case SSH_CHANNEL_UNIX_LISTENER:
|
|
||||||
case SSH_CHANNEL_RUNIX_LISTENER:
|
|
||||||
- channel_close_fd(ssh, &c->sock);
|
|
||||||
+ channel_close_fd(ssh, c, &c->sock);
|
|
||||||
channel_free(ssh, c);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
@@ -1487,7 +1513,8 @@ channel_decode_socks5(Channel *c, struct
|
|
||||||
|
|
||||||
Channel *
|
|
||||||
channel_connect_stdio_fwd(struct ssh *ssh,
|
|
||||||
- const char *host_to_connect, u_short port_to_connect, int in, int out)
|
|
||||||
+ const char *host_to_connect, u_short port_to_connect,
|
|
||||||
+ int in, int out, int nonblock)
|
|
||||||
{
|
|
||||||
Channel *c;
|
|
||||||
|
|
||||||
@@ -1495,7 +1522,7 @@ channel_connect_stdio_fwd(struct ssh *ss
|
|
||||||
|
|
||||||
c = channel_new(ssh, "stdio-forward", SSH_CHANNEL_OPENING, in, out,
|
|
||||||
-1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
|
|
||||||
- 0, "stdio-forward", /*nonblock*/0);
|
|
||||||
+ 0, "stdio-forward", nonblock);
|
|
||||||
|
|
||||||
c->path = xstrdup(host_to_connect);
|
|
||||||
c->host_port = port_to_connect;
|
|
||||||
@@ -1650,7 +1677,7 @@ channel_post_x11_listener(struct ssh *ss
|
|
||||||
if (c->single_connection) {
|
|
||||||
oerrno = errno;
|
|
||||||
debug2("single_connection: closing X11 listener.");
|
|
||||||
- channel_close_fd(ssh, &c->sock);
|
|
||||||
+ channel_close_fd(ssh, c, &c->sock);
|
|
||||||
chan_mark_dead(ssh, c);
|
|
||||||
errno = oerrno;
|
|
||||||
}
|
|
||||||
@@ -2087,7 +2114,7 @@ channel_handle_efd_write(struct ssh *ssh
|
|
||||||
return 1;
|
|
||||||
if (len <= 0) {
|
|
||||||
debug2("channel %d: closing write-efd %d", c->self, c->efd);
|
|
||||||
- channel_close_fd(ssh, &c->efd);
|
|
||||||
+ channel_close_fd(ssh, c, &c->efd);
|
|
||||||
} else {
|
|
||||||
if ((r = sshbuf_consume(c->extended, len)) != 0) {
|
|
||||||
fatal("%s: channel %d: consume: %s",
|
|
||||||
@@ -2119,7 +2146,7 @@ channel_handle_efd_read(struct ssh *ssh,
|
|
||||||
if (len <= 0) {
|
|
||||||
debug2("channel %d: closing read-efd %d",
|
|
||||||
c->self, c->efd);
|
|
||||||
- channel_close_fd(ssh, &c->efd);
|
|
||||||
+ channel_close_fd(ssh, c, &c->efd);
|
|
||||||
} else {
|
|
||||||
if (c->extended_usage == CHAN_EXTENDED_IGNORE) {
|
|
||||||
debug3("channel %d: discard efd",
|
|
||||||
diff -up openssh-8.0p1/channels.h.restore-nonblock openssh-8.0p1/channels.h
|
|
||||||
--- openssh-8.0p1/channels.h.restore-nonblock 2021-06-21 10:44:26.380559612 +0200
|
|
||||||
+++ openssh-8.0p1/channels.h 2021-06-21 10:44:26.387559665 +0200
|
|
||||||
@@ -63,6 +63,16 @@
|
|
||||||
|
|
||||||
#define CHANNEL_CANCEL_PORT_STATIC -1
|
|
||||||
|
|
||||||
+/* nonblocking flags for channel_new */
|
|
||||||
+#define CHANNEL_NONBLOCK_LEAVE 0 /* don't modify non-blocking state */
|
|
||||||
+#define CHANNEL_NONBLOCK_SET 1 /* set non-blocking state */
|
|
||||||
+#define CHANNEL_NONBLOCK_STDIO 2 /* set non-blocking and restore on close */
|
|
||||||
+
|
|
||||||
+/* c->restore_block mask flags */
|
|
||||||
+#define CHANNEL_RESTORE_RFD 0x01
|
|
||||||
+#define CHANNEL_RESTORE_WFD 0x02
|
|
||||||
+#define CHANNEL_RESTORE_EFD 0x04
|
|
||||||
+
|
|
||||||
/* TCP forwarding */
|
|
||||||
#define FORWARD_DENY 0
|
|
||||||
#define FORWARD_REMOTE (1)
|
|
||||||
@@ -131,6 +141,7 @@ struct Channel {
|
|
||||||
* to a matching pre-select handler.
|
|
||||||
* this way post-select handlers are not
|
|
||||||
* accidentally called if a FD gets reused */
|
|
||||||
+ int restore_block; /* fd mask to restore blocking status */
|
|
||||||
struct sshbuf *input; /* data read from socket, to be sent over
|
|
||||||
* encrypted connection */
|
|
||||||
struct sshbuf *output; /* data received over encrypted connection for
|
|
||||||
@@ -258,7 +269,7 @@ void channel_register_filter(struct ssh
|
|
||||||
void channel_register_status_confirm(struct ssh *, int,
|
|
||||||
channel_confirm_cb *, channel_confirm_abandon_cb *, void *);
|
|
||||||
void channel_cancel_cleanup(struct ssh *, int);
|
|
||||||
-int channel_close_fd(struct ssh *, int *);
|
|
||||||
+int channel_close_fd(struct ssh *, Channel *, int *);
|
|
||||||
void channel_send_window_changes(struct ssh *);
|
|
||||||
|
|
||||||
/* mux proxy support */
|
|
||||||
@@ -305,7 +316,7 @@ Channel *channel_connect_to_port(struct
|
|
||||||
char *, char *, int *, const char **);
|
|
||||||
Channel *channel_connect_to_path(struct ssh *, const char *, char *, char *);
|
|
||||||
Channel *channel_connect_stdio_fwd(struct ssh *, const char*,
|
|
||||||
- u_short, int, int);
|
|
||||||
+ u_short, int, int, int);
|
|
||||||
Channel *channel_connect_by_listen_address(struct ssh *, const char *,
|
|
||||||
u_short, char *, char *);
|
|
||||||
Channel *channel_connect_by_listen_path(struct ssh *, const char *,
|
|
||||||
diff -up openssh-8.0p1/clientloop.c.restore-nonblock openssh-8.0p1/clientloop.c
|
|
||||||
--- openssh-8.0p1/clientloop.c.restore-nonblock 2021-06-21 10:44:26.290558923 +0200
|
|
||||||
+++ openssh-8.0p1/clientloop.c 2021-06-21 10:44:26.387559665 +0200
|
|
||||||
@@ -1436,14 +1436,6 @@ client_loop(struct ssh *ssh, int have_pt
|
|
||||||
if (have_pty)
|
|
||||||
leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE);
|
|
||||||
|
|
||||||
- /* restore blocking io */
|
|
||||||
- if (!isatty(fileno(stdin)))
|
|
||||||
- unset_nonblock(fileno(stdin));
|
|
||||||
- if (!isatty(fileno(stdout)))
|
|
||||||
- unset_nonblock(fileno(stdout));
|
|
||||||
- if (!isatty(fileno(stderr)))
|
|
||||||
- unset_nonblock(fileno(stderr));
|
|
||||||
-
|
|
||||||
/*
|
|
||||||
* If there was no shell or command requested, there will be no remote
|
|
||||||
* exit status to be returned. In that case, clear error code if the
|
|
||||||
diff -up openssh-8.0p1/mux.c.restore-nonblock openssh-8.0p1/mux.c
|
|
||||||
--- openssh-8.0p1/mux.c.restore-nonblock 2019-04-18 00:52:57.000000000 +0200
|
|
||||||
+++ openssh-8.0p1/mux.c 2021-06-21 10:50:51.007537336 +0200
|
|
||||||
@@ -454,14 +454,6 @@ mux_master_process_new_session(struct ss
|
|
||||||
if (cctx->want_tty && tcgetattr(new_fd[0], &cctx->tio) == -1)
|
|
||||||
error("%s: tcgetattr: %s", __func__, strerror(errno));
|
|
||||||
|
|
||||||
- /* enable nonblocking unless tty */
|
|
||||||
- if (!isatty(new_fd[0]))
|
|
||||||
- set_nonblock(new_fd[0]);
|
|
||||||
- if (!isatty(new_fd[1]))
|
|
||||||
- set_nonblock(new_fd[1]);
|
|
||||||
- if (!isatty(new_fd[2]))
|
|
||||||
- set_nonblock(new_fd[2]);
|
|
||||||
-
|
|
||||||
window = CHAN_SES_WINDOW_DEFAULT;
|
|
||||||
packetmax = CHAN_SES_PACKET_DEFAULT;
|
|
||||||
if (cctx->want_tty) {
|
|
||||||
@@ -471,7 +463,7 @@ mux_master_process_new_session(struct ss
|
|
||||||
|
|
||||||
nc = channel_new(ssh, "session", SSH_CHANNEL_OPENING,
|
|
||||||
new_fd[0], new_fd[1], new_fd[2], window, packetmax,
|
|
||||||
- CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0);
|
|
||||||
+ CHAN_EXTENDED_WRITE, "client-session", CHANNEL_NONBLOCK_STDIO);
|
|
||||||
|
|
||||||
nc->ctl_chan = c->self; /* link session -> control channel */
|
|
||||||
c->remote_id = nc->self; /* link control -> session channel */
|
|
||||||
@@ -1033,13 +1025,8 @@ mux_master_process_stdio_fwd(struct ssh
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* enable nonblocking unless tty */
|
|
||||||
- if (!isatty(new_fd[0]))
|
|
||||||
- set_nonblock(new_fd[0]);
|
|
||||||
- if (!isatty(new_fd[1]))
|
|
||||||
- set_nonblock(new_fd[1]);
|
|
||||||
-
|
|
||||||
- nc = channel_connect_stdio_fwd(ssh, chost, cport, new_fd[0], new_fd[1]);
|
|
||||||
+ nc = channel_connect_stdio_fwd(ssh, chost, cport, new_fd[0], new_fd[1],
|
|
||||||
+ CHANNEL_NONBLOCK_STDIO);
|
|
||||||
free(chost);
|
|
||||||
|
|
||||||
nc->ctl_chan = c->self; /* link session -> control channel */
|
|
||||||
diff -up openssh-8.0p1/nchan.c.restore-nonblock openssh-8.0p1/nchan.c
|
|
||||||
--- openssh-8.0p1/nchan.c.restore-nonblock 2021-06-21 10:44:26.388559673 +0200
|
|
||||||
+++ openssh-8.0p1/nchan.c 2021-06-21 10:52:42.685405537 +0200
|
|
||||||
@@ -387,7 +387,7 @@ chan_shutdown_write(struct ssh *ssh, Cha
|
|
||||||
strerror(errno));
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
- if (channel_close_fd(ssh, &c->wfd) < 0) {
|
|
||||||
+ if (channel_close_fd(ssh, c, &c->wfd) < 0) {
|
|
||||||
logit("channel %d: %s: close() failed for "
|
|
||||||
"fd %d [i%d o%d]: %.100s",
|
|
||||||
c->self, __func__, c->wfd, c->istate, c->ostate,
|
|
||||||
@@ -417,7 +417,7 @@ chan_shutdown_read(struct ssh *ssh, Chan
|
|
||||||
strerror(errno));
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
- if (channel_close_fd(ssh, &c->rfd) < 0) {
|
|
||||||
+ if (channel_close_fd(ssh, c, &c->rfd) < 0) {
|
|
||||||
logit("channel %d: %s: close() failed for "
|
|
||||||
"fd %d [i%d o%d]: %.100s",
|
|
||||||
c->self, __func__, c->rfd, c->istate, c->ostate,
|
|
||||||
@@ -437,7 +437,7 @@ chan_shutdown_extended_read(struct ssh *
|
|
||||||
debug2("channel %d: %s (i%d o%d sock %d wfd %d efd %d [%s])",
|
|
||||||
c->self, __func__, c->istate, c->ostate, c->sock, c->rfd, c->efd,
|
|
||||||
channel_format_extended_usage(c));
|
|
||||||
- if (channel_close_fd(ssh, &c->efd) < 0) {
|
|
||||||
+ if (channel_close_fd(ssh, c, &c->efd) < 0) {
|
|
||||||
logit("channel %d: %s: close() failed for "
|
|
||||||
"extended fd %d [i%d o%d]: %.100s",
|
|
||||||
c->self, __func__, c->efd, c->istate, c->ostate,
|
|
||||||
diff -up openssh-8.0p1/ssh.c.restore-nonblock openssh-8.0p1/ssh.c
|
|
||||||
--- openssh-8.0p1/ssh.c.restore-nonblock 2021-06-21 10:44:26.389559681 +0200
|
|
||||||
+++ openssh-8.0p1/ssh.c 2021-06-21 10:54:47.651377045 +0200
|
|
||||||
@@ -1709,7 +1709,8 @@ ssh_init_stdio_forwarding(struct ssh *ss
|
|
||||||
(out = dup(STDOUT_FILENO)) < 0)
|
|
||||||
fatal("channel_connect_stdio_fwd: dup() in/out failed");
|
|
||||||
if ((c = channel_connect_stdio_fwd(ssh, options.stdio_forward_host,
|
|
||||||
- options.stdio_forward_port, in, out)) == NULL)
|
|
||||||
+ options.stdio_forward_port, in, out,
|
|
||||||
+ CHANNEL_NONBLOCK_STDIO)) == NULL)
|
|
||||||
fatal("%s: channel_connect_stdio_fwd failed", __func__);
|
|
||||||
channel_register_cleanup(ssh, c->self, client_cleanup_stdio_fwd, 0);
|
|
||||||
channel_register_open_confirm(ssh, c->self, ssh_stdio_confirm, NULL);
|
|
||||||
@@ -1862,14 +1863,6 @@ ssh_session2_open(struct ssh *ssh)
|
|
||||||
if (in < 0 || out < 0 || err < 0)
|
|
||||||
fatal("dup() in/out/err failed");
|
|
||||||
|
|
||||||
- /* enable nonblocking unless tty */
|
|
||||||
- if (!isatty(in))
|
|
||||||
- set_nonblock(in);
|
|
||||||
- if (!isatty(out))
|
|
||||||
- set_nonblock(out);
|
|
||||||
- if (!isatty(err))
|
|
||||||
- set_nonblock(err);
|
|
||||||
-
|
|
||||||
window = CHAN_SES_WINDOW_DEFAULT;
|
|
||||||
packetmax = CHAN_SES_PACKET_DEFAULT;
|
|
||||||
if (tty_flag) {
|
|
||||||
@@ -1879,7 +1872,7 @@ ssh_session2_open(struct ssh *ssh)
|
|
||||||
c = channel_new(ssh,
|
|
||||||
"session", SSH_CHANNEL_OPENING, in, out, err,
|
|
||||||
window, packetmax, CHAN_EXTENDED_WRITE,
|
|
||||||
- "client-session", /*nonblock*/0);
|
|
||||||
+ "client-session", CHANNEL_NONBLOCK_STDIO);
|
|
||||||
|
|
||||||
debug3("%s: channel_new: %d", __func__, c->self);
|
|
||||||
|
|
@ -1,61 +0,0 @@
|
|||||||
diff --git a/regress/scp-ssh-wrapper.sh b/regress/scp-ssh-wrapper.sh
|
|
||||||
index 59f1ff63..dd48a482 100644
|
|
||||||
--- a/regress/scp-ssh-wrapper.sh
|
|
||||||
+++ b/regress/scp-ssh-wrapper.sh
|
|
||||||
@@ -51,6 +51,18 @@ badserver_4)
|
|
||||||
echo "C755 2 file"
|
|
||||||
echo "X"
|
|
||||||
;;
|
|
||||||
+badserver_5)
|
|
||||||
+ echo "D0555 0 "
|
|
||||||
+ echo "X"
|
|
||||||
+ ;;
|
|
||||||
+badserver_6)
|
|
||||||
+ echo "D0555 0 ."
|
|
||||||
+ echo "X"
|
|
||||||
+ ;;
|
|
||||||
+badserver_7)
|
|
||||||
+ echo "C0755 2 extrafile"
|
|
||||||
+ echo "X"
|
|
||||||
+ ;;
|
|
||||||
*)
|
|
||||||
set -- $arg
|
|
||||||
shift
|
|
||||||
diff --git a/regress/scp.sh b/regress/scp.sh
|
|
||||||
index 57cc7706..104c89e1 100644
|
|
||||||
--- a/regress/scp.sh
|
|
||||||
+++ b/regress/scp.sh
|
|
||||||
@@ -25,6 +25,7 @@ export SCP # used in scp-ssh-wrapper.scp
|
|
||||||
scpclean() {
|
|
||||||
rm -rf ${COPY} ${COPY2} ${DIR} ${DIR2}
|
|
||||||
mkdir ${DIR} ${DIR2}
|
|
||||||
+ chmod 755 ${DIR} ${DIR2}
|
|
||||||
}
|
|
||||||
|
|
||||||
verbose "$tid: simple copy local file to local file"
|
|
||||||
@@ -101,7 +102,7 @@ if [ ! -z "$SUDO" ]; then
|
|
||||||
$SUDO rm ${DIR2}/copy
|
|
||||||
fi
|
|
||||||
|
|
||||||
-for i in 0 1 2 3 4; do
|
|
||||||
+for i in 0 1 2 3 4 5 6 7; do
|
|
||||||
verbose "$tid: disallow bad server #$i"
|
|
||||||
SCPTESTMODE=badserver_$i
|
|
||||||
export DIR SCPTESTMODE
|
|
||||||
@@ -113,6 +114,15 @@ for i in 0 1 2 3 4; do
|
|
||||||
scpclean
|
|
||||||
$SCP -r $scpopts somehost:${DATA} ${DIR2} >/dev/null 2>/dev/null
|
|
||||||
[ -d ${DIR}/dotpathdir ] && fail "allows dir creation outside of subdir"
|
|
||||||
+
|
|
||||||
+ scpclean
|
|
||||||
+ $SCP -pr $scpopts somehost:${DATA} ${DIR2} >/dev/null 2>/dev/null
|
|
||||||
+ [ ! -w ${DIR2} ] && fail "allows target root attribute change"
|
|
||||||
+
|
|
||||||
+ scpclean
|
|
||||||
+ $SCP $scpopts somehost:${DATA} ${DIR2} >/dev/null 2>/dev/null
|
|
||||||
+ [ -e ${DIR2}/extrafile ] && fail "allows extranous object creation"
|
|
||||||
+ rm -f ${DIR2}/extrafile
|
|
||||||
done
|
|
||||||
|
|
||||||
verbose "$tid: detect non-directory target"
|
|
||||||
|
|
@ -1,273 +0,0 @@
|
|||||||
diff --color -ruN a/Makefile.in b/Makefile.in
|
|
||||||
--- a/Makefile.in 2022-06-23 11:31:10.168186838 +0200
|
|
||||||
+++ b/Makefile.in 2022-06-23 11:32:19.146513347 +0200
|
|
||||||
@@ -125,7 +125,7 @@
|
|
||||||
monitor.o monitor_wrap.o auth-krb5.o \
|
|
||||||
auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
|
|
||||||
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
|
|
||||||
- sftp-server.o sftp-common.o \
|
|
||||||
+ sftp-server.o sftp-common.o sftp-realpath.o \
|
|
||||||
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
|
|
||||||
sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
|
|
||||||
sandbox-solaris.o uidswap.o
|
|
||||||
@@ -217,8 +217,8 @@
|
|
||||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
|
||||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
|
||||||
|
|
||||||
-sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
|
|
||||||
- $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
+sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-realpath.o sftp-server.o sftp-server-main.o
|
|
||||||
+ $(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
|
|
||||||
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
|
|
||||||
$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
|
||||||
diff --color -ruN a/sftp-realpath.c b/sftp-realpath.c
|
|
||||||
--- a/sftp-realpath.c 1970-01-01 01:00:00.000000000 +0100
|
|
||||||
+++ b/sftp-realpath.c 2022-06-23 11:35:33.193244873 +0200
|
|
||||||
@@ -0,0 +1,225 @@
|
|
||||||
+/* $OpenBSD: sftp-realpath.c,v 1.2 2021/09/02 21:03:54 deraadt Exp $ */
|
|
||||||
+/*
|
|
||||||
+ * Copyright (c) 2003 Constantin S. Svintsoff <kostik@iclub.nsu.ru>
|
|
||||||
+ *
|
|
||||||
+ * Redistribution and use in source and binary forms, with or without
|
|
||||||
+ * modification, are permitted provided that the following conditions
|
|
||||||
+ * are met:
|
|
||||||
+ * 1. Redistributions of source code must retain the above copyright
|
|
||||||
+ * notice, this list of conditions and the following disclaimer.
|
|
||||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
||||||
+ * notice, this list of conditions and the following disclaimer in the
|
|
||||||
+ * documentation and/or other materials provided with the distribution.
|
|
||||||
+ * 3. The names of the authors may not be used to endorse or promote
|
|
||||||
+ * products derived from this software without specific prior written
|
|
||||||
+ * permission.
|
|
||||||
+ *
|
|
||||||
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
||||||
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
||||||
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
||||||
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
||||||
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
||||||
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
||||||
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
||||||
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
||||||
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
||||||
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
||||||
+ * SUCH DAMAGE.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#include "includes.h"
|
|
||||||
+
|
|
||||||
+#include <sys/types.h>
|
|
||||||
+#include <sys/stat.h>
|
|
||||||
+
|
|
||||||
+#include <errno.h>
|
|
||||||
+#include <stdlib.h>
|
|
||||||
+#include <stddef.h>
|
|
||||||
+#include <string.h>
|
|
||||||
+#include <unistd.h>
|
|
||||||
+#include <limits.h>
|
|
||||||
+
|
|
||||||
+#ifndef SYMLOOP_MAX
|
|
||||||
+# define SYMLOOP_MAX 32
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+/* XXX rewrite sftp-server to use POSIX realpath and remove this hack */
|
|
||||||
+
|
|
||||||
+char *sftp_realpath(const char *path, char *resolved);
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * char *realpath(const char *path, char resolved[PATH_MAX]);
|
|
||||||
+ *
|
|
||||||
+ * Find the real name of path, by removing all ".", ".." and symlink
|
|
||||||
+ * components. Returns (resolved) on success, or (NULL) on failure,
|
|
||||||
+ * in which case the path which caused trouble is left in (resolved).
|
|
||||||
+ */
|
|
||||||
+char *
|
|
||||||
+sftp_realpath(const char *path, char *resolved)
|
|
||||||
+{
|
|
||||||
+ struct stat sb;
|
|
||||||
+ char *p, *q, *s;
|
|
||||||
+ size_t left_len, resolved_len;
|
|
||||||
+ unsigned symlinks;
|
|
||||||
+ int serrno, slen, mem_allocated;
|
|
||||||
+ char left[PATH_MAX], next_token[PATH_MAX], symlink[PATH_MAX];
|
|
||||||
+
|
|
||||||
+ if (path[0] == '\0') {
|
|
||||||
+ errno = ENOENT;
|
|
||||||
+ return (NULL);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ serrno = errno;
|
|
||||||
+
|
|
||||||
+ if (resolved == NULL) {
|
|
||||||
+ resolved = malloc(PATH_MAX);
|
|
||||||
+ if (resolved == NULL)
|
|
||||||
+ return (NULL);
|
|
||||||
+ mem_allocated = 1;
|
|
||||||
+ } else
|
|
||||||
+ mem_allocated = 0;
|
|
||||||
+
|
|
||||||
+ symlinks = 0;
|
|
||||||
+ if (path[0] == '/') {
|
|
||||||
+ resolved[0] = '/';
|
|
||||||
+ resolved[1] = '\0';
|
|
||||||
+ if (path[1] == '\0')
|
|
||||||
+ return (resolved);
|
|
||||||
+ resolved_len = 1;
|
|
||||||
+ left_len = strlcpy(left, path + 1, sizeof(left));
|
|
||||||
+ } else {
|
|
||||||
+ if (getcwd(resolved, PATH_MAX) == NULL) {
|
|
||||||
+ if (mem_allocated)
|
|
||||||
+ free(resolved);
|
|
||||||
+ else
|
|
||||||
+ strlcpy(resolved, ".", PATH_MAX);
|
|
||||||
+ return (NULL);
|
|
||||||
+ }
|
|
||||||
+ resolved_len = strlen(resolved);
|
|
||||||
+ left_len = strlcpy(left, path, sizeof(left));
|
|
||||||
+ }
|
|
||||||
+ if (left_len >= sizeof(left) || resolved_len >= PATH_MAX) {
|
|
||||||
+ errno = ENAMETOOLONG;
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Iterate over path components in `left'.
|
|
||||||
+ */
|
|
||||||
+ while (left_len != 0) {
|
|
||||||
+ /*
|
|
||||||
+ * Extract the next path component and adjust `left'
|
|
||||||
+ * and its length.
|
|
||||||
+ */
|
|
||||||
+ p = strchr(left, '/');
|
|
||||||
+ s = p ? p : left + left_len;
|
|
||||||
+ if (s - left >= (ptrdiff_t)sizeof(next_token)) {
|
|
||||||
+ errno = ENAMETOOLONG;
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ memcpy(next_token, left, s - left);
|
|
||||||
+ next_token[s - left] = '\0';
|
|
||||||
+ left_len -= s - left;
|
|
||||||
+ if (p != NULL)
|
|
||||||
+ memmove(left, s + 1, left_len + 1);
|
|
||||||
+ if (resolved[resolved_len - 1] != '/') {
|
|
||||||
+ if (resolved_len + 1 >= PATH_MAX) {
|
|
||||||
+ errno = ENAMETOOLONG;
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ resolved[resolved_len++] = '/';
|
|
||||||
+ resolved[resolved_len] = '\0';
|
|
||||||
+ }
|
|
||||||
+ if (next_token[0] == '\0')
|
|
||||||
+ continue;
|
|
||||||
+ else if (strcmp(next_token, ".") == 0)
|
|
||||||
+ continue;
|
|
||||||
+ else if (strcmp(next_token, "..") == 0) {
|
|
||||||
+ /*
|
|
||||||
+ * Strip the last path component except when we have
|
|
||||||
+ * single "/"
|
|
||||||
+ */
|
|
||||||
+ if (resolved_len > 1) {
|
|
||||||
+ resolved[resolved_len - 1] = '\0';
|
|
||||||
+ q = strrchr(resolved, '/') + 1;
|
|
||||||
+ *q = '\0';
|
|
||||||
+ resolved_len = q - resolved;
|
|
||||||
+ }
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Append the next path component and lstat() it. If
|
|
||||||
+ * lstat() fails we still can return successfully if
|
|
||||||
+ * there are no more path components left.
|
|
||||||
+ */
|
|
||||||
+ resolved_len = strlcat(resolved, next_token, PATH_MAX);
|
|
||||||
+ if (resolved_len >= PATH_MAX) {
|
|
||||||
+ errno = ENAMETOOLONG;
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ if (lstat(resolved, &sb) != 0) {
|
|
||||||
+ if (errno == ENOENT && p == NULL) {
|
|
||||||
+ errno = serrno;
|
|
||||||
+ return (resolved);
|
|
||||||
+ }
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ if (S_ISLNK(sb.st_mode)) {
|
|
||||||
+ if (symlinks++ > SYMLOOP_MAX) {
|
|
||||||
+ errno = ELOOP;
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ slen = readlink(resolved, symlink, sizeof(symlink) - 1);
|
|
||||||
+ if (slen < 0)
|
|
||||||
+ goto err;
|
|
||||||
+ symlink[slen] = '\0';
|
|
||||||
+ if (symlink[0] == '/') {
|
|
||||||
+ resolved[1] = 0;
|
|
||||||
+ resolved_len = 1;
|
|
||||||
+ } else if (resolved_len > 1) {
|
|
||||||
+ /* Strip the last path component. */
|
|
||||||
+ resolved[resolved_len - 1] = '\0';
|
|
||||||
+ q = strrchr(resolved, '/') + 1;
|
|
||||||
+ *q = '\0';
|
|
||||||
+ resolved_len = q - resolved;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * If there are any path components left, then
|
|
||||||
+ * append them to symlink. The result is placed
|
|
||||||
+ * in `left'.
|
|
||||||
+ */
|
|
||||||
+ if (p != NULL) {
|
|
||||||
+ if (symlink[slen - 1] != '/') {
|
|
||||||
+ if (slen + 1 >=
|
|
||||||
+ (ptrdiff_t)sizeof(symlink)) {
|
|
||||||
+ errno = ENAMETOOLONG;
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ symlink[slen] = '/';
|
|
||||||
+ symlink[slen + 1] = 0;
|
|
||||||
+ }
|
|
||||||
+ left_len = strlcat(symlink, left, sizeof(symlink));
|
|
||||||
+ if (left_len >= sizeof(symlink)) {
|
|
||||||
+ errno = ENAMETOOLONG;
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ left_len = strlcpy(left, symlink, sizeof(left));
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Remove trailing slash except when the resolved pathname
|
|
||||||
+ * is a single "/".
|
|
||||||
+ */
|
|
||||||
+ if (resolved_len > 1 && resolved[resolved_len - 1] == '/')
|
|
||||||
+ resolved[resolved_len - 1] = '\0';
|
|
||||||
+ return (resolved);
|
|
||||||
+
|
|
||||||
+err:
|
|
||||||
+ if (mem_allocated)
|
|
||||||
+ free(resolved);
|
|
||||||
+ return (NULL);
|
|
||||||
+}
|
|
||||||
diff --color -ruN a/sftp-server.c b/sftp-server.c
|
|
||||||
--- a/sftp-server.c 2022-06-23 11:31:10.147186434 +0200
|
|
||||||
+++ b/sftp-server.c 2022-06-23 11:32:19.147513366 +0200
|
|
||||||
@@ -51,6 +51,8 @@
|
|
||||||
#include "sftp.h"
|
|
||||||
#include "sftp-common.h"
|
|
||||||
|
|
||||||
+char *sftp_realpath(const char *, char *); /* sftp-realpath.c */
|
|
||||||
+
|
|
||||||
/* Our verbosity */
|
|
||||||
static LogLevel log_level = SYSLOG_LEVEL_ERROR;
|
|
||||||
|
|
||||||
@@ -1185,7 +1187,7 @@
|
|
||||||
}
|
|
||||||
debug3("request %u: realpath", id);
|
|
||||||
verbose("realpath \"%s\"", path);
|
|
||||||
- if (realpath(path, resolvedname) == NULL) {
|
|
||||||
+ if (sftp_realpath(path, resolvedname) == NULL) {
|
|
||||||
send_status(id, errno_to_portable(errno));
|
|
||||||
} else {
|
|
||||||
Stat s;
|
|
@ -1,16 +0,0 @@
|
|||||||
diff -up openssh-8.0p1/sftp.c.original openssh-8.0p1/sftp.c
|
|
||||||
--- openssh-8.0p1/sftp.c.original 2020-12-22 17:05:02.105698989 +0900
|
|
||||||
+++ openssh-8.0p1/sftp.c 2020-12-22 17:05:42.922035780 +0900
|
|
||||||
@@ -937,7 +937,11 @@ sglob_comp(const void *aa, const void *b
|
|
||||||
return (rmul * strcmp(ap, bp));
|
|
||||||
else if (sort_flag & LS_TIME_SORT) {
|
|
||||||
#if defined(HAVE_STRUCT_STAT_ST_MTIM)
|
|
||||||
- return (rmul * timespeccmp(&as->st_mtim, &bs->st_mtim, <));
|
|
||||||
+ if (timespeccmp(&as->st_mtim, &bs->st_mtim, <)){
|
|
||||||
+ return rmul;
|
|
||||||
+ } else {
|
|
||||||
+ return -rmul;
|
|
||||||
+ }
|
|
||||||
#elif defined(HAVE_STRUCT_STAT_ST_MTIME)
|
|
||||||
return (rmul * NCMP(as->st_mtime, bs->st_mtime));
|
|
||||||
#else
|
|
@ -1,97 +0,0 @@
|
|||||||
diff --git a/servconf.c b/servconf.c
|
|
||||||
index ffac5d2c..340045b2 100644
|
|
||||||
--- a/servconf.c
|
|
||||||
+++ b/servconf.c
|
|
||||||
@@ -1042,7 +1042,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
if (strcasecmp(attrib, "user") == 0) {
|
|
||||||
- if (ci == NULL) {
|
|
||||||
+ if (ci == NULL || (ci->test && ci->user == NULL)) {
|
|
||||||
result = 0;
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
@@ -1054,7 +1054,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
|
|
||||||
debug("user %.100s matched 'User %.100s' at "
|
|
||||||
"line %d", ci->user, arg, line);
|
|
||||||
} else if (strcasecmp(attrib, "group") == 0) {
|
|
||||||
- if (ci == NULL) {
|
|
||||||
+ if (ci == NULL || (ci->test && ci->user == NULL)) {
|
|
||||||
result = 0;
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
@@ -1067,7 +1067,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
|
|
||||||
result = 0;
|
|
||||||
}
|
|
||||||
} else if (strcasecmp(attrib, "host") == 0) {
|
|
||||||
- if (ci == NULL) {
|
|
||||||
+ if (ci == NULL || (ci->test && ci->host == NULL)) {
|
|
||||||
result = 0;
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
@@ -1079,7 +1079,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
|
|
||||||
debug("connection from %.100s matched 'Host "
|
|
||||||
"%.100s' at line %d", ci->host, arg, line);
|
|
||||||
} else if (strcasecmp(attrib, "address") == 0) {
|
|
||||||
- if (ci == NULL) {
|
|
||||||
+ if (ci == NULL || (ci->test && ci->address == NULL)) {
|
|
||||||
result = 0;
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
@@ -1098,7 +1098,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
} else if (strcasecmp(attrib, "localaddress") == 0){
|
|
||||||
- if (ci == NULL) {
|
|
||||||
+ if (ci == NULL || (ci->test && ci->laddress == NULL)) {
|
|
||||||
result = 0;
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
@@ -1124,7 +1124,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
|
|
||||||
arg);
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
- if (ci == NULL) {
|
|
||||||
+ if (ci == NULL || (ci->test && ci->lport == -1)) {
|
|
||||||
result = 0;
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
@@ -1138,10 +1138,12 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
|
|
||||||
else
|
|
||||||
result = 0;
|
|
||||||
} else if (strcasecmp(attrib, "rdomain") == 0) {
|
|
||||||
- if (ci == NULL || ci->rdomain == NULL) {
|
|
||||||
+ if (ci == NULL || (ci->test && ci->rdomain == NULL)) {
|
|
||||||
result = 0;
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
+ if (ci->rdomain == NULL)
|
|
||||||
+ match_test_missing_fatal("RDomain", "rdomain");
|
|
||||||
if (match_pattern_list(ci->rdomain, arg, 0) != 1)
|
|
||||||
result = 0;
|
|
||||||
else
|
|
||||||
diff --git a/servconf.h b/servconf.h
|
|
||||||
index 54e0a8d8..5483da05 100644
|
|
||||||
--- a/servconf.h
|
|
||||||
+++ b/servconf.h
|
|
||||||
@@ -221,6 +221,8 @@ struct connection_info {
|
|
||||||
const char *laddress; /* local address */
|
|
||||||
int lport; /* local port */
|
|
||||||
const char *rdomain; /* routing domain if available */
|
|
||||||
+ int test; /* test mode, allow some attributes to be
|
|
||||||
+ * unspecified */
|
|
||||||
};
|
|
||||||
|
|
||||||
|
|
||||||
diff --git a/sshd.c b/sshd.c
|
|
||||||
index cbd3bce9..1fcde502 100644
|
|
||||||
--- a/sshd.c
|
|
||||||
+++ b/sshd.c
|
|
||||||
@@ -1843,6 +1843,7 @@ main(int ac, char **av)
|
|
||||||
*/
|
|
||||||
if (connection_info == NULL)
|
|
||||||
connection_info = get_connection_info(ssh, 0, 0);
|
|
||||||
+ connection_info->test = 1;
|
|
||||||
parse_server_match_config(&options, connection_info);
|
|
||||||
dump_config(&options);
|
|
||||||
}
|
|
@ -1,805 +0,0 @@
|
|||||||
diff -up openssh-8.0p1/auth.c.sshdinclude openssh-8.0p1/auth.c
|
|
||||||
--- openssh-8.0p1/auth.c.sshdinclude 2021-10-20 15:18:49.740331098 +0200
|
|
||||||
+++ openssh-8.0p1/auth.c 2021-10-20 15:19:41.324781344 +0200
|
|
||||||
@@ -80,6 +80,7 @@
|
|
||||||
|
|
||||||
/* import */
|
|
||||||
extern ServerOptions options;
|
|
||||||
+extern struct include_list includes;
|
|
||||||
extern int use_privsep;
|
|
||||||
extern struct sshbuf *loginmsg;
|
|
||||||
extern struct passwd *privsep_pw;
|
|
||||||
@@ -573,7 +574,7 @@ getpwnamallow(struct ssh *ssh, const cha
|
|
||||||
|
|
||||||
ci = get_connection_info(ssh, 1, options.use_dns);
|
|
||||||
ci->user = user;
|
|
||||||
- parse_server_match_config(&options, ci);
|
|
||||||
+ parse_server_match_config(&options, &includes, ci);
|
|
||||||
log_change_level(options.log_level);
|
|
||||||
process_permitopen(ssh, &options);
|
|
||||||
|
|
||||||
diff -up openssh-8.0p1/readconf.c.sshdinclude openssh-8.0p1/readconf.c
|
|
||||||
--- openssh-8.0p1/readconf.c.sshdinclude 2021-10-20 15:21:43.541848103 +0200
|
|
||||||
+++ openssh-8.0p1/readconf.c 2021-10-20 15:22:06.302046768 +0200
|
|
||||||
@@ -711,7 +711,7 @@ match_cfg_line(Options *options, char **
|
|
||||||
static void
|
|
||||||
rm_env(Options *options, const char *arg, const char *filename, int linenum)
|
|
||||||
{
|
|
||||||
- int i, j;
|
|
||||||
+ int i, j, onum_send_env = options->num_send_env;
|
|
||||||
char *cp;
|
|
||||||
|
|
||||||
/* Remove an environment variable */
|
|
||||||
@@ -734,6 +734,11 @@ rm_env(Options *options, const char *arg
|
|
||||||
options->num_send_env--;
|
|
||||||
/* NB. don't increment i */
|
|
||||||
}
|
|
||||||
+ if (onum_send_env != options->num_send_env) {
|
|
||||||
+ options->send_env = xrecallocarray(options->send_env,
|
|
||||||
+ onum_send_env, options->num_send_env,
|
|
||||||
+ sizeof(*options->send_env));
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
diff -up openssh-8.0p1/regress/Makefile.sshdinclude openssh-8.0p1/regress/Makefile
|
|
||||||
--- openssh-8.0p1/regress/Makefile.sshdinclude 2021-10-20 15:18:49.742331115 +0200
|
|
||||||
+++ openssh-8.0p1/regress/Makefile 2021-10-20 15:19:41.324781344 +0200
|
|
||||||
@@ -82,6 +82,7 @@ LTESTS= connect \
|
|
||||||
principals-command \
|
|
||||||
cert-file \
|
|
||||||
cfginclude \
|
|
||||||
+ servcfginclude \
|
|
||||||
allow-deny-users \
|
|
||||||
authinfo
|
|
||||||
|
|
||||||
@@ -118,7 +119,7 @@ CLEANFILES= *.core actual agent-key.* au
|
|
||||||
sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \
|
|
||||||
ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \
|
|
||||||
ssh_proxy_envpass sshd.log sshd_config sshd_config_minimal \
|
|
||||||
- sshd_config.orig sshd_proxy sshd_proxy.* sshd_proxy_bak \
|
|
||||||
+ sshd_config.* sshd_proxy sshd_proxy.* sshd_proxy_bak \
|
|
||||||
sshd_proxy_orig t10.out t10.out.pub t12.out t12.out.pub \
|
|
||||||
t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub \
|
|
||||||
t8.out t8.out.pub t9.out t9.out.pub testdata \
|
|
||||||
diff -up openssh-8.0p1/regress/servcfginclude.sh.sshdinclude openssh-8.0p1/regress/servcfginclude.sh
|
|
||||||
--- openssh-8.0p1/regress/servcfginclude.sh.sshdinclude 2021-10-20 15:18:49.744331132 +0200
|
|
||||||
+++ openssh-8.0p1/regress/servcfginclude.sh 2021-10-20 15:22:06.303046777 +0200
|
|
||||||
@@ -0,0 +1,188 @@
|
|
||||||
+# Placed in the Public Domain.
|
|
||||||
+
|
|
||||||
+tid="server config include"
|
|
||||||
+
|
|
||||||
+cat > $OBJ/sshd_config.i << _EOF
|
|
||||||
+HostKey $OBJ/host.ssh-ed25519
|
|
||||||
+Match host a
|
|
||||||
+ Banner /aa
|
|
||||||
+
|
|
||||||
+Match host b
|
|
||||||
+ Banner /bb
|
|
||||||
+ Include $OBJ/sshd_config.i.*
|
|
||||||
+
|
|
||||||
+Match host c
|
|
||||||
+ Include $OBJ/sshd_config.i.*
|
|
||||||
+ Banner /cc
|
|
||||||
+
|
|
||||||
+Match host m
|
|
||||||
+ Include $OBJ/sshd_config.i.*
|
|
||||||
+
|
|
||||||
+Match Host d
|
|
||||||
+ Banner /dd
|
|
||||||
+
|
|
||||||
+Match Host e
|
|
||||||
+ Banner /ee
|
|
||||||
+ Include $OBJ/sshd_config.i.*
|
|
||||||
+
|
|
||||||
+Match Host f
|
|
||||||
+ Include $OBJ/sshd_config.i.*
|
|
||||||
+ Banner /ff
|
|
||||||
+
|
|
||||||
+Match Host n
|
|
||||||
+ Include $OBJ/sshd_config.i.*
|
|
||||||
+_EOF
|
|
||||||
+
|
|
||||||
+cat > $OBJ/sshd_config.i.0 << _EOF
|
|
||||||
+Match host xxxxxx
|
|
||||||
+_EOF
|
|
||||||
+
|
|
||||||
+cat > $OBJ/sshd_config.i.1 << _EOF
|
|
||||||
+Match host a
|
|
||||||
+ Banner /aaa
|
|
||||||
+
|
|
||||||
+Match host b
|
|
||||||
+ Banner /bbb
|
|
||||||
+
|
|
||||||
+Match host c
|
|
||||||
+ Banner /ccc
|
|
||||||
+
|
|
||||||
+Match Host d
|
|
||||||
+ Banner /ddd
|
|
||||||
+
|
|
||||||
+Match Host e
|
|
||||||
+ Banner /eee
|
|
||||||
+
|
|
||||||
+Match Host f
|
|
||||||
+ Banner /fff
|
|
||||||
+_EOF
|
|
||||||
+
|
|
||||||
+cat > $OBJ/sshd_config.i.2 << _EOF
|
|
||||||
+Match host a
|
|
||||||
+ Banner /aaaa
|
|
||||||
+
|
|
||||||
+Match host b
|
|
||||||
+ Banner /bbbb
|
|
||||||
+
|
|
||||||
+Match host c
|
|
||||||
+ Banner /cccc
|
|
||||||
+
|
|
||||||
+Match Host d
|
|
||||||
+ Banner /dddd
|
|
||||||
+
|
|
||||||
+Match Host e
|
|
||||||
+ Banner /eeee
|
|
||||||
+
|
|
||||||
+Match Host f
|
|
||||||
+ Banner /ffff
|
|
||||||
+
|
|
||||||
+Match all
|
|
||||||
+ Banner /xxxx
|
|
||||||
+_EOF
|
|
||||||
+
|
|
||||||
+trial() {
|
|
||||||
+ _host="$1"
|
|
||||||
+ _exp="$2"
|
|
||||||
+ _desc="$3"
|
|
||||||
+ test -z "$_desc" && _desc="test match"
|
|
||||||
+ trace "$_desc host=$_host expect=$_exp"
|
|
||||||
+ ${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i -T \
|
|
||||||
+ -C "host=$_host,user=test,addr=127.0.0.1" > $OBJ/sshd_config.out ||
|
|
||||||
+ fatal "ssh config parse failed: $_desc host=$_host expect=$_exp"
|
|
||||||
+ _got=`grep -i '^banner ' $OBJ/sshd_config.out | awk '{print $2}'`
|
|
||||||
+ if test "x$_exp" != "x$_got" ; then
|
|
||||||
+ fail "$desc_ host $_host include fail: expected $_exp got $_got"
|
|
||||||
+ fi
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+trial a /aa
|
|
||||||
+trial b /bb
|
|
||||||
+trial c /ccc
|
|
||||||
+trial d /dd
|
|
||||||
+trial e /ee
|
|
||||||
+trial f /fff
|
|
||||||
+trial m /xxxx
|
|
||||||
+trial n /xxxx
|
|
||||||
+trial x none
|
|
||||||
+
|
|
||||||
+# Prepare an included config with an error.
|
|
||||||
+
|
|
||||||
+cat > $OBJ/sshd_config.i.3 << _EOF
|
|
||||||
+Banner xxxx
|
|
||||||
+ Junk
|
|
||||||
+_EOF
|
|
||||||
+
|
|
||||||
+trace "disallow invalid config host=a"
|
|
||||||
+${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i \
|
|
||||||
+ -C "host=a,user=test,addr=127.0.0.1" 2>/dev/null && \
|
|
||||||
+ fail "sshd include allowed invalid config"
|
|
||||||
+
|
|
||||||
+trace "disallow invalid config host=x"
|
|
||||||
+${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i \
|
|
||||||
+ -C "host=x,user=test,addr=127.0.0.1" 2>/dev/null && \
|
|
||||||
+ fail "sshd include allowed invalid config"
|
|
||||||
+
|
|
||||||
+rm -f $OBJ/sshd_config.i.*
|
|
||||||
+
|
|
||||||
+# Ensure that a missing include is not fatal.
|
|
||||||
+cat > $OBJ/sshd_config.i << _EOF
|
|
||||||
+HostKey $OBJ/host.ssh-ed25519
|
|
||||||
+Include $OBJ/sshd_config.i.*
|
|
||||||
+Banner /aa
|
|
||||||
+_EOF
|
|
||||||
+
|
|
||||||
+trial a /aa "missing include non-fatal"
|
|
||||||
+
|
|
||||||
+# Ensure that Match/Host in an included config does not affect parent.
|
|
||||||
+cat > $OBJ/sshd_config.i.x << _EOF
|
|
||||||
+Match host x
|
|
||||||
+_EOF
|
|
||||||
+
|
|
||||||
+trial a /aa "included file does not affect match state"
|
|
||||||
+
|
|
||||||
+# Ensure the empty include directive is not accepted
|
|
||||||
+cat > $OBJ/sshd_config.i.x << _EOF
|
|
||||||
+Include
|
|
||||||
+_EOF
|
|
||||||
+
|
|
||||||
+trace "disallow invalid with no argument"
|
|
||||||
+${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i.x -T \
|
|
||||||
+ -C "host=x,user=test,addr=127.0.0.1" 2>/dev/null && \
|
|
||||||
+ fail "sshd allowed Include with no argument"
|
|
||||||
+
|
|
||||||
+# Ensure the Include before any Match block works as expected (bug #3122)
|
|
||||||
+cat > $OBJ/sshd_config.i << _EOF
|
|
||||||
+Banner /xx
|
|
||||||
+HostKey $OBJ/host.ssh-ed25519
|
|
||||||
+Include $OBJ/sshd_config.i.2
|
|
||||||
+Match host a
|
|
||||||
+ Banner /aaaa
|
|
||||||
+_EOF
|
|
||||||
+cat > $OBJ/sshd_config.i.2 << _EOF
|
|
||||||
+Match host a
|
|
||||||
+ Banner /aa
|
|
||||||
+_EOF
|
|
||||||
+
|
|
||||||
+trace "Include before match blocks"
|
|
||||||
+trial a /aa "included file before match blocks is properly evaluated"
|
|
||||||
+
|
|
||||||
+# Port in included file is correctly interpretted (bug #3169)
|
|
||||||
+cat > $OBJ/sshd_config.i << _EOF
|
|
||||||
+Include $OBJ/sshd_config.i.2
|
|
||||||
+Port 7722
|
|
||||||
+_EOF
|
|
||||||
+cat > $OBJ/sshd_config.i.2 << _EOF
|
|
||||||
+HostKey $OBJ/host.ssh-ed25519
|
|
||||||
+_EOF
|
|
||||||
+
|
|
||||||
+trace "Port after included files"
|
|
||||||
+${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i -T \
|
|
||||||
+ -C "host=x,user=test,addr=127.0.0.1" > $OBJ/sshd_config.out || \
|
|
||||||
+ fail "failed to parse Port after included files"
|
|
||||||
+_port=`grep -i '^port ' $OBJ/sshd_config.out | awk '{print $2}'`
|
|
||||||
+if test "x7722" != "x$_port" ; then
|
|
||||||
+ fail "The Port in included file was intertepretted wrongly. Expected 7722, got $_port"
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+# cleanup
|
|
||||||
+rm -f $OBJ/sshd_config.i $OBJ/sshd_config.i.* $OBJ/sshd_config.out
|
|
||||||
diff -up openssh-8.0p1/regress/test-exec.sh.sshdinclude openssh-8.0p1/regress/test-exec.sh
|
|
||||||
--- openssh-8.0p1/regress/test-exec.sh.sshdinclude 2021-10-20 15:18:49.746331150 +0200
|
|
||||||
+++ openssh-8.0p1/regress/test-exec.sh 2021-10-20 15:19:41.324781344 +0200
|
|
||||||
@@ -220,6 +220,7 @@ echo "exec ${SSH} -E${TEST_SSH_LOGFILE}
|
|
||||||
|
|
||||||
chmod a+rx $OBJ/ssh-log-wrapper.sh
|
|
||||||
REAL_SSH="$SSH"
|
|
||||||
+REAL_SSHD="$SSHD"
|
|
||||||
SSH="$SSHLOGWRAP"
|
|
||||||
|
|
||||||
# Some test data. We make a copy because some tests will overwrite it.
|
|
||||||
diff -up openssh-8.0p1/servconf.c.sshdinclude openssh-8.0p1/servconf.c
|
|
||||||
--- openssh-8.0p1/servconf.c.sshdinclude 2021-10-20 15:18:49.748331167 +0200
|
|
||||||
+++ openssh-8.0p1/servconf.c 2021-10-20 15:22:06.303046777 +0200
|
|
||||||
@@ -40,6 +40,11 @@
|
|
||||||
#ifdef HAVE_UTIL_H
|
|
||||||
#include <util.h>
|
|
||||||
#endif
|
|
||||||
+#ifdef USE_SYSTEM_GLOB
|
|
||||||
+# include <glob.h>
|
|
||||||
+#else
|
|
||||||
+# include "openbsd-compat/glob.h"
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
#include "openbsd-compat/sys-queue.h"
|
|
||||||
#include "xmalloc.h"
|
|
||||||
@@ -70,6 +75,9 @@ static void add_listen_addr(ServerOption
|
|
||||||
const char *, int);
|
|
||||||
static void add_one_listen_addr(ServerOptions *, const char *,
|
|
||||||
const char *, int);
|
|
||||||
+static void parse_server_config_depth(ServerOptions *options,
|
|
||||||
+ const char *filename, struct sshbuf *conf, struct include_list *includes,
|
|
||||||
+ struct connection_info *connectinfo, int flags, int *activep, int depth);
|
|
||||||
|
|
||||||
/* Use of privilege separation or not */
|
|
||||||
extern int use_privsep;
|
|
||||||
@@ -528,7 +536,7 @@ typedef enum {
|
|
||||||
sAcceptEnv, sSetEnv, sPermitTunnel,
|
|
||||||
sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
|
|
||||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
|
||||||
- sHostCertificate,
|
|
||||||
+ sHostCertificate, sInclude,
|
|
||||||
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
|
|
||||||
sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
|
|
||||||
sKexAlgorithms, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
|
|
||||||
@@ -540,9 +548,11 @@ typedef enum {
|
|
||||||
sDeprecated, sIgnore, sUnsupported
|
|
||||||
} ServerOpCodes;
|
|
||||||
|
|
||||||
-#define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
|
|
||||||
-#define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
|
|
||||||
-#define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
|
|
||||||
+#define SSHCFG_GLOBAL 0x01 /* allowed in main section of config */
|
|
||||||
+#define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
|
|
||||||
+#define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
|
|
||||||
+#define SSHCFG_NEVERMATCH 0x04 /* Match never matches; internal only */
|
|
||||||
+#define SSHCFG_MATCH_ONLY 0x08 /* Match only in conditional blocks; internal only */
|
|
||||||
|
|
||||||
/* Textual representation of the tokens. */
|
|
||||||
static struct {
|
|
||||||
@@ -687,6 +697,7 @@ static struct {
|
|
||||||
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
|
|
||||||
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
|
|
||||||
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
|
|
||||||
+ { "include", sInclude, SSHCFG_ALL },
|
|
||||||
{ "ipqos", sIPQoS, SSHCFG_ALL },
|
|
||||||
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
|
|
||||||
{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
|
|
||||||
@@ -1259,13 +1270,14 @@ static const struct multistate multistat
|
|
||||||
{ NULL, -1 }
|
|
||||||
};
|
|
||||||
|
|
||||||
-int
|
|
||||||
-process_server_config_line(ServerOptions *options, char *line,
|
|
||||||
+static int
|
|
||||||
+process_server_config_line_depth(ServerOptions *options, char *line,
|
|
||||||
const char *filename, int linenum, int *activep,
|
|
||||||
- struct connection_info *connectinfo)
|
|
||||||
+ struct connection_info *connectinfo, int *inc_flags, int depth,
|
|
||||||
+ struct include_list *includes)
|
|
||||||
{
|
|
||||||
char ch, *cp, ***chararrayptr, **charptr, *arg, *arg2, *p;
|
|
||||||
- int cmdline = 0, *intptr, value, value2, n, port;
|
|
||||||
+ int cmdline = 0, *intptr, value, value2, n, port, oactive, r, found;
|
|
||||||
SyslogFacility *log_facility_ptr;
|
|
||||||
LogLevel *log_level_ptr;
|
|
||||||
ServerOpCodes opcode;
|
|
||||||
@@ -1274,6 +1286,8 @@ process_server_config_line(ServerOptions
|
|
||||||
long long val64;
|
|
||||||
const struct multistate *multistate_ptr;
|
|
||||||
const char *errstr;
|
|
||||||
+ struct include_item *item;
|
|
||||||
+ glob_t gbuf;
|
|
||||||
|
|
||||||
/* Strip trailing whitespace. Allow \f (form feed) at EOL only */
|
|
||||||
if ((len = strlen(line)) == 0)
|
|
||||||
@@ -1300,7 +1314,7 @@ process_server_config_line(ServerOptions
|
|
||||||
cmdline = 1;
|
|
||||||
activep = &cmdline;
|
|
||||||
}
|
|
||||||
- if (*activep && opcode != sMatch)
|
|
||||||
+ if (*activep && opcode != sMatch && opcode != sInclude)
|
|
||||||
debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
|
|
||||||
if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
|
|
||||||
if (connectinfo == NULL) {
|
|
||||||
@@ -1980,15 +1994,112 @@ process_server_config_line(ServerOptions
|
|
||||||
*intptr = value;
|
|
||||||
break;
|
|
||||||
|
|
||||||
+ case sInclude:
|
|
||||||
+ if (cmdline) {
|
|
||||||
+ fatal("Include directive not supported as a "
|
|
||||||
+ "command-line option");
|
|
||||||
+ }
|
|
||||||
+ value = 0;
|
|
||||||
+ while ((arg2 = strdelim(&cp)) != NULL && *arg2 != '\0') {
|
|
||||||
+ value++;
|
|
||||||
+ found = 0;
|
|
||||||
+ if (*arg2 != '/' && *arg2 != '~') {
|
|
||||||
+ xasprintf(&arg, "%s/%s", SSHDIR, arg2);
|
|
||||||
+ } else
|
|
||||||
+ arg = xstrdup(arg2);
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Don't let included files clobber the containing
|
|
||||||
+ * file's Match state.
|
|
||||||
+ */
|
|
||||||
+ oactive = *activep;
|
|
||||||
+
|
|
||||||
+ /* consult cache of include files */
|
|
||||||
+ TAILQ_FOREACH(item, includes, entry) {
|
|
||||||
+ if (strcmp(item->selector, arg) != 0)
|
|
||||||
+ continue;
|
|
||||||
+ if (item->filename != NULL) {
|
|
||||||
+ parse_server_config_depth(options,
|
|
||||||
+ item->filename, item->contents,
|
|
||||||
+ includes, connectinfo,
|
|
||||||
+ (*inc_flags & SSHCFG_MATCH_ONLY
|
|
||||||
+ ? SSHCFG_MATCH_ONLY : (oactive
|
|
||||||
+ ? 0 : SSHCFG_NEVERMATCH)),
|
|
||||||
+ activep, depth + 1);
|
|
||||||
+ }
|
|
||||||
+ found = 1;
|
|
||||||
+ *activep = oactive;
|
|
||||||
+ }
|
|
||||||
+ if (found != 0) {
|
|
||||||
+ free(arg);
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* requested glob was not in cache */
|
|
||||||
+ debug2("%s line %d: new include %s",
|
|
||||||
+ filename, linenum, arg);
|
|
||||||
+ if ((r = glob(arg, 0, NULL, &gbuf)) != 0) {
|
|
||||||
+ if (r != GLOB_NOMATCH) {
|
|
||||||
+ fatal("%s line %d: include \"%s\" "
|
|
||||||
+ "glob failed", filename,
|
|
||||||
+ linenum, arg);
|
|
||||||
+ }
|
|
||||||
+ /*
|
|
||||||
+ * If no entry matched then record a
|
|
||||||
+ * placeholder to skip later glob calls.
|
|
||||||
+ */
|
|
||||||
+ debug2("%s line %d: no match for %s",
|
|
||||||
+ filename, linenum, arg);
|
|
||||||
+ item = xcalloc(1, sizeof(*item));
|
|
||||||
+ item->selector = strdup(arg);
|
|
||||||
+ TAILQ_INSERT_TAIL(includes,
|
|
||||||
+ item, entry);
|
|
||||||
+ }
|
|
||||||
+ if (gbuf.gl_pathc > INT_MAX)
|
|
||||||
+ fatal("%s: too many glob results", __func__);
|
|
||||||
+ for (n = 0; n < (int)gbuf.gl_pathc; n++) {
|
|
||||||
+ debug2("%s line %d: including %s",
|
|
||||||
+ filename, linenum, gbuf.gl_pathv[n]);
|
|
||||||
+ item = xcalloc(1, sizeof(*item));
|
|
||||||
+ item->selector = strdup(arg);
|
|
||||||
+ item->filename = strdup(gbuf.gl_pathv[n]);
|
|
||||||
+ if ((item->contents = sshbuf_new()) == NULL) {
|
|
||||||
+ fatal("%s: sshbuf_new failed",
|
|
||||||
+ __func__);
|
|
||||||
+ }
|
|
||||||
+ load_server_config(item->filename,
|
|
||||||
+ item->contents);
|
|
||||||
+ parse_server_config_depth(options,
|
|
||||||
+ item->filename, item->contents,
|
|
||||||
+ includes, connectinfo,
|
|
||||||
+ (*inc_flags & SSHCFG_MATCH_ONLY
|
|
||||||
+ ? SSHCFG_MATCH_ONLY : (oactive
|
|
||||||
+ ? 0 : SSHCFG_NEVERMATCH)),
|
|
||||||
+ activep, depth + 1);
|
|
||||||
+ *activep = oactive;
|
|
||||||
+ TAILQ_INSERT_TAIL(includes, item, entry);
|
|
||||||
+ }
|
|
||||||
+ globfree(&gbuf);
|
|
||||||
+ free(arg);
|
|
||||||
+ }
|
|
||||||
+ if (value == 0) {
|
|
||||||
+ fatal("%s line %d: Include missing filename argument",
|
|
||||||
+ filename, linenum);
|
|
||||||
+ }
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
case sMatch:
|
|
||||||
if (cmdline)
|
|
||||||
fatal("Match directive not supported as a command-line "
|
|
||||||
"option");
|
|
||||||
- value = match_cfg_line(&cp, linenum, connectinfo);
|
|
||||||
+ value = match_cfg_line(&cp, linenum,
|
|
||||||
+ (*inc_flags & SSHCFG_NEVERMATCH ? NULL : connectinfo));
|
|
||||||
if (value < 0)
|
|
||||||
fatal("%s line %d: Bad Match condition", filename,
|
|
||||||
linenum);
|
|
||||||
- *activep = value;
|
|
||||||
+ *activep = (*inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
|
|
||||||
+ /* The MATCH_ONLY is applicable only until the first match block */
|
|
||||||
+ *inc_flags &= ~SSHCFG_MATCH_ONLY;
|
|
||||||
break;
|
|
||||||
|
|
||||||
case sKerberosUseKuserok:
|
|
||||||
@@ -2275,6 +2386,18 @@ process_server_config_line(ServerOptions
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+int
|
|
||||||
+process_server_config_line(ServerOptions *options, char *line,
|
|
||||||
+ const char *filename, int linenum, int *activep,
|
|
||||||
+ struct connection_info *connectinfo, struct include_list *includes)
|
|
||||||
+{
|
|
||||||
+ int inc_flags = 0;
|
|
||||||
+
|
|
||||||
+ return process_server_config_line_depth(options, line, filename,
|
|
||||||
+ linenum, activep, connectinfo, &inc_flags, 0, includes);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+
|
|
||||||
/* Reads the server configuration file. */
|
|
||||||
|
|
||||||
void
|
|
||||||
@@ -2313,12 +2436,13 @@ load_server_config(const char *filename,
|
|
||||||
|
|
||||||
void
|
|
||||||
parse_server_match_config(ServerOptions *options,
|
|
||||||
- struct connection_info *connectinfo)
|
|
||||||
+ struct include_list *includes, struct connection_info *connectinfo)
|
|
||||||
{
|
|
||||||
ServerOptions mo;
|
|
||||||
|
|
||||||
initialize_server_options(&mo);
|
|
||||||
- parse_server_config(&mo, "reprocess config", cfg, connectinfo);
|
|
||||||
+ parse_server_config(&mo, "reprocess config", cfg, includes,
|
|
||||||
+ connectinfo);
|
|
||||||
copy_set_server_options(options, &mo, 0);
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -2464,28 +2588,44 @@ copy_set_server_options(ServerOptions *d
|
|
||||||
#undef M_CP_STROPT
|
|
||||||
#undef M_CP_STRARRAYOPT
|
|
||||||
|
|
||||||
-void
|
|
||||||
-parse_server_config(ServerOptions *options, const char *filename,
|
|
||||||
- struct sshbuf *conf, struct connection_info *connectinfo)
|
|
||||||
+#define SERVCONF_MAX_DEPTH 16
|
|
||||||
+static void
|
|
||||||
+parse_server_config_depth(ServerOptions *options, const char *filename,
|
|
||||||
+ struct sshbuf *conf, struct include_list *includes,
|
|
||||||
+ struct connection_info *connectinfo, int flags, int *activep, int depth)
|
|
||||||
{
|
|
||||||
- int active, linenum, bad_options = 0;
|
|
||||||
+ int linenum, bad_options = 0;
|
|
||||||
char *cp, *obuf, *cbuf;
|
|
||||||
|
|
||||||
- debug2("%s: config %s len %zu", __func__, filename, sshbuf_len(conf));
|
|
||||||
+ if (depth < 0 || depth > SERVCONF_MAX_DEPTH)
|
|
||||||
+ fatal("Too many recursive configuration includes");
|
|
||||||
+
|
|
||||||
+ debug2("%s: config %s len %zu%s", __func__, filename, sshbuf_len(conf),
|
|
||||||
+ (flags & SSHCFG_NEVERMATCH ? " [checking syntax only]" : ""));
|
|
||||||
|
|
||||||
if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
|
|
||||||
fatal("%s: sshbuf_dup_string failed", __func__);
|
|
||||||
- active = connectinfo ? 0 : 1;
|
|
||||||
linenum = 1;
|
|
||||||
while ((cp = strsep(&cbuf, "\n")) != NULL) {
|
|
||||||
- if (process_server_config_line(options, cp, filename,
|
|
||||||
- linenum++, &active, connectinfo) != 0)
|
|
||||||
+ if (process_server_config_line_depth(options, cp,
|
|
||||||
+ filename, linenum++, activep, connectinfo, &flags,
|
|
||||||
+ depth, includes) != 0)
|
|
||||||
bad_options++;
|
|
||||||
}
|
|
||||||
free(obuf);
|
|
||||||
if (bad_options > 0)
|
|
||||||
fatal("%s: terminating, %d bad configuration options",
|
|
||||||
filename, bad_options);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void
|
|
||||||
+parse_server_config(ServerOptions *options, const char *filename,
|
|
||||||
+ struct sshbuf *conf, struct include_list *includes,
|
|
||||||
+ struct connection_info *connectinfo)
|
|
||||||
+{
|
|
||||||
+ int active = connectinfo ? 0 : 1;
|
|
||||||
+ parse_server_config_depth(options, filename, conf, includes,
|
|
||||||
+ connectinfo, (connectinfo ? SSHCFG_MATCH_ONLY : 0), &active, 0);
|
|
||||||
process_queued_listen_addrs(options);
|
|
||||||
}
|
|
||||||
|
|
||||||
diff -up openssh-8.0p1/servconf.h.sshdinclude openssh-8.0p1/servconf.h
|
|
||||||
--- openssh-8.0p1/servconf.h.sshdinclude 2021-10-20 15:18:49.750331185 +0200
|
|
||||||
+++ openssh-8.0p1/servconf.h 2021-10-20 15:19:41.325781353 +0200
|
|
||||||
@@ -16,6 +16,8 @@
|
|
||||||
#ifndef SERVCONF_H
|
|
||||||
#define SERVCONF_H
|
|
||||||
|
|
||||||
+#include <sys/queue.h>
|
|
||||||
+
|
|
||||||
#define MAX_PORTS 256 /* Max # ports. */
|
|
||||||
|
|
||||||
#define MAX_SUBSYSTEMS 256 /* Max # subsystems. */
|
|
||||||
@@ -234,6 +236,15 @@ struct connection_info {
|
|
||||||
* unspecified */
|
|
||||||
};
|
|
||||||
|
|
||||||
+/* List of included files for re-exec from the parsed configuration */
|
|
||||||
+struct include_item {
|
|
||||||
+ char *selector;
|
|
||||||
+ char *filename;
|
|
||||||
+ struct sshbuf *contents;
|
|
||||||
+ TAILQ_ENTRY(include_item) entry;
|
|
||||||
+};
|
|
||||||
+TAILQ_HEAD(include_list, include_item);
|
|
||||||
+
|
|
||||||
|
|
||||||
/*
|
|
||||||
* These are string config options that must be copied between the
|
|
||||||
@@ -273,12 +284,13 @@ struct connection_info *get_connection_i
|
|
||||||
void initialize_server_options(ServerOptions *);
|
|
||||||
void fill_default_server_options(ServerOptions *);
|
|
||||||
int process_server_config_line(ServerOptions *, char *, const char *, int,
|
|
||||||
- int *, struct connection_info *);
|
|
||||||
+ int *, struct connection_info *, struct include_list *includes);
|
|
||||||
void process_permitopen(struct ssh *ssh, ServerOptions *options);
|
|
||||||
void load_server_config(const char *, struct sshbuf *);
|
|
||||||
void parse_server_config(ServerOptions *, const char *, struct sshbuf *,
|
|
||||||
- struct connection_info *);
|
|
||||||
-void parse_server_match_config(ServerOptions *, struct connection_info *);
|
|
||||||
+ struct include_list *includes, struct connection_info *);
|
|
||||||
+void parse_server_match_config(ServerOptions *,
|
|
||||||
+ struct include_list *includes, struct connection_info *);
|
|
||||||
int parse_server_match_testspec(struct connection_info *, char *);
|
|
||||||
int server_match_spec_complete(struct connection_info *);
|
|
||||||
void copy_set_server_options(ServerOptions *, ServerOptions *, int);
|
|
||||||
diff -up openssh-8.0p1/sshd_config.5.sshdinclude openssh-8.0p1/sshd_config.5
|
|
||||||
--- openssh-8.0p1/sshd_config.5.sshdinclude 2021-10-20 15:18:49.754331220 +0200
|
|
||||||
+++ openssh-8.0p1/sshd_config.5 2021-10-20 15:19:41.325781353 +0200
|
|
||||||
@@ -825,7 +825,20 @@ during
|
|
||||||
and use only the system-wide known hosts file
|
|
||||||
.Pa /etc/ssh/known_hosts .
|
|
||||||
The default is
|
|
||||||
-.Cm no .
|
|
||||||
+.Dq no .
|
|
||||||
+.It Cm Include
|
|
||||||
+Include the specified configuration file(s).
|
|
||||||
+Multiple path names may be specified and each pathname may contain
|
|
||||||
+.Xr glob 7
|
|
||||||
+wildcards.
|
|
||||||
+Files without absolute paths are assumed to be in
|
|
||||||
+.Pa /etc/ssh .
|
|
||||||
+A
|
|
||||||
+.Cm Include
|
|
||||||
+directive may appear inside a
|
|
||||||
+.Cm Match
|
|
||||||
+block
|
|
||||||
+to perform conditional inclusion.
|
|
||||||
.It Cm IPQoS
|
|
||||||
Specifies the IPv4 type-of-service or DSCP class for the connection.
|
|
||||||
Accepted values are
|
|
||||||
diff -up openssh-8.0p1/sshd.c.sshdinclude openssh-8.0p1/sshd.c
|
|
||||||
--- openssh-8.0p1/sshd.c.sshdinclude 2021-10-20 15:18:49.752331202 +0200
|
|
||||||
+++ openssh-8.0p1/sshd.c 2021-10-20 15:19:41.325781353 +0200
|
|
||||||
@@ -257,6 +257,9 @@ struct sshauthopt *auth_opts = NULL;
|
|
||||||
/* sshd_config buffer */
|
|
||||||
struct sshbuf *cfg;
|
|
||||||
|
|
||||||
+/* Included files from the configuration file */
|
|
||||||
+struct include_list includes = TAILQ_HEAD_INITIALIZER(includes);
|
|
||||||
+
|
|
||||||
/* message to be displayed after login */
|
|
||||||
struct sshbuf *loginmsg;
|
|
||||||
|
|
||||||
@@ -927,30 +930,45 @@ usage(void)
|
|
||||||
static void
|
|
||||||
send_rexec_state(int fd, struct sshbuf *conf)
|
|
||||||
{
|
|
||||||
- struct sshbuf *m;
|
|
||||||
+ struct sshbuf *m = NULL, *inc = NULL;
|
|
||||||
+ struct include_item *item = NULL;
|
|
||||||
int r;
|
|
||||||
|
|
||||||
debug3("%s: entering fd = %d config len %zu", __func__, fd,
|
|
||||||
sshbuf_len(conf));
|
|
||||||
|
|
||||||
+ if ((m = sshbuf_new()) == NULL || (inc = sshbuf_new()) == NULL)
|
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
|
||||||
+
|
|
||||||
+ /* pack includes into a string */
|
|
||||||
+ TAILQ_FOREACH(item, &includes, entry) {
|
|
||||||
+ if ((r = sshbuf_put_cstring(inc, item->selector)) != 0 ||
|
|
||||||
+ (r = sshbuf_put_cstring(inc, item->filename)) != 0 ||
|
|
||||||
+ (r = sshbuf_put_stringb(inc, item->contents)) != 0)
|
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* Protocol from reexec master to child:
|
|
||||||
* string configuration
|
|
||||||
- * string rngseed (only if OpenSSL is not self-seeded)
|
|
||||||
+ * string included_files[] {
|
|
||||||
+ * string selector
|
|
||||||
+ * string filename
|
|
||||||
+ * string contents
|
|
||||||
+ * }
|
|
||||||
+ * string rng_seed (if required)
|
|
||||||
*/
|
|
||||||
- if ((m = sshbuf_new()) == NULL)
|
|
||||||
- fatal("%s: sshbuf_new failed", __func__);
|
|
||||||
- if ((r = sshbuf_put_stringb(m, conf)) != 0)
|
|
||||||
+ if ((r = sshbuf_put_stringb(m, conf)) != 0 ||
|
|
||||||
+ (r = sshbuf_put_stringb(m, inc)) != 0)
|
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
||||||
-
|
|
||||||
#if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
|
|
||||||
rexec_send_rng_seed(m);
|
|
||||||
#endif
|
|
||||||
-
|
|
||||||
if (ssh_msg_send(fd, 0, m) == -1)
|
|
||||||
fatal("%s: ssh_msg_send failed", __func__);
|
|
||||||
|
|
||||||
sshbuf_free(m);
|
|
||||||
+ sshbuf_free(inc);
|
|
||||||
|
|
||||||
debug3("%s: done", __func__);
|
|
||||||
}
|
|
||||||
@@ -958,14 +976,15 @@ send_rexec_state(int fd, struct sshbuf *
|
|
||||||
static void
|
|
||||||
recv_rexec_state(int fd, struct sshbuf *conf)
|
|
||||||
{
|
|
||||||
- struct sshbuf *m;
|
|
||||||
+ struct sshbuf *m, *inc;
|
|
||||||
u_char *cp, ver;
|
|
||||||
size_t len;
|
|
||||||
int r;
|
|
||||||
+ struct include_item *item;
|
|
||||||
|
|
||||||
debug3("%s: entering fd = %d", __func__, fd);
|
|
||||||
|
|
||||||
- if ((m = sshbuf_new()) == NULL)
|
|
||||||
+ if ((m = sshbuf_new()) == NULL || (inc = sshbuf_new()) == NULL)
|
|
||||||
fatal("%s: sshbuf_new failed", __func__);
|
|
||||||
if (ssh_msg_recv(fd, m) == -1)
|
|
||||||
fatal("%s: ssh_msg_recv failed", __func__);
|
|
||||||
@@ -973,14 +992,28 @@ recv_rexec_state(int fd, struct sshbuf *
|
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
||||||
if (ver != 0)
|
|
||||||
fatal("%s: rexec version mismatch", __func__);
|
|
||||||
- if ((r = sshbuf_get_string(m, &cp, &len)) != 0)
|
|
||||||
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
||||||
- if (conf != NULL && (r = sshbuf_put(conf, cp, len)))
|
|
||||||
+ if ((r = sshbuf_get_string(m, &cp, &len)) != 0 ||
|
|
||||||
+ (r = sshbuf_get_stringb(m, inc)) != 0)
|
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
||||||
+
|
|
||||||
#if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
|
|
||||||
rexec_recv_rng_seed(m);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+ if (conf != NULL && (r = sshbuf_put(conf, cp, len)))
|
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
||||||
+
|
|
||||||
+ while (sshbuf_len(inc) != 0) {
|
|
||||||
+ item = xcalloc(1, sizeof(*item));
|
|
||||||
+ if ((item->contents = sshbuf_new()) == NULL)
|
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
|
||||||
+ if ((r = sshbuf_get_cstring(inc, &item->selector, NULL)) != 0 ||
|
|
||||||
+ (r = sshbuf_get_cstring(inc, &item->filename, NULL)) != 0 ||
|
|
||||||
+ (r = sshbuf_get_stringb(inc, item->contents)) != 0)
|
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
||||||
+ TAILQ_INSERT_TAIL(&includes, item, entry);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
free(cp);
|
|
||||||
sshbuf_free(m);
|
|
||||||
|
|
||||||
@@ -1661,7 +1694,7 @@ main(int ac, char **av)
|
|
||||||
case 'o':
|
|
||||||
line = xstrdup(optarg);
|
|
||||||
if (process_server_config_line(&options, line,
|
|
||||||
- "command-line", 0, NULL, NULL) != 0)
|
|
||||||
+ "command-line", 0, NULL, NULL, &includes) != 0)
|
|
||||||
exit(1);
|
|
||||||
free(line);
|
|
||||||
break;
|
|
||||||
@@ -1692,7 +1725,7 @@ main(int ac, char **av)
|
|
||||||
SYSLOG_LEVEL_INFO : options.log_level,
|
|
||||||
options.log_facility == SYSLOG_FACILITY_NOT_SET ?
|
|
||||||
SYSLOG_FACILITY_AUTH : options.log_facility,
|
|
||||||
- log_stderr || !inetd_flag);
|
|
||||||
+ log_stderr || !inetd_flag || debug_flag);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Unset KRB5CCNAME, otherwise the user's session may inherit it from
|
|
||||||
@@ -1725,12 +1758,11 @@ main(int ac, char **av)
|
|
||||||
*/
|
|
||||||
(void)atomicio(vwrite, startup_pipe, "\0", 1);
|
|
||||||
}
|
|
||||||
- }
|
|
||||||
- else if (strcasecmp(config_file_name, "none") != 0)
|
|
||||||
+ } else if (strcasecmp(config_file_name, "none") != 0)
|
|
||||||
load_server_config(config_file_name, cfg);
|
|
||||||
|
|
||||||
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
|
|
||||||
- cfg, NULL);
|
|
||||||
+ cfg, &includes, NULL);
|
|
||||||
|
|
||||||
/* 'UsePAM no' is not supported in RHEL */
|
|
||||||
if (! options.use_pam)
|
|
||||||
@@ -1946,7 +1978,7 @@ main(int ac, char **av)
|
|
||||||
if (connection_info == NULL)
|
|
||||||
connection_info = get_connection_info(ssh, 0, 0);
|
|
||||||
connection_info->test = 1;
|
|
||||||
- parse_server_match_config(&options, connection_info);
|
|
||||||
+ parse_server_match_config(&options, &includes, connection_info);
|
|
||||||
dump_config(&options);
|
|
||||||
}
|
|
||||||
|
|
||||||
diff -up openssh-8.0p1/sshbuf-getput-basic.c.stringb openssh-8.0p1/sshbuf-getput-basic.c
|
|
||||||
--- openssh-8.0p1/sshbuf-getput-basic.c.stringb 2022-12-21 12:18:43.274799163 +0100
|
|
||||||
+++ openssh-8.0p1/sshbuf-getput-basic.c 2022-12-21 12:19:19.758081516 +0100
|
|
||||||
@@ -371,6 +371,9 @@ sshbuf_put_cstring(struct sshbuf *buf, c
|
|
||||||
int
|
|
||||||
sshbuf_put_stringb(struct sshbuf *buf, const struct sshbuf *v)
|
|
||||||
{
|
|
||||||
+ if (v == NULL)
|
|
||||||
+ return sshbuf_put_string(buf, NULL, 0);
|
|
||||||
+
|
|
||||||
return sshbuf_put_string(buf, sshbuf_ptr(v), sshbuf_len(v));
|
|
||||||
}
|
|
||||||
|
|
@ -1,38 +0,0 @@
|
|||||||
From d33ff14309e33aa79fdf95e1bc4facafa80b90a9 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Stepan Broz <sbroz@redhat.com>
|
|
||||||
Date: Tue, 25 Jun 2024 17:38:22 +0200
|
|
||||||
Subject: [PATCH] upstream: ignore SIGPIPE earlier in main(), specifically
|
|
||||||
before
|
|
||||||
|
|
||||||
muxclient() which performs operations that could cause one; Reported by Noam
|
|
||||||
Lewis via bz3454, ok dtucker@
|
|
||||||
|
|
||||||
OpenBSD-Commit-ID: 63d8e13276869eebac6d7a05d5a96307f9026e47
|
|
||||||
---
|
|
||||||
ssh.c | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/ssh.c b/ssh.c
|
|
||||||
index 786e26d..e037c66 100644
|
|
||||||
--- a/ssh.c
|
|
||||||
+++ b/ssh.c
|
|
||||||
@@ -1115,6 +1115,8 @@ main(int ac, char **av)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* Initialize "log" output. Since we are the client all output
|
|
||||||
* goes to stderr unless otherwise specified by -y or -E.
|
|
||||||
@@ -1545,7 +1547,6 @@ main(int ac, char **av)
|
|
||||||
options.num_system_hostfiles);
|
|
||||||
tilde_expand_paths(options.user_hostfiles, options.num_user_hostfiles);
|
|
||||||
|
|
||||||
- signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */
|
|
||||||
signal(SIGCHLD, main_sigchld_handler);
|
|
||||||
|
|
||||||
/* Log into the remote system. Never returns if the login fails. */
|
|
||||||
--
|
|
||||||
2.45.2
|
|
||||||
|
|
@ -1,14 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAly3ro8ACgkQ0+X1a22S
|
|
||||||
DTCAiAx/W9XHoDs5NijyNIP43W2nFYuf6HG1duoLjdJ8rnsC3e90gx8h5RpUUh24
|
|
||||||
JDACoUFnbJsNgiQBaYpO7bOnf3Vw5Oui1gPeKnQ76KQsXDwD/N/0wLUf55+XdNJ6
|
|
||||||
tcgm6/x1W4b8bWje5bcS3qhxv6t/hSL/OxusA8zoNmnTD5XMg6QtJ0Rp9ZHPriCJ
|
|
||||||
C4eCPdHfmyHCr1IATMX9+n5CO5JUPexaDjQug7k/Z1XA/UlwVfRRs1JMpviBodC+
|
|
||||||
ZUOuk9tH11RKSBcUeR3Ef4iaR3FchryyyBZUZdYBkmDrnHrYpUK5ifdHT+ZXdzPl
|
|
||||||
laX03Kz094LqrP6L3lafk6b1PKOVjKwx1vM5fhnv+pfx4dmao9BwZMuIq6Fa5uMX
|
|
||||||
w2oHGhlIDmeT66Yny5d0APn2wCewyYUGPanSZY/HolHAPs+doOBgI361kMAR9J3e
|
|
||||||
Ii3VKhIdE8i4K3fC19uDkf7xL8UVvRVXjgM7i+GNndh1ou/vDYxmEAsW9IR/D3XC
|
|
||||||
HM/jMdq+UewAiRG46aI5rsi/A8J8/A==
|
|
||||||
=YtoH
|
|
||||||
-----END PGP SIGNATURE-----
|
|
@ -1,166 +0,0 @@
|
|||||||
diff --color -ru a/kex.c b/kex.c
|
|
||||||
--- a/kex.c 2022-06-23 10:25:29.529922670 +0200
|
|
||||||
+++ b/kex.c 2022-06-23 10:26:12.911762100 +0200
|
|
||||||
@@ -906,6 +906,18 @@
|
|
||||||
return (1);
|
|
||||||
}
|
|
||||||
|
|
||||||
+/* returns non-zero if proposal contains any algorithm from algs */
|
|
||||||
+static int
|
|
||||||
+has_any_alg(const char *proposal, const char *algs)
|
|
||||||
+{
|
|
||||||
+ char *cp;
|
|
||||||
+
|
|
||||||
+ if ((cp = match_list(proposal, algs, NULL)) == NULL)
|
|
||||||
+ return 0;
|
|
||||||
+ free(cp);
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static int
|
|
||||||
kex_choose_conf(struct ssh *ssh)
|
|
||||||
{
|
|
||||||
@@ -941,6 +953,16 @@
|
|
||||||
free(ext);
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /* Check whether client supports rsa-sha2 algorithms */
|
|
||||||
+ if (kex->server && (kex->flags & KEX_INITIAL)) {
|
|
||||||
+ if (has_any_alg(peer[PROPOSAL_SERVER_HOST_KEY_ALGS],
|
|
||||||
+ "rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com"))
|
|
||||||
+ kex->flags |= KEX_RSA_SHA2_256_SUPPORTED;
|
|
||||||
+ if (has_any_alg(peer[PROPOSAL_SERVER_HOST_KEY_ALGS],
|
|
||||||
+ "rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com"))
|
|
||||||
+ kex->flags |= KEX_RSA_SHA2_512_SUPPORTED;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* Algorithm Negotiation */
|
|
||||||
if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS],
|
|
||||||
sprop[PROPOSAL_KEX_ALGS])) != 0) {
|
|
||||||
diff --color -ru a/kex.h b/kex.h
|
|
||||||
--- a/kex.h 2022-06-23 10:25:29.511922322 +0200
|
|
||||||
+++ b/kex.h 2022-06-23 10:26:12.902761926 +0200
|
|
||||||
@@ -117,6 +117,8 @@
|
|
||||||
|
|
||||||
#define KEX_INIT_SENT 0x0001
|
|
||||||
#define KEX_INITIAL 0x0002
|
|
||||||
+#define KEX_RSA_SHA2_256_SUPPORTED 0x0008 /* only set in server for now */
|
|
||||||
+#define KEX_RSA_SHA2_512_SUPPORTED 0x0010 /* only set in server for now */
|
|
||||||
|
|
||||||
struct sshenc {
|
|
||||||
char *name;
|
|
||||||
diff --color -ru a/serverloop.c b/serverloop.c
|
|
||||||
--- a/serverloop.c 2022-06-23 10:25:29.537922825 +0200
|
|
||||||
+++ b/serverloop.c 2022-06-23 10:26:12.918762235 +0200
|
|
||||||
@@ -736,16 +736,17 @@
|
|
||||||
struct sshbuf *resp = NULL;
|
|
||||||
struct sshbuf *sigbuf = NULL;
|
|
||||||
struct sshkey *key = NULL, *key_pub = NULL, *key_prv = NULL;
|
|
||||||
- int r, ndx, kexsigtype, use_kexsigtype, success = 0;
|
|
||||||
+ int r, ndx, success = 0;
|
|
||||||
const u_char *blob;
|
|
||||||
+ const char *sigalg, *kex_rsa_sigalg = NULL;
|
|
||||||
u_char *sig = 0;
|
|
||||||
size_t blen, slen;
|
|
||||||
|
|
||||||
if ((resp = sshbuf_new()) == NULL || (sigbuf = sshbuf_new()) == NULL)
|
|
||||||
fatal("%s: sshbuf_new", __func__);
|
|
||||||
-
|
|
||||||
- kexsigtype = sshkey_type_plain(
|
|
||||||
- sshkey_type_from_name(ssh->kex->hostkey_alg));
|
|
||||||
+ if (sshkey_type_plain(sshkey_type_from_name(
|
|
||||||
+ ssh->kex->hostkey_alg)) == KEY_RSA)
|
|
||||||
+ kex_rsa_sigalg = ssh->kex->hostkey_alg;
|
|
||||||
while (ssh_packet_remaining(ssh) > 0) {
|
|
||||||
sshkey_free(key);
|
|
||||||
key = NULL;
|
|
||||||
@@ -780,16 +781,24 @@
|
|
||||||
* For RSA keys, prefer to use the signature type negotiated
|
|
||||||
* during KEX to the default (SHA1).
|
|
||||||
*/
|
|
||||||
- use_kexsigtype = kexsigtype == KEY_RSA &&
|
|
||||||
- sshkey_type_plain(key->type) == KEY_RSA;
|
|
||||||
+ sigalg = NULL;
|
|
||||||
+ if (sshkey_type_plain(key->type) == KEY_RSA) {
|
|
||||||
+ if (kex_rsa_sigalg != NULL)
|
|
||||||
+ sigalg = kex_rsa_sigalg;
|
|
||||||
+ else if (ssh->kex->flags & KEX_RSA_SHA2_512_SUPPORTED)
|
|
||||||
+ sigalg = "rsa-sha2-512";
|
|
||||||
+ else if (ssh->kex->flags & KEX_RSA_SHA2_256_SUPPORTED)
|
|
||||||
+ sigalg = "rsa-sha2-256";
|
|
||||||
+ }
|
|
||||||
+ debug3("%s: sign %s key (index %d) using sigalg %s", __func__,
|
|
||||||
+ sshkey_type(key), ndx, sigalg == NULL ? "default" : sigalg);
|
|
||||||
if ((r = sshbuf_put_cstring(sigbuf,
|
|
||||||
"hostkeys-prove-00@openssh.com")) != 0 ||
|
|
||||||
(r = sshbuf_put_string(sigbuf,
|
|
||||||
ssh->kex->session_id, ssh->kex->session_id_len)) != 0 ||
|
|
||||||
(r = sshkey_puts(key, sigbuf)) != 0 ||
|
|
||||||
(r = ssh->kex->sign(ssh, key_prv, key_pub, &sig, &slen,
|
|
||||||
- sshbuf_ptr(sigbuf), sshbuf_len(sigbuf),
|
|
||||||
- use_kexsigtype ? ssh->kex->hostkey_alg : NULL)) != 0 ||
|
|
||||||
+ sshbuf_ptr(sigbuf), sshbuf_len(sigbuf), sigalg)) != 0 ||
|
|
||||||
(r = sshbuf_put_string(resp, sig, slen)) != 0) {
|
|
||||||
error("%s: couldn't prepare signature: %s",
|
|
||||||
__func__, ssh_err(r));
|
|
||||||
diff --color -ru a/sshkey.c b/sshkey.c
|
|
||||||
--- a/sshkey.c 2022-06-23 10:25:29.532922728 +0200
|
|
||||||
+++ b/sshkey.c 2022-06-23 10:26:12.914762158 +0200
|
|
||||||
@@ -82,7 +82,6 @@
|
|
||||||
struct sshbuf *buf, enum sshkey_serialize_rep);
|
|
||||||
static int sshkey_from_blob_internal(struct sshbuf *buf,
|
|
||||||
struct sshkey **keyp, int allow_cert);
|
|
||||||
-static int get_sigtype(const u_char *sig, size_t siglen, char **sigtypep);
|
|
||||||
|
|
||||||
/* Supported key types */
|
|
||||||
struct keytype {
|
|
||||||
@@ -2092,7 +2091,8 @@
|
|
||||||
if ((ret = sshkey_verify(key->cert->signature_key, sig, slen,
|
|
||||||
sshbuf_ptr(key->cert->certblob), signed_len, NULL, 0)) != 0)
|
|
||||||
goto out;
|
|
||||||
- if ((ret = get_sigtype(sig, slen, &key->cert->signature_type)) != 0)
|
|
||||||
+ if ((ret = sshkey_get_sigtype(sig, slen,
|
|
||||||
+ &key->cert->signature_type)) != 0)
|
|
||||||
goto out;
|
|
||||||
|
|
||||||
/* Success */
|
|
||||||
@@ -2394,8 +2394,8 @@
|
|
||||||
return r;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static int
|
|
||||||
-get_sigtype(const u_char *sig, size_t siglen, char **sigtypep)
|
|
||||||
+int
|
|
||||||
+sshkey_get_sigtype(const u_char *sig, size_t siglen, char **sigtypep)
|
|
||||||
{
|
|
||||||
int r;
|
|
||||||
struct sshbuf *b = NULL;
|
|
||||||
@@ -2477,7 +2477,7 @@
|
|
||||||
return 0;
|
|
||||||
if ((expected_alg = sshkey_sigalg_by_name(requested_alg)) == NULL)
|
|
||||||
return SSH_ERR_INVALID_ARGUMENT;
|
|
||||||
- if ((r = get_sigtype(sig, siglen, &sigtype)) != 0)
|
|
||||||
+ if ((r = sshkey_get_sigtype(sig, siglen, &sigtype)) != 0)
|
|
||||||
return r;
|
|
||||||
r = strcmp(expected_alg, sigtype) == 0;
|
|
||||||
free(sigtype);
|
|
||||||
@@ -2739,7 +2739,7 @@
|
|
||||||
sshbuf_len(cert), alg, 0, signer_ctx)) != 0)
|
|
||||||
goto out;
|
|
||||||
/* Check and update signature_type against what was actually used */
|
|
||||||
- if ((ret = get_sigtype(sig_blob, sig_len, &sigtype)) != 0)
|
|
||||||
+ if ((ret = sshkey_get_sigtype(sig_blob, sig_len, &sigtype)) != 0)
|
|
||||||
goto out;
|
|
||||||
if (alg != NULL && strcmp(alg, sigtype) != 0) {
|
|
||||||
ret = SSH_ERR_SIGN_ALG_UNSUPPORTED;
|
|
||||||
diff --color -ru a/sshkey.h b/sshkey.h
|
|
||||||
--- a/sshkey.h 2022-06-23 10:25:29.521922515 +0200
|
|
||||||
+++ b/sshkey.h 2022-06-23 10:26:12.907762022 +0200
|
|
||||||
@@ -211,6 +211,7 @@
|
|
||||||
const u_char *, size_t, const char *, u_int);
|
|
||||||
int sshkey_check_sigtype(const u_char *, size_t, const char *);
|
|
||||||
const char *sshkey_sigalg_by_name(const char *);
|
|
||||||
+int sshkey_get_sigtype(const u_char *, size_t, char **);
|
|
||||||
|
|
||||||
/* for debug */
|
|
||||||
void sshkey_dump_ec_point(const EC_GROUP *, const EC_POINT *);
|
|
@ -1,25 +0,0 @@
|
|||||||
diff --git a/auth.c b/auth.c
|
|
||||||
index b8d1040d..0134d694 100644
|
|
||||||
--- a/auth.c
|
|
||||||
+++ b/auth.c
|
|
||||||
@@ -56,6 +56,7 @@
|
|
||||||
# include <paths.h>
|
|
||||||
#endif
|
|
||||||
#include <pwd.h>
|
|
||||||
+#include <grp.h>
|
|
||||||
#ifdef HAVE_LOGIN_H
|
|
||||||
#include <login.h>
|
|
||||||
#endif
|
|
||||||
@@ -2695,6 +2696,12 @@ subprocess(const char *tag, const char *command,
|
|
||||||
}
|
|
||||||
closefrom(STDERR_FILENO + 1);
|
|
||||||
|
|
||||||
+ if (geteuid() == 0 &&
|
|
||||||
+ initgroups(pw->pw_name, pw->pw_gid) == -1) {
|
|
||||||
+ error("%s: initgroups(%s, %u): %s", tag,
|
|
||||||
+ pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
|
|
||||||
+ _exit(1);
|
|
||||||
+ }
|
|
||||||
/* Don't use permanently_set_uid() here to avoid fatal() */
|
|
||||||
if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
|
|
||||||
error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
|
|
@ -1,32 +0,0 @@
|
|||||||
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
|
|
||||||
index d29a03b4..d7283136 100644
|
|
||||||
--- a/ssh-keyscan.c
|
|
||||||
+++ b/ssh-keyscan.c
|
|
||||||
@@ -490,6 +490,15 @@ congreet(int s)
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /*
|
|
||||||
+ * Read the server banner as per RFC4253 section 4.2. The "SSH-"
|
|
||||||
+ * protocol identification string may be preceeded by an arbitarily
|
|
||||||
+ * large banner which we must read and ignore. Loop while reading
|
|
||||||
+ * newline-terminated lines until we have one starting with "SSH-".
|
|
||||||
+ * The ID string cannot be longer than 255 characters although the
|
|
||||||
+ * preceeding banner lines may (in which case they'll be discarded
|
|
||||||
+ * in multiple iterations of the outer loop).
|
|
||||||
+ */
|
|
||||||
for (;;) {
|
|
||||||
memset(buf, '\0', sizeof(buf));
|
|
||||||
bufsiz = sizeof(buf);
|
|
||||||
@@ -517,6 +526,11 @@ congreet(int s)
|
|
||||||
conrecycle(s);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
+ if (cp >= buf + sizeof(buf)) {
|
|
||||||
+ error("%s: greeting exceeds allowable length", c->c_name);
|
|
||||||
+ confree(s);
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
if (*cp != '\n' && *cp != '\r') {
|
|
||||||
error("%s: bad greeting", c->c_name);
|
|
||||||
confree(s);
|
|
@ -1,17 +0,0 @@
|
|||||||
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
|
|
||||||
index 6be647ec..ebddf6c3 100644
|
|
||||||
--- a/ssh-pkcs11.c
|
|
||||||
+++ b/ssh-pkcs11.c
|
|
||||||
@@ -1537,10 +1537,8 @@ pkcs11_register_provider(char *provider_id, char *pin,
|
|
||||||
error("dlopen %s failed: %s", provider_module, dlerror());
|
|
||||||
goto fail;
|
|
||||||
}
|
|
||||||
- if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
|
|
||||||
- error("dlsym(C_GetFunctionList) failed: %s", dlerror());
|
|
||||||
- goto fail;
|
|
||||||
- }
|
|
||||||
+ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
|
|
||||||
+ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
|
|
||||||
|
|
||||||
p->module->handle = handle;
|
|
||||||
/* setup the pkcs11 callbacks */
|
|
@ -1,33 +0,0 @@
|
|||||||
diff -u -p -r1.166 auth2.c
|
|
||||||
--- a/auth2.c 8 Mar 2023 04:43:12 -0000 1.166
|
|
||||||
+++ b/auth2.c 28 Aug 2023 08:32:44 -0000
|
|
||||||
@@ -208,6 +208,7 @@ input_service_request(int type, u_int32_
|
|
||||||
}
|
|
||||||
|
|
||||||
#define MIN_FAIL_DELAY_SECONDS 0.005
|
|
||||||
+#define MAX_FAIL_DELAY_SECONDS 5.0
|
|
||||||
static double
|
|
||||||
user_specific_delay(const char *user)
|
|
||||||
{
|
|
||||||
@@ -233,6 +234,12 @@ ensure_minimum_time_since(double start,
|
|
||||||
struct timespec ts;
|
|
||||||
double elapsed = monotime_double() - start, req = seconds, remain;
|
|
||||||
|
|
||||||
+ if (elapsed > MAX_FAIL_DELAY_SECONDS) {
|
|
||||||
+ debug3("elapsed %0.3lfms exceeded the max delay "
|
|
||||||
+ "requested %0.3lfms)", elapsed*1000, req*1000);
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* if we've already passed the requested time, scale up */
|
|
||||||
while ((remain = seconds - elapsed) < 0.0)
|
|
||||||
seconds *= 2;
|
|
||||||
@@ -317,7 +324,7 @@ input_userauth_request(int type, u_int32
|
|
||||||
debug2("input_userauth_request: try method %s", method);
|
|
||||||
authenticated = m->userauth(ssh);
|
|
||||||
}
|
|
||||||
- if (!authctxt->authenticated)
|
|
||||||
+ if (!authctxt->authenticated && strcmp(method, "none") != 0)
|
|
||||||
ensure_minimum_time_since(tstart,
|
|
||||||
user_specific_delay(authctxt->user));
|
|
||||||
userauth_finish(ssh, authenticated, method, NULL);
|
|
@ -1,447 +0,0 @@
|
|||||||
diff --git a/PROTOCOL b/PROTOCOL
|
|
||||||
index d453c779..ded935eb 100644
|
|
||||||
--- a/PROTOCOL
|
|
||||||
+++ b/PROTOCOL
|
|
||||||
@@ -137,6 +137,32 @@ than as a named global or channel request to allow pings with very
|
|
||||||
described at:
|
|
||||||
http://git.libssh.org/users/aris/libssh.git/plain/doc/curve25519-sha256@libssh.org.txt?h=curve25519
|
|
||||||
|
|
||||||
+1.9 transport: strict key exchange extension
|
|
||||||
+
|
|
||||||
+OpenSSH supports a number of transport-layer hardening measures under
|
|
||||||
+a "strict KEX" feature. This feature is signalled similarly to the
|
|
||||||
+RFC8308 ext-info feature: by including a additional algorithm in the
|
|
||||||
+initiial SSH2_MSG_KEXINIT kex_algorithms field. The client may append
|
|
||||||
+"kex-strict-c-v00@openssh.com" to its kex_algorithms and the server
|
|
||||||
+may append "kex-strict-s-v00@openssh.com". These pseudo-algorithms
|
|
||||||
+are only valid in the initial SSH2_MSG_KEXINIT and MUST be ignored
|
|
||||||
+if they are present in subsequent SSH2_MSG_KEXINIT packets.
|
|
||||||
+
|
|
||||||
+When an endpoint that supports this extension observes this algorithm
|
|
||||||
+name in a peer's KEXINIT packet, it MUST make the following changes to
|
|
||||||
+the the protocol:
|
|
||||||
+
|
|
||||||
+a) During initial KEX, terminate the connection if any unexpected or
|
|
||||||
+ out-of-sequence packet is received. This includes terminating the
|
|
||||||
+ connection if the first packet received is not SSH2_MSG_KEXINIT.
|
|
||||||
+ Unexpected packets for the purpose of strict KEX include messages
|
|
||||||
+ that are otherwise valid at any time during the connection such as
|
|
||||||
+ SSH2_MSG_DEBUG and SSH2_MSG_IGNORE.
|
|
||||||
+b) After sending or receiving a SSH2_MSG_NEWKEYS message, reset the
|
|
||||||
+ packet sequence number to zero. This behaviour persists for the
|
|
||||||
+ duration of the connection (i.e. not just the first
|
|
||||||
+ SSH2_MSG_NEWKEYS).
|
|
||||||
+
|
|
||||||
2. Connection protocol changes
|
|
||||||
|
|
||||||
2.1. connection: Channel write close extension "eow@openssh.com"
|
|
||||||
diff --git a/kex.c b/kex.c
|
|
||||||
index aa5e792d..d478ff6e 100644
|
|
||||||
--- a/kex.c
|
|
||||||
+++ b/kex.c
|
|
||||||
@@ -65,7 +65,7 @@
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* prototype */
|
|
||||||
-static int kex_choose_conf(struct ssh *);
|
|
||||||
+static int kex_choose_conf(struct ssh *, uint32_t seq);
|
|
||||||
static int kex_input_newkeys(int, u_int32_t, struct ssh *);
|
|
||||||
|
|
||||||
static const char *proposal_names[PROPOSAL_MAX] = {
|
|
||||||
@@ -177,6 +177,18 @@ kex_names_valid(const char *names)
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
+/* returns non-zero if proposal contains any algorithm from algs */
|
|
||||||
+static int
|
|
||||||
+has_any_alg(const char *proposal, const char *algs)
|
|
||||||
+{
|
|
||||||
+ char *cp;
|
|
||||||
+
|
|
||||||
+ if ((cp = match_list(proposal, algs, NULL)) == NULL)
|
|
||||||
+ return 0;
|
|
||||||
+ free(cp);
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* Concatenate algorithm names, avoiding duplicates in the process.
|
|
||||||
* Caller must free returned string.
|
|
||||||
@@ -184,7 +196,7 @@ kex_names_valid(const char *names)
|
|
||||||
char *
|
|
||||||
kex_names_cat(const char *a, const char *b)
|
|
||||||
{
|
|
||||||
- char *ret = NULL, *tmp = NULL, *cp, *p, *m;
|
|
||||||
+ char *ret = NULL, *tmp = NULL, *cp, *p;
|
|
||||||
size_t len;
|
|
||||||
|
|
||||||
if (a == NULL || *a == '\0')
|
|
||||||
@@ -201,10 +213,8 @@ kex_names_cat(const char *a, const char *b)
|
|
||||||
}
|
|
||||||
strlcpy(ret, a, len);
|
|
||||||
for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
|
|
||||||
- if ((m = match_list(ret, p, NULL)) != NULL) {
|
|
||||||
- free(m);
|
|
||||||
+ if (has_any_alg(ret, p))
|
|
||||||
continue; /* Algorithm already present */
|
|
||||||
- }
|
|
||||||
if (strlcat(ret, ",", len) >= len ||
|
|
||||||
strlcat(ret, p, len) >= len) {
|
|
||||||
free(tmp);
|
|
||||||
@@ -466,7 +485,12 @@ kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh)
|
|
||||||
{
|
|
||||||
int r;
|
|
||||||
|
|
||||||
- error("kex protocol error: type %d seq %u", type, seq);
|
|
||||||
+ /* If in strict mode, any unexpected message is an error */
|
|
||||||
+ if ((ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict) {
|
|
||||||
+ ssh_packet_disconnect(ssh, "strict KEX violation: "
|
|
||||||
+ "unexpected packet type %u (seqnr %u)", type, seq);
|
|
||||||
+ }
|
|
||||||
+ error("type %u seq %u", type, seq);
|
|
||||||
if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 ||
|
|
||||||
(r = sshpkt_put_u32(ssh, seq)) != 0 ||
|
|
||||||
(r = sshpkt_send(ssh)) != 0)
|
|
||||||
@@ -548,6 +572,11 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh)
|
|
||||||
ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
|
|
||||||
if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
|
|
||||||
return r;
|
|
||||||
+ if (ninfo >= 1024) {
|
|
||||||
+ error("SSH2_MSG_EXT_INFO with too many entries, expected "
|
|
||||||
+ "<=1024, received %u", ninfo);
|
|
||||||
+ return dispatch_protocol_error(type, seq, ssh);
|
|
||||||
+ }
|
|
||||||
for (i = 0; i < ninfo; i++) {
|
|
||||||
if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
|
|
||||||
return r;
|
|
||||||
@@ -681,7 +705,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
|
|
||||||
if (kex == NULL)
|
|
||||||
return SSH_ERR_INVALID_ARGUMENT;
|
|
||||||
|
|
||||||
- ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
|
|
||||||
+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_protocol_error);
|
|
||||||
ptr = sshpkt_ptr(ssh, &dlen);
|
|
||||||
if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
|
|
||||||
return r;
|
|
||||||
@@ -717,7 +741,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
|
|
||||||
if (!(kex->flags & KEX_INIT_SENT))
|
|
||||||
if ((r = kex_send_kexinit(ssh)) != 0)
|
|
||||||
return r;
|
|
||||||
- if ((r = kex_choose_conf(ssh)) != 0)
|
|
||||||
+ if ((r = kex_choose_conf(ssh, seq)) != 0)
|
|
||||||
return r;
|
|
||||||
|
|
||||||
if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL)
|
|
||||||
@@ -981,20 +1005,14 @@ proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX])
|
|
||||||
return (1);
|
|
||||||
}
|
|
||||||
|
|
||||||
-/* returns non-zero if proposal contains any algorithm from algs */
|
|
||||||
static int
|
|
||||||
-has_any_alg(const char *proposal, const char *algs)
|
|
||||||
+kexalgs_contains(char **peer, const char *ext)
|
|
||||||
{
|
|
||||||
- char *cp;
|
|
||||||
-
|
|
||||||
- if ((cp = match_list(proposal, algs, NULL)) == NULL)
|
|
||||||
- return 0;
|
|
||||||
- free(cp);
|
|
||||||
- return 1;
|
|
||||||
+ return has_any_alg(peer[PROPOSAL_KEX_ALGS], ext);
|
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
|
||||||
-kex_choose_conf(struct ssh *ssh)
|
|
||||||
+kex_choose_conf(struct ssh *ssh, uint32_t seq)
|
|
||||||
{
|
|
||||||
struct kex *kex = ssh->kex;
|
|
||||||
struct newkeys *newkeys;
|
|
||||||
@@ -1019,13 +1037,23 @@ kex_choose_conf(struct ssh *ssh)
|
|
||||||
sprop=peer;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* Check whether client supports ext_info_c */
|
|
||||||
- if (kex->server && (kex->flags & KEX_INITIAL)) {
|
|
||||||
- char *ext;
|
|
||||||
-
|
|
||||||
- ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL);
|
|
||||||
- kex->ext_info_c = (ext != NULL);
|
|
||||||
- free(ext);
|
|
||||||
+ /* Check whether peer supports ext_info/kex_strict */
|
|
||||||
+ if ((kex->flags & KEX_INITIAL) != 0) {
|
|
||||||
+ if (kex->server) {
|
|
||||||
+ kex->ext_info_c = kexalgs_contains(peer, "ext-info-c");
|
|
||||||
+ kex->kex_strict = kexalgs_contains(peer,
|
|
||||||
+ "kex-strict-c-v00@openssh.com");
|
|
||||||
+ } else {
|
|
||||||
+ kex->kex_strict = kexalgs_contains(peer,
|
|
||||||
+ "kex-strict-s-v00@openssh.com");
|
|
||||||
+ }
|
|
||||||
+ if (kex->kex_strict) {
|
|
||||||
+ debug3("will use strict KEX ordering");
|
|
||||||
+ if (seq != 0)
|
|
||||||
+ ssh_packet_disconnect(ssh,
|
|
||||||
+ "strict KEX violation: "
|
|
||||||
+ "KEXINIT was not the first packet");
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Check whether client supports rsa-sha2 algorithms */
|
|
||||||
diff --git a/kex.h b/kex.h
|
|
||||||
index 5f7ef784..272ebb43 100644
|
|
||||||
--- a/kex.h
|
|
||||||
+++ b/kex.h
|
|
||||||
@@ -149,6 +149,7 @@ struct kex {
|
|
||||||
u_int kex_type;
|
|
||||||
char *server_sig_algs;
|
|
||||||
int ext_info_c;
|
|
||||||
+ int kex_strict;
|
|
||||||
struct sshbuf *my;
|
|
||||||
struct sshbuf *peer;
|
|
||||||
struct sshbuf *client_version;
|
|
||||||
diff --git a/packet.c b/packet.c
|
|
||||||
index 52017def..beb214f9 100644
|
|
||||||
--- a/packet.c
|
|
||||||
+++ b/packet.c
|
|
||||||
@@ -1207,8 +1207,13 @@ ssh_packet_send2_wrapped(struct ssh *ssh)
|
|
||||||
sshbuf_dump(state->output, stderr);
|
|
||||||
#endif
|
|
||||||
/* increment sequence number for outgoing packets */
|
|
||||||
- if (++state->p_send.seqnr == 0)
|
|
||||||
+ if (++state->p_send.seqnr == 0) {
|
|
||||||
+ if ((ssh->kex->flags & KEX_INITIAL) != 0) {
|
|
||||||
+ ssh_packet_disconnect(ssh, "outgoing sequence number "
|
|
||||||
+ "wrapped during initial key exchange");
|
|
||||||
+ }
|
|
||||||
logit("outgoing seqnr wraps around");
|
|
||||||
+ }
|
|
||||||
if (++state->p_send.packets == 0)
|
|
||||||
if (!(ssh->compat & SSH_BUG_NOREKEY))
|
|
||||||
return SSH_ERR_NEED_REKEY;
|
|
||||||
@@ -1216,6 +1221,11 @@ ssh_packet_send2_wrapped(struct ssh *ssh)
|
|
||||||
state->p_send.bytes += len;
|
|
||||||
sshbuf_reset(state->outgoing_packet);
|
|
||||||
|
|
||||||
+ if (type == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) {
|
|
||||||
+ debug("resetting send seqnr %u", state->p_send.seqnr);
|
|
||||||
+ state->p_send.seqnr = 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (type == SSH2_MSG_NEWKEYS)
|
|
||||||
r = ssh_set_newkeys(ssh, MODE_OUT);
|
|
||||||
else if (type == SSH2_MSG_USERAUTH_SUCCESS && state->server_side)
|
|
||||||
@@ -1344,8 +1354,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
|
|
||||||
/* Stay in the loop until we have received a complete packet. */
|
|
||||||
for (;;) {
|
|
||||||
/* Try to read a packet from the buffer. */
|
|
||||||
- r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p);
|
|
||||||
- if (r != 0)
|
|
||||||
+ if ((r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p)) != 0)
|
|
||||||
break;
|
|
||||||
/* If we got a packet, return it. */
|
|
||||||
if (*typep != SSH_MSG_NONE)
|
|
||||||
@@ -1629,10 +1615,16 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
|
|
||||||
if ((r = sshbuf_consume(state->input, mac->mac_len)) != 0)
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
if (seqnr_p != NULL)
|
|
||||||
*seqnr_p = state->p_read.seqnr;
|
|
||||||
- if (++state->p_read.seqnr == 0)
|
|
||||||
+ if (++state->p_read.seqnr == 0) {
|
|
||||||
+ if ((ssh->kex->flags & KEX_INITIAL) != 0) {
|
|
||||||
+ ssh_packet_disconnect(ssh, "incoming sequence number "
|
|
||||||
+ "wrapped during initial key exchange");
|
|
||||||
+ }
|
|
||||||
logit("incoming seqnr wraps around");
|
|
||||||
+ }
|
|
||||||
if (++state->p_read.packets == 0)
|
|
||||||
if (!(ssh->compat & SSH_BUG_NOREKEY))
|
|
||||||
return SSH_ERR_NEED_REKEY;
|
|
||||||
@@ -1698,6 +1690,10 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
|
|
||||||
#endif
|
|
||||||
/* reset for next packet */
|
|
||||||
state->packlen = 0;
|
|
||||||
+ if (*typep == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) {
|
|
||||||
+ debug("resetting read seqnr %u", state->p_read.seqnr);
|
|
||||||
+ state->p_read.seqnr = 0;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
/* do we need to rekey? */
|
|
||||||
if (ssh_packet_need_rekeying(ssh, 0)) {
|
|
||||||
@@ -1720,10 +1716,39 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
|
|
||||||
r = ssh_packet_read_poll2(ssh, typep, seqnr_p);
|
|
||||||
if (r != 0)
|
|
||||||
return r;
|
|
||||||
- if (*typep) {
|
|
||||||
- state->keep_alive_timeouts = 0;
|
|
||||||
- DBG(debug("received packet type %d", *typep));
|
|
||||||
+ if (*typep == 0) {
|
|
||||||
+ /* no message ready */
|
|
||||||
+ return 0;
|
|
||||||
}
|
|
||||||
+ state->keep_alive_timeouts = 0;
|
|
||||||
+ DBG(debug("received packet type %d", *typep));
|
|
||||||
+
|
|
||||||
+ /* Always process disconnect messages */
|
|
||||||
+ if (*typep == SSH2_MSG_DISCONNECT) {
|
|
||||||
+ if ((r = sshpkt_get_u32(ssh, &reason)) != 0 ||
|
|
||||||
+ (r = sshpkt_get_string(ssh, &msg, NULL)) != 0)
|
|
||||||
+ return r;
|
|
||||||
+ /* Ignore normal client exit notifications */
|
|
||||||
+ do_log2(ssh->state->server_side &&
|
|
||||||
+ reason == SSH2_DISCONNECT_BY_APPLICATION ?
|
|
||||||
+ SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
|
|
||||||
+ "Received disconnect from %s port %d:"
|
|
||||||
+ "%u: %.400s", ssh_remote_ipaddr(ssh),
|
|
||||||
+ ssh_remote_port(ssh), reason, msg);
|
|
||||||
+ free(msg);
|
|
||||||
+ return SSH_ERR_DISCONNECTED;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Do not implicitly handle any messages here during initial
|
|
||||||
+ * KEX when in strict mode. They will be need to be allowed
|
|
||||||
+ * explicitly by the KEX dispatch table or they will generate
|
|
||||||
+ * protocol errors.
|
|
||||||
+ */
|
|
||||||
+ if (ssh->kex != NULL &&
|
|
||||||
+ (ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict)
|
|
||||||
+ return 0;
|
|
||||||
+ /* Implicitly handle transport-level messages */
|
|
||||||
switch (*typep) {
|
|
||||||
case SSH2_MSG_IGNORE:
|
|
||||||
debug3("Received SSH2_MSG_IGNORE");
|
|
||||||
@@ -1738,19 +1763,6 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
|
|
||||||
debug("Remote: %.900s", msg);
|
|
||||||
free(msg);
|
|
||||||
break;
|
|
||||||
- case SSH2_MSG_DISCONNECT:
|
|
||||||
- if ((r = sshpkt_get_u32(ssh, &reason)) != 0 ||
|
|
||||||
- (r = sshpkt_get_string(ssh, &msg, NULL)) != 0)
|
|
||||||
- return r;
|
|
||||||
- /* Ignore normal client exit notifications */
|
|
||||||
- do_log2(ssh->state->server_side &&
|
|
||||||
- reason == SSH2_DISCONNECT_BY_APPLICATION ?
|
|
||||||
- SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
|
|
||||||
- "Received disconnect from %s port %d:"
|
|
||||||
- "%u: %.400s", ssh_remote_ipaddr(ssh),
|
|
||||||
- ssh_remote_port(ssh), reason, msg);
|
|
||||||
- free(msg);
|
|
||||||
- return SSH_ERR_DISCONNECTED;
|
|
||||||
case SSH2_MSG_UNIMPLEMENTED:
|
|
||||||
if ((r = sshpkt_get_u32(ssh, &seqnr)) != 0)
|
|
||||||
return r;
|
|
||||||
@@ -2242,6 +2254,7 @@ kex_to_blob(struct sshbuf *m, struct kex *kex)
|
|
||||||
(r = sshbuf_put_u32(m, kex->hostkey_type)) != 0 ||
|
|
||||||
(r = sshbuf_put_u32(m, kex->hostkey_nid)) != 0 ||
|
|
||||||
(r = sshbuf_put_u32(m, kex->kex_type)) != 0 ||
|
|
||||||
+ (r = sshbuf_put_u32(m, kex->kex_strict)) != 0 ||
|
|
||||||
(r = sshbuf_put_stringb(m, kex->my)) != 0 ||
|
|
||||||
(r = sshbuf_put_stringb(m, kex->peer)) != 0 ||
|
|
||||||
(r = sshbuf_put_stringb(m, kex->client_version)) != 0 ||
|
|
||||||
@@ -2404,6 +2417,7 @@ kex_from_blob(struct sshbuf *m, struct kex **kexp)
|
|
||||||
(r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_type)) != 0 ||
|
|
||||||
(r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_nid)) != 0 ||
|
|
||||||
(r = sshbuf_get_u32(m, &kex->kex_type)) != 0 ||
|
|
||||||
+ (r = sshbuf_get_u32(m, &kex->kex_strict)) != 0 ||
|
|
||||||
(r = sshbuf_get_stringb(m, kex->my)) != 0 ||
|
|
||||||
(r = sshbuf_get_stringb(m, kex->peer)) != 0 ||
|
|
||||||
(r = sshbuf_get_stringb(m, kex->client_version)) != 0 ||
|
|
||||||
@@ -2732,6 +2746,7 @@ sshpkt_disconnect(struct ssh *ssh, const char *fmt,...)
|
|
||||||
vsnprintf(buf, sizeof(buf), fmt, args);
|
|
||||||
va_end(args);
|
|
||||||
|
|
||||||
+ debug2("sending SSH2_MSG_DISCONNECT: %s", buf);
|
|
||||||
if ((r = sshpkt_start(ssh, SSH2_MSG_DISCONNECT)) != 0 ||
|
|
||||||
(r = sshpkt_put_u32(ssh, SSH2_DISCONNECT_PROTOCOL_ERROR)) != 0 ||
|
|
||||||
(r = sshpkt_put_cstring(ssh, buf)) != 0 ||
|
|
||||||
diff --git a/sshconnect2.c b/sshconnect2.c
|
|
||||||
index df6caf81..0cccbcc4 100644
|
|
||||||
--- a/sshconnect2.c
|
|
||||||
+++ b/sshconnect2.c
|
|
||||||
@@ -253,7 +253,8 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
|
||||||
xxx_host = host;
|
|
||||||
xxx_hostaddr = hostaddr;
|
|
||||||
|
|
||||||
- if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
|
|
||||||
+ if ((s = kex_names_cat(options.kex_algorithms,
|
|
||||||
+ "ext-info-c,kex-strict-c-v00@openssh.com")) == NULL)
|
|
||||||
fatal("%s: kex_names_cat", __func__);
|
|
||||||
myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
|
|
||||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
|
||||||
@@ -358,7 +358,6 @@ struct cauthmethod {
|
|
||||||
};
|
|
||||||
|
|
||||||
static int input_userauth_service_accept(int, u_int32_t, struct ssh *);
|
|
||||||
-static int input_userauth_ext_info(int, u_int32_t, struct ssh *);
|
|
||||||
static int input_userauth_success(int, u_int32_t, struct ssh *);
|
|
||||||
static int input_userauth_failure(int, u_int32_t, struct ssh *);
|
|
||||||
static int input_userauth_banner(int, u_int32_t, struct ssh *);
|
|
||||||
@@ -472,7 +471,7 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
|
|
||||||
|
|
||||||
ssh->authctxt = &authctxt;
|
|
||||||
ssh_dispatch_init(ssh, &input_userauth_error);
|
|
||||||
- ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &input_userauth_ext_info);
|
|
||||||
+ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, kex_input_ext_info);
|
|
||||||
ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_ACCEPT, &input_userauth_service_accept);
|
|
||||||
ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &authctxt.success); /* loop until success */
|
|
||||||
pubkey_cleanup(ssh);
|
|
||||||
@@ -531,12 +530,6 @@ input_userauth_service_accept(int type, u_int32_t seq, struct ssh *ssh)
|
|
||||||
}
|
|
||||||
|
|
||||||
/* ARGSUSED */
|
|
||||||
-static int
|
|
||||||
-input_userauth_ext_info(int type, u_int32_t seqnr, struct ssh *ssh)
|
|
||||||
-{
|
|
||||||
- return kex_input_ext_info(type, seqnr, ssh);
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
void
|
|
||||||
userauth(struct ssh *ssh, char *authlist)
|
|
||||||
{
|
|
||||||
@@ -615,6 +608,7 @@ input_userauth_success(int type, u_int32_t seq, struct ssh *ssh)
|
|
||||||
free(authctxt->methoddata);
|
|
||||||
authctxt->methoddata = NULL;
|
|
||||||
authctxt->success = 1; /* break out */
|
|
||||||
+ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, dispatch_protocol_error);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff -up openssh-8.7p1/sshd.c.kexstrict openssh-8.7p1/sshd.c
|
|
||||||
--- openssh-8.7p1/sshd.c.kexstrict 2023-11-27 13:19:18.855433602 +0100
|
|
||||||
+++ openssh-8.7p1/sshd.c 2023-11-27 13:28:10.441325314 +0100
|
|
||||||
@@ -2531,10 +2531,14 @@ do_ssh2_kex(struct ssh *ssh)
|
|
||||||
{
|
|
||||||
char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
|
|
||||||
struct kex *kex;
|
|
||||||
+ char *cp;
|
|
||||||
int r;
|
|
||||||
|
|
||||||
- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
|
|
||||||
- options.kex_algorithms);
|
|
||||||
+ if ((cp = kex_names_cat(options.kex_algorithms,
|
|
||||||
+ "kex-strict-s-v00@openssh.com")) == NULL)
|
|
||||||
+ fatal("kex_names_cat");
|
|
||||||
+
|
|
||||||
+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(cp);
|
|
||||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
|
|
||||||
options.ciphers);
|
|
||||||
myproposal[PROPOSAL_ENC_ALGS_STOC] = compat_cipher_proposal(
|
|
||||||
@@ -2586,7 +2586,7 @@ do_ssh2_kex(struct ssh *ssh)
|
|
||||||
if (gss && orig)
|
|
||||||
xasprintf(&newstr, "%s,%s", gss, orig);
|
|
||||||
else if (gss)
|
|
||||||
- newstr = gss;
|
|
||||||
+ xasprintf(&newstr, "%s,%s", gss, "kex-strict-s-v00@openssh.com");
|
|
||||||
else if (orig)
|
|
||||||
newstr = orig;
|
|
||||||
|
|
||||||
@@ -2650,6 +2654,7 @@ do_ssh2_kex(struct ssh *ssh)
|
|
||||||
packet_send();
|
|
||||||
packet_write_wait();
|
|
||||||
#endif
|
|
||||||
+ free(cp);
|
|
||||||
debug("KEX done");
|
|
||||||
}
|
|
||||||
|
|
@ -1,57 +0,0 @@
|
|||||||
diff --git a/ssh.c b/ssh.c
|
|
||||||
index 35c48e62..48d93ddf 100644
|
|
||||||
--- a/ssh.c
|
|
||||||
+++ b/ssh.c
|
|
||||||
@@ -626,6 +626,41 @@ ssh_conn_info_free(struct ssh_conn_info *cinfo)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+static int
|
|
||||||
+valid_hostname(const char *s)
|
|
||||||
+{
|
|
||||||
+ size_t i;
|
|
||||||
+
|
|
||||||
+ if (*s == '-')
|
|
||||||
+ return 0;
|
|
||||||
+ for (i = 0; s[i] != 0; i++) {
|
|
||||||
+ if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL ||
|
|
||||||
+ isspace((u_char)s[i]) || iscntrl((u_char)s[i]))
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int
|
|
||||||
+valid_ruser(const char *s)
|
|
||||||
+{
|
|
||||||
+ size_t i;
|
|
||||||
+
|
|
||||||
+ if (*s == '-')
|
|
||||||
+ return 0;
|
|
||||||
+ for (i = 0; s[i] != 0; i++) {
|
|
||||||
+ if (strchr("'`\";&<>|(){}", s[i]) != NULL)
|
|
||||||
+ return 0;
|
|
||||||
+ /* Disallow '-' after whitespace */
|
|
||||||
+ if (isspace((u_char)s[i]) && s[i + 1] == '-')
|
|
||||||
+ return 0;
|
|
||||||
+ /* Disallow \ in last position */
|
|
||||||
+ if (s[i] == '\\' && s[i + 1] == '\0')
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* Main program for the ssh client.
|
|
||||||
*/
|
|
||||||
@@ -1118,6 +1153,10 @@ main(int ac, char **av)
|
|
||||||
if (!host)
|
|
||||||
usage();
|
|
||||||
|
|
||||||
+ if (!valid_hostname(host))
|
|
||||||
+ fatal("hostname contains invalid characters");
|
|
||||||
+ if (options.user != NULL && !valid_ruser(options.user))
|
|
||||||
+ fatal("remote username contains invalid characters");
|
|
||||||
host_arg = xstrdup(host);
|
|
||||||
|
|
||||||
/* Initialize the command to execute on remote host. */
|
|
@ -1,37 +0,0 @@
|
|||||||
authfd.c
|
|
||||||
authfd.h
|
|
||||||
atomicio.c
|
|
||||||
atomicio.h
|
|
||||||
bufaux.c
|
|
||||||
bufbn.c
|
|
||||||
buffer.h
|
|
||||||
buffer.c
|
|
||||||
cleanup.c
|
|
||||||
cipher.h
|
|
||||||
compat.h
|
|
||||||
defines.h
|
|
||||||
entropy.c
|
|
||||||
entropy.h
|
|
||||||
fatal.c
|
|
||||||
includes.h
|
|
||||||
kex.h
|
|
||||||
key.c
|
|
||||||
key.h
|
|
||||||
log.c
|
|
||||||
log.h
|
|
||||||
match.h
|
|
||||||
misc.c
|
|
||||||
misc.h
|
|
||||||
pathnames.h
|
|
||||||
platform.h
|
|
||||||
rsa.h
|
|
||||||
ssh-dss.c
|
|
||||||
ssh-rsa.c
|
|
||||||
ssh.h
|
|
||||||
ssh2.h
|
|
||||||
uidswap.c
|
|
||||||
uidswap.h
|
|
||||||
uuencode.c
|
|
||||||
uuencode.h
|
|
||||||
xmalloc.c
|
|
||||||
xmalloc.h
|
|
@ -1,939 +0,0 @@
|
|||||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c
|
|
||||||
--- openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
|
||||||
+++ openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c 2018-08-24 10:22:56.281930322 +0200
|
|
||||||
@@ -27,6 +27,7 @@
|
|
||||||
* or implied, of Jamie Beverly.
|
|
||||||
*/
|
|
||||||
|
|
||||||
+#include <stdlib.h>
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <errno.h>
|
|
||||||
#include <string.h>
|
|
||||||
@@ -65,8 +66,8 @@ proc_pid_cmdline(char *** inargv)
|
|
||||||
case EOF:
|
|
||||||
case '\0':
|
|
||||||
if (len > 0) {
|
|
||||||
- argv = pamsshagentauth_xrealloc(argv, count + 1, sizeof(*argv));
|
|
||||||
- argv[count] = pamsshagentauth_xcalloc(len + 1, sizeof(*argv[count]));
|
|
||||||
+ argv = xreallocarray(argv, count + 1, sizeof(*argv));
|
|
||||||
+ argv[count] = xcalloc(len + 1, sizeof(*argv[count]));
|
|
||||||
strncpy(argv[count++], argbuf, len);
|
|
||||||
memset(argbuf, '\0', MAX_LEN_PER_CMDLINE_ARG + 1);
|
|
||||||
len = 0;
|
|
||||||
@@ -105,9 +106,9 @@ pamsshagentauth_free_command_line(char *
|
|
||||||
{
|
|
||||||
size_t i;
|
|
||||||
for (i = 0; i < n_args; i++)
|
|
||||||
- pamsshagentauth_xfree(argv[i]);
|
|
||||||
+ free(argv[i]);
|
|
||||||
|
|
||||||
- pamsshagentauth_xfree(argv);
|
|
||||||
+ free(argv);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/identity.h
|
|
||||||
--- openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
|
||||||
+++ openssh/pam_ssh_agent_auth-0.10.3/identity.h 2018-08-24 10:18:05.009393312 +0200
|
|
||||||
@@ -30,8 +30,8 @@
|
|
||||||
#include "openbsd-compat/sys-queue.h"
|
|
||||||
#include "xmalloc.h"
|
|
||||||
#include "log.h"
|
|
||||||
-#include "buffer.h"
|
|
||||||
-#include "key.h"
|
|
||||||
+#include "sshbuf.h"
|
|
||||||
+#include "sshkey.h"
|
|
||||||
#include "authfd.h"
|
|
||||||
#include <stdio.h>
|
|
||||||
|
|
||||||
@@ -41,7 +41,7 @@ typedef struct idlist Idlist;
|
|
||||||
struct identity {
|
|
||||||
TAILQ_ENTRY(identity) next;
|
|
||||||
AuthenticationConnection *ac; /* set if agent supports key */
|
|
||||||
- Key *key; /* public/private key */
|
|
||||||
+ struct sshkey *key; /* public/private key */
|
|
||||||
char *filename; /* comment for agent-only keys */
|
|
||||||
int tried;
|
|
||||||
int isprivate; /* key points to the private key */
|
|
||||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
|
|
||||||
--- openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat 2018-08-24 10:18:05.007393297 +0200
|
|
||||||
+++ openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2018-08-24 10:18:32.937612513 +0200
|
|
||||||
@@ -36,8 +36,8 @@
|
|
||||||
#include "openbsd-compat/sys-queue.h"
|
|
||||||
#include "xmalloc.h"
|
|
||||||
#include "log.h"
|
|
||||||
-#include "buffer.h"
|
|
||||||
-#include "key.h"
|
|
||||||
+#include "sshbuf.h"
|
|
||||||
+#include "sshkey.h"
|
|
||||||
#include "authfd.h"
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <openssl/evp.h>
|
|
||||||
@@ -58,6 +58,8 @@
|
|
||||||
#include "get_command_line.h"
|
|
||||||
extern char **environ;
|
|
||||||
|
|
||||||
+#define PAM_SSH_AGENT_AUTH_REQUESTv1 101
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* Added by Jamie Beverly, ensure socket fd points to a socket owned by the user
|
|
||||||
* A cursory check is done, but to avoid race conditions, it is necessary
|
|
||||||
@@ -77,7 +79,7 @@ log_action(char ** action, size_t count)
|
|
||||||
if (count == 0)
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
- buf = pamsshagentauth_xcalloc((count * MAX_LEN_PER_CMDLINE_ARG) + (count * 3), sizeof(*buf));
|
|
||||||
+ buf = xcalloc((count * MAX_LEN_PER_CMDLINE_ARG) + (count * 3), sizeof(*buf));
|
|
||||||
for (i = 0; i < count; i++) {
|
|
||||||
strcat(buf, (i > 0) ? " '" : "'");
|
|
||||||
strncat(buf, action[i], MAX_LEN_PER_CMDLINE_ARG);
|
|
||||||
@@ -87,21 +89,25 @@ log_action(char ** action, size_t count)
|
|
||||||
}
|
|
||||||
|
|
||||||
void
|
|
||||||
-agent_action(Buffer *buf, char ** action, size_t count)
|
|
||||||
+agent_action(struct sshbuf **buf, char ** action, size_t count)
|
|
||||||
{
|
|
||||||
size_t i;
|
|
||||||
- pamsshagentauth_buffer_init(buf);
|
|
||||||
+ int r;
|
|
||||||
|
|
||||||
- pamsshagentauth_buffer_put_int(buf, count);
|
|
||||||
+ if ((*buf = sshbuf_new()) == NULL)
|
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
|
||||||
+ if ((r = sshbuf_put_u32(*buf, count)) != 0)
|
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
||||||
|
|
||||||
for (i = 0; i < count; i++) {
|
|
||||||
- pamsshagentauth_buffer_put_cstring(buf, action[i]);
|
|
||||||
+ if ((r = sshbuf_put_cstring(*buf, action[i])) != 0)
|
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
-void
|
|
||||||
-pamsshagentauth_session_id2_gen(Buffer * session_id2, const char * user,
|
|
||||||
+static void
|
|
||||||
+pamsshagentauth_session_id2_gen(struct sshbuf ** session_id2, const char * user,
|
|
||||||
const char * ruser, const char * servicename)
|
|
||||||
{
|
|
||||||
u_char *cookie = NULL;
|
|
||||||
@@ -114,22 +116,23 @@ pamsshagentauth_session_id2_gen(Buffer *
|
|
||||||
char ** reported_argv = NULL;
|
|
||||||
size_t count = 0;
|
|
||||||
char * action_logbuf = NULL;
|
|
||||||
- Buffer action_agentbuf;
|
|
||||||
+ struct sshbuf *action_agentbuf = NULL;
|
|
||||||
uint8_t free_logbuf = 0;
|
|
||||||
char * retc;
|
|
||||||
int32_t reti;
|
|
||||||
+ int r;
|
|
||||||
|
|
||||||
- rnd = pamsshagentauth_arc4random();
|
|
||||||
+ rnd = arc4random();
|
|
||||||
cookie_len = ((uint8_t) rnd);
|
|
||||||
while (cookie_len < 16) {
|
|
||||||
cookie_len += 16; /* Add 16 bytes to the size to ensure that while the length is random, the length is always reasonable; ticket #18 */
|
|
||||||
}
|
|
||||||
|
|
||||||
- cookie = pamsshagentauth_xcalloc(1,cookie_len);
|
|
||||||
+ cookie = xcalloc(1, cookie_len);
|
|
||||||
|
|
||||||
for (i = 0; i < cookie_len; i++) {
|
|
||||||
if (i % 4 == 0) {
|
|
||||||
- rnd = pamsshagentauth_arc4random();
|
|
||||||
+ rnd = arc4random();
|
|
||||||
}
|
|
||||||
cookie[i] = (u_char) rnd;
|
|
||||||
rnd >>= 8;
|
|
||||||
@@ -139,12 +141,13 @@ pamsshagentauth_session_id2_gen(Buffer *
|
|
||||||
if (count > 0) {
|
|
||||||
free_logbuf = 1;
|
|
||||||
action_logbuf = log_action(reported_argv, count);
|
|
||||||
- agent_action(&action_agentbuf, reported_argv, count);
|
|
||||||
+ agent_action(&action_agentbuf, reported_argv, count);
|
|
||||||
pamsshagentauth_free_command_line(reported_argv, count);
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
action_logbuf = "unknown on this platform";
|
|
||||||
- pamsshagentauth_buffer_init(&action_agentbuf); /* stays empty, means unavailable */
|
|
||||||
+ if ((action_agentbuf = sshbuf_new()) == NULL) /* stays empty, means unavailable */
|
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
@@ -161,35 +163,39 @@ pamsshagentauth_session_id2_gen(Buffer *
|
|
||||||
retc = getcwd(pwd, sizeof(pwd) - 1);
|
|
||||||
time(&ts);
|
|
||||||
|
|
||||||
- pamsshagentauth_buffer_init(session_id2);
|
|
||||||
+ if ((*session_id2 = sshbuf_new()) == NULL)
|
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
|
||||||
|
|
||||||
- pamsshagentauth_buffer_put_int(session_id2, PAM_SSH_AGENT_AUTH_REQUESTv1);
|
|
||||||
- /* pamsshagentauth_debug3("cookie: %s", pamsshagentauth_tohex(cookie, cookie_len)); */
|
|
||||||
- pamsshagentauth_buffer_put_string(session_id2, cookie, cookie_len);
|
|
||||||
- /* pamsshagentauth_debug3("user: %s", user); */
|
|
||||||
- pamsshagentauth_buffer_put_cstring(session_id2, user);
|
|
||||||
- /* pamsshagentauth_debug3("ruser: %s", ruser); */
|
|
||||||
- pamsshagentauth_buffer_put_cstring(session_id2, ruser);
|
|
||||||
- /* pamsshagentauth_debug3("servicename: %s", servicename); */
|
|
||||||
- pamsshagentauth_buffer_put_cstring(session_id2, servicename);
|
|
||||||
- /* pamsshagentauth_debug3("pwd: %s", pwd); */
|
|
||||||
- if(retc)
|
|
||||||
- pamsshagentauth_buffer_put_cstring(session_id2, pwd);
|
|
||||||
- else
|
|
||||||
- pamsshagentauth_buffer_put_cstring(session_id2, "");
|
|
||||||
- /* pamsshagentauth_debug3("action: %s", action_logbuf); */
|
|
||||||
- pamsshagentauth_buffer_put_string(session_id2, action_agentbuf.buf + action_agentbuf.offset, action_agentbuf.end - action_agentbuf.offset);
|
|
||||||
+ if ((r = sshbuf_put_u32(*session_id2, PAM_SSH_AGENT_AUTH_REQUESTv1)) != 0 ||
|
|
||||||
+ (r = sshbuf_put_string(*session_id2, cookie, cookie_len)) != 0 ||
|
|
||||||
+ (r = sshbuf_put_cstring(*session_id2, user)) != 0 ||
|
|
||||||
+ (r = sshbuf_put_cstring(*session_id2, ruser)) != 0 ||
|
|
||||||
+ (r = sshbuf_put_cstring(*session_id2, servicename)) != 0)
|
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
||||||
+ if (retc) {
|
|
||||||
+ if ((r = sshbuf_put_cstring(*session_id2, pwd)) != 0)
|
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
||||||
+ } else {
|
|
||||||
+ if ((r = sshbuf_put_cstring(*session_id2, "")) != 0)
|
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
||||||
+ }
|
|
||||||
+ if ((r = sshbuf_put_stringb(*session_id2, action_agentbuf)) != 0)
|
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
||||||
if (free_logbuf) {
|
|
||||||
- pamsshagentauth_xfree(action_logbuf);
|
|
||||||
- pamsshagentauth_buffer_free(&action_agentbuf);
|
|
||||||
+ free(action_logbuf);
|
|
||||||
+ sshbuf_free(action_agentbuf);
|
|
||||||
}
|
|
||||||
- /* pamsshagentauth_debug3("hostname: %s", hostname); */
|
|
||||||
- if(reti >= 0)
|
|
||||||
- pamsshagentauth_buffer_put_cstring(session_id2, hostname);
|
|
||||||
- else
|
|
||||||
- pamsshagentauth_buffer_put_cstring(session_id2, "");
|
|
||||||
- /* pamsshagentauth_debug3("ts: %ld", ts); */
|
|
||||||
- pamsshagentauth_buffer_put_int64(session_id2, (uint64_t) ts);
|
|
||||||
+ /* debug3("hostname: %s", hostname); */
|
|
||||||
+ if (reti >= 0) {
|
|
||||||
+ if ((r = sshbuf_put_cstring(*session_id2, hostname)) != 0)
|
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
||||||
+ } else {
|
|
||||||
+ if ((r = sshbuf_put_cstring(*session_id2, "")) != 0)
|
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
||||||
+ }
|
|
||||||
+ /* debug3("ts: %ld", ts); */
|
|
||||||
+ if ((r = sshbuf_put_u64(*session_id2, (uint64_t) ts)) != 0)
|
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
||||||
|
|
||||||
free(cookie);
|
|
||||||
return;
|
|
||||||
@@ -278,7 +280,8 @@ ssh_get_authentication_connection_for_ui
|
|
||||||
|
|
||||||
auth = xmalloc(sizeof(*auth));
|
|
||||||
auth->fd = sock;
|
|
||||||
- buffer_init(&auth->identities);
|
|
||||||
+ if ((auth->identities = sshbuf_new()) == NULL)
|
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
|
||||||
auth->howmany = 0;
|
|
||||||
|
|
||||||
return auth;
|
|
||||||
@@ -287,43 +289,42 @@ ssh_get_authentication_connection_for_ui
|
|
||||||
int
|
|
||||||
pamsshagentauth_find_authorized_keys(const char * user, const char * ruser, const char * servicename)
|
|
||||||
{
|
|
||||||
- Buffer session_id2 = { 0 };
|
|
||||||
+ struct sshbuf *session_id2 = NULL;
|
|
||||||
Identity *id;
|
|
||||||
- Key *key;
|
|
||||||
+ struct sshkey *key;
|
|
||||||
AuthenticationConnection *ac;
|
|
||||||
char *comment;
|
|
||||||
uint8_t retval = 0;
|
|
||||||
uid_t uid = getpwnam(ruser)->pw_uid;
|
|
||||||
|
|
||||||
OpenSSL_add_all_digests();
|
|
||||||
- pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename);
|
|
||||||
+ pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename);
|
|
||||||
|
|
||||||
if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
|
|
||||||
- pamsshagentauth_verbose("Contacted ssh-agent of user %s (%u)", ruser, uid);
|
|
||||||
+ verbose("Contacted ssh-agent of user %s (%u)", ruser, uid);
|
|
||||||
for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2))
|
|
||||||
{
|
|
||||||
if(key != NULL) {
|
|
||||||
- id = pamsshagentauth_xcalloc(1, sizeof(*id));
|
|
||||||
+ id = xcalloc(1, sizeof(*id));
|
|
||||||
id->key = key;
|
|
||||||
id->filename = comment;
|
|
||||||
id->ac = ac;
|
|
||||||
- if(userauth_pubkey_from_id(ruser, id, &session_id2)) {
|
|
||||||
+ if(userauth_pubkey_from_id(ruser, id, session_id2)) {
|
|
||||||
retval = 1;
|
|
||||||
}
|
|
||||||
- pamsshagentauth_xfree(id->filename);
|
|
||||||
- pamsshagentauth_key_free(id->key);
|
|
||||||
- pamsshagentauth_xfree(id);
|
|
||||||
+ free(id->filename);
|
|
||||||
+ key_free(id->key);
|
|
||||||
+ free(id);
|
|
||||||
if(retval == 1)
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
- pamsshagentauth_buffer_free(&session_id2);
|
|
||||||
+ sshbuf_free(session_id2);
|
|
||||||
ssh_close_authentication_connection(ac);
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
- pamsshagentauth_verbose("No ssh-agent could be contacted");
|
|
||||||
+ verbose("No ssh-agent could be contacted");
|
|
||||||
}
|
|
||||||
- /* pamsshagentauth_xfree(session_id2); */
|
|
||||||
EVP_cleanup();
|
|
||||||
return retval;
|
|
||||||
}
|
|
||||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c
|
|
||||||
--- openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat 2018-08-24 10:18:05.008393305 +0200
|
|
||||||
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c 2018-08-24 10:18:05.009393312 +0200
|
|
||||||
@@ -104,7 +104,7 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
|
||||||
* a patch 8-)
|
|
||||||
*/
|
|
||||||
#if ! HAVE___PROGNAME || HAVE_BUNDLE
|
|
||||||
- __progname = pamsshagentauth_xstrdup(servicename);
|
|
||||||
+ __progname = xstrdup(servicename);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
for(i = argc, argv_ptr = (char **) argv; i > 0; ++argv_ptr, i--) {
|
|
||||||
@@ -130,11 +130,11 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
- pamsshagentauth_log_init(__progname, log_lvl, facility, getenv("PAM_SSH_AGENT_AUTH_DEBUG") ? 1 : 0);
|
|
||||||
+ log_init(__progname, log_lvl, facility, getenv("PAM_SSH_AGENT_AUTH_DEBUG") ? 1 : 0);
|
|
||||||
pam_get_item(pamh, PAM_USER, (void *) &user);
|
|
||||||
pam_get_item(pamh, PAM_RUSER, (void *) &ruser_ptr);
|
|
||||||
|
|
||||||
- pamsshagentauth_verbose("Beginning pam_ssh_agent_auth for user %s", user);
|
|
||||||
+ verbose("Beginning pam_ssh_agent_auth for user %s", user);
|
|
||||||
|
|
||||||
if(ruser_ptr) {
|
|
||||||
strncpy(ruser, ruser_ptr, sizeof(ruser) - 1);
|
|
||||||
@@ -149,12 +149,12 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
|
||||||
#ifdef ENABLE_SUDO_HACK
|
|
||||||
if( (strlen(sudo_service_name) > 0) && strncasecmp(servicename, sudo_service_name, sizeof(sudo_service_name) - 1) == 0 && getenv("SUDO_USER") ) {
|
|
||||||
strncpy(ruser, getenv("SUDO_USER"), sizeof(ruser) - 1 );
|
|
||||||
- pamsshagentauth_verbose( "Using environment variable SUDO_USER (%s)", ruser );
|
|
||||||
+ verbose( "Using environment variable SUDO_USER (%s)", ruser );
|
|
||||||
} else
|
|
||||||
#endif
|
|
||||||
{
|
|
||||||
if( ! getpwuid(getuid()) ) {
|
|
||||||
- pamsshagentauth_verbose("Unable to getpwuid(getuid())");
|
|
||||||
+ verbose("Unable to getpwuid(getuid())");
|
|
||||||
goto cleanexit;
|
|
||||||
}
|
|
||||||
strncpy(ruser, getpwuid(getuid())->pw_name, sizeof(ruser) - 1);
|
|
||||||
@@ -163,11 +163,11 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
|
||||||
|
|
||||||
/* Might as well explicitely confirm the user exists here */
|
|
||||||
if(! getpwnam(ruser) ) {
|
|
||||||
- pamsshagentauth_verbose("getpwnam(%s) failed, bailing out", ruser);
|
|
||||||
+ verbose("getpwnam(%s) failed, bailing out", ruser);
|
|
||||||
goto cleanexit;
|
|
||||||
}
|
|
||||||
if( ! getpwnam(user) ) {
|
|
||||||
- pamsshagentauth_verbose("getpwnam(%s) failed, bailing out", user);
|
|
||||||
+ verbose("getpwnam(%s) failed, bailing out", user);
|
|
||||||
goto cleanexit;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -177,8 +177,8 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
|
||||||
*/
|
|
||||||
parse_authorized_key_file(user, authorized_keys_file_input);
|
|
||||||
} else {
|
|
||||||
- pamsshagentauth_verbose("Using default file=/etc/security/authorized_keys");
|
|
||||||
- authorized_keys_file = pamsshagentauth_xstrdup("/etc/security/authorized_keys");
|
|
||||||
+ verbose("Using default file=/etc/security/authorized_keys");
|
|
||||||
+ authorized_keys_file = xstrdup("/etc/security/authorized_keys");
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
@@ -187,19 +187,19 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
|
||||||
*/
|
|
||||||
|
|
||||||
if(user && strlen(ruser) > 0) {
|
|
||||||
- pamsshagentauth_verbose("Attempting authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
|
||||||
+ verbose("Attempting authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* this pw_uid is used to validate the SSH_AUTH_SOCK, and so must be the uid of the ruser invoking the program, not the target-user
|
|
||||||
*/
|
|
||||||
if(pamsshagentauth_find_authorized_keys(user, ruser, servicename)) { /* getpwnam(ruser)->pw_uid)) { */
|
|
||||||
- pamsshagentauth_logit("Authenticated: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
|
||||||
+ logit("Authenticated: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
|
||||||
retval = PAM_SUCCESS;
|
|
||||||
} else {
|
|
||||||
- pamsshagentauth_logit("Failed Authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
|
||||||
+ logit("Failed Authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
- pamsshagentauth_logit("No %s specified, cannot continue with this form of authentication", (user) ? "ruser" : "user" );
|
|
||||||
+ logit("No %s specified, cannot continue with this form of authentication", (user) ? "ruser" : "user" );
|
|
||||||
}
|
|
||||||
|
|
||||||
cleanexit:
|
|
||||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c
|
|
||||||
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
|
||||||
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c 2018-08-24 10:18:05.009393312 +0200
|
|
||||||
@@ -66,8 +66,8 @@
|
|
||||||
#include "xmalloc.h"
|
|
||||||
#include "match.h"
|
|
||||||
#include "log.h"
|
|
||||||
-#include "buffer.h"
|
|
||||||
-#include "key.h"
|
|
||||||
+#include "sshbuf.h"
|
|
||||||
+#include "sshkey.h"
|
|
||||||
#include "misc.h"
|
|
||||||
|
|
||||||
#include "xmalloc.h"
|
|
||||||
@@ -77,7 +77,6 @@
|
|
||||||
#include "pathnames.h"
|
|
||||||
#include "secure_filename.h"
|
|
||||||
|
|
||||||
-#include "identity.h"
|
|
||||||
#include "pam_user_key_allowed2.h"
|
|
||||||
|
|
||||||
extern char *authorized_keys_file;
|
|
||||||
@@ -117,12 +116,12 @@ parse_authorized_key_file(const char *us
|
|
||||||
} else {
|
|
||||||
slash_ptr = strchr(auth_keys_file_buf, '/');
|
|
||||||
if(!slash_ptr)
|
|
||||||
- pamsshagentauth_fatal
|
|
||||||
+ fatal
|
|
||||||
("cannot expand tilde in path without a `/'");
|
|
||||||
|
|
||||||
owner_uname_len = slash_ptr - auth_keys_file_buf - 1;
|
|
||||||
if(owner_uname_len > (sizeof(owner_uname) - 1))
|
|
||||||
- pamsshagentauth_fatal("Username too long");
|
|
||||||
+ fatal("Username too long");
|
|
||||||
|
|
||||||
strncat(owner_uname, auth_keys_file_buf + 1, owner_uname_len);
|
|
||||||
if(!authorized_keys_file_allowed_owner_uid)
|
|
||||||
@@ -130,11 +129,11 @@ parse_authorized_key_file(const char *us
|
|
||||||
getpwnam(owner_uname)->pw_uid;
|
|
||||||
}
|
|
||||||
authorized_keys_file =
|
|
||||||
- pamsshagentauth_tilde_expand_filename(auth_keys_file_buf,
|
|
||||||
+ tilde_expand_filename(auth_keys_file_buf,
|
|
||||||
authorized_keys_file_allowed_owner_uid);
|
|
||||||
strncpy(auth_keys_file_buf, authorized_keys_file,
|
|
||||||
sizeof(auth_keys_file_buf) - 1);
|
|
||||||
- pamsshagentauth_xfree(authorized_keys_file) /* when we
|
|
||||||
+ free(authorized_keys_file) /* when we
|
|
||||||
percent_expand
|
|
||||||
later, we'd step
|
|
||||||
on this, so free
|
|
||||||
@@ -150,13 +149,13 @@ parse_authorized_key_file(const char *us
|
|
||||||
strncat(hostname, fqdn, strcspn(fqdn, "."));
|
|
||||||
#endif
|
|
||||||
authorized_keys_file =
|
|
||||||
- pamsshagentauth_percent_expand(auth_keys_file_buf, "h",
|
|
||||||
+ percent_expand(auth_keys_file_buf, "h",
|
|
||||||
getpwnam(user)->pw_dir, "H", hostname,
|
|
||||||
"f", fqdn, "u", user, NULL);
|
|
||||||
}
|
|
||||||
|
|
||||||
int
|
|
||||||
-pam_user_key_allowed(const char *ruser, Key * key)
|
|
||||||
+pam_user_key_allowed(const char *ruser, struct sshkey * key)
|
|
||||||
{
|
|
||||||
return
|
|
||||||
pamsshagentauth_user_key_allowed2(getpwuid(authorized_keys_file_allowed_owner_uid),
|
|
||||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h
|
|
||||||
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
|
||||||
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h 2018-08-24 10:18:05.010393320 +0200
|
|
||||||
@@ -32,7 +32,7 @@
|
|
||||||
#define _PAM_USER_KEY_ALLOWED_H
|
|
||||||
|
|
||||||
#include "identity.h"
|
|
||||||
-int pam_user_key_allowed(const char *, Key *);
|
|
||||||
+int pam_user_key_allowed(const char *, struct sshkey *);
|
|
||||||
void parse_authorized_key_file(const char *, const char *);
|
|
||||||
|
|
||||||
#endif
|
|
||||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c
|
|
||||||
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
|
||||||
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c 2018-08-24 10:18:05.010393320 +0200
|
|
||||||
@@ -45,44 +45,46 @@
|
|
||||||
#include "xmalloc.h"
|
|
||||||
#include "ssh.h"
|
|
||||||
#include "ssh2.h"
|
|
||||||
-#include "buffer.h"
|
|
||||||
+#include "sshbuf.h"
|
|
||||||
#include "log.h"
|
|
||||||
#include "compat.h"
|
|
||||||
-#include "key.h"
|
|
||||||
+#include "digest.h"
|
|
||||||
+#include "sshkey.h"
|
|
||||||
#include "pathnames.h"
|
|
||||||
#include "misc.h"
|
|
||||||
#include "secure_filename.h"
|
|
||||||
#include "uidswap.h"
|
|
||||||
-
|
|
||||||
-#include "identity.h"
|
|
||||||
+#include <unistd.h>
|
|
||||||
|
|
||||||
/* return 1 if user allows given key */
|
|
||||||
/* Modified slightly from original found in auth2-pubkey.c */
|
|
||||||
static int
|
|
||||||
-pamsshagentauth_check_authkeys_file(FILE * f, char *file, Key * key)
|
|
||||||
+pamsshagentauth_check_authkeys_file(FILE * f, char *file, struct sshkey * key)
|
|
||||||
{
|
|
||||||
- char line[SSH_MAX_PUBKEY_BYTES];
|
|
||||||
+ char *line = NULL;
|
|
||||||
int found_key = 0;
|
|
||||||
u_long linenum = 0;
|
|
||||||
- Key *found;
|
|
||||||
+ struct sshkey *found;
|
|
||||||
char *fp;
|
|
||||||
+ size_t linesize = 0;
|
|
||||||
|
|
||||||
found_key = 0;
|
|
||||||
- found = pamsshagentauth_key_new(key->type);
|
|
||||||
+ found = sshkey_new(key->type);
|
|
||||||
|
|
||||||
- while(read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
|
|
||||||
+ while ((getline(&line, &linesize, f)) != -1) {
|
|
||||||
char *cp = NULL; /* *key_options = NULL; */
|
|
||||||
|
|
||||||
+ linenum++;
|
|
||||||
/* Skip leading whitespace, empty and comment lines. */
|
|
||||||
for(cp = line; *cp == ' ' || *cp == '\t'; cp++);
|
|
||||||
if(!*cp || *cp == '\n' || *cp == '#')
|
|
||||||
continue;
|
|
||||||
|
|
||||||
- if(pamsshagentauth_key_read(found, &cp) != 1) {
|
|
||||||
+ if (sshkey_read(found, &cp) != 0) {
|
|
||||||
/* no key? check if there are options for this key */
|
|
||||||
int quoted = 0;
|
|
||||||
|
|
||||||
- pamsshagentauth_verbose("user_key_allowed: check options: '%s'", cp);
|
|
||||||
+ verbose("user_key_allowed: check options: '%s'", cp);
|
|
||||||
/* key_options = cp; */
|
|
||||||
for(; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
|
|
||||||
if(*cp == '\\' && cp[1] == '"')
|
|
||||||
@@ -92,26 +94,27 @@ pamsshagentauth_check_authkeys_file(FILE
|
|
||||||
}
|
|
||||||
/* Skip remaining whitespace. */
|
|
||||||
for(; *cp == ' ' || *cp == '\t'; cp++);
|
|
||||||
- if(pamsshagentauth_key_read(found, &cp) != 1) {
|
|
||||||
- pamsshagentauth_verbose("user_key_allowed: advance: '%s'", cp);
|
|
||||||
+ if(sshkey_read(found, &cp) != 0) {
|
|
||||||
+ verbose("user_key_allowed: advance: '%s'", cp);
|
|
||||||
/* still no key? advance to next line */
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
- if(pamsshagentauth_key_equal(found, key)) {
|
|
||||||
+ if(sshkey_equal(found, key)) {
|
|
||||||
found_key = 1;
|
|
||||||
- pamsshagentauth_logit("matching key found: file/command %s, line %lu", file,
|
|
||||||
+ logit("matching key found: file/command %s, line %lu", file,
|
|
||||||
linenum);
|
|
||||||
- fp = pamsshagentauth_key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
|
|
||||||
- pamsshagentauth_logit("Found matching %s key: %s",
|
|
||||||
- pamsshagentauth_key_type(found), fp);
|
|
||||||
- pamsshagentauth_xfree(fp);
|
|
||||||
+ fp = sshkey_fingerprint(found, SSH_DIGEST_SHA256, SSH_FP_BASE64);
|
|
||||||
+ logit("Found matching %s key: %s",
|
|
||||||
+ sshkey_type(found), fp);
|
|
||||||
+ free(fp);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
- pamsshagentauth_key_free(found);
|
|
||||||
+ free(line);
|
|
||||||
+ sshkey_free(found);
|
|
||||||
if(!found_key)
|
|
||||||
- pamsshagentauth_verbose("key not found");
|
|
||||||
+ verbose("key not found");
|
|
||||||
return found_key;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -120,19 +123,19 @@ pamsshagentauth_check_authkeys_file(FILE
|
|
||||||
* returns 1 if the key is allowed or 0 otherwise.
|
|
||||||
*/
|
|
||||||
int
|
|
||||||
-pamsshagentauth_user_key_allowed2(struct passwd *pw, Key * key, char *file)
|
|
||||||
+pamsshagentauth_user_key_allowed2(struct passwd *pw, struct sshkey * key, char *file)
|
|
||||||
{
|
|
||||||
FILE *f;
|
|
||||||
int found_key = 0;
|
|
||||||
struct stat st;
|
|
||||||
- char buf[SSH_MAX_PUBKEY_BYTES];
|
|
||||||
+ char buf[256];
|
|
||||||
|
|
||||||
/* Temporarily use the user's uid. */
|
|
||||||
- pamsshagentauth_verbose("trying public key file %s", file);
|
|
||||||
+ verbose("trying public key file %s", file);
|
|
||||||
|
|
||||||
/* Fail not so quietly if file does not exist */
|
|
||||||
if(stat(file, &st) < 0) {
|
|
||||||
- pamsshagentauth_verbose("File not found: %s", file);
|
|
||||||
+ verbose("File not found: %s", file);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -144,7 +147,7 @@ pamsshagentauth_user_key_allowed2(struct
|
|
||||||
|
|
||||||
if(pamsshagentauth_secure_filename(f, file, pw, buf, sizeof(buf)) != 0) {
|
|
||||||
fclose(f);
|
|
||||||
- pamsshagentauth_logit("Authentication refused: %s", buf);
|
|
||||||
+ logit("Authentication refused: %s", buf);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -160,7 +163,7 @@ pamsshagentauth_user_key_allowed2(struct
|
|
||||||
int
|
|
||||||
pamsshagentauth_user_key_command_allowed2(char *authorized_keys_command,
|
|
||||||
char *authorized_keys_command_user,
|
|
||||||
- struct passwd *user_pw, Key * key)
|
|
||||||
+ struct passwd *user_pw, struct sshkey * key)
|
|
||||||
{
|
|
||||||
FILE *f;
|
|
||||||
int ok, found_key = 0;
|
|
||||||
@@ -187,44 +190,44 @@ pamsshagentauth_user_key_command_allowed
|
|
||||||
else {
|
|
||||||
pw = getpwnam(authorized_keys_command_user);
|
|
||||||
if(pw == NULL) {
|
|
||||||
- pamsshagentauth_logerror("authorized_keys_command_user \"%s\" not found: %s",
|
|
||||||
+ error("authorized_keys_command_user \"%s\" not found: %s",
|
|
||||||
authorized_keys_command_user, strerror(errno));
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- pamsshagentauth_temporarily_use_uid(pw);
|
|
||||||
+ temporarily_use_uid(pw);
|
|
||||||
|
|
||||||
if(stat(authorized_keys_command, &st) < 0) {
|
|
||||||
- pamsshagentauth_logerror
|
|
||||||
+ error
|
|
||||||
("Could not stat AuthorizedKeysCommand \"%s\": %s",
|
|
||||||
authorized_keys_command, strerror(errno));
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
if(pamsshagentauth_auth_secure_path
|
|
||||||
(authorized_keys_command, &st, NULL, 0, errmsg, sizeof(errmsg)) != 0) {
|
|
||||||
- pamsshagentauth_logerror("Unsafe AuthorizedKeysCommand: %s", errmsg);
|
|
||||||
+ error("Unsafe AuthorizedKeysCommand: %s", errmsg);
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* open the pipe and read the keys */
|
|
||||||
if(pipe(p) != 0) {
|
|
||||||
- pamsshagentauth_logerror("%s: pipe: %s", __func__, strerror(errno));
|
|
||||||
+ error("%s: pipe: %s", __func__, strerror(errno));
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
- pamsshagentauth_debug("Running AuthorizedKeysCommand: \"%s\" as \"%s\" with argument: \"%s\"",
|
|
||||||
+ debug("Running AuthorizedKeysCommand: \"%s\" as \"%s\" with argument: \"%s\"",
|
|
||||||
authorized_keys_command, pw->pw_name, username);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Don't want to call this in the child, where it can fatal() and
|
|
||||||
* run cleanup_exit() code.
|
|
||||||
*/
|
|
||||||
- pamsshagentauth_restore_uid();
|
|
||||||
+ restore_uid();
|
|
||||||
|
|
||||||
switch ((pid = fork())) {
|
|
||||||
case -1: /* error */
|
|
||||||
- pamsshagentauth_logerror("%s: fork: %s", __func__, strerror(errno));
|
|
||||||
+ error("%s: fork: %s", __func__, strerror(errno));
|
|
||||||
close(p[0]);
|
|
||||||
close(p[1]);
|
|
||||||
return 0;
|
|
||||||
@@ -234,13 +237,13 @@ pamsshagentauth_user_key_command_allowed
|
|
||||||
|
|
||||||
/* do this before the setresuid so thta they can be logged */
|
|
||||||
if((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
|
|
||||||
- pamsshagentauth_logerror("%s: open %s: %s", __func__, _PATH_DEVNULL,
|
|
||||||
+ error("%s: open %s: %s", __func__, _PATH_DEVNULL,
|
|
||||||
strerror(errno));
|
|
||||||
_exit(1);
|
|
||||||
}
|
|
||||||
if(dup2(devnull, STDIN_FILENO) == -1 || dup2(p[1], STDOUT_FILENO) == -1
|
|
||||||
|| dup2(devnull, STDERR_FILENO) == -1) {
|
|
||||||
- pamsshagentauth_logerror("%s: dup2: %s", __func__, strerror(errno));
|
|
||||||
+ error("%s: dup2: %s", __func__, strerror(errno));
|
|
||||||
_exit(1);
|
|
||||||
}
|
|
||||||
#if defined(HAVE_SETRESGID) && !defined(BROKEN_SETRESGID)
|
|
||||||
@@ -248,7 +251,7 @@ pamsshagentauth_user_key_command_allowed
|
|
||||||
#else
|
|
||||||
if (setgid(pw->pw_gid) != 0 || setegid(pw->pw_gid) != 0) {
|
|
||||||
#endif
|
|
||||||
- pamsshagentauth_logerror("setresgid %u: %s", (u_int) pw->pw_gid,
|
|
||||||
+ error("setresgid %u: %s", (u_int) pw->pw_gid,
|
|
||||||
strerror(errno));
|
|
||||||
_exit(1);
|
|
||||||
}
|
|
||||||
@@ -258,7 +261,7 @@ pamsshagentauth_user_key_command_allowed
|
|
||||||
#else
|
|
||||||
if (setuid(pw->pw_uid) != 0 || seteuid(pw->pw_uid) != 0) {
|
|
||||||
#endif
|
|
||||||
- pamsshagentauth_logerror("setresuid %u: %s", (u_int) pw->pw_uid,
|
|
||||||
+ error("setresuid %u: %s", (u_int) pw->pw_uid,
|
|
||||||
strerror(errno));
|
|
||||||
_exit(1);
|
|
||||||
}
|
|
||||||
@@ -270,18 +273,18 @@ pamsshagentauth_user_key_command_allowed
|
|
||||||
|
|
||||||
/* pretty sure this will barf because we are now suid, but since we
|
|
||||||
should't reach this anyway, I'll leave it here */
|
|
||||||
- pamsshagentauth_logerror("AuthorizedKeysCommand %s exec failed: %s",
|
|
||||||
+ error("AuthorizedKeysCommand %s exec failed: %s",
|
|
||||||
authorized_keys_command, strerror(errno));
|
|
||||||
_exit(127);
|
|
||||||
default: /* parent */
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
- pamsshagentauth_temporarily_use_uid(pw);
|
|
||||||
+ temporarily_use_uid(pw);
|
|
||||||
|
|
||||||
close(p[1]);
|
|
||||||
if((f = fdopen(p[0], "r")) == NULL) {
|
|
||||||
- pamsshagentauth_logerror("%s: fdopen: %s", __func__, strerror(errno));
|
|
||||||
+ error("%s: fdopen: %s", __func__, strerror(errno));
|
|
||||||
close(p[0]);
|
|
||||||
/* Don't leave zombie child */
|
|
||||||
while(waitpid(pid, NULL, 0) == -1 && errno == EINTR);
|
|
||||||
@@ -292,22 +295,22 @@ pamsshagentauth_user_key_command_allowed
|
|
||||||
|
|
||||||
while(waitpid(pid, &status, 0) == -1) {
|
|
||||||
if(errno != EINTR) {
|
|
||||||
- pamsshagentauth_logerror("%s: waitpid: %s", __func__,
|
|
||||||
+ error("%s: waitpid: %s", __func__,
|
|
||||||
strerror(errno));
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if(WIFSIGNALED(status)) {
|
|
||||||
- pamsshagentauth_logerror("AuthorizedKeysCommand %s exited on signal %d",
|
|
||||||
+ error("AuthorizedKeysCommand %s exited on signal %d",
|
|
||||||
authorized_keys_command, WTERMSIG(status));
|
|
||||||
goto out;
|
|
||||||
} else if(WEXITSTATUS(status) != 0) {
|
|
||||||
- pamsshagentauth_logerror("AuthorizedKeysCommand %s returned status %d",
|
|
||||||
+ error("AuthorizedKeysCommand %s returned status %d",
|
|
||||||
authorized_keys_command, WEXITSTATUS(status));
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
found_key = ok;
|
|
||||||
out:
|
|
||||||
- pamsshagentauth_restore_uid();
|
|
||||||
+ restore_uid();
|
|
||||||
return found_key;
|
|
||||||
}
|
|
||||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h
|
|
||||||
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
|
||||||
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h 2018-08-24 10:18:05.010393320 +0200
|
|
||||||
@@ -32,7 +32,7 @@
|
|
||||||
#define _PAM_USER_KEY_ALLOWED_H
|
|
||||||
|
|
||||||
#include "identity.h"
|
|
||||||
-int pamsshagentauth_user_key_allowed2(struct passwd *, Key *, char *);
|
|
||||||
-int pamsshagentauth_user_key_command_allowed2(char *, char *, struct passwd *, Key *);
|
|
||||||
+int pamsshagentauth_user_key_allowed2(struct passwd *, struct sshkey *, char *);
|
|
||||||
+int pamsshagentauth_user_key_command_allowed2(char *, char *, struct passwd *, struct sshkey *);
|
|
||||||
|
|
||||||
#endif
|
|
||||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c
|
|
||||||
--- openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
|
||||||
+++ openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c 2018-08-24 10:18:05.010393320 +0200
|
|
||||||
@@ -53,8 +53,8 @@
|
|
||||||
#include "xmalloc.h"
|
|
||||||
#include "match.h"
|
|
||||||
#include "log.h"
|
|
||||||
-#include "buffer.h"
|
|
||||||
-#include "key.h"
|
|
||||||
+#include "sshbuf.h"
|
|
||||||
+#include "sshkey.h"
|
|
||||||
#include "misc.h"
|
|
||||||
|
|
||||||
|
|
||||||
@@ -80,7 +80,7 @@ pamsshagentauth_auth_secure_path(const c
|
|
||||||
int comparehome = 0;
|
|
||||||
struct stat st;
|
|
||||||
|
|
||||||
- pamsshagentauth_verbose("auth_secure_filename: checking for uid: %u", uid);
|
|
||||||
+ verbose("auth_secure_filename: checking for uid: %u", uid);
|
|
||||||
|
|
||||||
if (realpath(name, buf) == NULL) {
|
|
||||||
snprintf(err, errlen, "realpath %s failed: %s", name,
|
|
||||||
@@ -115,9 +115,9 @@ pamsshagentauth_auth_secure_path(const c
|
|
||||||
snprintf(err, errlen, "dirname() failed");
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
- pamsshagentauth_strlcpy(buf, cp, sizeof(buf));
|
|
||||||
+ strlcpy(buf, cp, sizeof(buf));
|
|
||||||
|
|
||||||
- pamsshagentauth_verbose("secure_filename: checking '%s'", buf);
|
|
||||||
+ verbose("secure_filename: checking '%s'", buf);
|
|
||||||
if (stat(buf, &st) < 0 ||
|
|
||||||
(st.st_uid != 0 && st.st_uid != uid) ||
|
|
||||||
(st.st_mode & 022) != 0) {
|
|
||||||
@@ -128,7 +128,7 @@ pamsshagentauth_auth_secure_path(const c
|
|
||||||
|
|
||||||
/* If are passed the homedir then we can stop */
|
|
||||||
if (comparehome && strcmp(homedir, buf) == 0) {
|
|
||||||
- pamsshagentauth_verbose("secure_filename: terminating check at '%s'",
|
|
||||||
+ verbose("secure_filename: terminating check at '%s'",
|
|
||||||
buf);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c
|
|
||||||
--- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
|
||||||
+++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2018-08-24 10:22:13.202657025 +0200
|
|
||||||
@@ -37,10 +37,11 @@
|
|
||||||
#include "xmalloc.h"
|
|
||||||
#include "ssh.h"
|
|
||||||
#include "ssh2.h"
|
|
||||||
-#include "buffer.h"
|
|
||||||
+#include "sshbuf.h"
|
|
||||||
#include "log.h"
|
|
||||||
#include "compat.h"
|
|
||||||
-#include "key.h"
|
|
||||||
+#include "sshkey.h"
|
|
||||||
+#include "ssherr.h"
|
|
||||||
#include "pathnames.h"
|
|
||||||
#include "misc.h"
|
|
||||||
#include "secure_filename.h"
|
|
||||||
@@ -48,54 +48,59 @@
|
|
||||||
#include "identity.h"
|
|
||||||
#include "pam_user_authorized_keys.h"
|
|
||||||
|
|
||||||
+#define SSH2_MSG_USERAUTH_TRUST_REQUEST 54
|
|
||||||
+
|
|
||||||
/* extern u_char *session_id2;
|
|
||||||
extern uint8_t session_id_len;
|
|
||||||
*/
|
|
||||||
|
|
||||||
int
|
|
||||||
-userauth_pubkey_from_id(const char *ruser, Identity * id, Buffer * session_id2)
|
|
||||||
+userauth_pubkey_from_id(const char *ruser, Identity * id, struct sshbuf * session_id2)
|
|
||||||
{
|
|
||||||
- Buffer b = { 0 };
|
|
||||||
+ struct sshbuf *b = NULL;
|
|
||||||
char *pkalg = NULL;
|
|
||||||
u_char *pkblob = NULL, *sig = NULL;
|
|
||||||
- u_int blen = 0, slen = 0;
|
|
||||||
+ size_t blen = 0, slen = 0;
|
|
||||||
- int authenticated = 0;
|
|
||||||
+ int r, authenticated = 0;
|
|
||||||
|
|
||||||
- pkalg = (char *) key_ssh_name(id->key);
|
|
||||||
+ pkalg = (char *) sshkey_ssh_name(id->key);
|
|
||||||
|
|
||||||
/* first test if this key is even allowed */
|
|
||||||
if(! pam_user_key_allowed(ruser, id->key))
|
|
||||||
- goto user_auth_clean_exit;
|
|
||||||
+ goto user_auth_clean_exit_without_buffer;
|
|
||||||
|
|
||||||
- if(pamsshagentauth_key_to_blob(id->key, &pkblob, &blen) == 0)
|
|
||||||
- goto user_auth_clean_exit;
|
|
||||||
+ if(sshkey_to_blob(id->key, &pkblob, &blen) != 0)
|
|
||||||
+ goto user_auth_clean_exit_without_buffer;
|
|
||||||
|
|
||||||
/* construct packet to sign and test */
|
|
||||||
- pamsshagentauth_buffer_init(&b);
|
|
||||||
+ if ((b = sshbuf_new()) == NULL)
|
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
|
||||||
|
|
||||||
- pamsshagentauth_buffer_put_string(&b, session_id2->buf + session_id2->offset, session_id2->end - session_id2->offset);
|
|
||||||
- pamsshagentauth_buffer_put_char(&b, SSH2_MSG_USERAUTH_TRUST_REQUEST);
|
|
||||||
- pamsshagentauth_buffer_put_cstring(&b, ruser);
|
|
||||||
- pamsshagentauth_buffer_put_cstring(&b, "pam_ssh_agent_auth");
|
|
||||||
- pamsshagentauth_buffer_put_cstring(&b, "publickey");
|
|
||||||
- pamsshagentauth_buffer_put_char(&b, 1);
|
|
||||||
- pamsshagentauth_buffer_put_cstring(&b, pkalg);
|
|
||||||
- pamsshagentauth_buffer_put_string(&b, pkblob, blen);
|
|
||||||
+ if ((r = sshbuf_put_string(b, sshbuf_ptr(session_id2), sshbuf_len(session_id2))) != 0 ||
|
|
||||||
+ (r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_TRUST_REQUEST)) != 0 ||
|
|
||||||
+ (r = sshbuf_put_cstring(b, ruser)) != 0 ||
|
|
||||||
+ (r = sshbuf_put_cstring(b, "pam_ssh_agent_auth")) != 0 ||
|
|
||||||
+ (r = sshbuf_put_cstring(b, "publickey")) != 0 ||
|
|
||||||
+ (r = sshbuf_put_u8(b, 1)) != 0 ||
|
|
||||||
+ (r = sshbuf_put_cstring(b, pkalg)) != 0 ||
|
|
||||||
+ (r = sshbuf_put_string(b, pkblob, blen)) != 0)
|
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
||||||
|
|
||||||
- if(ssh_agent_sign(id->ac, id->key, &sig, &slen, pamsshagentauth_buffer_ptr(&b), pamsshagentauth_buffer_len(&b)) != 0)
|
|
||||||
+ if (ssh_agent_sign(id->ac, id->key, &sig, &slen, sshbuf_ptr(b), sshbuf_len(b)) != 0)
|
|
||||||
goto user_auth_clean_exit;
|
|
||||||
|
|
||||||
/* test for correct signature */
|
|
||||||
- if(pamsshagentauth_key_verify(id->key, sig, slen, pamsshagentauth_buffer_ptr(&b), pamsshagentauth_buffer_len(&b)) == 1)
|
|
||||||
+ if (sshkey_verify(id->key, sig, slen, sshbuf_ptr(b), sshbuf_len(b), NULL, 0) == 0)
|
|
||||||
authenticated = 1;
|
|
||||||
|
|
||||||
user_auth_clean_exit:
|
|
||||||
/* if(&b != NULL) */
|
|
||||||
- pamsshagentauth_buffer_free(&b);
|
|
||||||
+ sshbuf_free(b);
|
|
||||||
+ user_auth_clean_exit_without_buffer:
|
|
||||||
if(sig != NULL)
|
|
||||||
- pamsshagentauth_xfree(sig);
|
|
||||||
+ free(sig);
|
|
||||||
if(pkblob != NULL)
|
|
||||||
- pamsshagentauth_xfree(pkblob);
|
|
||||||
+ free(pkblob);
|
|
||||||
CRYPTO_cleanup_all_ex_data();
|
|
||||||
return authenticated;
|
|
||||||
}
|
|
||||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h
|
|
||||||
--- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
|
||||||
+++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h 2018-08-24 10:18:05.010393320 +0200
|
|
||||||
@@ -31,7 +31,7 @@
|
|
||||||
#ifndef _USERAUTH_PUBKEY_FROM_ID_H
|
|
||||||
#define _USERAUTH_PUBKEY_FROM_ID_H
|
|
||||||
|
|
||||||
-#include <identity.h>
|
|
||||||
-int userauth_pubkey_from_id(const char *, Identity *, Buffer *);
|
|
||||||
+#include "identity.h"
|
|
||||||
+int userauth_pubkey_from_id(const char *, Identity *, struct sshbuf *);
|
|
||||||
|
|
||||||
#endif
|
|
||||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/uuencode.c
|
|
||||||
--- openssh/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
|
||||||
+++ openssh/pam_ssh_agent_auth-0.10.3/uuencode.c 2018-08-24 10:18:05.010393320 +0200
|
|
||||||
@@ -56,7 +56,7 @@ pamsshagentauth_uudecode(const char *src
|
|
||||||
/* and remove trailing whitespace because __b64_pton needs this */
|
|
||||||
*p = '\0';
|
|
||||||
len = pamsshagentauth___b64_pton(encoded, target, targsize);
|
|
||||||
- pamsshagentauth_xfree(encoded);
|
|
||||||
+ xfree(encoded);
|
|
||||||
return len;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -70,7 +70,7 @@ pamsshagentauth_dump_base64(FILE *fp, co
|
|
||||||
fprintf(fp, "dump_base64: len > 65536\n");
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
- buf = pamsshagentauth_xmalloc(2*len);
|
|
||||||
+ buf = malloc(2*len);
|
|
||||||
n = pamsshagentauth_uuencode(data, len, buf, 2*len);
|
|
||||||
for (i = 0; i < n; i++) {
|
|
||||||
fprintf(fp, "%c", buf[i]);
|
|
||||||
@@ -79,5 +79,5 @@ pamsshagentauth_dump_base64(FILE *fp, co
|
|
||||||
}
|
|
||||||
if (i % 70 != 69)
|
|
||||||
fprintf(fp, "\n");
|
|
||||||
- pamsshagentauth_xfree(buf);
|
|
||||||
+ free(buf);
|
|
||||||
}
|
|
@ -1,20 +0,0 @@
|
|||||||
diff --git a/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c b/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c
|
|
||||||
--- a/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c
|
|
||||||
+++ b/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c
|
|
||||||
@@ -158,11 +158,12 @@ parse_authorized_key_file(const char *user,
|
|
||||||
int
|
|
||||||
pam_user_key_allowed(const char *ruser, struct sshkey * key)
|
|
||||||
{
|
|
||||||
+ struct passwd *pw;
|
|
||||||
return
|
|
||||||
- pamsshagentauth_user_key_allowed2(getpwuid(authorized_keys_file_allowed_owner_uid),
|
|
||||||
- key, authorized_keys_file)
|
|
||||||
- || pamsshagentauth_user_key_allowed2(getpwuid(0), key,
|
|
||||||
- authorized_keys_file)
|
|
||||||
+ ( (pw = getpwuid(authorized_keys_file_allowed_owner_uid)) &&
|
|
||||||
+ pamsshagentauth_user_key_allowed2(pw, key, authorized_keys_file))
|
|
||||||
+ || ((pw = getpwuid(0)) &&
|
|
||||||
+ pamsshagentauth_user_key_allowed2(pw, key, authorized_keys_file))
|
|
||||||
|| pamsshagentauth_user_key_command_allowed2(authorized_keys_command,
|
|
||||||
authorized_keys_command_user,
|
|
||||||
getpwnam(ruser), key);
|
|
@ -1,37 +0,0 @@
|
|||||||
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-seteuid openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
|
|
||||||
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-seteuid 2017-02-07 15:41:53.172334151 +0100
|
|
||||||
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-02-07 15:41:53.174334149 +0100
|
|
||||||
@@ -238,17 +238,26 @@ ssh_get_authentication_socket_for_uid(ui
|
|
||||||
}
|
|
||||||
|
|
||||||
errno = 0;
|
|
||||||
- seteuid(uid); /* To ensure a race condition is not used to circumvent the stat
|
|
||||||
- above, we will temporarily drop UID to the caller */
|
|
||||||
- if (connect(sock, (struct sockaddr *)&sunaddr, sizeof sunaddr) < 0) {
|
|
||||||
+ /* To ensure a race condition is not used to circumvent the stat
|
|
||||||
+ above, we will temporarily drop UID to the caller */
|
|
||||||
+ if (seteuid(uid) == -1) {
|
|
||||||
close(sock);
|
|
||||||
- if(errno == EACCES)
|
|
||||||
- fatal("MAJOR SECURITY WARNING: uid %lu made a deliberate and malicious attempt to open an agent socket owned by another user", (unsigned long) uid);
|
|
||||||
+ error("seteuid(%lu) failed with error: %s",
|
|
||||||
+ (unsigned long) uid, strerror(errno));
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
+ if (connect(sock, (struct sockaddr *)&sunaddr, sizeof sunaddr) < 0) {
|
|
||||||
+ close(sock);
|
|
||||||
+ sock = -1;
|
|
||||||
+ if(errno == EACCES)
|
|
||||||
+ fatal("MAJOR SECURITY WARNING: uid %lu made a deliberate and malicious attempt to open an agent socket owned by another user", (unsigned long) uid);
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- seteuid(0); /* we now continue the regularly scheduled programming */
|
|
||||||
-
|
|
||||||
+ /* we now continue the regularly scheduled programming */
|
|
||||||
+ if (0 != seteuid(0)) {
|
|
||||||
+ fatal("setuid(0) failed with error: %s", strerror(errno));
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
return sock;
|
|
||||||
}
|
|
||||||
|
|
@ -1,21 +0,0 @@
|
|||||||
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c.psaa-visibility openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c
|
|
||||||
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c.psaa-visibility 2014-03-31 19:35:17.000000000 +0200
|
|
||||||
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c 2016-01-22 15:22:40.984469774 +0100
|
|
||||||
@@ -72,7 +72,7 @@ char *__progname;
|
|
||||||
extern char *__progname;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
-PAM_EXTERN int
|
|
||||||
+PAM_EXTERN int __attribute__ ((visibility ("default")))
|
|
||||||
pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
|
|
||||||
{
|
|
||||||
char **argv_ptr;
|
|
||||||
@@ -214,7 +214,7 @@ cleanexit:
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
-PAM_EXTERN int
|
|
||||||
+PAM_EXTERN int __attribute__ ((visibility ("default")))
|
|
||||||
pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const char **argv)
|
|
||||||
{
|
|
||||||
UNUSED(pamh);
|
|
@ -1,96 +0,0 @@
|
|||||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/identity.h
|
|
||||||
--- openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-agent 2016-11-13 04:24:32.000000000 +0100
|
|
||||||
+++ openssh/pam_ssh_agent_auth-0.10.3/identity.h 2017-09-27 14:25:49.421739027 +0200
|
|
||||||
@@ -38,6 +38,12 @@
|
|
||||||
typedef struct identity Identity;
|
|
||||||
typedef struct idlist Idlist;
|
|
||||||
|
|
||||||
+typedef struct {
|
|
||||||
+ int fd;
|
|
||||||
+ struct sshbuf *identities;
|
|
||||||
+ int howmany;
|
|
||||||
+} AuthenticationConnection;
|
|
||||||
+
|
|
||||||
struct identity {
|
|
||||||
TAILQ_ENTRY(identity) next;
|
|
||||||
AuthenticationConnection *ac; /* set if agent supports key */
|
|
||||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
|
|
||||||
--- openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent 2017-09-27 14:25:49.420739021 +0200
|
|
||||||
+++ openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-09-27 14:25:49.421739027 +0200
|
|
||||||
@@ -39,6 +39,7 @@
|
|
||||||
#include "sshbuf.h"
|
|
||||||
#include "sshkey.h"
|
|
||||||
#include "authfd.h"
|
|
||||||
+#include "ssherr.h"
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <openssl/evp.h>
|
|
||||||
#include "ssh2.h"
|
|
||||||
@@ -291,36 +292,43 @@ pamsshagentauth_find_authorized_keys(con
|
|
||||||
{
|
|
||||||
struct sshbuf *session_id2 = NULL;
|
|
||||||
Identity *id;
|
|
||||||
- struct sshkey *key;
|
|
||||||
AuthenticationConnection *ac;
|
|
||||||
- char *comment;
|
|
||||||
uint8_t retval = 0;
|
|
||||||
uid_t uid = getpwnam(ruser)->pw_uid;
|
|
||||||
+ struct ssh_identitylist *idlist;
|
|
||||||
+ int r;
|
|
||||||
+ unsigned int i;
|
|
||||||
|
|
||||||
OpenSSL_add_all_digests();
|
|
||||||
pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename);
|
|
||||||
|
|
||||||
if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
|
|
||||||
verbose("Contacted ssh-agent of user %s (%u)", ruser, uid);
|
|
||||||
- for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2))
|
|
||||||
- {
|
|
||||||
- if(key != NULL) {
|
|
||||||
+ if ((r = ssh_fetch_identitylist(ac->fd, &idlist)) != 0) {
|
|
||||||
+ if (r != SSH_ERR_AGENT_NO_IDENTITIES)
|
|
||||||
+ fprintf(stderr, "error fetching identities for "
|
|
||||||
+ "protocol %d: %s\n", 2, ssh_err(r));
|
|
||||||
+ } else {
|
|
||||||
+ for (i = 0; i < idlist->nkeys; i++)
|
|
||||||
+ {
|
|
||||||
+ if (idlist->keys[i] != NULL) {
|
|
||||||
id = xcalloc(1, sizeof(*id));
|
|
||||||
- id->key = key;
|
|
||||||
- id->filename = comment;
|
|
||||||
+ id->key = idlist->keys[i];
|
|
||||||
+ id->filename = idlist->comments[i];
|
|
||||||
id->ac = ac;
|
|
||||||
if(userauth_pubkey_from_id(ruser, id, session_id2)) {
|
|
||||||
retval = 1;
|
|
||||||
}
|
|
||||||
- free(id->filename);
|
|
||||||
- key_free(id->key);
|
|
||||||
free(id);
|
|
||||||
if(retval == 1)
|
|
||||||
break;
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
- sshbuf_free(session_id2);
|
|
||||||
- ssh_close_authentication_connection(ac);
|
|
||||||
+ sshbuf_free(session_id2);
|
|
||||||
+ ssh_free_identitylist(idlist);
|
|
||||||
+ }
|
|
||||||
+ ssh_close_authentication_socket(ac->fd);
|
|
||||||
+ free(ac);
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
verbose("No ssh-agent could be contacted");
|
|
||||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c
|
|
||||||
--- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-agent 2017-09-27 14:25:49.420739021 +0200
|
|
||||||
+++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2017-09-27 14:25:49.422739032 +0200
|
|
||||||
@@ -84,7 +85,7 @@ userauth_pubkey_from_id(const char *ruse
|
|
||||||
(r = sshbuf_put_string(b, pkblob, blen)) != 0)
|
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
||||||
|
|
||||||
- if (ssh_agent_sign(id->ac, id->key, &sig, &slen, sshbuf_ptr(b), sshbuf_len(b)) != 0)
|
|
||||||
+ if (ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, sshbuf_ptr(b), sshbuf_len(b), NULL, 0) != 0)
|
|
||||||
goto user_auth_clean_exit;
|
|
||||||
|
|
||||||
/* test for correct signature */
|
|
@ -1,196 +0,0 @@
|
|||||||
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-build openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
|
|
||||||
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-build 2016-11-13 04:24:32.000000000 +0100
|
|
||||||
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-02-07 14:29:41.626116675 +0100
|
|
||||||
@@ -43,12 +43,31 @@
|
|
||||||
#include <openssl/evp.h>
|
|
||||||
#include "ssh2.h"
|
|
||||||
#include "misc.h"
|
|
||||||
+#include "ssh.h"
|
|
||||||
+#include <sys/types.h>
|
|
||||||
+#include <sys/stat.h>
|
|
||||||
+#include <sys/socket.h>
|
|
||||||
+#include <sys/un.h>
|
|
||||||
+#include <unistd.h>
|
|
||||||
+#include <stdlib.h>
|
|
||||||
+#include <errno.h>
|
|
||||||
+#include <fcntl.h>
|
|
||||||
|
|
||||||
#include "userauth_pubkey_from_id.h"
|
|
||||||
#include "identity.h"
|
|
||||||
#include "get_command_line.h"
|
|
||||||
extern char **environ;
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * Added by Jamie Beverly, ensure socket fd points to a socket owned by the user
|
|
||||||
+ * A cursory check is done, but to avoid race conditions, it is necessary
|
|
||||||
+ * to drop effective UID when connecting to the socket.
|
|
||||||
+ *
|
|
||||||
+ * If the cause of error is EACCES, because we verified we would not have that
|
|
||||||
+ * problem initially, we can safely assume that somebody is attempting to find a
|
|
||||||
+ * race condition; so a more "direct" log message is generated.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
static char *
|
|
||||||
log_action(char ** action, size_t count)
|
|
||||||
{
|
|
||||||
@@ -85,7 +104,7 @@ void
|
|
||||||
pamsshagentauth_session_id2_gen(Buffer * session_id2, const char * user,
|
|
||||||
const char * ruser, const char * servicename)
|
|
||||||
{
|
|
||||||
- char *cookie = NULL;
|
|
||||||
+ u_char *cookie = NULL;
|
|
||||||
uint8_t i = 0;
|
|
||||||
uint32_t rnd = 0;
|
|
||||||
uint8_t cookie_len;
|
|
||||||
@@ -112,7 +131,7 @@ pamsshagentauth_session_id2_gen(Buffer *
|
|
||||||
if (i % 4 == 0) {
|
|
||||||
rnd = pamsshagentauth_arc4random();
|
|
||||||
}
|
|
||||||
- cookie[i] = (char) rnd;
|
|
||||||
+ cookie[i] = (u_char) rnd;
|
|
||||||
rnd >>= 8;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -177,6 +196,86 @@ pamsshagentauth_session_id2_gen(Buffer *
|
|
||||||
}
|
|
||||||
|
|
||||||
int
|
|
||||||
+ssh_get_authentication_socket_for_uid(uid_t uid)
|
|
||||||
+{
|
|
||||||
+ const char *authsocket;
|
|
||||||
+ int sock;
|
|
||||||
+ struct sockaddr_un sunaddr;
|
|
||||||
+ struct stat sock_st;
|
|
||||||
+
|
|
||||||
+ authsocket = getenv(SSH_AUTHSOCKET_ENV_NAME);
|
|
||||||
+ if (!authsocket)
|
|
||||||
+ return -1;
|
|
||||||
+
|
|
||||||
+ /* Advisory only; seteuid ensures no race condition; but will only log if we see EACCES */
|
|
||||||
+ if( stat(authsocket,&sock_st) == 0) {
|
|
||||||
+ if(uid != 0 && sock_st.st_uid != uid) {
|
|
||||||
+ fatal("uid %lu attempted to open an agent socket owned by uid %lu", (unsigned long) uid, (unsigned long) sock_st.st_uid);
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Ensures that the EACCES tested for below can _only_ happen if somebody
|
|
||||||
+ * is attempting to race the stat above to bypass authentication.
|
|
||||||
+ */
|
|
||||||
+ if( (sock_st.st_mode & S_IWUSR) != S_IWUSR || (sock_st.st_mode & S_IRUSR) != S_IRUSR) {
|
|
||||||
+ error("ssh-agent socket has incorrect permissions for owner");
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ sunaddr.sun_family = AF_UNIX;
|
|
||||||
+ strlcpy(sunaddr.sun_path, authsocket, sizeof(sunaddr.sun_path));
|
|
||||||
+
|
|
||||||
+ sock = socket(AF_UNIX, SOCK_STREAM, 0);
|
|
||||||
+ if (sock < 0)
|
|
||||||
+ return -1;
|
|
||||||
+
|
|
||||||
+ /* close on exec */
|
|
||||||
+ if (fcntl(sock, F_SETFD, 1) == -1) {
|
|
||||||
+ close(sock);
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ errno = 0;
|
|
||||||
+ seteuid(uid); /* To ensure a race condition is not used to circumvent the stat
|
|
||||||
+ above, we will temporarily drop UID to the caller */
|
|
||||||
+ if (connect(sock, (struct sockaddr *)&sunaddr, sizeof sunaddr) < 0) {
|
|
||||||
+ close(sock);
|
|
||||||
+ if(errno == EACCES)
|
|
||||||
+ fatal("MAJOR SECURITY WARNING: uid %lu made a deliberate and malicious attempt to open an agent socket owned by another user", (unsigned long) uid);
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ seteuid(0); /* we now continue the regularly scheduled programming */
|
|
||||||
+
|
|
||||||
+ return sock;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+AuthenticationConnection *
|
|
||||||
+ssh_get_authentication_connection_for_uid(uid_t uid)
|
|
||||||
+{
|
|
||||||
+ AuthenticationConnection *auth;
|
|
||||||
+ int sock;
|
|
||||||
+
|
|
||||||
+ sock = ssh_get_authentication_socket_for_uid(uid);
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Fail if we couldn't obtain a connection. This happens if we
|
|
||||||
+ * exited due to a timeout.
|
|
||||||
+ */
|
|
||||||
+ if (sock < 0)
|
|
||||||
+ return NULL;
|
|
||||||
+
|
|
||||||
+ auth = xmalloc(sizeof(*auth));
|
|
||||||
+ auth->fd = sock;
|
|
||||||
+ buffer_init(&auth->identities);
|
|
||||||
+ auth->howmany = 0;
|
|
||||||
+
|
|
||||||
+ return auth;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int
|
|
||||||
pamsshagentauth_find_authorized_keys(const char * user, const char * ruser, const char * servicename)
|
|
||||||
{
|
|
||||||
Buffer session_id2 = { 0 };
|
|
||||||
@@ -190,7 +289,7 @@ pamsshagentauth_find_authorized_keys(con
|
|
||||||
OpenSSL_add_all_digests();
|
|
||||||
pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename);
|
|
||||||
|
|
||||||
- if ((ac = ssh_get_authentication_connection(uid))) {
|
|
||||||
+ if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
|
|
||||||
pamsshagentauth_verbose("Contacted ssh-agent of user %s (%u)", ruser, uid);
|
|
||||||
for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2))
|
|
||||||
{
|
|
||||||
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in.psaa-build openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in
|
|
||||||
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in.psaa-build 2016-11-13 04:24:32.000000000 +0100
|
|
||||||
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in 2017-02-07 14:40:14.407566921 +0100
|
|
||||||
@@ -52,7 +52,7 @@ PATHS=
|
|
||||||
CC=@CC@
|
|
||||||
LD=@LD@
|
|
||||||
CFLAGS=@CFLAGS@
|
|
||||||
-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
|
|
||||||
+CPPFLAGS=-I.. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
|
|
||||||
LIBS=@LIBS@
|
|
||||||
AR=@AR@
|
|
||||||
AWK=@AWK@
|
|
||||||
@@ -61,7 +61,7 @@ INSTALL=@INSTALL@
|
|
||||||
PERL=@PERL@
|
|
||||||
SED=@SED@
|
|
||||||
ENT=@ENT@
|
|
||||||
-LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
|
|
||||||
+LDFLAGS=-L.. -L../openbsd-compat/ @LDFLAGS@
|
|
||||||
LDFLAGS_SHARED = @LDFLAGS_SHARED@
|
|
||||||
EXEEXT=@EXEEXT@
|
|
||||||
|
|
||||||
@@ -74,7 +74,7 @@ SSHOBJS=xmalloc.o atomicio.o authfd.o bu
|
|
||||||
|
|
||||||
ED25519OBJS=ed25519-donna/ed25519.o
|
|
||||||
|
|
||||||
-PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o
|
|
||||||
+PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o secure_filename.o
|
|
||||||
|
|
||||||
|
|
||||||
MANPAGES_IN = pam_ssh_agent_auth.pod
|
|
||||||
@@ -94,13 +94,13 @@ $(PAM_MODULES): Makefile.in config.h
|
|
||||||
.c.o:
|
|
||||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $< -o $@
|
|
||||||
|
|
||||||
-LIBCOMPAT=openbsd-compat/libopenbsd-compat.a
|
|
||||||
+LIBCOMPAT=../openbsd-compat/libopenbsd-compat.a
|
|
||||||
$(LIBCOMPAT): always
|
|
||||||
(cd openbsd-compat && $(MAKE))
|
|
||||||
always:
|
|
||||||
|
|
||||||
-pam_ssh_agent_auth.so: $(LIBCOMPAT) $(SSHOBJS) $(ED25519OBJS) $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o
|
|
||||||
- $(LD) $(LDFLAGS_SHARED) -o $@ $(SSHOBJS) $(ED25519OBJS) $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lopenbsd-compat pam_ssh_agent_auth.o $(LIBS) -lpam
|
|
||||||
+pam_ssh_agent_auth.so: $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o ../uidswap.o
|
|
||||||
+ $(LD) $(LDFLAGS_SHARED) -o $@ $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat pam_ssh_agent_auth.o ../uidswap.o $(LIBS) -lpam
|
|
||||||
|
|
||||||
$(MANPAGES): $(MANPAGES_IN)
|
|
||||||
pod2man --section=8 --release=v0.10.3 --name=pam_ssh_agent_auth --official --center "PAM" pam_ssh_agent_auth.pod > pam_ssh_agent_auth.8
|
|
@ -1 +0,0 @@
|
|||||||
d /var/empty/sshd 711 root root -
|
|
@ -1,11 +0,0 @@
|
|||||||
[Unit]
|
|
||||||
Description=OpenSSH per-connection server daemon
|
|
||||||
Documentation=man:sshd(8) man:sshd_config(5)
|
|
||||||
Wants=sshd-keygen.target
|
|
||||||
After=sshd-keygen.target
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config
|
|
||||||
EnvironmentFile=-/etc/sysconfig/sshd
|
|
||||||
ExecStart=-/usr/sbin/sshd -i $OPTIONS $CRYPTO_POLICY
|
|
||||||
StandardInput=socket
|
|
9
gating.yaml
Normal file
9
gating.yaml
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
--- !Policy
|
||||||
|
product_versions:
|
||||||
|
- rhel-10
|
||||||
|
decision_context: osci_compose_gate
|
||||||
|
rules:
|
||||||
|
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-enabled.functional}
|
||||||
|
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-enabled-buildroot-enabled.functional}
|
||||||
|
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-disabled.functional}
|
||||||
|
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-enabled-buildroot-disabled.functional}
|
18
openssh-4.3p2-askpass-grab-info.patch
Normal file
18
openssh-4.3p2-askpass-grab-info.patch
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
diff -up openssh-8.6p1/contrib/gnome-ssh-askpass2.c.grab-info openssh-8.6p1/contrib/gnome-ssh-askpass2.c
|
||||||
|
--- openssh-8.6p1/contrib/gnome-ssh-askpass2.c.grab-info 2021-04-19 13:57:11.720113536 +0200
|
||||||
|
+++ openssh-8.6p1/contrib/gnome-ssh-askpass2.c 2021-04-19 13:59:29.842163204 +0200
|
||||||
|
@@ -70,8 +70,12 @@ report_failed_grab (GtkWidget *parent_wi
|
||||||
|
|
||||||
|
err = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0,
|
||||||
|
GTK_MESSAGE_ERROR, GTK_BUTTONS_CLOSE,
|
||||||
|
- "Could not grab %s. A malicious client may be eavesdropping "
|
||||||
|
- "on your session.", what);
|
||||||
|
+ "SSH password dialog could not grab the %s input.\n"
|
||||||
|
+ "This might be caused by application such as screensaver, "
|
||||||
|
+ "however it could also mean that someone may be eavesdropping "
|
||||||
|
+ "on your session.\n"
|
||||||
|
+ "Either close the application which grabs the %s or "
|
||||||
|
+ "log out and log in again to prevent this from happening.", what, what);
|
||||||
|
gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
|
||||||
|
|
||||||
|
gtk_dialog_run(GTK_DIALOG(err));
|
83
openssh-5.1p1-askpass-progress.patch
Normal file
83
openssh-5.1p1-askpass-progress.patch
Normal file
@ -0,0 +1,83 @@
|
|||||||
|
diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contrib/gnome-ssh-askpass2.c
|
||||||
|
--- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress 2016-12-19 05:59:41.000000000 +0100
|
||||||
|
+++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:16.545211926 +0100
|
||||||
|
@@ -53,6 +53,7 @@
|
||||||
|
#include <unistd.h>
|
||||||
|
|
||||||
|
#include <X11/Xlib.h>
|
||||||
|
+#include <glib.h>
|
||||||
|
#include <gtk/gtk.h>
|
||||||
|
#include <gdk/gdkx.h>
|
||||||
|
#include <gdk/gdkkeysyms.h>
|
||||||
|
@@ -81,14 +82,25 @@ ok_dialog(GtkWidget *entry, gpointer dia
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static void
|
||||||
|
+move_progress(GtkWidget *entry, gpointer progress)
|
||||||
|
+{
|
||||||
|
+ gdouble step;
|
||||||
|
+ g_return_if_fail(GTK_IS_PROGRESS_BAR(progress));
|
||||||
|
+
|
||||||
|
+ step = g_random_double_range(0.03, 0.1);
|
||||||
|
+ gtk_progress_bar_set_pulse_step(GTK_PROGRESS_BAR(progress), step);
|
||||||
|
+ gtk_progress_bar_pulse(GTK_PROGRESS_BAR(progress));
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static int
|
||||||
|
passphrase_dialog(char *message, int prompt_type)
|
||||||
|
{
|
||||||
|
const char *failed;
|
||||||
|
char *passphrase, *local;
|
||||||
|
int result, grab_tries, grab_server, grab_pointer;
|
||||||
|
int buttons, default_response;
|
||||||
|
- GtkWidget *parent_window, *dialog, *entry;
|
||||||
|
+ GtkWidget *parent_window, *dialog, *entry, *progress, *hbox;
|
||||||
|
GdkGrabStatus status;
|
||||||
|
GdkColor fg, bg;
|
||||||
|
int fg_set = 0, bg_set = 0;
|
||||||
|
@@ -104,14 +116,19 @@ passphrase_dialog(char *message)
|
||||||
|
gtk_widget_modify_bg(dialog, GTK_STATE_NORMAL, &bg);
|
||||||
|
|
||||||
|
if (prompt_type == PROMPT_ENTRY || prompt_type == PROMPT_NONE) {
|
||||||
|
+ hbox = gtk_hbox_new(FALSE, 0);
|
||||||
|
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
|
||||||
|
+ FALSE, 0);
|
||||||
|
+ gtk_widget_show(hbox);
|
||||||
|
+
|
||||||
|
entry = gtk_entry_new();
|
||||||
|
if (fg_set)
|
||||||
|
gtk_widget_modify_fg(entry, GTK_STATE_NORMAL, &fg);
|
||||||
|
if (bg_set)
|
||||||
|
gtk_widget_modify_bg(entry, GTK_STATE_NORMAL, &bg);
|
||||||
|
gtk_box_pack_start(
|
||||||
|
- GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))),
|
||||||
|
- entry, FALSE, FALSE, 0);
|
||||||
|
+ GTK_BOX(hbox), entry, TRUE, FALSE, 0);
|
||||||
|
+ gtk_entry_set_width_chars(GTK_ENTRY(entry), 2);
|
||||||
|
gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
|
||||||
|
gtk_widget_grab_focus(entry);
|
||||||
|
if (prompt_type == PROMPT_ENTRY) {
|
||||||
|
@@ -130,6 +145,22 @@ passphrase_dialog(char *message)
|
||||||
|
g_signal_connect(G_OBJECT(entry), "key_press_event",
|
||||||
|
G_CALLBACK(check_none), dialog);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ hbox = gtk_hbox_new(FALSE, 0);
|
||||||
|
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox),
|
||||||
|
+ hbox, FALSE, FALSE, 8);
|
||||||
|
+ gtk_widget_show(hbox);
|
||||||
|
+
|
||||||
|
+ progress = gtk_progress_bar_new();
|
||||||
|
+
|
||||||
|
+ gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress),
|
||||||
|
+ "Passphrase length hidden intentionally");
|
||||||
|
+ gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE,
|
||||||
|
+ TRUE, 5);
|
||||||
|
+ gtk_widget_show(progress);
|
||||||
|
+ g_signal_connect(G_OBJECT(entry), "changed",
|
||||||
|
+ G_CALLBACK(move_progress), progress);
|
||||||
|
+
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Grab focus */
|
@ -1,12 +1,14 @@
|
|||||||
diff -up openssh-5.8p2/ssh-keyscan.c.sigpipe openssh-5.8p2/ssh-keyscan.c
|
diff -up openssh-5.8p2/ssh-keyscan.c.sigpipe openssh-5.8p2/ssh-keyscan.c
|
||||||
--- openssh-5.8p2/ssh-keyscan.c.sigpipe 2011-08-23 18:30:33.873025916 +0200
|
--- openssh-5.8p2/ssh-keyscan.c.sigpipe 2011-08-23 18:30:33.873025916 +0200
|
||||||
+++ openssh-5.8p2/ssh-keyscan.c 2011-08-23 18:32:24.574025362 +0200
|
+++ openssh-5.8p2/ssh-keyscan.c 2011-08-23 18:32:24.574025362 +0200
|
||||||
@@ -715,6 +715,8 @@ main(int argc, char **argv)
|
@@ -715,6 +715,9 @@ main(int argc, char **argv)
|
||||||
|
if (maxfd > fdlim_get(0))
|
||||||
fdlim_set(maxfd);
|
fdlim_set(maxfd);
|
||||||
fdcon = xcalloc(maxfd, sizeof(con));
|
fdcon = xcalloc(maxfd, sizeof(con));
|
||||||
|
+
|
||||||
+ signal(SIGPIPE, SIG_IGN);
|
+ signal(SIGPIPE, SIG_IGN);
|
||||||
+
|
+
|
||||||
read_wait_nfdset = howmany(maxfd, NFDBITS);
|
read_wait = xcalloc(maxfd, sizeof(struct pollfd));
|
||||||
read_wait = xcalloc(read_wait_nfdset, sizeof(fd_mask));
|
for (j = 0; j < maxfd; j++)
|
||||||
|
read_wait[j].fd = -1;
|
||||||
|
|
@ -1,19 +1,19 @@
|
|||||||
diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c
|
diff -up openssh-8.6p1/log.c.log-in-chroot openssh-8.6p1/log.c
|
||||||
--- openssh-7.4p1/log.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
--- openssh-8.6p1/log.c.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
|
||||||
+++ openssh-7.4p1/log.c 2016-12-23 15:14:33.330168088 +0100
|
+++ openssh-8.6p1/log.c 2021-04-19 14:43:08.544843434 +0200
|
||||||
@@ -250,6 +250,11 @@ debug3(const char *fmt,...)
|
@@ -194,6 +194,11 @@ void
|
||||||
void
|
log_init(const char *av0, LogLevel level, SyslogFacility facility,
|
||||||
log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
|
int on_stderr)
|
||||||
{
|
{
|
||||||
+ log_init_handler(av0, level, facility, on_stderr, 1);
|
+ log_init_handler(av0, level, facility, on_stderr, 1);
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+void
|
+void
|
||||||
+log_init_handler(char *av0, LogLevel level, SyslogFacility facility, int on_stderr, int reset_handler) {
|
+log_init_handler(const char *av0, LogLevel level, SyslogFacility facility, int on_stderr, int reset_handler) {
|
||||||
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
||||||
struct syslog_data sdata = SYSLOG_DATA_INIT;
|
struct syslog_data sdata = SYSLOG_DATA_INIT;
|
||||||
#endif
|
#endif
|
||||||
@@ -273,8 +278,10 @@ log_init(char *av0, LogLevel level, Sysl
|
@@ -206,8 +211,10 @@ log_init(const char *av0, LogLevel level
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -26,21 +26,21 @@ diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c
|
|||||||
|
|
||||||
log_on_stderr = on_stderr;
|
log_on_stderr = on_stderr;
|
||||||
if (on_stderr)
|
if (on_stderr)
|
||||||
diff -up openssh-7.4p1/log.h.log-in-chroot openssh-7.4p1/log.h
|
diff -up openssh-8.6p1/log.h.log-in-chroot openssh-8.6p1/log.h
|
||||||
--- openssh-7.4p1/log.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
--- openssh-8.6p1/log.h.log-in-chroot 2021-04-19 14:43:08.544843434 +0200
|
||||||
+++ openssh-7.4p1/log.h 2016-12-23 15:14:33.330168088 +0100
|
+++ openssh-8.6p1/log.h 2021-04-19 14:56:46.931042176 +0200
|
||||||
@@ -49,6 +49,7 @@ typedef enum {
|
@@ -52,6 +52,7 @@ typedef enum {
|
||||||
typedef void (log_handler_fn)(LogLevel, const char *, void *);
|
typedef void (log_handler_fn)(LogLevel, int, const char *, void *);
|
||||||
|
|
||||||
void log_init(char *, LogLevel, SyslogFacility, int);
|
void log_init(const char *, LogLevel, SyslogFacility, int);
|
||||||
+void log_init_handler(char *, LogLevel, SyslogFacility, int, int);
|
+void log_init_handler(const char *, LogLevel, SyslogFacility, int, int);
|
||||||
LogLevel log_level_get(void);
|
LogLevel log_level_get(void);
|
||||||
int log_change_level(LogLevel);
|
int log_change_level(LogLevel);
|
||||||
int log_is_on_stderr(void);
|
int log_is_on_stderr(void);
|
||||||
diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
|
diff -up openssh-8.6p1/monitor.c.log-in-chroot openssh-8.6p1/monitor.c
|
||||||
--- openssh-7.4p1/monitor.c.log-in-chroot 2016-12-23 15:14:33.311168085 +0100
|
--- openssh-8.6p1/monitor.c.log-in-chroot 2021-04-19 14:43:08.526843298 +0200
|
||||||
+++ openssh-7.4p1/monitor.c 2016-12-23 15:16:42.154193100 +0100
|
+++ openssh-8.6p1/monitor.c 2021-04-19 14:55:25.286424043 +0200
|
||||||
@@ -307,6 +307,8 @@ monitor_child_preauth(Authctxt *_authctx
|
@@ -297,6 +297,8 @@ monitor_child_preauth(struct ssh *ssh, s
|
||||||
close(pmonitor->m_log_sendfd);
|
close(pmonitor->m_log_sendfd);
|
||||||
pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
|
pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
|
||||||
|
|
||||||
@ -49,25 +49,25 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
|
|||||||
authctxt = (Authctxt *)ssh->authctxt;
|
authctxt = (Authctxt *)ssh->authctxt;
|
||||||
memset(authctxt, 0, sizeof(*authctxt));
|
memset(authctxt, 0, sizeof(*authctxt));
|
||||||
ssh->authctxt = authctxt;
|
ssh->authctxt = authctxt;
|
||||||
@@ -405,6 +407,8 @@ monitor_child_postauth(struct monitor *p
|
@@ -408,6 +410,8 @@ monitor_child_postauth(struct ssh *ssh,
|
||||||
close(pmonitor->m_recvfd);
|
close(pmonitor->m_recvfd);
|
||||||
pmonitor->m_recvfd = -1;
|
pmonitor->m_recvfd = -1;
|
||||||
|
|
||||||
+ pmonitor->m_state = "postauth";
|
+ pmonitor->m_state = "postauth";
|
||||||
+
|
+
|
||||||
monitor_set_child_handler(pmonitor->m_pid);
|
monitor_set_child_handler(pmonitor->m_pid);
|
||||||
signal(SIGHUP, &monitor_child_handler);
|
ssh_signal(SIGHUP, &monitor_child_handler);
|
||||||
signal(SIGTERM, &monitor_child_handler);
|
ssh_signal(SIGTERM, &monitor_child_handler);
|
||||||
@@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito
|
@@ -480,7 +484,7 @@ monitor_read_log(struct monitor *pmonito
|
||||||
|
/* Log it */
|
||||||
if (log_level_name(level) == NULL)
|
if (log_level_name(level) == NULL)
|
||||||
fatal("%s: invalid log level %u (corrupted message?)",
|
fatal_f("invalid log level %u (corrupted message?)", level);
|
||||||
__func__, level);
|
- sshlogdirect(level, forced, "%s [preauth]", msg);
|
||||||
- do_log2(level, "%s [preauth]", msg);
|
+ sshlogdirect(level, forced, "%s [%s]", msg, pmonitor->m_state);
|
||||||
+ do_log2(level, "%s [%s]", msg, pmonitor->m_state);
|
|
||||||
|
|
||||||
sshbuf_free(logmsg);
|
sshbuf_free(logmsg);
|
||||||
free(msg);
|
free(msg);
|
||||||
@@ -1719,13 +1723,28 @@ monitor_init(void)
|
@@ -1868,13 +1872,28 @@ monitor_init(void)
|
||||||
mon = xcalloc(1, sizeof(*mon));
|
mon = xcalloc(1, sizeof(*mon));
|
||||||
monitor_openfds(mon, 1);
|
monitor_openfds(mon, 1);
|
||||||
|
|
||||||
@ -89,7 +89,7 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
|
|||||||
+ xasprintf(&dev_log_path, "%s/dev/log", chroot_dir);
|
+ xasprintf(&dev_log_path, "%s/dev/log", chroot_dir);
|
||||||
+
|
+
|
||||||
+ if (stat(dev_log_path, &dev_log_stat) != 0) {
|
+ if (stat(dev_log_path, &dev_log_stat) != 0) {
|
||||||
+ debug("%s: /dev/log doesn't exist in %s chroot - will try to log via monitor using [postauth] suffix", __func__, chroot_dir);
|
+ debug_f("/dev/log doesn't exist in %s chroot - will try to log via monitor using [postauth] suffix", chroot_dir);
|
||||||
+ do_logfds = 1;
|
+ do_logfds = 1;
|
||||||
+ }
|
+ }
|
||||||
+ free(dev_log_path);
|
+ free(dev_log_path);
|
||||||
@ -98,10 +98,10 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
diff -up openssh-7.4p1/monitor.h.log-in-chroot openssh-7.4p1/monitor.h
|
diff -up openssh-8.6p1/monitor.h.log-in-chroot openssh-8.6p1/monitor.h
|
||||||
--- openssh-7.4p1/monitor.h.log-in-chroot 2016-12-23 15:14:33.330168088 +0100
|
--- openssh-8.6p1/monitor.h.log-in-chroot 2021-04-19 14:43:08.527843305 +0200
|
||||||
+++ openssh-7.4p1/monitor.h 2016-12-23 15:16:28.372190424 +0100
|
+++ openssh-8.6p1/monitor.h 2021-04-19 14:43:08.545843441 +0200
|
||||||
@@ -83,10 +83,11 @@ struct monitor {
|
@@ -80,10 +80,11 @@ struct monitor {
|
||||||
int m_log_sendfd;
|
int m_log_sendfd;
|
||||||
struct kex **m_pkex;
|
struct kex **m_pkex;
|
||||||
pid_t m_pid;
|
pid_t m_pid;
|
||||||
@ -114,9 +114,9 @@ diff -up openssh-7.4p1/monitor.h.log-in-chroot openssh-7.4p1/monitor.h
|
|||||||
|
|
||||||
struct Authctxt;
|
struct Authctxt;
|
||||||
void monitor_child_preauth(struct ssh *, struct monitor *);
|
void monitor_child_preauth(struct ssh *, struct monitor *);
|
||||||
diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
|
diff -up openssh-8.6p1/session.c.log-in-chroot openssh-8.6p1/session.c
|
||||||
--- openssh-7.4p1/session.c.log-in-chroot 2016-12-23 15:14:33.319168086 +0100
|
--- openssh-8.6p1/session.c.log-in-chroot 2021-04-19 14:43:08.534843358 +0200
|
||||||
+++ openssh-7.4p1/session.c 2016-12-23 15:18:18.742211853 +0100
|
+++ openssh-8.6p1/session.c 2021-04-19 14:43:08.545843441 +0200
|
||||||
@@ -160,6 +160,7 @@ login_cap_t *lc;
|
@@ -160,6 +160,7 @@ login_cap_t *lc;
|
||||||
|
|
||||||
static int is_child = 0;
|
static int is_child = 0;
|
||||||
@ -125,7 +125,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
|
|||||||
|
|
||||||
/* File containing userauth info, if ExposeAuthInfo set */
|
/* File containing userauth info, if ExposeAuthInfo set */
|
||||||
static char *auth_info_file = NULL;
|
static char *auth_info_file = NULL;
|
||||||
@@ -619,6 +620,7 @@ do_exec(Session *s, const char *command)
|
@@ -661,6 +662,7 @@ do_exec(struct ssh *ssh, Session *s, con
|
||||||
int ret;
|
int ret;
|
||||||
const char *forced = NULL, *tty = NULL;
|
const char *forced = NULL, *tty = NULL;
|
||||||
char session_type[1024];
|
char session_type[1024];
|
||||||
@ -133,7 +133,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
|
|||||||
|
|
||||||
if (options.adm_forced_command) {
|
if (options.adm_forced_command) {
|
||||||
original_command = command;
|
original_command = command;
|
||||||
@@ -676,6 +678,10 @@ do_exec(Session *s, const char *command)
|
@@ -720,6 +722,10 @@ do_exec(struct ssh *ssh, Session *s, con
|
||||||
tty += 5;
|
tty += 5;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -144,10 +144,10 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
|
|||||||
verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
|
verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
|
||||||
session_type,
|
session_type,
|
||||||
tty == NULL ? "" : " on ",
|
tty == NULL ? "" : " on ",
|
||||||
@@ -1486,14 +1492,6 @@ child_close_fds(void)
|
@@ -1524,14 +1530,6 @@ child_close_fds(struct ssh *ssh)
|
||||||
* descriptors left by system functions. They will be closed later.
|
|
||||||
*/
|
/* Stop directing logs to a high-numbered fd before we close it */
|
||||||
endpwent();
|
log_redirect_stderr_to(NULL);
|
||||||
-
|
-
|
||||||
- /*
|
- /*
|
||||||
- * Close any extra open file descriptors so that we don't have them
|
- * Close any extra open file descriptors so that we don't have them
|
||||||
@ -159,7 +159,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -1629,8 +1627,6 @@ do_child(Session *s, const char *command
|
@@ -1665,8 +1663,6 @@ do_child(struct ssh *ssh, Session *s, co
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -168,7 +168,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
|
|||||||
do_rc_files(ssh, s, shell);
|
do_rc_files(ssh, s, shell);
|
||||||
|
|
||||||
/* restore SIGPIPE for child */
|
/* restore SIGPIPE for child */
|
||||||
@@ -1653,9 +1649,17 @@ do_child(Session *s, const char *command
|
@@ -1691,9 +1687,17 @@ do_child(struct ssh *ssh, Session *s, co
|
||||||
argv[i] = NULL;
|
argv[i] = NULL;
|
||||||
optind = optreset = 1;
|
optind = optreset = 1;
|
||||||
__progname = argv[0];
|
__progname = argv[0];
|
||||||
@ -187,9 +187,9 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
|
|||||||
fflush(NULL);
|
fflush(NULL);
|
||||||
|
|
||||||
/* Get the last component of the shell name. */
|
/* Get the last component of the shell name. */
|
||||||
diff -up openssh-7.4p1/sftp.h.log-in-chroot openssh-7.4p1/sftp.h
|
diff -up openssh-8.6p1/sftp.h.log-in-chroot openssh-8.6p1/sftp.h
|
||||||
--- openssh-7.4p1/sftp.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
--- openssh-8.6p1/sftp.h.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
|
||||||
+++ openssh-7.4p1/sftp.h 2016-12-23 15:14:33.331168088 +0100
|
+++ openssh-8.6p1/sftp.h 2021-04-19 14:43:08.545843441 +0200
|
||||||
@@ -97,5 +97,5 @@
|
@@ -97,5 +97,5 @@
|
||||||
|
|
||||||
struct passwd;
|
struct passwd;
|
||||||
@ -197,28 +197,28 @@ diff -up openssh-7.4p1/sftp.h.log-in-chroot openssh-7.4p1/sftp.h
|
|||||||
-int sftp_server_main(int, char **, struct passwd *);
|
-int sftp_server_main(int, char **, struct passwd *);
|
||||||
+int sftp_server_main(int, char **, struct passwd *, int);
|
+int sftp_server_main(int, char **, struct passwd *, int);
|
||||||
void sftp_server_cleanup_exit(int) __attribute__((noreturn));
|
void sftp_server_cleanup_exit(int) __attribute__((noreturn));
|
||||||
diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
|
diff -up openssh-8.6p1/sftp-server.c.log-in-chroot openssh-8.6p1/sftp-server.c
|
||||||
--- openssh-7.4p1/sftp-server.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
--- openssh-8.6p1/sftp-server.c.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
|
||||||
+++ openssh-7.4p1/sftp-server.c 2016-12-23 15:14:33.331168088 +0100
|
+++ openssh-8.6p1/sftp-server.c 2021-04-19 14:43:08.545843441 +0200
|
||||||
@@ -1497,7 +1497,7 @@ sftp_server_usage(void)
|
@@ -1644,7 +1644,7 @@ sftp_server_usage(void)
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
-sftp_server_main(int argc, char **argv, struct passwd *user_pw)
|
-sftp_server_main(int argc, char **argv, struct passwd *user_pw)
|
||||||
+sftp_server_main(int argc, char **argv, struct passwd *user_pw, int reset_handler)
|
+sftp_server_main(int argc, char **argv, struct passwd *user_pw, int reset_handler)
|
||||||
{
|
{
|
||||||
fd_set *rset, *wset;
|
int i, r, in, out, ch, skipargs = 0, log_stderr = 0;
|
||||||
int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
|
ssize_t len, olen;
|
||||||
@@ -1511,7 +1511,7 @@ sftp_server_main(int argc, char **argv,
|
@@ -1657,7 +1657,7 @@ sftp_server_main(int argc, char **argv,
|
||||||
|
extern char *__progname;
|
||||||
|
|
||||||
ssh_malloc_init(); /* must be called before any mallocs */
|
|
||||||
__progname = ssh_get_progname(argv[0]);
|
__progname = ssh_get_progname(argv[0]);
|
||||||
- log_init(__progname, log_level, log_facility, log_stderr);
|
- log_init(__progname, log_level, log_facility, log_stderr);
|
||||||
+ log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);
|
+ log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);
|
||||||
|
|
||||||
pw = pwcopy(user_pw);
|
pw = pwcopy(user_pw);
|
||||||
|
|
||||||
@@ -1582,7 +1582,7 @@ sftp_server_main(int argc, char **argv,
|
@@ -1730,7 +1730,7 @@ sftp_server_main(int argc, char **argv,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -227,21 +227,21 @@ diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
|
|||||||
|
|
||||||
/*
|
/*
|
||||||
* On platforms where we can, avoid making /proc/self/{mem,maps}
|
* On platforms where we can, avoid making /proc/self/{mem,maps}
|
||||||
diff -up openssh-7.4p1/sftp-server-main.c.log-in-chroot openssh-7.4p1/sftp-server-main.c
|
diff -up openssh-8.6p1/sftp-server-main.c.log-in-chroot openssh-8.6p1/sftp-server-main.c
|
||||||
--- openssh-7.4p1/sftp-server-main.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
--- openssh-8.6p1/sftp-server-main.c.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
|
||||||
+++ openssh-7.4p1/sftp-server-main.c 2016-12-23 15:14:33.331168088 +0100
|
+++ openssh-8.6p1/sftp-server-main.c 2021-04-19 14:43:08.545843441 +0200
|
||||||
@@ -49,5 +49,5 @@ main(int argc, char **argv)
|
@@ -50,5 +50,5 @@ main(int argc, char **argv)
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
- return (sftp_server_main(argc, argv, user_pw));
|
- return (sftp_server_main(argc, argv, user_pw));
|
||||||
+ return (sftp_server_main(argc, argv, user_pw, 0));
|
+ return (sftp_server_main(argc, argv, user_pw, 0));
|
||||||
}
|
}
|
||||||
diff -up openssh-7.4p1/sshd.c.log-in-chroot openssh-7.4p1/sshd.c
|
diff -up openssh-8.6p1/sshd-session.c.log-in-chroot openssh-8.6p1/sshd-session.c
|
||||||
--- openssh-7.4p1/sshd.c.log-in-chroot 2016-12-23 15:14:33.328168088 +0100
|
--- openssh-8.6p1/sshd-session.c.log-in-chroot 2021-04-19 14:43:08.543843426 +0200
|
||||||
+++ openssh-7.4p1/sshd.c 2016-12-23 15:14:33.332168088 +0100
|
+++ openssh-8.6p1/sshd-session.c 2021-04-19 14:43:08.545843441 +0200
|
||||||
@@ -650,7 +650,7 @@ privsep_postauth(Authctxt *authctxt)
|
@@ -559,7 +559,7 @@ privsep_postauth(struct ssh *ssh, Authct
|
||||||
}
|
#endif
|
||||||
|
|
||||||
/* New socket pair */
|
/* New socket pair */
|
||||||
- monitor_reinit(pmonitor);
|
- monitor_reinit(pmonitor);
|
||||||
@ -249,7 +249,7 @@ diff -up openssh-7.4p1/sshd.c.log-in-chroot openssh-7.4p1/sshd.c
|
|||||||
|
|
||||||
pmonitor->m_pid = fork();
|
pmonitor->m_pid = fork();
|
||||||
if (pmonitor->m_pid == -1)
|
if (pmonitor->m_pid == -1)
|
||||||
@@ -668,6 +668,11 @@ privsep_postauth(Authctxt *authctxt)
|
@@ -578,6 +578,11 @@ privsep_postauth(struct ssh *ssh, Authct
|
||||||
|
|
||||||
close(pmonitor->m_sendfd);
|
close(pmonitor->m_sendfd);
|
||||||
pmonitor->m_sendfd = -1;
|
pmonitor->m_sendfd = -1;
|
@ -10,5 +10,5 @@
|
|||||||
+ }
|
+ }
|
||||||
omode = mode;
|
omode = mode;
|
||||||
mode |= S_IWUSR;
|
mode |= S_IWUSR;
|
||||||
if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) < 0) {
|
if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) == -1) {
|
||||||
--
|
--
|
@ -34,19 +34,19 @@ index 8f32464..18a2ca4 100644
|
|||||||
+
|
+
|
||||||
+ contexts_path = selinux_openssh_contexts_path();
|
+ contexts_path = selinux_openssh_contexts_path();
|
||||||
+ if (contexts_path == NULL) {
|
+ if (contexts_path == NULL) {
|
||||||
+ debug3("%s: Failed to get the path to SELinux context", __func__);
|
+ debug3_f("Failed to get the path to SELinux context");
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ if ((contexts_file = fopen(contexts_path, "r")) == NULL) {
|
+ if ((contexts_file = fopen(contexts_path, "r")) == NULL) {
|
||||||
+ debug("%s: Failed to open SELinux context file", __func__);
|
+ debug_f("Failed to open SELinux context file");
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ if (fstat(fileno(contexts_file), &sb) != 0 ||
|
+ if (fstat(fileno(contexts_file), &sb) != 0 ||
|
||||||
+ sb.st_uid != 0 || (sb.st_mode & 022) != 0) {
|
+ sb.st_uid != 0 || (sb.st_mode & 022) != 0) {
|
||||||
+ logit("%s: SELinux context file needs to be owned by root"
|
+ logit_f("SELinux context file needs to be owned by root"
|
||||||
+ " and not writable by anyone else", __func__);
|
+ " and not writable by anyone else");
|
||||||
+ fclose(contexts_file);
|
+ fclose(contexts_file);
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
@ -70,7 +70,7 @@ index 8f32464..18a2ca4 100644
|
|||||||
+ if (arg && strcmp(arg, "privsep_preauth") == 0) {
|
+ if (arg && strcmp(arg, "privsep_preauth") == 0) {
|
||||||
+ arg = strdelim(&cp);
|
+ arg = strdelim(&cp);
|
||||||
+ if (!arg || *arg == '\0') {
|
+ if (!arg || *arg == '\0') {
|
||||||
+ debug("%s: privsep_preauth is empty", __func__);
|
+ debug_f("privsep_preauth is empty");
|
||||||
+ fclose(contexts_file);
|
+ fclose(contexts_file);
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
@ -80,8 +80,8 @@ index 8f32464..18a2ca4 100644
|
|||||||
+ fclose(contexts_file);
|
+ fclose(contexts_file);
|
||||||
+
|
+
|
||||||
+ if (preauth_context == NULL) {
|
+ if (preauth_context == NULL) {
|
||||||
+ debug("%s: Unable to find 'privsep_preauth' option in"
|
+ debug_f("Unable to find 'privsep_preauth' option in"
|
||||||
+ " SELinux context file", __func__);
|
+ " SELinux context file");
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -93,18 +93,17 @@ index 8f32464..18a2ca4 100644
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
|
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
|
||||||
index 22ea8ef..1fc963d 100644
|
--- a/openbsd-compat/port-linux.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
|
||||||
--- a/openbsd-compat/port-linux.c
|
+++ b/openbsd-compat/port-linux.c (date 1703108053912)
|
||||||
+++ b/openbsd-compat/port-linux.c
|
@@ -207,7 +207,7 @@
|
||||||
@@ -179,7 +179,7 @@ ssh_selinux_change_context(const char *newname)
|
xasprintf(&newctx, "%.*s%s%s", (int)(cx - oldctx + 1), oldctx,
|
||||||
strlcpy(newctx + len, newname, newlen - len);
|
newname, cx2 == NULL ? "" : cx2);
|
||||||
if ((cx = index(cx + 1, ':')))
|
|
||||||
strlcat(newctx, cx, newlen);
|
- debug3_f("setting context from '%s' to '%s'", oldctx, newctx);
|
||||||
- debug3("%s: setting context from '%s' to '%s'", __func__,
|
+ debug_f("setting context from '%s' to '%s'", oldctx, newctx);
|
||||||
+ debug("%s: setting context from '%s' to '%s'", __func__,
|
|
||||||
oldctx, newctx);
|
|
||||||
if (setcon(newctx) < 0)
|
if (setcon(newctx) < 0)
|
||||||
switchlog("%s: setcon %s from %s failed with %s", __func__,
|
do_log2_f(log_level, "setcon %s from %s failed with %s",
|
||||||
|
newctx, oldctx, strerror(errno));
|
||||||
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
|
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
|
||||||
index cb51f99..8b7cda2 100644
|
index cb51f99..8b7cda2 100644
|
||||||
--- a/openbsd-compat/port-linux.h
|
--- a/openbsd-compat/port-linux.h
|
||||||
@ -117,10 +116,10 @@ index cb51f99..8b7cda2 100644
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef LINUX_OOM_ADJUST
|
#ifdef LINUX_OOM_ADJUST
|
||||||
diff --git a/sshd.c b/sshd.c
|
diff --git a/sshd-session.c b/sshd-session.c
|
||||||
index 2871fe9..39b9c08 100644
|
index 2871fe9..39b9c08 100644
|
||||||
--- a/sshd.c
|
--- a/sshd-session.c
|
||||||
+++ b/sshd.c
|
+++ b/sshd-session.c
|
||||||
@@ -629,7 +629,7 @@ privsep_preauth_child(void)
|
@@ -629,7 +629,7 @@ privsep_preauth_child(void)
|
||||||
demote_sensitive_data();
|
demote_sensitive_data();
|
||||||
|
|
@ -28,7 +28,7 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
|
|||||||
+ options->enable_k5users = -1;
|
+ options->enable_k5users = -1;
|
||||||
options->password_authentication = -1;
|
options->password_authentication = -1;
|
||||||
options->kbd_interactive_authentication = -1;
|
options->kbd_interactive_authentication = -1;
|
||||||
options->challenge_response_authentication = -1;
|
options->permit_empty_passwd = -1;
|
||||||
@@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
|
@@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
|
||||||
#endif
|
#endif
|
||||||
if (options->use_kuserok == -1)
|
if (options->use_kuserok == -1)
|
||||||
@ -38,16 +38,16 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
|
|||||||
if (options->password_authentication == -1)
|
if (options->password_authentication == -1)
|
||||||
options->password_authentication = 1;
|
options->password_authentication = 1;
|
||||||
if (options->kbd_interactive_authentication == -1)
|
if (options->kbd_interactive_authentication == -1)
|
||||||
@@ -418,7 +421,7 @@ typedef enum {
|
@@ -578,7 +578,7 @@ typedef enum {
|
||||||
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
|
sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
|
||||||
sHostKeyAlgorithms,
|
sPerSourcePenalties, sPerSourcePenaltyExemptList,
|
||||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||||
- sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
- sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
||||||
+ sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
|
+ sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
|
||||||
sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey,
|
sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey,
|
||||||
sAcceptEnv, sSetEnv, sPermitTunnel,
|
sAcceptEnv, sSetEnv, sPermitTunnel,
|
||||||
sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
|
sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
|
||||||
@@ -497,14 +500,16 @@ static struct {
|
@@ -600,14 +600,16 @@ static struct {
|
||||||
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
|
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
|
||||||
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
|
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
|
||||||
{ "gssapikexalgorithms", sGssKexAlgorithms, SSHCFG_GLOBAL },
|
{ "gssapikexalgorithms", sGssKexAlgorithms, SSHCFG_GLOBAL },
|
||||||
@ -72,9 +72,9 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
|
|||||||
+ intptr = &options->enable_k5users;
|
+ intptr = &options->enable_k5users;
|
||||||
+ goto parse_flag;
|
+ goto parse_flag;
|
||||||
+
|
+
|
||||||
case sPermitListen:
|
case sMatch:
|
||||||
case sPermitOpen:
|
if (cmdline)
|
||||||
if (opcode == sPermitListen) {
|
fatal("Match directive not supported as a command-line "
|
||||||
@@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d
|
@@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d
|
||||||
M_CP_INTOPT(ip_qos_interactive);
|
M_CP_INTOPT(ip_qos_interactive);
|
||||||
M_CP_INTOPT(ip_qos_bulk);
|
M_CP_INTOPT(ip_qos_bulk);
|
||||||
@ -122,10 +122,13 @@ diff -up openssh-7.4p1/sshd_config.GSSAPIEnablek5users openssh-7.4p1/sshd_config
|
|||||||
--- openssh-7.4p1/sshd_config.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100
|
--- openssh-7.4p1/sshd_config.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100
|
||||||
+++ openssh-7.4p1/sshd_config 2016-12-23 15:18:40.631216103 +0100
|
+++ openssh-7.4p1/sshd_config 2016-12-23 15:18:40.631216103 +0100
|
||||||
@@ -80,6 +80,7 @@ GSSAPIAuthentication yes
|
@@ -80,6 +80,7 @@ GSSAPIAuthentication yes
|
||||||
GSSAPICleanupCredentials no
|
#GSSAPICleanupCredentials yes
|
||||||
#GSSAPIStrictAcceptorCheck yes
|
#GSSAPIStrictAcceptorCheck yes
|
||||||
#GSSAPIKeyExchange no
|
#GSSAPIKeyExchange no
|
||||||
+#GSSAPIEnablek5users no
|
+#GSSAPIEnablek5users no
|
||||||
|
|
||||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||||
# and session processing. If this is enabled, PAM authentication will
|
# and session processing. If this is enabled, PAM authentication will
|
||||||
|
diff -up openssh-9.8p1/servconf.c.xxx openssh-9.8p1/servconf.c
|
||||||
|
--- openssh-9.8p1/servconf.c.xxx 2024-07-11 13:51:19.969960781 +0200
|
||||||
|
+++ openssh-9.8p1/servconf.c 2024-07-11 13:51:30.938231250 +0200
|
@ -1,7 +1,7 @@
|
|||||||
diff -up openssh/sshd.c.ip-opts openssh/sshd.c
|
diff -up openssh/sshd.c.ip-opts openssh/sshd.c
|
||||||
--- openssh/sshd.c.ip-opts 2016-07-25 13:58:48.998507834 +0200
|
--- openssh/sshd-session.c.ip-opts 2016-07-25 13:58:48.998507834 +0200
|
||||||
+++ openssh/sshd.c 2016-07-25 14:01:28.346469878 +0200
|
+++ openssh/sshd-session.c 2016-07-25 14:01:28.346469878 +0200
|
||||||
@@ -1507,12 +1507,29 @@ check_ip_options(struct ssh *ssh)
|
@@ -1507,12 +1507,32 @@ check_ip_options(struct ssh *ssh)
|
||||||
|
|
||||||
if (getsockopt(sock_in, IPPROTO_IP, IP_OPTIONS, opts,
|
if (getsockopt(sock_in, IPPROTO_IP, IP_OPTIONS, opts,
|
||||||
&option_size) >= 0 && option_size != 0) {
|
&option_size) >= 0 && option_size != 0) {
|
||||||
@ -21,11 +21,14 @@ diff -up openssh/sshd.c.ip-opts openssh/sshd.c
|
|||||||
+ case 130:
|
+ case 130:
|
||||||
+ case 133:
|
+ case 133:
|
||||||
+ case 134:
|
+ case 134:
|
||||||
+ i += opts[i + 1];
|
+ if (i + 1 < option_size && opts[i + 1] >= 2) {
|
||||||
+ break;
|
+ i += opts[i + 1];
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ /* FALLTHROUGH */
|
||||||
+ default:
|
+ default:
|
||||||
+ /* Fail, fatally, if we detect either loose or strict
|
+ /* Fail, fatally, if we detect either loose or strict
|
||||||
+ * source routing options. */
|
+ * or incorrect source routing options. */
|
||||||
+ text[0] = '\0';
|
+ text[0] = '\0';
|
||||||
+ for (i = 0; i < option_size; i++)
|
+ for (i = 0; i < option_size; i++)
|
||||||
+ snprintf(text + i*3, sizeof(text) - i*3,
|
+ snprintf(text + i*3, sizeof(text) - i*3,
|
||||||
@ -35,5 +38,5 @@ diff -up openssh/sshd.c.ip-opts openssh/sshd.c
|
|||||||
+ }
|
+ }
|
||||||
+ } while (i < option_size);
|
+ } while (i < option_size);
|
||||||
}
|
}
|
||||||
return;
|
|
||||||
#endif /* IP_OPTIONS */
|
#endif /* IP_OPTIONS */
|
||||||
|
}
|
@ -1,10 +1,10 @@
|
|||||||
diff -up openssh/auth.c.keycat openssh/misc.c
|
diff -up openssh/misc.c.keycat openssh/misc.c
|
||||||
--- openssh/auth.c.keycat 2015-06-24 10:57:50.158849606 +0200
|
--- openssh/misc.c.keycat 2015-06-24 10:57:50.158849606 +0200
|
||||||
+++ openssh/auth.c 2015-06-24 11:04:23.989868638 +0200
|
+++ openssh/misc.c 2015-06-24 11:04:23.989868638 +0200
|
||||||
@@ -966,6 +966,14 @@ subprocess(const char *tag, struct passw
|
@@ -966,6 +966,13 @@ subprocess(const char *tag, struct passw
|
||||||
|
error("%s: dup2: %s", tag, strerror(errno));
|
||||||
_exit(1);
|
_exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
+#ifdef WITH_SELINUX
|
+#ifdef WITH_SELINUX
|
||||||
+ if (sshd_selinux_setup_env_variables() < 0) {
|
+ if (sshd_selinux_setup_env_variables() < 0) {
|
||||||
+ error ("failed to copy environment: %s",
|
+ error ("failed to copy environment: %s",
|
||||||
@ -12,10 +12,9 @@ diff -up openssh/auth.c.keycat openssh/misc.c
|
|||||||
+ _exit(127);
|
+ _exit(127);
|
||||||
+ }
|
+ }
|
||||||
+#endif
|
+#endif
|
||||||
+
|
if (env != NULL)
|
||||||
execve(av[0], av, child_env);
|
execve(av[0], av, env);
|
||||||
error("%s exec \"%s\": %s", tag, command, strerror(errno));
|
else
|
||||||
_exit(127);
|
|
||||||
diff -up openssh/HOWTO.ssh-keycat.keycat openssh/HOWTO.ssh-keycat
|
diff -up openssh/HOWTO.ssh-keycat.keycat openssh/HOWTO.ssh-keycat
|
||||||
--- openssh/HOWTO.ssh-keycat.keycat 2015-06-24 10:57:50.157849608 +0200
|
--- openssh/HOWTO.ssh-keycat.keycat 2015-06-24 10:57:50.157849608 +0200
|
||||||
+++ openssh/HOWTO.ssh-keycat 2015-06-24 10:57:50.157849608 +0200
|
+++ openssh/HOWTO.ssh-keycat 2015-06-24 10:57:50.157849608 +0200
|
||||||
@ -36,44 +35,44 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
|
|||||||
--- openssh/Makefile.in.keycat 2015-06-24 10:57:50.152849621 +0200
|
--- openssh/Makefile.in.keycat 2015-06-24 10:57:50.152849621 +0200
|
||||||
+++ openssh/Makefile.in 2015-06-24 10:57:50.157849608 +0200
|
+++ openssh/Makefile.in 2015-06-24 10:57:50.157849608 +0200
|
||||||
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
|
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
|
||||||
|
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
|
||||||
|
SFTP_SERVER=$(libexecdir)/sftp-server
|
||||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||||
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
|
|
||||||
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
|
|
||||||
+SSH_KEYCAT=$(libexecdir)/ssh-keycat
|
+SSH_KEYCAT=$(libexecdir)/ssh-keycat
|
||||||
|
SSHD_SESSION=$(libexecdir)/sshd-session
|
||||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
||||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
|
||||||
@@ -52,6 +52,7 @@ K5LIBS=@K5LIBS@
|
@@ -52,6 +52,7 @@ K5LIBS=@K5LIBS@
|
||||||
|
K5LIBS=@K5LIBS@
|
||||||
GSSLIBS=@GSSLIBS@
|
GSSLIBS=@GSSLIBS@
|
||||||
SSHLIBS=@SSHLIBS@
|
|
||||||
SSHDLIBS=@SSHDLIBS@
|
SSHDLIBS=@SSHDLIBS@
|
||||||
+KEYCATLIBS=@KEYCATLIBS@
|
+KEYCATLIBS=@KEYCATLIBS@
|
||||||
LIBEDIT=@LIBEDIT@
|
LIBEDIT=@LIBEDIT@
|
||||||
|
LIBFIDO2=@LIBFIDO2@
|
||||||
AR=@AR@
|
AR=@AR@
|
||||||
AWK=@AWK@
|
|
||||||
@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
|
@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
|
||||||
MKDIR_P=@MKDIR_P@
|
|
||||||
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
|
|
||||||
|
|
||||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
|
.SUFFIXES: .lo
|
||||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
|
||||||
|
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
|
||||||
|
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
||||||
|
|
||||||
XMSS_OBJS=\
|
XMSS_OBJS=\
|
||||||
ssh-xmss.o \
|
ssh-xmss.o \
|
||||||
@@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
|
@@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
|
||||||
ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
|
ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
|
||||||
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LDAPLIBS)
|
$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) $(CHANNELLIBS)
|
||||||
|
|
||||||
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
|
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
|
||||||
+ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
|
+ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
|
||||||
+
|
+
|
||||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
||||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(CHANNELLIBS)
|
||||||
|
|
||||||
@@ -321,6 +325,7 @@ install-files:
|
@@ -321,6 +325,7 @@ install-files:
|
||||||
$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
|
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
||||||
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
|
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||||
fi
|
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
|
||||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
|
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||||
@ -96,8 +95,8 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.keycat openssh/openbsd-compat/
|
|||||||
--- openssh/openbsd-compat/port-linux-sshd.c.keycat 2015-06-24 10:57:50.150849626 +0200
|
--- openssh/openbsd-compat/port-linux-sshd.c.keycat 2015-06-24 10:57:50.150849626 +0200
|
||||||
+++ openssh/openbsd-compat/port-linux-sshd.c 2015-06-24 10:57:50.159849603 +0200
|
+++ openssh/openbsd-compat/port-linux-sshd.c 2015-06-24 10:57:50.159849603 +0200
|
||||||
@@ -54,6 +54,20 @@ extern Authctxt *the_authctxt;
|
@@ -54,6 +54,20 @@ extern Authctxt *the_authctxt;
|
||||||
|
extern Authctxt *the_authctxt;
|
||||||
extern int inetd_flag;
|
extern int inetd_flag;
|
||||||
extern int rexeced_flag;
|
|
||||||
|
|
||||||
+/* Wrapper around is_selinux_enabled() to log its return value once only */
|
+/* Wrapper around is_selinux_enabled() to log its return value once only */
|
||||||
+int
|
+int
|
||||||
@ -132,7 +131,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.keycat openssh/openbsd-compat/
|
|||||||
- rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
|
- rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
|
||||||
+ rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
|
+ rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
|
||||||
|
|
||||||
if (inetd_flag && !rexeced_flag) {
|
if (inetd_flag) {
|
||||||
use_current = "1";
|
use_current = "1";
|
||||||
} else {
|
} else {
|
||||||
use_current = "";
|
use_current = "";
|
||||||
@ -466,16 +465,16 @@ index 3bbccfd..6481f1f 100644
|
|||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
@@ -4042,6 +4044,7 @@ AC_ARG_WITH([selinux],
|
@@ -4042,6 +4044,7 @@ AC_ARG_WITH([selinux],
|
||||||
|
fi ]
|
||||||
)
|
)
|
||||||
AC_SUBST([SSHLIBS])
|
|
||||||
AC_SUBST([SSHDLIBS])
|
AC_SUBST([SSHDLIBS])
|
||||||
+AC_SUBST([KEYCATLIBS])
|
+AC_SUBST([KEYCATLIBS])
|
||||||
|
|
||||||
# Check whether user wants Kerberos 5 support
|
# Check whether user wants Kerberos 5 support
|
||||||
KRB5_MSG="no"
|
KRB5_MSG="no"
|
||||||
@@ -5031,6 +5034,9 @@ fi
|
@@ -5031,6 +5034,9 @@ fi
|
||||||
if test ! -z "${SSHLIBS}"; then
|
if test ! -z "${SSHDLIBS}"; then
|
||||||
echo " +for ssh: ${SSHLIBS}"
|
echo " +for sshd: ${SSHDLIBS}"
|
||||||
fi
|
fi
|
||||||
+if test ! -z "${KEYCATLIBS}"; then
|
+if test ! -z "${KEYCATLIBS}"; then
|
||||||
+echo " +for ssh-keycat: ${KEYCATLIBS}"
|
+echo " +for ssh-keycat: ${KEYCATLIBS}"
|
@ -155,8 +155,8 @@ diff -up openssh-7.4p1/gss-serv-krb5.c.kuserok openssh-7.4p1/gss-serv-krb5.c
|
|||||||
* because if they are on a krb5-protected filesystem, user credentials
|
* because if they are on a krb5-protected filesystem, user credentials
|
||||||
* to access these files aren't available yet. */
|
* to access these files aren't available yet. */
|
||||||
- if (krb5_kuserok(krb_context, princ, name) && k5login_exists) {
|
- if (krb5_kuserok(krb_context, princ, name) && k5login_exists) {
|
||||||
+ if (ssh_krb5_kuserok(krb_context, princ, name, k5login_exists)
|
+ if (k5login_exists &&
|
||||||
+ && k5login_exists) {
|
+ ssh_krb5_kuserok(krb_context, princ, name, k5login_exists)) {
|
||||||
retval = 1;
|
retval = 1;
|
||||||
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
|
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
|
||||||
name, (char *)client->displayname.value);
|
name, (char *)client->displayname.value);
|
||||||
@ -182,7 +182,7 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
|
|||||||
+ options->use_kuserok = -1;
|
+ options->use_kuserok = -1;
|
||||||
options->password_authentication = -1;
|
options->password_authentication = -1;
|
||||||
options->kbd_interactive_authentication = -1;
|
options->kbd_interactive_authentication = -1;
|
||||||
options->challenge_response_authentication = -1;
|
options->permit_empty_passwd = -1;
|
||||||
@@ -278,6 +279,8 @@ fill_default_server_options(ServerOption
|
@@ -278,6 +279,8 @@ fill_default_server_options(ServerOption
|
||||||
if (options->gss_kex_algorithms == NULL)
|
if (options->gss_kex_algorithms == NULL)
|
||||||
options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
|
options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
|
||||||
@ -193,14 +193,14 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
|
|||||||
options->password_authentication = 1;
|
options->password_authentication = 1;
|
||||||
if (options->kbd_interactive_authentication == -1)
|
if (options->kbd_interactive_authentication == -1)
|
||||||
@@ -399,7 +402,7 @@ typedef enum {
|
@@ -399,7 +402,7 @@ typedef enum {
|
||||||
sPermitRootLogin, sLogFacility, sLogLevel,
|
sPort, sHostKeyFile, sLoginGraceTime,
|
||||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
|
||||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||||
- sKerberosGetAFSToken, sKerberosUniqueCCache,
|
- sKerberosGetAFSToken, sKerberosUniqueCCache, sPasswordAuthentication,
|
||||||
+ sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok,
|
+ sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok, sPasswordAuthentication,
|
||||||
sChallengeResponseAuthentication,
|
sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
|
||||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
|
||||||
sListenAddress, sAddressFamily,
|
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
|
||||||
@@ -478,12 +481,14 @@ static struct {
|
@@ -478,12 +481,14 @@ static struct {
|
||||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||||
#endif
|
#endif
|
||||||
@ -217,16 +217,16 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
|
|||||||
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||||
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
|
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||||
@@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions
|
@@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions
|
||||||
*activep = value;
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
+ case sKerberosUseKuserok:
|
+ case sKerberosUseKuserok:
|
||||||
+ intptr = &options->use_kuserok;
|
+ intptr = &options->use_kuserok;
|
||||||
+ goto parse_flag;
|
+ goto parse_flag;
|
||||||
+
|
+
|
||||||
case sPermitListen:
|
case sMatch:
|
||||||
case sPermitOpen:
|
if (cmdline)
|
||||||
if (opcode == sPermitListen) {
|
fatal("Match directive not supported as a command-line "
|
||||||
@@ -2016,6 +2025,7 @@ copy_set_server_options(ServerOptions *d
|
@@ -2016,6 +2025,7 @@ copy_set_server_options(ServerOptions *d
|
||||||
M_CP_INTOPT(client_alive_interval);
|
M_CP_INTOPT(client_alive_interval);
|
||||||
M_CP_INTOPT(ip_qos_interactive);
|
M_CP_INTOPT(ip_qos_interactive);
|
||||||
@ -266,8 +266,8 @@ diff -up openssh-7.4p1/sshd_config.5.kuserok openssh-7.4p1/sshd_config.5
|
|||||||
+The default is
|
+The default is
|
||||||
+.Cm yes .
|
+.Cm yes .
|
||||||
.It Cm KexAlgorithms
|
.It Cm KexAlgorithms
|
||||||
Specifies the available KEX (Key Exchange) algorithms.
|
Specifies the permitted KEX (Key Exchange) algorithms that the server will
|
||||||
Multiple algorithms must be comma-separated.
|
offer to clients.
|
||||||
@@ -1078,6 +1082,7 @@ Available keywords are
|
@@ -1078,6 +1082,7 @@ Available keywords are
|
||||||
.Cm IPQoS ,
|
.Cm IPQoS ,
|
||||||
.Cm KbdInteractiveAuthentication ,
|
.Cm KbdInteractiveAuthentication ,
|
||||||
@ -286,4 +286,4 @@ diff -up openssh-7.4p1/sshd_config.kuserok openssh-7.4p1/sshd_config
|
|||||||
+#KerberosUseKuserok yes
|
+#KerberosUseKuserok yes
|
||||||
|
|
||||||
# GSSAPI options
|
# GSSAPI options
|
||||||
GSSAPIAuthentication yes
|
#GSSAPIAuthentication no
|
@ -13,7 +13,7 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh-
|
|||||||
--- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100
|
--- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100
|
||||||
+++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c 2016-12-23 18:58:52.974122201 +0100
|
+++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c 2016-12-23 18:58:52.974122201 +0100
|
||||||
@@ -419,6 +419,28 @@ sshd_selinux_setup_exec_context(char *pw
|
@@ -419,6 +419,28 @@ sshd_selinux_setup_exec_context(char *pw
|
||||||
debug3("%s: done", __func__);
|
debug3_f("done");
|
||||||
}
|
}
|
||||||
|
|
||||||
+void
|
+void
|
||||||
@ -25,15 +25,15 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh-
|
|||||||
+ return;
|
+ return;
|
||||||
+
|
+
|
||||||
+ if (getexeccon((security_context_t *)&ctx) != 0) {
|
+ if (getexeccon((security_context_t *)&ctx) != 0) {
|
||||||
+ logit("%s: getexeccon failed with %s", __func__, strerror(errno));
|
+ logit_f("getexeccon failed with %s", strerror(errno));
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
+ if (ctx != NULL) {
|
+ if (ctx != NULL) {
|
||||||
+ /* unset exec context before we will lose this capabililty */
|
+ /* unset exec context before we will lose this capabililty */
|
||||||
+ if (setexeccon(NULL) != 0)
|
+ if (setexeccon(NULL) != 0)
|
||||||
+ fatal("%s: setexeccon failed with %s", __func__, strerror(errno));
|
+ fatal_f("setexeccon failed with %s", strerror(errno));
|
||||||
+ if (setcon(ctx) != 0)
|
+ if (setcon(ctx) != 0)
|
||||||
+ fatal("%s: setcon failed with %s", __func__, strerror(errno));
|
+ fatal_f("setcon failed with %s", strerror(errno));
|
||||||
+ freecon(ctx);
|
+ freecon(ctx);
|
||||||
+ }
|
+ }
|
||||||
+}
|
+}
|
||||||
@ -49,7 +49,7 @@ diff -up openssh-7.4p1/session.c.privsep-selinux openssh-7.4p1/session.c
|
|||||||
platform_setusercontext(pw);
|
platform_setusercontext(pw);
|
||||||
|
|
||||||
- if (platform_privileged_uidswap()) {
|
- if (platform_privileged_uidswap()) {
|
||||||
+ if (platform_privileged_uidswap() && (!is_child || !use_privsep)) {
|
+ if (platform_privileged_uidswap() && !is_child) {
|
||||||
#ifdef HAVE_LOGIN_CAP
|
#ifdef HAVE_LOGIN_CAP
|
||||||
if (setusercontext(lc, pw, pw->pw_uid,
|
if (setusercontext(lc, pw, pw->pw_uid,
|
||||||
(LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
|
(LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
|
||||||
@ -96,8 +96,8 @@ diff -up openssh-7.4p1/session.c.privsep-selinux openssh-7.4p1/session.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
diff -up openssh-7.4p1/sshd.c.privsep-selinux openssh-7.4p1/sshd.c
|
diff -up openssh-7.4p1/sshd.c.privsep-selinux openssh-7.4p1/sshd.c
|
||||||
--- openssh-7.4p1/sshd.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100
|
--- openssh-7.4p1/sshd-session.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100
|
||||||
+++ openssh-7.4p1/sshd.c 2016-12-23 18:59:13.808124269 +0100
|
+++ openssh-7.4p1/sshd-session.c 2016-12-23 18:59:13.808124269 +0100
|
||||||
@@ -540,6 +540,10 @@ privsep_preauth_child(void)
|
@@ -540,6 +540,10 @@ privsep_preauth_child(void)
|
||||||
/* Demote the private keys to public keys. */
|
/* Demote the private keys to public keys. */
|
||||||
demote_sensitive_data();
|
demote_sensitive_data();
|
||||||
@ -109,13 +109,12 @@ diff -up openssh-7.4p1/sshd.c.privsep-selinux openssh-7.4p1/sshd.c
|
|||||||
/* Demote the child */
|
/* Demote the child */
|
||||||
if (privsep_chroot) {
|
if (privsep_chroot) {
|
||||||
/* Change our root directory */
|
/* Change our root directory */
|
||||||
@@ -633,6 +637,9 @@ privsep_postauth(Authctxt *authctxt)
|
@@ -403,7 +403,7 @@ privsep_postauth(struct ssh *ssh, Authct
|
||||||
{
|
* fd passing, as AFAIK PTY allocation on this platform doesn't require
|
||||||
#ifdef DISABLE_FD_PASSING
|
* special privileges to begin with.
|
||||||
if (1) {
|
*/
|
||||||
+#elif defined(WITH_SELINUX)
|
-#if defined(DISABLE_FD_PASSING) && !defined(HAVE_CYGWIN)
|
||||||
+ if (0) {
|
+#if defined(DISABLE_FD_PASSING) && !defined(HAVE_CYGWIN) && !defined(WITH_SELINUX)
|
||||||
+ /* even root user can be confined by SELinux */
|
skip_privdrop = 1;
|
||||||
#else
|
|
||||||
if (authctxt->pw->pw_uid == 0) {
|
|
||||||
#endif
|
#endif
|
||||||
|
|
248
openssh-6.7p1-coverity.patch
Normal file
248
openssh-6.7p1-coverity.patch
Normal file
@ -0,0 +1,248 @@
|
|||||||
|
diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c
|
||||||
|
--- openssh-8.5p1/auth-krb5.c.coverity 2021-03-24 12:03:33.724967756 +0100
|
||||||
|
+++ openssh-8.5p1/auth-krb5.c 2021-03-24 12:03:33.782968159 +0100
|
||||||
|
@@ -426,6 +426,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx,
|
||||||
|
umask(old_umask);
|
||||||
|
if (tmpfd == -1) {
|
||||||
|
logit("mkstemp(): %.100s", strerror(oerrno));
|
||||||
|
+ free(ccname);
|
||||||
|
return oerrno;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -433,6 +434,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx,
|
||||||
|
oerrno = errno;
|
||||||
|
logit("fchmod(): %.100s", strerror(oerrno));
|
||||||
|
close(tmpfd);
|
||||||
|
+ free(ccname);
|
||||||
|
return oerrno;
|
||||||
|
}
|
||||||
|
/* make sure the KRB5CCNAME is set for non-standard location */
|
||||||
|
diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c
|
||||||
|
--- openssh-8.5p1/gss-genr.c.coverity 2021-03-26 11:52:46.613942552 +0100
|
||||||
|
+++ openssh-8.5p1/gss-genr.c 2021-03-26 11:54:37.881726318 +0100
|
||||||
|
@@ -167,8 +167,9 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
||||||
|
enclen = __b64_ntop(digest,
|
||||||
|
ssh_digest_bytes(SSH_DIGEST_MD5), encoded,
|
||||||
|
ssh_digest_bytes(SSH_DIGEST_MD5) * 2);
|
||||||
|
-
|
||||||
|
+#pragma GCC diagnostic ignored "-Wstringop-overflow"
|
||||||
|
cp = strncpy(s, kex, strlen(kex));
|
||||||
|
+#pragma GCC diagnostic pop
|
||||||
|
for ((p = strsep(&cp, ",")); p && *p != '\0';
|
||||||
|
(p = strsep(&cp, ","))) {
|
||||||
|
if (sshbuf_len(buf) != 0 &&
|
||||||
|
diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c
|
||||||
|
--- openssh-8.5p1/krl.c.coverity 2021-03-02 11:31:47.000000000 +0100
|
||||||
|
+++ openssh-8.5p1/krl.c 2021-03-24 12:03:33.783968166 +0100
|
||||||
|
@@ -1261,6 +1262,7 @@ is_key_revoked(struct ssh_krl *krl, cons
|
||||||
|
return r;
|
||||||
|
erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb);
|
||||||
|
free(rb.blob);
|
||||||
|
+ rb.blob = NULL; /* make coverity happy */
|
||||||
|
if (erb != NULL) {
|
||||||
|
KRL_DBG(("revoked by key SHA1"));
|
||||||
|
return SSH_ERR_KEY_REVOKED;
|
||||||
|
@@ -1271,6 +1273,7 @@ is_key_revoked(struct ssh_krl *krl, cons
|
||||||
|
return r;
|
||||||
|
erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha256s, &rb);
|
||||||
|
free(rb.blob);
|
||||||
|
+ rb.blob = NULL; /* make coverity happy */
|
||||||
|
if (erb != NULL) {
|
||||||
|
KRL_DBG(("revoked by key SHA256"));
|
||||||
|
return SSH_ERR_KEY_REVOKED;
|
||||||
|
@@ -1282,6 +1285,7 @@ is_key_revoked(struct ssh_krl *krl, cons
|
||||||
|
return r;
|
||||||
|
erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb);
|
||||||
|
free(rb.blob);
|
||||||
|
+ rb.blob = NULL; /* make coverity happy */
|
||||||
|
if (erb != NULL) {
|
||||||
|
KRL_DBG(("revoked by explicit key"));
|
||||||
|
return SSH_ERR_KEY_REVOKED;
|
||||||
|
diff -up openssh-8.5p1/loginrec.c.coverity openssh-8.5p1/loginrec.c
|
||||||
|
--- openssh-8.5p1/loginrec.c.coverity 2021-03-24 13:18:53.793225885 +0100
|
||||||
|
+++ openssh-8.5p1/loginrec.c 2021-03-24 13:21:27.948404751 +0100
|
||||||
|
@@ -690,9 +690,11 @@ construct_utmp(struct logininfo *li,
|
||||||
|
*/
|
||||||
|
|
||||||
|
/* Use strncpy because we don't necessarily want null termination */
|
||||||
|
+ /* coverity[buffer_size_warning : FALSE] */
|
||||||
|
strncpy(ut->ut_name, li->username,
|
||||||
|
MIN_SIZEOF(ut->ut_name, li->username));
|
||||||
|
# ifdef HAVE_HOST_IN_UTMP
|
||||||
|
+ /* coverity[buffer_size_warning : FALSE] */
|
||||||
|
strncpy(ut->ut_host, li->hostname,
|
||||||
|
MIN_SIZEOF(ut->ut_host, li->hostname));
|
||||||
|
# endif
|
||||||
|
diff -up openssh-8.5p1/misc.c.coverity openssh-8.5p1/misc.c
|
||||||
|
--- openssh-8.5p1/misc.c.coverity 2021-03-24 12:03:33.745967902 +0100
|
||||||
|
+++ openssh-8.5p1/misc.c 2021-03-24 13:31:47.037079617 +0100
|
||||||
|
@@ -1425,6 +1425,8 @@ sanitise_stdfd(void)
|
||||||
|
}
|
||||||
|
if (nullfd > STDERR_FILENO)
|
||||||
|
close(nullfd);
|
||||||
|
+ /* coverity[leaked_handle : FALSE]*/
|
||||||
|
+ /* coverity[leaked_handle : FALSE]*/
|
||||||
|
}
|
||||||
|
|
||||||
|
char *
|
||||||
|
@@ -2511,6 +2513,7 @@ stdfd_devnull(int do_stdin, int do_stdou
|
||||||
|
}
|
||||||
|
if (devnull > STDERR_FILENO)
|
||||||
|
close(devnull);
|
||||||
|
+ /* coverity[leaked_handle : FALSE]*/
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
|
||||||
|
--- openssh-7.4p1/monitor.c.coverity 2016-12-23 16:40:26.888788688 +0100
|
||||||
|
+++ openssh-7.4p1/monitor.c 2016-12-23 16:40:26.900788691 +0100
|
||||||
|
@@ -411,7 +411,7 @@ monitor_child_preauth(Authctxt *_authctx
|
||||||
|
mm_get_keystate(ssh, pmonitor);
|
||||||
|
|
||||||
|
/* Drain any buffered messages from the child */
|
||||||
|
- while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)
|
||||||
|
+ while (pmonitor->m_log_recvfd >= 0 && monitor_read_log(pmonitor) == 0)
|
||||||
|
;
|
||||||
|
|
||||||
|
if (pmonitor->m_recvfd >= 0)
|
||||||
|
@@ -1678,7 +1678,7 @@ mm_answer_pty(struct ssh *ssh, int sock,
|
||||||
|
s->ptymaster = s->ptyfd;
|
||||||
|
|
||||||
|
debug3_f("tty %s ptyfd %d", s->tty, s->ttyfd);
|
||||||
|
-
|
||||||
|
+ /* coverity[leaked_handle : FALSE] */
|
||||||
|
return (0);
|
||||||
|
|
||||||
|
error:
|
||||||
|
diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/openbsd-compat/bindresvport.c
|
||||||
|
--- openssh-7.4p1/openbsd-compat/bindresvport.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
||||||
|
+++ openssh-7.4p1/openbsd-compat/bindresvport.c 2016-12-23 16:40:26.901788691 +0100
|
||||||
|
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
|
||||||
|
struct sockaddr_in6 *in6;
|
||||||
|
u_int16_t *portp;
|
||||||
|
u_int16_t port;
|
||||||
|
- socklen_t salen;
|
||||||
|
+ socklen_t salen = sizeof(struct sockaddr_storage);
|
||||||
|
int i;
|
||||||
|
|
||||||
|
if (sa == NULL) {
|
||||||
|
diff -up openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity openssh-8.7p1/openbsd-compat/bsd-pselect.c
|
||||||
|
--- openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity 2021-08-30 16:36:11.357288009 +0200
|
||||||
|
+++ openssh-8.7p1/openbsd-compat/bsd-pselect.c 2021-08-30 16:37:21.791897976 +0200
|
||||||
|
@@ -113,13 +113,13 @@ pselect_notify_setup(void)
|
||||||
|
static void
|
||||||
|
pselect_notify_parent(void)
|
||||||
|
{
|
||||||
|
- if (notify_pipe[1] != -1)
|
||||||
|
+ if (notify_pipe[1] >= 0)
|
||||||
|
(void)write(notify_pipe[1], "", 1);
|
||||||
|
}
|
||||||
|
static void
|
||||||
|
pselect_notify_prepare(fd_set *readset)
|
||||||
|
{
|
||||||
|
- if (notify_pipe[0] != -1)
|
||||||
|
+ if (notify_pipe[0] >= 0)
|
||||||
|
FD_SET(notify_pipe[0], readset);
|
||||||
|
}
|
||||||
|
static void
|
||||||
|
@@ -127,8 +127,8 @@ pselect_notify_done(fd_set *readset)
|
||||||
|
{
|
||||||
|
char c;
|
||||||
|
|
||||||
|
- if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset)) {
|
||||||
|
- while (read(notify_pipe[0], &c, 1) != -1)
|
||||||
|
+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset)) {
|
||||||
|
+ while (read(notify_pipe[0], &c, 1) >= 0)
|
||||||
|
debug2_f("reading");
|
||||||
|
FD_CLR(notify_pipe[0], readset);
|
||||||
|
}
|
||||||
|
diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c
|
||||||
|
--- openssh-8.5p1/readconf.c.coverity 2021-03-24 12:03:33.778968131 +0100
|
||||||
|
+++ openssh-8.5p1/readconf.c 2021-03-24 12:03:33.785968180 +0100
|
||||||
|
@@ -1847,6 +1847,7 @@ parse_pubkey_algos:
|
||||||
|
} else if (r != 0) {
|
||||||
|
error("%.200s line %d: glob failed for %s.",
|
||||||
|
filename, linenum, arg2);
|
||||||
|
+ free(arg2);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
free(arg2);
|
||||||
|
diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
|
||||||
|
--- openssh-7.4p1/servconf.c.coverity 2016-12-23 16:40:26.896788690 +0100
|
||||||
|
+++ openssh-7.4p1/servconf.c 2016-12-23 16:40:26.901788691 +0100
|
||||||
|
@@ -1638,8 +1638,9 @@ process_server_config_line(ServerOptions
|
||||||
|
if (*activep && *charptr == NULL) {
|
||||||
|
*charptr = tilde_expand_filename(arg, getuid());
|
||||||
|
/* increase optional counter */
|
||||||
|
- if (intptr != NULL)
|
||||||
|
- *intptr = *intptr + 1;
|
||||||
|
+ /* DEAD CODE intptr is still NULL ;)
|
||||||
|
+ if (intptr != NULL)
|
||||||
|
+ *intptr = *intptr + 1; */
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
|
||||||
|
diff -up openssh-8.7p1/serverloop.c.coverity openssh-8.7p1/serverloop.c
|
||||||
|
--- openssh-8.7p1/serverloop.c.coverity 2021-08-20 06:03:49.000000000 +0200
|
||||||
|
+++ openssh-8.7p1/serverloop.c 2021-08-30 16:28:22.416226981 +0200
|
||||||
|
@@ -547,7 +547,7 @@ server_request_tun(struct ssh *ssh)
|
||||||
|
debug_f("invalid tun");
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
- if (auth_opts->force_tun_device != -1) {
|
||||||
|
+ if (auth_opts->force_tun_device >= 0) {
|
||||||
|
if (tun != SSH_TUNID_ANY &&
|
||||||
|
auth_opts->force_tun_device != (int)tun)
|
||||||
|
goto done;
|
||||||
|
diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
|
||||||
|
--- openssh-7.4p1/ssh-agent.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
||||||
|
+++ openssh-7.4p1/ssh-agent.c 2016-12-23 16:40:26.903788691 +0100
|
||||||
|
@@ -869,6 +869,7 @@ sanitize_pkcs11_provider(const char *pro
|
||||||
|
|
||||||
|
if (pkcs11_uri_parse(provider, uri) != 0) {
|
||||||
|
error("Failed to parse PKCS#11 URI");
|
||||||
|
+ pkcs11_uri_cleanup(uri);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
/* validate also provider from URI */
|
||||||
|
diff -up openssh-7.4p1/sshd-session.c.coverity openssh-7.4p1/sshd-session.c
|
||||||
|
--- openssh-7.4p1/sshd-session.c.coverity 2016-12-23 16:40:26.897788690 +0100
|
||||||
|
+++ openssh-7.4p1/sshd-session.c 2016-12-23 16:40:26.904788692 +0100
|
||||||
|
@@ -691,8 +691,10 @@ privsep_preauth(Authctxt *authctxt)
|
||||||
|
|
||||||
|
privsep_preauth_child(ssh);
|
||||||
|
setproctitle("%s", "[net]");
|
||||||
|
- if (box != NULL)
|
||||||
|
+ if (box != NULL) {
|
||||||
|
ssh_sandbox_child(box);
|
||||||
|
+ free(box);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
@@ -2519,8 +2524,11 @@ do_ssh2_kex(struct ssh *ssh)
|
||||||
|
|
||||||
|
if (newstr)
|
||||||
|
myproposal[PROPOSAL_KEX_ALGS] = newstr;
|
||||||
|
- else
|
||||||
|
+ else {
|
||||||
|
fatal("No supported key exchange algorithms");
|
||||||
|
+ free(gss);
|
||||||
|
+ }
|
||||||
|
+ /* coverity[leaked_storage: FALSE]*/
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
diff -up openssh-8.5p1/ssh-keygen.c.coverity openssh-8.5p1/ssh-keygen.c
|
||||||
|
--- openssh-8.5p1/ssh-keygen.c.coverity 2021-03-24 12:03:33.780968145 +0100
|
||||||
|
+++ openssh-8.5p1/ssh-keygen.c 2021-03-24 12:03:33.787968194 +0100
|
||||||
|
@@ -2332,6 +2332,9 @@ update_krl_from_file(struct passwd *pw,
|
||||||
|
r = ssh_krl_revoke_key_sha256(krl, blob, blen);
|
||||||
|
if (r != 0)
|
||||||
|
fatal_fr(r, "revoke key failed");
|
||||||
|
+ freezero(blob, blen);
|
||||||
|
+ blob = NULL;
|
||||||
|
+ blen = 0;
|
||||||
|
} else {
|
||||||
|
if (strncasecmp(cp, "key:", 4) == 0) {
|
||||||
|
cp += 4;
|
@ -1,15 +1,15 @@
|
|||||||
diff --color -ru a/sftp-server.8 b/sftp-server.8
|
diff -up openssh-7.2p2/sftp-server.8.sftp-force-mode openssh-7.2p2/sftp-server.8
|
||||||
--- a/sftp-server.8 2019-04-18 00:52:57.000000000 +0200
|
--- openssh-7.2p2/sftp-server.8.sftp-force-mode 2016-03-09 19:04:48.000000000 +0100
|
||||||
+++ b/sftp-server.8 2022-06-20 16:03:47.892540068 +0200
|
+++ openssh-7.2p2/sftp-server.8 2016-06-23 16:18:20.463854117 +0200
|
||||||
@@ -38,6 +38,7 @@
|
@@ -38,6 +38,7 @@
|
||||||
.Op Fl P Ar blacklisted_requests
|
.Op Fl P Ar denied_requests
|
||||||
.Op Fl p Ar whitelisted_requests
|
.Op Fl p Ar allowed_requests
|
||||||
.Op Fl u Ar umask
|
.Op Fl u Ar umask
|
||||||
+.Op Fl m Ar force_file_perms
|
+.Op Fl m Ar force_file_perms
|
||||||
.Ek
|
.Ek
|
||||||
.Nm
|
.Nm
|
||||||
.Fl Q Ar protocol_feature
|
.Fl Q Ar protocol_feature
|
||||||
@@ -138,6 +139,12 @@
|
@@ -138,6 +139,12 @@ Sets an explicit
|
||||||
.Xr umask 2
|
.Xr umask 2
|
||||||
to be applied to newly-created files and directories, instead of the
|
to be applied to newly-created files and directories, instead of the
|
||||||
user's default mask.
|
user's default mask.
|
||||||
@ -22,10 +22,10 @@ diff --color -ru a/sftp-server.8 b/sftp-server.8
|
|||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
On some systems,
|
On some systems,
|
||||||
diff --color -ru a/sftp-server.c b/sftp-server.c
|
diff -up openssh-7.2p2/sftp-server.c.sftp-force-mode openssh-7.2p2/sftp-server.c
|
||||||
--- a/sftp-server.c 2022-06-20 16:01:26.183793633 +0200
|
--- openssh-7.2p2/sftp-server.c.sftp-force-mode 2016-06-23 16:18:20.446854128 +0200
|
||||||
+++ b/sftp-server.c 2022-06-20 16:02:12.442690608 +0200
|
+++ openssh-7.2p2/sftp-server.c 2016-06-23 16:20:37.950766082 +0200
|
||||||
@@ -65,6 +65,10 @@
|
@@ -69,6 +69,10 @@ struct sshbuf *oqueue;
|
||||||
/* Version of client */
|
/* Version of client */
|
||||||
static u_int version;
|
static u_int version;
|
||||||
|
|
||||||
@ -36,7 +36,7 @@ diff --color -ru a/sftp-server.c b/sftp-server.c
|
|||||||
/* SSH2_FXP_INIT received */
|
/* SSH2_FXP_INIT received */
|
||||||
static int init_done;
|
static int init_done;
|
||||||
|
|
||||||
@@ -683,6 +687,7 @@
|
@@ -683,6 +687,7 @@ process_open(u_int32_t id)
|
||||||
Attrib a;
|
Attrib a;
|
||||||
char *name;
|
char *name;
|
||||||
int r, handle, fd, flags, mode, status = SSH2_FX_FAILURE;
|
int r, handle, fd, flags, mode, status = SSH2_FX_FAILURE;
|
||||||
@ -44,7 +44,7 @@ diff --color -ru a/sftp-server.c b/sftp-server.c
|
|||||||
|
|
||||||
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
|
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
|
||||||
(r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */
|
(r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */
|
||||||
@@ -692,6 +697,10 @@
|
@@ -692,6 +697,10 @@ process_open(u_int32_t id)
|
||||||
debug3("request %u: open flags %d", id, pflags);
|
debug3("request %u: open flags %d", id, pflags);
|
||||||
flags = flags_from_portable(pflags);
|
flags = flags_from_portable(pflags);
|
||||||
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
|
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
|
||||||
@ -55,7 +55,7 @@ diff --color -ru a/sftp-server.c b/sftp-server.c
|
|||||||
logit("open \"%s\" flags %s mode 0%o",
|
logit("open \"%s\" flags %s mode 0%o",
|
||||||
name, string_from_portable(pflags), mode);
|
name, string_from_portable(pflags), mode);
|
||||||
if (readonly &&
|
if (readonly &&
|
||||||
@@ -713,6 +722,8 @@
|
@@ -713,6 +722,8 @@ process_open(u_int32_t id)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -64,16 +64,16 @@ diff --color -ru a/sftp-server.c b/sftp-server.c
|
|||||||
if (status != SSH2_FX_OK)
|
if (status != SSH2_FX_OK)
|
||||||
send_status(id, status);
|
send_status(id, status);
|
||||||
free(name);
|
free(name);
|
||||||
@@ -1555,7 +1566,7 @@
|
@@ -1494,7 +1505,7 @@ sftp_server_usage(void)
|
||||||
fprintf(stderr,
|
fprintf(stderr,
|
||||||
"usage: %s [-ehR] [-d start_directory] [-f log_facility] "
|
"usage: %s [-ehR] [-d start_directory] [-f log_facility] "
|
||||||
"[-l log_level]\n\t[-P blacklisted_requests] "
|
"[-l log_level]\n\t[-P denied_requests] "
|
||||||
- "[-p whitelisted_requests] [-u umask]\n"
|
- "[-p allowed_requests] [-u umask]\n"
|
||||||
+ "[-p whitelisted_requests] [-u umask] [-m force_file_perms]\n"
|
+ "[-p allowed_requests] [-u umask] [-m force_file_perms]\n"
|
||||||
" %s -Q protocol_feature\n",
|
" %s -Q protocol_feature\n",
|
||||||
__progname, __progname);
|
__progname, __progname);
|
||||||
exit(1);
|
exit(1);
|
||||||
@@ -1581,7 +1592,7 @@
|
@@ -1520,7 +1531,7 @@ sftp_server_main(int argc, char **argv,
|
||||||
pw = pwcopy(user_pw);
|
pw = pwcopy(user_pw);
|
||||||
|
|
||||||
while (!skipargs && (ch = getopt(argc, argv,
|
while (!skipargs && (ch = getopt(argc, argv,
|
||||||
@ -82,7 +82,7 @@ diff --color -ru a/sftp-server.c b/sftp-server.c
|
|||||||
switch (ch) {
|
switch (ch) {
|
||||||
case 'Q':
|
case 'Q':
|
||||||
if (strcasecmp(optarg, "requests") != 0) {
|
if (strcasecmp(optarg, "requests") != 0) {
|
||||||
@@ -1643,6 +1654,15 @@
|
@@ -1580,6 +1591,15 @@ sftp_server_main(int argc, char **argv,
|
||||||
fatal("Invalid umask \"%s\"", optarg);
|
fatal("Invalid umask \"%s\"", optarg);
|
||||||
(void)umask((mode_t)mask);
|
(void)umask((mode_t)mask);
|
||||||
break;
|
break;
|
@ -3,8 +3,8 @@ diff -up openssh/servconf.c.sshdt openssh/servconf.c
|
|||||||
+++ openssh/servconf.c 2015-06-24 11:44:39.734745802 +0200
|
+++ openssh/servconf.c 2015-06-24 11:44:39.734745802 +0200
|
||||||
@@ -2317,7 +2317,7 @@ dump_config(ServerOptions *o)
|
@@ -2317,7 +2317,7 @@ dump_config(ServerOptions *o)
|
||||||
dump_cfg_string(sXAuthLocation, o->xauth_location);
|
dump_cfg_string(sXAuthLocation, o->xauth_location);
|
||||||
dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
|
dump_cfg_string(sCiphers, o->ciphers);
|
||||||
dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
|
dump_cfg_string(sMacs, o->macs);
|
||||||
- dump_cfg_string(sBanner, o->banner);
|
- dump_cfg_string(sBanner, o->banner);
|
||||||
+ dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none");
|
+ dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none");
|
||||||
dump_cfg_string(sForceCommand, o->adm_forced_command);
|
dump_cfg_string(sForceCommand, o->adm_forced_command);
|
@ -13,33 +13,33 @@ diff -up openssh-7.4p1/monitor_wrap.c.audit-race openssh-7.4p1/monitor_wrap.c
|
|||||||
+ struct sshbuf *m;
|
+ struct sshbuf *m;
|
||||||
+ int r, ret = 0;
|
+ int r, ret = 0;
|
||||||
+
|
+
|
||||||
+ debug3("%s: entering", __func__);
|
+ debug3_f("entering");
|
||||||
+ if ((m = sshbuf_new()) == NULL)
|
+ if ((m = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+ do {
|
+ do {
|
||||||
+ blen = atomicio(read, fdin, buf, sizeof(buf));
|
+ blen = atomicio(read, fdin, buf, sizeof(buf));
|
||||||
+ if (blen == 0) /* closed pipe */
|
+ if (blen == 0) /* closed pipe */
|
||||||
+ break;
|
+ break;
|
||||||
+ if (blen != sizeof(buf)) {
|
+ if (blen != sizeof(buf)) {
|
||||||
+ error("%s: Failed to read the buffer from child", __func__);
|
+ error_f("Failed to read the buffer from child");
|
||||||
+ ret = -1;
|
+ ret = -1;
|
||||||
+ break;
|
+ break;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ msg_len = get_u32(buf);
|
+ msg_len = get_u32(buf);
|
||||||
+ if (msg_len > 256 * 1024)
|
+ if (msg_len > 256 * 1024)
|
||||||
+ fatal("%s: read: bad msg_len %d", __func__, msg_len);
|
+ fatal_f("read: bad msg_len %d", msg_len);
|
||||||
+ sshbuf_reset(m);
|
+ sshbuf_reset(m);
|
||||||
+ if ((r = sshbuf_reserve(m, msg_len, NULL)) != 0)
|
+ if ((r = sshbuf_reserve(m, msg_len, NULL)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+ if (atomicio(read, fdin, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
|
+ if (atomicio(read, fdin, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
|
||||||
+ error("%s: Failed to read the the buffer content from the child", __func__);
|
+ error_f("Failed to read the the buffer content from the child");
|
||||||
+ ret = -1;
|
+ ret = -1;
|
||||||
+ break;
|
+ break;
|
||||||
+ }
|
+ }
|
||||||
+ if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen ||
|
+ if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen ||
|
||||||
+ atomicio(vwrite, pmonitor->m_recvfd, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
|
+ atomicio(vwrite, pmonitor->m_recvfd, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
|
||||||
+ error("%s: Failed to write the message to the monitor", __func__);
|
+ error_f("Failed to write the message to the monitor");
|
||||||
+ ret = -1;
|
+ ret = -1;
|
||||||
+ break;
|
+ break;
|
||||||
+ }
|
+ }
|
||||||
@ -109,7 +109,7 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
|
|||||||
@@ -717,6 +728,8 @@ do_exec(Session *s, const char *command)
|
@@ -717,6 +728,8 @@ do_exec(Session *s, const char *command)
|
||||||
}
|
}
|
||||||
if (s->command != NULL && s->ptyfd == -1)
|
if (s->command != NULL && s->ptyfd == -1)
|
||||||
s->command_handle = PRIVSEP(audit_run_command(ssh, s->command));
|
s->command_handle = mm_audit_run_command(ssh, s->command);
|
||||||
+ if (pipe(paudit) < 0)
|
+ if (pipe(paudit) < 0)
|
||||||
+ fatal("pipe: %s", strerror(errno));
|
+ fatal("pipe: %s", strerror(errno));
|
||||||
#endif
|
#endif
|
||||||
@ -121,7 +121,7 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
|
|||||||
|
|
||||||
+#ifdef SSH_AUDIT_EVENTS
|
+#ifdef SSH_AUDIT_EVENTS
|
||||||
+ close(paudit[1]);
|
+ close(paudit[1]);
|
||||||
+ if (use_privsep && ret == 0) {
|
+ if (ret == 0) {
|
||||||
+ /*
|
+ /*
|
||||||
+ * Read the audit messages from forked child and send them
|
+ * Read the audit messages from forked child and send them
|
||||||
+ * back to monitor. We don't want to communicate directly,
|
+ * back to monitor. We don't want to communicate directly,
|
||||||
@ -136,8 +136,8 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
|
|||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1538,6 +1565,34 @@ child_close_fds(void)
|
@@ -1538,6 +1565,33 @@ child_close_fds(void)
|
||||||
endpwent();
|
log_redirect_stderr_to(NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
+void
|
+void
|
||||||
@ -147,12 +147,11 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
|
|||||||
+ int pparent = paudit[1];
|
+ int pparent = paudit[1];
|
||||||
+ close(paudit[0]);
|
+ close(paudit[0]);
|
||||||
+ /* Hack the monitor pipe to avoid race condition with parent */
|
+ /* Hack the monitor pipe to avoid race condition with parent */
|
||||||
+ if (use_privsep)
|
+ mm_set_monitor_pipe(pparent);
|
||||||
+ mm_set_monitor_pipe(pparent);
|
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
+ /* remove hostkey from the child's memory */
|
+ /* remove hostkey from the child's memory */
|
||||||
+ destroy_sensitive_data(ssh, use_privsep);
|
+ destroy_sensitive_data(ssh);
|
||||||
+ /*
|
+ /*
|
||||||
+ * We can audit this, because we hacked the pipe to direct the
|
+ * We can audit this, because we hacked the pipe to direct the
|
||||||
+ * messages over postauth child. But this message requires answer
|
+ * messages over postauth child. But this message requires answer
|
||||||
@ -176,7 +175,7 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
|
|||||||
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
|
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
|
||||||
|
|
||||||
- /* remove hostkey from the child's memory */
|
- /* remove hostkey from the child's memory */
|
||||||
- destroy_sensitive_data(ssh, 1);
|
- destroy_sensitive_data(ssh);
|
||||||
- ssh_packet_clear_keys(ssh);
|
- ssh_packet_clear_keys(ssh);
|
||||||
- /* Don't audit this - both us and the parent would be talking to the
|
- /* Don't audit this - both us and the parent would be talking to the
|
||||||
- monitor over a single socket, with no synchronization. */
|
- monitor over a single socket, with no synchronization. */
|
@ -28,14 +28,15 @@ diff --git a/auth.h b/auth.h
|
|||||||
index f9d191c..c432d2f 100644
|
index f9d191c..c432d2f 100644
|
||||||
--- a/auth.h
|
--- a/auth.h
|
||||||
+++ b/auth.h
|
+++ b/auth.h
|
||||||
@@ -222,5 +222,7 @@ int sys_auth_passwd(Authctxt *, const char *);
|
@@ -222,6 +222,8 @@ int sys_auth_passwd(Authctxt *, const char *);
|
||||||
|
|
||||||
#if defined(KRB5) && !defined(HEIMDAL)
|
#if defined(KRB5) && !defined(HEIMDAL)
|
||||||
#include <krb5.h>
|
|
||||||
krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *);
|
krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *);
|
||||||
+krb5_error_code ssh_krb5_get_k5login_directory(krb5_context ctx,
|
+krb5_error_code ssh_krb5_get_k5login_directory(krb5_context ctx,
|
||||||
+ char **k5login_directory);
|
+ char **k5login_directory);
|
||||||
#endif
|
#endif
|
||||||
#endif
|
|
||||||
|
#endif /* AUTH_H */
|
||||||
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
|
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
|
||||||
index a7c0c5f..df8cc9a 100644
|
index a7c0c5f..df8cc9a 100644
|
||||||
--- a/gss-serv-krb5.c
|
--- a/gss-serv-krb5.c
|
||||||
@ -48,7 +49,7 @@ index a7c0c5f..df8cc9a 100644
|
|||||||
+ int ret = 0;
|
+ int ret = 0;
|
||||||
+
|
+
|
||||||
+ ret = ssh_krb5_get_k5login_directory(krb_context, &k5login_directory);
|
+ ret = ssh_krb5_get_k5login_directory(krb_context, &k5login_directory);
|
||||||
+ debug3("%s: k5login_directory = %s (rv=%d)", __func__, k5login_directory, ret);
|
+ debug3_f("k5login_directory = %s (rv=%d)", k5login_directory, ret);
|
||||||
+ if (k5login_directory == NULL || ret != 0) {
|
+ if (k5login_directory == NULL || ret != 0) {
|
||||||
+ /* If not set, the library will look for k5login
|
+ /* If not set, the library will look for k5login
|
||||||
+ * files in the user's home directory, with the filename .k5login.
|
+ * files in the user's home directory, with the filename .k5login.
|
||||||
@ -63,7 +64,7 @@ index a7c0c5f..df8cc9a 100644
|
|||||||
+ k5login_directory[strlen(k5login_directory)-1] != '/' ? "/" : "",
|
+ k5login_directory[strlen(k5login_directory)-1] != '/' ? "/" : "",
|
||||||
+ pw->pw_name);
|
+ pw->pw_name);
|
||||||
+ }
|
+ }
|
||||||
+ debug("%s: Checking existence of file %s", __func__, file);
|
+ debug_f("Checking existence of file %s", file);
|
||||||
|
|
||||||
- snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
|
- snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
|
||||||
return access(file, F_OK) == 0;
|
return access(file, F_OK) == 0;
|
@ -48,5 +48,5 @@ Author: Harald Freudenberger <freude@de.ibm.com>
|
|||||||
+#endif
|
+#endif
|
||||||
}
|
}
|
||||||
(void) closedir(dirp);
|
(void) closedir(dirp);
|
||||||
} else
|
return;
|
||||||
|
|
@ -1,21 +1,23 @@
|
|||||||
diff -up openssh-7.2p2/channels.c.x11 openssh-7.2p2/channels.c
|
diff --git a/channels.c b/channels.c
|
||||||
--- openssh-7.2p2/channels.c.x11 2016-03-09 19:04:48.000000000 +0100
|
--- a/channels.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
|
||||||
+++ openssh-7.2p2/channels.c 2016-06-03 10:42:04.775164520 +0200
|
+++ b/channels.c (date 1703026069921)
|
||||||
@@ -3990,21 +3990,24 @@ x11_create_display_inet(int x11_display_
|
@@ -5075,11 +5075,13 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
-connect_local_xsocket_path(const char *pathname)
|
-connect_local_xsocket_path(const char *pathname)
|
||||||
+connect_local_xsocket_path(const char *pathname, int len)
|
+connect_local_xsocket_path(const char *pathname, int len)
|
||||||
{
|
{
|
||||||
int sock;
|
int sock;
|
||||||
struct sockaddr_un addr;
|
struct sockaddr_un addr;
|
||||||
|
|
||||||
+ if (len <= 0)
|
+ if (len <= 0)
|
||||||
+ return -1;
|
+ return -1;
|
||||||
sock = socket(AF_UNIX, SOCK_STREAM, 0);
|
sock = socket(AF_UNIX, SOCK_STREAM, 0);
|
||||||
if (sock < 0)
|
if (sock == -1) {
|
||||||
error("socket: %.100s", strerror(errno));
|
error("socket: %.100s", strerror(errno));
|
||||||
|
@@ -5087,11 +5089,12 @@
|
||||||
|
}
|
||||||
memset(&addr, 0, sizeof(addr));
|
memset(&addr, 0, sizeof(addr));
|
||||||
addr.sun_family = AF_UNIX;
|
addr.sun_family = AF_UNIX;
|
||||||
- strlcpy(addr.sun_path, pathname, sizeof addr.sun_path);
|
- strlcpy(addr.sun_path, pathname, sizeof addr.sun_path);
|
||||||
@ -29,8 +31,8 @@ diff -up openssh-7.2p2/channels.c.x11 openssh-7.2p2/channels.c
|
|||||||
- error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
|
- error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -4012,8 +4015,18 @@ static int
|
@@ -5099,8 +5102,18 @@
|
||||||
connect_local_xsocket(u_int dnr)
|
connect_local_xsocket(u_int dnr)
|
||||||
{
|
{
|
||||||
char buf[1024];
|
char buf[1024];
|
@ -2,7 +2,7 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
|
|||||||
--- openssh-7.4p1/channels.c.x11max 2016-12-23 15:46:32.071506625 +0100
|
--- openssh-7.4p1/channels.c.x11max 2016-12-23 15:46:32.071506625 +0100
|
||||||
+++ openssh-7.4p1/channels.c 2016-12-23 15:46:32.139506636 +0100
|
+++ openssh-7.4p1/channels.c 2016-12-23 15:46:32.139506636 +0100
|
||||||
@@ -152,8 +152,8 @@ static int all_opens_permitted = 0;
|
@@ -152,8 +152,8 @@ static int all_opens_permitted = 0;
|
||||||
#define FWD_PERMIT_ANY_HOST "*"
|
#define NUM_SOCKS 10
|
||||||
|
|
||||||
/* -- X11 forwarding */
|
/* -- X11 forwarding */
|
||||||
-/* Maximum number of fake X11 displays to try. */
|
-/* Maximum number of fake X11 displays to try. */
|
||||||
@ -10,8 +10,8 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
|
|||||||
+/* Minimum port number for X11 forwarding */
|
+/* Minimum port number for X11 forwarding */
|
||||||
+#define X11_PORT_MIN 6000
|
+#define X11_PORT_MIN 6000
|
||||||
|
|
||||||
/* Per-channel callback for pre/post select() actions */
|
/* Per-channel callback for pre/post IO actions */
|
||||||
typedef void chan_fn(struct ssh *, Channel *c,
|
typedef void chan_fn(struct ssh *, Channel *c);
|
||||||
@@ -4228,7 +4228,7 @@ channel_send_window_changes(void)
|
@@ -4228,7 +4228,7 @@ channel_send_window_changes(void)
|
||||||
*/
|
*/
|
||||||
int
|
int
|
||||||
@ -59,7 +59,7 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
|
|||||||
ssh_gai_strerror(gaierr));
|
ssh_gai_strerror(gaierr));
|
||||||
@@ -4457,7 +4463,7 @@ x11_connect_display(void)
|
@@ -4457,7 +4463,7 @@ x11_connect_display(void)
|
||||||
/* Connect it to the display. */
|
/* Connect it to the display. */
|
||||||
if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
|
if (connect(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
|
||||||
debug2("connect %.100s port %u: %.100s", buf,
|
debug2("connect %.100s port %u: %.100s", buf,
|
||||||
- 6000 + display_number, strerror(errno));
|
- 6000 + display_number, strerror(errno));
|
||||||
+ X11_PORT_MIN + display_number, strerror(errno));
|
+ X11_PORT_MIN + display_number, strerror(errno));
|
||||||
@ -82,7 +82,7 @@ diff -up openssh-7.4p1/channels.h.x11max openssh-7.4p1/channels.h
|
|||||||
+++ openssh-7.4p1/channels.h 2016-12-23 15:46:32.139506636 +0100
|
+++ openssh-7.4p1/channels.h 2016-12-23 15:46:32.139506636 +0100
|
||||||
@@ -293,7 +293,7 @@ int permitopen_port(const char *);
|
@@ -293,7 +293,7 @@ int permitopen_port(const char *);
|
||||||
|
|
||||||
void channel_set_x11_refuse_time(struct ssh *, u_int);
|
void channel_set_x11_refuse_time(struct ssh *, time_t);
|
||||||
int x11_connect_display(struct ssh *);
|
int x11_connect_display(struct ssh *);
|
||||||
-int x11_create_display_inet(struct ssh *, int, int, int, u_int *, int **);
|
-int x11_create_display_inet(struct ssh *, int, int, int, u_int *, int **);
|
||||||
+int x11_create_display_inet(struct ssh *, int, int, int, int, u_int *, int **);
|
+int x11_create_display_inet(struct ssh *, int, int, int, int, u_int *, int **);
|
||||||
@ -110,9 +110,9 @@ diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
|
|||||||
options->x11_use_localhost = 1;
|
options->x11_use_localhost = 1;
|
||||||
if (options->xauth_location == NULL)
|
if (options->xauth_location == NULL)
|
||||||
@@ -419,7 +422,7 @@ typedef enum {
|
@@ -419,7 +422,7 @@ typedef enum {
|
||||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok, sPasswordAuthentication,
|
||||||
sListenAddress, sAddressFamily,
|
sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
|
||||||
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
|
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
|
||||||
- sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
|
- sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
|
||||||
+ sX11Forwarding, sX11DisplayOffset, sX11MaxDisplays, sX11UseLocalhost,
|
+ sX11Forwarding, sX11DisplayOffset, sX11MaxDisplays, sX11UseLocalhost,
|
||||||
sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
|
sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
|
||||||
@ -191,13 +191,13 @@ diff -up openssh-7.4p1/sshd_config.5.x11max openssh-7.4p1/sshd_config.5
|
|||||||
--- openssh-7.4p1/sshd_config.5.x11max 2016-12-23 15:46:32.134506635 +0100
|
--- openssh-7.4p1/sshd_config.5.x11max 2016-12-23 15:46:32.134506635 +0100
|
||||||
+++ openssh-7.4p1/sshd_config.5 2016-12-23 15:46:32.141506636 +0100
|
+++ openssh-7.4p1/sshd_config.5 2016-12-23 15:46:32.141506636 +0100
|
||||||
@@ -1133,6 +1133,7 @@ Available keywords are
|
@@ -1133,6 +1133,7 @@ Available keywords are
|
||||||
.Cm StreamLocalBindUnlink ,
|
|
||||||
.Cm TrustedUserCAKeys ,
|
.Cm TrustedUserCAKeys ,
|
||||||
|
.Cm UnusedConnectionTimeout ,
|
||||||
.Cm X11DisplayOffset ,
|
.Cm X11DisplayOffset ,
|
||||||
+.Cm X11MaxDisplays ,
|
+.Cm X11MaxDisplays ,
|
||||||
.Cm X11Forwarding
|
.Cm X11Forwarding
|
||||||
and
|
and
|
||||||
.Cm X11UseLocalHost .
|
.Cm X11UseLocalhost .
|
||||||
@@ -1566,6 +1567,12 @@ Specifies the first display number avail
|
@@ -1566,6 +1567,12 @@ Specifies the first display number avail
|
||||||
X11 forwarding.
|
X11 forwarding.
|
||||||
This prevents sshd from interfering with real X11 servers.
|
This prevents sshd from interfering with real X11 servers.
|
@ -21,7 +21,7 @@ index ca75cc7..6e7de31 100644
|
|||||||
+ SC_ALLOW(__NR_flock),
|
+ SC_ALLOW(__NR_flock),
|
||||||
+#endif
|
+#endif
|
||||||
#ifdef __NR_futex
|
#ifdef __NR_futex
|
||||||
SC_ALLOW(__NR_futex),
|
SC_FUTEX(__NR_futex),
|
||||||
#endif
|
#endif
|
||||||
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
|
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
|
||||||
#ifdef __NR_gettimeofday
|
#ifdef __NR_gettimeofday
|
||||||
@ -69,29 +69,6 @@ index 6e7de31..e86aa2c 100644
|
|||||||
SC_ALLOW(__NR_getrandom),
|
SC_ALLOW(__NR_getrandom),
|
||||||
#endif
|
#endif
|
||||||
-- 1.9.1
|
-- 1.9.1
|
||||||
|
|
||||||
The EP11 crypto card needs to make an ioctl call, which receives an
|
|
||||||
specific argument. This crypto card is for s390 only.
|
|
||||||
|
|
||||||
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
|
|
||||||
---
|
|
||||||
sandbox-seccomp-filter.c | 2 ++
|
|
||||||
1 file changed, 2 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
|
||||||
index e86aa2c..98062f1 100644
|
|
||||||
--- a/sandbox-seccomp-filter.c
|
|
||||||
+++ b/sandbox-seccomp-filter.c
|
|
||||||
@@ -250,6 +250,8 @@ static const struct sock_filter preauth_insns[] = {
|
|
||||||
SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
|
|
||||||
SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
|
|
||||||
SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
|
|
||||||
+ /* Allow ioctls for EP11 crypto card on s390 */
|
|
||||||
+ SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
|
|
||||||
#endif
|
|
||||||
#if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
|
|
||||||
/*
|
|
||||||
--
|
|
||||||
1.9.1
|
1.9.1
|
||||||
diff -up openssh-7.6p1/sandbox-seccomp-filter.c.sandbox openssh-7.6p1/sandbox-seccomp-filter.c
|
diff -up openssh-7.6p1/sandbox-seccomp-filter.c.sandbox openssh-7.6p1/sandbox-seccomp-filter.c
|
||||||
--- openssh-7.6p1/sandbox-seccomp-filter.c.sandbox 2017-12-12 13:59:30.563874059 +0100
|
--- openssh-7.6p1/sandbox-seccomp-filter.c.sandbox 2017-12-12 13:59:30.563874059 +0100
|
||||||
@ -107,40 +84,3 @@ diff -up openssh-7.6p1/sandbox-seccomp-filter.c.sandbox openssh-7.6p1/sandbox-se
|
|||||||
SC_ALLOW(__NR_getrandom),
|
SC_ALLOW(__NR_getrandom),
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|
||||||
From ef34ea4521b042dd8a9c4c7455f5d1a8f8ee5bb2 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Harald Freudenberger <freude@linux.ibm.com>
|
|
||||||
Date: Fri, 24 May 2019 10:11:15 +0200
|
|
||||||
Subject: [PATCH] allow s390 specific ioctl for ecc hardware support
|
|
||||||
|
|
||||||
Adding another s390 specific ioctl to be able to support ECC hardware acceleration
|
|
||||||
to the sandbox seccomp filter rules.
|
|
||||||
|
|
||||||
Now the ibmca openssl engine provides elliptic curve cryptography support with the
|
|
||||||
help of libica and CCA crypto cards. This is done via jet another ioctl call to the zcrypt
|
|
||||||
device driver and so there is a need to enable this on the openssl sandbox.
|
|
||||||
|
|
||||||
Code is s390 specific and has been tested, verified and reviewed.
|
|
||||||
|
|
||||||
Please note that I am also the originator of the previous changes in that area.
|
|
||||||
I posted these changes to Eduardo and he forwarded the patches to the openssl
|
|
||||||
community.
|
|
||||||
|
|
||||||
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
|
|
||||||
Reviewed-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
|
||||||
---
|
|
||||||
sandbox-seccomp-filter.c | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
|
||||||
index 5edbc6946..56eb9317f 100644
|
|
||||||
--- a/sandbox-seccomp-filter.c
|
|
||||||
+++ b/sandbox-seccomp-filter.c
|
|
||||||
@@ -252,6 +252,7 @@ static const struct sock_filter preauth_insns[] = {
|
|
||||||
SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
|
|
||||||
/* Allow ioctls for EP11 crypto card on s390 */
|
|
||||||
SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
|
|
||||||
+ SC_ALLOW_ARG(__NR_ioctl, 1, ZSECSENDCPRB),
|
|
||||||
#endif
|
|
||||||
#if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
|
|
||||||
/*
|
|
File diff suppressed because it is too large
Load Diff
@ -1,70 +1,69 @@
|
|||||||
diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
|
diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
|
||||||
--- openssh/auth2-pubkey.c.refactor 2019-04-04 13:19:12.188821236 +0200
|
--- openssh/auth2-pubkey.c.refactor 2019-04-04 13:19:12.188821236 +0200
|
||||||
+++ openssh/auth2-pubkey.c 2019-04-04 13:19:12.276822078 +0200
|
+++ openssh/auth2-pubkey.c 2019-04-04 13:19:12.276822078 +0200
|
||||||
@@ -72,6 +72,9 @@
|
@@ -72,6 +72,8 @@
|
||||||
|
|
||||||
|
/* import */
|
||||||
extern ServerOptions options;
|
extern ServerOptions options;
|
||||||
extern u_char *session_id2;
|
|
||||||
extern u_int session_id2_len;
|
|
||||||
+extern int inetd_flag;
|
+extern int inetd_flag;
|
||||||
+extern int rexeced_flag;
|
|
||||||
+extern Authctxt *the_authctxt;
|
+extern Authctxt *the_authctxt;
|
||||||
|
extern struct authmethod_cfg methodcfg_pubkey;
|
||||||
|
|
||||||
static char *
|
static char *
|
||||||
format_key(const struct sshkey *key)
|
|
||||||
@@ -511,7 +514,8 @@ match_principals_command(struct ssh *ssh
|
@@ -511,7 +514,8 @@ match_principals_command(struct ssh *ssh
|
||||||
|
if ((pid = subprocess("AuthorizedPrincipalsCommand", command,
|
||||||
if ((pid = subprocess("AuthorizedPrincipalsCommand", runas_pw, command,
|
|
||||||
ac, av, &f,
|
ac, av, &f,
|
||||||
- SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
|
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
||||||
+ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
- runas_pw, temporarily_use_uid, restore_uid)) == 0)
|
||||||
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
|
+ runas_pw, temporarily_use_uid, restore_uid,
|
||||||
|
+ inetd_flag, the_authctxt)) == 0)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
uid_swapped = 1;
|
uid_swapped = 1;
|
||||||
@@ -981,7 +985,8 @@ user_key_command_allowed2(struct ssh *ss
|
@@ -981,7 +985,8 @@ user_key_command_allowed2(struct ssh *ss
|
||||||
|
if ((pid = subprocess("AuthorizedKeysCommand", command,
|
||||||
if ((pid = subprocess("AuthorizedKeysCommand", runas_pw, command,
|
|
||||||
ac, av, &f,
|
ac, av, &f,
|
||||||
- SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
|
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
||||||
+ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
- runas_pw, temporarily_use_uid, restore_uid)) == 0)
|
||||||
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
|
+ runas_pw, temporarily_use_uid, restore_uid,
|
||||||
|
+ inetd_flag, the_authctxt)) == 0)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
uid_swapped = 1;
|
uid_swapped = 1;
|
||||||
diff -up openssh/auth.c.refactor openssh/auth.c
|
diff -up openssh/misc.c.refactor openssh/misc.c
|
||||||
--- openssh/auth.c.refactor 2019-04-04 13:19:12.235821686 +0200
|
--- openssh/misc.c.refactor 2019-04-04 13:19:12.235821686 +0200
|
||||||
+++ openssh/auth.c 2019-04-04 13:19:12.276822078 +0200
|
+++ openssh/misc.c 2019-04-04 13:19:12.276822078 +0200
|
||||||
@@ -756,7 +756,8 @@ auth_get_canonical_hostname(struct ssh *
|
@@ -756,7 +756,8 @@ auth_get_canonical_hostname(struct ssh *
|
||||||
*/
|
|
||||||
pid_t
|
pid_t
|
||||||
subprocess(const char *tag, struct passwd *pw, const char *command,
|
subprocess(const char *tag, const char *command,
|
||||||
- int ac, char **av, FILE **child, u_int flags)
|
int ac, char **av, FILE **child, u_int flags,
|
||||||
+ int ac, char **av, FILE **child, u_int flags, int inetd,
|
- struct passwd *pw, privdrop_fn *drop_privs, privrestore_fn *restore_privs)
|
||||||
+ void *the_authctxt)
|
+ struct passwd *pw, privdrop_fn *drop_privs,
|
||||||
|
+ privrestore_fn *restore_privs, int inetd, void *the_authctxt)
|
||||||
{
|
{
|
||||||
FILE *f = NULL;
|
FILE *f = NULL;
|
||||||
struct stat st;
|
struct stat st;
|
||||||
@@ -872,7 +873,7 @@ subprocess(const char *tag, struct passw
|
@@ -872,7 +873,7 @@ subprocess(const char *tag, struct passw
|
||||||
|
_exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef WITH_SELINUX
|
#ifdef WITH_SELINUX
|
||||||
- if (sshd_selinux_setup_env_variables() < 0) {
|
- if (sshd_selinux_setup_env_variables() < 0) {
|
||||||
+ if (sshd_selinux_setup_env_variables(inetd, the_authctxt) < 0) {
|
+ if (sshd_selinux_setup_env_variables(inetd, the_authctxt) < 0) {
|
||||||
error ("failed to copy environment: %s",
|
error ("failed to copy environment: %s",
|
||||||
strerror(errno));
|
strerror(errno));
|
||||||
_exit(127);
|
_exit(127);
|
||||||
diff -up openssh/auth.h.refactor openssh/auth.h
|
diff -up openssh/misc.h.refactor openssh/misc.h
|
||||||
--- openssh/auth.h.refactor 2019-04-04 13:19:12.251821839 +0200
|
--- openssh/misc.h.refactor 2019-04-04 13:19:12.251821839 +0200
|
||||||
+++ openssh/auth.h 2019-04-04 13:19:12.276822078 +0200
|
+++ openssh/misc.h 2019-04-04 13:19:12.276822078 +0200
|
||||||
@@ -235,7 +235,7 @@ struct passwd *fakepw(void);
|
@@ -235,7 +235,7 @@ struct passwd *fakepw(void);
|
||||||
#define SSH_SUBPROCESS_STDOUT_CAPTURE (1<<1) /* Redirect stdout */
|
#define SSH_SUBPROCESS_UNSAFE_PATH (1<<3) /* Don't check for safe cmd */
|
||||||
#define SSH_SUBPROCESS_STDERR_DISCARD (1<<2) /* Discard stderr */
|
#define SSH_SUBPROCESS_PRESERVE_ENV (1<<4) /* Keep parent environment */
|
||||||
pid_t subprocess(const char *, struct passwd *,
|
pid_t subprocess(const char *, const char *, int, char **, FILE **, u_int,
|
||||||
- const char *, int, char **, FILE **, u_int flags);
|
- struct passwd *, privdrop_fn *, privrestore_fn *);
|
||||||
+ const char *, int, char **, FILE **, u_int flags, int, void *);
|
+ struct passwd *, privdrop_fn *, privrestore_fn *, int, void *);
|
||||||
|
|
||||||
int sys_auth_passwd(struct ssh *, const char *);
|
|
||||||
|
|
||||||
|
typedef struct arglist arglist;
|
||||||
|
struct arglist {
|
||||||
diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/port-linux.h
|
diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/port-linux.h
|
||||||
--- openssh/openbsd-compat/port-linux.h.refactor 2019-04-04 13:19:12.256821887 +0200
|
--- openssh/openbsd-compat/port-linux.h.refactor 2019-04-04 13:19:12.256821887 +0200
|
||||||
+++ openssh/openbsd-compat/port-linux.h 2019-04-04 13:19:12.276822078 +0200
|
+++ openssh/openbsd-compat/port-linux.h 2019-04-04 13:19:12.276822078 +0200
|
||||||
@ -82,14 +81,13 @@ diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/por
|
|||||||
diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compat/port-linux-sshd.c
|
diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compat/port-linux-sshd.c
|
||||||
--- openssh/openbsd-compat/port-linux-sshd.c.refactor 2019-04-04 13:19:12.256821887 +0200
|
--- openssh/openbsd-compat/port-linux-sshd.c.refactor 2019-04-04 13:19:12.256821887 +0200
|
||||||
+++ openssh/openbsd-compat/port-linux-sshd.c 2019-04-04 13:19:12.276822078 +0200
|
+++ openssh/openbsd-compat/port-linux-sshd.c 2019-04-04 13:19:12.276822078 +0200
|
||||||
@@ -49,11 +49,6 @@
|
@@ -49,10 +49,6 @@
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
-extern ServerOptions options;
|
-extern ServerOptions options;
|
||||||
-extern Authctxt *the_authctxt;
|
-extern Authctxt *the_authctxt;
|
||||||
-extern int inetd_flag;
|
-extern int inetd_flag;
|
||||||
-extern int rexeced_flag;
|
|
||||||
-
|
-
|
||||||
/* Wrapper around is_selinux_enabled() to log its return value once only */
|
/* Wrapper around is_selinux_enabled() to log its return value once only */
|
||||||
int
|
int
|
||||||
@ -128,7 +126,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
|
|||||||
|
|
||||||
if (r == 0) {
|
if (r == 0) {
|
||||||
/* If launched from xinetd, we must use current level */
|
/* If launched from xinetd, we must use current level */
|
||||||
- if (inetd_flag && !rexeced_flag) {
|
- if (inetd_flag) {
|
||||||
+ if (inetd) {
|
+ if (inetd) {
|
||||||
security_context_t sshdsc=NULL;
|
security_context_t sshdsc=NULL;
|
||||||
|
|
||||||
@ -145,14 +143,14 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
|
|||||||
char *role;
|
char *role;
|
||||||
@@ -342,11 +339,11 @@ sshd_selinux_setup_variables(int(*set_it
|
@@ -342,11 +339,11 @@ sshd_selinux_setup_variables(int(*set_it
|
||||||
|
|
||||||
debug3("%s: setting execution context", __func__);
|
debug3_f("setting execution context");
|
||||||
|
|
||||||
- ssh_selinux_get_role_level(&role, &reqlvl);
|
- ssh_selinux_get_role_level(&role, &reqlvl);
|
||||||
+ ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
|
+ ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
|
||||||
|
|
||||||
rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
|
rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
|
||||||
|
|
||||||
- if (inetd_flag && !rexeced_flag) {
|
- if (inetd_flag) {
|
||||||
+ if (inetd) {
|
+ if (inetd) {
|
||||||
use_current = "1";
|
use_current = "1";
|
||||||
} else {
|
} else {
|
||||||
@ -203,10 +201,10 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
|
|||||||
+ if (sshd_selinux_setup_pam_variables(inetd, pam_setenv, authctxt)) {
|
+ if (sshd_selinux_setup_pam_variables(inetd, pam_setenv, authctxt)) {
|
||||||
switch (security_getenforce()) {
|
switch (security_getenforce()) {
|
||||||
case -1:
|
case -1:
|
||||||
fatal("%s: security_getenforce() failed", __func__);
|
fatal_f("security_getenforce() failed");
|
||||||
@@ -410,7 +411,7 @@ sshd_selinux_setup_exec_context(char *pw
|
@@ -410,7 +411,7 @@ sshd_selinux_setup_exec_context(char *pw
|
||||||
|
|
||||||
debug3("%s: setting execution context", __func__);
|
debug3_f("setting execution context");
|
||||||
|
|
||||||
- r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
|
- r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
|
||||||
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx, inetd, authctxt);
|
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx, inetd, authctxt);
|
||||||
@ -216,56 +214,58 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
|
|||||||
diff -up openssh/platform.c.refactor openssh/platform.c
|
diff -up openssh/platform.c.refactor openssh/platform.c
|
||||||
--- openssh/platform.c.refactor 2019-04-04 13:19:12.204821389 +0200
|
--- openssh/platform.c.refactor 2019-04-04 13:19:12.204821389 +0200
|
||||||
+++ openssh/platform.c 2019-04-04 13:19:12.277822088 +0200
|
+++ openssh/platform.c 2019-04-04 13:19:12.277822088 +0200
|
||||||
@@ -32,6 +32,9 @@
|
@@ -32,6 +32,8 @@
|
||||||
|
#include "openbsd-compat/openbsd-compat.h"
|
||||||
|
|
||||||
extern int use_privsep;
|
|
||||||
extern ServerOptions options;
|
extern ServerOptions options;
|
||||||
+extern int inetd_flag;
|
+extern int inetd_flag;
|
||||||
+extern int rexeced_flag;
|
|
||||||
+extern Authctxt *the_authctxt;
|
+extern Authctxt *the_authctxt;
|
||||||
|
|
||||||
void
|
/* return 1 if we are running with privilege to swap UIDs, 0 otherwise */
|
||||||
platform_pre_listen(void)
|
int
|
||||||
@@ -183,7 +186,9 @@ platform_setusercontext_post_groups(stru
|
@@ -183,7 +186,9 @@ platform_setusercontext_post_groups(stru
|
||||||
}
|
}
|
||||||
#endif /* HAVE_SETPCRED */
|
#endif /* HAVE_SETPCRED */
|
||||||
#ifdef WITH_SELINUX
|
#ifdef WITH_SELINUX
|
||||||
- sshd_selinux_setup_exec_context(pw->pw_name);
|
- sshd_selinux_setup_exec_context(pw->pw_name);
|
||||||
+ sshd_selinux_setup_exec_context(pw->pw_name,
|
+ sshd_selinux_setup_exec_context(pw->pw_name,
|
||||||
+ (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt,
|
+ inetd_flag, do_pam_putenv, the_authctxt,
|
||||||
+ options.use_pam);
|
+ options.use_pam);
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
diff -up openssh/sshd.c.refactor openssh/sshd.c
|
diff -up openssh/sshd-session.c.refactor openssh/sshd-session.c
|
||||||
--- openssh/sshd.c.refactor 2019-04-04 13:19:12.275822068 +0200
|
--- openssh/sshd-session.c.refactor 2019-04-04 13:19:12.275822068 +0200
|
||||||
+++ openssh/sshd.c 2019-04-04 13:19:51.270195262 +0200
|
+++ openssh/sshd-session.c 2019-04-04 13:19:51.270195262 +0200
|
||||||
@@ -158,7 +158,7 @@ int debug_flag = 0;
|
@@ -158,7 +158,7 @@ int debug_flag = 0;
|
||||||
static int test_flag = 0;
|
int debug_flag = 0;
|
||||||
|
|
||||||
/* Flag indicating that the daemon is being started from inetd. */
|
/* Flag indicating that the daemon is being started from inetd. */
|
||||||
-static int inetd_flag = 0;
|
-static int inetd_flag = 0;
|
||||||
+int inetd_flag = 0;
|
+int inetd_flag = 0;
|
||||||
|
|
||||||
/* Flag indicating that sshd should not detach and become a daemon. */
|
/* debug goes to stderr unless inetd_flag is set */
|
||||||
static int no_daemon_flag = 0;
|
static int log_stderr = 0;
|
||||||
@@ -171,7 +171,7 @@ static char **saved_argv;
|
|
||||||
static int saved_argc;
|
|
||||||
|
|
||||||
/* re-exec */
|
|
||||||
-static int rexeced_flag = 0;
|
|
||||||
+int rexeced_flag = 0;
|
|
||||||
static int rexec_flag = 1;
|
|
||||||
static int rexec_argc = 0;
|
|
||||||
static char **rexec_argv;
|
|
||||||
@@ -2192,7 +2192,9 @@ main(int ac, char **av)
|
@@ -2192,7 +2192,9 @@ main(int ac, char **av)
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
#ifdef WITH_SELINUX
|
#ifdef WITH_SELINUX
|
||||||
- sshd_selinux_setup_exec_context(authctxt->pw->pw_name);
|
- sshd_selinux_setup_exec_context(authctxt->pw->pw_name);
|
||||||
+ sshd_selinux_setup_exec_context(authctxt->pw->pw_name,
|
+ sshd_selinux_setup_exec_context(authctxt->pw->pw_name,
|
||||||
+ (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt,
|
+ inetd_flag, do_pam_putenv, the_authctxt,
|
||||||
+ options.use_pam);
|
+ options.use_pam);
|
||||||
#endif
|
#endif
|
||||||
#ifdef USE_PAM
|
#ifdef USE_PAM
|
||||||
if (options.use_pam) {
|
if (options.use_pam) {
|
||||||
|
diff -up openssh/sshconnect.c.refactor openssh/sshconnect.c
|
||||||
|
--- openssh/sshconnect.c.refactor 2021-02-24 00:12:03.065325046 +0100
|
||||||
|
+++ openssh/sshconnect.c 2021-02-24 00:12:12.126449544 +0100
|
||||||
|
@@ -892,7 +892,7 @@ load_hostkeys_command(struct hostkeys *h
|
||||||
|
|
||||||
|
if ((pid = subprocess(tag, command, ac, av, &f,
|
||||||
|
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_UNSAFE_PATH|
|
||||||
|
- SSH_SUBPROCESS_PRESERVE_ENV, NULL, NULL, NULL)) == 0)
|
||||||
|
+ SSH_SUBPROCESS_PRESERVE_ENV, NULL, NULL, NULL, 0, NULL)) == 0)
|
||||||
|
goto out;
|
||||||
|
|
||||||
|
load_hostkeys_file(hostkeys, hostfile_hostname, tag, f, 1);
|
766
openssh-7.7p1-fips.patch
Normal file
766
openssh-7.7p1-fips.patch
Normal file
@ -0,0 +1,766 @@
|
|||||||
|
diff -up openssh-8.6p1/dh.c.fips openssh-8.6p1/dh.c
|
||||||
|
--- openssh-8.6p1/dh.c.fips 2021-04-16 05:55:25.000000000 +0200
|
||||||
|
+++ openssh-8.6p1/dh.c 2021-05-06 12:12:10.107634472 +0200
|
||||||
|
@@ -36,6 +36,7 @@
|
||||||
|
|
||||||
|
#include <openssl/bn.h>
|
||||||
|
#include <openssl/dh.h>
|
||||||
|
+#include <openssl/fips.h>
|
||||||
|
|
||||||
|
#include "dh.h"
|
||||||
|
#include "pathnames.h"
|
||||||
|
@@ -164,6 +164,12 @@ choose_dh(int min, int wantbits, int max
|
||||||
|
int best, bestcount, which, linenum;
|
||||||
|
struct dhgroup dhg;
|
||||||
|
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ verbose("Using arbitrary primes is not allowed in FIPS mode."
|
||||||
|
+ " Falling back to known groups.");
|
||||||
|
+ return (dh_new_group_fallback(max));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if ((f = fopen(get_moduli_filename(), "r")) == NULL) {
|
||||||
|
logit("WARNING: could not open %s (%s), using fixed modulus",
|
||||||
|
get_moduli_filename(), strerror(errno));
|
||||||
|
@@ -502,4 +508,38 @@ dh_estimate(int bits)
|
||||||
|
return 8192;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * Compares the received DH parameters with known-good groups,
|
||||||
|
+ * which might be either from group14, group16 or group18.
|
||||||
|
+ */
|
||||||
|
+int
|
||||||
|
+dh_is_known_group(const DH *dh)
|
||||||
|
+{
|
||||||
|
+ const BIGNUM *p, *g;
|
||||||
|
+ const BIGNUM *known_p, *known_g;
|
||||||
|
+ DH *known = NULL;
|
||||||
|
+ int bits = 0, rv = 0;
|
||||||
|
+
|
||||||
|
+ DH_get0_pqg(dh, &p, NULL, &g);
|
||||||
|
+ bits = BN_num_bits(p);
|
||||||
|
+
|
||||||
|
+ if (bits <= 3072) {
|
||||||
|
+ known = dh_new_group14();
|
||||||
|
+ } else if (bits <= 6144) {
|
||||||
|
+ known = dh_new_group16();
|
||||||
|
+ } else {
|
||||||
|
+ known = dh_new_group18();
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ DH_get0_pqg(known, &known_p, NULL, &known_g);
|
||||||
|
+
|
||||||
|
+ if (BN_cmp(g, known_g) == 0 &&
|
||||||
|
+ BN_cmp(p, known_p) == 0) {
|
||||||
|
+ rv = 1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ DH_free(known);
|
||||||
|
+ return rv;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
#endif /* WITH_OPENSSL */
|
||||||
|
diff -up openssh-8.6p1/dh.h.fips openssh-8.6p1/dh.h
|
||||||
|
--- openssh-8.6p1/dh.h.fips 2021-05-06 12:08:36.498926877 +0200
|
||||||
|
+++ openssh-8.6p1/dh.h 2021-05-06 12:11:28.393298005 +0200
|
||||||
|
@@ -45,6 +45,7 @@ DH *dh_new_group_fallback(int);
|
||||||
|
|
||||||
|
int dh_gen_key(DH *, int);
|
||||||
|
int dh_pub_is_valid(const DH *, const BIGNUM *);
|
||||||
|
+int dh_is_known_group(const DH *);
|
||||||
|
|
||||||
|
u_int dh_estimate(int);
|
||||||
|
void dh_set_moduli_file(const char *);
|
||||||
|
diff -up openssh-8.6p1/kex-names.c.fips openssh-8.6p1/kex-names.c
|
||||||
|
--- openssh-8.6p1/kex-names.c.fips 2021-05-06 12:08:36.489926807 +0200
|
||||||
|
+++ openssh-8.6p1/kex-names.c 2021-05-06 12:08:36.498926877 +0200
|
||||||
|
@@ -39,6 +39,7 @@
|
||||||
|
|
||||||
|
#ifdef WITH_OPENSSL
|
||||||
|
#include <openssl/crypto.h>
|
||||||
|
+#include <openssl/fips.h>
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
|
@@ -203,7 +203,10 @@ kex_names_valid(const char *names)
|
||||||
|
for ((p = strsep(&cp, ",")); p && *p != '\0';
|
||||||
|
(p = strsep(&cp, ","))) {
|
||||||
|
if (kex_alg_by_name(p) == NULL) {
|
||||||
|
- error("Unsupported KEX algorithm \"%.100s\"", p);
|
||||||
|
+ if (FIPS_mode())
|
||||||
|
+ error("\"%.100s\" is not allowed in FIPS mode", p);
|
||||||
|
+ else
|
||||||
|
+ error("Unsupported KEX algorithm \"%.100s\"", p);
|
||||||
|
free(s);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
diff -up openssh-8.6p1/kexgexc.c.fips openssh-8.6p1/kexgexc.c
|
||||||
|
--- openssh-8.6p1/kexgexc.c.fips 2021-04-16 05:55:25.000000000 +0200
|
||||||
|
+++ openssh-8.6p1/kexgexc.c 2021-05-06 12:08:36.498926877 +0200
|
||||||
|
@@ -28,6 +28,7 @@
|
||||||
|
|
||||||
|
#ifdef WITH_OPENSSL
|
||||||
|
|
||||||
|
+#include <openssl/fips.h>
|
||||||
|
#include <sys/types.h>
|
||||||
|
|
||||||
|
#include <openssl/dh.h>
|
||||||
|
@@ -115,6 +116,10 @@ input_kex_dh_gex_group(int type, u_int32
|
||||||
|
r = SSH_ERR_ALLOC_FAIL;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
+ if (FIPS_mode() && dh_is_known_group(kex->dh) == 0) {
|
||||||
|
+ r = SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
p = g = NULL; /* belong to kex->dh now */
|
||||||
|
|
||||||
|
/* generate and send 'e', client DH public key */
|
||||||
|
diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h
|
||||||
|
--- openssh-8.6p1/myproposal.h.fips 2021-04-16 05:55:25.000000000 +0200
|
||||||
|
+++ openssh-8.6p1/myproposal.h 2021-05-06 12:08:36.498926877 +0200
|
||||||
|
@@ -57,6 +57,18 @@
|
||||||
|
"rsa-sha2-512," \
|
||||||
|
"rsa-sha2-256"
|
||||||
|
|
||||||
|
+#define KEX_FIPS_PK_ALG \
|
||||||
|
+ "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
|
||||||
|
+ "ecdsa-sha2-nistp384-cert-v01@openssh.com," \
|
||||||
|
+ "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
|
||||||
|
+ "rsa-sha2-512-cert-v01@openssh.com," \
|
||||||
|
+ "rsa-sha2-256-cert-v01@openssh.com," \
|
||||||
|
+ "ecdsa-sha2-nistp256," \
|
||||||
|
+ "ecdsa-sha2-nistp384," \
|
||||||
|
+ "ecdsa-sha2-nistp521," \
|
||||||
|
+ "rsa-sha2-512," \
|
||||||
|
+ "rsa-sha2-256"
|
||||||
|
+
|
||||||
|
#define KEX_SERVER_ENCRYPT \
|
||||||
|
"chacha20-poly1305@openssh.com," \
|
||||||
|
"aes128-ctr,aes192-ctr,aes256-ctr," \
|
||||||
|
@@ -78,6 +92,27 @@
|
||||||
|
|
||||||
|
#define KEX_CLIENT_MAC KEX_SERVER_MAC
|
||||||
|
|
||||||
|
+#define KEX_FIPS_ENCRYPT \
|
||||||
|
+ "aes128-ctr,aes192-ctr,aes256-ctr," \
|
||||||
|
+ "aes128-cbc,3des-cbc," \
|
||||||
|
+ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \
|
||||||
|
+ "aes128-gcm@openssh.com,aes256-gcm@openssh.com"
|
||||||
|
+#define KEX_DEFAULT_KEX_FIPS \
|
||||||
|
+ "ecdh-sha2-nistp256," \
|
||||||
|
+ "ecdh-sha2-nistp384," \
|
||||||
|
+ "ecdh-sha2-nistp521," \
|
||||||
|
+ "diffie-hellman-group-exchange-sha256," \
|
||||||
|
+ "diffie-hellman-group16-sha512," \
|
||||||
|
+ "diffie-hellman-group18-sha512," \
|
||||||
|
+ "diffie-hellman-group14-sha256"
|
||||||
|
+#define KEX_FIPS_MAC \
|
||||||
|
+ "hmac-sha1," \
|
||||||
|
+ "hmac-sha2-256," \
|
||||||
|
+ "hmac-sha2-512," \
|
||||||
|
+ "hmac-sha1-etm@openssh.com," \
|
||||||
|
+ "hmac-sha2-256-etm@openssh.com," \
|
||||||
|
+ "hmac-sha2-512-etm@openssh.com"
|
||||||
|
+
|
||||||
|
/* Not a KEX value, but here so all the algorithm defaults are together */
|
||||||
|
#define SSH_ALLOWED_CA_SIGALGS \
|
||||||
|
"ssh-ed25519," \
|
||||||
|
diff -up openssh-8.6p1/readconf.c.fips openssh-8.6p1/readconf.c
|
||||||
|
--- openssh-8.6p1/readconf.c.fips 2021-05-06 12:08:36.428926336 +0200
|
||||||
|
+++ openssh-8.6p1/readconf.c 2021-05-06 12:08:36.499926885 +0200
|
||||||
|
@@ -39,6 +39,7 @@
|
||||||
|
#include <string.h>
|
||||||
|
#include <stdarg.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
+#include <openssl/fips.h>
|
||||||
|
#ifdef USE_SYSTEM_GLOB
|
||||||
|
# include <glob.h>
|
||||||
|
#else
|
||||||
|
@@ -2538,11 +2538,16 @@ fill_default_options(Options * options)
|
||||||
|
all_key = sshkey_alg_list(0, 0, 1, ',');
|
||||||
|
all_sig = sshkey_alg_list(0, 1, 1, ',');
|
||||||
|
/* remove unsupported algos from default lists */
|
||||||
|
- def_cipher = match_filter_allowlist(KEX_CLIENT_ENCRYPT, all_cipher);
|
||||||
|
- def_mac = match_filter_allowlist(KEX_CLIENT_MAC, all_mac);
|
||||||
|
- def_kex = match_filter_allowlist(KEX_CLIENT_KEX, all_kex);
|
||||||
|
- def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
|
||||||
|
- def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
|
||||||
|
+ def_cipher = match_filter_allowlist((FIPS_mode() ?
|
||||||
|
+ KEX_FIPS_ENCRYPT : KEX_CLIENT_ENCRYPT), all_cipher);
|
||||||
|
+ def_mac = match_filter_allowlist((FIPS_mode() ?
|
||||||
|
+ KEX_FIPS_MAC : KEX_CLIENT_MAC), all_mac);
|
||||||
|
+ def_kex = match_filter_allowlist((FIPS_mode() ?
|
||||||
|
+ KEX_DEFAULT_KEX_FIPS : KEX_CLIENT_KEX), all_kex);
|
||||||
|
+ def_key = match_filter_allowlist((FIPS_mode() ?
|
||||||
|
+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
|
||||||
|
+ def_sig = match_filter_allowlist((FIPS_mode() ?
|
||||||
|
+ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
|
||||||
|
#define ASSEMBLE(what, defaults, all) \
|
||||||
|
do { \
|
||||||
|
if ((r = kex_assemble_names(&options->what, \
|
||||||
|
diff -up openssh-8.6p1/sandbox-seccomp-filter.c.fips openssh-8.6p1/sandbox-seccomp-filter.c
|
||||||
|
--- openssh-8.6p1/sandbox-seccomp-filter.c.fips 2021-05-06 12:08:36.463926606 +0200
|
||||||
|
+++ openssh-8.6p1/sandbox-seccomp-filter.c 2021-05-06 12:08:36.499926885 +0200
|
||||||
|
@@ -160,6 +160,9 @@ static const struct sock_filter preauth_
|
||||||
|
#ifdef __NR_open
|
||||||
|
SC_DENY(__NR_open, EACCES),
|
||||||
|
#endif
|
||||||
|
+#ifdef __NR_socket
|
||||||
|
+ SC_DENY(__NR_socket, EACCES),
|
||||||
|
+#endif
|
||||||
|
#ifdef __NR_openat
|
||||||
|
SC_DENY(__NR_openat, EACCES),
|
||||||
|
#endif
|
||||||
|
diff -up openssh-8.6p1/servconf.c.fips openssh-8.6p1/servconf.c
|
||||||
|
--- openssh-8.6p1/servconf.c.fips 2021-05-06 12:08:36.455926545 +0200
|
||||||
|
+++ openssh-8.6p1/servconf.c 2021-05-06 12:08:36.500926893 +0200
|
||||||
|
@@ -38,6 +38,7 @@
|
||||||
|
#include <limits.h>
|
||||||
|
#include <stdarg.h>
|
||||||
|
#include <errno.h>
|
||||||
|
+#include <openssl/fips.h>
|
||||||
|
#ifdef HAVE_UTIL_H
|
||||||
|
#include <util.h>
|
||||||
|
#endif
|
||||||
|
@@ -226,11 +226,16 @@ assemble_algorithms(ServerOptions *o)
|
||||||
|
all_key = sshkey_alg_list(0, 0, 1, ',');
|
||||||
|
all_sig = sshkey_alg_list(0, 1, 1, ',');
|
||||||
|
/* remove unsupported algos from default lists */
|
||||||
|
- def_cipher = match_filter_allowlist(KEX_SERVER_ENCRYPT, all_cipher);
|
||||||
|
- def_mac = match_filter_allowlist(KEX_SERVER_MAC, all_mac);
|
||||||
|
- def_kex = match_filter_allowlist(KEX_SERVER_KEX, all_kex);
|
||||||
|
- def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
|
||||||
|
- def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
|
||||||
|
+ def_cipher = match_filter_allowlist((FIPS_mode() ?
|
||||||
|
+ KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT), all_cipher);
|
||||||
|
+ def_mac = match_filter_allowlist((FIPS_mode() ?
|
||||||
|
+ KEX_FIPS_MAC : KEX_SERVER_MAC), all_mac);
|
||||||
|
+ def_kex = match_filter_allowlist((FIPS_mode() ?
|
||||||
|
+ KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX), all_kex);
|
||||||
|
+ def_key = match_filter_allowlist((FIPS_mode() ?
|
||||||
|
+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
|
||||||
|
+ def_sig = match_filter_allowlist((FIPS_mode() ?
|
||||||
|
+ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
|
||||||
|
#define ASSEMBLE(what, defaults, all) \
|
||||||
|
do { \
|
||||||
|
if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
|
||||||
|
diff -up openssh-8.6p1/ssh.c.fips openssh-8.6p1/ssh.c
|
||||||
|
--- openssh-8.6p1/ssh.c.fips 2021-05-06 12:08:36.467926637 +0200
|
||||||
|
+++ openssh-8.6p1/ssh.c 2021-05-06 12:08:36.500926893 +0200
|
||||||
|
@@ -77,6 +77,7 @@
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
#include <openssl/err.h>
|
||||||
|
#endif
|
||||||
|
+#include <openssl/fips.h>
|
||||||
|
#include "openbsd-compat/openssl-compat.h"
|
||||||
|
#include "openbsd-compat/sys-queue.h"
|
||||||
|
|
||||||
|
@@ -1516,6 +1517,10 @@ main(int ac, char **av)
|
||||||
|
exit(0);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ debug("FIPS mode initialized");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* Expand SecurityKeyProvider if it refers to an environment variable */
|
||||||
|
if (options.sk_provider != NULL && *options.sk_provider == '$' &&
|
||||||
|
strlen(options.sk_provider) > 1) {
|
||||||
|
diff -up openssh-8.6p1/sshconnect2.c.fips openssh-8.6p1/sshconnect2.c
|
||||||
|
--- openssh-8.6p1/sshconnect2.c.fips 2021-05-06 12:08:36.485926777 +0200
|
||||||
|
+++ openssh-8.6p1/sshconnect2.c 2021-05-06 12:08:36.501926900 +0200
|
||||||
|
@@ -45,6 +45,8 @@
|
||||||
|
#include <vis.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+#include <openssl/fips.h>
|
||||||
|
+
|
||||||
|
#include "openbsd-compat/sys-queue.h"
|
||||||
|
|
||||||
|
#include "xmalloc.h"
|
||||||
|
@@ -269,36 +271,41 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
||||||
|
|
||||||
|
#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||||
|
if (options.gss_keyex) {
|
||||||
|
- /* Add the GSSAPI mechanisms currently supported on this
|
||||||
|
- * client to the key exchange algorithm proposal */
|
||||||
|
- orig = myproposal[PROPOSAL_KEX_ALGS];
|
||||||
|
-
|
||||||
|
- if (options.gss_server_identity) {
|
||||||
|
- gss_host = xstrdup(options.gss_server_identity);
|
||||||
|
- } else if (options.gss_trust_dns) {
|
||||||
|
- gss_host = remote_hostname(ssh);
|
||||||
|
- /* Fall back to specified host if we are using proxy command
|
||||||
|
- * and can not use DNS on that socket */
|
||||||
|
- if (strcmp(gss_host, "UNKNOWN") == 0) {
|
||||||
|
- free(gss_host);
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
|
||||||
|
+ options.gss_keyex = 0;
|
||||||
|
+ } else {
|
||||||
|
+ /* Add the GSSAPI mechanisms currently supported on this
|
||||||
|
+ * client to the key exchange algorithm proposal */
|
||||||
|
+ orig = myproposal[PROPOSAL_KEX_ALGS];
|
||||||
|
+
|
||||||
|
+ if (options.gss_server_identity) {
|
||||||
|
+ gss_host = xstrdup(options.gss_server_identity);
|
||||||
|
+ } else if (options.gss_trust_dns) {
|
||||||
|
+ gss_host = remote_hostname(ssh);
|
||||||
|
+ /* Fall back to specified host if we are using proxy command
|
||||||
|
+ * and can not use DNS on that socket */
|
||||||
|
+ if (strcmp(gss_host, "UNKNOWN") == 0) {
|
||||||
|
+ free(gss_host);
|
||||||
|
+ gss_host = xstrdup(host);
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
gss_host = xstrdup(host);
|
||||||
|
}
|
||||||
|
- } else {
|
||||||
|
- gss_host = xstrdup(host);
|
||||||
|
- }
|
||||||
|
|
||||||
|
- gss = ssh_gssapi_client_mechanisms(gss_host,
|
||||||
|
- options.gss_client_identity, options.gss_kex_algorithms);
|
||||||
|
- if (gss) {
|
||||||
|
- debug("Offering GSSAPI proposal: %s", gss);
|
||||||
|
- xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
|
||||||
|
- "%s,%s", gss, orig);
|
||||||
|
-
|
||||||
|
- /* If we've got GSSAPI algorithms, then we also support the
|
||||||
|
- * 'null' hostkey, as a last resort */
|
||||||
|
- orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
|
||||||
|
- xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
|
||||||
|
- "%s,null", orig);
|
||||||
|
+ gss = ssh_gssapi_client_mechanisms(gss_host,
|
||||||
|
+ options.gss_client_identity, options.gss_kex_algorithms);
|
||||||
|
+ if (gss) {
|
||||||
|
+ debug("Offering GSSAPI proposal: %s", gss);
|
||||||
|
+ xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
|
||||||
|
+ "%s,%s", gss, orig);
|
||||||
|
+
|
||||||
|
+ /* If we've got GSSAPI algorithms, then we also support the
|
||||||
|
+ * 'null' hostkey, as a last resort */
|
||||||
|
+ orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
|
||||||
|
+ xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
|
||||||
|
+ "%s,null", orig);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
|
||||||
|
--- openssh-8.6p1/sshd.c.fips 2021-05-06 12:08:36.493926838 +0200
|
||||||
|
+++ openssh-8.6p1/sshd.c 2021-05-06 12:13:56.501492639 +0200
|
||||||
|
@@ -66,6 +66,7 @@
|
||||||
|
#endif
|
||||||
|
#include <pwd.h>
|
||||||
|
#include <signal.h>
|
||||||
|
+#include <syslog.h>
|
||||||
|
#include <stdarg.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
@@ -77,6 +78,7 @@
|
||||||
|
#ifdef WITH_OPENSSL
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
#include <openssl/rand.h>
|
||||||
|
+#include <openssl/fips.h>
|
||||||
|
#include "openbsd-compat/openssl-compat.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
@@ -1931,6 +1931,13 @@ main(int ac, char **av)
|
||||||
|
&key, NULL)) != 0 && r != SSH_ERR_SYSTEM_ERROR)
|
||||||
|
do_log2_r(r, ll, "Unable to load host key \"%s\"",
|
||||||
|
options.host_key_files[i]);
|
||||||
|
+ if (FIPS_mode() && key != NULL && (sshkey_type_plain(key->type) == KEY_ED25519_SK
|
||||||
|
+ || sshkey_type_plain(key->type) == KEY_ED25519)) {
|
||||||
|
+ logit_f("sshd: Ed25519 keys are not allowed in FIPS mode, skipping %s", options.host_key_files[i]);
|
||||||
|
+ sshkey_free(key);
|
||||||
|
+ key = NULL;
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
if (sshkey_is_sk(key) &&
|
||||||
|
key->sk_flags & SSH_SK_USER_PRESENCE_REQD) {
|
||||||
|
debug("host key %s requires user presence, ignoring",
|
||||||
|
@@ -2110,6 +2113,10 @@ main(int ac, char **av)
|
||||||
|
/* Reinitialize the log (because of the fork above). */
|
||||||
|
log_init(__progname, options.log_level, options.log_facility, log_stderr);
|
||||||
|
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ debug("FIPS mode initialized");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* Chdir to the root directory so that the current disk can be
|
||||||
|
* unmounted if desired.
|
||||||
|
diff -up openssh-8.6p1/sshd-session.c.fips openssh-8.6p1/sshd-session.c
|
||||||
|
--- a/sshd-session.c.fips 2021-05-06 12:08:36.493926838 +0200
|
||||||
|
+++ b/sshd-session.c 2021-05-06 12:13:56.501492639 +0200
|
||||||
|
@@ -78,6 +79,7 @@
|
||||||
|
#include <openssl/bn.h>
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
#include <openssl/rand.h>
|
||||||
|
+#include <openssl/fips.h>
|
||||||
|
#include "openbsd-compat/openssl-compat.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
@@ -2506,10 +2513,14 @@ do_ssh2_kex(struct ssh *ssh)
|
||||||
|
if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
|
||||||
|
orig = NULL;
|
||||||
|
|
||||||
|
- if (options.gss_keyex)
|
||||||
|
- gss = ssh_gssapi_server_mechanisms();
|
||||||
|
- else
|
||||||
|
- gss = NULL;
|
||||||
|
+ if (options.gss_keyex) {
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
|
||||||
|
+ options.gss_keyex = 0;
|
||||||
|
+ } else {
|
||||||
|
+ gss = ssh_gssapi_server_mechanisms();
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (gss && orig)
|
||||||
|
xasprintf(&newstr, "%s,%s", gss, orig);
|
||||||
|
diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c
|
||||||
|
--- openssh-8.6p1/sshkey.c.fips 2021-05-06 12:08:36.493926838 +0200
|
||||||
|
+++ openssh-8.6p1/sshkey.c 2021-05-06 12:08:36.502926908 +0200
|
||||||
|
@@ -36,6 +36,7 @@
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
#include <openssl/err.h>
|
||||||
|
#include <openssl/pem.h>
|
||||||
|
+#include <openssl/fips.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#include "crypto_api.h"
|
||||||
|
@@ -57,6 +58,7 @@
|
||||||
|
#define SSHKEY_INTERNAL
|
||||||
|
#include "sshkey.h"
|
||||||
|
#include "match.h"
|
||||||
|
+#include "log.h"
|
||||||
|
#include "ssh-sk.h"
|
||||||
|
|
||||||
|
#ifdef WITH_XMSS
|
||||||
|
@@ -285,6 +285,18 @@ sshkey_alg_list(int certs_only, int plai
|
||||||
|
impl = keyimpls[i];
|
||||||
|
if (impl->name == NULL || impl->type == KEY_NULL)
|
||||||
|
continue;
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ switch (impl->type) {
|
||||||
|
+ case KEY_ED25519:
|
||||||
|
+ case KEY_ED25519_SK:
|
||||||
|
+ case KEY_ED25519_CERT:
|
||||||
|
+ case KEY_ED25519_SK_CERT:
|
||||||
|
+ continue;
|
||||||
|
+ break;
|
||||||
|
+ default:
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
if (!include_sigonly && impl->sigonly)
|
||||||
|
continue;
|
||||||
|
if ((certs_only && !impl->cert) || (plain_only && impl->cert))
|
||||||
|
@@ -1503,6 +1503,20 @@ sshkey_read(struct sshkey *ret, char **c
|
||||||
|
return SSH_ERR_EC_CURVE_MISMATCH;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ switch (type) {
|
||||||
|
+ case KEY_ED25519:
|
||||||
|
+ case KEY_ED25519_SK:
|
||||||
|
+ case KEY_ED25519_CERT:
|
||||||
|
+ case KEY_ED25519_SK_CERT:
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ sshkey_free(k);
|
||||||
|
+ logit_f("Ed25519 keys are not allowed in FIPS mode");
|
||||||
|
+ return SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
+ }
|
||||||
|
+ break;
|
||||||
|
+ default:
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
/* Fill in ret from parsed key */
|
||||||
|
sshkey_free_contents(ret);
|
||||||
|
*ret = *k;
|
||||||
|
@@ -2916,6 +2916,11 @@ sshkey_sign(struct sshkey *key,
|
||||||
|
*lenp = 0;
|
||||||
|
if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE)
|
||||||
|
return SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
+ if (FIPS_mode() && ((key->type == KEY_ED25519_SK) || (key->type == KEY_ED25519_SK_CERT))) {
|
||||||
|
+ logit_f("Ed25519 keys are not allowed in FIPS mode");
|
||||||
|
+ return SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
+ }
|
||||||
|
+ /* Fallthrough */
|
||||||
|
if ((impl = sshkey_impl_from_key(key)) == NULL)
|
||||||
|
return SSH_ERR_KEY_TYPE_UNKNOWN;
|
||||||
|
if ((r = sshkey_unshield_private(key)) != 0)
|
||||||
|
@@ -2973,6 +2978,10 @@ sshkey_verify(const struct sshkey *key,
|
||||||
|
*detailsp = NULL;
|
||||||
|
if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE)
|
||||||
|
return SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
+ if (FIPS_mode() && ((key->type == KEY_ED25519_SK) || (key->type == KEY_ED25519_SK_CERT))) {
|
||||||
|
+ logit_f("Ed25519 keys are not allowed in FIPS mode");
|
||||||
|
+ return SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
+ }
|
||||||
|
if ((impl = sshkey_impl_from_key(key)) == NULL)
|
||||||
|
return SSH_ERR_KEY_TYPE_UNKNOWN;
|
||||||
|
return impl->funcs->verify(key, sig, siglen, data, dlen,
|
||||||
|
diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
|
||||||
|
--- openssh-8.6p1/ssh-keygen.c.fips 2021-05-06 12:08:36.467926637 +0200
|
||||||
|
+++ openssh-8.6p1/ssh-keygen.c 2021-05-06 12:08:36.503926916 +0200
|
||||||
|
@@ -20,6 +20,7 @@
|
||||||
|
|
||||||
|
#ifdef WITH_OPENSSL
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
+#include <openssl/fips.h>
|
||||||
|
#include <openssl/pem.h>
|
||||||
|
#include "openbsd-compat/openssl-compat.h"
|
||||||
|
#endif
|
||||||
|
@@ -69,6 +69,7 @@
|
||||||
|
#include "cipher.h"
|
||||||
|
|
||||||
|
#define DEFAULT_KEY_TYPE_NAME "ed25519"
|
||||||
|
+#define FIPS_DEFAULT_KEY_TYPE_NAME "rsa"
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Default number of bits in the RSA, DSA and ECDSA keys. These value can be
|
||||||
|
@@ -205,6 +205,12 @@ type_bits_valid(int type, const char *na
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
#ifdef WITH_OPENSSL
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ if (type == KEY_DSA)
|
||||||
|
+ fatal("DSA keys are not allowed in FIPS mode");
|
||||||
|
+ if (type == KEY_ED25519 || type == KEY_ED25519_SK)
|
||||||
|
+ fatal("ED25519 keys are not allowed in FIPS mode");
|
||||||
|
+ }
|
||||||
|
switch (type) {
|
||||||
|
case KEY_DSA:
|
||||||
|
if (*bitsp != 1024)
|
||||||
|
@@ -266,7 +267,7 @@ ask_filename(struct passwd *pw, const ch
|
||||||
|
char *name = NULL;
|
||||||
|
|
||||||
|
if (key_type_name == NULL)
|
||||||
|
- name = _PATH_SSH_CLIENT_ID_ED25519;
|
||||||
|
+ name = FIPS_mode() ? _PATH_SSH_CLIENT_ID_RSA : _PATH_SSH_CLIENT_ID_ED25519;
|
||||||
|
else {
|
||||||
|
switch (sshkey_type_from_shortname(key_type_name)) {
|
||||||
|
#ifdef WITH_DSA
|
||||||
|
@@ -1098,9 +1104,17 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||||
|
first = 1;
|
||||||
|
printf("%s: generating new host keys: ", __progname);
|
||||||
|
}
|
||||||
|
+ type = sshkey_type_from_shortname(key_types[i].key_type);
|
||||||
|
+
|
||||||
|
+ /* Skip the keys that are not supported in FIPS mode */
|
||||||
|
+ if (FIPS_mode() && (type == KEY_DSA || type == KEY_ED25519)) {
|
||||||
|
+ logit("Skipping %s key in FIPS mode",
|
||||||
|
+ key_types[i].key_type_display);
|
||||||
|
+ goto next;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
printf("%s ", key_types[i].key_type_display);
|
||||||
|
fflush(stdout);
|
||||||
|
- type = sshkey_type_from_shortname(key_types[i].key_type);
|
||||||
|
if ((fd = mkstemp(prv_tmp)) == -1) {
|
||||||
|
error("Could not save your private key in %s: %s",
|
||||||
|
prv_tmp, strerror(errno));
|
||||||
|
@@ -3830,7 +3831,7 @@ main(int argc, char **argv)
|
||||||
|
}
|
||||||
|
|
||||||
|
if (key_type_name == NULL)
|
||||||
|
- key_type_name = DEFAULT_KEY_TYPE_NAME;
|
||||||
|
+ key_type_name = FIPS_mode() ? FIPS_DEFAULT_KEY_TYPE_NAME : DEFAULT_KEY_TYPE_NAME;
|
||||||
|
|
||||||
|
type = sshkey_type_from_shortname(key_type_name);
|
||||||
|
type_bits_valid(type, key_type_name, &bits);
|
||||||
|
diff -up openssh-9.3p1/ssh-rsa.c.evpgenrsa openssh-9.3p1/ssh-rsa.c
|
||||||
|
--- openssh-9.3p1/ssh-rsa.c.evpgenrsa 2022-06-30 15:14:58.200518353 +0200
|
||||||
|
+++ openssh-9.3p1/ssh-rsa.c 2022-06-30 15:24:31.499641196 +0200
|
||||||
|
@@ -33,6 +33,7 @@
|
||||||
|
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
#include <openssl/err.h>
|
||||||
|
+#include <openssl/fips.h>
|
||||||
|
|
||||||
|
#include <stdarg.h>
|
||||||
|
#include <string.h>
|
||||||
|
@@ -1705,6 +1707,8 @@ ssh_rsa_generate(u_int bits, RSA
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
if (EVP_PKEY_keygen(ctx, &res) <= 0 || res == NULL) {
|
||||||
|
+ if (FIPS_mode())
|
||||||
|
+ logit_f("the key length might be unsupported by FIPS mode approved key generation method");
|
||||||
|
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
diff -up openssh-9.9p1/kexgen.c.xxx openssh-9.9p1/kexgen.c
|
||||||
|
--- openssh-9.9p1/kexgen.c.xxx 2024-10-09 10:35:56.285946080 +0200
|
||||||
|
+++ openssh-9.9p1/kexgen.c 2024-10-09 10:41:52.792597194 +0200
|
||||||
|
@@ -31,6 +31,7 @@
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <string.h>
|
||||||
|
#include <signal.h>
|
||||||
|
+#include <openssl/fips.h>
|
||||||
|
|
||||||
|
#include "sshkey.h"
|
||||||
|
#include "kex.h"
|
||||||
|
@@ -115,13 +116,28 @@ kex_gen_client(struct ssh *ssh)
|
||||||
|
break;
|
||||||
|
#endif
|
||||||
|
case KEX_C25519_SHA256:
|
||||||
|
- r = kex_c25519_keypair(kex);
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ logit_f("Key exchange type c25519 is not allowed in FIPS mode");
|
||||||
|
+ r = SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
+ } else {
|
||||||
|
+ r = kex_c25519_keypair(kex);
|
||||||
|
+ }
|
||||||
|
break;
|
||||||
|
case KEX_KEM_SNTRUP761X25519_SHA512:
|
||||||
|
- r = kex_kem_sntrup761x25519_keypair(kex);
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ logit_f("Key exchange type sntrup761 is not allowed in FIPS mode");
|
||||||
|
+ r = SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
+ } else {
|
||||||
|
+ r = kex_kem_sntrup761x25519_keypair(kex);
|
||||||
|
+ }
|
||||||
|
break;
|
||||||
|
case KEX_KEM_MLKEM768X25519_SHA256:
|
||||||
|
- r = kex_kem_mlkem768x25519_keypair(kex);
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ logit_f("Key exchange type mlkem768x25519 is not allowed in FIPS mode");
|
||||||
|
+ r = SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
+ } else {
|
||||||
|
+ r = kex_kem_mlkem768x25519_keypair(kex);
|
||||||
|
+ }
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
r = SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
@@ -189,15 +205,30 @@ input_kex_gen_reply(int type, u_int32_t
|
||||||
|
break;
|
||||||
|
#endif
|
||||||
|
case KEX_C25519_SHA256:
|
||||||
|
- r = kex_c25519_dec(kex, server_blob, &shared_secret);
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ logit_f("Key exchange type c25519 is not allowed in FIPS mode");
|
||||||
|
+ r = SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
+ } else {
|
||||||
|
+ r = kex_c25519_dec(kex, server_blob, &shared_secret);
|
||||||
|
+ }
|
||||||
|
break;
|
||||||
|
case KEX_KEM_SNTRUP761X25519_SHA512:
|
||||||
|
- r = kex_kem_sntrup761x25519_dec(kex, server_blob,
|
||||||
|
- &shared_secret);
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ logit_f("Key exchange type sntrup761 is not allowed in FIPS mode");
|
||||||
|
+ r = SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
+ } else {
|
||||||
|
+ r = kex_kem_sntrup761x25519_dec(kex, server_blob,
|
||||||
|
+ &shared_secret);
|
||||||
|
+ }
|
||||||
|
break;
|
||||||
|
case KEX_KEM_MLKEM768X25519_SHA256:
|
||||||
|
- r = kex_kem_mlkem768x25519_dec(kex, server_blob,
|
||||||
|
- &shared_secret);
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ logit_f("Key exchange type mlkem768x25519 is not allowed in FIPS mode");
|
||||||
|
+ r = SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
+ } else {
|
||||||
|
+ r = kex_kem_mlkem768x25519_dec(kex, server_blob,
|
||||||
|
+ &shared_secret);
|
||||||
|
+ }
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
r = SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
@@ -312,16 +343,31 @@ input_kex_gen_init(int type, u_int32_t s
|
||||||
|
break;
|
||||||
|
#endif
|
||||||
|
case KEX_C25519_SHA256:
|
||||||
|
- r = kex_c25519_enc(kex, client_pubkey, &server_pubkey,
|
||||||
|
- &shared_secret);
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ logit_f("Key exchange type c25519 is not allowed in FIPS mode");
|
||||||
|
+ r = SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
+ } else {
|
||||||
|
+ r = kex_c25519_enc(kex, client_pubkey, &server_pubkey,
|
||||||
|
+ &shared_secret);
|
||||||
|
+ }
|
||||||
|
break;
|
||||||
|
case KEX_KEM_SNTRUP761X25519_SHA512:
|
||||||
|
- r = kex_kem_sntrup761x25519_enc(kex, client_pubkey,
|
||||||
|
- &server_pubkey, &shared_secret);
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ logit_f("Key exchange type sntrup761 is not allowed in FIPS mode");
|
||||||
|
+ r = SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
+ } else {
|
||||||
|
+ r = kex_kem_sntrup761x25519_enc(kex, client_pubkey,
|
||||||
|
+ &server_pubkey, &shared_secret);
|
||||||
|
+ }
|
||||||
|
break;
|
||||||
|
case KEX_KEM_MLKEM768X25519_SHA256:
|
||||||
|
- r = kex_kem_mlkem768x25519_enc(kex, client_pubkey,
|
||||||
|
- &server_pubkey, &shared_secret);
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ logit_f("Key exchange type mlkem768x25519 is not allowed in FIPS mode");
|
||||||
|
+ r = SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
+ } else {
|
||||||
|
+ r = kex_kem_mlkem768x25519_enc(kex, client_pubkey,
|
||||||
|
+ &server_pubkey, &shared_secret);
|
||||||
|
+ }
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
r = SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
diff -up openssh-8.7p1/ssh-ed25519.c.fips3 openssh-8.7p1/ssh-ed25519.c
|
||||||
|
--- openssh-8.7p1/ssh-ed25519.c.fips3 2022-07-11 16:53:41.428343304 +0200
|
||||||
|
+++ openssh-8.7p1/ssh-ed25519.c 2022-07-11 16:56:09.284663661 +0200
|
||||||
|
@@ -24,6 +24,7 @@
|
||||||
|
|
||||||
|
#include <string.h>
|
||||||
|
#include <stdarg.h>
|
||||||
|
+#include <openssl/fips.h>
|
||||||
|
|
||||||
|
#include "log.h"
|
||||||
|
#include "sshbuf.h"
|
||||||
|
@@ -52,6 +53,10 @@ ssh_ed25519_sign(const struct sshkey *ke
|
||||||
|
key->ed25519_sk == NULL ||
|
||||||
|
datalen >= INT_MAX - crypto_sign_ed25519_BYTES)
|
||||||
|
return SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ logit_f("Ed25519 keys are not allowed in FIPS mode");
|
||||||
|
+ return SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
+ }
|
||||||
|
smlen = slen = datalen + crypto_sign_ed25519_BYTES;
|
||||||
|
if ((sig = malloc(slen)) == NULL)
|
||||||
|
return SSH_ERR_ALLOC_FAIL;
|
||||||
|
@@ -108,6 +113,10 @@ ssh_ed25519_verify(const struct sshkey *
|
||||||
|
dlen >= INT_MAX - crypto_sign_ed25519_BYTES ||
|
||||||
|
sig == NULL || siglen == 0)
|
||||||
|
return SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ logit_f("Ed25519 keys are not allowed in FIPS mode");
|
||||||
|
+ return SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if ((b = sshbuf_from(sig, siglen)) == NULL)
|
||||||
|
return SSH_ERR_ALLOC_FAIL;
|
||||||
|
diff -up openssh-9.9p1/kex.c.xxx openssh-9.9p1/kex.c
|
||||||
|
--- openssh-9.9p1/kex.c.xxx 2024-10-11 12:44:08.087426597 +0200
|
||||||
|
+++ openssh-9.9p1/kex.c 2024-10-11 14:00:10.404714521 +0200
|
||||||
|
@@ -40,6 +40,7 @@
|
||||||
|
#ifdef WITH_OPENSSL
|
||||||
|
#include <openssl/crypto.h>
|
||||||
|
#include <openssl/dh.h>
|
||||||
|
+#include <openssl/fips.h>
|
||||||
|
# ifdef HAVE_EVP_KDF_CTX_NEW
|
||||||
|
# include <openssl/kdf.h>
|
||||||
|
# include <openssl/param_build.h>
|
||||||
|
@@ -109,7 +110,7 @@ kex_proposal_populate_entries(struct ssh
|
||||||
|
|
||||||
|
/* Append EXT_INFO signalling to KexAlgorithms */
|
||||||
|
if (kexalgos == NULL)
|
||||||
|
- kexalgos = defprop[PROPOSAL_KEX_ALGS];
|
||||||
|
+ kexalgos = FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : defprop[PROPOSAL_KEX_ALGS];
|
||||||
|
if ((cp = kex_names_cat(kexalgos, ssh->kex->server ?
|
||||||
|
"ext-info-s,kex-strict-s-v00@openssh.com" :
|
||||||
|
"ext-info-c,kex-strict-c-v00@openssh.com")) == NULL)
|
@ -1,7 +1,26 @@
|
|||||||
diff --git a/auth-krb5.c b/auth-krb5.c
|
diff -up openssh-8.6p1/auth.h.ccache_name openssh-8.6p1/auth.h
|
||||||
index a5a81ed2..63f877f2 100644
|
--- openssh-8.6p1/auth.h.ccache_name 2021-04-19 14:05:10.820744325 +0200
|
||||||
--- a/auth-krb5.c
|
+++ openssh-8.6p1/auth.h 2021-04-19 14:05:10.853744569 +0200
|
||||||
+++ b/auth-krb5.c
|
@@ -83,6 +83,7 @@ struct Authctxt {
|
||||||
|
krb5_principal krb5_user;
|
||||||
|
char *krb5_ticket_file;
|
||||||
|
char *krb5_ccname;
|
||||||
|
+ int krb5_set_env;
|
||||||
|
#endif
|
||||||
|
struct sshbuf *loginmsg;
|
||||||
|
|
||||||
|
@@ -231,7 +232,7 @@ struct passwd *fakepw(void);
|
||||||
|
int sys_auth_passwd(struct ssh *, const char *);
|
||||||
|
|
||||||
|
#if defined(KRB5) && !defined(HEIMDAL)
|
||||||
|
-krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
|
||||||
|
+krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#endif /* AUTH_H */
|
||||||
|
diff -up openssh-8.6p1/auth-krb5.c.ccache_name openssh-8.6p1/auth-krb5.c
|
||||||
|
--- openssh-8.6p1/auth-krb5.c.ccache_name 2021-04-16 05:55:25.000000000 +0200
|
||||||
|
+++ openssh-8.6p1/auth-krb5.c 2021-04-19 14:40:55.142832954 +0200
|
||||||
@@ -51,6 +51,7 @@
|
@@ -51,6 +51,7 @@
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
@ -10,7 +29,7 @@ index a5a81ed2..63f877f2 100644
|
|||||||
|
|
||||||
extern ServerOptions options;
|
extern ServerOptions options;
|
||||||
|
|
||||||
@@ -77,7 +78,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
|
@@ -77,7 +78,7 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||||
#endif
|
#endif
|
||||||
krb5_error_code problem;
|
krb5_error_code problem;
|
||||||
krb5_ccache ccache = NULL;
|
krb5_ccache ccache = NULL;
|
||||||
@ -19,24 +38,18 @@ index a5a81ed2..63f877f2 100644
|
|||||||
char *client, *platform_client;
|
char *client, *platform_client;
|
||||||
const char *errmsg;
|
const char *errmsg;
|
||||||
|
|
||||||
@@ -163,7 +164,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
|
@@ -163,8 +164,8 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
- problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
|
- problem = ssh_krb5_cc_gen(authctxt->krb5_ctx,
|
||||||
|
- &authctxt->krb5_fwd_ccache);
|
||||||
+ problem = ssh_krb5_cc_new_unique(authctxt->krb5_ctx,
|
+ problem = ssh_krb5_cc_new_unique(authctxt->krb5_ctx,
|
||||||
+ &authctxt->krb5_fwd_ccache, &authctxt->krb5_set_env);
|
+ &authctxt->krb5_fwd_ccache, &authctxt->krb5_set_env);
|
||||||
if (problem)
|
if (problem)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
@@ -172,21 +174,20 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
|
@@ -179,15 +180,14 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||||
if (problem)
|
|
||||||
goto out;
|
|
||||||
|
|
||||||
- problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
|
|
||||||
+ problem = krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
|
|
||||||
&creds);
|
|
||||||
if (problem)
|
|
||||||
goto out;
|
goto out;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -57,7 +70,7 @@ index a5a81ed2..63f877f2 100644
|
|||||||
do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
|
do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@@ -222,11 +223,54 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
|
@@ -223,11 +223,54 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||||
void
|
void
|
||||||
krb5_cleanup_proc(Authctxt *authctxt)
|
krb5_cleanup_proc(Authctxt *authctxt)
|
||||||
{
|
{
|
||||||
@ -113,7 +126,7 @@ index a5a81ed2..63f877f2 100644
|
|||||||
if (authctxt->krb5_user) {
|
if (authctxt->krb5_user) {
|
||||||
krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
|
krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
|
||||||
authctxt->krb5_user = NULL;
|
authctxt->krb5_user = NULL;
|
||||||
@@ -237,36 +281,188 @@ krb5_cleanup_proc(Authctxt *authctxt)
|
@@ -238,36 +281,188 @@ krb5_cleanup_proc(Authctxt *authctxt)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -151,7 +164,7 @@ index a5a81ed2..63f877f2 100644
|
|||||||
+ssh_krb5_expand_template(char **result, const char *template) {
|
+ssh_krb5_expand_template(char **result, const char *template) {
|
||||||
+ char *p_n, *p_o, *r, *tmp_template;
|
+ char *p_n, *p_o, *r, *tmp_template;
|
||||||
+
|
+
|
||||||
+ debug3("%s: called, template = %s", __func__, template);
|
+ debug3_f("called, template = %s", template);
|
||||||
+ if (template == NULL)
|
+ if (template == NULL)
|
||||||
+ return -1;
|
+ return -1;
|
||||||
+
|
+
|
||||||
@ -179,7 +192,7 @@ index a5a81ed2..63f877f2 100644
|
|||||||
+ } else {
|
+ } else {
|
||||||
+ p_o = strchr(p_n, '}') + 1;
|
+ p_o = strchr(p_n, '}') + 1;
|
||||||
+ *p_o = '\0';
|
+ *p_o = '\0';
|
||||||
+ debug("%s: unsupported token %s in %s", __func__, p_n, template);
|
+ debug_f("unsupported token %s in %s", p_n, template);
|
||||||
+ /* unknown token, fallback to the default */
|
+ /* unknown token, fallback to the default */
|
||||||
+ goto cleanup;
|
+ goto cleanup;
|
||||||
+ }
|
+ }
|
||||||
@ -198,16 +211,13 @@ index a5a81ed2..63f877f2 100644
|
|||||||
+ return -1;
|
+ return -1;
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
krb5_error_code
|
+krb5_error_code
|
||||||
-ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
|
|
||||||
- int tmpfd, ret, oerrno;
|
|
||||||
- char ccname[40];
|
|
||||||
+ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
|
+ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
|
||||||
+ profile_t p;
|
+ profile_t p;
|
||||||
+ int ret = 0;
|
+ int ret = 0;
|
||||||
+ char *value = NULL;
|
+ char *value = NULL;
|
||||||
+
|
+
|
||||||
+ debug3("%s: called", __func__);
|
+ debug3_f("called");
|
||||||
+ ret = krb5_get_profile(ctx, &p);
|
+ ret = krb5_get_profile(ctx, &p);
|
||||||
+ if (ret)
|
+ if (ret)
|
||||||
+ return ret;
|
+ return ret;
|
||||||
@ -218,11 +228,14 @@ index a5a81ed2..63f877f2 100644
|
|||||||
+
|
+
|
||||||
+ ret = ssh_krb5_expand_template(ccname, value);
|
+ ret = ssh_krb5_expand_template(ccname, value);
|
||||||
+
|
+
|
||||||
+ debug3("%s: returning with ccname = %s", __func__, *ccname);
|
+ debug3_f("returning with ccname = %s", *ccname);
|
||||||
+ return ret;
|
+ return ret;
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+krb5_error_code
|
krb5_error_code
|
||||||
|
-ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
|
||||||
|
- int tmpfd, ret, oerrno;
|
||||||
|
- char ccname[40];
|
||||||
+ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache *ccache, int *need_environment) {
|
+ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache *ccache, int *need_environment) {
|
||||||
+ int tmpfd, ret, oerrno, type_len;
|
+ int tmpfd, ret, oerrno, type_len;
|
||||||
+ char *ccname = NULL;
|
+ char *ccname = NULL;
|
||||||
@ -242,7 +255,7 @@ index a5a81ed2..63f877f2 100644
|
|||||||
- logit("mkstemp(): %.100s", strerror(oerrno));
|
- logit("mkstemp(): %.100s", strerror(oerrno));
|
||||||
- return oerrno;
|
- return oerrno;
|
||||||
- }
|
- }
|
||||||
+ debug3("%s: called", __func__);
|
+ debug3_f("called");
|
||||||
+ if (need_environment)
|
+ if (need_environment)
|
||||||
+ *need_environment = 0;
|
+ *need_environment = 0;
|
||||||
+ ret = ssh_krb5_get_cctemplate(ctx, &ccname);
|
+ ret = ssh_krb5_get_cctemplate(ctx, &ccname);
|
||||||
@ -283,7 +296,7 @@ index a5a81ed2..63f877f2 100644
|
|||||||
- close(tmpfd);
|
- close(tmpfd);
|
||||||
|
|
||||||
- return (krb5_cc_resolve(ctx, ccname, ccache));
|
- return (krb5_cc_resolve(ctx, ccname, ccache));
|
||||||
+ debug3("%s: setting default ccname to %s", __func__, ccname);
|
+ debug3_f("setting default ccname to %s", ccname);
|
||||||
+ /* set the default with already expanded user IDs */
|
+ /* set the default with already expanded user IDs */
|
||||||
+ ret = krb5_cc_set_default_name(ctx, ccname);
|
+ ret = krb5_cc_set_default_name(ctx, ccname);
|
||||||
+ if (ret)
|
+ if (ret)
|
||||||
@ -304,13 +317,13 @@ index a5a81ed2..63f877f2 100644
|
|||||||
+ * a primary cache for this collection, if it supports that (non-FILE)
|
+ * a primary cache for this collection, if it supports that (non-FILE)
|
||||||
+ */
|
+ */
|
||||||
+ if (krb5_cc_support_switch(ctx, type)) {
|
+ if (krb5_cc_support_switch(ctx, type)) {
|
||||||
+ debug3("%s: calling cc_new_unique(%s)", __func__, ccname);
|
+ debug3_f("calling cc_new_unique(%s)", ccname);
|
||||||
+ ret = krb5_cc_new_unique(ctx, type, NULL, ccache);
|
+ ret = krb5_cc_new_unique(ctx, type, NULL, ccache);
|
||||||
+ free(type);
|
+ free(type);
|
||||||
+ if (ret)
|
+ if (ret)
|
||||||
+ return ret;
|
+ return ret;
|
||||||
+
|
+
|
||||||
+ debug3("%s: calling cc_switch()", __func__);
|
+ debug3_f("calling cc_switch()");
|
||||||
+ return krb5_cc_switch(ctx, *ccache);
|
+ return krb5_cc_switch(ctx, *ccache);
|
||||||
+ } else {
|
+ } else {
|
||||||
+ /* Otherwise, we can not create a unique ccname here (either
|
+ /* Otherwise, we can not create a unique ccname here (either
|
||||||
@ -318,35 +331,47 @@ index a5a81ed2..63f877f2 100644
|
|||||||
+ * collections
|
+ * collections
|
||||||
+ */
|
+ */
|
||||||
+ free(type);
|
+ free(type);
|
||||||
+ debug3("%s: calling cc_resolve(%s)", __func__, ccname);
|
+ debug3_f("calling cc_resolve(%s)", ccname);
|
||||||
+ return (krb5_cc_resolve(ctx, ccname, ccache));
|
+ return (krb5_cc_resolve(ctx, ccname, ccache));
|
||||||
+ }
|
+ }
|
||||||
}
|
}
|
||||||
#endif /* !HEIMDAL */
|
#endif /* !HEIMDAL */
|
||||||
#endif /* KRB5 */
|
#endif /* KRB5 */
|
||||||
diff --git a/auth.h b/auth.h
|
diff -up openssh-8.6p1/gss-serv.c.ccache_name openssh-8.6p1/gss-serv.c
|
||||||
index 29491df9..fdab5040 100644
|
--- openssh-8.6p1/gss-serv.c.ccache_name 2021-04-19 14:05:10.844744503 +0200
|
||||||
--- a/auth.h
|
+++ openssh-8.6p1/gss-serv.c 2021-04-19 14:05:10.854744577 +0200
|
||||||
+++ b/auth.h
|
@@ -413,13 +413,15 @@ ssh_gssapi_cleanup_creds(void)
|
||||||
@@ -82,6 +82,7 @@ struct Authctxt {
|
}
|
||||||
krb5_principal krb5_user;
|
|
||||||
char *krb5_ticket_file;
|
|
||||||
char *krb5_ccname;
|
|
||||||
+ int krb5_set_env;
|
|
||||||
#endif
|
|
||||||
struct sshbuf *loginmsg;
|
|
||||||
|
|
||||||
@@ -243,6 +244,6 @@ int sys_auth_passwd(struct ssh *, const char *);
|
/* As user */
|
||||||
|
-void
|
||||||
|
+int
|
||||||
|
ssh_gssapi_storecreds(void)
|
||||||
|
{
|
||||||
|
if (gssapi_client.mech && gssapi_client.mech->storecreds) {
|
||||||
|
- (*gssapi_client.mech->storecreds)(&gssapi_client);
|
||||||
|
+ return (*gssapi_client.mech->storecreds)(&gssapi_client);
|
||||||
|
} else
|
||||||
|
debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
|
||||||
|
+
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
|
||||||
#if defined(KRB5) && !defined(HEIMDAL)
|
/* This allows GSSAPI methods to do things to the child's environment based
|
||||||
#include <krb5.h>
|
@@ -499,9 +501,7 @@ ssh_gssapi_rekey_creds(void) {
|
||||||
-krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
|
char *envstr;
|
||||||
+krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *);
|
|
||||||
#endif
|
#endif
|
||||||
#endif
|
|
||||||
diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c
|
- if (gssapi_client.store.filename == NULL &&
|
||||||
--- openssh-7.9p1/gss-serv-krb5.c.ccache_name 2019-03-01 15:17:42.708611802 +0100
|
- gssapi_client.store.envval == NULL &&
|
||||||
+++ openssh-7.9p1/gss-serv-krb5.c 2019-03-01 15:17:42.713611844 +0100
|
- gssapi_client.store.envvar == NULL)
|
||||||
|
+ if (gssapi_client.store.envval == NULL)
|
||||||
|
return;
|
||||||
|
|
||||||
|
ok = mm_ssh_gssapi_update_creds(&gssapi_client.store);
|
||||||
|
diff -up openssh-8.6p1/gss-serv-krb5.c.ccache_name openssh-8.6p1/gss-serv-krb5.c
|
||||||
|
--- openssh-8.6p1/gss-serv-krb5.c.ccache_name 2021-04-19 14:05:10.852744562 +0200
|
||||||
|
+++ openssh-8.6p1/gss-serv-krb5.c 2021-04-19 14:05:10.854744577 +0200
|
||||||
@@ -267,7 +267,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
|
@@ -267,7 +267,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
|
||||||
/* This writes out any forwarded credentials from the structure populated
|
/* This writes out any forwarded credentials from the structure populated
|
||||||
* during userauth. Called after we have setuid to the user */
|
* during userauth. Called after we have setuid to the user */
|
||||||
@ -449,7 +474,7 @@ diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c
|
|||||||
do_pam_putenv(client->store.envvar, client->store.envval);
|
do_pam_putenv(client->store.envvar, client->store.envval);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@@ -361,7 +355,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
|
@@ -364,7 +354,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
|
||||||
|
|
||||||
client->store.data = krb_context;
|
client->store.data = krb_context;
|
||||||
|
|
||||||
@ -458,43 +483,10 @@ diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
diff --git a/gss-serv.c b/gss-serv.c
|
diff -up openssh-8.6p1/servconf.c.ccache_name openssh-8.6p1/servconf.c
|
||||||
index 6cae720e..16e55cbc 100644
|
--- openssh-8.6p1/servconf.c.ccache_name 2021-04-19 14:05:10.848744532 +0200
|
||||||
--- a/gss-serv.c
|
+++ openssh-8.6p1/servconf.c 2021-04-19 14:05:10.854744577 +0200
|
||||||
+++ b/gss-serv.c
|
@@ -136,6 +136,7 @@ initialize_server_options(ServerOptions
|
||||||
@@ -320,13 +320,15 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
|
|
||||||
}
|
|
||||||
|
|
||||||
/* As user */
|
|
||||||
-void
|
|
||||||
+int
|
|
||||||
ssh_gssapi_storecreds(void)
|
|
||||||
{
|
|
||||||
if (gssapi_client.mech && gssapi_client.mech->storecreds) {
|
|
||||||
- (*gssapi_client.mech->storecreds)(&gssapi_client);
|
|
||||||
+ return (*gssapi_client.mech->storecreds)(&gssapi_client);
|
|
||||||
} else
|
|
||||||
debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
|
|
||||||
+
|
|
||||||
+ return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* This allows GSSAPI methods to do things to the childs environment based
|
|
||||||
@@ -498,9 +500,7 @@ ssh_gssapi_rekey_creds() {
|
|
||||||
char *envstr;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
- if (gssapi_client.store.filename == NULL &&
|
|
||||||
- gssapi_client.store.envval == NULL &&
|
|
||||||
- gssapi_client.store.envvar == NULL)
|
|
||||||
+ if (gssapi_client.store.envval == NULL)
|
|
||||||
return;
|
|
||||||
|
|
||||||
ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store));
|
|
||||||
diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
|
|
||||||
--- openssh-7.9p1/servconf.c.ccache_name 2019-03-01 15:17:42.704611768 +0100
|
|
||||||
+++ openssh-7.9p1/servconf.c 2019-03-01 15:17:42.713611844 +0100
|
|
||||||
@@ -123,6 +123,7 @@ initialize_server_options(ServerOptions
|
|
||||||
options->kerberos_or_local_passwd = -1;
|
options->kerberos_or_local_passwd = -1;
|
||||||
options->kerberos_ticket_cleanup = -1;
|
options->kerberos_ticket_cleanup = -1;
|
||||||
options->kerberos_get_afs_token = -1;
|
options->kerberos_get_afs_token = -1;
|
||||||
@ -502,7 +494,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
|
|||||||
options->gss_authentication=-1;
|
options->gss_authentication=-1;
|
||||||
options->gss_keyex = -1;
|
options->gss_keyex = -1;
|
||||||
options->gss_cleanup_creds = -1;
|
options->gss_cleanup_creds = -1;
|
||||||
@@ -315,6 +316,8 @@ fill_default_server_options(ServerOptions *options)
|
@@ -359,6 +360,8 @@ fill_default_server_options(ServerOption
|
||||||
options->kerberos_ticket_cleanup = 1;
|
options->kerberos_ticket_cleanup = 1;
|
||||||
if (options->kerberos_get_afs_token == -1)
|
if (options->kerberos_get_afs_token == -1)
|
||||||
options->kerberos_get_afs_token = 0;
|
options->kerberos_get_afs_token = 0;
|
||||||
@ -511,17 +503,16 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
|
|||||||
if (options->gss_authentication == -1)
|
if (options->gss_authentication == -1)
|
||||||
options->gss_authentication = 0;
|
options->gss_authentication = 0;
|
||||||
if (options->gss_keyex == -1)
|
if (options->gss_keyex == -1)
|
||||||
@@ -447,7 +450,8 @@ typedef enum {
|
@@ -506,7 +509,7 @@ typedef enum {
|
||||||
sPermitRootLogin, sLogFacility, sLogLevel,
|
sPort, sHostKeyFile, sLoginGraceTime,
|
||||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
|
||||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||||
- sKerberosGetAFSToken, sChallengeResponseAuthentication,
|
- sKerberosGetAFSToken, sPasswordAuthentication,
|
||||||
+ sKerberosGetAFSToken, sKerberosUniqueCCache,
|
+ sKerberosGetAFSToken, sKerberosUniqueCCache, sPasswordAuthentication,
|
||||||
+ sChallengeResponseAuthentication,
|
sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
|
||||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
|
||||||
sListenAddress, sAddressFamily,
|
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
|
||||||
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
|
@@ -593,11 +597,13 @@ static struct {
|
||||||
@@ -526,11 +530,13 @@ static struct {
|
|
||||||
#else
|
#else
|
||||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||||
#endif
|
#endif
|
||||||
@ -535,7 +526,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
|
|||||||
#endif
|
#endif
|
||||||
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||||
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
|
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||||
@@ -1437,6 +1443,10 @@ process_server_config_line(ServerOptions *options, char *line,
|
@@ -1573,6 +1579,10 @@ process_server_config_line_depth(ServerO
|
||||||
intptr = &options->kerberos_get_afs_token;
|
intptr = &options->kerberos_get_afs_token;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
|
|
||||||
@ -546,7 +537,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
|
|||||||
case sGssAuthentication:
|
case sGssAuthentication:
|
||||||
intptr = &options->gss_authentication;
|
intptr = &options->gss_authentication;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
@@ -2507,6 +2517,7 @@ dump_config(ServerOptions *o)
|
@@ -2891,6 +2901,7 @@ dump_config(ServerOptions *o)
|
||||||
# ifdef USE_AFS
|
# ifdef USE_AFS
|
||||||
dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
|
dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
|
||||||
# endif
|
# endif
|
||||||
@ -554,11 +545,10 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
|
|||||||
#endif
|
#endif
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
|
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
|
||||||
diff --git a/servconf.h b/servconf.h
|
diff -up openssh-8.6p1/servconf.h.ccache_name openssh-8.6p1/servconf.h
|
||||||
index db8362c6..4fa42d64 100644
|
--- openssh-8.6p1/servconf.h.ccache_name 2021-04-19 14:05:10.848744532 +0200
|
||||||
--- a/servconf.h
|
+++ openssh-8.6p1/servconf.h 2021-04-19 14:05:10.855744584 +0200
|
||||||
+++ b/servconf.h
|
@@ -140,6 +140,8 @@ typedef struct {
|
||||||
@@ -123,6 +123,8 @@ typedef struct {
|
|
||||||
* file on logout. */
|
* file on logout. */
|
||||||
int kerberos_get_afs_token; /* If true, try to get AFS token if
|
int kerberos_get_afs_token; /* If true, try to get AFS token if
|
||||||
* authenticated with Kerberos. */
|
* authenticated with Kerberos. */
|
||||||
@ -567,13 +557,12 @@ index db8362c6..4fa42d64 100644
|
|||||||
int gss_authentication; /* If true, permit GSSAPI authentication */
|
int gss_authentication; /* If true, permit GSSAPI authentication */
|
||||||
int gss_keyex; /* If true, permit GSSAPI key exchange */
|
int gss_keyex; /* If true, permit GSSAPI key exchange */
|
||||||
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
|
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
|
||||||
diff --git a/session.c b/session.c
|
diff -up openssh-8.6p1/session.c.ccache_name openssh-8.6p1/session.c
|
||||||
index 85df6a27..480a5ead 100644
|
--- openssh-8.6p1/session.c.ccache_name 2021-04-19 14:05:10.852744562 +0200
|
||||||
--- a/session.c
|
+++ openssh-8.6p1/session.c 2021-04-19 14:05:10.855744584 +0200
|
||||||
+++ b/session.c
|
@@ -1038,7 +1038,8 @@ do_setup_env(struct ssh *ssh, Session *s
|
||||||
@@ -1033,7 +1033,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
|
|
||||||
/* Allow any GSSAPI methods that we've used to alter
|
/* Allow any GSSAPI methods that we've used to alter
|
||||||
* the childs environment as they see fit
|
* the child's environment as they see fit
|
||||||
*/
|
*/
|
||||||
- ssh_gssapi_do_child(&env, &envsize);
|
- ssh_gssapi_do_child(&env, &envsize);
|
||||||
+ if (s->authctxt->krb5_set_env)
|
+ if (s->authctxt->krb5_set_env)
|
||||||
@ -581,7 +570,7 @@ index 85df6a27..480a5ead 100644
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* Set basic environment. */
|
/* Set basic environment. */
|
||||||
@@ -1105,7 +1106,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
|
@@ -1114,7 +1115,7 @@ do_setup_env(struct ssh *ssh, Session *s
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
#ifdef KRB5
|
#ifdef KRB5
|
||||||
@ -590,33 +579,10 @@ index 85df6a27..480a5ead 100644
|
|||||||
child_set_env(&env, &envsize, "KRB5CCNAME",
|
child_set_env(&env, &envsize, "KRB5CCNAME",
|
||||||
s->authctxt->krb5_ccname);
|
s->authctxt->krb5_ccname);
|
||||||
#endif
|
#endif
|
||||||
diff --git a/ssh-gss.h b/ssh-gss.h
|
diff -up openssh-8.6p1/sshd-session.c.ccache_name openssh-8.6p1/sshd-session.c
|
||||||
index 6593e422..245178af 100644
|
--- openssh-8.6p1/sshd-session.c.ccache_name 2021-04-19 14:05:10.849744540 +0200
|
||||||
--- a/ssh-gss.h
|
+++ openssh-8.6p1/sshd-session.c 2021-04-19 14:05:10.855744584 +0200
|
||||||
+++ b/ssh-gss.h
|
@@ -2284,7 +2284,7 @@ main(int ac, char **av)
|
||||||
@@ -83,7 +82,7 @@ typedef struct ssh_gssapi_mech_struct {
|
|
||||||
int (*dochild) (ssh_gssapi_client *);
|
|
||||||
int (*userok) (ssh_gssapi_client *, char *);
|
|
||||||
int (*localname) (ssh_gssapi_client *, char **);
|
|
||||||
- void (*storecreds) (ssh_gssapi_client *);
|
|
||||||
+ int (*storecreds) (ssh_gssapi_client *);
|
|
||||||
int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
|
|
||||||
} ssh_gssapi_mech;
|
|
||||||
|
|
||||||
@@ -127,7 +126,7 @@ int ssh_gssapi_userok(char *name);
|
|
||||||
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
|
|
||||||
void ssh_gssapi_do_child(char ***, u_int *);
|
|
||||||
void ssh_gssapi_cleanup_creds(void);
|
|
||||||
-void ssh_gssapi_storecreds(void);
|
|
||||||
+int ssh_gssapi_storecreds(void);
|
|
||||||
const char *ssh_gssapi_displayname(void);
|
|
||||||
|
|
||||||
char *ssh_gssapi_server_mechanisms(void);
|
|
||||||
diff --git a/sshd.c b/sshd.c
|
|
||||||
index edbe815c..89514e8a 100644
|
|
||||||
--- a/sshd.c
|
|
||||||
+++ b/sshd.c
|
|
||||||
@@ -2162,7 +2162,7 @@ main(int ac, char **av)
|
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
if (options.gss_authentication) {
|
if (options.gss_authentication) {
|
||||||
temporarily_use_uid(authctxt->pw);
|
temporarily_use_uid(authctxt->pw);
|
||||||
@ -625,11 +591,10 @@ index edbe815c..89514e8a 100644
|
|||||||
restore_uid();
|
restore_uid();
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
diff --git a/sshd_config.5 b/sshd_config.5
|
diff -up openssh-8.6p1/sshd_config.5.ccache_name openssh-8.6p1/sshd_config.5
|
||||||
index c0683d4a..2349f477 100644
|
--- openssh-8.6p1/sshd_config.5.ccache_name 2021-04-19 14:05:10.849744540 +0200
|
||||||
--- a/sshd_config.5
|
+++ openssh-8.6p1/sshd_config.5 2021-04-19 14:05:10.856744592 +0200
|
||||||
+++ b/sshd_config.5
|
@@ -939,6 +939,14 @@ Specifies whether to automatically destr
|
||||||
@@ -860,6 +860,14 @@ Specifies whether to automatically destroy the user's ticket cache
|
|
||||||
file on logout.
|
file on logout.
|
||||||
The default is
|
The default is
|
||||||
.Cm yes .
|
.Cm yes .
|
||||||
@ -642,5 +607,26 @@ index c0683d4a..2349f477 100644
|
|||||||
+can lead to overwriting previous tickets by subseqent connections to the same
|
+can lead to overwriting previous tickets by subseqent connections to the same
|
||||||
+user account.
|
+user account.
|
||||||
.It Cm KexAlgorithms
|
.It Cm KexAlgorithms
|
||||||
Specifies the available KEX (Key Exchange) algorithms.
|
Specifies the permitted KEX (Key Exchange) algorithms that the server will
|
||||||
Multiple algorithms must be comma-separated.
|
offer to clients.
|
||||||
|
diff -up openssh-8.6p1/ssh-gss.h.ccache_name openssh-8.6p1/ssh-gss.h
|
||||||
|
--- openssh-8.6p1/ssh-gss.h.ccache_name 2021-04-19 14:05:10.852744562 +0200
|
||||||
|
+++ openssh-8.6p1/ssh-gss.h 2021-04-19 14:05:10.855744584 +0200
|
||||||
|
@@ -114,7 +114,7 @@ typedef struct ssh_gssapi_mech_struct {
|
||||||
|
int (*dochild) (ssh_gssapi_client *);
|
||||||
|
int (*userok) (ssh_gssapi_client *, char *);
|
||||||
|
int (*localname) (ssh_gssapi_client *, char **);
|
||||||
|
- void (*storecreds) (ssh_gssapi_client *);
|
||||||
|
+ int (*storecreds) (ssh_gssapi_client *);
|
||||||
|
int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
|
||||||
|
} ssh_gssapi_mech;
|
||||||
|
|
||||||
|
@@ -175,7 +175,7 @@ int ssh_gssapi_userok(char *name, struct
|
||||||
|
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
|
||||||
|
void ssh_gssapi_do_child(char ***, u_int *);
|
||||||
|
void ssh_gssapi_cleanup_creds(void);
|
||||||
|
-void ssh_gssapi_storecreds(void);
|
||||||
|
+int ssh_gssapi_storecreds(void);
|
||||||
|
const char *ssh_gssapi_displayname(void);
|
||||||
|
|
||||||
|
char *ssh_gssapi_server_mechanisms(void);
|
109
openssh-7.7p1-redhat.patch
Normal file
109
openssh-7.7p1-redhat.patch
Normal file
@ -0,0 +1,109 @@
|
|||||||
|
diff -up openssh/ssh_config.redhat openssh/ssh_config
|
||||||
|
--- openssh/ssh_config.redhat 2020-02-11 23:28:35.000000000 +0100
|
||||||
|
+++ openssh/ssh_config 2020-02-13 18:13:39.180641839 +0100
|
||||||
|
@@ -43,3 +43,10 @@
|
||||||
|
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
||||||
|
# RekeyLimit 1G 1h
|
||||||
|
# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
|
||||||
|
+#
|
||||||
|
+# This system is following system-wide crypto policy.
|
||||||
|
+# To modify the crypto properties (Ciphers, MACs, ...), create a *.conf
|
||||||
|
+# file under /etc/ssh/ssh_config.d/ which will be automatically
|
||||||
|
+# included below. For more information, see manual page for
|
||||||
|
+# update-crypto-policies(8) and ssh_config(5).
|
||||||
|
+Include /etc/ssh/ssh_config.d/*.conf
|
||||||
|
diff -up openssh/ssh_config_redhat.redhat openssh/ssh_config_redhat
|
||||||
|
--- openssh/ssh_config_redhat.redhat 2020-02-13 18:13:39.180641839 +0100
|
||||||
|
+++ openssh/ssh_config_redhat 2020-02-13 18:13:39.180641839 +0100
|
||||||
|
@@ -0,0 +1,15 @@
|
||||||
|
+# The options here are in the "Match final block" to be applied as the last
|
||||||
|
+# options and could be potentially overwritten by the user configuration
|
||||||
|
+Match final all
|
||||||
|
+ # Follow system-wide Crypto Policy, if defined:
|
||||||
|
+ Include /etc/crypto-policies/back-ends/openssh.config
|
||||||
|
+
|
||||||
|
+ GSSAPIAuthentication yes
|
||||||
|
+
|
||||||
|
+# If this option is set to yes then remote X11 clients will have full access
|
||||||
|
+# to the original X11 display. As virtually no X11 client supports the untrusted
|
||||||
|
+# mode correctly we set this to yes.
|
||||||
|
+ ForwardX11Trusted yes
|
||||||
|
+
|
||||||
|
+# Uncomment this if you want to use .local domain
|
||||||
|
+# Host *.local
|
||||||
|
diff -up openssh/sshd_config.0.redhat openssh/sshd_config.0
|
||||||
|
--- openssh/sshd_config.0.redhat 2020-02-12 14:30:04.000000000 +0100
|
||||||
|
+++ openssh/sshd_config.0 2020-02-13 18:13:39.181641855 +0100
|
||||||
|
@@ -970,9 +970,9 @@ DESCRIPTION
|
||||||
|
|
||||||
|
SyslogFacility
|
||||||
|
Gives the facility code that is used when logging messages from
|
||||||
|
- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
|
||||||
|
- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
|
||||||
|
- default is AUTH.
|
||||||
|
+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
|
||||||
|
+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||||
|
+ The default is AUTH.
|
||||||
|
|
||||||
|
TCPKeepAlive
|
||||||
|
Specifies whether the system should send TCP keepalive messages
|
||||||
|
diff -up openssh/sshd_config.5.redhat openssh/sshd_config.5
|
||||||
|
--- openssh/sshd_config.5.redhat 2020-02-11 23:28:35.000000000 +0100
|
||||||
|
+++ openssh/sshd_config.5 2020-02-13 18:13:39.181641855 +0100
|
||||||
|
@@ -1614,7 +1614,7 @@ By default no subsystems are defined.
|
||||||
|
.It Cm SyslogFacility
|
||||||
|
Gives the facility code that is used when logging messages from
|
||||||
|
.Xr sshd 8 .
|
||||||
|
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
|
||||||
|
+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
|
||||||
|
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||||
|
The default is AUTH.
|
||||||
|
.It Cm TCPKeepAlive
|
||||||
|
diff -up openssh/sshd_config.redhat openssh/sshd_config
|
||||||
|
--- openssh/sshd_config.redhat 2020-02-11 23:28:35.000000000 +0100
|
||||||
|
+++ openssh/sshd_config 2020-02-13 18:20:16.349913681 +0100
|
||||||
|
@@ -10,6 +10,14 @@
|
||||||
|
# possible, but leave them commented. Uncommented options override the
|
||||||
|
# default value.
|
||||||
|
|
||||||
|
+# To modify the system-wide sshd configuration, create a *.conf file under
|
||||||
|
+# /etc/ssh/sshd_config.d/ which will be automatically included below
|
||||||
|
+Include /etc/ssh/sshd_config.d/*.conf
|
||||||
|
+
|
||||||
|
+# If you want to change the port on a SELinux system, you have to tell
|
||||||
|
+# SELinux about this change.
|
||||||
|
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
|
||||||
|
+#
|
||||||
|
#Port 22
|
||||||
|
#AddressFamily any
|
||||||
|
#ListenAddress 0.0.0.0
|
||||||
|
diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat
|
||||||
|
--- openssh/sshd_config_redhat.redhat 2020-02-13 18:14:02.268006439 +0100
|
||||||
|
+++ openssh/sshd_config_redhat 2020-02-13 18:19:20.765035947 +0100
|
||||||
|
@@ -0,0 +1,15 @@
|
||||||
|
+SyslogFacility AUTHPRIV
|
||||||
|
+
|
||||||
|
+ChallengeResponseAuthentication no
|
||||||
|
+
|
||||||
|
+GSSAPIAuthentication yes
|
||||||
|
+GSSAPICleanupCredentials no
|
||||||
|
+
|
||||||
|
+UsePAM yes
|
||||||
|
+
|
||||||
|
+X11Forwarding yes
|
||||||
|
+
|
||||||
|
+# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
|
||||||
|
+# as it is more configurable and versatile than the built-in version.
|
||||||
|
+PrintMotd no
|
||||||
|
+
|
||||||
|
diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat
|
||||||
|
--- openssh/sshd_config_redhat_cp.redhat 2020-02-13 18:14:02.268006439 +0100
|
||||||
|
+++ openssh/sshd_config_redhat_cp 2020-02-13 18:19:20.765035947 +0100
|
||||||
|
@@ -0,0 +1,7 @@
|
||||||
|
+# This system is following system-wide crypto policy. The changes to
|
||||||
|
+# crypto properties (Ciphers, MACs, ...) will not have any effect in
|
||||||
|
+# this or following included files. To override some configuration option,
|
||||||
|
+# write it before this block or include it before this file.
|
||||||
|
+# Please, see manual pages for update-crypto-policies(8) and sshd_config(5).
|
||||||
|
+Include /etc/crypto-policies/back-ends/opensshserver.config
|
||||||
|
+
|
26
openssh-7.8p1-UsePAM-warning.patch
Normal file
26
openssh-7.8p1-UsePAM-warning.patch
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
diff -up openssh-8.6p1/sshd.c.log-usepam-no openssh-8.6p1/sshd.c
|
||||||
|
--- openssh-8.6p1/sshd-session.c.log-usepam-no 2021-04-19 14:00:45.099735129 +0200
|
||||||
|
+++ openssh-8.6p1/sshd-session.c 2021-04-19 14:03:21.140920974 +0200
|
||||||
|
@@ -1749,6 +1749,10 @@ main(int ac, char **av)
|
||||||
|
"enabled authentication methods");
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* 'UsePAM no' is not supported in our builds */
|
||||||
|
+ if (! options.use_pam)
|
||||||
|
+ logit("WARNING: 'UsePAM no' is not supported in this build and may cause several problems.");
|
||||||
|
+
|
||||||
|
#ifdef WITH_OPENSSL
|
||||||
|
if (options.moduli_file != NULL)
|
||||||
|
dh_set_moduli_file(options.moduli_file);
|
||||||
|
diff -up openssh-8.6p1/sshd_config.log-usepam-no openssh-8.6p1/sshd_config
|
||||||
|
--- openssh-8.6p1/sshd_config.log-usepam-no 2021-04-19 14:00:45.098735121 +0200
|
||||||
|
+++ openssh-8.6p1/sshd_config 2021-04-19 14:00:45.099735129 +0200
|
||||||
|
@@ -87,6 +87,8 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||||
|
# If you just want the PAM account and session checks to run without
|
||||||
|
# PAM authentication, then enable this but set PasswordAuthentication
|
||||||
|
# and KbdInteractiveAuthentication to 'no'.
|
||||||
|
+# WARNING: 'UsePAM no' is not supported in this build and may cause several
|
||||||
|
+# problems.
|
||||||
|
#UsePAM no
|
||||||
|
|
||||||
|
#AllowAgentForwarding yes
|
@ -23,23 +23,20 @@ diff -up openssh/auth2.c.role-mls openssh/auth2.c
|
|||||||
if ((style = strchr(user, ':')) != NULL)
|
if ((style = strchr(user, ':')) != NULL)
|
||||||
*style++ = 0;
|
*style++ = 0;
|
||||||
|
|
||||||
@@ -296,8 +304,15 @@ input_userauth_request(int type, u_int32
|
@@ -314,7 +314,13 @@ input_userauth_request(int type, u_int32
|
||||||
use_privsep ? " [net]" : "");
|
setproctitle("%s [net]", authctxt->valid ? user : "unknown");
|
||||||
authctxt->service = xstrdup(service);
|
authctxt->service = xstrdup(service);
|
||||||
authctxt->style = style ? xstrdup(style) : NULL;
|
authctxt->style = style ? xstrdup(style) : NULL;
|
||||||
- if (use_privsep)
|
|
||||||
+#ifdef WITH_SELINUX
|
+#ifdef WITH_SELINUX
|
||||||
+ authctxt->role = role ? xstrdup(role) : NULL;
|
+ authctxt->role = role ? xstrdup(role) : NULL;
|
||||||
+#endif
|
+#endif
|
||||||
+ if (use_privsep) {
|
mm_inform_authserv(service, style);
|
||||||
mm_inform_authserv(service, style);
|
|
||||||
+#ifdef WITH_SELINUX
|
+#ifdef WITH_SELINUX
|
||||||
+ mm_inform_authrole(role);
|
+ mm_inform_authrole(role);
|
||||||
+#endif
|
+#endif
|
||||||
+ }
|
|
||||||
userauth_banner(ssh);
|
userauth_banner(ssh);
|
||||||
if (auth2_setup_methods_lists(authctxt) != 0)
|
if ((r = kex_server_update_ext_info(ssh)) != 0)
|
||||||
ssh_packet_disconnect(ssh,
|
fatal_fr(r, "kex_server_update_ext_info failed");
|
||||||
diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
|
diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
|
||||||
--- openssh/auth2-gss.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
--- openssh/auth2-gss.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||||
+++ openssh/auth2-gss.c 2018-08-22 11:15:42.459799171 +0200
|
+++ openssh/auth2-gss.c 2018-08-22 11:15:42.459799171 +0200
|
||||||
@ -50,9 +47,9 @@ diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
|
|||||||
+ char *micuser;
|
+ char *micuser;
|
||||||
struct sshbuf *b;
|
struct sshbuf *b;
|
||||||
gss_buffer_desc mic, gssbuf;
|
gss_buffer_desc mic, gssbuf;
|
||||||
const char *displayname;
|
u_char *p;
|
||||||
@@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
@@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||||
fatal("%s: sshbuf_new failed", __func__);
|
fatal_f("sshbuf_new failed");
|
||||||
mic.value = p;
|
mic.value = p;
|
||||||
mic.length = len;
|
mic.length = len;
|
||||||
- ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
|
- ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
|
||||||
@ -63,7 +60,7 @@ diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
|
|||||||
+#endif
|
+#endif
|
||||||
+ micuser = authctxt->user;
|
+ micuser = authctxt->user;
|
||||||
+ ssh_gssapi_buildmic(b, micuser, authctxt->service,
|
+ ssh_gssapi_buildmic(b, micuser, authctxt->service,
|
||||||
"gssapi-with-mic");
|
"gssapi-with-mic", ssh->kex->session_id);
|
||||||
|
|
||||||
if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
|
if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
|
||||||
@@ -311,6 +318,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
@@ -311,6 +318,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||||
@ -74,13 +71,13 @@ diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
|
|||||||
+ free(micuser);
|
+ free(micuser);
|
||||||
free(mic.value);
|
free(mic.value);
|
||||||
|
|
||||||
if ((!use_privsep || mm_is_monitor()) &&
|
authctxt->postponed = 0;
|
||||||
diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
|
diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
|
||||||
--- openssh/auth2-hostbased.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
--- openssh/auth2-hostbased.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||||
+++ openssh/auth2-hostbased.c 2018-08-22 11:14:56.816430924 +0200
|
+++ openssh/auth2-hostbased.c 2018-08-22 11:14:56.816430924 +0200
|
||||||
@@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh)
|
@@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh)
|
||||||
/* reconstruct packet */
|
/* reconstruct packet */
|
||||||
if ((r = sshbuf_put_string(b, session_id2, session_id2_len)) != 0 ||
|
if ((r = sshbuf_put_stringb(b, ssh->kex->session_id)) != 0 ||
|
||||||
(r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
|
(r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
|
||||||
+#ifdef WITH_SELINUX
|
+#ifdef WITH_SELINUX
|
||||||
+ (authctxt->role
|
+ (authctxt->role
|
||||||
@ -93,7 +90,7 @@ diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
|
|||||||
(r = sshbuf_put_cstring(b, authctxt->user)) != 0 ||
|
(r = sshbuf_put_cstring(b, authctxt->user)) != 0 ||
|
||||||
+#endif
|
+#endif
|
||||||
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
|
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
|
||||||
(r = sshbuf_put_cstring(b, "hostbased")) != 0 ||
|
(r = sshbuf_put_cstring(b, method)) != 0 ||
|
||||||
(r = sshbuf_put_string(b, pkalg, alen)) != 0 ||
|
(r = sshbuf_put_string(b, pkalg, alen)) != 0 ||
|
||||||
diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c
|
diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c
|
||||||
--- openssh/auth2-pubkey.c.role-mls 2018-08-22 11:14:56.816430924 +0200
|
--- openssh/auth2-pubkey.c.role-mls 2018-08-22 11:14:56.816430924 +0200
|
||||||
@ -141,33 +138,19 @@ diff -up openssh/auth-pam.c.role-mls openssh/auth-pam.c
|
|||||||
+do_pam_putenv(char *name, const char *value)
|
+do_pam_putenv(char *name, const char *value)
|
||||||
{
|
{
|
||||||
int ret = 1;
|
int ret = 1;
|
||||||
#ifdef HAVE_PAM_PUTENV
|
char *compound;
|
||||||
diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h
|
diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h
|
||||||
--- openssh/auth-pam.h.role-mls 2018-08-20 07:57:29.000000000 +0200
|
--- openssh/auth-pam.h.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||||
+++ openssh/auth-pam.h 2018-08-22 11:14:56.817430932 +0200
|
+++ openssh/auth-pam.h 2018-08-22 11:14:56.817430932 +0200
|
||||||
@@ -33,7 +33,7 @@ u_int do_pam_account(void);
|
@@ -33,7 +33,7 @@ u_int do_pam_account(void);
|
||||||
void do_pam_session(struct ssh *);
|
void do_pam_session(struct ssh *);
|
||||||
void do_pam_setcred(int );
|
void do_pam_setcred(void);
|
||||||
void do_pam_chauthtok(void);
|
void do_pam_chauthtok(void);
|
||||||
-int do_pam_putenv(char *, char *);
|
-int do_pam_putenv(char *, char *);
|
||||||
+int do_pam_putenv(char *, const char *);
|
+int do_pam_putenv(char *, const char *);
|
||||||
char ** fetch_pam_environment(void);
|
char ** fetch_pam_environment(void);
|
||||||
char ** fetch_pam_child_environment(void);
|
char ** fetch_pam_child_environment(void);
|
||||||
void free_pam_environment(char **);
|
void free_pam_environment(char **);
|
||||||
diff -up openssh/configure.ac.role-mls openssh/configure.ac
|
|
||||||
--- openssh/configure.ac.role-mls 2018-08-20 07:57:29.000000000 +0200
|
|
||||||
+++ openssh/configure.ac 2018-08-22 11:14:56.820430957 +0200
|
|
||||||
@@ -4241,10 +4241,7 @@ AC_ARG_WITH([selinux],
|
|
||||||
LIBS="$LIBS -lselinux"
|
|
||||||
],
|
|
||||||
AC_MSG_ERROR([SELinux support requires libselinux library]))
|
|
||||||
- SSHLIBS="$SSHLIBS $LIBSELINUX"
|
|
||||||
- SSHDLIBS="$SSHDLIBS $LIBSELINUX"
|
|
||||||
AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
|
|
||||||
- LIBS="$save_LIBS"
|
|
||||||
fi ]
|
|
||||||
)
|
|
||||||
AC_SUBST([SSHLIBS])
|
|
||||||
diff -up openssh/misc.c.role-mls openssh/misc.c
|
diff -up openssh/misc.c.role-mls openssh/misc.c
|
||||||
--- openssh/misc.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
--- openssh/misc.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||||
+++ openssh/misc.c 2018-08-22 11:14:56.817430932 +0200
|
+++ openssh/misc.c 2018-08-22 11:14:56.817430932 +0200
|
||||||
@ -193,10 +176,10 @@ diff -up openssh/misc.c.role-mls openssh/misc.c
|
|||||||
}
|
}
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c
|
||||||
--- openssh/monitor.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
--- openssh-8.6p1/monitor.c.role-mls 2021-04-16 05:55:25.000000000 +0200
|
||||||
+++ openssh/monitor.c 2018-08-22 11:19:56.006844867 +0200
|
+++ openssh-8.6p1/monitor.c 2021-05-21 14:21:56.719414087 +0200
|
||||||
@@ -115,6 +115,9 @@ int mm_answer_sign(int, struct sshbuf *)
|
@@ -117,6 +117,9 @@ int mm_answer_sign(struct ssh *, int, st
|
||||||
int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
|
int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
|
||||||
int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
|
int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
|
||||||
int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
|
int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
|
||||||
@ -206,7 +189,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
|||||||
int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
|
int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
|
||||||
int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
|
int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
|
||||||
int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
|
int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
|
||||||
@@ -189,6 +192,9 @@ struct mon_table mon_dispatch_proto20[]
|
@@ -195,6 +198,9 @@ struct mon_table mon_dispatch_proto20[]
|
||||||
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
|
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
|
||||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
||||||
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
|
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
|
||||||
@ -216,7 +199,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
|||||||
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
|
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
|
||||||
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
|
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
|
||||||
#ifdef USE_PAM
|
#ifdef USE_PAM
|
||||||
@@ -796,6 +802,9 @@ mm_answer_pwnamallow(int sock, struct ss
|
@@ -803,6 +809,9 @@ mm_answer_pwnamallow(struct ssh *ssh, in
|
||||||
|
|
||||||
/* Allow service/style information on the auth context */
|
/* Allow service/style information on the auth context */
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
|
||||||
@ -226,7 +209,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
|||||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
|
||||||
|
|
||||||
#ifdef USE_PAM
|
#ifdef USE_PAM
|
||||||
@@ -842,6 +851,26 @@ mm_answer_authserv(int sock, struct sshb
|
@@ -877,6 +886,26 @@ key_base_type_match(const char *method,
|
||||||
return found;
|
return found;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -238,8 +221,8 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
|||||||
+ monitor_permit_authentications(1);
|
+ monitor_permit_authentications(1);
|
||||||
+
|
+
|
||||||
+ if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
|
+ if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_f("buffer error: %s", ssh_err(r));
|
||||||
+ debug3("%s: role=%s", __func__, authctxt->role);
|
+ debug3_f("role=%s", authctxt->role);
|
||||||
+
|
+
|
||||||
+ if (strlen(authctxt->role) == 0) {
|
+ if (strlen(authctxt->role) == 0) {
|
||||||
+ free(authctxt->role);
|
+ free(authctxt->role);
|
||||||
@ -253,25 +236,25 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
|||||||
int
|
int
|
||||||
mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m)
|
mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
{
|
{
|
||||||
@@ -1218,7 +1247,7 @@ monitor_valid_userblob(u_char *data, u_i
|
@@ -1251,7 +1280,7 @@ monitor_valid_userblob(struct ssh *ssh,
|
||||||
{
|
|
||||||
struct sshbuf *b;
|
struct sshbuf *b;
|
||||||
|
struct sshkey *hostkey = NULL;
|
||||||
const u_char *p;
|
const u_char *p;
|
||||||
- char *userstyle, *cp;
|
- char *userstyle, *cp;
|
||||||
+ char *userstyle, *s, *cp;
|
+ char *userstyle, *s, *cp;
|
||||||
size_t len;
|
size_t len;
|
||||||
u_char type;
|
u_char type;
|
||||||
int r, fail = 0;
|
int hostbound = 0, r, fail = 0;
|
||||||
@@ -1251,6 +1280,8 @@ monitor_valid_userblob(u_char *data, u_i
|
@@ -1282,6 +1311,8 @@ monitor_valid_userblob(struct ssh *ssh,
|
||||||
fail++;
|
fail++;
|
||||||
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
fatal_fr(r, "parse userstyle");
|
||||||
+ if ((s = strchr(cp, '/')) != NULL)
|
+ if ((s = strchr(cp, '/')) != NULL)
|
||||||
+ *s = '\0';
|
+ *s = '\0';
|
||||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||||
authctxt->style ? ":" : "",
|
authctxt->style ? ":" : "",
|
||||||
authctxt->style ? authctxt->style : "");
|
authctxt->style ? authctxt->style : "");
|
||||||
@@ -1286,7 +1317,7 @@ monitor_valid_hostbasedblob(u_char *data
|
@@ -1317,7 +1348,7 @@ monitor_valid_hostbasedblob(const u_char
|
||||||
{
|
{
|
||||||
struct sshbuf *b;
|
struct sshbuf *b;
|
||||||
const u_char *p;
|
const u_char *p;
|
||||||
@ -280,10 +263,10 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
|||||||
size_t len;
|
size_t len;
|
||||||
int r, fail = 0;
|
int r, fail = 0;
|
||||||
u_char type;
|
u_char type;
|
||||||
@@ -1308,6 +1339,8 @@ monitor_valid_hostbasedblob(u_char *data
|
@@ -1338,6 +1370,8 @@ monitor_valid_hostbasedblob(const u_char
|
||||||
fail++;
|
fail++;
|
||||||
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
fatal_fr(r, "parse userstyle");
|
||||||
+ if ((s = strchr(cp, '/')) != NULL)
|
+ if ((s = strchr(cp, '/')) != NULL)
|
||||||
+ *s = '\0';
|
+ *s = '\0';
|
||||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||||
@ -319,12 +302,12 @@ diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c
|
|||||||
+ int r;
|
+ int r;
|
||||||
+ struct sshbuf *m;
|
+ struct sshbuf *m;
|
||||||
+
|
+
|
||||||
+ debug3("%s entering", __func__);
|
+ debug3_f("entering");
|
||||||
+
|
+
|
||||||
+ if ((m = sshbuf_new()) == NULL)
|
+ if ((m = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+ if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0)
|
+ if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_f("buffer error: %s", ssh_err(r));
|
||||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m);
|
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m);
|
||||||
+
|
+
|
||||||
+ sshbuf_free(m);
|
+ sshbuf_free(m);
|
||||||
@ -338,8 +321,8 @@ diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h
|
|||||||
--- openssh/monitor_wrap.h.role-mls 2018-08-22 11:14:56.818430941 +0200
|
--- openssh/monitor_wrap.h.role-mls 2018-08-22 11:14:56.818430941 +0200
|
||||||
+++ openssh/monitor_wrap.h 2018-08-22 11:22:10.439929513 +0200
|
+++ openssh/monitor_wrap.h 2018-08-22 11:22:10.439929513 +0200
|
||||||
@@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int);
|
@@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int);
|
||||||
int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *,
|
const u_char *, size_t, const char *, const char *,
|
||||||
const u_char *, size_t, const char *, u_int compat);
|
const char *, u_int compat);
|
||||||
void mm_inform_authserv(char *, char *);
|
void mm_inform_authserv(char *, char *);
|
||||||
+#ifdef WITH_SELINUX
|
+#ifdef WITH_SELINUX
|
||||||
+void mm_inform_authrole(char *);
|
+void mm_inform_authrole(char *);
|
||||||
@ -351,7 +334,7 @@ diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Make
|
|||||||
--- openssh/openbsd-compat/Makefile.in.role-mls 2018-08-20 07:57:29.000000000 +0200
|
--- openssh/openbsd-compat/Makefile.in.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||||
+++ openssh/openbsd-compat/Makefile.in 2018-08-22 11:14:56.819430949 +0200
|
+++ openssh/openbsd-compat/Makefile.in 2018-08-22 11:14:56.819430949 +0200
|
||||||
@@ -92,7 +92,8 @@ PORTS= port-aix.o \
|
@@ -92,7 +92,8 @@ PORTS= port-aix.o \
|
||||||
port-linux.o \
|
port-prngd.o \
|
||||||
port-solaris.o \
|
port-solaris.o \
|
||||||
port-net.o \
|
port-net.o \
|
||||||
- port-uw.o
|
- port-uw.o
|
||||||
@ -359,7 +342,7 @@ diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Make
|
|||||||
+ port-linux-sshd.o
|
+ port-linux-sshd.o
|
||||||
|
|
||||||
.c.o:
|
.c.o:
|
||||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
$(CC) $(CFLAGS_NOPIE) $(PICFLAG) $(CPPFLAGS) -c $<
|
||||||
diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/port-linux.c
|
diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/port-linux.c
|
||||||
--- openssh/openbsd-compat/port-linux.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
--- openssh/openbsd-compat/port-linux.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||||
+++ openssh/openbsd-compat/port-linux.c 2018-08-22 11:14:56.819430949 +0200
|
+++ openssh/openbsd-compat/port-linux.c 2018-08-22 11:14:56.819430949 +0200
|
||||||
@ -371,7 +354,7 @@ diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/por
|
|||||||
-void
|
-void
|
||||||
-ssh_selinux_setup_exec_context(char *pwname)
|
-ssh_selinux_setup_exec_context(char *pwname)
|
||||||
-{
|
-{
|
||||||
- security_context_t user_ctx = NULL;
|
- char *user_ctx = NULL;
|
||||||
-
|
-
|
||||||
- if (!ssh_selinux_enabled())
|
- if (!ssh_selinux_enabled())
|
||||||
- return;
|
- return;
|
||||||
@ -407,7 +390,7 @@ diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/por
|
|||||||
|
|
||||||
- user_ctx = ssh_selinux_getctxbyname(pwname);
|
- user_ctx = ssh_selinux_getctxbyname(pwname);
|
||||||
+ if (getexeccon(&user_ctx) != 0) {
|
+ if (getexeccon(&user_ctx) != 0) {
|
||||||
+ error("%s: getexeccon: %s", __func__, strerror(errno));
|
+ error_f("getexeccon: %s", strerror(errno));
|
||||||
+ goto out;
|
+ goto out;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -432,7 +415,7 @@ diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/por
|
|||||||
diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c
|
diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c
|
||||||
--- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 11:14:56.819430949 +0200
|
--- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 11:14:56.819430949 +0200
|
||||||
+++ openssh/openbsd-compat/port-linux-sshd.c 2018-08-22 11:14:56.819430949 +0200
|
+++ openssh/openbsd-compat/port-linux-sshd.c 2018-08-22 11:14:56.819430949 +0200
|
||||||
@@ -0,0 +1,425 @@
|
@@ -0,0 +1,420 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
|
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
|
||||||
+ * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
|
+ * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
|
||||||
@ -486,7 +469,6 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
|||||||
+extern ServerOptions options;
|
+extern ServerOptions options;
|
||||||
+extern Authctxt *the_authctxt;
|
+extern Authctxt *the_authctxt;
|
||||||
+extern int inetd_flag;
|
+extern int inetd_flag;
|
||||||
+extern int rexeced_flag;
|
|
||||||
+
|
+
|
||||||
+/* Send audit message */
|
+/* Send audit message */
|
||||||
+static int
|
+static int
|
||||||
@ -544,7 +526,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
|||||||
+ access_vector_t bit;
|
+ access_vector_t bit;
|
||||||
+ security_class_t class;
|
+ security_class_t class;
|
||||||
+
|
+
|
||||||
+ debug("%s: src:%s dst:%s", __func__, src, dst);
|
+ debug_f("src:%s dst:%s", src, dst);
|
||||||
+ class = string_to_security_class("context");
|
+ class = string_to_security_class("context");
|
||||||
+ if (!class) {
|
+ if (!class) {
|
||||||
+ error("string_to_security_class failed to translate security class context");
|
+ error("string_to_security_class failed to translate security class context");
|
||||||
@ -692,7 +674,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
|||||||
+
|
+
|
||||||
+ if (r == 0) {
|
+ if (r == 0) {
|
||||||
+ /* If launched from xinetd, we must use current level */
|
+ /* If launched from xinetd, we must use current level */
|
||||||
+ if (inetd_flag && !rexeced_flag) {
|
+ if (inetd_flag) {
|
||||||
+ security_context_t sshdsc=NULL;
|
+ security_context_t sshdsc=NULL;
|
||||||
+
|
+
|
||||||
+ if (getcon_raw(&sshdsc) < 0)
|
+ if (getcon_raw(&sshdsc) < 0)
|
||||||
@ -706,7 +688,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
|||||||
+ /* we actually don't change level */
|
+ /* we actually don't change level */
|
||||||
+ reqlvl = "";
|
+ reqlvl = "";
|
||||||
+
|
+
|
||||||
+ debug("%s: current connection level '%s'", __func__, reqlvl);
|
+ debug_f("current connection level '%s'", reqlvl);
|
||||||
+
|
+
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -734,8 +716,8 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
|||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+ if (r != 0) {
|
+ if (r != 0) {
|
||||||
+ error("%s: Failed to get default SELinux security "
|
+ error_f("Failed to get default SELinux security "
|
||||||
+ "context for %s", __func__, pwname);
|
+ "context for %s", pwname);
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+#ifdef HAVE_GETSEUSERBYNAME
|
+#ifdef HAVE_GETSEUSERBYNAME
|
||||||
@ -760,13 +742,13 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
|||||||
+ char *use_current;
|
+ char *use_current;
|
||||||
+ int rv;
|
+ int rv;
|
||||||
+
|
+
|
||||||
+ debug3("%s: setting execution context", __func__);
|
+ debug3_f("setting execution context");
|
||||||
+
|
+
|
||||||
+ ssh_selinux_get_role_level(&role, &reqlvl);
|
+ ssh_selinux_get_role_level(&role, &reqlvl);
|
||||||
+
|
+
|
||||||
+ rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
|
+ rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
|
||||||
+
|
+
|
||||||
+ if (inetd_flag && !rexeced_flag) {
|
+ if (inetd_flag) {
|
||||||
+ use_current = "1";
|
+ use_current = "1";
|
||||||
+ } else {
|
+ } else {
|
||||||
+ use_current = "";
|
+ use_current = "";
|
||||||
@ -797,32 +779,30 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
|||||||
+ if (sshd_selinux_setup_pam_variables()) {
|
+ if (sshd_selinux_setup_pam_variables()) {
|
||||||
+ switch (security_getenforce()) {
|
+ switch (security_getenforce()) {
|
||||||
+ case -1:
|
+ case -1:
|
||||||
+ fatal("%s: security_getenforce() failed", __func__);
|
+ fatal_f("security_getenforce() failed");
|
||||||
+ case 0:
|
+ case 0:
|
||||||
+ error("%s: SELinux PAM variable setup failure. Continuing in permissive mode.",
|
+ error_f("SELinux PAM variable setup failure. Continuing in permissive mode.");
|
||||||
+ __func__);
|
|
||||||
+ break;
|
+ break;
|
||||||
+ default:
|
+ default:
|
||||||
+ fatal("%s: SELinux PAM variable setup failure. Aborting connection.",
|
+ fatal_f("SELinux PAM variable setup failure. Aborting connection.");
|
||||||
+ __func__);
|
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ debug3("%s: setting execution context", __func__);
|
+ debug3_f("setting execution context");
|
||||||
+
|
+
|
||||||
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
|
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
|
||||||
+ if (r >= 0) {
|
+ if (r >= 0) {
|
||||||
+ r = setexeccon(user_ctx);
|
+ r = setexeccon(user_ctx);
|
||||||
+ if (r < 0) {
|
+ if (r < 0) {
|
||||||
+ error("%s: Failed to set SELinux execution context %s for %s",
|
+ error_f("Failed to set SELinux execution context %s for %s",
|
||||||
+ __func__, user_ctx, pwname);
|
+ user_ctx, pwname);
|
||||||
+ }
|
+ }
|
||||||
+#ifdef HAVE_SETKEYCREATECON
|
+#ifdef HAVE_SETKEYCREATECON
|
||||||
+ else if (setkeycreatecon(user_ctx) < 0) {
|
+ else if (setkeycreatecon(user_ctx) < 0) {
|
||||||
+ error("%s: Failed to set SELinux keyring creation context %s for %s",
|
+ error_f("Failed to set SELinux keyring creation context %s for %s",
|
||||||
+ __func__, user_ctx, pwname);
|
+ user_ctx, pwname);
|
||||||
+ }
|
+ }
|
||||||
+#endif
|
+#endif
|
||||||
+ }
|
+ }
|
||||||
@ -837,14 +817,12 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
|||||||
+ if (r < 0) {
|
+ if (r < 0) {
|
||||||
+ switch (security_getenforce()) {
|
+ switch (security_getenforce()) {
|
||||||
+ case -1:
|
+ case -1:
|
||||||
+ fatal("%s: security_getenforce() failed", __func__);
|
+ fatal_f("security_getenforce() failed");
|
||||||
+ case 0:
|
+ case 0:
|
||||||
+ error("%s: SELinux failure. Continuing in permissive mode.",
|
+ error_f("ELinux failure. Continuing in permissive mode.");
|
||||||
+ __func__);
|
|
||||||
+ break;
|
+ break;
|
||||||
+ default:
|
+ default:
|
||||||
+ fatal("%s: SELinux failure. Aborting connection.",
|
+ fatal_f("SELinux failure. Aborting connection.");
|
||||||
+ __func__);
|
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+ if (user_ctx != NULL && user_ctx != default_ctx)
|
+ if (user_ctx != NULL && user_ctx != default_ctx)
|
||||||
@ -852,7 +830,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
|||||||
+ if (default_ctx != NULL)
|
+ if (default_ctx != NULL)
|
||||||
+ freecon(default_ctx);
|
+ freecon(default_ctx);
|
||||||
+
|
+
|
||||||
+ debug3("%s: done", __func__);
|
+ debug3_f("done");
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+#endif
|
+#endif
|
||||||
@ -871,8 +849,8 @@ diff -up openssh/platform.c.role-mls openssh/platform.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
diff -up openssh/sshd.c.role-mls openssh/sshd.c
|
diff -up openssh/sshd.c.role-mls openssh/sshd.c
|
||||||
--- openssh/sshd.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
--- openssh/sshd-session.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||||
+++ openssh/sshd.c 2018-08-22 11:14:56.820430957 +0200
|
+++ openssh/sshd-session.c 2018-08-22 11:14:56.820430957 +0200
|
||||||
@@ -2186,6 +2186,9 @@ main(int ac, char **av)
|
@@ -2186,6 +2186,9 @@ main(int ac, char **av)
|
||||||
restore_uid();
|
restore_uid();
|
||||||
}
|
}
|
||||||
@ -882,4 +860,4 @@ diff -up openssh/sshd.c.role-mls openssh/sshd.c
|
|||||||
+#endif
|
+#endif
|
||||||
#ifdef USE_PAM
|
#ifdef USE_PAM
|
||||||
if (options.use_pam) {
|
if (options.use_pam) {
|
||||||
do_pam_setcred(1);
|
do_pam_setcred();
|
642
openssh-8.0p1-crypto-policies.patch
Normal file
642
openssh-8.0p1-crypto-policies.patch
Normal file
@ -0,0 +1,642 @@
|
|||||||
|
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/ssh_config.5 openssh-9.3p1-patched/ssh_config.5
|
||||||
|
--- openssh-9.3p1/ssh_config.5 2023-06-07 10:26:48.284590156 +0200
|
||||||
|
+++ openssh-9.3p1-patched/ssh_config.5 2023-06-07 10:26:00.623052194 +0200
|
||||||
|
@@ -378,17 +378,13 @@
|
||||||
|
causes no CNAMEs to be considered for canonicalization.
|
||||||
|
This is the default behaviour.
|
||||||
|
.It Cm CASignatureAlgorithms
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies which algorithms are allowed for signing of certificates
|
||||||
|
by certificate authorities (CAs).
|
||||||
|
-The default is:
|
||||||
|
-.Bd -literal -offset indent
|
||||||
|
-ssh-ed25519,ecdsa-sha2-nistp256,
|
||||||
|
-ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
|
-sk-ssh-ed25519@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||||
|
-rsa-sha2-512,rsa-sha2-256
|
||||||
|
-.Ed
|
||||||
|
-.Pp
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
character, then the specified algorithms will be appended to the default set
|
||||||
|
@@ -450,20 +446,25 @@
|
||||||
|
(the default),
|
||||||
|
the check will not be executed.
|
||||||
|
.It Cm Ciphers
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies the ciphers allowed and their order of preference.
|
||||||
|
Multiple ciphers must be comma-separated.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
-character, then the specified ciphers will be appended to the default set
|
||||||
|
-instead of replacing them.
|
||||||
|
+character, then the specified ciphers will be appended to the built-in
|
||||||
|
+openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified ciphers (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq ^
|
||||||
|
character, then the specified ciphers will be placed at the head of the
|
||||||
|
-default set.
|
||||||
|
+built-in openssh default set.
|
||||||
|
.Pp
|
||||||
|
The supported ciphers are:
|
||||||
|
.Bd -literal -offset indent
|
||||||
|
@@ -479,13 +480,6 @@
|
||||||
|
chacha20-poly1305@openssh.com
|
||||||
|
.Ed
|
||||||
|
.Pp
|
||||||
|
-The default is:
|
||||||
|
-.Bd -literal -offset indent
|
||||||
|
-chacha20-poly1305@openssh.com,
|
||||||
|
-aes128-ctr,aes192-ctr,aes256-ctr,
|
||||||
|
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
|
||||||
|
-.Ed
|
||||||
|
-.Pp
|
||||||
|
The list of available ciphers may also be obtained using
|
||||||
|
.Qq ssh -Q cipher .
|
||||||
|
.It Cm ClearAllForwardings
|
||||||
|
@@ -885,6 +879,11 @@
|
||||||
|
The default is
|
||||||
|
.Dq no .
|
||||||
|
.It Cm GSSAPIKexAlgorithms
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
The list of key exchange algorithms that are offered for GSSAPI
|
||||||
|
key exchange. Possible values are
|
||||||
|
.Bd -literal -offset 3n
|
||||||
|
@@ -897,10 +896,8 @@
|
||||||
|
gss-curve25519-sha256-
|
||||||
|
.Ed
|
||||||
|
.Pp
|
||||||
|
-The default is
|
||||||
|
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||||
|
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||||
|
This option only applies to connections using GSSAPI.
|
||||||
|
+.Pp
|
||||||
|
.It Cm HashKnownHosts
|
||||||
|
Indicates that
|
||||||
|
.Xr ssh 1
|
||||||
|
@@ -919,36 +916,25 @@
|
||||||
|
but may be manually hashed using
|
||||||
|
.Xr ssh-keygen 1 .
|
||||||
|
.It Cm HostbasedAcceptedAlgorithms
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies the signature algorithms that will be used for hostbased
|
||||||
|
authentication as a comma-separated list of patterns.
|
||||||
|
Alternately if the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
character, then the specified signature algorithms will be appended
|
||||||
|
-to the default set instead of replacing them.
|
||||||
|
+to the built-in openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified signature algorithms (including wildcards)
|
||||||
|
-will be removed from the default set instead of replacing them.
|
||||||
|
+will be removed from the built-in openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq ^
|
||||||
|
character, then the specified signature algorithms will be placed
|
||||||
|
-at the head of the default set.
|
||||||
|
-The default for this option is:
|
||||||
|
-.Bd -literal -offset 3n
|
||||||
|
-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
|
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||||
|
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||||
|
-sk-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
|
-rsa-sha2-512-cert-v01@openssh.com,
|
||||||
|
-rsa-sha2-256-cert-v01@openssh.com,
|
||||||
|
-ssh-ed25519,
|
||||||
|
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
|
-sk-ssh-ed25519@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||||
|
-rsa-sha2-512,rsa-sha2-256
|
||||||
|
-.Ed
|
||||||
|
+at the head of the built-in openssh default set.
|
||||||
|
.Pp
|
||||||
|
The
|
||||||
|
.Fl Q
|
||||||
|
@@ -1001,6 +987,17 @@
|
||||||
|
.Pp
|
||||||
|
The list of available signature algorithms may also be obtained using
|
||||||
|
.Qq ssh -Q HostKeyAlgorithms .
|
||||||
|
+.Pp
|
||||||
|
+The proposed
|
||||||
|
+.Cm HostKeyAlgorithms
|
||||||
|
+during KEX are limited to the set of algorithms that is defined in
|
||||||
|
+.Cm PubkeyAcceptedAlgorithms
|
||||||
|
+and therefore they are indirectly affected by system-wide
|
||||||
|
+.Xr crypto_policies 7 .
|
||||||
|
+.Xr crypto_policies 7 can not handle the list of host key algorithms directly as doing so
|
||||||
|
+would break the order given by the
|
||||||
|
+.Pa known_hosts
|
||||||
|
+file.
|
||||||
|
.It Cm HostKeyAlias
|
||||||
|
Specifies an alias that should be used instead of the
|
||||||
|
real host name when looking up or saving the host key
|
||||||
|
@@ -1330,6 +1330,11 @@ it may be zero or more of:
|
||||||
|
and
|
||||||
|
.Cm pam .
|
||||||
|
.It Cm KexAlgorithms
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies the permitted KEX (Key Exchange) algorithms that will be used and
|
||||||
|
their preference order.
|
||||||
|
The selected algorithm will be the first algorithm in this list that
|
||||||
|
@@ -1338,29 +1343,17 @@ Multiple algorithms must be comma-separa
|
||||||
|
.Pp
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
-character, then the specified algorithms will be appended to the default set
|
||||||
|
-instead of replacing them.
|
||||||
|
+character, then the specified methods will be appended to the built-in
|
||||||
|
+openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified algorithms (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq ^
|
||||||
|
character, then the specified algorithms will be placed at the head of the
|
||||||
|
-default set.
|
||||||
|
-.Pp
|
||||||
|
-The default is:
|
||||||
|
-.Bd -literal -offset indent
|
||||||
|
-sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,
|
||||||
|
-mlkem768x25519-sha256,
|
||||||
|
-curve25519-sha256,curve25519-sha256@libssh.org,
|
||||||
|
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||||
|
-diffie-hellman-group-exchange-sha256,
|
||||||
|
-diffie-hellman-group16-sha512,
|
||||||
|
-diffie-hellman-group18-sha512,
|
||||||
|
-diffie-hellman-group14-sha256
|
||||||
|
-.Ed
|
||||||
|
.Pp
|
||||||
|
+built-in openssh default set.
|
||||||
|
The list of supported key exchange algorithms may also be obtained using
|
||||||
|
.Qq ssh -Q kex .
|
||||||
|
.It Cm KnownHostsCommand
|
||||||
|
@@ -1365,37 +1357,33 @@
|
||||||
|
file.
|
||||||
|
This option is intended for debugging and no overrides are enabled by default.
|
||||||
|
.It Cm MACs
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies the MAC (message authentication code) algorithms
|
||||||
|
in order of preference.
|
||||||
|
The MAC algorithm is used for data integrity protection.
|
||||||
|
Multiple algorithms must be comma-separated.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
-character, then the specified algorithms will be appended to the default set
|
||||||
|
-instead of replacing them.
|
||||||
|
+character, then the specified algorithms will be appended to the built-in
|
||||||
|
+openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified algorithms (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq ^
|
||||||
|
character, then the specified algorithms will be placed at the head of the
|
||||||
|
-default set.
|
||||||
|
+built-in openssh default set.
|
||||||
|
.Pp
|
||||||
|
The algorithms that contain
|
||||||
|
.Qq -etm
|
||||||
|
calculate the MAC after encryption (encrypt-then-mac).
|
||||||
|
These are considered safer and their use recommended.
|
||||||
|
.Pp
|
||||||
|
-The default is:
|
||||||
|
-.Bd -literal -offset indent
|
||||||
|
-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
|
||||||
|
-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
|
||||||
|
-hmac-sha1-etm@openssh.com,
|
||||||
|
-umac-64@openssh.com,umac-128@openssh.com,
|
||||||
|
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
|
||||||
|
-.Ed
|
||||||
|
-.Pp
|
||||||
|
The list of available MAC algorithms may also be obtained using
|
||||||
|
.Qq ssh -Q mac .
|
||||||
|
.It Cm NoHostAuthenticationForLocalhost
|
||||||
|
@@ -1567,39 +1555,31 @@
|
||||||
|
The default is
|
||||||
|
.Cm no .
|
||||||
|
.It Cm PubkeyAcceptedAlgorithms
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies the signature algorithms that will be used for public key
|
||||||
|
authentication as a comma-separated list of patterns.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
-character, then the algorithms after it will be appended to the default
|
||||||
|
-instead of replacing it.
|
||||||
|
+character, then the algorithms after it will be appended to the built-in
|
||||||
|
+openssh default instead of replacing it.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified algorithms (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq ^
|
||||||
|
character, then the specified algorithms will be placed at the head of the
|
||||||
|
-default set.
|
||||||
|
-The default for this option is:
|
||||||
|
-.Bd -literal -offset 3n
|
||||||
|
-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
|
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||||
|
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||||
|
-sk-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
|
-rsa-sha2-512-cert-v01@openssh.com,
|
||||||
|
-rsa-sha2-256-cert-v01@openssh.com,
|
||||||
|
-ssh-ed25519,
|
||||||
|
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
|
-sk-ssh-ed25519@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||||
|
-rsa-sha2-512,rsa-sha2-256
|
||||||
|
-.Ed
|
||||||
|
+built-in openssh default set.
|
||||||
|
.Pp
|
||||||
|
The list of available signature algorithms may also be obtained using
|
||||||
|
.Qq ssh -Q PubkeyAcceptedAlgorithms .
|
||||||
|
+.Pp
|
||||||
|
+This option affects also
|
||||||
|
+.Cm HostKeyAlgorithms
|
||||||
|
.It Cm PubkeyAuthentication
|
||||||
|
Specifies whether to try public key authentication.
|
||||||
|
The argument to this keyword must be
|
||||||
|
@@ -2265,7 +2245,9 @@
|
||||||
|
This file must be world-readable.
|
||||||
|
.El
|
||||||
|
.Sh SEE ALSO
|
||||||
|
-.Xr ssh 1
|
||||||
|
+.Xr ssh 1 ,
|
||||||
|
+.Xr crypto-policies 7 ,
|
||||||
|
+.Xr update-crypto-policies 8
|
||||||
|
.Sh AUTHORS
|
||||||
|
.An -nosplit
|
||||||
|
OpenSSH is a derivative of the original and free
|
||||||
|
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/sshd_config.5 openssh-9.3p1-patched/sshd_config.5
|
||||||
|
--- openssh-9.3p1/sshd_config.5 2023-06-07 10:26:48.277590077 +0200
|
||||||
|
+++ openssh-9.3p1-patched/sshd_config.5 2023-06-07 10:26:00.592051845 +0200
|
||||||
|
@@ -379,17 +379,13 @@
|
||||||
|
then no banner is displayed.
|
||||||
|
By default, no banner is displayed.
|
||||||
|
.It Cm CASignatureAlgorithms
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies which algorithms are allowed for signing of certificates
|
||||||
|
by certificate authorities (CAs).
|
||||||
|
-The default is:
|
||||||
|
-.Bd -literal -offset indent
|
||||||
|
-ssh-ed25519,ecdsa-sha2-nistp256,
|
||||||
|
-ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
|
-sk-ssh-ed25519@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||||
|
-rsa-sha2-512,rsa-sha2-256
|
||||||
|
-.Ed
|
||||||
|
-.Pp
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
character, then the specified algorithms will be appended to the default set
|
||||||
|
@@ -525,20 +521,25 @@
|
||||||
|
indicating not to
|
||||||
|
.Xr chroot 2 .
|
||||||
|
.It Cm Ciphers
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies the ciphers allowed.
|
||||||
|
Multiple ciphers must be comma-separated.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
-character, then the specified ciphers will be appended to the default set
|
||||||
|
-instead of replacing them.
|
||||||
|
+character, then the specified ciphers will be appended to the built-in
|
||||||
|
+openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified ciphers (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq ^
|
||||||
|
character, then the specified ciphers will be placed at the head of the
|
||||||
|
-default set.
|
||||||
|
+built-in openssh default set.
|
||||||
|
.Pp
|
||||||
|
The supported ciphers are:
|
||||||
|
.Pp
|
||||||
|
@@ -565,13 +566,6 @@
|
||||||
|
chacha20-poly1305@openssh.com
|
||||||
|
.El
|
||||||
|
.Pp
|
||||||
|
-The default is:
|
||||||
|
-.Bd -literal -offset indent
|
||||||
|
-chacha20-poly1305@openssh.com,
|
||||||
|
-aes128-ctr,aes192-ctr,aes256-ctr,
|
||||||
|
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
|
||||||
|
-.Ed
|
||||||
|
-.Pp
|
||||||
|
The list of available ciphers may also be obtained using
|
||||||
|
.Qq ssh -Q cipher .
|
||||||
|
.It Cm ClientAliveCountMax
|
||||||
|
@@ -766,53 +760,43 @@
|
||||||
|
.Cm GSSAPIKeyExchange
|
||||||
|
needs to be enabled in the server and also used by the client.
|
||||||
|
.It Cm GSSAPIKexAlgorithms
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
The list of key exchange algorithms that are accepted by GSSAPI
|
||||||
|
key exchange. Possible values are
|
||||||
|
.Bd -literal -offset 3n
|
||||||
|
-gss-gex-sha1-,
|
||||||
|
-gss-group1-sha1-,
|
||||||
|
-gss-group14-sha1-,
|
||||||
|
-gss-group14-sha256-,
|
||||||
|
-gss-group16-sha512-,
|
||||||
|
-gss-nistp256-sha256-,
|
||||||
|
+gss-gex-sha1-
|
||||||
|
+gss-group1-sha1-
|
||||||
|
+gss-group14-sha1-
|
||||||
|
+gss-group14-sha256-
|
||||||
|
+gss-group16-sha512-
|
||||||
|
+gss-nistp256-sha256-
|
||||||
|
gss-curve25519-sha256-
|
||||||
|
.Ed
|
||||||
|
-.Pp
|
||||||
|
-The default is
|
||||||
|
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||||
|
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||||
|
This option only applies to connections using GSSAPI.
|
||||||
|
.It Cm HostbasedAcceptedAlgorithms
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies the signature algorithms that will be accepted for hostbased
|
||||||
|
authentication as a list of comma-separated patterns.
|
||||||
|
Alternately if the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
character, then the specified signature algorithms will be appended to
|
||||||
|
-the default set instead of replacing them.
|
||||||
|
+the built-in openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified signature algorithms (including wildcards)
|
||||||
|
-will be removed from the default set instead of replacing them.
|
||||||
|
+will be removed from the built-in openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq ^
|
||||||
|
character, then the specified signature algorithms will be placed at
|
||||||
|
-the head of the default set.
|
||||||
|
-The default for this option is:
|
||||||
|
-.Bd -literal -offset 3n
|
||||||
|
-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
|
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||||
|
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||||
|
-sk-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
|
-rsa-sha2-512-cert-v01@openssh.com,
|
||||||
|
-rsa-sha2-256-cert-v01@openssh.com,
|
||||||
|
-ssh-ed25519,
|
||||||
|
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
|
-sk-ssh-ed25519@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||||
|
-rsa-sha2-512,rsa-sha2-256
|
||||||
|
-.Ed
|
||||||
|
+the head of the built-in openssh default set.
|
||||||
|
.Pp
|
||||||
|
The list of available signature algorithms may also be obtained using
|
||||||
|
.Qq ssh -Q HostbasedAcceptedAlgorithms .
|
||||||
|
@@ -879,25 +863,14 @@
|
||||||
|
.Ev SSH_AUTH_SOCK
|
||||||
|
environment variable.
|
||||||
|
.It Cm HostKeyAlgorithms
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies the host key signature algorithms
|
||||||
|
that the server offers.
|
||||||
|
The default for this option is:
|
||||||
|
-.Bd -literal -offset 3n
|
||||||
|
-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
|
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||||
|
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||||
|
-sk-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
|
-rsa-sha2-512-cert-v01@openssh.com,
|
||||||
|
-rsa-sha2-256-cert-v01@openssh.com,
|
||||||
|
-ssh-ed25519,
|
||||||
|
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
|
-sk-ssh-ed25519@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||||
|
-rsa-sha2-512,rsa-sha2-256
|
||||||
|
-.Ed
|
||||||
|
-.Pp
|
||||||
|
The list of available signature algorithms may also be obtained using
|
||||||
|
.Qq ssh -Q HostKeyAlgorithms .
|
||||||
|
.It Cm IgnoreRhosts
|
||||||
|
@@ -1025,6 +1025,11 @@ Specifies whether to look at .k5login fi
|
||||||
|
The default is
|
||||||
|
.Cm yes .
|
||||||
|
.It Cm KexAlgorithms
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies the permitted KEX (Key Exchange) algorithms that the server will
|
||||||
|
offer to clients.
|
||||||
|
The ordering of this list is not important, as the client specifies the
|
||||||
|
@@ -1033,16 +1038,16 @@ Multiple algorithms must be comma-separa
|
||||||
|
.Pp
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
-character, then the specified algorithms will be appended to the default set
|
||||||
|
-instead of replacing them.
|
||||||
|
+character, then the specified methods will be appended to the built-in
|
||||||
|
+openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified algorithms (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq ^
|
||||||
|
character, then the specified algorithms will be placed at the head of the
|
||||||
|
-default set.
|
||||||
|
+built-in openssh default set.
|
||||||
|
.Pp
|
||||||
|
The supported algorithms are:
|
||||||
|
.Pp
|
||||||
|
@@ -1075,17 +1080,6 @@ ecdh-sha2-nistp521
|
||||||
|
sntrup761x25519-sha512@openssh.com
|
||||||
|
.El
|
||||||
|
.Pp
|
||||||
|
-The default is:
|
||||||
|
-.Bd -literal -offset indent
|
||||||
|
-sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,
|
||||||
|
-mlkem768x25519-sha256,
|
||||||
|
-curve25519-sha256,curve25519-sha256@libssh.org,
|
||||||
|
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||||
|
-diffie-hellman-group-exchange-sha256,
|
||||||
|
-diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
|
||||||
|
-diffie-hellman-group14-sha256
|
||||||
|
-.Ed
|
||||||
|
-.Pp
|
||||||
|
The list of supported key exchange algorithms may also be obtained using
|
||||||
|
.Qq ssh -Q KexAlgorithms .
|
||||||
|
.It Cm ListenAddress
|
||||||
|
@@ -1184,21 +1152,26 @@
|
||||||
|
file.
|
||||||
|
This option is intended for debugging and no overrides are enabled by default.
|
||||||
|
.It Cm MACs
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies the available MAC (message authentication code) algorithms.
|
||||||
|
The MAC algorithm is used for data integrity protection.
|
||||||
|
Multiple algorithms must be comma-separated.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
-character, then the specified algorithms will be appended to the default set
|
||||||
|
-instead of replacing them.
|
||||||
|
+character, then the specified algorithms will be appended to the built-in
|
||||||
|
+openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified algorithms (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq ^
|
||||||
|
character, then the specified algorithms will be placed at the head of the
|
||||||
|
-default set.
|
||||||
|
+built-in openssh default set.
|
||||||
|
.Pp
|
||||||
|
The algorithms that contain
|
||||||
|
.Qq -etm
|
||||||
|
@@ -1241,15 +1214,6 @@
|
||||||
|
umac-128-etm@openssh.com
|
||||||
|
.El
|
||||||
|
.Pp
|
||||||
|
-The default is:
|
||||||
|
-.Bd -literal -offset indent
|
||||||
|
-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
|
||||||
|
-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
|
||||||
|
-hmac-sha1-etm@openssh.com,
|
||||||
|
-umac-64@openssh.com,umac-128@openssh.com,
|
||||||
|
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
|
||||||
|
-.Ed
|
||||||
|
-.Pp
|
||||||
|
The list of available MAC algorithms may also be obtained using
|
||||||
|
.Qq ssh -Q mac .
|
||||||
|
.It Cm Match
|
||||||
|
@@ -1633,36 +1597,25 @@
|
||||||
|
The default is
|
||||||
|
.Cm yes .
|
||||||
|
.It Cm PubkeyAcceptedAlgorithms
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies the signature algorithms that will be accepted for public key
|
||||||
|
authentication as a list of comma-separated patterns.
|
||||||
|
Alternately if the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
-character, then the specified algorithms will be appended to the default set
|
||||||
|
-instead of replacing them.
|
||||||
|
+character, then the specified algorithms will be appended to the built-in
|
||||||
|
+openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified algorithms (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq ^
|
||||||
|
character, then the specified algorithms will be placed at the head of the
|
||||||
|
-default set.
|
||||||
|
-The default for this option is:
|
||||||
|
-.Bd -literal -offset 3n
|
||||||
|
-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
|
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||||
|
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||||
|
-sk-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
|
-rsa-sha2-512-cert-v01@openssh.com,
|
||||||
|
-rsa-sha2-256-cert-v01@openssh.com,
|
||||||
|
-ssh-ed25519,
|
||||||
|
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
|
-sk-ssh-ed25519@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||||
|
-rsa-sha2-512,rsa-sha2-256
|
||||||
|
-.Ed
|
||||||
|
+built-in openssh default set.
|
||||||
|
.Pp
|
||||||
|
The list of available signature algorithms may also be obtained using
|
||||||
|
.Qq ssh -Q PubkeyAcceptedAlgorithms .
|
||||||
|
@@ -2131,7 +2084,9 @@
|
||||||
|
.El
|
||||||
|
.Sh SEE ALSO
|
||||||
|
.Xr sftp-server 8 ,
|
||||||
|
-.Xr sshd 8
|
||||||
|
+.Xr sshd 8 ,
|
||||||
|
+.Xr crypto-policies 7 ,
|
||||||
|
+.Xr update-crypto-policies 8
|
||||||
|
.Sh AUTHORS
|
||||||
|
.An -nosplit
|
||||||
|
OpenSSH is a derivative of the original and free
|
@ -12,7 +12,7 @@ index 2a455e4e..e01c3d43 100644
|
|||||||
HMAC_CTX_init \
|
HMAC_CTX_init \
|
||||||
RSA_generate_key_ex \
|
RSA_generate_key_ex \
|
||||||
RSA_get_default_method \
|
RSA_get_default_method \
|
||||||
+ EVP_KDF_CTX_new_id \
|
+ EVP_KDF_CTX_new \
|
||||||
])
|
])
|
||||||
|
|
||||||
# OpenSSL_add_all_algorithms may be a macro.
|
# OpenSSL_add_all_algorithms may be a macro.
|
||||||
@ -20,33 +20,35 @@ diff --git a/kex.c b/kex.c
|
|||||||
index b6f041f4..1fbce2bb 100644
|
index b6f041f4..1fbce2bb 100644
|
||||||
--- a/kex.c
|
--- a/kex.c
|
||||||
+++ b/kex.c
|
+++ b/kex.c
|
||||||
@@ -38,6 +38,9 @@
|
@@ -38,6 +38,11 @@
|
||||||
#ifdef WITH_OPENSSL
|
#ifdef WITH_OPENSSL
|
||||||
#include <openssl/crypto.h>
|
#include <openssl/crypto.h>
|
||||||
#include <openssl/dh.h>
|
#include <openssl/dh.h>
|
||||||
+# ifdef HAVE_EVP_KDF_CTX_NEW_ID
|
+# ifdef HAVE_EVP_KDF_CTX_NEW
|
||||||
+# include <openssl/kdf.h>
|
+# include <openssl/kdf.h>
|
||||||
|
+# include <openssl/param_build.h>
|
||||||
|
+# include <openssl/core_names.h>
|
||||||
+# endif
|
+# endif
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#include "ssh.h"
|
#include "ssh.h"
|
||||||
@@ -942,6 +945,95 @@ kex_choose_conf(struct ssh *ssh)
|
@@ -942,6 +945,107 @@ kex_choose_conf(struct ssh *ssh)
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
+#ifdef HAVE_EVP_KDF_CTX_NEW_ID
|
+#ifdef HAVE_EVP_KDF_CTX_NEW
|
||||||
+static const EVP_MD *
|
+static const char *
|
||||||
+digest_to_md(int digest_type)
|
+digest_to_md(int digest_type)
|
||||||
+{
|
+{
|
||||||
+ switch (digest_type) {
|
+ switch (digest_type) {
|
||||||
+ case SSH_DIGEST_SHA1:
|
+ case SSH_DIGEST_SHA1:
|
||||||
+ return EVP_sha1();
|
+ return SN_sha1;
|
||||||
+ case SSH_DIGEST_SHA256:
|
+ case SSH_DIGEST_SHA256:
|
||||||
+ return EVP_sha256();
|
+ return SN_sha256;
|
||||||
+ case SSH_DIGEST_SHA384:
|
+ case SSH_DIGEST_SHA384:
|
||||||
+ return EVP_sha384();
|
+ return SN_sha384;
|
||||||
+ case SSH_DIGEST_SHA512:
|
+ case SSH_DIGEST_SHA512:
|
||||||
+ return EVP_sha512();
|
+ return SN_sha512;
|
||||||
+ }
|
+ }
|
||||||
+ return NULL;
|
+ return NULL;
|
||||||
+}
|
+}
|
||||||
@ -56,52 +58,62 @@ index b6f041f4..1fbce2bb 100644
|
|||||||
+ const struct sshbuf *shared_secret, u_char **keyp)
|
+ const struct sshbuf *shared_secret, u_char **keyp)
|
||||||
+{
|
+{
|
||||||
+ struct kex *kex = ssh->kex;
|
+ struct kex *kex = ssh->kex;
|
||||||
+ EVP_KDF_CTX *ctx = NULL;
|
|
||||||
+ u_char *key = NULL;
|
+ u_char *key = NULL;
|
||||||
+ int r, key_len;
|
+ int r, key_len;
|
||||||
+
|
+
|
||||||
+ if ((key_len = ssh_digest_bytes(kex->hash_alg)) == 0)
|
+ EVP_KDF *kdf = EVP_KDF_fetch(NULL, "SSHKDF", NULL);
|
||||||
+ return SSH_ERR_INVALID_ARGUMENT;
|
+ EVP_KDF_CTX *ctx = EVP_KDF_CTX_new(kdf);
|
||||||
|
+ OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
|
||||||
|
+ OSSL_PARAM *params = NULL;
|
||||||
|
+ const char *md = digest_to_md(kex->hash_alg);
|
||||||
|
+ char keytype = (char)id;
|
||||||
|
+
|
||||||
|
+ EVP_KDF_free(kdf);
|
||||||
|
+ if (!ctx) {
|
||||||
|
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ if (md == NULL) {
|
||||||
|
+ r = SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (param_bld == NULL) {
|
||||||
|
+ EVP_KDF_CTX_free(ctx);
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+ if ((key_len = ssh_digest_bytes(kex->hash_alg)) == 0) {
|
||||||
|
+ r = SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
+ key_len = ROUNDUP(need, key_len);
|
+ key_len = ROUNDUP(need, key_len);
|
||||||
+ if ((key = calloc(1, key_len)) == NULL) {
|
+ if ((key = calloc(1, key_len)) == NULL) {
|
||||||
+ r = SSH_ERR_ALLOC_FAIL;
|
+ r = SSH_ERR_ALLOC_FAIL;
|
||||||
+ goto out;
|
+ goto out;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ ctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF);
|
+ r = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_DIGEST,
|
||||||
+ if (!ctx) {
|
+ md, strlen(md)) && /* SN */
|
||||||
|
+ OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_KEY,
|
||||||
|
+ sshbuf_ptr(shared_secret), sshbuf_len(shared_secret)) &&
|
||||||
|
+ OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_SSHKDF_XCGHASH,
|
||||||
|
+ hash, hashlen) &&
|
||||||
|
+ OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
|
||||||
|
+ sshbuf_ptr(kex->session_id), sshbuf_len(kex->session_id)) &&
|
||||||
|
+ OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_SSHKDF_TYPE,
|
||||||
|
+ &keytype, 1);
|
||||||
|
+ if (r != 1) {
|
||||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
+ goto out;
|
+ goto out;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD, digest_to_md(kex->hash_alg));
|
+ params = OSSL_PARAM_BLD_to_param(param_bld);
|
||||||
+ if (r != 1) {
|
+ if (params == NULL) {
|
||||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
+ goto out;
|
+ goto out;
|
||||||
+ }
|
+ }
|
||||||
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY,
|
+ r = EVP_KDF_derive(ctx, key, key_len, params);
|
||||||
+ sshbuf_ptr(shared_secret), sshbuf_len(shared_secret));
|
|
||||||
+ if (r != 1) {
|
|
||||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, hash, hashlen);
|
|
||||||
+ if (r != 1) {
|
|
||||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, id);
|
|
||||||
+ if (r != 1) {
|
|
||||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
|
|
||||||
+ kex->session_id, kex->session_id_len);
|
|
||||||
+ if (r != 1) {
|
|
||||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ r = EVP_KDF_derive(ctx, key, key_len);
|
|
||||||
+ if (r != 1) {
|
+ if (r != 1) {
|
||||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
+ goto out;
|
+ goto out;
|
||||||
@ -115,6 +127,8 @@ index b6f041f4..1fbce2bb 100644
|
|||||||
+ r = 0;
|
+ r = 0;
|
||||||
+
|
+
|
||||||
+out:
|
+out:
|
||||||
|
+ OSSL_PARAM_BLD_free(param_bld);
|
||||||
|
+ OSSL_PARAM_free(params);
|
||||||
+ free (key);
|
+ free (key);
|
||||||
+ EVP_KDF_CTX_free(ctx);
|
+ EVP_KDF_CTX_free(ctx);
|
||||||
+ if (r < 0) {
|
+ if (r < 0) {
|
||||||
@ -130,7 +144,7 @@ index b6f041f4..1fbce2bb 100644
|
|||||||
ssh_digest_free(hashctx);
|
ssh_digest_free(hashctx);
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
+#endif /* HAVE_OPENSSL_EVP_KDF_CTX_NEW_ID */
|
+#endif /* HAVE_OPENSSL_EVP_KDF_CTX_NEW */
|
||||||
|
|
||||||
#define NKEYS 6
|
#define NKEYS 6
|
||||||
int
|
int
|
File diff suppressed because it is too large
Load Diff
@ -27,16 +27,15 @@ diff -up openssh-8.0p1/auth-pam.c.preserve-pam-errors openssh-8.0p1/auth-pam.c
|
|||||||
else if (sshpam_maxtries_reached)
|
else if (sshpam_maxtries_reached)
|
||||||
ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, buffer);
|
ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, buffer);
|
||||||
else
|
else
|
||||||
@@ -856,10 +862,12 @@ sshpam_query(void *ctx, char **name, cha
|
@@ -856,9 +862,11 @@ sshpam_query(void *ctx, char **name, cha
|
||||||
plen++;
|
|
||||||
free(msg);
|
free(msg);
|
||||||
break;
|
break;
|
||||||
+ case PAM_USER_UNKNOWN:
|
|
||||||
+ case PAM_PERM_DENIED:
|
|
||||||
case PAM_ACCT_EXPIRED:
|
case PAM_ACCT_EXPIRED:
|
||||||
+ sshpam_account_status = 0;
|
+ sshpam_account_status = 0;
|
||||||
+ /* FALLTHROUGH */
|
+ /* FALLTHROUGH */
|
||||||
case PAM_MAXTRIES:
|
case PAM_MAXTRIES:
|
||||||
|
+ case PAM_USER_UNKNOWN:
|
||||||
|
+ case PAM_PERM_DENIED:
|
||||||
- if (type == PAM_ACCT_EXPIRED)
|
- if (type == PAM_ACCT_EXPIRED)
|
||||||
- sshpam_account_status = 0;
|
- sshpam_account_status = 0;
|
||||||
if (type == PAM_MAXTRIES)
|
if (type == PAM_MAXTRIES)
|
40
openssh-8.2p1-visibility.patch
Normal file
40
openssh-8.2p1-visibility.patch
Normal file
@ -0,0 +1,40 @@
|
|||||||
|
diff --git a/regress/misc/sk-dummy/sk-dummy.c b/regress/misc/sk-dummy/sk-dummy.c
|
||||||
|
index dca158de..afdcb1d2 100644
|
||||||
|
--- a/regress/misc/sk-dummy/sk-dummy.c
|
||||||
|
+++ b/regress/misc/sk-dummy/sk-dummy.c
|
||||||
|
@@ -71,7 +71,7 @@ skdebug(const char *func, const char *fmt, ...)
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
-uint32_t
|
||||||
|
+uint32_t __attribute__((visibility("default")))
|
||||||
|
sk_api_version(void)
|
||||||
|
{
|
||||||
|
return SSH_SK_VERSION_MAJOR;
|
||||||
|
@@ -220,7 +220,7 @@ check_options(struct sk_option **options)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
-int
|
||||||
|
+int __attribute__((visibility("default")))
|
||||||
|
sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
|
||||||
|
const char *application, uint8_t flags, const char *pin,
|
||||||
|
struct sk_option **options, struct sk_enroll_response **enroll_response)
|
||||||
|
@@ -467,7 +467,7 @@ sig_ed25519(const uint8_t *message, size_t message_len,
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
-int
|
||||||
|
+int __attribute__((visibility("default")))
|
||||||
|
sk_sign(uint32_t alg, const uint8_t *data, size_t datalen,
|
||||||
|
const char *application, const uint8_t *key_handle, size_t key_handle_len,
|
||||||
|
uint8_t flags, const char *pin, struct sk_option **options,
|
||||||
|
@@ -518,7 +518,7 @@ sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
-int
|
||||||
|
+int __attribute__((visibility("default")))
|
||||||
|
sk_load_resident_keys(const char *pin, struct sk_option **options,
|
||||||
|
struct sk_resident_key ***rks, size_t *nrks)
|
||||||
|
{
|
@ -6,9 +6,9 @@ diff --git a/channels.c b/channels.c
|
|||||||
sock_set_v6only(sock);
|
sock_set_v6only(sock);
|
||||||
if (x11_use_localhost)
|
if (x11_use_localhost)
|
||||||
set_reuseaddr(sock);
|
set_reuseaddr(sock);
|
||||||
if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
|
if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
|
||||||
debug2("%s: bind port %d: %.100s", __func__,
|
debug2_f("bind port %d: %.100s", port,
|
||||||
port, strerror(errno));
|
strerror(errno));
|
||||||
close(sock);
|
close(sock);
|
||||||
+
|
+
|
||||||
+ /* do not remove successfully opened
|
+ /* do not remove successfully opened
|
11
openssh-8.7p1-ibmca.patch
Normal file
11
openssh-8.7p1-ibmca.patch
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
--- openssh-8.7p1/openbsd-compat/bsd-closefrom.c.orig 2022-04-12 15:47:03.815044607 +0200
|
||||||
|
+++ openssh-8.7p1/openbsd-compat/bsd-closefrom.c 2022-04-12 15:48:12.464963511 +0200
|
||||||
|
@@ -16,7 +16,7 @@
|
||||||
|
|
||||||
|
#include "includes.h"
|
||||||
|
|
||||||
|
-#if !defined(HAVE_CLOSEFROM) || defined(BROKEN_CLOSEFROM)
|
||||||
|
+#if !defined(HAVE_CLOSEFROM) || defined(BROKEN_CLOSEFROM) || (defined __s390__)
|
||||||
|
|
||||||
|
#include <sys/types.h>
|
||||||
|
#include <unistd.h>
|
22
openssh-8.7p1-minrsabits.patch
Normal file
22
openssh-8.7p1-minrsabits.patch
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
diff --git a/readconf.c b/readconf.c
|
||||||
|
--- a/readconf.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
|
||||||
|
+++ b/readconf.c (date 1703169891147)
|
||||||
|
@@ -326,6 +326,7 @@
|
||||||
|
{ "securitykeyprovider", oSecurityKeyProvider },
|
||||||
|
{ "knownhostscommand", oKnownHostsCommand },
|
||||||
|
{ "requiredrsasize", oRequiredRSASize },
|
||||||
|
+ { "rsaminsize", oRequiredRSASize }, /* alias */
|
||||||
|
{ "enableescapecommandline", oEnableEscapeCommandline },
|
||||||
|
{ "obscurekeystroketiming", oObscureKeystrokeTiming },
|
||||||
|
{ "channeltimeout", oChannelTimeout },
|
||||||
|
diff --git a/servconf.c b/servconf.c
|
||||||
|
--- a/servconf.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
|
||||||
|
+++ b/servconf.c (date 1703169891148)
|
||||||
|
@@ -691,6 +691,7 @@
|
||||||
|
{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
|
||||||
|
{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
|
||||||
|
{ "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },
|
||||||
|
+ { "rsaminsize", sRequiredRSASize, SSHCFG_ALL }, /* alias */
|
||||||
|
{ "channeltimeout", sChannelTimeout, SSHCFG_ALL },
|
||||||
|
{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
|
||||||
|
{ "sshdsessionpath", sSshdSessionPath, SSHCFG_GLOBAL },
|
118
openssh-8.7p1-negotiate-supported-algs.patch
Normal file
118
openssh-8.7p1-negotiate-supported-algs.patch
Normal file
@ -0,0 +1,118 @@
|
|||||||
|
diff -up openssh-9.3p1/regress/hostkey-agent.sh.xxx openssh-9.3p1/regress/hostkey-agent.sh
|
||||||
|
--- openssh-9.3p1/regress/hostkey-agent.sh.xxx 2023-05-29 18:15:56.311236887 +0200
|
||||||
|
+++ openssh-9.3p1/regress/hostkey-agent.sh 2023-05-29 18:16:07.598503551 +0200
|
||||||
|
@@ -17,8 +17,21 @@ trace "make CA key"
|
||||||
|
|
||||||
|
${SSHKEYGEN} -qt ed25519 -f $OBJ/agent-ca -N '' || fatal "ssh-keygen CA"
|
||||||
|
|
||||||
|
+PUBKEY_ACCEPTED_ALGOS=`$SSH -G "example.com" | \
|
||||||
|
+ grep -i "PubkeyAcceptedAlgorithms" | cut -d ' ' -f2- | tr "," "|"`
|
||||||
|
+SSH_ACCEPTED_KEYTYPES=`echo "$SSH_KEYTYPES" | egrep "$PUBKEY_ACCEPTED_ALGOS"`
|
||||||
|
+echo $PUBKEY_ACCEPTED_ALGOS | grep "rsa"
|
||||||
|
+r=$?
|
||||||
|
+if [ $r == 0 ]; then
|
||||||
|
+echo $SSH_ACCEPTED_KEYTYPES | grep "rsa"
|
||||||
|
+r=$?
|
||||||
|
+if [ $r -ne 0 ]; then
|
||||||
|
+SSH_ACCEPTED_KEYTYPES="$SSH_ACCEPTED_KEYTYPES ssh-rsa"
|
||||||
|
+fi
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
trace "load hostkeys"
|
||||||
|
-for k in $SSH_KEYTYPES ; do
|
||||||
|
+for k in $SSH_ACCEPTED_KEYTYPES ; do
|
||||||
|
${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k"
|
||||||
|
${SSHKEYGEN} -s $OBJ/agent-ca -qh -n localhost-with-alias \
|
||||||
|
-I localhost-with-alias $OBJ/agent-key.$k.pub || \
|
||||||
|
@@ -32,12 +48,16 @@ rm $OBJ/agent-ca # Don't need CA private
|
||||||
|
|
||||||
|
unset SSH_AUTH_SOCK
|
||||||
|
|
||||||
|
-for k in $SSH_KEYTYPES ; do
|
||||||
|
+for k in $SSH_ACCEPTED_KEYTYPES ; do
|
||||||
|
verbose "key type $k"
|
||||||
|
+ hka=$k
|
||||||
|
+ if [ $k = "ssh-rsa" ]; then
|
||||||
|
+ hka="rsa-sha2-512"
|
||||||
|
+ fi
|
||||||
|
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
|
||||||
|
- echo "HostKeyAlgorithms $k" >> $OBJ/sshd_proxy
|
||||||
|
+ echo "HostKeyAlgorithms $hka" >> $OBJ/sshd_proxy
|
||||||
|
echo "Hostkey $OBJ/agent-key.${k}" >> $OBJ/sshd_proxy
|
||||||
|
- opts="-oHostKeyAlgorithms=$k -F $OBJ/ssh_proxy"
|
||||||
|
+ opts="-oHostKeyAlgorithms=$hka -F $OBJ/ssh_proxy"
|
||||||
|
( printf 'localhost-with-alias,127.0.0.1,::1 ' ;
|
||||||
|
cat $OBJ/agent-key.$k.pub) > $OBJ/known_hosts
|
||||||
|
SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'`
|
||||||
|
@@ -50,15 +70,16 @@ for k in $SSH_KEYTYPES ; do
|
||||||
|
done
|
||||||
|
|
||||||
|
SSH_CERTTYPES=`ssh -Q key-sig | grep 'cert-v01@openssh.com'`
|
||||||
|
+SSH_ACCEPTED_CERTTYPES=`echo "$SSH_CERTTYPES" | egrep "$PUBKEY_ACCEPTED_ALGOS"`
|
||||||
|
|
||||||
|
# Prepare sshd_proxy for certificates.
|
||||||
|
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
|
||||||
|
HOSTKEYALGS=""
|
||||||
|
-for k in $SSH_CERTTYPES ; do
|
||||||
|
+for k in $SSH_ACCEPTED_CERTTYPES ; do
|
||||||
|
test -z "$HOSTKEYALGS" || HOSTKEYALGS="${HOSTKEYALGS},"
|
||||||
|
HOSTKEYALGS="${HOSTKEYALGS}${k}"
|
||||||
|
done
|
||||||
|
-for k in $SSH_KEYTYPES ; do
|
||||||
|
+for k in $SSH_ACCEPTED_KEYTYPES ; do
|
||||||
|
echo "Hostkey $OBJ/agent-key.${k}.pub" >> $OBJ/sshd_proxy
|
||||||
|
echo "HostCertificate $OBJ/agent-key.${k}-cert.pub" >> $OBJ/sshd_proxy
|
||||||
|
test -f $OBJ/agent-key.${k}.pub || fatal "no $k key"
|
||||||
|
@@ -70,7 +93,7 @@ echo "HostKeyAlgorithms $HOSTKEYALGS" >>
|
||||||
|
( printf '@cert-authority localhost-with-alias ' ;
|
||||||
|
cat $OBJ/agent-ca.pub) > $OBJ/known_hosts
|
||||||
|
|
||||||
|
-for k in $SSH_CERTTYPES ; do
|
||||||
|
+for k in $SSH_ACCEPTED_CERTTYPES ; do
|
||||||
|
verbose "cert type $k"
|
||||||
|
opts="-oHostKeyAlgorithms=$k -F $OBJ/ssh_proxy"
|
||||||
|
SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'`
|
||||||
|
diff -up openssh-9.3p1/sshconnect2.c.xxx openssh-9.3p1/sshconnect2.c
|
||||||
|
--- openssh-9.3p1/sshconnect2.c.xxx 2023-04-26 17:37:35.100827792 +0200
|
||||||
|
+++ openssh-9.3p1/sshconnect2.c 2023-04-26 17:50:31.860748877 +0200
|
||||||
|
@@ -221,7 +221,7 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
||||||
|
const struct ssh_conn_info *cinfo)
|
||||||
|
{
|
||||||
|
char *myproposal[PROPOSAL_MAX];
|
||||||
|
- char *all_key, *hkalgs = NULL;
|
||||||
|
+ char *all_key, *hkalgs = NULL, *filtered_algs = NULL;
|
||||||
|
int r, use_known_hosts_order = 0;
|
||||||
|
|
||||||
|
#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||||
|
@@ -260,10 +260,22 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
||||||
|
if (use_known_hosts_order)
|
||||||
|
hkalgs = order_hostkeyalgs(host, hostaddr, port, cinfo);
|
||||||
|
|
||||||
|
+ filtered_algs = hkalgs ? match_filter_allowlist(hkalgs, options.pubkey_accepted_algos)
|
||||||
|
+ : match_filter_allowlist(options.hostkeyalgorithms,
|
||||||
|
+ options.pubkey_accepted_algos);
|
||||||
|
+ if (filtered_algs == NULL) {
|
||||||
|
+ if (hkalgs)
|
||||||
|
+ fatal_f("No match between algorithms for %s (host %s) and pubkey accepted algorithms %s",
|
||||||
|
+ hkalgs, host, options.pubkey_accepted_algos);
|
||||||
|
+ else
|
||||||
|
+ fatal_f("No match between host key algorithms %s and pubkey accepted algorithms %s",
|
||||||
|
+ options.hostkeyalgorithms, options.pubkey_accepted_algos);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
kex_proposal_populate_entries(ssh, myproposal,
|
||||||
|
options.kex_algorithms, options.ciphers, options.macs,
|
||||||
|
compression_alg_list(options.compression),
|
||||||
|
- hkalgs ? hkalgs : options.hostkeyalgorithms);
|
||||||
|
+ filtered_algs);
|
||||||
|
|
||||||
|
#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||||
|
if (options.gss_keyex) {
|
||||||
|
@@ -303,6 +315,7 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
||||||
|
#endif
|
||||||
|
|
||||||
|
free(hkalgs);
|
||||||
|
+ free(filtered_algs);
|
||||||
|
|
||||||
|
/* start key exchange */
|
||||||
|
if ((r = kex_setup(ssh, myproposal)) != 0)
|
297
openssh-8.7p1-nohostsha1proof.patch
Normal file
297
openssh-8.7p1-nohostsha1proof.patch
Normal file
@ -0,0 +1,297 @@
|
|||||||
|
diff -up openssh-8.7p1/compat.c.sshrsacheck openssh-8.7p1/compat.c
|
||||||
|
--- openssh-8.7p1/compat.c.sshrsacheck 2023-01-12 13:29:06.338710923 +0100
|
||||||
|
+++ openssh-8.7p1/compat.c 2023-01-12 13:29:06.357711165 +0100
|
||||||
|
@@ -43,6 +43,7 @@ void
|
||||||
|
compat_banner(struct ssh *ssh, const char *version)
|
||||||
|
{
|
||||||
|
int i;
|
||||||
|
+ int forbid_ssh_rsa = 0;
|
||||||
|
static struct {
|
||||||
|
char *pat;
|
||||||
|
int bugs;
|
||||||
|
@@ -145,16 +146,21 @@ compat_banner(struct ssh *ssh, const cha
|
||||||
|
};
|
||||||
|
|
||||||
|
/* process table, return first match */
|
||||||
|
+ forbid_ssh_rsa = (ssh->compat & SSH_RH_RSASIGSHA);
|
||||||
|
ssh->compat = 0;
|
||||||
|
for (i = 0; check[i].pat; i++) {
|
||||||
|
if (match_pattern_list(version, check[i].pat, 0) == 1) {
|
||||||
|
debug_f("match: %s pat %s compat 0x%08x",
|
||||||
|
version, check[i].pat, check[i].bugs);
|
||||||
|
ssh->compat = check[i].bugs;
|
||||||
|
+ if (forbid_ssh_rsa)
|
||||||
|
+ ssh->compat |= SSH_RH_RSASIGSHA;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
debug_f("no match: %s", version);
|
||||||
|
+ if (forbid_ssh_rsa)
|
||||||
|
+ ssh->compat |= SSH_RH_RSASIGSHA;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Always returns pointer to allocated memory, caller must free. */
|
||||||
|
diff -up openssh-8.7p1/compat.h.sshrsacheck openssh-8.7p1/compat.h
|
||||||
|
--- openssh-8.7p1/compat.h.sshrsacheck 2021-08-20 06:03:49.000000000 +0200
|
||||||
|
+++ openssh-8.7p1/compat.h 2023-01-12 13:29:06.358711178 +0100
|
||||||
|
@@ -30,7 +30,7 @@
|
||||||
|
#define SSH_BUG_UTF8TTYMODE 0x00000001
|
||||||
|
#define SSH_BUG_SIGTYPE 0x00000002
|
||||||
|
#define SSH_BUG_SIGTYPE74 0x00000004
|
||||||
|
-/* #define unused 0x00000008 */
|
||||||
|
+#define SSH_RH_RSASIGSHA 0x00000008
|
||||||
|
#define SSH_OLD_SESSIONID 0x00000010
|
||||||
|
/* #define unused 0x00000020 */
|
||||||
|
#define SSH_BUG_DEBUG 0x00000040
|
||||||
|
diff -up openssh-8.7p1/monitor.c.sshrsacheck openssh-8.7p1/monitor.c
|
||||||
|
--- openssh-8.7p1/monitor.c.sshrsacheck 2023-01-20 13:07:54.279676981 +0100
|
||||||
|
+++ openssh-8.7p1/monitor.c 2023-01-20 15:01:07.007821379 +0100
|
||||||
|
@@ -660,11 +660,12 @@ mm_answer_sign(struct ssh *ssh, int sock
|
||||||
|
struct sshkey *key;
|
||||||
|
struct sshbuf *sigbuf = NULL;
|
||||||
|
u_char *p = NULL, *signature = NULL;
|
||||||
|
- char *alg = NULL;
|
||||||
|
+ char *alg = NULL, *effective_alg;
|
||||||
|
size_t datlen, siglen, alglen;
|
||||||
|
int r, is_proof = 0;
|
||||||
|
u_int keyid, compat;
|
||||||
|
const char proof_req[] = "hostkeys-prove-00@openssh.com";
|
||||||
|
+ const char safe_rsa[] = "rsa-sha2-256";
|
||||||
|
|
||||||
|
debug3_f("entering");
|
||||||
|
|
||||||
|
@@ -719,18 +720,30 @@ mm_answer_sign(struct ssh *ssh, int sock
|
||||||
|
}
|
||||||
|
|
||||||
|
if ((key = get_hostkey_by_index(keyid)) != NULL) {
|
||||||
|
- if ((r = sshkey_sign(key, &signature, &siglen, p, datlen, alg,
|
||||||
|
+ if (ssh->compat & SSH_RH_RSASIGSHA && strcmp(alg, "ssh-rsa") == 0
|
||||||
|
+ && (sshkey_type_plain(key->type) == KEY_RSA)) {
|
||||||
|
+ effective_alg = safe_rsa;
|
||||||
|
+ } else {
|
||||||
|
+ effective_alg = alg;
|
||||||
|
+ }
|
||||||
|
+ if ((r = sshkey_sign(key, &signature, &siglen, p, datlen, effective_alg,
|
||||||
|
options.sk_provider, NULL, compat)) != 0)
|
||||||
|
fatal_fr(r, "sign");
|
||||||
|
} else if ((key = get_hostkey_public_by_index(keyid, ssh)) != NULL &&
|
||||||
|
auth_sock > 0) {
|
||||||
|
+ if (ssh->compat & SSH_RH_RSASIGSHA && strcmp(alg, "ssh-rsa") == 0
|
||||||
|
+ && (sshkey_type_plain(key->type) == KEY_RSA)) {
|
||||||
|
+ effective_alg = safe_rsa;
|
||||||
|
+ } else {
|
||||||
|
+ effective_alg = alg;
|
||||||
|
+ }
|
||||||
|
if ((r = ssh_agent_sign(auth_sock, key, &signature, &siglen,
|
||||||
|
- p, datlen, alg, compat)) != 0)
|
||||||
|
+ p, datlen, effective_alg, compat)) != 0)
|
||||||
|
fatal_fr(r, "agent sign");
|
||||||
|
} else
|
||||||
|
fatal_f("no hostkey from index %d", keyid);
|
||||||
|
|
||||||
|
- debug3_f("%s %s signature len=%zu", alg,
|
||||||
|
+ debug3_f("%s (effective: %s) %s signature len=%zu", alg, effective_alg,
|
||||||
|
is_proof ? "hostkey proof" : "KEX", siglen);
|
||||||
|
|
||||||
|
sshbuf_reset(m);
|
||||||
|
diff -up openssh-8.7p1/regress/unittests/kex/test_kex.c.sshrsacheck openssh-8.7p1/regress/unittests/kex/test_kex.c
|
||||||
|
--- openssh-8.7p1/regress/unittests/kex/test_kex.c.sshrsacheck 2023-01-26 13:34:52.645743677 +0100
|
||||||
|
+++ openssh-8.7p1/regress/unittests/kex/test_kex.c 2023-01-26 13:36:56.220745823 +0100
|
||||||
|
@@ -97,7 +97,8 @@ do_kex_with_key(char *kex, int keytype,
|
||||||
|
memcpy(kex_params.proposal, myproposal, sizeof(myproposal));
|
||||||
|
if (kex != NULL)
|
||||||
|
kex_params.proposal[PROPOSAL_KEX_ALGS] = kex;
|
||||||
|
- keyname = strdup(sshkey_ssh_name(private));
|
||||||
|
+ keyname = (strcmp(sshkey_ssh_name(private), "ssh-rsa")) ?
|
||||||
|
+ strdup(sshkey_ssh_name(private)) : strdup("rsa-sha2-256");
|
||||||
|
ASSERT_PTR_NE(keyname, NULL);
|
||||||
|
kex_params.proposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = keyname;
|
||||||
|
ASSERT_INT_EQ(ssh_init(&client, 0, &kex_params), 0);
|
||||||
|
diff -up openssh-8.7p1/regress/unittests/sshkey/test_file.c.sshrsacheck openssh-8.7p1/regress/unittests/sshkey/test_file.c
|
||||||
|
--- openssh-8.7p1/regress/unittests/sshkey/test_file.c.sshrsacheck 2023-01-26 12:04:55.946343408 +0100
|
||||||
|
+++ openssh-8.7p1/regress/unittests/sshkey/test_file.c 2023-01-26 12:06:35.235164432 +0100
|
||||||
|
@@ -110,6 +110,7 @@ sshkey_file_tests(void)
|
||||||
|
sshkey_free(k2);
|
||||||
|
TEST_DONE();
|
||||||
|
|
||||||
|
+ /* Skip this test, SHA1 signatures are not supported
|
||||||
|
TEST_START("load RSA cert with SHA1 signature");
|
||||||
|
ASSERT_INT_EQ(sshkey_load_cert(test_data_file("rsa_1_sha1"), &k2), 0);
|
||||||
|
ASSERT_PTR_NE(k2, NULL);
|
||||||
|
@@ -117,7 +118,7 @@ sshkey_file_tests(void)
|
||||||
|
ASSERT_INT_EQ(sshkey_equal_public(k1, k2), 1);
|
||||||
|
ASSERT_STRING_EQ(k2->cert->signature_type, "ssh-rsa");
|
||||||
|
sshkey_free(k2);
|
||||||
|
- TEST_DONE();
|
||||||
|
+ TEST_DONE(); */
|
||||||
|
|
||||||
|
TEST_START("load RSA cert with SHA512 signature");
|
||||||
|
ASSERT_INT_EQ(sshkey_load_cert(test_data_file("rsa_1_sha512"), &k2), 0);
|
||||||
|
diff -up openssh-8.7p1/regress/unittests/sshkey/test_fuzz.c.sshrsacheck openssh-8.7p1/regress/unittests/sshkey/test_fuzz.c
|
||||||
|
--- openssh-8.7p1/regress/unittests/sshkey/test_fuzz.c.sshrsacheck 2023-01-26 12:10:37.533168013 +0100
|
||||||
|
+++ openssh-8.7p1/regress/unittests/sshkey/test_fuzz.c 2023-01-26 12:15:35.637631860 +0100
|
||||||
|
@@ -333,13 +333,14 @@ sshkey_fuzz_tests(void)
|
||||||
|
TEST_DONE();
|
||||||
|
|
||||||
|
#ifdef WITH_OPENSSL
|
||||||
|
+ /* Skip this test, SHA1 signatures are not supported
|
||||||
|
TEST_START("fuzz RSA sig");
|
||||||
|
buf = load_file("rsa_1");
|
||||||
|
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
|
||||||
|
sshbuf_free(buf);
|
||||||
|
sig_fuzz(k1, "ssh-rsa");
|
||||||
|
sshkey_free(k1);
|
||||||
|
- TEST_DONE();
|
||||||
|
+ TEST_DONE();*/
|
||||||
|
|
||||||
|
TEST_START("fuzz RSA SHA256 sig");
|
||||||
|
buf = load_file("rsa_1");
|
||||||
|
diff -up openssh-8.7p1/regress/unittests/sshkey/test_sshkey.c.sshrsacheck openssh-8.7p1/regress/unittests/sshkey/test_sshkey.c
|
||||||
|
--- openssh-8.7p1/regress/unittests/sshkey/test_sshkey.c.sshrsacheck 2023-01-26 11:02:52.339413463 +0100
|
||||||
|
+++ openssh-8.7p1/regress/unittests/sshkey/test_sshkey.c 2023-01-26 11:58:42.324253896 +0100
|
||||||
|
@@ -60,6 +60,9 @@ build_cert(struct sshbuf *b, struct sshk
|
||||||
|
u_char *sigblob;
|
||||||
|
size_t siglen;
|
||||||
|
|
||||||
|
+ /* ssh-rsa implies SHA1, forbidden in DEFAULT cp */
|
||||||
|
+ int expected = (sig_alg == NULL || strcmp(sig_alg, "ssh-rsa") == 0) ? SSH_ERR_LIBCRYPTO_ERROR : 0;
|
||||||
|
+
|
||||||
|
ca_buf = sshbuf_new();
|
||||||
|
ASSERT_PTR_NE(ca_buf, NULL);
|
||||||
|
ASSERT_INT_EQ(sshkey_putb(ca_key, ca_buf), 0);
|
||||||
|
@@ -101,8 +104,9 @@ build_cert(struct sshbuf *b, struct sshk
|
||||||
|
ASSERT_INT_EQ(sshbuf_put_string(b, NULL, 0), 0); /* reserved */
|
||||||
|
ASSERT_INT_EQ(sshbuf_put_stringb(b, ca_buf), 0); /* signature key */
|
||||||
|
ASSERT_INT_EQ(sshkey_sign(sign_key, &sigblob, &siglen,
|
||||||
|
- sshbuf_ptr(b), sshbuf_len(b), sig_alg, NULL, NULL, 0), 0);
|
||||||
|
- ASSERT_INT_EQ(sshbuf_put_string(b, sigblob, siglen), 0); /* signature */
|
||||||
|
+ sshbuf_ptr(b), sshbuf_len(b), sig_alg, NULL, NULL, 0), expected);
|
||||||
|
+ if (expected == 0)
|
||||||
|
+ ASSERT_INT_EQ(sshbuf_put_string(b, sigblob, siglen), 0); /* signature */
|
||||||
|
|
||||||
|
free(sigblob);
|
||||||
|
sshbuf_free(ca_buf);
|
||||||
|
@@ -119,16 +123,22 @@ signature_test(struct sshkey *k, struct
|
||||||
|
{
|
||||||
|
size_t len;
|
||||||
|
u_char *sig;
|
||||||
|
+ /* ssh-rsa implies SHA1, forbidden in DEFAULT cp in RHEL, permitted in Fedora */
|
||||||
|
+ int expected = (sig_alg && strcmp(sig_alg, "ssh-rsa") == 0) ? sshkey_sign(k, &sig, &len, d, l, sig_alg, NULL, NULL, 0) : 0;
|
||||||
|
+ if (k && (sshkey_type_plain(k->type) == KEY_DSA || sshkey_type_plain(k->type) == KEY_DSA_CERT))
|
||||||
|
+ expected = sshkey_sign(k, &sig, &len, d, l, sig_alg, NULL, NULL, 0);
|
||||||
|
|
||||||
|
ASSERT_INT_EQ(sshkey_sign(k, &sig, &len, d, l, sig_alg,
|
||||||
|
- NULL, NULL, 0), 0);
|
||||||
|
- ASSERT_SIZE_T_GT(len, 8);
|
||||||
|
- ASSERT_PTR_NE(sig, NULL);
|
||||||
|
- ASSERT_INT_EQ(sshkey_verify(k, sig, len, d, l, NULL, 0, NULL), 0);
|
||||||
|
- ASSERT_INT_NE(sshkey_verify(bad, sig, len, d, l, NULL, 0, NULL), 0);
|
||||||
|
- /* Fuzz test is more comprehensive, this is just a smoke test */
|
||||||
|
- sig[len - 5] ^= 0x10;
|
||||||
|
- ASSERT_INT_NE(sshkey_verify(k, sig, len, d, l, NULL, 0, NULL), 0);
|
||||||
|
+ NULL, NULL, 0), expected);
|
||||||
|
+ if (expected == 0) {
|
||||||
|
+ ASSERT_SIZE_T_GT(len, 8);
|
||||||
|
+ ASSERT_PTR_NE(sig, NULL);
|
||||||
|
+ ASSERT_INT_EQ(sshkey_verify(k, sig, len, d, l, NULL, 0, NULL), 0);
|
||||||
|
+ ASSERT_INT_NE(sshkey_verify(bad, sig, len, d, l, NULL, 0, NULL), 0);
|
||||||
|
+ /* Fuzz test is more comprehensive, this is just a smoke test */
|
||||||
|
+ sig[len - 5] ^= 0x10;
|
||||||
|
+ ASSERT_INT_NE(sshkey_verify(k, sig, len, d, l, NULL, 0, NULL), 0);
|
||||||
|
+ }
|
||||||
|
free(sig);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -514,7 +524,7 @@ sshkey_tests(void)
|
||||||
|
ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_1.pub"), &k2,
|
||||||
|
NULL), 0);
|
||||||
|
k3 = get_private("rsa_1");
|
||||||
|
- build_cert(b, k2, "ssh-rsa-cert-v01@openssh.com", k3, k1, NULL);
|
||||||
|
+ build_cert(b, k2, "ssh-rsa-cert-v01@openssh.com", k3, k1, "rsa-sha2-256");
|
||||||
|
ASSERT_INT_EQ(sshkey_from_blob(sshbuf_ptr(b), sshbuf_len(b), &k4),
|
||||||
|
SSH_ERR_KEY_CERT_INVALID_SIGN_KEY);
|
||||||
|
ASSERT_PTR_EQ(k4, NULL);
|
||||||
|
diff -up openssh-8.7p1/serverloop.c.sshrsacheck openssh-8.7p1/serverloop.c
|
||||||
|
--- openssh-8.7p1/serverloop.c.sshrsacheck 2023-01-12 14:57:08.118400073 +0100
|
||||||
|
+++ openssh-8.7p1/serverloop.c 2023-01-12 14:59:17.330470518 +0100
|
||||||
|
@@ -80,6 +80,7 @@
|
||||||
|
#include "auth-options.h"
|
||||||
|
#include "serverloop.h"
|
||||||
|
#include "ssherr.h"
|
||||||
|
+#include "compat.h"
|
||||||
|
|
||||||
|
extern ServerOptions options;
|
||||||
|
|
||||||
|
@@ -737,6 +737,10 @@ server_input_hostkeys_prove(struct ssh *
|
||||||
|
else if (ssh->kex->flags & KEX_RSA_SHA2_256_SUPPORTED)
|
||||||
|
sigalg = "rsa-sha2-256";
|
||||||
|
}
|
||||||
|
+ if (ssh->compat & SSH_RH_RSASIGSHA && sigalg == NULL) {
|
||||||
|
+ sigalg = "rsa-sha2-512";
|
||||||
|
+ debug3_f("SHA1 signature is not supported, falling back to %s", sigalg);
|
||||||
|
+ }
|
||||||
|
debug3_f("sign %s key (index %d) using sigalg %s",
|
||||||
|
sshkey_type(key), ndx, sigalg == NULL ? "default" : sigalg);
|
||||||
|
if ((r = sshbuf_put_cstring(sigbuf,
|
||||||
|
diff -up openssh-8.7p1/sshconnect2.c.sshrsacheck openssh-8.7p1/sshconnect2.c
|
||||||
|
--- openssh-8.7p1/sshconnect2.c.sshrsacheck 2023-01-25 15:33:29.140353651 +0100
|
||||||
|
+++ openssh-8.7p1/sshconnect2.c 2023-01-25 15:59:34.225364883 +0100
|
||||||
|
@@ -1461,6 +1464,14 @@ identity_sign(struct identity *id, u_cha
|
||||||
|
retried = 1;
|
||||||
|
goto retry_pin;
|
||||||
|
}
|
||||||
|
+ if ((r == SSH_ERR_LIBCRYPTO_ERROR) && strcmp("ssh-rsa", alg)) {
|
||||||
|
+ char rsa_safe_alg[] = "rsa-sha2-512";
|
||||||
|
+ debug3_f("trying to fallback to algorithm %s", rsa_safe_alg);
|
||||||
|
+
|
||||||
|
+ if ((r = sshkey_sign(sign_key, sigp, lenp, data, datalen,
|
||||||
|
+ rsa_safe_alg, options.sk_provider, pin, compat)) != 0)
|
||||||
|
+ debug_fr(r, "sshkey_sign - RSA fallback");
|
||||||
|
+ }
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff -up openssh-8.7p1/ssh-rsa.c.sshrsacheck openssh-8.7p1/ssh-rsa.c
|
||||||
|
--- openssh-8.7p1/ssh-rsa.c.sshrsacheck 2023-01-20 13:07:54.180676144 +0100
|
||||||
|
+++ openssh-8.7p1/ssh-rsa.c 2023-01-20 13:07:54.290677074 +0100
|
||||||
|
@@ -254,7 +254,8 @@ ssh_rsa_verify(const struct sshkey *key,
|
||||||
|
ret = SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
- if (hash_alg != want_alg) {
|
||||||
|
+ if (hash_alg != want_alg && want_alg != SSH_DIGEST_SHA1) {
|
||||||
|
+ debug_f("Unexpected digest algorithm: got %d, wanted %d", hash_alg, want_alg);
|
||||||
|
ret = SSH_ERR_SIGNATURE_INVALID;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
diff -up openssh-9.8p1/sshd-session.c.xxx openssh-9.8p1/sshd-session.c
|
||||||
|
--- openssh-9.8p1/sshd-session.c.xxx 2024-07-23 15:08:14.794350818 +0200
|
||||||
|
+++ openssh-9.8p1/sshd-session.c 2024-07-23 15:40:21.658456636 +0200
|
||||||
|
@@ -1305,6 +1305,27 @@ main(int ac, char **av)
|
||||||
|
|
||||||
|
check_ip_options(ssh);
|
||||||
|
|
||||||
|
+ {
|
||||||
|
+ struct sshkey *rsakey = NULL;
|
||||||
|
+ rsakey = get_hostkey_private_by_type(KEY_RSA, 0, ssh);
|
||||||
|
+ if (rsakey == NULL)
|
||||||
|
+ rsakey = get_hostkey_private_by_type(KEY_RSA_CERT, 0, ssh);
|
||||||
|
+
|
||||||
|
+ if (rsakey != NULL) {
|
||||||
|
+ size_t sign_size = 0;
|
||||||
|
+ u_char *tmp = NULL;
|
||||||
|
+ u_char data[] = "Test SHA1 vector";
|
||||||
|
+ int res;
|
||||||
|
+
|
||||||
|
+ res = sshkey_sign(rsakey, &tmp, &sign_size, data, sizeof(data), NULL, NULL, NULL, 0);
|
||||||
|
+ free(tmp);
|
||||||
|
+ if (res == SSH_ERR_LIBCRYPTO_ERROR) {
|
||||||
|
+ verbose_f("SHA1 in signatures is disabled for RSA keys");
|
||||||
|
+ ssh->compat |= SSH_RH_RSASIGSHA;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* Prepare the channels layer */
|
||||||
|
channel_init_channels(ssh);
|
||||||
|
channel_set_af(ssh, options.address_family);
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user