pool/openssh
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 737034 from home:hpjansson:branches:network

Browse Source 
Version update to 8.1p1:
  * ssh-keygen(1): when acting as a CA and signing certificates with
    an RSA key, default to using the rsa-sha2-512 signature algorithm.
    Certificates signed by RSA keys will therefore be incompatible
    with OpenSSH versions prior to 7.2 unless the default is
    overridden (using "ssh-keygen -t ssh-rsa -s ...").
  * ssh(1): Allow %n to be expanded in ProxyCommand strings
  * ssh(1), sshd(8): Allow prepending a list of algorithms to the
    default set by starting the list with the '^' character, E.g.
    "HostKeyAlgorithms ^ssh-ed25519"
  * ssh-keygen(1): add an experimental lightweight signature and
    verification ability. Signatures may be made using regular ssh keys
    held on disk or stored in a ssh-agent and verified against an
    authorized_keys-like list of allowed keys. Signatures embed a
    namespace that prevents confusion and attacks between different
    usage domains (e.g. files vs email).
  * ssh-keygen(1): print key comment when extracting public key from a
    private key.
  * ssh-keygen(1): accept the verbose flag when searching for host keys
    in known hosts (i.e. "ssh-keygen -vF host") to print the matching
    host's random-art signature too.
  * All: support PKCS8 as an optional format for storage of private
    keys to disk.  The OpenSSH native key format remains the default,
    but PKCS8 is a superior format to PEM if interoperability with
    non-OpenSSH software is required, as it may use a less insecure
    key derivation function than PEM's.
- Additional changes from 8.0p1 release:
  * scp(1): Add "-T" flag to disable client-side filtering of
    server file list.
  * sshd(8): Remove support for obsolete "host/port" syntax.

OBS-URL: https://build.opensuse.org/request/show/737034
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=197
This commit is contained in:
Tomáš Chvátal 2019-10-10 13:32:50 +00:00 committed by Git OBS Bridge
parent 9a25e259e6
commit 318211936a
28 changed files with 5336 additions and 5806 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

252
0001-upstream-Fix-two-race-conditions-in-sshd-relating-to.patch
View File

@ -1,252 +0,0 @@
From 76a24b3fa193a9ca3e47a8779d497cb06500798b Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Fri, 1 Mar 2019 02:32:39 +0000
Subject: upstream: Fix two race conditions in sshd relating to SIGHUP:
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
1. Recently-forked child processes will briefly remain listening to
listen_socks. If the main server sshd process completes its restart
via execv() before these sockets are closed by the child processes
then it can fail to listen at the desired addresses/ports and/or
fail to restart.
2. When a SIGHUP is received, there may be forked child processes that
are awaiting their reexecution state. If the main server sshd
process restarts before passing this state, these child processes
will yield errors and use a fallback path of reading the current
sshd_config from the filesystem rather than use the one that sshd
was started with.
To fix both of these cases, we reuse the startup_pipes that are shared
between the main server sshd and forked children. Previously this was
used solely to implement tracking of pre-auth child processes for
MaxStartups, but this extends the messaging over these pipes to include
a child->parent message that the parent process is safe to restart. This
message is sent from the child after it has completed its preliminaries:
closing listen_socks and receiving its reexec state.
bz#2953, reported by Michal Koutný; ok markus@ dtucker@
OpenBSD-Commit-ID: 7df09eacfa3ce13e9a7b1e9f17276ecc924d65ab
---
sshd.c | 114 +++++++++++++++++++++++++++++++++++++++++++++++++----------------
1 file changed, 86 insertions(+), 28 deletions(-)
Index: openssh-7.9p1/sshd.c
===================================================================
--- openssh-7.9p1.orig/sshd.c 2019-03-11 15:26:34.532966127 +0100
+++ openssh-7.9p1/sshd.c 2019-03-11 16:05:21.242748303 +0100
@@ -240,9 +240,26 @@ u_int session_id2_len = 0;
/* record remote hostname or ip */
u_int utmp_len = HOST_NAME_MAX+1;
-/* options.max_startup sized array of fd ints */
+/*
+ * startup_pipes/flags are used for tracking children of the listening sshd
+ * process early in their lifespans. This tracking is needed for three things:
+ *
+ * 1) Implementing the MaxStartups limit of concurrent unauthenticated
+ * connections.
+ * 2) Avoiding a race condition for SIGHUP processing, where child processes
+ * may have listen_socks open that could collide with main listener process
+ * after it restarts.
+ * 3) Ensuring that rexec'd sshd processes have received their initial state
+ * from the parent listen process before handling SIGHUP.
+ *
+ * Child processes signal that they have completed closure of the listen_socks
+ * and (if applicable) received their rexec state by sending a char over their
+ * sock. Child processes signal that authentication has completed by closing
+ * the sock (or by exiting).
+ */
int *startup_pipes = NULL;
-int startup_pipe; /* in child */
+static int *startup_flags = NULL; /* Indicates child closed listener */
+static int startup_pipe = -1; /* in child */
/* variables used for privilege separation */
int use_privsep = -1;
@@ -1081,14 +1098,9 @@ server_accept_inetd(int *sock_in, int *s
{
int fd;
- startup_pipe = -1;
if (rexeced_flag) {
close(REEXEC_CONFIG_PASS_FD);
*sock_in = *sock_out = dup(STDIN_FILENO);
- if (!debug_flag) {
- startup_pipe = dup(REEXEC_STARTUP_PIPE_FD);
- close(REEXEC_STARTUP_PIPE_FD);
- }
} else {
*sock_in = dup(STDIN_FILENO);
*sock_out = dup(STDOUT_FILENO);
@@ -1213,8 +1225,9 @@ server_accept_loop(int *sock_in, int *so
{
fd_set *fdset;
int i, j, ret, maxfd;
- int startups = 0;
+ int startups = 0, listening = 0, lameduck = 0;
int startup_p[2] = { -1 , -1 };
+ char c = 0;
struct sockaddr_storage from;
socklen_t fromlen;
pid_t pid;
@@ -1228,6 +1241,7 @@ server_accept_loop(int *sock_in, int *so
maxfd = listen_socks[i];
/* pipes connected to unauthenticated childs */
startup_pipes = xcalloc(options.max_startups, sizeof(int));
+ startup_flags = xcalloc(options.max_startups, sizeof(int));
for (i = 0; i < options.max_startups; i++)
startup_pipes[i] = -1;
@@ -1236,8 +1250,15 @@ server_accept_loop(int *sock_in, int *so
* the daemon is killed with a signal.
*/
for (;;) {
- if (received_sighup)
- sighup_restart();
+ if (received_sighup) {
+ if (!lameduck) {
+ debug("Received SIGHUP; waiting for children");
+ close_listen_socks();
+ lameduck = 1;
+ }
+ if (listening <= 0)
+ sighup_restart();
+ }
free(fdset);
fdset = xcalloc(howmany(maxfd + 1, NFDBITS),
sizeof(fd_mask));
@@ -1264,19 +1285,37 @@ server_accept_loop(int *sock_in, int *so
if (ret < 0)
continue;
- for (i = 0; i < options.max_startups; i++)
- if (startup_pipes[i] != -1 &&
- FD_ISSET(startup_pipes[i], fdset)) {
- /*
- * the read end of the pipe is ready
- * if the child has closed the pipe
- * after successful authentication
- * or if the child has died
- */
+ for (i = 0; i < options.max_startups; i++) {
+ if (startup_pipes[i] == -1 ||
+ !FD_ISSET(startup_pipes[i], fdset))
+ continue;
+ switch (read(startup_pipes[i], &c, sizeof(c))) {
+ case -1:
+ if (errno == EINTR || errno == EAGAIN)
+ continue;
+ if (errno != EPIPE) {
+ error("%s: startup pipe %d (fd=%d): "
+ "read %s", __func__, i,
+ startup_pipes[i], strerror(errno));
+ }
+ /* FALLTHROUGH */
+ case 0:
+ /* child exited or completed auth */
close(startup_pipes[i]);
startup_pipes[i] = -1;
startups--;
+ if (startup_flags[i])
+ listening--;
+ break;
+ case 1:
+ /* child has finished preliminaries */
+ if (startup_flags[i]) {
+ listening--;
+ startup_flags[i] = 0;
+ }
+ break;
}
+ }
for (i = 0; i < num_listen_socks; i++) {
if (!FD_ISSET(listen_socks[i], fdset))
continue;
@@ -1330,6 +1369,7 @@ server_accept_loop(int *sock_in, int *so
if (maxfd < startup_p[0])
maxfd = startup_p[0];
startups++;
+ startup_flags[j] = 1;
break;
}
if(!(--re_seeding_counter)) {
@@ -1359,7 +1399,7 @@ server_accept_loop(int *sock_in, int *so
send_rexec_state(config_s[0], cfg);
close(config_s[0]);
}
- break;
+ return;
}
/*
@@ -1368,13 +1408,14 @@ server_accept_loop(int *sock_in, int *so
* parent continues listening.
*/
platform_pre_fork();
+ listening++;
if ((pid = fork()) == 0) {
/*
* Child. Close the listening and
* max_startup sockets. Start using
* the accepted socket. Reinitialize
* logging (since our pid has changed).
- * We break out of the loop to handle
+ * We return from this function to handle
* the connection.
*/
platform_post_fork_child();
@@ -1389,7 +1430,18 @@ server_accept_loop(int *sock_in, int *so
log_stderr);
if (rexec_flag)
close(config_s[0]);
- break;
+ else {
+ /*
+ * Signal parent that the preliminaries
+ * for this child are complete. For the
+ * re-exec case, this happens after the
+ * child has received the rexec state
+ * from the server.
+ */
+ (void)atomicio(vwrite, startup_pipe,
+ "\0", 1);
+ }
+ return;
}
/* Parent. Stay in the loop. */
@@ -1421,10 +1473,6 @@ server_accept_loop(int *sock_in, int *so
#endif
explicit_bzero(rnd, sizeof(rnd));
}
-
- /* child process check (or debug mode) */
- if (num_listen_socks < 0)
- break;
}
}
@@ -1760,8 +1808,18 @@ main(int ac, char **av)
/* Fetch our configuration */
if ((cfg = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__);
- if (rexeced_flag)
+ if (rexeced_flag) {
recv_rexec_state(REEXEC_CONFIG_PASS_FD, cfg);
+ if (!debug_flag) {
+ startup_pipe = dup(REEXEC_STARTUP_PIPE_FD);
+ close(REEXEC_STARTUP_PIPE_FD);
+ /*
+ * Signal parent that this child is at a point where
+ * they can go away if they have a SIGHUP pending.
+ */
+ (void)atomicio(vwrite, startup_pipe, "\0", 1);
+ }
+ }
else if (strcasecmp(config_file_name, "none") != 0)
load_server_config(config_file_name, cfg);

21
openssh-7.7p1-X_forward_with_disabled_ipv6.patch
View File

@ -3,15 +3,11 @@
Do not throw away already open sockets for X11 forwarding if another socket
family is not available for bind()
diff --git a/openssh-7.7p1/channels.c b/openssh-7.7p1/channels.c
--- openssh-7.7p1/channels.c
+++ openssh-7.7p1/channels.c
@@ -4421,16 +4421,23 @@ x11_create_display_inet(struct ssh *ssh,
if (ai->ai_family == AF_INET6)
sock_set_v6only(sock);
if (x11_use_localhost)
set_reuseaddr(sock);
if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
diff --git a/channels.c b/channels.c
index f51b7e3..95af47e 100644
--- a/channels.c
+++ b/channels.c
@@ -4637,6 +4637,13 @@ x11_create_display_inet(struct ssh *ssh, int x11_display_offset,
debug2("%s: bind port %d: %.100s", __func__,
port, strerror(errno));
close(sock);
@ -21,12 +17,7 @@ diff --git a/openssh-7.7p1/channels.c b/openssh-7.7p1/channels.c
+ * disabled while being supported)
+ */
+ if (EADDRNOTAVAIL == errno)
+ continue;
+ continue;
for (n = 0; n < num_socks; n++)
close(socks[n]);
num_socks = 0;
break;
}
socks[num_socks++] = sock;
if (num_socks == NUM_SOCKS)
break;

45
openssh-7.7p1-cavstest-ctr.patch
View File

@ -2,11 +2,11 @@
# Parent cc1022edba2c5eeb0facba08468f65afc2466b63
CAVS test for OpenSSH's own CTR encryption mode implementation
Index: openssh-7.9p1/Makefile.in
===================================================================
--- openssh-7.9p1.orig/Makefile.in
+++ openssh-7.9p1/Makefile.in
@@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
diff --git a/Makefile.in b/Makefile.in
index 7488595..d426006 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
@ -23,7 +23,7 @@ Index: openssh-7.9p1/Makefile.in
XMSS_OBJS=\
ssh-xmss.o \
sshkey-xmss.o \
@@ -204,6 +207,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss
@@ -210,6 +213,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o s
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
@ -34,7 +34,7 @@ Index: openssh-7.9p1/Makefile.in
# test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
@@ -348,6 +355,7 @@ install-files:
@@ -354,6 +361,7 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@ -42,10 +42,11 @@ Index: openssh-7.9p1/Makefile.in
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
Index: openssh-7.9p1/cavstest-ctr.c
===================================================================
diff --git a/cavstest-ctr.c b/cavstest-ctr.c
new file mode 100644
index 0000000..f81cb72
--- /dev/null
+++ openssh-7.9p1/cavstest-ctr.c
+++ b/cavstest-ctr.c
@@ -0,0 +1,214 @@
+/*
+ *
@ -261,13 +262,13 @@ Index: openssh-7.9p1/cavstest-ctr.c
+ printf("\n");
+ return 0;
+}
Index: openssh-7.9p1/cipher.c
===================================================================
--- openssh-7.9p1.orig/cipher.c
+++ openssh-7.9p1/cipher.c
@@ -54,15 +54,6 @@
#include "fips.h"
#include "log.h"
diff --git a/cipher.c b/cipher.c
index acca752..b67a4ff 100644
--- a/cipher.c
+++ b/cipher.c
@@ -58,15 +58,6 @@
#define EVP_CIPHER_CTX void
#endif
-struct sshcipher_ctx {
- int plaintext;
@ -281,11 +282,11 @@ Index: openssh-7.9p1/cipher.c
struct sshcipher {
char *name;
u_int block_size;
Index: openssh-7.9p1/cipher.h
===================================================================
--- openssh-7.9p1.orig/cipher.h
+++ openssh-7.9p1/cipher.h
@@ -46,7 +46,15 @@
diff --git a/cipher.h b/cipher.h
index 5843aab..d7d8c89 100644
--- a/cipher.h
+++ b/cipher.h
@@ -48,7 +48,15 @@
#define CIPHER_DECRYPT 0
struct sshcipher;

41
openssh-7.7p1-cavstest-kdf.patch
View File

@ -2,10 +2,10 @@
# Parent 1e1d5a2ab8bddfc800f570755f9ea1addcc878c1
CAVS test for KDF implementation in OpenSSH
Index: openssh-7.9p1/Makefile.in
===================================================================
--- openssh-7.9p1.orig/Makefile.in 2019-03-12 16:12:42.213142294 +0100
+++ openssh-7.9p1/Makefile.in 2019-03-28 13:49:37.150166231 +0100
diff --git a/Makefile.in b/Makefile.in
index d426006..85818f4 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -25,6 +25,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
@ -23,7 +23,7 @@ Index: openssh-7.9p1/Makefile.in
XMSS_OBJS=\
ssh-xmss.o \
@@ -211,6 +212,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sft
@@ -217,6 +218,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glo
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
$(LD) -o $@ cavstest-ctr.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@ -33,7 +33,7 @@ Index: openssh-7.9p1/Makefile.in
# test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
@@ -356,6 +360,7 @@ install-files:
@@ -362,6 +366,7 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
@ -41,11 +41,12 @@ Index: openssh-7.9p1/Makefile.in
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
Index: openssh-7.9p1/cavstest-kdf.c
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ openssh-7.9p1/cavstest-kdf.c 2019-03-28 13:54:20.047709759 +0100
@@ -0,0 +1,384 @@
diff --git a/cavstest-kdf.c b/cavstest-kdf.c
new file mode 100644
index 0000000..a6ecf45
--- /dev/null
+++ b/cavstest-kdf.c
@@ -0,0 +1,402 @@
+/*
+ * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
+ *
@ -93,6 +94,7 @@ Index: openssh-7.9p1/cavstest-kdf.c
+#include <openssl/bn.h>
+
+#include "xmalloc.h"
+#include "ssherr.h"
+#include "sshbuf.h"
+#include "sshkey.h"
+#include "cipher.h"
@ -208,6 +210,23 @@ Index: openssh-7.9p1/cavstest-kdf.c
+ unsigned int ik_len;
+};
+
+#ifdef WITH_OPENSSL
+static int
+kex_derive_keys_bn(struct ssh *ssh, u_char *hash, u_int hashlen,
+ const BIGNUM *secret)
+{
+ struct sshbuf *shared_secret;
+ int r;
+
+ if ((shared_secret = sshbuf_new()) == NULL)
+ return SSH_ERR_ALLOC_FAIL;
+ if ((r = sshbuf_put_bignum2(shared_secret, secret)) == 0)
+ r = kex_derive_keys(ssh, hash, hashlen, shared_secret);
+ sshbuf_free(shared_secret);
+ return r;
+}
+#endif
+
+static int sshkdf_cavs(struct kdf_cavs *test)
+{
+ int ret = 0;

50
openssh-7.7p1-disable_openssl_abi_check.patch
View File

@ -4,15 +4,11 @@ disable run-time check for OpenSSL ABI by version number as that is not a
reliable indicator of ABI changes and doesn't make much sense in a
distribution package
diff --git a/openssh-7.7p1/configure.ac b/openssh-7.7p1/configure.ac
--- openssh-7.7p1/configure.ac
+++ openssh-7.7p1/configure.ac
@@ -4895,16 +4895,29 @@ AC_ARG_WITH([bsd-auth],
if test "x$withval" != "xno" ; then
AC_DEFINE([BSD_AUTH], [1],
[Define if you have BSD auth support])
BSD_AUTH_MSG=yes
fi
diff --git a/configure.ac b/configure.ac
index 42ffd95..20a1884 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4878,6 +4878,19 @@ AC_ARG_WITH([bsd-auth],
]
)
@ -32,33 +28,21 @@ diff --git a/openssh-7.7p1/configure.ac b/openssh-7.7p1/configure.ac
# Where to place sshd.pid
piddir=/var/run
# make sure the directory exists
if test ! -d $piddir ; then
piddir=`eval echo ${sysconfdir}`
case $piddir in
NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
esac
diff --git a/openssh-7.7p1/entropy.c b/openssh-7.7p1/entropy.c
--- openssh-7.7p1/entropy.c
+++ openssh-7.7p1/entropy.c
@@ -209,19 +209,21 @@ rexec_recv_rng_seed(Buffer *m)
#endif /* OPENSSL_PRNG_ONLY */
diff --git a/entropy.c b/entropy.c
index f8b9f42..4957b23 100644
--- a/entropy.c
+++ b/entropy.c
@@ -223,11 +223,13 @@ seed_rng(void)
/* Initialise libcrypto */
ssh_libcrypto_init();
void
seed_rng(void)
{
#ifndef OPENSSL_PRNG_ONLY
unsigned char buf[RANDOM_SEED_SIZE];
#endif
+#ifndef DISTRO_SSL
if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER, SSLeay()))
if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER,
OpenSSL_version_num()))
fatal("OpenSSL version mismatch. Built against %lx, you "
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
"have %lx", (u_long)OPENSSL_VERSION_NUMBER,
OpenSSL_version_num());
+#endif
#ifndef OPENSSL_PRNG_ONLY
if (RAND_status() == 1) {
debug3("RNG is ready, skipping seeding");
return;
}
if (seed_from_prngd(buf, sizeof(buf)) == -1)
if (RAND_status() == 1)

255
openssh-7.7p1-fips.patch
View File

@ -3,23 +3,23 @@
FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved
algorithms.
Index: openssh-7.9p1/Makefile.in
===================================================================
--- openssh-7.9p1.orig/Makefile.in 2019-02-28 17:20:15.767164591 +0100
+++ openssh-7.9p1/Makefile.in 2019-03-12 11:41:49.662894934 +0100
@@ -102,6 +102,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
diff --git a/Makefile.in b/Makefile.in
index 1d2b2d9..7488595 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -103,6 +103,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
platform-pledge.o platform-tracing.o platform-misc.o
+LIBSSH_OBJS += fips.o
+
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect2.o mux.o
Index: openssh-7.9p1/cipher-ctr.c
===================================================================
--- openssh-7.9p1.orig/cipher-ctr.c 2018-10-17 02:01:20.000000000 +0200
+++ openssh-7.9p1/cipher-ctr.c 2019-02-28 17:20:15.919165544 +0100
diff --git a/cipher-ctr.c b/cipher-ctr.c
index 32771f2..b66f92f 100644
--- a/cipher-ctr.c
+++ b/cipher-ctr.c
@@ -27,6 +27,8 @@
#include "xmalloc.h"
#include "log.h"
@ -38,20 +38,21 @@ Index: openssh-7.9p1/cipher-ctr.c
#endif
return (&aes_ctr);
}
Index: openssh-7.9p1/cipher.c
===================================================================
--- openssh-7.9p1.orig/cipher.c 2018-10-17 02:01:20.000000000 +0200
+++ openssh-7.9p1/cipher.c 2019-03-12 11:41:49.662894934 +0100
@@ -51,6 +51,8 @@
diff --git a/cipher.c b/cipher.c
index 25f98ba..acca752 100644
--- a/cipher.c
+++ b/cipher.c
@@ -51,6 +51,9 @@
#include "openbsd-compat/openssl-compat.h"
+#include "fips.h"
+#include "log.h"
struct sshcipher_ctx {
int plaintext;
@@ -80,7 +82,7 @@ struct sshcipher {
+
#ifndef WITH_OPENSSL
#define EVP_CIPHER_CTX void
#endif
@@ -83,7 +86,7 @@ struct sshcipher {
#endif
};
@ -60,7 +61,7 @@ Index: openssh-7.9p1/cipher.c
#ifdef WITH_OPENSSL
#ifndef OPENSSL_NO_DES
{ "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
@@ -111,8 +113,52 @@ static const struct sshcipher ciphers[]
@@ -114,8 +117,52 @@ static const struct sshcipher ciphers[] = {
{ NULL, 0, 0, 0, 0, 0, NULL }
};
@ -113,7 +114,7 @@ Index: openssh-7.9p1/cipher.c
/* Returns a comma-separated list of supported ciphers. */
char *
cipher_alg_list(char sep, int auth_only)
@@ -121,7 +167,7 @@ cipher_alg_list(char sep, int auth_only)
@@ -124,7 +171,7 @@ cipher_alg_list(char sep, int auth_only)
size_t nlen, rlen = 0;
const struct sshcipher *c;
@ -122,7 +123,7 @@ Index: openssh-7.9p1/cipher.c
if ((c->flags & CFLAG_INTERNAL) != 0)
continue;
if (auth_only && c->auth_len == 0)
@@ -193,7 +239,7 @@ const struct sshcipher *
@@ -196,7 +243,7 @@ const struct sshcipher *
cipher_by_name(const char *name)
{
const struct sshcipher *c;
@ -131,10 +132,11 @@ Index: openssh-7.9p1/cipher.c
if (strcmp(c->name, name) == 0)
return c;
return NULL;
Index: openssh-7.9p1/fips.c
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ openssh-7.9p1/fips.c 2019-03-12 11:42:10.971006569 +0100
diff --git a/fips.c b/fips.c
new file mode 100644
index 0000000..23e3876
--- /dev/null
+++ b/fips.c
@@ -0,0 +1,212 @@
+/*
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
@ -348,10 +350,11 @@ Index: openssh-7.9p1/fips.c
+ return dgst;
+}
+
Index: openssh-7.9p1/fips.h
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ openssh-7.9p1/fips.h 2019-03-12 11:41:49.514894158 +0100
diff --git a/fips.h b/fips.h
new file mode 100644
index 0000000..a115a61
--- /dev/null
+++ b/fips.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
@ -397,11 +400,11 @@ Index: openssh-7.9p1/fips.h
+
+#endif
+
Index: openssh-7.9p1/hmac.c
===================================================================
--- openssh-7.9p1.orig/hmac.c 2018-10-17 02:01:20.000000000 +0200
+++ openssh-7.9p1/hmac.c 2019-02-28 17:20:15.919165544 +0100
@@ -144,7 +144,7 @@ hmac_test(void *key, size_t klen, void *
diff --git a/hmac.c b/hmac.c
index 3268887..b905a1e 100644
--- a/hmac.c
+++ b/hmac.c
@@ -146,7 +146,7 @@ hmac_test(void *key, size_t klen, void *m, size_t mlen, u_char *e, size_t elen)
size_t i;
u_char digest[16];
@ -410,11 +413,11 @@ Index: openssh-7.9p1/hmac.c
printf("ssh_hmac_start failed");
if (ssh_hmac_init(ctx, key, klen) < 0 ||
ssh_hmac_update(ctx, m, mlen) < 0 ||
Index: openssh-7.9p1/kex.c
===================================================================
--- openssh-7.9p1.orig/kex.c 2018-10-17 02:01:20.000000000 +0200
+++ openssh-7.9p1/kex.c 2019-02-28 17:20:15.919165544 +0100
@@ -54,6 +54,8 @@
diff --git a/kex.c b/kex.c
index 49d7015..1f82c2e 100644
--- a/kex.c
+++ b/kex.c
@@ -60,6 +60,8 @@
#include "sshbuf.h"
#include "digest.h"
@ -423,7 +426,7 @@ Index: openssh-7.9p1/kex.c
/* prototype */
static int kex_choose_conf(struct ssh *);
static int kex_input_newkeys(int, u_int32_t, struct ssh *);
@@ -77,7 +79,7 @@ struct kexalg {
@@ -83,7 +85,7 @@ struct kexalg {
int ec_nid;
int hash_alg;
};
@ -432,8 +435,8 @@ Index: openssh-7.9p1/kex.c
#ifdef WITH_OPENSSL
{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
@@ -106,6 +108,47 @@ static const struct kexalg kexalgs[] = {
{ NULL, -1, -1, -1},
@@ -114,6 +116,47 @@ static const struct kexalg kexalgs[] = {
{ NULL, 0, -1, -1},
};
+static const struct kexalg kexalgs_fips140_2[] = {
@ -480,7 +483,7 @@ Index: openssh-7.9p1/kex.c
char *
kex_alg_list(char sep)
{
@@ -113,7 +156,7 @@ kex_alg_list(char sep)
@@ -121,7 +164,7 @@ kex_alg_list(char sep)
size_t nlen, rlen = 0;
const struct kexalg *k;
@ -489,7 +492,7 @@ Index: openssh-7.9p1/kex.c
if (ret != NULL)
ret[rlen++] = sep;
nlen = strlen(k->name);
@@ -133,7 +176,7 @@ kex_alg_by_name(const char *name)
@@ -141,7 +184,7 @@ kex_alg_by_name(const char *name)
{
const struct kexalg *k;
@ -498,7 +501,7 @@ Index: openssh-7.9p1/kex.c
if (strcmp(k->name, name) == 0)
return k;
}
@@ -153,7 +196,10 @@ kex_names_valid(const char *names)
@@ -161,7 +204,10 @@ kex_names_valid(const char *names)
for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) {
if (kex_alg_by_name(p) == NULL) {
@ -509,11 +512,11 @@ Index: openssh-7.9p1/kex.c
free(s);
return 0;
}
Index: openssh-7.9p1/mac.c
===================================================================
--- openssh-7.9p1.orig/mac.c 2018-10-17 02:01:20.000000000 +0200
+++ openssh-7.9p1/mac.c 2019-02-28 17:20:15.923165569 +0100
@@ -40,6 +40,9 @@
diff --git a/mac.c b/mac.c
index f3dda66..90d71c8 100644
--- a/mac.c
+++ b/mac.c
@@ -41,6 +41,9 @@
#include "openbsd-compat/openssl-compat.h"
@ -523,7 +526,7 @@ Index: openssh-7.9p1/mac.c
#define SSH_DIGEST 1 /* SSH_DIGEST_XXX */
#define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */
#define SSH_UMAC128 3
@@ -54,7 +57,7 @@ struct macalg {
@@ -55,7 +58,7 @@ struct macalg {
int etm; /* Encrypt-then-MAC */
};
@ -532,7 +535,7 @@ Index: openssh-7.9p1/mac.c
/* Encrypt-and-MAC (encrypt-and-authenticate) variants */
{ "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },
{ "hmac-sha1-96", SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 },
@@ -82,6 +85,41 @@ static const struct macalg macs[] = {
@@ -79,6 +82,41 @@ static const struct macalg macs[] = {
{ NULL, 0, 0, 0, 0, 0, 0 }
};
@ -574,7 +577,7 @@ Index: openssh-7.9p1/mac.c
/* Returns a list of supported MACs separated by the specified char. */
char *
mac_alg_list(char sep)
@@ -90,7 +128,7 @@ mac_alg_list(char sep)
@@ -87,7 +125,7 @@ mac_alg_list(char sep)
size_t nlen, rlen = 0;
const struct macalg *m;
@ -583,7 +586,7 @@ Index: openssh-7.9p1/mac.c
if (ret != NULL)
ret[rlen++] = sep;
nlen = strlen(m->name);
@@ -129,7 +167,7 @@ mac_setup(struct sshmac *mac, char *name
@@ -126,7 +164,7 @@ mac_setup(struct sshmac *mac, char *name)
{
const struct macalg *m;
@ -592,11 +595,11 @@ Index: openssh-7.9p1/mac.c
if (strcmp(name, m->name) != 0)
continue;
if (mac != NULL)
Index: openssh-7.9p1/myproposal.h
===================================================================
--- openssh-7.9p1.orig/myproposal.h 2018-10-17 02:01:20.000000000 +0200
+++ openssh-7.9p1/myproposal.h 2019-02-28 17:20:15.923165569 +0100
@@ -151,6 +151,8 @@
diff --git a/myproposal.h b/myproposal.h
index 34bd10c..e6be484 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -144,6 +144,8 @@
#else /* WITH_OPENSSL */
@ -605,10 +608,10 @@ Index: openssh-7.9p1/myproposal.h
#define KEX_SERVER_KEX \
"curve25519-sha256," \
"curve25519-sha256@libssh.org"
Index: openssh-7.9p1/readconf.c
===================================================================
--- openssh-7.9p1.orig/readconf.c 2018-10-17 02:01:20.000000000 +0200
+++ openssh-7.9p1/readconf.c 2019-02-28 20:20:19.619112418 +0100
diff --git a/readconf.c b/readconf.c
index f78b4d6..228f481 100644
--- a/readconf.c
+++ b/readconf.c
@@ -68,6 +68,8 @@
#include "myproposal.h"
#include "digest.h"
@ -618,7 +621,7 @@ Index: openssh-7.9p1/readconf.c
/* Format of the configuration file:
# Configuration data is parsed as follows:
@@ -1816,6 +1818,23 @@ option_clear_or_none(const char *o)
@@ -1837,6 +1839,23 @@ option_clear_or_none(const char *o)
return o == NULL || strcasecmp(o, "none") == 0;
}
@ -642,7 +645,7 @@ Index: openssh-7.9p1/readconf.c
/*
* Initializes options to special values that indicate that they have not yet
* been set. Read_config_file will only set options with this value. Options
@@ -2095,6 +2114,8 @@ fill_default_options(Options * options)
@@ -2116,6 +2135,8 @@ fill_default_options(Options * options)
options->canonicalize_hostname = SSH_CANONICALISE_NO;
if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
@ -651,7 +654,7 @@ Index: openssh-7.9p1/readconf.c
if (options->update_hostkeys == -1)
options->update_hostkeys = 0;
@@ -2122,6 +2143,7 @@ fill_default_options(Options * options)
@@ -2143,6 +2164,7 @@ fill_default_options(Options * options)
free(all_kex);
free(all_key);
free(all_sig);
@ -659,10 +662,10 @@ Index: openssh-7.9p1/readconf.c
#define CLEAR_ON_NONE(v) \
do { \
Index: openssh-7.9p1/readconf.h
===================================================================
--- openssh-7.9p1.orig/readconf.h 2018-10-17 02:01:20.000000000 +0200
+++ openssh-7.9p1/readconf.h 2019-02-28 17:20:15.923165569 +0100
diff --git a/readconf.h b/readconf.h
index 8e36bf3..67111e9 100644
--- a/readconf.h
+++ b/readconf.h
@@ -197,6 +197,7 @@ typedef struct {
#define SSH_STRICT_HOSTKEY_YES 2
#define SSH_STRICT_HOSTKEY_ASK 3
@ -671,10 +674,10 @@ Index: openssh-7.9p1/readconf.h
void initialize_options(Options *);
void fill_default_options(Options *);
void fill_default_options_for_canonicalization(Options *);
Index: openssh-7.9p1/servconf.c
===================================================================
--- openssh-7.9p1.orig/servconf.c 2019-02-28 17:20:15.851165117 +0100
+++ openssh-7.9p1/servconf.c 2019-02-28 17:20:15.923165569 +0100
diff --git a/servconf.c b/servconf.c
index f58fecb..a8833a9 100644
--- a/servconf.c
+++ b/servconf.c
@@ -64,6 +64,7 @@
#include "auth.h"
#include "myproposal.h"
@ -716,7 +719,7 @@ Index: openssh-7.9p1/servconf.c
}
static void
@@ -410,6 +430,8 @@ fill_default_server_options(ServerOption
@@ -424,6 +444,8 @@ fill_default_server_options(ServerOptions *options)
options->fwd_opts.streamlocal_bind_unlink = 0;
if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
@ -725,20 +728,20 @@ Index: openssh-7.9p1/servconf.c
if (options->disable_forwarding == -1)
options->disable_forwarding = 0;
if (options->expose_userauth_info == -1)
Index: openssh-7.9p1/ssh-keygen.c
===================================================================
--- openssh-7.9p1.orig/ssh-keygen.c 2018-10-17 02:01:20.000000000 +0200
+++ openssh-7.9p1/ssh-keygen.c 2019-02-28 17:20:15.923165569 +0100
@@ -61,6 +61,8 @@
#include "utf8.h"
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 8c829ca..da63fb0 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -64,6 +64,8 @@
#include "authfd.h"
#include "sshsig.h"
+#include "fips.h"
+
#ifdef WITH_OPENSSL
# define DEFAULT_KEY_TYPE_NAME "rsa"
#else
@@ -996,11 +998,13 @@ do_fingerprint(struct passwd *pw)
@@ -1002,11 +1004,13 @@ do_fingerprint(struct passwd *pw)
static void
do_gen_all_hostkeys(struct passwd *pw)
{
@ -754,7 +757,7 @@ Index: openssh-7.9p1/ssh-keygen.c
#ifdef WITH_OPENSSL
{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
@@ -1015,6 +1019,17 @@ do_gen_all_hostkeys(struct passwd *pw)
@@ -1021,6 +1025,17 @@ do_gen_all_hostkeys(struct passwd *pw)
{ NULL, NULL, NULL }
};
@ -769,10 +772,10 @@ Index: openssh-7.9p1/ssh-keygen.c
+ };
+
+ struct Key_types *key_types;
u_int32_t bits = 0;
int first = 0;
struct stat st;
struct sshkey *private, *public;
@@ -1022,6 +1037,12 @@ do_gen_all_hostkeys(struct passwd *pw)
@@ -1029,6 +1044,12 @@ do_gen_all_hostkeys(struct passwd *pw)
int i, type, fd, r;
FILE *f;
@ -785,7 +788,7 @@ Index: openssh-7.9p1/ssh-keygen.c
for (i = 0; key_types[i].key_type; i++) {
public = private = NULL;
prv_tmp = pub_tmp = prv_file = pub_file = NULL;
@@ -2817,6 +2838,15 @@ main(int argc, char **argv)
@@ -3215,6 +3236,15 @@ main(int argc, char **argv)
key_type_name = DEFAULT_KEY_TYPE_NAME;
type = sshkey_type_from_name(key_type_name);
@ -801,35 +804,11 @@ Index: openssh-7.9p1/ssh-keygen.c
type_bits_valid(type, key_type_name, &bits);
if (!quiet)
Index: openssh-7.9p1/ssh_config.0
===================================================================
--- openssh-7.9p1.orig/ssh_config.0 2018-10-19 03:06:19.000000000 +0200
+++ openssh-7.9p1/ssh_config.0 2019-02-28 17:20:15.923165569 +0100
@@ -353,6 +353,9 @@ DESCRIPTION
Specifies the hash algorithm used when displaying key
fingerprints. Valid options are: md5 and sha256 (the default).
+ In the FIPS mode the minimum of SHA-1 is enforced (which means
+ sha256).
+
ForwardAgent
Specifies whether the connection to the authentication agent (if
any) will be forwarded to the remote machine. The argument must
@@ -610,6 +613,9 @@ DESCRIPTION
The list of available key exchange algorithms may also be
obtained using "ssh -Q kex".
+ In the FIPS mode the FIPS standard takes precedence over RFC and
+ forces the minimum to a higher value, currently 2048 bits.
+
LocalCommand
Specifies a command to execute on the local machine after
successfully connecting to the server. The command string
Index: openssh-7.9p1/ssh_config.5
===================================================================
--- openssh-7.9p1.orig/ssh_config.5 2018-10-17 02:01:20.000000000 +0200
+++ openssh-7.9p1/ssh_config.5 2019-02-28 17:20:15.923165569 +0100
@@ -642,6 +642,8 @@ Valid options are:
diff --git a/ssh_config.5 b/ssh_config.5
index 02a8789..f0cb291 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -664,6 +664,8 @@ Valid options are:
and
.Cm sha256
(the default).
@ -838,11 +817,11 @@ Index: openssh-7.9p1/ssh_config.5
.It Cm ForwardAgent
Specifies whether the connection to the authentication agent (if any)
will be forwarded to the remote machine.
Index: openssh-7.9p1/sshd.c
===================================================================
--- openssh-7.9p1.orig/sshd.c 2018-10-17 02:01:20.000000000 +0200
+++ openssh-7.9p1/sshd.c 2019-03-12 11:41:49.514894158 +0100
@@ -123,6 +123,8 @@
diff --git a/sshd.c b/sshd.c
index 6b55ef7..c8086cd 100644
--- a/sshd.c
+++ b/sshd.c
@@ -127,6 +127,8 @@
#include "version.h"
#include "ssherr.h"
@ -851,35 +830,11 @@ Index: openssh-7.9p1/sshd.c
/* Re-exec fds */
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
Index: openssh-7.9p1/sshd_config.0
===================================================================
--- openssh-7.9p1.orig/sshd_config.0 2019-02-28 17:20:15.851165117 +0100
+++ openssh-7.9p1/sshd_config.0 2019-02-28 17:20:15.927165594 +0100
@@ -348,6 +348,9 @@ DESCRIPTION
Specifies the hash algorithm used when logging key fingerprints.
Valid options are: md5 and sha256. The default is sha256.
+ In the FIPS mode the minimum of SHA-1 is enforced (which means
+ sha256).
+
ForceCommand
Forces the execution of the command specified by ForceCommand,
ignoring any command supplied by the client and ~/.ssh/rc if
@@ -555,6 +558,9 @@ DESCRIPTION
The list of available key exchange algorithms may also be
obtained using "ssh -Q kex".
+ In the FIPS mode the FIPS standard takes precedence over RFC and
+ forces the minimum to a higher value, currently 2048 bits.
+
ListenAddress
Specifies the local addresses sshd(8) should listen on. The
following forms may be used:
Index: openssh-7.9p1/sshd_config.5
===================================================================
--- openssh-7.9p1.orig/sshd_config.5 2019-02-28 17:20:15.851165117 +0100
+++ openssh-7.9p1/sshd_config.5 2019-02-28 17:20:15.927165594 +0100
@@ -603,6 +603,8 @@ and
diff --git a/sshd_config.5 b/sshd_config.5
index 0707b47..8818ea5 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -605,6 +605,8 @@ and
.Cm sha256 .
The default is
.Cm sha256 .

86
openssh-7.7p1-fips_checks.patch
View File

@ -14,10 +14,11 @@
# file is not found (or the hash matches), proceed in non-FIPS mode and abort
# otherwise.
Index: openssh-7.9p1/fips-check.c
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ openssh-7.9p1/fips-check.c 2019-03-12 11:42:19.299050200 +0100
diff --git a/fips-check.c b/fips-check.c
new file mode 100644
index 0000000..eceb031
--- /dev/null
+++ b/fips-check.c
@@ -0,0 +1,34 @@
+#include "includes.h"
+#include <fcntl.h>
@ -53,10 +54,10 @@ Index: openssh-7.9p1/fips-check.c
+ fips_ssh_init();
+ return 0;
+}
Index: openssh-7.9p1/fips.c
===================================================================
--- openssh-7.9p1.orig/fips.c 2019-03-12 11:42:19.299050200 +0100
+++ openssh-7.9p1/fips.c 2019-03-12 11:43:02.363275819 +0100
diff --git a/fips.c b/fips.c
index 23e3876..297ae99 100644
--- a/fips.c
+++ b/fips.c
@@ -35,30 +35,293 @@
#include "log.h"
#include "xmalloc.h"
@ -245,9 +246,7 @@ Index: openssh-7.9p1/fips.c
{
int fips_required = 0;
- char *env = getenv(SSH_FORCE_FIPS_ENV);
+ int fips_fd;
+ char fips_sys = 0;
-
- if (env) {
- errno = 0;
- fips_required = strtol(env, NULL, 10);
@ -257,6 +256,9 @@ Index: openssh-7.9p1/fips.c
- fips_required = 0;
- } else
- fips_required = 1;
+ int fips_fd;
+ char fips_sys = 0;
+
+ struct stat dummy;
+ if (-1 == stat(FIPS_PROC_PATH, &dummy)) {
+ switch (errno) {
@ -362,10 +364,10 @@ Index: openssh-7.9p1/fips.c
int
fips_mode(void)
{
Index: openssh-7.9p1/fips.h
===================================================================
--- openssh-7.9p1.orig/fips.h 2019-03-12 11:42:13.819021490 +0100
+++ openssh-7.9p1/fips.h 2019-03-12 11:42:19.303050221 +0100
diff --git a/fips.h b/fips.h
index a115a61..3404684 100644
--- a/fips.h
+++ b/fips.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012 Petr Cerny. All rights reserved.
@ -402,38 +404,38 @@ Index: openssh-7.9p1/fips.h
int fips_mode(void);
int fips_correct_dgst(int);
int fips_dgst_min(void);
@@ -41,4 +56,3 @@ enum fp_type fips_correct_fp_type(enum
@@ -41,4 +56,3 @@ enum fp_type fips_correct_fp_type(enum fp_type);
int fips_filter_crypto(char **, fips_filters);
#endif
-
Index: openssh-7.9p1/sftp-server.c
===================================================================
--- openssh-7.9p1.orig/sftp-server.c 2019-03-12 11:42:13.819021490 +0100
+++ openssh-7.9p1/sftp-server.c 2019-03-12 11:42:19.303050221 +0100
@@ -51,6 +51,8 @@
#include "sftp.h"
#include "sftp-common.h"
diff --git a/sftp-server.c b/sftp-server.c
index b133cbc..c3086b6 100644
--- a/sftp-server.c
+++ b/sftp-server.c
@@ -53,6 +53,8 @@
char *sftp_realpath(const char *, char *); /* sftp-realpath.c */
+#include "fips.h"
+
/* Our verbosity */
static LogLevel log_level = SYSLOG_LEVEL_ERROR;
@@ -1509,6 +1511,9 @@ sftp_server_main(int argc, char **argv,
@@ -1595,6 +1597,9 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
extern char *optarg;
extern char *__progname;
+ /* initialize fips */
+ fips_ssh_init();
+
ssh_malloc_init(); /* must be called before any mallocs */
__progname = ssh_get_progname(argv[0]);
log_init(__progname, log_level, log_facility, log_stderr);
Index: openssh-7.9p1/ssh.c
===================================================================
--- openssh-7.9p1.orig/ssh.c 2019-03-12 11:42:13.823021511 +0100
+++ openssh-7.9p1/ssh.c 2019-03-12 11:42:19.303050221 +0100
diff --git a/ssh.c b/ssh.c
index ee51823..882d1da 100644
--- a/ssh.c
+++ b/ssh.c
@@ -113,6 +113,8 @@
#include "ssh-pkcs11.h"
#endif
@ -443,29 +445,29 @@ Index: openssh-7.9p1/ssh.c
extern char *__progname;
/* Saves a copy of argv for setproctitle emulation */
@@ -593,6 +595,10 @@ main(int ac, char **av)
@@ -596,6 +598,10 @@ main(int ac, char **av)
struct ssh_digest_ctx *md;
u_char conn_hash[SSH_DIGEST_MAX_LENGTH];
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
+ fips_ssh_init();
+
ssh_malloc_init(); /* must be called before any mallocs */
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
Index: openssh-7.9p1/sshd.c
===================================================================
--- openssh-7.9p1.orig/sshd.c 2019-03-12 11:42:13.823021511 +0100
+++ openssh-7.9p1/sshd.c 2019-03-12 11:42:19.303050221 +0100
@@ -1485,6 +1485,10 @@ main(int ac, char **av)
diff --git a/sshd.c b/sshd.c
index c8086cd..bb20eec 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1443,6 +1443,10 @@ main(int ac, char **av)
Authctxt *authctxt;
struct connection_info *connection_info = NULL;
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
+ fips_ssh_init();
+
ssh_malloc_init(); /* must be called before any mallocs */
#ifdef HAVE_SECUREWARE
(void)set_auth_parameters(ac, av);
#endif

3313
openssh-7.7p1-gssapi_key_exchange.patch
View File

File diff suppressed because it is too large Load Diff

32
openssh-7.7p1-hostname_changes_when_forwarding_X.patch
View File

@ -5,11 +5,11 @@ handle hostname changes when forwarding X
bnc#98627
Index: openssh-7.8p1/session.c
===================================================================
--- openssh-7.8p1.orig/session.c
+++ openssh-7.8p1/session.c
@@ -1009,7 +1009,7 @@ copy_environment(char **source, char ***
diff --git a/session.c b/session.c
index 94d7438..d81060c 100644
--- a/session.c
+++ b/session.c
@@ -981,7 +981,7 @@ copy_environment(char **source, char ***env, u_int *envsize)
}
static char **
@ -18,7 +18,7 @@ Index: openssh-7.8p1/session.c
{
char buf[256];
size_t n;
@@ -1213,6 +1213,8 @@ do_setup_env(struct ssh *ssh, Session *s
@@ -1191,6 +1191,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
for (i = 0; env[i]; i++)
fprintf(stderr, " %.200s\n", env[i]);
}
@ -27,7 +27,7 @@ Index: openssh-7.8p1/session.c
return env;
}
@@ -1221,7 +1223,7 @@ do_setup_env(struct ssh *ssh, Session *s
@@ -1199,7 +1201,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
* first in this order).
*/
static void
@ -36,7 +36,7 @@ Index: openssh-7.8p1/session.c
{
FILE *f = NULL;
char cmd[1024];
@@ -1276,12 +1278,20 @@ do_rc_files(struct ssh *ssh, Session *s,
@@ -1254,12 +1256,20 @@ do_rc_files(struct ssh *ssh, Session *s, const char *shell)
options.xauth_location);
f = popen(cmd, "w");
if (f) {
@ -57,15 +57,15 @@ Index: openssh-7.8p1/session.c
} else {
fprintf(stderr, "Could not run %s\n",
cmd);
@@ -1534,6 +1544,7 @@ do_child(struct ssh *ssh, Session *s, co
{
extern char **environ;
char **env;
+ int env_size;
char *argv[ARGV_MAX];
@@ -1515,6 +1525,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
char **env, *argv[ARGV_MAX], remote_id[512];
const char *shell, *shell0;
struct passwd *pw = s->pw;
@@ -1591,7 +1602,7 @@ do_child(struct ssh *ssh, Session *s, co
+ int env_size;
int r = 0;
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
@@ -1571,7 +1582,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
* Make sure $SHELL points to the shell from the password file,
* even if shell is overridden from login.conf
*/
@ -74,7 +74,7 @@ Index: openssh-7.8p1/session.c
#ifdef HAVE_LOGIN_CAP
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
@@ -1655,7 +1666,7 @@ do_child(struct ssh *ssh, Session *s, co
@@ -1635,7 +1646,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
closefrom(STDERR_FILENO + 1);

170
openssh-7.7p1-ldap.patch
View File

@ -10,10 +10,11 @@
# internal versions. ssh-keyconverter consequently fails to link as it lacks
# the proper flags, and libopenbsd-compat doesn't contain the b64_* functions)
Index: openssh-7.9p1/HOWTO.ldap-keys
===================================================================
diff --git a/HOWTO.ldap-keys b/HOWTO.ldap-keys
new file mode 100644
index 0000000..831d399
--- /dev/null
+++ openssh-7.9p1/HOWTO.ldap-keys
+++ b/HOWTO.ldap-keys
@@ -0,0 +1,108 @@
+
+HOW TO START
@ -123,11 +124,11 @@ Index: openssh-7.9p1/HOWTO.ldap-keys
+ - frederic peters.
+ - Finlay dobbie.
+ - Stefan Fisher.
Index: openssh-7.9p1/Makefile.in
===================================================================
--- openssh-7.9p1.orig/Makefile.in
+++ openssh-7.9p1/Makefile.in
@@ -24,6 +24,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
diff --git a/Makefile.in b/Makefile.in
index 750aada..1baf5c6 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -24,6 +24,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
@ -136,7 +137,7 @@ Index: openssh-7.9p1/Makefile.in
CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
CAVSTEST_KDF=$(libexecdir)/cavstest-kdf
PRIVSEP_PATH=@PRIVSEP_PATH@
@@ -66,6 +68,9 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-a
@@ -66,6 +68,9 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keys
TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
@ -146,7 +147,7 @@ Index: openssh-7.9p1/Makefile.in
XMSS_OBJS=\
ssh-xmss.o \
sshkey-xmss.o \
@@ -130,8 +135,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
@@ -127,8 +132,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
sandbox-solaris.o uidswap.o
@ -157,17 +158,17 @@ Index: openssh-7.9p1/Makefile.in
MANTYPE = @MANTYPE@
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
@@ -206,6 +211,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
@@ -208,6 +213,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-realpath.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
@@ -361,6 +369,10 @@ install-files:
@@ -363,6 +371,10 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@ -178,7 +179,7 @@ Index: openssh-7.9p1/Makefile.in
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
@@ -379,6 +391,10 @@ install-files:
@@ -381,6 +393,10 @@ install-files:
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@ -189,7 +190,7 @@ Index: openssh-7.9p1/Makefile.in
install-sysconf:
$(MKDIR_P) $(DESTDIR)$(sysconfdir)
@@ -402,6 +418,13 @@ install-sysconf:
@@ -404,6 +420,13 @@ install-sysconf:
else \
echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
fi
@ -203,7 +204,7 @@ Index: openssh-7.9p1/Makefile.in
host-key: ssh-keygen$(EXEEXT)
@if [ -z "$(DESTDIR)" ] ; then \
@@ -439,6 +462,8 @@ uninstall:
@@ -441,6 +464,8 @@ uninstall:
-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@ -212,7 +213,7 @@ Index: openssh-7.9p1/Makefile.in
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
@@ -450,6 +475,7 @@ uninstall:
@@ -452,6 +477,7 @@ uninstall:
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@ -220,11 +221,11 @@ Index: openssh-7.9p1/Makefile.in
regress-prep:
$(MKDIR_P) `pwd`/regress/unittests/test_helper
Index: openssh-7.9p1/configure.ac
===================================================================
--- openssh-7.9p1.orig/configure.ac
+++ openssh-7.9p1/configure.ac
@@ -1671,6 +1671,106 @@ AC_ARG_WITH([audit],
diff --git a/configure.ac b/configure.ac
index 20a1884..ff9c11a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1651,6 +1651,106 @@ AC_ARG_WITH([audit],
esac ]
)
@ -331,10 +332,11 @@ Index: openssh-7.9p1/configure.ac
AC_ARG_WITH([pie],
[ --with-pie Build Position Independent Executables if possible], [
if test "x$withval" = "xno"; then
Index: openssh-7.9p1/ldap-helper.c
===================================================================
diff --git a/ldap-helper.c b/ldap-helper.c
new file mode 100644
index 0000000..0efff1f
--- /dev/null
+++ openssh-7.9p1/ldap-helper.c
+++ b/ldap-helper.c
@@ -0,0 +1,155 @@
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -491,10 +493,11 @@ Index: openssh-7.9p1/ldap-helper.c
+void *buffer_get_string(struct sshbuf *b, u_int *l) { return NULL; }
+void buffer_put_string(struct sshbuf *b, const void *f, u_int l) {}
+
Index: openssh-7.9p1/ldap-helper.h
===================================================================
diff --git a/ldap-helper.h b/ldap-helper.h
new file mode 100644
index 0000000..14cb29a
--- /dev/null
+++ openssh-7.9p1/ldap-helper.h
+++ b/ldap-helper.h
@@ -0,0 +1,32 @@
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -528,10 +531,11 @@ Index: openssh-7.9p1/ldap-helper.h
+extern int config_warning_config_file;
+
+#endif /* LDAP_HELPER_H */
Index: openssh-7.9p1/ldap.conf
===================================================================
diff --git a/ldap.conf b/ldap.conf
new file mode 100644
index 0000000..42e38d3
--- /dev/null
+++ openssh-7.9p1/ldap.conf
+++ b/ldap.conf
@@ -0,0 +1,88 @@
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
+#
@ -621,10 +625,11 @@ Index: openssh-7.9p1/ldap.conf
+#tls_cert
+#tls_key
+
Index: openssh-7.9p1/ldapbody.c
===================================================================
diff --git a/ldapbody.c b/ldapbody.c
new file mode 100644
index 0000000..032cc89
--- /dev/null
+++ openssh-7.9p1/ldapbody.c
+++ b/ldapbody.c
@@ -0,0 +1,494 @@
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -1120,10 +1125,11 @@ Index: openssh-7.9p1/ldapbody.c
+ return;
+}
+
Index: openssh-7.9p1/ldapbody.h
===================================================================
diff --git a/ldapbody.h b/ldapbody.h
new file mode 100644
index 0000000..665dca2
--- /dev/null
+++ openssh-7.9p1/ldapbody.h
+++ b/ldapbody.h
@@ -0,0 +1,37 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -1162,10 +1168,11 @@ Index: openssh-7.9p1/ldapbody.h
+
+#endif /* LDAPBODY_H */
+
Index: openssh-7.9p1/ldapconf.c
===================================================================
diff --git a/ldapconf.c b/ldapconf.c
new file mode 100644
index 0000000..2e22438
--- /dev/null
+++ openssh-7.9p1/ldapconf.c
+++ b/ldapconf.c
@@ -0,0 +1,711 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -1878,10 +1885,11 @@ Index: openssh-7.9p1/ldapconf.c
+ dump_cfg_string(lSSH_Filter, options.ssh_filter);
+}
+
Index: openssh-7.9p1/ldapconf.h
===================================================================
diff --git a/ldapconf.h b/ldapconf.h
new file mode 100644
index 0000000..c2aa704
--- /dev/null
+++ openssh-7.9p1/ldapconf.h
+++ b/ldapconf.h
@@ -0,0 +1,71 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -1954,10 +1962,11 @@ Index: openssh-7.9p1/ldapconf.h
+void dump_config(void);
+
+#endif /* LDAPCONF_H */
Index: openssh-7.9p1/ldapincludes.h
===================================================================
diff --git a/ldapincludes.h b/ldapincludes.h
new file mode 100644
index 0000000..8539bdc
--- /dev/null
+++ openssh-7.9p1/ldapincludes.h
+++ b/ldapincludes.h
@@ -0,0 +1,41 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -2000,10 +2009,11 @@ Index: openssh-7.9p1/ldapincludes.h
+#endif
+
+#endif /* LDAPINCLUDES_H */
Index: openssh-7.9p1/ldapmisc.c
===================================================================
diff --git a/ldapmisc.c b/ldapmisc.c
new file mode 100644
index 0000000..de23c0c
--- /dev/null
+++ openssh-7.9p1/ldapmisc.c
+++ b/ldapmisc.c
@@ -0,0 +1,79 @@
+
+#include "ldapincludes.h"
@ -2084,10 +2094,11 @@ Index: openssh-7.9p1/ldapmisc.c
+}
+#endif
+
Index: openssh-7.9p1/ldapmisc.h
===================================================================
diff --git a/ldapmisc.h b/ldapmisc.h
new file mode 100644
index 0000000..4c271df
--- /dev/null
+++ openssh-7.9p1/ldapmisc.h
+++ b/ldapmisc.h
@@ -0,0 +1,35 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -2124,10 +2135,10 @@ Index: openssh-7.9p1/ldapmisc.h
+
+#endif /* LDAPMISC_H */
+
Index: openssh-7.9p1/openbsd-compat/base64.c
===================================================================
--- openssh-7.9p1.orig/openbsd-compat/base64.c
+++ openssh-7.9p1/openbsd-compat/base64.c
diff --git a/openbsd-compat/base64.c b/openbsd-compat/base64.c
index 9e74667..14824be 100644
--- a/openbsd-compat/base64.c
+++ b/openbsd-compat/base64.c
@@ -46,7 +46,7 @@
#include "includes.h"
@ -2146,7 +2157,7 @@ Index: openssh-7.9p1/openbsd-compat/base64.c
int
b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize)
{
@@ -185,7 +185,7 @@ b64_ntop(u_char const *src, size_t srcle
@@ -185,7 +185,7 @@ b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize)
}
#endif /* !defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP) */
@ -2155,10 +2166,10 @@ Index: openssh-7.9p1/openbsd-compat/base64.c
/* skips all whitespace anywhere.
converts characters, four at a time, starting at (or after)
Index: openssh-7.9p1/openbsd-compat/base64.h
===================================================================
--- openssh-7.9p1.orig/openbsd-compat/base64.h
+++ openssh-7.9p1/openbsd-compat/base64.h
diff --git a/openbsd-compat/base64.h b/openbsd-compat/base64.h
index bd77293..e27df9a 100644
--- a/openbsd-compat/base64.h
+++ b/openbsd-compat/base64.h
@@ -45,16 +45,16 @@
#include "includes.h"
@ -2180,10 +2191,11 @@ Index: openssh-7.9p1/openbsd-compat/base64.h
int b64_pton(char const *src, u_char *target, size_t targsize);
# endif /* !HAVE_B64_PTON */
# define __b64_pton(a,b,c) b64_pton(a,b,c)
Index: openssh-7.9p1/openssh-lpk-openldap.schema
===================================================================
diff --git a/openssh-lpk-openldap.schema b/openssh-lpk-openldap.schema
new file mode 100644
index 0000000..c84f90f
--- /dev/null
+++ openssh-7.9p1/openssh-lpk-openldap.schema
+++ b/openssh-lpk-openldap.schema
@@ -0,0 +1,21 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2206,10 +2218,11 @@ Index: openssh-7.9p1/openssh-lpk-openldap.schema
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid )
+ )
Index: openssh-7.9p1/openssh-lpk-sun.schema
===================================================================
diff --git a/openssh-lpk-sun.schema b/openssh-lpk-sun.schema
new file mode 100644
index 0000000..3136673
--- /dev/null
+++ openssh-7.9p1/openssh-lpk-sun.schema
+++ b/openssh-lpk-sun.schema
@@ -0,0 +1,23 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2234,10 +2247,11 @@ Index: openssh-7.9p1/openssh-lpk-sun.schema
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid )
+ )
Index: openssh-7.9p1/ssh-ldap-helper.8
===================================================================
diff --git a/ssh-ldap-helper.8 b/ssh-ldap-helper.8
new file mode 100644
index 0000000..f8440e4
--- /dev/null
+++ openssh-7.9p1/ssh-ldap-helper.8
+++ b/ssh-ldap-helper.8
@@ -0,0 +1,79 @@
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\"
@ -2318,19 +2332,21 @@ Index: openssh-7.9p1/ssh-ldap-helper.8
+OpenSSH 5.5 + PKA-LDAP .
+.Sh AUTHORS
+.An Jan F. Chadima Aq jchadima@redhat.com
Index: openssh-7.9p1/ssh-ldap-wrapper
===================================================================
diff --git a/ssh-ldap-wrapper b/ssh-ldap-wrapper
new file mode 100644
index 0000000..9fdfc37
--- /dev/null
+++ openssh-7.9p1/ssh-ldap-wrapper
+++ b/ssh-ldap-wrapper
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+exec @LIBEXECDIR@/ssh-ldap-helper -s "$1"
+
Index: openssh-7.9p1/ssh-ldap.conf.5
===================================================================
diff --git a/ssh-ldap.conf.5 b/ssh-ldap.conf.5
new file mode 100644
index 0000000..15eb03d
--- /dev/null
+++ openssh-7.9p1/ssh-ldap.conf.5
+++ b/ssh-ldap.conf.5
@@ -0,0 +1,376 @@
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\"

36
openssh-7.7p1-seccomp_ioctl_s390_EP11.patch
View File

@ -1,36 +0,0 @@
# HG changeset patch
# Parent a7b18fdd68dba10349e59a9085fd822343311f45
Patch from IBM enabling use of EP11 hw crypto accelerator, submitted upstreams:
From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
To: openssh-unix-dev@mindrot.org
Subject: [PATCH 3/3] Enable specific ioctl call for EP11 crypto card (s390)
Date: Tue, 9 May 2017 14:27:15 -0300
The EP11 crypto card needs to make an ioctl call, which receives an
specific argument. This crypto card is for s390 only.
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-seccomp-filter.c
--- openssh-7.7p1/sandbox-seccomp-filter.c
+++ openssh-7.7p1/sandbox-seccomp-filter.c
@@ -248,16 +248,18 @@ static const struct sock_filter preauth_
SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
SC_DENY(__NR_socketcall, EACCES),
#endif
#if defined(__NR_ioctl) && defined(__s390__)
/* Allow ioctls for ICA crypto card on s390 */
SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
+ /* Allow ioctls for EP11 crypto card on s390 */
+ SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
#endif
#if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
/*
* On Linux x32, the clock_gettime VDSO falls back to the
* x86-64 syscall under some circumstances, e.g.
* https://bugs.debian.org/849923
*/
SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),

161
openssh-7.7p1-seed-prng.patch
View File

@ -3,25 +3,71 @@
# extended support for (re-)seeding the OpenSSL PRNG from /dev/random
# bnc#703221, FATE#312172
Index: openssh-7.8p1/entropy.c
===================================================================
--- openssh-7.8p1.orig/entropy.c
+++ openssh-7.8p1/entropy.c
@@ -235,6 +235,9 @@ seed_rng(void)
memset(buf, '\0', sizeof(buf));
diff --git a/Makefile.in b/Makefile.in
index 85818f4..750aada 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -182,13 +182,13 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(SSHLIBS) $(LIBS) $(GSSLIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
- $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@@ -197,10 +197,10 @@ ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o sshsig.o
- $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o compat.o
- $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
@@ -209,10 +209,10 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-realpath.o sftp-server-main.o
- $(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
- $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
+ $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
# FIPS tests
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
diff --git a/entropy.c b/entropy.c
index 5de6801..f8b9f42 100644
--- a/entropy.c
+++ b/entropy.c
@@ -239,6 +239,8 @@ seed_rng(void)
}
#endif /* OPENSSL_PRNG_ONLY */
+
+ linux_seed();
+
if (RAND_status() != 1)
fatal("PRNG is not seeded");
}
Index: openssh-7.8p1/openbsd-compat/Makefile.in
===================================================================
--- openssh-7.8p1.orig/openbsd-compat/Makefile.in
+++ openssh-7.8p1/openbsd-compat/Makefile.in
@@ -90,6 +90,7 @@ COMPAT= arc4random.o \
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
index 1162dc5..80fd688 100644
--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -91,6 +91,7 @@ COMPAT= arc4random.o \
PORTS= port-aix.o \
port-irix.o \
port-linux.o \
@ -29,10 +75,11 @@ Index: openssh-7.8p1/openbsd-compat/Makefile.in
port-solaris.o \
port-net.o \
port-uw.o
Index: openssh-7.8p1/openbsd-compat/port-linux-prng.c
===================================================================
diff --git a/openbsd-compat/port-linux-prng.c b/openbsd-compat/port-linux-prng.c
new file mode 100644
index 0000000..dfc4bdb
--- /dev/null
+++ openssh-7.8p1/openbsd-compat/port-linux-prng.c
+++ b/openbsd-compat/port-linux-prng.c
@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 2011 Jan F. Chadima <jchadima@redhat.com>
@ -115,10 +162,10 @@ Index: openssh-7.8p1/openbsd-compat/port-linux-prng.c
+ fatal ("EOF reading %s", rand_file);
+ }
+}
Index: openssh-7.8p1/openbsd-compat/port-linux.h
===================================================================
--- openssh-7.8p1.orig/openbsd-compat/port-linux.h
+++ openssh-7.8p1/openbsd-compat/port-linux.h
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
index 3c22a85..2dc1fd0 100644
--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
@@ -17,6 +17,10 @@
#ifndef _PORT_LINUX_H
#define _PORT_LINUX_H
@ -130,11 +177,11 @@ Index: openssh-7.8p1/openbsd-compat/port-linux.h
#ifdef WITH_SELINUX
int ssh_selinux_enabled(void);
void ssh_selinux_setup_pty(char *, const char *);
Index: openssh-7.8p1/ssh-add.1
===================================================================
--- openssh-7.8p1.orig/ssh-add.1
+++ openssh-7.8p1/ssh-add.1
@@ -172,6 +172,20 @@ to make this work.)
diff --git a/ssh-add.1 b/ssh-add.1
index d4e1c60..6f76900 100644
--- a/ssh-add.1
+++ b/ssh-add.1
@@ -189,6 +189,20 @@ to make this work.)
Identifies the path of a
.Ux Ns -domain
socket used to communicate with the agent.
@ -155,11 +202,11 @@ Index: openssh-7.8p1/ssh-add.1
.El
.Sh FILES
.Bl -tag -width Ds
Index: openssh-7.8p1/ssh-agent.1
===================================================================
--- openssh-7.8p1.orig/ssh-agent.1
+++ openssh-7.8p1/ssh-agent.1
@@ -214,6 +214,23 @@ sockets used to contain the connection t
diff --git a/ssh-agent.1 b/ssh-agent.1
index 83b2b41..9e187f2 100644
--- a/ssh-agent.1
+++ b/ssh-agent.1
@@ -214,6 +214,23 @@ sockets used to contain the connection to the authentication agent.
These sockets should only be readable by the owner.
The sockets should get automatically removed when the agent exits.
.El
@ -183,11 +230,11 @@ Index: openssh-7.8p1/ssh-agent.1
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
Index: openssh-7.8p1/ssh-keygen.1
===================================================================
--- openssh-7.8p1.orig/ssh-keygen.1
+++ openssh-7.8p1/ssh-keygen.1
@@ -869,6 +869,23 @@ Contains Diffie-Hellman groups used for
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 957d2f0..70c4a28 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1054,6 +1054,23 @@ Contains Diffie-Hellman groups used for DH-GEX.
The file format is described in
.Xr moduli 5 .
.El
@ -211,11 +258,11 @@ Index: openssh-7.8p1/ssh-keygen.1
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
Index: openssh-7.8p1/ssh-keysign.8
===================================================================
--- openssh-7.8p1.orig/ssh-keysign.8
+++ openssh-7.8p1/ssh-keysign.8
@@ -80,6 +80,23 @@ must be set-uid root if host-based authe
diff --git a/ssh-keysign.8 b/ssh-keysign.8
index 19b0dbc..639b56e 100644
--- a/ssh-keysign.8
+++ b/ssh-keysign.8
@@ -80,6 +80,23 @@ must be set-uid root if host-based authentication is used.
If these files exist they are assumed to contain public certificate
information corresponding with the private keys above.
.El
@ -239,11 +286,11 @@ Index: openssh-7.8p1/ssh-keysign.8
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-keygen 1 ,
Index: openssh-7.8p1/ssh.1
===================================================================
--- openssh-7.8p1.orig/ssh.1
+++ openssh-7.8p1/ssh.1
@@ -1432,6 +1432,20 @@ For more information, see the
diff --git a/ssh.1 b/ssh.1
index 424d6c3..899a339 100644
--- a/ssh.1
+++ b/ssh.1
@@ -1433,6 +1433,20 @@ For more information, see the
.Cm PermitUserEnvironment
option in
.Xr sshd_config 5 .
@ -264,11 +311,11 @@ Index: openssh-7.8p1/ssh.1
.Sh FILES
.Bl -tag -width Ds -compact
.It Pa ~/.rhosts
Index: openssh-7.8p1/sshd.8
===================================================================
--- openssh-7.8p1.orig/sshd.8
+++ openssh-7.8p1/sshd.8
@@ -966,6 +966,23 @@ concurrently for different ports, this c
diff --git a/sshd.8 b/sshd.8
index fb133c1..2f1d3ab 100644
--- a/sshd.8
+++ b/sshd.8
@@ -966,6 +966,23 @@ concurrently for different ports, this contains the process ID of the one
started last).
The content of this file is not sensitive; it can be world-readable.
.El
@ -292,10 +339,10 @@ Index: openssh-7.8p1/sshd.8
.Sh SEE ALSO
.Xr scp 1 ,
.Xr sftp 1 ,
Index: openssh-7.8p1/sshd.c
===================================================================
--- openssh-7.8p1.orig/sshd.c
+++ openssh-7.8p1/sshd.c
diff --git a/sshd.c b/sshd.c
index bb20eec..c562094 100644
--- a/sshd.c
+++ b/sshd.c
@@ -55,6 +55,8 @@
#endif
#include "openbsd-compat/sys-tree.h"
@ -305,7 +352,7 @@ Index: openssh-7.8p1/sshd.c
#include <sys/wait.h>
#include <errno.h>
@@ -208,6 +210,13 @@ struct {
@@ -205,6 +207,13 @@ struct {
int have_ssh2_key;
} sensitive_data;
@ -319,8 +366,8 @@ Index: openssh-7.8p1/sshd.c
/* This is set to true when a signal is received. */
static volatile sig_atomic_t received_sighup = 0;
static volatile sig_atomic_t received_sigterm = 0;
@@ -1252,6 +1261,10 @@ server_accept_loop(int *sock_in, int *so
startups++;
@@ -1201,6 +1210,10 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
startup_flags[j] = 1;
break;
}
+ if(!(--re_seeding_counter)) {

45
openssh-7.7p1-sftp_print_diagnostic_messages.patch
View File

@ -3,26 +3,11 @@
Put back sftp client diagnostic messages in batch mode
bsc#1023275
Index: openssh-7.8p1/sftp.0
===================================================================
--- openssh-7.8p1.orig/sftp.0
+++ openssh-7.8p1/sftp.0
@@ -160,6 +160,9 @@ DESCRIPTION
-p Preserves modification times, access times, and modes from the
original files transferred.
+ -Q Not-so-quiet batch mode: forces printing of diagnostic messages
+ in batch mode.
+
-q Quiet mode: disables the progress meter as well as warning and
diagnostic messages from ssh(1).
Index: openssh-7.8p1/sftp.1
===================================================================
--- openssh-7.8p1.orig/sftp.1
+++ openssh-7.8p1/sftp.1
@@ -256,6 +256,9 @@ Specifies the port to connect to on the
diff --git a/sftp.1 b/sftp.1
index a52c1cf..7333de8 100644
--- a/sftp.1
+++ b/sftp.1
@@ -278,6 +278,9 @@ Specifies the port to connect to on the remote host.
.It Fl p
Preserves modification times, access times, and modes from the
original files transferred.
@ -32,11 +17,11 @@ Index: openssh-7.8p1/sftp.1
.It Fl q
Quiet mode: disables the progress meter as well as warning and
diagnostic messages from
Index: openssh-7.8p1/sftp.c
===================================================================
--- openssh-7.8p1.orig/sftp.c
+++ openssh-7.8p1/sftp.c
@@ -86,6 +86,9 @@ static volatile pid_t sshpid = -1;
diff --git a/sftp.c b/sftp.c
index b66037f..6c94a38 100644
--- a/sftp.c
+++ b/sftp.c
@@ -85,6 +85,9 @@ static volatile pid_t sshpid = -1;
/* Suppress diagnositic messages */
int quiet = 0;
@ -46,16 +31,16 @@ Index: openssh-7.8p1/sftp.c
/* This is set to 0 if the progressmeter is not desired. */
int showprogress = 1;
@@ -2373,7 +2376,7 @@ main(int argc, char **argv)
@@ -2406,7 +2409,7 @@ main(int argc, char **argv)
infile = stdin;
while ((ch = getopt(argc, argv,
- "1246afhpqrvCc:D:i:l:o:s:S:b:B:F:P:R:")) != -1) {
+ "1246afhpQqrvCc:D:i:l:o:s:S:b:B:F:P:R:")) != -1) {
- "1246afhpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
+ "1246afhpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
switch (ch) {
/* Passed through to ssh(1) */
case '4':
@@ -2389,6 +2392,9 @@ main(int argc, char **argv)
@@ -2423,6 +2426,9 @@ main(int argc, char **argv)
addargs(&args, "-%c", ch);
addargs(&args, "%s", optarg);
break;
@ -65,7 +50,7 @@ Index: openssh-7.8p1/sftp.c
case 'q':
ll = SYSLOG_LEVEL_ERROR;
quiet = 1;
@@ -2472,6 +2478,8 @@ main(int argc, char **argv)
@@ -2506,6 +2512,8 @@ main(int argc, char **argv)
usage();
}
}

33
openssh-7.9p1-CVE-2018-20685.patch
View File

@ -1,33 +0,0 @@
From 6010c0303a422a9c5fa8860c061bf7105eb7f8b2 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Fri, 16 Nov 2018 03:03:10 +0000
Subject: [PATCH] upstream: disallow empty incoming filename or ones that refer
to the
current directory; based on report/patch from Harry Sintonen
OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9
---
scp.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/scp.c b/scp.c
index 60682c687..4f3fdcd3d 100644
--- a/scp.c
+++ b/scp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: scp.c,v 1.197 2018/06/01 04:31:48 dtucker Exp $ */
+/* $OpenBSD: scp.c,v 1.198 2018/11/16 03:03:10 djm Exp $ */
/*
* scp - secure remote copy. This is basically patched BSD rcp which
* uses ssh to do the data transfer (instead of using rcmd).
@@ -1106,7 +1106,8 @@ sink(int argc, char **argv)
SCREWUP("size out of range");
size = (off_t)ull;
- if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
+ if (*cp == '\0' || strchr(cp, '/') != NULL ||
+ strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {
run_err("error: unexpected filename: %s", cp);
exit(1);
}

348
openssh-7.9p1-brace-expansion.patch
View File

@ -1,348 +0,0 @@
From 3d896c157c722bc47adca51a58dca859225b5874 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Sun, 10 Feb 2019 11:15:52 +0000
Subject: [PATCH] upstream: when checking that filenames sent by the server
side
match what the client requested, be prepared to handle shell-style brace
alternations, e.g. "{foo,bar}".
"looks good to me" millert@ + in snaps for the last week courtesy
deraadt@
OpenBSD-Commit-ID: 3b1ce7639b0b25b2248e3a30f561a548f6815f3e
---
scp.c | 282 +++++++++++++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 270 insertions(+), 12 deletions(-)
Index: openssh-7.9p1/scp.c
===================================================================
--- openssh-7.9p1.orig/scp.c
+++ openssh-7.9p1/scp.c
@@ -627,6 +627,253 @@ parse_scp_uri(const char *uri, char **us
return r;
}
+/* Appends a string to an array; returns 0 on success, -1 on alloc failure */
+static int
+append(char *cp, char ***ap, size_t *np)
+{
+ char **tmp;
+
+ if ((tmp = reallocarray(*ap, *np + 1, sizeof(*tmp))) == NULL)
+ return -1;
+ tmp[(*np)] = cp;
+ (*np)++;
+ *ap = tmp;
+ return 0;
+}
+
+/*
+ * Finds the start and end of the first brace pair in the pattern.
+ * returns 0 on success or -1 for invalid patterns.
+ */
+static int
+find_brace(const char *pattern, int *startp, int *endp)
+{
+ int i;
+ int in_bracket, brace_level;
+
+ *startp = *endp = -1;
+ in_bracket = brace_level = 0;
+ for (i = 0; i < INT_MAX && *endp < 0 && pattern[i] != '\0'; i++) {
+ switch (pattern[i]) {
+ case '\\':
+ /* skip next character */
+ if (pattern[i + 1] != '\0')
+ i++;
+ break;
+ case '[':
+ in_bracket = 1;
+ break;
+ case ']':
+ in_bracket = 0;
+ break;
+ case '{':
+ if (in_bracket)
+ break;
+ if (pattern[i + 1] == '}') {
+ /* Protect a single {}, for find(1), like csh */
+ i++; /* skip */
+ break;
+ }
+ if (*startp == -1)
+ *startp = i;
+ brace_level++;
+ break;
+ case '}':
+ if (in_bracket)
+ break;
+ if (*startp < 0) {
+ /* Unbalanced brace */
+ return -1;
+ }
+ if (--brace_level <= 0)
+ *endp = i;
+ break;
+ }
+ }
+ /* unbalanced brackets/braces */
+ if (*endp < 0 && (*startp >= 0 || in_bracket))
+ return -1;
+ return 0;
+}
+
+/*
+ * Assembles and records a successfully-expanded pattern, returns -1 on
+ * alloc failure.
+ */
+static int
+emit_expansion(const char *pattern, int brace_start, int brace_end,
+ int sel_start, int sel_end, char ***patternsp, size_t *npatternsp)
+{
+ char *cp;
+ int o = 0, tail_len = strlen(pattern + brace_end + 1);
+
+ if ((cp = malloc(brace_start + (sel_end - sel_start) +
+ tail_len + 1)) == NULL)
+ return -1;
+
+ /* Pattern before initial brace */
+ if (brace_start > 0) {
+ memcpy(cp, pattern, brace_start);
+ o = brace_start;
+ }
+ /* Current braced selection */
+ if (sel_end - sel_start > 0) {
+ memcpy(cp + o, pattern + sel_start,
+ sel_end - sel_start);
+ o += sel_end - sel_start;
+ }
+ /* Remainder of pattern after closing brace */
+ if (tail_len > 0) {
+ memcpy(cp + o, pattern + brace_end + 1, tail_len);
+ o += tail_len;
+ }
+ cp[o] = '\0';
+ if (append(cp, patternsp, npatternsp) != 0) {
+ free(cp);
+ return -1;
+ }
+ return 0;
+}
+
+/*
+ * Expand the first encountered brace in pattern, appending the expanded
+ * patterns it yielded to the *patternsp array.
+ *
+ * Returns 0 on success or -1 on allocation failure.
+ *
+ * Signals whether expansion was performed via *expanded and whether
+ * pattern was invalid via *invalid.
+ */
+static int
+brace_expand_one(const char *pattern, char ***patternsp, size_t *npatternsp,
+ int *expanded, int *invalid)
+{
+ int i;
+ int in_bracket, brace_start, brace_end, brace_level;
+ int sel_start, sel_end;
+
+ *invalid = *expanded = 0;
+
+ if (find_brace(pattern, &brace_start, &brace_end) != 0) {
+ *invalid = 1;
+ return 0;
+ } else if (brace_start == -1)
+ return 0;
+
+ in_bracket = brace_level = 0;
+ for (i = sel_start = brace_start + 1; i < brace_end; i++) {
+ switch (pattern[i]) {
+ case '{':
+ if (in_bracket)
+ break;
+ brace_level++;
+ break;
+ case '}':
+ if (in_bracket)
+ break;
+ brace_level--;
+ break;
+ case '[':
+ in_bracket = 1;
+ break;
+ case ']':
+ in_bracket = 0;
+ break;
+ case '\\':
+ if (i < brace_end - 1)
+ i++; /* skip */
+ break;
+ }
+ if (pattern[i] == ',' || i == brace_end - 1) {
+ if (in_bracket || brace_level > 0)
+ continue;
+ /* End of a selection, emit an expanded pattern */
+
+ /* Adjust end index for last selection */
+ sel_end = (i == brace_end - 1) ? brace_end : i;
+ if (emit_expansion(pattern, brace_start, brace_end,
+ sel_start, sel_end, patternsp, npatternsp) != 0)
+ return -1;
+ /* move on to the next selection */
+ sel_start = i + 1;
+ continue;
+ }
+ }
+ if (in_bracket || brace_level > 0) {
+ *invalid = 1;
+ return 0;
+ }
+ /* success */
+ *expanded = 1;
+ return 0;
+}
+
+/* Expand braces from pattern. Returns 0 on success, -1 on failure */
+static int
+brace_expand(const char *pattern, char ***patternsp, size_t *npatternsp)
+{
+ char *cp, *cp2, **active = NULL, **done = NULL;
+ size_t i, nactive = 0, ndone = 0;
+ int ret = -1, invalid = 0, expanded = 0;
+
+ *patternsp = NULL;
+ *npatternsp = 0;
+
+ /* Start the worklist with the original pattern */
+ if ((cp = strdup(pattern)) == NULL)
+ return -1;
+ if (append(cp, &active, &nactive) != 0) {
+ free(cp);
+ return -1;
+ }
+ while (nactive > 0) {
+ cp = active[nactive - 1];
+ nactive--;
+ if (brace_expand_one(cp, &active, &nactive,
+ &expanded, &invalid) == -1) {
+ free(cp);
+ goto fail;
+ }
+ if (invalid)
+ fatal("%s: invalid brace pattern \"%s\"", __func__, cp);
+ if (expanded) {
+ /*
+ * Current entry expanded to new entries on the
+ * active list; discard the progenitor pattern.
+ */
+ free(cp);
+ continue;
+ }
+ /*
+ * Pattern did not expand; append the finename component to
+ * the completed list
+ */
+ if ((cp2 = strrchr(cp, '/')) != NULL)
+ *cp2++ = '\0';
+ else
+ cp2 = cp;
+ if (append(xstrdup(cp2), &done, &ndone) != 0) {
+ free(cp);
+ goto fail;
+ }
+ free(cp);
+ }
+ /* success */
+ *patternsp = done;
+ *npatternsp = ndone;
+ done = NULL;
+ ndone = 0;
+ ret = 0;
+ fail:
+ for (i = 0; i < nactive; i++)
+ free(active[i]);
+ free(active);
+ for (i = 0; i < ndone; i++)
+ free(done[i]);
+ free(done);
+ return ret;
+}
+
void
toremote(int argc, char **argv)
{
@@ -990,7 +1237,8 @@ sink(int argc, char **argv, const char *
unsigned long long ull;
int setimes, targisdir, wrerrno = 0;
char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
- char *src_copy = NULL, *restrict_pattern = NULL;
+ char **patterns = NULL;
+ size_t n, npatterns = 0;
struct timeval tv[2];
#define atime tv[0]
@@ -1020,16 +1268,13 @@ sink(int argc, char **argv, const char *
* Prepare to try to restrict incoming filenames to match
* the requested destination file glob.
*/
- if ((src_copy = strdup(src)) == NULL)
- fatal("strdup failed");
- if ((restrict_pattern = strrchr(src_copy, '/')) != NULL) {
- *restrict_pattern++ = '\0';
- }
+ if (brace_expand(src, &patterns, &npatterns) != 0)
+ fatal("%s: could not expand pattern", __func__);
}
for (first = 1;; first = 0) {
cp = buf;
if (atomicio(read, remin, cp, 1) != 1)
- return;
+ goto done;
if (*cp++ == '\n')
SCREWUP("unexpected <newline>");
do {
@@ -1055,7 +1300,7 @@ sink(int argc, char **argv, const char *
}
if (buf[0] == 'E') {
(void) atomicio(vwrite, remout, "", 1);
- return;
+ goto done;
}
if (ch == '\n')
*--cp = 0;
@@ -1130,9 +1375,14 @@ sink(int argc, char **argv, const char *
run_err("error: unexpected filename: %s", cp);
exit(1);
}
- if (restrict_pattern != NULL &&
- fnmatch(restrict_pattern, cp, 0) != 0)
- SCREWUP("filename does not match request");
+ if (npatterns > 0) {
+ for (n = 0; n < npatterns; n++) {
+ if (fnmatch(patterns[n], cp, 0) == 0)
+ break;
+ }
+ if (n >= npatterns)
+ SCREWUP("filename does not match request");
+ }
if (targisdir) {
static char *namebuf;
static size_t cursize;
@@ -1291,7 +1541,15 @@ bad: run_err("%s: %s", np, strerror(er
break;
}
}
+done:
+ for (n = 0; n < npatterns; n++)
+ free(patterns[n]);
+ free(patterns);
+ return;
screwup:
+ for (n = 0; n < npatterns; n++)
+ free(patterns[n]);
+ free(patterns);
run_err("protocol error: %s", why);
exit(1);
}

3
openssh-7.9p1.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6b4b3ba2253d84ed3771c8050728d597c91cfce898713beb7b64a305b6f11aad
size 1565384

14
openssh-7.9p1.tar.gz.asc
View File

@ -1,14 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAlvJLhsACgkQ0+X1a22S
DTBjHwx/T3EX3EtCzB9I6zHFUgF2/0hEKVYZw2Yl4UbUvgjy/KdEdlJzdH3Hc/yU
jJZzraDY7nJMrCly734FbFGKsKoRkxWMkeuQGOhvpzgTYg+fOa1J0a14xK/ub9Y0
9Z/4zP0Zs7mn+8MApMS3XOZ+AJgdRiXN9i3PXmbYO9Gcg+QthtgE1DeG0d0vVTP/
ipCBBg8mMlAANdlu9IUCv4CJPwJjQt2aYsvCiuUQuzrKYsV5noCOBaGRbmPcN9SM
3cvSTZgDbK3kHdL1RnBgWpcO+o+D8sqSW2rm8xpCQv/ILo86/BLBjXDCYLEt0nSn
+dONPytwhwwJWPPYe7+RSYWHS2cKwVTDk7lr2E636SwU1fM1NiNYle9hB6cUT0nU
sypfHOIARAMSqepnaT3WgffM0jlEWrSB0PuDLTLTO5ZPmUijqqT6xGwWSUc4GQZY
WNyGg1w0Ryj2pRd7DlXDDivTCneXFqV7JZiR3R4ZXJJV0uVQOUitCS/DnwSDpIfp
HlVEWeRAszQFKLKttu0/4SY2NVrRBA==
=4Z9x
-----END PGP SIGNATURE-----

3922
openssh-8.0p1-gssapi-keyex.patch Normal file
View File

File diff suppressed because it is too large Load Diff

1575
openssh-7.7p1-audit.patch → openssh-8.1p1-audit.patch
View File

File diff suppressed because it is too large Load Diff

3
openssh-8.1p1.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:02f5dbef3835d0753556f973cd57b4c19b6b1f6cd24c03445e23ac77ca1b93ff
size 1625894

14
openssh-8.1p1.tar.gz.asc Normal file
View File

@ -0,0 +1,14 @@
-----BEGIN PGP SIGNATURE-----
iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAl2dLEgACgkQ0+X1a22S
DTAcUgx7BcRCaH7fb0AeQGvIrxXlyeN3uL6HOyo8MKkryN+y9zpvpcU6T8FBjtoh
zgjonewzodGj+C1ma0O9TgIfnUxdOVL+eQsPYgOWLJt2MzSnY/Ru+20J5ZGwGc+5
pJcuV+xlAuwae/EL+Pk86CdQ0D6zaf9NBHGTNmrswwhT9B3UWSCbEmmc8jm0DChm
F5+dW1nK0n6YSQ9dVUH17/ujvego5WQkOiaSxjaK29/xS39BD6jrbwfFpL3/iKru
mWVzcNJaX5WL3ZUnyZRcIHzVpBdr2n0pLCnmqIT8LGPwI3razEbZKIDXf+q0ZA88
wRfCL9aEVWjhG+v56c/NiM/wD3h3A4uh8fZeeeyP3hmgEv8Wp8g7fFxf5MaEJlGL
Oy6LeH0+x/uPySxaEvy4kuo/hapX2ClM16EMCUXHPwGIYRWdbTL7rzMTaoG3thyz
VO04LulI9Xmvadn6k3JR5mFPpIsV+LNwt3g+c+4rBWspOdTHnFqo+OO7Uk8Ee3E0
/MeuPBtqQq9o7RkoY8wtVOqT8q9/6g==
=mpF6
-----END PGP SIGNATURE-----

110
openssh-CVE-2019-6109-force-progressmeter-update.patch
View File

@ -1,110 +0,0 @@
commit bdc6c63c80b55bcbaa66b5fde31c1cb1d09a41eb
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date: Thu Jan 24 16:52:17 2019 +0000
upstream: Have progressmeter force an update at the beginning and
end of each transfer. Fixes the problem recently introduces where very quick
transfers do not display the progressmeter at all. Spotted by naddy@
OpenBSD-Commit-ID: 68dc46c259e8fdd4f5db3ec2a130f8e4590a7a9a
Index: openssh-7.9p1/progressmeter.c
===================================================================
--- openssh-7.9p1.orig/progressmeter.c
+++ openssh-7.9p1/progressmeter.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: progressmeter.c,v 1.46 2019/01/23 08:01:46 dtucker Exp $ */
+/* $OpenBSD: progressmeter.c,v 1.47 2019/01/24 16:52:17 dtucker Exp $ */
/*
* Copyright (c) 2003 Nils Nordman. All rights reserved.
*
@@ -59,9 +59,6 @@ static void format_rate(char *, int, off
static void sig_winch(int);
static void setscreensize(void);
-/* updates the progressmeter to reflect the current state of the transfer */
-void refresh_progress_meter(void);
-
/* signal handler for updating the progress meter */
static void sig_alarm(int);
@@ -120,7 +117,7 @@ format_size(char *buf, int size, off_t b
}
void
-refresh_progress_meter(void)
+refresh_progress_meter(int force_update)
{
char buf[MAX_WINSIZE + 1];
off_t transferred;
@@ -131,7 +128,7 @@ refresh_progress_meter(void)
int hours, minutes, seconds;
int file_len;
- if ((!alarm_fired && !win_resized) || !can_output())
+ if ((!force_update && !alarm_fired && !win_resized) || !can_output())
return;
alarm_fired = 0;
@@ -254,7 +251,7 @@ start_progress_meter(const char *f, off_
bytes_per_second = 0;
setscreensize();
- refresh_progress_meter();
+ refresh_progress_meter(1);
signal(SIGALRM, sig_alarm);
signal(SIGWINCH, sig_winch);
@@ -271,7 +268,7 @@ stop_progress_meter(void)
/* Ensure we complete the progress */
if (cur_pos != end_pos)
- refresh_progress_meter();
+ refresh_progress_meter(1);
atomicio(vwrite, STDOUT_FILENO, "\n", 1);
}
Index: openssh-7.9p1/progressmeter.h
===================================================================
--- openssh-7.9p1.orig/progressmeter.h
+++ openssh-7.9p1/progressmeter.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: progressmeter.h,v 1.4 2019/01/23 08:01:46 dtucker Exp $ */
+/* $OpenBSD: progressmeter.h,v 1.5 2019/01/24 16:52:17 dtucker Exp $ */
/*
* Copyright (c) 2002 Nils Nordman. All rights reserved.
*
@@ -24,5 +24,5 @@
*/
void start_progress_meter(const char *, off_t, off_t *);
-void refresh_progress_meter(void);
+void refresh_progress_meter(int);
void stop_progress_meter(void);
Index: openssh-7.9p1/scp.c
===================================================================
--- openssh-7.9p1.orig/scp.c
+++ openssh-7.9p1/scp.c
@@ -585,7 +585,7 @@ scpio(void *_cnt, size_t s)
off_t *cnt = (off_t *)_cnt;
*cnt += s;
- refresh_progress_meter();
+ refresh_progress_meter(0);
if (limit_kbps > 0)
bandwidth_limit(&bwlimit, s);
return 0;
Index: openssh-7.9p1/sftp-client.c
===================================================================
--- openssh-7.9p1.orig/sftp-client.c
+++ openssh-7.9p1/sftp-client.c
@@ -101,7 +101,7 @@ sftpio(void *_bwlimit, size_t amount)
{
struct bwlimit *bwlimit = (struct bwlimit *)_bwlimit;
- refresh_progress_meter();
+ refresh_progress_meter(0);
if (bwlimit != NULL)
bandwidth_limit(bwlimit, amount);
return 0;

262
openssh-CVE-2019-6109-sanitize-scp-filenames.patch
View File

@ -1,262 +0,0 @@
commit 8976f1c4b2721c26e878151f52bdf346dfe2d54c
Author: dtucker@openbsd.org <dtucker@openbsd.org>
Date: Wed Jan 23 08:01:46 2019 +0000
upstream: Sanitize scp filenames via snmprintf. To do this we move
the progressmeter formatting outside of signal handler context and have the
atomicio callback called for EINTR too. bz#2434 with contributions from djm
and jjelen at redhat.com, ok djm@
OpenBSD-Commit-ID: 1af61c1f70e4f3bd8ab140b9f1fa699481db57d8
Index: openssh-7.9p1/atomicio.c
===================================================================
--- openssh-7.9p1.orig/atomicio.c
+++ openssh-7.9p1/atomicio.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: atomicio.c,v 1.28 2016/07/27 23:18:12 djm Exp $ */
+/* $OpenBSD: atomicio.c,v 1.29 2019/01/23 08:01:46 dtucker Exp $ */
/*
* Copyright (c) 2006 Damien Miller. All rights reserved.
* Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
@@ -65,9 +65,14 @@ atomicio6(ssize_t (*f) (int, void *, siz
res = (f) (fd, s + pos, n - pos);
switch (res) {
case -1:
- if (errno == EINTR)
+ if (errno == EINTR) {
+ /* possible SIGALARM, update callback */
+ if (cb != NULL && cb(cb_arg, 0) == -1) {
+ errno = EINTR;
+ return pos;
+ }
continue;
- if (errno == EAGAIN || errno == EWOULDBLOCK) {
+ } else if (errno == EAGAIN || errno == EWOULDBLOCK) {
#ifndef BROKEN_READ_COMPARISON
(void)poll(&pfd, 1, -1);
#endif
@@ -122,9 +127,14 @@ atomiciov6(ssize_t (*f) (int, const stru
res = (f) (fd, iov, iovcnt);
switch (res) {
case -1:
- if (errno == EINTR)
+ if (errno == EINTR) {
+ /* possible SIGALARM, update callback */
+ if (cb != NULL && cb(cb_arg, 0) == -1) {
+ errno = EINTR;
+ return pos;
+ }
continue;
- if (errno == EAGAIN || errno == EWOULDBLOCK) {
+ } else if (errno == EAGAIN || errno == EWOULDBLOCK) {
#ifndef BROKEN_READV_COMPARISON
(void)poll(&pfd, 1, -1);
#endif
Index: openssh-7.9p1/progressmeter.c
===================================================================
--- openssh-7.9p1.orig/progressmeter.c
+++ openssh-7.9p1/progressmeter.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: progressmeter.c,v 1.45 2016/06/30 05:17:05 dtucker Exp $ */
+/* $OpenBSD: progressmeter.c,v 1.46 2019/01/23 08:01:46 dtucker Exp $ */
/*
* Copyright (c) 2003 Nils Nordman. All rights reserved.
*
@@ -31,6 +31,7 @@
#include <errno.h>
#include <signal.h>
+#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
@@ -39,6 +40,7 @@
#include "progressmeter.h"
#include "atomicio.h"
#include "misc.h"
+#include "utf8.h"
#define DEFAULT_WINSIZE 80
#define MAX_WINSIZE 512
@@ -61,7 +63,7 @@ static void setscreensize(void);
void refresh_progress_meter(void);
/* signal handler for updating the progress meter */
-static void update_progress_meter(int);
+static void sig_alarm(int);
static double start; /* start progress */
static double last_update; /* last progress update */
@@ -74,6 +76,7 @@ static long stalled; /* how long we hav
static int bytes_per_second; /* current speed in bytes per second */
static int win_size; /* terminal window size */
static volatile sig_atomic_t win_resized; /* for window resizing */
+static volatile sig_atomic_t alarm_fired;
/* units for format_size */
static const char unit[] = " KMGT";
@@ -126,9 +129,17 @@ refresh_progress_meter(void)
off_t bytes_left;
int cur_speed;
int hours, minutes, seconds;
- int i, len;
int file_len;
+ if ((!alarm_fired && !win_resized) || !can_output())
+ return;
+ alarm_fired = 0;
+
+ if (win_resized) {
+ setscreensize();
+ win_resized = 0;
+ }
+
transferred = *counter - (cur_pos ? cur_pos : start_pos);
cur_pos = *counter;
now = monotime_double();
@@ -158,16 +169,11 @@ refresh_progress_meter(void)
/* filename */
buf[0] = '\0';
- file_len = win_size - 35;
+ file_len = win_size - 36;
if (file_len > 0) {
- len = snprintf(buf, file_len + 1, "\r%s", file);
- if (len < 0)
- len = 0;
- if (len >= file_len + 1)
- len = file_len;
- for (i = len; i < file_len; i++)
- buf[i] = ' ';
- buf[file_len] = '\0';
+ buf[0] = '\r';
+ snmprintf(buf+1, sizeof(buf)-1 , &file_len, "%*s",
+ file_len * -1, file);
}
/* percent of transfer done */
@@ -228,22 +234,11 @@ refresh_progress_meter(void)
/*ARGSUSED*/
static void
-update_progress_meter(int ignore)
+sig_alarm(int ignore)
{
- int save_errno;
-
- save_errno = errno;
-
- if (win_resized) {
- setscreensize();
- win_resized = 0;
- }
- if (can_output())
- refresh_progress_meter();
-
- signal(SIGALRM, update_progress_meter);
+ signal(SIGALRM, sig_alarm);
+ alarm_fired = 1;
alarm(UPDATE_INTERVAL);
- errno = save_errno;
}
void
@@ -259,10 +254,9 @@ start_progress_meter(const char *f, off_
bytes_per_second = 0;
setscreensize();
- if (can_output())
- refresh_progress_meter();
+ refresh_progress_meter();
- signal(SIGALRM, update_progress_meter);
+ signal(SIGALRM, sig_alarm);
signal(SIGWINCH, sig_winch);
alarm(UPDATE_INTERVAL);
}
@@ -286,6 +280,7 @@ stop_progress_meter(void)
static void
sig_winch(int sig)
{
+ signal(SIGWINCH, sig_winch);
win_resized = 1;
}
Index: openssh-7.9p1/progressmeter.h
===================================================================
--- openssh-7.9p1.orig/progressmeter.h
+++ openssh-7.9p1/progressmeter.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: progressmeter.h,v 1.3 2015/01/14 13:54:13 djm Exp $ */
+/* $OpenBSD: progressmeter.h,v 1.4 2019/01/23 08:01:46 dtucker Exp $ */
/*
* Copyright (c) 2002 Nils Nordman. All rights reserved.
*
@@ -24,4 +24,5 @@
*/
void start_progress_meter(const char *, off_t, off_t *);
+void refresh_progress_meter(void);
void stop_progress_meter(void);
Index: openssh-7.9p1/scp.c
===================================================================
--- openssh-7.9p1.orig/scp.c
+++ openssh-7.9p1/scp.c
@@ -585,6 +585,7 @@ scpio(void *_cnt, size_t s)
off_t *cnt = (off_t *)_cnt;
*cnt += s;
+ refresh_progress_meter();
if (limit_kbps > 0)
bandwidth_limit(&bwlimit, s);
return 0;
Index: openssh-7.9p1/sftp-client.c
===================================================================
--- openssh-7.9p1.orig/sftp-client.c
+++ openssh-7.9p1/sftp-client.c
@@ -101,7 +101,9 @@ sftpio(void *_bwlimit, size_t amount)
{
struct bwlimit *bwlimit = (struct bwlimit *)_bwlimit;
- bandwidth_limit(bwlimit, amount);
+ refresh_progress_meter();
+ if (bwlimit != NULL)
+ bandwidth_limit(bwlimit, amount);
return 0;
}
@@ -121,8 +123,8 @@ send_msg(struct sftp_conn *conn, struct
iov[1].iov_base = (u_char *)sshbuf_ptr(m);
iov[1].iov_len = sshbuf_len(m);
- if (atomiciov6(writev, conn->fd_out, iov, 2,
- conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_out) !=
+ if (atomiciov6(writev, conn->fd_out, iov, 2, sftpio,
+ conn->limit_kbps > 0 ? &conn->bwlimit_out : NULL) !=
sshbuf_len(m) + sizeof(mlen))
fatal("Couldn't send packet: %s", strerror(errno));
@@ -138,8 +140,8 @@ get_msg_extended(struct sftp_conn *conn,
if ((r = sshbuf_reserve(m, 4, &p)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
- if (atomicio6(read, conn->fd_in, p, 4,
- conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in) != 4) {
+ if (atomicio6(read, conn->fd_in, p, 4, sftpio,
+ conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL) != 4) {
if (errno == EPIPE || errno == ECONNRESET)
fatal("Connection closed");
else
@@ -157,8 +159,8 @@ get_msg_extended(struct sftp_conn *conn,
if ((r = sshbuf_reserve(m, msg_len, &p)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
- if (atomicio6(read, conn->fd_in, p, msg_len,
- conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in)
+ if (atomicio6(read, conn->fd_in, p, msg_len, sftpio,
+ conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL)
!= msg_len) {
if (errno == EPIPE)
fatal("Connection closed");

186
openssh-CVE-2019-6111-scp-client-wildcard.patch
View File

@ -1,186 +0,0 @@
commit 391ffc4b9d31fa1f4ad566499fef9176ff8a07dc
Author: djm@openbsd.org <djm@openbsd.org>
Date: Sat Jan 26 22:41:28 2019 +0000
upstream: check in scp client that filenames sent during
remote->local directory copies satisfy the wildcard specified by the user.
This checking provides some protection against a malicious server
sending unexpected filenames, but it comes at a risk of rejecting wanted
files due to differences between client and server wildcard expansion rules.
For this reason, this also adds a new -T flag to disable the check.
reported by Harry Sintonen
fix approach suggested by markus@;
has been in snaps for ~1wk courtesy deraadt@
OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda
Index: openssh-7.9p1/scp.1
===================================================================
--- openssh-7.9p1.orig/scp.1
+++ openssh-7.9p1/scp.1
@@ -18,7 +18,7 @@
.Nd secure copy (remote file copy program)
.Sh SYNOPSIS
.Nm scp
-.Op Fl 346BCpqrv
+.Op Fl 346BCpqrTv
.Op Fl c Ar cipher
.Op Fl F Ar ssh_config
.Op Fl i Ar identity_file
@@ -208,6 +208,16 @@ to use for the encrypted connection.
The program must understand
.Xr ssh 1
options.
+.It Fl T
+Disable strict filename checking.
+By default when copying files from a remote host to a local directory
+.Nm
+checks that the received filenames match those requested on the command-line
+to prevent the remote end from sending unexpected or unwanted files.
+Because of differences in how various operating systems and shells interpret
+filename wildcards, these checks may cause wanted files to be rejected.
+This option disables these checks at the expense of fully trusting that
+the server will not send unexpected filenames.
.It Fl v
Verbose mode.
Causes
Index: openssh-7.9p1/scp.c
===================================================================
--- openssh-7.9p1.orig/scp.c
+++ openssh-7.9p1/scp.c
@@ -94,6 +94,7 @@
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
+#include <fnmatch.h>
#include <limits.h>
#include <locale.h>
#include <pwd.h>
@@ -375,14 +376,14 @@ void verifydir(char *);
struct passwd *pwd;
uid_t userid;
int errs, remin, remout;
-int pflag, iamremote, iamrecursive, targetshouldbedirectory;
+int Tflag, pflag, iamremote, iamrecursive, targetshouldbedirectory;
#define CMDNEEDS 64
char cmd[CMDNEEDS]; /* must hold "rcp -r -p -d\0" */
int response(void);
void rsource(char *, struct stat *);
-void sink(int, char *[]);
+void sink(int, char *[], const char *);
void source(int, char *[]);
void tolocal(int, char *[]);
void toremote(int, char *[]);
@@ -421,8 +422,9 @@ main(int argc, char **argv)
addargs(&args, "-oRemoteCommand=none");
addargs(&args, "-oRequestTTY=no");
- fflag = tflag = 0;
- while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q12346S:o:F:")) != -1)
+ fflag = Tflag = tflag = 0;
+ while ((ch = getopt(argc, argv,
+ "dfl:prtTvBCc:i:P:q12346S:o:F:J:")) != -1) {
switch (ch) {
/* User-visible flags. */
case '1':
@@ -501,9 +503,13 @@ main(int argc, char **argv)
setmode(0, O_BINARY);
#endif
break;
+ case 'T':
+ Tflag = 1;
+ break;
default:
usage();
}
+ }
argc -= optind;
argv += optind;
@@ -534,7 +540,7 @@ main(int argc, char **argv)
}
if (tflag) {
/* Receive data. */
- sink(argc, argv);
+ sink(argc, argv, NULL);
exit(errs != 0);
}
if (argc < 2)
@@ -792,7 +798,7 @@ tolocal(int argc, char **argv)
continue;
}
free(bp);
- sink(1, argv + argc - 1);
+ sink(1, argv + argc - 1, src);
(void) close(remin);
remin = remout = -1;
}
@@ -968,7 +974,7 @@ rsource(char *name, struct stat *statp)
(sizeof(type) != 4 && sizeof(type) != 8))
void
-sink(int argc, char **argv)
+sink(int argc, char **argv, const char *src)
{
static BUF buffer;
struct stat stb;
@@ -984,6 +990,7 @@ sink(int argc, char **argv)
unsigned long long ull;
int setimes, targisdir, wrerrno = 0;
char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
+ char *src_copy = NULL, *restrict_pattern = NULL;
struct timeval tv[2];
#define atime tv[0]
@@ -1008,6 +1015,17 @@ sink(int argc, char **argv)
(void) atomicio(vwrite, remout, "", 1);
if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode))
targisdir = 1;
+ if (src != NULL && !iamrecursive && !Tflag) {
+ /*
+ * Prepare to try to restrict incoming filenames to match
+ * the requested destination file glob.
+ */
+ if ((src_copy = strdup(src)) == NULL)
+ fatal("strdup failed");
+ if ((restrict_pattern = strrchr(src_copy, '/')) != NULL) {
+ *restrict_pattern++ = '\0';
+ }
+ }
for (first = 1;; first = 0) {
cp = buf;
if (atomicio(read, remin, cp, 1) != 1)
@@ -1112,6 +1130,9 @@ sink(int argc, char **argv)
run_err("error: unexpected filename: %s", cp);
exit(1);
}
+ if (restrict_pattern != NULL &&
+ fnmatch(restrict_pattern, cp, 0) != 0)
+ SCREWUP("filename does not match request");
if (targisdir) {
static char *namebuf;
static size_t cursize;
@@ -1149,7 +1170,7 @@ sink(int argc, char **argv)
goto bad;
}
vect[0] = xstrdup(np);
- sink(1, vect);
+ sink(1, vect, src);
if (setimes) {
setimes = 0;
if (utimes(vect[0], tv) < 0)
@@ -1317,7 +1338,7 @@ void
usage(void)
{
(void) fprintf(stderr,
- "usage: scp [-346BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]\n"
+ "usage: scp [-346BCpqrTv] [-c cipher] [-F ssh_config] [-i identity_file]\n"
" [-l limit] [-o ssh_option] [-P port] [-S program] source ... target\n");
exit(1);
}

2
openssh-askpass-gnome.spec
View File

@ -18,7 +18,7 @@
%define _name openssh
Name: openssh-askpass-gnome
Version: 7.9p1
Version: 8.1p1
Release: 0
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
License: BSD-2-Clause

41
openssh-openssl-1_0_0-compatibility.patch
View File

@ -1,41 +0,0 @@
Index: openssh-7.9p1/openbsd-compat/openssl-compat.c
===================================================================
--- openssh-7.9p1.orig/openbsd-compat/openssl-compat.c 2018-11-26 11:47:17.417925053 +0100
+++ openssh-7.9p1/openbsd-compat/openssl-compat.c 2018-11-26 11:52:47.127727580 +0100
@@ -76,7 +76,7 @@ ssh_OpenSSL_add_all_algorithms(void)
ENGINE_load_builtin_engines();
ENGINE_register_all_complete();
-#if OPENSSL_VERSION_NUMBER < 0x10001000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
OPENSSL_config(NULL);
#else
OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
Index: openssh-7.9p1/gss-genr.c
===================================================================
--- openssh-7.9p1.orig/gss-genr.c 2018-11-26 11:47:17.417925053 +0100
+++ openssh-7.9p1/gss-genr.c 2018-11-26 12:01:40.354642746 +0100
@@ -114,7 +114,11 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
if ((buf = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ md = EVP_MD_CTX_create();
+#else
md = EVP_MD_CTX_new();
+#endif
oidpos = 0;
for (i = 0; i < gss_supported->count; i++) {
if (gss_supported->elements[i].length < 128 &&
@@ -156,7 +160,11 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
oidpos++;
}
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ EVP_MD_CTX_destroy(md);
+#else
EVP_MD_CTX_free(md);
+#endif
gss_enc2oid[oidpos].oid = NULL;
gss_enc2oid[oidpos].encoded = NULL;

108
openssh.changes
View File

@ -1,3 +1,111 @@
-------------------------------------------------------------------
Thu Oct 10 00:41:18 UTC 2019 - Hans Petter Jansson <hpj@suse.com>
- Version update to 8.1p1:
* ssh-keygen(1): when acting as a CA and signing certificates with
an RSA key, default to using the rsa-sha2-512 signature algorithm.
Certificates signed by RSA keys will therefore be incompatible
with OpenSSH versions prior to 7.2 unless the default is
overridden (using "ssh-keygen -t ssh-rsa -s ...").
* ssh(1): Allow %n to be expanded in ProxyCommand strings
* ssh(1), sshd(8): Allow prepending a list of algorithms to the
default set by starting the list with the '^' character, E.g.
"HostKeyAlgorithms ^ssh-ed25519"
* ssh-keygen(1): add an experimental lightweight signature and
verification ability. Signatures may be made using regular ssh keys
held on disk or stored in a ssh-agent and verified against an
authorized_keys-like list of allowed keys. Signatures embed a
namespace that prevents confusion and attacks between different
usage domains (e.g. files vs email).
* ssh-keygen(1): print key comment when extracting public key from a
private key.
* ssh-keygen(1): accept the verbose flag when searching for host keys
in known hosts (i.e. "ssh-keygen -vF host") to print the matching
host's random-art signature too.
* All: support PKCS8 as an optional format for storage of private
keys to disk. The OpenSSH native key format remains the default,
but PKCS8 is a superior format to PEM if interoperability with
non-OpenSSH software is required, as it may use a less insecure
key derivation function than PEM's.
- Additional changes from 8.0p1 release:
* scp(1): Add "-T" flag to disable client-side filtering of
server file list.
* sshd(8): Remove support for obsolete "host/port" syntax.
* ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in
PKCS#11 tokens.
* ssh(1), sshd(8): Add experimental quantum-computing resistant
key exchange method, based on a combination of Streamlined NTRU
Prime 4591^761 and X25519.
* ssh-keygen(1): Increase the default RSA key size to 3072 bits,
following NIST Special Publication 800-57's guidance for a
128-bit equivalent symmetric security level.
* ssh(1): Allow "PKCS11Provider=none" to override later instances of
the PKCS11Provider directive in ssh_config,
* sshd(8): Add a log message for situations where a connection is
dropped for attempting to run a command but a sshd_config
ForceCommand=internal-sftp restriction is in effect.
* ssh(1): When prompting whether to record a new host key, accept
the key fingerprint as a synonym for "yes". This allows the user
to paste a fingerprint obtained out of band at the prompt and
have the client do the comparison for you.
* ssh-keygen(1): When signing multiple certificates on a single
command-line invocation, allow automatically incrementing the
certificate serial number.
* scp(1), sftp(1): Accept -J option as an alias to ProxyJump on
the scp and sftp command-lines.
* ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v"
command-line flags to increase the verbosity of output; pass
verbose flags though to subprocesses, such as ssh-pkcs11-helper
started from ssh-agent.
* ssh-add(1): Add a "-T" option to allowing testing whether keys in
an agent are usable by performing a signature and a verification.
* sftp-server(8): Add a "lsetstat@openssh.com" protocol extension
that replicates the functionality of the existing SSH2_FXP_SETSTAT
operation but does not follow symlinks.
* sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request
they do not follow symlinks.
* sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes
the connection 4-tuple available to PAM modules that wish to use
it in decision-making.
* sshd(8): Add a ssh_config "Match final" predicate Matches in same
pass as "Match canonical" but doesn't require hostname
canonicalisation be enabled.
* sftp(1): Support a prefix of '@' to suppress echo of sftp batch
commands.
* ssh-keygen(1): When printing certificate contents using
"ssh-keygen -Lf /path/certificate", include the algorithm that
the CA used to sign the cert.
- Rebased patches:
* openssh-7.7p1-IPv6_X_forwarding.patch
* openssh-7.7p1-X_forward_with_disabled_ipv6.patch
* openssh-7.7p1-cavstest-ctr.patch
* openssh-7.7p1-cavstest-kdf.patch
* openssh-7.7p1-disable_openssl_abi_check.patch
* openssh-7.7p1-fips.patch
* openssh-7.7p1-fips_checks.patch
* openssh-7.7p1-hostname_changes_when_forwarding_X.patch
* openssh-7.7p1-ldap.patch
* openssh-7.7p1-seed-prng.patch
* openssh-7.7p1-sftp_force_permissions.patch
* openssh-7.7p1-sftp_print_diagnostic_messages.patch
* openssh-8.0p1-gssapi-keyex.patch (formerly
openssh-7.7p1-gssapi_key_exchange.patch)
* openssh-8.1p1-audit.patch (formerly openssh-7.7p1-audit.patch)
- Removed patches (integrated upstream):
* 0001-upstream-Fix-two-race-conditions-in-sshd-relating-to.patch
* openssh-7.7p1-seccomp_ioctl_s390_EP11.patch
* openssh-7.9p1-CVE-2018-20685.patch
* openssh-7.9p1-brace-expansion.patch
* openssh-CVE-2019-6109-force-progressmeter-update.patch
* openssh-CVE-2019-6109-sanitize-scp-filenames.patch
* openssh-CVE-2019-6111-scp-client-wildcard.patch
- Removed patches (obsolete):
* openssh-openssl-1_0_0-compatibility.patch
-------------------------------------------------------------------
Mon Aug 19 11:24:36 CEST 2019 - kukuk@suse.de

14
openssh.spec
View File

@ -37,7 +37,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: openssh
Version: 7.9p1
Version: 8.1p1
Release: 0
Summary: Secure Shell Client and Server (Remote Login Program)
License: BSD-2-Clause AND MIT
@ -70,7 +70,6 @@ Patch14: openssh-7.7p1-seccomp_stat.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Patch15: openssh-7.7p1-seccomp_ipc_flock.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Patch16: openssh-7.7p1-seccomp_ioctl_s390_EP11.patch
# Local FIPS patchset
Patch17: openssh-7.7p1-fips.patch
# Local cavs patchset
@ -82,9 +81,9 @@ Patch20: openssh-7.7p1-fips_checks.patch
Patch21: openssh-7.7p1-seed-prng.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
Patch22: openssh-7.7p1-systemd-notify.patch
Patch23: openssh-7.7p1-gssapi_key_exchange.patch
Patch23: openssh-8.0p1-gssapi-keyex.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=1402
Patch24: openssh-7.7p1-audit.patch
Patch24: openssh-8.1p1-audit.patch
# Local patch to disable runtime abi SSL checks, quite pointless for us
Patch26: openssh-7.7p1-disable_openssl_abi_check.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
@ -98,13 +97,6 @@ Patch31: openssh-7.7p1-ldap.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=2213
Patch32: openssh-7.7p1-IPv6_X_forwarding.patch
Patch33: openssh-7.7p1-sftp_print_diagnostic_messages.patch
Patch34: openssh-openssl-1_0_0-compatibility.patch
Patch35: openssh-7.9p1-CVE-2018-20685.patch
Patch36: openssh-CVE-2019-6109-sanitize-scp-filenames.patch
Patch37: openssh-CVE-2019-6109-force-progressmeter-update.patch
Patch38: openssh-CVE-2019-6111-scp-client-wildcard.patch
Patch39: openssh-7.9p1-brace-expansion.patch
Patch40: 0001-upstream-Fix-two-race-conditions-in-sshd-relating-to.patch
BuildRequires: audit-devel
BuildRequires: autoconf
BuildRequires: groff