diff --git a/openssh-7.7p1-IPv6_X_forwarding.patch b/openssh-7.7p1-IPv6_X_forwarding.patch index 3a3b2d9..a036a86 100644 --- a/openssh-7.7p1-IPv6_X_forwarding.patch +++ b/openssh-7.7p1-IPv6_X_forwarding.patch @@ -5,15 +5,11 @@ Correctly parse DISPLAY variable for cases where it contains an IPv6 address bnc#847710 - https://bugzilla.novell.com/show_bug.cgi?id=847710 -diff --git a/openssh-7.7p1/channels.c b/openssh-7.7p1/channels.c ---- openssh-7.7p1/channels.c -+++ openssh-7.7p1/channels.c -@@ -4590,33 +4590,42 @@ x11_connect_display(struct ssh *ssh) - return -1; - - /* OK, we now have a connection to the display. */ - return sock; - } +Index: openssh-8.8p1/channels.c +=================================================================== +--- openssh-8.8p1.orig/channels.c ++++ openssh-8.8p1/channels.c +@@ -4776,9 +4776,10 @@ x11_connect_display(struct ssh *ssh) /* * Connect to an inet socket. The DISPLAY value is supposedly * hostname:d[.s], where hostname may also be numeric IP address. @@ -25,14 +21,7 @@ diff --git a/openssh-7.7p1/channels.c b/openssh-7.7p1/channels.c if (!cp) { error("Could not find ':' in DISPLAY: %.100s", display); return -1; - } - *cp = 0; - /* - * buf now contains the host name. But first we parse the - * display number. - */ - if (sscanf(cp + 1, "%u", &display_number) != 1) { - error("Could not parse display number from DISPLAY: %.100s", +@@ -4793,6 +4794,14 @@ x11_connect_display(struct ssh *ssh) display); return -1; } @@ -47,8 +36,3 @@ diff --git a/openssh-7.7p1/channels.c b/openssh-7.7p1/channels.c /* Look up the host address */ memset(&hints, 0, sizeof(hints)); - hints.ai_family = ssh->chanctxt->IPv4or6; - hints.ai_socktype = SOCK_STREAM; - snprintf(strport, sizeof strport, "%u", 6000 + display_number); - if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) { - error("%.100s: unknown host. (%s)", buf, diff --git a/openssh-7.7p1-X11_trusted_forwarding.patch b/openssh-7.7p1-X11_trusted_forwarding.patch index b48d480..020a92a 100644 
--- a/openssh-7.7p1-X11_trusted_forwarding.patch +++ b/openssh-7.7p1-X11_trusted_forwarding.patch @@ -6,10 +6,10 @@ Enable Trusted X11 forwarding by default, since the security benefits of having it disabled are negligible these days with XI2 being widely used. -Index: openssh-7.8p1/ssh_config +Index: openssh-8.8p1/ssh_config =================================================================== ---- openssh-7.8p1.orig/ssh_config -+++ openssh-7.8p1/ssh_config +--- openssh-8.8p1.orig/ssh_config ++++ openssh-8.8p1/ssh_config @@ -17,9 +17,20 @@ # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. @@ -32,10 +32,10 @@ Index: openssh-7.8p1/ssh_config # PasswordAuthentication yes # HostbasedAuthentication no # GSSAPIAuthentication no -Index: openssh-7.8p1/sshd_config +Index: openssh-8.8p1/sshd_config =================================================================== ---- openssh-7.8p1.orig/sshd_config -+++ openssh-7.8p1/sshd_config +--- openssh-8.8p1.orig/sshd_config ++++ openssh-8.8p1/sshd_config @@ -84,7 +84,7 @@ AuthorizedKeysFile .ssh/authorized_keys #AllowAgentForwarding yes #AllowTcpForwarding yes diff --git a/openssh-7.7p1-X_forward_with_disabled_ipv6.patch b/openssh-7.7p1-X_forward_with_disabled_ipv6.patch index 5ab2d56..3e7118b 100644 --- a/openssh-7.7p1-X_forward_with_disabled_ipv6.patch +++ b/openssh-7.7p1-X_forward_with_disabled_ipv6.patch 
@@ -3,13 +3,13 @@ Do not throw away already open sockets for X11 forwarding if another socket family is not available for bind() -diff --git a/channels.c b/channels.c -index f51b7e3..95af47e 100644 ---- a/channels.c -+++ b/channels.c -@@ -4637,6 +4637,13 @@ x11_create_display_inet(struct ssh *ssh, int x11_display_offset, - debug2("%s: bind port %d: %.100s", __func__, - port, strerror(errno)); +Index: openssh-8.8p1/channels.c +=================================================================== +--- openssh-8.8p1.orig/channels.c ++++ openssh-8.8p1/channels.c +@@ -4607,6 +4607,13 @@ x11_create_display_inet(struct ssh *ssh, + debug2_f("bind port %d: %.100s", port, + strerror(errno)); close(sock); + /* do not remove successfully opened sockets if + * the request failed because the protocol diff --git a/openssh-7.7p1-cavstest-ctr.patch b/openssh-7.7p1-cavstest-ctr.patch index e2bf8f1..17b6672 100644 --- a/openssh-7.7p1-cavstest-ctr.patch +++ b/openssh-7.7p1-cavstest-ctr.patch @@ -2,11 +2,11 @@ # Parent cc1022edba2c5eeb0facba08468f65afc2466b63 CAVS test for OpenSSH's own CTR encryption mode implementation -Index: openssh-8.4p1/Makefile.in +Index: openssh-8.8p1/Makefile.in =================================================================== ---- openssh-8.4p1.orig/Makefile.in -+++ openssh-8.4p1/Makefile.in -@@ -25,6 +25,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server +--- openssh-8.8p1.orig/Makefile.in ++++ openssh-8.8p1/Makefile.in +@@ -26,6 +26,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper 
@@ -14,7 +14,7 @@ Index: openssh-8.4p1/Makefile.in PRIVSEP_PATH=@PRIVSEP_PATH@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ STRIP_OPT=@STRIP_OPT@ -@@ -68,6 +69,8 @@ MKDIR_P=@MKDIR_P@ +@@ -69,6 +70,8 @@ MKDIR_P=@MKDIR_P@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) @@ -23,7 +23,7 @@ Index: openssh-8.4p1/Makefile.in XMSS_OBJS=\ ssh-xmss.o \ sshkey-xmss.o \ -@@ -242,6 +245,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss +@@ -245,6 +248,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS) $(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) @@ -34,7 +34,7 @@ Index: openssh-8.4p1/Makefile.in # test driver for the loginrec code - not built by default logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) -@@ -400,6 +407,7 @@ install-files: +@@ -407,6 +414,7 @@ install-files: $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) @@ -42,10 +42,10 @@ Index: openssh-8.4p1/Makefile.in $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -Index: openssh-8.4p1/cavstest-ctr.c +Index: openssh-8.8p1/cavstest-ctr.c =================================================================== --- /dev/null -+++ openssh-8.4p1/cavstest-ctr.c ++++ openssh-8.8p1/cavstest-ctr.c @@ -0,0 +1,214 @@ +/* + * 
@@ -261,10 +261,10 @@ Index: openssh-8.4p1/cavstest-ctr.c + printf("\n"); + return 0; +} -Index: openssh-8.4p1/cipher.c +Index: openssh-8.8p1/cipher.c =================================================================== ---- openssh-8.4p1.orig/cipher.c -+++ openssh-8.4p1/cipher.c +--- openssh-8.8p1.orig/cipher.c ++++ openssh-8.8p1/cipher.c @@ -58,15 +58,6 @@ #define EVP_CIPHER_CTX void #endif @@ -281,10 +281,10 @@ Index: openssh-8.4p1/cipher.c struct sshcipher { char *name; u_int block_size; -Index: openssh-8.4p1/cipher.h +Index: openssh-8.8p1/cipher.h =================================================================== ---- openssh-8.4p1.orig/cipher.h -+++ openssh-8.4p1/cipher.h +--- openssh-8.8p1.orig/cipher.h ++++ openssh-8.8p1/cipher.h @@ -48,7 +48,15 @@ #define CIPHER_DECRYPT 0 diff --git a/openssh-7.7p1-cavstest-kdf.patch b/openssh-7.7p1-cavstest-kdf.patch index f30919a..bc5763e 100644 --- a/openssh-7.7p1-cavstest-kdf.patch +++ b/openssh-7.7p1-cavstest-kdf.patch @@ -2,11 +2,11 @@ # Parent 1e1d5a2ab8bddfc800f570755f9ea1addcc878c1 CAVS test for KDF implementation in OpenSSH -Index: openssh-8.4p1/Makefile.in +Index: openssh-8.8p1/Makefile.in =================================================================== ---- openssh-8.4p1.orig/Makefile.in -+++ openssh-8.4p1/Makefile.in -@@ -26,6 +26,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign +--- openssh-8.8p1.orig/Makefile.in ++++ openssh-8.8p1/Makefile.in +@@ -27,6 +27,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper CAVSTEST_CTR=$(libexecdir)/cavstest-ctr 
@@ -14,7 +14,7 @@ Index: openssh-8.4p1/Makefile.in PRIVSEP_PATH=@PRIVSEP_PATH@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ STRIP_OPT=@STRIP_OPT@ -@@ -69,7 +70,7 @@ MKDIR_P=@MKDIR_P@ +@@ -70,7 +71,7 @@ MKDIR_P=@MKDIR_P@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) @@ -23,7 +23,7 @@ Index: openssh-8.4p1/Makefile.in XMSS_OBJS=\ ssh-xmss.o \ -@@ -249,6 +250,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(S +@@ -252,6 +253,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(S cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) @@ -33,7 +33,7 @@ Index: openssh-8.4p1/Makefile.in # test driver for the loginrec code - not built by default logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) -@@ -408,6 +412,7 @@ install-files: +@@ -415,6 +419,7 @@ install-files: $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT) @@ -41,10 +41,10 @@ Index: openssh-8.4p1/Makefile.in $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -Index: openssh-8.4p1/cavstest-kdf.c +Index: openssh-8.8p1/cavstest-kdf.c =================================================================== --- /dev/null -+++ openssh-8.4p1/cavstest-kdf.c ++++ openssh-8.8p1/cavstest-kdf.c @@ -0,0 +1,402 @@ +/* + * Copyright (C) 2015, Stephan Mueller 
@@ -249,8 +249,8 @@ Index: openssh-8.4p1/cavstest-kdf.c + goto out; + } + -+ kex.session_id = test->session_id; -+ kex.session_id_len = test->session_id_len; ++ kex.session_id = sshbuf_new(); ++ sshbuf_put(kex.session_id, test->session_id, test->session_id_len); + + /* setup kex */ + diff --git a/openssh-7.7p1-disable_openssl_abi_check.patch b/openssh-7.7p1-disable_openssl_abi_check.patch index 8e33f62..11723a7 100644 --- a/openssh-7.7p1-disable_openssl_abi_check.patch +++ b/openssh-7.7p1-disable_openssl_abi_check.patch @@ -4,11 +4,11 @@ disable run-time check for OpenSSL ABI by version number as that is not a reliable indicator of ABI changes and doesn't make much sense in a distribution package -diff --git a/configure.ac b/configure.ac -index 42ffd95..20a1884 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -4878,6 +4878,19 @@ AC_ARG_WITH([bsd-auth], +Index: openssh-8.8p1/configure.ac +=================================================================== +--- openssh-8.8p1.orig/configure.ac ++++ openssh-8.8p1/configure.ac +@@ -5236,6 +5236,19 @@ AC_ARG_WITH([bsd-auth], ] ) @@ -28,11 +28,11 @@ index 42ffd95..20a1884 100644 # Where to place sshd.pid piddir=/var/run # make sure the directory exists -diff --git a/entropy.c b/entropy.c -index f8b9f42..4957b23 100644 ---- a/entropy.c -+++ b/entropy.c -@@ -223,11 +223,13 @@ seed_rng(void) +Index: openssh-8.8p1/entropy.c +=================================================================== +--- openssh-8.8p1.orig/entropy.c ++++ openssh-8.8p1/entropy.c +@@ -100,11 +100,13 @@ seed_rng(void) /* Initialise libcrypto */ ssh_libcrypto_init(); diff --git a/openssh-7.7p1-eal3.patch b/openssh-7.7p1-eal3.patch index 8faf689..7a52a4e 100644 --- a/openssh-7.7p1-eal3.patch +++ b/openssh-7.7p1-eal3.patch 
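Review bot: Neither `sshbuf_new()` nor `sshbuf_put()` has its return value checked on the two added lines of the cavstest-kdf.c hunk, so an allocation failure leaves `kex.session_id` NULL and the put's error code is discarded, and the KDF vector would then be computed against a missing or empty session id and fail (or pass) for the wrong reason. The lines just above already bail out with `goto out`, so the same shape fits: `if ((kex.session_id = sshbuf_new()) == NULL || sshbuf_put(kex.session_id, test->session_id, test->session_id_len) != 0) goto out;`. The new buffer also appears to have no matching `sshbuf_free()`; the enclosing function continues outside the hunk, so confirm it is released on the `out:` path rather than leaked per test vector.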
@@ -2,15 +2,11 @@ # Parent 8fd4e445c3a5c823568661a4f71b064cbcb217a9 fix paths and references in sshd man pages -diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in ---- openssh-7.7p1/Makefile.in -+++ openssh-7.7p1/Makefile.in -@@ -127,17 +127,18 @@ MANTYPE = @MANTYPE@ - CONFIGFILES=sshd_config.out ssh_config.out moduli.out - CONFIGFILES_IN=sshd_config ssh_config moduli - - PATHSUBS = \ - -e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \ +Index: openssh-8.8p1/Makefile.in +=================================================================== +--- openssh-8.8p1.orig/Makefile.in ++++ openssh-8.8p1/Makefile.in +@@ -165,7 +165,8 @@ PATHSUBS = \ -e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \ -e 's|/etc/ssh/sshd_config|$(sysconfdir)/sshd_config|g' \ -e 's|/usr/libexec|$(libexecdir)|g' \ @@ -20,8 +16,3 @@ diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in -e 's|/etc/ssh/ssh_host_key|$(sysconfdir)/ssh_host_key|g' \ -e 's|/etc/ssh/ssh_host_ecdsa_key|$(sysconfdir)/ssh_host_ecdsa_key|g' \ -e 's|/etc/ssh/ssh_host_dsa_key|$(sysconfdir)/ssh_host_dsa_key|g' \ - -e 's|/etc/ssh/ssh_host_rsa_key|$(sysconfdir)/ssh_host_rsa_key|g' \ - -e 's|/etc/ssh/ssh_host_ed25519_key|$(sysconfdir)/ssh_host_ed25519_key|g' \ - -e 's|/var/run/sshd.pid|$(piddir)/sshd.pid|g' \ - -e 's|/etc/moduli|$(sysconfdir)/moduli|g' \ - -e 's|/etc/ssh/moduli|$(sysconfdir)/moduli|g' \ diff --git a/openssh-7.7p1-enable_PAM_by_default.patch b/openssh-7.7p1-enable_PAM_by_default.patch index 61576cd..c47e04b 100644 --- a/openssh-7.7p1-enable_PAM_by_default.patch +++ b/openssh-7.7p1-enable_PAM_by_default.patch 
@@ -4,25 +4,16 @@ # bnc#46749 # --used to be called '-pam-fix2' -diff --git a/openssh-7.7p1/sshd_config b/openssh-7.7p1/sshd_config ---- openssh-7.7p1/sshd_config -+++ openssh-7.7p1/sshd_config -@@ -74,17 +74,17 @@ AuthorizedKeysFile .ssh/authorized_keys - # and session processing. If this is enabled, PAM authentication will - # be allowed through the ChallengeResponseAuthentication and - # PasswordAuthentication. Depending on your PAM configuration, - # PAM authentication via ChallengeResponseAuthentication may bypass - # the setting of "PermitRootLogin without-password". +Index: openssh-8.8p1/sshd_config +=================================================================== +--- openssh-8.8p1.orig/sshd_config ++++ openssh-8.8p1/sshd_config +@@ -79,7 +79,7 @@ AuthorizedKeysFile .ssh/authorized_keys # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication - # and ChallengeResponseAuthentication to 'no'. + # and KbdInteractiveAuthentication to 'no'. -#UsePAM no +UsePAM yes #AllowAgentForwarding yes #AllowTcpForwarding yes - #GatewayPorts no - X11Forwarding yes - #X11DisplayOffset 10 - #X11UseLocalhost yes - #PermitTTY yes diff --git a/openssh-7.7p1-fips.patch b/openssh-7.7p1-fips.patch index 80ad852..03f57a8 100644 --- a/openssh-7.7p1-fips.patch +++ b/openssh-7.7p1-fips.patch @@ -3,11 +3,11 @@ FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved algorithms. -Index: openssh-8.4p1/Makefile.in +Index: openssh-8.8p1/Makefile.in =================================================================== ---- openssh-8.4p1.orig/Makefile.in -+++ openssh-8.4p1/Makefile.in -@@ -112,6 +112,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ +--- openssh-8.8p1.orig/Makefile.in ++++ openssh-8.8p1/Makefile.in +@@ -113,6 +113,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ SKOBJS= ssh-sk-client.o 
@@ -16,10 +16,10 @@ Index: openssh-8.4p1/Makefile.in SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect2.o mux.o $(SKOBJS) -Index: openssh-8.4p1/cipher-ctr.c +Index: openssh-8.8p1/cipher-ctr.c =================================================================== ---- openssh-8.4p1.orig/cipher-ctr.c -+++ openssh-8.4p1/cipher-ctr.c +--- openssh-8.8p1.orig/cipher-ctr.c ++++ openssh-8.8p1/cipher-ctr.c @@ -27,6 +27,8 @@ #include "xmalloc.h" #include "log.h" @@ -38,10 +38,10 @@ Index: openssh-8.4p1/cipher-ctr.c #endif return (&aes_ctr); } -Index: openssh-8.4p1/cipher.c +Index: openssh-8.8p1/cipher.c =================================================================== ---- openssh-8.4p1.orig/cipher.c -+++ openssh-8.4p1/cipher.c +--- openssh-8.8p1.orig/cipher.c ++++ openssh-8.8p1/cipher.c @@ -51,6 +51,9 @@ #include "openbsd-compat/openssl-compat.h" @@ -61,7 +61,7 @@ Index: openssh-8.4p1/cipher.c #ifdef WITH_OPENSSL #ifndef OPENSSL_NO_DES { "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc }, -@@ -114,8 +117,52 @@ static const struct sshcipher ciphers[] +@@ -112,8 +115,52 @@ static const struct sshcipher ciphers[] { NULL, 0, 0, 0, 0, 0, NULL } }; @@ -114,7 +114,7 @@ Index: openssh-8.4p1/cipher.c /* Returns a comma-separated list of supported ciphers. */ char * cipher_alg_list(char sep, int auth_only) -@@ -124,7 +171,7 @@ cipher_alg_list(char sep, int auth_only) +@@ -122,7 +169,7 @@ cipher_alg_list(char sep, int auth_only) size_t nlen, rlen = 0; const struct sshcipher *c; @@ -123,7 +123,7 @@ Index: openssh-8.4p1/cipher.c if ((c->flags & CFLAG_INTERNAL) != 0) continue; if (auth_only && c->auth_len == 0) -@@ -207,7 +254,7 @@ const struct sshcipher * +@@ -205,7 +252,7 @@ const struct sshcipher * cipher_by_name(const char *name) { const struct sshcipher *c; 
@@ -132,10 +132,10 @@ Index: openssh-8.4p1/cipher.c if (strcmp(c->name, name) == 0) return c; return NULL; -Index: openssh-8.4p1/fips.c +Index: openssh-8.8p1/fips.c =================================================================== --- /dev/null -+++ openssh-8.4p1/fips.c ++++ openssh-8.8p1/fips.c @@ -0,0 +1,212 @@ +/* + * Copyright (c) 2012 Petr Cerny. All rights reserved. @@ -349,10 +349,10 @@ Index: openssh-8.4p1/fips.c + return dgst; +} + -Index: openssh-8.4p1/fips.h +Index: openssh-8.8p1/fips.h =================================================================== --- /dev/null -+++ openssh-8.4p1/fips.h ++++ openssh-8.8p1/fips.h @@ -0,0 +1,44 @@ +/* + * Copyright (c) 2012 Petr Cerny. All rights reserved. @@ -398,10 +398,10 @@ Index: openssh-8.4p1/fips.h + +#endif + -Index: openssh-8.4p1/hmac.c +Index: openssh-8.8p1/hmac.c =================================================================== ---- openssh-8.4p1.orig/hmac.c -+++ openssh-8.4p1/hmac.c +--- openssh-8.8p1.orig/hmac.c ++++ openssh-8.8p1/hmac.c @@ -145,7 +145,7 @@ hmac_test(void *key, size_t klen, void * size_t i; u_char digest[16]; @@ -411,10 +411,10 @@ Index: openssh-8.4p1/hmac.c printf("ssh_hmac_start failed"); if (ssh_hmac_init(ctx, key, klen) < 0 || ssh_hmac_update(ctx, m, mlen) < 0 || -Index: openssh-8.4p1/kex.c +Index: openssh-8.8p1/kex.c =================================================================== ---- openssh-8.4p1.orig/kex.c -+++ openssh-8.4p1/kex.c +--- openssh-8.8p1.orig/kex.c ++++ openssh-8.8p1/kex.c @@ -62,6 +62,8 @@ #include "sshbuf.h" #include "digest.h" @@ -433,7 +433,7 @@ Index: openssh-8.4p1/kex.c #ifdef WITH_OPENSSL { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 }, -@@ -116,6 +118,47 @@ static const struct kexalg kexalgs[] = { +@@ -118,6 +120,47 @@ static const struct kexalg kexalgs[] = { { NULL, 0, -1, -1}, }; 
@@ -481,7 +481,7 @@ Index: openssh-8.4p1/kex.c char * kex_alg_list(char sep) { -@@ -123,7 +166,7 @@ kex_alg_list(char sep) +@@ -125,7 +168,7 @@ kex_alg_list(char sep) size_t nlen, rlen = 0; const struct kexalg *k; @@ -490,7 +490,7 @@ Index: openssh-8.4p1/kex.c if (ret != NULL) ret[rlen++] = sep; nlen = strlen(k->name); -@@ -143,7 +186,7 @@ kex_alg_by_name(const char *name) +@@ -145,7 +188,7 @@ kex_alg_by_name(const char *name) { const struct kexalg *k; @@ -499,7 +499,7 @@ Index: openssh-8.4p1/kex.c if (strcmp(k->name, name) == 0) return k; } -@@ -163,7 +206,10 @@ kex_names_valid(const char *names) +@@ -165,7 +208,10 @@ kex_names_valid(const char *names) for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { if (kex_alg_by_name(p) == NULL) { @@ -510,10 +510,10 @@ Index: openssh-8.4p1/kex.c free(s); return 0; } -Index: openssh-8.4p1/mac.c +Index: openssh-8.8p1/mac.c =================================================================== ---- openssh-8.4p1.orig/mac.c -+++ openssh-8.4p1/mac.c +--- openssh-8.8p1.orig/mac.c ++++ openssh-8.8p1/mac.c @@ -41,6 +41,9 @@ #include "openbsd-compat/openssl-compat.h" @@ -593,10 +593,10 @@ Index: openssh-8.4p1/mac.c if (strcmp(name, m->name) != 0) continue; if (mac != NULL) -Index: openssh-8.4p1/readconf.c +Index: openssh-8.8p1/readconf.c =================================================================== ---- openssh-8.4p1.orig/readconf.c -+++ openssh-8.4p1/readconf.c +--- openssh-8.8p1.orig/readconf.c ++++ openssh-8.8p1/readconf.c @@ -68,6 +68,8 @@ #include "myproposal.h" #include "digest.h" @@ -606,8 +606,8 @@ Index: openssh-8.4p1/readconf.c /* Format of the configuration file: # Configuration data is parsed as follows: -@@ -1949,6 +1951,23 @@ option_clear_or_none(const char *o) - return o == NULL || strcasecmp(o, "none") == 0; +@@ -2307,6 +2309,23 @@ config_has_permitted_cnames(Options *opt + return options->num_permitted_cnames > 0; } +/* remove algorithms not approved for use in FIPS mode, when running in FIPS 
@@ -630,7 +630,7 @@ Index: openssh-8.4p1/readconf.c /* * Initializes options to special values that indicate that they have not yet * been set. Read_config_file will only set options with this value. Options -@@ -2240,6 +2259,9 @@ fill_default_options(Options * options) +@@ -2618,6 +2637,9 @@ fill_default_options(Options * options) options->canonicalize_hostname = SSH_CANONICALISE_NO; if (options->fingerprint_hash == -1) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; @@ -640,28 +640,20 @@ Index: openssh-8.4p1/readconf.c #ifdef ENABLE_SK_INTERNAL if (options->sk_provider == NULL) options->sk_provider = xstrdup("internal"); -@@ -2273,6 +2295,7 @@ fill_default_options(Options * options) - ASSEMBLE(pubkey_key_types, def_key, all_key); +@@ -2654,6 +2676,8 @@ fill_default_options(Options * options) ASSEMBLE(ca_sign_algorithms, def_sig, all_sig); #undef ASSEMBLE -+ - free(all_cipher); - free(all_mac); - free(all_kex); -@@ -2284,6 +2307,8 @@ fill_default_options(Options * options) - kex_default_pk_alg_filtered = def_key; /* save for later use */ - free(def_sig); + filter_fips_algorithms(options); + #define CLEAR_ON_NONE(v) \ do { \ if (option_clear_or_none(v)) { \ -Index: openssh-8.4p1/readconf.h +Index: openssh-8.8p1/readconf.h =================================================================== ---- openssh-8.4p1.orig/readconf.h -+++ openssh-8.4p1/readconf.h -@@ -200,6 +200,7 @@ typedef struct { +--- openssh-8.8p1.orig/readconf.h ++++ openssh-8.8p1/readconf.h +@@ -212,6 +212,7 @@ typedef struct { #define SSH_STRICT_HOSTKEY_YES 2 #define SSH_STRICT_HOSTKEY_ASK 3 
@@ -669,10 +661,10 @@ Index: openssh-8.4p1/readconf.h const char *kex_default_pk_alg(void); char *ssh_connection_hash(const char *thishost, const char *host, const char *portstr, const char *user); -Index: openssh-8.4p1/servconf.c +Index: openssh-8.8p1/servconf.c =================================================================== ---- openssh-8.4p1.orig/servconf.c -+++ openssh-8.4p1/servconf.c +--- openssh-8.8p1.orig/servconf.c ++++ openssh-8.8p1/servconf.c @@ -70,6 +70,7 @@ #include "auth.h" #include "myproposal.h" @@ -681,7 +673,7 @@ Index: openssh-8.4p1/servconf.c static void add_listen_addr(ServerOptions *, const char *, const char *, int); -@@ -201,6 +202,23 @@ option_clear_or_none(const char *o) +@@ -205,6 +206,23 @@ option_clear_or_none(const char *o) return o == NULL || strcasecmp(o, "none") == 0; } @@ -705,7 +697,7 @@ Index: openssh-8.4p1/servconf.c static void assemble_algorithms(ServerOptions *o) { -@@ -242,6 +260,8 @@ assemble_algorithms(ServerOptions *o) +@@ -246,6 +264,8 @@ assemble_algorithms(ServerOptions *o) free(def_kex); free(def_key); free(def_sig); @@ -713,8 +705,8 @@ Index: openssh-8.4p1/servconf.c + filter_fips_algorithms_s(o); } - static void -@@ -454,6 +474,8 @@ fill_default_server_options(ServerOption + void +@@ -438,6 +458,8 @@ fill_default_server_options(ServerOption options->fwd_opts.streamlocal_bind_unlink = 0; if (options->fingerprint_hash == -1) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; 
@@ -723,20 +715,20 @@ Index: openssh-8.4p1/servconf.c if (options->disable_forwarding == -1) options->disable_forwarding = 0; if (options->expose_userauth_info == -1) -Index: openssh-8.4p1/ssh-keygen.c +Index: openssh-8.8p1/ssh-keygen.c =================================================================== ---- openssh-8.4p1.orig/ssh-keygen.c -+++ openssh-8.4p1/ssh-keygen.c -@@ -66,6 +66,8 @@ - #include "ssh-sk.h" +--- openssh-8.8p1.orig/ssh-keygen.c ++++ openssh-8.8p1/ssh-keygen.c +@@ -67,6 +67,8 @@ #include "sk-api.h" /* XXX for SSH_SK_USER_PRESENCE_REQD; remove */ + #include "cipher.h" +#include "fips.h" + #ifdef WITH_OPENSSL # define DEFAULT_KEY_TYPE_NAME "rsa" #else -@@ -1036,11 +1038,13 @@ do_fingerprint(struct passwd *pw) +@@ -1037,11 +1039,13 @@ do_fingerprint(struct passwd *pw) static void do_gen_all_hostkeys(struct passwd *pw) { @@ -752,7 +744,7 @@ Index: openssh-8.4p1/ssh-keygen.c #ifdef WITH_OPENSSL { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE }, { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE }, -@@ -1055,6 +1059,17 @@ do_gen_all_hostkeys(struct passwd *pw) +@@ -1056,6 +1060,17 @@ do_gen_all_hostkeys(struct passwd *pw) { NULL, NULL, NULL } }; @@ -770,7 +762,7 @@ Index: openssh-8.4p1/ssh-keygen.c u_int32_t bits = 0; int first = 0; struct stat st; -@@ -1062,6 +1077,12 @@ do_gen_all_hostkeys(struct passwd *pw) +@@ -1063,6 +1078,12 @@ do_gen_all_hostkeys(struct passwd *pw) char comment[1024], *prv_tmp, *pub_tmp, *prv_file, *pub_file; int i, type, fd, r; @@ -783,7 +775,7 @@ Index: openssh-8.4p1/ssh-keygen.c for (i = 0; key_types[i].key_type; i++) { public = private = NULL; prv_tmp = pub_tmp = prv_file = pub_file = NULL; -@@ -3586,6 +3607,15 @@ main(int argc, char **argv) +@@ -3620,6 +3641,15 @@ main(int argc, char **argv) key_type_name = DEFAULT_KEY_TYPE_NAME; type = sshkey_type_from_name(key_type_name); 
@@ -799,37 +791,37 @@ Index: openssh-8.4p1/ssh-keygen.c type_bits_valid(type, key_type_name, &bits); if (!quiet) -Index: openssh-8.4p1/ssh_config.5 +Index: openssh-8.8p1/ssh_config.5 =================================================================== ---- openssh-8.4p1.orig/ssh_config.5 -+++ openssh-8.4p1/ssh_config.5 -@@ -682,6 +682,8 @@ Valid options are: - and - .Cm sha256 +--- openssh-8.8p1.orig/ssh_config.5 ++++ openssh-8.8p1/ssh_config.5 +@@ -736,6 +736,8 @@ The argument to this keyword must be + option) or + .Cm no (the default). +.Pp +In the FIPS mode the minimum of SHA-1 is enforced (which means sha256). .It Cm ForwardAgent Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. -Index: openssh-8.4p1/sshd.c +Index: openssh-8.8p1/sshd.c =================================================================== ---- openssh-8.4p1.orig/sshd.c -+++ openssh-8.4p1/sshd.c -@@ -124,6 +124,8 @@ - #include "ssherr.h" - #include "sk-api.h" +--- openssh-8.8p1.orig/sshd.c ++++ openssh-8.8p1/sshd.c +@@ -126,6 +126,8 @@ + #include "srclimit.h" + #include "dh.h" +#include "fips.h" + /* Re-exec fds */ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) -Index: openssh-8.4p1/sshd_config.5 +Index: openssh-8.8p1/sshd_config.5 =================================================================== ---- openssh-8.4p1.orig/sshd_config.5 -+++ openssh-8.4p1/sshd_config.5 -@@ -594,6 +594,8 @@ and +--- openssh-8.8p1.orig/sshd_config.5 ++++ openssh-8.8p1/sshd_config.5 +@@ -600,6 +600,8 @@ and .Cm sha256 . The default is .Cm sha256 . diff --git a/openssh-7.7p1-fips_checks.patch b/openssh-7.7p1-fips_checks.patch index cc0d5dc..85111ab 100644 --- a/openssh-7.7p1-fips_checks.patch +++ b/openssh-7.7p1-fips_checks.patch 
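Review bot: The refreshed ssh_config.5 hunk no longer anchors the FIPS sentence under FingerprintHash: its new context lines (`The argument to this keyword must be` … `.Cm no (the default).`) are the yes/no description of a different keyword — in 8.8p1 the entry immediately before ForwardAgent is ForkAfterAuthentication, added in 8.7 — so `In the FIPS mode the minimum of SHA-1 is enforced (which means sha256).` would now be rendered under that option, where it makes no sense. The old context (`and` / `.Cm sha256`) shows where it belongs; the sentence should be re-anchored after the `.Cm sha256` line of the FingerprintHash entry, as the sshd_config.5 hunk on the same line still does, and the refresh presumably drifted only because the surrounding text moved. While re-anchoring it, the sentence could be reworded to say plainly that md5 fingerprints are not available in FIPS mode, if that is what the readconf.c filtering in this patch actually does (not visible here).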
@@ -14,10 +14,10 @@ # file is not found (or the hash matches), proceed in non-FIPS mode and abort # otherwise. -Index: openssh-8.4p1/fips-check.c +Index: openssh-8.8p1/fips-check.c =================================================================== --- /dev/null -+++ openssh-8.4p1/fips-check.c ++++ openssh-8.8p1/fips-check.c @@ -0,0 +1,34 @@ +#include "includes.h" +#include @@ -53,10 +53,10 @@ Index: openssh-8.4p1/fips-check.c + fips_ssh_init(); + return 0; +} -Index: openssh-8.4p1/fips.c +Index: openssh-8.8p1/fips.c =================================================================== ---- openssh-8.4p1.orig/fips.c -+++ openssh-8.4p1/fips.c +--- openssh-8.8p1.orig/fips.c ++++ openssh-8.8p1/fips.c @@ -35,30 +35,293 @@ #include "log.h" #include "xmalloc.h" @@ -362,10 +362,10 @@ Index: openssh-8.4p1/fips.c int fips_mode(void) { -Index: openssh-8.4p1/fips.h +Index: openssh-8.8p1/fips.h =================================================================== ---- openssh-8.4p1.orig/fips.h -+++ openssh-8.4p1/fips.h +--- openssh-8.8p1.orig/fips.h ++++ openssh-8.8p1/fips.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012 Petr Cerny. All rights reserved. 
@@ -407,20 +407,20 @@ Index: openssh-8.4p1/fips.h #endif - -Index: openssh-8.4p1/sftp-server.c +Index: openssh-8.8p1/sftp-server.c =================================================================== ---- openssh-8.4p1.orig/sftp-server.c -+++ openssh-8.4p1/sftp-server.c -@@ -53,6 +53,8 @@ - - char *sftp_realpath(const char *, char *); /* sftp-realpath.c */ +--- openssh-8.8p1.orig/sftp-server.c ++++ openssh-8.8p1/sftp-server.c +@@ -57,6 +57,8 @@ char *sftp_realpath(const char *, char * + /* Maximum data read that we are willing to accept */ + #define SFTP_MAX_READ_LENGTH (SFTP_MAX_MSG_LENGTH - 1024) +#include "fips.h" + /* Our verbosity */ static LogLevel log_level = SYSLOG_LEVEL_ERROR; -@@ -1577,6 +1579,9 @@ sftp_server_main(int argc, char **argv, +@@ -1717,6 +1719,9 @@ sftp_server_main(int argc, char **argv, extern char *optarg; extern char *__progname; @@ -430,10 +430,10 @@ Index: openssh-8.4p1/sftp-server.c __progname = ssh_get_progname(argv[0]); log_init(__progname, log_level, log_facility, log_stderr); -Index: openssh-8.4p1/ssh.c +Index: openssh-8.8p1/ssh.c =================================================================== ---- openssh-8.4p1.orig/ssh.c -+++ openssh-8.4p1/ssh.c +--- openssh-8.8p1.orig/ssh.c ++++ openssh-8.8p1/ssh.c @@ -113,6 +113,8 @@ #include "ssh-pkcs11.h" #endif @@ -443,9 +443,9 @@ Index: openssh-8.4p1/ssh.c extern char *__progname; /* Saves a copy of argv for setproctitle emulation */ -@@ -658,6 +660,10 @@ main(int ac, char **av) - size_t n, len; +@@ -632,6 +634,10 @@ main(int ac, char **av) u_int j; + struct ssh_conn_info *cinfo = NULL; + /* initialize fips - can go before ssh_malloc_init(), since that is a + * OpenBSD-only thing (as of OpenSSH 7.6p1) */ 
@@ -454,11 +454,11 @@ Index: openssh-8.4p1/ssh.c /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); -Index: openssh-8.4p1/sshd.c +Index: openssh-8.8p1/sshd.c =================================================================== ---- openssh-8.4p1.orig/sshd.c -+++ openssh-8.4p1/sshd.c -@@ -1545,6 +1545,10 @@ main(int ac, char **av) +--- openssh-8.8p1.orig/sshd.c ++++ openssh-8.8p1/sshd.c +@@ -1547,6 +1547,10 @@ main(int ac, char **av) Authctxt *authctxt; struct connection_info *connection_info = NULL; diff --git a/openssh-7.7p1-host_ident.patch b/openssh-7.7p1-host_ident.patch index e164b01..9e08375 100644 --- a/openssh-7.7p1-host_ident.patch +++ b/openssh-7.7p1-host_ident.patch @@ -2,15 +2,11 @@ # Parent 0f731d0b541b8a919d24ac91098f560a49712822 Suggest command line for removal of offending keys from known_hosts file -diff --git a/openssh-7.7p1/sshconnect.c b/openssh-7.7p1/sshconnect.c ---- openssh-7.7p1/sshconnect.c -+++ openssh-7.7p1/sshconnect.c -@@ -1147,16 +1147,21 @@ check_host_key(char *hostname, struct so - } - /* The host key has changed. */ - warn_changed_key(host_key); - error("Add correct host key in %.100s to get rid of this message.", - user_hostfiles[0]); +Index: openssh-8.8p1/sshconnect.c +=================================================================== +--- openssh-8.8p1.orig/sshconnect.c ++++ openssh-8.8p1/sshconnect.c +@@ -1270,6 +1270,11 @@ check_host_key(char *hostname, const str error("Offending %s key in %s:%lu", sshkey_type(host_found->key), host_found->file, host_found->line); @@ -22,8 +18,3 @@ diff --git a/openssh-7.7p1/sshconnect.c b/openssh-7.7p1/sshconnect.c /* * If strict host key checking is in use, the user will have - * to edit the key manually and we can only abort. - */ - if (options.strict_host_key_checking != - SSH_STRICT_HOSTKEY_OFF) { - error("%s host key for %.200s has changed and you have " 
diff --git a/openssh-7.7p1-hostname_changes_when_forwarding_X.patch b/openssh-7.7p1-hostname_changes_when_forwarding_X.patch index b2f8dda..33fd46c 100644 --- a/openssh-7.7p1-hostname_changes_when_forwarding_X.patch +++ b/openssh-7.7p1-hostname_changes_when_forwarding_X.patch @@ -3,11 +3,11 @@ # -- uset do be called '-xauthlocalhostname' handle hostname changes when forwarding X -Index: openssh-8.4p1/session.c +Index: openssh-8.8p1/session.c =================================================================== ---- openssh-8.4p1.orig/session.c -+++ openssh-8.4p1/session.c -@@ -985,7 +985,7 @@ copy_environment(char **source, char *** +--- openssh-8.8p1.orig/session.c ++++ openssh-8.8p1/session.c +@@ -981,7 +981,7 @@ copy_environment(char **source, char *** #endif static char ** @@ -16,7 +16,7 @@ Index: openssh-8.4p1/session.c { char buf[256]; size_t n; -@@ -1195,6 +1195,8 @@ do_setup_env(struct ssh *ssh, Session *s +@@ -1191,6 +1191,8 @@ do_setup_env(struct ssh *ssh, Session *s for (i = 0; env[i]; i++) fprintf(stderr, " %.200s\n", env[i]); } @@ -25,7 +25,7 @@ Index: openssh-8.4p1/session.c return env; } -@@ -1203,7 +1205,7 @@ do_setup_env(struct ssh *ssh, Session *s +@@ -1199,7 +1201,7 @@ do_setup_env(struct ssh *ssh, Session *s * first in this order). */ static void @@ -34,8 +34,8 @@ Index: openssh-8.4p1/session.c { FILE *f = NULL; char *cmd = NULL, *user_rc = NULL; -@@ -1260,12 +1262,20 @@ do_rc_files(struct ssh *ssh, Session *s, - fatal("%s: xasprintf: %s", __func__, strerror(errno)); +@@ -1256,12 +1258,20 @@ do_rc_files(struct ssh *ssh, Session *s, + fatal_f("xasprintf: %s", strerror(errno)); f = popen(cmd, "w"); if (f) { + char hostname[MAXHOSTNAMELEN]; 
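Review bot: The `char hostname[MAXHOSTNAMELEN];` buffer introduced inside the `if (f)` branch of `do_rc_files` is presumably filled by `gethostname()`, which does not guarantee NUL termination when the real name is longer than the buffer; the call and the use of the buffer are outside this hunk, so I cannot confirm the name is terminated before it is written to the `popen()`ed command (presumably the xauth invocation built just above). I would add `hostname[sizeof(hostname) - 1] = '\0';` right after the call and treat a non-zero return as "no hostname" rather than writing an uninitialized buffer. `do_rc_files` begins and ends outside this hunk.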
@@ -55,7 +55,7 @@ Index: openssh-8.4p1/session.c } else { fprintf(stderr, "Could not run %s\n", cmd); -@@ -1526,6 +1536,7 @@ do_child(struct ssh *ssh, Session *s, co +@@ -1518,6 +1528,7 @@ do_child(struct ssh *ssh, Session *s, co char **env, *argv[ARGV_MAX], remote_id[512]; const char *shell, *shell0; struct passwd *pw = s->pw; @@ -63,7 +63,7 @@ Index: openssh-8.4p1/session.c int r = 0; sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id)); -@@ -1582,7 +1593,7 @@ do_child(struct ssh *ssh, Session *s, co +@@ -1574,7 +1585,7 @@ do_child(struct ssh *ssh, Session *s, co * Make sure $SHELL points to the shell from the password file, * even if shell is overridden from login.conf */ @@ -72,7 +72,7 @@ Index: openssh-8.4p1/session.c #ifdef HAVE_LOGIN_CAP shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); -@@ -1646,7 +1657,7 @@ do_child(struct ssh *ssh, Session *s, co +@@ -1638,7 +1649,7 @@ do_child(struct ssh *ssh, Session *s, co closefrom(STDERR_FILENO + 1); diff --git a/openssh-7.7p1-ldap.patch b/openssh-7.7p1-ldap.patch index 7459f5a..5f8fe09 100644 --- a/openssh-7.7p1-ldap.patch +++ b/openssh-7.7p1-ldap.patch @@ -10,11 +10,10 @@ # internal versions. ssh-keyconverter consequently fails to link as it lacks # the proper flags, and libopenbsd-compat doesn't contain the b64_* functions) -diff --git a/HOWTO.ldap-keys b/HOWTO.ldap-keys -new file mode 100644 -index 0000000..831d399 +Index: openssh-8.8p1/HOWTO.ldap-keys +=================================================================== --- /dev/null -+++ b/HOWTO.ldap-keys ++++ openssh-8.8p1/HOWTO.ldap-keys @@ -0,0 +1,108 @@ + +HOW TO START 
@@ -124,11 +123,11 @@ index 0000000..831d399 + - frederic peters. + - Finlay dobbie. + - Stefan Fisher. -diff --git a/Makefile.in b/Makefile.in -index 6010d1c..f54348b 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -25,6 +25,8 @@ SFTP_SERVER=$(libexecdir)/sftp-server +Index: openssh-8.8p1/Makefile.in +=================================================================== +--- openssh-8.8p1.orig/Makefile.in ++++ openssh-8.8p1/Makefile.in +@@ -26,6 +26,8 @@ SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper @@ -137,7 +136,7 @@ index 6010d1c..f54348b 100644 CAVSTEST_CTR=$(libexecdir)/cavstest-ctr CAVSTEST_KDF=$(libexecdir)/cavstest-kdf PRIVSEP_PATH=@PRIVSEP_PATH@ -@@ -74,6 +76,9 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keys +@@ -73,6 +75,9 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-a TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT) @@ -147,9 +146,9 @@ index 6010d1c..f54348b 100644 XMSS_OBJS=\ ssh-xmss.o \ sshkey-xmss.o \ -@@ -158,8 +163,8 @@ SFTPSERVER_OBJS=sftp-common.o sftp-server.o sftp-server-main.o +@@ -160,8 +165,8 @@ SFTPSERVER_OBJS=sftp-common.o sftp-serve - SFTP_OBJS= sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o + SFTP_OBJS= sftp.o progressmeter.o $(SFTP_CLIENT_OBJS) -MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out -MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5 
@@ -158,7 +157,7 @@ index 6010d1c..f54348b 100644 MANTYPE = @MANTYPE@ CONFIGFILES=sshd_config.out ssh_config.out moduli.out -@@ -242,6 +247,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS) +@@ -244,6 +249,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) lib ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) @@ -166,9 +165,9 @@ index 6010d1c..f54348b 100644 + $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) + sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS) - $(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + $(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -@@ -406,6 +414,10 @@ install-files: +@@ -416,6 +424,10 @@ install-files: $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) @@ -179,7 +178,7 @@ index 6010d1c..f54348b 100644 $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) -@@ -425,6 +437,10 @@ install-files: +@@ -435,6 +447,10 @@ install-files: $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 
@@ -190,7 +189,7 @@ index 6010d1c..f54348b 100644 $(INSTALL) -m 644 ssh-sk-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8 install-sysconf: -@@ -449,6 +465,13 @@ install-sysconf: +@@ -459,6 +475,13 @@ install-sysconf: else \ echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \ fi @@ -204,7 +203,7 @@ index 6010d1c..f54348b 100644 host-key: ssh-keygen$(EXEEXT) @if [ -z "$(DESTDIR)" ] ; then \ -@@ -487,6 +510,8 @@ uninstall: +@@ -497,6 +520,8 @@ uninstall: -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) @@ -213,7 +212,7 @@ index 6010d1c..f54348b 100644 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -@@ -499,6 +524,7 @@ uninstall: +@@ -509,6 +534,7 @@ uninstall: -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8 @@ -221,11 +220,11 @@ index 6010d1c..f54348b 100644 regress-prep: $(MKDIR_P) `pwd`/regress/unittests/test_helper -diff --git a/configure.ac b/configure.ac -index 4ddf539..1fd0b17 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1688,6 +1688,106 @@ AC_ARG_WITH([audit], +Index: openssh-8.8p1/configure.ac +=================================================================== +--- openssh-8.8p1.orig/configure.ac ++++ openssh-8.8p1/configure.ac +@@ -1758,6 +1758,106 @@ AC_ARG_WITH([audit], esac ] ) @@ -332,11 +331,10 @@ index 4ddf539..1fd0b17 100644 AC_ARG_WITH([pie], [ --with-pie Build Position Independent Executables if possible], [ if test "x$withval" = "xno"; then -diff --git a/ldap-helper.c b/ldap-helper.c -new file mode 100644 -index 0000000..0efff1f +Index: openssh-8.8p1/ldap-helper.c +=================================================================== 
--- /dev/null -+++ b/ldap-helper.c ++++ openssh-8.8p1/ldap-helper.c @@ -0,0 +1,155 @@ +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -493,11 +491,10 @@ index 0000000..0efff1f +void *buffer_get_string(struct sshbuf *b, u_int *l) { return NULL; } +void buffer_put_string(struct sshbuf *b, const void *f, u_int l) {} + -diff --git a/ldap-helper.h b/ldap-helper.h -new file mode 100644 -index 0000000..14cb29a +Index: openssh-8.8p1/ldap-helper.h +=================================================================== --- /dev/null -+++ b/ldap-helper.h ++++ openssh-8.8p1/ldap-helper.h @@ -0,0 +1,32 @@ +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -531,11 +528,10 @@ index 0000000..14cb29a +extern int config_warning_config_file; + +#endif /* LDAP_HELPER_H */ -diff --git a/ldap.conf b/ldap.conf -new file mode 100644 -index 0000000..42e38d3 +Index: openssh-8.8p1/ldap.conf +=================================================================== --- /dev/null -+++ b/ldap.conf ++++ openssh-8.8p1/ldap.conf @@ -0,0 +1,88 @@ +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $ +# @@ -625,12 +621,11 @@ index 0000000..42e38d3 +#tls_cert +#tls_key + -diff --git a/ldapbody.c b/ldapbody.c -new file mode 100644 -index 0000000..032cc89 +Index: openssh-8.8p1/ldapbody.c +=================================================================== --- /dev/null -+++ b/ldapbody.c -@@ -0,0 +1,494 @@ ++++ openssh-8.8p1/ldapbody.c +@@ -0,0 +1,503 @@ +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* + * Copyright (c) 2009 Jan F. Chadima. All rights reserved. 
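Review bot: The link-time stubs at the end of ldap-helper.c, `buffer_get_string` returning NULL and `buffer_put_string` doing nothing, fail silently if any code linked in from libssh ever reaches them; a caller that trusts `buffer_get_string` would dereference NULL. I would make that failure loud instead, e.g. `void *buffer_get_string(struct sshbuf *b, u_int *l) { fatal_f("unexpected call"); }` with a matching `fatal_f()` in `buffer_put_string`, and a one-line comment stating that both exist only to satisfy the linker. Whether anything actually calls them is not visible from this hunk.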
@@ -663,8 +658,17 @@ index 0000000..032cc89 +#include "ldapmisc.h" +#include "ldapbody.h" +#include ++#include +#include + ++#ifndef FALSE ++# define FALSE 0 ++#endif ++ ++#ifndef TRUE ++# define TRUE 1 ++#endif ++ +#define LDAPSEARCH_FORMAT "(&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s)%s)" +#define PUBKEYATTR "sshPublicKey" +#define LDAP_LOGFILE "%s/ldap.%d" @@ -1125,11 +1129,10 @@ index 0000000..032cc89 + return; +} + -diff --git a/ldapbody.h b/ldapbody.h -new file mode 100644 -index 0000000..665dca2 +Index: openssh-8.8p1/ldapbody.h +=================================================================== --- /dev/null -+++ b/ldapbody.h ++++ openssh-8.8p1/ldapbody.h @@ -0,0 +1,37 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1168,11 +1171,10 @@ index 0000000..665dca2 + +#endif /* LDAPBODY_H */ + -diff --git a/ldapconf.c b/ldapconf.c -new file mode 100644 -index 0000000..2e22438 +Index: openssh-8.8p1/ldapconf.c +=================================================================== --- /dev/null -+++ b/ldapconf.c ++++ openssh-8.8p1/ldapconf.c @@ -0,0 +1,711 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1885,11 +1887,10 @@ index 0000000..2e22438 + dump_cfg_string(lSSH_Filter, options.ssh_filter); +} + -diff --git a/ldapconf.h b/ldapconf.h -new file mode 100644 -index 0000000..c2aa704 +Index: openssh-8.8p1/ldapconf.h +=================================================================== --- /dev/null -+++ b/ldapconf.h ++++ openssh-8.8p1/ldapconf.h @@ -0,0 +1,71 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1962,11 +1963,10 @@ index 0000000..c2aa704 +void dump_config(void); + +#endif /* LDAPCONF_H */ -diff --git a/ldapincludes.h b/ldapincludes.h -new file mode 100644 -index 0000000..8539bdc +Index: openssh-8.8p1/ldapincludes.h +=================================================================== --- /dev/null -+++ b/ldapincludes.h ++++ openssh-8.8p1/ldapincludes.h 
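Review bot: `LDAPSEARCH_FORMAT` splices the login name into `(uid=%s)` through a bare `%s`; unless the value is escaped per RFC 4515 (`*`, `(`, `)`, `\` and NUL) before the format call, a username such as `x)(uid=*` rewrites the filter (LDAP filter injection), and the trailing `%s` (presumably `options.ssh_filter` from the config, dumped further down in ldapconf.c) has the same exposure if it is ever taken from an untrusted source. The formatting site is outside this hunk, so I cannot tell whether escaping already happens; I would document the requirement on the macro, e.g. `/* the uid argument must be RFC 4515-escaped before use with this format */`, and add the escaping where the filter is built if it is missing.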
@@ -0,0 +1,41 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -2009,11 +2009,10 @@ index 0000000..8539bdc +#endif + +#endif /* LDAPINCLUDES_H */ -diff --git a/ldapmisc.c b/ldapmisc.c -new file mode 100644 -index 0000000..de23c0c +Index: openssh-8.8p1/ldapmisc.c +=================================================================== --- /dev/null -+++ b/ldapmisc.c ++++ openssh-8.8p1/ldapmisc.c @@ -0,0 +1,79 @@ + +#include "ldapincludes.h" @@ -2094,11 +2093,10 @@ index 0000000..de23c0c +} +#endif + -diff --git a/ldapmisc.h b/ldapmisc.h -new file mode 100644 -index 0000000..4c271df +Index: openssh-8.8p1/ldapmisc.h +=================================================================== --- /dev/null -+++ b/ldapmisc.h ++++ openssh-8.8p1/ldapmisc.h @@ -0,0 +1,35 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -2135,10 +2133,10 @@ index 0000000..4c271df + +#endif /* LDAPMISC_H */ + -diff --git a/openbsd-compat/base64.c b/openbsd-compat/base64.c -index 9e74667..14824be 100644 ---- a/openbsd-compat/base64.c -+++ b/openbsd-compat/base64.c +Index: openssh-8.8p1/openbsd-compat/base64.c +=================================================================== +--- openssh-8.8p1.orig/openbsd-compat/base64.c ++++ openssh-8.8p1/openbsd-compat/base64.c @@ -46,7 +46,7 @@ #include "includes.h" @@ -2157,7 +2155,7 @@ index 9e74667..14824be 100644 int b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize) { -@@ -185,7 +185,7 @@ b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize) +@@ -185,7 +185,7 @@ b64_ntop(u_char const *src, size_t srcle } #endif /* !defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP) */ 
@@ -2166,10 +2164,10 @@ index 9e74667..14824be 100644 /* skips all whitespace anywhere. converts characters, four at a time, starting at (or after) -diff --git a/openbsd-compat/base64.h b/openbsd-compat/base64.h -index bd77293..e27df9a 100644 ---- a/openbsd-compat/base64.h -+++ b/openbsd-compat/base64.h +Index: openssh-8.8p1/openbsd-compat/base64.h +=================================================================== +--- openssh-8.8p1.orig/openbsd-compat/base64.h ++++ openssh-8.8p1/openbsd-compat/base64.h @@ -45,16 +45,16 @@ #include "includes.h" @@ -2191,11 +2189,10 @@ index bd77293..e27df9a 100644 int b64_pton(char const *src, u_char *target, size_t targsize); # endif /* !HAVE_B64_PTON */ # define __b64_pton(a,b,c) b64_pton(a,b,c) -diff --git a/openssh-lpk-openldap.schema b/openssh-lpk-openldap.schema -new file mode 100644 -index 0000000..c84f90f +Index: openssh-8.8p1/openssh-lpk-openldap.schema +=================================================================== --- /dev/null -+++ b/openssh-lpk-openldap.schema ++++ openssh-8.8p1/openssh-lpk-openldap.schema @@ -0,0 +1,21 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey @@ -2218,11 +2215,10 @@ index 0000000..c84f90f + DESC 'MANDATORY: OpenSSH LPK objectclass' + MUST ( sshPublicKey $ uid ) + ) -diff --git a/openssh-lpk-sun.schema b/openssh-lpk-sun.schema -new file mode 100644 -index 0000000..3136673 +Index: openssh-8.8p1/openssh-lpk-sun.schema +=================================================================== --- /dev/null -+++ b/openssh-lpk-sun.schema ++++ openssh-8.8p1/openssh-lpk-sun.schema @@ -0,0 +1,23 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey 
@@ -2247,11 +2243,10 @@ index 0000000..3136673 + DESC 'MANDATORY: OpenSSH LPK objectclass' + MUST ( sshPublicKey $ uid ) + ) -diff --git a/ssh-ldap-helper.8 b/ssh-ldap-helper.8 -new file mode 100644 -index 0000000..f8440e4 +Index: openssh-8.8p1/ssh-ldap-helper.8 +=================================================================== --- /dev/null -+++ b/ssh-ldap-helper.8 ++++ openssh-8.8p1/ssh-ldap-helper.8 @@ -0,0 +1,79 @@ +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" @@ -2332,21 +2327,19 @@ index 0000000..f8440e4 +OpenSSH 5.5 + PKA-LDAP . +.Sh AUTHORS +.An Jan F. Chadima Aq jchadima@redhat.com -diff --git a/ssh-ldap-wrapper b/ssh-ldap-wrapper -new file mode 100644 -index 0000000..9fdfc37 +Index: openssh-8.8p1/ssh-ldap-wrapper +=================================================================== --- /dev/null -+++ b/ssh-ldap-wrapper ++++ openssh-8.8p1/ssh-ldap-wrapper @@ -0,0 +1,4 @@ +#!/bin/sh + +exec @LIBEXECDIR@/ssh-ldap-helper -s "$1" + -diff --git a/ssh-ldap.conf.5 b/ssh-ldap.conf.5 -new file mode 100644 -index 0000000..15eb03d +Index: openssh-8.8p1/ssh-ldap.conf.5 +=================================================================== --- /dev/null -+++ b/ssh-ldap.conf.5 ++++ openssh-8.8p1/ssh-ldap.conf.5 @@ -0,0 +1,376 @@ +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" diff --git a/openssh-7.7p1-no_fork-no_pid_file.patch b/openssh-7.7p1-no_fork-no_pid_file.patch index 655870c..1767963 100644 --- a/openssh-7.7p1-no_fork-no_pid_file.patch +++ b/openssh-7.7p1-no_fork-no_pid_file.patch 
@@ -2,11 +2,11 @@ # Parent bad0c8b3b8d72abb6960ed85b57ee42352371738 Do not write a PID file when not daemonizing (e.g. when running from systemd) -diff --git a/sshd.c b/sshd.c -index f3ccc3a..eadc1b3 100644 ---- a/sshd.c -+++ b/sshd.c -@@ -2076,7 +2076,7 @@ main(int ac, char **av) +Index: openssh-8.8p1/sshd.c +=================================================================== +--- openssh-8.8p1.orig/sshd.c ++++ openssh-8.8p1/sshd.c +@@ -2129,7 +2129,7 @@ main(int ac, char **av) * Write out the pid file after the sigterm handler * is setup and the listen sockets are bound */ diff --git a/openssh-7.7p1-pam_check_locks.patch b/openssh-7.7p1-pam_check_locks.patch index c1f8847..a0480f7 100644 --- a/openssh-7.7p1-pam_check_locks.patch +++ b/openssh-7.7p1-pam_check_locks.patch @@ -5,10 +5,10 @@ UsePAM is used bnc#708678, FATE#312033 -Index: openssh-8.4p1/auth.c +Index: openssh-8.8p1/auth.c =================================================================== ---- openssh-8.4p1.orig/auth.c -+++ openssh-8.4p1/auth.c +--- openssh-8.8p1.orig/auth.c ++++ openssh-8.8p1/auth.c @@ -113,7 +113,7 @@ allowed_user(struct ssh *ssh, struct pas return 0; @@ -27,10 +27,10 @@ Index: openssh-8.4p1/auth.c int locked = 0; #ifdef LOCKED_PASSWD_STRING -Index: openssh-8.4p1/servconf.c +Index: openssh-8.8p1/servconf.c =================================================================== ---- openssh-8.4p1.orig/servconf.c -+++ openssh-8.4p1/servconf.c +--- openssh-8.8p1.orig/servconf.c ++++ openssh-8.8p1/servconf.c @@ -92,6 +92,7 @@ initialize_server_options(ServerOptions /* Portable-specific options */ @@ -39,7 +39,7 @@ Index: openssh-8.4p1/servconf.c /* Standard Options */ options->num_ports = 0; -@@ -300,6 +301,8 @@ fill_default_server_options(ServerOption +@@ -278,6 +279,8 @@ fill_default_server_options(ServerOption /* Portable-specific options */ if (options->use_pam == -1) options->use_pam = 0; 
@@ -48,7 +48,7 @@ Index: openssh-8.4p1/servconf.c /* Standard Options */ if (options->num_host_key_files == 0) { -@@ -501,7 +504,7 @@ fill_default_server_options(ServerOption +@@ -485,7 +488,7 @@ fill_default_server_options(ServerOption typedef enum { sBadOption, /* == unknown option */ /* Portable-specific options */ @@ -56,8 +56,8 @@ Index: openssh-8.4p1/servconf.c + sUsePAM, sUsePAMChecklocks, /* Standard Options */ sPort, sHostKeyFile, sLoginGraceTime, - sPermitRootLogin, sLogFacility, sLogLevel, -@@ -553,8 +556,10 @@ static struct { + sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, +@@ -535,8 +538,10 @@ static struct { /* Portable-specific options */ #ifdef USE_PAM { "usepam", sUsePAM, SSHCFG_GLOBAL }, @@ -68,7 +68,7 @@ Index: openssh-8.4p1/servconf.c #endif { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, /* Standard Options */ -@@ -1318,6 +1323,9 @@ process_server_config_line_depth(ServerO +@@ -1331,6 +1336,9 @@ process_server_config_line_depth(ServerO case sUsePAM: intptr = &options->use_pam; goto parse_flag; @@ -78,11 +78,11 @@ Index: openssh-8.4p1/servconf.c /* Standard Options */ case sBadOption: -Index: openssh-8.4p1/servconf.h +Index: openssh-8.8p1/servconf.h =================================================================== ---- openssh-8.4p1.orig/servconf.h -+++ openssh-8.4p1/servconf.h -@@ -195,6 +195,7 @@ typedef struct { +--- openssh-8.8p1.orig/servconf.h ++++ openssh-8.8p1/servconf.h +@@ -200,6 +200,7 @@ typedef struct { char *adm_forced_command; int use_pam; /* Enable auth via PAM */ 
@@ -90,11 +90,11 @@ Index: openssh-8.4p1/servconf.h int permit_tun; -Index: openssh-8.4p1/sshd_config.0 +Index: openssh-8.8p1/sshd_config.0 =================================================================== ---- openssh-8.4p1.orig/sshd_config.0 -+++ openssh-8.4p1/sshd_config.0 -@@ -1032,6 +1032,14 @@ DESCRIPTION +--- openssh-8.8p1.orig/sshd_config.0 ++++ openssh-8.8p1/sshd_config.0 +@@ -1074,6 +1074,14 @@ DESCRIPTION If UsePAM is enabled, you will not be able to run sshd(8) as a non-root user. The default is no. @@ -109,11 +109,11 @@ Index: openssh-8.4p1/sshd_config.0 VersionAddendum Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection. The default -Index: openssh-8.4p1/sshd_config.5 +Index: openssh-8.8p1/sshd_config.5 =================================================================== ---- openssh-8.4p1.orig/sshd_config.5 -+++ openssh-8.4p1/sshd_config.5 -@@ -1718,6 +1718,18 @@ is enabled, you will not be able to run +--- openssh-8.8p1.orig/sshd_config.5 ++++ openssh-8.8p1/sshd_config.5 +@@ -1775,6 +1775,18 @@ is enabled, you will not be able to run as a non-root user. The default is .Cm no . diff --git a/openssh-7.7p1-pts_names_formatting.patch b/openssh-7.7p1-pts_names_formatting.patch index 5d984e8..04ed646 100644 --- a/openssh-7.7p1-pts_names_formatting.patch +++ b/openssh-7.7p1-pts_names_formatting.patch 
@@ -4,15 +4,11 @@ # formats in ?tmp? files) # --used to be called '-pts' -diff --git a/openssh-7.7p1/loginrec.c b/openssh-7.7p1/loginrec.c ---- openssh-7.7p1/loginrec.c -+++ openssh-7.7p1/loginrec.c -@@ -541,17 +541,17 @@ getlast_entry(struct logininfo *li) - /* - * 'line' string utility functions - * - * These functions process the 'line' string into one of three forms: - * +Index: openssh-8.8p1/loginrec.c +=================================================================== +--- openssh-8.8p1.orig/loginrec.c ++++ openssh-8.8p1/loginrec.c +@@ -549,7 +549,7 @@ getlast_entry(struct logininfo *li) * 1. The full filename (including '/dev') * 2. The stripped name (excluding '/dev') * 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00 @@ -21,17 +17,7 @@ diff --git a/openssh-7.7p1/loginrec.c b/openssh-7.7p1/loginrec.c * * Form 3 is used on some systems to identify a .tmp.? entry when * attempting to remove it. Typically both addition and removal is - * performed by one application - say, sshd - so as long as the choice - * uniquely identifies a terminal it's ok. - */ - - -@@ -602,16 +602,20 @@ line_abbrevname(char *dst, const char *s - /* Always skip prefix if present */ - if (strncmp(src, "/dev/", 5) == 0) - src += 5; - - #ifdef WITH_ABBREV_NO_TTY +@@ -610,6 +610,10 @@ line_abbrevname(char *dst, const char *s if (strncmp(src, "tty", 3) == 0) src += 3; #endif @@ -42,8 +28,3 @@ diff --git a/openssh-7.7p1/loginrec.c b/openssh-7.7p1/loginrec.c len = strlen(src); - if (len > 0) { - if (((int)len - dstsize) > 0) - src += ((int)len - dstsize); - - /* note: _don't_ change this to strlcpy */ diff --git a/openssh-7.7p1-remove_xauth_cookies_on_exit.patch b/openssh-7.7p1-remove_xauth_cookies_on_exit.patch index 58d0f9d..d14bb6e 100644 --- a/openssh-7.7p1-remove_xauth_cookies_on_exit.patch +++ b/openssh-7.7p1-remove_xauth_cookies_on_exit.patch 
@@ -5,15 +5,11 @@ try to remove xauth cookies on logout bnc#98815 -diff --git a/openssh-7.7p1/session.c b/openssh-7.7p1/session.c ---- openssh-7.7p1/session.c -+++ openssh-7.7p1/session.c -@@ -2302,16 +2302,44 @@ session_close(struct ssh *ssh, Session * - u_int i; - - verbose("Close session: user %s from %.200s port %d id %d", - s->pw->pw_name, - ssh_remote_ipaddr(ssh), +Index: openssh-8.8p1/session.c +=================================================================== +--- openssh-8.8p1.orig/session.c ++++ openssh-8.8p1/session.c +@@ -2441,6 +2441,34 @@ session_close(struct ssh *ssh, Session * ssh_remote_port(ssh), s->self); @@ -48,8 +44,3 @@ diff --git a/openssh-7.7p1/session.c b/openssh-7.7p1/session.c if (s->ttyfd != -1) session_pty_cleanup(s); free(s->term); - free(s->display); - free(s->x11_chanids); - free(s->auth_display); - free(s->auth_data); - free(s->auth_proto); diff --git a/openssh-7.7p1-seccomp_ipc_flock.patch b/openssh-7.7p1-seccomp_ipc_flock.patch index 2191edb..8a3b545 100644 --- a/openssh-7.7p1-seccomp_ipc_flock.patch +++ b/openssh-7.7p1-seccomp_ipc_flock.patch @@ -15,11 +15,11 @@ this is only need on s390 architecture. Signed-off-by: Eduardo Barretto -Index: openssh-7.9p1/sandbox-seccomp-filter.c +Index: openssh-8.8p1/sandbox-seccomp-filter.c =================================================================== ---- openssh-7.9p1.orig/sandbox-seccomp-filter.c -+++ openssh-7.9p1/sandbox-seccomp-filter.c -@@ -175,6 +175,9 @@ static const struct sock_filter preauth_ +--- openssh-8.8p1.orig/sandbox-seccomp-filter.c ++++ openssh-8.8p1/sandbox-seccomp-filter.c +@@ -219,6 +219,9 @@ static const struct sock_filter preauth_ #ifdef __NR_geteuid32 SC_ALLOW(__NR_geteuid32), #endif 
@@ -29,7 +29,7 @@ Index: openssh-7.9p1/sandbox-seccomp-filter.c #ifdef __NR_getpgid SC_ALLOW(__NR_getpgid), #endif -@@ -193,6 +196,9 @@ static const struct sock_filter preauth_ +@@ -237,6 +240,9 @@ static const struct sock_filter preauth_ #ifdef __NR_getuid32 SC_ALLOW(__NR_getuid32), #endif diff --git a/openssh-7.7p1-seccomp_stat.patch b/openssh-7.7p1-seccomp_stat.patch index 2e0acff..ca85530 100644 --- a/openssh-7.7p1-seccomp_stat.patch +++ b/openssh-7.7p1-seccomp_stat.patch @@ -5,15 +5,11 @@ Allow the stat() syscall for OpenSSL re-seed patch bnc#912436 -diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-seccomp-filter.c ---- openssh-7.7p1/sandbox-seccomp-filter.c -+++ openssh-7.7p1/sandbox-seccomp-filter.c -@@ -224,16 +224,19 @@ static const struct sock_filter preauth_ - SC_ALLOW(__NR_select), - #endif - #ifdef __NR_shutdown - SC_ALLOW(__NR_shutdown), - #endif +Index: openssh-8.8p1/sandbox-seccomp-filter.c +=================================================================== +--- openssh-8.8p1.orig/sandbox-seccomp-filter.c ++++ openssh-8.8p1/sandbox-seccomp-filter.c +@@ -294,6 +294,9 @@ static const struct sock_filter preauth_ #ifdef __NR_sigprocmask SC_ALLOW(__NR_sigprocmask), #endif @@ -23,8 +19,3 @@ diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-secc #ifdef __NR_time SC_ALLOW(__NR_time), #endif - #ifdef __NR_write - SC_ALLOW(__NR_write), - #endif - #ifdef __NR_socketcall - SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN), diff --git a/openssh-7.7p1-send_locale.patch b/openssh-7.7p1-send_locale.patch index 10dcb46..4dd1c0a 100644 --- a/openssh-7.7p1-send_locale.patch +++ b/openssh-7.7p1-send_locale.patch 
@@ -3,15 +3,11 @@ send locales in default configuration bnc#65747 -diff --git a/openssh-7.7p1/ssh_config b/openssh-7.7p1/ssh_config ---- openssh-7.7p1/ssh_config -+++ openssh-7.7p1/ssh_config -@@ -26,16 +26,21 @@ Host * - # security reasons: Someone stealing the authentification data on the - # remote side (the "spoofed" X-server by the remote sshd) can read your - # keystrokes as you type, just like any other X11 client could do. - # Set this to "no" here for global effect or in your own ~/.ssh/config - # file if you want to have the remote X11 authentification data to +Index: openssh-8.8p1/ssh_config +=================================================================== +--- openssh-8.8p1.orig/ssh_config ++++ openssh-8.8p1/ssh_config +@@ -31,6 +31,11 @@ Host * # expire after twenty minutes after remote login. ForwardX11Trusted yes @@ -23,20 +19,11 @@ diff --git a/openssh-7.7p1/ssh_config b/openssh-7.7p1/ssh_config # PasswordAuthentication yes # HostbasedAuthentication no # GSSAPIAuthentication no - # GSSAPIDelegateCredentials no - # BatchMode no - # CheckHostIP yes - # AddressFamily any - # ConnectTimeout 0 -diff --git a/openssh-7.7p1/sshd_config b/openssh-7.7p1/sshd_config ---- openssh-7.7p1/sshd_config -+++ openssh-7.7p1/sshd_config -@@ -104,14 +104,19 @@ X11Forwarding yes - #VersionAddendum none - - # no default banner path - #Banner none - +Index: openssh-8.8p1/sshd_config +=================================================================== +--- openssh-8.8p1.orig/sshd_config ++++ openssh-8.8p1/sshd_config +@@ -108,6 +108,11 @@ X11Forwarding yes # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server @@ -48,6 +35,3 @@ diff --git a/openssh-7.7p1/sshd_config b/openssh-7.7p1/sshd_config # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no - # AllowTcpForwarding no - # PermitTTY no - # ForceCommand cvs server 
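Review bot: The five lines this rebased hunk adds to `sshd_config` after `Subsystem sftp` are not visible here, but the patch purpose ("send locales in default configuration") implies a server-side `AcceptEnv` for `LANG`/`LC_*`; those values are then client-controlled and exported into the session (PAM modules, the login shell, libc locale loading), which is an attack surface that a distribution default should call out. I would add above the directive `# Values accepted here are supplied by the client; keep this list minimal.` so administrators do not widen it casually. Whether the added lines are exactly an `AcceptEnv` block is inferred from the patch header, not shown in the hunk.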
diff --git a/openssh-7.7p1-sftp_force_permissions.patch b/openssh-7.7p1-sftp_force_permissions.patch index 8e0cce8..db48829 100644 --- a/openssh-7.7p1-sftp_force_permissions.patch +++ b/openssh-7.7p1-sftp_force_permissions.patch @@ -1,7 +1,7 @@ -Index: openssh-8.4p1/sftp-server.8 +Index: openssh-8.8p1/sftp-server.8 =================================================================== ---- openssh-8.4p1.orig/sftp-server.8 -+++ openssh-8.4p1/sftp-server.8 +--- openssh-8.8p1.orig/sftp-server.8 ++++ openssh-8.8p1/sftp-server.8 @@ -38,6 +38,7 @@ .Op Fl P Ar denied_requests .Op Fl p Ar allowed_requests @@ -21,11 +21,11 @@ Index: openssh-8.4p1/sftp-server.8 .El .Pp On some systems, -Index: openssh-8.4p1/sftp-server.c +Index: openssh-8.8p1/sftp-server.c =================================================================== ---- openssh-8.4p1.orig/sftp-server.c -+++ openssh-8.4p1/sftp-server.c -@@ -69,6 +69,10 @@ struct sshbuf *oqueue; +--- openssh-8.8p1.orig/sftp-server.c ++++ openssh-8.8p1/sftp-server.c +@@ -73,6 +73,10 @@ struct sshbuf *oqueue; /* Version of client */ static u_int version; @@ -36,7 +36,7 @@ Index: openssh-8.4p1/sftp-server.c /* SSH2_FXP_INIT received */ static int init_done; -@@ -687,6 +691,7 @@ process_open(u_int32_t id) +@@ -724,6 +728,7 @@ process_open(u_int32_t id) Attrib a; char *name; int r, handle, fd, flags, mode, status = SSH2_FX_FAILURE; @@ -44,7 +44,7 @@ Index: openssh-8.4p1/sftp-server.c if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 || (r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */ -@@ -696,6 +701,10 @@ process_open(u_int32_t id) +@@ -733,6 +738,10 @@ process_open(u_int32_t id) debug3("request %u: open flags %d", id, pflags); flags = flags_from_portable(pflags); mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666; 
@@ -55,7 +55,7 @@ Index: openssh-8.4p1/sftp-server.c logit("open \"%s\" flags %s mode 0%o", name, string_from_portable(pflags), mode); if (readonly && -@@ -717,6 +726,8 @@ process_open(u_int32_t id) +@@ -754,6 +763,8 @@ process_open(u_int32_t id) } } } @@ -64,7 +64,7 @@ Index: openssh-8.4p1/sftp-server.c if (status != SSH2_FX_OK) send_status(id, status); free(name); -@@ -1131,6 +1142,7 @@ process_mkdir(u_int32_t id) +@@ -1183,6 +1194,7 @@ process_mkdir(u_int32_t id) Attrib a; char *name; int r, mode, status = SSH2_FX_FAILURE; @@ -72,7 +72,7 @@ Index: openssh-8.4p1/sftp-server.c if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 || (r = decode_attrib(iqueue, &a)) != 0) -@@ -1138,9 +1150,16 @@ process_mkdir(u_int32_t id) +@@ -1190,9 +1202,16 @@ process_mkdir(u_int32_t id) mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm & 07777 : 0777; @@ -89,7 +89,7 @@ Index: openssh-8.4p1/sftp-server.c status = (r == -1) ? errno_to_portable(errno) : SSH2_FX_OK; send_status(id, status); free(name); -@@ -1560,7 +1579,7 @@ sftp_server_usage(void) +@@ -1700,7 +1719,7 @@ sftp_server_usage(void) fprintf(stderr, "usage: %s [-ehR] [-d start_directory] [-f log_facility] " "[-l log_level]\n\t[-P denied_requests] " @@ -98,7 +98,7 @@ Index: openssh-8.4p1/sftp-server.c " %s -Q protocol_feature\n", __progname, __progname); exit(1); -@@ -1588,7 +1607,7 @@ sftp_server_main(int argc, char **argv, +@@ -1728,7 +1747,7 @@ sftp_server_main(int argc, char **argv, pw = pwcopy(user_pw); while (!skipargs && (ch = getopt(argc, argv, @@ -107,7 +107,7 @@ Index: openssh-8.4p1/sftp-server.c switch (ch) { case 'Q': if (strcasecmp(optarg, "requests") != 0) { -@@ -1650,6 +1669,15 @@ sftp_server_main(int argc, char **argv, +@@ -1790,6 +1809,15 @@ sftp_server_main(int argc, char **argv, fatal("Invalid umask \"%s\"", optarg); (void)umask((mode_t)mask); break; diff --git a/openssh-7.7p1-sftp_print_diagnostic_messages.patch b/openssh-7.7p1-sftp_print_diagnostic_messages.patch index f3706c4..b6a1ed1 100644 
--- a/openssh-7.7p1-sftp_print_diagnostic_messages.patch +++ b/openssh-7.7p1-sftp_print_diagnostic_messages.patch @@ -2,10 +2,10 @@ # Parent 60bdbe6dd8d6bc011883472363d56e1d97f68835 Put back sftp client diagnostic messages in batch mode -Index: openssh-8.4p1/sftp.1 +Index: openssh-8.8p1/sftp.1 =================================================================== ---- openssh-8.4p1.orig/sftp.1 -+++ openssh-8.4p1/sftp.1 +--- openssh-8.8p1.orig/sftp.1 ++++ openssh-8.8p1/sftp.1 @@ -287,6 +287,9 @@ Specifies the port to connect to on the .It Fl p Preserves modification times, access times, and modes from the @@ -16,12 +16,12 @@ Index: openssh-8.4p1/sftp.1 .It Fl q Quiet mode: disables the progress meter as well as warning and diagnostic messages from -Index: openssh-8.4p1/sftp.c +Index: openssh-8.8p1/sftp.c =================================================================== ---- openssh-8.4p1.orig/sftp.c -+++ openssh-8.4p1/sftp.c -@@ -85,6 +85,9 @@ static volatile pid_t sshpid = -1; - /* Suppress diagnositic messages */ +--- openssh-8.8p1.orig/sftp.c ++++ openssh-8.8p1/sftp.c +@@ -82,6 +82,9 @@ static volatile pid_t sshpid = -1; + /* Suppress diagnostic messages */ int quiet = 0; +/* Force diagnositic messages in batch mode */ @@ -30,7 +30,7 @@ Index: openssh-8.4p1/sftp.c /* This is set to 0 if the progressmeter is not desired. */ int showprogress = 1; -@@ -2408,7 +2411,7 @@ main(int argc, char **argv) +@@ -2381,7 +2384,7 @@ main(int argc, char **argv) infile = stdin; while ((ch = getopt(argc, argv, @@ -39,7 +39,7 @@ Index: openssh-8.4p1/sftp.c switch (ch) { /* Passed through to ssh(1) */ case 'A': -@@ -2426,6 +2429,9 @@ main(int argc, char **argv) +@@ -2399,6 +2402,9 @@ main(int argc, char **argv) addargs(&args, "-%c", ch); addargs(&args, "%s", optarg); break; @@ -49,7 +49,7 @@ Index: openssh-8.4p1/sftp.c case 'q': ll = SYSLOG_LEVEL_ERROR; quiet = 1; -@@ -2510,6 +2516,8 @@ main(int argc, char **argv) +@@ -2483,6 +2489,8 @@ main(int argc, char **argv) usage(); } } 
diff --git a/openssh-7.7p1-systemd-notify.patch b/openssh-7.7p1-systemd-notify.patch index 5ae8b30..354fc4c 100644 --- a/openssh-7.7p1-systemd-notify.patch +++ b/openssh-7.7p1-systemd-notify.patch @@ -3,11 +3,11 @@ Send signals to systemd to prevent various race conditions bsc#1048367 -Index: openssh-7.8p1/configure.ac +Index: openssh-8.8p1/configure.ac =================================================================== ---- openssh-7.8p1.orig/configure.ac -+++ openssh-7.8p1/configure.ac -@@ -4378,6 +4378,30 @@ AC_ARG_WITH([kerberos5], +--- openssh-8.8p1.orig/configure.ac ++++ openssh-8.8p1/configure.ac +@@ -4751,6 +4751,30 @@ AC_ARG_WITH([kerberos5], AC_SUBST([GSSLIBS]) AC_SUBST([K5LIBS]) @@ -38,7 +38,7 @@ Index: openssh-7.8p1/configure.ac # Looking for programs, paths and files PRIVSEP_PATH=/var/empty -@@ -5183,6 +5207,7 @@ echo " libldns support +@@ -5564,6 +5588,7 @@ echo " libldns support echo " Solaris process contract support: $SPC_MSG" echo " Solaris project support: $SP_MSG" echo " Solaris privilege support: $SPP_MSG" @@ -46,11 +46,11 @@ Index: openssh-7.8p1/configure.ac echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" echo " BSD Auth support: $BSD_AUTH_MSG" -Index: openssh-7.8p1/sshd.c +Index: openssh-8.8p1/sshd.c =================================================================== ---- openssh-7.8p1.orig/sshd.c -+++ openssh-7.8p1/sshd.c -@@ -87,6 +87,10 @@ +--- openssh-8.8p1.orig/sshd.c ++++ openssh-8.8p1/sshd.c +@@ -85,6 +85,10 @@ #include #endif @@ -72,7 +72,7 @@ Index: openssh-7.8p1/sshd.c logit("Received SIGHUP; restarting."); if (options.pid_file != NULL) unlink(options.pid_file); -@@ -1995,6 +2003,11 @@ main(int ac, char **av) +@@ -2076,6 +2084,11 @@ main(int ac, char **av) } } diff --git a/openssh-7.9p1-keygen-preserve-perms.patch b/openssh-7.9p1-keygen-preserve-perms.patch index a32eff9..8c2cb07 100644 --- a/openssh-7.9p1-keygen-preserve-perms.patch 
+++ b/openssh-7.9p1-keygen-preserve-perms.patch @@ -8,11 +8,11 @@ Date: Fri Sep 27 01:57:16 2019 +0200 just going with what mkstemp() gives us. This is useful in corner cases where known_hosts is shared between users. -diff --git a/ssh-keygen.c b/ssh-keygen.c -index 03a7fe5..ca8a309 100644 ---- a/ssh-keygen.c -+++ b/ssh-keygen.c -@@ -1338,6 +1338,11 @@ do_known_hosts(struct passwd *pw, const char *name) +Index: openssh-8.8p1/ssh-keygen.c +=================================================================== +--- openssh-8.8p1.orig/ssh-keygen.c ++++ openssh-8.8p1/ssh-keygen.c +@@ -1384,6 +1384,11 @@ do_known_hosts(struct passwd *pw, const if (inplace) unlink(tmp); } else if (inplace) { @@ -24,7 +24,7 @@ index 03a7fe5..ca8a309 100644 /* Backup existing file */ if (unlink(old) == -1 && errno != ENOENT) fatal("unlink %.100s: %s", old, strerror(errno)); -@@ -1352,6 +1357,12 @@ do_known_hosts(struct passwd *pw, const char *name) +@@ -1398,6 +1403,12 @@ do_known_hosts(struct passwd *pw, const unlink(old); exit(1); } diff --git a/openssh-7.9p1-revert-new-qos-defaults.patch b/openssh-7.9p1-revert-new-qos-defaults.patch index db6ca6c..0a989b9 100644 --- a/openssh-7.9p1-revert-new-qos-defaults.patch +++ b/openssh-7.9p1-revert-new-qos-defaults.patch @@ -6,11 +6,11 @@ Date: Thu Jun 20 23:54:11 2019 +0200 Reverts OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181 -diff --git a/readconf.c b/readconf.c -index 24f2cb1..bbdea0d 100644 ---- a/readconf.c -+++ b/readconf.c -@@ -2183,9 +2183,9 @@ fill_default_options(Options * options) +Index: openssh-8.8p1/readconf.c +=================================================================== +--- openssh-8.8p1.orig/readconf.c ++++ openssh-8.8p1/readconf.c +@@ -2679,9 +2679,9 @@ fill_default_options(Options * options) if (options->visual_host_key == -1) options->visual_host_key = 0; if (options->ip_qos_interactive == -1) 
@@ -21,12 +21,12 @@ index 24f2cb1..bbdea0d 100644 + options->ip_qos_bulk = IPTOS_THROUGHPUT; if (options->request_tty == -1) options->request_tty = REQUEST_TTY_AUTO; - if (options->proxy_use_fdpass == -1) -diff --git a/servconf.c b/servconf.c -index 13cf154..766ac6b 100644 ---- a/servconf.c -+++ b/servconf.c -@@ -445,9 +445,9 @@ fill_default_server_options(ServerOptions *options) + if (options->session_type == -1) +Index: openssh-8.8p1/servconf.c +=================================================================== +--- openssh-8.8p1.orig/servconf.c ++++ openssh-8.8p1/servconf.c +@@ -459,9 +459,9 @@ fill_default_server_options(ServerOption if (options->permit_tun == -1) options->permit_tun = SSH_TUNMODE_NO; if (options->ip_qos_interactive == -1) @@ -38,11 +38,11 @@ index 13cf154..766ac6b 100644 if (options->version_addendum == NULL) options->version_addendum = xstrdup(""); if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) -diff --git a/ssh_config.5 b/ssh_config.5 -index 3bf0502..10246f8 100644 ---- a/ssh_config.5 -+++ b/ssh_config.5 -@@ -1088,11 +1088,9 @@ If one argument is specified, it is used as the packet class unconditionally. +Index: openssh-8.8p1/ssh_config.5 +=================================================================== +--- openssh-8.8p1.orig/ssh_config.5 ++++ openssh-8.8p1/ssh_config.5 +@@ -1182,11 +1182,9 @@ If one argument is specified, it is used If two values are specified, the first is automatically selected for interactive sessions and the second for non-interactive sessions. The default is 
@@ -56,11 +56,11 @@ index 3bf0502..10246f8 100644 for non-interactive sessions. .It Cm KbdInteractiveAuthentication Specifies whether to use keyboard-interactive authentication. -diff --git a/sshd_config.5 b/sshd_config.5 -index 50a4917..a276fcb 100644 ---- a/sshd_config.5 -+++ b/sshd_config.5 -@@ -868,11 +868,9 @@ If one argument is specified, it is used as the packet class unconditionally. +Index: openssh-8.8p1/sshd_config.5 +=================================================================== +--- openssh-8.8p1.orig/sshd_config.5 ++++ openssh-8.8p1/sshd_config.5 +@@ -903,11 +903,9 @@ If one argument is specified, it is used If two values are specified, the first is automatically selected for interactive sessions and the second for non-interactive sessions. The default is diff --git a/openssh-8.0p1-gssapi-keyex.patch b/openssh-8.0p1-gssapi-keyex.patch index 1f74989..e26ff2f 100644 --- a/openssh-8.0p1-gssapi-keyex.patch +++ b/openssh-8.0p1-gssapi-keyex.patch 
@@ -1,29 +1,29 @@ -diff --git a/Makefile.in b/Makefile.in -index 9eab827..9d3f569 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -113,6 +113,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ +Index: openssh-8.8p1/Makefile.in +=================================================================== +--- openssh-8.8p1.orig/Makefile.in ++++ openssh-8.8p1/Makefile.in +@@ -112,6 +112,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ kexgexc.o kexgexs.o \ - sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \ + kexsntrup761x25519.o sntrup761.o kexgen.o \ + kexgssc.o \ sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \ sshbuf-io.o -@@ -131,7 +132,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \ +@@ -130,7 +131,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ auth2-none.o auth2-passwd.o auth2-pubkey.o \ monitor.o monitor_wrap.o auth-krb5.o \ - auth2-gss.o gss-serv.o gss-serv-krb5.o \ + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ - sftp-server.o sftp-common.o \ + srclimit.o sftp-server.o sftp-common.o \ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ -diff --git a/auth.c b/auth.c -index 0a2dd3a..779a1af 100644 ---- a/auth.c -+++ b/auth.c -@@ -400,7 +400,8 @@ auth_root_allowed(struct ssh *ssh, const char *method) +Index: openssh-8.8p1/auth.c +=================================================================== +--- openssh-8.8p1.orig/auth.c ++++ openssh-8.8p1/auth.c +@@ -402,7 +402,8 @@ auth_root_allowed(struct ssh *ssh, const case PERMIT_NO_PASSWD: if (strcmp(method, "publickey") == 0 || strcmp(method, "hostbased") == 0 || 
@@ -33,18 +33,15 @@ index 0a2dd3a..779a1af 100644 return 1; break; case PERMIT_FORCED_ONLY: -@@ -724,99 +725,6 @@ fakepw(void) - return (&fake); +@@ -730,97 +731,6 @@ fakepw(void) } --/* + /* - * Returns the remote DNS hostname as a string. The returned string must not - * be freed. NB. this will usually trigger a DNS query the first time it is - * called. - * This function does additional checks on the hostname to mitigate some -- * attacks on legacy rhosts-style authentication. -- * XXX is RhostsRSAAuthentication vulnerable to these? -- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) +- * attacks on based on conflation of hostnames and IP addresses. - */ - -static char * @@ -130,15 +127,16 @@ index 0a2dd3a..779a1af 100644 - return xstrdup(name); -} - - /* +-/* * Return the canonical name of the host in the other side of the current * connection. The host name is cached, so it is efficient to call this -diff --git a/auth2-gss.c b/auth2-gss.c -index 9351e04..d6446c0 100644 ---- a/auth2-gss.c -+++ b/auth2-gss.c + * several times. +Index: openssh-8.8p1/auth2-gss.c +=================================================================== +--- openssh-8.8p1.orig/auth2-gss.c ++++ openssh-8.8p1/auth2-gss.c @@ -1,7 +1,7 @@ - /* $OpenBSD: auth2-gss.c,v 1.29 2018/07/31 03:10:27 djm Exp $ */ + /* $OpenBSD: auth2-gss.c,v 1.32 2021/01/27 10:15:08 djm Exp $ */ /* - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 
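Review bot: The rebased auth.c hunk now removes the whole `remote_hostname()` block together with upstream's shortened comment ("additional checks on the hostname to mitigate some attacks based on conflation of hostnames and IP addresses"), while the relocated copy in canohost.c (the `@@ -35,6 +35,99 @@` hunk further down this patch) is not touched by the rebase and keeps its old size, so it presumably still carries the two stale `XXX ... RhostsRSAAuthentication` comment lines that upstream has since dropped here and should be re-synced with the 8.8 body of the function. Please confirm that the moved copy still performs the reverse-then-forward DNS cross-check, since that is the anti-spoofing property the comment refers to and canohost.c's body is outside this view. The removed function and the following comment run past the visible lines of the hunk.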
@@ -146,11 +144,10 @@ index 9351e04..d6446c0 100644 * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions -@@ -54,6 +54,48 @@ static int input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh); - static int input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh); +@@ -56,6 +56,48 @@ static int input_gssapi_exchange_complet static int input_gssapi_errtok(int, u_int32_t, struct ssh *); -+/* + /* + * The 'gssapi_keyex' userauth mechanism. + */ +static int @@ -174,7 +171,7 @@ index 9351e04..d6446c0 100644 + mic.length = len; + + ssh_gssapi_buildmic(b, authctxt->user, authctxt->service, -+ "gssapi-keyex"); ++ "gssapi-keyex", ssh->kex->session_id); + + if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL) + fatal("%s: sshbuf_mutable_ptr failed", __func__); @@ -192,12 +189,13 @@ index 9351e04..d6446c0 100644 + return (authenticated); +} + - /* ++/* * We only support those mechanisms that we know about (ie ones that we know * how to check local user kuserok and the like) -@@ -260,7 +302,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh) + */ +@@ -261,7 +303,8 @@ input_gssapi_exchange_complete(int type, if ((r = sshpkt_get_end(ssh)) != 0) - fatal("%s: %s", __func__, ssh_err(r)); + fatal_fr(r, "parse packet"); - authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); + authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, @@ -205,7 +203,7 @@ index 9351e04..d6446c0 100644 if ((!use_privsep || mm_is_monitor()) && (displayname = ssh_gssapi_displayname()) != NULL) -@@ -306,7 +349,8 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh) +@@ -307,7 +350,8 @@ input_gssapi_mic(int type, u_int32_t ple gssbuf.length = sshbuf_len(b); if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) 
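Review bot: The new `userauth_gssapi_keyex` still reports failure with the pre-8.8 idiom `fatal("%s: sshbuf_mutable_ptr failed", __func__)` while the context in the `input_gssapi_exchange_complete` hunk below shows the file now uses `fatal_fr(r, "parse packet")`; for consistency with 8.8p1 write `fatal_f("sshbuf_mutable_ptr failed");`. Passing `ssh->kex->session_id` to `ssh_gssapi_buildmic` is the right adaptation to the sshbuf-based session id, but a one-line comment such as `/* MIC binds user, service and method to this session's id (RFC 4462 sec. 4) */` above the call would tell a reader why the session id is part of the signed blob. The function starts before and continues after the visible lines.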
@@ -215,7 +213,7 @@ index 9351e04..d6446c0 100644 else logit("GSSAPI MIC check failed"); -@@ -326,6 +370,12 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh) +@@ -327,6 +371,12 @@ input_gssapi_mic(int type, u_int32_t ple return 0; } @@ -228,11 +226,11 @@ index 9351e04..d6446c0 100644 Authmethod method_gssapi = { "gssapi-with-mic", userauth_gssapi, -diff --git a/auth2.c b/auth2.c -index 91aaf34..a4a5e00 100644 ---- a/auth2.c -+++ b/auth2.c -@@ -73,6 +73,7 @@ extern Authmethod method_passwd; +Index: openssh-8.8p1/auth2.c +=================================================================== +--- openssh-8.8p1.orig/auth2.c ++++ openssh-8.8p1/auth2.c +@@ -71,6 +71,7 @@ extern Authmethod method_passwd; extern Authmethod method_kbdint; extern Authmethod method_hostbased; #ifdef GSSAPI @@ -240,7 +238,7 @@ index 91aaf34..a4a5e00 100644 extern Authmethod method_gssapi; #endif -@@ -80,6 +81,7 @@ Authmethod *authmethods[] = { +@@ -78,6 +79,7 @@ Authmethod *authmethods[] = { &method_none, &method_pubkey, #ifdef GSSAPI @@ -248,10 +246,10 @@ index 91aaf34..a4a5e00 100644 &method_gssapi, #endif &method_passwd, -diff --git a/canohost.c b/canohost.c -index abea9c6..8e81b51 100644 ---- a/canohost.c -+++ b/canohost.c +Index: openssh-8.8p1/canohost.c +=================================================================== +--- openssh-8.8p1.orig/canohost.c ++++ openssh-8.8p1/canohost.c @@ -35,6 +35,99 @@ #include "canohost.h" #include "misc.h" @@ -352,10 +350,10 @@ index abea9c6..8e81b51 100644 void ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len) { -diff --git a/canohost.h b/canohost.h -index 26d6285..0cadc9f 100644 ---- a/canohost.h -+++ b/canohost.h +Index: openssh-8.8p1/canohost.h +=================================================================== +--- openssh-8.8p1.orig/canohost.h ++++ openssh-8.8p1/canohost.h @@ -15,6 +15,9 @@ #ifndef _CANOHOST_H #define _CANOHOST_H 
@@ -366,10 +364,10 @@ index 26d6285..0cadc9f 100644 char *get_peer_ipaddr(int); int get_peer_port(int); char *get_local_ipaddr(int); -diff --git a/clientloop.c b/clientloop.c -index da396c7..42ace77 100644 ---- a/clientloop.c -+++ b/clientloop.c +Index: openssh-8.8p1/clientloop.c +=================================================================== +--- openssh-8.8p1.orig/clientloop.c ++++ openssh-8.8p1/clientloop.c @@ -112,6 +112,10 @@ #include "ssherr.h" #include "hostfile.h" @@ -381,7 +379,7 @@ index da396c7..42ace77 100644 /* import options */ extern Options options; -@@ -1361,9 +1365,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, +@@ -1343,9 +1347,18 @@ client_loop(struct ssh *ssh, int have_pt break; /* Do channel operations unless rekeying in progress. */ @@ -401,11 +399,11 @@ index da396c7..42ace77 100644 /* Buffer input from the connection. */ client_process_net_input(ssh, readset); -diff --git a/configure.ac b/configure.ac -index 82aafe3..8a0e791 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -676,6 +676,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) +Index: openssh-8.8p1/configure.ac +=================================================================== +--- openssh-8.8p1.orig/configure.ac ++++ openssh-8.8p1/configure.ac +@@ -709,6 +709,30 @@ main() { if (NSVersionOfRunTimeLibrary(" [Use tunnel device compatibility to OpenBSD]) AC_DEFINE([SSH_TUN_PREPEND_AF], [1], [Prepend the address family to IP tunnel traffic]) @@ -436,12 +434,12 @@ index 82aafe3..8a0e791 100644 m4_pattern_allow([AU_IPv]) AC_CHECK_DECL([AU_IPv4], [], AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) -diff --git a/gss-genr.c b/gss-genr.c -index d56257b..3eaa5fa 100644 ---- a/gss-genr.c -+++ b/gss-genr.c +Index: openssh-8.8p1/gss-genr.c +=================================================================== +--- openssh-8.8p1.orig/gss-genr.c ++++ openssh-8.8p1/gss-genr.c 
@@ -1,7 +1,7 @@ - /* $OpenBSD: gss-genr.c,v 1.26 2018/07/10 09:13:30 djm Exp $ */ + /* $OpenBSD: gss-genr.c,v 1.28 2021/01/27 10:05:28 djm Exp $ */ /* - * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. @@ -449,21 +447,18 @@ index d56257b..3eaa5fa 100644 * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions -@@ -41,12 +41,36 @@ - #include "sshbuf.h" +@@ -42,8 +42,34 @@ #include "log.h" #include "ssh2.h" + +#include "cipher.h" +#include "sshkey.h" +#include "kex.h" +#include "digest.h" +#include "packet.h" - ++ #include "ssh-gss.h" - extern u_char *session_id2; - extern u_int session_id2_len; - +typedef struct { + char *encoded; + gss_OID oid; @@ -479,14 +474,15 @@ index d56257b..3eaa5fa 100644 +static ssh_gss_kex_mapping *gss_enc2oid = NULL; + +int -+ssh_gssapi_oid_table_ok(void) { ++ssh_gssapi_oid_table_ok(void) ++{ + return (gss_enc2oid != NULL); +} + /* sshbuf_get for gss_buffer_desc */ int ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g) -@@ -62,6 +86,161 @@ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g) +@@ -59,6 +85,161 @@ ssh_gssapi_get_buffer_desc(struct sshbuf return 0; } @@ -648,7 +644,7 @@ index d56257b..3eaa5fa 100644 /* Check that the OID in a data stream matches that in the context */ int ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) -@@ -218,7 +397,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok, +@@ -215,7 +396,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de } ctx->major = gss_init_sec_context(&ctx->minor, 
@@ -657,11 +653,10 @@ index d56257b..3eaa5fa 100644 GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, 0, NULL, recv_tok, NULL, send_tok, flags, NULL); -@@ -247,9 +426,43 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host) - return (ctx->major); +@@ -245,8 +426,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con } -+OM_uint32 + OM_uint32 +ssh_gssapi_client_identity(Gssctxt *ctx, const char *name) +{ + gss_buffer_desc gssbuf; @@ -692,7 +687,7 @@ index d56257b..3eaa5fa 100644 + return(ctx->major); +} + - OM_uint32 ++OM_uint32 ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) { + if (ctx == NULL) @@ -701,7 +696,7 @@ index d56257b..3eaa5fa 100644 if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, GSS_C_QOP_DEFAULT, buffer, hash))) ssh_gssapi_error(ctx); -@@ -257,6 +470,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) +@@ -254,6 +469,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer return (ctx->major); } @@ -720,8 +715,8 @@ index d56257b..3eaa5fa 100644 + void ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service, - const char *context) -@@ -273,11 +499,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service, + const char *context, const struct sshbuf *session_id) +@@ -270,11 +498,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, co } int @@ -739,7 +734,7 @@ index d56257b..3eaa5fa 100644 /* RFC 4462 says we MUST NOT do SPNEGO */ if (oid->length == spnego_oid.length && -@@ -287,6 +518,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) +@@ -284,6 +517,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx ssh_gssapi_build_ctx(ctx); ssh_gssapi_set_oid(*ctx, oid); major = ssh_gssapi_import_name(*ctx, host); 
@@ -750,7 +745,7 @@ index d56257b..3eaa5fa 100644 if (!GSS_ERROR(major)) { major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, NULL); -@@ -296,10 +531,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) +@@ -293,10 +530,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx GSS_C_NO_BUFFER); } @@ -818,10 +813,10 @@ index d56257b..3eaa5fa 100644 +} + #endif /* GSSAPI */ -diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c -index a151bc1..8d2b677 100644 ---- a/gss-serv-krb5.c -+++ b/gss-serv-krb5.c +Index: openssh-8.8p1/gss-serv-krb5.c +=================================================================== +--- openssh-8.8p1.orig/gss-serv-krb5.c ++++ openssh-8.8p1/gss-serv-krb5.c @@ -1,7 +1,7 @@ /* $OpenBSD: gss-serv-krb5.c,v 1.9 2018/07/09 21:37:55 markus Exp $ */ @@ -831,7 +826,7 @@ index a151bc1..8d2b677 100644 * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions -@@ -120,7 +120,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) +@@ -120,7 +120,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl krb5_error_code problem; krb5_principal princ; OM_uint32 maj_status, min_status; @@ -840,7 +835,7 @@ index a151bc1..8d2b677 100644 const char *errmsg; if (client->creds == NULL) { -@@ -180,11 +180,26 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) +@@ -180,11 +180,26 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl return; } @@ -871,7 +866,7 @@ index a151bc1..8d2b677 100644 #ifdef USE_PAM if (options.use_pam) -@@ -193,9 +208,76 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) +@@ -193,9 +208,76 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl krb5_cc_close(krb_context, ccache); 
@@ -958,10 +953,10 @@ index a151bc1..8d2b677 100644 }; #endif /* KRB5 */ -diff --git a/gss-serv.c b/gss-serv.c -index b5d4bb2..d8010dd 100644 ---- a/gss-serv.c -+++ b/gss-serv.c +Index: openssh-8.8p1/gss-serv.c +=================================================================== +--- openssh-8.8p1.orig/gss-serv.c ++++ openssh-8.8p1/gss-serv.c @@ -1,7 +1,7 @@ /* $OpenBSD: gss-serv.c,v 1.32 2020/03/13 03:17:07 djm Exp $ */ @@ -994,11 +989,10 @@ index b5d4bb2..d8010dd 100644 #ifdef KRB5 extern ssh_gssapi_mech gssapi_kerberos_mech; -@@ -140,6 +142,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) - return (ssh_gssapi_acquire_cred(*ctx)); +@@ -141,6 +143,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss } -+/* Unprivileged */ + /* Unprivileged */ +char * +ssh_gssapi_server_mechanisms(void) { + if (supported_oids == NULL) @@ -1021,10 +1015,11 @@ index b5d4bb2..d8010dd 100644 + return (res); +} + - /* Unprivileged */ ++/* Unprivileged */ void ssh_gssapi_supported_oids(gss_OID_set *oidset) -@@ -150,7 +175,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset) + { +@@ -150,7 +175,9 @@ ssh_gssapi_supported_oids(gss_OID_set *o gss_OID_set supported; gss_create_empty_oid_set(&min_status, oidset); @@ -1057,8 +1052,7 @@ index b5d4bb2..d8010dd 100644 + ssh_gssapi_error(ctx); + return (ctx->major); + } - -- gss_buffer_desc ename; ++ + ctx->major = gss_compare_name(&ctx->minor, client->name, + new_name, &equal); + @@ -1071,7 +1065,8 @@ index b5d4bb2..d8010dd 100644 + debug("Rekeyed credentials have different name"); + return GSS_S_COMPLETE; + } -+ + +- gss_buffer_desc ename; + debug("Marking rekeyed credentials for export"); + + gss_release_name(&ctx->minor, &client->name); @@ -1085,7 +1080,7 @@ index b5d4bb2..d8010dd 100644 client->mech = NULL; -@@ -292,6 +359,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) +@@ -292,6 +359,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g if (client->mech == NULL) return GSS_S_FAILURE; 
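Review bot: In the rekeyed-credential update path of gss-serv.c, a principal-name mismatch after `gss_compare_name()` only emits `debug("Rekeyed credentials have different name")` and then `return GSS_S_COMPLETE`; declining to replace the stored credentials is the safe choice, but reporting success at debug level makes a client that re-keys as a different principal invisible in normal logs, so raise that message to `logit()` (or at least `verbose()`), ideally naming both principals. Separately, the new `ssh_gssapi_server_mechanisms(void) {` puts the opening brace on the signature line, which this same commit corrected for `ssh_gssapi_oid_table_ok` in gss-genr.c; move it to its own line for KNF consistency. The `if (!equal)` test and the start of the enclosing function are outside the visible lines.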
@@ -1099,7 +1094,7 @@ index b5d4bb2..d8010dd 100644 if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, &client->displayname, NULL))) { ssh_gssapi_error(ctx); -@@ -309,6 +383,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) +@@ -309,6 +383,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g return (ctx->major); } @@ -1108,7 +1103,7 @@ index b5d4bb2..d8010dd 100644 /* We can't copy this structure, so we just move the pointer to it */ client->creds = ctx->client_creds; ctx->client_creds = GSS_C_NO_CREDENTIAL; -@@ -319,11 +395,20 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) +@@ -319,11 +395,20 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g void ssh_gssapi_cleanup_creds(void) { @@ -1134,7 +1129,7 @@ index b5d4bb2..d8010dd 100644 } } -@@ -356,19 +441,23 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep) +@@ -356,19 +441,23 @@ ssh_gssapi_do_child(char ***envp, u_int /* Privileged */ int @@ -1258,10 +1253,10 @@ index b5d4bb2..d8010dd 100644 } /* Privileged */ -diff --git a/kex.c b/kex.c -index 53f7ff8..fbb8e4f 100644 ---- a/kex.c -+++ b/kex.c +Index: openssh-8.8p1/kex.c +=================================================================== +--- openssh-8.8p1.orig/kex.c ++++ openssh-8.8p1/kex.c @@ -57,11 +57,16 @@ #include "misc.h" #include "dispatch.h" @@ -1279,7 +1274,7 @@ index 53f7ff8..fbb8e4f 100644 #include "fips.h" /* prototype */ -@@ -117,6 +122,19 @@ static const struct kexalg kexalgs_all[] = { +@@ -119,6 +124,19 @@ static const struct kexalg kexalgs_all[] #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ { NULL, 0, -1, -1}, }; @@ -1299,7 +1294,7 @@ index 53f7ff8..fbb8e4f 100644 static const struct kexalg kexalgs_fips140_2[] = { #ifdef WITH_OPENSSL -@@ -144,12 +162,12 @@ static const struct kexalg kexalgs_fips140_2[] = { +@@ -146,12 +164,12 @@ static const struct kexalg kexalgs_fips1 /* Returns array of macs available depending on selected FIPS mode */ static const struct kexalg * 
@@ -1314,7 +1309,7 @@ index 53f7ff8..fbb8e4f 100644 case 1: return kexalgs_fips140_2; default: -@@ -160,13 +178,13 @@ fips_select_kexalgs(void) +@@ -162,13 +180,13 @@ fips_select_kexalgs(void) } char * @@ -1330,7 +1325,7 @@ index 53f7ff8..fbb8e4f 100644 if (ret != NULL) ret[rlen++] = sep; nlen = strlen(k->name); -@@ -181,15 +199,31 @@ kex_alg_list(char sep) +@@ -183,15 +201,31 @@ kex_alg_list(char sep) return ret; } @@ -1363,7 +1358,7 @@ index 53f7ff8..fbb8e4f 100644 return NULL; } -@@ -361,6 +395,29 @@ kex_assemble_names(char **listp, const char *def, const char *all) +@@ -363,6 +397,29 @@ kex_assemble_names(char **listp, const c return r; } @@ -1393,24 +1388,24 @@ index 53f7ff8..fbb8e4f 100644 /* put algorithm proposal into buffer */ int kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) -@@ -743,6 +800,9 @@ kex_free(struct kex *kex) +@@ -745,6 +802,9 @@ kex_free(struct kex *kex) sshbuf_free(kex->server_version); sshbuf_free(kex->client_pub); - free(kex->session_id); + sshbuf_free(kex->session_id); +#ifdef GSSAPI + free(kex->gss_host); +#endif /* GSSAPI */ free(kex->failed_choice); free(kex->hostkey_alg); free(kex->name); -diff --git a/kex.h b/kex.h -index a5ae6ac..4dc48fd 100644 ---- a/kex.h -+++ b/kex.h +Index: openssh-8.8p1/kex.h +=================================================================== +--- openssh-8.8p1.orig/kex.h ++++ openssh-8.8p1/kex.h @@ -102,6 +102,15 @@ enum kex_exchange { KEX_ECDH_SHA2, KEX_C25519_SHA256, - KEX_KEM_SNTRUP4591761X25519_SHA512, + KEX_KEM_SNTRUP761X25519_SHA512, +#ifdef GSSAPI + KEX_GSS_GRP1_SHA1, + KEX_GSS_GRP14_SHA1, @@ -1423,7 +1418,7 @@ index a5ae6ac..4dc48fd 100644 KEX_MAX }; -@@ -153,6 +162,12 @@ struct kex { +@@ -152,6 +161,12 @@ struct kex { u_int flags; int hash_alg; int ec_nid; 
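Review bot: The rebased `enum kex_exchange` still registers `KEX_GSS_GRP1_SHA1` and `KEX_GSS_GRP14_SHA1` (1024-bit group1 and group14, both with SHA-1) next to the SHA-256 variants; upstream 8.8 no longer offers `diffie-hellman-group1-sha1` by default, so the GSS equivalents should likewise stay out of the default proposal and only be reachable through explicit `GSSAPIKexAlgorithms` configuration. The kex.c hunks just above show a `kexalgs_fips140_2[]` table chosen by `fips_select_kexalgs()`, but whether the GSS SHA-1 methods are excluded when FIPS mode is active is not visible here and should be confirmed; a comment above the GSS entries such as `/* SHA-1 GSS groups: legacy only, never in the default or FIPS proposal */` would document the intent either way. The enum is complete within the hunk, but the table mapping these values to algorithm names lives elsewhere in the patch.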
@@ -1436,7 +1431,7 @@ index a5ae6ac..4dc48fd 100644 char *failed_choice; int (*verify_host_key)(struct sshkey *, struct ssh *); struct sshkey *(*load_host_public_key)(int, int, struct ssh *); -@@ -174,8 +189,10 @@ struct kex { +@@ -173,8 +188,10 @@ struct kex { int kex_names_valid(const char *); char *kex_alg_list(char); @@ -1460,7 +1455,7 @@ index a5ae6ac..4dc48fd 100644 int kex_dh_keypair(struct kex *); int kex_dh_enc(struct kex *, const struct sshbuf *, struct sshbuf **, -@@ -234,6 +257,12 @@ int kexgex_hash(int, const struct sshbuf *, const struct sshbuf *, +@@ -234,6 +257,12 @@ int kexgex_hash(int, const struct sshbu const BIGNUM *, const u_char *, size_t, u_char *, size_t *); @@ -1473,11 +1468,11 @@ index a5ae6ac..4dc48fd 100644 void kexc25519_keygen(u_char key[CURVE25519_SIZE], u_char pub[CURVE25519_SIZE]) __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE))) __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE))); -diff --git a/kexdh.c b/kexdh.c -index 67133e3..edaa467 100644 ---- a/kexdh.c -+++ b/kexdh.c -@@ -48,13 +48,23 @@ kex_dh_keygen(struct kex *kex) +Index: openssh-8.8p1/kexdh.c +=================================================================== +--- openssh-8.8p1.orig/kexdh.c ++++ openssh-8.8p1/kexdh.c +@@ -49,13 +49,23 @@ kex_dh_keygen(struct kex *kex) { switch (kex->kex_type) { case KEX_DH_GRP1_SHA1: @@ -1501,10 +1496,10 @@ index 67133e3..edaa467 100644 kex->dh = dh_new_group16(); break; case KEX_DH_GRP18_SHA512: -diff --git a/kexgen.c b/kexgen.c -index 69348b9..c0e8c2f 100644 ---- a/kexgen.c -+++ b/kexgen.c +Index: openssh-8.8p1/kexgen.c +=================================================================== +--- openssh-8.8p1.orig/kexgen.c ++++ openssh-8.8p1/kexgen.c @@ -44,7 +44,7 @@ static int input_kex_gen_init(int, u_int32_t, struct ssh *); static int input_kex_gen_reply(int type, u_int32_t seq, struct ssh *ssh); 
@@ -1514,11 +1509,10 @@ index 69348b9..c0e8c2f 100644 kex_gen_hash( int hash_alg, const struct sshbuf *client_version, -diff --git a/kexgssc.c b/kexgssc.c -new file mode 100644 -index 0000000..0b2f6a5 +Index: openssh-8.8p1/kexgssc.c +=================================================================== --- /dev/null -+++ b/kexgssc.c ++++ openssh-8.8p1/kexgssc.c @@ -0,0 +1,595 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. @@ -2087,9 +2081,9 @@ index 0000000..0b2f6a5 + + /* save session id */ + if (kex->session_id == NULL) { -+ kex->session_id_len = hashlen; -+ kex->session_id = xmalloc(kex->session_id_len); -+ memcpy(kex->session_id, hash, kex->session_id_len); ++ kex->session_id = sshbuf_new (); ++ if ((r = sshbuf_put(kex->session_id, hash, hashlen)) != 0) ++ goto out; + } + + if (kex->gss_deleg_creds) @@ -2115,11 +2109,10 @@ index 0000000..0b2f6a5 + return r; +} +#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */ -diff --git a/kexgsss.c b/kexgsss.c -new file mode 100644 -index 0000000..60bc02d +Index: openssh-8.8p1/kexgsss.c +=================================================================== --- /dev/null -+++ b/kexgsss.c ++++ openssh-8.8p1/kexgsss.c @@ -0,0 +1,474 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. 
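Review bot: The new session-id save in kexgssc.c hands the result of `sshbuf_new()` straight to `sshbuf_put()` with no NULL check, so an allocation failure becomes a NULL dereference instead of an error return; write `if ((kex->session_id = sshbuf_new()) == NULL) { r = SSH_ERR_ALLOC_FAIL; goto out; }` ahead of the `sshbuf_put` call (and drop the space in `sshbuf_new ()`). Since 8.8 turned `kex->session_id` into an sshbuf that `kex_free` releases (see the kex.c hunk earlier on this page), it is also worth checking whether `kex_new()` already allocates it and `kex_derive_keys()` records the hash on the initial exchange — if so, the `kex->session_id == NULL` branch is dead and the block can go. The enclosing function continues past the hunk, and the server-side counterpart in kexgsss.c is not visible here.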
@@ -2595,11 +2588,11 @@ index 0000000..60bc02d + return r; +} +#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */ -diff --git a/monitor.c b/monitor.c -index b6e855d..cf775e5 100644 ---- a/monitor.c -+++ b/monitor.c -@@ -148,6 +148,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *); +Index: openssh-8.8p1/monitor.c +=================================================================== +--- openssh-8.8p1.orig/monitor.c ++++ openssh-8.8p1/monitor.c +@@ -145,6 +145,8 @@ int mm_answer_gss_setup_ctx(struct ssh * int mm_answer_gss_accept_ctx(struct ssh *, int, struct sshbuf *); int mm_answer_gss_userok(struct ssh *, int, struct sshbuf *); int mm_answer_gss_checkmic(struct ssh *, int, struct sshbuf *); @@ -2608,7 +2601,7 @@ index b6e855d..cf775e5 100644 #endif #ifdef SSH_AUDIT_EVENTS -@@ -220,11 +222,18 @@ struct mon_table mon_dispatch_proto20[] = { +@@ -217,11 +219,18 @@ struct mon_table mon_dispatch_proto20[] {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx}, {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok}, {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic}, @@ -2627,7 +2620,7 @@ index b6e855d..cf775e5 100644 #ifdef WITH_OPENSSL {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, #endif -@@ -293,6 +302,10 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor) +@@ -290,6 +299,10 @@ monitor_child_preauth(struct ssh *ssh, s /* Permit requests for moduli and signatures */ monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); @@ -2638,7 +2631,7 @@ index b6e855d..cf775e5 100644 /* The first few requests do not require asynchronous access */ while (!authenticated) { -@@ -406,6 +419,10 @@ monitor_child_postauth(struct ssh *ssh, struct monitor *pmonitor) +@@ -401,6 +414,10 @@ monitor_child_postauth(struct ssh *ssh, monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 
@@ -2649,9 +2642,9 @@ index b6e855d..cf775e5 100644 if (auth_opts->permit_pty_flag) { monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); -@@ -1712,6 +1729,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor) +@@ -1730,6 +1747,17 @@ monitor_apply_keystate(struct ssh *ssh, # ifdef OPENSSL_HAS_ECC - kex->kex[KEX_ECDH_SHA2] = kex_gen_server; + kex->kex[KEX_ECDH_SHA2] = kex_gen_server; # endif +# ifdef GSSAPI + if (options.gss_keyex) { 
@@ -2665,31 +2658,31 @@ index b6e855d..cf775e5 100644 + } +# endif #endif /* WITH_OPENSSL */ - kex->kex[KEX_C25519_SHA256] = kex_gen_server; - kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server; -@@ -1805,8 +1833,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m) + kex->kex[KEX_C25519_SHA256] = kex_gen_server; + kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server; +@@ -1822,8 +1850,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, u_char *p; int r; - if (!options.gss_authentication) -- fatal("%s: GSSAPI authentication not enabled", __func__); +- fatal_f("GSSAPI authentication not enabled"); + if (!options.gss_authentication && !options.gss_keyex) -+ fatal("%s: GSSAPI not enabled", __func__); ++ fatal_f("GSSAPI not enabled"); if ((r = sshbuf_get_string(m, &p, &len)) != 0) - fatal("%s: buffer error: %s", __func__, ssh_err(r)); -@@ -1838,8 +1866,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) + fatal_fr(r, "parse"); +@@ -1855,8 +1883,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh OM_uint32 flags = 0; /* GSI needs this */ int r; - if (!options.gss_authentication) -- fatal("%s: GSSAPI authentication not enabled", __func__); +- fatal_f("GSSAPI authentication not enabled"); + if (!options.gss_authentication && !options.gss_keyex) -+ fatal("%s: GSSAPI not enabled", __func__); ++ fatal_f("GSSAPI not enabled"); if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0) - fatal("%s: buffer error: %s", __func__, ssh_err(r)); -@@ -1859,6 +1887,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) + fatal_fr(r, "ssh_gssapi_get_buffer_desc"); +@@ -1876,6 +1904,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 
@@ -2697,18 +2690,18 @@ index b6e855d..cf775e5 100644 } return (0); } -@@ -1870,8 +1899,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m) +@@ -1887,8 +1916,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, OM_uint32 ret; int r; - if (!options.gss_authentication) -- fatal("%s: GSSAPI authentication not enabled", __func__); +- fatal_f("GSSAPI authentication not enabled"); + if (!options.gss_authentication && !options.gss_keyex) -+ fatal("%s: GSSAPI not enabled", __func__); ++ fatal_f("GSSAPI not enabled"); if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 || (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0) -@@ -1897,13 +1926,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m) +@@ -1914,13 +1943,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) { @@ -2717,9 +2710,9 @@ index b6e855d..cf775e5 100644 const char *displayname; - if (!options.gss_authentication) -- fatal("%s: GSSAPI authentication not enabled", __func__); +- fatal_f("GSSAPI authentication not enabled"); + if (!options.gss_authentication && !options.gss_keyex) -+ fatal("%s: GSSAPI not enabled", __func__); ++ fatal_f("GSSAPI not enabled"); - authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user); + if ((r = sshbuf_get_u32(m, &kex)) != 0) @@ -2730,8 +2723,8 @@ index b6e855d..cf775e5 100644 sshbuf_reset(m); if ((r = sshbuf_put_u32(m, authenticated)) != 0) -@@ -1912,7 +1945,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) - debug3("%s: sending result %d", __func__, authenticated); +@@ -1929,7 +1962,11 @@ mm_answer_gss_userok(struct ssh *ssh, in + debug3_f("sending result %d", authenticated); mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m); - auth_method = "gssapi-with-mic"; 
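Review bot: In the `mm_answer_gss_userok` hunk `@@ -2717,9 +2710,9 @@`, the `kex` flag that distinguishes the gssapi-keyex outcome from gssapi-with-mic is read from the unprivileged child's request with `sshbuf_get_u32(m, &kex)`, and nothing visible in the hunk compares it with the monitor's own record of whether a GSSAPI key exchange actually took place. The monitor is the privilege boundary here, so that value should be treated as untrusted input and confirmed from monitor-side state before it influences the authentication decision; the lines that consume `kex` fall outside the hunk, so such a check may exist there. A comment at the read would make the trust decision explicit: `/* kex is asserted by the unprivileged child; confirm against monitor state before use */`.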
@@ -2743,7 +2736,7 @@ index b6e855d..cf775e5 100644 if ((displayname = ssh_gssapi_displayname()) != NULL) auth2_record_info(authctxt, "%s", displayname); -@@ -1920,5 +1957,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) +@@ -1937,5 +1974,85 @@ mm_answer_gss_userok(struct ssh *ssh, in /* Monitor loop will terminate if authenticated */ return (authenticated); } @@ -2829,10 +2822,10 @@ index b6e855d..cf775e5 100644 + #endif /* GSSAPI */ -diff --git a/monitor.h b/monitor.h -index 683e5e0..2b1a2d5 100644 ---- a/monitor.h -+++ b/monitor.h +Index: openssh-8.8p1/monitor.h +=================================================================== +--- openssh-8.8p1.orig/monitor.h ++++ openssh-8.8p1/monitor.h @@ -63,6 +63,8 @@ enum monitor_reqtype { MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111, MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113, @@ -2842,11 +2835,11 @@ index 683e5e0..2b1a2d5 100644 }; struct ssh; -diff --git a/monitor_wrap.c b/monitor_wrap.c -index 001a8fa..6edb509 100644 ---- a/monitor_wrap.c -+++ b/monitor_wrap.c -@@ -993,13 +993,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) +Index: openssh-8.8p1/monitor_wrap.c +=================================================================== +--- openssh-8.8p1.orig/monitor_wrap.c ++++ openssh-8.8p1/monitor_wrap.c +@@ -999,13 +999,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss } int 
@@ -2857,14 +2850,14 @@ index 001a8fa..6edb509 100644 int r, authenticated = 0; if ((m = sshbuf_new()) == NULL) - fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed"); + if ((r = sshbuf_put_u32(m, kex)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m); mm_request_receive_expect(pmonitor->m_recvfd, -@@ -1012,4 +1014,57 @@ mm_ssh_gssapi_userok(char *user) - debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); +@@ -1018,4 +1020,57 @@ mm_ssh_gssapi_userok(char *user) + debug3_f("user %sauthenticated", authenticated ? "" : "not "); return (authenticated); } + @@ -2921,11 +2914,11 @@ index 001a8fa..6edb509 100644 +} + #endif /* GSSAPI */ -diff --git a/monitor_wrap.h b/monitor_wrap.h -index 23ab096..485590c 100644 ---- a/monitor_wrap.h -+++ b/monitor_wrap.h -@@ -64,8 +64,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t, +Index: openssh-8.8p1/monitor_wrap.h +=================================================================== +--- openssh-8.8p1.orig/monitor_wrap.h ++++ openssh-8.8p1/monitor_wrap.h +@@ -65,8 +65,10 @@ int mm_sshkey_verify(const struct sshkey OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); @@ -2937,10 +2930,10 @@ index 23ab096..485590c 100644 #endif #ifdef USE_PAM -diff --git a/readconf.c b/readconf.c -index 408a80c..d37658a 100644 ---- a/readconf.c -+++ b/readconf.c +Index: openssh-8.8p1/readconf.c +=================================================================== +--- openssh-8.8p1.orig/readconf.c ++++ openssh-8.8p1/readconf.c @@ -67,6 +67,7 @@ #include "uidswap.h" #include "myproposal.h" 
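Review bot: The patch's own added line in the monitor_wrap.c hunk `@@ -2857,14 +2850,14 @@`, `fatal("%s: buffer error: %s", __func__, ssh_err(r));`, keeps the pre-8.8 logging form immediately after the rebased context line that was switched to `fatal_f("sshbuf_new failed");`, so the function now mixes both styles. The same holds for `fatal("%s: sshbuf_new failed", __func__);` and `fatal("%s: sshbuf_mutable_ptr failed", __func__);` in the sshconnect2.c hunk `@@ -3704,7 +3697,7 @@`, and for `debug3("%s: no hostkeys", __func__);` in the sshd.c hunk `@@ -3732,22 +3725,22 @@`, where the neighbouring upstream line already reads `debug3_f("sent %u hostkeys", nkeys);`. Suggest `fatal_fr(r, "buffer error");`, `fatal_f("sshbuf_new failed");` / `fatal_f("sshbuf_mutable_ptr failed");` and `debug3_f("no hostkeys");` respectively, matching the `fatal_fr(r, "parse")` and `fatal_f(...)` forms present in the 8.8 context on this page. Each of these functions continues outside its hunk.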
@@ -2949,7 +2942,7 @@ index 408a80c..d37658a 100644 #include "fips.h" -@@ -162,6 +163,8 @@ typedef enum { +@@ -163,6 +164,8 @@ typedef enum { oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oAddressFamily, oGssAuthentication, oGssDelegateCreds, @@ -2958,7 +2951,7 @@ index 408a80c..d37658a 100644 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist, oHashKnownHosts, -@@ -206,10 +209,22 @@ static struct { +@@ -208,10 +211,22 @@ static struct { /* Sometimes-unsupported options */ #if defined(GSSAPI) { "gssapiauthentication", oGssAuthentication }, @@ -2981,7 +2974,7 @@ index 408a80c..d37658a 100644 #endif #ifdef ENABLE_PKCS11 { "pkcs11provider", oPKCS11Provider }, -@@ -1055,10 +1070,42 @@ parse_time: +@@ -1115,10 +1130,42 @@ parse_time: intptr = &options->gss_authentication; goto parse_flag; @@ -3010,7 +3003,7 @@ index 408a80c..d37658a 100644 + goto parse_flag; + + case oGssKexAlgorithms: -+ arg = strdelim(&s); ++ arg = argv_next(&ac, &av); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing argument.", + filename, linenum); @@ -3024,9 +3017,9 @@ index 408a80c..d37658a 100644 case oBatchMode: intptr = &options->batch_mode; goto parse_flag; -@@ -1954,7 +2001,13 @@ initialize_options(Options * options) +@@ -2352,7 +2399,13 @@ initialize_options(Options * options) + options->fwd_opts.streamlocal_bind_unlink = -1; options->pubkey_authentication = -1; - options->challenge_response_authentication = -1; options->gss_authentication = -1; + options->gss_keyex = -1; options->gss_deleg_creds = -1; 
@@ -3038,8 +3031,8 @@ index 408a80c..d37658a 100644 options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; -@@ -2102,8 +2155,18 @@ fill_default_options(Options * options) - options->challenge_response_authentication = 1; +@@ -2509,8 +2562,18 @@ fill_default_options(Options * options) + options->pubkey_authentication = 1; if (options->gss_authentication == -1) options->gss_authentication = 0; + if (options->gss_keyex == -1) @@ -3057,7 +3050,7 @@ index 408a80c..d37658a 100644 if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -@@ -2751,7 +2814,14 @@ dump_client_config(Options *o, const char *host) +@@ -3306,7 +3369,14 @@ dump_client_config(Options *o, const cha dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports); #ifdef GSSAPI dump_cfg_fmtint(oGssAuthentication, o->gss_authentication); @@ -3072,13 +3065,13 @@ index 408a80c..d37658a 100644 #endif /* GSSAPI */ dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts); dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication); -diff --git a/readconf.h b/readconf.h -index ef18d5c..c0d797e 100644 ---- a/readconf.h -+++ b/readconf.h -@@ -41,7 +41,13 @@ typedef struct { - int challenge_response_authentication; - /* Try S/Key or TIS, authentication. */ +Index: openssh-8.8p1/readconf.h +=================================================================== +--- openssh-8.8p1.orig/readconf.h ++++ openssh-8.8p1/readconf.h +@@ -39,7 +39,13 @@ typedef struct { + int pubkey_authentication; /* Try ssh2 pubkey authentication. */ + int hostbased_authentication; /* ssh2's rhosts_rsa */ int gss_authentication; /* Try GSS authentication */ + int gss_keyex; /* Try GSS key exchange */ int gss_deleg_creds; /* Delegate GSS credentials */ 
@@ -3090,11 +3083,11 @@ index ef18d5c..c0d797e 100644 int password_authentication; /* Try password * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ -diff --git a/servconf.c b/servconf.c -index 8a9db25..18b70b6 100644 ---- a/servconf.c -+++ b/servconf.c -@@ -69,6 +69,7 @@ +Index: openssh-8.8p1/servconf.c +=================================================================== +--- openssh-8.8p1.orig/servconf.c ++++ openssh-8.8p1/servconf.c +@@ -70,6 +70,7 @@ #include "auth.h" #include "myproposal.h" #include "digest.h" @@ -3102,7 +3095,7 @@ index 8a9db25..18b70b6 100644 #include "fips.h" static void add_listen_addr(ServerOptions *, const char *, -@@ -135,8 +136,11 @@ initialize_server_options(ServerOptions *options) +@@ -138,8 +139,11 @@ initialize_server_options(ServerOptions options->kerberos_ticket_cleanup = -1; options->kerberos_get_afs_token = -1; options->gss_authentication=-1; @@ -3113,8 +3106,8 @@ index 8a9db25..18b70b6 100644 + options->gss_kex_algorithms = NULL; options->password_authentication = -1; options->kbd_interactive_authentication = -1; - options->challenge_response_authentication = -1; -@@ -398,10 +402,18 @@ fill_default_server_options(ServerOptions *options) + options->permit_empty_passwd = -1; +@@ -379,10 +383,18 @@ fill_default_server_options(ServerOption options->kerberos_get_afs_token = 0; if (options->gss_authentication == -1) options->gss_authentication = 0; 
@@ -3133,15 +3126,15 @@ index 8a9db25..18b70b6 100644 if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -@@ -556,6 +568,7 @@ typedef enum { - sHostKeyAlgorithms, +@@ -530,6 +542,7 @@ typedef enum { + sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, + sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey, sAcceptEnv, sSetEnv, sPermitTunnel, sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, -@@ -634,12 +647,22 @@ static struct { +@@ -613,12 +626,22 @@ static struct { #ifdef GSSAPI { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, @@ -3163,8 +3156,8 @@ index 8a9db25..18b70b6 100644 + { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL }, { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, - { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, -@@ -1585,6 +1608,10 @@ process_server_config_line_depth(ServerOptions *options, char *line, + { "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */ +@@ -1605,6 +1628,10 @@ process_server_config_line_depth(ServerO intptr = &options->gss_authentication; goto parse_flag; @@ -3175,7 +3168,7 @@ index 8a9db25..18b70b6 100644 case sGssCleanupCreds: intptr = &options->gss_cleanup_creds; goto parse_flag; -@@ -1593,6 +1620,22 @@ process_server_config_line_depth(ServerOptions *options, char *line, +@@ -1613,6 +1640,22 @@ process_server_config_line_depth(ServerO intptr = &options->gss_strict_acceptor; goto parse_flag; 
@@ -3184,7 +3177,7 @@ index 8a9db25..18b70b6 100644 + goto parse_flag; + + case sGssKexAlgorithms: -+ arg = strdelim(&cp); ++ arg = argv_next(&ac, &av); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing argument.", + filename, linenum); @@ -3198,7 +3191,7 @@ index 8a9db25..18b70b6 100644 case sPasswordAuthentication: intptr = &options->password_authentication; goto parse_flag; -@@ -2821,6 +2864,10 @@ dump_config(ServerOptions *o) +@@ -2921,6 +2964,10 @@ dump_config(ServerOptions *o) #ifdef GSSAPI dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); @@ -3209,11 +3202,11 @@ index 8a9db25..18b70b6 100644 #endif dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); dump_cfg_fmtint(sKbdInteractiveAuthentication, -diff --git a/servconf.h b/servconf.h -index d24d459..45665df 100644 ---- a/servconf.h -+++ b/servconf.h -@@ -137,8 +137,11 @@ typedef struct { +Index: openssh-8.8p1/servconf.h +=================================================================== +--- openssh-8.8p1.orig/servconf.h ++++ openssh-8.8p1/servconf.h +@@ -141,8 +141,11 @@ typedef struct { int kerberos_get_afs_token; /* If true, try to get AFS token if * authenticated with Kerberos. */ int gss_authentication; /* If true, permit GSSAPI authentication */ @@ -3225,11 +3218,11 @@ index d24d459..45665df 100644 int password_authentication; /* If true, permit password * authentication. */ int kbd_interactive_authentication; /* If true, permit */ -diff --git a/session.c b/session.c -index 501bbdf..530aa26 100644 ---- a/session.c -+++ b/session.c -@@ -2717,13 +2717,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt) +Index: openssh-8.8p1/session.c +=================================================================== +--- openssh-8.8p1.orig/session.c ++++ openssh-8.8p1/session.c +@@ -2709,13 +2709,19 @@ do_cleanup(struct ssh *ssh, Authctxt *au #ifdef KRB5 if (options.kerberos_ticket_cleanup && 
@@ -3251,12 +3244,12 @@ index 501bbdf..530aa26 100644 #endif /* remove agent socket */ -diff --git a/ssh-gss.h b/ssh-gss.h -index 36180d0..70dd366 100644 ---- a/ssh-gss.h -+++ b/ssh-gss.h +Index: openssh-8.8p1/ssh-gss.h +=================================================================== +--- openssh-8.8p1.orig/ssh-gss.h ++++ openssh-8.8p1/ssh-gss.h @@ -1,6 +1,6 @@ - /* $OpenBSD: ssh-gss.h,v 1.14 2018/07/10 09:13:30 djm Exp $ */ + /* $OpenBSD: ssh-gss.h,v 1.15 2021/01/27 10:05:28 djm Exp $ */ /* - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. @@ -3327,7 +3320,7 @@ index 36180d0..70dd366 100644 int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); -@@ -109,6 +134,7 @@ OM_uint32 ssh_gssapi_test_oid_supported(OM_uint32 *, gss_OID, int *); +@@ -109,6 +134,7 @@ OM_uint32 ssh_gssapi_test_oid_supported( struct sshbuf; int ssh_gssapi_get_buffer_desc(struct sshbuf *, gss_buffer_desc *); @@ -3338,7 +3331,7 @@ index 36180d0..70dd366 100644 @@ -123,17 +149,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **); OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); void ssh_gssapi_buildmic(struct sshbuf *, const char *, - const char *, const char *); + const char *, const char *, const struct sshbuf *); -int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *); +int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *); +OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *); @@ -3355,7 +3348,7 @@ index 36180d0..70dd366 100644 + const char *); OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID); -int ssh_gssapi_userok(char *name); -+int ssh_gssapi_userok(char *name, struct passwd *, int kex); ++int ssh_gssapi_userok(char *, struct passwd *, int kex); OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t); void ssh_gssapi_do_child(char ***, u_int *); void ssh_gssapi_cleanup_creds(void); 
@@ -3371,11 +3364,11 @@ index 36180d0..70dd366 100644 #endif /* GSSAPI */ #endif /* _SSH_GSS_H */ -diff --git a/ssh.1 b/ssh.1 -index dce5f40..7a3ba31 100644 ---- a/ssh.1 -+++ b/ssh.1 -@@ -506,7 +506,13 @@ For full details of the options listed below, and their possible values, see +Index: openssh-8.8p1/ssh.1 +=================================================================== +--- openssh-8.8p1.orig/ssh.1 ++++ openssh-8.8p1/ssh.1 +@@ -530,7 +530,13 @@ For full details of the options listed b .It GatewayPorts .It GlobalKnownHostsFile .It GSSAPIAuthentication @@ -3388,8 +3381,8 @@ index dce5f40..7a3ba31 100644 +.It GSSAPITrustDns .It HashKnownHosts .It Host - .It HostbasedAuthentication -@@ -582,6 +588,8 @@ flag), + .It HostbasedAcceptedAlgorithms +@@ -607,6 +613,8 @@ flag), (supported message integrity codes), .Ar kex (key exchange algorithms), @@ -3398,11 +3391,11 @@ index dce5f40..7a3ba31 100644 .Ar key (key types), .Ar key-cert -diff --git a/ssh.c b/ssh.c -index dce28fd..c99e0e4 100644 ---- a/ssh.c -+++ b/ssh.c -@@ -779,6 +779,8 @@ main(int ac, char **av) +Index: openssh-8.8p1/ssh.c +=================================================================== +--- openssh-8.8p1.orig/ssh.c ++++ openssh-8.8p1/ssh.c +@@ -781,6 +781,8 @@ main(int ac, char **av) else if (strcmp(optarg, "kex") == 0 || strcasecmp(optarg, "KexAlgorithms") == 0) cp = kex_alg_list('\n'); @@ -3411,7 +3404,7 @@ index dce28fd..c99e0e4 100644 else if (strcmp(optarg, "key") == 0) cp = sshkey_alg_list(0, 0, 0, '\n'); else if (strcmp(optarg, "key-cert") == 0) -@@ -803,7 +805,7 @@ main(int ac, char **av) +@@ -807,7 +809,7 @@ main(int ac, char **av) cp[n] = '\n'; } else if (strcmp(optarg, "help") == 0) { cp = xstrdup( 
@@ -3420,10 +3413,10 @@ index dce28fd..c99e0e4 100644 "key\nkey-cert\nkey-plain\nkey-sig\nmac\n" "protocol-version\nsig"); } -diff --git a/ssh_config b/ssh_config -index 3a00f4d..a798a43 100644 ---- a/ssh_config -+++ b/ssh_config +Index: openssh-8.8p1/ssh_config +=================================================================== +--- openssh-8.8p1.orig/ssh_config ++++ openssh-8.8p1/ssh_config @@ -40,6 +40,8 @@ Host * # HostbasedAuthentication no # GSSAPIAuthentication no @@ -3433,11 +3426,11 @@ index 3a00f4d..a798a43 100644 # BatchMode no # CheckHostIP yes # AddressFamily any -diff --git a/ssh_config.5 b/ssh_config.5 -index f6c3bdc..30c22e5 100644 ---- a/ssh_config.5 -+++ b/ssh_config.5 -@@ -768,10 +768,67 @@ The default is +Index: openssh-8.8p1/ssh_config.5 +=================================================================== +--- openssh-8.8p1.orig/ssh_config.5 ++++ openssh-8.8p1/ssh_config.5 +@@ -835,10 +835,67 @@ The default is Specifies whether user authentication based on GSSAPI is allowed. The default is .Cm no . @@ -3505,11 +3498,11 @@ index f6c3bdc..30c22e5 100644 .It Cm HashKnownHosts Indicates that .Xr ssh 1 -diff --git a/sshconnect2.c b/sshconnect2.c -index 1a6545e..b970198 100644 ---- a/sshconnect2.c -+++ b/sshconnect2.c -@@ -80,8 +80,6 @@ +Index: openssh-8.8p1/sshconnect2.c +=================================================================== +--- openssh-8.8p1.orig/sshconnect2.c ++++ openssh-8.8p1/sshconnect2.c +@@ -81,8 +81,6 @@ #endif /* import */ @@ -3518,7 +3511,7 @@ index 1a6545e..b970198 100644 extern Options options; /* -@@ -163,6 +161,11 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) +@@ -220,6 +218,11 @@ ssh_kex2(struct ssh *ssh, char *host, st char *s, *all_key; int r, use_known_hosts_order = 0; 
@@ -3529,9 +3522,9 @@ index 1a6545e..b970198 100644 + xxx_host = host; xxx_hostaddr = hostaddr; - -@@ -206,6 +209,35 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) - compat_pkalg_proposal(options.hostkeyalgorithms); + xxx_conn_info = cinfo; +@@ -264,6 +267,35 @@ ssh_kex2(struct ssh *ssh, char *host, st + compat_pkalg_proposal(ssh, options.hostkeyalgorithms); } +#if defined(GSSAPI) && defined(WITH_OPENSSL) @@ -3566,7 +3559,7 @@ index 1a6545e..b970198 100644 if (options.rekey_limit || options.rekey_interval) ssh_packet_set_rekey_limits(ssh, options.rekey_limit, options.rekey_interval); -@@ -224,16 +256,46 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) +@@ -282,16 +314,46 @@ ssh_kex2(struct ssh *ssh, char *host, st # ifdef OPENSSL_HAS_ECC ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client; # endif @@ -3584,7 +3577,7 @@ index 1a6545e..b970198 100644 +# endif +#endif /* WITH_OPENSSL */ ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client; - ssh->kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_client; + ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client; ssh->kex->verify_host_key=&verify_host_key_callback; +#if defined(GSSAPI) && defined(WITH_OPENSSL) @@ -3600,7 +3593,7 @@ index 1a6545e..b970198 100644 /* remove ext-info from the KEX proposals for rekeying */ myproposal[PROPOSAL_KEX_ALGS] = - compat_kex_proposal(options.kex_algorithms); + compat_kex_proposal(ssh, options.kex_algorithms); +#if defined(GSSAPI) && defined(WITH_OPENSSL) + /* repair myproposal after it was crumpled by the */ + /* ext-info removal above */ 
@@ -3612,9 +3605,9 @@ index 1a6545e..b970198 100644 + } +#endif if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0) - fatal("kex_prop2buf: %s", ssh_err(r)); + fatal_r(r, "kex_prop2buf"); -@@ -330,6 +392,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *); +@@ -385,6 +447,7 @@ static int input_gssapi_response(int typ static int input_gssapi_token(int type, u_int32_t, struct ssh *); static int input_gssapi_error(int, u_int32_t, struct ssh *); static int input_gssapi_errtok(int, u_int32_t, struct ssh *); @@ -3622,7 +3615,7 @@ index 1a6545e..b970198 100644 #endif void userauth(struct ssh *, char *); -@@ -346,6 +409,11 @@ static char *authmethods_get(void); +@@ -401,6 +464,11 @@ static char *authmethods_get(void); Authmethod authmethods[] = { #ifdef GSSAPI @@ -3634,7 +3627,7 @@ index 1a6545e..b970198 100644 {"gssapi-with-mic", userauth_gssapi, userauth_gssapi_cleanup, -@@ -716,12 +784,23 @@ userauth_gssapi(struct ssh *ssh) +@@ -776,12 +844,23 @@ userauth_gssapi(struct ssh *ssh) OM_uint32 min; int r, ok = 0; gss_OID mech = NULL; @@ -3659,7 +3652,7 @@ index 1a6545e..b970198 100644 /* Check to see whether the mechanism is usable before we offer it */ while (authctxt->mech_tried < authctxt->gss_supported_mechs->count && -@@ -730,13 +809,15 @@ userauth_gssapi(struct ssh *ssh) +@@ -790,13 +869,15 @@ userauth_gssapi(struct ssh *ssh) elements[authctxt->mech_tried]; /* My DER encoding requires length<128 */ if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt, @@ -3676,7 +3669,7 @@ index 1a6545e..b970198 100644 if (!ok || mech == NULL) return 0; -@@ -976,6 +1057,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh) +@@ -1037,6 +1118,55 @@ input_gssapi_error(int type, u_int32_t p free(lang); return r; } 
@@ -3704,7 +3697,7 @@ index 1a6545e..b970198 100644 + fatal("%s: sshbuf_new failed", __func__); + + ssh_gssapi_buildmic(b, authctxt->server_user, authctxt->service, -+ "gssapi-keyex"); ++ "gssapi-keyex", ssh->kex->session_id); + + if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL) + fatal("%s: sshbuf_mutable_ptr failed", __func__); @@ -3732,22 +3725,22 @@ index 1a6545e..b970198 100644 #endif /* GSSAPI */ static int -diff --git a/sshd.c b/sshd.c -index 1a09e7b..7d23232 100644 ---- a/sshd.c -+++ b/sshd.c -@@ -826,8 +826,8 @@ notify_hostkeys(struct ssh *ssh) +Index: openssh-8.8p1/sshd.c +=================================================================== +--- openssh-8.8p1.orig/sshd.c ++++ openssh-8.8p1/sshd.c +@@ -817,8 +817,8 @@ notify_hostkeys(struct ssh *ssh) } - debug3("%s: sent %u hostkeys", __func__, nkeys); + debug3_f("sent %u hostkeys", nkeys); if (nkeys == 0) -- fatal("%s: no hostkeys", __func__); +- fatal_f("no hostkeys"); - if ((r = sshpkt_send(ssh)) != 0) + debug3("%s: no hostkeys", __func__); + else if ((r = sshpkt_send(ssh)) != 0) sshpkt_fatal(ssh, r, "%s: send", __func__); sshbuf_free(buf); } -@@ -1865,7 +1865,8 @@ main(int ac, char **av) +@@ -1912,7 +1912,8 @@ main(int ac, char **av) free(fp); } accumulate_host_timing_secret(cfg, NULL); @@ -3757,9 +3750,9 @@ index 1a09e7b..7d23232 100644 logit("sshd: no hostkeys available -- exiting."); exit(1); } -@@ -2361,6 +2362,48 @@ do_ssh2_kex(struct ssh *ssh) +@@ -2407,6 +2408,48 @@ do_ssh2_kex(struct ssh *ssh) myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( - list_hostkey_types()); + ssh, list_hostkey_types()); +#if defined(GSSAPI) && defined(WITH_OPENSSL) + { 
@@ -3805,8 +3798,8 @@ index 1a09e7b..7d23232 100644 + /* start key exchange */ if ((r = kex_setup(ssh, myproposal)) != 0) - fatal("kex_setup: %s", ssh_err(r)); -@@ -2376,7 +2419,18 @@ do_ssh2_kex(struct ssh *ssh) + fatal_r(r, "kex_setup"); +@@ -2422,7 +2465,18 @@ do_ssh2_kex(struct ssh *ssh) # ifdef OPENSSL_HAS_ECC kex->kex[KEX_ECDH_SHA2] = kex_gen_server; # endif @@ -3824,12 +3817,12 @@ index 1a09e7b..7d23232 100644 +# endif +#endif /* WITH_OPENSSL */ kex->kex[KEX_C25519_SHA256] = kex_gen_server; - kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server; + kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server; kex->load_host_public_key=&get_hostkey_public_by_type; -diff --git a/sshd_config b/sshd_config -index 9ae8b05..8c1d1e5 100644 ---- a/sshd_config -+++ b/sshd_config +Index: openssh-8.8p1/sshd_config +=================================================================== +--- openssh-8.8p1.orig/sshd_config ++++ openssh-8.8p1/sshd_config @@ -69,6 +69,8 @@ AuthorizedKeysFile .ssh/authorized_keys # GSSAPI options #GSSAPIAuthentication no @@ -3839,11 +3832,11 @@ index 9ae8b05..8c1d1e5 100644 # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will -diff --git a/sshd_config.5 b/sshd_config.5 -index 9c64f41..36696cc 100644 ---- a/sshd_config.5 -+++ b/sshd_config.5 -@@ -646,6 +646,11 @@ Specifies whether to automatically destroy the user's credentials cache +Index: openssh-8.8p1/sshd_config.5 +=================================================================== +--- openssh-8.8p1.orig/sshd_config.5 ++++ openssh-8.8p1/sshd_config.5 +@@ -652,6 +652,11 @@ Specifies whether to automatically destr on logout. The default is .Cm yes . 
@@ -3855,7 +3848,7 @@ index 9c64f41..36696cc 100644 .It Cm GSSAPIStrictAcceptorCheck Determines whether to be strict about the identity of the GSSAPI acceptor a client authenticates against. -@@ -660,6 +665,31 @@ machine's default store. +@@ -666,6 +671,31 @@ machine's default store. This facility is provided to assist with operation on multi homed machines. The default is .Cm yes . @@ -3884,14 +3877,14 @@ index 9c64f41..36696cc 100644 +The default is +.Dq gss-gex-sha1-,gss-group14-sha1- . +This option only applies to protocol version 2 connections using GSSAPI. - .It Cm HostbasedAcceptedKeyTypes - Specifies the key types that will be accepted for hostbased authentication - as a list of comma-separated patterns. -diff --git a/sshkey.c b/sshkey.c -index 1571e3d..1ac32a0 100644 ---- a/sshkey.c -+++ b/sshkey.c -@@ -154,6 +154,7 @@ static const struct keytype keytypes[] = { + .It Cm HostbasedAcceptedAlgorithms + Specifies the signature algorithms that will be accepted for hostbased + authentication as a list of comma-separated patterns. +Index: openssh-8.8p1/sshkey.c +=================================================================== +--- openssh-8.8p1.orig/sshkey.c ++++ openssh-8.8p1/sshkey.c +@@ -156,6 +156,7 @@ static const struct keytype keytypes[] = KEY_ECDSA_SK_CERT, NID_X9_62_prime256v1, 1, 0 }, # endif /* OPENSSL_HAS_ECC */ #endif /* WITH_OPENSSL */ @@ -3899,7 +3892,7 @@ index 1571e3d..1ac32a0 100644 { NULL, NULL, NULL, -1, -1, 0, 0 } }; -@@ -255,7 +256,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) +@@ -257,7 +258,7 @@ sshkey_alg_list(int certs_only, int plai const struct keytype *kt; for (kt = keytypes; kt->type != -1; kt++) { 
@@ -3908,11 +3901,11 @@ index 1571e3d..1ac32a0 100644 continue; if (!include_sigonly && kt->sigonly) continue; -diff --git a/sshkey.h b/sshkey.h -index 9c1d4f6..f586e89 100644 ---- a/sshkey.h -+++ b/sshkey.h -@@ -69,6 +69,7 @@ enum sshkey_types { +Index: openssh-8.8p1/sshkey.h +=================================================================== +--- openssh-8.8p1.orig/sshkey.h ++++ openssh-8.8p1/sshkey.h +@@ -71,6 +71,7 @@ enum sshkey_types { KEY_ECDSA_SK_CERT, KEY_ED25519_SK, KEY_ED25519_SK_CERT, diff --git a/openssh-8.1p1-audit.patch b/openssh-8.1p1-audit.patch index 30247e2..6364ae9 100644 --- a/openssh-8.1p1-audit.patch +++ b/openssh-8.1p1-audit.patch @@ -1,9 +1,9 @@ -Index: openssh-8.4p1/Makefile.in +Index: openssh-8.8p1/Makefile.in =================================================================== ---- openssh-8.4p1.orig/Makefile.in -+++ openssh-8.4p1/Makefile.in -@@ -113,7 +113,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ - sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \ +--- openssh-8.8p1.orig/Makefile.in ++++ openssh-8.8p1/Makefile.in +@@ -114,7 +114,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ + kexsntrup761x25519.o sntrup761.o kexgen.o \ kexgssc.o \ sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \ - sshbuf-io.o @@ -11,11 +11,11 @@ Index: openssh-8.4p1/Makefile.in SKOBJS= ssh-sk-client.o -Index: openssh-8.4p1/audit-bsm.c +Index: openssh-8.8p1/audit-bsm.c =================================================================== ---- openssh-8.4p1.orig/audit-bsm.c -+++ openssh-8.4p1/audit-bsm.c -@@ -372,13 +372,26 @@ audit_connection_from(const char *host, +--- openssh-8.8p1.orig/audit-bsm.c ++++ openssh-8.8p1/audit-bsm.c +@@ -373,13 +373,26 @@ audit_connection_from(const char *host, #endif } 
@@ -43,7 +43,7 @@ Index: openssh-8.4p1/audit-bsm.c audit_session_open(struct logininfo *li) { /* not implemented */ -@@ -390,6 +403,12 @@ audit_session_close(struct logininfo *li +@@ -391,6 +404,12 @@ audit_session_close(struct logininfo *li /* not implemented */ } @@ -56,7 +56,7 @@ Index: openssh-8.4p1/audit-bsm.c void audit_event(struct ssh *ssh, ssh_audit_event_t event) { -@@ -451,4 +470,28 @@ audit_event(struct ssh *ssh, ssh_audit_e +@@ -452,4 +471,28 @@ audit_event(struct ssh *ssh, ssh_audit_e debug("%s: unhandled event %d", __func__, event); } } @@ -85,10 +85,10 @@ Index: openssh-8.4p1/audit-bsm.c + /* not implemented */ +} #endif /* BSM */ -Index: openssh-8.4p1/audit-linux.c +Index: openssh-8.8p1/audit-linux.c =================================================================== ---- openssh-8.4p1.orig/audit-linux.c -+++ openssh-8.4p1/audit-linux.c +--- openssh-8.8p1.orig/audit-linux.c ++++ openssh-8.8p1/audit-linux.c @@ -33,27 +33,40 @@ #include "log.h" @@ -459,10 +459,10 @@ Index: openssh-8.4p1/audit-linux.c + error("cannot write into audit"); +} #endif /* USE_LINUX_AUDIT */ -Index: openssh-8.4p1/audit.c +Index: openssh-8.8p1/audit.c =================================================================== ---- openssh-8.4p1.orig/audit.c -+++ openssh-8.4p1/audit.c +--- openssh-8.8p1.orig/audit.c ++++ openssh-8.8p1/audit.c @@ -34,6 +34,12 @@ #include "log.h" #include "hostfile.h" @@ -640,10 +640,10 @@ Index: openssh-8.4p1/audit.c } # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */ -Index: openssh-8.4p1/audit.h +Index: openssh-8.8p1/audit.h =================================================================== ---- openssh-8.4p1.orig/audit.h -+++ openssh-8.4p1/audit.h +--- openssh-8.8p1.orig/audit.h ++++ openssh-8.8p1/audit.h @@ -26,6 +26,7 @@ # define _SSH_AUDIT_H 
@@ -686,10 +686,10 @@ Index: openssh-8.4p1/audit.h +void audit_destroy_sensitive_data(struct ssh *, const char *, pid_t, uid_t); #endif /* _SSH_AUDIT_H */ -Index: openssh-8.4p1/auditstub.c +Index: openssh-8.8p1/auditstub.c =================================================================== --- /dev/null -+++ openssh-8.4p1/auditstub.c ++++ openssh-8.8p1/auditstub.c @@ -0,0 +1,52 @@ +/* $Id: auditstub.c,v 1.1 jfch Exp $ */ + @@ -743,20 +743,11 @@ Index: openssh-8.4p1/auditstub.c +audit_session_key_free_body(struct ssh *ssh, int ctos, pid_t pid, uid_t uid) +{ +} -Index: openssh-8.4p1/auth.c +Index: openssh-8.8p1/auth.c =================================================================== ---- openssh-8.4p1.orig/auth.c -+++ openssh-8.4p1/auth.c -@@ -367,7 +367,7 @@ auth_log(struct ssh *ssh, int authentica - # endif - #endif - #ifdef SSH_AUDIT_EVENTS -- if (authenticated == 0 && !authctxt->postponed) -+ if (authenticated == 0 && !authctxt->postponed && !partial) - audit_event(ssh, audit_classify_auth(method)); - #endif - } -@@ -593,9 +593,6 @@ getpwnamallow(struct ssh *ssh, const cha +--- openssh-8.8p1.orig/auth.c ++++ openssh-8.8p1/auth.c +@@ -599,9 +599,6 @@ getpwnamallow(struct ssh *ssh, const cha record_failed_login(ssh, user, auth_get_canonical_hostname(ssh, options.use_dns), "ssh"); #endif @@ -766,10 +757,10 @@ Index: openssh-8.4p1/auth.c return (NULL); } if (!allowed_user(ssh, pw)) -Index: openssh-8.4p1/auth.h +Index: openssh-8.8p1/auth.h =================================================================== ---- openssh-8.4p1.orig/auth.h -+++ openssh-8.4p1/auth.h +--- openssh-8.8p1.orig/auth.h ++++ openssh-8.8p1/auth.h @@ -189,6 +189,8 @@ struct passwd * getpwnamallow(struct ssh char *expand_authorized_keys(const char *, struct passwd *pw); 
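Review bot: The rebased audit patch silently drops its auth.c hunk that narrowed the audit condition in auth_log to `if (authenticated == 0 && !authctxt->postponed && !partial)`, so whether partial (first-factor) successes still stay out of audit_event now depends entirely on what 8.8p1 upstream does in that function, and the commit gives no reason. Presumably upstream already folds `partial` into that condition and the hunk became redundant; that should be confirmed, because if it does not, every successful first factor in a multi-factor configuration is recorded as an authentication failure. A one-line remark in the patch header such as `auth.c !partial hunk dropped: handled upstream in 8.8p1` would make the omission deliberate for the next rebase. auth_log itself is not visible in this hunk.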
@@ -788,11 +779,11 @@ Index: openssh-8.4p1/auth.h /* Key / cert options linkage to auth layer */ const struct sshauthopt *auth_options(struct ssh *); -Index: openssh-8.4p1/auth2-hostbased.c +Index: openssh-8.8p1/auth2-hostbased.c =================================================================== ---- openssh-8.4p1.orig/auth2-hostbased.c -+++ openssh-8.4p1/auth2-hostbased.c -@@ -150,7 +150,7 @@ userauth_hostbased(struct ssh *ssh) +--- openssh-8.8p1.orig/auth2-hostbased.c ++++ openssh-8.8p1/auth2-hostbased.c +@@ -149,7 +149,7 @@ userauth_hostbased(struct ssh *ssh) authenticated = 0; if (PRIVSEP(hostbased_key_allowed(ssh, authctxt->pw, cuser, chost, key)) && @@ -801,7 +792,7 @@ Index: openssh-8.4p1/auth2-hostbased.c sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat, NULL)) == 0) authenticated = 1; -@@ -167,6 +167,19 @@ done: +@@ -166,6 +166,19 @@ done: return authenticated; } @@ -821,11 +812,11 @@ Index: openssh-8.4p1/auth2-hostbased.c /* return 1 if given hostkey is allowed */ int hostbased_key_allowed(struct ssh *ssh, struct passwd *pw, -Index: openssh-8.4p1/auth2-pubkey.c +Index: openssh-8.8p1/auth2-pubkey.c =================================================================== ---- openssh-8.4p1.orig/auth2-pubkey.c -+++ openssh-8.4p1/auth2-pubkey.c -@@ -212,7 +212,7 @@ userauth_pubkey(struct ssh *ssh) +--- openssh-8.8p1.orig/auth2-pubkey.c ++++ openssh-8.8p1/auth2-pubkey.c +@@ -203,7 +203,7 @@ userauth_pubkey(struct ssh *ssh) /* test for correct signature */ authenticated = 0; if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) && @@ -834,7 +825,7 @@ Index: openssh-8.4p1/auth2-pubkey.c sshbuf_ptr(b), sshbuf_len(b), (ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL, ssh->compat, &sig_details)) == 0) { -@@ -308,6 +308,19 @@ done: +@@ -295,6 +295,19 @@ done: return authenticated; } 
@@ -854,11 +845,11 @@ Index: openssh-8.4p1/auth2-pubkey.c static int match_principals_option(const char *principal_list, struct sshkey_cert *cert) { -Index: openssh-8.4p1/auth2.c +Index: openssh-8.8p1/auth2.c =================================================================== ---- openssh-8.4p1.orig/auth2.c -+++ openssh-8.4p1/auth2.c -@@ -293,9 +293,6 @@ input_userauth_request(int type, u_int32 +--- openssh-8.8p1.orig/auth2.c ++++ openssh-8.8p1/auth2.c +@@ -290,9 +290,6 @@ input_userauth_request(int type, u_int32 } else { /* Invalid user, fake password information */ authctxt->pw = fakepw(); @@ -868,10 +859,10 @@ Index: openssh-8.4p1/auth2.c } #ifdef USE_PAM if (options.use_pam) -Index: openssh-8.4p1/cipher.c +Index: openssh-8.8p1/cipher.c =================================================================== ---- openssh-8.4p1.orig/cipher.c -+++ openssh-8.4p1/cipher.c +--- openssh-8.8p1.orig/cipher.c ++++ openssh-8.8p1/cipher.c @@ -58,25 +58,6 @@ #define EVP_CIPHER_CTX void #endif @@ -898,7 +889,7 @@ Index: openssh-8.4p1/cipher.c static const struct sshcipher ciphers_all[] = { #ifdef WITH_OPENSSL #ifndef OPENSSL_NO_DES -@@ -462,7 +443,7 @@ cipher_get_length(struct sshcipher_ctx * +@@ -460,7 +441,7 @@ cipher_get_length(struct sshcipher_ctx * void cipher_free(struct sshcipher_ctx *cc) { @@ -907,10 +898,10 @@ Index: openssh-8.4p1/cipher.c return; if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) { chachapoly_free(cc->cp_ctx); -Index: openssh-8.4p1/cipher.h +Index: openssh-8.8p1/cipher.h =================================================================== ---- openssh-8.4p1.orig/cipher.h -+++ openssh-8.4p1/cipher.h +--- openssh-8.8p1.orig/cipher.h ++++ openssh-8.8p1/cipher.h @@ -47,7 +47,25 @@ #define CIPHER_ENCRYPT 1 #define CIPHER_DECRYPT 0 
@@ -938,10 +929,10 @@ Index: openssh-8.4p1/cipher.h struct sshcipher_ctx { int plaintext; int encrypt; -Index: openssh-8.4p1/kex.c +Index: openssh-8.8p1/kex.c =================================================================== ---- openssh-8.4p1.orig/kex.c -+++ openssh-8.4p1/kex.c +--- openssh-8.8p1.orig/kex.c ++++ openssh-8.8p1/kex.c @@ -62,6 +62,7 @@ #include "ssherr.h" #include "sshbuf.h" @@ -950,7 +941,7 @@ Index: openssh-8.4p1/kex.c #ifdef GSSAPI #include "ssh-gss.h" -@@ -857,12 +858,16 @@ kex_start_rekex(struct ssh *ssh) +@@ -859,12 +860,16 @@ kex_start_rekex(struct ssh *ssh) } static int @@ -967,9 +958,9 @@ Index: openssh-8.4p1/kex.c return SSH_ERR_NO_CIPHER_ALG_MATCH; + } if ((enc->cipher = cipher_by_name(name)) == NULL) { - error("%s: unsupported cipher %s", __func__, name); + error_f("unsupported cipher %s", name); free(name); -@@ -883,8 +888,12 @@ choose_mac(struct ssh *ssh, struct sshma +@@ -885,8 +890,12 @@ choose_mac(struct ssh *ssh, struct sshma { char *name = match_list(client, server, NULL); @@ -981,9 +972,9 @@ Index: openssh-8.4p1/kex.c return SSH_ERR_NO_MAC_ALG_MATCH; + } if (mac_setup(mac, name) < 0) { - error("%s: unsupported MAC %s", __func__, name); + error_f("unsupported MAC %s", name); free(name); -@@ -897,12 +906,16 @@ choose_mac(struct ssh *ssh, struct sshma +@@ -899,12 +908,16 @@ choose_mac(struct ssh *ssh, struct sshma } static int @@ -1002,7 +993,7 @@ Index: openssh-8.4p1/kex.c #ifdef WITH_ZLIB if (strcmp(name, "zlib@openssh.com") == 0) { comp->type = COMP_DELAYED; -@@ -1043,7 +1056,7 @@ kex_choose_conf(struct ssh *ssh) +@@ -1045,7 +1058,7 @@ kex_choose_conf(struct ssh *ssh) nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC; nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC; ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC; 
@@ -1011,7 +1002,7 @@ Index: openssh-8.4p1/kex.c sprop[nenc])) != 0) { kex->failed_choice = peer[nenc]; peer[nenc] = NULL; -@@ -1058,7 +1071,7 @@ kex_choose_conf(struct ssh *ssh) +@@ -1060,7 +1073,7 @@ kex_choose_conf(struct ssh *ssh) peer[nmac] = NULL; goto out; } @@ -1020,7 +1011,7 @@ Index: openssh-8.4p1/kex.c sprop[ncomp])) != 0) { kex->failed_choice = peer[ncomp]; peer[ncomp] = NULL; -@@ -1081,6 +1094,10 @@ kex_choose_conf(struct ssh *ssh) +@@ -1083,6 +1096,10 @@ kex_choose_conf(struct ssh *ssh) dh_need = MAXIMUM(dh_need, newkeys->enc.block_size); dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len); dh_need = MAXIMUM(dh_need, newkeys->mac.key_len); @@ -1031,7 +1022,7 @@ Index: openssh-8.4p1/kex.c } /* XXX need runden? */ kex->we_need = need; -@@ -1245,6 +1262,36 @@ dump_digest(const char *msg, const u_cha +@@ -1250,6 +1267,36 @@ dump_digest(const char *msg, const u_cha } #endif @@ -1068,10 +1059,10 @@ Index: openssh-8.4p1/kex.c /* * Send a plaintext error message to the peer, suffixed by \r\n. * Only used during banner exchange, and there only for the server. -Index: openssh-8.4p1/kex.h +Index: openssh-8.8p1/kex.h =================================================================== ---- openssh-8.4p1.orig/kex.h -+++ openssh-8.4p1/kex.h +--- openssh-8.8p1.orig/kex.h ++++ openssh-8.8p1/kex.h @@ -226,6 +226,8 @@ int kexgss_client(struct ssh *); int kexgss_server(struct ssh *); #endif @@ -1081,10 +1072,10 @@ Index: openssh-8.4p1/kex.h int kex_dh_keypair(struct kex *); int kex_dh_enc(struct kex *, const struct sshbuf *, struct sshbuf **, struct sshbuf **); -Index: openssh-8.4p1/mac.c +Index: openssh-8.8p1/mac.c =================================================================== ---- openssh-8.4p1.orig/mac.c -+++ openssh-8.4p1/mac.c +--- openssh-8.8p1.orig/mac.c ++++ openssh-8.8p1/mac.c @@ -277,6 +277,20 @@ mac_clear(struct sshmac *mac) mac->umac_ctx = NULL; } 
@@ -1106,10 +1097,10 @@ Index: openssh-8.4p1/mac.c /* XXX copied from ciphers_valid */ #define MAC_SEP "," int -Index: openssh-8.4p1/mac.h +Index: openssh-8.8p1/mac.h =================================================================== ---- openssh-8.4p1.orig/mac.h -+++ openssh-8.4p1/mac.h +--- openssh-8.8p1.orig/mac.h ++++ openssh-8.8p1/mac.h @@ -49,5 +49,6 @@ int mac_compute(struct sshmac *, u_int3 int mac_check(struct sshmac *, u_int32_t, const u_char *, size_t, const u_char *, size_t); @@ -1117,10 +1108,10 @@ Index: openssh-8.4p1/mac.h +void mac_destroy(struct sshmac *); #endif /* SSHMAC_H */ -Index: openssh-8.4p1/monitor.c +Index: openssh-8.8p1/monitor.c =================================================================== ---- openssh-8.4p1.orig/monitor.c -+++ openssh-8.4p1/monitor.c +--- openssh-8.8p1.orig/monitor.c ++++ openssh-8.8p1/monitor.c @@ -93,6 +93,7 @@ #include "compat.h" #include "ssh2.h" @@ -1129,7 +1120,7 @@ Index: openssh-8.4p1/monitor.c #include "match.h" #include "ssherr.h" #include "sk-api.h" -@@ -108,6 +109,8 @@ extern u_char session_id[]; +@@ -107,6 +108,8 @@ extern u_int utmp_len; extern struct sshbuf *loginmsg; extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */ @@ -1138,7 +1129,7 @@ Index: openssh-8.4p1/monitor.c /* State exported from the child */ static struct sshbuf *child_state; -@@ -155,6 +158,11 @@ int mm_answer_gss_updatecreds(struct ssh +@@ -152,6 +155,11 @@ int mm_answer_gss_updatecreds(struct ssh #ifdef SSH_AUDIT_EVENTS int mm_answer_audit_event(struct ssh *, int, struct sshbuf *); int mm_answer_audit_command(struct ssh *, int, struct sshbuf *); @@ -1150,7 +1141,7 @@ Index: openssh-8.4p1/monitor.c #endif static Authctxt *authctxt; -@@ -210,6 +218,10 @@ struct mon_table mon_dispatch_proto20[] +@@ -207,6 +215,10 @@ struct mon_table mon_dispatch_proto20[] #endif #ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, 
@@ -1161,7 +1152,7 @@ Index: openssh-8.4p1/monitor.c #endif #ifdef BSD_AUTH {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, -@@ -244,6 +256,11 @@ struct mon_table mon_dispatch_postauth20 +@@ -241,6 +253,11 @@ struct mon_table mon_dispatch_postauth20 #ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, @@ -1173,7 +1164,7 @@ Index: openssh-8.4p1/monitor.c #endif {0, 0, NULL} }; -@@ -1407,8 +1424,10 @@ mm_answer_keyverify(struct ssh *ssh, int +@@ -1403,8 +1420,10 @@ mm_answer_keyverify(struct ssh *ssh, int int r, ret, req_presence = 0, req_verify = 0, valid_data = 0; int encoded_ret; struct sshkey_sig_details *sig_details = NULL; @@ -1185,18 +1176,18 @@ Index: openssh-8.4p1/monitor.c (r = sshbuf_get_string_direct(m, &signature, &signaturelen)) != 0 || (r = sshbuf_get_string_direct(m, &data, &datalen)) != 0 || (r = sshbuf_get_cstring(m, &sigalg, NULL)) != 0) -@@ -1417,6 +1436,8 @@ mm_answer_keyverify(struct ssh *ssh, int +@@ -1413,6 +1432,8 @@ mm_answer_keyverify(struct ssh *ssh, int if (hostbased_cuser == NULL || hostbased_chost == NULL || !monitor_allowed_key(blob, bloblen)) - fatal("%s: bad key, not previously allowed", __func__); + fatal_f("bad key, not previously allowed"); + if (type != key_blobtype) -+ fatal("%s: bad key type", __func__); ++ fatal_f("bad key type"); /* Empty signature algorithm means NULL. */ if (*sigalg == '\0') { -@@ -1432,14 +1453,19 @@ mm_answer_keyverify(struct ssh *ssh, int +@@ -1428,14 +1449,19 @@ mm_answer_keyverify(struct ssh *ssh, int case MM_USERKEY: - valid_data = monitor_valid_userblob(data, datalen); + valid_data = monitor_valid_userblob(ssh, data, datalen); auth_method = "publickey"; + ret = user_key_verify(ssh, key, signature, signaturelen, data, + datalen, sigalg, ssh->compat, &sig_details); 
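Review bot: In mm_answer_keyverify the added `ret = user_key_verify(ssh, key, signature, signaturelen, data, datalen, sigalg, ssh->compat, &sig_details);` sits inside `case MM_USERKEY:`, which runs the signature check before the `if (!valid_data)` test that follows the switch, whereas the upstream call it replaces verified only after the blob had passed monitor_valid_userblob. Nothing is accepted wrongly, since an invalid blob is still fatal, but the monitor now spends signature-verification work on a request whose structure it has not yet validated, and the hostbased branch appears to do the same. Keeping the per-type dispatch but moving the call after the valid_data check, for example by recording which verifier to use in the switch and invoking it right after `if (!valid_data)`, restores the check-then-verify order. The added `if (type != key_blobtype) fatal_f("bad key type");` is the right guard for the new u32 in the message; the rest of the function is outside this hunk.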
@@ -1214,55 +1205,55 @@ Index: openssh-8.4p1/monitor.c break; } if (!valid_data) -@@ -1449,8 +1475,6 @@ mm_answer_keyverify(struct ssh *ssh, int +@@ -1447,8 +1473,6 @@ mm_answer_keyverify(struct ssh *ssh, int SSH_FP_DEFAULT)) == NULL) - fatal("%s: sshkey_fingerprint failed", __func__); + fatal_f("sshkey_fingerprint failed"); - ret = sshkey_verify(key, signature, signaturelen, data, datalen, - sigalg, ssh->compat, &sig_details); - debug3("%s: %s %p signature %s%s%s", __func__, auth_method, key, + debug3_f("%s %s signature %s%s%s", auth_method, sshkey_type(key), (ret == 0) ? "verified" : "unverified", (ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : ""); -@@ -1537,13 +1561,19 @@ mm_record_login(struct ssh *ssh, Session +@@ -1535,13 +1559,19 @@ mm_record_login(struct ssh *ssh, Session } static void -mm_session_close(Session *s) +mm_session_close(struct ssh *ssh, Session *s) { - debug3("%s: session %d pid %ld", __func__, s->self, (long)s->pid); + debug3_f("session %d pid %ld", s->self, (long)s->pid); if (s->ttyfd != -1) { - debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd); + debug3_f("tty %s ptyfd %d", s->tty, s->ptyfd); session_pty_cleanup2(s); } +#ifdef SSH_AUDIT_EVENTS + if (s->command != NULL) { -+ debug3("%s: command %d", __func__, s->command_handle); ++ debug3_f("command %d", s->command_handle); + session_end_command2(ssh, s); + } +#endif session_unused(s->self); } -@@ -1610,7 +1640,7 @@ mm_answer_pty(struct ssh *ssh, int sock, +@@ -1608,7 +1638,7 @@ mm_answer_pty(struct ssh *ssh, int sock, error: if (s != NULL) - mm_session_close(s); + mm_session_close(ssh, s); if ((r = sshbuf_put_u32(m, 0)) != 0) - fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "assemble 0"); mm_request_send(sock, MONITOR_ANS_PTY, m); -@@ -1629,7 +1659,7 @@ mm_answer_pty_cleanup(struct ssh *ssh, i +@@ -1627,7 +1657,7 @@ mm_answer_pty_cleanup(struct ssh *ssh, i if ((r = sshbuf_get_cstring(m, &tty, NULL)) != 0) - fatal("%s: buffer error: %s", __func__, ssh_err(r)); 
+ fatal_fr(r, "parse tty"); if ((s = session_by_tty(tty)) != NULL) - mm_session_close(s); + mm_session_close(ssh, s); sshbuf_reset(m); free(tty); return (0); -@@ -1651,6 +1681,8 @@ mm_answer_term(struct ssh *ssh, int sock +@@ -1649,6 +1679,8 @@ mm_answer_term(struct ssh *ssh, int sock sshpam_cleanup(); #endif @@ -1271,7 +1262,7 @@ Index: openssh-8.4p1/monitor.c while (waitpid(pmonitor->m_pid, &status, 0) == -1) if (errno != EINTR) exit(1); -@@ -1697,12 +1729,47 @@ mm_answer_audit_command(struct ssh *ssh, +@@ -1695,12 +1727,47 @@ mm_answer_audit_command(struct ssh *ssh, { char *cmd; int r; @@ -1320,18 +1311,18 @@ Index: openssh-8.4p1/monitor.c free(cmd); return (0); } -@@ -1768,6 +1835,7 @@ monitor_apply_keystate(struct ssh *ssh, +@@ -1772,6 +1839,7 @@ monitor_apply_keystate(struct ssh *ssh, void mm_get_keystate(struct ssh *ssh, struct monitor *pmonitor) { + struct sshbuf *m; - debug3("%s: Waiting for new keys", __func__); + debug3_f("Waiting for new keys"); if ((child_state = sshbuf_new()) == NULL) -@@ -1775,6 +1843,19 @@ mm_get_keystate(struct ssh *ssh, struct +@@ -1779,6 +1847,18 @@ mm_get_keystate(struct ssh *ssh, struct mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT, child_state); - debug3("%s: GOT new keys", __func__); + debug3_f("GOT new keys"); + +#ifdef SSH_AUDIT_EVENTS + m = sshbuf_new(); @@ -1344,11 +1335,10 @@ Index: openssh-8.4p1/monitor.c + /* Drain any buffered messages from the child */ + while (pmonitor->m_log_recvfd >= 0 && monitor_read_log(pmonitor) == 0) + ; -+ } -@@ -2052,3 +2133,102 @@ mm_answer_gss_updatecreds(struct ssh *ss +@@ -2056,3 +2136,102 @@ mm_answer_gss_updatecreds(struct ssh *ss #endif /* GSSAPI */ 
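Review bot: In mm_get_keystate the new `m = sshbuf_new();` is not checked for NULL before it is handed to mm_request_receive_expect and mm_answer_audit_session_key_free_body, while the `child_state` allocation a few lines above in the same function is checked and fatals. An allocation failure here becomes a NULL dereference in the monitor rather than a clean fatal; use the same form, `if ((m = sshbuf_new()) == NULL) fatal_f("sshbuf_new failed");`. The removal of the `+ }` line the old patch added after the drain loop also changes the brace structure the patch introduces, and a short note in the patch header on why it was wrong before would help the next rebase. The end of mm_get_keystate is outside the hunk.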
@@ -1451,10 +1441,10 @@ Index: openssh-8.4p1/monitor.c + return 0; +} +#endif /* SSH_AUDIT_EVENTS */ -Index: openssh-8.4p1/monitor.h +Index: openssh-8.8p1/monitor.h =================================================================== ---- openssh-8.4p1.orig/monitor.h -+++ openssh-8.4p1/monitor.h +--- openssh-8.8p1.orig/monitor.h ++++ openssh-8.8p1/monitor.h @@ -61,7 +61,13 @@ enum monitor_reqtype { MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107, MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109, @@ -1470,11 +1460,11 @@ Index: openssh-8.4p1/monitor.h MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151, MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153, -Index: openssh-8.4p1/monitor_wrap.c +Index: openssh-8.8p1/monitor_wrap.c =================================================================== ---- openssh-8.4p1.orig/monitor_wrap.c -+++ openssh-8.4p1/monitor_wrap.c -@@ -492,7 +492,7 @@ mm_key_allowed(enum mm_keytype type, con +--- openssh-8.8p1.orig/monitor_wrap.c ++++ openssh-8.8p1/monitor_wrap.c +@@ -499,7 +499,7 @@ mm_key_allowed(enum mm_keytype type, con */ int @@ -1483,17 +1473,17 @@ Index: openssh-8.4p1/monitor_wrap.c const u_char *data, size_t datalen, const char *sigalg, u_int compat, struct sshkey_sig_details **sig_detailsp) { -@@ -508,7 +508,8 @@ mm_sshkey_verify(const struct sshkey *ke +@@ -515,7 +515,8 @@ mm_sshkey_verify(const struct sshkey *ke *sig_detailsp = NULL; if ((m = sshbuf_new()) == NULL) - fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed"); - if ((r = sshkey_puts(key, m)) != 0 || + if ((r = sshbuf_put_u32(m, type)) != 0 || + (r = sshkey_puts(key, m)) != 0 || (r = sshbuf_put_string(m, sig, siglen)) != 0 || (r = sshbuf_put_string(m, data, datalen)) != 0 || (r = sshbuf_put_cstring(m, sigalg == NULL ? "" : sigalg)) != 0) -@@ -541,6 +542,20 @@ mm_sshkey_verify(const struct sshkey *ke +@@ -548,6 +549,20 @@ mm_sshkey_verify(const struct sshkey *ke return 0; } 
@@ -1514,7 +1504,7 @@ Index: openssh-8.4p1/monitor_wrap.c void mm_send_keystate(struct ssh *ssh, struct monitor *monitor) { -@@ -894,11 +909,12 @@ mm_audit_event(struct ssh *ssh, ssh_audi +@@ -900,11 +915,12 @@ mm_audit_event(struct ssh *ssh, ssh_audi sshbuf_free(m); } @@ -1529,7 +1519,7 @@ Index: openssh-8.4p1/monitor_wrap.c debug3("%s entering command %s", __func__, command); -@@ -908,6 +924,30 @@ mm_audit_run_command(const char *command +@@ -914,6 +930,30 @@ mm_audit_run_command(const char *command fatal("%s: buffer error: %s", __func__, ssh_err(r)); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, m); @@ -1560,7 +1550,7 @@ Index: openssh-8.4p1/monitor_wrap.c sshbuf_free(m); } #endif /* SSH_AUDIT_EVENTS */ -@@ -1068,3 +1108,83 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc +@@ -1074,3 +1114,83 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc } #endif /* GSSAPI */ @@ -1644,10 +1634,10 @@ Index: openssh-8.4p1/monitor_wrap.c + sshbuf_free(m); +} +#endif /* SSH_AUDIT_EVENTS */ -Index: openssh-8.4p1/monitor_wrap.h +Index: openssh-8.8p1/monitor_wrap.h =================================================================== ---- openssh-8.4p1.orig/monitor_wrap.h -+++ openssh-8.4p1/monitor_wrap.h +--- openssh-8.8p1.orig/monitor_wrap.h ++++ openssh-8.8p1/monitor_wrap.h @@ -58,7 +58,9 @@ int mm_user_key_allowed(struct ssh *, st struct sshauthopt **); int mm_hostbased_key_allowed(struct ssh *, struct passwd *, const char *, @@ -1673,10 +1663,10 @@ Index: openssh-8.4p1/monitor_wrap.h #endif struct Session; -Index: openssh-8.4p1/packet.c +Index: openssh-8.8p1/packet.c =================================================================== ---- openssh-8.4p1.orig/packet.c -+++ openssh-8.4p1/packet.c +--- openssh-8.8p1.orig/packet.c ++++ openssh-8.8p1/packet.c @@ -81,6 +81,7 @@ #endif 
@@ -1685,7 +1675,7 @@ Index: openssh-8.4p1/packet.c #include "compat.h" #include "ssh2.h" #include "cipher.h" -@@ -518,6 +519,13 @@ ssh_packet_get_connection_out(struct ssh +@@ -506,6 +507,13 @@ ssh_packet_get_connection_out(struct ssh return ssh->state->connection_out; } @@ -1699,7 +1689,7 @@ Index: openssh-8.4p1/packet.c /* * Returns the IP-address of the remote host as a string. The returned * string must not be freed. -@@ -595,22 +603,19 @@ ssh_packet_close_internal(struct ssh *ss +@@ -583,22 +591,19 @@ ssh_packet_close_internal(struct ssh *ss { struct session_state *state = ssh->state; u_int mode; @@ -1727,7 +1717,7 @@ Index: openssh-8.4p1/packet.c for (mode = 0; mode < MODE_MAX; mode++) { kex_free_newkeys(state->newkeys[mode]); /* current keys */ state->newkeys[mode] = NULL; -@@ -646,8 +651,18 @@ ssh_packet_close_internal(struct ssh *ss +@@ -634,8 +639,18 @@ ssh_packet_close_internal(struct ssh *ss #endif /* WITH_ZLIB */ cipher_free(state->send_context); cipher_free(state->receive_context); @@ -1746,15 +1736,15 @@ Index: openssh-8.4p1/packet.c free(ssh->local_ipaddr); ssh->local_ipaddr = NULL; free(ssh->remote_ipaddr); -@@ -904,6 +919,7 @@ ssh_set_newkeys(struct ssh *ssh, int mod - (unsigned long long)state->p_send.bytes, - (unsigned long long)state->p_send.blocks); +@@ -892,6 +907,7 @@ ssh_set_newkeys(struct ssh *ssh, int mod + (unsigned long long)state->p_send.bytes, + (unsigned long long)state->p_send.blocks); kex_free_newkeys(state->newkeys[mode]); + audit_session_key_free(ssh, mode); state->newkeys[mode] = NULL; } /* note that both bytes and the seqnr are not reset */ -@@ -2210,6 +2226,73 @@ ssh_packet_get_output(struct ssh *ssh) +@@ -2178,6 +2194,73 @@ ssh_packet_get_output(struct ssh *ssh) return (void *)ssh->state->output; } 
@@ -1828,20 +1818,20 @@ Index: openssh-8.4p1/packet.c /* Reset after_authentication and reset compression in post-auth privsep */ static int ssh_packet_set_postauth(struct ssh *ssh) -Index: openssh-8.4p1/packet.h +Index: openssh-8.8p1/packet.h =================================================================== ---- openssh-8.4p1.orig/packet.h -+++ openssh-8.4p1/packet.h -@@ -218,4 +218,5 @@ const u_char *sshpkt_ptr(struct ssh *, s +--- openssh-8.8p1.orig/packet.h ++++ openssh-8.8p1/packet.h +@@ -219,4 +219,5 @@ const u_char *sshpkt_ptr(struct ssh *, s # undef EC_POINT #endif +void packet_destroy_all(struct ssh *, int, int); #endif /* PACKET_H */ -Index: openssh-8.4p1/session.c +Index: openssh-8.8p1/session.c =================================================================== ---- openssh-8.4p1.orig/session.c -+++ openssh-8.4p1/session.c +--- openssh-8.8p1.orig/session.c ++++ openssh-8.8p1/session.c @@ -136,7 +136,7 @@ extern char *__progname; extern int debug_flag; extern u_int utmp_len; @@ -1851,7 +1841,7 @@ Index: openssh-8.4p1/session.c extern struct sshbuf *loginmsg; extern struct sshauthopt *auth_opts; extern char *tun_fwd_ifnames; /* serverloop.c */ -@@ -647,6 +647,14 @@ do_exec_pty(struct ssh *ssh, Session *s, +@@ -643,6 +643,14 @@ do_exec_pty(struct ssh *ssh, Session *s, /* Parent. Close the slave side of the pseudo tty. */ close(ttyfd); @@ -1866,7 +1856,7 @@ Index: openssh-8.4p1/session.c /* Enter interactive session. */ s->ptymaster = ptymaster; ssh_packet_set_interactive(ssh, 1, -@@ -711,15 +719,19 @@ do_exec(struct ssh *ssh, Session *s, con +@@ -707,15 +715,19 @@ do_exec(struct ssh *ssh, Session *s, con s->self); #ifdef SSH_AUDIT_EVENTS 
@@ -1888,7 +1878,7 @@ Index: openssh-8.4p1/session.c #endif if (s->ttyfd != -1) ret = do_exec_pty(ssh, s, command); -@@ -1542,8 +1554,11 @@ do_child(struct ssh *ssh, Session *s, co +@@ -1534,8 +1546,11 @@ do_child(struct ssh *ssh, Session *s, co sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id)); /* remove hostkey from the child's memory */ @@ -1901,7 +1891,7 @@ Index: openssh-8.4p1/session.c /* Force a password change */ if (s->authctxt->force_pwchange) { -@@ -1752,6 +1767,9 @@ session_unused(int id) +@@ -1744,6 +1759,9 @@ session_unused(int id) sessions[id].ttyfd = -1; sessions[id].ptymaster = -1; sessions[id].x11_chanids = NULL; @@ -1911,7 +1901,7 @@ Index: openssh-8.4p1/session.c sessions[id].next_unused = sessions_first_unused; sessions_first_unused = id; } -@@ -1834,6 +1852,19 @@ session_open(Authctxt *authctxt, int cha +@@ -1823,6 +1841,19 @@ session_open(Authctxt *authctxt, int cha } Session * @@ -1931,7 +1921,7 @@ Index: openssh-8.4p1/session.c session_by_tty(char *tty) { int i; -@@ -2444,6 +2475,32 @@ session_exit_message(struct ssh *ssh, Se +@@ -2430,6 +2461,32 @@ session_exit_message(struct ssh *ssh, Se chan_write_failed(ssh, c); } @@ -1964,7 +1954,7 @@ Index: openssh-8.4p1/session.c void session_close(struct ssh *ssh, Session *s) { -@@ -2485,6 +2542,10 @@ session_close(struct ssh *ssh, Session * +@@ -2471,6 +2528,10 @@ session_close(struct ssh *ssh, Session * if (s->ttyfd != -1) session_pty_cleanup(s); @@ -1975,7 +1965,7 @@ Index: openssh-8.4p1/session.c free(s->term); free(s->display); free(s->x11_chanids); -@@ -2560,14 +2621,14 @@ session_close_by_channel(struct ssh *ssh +@@ -2545,14 +2606,14 @@ session_close_by_channel(struct ssh *ssh } void @@ -1992,7 +1982,7 @@ Index: openssh-8.4p1/session.c else session_close(ssh, s); } -@@ -2693,6 +2754,15 @@ do_authenticated2(struct ssh *ssh, Authc +@@ -2678,6 +2739,15 @@ do_authenticated2(struct ssh *ssh, Authc server_loop2(ssh, authctxt); } 
@@ -2008,7 +1998,7 @@ Index: openssh-8.4p1/session.c void do_cleanup(struct ssh *ssh, Authctxt *authctxt) { -@@ -2756,7 +2826,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au +@@ -2741,7 +2811,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au * or if running in monitor. */ if (!use_privsep || mm_is_monitor()) @@ -2017,10 +2007,10 @@ Index: openssh-8.4p1/session.c } /* Return a name for the remote host that fits inside utmp_size */ -Index: openssh-8.4p1/session.h +Index: openssh-8.8p1/session.h =================================================================== ---- openssh-8.4p1.orig/session.h -+++ openssh-8.4p1/session.h +--- openssh-8.8p1.orig/session.h ++++ openssh-8.8p1/session.h @@ -61,6 +61,12 @@ struct Session { char *name; char *val; @@ -2048,10 +2038,10 @@ Index: openssh-8.4p1/session.h Session *session_by_tty(char *); void session_close(struct ssh *, Session *); void do_setusercontext(struct passwd *); -Index: openssh-8.4p1/sshd.c +Index: openssh-8.8p1/sshd.c =================================================================== ---- openssh-8.4p1.orig/sshd.c -+++ openssh-8.4p1/sshd.c +--- openssh-8.8p1.orig/sshd.c ++++ openssh-8.8p1/sshd.c @@ -122,6 +122,7 @@ #include "ssh-gss.h" #endif @@ -2060,7 +2050,7 @@ Index: openssh-8.4p1/sshd.c #include "ssh-sandbox.h" #include "auth-options.h" #include "version.h" -@@ -267,8 +268,8 @@ struct sshbuf *loginmsg; +@@ -262,8 +263,8 @@ struct sshbuf *loginmsg; struct passwd *privsep_pw = NULL; /* Prototypes for various functions defined later in this file. */ @@ -2071,7 +2061,7 @@ Index: openssh-8.4p1/sshd.c static void do_ssh2_kex(struct ssh *); static char *listener_proctitle; -@@ -286,6 +287,15 @@ close_listen_socks(void) +@@ -281,6 +282,15 @@ close_listen_socks(void) num_listen_socks = -1; } 
@@ -2087,8 +2077,8 @@ Index: openssh-8.4p1/sshd.c static void close_startup_pipes(void) { -@@ -390,18 +400,45 @@ grace_alarm_handler(int sig) - ssh_remote_port(the_active_state)); +@@ -386,18 +396,45 @@ grace_alarm_handler(int sig) + } } -/* Destroy the host and server keys. They will no longer be needed. */ @@ -2136,7 +2126,7 @@ Index: openssh-8.4p1/sshd.c sshkey_free(sensitive_data.host_certificates[i]); sensitive_data.host_certificates[i] = NULL; } -@@ -410,14 +447,26 @@ destroy_sensitive_data(void) +@@ -406,20 +443,38 @@ destroy_sensitive_data(void) /* Demote private to public keys for network child */ void @@ -2163,9 +2153,8 @@ Index: openssh-8.4p1/sshd.c + fp = NULL; if ((r = sshkey_from_private( sensitive_data.host_keys[i], &tmp)) != 0) - fatal("could not demote host %s key: %s", -@@ -425,6 +474,12 @@ demote_sensitive_data(void) - ssh_err(r)); + fatal_r(r, "could not demote host %s key", + sshkey_type(sensitive_data.host_keys[i])); sshkey_free(sensitive_data.host_keys[i]); sensitive_data.host_keys[i] = tmp; + if (fp != NULL) { @@ -2177,7 +2166,7 @@ Index: openssh-8.4p1/sshd.c } /* Certs do not need demotion */ } -@@ -452,7 +507,7 @@ reseed_prngs(void) +@@ -447,7 +502,7 @@ reseed_prngs(void) } static void @@ -2186,7 +2175,7 @@ Index: openssh-8.4p1/sshd.c { gid_t gidset[1]; -@@ -467,7 +522,7 @@ privsep_preauth_child(void) +@@ -462,7 +517,7 @@ privsep_preauth_child(void) reseed_prngs(); /* Demote the private keys to public keys. */ @@ -2195,7 +2184,7 @@ Index: openssh-8.4p1/sshd.c /* Demote the child */ if (privsep_chroot) { -@@ -502,7 +557,7 @@ privsep_preauth(struct ssh *ssh) +@@ -497,7 +552,7 @@ privsep_preauth(struct ssh *ssh) if (use_privsep == PRIVSEP_ON) box = ssh_sandbox_init(pmonitor); 
@@ -2204,7 +2193,7 @@ Index: openssh-8.4p1/sshd.c if (pid == -1) { fatal("fork of unprivileged child failed"); } else if (pid != 0) { -@@ -548,7 +603,7 @@ privsep_preauth(struct ssh *ssh) +@@ -542,7 +597,7 @@ privsep_preauth(struct ssh *ssh) /* Arrange for logging to be sent to the monitor */ set_log_handler(mm_log_handler, pmonitor); @@ -2213,7 +2202,7 @@ Index: openssh-8.4p1/sshd.c setproctitle("%s", "[net]"); if (box != NULL) ssh_sandbox_child(box); -@@ -592,7 +647,7 @@ privsep_postauth(struct ssh *ssh, Authct +@@ -586,7 +641,7 @@ privsep_postauth(struct ssh *ssh, Authct pmonitor->m_sendfd = -1; /* Demote the private keys to public keys. */ @@ -2222,7 +2211,7 @@ Index: openssh-8.4p1/sshd.c reseed_prngs(); -@@ -1159,7 +1214,7 @@ server_listen(void) +@@ -1140,7 +1195,7 @@ server_listen(void) * from this function are in a forked subprocess. */ static void @@ -2231,7 +2220,7 @@ Index: openssh-8.4p1/sshd.c { fd_set *fdset; int i, j, ret, maxfd; -@@ -1220,6 +1275,7 @@ server_accept_loop(int *sock_in, int *so +@@ -1186,6 +1241,7 @@ server_accept_loop(int *sock_in, int *so if (received_sigterm) { logit("Received signal %d; terminating.", (int) received_sigterm); @@ -2239,7 +2228,7 @@ Index: openssh-8.4p1/sshd.c close_listen_socks(); if (options.pid_file != NULL) unlink(options.pid_file); -@@ -2089,7 +2145,7 @@ main(int ac, char **av) +@@ -2091,7 +2147,7 @@ main(int ac, char **av) #endif /* Accept a connection and return in a forked child */ @@ -2248,7 +2237,7 @@ Index: openssh-8.4p1/sshd.c &newsock, config_s); } -@@ -2325,6 +2381,9 @@ main(int ac, char **av) +@@ -2321,6 +2377,9 @@ main(int ac, char **av) do_authenticated(ssh, authctxt); /* The connection has been terminated. */ 
@@ -2258,7 +2247,7 @@ Index: openssh-8.4p1/sshd.c ssh_packet_get_bytes(ssh, &ibytes, &obytes); verbose("Transferred: sent %llu, received %llu bytes", (unsigned long long)obytes, (unsigned long long)ibytes); -@@ -2509,6 +2568,15 @@ do_ssh2_kex(struct ssh *ssh) +@@ -2501,6 +2560,15 @@ do_ssh2_kex(struct ssh *ssh) void cleanup_exit(int i) { @@ -2274,8 +2263,8 @@ Index: openssh-8.4p1/sshd.c if (the_active_state != NULL && the_authctxt != NULL) { do_cleanup(the_active_state, the_authctxt); if (use_privsep && privsep_is_preauth && -@@ -2520,9 +2588,16 @@ cleanup_exit(int i) - pmonitor->m_pid, strerror(errno)); +@@ -2513,9 +2581,16 @@ cleanup_exit(int i) + } } } + is_privsep_child = use_privsep && pmonitor != NULL && pmonitor->m_pid == 0; @@ -2292,10 +2281,10 @@ Index: openssh-8.4p1/sshd.c audit_event(the_active_state, SSH_CONNECTION_ABANDON); #endif _exit(i); -Index: openssh-8.4p1/sshkey.c +Index: openssh-8.8p1/sshkey.c =================================================================== ---- openssh-8.4p1.orig/sshkey.c -+++ openssh-8.4p1/sshkey.c +--- openssh-8.8p1.orig/sshkey.c ++++ openssh-8.8p1/sshkey.c @@ -371,6 +371,38 @@ sshkey_type_is_valid_ca(int type) } @@ -2335,11 +2324,11 @@ Index: openssh-8.4p1/sshkey.c sshkey_is_cert(const struct sshkey *k) { if (k == NULL) -Index: openssh-8.4p1/sshkey.h +Index: openssh-8.8p1/sshkey.h =================================================================== ---- openssh-8.4p1.orig/sshkey.h -+++ openssh-8.4p1/sshkey.h -@@ -187,6 +187,7 @@ int sshkey_shield_private(struct sshke +--- openssh-8.8p1.orig/sshkey.h ++++ openssh-8.8p1/sshkey.h +@@ -189,6 +189,7 @@ int sshkey_shield_private(struct sshke int sshkey_unshield_private(struct sshkey *); int sshkey_type_from_name(const char *); diff --git a/openssh-8.1p1-seccomp-clock_gettime64.patch b/openssh-8.1p1-seccomp-clock_gettime64.patch index d809ca0..25b96fc 100644 --- a/openssh-8.1p1-seccomp-clock_gettime64.patch +++ b/openssh-8.1p1-seccomp-clock_gettime64.patch 
@@ -9,11 +9,11 @@ upcoming glibc ( 2.31 ) sandbox-seccomp-filter.c | 3 +++ 1 file changed, 3 insertions(+) -diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c -index 3ef30c9d5..999c46c9f 100644 ---- a/sandbox-seccomp-filter.c -+++ b/sandbox-seccomp-filter.c -@@ -248,6 +248,9 @@ static const struct sock_filter preauth_insns[] = { +Index: openssh-8.8p1/sandbox-seccomp-filter.c +=================================================================== +--- openssh-8.8p1.orig/sandbox-seccomp-filter.c ++++ openssh-8.8p1/sandbox-seccomp-filter.c +@@ -279,6 +279,9 @@ static const struct sock_filter preauth_ #ifdef __NR_clock_nanosleep_time64 SC_ALLOW(__NR_clock_nanosleep_time64), #endif diff --git a/openssh-8.1p1-seccomp-clock_nanosleep.patch b/openssh-8.1p1-seccomp-clock_nanosleep.patch index 805b26c..099225d 100644 --- a/openssh-8.1p1-seccomp-clock_nanosleep.patch +++ b/openssh-8.1p1-seccomp-clock_nanosleep.patch @@ -1,8 +1,8 @@ -diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c -index c1e689e..74f69bc 100644 ---- a/sandbox-seccomp-filter.c -+++ b/sandbox-seccomp-filter.c -@@ -264,6 +264,9 @@ static const struct sock_filter preauth_insns[] = { +Index: openssh-8.8p1/sandbox-seccomp-filter.c +=================================================================== +--- openssh-8.8p1.orig/sandbox-seccomp-filter.c ++++ openssh-8.8p1/sandbox-seccomp-filter.c +@@ -273,6 +273,9 @@ static const struct sock_filter preauth_ #ifdef __NR_clock_gettime64 SC_ALLOW(__NR_clock_gettime64), #endif diff --git a/openssh-8.1p1-seccomp-clock_nanosleep_time64.patch b/openssh-8.1p1-seccomp-clock_nanosleep_time64.patch index 558883b..0f3c774 100644 --- a/openssh-8.1p1-seccomp-clock_nanosleep_time64.patch +++ b/openssh-8.1p1-seccomp-clock_nanosleep_time64.patch 
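Review bot: The rebased pre-image context suggests that the 8.8p1 preauth filter already allows the very syscalls these three patches exist to add: the clock_gettime64 hunk's context lists `__NR_clock_nanosleep_time64`, the clock_nanosleep hunk's context (same physical line) lists `__NR_clock_gettime64`, and the clock_nanosleep_time64 hunk's context on the following line lists `__NR_clock_nanosleep`. The lines each patch inserts fall outside the rebased hunks, so this is inferred from the patch names; if they do insert those same entries, each becomes a duplicate `SC_ALLOW()` rule that only lengthens the BPF program and could be dropped instead of rebased. One check against the 8.8p1 pre-image would settle whether any of the three still changes the policy.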
@@ -8,11 +8,11 @@ Needed on Linux ARM. bz#3100, patch from jjelen@redhat.com. sandbox-seccomp-filter.c | 3 +++ 1 file changed, 3 insertions(+) -Index: openssh-8.1p1/sandbox-seccomp-filter.c +Index: openssh-8.8p1/sandbox-seccomp-filter.c =================================================================== ---- openssh-8.1p1.orig/sandbox-seccomp-filter.c -+++ openssh-8.1p1/sandbox-seccomp-filter.c -@@ -251,6 +251,9 @@ static const struct sock_filter preauth_ +--- openssh-8.8p1.orig/sandbox-seccomp-filter.c ++++ openssh-8.8p1/sandbox-seccomp-filter.c +@@ -276,6 +276,9 @@ static const struct sock_filter preauth_ #ifdef __NR_clock_nanosleep SC_ALLOW(__NR_clock_nanosleep), #endif diff --git a/openssh-8.1p1-use-openssl-kdf.patch b/openssh-8.1p1-use-openssl-kdf.patch index ff1c09c..51326da 100644 --- a/openssh-8.1p1-use-openssl-kdf.patch +++ b/openssh-8.1p1-use-openssl-kdf.patch @@ -1,8 +1,8 @@ -diff --git a/kex.c b/kex.c -index 96e44a5..7cd37d6 100644 ---- a/kex.c -+++ b/kex.c -@@ -38,6 +38,7 @@ +Index: openssh-8.8p1/kex.c +=================================================================== +--- openssh-8.8p1.orig/kex.c ++++ openssh-8.8p1/kex.c +@@ -40,6 +40,7 @@ #ifdef WITH_OPENSSL #include #include @@ -10,7 +10,7 @@ index 96e44a5..7cd37d6 100644 #endif #include "ssh.h" -@@ -1109,8 +1110,92 @@ kex_choose_conf(struct ssh *ssh) +@@ -1115,8 +1116,93 @@ kex_choose_conf(struct ssh *ssh) return r; } @@ -69,7 +69,8 @@ index 96e44a5..7cd37d6 100644 + || EVP_KDF_ctrl (hashctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, + hash, (size_t) hashlen) != 1 + || EVP_KDF_ctrl (hashctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, -+ kex->session_id, (size_t) kex->session_id_len) != 1) ++ sshbuf_ptr(kex->session_id), ++ (size_t) sshbuf_len(kex->session_id)) != 1) + goto out; + + digest = calloc (1, need); 
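Review bot: The `(size_t)` cast on the new `sshbuf_len(kex->session_id)` argument is redundant, since sshbuf_len() already returns size_t; the two lines can read `sshbuf_ptr(kex->session_id), sshbuf_len(kex->session_id)) != 1)`. More relevant is that sshbuf_ptr()/sshbuf_len() yield (NULL, 0) for a NULL or failed-sanity buffer, so unlike the old `kex->session_id`/`session_id_len` pair this would hand the SSHKDF an empty session ID and derive keys rather than fail; the caller presumably guarantees a populated session_id before the first derivation, and a comment such as `/* kex->session_id is expected to be non-empty here; the key-derivation caller checks it */` would record that assumption. The enclosing function starts and ends outside this hunk.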
@@ -104,7 +105,7 @@ index 96e44a5..7cd37d6 100644 const struct sshbuf *shared_secret, u_char **keyp) { struct kex *kex = ssh->kex; -@@ -1174,6 +1259,50 @@ derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen, +@@ -1179,6 +1265,50 @@ derive_key(struct ssh *ssh, int id, u_in return r; } diff --git a/openssh-8.4p1-vendordir.patch b/openssh-8.4p1-vendordir.patch index 9566a96..1bd12bd 100644 --- a/openssh-8.4p1-vendordir.patch +++ b/openssh-8.4p1-vendordir.patch 
@@ -1,52 +1,31 @@ Gemeinsame Unterverzeichnisse: openssh-8.4p1/contrib und openssh-8.4p1-vendor/contrib. -diff -u openssh-8.4p1/dh.c openssh-8.4p1-vendor/dh.c ---- openssh-8.4p1/dh.c 2020-09-27 09:25:01.000000000 +0200 -+++ openssh-8.4p1-vendor/dh.c 2021-01-29 11:49:40.968418136 +0100 -@@ -151,10 +151,18 @@ - size_t linesize = 0; - int best, bestcount, which, linenum; - struct dhgroup dhg; -+ char *dh_moduli_path; -+ struct stat st; +Index: openssh-8.8p1/dh.c +=================================================================== +--- openssh-8.8p1.orig/dh.c ++++ openssh-8.8p1/dh.c +@@ -54,7 +54,17 @@ void dh_set_moduli_file(const char *file -- if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL) { + static const char * get_moduli_filename(void) + { +- return moduli_filename ? moduli_filename : _PATH_DH_MODULI; ++ struct stat st; ++ ++ if (moduli_filename) ++ return moduli_filename; ++ + if (stat(_PATH_VENDOR_DH_MODULI, &st) == 0 && + stat(_PATH_DH_MODULI, &st) == -1) { -+ dh_moduli_path = _PATH_VENDOR_DH_MODULI; -+ } else { -+ dh_moduli_path = _PATH_DH_MODULI; ++ return _PATH_VENDOR_DH_MODULI; + } -+ if ((f = fopen(dh_moduli_path, "r")) == NULL) { - logit("WARNING: could not open %s (%s), using fixed modulus", -- _PATH_DH_MODULI, strerror(errno)); -+ dh_moduli_path, strerror(errno)); - return (dh_new_group_fallback(max)); - } ++ ++ return _PATH_DH_MODULI; + } -@@ -185,7 +193,7 @@ - - if (bestcount == 0) { - fclose(f); -- logit("WARNING: no suitable primes in %s", _PATH_DH_MODULI); -+ logit("WARNING: no suitable primes in %s", dh_moduli_path); - return (dh_new_group_fallback(max)); - } - which = arc4random_uniform(bestcount); -@@ -210,7 +218,7 @@ - fclose(f); - if (bestcount != which + 1) { - logit("WARNING: selected prime disappeared in %s, giving up", -- _PATH_DH_MODULI); -+ dh_moduli_path); - return (dh_new_group_fallback(max)); - } - -Gemeinsame Unterverzeichnisse: openssh-8.4p1/.github und openssh-8.4p1-vendor/.github. 
-Gemeinsame Unterverzeichnisse: openssh-8.4p1/m4 und openssh-8.4p1-vendor/m4. -Gemeinsame Unterverzeichnisse: openssh-8.4p1/openbsd-compat und openssh-8.4p1-vendor/openbsd-compat. -diff -u openssh-8.4p1/pathnames.h openssh-8.4p1-vendor/pathnames.h ---- openssh-8.4p1/pathnames.h 2020-09-27 09:25:01.000000000 +0200 -+++ openssh-8.4p1-vendor/pathnames.h 2021-01-29 11:35:41.655599046 +0100 + static int +Index: openssh-8.8p1/pathnames.h +=================================================================== +--- openssh-8.8p1.orig/pathnames.h ++++ openssh-8.8p1/pathnames.h @@ -18,6 +18,8 @@ #define SSHDIR ETCDIR "/ssh" #endif @@ -74,11 +53,11 @@ diff -u openssh-8.4p1/pathnames.h openssh-8.4p1-vendor/pathnames.h #ifndef _PATH_SSH_PROGRAM #define _PATH_SSH_PROGRAM "/usr/bin/ssh" -Gemeinsame Unterverzeichnisse: openssh-8.4p1/regress und openssh-8.4p1-vendor/regress. -diff -u openssh-8.4p1/ssh.c openssh-8.4p1-vendor/ssh.c ---- openssh-8.4p1/ssh.c 2020-09-27 09:25:01.000000000 +0200 -+++ openssh-8.4p1-vendor/ssh.c 2021-01-27 18:22:52.322271681 +0100 -@@ -593,6 +593,7 @@ +Index: openssh-8.8p1/ssh.c +=================================================================== +--- openssh-8.8p1.orig/ssh.c ++++ openssh-8.8p1/ssh.c +@@ -549,6 +549,7 @@ static void process_config_files(const char *host_name, struct passwd *pw, int final_pass, int *want_final_pass) { @@ -86,7 +65,7 @@ diff -u openssh-8.4p1/ssh.c openssh-8.4p1-vendor/ssh.c char buf[PATH_MAX]; int r; -@@ -611,10 +612,23 @@ +@@ -567,10 +568,23 @@ process_config_files(const char *host_na &options, SSHCONF_CHECKPERM | SSHCONF_USERCONF | (final_pass ? SSHCONF_FINAL : 0), want_final_pass); 
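Review bot: In the new `get_moduli_filename()`, `stat(_PATH_DH_MODULI, &st) == -1` treats every failure as "file absent", so an EACCES or ELOOP on the system moduli file silently diverts group-exchange to the vendor moduli instead of surfacing the broken configuration; restricting the fallback to `stat(_PATH_DH_MODULI, &st) == -1 && errno == ENOENT` keeps the later "could not open" warning for the other cases (dh.c already consults errno for that warning). There is also a small stat()/open() window between this choice and the fopen() that consumes the path, which is outside the hunk; with both files in root-owned directories that is acceptable, but a comment stating the precedence (explicitly configured `moduli_filename`, then the system file, then the vendor file only when the system file does not exist) would help the next rebase. The same any-error-means-absent check appears in this patch's ssh-keysign.c hunk further down.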
@@ -114,11 +93,11 @@ diff -u openssh-8.4p1/ssh.c openssh-8.4p1-vendor/ssh.c } } -Nur in openssh-8.4p1-vendor: #ssh_config.5#. -diff -u openssh-8.4p1/ssh_config.5 openssh-8.4p1-vendor/ssh_config.5 ---- openssh-8.4p1/ssh_config.5 2020-09-27 09:25:01.000000000 +0200 -+++ openssh-8.4p1-vendor/ssh_config.5 2021-02-24 12:02:53.935729753 +0100 -@@ -54,6 +54,9 @@ +Index: openssh-8.8p1/ssh_config.5 +=================================================================== +--- openssh-8.8p1.orig/ssh_config.5 ++++ openssh-8.8p1/ssh_config.5 +@@ -54,6 +54,9 @@ user's configuration file .It system-wide configuration file .Pq Pa /etc/ssh/ssh_config @@ -128,7 +107,7 @@ diff -u openssh-8.4p1/ssh_config.5 openssh-8.4p1-vendor/ssh_config.5 .El .Pp For each parameter, the first obtained value -@@ -1942,6 +1945,11 @@ +@@ -2212,6 +2215,11 @@ This file provides defaults for those values that are not specified in the user's configuration file, and for those users who do not have a configuration file. This file must be world-readable. @@ -140,11 +119,11 @@ diff -u openssh-8.4p1/ssh_config.5 openssh-8.4p1-vendor/ssh_config.5 .El .Sh SEE ALSO .Xr ssh 1 -Nur in openssh-8.4p1-vendor: ssh_config.5~. -diff -u openssh-8.4p1/sshd.c openssh-8.4p1-vendor/sshd.c ---- openssh-8.4p1/sshd.c 2020-09-27 09:25:01.000000000 +0200 -+++ openssh-8.4p1-vendor/sshd.c 2021-01-27 18:25:38.370273280 +0100 -@@ -136,7 +136,7 @@ +Index: openssh-8.8p1/sshd.c +=================================================================== +--- openssh-8.8p1.orig/sshd.c ++++ openssh-8.8p1/sshd.c +@@ -145,7 +145,7 @@ extern char *__progname; ServerOptions options; /* Name of the server configuration file. */ @@ -153,7 +132,7 @@ diff -u openssh-8.4p1/sshd.c openssh-8.4p1-vendor/sshd.c /* * Debug mode flag. This can be set on the command line. If debug -@@ -1526,6 +1526,7 @@ +@@ -1594,6 +1594,7 @@ prepare_proctitle(int ac, char **av) int main(int ac, char **av) { 
@@ -161,7 +140,7 @@ diff -u openssh-8.4p1/sshd.c openssh-8.4p1-vendor/sshd.c struct ssh *ssh = NULL; extern char *optarg; extern int optind; -@@ -1737,7 +1738,21 @@ +@@ -1809,7 +1810,21 @@ main(int ac, char **av) */ (void)atomicio(vwrite, startup_pipe, "\0", 1); } @@ -183,9 +162,10 @@ diff -u openssh-8.4p1/sshd.c openssh-8.4p1-vendor/sshd.c load_server_config(config_file_name, cfg); parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, -diff -u openssh-8.4p1/sshd_config.5 openssh-8.4p1-vendor/sshd_config.5 ---- openssh-8.4p1/sshd_config.5 2020-09-27 09:25:01.000000000 +0200 -+++ openssh-8.4p1-vendor/sshd_config.5 2021-02-24 14:14:27.912038335 +0100 +Index: openssh-8.8p1/sshd_config.5 +=================================================================== +--- openssh-8.8p1.orig/sshd_config.5 ++++ openssh-8.8p1/sshd_config.5 @@ -44,7 +44,9 @@ .Xr sshd 8 reads configuration data from @@ -197,11 +177,11 @@ diff -u openssh-8.4p1/sshd_config.5 openssh-8.4p1-vendor/sshd_config.5 .Fl f on the command line). The file contains keyword-argument pairs, one per line. -Nur in openssh-8.4p1-vendor: sshd_config.5~. -diff -u openssh-8.4p1/ssh-keysign.c openssh-8.4p1-vendor/ssh-keysign.c ---- openssh-8.4p1/ssh-keysign.c 2020-09-27 09:25:01.000000000 +0200 -+++ openssh-8.4p1-vendor/ssh-keysign.c 2021-02-24 11:34:17.684570215 +0100 -@@ -172,6 +172,7 @@ +Index: openssh-8.8p1/ssh-keysign.c +=================================================================== +--- openssh-8.8p1.orig/ssh-keysign.c ++++ openssh-8.8p1/ssh-keysign.c +@@ -172,6 +172,7 @@ main(int argc, char **argv) u_char *signature, *data, rver; char *host, *fp; size_t slen, dlen; 
@@ -209,19 +189,20 @@ diff -u openssh-8.4p1/ssh-keysign.c openssh-8.4p1-vendor/ssh-keysign.c if (pledge("stdio rpath getpw dns id", NULL) != 0) fatal("%s: pledge: %s", __progname, strerror(errno)); -@@ -205,8 +206,12 @@ +@@ -205,8 +206,14 @@ main(int argc, char **argv) /* verify that ssh-keysign is enabled by the admin */ initialize_options(&options); - (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "", - &options, 0, NULL); ++ + if (stat(_PATH_HOST_CONFIG_FILE, &st) == 0) + (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "", + &options, 0, NULL); + else -+ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE, pw, -+ "", "", &options, 0, NULL); - fill_default_options(&options); ++ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE, pw, "", "", ++ &options, 0, NULL); ++ + (void)fill_default_options(&options); if (options.enable_ssh_keysign != 1) fatal("ssh-keysign not enabled in %s", -Nur in openssh-8.4p1-vendor: ssh-keysign.c~. diff --git a/openssh-8.4p1.tar.gz b/openssh-8.4p1.tar.gz deleted file mode 100644 index 40e43fe..0000000 --- a/openssh-8.4p1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24 -size 1742201 diff --git a/openssh-8.4p1.tar.gz.asc b/openssh-8.4p1.tar.gz.asc deleted file mode 100644 index 1f83b75..0000000 --- a/openssh-8.4p1.tar.gz.asc +++ /dev/null 
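Review bot: The fatal() that follows the new stat() branch still takes its file name from a line outside the hunk; if that is still `_PATH_HOST_CONFIG_FILE`, the message "ssh-keysign not enabled in %s" names a file that was never read whenever the vendor config was the one consulted. Keeping the chosen path in a local, e.g. `const char *cfg = stat(_PATH_HOST_CONFIG_FILE, &st) == 0 ? _PATH_HOST_CONFIG_FILE : _PATH_HOST_VENDOR_CONFIG_FILE;`, and passing `cfg` to both read_config_file() and fatal() fixes the message and removes the duplicated call. As in the dh.c hunk of this patch, `stat() != 0` here covers any error, not only ENOENT. main() starts and ends outside this hunk.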
@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAl9wQnwACgkQ0+X1a22S
-DTAR6wyAjRcvW7Jg9v73AR7TUO4WAD085sYi4ZLsECMZqhVZUBVv0Ofmcz2ISg3I
-NU1nr9Kiqf1/i05OUIR64kJEd4wTSwv+4HhyP5MPJqyCkKcFJ9TyRy6pASZtyH6D
-hKezJ79iGUg1U46bI6yyxchcAKrz0if97fKd0/1h5yE7T5lcbo+zQPsAg9dDXHBJ
-nL5mpBQXU3xbU8bC+E+vZ7VAyxEm6kzuY7MRW2wOhpPQ5DJgEjAUjtvzvd9SJhKl
-u/hgKXqIJBQB1pHlAFI1knfTrGUGrzob8QphukrvmbMJC3dO/o3Dplvx6lZkes0c
-6hP66rhTRp5Tmw9ae3iUmoDf6SyStlo/4QomCuw0NxHrSOng16VjCR+NRWHvZbXC
-JckIqparyOJ2jtHz0+e52sRZCZKauFBDMZboNj7f+htwQRUFOVfeSecpJiYut4bM
-YALdayOQwL96J6aMdoMKfMGZUevCPN6OM96E6cMC1fmanBenZQ/vatmskIvvvO/P
-rwECYTpGVRezhAvXMEy9x+EVdV6ctA==
-=PW3D
------END PGP SIGNATURE-----
diff --git a/openssh-8.8p1.tar.gz b/openssh-8.8p1.tar.gz
new file mode 100644
index 0000000..16197ac
--- /dev/null
+++ b/openssh-8.8p1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4590890ea9bb9ace4f71ae331785a3a5823232435161960ed5fc86588f331fe9
+size 1815060
diff --git a/openssh-8.8p1.tar.gz.asc b/openssh-8.8p1.tar.gz.asc
new file mode 100644
index 0000000..18f5024
--- /dev/null
+++ b/openssh-8.8p1.tar.gz.asc
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmFQfp8ACgkQKj9BTnNg +YLq2SQ/8C3iOHTkyqX82FYt0SKkybebe9b2iBPr91HQOUmx+U3I+vgrSWArXabWJ +uSu0b685RQKlcr7UjEtPk6g0cm45NoJFjju9ljvnOFfZw73V3a5qX15Lx4xRnkRx +v1LJn6Yh12PKLWL4/A1qPQnfAObVwq/BF0BR01FfXLAOt5+lFwYvg79HpE+69b0r +KtcIEpsyTEn2lSKSWD7q4lpe6Z/iR+XzBKfnB6JJXhKyHiDV63hlAJk9Pt3mIvS6 +tnE9/7GDawvi+Tsl018kw3wsf6aHVSQ+O+vzcDgfy0vDJVGjD6Ec9it9FvikXJh6 +3pSTBYuUJdt+CAQYvmEui73v4nrkfouHXsxqgzEDZaTwIZC4wPrvNYxUaIyirWlc +l4/YSnxSxSiYbvPa5eYRBvXvoWbnQXjPOkuhjETxz/KTcHirQpWE9eldi0jHcKUa +FVu9YqMPAjIUd1Jj4vC5bgH7v5cLeEMm/AetMvKsJs+rhY9NZaKpiqOqU2m6Geb+ +sQSXHNTeA8uOlrHim4SmYHtmfglVbH5lIroiUqtRzjbOhMhqUb+yN9+aAxe0bwmN +VcFMSThlbmYokb9bkQryY2I/FfXb997vxgF6v15Z8d9e8HH2zc2Irj1HYXG4Bf3o +WCiSvd8+Tr/FxS2Gn8qj/vgSPWXT0d0Hy4zHW9JeT/jn3RtIYhU= +=EnoG +-----END PGP SIGNATURE----- diff --git a/openssh-askpass-gnome.changes b/openssh-askpass-gnome.changes index 9109aa5..bf7054e 100644 --- a/openssh-askpass-gnome.changes +++ b/openssh-askpass-gnome.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Tue Sep 28 19:05:15 UTC 2021 - Hans Petter Jansson + +- Version upgrade to 8.8p1 + * No changes for askpass, see main package changelog for + details + ------------------------------------------------------------------- Thu Sep 17 20:41:39 UTC 2020 - Jan Engelhardt diff --git a/openssh-askpass-gnome.spec b/openssh-askpass-gnome.spec index 351edc1..4dabf18 100644 --- a/openssh-askpass-gnome.spec +++ b/openssh-askpass-gnome.spec @@ -18,7 +18,7 @@ %define _name openssh Name: openssh-askpass-gnome -Version: 8.4p1 +Version: 8.8p1 Release: 0 Summary: A GNOME-Based Passphrase Dialog for OpenSSH License: BSD-2-Clause diff --git a/openssh-fips-ensure-approved-moduli.patch b/openssh-fips-ensure-approved-moduli.patch index 3bbdf89..b51c1c2 100644 --- a/openssh-fips-ensure-approved-moduli.patch +++ b/openssh-fips-ensure-approved-moduli.patch 
@@ -4,11 +4,11 @@ Date: Mon Oct 26 22:26:46 2020 +0100 Ensure DHGs are approved in FIPS mode using OpenSSL's DH_check_params() -diff --git a/dh.c b/dh.c -index 7cb135d..3fe7f75 100644 ---- a/dh.c -+++ b/dh.c -@@ -143,6 +143,28 @@ parse_prime(int linenum, char *line, struct dhgroup *dhg) +Index: openssh-8.8p1/dh.c +=================================================================== +--- openssh-8.8p1.orig/dh.c ++++ openssh-8.8p1/dh.c +@@ -155,6 +155,28 @@ parse_prime(int linenum, char *line, str return 0; } @@ -37,7 +37,7 @@ index 7cb135d..3fe7f75 100644 DH * choose_dh(int min, int wantbits, int max) { -@@ -161,12 +183,20 @@ choose_dh(int min, int wantbits, int max) +@@ -173,12 +195,20 @@ choose_dh(int min, int wantbits, int max linenum = 0; best = bestcount = 0; while (getline(&line, &linesize, f) != -1) { @@ -58,7 +58,7 @@ index 7cb135d..3fe7f75 100644 if (dhg.size > max || dhg.size < min) continue; -@@ -193,10 +223,16 @@ choose_dh(int min, int wantbits, int max) +@@ -206,10 +236,16 @@ choose_dh(int min, int wantbits, int max linenum = 0; bestcount = 0; while (getline(&line, &linesize, f) != -1) { diff --git a/openssh-fix-ssh-copy-id.patch b/openssh-fix-ssh-copy-id.patch deleted file mode 100644 index 3c63ce1..0000000 --- a/openssh-fix-ssh-copy-id.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From 66f16e5425eb881570e82bfef7baeac2e7accc0a Mon Sep 17 00:00:00 2001 -From: Oleg -Date: Thu, 1 Oct 2020 12:09:08 +0300 -Subject: [PATCH] Fix `EOF: command not found` error in ssh-copy-id - ---- - contrib/ssh-copy-id | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id -index 392f64f94..a76907717 100644 ---- a/contrib/ssh-copy-id -+++ b/contrib/ssh-copy-id -@@ -247,7 +247,7 @@ installkeys_sh() { - # the -z `tail ...` checks for a trailing newline. The echo adds one if was missing - # the cat adds the keys we're getting via STDIN - # and if available restorecon is used to restore the SELinux context -- INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF) -+ INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF - cd; - umask 077; - mkdir -p $(dirname "${AUTH_KEY_FILE}") && -@@ -258,6 +258,7 @@ installkeys_sh() { - restorecon -F .ssh ${AUTH_KEY_FILE}; - fi - EOF -+ ) - - # to defend against quirky remote shells: use 'exec sh -c' to get POSIX; - printf "exec sh -c '%s'" "${INSTALLKEYS_SH}" diff --git a/openssh-link-with-sk.patch b/openssh-link-with-sk.patch index 6a3ba10..dd1bb6d 100644 --- a/openssh-link-with-sk.patch +++ b/openssh-link-with-sk.patch 
@@ -1,15 +1,15 @@ -diff --git a/Makefile.in b/Makefile.in -index 6dec09c..25e74ac 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -251,8 +251,8 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) +Index: openssh-8.8p1/Makefile.in +=================================================================== +--- openssh-8.8p1.orig/Makefile.in ++++ openssh-8.8p1/Makefile.in +@@ -252,8 +252,8 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libss ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) -sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS) -- $(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) +- $(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) +sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o $(SFTPSERVER_OBJS) -+ $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) ++ $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS) $(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) diff --git a/openssh-reenable-dh-group14-sha1-default.patch b/openssh-reenable-dh-group14-sha1-default.patch index 8a70958..76b5f94 100644 --- a/openssh-reenable-dh-group14-sha1-default.patch +++ b/openssh-reenable-dh-group14-sha1-default.patch @@ -1,7 +1,7 @@ -diff --git a/myproposal.h b/myproposal.h -index 5312e60..83fd62d 100644 ---- a/myproposal.h -+++ b/myproposal.h +Index: openssh-8.8p1/myproposal.h +=================================================================== +--- openssh-8.8p1.orig/myproposal.h ++++ openssh-8.8p1/myproposal.h @@ -33,7 +33,8 @@ "diffie-hellman-group-exchange-sha256," \ "diffie-hellman-group16-sha512," \ 
@@ -12,11 +12,11 @@ index 5312e60..83fd62d 100644 #define KEX_CLIENT_KEX KEX_SERVER_KEX -diff --git a/ssh_config.5 b/ssh_config.5 -index d5888f2..100563e 100644 ---- a/ssh_config.5 -+++ b/ssh_config.5 -@@ -1170,7 +1170,8 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, +Index: openssh-8.8p1/ssh_config.5 +=================================================================== +--- openssh-8.8p1.orig/ssh_config.5 ++++ openssh-8.8p1/ssh_config.5 +@@ -1227,7 +1227,8 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, @@ -26,11 +26,11 @@ index d5888f2..100563e 100644 .Ed .Pp The list of available key exchange algorithms may also be obtained using -diff --git a/sshd_config.5 b/sshd_config.5 -index 0f5fe53..97364f5 100644 ---- a/sshd_config.5 -+++ b/sshd_config.5 -@@ -986,7 +986,7 @@ curve25519-sha256,curve25519-sha256@libssh.org, +Index: openssh-8.8p1/sshd_config.5 +=================================================================== +--- openssh-8.8p1.orig/sshd_config.5 ++++ openssh-8.8p1/sshd_config.5 +@@ -997,7 +997,7 @@ curve25519-sha256,curve25519-sha256@libs ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, diff --git a/openssh-whitelist-syscalls.patch b/openssh-whitelist-syscalls.patch index d612867..dcb25bd 100644 --- a/openssh-whitelist-syscalls.patch +++ b/openssh-whitelist-syscalls.patch @@ -1,6 +1,8 @@ ---- a/sandbox-seccomp-filter.c -+++ b/sandbox-seccomp-filter.c -@@ -195,6 +195,9 @@ +Index: openssh-8.8p1/sandbox-seccomp-filter.c +=================================================================== +--- openssh-8.8p1.orig/sandbox-seccomp-filter.c ++++ openssh-8.8p1/sandbox-seccomp-filter.c +@@ -201,6 +201,9 @@ static const struct sock_filter preauth_ #ifdef __NR_close SC_ALLOW(__NR_close), #endif 
@@ -10,9 +12,9 @@ #ifdef __NR_exit SC_ALLOW(__NR_exit), #endif -@@ -204,6 +207,9 @@ - #ifdef __NR_futex - SC_ALLOW(__NR_futex), +@@ -213,6 +216,9 @@ static const struct sock_filter preauth_ + #ifdef __NR_futex_time64 + SC_ALLOW(__NR_futex_time64), #endif +#ifdef __NR_futex_time64 + SC_ALLOW(__NR_futex_time64), @@ -20,13 +22,13 @@ #ifdef __NR_geteuid SC_ALLOW(__NR_geteuid), #endif -@@ -282,6 +288,9 @@ - #ifdef __NR_pselect6 - SC_ALLOW(__NR_pselect6), +@@ -293,6 +299,9 @@ static const struct sock_filter preauth_ #endif + #ifdef __NR_pselect6_time64 + SC_ALLOW(__NR_pselect6_time64), ++#endif +#ifdef __NR_pselect6_time64 + SC_ALLOW(__NR_pselect6_time64), -+#endif + #endif #ifdef __NR_read SC_ALLOW(__NR_read), - #endif diff --git a/openssh.changes b/openssh.changes index 9f24a62..0fee4bd 100644 --- a/openssh.changes +++ b/openssh.changes 
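Review bot: The rebased hunk now adds `#ifdef __NR_futex_time64` / `SC_ALLOW(__NR_futex_time64),` / `#endif` directly below an identical block that is already in the 8.8p1 pre-image (the context lines immediately above the added ones), and the next hunk does the same for `__NR_pselect6_time64`. Duplicate `SC_ALLOW()` entries do not change the policy, but they add dead BPF instructions and hide the fact that upstream has absorbed this part of the patch; both blocks should be dropped from the rebased patch. The entry added after `__NR_close` in the first hunk is not visible here and deserves the same check before the patch is kept at all.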
@@ -1,3 +1,362 @@ +------------------------------------------------------------------- +Tue Sep 28 17:50:57 UTC 2021 - Hans Petter Jansson + +- Version update to 8.8p1: + = Security + * sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise + supplemental groups when executing an AuthorizedKeysCommand or + AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or + AuthorizedPrincipalsCommandUser directive has been set to run the + command as a different user. Instead these commands would inherit + the groups that sshd(8) was started with. + + Depending on system configuration, inherited groups may allow + AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to + gain unintended privilege. + + Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are + enabled by default in sshd_config(5). + + = Potentially-incompatible changes + * This release disables RSA signatures using the SHA-1 hash algorithm + by default. This change has been made as the SHA-1 hash algorithm is + cryptographically broken, and it is possible to create chosen-prefix + hash collisions for argv conversion. Multiple + backslashes were not being dequoted correctly and quoted space in + the middle of a string was being incorrectly split. GHPR223 + * ssh(1): return non-zero exit status when killed by signal; bz#3281 + * sftp-server(8): increase maximum SSH2_FXP_READ to match the maximum + packet size. Also handle zero-length reads that are not explicitly + banned by the spec. + +- Additional changes from 8.5p1 release: + = Security + * ssh-agent(1): fixed a double-free memory corruption that was + introduced in OpenSSH 8.2 . We treat all such memory faults as + potentially exploitable. This bug could be reached by an attacker + with access to the agent socket. + + = Potentially-incompatible changes + * ssh(1), sshd(8): this release changes the first-preference signature + algorithm from ECDSA to ED25519. 
+ * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration + for interactive use prior to TCP connect. The connection phase of + the SSH session is time-sensitive and often explicitly interactive. + The ultimate interactive/bulk TOS/DSCP will be set after + authentication completes. + * ssh(1), sshd(8): remove the pre-standardization cipher + rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before + it was standardized in RFC4253 (2006), has been deprecated and + disabled by default since OpenSSH 7.2 (2016) and was only briefly + documented in ssh.1 in 2001. + * ssh(1), sshd(8): update/replace the experimental post-quantum + hybrid key exchange method based on Streamlined NTRU Prime coupled + with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org + method is replaced with sntrup761x25519-sha512@openssh.com. + * ssh(1): disable CheckHostIP by default. It provides insignificant + benefits while making key rotation significantly more difficult, + especially for hosts behind IP-based load-balancers. + + = New features + * ssh(1): this release enables UpdateHostkeys by default subject to + some conservative preconditions: + - The key was matched in the UserKnownHostsFile (and not in the + GlobalKnownHostsFile). + - The same key does not exist under another name. + - A certificate host key is not in use. + - known_hosts contains no matching wildcard hostname pattern. + - VerifyHostKeyDNS is not enabled. + - The default UserKnownHostsFile is in use. + * ssh(1), sshd(8): add a new LogVerbose configuration directive for + that allows forcing maximum debug logging by file/function/line + pattern-lists. + * ssh(1): when prompting the user to accept a new hostkey, display + any other host names/addresses already associated with the key. + * ssh(1): allow UserKnownHostsFile=none to indicate that no + known_hosts file should be used to identify host keys. 
+ * ssh(1): add a ssh_config KnownHostsCommand option that allows the + client to obtain known_hosts data from a command in addition to + the usual files. + * ssh(1): add a ssh_config PermitRemoteOpen option that allows the + client to restrict the destination when RemoteForward is used + with SOCKS. + * ssh(1): for FIDO keys, if a signature operation fails with a + "incorrect PIN" reason and no PIN was initially requested from the + user, then request a PIN and retry the operation. This supports + some biometric devices that fall back to requiring PIN when reading + of the biometric failed, and devices that require PINs for all + hosted credentials. + * sshd(8): implement client address-based rate-limiting via new + sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize + directives that provide more fine-grained control on a per-origin + address basis than the global MaxStartups limit. + + = Bugfixes + * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to + make it easier to determine which connection they are associated + with in cases like scp -3, ProxyJump, etc. bz#3224 + * sshd(8): fix sshd_config SetEnv directives located inside Match + blocks. GHPR201 + * ssh(1): when requesting a FIDO token touch on stderr, inform the + user once the touch has been recorded. + * ssh(1): prevent integer overflow when ridiculously large + ConnectTimeout values are specified, capping the effective value + (for most platforms) at 24 days. bz#3229 + * ssh(1): consider the ECDSA key subtype when ordering host key + algorithms in the client. + * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to + PubkeyAcceptedAlgorithms. The previous name incorrectly suggested + that it control allowed key algorithms, when this option actually + specifies the signature algorithms that are accepted. The previous + name remains available as an alias. 
bz#3253
+ * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and
+ HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms.
+ * sftp-server(8): add missing lsetstat@openssh.com documentation
+ and advertisement in the server's SSH2_FXP_VERSION hello packet.
+ * ssh(1), sshd(8): more strictly enforce KEX state-machine by
+ banning packet types once they are received. Fixes memleak caused
+ by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078).
+ * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit
+ platforms instead of being limited by LONG_MAX. bz#3206
+ * Minor man page fixes (capitalization, commas, etc.) bz#3223
+ * sftp(1): when doing an sftp recursive upload or download of a
+ read-only directory, ensure that the directory is created with
+ write and execute permissions in the interim so that the transfer
+ can actually complete, then set the directory permission as the
+ final step. bz#3222
+ * ssh-keygen(1): document the -Z, check the validity of its argument
+ earlier and provide a better error message if it's not correct.
+ bz#2879
+ * ssh(1): ignore comments at the end of config lines in ssh_config,
+ similar to what we already do for sshd_config. bz#2320
+ * sshd_config(5): mention that DisableForwarding is valid in a
+ sshd_config Match block. bz3239
+ * sftp(1): fix incorrect sorting of "ls -ltr" under some
+ circumstances. bz3248.
+ * ssh(1), sshd(8): fix potential integer truncation of (unlikely)
+ timeout values. bz#3250
+ * ssh(1): make hostbased authentication send the signature algorithm
+ in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type.
+ This make HostbasedAcceptedAlgorithms do what it is supposed to -
+ filter on signature algorithm and not key type.
+
+- Rebased patches:
+ * openssh-7.7p1-IPv6_X_forwarding.patch
+ * openssh-7.7p1-X11_trusted_forwarding.patch
+ * openssh-7.7p1-X_forward_with_disabled_ipv6.patch
+ * openssh-7.7p1-cavstest-ctr.patch
+ * openssh-7.7p1-cavstest-kdf.patch
+ * openssh-7.7p1-disable_openssl_abi_check.patch
+ * openssh-7.7p1-eal3.patch
+ * openssh-7.7p1-enable_PAM_by_default.patch
+ * openssh-7.7p1-fips.patch
+ * openssh-7.7p1-fips_checks.patch
+ * openssh-7.7p1-host_ident.patch
+ * openssh-7.7p1-hostname_changes_when_forwarding_X.patch
+ * openssh-7.7p1-ldap.patch
+ * openssh-7.7p1-no_fork-no_pid_file.patch
+ * openssh-7.7p1-pam_check_locks.patch
+ * openssh-7.7p1-pts_names_formatting.patch
+ * openssh-7.7p1-remove_xauth_cookies_on_exit.patch
+ * openssh-7.7p1-seccomp_ipc_flock.patch
+ * openssh-7.7p1-seccomp_stat.patch
+ * openssh-7.7p1-send_locale.patch
+ * openssh-7.7p1-sftp_force_permissions.patch
+ * openssh-7.7p1-sftp_print_diagnostic_messages.patch
+ * openssh-7.7p1-systemd-notify.patch
+ * openssh-7.9p1-keygen-preserve-perms.patch
+ * openssh-7.9p1-revert-new-qos-defaults.patch
+ * openssh-8.0p1-gssapi-keyex.patch
+ * openssh-8.1p1-audit.patch
+ * openssh-8.1p1-seccomp-clock_gettime64.patch
+ * openssh-8.1p1-seccomp-clock_nanosleep.patch
+ * openssh-8.1p1-seccomp-clock_nanosleep_time64.patch
+ * openssh-8.1p1-use-openssl-kdf.patch
+ * openssh-8.4p1-vendordir.patch
+ * openssh-fips-ensure-approved-moduli.patch
+ * openssh-link-with-sk.patch
+ * openssh-reenable-dh-group14-sha1-default.patch
+ * openssh-whitelist-syscalls.patch
+
+- Removed openssh-fix-ssh-copy-id.patch (fixed upstream).
+
 -------------------------------------------------------------------
 Thu Aug 19 10:07:10 UTC 2021 - Thorsten Kukuk
diff --git a/openssh.spec b/openssh.spec
index a8430bd..6ecf7e7 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -35,7 +35,7 @@
 %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name: openssh
-Version: 8.4p1
+Version: 8.8p1
 Release: 0
 Summary: Secure Shell Client and Server (Remote Login Program)
 License: BSD-2-Clause AND MIT
@@ -105,7 +105,6 @@ Patch40: openssh-8.1p1-ed25519-use-openssl-rng.patch
 Patch41: openssh-fips-ensure-approved-moduli.patch
 Patch42: openssh-link-with-sk.patch
 Patch43: openssh-reenable-dh-group14-sha1-default.patch
-Patch44: openssh-fix-ssh-copy-id.patch
 Patch45: openssh-8.4p1-ssh_config_d.patch
 Patch46: openssh-whitelist-syscalls.patch
 Patch47: openssh-8.4p1-vendordir.patch