Accepting request 680205 from network
OBS-URL: https://build.opensuse.org/request/show/680205 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=129
This commit is contained in:
commit
5a265c2de0
@ -1,425 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent 681914438b1a02c1940d19204138e9b8eacfda7b
|
||||
|
||||
Raise minimal size of DH group parameters to 2048 bits like upstream did in
|
||||
7.2. 1024b values are believed to be in breaking range for state adversaries
|
||||
and the default moduli shipped with openssh have been around long enough to
|
||||
make it more likely for them to be broken.
|
||||
|
||||
Also provide an option that allows the client to accept shorter (RFC4419
|
||||
compliant) parameters.
|
||||
|
||||
CVE-2015-4000 (LOGJAM)
|
||||
bsc#932483
|
||||
|
||||
Index: openssh-7.9p1/dh.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/dh.c
|
||||
+++ openssh-7.9p1/dh.c
|
||||
@@ -45,6 +45,8 @@
|
||||
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
|
||||
+int dh_grp_min = DH_GRP_MIN;
|
||||
+
|
||||
static int
|
||||
parse_prime(int linenum, char *line, struct dhgroup *dhg)
|
||||
{
|
||||
Index: openssh-7.9p1/dh.h
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/dh.h
|
||||
+++ openssh-7.9p1/dh.h
|
||||
@@ -50,6 +50,7 @@ u_int dh_estimate(int);
|
||||
* Max value from RFC4419.
|
||||
* Miniumum increased in light of DH precomputation attacks.
|
||||
*/
|
||||
+#define DH_GRP_MIN_RFC 1024
|
||||
#define DH_GRP_MIN 2048
|
||||
#define DH_GRP_MAX 8192
|
||||
|
||||
Index: openssh-7.9p1/kexgexc.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/kexgexc.c
|
||||
+++ openssh-7.9p1/kexgexc.c
|
||||
@@ -53,6 +53,9 @@
|
||||
#include "sshbuf.h"
|
||||
#include "misc.h"
|
||||
|
||||
+/* import from dh.c */
|
||||
+extern int dh_grp_min;
|
||||
+
|
||||
static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *);
|
||||
static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *);
|
||||
|
||||
@@ -65,7 +68,7 @@ kexgex_client(struct ssh *ssh)
|
||||
|
||||
nbits = dh_estimate(kex->dh_need * 8);
|
||||
|
||||
- kex->min = DH_GRP_MIN;
|
||||
+ kex->min = dh_grp_min;
|
||||
kex->max = DH_GRP_MAX;
|
||||
kex->nbits = nbits;
|
||||
if (datafellows & SSH_BUG_DHGEX_LARGE)
|
||||
@@ -111,6 +114,12 @@ input_kex_dh_gex_group(int type, u_int32
|
||||
goto out;
|
||||
if ((bits = BN_num_bits(p)) < 0 ||
|
||||
(u_int)bits < kex->min || (u_int)bits > kex->max) {
|
||||
+ if ((u_int)bits < kex->min && (u_int)bits >= DH_GRP_MIN_RFC)
|
||||
+ logit("DH parameter offered by the server (%d bits) "
|
||||
+ "is considered insecure. "
|
||||
+ "You can lower the accepted the minimum "
|
||||
+ "via the KexDHMin option.",
|
||||
+ bits);
|
||||
r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
|
||||
goto out;
|
||||
}
|
||||
Index: openssh-7.9p1/kexgexs.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/kexgexs.c
|
||||
+++ openssh-7.9p1/kexgexs.c
|
||||
@@ -56,6 +56,9 @@
|
||||
#include "sshbuf.h"
|
||||
#include "misc.h"
|
||||
|
||||
+/* import from dh.c */
|
||||
+extern int dh_grp_min;
|
||||
+
|
||||
static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *);
|
||||
static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *);
|
||||
|
||||
@@ -85,13 +88,19 @@ input_kex_dh_gex_request(int type, u_int
|
||||
kex->nbits = nbits;
|
||||
kex->min = min;
|
||||
kex->max = max;
|
||||
- min = MAXIMUM(DH_GRP_MIN, min);
|
||||
+ min = MAXIMUM(dh_grp_min, min);
|
||||
max = MINIMUM(DH_GRP_MAX, max);
|
||||
- nbits = MAXIMUM(DH_GRP_MIN, nbits);
|
||||
+ nbits = MAXIMUM(dh_grp_min, nbits);
|
||||
nbits = MINIMUM(DH_GRP_MAX, nbits);
|
||||
|
||||
if (kex->max < kex->min || kex->nbits < kex->min ||
|
||||
kex->max < kex->nbits || kex->max < DH_GRP_MIN) {
|
||||
+ if (kex->nbits < kex->min && kex->nbits >= DH_GRP_MIN_RFC)
|
||||
+ logit("DH parameter requested by the client (%d bits) "
|
||||
+ "is considered insecure. "
|
||||
+ "You can lower the accepted minimum "
|
||||
+ "via the KexDHMin option.",
|
||||
+ kex->nbits);
|
||||
r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
|
||||
goto out;
|
||||
}
|
||||
Index: openssh-7.9p1/readconf.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/readconf.c
|
||||
+++ openssh-7.9p1/readconf.c
|
||||
@@ -67,6 +67,7 @@
|
||||
#include "uidswap.h"
|
||||
#include "myproposal.h"
|
||||
#include "digest.h"
|
||||
+#include "dh.h"
|
||||
|
||||
/* Format of the configuration file:
|
||||
|
||||
@@ -167,7 +168,7 @@ typedef enum {
|
||||
oTunnel, oTunnelDevice,
|
||||
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
|
||||
oVisualHostKey,
|
||||
- oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
|
||||
+ oKexAlgorithms, oKexDHMin, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
|
||||
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
|
||||
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
|
||||
oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
|
||||
@@ -292,6 +293,7 @@ static struct {
|
||||
{ "remotecommand", oRemoteCommand },
|
||||
{ "visualhostkey", oVisualHostKey },
|
||||
{ "kexalgorithms", oKexAlgorithms },
|
||||
+ { "kexdhmin", oKexDHMin },
|
||||
{ "ipqos", oIPQoS },
|
||||
{ "requesttty", oRequestTTY },
|
||||
{ "proxyusefdpass", oProxyUseFdpass },
|
||||
@@ -313,6 +315,9 @@ static struct {
|
||||
{ NULL, oBadOption }
|
||||
};
|
||||
|
||||
+/* import from dh.c */
|
||||
+extern int dh_grp_min;
|
||||
+
|
||||
/*
|
||||
* Adds a local TCP/IP port forward to options. Never returns if there is an
|
||||
* error.
|
||||
@@ -1216,6 +1221,10 @@ parse_int:
|
||||
options->kex_algorithms = xstrdup(arg);
|
||||
break;
|
||||
|
||||
+ case oKexDHMin:
|
||||
+ intptr = &options->kex_dhmin;
|
||||
+ goto parse_int;
|
||||
+
|
||||
case oHostKeyAlgorithms:
|
||||
charptr = &options->hostkeyalgorithms;
|
||||
parse_keytypes:
|
||||
@@ -1860,6 +1869,7 @@ initialize_options(Options * options)
|
||||
options->ciphers = NULL;
|
||||
options->macs = NULL;
|
||||
options->kex_algorithms = NULL;
|
||||
+ options->kex_dhmin = -1;
|
||||
options->hostkeyalgorithms = NULL;
|
||||
options->ca_sign_algorithms = NULL;
|
||||
options->num_identity_files = 0;
|
||||
@@ -2014,6 +2024,13 @@ fill_default_options(Options * options)
|
||||
options->connection_attempts = 1;
|
||||
if (options->number_of_password_prompts == -1)
|
||||
options->number_of_password_prompts = 3;
|
||||
+ if (options->kex_dhmin == -1)
|
||||
+ options->kex_dhmin = DH_GRP_MIN;
|
||||
+ else {
|
||||
+ options->kex_dhmin = MAXIMUM(options->kex_dhmin, DH_GRP_MIN_RFC);
|
||||
+ options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
|
||||
+ }
|
||||
+ dh_grp_min = options->kex_dhmin;
|
||||
/* options->hostkeyalgorithms, default set in myproposals.h */
|
||||
if (options->add_keys_to_agent == -1)
|
||||
options->add_keys_to_agent = 0;
|
||||
Index: openssh-7.9p1/readconf.h
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/readconf.h
|
||||
+++ openssh-7.9p1/readconf.h
|
||||
@@ -68,6 +68,7 @@ typedef struct {
|
||||
char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */
|
||||
char *kex_algorithms; /* SSH2 kex methods in order of preference. */
|
||||
char *ca_sign_algorithms; /* Allowed CA signature algorithms */
|
||||
+ int kex_dhmin; /* minimum bit length of the DH group parameter */
|
||||
char *hostname; /* Real host to connect. */
|
||||
char *host_key_alias; /* hostname alias for .ssh/known_hosts */
|
||||
char *proxy_command; /* Proxy command for connecting the host. */
|
||||
Index: openssh-7.9p1/servconf.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/servconf.c
|
||||
+++ openssh-7.9p1/servconf.c
|
||||
@@ -64,6 +64,10 @@
|
||||
#include "auth.h"
|
||||
#include "myproposal.h"
|
||||
#include "digest.h"
|
||||
+#include "dh.h"
|
||||
+
|
||||
+/* import from dh.c */
|
||||
+extern int dh_grp_min;
|
||||
|
||||
static void add_listen_addr(ServerOptions *, const char *,
|
||||
const char *, int);
|
||||
@@ -146,6 +150,7 @@ initialize_server_options(ServerOptions
|
||||
options->ciphers = NULL;
|
||||
options->macs = NULL;
|
||||
options->kex_algorithms = NULL;
|
||||
+ options->kex_dhmin = -1;
|
||||
options->ca_sign_algorithms = NULL;
|
||||
options->fwd_opts.gateway_ports = -1;
|
||||
options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
|
||||
@@ -267,6 +272,14 @@ fill_default_server_options(ServerOption
|
||||
if (options->use_pam_check_locks == -1)
|
||||
options->use_pam_check_locks = 0;
|
||||
|
||||
+ if (options->kex_dhmin == -1)
|
||||
+ options->kex_dhmin = DH_GRP_MIN;
|
||||
+ else {
|
||||
+ options->kex_dhmin = MAXIMUM(options->kex_dhmin, DH_GRP_MIN_RFC);
|
||||
+ options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
|
||||
+ }
|
||||
+ dh_grp_min = options->kex_dhmin;
|
||||
+
|
||||
/* Standard Options */
|
||||
if (options->num_host_key_files == 0) {
|
||||
/* fill default hostkeys for protocols */
|
||||
@@ -494,7 +507,7 @@ typedef enum {
|
||||
sHostCertificate,
|
||||
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
|
||||
sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
|
||||
- sKexAlgorithms, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
|
||||
+ sKexAlgorithms, sKexDHMin, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
|
||||
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
|
||||
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
|
||||
sStreamLocalBindMask, sStreamLocalBindUnlink,
|
||||
@@ -635,6 +648,7 @@ static struct {
|
||||
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
|
||||
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
|
||||
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
|
||||
+ { "kexdhmin", sKexDHMin },
|
||||
{ "ipqos", sIPQoS, SSHCFG_ALL },
|
||||
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
|
||||
{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
|
||||
@@ -1735,6 +1749,10 @@ process_server_config_line(ServerOptions
|
||||
options->kex_algorithms = xstrdup(arg);
|
||||
break;
|
||||
|
||||
+ case sKexDHMin:
|
||||
+ intptr = &options->kex_dhmin;
|
||||
+ goto parse_int;
|
||||
+
|
||||
case sSubsystem:
|
||||
if (options->num_subsystems >= MAX_SUBSYSTEMS) {
|
||||
fatal("%s line %d: too many subsystems defined.",
|
||||
@@ -2549,6 +2567,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
|
||||
dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
|
||||
dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
|
||||
+ dump_cfg_int(sKexDHMin, o->kex_dhmin);
|
||||
|
||||
/* formatted integer arguments */
|
||||
dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
|
||||
Index: openssh-7.9p1/servconf.h
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/servconf.h
|
||||
+++ openssh-7.9p1/servconf.h
|
||||
@@ -103,6 +103,7 @@ typedef struct {
|
||||
char *ciphers; /* Supported SSH2 ciphers. */
|
||||
char *macs; /* Supported SSH2 macs. */
|
||||
char *kex_algorithms; /* SSH2 kex methods in order of preference. */
|
||||
+ int kex_dhmin; /* minimum bit length of the DH group parameter */
|
||||
struct ForwardOptions fwd_opts; /* forwarding options */
|
||||
SyslogFacility log_facility; /* Facility for system logging. */
|
||||
LogLevel log_level; /* Level for system logging. */
|
||||
Index: openssh-7.9p1/ssh_config
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/ssh_config
|
||||
+++ openssh-7.9p1/ssh_config
|
||||
@@ -17,6 +17,11 @@
|
||||
# list of available options, their meanings and defaults, please see the
|
||||
# ssh_config(5) man page.
|
||||
|
||||
+# Minimum accepted size of the DH parameter p. By default this is set to 1024
|
||||
+# to maintain compatibility with RFC4419, but should be set higher.
|
||||
+# Upstream default is identical to setting this to 2048.
|
||||
+#KexDHMin 1024
|
||||
+
|
||||
Host *
|
||||
# ForwardAgent no
|
||||
# ForwardX11 no
|
||||
Index: openssh-7.9p1/ssh_config.0
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/ssh_config.0
|
||||
+++ openssh-7.9p1/ssh_config.0
|
||||
@@ -610,6 +610,23 @@ DESCRIPTION
|
||||
The list of available key exchange algorithms may also be
|
||||
obtained using "ssh -Q kex".
|
||||
|
||||
+ KexDHMin
|
||||
+ Specifies the minimum accepted bit length of the DH group
|
||||
+ parameter p.
|
||||
+
|
||||
+ As per RFC4419, this is 1024 bits, however this has increasingly
|
||||
+ been seen as insecure, which prompted the change to 2048 bits.
|
||||
+ Setting this option allows the client to accept parameters shorter
|
||||
+ than the current minimum, down to the RFC specified 1024 bits.
|
||||
+ Using this option may be needed when connecting to servers that
|
||||
+ only know short DH group parameters.
|
||||
+
|
||||
+ Note, that while by default this option is set to 1024 to maintain
|
||||
+ maximum backward compatibility, using it can severly impact
|
||||
+ security and thus should be viewed as a temporary fix of last
|
||||
+ resort and all efforts should be made to fix the (broken)
|
||||
+ counterparty.
|
||||
+
|
||||
LocalCommand
|
||||
Specifies a command to execute on the local machine after
|
||||
successfully connecting to the server. The command string
|
||||
Index: openssh-7.9p1/ssh_config.5
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/ssh_config.5
|
||||
+++ openssh-7.9p1/ssh_config.5
|
||||
@@ -1047,6 +1047,22 @@ diffie-hellman-group14-sha1
|
||||
.Pp
|
||||
The list of available key exchange algorithms may also be obtained using
|
||||
.Qq ssh -Q kex .
|
||||
+.It Cm KexDHMin
|
||||
+Specifies the minimum accepted bit length of the DH group
|
||||
+parameter p.
|
||||
+.Pp
|
||||
+As per RFC4419, this is 1024 bits, however this has increasingly
|
||||
+been seen as insecure, which prompted the change to 2048 bits.
|
||||
+Setting this option allows the client to accept parameters shorter
|
||||
+than the current minimum, down to the RFC specified 1024 bits.
|
||||
+Using this option may be needed when connecting to servers that
|
||||
+only know short DH group parameters.
|
||||
+.Pp
|
||||
+Note, that while by default this option is set to 1024 to maintain
|
||||
+maximum backward compatibility, using it can severly impact
|
||||
+security and thus should be viewed as a temporary fix of last
|
||||
+resort and all efforts should be made to fix the (broken)
|
||||
+counterparty.
|
||||
.It Cm LocalCommand
|
||||
Specifies a command to execute on the local machine after successfully
|
||||
connecting to the server.
|
||||
Index: openssh-7.9p1/sshd_config
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/sshd_config
|
||||
+++ openssh-7.9p1/sshd_config
|
||||
@@ -19,6 +19,13 @@
|
||||
#HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
#HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
|
||||
+# Minimum accepted size of the DH parameter p. The default, which replicates
|
||||
+# upstream behaviour, is 2048. To maintain compatibility with RFC4419 it should
|
||||
+# be set to 1024.
|
||||
+# You will also need to add a HostKey directive to load a DSA key (typically
|
||||
+# located in /etc/ssh/ssh_host_dsa_key), which is not loaded by default.
|
||||
+#KexDHMin 2048
|
||||
+
|
||||
# Ciphers and keying
|
||||
#RekeyLimit default none
|
||||
|
||||
Index: openssh-7.9p1/sshd_config.0
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/sshd_config.0
|
||||
+++ openssh-7.9p1/sshd_config.0
|
||||
@@ -555,6 +555,23 @@ DESCRIPTION
|
||||
The list of available key exchange algorithms may also be
|
||||
obtained using "ssh -Q kex".
|
||||
|
||||
+ KexDHMin
|
||||
+ Specifies the minimum accepted bit length of the DH group
|
||||
+ parameter p.
|
||||
+
|
||||
+ As per RFC4419, this is 1024 bits, however this has increasingly
|
||||
+ been seen as insecure, which prompted the change to 2048 bits.
|
||||
+ Setting this option allows the server to accept parameters shorter
|
||||
+ than the current minimum, down to the RFC specified 1024 bits.
|
||||
+ Using this option may be needed when some of the connectiong
|
||||
+ clients only know short DH group parameters.
|
||||
+
|
||||
+ Note, that while by default this option is set to 1024 to maintain
|
||||
+ maximum backward compatibility, using it can severly impact
|
||||
+ security and thus should be viewed as a temporary fix of last
|
||||
+ resort and all efforts should be made to fix the (broken)
|
||||
+ counterparty.
|
||||
+
|
||||
ListenAddress
|
||||
Specifies the local addresses sshd(8) should listen on. The
|
||||
following forms may be used:
|
||||
Index: openssh-7.9p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/sshd_config.5
|
||||
+++ openssh-7.9p1/sshd_config.5
|
||||
@@ -923,6 +923,22 @@ diffie-hellman-group14-sha256,diffie-hel
|
||||
.Pp
|
||||
The list of available key exchange algorithms may also be obtained using
|
||||
.Qq ssh -Q kex .
|
||||
+.It Cm KexDHMin
|
||||
+Specifies the minimum accepted bit length of the DH group
|
||||
+parameter p.
|
||||
+.Pp
|
||||
+As per RFC4419, this is 1024 bits, however this has increasingly
|
||||
+been seen as insecure, which prompted the change to 2048 bits.
|
||||
+Setting this option allows the server to accept parameters shorter
|
||||
+than the current minimum, down to the RFC specified 1024 bits.
|
||||
+Using this option may be needed when some of the connectiong
|
||||
+clients only know short DH group parameters.
|
||||
+.Pp
|
||||
+Note, that while by default this option is set to 1024 to maintain
|
||||
+maximum backward compatibility, using it can severly impact
|
||||
+security and thus should be viewed as a temporary fix of last
|
||||
+resort and all efforts should be made to fix the (broken)
|
||||
+counterparty.
|
||||
.It Cm ListenAddress
|
||||
Specifies the local addresses
|
||||
.Xr sshd 8
|
@ -5,8 +5,8 @@ algorithms.
|
||||
|
||||
Index: openssh-7.9p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/Makefile.in
|
||||
+++ openssh-7.9p1/Makefile.in
|
||||
--- openssh-7.9p1.orig/Makefile.in 2019-02-28 17:20:15.767164591 +0100
|
||||
+++ openssh-7.9p1/Makefile.in 2019-02-28 20:18:30.666473978 +0100
|
||||
@@ -102,6 +102,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
|
||||
platform-pledge.o platform-tracing.o platform-misc.o
|
||||
@ -18,8 +18,8 @@ Index: openssh-7.9p1/Makefile.in
|
||||
|
||||
Index: openssh-7.9p1/cipher-ctr.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/cipher-ctr.c
|
||||
+++ openssh-7.9p1/cipher-ctr.c
|
||||
--- openssh-7.9p1.orig/cipher-ctr.c 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/cipher-ctr.c 2019-02-28 17:20:15.919165544 +0100
|
||||
@@ -27,6 +27,8 @@
|
||||
#include "xmalloc.h"
|
||||
#include "log.h"
|
||||
@ -40,8 +40,8 @@ Index: openssh-7.9p1/cipher-ctr.c
|
||||
}
|
||||
Index: openssh-7.9p1/cipher.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/cipher.c
|
||||
+++ openssh-7.9p1/cipher.c
|
||||
--- openssh-7.9p1.orig/cipher.c 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/cipher.c 2019-02-28 20:18:30.666473978 +0100
|
||||
@@ -51,6 +51,8 @@
|
||||
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
@ -131,23 +131,11 @@ Index: openssh-7.9p1/cipher.c
|
||||
if (strcmp(c->name, name) == 0)
|
||||
return c;
|
||||
return NULL;
|
||||
Index: openssh-7.9p1/dh.h
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/dh.h
|
||||
+++ openssh-7.9p1/dh.h
|
||||
@@ -52,6 +52,7 @@ u_int dh_estimate(int);
|
||||
*/
|
||||
#define DH_GRP_MIN_RFC 1024
|
||||
#define DH_GRP_MIN 2048
|
||||
+#define DH_GRP_MIN_FIPS 2048
|
||||
#define DH_GRP_MAX 8192
|
||||
|
||||
/*
|
||||
Index: openssh-7.9p1/fips.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.9p1/fips.c
|
||||
@@ -0,0 +1,237 @@
|
||||
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
||||
+++ openssh-7.9p1/fips.c 2019-02-28 20:18:30.534473204 +0100
|
||||
@@ -0,0 +1,215 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
||||
+ *
|
||||
@ -363,33 +351,11 @@ Index: openssh-7.9p1/fips.c
|
||||
+ return dgst;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+fips_dh_grp_min(void)
|
||||
+{
|
||||
+ int fips;
|
||||
+ int dh;
|
||||
+
|
||||
+ fips = fips_mode();
|
||||
+ switch (fips) {
|
||||
+ case 0:
|
||||
+ dh = dh_grp_min;
|
||||
+ break;
|
||||
+ case 1:
|
||||
+ dh = DH_GRP_MIN_FIPS;
|
||||
+ break;
|
||||
+ default:
|
||||
+ /* should not be reached */
|
||||
+ fatal("Fatal error: incorrect FIPS mode '%i' at %s:%u",
|
||||
+ fips, __FILE__, __LINE__);
|
||||
+ }
|
||||
+ return dh;
|
||||
+}
|
||||
+
|
||||
Index: openssh-7.9p1/fips.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.9p1/fips.h
|
||||
@@ -0,0 +1,45 @@
|
||||
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
||||
+++ openssh-7.9p1/fips.h 2019-02-28 20:18:30.534473204 +0100
|
||||
@@ -0,0 +1,44 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
||||
+ *
|
||||
@ -429,7 +395,6 @@ Index: openssh-7.9p1/fips.h
|
||||
+int fips_mode(void);
|
||||
+int fips_correct_dgst(int);
|
||||
+int fips_dgst_min(void);
|
||||
+int fips_dh_grp_min(void);
|
||||
+enum fp_type fips_correct_fp_type(enum fp_type);
|
||||
+int fips_filter_crypto(char **, fips_filters);
|
||||
+
|
||||
@ -437,8 +402,8 @@ Index: openssh-7.9p1/fips.h
|
||||
+
|
||||
Index: openssh-7.9p1/hmac.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/hmac.c
|
||||
+++ openssh-7.9p1/hmac.c
|
||||
--- openssh-7.9p1.orig/hmac.c 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/hmac.c 2019-02-28 17:20:15.919165544 +0100
|
||||
@@ -144,7 +144,7 @@ hmac_test(void *key, size_t klen, void *
|
||||
size_t i;
|
||||
u_char digest[16];
|
||||
@ -450,8 +415,8 @@ Index: openssh-7.9p1/hmac.c
|
||||
ssh_hmac_update(ctx, m, mlen) < 0 ||
|
||||
Index: openssh-7.9p1/kex.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/kex.c
|
||||
+++ openssh-7.9p1/kex.c
|
||||
--- openssh-7.9p1.orig/kex.c 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/kex.c 2019-02-28 17:20:15.919165544 +0100
|
||||
@@ -54,6 +54,8 @@
|
||||
#include "sshbuf.h"
|
||||
#include "digest.h"
|
||||
@ -547,59 +512,23 @@ Index: openssh-7.9p1/kex.c
|
||||
free(s);
|
||||
return 0;
|
||||
}
|
||||
Index: openssh-7.9p1/kexgexc.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/kexgexc.c
|
||||
+++ openssh-7.9p1/kexgexc.c
|
||||
@@ -53,8 +53,7 @@
|
||||
#include "sshbuf.h"
|
||||
#include "misc.h"
|
||||
|
||||
-/* import from dh.c */
|
||||
-extern int dh_grp_min;
|
||||
+#include "fips.h"
|
||||
|
||||
static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *);
|
||||
static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *);
|
||||
@@ -68,7 +67,7 @@ kexgex_client(struct ssh *ssh)
|
||||
|
||||
nbits = dh_estimate(kex->dh_need * 8);
|
||||
|
||||
- kex->min = dh_grp_min;
|
||||
+ kex->min = fips_dh_grp_min();
|
||||
kex->max = DH_GRP_MAX;
|
||||
kex->nbits = nbits;
|
||||
if (datafellows & SSH_BUG_DHGEX_LARGE)
|
||||
Index: openssh-7.9p1/kexgexs.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/kexgexs.c
|
||||
+++ openssh-7.9p1/kexgexs.c
|
||||
@@ -56,8 +56,7 @@
|
||||
--- openssh-7.9p1.orig/kexgexs.c 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/kexgexs.c 2019-02-28 17:20:15.923165569 +0100
|
||||
@@ -56,6 +56,8 @@
|
||||
#include "sshbuf.h"
|
||||
#include "misc.h"
|
||||
|
||||
-/* import from dh.c */
|
||||
-extern int dh_grp_min;
|
||||
+#include "fips.h"
|
||||
|
||||
+
|
||||
static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *);
|
||||
static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *);
|
||||
@@ -88,9 +87,9 @@ input_kex_dh_gex_request(int type, u_int
|
||||
kex->nbits = nbits;
|
||||
kex->min = min;
|
||||
kex->max = max;
|
||||
- min = MAXIMUM(dh_grp_min, min);
|
||||
+ min = MAXIMUM(fips_dh_grp_min(), min);
|
||||
max = MINIMUM(DH_GRP_MAX, max);
|
||||
- nbits = MAXIMUM(dh_grp_min, nbits);
|
||||
+ nbits = MAXIMUM(fips_dh_grp_min(), nbits);
|
||||
nbits = MINIMUM(DH_GRP_MAX, nbits);
|
||||
|
||||
if (kex->max < kex->min || kex->nbits < kex->min ||
|
||||
Index: openssh-7.9p1/mac.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/mac.c
|
||||
+++ openssh-7.9p1/mac.c
|
||||
--- openssh-7.9p1.orig/mac.c 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/mac.c 2019-02-28 17:20:15.923165569 +0100
|
||||
@@ -40,6 +40,9 @@
|
||||
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
@ -681,8 +610,8 @@ Index: openssh-7.9p1/mac.c
|
||||
if (mac != NULL)
|
||||
Index: openssh-7.9p1/myproposal.h
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/myproposal.h
|
||||
+++ openssh-7.9p1/myproposal.h
|
||||
--- openssh-7.9p1.orig/myproposal.h 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/myproposal.h 2019-02-28 17:20:15.923165569 +0100
|
||||
@@ -151,6 +151,8 @@
|
||||
|
||||
#else /* WITH_OPENSSL */
|
||||
@ -694,17 +623,18 @@ Index: openssh-7.9p1/myproposal.h
|
||||
"curve25519-sha256@libssh.org"
|
||||
Index: openssh-7.9p1/readconf.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/readconf.c
|
||||
+++ openssh-7.9p1/readconf.c
|
||||
@@ -68,6 +68,7 @@
|
||||
--- openssh-7.9p1.orig/readconf.c 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/readconf.c 2019-02-28 20:18:54.650614520 +0100
|
||||
@@ -68,6 +68,8 @@
|
||||
#include "myproposal.h"
|
||||
#include "digest.h"
|
||||
#include "dh.h"
|
||||
+#include "fips.h"
|
||||
|
||||
+#include "fips.h"
|
||||
+
|
||||
/* Format of the configuration file:
|
||||
|
||||
@@ -1825,6 +1826,23 @@ option_clear_or_none(const char *o)
|
||||
# Configuration data is parsed as follows:
|
||||
@@ -1816,6 +1818,23 @@ option_clear_or_none(const char *o)
|
||||
return o == NULL || strcasecmp(o, "none") == 0;
|
||||
}
|
||||
|
||||
@ -728,19 +658,7 @@ Index: openssh-7.9p1/readconf.c
|
||||
/*
|
||||
* Initializes options to special values that indicate that they have not yet
|
||||
* been set. Read_config_file will only set options with this value. Options
|
||||
@@ -2025,9 +2043,9 @@ fill_default_options(Options * options)
|
||||
if (options->number_of_password_prompts == -1)
|
||||
options->number_of_password_prompts = 3;
|
||||
if (options->kex_dhmin == -1)
|
||||
- options->kex_dhmin = DH_GRP_MIN;
|
||||
+ options->kex_dhmin = fips_dh_grp_min();
|
||||
else {
|
||||
- options->kex_dhmin = MAXIMUM(options->kex_dhmin, DH_GRP_MIN_RFC);
|
||||
+ options->kex_dhmin = MAXIMUM(options->kex_dhmin, fips_dh_grp_min());
|
||||
options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
|
||||
}
|
||||
dh_grp_min = options->kex_dhmin;
|
||||
@@ -2112,6 +2130,8 @@ fill_default_options(Options * options)
|
||||
@@ -2095,6 +2114,8 @@ fill_default_options(Options * options)
|
||||
options->canonicalize_hostname = SSH_CANONICALISE_NO;
|
||||
if (options->fingerprint_hash == -1)
|
||||
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||
@ -749,19 +667,19 @@ Index: openssh-7.9p1/readconf.c
|
||||
if (options->update_hostkeys == -1)
|
||||
options->update_hostkeys = 0;
|
||||
|
||||
@@ -2594,6 +2614,7 @@ dump_client_config(Options *o, const cha
|
||||
KEX_DEFAULT_PK_ALG, all_key) != 0)
|
||||
fatal("%s: kex_assemble_names failed", __func__);
|
||||
@@ -2122,6 +2143,7 @@ fill_default_options(Options * options)
|
||||
free(all_kex);
|
||||
free(all_key);
|
||||
+ filter_fips_algorithms(o);
|
||||
free(all_sig);
|
||||
+ filter_fips_algorithms(options);
|
||||
|
||||
/* Most interesting options first: user, host, port */
|
||||
dump_cfg_string(oUser, o->user);
|
||||
#define CLEAR_ON_NONE(v) \
|
||||
do { \
|
||||
Index: openssh-7.9p1/readconf.h
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/readconf.h
|
||||
+++ openssh-7.9p1/readconf.h
|
||||
@@ -198,6 +198,7 @@ typedef struct {
|
||||
--- openssh-7.9p1.orig/readconf.h 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/readconf.h 2019-02-28 17:20:15.923165569 +0100
|
||||
@@ -197,6 +197,7 @@ typedef struct {
|
||||
#define SSH_STRICT_HOSTKEY_YES 2
|
||||
#define SSH_STRICT_HOSTKEY_ASK 3
|
||||
|
||||
@ -771,17 +689,17 @@ Index: openssh-7.9p1/readconf.h
|
||||
void fill_default_options_for_canonicalization(Options *);
|
||||
Index: openssh-7.9p1/servconf.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/servconf.c
|
||||
+++ openssh-7.9p1/servconf.c
|
||||
@@ -65,6 +65,7 @@
|
||||
--- openssh-7.9p1.orig/servconf.c 2019-02-28 17:20:15.851165117 +0100
|
||||
+++ openssh-7.9p1/servconf.c 2019-02-28 17:20:15.923165569 +0100
|
||||
@@ -64,6 +64,7 @@
|
||||
#include "auth.h"
|
||||
#include "myproposal.h"
|
||||
#include "digest.h"
|
||||
#include "dh.h"
|
||||
+#include "fips.h"
|
||||
|
||||
/* import from dh.c */
|
||||
extern int dh_grp_min;
|
||||
@@ -195,6 +196,23 @@ option_clear_or_none(const char *o)
|
||||
static void add_listen_addr(ServerOptions *, const char *,
|
||||
const char *, int);
|
||||
@@ -190,6 +191,23 @@ option_clear_or_none(const char *o)
|
||||
return o == NULL || strcasecmp(o, "none") == 0;
|
||||
}
|
||||
|
||||
@ -805,7 +723,7 @@ Index: openssh-7.9p1/servconf.c
|
||||
static void
|
||||
assemble_algorithms(ServerOptions *o)
|
||||
{
|
||||
@@ -224,6 +242,8 @@ assemble_algorithms(ServerOptions *o)
|
||||
@@ -219,6 +237,8 @@ assemble_algorithms(ServerOptions *o)
|
||||
free(all_kex);
|
||||
free(all_key);
|
||||
free(all_sig);
|
||||
@ -814,19 +732,7 @@ Index: openssh-7.9p1/servconf.c
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -273,9 +293,9 @@ fill_default_server_options(ServerOption
|
||||
options->use_pam_check_locks = 0;
|
||||
|
||||
if (options->kex_dhmin == -1)
|
||||
- options->kex_dhmin = DH_GRP_MIN;
|
||||
+ options->kex_dhmin = fips_dh_grp_min();
|
||||
else {
|
||||
- options->kex_dhmin = MAXIMUM(options->kex_dhmin, DH_GRP_MIN_RFC);
|
||||
+ options->kex_dhmin = MAXIMUM(options->kex_dhmin, fips_dh_grp_min());
|
||||
options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
|
||||
}
|
||||
dh_grp_min = options->kex_dhmin;
|
||||
@@ -423,6 +443,8 @@ fill_default_server_options(ServerOption
|
||||
@@ -410,6 +430,8 @@ fill_default_server_options(ServerOption
|
||||
options->fwd_opts.streamlocal_bind_unlink = 0;
|
||||
if (options->fingerprint_hash == -1)
|
||||
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||
@ -837,8 +743,8 @@ Index: openssh-7.9p1/servconf.c
|
||||
if (options->expose_userauth_info == -1)
|
||||
Index: openssh-7.9p1/ssh-keygen.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/ssh-keygen.c
|
||||
+++ openssh-7.9p1/ssh-keygen.c
|
||||
--- openssh-7.9p1.orig/ssh-keygen.c 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/ssh-keygen.c 2019-02-28 17:20:15.923165569 +0100
|
||||
@@ -61,6 +61,8 @@
|
||||
#include "utf8.h"
|
||||
#include "authfd.h"
|
||||
@ -913,8 +819,8 @@ Index: openssh-7.9p1/ssh-keygen.c
|
||||
if (!quiet)
|
||||
Index: openssh-7.9p1/ssh_config.0
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/ssh_config.0
|
||||
+++ openssh-7.9p1/ssh_config.0
|
||||
--- openssh-7.9p1.orig/ssh_config.0 2018-10-19 03:06:19.000000000 +0200
|
||||
+++ openssh-7.9p1/ssh_config.0 2019-02-28 17:20:15.923165569 +0100
|
||||
@@ -353,6 +353,9 @@ DESCRIPTION
|
||||
Specifies the hash algorithm used when displaying key
|
||||
fingerprints. Valid options are: md5 and sha256 (the default).
|
||||
@ -925,9 +831,9 @@ Index: openssh-7.9p1/ssh_config.0
|
||||
ForwardAgent
|
||||
Specifies whether the connection to the authentication agent (if
|
||||
any) will be forwarded to the remote machine. The argument must
|
||||
@@ -627,6 +630,9 @@ DESCRIPTION
|
||||
resort and all efforts should be made to fix the (broken)
|
||||
counterparty.
|
||||
@@ -610,6 +613,9 @@ DESCRIPTION
|
||||
The list of available key exchange algorithms may also be
|
||||
obtained using "ssh -Q kex".
|
||||
|
||||
+ In the FIPS mode the FIPS standard takes precedence over RFC and
|
||||
+ forces the minimum to a higher value, currently 2048 bits.
|
||||
@ -937,8 +843,8 @@ Index: openssh-7.9p1/ssh_config.0
|
||||
successfully connecting to the server. The command string
|
||||
Index: openssh-7.9p1/ssh_config.5
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/ssh_config.5
|
||||
+++ openssh-7.9p1/ssh_config.5
|
||||
--- openssh-7.9p1.orig/ssh_config.5 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/ssh_config.5 2019-02-28 17:20:15.923165569 +0100
|
||||
@@ -642,6 +642,8 @@ Valid options are:
|
||||
and
|
||||
.Cm sha256
|
||||
@ -948,20 +854,10 @@ Index: openssh-7.9p1/ssh_config.5
|
||||
.It Cm ForwardAgent
|
||||
Specifies whether the connection to the authentication agent (if any)
|
||||
will be forwarded to the remote machine.
|
||||
@@ -1063,6 +1065,9 @@ maximum backward compatibility, using it
|
||||
security and thus should be viewed as a temporary fix of last
|
||||
resort and all efforts should be made to fix the (broken)
|
||||
counterparty.
|
||||
+.Pp
|
||||
+In the FIPS mode the FIPS standard takes precedence over RFC and
|
||||
+forces the minimum to a higher value, currently 2048 bits.
|
||||
.It Cm LocalCommand
|
||||
Specifies a command to execute on the local machine after successfully
|
||||
connecting to the server.
|
||||
Index: openssh-7.9p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/sshd.c
|
||||
+++ openssh-7.9p1/sshd.c
|
||||
--- openssh-7.9p1.orig/sshd.c 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/sshd.c 2019-02-28 20:18:30.534473204 +0100
|
||||
@@ -123,6 +123,8 @@
|
||||
#include "version.h"
|
||||
#include "ssherr.h"
|
||||
@ -973,8 +869,8 @@ Index: openssh-7.9p1/sshd.c
|
||||
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
|
||||
Index: openssh-7.9p1/sshd_config.0
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/sshd_config.0
|
||||
+++ openssh-7.9p1/sshd_config.0
|
||||
--- openssh-7.9p1.orig/sshd_config.0 2019-02-28 17:20:15.851165117 +0100
|
||||
+++ openssh-7.9p1/sshd_config.0 2019-02-28 17:20:15.927165594 +0100
|
||||
@@ -348,6 +348,9 @@ DESCRIPTION
|
||||
Specifies the hash algorithm used when logging key fingerprints.
|
||||
Valid options are: md5 and sha256. The default is sha256.
|
||||
@ -985,9 +881,9 @@ Index: openssh-7.9p1/sshd_config.0
|
||||
ForceCommand
|
||||
Forces the execution of the command specified by ForceCommand,
|
||||
ignoring any command supplied by the client and ~/.ssh/rc if
|
||||
@@ -572,6 +575,9 @@ DESCRIPTION
|
||||
resort and all efforts should be made to fix the (broken)
|
||||
counterparty.
|
||||
@@ -555,6 +558,9 @@ DESCRIPTION
|
||||
The list of available key exchange algorithms may also be
|
||||
obtained using "ssh -Q kex".
|
||||
|
||||
+ In the FIPS mode the FIPS standard takes precedence over RFC and
|
||||
+ forces the minimum to a higher value, currently 2048 bits.
|
||||
@ -997,8 +893,8 @@ Index: openssh-7.9p1/sshd_config.0
|
||||
following forms may be used:
|
||||
Index: openssh-7.9p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/sshd_config.5
|
||||
+++ openssh-7.9p1/sshd_config.5
|
||||
--- openssh-7.9p1.orig/sshd_config.5 2019-02-28 17:20:15.851165117 +0100
|
||||
+++ openssh-7.9p1/sshd_config.5 2019-02-28 17:20:15.927165594 +0100
|
||||
@@ -603,6 +603,8 @@ and
|
||||
.Cm sha256 .
|
||||
The default is
|
||||
|
@ -14,10 +14,10 @@
|
||||
# file is not found (or the hash matches), proceed in non-FIPS mode and abort
|
||||
# otherwise.
|
||||
|
||||
Index: openssh-7.8p1/fips-check.c
|
||||
Index: openssh-7.9p1/fips-check.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/fips-check.c
|
||||
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
||||
+++ openssh-7.9p1/fips-check.c 2019-02-27 14:03:03.383988170 +0100
|
||||
@@ -0,0 +1,34 @@
|
||||
+#include "includes.h"
|
||||
+#include <fcntl.h>
|
||||
@ -53,10 +53,10 @@ Index: openssh-7.8p1/fips-check.c
|
||||
+ fips_ssh_init();
|
||||
+ return 0;
|
||||
+}
|
||||
Index: openssh-7.8p1/fips.c
|
||||
Index: openssh-7.9p1/fips.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/fips.c
|
||||
+++ openssh-7.8p1/fips.c
|
||||
--- openssh-7.9p1.orig/fips.c 2019-02-27 14:03:03.323987792 +0100
|
||||
+++ openssh-7.9p1/fips.c 2019-02-27 14:03:03.383988170 +0100
|
||||
@@ -35,33 +35,296 @@
|
||||
#include "log.h"
|
||||
#include "xmalloc.h"
|
||||
@ -365,15 +365,10 @@ Index: openssh-7.8p1/fips.c
|
||||
int
|
||||
fips_mode(void)
|
||||
{
|
||||
@@ -234,4 +497,3 @@ fips_dh_grp_min(void)
|
||||
}
|
||||
return dh;
|
||||
}
|
||||
-
|
||||
Index: openssh-7.8p1/fips.h
|
||||
Index: openssh-7.9p1/fips.h
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/fips.h
|
||||
+++ openssh-7.8p1/fips.h
|
||||
--- openssh-7.9p1.orig/fips.h 2019-02-27 14:03:03.323987792 +0100
|
||||
+++ openssh-7.9p1/fips.h 2019-02-27 14:03:03.383988170 +0100
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
||||
@ -410,15 +405,15 @@ Index: openssh-7.8p1/fips.h
|
||||
int fips_mode(void);
|
||||
int fips_correct_dgst(int);
|
||||
int fips_dgst_min(void);
|
||||
@@ -42,4 +57,3 @@ enum fp_type fips_correct_fp_type(enum
|
||||
@@ -41,4 +56,3 @@ enum fp_type fips_correct_fp_type(enum
|
||||
int fips_filter_crypto(char **, fips_filters);
|
||||
|
||||
#endif
|
||||
-
|
||||
Index: openssh-7.8p1/sftp-server.c
|
||||
Index: openssh-7.9p1/sftp-server.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/sftp-server.c
|
||||
+++ openssh-7.8p1/sftp-server.c
|
||||
--- openssh-7.9p1.orig/sftp-server.c 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/sftp-server.c 2019-02-27 14:03:03.383988170 +0100
|
||||
@@ -51,6 +51,8 @@
|
||||
#include "sftp.h"
|
||||
#include "sftp-common.h"
|
||||
@ -438,10 +433,10 @@ Index: openssh-7.8p1/sftp-server.c
|
||||
ssh_malloc_init(); /* must be called before any mallocs */
|
||||
__progname = ssh_get_progname(argv[0]);
|
||||
log_init(__progname, log_level, log_facility, log_stderr);
|
||||
Index: openssh-7.8p1/ssh.c
|
||||
Index: openssh-7.9p1/ssh.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/ssh.c
|
||||
+++ openssh-7.8p1/ssh.c
|
||||
--- openssh-7.9p1.orig/ssh.c 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/ssh.c 2019-02-27 14:03:03.387988194 +0100
|
||||
@@ -113,6 +113,8 @@
|
||||
#include "ssh-pkcs11.h"
|
||||
#endif
|
||||
@ -462,11 +457,11 @@ Index: openssh-7.8p1/ssh.c
|
||||
ssh_malloc_init(); /* must be called before any mallocs */
|
||||
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
|
||||
sanitise_stdfd();
|
||||
Index: openssh-7.8p1/sshd.c
|
||||
Index: openssh-7.9p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/sshd.c
|
||||
+++ openssh-7.8p1/sshd.c
|
||||
@@ -1486,6 +1486,10 @@ main(int ac, char **av)
|
||||
--- openssh-7.9p1.orig/sshd.c 2019-02-27 14:03:03.327987816 +0100
|
||||
+++ openssh-7.9p1/sshd.c 2019-02-27 14:03:03.387988194 +0100
|
||||
@@ -1485,6 +1485,10 @@ main(int ac, char **av)
|
||||
Authctxt *authctxt;
|
||||
struct connection_info *connection_info = NULL;
|
||||
|
||||
|
@ -3,8 +3,8 @@
|
||||
|
||||
Index: openssh-7.9p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/Makefile.in
|
||||
+++ openssh-7.9p1/Makefile.in
|
||||
--- openssh-7.9p1.orig/Makefile.in 2019-02-27 15:43:51.360515721 +0100
|
||||
+++ openssh-7.9p1/Makefile.in 2019-02-27 15:43:55.360539487 +0100
|
||||
@@ -104,10 +104,13 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
|
||||
kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
|
||||
@ -30,8 +30,8 @@ Index: openssh-7.9p1/Makefile.in
|
||||
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
|
||||
Index: openssh-7.9p1/auth-krb5.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/auth-krb5.c
|
||||
+++ openssh-7.9p1/auth-krb5.c
|
||||
--- openssh-7.9p1.orig/auth-krb5.c 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/auth-krb5.c 2019-02-27 15:43:51.428516125 +0100
|
||||
@@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||
|
||||
len = strlen(authctxt->krb5_ticket_file) + 6;
|
||||
@ -76,8 +76,8 @@ Index: openssh-7.9p1/auth-krb5.c
|
||||
}
|
||||
Index: openssh-7.9p1/auth.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/auth.c
|
||||
+++ openssh-7.9p1/auth.c
|
||||
--- openssh-7.9p1.orig/auth.c 2019-02-27 15:43:51.228514936 +0100
|
||||
+++ openssh-7.9p1/auth.c 2019-02-27 15:43:55.360539487 +0100
|
||||
@@ -399,6 +399,7 @@ auth_root_allowed(struct ssh *ssh, const
|
||||
case PERMIT_NO_PASSWD:
|
||||
if (strcmp(method, "publickey") == 0 ||
|
||||
@ -88,8 +88,8 @@ Index: openssh-7.9p1/auth.c
|
||||
break;
|
||||
Index: openssh-7.9p1/auth2-gss.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/auth2-gss.c
|
||||
+++ openssh-7.9p1/auth2-gss.c
|
||||
--- openssh-7.9p1.orig/auth2-gss.c 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/auth2-gss.c 2019-02-27 15:43:51.428516125 +0100
|
||||
@@ -31,6 +31,7 @@
|
||||
#include <sys/types.h>
|
||||
|
||||
@ -143,7 +143,7 @@ Index: openssh-7.9p1/auth2-gss.c
|
||||
* We only support those mechanisms that we know about (ie ones that we know
|
||||
* how to check local user kuserok and the like)
|
||||
*/
|
||||
@@ -260,7 +302,8 @@ input_gssapi_exchange_complete(int type,
|
||||
@@ -260,7 +299,8 @@ input_gssapi_exchange_complete(int type,
|
||||
if ((r = sshpkt_get_end(ssh)) != 0)
|
||||
fatal("%s: %s", __func__, ssh_err(r));
|
||||
|
||||
@ -153,7 +153,7 @@ Index: openssh-7.9p1/auth2-gss.c
|
||||
|
||||
if ((!use_privsep || mm_is_monitor()) &&
|
||||
(displayname = ssh_gssapi_displayname()) != NULL)
|
||||
@@ -306,7 +349,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
@@ -306,7 +346,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
gssbuf.length = sshbuf_len(b);
|
||||
|
||||
if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
|
||||
@ -163,7 +163,7 @@ Index: openssh-7.9p1/auth2-gss.c
|
||||
else
|
||||
logit("GSSAPI MIC check failed");
|
||||
|
||||
@@ -326,6 +370,12 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
@@ -326,6 +367,12 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -178,8 +178,8 @@ Index: openssh-7.9p1/auth2-gss.c
|
||||
userauth_gssapi,
|
||||
Index: openssh-7.9p1/auth2.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/auth2.c
|
||||
+++ openssh-7.9p1/auth2.c
|
||||
--- openssh-7.9p1.orig/auth2.c 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/auth2.c 2019-02-27 15:43:55.360539487 +0100
|
||||
@@ -74,6 +74,7 @@ extern Authmethod method_passwd;
|
||||
extern Authmethod method_kbdint;
|
||||
extern Authmethod method_hostbased;
|
||||
@ -198,8 +198,8 @@ Index: openssh-7.9p1/auth2.c
|
||||
&method_passwd,
|
||||
Index: openssh-7.9p1/clientloop.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/clientloop.c
|
||||
+++ openssh-7.9p1/clientloop.c
|
||||
--- openssh-7.9p1.orig/clientloop.c 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/clientloop.c 2019-02-27 15:43:51.428516125 +0100
|
||||
@@ -112,6 +112,10 @@
|
||||
#include "ssherr.h"
|
||||
#include "hostfile.h"
|
||||
@ -233,8 +233,8 @@ Index: openssh-7.9p1/clientloop.c
|
||||
|
||||
Index: openssh-7.9p1/configure.ac
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/configure.ac
|
||||
+++ openssh-7.9p1/configure.ac
|
||||
--- openssh-7.9p1.orig/configure.ac 2019-02-27 15:43:51.412516029 +0100
|
||||
+++ openssh-7.9p1/configure.ac 2019-02-27 15:43:55.192538489 +0100
|
||||
@@ -664,6 +664,30 @@ main() { if (NSVersionOfRunTimeLibrary("
|
||||
[Use tunnel device compatibility to OpenBSD])
|
||||
AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
|
||||
@ -308,8 +308,8 @@ Index: openssh-7.9p1/configure.ac
|
||||
if test "X$maildir" != "X"; then
|
||||
Index: openssh-7.9p1/gss-genr.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/gss-genr.c
|
||||
+++ openssh-7.9p1/gss-genr.c
|
||||
--- openssh-7.9p1.orig/gss-genr.c 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/gss-genr.c 2019-02-27 15:43:54.528534543 +0100
|
||||
@@ -41,12 +41,174 @@
|
||||
#include "sshbuf.h"
|
||||
#include "log.h"
|
||||
@ -485,7 +485,7 @@ Index: openssh-7.9p1/gss-genr.c
|
||||
/* sshbuf_get for gss_buffer_desc */
|
||||
int
|
||||
ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
|
||||
@@ -218,7 +381,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de
|
||||
@@ -218,7 +380,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de
|
||||
}
|
||||
|
||||
ctx->major = gss_init_sec_context(&ctx->minor,
|
||||
@ -494,7 +494,7 @@ Index: openssh-7.9p1/gss-genr.c
|
||||
GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
|
||||
0, NULL, recv_tok, NULL, send_tok, flags, NULL);
|
||||
|
||||
@@ -248,8 +411,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con
|
||||
@@ -248,8 +410,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con
|
||||
}
|
||||
|
||||
OM_uint32
|
||||
@ -537,7 +537,7 @@ Index: openssh-7.9p1/gss-genr.c
|
||||
if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
|
||||
GSS_C_QOP_DEFAULT, buffer, hash)))
|
||||
ssh_gssapi_error(ctx);
|
||||
@@ -257,6 +454,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer
|
||||
@@ -257,6 +453,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer
|
||||
return (ctx->major);
|
||||
}
|
||||
|
||||
@ -557,7 +557,7 @@ Index: openssh-7.9p1/gss-genr.c
|
||||
void
|
||||
ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
|
||||
const char *context)
|
||||
@@ -273,22 +483,31 @@ ssh_gssapi_buildmic(struct sshbuf *b, co
|
||||
@@ -273,22 +482,31 @@ ssh_gssapi_buildmic(struct sshbuf *b, co
|
||||
}
|
||||
|
||||
int
|
||||
@ -592,7 +592,7 @@ Index: openssh-7.9p1/gss-genr.c
|
||||
NULL);
|
||||
gss_release_buffer(&minor, &token);
|
||||
if ((*ctx)->context != GSS_C_NO_CONTEXT)
|
||||
@@ -296,10 +515,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
|
||||
@@ -296,10 +514,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
|
||||
GSS_C_NO_BUFFER);
|
||||
}
|
||||
|
||||
@ -662,8 +662,8 @@ Index: openssh-7.9p1/gss-genr.c
|
||||
#endif /* GSSAPI */
|
||||
Index: openssh-7.9p1/gss-serv-krb5.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/gss-serv-krb5.c
|
||||
+++ openssh-7.9p1/gss-serv-krb5.c
|
||||
--- openssh-7.9p1.orig/gss-serv-krb5.c 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/gss-serv-krb5.c 2019-02-27 15:43:51.432516148 +0100
|
||||
@@ -120,7 +120,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
|
||||
krb5_error_code problem;
|
||||
krb5_principal princ;
|
||||
@ -701,7 +701,7 @@ Index: openssh-7.9p1/gss-serv-krb5.c
|
||||
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam)
|
||||
@@ -193,9 +208,76 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
|
||||
@@ -193,9 +205,76 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
|
||||
|
||||
krb5_cc_close(krb_context, ccache);
|
||||
|
||||
@ -778,7 +778,7 @@ Index: openssh-7.9p1/gss-serv-krb5.c
|
||||
ssh_gssapi_mech gssapi_kerberos_mech = {
|
||||
"toWM5Slw5Ew8Mqkay+al2g==",
|
||||
"Kerberos",
|
||||
@@ -203,7 +285,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
|
||||
@@ -203,7 +282,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
|
||||
NULL,
|
||||
&ssh_gssapi_krb5_userok,
|
||||
NULL,
|
||||
@ -790,8 +790,8 @@ Index: openssh-7.9p1/gss-serv-krb5.c
|
||||
#endif /* KRB5 */
|
||||
Index: openssh-7.9p1/gss-serv.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/gss-serv.c
|
||||
+++ openssh-7.9p1/gss-serv.c
|
||||
--- openssh-7.9p1.orig/gss-serv.c 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/gss-serv.c 2019-02-27 15:43:51.432516148 +0100
|
||||
@@ -44,17 +44,19 @@
|
||||
#include "session.h"
|
||||
#include "misc.h"
|
||||
@ -1075,8 +1075,8 @@ Index: openssh-7.9p1/gss-serv.c
|
||||
/* Privileged */
|
||||
Index: openssh-7.9p1/kex.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/kex.c
|
||||
+++ openssh-7.9p1/kex.c
|
||||
--- openssh-7.9p1.orig/kex.c 2019-02-27 15:43:51.296515340 +0100
|
||||
+++ openssh-7.9p1/kex.c 2019-02-27 15:43:55.360539487 +0100
|
||||
@@ -56,6 +56,10 @@
|
||||
|
||||
#include "fips.h"
|
||||
@ -1126,8 +1126,8 @@ Index: openssh-7.9p1/kex.c
|
||||
}
|
||||
Index: openssh-7.9p1/kex.h
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/kex.h
|
||||
+++ openssh-7.9p1/kex.h
|
||||
--- openssh-7.9p1.orig/kex.h 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/kex.h 2019-02-27 15:43:55.360539487 +0100
|
||||
@@ -100,6 +100,11 @@ enum kex_exchange {
|
||||
KEX_DH_GEX_SHA256,
|
||||
KEX_ECDH_SHA2,
|
||||
@ -1166,8 +1166,8 @@ Index: openssh-7.9p1/kex.h
|
||||
const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
|
||||
Index: openssh-7.9p1/kexgssc.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.9p1/kexgssc.c
|
||||
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
||||
+++ openssh-7.9p1/kexgssc.c 2019-02-27 15:44:14.792654941 +0100
|
||||
@@ -0,0 +1,346 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||
@ -1240,7 +1240,7 @@ Index: openssh-7.9p1/kexgssc.c
|
||||
+ char *lang;
|
||||
+ int type = 0;
|
||||
+ int first = 1;
|
||||
+ int nbits = 0, min = fips_dh_grp_min(), max = DH_GRP_MAX;
|
||||
+ int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX;
|
||||
+ u_char hash[SSH_DIGEST_MAX_LENGTH];
|
||||
+ size_t hashlen;
|
||||
+
|
||||
@ -1517,9 +1517,9 @@ Index: openssh-7.9p1/kexgssc.c
|
||||
+#endif /* GSSAPI */
|
||||
Index: openssh-7.9p1/kexgsss.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.9p1/kexgsss.c
|
||||
@@ -0,0 +1,308 @@
|
||||
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
||||
+++ openssh-7.9p1/kexgsss.c 2019-02-27 15:43:51.432516148 +0100
|
||||
@@ -0,0 +1,302 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||
+ *
|
||||
@ -1636,16 +1636,10 @@ Index: openssh-7.9p1/kexgsss.c
|
||||
+ cmin = packet_get_int();
|
||||
+ nbits = packet_get_int();
|
||||
+ cmax = packet_get_int();
|
||||
+ min = MAX(fips_dh_grp_min(), cmin);
|
||||
+ min = MAX(DH_GRP_MIN, cmin);
|
||||
+ max = MIN(DH_GRP_MAX, cmax);
|
||||
+ packet_check_eom();
|
||||
+ if (max < min || nbits < min || max < nbits) {
|
||||
+ if (nbits < min && nbits >= DH_GRP_MIN_RFC)
|
||||
+ logit("DH parameter requested by the client (%d bits) "
|
||||
+ "is considered insecure. "
|
||||
+ "You can lower the accepted minimum "
|
||||
+ "via the KexDHMin option.",
|
||||
+ nbits);
|
||||
+ fatal("GSS_GEX, bad parameters: %d !< %d !< %d",
|
||||
+ min, nbits, max);
|
||||
+ }
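Review bot: The exchange hash computed later in this function must still cover the client's unclamped `cmin`, `nbits` and `cmax` rather than the clamped `min`/`max` produced by `min = MAX(DH_GRP_MIN, cmin);` and `max = MIN(DH_GRP_MAX, cmax);`, as RFC 4419 hashes the requested values; the separate variables suggest that is the case, but the hunk does not show the hash, so it is worth confirming below. Since `fips_dh_grp_min()` is still defined in fips.c in this same commit, replacing it with `DH_GRP_MIN` here means the GSS group exchange no longer has a FIPS-specific floor; if that is intentional, a one-line comment such as `/* DH_GRP_MIN (2048) already meets the FIPS minimum; no fips_dh_grp_min() needed */` would record it. As a point of style, this newly added file reads the three values with the legacy `packet_get_int()`/`packet_check_eom()` API and aborts with `fatal()`, whereas the equivalent upstream kexgexs.c path uses `sshpkt_get_u32()` and reports `SSH_ERR_DH_GEX_OUT_OF_RANGE`, so keeping it in sync with upstream will be easier if it follows that form. The enclosing function starts and ends outside the hunk.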
|
||||
@ -1830,8 +1824,8 @@ Index: openssh-7.9p1/kexgsss.c
|
||||
+#endif /* GSSAPI */
|
||||
Index: openssh-7.9p1/monitor.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/monitor.c
|
||||
+++ openssh-7.9p1/monitor.c
|
||||
--- openssh-7.9p1.orig/monitor.c 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/monitor.c 2019-02-27 15:43:55.360539487 +0100
|
||||
@@ -145,6 +145,8 @@ int mm_answer_gss_setup_ctx(int, struct
|
||||
int mm_answer_gss_accept_ctx(int, struct sshbuf *);
|
||||
int mm_answer_gss_userok(int, struct sshbuf *);
|
||||
@ -2045,8 +2039,8 @@ Index: openssh-7.9p1/monitor.c
|
||||
+#endif /* GSSAPI */
|
||||
Index: openssh-7.9p1/monitor.h
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/monitor.h
|
||||
+++ openssh-7.9p1/monitor.h
|
||||
--- openssh-7.9p1.orig/monitor.h 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/monitor.h 2019-02-27 15:43:55.360539487 +0100
|
||||
@@ -63,6 +63,9 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
|
||||
MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
|
||||
@ -2059,8 +2053,8 @@ Index: openssh-7.9p1/monitor.h
|
||||
struct monitor {
|
||||
Index: openssh-7.9p1/monitor_wrap.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/monitor_wrap.c
|
||||
+++ openssh-7.9p1/monitor_wrap.c
|
||||
--- openssh-7.9p1.orig/monitor_wrap.c 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/monitor_wrap.c 2019-02-27 15:43:55.360539487 +0100
|
||||
@@ -984,7 +984,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
|
||||
}
|
||||
|
||||
@ -2125,8 +2119,8 @@ Index: openssh-7.9p1/monitor_wrap.c
|
||||
#endif /* GSSAPI */
|
||||
Index: openssh-7.9p1/monitor_wrap.h
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/monitor_wrap.h
|
||||
+++ openssh-7.9p1/monitor_wrap.h
|
||||
--- openssh-7.9p1.orig/monitor_wrap.h 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/monitor_wrap.h 2019-02-27 15:43:55.360539487 +0100
|
||||
@@ -60,8 +60,10 @@ int mm_sshkey_verify(const struct sshkey
|
||||
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
|
||||
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
|
||||
@ -2141,8 +2135,8 @@ Index: openssh-7.9p1/monitor_wrap.h
|
||||
#ifdef USE_PAM
|
||||
Index: openssh-7.9p1/readconf.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/readconf.c
|
||||
+++ openssh-7.9p1/readconf.c
|
||||
--- openssh-7.9p1.orig/readconf.c 2019-02-27 15:43:51.296515340 +0100
|
||||
+++ openssh-7.9p1/readconf.c 2019-02-27 15:43:51.432516148 +0100
|
||||
@@ -163,6 +163,8 @@ typedef enum {
|
||||
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
|
||||
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
||||
@ -2173,7 +2167,7 @@ Index: openssh-7.9p1/readconf.c
|
||||
#endif
|
||||
#ifdef ENABLE_PKCS11
|
||||
{ "smartcarddevice", oPKCS11Provider },
|
||||
@@ -980,10 +992,30 @@ parse_time:
|
||||
@@ -976,10 +988,30 @@ parse_time:
|
||||
intptr = &options->gss_authentication;
|
||||
goto parse_flag;
|
||||
|
||||
@ -2204,7 +2198,7 @@ Index: openssh-7.9p1/readconf.c
|
||||
case oBatchMode:
|
||||
intptr = &options->batch_mode;
|
||||
goto parse_flag;
|
||||
@@ -1869,7 +1901,12 @@ initialize_options(Options * options)
|
||||
@@ -1861,7 +1893,12 @@ initialize_options(Options * options)
|
||||
options->pubkey_authentication = -1;
|
||||
options->challenge_response_authentication = -1;
|
||||
options->gss_authentication = -1;
|
||||
@ -2217,7 +2211,7 @@ Index: openssh-7.9p1/readconf.c
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
options->kbd_interactive_devices = NULL;
|
||||
@@ -2016,8 +2053,14 @@ fill_default_options(Options * options)
|
||||
@@ -2007,8 +2044,14 @@ fill_default_options(Options * options)
|
||||
options->challenge_response_authentication = 1;
|
||||
if (options->gss_authentication == -1)
|
||||
options->gss_authentication = 0;
|
||||
@ -2234,8 +2228,8 @@ Index: openssh-7.9p1/readconf.c
|
||||
if (options->kbd_interactive_authentication == -1)
|
||||
Index: openssh-7.9p1/readconf.h
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/readconf.h
|
||||
+++ openssh-7.9p1/readconf.h
|
||||
--- openssh-7.9p1.orig/readconf.h 2019-02-27 15:43:51.296515340 +0100
|
||||
+++ openssh-7.9p1/readconf.h 2019-02-27 15:43:51.432516148 +0100
|
||||
@@ -40,7 +40,12 @@ typedef struct {
|
||||
int challenge_response_authentication;
|
||||
/* Try S/Key or TIS, authentication. */
|
||||
@ -2251,8 +2245,8 @@ Index: openssh-7.9p1/readconf.h
|
||||
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
||||
Index: openssh-7.9p1/regress/cert-hostkey.sh
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/regress/cert-hostkey.sh
|
||||
+++ openssh-7.9p1/regress/cert-hostkey.sh
|
||||
--- openssh-7.9p1.orig/regress/cert-hostkey.sh 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/regress/cert-hostkey.sh 2019-02-27 15:43:51.432516148 +0100
|
||||
@@ -66,7 +66,7 @@ touch $OBJ/host_revoked_plain
|
||||
touch $OBJ/host_revoked_cert
|
||||
cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca
|
||||
@ -2264,8 +2258,8 @@ Index: openssh-7.9p1/regress/cert-hostkey.sh
|
||||
PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
|
||||
Index: openssh-7.9p1/regress/cert-userkey.sh
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/regress/cert-userkey.sh
|
||||
+++ openssh-7.9p1/regress/cert-userkey.sh
|
||||
--- openssh-7.9p1.orig/regress/cert-userkey.sh 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/regress/cert-userkey.sh 2019-02-27 15:43:51.432516148 +0100
|
||||
@@ -7,7 +7,7 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/us
|
||||
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
|
||||
cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
|
||||
@ -2277,8 +2271,8 @@ Index: openssh-7.9p1/regress/cert-userkey.sh
|
||||
if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
|
||||
Index: openssh-7.9p1/regress/kextype.sh
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/regress/kextype.sh
|
||||
+++ openssh-7.9p1/regress/kextype.sh
|
||||
--- openssh-7.9p1.orig/regress/kextype.sh 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/regress/kextype.sh 2019-02-27 15:43:51.432516148 +0100
|
||||
@@ -14,6 +14,9 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/ssh
|
||||
|
||||
tries="1 2 3 4"
|
||||
@ -2291,8 +2285,8 @@ Index: openssh-7.9p1/regress/kextype.sh
|
||||
${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true
|
||||
Index: openssh-7.9p1/regress/rekey.sh
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/regress/rekey.sh
|
||||
+++ openssh-7.9p1/regress/rekey.sh
|
||||
--- openssh-7.9p1.orig/regress/rekey.sh 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/regress/rekey.sh 2019-02-27 15:43:51.436516173 +0100
|
||||
@@ -38,6 +38,9 @@ increase_datafile_size 300
|
||||
|
||||
opts=""
|
||||
@ -2315,9 +2309,9 @@ Index: openssh-7.9p1/regress/rekey.sh
|
||||
done
|
||||
Index: openssh-7.9p1/servconf.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/servconf.c
|
||||
+++ openssh-7.9p1/servconf.c
|
||||
@@ -130,8 +130,10 @@ initialize_server_options(ServerOptions
|
||||
--- openssh-7.9p1.orig/servconf.c 2019-02-27 15:43:51.296515340 +0100
|
||||
+++ openssh-7.9p1/servconf.c 2019-02-27 15:43:51.436516173 +0100
|
||||
@@ -126,8 +126,10 @@ initialize_server_options(ServerOptions
|
||||
options->kerberos_ticket_cleanup = -1;
|
||||
options->kerberos_get_afs_token = -1;
|
||||
options->gss_authentication=-1;
|
||||
@ -2328,7 +2322,7 @@ Index: openssh-7.9p1/servconf.c
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
options->challenge_response_authentication = -1;
|
||||
@@ -373,10 +375,14 @@ fill_default_server_options(ServerOption
|
||||
@@ -360,10 +362,14 @@ fill_default_server_options(ServerOption
|
||||
options->kerberos_get_afs_token = 0;
|
||||
if (options->gss_authentication == -1)
|
||||
options->gss_authentication = 0;
|
||||
@ -2343,7 +2337,7 @@ Index: openssh-7.9p1/servconf.c
|
||||
if (options->password_authentication == -1)
|
||||
options->password_authentication = 1;
|
||||
if (options->kbd_interactive_authentication == -1)
|
||||
@@ -523,6 +529,7 @@ typedef enum {
|
||||
@@ -510,6 +516,7 @@ typedef enum {
|
||||
sHostKeyAlgorithms,
|
||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
||||
@ -2351,7 +2345,7 @@ Index: openssh-7.9p1/servconf.c
|
||||
sAcceptEnv, sSetEnv, sPermitTunnel,
|
||||
sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
|
||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||
@@ -600,11 +607,17 @@ static struct {
|
||||
@@ -587,11 +594,17 @@ static struct {
|
||||
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
|
||||
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
|
||||
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
|
||||
@ -2369,7 +2363,7 @@ Index: openssh-7.9p1/servconf.c
|
||||
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
|
||||
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
|
||||
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
|
||||
@@ -1512,6 +1525,10 @@ process_server_config_line(ServerOptions
|
||||
@@ -1498,6 +1511,10 @@ process_server_config_line(ServerOptions
|
||||
intptr = &options->gss_authentication;
|
||||
goto parse_flag;
|
||||
|
||||
@ -2380,7 +2374,7 @@ Index: openssh-7.9p1/servconf.c
|
||||
case sGssCleanupCreds:
|
||||
intptr = &options->gss_cleanup_creds;
|
||||
goto parse_flag;
|
||||
@@ -1520,6 +1537,10 @@ process_server_config_line(ServerOptions
|
||||
@@ -1506,6 +1523,10 @@ process_server_config_line(ServerOptions
|
||||
intptr = &options->gss_strict_acceptor;
|
||||
goto parse_flag;
|
||||
|
||||
@ -2391,7 +2385,7 @@ Index: openssh-7.9p1/servconf.c
|
||||
case sPasswordAuthentication:
|
||||
intptr = &options->password_authentication;
|
||||
goto parse_flag;
|
||||
@@ -2313,6 +2334,10 @@ copy_set_server_options(ServerOptions *d
|
||||
@@ -2295,6 +2316,10 @@ copy_set_server_options(ServerOptions *d
|
||||
|
||||
M_CP_INTOPT(password_authentication);
|
||||
M_CP_INTOPT(gss_authentication);
|
||||
@ -2402,7 +2396,7 @@ Index: openssh-7.9p1/servconf.c
|
||||
M_CP_INTOPT(pubkey_authentication);
|
||||
M_CP_INTOPT(kerberos_authentication);
|
||||
M_CP_INTOPT(hostbased_authentication);
|
||||
@@ -2609,7 +2634,10 @@ dump_config(ServerOptions *o)
|
||||
@@ -2590,7 +2615,10 @@ dump_config(ServerOptions *o)
|
||||
#endif
|
||||
#ifdef GSSAPI
|
||||
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
|
||||
@ -2415,8 +2409,8 @@ Index: openssh-7.9p1/servconf.c
|
||||
dump_cfg_fmtint(sKbdInteractiveAuthentication,
|
||||
Index: openssh-7.9p1/servconf.h
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/servconf.h
|
||||
+++ openssh-7.9p1/servconf.h
|
||||
--- openssh-7.9p1.orig/servconf.h 2019-02-27 15:43:51.232514961 +0100
|
||||
+++ openssh-7.9p1/servconf.h 2019-02-27 15:43:51.436516173 +0100
|
||||
@@ -16,6 +16,8 @@
|
||||
#ifndef SERVCONF_H
|
||||
#define SERVCONF_H
|
||||
@ -2426,7 +2420,7 @@ Index: openssh-7.9p1/servconf.h
|
||||
#define MAX_PORTS 256 /* Max # ports. */
|
||||
|
||||
#define MAX_SUBSYSTEMS 256 /* Max # subsystems. */
|
||||
@@ -126,8 +128,10 @@ typedef struct {
|
||||
@@ -125,8 +127,10 @@ typedef struct {
|
||||
int kerberos_get_afs_token; /* If true, try to get AFS token if
|
||||
* authenticated with Kerberos. */
|
||||
int gss_authentication; /* If true, permit GSSAPI authentication */
|
||||
@ -2439,8 +2433,8 @@ Index: openssh-7.9p1/servconf.h
|
||||
int kbd_interactive_authentication; /* If true, permit */
|
||||
Index: openssh-7.9p1/ssh-gss.h
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/ssh-gss.h
|
||||
+++ openssh-7.9p1/ssh-gss.h
|
||||
--- openssh-7.9p1.orig/ssh-gss.h 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/ssh-gss.h 2019-02-27 15:43:51.436516173 +0100
|
||||
@@ -61,10 +61,22 @@
|
||||
|
||||
#define SSH_GSS_OIDTYPE 0x06
|
||||
@ -2533,9 +2527,9 @@ Index: openssh-7.9p1/ssh-gss.h
|
||||
#endif /* _SSH_GSS_H */
|
||||
Index: openssh-7.9p1/ssh_config
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/ssh_config
|
||||
+++ openssh-7.9p1/ssh_config
|
||||
@@ -45,6 +45,8 @@ Host *
|
||||
--- openssh-7.9p1.orig/ssh_config 2019-02-27 15:43:51.172514604 +0100
|
||||
+++ openssh-7.9p1/ssh_config 2019-02-27 15:43:51.436516173 +0100
|
||||
@@ -40,6 +40,8 @@ Host *
|
||||
# HostbasedAuthentication no
|
||||
# GSSAPIAuthentication no
|
||||
# GSSAPIDelegateCredentials no
|
||||
@ -2546,8 +2540,8 @@ Index: openssh-7.9p1/ssh_config
|
||||
# AddressFamily any
|
||||
Index: openssh-7.9p1/ssh_config.0
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/ssh_config.0
|
||||
+++ openssh-7.9p1/ssh_config.0
|
||||
--- openssh-7.9p1.orig/ssh_config.0 2019-02-27 15:43:51.300515365 +0100
|
||||
+++ openssh-7.9p1/ssh_config.0 2019-02-27 15:43:51.436516173 +0100
|
||||
@@ -422,9 +422,40 @@ DESCRIPTION
|
||||
Specifies whether user authentication based on GSSAPI is allowed.
|
||||
The default is no.
|
||||
@ -2591,8 +2585,8 @@ Index: openssh-7.9p1/ssh_config.0
|
||||
they are added to ~/.ssh/known_hosts. These hashed names may be
|
||||
Index: openssh-7.9p1/ssh_config.5
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/ssh_config.5
|
||||
+++ openssh-7.9p1/ssh_config.5
|
||||
--- openssh-7.9p1.orig/ssh_config.5 2019-02-27 15:43:51.300515365 +0100
|
||||
+++ openssh-7.9p1/ssh_config.5 2019-02-27 15:43:51.436516173 +0100
|
||||
@@ -738,10 +738,40 @@ The default is
|
||||
Specifies whether user authentication based on GSSAPI is allowed.
|
||||
The default is
|
||||
@ -2636,8 +2630,8 @@ Index: openssh-7.9p1/ssh_config.5
|
||||
.Xr ssh 1
|
||||
Index: openssh-7.9p1/sshconnect2.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/sshconnect2.c
|
||||
+++ openssh-7.9p1/sshconnect2.c
|
||||
--- openssh-7.9p1.orig/sshconnect2.c 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/sshconnect2.c 2019-02-27 15:43:51.436516173 +0100
|
||||
@@ -82,6 +82,124 @@ extern char *client_version_string;
|
||||
extern char *server_version_string;
|
||||
extern Options options;
|
||||
@ -2956,7 +2950,7 @@ Index: openssh-7.9p1/sshconnect2.c
|
||||
#endif /* GSSAPI */
|
||||
|
||||
int
|
||||
@@ -1473,8 +1716,8 @@ key_type_allowed_by_config(struct sshkey
|
||||
@@ -1473,8 +1713,8 @@ key_type_allowed_by_config(struct sshkey
|
||||
|
||||
/*
|
||||
* try keys in the following order:
|
||||
@ -2969,8 +2963,8 @@ Index: openssh-7.9p1/sshconnect2.c
|
||||
* 5. keys that are only listed in the config file
|
||||
Index: openssh-7.9p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/sshd.c
|
||||
+++ openssh-7.9p1/sshd.c
|
||||
--- openssh-7.9p1.orig/sshd.c 2019-02-27 15:43:51.412516029 +0100
|
||||
+++ openssh-7.9p1/sshd.c 2019-02-27 15:43:55.360539487 +0100
|
||||
@@ -131,6 +131,10 @@
|
||||
|
||||
#include "fips.h"
|
||||
@ -3204,9 +3198,9 @@ Index: openssh-7.9p1/sshd.c
|
||||
kex->server_version_string=server_version_string;
|
||||
Index: openssh-7.9p1/sshd_config
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/sshd_config
|
||||
+++ openssh-7.9p1/sshd_config
|
||||
@@ -76,6 +76,8 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
--- openssh-7.9p1.orig/sshd_config 2019-02-27 15:43:51.172514604 +0100
|
||||
+++ openssh-7.9p1/sshd_config 2019-02-27 15:43:51.436516173 +0100
|
||||
@@ -69,6 +69,8 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
# GSSAPI options
|
||||
#GSSAPIAuthentication no
|
||||
#GSSAPICleanupCredentials yes
|
||||
@ -3217,8 +3211,8 @@ Index: openssh-7.9p1/sshd_config
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
Index: openssh-7.9p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/sshd_config.5
|
||||
+++ openssh-7.9p1/sshd_config.5
|
||||
--- openssh-7.9p1.orig/sshd_config.5 2019-02-27 15:43:51.300515365 +0100
|
||||
+++ openssh-7.9p1/sshd_config.5 2019-02-27 15:43:51.436516173 +0100
|
||||
@@ -655,6 +655,11 @@ Specifies whether to automatically destr
|
||||
on logout.
|
||||
The default is
|
||||
@ -3243,7 +3237,7 @@ Index: openssh-7.9p1/sshd_config.5
|
||||
.It Cm HostbasedAcceptedKeyTypes
|
||||
Specifies the key types that will be accepted for hostbased authentication
|
||||
as a list of comma-separated patterns.
|
||||
@@ -1643,16 +1653,16 @@ as a non-root user.
|
||||
@@ -1627,16 +1637,16 @@ as a non-root user.
|
||||
The default is
|
||||
.Cm no .
|
||||
.It Cm UsePAMCheckLocks
|
||||
@ -3265,8 +3259,8 @@ Index: openssh-7.9p1/sshd_config.5
|
||||
Optionally specifies additional text to append to the SSH protocol banner
|
||||
Index: openssh-7.9p1/sshkey.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/sshkey.c
|
||||
+++ openssh-7.9p1/sshkey.c
|
||||
--- openssh-7.9p1.orig/sshkey.c 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/sshkey.c 2019-02-27 15:43:55.360539487 +0100
|
||||
@@ -135,6 +135,7 @@ static const struct keytype keytypes[] =
|
||||
# endif /* OPENSSL_HAS_NISTP521 */
|
||||
# endif /* OPENSSL_HAS_ECC */
|
||||
@ -3277,8 +3271,8 @@ Index: openssh-7.9p1/sshkey.c
|
||||
|
||||
Index: openssh-7.9p1/sshkey.h
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/sshkey.h
|
||||
+++ openssh-7.9p1/sshkey.h
|
||||
--- openssh-7.9p1.orig/sshkey.h 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/sshkey.h 2019-02-27 15:43:55.360539487 +0100
|
||||
@@ -64,6 +64,7 @@ enum sshkey_types {
|
||||
KEY_ED25519_CERT,
|
||||
KEY_XMSS,
|
||||
@ -3289,8 +3283,8 @@ Index: openssh-7.9p1/sshkey.h
|
||||
|
||||
Index: openssh-7.9p1/sshd_config.0
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/sshd_config.0
|
||||
+++ openssh-7.9p1/sshd_config.0
|
||||
--- openssh-7.9p1.orig/sshd_config.0 2019-02-27 15:43:51.300515365 +0100
|
||||
+++ openssh-7.9p1/sshd_config.0 2019-02-27 15:43:51.436516173 +0100
|
||||
@@ -380,6 +380,12 @@ DESCRIPTION
|
||||
Specifies whether user authentication based on GSSAPI is allowed.
|
||||
The default is no.
|
||||
|
@ -1,3 +1,30 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Feb 28 19:20:58 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
|
||||
|
||||
- Correctly filter out non-compliant algorithms when in FIPS mode
|
||||
(bsc#1126397)
|
||||
* A hunk was applied to a wrong place due to a patch fuzz when
|
||||
the fips patch was being ported to openssh 7.9p1
|
||||
- update openssh-7.7p1-fips.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Feb 27 12:29:05 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
|
||||
|
||||
- Remove the "KexDHMin" config keyword (bsc#1127180)
|
||||
It used to allow lowering of the minimal allowed DH group size,
|
||||
which was increased to 2048 by upstream in the light of the Logjam
|
||||
attack.
|
||||
The code was broken since the upgrade to 7.6p1, but nobody noticed.
|
||||
As apparently no one needs the functionality any more, let's drop
|
||||
the patch.
|
||||
It's still possible to use the fixed 1024-bit diffie-hellman-group1-sha1
|
||||
key exchange method when working with legacy systems.
|
||||
- drop openssh-7.7p1-disable_short_DH_parameters.patch
|
||||
- updated patches:
|
||||
openssh-7.7p1-fips.patch
|
||||
openssh-7.7p1-fips_checks.patch
|
||||
openssh-7.7p1-gssapi_key_exchange.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Feb 18 10:01:45 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
|
||||
|
||||
|
@ -65,7 +65,6 @@ Patch7: openssh-7.7p1-hostname_changes_when_forwarding_X.patch
|
||||
Patch8: openssh-7.7p1-remove_xauth_cookies_on_exit.patch
|
||||
Patch9: openssh-7.7p1-pts_names_formatting.patch
|
||||
Patch10: openssh-7.7p1-pam_check_locks.patch
|
||||
Patch11: openssh-7.7p1-disable_short_DH_parameters.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
|
||||
Patch14: openssh-7.7p1-seccomp_stat.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
|
||||
|