Accepting request 644397 from home:pmonrealgonzalez:branches:network

* openssh-7.7p1-cavstest-ctr.patch
  * openssh-7.7p1-ldap.patch

OBS-URL: https://build.opensuse.org/request/show/644397
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=161
This commit is contained in:
Tomáš Chvátal 2018-10-24 17:58:38 +00:00 committed by Git OBS Bridge
parent b21be4c6b4
commit 5f87526504
6 changed files with 224 additions and 274 deletions


@ -7,7 +7,7 @@ Index: openssh-7.9p1/Makefile.in
===================================================================
--- openssh-7.9p1.orig/Makefile.in
+++ openssh-7.9p1/Makefile.in
@@ -110,6 +110,8 @@ LIBSSH_OBJS += fips.o
@@ -111,6 +111,8 @@ LIBSSH_OBJS += fips.o
LIBSSH_OBJS += kexgssc.o kexgsss.o
@ -97,7 +97,7 @@ Index: openssh-7.9p1/audit-linux.c
===================================================================
--- openssh-7.9p1.orig/audit-linux.c
+++ openssh-7.9p1/audit-linux.c
@@ -33,27 +33,40 @@
@@ -33,27 +33,41 @@
#include "log.h"
#include "audit.h"
@ -106,6 +106,7 @@ Index: openssh-7.9p1/audit-linux.c
+#include "auth.h"
+#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
+#include "servconf.h"
+#include "ssherr.h"
#include "canohost.h"
#include "packet.h"
-
@ -146,7 +147,7 @@ Index: openssh-7.9p1/audit-linux.c
saved_errno = errno;
close(audit_fd);
@@ -65,9 +78,96 @@ linux_audit_record_event(int uid, const
@@ -65,9 +79,96 @@ linux_audit_record_event(int uid, const
rc = 0;
errno = saved_errno;
@ -244,7 +245,7 @@ Index: openssh-7.9p1/audit-linux.c
/* Below is the sshd audit API code */
void
@@ -76,24 +176,55 @@ audit_connection_from(const char *host,
@@ -76,24 +177,55 @@ audit_connection_from(const char *host,
/* not implemented */
}
@ -306,7 +307,7 @@ Index: openssh-7.9p1/audit-linux.c
}
void
@@ -102,25 +233,155 @@ audit_event(ssh_audit_event_t event)
@@ -102,25 +234,155 @@ audit_event(ssh_audit_event_t event)
struct ssh *ssh = active_state; /* XXX */
switch(event) {
@ -1308,32 +1309,15 @@ Index: openssh-7.9p1/monitor.c
}
@@ -1906,19 +1988,19 @@ mm_answer_gss_sign(int socket, struct ss
int r;
if (!options.gss_authentication && !options.gss_keyex)
- fatal("In GSSAPI monitor when GSSAPI is disabled");
+ fatal("In GSSAPI monitor when GSSAPI is disabled");
@@ -1909,7 +1991,7 @@ mm_answer_gss_sign(int socket, struct ss
fatal("In GSSAPI monitor when GSSAPI is disabled");
if ((r = sshbuf_get_string(m, (u_char **)&data.value, &data.length)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
if (data.length != 20)
- fatal("%s: data length incorrect: %d", __func__,
- (int) data.length);
+ fatal("%s: data length incorrect: %d", __func__,
+ (int) data.length);
/* Save the session ID on the first time around */
if (session_id2_len == 0) {
- session_id2_len = data.length;
- session_id2 = xmalloc(session_id2_len);
- memcpy(session_id2, data.value, session_id2_len);
+ session_id2_len = data.length;
+ session_id2 = xmalloc(session_id2_len);
+ memcpy(session_id2, data.value, session_id2_len);
}
major = ssh_gssapi_sign(gsscontext, &data, &hash);
fatal("%s: data length incorrect: %d", __func__,
(int) data.length);
@@ -1966,3 +2048,102 @@ mm_answer_gss_updatecreds(int socket, st
}
@ -2091,24 +2075,24 @@ Index: openssh-7.9p1/sshd.c
for (i = 0; i < options.num_host_key_files; i++) {
if (sensitive_data.host_keys[i]) {
- sshkey_free(sensitive_data.host_keys[i]);
+ char *fp;
+ char *fp;
+
+ if (sshkey_is_private(sensitive_data.host_keys[i]))
+ fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
+ else
+ fp = NULL;
+ sshkey_free(sensitive_data.host_keys[i]);
+ if (sshkey_is_private(sensitive_data.host_keys[i]))
+ fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
+ else
+ fp = NULL;
+ sshkey_free(sensitive_data.host_keys[i]);
sensitive_data.host_keys[i] = NULL;
+ if (fp != NULL) {
+#ifdef SSH_AUDIT_EVENTS
+ if (privsep)
+ PRIVSEP(audit_destroy_sensitive_data(fp,
+ pid, uid));
+ else
+ audit_destroy_sensitive_data(fp,
+ pid, uid);
+ if (privsep)
+ PRIVSEP(audit_destroy_sensitive_data(fp,
+ pid, uid));
+ else
+ audit_destroy_sensitive_data(fp,
+ pid, uid);
+#endif
+ free(fp);
+ free(fp);
+ }
}
- if (sensitive_data.host_certificates[i]) {
@ -2211,43 +2195,6 @@ Index: openssh-7.9p1/sshd.c
audit_event(SSH_CONNECTION_ABANDON);
#endif
_exit(i);
Index: openssh-7.9p1/sshkey.c
===================================================================
--- openssh-7.9p1.orig/sshkey.c
+++ openssh-7.9p1/sshkey.c
@@ -331,6 +331,32 @@ sshkey_type_is_valid_ca(int type)
}
int
+sshkey_is_private(const struct sshkey *k)
+{
+ switch (k->type) {
+#ifdef WITH_OPENSSL
+ case KEY_RSA_CERT:
+ case KEY_RSA:
+ return k->rsa->d != NULL;
+ case KEY_DSA_CERT:
+ case KEY_DSA:
+ return k->dsa->priv_key != NULL;
+#ifdef OPENSSL_HAS_ECC
+ case KEY_ECDSA_CERT:
+ case KEY_ECDSA:
+ return EC_KEY_get0_private_key(k->ecdsa) != NULL;
+#endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
+ case KEY_ED25519_CERT:
+ case KEY_ED25519:
+ return (k->ed25519_pk != NULL);
+ default:
+ /* fatal("key_is_private: bad key type %d", k->type); */
+ return 0;
+ }
+}
+
+int
sshkey_is_cert(const struct sshkey *k)
{
if (k == NULL)
Index: openssh-7.9p1/sshkey.h
===================================================================
--- openssh-7.9p1.orig/sshkey.h
@ -2260,3 +2207,46 @@ Index: openssh-7.9p1/sshkey.h
int sshkey_is_cert(const struct sshkey *);
int sshkey_type_is_cert(int);
int sshkey_type_plain(int);
Index: openssh-7.9p1/sshkey.c
===================================================================
--- openssh-7.9p1.orig/sshkey.c
+++ openssh-7.9p1/sshkey.c
@@ -331,6 +331,38 @@ sshkey_type_is_valid_ca(int type)
}
int
+sshkey_is_private(const struct sshkey *k)
+{
+ switch (k->type) {
+#ifdef WITH_OPENSSL
+ case KEY_RSA_CERT:
+ case KEY_RSA: {
+ const BIGNUM *d;
+ RSA_get0_key(k->rsa, NULL, NULL, &d);
+ return d != NULL;
+ }
+ case KEY_DSA_CERT:
+ case KEY_DSA: {
+ const BIGNUM *priv_key;
+ DSA_get0_key(k->dsa, NULL, &priv_key);
+ return priv_key != NULL;
+ }
+#ifdef OPENSSL_HAS_ECC
+ case KEY_ECDSA_CERT:
+ case KEY_ECDSA:
+ return EC_KEY_get0_private_key(k->ecdsa) != NULL;
+#endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
+ case KEY_ED25519_CERT:
+ case KEY_ED25519:
+ return (k->ed25519_pk != NULL);
+ default:
+ /* fatal("key_is_private: bad key type %d", k->type); */
+ return 0;
+ }
+}
+
+int
sshkey_is_cert(const struct sshkey *k)
{
if (k == NULL)
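Review bot: In the new sshkey_is_private body the ed25519 arm tests the public half of the key, `return (k->ed25519_pk != NULL);`, while every other arm tests the private component (`d`, `priv_key`, the EC private key), so a public-only ed25519 key is reported as private and the sshd.c hunk above goes on to fingerprint it and audit it as destroyed sensitive data; the check should be `return (k->ed25519_sk != NULL);`. The switch also has no arm for the XMSS key type, although the Makefile hunks on this page compile the xmss_*.o objects, so if XMSS host keys are enabled in this build they fall to `default:` and are silently never audited — worth confirming that is intended. Unlike its neighbour sshkey_is_cert, the function dereferences `k` with no NULL guard; `if (k == NULL) return 0;` would keep the two consistent even though the only visible caller checks the pointer first. sshkey_is_cert's body continues outside the hunk.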


@ -2,15 +2,11 @@
# Parent cc1022edba2c5eeb0facba08468f65afc2466b63
CAVS test for OpenSSH's own CTR encryption mode implementation
diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
--- openssh-7.7p1/Makefile.in
+++ openssh-7.7p1/Makefile.in
@@ -19,16 +19,17 @@ top_srcdir=@top_srcdir@
DESTDIR=
VPATH=@srcdir@
SSH_PROGRAM=@bindir@/ssh
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
Index: openssh-7.9p1/Makefile.in
===================================================================
--- openssh-7.9p1.orig/Makefile.in
+++ openssh-7.9p1/Makefile.in
@@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
@ -18,17 +14,7 @@ diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
STRIP_OPT=@STRIP_OPT@
TEST_SHELL=@TEST_SHELL@
PATHS= -DSSHDIR=\"$(sysconfdir)\" \
-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
@@ -57,16 +58,18 @@ ENT=@ENT@
XAUTH_PATH=@XAUTH_PATH@
LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
EXEEXT=@EXEEXT@
MANFMT=@MANFMT@
MKDIR_P=@MKDIR_P@
@@ -62,6 +63,8 @@ MKDIR_P=@MKDIR_P@
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
@ -37,17 +23,7 @@ diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
XMSS_OBJS=\
ssh-xmss.o \
sshkey-xmss.o \
xmss_commons.o \
xmss_fast.o \
xmss_hash.o \
xmss_hash_address.o \
xmss_wots.o
@@ -199,16 +202,20 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libss
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@@ -204,6 +207,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
@ -58,17 +34,7 @@ diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
# test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
$(MANPAGES): $(MANPAGES_IN)
if test "$(MANTYPE)" = "cat"; then \
manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \
else \
@@ -339,16 +346,17 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
@@ -348,6 +355,7 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@ -76,15 +42,10 @@ diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
$(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
$(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
$(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
$(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
diff --git a/openssh-7.7p1/cavstest-ctr.c b/openssh-7.7p1/cavstest-ctr.c
new file mode 100644
Index: openssh-7.9p1/cavstest-ctr.c
===================================================================
--- /dev/null
+++ openssh-7.7p1/cavstest-ctr.c
+++ openssh-7.9p1/cavstest-ctr.c
@@ -0,0 +1,214 @@
+/*
+ *
@ -238,7 +199,7 @@ new file mode 100644
+ usage();
+ }
+
+ SSLeay_add_all_algorithms();
+ OpenSSL_add_all_algorithms();
+
+ c = cipher_by_name(algo);
+ if (c == NULL) {
@ -300,15 +261,11 @@ new file mode 100644
+ printf("\n");
+ return 0;
+}
diff --git a/openssh-7.7p1/cipher.c b/openssh-7.7p1/cipher.c
--- openssh-7.7p1/cipher.c
+++ openssh-7.7p1/cipher.c
@@ -49,25 +49,16 @@
#include "ssherr.h"
#include "digest.h"
#include "openbsd-compat/openssl-compat.h"
Index: openssh-7.9p1/cipher.c
===================================================================
--- openssh-7.9p1.orig/cipher.c
+++ openssh-7.9p1/cipher.c
@@ -54,15 +54,6 @@
#include "fips.h"
#include "log.h"
@ -324,20 +281,11 @@ diff --git a/openssh-7.7p1/cipher.c b/openssh-7.7p1/cipher.c
struct sshcipher {
char *name;
u_int block_size;
u_int key_len;
u_int iv_len; /* defaults to block_size */
u_int auth_len;
u_int flags;
#define CFLAG_CBC (1<<0)
diff --git a/openssh-7.7p1/cipher.h b/openssh-7.7p1/cipher.h
--- openssh-7.7p1/cipher.h
+++ openssh-7.7p1/cipher.h
@@ -41,17 +41,25 @@
#include <openssl/evp.h>
#include "cipher-chachapoly.h"
#include "cipher-aesctr.h"
#define CIPHER_ENCRYPT 1
Index: openssh-7.9p1/cipher.h
===================================================================
--- openssh-7.9p1.orig/cipher.h
+++ openssh-7.9p1/cipher.h
@@ -46,7 +46,15 @@
#define CIPHER_DECRYPT 0
struct sshcipher;
@ -354,8 +302,3 @@ diff --git a/openssh-7.7p1/cipher.h b/openssh-7.7p1/cipher.h
const struct sshcipher *cipher_by_name(const char *);
const char *cipher_warning_message(const struct sshcipher_ctx *);
int ciphers_valid(const char *);
char *cipher_alg_list(char, int);
int cipher_init(struct sshcipher_ctx **, const struct sshcipher *,
const u_char *, u_int, const u_char *, u_int, int);
int cipher_crypt(struct sshcipher_ctx *, u_int, u_char *, const u_char *,


@ -753,7 +753,7 @@ Index: openssh-7.9p1/readconf.c
KEX_DEFAULT_PK_ALG, all_key) != 0)
fatal("%s: kex_assemble_names failed", __func__);
free(all_key);
+ filter_fips_algorithms(options);
+ filter_fips_algorithms(o);
/* Most interesting options first: user, host, port */
dump_cfg_string(oUser, o->user);
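Review bot: `filter_fips_algorithms(o);` now names the parameter that is actually in scope, but it sits directly before the `dump_cfg_string(...)` calls, i.e. in what appears to be the configuration-dump path rather than the path that fills in the defaults used for a real connection; if the defaults path does not apply the same filter, the dumped algorithm lists would differ from what the client actually offers — please confirm the filter also runs there, or that the dump is produced from already-filtered options. The enclosing function starts and ends outside the hunk, so the declaration of `o` and whether `filter_fips_algorithms` reports a result that should be checked are not visible here.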


@ -5,7 +5,12 @@ Index: openssh-7.9p1/Makefile.in
===================================================================
--- openssh-7.9p1.orig/Makefile.in
+++ openssh-7.9p1/Makefile.in
@@ -108,6 +108,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
@@ -104,10 +104,13 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
+ kexgssc.o \
platform-pledge.o platform-tracing.o platform-misc.o
LIBSSH_OBJS += fips.o
@ -14,6 +19,15 @@ Index: openssh-7.9p1/Makefile.in
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect2.o mux.o
@@ -119,7 +122,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o \
monitor.o monitor_wrap.o auth-krb5.o \
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
Index: openssh-7.9p1/auth-krb5.c
===================================================================
--- openssh-7.9p1.orig/auth-krb5.c
@ -105,7 +119,7 @@ Index: openssh-7.9p1/auth2-gss.c
+ packet_check_eom();
+
+ if ((b = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__);
+ fatal("%s: sshbuf_new failed", __func__);
+
+ ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
+ "gssapi-keyex");
@ -129,7 +143,7 @@ Index: openssh-7.9p1/auth2-gss.c
* We only support those mechanisms that we know about (ie ones that we know
* how to check local user kuserok and the like)
*/
@@ -260,7 +299,8 @@ input_gssapi_exchange_complete(int type,
@@ -260,7 +302,8 @@ input_gssapi_exchange_complete(int type,
if ((r = sshpkt_get_end(ssh)) != 0)
fatal("%s: %s", __func__, ssh_err(r));
@ -139,7 +153,7 @@ Index: openssh-7.9p1/auth2-gss.c
if ((!use_privsep || mm_is_monitor()) &&
(displayname = ssh_gssapi_displayname()) != NULL)
@@ -306,7 +346,8 @@ input_gssapi_mic(int type, u_int32_t ple
@@ -306,7 +349,8 @@ input_gssapi_mic(int type, u_int32_t ple
gssbuf.length = sshbuf_len(b);
if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
@ -149,7 +163,7 @@ Index: openssh-7.9p1/auth2-gss.c
else
logit("GSSAPI MIC check failed");
@@ -326,6 +367,12 @@ input_gssapi_mic(int type, u_int32_t ple
@@ -326,6 +370,12 @@ input_gssapi_mic(int type, u_int32_t ple
return 0;
}
@ -296,7 +310,7 @@ Index: openssh-7.9p1/gss-genr.c
===================================================================
--- openssh-7.9p1.orig/gss-genr.c
+++ openssh-7.9p1/gss-genr.c
@@ -41,12 +41,169 @@
@@ -41,12 +41,174 @@
#include "sshbuf.h"
#include "log.h"
#include "ssh2.h"
@ -359,7 +373,7 @@ Index: openssh-7.9p1/gss-genr.c
+ u_char digest[EVP_MAX_MD_SIZE];
+ char deroid[2];
+ const EVP_MD *evp_md = EVP_md5();
+ EVP_MD_CTX md;
+ EVP_MD_CTX *md;
+
+ if (gss_enc2oid != NULL) {
+ for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
@ -373,6 +387,7 @@ Index: openssh-7.9p1/gss-genr.c
+ if ((buf = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__);
+
+ md = EVP_MD_CTX_new();
+ oidpos = 0;
+ for (i = 0; i < gss_supported->count; i++) {
+ if (gss_supported->elements[i].length < 128 &&
@ -381,36 +396,40 @@ Index: openssh-7.9p1/gss-genr.c
+ deroid[0] = SSH_GSS_OIDTYPE;
+ deroid[1] = gss_supported->elements[i].length;
+
+ EVP_DigestInit(&md, evp_md);
+ EVP_DigestUpdate(&md, deroid, 2);
+ EVP_DigestUpdate(&md,
+ EVP_DigestInit(md, evp_md);
+ EVP_DigestUpdate(md, deroid, 2);
+ EVP_DigestUpdate(md,
+ gss_supported->elements[i].elements,
+ gss_supported->elements[i].length);
+ EVP_DigestFinal(&md, digest, NULL);
+ EVP_DigestFinal(md, digest, NULL);
+
+ encoded = xmalloc(EVP_MD_size(evp_md) * 2);
+ enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
+ encoded, EVP_MD_size(evp_md) * 2);
+
+ cp = strncpy(s, kex, strlen(kex));
+ for ((p = strsep(&cp, ",")); p && *p != '\0';
+ (p = strsep(&cp, ","))) {
+ if (sshbuf_len(buf) != 0)
+ if ((r = sshbuf_put_u8(buf, ',')) !=0)
+ fatal("%s: buffer error: %s",
+ __func__, ssh_err(r));
+ if ((r = sshbuf_put(buf, p, strlen(p))) != 0 ||
+ (r = sshbuf_put(buf, encoded, enclen)) != 0)
+ fatal("%s: buffer error: %s",
+ __func__, ssh_err(r));
+ }
+ if (oidpos != 0)
+ if ((r = sshbuf_put_u8(buf, ',')) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
+ if ((r = sshbuf_put(buf, KEX_GSS_GEX_SHA1_ID,
+ sizeof(KEX_GSS_GEX_SHA1_ID) - 1)) != 0 ||
+ (r = sshbuf_put(buf, encoded, enclen)) != 0 ||
+ (r = sshbuf_put_u8(buf, ',')) != 0 ||
+ (r = sshbuf_put(buf, KEX_GSS_GRP1_SHA1_ID,
+ sizeof(KEX_GSS_GRP1_SHA1_ID) - 1)) != 0 ||
+ (r = sshbuf_put(buf, encoded, enclen)) != 0 ||
+ (r = sshbuf_put_u8(buf, ',')) != 0 ||
+ (r = sshbuf_put(buf, KEX_GSS_GRP14_SHA1_ID,
+ sizeof(KEX_GSS_GRP14_SHA1_ID) - 1)) != 0 ||
+ (r = sshbuf_put(buf, encoded, enclen)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
+ gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
+ gss_enc2oid[oidpos].encoded = encoded;
+ oidpos++;
+ }
+ }
+ free(s);
+ EVP_MD_CTX_free(md);
+ gss_enc2oid[oidpos].oid = NULL;
+ gss_enc2oid[oidpos].encoded = NULL;
+
@ -466,7 +485,7 @@ Index: openssh-7.9p1/gss-genr.c
/* sshbuf_get for gss_buffer_desc */
int
ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
@@ -218,7 +375,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de
@@ -218,7 +381,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de
}
ctx->major = gss_init_sec_context(&ctx->minor,
@ -475,7 +494,7 @@ Index: openssh-7.9p1/gss-genr.c
GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
0, NULL, recv_tok, NULL, send_tok, flags, NULL);
@@ -248,8 +405,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con
@@ -248,8 +411,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con
}
OM_uint32
@ -518,7 +537,7 @@ Index: openssh-7.9p1/gss-genr.c
if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
GSS_C_QOP_DEFAULT, buffer, hash)))
ssh_gssapi_error(ctx);
@@ -257,6 +448,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer
@@ -257,6 +454,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer
return (ctx->major);
}
@ -538,7 +557,7 @@ Index: openssh-7.9p1/gss-genr.c
void
ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
const char *context)
@@ -273,22 +477,31 @@ ssh_gssapi_buildmic(struct sshbuf *b, co
@@ -273,22 +483,31 @@ ssh_gssapi_buildmic(struct sshbuf *b, co
}
int
@ -573,7 +592,7 @@ Index: openssh-7.9p1/gss-genr.c
NULL);
gss_release_buffer(&minor, &token);
if ((*ctx)->context != GSS_C_NO_CONTEXT)
@@ -296,10 +509,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
@@ -296,10 +515,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
GSS_C_NO_BUFFER);
}
@ -654,7 +673,7 @@ Index: openssh-7.9p1/gss-serv-krb5.c
const char *errmsg;
if (client->creds == NULL) {
@@ -180,11 +180,26 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
@@ -180,11 +180,23 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
return;
}
@ -668,7 +687,6 @@ Index: openssh-7.9p1/gss-serv-krb5.c
- snprintf(client->store.envval, len, "FILE:%s", client->store.filename);
+#ifdef USE_CCAPI
+ xasprintf(&client->store.envval, "API:%s", new_ccname);
+ client->store.filename = NULL;
+#else
+ if (new_ccname[0] == ':')
+ new_ccname++;
@ -679,8 +697,6 @@ Index: openssh-7.9p1/gss-serv-krb5.c
+ if (p)
+ *p = '\0';
+ }
+ if ((strcmp(new_cctype, "FILE") == 0) || (strcmp(new_cctype, "DIR") == 0))
+ client->store.filename = xstrdup(new_ccname);
+#endif
#ifdef USE_PAM
@ -1152,7 +1168,7 @@ Index: openssh-7.9p1/kexgssc.c
===================================================================
--- /dev/null
+++ openssh-7.9p1/kexgssc.c
@@ -0,0 +1,348 @@
@@ -0,0 +1,346 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ *
@ -1216,13 +1232,12 @@ Index: openssh-7.9p1/kexgssc.c
+ BIGNUM *shared_secret = NULL;
+ BIGNUM *p = NULL;
+ BIGNUM *g = NULL;
+ const BIGNUM *pub_key, *p1, *g1;
+ u_char *kbuf;
+ u_char *serverhostkey = NULL;
+ u_char *empty = "";
+ char *msg;
+ /* TODO
+ char *lang;
+ */
+ int type = 0;
+ int first = 1;
+ int nbits = 0, min = fips_dh_grp_min(), max = DH_GRP_MAX;
@ -1279,8 +1294,9 @@ Index: openssh-7.9p1/kexgssc.c
+ fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
+ }
+
+ /* Step 1 - e is dh->pub_key */
+ /* Step 1 - e is pub_key */
+ dh_gen_key(dh, ssh->kex->we_need * 8);
+ DH_get0_key(dh, &pub_key, NULL);
+
+ /* This is f, we initialise it now to make life easier */
+ dh_server_pub = BN_new();
@ -1328,7 +1344,7 @@ Index: openssh-7.9p1/kexgssc.c
+ packet_start(SSH2_MSG_KEXGSS_INIT);
+ packet_put_string(send_tok.value,
+ send_tok.length);
+ packet_put_bignum2(dh->pub_key);
+ packet_put_bignum2((BIGNUM *)pub_key);
+ first = 0;
+ } else {
+ packet_start(SSH2_MSG_KEXGSS_CONTINUE);
@ -1383,9 +1399,7 @@ Index: openssh-7.9p1/kexgssc.c
+ maj_status = packet_get_int();
+ min_status = packet_get_int();
+ msg = packet_get_string(NULL);
+ /* TODO
+ lang = packet_get_string(NULL);
+ */
+ fatal("GSSAPI Error: \n%.400s",msg);
+ default:
+ packet_disconnect("Protocol error: didn't expect packet type %d",
@ -1415,7 +1429,7 @@ Index: openssh-7.9p1/kexgssc.c
+ klen = DH_size(dh);
+ kbuf = xmalloc(klen);
+ kout = DH_compute_key(kbuf, dh_server_pub, dh);
+ if ((int)kout < 0)
+ if (kout < 0)
+ fatal("DH_compute_key: failed");
+
+ shared_secret = BN_new();
@ -1434,18 +1448,19 @@ Index: openssh-7.9p1/kexgssc.c
+ case KEX_GSS_GRP14_SHA1:
+ kex_dh_hash(
+ ssh->kex->hash_alg,
+ ssh->kex->client_version_string,
+ ssh->kex->client_version_string,
+ ssh->kex->server_version_string,
+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
+ (serverhostkey ? serverhostkey : empty), slen,
+ dh->pub_key, /* e */
+ pub_key, /* e */
+ dh_server_pub, /* f */
+ shared_secret, /* K */
+ hash, &hashlen
+ );
+ break;
+ case KEX_GSS_GEX_SHA1:
+ DH_get0_pqg(dh, &p1, NULL, &g1);
+ kexgex_hash(
+ ssh->kex->hash_alg,
+ ssh->kex->client_version_string,
@ -1454,8 +1469,8 @@ Index: openssh-7.9p1/kexgssc.c
+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
+ (serverhostkey ? serverhostkey : empty), slen,
+ min, nbits, max,
+ dh->p, dh->g,
+ dh->pub_key,
+ p, g,
+ pub_key,
+ dh_server_pub,
+ shared_secret,
+ hash, &hashlen
@ -1494,7 +1509,6 @@ Index: openssh-7.9p1/kexgssc.c
+ else
+ ssh_gssapi_delete_ctx(&ctxt);
+
+ /* TODO: check kex_derive_keys_bn return value */
+ kex_derive_keys_bn(ssh, hash, hashlen, shared_secret);
+ BN_clear_free(shared_secret);
+ return kex_send_newkeys(ssh);
@ -1505,7 +1519,7 @@ Index: openssh-7.9p1/kexgsss.c
===================================================================
--- /dev/null
+++ openssh-7.9p1/kexgsss.c
@@ -0,0 +1,307 @@
@@ -0,0 +1,308 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ *
@ -1586,6 +1600,7 @@ Index: openssh-7.9p1/kexgsss.c
+ char *mechs;
+ u_char hash[SSH_DIGEST_MAX_LENGTH];
+ size_t hashlen;
+ const BIGNUM *p, *g, *pub_key;
+
+ /* Initialise GSSAPI */
+
@ -1638,9 +1653,10 @@ Index: openssh-7.9p1/kexgsss.c
+ if (dh == NULL)
+ packet_disconnect("Protocol error: no matching group found");
+
+ DH_set0_pqg(dh, &p, NULL, &g);
+ packet_start(SSH2_MSG_KEXGSS_GROUP);
+ packet_put_bignum2(dh->p);
+ packet_put_bignum2(dh->g);
+ packet_put_bignum2((BIGNUM *)p);
+ packet_put_bignum2((BIGNUM *)g);
+ packet_send();
+
+ packet_write_wait();
@ -1701,7 +1717,7 @@ Index: openssh-7.9p1/kexgsss.c
+ if (GSS_ERROR(maj_status)) {
+ if (send_tok.length > 0) {
+ packet_start(SSH2_MSG_KEXGSS_CONTINUE);
+ packet_put_string(send_tok.value, send_tok.length);
+ packet_put_string((char *)send_tok.value, send_tok.length);
+ packet_send();
+ }
+ fatal("accept_ctx died");
@ -1732,17 +1748,17 @@ Index: openssh-7.9p1/kexgsss.c
+ memset(kbuf, 0, klen);
+ free(kbuf);
+
+ DH_get0_key(dh, &pub_key, NULL);
+ hashlen = sizeof(hash);
+ switch (ssh->kex->kex_type) {
+ case KEX_GSS_GRP1_SHA1:
+ case KEX_GSS_GRP14_SHA1:
+ kex_dh_hash(
+ ssh->kex->hash_alg,
+ kex_dh_hash(ssh->kex->hash_alg,
+ ssh->kex->client_version_string, ssh->kex->server_version_string,
+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
+ NULL, 0, /* Change this if we start sending host keys */
+ dh_client_pub, dh->pub_key, shared_secret,
+ dh_client_pub, pub_key, shared_secret,
+ hash, &hashlen
+ );
+ break;
@ -1754,9 +1770,9 @@ Index: openssh-7.9p1/kexgsss.c
+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
+ NULL, 0,
+ cmin, nbits, cmax,
+ dh->p, dh->g,
+ p, g,
+ dh_client_pub,
+ dh->pub_key,
+ pub_key,
+ shared_secret,
+ hash, &hashlen
+ );
@ -1780,12 +1796,12 @@ Index: openssh-7.9p1/kexgsss.c
+ fatal("Couldn't get MIC");
+
+ packet_start(SSH2_MSG_KEXGSS_COMPLETE);
+ packet_put_bignum2(dh->pub_key);
+ packet_put_bignum2(pub_key);
+ packet_put_string(msg_tok.value,msg_tok.length);
+
+ if (send_tok.length != 0) {
+ packet_put_char(1); /* true */
+ packet_put_string(send_tok.value, send_tok.length);
+ packet_put_string((char *)send_tok.value, send_tok.length);
+ } else {
+ packet_put_char(0); /* false */
+ }
@ -1801,7 +1817,6 @@ Index: openssh-7.9p1/kexgsss.c
+
+ DH_free(dh);
+
+ /* TODO: check kex_derive_keys_bn return value */
+ kex_derive_keys_bn(ssh, hash, hashlen, shared_secret);
+ BN_clear_free(shared_secret);
+ kex_send_newkeys(ssh);
@ -1971,7 +1986,7 @@ Index: openssh-7.9p1/monitor.c
+ fatal("In GSSAPI monitor when GSSAPI is disabled");
+
+ if ((r = sshbuf_get_string(m, (u_char **)&data.value, &data.length)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ if (data.length != 20)
+ fatal("%s: data length incorrect: %d", __func__,
+ (int) data.length);
@ -1988,8 +2003,8 @@ Index: openssh-7.9p1/monitor.c
+
+ sshbuf_reset(m);
+ if ((r = sshbuf_put_u32(m, major)) != 0 ||
+ (r = sshbuf_put_string(m, hash.value, hash.length)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ (r = sshbuf_put_string(m, hash.value, hash.length)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
+ mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
+
@ -2917,7 +2932,7 @@ Index: openssh-7.9p1/sshconnect2.c
+ ssh_gssapi_buildmic(b, authctxt->server_user, authctxt->service,
+ "gssapi-keyex");
+
+ gssbuf.value = sshbuf_mutable_ptr(b);
+ gssbuf.value = sshbuf_mutable_ptr(b);
+ gssbuf.length = sshbuf_len(b);
+
+ if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) {
@ -2925,7 +2940,7 @@ Index: openssh-7.9p1/sshconnect2.c
+ return (0);
+ }
+
+ packet_start(SSH2_MSG_USERAUTH_REQUEST);
+ packet_start(SSH2_MSG_USERAUTH_REQUEST);
+ packet_put_cstring(authctxt->server_user);
+ packet_put_cstring(authctxt->service);
+ packet_put_cstring(authctxt->method->name);
@ -2941,7 +2956,7 @@ Index: openssh-7.9p1/sshconnect2.c
#endif /* GSSAPI */
int
@@ -1473,8 +1713,8 @@ key_type_allowed_by_config(struct sshkey
@@ -1473,8 +1716,8 @@ key_type_allowed_by_config(struct sshkey
/*
* try keys in the following order:
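Review bot: The new kexgsss.c line `DH_set0_pqg(dh, &p, NULL, &g);` is the setter, not the getter: it takes `BIGNUM *` values and installs them in the DH, so here it overwrites the group's real p and g with the addresses of two uninitialised local pointers and leaves `p` and `g` unset for the `packet_put_bignum2((BIGNUM *)p)` / `((BIGNUM *)g)` calls that follow; it should read `DH_get0_pqg(dh, &p, NULL, &g);`, as kexgssc.c already does a few hunks earlier with `DH_get0_pqg(dh, &p1, NULL, &g1);`. Since `p`, `g` and `pub_key` are declared `const BIGNUM *` in that file, the compiler's incompatible-pointer-type warning on the call is the signal to look for. Two smaller points in the same section: in gss-genr.c `md = EVP_MD_CTX_new();` is not checked for NULL before `EVP_DigestInit(md, evp_md)` (the `sshbuf_new()` just above it is, via fatal()), and in kexgssc.c dropping the cast in `if (kout < 0)` is only correct if `kout` is a signed type — its declaration is outside the hunk, and if it is unsigned a failed DH_compute_key() would no longer be detected. Each of these functions starts and ends outside its hunk.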


@ -10,10 +10,10 @@
# internal versions. ssh-keyconverter consequently fails to link as it lacks
# the proper flags, and libopenbsd-compat doesn't contain the b64_* functions)
Index: openssh-7.8p1/HOWTO.ldap-keys
Index: openssh-7.9p1/HOWTO.ldap-keys
===================================================================
--- /dev/null
+++ openssh-7.8p1/HOWTO.ldap-keys
+++ openssh-7.9p1/HOWTO.ldap-keys
@@ -0,0 +1,108 @@
+
+HOW TO START
@ -123,10 +123,10 @@ Index: openssh-7.8p1/HOWTO.ldap-keys
+ - frederic peters.
+ - Finlay dobbie.
+ - Stefan Fisher.
Index: openssh-7.8p1/Makefile.in
Index: openssh-7.9p1/Makefile.in
===================================================================
--- openssh-7.8p1.orig/Makefile.in
+++ openssh-7.8p1/Makefile.in
--- openssh-7.9p1.orig/Makefile.in
+++ openssh-7.9p1/Makefile.in
@@ -24,6 +24,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
@ -146,7 +146,7 @@ Index: openssh-7.8p1/Makefile.in
XMSS_OBJS=\
ssh-xmss.o \
sshkey-xmss.o \
@@ -132,8 +137,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
@@ -130,8 +135,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
sandbox-solaris.o uidswap.o
@ -157,7 +157,7 @@ Index: openssh-7.8p1/Makefile.in
MANTYPE = @MANTYPE@
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
@@ -208,6 +213,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
@@ -206,6 +211,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@ -167,7 +167,7 @@ Index: openssh-7.8p1/Makefile.in
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@@ -363,6 +371,10 @@ install-files:
@@ -361,6 +369,10 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@ -178,7 +178,7 @@ Index: openssh-7.8p1/Makefile.in
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
@@ -381,6 +393,10 @@ install-files:
@@ -379,6 +391,10 @@ install-files:
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@ -189,7 +189,7 @@ Index: openssh-7.8p1/Makefile.in
install-sysconf:
$(MKDIR_P) $(DESTDIR)$(sysconfdir)
@@ -404,6 +420,13 @@ install-sysconf:
@@ -402,6 +418,13 @@ install-sysconf:
else \
echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
fi
@ -203,7 +203,7 @@ Index: openssh-7.8p1/Makefile.in
host-key: ssh-keygen$(EXEEXT)
@if [ -z "$(DESTDIR)" ] ; then \
@@ -441,6 +464,8 @@ uninstall:
@@ -439,6 +462,8 @@ uninstall:
-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@ -212,7 +212,7 @@ Index: openssh-7.8p1/Makefile.in
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
@@ -452,6 +477,7 @@ uninstall:
@@ -450,6 +475,7 @@ uninstall:
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@ -220,11 +220,11 @@ Index: openssh-7.8p1/Makefile.in
regress-prep:
$(MKDIR_P) `pwd`/regress/unittests/test_helper
Index: openssh-7.8p1/configure.ac
Index: openssh-7.9p1/configure.ac
===================================================================
--- openssh-7.8p1.orig/configure.ac
+++ openssh-7.8p1/configure.ac
@@ -1680,6 +1680,106 @@ AC_ARG_WITH([audit],
--- openssh-7.9p1.orig/configure.ac
+++ openssh-7.9p1/configure.ac
@@ -1671,6 +1671,106 @@ AC_ARG_WITH([audit],
esac ]
)
@ -331,10 +331,10 @@ Index: openssh-7.8p1/configure.ac
AC_ARG_WITH([pie],
[ --with-pie Build Position Independent Executables if possible], [
if test "x$withval" = "xno"; then
Index: openssh-7.8p1/ldap-helper.c
Index: openssh-7.9p1/ldap-helper.c
===================================================================
--- /dev/null
+++ openssh-7.8p1/ldap-helper.c
+++ openssh-7.9p1/ldap-helper.c
@@ -0,0 +1,155 @@
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -491,10 +491,10 @@ Index: openssh-7.8p1/ldap-helper.c
+void *buffer_get_string(struct sshbuf *b, u_int *l) { return NULL; }
+void buffer_put_string(struct sshbuf *b, const void *f, u_int l) {}
+
Index: openssh-7.8p1/ldap-helper.h
Index: openssh-7.9p1/ldap-helper.h
===================================================================
--- /dev/null
+++ openssh-7.8p1/ldap-helper.h
+++ openssh-7.9p1/ldap-helper.h
@@ -0,0 +1,32 @@
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -528,10 +528,10 @@ Index: openssh-7.8p1/ldap-helper.h
+extern int config_warning_config_file;
+
+#endif /* LDAP_HELPER_H */
Index: openssh-7.8p1/ldap.conf
Index: openssh-7.9p1/ldap.conf
===================================================================
--- /dev/null
+++ openssh-7.8p1/ldap.conf
+++ openssh-7.9p1/ldap.conf
@@ -0,0 +1,88 @@
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
+#
@ -621,10 +621,10 @@ Index: openssh-7.8p1/ldap.conf
+#tls_cert
+#tls_key
+
Index: openssh-7.8p1/ldapbody.c
Index: openssh-7.9p1/ldapbody.c
===================================================================
--- /dev/null
+++ openssh-7.8p1/ldapbody.c
+++ openssh-7.9p1/ldapbody.c
@@ -0,0 +1,494 @@
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -1120,10 +1120,10 @@ Index: openssh-7.8p1/ldapbody.c
+ return;
+}
+
Index: openssh-7.8p1/ldapbody.h
Index: openssh-7.9p1/ldapbody.h
===================================================================
--- /dev/null
+++ openssh-7.8p1/ldapbody.h
+++ openssh-7.9p1/ldapbody.h
@@ -0,0 +1,37 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -1162,10 +1162,10 @@ Index: openssh-7.8p1/ldapbody.h
+
+#endif /* LDAPBODY_H */
+
Index: openssh-7.8p1/ldapconf.c
Index: openssh-7.9p1/ldapconf.c
===================================================================
--- /dev/null
+++ openssh-7.8p1/ldapconf.c
+++ openssh-7.9p1/ldapconf.c
@@ -0,0 +1,711 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -1878,10 +1878,10 @@ Index: openssh-7.8p1/ldapconf.c
+ dump_cfg_string(lSSH_Filter, options.ssh_filter);
+}
+
Index: openssh-7.8p1/ldapconf.h
Index: openssh-7.9p1/ldapconf.h
===================================================================
--- /dev/null
+++ openssh-7.8p1/ldapconf.h
+++ openssh-7.9p1/ldapconf.h
@@ -0,0 +1,71 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -1954,10 +1954,10 @@ Index: openssh-7.8p1/ldapconf.h
+void dump_config(void);
+
+#endif /* LDAPCONF_H */
Index: openssh-7.8p1/ldapincludes.h
Index: openssh-7.9p1/ldapincludes.h
===================================================================
--- /dev/null
+++ openssh-7.8p1/ldapincludes.h
+++ openssh-7.9p1/ldapincludes.h
@@ -0,0 +1,41 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -2000,10 +2000,10 @@ Index: openssh-7.8p1/ldapincludes.h
+#endif
+
+#endif /* LDAPINCLUDES_H */
Index: openssh-7.8p1/ldapmisc.c
Index: openssh-7.9p1/ldapmisc.c
===================================================================
--- /dev/null
+++ openssh-7.8p1/ldapmisc.c
+++ openssh-7.9p1/ldapmisc.c
@@ -0,0 +1,79 @@
+
+#include "ldapincludes.h"
@ -2084,10 +2084,10 @@ Index: openssh-7.8p1/ldapmisc.c
+}
+#endif
+
Index: openssh-7.8p1/ldapmisc.h
Index: openssh-7.9p1/ldapmisc.h
===================================================================
--- /dev/null
+++ openssh-7.8p1/ldapmisc.h
+++ openssh-7.9p1/ldapmisc.h
@@ -0,0 +1,35 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@ -2124,10 +2124,10 @@ Index: openssh-7.8p1/ldapmisc.h
+
+#endif /* LDAPMISC_H */
+
Index: openssh-7.8p1/openbsd-compat/base64.c
Index: openssh-7.9p1/openbsd-compat/base64.c
===================================================================
--- openssh-7.8p1.orig/openbsd-compat/base64.c
+++ openssh-7.8p1/openbsd-compat/base64.c
--- openssh-7.9p1.orig/openbsd-compat/base64.c
+++ openssh-7.9p1/openbsd-compat/base64.c
@@ -46,7 +46,7 @@
#include "includes.h"
@ -2155,10 +2155,10 @@ Index: openssh-7.8p1/openbsd-compat/base64.c
/* skips all whitespace anywhere.
converts characters, four at a time, starting at (or after)
Index: openssh-7.8p1/openbsd-compat/base64.h
Index: openssh-7.9p1/openbsd-compat/base64.h
===================================================================
--- openssh-7.8p1.orig/openbsd-compat/base64.h
+++ openssh-7.8p1/openbsd-compat/base64.h
--- openssh-7.9p1.orig/openbsd-compat/base64.h
+++ openssh-7.9p1/openbsd-compat/base64.h
@@ -45,16 +45,16 @@
#include "includes.h"
@ -2180,10 +2180,10 @@ Index: openssh-7.8p1/openbsd-compat/base64.h
int b64_pton(char const *src, u_char *target, size_t targsize);
# endif /* !HAVE_B64_PTON */
# define __b64_pton(a,b,c) b64_pton(a,b,c)
Index: openssh-7.8p1/openssh-lpk-openldap.schema
Index: openssh-7.9p1/openssh-lpk-openldap.schema
===================================================================
--- /dev/null
+++ openssh-7.8p1/openssh-lpk-openldap.schema
+++ openssh-7.9p1/openssh-lpk-openldap.schema
@@ -0,0 +1,21 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2206,10 +2206,10 @@ Index: openssh-7.8p1/openssh-lpk-openldap.schema
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid )
+ )
Index: openssh-7.8p1/openssh-lpk-sun.schema
Index: openssh-7.9p1/openssh-lpk-sun.schema
===================================================================
--- /dev/null
+++ openssh-7.8p1/openssh-lpk-sun.schema
+++ openssh-7.9p1/openssh-lpk-sun.schema
@@ -0,0 +1,23 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2234,10 +2234,10 @@ Index: openssh-7.8p1/openssh-lpk-sun.schema
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid )
+ )
Index: openssh-7.8p1/ssh-ldap-helper.8
Index: openssh-7.9p1/ssh-ldap-helper.8
===================================================================
--- /dev/null
+++ openssh-7.8p1/ssh-ldap-helper.8
+++ openssh-7.9p1/ssh-ldap-helper.8
@@ -0,0 +1,79 @@
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\"
@ -2318,19 +2318,19 @@ Index: openssh-7.8p1/ssh-ldap-helper.8
+OpenSSH 5.5 + PKA-LDAP .
+.Sh AUTHORS
+.An Jan F. Chadima Aq jchadima@redhat.com
Index: openssh-7.8p1/ssh-ldap-wrapper
Index: openssh-7.9p1/ssh-ldap-wrapper
===================================================================
--- /dev/null
+++ openssh-7.8p1/ssh-ldap-wrapper
+++ openssh-7.9p1/ssh-ldap-wrapper
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+exec @LIBEXECDIR@/ssh-ldap-helper -s "$1"
+
Index: openssh-7.8p1/ssh-ldap.conf.5
Index: openssh-7.9p1/ssh-ldap.conf.5
===================================================================
--- /dev/null
+++ openssh-7.8p1/ssh-ldap.conf.5
+++ openssh-7.9p1/ssh-ldap.conf.5
@@ -0,0 +1,376 @@
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\"


@ -41,6 +41,8 @@ Mon Oct 22 08:51:30 UTC 2018 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com
* openssh-7.7p1-fips.patch
* openssh-7.7p1-gssapi_key_exchange.patch
* openssh-7.7p1-seccomp_ipc_flock.patch
* openssh-7.7p1-cavstest-ctr.patch
* openssh-7.7p1-ldap.patch
-------------------------------------------------------------------
Fri Oct 19 13:22:10 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>