Accepting request 644397 from home:pmonrealgonzalez:branches:network
* openssh-7.7p1-cavstest-ctr.patch * openssh-7.7p1-ldap.patch OBS-URL: https://build.opensuse.org/request/show/644397 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=161
This commit is contained in:
parent
b21be4c6b4
commit
5f87526504
@ -7,7 +7,7 @@ Index: openssh-7.9p1/Makefile.in
===================================================================
--- openssh-7.9p1.orig/Makefile.in
+++ openssh-7.9p1/Makefile.in
@@ -110,6 +110,8 @@ LIBSSH_OBJS += fips.o
@@ -111,6 +111,8 @@ LIBSSH_OBJS += fips.o
LIBSSH_OBJS += kexgssc.o kexgsss.o
@ -97,7 +97,7 @@ Index: openssh-7.9p1/audit-linux.c
===================================================================
--- openssh-7.9p1.orig/audit-linux.c
+++ openssh-7.9p1/audit-linux.c
@@ -33,27 +33,40 @@
@@ -33,27 +33,41 @@
#include "log.h"
#include "audit.h"
@ -106,6 +106,7 @@ Index: openssh-7.9p1/audit-linux.c
+#include "auth.h"
+#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
+#include "servconf.h"
+#include "ssherr.h"
#include "canohost.h"
#include "packet.h"
-
@ -146,7 +147,7 @@ Index: openssh-7.9p1/audit-linux.c
saved_errno = errno;
close(audit_fd);
@@ -65,9 +78,96 @@ linux_audit_record_event(int uid, const
@@ -65,9 +79,96 @@ linux_audit_record_event(int uid, const
rc = 0;
errno = saved_errno;
@ -244,7 +245,7 @@ Index: openssh-7.9p1/audit-linux.c
/* Below is the sshd audit API code */
void
@@ -76,24 +176,55 @@ audit_connection_from(const char *host,
@@ -76,24 +177,55 @@ audit_connection_from(const char *host,
/* not implemented */
}
@ -306,7 +307,7 @@ Index: openssh-7.9p1/audit-linux.c
}
void
@@ -102,25 +233,155 @@ audit_event(ssh_audit_event_t event)
@@ -102,25 +234,155 @@ audit_event(ssh_audit_event_t event)
struct ssh *ssh = active_state; /* XXX */
switch(event) {
@ -1308,32 +1309,15 @@ Index: openssh-7.9p1/monitor.c
}
@@ -1906,19 +1988,19 @@ mm_answer_gss_sign(int socket, struct ss
int r;
if (!options.gss_authentication && !options.gss_keyex)
- fatal("In GSSAPI monitor when GSSAPI is disabled");
+ fatal("In GSSAPI monitor when GSSAPI is disabled");
@@ -1909,7 +1991,7 @@ mm_answer_gss_sign(int socket, struct ss
fatal("In GSSAPI monitor when GSSAPI is disabled");
if ((r = sshbuf_get_string(m, (u_char **)&data.value, &data.length)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
if (data.length != 20)
- fatal("%s: data length incorrect: %d", __func__,
- (int) data.length);
+ fatal("%s: data length incorrect: %d", __func__,
+ (int) data.length);
/* Save the session ID on the first time around */
if (session_id2_len == 0) {
- session_id2_len = data.length;
- session_id2 = xmalloc(session_id2_len);
- memcpy(session_id2, data.value, session_id2_len);
+ session_id2_len = data.length;
+ session_id2 = xmalloc(session_id2_len);
+ memcpy(session_id2, data.value, session_id2_len);
}
major = ssh_gssapi_sign(gsscontext, &data, &hash);
fatal("%s: data length incorrect: %d", __func__,
(int) data.length);
@@ -1966,3 +2048,102 @@ mm_answer_gss_updatecreds(int socket, st
}
@ -2091,24 +2075,24 @@ Index: openssh-7.9p1/sshd.c
for (i = 0; i < options.num_host_key_files; i++) {
if (sensitive_data.host_keys[i]) {
- sshkey_free(sensitive_data.host_keys[i]);
+ char *fp;
+ char *fp;
+
+ if (sshkey_is_private(sensitive_data.host_keys[i]))
+ fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
+ else
+ fp = NULL;
+ sshkey_free(sensitive_data.host_keys[i]);
+ if (sshkey_is_private(sensitive_data.host_keys[i]))
+ fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
+ else
+ fp = NULL;
+ sshkey_free(sensitive_data.host_keys[i]);
sensitive_data.host_keys[i] = NULL;
+ if (fp != NULL) {
+#ifdef SSH_AUDIT_EVENTS
+ if (privsep)
+ PRIVSEP(audit_destroy_sensitive_data(fp,
+ pid, uid));
+ else
+ audit_destroy_sensitive_data(fp,
+ pid, uid);
+ if (privsep)
+ PRIVSEP(audit_destroy_sensitive_data(fp,
+ pid, uid));
+ else
+ audit_destroy_sensitive_data(fp,
+ pid, uid);
+#endif
+ free(fp);
+ free(fp);
+ }
}
- if (sensitive_data.host_certificates[i]) {
@ -2211,43 +2195,6 @@ Index: openssh-7.9p1/sshd.c
audit_event(SSH_CONNECTION_ABANDON);
#endif
_exit(i);
Index: openssh-7.9p1/sshkey.c
===================================================================
--- openssh-7.9p1.orig/sshkey.c
+++ openssh-7.9p1/sshkey.c
@@ -331,6 +331,32 @@ sshkey_type_is_valid_ca(int type)
}
int
+sshkey_is_private(const struct sshkey *k)
+{
+ switch (k->type) {
+#ifdef WITH_OPENSSL
+ case KEY_RSA_CERT:
+ case KEY_RSA:
+ return k->rsa->d != NULL;
+ case KEY_DSA_CERT:
+ case KEY_DSA:
+ return k->dsa->priv_key != NULL;
+#ifdef OPENSSL_HAS_ECC
+ case KEY_ECDSA_CERT:
+ case KEY_ECDSA:
+ return EC_KEY_get0_private_key(k->ecdsa) != NULL;
+#endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
+ case KEY_ED25519_CERT:
+ case KEY_ED25519:
+ return (k->ed25519_pk != NULL);
+ default:
+ /* fatal("key_is_private: bad key type %d", k->type); */
+ return 0;
+ }
+}
+
+int
sshkey_is_cert(const struct sshkey *k)
{
if (k == NULL)
Index: openssh-7.9p1/sshkey.h
===================================================================
--- openssh-7.9p1.orig/sshkey.h
@ -2260,3 +2207,46 @@ Index: openssh-7.9p1/sshkey.h
int sshkey_is_cert(const struct sshkey *);
int sshkey_type_is_cert(int);
int sshkey_type_plain(int);
Index: openssh-7.9p1/sshkey.c
===================================================================
--- openssh-7.9p1.orig/sshkey.c
+++ openssh-7.9p1/sshkey.c
@@ -331,6 +331,38 @@ sshkey_type_is_valid_ca(int type)
}
int
+sshkey_is_private(const struct sshkey *k)
+{
+ switch (k->type) {
+#ifdef WITH_OPENSSL
+ case KEY_RSA_CERT:
+ case KEY_RSA: {
+ const BIGNUM *d;
+ RSA_get0_key(k->rsa, NULL, NULL, &d);
+ return d != NULL;
+ }
+ case KEY_DSA_CERT:
+ case KEY_DSA: {
+ const BIGNUM *priv_key;
+ DSA_get0_key(k->dsa, NULL, &priv_key);
+ return priv_key != NULL;
+ }
+#ifdef OPENSSL_HAS_ECC
+ case KEY_ECDSA_CERT:
+ case KEY_ECDSA:
+ return EC_KEY_get0_private_key(k->ecdsa) != NULL;
+#endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
+ case KEY_ED25519_CERT:
+ case KEY_ED25519:
+ return (k->ed25519_pk != NULL);
+ default:
+ /* fatal("key_is_private: bad key type %d", k->type); */
+ return 0;
+ }
+}
+
+int
sshkey_is_cert(const struct sshkey *k)
{
if (k == NULL)
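Review bot: `sshkey_is_private()` in the sshkey.c hunk reads `k->type` and the per-type member with no NULL guard, while the adjacent `sshkey_is_cert()` opens with `if (k == NULL)`; the `KEY_ECDSA` arm in particular hands `k->ecdsa` straight to `EC_KEY_get0_private_key()`, which does not accept a NULL key. If an `sshkey` can exist with that member still unset (I cannot see `sshkey_new()` from here), a leading `if (k == NULL) return 0;` plus `return k->ecdsa != NULL && EC_KEY_get0_private_key(k->ecdsa) != NULL;` keep the host-key teardown path in the sshd.c hunk from faulting instead of auditing. The commented-out `fatal()` in the `default` arm should be dropped in favour of a real comment, e.g. `/* unknown key types (e.g. the XMSS types this tree builds) report not-private, so their destruction is never audited */`, so the silent `return 0` reads as a documented choice rather than leftover debugging. Both copies of this hunk printed in the section carry the same arms; the note applies to whichever is the new side.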
@ -2,15 +2,11 @@
# Parent cc1022edba2c5eeb0facba08468f65afc2466b63
CAVS test for OpenSSH's own CTR encryption mode implementation
diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
--- openssh-7.7p1/Makefile.in
+++ openssh-7.7p1/Makefile.in
@@ -19,16 +19,17 @@ top_srcdir=@top_srcdir@
DESTDIR=
VPATH=@srcdir@
SSH_PROGRAM=@bindir@/ssh
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
Index: openssh-7.9p1/Makefile.in
===================================================================
--- openssh-7.9p1.orig/Makefile.in
+++ openssh-7.9p1/Makefile.in
@@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
@ -18,17 +14,7 @@ diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
STRIP_OPT=@STRIP_OPT@
TEST_SHELL=@TEST_SHELL@
PATHS= -DSSHDIR=\"$(sysconfdir)\" \
-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
@@ -57,16 +58,18 @@ ENT=@ENT@
XAUTH_PATH=@XAUTH_PATH@
LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
EXEEXT=@EXEEXT@
MANFMT=@MANFMT@
MKDIR_P=@MKDIR_P@
@@ -62,6 +63,8 @@ MKDIR_P=@MKDIR_P@
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
@ -37,17 +23,7 @@ diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
XMSS_OBJS=\
ssh-xmss.o \
sshkey-xmss.o \
xmss_commons.o \
xmss_fast.o \
xmss_hash.o \
xmss_hash_address.o \
xmss_wots.o
@@ -199,16 +202,20 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libss
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@@ -204,6 +207,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
@ -58,17 +34,7 @@ diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
# test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
$(MANPAGES): $(MANPAGES_IN)
if test "$(MANTYPE)" = "cat"; then \
manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \
else \
@@ -339,16 +346,17 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
@@ -348,6 +355,7 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@ -76,15 +42,10 @@ diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
$(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
$(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
$(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
$(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
diff --git a/openssh-7.7p1/cavstest-ctr.c b/openssh-7.7p1/cavstest-ctr.c
new file mode 100644
Index: openssh-7.9p1/cavstest-ctr.c
===================================================================
--- /dev/null
+++ openssh-7.7p1/cavstest-ctr.c
+++ openssh-7.9p1/cavstest-ctr.c
@@ -0,0 +1,214 @@
+/*
+ *
@ -238,7 +199,7 @@ new file mode 100644
+ usage();
+ }
+
+ SSLeay_add_all_algorithms();
+ OpenSSL_add_all_algorithms();
+
+ c = cipher_by_name(algo);
+ if (c == NULL) {
@ -300,15 +261,11 @@ new file mode 100644
+ printf("\n");
+ return 0;
+}
diff --git a/openssh-7.7p1/cipher.c b/openssh-7.7p1/cipher.c
--- openssh-7.7p1/cipher.c
+++ openssh-7.7p1/cipher.c
@@ -49,25 +49,16 @@
#include "ssherr.h"
#include "digest.h"
#include "openbsd-compat/openssl-compat.h"
Index: openssh-7.9p1/cipher.c
===================================================================
--- openssh-7.9p1.orig/cipher.c
+++ openssh-7.9p1/cipher.c
@@ -54,15 +54,6 @@
#include "fips.h"
#include "log.h"
@ -324,20 +281,11 @@ diff --git a/openssh-7.7p1/cipher.c b/openssh-7.7p1/cipher.c
struct sshcipher {
char *name;
u_int block_size;
u_int key_len;
u_int iv_len; /* defaults to block_size */
u_int auth_len;
u_int flags;
#define CFLAG_CBC (1<<0)
diff --git a/openssh-7.7p1/cipher.h b/openssh-7.7p1/cipher.h
--- openssh-7.7p1/cipher.h
+++ openssh-7.7p1/cipher.h
@@ -41,17 +41,25 @@
#include <openssl/evp.h>
#include "cipher-chachapoly.h"
#include "cipher-aesctr.h"
#define CIPHER_ENCRYPT 1
Index: openssh-7.9p1/cipher.h
===================================================================
--- openssh-7.9p1.orig/cipher.h
+++ openssh-7.9p1/cipher.h
@@ -46,7 +46,15 @@
#define CIPHER_DECRYPT 0
struct sshcipher;
@ -354,8 +302,3 @@ diff --git a/openssh-7.7p1/cipher.h b/openssh-7.7p1/cipher.h
const struct sshcipher *cipher_by_name(const char *);
const char *cipher_warning_message(const struct sshcipher_ctx *);
int ciphers_valid(const char *);
char *cipher_alg_list(char, int);
int cipher_init(struct sshcipher_ctx **, const struct sshcipher *,
const u_char *, u_int, const u_char *, u_int, int);
int cipher_crypt(struct sshcipher_ctx *, u_int, u_char *, const u_char *,
@ -753,7 +753,7 @@ Index: openssh-7.9p1/readconf.c
KEX_DEFAULT_PK_ALG, all_key) != 0)
fatal("%s: kex_assemble_names failed", __func__);
free(all_key);
+ filter_fips_algorithms(options);
+ filter_fips_algorithms(o);
/* Most interesting options first: user, host, port */
dump_cfg_string(oUser, o->user);
@ -5,7 +5,12 @@ Index: openssh-7.9p1/Makefile.in
===================================================================
--- openssh-7.9p1.orig/Makefile.in
+++ openssh-7.9p1/Makefile.in
@@ -108,6 +108,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
@@ -104,10 +104,13 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
+ kexgssc.o \
platform-pledge.o platform-tracing.o platform-misc.o
LIBSSH_OBJS += fips.o
@ -14,6 +19,15 @@ Index: openssh-7.9p1/Makefile.in
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect2.o mux.o
@@ -119,7 +122,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o \
monitor.o monitor_wrap.o auth-krb5.o \
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
Index: openssh-7.9p1/auth-krb5.c
===================================================================
--- openssh-7.9p1.orig/auth-krb5.c
@ -105,7 +119,7 @@ Index: openssh-7.9p1/auth2-gss.c
+ packet_check_eom();
+
+ if ((b = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__);
+ fatal("%s: sshbuf_new failed", __func__);
+
+ ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
+ "gssapi-keyex");
@ -129,7 +143,7 @@ Index: openssh-7.9p1/auth2-gss.c
* We only support those mechanisms that we know about (ie ones that we know
* how to check local user kuserok and the like)
*/
@@ -260,7 +299,8 @@ input_gssapi_exchange_complete(int type,
@@ -260,7 +302,8 @@ input_gssapi_exchange_complete(int type,
if ((r = sshpkt_get_end(ssh)) != 0)
fatal("%s: %s", __func__, ssh_err(r));
@ -139,7 +153,7 @@ Index: openssh-7.9p1/auth2-gss.c
if ((!use_privsep || mm_is_monitor()) &&
(displayname = ssh_gssapi_displayname()) != NULL)
@@ -306,7 +346,8 @@ input_gssapi_mic(int type, u_int32_t ple
@@ -306,7 +349,8 @@ input_gssapi_mic(int type, u_int32_t ple
gssbuf.length = sshbuf_len(b);
if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
@ -149,7 +163,7 @@ Index: openssh-7.9p1/auth2-gss.c
else
logit("GSSAPI MIC check failed");
@@ -326,6 +367,12 @@ input_gssapi_mic(int type, u_int32_t ple
@@ -326,6 +370,12 @@ input_gssapi_mic(int type, u_int32_t ple
return 0;
}
@ -296,7 +310,7 @@ Index: openssh-7.9p1/gss-genr.c
===================================================================
--- openssh-7.9p1.orig/gss-genr.c
+++ openssh-7.9p1/gss-genr.c
@@ -41,12 +41,169 @@
@@ -41,12 +41,174 @@
#include "sshbuf.h"
#include "log.h"
#include "ssh2.h"
@ -359,7 +373,7 @@ Index: openssh-7.9p1/gss-genr.c
+ u_char digest[EVP_MAX_MD_SIZE];
+ char deroid[2];
+ const EVP_MD *evp_md = EVP_md5();
+ EVP_MD_CTX md;
+ EVP_MD_CTX *md;
+
+ if (gss_enc2oid != NULL) {
+ for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
@ -373,6 +387,7 @@ Index: openssh-7.9p1/gss-genr.c
+ if ((buf = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__);
+
+ md = EVP_MD_CTX_new();
+ oidpos = 0;
+ for (i = 0; i < gss_supported->count; i++) {
+ if (gss_supported->elements[i].length < 128 &&
@ -381,36 +396,40 @@ Index: openssh-7.9p1/gss-genr.c
+ deroid[0] = SSH_GSS_OIDTYPE;
+ deroid[1] = gss_supported->elements[i].length;
+
+ EVP_DigestInit(&md, evp_md);
+ EVP_DigestUpdate(&md, deroid, 2);
+ EVP_DigestUpdate(&md,
+ EVP_DigestInit(md, evp_md);
+ EVP_DigestUpdate(md, deroid, 2);
+ EVP_DigestUpdate(md,
+ gss_supported->elements[i].elements,
+ gss_supported->elements[i].length);
+ EVP_DigestFinal(&md, digest, NULL);
+ EVP_DigestFinal(md, digest, NULL);
+
+ encoded = xmalloc(EVP_MD_size(evp_md) * 2);
+ enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
+ encoded, EVP_MD_size(evp_md) * 2);
+
+ cp = strncpy(s, kex, strlen(kex));
+ for ((p = strsep(&cp, ",")); p && *p != '\0';
+ (p = strsep(&cp, ","))) {
+ if (sshbuf_len(buf) != 0)
+ if ((r = sshbuf_put_u8(buf, ',')) !=0)
+ fatal("%s: buffer error: %s",
+ __func__, ssh_err(r));
+ if ((r = sshbuf_put(buf, p, strlen(p))) != 0 ||
+ (r = sshbuf_put(buf, encoded, enclen)) != 0)
+ fatal("%s: buffer error: %s",
+ __func__, ssh_err(r));
+ }
+ if (oidpos != 0)
+ if ((r = sshbuf_put_u8(buf, ',')) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
+ if ((r = sshbuf_put(buf, KEX_GSS_GEX_SHA1_ID,
+ sizeof(KEX_GSS_GEX_SHA1_ID) - 1)) != 0 ||
+ (r = sshbuf_put(buf, encoded, enclen)) != 0 ||
+ (r = sshbuf_put_u8(buf, ',')) != 0 ||
+ (r = sshbuf_put(buf, KEX_GSS_GRP1_SHA1_ID,
+ sizeof(KEX_GSS_GRP1_SHA1_ID) - 1)) != 0 ||
+ (r = sshbuf_put(buf, encoded, enclen)) != 0 ||
+ (r = sshbuf_put_u8(buf, ',')) != 0 ||
+ (r = sshbuf_put(buf, KEX_GSS_GRP14_SHA1_ID,
+ sizeof(KEX_GSS_GRP14_SHA1_ID) - 1)) != 0 ||
+ (r = sshbuf_put(buf, encoded, enclen)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
+ gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
+ gss_enc2oid[oidpos].encoded = encoded;
+ oidpos++;
+ }
+ }
+ free(s);
+ EVP_MD_CTX_free(md);
+ gss_enc2oid[oidpos].oid = NULL;
+ gss_enc2oid[oidpos].encoded = NULL;
+
@ -466,7 +485,7 @@ Index: openssh-7.9p1/gss-genr.c
/* sshbuf_get for gss_buffer_desc */
int
ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
@@ -218,7 +375,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de
@@ -218,7 +381,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de
}
ctx->major = gss_init_sec_context(&ctx->minor,
@ -475,7 +494,7 @@ Index: openssh-7.9p1/gss-genr.c
GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
0, NULL, recv_tok, NULL, send_tok, flags, NULL);
@@ -248,8 +405,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con
@@ -248,8 +411,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con
}
OM_uint32
@ -518,7 +537,7 @@ Index: openssh-7.9p1/gss-genr.c
if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
GSS_C_QOP_DEFAULT, buffer, hash)))
ssh_gssapi_error(ctx);
@@ -257,6 +448,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer
@@ -257,6 +454,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer
return (ctx->major);
}
@ -538,7 +557,7 @@ Index: openssh-7.9p1/gss-genr.c
void
ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
const char *context)
@@ -273,22 +477,31 @@ ssh_gssapi_buildmic(struct sshbuf *b, co
@@ -273,22 +483,31 @@ ssh_gssapi_buildmic(struct sshbuf *b, co
}
int
@ -573,7 +592,7 @@ Index: openssh-7.9p1/gss-genr.c
NULL);
gss_release_buffer(&minor, &token);
if ((*ctx)->context != GSS_C_NO_CONTEXT)
@@ -296,10 +509,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
@@ -296,10 +515,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
GSS_C_NO_BUFFER);
}
@ -654,7 +673,7 @@ Index: openssh-7.9p1/gss-serv-krb5.c
const char *errmsg;
if (client->creds == NULL) {
@@ -180,11 +180,26 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
@@ -180,11 +180,23 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
return;
}
@ -668,7 +687,6 @@ Index: openssh-7.9p1/gss-serv-krb5.c
- snprintf(client->store.envval, len, "FILE:%s", client->store.filename);
+#ifdef USE_CCAPI
+ xasprintf(&client->store.envval, "API:%s", new_ccname);
+ client->store.filename = NULL;
+#else
+ if (new_ccname[0] == ':')
+ new_ccname++;
@ -679,8 +697,6 @@ Index: openssh-7.9p1/gss-serv-krb5.c
+ if (p)
+ *p = '\0';
+ }
+ if ((strcmp(new_cctype, "FILE") == 0) || (strcmp(new_cctype, "DIR") == 0))
+ client->store.filename = xstrdup(new_ccname);
+#endif
#ifdef USE_PAM
@ -1152,7 +1168,7 @@ Index: openssh-7.9p1/kexgssc.c
===================================================================
--- /dev/null
+++ openssh-7.9p1/kexgssc.c
@@ -0,0 +1,348 @@
@@ -0,0 +1,346 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ *
@ -1216,13 +1232,12 @@ Index: openssh-7.9p1/kexgssc.c
+ BIGNUM *shared_secret = NULL;
+ BIGNUM *p = NULL;
+ BIGNUM *g = NULL;
+ const BIGNUM *pub_key, *p1, *g1;
+ u_char *kbuf;
+ u_char *serverhostkey = NULL;
+ u_char *empty = "";
+ char *msg;
+ /* TODO
+ char *lang;
+ */
+ int type = 0;
+ int first = 1;
+ int nbits = 0, min = fips_dh_grp_min(), max = DH_GRP_MAX;
@ -1279,8 +1294,9 @@ Index: openssh-7.9p1/kexgssc.c
+ fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
+ }
+
+ /* Step 1 - e is dh->pub_key */
+ /* Step 1 - e is pub_key */
+ dh_gen_key(dh, ssh->kex->we_need * 8);
+ DH_get0_key(dh, &pub_key, NULL);
+
+ /* This is f, we initialise it now to make life easier */
+ dh_server_pub = BN_new();
@ -1328,7 +1344,7 @@ Index: openssh-7.9p1/kexgssc.c
+ packet_start(SSH2_MSG_KEXGSS_INIT);
+ packet_put_string(send_tok.value,
+ send_tok.length);
+ packet_put_bignum2(dh->pub_key);
+ packet_put_bignum2((BIGNUM *)pub_key);
+ first = 0;
+ } else {
+ packet_start(SSH2_MSG_KEXGSS_CONTINUE);
@ -1383,9 +1399,7 @@ Index: openssh-7.9p1/kexgssc.c
+ maj_status = packet_get_int();
+ min_status = packet_get_int();
+ msg = packet_get_string(NULL);
+ /* TODO
+ lang = packet_get_string(NULL);
+ */
+ fatal("GSSAPI Error: \n%.400s",msg);
+ default:
+ packet_disconnect("Protocol error: didn't expect packet type %d",
@ -1415,7 +1429,7 @@ Index: openssh-7.9p1/kexgssc.c
+ klen = DH_size(dh);
+ kbuf = xmalloc(klen);
+ kout = DH_compute_key(kbuf, dh_server_pub, dh);
+ if ((int)kout < 0)
+ if (kout < 0)
+ fatal("DH_compute_key: failed");
+
+ shared_secret = BN_new();
@ -1434,18 +1448,19 @@ Index: openssh-7.9p1/kexgssc.c
+ case KEX_GSS_GRP14_SHA1:
+ kex_dh_hash(
+ ssh->kex->hash_alg,
+ ssh->kex->client_version_string,
+ ssh->kex->client_version_string,
+ ssh->kex->server_version_string,
+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
+ (serverhostkey ? serverhostkey : empty), slen,
+ dh->pub_key, /* e */
+ pub_key, /* e */
+ dh_server_pub, /* f */
+ shared_secret, /* K */
+ hash, &hashlen
+ );
+ break;
+ case KEX_GSS_GEX_SHA1:
+ DH_get0_pqg(dh, &p1, NULL, &g1);
+ kexgex_hash(
+ ssh->kex->hash_alg,
+ ssh->kex->client_version_string,
@ -1454,8 +1469,8 @@ Index: openssh-7.9p1/kexgssc.c
+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
+ (serverhostkey ? serverhostkey : empty), slen,
+ min, nbits, max,
+ dh->p, dh->g,
+ dh->pub_key,
+ p, g,
+ pub_key,
+ dh_server_pub,
+ shared_secret,
+ hash, &hashlen
@ -1494,7 +1509,6 @@ Index: openssh-7.9p1/kexgssc.c
+ else
+ ssh_gssapi_delete_ctx(&ctxt);
+
+ /* TODO: check kex_derive_keys_bn return value */
+ kex_derive_keys_bn(ssh, hash, hashlen, shared_secret);
+ BN_clear_free(shared_secret);
+ return kex_send_newkeys(ssh);
@ -1505,7 +1519,7 @@ Index: openssh-7.9p1/kexgsss.c
===================================================================
--- /dev/null
+++ openssh-7.9p1/kexgsss.c
@@ -0,0 +1,307 @@
@@ -0,0 +1,308 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ *
@ -1586,6 +1600,7 @@ Index: openssh-7.9p1/kexgsss.c
+ char *mechs;
+ u_char hash[SSH_DIGEST_MAX_LENGTH];
+ size_t hashlen;
+ const BIGNUM *p, *g, *pub_key;
+
+ /* Initialise GSSAPI */
+
@ -1638,9 +1653,10 @@ Index: openssh-7.9p1/kexgsss.c
+ if (dh == NULL)
+ packet_disconnect("Protocol error: no matching group found");
+
+ DH_set0_pqg(dh, &p, NULL, &g);
+ packet_start(SSH2_MSG_KEXGSS_GROUP);
+ packet_put_bignum2(dh->p);
+ packet_put_bignum2(dh->g);
+ packet_put_bignum2((BIGNUM *)p);
+ packet_put_bignum2((BIGNUM *)g);
+ packet_send();
+
+ packet_write_wait();
@ -1701,7 +1717,7 @@ Index: openssh-7.9p1/kexgsss.c
+ if (GSS_ERROR(maj_status)) {
+ if (send_tok.length > 0) {
+ packet_start(SSH2_MSG_KEXGSS_CONTINUE);
+ packet_put_string(send_tok.value, send_tok.length);
+ packet_put_string((char *)send_tok.value, send_tok.length);
+ packet_send();
+ }
+ fatal("accept_ctx died");
@ -1732,17 +1748,17 @@ Index: openssh-7.9p1/kexgsss.c
+ memset(kbuf, 0, klen);
+ free(kbuf);
+
+ DH_get0_key(dh, &pub_key, NULL);
+ hashlen = sizeof(hash);
+ switch (ssh->kex->kex_type) {
+ case KEX_GSS_GRP1_SHA1:
+ case KEX_GSS_GRP14_SHA1:
+ kex_dh_hash(
+ ssh->kex->hash_alg,
+ kex_dh_hash(ssh->kex->hash_alg,
+ ssh->kex->client_version_string, ssh->kex->server_version_string,
+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
+ NULL, 0, /* Change this if we start sending host keys */
+ dh_client_pub, dh->pub_key, shared_secret,
+ dh_client_pub, pub_key, shared_secret,
+ hash, &hashlen
+ );
+ break;
@ -1754,9 +1770,9 @@ Index: openssh-7.9p1/kexgsss.c
+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
+ NULL, 0,
+ cmin, nbits, cmax,
+ dh->p, dh->g,
+ p, g,
+ dh_client_pub,
+ dh->pub_key,
+ pub_key,
+ shared_secret,
+ hash, &hashlen
+ );
@ -1780,12 +1796,12 @@ Index: openssh-7.9p1/kexgsss.c
+ fatal("Couldn't get MIC");
+
+ packet_start(SSH2_MSG_KEXGSS_COMPLETE);
+ packet_put_bignum2(dh->pub_key);
+ packet_put_bignum2(pub_key);
+ packet_put_string(msg_tok.value,msg_tok.length);
+
+ if (send_tok.length != 0) {
+ packet_put_char(1); /* true */
+ packet_put_string(send_tok.value, send_tok.length);
+ packet_put_string((char *)send_tok.value, send_tok.length);
+ } else {
+ packet_put_char(0); /* false */
+ }
@ -1801,7 +1817,6 @@ Index: openssh-7.9p1/kexgsss.c
+
+ DH_free(dh);
+
+ /* TODO: check kex_derive_keys_bn return value */
+ kex_derive_keys_bn(ssh, hash, hashlen, shared_secret);
+ BN_clear_free(shared_secret);
+ kex_send_newkeys(ssh);
@ -1971,7 +1986,7 @@ Index: openssh-7.9p1/monitor.c
|
||||
+ fatal("In GSSAPI monitor when GSSAPI is disabled");
|
||||
+
|
||||
+ if ((r = sshbuf_get_string(m, (u_char **)&data.value, &data.length)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ if (data.length != 20)
|
||||
+ fatal("%s: data length incorrect: %d", __func__,
|
||||
+ (int) data.length);
|
||||
@ -1988,8 +2003,8 @@ Index: openssh-7.9p1/monitor.c
|
||||
+
|
||||
+ sshbuf_reset(m);
|
||||
+ if ((r = sshbuf_put_u32(m, major)) != 0 ||
|
||||
+ (r = sshbuf_put_string(m, hash.value, hash.length)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ (r = sshbuf_put_string(m, hash.value, hash.length)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+
|
||||
+ mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
|
||||
+
|
||||
@ -2917,7 +2932,7 @@ Index: openssh-7.9p1/sshconnect2.c
|
||||
+ ssh_gssapi_buildmic(b, authctxt->server_user, authctxt->service,
|
||||
+ "gssapi-keyex");
|
||||
+
|
||||
+ gssbuf.value = sshbuf_mutable_ptr(b);
|
||||
+ gssbuf.value = sshbuf_mutable_ptr(b);
|
||||
+ gssbuf.length = sshbuf_len(b);
|
||||
+
|
||||
+ if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) {
|
||||
@ -2925,7 +2940,7 @@ Index: openssh-7.9p1/sshconnect2.c
|
||||
+ return (0);
|
||||
+ }
|
||||
+
|
||||
+ packet_start(SSH2_MSG_USERAUTH_REQUEST);
|
||||
+ packet_start(SSH2_MSG_USERAUTH_REQUEST);
|
||||
+ packet_put_cstring(authctxt->server_user);
|
||||
+ packet_put_cstring(authctxt->service);
|
||||
+ packet_put_cstring(authctxt->method->name);
|
||||
@ -2941,7 +2956,7 @@ Index: openssh-7.9p1/sshconnect2.c
|
||||
#endif /* GSSAPI */
|
||||
|
||||
int
|
||||
@@ -1473,8 +1713,8 @@ key_type_allowed_by_config(struct sshkey
|
||||
@@ -1473,8 +1716,8 @@ key_type_allowed_by_config(struct sshkey
|
||||
|
||||
/*
|
||||
* try keys in the following order:
|
||||
|
@ -10,10 +10,10 @@
|
||||
# internal versions. ssh-keyconverter consequently fails to link as it lacks
|
||||
# the proper flags, and libopenbsd-compat doesn't contain the b64_* functions)
|
||||
|
||||
Index: openssh-7.8p1/HOWTO.ldap-keys
|
||||
Index: openssh-7.9p1/HOWTO.ldap-keys
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/HOWTO.ldap-keys
|
||||
+++ openssh-7.9p1/HOWTO.ldap-keys
|
||||
@@ -0,0 +1,108 @@
|
||||
+
|
||||
+HOW TO START
|
||||
@ -123,10 +123,10 @@ Index: openssh-7.8p1/HOWTO.ldap-keys
|
||||
+ - frederic peters.
|
||||
+ - Finlay dobbie.
|
||||
+ - Stefan Fisher.
|
||||
Index: openssh-7.8p1/Makefile.in
|
||||
Index: openssh-7.9p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/Makefile.in
|
||||
+++ openssh-7.8p1/Makefile.in
|
||||
--- openssh-7.9p1.orig/Makefile.in
|
||||
+++ openssh-7.9p1/Makefile.in
|
||||
@@ -24,6 +24,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
|
||||
SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
@ -146,7 +146,7 @@ Index: openssh-7.8p1/Makefile.in
|
||||
XMSS_OBJS=\
|
||||
ssh-xmss.o \
|
||||
sshkey-xmss.o \
|
||||
@@ -132,8 +137,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
|
||||
@@ -130,8 +135,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
|
||||
sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
|
||||
sandbox-solaris.o uidswap.o
|
||||
|
||||
@ -157,7 +157,7 @@ Index: openssh-7.8p1/Makefile.in
|
||||
MANTYPE = @MANTYPE@
|
||||
|
||||
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
|
||||
@@ -208,6 +213,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
|
||||
@@ -206,6 +211,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
@ -167,7 +167,7 @@ Index: openssh-7.8p1/Makefile.in
|
||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
|
||||
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
@@ -363,6 +371,10 @@ install-files:
|
||||
@@ -361,6 +369,10 @@ install-files:
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
|
||||
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||
@ -178,7 +178,7 @@ Index: openssh-7.8p1/Makefile.in
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
|
||||
@@ -381,6 +393,10 @@ install-files:
|
||||
@@ -379,6 +391,10 @@ install-files:
|
||||
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
|
||||
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
|
||||
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
|
||||
@ -189,7 +189,7 @@ Index: openssh-7.8p1/Makefile.in
|
||||
|
||||
install-sysconf:
|
||||
$(MKDIR_P) $(DESTDIR)$(sysconfdir)
|
||||
@@ -404,6 +420,13 @@ install-sysconf:
|
||||
@@ -402,6 +418,13 @@ install-sysconf:
|
||||
else \
|
||||
echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
|
||||
fi
|
||||
@ -203,7 +203,7 @@ Index: openssh-7.8p1/Makefile.in
|
||||
|
||||
host-key: ssh-keygen$(EXEEXT)
|
||||
@if [ -z "$(DESTDIR)" ] ; then \
|
||||
@@ -441,6 +464,8 @@ uninstall:
|
||||
@@ -439,6 +462,8 @@ uninstall:
|
||||
-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||
@ -212,7 +212,7 @@ Index: openssh-7.8p1/Makefile.in
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
|
||||
@@ -452,6 +477,7 @@ uninstall:
|
||||
@@ -450,6 +475,7 @@ uninstall:
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
|
||||
@ -220,11 +220,11 @@ Index: openssh-7.8p1/Makefile.in
|
||||
|
||||
regress-prep:
|
||||
$(MKDIR_P) `pwd`/regress/unittests/test_helper
|
||||
Index: openssh-7.8p1/configure.ac
|
||||
Index: openssh-7.9p1/configure.ac
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/configure.ac
|
||||
+++ openssh-7.8p1/configure.ac
|
||||
@@ -1680,6 +1680,106 @@ AC_ARG_WITH([audit],
|
||||
--- openssh-7.9p1.orig/configure.ac
|
||||
+++ openssh-7.9p1/configure.ac
|
||||
@@ -1671,6 +1671,106 @@ AC_ARG_WITH([audit],
|
||||
esac ]
|
||||
)
|
||||
|
||||
@ -331,10 +331,10 @@ Index: openssh-7.8p1/configure.ac
|
||||
AC_ARG_WITH([pie],
|
||||
[ --with-pie Build Position Independent Executables if possible], [
|
||||
if test "x$withval" = "xno"; then
|
||||
Index: openssh-7.8p1/ldap-helper.c
|
||||
Index: openssh-7.9p1/ldap-helper.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/ldap-helper.c
|
||||
+++ openssh-7.9p1/ldap-helper.c
|
||||
@@ -0,0 +1,155 @@
|
||||
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -491,10 +491,10 @@ Index: openssh-7.8p1/ldap-helper.c
|
||||
+void *buffer_get_string(struct sshbuf *b, u_int *l) { return NULL; }
|
||||
+void buffer_put_string(struct sshbuf *b, const void *f, u_int l) {}
|
||||
+
|
||||
Index: openssh-7.8p1/ldap-helper.h
|
||||
Index: openssh-7.9p1/ldap-helper.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/ldap-helper.h
|
||||
+++ openssh-7.9p1/ldap-helper.h
|
||||
@@ -0,0 +1,32 @@
|
||||
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -528,10 +528,10 @@ Index: openssh-7.8p1/ldap-helper.h
|
||||
+extern int config_warning_config_file;
|
||||
+
|
||||
+#endif /* LDAP_HELPER_H */
|
||||
Index: openssh-7.8p1/ldap.conf
|
||||
Index: openssh-7.9p1/ldap.conf
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/ldap.conf
|
||||
+++ openssh-7.9p1/ldap.conf
|
||||
@@ -0,0 +1,88 @@
|
||||
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
|
||||
+#
|
||||
@ -621,10 +621,10 @@ Index: openssh-7.8p1/ldap.conf
|
||||
+#tls_cert
|
||||
+#tls_key
|
||||
+
|
||||
Index: openssh-7.8p1/ldapbody.c
|
||||
Index: openssh-7.9p1/ldapbody.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/ldapbody.c
|
||||
+++ openssh-7.9p1/ldapbody.c
|
||||
@@ -0,0 +1,494 @@
|
||||
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1120,10 +1120,10 @@ Index: openssh-7.8p1/ldapbody.c
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
Index: openssh-7.8p1/ldapbody.h
|
||||
Index: openssh-7.9p1/ldapbody.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/ldapbody.h
|
||||
+++ openssh-7.9p1/ldapbody.h
|
||||
@@ -0,0 +1,37 @@
|
||||
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1162,10 +1162,10 @@ Index: openssh-7.8p1/ldapbody.h
|
||||
+
|
||||
+#endif /* LDAPBODY_H */
|
||||
+
|
||||
Index: openssh-7.8p1/ldapconf.c
|
||||
Index: openssh-7.9p1/ldapconf.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/ldapconf.c
|
||||
+++ openssh-7.9p1/ldapconf.c
|
||||
@@ -0,0 +1,711 @@
|
||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1878,10 +1878,10 @@ Index: openssh-7.8p1/ldapconf.c
|
||||
+ dump_cfg_string(lSSH_Filter, options.ssh_filter);
|
||||
+}
|
||||
+
|
||||
Index: openssh-7.8p1/ldapconf.h
|
||||
Index: openssh-7.9p1/ldapconf.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/ldapconf.h
|
||||
+++ openssh-7.9p1/ldapconf.h
|
||||
@@ -0,0 +1,71 @@
|
||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1954,10 +1954,10 @@ Index: openssh-7.8p1/ldapconf.h
|
||||
+void dump_config(void);
|
||||
+
|
||||
+#endif /* LDAPCONF_H */
|
||||
Index: openssh-7.8p1/ldapincludes.h
|
||||
Index: openssh-7.9p1/ldapincludes.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/ldapincludes.h
|
||||
+++ openssh-7.9p1/ldapincludes.h
|
||||
@@ -0,0 +1,41 @@
|
||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -2000,10 +2000,10 @@ Index: openssh-7.8p1/ldapincludes.h
|
||||
+#endif
|
||||
+
|
||||
+#endif /* LDAPINCLUDES_H */
|
||||
Index: openssh-7.8p1/ldapmisc.c
|
||||
Index: openssh-7.9p1/ldapmisc.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/ldapmisc.c
|
||||
+++ openssh-7.9p1/ldapmisc.c
|
||||
@@ -0,0 +1,79 @@
|
||||
+
|
||||
+#include "ldapincludes.h"
|
||||
@ -2084,10 +2084,10 @@ Index: openssh-7.8p1/ldapmisc.c
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
Index: openssh-7.8p1/ldapmisc.h
|
||||
Index: openssh-7.9p1/ldapmisc.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/ldapmisc.h
|
||||
+++ openssh-7.9p1/ldapmisc.h
|
||||
@@ -0,0 +1,35 @@
|
||||
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -2124,10 +2124,10 @@ Index: openssh-7.8p1/ldapmisc.h
|
||||
+
|
||||
+#endif /* LDAPMISC_H */
|
||||
+
|
||||
Index: openssh-7.8p1/openbsd-compat/base64.c
|
||||
Index: openssh-7.9p1/openbsd-compat/base64.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/openbsd-compat/base64.c
|
||||
+++ openssh-7.8p1/openbsd-compat/base64.c
|
||||
--- openssh-7.9p1.orig/openbsd-compat/base64.c
|
||||
+++ openssh-7.9p1/openbsd-compat/base64.c
|
||||
@@ -46,7 +46,7 @@
|
||||
|
||||
#include "includes.h"
|
||||
@ -2155,10 +2155,10 @@ Index: openssh-7.8p1/openbsd-compat/base64.c
|
||||
|
||||
/* skips all whitespace anywhere.
|
||||
converts characters, four at a time, starting at (or after)
|
||||
Index: openssh-7.8p1/openbsd-compat/base64.h
|
||||
Index: openssh-7.9p1/openbsd-compat/base64.h
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/openbsd-compat/base64.h
|
||||
+++ openssh-7.8p1/openbsd-compat/base64.h
|
||||
--- openssh-7.9p1.orig/openbsd-compat/base64.h
|
||||
+++ openssh-7.9p1/openbsd-compat/base64.h
|
||||
@@ -45,16 +45,16 @@
|
||||
|
||||
#include "includes.h"
|
||||
@ -2180,10 +2180,10 @@ Index: openssh-7.8p1/openbsd-compat/base64.h
|
||||
int b64_pton(char const *src, u_char *target, size_t targsize);
|
||||
# endif /* !HAVE_B64_PTON */
|
||||
# define __b64_pton(a,b,c) b64_pton(a,b,c)
|
||||
Index: openssh-7.8p1/openssh-lpk-openldap.schema
|
||||
Index: openssh-7.9p1/openssh-lpk-openldap.schema
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/openssh-lpk-openldap.schema
|
||||
+++ openssh-7.9p1/openssh-lpk-openldap.schema
|
||||
@@ -0,0 +1,21 @@
|
||||
+#
|
||||
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
|
||||
@ -2206,10 +2206,10 @@ Index: openssh-7.8p1/openssh-lpk-openldap.schema
|
||||
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
|
||||
+ MUST ( sshPublicKey $ uid )
|
||||
+ )
|
||||
Index: openssh-7.8p1/openssh-lpk-sun.schema
|
||||
Index: openssh-7.9p1/openssh-lpk-sun.schema
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/openssh-lpk-sun.schema
|
||||
+++ openssh-7.9p1/openssh-lpk-sun.schema
|
||||
@@ -0,0 +1,23 @@
|
||||
+#
|
||||
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
|
||||
@ -2234,10 +2234,10 @@ Index: openssh-7.8p1/openssh-lpk-sun.schema
|
||||
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
|
||||
+ MUST ( sshPublicKey $ uid )
|
||||
+ )
|
||||
Index: openssh-7.8p1/ssh-ldap-helper.8
|
||||
Index: openssh-7.9p1/ssh-ldap-helper.8
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/ssh-ldap-helper.8
|
||||
+++ openssh-7.9p1/ssh-ldap-helper.8
|
||||
@@ -0,0 +1,79 @@
|
||||
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
|
||||
+.\"
|
||||
@ -2318,19 +2318,19 @@ Index: openssh-7.8p1/ssh-ldap-helper.8
|
||||
+OpenSSH 5.5 + PKA-LDAP .
|
||||
+.Sh AUTHORS
|
||||
+.An Jan F. Chadima Aq jchadima@redhat.com
|
||||
Index: openssh-7.8p1/ssh-ldap-wrapper
|
||||
Index: openssh-7.9p1/ssh-ldap-wrapper
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/ssh-ldap-wrapper
|
||||
+++ openssh-7.9p1/ssh-ldap-wrapper
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/sh
|
||||
+
|
||||
+exec @LIBEXECDIR@/ssh-ldap-helper -s "$1"
|
||||
+
|
||||
Index: openssh-7.8p1/ssh-ldap.conf.5
|
||||
Index: openssh-7.9p1/ssh-ldap.conf.5
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/ssh-ldap.conf.5
|
||||
+++ openssh-7.9p1/ssh-ldap.conf.5
|
||||
@@ -0,0 +1,376 @@
|
||||
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
|
||||
+.\"
|
||||
|
@ -41,6 +41,8 @@ Mon Oct 22 08:51:30 UTC 2018 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com
|
||||
* openssh-7.7p1-fips.patch
|
||||
* openssh-7.7p1-gssapi_key_exchange.patch
|
||||
* openssh-7.7p1-seccomp_ipc_flock.patch
|
||||
* openssh-7.7p1-cavstest-ctr.patch
|
||||
* openssh-7.7p1-ldap.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Oct 19 13:22:10 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
|
||||
|