Accepting request 644397 from home:pmonrealgonzalez:branches:network

* openssh-7.7p1-cavstest-ctr.patch
  * openssh-7.7p1-ldap.patch

OBS-URL: https://build.opensuse.org/request/show/644397
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=161
Tomáš Chvátal 2018-10-24 17:58:38 +00:00 committed by Git OBS Bridge
parent b21be4c6b4
commit 5f87526504
6 changed files with 224 additions and 274 deletions


@ -7,7 +7,7 @@ Index: openssh-7.9p1/Makefile.in
=================================================================== ===================================================================
--- openssh-7.9p1.orig/Makefile.in --- openssh-7.9p1.orig/Makefile.in
+++ openssh-7.9p1/Makefile.in +++ openssh-7.9p1/Makefile.in
@@ -110,6 +110,8 @@ LIBSSH_OBJS += fips.o @@ -111,6 +111,8 @@ LIBSSH_OBJS += fips.o
LIBSSH_OBJS += kexgssc.o kexgsss.o LIBSSH_OBJS += kexgssc.o kexgsss.o
@ -97,7 +97,7 @@ Index: openssh-7.9p1/audit-linux.c
=================================================================== ===================================================================
--- openssh-7.9p1.orig/audit-linux.c --- openssh-7.9p1.orig/audit-linux.c
+++ openssh-7.9p1/audit-linux.c +++ openssh-7.9p1/audit-linux.c
@@ -33,27 +33,40 @@ @@ -33,27 +33,41 @@
#include "log.h" #include "log.h"
#include "audit.h" #include "audit.h"
@ -106,6 +106,7 @@ Index: openssh-7.9p1/audit-linux.c
+#include "auth.h" +#include "auth.h"
+#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */ +#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
+#include "servconf.h" +#include "servconf.h"
+#include "ssherr.h"
#include "canohost.h" #include "canohost.h"
#include "packet.h" #include "packet.h"
- -
@ -146,7 +147,7 @@ Index: openssh-7.9p1/audit-linux.c
saved_errno = errno; saved_errno = errno;
close(audit_fd); close(audit_fd);
@@ -65,9 +78,96 @@ linux_audit_record_event(int uid, const @@ -65,9 +79,96 @@ linux_audit_record_event(int uid, const
rc = 0; rc = 0;
errno = saved_errno; errno = saved_errno;
@ -244,7 +245,7 @@ Index: openssh-7.9p1/audit-linux.c
/* Below is the sshd audit API code */ /* Below is the sshd audit API code */
void void
@@ -76,24 +176,55 @@ audit_connection_from(const char *host, @@ -76,24 +177,55 @@ audit_connection_from(const char *host,
/* not implemented */ /* not implemented */
} }
@ -306,7 +307,7 @@ Index: openssh-7.9p1/audit-linux.c
} }
void void
@@ -102,25 +233,155 @@ audit_event(ssh_audit_event_t event) @@ -102,25 +234,155 @@ audit_event(ssh_audit_event_t event)
struct ssh *ssh = active_state; /* XXX */ struct ssh *ssh = active_state; /* XXX */
switch(event) { switch(event) {
@ -1308,32 +1309,15 @@ Index: openssh-7.9p1/monitor.c
} }
@@ -1906,19 +1988,19 @@ mm_answer_gss_sign(int socket, struct ss @@ -1909,7 +1991,7 @@ mm_answer_gss_sign(int socket, struct ss
int r; fatal("In GSSAPI monitor when GSSAPI is disabled");
if (!options.gss_authentication && !options.gss_keyex)
- fatal("In GSSAPI monitor when GSSAPI is disabled");
+ fatal("In GSSAPI monitor when GSSAPI is disabled");
if ((r = sshbuf_get_string(m, (u_char **)&data.value, &data.length)) != 0) if ((r = sshbuf_get_string(m, (u_char **)&data.value, &data.length)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); - fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
if (data.length != 20) if (data.length != 20)
- fatal("%s: data length incorrect: %d", __func__, fatal("%s: data length incorrect: %d", __func__,
- (int) data.length); (int) data.length);
+ fatal("%s: data length incorrect: %d", __func__,
+ (int) data.length);
/* Save the session ID on the first time around */
if (session_id2_len == 0) {
- session_id2_len = data.length;
- session_id2 = xmalloc(session_id2_len);
- memcpy(session_id2, data.value, session_id2_len);
+ session_id2_len = data.length;
+ session_id2 = xmalloc(session_id2_len);
+ memcpy(session_id2, data.value, session_id2_len);
}
major = ssh_gssapi_sign(gsscontext, &data, &hash);
@@ -1966,3 +2048,102 @@ mm_answer_gss_updatecreds(int socket, st @@ -1966,3 +2048,102 @@ mm_answer_gss_updatecreds(int socket, st
} }
@ -2091,24 +2075,24 @@ Index: openssh-7.9p1/sshd.c
for (i = 0; i < options.num_host_key_files; i++) { for (i = 0; i < options.num_host_key_files; i++) {
if (sensitive_data.host_keys[i]) { if (sensitive_data.host_keys[i]) {
- sshkey_free(sensitive_data.host_keys[i]); - sshkey_free(sensitive_data.host_keys[i]);
+ char *fp; + char *fp;
+ +
+ if (sshkey_is_private(sensitive_data.host_keys[i])) + if (sshkey_is_private(sensitive_data.host_keys[i]))
+ fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX); + fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
+ else + else
+ fp = NULL; + fp = NULL;
+ sshkey_free(sensitive_data.host_keys[i]); + sshkey_free(sensitive_data.host_keys[i]);
sensitive_data.host_keys[i] = NULL; sensitive_data.host_keys[i] = NULL;
+ if (fp != NULL) { + if (fp != NULL) {
+#ifdef SSH_AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS
+ if (privsep) + if (privsep)
+ PRIVSEP(audit_destroy_sensitive_data(fp, + PRIVSEP(audit_destroy_sensitive_data(fp,
+ pid, uid)); + pid, uid));
+ else + else
+ audit_destroy_sensitive_data(fp, + audit_destroy_sensitive_data(fp,
+ pid, uid); + pid, uid);
+#endif +#endif
+ free(fp); + free(fp);
+ } + }
} }
- if (sensitive_data.host_certificates[i]) { - if (sensitive_data.host_certificates[i]) {
@ -2211,43 +2195,6 @@ Index: openssh-7.9p1/sshd.c
audit_event(SSH_CONNECTION_ABANDON); audit_event(SSH_CONNECTION_ABANDON);
#endif #endif
_exit(i); _exit(i);
Index: openssh-7.9p1/sshkey.c
===================================================================
--- openssh-7.9p1.orig/sshkey.c
+++ openssh-7.9p1/sshkey.c
@@ -331,6 +331,32 @@ sshkey_type_is_valid_ca(int type)
}
int
+sshkey_is_private(const struct sshkey *k)
+{
+ switch (k->type) {
+#ifdef WITH_OPENSSL
+ case KEY_RSA_CERT:
+ case KEY_RSA:
+ return k->rsa->d != NULL;
+ case KEY_DSA_CERT:
+ case KEY_DSA:
+ return k->dsa->priv_key != NULL;
+#ifdef OPENSSL_HAS_ECC
+ case KEY_ECDSA_CERT:
+ case KEY_ECDSA:
+ return EC_KEY_get0_private_key(k->ecdsa) != NULL;
+#endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
+ case KEY_ED25519_CERT:
+ case KEY_ED25519:
+ return (k->ed25519_pk != NULL);
+ default:
+ /* fatal("key_is_private: bad key type %d", k->type); */
+ return 0;
+ }
+}
+
+int
sshkey_is_cert(const struct sshkey *k)
{
if (k == NULL)
Index: openssh-7.9p1/sshkey.h Index: openssh-7.9p1/sshkey.h
=================================================================== ===================================================================
--- openssh-7.9p1.orig/sshkey.h --- openssh-7.9p1.orig/sshkey.h
@ -2260,3 +2207,46 @@ Index: openssh-7.9p1/sshkey.h
int sshkey_is_cert(const struct sshkey *); int sshkey_is_cert(const struct sshkey *);
int sshkey_type_is_cert(int); int sshkey_type_is_cert(int);
int sshkey_type_plain(int); int sshkey_type_plain(int);
Index: openssh-7.9p1/sshkey.c
===================================================================
--- openssh-7.9p1.orig/sshkey.c
+++ openssh-7.9p1/sshkey.c
@@ -331,6 +331,38 @@ sshkey_type_is_valid_ca(int type)
}
int
+sshkey_is_private(const struct sshkey *k)
+{
+ switch (k->type) {
+#ifdef WITH_OPENSSL
+ case KEY_RSA_CERT:
+ case KEY_RSA: {
+ const BIGNUM *d;
+ RSA_get0_key(k->rsa, NULL, NULL, &d);
+ return d != NULL;
+ }
+ case KEY_DSA_CERT:
+ case KEY_DSA: {
+ const BIGNUM *priv_key;
+ DSA_get0_key(k->dsa, NULL, &priv_key);
+ return priv_key != NULL;
+ }
+#ifdef OPENSSL_HAS_ECC
+ case KEY_ECDSA_CERT:
+ case KEY_ECDSA:
+ return EC_KEY_get0_private_key(k->ecdsa) != NULL;
+#endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
+ case KEY_ED25519_CERT:
+ case KEY_ED25519:
+ return (k->ed25519_pk != NULL);
+ default:
+ /* fatal("key_is_private: bad key type %d", k->type); */
+ return 0;
+ }
+}
+
+int
sshkey_is_cert(const struct sshkey *k)
{
if (k == NULL)
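Review bot: In the new `sshkey_is_private` (sshkey.c hunk) the ed25519 case returns `k->ed25519_pk != NULL`, which tests the public half, so an ed25519 host key loaded without its secret part is reported as private and the sshd.c hunk will fingerprint and audit it as destroyed sensitive data; the check should test the secret-key pointer instead, `return k->ed25519_sk != NULL;` (assuming struct sshkey keeps the secret half in `ed25519_sk` as upstream does). The function also dereferences `k->type` without the `k == NULL` guard that the adjacent `sshkey_is_cert` has; adding `if (k == NULL) return 0;` at the top would keep the two consistent for callers that pass an unloaded slot. Whether `k->rsa` or `k->dsa` can be NULL for a key of that type is not visible here; if it can, the `RSA_get0_key`/`DSA_get0_key` calls need the same guard before they are reached.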


@ -2,15 +2,11 @@
# Parent cc1022edba2c5eeb0facba08468f65afc2466b63 # Parent cc1022edba2c5eeb0facba08468f65afc2466b63
CAVS test for OpenSSH's own CTR encryption mode implementation CAVS test for OpenSSH's own CTR encryption mode implementation
diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in Index: openssh-7.9p1/Makefile.in
--- openssh-7.7p1/Makefile.in ===================================================================
+++ openssh-7.7p1/Makefile.in --- openssh-7.9p1.orig/Makefile.in
@@ -19,16 +19,17 @@ top_srcdir=@top_srcdir@ +++ openssh-7.9p1/Makefile.in
@@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
DESTDIR=
VPATH=@srcdir@
SSH_PROGRAM=@bindir@/ssh
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
@ -18,17 +14,7 @@ diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
PRIVSEP_PATH=@PRIVSEP_PATH@ PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
STRIP_OPT=@STRIP_OPT@ STRIP_OPT=@STRIP_OPT@
TEST_SHELL=@TEST_SHELL@ @@ -62,6 +63,8 @@ MKDIR_P=@MKDIR_P@
PATHS= -DSSHDIR=\"$(sysconfdir)\" \
-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
@@ -57,16 +58,18 @@ ENT=@ENT@
XAUTH_PATH=@XAUTH_PATH@
LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
EXEEXT=@EXEEXT@
MANFMT=@MANFMT@
MKDIR_P=@MKDIR_P@
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
@ -37,17 +23,7 @@ diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
XMSS_OBJS=\ XMSS_OBJS=\
ssh-xmss.o \ ssh-xmss.o \
sshkey-xmss.o \ sshkey-xmss.o \
xmss_commons.o \ @@ -204,6 +207,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss
xmss_fast.o \
xmss_hash.o \
xmss_hash_address.o \
xmss_wots.o
@@ -199,16 +202,20 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libss
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
@ -58,17 +34,7 @@ diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
# test driver for the loginrec code - not built by default # test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
@@ -348,6 +355,7 @@ install-files:
$(MANPAGES): $(MANPAGES_IN)
if test "$(MANTYPE)" = "cat"; then \
manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \
else \
@@ -339,16 +346,17 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@ -76,15 +42,10 @@ diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
$(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1 Index: openssh-7.9p1/cavstest-ctr.c
$(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 ===================================================================
$(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
$(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
diff --git a/openssh-7.7p1/cavstest-ctr.c b/openssh-7.7p1/cavstest-ctr.c
new file mode 100644
--- /dev/null --- /dev/null
+++ openssh-7.7p1/cavstest-ctr.c +++ openssh-7.9p1/cavstest-ctr.c
@@ -0,0 +1,214 @@ @@ -0,0 +1,214 @@
+/* +/*
+ * + *
@ -238,7 +199,7 @@ new file mode 100644
+ usage(); + usage();
+ } + }
+ +
+ SSLeay_add_all_algorithms(); + OpenSSL_add_all_algorithms();
+ +
+ c = cipher_by_name(algo); + c = cipher_by_name(algo);
+ if (c == NULL) { + if (c == NULL) {
@ -300,15 +261,11 @@ new file mode 100644
+ printf("\n"); + printf("\n");
+ return 0; + return 0;
+} +}
diff --git a/openssh-7.7p1/cipher.c b/openssh-7.7p1/cipher.c Index: openssh-7.9p1/cipher.c
--- openssh-7.7p1/cipher.c ===================================================================
+++ openssh-7.7p1/cipher.c --- openssh-7.9p1.orig/cipher.c
@@ -49,25 +49,16 @@ +++ openssh-7.9p1/cipher.c
#include "ssherr.h" @@ -54,15 +54,6 @@
#include "digest.h"
#include "openbsd-compat/openssl-compat.h"
#include "fips.h" #include "fips.h"
#include "log.h" #include "log.h"
@ -324,20 +281,11 @@ diff --git a/openssh-7.7p1/cipher.c b/openssh-7.7p1/cipher.c
struct sshcipher { struct sshcipher {
char *name; char *name;
u_int block_size; u_int block_size;
u_int key_len; Index: openssh-7.9p1/cipher.h
u_int iv_len; /* defaults to block_size */ ===================================================================
u_int auth_len; --- openssh-7.9p1.orig/cipher.h
u_int flags; +++ openssh-7.9p1/cipher.h
#define CFLAG_CBC (1<<0) @@ -46,7 +46,15 @@
diff --git a/openssh-7.7p1/cipher.h b/openssh-7.7p1/cipher.h
--- openssh-7.7p1/cipher.h
+++ openssh-7.7p1/cipher.h
@@ -41,17 +41,25 @@
#include <openssl/evp.h>
#include "cipher-chachapoly.h"
#include "cipher-aesctr.h"
#define CIPHER_ENCRYPT 1
#define CIPHER_DECRYPT 0 #define CIPHER_DECRYPT 0
struct sshcipher; struct sshcipher;
@ -354,8 +302,3 @@ diff --git a/openssh-7.7p1/cipher.h b/openssh-7.7p1/cipher.h
const struct sshcipher *cipher_by_name(const char *); const struct sshcipher *cipher_by_name(const char *);
const char *cipher_warning_message(const struct sshcipher_ctx *); const char *cipher_warning_message(const struct sshcipher_ctx *);
int ciphers_valid(const char *);
char *cipher_alg_list(char, int);
int cipher_init(struct sshcipher_ctx **, const struct sshcipher *,
const u_char *, u_int, const u_char *, u_int, int);
int cipher_crypt(struct sshcipher_ctx *, u_int, u_char *, const u_char *,


@ -753,7 +753,7 @@ Index: openssh-7.9p1/readconf.c
KEX_DEFAULT_PK_ALG, all_key) != 0) KEX_DEFAULT_PK_ALG, all_key) != 0)
fatal("%s: kex_assemble_names failed", __func__); fatal("%s: kex_assemble_names failed", __func__);
free(all_key); free(all_key);
+ filter_fips_algorithms(options); + filter_fips_algorithms(o);
/* Most interesting options first: user, host, port */ /* Most interesting options first: user, host, port */
dump_cfg_string(oUser, o->user); dump_cfg_string(oUser, o->user);
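Review bot: The corrected `filter_fips_algorithms(o)` call now mutates the caller's options struct from inside what looks like the config-dump routine (the surrounding `dump_cfg_string` calls), so the kex/cipher lists printed here only match a real connection if the same filtering is applied on the negotiation path; that path is outside this hunk and I cannot confirm it. A one-line comment above the call, `/* apply FIPS filtering here so the dumped lists match what ssh will actually negotiate */`, would record the intent and make the dependency on the other call site obvious to the next rebase. The enclosing function starts and ends outside the hunk.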


@ -5,7 +5,12 @@ Index: openssh-7.9p1/Makefile.in
=================================================================== ===================================================================
--- openssh-7.9p1.orig/Makefile.in --- openssh-7.9p1.orig/Makefile.in
+++ openssh-7.9p1/Makefile.in +++ openssh-7.9p1/Makefile.in
@@ -108,6 +108,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ @@ -104,10 +104,13 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
+ kexgssc.o \
platform-pledge.o platform-tracing.o platform-misc.o
LIBSSH_OBJS += fips.o LIBSSH_OBJS += fips.o
@ -14,6 +19,15 @@ Index: openssh-7.9p1/Makefile.in
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect2.o mux.o sshconnect.o sshconnect2.o mux.o
@@ -119,7 +122,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o \
monitor.o monitor_wrap.o auth-krb5.o \
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
Index: openssh-7.9p1/auth-krb5.c Index: openssh-7.9p1/auth-krb5.c
=================================================================== ===================================================================
--- openssh-7.9p1.orig/auth-krb5.c --- openssh-7.9p1.orig/auth-krb5.c
@ -105,7 +119,7 @@ Index: openssh-7.9p1/auth2-gss.c
+ packet_check_eom(); + packet_check_eom();
+ +
+ if ((b = sshbuf_new()) == NULL) + if ((b = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__); + fatal("%s: sshbuf_new failed", __func__);
+ +
+ ssh_gssapi_buildmic(b, authctxt->user, authctxt->service, + ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
+ "gssapi-keyex"); + "gssapi-keyex");
@ -129,7 +143,7 @@ Index: openssh-7.9p1/auth2-gss.c
* We only support those mechanisms that we know about (ie ones that we know * We only support those mechanisms that we know about (ie ones that we know
* how to check local user kuserok and the like) * how to check local user kuserok and the like)
*/ */
@@ -260,7 +299,8 @@ input_gssapi_exchange_complete(int type, @@ -260,7 +302,8 @@ input_gssapi_exchange_complete(int type,
if ((r = sshpkt_get_end(ssh)) != 0) if ((r = sshpkt_get_end(ssh)) != 0)
fatal("%s: %s", __func__, ssh_err(r)); fatal("%s: %s", __func__, ssh_err(r));
@ -139,7 +153,7 @@ Index: openssh-7.9p1/auth2-gss.c
if ((!use_privsep || mm_is_monitor()) && if ((!use_privsep || mm_is_monitor()) &&
(displayname = ssh_gssapi_displayname()) != NULL) (displayname = ssh_gssapi_displayname()) != NULL)
@@ -306,7 +346,8 @@ input_gssapi_mic(int type, u_int32_t ple @@ -306,7 +349,8 @@ input_gssapi_mic(int type, u_int32_t ple
gssbuf.length = sshbuf_len(b); gssbuf.length = sshbuf_len(b);
if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
@ -149,7 +163,7 @@ Index: openssh-7.9p1/auth2-gss.c
else else
logit("GSSAPI MIC check failed"); logit("GSSAPI MIC check failed");
@@ -326,6 +367,12 @@ input_gssapi_mic(int type, u_int32_t ple @@ -326,6 +370,12 @@ input_gssapi_mic(int type, u_int32_t ple
return 0; return 0;
} }
@ -296,7 +310,7 @@ Index: openssh-7.9p1/gss-genr.c
=================================================================== ===================================================================
--- openssh-7.9p1.orig/gss-genr.c --- openssh-7.9p1.orig/gss-genr.c
+++ openssh-7.9p1/gss-genr.c +++ openssh-7.9p1/gss-genr.c
@@ -41,12 +41,169 @@ @@ -41,12 +41,174 @@
#include "sshbuf.h" #include "sshbuf.h"
#include "log.h" #include "log.h"
#include "ssh2.h" #include "ssh2.h"
@ -359,7 +373,7 @@ Index: openssh-7.9p1/gss-genr.c
+ u_char digest[EVP_MAX_MD_SIZE]; + u_char digest[EVP_MAX_MD_SIZE];
+ char deroid[2]; + char deroid[2];
+ const EVP_MD *evp_md = EVP_md5(); + const EVP_MD *evp_md = EVP_md5();
+ EVP_MD_CTX md; + EVP_MD_CTX *md;
+ +
+ if (gss_enc2oid != NULL) { + if (gss_enc2oid != NULL) {
+ for (i = 0; gss_enc2oid[i].encoded != NULL; i++) + for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
@ -373,6 +387,7 @@ Index: openssh-7.9p1/gss-genr.c
+ if ((buf = sshbuf_new()) == NULL) + if ((buf = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__); + fatal("%s: sshbuf_new failed", __func__);
+ +
+ md = EVP_MD_CTX_new();
+ oidpos = 0; + oidpos = 0;
+ for (i = 0; i < gss_supported->count; i++) { + for (i = 0; i < gss_supported->count; i++) {
+ if (gss_supported->elements[i].length < 128 && + if (gss_supported->elements[i].length < 128 &&
@ -381,36 +396,40 @@ Index: openssh-7.9p1/gss-genr.c
+ deroid[0] = SSH_GSS_OIDTYPE; + deroid[0] = SSH_GSS_OIDTYPE;
+ deroid[1] = gss_supported->elements[i].length; + deroid[1] = gss_supported->elements[i].length;
+ +
+ EVP_DigestInit(&md, evp_md); + EVP_DigestInit(md, evp_md);
+ EVP_DigestUpdate(&md, deroid, 2); + EVP_DigestUpdate(md, deroid, 2);
+ EVP_DigestUpdate(&md, + EVP_DigestUpdate(md,
+ gss_supported->elements[i].elements, + gss_supported->elements[i].elements,
+ gss_supported->elements[i].length); + gss_supported->elements[i].length);
+ EVP_DigestFinal(&md, digest, NULL); + EVP_DigestFinal(md, digest, NULL);
+ +
+ encoded = xmalloc(EVP_MD_size(evp_md) * 2); + encoded = xmalloc(EVP_MD_size(evp_md) * 2);
+ enclen = __b64_ntop(digest, EVP_MD_size(evp_md), + enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
+ encoded, EVP_MD_size(evp_md) * 2); + encoded, EVP_MD_size(evp_md) * 2);
+ +
+ cp = strncpy(s, kex, strlen(kex)); + if (oidpos != 0)
+ for ((p = strsep(&cp, ",")); p && *p != '\0'; + if ((r = sshbuf_put_u8(buf, ',')) != 0)
+ (p = strsep(&cp, ","))) { + fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ if (sshbuf_len(buf) != 0) +
+ if ((r = sshbuf_put_u8(buf, ',')) !=0) + if ((r = sshbuf_put(buf, KEX_GSS_GEX_SHA1_ID,
+ fatal("%s: buffer error: %s", + sizeof(KEX_GSS_GEX_SHA1_ID) - 1)) != 0 ||
+ __func__, ssh_err(r)); + (r = sshbuf_put(buf, encoded, enclen)) != 0 ||
+ if ((r = sshbuf_put(buf, p, strlen(p))) != 0 || + (r = sshbuf_put_u8(buf, ',')) != 0 ||
+ (r = sshbuf_put(buf, encoded, enclen)) != 0) + (r = sshbuf_put(buf, KEX_GSS_GRP1_SHA1_ID,
+ fatal("%s: buffer error: %s", + sizeof(KEX_GSS_GRP1_SHA1_ID) - 1)) != 0 ||
+ __func__, ssh_err(r)); + (r = sshbuf_put(buf, encoded, enclen)) != 0 ||
+ } + (r = sshbuf_put_u8(buf, ',')) != 0 ||
+ (r = sshbuf_put(buf, KEX_GSS_GRP14_SHA1_ID,
+ sizeof(KEX_GSS_GRP14_SHA1_ID) - 1)) != 0 ||
+ (r = sshbuf_put(buf, encoded, enclen)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ +
+ gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]); + gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
+ gss_enc2oid[oidpos].encoded = encoded; + gss_enc2oid[oidpos].encoded = encoded;
+ oidpos++; + oidpos++;
+ } + }
+ } + }
+ free(s); + EVP_MD_CTX_free(md);
+ gss_enc2oid[oidpos].oid = NULL; + gss_enc2oid[oidpos].oid = NULL;
+ gss_enc2oid[oidpos].encoded = NULL; + gss_enc2oid[oidpos].encoded = NULL;
+ +
@ -466,7 +485,7 @@ Index: openssh-7.9p1/gss-genr.c
/* sshbuf_get for gss_buffer_desc */ /* sshbuf_get for gss_buffer_desc */
int int
ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g) ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
@@ -218,7 +375,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de @@ -218,7 +381,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de
} }
ctx->major = gss_init_sec_context(&ctx->minor, ctx->major = gss_init_sec_context(&ctx->minor,
@ -475,7 +494,7 @@ Index: openssh-7.9p1/gss-genr.c
GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
0, NULL, recv_tok, NULL, send_tok, flags, NULL); 0, NULL, recv_tok, NULL, send_tok, flags, NULL);
@@ -248,8 +405,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con @@ -248,8 +411,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con
} }
OM_uint32 OM_uint32
@ -518,7 +537,7 @@ Index: openssh-7.9p1/gss-genr.c
if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
GSS_C_QOP_DEFAULT, buffer, hash))) GSS_C_QOP_DEFAULT, buffer, hash)))
ssh_gssapi_error(ctx); ssh_gssapi_error(ctx);
@@ -257,6 +448,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer @@ -257,6 +454,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer
return (ctx->major); return (ctx->major);
} }
@ -538,7 +557,7 @@ Index: openssh-7.9p1/gss-genr.c
void void
ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service, ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
const char *context) const char *context)
@@ -273,22 +477,31 @@ ssh_gssapi_buildmic(struct sshbuf *b, co @@ -273,22 +483,31 @@ ssh_gssapi_buildmic(struct sshbuf *b, co
} }
int int
@ -573,7 +592,7 @@ Index: openssh-7.9p1/gss-genr.c
NULL); NULL);
gss_release_buffer(&minor, &token); gss_release_buffer(&minor, &token);
if ((*ctx)->context != GSS_C_NO_CONTEXT) if ((*ctx)->context != GSS_C_NO_CONTEXT)
@@ -296,10 +509,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx @@ -296,10 +515,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
GSS_C_NO_BUFFER); GSS_C_NO_BUFFER);
} }
@ -654,7 +673,7 @@ Index: openssh-7.9p1/gss-serv-krb5.c
const char *errmsg; const char *errmsg;
if (client->creds == NULL) { if (client->creds == NULL) {
@@ -180,11 +180,26 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl @@ -180,11 +180,23 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
return; return;
} }
@ -668,7 +687,6 @@ Index: openssh-7.9p1/gss-serv-krb5.c
- snprintf(client->store.envval, len, "FILE:%s", client->store.filename); - snprintf(client->store.envval, len, "FILE:%s", client->store.filename);
+#ifdef USE_CCAPI +#ifdef USE_CCAPI
+ xasprintf(&client->store.envval, "API:%s", new_ccname); + xasprintf(&client->store.envval, "API:%s", new_ccname);
+ client->store.filename = NULL;
+#else +#else
+ if (new_ccname[0] == ':') + if (new_ccname[0] == ':')
+ new_ccname++; + new_ccname++;
@ -679,8 +697,6 @@ Index: openssh-7.9p1/gss-serv-krb5.c
+ if (p) + if (p)
+ *p = '\0'; + *p = '\0';
+ } + }
+ if ((strcmp(new_cctype, "FILE") == 0) || (strcmp(new_cctype, "DIR") == 0))
+ client->store.filename = xstrdup(new_ccname);
+#endif +#endif
#ifdef USE_PAM #ifdef USE_PAM
@ -1152,7 +1168,7 @@ Index: openssh-7.9p1/kexgssc.c
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.9p1/kexgssc.c +++ openssh-7.9p1/kexgssc.c
@@ -0,0 +1,348 @@ @@ -0,0 +1,346 @@
+/* +/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ * + *
@ -1216,13 +1232,12 @@ Index: openssh-7.9p1/kexgssc.c
+ BIGNUM *shared_secret = NULL; + BIGNUM *shared_secret = NULL;
+ BIGNUM *p = NULL; + BIGNUM *p = NULL;
+ BIGNUM *g = NULL; + BIGNUM *g = NULL;
+ const BIGNUM *pub_key, *p1, *g1;
+ u_char *kbuf; + u_char *kbuf;
+ u_char *serverhostkey = NULL; + u_char *serverhostkey = NULL;
+ u_char *empty = ""; + u_char *empty = "";
+ char *msg; + char *msg;
+ /* TODO
+ char *lang; + char *lang;
+ */
+ int type = 0; + int type = 0;
+ int first = 1; + int first = 1;
+ int nbits = 0, min = fips_dh_grp_min(), max = DH_GRP_MAX; + int nbits = 0, min = fips_dh_grp_min(), max = DH_GRP_MAX;
@ -1279,8 +1294,9 @@ Index: openssh-7.9p1/kexgssc.c
+ fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type); + fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
+ } + }
+ +
+ /* Step 1 - e is dh->pub_key */ + /* Step 1 - e is pub_key */
+ dh_gen_key(dh, ssh->kex->we_need * 8); + dh_gen_key(dh, ssh->kex->we_need * 8);
+ DH_get0_key(dh, &pub_key, NULL);
+ +
+ /* This is f, we initialise it now to make life easier */ + /* This is f, we initialise it now to make life easier */
+ dh_server_pub = BN_new(); + dh_server_pub = BN_new();
@ -1328,7 +1344,7 @@ Index: openssh-7.9p1/kexgssc.c
+ packet_start(SSH2_MSG_KEXGSS_INIT); + packet_start(SSH2_MSG_KEXGSS_INIT);
+ packet_put_string(send_tok.value, + packet_put_string(send_tok.value,
+ send_tok.length); + send_tok.length);
+ packet_put_bignum2(dh->pub_key); + packet_put_bignum2((BIGNUM *)pub_key);
+ first = 0; + first = 0;
+ } else { + } else {
+ packet_start(SSH2_MSG_KEXGSS_CONTINUE); + packet_start(SSH2_MSG_KEXGSS_CONTINUE);
@ -1383,9 +1399,7 @@ Index: openssh-7.9p1/kexgssc.c
+ maj_status = packet_get_int(); + maj_status = packet_get_int();
+ min_status = packet_get_int(); + min_status = packet_get_int();
+ msg = packet_get_string(NULL); + msg = packet_get_string(NULL);
+ /* TODO
+ lang = packet_get_string(NULL); + lang = packet_get_string(NULL);
+ */
+ fatal("GSSAPI Error: \n%.400s",msg); + fatal("GSSAPI Error: \n%.400s",msg);
+ default: + default:
+ packet_disconnect("Protocol error: didn't expect packet type %d", + packet_disconnect("Protocol error: didn't expect packet type %d",
@ -1415,7 +1429,7 @@ Index: openssh-7.9p1/kexgssc.c
+ klen = DH_size(dh); + klen = DH_size(dh);
+ kbuf = xmalloc(klen); + kbuf = xmalloc(klen);
+ kout = DH_compute_key(kbuf, dh_server_pub, dh); + kout = DH_compute_key(kbuf, dh_server_pub, dh);
+ if ((int)kout < 0) + if (kout < 0)
+ fatal("DH_compute_key: failed"); + fatal("DH_compute_key: failed");
+ +
+ shared_secret = BN_new(); + shared_secret = BN_new();
@ -1439,13 +1453,14 @@ Index: openssh-7.9p1/kexgssc.c
+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my), + sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer), + sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
+ (serverhostkey ? serverhostkey : empty), slen, + (serverhostkey ? serverhostkey : empty), slen,
+ dh->pub_key, /* e */ + pub_key, /* e */
+ dh_server_pub, /* f */ + dh_server_pub, /* f */
+ shared_secret, /* K */ + shared_secret, /* K */
+ hash, &hashlen + hash, &hashlen
+ ); + );
+ break; + break;
+ case KEX_GSS_GEX_SHA1: + case KEX_GSS_GEX_SHA1:
+ DH_get0_pqg(dh, &p1, NULL, &g1);
+ kexgex_hash( + kexgex_hash(
+ ssh->kex->hash_alg, + ssh->kex->hash_alg,
+ ssh->kex->client_version_string, + ssh->kex->client_version_string,
@ -1454,8 +1469,8 @@ Index: openssh-7.9p1/kexgssc.c
+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer), + sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
+ (serverhostkey ? serverhostkey : empty), slen, + (serverhostkey ? serverhostkey : empty), slen,
+ min, nbits, max, + min, nbits, max,
+ dh->p, dh->g, + p, g,
+ dh->pub_key, + pub_key,
+ dh_server_pub, + dh_server_pub,
+ shared_secret, + shared_secret,
+ hash, &hashlen + hash, &hashlen
@ -1494,7 +1509,6 @@ Index: openssh-7.9p1/kexgssc.c
+ else + else
+ ssh_gssapi_delete_ctx(&ctxt); + ssh_gssapi_delete_ctx(&ctxt);
+ +
+ /* TODO: check kex_derive_keys_bn return value */
+ kex_derive_keys_bn(ssh, hash, hashlen, shared_secret); + kex_derive_keys_bn(ssh, hash, hashlen, shared_secret);
+ BN_clear_free(shared_secret); + BN_clear_free(shared_secret);
+ return kex_send_newkeys(ssh); + return kex_send_newkeys(ssh);
@ -1505,7 +1519,7 @@ Index: openssh-7.9p1/kexgsss.c
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.9p1/kexgsss.c +++ openssh-7.9p1/kexgsss.c
@@ -0,0 +1,307 @@ @@ -0,0 +1,308 @@
+/* +/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ * + *
@ -1586,6 +1600,7 @@ Index: openssh-7.9p1/kexgsss.c
+ char *mechs; + char *mechs;
+ u_char hash[SSH_DIGEST_MAX_LENGTH]; + u_char hash[SSH_DIGEST_MAX_LENGTH];
+ size_t hashlen; + size_t hashlen;
+ const BIGNUM *p, *g, *pub_key;
+ +
+ /* Initialise GSSAPI */ + /* Initialise GSSAPI */
+ +
@ -1638,9 +1653,10 @@ Index: openssh-7.9p1/kexgsss.c
+ if (dh == NULL) + if (dh == NULL)
+ packet_disconnect("Protocol error: no matching group found"); + packet_disconnect("Protocol error: no matching group found");
+ +
+ DH_set0_pqg(dh, &p, NULL, &g);
+ packet_start(SSH2_MSG_KEXGSS_GROUP); + packet_start(SSH2_MSG_KEXGSS_GROUP);
+ packet_put_bignum2(dh->p); + packet_put_bignum2((BIGNUM *)p);
+ packet_put_bignum2(dh->g); + packet_put_bignum2((BIGNUM *)g);
+ packet_send(); + packet_send();
+ +
+ packet_write_wait(); + packet_write_wait();
@ -1701,7 +1717,7 @@ Index: openssh-7.9p1/kexgsss.c
+ if (GSS_ERROR(maj_status)) { + if (GSS_ERROR(maj_status)) {
+ if (send_tok.length > 0) { + if (send_tok.length > 0) {
+ packet_start(SSH2_MSG_KEXGSS_CONTINUE); + packet_start(SSH2_MSG_KEXGSS_CONTINUE);
+ packet_put_string(send_tok.value, send_tok.length); + packet_put_string((char *)send_tok.value, send_tok.length);
+ packet_send(); + packet_send();
+ } + }
+ fatal("accept_ctx died"); + fatal("accept_ctx died");
@ -1732,17 +1748,17 @@ Index: openssh-7.9p1/kexgsss.c
+ memset(kbuf, 0, klen); + memset(kbuf, 0, klen);
+ free(kbuf); + free(kbuf);
+ +
+ DH_get0_key(dh, &pub_key, NULL);
+ hashlen = sizeof(hash); + hashlen = sizeof(hash);
+ switch (ssh->kex->kex_type) { + switch (ssh->kex->kex_type) {
+ case KEX_GSS_GRP1_SHA1: + case KEX_GSS_GRP1_SHA1:
+ case KEX_GSS_GRP14_SHA1: + case KEX_GSS_GRP14_SHA1:
+ kex_dh_hash( + kex_dh_hash(ssh->kex->hash_alg,
+ ssh->kex->hash_alg,
+ ssh->kex->client_version_string, ssh->kex->server_version_string, + ssh->kex->client_version_string, ssh->kex->server_version_string,
+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer), + sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my), + sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
+ NULL, 0, /* Change this if we start sending host keys */ + NULL, 0, /* Change this if we start sending host keys */
+ dh_client_pub, dh->pub_key, shared_secret, + dh_client_pub, pub_key, shared_secret,
+ hash, &hashlen + hash, &hashlen
+ ); + );
+ break; + break;
@ -1754,9 +1770,9 @@ Index: openssh-7.9p1/kexgsss.c
+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my), + sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
+ NULL, 0, + NULL, 0,
+ cmin, nbits, cmax, + cmin, nbits, cmax,
+ dh->p, dh->g, + p, g,
+ dh_client_pub, + dh_client_pub,
+ dh->pub_key, + pub_key,
+ shared_secret, + shared_secret,
+ hash, &hashlen + hash, &hashlen
+ ); + );
@ -1780,12 +1796,12 @@ Index: openssh-7.9p1/kexgsss.c
+ fatal("Couldn't get MIC"); + fatal("Couldn't get MIC");
+ +
+ packet_start(SSH2_MSG_KEXGSS_COMPLETE); + packet_start(SSH2_MSG_KEXGSS_COMPLETE);
+ packet_put_bignum2(dh->pub_key); + packet_put_bignum2(pub_key);
+ packet_put_string(msg_tok.value,msg_tok.length); + packet_put_string(msg_tok.value,msg_tok.length);
+ +
+ if (send_tok.length != 0) { + if (send_tok.length != 0) {
+ packet_put_char(1); /* true */ + packet_put_char(1); /* true */
+ packet_put_string(send_tok.value, send_tok.length); + packet_put_string((char *)send_tok.value, send_tok.length);
+ } else { + } else {
+ packet_put_char(0); /* false */ + packet_put_char(0); /* false */
+ } + }
@ -1801,7 +1817,6 @@ Index: openssh-7.9p1/kexgsss.c
+ +
+ DH_free(dh); + DH_free(dh);
+ +
+ /* TODO: check kex_derive_keys_bn return value */
+ kex_derive_keys_bn(ssh, hash, hashlen, shared_secret); + kex_derive_keys_bn(ssh, hash, hashlen, shared_secret);
+ BN_clear_free(shared_secret); + BN_clear_free(shared_secret);
+ kex_send_newkeys(ssh); + kex_send_newkeys(ssh);
@ -1971,7 +1986,7 @@ Index: openssh-7.9p1/monitor.c
+ fatal("In GSSAPI monitor when GSSAPI is disabled"); + fatal("In GSSAPI monitor when GSSAPI is disabled");
+ +
+ if ((r = sshbuf_get_string(m, (u_char **)&data.value, &data.length)) != 0) + if ((r = sshbuf_get_string(m, (u_char **)&data.value, &data.length)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ if (data.length != 20) + if (data.length != 20)
+ fatal("%s: data length incorrect: %d", __func__, + fatal("%s: data length incorrect: %d", __func__,
+ (int) data.length); + (int) data.length);
@ -1988,8 +2003,8 @@ Index: openssh-7.9p1/monitor.c
+ +
+ sshbuf_reset(m); + sshbuf_reset(m);
+ if ((r = sshbuf_put_u32(m, major)) != 0 || + if ((r = sshbuf_put_u32(m, major)) != 0 ||
+ (r = sshbuf_put_string(m, hash.value, hash.length)) != 0) + (r = sshbuf_put_string(m, hash.value, hash.length)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ +
+ mm_request_send(socket, MONITOR_ANS_GSSSIGN, m); + mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
+ +
@ -2917,7 +2932,7 @@ Index: openssh-7.9p1/sshconnect2.c
+ ssh_gssapi_buildmic(b, authctxt->server_user, authctxt->service, + ssh_gssapi_buildmic(b, authctxt->server_user, authctxt->service,
+ "gssapi-keyex"); + "gssapi-keyex");
+ +
+ gssbuf.value = sshbuf_mutable_ptr(b); + gssbuf.value = sshbuf_mutable_ptr(b);
+ gssbuf.length = sshbuf_len(b); + gssbuf.length = sshbuf_len(b);
+ +
+ if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) { + if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) {
@ -2925,7 +2940,7 @@ Index: openssh-7.9p1/sshconnect2.c
+ return (0); + return (0);
+ } + }
+ +
+ packet_start(SSH2_MSG_USERAUTH_REQUEST); + packet_start(SSH2_MSG_USERAUTH_REQUEST);
+ packet_put_cstring(authctxt->server_user); + packet_put_cstring(authctxt->server_user);
+ packet_put_cstring(authctxt->service); + packet_put_cstring(authctxt->service);
+ packet_put_cstring(authctxt->method->name); + packet_put_cstring(authctxt->method->name);
@ -2941,7 +2956,7 @@ Index: openssh-7.9p1/sshconnect2.c
#endif /* GSSAPI */ #endif /* GSSAPI */
int int
@@ -1473,8 +1713,8 @@ key_type_allowed_by_config(struct sshkey @@ -1473,8 +1716,8 @@ key_type_allowed_by_config(struct sshkey
/* /*
* try keys in the following order: * try keys in the following order:


@ -10,10 +10,10 @@
# internal versions. ssh-keyconverter consequently fails to link as it lacks # internal versions. ssh-keyconverter consequently fails to link as it lacks
# the proper flags, and libopenbsd-compat doesn't contain the b64_* functions) # the proper flags, and libopenbsd-compat doesn't contain the b64_* functions)
Index: openssh-7.8p1/HOWTO.ldap-keys Index: openssh-7.9p1/HOWTO.ldap-keys
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/HOWTO.ldap-keys +++ openssh-7.9p1/HOWTO.ldap-keys
@@ -0,0 +1,108 @@ @@ -0,0 +1,108 @@
+ +
+HOW TO START +HOW TO START
@ -123,10 +123,10 @@ Index: openssh-7.8p1/HOWTO.ldap-keys
+ - frederic peters. + - frederic peters.
+ - Finlay dobbie. + - Finlay dobbie.
+ - Stefan Fisher. + - Stefan Fisher.
Index: openssh-7.8p1/Makefile.in Index: openssh-7.9p1/Makefile.in
=================================================================== ===================================================================
--- openssh-7.8p1.orig/Makefile.in --- openssh-7.9p1.orig/Makefile.in
+++ openssh-7.8p1/Makefile.in +++ openssh-7.9p1/Makefile.in
@@ -24,6 +24,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas @@ -24,6 +24,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
SFTP_SERVER=$(libexecdir)/sftp-server SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_KEYSIGN=$(libexecdir)/ssh-keysign
@ -146,7 +146,7 @@ Index: openssh-7.8p1/Makefile.in
XMSS_OBJS=\ XMSS_OBJS=\
ssh-xmss.o \ ssh-xmss.o \
sshkey-xmss.o \ sshkey-xmss.o \
@@ -132,8 +137,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw @@ -130,8 +135,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \ sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
sandbox-solaris.o uidswap.o sandbox-solaris.o uidswap.o
@ -157,7 +157,7 @@ Index: openssh-7.8p1/Makefile.in
MANTYPE = @MANTYPE@ MANTYPE = @MANTYPE@
CONFIGFILES=sshd_config.out ssh_config.out moduli.out CONFIGFILES=sshd_config.out ssh_config.out moduli.out
@@ -208,6 +213,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) @@ -206,6 +211,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@ -167,7 +167,7 @@ Index: openssh-7.8p1/Makefile.in
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@@ -363,6 +371,10 @@ install-files: @@ -361,6 +369,10 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@ -178,7 +178,7 @@ Index: openssh-7.8p1/Makefile.in
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
@@ -381,6 +393,10 @@ install-files: @@ -379,6 +391,10 @@ install-files:
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@ -189,7 +189,7 @@ Index: openssh-7.8p1/Makefile.in
install-sysconf: install-sysconf:
$(MKDIR_P) $(DESTDIR)$(sysconfdir) $(MKDIR_P) $(DESTDIR)$(sysconfdir)
@@ -404,6 +420,13 @@ install-sysconf: @@ -402,6 +418,13 @@ install-sysconf:
else \ else \
echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \ echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
fi fi
@ -203,7 +203,7 @@ Index: openssh-7.8p1/Makefile.in
host-key: ssh-keygen$(EXEEXT) host-key: ssh-keygen$(EXEEXT)
@if [ -z "$(DESTDIR)" ] ; then \ @if [ -z "$(DESTDIR)" ] ; then \
@@ -441,6 +464,8 @@ uninstall: @@ -439,6 +462,8 @@ uninstall:
-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@ -212,7 +212,7 @@ Index: openssh-7.8p1/Makefile.in
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
@@ -452,6 +477,7 @@ uninstall: @@ -450,6 +475,7 @@ uninstall:
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@ -220,11 +220,11 @@ Index: openssh-7.8p1/Makefile.in
regress-prep: regress-prep:
$(MKDIR_P) `pwd`/regress/unittests/test_helper $(MKDIR_P) `pwd`/regress/unittests/test_helper
Index: openssh-7.8p1/configure.ac Index: openssh-7.9p1/configure.ac
=================================================================== ===================================================================
--- openssh-7.8p1.orig/configure.ac --- openssh-7.9p1.orig/configure.ac
+++ openssh-7.8p1/configure.ac +++ openssh-7.9p1/configure.ac
@@ -1680,6 +1680,106 @@ AC_ARG_WITH([audit], @@ -1671,6 +1671,106 @@ AC_ARG_WITH([audit],
esac ] esac ]
) )
@ -331,10 +331,10 @@ Index: openssh-7.8p1/configure.ac
AC_ARG_WITH([pie], AC_ARG_WITH([pie],
[ --with-pie Build Position Independent Executables if possible], [ [ --with-pie Build Position Independent Executables if possible], [
if test "x$withval" = "xno"; then if test "x$withval" = "xno"; then
Index: openssh-7.8p1/ldap-helper.c Index: openssh-7.9p1/ldap-helper.c
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/ldap-helper.c +++ openssh-7.9p1/ldap-helper.c
@@ -0,0 +1,155 @@ @@ -0,0 +1,155 @@
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -491,10 +491,10 @@ Index: openssh-7.8p1/ldap-helper.c
+void *buffer_get_string(struct sshbuf *b, u_int *l) { return NULL; } +void *buffer_get_string(struct sshbuf *b, u_int *l) { return NULL; }
+void buffer_put_string(struct sshbuf *b, const void *f, u_int l) {} +void buffer_put_string(struct sshbuf *b, const void *f, u_int l) {}
+ +
Index: openssh-7.8p1/ldap-helper.h Index: openssh-7.9p1/ldap-helper.h
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/ldap-helper.h +++ openssh-7.9p1/ldap-helper.h
@@ -0,0 +1,32 @@ @@ -0,0 +1,32 @@
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -528,10 +528,10 @@ Index: openssh-7.8p1/ldap-helper.h
+extern int config_warning_config_file; +extern int config_warning_config_file;
+ +
+#endif /* LDAP_HELPER_H */ +#endif /* LDAP_HELPER_H */
Index: openssh-7.8p1/ldap.conf Index: openssh-7.9p1/ldap.conf
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/ldap.conf +++ openssh-7.9p1/ldap.conf
@@ -0,0 +1,88 @@ @@ -0,0 +1,88 @@
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $ +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
+# +#
@ -621,10 +621,10 @@ Index: openssh-7.8p1/ldap.conf
+#tls_cert +#tls_cert
+#tls_key +#tls_key
+ +
Index: openssh-7.8p1/ldapbody.c Index: openssh-7.9p1/ldapbody.c
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/ldapbody.c +++ openssh-7.9p1/ldapbody.c
@@ -0,0 +1,494 @@ @@ -0,0 +1,494 @@
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1120,10 +1120,10 @@ Index: openssh-7.8p1/ldapbody.c
+ return; + return;
+} +}
+ +
Index: openssh-7.8p1/ldapbody.h Index: openssh-7.9p1/ldapbody.h
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/ldapbody.h +++ openssh-7.9p1/ldapbody.h
@@ -0,0 +1,37 @@ @@ -0,0 +1,37 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1162,10 +1162,10 @@ Index: openssh-7.8p1/ldapbody.h
+ +
+#endif /* LDAPBODY_H */ +#endif /* LDAPBODY_H */
+ +
Index: openssh-7.8p1/ldapconf.c Index: openssh-7.9p1/ldapconf.c
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/ldapconf.c +++ openssh-7.9p1/ldapconf.c
@@ -0,0 +1,711 @@ @@ -0,0 +1,711 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1878,10 +1878,10 @@ Index: openssh-7.8p1/ldapconf.c
+ dump_cfg_string(lSSH_Filter, options.ssh_filter); + dump_cfg_string(lSSH_Filter, options.ssh_filter);
+} +}
+ +
Index: openssh-7.8p1/ldapconf.h Index: openssh-7.9p1/ldapconf.h
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/ldapconf.h +++ openssh-7.9p1/ldapconf.h
@@ -0,0 +1,71 @@ @@ -0,0 +1,71 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -1954,10 +1954,10 @@ Index: openssh-7.8p1/ldapconf.h
+void dump_config(void); +void dump_config(void);
+ +
+#endif /* LDAPCONF_H */ +#endif /* LDAPCONF_H */
Index: openssh-7.8p1/ldapincludes.h Index: openssh-7.9p1/ldapincludes.h
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/ldapincludes.h +++ openssh-7.9p1/ldapincludes.h
@@ -0,0 +1,41 @@ @@ -0,0 +1,41 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -2000,10 +2000,10 @@ Index: openssh-7.8p1/ldapincludes.h
+#endif +#endif
+ +
+#endif /* LDAPINCLUDES_H */ +#endif /* LDAPINCLUDES_H */
Index: openssh-7.8p1/ldapmisc.c Index: openssh-7.9p1/ldapmisc.c
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/ldapmisc.c +++ openssh-7.9p1/ldapmisc.c
@@ -0,0 +1,79 @@ @@ -0,0 +1,79 @@
+ +
+#include "ldapincludes.h" +#include "ldapincludes.h"
@ -2084,10 +2084,10 @@ Index: openssh-7.8p1/ldapmisc.c
+} +}
+#endif +#endif
+ +
Index: openssh-7.8p1/ldapmisc.h Index: openssh-7.9p1/ldapmisc.h
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/ldapmisc.h +++ openssh-7.9p1/ldapmisc.h
@@ -0,0 +1,35 @@ @@ -0,0 +1,35 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/* +/*
@ -2124,10 +2124,10 @@ Index: openssh-7.8p1/ldapmisc.h
+ +
+#endif /* LDAPMISC_H */ +#endif /* LDAPMISC_H */
+ +
Index: openssh-7.8p1/openbsd-compat/base64.c Index: openssh-7.9p1/openbsd-compat/base64.c
=================================================================== ===================================================================
--- openssh-7.8p1.orig/openbsd-compat/base64.c --- openssh-7.9p1.orig/openbsd-compat/base64.c
+++ openssh-7.8p1/openbsd-compat/base64.c +++ openssh-7.9p1/openbsd-compat/base64.c
@@ -46,7 +46,7 @@ @@ -46,7 +46,7 @@
#include "includes.h" #include "includes.h"
@ -2155,10 +2155,10 @@ Index: openssh-7.8p1/openbsd-compat/base64.c
/* skips all whitespace anywhere. /* skips all whitespace anywhere.
converts characters, four at a time, starting at (or after) converts characters, four at a time, starting at (or after)
Index: openssh-7.8p1/openbsd-compat/base64.h Index: openssh-7.9p1/openbsd-compat/base64.h
=================================================================== ===================================================================
--- openssh-7.8p1.orig/openbsd-compat/base64.h --- openssh-7.9p1.orig/openbsd-compat/base64.h
+++ openssh-7.8p1/openbsd-compat/base64.h +++ openssh-7.9p1/openbsd-compat/base64.h
@@ -45,16 +45,16 @@ @@ -45,16 +45,16 @@
#include "includes.h" #include "includes.h"
@ -2180,10 +2180,10 @@ Index: openssh-7.8p1/openbsd-compat/base64.h
int b64_pton(char const *src, u_char *target, size_t targsize); int b64_pton(char const *src, u_char *target, size_t targsize);
# endif /* !HAVE_B64_PTON */ # endif /* !HAVE_B64_PTON */
# define __b64_pton(a,b,c) b64_pton(a,b,c) # define __b64_pton(a,b,c) b64_pton(a,b,c)
Index: openssh-7.8p1/openssh-lpk-openldap.schema Index: openssh-7.9p1/openssh-lpk-openldap.schema
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/openssh-lpk-openldap.schema +++ openssh-7.9p1/openssh-lpk-openldap.schema
@@ -0,0 +1,21 @@ @@ -0,0 +1,21 @@
+# +#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2206,10 +2206,10 @@ Index: openssh-7.8p1/openssh-lpk-openldap.schema
+ DESC 'MANDATORY: OpenSSH LPK objectclass' + DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid ) + MUST ( sshPublicKey $ uid )
+ ) + )
Index: openssh-7.8p1/openssh-lpk-sun.schema Index: openssh-7.9p1/openssh-lpk-sun.schema
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/openssh-lpk-sun.schema +++ openssh-7.9p1/openssh-lpk-sun.schema
@@ -0,0 +1,23 @@ @@ -0,0 +1,23 @@
+# +#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2234,10 +2234,10 @@ Index: openssh-7.8p1/openssh-lpk-sun.schema
+ DESC 'MANDATORY: OpenSSH LPK objectclass' + DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid ) + MUST ( sshPublicKey $ uid )
+ ) + )
Index: openssh-7.8p1/ssh-ldap-helper.8 Index: openssh-7.9p1/ssh-ldap-helper.8
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/ssh-ldap-helper.8 +++ openssh-7.9p1/ssh-ldap-helper.8
@@ -0,0 +1,79 @@ @@ -0,0 +1,79 @@
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\" +.\"
@ -2318,19 +2318,19 @@ Index: openssh-7.8p1/ssh-ldap-helper.8
+OpenSSH 5.5 + PKA-LDAP . +OpenSSH 5.5 + PKA-LDAP .
+.Sh AUTHORS +.Sh AUTHORS
+.An Jan F. Chadima Aq jchadima@redhat.com +.An Jan F. Chadima Aq jchadima@redhat.com
Index: openssh-7.8p1/ssh-ldap-wrapper Index: openssh-7.9p1/ssh-ldap-wrapper
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/ssh-ldap-wrapper +++ openssh-7.9p1/ssh-ldap-wrapper
@@ -0,0 +1,4 @@ @@ -0,0 +1,4 @@
+#!/bin/sh +#!/bin/sh
+ +
+exec @LIBEXECDIR@/ssh-ldap-helper -s "$1" +exec @LIBEXECDIR@/ssh-ldap-helper -s "$1"
+ +
Index: openssh-7.8p1/ssh-ldap.conf.5 Index: openssh-7.9p1/ssh-ldap.conf.5
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ openssh-7.8p1/ssh-ldap.conf.5 +++ openssh-7.9p1/ssh-ldap.conf.5
@@ -0,0 +1,376 @@ @@ -0,0 +1,376 @@
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\" +.\"


@ -41,6 +41,8 @@ Mon Oct 22 08:51:30 UTC 2018 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com
* openssh-7.7p1-fips.patch * openssh-7.7p1-fips.patch
* openssh-7.7p1-gssapi_key_exchange.patch * openssh-7.7p1-gssapi_key_exchange.patch
* openssh-7.7p1-seccomp_ipc_flock.patch * openssh-7.7p1-seccomp_ipc_flock.patch
* openssh-7.7p1-cavstest-ctr.patch
* openssh-7.7p1-ldap.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Oct 19 13:22:10 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com> Fri Oct 19 13:22:10 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>