From 712ccf339570909e42a8b770e73b6c9ae955576eaf5ef3f212d5150b700c9120 Mon Sep 17 00:00:00 2001 
From: Petr Cerny Date: Fri, 31 Jan 2014 12:18:41 +0000 Subject: [PATCH] Accepting request 220466 from home:pcerny:factory - Update of the underlying OpenSSH to 6.4p1 - Update to 6.4p1 Features since 6.2p2: * ssh-agent(1) support in sshd(8); allows encrypted hostkeys, or hostkeys on smartcards. * ssh(1)/sshd(8): allow optional time-based rekeying via a second argument to the existing RekeyLimit option. RekeyLimit is now supported in sshd_config as well as on the client. * sshd(8): standardise logging of information during user authentication. * The presented key/cert and the remote username (if available) is now logged in the authentication success/failure message on the same log line as the local username, remote host/port and protocol in use. Certificates contents and the key fingerprint of the signing CA are logged too. * ssh(1) ability to query what cryptographic algorithms are supported in the binary. * ssh(1): ProxyCommand=- for cases where stdin and stdout already point to the proxy. * ssh(1): allow IdentityFile=none * ssh(1)/sshd(8): -E option to append debugging logs to a specified file instead of stderr or syslog. * sftp(1): support resuming partial downloads with the "reget" command and on the sftp commandline or on the "get" commandline with the "-a" (append) option. * ssh(1): "IgnoreUnknown" configuration option to selectively suppress errors arising from unknown configuration directives. * sshd(8): support for submethods to be appended to required authentication methods listed via AuthenticationMethods. OBS-URL: https://build.opensuse.org/request/show/220466 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=58 --- openssh-6.2p2.tar.gz | 3 - ...atch => openssh-6.4p1-X11-forwarding.patch | 14 +- ...h-6.4p1-audit1-remove_duplicit_audit.patch | 8 +- ...-audit2-better_audit_of_user_actions.patch | 115 ++++---- ... openssh-6.4p1-audit3-key_auth_usage.patch | 138 +++++----- ... 
=> openssh-6.4p1-audit4-kex_results.patch | 126 ++++----- ...6.4p1-audit5-session_key_destruction.patch | 204 +++++++------- ...-6.4p1-audit6-server_key_destruction.patch | 116 ++++---- ...openssh-6.4p1-audit7-libaudit_compat.patch | 10 +- ...h-6.4p1-audit8-libaudit_dns_timeouts.patch | 6 +- ....patch => openssh-6.4p1-blocksigalrm.patch | 16 +- ...ch => openssh-6.4p1-default-protocol.patch | 6 +- ...nssh-6.4p1-disable-openssl-abi-check.patch | 6 +- ...2p2-eal3.patch => openssh-6.4p1-eal3.patch | 20 +- ...ch => openssh-6.4p1-fingerprint_hash.patch | 256 +++++++++++------- ...2p2-fips.patch => openssh-6.4p1-fips.patch | 86 +++--- ...=> openssh-6.4p1-gssapi_key_exchange.patch | 228 ++++++++-------- ...tm.patch => openssh-6.4p1-gssapimitm.patch | 99 +++---- ...nt.patch => openssh-6.4p1-host_ident.patch | 8 +- ...patch => openssh-6.4p1-key-converter.patch | 20 +- ...stlog.patch => openssh-6.4p1-lastlog.patch | 6 +- ...2p2-ldap.patch => openssh-6.4p1-ldap.patch | 114 ++++---- ...patch => openssh-6.4p1-login_options.patch | 8 +- ...=> openssh-6.4p1-no_fork-no_pid_file.patch | 8 +- ...tch => openssh-6.4p1-pam-check-locks.patch | 52 ++-- ...fix2.patch => openssh-6.4p1-pam-fix2.patch | 10 +- ...fix3.patch => openssh-6.4p1-pam-fix3.patch | 10 +- ...6.2p2-pts.patch => openssh-6.4p1-pts.patch | 6 +- ....patch => openssh-6.4p1-saveargv-fix.patch | 10 +- ...rng.patch => openssh-6.4p1-seed-prng.patch | 102 +++---- ...e.patch => openssh-6.4p1-send_locale.patch | 17 +- ...tch => openssh-6.4p1-sftp_homechroot.patch | 48 ++-- ...2-xauth.patch => openssh-6.4p1-xauth.patch | 20 +- ... 
=> openssh-6.4p1-xauthlocalhostname.patch | 14 +- openssh-6.4p1.tar.gz | 3 + openssh-askpass-gnome.changes | 5 + openssh-askpass-gnome.spec | 4 +- openssh.changes | 82 ++++++ openssh.spec | 101 +++---- 39 files changed, 1129 insertions(+), 976 deletions(-) delete mode 100644 openssh-6.2p2.tar.gz rename openssh-6.2p2-X11-forwarding.patch => openssh-6.4p1-X11-forwarding.patch (85%) rename openssh-6.2p2-audit1-remove_duplicit_audit.patch => openssh-6.4p1-audit1-remove_duplicit_audit.patch (84%) rename openssh-6.2p2-audit2-better_audit_of_user_actions.patch => openssh-6.4p1-audit2-better_audit_of_user_actions.patch (90%) rename openssh-6.2p2-audit3-key_auth_usage.patch => openssh-6.4p1-audit3-key_auth_usage.patch (85%) rename openssh-6.2p2-audit4-kex_results.patch => openssh-6.4p1-audit4-kex_results.patch (89%) rename openssh-6.2p2-audit5-session_key_destruction.patch => openssh-6.4p1-audit5-session_key_destruction.patch (86%) rename openssh-6.2p2-audit6-server_key_destruction.patch => openssh-6.4p1-audit6-server_key_destruction.patch (89%) rename openssh-6.2p2-audit7-libaudit_compat.patch => openssh-6.4p1-audit7-libaudit_compat.patch (92%) rename openssh-6.2p2-audit8-libaudit_dns_timeouts.patch => openssh-6.4p1-audit8-libaudit_dns_timeouts.patch (92%) rename openssh-6.2p2-blocksigalrm.patch => openssh-6.4p1-blocksigalrm.patch (83%) rename openssh-6.2p2-default-protocol.patch => openssh-6.4p1-default-protocol.patch (83%) rename openssh-6.2p2-disable-openssl-abi-check.patch => openssh-6.4p1-disable-openssl-abi-check.patch (89%) rename openssh-6.2p2-eal3.patch => openssh-6.4p1-eal3.patch (82%) rename openssh-6.2p2-fingerprint_hash.patch => openssh-6.4p1-fingerprint_hash.patch (76%) rename openssh-6.2p2-fips.patch => openssh-6.4p1-fips.patch (94%) rename openssh-6.2p2-gssapi_key_exchange.patch => openssh-6.4p1-gssapi_key_exchange.patch (96%) rename openssh-6.2p2-gssapimitm.patch => openssh-6.4p1-gssapimitm.patch (86%) rename openssh-6.2p2-host_ident.patch => 
openssh-6.4p1-host_ident.patch (82%)
rename openssh-6.2p2-key-converter.patch => openssh-6.4p1-key-converter.patch (94%)
rename openssh-6.2p2-lastlog.patch => openssh-6.4p1-lastlog.patch (82%)
rename openssh-6.2p2-ldap.patch => openssh-6.4p1-ldap.patch (96%)
rename openssh-6.2p2-login_options.patch => openssh-6.4p1-login_options.patch (84%)
rename openssh-6.2p2-no_fork-no_pid_file.patch => openssh-6.4p1-no_fork-no_pid_file.patch (79%)
rename openssh-6.2p2-pam-check-locks.patch => openssh-6.4p1-pam-check-locks.patch (84%)
rename openssh-6.2p2-pam-fix2.patch => openssh-6.4p1-pam-fix2.patch (84%)
rename openssh-6.2p2-pam-fix3.patch => openssh-6.4p1-pam-fix3.patch (75%)
rename openssh-6.2p2-pts.patch => openssh-6.4p1-pts.patch (91%)
rename openssh-6.2p2-saveargv-fix.patch => openssh-6.4p1-saveargv-fix.patch (84%)
rename openssh-6.2p2-seed-prng.patch => openssh-6.4p1-seed-prng.patch (85%)
rename openssh-6.2p2-send_locale.patch => openssh-6.4p1-send_locale.patch (77%)
rename openssh-6.2p2-sftp_homechroot.patch => openssh-6.4p1-sftp_homechroot.patch (90%)
rename openssh-6.2p2-xauth.patch => openssh-6.4p1-xauth.patch (78%)
rename openssh-6.2p2-xauthlocalhostname.patch => openssh-6.4p1-xauthlocalhostname.patch (91%)
create mode 100644 openssh-6.4p1.tar.gz
diff --git a/openssh-6.2p2.tar.gz b/openssh-6.2p2.tar.gz
deleted file mode 100644
index 2159c85..0000000
--- a/openssh-6.2p2.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:7f29b9d2ad672ae0f9e1dcbff871fc5c2e60a194e90c766432e32161b842313b
-size 1182922
diff --git a/openssh-6.2p2-X11-forwarding.patch b/openssh-6.4p1-X11-forwarding.patch
similarity index 85%
rename from openssh-6.2p2-X11-forwarding.patch
rename to openssh-6.4p1-X11-forwarding.patch
index 1f3f946..f2914fa 100644
--- a/openssh-6.2p2-X11-forwarding.patch
+++ b/openssh-6.4p1-X11-forwarding.patch
@@ -2,9 +2,9 @@ # configuration # bnc#50836 (was suse #35836) -diff --git a/openssh-6.2p2/ssh_config b/openssh-6.2p2/ssh_config ---- a/openssh-6.2p2/ssh_config -+++ b/openssh-6.2p2/ssh_config +diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config +--- a/openssh-6.4p1/ssh_config ++++ b/openssh-6.4p1/ssh_config @@ -12,19 +12,30 @@ # Any configuration value is only changed the first time it is set. # Thus, host-specific definitions should be at the beginning of the @@ -37,10 +37,10 @@ diff --git a/openssh-6.2p2/ssh_config b/openssh-6.2p2/ssh_config # GSSAPIDelegateCredentials no # BatchMode no # CheckHostIP yes -diff --git a/openssh-6.2p2/sshd_config b/openssh-6.2p2/sshd_config ---- a/openssh-6.2p2/sshd_config -+++ b/openssh-6.2p2/sshd_config -@@ -90,17 +90,17 @@ AuthorizedKeysFile .ssh/authorized_keys +diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config +--- a/openssh-6.4p1/sshd_config ++++ b/openssh-6.4p1/sshd_config +@@ -93,17 +93,17 @@ AuthorizedKeysFile .ssh/authorized_keys # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. diff --git a/openssh-6.2p2-audit1-remove_duplicit_audit.patch b/openssh-6.4p1-audit1-remove_duplicit_audit.patch similarity index 84% rename from openssh-6.2p2-audit1-remove_duplicit_audit.patch rename to openssh-6.4p1-audit1-remove_duplicit_audit.patch index 72398cf..891a91b 100644 --- a/openssh-6.2p2-audit1-remove_duplicit_audit.patch +++ b/openssh-6.4p1-audit1-remove_duplicit_audit.patch 
@@ -8,10 +8,10 @@ # # PRIVSEP(getpwnamallow()) a few lines above already did this. -diff --git a/openssh-6.2p2/auth2.c b/openssh-6.2p2/auth2.c ---- a/openssh-6.2p2/auth2.c -+++ b/openssh-6.2p2/auth2.c -@@ -239,19 +239,16 @@ input_userauth_request(int type, u_int32 +diff --git a/openssh-6.4p1/auth2.c b/openssh-6.4p1/auth2.c +--- a/openssh-6.4p1/auth2.c ++++ b/openssh-6.4p1/auth2.c +@@ -242,19 +242,16 @@ input_userauth_request(int type, u_int32 authctxt->pw = PRIVSEP(getpwnamallow(user)); authctxt->user = xstrdup(user); if (authctxt->pw && strcmp(service, "ssh-connection")==0) { diff --git a/openssh-6.2p2-audit2-better_audit_of_user_actions.patch b/openssh-6.4p1-audit2-better_audit_of_user_actions.patch similarity index 90% rename from openssh-6.2p2-audit2-better_audit_of_user_actions.patch rename to openssh-6.4p1-audit2-better_audit_of_user_actions.patch index 27d6798..d95521e 100644 --- a/openssh-6.2p2-audit2-better_audit_of_user_actions.patch +++ b/openssh-6.4p1-audit2-better_audit_of_user_actions.patch @@ -4,9 +4,9 @@ # https://bugzilla.mindrot.org/attachment.cgi?id=2011 # by jchadima@redhat.com -diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c ---- a/openssh-6.2p2/audit-bsm.c -+++ b/openssh-6.2p2/audit-bsm.c +diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c +--- a/openssh-6.4p1/audit-bsm.c ++++ b/openssh-6.4p1/audit-bsm.c @@ -370,20 +370,33 @@ audit_connection_from(const char *host, /* this is used on IPv4-only machines */ tid->port = (dev_t)port; @@ -42,9 +42,9 @@ diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c /* not implemented */ } -diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c ---- a/openssh-6.2p2/audit-linux.c -+++ b/openssh-6.2p2/audit-linux.c +diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c +--- a/openssh-6.4p1/audit-linux.c ++++ b/openssh-6.4p1/audit-linux.c @@ -30,97 +30,210 @@ #include "includes.h" #if defined(USE_LINUX_AUDIT) @@ -276,9 +276,9 @@ 
diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c } #endif /* USE_LINUX_AUDIT */ -diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c ---- a/openssh-6.2p2/audit.c -+++ b/openssh-6.2p2/audit.c +diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c +--- a/openssh-6.4p1/audit.c ++++ b/openssh-6.4p1/audit.c @@ -135,16 +135,27 @@ audit_connection_from(const char *host, void audit_event(ssh_audit_event_t event) @@ -344,9 +344,9 @@ diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c + # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */ -diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h ---- a/openssh-6.2p2/audit.h -+++ b/openssh-6.2p2/audit.h +diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h +--- a/openssh-6.4p1/audit.h ++++ b/openssh-6.4p1/audit.h @@ -44,14 +44,16 @@ enum ssh_audit_event_type { SSH_CONNECTION_CLOSE, /* closed after attempting auth or session */ SSH_CONNECTION_ABANDON, /* closed without completing auth */ @@ -365,10 +365,10 @@ diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h ssh_audit_event_t audit_classify_auth(const char *); #endif /* _SSH_AUDIT_H */ -diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c ---- a/openssh-6.2p2/monitor.c -+++ b/openssh-6.2p2/monitor.c -@@ -180,16 +180,17 @@ int mm_answer_gss_setup_ctx(int, Buffer +diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c +--- a/openssh-6.4p1/monitor.c ++++ b/openssh-6.4p1/monitor.c +@@ -181,16 +181,17 @@ int mm_answer_gss_setup_ctx(int, Buffer int mm_answer_gss_accept_ctx(int, Buffer *); int mm_answer_gss_userok(int, Buffer *); int mm_answer_gss_checkmic(int, Buffer *); @@ -386,7 +386,7 @@ 
diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ /* local state for key verify */ -@@ -267,16 +268,17 @@ struct mon_table mon_dispatch_postauth20 +@@ -268,16 +269,17 @@ struct mon_table mon_dispatch_postauth20 {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, {MONITOR_REQ_SIGN, 0, mm_answer_sign}, {MONITOR_REQ_PTY, 0, mm_answer_pty}, @@ -404,7 +404,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey}, {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid}, -@@ -309,16 +311,17 @@ struct mon_table mon_dispatch_proto15[] +@@ -310,16 +312,17 @@ struct mon_table mon_dispatch_proto15[] struct mon_table mon_dispatch_postauth15[] = { {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty}, @@ -422,7 +422,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c /* Specifies if a certain message is allowed at the moment */ -@@ -1427,16 +1430,22 @@ mm_record_login(Session *s, struct passw +@@ -1442,16 +1445,22 @@ mm_record_login(Session *s, struct passw static void mm_session_close(Session *s) { @@ -445,7 +445,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c { extern struct monitor *pmonitor; Session *s; -@@ -1749,21 +1758,54 @@ mm_answer_audit_event(int socket, Buffer +@@ -1764,21 +1773,53 @@ mm_answer_audit_event(int socket, Buffer return (0); } @@ -458,7 +458,6 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c debug3("%s entering", __func__); cmd = buffer_get_string(m, &len); -+ /* sanity check command, if so how? */ - audit_run_command(cmd); + s = session_new(); @@ -493,7 +492,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c + fatal("%s: invalid handle", __func__); + mm_session_close(s); + - xfree(cmd); + free(cmd); return (0); } #endif /* SSH_AUDIT_EVENTS */ @@ -501,9 +500,9 @@ 
diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c void monitor_apply_keystate(struct monitor *pmonitor) { -diff --git a/openssh-6.2p2/monitor.h b/openssh-6.2p2/monitor.h ---- a/openssh-6.2p2/monitor.h -+++ b/openssh-6.2p2/monitor.h +diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h +--- a/openssh-6.4p1/monitor.h ++++ b/openssh-6.4p1/monitor.h @@ -64,16 +64,17 @@ enum monitor_reqtype { MONITOR_REQ_PAM_START = 100, @@ -522,10 +521,10 @@ diff --git a/openssh-6.2p2/monitor.h b/openssh-6.2p2/monitor.h int m_recvfd; int m_sendfd; int m_log_recvfd; -diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c ---- a/openssh-6.2p2/monitor_wrap.c -+++ b/openssh-6.2p2/monitor_wrap.c -@@ -1184,27 +1184,48 @@ mm_audit_event(ssh_audit_event_t event) +diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c +--- a/openssh-6.4p1/monitor_wrap.c ++++ b/openssh-6.4p1/monitor_wrap.c +@@ -1186,27 +1186,48 @@ mm_audit_event(ssh_audit_event_t event) buffer_init(&m); buffer_put_int(&m, event); @@ -575,9 +574,9 @@ diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid) { -diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h ---- a/openssh-6.2p2/monitor_wrap.h -+++ b/openssh-6.2p2/monitor_wrap.h +diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h +--- a/openssh-6.4p1/monitor_wrap.h ++++ b/openssh-6.4p1/monitor_wrap.h @@ -69,17 +69,18 @@ void *mm_sshpam_init_ctx(struct Authctxt int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **); int mm_sshpam_respond(void *, u_int, char **); @@ -598,9 +597,9 @@ 
diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h void mm_session_pty_cleanup2(struct Session *); /* SSHv1 interfaces */ -diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c ---- a/openssh-6.2p2/session.c -+++ b/openssh-6.2p2/session.c +diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c +--- a/openssh-6.4p1/session.c ++++ b/openssh-6.4p1/session.c @@ -740,16 +740,24 @@ do_exec_pty(Session *s, const char *comm cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); #endif @@ -658,7 +657,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c original_command = NULL; -@@ -1862,16 +1874,17 @@ session_unused(int id) +@@ -1875,16 +1887,17 @@ session_unused(int id) bzero(&sessions[id], sizeof(*sessions)); sessions[id].self = id; sessions[id].used = 0; @@ -676,7 +675,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c session_new(void) { Session *s, *tmp; -@@ -1944,16 +1957,29 @@ session_open(Authctxt *authctxt, int cha +@@ -1957,16 +1970,29 @@ session_open(Authctxt *authctxt, int cha if (s->pw == NULL || !authctxt->valid) fatal("no user for session %d", s->self); debug("session_open: session %d: link with channel %d", s->self, chanid); @@ -706,7 +705,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c if (s->used && s->ttyfd != -1 && strcmp(s->tty, tty) == 0) { debug("session_by_tty: session %d tty %s", i, tty); return s; -@@ -2469,16 +2495,40 @@ session_exit_message(Session *s, int sta +@@ -2473,16 +2499,40 @@ session_exit_message(Session *s, int sta * interested in data we write. * Note that we must not call 'chan_read_failed', since there could * be some more data waiting in the pipe. @@ -721,7 +720,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c +{ + if (s->command != NULL) { + audit_end_command(s->command_handle, s->command); -+ xfree(s->command); ++ free(s->command); + s->command = NULL; + s->command_handle = -1; + } @@ -732,7 +731,7 @@ 
diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c +{ + if (s->command != NULL) { + PRIVSEP(audit_end_command(s->command_handle, s->command)); -+ xfree(s->command); ++ free(s->command); + s->command = NULL; + s->command_handle = -1; + } @@ -747,7 +746,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c debug("session_close: session %d pid %ld", s->self, (long)s->pid); -@@ -2509,16 +2559,20 @@ session_close(Session *s) +@@ -2513,16 +2563,20 @@ session_close(Session *s) int status; waitpid(pid, &status, 0); @@ -760,15 +759,15 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c + if (s->command) + session_end_command(s); +#endif - if (s->term) - xfree(s->term); - if (s->display) - xfree(s->display); - if (s->x11_chanids) - xfree(s->x11_chanids); - if (s->auth_display) - xfree(s->auth_display); -@@ -2728,16 +2782,25 @@ session_setup_x11fwd(Session *s) + free(s->term); + free(s->display); + free(s->x11_chanids); + free(s->auth_display); + free(s->auth_data); + free(s->auth_proto); + if (s->env != NULL) { + for (i = 0; i < s->num_env; i++) { +@@ -2726,16 +2780,25 @@ session_setup_x11fwd(Session *s) } static void @@ -794,7 +793,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c debug("do_cleanup"); /* no cleanup if we're in the child for login shell */ -@@ -2776,10 +2839,10 @@ do_cleanup(Authctxt *authctxt) +@@ -2774,10 +2837,10 @@ do_cleanup(Authctxt *authctxt) /* remove agent socket */ auth_sock_cleanup_proc(authctxt->pw); @@ -806,9 +805,9 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c - session_destroy_all(session_pty_cleanup2); + session_destroy_all(do_cleanup_one_session); } -diff --git a/openssh-6.2p2/session.h b/openssh-6.2p2/session.h ---- a/openssh-6.2p2/session.h -+++ b/openssh-6.2p2/session.h +diff --git a/openssh-6.4p1/session.h b/openssh-6.4p1/session.h +--- a/openssh-6.4p1/session.h ++++ b/openssh-6.4p1/session.h @@ -55,29 +55,37 @@ struct Session { int chanid; int *x11_chanids; 
@@ -847,10 +846,10 @@ diff --git a/openssh-6.2p2/session.h b/openssh-6.2p2/session.h const char *value); #endif -diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c ---- a/openssh-6.2p2/sshd.c -+++ b/openssh-6.2p2/sshd.c -@@ -2404,13 +2404,14 @@ cleanup_exit(int i) +diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c +--- a/openssh-6.4p1/sshd.c ++++ b/openssh-6.4p1/sshd.c +@@ -2487,13 +2487,14 @@ cleanup_exit(int i) if (kill(pmonitor->m_pid, SIGKILL) != 0 && errno != ESRCH) error("%s: kill(%d): %s", __func__, diff --git a/openssh-6.2p2-audit3-key_auth_usage.patch b/openssh-6.4p1-audit3-key_auth_usage.patch similarity index 85% rename from openssh-6.2p2-audit3-key_auth_usage.patch rename to openssh-6.4p1-audit3-key_auth_usage.patch index 5aae675..0b04782 100644 --- a/openssh-6.2p2-audit3-key_auth_usage.patch +++ b/openssh-6.4p1-audit3-key_auth_usage.patch @@ -5,9 +5,9 @@ # (replaces: https://bugzilla.mindrot.org/attachment.cgi?id=1975) # by jchadima@redhat.com -diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c ---- a/openssh-6.2p2/audit-bsm.c -+++ b/openssh-6.2p2/audit-bsm.c +diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c +--- a/openssh-6.4p1/audit-bsm.c ++++ b/openssh-6.4p1/audit-bsm.c @@ -401,16 +401,22 @@ audit_session_open(struct logininfo *li) } @@ -31,9 +31,9 @@ diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c const char *user = the_authctxt ? the_authctxt->user : "(unknown user)"; if (cannot_audit(0)) -diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c ---- a/openssh-6.2p2/audit-linux.c -+++ b/openssh-6.2p2/audit-linux.c +diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c +--- a/openssh-6.4p1/audit-linux.c ++++ b/openssh-6.4p1/audit-linux.c @@ -36,16 +36,18 @@ #include "log.h" #include "audit.h" @@ -101,9 +101,9 @@ 
diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c audit_connection_from(const char *host, int port) { /* not implemented */ -diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c ---- a/openssh-6.2p2/audit.c -+++ b/openssh-6.2p2/audit.c +diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c +--- a/openssh-6.4p1/audit.c ++++ b/openssh-6.4p1/audit.c @@ -31,16 +31,17 @@ #ifdef SSH_AUDIT_EVENTS @@ -144,7 +144,7 @@ diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c + crypto_name = key_ssh_name(key); + if (audit_keyusage(host_user, crypto_name, key_size(key), fp, *rv) == 0) + *rv = 0; -+ xfree(fp); ++ free(fp); +} + # ifndef CUSTOM_SSH_AUDIT_EVENTS @@ -178,9 +178,9 @@ diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c +} # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */ -diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h ---- a/openssh-6.2p2/audit.h -+++ b/openssh-6.2p2/audit.h +diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h +--- a/openssh-6.4p1/audit.h ++++ b/openssh-6.4p1/audit.h @@ -23,16 +23,17 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. @@ -212,9 +212,9 @@ diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h +void audit_key(int, int *, const Key *); #endif /* _SSH_AUDIT_H */ -diff --git a/openssh-6.2p2/auth-rsa.c b/openssh-6.2p2/auth-rsa.c ---- a/openssh-6.2p2/auth-rsa.c -+++ b/openssh-6.2p2/auth-rsa.c +diff --git a/openssh-6.4p1/auth-rsa.c b/openssh-6.4p1/auth-rsa.c +--- a/openssh-6.4p1/auth-rsa.c ++++ b/openssh-6.4p1/auth-rsa.c @@ -87,17 +87,20 @@ auth_rsa_generate_challenge(Key *key) return challenge; } @@ -259,7 +259,7 @@ diff --git a/openssh-6.2p2/auth-rsa.c b/openssh-6.2p2/auth-rsa.c } - /* Correct answer. */ - return (1); -+ xfree(fp); ++ free(fp); +#endif + + return rv; @@ -271,10 +271,10 @@ 
diff --git a/openssh-6.2p2/auth-rsa.c b/openssh-6.2p2/auth-rsa.c * our challenge; returns zero if the client gives a wrong answer. */ -diff --git a/openssh-6.2p2/auth.h b/openssh-6.2p2/auth.h ---- a/openssh-6.2p2/auth.h -+++ b/openssh-6.2p2/auth.h -@@ -176,31 +176,33 @@ int allowed_user(struct passwd *); +diff --git a/openssh-6.4p1/auth.h b/openssh-6.4p1/auth.h +--- a/openssh-6.4p1/auth.h ++++ b/openssh-6.4p1/auth.h +@@ -182,16 +182,17 @@ int allowed_user(struct passwd *); struct passwd * getpwnamallow(const char *user); char *get_challenge(Authctxt *); @@ -292,13 +292,15 @@ diff --git a/openssh-6.2p2/auth.h b/openssh-6.2p2/auth.h HostStatus check_key_in_hostfiles(struct passwd *, Key *, const char *, const char *, const char *); - +@@ -199,16 +200,17 @@ check_key_in_hostfiles(struct passwd *, /* hostkey handling */ Key *get_hostkey_by_index(int); + Key *get_hostkey_public_by_index(int); Key *get_hostkey_public_by_type(int); Key *get_hostkey_private_by_type(int); int get_hostkey_index(Key *); int ssh1_session_key(BIGNUM *); + void sshd_hostkey_sign(Key *, Key *, u_char **, u_int *, u_char *, u_int); +int hostbased_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int); /* debug messages during authentication */ @@ -308,15 +310,15 @@ 
diff --git a/openssh-6.2p2/auth.h b/openssh-6.2p2/auth.h struct passwd *fakepw(void); -diff --git a/openssh-6.2p2/auth2-hostbased.c b/openssh-6.2p2/auth2-hostbased.c ---- a/openssh-6.2p2/auth2-hostbased.c -+++ b/openssh-6.2p2/auth2-hostbased.c -@@ -114,33 +114,45 @@ userauth_hostbased(Authctxt *authctxt) - buffer_put_cstring(&b, chost); - buffer_put_cstring(&b, cuser); - #ifdef DEBUG_PK - buffer_dump(&b); +diff --git a/openssh-6.4p1/auth2-hostbased.c b/openssh-6.4p1/auth2-hostbased.c +--- a/openssh-6.4p1/auth2-hostbased.c ++++ b/openssh-6.4p1/auth2-hostbased.c +@@ -118,33 +118,45 @@ userauth_hostbased(Authctxt *authctxt) #endif + + pubkey_auth_info(authctxt, key, + "client user \"%.100s\", client host \"%.100s\"", cuser, chost); + /* test for allowed key and correct signature */ authenticated = 0; if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) && @@ -330,11 +332,11 @@ diff --git a/openssh-6.2p2/auth2-hostbased.c b/openssh-6.2p2/auth2-hostbased.c debug2("userauth_hostbased: authenticated %d", authenticated); if (key != NULL) key_free(key); - xfree(pkalg); - xfree(pkblob); - xfree(cuser); - xfree(chost); - xfree(sig); + free(pkalg); + free(pkblob); + free(cuser); + free(chost); + free(sig); return authenticated; } @@ -358,15 +360,15 @@ 
diff --git a/openssh-6.2p2/auth2-hostbased.c b/openssh-6.2p2/auth2-hostbased.c const char *resolvedname, *ipaddr, *lookup, *reason; HostStatus host_status; int len; -diff --git a/openssh-6.2p2/auth2-pubkey.c b/openssh-6.2p2/auth2-pubkey.c ---- a/openssh-6.2p2/auth2-pubkey.c -+++ b/openssh-6.2p2/auth2-pubkey.c -@@ -141,17 +141,17 @@ userauth_pubkey(Authctxt *authctxt) - } - buffer_put_string(&b, pkblob, blen); +diff --git a/openssh-6.4p1/auth2-pubkey.c b/openssh-6.4p1/auth2-pubkey.c +--- a/openssh-6.4p1/auth2-pubkey.c ++++ b/openssh-6.4p1/auth2-pubkey.c +@@ -147,17 +147,17 @@ userauth_pubkey(Authctxt *authctxt) #ifdef DEBUG_PK buffer_dump(&b); #endif + pubkey_auth_info(authctxt, key, NULL); + /* test for correct signature */ authenticated = 0; if (PRIVSEP(user_key_allowed(authctxt->pw, key)) && @@ -375,17 +377,17 @@ diff --git a/openssh-6.2p2/auth2-pubkey.c b/openssh-6.2p2/auth2-pubkey.c buffer_len(&b))) == 1) authenticated = 1; buffer_free(&b); - xfree(sig); + free(sig); } else { debug("test whether pkalg/pkblob are acceptable"); packet_check_eom(); -@@ -178,16 +178,28 @@ done: +@@ -184,16 +184,28 @@ done: debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg); if (key != NULL) key_free(key); - xfree(pkalg); - xfree(pkblob); + free(pkalg); + free(pkblob); return authenticated; } @@ -401,18 +403,18 @@ 
diff --git a/openssh-6.2p2/auth2-pubkey.c b/openssh-6.2p2/auth2-pubkey.c + return rv; +} + - static int - match_principals_option(const char *principal_list, struct KeyCert *cert) + void + pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...) { - char *result; - u_int i; + char *fp, *extra; + va_list ap; + int i; - /* XXX percent_expand() sequences for authorized_principals? */ - -diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c ---- a/openssh-6.2p2/monitor.c -+++ b/openssh-6.2p2/monitor.c -@@ -1347,26 +1347,30 @@ monitor_valid_hostbasedblob(u_char *data + extra = NULL; +diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c +--- a/openssh-6.4p1/monitor.c ++++ b/openssh-6.4p1/monitor.c +@@ -1362,26 +1362,30 @@ monitor_valid_hostbasedblob(u_char *data } int @@ -443,7 +445,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c switch (key_blobtype) { case MM_USERKEY: valid_data = monitor_valid_userblob(data, datalen); -@@ -1377,17 +1381,27 @@ mm_answer_keyverify(int sock, Buffer *m) +@@ -1392,17 +1396,27 @@ mm_answer_keyverify(int sock, Buffer *m) break; default: valid_data = 0; @@ -468,14 +470,14 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c __func__, key, (verified == 1) ? "verified" : "unverified"); key_free(key); - xfree(blob); - xfree(signature); - xfree(data); + free(blob); + free(signature); + free(data); -diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c ---- a/openssh-6.2p2/monitor_wrap.c -+++ b/openssh-6.2p2/monitor_wrap.c -@@ -426,30 +426,31 @@ mm_key_allowed(enum mm_keytype type, cha +diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c +--- a/openssh-6.4p1/monitor_wrap.c ++++ b/openssh-6.4p1/monitor_wrap.c +@@ -428,30 +428,31 @@ mm_key_allowed(enum mm_keytype type, cha /* * This key verify needs to send the key type along, because the @@ -503,12 +505,12 @@ 
diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c buffer_put_string(&m, blob, len); buffer_put_string(&m, sig, siglen); buffer_put_string(&m, data, datalen); - xfree(blob); + free(blob); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m); debug3("%s: waiting for MONITOR_ANS_KEYVERIFY", __func__); -@@ -457,16 +458,29 @@ mm_key_verify(Key *key, u_char *sig, u_i +@@ -459,16 +460,29 @@ mm_key_verify(Key *key, u_char *sig, u_i verified = buffer_get_int(&m); @@ -538,9 +540,9 @@ diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c u_int len; Newkeys *newkey = NULL; Enc *enc; -diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h ---- a/openssh-6.2p2/monitor_wrap.h -+++ b/openssh-6.2p2/monitor_wrap.h +diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h +--- a/openssh-6.4p1/monitor_wrap.h ++++ b/openssh-6.4p1/monitor_wrap.h @@ -44,17 +44,18 @@ int mm_key_sign(Key *, u_char **, u_int void mm_inform_authserv(char *, char *); struct passwd *mm_getpwnamallow(const char *); diff --git a/openssh-6.2p2-audit4-kex_results.patch b/openssh-6.4p1-audit4-kex_results.patch similarity index 89% rename from openssh-6.2p2-audit4-kex_results.patch rename to openssh-6.4p1-audit4-kex_results.patch index 172894b..bb3adcd 100644 --- a/openssh-6.2p2-audit4-kex_results.patch +++ b/openssh-6.4p1-audit4-kex_results.patch @@ -5,9 +5,9 @@ # (replaces: https://bugzilla.mindrot.org/attachment.cgi?id=1976) # by jchadima@redhat.com -diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in ---- a/openssh-6.2p2/Makefile.in -+++ b/openssh-6.2p2/Makefile.in +diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in +--- a/openssh-6.4p1/Makefile.in ++++ b/openssh-6.4p1/Makefile.in @@ -68,17 +68,17 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \ compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \ @@ -27,9 +27,9 @@ 
diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ audit.o audit-bsm.o audit-linux.o platform.o \ sshpty.o sshlogin.o servconf.o serverloop.o \ -diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c ---- a/openssh-6.2p2/audit-bsm.c -+++ b/openssh-6.2p2/audit-bsm.c +diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c +--- a/openssh-6.4p1/audit-bsm.c ++++ b/openssh-6.4p1/audit-bsm.c @@ -468,9 +468,21 @@ audit_event(ssh_audit_event_t event) case SSH_AUTH_FAIL_KBDINT: bsm_audit_bad_login("interactive password entry"); @@ -52,9 +52,9 @@ diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c + /* not implemented */ +} #endif /* BSM */ -diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c ---- a/openssh-6.2p2/audit-linux.c -+++ b/openssh-6.2p2/audit-linux.c +diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c +--- a/openssh-6.4p1/audit-linux.c ++++ b/openssh-6.4p1/audit-linux.c @@ -35,16 +35,18 @@ #include "log.h" @@ -95,7 +95,7 @@ diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c + snprintf(buf, sizeof(buf), "op=unsupported-%s direction=? cipher=? ksize=? rport=%d laddr=%s lport=%d ", + name[what], get_remote_port(), (s = get_local_ipaddr(packet_get_connection_in())), + get_local_port()); -+ xfree(s); ++ free(s); + audit_fd = audit_open(); + if (audit_fd < 0) + /* no problem, the next instruction will be fatal() */ @@ -121,7 +121,7 @@ diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c + direction[ctos], enc, cipher ? 8 * cipher->key_len : 0, + (intmax_t)pid, (intmax_t)uid, + get_remote_port(), (s = get_local_ipaddr(packet_get_connection_in())), get_local_port()); -+ xfree(s); ++ free(s); + audit_fd = audit_open(); + if (audit_fd < 0) { + if (errno == EINVAL || errno == EPROTONOSUPPORT || @@ -140,9 +140,9 @@ 
diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c +} + #endif /* USE_LINUX_AUDIT */ -diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c ---- a/openssh-6.2p2/audit.c -+++ b/openssh-6.2p2/audit.c +diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c +--- a/openssh-6.4p1/audit.c ++++ b/openssh-6.4p1/audit.c @@ -23,24 +23,27 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. @@ -177,7 +177,7 @@ diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c crypto_name = key_ssh_name(key); if (audit_keyusage(host_user, crypto_name, key_size(key), fp, *rv) == 0) *rv = 0; - xfree(fp); + free(fp); } +void @@ -232,9 +232,9 @@ diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c +} # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */ -diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h ---- a/openssh-6.2p2/audit.h -+++ b/openssh-6.2p2/audit.h +diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h +--- a/openssh-6.4p1/audit.h ++++ b/openssh-6.4p1/audit.h @@ -53,10 +53,14 @@ void audit_event(ssh_audit_event_t); void audit_count_session_open(void); void audit_session_open(struct logininfo *); @@ -250,10 +250,10 @@ diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h +void audit_kex_body(int, char *, char *, char *, pid_t, uid_t); #endif /* _SSH_AUDIT_H */ -diff --git a/openssh-6.2p2/auditstub.c b/openssh-6.2p2/auditstub.c +diff --git a/openssh-6.4p1/auditstub.c b/openssh-6.4p1/auditstub.c new file mode 100644 --- /dev/null -+++ b/openssh-6.2p2/auditstub.c ++++ b/openssh-6.4p1/auditstub.c @@ -0,0 +1,39 @@ +/* $Id: auditstub.c,v 1.1 jfch Exp $ */ + 
@@ -294,10 +294,10 @@ new file mode 100644 +{ +} + -diff --git a/openssh-6.2p2/cipher.c b/openssh-6.2p2/cipher.c ---- a/openssh-6.2p2/cipher.c -+++ b/openssh-6.2p2/cipher.c -@@ -50,27 +50,17 @@ +diff --git a/openssh-6.4p1/cipher.c b/openssh-6.4p1/cipher.c +--- a/openssh-6.4p1/cipher.c ++++ b/openssh-6.4p1/cipher.c +@@ -50,29 +50,17 @@ /* compatibility with old or broken OpenSSL versions */ #include "openbsd-compat/openssl-compat.h" @@ -316,7 +316,9 @@ diff --git a/openssh-6.2p2/cipher.c b/openssh-6.2p2/cipher.c - u_int discard_len; - u_int cbc_mode; - const EVP_CIPHER *(*evptype)(void); --} ciphers[] = { +-}; +- +-static const struct Cipher ciphers[] = { +struct Cipher ciphers[] = { { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, @@ -326,9 +328,9 @@ diff --git a/openssh-6.2p2/cipher.c b/openssh-6.2p2/cipher.c { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc }, { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc }, -diff --git a/openssh-6.2p2/cipher.h b/openssh-6.2p2/cipher.h ---- a/openssh-6.2p2/cipher.h -+++ b/openssh-6.2p2/cipher.h +diff --git a/openssh-6.4p1/cipher.h b/openssh-6.4p1/cipher.h +--- a/openssh-6.4p1/cipher.h ++++ b/openssh-6.4p1/cipher.h @@ -56,17 +56,28 @@ #define SSH_CIPHER_MAX 31 @@ -355,13 +357,13 @@ diff --git a/openssh-6.2p2/cipher.h b/openssh-6.2p2/cipher.h int plaintext; int encrypt; EVP_CIPHER_CTX evp; - Cipher *cipher; + const Cipher *cipher; }; u_int cipher_mask_ssh1(int); -diff --git a/openssh-6.2p2/kex.c b/openssh-6.2p2/kex.c ---- a/openssh-6.2p2/kex.c -+++ b/openssh-6.2p2/kex.c +diff --git a/openssh-6.4p1/kex.c b/openssh-6.4p1/kex.c +--- a/openssh-6.4p1/kex.c ++++ b/openssh-6.4p1/kex.c @@ -44,16 +44,17 @@ #include "key.h" #include "kex.h" @@ -380,7 +382,7 @@ 
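Review bot: `+struct Cipher ciphers[] = {` in the rebased cipher.c hunk drops the `const` that the 6.4p1 table it replaces now carries (`-static const struct Cipher ciphers[] = {`), so the cipher table turns into a writable global only to make it visible to the audit code. If the audit code only reads the table, `+const struct Cipher ciphers[] = {` keeps it in read-only data; the matching `extern` declaration in cipher.h is outside this hunk and would need the same qualifier, as would any non-const `Cipher *` pointers the audit patch takes into it. The cipher.h hunk next to this one already moves to `const Cipher *cipher;`, which suggests the readers can accept a const table.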
diff --git a/openssh-6.2p2/kex.c b/openssh-6.2p2/kex.c extern const EVP_MD *evp_ssh_sha256(void); # endif #endif -@@ -291,53 +292,65 @@ kex_kexinit_finish(Kex *kex) +@@ -336,53 +337,65 @@ kex_kexinit_finish(Kex *kex) fatal("Unsupported key exchange %d", kex->kex_type); } } @@ -449,7 +451,7 @@ diff --git a/openssh-6.2p2/kex.c b/openssh-6.2p2/kex.c comp->type = COMP_NONE; } else { fatal("unsupported comp %s", name); -@@ -455,16 +468,19 @@ kex_choose_conf(Kex *kex) +@@ -487,16 +500,19 @@ kex_choose_conf(Kex *kex) if (authlen == 0) choose_mac(&newkeys->mac, cprop[nmac], sprop[nmac]); choose_comp(&newkeys->comp, cprop[ncomp], sprop[ncomp]); @@ -469,11 +471,10 @@ diff --git a/openssh-6.2p2/kex.c b/openssh-6.2p2/kex.c for (mode = 0; mode < MODE_MAX; mode++) { newkeys = kex->newkeys[mode]; if (need < newkeys->enc.key_len) -diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c ---- a/openssh-6.2p2/monitor.c -+++ b/openssh-6.2p2/monitor.c -@@ -92,16 +92,17 @@ - #endif +diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c +--- a/openssh-6.4p1/monitor.c ++++ b/openssh-6.4p1/monitor.c +@@ -93,16 +93,17 @@ #include "monitor_wrap.h" #include "monitor_fdpass.h" #include "misc.h" @@ -481,6 +482,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c #include "ssh2.h" #include "jpake.h" #include "roaming.h" + #include "authfd.h" +#include "audit.h" #ifdef GSSAPI @@ -490,7 +492,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c /* Imports */ extern ServerOptions options; extern u_int utmp_len; -@@ -181,16 +182,18 @@ int mm_answer_gss_accept_ctx(int, Buffer +@@ -182,16 +183,18 @@ int mm_answer_gss_accept_ctx(int, Buffer int mm_answer_gss_userok(int, Buffer *); int mm_answer_gss_checkmic(int, Buffer *); #endif @@ -509,7 +511,7 @@ 
diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ /* local state for key verify */ -@@ -232,16 +235,18 @@ struct mon_table mon_dispatch_proto20[] +@@ -233,16 +236,18 @@ struct mon_table mon_dispatch_proto20[] {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account}, {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx}, {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query}, @@ -528,7 +530,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c #ifdef SKEY {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery}, {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond}, -@@ -269,16 +274,18 @@ struct mon_table mon_dispatch_postauth20 +@@ -270,16 +275,18 @@ struct mon_table mon_dispatch_postauth20 {MONITOR_REQ_SIGN, 0, mm_answer_sign}, {MONITOR_REQ_PTY, 0, mm_answer_pty}, {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup}, @@ -547,7 +549,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey}, {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid}, -@@ -300,28 +307,32 @@ struct mon_table mon_dispatch_proto15[] +@@ -301,28 +308,32 @@ struct mon_table mon_dispatch_proto15[] {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account}, {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx}, {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query}, @@ -580,7 +582,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c /* Specifies if a certain message is allowed at the moment */ -@@ -2391,8 +2402,52 @@ mm_answer_jpake_check_confirm(int sock, +@@ -2410,8 +2421,52 @@ mm_answer_jpake_check_confirm(int sock, monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1); @@ -623,9 +625,9 @@ 
diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c + + audit_kex_body(ctos, cipher, mac, compress, pid, uid); + -+ xfree(cipher); -+ xfree(mac); -+ xfree(compress); ++ free(cipher); ++ free(mac); ++ free(compress); + buffer_clear(m); + + mm_request_send(sock, MONITOR_ANS_AUDIT_KEX, m); @@ -633,9 +635,9 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c +} + +#endif /* SSH_AUDIT_EVENTS */ -diff --git a/openssh-6.2p2/monitor.h b/openssh-6.2p2/monitor.h ---- a/openssh-6.2p2/monitor.h -+++ b/openssh-6.2p2/monitor.h +diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h +--- a/openssh-6.4p1/monitor.h ++++ b/openssh-6.4p1/monitor.h @@ -65,16 +65,18 @@ enum monitor_reqtype { MONITOR_REQ_PAM_START = 100, MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103, @@ -655,10 +657,10 @@ diff --git a/openssh-6.2p2/monitor.h b/openssh-6.2p2/monitor.h int m_recvfd; int m_sendfd; int m_log_recvfd; -diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c ---- a/openssh-6.2p2/monitor_wrap.c -+++ b/openssh-6.2p2/monitor_wrap.c -@@ -1481,8 +1481,46 @@ mm_jpake_check_confirm(const BIGNUM *k, +diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c +--- a/openssh-6.4p1/monitor_wrap.c ++++ b/openssh-6.4p1/monitor_wrap.c +@@ -1483,8 +1483,46 @@ mm_jpake_check_confirm(const BIGNUM *k, success = buffer_get_int(&m); buffer_free(&m); @@ -705,9 +707,9 @@ diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c + buffer_free(&m); +} +#endif /* SSH_AUDIT_EVENTS */ -diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h ---- a/openssh-6.2p2/monitor_wrap.h -+++ b/openssh-6.2p2/monitor_wrap.h +diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h +--- a/openssh-6.4p1/monitor_wrap.h ++++ b/openssh-6.4p1/monitor_wrap.h @@ -72,16 +72,18 @@ int mm_sshpam_respond(void *, u_int, cha void mm_sshpam_free_ctx(void *); #endif @@ -727,10 +729,10 @@ 
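Review bot: `audit_kex_body(ctos, cipher, mac, compress, pid, uid);` in mm_answer_audit_kex_body records a pid and uid that were unpacked from the request sent by the unprivileged child (monitor_wrap.c's mm_audit_kex_body does `buffer_put_int64(&m, uid);` before `mm_request_send(... MONITOR_REQ_AUDIT_KEX ...)`), and the monitor takes them on trust, so a compromised child could shape its own audit records. The monitor already knows the child's pid (`pmonitor->m_pid`) and the authenticated user, so the audit call could use those rather than the buffer values, or at least verify that they agree before logging. The cipher/mac/compress strings are likewise child-supplied and go into the audit message unvalidated, as far as this hunk shows. mm_answer_audit_kex_body begins outside this hunk.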
diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h void mm_session_pty_cleanup2(struct Session *); /* SSHv1 interfaces */ -diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c ---- a/openssh-6.2p2/sshd.c -+++ b/openssh-6.2p2/sshd.c -@@ -113,16 +113,17 @@ +diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c +--- a/openssh-6.4p1/sshd.c ++++ b/openssh-6.4p1/sshd.c +@@ -114,16 +114,17 @@ #include "session.h" #include "monitor_mm.h" #include "monitor.h" @@ -748,7 +750,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c #include int allow_severity; int deny_severity; -@@ -2236,16 +2237,20 @@ do_ssh1_kex(void) +@@ -2297,16 +2298,20 @@ do_ssh1_kex(void) packet_disconnect("Warning: client selects unsupported cipher."); /* Get check bytes from the packet. These must match those we diff --git a/openssh-6.2p2-audit5-session_key_destruction.patch b/openssh-6.4p1-audit5-session_key_destruction.patch similarity index 86% rename from openssh-6.2p2-audit5-session_key_destruction.patch rename to openssh-6.4p1-audit5-session_key_destruction.patch index 9b767c0..e8eb05a 100644 --- a/openssh-6.2p2-audit5-session_key_destruction.patch +++ b/openssh-6.4p1-audit5-session_key_destruction.patch @@ -4,9 +4,9 @@ # https://bugzilla.mindrot.org/attachment.cgi?id=2014 # by jchadima@redhat.com -diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c ---- a/openssh-6.2p2/audit-bsm.c -+++ b/openssh-6.2p2/audit-bsm.c +diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c +--- a/openssh-6.4p1/audit-bsm.c ++++ b/openssh-6.4p1/audit-bsm.c @@ -480,9 +480,15 @@ audit_unsupported_body(int what) /* not implemented */ } @@ -23,9 +23,9 @@ 
diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c + /* not implemented */ +} #endif /* BSM */ -diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c ---- a/openssh-6.2p2/audit-linux.c -+++ b/openssh-6.2p2/audit-linux.c +diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c +--- a/openssh-6.4p1/audit-linux.c ++++ b/openssh-6.4p1/audit-linux.c @@ -289,24 +289,25 @@ audit_unsupported_body(int what) /* no problem, the next instruction will be fatal() */ return; @@ -52,7 +52,7 @@ diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c direction[ctos], enc, cipher ? 8 * cipher->key_len : 0, (intmax_t)pid, (intmax_t)uid, get_remote_port(), (s = get_local_ipaddr(packet_get_connection_in())), get_local_port()); - xfree(s); + free(s); @@ -322,9 +323,37 @@ audit_kex_body(int ctos, char *enc, char buf, NULL, get_remote_ipaddr(), NULL, 1); audit_close(audit_fd); @@ -74,7 +74,7 @@ diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c + get_remote_port(), + (s = get_local_ipaddr(packet_get_connection_in())), + get_local_port()); -+ xfree(s); ++ free(s); + audit_fd = audit_open(); + if (audit_fd < 0) { + if (errno != EINVAL && errno != EPROTONOSUPPORT && @@ -91,9 +91,9 @@ diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c +} + #endif /* USE_LINUX_AUDIT */ -diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c ---- a/openssh-6.2p2/audit.c -+++ b/openssh-6.2p2/audit.c +diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c +--- a/openssh-6.4p1/audit.c ++++ b/openssh-6.4p1/audit.c @@ -138,16 +138,22 @@ audit_unsupported(int what) } @@ -138,9 +138,9 @@ 
diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c +} # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */ -diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h ---- a/openssh-6.2p2/audit.h -+++ b/openssh-6.2p2/audit.h +diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h +--- a/openssh-6.4p1/audit.h ++++ b/openssh-6.4p1/audit.h @@ -57,10 +57,12 @@ int audit_run_command(const char *); void audit_end_command(int, const char *); ssh_audit_event_t audit_classify_auth(const char *); @@ -154,9 +154,9 @@ diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h +void audit_session_key_free_body(int ctos, pid_t, uid_t); #endif /* _SSH_AUDIT_H */ -diff --git a/openssh-6.2p2/auditstub.c b/openssh-6.2p2/auditstub.c ---- a/openssh-6.2p2/auditstub.c -+++ b/openssh-6.2p2/auditstub.c +diff --git a/openssh-6.4p1/auditstub.c b/openssh-6.4p1/auditstub.c +--- a/openssh-6.4p1/auditstub.c ++++ b/openssh-6.4p1/auditstub.c @@ -22,18 +22,29 @@ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT @@ -187,10 +187,10 @@ diff --git a/openssh-6.2p2/auditstub.c b/openssh-6.2p2/auditstub.c +audit_session_key_free_body(int ctos, pid_t pid, uid_t uid) +{ +} -diff --git a/openssh-6.2p2/kex.c b/openssh-6.2p2/kex.c ---- a/openssh-6.2p2/kex.c -+++ b/openssh-6.2p2/kex.c -@@ -635,8 +635,39 @@ dump_digest(char *msg, u_char *digest, i +diff --git a/openssh-6.4p1/kex.c b/openssh-6.4p1/kex.c +--- a/openssh-6.4p1/kex.c ++++ b/openssh-6.4p1/kex.c +@@ -667,8 +667,39 @@ dump_digest(char *msg, u_char *digest, i if (i%32 == 31) fprintf(stderr, "\n"); else if (i%8 == 7) @@ -208,12 +208,12 @@ diff --git a/openssh-6.2p2/kex.c b/openssh-6.2p2/kex.c + + if (enc->key) { + memset(enc->key, 0, enc->key_len); -+ xfree(enc->key); ++ free(enc->key); + } + + if (enc->iv) { + memset(enc->iv, 0, enc->block_size); -+ xfree(enc->iv); ++ free(enc->iv); + } + + memset(enc, 0, sizeof(*enc)); 
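Review bot: In newkeys_destroy the wipe is `memset(enc->key, 0, enc->key_len); free(enc->key);` — a store immediately followed by free is dead to the compiler and may be optimized out, so the key material is not reliably cleared; the same memset-then-free pattern appears in the mac.c mac_destroy hunk and in the monitor.c mm_get_keystate and monitor_wrap.c mm_send_keystate blob hunks. Unless the tree provides a non-elidable clear, a small helper that writes through a volatile pointer should be used in all of them. Separately, the IV is cleared with `memset(enc->iv, 0, enc->block_size);` while the packet.c code this helper replaces used `enc->iv_len`; those two lengths can differ for AEAD modes, so `enc->iv_len` would match the buffer being cleared. newkeys_destroy's body continues past this hunk.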
@@ -230,10 +230,10 @@ diff --git a/openssh-6.2p2/kex.c b/openssh-6.2p2/kex.c + memset(&newkeys->comp, 0, sizeof(newkeys->comp)); +} + -diff --git a/openssh-6.2p2/kex.h b/openssh-6.2p2/kex.h ---- a/openssh-6.2p2/kex.h -+++ b/openssh-6.2p2/kex.h -@@ -153,16 +153,18 @@ Newkeys *kex_get_newkeys(int); +diff --git a/openssh-6.4p1/kex.h b/openssh-6.4p1/kex.h +--- a/openssh-6.4p1/kex.h ++++ b/openssh-6.4p1/kex.h +@@ -157,16 +157,18 @@ Newkeys *kex_get_newkeys(int); void kexdh_client(Kex *); void kexdh_server(Kex *); @@ -252,10 +252,10 @@ diff --git a/openssh-6.2p2/kex.h b/openssh-6.2p2/kex.h int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); #ifdef OPENSSL_HAS_ECC -diff --git a/openssh-6.2p2/mac.c b/openssh-6.2p2/mac.c ---- a/openssh-6.2p2/mac.c -+++ b/openssh-6.2p2/mac.c -@@ -194,16 +194,30 @@ mac_clear(Mac *mac) +diff --git a/openssh-6.4p1/mac.c b/openssh-6.4p1/mac.c +--- a/openssh-6.4p1/mac.c ++++ b/openssh-6.4p1/mac.c +@@ -219,16 +219,30 @@ mac_clear(Mac *mac) if (mac->umac_ctx != NULL) umac128_delete(mac->umac_ctx); } else if (mac->evp_md != NULL) @@ -272,7 +272,7 @@ diff --git a/openssh-6.2p2/mac.c b/openssh-6.2p2/mac.c + + if (mac->key) { + memset(mac->key, 0, mac->key_len); -+ xfree(mac->key); ++ free(mac->key); + } + + memset(mac, 0, sizeof(*mac)); @@ -286,23 +286,23 @@ 
diff --git a/openssh-6.2p2/mac.c b/openssh-6.2p2/mac.c char *maclist, *cp, *p; if (names == NULL || strcmp(names, "") == 0) -diff --git a/openssh-6.2p2/mac.h b/openssh-6.2p2/mac.h ---- a/openssh-6.2p2/mac.h -+++ b/openssh-6.2p2/mac.h -@@ -23,8 +23,9 @@ - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +diff --git a/openssh-6.4p1/mac.h b/openssh-6.4p1/mac.h +--- a/openssh-6.4p1/mac.h ++++ b/openssh-6.4p1/mac.h +@@ -24,8 +24,9 @@ */ int mac_valid(const char *); + char *mac_alg_list(void); int mac_setup(Mac *, char *); int mac_init(Mac *); u_char *mac_compute(Mac *, u_int32_t, u_char *, int); void mac_clear(Mac *); +void mac_destroy(Mac *); -diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c ---- a/openssh-6.2p2/monitor.c -+++ b/openssh-6.2p2/monitor.c -@@ -184,16 +184,17 @@ int mm_answer_gss_checkmic(int, Buffer * +diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c +--- a/openssh-6.4p1/monitor.c ++++ b/openssh-6.4p1/monitor.c +@@ -185,16 +185,17 @@ int mm_answer_gss_checkmic(int, Buffer * #endif #ifdef SSH_AUDIT_EVENTS @@ -320,7 +320,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ /* local state for key verify */ -@@ -237,16 +238,17 @@ struct mon_table mon_dispatch_proto20[] +@@ -238,16 +239,17 @@ struct mon_table mon_dispatch_proto20[] {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query}, {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, @@ -338,7 +338,7 @@ 
diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c #ifdef SKEY {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery}, {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond}, -@@ -276,16 +278,17 @@ struct mon_table mon_dispatch_postauth20 +@@ -277,16 +279,17 @@ struct mon_table mon_dispatch_postauth20 {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup}, {MONITOR_REQ_TERM, 0, mm_answer_term}, #ifdef SSH_AUDIT_EVENTS @@ -356,7 +356,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey}, {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid}, -@@ -309,30 +312,32 @@ struct mon_table mon_dispatch_proto15[] +@@ -310,30 +313,32 @@ struct mon_table mon_dispatch_proto15[] {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query}, {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, @@ -389,7 +389,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c /* Specifies if a certain message is allowed at the moment */ -@@ -1951,21 +1956,23 @@ mm_get_keystate(struct monitor *pmonitor +@@ -1970,21 +1975,23 @@ mm_get_keystate(struct monitor *pmonitor goto skip; } else { /* Get the Kex for rekeying */ @@ -399,13 +399,13 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c blob = buffer_get_string(&m, &bloblen); current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen); + memset(blob, 0, bloblen); - xfree(blob); + free(blob); debug3("%s: Waiting for second key", __func__); blob = buffer_get_string(&m, &bloblen); current_keys[MODE_IN] = mm_newkeys_from_blob(blob, bloblen); + memset(blob, 0, bloblen); - xfree(blob); + free(blob); /* Now get sequence numbers for the packets */ seqnr = buffer_get_int(&m); @@ -413,7 +413,7 @@ 
diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c packets = buffer_get_int(&m); bytes = buffer_get_int64(&m); packet_set_state(MODE_OUT, seqnr, blocks, packets, bytes); -@@ -2001,16 +2008,31 @@ mm_get_keystate(struct monitor *pmonitor +@@ -2020,16 +2027,31 @@ mm_get_keystate(struct monitor *pmonitor /* Roaming */ if (compat20) { @@ -445,9 +445,9 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c mm_zalloc(struct mm_master *mm, u_int ncount, u_int size) { size_t len = (size_t) size * ncount; -@@ -2445,9 +2467,27 @@ mm_answer_audit_kex_body(int sock, Buffe - xfree(mac); - xfree(compress); +@@ -2464,9 +2486,27 @@ mm_answer_audit_kex_body(int sock, Buffe + free(mac); + free(compress); buffer_clear(m); mm_request_send(sock, MONITOR_ANS_AUDIT_KEX, m); @@ -473,9 +473,9 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c + return 0; +} #endif /* SSH_AUDIT_EVENTS */ -diff --git a/openssh-6.2p2/monitor.h b/openssh-6.2p2/monitor.h ---- a/openssh-6.2p2/monitor.h -+++ b/openssh-6.2p2/monitor.h +diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h +--- a/openssh-6.4p1/monitor.h ++++ b/openssh-6.4p1/monitor.h @@ -67,16 +67,17 @@ enum monitor_reqtype { MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105, MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107, @@ -494,10 +494,10 @@ diff --git a/openssh-6.2p2/monitor.h b/openssh-6.2p2/monitor.h int m_recvfd; int m_sendfd; int m_log_recvfd; -diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c ---- a/openssh-6.2p2/monitor_wrap.c -+++ b/openssh-6.2p2/monitor_wrap.c -@@ -649,22 +649,24 @@ mm_send_keystate(struct monitor *monitor +diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c +--- a/openssh-6.4p1/monitor_wrap.c ++++ b/openssh-6.4p1/monitor_wrap.c +@@ -651,22 +651,24 @@ mm_send_keystate(struct monitor *monitor __func__, packet_get_newkeys(MODE_OUT), packet_get_newkeys(MODE_IN)); @@ -507,14 +507,14 @@ 
diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c buffer_put_string(&m, blob, bloblen); + memset(blob, 0, bloblen); - xfree(blob); + free(blob); if (!mm_newkeys_to_blob(MODE_IN, &blob, &bloblen)) fatal("%s: conversion of newkeys failed", __func__); buffer_put_string(&m, blob, bloblen); + memset(blob, 0, bloblen); - xfree(blob); + free(blob); packet_get_state(MODE_OUT, &seqnr, &blocks, &packets, &bytes); buffer_put_int(&m, seqnr); @@ -522,7 +522,7 @@ diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c buffer_put_int(&m, packets); buffer_put_int64(&m, bytes); packet_get_state(MODE_IN, &seqnr, &blocks, &packets, &bytes); -@@ -1518,9 +1520,24 @@ mm_audit_kex_body(int ctos, char *cipher +@@ -1520,9 +1522,24 @@ mm_audit_kex_body(int ctos, char *cipher buffer_put_int64(&m, uid); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_KEX, &m); @@ -547,9 +547,9 @@ diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c + buffer_free(&m); +} #endif /* SSH_AUDIT_EVENTS */ -diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h ---- a/openssh-6.2p2/monitor_wrap.h -+++ b/openssh-6.2p2/monitor_wrap.h +diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h +--- a/openssh-6.4p1/monitor_wrap.h ++++ b/openssh-6.4p1/monitor_wrap.h @@ -74,16 +74,17 @@ void mm_sshpam_free_ctx(void *); #ifdef SSH_AUDIT_EVENTS @@ -568,16 +568,16 @@ diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h void mm_session_pty_cleanup2(struct Session *); /* SSHv1 interfaces */ -diff --git a/openssh-6.2p2/packet.c b/openssh-6.2p2/packet.c ---- a/openssh-6.2p2/packet.c -+++ b/openssh-6.2p2/packet.c -@@ -55,16 +55,17 @@ - #include +diff --git a/openssh-6.4p1/packet.c b/openssh-6.4p1/packet.c +--- a/openssh-6.4p1/packet.c ++++ b/openssh-6.4p1/packet.c +@@ -56,16 +56,17 @@ #include #include #include #include #include + #include #include "xmalloc.h" +#include "audit.h" @@ -589,7 +589,7 @@ 
diff --git a/openssh-6.2p2/packet.c b/openssh-6.2p2/packet.c #include "channels.h" #include "compat.h" #include "ssh1.h" -@@ -463,41 +464,51 @@ packet_get_connection_in(void) +@@ -469,41 +470,51 @@ packet_get_connection_in(void) /* Returns the descriptor used for writing. */ int @@ -650,7 +650,7 @@ diff --git a/openssh-6.2p2/packet.c b/openssh-6.2p2/packet.c packet_set_protocol_flags(u_int protocol_flags) { active_state->remote_protocol_flags = protocol_flags; -@@ -722,16 +733,35 @@ packet_send1(void) +@@ -728,16 +739,35 @@ packet_send1(void) /* * Note that the packet is now only buffered in output. It won't be @@ -665,17 +665,17 @@ diff --git a/openssh-6.2p2/packet.c b/openssh-6.2p2/packet.c + if (newkeys == NULL) + return; + -+ xfree(newkeys->enc.name); ++ free(newkeys->enc.name); + + mac_clear(&newkeys->mac); + /* MAC may happen to be empty - if the GCM mode of AES is used */ + if (newkeys->mac.name) -+ xfree(newkeys->mac.name); ++ free(newkeys->mac.name); + -+ xfree(newkeys->comp.name); ++ free(newkeys->comp.name); + + newkeys_destroy(newkeys); -+ xfree(newkeys); ++ free(newkeys); +} + void @@ -686,7 +686,7 @@ diff --git a/openssh-6.2p2/packet.c b/openssh-6.2p2/packet.c Comp *comp; CipherContext *cc; u_int64_t *max_blocks; -@@ -747,31 +777,19 @@ set_newkeys(int mode) +@@ -753,31 +783,19 @@ set_newkeys(int mode) } else { cc = &active_state->receive_context; crypt_type = CIPHER_DECRYPT; @@ -704,13 +704,13 @@ 
diff --git a/openssh-6.2p2/packet.c b/openssh-6.2p2/packet.c - memset(enc->iv, 0, enc->iv_len); - memset(enc->key, 0, enc->key_len); - memset(mac->key, 0, mac->key_len); -- xfree(enc->name); -- xfree(enc->iv); -- xfree(enc->key); -- xfree(mac->name); -- xfree(mac->key); -- xfree(comp->name); -- xfree(active_state->newkeys[mode]); +- free(enc->name); +- free(enc->iv); +- free(enc->key); +- free(mac->name); +- free(mac->key); +- free(comp->name); +- free(active_state->newkeys[mode]); + newkeys_destroy_and_free(active_state->newkeys[mode]); } active_state->newkeys[mode] = kex_get_newkeys(mode); @@ -720,7 +720,7 @@ diff --git a/openssh-6.2p2/packet.c b/openssh-6.2p2/packet.c mac = &active_state->newkeys[mode]->mac; comp = &active_state->newkeys[mode]->comp; if (cipher_authlen(enc->cipher) == 0 && mac_init(mac) == 0) -@@ -1967,54 +1985,93 @@ packet_get_output(void) +@@ -1995,54 +2013,93 @@ packet_get_output(void) } void * @@ -819,15 +819,15 @@ diff --git a/openssh-6.2p2/packet.c b/openssh-6.2p2/packet.c + backup_state->connection_in = -1; + backup_state->connection_out = -1; + packet_destroy_state(backup_state); -+ xfree(backup_state); ++ free(backup_state); + backup_state = NULL; } + -diff --git a/openssh-6.2p2/packet.h b/openssh-6.2p2/packet.h ---- a/openssh-6.2p2/packet.h -+++ b/openssh-6.2p2/packet.h -@@ -118,9 +118,10 @@ int packet_need_rekeying(void); - void packet_set_rekey_limit(u_int32_t); +diff --git a/openssh-6.4p1/packet.h b/openssh-6.4p1/packet.h +--- a/openssh-6.4p1/packet.h ++++ b/openssh-6.4p1/packet.h +@@ -119,9 +119,10 @@ void packet_set_rekey_limits(u_int32_t, + time_t packet_get_rekey_timeout(void); void packet_backup_state(void); void packet_restore_state(void); @@ -837,10 +837,10 @@ 
diff --git a/openssh-6.2p2/packet.h b/openssh-6.2p2/packet.h +void packet_destroy_all(int, int); #endif /* PACKET_H */ -diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c ---- a/openssh-6.2p2/session.c -+++ b/openssh-6.2p2/session.c -@@ -1648,16 +1648,19 @@ do_child(Session *s, const char *command +diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c +--- a/openssh-6.4p1/session.c ++++ b/openssh-6.4p1/session.c +@@ -1661,16 +1661,19 @@ do_child(Session *s, const char *command int env_size; char *argv[ARGV_MAX]; const char *shell, *shell0, *hostname = NULL; @@ -860,10 +860,10 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c do_pwchange(s); exit(1); } -diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c ---- a/openssh-6.2p2/sshd.c -+++ b/openssh-6.2p2/sshd.c -@@ -695,16 +695,18 @@ privsep_preauth(Authctxt *authctxt) +diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c +--- a/openssh-6.4p1/sshd.c ++++ b/openssh-6.4p1/sshd.c +@@ -703,16 +703,18 @@ privsep_preauth(Authctxt *authctxt) setproctitle("%s", "[net]"); if (box != NULL) ssh_sandbox_child(box); @@ -882,7 +882,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c #ifdef DISABLE_FD_PASSING if (1) { #else -@@ -719,16 +721,20 @@ privsep_postauth(Authctxt *authctxt) +@@ -727,16 +729,20 @@ privsep_postauth(Authctxt *authctxt) monitor_reinit(pmonitor); pmonitor->m_pid = fork(); @@ -903,7 +903,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c /* child */ -@@ -2028,16 +2034,17 @@ main(int ac, char **av) +@@ -2089,16 +2095,17 @@ main(int ac, char **av) do_authentication(authctxt); } /* @@ -921,7 +921,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c * Cancel the alarm we set to limit the time taken for * authentication. */ -@@ -2080,16 +2087,18 @@ main(int ac, char **av) +@@ -2141,16 +2148,18 @@ main(int ac, char **av) packet_set_timeout(options.client_alive_interval, options.client_alive_count_max); @@ -940,7 +940,7 @@ 
diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c verbose("Closing connection to %.500s port %d", remote_ip, remote_port); #ifdef USE_PAM -@@ -2397,26 +2406,38 @@ do_ssh2_kex(void) +@@ -2480,26 +2489,38 @@ do_ssh2_kex(void) #endif debug("KEX done"); } diff --git a/openssh-6.2p2-audit6-server_key_destruction.patch b/openssh-6.4p1-audit6-server_key_destruction.patch similarity index 89% rename from openssh-6.2p2-audit6-server_key_destruction.patch rename to openssh-6.4p1-audit6-server_key_destruction.patch index 26e1bba..09d9742 100644 --- a/openssh-6.2p2-audit6-server_key_destruction.patch +++ b/openssh-6.4p1-audit6-server_key_destruction.patch @@ -4,9 +4,9 @@ # https://bugzilla.mindrot.org/attachment.cgi?id=2015 # by jchadima@redhat.com -diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c ---- a/openssh-6.2p2/audit-bsm.c -+++ b/openssh-6.2p2/audit-bsm.c +diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c +--- a/openssh-6.4p1/audit-bsm.c ++++ b/openssh-6.4p1/audit-bsm.c @@ -486,9 +486,27 @@ audit_kex_body(int ctos, char *enc, char /* not implemented */ } @@ -35,9 +35,9 @@ diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c + /* not implemented */ +} #endif /* BSM */ -diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c ---- a/openssh-6.2p2/audit-linux.c -+++ b/openssh-6.2p2/audit-linux.c +diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c +--- a/openssh-6.4p1/audit-linux.c ++++ b/openssh-6.4p1/audit-linux.c @@ -351,9 +351,55 @@ audit_session_key_free_body(int ctos, pi audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER, buf, NULL, get_remote_ipaddr(), NULL, 1); @@ -94,9 +94,9 @@ 
diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c + error("cannot write into audit"); +} #endif /* USE_LINUX_AUDIT */ -diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c ---- a/openssh-6.2p2/audit.c -+++ b/openssh-6.2p2/audit.c +diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c +--- a/openssh-6.4p1/audit.c ++++ b/openssh-6.4p1/audit.c @@ -285,10 +285,29 @@ audit_kex_body(int ctos, char *enc, char * This will be called on succesfull session key discard */ @@ -127,9 +127,9 @@ diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c +} # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */ -diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h ---- a/openssh-6.2p2/audit.h -+++ b/openssh-6.2p2/audit.h +diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h +--- a/openssh-6.4p1/audit.h ++++ b/openssh-6.4p1/audit.h @@ -43,26 +43,30 @@ enum ssh_audit_event_type { SSH_INVALID_USER, SSH_NOLOGIN, /* denied by /etc/nologin, not implemented */ @@ -161,10 +161,10 @@ diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h +void audit_generate_ephemeral_server_key(const char *); #endif /* _SSH_AUDIT_H */ -diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c ---- a/openssh-6.2p2/key.c -+++ b/openssh-6.2p2/key.c -@@ -1841,16 +1841,40 @@ key_demote(const Key *k) +diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c +--- a/openssh-6.4p1/key.c ++++ b/openssh-6.4p1/key.c +@@ -1805,16 +1805,40 @@ key_demote(const Key *k) fatal("key_free: bad key type %d", k->type); break; } @@ -205,9 +205,9 @@ diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c case KEY_RSA_CERT_V00: case KEY_DSA_CERT_V00: case KEY_RSA_CERT: -diff --git a/openssh-6.2p2/key.h b/openssh-6.2p2/key.h ---- a/openssh-6.2p2/key.h -+++ b/openssh-6.2p2/key.h +diff --git a/openssh-6.4p1/key.h b/openssh-6.4p1/key.h +--- a/openssh-6.4p1/key.h ++++ b/openssh-6.4p1/key.h 
@@ -106,16 +106,17 @@ int key_read(Key *, char **); u_int key_size(const Key *); enum fp_type key_fp_type_select(void); @@ -226,10 +226,10 @@ diff --git a/openssh-6.2p2/key.h b/openssh-6.2p2/key.h int key_cert_check_authority(const Key *, int, int, const char *, const char **); int key_cert_is_legacy(const Key *); -diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c ---- a/openssh-6.2p2/monitor.c -+++ b/openssh-6.2p2/monitor.c -@@ -109,16 +109,18 @@ extern u_int utmp_len; +diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c +--- a/openssh-6.4p1/monitor.c ++++ b/openssh-6.4p1/monitor.c +@@ -110,16 +110,18 @@ extern u_int utmp_len; extern Newkeys *current_keys[]; extern z_stream incoming_stream; extern z_stream outgoing_stream; @@ -248,7 +248,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c u_char *keyin; u_int keyinlen; u_char *keyout; -@@ -185,16 +187,17 @@ int mm_answer_gss_checkmic(int, Buffer * +@@ -186,16 +188,17 @@ int mm_answer_gss_checkmic(int, Buffer * #ifdef SSH_AUDIT_EVENTS int mm_answer_audit_event(int, Buffer *); @@ -266,7 +266,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ /* local state for key verify */ -@@ -239,16 +242,17 @@ struct mon_table mon_dispatch_proto20[] +@@ -240,16 +243,17 @@ struct mon_table mon_dispatch_proto20[] {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, #endif @@ -284,7 +284,7 @@ 
diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c #ifdef SKEY {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery}, {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond}, -@@ -279,16 +283,17 @@ struct mon_table mon_dispatch_postauth20 +@@ -280,16 +284,17 @@ struct mon_table mon_dispatch_postauth20 {MONITOR_REQ_TERM, 0, mm_answer_term}, #ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, @@ -302,7 +302,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey}, {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid}, -@@ -313,31 +318,33 @@ struct mon_table mon_dispatch_proto15[] +@@ -314,31 +319,33 @@ struct mon_table mon_dispatch_proto15[] {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, #endif @@ -336,7 +336,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c /* Specifies if a certain message is allowed at the moment */ -@@ -1746,16 +1753,18 @@ mm_answer_term(int sock, Buffer *req) +@@ -1761,16 +1768,18 @@ mm_answer_term(int sock, Buffer *req) /* The child is terminating */ session_destroy_all(&mm_session_close); @@ -355,7 +355,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c /* Terminate process */ exit(res); -@@ -2485,9 +2494,30 @@ mm_answer_audit_session_key_free_body(in +@@ -2504,9 +2513,30 @@ mm_answer_audit_session_key_free_body(in audit_session_key_free_body(ctos, pid, uid); @@ -379,16 +379,16 @@ 
diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c + + audit_destroy_sensitive_data(fp, pid, uid); + -+ xfree(fp); ++ free(fp); + buffer_clear(m); + + mm_request_send(sock, MONITOR_ANS_AUDIT_SERVER_KEY_FREE, m); + return 0; +} #endif /* SSH_AUDIT_EVENTS */ -diff --git a/openssh-6.2p2/monitor.h b/openssh-6.2p2/monitor.h ---- a/openssh-6.2p2/monitor.h -+++ b/openssh-6.2p2/monitor.h +diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h +--- a/openssh-6.4p1/monitor.h ++++ b/openssh-6.4p1/monitor.h @@ -68,16 +68,17 @@ enum monitor_reqtype { MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107, MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109, @@ -407,10 +407,10 @@ diff --git a/openssh-6.2p2/monitor.h b/openssh-6.2p2/monitor.h int m_recvfd; int m_sendfd; int m_log_recvfd; -diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c ---- a/openssh-6.2p2/monitor_wrap.c -+++ b/openssh-6.2p2/monitor_wrap.c -@@ -1535,9 +1535,25 @@ mm_audit_session_key_free_body(int ctos, +diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c +--- a/openssh-6.4p1/monitor_wrap.c ++++ b/openssh-6.4p1/monitor_wrap.c +@@ -1537,9 +1537,25 @@ mm_audit_session_key_free_body(int ctos, buffer_put_int(&m, ctos); buffer_put_int64(&m, pid); buffer_put_int64(&m, uid); @@ -436,9 +436,9 @@ diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c + buffer_free(&m); +} #endif /* SSH_AUDIT_EVENTS */ -diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h ---- a/openssh-6.2p2/monitor_wrap.h -+++ b/openssh-6.2p2/monitor_wrap.h +diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h +--- a/openssh-6.4p1/monitor_wrap.h ++++ b/openssh-6.4p1/monitor_wrap.h @@ -75,16 +75,17 @@ void mm_sshpam_free_ctx(void *); #ifdef SSH_AUDIT_EVENTS #include "audit.h" @@ -457,10 +457,10 @@ 
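Review bot: In `mm_answer_audit_server_key_free`, the `fp`, `pid` and `uid` passed to `audit_destroy_sensitive_data(fp, pid, uid)` and then released with `free(fp)` are presumably unpacked from the request buffer `m` above this hunk, which means they originate in the unprivileged privsep child; a compromised child could then have the privileged monitor write a server-key-destruction audit record with an arbitrary fingerprint string and arbitrary pid/uid. The monitor is the trust boundary for the audit trail, so it should at least bound the length of `fp` and reject non-printable bytes before the string reaches the audit log, and it could take the pid from state it already holds (`pmonitor->m_pid` is used in `cleanup_exit` in this same patch) instead of trusting the message. The start of the handler, including the `buffer_get_*` calls and the dispatch-table entry that says whether this request is permitted pre-auth, is outside this hunk, so confirm both there. Only the `xfree`→`free` rename is new in this rebase.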
diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h void mm_session_pty_cleanup2(struct Session *); /* SSHv1 interfaces */ -diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c ---- a/openssh-6.2p2/session.c -+++ b/openssh-6.2p2/session.c -@@ -131,17 +131,17 @@ static int session_pty_req(Session *); +diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c +--- a/openssh-6.4p1/session.c ++++ b/openssh-6.4p1/session.c +@@ -132,17 +132,17 @@ static int session_pty_req(Session *); /* import */ extern ServerOptions options; @@ -479,7 +479,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c /* data */ static int sessions_first_unused = -1; static int sessions_nalloc = 0; -@@ -1647,17 +1647,17 @@ do_child(Session *s, const char *command +@@ -1660,17 +1660,17 @@ do_child(Session *s, const char *command char **env; int env_size; char *argv[ARGV_MAX]; @@ -498,10 +498,10 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c if (s->authctxt->force_pwchange) { do_setusercontext(pw); child_close_fds(); -diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c ---- a/openssh-6.2p2/sshd.c -+++ b/openssh-6.2p2/sshd.c -@@ -250,17 +250,17 @@ Buffer cfg; +diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c +--- a/openssh-6.4p1/sshd.c ++++ b/openssh-6.4p1/sshd.c +@@ -256,17 +256,17 @@ Buffer cfg; /* message to be displayed after login */ Buffer loginmsg; @@ -520,7 +520,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c /* * Close all listening sockets */ -@@ -269,16 +269,25 @@ close_listen_socks(void) +@@ -275,16 +275,25 @@ close_listen_socks(void) { int i; @@ -546,7 +546,7 @@ 
diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c if (startup_pipes) for (i = 0; i < options.max_startups; i++) if (startup_pipes[i] != -1) -@@ -541,60 +550,99 @@ sshd_exchange_identification(int sock_in +@@ -547,60 +556,99 @@ sshd_exchange_identification(int sock_in close(sock_out); logit("Protocol major versions differ for %s: %.200s vs. %.200s", get_remote_ipaddr(), @@ -592,7 +592,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c + else + audit_destroy_sensitive_data(fp, + pid, uid); -+ xfree(fp); ++ free(fp); + } } - if (sensitive_data.host_certificates[i]) { @@ -639,7 +639,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c sensitive_data.ssh1_host_key = tmp; + if (fp != NULL) { + audit_destroy_sensitive_data(fp, pid, uid); -+ xfree(fp); ++ free(fp); + } } /* Certs do not need demotion */ @@ -649,7 +649,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c } static void -@@ -1154,16 +1202,17 @@ server_accept_loop(int *sock_in, int *so +@@ -1179,16 +1227,17 @@ server_accept_loop(int *sock_in, int *so /* Wait in select until there is a connection. */ ret = select(maxfd+1, fdset, NULL, NULL, NULL); @@ -667,7 +667,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c generate_ephemeral_server_key(); key_used = 0; key_do_regen = 0; -@@ -2077,27 +2126,28 @@ main(int ac, char **av) +@@ -2138,27 +2187,28 @@ main(int ac, char **av) /* * In privilege separation, we fork another child and prepare * file descriptor passing. @@ -697,11 +697,11 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c verbose("Closing connection to %.500s port %d", remote_ip, remote_port); -@@ -2316,17 +2366,17 @@ do_ssh1_kex(void) +@@ -2377,17 +2427,17 @@ do_ssh1_kex(void) MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH); MD5_Final(session_key + 16, &md); memset(buf, 0, bytes); - xfree(buf); + free(buf); for (i = 0; i < 16; i++) session_id[i] = session_key[i] ^ session_key[i + 16]; } @@ -716,7 +716,7 @@ 
diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c BN_clear_free(session_key_int); /* Set the session key. From this on all communications will be encrypted. */ -@@ -2427,16 +2477,18 @@ cleanup_exit(int i) +@@ -2510,16 +2560,18 @@ cleanup_exit(int i) debug("Killing privsep child %d", pmonitor->m_pid); if (kill(pmonitor->m_pid, SIGKILL) != 0 && errno != ESRCH) diff --git a/openssh-6.2p2-audit7-libaudit_compat.patch b/openssh-6.4p1-audit7-libaudit_compat.patch similarity index 92% rename from openssh-6.2p2-audit7-libaudit_compat.patch rename to openssh-6.4p1-audit7-libaudit_compat.patch index 4def265..1924510 100644 --- a/openssh-6.2p2-audit7-libaudit_compat.patch +++ b/openssh-6.4p1-audit7-libaudit_compat.patch @@ -1,8 +1,8 @@ # definitions for AUDIT_CRYPTO_* symbols fom libaudit 2.x -diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c ---- a/openssh-6.2p2/audit-linux.c -+++ b/openssh-6.2p2/audit-linux.c +diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c +--- a/openssh-6.4p1/audit-linux.c ++++ b/openssh-6.4p1/audit-linux.c @@ -25,16 +25,17 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * @@ -21,10 +21,10 @@ diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c #include "key.h" #include "hostfile.h" #include "auth.h" -diff --git a/openssh-6.2p2/compat-libaudit.h b/openssh-6.2p2/compat-libaudit.h +diff --git a/openssh-6.4p1/compat-libaudit.h b/openssh-6.4p1/compat-libaudit.h new file mode 100644 --- /dev/null -+++ b/openssh-6.2p2/compat-libaudit.h ++++ b/openssh-6.4p1/compat-libaudit.h @@ -0,0 +1,79 @@ +/* AUDIT_CRYPTO symbol definitions from libaudit 2.x */ +/* libaudit.h -- diff --git a/openssh-6.2p2-audit8-libaudit_dns_timeouts.patch b/openssh-6.4p1-audit8-libaudit_dns_timeouts.patch similarity index 92% rename from openssh-6.2p2-audit8-libaudit_dns_timeouts.patch rename to openssh-6.4p1-audit8-libaudit_dns_timeouts.patch index 8e7f191..ad92f62 100644 
--- a/openssh-6.2p2-audit8-libaudit_dns_timeouts.patch +++ b/openssh-6.4p1-audit8-libaudit_dns_timeouts.patch @@ -4,9 +4,9 @@ # Note that this particular solution causes the logs to always contain # "hostname=?, addr=?" when DNS lookups are disabled. -diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c ---- a/openssh-6.2p2/audit-linux.c -+++ b/openssh-6.2p2/audit-linux.c +diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c +--- a/openssh-6.4p1/audit-linux.c ++++ b/openssh-6.4p1/audit-linux.c @@ -62,17 +62,17 @@ linux_audit_user_logxxx(int uid, const c if (errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT) diff --git a/openssh-6.2p2-blocksigalrm.patch b/openssh-6.4p1-blocksigalrm.patch similarity index 83% rename from openssh-6.2p2-blocksigalrm.patch rename to openssh-6.4p1-blocksigalrm.patch index c709009..2556adc 100644 --- a/openssh-6.2p2-blocksigalrm.patch +++ b/openssh-6.4p1-blocksigalrm.patch @@ -2,10 +2,10 @@ # grace_alarm_handler) # bnc#57354 -diff --git a/openssh-6.2p2/log.c b/openssh-6.2p2/log.c ---- a/openssh-6.2p2/log.c -+++ b/openssh-6.2p2/log.c -@@ -46,16 +46,17 @@ +diff --git a/openssh-6.4p1/log.c b/openssh-6.4p1/log.c +--- a/openssh-6.4p1/log.c ++++ b/openssh-6.4p1/log.c +@@ -47,16 +47,17 @@ #include #include #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS) @@ -18,12 +18,12 @@ diff --git a/openssh-6.2p2/log.c b/openssh-6.2p2/log.c static LogLevel log_level = SYSLOG_LEVEL_INFO; static int log_on_stderr = 1; + static int log_stderr_fd = STDERR_FILENO; static int log_facility = LOG_AUTH; static char *argv0; static log_handler_fn *log_handler; static void *log_handler_ctx; - -@@ -368,16 +369,17 @@ do_log(LogLevel level, const char *fmt, +@@ -384,16 +385,17 @@ do_log(LogLevel level, const char *fmt, { #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) struct syslog_data sdata = SYSLOG_DATA_INIT; @@ -41,14 +41,14 @@ 
diff --git a/openssh-6.2p2/log.c b/openssh-6.2p2/log.c switch (level) { case SYSLOG_LEVEL_FATAL: -@@ -426,20 +428,29 @@ do_log(LogLevel level, const char *fmt, +@@ -442,20 +444,29 @@ do_log(LogLevel level, const char *fmt, tmp_handler = log_handler; log_handler = NULL; tmp_handler(level, fmtbuf, log_handler_ctx); log_handler = tmp_handler; } else if (log_on_stderr) { snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf); - write(STDERR_FILENO, msgbuf, strlen(msgbuf)); + (void)write(log_stderr_fd, msgbuf, strlen(msgbuf)); } else { + /* Prevent a race between the grace_alarm + * which writes a log message and terminates diff --git a/openssh-6.2p2-default-protocol.patch b/openssh-6.4p1-default-protocol.patch similarity index 83% rename from openssh-6.2p2-default-protocol.patch rename to openssh-6.4p1-default-protocol.patch index 6d2d2b8..e71fabf 100644 --- a/openssh-6.2p2-default-protocol.patch +++ b/openssh-6.4p1-default-protocol.patch @@ -1,8 +1,8 @@ # only enable SSHv2 protocol by default (upstream default is fallback to v1) -diff --git a/openssh-6.2p2/ssh_config b/openssh-6.2p2/ssh_config ---- a/openssh-6.2p2/ssh_config -+++ b/openssh-6.2p2/ssh_config +diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config +--- a/openssh-6.4p1/ssh_config ++++ b/openssh-6.4p1/ssh_config @@ -41,17 +41,17 @@ ForwardX11Trusted yes # CheckHostIP yes # AddressFamily any diff --git a/openssh-6.2p2-disable-openssl-abi-check.patch b/openssh-6.4p1-disable-openssl-abi-check.patch similarity index 89% rename from openssh-6.2p2-disable-openssl-abi-check.patch rename to openssh-6.4p1-disable-openssl-abi-check.patch index 3f382ff..23288a5 100644 --- a/openssh-6.2p2-disable-openssl-abi-check.patch +++ b/openssh-6.4p1-disable-openssl-abi-check.patch 
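Review bot: The SIGALRM blocking this patch adds to `do_log` (its comment opens with `/* Prevent a race between the grace_alarm` and continues past the end of this hunk) covers only the syslog branch, while the rebased context shows 6.4p1 now writing the `log_on_stderr` branch through `(void)write(log_stderr_fd, ...)` for the new `-E` log-file option. That asymmetry is correct only because write(2) is async-signal-safe and syslog(3) is not, assuming `grace_alarm_handler` logs through this same function; nothing in the hunk says so, and a future rebase could plausibly "fix" it by wrapping the write as well or by dropping the block once syslog is no longer the default sink. I would extend the comment with one line: `* Only the syslog() path needs this; the stderr/-E path uses write(2), which is async-signal-safe, so the alarm handler cannot deadlock it.` The body of `do_log` starts before and ends after this hunk.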
@@ -2,9 +2,9 @@ # reliable indicator of ABI changes and doesn't make much sense in a # distribution package -diff --git a/openssh-6.2p2/entropy.c b/openssh-6.2p2/entropy.c ---- a/openssh-6.2p2/entropy.c -+++ b/openssh-6.2p2/entropy.c +diff --git a/openssh-6.4p1/entropy.c b/openssh-6.4p1/entropy.c +--- a/openssh-6.4p1/entropy.c ++++ b/openssh-6.4p1/entropy.c @@ -212,22 +212,23 @@ seed_rng(void) #endif /* diff --git a/openssh-6.2p2-eal3.patch b/openssh-6.4p1-eal3.patch similarity index 82% rename from openssh-6.2p2-eal3.patch rename to openssh-6.4p1-eal3.patch index 77501c9..22b8d8c 100644 --- a/openssh-6.2p2-eal3.patch +++ b/openssh-6.4p1-eal3.patch @@ -1,9 +1,9 @@ # fix paths and references in sshd man pages -diff --git a/openssh-6.2p2/sshd.8 b/openssh-6.2p2/sshd.8 ---- a/openssh-6.2p2/sshd.8 -+++ b/openssh-6.2p2/sshd.8 -@@ -871,17 +871,17 @@ See +diff --git a/openssh-6.4p1/sshd.8 b/openssh-6.4p1/sshd.8 +--- a/openssh-6.4p1/sshd.8 ++++ b/openssh-6.4p1/sshd.8 +@@ -872,17 +872,17 @@ See If this file exists, .Nm refuses to let anyone except root log in. @@ -22,7 +22,7 @@ diff --git a/openssh-6.2p2/sshd.8 b/openssh-6.2p2/sshd.8 .It Pa /etc/ssh/ssh_host_key .It Pa /etc/ssh/ssh_host_dsa_key .It Pa /etc/ssh/ssh_host_ecdsa_key -@@ -950,17 +950,17 @@ The content of this file is not sensitiv +@@ -951,17 +951,17 @@ The content of this file is not sensitiv .Xr sftp 1 , .Xr ssh 1 , .Xr ssh-add 1 , @@ -41,10 +41,10 @@ 
diff --git a/openssh-6.2p2/sshd.8 b/openssh-6.2p2/sshd.8 OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, -diff --git a/openssh-6.2p2/sshd_config.5 b/openssh-6.2p2/sshd_config.5 ---- a/openssh-6.2p2/sshd_config.5 -+++ b/openssh-6.2p2/sshd_config.5 -@@ -271,18 +271,17 @@ The contents of the specified file are s +diff --git a/openssh-6.4p1/sshd_config.5 b/openssh-6.4p1/sshd_config.5 +--- a/openssh-6.4p1/sshd_config.5 ++++ b/openssh-6.4p1/sshd_config.5 +@@ -278,18 +278,17 @@ The contents of the specified file are s authentication is allowed. If the argument is .Dq none @@ -64,7 +64,7 @@ diff --git a/openssh-6.2p2/sshd_config.5 b/openssh-6.2p2/sshd_config.5 to after authentication. All components of the pathname must be root-owned directories that are not writable by any other user or group. -@@ -550,17 +549,17 @@ and +@@ -565,17 +564,17 @@ and .Pa .shosts files will not be used in .Cm RhostsRSAAuthentication diff --git a/openssh-6.2p2-fingerprint_hash.patch b/openssh-6.4p1-fingerprint_hash.patch similarity index 76% rename from openssh-6.2p2-fingerprint_hash.patch rename to openssh-6.4p1-fingerprint_hash.patch index 57e4dad..392a403 100644 --- a/openssh-6.2p2-fingerprint_hash.patch +++ b/openssh-6.4p1-fingerprint_hash.patch 
@@ -1,36 +1,36 @@ # HG changeset patch -# Parent 2e71c896d924778e46e68e0c9be9a8b13e428f2f +# Parent d41afe56fd49d0a9669738b1f4d53ddae0cb195a # select fingerprint hash algorithms based on the environment variable # SSH_FP_TYPE_ENVVAR and append it to hex and randomart fingerprints # Petr Cerny -diff --git a/openssh-6.2p2/auth-rsa.c b/openssh-6.2p2/auth-rsa.c ---- a/openssh-6.2p2/auth-rsa.c -+++ b/openssh-6.2p2/auth-rsa.c -@@ -323,17 +323,17 @@ auth_rsa(Authctxt *authctxt, BIGNUM *cli - return (0); - } - /* - * Correct response. The client has been successfully - * authenticated. Note that we have not yet processed the - * options; this will be reset if the options cause the - * authentication to be rejected. - */ -- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); -+ fp = key_fingerprint(key, key_fp_type_select(), SSH_FP_HEX); - verbose("Found matching %s key: %s", - key_type(key), fp); - xfree(fp); - key_free(key); +diff --git a/openssh-6.4p1/auth-rsa.c b/openssh-6.4p1/auth-rsa.c +--- a/openssh-6.4p1/auth-rsa.c ++++ b/openssh-6.4p1/auth-rsa.c +@@ -226,17 +226,17 @@ rsa_key_allowed_in_file(struct passwd *p - packet_send_debug("RSA authentication accepted."); - return (1); - } -diff --git a/openssh-6.2p2/auth.c b/openssh-6.2p2/auth.c ---- a/openssh-6.2p2/auth.c -+++ b/openssh-6.2p2/auth.c -@@ -658,17 +658,17 @@ auth_key_is_revoked(Key *key) + /* check the real bits */ + keybits = BN_num_bits(key->rsa->n); + if (keybits < 0 || bits != keybits) + logit("Warning: %s, line %lu: keysize mismatch: " + "actual %d vs. 
announced %d.", + file, linenum, BN_num_bits(key->rsa->n), bits); + +- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); ++ fp = key_fingerprint(key, key_fp_type_select(), SSH_FP_HEX); + debug("matching key found: file %s, line %lu %s %s", + file, linenum, key_type(key), fp); + free(fp); + + /* Never accept a revoked key */ + if (auth_key_is_revoked(key)) + break; + +diff --git a/openssh-6.4p1/auth.c b/openssh-6.4p1/auth.c +--- a/openssh-6.4p1/auth.c ++++ b/openssh-6.4p1/auth.c +@@ -680,17 +680,17 @@ auth_key_is_revoked(Key *key) case -1: /* Error opening revoked_keys_file: refuse all keys */ error("Revoked keys file is unreadable: refusing public key " @@ -43,16 +43,16 @@ diff --git a/openssh-6.2p2/auth.c b/openssh-6.2p2/auth.c + key_fp = key_fingerprint(key, key_fp_type_select(), SSH_FP_HEX); error("WARNING: authentication attempt with a revoked " "%s key %s ", key_type(key), key_fp); - xfree(key_fp); + free(key_fp); return 1; } fatal("key_in_file returned junk"); } -diff --git a/openssh-6.2p2/auth2-hostbased.c b/openssh-6.2p2/auth2-hostbased.c ---- a/openssh-6.2p2/auth2-hostbased.c -+++ b/openssh-6.2p2/auth2-hostbased.c -@@ -192,23 +192,23 @@ hostbased_key_allowed(struct passwd *pw, +diff --git a/openssh-6.4p1/auth2-hostbased.c b/openssh-6.4p1/auth2-hostbased.c +--- a/openssh-6.4p1/auth2-hostbased.c ++++ b/openssh-6.4p1/auth2-hostbased.c +@@ -196,23 +196,23 @@ hostbased_key_allowed(struct passwd *pw, _PATH_SSH_SYSTEM_HOSTFILE2, options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE2); @@ -73,15 +73,43 @@ 
diff --git a/openssh-6.2p2/auth2-hostbased.c b/openssh-6.2p2/auth2-hostbased.c verbose("Accepted %s public key %s from %s@%s", key_type(key), fp, cuser, lookup); } - xfree(fp); + free(fp); } return (host_status == HOST_OK); } -diff --git a/openssh-6.2p2/auth2-pubkey.c b/openssh-6.2p2/auth2-pubkey.c ---- a/openssh-6.2p2/auth2-pubkey.c -+++ b/openssh-6.2p2/auth2-pubkey.c -@@ -312,17 +312,17 @@ check_authkeys_file(FILE *f, char *file, +diff --git a/openssh-6.4p1/auth2-pubkey.c b/openssh-6.4p1/auth2-pubkey.c +--- a/openssh-6.4p1/auth2-pubkey.c ++++ b/openssh-6.4p1/auth2-pubkey.c +@@ -202,25 +202,25 @@ pubkey_auth_info(Authctxt *authctxt, con + i = vasprintf(&extra, fmt, ap); + va_end(ap); + if (i < 0 || extra == NULL) + fatal("%s: vasprintf failed", __func__); + } + + if (key_is_cert(key)) { + fp = key_fingerprint(key->cert->signature_key, +- SSH_FP_MD5, SSH_FP_HEX); ++ key_fp_type_select(), SSH_FP_HEX); + auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s", + key_type(key), key->cert->key_id, + (unsigned long long)key->cert->serial, + key_type(key->cert->signature_key), fp, + extra == NULL ? "" : ", ", extra == NULL ? "" : extra); + free(fp); + } else { +- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); ++ fp = key_fingerprint(key, key_fp_type_select(), SSH_FP_HEX); + auth_info(authctxt, "%s %s%s%s", key_type(key), fp, + extra == NULL ? "" : ", ", extra == NULL ? "" : extra); + free(fp); + } + free(extra); + } + + static int +@@ -354,17 +354,17 @@ check_authkeys_file(FILE *f, char *file, if (key_is_cert(key)) { if (!key_equal(found, key->cert->signature_key)) continue; @@ -100,26 +128,26 @@ 
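Review bot: The `pubkey_auth_info` hunk that this rebase adds makes the fingerprint in sshd's `auth_info()` records — the primary `Accepted publickey`/certificate authentication log line — come from `key_fp_type_select()`, which per the patch header picks the hash from the `SSH_FP_TYPE_ENVVAR` environment variable, so the format of that log line now depends on the daemon's environment. Log-parsing, alerting and key-inventory matching rules need to know that both the MD5 and SHA256 forms (the two values `enum fp_type` carries in key.h) can presumably appear, and that the variable is read from sshd's own environment, not from anything the client sends; the header says the algorithm name is appended to the fingerprint, which helps, but nothing server-side documents it. I would add a comment at the first `key_fp_type_select()` call in `pubkey_auth_info`: `/* hash chosen from sshd's environment (SSH_FP_TYPE_ENVVAR), not client-controlled; log consumers must accept either MD5 or SHA256 fingerprints */`, and mirror it in sshd_config.5. `key_fp_type_select()` itself is defined in key.c outside this hunk, so how it handles an unset or malformed value is something to confirm there.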
diff --git a/openssh-6.2p2/auth2-pubkey.c b/openssh-6.2p2/auth2-pubkey.c * a key option, then prefer that list to matching * their username in the certificate principals list. */ -@@ -355,17 +355,17 @@ check_authkeys_file(FILE *f, char *file, +@@ -395,17 +395,17 @@ check_authkeys_file(FILE *f, char *file, + break; + } else if (key_equal(found, key)) { if (auth_parse_options(pw, key_options, file, linenum) != 1) continue; if (key_is_cert_authority) continue; found_key = 1; - debug("matching key found: file %s, line %lu", - file, linenum); - fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); + fp = key_fingerprint(found, key_fp_type_select(), SSH_FP_HEX); - verbose("Found matching %s key: %s", - key_type(found), fp); - xfree(fp); + debug("matching key found: file %s, line %lu %s %s", + file, linenum, key_type(found), fp); + free(fp); break; } } - key_free(found); - if (!found_key) -@@ -380,17 +380,17 @@ user_cert_trusted_ca(struct passwd *pw, + if (found != NULL) + key_free(found); +@@ -421,17 +421,17 @@ user_cert_trusted_ca(struct passwd *pw, char *ca_fp, *principals_file = NULL; const char *reason; int ret = 0; @@ -138,11 +166,11 @@ diff --git a/openssh-6.2p2/auth2-pubkey.c b/openssh-6.2p2/auth2-pubkey.c options.trusted_user_ca_keys); goto out; } -diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c ---- a/openssh-6.2p2/key.c -+++ b/openssh-6.2p2/key.c -@@ -391,30 +391,38 @@ key_fingerprint_raw(const Key *k, enum f - xfree(blob); +diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c +--- a/openssh-6.4p1/key.c ++++ b/openssh-6.4p1/key.c +@@ -390,30 +390,38 @@ key_fingerprint_raw(const Key *k, enum f + free(blob); } else { fatal("key_fingerprint_raw: blob is null"); } @@ -183,7 +211,7 @@ 
diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c { char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', -@@ -489,17 +497,18 @@ key_fingerprint_bubblebabble(u_char *dgs +@@ -488,17 +496,18 @@ key_fingerprint_bubblebabble(u_char *dgs * can be in the exact middle of the picture, and FLDBASE should be >=8 . * Else pictures would be too dense, and drawing the frame would * fail, too, because the key type would not fit in anymore. @@ -203,7 +231,7 @@ diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c char *augmentation_string = " .o+=*BOX@%&#/^SE"; char *retval, *p; u_char field[FLDSIZE_X][FLDSIZE_Y]; -@@ -556,18 +565,19 @@ key_fingerprint_randomart(u_char *dgst_r +@@ -555,18 +564,19 @@ key_fingerprint_randomart(u_char *dgst_r *p++ = '|'; for (x = 0; x < FLDSIZE_X; x++) *p++ = augmentation_string[MIN(field[x][y], len)]; @@ -224,8 +252,8 @@ diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c } char * - key_fingerprint(Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep) -@@ -576,34 +586,91 @@ key_fingerprint(Key *k, enum fp_type dgs + key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep) +@@ -575,34 +585,91 @@ key_fingerprint(const Key *k, enum fp_ty u_char *dgst_raw; u_int dgst_raw_len; @@ -250,7 +278,7 @@ diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c break; } memset(dgst_raw, 0, dgst_raw_len); - xfree(dgst_raw); + free(dgst_raw); return retval; } @@ -319,9 +347,9 @@ diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c * the buffer containing the number. */ static int -diff --git a/openssh-6.2p2/key.h b/openssh-6.2p2/key.h ---- a/openssh-6.2p2/key.h -+++ b/openssh-6.2p2/key.h +diff --git a/openssh-6.4p1/key.h b/openssh-6.4p1/key.h +--- a/openssh-6.4p1/key.h ++++ b/openssh-6.4p1/key.h @@ -51,16 +51,18 @@ enum fp_type { SSH_FP_MD5, SSH_FP_SHA256 @@ -343,7 +371,7 @@ 
diff --git a/openssh-6.2p2/key.h b/openssh-6.2p2/key.h u_int type; /* SSH2_CERT_TYPE_USER or SSH2_CERT_TYPE_HOST */ @@ -97,16 +99,18 @@ int key_equal_public(const Key *, cons int key_equal(const Key *, const Key *); - char *key_fingerprint(Key *, enum fp_type, enum fp_rep); + char *key_fingerprint(const Key *, enum fp_type, enum fp_rep); u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *); const char *key_type(const Key *); const char *key_cert_type(const Key *); @@ -360,9 +388,9 @@ diff --git a/openssh-6.2p2/key.h b/openssh-6.2p2/key.h int key_type_plain(int); int key_to_certified(Key *, int); int key_drop_cert(Key *); -diff --git a/openssh-6.2p2/ssh-add.c b/openssh-6.2p2/ssh-add.c ---- a/openssh-6.2p2/ssh-add.c -+++ b/openssh-6.2p2/ssh-add.c +diff --git a/openssh-6.4p1/ssh-add.c b/openssh-6.4p1/ssh-add.c +--- a/openssh-6.4p1/ssh-add.c ++++ b/openssh-6.4p1/ssh-add.c @@ -321,17 +321,17 @@ list_identities(AuthenticationConnection int version; @@ -377,15 +405,15 @@ diff --git a/openssh-6.2p2/ssh-add.c b/openssh-6.2p2/ssh-add.c SSH_FP_HEX); printf("%d %s %s (%s)\n", key_size(key), fp, comment, key_type(key)); - xfree(fp); + free(fp); } else { if (!key_write(key, stdout)) fprintf(stderr, "key_write failed"); fprintf(stdout, " %s\n", comment); -diff --git a/openssh-6.2p2/ssh-agent.c b/openssh-6.2p2/ssh-agent.c ---- a/openssh-6.2p2/ssh-agent.c -+++ b/openssh-6.2p2/ssh-agent.c -@@ -194,17 +194,17 @@ lookup_identity(Key *key, int version) +diff --git a/openssh-6.4p1/ssh-agent.c b/openssh-6.4p1/ssh-agent.c +--- a/openssh-6.4p1/ssh-agent.c ++++ b/openssh-6.4p1/ssh-agent.c +@@ -193,17 +193,17 @@ lookup_identity(Key *key, int version) /* Check confirmation of keysign request */ static int @@ -399,14 +427,44 @@ 
diff --git a/openssh-6.2p2/ssh-agent.c b/openssh-6.2p2/ssh-agent.c if (ask_permission("Allow use of key %s?\nKey fingerprint %s.", id->comment, p)) ret = 0; - xfree(p); + free(p); return (ret); } -diff --git a/openssh-6.2p2/ssh-keygen.c b/openssh-6.2p2/ssh-keygen.c ---- a/openssh-6.2p2/ssh-keygen.c -+++ b/openssh-6.2p2/ssh-keygen.c +diff --git a/openssh-6.4p1/ssh-keygen.c b/openssh-6.4p1/ssh-keygen.c +--- a/openssh-6.4p1/ssh-keygen.c ++++ b/openssh-6.4p1/ssh-keygen.c +@@ -725,27 +725,27 @@ do_download(struct passwd *pw) + { + #ifdef ENABLE_PKCS11 + Key **keys = NULL; + int i, nkeys; + enum fp_rep rep; + enum fp_type fptype; + char *fp, *ra; + +- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5; ++ fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fp_type_select(); + rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; + + pkcs11_init(0); + nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys); + if (nkeys <= 0) + fatal("cannot read public key from pkcs11"); + for (i = 0; i < nkeys; i++) { + if (print_fingerprint) { + fp = key_fingerprint(keys[i], fptype, rep); +- ra = key_fingerprint(keys[i], SSH_FP_MD5, ++ ra = key_fingerprint(keys[i], key_fp_type_select(), + SSH_FP_RANDOMART); + printf("%u %s %s (PKCS11 key)\n", key_size(keys[i]), + fp, key_type(keys[i])); + if (log_level >= SYSLOG_LEVEL_VERBOSE) + printf("%s\n", ra); + free(ra); + free(fp); + } else { @@ -768,29 +768,29 @@ do_fingerprint(struct passwd *pw) FILE *f; Key *public; @@ -436,9 +494,9 @@ diff --git a/openssh-6.2p2/ssh-keygen.c b/openssh-6.2p2/ssh-keygen.c if (log_level >= SYSLOG_LEVEL_VERBOSE) printf("%s\n", ra); key_free(public); - xfree(comment); - xfree(ra); - xfree(fp); + free(comment); + free(ra); + free(fp); @@ -846,17 +846,17 @@ do_fingerprint(struct passwd *pw) public = key_new(KEY_UNSPEC); if (key_read(public, &cp) != 1) { @@ -454,8 +512,8 @@ 
diff --git a/openssh-6.2p2/ssh-keygen.c b/openssh-6.2p2/ssh-keygen.c comment ? comment : "no comment", key_type(public)); if (log_level >= SYSLOG_LEVEL_VERBOSE) printf("%s\n", ra); - xfree(ra); - xfree(fp); + free(ra); + free(fp); key_free(public); invalid = 0; @@ -967,20 +967,20 @@ do_gen_all_hostkeys(struct passwd *pw) @@ -477,11 +535,11 @@ diff --git a/openssh-6.2p2/ssh-keygen.c b/openssh-6.2p2/ssh-keygen.c key_type(public)); if (log_level >= SYSLOG_LEVEL_VERBOSE) printf("%s\n", ra); - xfree(ra); - xfree(fp); + free(ra); + free(fp); } else { if (hash && (name = host_hash(name, NULL, 0)) == NULL) -@@ -1849,19 +1849,19 @@ do_show_cert(struct passwd *pw) +@@ -1850,19 +1850,19 @@ do_show_cert(struct passwd *pw) if (stat(identity_file, &st) < 0) fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); if ((key = key_load_public(identity_file, NULL)) == NULL) @@ -503,7 +561,7 @@ diff --git a/openssh-6.2p2/ssh-keygen.c b/openssh-6.2p2/ssh-keygen.c printf(" Signing CA: %s %s\n", key_type(key->cert->signature_key), ca_fp); printf(" Key ID: \"%s\"\n", key->cert->key_id); -@@ -2646,18 +2646,18 @@ passphrase_again: +@@ -2650,18 +2650,18 @@ passphrase_again: exit(1); } if (!key_write(public, f)) @@ -523,11 +581,11 @@ diff --git a/openssh-6.2p2/ssh-keygen.c b/openssh-6.2p2/ssh-keygen.c printf("%s %s\n", fp, comment); printf("The key's randomart image is:\n"); printf("%s\n", ra); - xfree(ra); -diff --git a/openssh-6.2p2/sshconnect.c b/openssh-6.2p2/sshconnect.c ---- a/openssh-6.2p2/sshconnect.c -+++ b/openssh-6.2p2/sshconnect.c -@@ -826,18 +826,18 @@ check_host_key(char *hostname, struct so + free(ra); +diff --git a/openssh-6.4p1/sshconnect.c b/openssh-6.4p1/sshconnect.c +--- a/openssh-6.4p1/sshconnect.c ++++ b/openssh-6.4p1/sshconnect.c +@@ -825,18 +825,18 @@ check_host_key(char *hostname, struct so "address '%.128s' to the list of known " "hosts (%.30s).", type, ip, user_hostfiles[0]); @@ -542,13 +600,13 @@ 
diff --git a/openssh-6.2p2/sshconnect.c b/openssh-6.2p2/sshconnect.c + ra = key_fingerprint(host_key, key_fp_type_select(), SSH_FP_RANDOMART); logit("Host key fingerprint is %s\n%s\n", fp, ra); - xfree(ra); - xfree(fp); + free(ra); + free(fp); } break; case HOST_NEW: if (options.host_key_alias == NULL && port != 0 && -@@ -867,18 +867,18 @@ check_host_key(char *hostname, struct so +@@ -866,18 +866,18 @@ check_host_key(char *hostname, struct so if (show_other_keys(host_hostkeys, host_key)) snprintf(msg1, sizeof(msg1), @@ -569,7 +627,7 @@ diff --git a/openssh-6.2p2/sshconnect.c b/openssh-6.2p2/sshconnect.c "Matching host key fingerprint" " found in DNS.\n"); else -@@ -1132,17 +1132,17 @@ fail: +@@ -1131,17 +1131,17 @@ fail: /* returns 0 if key verifies or -1 if key does NOT verify */ int @@ -581,14 +639,14 @@ diff --git a/openssh-6.2p2/sshconnect.c b/openssh-6.2p2/sshconnect.c - fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); + fp = key_fingerprint(host_key, key_fp_type_select(), SSH_FP_HEX); debug("Server host key: %s %s", key_type(host_key), fp); - xfree(fp); + free(fp); /* XXX certs are not yet supported for DNS */ if (!key_is_cert(host_key) && options.verify_host_key_dns && verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) { if (flags & DNS_VERIFY_FOUND) { -@@ -1234,18 +1234,18 @@ show_other_keys(struct hostkeys *hostkey +@@ -1233,18 +1233,18 @@ show_other_keys(struct hostkeys *hostkey char *fp, *ra; const struct hostkey_entry *found; @@ -609,7 +667,7 @@ diff --git a/openssh-6.2p2/sshconnect.c b/openssh-6.2p2/sshconnect.c key_type(found->key), fp); if (options.visual_host_key) logit("%s", ra); -@@ -1256,17 +1256,17 @@ show_other_keys(struct hostkeys *hostkey +@@ -1255,17 +1255,17 @@ show_other_keys(struct hostkeys *hostkey return ret; } @@ -628,10 +686,10 @@ 
diff --git a/openssh-6.2p2/sshconnect.c b/openssh-6.2p2/sshconnect.c error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); error("It is also possible that a host key has just been changed."); error("The fingerprint for the %s key sent by the remote host is\n%s.", -diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c ---- a/openssh-6.2p2/sshconnect2.c -+++ b/openssh-6.2p2/sshconnect2.c -@@ -592,17 +592,17 @@ input_userauth_pk_ok(int type, u_int32_t +diff --git a/openssh-6.4p1/sshconnect2.c b/openssh-6.4p1/sshconnect2.c +--- a/openssh-6.4p1/sshconnect2.c ++++ b/openssh-6.4p1/sshconnect2.c +@@ -590,17 +590,17 @@ input_userauth_pk_ok(int type, u_int32_t goto done; } if (key->type != pktype) { @@ -643,14 +701,14 @@ diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c - fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); + fp = key_fingerprint(key, key_fp_type_select(), SSH_FP_HEX); debug2("input_userauth_pk_ok: fp %s", fp); - xfree(fp); + free(fp); /* * search keys in the reverse order, because last candidate has been * moved to the end of the queue. this also avoids confusion by * duplicate keys */ -@@ -1207,17 +1207,17 @@ sign_and_send_pubkey(Authctxt *authctxt, +@@ -1204,17 +1204,17 @@ sign_and_send_pubkey(Authctxt *authctxt, Buffer b; u_char *blob, *signature; u_int bloblen, slen; @@ -662,7 +720,7 @@ diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c - fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX); + fp = key_fingerprint(id->key, key_fp_type_select(), SSH_FP_HEX); debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp); - xfree(fp); + free(fp); if (key_to_blob(id->key, &blob, &bloblen) == 0) { /* we cannot handle this key */ diff --git a/openssh-6.2p2-fips.patch b/openssh-6.4p1-fips.patch similarity index 94% rename from openssh-6.2p2-fips.patch rename to openssh-6.4p1-fips.patch index d441f12..bd5b2f9 100644 --- a/openssh-6.2p2-fips.patch 
+++ b/openssh-6.4p1-fips.patch @@ -4,9 +4,9 @@ # HG changeset patch # Parent 6536ed881743cbf05afe962021b985f9b1eab495 -diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in ---- a/openssh-6.2p2/Makefile.in -+++ b/openssh-6.2p2/Makefile.in +diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in +--- a/openssh-6.4p1/Makefile.in ++++ b/openssh-6.4p1/Makefile.in @@ -72,17 +72,17 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \ compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \ @@ -26,9 +26,9 @@ diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ audit.o audit-bsm.o audit-linux.o platform.o \ sshpty.o sshlogin.o servconf.o serverloop.o \ -diff --git a/openssh-6.2p2/auth-rsa.c b/openssh-6.2p2/auth-rsa.c ---- a/openssh-6.2p2/auth-rsa.c -+++ b/openssh-6.2p2/auth-rsa.c +diff --git a/openssh-6.4p1/auth-rsa.c b/openssh-6.4p1/auth-rsa.c +--- a/openssh-6.4p1/auth-rsa.c ++++ b/openssh-6.4p1/auth-rsa.c @@ -15,17 +15,17 @@ */ @@ -132,7 +132,7 @@ diff --git a/openssh-6.2p2/auth-rsa.c b/openssh-6.2p2/auth-rsa.c debug("unsuccessful audit"); rv = 0; } - xfree(fp); + free(fp); @@ -135,17 +145,17 @@ auth_rsa_verify_response(Key *key, BIGNU * and returns true (non-zero) if the client gave the correct answer to * our challenge; returns zero if the client gives a wrong answer. @@ -171,9 +171,9 @@ diff --git a/openssh-6.2p2/auth-rsa.c b/openssh-6.2p2/auth-rsa.c return (success); } -diff --git a/openssh-6.2p2/cipher-ctr.c b/openssh-6.2p2/cipher-ctr.c ---- a/openssh-6.2p2/cipher-ctr.c -+++ b/openssh-6.2p2/cipher-ctr.c +diff --git a/openssh-6.4p1/cipher-ctr.c b/openssh-6.4p1/cipher-ctr.c +--- a/openssh-6.4p1/cipher-ctr.c ++++ b/openssh-6.4p1/cipher-ctr.c @@ -21,16 +21,17 @@ #include @@ -208,9 +208,9 @@ 
diff --git a/openssh-6.2p2/cipher-ctr.c b/openssh-6.2p2/cipher-ctr.c } #endif /* OPENSSL_HAVE_EVPCTR */ -diff --git a/openssh-6.2p2/cipher.c b/openssh-6.2p2/cipher.c ---- a/openssh-6.2p2/cipher.c -+++ b/openssh-6.2p2/cipher.c +diff --git a/openssh-6.4p1/cipher.c b/openssh-6.4p1/cipher.c +--- a/openssh-6.4p1/cipher.c ++++ b/openssh-6.4p1/cipher.c @@ -42,16 +42,17 @@ #include @@ -373,10 +373,10 @@ diff --git a/openssh-6.2p2/cipher.c b/openssh-6.2p2/cipher.c /* * Exports an IV from the CipherContext required to export the key * state back from the unprivileged child to the privileged parent -diff --git a/openssh-6.2p2/fips.c b/openssh-6.2p2/fips.c +diff --git a/openssh-6.4p1/fips.c b/openssh-6.4p1/fips.c new file mode 100644 --- /dev/null -+++ b/openssh-6.2p2/fips.c ++++ b/openssh-6.4p1/fips.c @@ -0,0 +1,176 @@ +/* + * Copyright (c) 2012 Petr Cerny. All rights reserved. @@ -554,10 +554,10 @@ new file mode 100644 + return EVP_get_digestbynid(fips_hash_nid_min()); +} + -diff --git a/openssh-6.2p2/fips.h b/openssh-6.2p2/fips.h +diff --git a/openssh-6.4p1/fips.h b/openssh-6.4p1/fips.h new file mode 100644 --- /dev/null -+++ b/openssh-6.2p2/fips.h ++++ b/openssh-6.4p1/fips.h @@ -0,0 +1,54 @@ +/* + * Copyright (c) 2012 Petr Cerny. All rights reserved. @@ -613,9 +613,9 @@ new file mode 100644 + +#endif + -diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c ---- a/openssh-6.2p2/key.c -+++ b/openssh-6.2p2/key.c +diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c +--- a/openssh-6.4p1/key.c ++++ b/openssh-6.4p1/key.c @@ -49,16 +49,17 @@ #include "xmalloc.h" #include "key.h" @@ -654,9 +654,9 @@ 
diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c /* * string lengths must be less or equal to SSH_FP_TYPE_STRLEN (defined in * key.h) as to fit into the fingerprint string buffer -diff --git a/openssh-6.2p2/mac.c b/openssh-6.2p2/mac.c ---- a/openssh-6.2p2/mac.c -+++ b/openssh-6.2p2/mac.c +diff --git a/openssh-6.4p1/mac.c b/openssh-6.4p1/mac.c +--- a/openssh-6.4p1/mac.c ++++ b/openssh-6.4p1/mac.c @@ -36,34 +36,35 @@ #include "xmalloc.h" #include "log.h" @@ -760,9 +760,9 @@ diff --git a/openssh-6.2p2/mac.c b/openssh-6.2p2/mac.c mac_setup_by_id(mac, i); debug2("mac_setup: found %s", name); return (0); -diff --git a/openssh-6.2p2/myproposal.h b/openssh-6.2p2/myproposal.h ---- a/openssh-6.2p2/myproposal.h -+++ b/openssh-6.2p2/myproposal.h +diff --git a/openssh-6.4p1/myproposal.h b/openssh-6.4p1/myproposal.h +--- a/openssh-6.4p1/myproposal.h ++++ b/openssh-6.4p1/myproposal.h @@ -71,16 +71,20 @@ "ssh-dss" @@ -804,9 +804,9 @@ diff --git a/openssh-6.2p2/myproposal.h b/openssh-6.2p2/myproposal.h static char *myproposal[PROPOSAL_MAX] = { KEX_DEFAULT_KEX, KEX_DEFAULT_PK_ALG, -diff --git a/openssh-6.2p2/openbsd-compat/bsd-arc4random.c b/openssh-6.2p2/openbsd-compat/bsd-arc4random.c ---- a/openssh-6.2p2/openbsd-compat/bsd-arc4random.c -+++ b/openssh-6.2p2/openbsd-compat/bsd-arc4random.c +diff --git a/openssh-6.4p1/openbsd-compat/bsd-arc4random.c b/openssh-6.4p1/openbsd-compat/bsd-arc4random.c +--- a/openssh-6.4p1/openbsd-compat/bsd-arc4random.c ++++ b/openssh-6.4p1/openbsd-compat/bsd-arc4random.c @@ -18,34 +18,35 @@ #include @@ -930,9 +930,9 @@ diff --git a/openssh-6.2p2/openbsd-compat/bsd-arc4random.c b/openssh-6.2p2/openb { size_t i; u_int32_t r = 0; -diff --git a/openssh-6.2p2/ssh-rsa.c b/openssh-6.2p2/ssh-rsa.c ---- a/openssh-6.2p2/ssh-rsa.c -+++ b/openssh-6.2p2/ssh-rsa.c +diff --git a/openssh-6.4p1/ssh-rsa.c b/openssh-6.4p1/ssh-rsa.c +--- a/openssh-6.4p1/ssh-rsa.c ++++ b/openssh-6.4p1/ssh-rsa.c @@ -27,16 +27,17 @@ #include "xmalloc.h" @@ -981,15 +981,15 @@ 
diff --git a/openssh-6.2p2/ssh-rsa.c b/openssh-6.2p2/ssh-rsa.c + fips_correct_nid(&nid); if ((evp_md = EVP_get_digestbynid(nid)) == NULL) { error("ssh_rsa_verify: EVP_get_digestbynid %d failed", nid); - xfree(sigblob); + free(sigblob); return -1; } EVP_DigestInit(&md, evp_md); EVP_DigestUpdate(&md, data, datalen); EVP_DigestFinal(&md, digest, &dlen); -diff --git a/openssh-6.2p2/ssh.c b/openssh-6.2p2/ssh.c ---- a/openssh-6.2p2/ssh.c -+++ b/openssh-6.2p2/ssh.c +diff --git a/openssh-6.4p1/ssh.c b/openssh-6.4p1/ssh.c +--- a/openssh-6.4p1/ssh.c ++++ b/openssh-6.4p1/ssh.c @@ -99,16 +99,17 @@ #include "kex.h" #include "mac.h" @@ -1028,7 +1028,7 @@ diff --git a/openssh-6.2p2/ssh.c b/openssh-6.2p2/ssh.c options.address_family = AF_INET; break; @@ -781,17 +784,22 @@ main(int ac, char **av) - xfree(cp); + free(cp); } if (muxclient_command != 0 && options.control_path == NULL) fatal("No ControlPath specified for \"-O\" command"); @@ -1051,9 +1051,9 @@ diff --git a/openssh-6.2p2/ssh.c b/openssh-6.2p2/ssh.c options.use_privileged_port, #else original_effective_uid == 0 && options.use_privileged_port, -diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c ---- a/openssh-6.2p2/sshconnect2.c -+++ b/openssh-6.2p2/sshconnect2.c +diff --git a/openssh-6.4p1/sshconnect2.c b/openssh-6.4p1/sshconnect2.c +--- a/openssh-6.4p1/sshconnect2.c ++++ b/openssh-6.4p1/sshconnect2.c @@ -67,16 +67,17 @@ #include "dispatch.h" #include "canohost.h" @@ -1110,9 +1110,9 @@ diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c /* Prefer algorithms that we already have keys for */ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = order_hostkeyalgs(host, hostaddr, port); -diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c ---- a/openssh-6.2p2/sshd.c -+++ b/openssh-6.2p2/sshd.c +diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c +--- a/openssh-6.4p1/sshd.c ++++ b/openssh-6.4p1/sshd.c @@ -118,16 +118,17 @@ #ifdef GSSAPI #include "ssh-gss.h" 
diff --git a/openssh-6.2p2-gssapi_key_exchange.patch b/openssh-6.4p1-gssapi_key_exchange.patch similarity index 96% rename from openssh-6.2p2-gssapi_key_exchange.patch rename to openssh-6.4p1-gssapi_key_exchange.patch index f329b0a..ba3dec6 100644 --- a/openssh-6.2p2-gssapi_key_exchange.patch +++ b/openssh-6.4p1-gssapi_key_exchange.patch @@ -1,10 +1,10 @@ # HG changeset patch # Parent a72dad36a987a441e9c92807b1d654e43ddee409 -diff --git a/openssh-6.2p2/ChangeLog.gssapi b/openssh-6.2p2/ChangeLog.gssapi +diff --git a/openssh-6.4p1/ChangeLog.gssapi b/openssh-6.4p1/ChangeLog.gssapi new file mode 100644 --- /dev/null -+++ b/openssh-6.2p2/ChangeLog.gssapi ++++ b/openssh-6.4p1/ChangeLog.gssapi @@ -0,0 +1,113 @@ +20110101 + - Finally update for OpenSSH 5.6p1 @@ -119,9 +119,9 @@ new file mode 100644 + add support for GssapiTrustDns option for gssapi-with-mic + (from jbasney AT ncsa.uiuc.edu) + -diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in ---- a/openssh-6.2p2/Makefile.in -+++ b/openssh-6.2p2/Makefile.in +diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in +--- a/openssh-6.4p1/Makefile.in ++++ b/openssh-6.4p1/Makefile.in @@ -71,33 +71,34 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o canohost.o channels.o cipher.o cipher-aes.o \ cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \ @@ -158,9 +158,9 @@ 
diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5 -diff --git a/openssh-6.2p2/auth-krb5.c b/openssh-6.2p2/auth-krb5.c ---- a/openssh-6.2p2/auth-krb5.c -+++ b/openssh-6.2p2/auth-krb5.c +diff --git a/openssh-6.4p1/auth-krb5.c b/openssh-6.4p1/auth-krb5.c +--- a/openssh-6.4p1/auth-krb5.c ++++ b/openssh-6.4p1/auth-krb5.c @@ -165,18 +165,23 @@ auth_krb5_password(Authctxt *authctxt, c if (problem) goto out; @@ -229,9 +229,9 @@ diff --git a/openssh-6.2p2/auth-krb5.c b/openssh-6.2p2/auth-krb5.c } #endif /* !HEIMDAL */ #endif /* KRB5 */ -diff --git a/openssh-6.2p2/auth2-gss.c b/openssh-6.2p2/auth2-gss.c ---- a/openssh-6.2p2/auth2-gss.c -+++ b/openssh-6.2p2/auth2-gss.c +diff --git a/openssh-6.4p1/auth2-gss.c b/openssh-6.4p1/auth2-gss.c +--- a/openssh-6.4p1/auth2-gss.c ++++ b/openssh-6.4p1/auth2-gss.c @@ -1,12 +1,12 @@ /* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */ @@ -284,7 +284,7 @@ diff --git a/openssh-6.2p2/auth2-gss.c b/openssh-6.2p2/auth2-gss.c + authctxt->pw)); + + buffer_free(&b); -+ xfree(mic.value); ++ free(mic.value); + + return (authenticated); +} @@ -333,7 +333,7 @@ diff --git a/openssh-6.2p2/auth2-gss.c b/openssh-6.2p2/auth2-gss.c logit("GSSAPI MIC check failed"); buffer_free(&b); - xfree(mic.value); + free(mic.value); authctxt->postponed = 0; dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); @@ -357,9 +357,9 @@ 
diff --git a/openssh-6.2p2/auth2-gss.c b/openssh-6.2p2/auth2-gss.c Authmethod method_gssapi_old = { "gssapi", -diff --git a/openssh-6.2p2/auth2.c b/openssh-6.2p2/auth2.c ---- a/openssh-6.2p2/auth2.c -+++ b/openssh-6.2p2/auth2.c +diff --git a/openssh-6.4p1/auth2.c b/openssh-6.4p1/auth2.c +--- a/openssh-6.4p1/auth2.c ++++ b/openssh-6.4p1/auth2.c @@ -64,27 +64,29 @@ extern Buffer loginmsg; /* methods */ @@ -390,9 +390,9 @@ diff --git a/openssh-6.2p2/auth2.c b/openssh-6.2p2/auth2.c #endif &method_passwd, &method_kbdint, -diff --git a/openssh-6.2p2/clientloop.c b/openssh-6.2p2/clientloop.c ---- a/openssh-6.2p2/clientloop.c -+++ b/openssh-6.2p2/clientloop.c +diff --git a/openssh-6.4p1/clientloop.c b/openssh-6.4p1/clientloop.c +--- a/openssh-6.4p1/clientloop.c ++++ b/openssh-6.4p1/clientloop.c @@ -106,16 +106,20 @@ #include "authfd.h" #include "atomicio.h" @@ -440,9 +440,9 @@ diff --git a/openssh-6.2p2/clientloop.c b/openssh-6.2p2/clientloop.c } } -diff --git a/openssh-6.2p2/configure.ac b/openssh-6.2p2/configure.ac ---- a/openssh-6.2p2/configure.ac -+++ b/openssh-6.2p2/configure.ac +diff --git a/openssh-6.4p1/configure.ac b/openssh-6.4p1/configure.ac +--- a/openssh-6.4p1/configure.ac ++++ b/openssh-6.4p1/configure.ac @@ -528,16 +528,40 @@ main() { if (NSVersionOfRunTimeLibrary(" AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect]) AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1], @@ -484,9 +484,9 @@ diff --git a/openssh-6.2p2/configure.ac b/openssh-6.2p2/configure.ac [Define if pututxline updates lastlog too]) ) AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV], -diff --git a/openssh-6.2p2/gss-genr.c b/openssh-6.2p2/gss-genr.c ---- a/openssh-6.2p2/gss-genr.c -+++ b/openssh-6.2p2/gss-genr.c +diff --git a/openssh-6.4p1/gss-genr.c b/openssh-6.4p1/gss-genr.c +--- a/openssh-6.4p1/gss-genr.c ++++ b/openssh-6.4p1/gss-genr.c @@ -1,12 +1,12 @@ /* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */ @@ -572,8 +572,8 @@ 
diff --git a/openssh-6.2p2/gss-genr.c b/openssh-6.2p2/gss-genr.c + + if (gss_enc2oid != NULL) { + for (i = 0; gss_enc2oid[i].encoded != NULL; i++) -+ xfree(gss_enc2oid[i].encoded); -+ xfree(gss_enc2oid); ++ free(gss_enc2oid[i].encoded); ++ free(gss_enc2oid); + } + + gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) * @@ -630,7 +630,7 @@ diff --git a/openssh-6.2p2/gss-genr.c b/openssh-6.2p2/gss-genr.c + buffer_free(&buf); + + if (strlen(mechs) == 0) { -+ xfree(mechs); ++ free(mechs); + mechs = NULL; + } + @@ -702,7 +702,7 @@ diff --git a/openssh-6.2p2/gss-genr.c b/openssh-6.2p2/gss-genr.c &gssbuf, GSS_C_NT_HOSTBASED_SERVICE, &ctx->name))) ssh_gssapi_error(ctx); - xfree(gssbuf.value); + free(gssbuf.value); return (ctx->major); } @@ -874,9 +874,9 @@ diff --git a/openssh-6.2p2/gss-genr.c b/openssh-6.2p2/gss-genr.c +} + #endif /* GSSAPI */ -diff --git a/openssh-6.2p2/gss-serv-krb5.c b/openssh-6.2p2/gss-serv-krb5.c ---- a/openssh-6.2p2/gss-serv-krb5.c -+++ b/openssh-6.2p2/gss-serv-krb5.c +diff --git a/openssh-6.4p1/gss-serv-krb5.c b/openssh-6.4p1/gss-serv-krb5.c +--- a/openssh-6.4p1/gss-serv-krb5.c ++++ b/openssh-6.4p1/gss-serv-krb5.c @@ -1,12 +1,12 @@ /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ @@ -1023,9 +1023,9 @@ diff --git a/openssh-6.2p2/gss-serv-krb5.c b/openssh-6.2p2/gss-serv-krb5.c #endif /* KRB5 */ #endif /* GSSAPI */ -diff --git a/openssh-6.2p2/gss-serv.c b/openssh-6.2p2/gss-serv.c ---- a/openssh-6.2p2/gss-serv.c -+++ b/openssh-6.2p2/gss-serv.c +diff --git a/openssh-6.4p1/gss-serv.c b/openssh-6.4p1/gss-serv.c +--- a/openssh-6.4p1/gss-serv.c ++++ b/openssh-6.4p1/gss-serv.c @@ -1,12 +1,12 @@ /* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */ @@ -1412,9 +1412,9 @@ 
diff --git a/openssh-6.2p2/gss-serv.c b/openssh-6.2p2/gss-serv.c } #endif -diff --git a/openssh-6.2p2/kex.c b/openssh-6.2p2/kex.c ---- a/openssh-6.2p2/kex.c -+++ b/openssh-6.2p2/kex.c +diff --git a/openssh-6.4p1/kex.c b/openssh-6.4p1/kex.c +--- a/openssh-6.4p1/kex.c ++++ b/openssh-6.4p1/kex.c @@ -46,16 +46,24 @@ #include "log.h" #include "mac.h" @@ -1471,9 +1471,9 @@ diff --git a/openssh-6.2p2/kex.c b/openssh-6.2p2/kex.c choose_hostkeyalg(Kex *k, char *client, char *server) { char *hostkeyalg = match_list(client, server, NULL); -diff --git a/openssh-6.2p2/kex.h b/openssh-6.2p2/kex.h ---- a/openssh-6.2p2/kex.h -+++ b/openssh-6.2p2/kex.h +diff --git a/openssh-6.4p1/kex.h b/openssh-6.4p1/kex.h +--- a/openssh-6.4p1/kex.h ++++ b/openssh-6.4p1/kex.h @@ -68,16 +68,19 @@ enum kex_modes { }; @@ -1539,10 +1539,10 @@ diff --git a/openssh-6.2p2/kex.h b/openssh-6.2p2/kex.h kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *, int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); -diff --git a/openssh-6.2p2/kexgssc.c b/openssh-6.2p2/kexgssc.c +diff --git a/openssh-6.4p1/kexgssc.c b/openssh-6.4p1/kexgssc.c new file mode 100644 --- /dev/null -+++ b/openssh-6.2p2/kexgssc.c ++++ b/openssh-6.4p1/kexgssc.c @@ -0,0 +1,334 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. @@ -1690,7 +1690,7 @@ new file mode 100644 + + /* If we've got an old receive buffer get rid of it */ + if (token_ptr != GSS_C_NO_BUFFER) -+ xfree(recv_tok.value); ++ free(recv_tok.value); + + if (maj_status == GSS_S_COMPLETE) { + /* If mutual state flag is not true, kex fails */ @@ -1807,7 +1807,7 @@ new file mode 100644 + fatal("kexdh_client: BN_bin2bn failed"); + + memset(kbuf, 0, klen); -+ xfree(kbuf); ++ free(kbuf); + + switch (kex->kex_type) { + case KEX_GSS_GRP1_SHA1: 
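Review bot: The `memset(kbuf, 0, klen);` immediately preceding the new `free(kbuf);` in the kexgssc.c hunk at @@ -1807 is a store to memory that is released on the next line, which compilers are entitled to elide, so the shared-secret buffer may not actually be wiped; the kexgsss.c hunk at @@ -2092 carries the same pattern. This rebase only swaps xfree() for free() and does not address it, and the 6.4p1 tree shown here does not appear to provide an explicit_bzero()-style helper, so a straight replacement is not available in this patch. A short comment would at least record the limitation for the next rebase, e.g. `/* NOTE: memset before free may be optimised away; switch to an explicit wipe once one is available */`. The enclosing function starts and ends outside the hunk.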
@@ -1850,11 +1850,11 @@ new file mode 100644 + if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok))) + packet_disconnect("Hash's MIC didn't verify"); + -+ xfree(msg_tok.value); ++ free(msg_tok.value); + + DH_free(dh); + if (serverhostkey) -+ xfree(serverhostkey); ++ free(serverhostkey); + BN_clear_free(dh_server_pub); + + /* save session id */ @@ -1878,10 +1878,10 @@ new file mode 100644 +} + +#endif /* GSSAPI */ -diff --git a/openssh-6.2p2/kexgsss.c b/openssh-6.2p2/kexgsss.c +diff --git a/openssh-6.4p1/kexgsss.c b/openssh-6.4p1/kexgsss.c new file mode 100644 --- /dev/null -+++ b/openssh-6.2p2/kexgsss.c ++++ b/openssh-6.4p1/kexgsss.c @@ -0,0 +1,288 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. @@ -1965,7 +1965,7 @@ new file mode 100644 + */ + if (!ssh_gssapi_oid_table_ok()) + if ((mechs = ssh_gssapi_server_mechanisms())) -+ xfree(mechs); ++ free(mechs); + + debug2("%s: Identifying %s", __func__, kex->name); + oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type); @@ -2043,7 +2043,7 @@ new file mode 100644 + maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok, + &send_tok, &ret_flags)); + -+ xfree(recv_tok.value); ++ free(recv_tok.value); + + if (maj_status != GSS_S_COMPLETE && send_tok.length == 0) + fatal("Zero length token output when incomplete"); @@ -2092,7 +2092,7 @@ new file mode 100644 + fatal("kexgss_server: BN_bin2bn failed"); + + memset(kbuf, 0, klen); -+ xfree(kbuf); ++ free(kbuf); + + switch (kex->kex_type) { + case KEX_GSS_GRP1_SHA1: @@ -2171,9 +2171,9 @@ new file mode 100644 + ssh_gssapi_rekey_creds(); +} +#endif /* GSSAPI */ -diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c ---- a/openssh-6.2p2/key.c -+++ b/openssh-6.2p2/key.c +diff --git a/openssh-6.4p1/key.c b/openssh-6.4p1/key.c +--- a/openssh-6.4p1/key.c ++++ b/openssh-6.4p1/key.c @@ -1038,16 +1038,18 @@ key_ssh_name_from_type_nid(int type, int return "ecdsa-sha2-nistp384-cert-v01@openssh.com"; case NID_secp521r1: @@ -2212,9 +2212,9 @@ 
diff --git a/openssh-6.2p2/key.c b/openssh-6.2p2/key.c int key_ecdsa_nid_from_name(const char *name) -diff --git a/openssh-6.2p2/key.h b/openssh-6.2p2/key.h ---- a/openssh-6.2p2/key.h -+++ b/openssh-6.2p2/key.h +diff --git a/openssh-6.4p1/key.h b/openssh-6.4p1/key.h +--- a/openssh-6.4p1/key.h ++++ b/openssh-6.4p1/key.h @@ -39,16 +39,17 @@ enum types { KEY_RSA, KEY_DSA, @@ -2233,9 +2233,9 @@ diff --git a/openssh-6.2p2/key.h b/openssh-6.2p2/key.h SSH_FP_SHA256 }; enum fp_rep { -diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c ---- a/openssh-6.2p2/monitor.c -+++ b/openssh-6.2p2/monitor.c +diff --git a/openssh-6.4p1/monitor.c b/openssh-6.4p1/monitor.c +--- a/openssh-6.4p1/monitor.c ++++ b/openssh-6.4p1/monitor.c @@ -178,16 +178,18 @@ int mm_answer_pam_respond(int, Buffer *) int mm_answer_pam_free_ctx(int, Buffer *); #endif @@ -2355,7 +2355,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c blob = buffer_get_string(m, &bloblen); buffer_init(&kex->my); buffer_append(&kex->my, blob, bloblen); - xfree(blob); + free(blob); blob = buffer_get_string(m, &bloblen); @@ -2135,16 +2159,19 @@ monitor_reinit(struct monitor *mon) #ifdef GSSAPI @@ -2374,7 +2374,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c major = ssh_gssapi_server_ctx(&gsscontext, &goid); - xfree(goid.elements); + free(goid.elements); buffer_clear(m); @@ -2162,16 +2189,19 @@ int @@ -2392,7 +2392,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c in.value = buffer_get_string(m, &len); in.length = len; major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); - xfree(in.value); + free(in.value); buffer_clear(m); buffer_put_int(m, major); @@ -2428,7 +2428,7 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic); - xfree(gssbuf.value); + free(gssbuf.value); @@ -2216,29 +2250,101 @@ mm_answer_gss_checkmic(int sock, Buffer return (0); } @@ -2482,7 +2482,7 @@ 
diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c + } + major = ssh_gssapi_sign(gsscontext, &data, &hash); + -+ xfree(data.value); ++ free(data.value); + + buffer_clear(m); + buffer_put_int(m, major); @@ -2512,9 +2512,9 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c + + ok = ssh_gssapi_update_creds(&store); + -+ xfree(store.filename); -+ xfree(store.envvar); -+ xfree(store.envval); ++ free(store.filename); ++ free(store.envvar); ++ free(store.envval); + + buffer_clear(m); + buffer_put_int(m, ok); @@ -2532,9 +2532,9 @@ diff --git a/openssh-6.2p2/monitor.c b/openssh-6.2p2/monitor.c { struct jpake_ctx *pctx; u_char *x3_proof, *x4_proof; -diff --git a/openssh-6.2p2/monitor.h b/openssh-6.2p2/monitor.h ---- a/openssh-6.2p2/monitor.h -+++ b/openssh-6.2p2/monitor.h +diff --git a/openssh-6.4p1/monitor.h b/openssh-6.4p1/monitor.h +--- a/openssh-6.4p1/monitor.h ++++ b/openssh-6.4p1/monitor.h @@ -70,16 +70,19 @@ enum monitor_reqtype { MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111, MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113, @@ -2555,9 +2555,9 @@ diff --git a/openssh-6.2p2/monitor.h b/openssh-6.2p2/monitor.h int m_sendfd; int m_log_recvfd; int m_log_sendfd; -diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c ---- a/openssh-6.2p2/monitor_wrap.c -+++ b/openssh-6.2p2/monitor_wrap.c +diff --git a/openssh-6.4p1/monitor_wrap.c b/openssh-6.4p1/monitor_wrap.c +--- a/openssh-6.4p1/monitor_wrap.c ++++ b/openssh-6.4p1/monitor_wrap.c @@ -1303,33 +1303,78 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss &m); @@ -2638,9 +2638,9 @@ 
diff --git a/openssh-6.2p2/monitor_wrap.c b/openssh-6.2p2/monitor_wrap.c char **hash_scheme, char **salt) { Buffer m; -diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h ---- a/openssh-6.2p2/monitor_wrap.h -+++ b/openssh-6.2p2/monitor_wrap.h +diff --git a/openssh-6.4p1/monitor_wrap.h b/openssh-6.4p1/monitor_wrap.h +--- a/openssh-6.4p1/monitor_wrap.h ++++ b/openssh-6.4p1/monitor_wrap.h @@ -54,18 +54,20 @@ int mm_user_key_verify(Key *, u_char *, int mm_auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **); int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *); @@ -2663,9 +2663,9 @@ diff --git a/openssh-6.2p2/monitor_wrap.h b/openssh-6.2p2/monitor_wrap.h void *mm_sshpam_init_ctx(struct Authctxt *); int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **); int mm_sshpam_respond(void *, u_int, char **); -diff --git a/openssh-6.2p2/readconf.c b/openssh-6.2p2/readconf.c ---- a/openssh-6.2p2/readconf.c -+++ b/openssh-6.2p2/readconf.c +diff --git a/openssh-6.4p1/readconf.c b/openssh-6.4p1/readconf.c +--- a/openssh-6.4p1/readconf.c ++++ b/openssh-6.4p1/readconf.c @@ -124,16 +124,18 @@ typedef enum { oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs, oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, @@ -2813,9 +2813,9 @@ diff --git a/openssh-6.2p2/readconf.c b/openssh-6.2p2/readconf.c options->rhosts_rsa_authentication = 0; if (options->hostbased_authentication == -1) options->hostbased_authentication = 0; -diff --git a/openssh-6.2p2/readconf.h b/openssh-6.2p2/readconf.h ---- a/openssh-6.2p2/readconf.h -+++ b/openssh-6.2p2/readconf.h +diff --git a/openssh-6.4p1/readconf.h b/openssh-6.4p1/readconf.h +--- a/openssh-6.4p1/readconf.h ++++ b/openssh-6.4p1/readconf.h @@ -43,18 +43,23 @@ typedef struct { int rhosts_rsa_authentication; /* Try rhosts with RSA * authentication. */ @@ -2840,9 +2840,9 @@ 
diff --git a/openssh-6.2p2/readconf.h b/openssh-6.2p2/readconf.h int batch_mode; /* Batch mode: do not ask for passwords. */ int check_host_ip; /* Also keep track of keys for IP address */ int strict_host_key_checking; /* Strict host key checking. */ -diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c ---- a/openssh-6.2p2/servconf.c -+++ b/openssh-6.2p2/servconf.c +diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c +--- a/openssh-6.4p1/servconf.c ++++ b/openssh-6.4p1/servconf.c @@ -98,18 +98,21 @@ initialize_server_options(ServerOptions options->hostbased_uses_name_from_packet_only = -1; options->rsa_authentication = -1; @@ -3000,9 +3000,9 @@ diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); dump_cfg_fmtint(sKbdInteractiveAuthentication, o->kbd_interactive_authentication); -diff --git a/openssh-6.2p2/servconf.h b/openssh-6.2p2/servconf.h ---- a/openssh-6.2p2/servconf.h -+++ b/openssh-6.2p2/servconf.h +diff --git a/openssh-6.4p1/servconf.h b/openssh-6.4p1/servconf.h +--- a/openssh-6.4p1/servconf.h ++++ b/openssh-6.4p1/servconf.h @@ -105,18 +105,21 @@ typedef struct { * authentication mechanism, * such as SecurID or @@ -3025,9 +3025,9 @@ diff --git a/openssh-6.2p2/servconf.h b/openssh-6.2p2/servconf.h /* If true, permit jpake auth */ int permit_empty_passwd; /* If false, do not permit empty * passwords. */ -diff --git a/openssh-6.2p2/ssh-gss.h b/openssh-6.2p2/ssh-gss.h ---- a/openssh-6.2p2/ssh-gss.h -+++ b/openssh-6.2p2/ssh-gss.h +diff --git a/openssh-6.4p1/ssh-gss.h b/openssh-6.4p1/ssh-gss.h +--- a/openssh-6.4p1/ssh-gss.h ++++ b/openssh-6.4p1/ssh-gss.h @@ -1,11 +1,11 @@ /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */ /* @@ -3151,9 +3151,9 @@ 
diff --git a/openssh-6.2p2/ssh-gss.h b/openssh-6.2p2/ssh-gss.h #endif /* GSSAPI */ #endif /* _SSH_GSS_H */ -diff --git a/openssh-6.2p2/ssh_config b/openssh-6.2p2/ssh_config ---- a/openssh-6.2p2/ssh_config -+++ b/openssh-6.2p2/ssh_config +diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config +--- a/openssh-6.4p1/ssh_config ++++ b/openssh-6.4p1/ssh_config @@ -32,16 +32,18 @@ Host * ForwardX11Trusted yes @@ -3173,9 +3173,9 @@ diff --git a/openssh-6.2p2/ssh_config b/openssh-6.2p2/ssh_config # IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/id_rsa # IdentityFile ~/.ssh/id_dsa -diff --git a/openssh-6.2p2/ssh_config.5 b/openssh-6.2p2/ssh_config.5 ---- a/openssh-6.2p2/ssh_config.5 -+++ b/openssh-6.2p2/ssh_config.5 +diff --git a/openssh-6.4p1/ssh_config.5 b/openssh-6.4p1/ssh_config.5 +--- a/openssh-6.4p1/ssh_config.5 ++++ b/openssh-6.4p1/ssh_config.5 @@ -525,21 +525,53 @@ host key database, separated by whitespa The default is .Pa /etc/ssh/ssh_known_hosts , @@ -3231,9 +3231,9 @@ diff --git a/openssh-6.2p2/ssh_config.5 b/openssh-6.2p2/ssh_config.5 These hashed names may be used normally by .Xr ssh 1 and -diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c ---- a/openssh-6.2p2/sshconnect2.c -+++ b/openssh-6.2p2/sshconnect2.c +diff --git a/openssh-6.4p1/sshconnect2.c b/openssh-6.4p1/sshconnect2.c +--- a/openssh-6.4p1/sshconnect2.c ++++ b/openssh-6.4p1/sshconnect2.c @@ -155,19 +155,44 @@ order_hostkeyalgs(char *host, struct soc return ret; } @@ -3295,7 +3295,7 @@ diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c + orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]; + xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS], + "%s,null", orig); -+ xfree(gss); ++ free(gss); + } +#endif + @@ -3450,8 +3450,8 @@ diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c packet_check_eom(); debug("Server GSSAPI Error:\n%s", msg); - xfree(msg); - xfree(lang); + free(msg); + free(lang); } + +int @@ -3503,9 +3503,9 @@ 
diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c /* initial userauth request */ packet_start(SSH2_MSG_USERAUTH_REQUEST); packet_put_cstring(authctxt->server_user); -diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c ---- a/openssh-6.2p2/sshd.c -+++ b/openssh-6.2p2/sshd.c +diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c +--- a/openssh-6.4p1/sshd.c ++++ b/openssh-6.4p1/sshd.c @@ -119,16 +119,24 @@ #include "ssh-gss.h" #endif @@ -3812,9 +3812,9 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c kex->host_key_index=&get_hostkey_index; xxx_kex = kex; -diff --git a/openssh-6.2p2/sshd_config b/openssh-6.2p2/sshd_config ---- a/openssh-6.2p2/sshd_config -+++ b/openssh-6.2p2/sshd_config +diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config +--- a/openssh-6.4p1/sshd_config ++++ b/openssh-6.4p1/sshd_config @@ -75,16 +75,18 @@ PasswordAuthentication no #KerberosAuthentication no #KerberosOrLocalPasswd yes @@ -3834,9 +3834,9 @@ diff --git a/openssh-6.2p2/sshd_config b/openssh-6.2p2/sshd_config #GSSAPIEnableMITMAttack no -diff --git a/openssh-6.2p2/sshd_config.5 b/openssh-6.2p2/sshd_config.5 ---- a/openssh-6.2p2/sshd_config.5 -+++ b/openssh-6.2p2/sshd_config.5 +diff --git a/openssh-6.4p1/sshd_config.5 b/openssh-6.4p1/sshd_config.5 +--- a/openssh-6.4p1/sshd_config.5 ++++ b/openssh-6.4p1/sshd_config.5 @@ -475,22 +475,50 @@ to force remote port forwardings to bind to allow the client to select the address to which the forwarding is bound. The default is diff --git a/openssh-6.2p2-gssapimitm.patch b/openssh-6.4p1-gssapimitm.patch similarity index 86% rename from openssh-6.2p2-gssapimitm.patch rename to openssh-6.4p1-gssapimitm.patch index 1c0a996..0f9046d 100644 --- a/openssh-6.2p2-gssapimitm.patch +++ b/openssh-6.4p1-gssapimitm.patch 
@@ -13,10 +13,10 @@ # recommended to use the 'gssapi-with-mic' mechanism. Existing installations # are encouraged to upgrade as soon as possible. -diff --git a/openssh-6.2p2/auth2-gss.c b/openssh-6.2p2/auth2-gss.c ---- a/openssh-6.2p2/auth2-gss.c -+++ b/openssh-6.2p2/auth2-gss.c -@@ -174,16 +174,25 @@ input_gssapi_token(int type, u_int32_t p +diff --git a/openssh-6.4p1/auth2-gss.c b/openssh-6.4p1/auth2-gss.c +--- a/openssh-6.4p1/auth2-gss.c ++++ b/openssh-6.4p1/auth2-gss.c +@@ -173,16 +173,25 @@ input_gssapi_token(int type, u_int32_t p dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); if (flags & GSS_C_INTEG_FLAG) dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, @@ -42,7 +42,7 @@ diff --git a/openssh-6.2p2/auth2-gss.c b/openssh-6.2p2/auth2-gss.c static void input_gssapi_errtok(int type, u_int32_t plen, void *ctxt) -@@ -295,9 +304,15 @@ input_gssapi_mic(int type, u_int32_t ple +@@ -291,9 +300,15 @@ input_gssapi_mic(int type, u_int32_t ple } Authmethod method_gssapi = { @@ -58,9 +58,9 @@ diff --git a/openssh-6.2p2/auth2-gss.c b/openssh-6.2p2/auth2-gss.c +}; + #endif /* GSSAPI */ -diff --git a/openssh-6.2p2/auth2.c b/openssh-6.2p2/auth2.c ---- a/openssh-6.2p2/auth2.c -+++ b/openssh-6.2p2/auth2.c +diff --git a/openssh-6.4p1/auth2.c b/openssh-6.4p1/auth2.c +--- a/openssh-6.4p1/auth2.c ++++ b/openssh-6.4p1/auth2.c @@ -65,26 +65,28 @@ extern Buffer loginmsg; extern Authmethod method_none; @@ -90,10 +90,10 @@ 
diff --git a/openssh-6.2p2/auth2.c b/openssh-6.2p2/auth2.c &method_kbdint, &method_hostbased, NULL -diff --git a/openssh-6.2p2/readconf.c b/openssh-6.2p2/readconf.c ---- a/openssh-6.2p2/readconf.c -+++ b/openssh-6.2p2/readconf.c -@@ -123,17 +123,17 @@ typedef enum { +diff --git a/openssh-6.4p1/readconf.c b/openssh-6.4p1/readconf.c +--- a/openssh-6.4p1/readconf.c ++++ b/openssh-6.4p1/readconf.c +@@ -126,17 +126,17 @@ typedef enum { oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts, oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs, oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, @@ -109,10 +109,10 @@ diff --git a/openssh-6.2p2/readconf.c b/openssh-6.2p2/readconf.c oHashKnownHosts, oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, - oKexAlgorithms, oIPQoS, oRequestTTY, - oDeprecated, oUnsupported + oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, + oIgnoredUnknownOption, oDeprecated, oUnsupported } OpCodes; -@@ -165,19 +165,21 @@ static struct { +@@ -168,19 +168,21 @@ static struct { { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */ { "tisauthentication", oChallengeResponseAuthentication }, /* alias */ { "kerberosauthentication", oUnsupported }, @@ -134,7 +134,7 @@ diff --git a/openssh-6.2p2/readconf.c b/openssh-6.2p2/readconf.c { "identitiesonly", oIdentitiesOnly }, { "hostname", oHostName }, { "hostkeyalias", oHostKeyAlias }, -@@ -501,16 +503,20 @@ parse_flag: +@@ -514,16 +516,20 @@ parse_flag: case oGssAuthentication: intptr = &options->gss_authentication; @@ -155,7 +155,7 @@ diff --git a/openssh-6.2p2/readconf.c b/openssh-6.2p2/readconf.c case oCheckHostIP: intptr = &options->check_host_ip; goto parse_flag; -@@ -1154,16 +1160,17 @@ initialize_options(Options * options) +@@ -1164,16 +1170,17 @@ initialize_options(Options * options) options->xauth_location = NULL; options->gateway_ports = -1; options->use_privileged_port = -1; 
@@ -173,7 +173,7 @@ diff --git a/openssh-6.2p2/readconf.c b/openssh-6.2p2/readconf.c options->batch_mode = -1; options->check_host_ip = -1; options->strict_host_key_checking = -1; -@@ -1255,16 +1262,18 @@ fill_default_options(Options * options) +@@ -1265,16 +1272,18 @@ fill_default_options(Options * options) if (options->pubkey_authentication == -1) options->pubkey_authentication = 1; if (options->challenge_response_authentication == -1) @@ -192,9 +192,9 @@ diff --git a/openssh-6.2p2/readconf.c b/openssh-6.2p2/readconf.c options->rhosts_rsa_authentication = 0; if (options->hostbased_authentication == -1) options->hostbased_authentication = 0; -diff --git a/openssh-6.2p2/readconf.h b/openssh-6.2p2/readconf.h ---- a/openssh-6.2p2/readconf.h -+++ b/openssh-6.2p2/readconf.h +diff --git a/openssh-6.4p1/readconf.h b/openssh-6.4p1/readconf.h +--- a/openssh-6.4p1/readconf.h ++++ b/openssh-6.4p1/readconf.h @@ -44,16 +44,17 @@ typedef struct { * authentication. */ int rsa_authentication; /* Try RSA authentication. */ @@ -213,10 +213,10 @@ diff --git a/openssh-6.2p2/readconf.h b/openssh-6.2p2/readconf.h int batch_mode; /* Batch mode: do not ask for passwords. */ int check_host_ip; /* Also keep track of keys for IP address */ int strict_host_key_checking; /* Strict host key checking. */ -diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c ---- a/openssh-6.2p2/servconf.c -+++ b/openssh-6.2p2/servconf.c -@@ -98,16 +98,17 @@ initialize_server_options(ServerOptions +diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c +--- a/openssh-6.4p1/servconf.c ++++ b/openssh-6.4p1/servconf.c +@@ -103,16 +103,17 @@ initialize_server_options(ServerOptions options->rsa_authentication = -1; options->pubkey_authentication = -1; options->kerberos_authentication = -1; @@ -233,8 +233,8 @@ 
diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c options->permit_user_env = -1; options->use_login = -1; options->compression = -1; - options->allow_tcp_forwarding = -1; -@@ -230,16 +231,18 @@ fill_default_server_options(ServerOption + options->rekey_limit = -1; +@@ -237,16 +238,18 @@ fill_default_server_options(ServerOption if (options->kerberos_ticket_cleanup == -1) options->kerberos_ticket_cleanup = 1; if (options->kerberos_get_afs_token == -1) @@ -253,9 +253,9 @@ diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c options->challenge_response_authentication = 1; if (options->permit_empty_passwd == -1) options->permit_empty_passwd = 0; -@@ -322,17 +325,17 @@ typedef enum { +@@ -333,17 +336,17 @@ typedef enum { sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, - sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, + sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, @@ -270,9 +270,9 @@ diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, sKexAlgorithms, sIPQoS, sVersionAddendum, sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, - sAuthenticationMethods, + sAuthenticationMethods, sHostKeyAgent, sDeprecated, sUnsupported -@@ -388,19 +391,21 @@ static struct { +@@ -400,19 +403,21 @@ static struct { { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL }, { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, #endif @@ -294,7 +294,7 @@ 
diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c #ifdef JPAKE { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL }, #else -@@ -1048,16 +1053,20 @@ process_server_config_line(ServerOptions +@@ -1072,16 +1077,20 @@ process_server_config_line(ServerOptions case sGssAuthentication: intptr = &options->gss_authentication; goto parse_flag; @@ -315,10 +315,10 @@ diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c intptr = &options->zero_knowledge_password_authentication; goto parse_flag; -diff --git a/openssh-6.2p2/servconf.h b/openssh-6.2p2/servconf.h ---- a/openssh-6.2p2/servconf.h -+++ b/openssh-6.2p2/servconf.h -@@ -106,16 +106,17 @@ typedef struct { +diff --git a/openssh-6.4p1/servconf.h b/openssh-6.4p1/servconf.h +--- a/openssh-6.4p1/servconf.h ++++ b/openssh-6.4p1/servconf.h +@@ -107,16 +107,17 @@ typedef struct { * such as SecurID or * /etc/passwd */ int kerberos_ticket_cleanup; /* If true, destroy ticket @@ -336,10 +336,10 @@ diff --git a/openssh-6.2p2/servconf.h b/openssh-6.2p2/servconf.h /* If true, permit jpake auth */ int permit_empty_passwd; /* If false, do not permit empty * passwords. */ -diff --git a/openssh-6.2p2/ssh_config b/openssh-6.2p2/ssh_config ---- a/openssh-6.2p2/ssh_config -+++ b/openssh-6.2p2/ssh_config -@@ -51,8 +51,15 @@ ForwardX11Trusted yes +diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config +--- a/openssh-6.4p1/ssh_config ++++ b/openssh-6.4p1/ssh_config +@@ -51,9 +51,16 @@ ForwardX11Trusted yes # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 # EscapeChar ~ @@ -355,10 +355,11 @@ 
diff --git a/openssh-6.2p2/ssh_config b/openssh-6.2p2/ssh_config +# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to. +# GSSAPIEnableMITMAttack no + -diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c ---- a/openssh-6.2p2/sshconnect2.c -+++ b/openssh-6.2p2/sshconnect2.c -@@ -321,16 +321,21 @@ static char *authmethods_get(void); + # RekeyLimit 1G 1h +diff --git a/openssh-6.4p1/sshconnect2.c b/openssh-6.4p1/sshconnect2.c +--- a/openssh-6.4p1/sshconnect2.c ++++ b/openssh-6.4p1/sshconnect2.c +@@ -322,16 +322,21 @@ static char *authmethods_get(void); Authmethod authmethods[] = { #ifdef GSSAPI @@ -380,7 +381,7 @@ diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c NULL}, {"publickey", userauth_pubkey, -@@ -698,17 +703,19 @@ process_gssapi_token(void *ctxt, gss_buf +@@ -696,17 +701,19 @@ process_gssapi_token(void *ctxt, gss_buf packet_put_string(send_tok.value, send_tok.length); packet_send(); @@ -401,10 +402,10 @@ diff --git a/openssh-6.2p2/sshconnect2.c b/openssh-6.2p2/sshconnect2.c gssbuf.value = buffer_ptr(&b); gssbuf.length = buffer_len(&b); -diff --git a/openssh-6.2p2/sshd_config b/openssh-6.2p2/sshd_config ---- a/openssh-6.2p2/sshd_config -+++ b/openssh-6.2p2/sshd_config -@@ -76,16 +76,23 @@ PasswordAuthentication no +diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config +--- a/openssh-6.4p1/sshd_config ++++ b/openssh-6.4p1/sshd_config +@@ -79,16 +79,23 @@ PasswordAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no diff --git a/openssh-6.2p2-host_ident.patch b/openssh-6.4p1-host_ident.patch similarity index 82% rename from openssh-6.2p2-host_ident.patch rename to openssh-6.4p1-host_ident.patch index 9cd3005..0888c48 100644 --- a/openssh-6.2p2-host_ident.patch +++ b/openssh-6.4p1-host_ident.patch 
@@ -1,10 +1,10 @@ # identify hashed hosts in known_hosts and suggest command line for their # removal -diff --git a/openssh-6.2p2/sshconnect.c b/openssh-6.2p2/sshconnect.c ---- a/openssh-6.2p2/sshconnect.c -+++ b/openssh-6.2p2/sshconnect.c -@@ -987,16 +987,21 @@ check_host_key(char *hostname, struct so +diff --git a/openssh-6.4p1/sshconnect.c b/openssh-6.4p1/sshconnect.c +--- a/openssh-6.4p1/sshconnect.c ++++ b/openssh-6.4p1/sshconnect.c +@@ -986,16 +986,21 @@ check_host_key(char *hostname, struct so ip_found->file, ip_found->line); } /* The host key has changed. */ diff --git a/openssh-6.2p2-key-converter.patch b/openssh-6.4p1-key-converter.patch similarity index 94% rename from openssh-6.2p2-key-converter.patch rename to openssh-6.4p1-key-converter.patch index b9c5c85..8d463a1 100644 --- a/openssh-6.2p2-key-converter.patch +++ b/openssh-6.4p1-key-converter.patch @@ -1,9 +1,9 @@ # SSHv1 to SSHv2 RSA keys converter -diff --git a/openssh-6.2p2/converter/Makefile b/openssh-6.2p2/converter/Makefile +diff --git a/openssh-6.4p1/converter/Makefile b/openssh-6.4p1/converter/Makefile new file mode 100644 --- /dev/null -+++ b/openssh-6.2p2/converter/Makefile ++++ b/openssh-6.4p1/converter/Makefile @@ -0,0 +1,17 @@ + +bindir=/usr/bin 
@@ -12,20 +12,20 @@ new file mode 100644 +all : ssh-keyconverter + +ssh-keyconverter.o: ssh-keyconverter.c ../key.h ../authfile.h ../misc.h ../xmalloc.h -+ gcc $(RPM_OPT_FLAGS) -c -I../ $< -o $@ ++ gcc $(CFLAGS) $(RPM_OPT_FLAGS) -c -I../ $< -o $@ + +ssh-keyconverter: ssh-keyconverter.o ../libssh.a ../openbsd-compat/libopenbsd-compat.a -+ gcc $< -Wl,--no-as-needed $(RPM_OPT_FLAGS) -L../ -L../openbsd-compat/ -lcrypto -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lpam -ldl -lwrap -lutil -lz -lnsl -lcrypt -lssl -o $@ ++ gcc $< $(LDFLAGS) $(RPM_OPT_FLAGS) -L../ -L../openbsd-compat/ -lcrypto -lssh -lopenbsd-compat -lcrypto -lssh -lopenbsd-compat -lpam -ldl -lwrap -lutil -lz -lnsl -lcrypt -lssl -o $@ + +install: ssh-keyconverter ssh-keyconverter.1 + if [ ! -d $(DESTDIR)$(bindir) ]; then install -d -m 755 $(DESTDIR)$(bindir); fi + install -m 755 ssh-keyconverter $(DESTDIR)$(bindir) + if [ ! -d $(DESTDIR)$(mandir)/man1 ]; then install -d -m 755 $(DESTDIR)$(mandir)/man1; fi + install -m 644 ssh-keyconverter.1 $(DESTDIR)$(mandir)/man1 -diff --git a/openssh-6.2p2/converter/ssh-keyconverter.1 b/openssh-6.2p2/converter/ssh-keyconverter.1 +diff --git a/openssh-6.4p1/converter/ssh-keyconverter.1 b/openssh-6.4p1/converter/ssh-keyconverter.1 new file mode 100644 --- /dev/null -+++ b/openssh-6.2p2/converter/ssh-keyconverter.1 ++++ b/openssh-6.4p1/converter/ssh-keyconverter.1 @@ -0,0 +1,155 @@ +.\" Manpage for ssh-keyconverter +.\" @@ -182,10 +182,10 @@ new file mode 100644 +.%D March 2001 +.%O work in progress material +.Re -diff --git a/openssh-6.2p2/converter/ssh-keyconverter.c b/openssh-6.2p2/converter/ssh-keyconverter.c +diff --git a/openssh-6.4p1/converter/ssh-keyconverter.c b/openssh-6.4p1/converter/ssh-keyconverter.c new file mode 100644 --- /dev/null -+++ b/openssh-6.2p2/converter/ssh-keyconverter.c ++++ b/openssh-6.4p1/converter/ssh-keyconverter.c @@ -0,0 +1,345 @@ +/* + * SSH v1 to v2 RSA key converter. 
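Review bot: The rewritten ssh-keyconverter link line lists `-lcrypto` twice, and the intent is only legible once you notice that `-Wl,--no-as-needed` was dropped from the same line: if the toolchain defaults to `--as-needed`, the leading `-lcrypto` survives only on the strength of symbols `ssh-keyconverter.o` itself references, while the new `-lcrypto` after `-lopenbsd-compat` is what guarantees the OpenSSL references inside `../libssh.a` resolve. Listing it once, after the archives — `gcc $< $(LDFLAGS) $(RPM_OPT_FLAGS) -L../ -L../openbsd-compat/ -lssh -lopenbsd-compat -lcrypto -lssh -lopenbsd-compat -lpam -ldl -lwrap -lutil -lz -lnsl -lcrypt -lssl -o $@` — states that ordering requirement instead of hiding it behind a duplicate. Both recipes also hard-code `gcc`; using `$(CC)` would let the package build's compiler choice apply together with the `$(CFLAGS)`/`$(LDFLAGS)` this hunk starts honouring, which matters for a tool that reads private keys and passphrases and should get the same hardening flags as the rest of the tree.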
@@ -330,7 +330,7 @@ new file mode 100644 + if (i) { + /* Zap old pass phrase */ + memset(passphrase, 0, strlen(passphrase)); -+ xfree(passphrase); ++ free(passphrase); + + /* Get a pass phrase from the user */ + passphrase = read_passphrase(prompt, 0); @@ -387,7 +387,7 @@ new file mode 100644 + +out: + memset(passphrase, 0, strlen(passphrase)); -+ xfree(passphrase); ++ free(passphrase); + if (key) + key_free(key); + if (pk) diff --git a/openssh-6.2p2-lastlog.patch b/openssh-6.4p1-lastlog.patch similarity index 82% rename from openssh-6.2p2-lastlog.patch rename to openssh-6.4p1-lastlog.patch index 75de9c4..907a643 100644 --- a/openssh-6.2p2-lastlog.patch +++ b/openssh-6.4p1-lastlog.patch @@ -1,9 +1,9 @@ # set uid for functions that use it to seek in lastlog and wtmp files # bnc#18024 (was suse #3024) -diff --git a/openssh-6.2p2/sshlogin.c b/openssh-6.2p2/sshlogin.c ---- a/openssh-6.2p2/sshlogin.c -+++ b/openssh-6.2p2/sshlogin.c +diff --git a/openssh-6.4p1/sshlogin.c b/openssh-6.4p1/sshlogin.c +--- a/openssh-6.4p1/sshlogin.c ++++ b/openssh-6.4p1/sshlogin.c @@ -128,16 +128,17 @@ record_login(pid_t pid, const char *tty, { struct logininfo *li; diff --git a/openssh-6.2p2-ldap.patch b/openssh-6.4p1-ldap.patch similarity index 96% rename from openssh-6.2p2-ldap.patch rename to openssh-6.4p1-ldap.patch index 27e1334..8418e77 100644 --- a/openssh-6.2p2-ldap.patch +++ b/openssh-6.4p1-ldap.patch @@ -8,10 +8,10 @@ # internal versions. ssh-keyconverter consequently fails to link as it lacks # the proper flags, and libopenbsd-compat doesn't contain the b64_* functions) -diff --git a/openssh-6.2p2/HOWTO.ldap-keys b/openssh-6.2p2/HOWTO.ldap-keys +diff --git a/openssh-6.4p1/HOWTO.ldap-keys b/openssh-6.4p1/HOWTO.ldap-keys new file mode 100644 --- /dev/null -+++ b/openssh-6.2p2/HOWTO.ldap-keys ++++ b/openssh-6.4p1/HOWTO.ldap-keys @@ -0,0 +1,108 @@ + +HOW TO START 
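Review bot: In both ssh-keyconverter.c hunks the retained `memset(passphrase, 0, strlen(passphrase));` directly precedes the new `free(passphrase);`, and a store to memory that is freed on the next line is a dead store the optimiser is entitled to remove, so the passphrase may remain in freed heap pages despite the visible intent to scrub it. A zeroing routine the compiler cannot elide (a volatile-qualified byte loop, or a helper the tree provides for this purpose if one exists) would make the scrub reliable; whichever is chosen, a comment such as `/* scrub before free: a plain memset here may be optimised away */` records why the plain call is not enough. At the `out:` label it is also worth confirming that `passphrase` cannot be NULL on an early exit, since `strlen()` would dereference it; the surrounding function starts and ends outside these hunks.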
@@ -121,9 +121,9 @@ new file mode 100644 + - frederic peters. + - Finlay dobbie. + - Stefan Fisher. -diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in ---- a/openssh-6.2p2/Makefile.in -+++ b/openssh-6.2p2/Makefile.in +diff --git a/openssh-6.4p1/Makefile.in b/openssh-6.4p1/Makefile.in +--- a/openssh-6.4p1/Makefile.in ++++ b/openssh-6.4p1/Makefile.in @@ -20,16 +20,18 @@ srcdir=@srcdir@ top_srcdir=@top_srcdir@ @@ -185,7 +185,7 @@ diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in PATHSUBS = \ -e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \ -e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \ -@@ -162,16 +166,19 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss +@@ -164,16 +168,19 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o @@ -205,7 +205,7 @@ diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in # test driver for the loginrec code - not built by default logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o -@@ -263,30 +270,38 @@ install-files: +@@ -266,30 +273,38 @@ install-files: $(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) @@ -244,7 +244,7 @@ diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in install-sysconf: if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \ $(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \ -@@ -306,16 +321,23 @@ install-sysconf: +@@ -309,16 +324,23 @@ install-sysconf: echo "moving $(DESTDIR)$(sysconfdir)/primes to $(DESTDIR)$(sysconfdir)/moduli"; \ mv "$(DESTDIR)$(sysconfdir)/primes" "$(DESTDIR)$(sysconfdir)/moduli"; \ else \ @@ -268,7 +268,7 @@ 
diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in else \ ./ssh-keygen -t rsa1 -f $(sysconfdir)/ssh_host_key -N "" ; \ fi ; \ -@@ -363,27 +385,30 @@ uninstall: +@@ -366,27 +388,30 @@ uninstall: -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) @@ -294,15 +294,15 @@ diff --git a/openssh-6.2p2/Makefile.in b/openssh-6.2p2/Makefile.in -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c - [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \ - $(CC) $(CPPFLAGS) -o $@ $? \ - $(LDFLAGS) -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) - - tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) -diff --git a/openssh-6.2p2/configure.ac b/openssh-6.2p2/configure.ac ---- a/openssh-6.2p2/configure.ac -+++ b/openssh-6.2p2/configure.ac -@@ -1504,16 +1504,116 @@ AC_ARG_WITH([audit], + [ -d `pwd`/regress ] || mkdir -p `pwd`/regress + [ -f `pwd`/regress/Makefile ] || \ + ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile + $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \ + $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) +diff --git a/openssh-6.4p1/configure.ac b/openssh-6.4p1/configure.ac +--- a/openssh-6.4p1/configure.ac ++++ b/openssh-6.4p1/configure.ac +@@ -1519,16 +1519,116 @@ AC_ARG_WITH([audit], AC_MSG_RESULT([no]) ;; *) @@ -419,10 +419,10 @@ diff --git a/openssh-6.2p2/configure.ac b/openssh-6.2p2/configure.ac asprintf \ b64_ntop \ __b64_ntop \ -diff --git a/openssh-6.2p2/ldap-helper.c b/openssh-6.2p2/ldap-helper.c +diff --git a/openssh-6.4p1/ldap-helper.c b/openssh-6.4p1/ldap-helper.c new file mode 100644 --- /dev/null -+++ b/openssh-6.2p2/ldap-helper.c ++++ b/openssh-6.4p1/ldap-helper.c @@ -0,0 +1,155 @@ +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* 
@@ -579,10 +579,10 @@ new file mode 100644 +void *buffer_get_string(Buffer *b, u_int *l) { return NULL; } +void buffer_put_string(Buffer *b, const void *f, u_int l) {} + -diff --git a/openssh-6.2p2/ldap-helper.h b/openssh-6.2p2/ldap-helper.h +diff --git a/openssh-6.4p1/ldap-helper.h b/openssh-6.4p1/ldap-helper.h new file mode 100644 --- /dev/null -+++ b/openssh-6.2p2/ldap-helper.h ++++ b/openssh-6.4p1/ldap-helper.h @@ -0,0 +1,32 @@ +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -616,10 +616,10 @@ new file mode 100644 +extern int config_warning_config_file; + +#endif /* LDAP_HELPER_H */ -diff --git a/openssh-6.2p2/ldap.conf b/openssh-6.2p2/ldap.conf +diff --git a/openssh-6.4p1/ldap.conf b/openssh-6.4p1/ldap.conf new file mode 100644 --- /dev/null -+++ b/openssh-6.2p2/ldap.conf ++++ b/openssh-6.4p1/ldap.conf @@ -0,0 +1,88 @@ +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $ +# @@ -709,10 +709,10 @@ new file mode 100644 +#tls_cert +#tls_key + -diff --git a/openssh-6.2p2/ldapbody.c b/openssh-6.2p2/ldapbody.c +diff --git a/openssh-6.4p1/ldapbody.c b/openssh-6.4p1/ldapbody.c new file mode 100644 --- /dev/null -+++ b/openssh-6.2p2/ldapbody.c ++++ b/openssh-6.4p1/ldapbody.c @@ -0,0 +1,494 @@ +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -873,7 +873,7 @@ new file mode 100644 + if ((logfile = fopen (logfilename, "a")) == NULL) + fatal ("cannot append to %s: %s", logfilename, strerror (errno)); + debug3 ("LDAP debug into %s", logfilename); -+ xfree (logfilename); ++ free (logfilename); + ber_set_option (NULL, LBER_OPT_LOG_PRINT_FILE, logfile); + } +#endif 
@@ -1162,12 +1162,12 @@ new file mode 100644 + timeout.tv_usec = 0; + if ((rc = ldap_search_st(ld, options.base, options.scope, buffer, attrs, 0, &timeout, &res)) != LDAP_SUCCESS) { + error ("ldap_search_st(): %s", ldap_err2string (rc)); -+ xfree (buffer); ++ free (buffer); + return; + } + + /* free */ -+ xfree (buffer); ++ free (buffer); + + for (e = ldap_first_entry(ld, res); e != NULL; e = ldap_next_entry(ld, e)) { + int num; @@ -1208,10 +1208,10 @@ new file mode 100644 + return; +} + -diff --git a/openssh-6.2p2/ldapbody.h b/openssh-6.2p2/ldapbody.h +diff --git a/openssh-6.4p1/ldapbody.h b/openssh-6.4p1/ldapbody.h new file mode 100644 --- /dev/null -+++ b/openssh-6.2p2/ldapbody.h ++++ b/openssh-6.4p1/ldapbody.h @@ -0,0 +1,37 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1250,10 +1250,10 @@ new file mode 100644 + +#endif /* LDAPBODY_H */ + -diff --git a/openssh-6.2p2/ldapconf.c b/openssh-6.2p2/ldapconf.c +diff --git a/openssh-6.4p1/ldapconf.c b/openssh-6.4p1/ldapconf.c new file mode 100644 --- /dev/null -+++ b/openssh-6.2p2/ldapconf.c ++++ b/openssh-6.4p1/ldapconf.c @@ -0,0 +1,682 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1937,10 +1937,10 @@ new file mode 100644 + dump_cfg_string(lSSH_Filter, options.ssh_filter); +} + -diff --git a/openssh-6.2p2/ldapconf.h b/openssh-6.2p2/ldapconf.h +diff --git a/openssh-6.4p1/ldapconf.h b/openssh-6.4p1/ldapconf.h new file mode 100644 --- /dev/null -+++ b/openssh-6.2p2/ldapconf.h ++++ b/openssh-6.4p1/ldapconf.h @@ -0,0 +1,71 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -2013,10 +2013,10 @@ new file mode 100644 +void dump_config(void); + +#endif /* LDAPCONF_H */ -diff --git a/openssh-6.2p2/ldapincludes.h b/openssh-6.2p2/ldapincludes.h +diff --git a/openssh-6.4p1/ldapincludes.h b/openssh-6.4p1/ldapincludes.h new file mode 100644 --- /dev/null -+++ b/openssh-6.2p2/ldapincludes.h ++++ b/openssh-6.4p1/ldapincludes.h 
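Review bot: The retained `ldap_search_st(ld, options.base, options.scope, buffer, attrs, 0, &timeout, &res)` call sends `buffer` as the LDAP search filter, but this hunk does not show how that filter is assembled from the account name the helper receives (the wrapper added later in this patch invokes `ssh-ldap-helper -s "$1"`). Unless the name is escaped per RFC 4515 (`*`, `(`, `)`, `\` and NUL) before interpolation, a login name can change the filter's meaning, so the escaping step should be located and stated at the call site, e.g. `/* buffer: search filter; the user name must be RFC 4515-escaped before it is interpolated */`. The enclosing function begins and ends outside this hunk, so the filter construction could not be checked here.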
@@ -0,0 +1,41 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -2059,10 +2059,10 @@ new file mode 100644 +#endif + +#endif /* LDAPINCLUDES_H */ -diff --git a/openssh-6.2p2/ldapmisc.c b/openssh-6.2p2/ldapmisc.c +diff --git a/openssh-6.4p1/ldapmisc.c b/openssh-6.4p1/ldapmisc.c new file mode 100644 --- /dev/null -+++ b/openssh-6.2p2/ldapmisc.c ++++ b/openssh-6.4p1/ldapmisc.c @@ -0,0 +1,79 @@ + +#include "ldapincludes.h" @@ -2143,10 +2143,10 @@ new file mode 100644 +} +#endif + -diff --git a/openssh-6.2p2/ldapmisc.h b/openssh-6.2p2/ldapmisc.h +diff --git a/openssh-6.4p1/ldapmisc.h b/openssh-6.4p1/ldapmisc.h new file mode 100644 --- /dev/null -+++ b/openssh-6.2p2/ldapmisc.h ++++ b/openssh-6.4p1/ldapmisc.h @@ -0,0 +1,35 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -2183,9 +2183,9 @@ new file mode 100644 + +#endif /* LDAPMISC_H */ + -diff --git a/openssh-6.2p2/openbsd-compat/base64.c b/openssh-6.2p2/openbsd-compat/base64.c ---- a/openssh-6.2p2/openbsd-compat/base64.c -+++ b/openssh-6.2p2/openbsd-compat/base64.c +diff --git a/openssh-6.4p1/openbsd-compat/base64.c b/openssh-6.4p1/openbsd-compat/base64.c +--- a/openssh-6.4p1/openbsd-compat/base64.c ++++ b/openssh-6.4p1/openbsd-compat/base64.c @@ -41,17 +41,17 @@ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES. @@ -2243,9 +2243,9 @@ diff --git a/openssh-6.2p2/openbsd-compat/base64.c b/openssh-6.2p2/openbsd-compa */ int -diff --git a/openssh-6.2p2/openbsd-compat/base64.h b/openssh-6.2p2/openbsd-compat/base64.h ---- a/openssh-6.2p2/openbsd-compat/base64.h -+++ b/openssh-6.2p2/openbsd-compat/base64.h +diff --git a/openssh-6.4p1/openbsd-compat/base64.h b/openssh-6.4p1/openbsd-compat/base64.h +--- a/openssh-6.4p1/openbsd-compat/base64.h ++++ b/openssh-6.4p1/openbsd-compat/base64.h @@ -42,24 +42,24 @@ * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES. */ @@ -2275,10 +2275,10 @@ 
diff --git a/openssh-6.2p2/openbsd-compat/base64.h b/openssh-6.2p2/openbsd-compa #endif /* HAVE___B64_PTON */ #endif /* _BSD_BASE64_H */ -diff --git a/openssh-6.2p2/openssh-lpk-openldap.schema b/openssh-6.2p2/openssh-lpk-openldap.schema +diff --git a/openssh-6.4p1/openssh-lpk-openldap.schema b/openssh-6.4p1/openssh-lpk-openldap.schema new file mode 100644 --- /dev/null -+++ b/openssh-6.2p2/openssh-lpk-openldap.schema ++++ b/openssh-6.4p1/openssh-lpk-openldap.schema @@ -0,0 +1,21 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey @@ -2301,10 +2301,10 @@ new file mode 100644 + DESC 'MANDATORY: OpenSSH LPK objectclass' + MUST ( sshPublicKey $ uid ) + ) -diff --git a/openssh-6.2p2/openssh-lpk-sun.schema b/openssh-6.2p2/openssh-lpk-sun.schema +diff --git a/openssh-6.4p1/openssh-lpk-sun.schema b/openssh-6.4p1/openssh-lpk-sun.schema new file mode 100644 --- /dev/null -+++ b/openssh-6.2p2/openssh-lpk-sun.schema ++++ b/openssh-6.4p1/openssh-lpk-sun.schema @@ -0,0 +1,23 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey @@ -2329,10 +2329,10 @@ new file mode 100644 + DESC 'MANDATORY: OpenSSH LPK objectclass' + MUST ( sshPublicKey $ uid ) + ) -diff --git a/openssh-6.2p2/ssh-ldap-helper.8 b/openssh-6.2p2/ssh-ldap-helper.8 +diff --git a/openssh-6.4p1/ssh-ldap-helper.8 b/openssh-6.4p1/ssh-ldap-helper.8 new file mode 100644 --- /dev/null -+++ b/openssh-6.2p2/ssh-ldap-helper.8 ++++ b/openssh-6.4p1/ssh-ldap-helper.8 @@ -0,0 +1,79 @@ +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" @@ -2413,19 +2413,19 @@ new file mode 100644 +OpenSSH 5.5 + PKA-LDAP . +.Sh AUTHORS +.An Jan F. Chadima Aq jchadima@redhat.com -diff --git a/openssh-6.2p2/ssh-ldap-wrapper b/openssh-6.2p2/ssh-ldap-wrapper +diff --git a/openssh-6.4p1/ssh-ldap-wrapper b/openssh-6.4p1/ssh-ldap-wrapper new file mode 100644 --- /dev/null -+++ b/openssh-6.2p2/ssh-ldap-wrapper ++++ b/openssh-6.4p1/ssh-ldap-wrapper 
@@ -0,0 +1,4 @@ +#!/bin/sh + +exec @LIBEXECDIR@/ssh-ldap-helper -s "$1" + -diff --git a/openssh-6.2p2/ssh-ldap.conf.5 b/openssh-6.2p2/ssh-ldap.conf.5 +diff --git a/openssh-6.4p1/ssh-ldap.conf.5 b/openssh-6.4p1/ssh-ldap.conf.5 new file mode 100644 --- /dev/null -+++ b/openssh-6.2p2/ssh-ldap.conf.5 ++++ b/openssh-6.4p1/ssh-ldap.conf.5 @@ -0,0 +1,376 @@ +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" diff --git a/openssh-6.2p2-login_options.patch b/openssh-6.4p1-login_options.patch similarity index 84% rename from openssh-6.2p2-login_options.patch rename to openssh-6.4p1-login_options.patch index 1c0005c..1b4552e 100644 --- a/openssh-6.2p2-login_options.patch +++ b/openssh-6.4p1-login_options.patch @@ -4,10 +4,10 @@ # # bnc#833605 -diff --git a/openssh-6.2p2/configure.ac b/openssh-6.2p2/configure.ac ---- a/openssh-6.2p2/configure.ac -+++ b/openssh-6.2p2/configure.ac -@@ -666,16 +666,18 @@ main() { if (NSVersionOfRunTimeLibrary(" +diff --git a/openssh-6.4p1/configure.ac b/openssh-6.4p1/configure.ac +--- a/openssh-6.4p1/configure.ac ++++ b/openssh-6.4p1/configure.ac +@@ -657,16 +657,18 @@ main() { if (NSVersionOfRunTimeLibrary(" AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV]) AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts]) AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins]) diff --git a/openssh-6.2p2-no_fork-no_pid_file.patch b/openssh-6.4p1-no_fork-no_pid_file.patch similarity index 79% rename from openssh-6.2p2-no_fork-no_pid_file.patch rename to openssh-6.4p1-no_fork-no_pid_file.patch index 13df9b1..c0c0e0a 100644 --- a/openssh-6.2p2-no_fork-no_pid_file.patch +++ b/openssh-6.4p1-no_fork-no_pid_file.patch 
@@ -1,9 +1,9 @@ # Do not write a PID file when not daemonizing (e.g. when running from systemd) -diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c ---- a/openssh-6.2p2/sshd.c -+++ b/openssh-6.2p2/sshd.c -@@ -1911,17 +1911,17 @@ main(int ac, char **av) +diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c +--- a/openssh-6.4p1/sshd.c ++++ b/openssh-6.4p1/sshd.c +@@ -1959,17 +1959,17 @@ main(int ac, char **av) signal(SIGCHLD, main_sigchld_handler); signal(SIGTERM, sigterm_handler); signal(SIGQUIT, sigterm_handler); diff --git a/openssh-6.2p2-pam-check-locks.patch b/openssh-6.4p1-pam-check-locks.patch similarity index 84% rename from openssh-6.2p2-pam-check-locks.patch rename to openssh-6.4p1-pam-check-locks.patch index 3c1bf00..fa3c3d3 100644 --- a/openssh-6.2p2-pam-check-locks.patch +++ b/openssh-6.4p1-pam-check-locks.patch @@ -2,10 +2,10 @@ # UsePAM is used # bnc#708678, FATE#312033 -diff --git a/openssh-6.2p2/auth.c b/openssh-6.2p2/auth.c ---- a/openssh-6.2p2/auth.c -+++ b/openssh-6.2p2/auth.c -@@ -102,17 +102,17 @@ allowed_user(struct passwd * pw) +diff --git a/openssh-6.4p1/auth.c b/openssh-6.4p1/auth.c +--- a/openssh-6.4p1/auth.c ++++ b/openssh-6.4p1/auth.c +@@ -103,17 +103,17 @@ allowed_user(struct passwd * pw) struct spwd *spw = NULL; #endif @@ -24,7 +24,7 @@ diff --git a/openssh-6.2p2/auth.c b/openssh-6.2p2/auth.c #endif /* USE_SHADOW */ /* grab passwd field for locked account check */ -@@ -122,17 +122,17 @@ allowed_user(struct passwd * pw) +@@ -123,17 +123,17 @@ allowed_user(struct passwd * pw) #ifdef USE_LIBIAF passwd = get_iaf_password(pw); #else @@ -43,10 +43,10 @@ 
diff --git a/openssh-6.2p2/auth.c b/openssh-6.2p2/auth.c #endif #ifdef LOCKED_PASSWD_PREFIX if (strncmp(passwd, LOCKED_PASSWD_PREFIX, -diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c ---- a/openssh-6.2p2/servconf.c -+++ b/openssh-6.2p2/servconf.c -@@ -62,16 +62,17 @@ extern Buffer cfg; +diff --git a/openssh-6.4p1/servconf.c b/openssh-6.4p1/servconf.c +--- a/openssh-6.4p1/servconf.c ++++ b/openssh-6.4p1/servconf.c +@@ -66,16 +66,17 @@ extern Buffer cfg; void initialize_server_options(ServerOptions *options) @@ -64,7 +64,7 @@ diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c options->address_family = -1; options->num_host_key_files = 0; options->num_host_cert_files = 0; -@@ -150,16 +151,18 @@ initialize_server_options(ServerOptions +@@ -157,16 +158,18 @@ initialize_server_options(ServerOptions } void @@ -83,7 +83,7 @@ diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c /* fill default hostkeys for protocols */ if (options->protocol & SSH_PROTO_1) options->host_key_files[options->num_host_key_files++] = -@@ -304,17 +307,17 @@ fill_default_server_options(ServerOption +@@ -315,17 +318,17 @@ fill_default_server_options(ServerOption #endif } @@ -102,7 +102,7 @@ diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c sKerberosGetAFSToken, sKerberosTgtPassing, sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, -@@ -349,18 +352,20 @@ typedef enum { +@@ -360,18 +363,20 @@ typedef enum { static struct { const char *name; ServerOpCodes opcode; @@ -121,9 +121,9 @@ 
diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c { "port", sPort, SSHCFG_GLOBAL }, { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ + { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL }, { "pidfile", sPidFile, SSHCFG_GLOBAL }, - { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, -@@ -844,16 +849,19 @@ process_server_config_line(ServerOptions +@@ -857,16 +862,19 @@ process_server_config_line(ServerOptions } } @@ -143,10 +143,10 @@ diff --git a/openssh-6.2p2/servconf.c b/openssh-6.2p2/servconf.c /* ignore ports from configfile if cmdline specifies ports */ if (options->ports_from_cmdline) return 0; -diff --git a/openssh-6.2p2/servconf.h b/openssh-6.2p2/servconf.h ---- a/openssh-6.2p2/servconf.h -+++ b/openssh-6.2p2/servconf.h -@@ -160,16 +160,17 @@ typedef struct { +diff --git a/openssh-6.4p1/servconf.h b/openssh-6.4p1/servconf.h +--- a/openssh-6.4p1/servconf.h ++++ b/openssh-6.4p1/servconf.h +@@ -161,16 +161,17 @@ typedef struct { */ u_int num_authkeys_files; /* Files containing public keys */ @@ -164,10 +164,10 @@ diff --git a/openssh-6.2p2/servconf.h b/openssh-6.2p2/servconf.h char *chroot_directory; char *revoked_keys_file; char *trusted_user_ca_keys; -diff --git a/openssh-6.2p2/sshd_config.0 b/openssh-6.2p2/sshd_config.0 ---- a/openssh-6.2p2/sshd_config.0 -+++ b/openssh-6.2p2/sshd_config.0 -@@ -673,16 +673,24 @@ DESCRIPTION +diff --git a/openssh-6.4p1/sshd_config.0 b/openssh-6.4p1/sshd_config.0 +--- a/openssh-6.4p1/sshd_config.0 ++++ b/openssh-6.4p1/sshd_config.0 +@@ -706,16 +706,24 @@ DESCRIPTION Because PAM challenge-response authentication usually serves an equivalent role to password authentication, you should disable @@ -192,10 +192,10 @@ 
diff --git a/openssh-6.2p2/sshd_config.0 b/openssh-6.2p2/sshd_config.0 privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. The default is ``yes''. If UsePrivilegeSeparation is set to -diff --git a/openssh-6.2p2/sshd_config.5 b/openssh-6.2p2/sshd_config.5 ---- a/openssh-6.2p2/sshd_config.5 -+++ b/openssh-6.2p2/sshd_config.5 -@@ -1141,16 +1141,28 @@ or +diff --git a/openssh-6.4p1/sshd_config.5 b/openssh-6.4p1/sshd_config.5 +--- a/openssh-6.4p1/sshd_config.5 ++++ b/openssh-6.4p1/sshd_config.5 +@@ -1178,16 +1178,28 @@ or .Pp If .Cm UsePAM diff --git a/openssh-6.2p2-pam-fix2.patch b/openssh-6.4p1-pam-fix2.patch similarity index 84% rename from openssh-6.2p2-pam-fix2.patch rename to openssh-6.4p1-pam-fix2.patch index bcb5b6c..5d1f003 100644 --- a/openssh-6.2p2-pam-fix2.patch +++ b/openssh-6.4p1-pam-fix2.patch @@ -1,10 +1,10 @@ # force PAM in defaullt install (this was removed from upstream in 3.8p1) # bnc#46749 -diff --git a/openssh-6.2p2/sshd_config b/openssh-6.2p2/sshd_config ---- a/openssh-6.2p2/sshd_config -+++ b/openssh-6.2p2/sshd_config -@@ -60,17 +60,17 @@ AuthorizedKeysFile .ssh/authorized_keys +diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config +--- a/openssh-6.4p1/sshd_config ++++ b/openssh-6.4p1/sshd_config +@@ -63,17 +63,17 @@ AuthorizedKeysFile .ssh/authorized_keys #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication @@ -23,7 +23,7 @@ diff --git a/openssh-6.2p2/sshd_config b/openssh-6.2p2/sshd_config # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes -@@ -85,17 +85,17 @@ AuthorizedKeysFile .ssh/authorized_keys +@@ -88,17 +88,17 @@ AuthorizedKeysFile .ssh/authorized_keys # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, 
diff --git a/openssh-6.2p2-pam-fix3.patch b/openssh-6.4p1-pam-fix3.patch similarity index 75% rename from openssh-6.2p2-pam-fix3.patch rename to openssh-6.4p1-pam-fix3.patch index 59ff8ad..9ae445d 100644 --- a/openssh-6.2p2-pam-fix3.patch +++ b/openssh-6.4p1-pam-fix3.patch @@ -1,10 +1,10 @@ # posix threads are generally not supported nor safe # (see upstream log from 2005-05-24) -diff --git a/openssh-6.2p2/auth-pam.c b/openssh-6.2p2/auth-pam.c ---- a/openssh-6.2p2/auth-pam.c -+++ b/openssh-6.2p2/auth-pam.c -@@ -781,17 +781,19 @@ sshpam_query(void *ctx, char **name, cha +diff --git a/openssh-6.4p1/auth-pam.c b/openssh-6.4p1/auth-pam.c +--- a/openssh-6.4p1/auth-pam.c ++++ b/openssh-6.4p1/auth-pam.c +@@ -779,17 +779,19 @@ sshpam_query(void *ctx, char **name, cha } if (type == PAM_SUCCESS) { if (!sshpam_authctxt->valid || @@ -19,7 +19,7 @@ diff --git a/openssh-6.2p2/auth-pam.c b/openssh-6.2p2/auth-pam.c *num = 0; **echo_on = 0; ctxt->pam_done = 1; - xfree(msg); + free(msg); return (0); } error("PAM: %s for %s%.100s from %.100s", msg, diff --git a/openssh-6.2p2-pts.patch b/openssh-6.4p1-pts.patch similarity index 91% rename from openssh-6.2p2-pts.patch rename to openssh-6.4p1-pts.patch index eb4573b..aa557fe 100644 --- a/openssh-6.2p2-pts.patch +++ b/openssh-6.4p1-pts.patch @@ -1,9 +1,9 @@ # use same lines naming as utempter (prevents problems with using different # formats in ?tmp? files) -diff --git a/openssh-6.2p2/loginrec.c b/openssh-6.2p2/loginrec.c ---- a/openssh-6.2p2/loginrec.c -+++ b/openssh-6.2p2/loginrec.c +diff --git a/openssh-6.4p1/loginrec.c b/openssh-6.4p1/loginrec.c +--- a/openssh-6.4p1/loginrec.c ++++ b/openssh-6.4p1/loginrec.c @@ -535,17 +535,17 @@ getlast_entry(struct logininfo *li) /* * 'line' string utility functions diff --git a/openssh-6.2p2-saveargv-fix.patch b/openssh-6.4p1-saveargv-fix.patch similarity index 84% rename from openssh-6.2p2-saveargv-fix.patch rename to openssh-6.4p1-saveargv-fix.patch index 44133d0..74fe962 100644 
--- a/openssh-6.2p2-saveargv-fix.patch +++ b/openssh-6.4p1-saveargv-fix.patch @@ -1,9 +1,9 @@ # related to bnc#49845, upstream bug #529 -diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c ---- a/openssh-6.2p2/sshd.c -+++ b/openssh-6.2p2/sshd.c -@@ -303,16 +303,17 @@ sighup_handler(int sig) +diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c +--- a/openssh-6.4p1/sshd.c ++++ b/openssh-6.4p1/sshd.c +@@ -309,16 +309,17 @@ sighup_handler(int sig) /* * Called from the main program after receiving SIGHUP. @@ -21,7 +21,7 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c execv(saved_argv[0], saved_argv); logit("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0], strerror(errno)); -@@ -1355,17 +1356,21 @@ main(int ac, char **av) +@@ -1382,17 +1383,21 @@ main(int ac, char **av) saved_argv = xcalloc(ac + 1, sizeof(*saved_argv)); for (i = 0; i < ac; i++) saved_argv[i] = xstrdup(av[i]); diff --git a/openssh-6.2p2-seed-prng.patch b/openssh-6.4p1-seed-prng.patch similarity index 85% rename from openssh-6.2p2-seed-prng.patch rename to openssh-6.4p1-seed-prng.patch index 5ecfd5a..ac021ed 100644 --- a/openssh-6.2p2-seed-prng.patch +++ b/openssh-6.4p1-seed-prng.patch @@ -1,9 +1,9 @@ # extended support for (re-)seeding the OpenSSL PRNG from /dev/random # bnc#703221, FATE#312172 -diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c ---- a/openssh-6.2p2/audit-bsm.c -+++ b/openssh-6.2p2/audit-bsm.c +diff --git a/openssh-6.4p1/audit-bsm.c b/openssh-6.4p1/audit-bsm.c +--- a/openssh-6.4p1/audit-bsm.c ++++ b/openssh-6.4p1/audit-bsm.c @@ -504,9 +504,15 @@ audit_destroy_sensitive_data(const char /* not implemented */ } @@ -20,9 +20,9 @@ 
diff --git a/openssh-6.2p2/audit-bsm.c b/openssh-6.2p2/audit-bsm.c + /* not implemented */ +} #endif /* BSM */ -diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c ---- a/openssh-6.2p2/audit-linux.c -+++ b/openssh-6.2p2/audit-linux.c +diff --git a/openssh-6.4p1/audit-linux.c b/openssh-6.4p1/audit-linux.c +--- a/openssh-6.4p1/audit-linux.c ++++ b/openssh-6.4p1/audit-linux.c @@ -398,9 +398,31 @@ audit_generate_ephemeral_server_key(cons } audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER, @@ -55,9 +55,9 @@ diff --git a/openssh-6.2p2/audit-linux.c b/openssh-6.2p2/audit-linux.c + error("cannot write into audit"); +} #endif /* USE_LINUX_AUDIT */ -diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c ---- a/openssh-6.2p2/audit.c -+++ b/openssh-6.2p2/audit.c +diff --git a/openssh-6.4p1/audit.c b/openssh-6.4p1/audit.c +--- a/openssh-6.4p1/audit.c ++++ b/openssh-6.4p1/audit.c @@ -304,10 +304,16 @@ audit_destroy_sensitive_data(const char /* * This will be called on generation of the ephemeral server key @@ -75,9 +75,9 @@ diff --git a/openssh-6.2p2/audit.c b/openssh-6.2p2/audit.c +} # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */ -diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h ---- a/openssh-6.2p2/audit.h -+++ b/openssh-6.2p2/audit.h +diff --git a/openssh-6.4p1/audit.h b/openssh-6.4p1/audit.h +--- a/openssh-6.4p1/audit.h ++++ b/openssh-6.4p1/audit.h @@ -63,10 +63,11 @@ void audit_key(int, int *, const Key *); void audit_unsupported(int); void audit_kex(int, char *, char *, char *); @@ -90,9 +90,9 @@ diff --git a/openssh-6.2p2/audit.h b/openssh-6.2p2/audit.h +void audit_linux_prng_seed(long, const char *); #endif /* _SSH_AUDIT_H */ -diff --git a/openssh-6.2p2/entropy.c b/openssh-6.2p2/entropy.c ---- a/openssh-6.2p2/entropy.c -+++ b/openssh-6.2p2/entropy.c +diff --git a/openssh-6.4p1/entropy.c b/openssh-6.4p1/entropy.c +--- a/openssh-6.4p1/entropy.c ++++ b/openssh-6.4p1/entropy.c 
@@ -45,16 +45,17 @@ #include "ssh.h" @@ -126,15 +126,15 @@ diff --git a/openssh-6.2p2/entropy.c b/openssh-6.2p2/entropy.c if (RAND_status() != 1) fatal("PRNG is not seeded"); } -diff --git a/openssh-6.2p2/openbsd-compat/Makefile.in b/openssh-6.2p2/openbsd-compat/Makefile.in ---- a/openssh-6.2p2/openbsd-compat/Makefile.in -+++ b/openssh-6.2p2/openbsd-compat/Makefile.in +diff --git a/openssh-6.4p1/openbsd-compat/Makefile.in b/openssh-6.4p1/openbsd-compat/Makefile.in +--- a/openssh-6.4p1/openbsd-compat/Makefile.in ++++ b/openssh-6.4p1/openbsd-compat/Makefile.in @@ -15,17 +15,17 @@ AR=@AR@ RANLIB=@RANLIB@ INSTALL=@INSTALL@ LDFLAGS=-L. @LDFLAGS@ - OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o + OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o @@ -148,10 +148,10 @@ 
diff --git a/openssh-6.2p2/openbsd-compat/Makefile.in b/openssh-6.2p2/openbsd-co $(COMPAT): ../config.h $(OPENBSD): ../config.h -diff --git a/openssh-6.2p2/openbsd-compat/port-linux-prng.c b/openssh-6.2p2/openbsd-compat/port-linux-prng.c +diff --git a/openssh-6.4p1/openbsd-compat/port-linux-prng.c b/openssh-6.4p1/openbsd-compat/port-linux-prng.c new file mode 100644 --- /dev/null -+++ b/openssh-6.2p2/openbsd-compat/port-linux-prng.c ++++ b/openssh-6.4p1/openbsd-compat/port-linux-prng.c @@ -0,0 +1,79 @@ +/* + * Copyright (c) 2011 Jan F. Chadima @@ -232,9 +232,9 @@ new file mode 100644 + fatal ("EOF reading %s", random); + } +} -diff --git a/openssh-6.2p2/openbsd-compat/port-linux.h b/openssh-6.2p2/openbsd-compat/port-linux.h ---- a/openssh-6.2p2/openbsd-compat/port-linux.h -+++ b/openssh-6.2p2/openbsd-compat/port-linux.h +diff --git a/openssh-6.4p1/openbsd-compat/port-linux.h b/openssh-6.4p1/openbsd-compat/port-linux.h +--- a/openssh-6.4p1/openbsd-compat/port-linux.h ++++ b/openssh-6.4p1/openbsd-compat/port-linux.h @@ -14,16 +14,20 @@ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF @@ -256,9 +256,9 @@ diff --git a/openssh-6.2p2/openbsd-compat/port-linux.h b/openssh-6.2p2/openbsd-c void ssh_selinux_setfscreatecon(const char *); #endif -diff --git a/openssh-6.2p2/ssh-add.1 b/openssh-6.2p2/ssh-add.1 ---- a/openssh-6.2p2/ssh-add.1 -+++ b/openssh-6.2p2/ssh-add.1 +diff --git a/openssh-6.4p1/ssh-add.1 b/openssh-6.4p1/ssh-add.1 +--- a/openssh-6.4p1/ssh-add.1 ++++ b/openssh-6.4p1/ssh-add.1 @@ -155,16 +155,30 @@ or related script. (Note that on some machines it may be necessary to redirect the input from @@ -290,9 +290,9 @@ 
diff --git a/openssh-6.2p2/ssh-add.1 b/openssh-6.2p2/ssh-add.1 .It Pa ~/.ssh/id_dsa Contains the protocol version 2 DSA authentication identity of the user. .It Pa ~/.ssh/id_ecdsa -diff --git a/openssh-6.2p2/ssh-agent.1 b/openssh-6.2p2/ssh-agent.1 ---- a/openssh-6.2p2/ssh-agent.1 -+++ b/openssh-6.2p2/ssh-agent.1 +diff --git a/openssh-6.4p1/ssh-agent.1 b/openssh-6.4p1/ssh-agent.1 +--- a/openssh-6.4p1/ssh-agent.1 ++++ b/openssh-6.4p1/ssh-agent.1 @@ -193,16 +193,33 @@ Contains the protocol version 2 ECDSA au .It Pa ~/.ssh/id_rsa Contains the protocol version 2 RSA authentication identity of the user. @@ -327,10 +327,10 @@ diff --git a/openssh-6.2p2/ssh-agent.1 b/openssh-6.2p2/ssh-agent.1 .Sh AUTHORS OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. -diff --git a/openssh-6.2p2/ssh-keygen.1 b/openssh-6.2p2/ssh-keygen.1 ---- a/openssh-6.2p2/ssh-keygen.1 -+++ b/openssh-6.2p2/ssh-keygen.1 -@@ -801,16 +801,33 @@ on all machines +diff --git a/openssh-6.4p1/ssh-keygen.1 b/openssh-6.4p1/ssh-keygen.1 +--- a/openssh-6.4p1/ssh-keygen.1 ++++ b/openssh-6.4p1/ssh-keygen.1 +@@ -800,16 +800,33 @@ on all machines where the user wishes to log in using public key authentication. There is no need to keep the contents of this file secret. .Pp @@ -364,9 +364,9 @@ diff --git a/openssh-6.2p2/ssh-keygen.1 b/openssh-6.2p2/ssh-keygen.1 .Xr sshd 8 .Rs .%R RFC 4716 -diff --git a/openssh-6.2p2/ssh-keysign.8 b/openssh-6.2p2/ssh-keysign.8 ---- a/openssh-6.2p2/ssh-keysign.8 -+++ b/openssh-6.2p2/ssh-keysign.8 +diff --git a/openssh-6.4p1/ssh-keysign.8 b/openssh-6.4p1/ssh-keysign.8 +--- a/openssh-6.4p1/ssh-keysign.8 ++++ b/openssh-6.4p1/ssh-keysign.8 @@ -73,16 +73,33 @@ Since they are readable only by root, must be set-uid root if host-based authentication is used. .Pp @@ -401,10 +401,10 @@ 
diff --git a/openssh-6.2p2/ssh-keysign.8 b/openssh-6.2p2/ssh-keysign.8 .Sh HISTORY .Nm first appeared in -diff --git a/openssh-6.2p2/ssh.1 b/openssh-6.2p2/ssh.1 ---- a/openssh-6.2p2/ssh.1 -+++ b/openssh-6.2p2/ssh.1 -@@ -1272,16 +1272,30 @@ reads +diff --git a/openssh-6.4p1/ssh.1 b/openssh-6.4p1/ssh.1 +--- a/openssh-6.4p1/ssh.1 ++++ b/openssh-6.4p1/ssh.1 +@@ -1290,16 +1290,30 @@ reads and adds lines of the format .Dq VARNAME=value to the environment if the file exists and users are allowed to @@ -435,10 +435,10 @@ diff --git a/openssh-6.2p2/ssh.1 b/openssh-6.2p2/ssh.1 world-readable if the user's home directory is on an NFS partition, because .Xr sshd 8 -diff --git a/openssh-6.2p2/sshd.8 b/openssh-6.2p2/sshd.8 ---- a/openssh-6.2p2/sshd.8 -+++ b/openssh-6.2p2/sshd.8 -@@ -940,16 +940,33 @@ and not group or world-writable. +diff --git a/openssh-6.4p1/sshd.8 b/openssh-6.4p1/sshd.8 +--- a/openssh-6.4p1/sshd.8 ++++ b/openssh-6.4p1/sshd.8 +@@ -941,16 +941,33 @@ and not group or world-writable. .It Pa /var/run/sshd.pid Contains the process ID of the .Nm @@ -472,9 +472,9 @@ diff --git a/openssh-6.2p2/sshd.8 b/openssh-6.2p2/sshd.8 .Xr ssh-agent 1 , .Xr ssh-keygen 1 , .Xr ssh-keyscan 1 , -diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c ---- a/openssh-6.2p2/sshd.c -+++ b/openssh-6.2p2/sshd.c +diff --git a/openssh-6.4p1/sshd.c b/openssh-6.4p1/sshd.c +--- a/openssh-6.4p1/sshd.c ++++ b/openssh-6.4p1/sshd.c @@ -50,16 +50,18 @@ #ifdef HAVE_SYS_STAT_H # include @@ -494,8 +494,8 @@ diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c #ifdef HAVE_PATHS_H #include #endif -@@ -209,16 +211,23 @@ struct { - Key **host_keys; /* all private host keys */ +@@ -215,16 +217,23 @@ struct { + Key **host_pubkeys; /* all public host keys */ Key **host_certificates; /* all public host certificates */ int have_ssh1_key; int have_ssh2_key; @@ -518,7 +518,7 @@ 
diff --git a/openssh-6.2p2/sshd.c b/openssh-6.2p2/sshd.c /* This is set to true when a signal is received. */ static volatile sig_atomic_t received_sighup = 0; static volatile sig_atomic_t received_sigterm = 0; -@@ -1275,16 +1284,21 @@ server_accept_loop(int *sock_in, int *so +@@ -1300,16 +1309,21 @@ server_accept_loop(int *sock_in, int *so for (j = 0; j < options.max_startups; j++) if (startup_pipes[j] == -1) { startup_pipes[j] = startup_p[0]; diff --git a/openssh-6.2p2-send_locale.patch b/openssh-6.4p1-send_locale.patch similarity index 77% rename from openssh-6.2p2-send_locale.patch rename to openssh-6.4p1-send_locale.patch index 65dc913..45df36c 100644 --- a/openssh-6.2p2-send_locale.patch +++ b/openssh-6.4p1-send_locale.patch @@ -1,10 +1,10 @@ # send locales in default configuration # bnc#65747 -diff --git a/openssh-6.2p2/ssh_config b/openssh-6.2p2/ssh_config ---- a/openssh-6.2p2/ssh_config -+++ b/openssh-6.2p2/ssh_config -@@ -58,8 +58,13 @@ ForwardX11Trusted yes +diff --git a/openssh-6.4p1/ssh_config b/openssh-6.4p1/ssh_config +--- a/openssh-6.4p1/ssh_config ++++ b/openssh-6.4p1/ssh_config +@@ -58,9 +58,14 @@ ForwardX11Trusted yes # ProxyCommand ssh -q -W %h:%p gateway.example.com # Set this to 'yes' to enable support for the deprecated 'gssapi' authentication @@ -18,10 +18,11 @@ diff --git a/openssh-6.2p2/ssh_config b/openssh-6.2p2/ssh_config +SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +SendEnv LC_IDENTIFICATION LC_ALL + -diff --git a/openssh-6.2p2/sshd_config b/openssh-6.2p2/sshd_config ---- a/openssh-6.2p2/sshd_config -+++ b/openssh-6.2p2/sshd_config -@@ -122,13 +122,18 @@ UsePrivilegeSeparation sandbox # Defaul + # RekeyLimit 1G 1h +diff --git a/openssh-6.4p1/sshd_config b/openssh-6.4p1/sshd_config +--- a/openssh-6.4p1/sshd_config ++++ b/openssh-6.4p1/sshd_config +@@ -125,13 +125,18 @@ UsePrivilegeSeparation sandbox # Defaul #VersionAddendum none # no default banner path 
diff --git a/openssh-6.2p2-sftp_homechroot.patch b/openssh-6.4p1-sftp_homechroot.patch similarity index 90% rename from openssh-6.2p2-sftp_homechroot.patch rename to openssh-6.4p1-sftp_homechroot.patch index c1afabc..09127bb 100644 --- a/openssh-6.2p2-sftp_homechroot.patch +++ b/openssh-6.4p1-sftp_homechroot.patch @@ -1,9 +1,9 @@ # run sftp sessions inside a chroot -diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c ---- a/openssh-6.2p2/session.c -+++ b/openssh-6.2p2/session.c -@@ -119,16 +119,18 @@ int do_exec(Session *, const char *); +diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c +--- a/openssh-6.4p1/session.c ++++ b/openssh-6.4p1/session.c +@@ -120,16 +120,18 @@ int do_exec(Session *, const char *); void do_login(Session *, const char *); #ifdef LOGIN_NEEDS_UTMPX static void do_pre_login(Session *s); @@ -179,10 +179,10 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c do_setusercontext(struct passwd *pw) { char *chroot_path, *tmp; -diff --git a/openssh-6.2p2/sftp-chrootenv.h b/openssh-6.2p2/sftp-chrootenv.h +diff --git a/openssh-6.4p1/sftp-chrootenv.h b/openssh-6.4p1/sftp-chrootenv.h new file mode 100644 --- /dev/null -+++ b/openssh-6.2p2/sftp-chrootenv.h ++++ b/openssh-6.4p1/sftp-chrootenv.h @@ -0,0 +1,30 @@ +/* + * Copyright (c) 2009 Jan F Chadima. All rights reserved. @@ -214,9 +214,9 @@ new file mode 100644 + +#endif + -diff --git a/openssh-6.2p2/sftp-common.c b/openssh-6.2p2/sftp-common.c ---- a/openssh-6.2p2/sftp-common.c -+++ b/openssh-6.2p2/sftp-common.c +diff --git a/openssh-6.4p1/sftp-common.c b/openssh-6.4p1/sftp-common.c +--- a/openssh-6.4p1/sftp-common.c ++++ b/openssh-6.4p1/sftp-common.c @@ -41,16 +41,17 @@ #endif @@ -261,9 +261,9 @@ 
diff --git a/openssh-6.2p2/sftp-common.c b/openssh-6.2p2/sftp-common.c if (ltime != NULL) { if (time(NULL) - st->st_mtime < (365*24*60*60)/2) sz = strftime(tbuf, sizeof tbuf, "%b %e %H:%M", ltime); -diff --git a/openssh-6.2p2/sftp-server-main.c b/openssh-6.2p2/sftp-server-main.c ---- a/openssh-6.2p2/sftp-server-main.c -+++ b/openssh-6.2p2/sftp-server-main.c +diff --git a/openssh-6.4p1/sftp-server-main.c b/openssh-6.4p1/sftp-server-main.c +--- a/openssh-6.4p1/sftp-server-main.c ++++ b/openssh-6.4p1/sftp-server-main.c @@ -17,21 +17,24 @@ #include "includes.h" @@ -289,10 +289,10 @@ diff --git a/openssh-6.2p2/sftp-server-main.c b/openssh-6.2p2/sftp-server-main.c int main(int argc, char **argv) -diff --git a/openssh-6.2p2/sftp.c b/openssh-6.2p2/sftp.c ---- a/openssh-6.2p2/sftp.c -+++ b/openssh-6.2p2/sftp.c -@@ -97,16 +97,18 @@ struct complete_ctx { +diff --git a/openssh-6.4p1/sftp.c b/openssh-6.4p1/sftp.c +--- a/openssh-6.4p1/sftp.c ++++ b/openssh-6.4p1/sftp.c +@@ -106,16 +106,18 @@ struct complete_ctx { char **remote_pathp; }; @@ -311,10 +311,10 @@ diff --git a/openssh-6.2p2/sftp.c b/openssh-6.2p2/sftp.c #define LS_SHORT_VIEW 0x0002 /* Single row view ala ls -1 */ #define LS_NUMERIC_VIEW 0x0004 /* Long view with numeric uid/gid */ #define LS_NAME_SORT 0x0008 /* Sort by name (default) */ -diff --git a/openssh-6.2p2/sshd_config.0 b/openssh-6.2p2/sshd_config.0 ---- a/openssh-6.2p2/sshd_config.0 -+++ b/openssh-6.2p2/sshd_config.0 -@@ -181,16 +181,24 @@ DESCRIPTION +diff --git a/openssh-6.4p1/sshd_config.0 b/openssh-6.4p1/sshd_config.0 +--- a/openssh-6.4p1/sshd_config.0 ++++ b/openssh-6.4p1/sshd_config.0 +@@ -189,16 +189,24 @@ DESCRIPTION session this requires at least a shell, typically sh(1), and basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4), arandom(4) and tty(4) devices. For file transfer @@ -339,10 +339,10 @@ 
diff --git a/openssh-6.2p2/sshd_config.0 b/openssh-6.2p2/sshd_config.0 ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``aes128-gcm@openssh.com'', ``aes256-gcm@openssh.com'', -diff --git a/openssh-6.2p2/sshd_config.5 b/openssh-6.2p2/sshd_config.5 ---- a/openssh-6.2p2/sshd_config.5 -+++ b/openssh-6.2p2/sshd_config.5 -@@ -317,16 +317,27 @@ For file transfer sessions using +diff --git a/openssh-6.4p1/sshd_config.5 b/openssh-6.4p1/sshd_config.5 +--- a/openssh-6.4p1/sshd_config.5 ++++ b/openssh-6.4p1/sshd_config.5 +@@ -324,16 +324,27 @@ For file transfer sessions using no additional configuration of the environment is necessary if the in-process sftp server is used, though sessions which use logging do require diff --git a/openssh-6.2p2-xauth.patch b/openssh-6.4p1-xauth.patch similarity index 78% rename from openssh-6.2p2-xauth.patch rename to openssh-6.4p1-xauth.patch index 35dbb82..97a4484 100644 --- a/openssh-6.2p2-xauth.patch +++ b/openssh-6.4p1-xauth.patch @@ -1,10 +1,10 @@ # try to remove xauth cookies on logout # bnc#98815 -diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c ---- a/openssh-6.2p2/session.c -+++ b/openssh-6.2p2/session.c -@@ -2473,18 +2473,50 @@ session_exit_message(Session *s, int sta +diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c +--- a/openssh-6.4p1/session.c ++++ b/openssh-6.4p1/session.c +@@ -2477,18 +2477,50 @@ session_exit_message(Session *s, int sta if (c->ostate != CHAN_OUTPUT_CLOSED) chan_write_failed(c); } @@ -49,9 +49,9 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c + if (s->ttyfd != -1) session_pty_cleanup(s); - if (s->term) - xfree(s->term); - if (s->display) - xfree(s->display); - if (s->x11_chanids) - xfree(s->x11_chanids); + free(s->term); + free(s->display); + free(s->x11_chanids); + free(s->auth_display); + free(s->auth_data); + free(s->auth_proto); 
diff --git a/openssh-6.2p2-xauthlocalhostname.patch b/openssh-6.4p1-xauthlocalhostname.patch similarity index 91% rename from openssh-6.2p2-xauthlocalhostname.patch rename to openssh-6.4p1-xauthlocalhostname.patch index 8412af7..3ca28e5 100644 --- a/openssh-6.2p2-xauthlocalhostname.patch +++ b/openssh-6.4p1-xauthlocalhostname.patch @@ -1,14 +1,14 @@ # handle hostname changes when forwarding X # bnc#98627 -diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c ---- a/openssh-6.2p2/session.c -+++ b/openssh-6.2p2/session.c +diff --git a/openssh-6.4p1/session.c b/openssh-6.4p1/session.c +--- a/openssh-6.4p1/session.c ++++ b/openssh-6.4p1/session.c @@ -1118,17 +1118,17 @@ copy_environment(char **source, char *** debug3("Copy environment: %s=%s", var_name, var_val); child_set_env(env, envsize, var_name, var_val); - xfree(var_name); + free(var_name); } } @@ -83,7 +83,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c } static void -@@ -1618,16 +1628,17 @@ child_close_fds(void) +@@ -1631,16 +1641,17 @@ child_close_fds(void) * ids, and executing the command or shell. */ #define ARGV_MAX 10 @@ -101,7 +101,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c /* remove hostkey from the child's memory */ destroy_sensitive_data(); -@@ -1684,17 +1695,17 @@ do_child(Session *s, const char *command +@@ -1697,17 +1708,17 @@ do_child(Session *s, const char *command * legal, and means /bin/sh. */ shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell; @@ -120,7 +120,7 @@ diff --git a/openssh-6.2p2/session.c b/openssh-6.2p2/session.c /* we have to stash the hostname before we close our socket. */ if (options.use_login) hostname = get_remote_name_or_ip(utmp_len, -@@ -1753,17 +1764,17 @@ do_child(Session *s, const char *command +@@ -1766,17 +1777,17 @@ do_child(Session *s, const char *command strerror(errno)); if (r) exit(1); diff --git a/openssh-6.4p1.tar.gz b/openssh-6.4p1.tar.gz new file mode 100644 index 0000000..cd356bb --- /dev/null 
+++ b/openssh-6.4p1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5530f616513b14aea3662c4c373bafd6a97a269938674c006377e381f68975d2 +size 1201402 diff --git a/openssh-askpass-gnome.changes b/openssh-askpass-gnome.changes index e7cf1bd..96ca191 100644 --- a/openssh-askpass-gnome.changes +++ b/openssh-askpass-gnome.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Jan 24 15:13:09 UTC 2014 - pcerny@suse.com + +- Update of the underlying OpenSSH to 6.4p1 + ------------------------------------------------------------------- Thu Sep 19 02:02:56 UTC 2013 - pcerny@suse.com diff --git a/openssh-askpass-gnome.spec b/openssh-askpass-gnome.spec index aff9335..ff959eb 100644 --- a/openssh-askpass-gnome.spec +++ b/openssh-askpass-gnome.spec @@ -1,7 +1,7 @@ # # spec file for package openssh-askpass-gnome # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -26,7 +26,7 @@ BuildRequires: openssl-devel BuildRequires: pam-devel BuildRequires: tcpd-devel BuildRequires: update-desktop-files -Version: 6.2p2 +Version: 6.4p1 Release: 0 Requires: openssh = %{version} Summary: A GNOME-Based Passphrase Dialog for OpenSSH diff --git a/openssh.changes b/openssh.changes index 9aed0d7..0cb97cb 100644 --- a/openssh.changes +++ b/openssh.changes 
@@ -1,3 +1,85 @@
+-------------------------------------------------------------------
+Fri Jan 24 15:13:09 UTC 2014 - pcerny@suse.com
+
+- Update to 6.4p1
+ Features since 6.2p2:
+ * ssh-agent(1) support in sshd(8); allows encrypted hostkeys, or
+ hostkeys on smartcards.
+ * ssh(1)/sshd(8): allow optional time-based rekeying via a
+ second argument to the existing RekeyLimit option. RekeyLimit
+ is now supported in sshd_config as well as on the client.
+ * sshd(8): standardise logging of information during user
+ authentication.
+ * The presented key/cert and the remote username (if available)
+ is now logged in the authentication success/failure message on
+ the same log line as the local username, remote host/port and
+ protocol in use. Certificates contents and the key
+ fingerprint of the signing CA are logged too.
+ * ssh(1) ability to query what cryptographic algorithms are
+ supported in the binary.
+ * ssh(1): ProxyCommand=- for cases where stdin and stdout
+ already point to the proxy.
+ * ssh(1): allow IdentityFile=none
+ * ssh(1)/sshd(8): -E option to append debugging logs to a
+ specified file instead of stderr or syslog.
+ * sftp(1): support resuming partial downloads with the "reget"
+ command and on the sftp commandline or on the "get"
+ commandline with the "-a" (append) option.
+ * ssh(1): "IgnoreUnknown" configuration option to selectively
+ suppress errors arising from unknown configuration directives.
+ * sshd(8): support for submethods to be appended to required
+ authentication methods listed via AuthenticationMethods.
+ Bugfixes since 6.2p2:
+ * sshd(8): fix refusal to accept certificate if a key of a
+ different type to the CA key appeared in authorized_keys
+ before the CA key.
+ * ssh(1)/ssh-agent(1)/sshd(8): Use a monotonic time source for
+ timers so that things like keepalives and rekeying will work
+ properly over clock steps.
+ * sftp(1): update progressmeter when data is acknowledged, not
+ when it's sent. bz#2108
+ * ssh(1)/ssh-keygen(1): improve error messages when the current
+ user does not exist in /etc/passwd; bz#2125
+ * ssh(1): reset the order in which public keys are tried after
+ partial authentication success.
+ * ssh-agent(1): clean up socket files after SIGINT when in debug
+ mode; bz#2120
+ * ssh(1) and others: avoid confusing error messages in the case
+ of broken system resolver configurations; bz#2122
+ * ssh(1): set TCP nodelay for connections started with -N;
+ bz#2124
+ * ssh(1): correct manual for permission requirements on
+ ~/.ssh/config; bz#2078
+ * ssh(1): fix ControlPersist timeout not triggering in cases
+ where TCP connections have hung. bz#1917
+ * ssh(1): properly deatch a ControlPersist master from its
+ controlling terminal.
+ * sftp(1): avoid crashes in libedit when it has been compiled
+ with multi- byte character support. bz#1990
+ * sshd(8): when running sshd -D, close stderr unless we have
+ explicitly requested logging to stderr. bz#1976,
+ * ssh(1): fix incomplete bzero; bz#2100
+ * sshd(8): log and error and exit if ChrootDirectory is
+ specified and running without root privileges.
+ * Many improvements to the regression test suite. In particular
+ log files are now saved from ssh and sshd after failures.
+ * Fix a number of memory leaks. bz#1967 bz#2096 and others
+ * sshd(8): fix public key authentication when a :style is
+ appended to the requested username.
+ * ssh(1): do not fatally exit when attempting to cleanup
+ multiplexing- created channels that are incompletely opened.
+ bz#2079
+ * sshd(8): fix a memory corruption problem triggered during
+ rekeying when an AES-GCM cipher is selected
+ * Fix unaligned accesses in umac.c for strict-alignment
+ architectures. bz#2101
+ * Fix broken incorrect commandline reporting errors. bz#1448
+ * Only include SHA256 and ECC-based key exchange methods if
+ libcrypto has the required support.
+ * Fix crash in SOCKS5 dynamic forwarding code on
+ strict-alignment architectures.
+ - FIPS and GSSKEX patched disabled for now
+
 -------------------------------------------------------------------
 Fri Oct 4 17:50:32 UTC 2013 - pcerny@suse.com
diff --git a/openssh.spec b/openssh.spec
index a6843c6..4e053c5 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package openssh
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,10 +18,8 @@
 %if 0%{suse_version} >= 1100
 %define has_fw_dir 1
-%define needs_xorg_libs 0
 %else
 %define has_fw_dir 0
-%define needs_xorg_libs 1
 %endif
 %if 0%{suse_version} >= 1110
@@ -80,7 +78,7 @@ BuildRequires: openldap2-devel
 BuildRequires: openssl-devel
 BuildRequires: pam-devel
 %if %{has_systemd}
-BuildRequires: systemd
+BuildRequires: pkgconfig(systemd)
 %{?systemd_requires}
 %endif
 BuildRequires: tcpd-devel
@@ -88,8 +86,8 @@ Requires: /bin/netstat
 PreReq: pwdutils %{insserv_prereq} %{fillup_prereq} coreutils
 Conflicts: nonfreessh
 Recommends: xauth
-Recommends: %{name}-akc-ldap
-Version: 6.2p2
+Recommends: %{name}-helpers
+Version: 6.4p1
 Release: 0
 Summary: Secure Shell Client and Server (Remote Login Program)
 License: BSD-3-Clause and MIT
@@ -106,39 +104,39 @@ Source7: sshd.fw
 Source8: sysconfig.ssh
 Source9: sshd-gen-keys-start
 Source10: sshd.service
-Patch1: %{name}-%{version}-key-converter.patch
-Patch2: %{name}-%{version}-X11-forwarding.patch
-Patch3: %{name}-%{version}-lastlog.patch
-Patch4: %{name}-%{version}-pam-fix2.patch
-Patch5: %{name}-%{version}-saveargv-fix.patch
-Patch6: %{name}-%{version}-pam-fix3.patch
-Patch7: %{name}-%{version}-gssapimitm.patch
-Patch8: %{name}-%{version}-eal3.patch
-Patch9: %{name}-%{version}-blocksigalrm.patch
-Patch10: %{name}-%{version}-send_locale.patch
-Patch11: %{name}-%{version}-xauthlocalhostname.patch
-Patch12: %{name}-%{version}-xauth.patch
-Patch13: %{name}-%{version}-default-protocol.patch
-Patch14: %{name}-%{version}-pts.patch
-Patch15: %{name}-%{version}-pam-check-locks.patch
-Patch16: %{name}-%{version}-fingerprint_hash.patch
-Patch17: %{name}-%{version}-audit1-remove_duplicit_audit.patch
-Patch18: %{name}-%{version}-audit2-better_audit_of_user_actions.patch
-Patch19: %{name}-%{version}-audit3-key_auth_usage.patch
-Patch20: %{name}-%{version}-audit4-kex_results.patch
-Patch21: %{name}-%{version}-audit5-session_key_destruction.patch
-Patch22: %{name}-%{version}-audit6-server_key_destruction.patch
-Patch23: %{name}-%{version}-audit7-libaudit_compat.patch
-Patch24: %{name}-%{version}-audit8-libaudit_dns_timeouts.patch
-Patch25: %{name}-%{version}-seed-prng.patch
-Patch26: %{name}-%{version}-ldap.patch
-Patch27: %{name}-%{version}-fips.patch
-Patch28: %{name}-%{version}-gssapi_key_exchange.patch
-Patch29: %{name}-%{version}-login_options.patch
-Patch30: %{name}-%{version}-disable-openssl-abi-check.patch
-Patch31: %{name}-%{version}-no_fork-no_pid_file.patch
-Patch32: %{name}-%{version}-host_ident.patch
-Patch33: %{name}-%{version}-sftp_homechroot.patch
+Patch1: openssh-6.4p1-key-converter.patch
+Patch2: openssh-6.4p1-X11-forwarding.patch
+Patch3: openssh-6.4p1-lastlog.patch
+Patch4: openssh-6.4p1-pam-fix2.patch
+Patch5: openssh-6.4p1-saveargv-fix.patch
+Patch6: openssh-6.4p1-pam-fix3.patch
+Patch7: openssh-6.4p1-gssapimitm.patch
+Patch8: openssh-6.4p1-eal3.patch
+Patch9: openssh-6.4p1-blocksigalrm.patch
+Patch10: openssh-6.4p1-send_locale.patch
+Patch11: openssh-6.4p1-xauthlocalhostname.patch
+Patch12: openssh-6.4p1-xauth.patch
+Patch13: openssh-6.4p1-default-protocol.patch
+Patch14: openssh-6.4p1-pts.patch
+Patch15: openssh-6.4p1-pam-check-locks.patch
+Patch16: openssh-6.4p1-fingerprint_hash.patch
+Patch17: openssh-6.4p1-audit1-remove_duplicit_audit.patch
+Patch18: openssh-6.4p1-audit2-better_audit_of_user_actions.patch
+Patch19: openssh-6.4p1-audit3-key_auth_usage.patch
+Patch20: openssh-6.4p1-audit4-kex_results.patch
+Patch21: openssh-6.4p1-audit5-session_key_destruction.patch
+Patch22: openssh-6.4p1-audit6-server_key_destruction.patch
+Patch23: openssh-6.4p1-audit7-libaudit_compat.patch
+Patch24: openssh-6.4p1-audit8-libaudit_dns_timeouts.patch
+Patch25: openssh-6.4p1-seed-prng.patch
+Patch26: openssh-6.4p1-ldap.patch
+Patch27: openssh-6.4p1-fips.patch
+Patch28: openssh-6.4p1-gssapi_key_exchange.patch
+Patch29: openssh-6.4p1-login_options.patch
+Patch30: openssh-6.4p1-disable-openssl-abi-check.patch
+Patch31: openssh-6.4p1-no_fork-no_pid_file.patch
+Patch32: openssh-6.4p1-host_ident.patch
+Patch33: openssh-6.4p1-sftp_homechroot.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -152,15 +150,14 @@ xorg-x11 (X Window System) connections and arbitrary TCP/IP ports can also be
 forwarded over the secure channel.
-%package akc-ldap
-Summary: OpenSSH AuthorizedKeysCommand helper for LDAP
+%package helpers
+Summary: OpenSSH AuthorizedKeysCommand helpers
 Group: Productivity/Networking/SSH
 Requires: openldap2
 Requires: openssh
-%description akc-ldap
-Helper application for OpenSSH which retrieves authorized keys from
-a LDAP server.
+%description helpers
+Helper applications for OpenSSH which retrieve keys from various sources.
 %prep
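Review bot: The rename of the subpackage from `akc-ldap` to `helpers` at `%package helpers` carries no compatibility tags, so systems that already have `openssh-akc-ldap` installed will not be migrated to the new package on upgrade and keep an orphaned copy of the helper. Add `Provides: %{name}-akc-ldap = %{version}` and `Obsoletes: %{name}-akc-ldap < %{version}` directly under the `%package helpers` header. The new `%description helpers` says keys are retrieved "from various sources" while the section still hard-requires `openldap2`, so either keep the description to what the package actually ships or make the LDAP dependency conditional once non-LDAP helpers exist; the package's file list is in a later hunk.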
@@ -192,7 +189,7 @@ a LDAP server.
 %patch25 -p2
 %patch26 -p2
 #patch27 -p2
-%patch28 -p2
+#patch28 -p2
 %patch29 -p2
 %patch30 -p2
 %patch31 -p2
@@ -214,11 +211,17 @@ PIEFLAGS="-fPIE"
 PIEFLAGS="-fpie"
 %endif
 CFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
+%if 0%{?suse_version} < 1230
+CFLAGS="-lrt $CFLAGS"
+%endif
 CXXFLAGS="%{optflags} $PIEFLAGS -fstack-protector"
 LDFLAGS="-pie -Wl,--as-needed"
+%if 0%{?suse_version} < 1230
+LDFLAGS="-lrt $LDFLAGS"
+%endif
 #CPPFLAGS="%{optflags} -DUSE_INTERNAL_B64"
 export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
-%configure \
+./configure \
 --prefix=%{_prefix} \
 --mandir=%{_mandir} \
 --infodir=%{_infodir} \
@@ -249,9 +252,9 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
 --target=%{_target_cpu}-suse-linux \
 ### configure end
-make %{?_smp_mflags}
+make -j 1
-make %{?_smp_mflags} -C converter
+make -j 1 -C converter
 %install
 make install DESTDIR=%{buildroot}
@@ -360,7 +363,7 @@ getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d /var/lib/sshd
 %config %{_fwdefdir}/sshd
 %endif
-%files akc-ldap
+%files helpers
 %defattr(-,root,root)
 %attr(0755,root,root) %dir %{_sysconfdir}/ssh
 %verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
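Review bot: Commenting out `%patch28 -p2` silently drops the GSSAPI key exchange patch (Patch28 in the Source list) from the 6.4p1 build while the patch itself stays listed, and nothing in the spec records why or that this is meant to be temporary; only the changes file says "disabled for now". Add a comment next to the two disabled lines, e.g. `# patch27 (fips) and patch28 (gssapi_key_exchange) not yet rebased to 6.4p1 -- re-enable once ported`. If deployed sshd_config files carry the directives that patch introduced (GSSAPIKeyExchange and its companions), sshd built from this spec will reject them as unknown options and refuse to start, so the changes entry should tell administrators to check their configuration before upgrading.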
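Review bot: Replacing `%configure \` with `./configure \` drops whatever the macro supplied beyond the options spelled out here; the macro normally passes the distribution's `--sysconfdir`, `--libexecdir`, `--localstatedir` and `--host`/`--build` values, and the visible options cover only prefix, mandir, infodir and target while the rest of the list lies outside the hunk, so confirm every path the macro used to provide is now passed explicitly, otherwise sshd's configuration, privilege-separation and helper paths can move between releases. The new `%if 0%{?suse_version} < 1230` blocks also deserve a one-line reason, e.g. `# -lrt: clock_gettime() presumably lives in librt on the glibc of releases before 12.3 (needed by the 6.4p1 monotonic timers)`, because `-lrt` inside CFLAGS reads as a mistake without it. The same applies to `make -j 1` in the following hunk, which replaces `%{?_smp_mflags}` without saying which parallel-build problem it works around.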
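Review bot: `%files helpers` ships `%{_sysconfdir}/ssh/ldap.conf` world-readable (`%attr(0644,root,root)`) together with `%verify(not mode)`, which only makes sense if administrators are expected to tighten the mode by hand after installation. If the LDAP helper reads bind credentials from this file, the packaged default leaves them readable by every local user; consider an `%attr` matching the uid the helper actually runs under and dropping the verify exemption, or state the expectation in the shipped file. The rename itself is fine; the point is about the attributes the renamed section inherits.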