diff --git a/openssh-7.7p1-ldap.patch b/openssh-7.7p1-ldap.patch index 5f8fe09..151299e 100644 --- a/openssh-7.7p1-ldap.patch +++ b/openssh-7.7p1-ldap.patch @@ -10,10 +10,10 @@ # internal versions. ssh-keyconverter consequently fails to link as it lacks # the proper flags, and libopenbsd-compat doesn't contain the b64_* functions) -Index: openssh-8.8p1/HOWTO.ldap-keys +Index: openssh-8.9p1/HOWTO.ldap-keys =================================================================== --- /dev/null -+++ openssh-8.8p1/HOWTO.ldap-keys ++++ openssh-8.9p1/HOWTO.ldap-keys @@ -0,0 +1,108 @@ + +HOW TO START @@ -123,11 +123,11 @@ Index: openssh-8.8p1/HOWTO.ldap-keys + - frederic peters. + - Finlay dobbie. + - Stefan Fisher. -Index: openssh-8.8p1/Makefile.in +Index: openssh-8.9p1/Makefile.in =================================================================== ---- openssh-8.8p1.orig/Makefile.in -+++ openssh-8.8p1/Makefile.in -@@ -26,6 +26,8 @@ SFTP_SERVER=$(libexecdir)/sftp-server +--- openssh-8.9p1.orig/Makefile.in ++++ openssh-8.9p1/Makefile.in +@@ -27,6 +27,8 @@ SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper @@ -136,7 +136,7 @@ Index: openssh-8.8p1/Makefile.in CAVSTEST_CTR=$(libexecdir)/cavstest-ctr CAVSTEST_KDF=$(libexecdir)/cavstest-kdf PRIVSEP_PATH=@PRIVSEP_PATH@ -@@ -73,6 +75,9 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-a +@@ -75,6 +77,9 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-a TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT) @@ -146,7 +146,7 @@ Index: openssh-8.8p1/Makefile.in XMSS_OBJS=\ ssh-xmss.o \ sshkey-xmss.o \ -@@ -160,8 +165,8 @@ SFTPSERVER_OBJS=sftp-common.o sftp-serve +@@ -162,8 +167,8 @@ SFTPSERVER_OBJS=sftp-common.o sftp-serve SFTP_OBJS= sftp.o progressmeter.o $(SFTP_CLIENT_OBJS) 
@@ -157,7 +157,7 @@ Index: openssh-8.8p1/Makefile.in MANTYPE = @MANTYPE@ CONFIGFILES=sshd_config.out ssh_config.out moduli.out -@@ -244,6 +249,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) lib +@@ -246,6 +251,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) lib ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) @@ -167,7 +167,7 @@ Index: openssh-8.8p1/Makefile.in sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS) $(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -@@ -416,6 +424,10 @@ install-files: +@@ -421,6 +429,10 @@ install-files: $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) @@ -178,7 +178,7 @@ Index: openssh-8.8p1/Makefile.in $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) -@@ -435,6 +447,10 @@ install-files: +@@ -440,6 +452,10 @@ install-files: $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 @@ -189,7 +189,7 @@ Index: openssh-8.8p1/Makefile.in $(INSTALL) -m 644 ssh-sk-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8 install-sysconf: -@@ -459,6 +475,13 @@ install-sysconf: +@@ -464,6 +480,13 @@ install-sysconf: else \ echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \ fi 
@@ -203,7 +203,7 @@ Index: openssh-8.8p1/Makefile.in host-key: ssh-keygen$(EXEEXT) @if [ -z "$(DESTDIR)" ] ; then \ -@@ -497,6 +520,8 @@ uninstall: +@@ -502,6 +525,8 @@ uninstall: -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) @@ -212,7 +212,7 @@ Index: openssh-8.8p1/Makefile.in -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -@@ -509,6 +534,7 @@ uninstall: +@@ -514,6 +539,7 @@ uninstall: -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8 @@ -220,11 +220,11 @@ Index: openssh-8.8p1/Makefile.in regress-prep: $(MKDIR_P) `pwd`/regress/unittests/test_helper -Index: openssh-8.8p1/configure.ac +Index: openssh-8.9p1/configure.ac =================================================================== ---- openssh-8.8p1.orig/configure.ac -+++ openssh-8.8p1/configure.ac -@@ -1758,6 +1758,106 @@ AC_ARG_WITH([audit], +--- openssh-8.9p1.orig/configure.ac ++++ openssh-8.9p1/configure.ac +@@ -1780,6 +1780,106 @@ AC_ARG_WITH([audit], esac ] ) @@ -331,10 +331,10 @@ Index: openssh-8.8p1/configure.ac AC_ARG_WITH([pie], [ --with-pie Build Position Independent Executables if possible], [ if test "x$withval" = "xno"; then -Index: openssh-8.8p1/ldap-helper.c +Index: openssh-8.9p1/ldap-helper.c =================================================================== --- /dev/null -+++ openssh-8.8p1/ldap-helper.c ++++ openssh-8.9p1/ldap-helper.c @@ -0,0 +1,155 @@ +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* 
@@ -491,10 +491,10 @@ Index: openssh-8.8p1/ldap-helper.c +void *buffer_get_string(struct sshbuf *b, u_int *l) { return NULL; } +void buffer_put_string(struct sshbuf *b, const void *f, u_int l) {} + -Index: openssh-8.8p1/ldap-helper.h +Index: openssh-8.9p1/ldap-helper.h =================================================================== --- /dev/null -+++ openssh-8.8p1/ldap-helper.h ++++ openssh-8.9p1/ldap-helper.h @@ -0,0 +1,32 @@ +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -528,10 +528,10 @@ Index: openssh-8.8p1/ldap-helper.h +extern int config_warning_config_file; + +#endif /* LDAP_HELPER_H */ -Index: openssh-8.8p1/ldap.conf +Index: openssh-8.9p1/ldap.conf =================================================================== --- /dev/null -+++ openssh-8.8p1/ldap.conf ++++ openssh-8.9p1/ldap.conf @@ -0,0 +1,88 @@ +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $ +# @@ -621,10 +621,10 @@ Index: openssh-8.8p1/ldap.conf +#tls_cert +#tls_key + -Index: openssh-8.8p1/ldapbody.c +Index: openssh-8.9p1/ldapbody.c =================================================================== --- /dev/null -+++ openssh-8.8p1/ldapbody.c ++++ openssh-8.9p1/ldapbody.c @@ -0,0 +1,503 @@ +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1129,10 +1129,10 @@ Index: openssh-8.8p1/ldapbody.c + return; +} + -Index: openssh-8.8p1/ldapbody.h +Index: openssh-8.9p1/ldapbody.h =================================================================== --- /dev/null -+++ openssh-8.8p1/ldapbody.h ++++ openssh-8.9p1/ldapbody.h @@ -0,0 +1,37 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1171,10 +1171,10 @@ Index: openssh-8.8p1/ldapbody.h + +#endif /* LDAPBODY_H */ + -Index: openssh-8.8p1/ldapconf.c +Index: openssh-8.9p1/ldapconf.c =================================================================== --- /dev/null -+++ openssh-8.8p1/ldapconf.c ++++ openssh-8.9p1/ldapconf.c 
@@ -0,0 +1,711 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1887,10 +1887,10 @@ Index: openssh-8.8p1/ldapconf.c + dump_cfg_string(lSSH_Filter, options.ssh_filter); +} + -Index: openssh-8.8p1/ldapconf.h +Index: openssh-8.9p1/ldapconf.h =================================================================== --- /dev/null -+++ openssh-8.8p1/ldapconf.h ++++ openssh-8.9p1/ldapconf.h @@ -0,0 +1,71 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1963,10 +1963,10 @@ Index: openssh-8.8p1/ldapconf.h +void dump_config(void); + +#endif /* LDAPCONF_H */ -Index: openssh-8.8p1/ldapincludes.h +Index: openssh-8.9p1/ldapincludes.h =================================================================== --- /dev/null -+++ openssh-8.8p1/ldapincludes.h ++++ openssh-8.9p1/ldapincludes.h @@ -0,0 +1,41 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -2009,10 +2009,10 @@ Index: openssh-8.8p1/ldapincludes.h +#endif + +#endif /* LDAPINCLUDES_H */ -Index: openssh-8.8p1/ldapmisc.c +Index: openssh-8.9p1/ldapmisc.c =================================================================== --- /dev/null -+++ openssh-8.8p1/ldapmisc.c ++++ openssh-8.9p1/ldapmisc.c @@ -0,0 +1,79 @@ + +#include "ldapincludes.h" @@ -2093,10 +2093,10 @@ Index: openssh-8.8p1/ldapmisc.c +} +#endif + -Index: openssh-8.8p1/ldapmisc.h +Index: openssh-8.9p1/ldapmisc.h =================================================================== --- /dev/null -+++ openssh-8.8p1/ldapmisc.h ++++ openssh-8.9p1/ldapmisc.h @@ -0,0 +1,35 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* 
@@ -2133,10 +2133,10 @@ Index: openssh-8.8p1/ldapmisc.h + +#endif /* LDAPMISC_H */ + -Index: openssh-8.8p1/openbsd-compat/base64.c +Index: openssh-8.9p1/openbsd-compat/base64.c =================================================================== ---- openssh-8.8p1.orig/openbsd-compat/base64.c -+++ openssh-8.8p1/openbsd-compat/base64.c +--- openssh-8.9p1.orig/openbsd-compat/base64.c ++++ openssh-8.9p1/openbsd-compat/base64.c @@ -46,7 +46,7 @@ #include "includes.h" @@ -2145,8 +2145,8 @@ Index: openssh-8.8p1/openbsd-compat/base64.c +#if (!defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP)) || (!defined(HAVE_B64_PTON) && !defined(HAVE___B64_PTON)) || defined(USE_INTERNAL_B64) #include - #include -@@ -129,7 +129,7 @@ static const char Pad64 = '='; + #include +@@ -128,7 +128,7 @@ static const char Pad64 = '='; characters followed by one "=" padding character. */ @@ -2155,7 +2155,7 @@ Index: openssh-8.8p1/openbsd-compat/base64.c int b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize) { -@@ -185,7 +185,7 @@ b64_ntop(u_char const *src, size_t srcle +@@ -184,7 +184,7 @@ b64_ntop(u_char const *src, size_t srcle } #endif /* !defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP) */ @@ -2164,10 +2164,10 @@ Index: openssh-8.8p1/openbsd-compat/base64.c /* skips all whitespace anywhere. converts characters, four at a time, starting at (or after) -Index: openssh-8.8p1/openbsd-compat/base64.h +Index: openssh-8.9p1/openbsd-compat/base64.h =================================================================== ---- openssh-8.8p1.orig/openbsd-compat/base64.h -+++ openssh-8.8p1/openbsd-compat/base64.h +--- openssh-8.9p1.orig/openbsd-compat/base64.h ++++ openssh-8.9p1/openbsd-compat/base64.h @@ -45,16 +45,16 @@ #include "includes.h" 
@@ -2189,10 +2189,10 @@ Index: openssh-8.8p1/openbsd-compat/base64.h int b64_pton(char const *src, u_char *target, size_t targsize); # endif /* !HAVE_B64_PTON */ # define __b64_pton(a,b,c) b64_pton(a,b,c) -Index: openssh-8.8p1/openssh-lpk-openldap.schema +Index: openssh-8.9p1/openssh-lpk-openldap.schema =================================================================== --- /dev/null -+++ openssh-8.8p1/openssh-lpk-openldap.schema ++++ openssh-8.9p1/openssh-lpk-openldap.schema @@ -0,0 +1,21 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey @@ -2215,10 +2215,10 @@ Index: openssh-8.8p1/openssh-lpk-openldap.schema + DESC 'MANDATORY: OpenSSH LPK objectclass' + MUST ( sshPublicKey $ uid ) + ) -Index: openssh-8.8p1/openssh-lpk-sun.schema +Index: openssh-8.9p1/openssh-lpk-sun.schema =================================================================== --- /dev/null -+++ openssh-8.8p1/openssh-lpk-sun.schema ++++ openssh-8.9p1/openssh-lpk-sun.schema @@ -0,0 +1,23 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey @@ -2243,10 +2243,10 @@ Index: openssh-8.8p1/openssh-lpk-sun.schema + DESC 'MANDATORY: OpenSSH LPK objectclass' + MUST ( sshPublicKey $ uid ) + ) -Index: openssh-8.8p1/ssh-ldap-helper.8 +Index: openssh-8.9p1/ssh-ldap-helper.8 =================================================================== --- /dev/null -+++ openssh-8.8p1/ssh-ldap-helper.8 ++++ openssh-8.9p1/ssh-ldap-helper.8 @@ -0,0 +1,79 @@ +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" @@ -2327,19 +2327,19 @@ Index: openssh-8.8p1/ssh-ldap-helper.8 +OpenSSH 5.5 + PKA-LDAP . +.Sh AUTHORS +.An Jan F. Chadima Aq jchadima@redhat.com -Index: openssh-8.8p1/ssh-ldap-wrapper +Index: openssh-8.9p1/ssh-ldap-wrapper =================================================================== --- /dev/null -+++ openssh-8.8p1/ssh-ldap-wrapper ++++ openssh-8.9p1/ssh-ldap-wrapper 
@@ -0,0 +1,4 @@ +#!/bin/sh + +exec @LIBEXECDIR@/ssh-ldap-helper -s "$1" + -Index: openssh-8.8p1/ssh-ldap.conf.5 +Index: openssh-8.9p1/ssh-ldap.conf.5 =================================================================== --- /dev/null -+++ openssh-8.8p1/ssh-ldap.conf.5 ++++ openssh-8.9p1/ssh-ldap.conf.5 @@ -0,0 +1,376 @@ +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" diff --git a/openssh-8.0p1-gssapi-keyex.patch b/openssh-8.0p1-gssapi-keyex.patch index e26ff2f..f9426cb 100644 --- a/openssh-8.0p1-gssapi-keyex.patch +++ b/openssh-8.0p1-gssapi-keyex.patch @@ -1,8 +1,8 @@ -Index: openssh-8.8p1/Makefile.in +Index: openssh-8.9p1/Makefile.in =================================================================== ---- openssh-8.8p1.orig/Makefile.in -+++ openssh-8.8p1/Makefile.in -@@ -112,6 +112,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ +--- openssh-8.9p1.orig/Makefile.in ++++ openssh-8.9p1/Makefile.in +@@ -114,6 +114,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ kexgexc.o kexgexs.o \ kexsntrup761x25519.o sntrup761.o kexgen.o \ 
@@ -10,19 +10,19 @@ Index: openssh-8.8p1/Makefile.in sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \ sshbuf-io.o -@@ -130,7 +131,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw +@@ -132,7 +133,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ auth2-none.o auth2-passwd.o auth2-pubkey.o \ monitor.o monitor_wrap.o auth-krb5.o \ - auth2-gss.o gss-serv.o gss-serv-krb5.o \ + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ - loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ + loginrec.o auth-pam.o auth-shadow.o auth-sia.o \ srclimit.o sftp-server.o sftp-common.o \ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ -Index: openssh-8.8p1/auth.c +Index: openssh-8.9p1/auth.c =================================================================== ---- openssh-8.8p1.orig/auth.c -+++ openssh-8.8p1/auth.c +--- openssh-8.9p1.orig/auth.c ++++ openssh-8.9p1/auth.c @@ -402,7 +402,8 @@ auth_root_allowed(struct ssh *ssh, const case PERMIT_NO_PASSWD: if (strcmp(method, "publickey") == 0 || @@ -33,7 +33,7 @@ Index: openssh-8.8p1/auth.c return 1; break; case PERMIT_FORCED_ONLY: -@@ -730,97 +731,6 @@ fakepw(void) +@@ -740,97 +741,6 @@ fakepw(void) } /* @@ -131,12 +131,12 @@ Index: openssh-8.8p1/auth.c * Return the canonical name of the host in the other side of the current * connection. The host name is cached, so it is efficient to call this * several times. -Index: openssh-8.8p1/auth2-gss.c +Index: openssh-8.9p1/auth2-gss.c =================================================================== ---- openssh-8.8p1.orig/auth2-gss.c -+++ openssh-8.8p1/auth2-gss.c +--- openssh-8.9p1.orig/auth2-gss.c ++++ openssh-8.9p1/auth2-gss.c @@ -1,7 +1,7 @@ - /* $OpenBSD: auth2-gss.c,v 1.32 2021/01/27 10:15:08 djm Exp $ */ + /* $OpenBSD: auth2-gss.c,v 1.33 2021/12/19 22:12:07 djm Exp $ */ /* - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 
@@ -225,11 +225,11 @@ Index: openssh-8.8p1/auth2-gss.c + Authmethod method_gssapi = { "gssapi-with-mic", - userauth_gssapi, -Index: openssh-8.8p1/auth2.c + NULL, +Index: openssh-8.9p1/auth2.c =================================================================== ---- openssh-8.8p1.orig/auth2.c -+++ openssh-8.8p1/auth2.c +--- openssh-8.9p1.orig/auth2.c ++++ openssh-8.9p1/auth2.c @@ -71,6 +71,7 @@ extern Authmethod method_passwd; extern Authmethod method_kbdint; extern Authmethod method_hostbased; @@ -246,10 +246,10 @@ Index: openssh-8.8p1/auth2.c &method_gssapi, #endif &method_passwd, -Index: openssh-8.8p1/canohost.c +Index: openssh-8.9p1/canohost.c =================================================================== ---- openssh-8.8p1.orig/canohost.c -+++ openssh-8.8p1/canohost.c +--- openssh-8.9p1.orig/canohost.c ++++ openssh-8.9p1/canohost.c @@ -35,6 +35,99 @@ #include "canohost.h" #include "misc.h" @@ -350,10 +350,10 @@ Index: openssh-8.8p1/canohost.c void ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len) { -Index: openssh-8.8p1/canohost.h +Index: openssh-8.9p1/canohost.h =================================================================== ---- openssh-8.8p1.orig/canohost.h -+++ openssh-8.8p1/canohost.h +--- openssh-8.9p1.orig/canohost.h ++++ openssh-8.9p1/canohost.h @@ -15,6 +15,9 @@ #ifndef _CANOHOST_H #define _CANOHOST_H 
@@ -364,13 +364,13 @@ Index: openssh-8.8p1/canohost.h char *get_peer_ipaddr(int); int get_peer_port(int); char *get_local_ipaddr(int); -Index: openssh-8.8p1/clientloop.c +Index: openssh-8.9p1/clientloop.c =================================================================== ---- openssh-8.8p1.orig/clientloop.c -+++ openssh-8.8p1/clientloop.c -@@ -112,6 +112,10 @@ - #include "ssherr.h" - #include "hostfile.h" +--- openssh-8.9p1.orig/clientloop.c ++++ openssh-8.9p1/clientloop.c +@@ -118,6 +118,10 @@ + /* Permitted RSA signature algorithms for UpdateHostkeys proofs */ + #define HOSTKEY_PROOF_RSA_ALGS "rsa-sha2-512,rsa-sha2-256" +#ifdef GSSAPI +#include "ssh-gss.h" @@ -379,13 +379,13 @@ Index: openssh-8.8p1/clientloop.c /* import options */ extern Options options; -@@ -1343,9 +1347,18 @@ client_loop(struct ssh *ssh, int have_pt +@@ -1349,9 +1353,18 @@ client_loop(struct ssh *ssh, int have_pt break; /* Do channel operations unless rekeying in progress. */ - if (!ssh_packet_is_rekeying(ssh)) + if (!ssh_packet_is_rekeying(ssh)) { - channel_after_select(ssh, readset, writeset); + channel_after_poll(ssh, pfd, npfd_active); +#ifdef GSSAPI + if (options.gss_renewal_rekey && @@ -397,13 +397,13 @@ Index: openssh-8.8p1/clientloop.c + } + /* Buffer input from the connection. */ - client_process_net_input(ssh, readset); - -Index: openssh-8.8p1/configure.ac + if (conn_in_ready) + client_process_net_input(ssh); +Index: openssh-8.9p1/configure.ac =================================================================== ---- openssh-8.8p1.orig/configure.ac -+++ openssh-8.8p1/configure.ac -@@ -709,6 +709,30 @@ main() { if (NSVersionOfRunTimeLibrary(" +--- openssh-8.9p1.orig/configure.ac ++++ openssh-8.9p1/configure.ac +@@ -714,6 +714,30 @@ main() { if (NSVersionOfRunTimeLibrary(" [Use tunnel device compatibility to OpenBSD]) AC_DEFINE([SSH_TUN_PREPEND_AF], [1], [Prepend the address family to IP tunnel traffic]) 
@@ -434,10 +434,10 @@ Index: openssh-8.8p1/configure.ac m4_pattern_allow([AU_IPv]) AC_CHECK_DECL([AU_IPv4], [], AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) -Index: openssh-8.8p1/gss-genr.c +Index: openssh-8.9p1/gss-genr.c =================================================================== ---- openssh-8.8p1.orig/gss-genr.c -+++ openssh-8.8p1/gss-genr.c +--- openssh-8.9p1.orig/gss-genr.c ++++ openssh-8.9p1/gss-genr.c @@ -1,7 +1,7 @@ /* $OpenBSD: gss-genr.c,v 1.28 2021/01/27 10:05:28 djm Exp $ */ @@ -447,7 +447,7 @@ Index: openssh-8.8p1/gss-genr.c * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions -@@ -42,8 +42,34 @@ +@@ -43,8 +43,34 @@ #include "log.h" #include "ssh2.h" @@ -482,7 +482,7 @@ Index: openssh-8.8p1/gss-genr.c /* sshbuf_get for gss_buffer_desc */ int ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g) -@@ -59,6 +85,161 @@ ssh_gssapi_get_buffer_desc(struct sshbuf +@@ -60,6 +86,161 @@ ssh_gssapi_get_buffer_desc(struct sshbuf return 0; } @@ -644,7 +644,7 @@ Index: openssh-8.8p1/gss-genr.c /* Check that the OID in a data stream matches that in the context */ int ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) -@@ -215,7 +396,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de +@@ -216,7 +397,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de } ctx->major = gss_init_sec_context(&ctx->minor, @@ -653,7 +653,7 @@ Index: openssh-8.8p1/gss-genr.c GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, 0, NULL, recv_tok, NULL, send_tok, flags, NULL); -@@ -245,8 +426,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con +@@ -246,8 +427,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con } OM_uint32 
@@ -696,7 +696,7 @@ Index: openssh-8.8p1/gss-genr.c if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, GSS_C_QOP_DEFAULT, buffer, hash))) ssh_gssapi_error(ctx); -@@ -254,6 +469,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer +@@ -255,6 +470,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer return (ctx->major); } @@ -716,7 +716,7 @@ Index: openssh-8.8p1/gss-genr.c void ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service, const char *context, const struct sshbuf *session_id) -@@ -270,11 +498,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, co +@@ -271,11 +499,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, co } int @@ -734,7 +734,7 @@ Index: openssh-8.8p1/gss-genr.c /* RFC 4462 says we MUST NOT do SPNEGO */ if (oid->length == spnego_oid.length && -@@ -284,6 +517,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx +@@ -285,6 +518,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx ssh_gssapi_build_ctx(ctx); ssh_gssapi_set_oid(*ctx, oid); major = ssh_gssapi_import_name(*ctx, host); @@ -745,7 +745,7 @@ Index: openssh-8.8p1/gss-genr.c if (!GSS_ERROR(major)) { major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, NULL); -@@ -293,10 +530,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx +@@ -294,10 +531,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx GSS_C_NO_BUFFER); } @@ -813,10 +813,10 @@ Index: openssh-8.8p1/gss-genr.c +} + #endif /* GSSAPI */ -Index: openssh-8.8p1/gss-serv-krb5.c +Index: openssh-8.9p1/gss-serv-krb5.c =================================================================== ---- openssh-8.8p1.orig/gss-serv-krb5.c -+++ openssh-8.8p1/gss-serv-krb5.c +--- openssh-8.9p1.orig/gss-serv-krb5.c ++++ openssh-8.9p1/gss-serv-krb5.c @@ -1,7 +1,7 @@ /* $OpenBSD: gss-serv-krb5.c,v 1.9 2018/07/09 21:37:55 markus Exp $ */ 
@@ -953,10 +953,10 @@ Index: openssh-8.8p1/gss-serv-krb5.c }; #endif /* KRB5 */ -Index: openssh-8.8p1/gss-serv.c +Index: openssh-8.9p1/gss-serv.c =================================================================== ---- openssh-8.8p1.orig/gss-serv.c -+++ openssh-8.8p1/gss-serv.c +--- openssh-8.9p1.orig/gss-serv.c ++++ openssh-8.9p1/gss-serv.c @@ -1,7 +1,7 @@ /* $OpenBSD: gss-serv.c,v 1.32 2020/03/13 03:17:07 djm Exp $ */ @@ -1253,10 +1253,10 @@ Index: openssh-8.8p1/gss-serv.c } /* Privileged */ -Index: openssh-8.8p1/kex.c +Index: openssh-8.9p1/kex.c =================================================================== ---- openssh-8.8p1.orig/kex.c -+++ openssh-8.8p1/kex.c +--- openssh-8.9p1.orig/kex.c ++++ openssh-8.9p1/kex.c @@ -57,11 +57,16 @@ #include "misc.h" #include "dispatch.h" @@ -1388,20 +1388,20 @@ Index: openssh-8.8p1/kex.c /* put algorithm proposal into buffer */ int kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) -@@ -745,6 +802,9 @@ kex_free(struct kex *kex) - sshbuf_free(kex->server_version); - sshbuf_free(kex->client_pub); +@@ -765,6 +822,9 @@ kex_free(struct kex *kex) sshbuf_free(kex->session_id); + sshbuf_free(kex->initial_sig); + sshkey_free(kex->initial_hostkey); +#ifdef GSSAPI + free(kex->gss_host); +#endif /* GSSAPI */ free(kex->failed_choice); free(kex->hostkey_alg); free(kex->name); -Index: openssh-8.8p1/kex.h +Index: openssh-8.9p1/kex.h =================================================================== ---- openssh-8.8p1.orig/kex.h -+++ openssh-8.8p1/kex.h +--- openssh-8.9p1.orig/kex.h ++++ openssh-8.9p1/kex.h @@ -102,6 +102,15 @@ enum kex_exchange { KEX_ECDH_SHA2, KEX_C25519_SHA256, @@ -1418,7 +1418,7 @@ Index: openssh-8.8p1/kex.h KEX_MAX }; -@@ -152,6 +161,12 @@ struct kex { +@@ -159,6 +168,12 @@ struct kex { u_int flags; int hash_alg; int ec_nid; 
@@ -1431,7 +1431,7 @@ Index: openssh-8.8p1/kex.h char *failed_choice; int (*verify_host_key)(struct sshkey *, struct ssh *); struct sshkey *(*load_host_public_key)(int, int, struct ssh *); -@@ -173,8 +188,10 @@ struct kex { +@@ -180,8 +195,10 @@ struct kex { int kex_names_valid(const char *); char *kex_alg_list(char); @@ -1442,7 +1442,7 @@ Index: openssh-8.8p1/kex.h int kex_exchange_identification(struct ssh *, int, const char *); -@@ -202,6 +219,12 @@ int kexgex_client(struct ssh *); +@@ -209,6 +226,12 @@ int kexgex_client(struct ssh *); int kexgex_server(struct ssh *); int kex_gen_client(struct ssh *); int kex_gen_server(struct ssh *); @@ -1455,7 +1455,7 @@ Index: openssh-8.8p1/kex.h int kex_dh_keypair(struct kex *); int kex_dh_enc(struct kex *, const struct sshbuf *, struct sshbuf **, -@@ -234,6 +257,12 @@ int kexgex_hash(int, const struct sshbu +@@ -241,6 +264,12 @@ int kexgex_hash(int, const struct sshbu const BIGNUM *, const u_char *, size_t, u_char *, size_t *); @@ -1468,10 +1468,10 @@ Index: openssh-8.8p1/kex.h void kexc25519_keygen(u_char key[CURVE25519_SIZE], u_char pub[CURVE25519_SIZE]) __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE))) __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE))); -Index: openssh-8.8p1/kexdh.c +Index: openssh-8.9p1/kexdh.c =================================================================== ---- openssh-8.8p1.orig/kexdh.c -+++ openssh-8.8p1/kexdh.c +--- openssh-8.9p1.orig/kexdh.c ++++ openssh-8.9p1/kexdh.c @@ -49,13 +49,23 @@ kex_dh_keygen(struct kex *kex) { switch (kex->kex_type) { @@ -1496,10 +1496,10 @@ Index: openssh-8.8p1/kexdh.c kex->dh = dh_new_group16(); break; case KEX_DH_GRP18_SHA512: -Index: openssh-8.8p1/kexgen.c +Index: openssh-8.9p1/kexgen.c =================================================================== ---- openssh-8.8p1.orig/kexgen.c -+++ openssh-8.8p1/kexgen.c +--- openssh-8.9p1.orig/kexgen.c ++++ openssh-8.9p1/kexgen.c 
@@ -44,7 +44,7 @@ static int input_kex_gen_init(int, u_int32_t, struct ssh *); static int input_kex_gen_reply(int type, u_int32_t seq, struct ssh *ssh); @@ -1509,10 +1509,10 @@ Index: openssh-8.8p1/kexgen.c kex_gen_hash( int hash_alg, const struct sshbuf *client_version, -Index: openssh-8.8p1/kexgssc.c +Index: openssh-8.9p1/kexgssc.c =================================================================== --- /dev/null -+++ openssh-8.8p1/kexgssc.c ++++ openssh-8.9p1/kexgssc.c @@ -0,0 +1,595 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. @@ -2109,10 +2109,10 @@ Index: openssh-8.8p1/kexgssc.c + return r; +} +#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */ -Index: openssh-8.8p1/kexgsss.c +Index: openssh-8.9p1/kexgsss.c =================================================================== --- /dev/null -+++ openssh-8.8p1/kexgsss.c ++++ openssh-8.9p1/kexgsss.c @@ -0,0 +1,474 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. @@ -2588,10 +2588,10 @@ Index: openssh-8.8p1/kexgsss.c + return r; +} +#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */ -Index: openssh-8.8p1/monitor.c +Index: openssh-8.9p1/monitor.c =================================================================== ---- openssh-8.8p1.orig/monitor.c -+++ openssh-8.8p1/monitor.c +--- openssh-8.9p1.orig/monitor.c ++++ openssh-8.9p1/monitor.c @@ -145,6 +145,8 @@ int mm_answer_gss_setup_ctx(struct ssh * int mm_answer_gss_accept_ctx(struct ssh *, int, struct sshbuf *); int mm_answer_gss_userok(struct ssh *, int, struct sshbuf *); @@ -2642,7 +2642,7 @@ Index: openssh-8.8p1/monitor.c if (auth_opts->permit_pty_flag) { monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); -@@ -1730,6 +1747,17 @@ monitor_apply_keystate(struct ssh *ssh, +@@ -1747,6 +1764,17 @@ monitor_apply_keystate(struct ssh *ssh, # ifdef OPENSSL_HAS_ECC kex->kex[KEX_ECDH_SHA2] = kex_gen_server; # endif 
@@ -2660,7 +2660,7 @@ Index: openssh-8.8p1/monitor.c #endif /* WITH_OPENSSL */ kex->kex[KEX_C25519_SHA256] = kex_gen_server; kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server; -@@ -1822,8 +1850,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, +@@ -1839,8 +1867,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, u_char *p; int r; @@ -2671,7 +2671,7 @@ Index: openssh-8.8p1/monitor.c if ((r = sshbuf_get_string(m, &p, &len)) != 0) fatal_fr(r, "parse"); -@@ -1855,8 +1883,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh +@@ -1872,8 +1900,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh OM_uint32 flags = 0; /* GSI needs this */ int r; @@ -2682,7 +2682,7 @@ Index: openssh-8.8p1/monitor.c if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0) fatal_fr(r, "ssh_gssapi_get_buffer_desc"); -@@ -1876,6 +1904,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh +@@ -1893,6 +1921,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); @@ -2690,7 +2690,7 @@ Index: openssh-8.8p1/monitor.c } return (0); } -@@ -1887,8 +1916,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, +@@ -1904,8 +1933,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, OM_uint32 ret; int r; @@ -2701,7 +2701,7 @@ Index: openssh-8.8p1/monitor.c if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 || (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0) -@@ -1914,13 +1943,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, +@@ -1931,13 +1960,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) { @@ -2723,7 +2723,7 @@ Index: openssh-8.8p1/monitor.c sshbuf_reset(m); if ((r = sshbuf_put_u32(m, authenticated)) != 0) -@@ -1929,7 +1962,11 @@ mm_answer_gss_userok(struct ssh *ssh, in +@@ -1946,7 +1979,11 @@ mm_answer_gss_userok(struct ssh *ssh, in debug3_f("sending result %d", authenticated); mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m); 
@@ -2736,7 +2736,7 @@ Index: openssh-8.8p1/monitor.c if ((displayname = ssh_gssapi_displayname()) != NULL) auth2_record_info(authctxt, "%s", displayname); -@@ -1937,5 +1974,85 @@ mm_answer_gss_userok(struct ssh *ssh, in +@@ -1954,5 +1991,85 @@ mm_answer_gss_userok(struct ssh *ssh, in /* Monitor loop will terminate if authenticated */ return (authenticated); } @@ -2822,10 +2822,10 @@ Index: openssh-8.8p1/monitor.c + #endif /* GSSAPI */ -Index: openssh-8.8p1/monitor.h +Index: openssh-8.9p1/monitor.h =================================================================== ---- openssh-8.8p1.orig/monitor.h -+++ openssh-8.8p1/monitor.h +--- openssh-8.9p1.orig/monitor.h ++++ openssh-8.9p1/monitor.h @@ -63,6 +63,8 @@ enum monitor_reqtype { MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111, MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113, @@ -2835,10 +2835,10 @@ Index: openssh-8.8p1/monitor.h }; struct ssh; -Index: openssh-8.8p1/monitor_wrap.c +Index: openssh-8.9p1/monitor_wrap.c =================================================================== ---- openssh-8.8p1.orig/monitor_wrap.c -+++ openssh-8.8p1/monitor_wrap.c +--- openssh-8.9p1.orig/monitor_wrap.c ++++ openssh-8.9p1/monitor_wrap.c @@ -999,13 +999,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss } @@ -2914,10 +2914,10 @@ Index: openssh-8.8p1/monitor_wrap.c +} + #endif /* GSSAPI */ -Index: openssh-8.8p1/monitor_wrap.h +Index: openssh-8.9p1/monitor_wrap.h =================================================================== ---- openssh-8.8p1.orig/monitor_wrap.h -+++ openssh-8.8p1/monitor_wrap.h +--- openssh-8.9p1.orig/monitor_wrap.h ++++ openssh-8.9p1/monitor_wrap.h @@ -65,8 +65,10 @@ int mm_sshkey_verify(const struct sshkey OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, 
@@ -2930,10 +2930,10 @@ Index: openssh-8.8p1/monitor_wrap.h #endif #ifdef USE_PAM -Index: openssh-8.8p1/readconf.c +Index: openssh-8.9p1/readconf.c =================================================================== ---- openssh-8.8p1.orig/readconf.c -+++ openssh-8.8p1/readconf.c +--- openssh-8.9p1.orig/readconf.c ++++ openssh-8.9p1/readconf.c @@ -67,6 +67,7 @@ #include "uidswap.h" #include "myproposal.h" @@ -2974,7 +2974,7 @@ Index: openssh-8.8p1/readconf.c #endif #ifdef ENABLE_PKCS11 { "pkcs11provider", oPKCS11Provider }, -@@ -1115,10 +1130,42 @@ parse_time: +@@ -1125,10 +1140,42 @@ parse_time: intptr = &options->gss_authentication; goto parse_flag; @@ -3017,7 +3017,7 @@ Index: openssh-8.8p1/readconf.c case oBatchMode: intptr = &options->batch_mode; goto parse_flag; -@@ -2352,7 +2399,13 @@ initialize_options(Options * options) +@@ -2361,7 +2408,13 @@ initialize_options(Options * options) options->fwd_opts.streamlocal_bind_unlink = -1; options->pubkey_authentication = -1; options->gss_authentication = -1; @@ -3031,8 +3031,8 @@ Index: openssh-8.8p1/readconf.c options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; -@@ -2509,8 +2562,18 @@ fill_default_options(Options * options) - options->pubkey_authentication = 1; +@@ -2518,8 +2571,18 @@ fill_default_options(Options * options) + options->pubkey_authentication = SSH_PUBKEY_AUTH_ALL; if (options->gss_authentication == -1) options->gss_authentication = 0; + if (options->gss_keyex == -1) @@ -3050,7 +3050,7 @@ Index: openssh-8.8p1/readconf.c if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -@@ -3306,7 +3369,14 @@ dump_client_config(Options *o, const cha +@@ -3317,7 +3380,14 @@ dump_client_config(Options *o, const cha dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports); #ifdef GSSAPI dump_cfg_fmtint(oGssAuthentication, o->gss_authentication); 
@@ -3065,10 +3065,10 @@ Index: openssh-8.8p1/readconf.c #endif /* GSSAPI */ dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts); dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication); -Index: openssh-8.8p1/readconf.h +Index: openssh-8.9p1/readconf.h =================================================================== ---- openssh-8.8p1.orig/readconf.h -+++ openssh-8.8p1/readconf.h +--- openssh-8.9p1.orig/readconf.h ++++ openssh-8.9p1/readconf.h @@ -39,7 +39,13 @@ typedef struct { int pubkey_authentication; /* Try ssh2 pubkey authentication. */ int hostbased_authentication; /* ssh2's rhosts_rsa */ @@ -3083,10 +3083,10 @@ Index: openssh-8.8p1/readconf.h int password_authentication; /* Try password * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ -Index: openssh-8.8p1/servconf.c +Index: openssh-8.9p1/servconf.c =================================================================== ---- openssh-8.8p1.orig/servconf.c -+++ openssh-8.8p1/servconf.c +--- openssh-8.9p1.orig/servconf.c ++++ openssh-8.9p1/servconf.c @@ -70,6 +70,7 @@ #include "auth.h" #include "myproposal.h" @@ -3157,7 +3157,7 @@ Index: openssh-8.8p1/servconf.c { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, { "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */ -@@ -1605,6 +1628,10 @@ process_server_config_line_depth(ServerO +@@ -1603,6 +1626,10 @@ process_server_config_line_depth(ServerO intptr = &options->gss_authentication; goto parse_flag; @@ -3168,7 +3168,7 @@ Index: openssh-8.8p1/servconf.c case sGssCleanupCreds: intptr = &options->gss_cleanup_creds; goto parse_flag; -@@ -1613,6 +1640,22 @@ process_server_config_line_depth(ServerO +@@ -1611,6 +1638,22 @@ process_server_config_line_depth(ServerO intptr = &options->gss_strict_acceptor; goto parse_flag; 
@@ -3191,7 +3191,7 @@ Index: openssh-8.8p1/servconf.c case sPasswordAuthentication: intptr = &options->password_authentication; goto parse_flag; -@@ -2921,6 +2964,10 @@ dump_config(ServerOptions *o) +@@ -2918,6 +2961,10 @@ dump_config(ServerOptions *o) #ifdef GSSAPI dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); @@ -3202,10 +3202,10 @@ Index: openssh-8.8p1/servconf.c #endif dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); dump_cfg_fmtint(sKbdInteractiveAuthentication, -Index: openssh-8.8p1/servconf.h +Index: openssh-8.9p1/servconf.h =================================================================== ---- openssh-8.8p1.orig/servconf.h -+++ openssh-8.8p1/servconf.h +--- openssh-8.9p1.orig/servconf.h ++++ openssh-8.9p1/servconf.h @@ -141,8 +141,11 @@ typedef struct { int kerberos_get_afs_token; /* If true, try to get AFS token if * authenticated with Kerberos. */ @@ -3218,11 +3218,11 @@ Index: openssh-8.8p1/servconf.h int password_authentication; /* If true, permit password * authentication. */ int kbd_interactive_authentication; /* If true, permit */ -Index: openssh-8.8p1/session.c +Index: openssh-8.9p1/session.c =================================================================== ---- openssh-8.8p1.orig/session.c -+++ openssh-8.8p1/session.c -@@ -2709,13 +2709,19 @@ do_cleanup(struct ssh *ssh, Authctxt *au +--- openssh-8.9p1.orig/session.c ++++ openssh-8.9p1/session.c +@@ -2708,13 +2708,19 @@ do_cleanup(struct ssh *ssh, Authctxt *au #ifdef KRB5 if (options.kerberos_ticket_cleanup && @@ -3244,10 +3244,10 @@ Index: openssh-8.8p1/session.c #endif /* remove agent socket */ -Index: openssh-8.8p1/ssh-gss.h +Index: openssh-8.9p1/ssh-gss.h =================================================================== ---- openssh-8.8p1.orig/ssh-gss.h -+++ openssh-8.8p1/ssh-gss.h +--- openssh-8.9p1.orig/ssh-gss.h ++++ openssh-8.9p1/ssh-gss.h 
@@ -1,6 +1,6 @@ /* $OpenBSD: ssh-gss.h,v 1.15 2021/01/27 10:05:28 djm Exp $ */ /* @@ -3364,10 +3364,10 @@ Index: openssh-8.8p1/ssh-gss.h #endif /* GSSAPI */ #endif /* _SSH_GSS_H */ -Index: openssh-8.8p1/ssh.1 +Index: openssh-8.9p1/ssh.1 =================================================================== ---- openssh-8.8p1.orig/ssh.1 -+++ openssh-8.8p1/ssh.1 +--- openssh-8.9p1.orig/ssh.1 ++++ openssh-8.9p1/ssh.1 @@ -530,7 +530,13 @@ For full details of the options listed b .It GatewayPorts .It GlobalKnownHostsFile @@ -3391,10 +3391,10 @@ Index: openssh-8.8p1/ssh.1 .Ar key (key types), .Ar key-cert -Index: openssh-8.8p1/ssh.c +Index: openssh-8.9p1/ssh.c =================================================================== ---- openssh-8.8p1.orig/ssh.c -+++ openssh-8.8p1/ssh.c +--- openssh-8.9p1.orig/ssh.c ++++ openssh-8.9p1/ssh.c @@ -781,6 +781,8 @@ main(int ac, char **av) else if (strcmp(optarg, "kex") == 0 || strcasecmp(optarg, "KexAlgorithms") == 0) @@ -3413,10 +3413,10 @@ Index: openssh-8.8p1/ssh.c "key\nkey-cert\nkey-plain\nkey-sig\nmac\n" "protocol-version\nsig"); } -Index: openssh-8.8p1/ssh_config +Index: openssh-8.9p1/ssh_config =================================================================== ---- openssh-8.8p1.orig/ssh_config -+++ openssh-8.8p1/ssh_config +--- openssh-8.9p1.orig/ssh_config ++++ openssh-8.9p1/ssh_config @@ -40,6 +40,8 @@ Host * # HostbasedAuthentication no # GSSAPIAuthentication no @@ -3426,10 +3426,10 @@ Index: openssh-8.8p1/ssh_config # BatchMode no # CheckHostIP yes # AddressFamily any -Index: openssh-8.8p1/ssh_config.5 +Index: openssh-8.9p1/ssh_config.5 =================================================================== ---- openssh-8.8p1.orig/ssh_config.5 -+++ openssh-8.8p1/ssh_config.5 +--- openssh-8.9p1.orig/ssh_config.5 ++++ openssh-8.9p1/ssh_config.5 @@ -835,10 +835,67 @@ The default is Specifies whether user authentication based on GSSAPI is allowed. The default is 
@@ -3498,10 +3498,10 @@ Index: openssh-8.8p1/ssh_config.5 .It Cm HashKnownHosts Indicates that .Xr ssh 1 -Index: openssh-8.8p1/sshconnect2.c +Index: openssh-8.9p1/sshconnect2.c =================================================================== ---- openssh-8.8p1.orig/sshconnect2.c -+++ openssh-8.8p1/sshconnect2.c +--- openssh-8.9p1.orig/sshconnect2.c ++++ openssh-8.9p1/sshconnect2.c @@ -81,8 +81,6 @@ #endif @@ -3725,11 +3725,11 @@ Index: openssh-8.8p1/sshconnect2.c #endif /* GSSAPI */ static int -Index: openssh-8.8p1/sshd.c +Index: openssh-8.9p1/sshd.c =================================================================== ---- openssh-8.8p1.orig/sshd.c -+++ openssh-8.8p1/sshd.c -@@ -817,8 +817,8 @@ notify_hostkeys(struct ssh *ssh) +--- openssh-8.9p1.orig/sshd.c ++++ openssh-8.9p1/sshd.c +@@ -813,8 +813,8 @@ notify_hostkeys(struct ssh *ssh) } debug3_f("sent %u hostkeys", nkeys); if (nkeys == 0) @@ -3740,7 +3740,7 @@ Index: openssh-8.8p1/sshd.c sshpkt_fatal(ssh, r, "%s: send", __func__); sshbuf_free(buf); } -@@ -1912,7 +1912,8 @@ main(int ac, char **av) +@@ -1909,7 +1909,8 @@ main(int ac, char **av) free(fp); } accumulate_host_timing_secret(cfg, NULL); @@ -3750,7 +3750,7 @@ Index: openssh-8.8p1/sshd.c logit("sshd: no hostkeys available -- exiting."); exit(1); } -@@ -2407,6 +2408,48 @@ do_ssh2_kex(struct ssh *ssh) +@@ -2397,6 +2398,48 @@ do_ssh2_kex(struct ssh *ssh) myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( ssh, list_hostkey_types()); @@ -3799,7 +3799,7 @@ Index: openssh-8.8p1/sshd.c /* start key exchange */ if ((r = kex_setup(ssh, myproposal)) != 0) fatal_r(r, "kex_setup"); -@@ -2422,7 +2465,18 @@ do_ssh2_kex(struct ssh *ssh) +@@ -2412,7 +2455,18 @@ do_ssh2_kex(struct ssh *ssh) # ifdef OPENSSL_HAS_ECC kex->kex[KEX_ECDH_SHA2] = kex_gen_server; # endif 
@@ -3819,10 +3819,10 @@ Index: openssh-8.8p1/sshd.c kex->kex[KEX_C25519_SHA256] = kex_gen_server; kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server; kex->load_host_public_key=&get_hostkey_public_by_type; -Index: openssh-8.8p1/sshd_config +Index: openssh-8.9p1/sshd_config =================================================================== ---- openssh-8.8p1.orig/sshd_config -+++ openssh-8.8p1/sshd_config +--- openssh-8.9p1.orig/sshd_config ++++ openssh-8.9p1/sshd_config @@ -69,6 +69,8 @@ AuthorizedKeysFile .ssh/authorized_keys # GSSAPI options #GSSAPIAuthentication no @@ -3832,10 +3832,10 @@ Index: openssh-8.8p1/sshd_config # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will -Index: openssh-8.8p1/sshd_config.5 +Index: openssh-8.9p1/sshd_config.5 =================================================================== ---- openssh-8.8p1.orig/sshd_config.5 -+++ openssh-8.8p1/sshd_config.5 +--- openssh-8.9p1.orig/sshd_config.5 ++++ openssh-8.9p1/sshd_config.5 @@ -652,6 +652,11 @@ Specifies whether to automatically destr on logout. The default is 
@@ -3880,19 +3880,19 @@ Index: openssh-8.8p1/sshd_config.5 .It Cm HostbasedAcceptedAlgorithms Specifies the signature algorithms that will be accepted for hostbased authentication as a list of comma-separated patterns. -Index: openssh-8.8p1/sshkey.c +Index: openssh-8.9p1/sshkey.c =================================================================== ---- openssh-8.8p1.orig/sshkey.c -+++ openssh-8.8p1/sshkey.c -@@ -156,6 +156,7 @@ static const struct keytype keytypes[] = - KEY_ECDSA_SK_CERT, NID_X9_62_prime256v1, 1, 0 }, +--- openssh-8.9p1.orig/sshkey.c ++++ openssh-8.9p1/sshkey.c +@@ -162,6 +162,7 @@ static const struct keytype keytypes[] = + # endif /* ENABLE_SK */ # endif /* OPENSSL_HAS_ECC */ #endif /* WITH_OPENSSL */ + { "null", "null", NULL, KEY_NULL, 0, 0, 0 }, { NULL, NULL, NULL, -1, -1, 0, 0 } }; -@@ -257,7 +258,7 @@ sshkey_alg_list(int certs_only, int plai +@@ -286,7 +287,7 @@ sshkey_alg_list(int certs_only, int plai const struct keytype *kt; for (kt = keytypes; kt->type != -1; kt++) { @@ -3901,10 +3901,10 @@ Index: openssh-8.8p1/sshkey.c continue; if (!include_sigonly && kt->sigonly) continue; -Index: openssh-8.8p1/sshkey.h +Index: openssh-8.9p1/sshkey.h =================================================================== ---- openssh-8.8p1.orig/sshkey.h -+++ openssh-8.8p1/sshkey.h +--- openssh-8.9p1.orig/sshkey.h ++++ openssh-8.9p1/sshkey.h @@ -71,6 +71,7 @@ enum sshkey_types { KEY_ECDSA_SK_CERT, KEY_ED25519_SK, diff --git a/openssh-8.1p1-audit.patch b/openssh-8.1p1-audit.patch index 6364ae9..e56c5dd 100644 --- a/openssh-8.1p1-audit.patch +++ b/openssh-8.1p1-audit.patch 
@@ -1,8 +1,8 @@ -Index: openssh-8.8p1/Makefile.in +Index: openssh-8.9p1/Makefile.in =================================================================== ---- openssh-8.8p1.orig/Makefile.in -+++ openssh-8.8p1/Makefile.in -@@ -114,7 +114,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ +--- openssh-8.9p1.orig/Makefile.in ++++ openssh-8.9p1/Makefile.in +@@ -116,7 +116,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ kexsntrup761x25519.o sntrup761.o kexgen.o \ kexgssc.o \ sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \ @@ -11,10 +11,10 @@ Index: openssh-8.8p1/Makefile.in SKOBJS= ssh-sk-client.o -Index: openssh-8.8p1/audit-bsm.c +Index: openssh-8.9p1/audit-bsm.c =================================================================== ---- openssh-8.8p1.orig/audit-bsm.c -+++ openssh-8.8p1/audit-bsm.c +--- openssh-8.9p1.orig/audit-bsm.c ++++ openssh-8.9p1/audit-bsm.c @@ -373,13 +373,26 @@ audit_connection_from(const char *host, #endif } @@ -85,10 +85,10 @@ Index: openssh-8.8p1/audit-bsm.c + /* not implemented */ +} #endif /* BSM */ -Index: openssh-8.8p1/audit-linux.c +Index: openssh-8.9p1/audit-linux.c =================================================================== ---- openssh-8.8p1.orig/audit-linux.c -+++ openssh-8.8p1/audit-linux.c +--- openssh-8.9p1.orig/audit-linux.c ++++ openssh-8.9p1/audit-linux.c @@ -33,27 +33,40 @@ #include "log.h" @@ -459,10 +459,10 @@ Index: openssh-8.8p1/audit-linux.c + error("cannot write into audit"); +} #endif /* USE_LINUX_AUDIT */ -Index: openssh-8.8p1/audit.c +Index: openssh-8.9p1/audit.c =================================================================== ---- openssh-8.8p1.orig/audit.c -+++ openssh-8.8p1/audit.c +--- openssh-8.9p1.orig/audit.c ++++ openssh-8.9p1/audit.c @@ -34,6 +34,12 @@ #include "log.h" #include "hostfile.h" 
@@ -640,10 +640,10 @@ Index: openssh-8.8p1/audit.c } # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */ -Index: openssh-8.8p1/audit.h +Index: openssh-8.9p1/audit.h =================================================================== ---- openssh-8.8p1.orig/audit.h -+++ openssh-8.8p1/audit.h +--- openssh-8.9p1.orig/audit.h ++++ openssh-8.9p1/audit.h @@ -26,6 +26,7 @@ # define _SSH_AUDIT_H @@ -686,10 +686,10 @@ Index: openssh-8.8p1/audit.h +void audit_destroy_sensitive_data(struct ssh *, const char *, pid_t, uid_t); #endif /* _SSH_AUDIT_H */ -Index: openssh-8.8p1/auditstub.c +Index: openssh-8.9p1/auditstub.c =================================================================== --- /dev/null -+++ openssh-8.8p1/auditstub.c ++++ openssh-8.9p1/auditstub.c @@ -0,0 +1,52 @@ +/* $Id: auditstub.c,v 1.1 jfch Exp $ */ + @@ -743,10 +743,10 @@ Index: openssh-8.8p1/auditstub.c +audit_session_key_free_body(struct ssh *ssh, int ctos, pid_t pid, uid_t uid) +{ +} -Index: openssh-8.8p1/auth.c +Index: openssh-8.9p1/auth.c =================================================================== ---- openssh-8.8p1.orig/auth.c -+++ openssh-8.8p1/auth.c +--- openssh-8.9p1.orig/auth.c ++++ openssh-8.9p1/auth.c @@ -599,9 +599,6 @@ getpwnamallow(struct ssh *ssh, const cha record_failed_login(ssh, user, auth_get_canonical_hostname(ssh, options.use_dns), "ssh"); @@ -757,11 +757,11 @@ Index: openssh-8.8p1/auth.c return (NULL); } if (!allowed_user(ssh, pw)) -Index: openssh-8.8p1/auth.h +Index: openssh-8.9p1/auth.h =================================================================== ---- openssh-8.8p1.orig/auth.h -+++ openssh-8.8p1/auth.h -@@ -189,6 +189,8 @@ struct passwd * getpwnamallow(struct ssh +--- openssh-8.9p1.orig/auth.h ++++ openssh-8.9p1/auth.h +@@ -190,6 +190,8 @@ struct passwd * getpwnamallow(struct ssh char *expand_authorized_keys(const char *, struct passwd *pw); char *authorized_principals_file(struct passwd *); 
@@ -770,7 +770,7 @@ Index: openssh-8.8p1/auth.h FILE *auth_openkeyfile(const char *, struct passwd *, int); FILE *auth_openprincipals(const char *, struct passwd *, int); -@@ -208,6 +210,8 @@ struct sshkey *get_hostkey_private_by_ty +@@ -209,6 +211,8 @@ struct sshkey *get_hostkey_private_by_ty int get_hostkey_index(struct sshkey *, int, struct ssh *); int sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *, u_char **, size_t *, const u_char *, size_t, const char *); @@ -779,11 +779,11 @@ Index: openssh-8.8p1/auth.h /* Key / cert options linkage to auth layer */ const struct sshauthopt *auth_options(struct ssh *); -Index: openssh-8.8p1/auth2-hostbased.c +Index: openssh-8.9p1/auth2-hostbased.c =================================================================== ---- openssh-8.8p1.orig/auth2-hostbased.c -+++ openssh-8.8p1/auth2-hostbased.c -@@ -149,7 +149,7 @@ userauth_hostbased(struct ssh *ssh) +--- openssh-8.9p1.orig/auth2-hostbased.c ++++ openssh-8.9p1/auth2-hostbased.c +@@ -149,7 +149,7 @@ userauth_hostbased(struct ssh *ssh, cons authenticated = 0; if (PRIVSEP(hostbased_key_allowed(ssh, authctxt->pw, cuser, chost, key)) && @@ -812,11 +812,11 @@ Index: openssh-8.8p1/auth2-hostbased.c /* return 1 if given hostkey is allowed */ int hostbased_key_allowed(struct ssh *ssh, struct passwd *pw, -Index: openssh-8.8p1/auth2-pubkey.c +Index: openssh-8.9p1/auth2-pubkey.c =================================================================== ---- openssh-8.8p1.orig/auth2-pubkey.c -+++ openssh-8.8p1/auth2-pubkey.c -@@ -203,7 +203,7 @@ userauth_pubkey(struct ssh *ssh) +--- openssh-8.9p1.orig/auth2-pubkey.c ++++ openssh-8.9p1/auth2-pubkey.c +@@ -223,7 +223,7 @@ userauth_pubkey(struct ssh *ssh, const c /* test for correct signature */ authenticated = 0; if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) && 
@@ -825,7 +825,7 @@ Index: openssh-8.8p1/auth2-pubkey.c sshbuf_ptr(b), sshbuf_len(b), (ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL, ssh->compat, &sig_details)) == 0) { -@@ -295,6 +295,19 @@ done: +@@ -316,6 +316,19 @@ done: return authenticated; } @@ -845,12 +845,12 @@ Index: openssh-8.8p1/auth2-pubkey.c static int match_principals_option(const char *principal_list, struct sshkey_cert *cert) { -Index: openssh-8.8p1/auth2.c +Index: openssh-8.9p1/auth2.c =================================================================== ---- openssh-8.8p1.orig/auth2.c -+++ openssh-8.8p1/auth2.c -@@ -290,9 +290,6 @@ input_userauth_request(int type, u_int32 - } else { +--- openssh-8.9p1.orig/auth2.c ++++ openssh-8.9p1/auth2.c +@@ -294,9 +294,6 @@ input_userauth_request(int type, u_int32 + authctxt->valid = 0; /* Invalid user, fake password information */ authctxt->pw = fakepw(); -#ifdef SSH_AUDIT_EVENTS @@ -859,10 +859,10 @@ Index: openssh-8.8p1/auth2.c } #ifdef USE_PAM if (options.use_pam) -Index: openssh-8.8p1/cipher.c +Index: openssh-8.9p1/cipher.c =================================================================== ---- openssh-8.8p1.orig/cipher.c -+++ openssh-8.8p1/cipher.c +--- openssh-8.9p1.orig/cipher.c ++++ openssh-8.9p1/cipher.c @@ -58,25 +58,6 @@ #define EVP_CIPHER_CTX void #endif @@ -898,10 +898,10 @@ Index: openssh-8.8p1/cipher.c return; if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) { chachapoly_free(cc->cp_ctx); -Index: openssh-8.8p1/cipher.h +Index: openssh-8.9p1/cipher.h =================================================================== ---- openssh-8.8p1.orig/cipher.h -+++ openssh-8.8p1/cipher.h +--- openssh-8.9p1.orig/cipher.h ++++ openssh-8.9p1/cipher.h @@ -47,7 +47,25 @@ #define CIPHER_ENCRYPT 1 #define CIPHER_DECRYPT 0 
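Review bot: The invalid-user audit event removed after `authctxt->pw = fakepw();` in this auth2.c hunk (and at the parallel `getpwnamallow` site in the auth.c hunk earlier in this diff) has no visible replacement anywhere in the rebased hunks, and the refreshed context shows 8.9p1 now sets `authctxt->valid = 0;` explicitly on this path, so this rebase is the point to re-confirm the event still fires for the 8.9p1 control flow. If, as it appears, the audit patch emits SSH_INVALID_USER from the monitor side instead, leave a pointer at the removal site such as `/* SSH_INVALID_USER is audited by the monitor, not here */` naming the function that now does it, so the next rebase does not silently lose the record. input_userauth_request's body starts and ends outside this hunk.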
@@ -929,10 +929,10 @@ Index: openssh-8.8p1/cipher.h struct sshcipher_ctx { int plaintext; int encrypt; -Index: openssh-8.8p1/kex.c +Index: openssh-8.9p1/kex.c =================================================================== ---- openssh-8.8p1.orig/kex.c -+++ openssh-8.8p1/kex.c +--- openssh-8.9p1.orig/kex.c ++++ openssh-8.9p1/kex.c @@ -62,6 +62,7 @@ #include "ssherr.h" #include "sshbuf.h" @@ -941,7 +941,7 @@ Index: openssh-8.8p1/kex.c #ifdef GSSAPI #include "ssh-gss.h" -@@ -859,12 +860,16 @@ kex_start_rekex(struct ssh *ssh) +@@ -879,12 +880,16 @@ kex_start_rekex(struct ssh *ssh) } static int @@ -960,7 +960,7 @@ Index: openssh-8.8p1/kex.c if ((enc->cipher = cipher_by_name(name)) == NULL) { error_f("unsupported cipher %s", name); free(name); -@@ -885,8 +890,12 @@ choose_mac(struct ssh *ssh, struct sshma +@@ -905,8 +910,12 @@ choose_mac(struct ssh *ssh, struct sshma { char *name = match_list(client, server, NULL); @@ -974,7 +974,7 @@ Index: openssh-8.8p1/kex.c if (mac_setup(mac, name) < 0) { error_f("unsupported MAC %s", name); free(name); -@@ -899,12 +908,16 @@ choose_mac(struct ssh *ssh, struct sshma +@@ -919,12 +928,16 @@ choose_mac(struct ssh *ssh, struct sshma } static int @@ -993,7 +993,7 @@ Index: openssh-8.8p1/kex.c #ifdef WITH_ZLIB if (strcmp(name, "zlib@openssh.com") == 0) { comp->type = COMP_DELAYED; -@@ -1045,7 +1058,7 @@ kex_choose_conf(struct ssh *ssh) +@@ -1087,7 +1100,7 @@ kex_choose_conf(struct ssh *ssh) nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC; nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC; ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC; @@ -1002,7 +1002,7 @@ Index: openssh-8.8p1/kex.c sprop[nenc])) != 0) { kex->failed_choice = peer[nenc]; peer[nenc] = NULL; -@@ -1060,7 +1073,7 @@ kex_choose_conf(struct ssh *ssh) +@@ -1102,7 +1115,7 @@ kex_choose_conf(struct ssh *ssh) peer[nmac] = NULL; goto out; } 
@@ -1011,7 +1011,7 @@ Index: openssh-8.8p1/kex.c sprop[ncomp])) != 0) { kex->failed_choice = peer[ncomp]; peer[ncomp] = NULL; -@@ -1083,6 +1096,10 @@ kex_choose_conf(struct ssh *ssh) +@@ -1125,6 +1138,10 @@ kex_choose_conf(struct ssh *ssh) dh_need = MAXIMUM(dh_need, newkeys->enc.block_size); dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len); dh_need = MAXIMUM(dh_need, newkeys->mac.key_len); @@ -1022,7 +1022,7 @@ Index: openssh-8.8p1/kex.c } /* XXX need runden? */ kex->we_need = need; -@@ -1250,6 +1267,36 @@ dump_digest(const char *msg, const u_cha +@@ -1292,6 +1309,36 @@ dump_digest(const char *msg, const u_cha } #endif @@ -1059,11 +1059,11 @@ Index: openssh-8.8p1/kex.c /* * Send a plaintext error message to the peer, suffixed by \r\n. * Only used during banner exchange, and there only for the server. -Index: openssh-8.8p1/kex.h +Index: openssh-8.9p1/kex.h =================================================================== ---- openssh-8.8p1.orig/kex.h -+++ openssh-8.8p1/kex.h -@@ -226,6 +226,8 @@ int kexgss_client(struct ssh *); +--- openssh-8.9p1.orig/kex.h ++++ openssh-8.9p1/kex.h +@@ -233,6 +233,8 @@ int kexgss_client(struct ssh *); int kexgss_server(struct ssh *); #endif @@ -1072,10 +1072,10 @@ Index: openssh-8.8p1/kex.h int kex_dh_keypair(struct kex *); int kex_dh_enc(struct kex *, const struct sshbuf *, struct sshbuf **, struct sshbuf **); -Index: openssh-8.8p1/mac.c +Index: openssh-8.9p1/mac.c =================================================================== ---- openssh-8.8p1.orig/mac.c -+++ openssh-8.8p1/mac.c +--- openssh-8.9p1.orig/mac.c ++++ openssh-8.9p1/mac.c @@ -277,6 +277,20 @@ mac_clear(struct sshmac *mac) mac->umac_ctx = NULL; } 
@@ -1097,10 +1097,10 @@ Index: openssh-8.8p1/mac.c /* XXX copied from ciphers_valid */ #define MAC_SEP "," int -Index: openssh-8.8p1/mac.h +Index: openssh-8.9p1/mac.h =================================================================== ---- openssh-8.8p1.orig/mac.h -+++ openssh-8.8p1/mac.h +--- openssh-8.9p1.orig/mac.h ++++ openssh-8.9p1/mac.h @@ -49,5 +49,6 @@ int mac_compute(struct sshmac *, u_int3 int mac_check(struct sshmac *, u_int32_t, const u_char *, size_t, const u_char *, size_t); @@ -1108,10 +1108,10 @@ Index: openssh-8.8p1/mac.h +void mac_destroy(struct sshmac *); #endif /* SSHMAC_H */ -Index: openssh-8.8p1/monitor.c +Index: openssh-8.9p1/monitor.c =================================================================== ---- openssh-8.8p1.orig/monitor.c -+++ openssh-8.8p1/monitor.c +--- openssh-8.9p1.orig/monitor.c ++++ openssh-8.9p1/monitor.c @@ -93,6 +93,7 @@ #include "compat.h" #include "ssh2.h" @@ -1164,7 +1164,7 @@ Index: openssh-8.8p1/monitor.c #endif {0, 0, NULL} }; -@@ -1403,8 +1420,10 @@ mm_answer_keyverify(struct ssh *ssh, int +@@ -1419,8 +1436,10 @@ mm_answer_keyverify(struct ssh *ssh, int int r, ret, req_presence = 0, req_verify = 0, valid_data = 0; int encoded_ret; struct sshkey_sig_details *sig_details = NULL; @@ -1176,7 +1176,7 @@ Index: openssh-8.8p1/monitor.c (r = sshbuf_get_string_direct(m, &signature, &signaturelen)) != 0 || (r = sshbuf_get_string_direct(m, &data, &datalen)) != 0 || (r = sshbuf_get_cstring(m, &sigalg, NULL)) != 0) -@@ -1413,6 +1432,8 @@ mm_answer_keyverify(struct ssh *ssh, int +@@ -1429,6 +1448,8 @@ mm_answer_keyverify(struct ssh *ssh, int if (hostbased_cuser == NULL || hostbased_chost == NULL || !monitor_allowed_key(blob, bloblen)) fatal_f("bad key, not previously allowed"); 
@@ -1185,7 +1185,7 @@ Index: openssh-8.8p1/monitor.c /* Empty signature algorithm means NULL. */ if (*sigalg == '\0') { -@@ -1428,14 +1449,19 @@ mm_answer_keyverify(struct ssh *ssh, int +@@ -1444,14 +1465,19 @@ mm_answer_keyverify(struct ssh *ssh, int case MM_USERKEY: valid_data = monitor_valid_userblob(ssh, data, datalen); auth_method = "publickey"; @@ -1205,16 +1205,16 @@ Index: openssh-8.8p1/monitor.c break; } if (!valid_data) -@@ -1447,8 +1473,6 @@ mm_answer_keyverify(struct ssh *ssh, int +@@ -1463,8 +1489,6 @@ mm_answer_keyverify(struct ssh *ssh, int SSH_FP_DEFAULT)) == NULL) fatal_f("sshkey_fingerprint failed"); - ret = sshkey_verify(key, signature, signaturelen, data, datalen, - sigalg, ssh->compat, &sig_details); - debug3_f("%s %s signature %s%s%s", auth_method, sshkey_type(key), + debug3_f("%s %s signature using %s %s%s%s", auth_method, + sshkey_type(key), sigalg == NULL ? "default" : sigalg, (ret == 0) ? "verified" : "unverified", - (ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : ""); -@@ -1535,13 +1559,19 @@ mm_record_login(struct ssh *ssh, Session +@@ -1552,13 +1576,19 @@ mm_record_login(struct ssh *ssh, Session } static void @@ -1235,7 +1235,7 @@ Index: openssh-8.8p1/monitor.c session_unused(s->self); } -@@ -1608,7 +1638,7 @@ mm_answer_pty(struct ssh *ssh, int sock, +@@ -1625,7 +1655,7 @@ mm_answer_pty(struct ssh *ssh, int sock, error: if (s != NULL) @@ -1244,7 +1244,7 @@ Index: openssh-8.8p1/monitor.c if ((r = sshbuf_put_u32(m, 0)) != 0) fatal_fr(r, "assemble 0"); mm_request_send(sock, MONITOR_ANS_PTY, m); -@@ -1627,7 +1657,7 @@ mm_answer_pty_cleanup(struct ssh *ssh, i +@@ -1644,7 +1674,7 @@ mm_answer_pty_cleanup(struct ssh *ssh, i if ((r = sshbuf_get_cstring(m, &tty, NULL)) != 0) fatal_fr(r, "parse tty"); if ((s = session_by_tty(tty)) != NULL) 
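Review bot: With the `ret = sshkey_verify(...)` assignment removed from just above the refreshed `debug3_f("%s %s signature using %s %s%s%s", ...)` call, `ret` is only assigned inside the switch cases of the `@@ -1444,14 +1465,19 @@` hunk (its `+` lines are not visible here), while the declaration in the earlier `@@ -1419,8 +1436,10 @@` hunk still reads `int r, ret, req_presence = 0, req_verify = 0, valid_data = 0;`, leaving `ret` uninitialized on any path that reaches the logging and the later `encoded_ret` without passing through a verifying case. Today that appears to be fenced by the `if (!valid_data)` fatal after the switch, but an uninitialized `ret` that happens to be zero would be reported by the monitor as a verified signature, so it is worth closing defensively in the declaration: `int r, ret = SSH_ERR_SIGNATURE_INVALID, req_presence = 0, req_verify = 0, valid_data = 0;`. mm_answer_keyverify spans several hunks and its start and end are outside this one.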
@@ -1253,7 +1253,7 @@ Index: openssh-8.8p1/monitor.c sshbuf_reset(m); free(tty); return (0); -@@ -1649,6 +1679,8 @@ mm_answer_term(struct ssh *ssh, int sock +@@ -1666,6 +1696,8 @@ mm_answer_term(struct ssh *ssh, int sock sshpam_cleanup(); #endif @@ -1262,7 +1262,7 @@ Index: openssh-8.8p1/monitor.c while (waitpid(pmonitor->m_pid, &status, 0) == -1) if (errno != EINTR) exit(1); -@@ -1695,12 +1727,47 @@ mm_answer_audit_command(struct ssh *ssh, +@@ -1712,12 +1744,47 @@ mm_answer_audit_command(struct ssh *ssh, { char *cmd; int r; @@ -1311,7 +1311,7 @@ Index: openssh-8.8p1/monitor.c free(cmd); return (0); } -@@ -1772,6 +1839,7 @@ monitor_apply_keystate(struct ssh *ssh, +@@ -1789,6 +1856,7 @@ monitor_apply_keystate(struct ssh *ssh, void mm_get_keystate(struct ssh *ssh, struct monitor *pmonitor) { @@ -1319,7 +1319,7 @@ Index: openssh-8.8p1/monitor.c debug3_f("Waiting for new keys"); if ((child_state = sshbuf_new()) == NULL) -@@ -1779,6 +1847,18 @@ mm_get_keystate(struct ssh *ssh, struct +@@ -1796,6 +1864,18 @@ mm_get_keystate(struct ssh *ssh, struct mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT, child_state); debug3_f("GOT new keys"); @@ -1338,7 +1338,7 @@ Index: openssh-8.8p1/monitor.c } -@@ -2056,3 +2136,102 @@ mm_answer_gss_updatecreds(struct ssh *ss +@@ -2073,3 +2153,102 @@ mm_answer_gss_updatecreds(struct ssh *ss #endif /* GSSAPI */ @@ -1441,10 +1441,10 @@ Index: openssh-8.8p1/monitor.c + return 0; +} +#endif /* SSH_AUDIT_EVENTS */ -Index: openssh-8.8p1/monitor.h +Index: openssh-8.9p1/monitor.h =================================================================== ---- openssh-8.8p1.orig/monitor.h -+++ openssh-8.8p1/monitor.h +--- openssh-8.9p1.orig/monitor.h ++++ openssh-8.9p1/monitor.h @@ -61,7 +61,13 @@ enum monitor_reqtype { MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107, MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109, 
@@ -1460,10 +1460,10 @@ Index: openssh-8.8p1/monitor.h MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151, MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153, -Index: openssh-8.8p1/monitor_wrap.c +Index: openssh-8.9p1/monitor_wrap.c =================================================================== ---- openssh-8.8p1.orig/monitor_wrap.c -+++ openssh-8.8p1/monitor_wrap.c +--- openssh-8.9p1.orig/monitor_wrap.c ++++ openssh-8.9p1/monitor_wrap.c @@ -499,7 +499,7 @@ mm_key_allowed(enum mm_keytype type, con */ @@ -1634,10 +1634,10 @@ Index: openssh-8.8p1/monitor_wrap.c + sshbuf_free(m); +} +#endif /* SSH_AUDIT_EVENTS */ -Index: openssh-8.8p1/monitor_wrap.h +Index: openssh-8.9p1/monitor_wrap.h =================================================================== ---- openssh-8.8p1.orig/monitor_wrap.h -+++ openssh-8.8p1/monitor_wrap.h +--- openssh-8.9p1.orig/monitor_wrap.h ++++ openssh-8.9p1/monitor_wrap.h @@ -58,7 +58,9 @@ int mm_user_key_allowed(struct ssh *, st struct sshauthopt **); int mm_hostbased_key_allowed(struct ssh *, struct passwd *, const char *, @@ -1663,10 +1663,10 @@ Index: openssh-8.8p1/monitor_wrap.h #endif struct Session; -Index: openssh-8.8p1/packet.c +Index: openssh-8.9p1/packet.c =================================================================== ---- openssh-8.8p1.orig/packet.c -+++ openssh-8.8p1/packet.c +--- openssh-8.9p1.orig/packet.c ++++ openssh-8.9p1/packet.c @@ -81,6 +81,7 @@ #endif @@ -1744,7 +1744,7 @@ Index: openssh-8.8p1/packet.c state->newkeys[mode] = NULL; } /* note that both bytes and the seqnr are not reset */ -@@ -2178,6 +2194,73 @@ ssh_packet_get_output(struct ssh *ssh) +@@ -2183,6 +2199,73 @@ ssh_packet_get_output(struct ssh *ssh) return (void *)ssh->state->output; } 
@@ -1818,21 +1818,21 @@ Index: openssh-8.8p1/packet.c /* Reset after_authentication and reset compression in post-auth privsep */ static int ssh_packet_set_postauth(struct ssh *ssh) -Index: openssh-8.8p1/packet.h +Index: openssh-8.9p1/packet.h =================================================================== ---- openssh-8.8p1.orig/packet.h -+++ openssh-8.8p1/packet.h -@@ -219,4 +219,5 @@ const u_char *sshpkt_ptr(struct ssh *, s +--- openssh-8.9p1.orig/packet.h ++++ openssh-8.9p1/packet.h +@@ -220,4 +220,5 @@ const u_char *sshpkt_ptr(struct ssh *, s # undef EC_POINT #endif +void packet_destroy_all(struct ssh *, int, int); #endif /* PACKET_H */ -Index: openssh-8.8p1/session.c +Index: openssh-8.9p1/session.c =================================================================== ---- openssh-8.8p1.orig/session.c -+++ openssh-8.8p1/session.c -@@ -136,7 +136,7 @@ extern char *__progname; +--- openssh-8.9p1.orig/session.c ++++ openssh-8.9p1/session.c +@@ -135,7 +135,7 @@ extern char *__progname; extern int debug_flag; extern u_int utmp_len; extern int startup_pipe; @@ -1841,7 +1841,7 @@ Index: openssh-8.8p1/session.c extern struct sshbuf *loginmsg; extern struct sshauthopt *auth_opts; extern char *tun_fwd_ifnames; /* serverloop.c */ -@@ -643,6 +643,14 @@ do_exec_pty(struct ssh *ssh, Session *s, +@@ -642,6 +642,14 @@ do_exec_pty(struct ssh *ssh, Session *s, /* Parent. Close the slave side of the pseudo tty. */ close(ttyfd); @@ -1856,7 +1856,7 @@ Index: openssh-8.8p1/session.c /* Enter interactive session. */ s->ptymaster = ptymaster; ssh_packet_set_interactive(ssh, 1, -@@ -707,15 +715,19 @@ do_exec(struct ssh *ssh, Session *s, con +@@ -706,15 +714,19 @@ do_exec(struct ssh *ssh, Session *s, con s->self); #ifdef SSH_AUDIT_EVENTS 
@@ -1878,7 +1878,7 @@ Index: openssh-8.8p1/session.c #endif if (s->ttyfd != -1) ret = do_exec_pty(ssh, s, command); -@@ -1534,8 +1546,11 @@ do_child(struct ssh *ssh, Session *s, co +@@ -1533,8 +1545,11 @@ do_child(struct ssh *ssh, Session *s, co sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id)); /* remove hostkey from the child's memory */ @@ -1891,7 +1891,7 @@ Index: openssh-8.8p1/session.c /* Force a password change */ if (s->authctxt->force_pwchange) { -@@ -1744,6 +1759,9 @@ session_unused(int id) +@@ -1743,6 +1758,9 @@ session_unused(int id) sessions[id].ttyfd = -1; sessions[id].ptymaster = -1; sessions[id].x11_chanids = NULL; @@ -1901,7 +1901,7 @@ Index: openssh-8.8p1/session.c sessions[id].next_unused = sessions_first_unused; sessions_first_unused = id; } -@@ -1823,6 +1841,19 @@ session_open(Authctxt *authctxt, int cha +@@ -1822,6 +1840,19 @@ session_open(Authctxt *authctxt, int cha } Session * @@ -1921,7 +1921,7 @@ Index: openssh-8.8p1/session.c session_by_tty(char *tty) { int i; -@@ -2430,6 +2461,32 @@ session_exit_message(struct ssh *ssh, Se +@@ -2429,6 +2460,32 @@ session_exit_message(struct ssh *ssh, Se chan_write_failed(ssh, c); } @@ -1954,7 +1954,7 @@ Index: openssh-8.8p1/session.c void session_close(struct ssh *ssh, Session *s) { -@@ -2471,6 +2528,10 @@ session_close(struct ssh *ssh, Session * +@@ -2470,6 +2527,10 @@ session_close(struct ssh *ssh, Session * if (s->ttyfd != -1) session_pty_cleanup(s); @@ -1965,7 +1965,7 @@ Index: openssh-8.8p1/session.c free(s->term); free(s->display); free(s->x11_chanids); -@@ -2545,14 +2606,14 @@ session_close_by_channel(struct ssh *ssh +@@ -2544,14 +2605,14 @@ session_close_by_channel(struct ssh *ssh } void @@ -1982,7 +1982,7 @@ Index: openssh-8.8p1/session.c else session_close(ssh, s); } -@@ -2678,6 +2739,15 @@ do_authenticated2(struct ssh *ssh, Authc +@@ -2677,6 +2738,15 @@ do_authenticated2(struct ssh *ssh, Authc server_loop2(ssh, authctxt); } 
@@ -1998,7 +1998,7 @@ Index: openssh-8.8p1/session.c void do_cleanup(struct ssh *ssh, Authctxt *authctxt) { -@@ -2741,7 +2811,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au +@@ -2740,7 +2810,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au * or if running in monitor. */ if (!use_privsep || mm_is_monitor()) @@ -2007,10 +2007,10 @@ Index: openssh-8.8p1/session.c } /* Return a name for the remote host that fits inside utmp_size */ -Index: openssh-8.8p1/session.h +Index: openssh-8.9p1/session.h =================================================================== ---- openssh-8.8p1.orig/session.h -+++ openssh-8.8p1/session.h +--- openssh-8.9p1.orig/session.h ++++ openssh-8.9p1/session.h @@ -61,6 +61,12 @@ struct Session { char *name; char *val; @@ -2038,11 +2038,11 @@ Index: openssh-8.8p1/session.h Session *session_by_tty(char *); void session_close(struct ssh *, Session *); void do_setusercontext(struct passwd *); -Index: openssh-8.8p1/sshd.c +Index: openssh-8.9p1/sshd.c =================================================================== ---- openssh-8.8p1.orig/sshd.c -+++ openssh-8.8p1/sshd.c -@@ -122,6 +122,7 @@ +--- openssh-8.9p1.orig/sshd.c ++++ openssh-8.9p1/sshd.c +@@ -125,6 +125,7 @@ #include "ssh-gss.h" #endif #include "monitor_wrap.h" @@ -2050,7 +2050,7 @@ Index: openssh-8.8p1/sshd.c #include "ssh-sandbox.h" #include "auth-options.h" #include "version.h" -@@ -262,8 +263,8 @@ struct sshbuf *loginmsg; +@@ -265,8 +266,8 @@ struct sshbuf *loginmsg; struct passwd *privsep_pw = NULL; /* Prototypes for various functions defined later in this file. */ @@ -2061,8 +2061,8 @@ Index: openssh-8.8p1/sshd.c static void do_ssh2_kex(struct ssh *); static char *listener_proctitle; -@@ -281,6 +282,15 @@ close_listen_socks(void) - num_listen_socks = -1; +@@ -284,6 +285,15 @@ close_listen_socks(void) + num_listen_socks = 0; } +/* 
@@ -2077,8 +2077,8 @@ Index: openssh-8.8p1/sshd.c static void close_startup_pipes(void) { -@@ -386,18 +396,45 @@ grace_alarm_handler(int sig) - } +@@ -382,18 +392,45 @@ grace_alarm_handler(int sig) + ssh_remote_port(the_active_state)); } -/* Destroy the host and server keys. They will no longer be needed. */ @@ -2126,7 +2126,7 @@ Index: openssh-8.8p1/sshd.c sshkey_free(sensitive_data.host_certificates[i]); sensitive_data.host_certificates[i] = NULL; } -@@ -406,20 +443,38 @@ destroy_sensitive_data(void) +@@ -402,20 +439,38 @@ destroy_sensitive_data(void) /* Demote private to public keys for network child */ void @@ -2166,7 +2166,7 @@ Index: openssh-8.8p1/sshd.c } /* Certs do not need demotion */ } -@@ -447,7 +502,7 @@ reseed_prngs(void) +@@ -443,7 +498,7 @@ reseed_prngs(void) } static void @@ -2175,7 +2175,7 @@ Index: openssh-8.8p1/sshd.c { gid_t gidset[1]; -@@ -462,7 +517,7 @@ privsep_preauth_child(void) +@@ -458,7 +513,7 @@ privsep_preauth_child(void) reseed_prngs(); /* Demote the private keys to public keys. */ @@ -2184,7 +2184,7 @@ Index: openssh-8.8p1/sshd.c /* Demote the child */ if (privsep_chroot) { -@@ -497,7 +552,7 @@ privsep_preauth(struct ssh *ssh) +@@ -493,7 +548,7 @@ privsep_preauth(struct ssh *ssh) if (use_privsep == PRIVSEP_ON) box = ssh_sandbox_init(pmonitor); @@ -2193,7 +2193,7 @@ Index: openssh-8.8p1/sshd.c if (pid == -1) { fatal("fork of unprivileged child failed"); } else if (pid != 0) { -@@ -542,7 +597,7 @@ privsep_preauth(struct ssh *ssh) +@@ -538,7 +593,7 @@ privsep_preauth(struct ssh *ssh) /* Arrange for logging to be sent to the monitor */ set_log_handler(mm_log_handler, pmonitor); @@ -2202,7 +2202,7 @@ Index: openssh-8.8p1/sshd.c setproctitle("%s", "[net]"); if (box != NULL) ssh_sandbox_child(box); -@@ -586,7 +641,7 @@ privsep_postauth(struct ssh *ssh, Authct +@@ -582,7 +637,7 @@ privsep_postauth(struct ssh *ssh, Authct pmonitor->m_sendfd = -1; /* Demote the private keys to public keys. */ 
@@ -2211,16 +2211,16 @@ Index: openssh-8.8p1/sshd.c reseed_prngs(); -@@ -1140,7 +1195,7 @@ server_listen(void) +@@ -1136,7 +1191,7 @@ server_listen(void) * from this function are in a forked subprocess. */ static void -server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) +server_accept_loop(struct ssh *ssh, int *sock_in, int *sock_out, int *newsock, int *config_s) { - fd_set *fdset; - int i, j, ret, maxfd; -@@ -1186,6 +1241,7 @@ server_accept_loop(int *sock_in, int *so + struct pollfd *pfd = NULL; + int i, j, ret; +@@ -1179,6 +1234,7 @@ server_accept_loop(int *sock_in, int *so if (received_sigterm) { logit("Received signal %d; terminating.", (int) received_sigterm); @@ -2228,7 +2228,7 @@ Index: openssh-8.8p1/sshd.c close_listen_socks(); if (options.pid_file != NULL) unlink(options.pid_file); -@@ -2091,7 +2147,7 @@ main(int ac, char **av) +@@ -2088,7 +2144,7 @@ main(int ac, char **av) #endif /* Accept a connection and return in a forked child */ @@ -2237,7 +2237,7 @@ Index: openssh-8.8p1/sshd.c &newsock, config_s); } -@@ -2321,6 +2377,9 @@ main(int ac, char **av) +@@ -2311,6 +2367,9 @@ main(int ac, char **av) do_authenticated(ssh, authctxt); /* The connection has been terminated. */ @@ -2247,7 +2247,7 @@ Index: openssh-8.8p1/sshd.c ssh_packet_get_bytes(ssh, &ibytes, &obytes); verbose("Transferred: sent %llu, received %llu bytes", (unsigned long long)obytes, (unsigned long long)ibytes); -@@ -2501,6 +2560,15 @@ do_ssh2_kex(struct ssh *ssh) +@@ -2491,6 +2550,15 @@ do_ssh2_kex(struct ssh *ssh) void cleanup_exit(int i) { @@ -2263,7 +2263,7 @@ Index: openssh-8.8p1/sshd.c if (the_active_state != NULL && the_authctxt != NULL) { do_cleanup(the_active_state, the_authctxt); if (use_privsep && privsep_is_preauth && -@@ -2513,9 +2581,16 @@ cleanup_exit(int i) +@@ -2503,9 +2571,16 @@ cleanup_exit(int i) } } } 
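Review bot: The rebased hunk at `+@@ -1179,6 +1234,7 @@ server_accept_loop` moves only the offset of the patch's one-line insertion in the `received_sigterm` branch, while the 8.9p1 changelog added in this same commit lists "sshd(8): fix potential race in SIGTERM handling PR289" and the updated context (`struct pollfd *pfd = NULL;` replacing `fd_set *fdset;`) shows the accept loop was rewritten around it. The inserted line itself falls outside the outer hunk's context, so whether it still runs before `close_listen_socks()` in the reworked handler cannot be confirmed from here; please check the rebased patch body against upstream 8.9p1's server_accept_loop rather than relying on the offset-only rebase applying cleanly. server_accept_loop's body starts and ends outside this hunk.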
@@ -2281,11 +2281,11 @@ Index: openssh-8.8p1/sshd.c audit_event(the_active_state, SSH_CONNECTION_ABANDON); #endif _exit(i); -Index: openssh-8.8p1/sshkey.c +Index: openssh-8.9p1/sshkey.c =================================================================== ---- openssh-8.8p1.orig/sshkey.c -+++ openssh-8.8p1/sshkey.c -@@ -371,6 +371,38 @@ sshkey_type_is_valid_ca(int type) +--- openssh-8.9p1.orig/sshkey.c ++++ openssh-8.9p1/sshkey.c +@@ -400,6 +400,38 @@ sshkey_type_is_valid_ca(int type) } int @@ -2324,10 +2324,10 @@ Index: openssh-8.8p1/sshkey.c sshkey_is_cert(const struct sshkey *k) { if (k == NULL) -Index: openssh-8.8p1/sshkey.h +Index: openssh-8.9p1/sshkey.h =================================================================== ---- openssh-8.8p1.orig/sshkey.h -+++ openssh-8.8p1/sshkey.h +--- openssh-8.9p1.orig/sshkey.h ++++ openssh-8.9p1/sshkey.h @@ -189,6 +189,7 @@ int sshkey_shield_private(struct sshke int sshkey_unshield_private(struct sshkey *); diff --git a/openssh-8.4p1-vendordir.patch b/openssh-8.4p1-vendordir.patch index 1bd12bd..7c34be3 100644 --- a/openssh-8.4p1-vendordir.patch +++ b/openssh-8.4p1-vendordir.patch @@ -1,8 +1,8 @@ Gemeinsame Unterverzeichnisse: openssh-8.4p1/contrib und openssh-8.4p1-vendor/contrib. -Index: openssh-8.8p1/dh.c +Index: openssh-8.9p1/dh.c =================================================================== ---- openssh-8.8p1.orig/dh.c -+++ openssh-8.8p1/dh.c +--- openssh-8.9p1.orig/dh.c ++++ openssh-8.9p1/dh.c @@ -54,7 +54,17 @@ void dh_set_moduli_file(const char *file static const char * get_moduli_filename(void) @@ -22,10 +22,10 @@ Index: openssh-8.8p1/dh.c } static int -Index: openssh-8.8p1/pathnames.h +Index: openssh-8.9p1/pathnames.h =================================================================== ---- openssh-8.8p1.orig/pathnames.h -+++ openssh-8.8p1/pathnames.h +--- openssh-8.9p1.orig/pathnames.h ++++ openssh-8.9p1/pathnames.h @@ -18,6 +18,8 @@ #define SSHDIR ETCDIR "/ssh" #endif 
@@ -53,10 +53,10 @@ Index: openssh-8.8p1/pathnames.h #ifndef _PATH_SSH_PROGRAM #define _PATH_SSH_PROGRAM "/usr/bin/ssh" -Index: openssh-8.8p1/ssh.c +Index: openssh-8.9p1/ssh.c =================================================================== ---- openssh-8.8p1.orig/ssh.c -+++ openssh-8.8p1/ssh.c +--- openssh-8.9p1.orig/ssh.c ++++ openssh-8.9p1/ssh.c @@ -549,6 +549,7 @@ static void process_config_files(const char *host_name, struct passwd *pw, int final_pass, int *want_final_pass) @@ -93,10 +93,10 @@ Index: openssh-8.8p1/ssh.c } } -Index: openssh-8.8p1/ssh_config.5 +Index: openssh-8.9p1/ssh_config.5 =================================================================== ---- openssh-8.8p1.orig/ssh_config.5 -+++ openssh-8.8p1/ssh_config.5 +--- openssh-8.9p1.orig/ssh_config.5 ++++ openssh-8.9p1/ssh_config.5 @@ -54,6 +54,9 @@ user's configuration file .It system-wide configuration file @@ -107,7 +107,7 @@ Index: openssh-8.8p1/ssh_config.5 .El .Pp For each parameter, the first obtained value -@@ -2212,6 +2215,11 @@ This file provides defaults for those +@@ -2220,6 +2223,11 @@ This file provides defaults for those values that are not specified in the user's configuration file, and for those users who do not have a configuration file. This file must be world-readable. @@ -119,11 +119,11 @@ Index: openssh-8.8p1/ssh_config.5 .El .Sh SEE ALSO .Xr ssh 1 -Index: openssh-8.8p1/sshd.c +Index: openssh-8.9p1/sshd.c =================================================================== ---- openssh-8.8p1.orig/sshd.c -+++ openssh-8.8p1/sshd.c -@@ -145,7 +145,7 @@ extern char *__progname; +--- openssh-8.9p1.orig/sshd.c ++++ openssh-8.9p1/sshd.c +@@ -148,7 +148,7 @@ extern char *__progname; ServerOptions options; /* Name of the server configuration file. */ 
@@ -132,7 +132,7 @@ Index: openssh-8.8p1/sshd.c /* * Debug mode flag. This can be set on the command line. If debug -@@ -1594,6 +1594,7 @@ prepare_proctitle(int ac, char **av) +@@ -1591,6 +1591,7 @@ prepare_proctitle(int ac, char **av) int main(int ac, char **av) { @@ -140,7 +140,7 @@ Index: openssh-8.8p1/sshd.c struct ssh *ssh = NULL; extern char *optarg; extern int optind; -@@ -1809,7 +1810,21 @@ main(int ac, char **av) +@@ -1806,7 +1807,21 @@ main(int ac, char **av) */ (void)atomicio(vwrite, startup_pipe, "\0", 1); } @@ -162,10 +162,10 @@ Index: openssh-8.8p1/sshd.c load_server_config(config_file_name, cfg); parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, -Index: openssh-8.8p1/sshd_config.5 +Index: openssh-8.9p1/sshd_config.5 =================================================================== ---- openssh-8.8p1.orig/sshd_config.5 -+++ openssh-8.8p1/sshd_config.5 +--- openssh-8.9p1.orig/sshd_config.5 ++++ openssh-8.9p1/sshd_config.5 @@ -44,7 +44,9 @@ .Xr sshd 8 reads configuration data from @@ -177,19 +177,19 @@ Index: openssh-8.8p1/sshd_config.5 .Fl f on the command line). The file contains keyword-argument pairs, one per line. -Index: openssh-8.8p1/ssh-keysign.c +Index: openssh-8.9p1/ssh-keysign.c =================================================================== ---- openssh-8.8p1.orig/ssh-keysign.c -+++ openssh-8.8p1/ssh-keysign.c -@@ -172,6 +172,7 @@ main(int argc, char **argv) +--- openssh-8.9p1.orig/ssh-keysign.c ++++ openssh-8.9p1/ssh-keysign.c +@@ -186,6 +186,7 @@ main(int argc, char **argv) u_char *signature, *data, rver; - char *host, *fp; + char *host, *fp, *pkalg; size_t slen, dlen; -+ struct stat st; ++ struct stat st; if (pledge("stdio rpath getpw dns id", NULL) != 0) fatal("%s: pledge: %s", __progname, strerror(errno)); -@@ -205,8 +206,14 @@ main(int argc, char **argv) +@@ -219,8 +220,14 @@ main(int argc, char **argv) /* verify that ssh-keysign is enabled by the admin */ initialize_options(&options); 
diff --git a/openssh-8.8p1.tar.gz b/openssh-8.8p1.tar.gz
deleted file mode 100644
index 16197ac..0000000
--- a/openssh-8.8p1.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4590890ea9bb9ace4f71ae331785a3a5823232435161960ed5fc86588f331fe9
-size 1815060
diff --git a/openssh-8.8p1.tar.gz.asc b/openssh-8.8p1.tar.gz.asc
deleted file mode 100644
index 18f5024..0000000
--- a/openssh-8.8p1.tar.gz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmFQfp8ACgkQKj9BTnNg
-YLq2SQ/8C3iOHTkyqX82FYt0SKkybebe9b2iBPr91HQOUmx+U3I+vgrSWArXabWJ
-uSu0b685RQKlcr7UjEtPk6g0cm45NoJFjju9ljvnOFfZw73V3a5qX15Lx4xRnkRx
-v1LJn6Yh12PKLWL4/A1qPQnfAObVwq/BF0BR01FfXLAOt5+lFwYvg79HpE+69b0r
-KtcIEpsyTEn2lSKSWD7q4lpe6Z/iR+XzBKfnB6JJXhKyHiDV63hlAJk9Pt3mIvS6
-tnE9/7GDawvi+Tsl018kw3wsf6aHVSQ+O+vzcDgfy0vDJVGjD6Ec9it9FvikXJh6
-3pSTBYuUJdt+CAQYvmEui73v4nrkfouHXsxqgzEDZaTwIZC4wPrvNYxUaIyirWlc
-l4/YSnxSxSiYbvPa5eYRBvXvoWbnQXjPOkuhjETxz/KTcHirQpWE9eldi0jHcKUa
-FVu9YqMPAjIUd1Jj4vC5bgH7v5cLeEMm/AetMvKsJs+rhY9NZaKpiqOqU2m6Geb+
-sQSXHNTeA8uOlrHim4SmYHtmfglVbH5lIroiUqtRzjbOhMhqUb+yN9+aAxe0bwmN
-VcFMSThlbmYokb9bkQryY2I/FfXb997vxgF6v15Z8d9e8HH2zc2Irj1HYXG4Bf3o
-WCiSvd8+Tr/FxS2Gn8qj/vgSPWXT0d0Hy4zHW9JeT/jn3RtIYhU=
-=EnoG
------END PGP SIGNATURE-----
diff --git a/openssh-8.9p1.tar.gz b/openssh-8.9p1.tar.gz
new file mode 100644
index 0000000..c994b36
--- /dev/null
+++ b/openssh-8.9p1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7
+size 1820282
diff --git a/openssh-8.9p1.tar.gz.asc b/openssh-8.9p1.tar.gz.asc
new file mode 100644
index 0000000..a554f9f
--- /dev/null
+++ b/openssh-8.9p1.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmIWG5YACgkQKj9BTnNg
+YLoL2A//TuX5vo9EplHaoqTbgL5KkwaJGaae2bXczbw1N8anfSlnPi7IAL4TkLFW
+SpIAGYcDoxqSAT62Ad9TsIvallPWmzG8mIa1M6dgQHUW95KbI5NHC53NgMkExI7O
+x9HGDanLRoXCwbDrYAZN8UlddTsZYGrfoVso7lrW87lcTkM4AYQKNbCum/C8OUq0
+esJgaaiXTIK+Rwbtpa+msDo8scfq08IG4rMM+kiNOnYpxaVyPIvspUF/ULinEQ5M
+KrgRCZKI6573yZAdzA3KE6fXlzFJuxqcpk8Zimdm6c5+TEk30pzZ65Q+KLLrW7Gm
+YK9gkkbdGWvtoRoE66RnPcBbPoFFM3h0mPhY/08iKHZKQL29bhDABx5qqUN0WDtg
+uqz21PT/yXwxXglvHRMtq9w1dzjrPs/aEWQiO2ta+tspC+vUwVjnengmvcj7pP6B
+4MQWDcw0ZULn5ns/Vzja6VO9V6hKYApCHs0o4lvBnXXtdIRNHmuROoVQsGPlBTKN
+jPSfz3XU7lebayJwGpJFVwfHYTzxGu8IuK7k6WUvCA4j98HbRpJCuNEZeE4Jsvlc
+CLhee1YTkUDtNb3GaV2F8a4pDyCxvxCBlhoTMdDDWLGibylpZKaqZyxuO+X7QTUM
+TfiyQEZ6YFqQj+f1/BjzPDeXXXMOYA5tgHumjB726rtmK1HB7ZQ=
+=5Ghp
+-----END PGP SIGNATURE-----
diff --git a/openssh-askpass-gnome.spec b/openssh-askpass-gnome.spec
index 4dabf18..746820c 100644
--- a/openssh-askpass-gnome.spec
+++ b/openssh-askpass-gnome.spec
@@ -18,7 +18,7 @@
 %define _name openssh
 Name: openssh-askpass-gnome
-Version: 8.8p1
+Version: 8.9p1
 Release: 0
 Summary: A GNOME-Based Passphrase Dialog for OpenSSH
 License: BSD-2-Clause
diff --git a/openssh-reenable-dh-group14-sha1-default.patch b/openssh-reenable-dh-group14-sha1-default.patch
index 76b5f94..50c2e62 100644
--- a/openssh-reenable-dh-group14-sha1-default.patch
+++ b/openssh-reenable-dh-group14-sha1-default.patch
@@ -1,8 +1,8 @@
-Index: openssh-8.8p1/myproposal.h
+Index: openssh-8.9p1/myproposal.h
 ===================================================================
---- openssh-8.8p1.orig/myproposal.h
-+++ openssh-8.8p1/myproposal.h
+--- openssh-8.9p1.orig/myproposal.h
++++ openssh-8.9p1/myproposal.h
-@@ -33,7 +33,8 @@
+@@ -34,7 +34,8 @@
 "diffie-hellman-group-exchange-sha256," \
 "diffie-hellman-group16-sha512," \
 "diffie-hellman-group18-sha512," \
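Review bot: The new detached signature `openssh-8.9p1.tar.gz.asc` only protects the build if the tarball is verified against a pinned keyring, and neither this hunk nor the spec hunks visible in this commit show a keyring `Source:` line or a verification step, so that wiring presumably lives outside the diff. If the spec does carry a keyring, confirm it contains the key that signed the 8.9p1 release; if it does not, the `.asc` is inert and a swapped tarball would pass unnoticed. Note that the LFS pointer's `oid sha256:` for the tarball is the hash of the file as committed, not an independent check against the upstream release.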
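Review bot: The rebased `openssh-reenable-dh-group14-sha1-default.patch` still begins directly with `+Index: openssh-8.9p1/myproposal.h` at line 1, with no header explaining why `diffie-hellman-group14-sha1` is kept in the default KEX list, which is the kind of downstream security override that needs a recorded rationale and a bug reference so later rebases can decide whether it is still needed. Since this carries the override across another release, I would add a short description block above the first `Index:` line naming the compatibility reason and the tracking bug (value not visible in this commit), and noting that the upstream default now also includes the `sntrup761x25519-sha512@openssh.com` entry shown in the new ssh_config.5 context.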
@@ -12,11 +12,11 @@ Index: openssh-8.8p1/myproposal.h #define KEX_CLIENT_KEX KEX_SERVER_KEX -Index: openssh-8.8p1/ssh_config.5 +Index: openssh-8.9p1/ssh_config.5 =================================================================== ---- openssh-8.8p1.orig/ssh_config.5 -+++ openssh-8.8p1/ssh_config.5 -@@ -1227,7 +1227,8 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec +--- openssh-8.9p1.orig/ssh_config.5 ++++ openssh-8.9p1/ssh_config.5 +@@ -1228,7 +1228,8 @@ sntrup761x25519-sha512@openssh.com, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, @@ -26,12 +26,12 @@ Index: openssh-8.8p1/ssh_config.5 .Ed .Pp The list of available key exchange algorithms may also be obtained using -Index: openssh-8.8p1/sshd_config.5 +Index: openssh-8.9p1/sshd_config.5 =================================================================== ---- openssh-8.8p1.orig/sshd_config.5 -+++ openssh-8.8p1/sshd_config.5 -@@ -997,7 +997,7 @@ curve25519-sha256,curve25519-sha256@libs - ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, +--- openssh-8.9p1.orig/sshd_config.5 ++++ openssh-8.9p1/sshd_config.5 +@@ -996,7 +996,7 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec + sntrup761x25519-sha512@openssh.com, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, -diffie-hellman-group14-sha256 diff --git a/openssh.changes b/openssh.changes index ffa35f5..f60e3c7 100644 --- a/openssh.changes +++ b/openssh.changes 
@@ -1,3 +1,173 @@ +------------------------------------------------------------------- +Mon Mar 7 18:00:09 UTC 2022 - Hans Petter Jansson + +- Version update to 8.9p1: + = Security + * sshd(8): fix an integer overflow in the user authentication path + that, in conjunction with other logic errors, could have yielded + unauthenticated access under difficult to exploit conditions. + + This situation is not exploitable because of independent checks in + the privilege separation monitor. Privilege separation has been + enabled by default in since openssh-3.2.2 (released in 2002) and + has been mandatory since openssh-7.5 (released in 2017). Moreover, + portable OpenSSH has used toolchain features available in most + modern compilers to abort on signed integer overflow since + openssh-6.5 (released in 2014). + + Thanks to Malcolm Stagg for finding and reporting this bug. + + = Potentially-incompatible changes + * sshd(8), portable OpenSSH only: this release removes in-built + support for MD5-hashed passwords. If you require these on your + system then we recommend linking against libxcrypt or similar. + * This release modifies the FIDO security key middleware interface + and increments SSH_SK_VERSION_MAJOR. + + = New features + * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for + restricting forwarding and use of keys added to ssh-agent(1) + A detailed description of the feature is available at + https://www.openssh.com/agent-restrict.html and the protocol + extensions are documented in the PROTOCOL and PROTOCOL.agent + files in the source release. + * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid + ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the + default KEXAlgorithms list (after the ECDH methods but before the + prime-group DH ones). The next release of OpenSSH is likely to + make this key exchange the default method. 
+ * ssh-keygen(1): when downloading resident keys from a FIDO token, + pass back the user ID that was used when the key was created and + append it to the filename the key is written to (if it is not the + default). Avoids keys being clobbered if the user created multiple + resident keys with the same application string but different user + IDs. + * ssh-keygen(1), ssh(1), ssh-agent(1): better handling for FIDO keys + on tokens that provide user verification (UV) on the device itself, + including biometric keys, avoiding unnecessary PIN prompts. + * ssh-keygen(1): add "ssh-keygen -Y match-principals" operation to + perform matching of principals names against an allowed signers + file. To be used towards a TOFU model for SSH signatures in git. + * ssh-add(1), ssh-agent(1): allow pin-required FIDO keys to be added + to ssh-agent(1). $SSH_ASKPASS will be used to request the PIN at + authentication time. + * ssh-keygen(1): allow selection of hash at sshsig signing time + (either sha512 (default) or sha256). + * ssh(1), sshd(8): read network data directly to the packet input + buffer instead of indirectly via a small stack buffer. Provides a + modest performance improvement. + * ssh(1), sshd(8): read data directly to the channel input buffer, + providing a similar modest performance improvement. + * ssh(1): extend the PubkeyAuthentication configuration directive to + accept yes|no|unbound|host-bound to allow control over one of the + protocol extensions used to implement agent-restricted keys. + + = Bugfixes + * sshd(8): document that CASignatureAlgorithms, ExposeAuthInfo and + PubkeyAuthOptions can be used in a Match block. PR277. + * sshd(8): fix possible string truncation when constructing paths to + .rhosts/.shosts files with very long user home directory names. + * ssh-keysign(1): unbreak for KEX algorithms that use SHA384/512 + exchange hashes + * ssh(1): don't put the TTY into raw mode when SessionType=none, + avoids ^C being unable to kill such a session. 
bz3360 + * scp(1): fix some corner-case bugs in SFTP-mode handling of + ~-prefixed paths. + * ssh(1): unbreak hostbased auth using RSA keys. Allow ssh(1) to + select RSA keys when only RSA/SHA2 signature algorithms are + configured (this is the default case). Previously RSA keys were + not being considered in the default case. + * ssh-keysign(1): make ssh-keysign use the requested signature + algorithm and not the default for the key type. Part of unbreaking + hostbased auth for RSA/SHA2 keys. + * ssh(1): stricter UpdateHostkey signature verification logic on + the client- side. Require RSA/SHA2 signatures for RSA hostkeys + except when RSA/SHA1 was explicitly negotiated during initial + KEX; bz3375 + * ssh(1), sshd(8): fix signature algorithm selection logic for + UpdateHostkeys on the server side. The previous code tried to + prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some + cases. This will use RSA/SHA2 signatures for RSA keys if the + client proposed these algorithms in initial KEX. bz3375 + * All: convert all uses of select(2)/pselect(2) to poll(2)/ppoll(2). + This includes the mainloops in ssh(1), ssh-agent(1), ssh-agent(1) + and sftp-server(8), as well as the sshd(8) listen loop and all + other FD read/writability checks. On platforms with missing or + broken poll(2)/ppoll(2) syscalls a select(2)-based compat shim is + available. + * ssh-keygen(1): the "-Y find-principals" command was verifying key + validity when using ca certs but not with simple key lifetimes + within the allowed signers file. + * ssh-keygen(1): make sshsig verify-time argument parsing optional + * sshd(8): fix truncation in rhosts/shosts path construction. + * ssh(1), ssh-agent(1): avoid xmalloc(0) for PKCS#11 keyid for ECDSA + keys (we already did this for RSA keys). Avoids fatal errors for + PKCS#11 libraries that return empty keyid, e.g. 
Microchip ATECC608B + "cryptoauthlib"; bz#3364 + * ssh(1), ssh-agent(1): improve the testing of credentials against + inserted FIDO: ask the token whether a particular key belongs to + it in cases where the token supports on-token user-verification + (e.g. biometrics) rather than just assuming that it will accept it. + Will reduce spurious "Confirm user presence" notifications for key + handles that relate to FIDO keys that are not currently inserted in at + least some cases. bz3366 + * ssh(1), sshd(8): correct value for IPTOS_DSCP_LE. It needs to + allow for the preceding two ECN bits. bz#3373 + * ssh-keygen(1): add missing -O option to usage() for the "-Y sign" + option. + * ssh-keygen(1): fix a NULL deref when using the find-principals + function, when matching an allowed_signers line that contains a + namespace restriction, but no restriction specified on the + command-line + * ssh-agent(1): fix memleak in process_extension(); oss-fuzz + issue #42719 + * ssh(1): suppress "Connection to xxx closed" messages when LogLevel + is set to "error" or above. bz3378 + * ssh(1), sshd(8): use correct zlib flags when inflate(3)-ing + compressed packet data. bz3372 + * scp(1): when recursively transferring files in SFTP mode, create the + destination directory if it doesn't already exist to match scp(1) in + legacy RCP mode behaviour. + * scp(1): many improvements in error message consistency between scp(1) + in SFTP mode vs legacy RCP mode. + * sshd(8): fix potential race in SIGTERM handling PR289 + * ssh(1), ssh(8): since DSA keys are deprecated, move them to the + end of the default list of public keys so that they will be tried + last. PR295 + * ssh-keygen(1): allow 'ssh-keygen -Y find-principals' to match + wildcard principals in allowed_signers files + + = Portability + * ssh(1), sshd(8): don't trust closefrom(2) on Linux. glibc's + implementation does not work in a chroot when the kernel does not + have close_range(2). 
It tries to read from /proc/self/fd and when + that fails dies with an assertion of sorts. Instead, call + close_range(2) directly from our compat code and fall back if + that fails. bz#3349, + * OS X poll(2) is broken; use compat replacement. For character- + special devices like /dev/null, Darwin's poll(2) returns POLLNVAL + when polled with POLLIN. Apparently this is Apple bug 3710161 - + not public but a websearch will find other OSS projects + rediscovering it periodically since it was first identified in + 2005. + * Correct handling of exceptfds/POLLPRI in our select(2)-based + poll(2)/ppoll(2) compat implementation. + * Cygwin: correct checking of mbstowcs() return value. + * Add a basic SECURITY.md that refers people to the openssh.com + website. + * Enable additional compiler warnings and toolchain hardening flags, + including -Wbitwise-instead-of-logical, -Wmisleading-indentation, + -fzero-call-used-regs and -ftrivial-auto-var-init. + * HP/UX. Use compat getline(3) on HP-UX 10.x, where the libc version + is not reliable. + +- Rebased patches: + * openssh-7.7p1-ldap.patch + * openssh-8.0p1-gssapi-keyex.patch + * openssh-8.1p1-audit.patch + * openssh-8.4p1-vendordir.patch + * openssh-reenable-dh-group14-sha1-default.patch + ------------------------------------------------------------------- Tue Sep 28 17:50:57 UTC 2021 - Hans Petter Jansson diff --git a/openssh.spec b/openssh.spec index 6ecf7e7..8754d82 100644 --- a/openssh.spec +++ b/openssh.spec @@ -35,7 +35,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: openssh -Version: 8.8p1 +Version: 8.9p1 Release: 0 Summary: Secure Shell Client and Server (Remote Login Program) License: BSD-2-Clause AND MIT