diff --git a/openssh-6.5p1.tar.gz b/openssh-6.5p1.tar.gz deleted file mode 100644 index 915ff6b..0000000 --- a/openssh-6.5p1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:a1195ed55db945252d5a1730d4a2a2a5c1c9a6aa01ef2e5af750a962623d9027 -size 1293187 diff --git a/openssh-6.5p1-X11-forwarding.patch b/openssh-6.6p1-X11-forwarding.patch similarity index 88% rename from openssh-6.5p1-X11-forwarding.patch rename to openssh-6.6p1-X11-forwarding.patch index 8be22fa..e8c8ef8 100644 --- a/openssh-6.5p1-X11-forwarding.patch +++ b/openssh-6.6p1-X11-forwarding.patch @@ -2,9 +2,9 @@ # configuration # bnc#50836 (was suse #35836) -diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config ---- a/openssh-6.5p1/ssh_config -+++ b/openssh-6.5p1/ssh_config +diff --git a/openssh-6.6p1/ssh_config b/openssh-6.6p1/ssh_config +--- a/openssh-6.6p1/ssh_config ++++ b/openssh-6.6p1/ssh_config @@ -12,19 +12,30 @@ # Any configuration value is only changed the first time it is set. # Thus, host-specific definitions should be at the beginning of the @@ -37,9 +37,9 @@ diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config # GSSAPIDelegateCredentials no # BatchMode no # CheckHostIP yes -diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config ---- a/openssh-6.5p1/sshd_config -+++ b/openssh-6.5p1/sshd_config +diff --git a/openssh-6.6p1/sshd_config b/openssh-6.6p1/sshd_config +--- a/openssh-6.6p1/sshd_config ++++ b/openssh-6.6p1/sshd_config @@ -94,17 +94,17 @@ AuthorizedKeysFile .ssh/authorized_keys # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication diff --git a/openssh-6.5p1-X_forward_with_disabled_ipv6.patch b/openssh-6.6p1-X_forward_with_disabled_ipv6.patch similarity index 74% rename from openssh-6.5p1-X_forward_with_disabled_ipv6.patch rename to openssh-6.6p1-X_forward_with_disabled_ipv6.patch index 3f4843c..8144b39 100644 
--- a/openssh-6.5p1-X_forward_with_disabled_ipv6.patch +++ b/openssh-6.6p1-X_forward_with_disabled_ipv6.patch @@ -1,12 +1,12 @@ # HG changeset patch -# Parent bb0162afc928b3eeb69f11419e214e0737bb8034 +# Parent 73eb63cbbd603bf8c13995c478333c1b5a2a020a Do not throw away already open sockets for X11 forwarding if another socket family is not available for bind() -diff --git a/openssh-6.5p1/channels.c b/openssh-6.5p1/channels.c ---- a/openssh-6.5p1/channels.c -+++ b/openssh-6.5p1/channels.c -@@ -3475,22 +3475,24 @@ x11_create_display_inet(int x11_display_ +diff --git a/openssh-6.6p1/channels.c b/openssh-6.6p1/channels.c +--- a/openssh-6.6p1/channels.c ++++ b/openssh-6.6p1/channels.c +@@ -3476,22 +3476,24 @@ x11_create_display_inet(int x11_display_ } if (ai->ai_family == AF_INET6) sock_set_v6only(sock); diff --git a/openssh-6.5p1-audit1-remove_duplicit_audit.patch b/openssh-6.6p1-audit1-remove_duplicit_audit.patch similarity index 84% rename from openssh-6.5p1-audit1-remove_duplicit_audit.patch rename to openssh-6.6p1-audit1-remove_duplicit_audit.patch index dc5b49f..96d9c54 100644 --- a/openssh-6.5p1-audit1-remove_duplicit_audit.patch +++ b/openssh-6.6p1-audit1-remove_duplicit_audit.patch @@ -8,10 +8,10 @@ # # PRIVSEP(getpwnamallow()) a few lines above already did this. -diff --git a/openssh-6.5p1/auth2.c b/openssh-6.5p1/auth2.c ---- a/openssh-6.5p1/auth2.c -+++ b/openssh-6.5p1/auth2.c -@@ -242,19 +242,16 @@ input_userauth_request(int type, u_int32 +diff --git a/openssh-6.6p1/auth2.c b/openssh-6.6p1/auth2.c +--- a/openssh-6.6p1/auth2.c ++++ b/openssh-6.6p1/auth2.c +@@ -236,19 +236,16 @@ input_userauth_request(int type, u_int32 authctxt->pw = PRIVSEP(getpwnamallow(user)); authctxt->user = xstrdup(user); if (authctxt->pw && strcmp(service, "ssh-connection")==0) { 
diff --git a/openssh-6.5p1-audit2-better_audit_of_user_actions.patch b/openssh-6.6p1-audit2-better_audit_of_user_actions.patch similarity index 90% rename from openssh-6.5p1-audit2-better_audit_of_user_actions.patch rename to openssh-6.6p1-audit2-better_audit_of_user_actions.patch index 43f3a9b..20c87cc 100644 --- a/openssh-6.5p1-audit2-better_audit_of_user_actions.patch +++ b/openssh-6.6p1-audit2-better_audit_of_user_actions.patch @@ -4,9 +4,9 @@ # https://bugzilla.mindrot.org/attachment.cgi?id=2011 # by jchadima@redhat.com -diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c ---- a/openssh-6.5p1/audit-bsm.c -+++ b/openssh-6.5p1/audit-bsm.c +diff --git a/openssh-6.6p1/audit-bsm.c b/openssh-6.6p1/audit-bsm.c +--- a/openssh-6.6p1/audit-bsm.c ++++ b/openssh-6.6p1/audit-bsm.c @@ -370,20 +370,33 @@ audit_connection_from(const char *host, /* this is used on IPv4-only machines */ tid->port = (dev_t)port; @@ -42,9 +42,9 @@ diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c /* not implemented */ } -diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c ---- a/openssh-6.5p1/audit-linux.c -+++ b/openssh-6.5p1/audit-linux.c +diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c +--- a/openssh-6.6p1/audit-linux.c ++++ b/openssh-6.6p1/audit-linux.c @@ -30,97 +30,210 @@ #include "includes.h" #if defined(USE_LINUX_AUDIT) @@ -276,9 +276,9 @@ diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c } #endif /* USE_LINUX_AUDIT */ -diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c ---- a/openssh-6.5p1/audit.c -+++ b/openssh-6.5p1/audit.c +diff --git a/openssh-6.6p1/audit.c b/openssh-6.6p1/audit.c +--- a/openssh-6.6p1/audit.c ++++ b/openssh-6.6p1/audit.c @@ -135,16 +135,27 @@ audit_connection_from(const char *host, void audit_event(ssh_audit_event_t event) @@ -344,9 +344,9 @@ 
diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c + # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */ -diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h ---- a/openssh-6.5p1/audit.h -+++ b/openssh-6.5p1/audit.h +diff --git a/openssh-6.6p1/audit.h b/openssh-6.6p1/audit.h +--- a/openssh-6.6p1/audit.h ++++ b/openssh-6.6p1/audit.h @@ -44,14 +44,16 @@ enum ssh_audit_event_type { SSH_CONNECTION_CLOSE, /* closed after attempting auth or session */ SSH_CONNECTION_ABANDON, /* closed without completing auth */ @@ -365,10 +365,10 @@ diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h ssh_audit_event_t audit_classify_auth(const char *); #endif /* _SSH_AUDIT_H */ -diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c ---- a/openssh-6.5p1/monitor.c -+++ b/openssh-6.5p1/monitor.c -@@ -181,16 +181,17 @@ int mm_answer_gss_setup_ctx(int, Buffer +diff --git a/openssh-6.6p1/monitor.c b/openssh-6.6p1/monitor.c +--- a/openssh-6.6p1/monitor.c ++++ b/openssh-6.6p1/monitor.c +@@ -175,16 +175,17 @@ int mm_answer_gss_setup_ctx(int, Buffer int mm_answer_gss_accept_ctx(int, Buffer *); int mm_answer_gss_userok(int, Buffer *); int mm_answer_gss_checkmic(int, Buffer *); @@ -386,7 +386,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ /* local state for key verify */ -@@ -268,16 +269,17 @@ struct mon_table mon_dispatch_postauth20 +@@ -255,16 +256,17 @@ struct mon_table mon_dispatch_postauth20 {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, {MONITOR_REQ_SIGN, 0, mm_answer_sign}, {MONITOR_REQ_PTY, 0, mm_answer_pty}, @@ -404,7 +404,7 @@ 
diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey}, {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid}, -@@ -310,16 +312,17 @@ struct mon_table mon_dispatch_proto15[] +@@ -297,16 +299,17 @@ struct mon_table mon_dispatch_proto15[] struct mon_table mon_dispatch_postauth15[] = { {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty}, @@ -422,7 +422,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c /* Specifies if a certain message is allowed at the moment */ -@@ -1442,16 +1445,22 @@ mm_record_login(Session *s, struct passw +@@ -1420,16 +1423,22 @@ mm_record_login(Session *s, struct passw static void mm_session_close(Session *s) { @@ -445,7 +445,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c { extern struct monitor *pmonitor; Session *s; -@@ -1764,21 +1773,53 @@ mm_answer_audit_event(int socket, Buffer +@@ -1742,21 +1751,53 @@ mm_answer_audit_event(int socket, Buffer return (0); } @@ -500,10 +500,10 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c void monitor_apply_keystate(struct monitor *pmonitor) { -diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h ---- a/openssh-6.5p1/monitor.h -+++ b/openssh-6.5p1/monitor.h -@@ -64,16 +64,17 @@ enum monitor_reqtype { +diff --git a/openssh-6.6p1/monitor.h b/openssh-6.6p1/monitor.h +--- a/openssh-6.6p1/monitor.h ++++ b/openssh-6.6p1/monitor.h +@@ -59,16 +59,17 @@ enum monitor_reqtype { MONITOR_REQ_PAM_START = 100, MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103, @@ -521,10 +521,10 @@ 
diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h int m_recvfd; int m_sendfd; int m_log_recvfd; -diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c ---- a/openssh-6.5p1/monitor_wrap.c -+++ b/openssh-6.5p1/monitor_wrap.c -@@ -1186,27 +1186,48 @@ mm_audit_event(ssh_audit_event_t event) +diff --git a/openssh-6.6p1/monitor_wrap.c b/openssh-6.6p1/monitor_wrap.c +--- a/openssh-6.6p1/monitor_wrap.c ++++ b/openssh-6.6p1/monitor_wrap.c +@@ -1184,27 +1184,48 @@ mm_audit_event(ssh_audit_event_t event) buffer_init(&m); buffer_put_int(&m, event); @@ -574,9 +574,9 @@ diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid) { -diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h ---- a/openssh-6.5p1/monitor_wrap.h -+++ b/openssh-6.5p1/monitor_wrap.h +diff --git a/openssh-6.6p1/monitor_wrap.h b/openssh-6.6p1/monitor_wrap.h +--- a/openssh-6.6p1/monitor_wrap.h ++++ b/openssh-6.6p1/monitor_wrap.h @@ -69,17 +69,18 @@ void *mm_sshpam_init_ctx(struct Authctxt int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **); int mm_sshpam_respond(void *, u_int, char **); @@ -597,9 +597,9 @@ diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h void mm_session_pty_cleanup2(struct Session *); /* SSHv1 interfaces */ -diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c ---- a/openssh-6.5p1/session.c -+++ b/openssh-6.5p1/session.c +diff --git a/openssh-6.6p1/session.c b/openssh-6.6p1/session.c +--- a/openssh-6.6p1/session.c ++++ b/openssh-6.6p1/session.c @@ -740,16 +740,24 @@ do_exec_pty(Session *s, const char *comm cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); #endif @@ -657,8 +657,8 @@ 
diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c original_command = NULL; -@@ -1903,16 +1915,17 @@ session_unused(int id) - bzero(&sessions[id], sizeof(*sessions)); +@@ -1908,16 +1920,17 @@ session_unused(int id) + memset(&sessions[id], 0, sizeof(*sessions)); sessions[id].self = id; sessions[id].used = 0; sessions[id].chanid = -1; @@ -675,7 +675,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c session_new(void) { Session *s, *tmp; -@@ -1985,16 +1998,29 @@ session_open(Authctxt *authctxt, int cha +@@ -1990,16 +2003,29 @@ session_open(Authctxt *authctxt, int cha if (s->pw == NULL || !authctxt->valid) fatal("no user for session %d", s->self); debug("session_open: session %d: link with channel %d", s->self, chanid); @@ -705,7 +705,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c if (s->used && s->ttyfd != -1 && strcmp(s->tty, tty) == 0) { debug("session_by_tty: session %d tty %s", i, tty); return s; -@@ -2501,16 +2527,40 @@ session_exit_message(Session *s, int sta +@@ -2506,16 +2532,40 @@ session_exit_message(Session *s, int sta * interested in data we write. * Note that we must not call 'chan_read_failed', since there could * be some more data waiting in the pipe. @@ -746,7 +746,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c debug("session_close: session %d pid %ld", s->self, (long)s->pid); -@@ -2541,16 +2591,20 @@ session_close(Session *s) +@@ -2546,16 +2596,20 @@ session_close(Session *s) int status; waitpid(pid, &status, 0); @@ -767,7 +767,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c free(s->auth_proto); free(s->subsys); if (s->env != NULL) { -@@ -2755,16 +2809,25 @@ session_setup_x11fwd(Session *s) +@@ -2760,16 +2814,25 @@ session_setup_x11fwd(Session *s) } static void @@ -793,7 +793,7 @@ 
diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c debug("do_cleanup"); /* no cleanup if we're in the child for login shell */ -@@ -2803,10 +2866,10 @@ do_cleanup(Authctxt *authctxt) +@@ -2808,10 +2871,10 @@ do_cleanup(Authctxt *authctxt) /* remove agent socket */ auth_sock_cleanup_proc(authctxt->pw); @@ -805,9 +805,9 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c - session_destroy_all(session_pty_cleanup2); + session_destroy_all(do_cleanup_one_session); } -diff --git a/openssh-6.5p1/session.h b/openssh-6.5p1/session.h ---- a/openssh-6.5p1/session.h -+++ b/openssh-6.5p1/session.h +diff --git a/openssh-6.6p1/session.h b/openssh-6.6p1/session.h +--- a/openssh-6.6p1/session.h ++++ b/openssh-6.6p1/session.h @@ -56,29 +56,37 @@ struct Session { int *x11_chanids; int is_subsystem; @@ -846,10 +846,10 @@ diff --git a/openssh-6.5p1/session.h b/openssh-6.5p1/session.h const char *value); #endif -diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c ---- a/openssh-6.5p1/sshd.c -+++ b/openssh-6.5p1/sshd.c -@@ -2504,13 +2504,14 @@ cleanup_exit(int i) +diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c +--- a/openssh-6.6p1/sshd.c ++++ b/openssh-6.6p1/sshd.c +@@ -2529,13 +2529,14 @@ cleanup_exit(int i) if (kill(pmonitor->m_pid, SIGKILL) != 0 && errno != ESRCH) error("%s: kill(%d): %s", __func__, diff --git a/openssh-6.5p1-audit3-key_auth_usage.patch b/openssh-6.6p1-audit3-key_auth_usage.patch similarity index 80% rename from openssh-6.5p1-audit3-key_auth_usage.patch rename to openssh-6.6p1-audit3-key_auth_usage.patch index ce84f93..1471ec8 100644 --- a/openssh-6.5p1-audit3-key_auth_usage.patch +++ b/openssh-6.6p1-audit3-key_auth_usage.patch 
@@ -5,9 +5,9 @@ # (replaces: https://bugzilla.mindrot.org/attachment.cgi?id=1975) # by jchadima@redhat.com -diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c ---- a/openssh-6.5p1/audit-bsm.c -+++ b/openssh-6.5p1/audit-bsm.c +diff --git a/openssh-6.6p1/audit-bsm.c b/openssh-6.6p1/audit-bsm.c +--- a/openssh-6.6p1/audit-bsm.c ++++ b/openssh-6.6p1/audit-bsm.c @@ -401,16 +401,22 @@ audit_session_open(struct logininfo *li) } @@ -31,9 +31,9 @@ diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c const char *user = the_authctxt ? the_authctxt->user : "(unknown user)"; if (cannot_audit(0)) -diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c ---- a/openssh-6.5p1/audit-linux.c -+++ b/openssh-6.5p1/audit-linux.c +diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c +--- a/openssh-6.6p1/audit-linux.c ++++ b/openssh-6.6p1/audit-linux.c @@ -36,16 +36,18 @@ #include "log.h" #include "audit.h" @@ -101,9 +101,9 @@ diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c audit_connection_from(const char *host, int port) { /* not implemented */ -diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c ---- a/openssh-6.5p1/audit.c -+++ b/openssh-6.5p1/audit.c +diff --git a/openssh-6.6p1/audit.c b/openssh-6.6p1/audit.c +--- a/openssh-6.6p1/audit.c ++++ b/openssh-6.6p1/audit.c @@ -31,16 +31,17 @@ #ifdef SSH_AUDIT_EVENTS @@ -178,9 +178,9 @@ diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c +} # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */ -diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h ---- a/openssh-6.5p1/audit.h -+++ b/openssh-6.5p1/audit.h +diff --git a/openssh-6.6p1/audit.h b/openssh-6.6p1/audit.h +--- a/openssh-6.6p1/audit.h ++++ b/openssh-6.6p1/audit.h @@ -23,16 +23,17 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. @@ -212,69 +212,10 @@ 
diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h +void audit_key(int, int *, const Key *); #endif /* _SSH_AUDIT_H */ -diff --git a/openssh-6.5p1/auth-rsa.c b/openssh-6.5p1/auth-rsa.c ---- a/openssh-6.5p1/auth-rsa.c -+++ b/openssh-6.5p1/auth-rsa.c -@@ -87,17 +87,20 @@ auth_rsa_generate_challenge(Key *key) - return challenge; - } - - int - auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16]) - { - u_char buf[32], mdbuf[16]; - MD5_CTX md; -- int len; -+ int len, rv; -+#ifdef SSH_AUDIT_EVENTS -+ char *fp; -+#endif - - /* don't allow short keys */ - if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) { - error("auth_rsa_verify_response: RSA modulus too small: %d < minimum %d bits", - BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE); - return (0); - } - -@@ -108,22 +111,28 @@ auth_rsa_verify_response(Key *key, BIGNU - memset(buf, 0, 32); - BN_bn2bin(challenge, buf + 32 - len); - MD5_Init(&md); - MD5_Update(&md, buf, 32); - MD5_Update(&md, session_id, 16); - MD5_Final(mdbuf, &md); - - /* Verify that the response is the original challenge. */ -- if (timingsafe_bcmp(response, mdbuf, 16) != 0) { -- /* Wrong answer. */ -- return (0); -+ rv = timingsafe_bcmp(response, mdbuf, 16) == 0; -+ -+#ifdef SSH_AUDIT_EVENTS -+ fp = key_fingerprint(key, key_fp_type_select(), SSH_FP_HEX); -+ if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa) * 8, fp, rv) == 0) { -+ debug("unsuccessful audit"); -+ rv = 0; - } -- /* Correct answer. */ -- return (1); -+ free(fp); -+#endif -+ -+ return rv; - } - - /* - * Performs the RSA authentication challenge-response dialog with the client, - * and returns true (non-zero) if the client gave the correct answer to - * our challenge; returns zero if the client gives a wrong answer. 
- */ - -diff --git a/openssh-6.5p1/auth.h b/openssh-6.5p1/auth.h ---- a/openssh-6.5p1/auth.h -+++ b/openssh-6.5p1/auth.h -@@ -182,16 +182,17 @@ int allowed_user(struct passwd *); +diff --git a/openssh-6.6p1/auth.h b/openssh-6.6p1/auth.h +--- a/openssh-6.6p1/auth.h ++++ b/openssh-6.6p1/auth.h +@@ -178,16 +178,17 @@ int allowed_user(struct passwd *); struct passwd * getpwnamallow(const char *user); char *get_challenge(Authctxt *); @@ -292,7 +233,7 @@ diff --git a/openssh-6.5p1/auth.h b/openssh-6.5p1/auth.h HostStatus check_key_in_hostfiles(struct passwd *, Key *, const char *, const char *, const char *); -@@ -199,16 +200,17 @@ check_key_in_hostfiles(struct passwd *, +@@ -195,16 +196,17 @@ check_key_in_hostfiles(struct passwd *, /* hostkey handling */ Key *get_hostkey_by_index(int); Key *get_hostkey_public_by_index(int); @@ -310,9 +251,9 @@ diff --git a/openssh-6.5p1/auth.h b/openssh-6.5p1/auth.h struct passwd *fakepw(void); -diff --git a/openssh-6.5p1/auth2-hostbased.c b/openssh-6.5p1/auth2-hostbased.c ---- a/openssh-6.5p1/auth2-hostbased.c -+++ b/openssh-6.5p1/auth2-hostbased.c +diff --git a/openssh-6.6p1/auth2-hostbased.c b/openssh-6.6p1/auth2-hostbased.c +--- a/openssh-6.6p1/auth2-hostbased.c ++++ b/openssh-6.6p1/auth2-hostbased.c @@ -124,33 +124,45 @@ userauth_hostbased(Authctxt *authctxt) #endif @@ -360,9 +301,9 @@ diff --git a/openssh-6.5p1/auth2-hostbased.c b/openssh-6.5p1/auth2-hostbased.c const char *resolvedname, *ipaddr, *lookup, *reason; HostStatus host_status; int len; -diff --git a/openssh-6.5p1/auth2-pubkey.c b/openssh-6.5p1/auth2-pubkey.c ---- a/openssh-6.5p1/auth2-pubkey.c -+++ b/openssh-6.5p1/auth2-pubkey.c +diff --git a/openssh-6.6p1/auth2-pubkey.c b/openssh-6.6p1/auth2-pubkey.c +--- a/openssh-6.6p1/auth2-pubkey.c ++++ b/openssh-6.6p1/auth2-pubkey.c @@ -153,17 +153,17 @@ userauth_pubkey(Authctxt *authctxt) #ifdef DEBUG_PK buffer_dump(&b); @@ -411,10 +352,10 @@ 
diff --git a/openssh-6.5p1/auth2-pubkey.c b/openssh-6.5p1/auth2-pubkey.c int i; extra = NULL; -diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c ---- a/openssh-6.5p1/monitor.c -+++ b/openssh-6.5p1/monitor.c -@@ -1362,26 +1362,30 @@ monitor_valid_hostbasedblob(u_char *data +diff --git a/openssh-6.6p1/monitor.c b/openssh-6.6p1/monitor.c +--- a/openssh-6.6p1/monitor.c ++++ b/openssh-6.6p1/monitor.c +@@ -1340,26 +1340,30 @@ monitor_valid_hostbasedblob(u_char *data } int @@ -445,7 +386,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c switch (key_blobtype) { case MM_USERKEY: valid_data = monitor_valid_userblob(data, datalen); -@@ -1392,17 +1396,27 @@ mm_answer_keyverify(int sock, Buffer *m) +@@ -1370,17 +1374,27 @@ mm_answer_keyverify(int sock, Buffer *m) break; default: valid_data = 0; @@ -474,10 +415,10 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c free(signature); free(data); -diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c ---- a/openssh-6.5p1/monitor_wrap.c -+++ b/openssh-6.5p1/monitor_wrap.c -@@ -428,30 +428,31 @@ mm_key_allowed(enum mm_keytype type, cha +diff --git a/openssh-6.6p1/monitor_wrap.c b/openssh-6.6p1/monitor_wrap.c +--- a/openssh-6.6p1/monitor_wrap.c ++++ b/openssh-6.6p1/monitor_wrap.c +@@ -426,30 +426,31 @@ mm_key_allowed(enum mm_keytype type, cha /* * This key verify needs to send the key type along, because the @@ -510,7 +451,7 @@ diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m); debug3("%s: waiting for MONITOR_ANS_KEYVERIFY", __func__); -@@ -459,16 +460,29 @@ mm_key_verify(Key *key, u_char *sig, u_i +@@ -457,16 +458,29 @@ mm_key_verify(Key *key, u_char *sig, u_i verified = buffer_get_int(&m); @@ -540,9 +481,9 @@ 
diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c u_int len; Newkeys *newkey = NULL; Enc *enc; -diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h ---- a/openssh-6.5p1/monitor_wrap.h -+++ b/openssh-6.5p1/monitor_wrap.h +diff --git a/openssh-6.6p1/monitor_wrap.h b/openssh-6.6p1/monitor_wrap.h +--- a/openssh-6.6p1/monitor_wrap.h ++++ b/openssh-6.6p1/monitor_wrap.h @@ -44,17 +44,18 @@ int mm_key_sign(Key *, u_char **, u_int void mm_inform_authserv(char *, char *); struct passwd *mm_getpwnamallow(const char *); diff --git a/openssh-6.6p1-audit3_fips-key_auth_usage.patch b/openssh-6.6p1-audit3_fips-key_auth_usage.patch new file mode 100644 index 0000000..e736c88 --- /dev/null +++ b/openssh-6.6p1-audit3_fips-key_auth_usage.patch 
@@ -0,0 +1,61 @@
+# HG changeset patch
+# Parent c487e15d91bc5cdfb0aedcf4d3c7fe4d0f309a73
+
+diff --git a/openssh-6.6p1/auth-rsa.c b/openssh-6.6p1/auth-rsa.c
+--- a/openssh-6.6p1/auth-rsa.c
++++ b/openssh-6.6p1/auth-rsa.c
+@@ -94,16 +94,20 @@ int
+ auth_rsa_verify_response(Key *key, BIGNUM *challenge,
+ u_char response[SSH_DIGEST_MAX_LENGTH])
+ {
+ u_char buf[2 * SSH_DIGEST_MAX_LENGTH], mdbuf[SSH_DIGEST_MAX_LENGTH];
+ struct ssh_digest_ctx *md;
+ int len;
+ int dgst;
+ size_t dgst_len;
++ int rv;
++#ifdef SSH_AUDIT_EVENTS
++ char *fp;
++#endif
+ 
+ /* don't allow short keys */
+ if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
+ error("%s: RSA modulus too small: %d < minimum %d bits",
+ __func__,
+ BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
+ return (0);
+ }
+@@ -121,22 +125,28 @@ auth_rsa_verify_response(Key *key, BIGNU
+ if ((md = ssh_digest_start(dgst)) == NULL ||
+ ssh_digest_update(md, buf, 2 * dgst_len) < 0 ||
+ ssh_digest_update(md, session_id, dgst_len) < 0 ||
+ ssh_digest_final(md, mdbuf, sizeof(mdbuf)) < 0)
+ fatal("%s: md5 failed", __func__);
+ ssh_digest_free(md);
+ 
+ /* Verify that the response is the original challenge. */
+- if (timingsafe_bcmp(response, mdbuf, dgst_len) != 0) {
+- /* Wrong answer. */
+- return (0);
++ rv = timingsafe_bcmp(response, mdbuf, dgst_len) == 0;
++
++#ifdef SSH_AUDIT_EVENTS
++ fp = key_fingerprint(key, key_fp_type_select(), SSH_FP_HEX);
++ if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa) * 8, fp, rv) == 0) {
++ debug("unsuccessful audit");
++ rv = 0;
+ }
+- /* Correct answer. */
+- return (1);
++ free(fp);
++#endif
++
++ return rv;
+ }
+ 
+ /*
+ * Performs the RSA authentication challenge-response dialog with the client,
+ * and returns true (non-zero) if the client gave the correct answer to
+ * our challenge; returns zero if the client gives a wrong answer.
+ */
+ 
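Review bot: When `audit_keyusage()` returns 0 the new auth_rsa_verify_response code correctly fails closed (`rv = 0;`), but the only trace it leaves is `debug("unsuccessful audit");`, so an audit-subsystem outage will show up as unexplained RSA1 authentication failures unless sshd is running at debug verbosity; `error("%s: key usage audit failed, denying authentication", __func__);` would be visible at the default log level, matching the `error()` already used for the short-modulus case in the same function. The hunk also drops the `/* Wrong answer. */` and `/* Correct answer. */` comments without replacing them, so a one-line comment above the `#ifdef SSH_AUDIT_EVENTS` block, e.g. `/* Fail closed: a key use that cannot be audited counts as a failed authentication. */`, would keep the intent documented. Note that `audit_keyusage()` is also called for failed responses (rv == 0), which appears to be intended since the fingerprint is recorded either way.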
diff --git a/openssh-6.5p1-audit4-kex_results.patch b/openssh-6.6p1-audit4-kex_results.patch similarity index 79% rename from openssh-6.5p1-audit4-kex_results.patch rename to openssh-6.6p1-audit4-kex_results.patch index 100f1ff..d6bb569 100644 --- a/openssh-6.5p1-audit4-kex_results.patch +++ b/openssh-6.6p1-audit4-kex_results.patch @@ -5,32 +5,9 @@ # (replaces: https://bugzilla.mindrot.org/attachment.cgi?id=1976) # by jchadima@redhat.com -diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in ---- a/openssh-6.5p1/Makefile.in -+++ b/openssh-6.5p1/Makefile.in -@@ -71,17 +71,18 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o - readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \ - atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ - monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ - kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ - msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ - jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \ - kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ - ssh-ed25519.o digest.o \ -- sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o -+ sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \ -+ auditstub.o - - SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ - sshconnect.o sshconnect1.o sshconnect2.o mux.o \ - roaming_common.o roaming_client.o - - SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ - audit.o audit-bsm.o audit-linux.o platform.o \ - sshpty.o sshlogin.o servconf.o serverloop.o \ -diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c ---- a/openssh-6.5p1/audit-bsm.c -+++ b/openssh-6.5p1/audit-bsm.c +diff --git a/openssh-6.6p1/audit-bsm.c b/openssh-6.6p1/audit-bsm.c +--- a/openssh-6.6p1/audit-bsm.c ++++ b/openssh-6.6p1/audit-bsm.c 
@@ -468,9 +468,21 @@ audit_event(ssh_audit_event_t event) case SSH_AUTH_FAIL_KBDINT: bsm_audit_bad_login("interactive password entry"); @@ -53,9 +30,9 @@ diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c + /* not implemented */ +} #endif /* BSM */ -diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c ---- a/openssh-6.5p1/audit-linux.c -+++ b/openssh-6.5p1/audit-linux.c +diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c +--- a/openssh-6.6p1/audit-linux.c ++++ b/openssh-6.6p1/audit-linux.c @@ -35,16 +35,18 @@ #include "log.h" @@ -141,9 +118,9 @@ diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c +} + #endif /* USE_LINUX_AUDIT */ -diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c ---- a/openssh-6.5p1/audit.c -+++ b/openssh-6.5p1/audit.c +diff --git a/openssh-6.6p1/audit.c b/openssh-6.6p1/audit.c +--- a/openssh-6.6p1/audit.c ++++ b/openssh-6.6p1/audit.c @@ -23,24 +23,27 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. @@ -233,9 +210,9 @@ diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c +} # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */ -diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h ---- a/openssh-6.5p1/audit.h -+++ b/openssh-6.5p1/audit.h +diff --git a/openssh-6.6p1/audit.h b/openssh-6.6p1/audit.h +--- a/openssh-6.6p1/audit.h ++++ b/openssh-6.6p1/audit.h @@ -53,10 +53,14 @@ void audit_event(ssh_audit_event_t); void audit_count_session_open(void); void audit_session_open(struct logininfo *); @@ -251,10 +228,10 @@ diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h +void audit_kex_body(int, char *, char *, char *, pid_t, uid_t); #endif /* _SSH_AUDIT_H */ -diff --git a/openssh-6.5p1/auditstub.c b/openssh-6.5p1/auditstub.c +diff --git a/openssh-6.6p1/auditstub.c b/openssh-6.6p1/auditstub.c new file mode 100644 
--- /dev/null -+++ b/openssh-6.5p1/auditstub.c ++++ b/openssh-6.6p1/auditstub.c @@ -0,0 +1,39 @@ +/* $Id: auditstub.c,v 1.1 jfch Exp $ */ + @@ -295,45 +272,9 @@ new file mode 100644 +{ +} + -diff --git a/openssh-6.5p1/cipher.c b/openssh-6.5p1/cipher.c ---- a/openssh-6.5p1/cipher.c -+++ b/openssh-6.5p1/cipher.c -@@ -52,31 +52,17 @@ - - /* compatibility with old or broken OpenSSL versions */ - #include "openbsd-compat/openssl-compat.h" - - extern const EVP_CIPHER *evp_ssh1_bf(void); - extern const EVP_CIPHER *evp_ssh1_3des(void); - extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); - --struct Cipher { -- char *name; -- int number; /* for ssh1 only */ -- u_int block_size; -- u_int key_len; -- u_int iv_len; /* defaults to block_size */ -- u_int auth_len; -- u_int discard_len; -- u_int flags; --#define CFLAG_CBC (1<<0) --#define CFLAG_CHACHAPOLY (1<<1) -- const EVP_CIPHER *(*evptype)(void); --}; -- --static const struct Cipher ciphers[] = { -+struct Cipher ciphers[] = { - { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, - { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, - { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des }, - { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf }, - - { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc }, - { "blowfish-cbc", - SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc }, -diff --git a/openssh-6.5p1/cipher.h b/openssh-6.5p1/cipher.h ---- a/openssh-6.5p1/cipher.h -+++ b/openssh-6.5p1/cipher.h +diff --git a/openssh-6.6p1/cipher.h b/openssh-6.6p1/cipher.h +--- a/openssh-6.6p1/cipher.h ++++ b/openssh-6.6p1/cipher.h @@ -58,17 +58,30 @@ #define SSH_CIPHER_MAX 31 @@ -366,9 +307,9 @@ 
diff --git a/openssh-6.5p1/cipher.h b/openssh-6.5p1/cipher.h const Cipher *cipher; }; -diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c ---- a/openssh-6.5p1/kex.c -+++ b/openssh-6.5p1/kex.c +diff --git a/openssh-6.6p1/kex.c b/openssh-6.6p1/kex.c +--- a/openssh-6.6p1/kex.c ++++ b/openssh-6.6p1/kex.c @@ -45,16 +45,17 @@ #include "kex.h" #include "log.h" @@ -476,16 +417,16 @@ diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c for (mode = 0; mode < MODE_MAX; mode++) { newkeys = kex->newkeys[mode]; need = MAX(need, newkeys->enc.key_len); -diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c ---- a/openssh-6.5p1/monitor.c -+++ b/openssh-6.5p1/monitor.c -@@ -93,16 +93,17 @@ +diff --git a/openssh-6.6p1/monitor.c b/openssh-6.6p1/monitor.c +--- a/openssh-6.6p1/monitor.c ++++ b/openssh-6.6p1/monitor.c +@@ -92,16 +92,17 @@ + #endif #include "monitor_wrap.h" #include "monitor_fdpass.h" #include "misc.h" #include "compat.h" #include "ssh2.h" - #include "jpake.h" #include "roaming.h" #include "authfd.h" +#include "audit.h" @@ -497,7 +438,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c /* Imports */ extern ServerOptions options; extern u_int utmp_len; -@@ -182,16 +183,18 @@ int mm_answer_gss_accept_ctx(int, Buffer +@@ -176,16 +177,18 @@ int mm_answer_gss_accept_ctx(int, Buffer int mm_answer_gss_userok(int, Buffer *); int mm_answer_gss_checkmic(int, Buffer *); #endif @@ -516,7 +457,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ /* local state for key verify */ -@@ -233,16 +236,18 @@ struct mon_table mon_dispatch_proto20[] +@@ -227,16 +230,18 @@ struct mon_table mon_dispatch_proto20[] {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account}, {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx}, {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query}, @@ -535,7 +476,7 @@ 
diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c #ifdef SKEY {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery}, {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond}, -@@ -270,16 +275,18 @@ struct mon_table mon_dispatch_postauth20 +@@ -257,16 +262,18 @@ struct mon_table mon_dispatch_postauth20 {MONITOR_REQ_SIGN, 0, mm_answer_sign}, {MONITOR_REQ_PTY, 0, mm_answer_pty}, {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup}, @@ -554,7 +495,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey}, {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid}, -@@ -301,28 +308,32 @@ struct mon_table mon_dispatch_proto15[] +@@ -288,28 +295,32 @@ struct mon_table mon_dispatch_proto15[] {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account}, {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx}, {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query}, @@ -587,16 +528,15 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c /* Specifies if a certain message is allowed at the moment */ -@@ -2411,8 +2422,52 @@ mm_answer_jpake_check_confirm(int sock, +@@ -2187,8 +2198,52 @@ mm_answer_gss_userok(int sock, Buffer *m - monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1); + auth_method = "gssapi-with-mic"; - auth_method = "jpake-01@openssh.com"; - return authenticated; + /* Monitor loop will terminate if authenticated */ + return (authenticated); } + #endif /* GSSAPI */ - #endif /* JPAKE */ -+ +#ifdef SSH_AUDIT_EVENTS +int +mm_answer_audit_unsupported_body(int sock, Buffer *m) @@ -640,10 +580,11 @@ 
diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c +} + +#endif /* SSH_AUDIT_EVENTS */ -diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h ---- a/openssh-6.5p1/monitor.h -+++ b/openssh-6.5p1/monitor.h -@@ -65,16 +65,18 @@ enum monitor_reqtype { ++ +diff --git a/openssh-6.6p1/monitor.h b/openssh-6.6p1/monitor.h +--- a/openssh-6.6p1/monitor.h ++++ b/openssh-6.6p1/monitor.h +@@ -60,16 +60,18 @@ enum monitor_reqtype { MONITOR_REQ_PAM_START = 100, MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103, MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105, @@ -662,19 +603,18 @@ diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h int m_recvfd; int m_sendfd; int m_log_recvfd; -diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c ---- a/openssh-6.5p1/monitor_wrap.c -+++ b/openssh-6.5p1/monitor_wrap.c -@@ -1483,8 +1483,46 @@ mm_jpake_check_confirm(const BIGNUM *k, +diff --git a/openssh-6.6p1/monitor_wrap.c b/openssh-6.6p1/monitor_wrap.c +--- a/openssh-6.6p1/monitor_wrap.c ++++ b/openssh-6.6p1/monitor_wrap.c +@@ -1320,8 +1320,46 @@ mm_ssh_gssapi_userok(char *user) + authenticated = buffer_get_int(&m); - success = buffer_get_int(&m); buffer_free(&m); - - debug3("%s: success = %d", __func__, success); - return success; + debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); + return (authenticated); } - #endif /* JPAKE */ -+ + #endif /* GSSAPI */ + +#ifdef SSH_AUDIT_EVENTS +void +mm_audit_unsupported_body(int what) @@ -712,9 +652,10 @@ diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c + buffer_free(&m); +} +#endif /* SSH_AUDIT_EVENTS */ -diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h ---- a/openssh-6.5p1/monitor_wrap.h -+++ b/openssh-6.5p1/monitor_wrap.h ++ +diff --git a/openssh-6.6p1/monitor_wrap.h b/openssh-6.6p1/monitor_wrap.h +--- a/openssh-6.6p1/monitor_wrap.h ++++ b/openssh-6.6p1/monitor_wrap.h 
@@ -72,16 +72,18 @@ int mm_sshpam_respond(void *, u_int, cha void mm_sshpam_free_ctx(void *); #endif @@ -734,28 +675,10 @@ diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h void mm_session_pty_cleanup2(struct Session *); /* SSHv1 interfaces */ -diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c ---- a/openssh-6.5p1/sshd.c -+++ b/openssh-6.5p1/sshd.c -@@ -114,16 +114,17 @@ - #include "session.h" - #include "monitor_mm.h" - #include "monitor.h" - #ifdef GSSAPI - #include "ssh-gss.h" - #endif - #include "monitor_wrap.h" - #include "roaming.h" -+#include "audit.h" - #include "ssh-sandbox.h" - #include "version.h" - - #ifdef LIBWRAP - #include - #include - int allow_severity; - int deny_severity; -@@ -2312,16 +2313,20 @@ do_ssh1_kex(void) +diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c +--- a/openssh-6.6p1/sshd.c ++++ b/openssh-6.6p1/sshd.c +@@ -2325,16 +2325,20 @@ do_ssh1_kex(void) packet_disconnect("Warning: client selects unsupported cipher."); /* Get check bytes from the packet. These must match those we diff --git a/openssh-6.6p1-audit4_fips-kex_results.patch b/openssh-6.6p1-audit4_fips-kex_results.patch new file mode 100644 index 0000000..5b955c1 --- /dev/null +++ b/openssh-6.6p1-audit4_fips-kex_results.patch 
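Review bot: The `+#include "audit.h"` addition to sshd.c is dropped from this patch while its remaining sshd.c hunk (`@@ -2325,16 +2325,20 @@ do_ssh1_kex(void)`, body outside this view) is kept, so whatever that hunk adds presumably still needs the audit declarations. The include now arrives only through the new openssh-6.6p1-audit4_fips-kex_results.patch further down the page, which places it after `#include "fips.h"`; that makes this patch depend on a later patch in the series to compile, and nothing in the patch records why (avoiding a conflict with the fips include block, I assume). Add a line to this patch's header comment naming the dependency, e.g. `# sshd.c: the audit.h include is carried by openssh-6.6p1-audit4_fips-kex_results.patch (applied after the fips patch)`. The patch's header comment is outside the hunk.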
@@ -0,0 +1,82 @@ +# HG changeset patch +# Parent dec5efd68e0b652282f2b9b31f5999342123d33d + +diff --git a/openssh-6.6p1/Makefile.in b/openssh-6.6p1/Makefile.in +--- a/openssh-6.6p1/Makefile.in ++++ b/openssh-6.6p1/Makefile.in +@@ -72,17 +72,18 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o + atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ + monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ + kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ + msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ + ssh-pkcs11.o krl.o smult_curve25519_ref.o \ + kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ + ssh-ed25519.o digest-openssl.o hmac.o \ + sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \ +- fips.o ++ fips.o \ ++ auditstub.o + + SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ + sshconnect.o sshconnect1.o sshconnect2.o mux.o \ + roaming_common.o roaming_client.o + + SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ + audit.o audit-bsm.o audit-linux.o platform.o \ + sshpty.o sshlogin.o servconf.o serverloop.o \ +diff --git a/openssh-6.6p1/cipher.c b/openssh-6.6p1/cipher.c +--- a/openssh-6.6p1/cipher.c ++++ b/openssh-6.6p1/cipher.c +@@ -54,30 +54,16 @@ + + /* compatibility with old or broken OpenSSL versions */ + #include "openbsd-compat/openssl-compat.h" + + extern const EVP_CIPHER *evp_ssh1_bf(void); + extern const EVP_CIPHER *evp_ssh1_3des(void); + extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); + +-struct Cipher { +- char *name; +- int number; /* for ssh1 only */ +- u_int block_size; +- u_int key_len; +- u_int iv_len; /* defaults to block_size */ +- u_int auth_len; +- u_int discard_len; +- u_int flags; +-#define CFLAG_CBC (1<<0) +-#define CFLAG_CHACHAPOLY (1<<1) +- const EVP_CIPHER *(*evptype)(void); +-}; +- + static const struct Cipher ciphers_all[] = { + { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, + { "des", 
SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, + { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des }, + { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf }, + + { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc }, + { "blowfish-cbc", +diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c +--- a/openssh-6.6p1/sshd.c ++++ b/openssh-6.6p1/sshd.c +@@ -119,16 +119,18 @@ + #endif + #include "monitor_wrap.h" + #include "roaming.h" + #include "ssh-sandbox.h" + #include "version.h" + + #include "fips.h" + ++#include "audit.h" ++ + #ifdef LIBWRAP + #include + #include + int allow_severity; + int deny_severity; + #endif /* LIBWRAP */ + + #ifndef O_NOCTTY diff --git a/openssh-6.5p1-audit5-session_key_destruction.patch b/openssh-6.6p1-audit5-session_key_destruction.patch similarity index 88% rename from openssh-6.5p1-audit5-session_key_destruction.patch rename to openssh-6.6p1-audit5-session_key_destruction.patch index e68dd56..2f3de00 100644 --- a/openssh-6.5p1-audit5-session_key_destruction.patch +++ b/openssh-6.6p1-audit5-session_key_destruction.patch @@ -4,9 +4,9 @@ # https://bugzilla.mindrot.org/attachment.cgi?id=2014 # by jchadima@redhat.com -diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c ---- a/openssh-6.5p1/audit-bsm.c -+++ b/openssh-6.5p1/audit-bsm.c +diff --git a/openssh-6.6p1/audit-bsm.c b/openssh-6.6p1/audit-bsm.c +--- a/openssh-6.6p1/audit-bsm.c ++++ b/openssh-6.6p1/audit-bsm.c @@ -480,9 +480,15 @@ audit_unsupported_body(int what) /* not implemented */ } @@ -23,9 +23,9 @@ diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c + /* not implemented */ +} #endif /* BSM */ -diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c ---- a/openssh-6.5p1/audit-linux.c -+++ b/openssh-6.5p1/audit-linux.c +diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c +--- a/openssh-6.6p1/audit-linux.c ++++ b/openssh-6.6p1/audit-linux.c 
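Review bot: The new patch file carries only the `# HG changeset patch` / `# Parent` lines and no summary, unlike the neighbouring patches that open with a one-line `# ...` statement of intent, so a reader cannot tell why `struct Cipher` is deleted from cipher.c when this patch adds no replacement definition anywhere. The deletion only compiles if the struct is defined elsewhere, presumably by the fips patch whose `fips.o` and `#include "fips.h"` already appear in the context lines, which makes this patch order-dependent on it. Suggested header lines: `# audit hooks after the fips changes: audit.h include in sshd.c, auditstub.o in libssh,` followed by `# struct Cipher is expected to come from cipher.h as moved there by the fips patch (verify)`. The Makefile hunk also puts `auditstub.o` into LIBSSH_OBJS while `audit.o` stays in SSHDOBJS, which presumably relies on static-archive resolution so that sshd binds the real implementations rather than the stubs; if that is the intent, a comment saying so would spare the next rebase a duplicate-symbol surprise.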
@@ -289,24 +289,25 @@ audit_unsupported_body(int what) /* no problem, the next instruction will be fatal() */ return; @@ -91,9 +91,9 @@ diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c +} + #endif /* USE_LINUX_AUDIT */ -diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c ---- a/openssh-6.5p1/audit.c -+++ b/openssh-6.5p1/audit.c +diff --git a/openssh-6.6p1/audit.c b/openssh-6.6p1/audit.c +--- a/openssh-6.6p1/audit.c ++++ b/openssh-6.6p1/audit.c @@ -138,16 +138,22 @@ audit_unsupported(int what) } @@ -138,9 +138,9 @@ diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c +} # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */ -diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h ---- a/openssh-6.5p1/audit.h -+++ b/openssh-6.5p1/audit.h +diff --git a/openssh-6.6p1/audit.h b/openssh-6.6p1/audit.h +--- a/openssh-6.6p1/audit.h ++++ b/openssh-6.6p1/audit.h @@ -57,10 +57,12 @@ int audit_run_command(const char *); void audit_end_command(int, const char *); ssh_audit_event_t audit_classify_auth(const char *); @@ -154,9 +154,9 @@ diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h +void audit_session_key_free_body(int ctos, pid_t, uid_t); #endif /* _SSH_AUDIT_H */ -diff --git a/openssh-6.5p1/auditstub.c b/openssh-6.5p1/auditstub.c ---- a/openssh-6.5p1/auditstub.c -+++ b/openssh-6.5p1/auditstub.c +diff --git a/openssh-6.6p1/auditstub.c b/openssh-6.6p1/auditstub.c +--- a/openssh-6.6p1/auditstub.c ++++ b/openssh-6.6p1/auditstub.c @@ -22,18 +22,29 @@ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT @@ -187,10 +187,10 @@ 
diff --git a/openssh-6.5p1/auditstub.c b/openssh-6.5p1/auditstub.c +audit_session_key_free_body(int ctos, pid_t pid, uid_t uid) +{ +} -diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c ---- a/openssh-6.5p1/kex.c -+++ b/openssh-6.5p1/kex.c -@@ -698,8 +698,39 @@ dump_digest(char *msg, u_char *digest, i +diff --git a/openssh-6.6p1/kex.c b/openssh-6.6p1/kex.c +--- a/openssh-6.6p1/kex.c ++++ b/openssh-6.6p1/kex.c +@@ -700,8 +700,39 @@ dump_digest(char *msg, u_char *digest, i if (i%32 == 31) fprintf(stderr, "\n"); else if (i%8 == 7) @@ -230,10 +230,10 @@ diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c + memset(&newkeys->comp, 0, sizeof(newkeys->comp)); +} + -diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h ---- a/openssh-6.5p1/kex.h -+++ b/openssh-6.5p1/kex.h -@@ -163,16 +163,18 @@ void kexdh_client(Kex *); +diff --git a/openssh-6.6p1/kex.h b/openssh-6.6p1/kex.h +--- a/openssh-6.6p1/kex.h ++++ b/openssh-6.6p1/kex.h +@@ -162,16 +162,18 @@ void kexdh_client(Kex *); void kexdh_server(Kex *); void kexgex_client(Kex *); void kexgex_server(Kex *); @@ -252,15 +252,15 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); #ifdef OPENSSL_HAS_ECC -diff --git a/openssh-6.5p1/mac.c b/openssh-6.5p1/mac.c ---- a/openssh-6.5p1/mac.c -+++ b/openssh-6.5p1/mac.c -@@ -219,16 +219,30 @@ mac_clear(Mac *mac) +diff --git a/openssh-6.6p1/mac.c b/openssh-6.6p1/mac.c +--- a/openssh-6.6p1/mac.c ++++ b/openssh-6.6p1/mac.c +@@ -253,16 +253,30 @@ mac_clear(Mac *mac) if (mac->umac_ctx != NULL) umac128_delete(mac->umac_ctx); - } else if (mac->evp_md != NULL) - HMAC_cleanup(&mac->evp_ctx); - mac->evp_md = NULL; + } else if (mac->hmac_ctx != NULL) + ssh_hmac_free(mac->hmac_ctx); + mac->hmac_ctx = NULL; mac->umac_ctx = NULL; } @@ -286,9 +286,9 @@ 
diff --git a/openssh-6.5p1/mac.c b/openssh-6.5p1/mac.c char *maclist, *cp, *p; if (names == NULL || strcmp(names, "") == 0) -diff --git a/openssh-6.5p1/mac.h b/openssh-6.5p1/mac.h ---- a/openssh-6.5p1/mac.h -+++ b/openssh-6.5p1/mac.h +diff --git a/openssh-6.6p1/mac.h b/openssh-6.6p1/mac.h +--- a/openssh-6.6p1/mac.h ++++ b/openssh-6.6p1/mac.h @@ -24,8 +24,9 @@ */ @@ -299,10 +299,10 @@ diff --git a/openssh-6.5p1/mac.h b/openssh-6.5p1/mac.h u_char *mac_compute(Mac *, u_int32_t, u_char *, int); void mac_clear(Mac *); +void mac_destroy(Mac *); -diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c ---- a/openssh-6.5p1/monitor.c -+++ b/openssh-6.5p1/monitor.c -@@ -185,16 +185,17 @@ int mm_answer_gss_checkmic(int, Buffer * +diff --git a/openssh-6.6p1/monitor.c b/openssh-6.6p1/monitor.c +--- a/openssh-6.6p1/monitor.c ++++ b/openssh-6.6p1/monitor.c +@@ -179,16 +179,17 @@ int mm_answer_gss_checkmic(int, Buffer * #endif #ifdef SSH_AUDIT_EVENTS @@ -320,7 +320,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ /* local state for key verify */ -@@ -238,16 +239,17 @@ struct mon_table mon_dispatch_proto20[] +@@ -232,16 +233,17 @@ struct mon_table mon_dispatch_proto20[] {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query}, {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, @@ -338,7 +338,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c #ifdef SKEY {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery}, {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond}, -@@ -277,16 +279,17 @@ struct mon_table mon_dispatch_postauth20 +@@ -264,16 +266,17 @@ struct mon_table mon_dispatch_postauth20 {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup}, {MONITOR_REQ_TERM, 0, mm_answer_term}, #ifdef SSH_AUDIT_EVENTS @@ -356,7 +356,7 @@ 
diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey}, {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid}, -@@ -310,30 +313,32 @@ struct mon_table mon_dispatch_proto15[] +@@ -297,30 +300,32 @@ struct mon_table mon_dispatch_proto15[] {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query}, {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, @@ -389,7 +389,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c /* Specifies if a certain message is allowed at the moment */ -@@ -1971,21 +1976,23 @@ mm_get_keystate(struct monitor *pmonitor +@@ -1949,21 +1954,23 @@ mm_get_keystate(struct monitor *pmonitor goto skip; } else { /* Get the Kex for rekeying */ @@ -413,7 +413,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c packets = buffer_get_int(&m); bytes = buffer_get_int64(&m); packet_set_state(MODE_OUT, seqnr, blocks, packets, bytes); -@@ -2021,16 +2028,31 @@ mm_get_keystate(struct monitor *pmonitor +@@ -1999,16 +2006,31 @@ mm_get_keystate(struct monitor *pmonitor /* Roaming */ if (compat20) { @@ -445,7 +445,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c mm_zalloc(struct mm_master *mm, u_int ncount, u_int size) { size_t len = (size_t) size * ncount; -@@ -2465,9 +2487,27 @@ mm_answer_audit_kex_body(int sock, Buffe +@@ -2240,10 +2262,28 @@ mm_answer_audit_kex_body(int sock, Buffe free(mac); free(compress); buffer_clear(m); @@ -473,10 +473,11 @@ 
diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c + return 0; +} #endif /* SSH_AUDIT_EVENTS */ -diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h ---- a/openssh-6.5p1/monitor.h -+++ b/openssh-6.5p1/monitor.h -@@ -67,16 +67,17 @@ enum monitor_reqtype { + +diff --git a/openssh-6.6p1/monitor.h b/openssh-6.6p1/monitor.h +--- a/openssh-6.6p1/monitor.h ++++ b/openssh-6.6p1/monitor.h +@@ -62,16 +62,17 @@ enum monitor_reqtype { MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105, MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107, MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109, @@ -494,10 +495,10 @@ diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h int m_recvfd; int m_sendfd; int m_log_recvfd; -diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c ---- a/openssh-6.5p1/monitor_wrap.c -+++ b/openssh-6.5p1/monitor_wrap.c -@@ -651,22 +651,24 @@ mm_send_keystate(struct monitor *monitor +diff --git a/openssh-6.6p1/monitor_wrap.c b/openssh-6.6p1/monitor_wrap.c +--- a/openssh-6.6p1/monitor_wrap.c ++++ b/openssh-6.6p1/monitor_wrap.c +@@ -649,22 +649,24 @@ mm_send_keystate(struct monitor *monitor __func__, packet_get_newkeys(MODE_OUT), packet_get_newkeys(MODE_IN)); @@ -522,7 +523,7 @@ diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c buffer_put_int(&m, packets); buffer_put_int64(&m, bytes); packet_get_state(MODE_IN, &seqnr, &blocks, &packets, &bytes); -@@ -1520,9 +1522,24 @@ mm_audit_kex_body(int ctos, char *cipher +@@ -1356,10 +1358,25 @@ mm_audit_kex_body(int ctos, char *cipher buffer_put_int64(&m, uid); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_KEX, &m); @@ -547,9 +548,10 @@ 
diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c + buffer_free(&m); +} #endif /* SSH_AUDIT_EVENTS */ -diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h ---- a/openssh-6.5p1/monitor_wrap.h -+++ b/openssh-6.5p1/monitor_wrap.h + +diff --git a/openssh-6.6p1/monitor_wrap.h b/openssh-6.6p1/monitor_wrap.h +--- a/openssh-6.6p1/monitor_wrap.h ++++ b/openssh-6.6p1/monitor_wrap.h @@ -74,16 +74,17 @@ void mm_sshpam_free_ctx(void *); #ifdef SSH_AUDIT_EVENTS @@ -568,9 +570,9 @@ diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h void mm_session_pty_cleanup2(struct Session *); /* SSHv1 interfaces */ -diff --git a/openssh-6.5p1/packet.c b/openssh-6.5p1/packet.c ---- a/openssh-6.5p1/packet.c -+++ b/openssh-6.5p1/packet.c +diff --git a/openssh-6.6p1/packet.c b/openssh-6.6p1/packet.c +--- a/openssh-6.6p1/packet.c ++++ b/openssh-6.6p1/packet.c @@ -56,16 +56,17 @@ #include #include @@ -701,9 +703,9 @@ diff --git a/openssh-6.5p1/packet.c b/openssh-6.5p1/packet.c - mac = &active_state->newkeys[mode]->mac; - comp = &active_state->newkeys[mode]->comp; - mac_clear(mac); -- memset(enc->iv, 0, enc->iv_len); -- memset(enc->key, 0, enc->key_len); -- memset(mac->key, 0, mac->key_len); +- explicit_bzero(enc->iv, enc->iv_len); +- explicit_bzero(enc->key, enc->key_len); +- explicit_bzero(mac->key, mac->key_len); - free(enc->name); - free(enc->iv); - free(enc->key); @@ -823,9 +825,9 @@ diff --git a/openssh-6.5p1/packet.c b/openssh-6.5p1/packet.c + backup_state = NULL; } + -diff --git a/openssh-6.5p1/packet.h b/openssh-6.5p1/packet.h ---- a/openssh-6.5p1/packet.h -+++ b/openssh-6.5p1/packet.h +diff --git a/openssh-6.6p1/packet.h b/openssh-6.6p1/packet.h +--- a/openssh-6.6p1/packet.h ++++ b/openssh-6.6p1/packet.h @@ -119,9 +119,10 @@ void packet_set_rekey_limits(u_int32_t, time_t packet_get_rekey_timeout(void); @@ -837,10 +839,10 @@ 
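Review bot: The rebased removed lines in the packet.c hunk (`@@ -701,9 +703,9 @@`) now show upstream 6.6p1 zeroizing `enc->iv`, `enc->key` and `mac->key` with `explicit_bzero` where 6.5p1 used `memset`; the patch's replacement for that block (the added side of the inner hunk) is outside this view, and if it was carried over unchanged from the 6.5p1 version it still uses plain `memset`, which the compiler may drop on a buffer that is freed immediately afterwards. Confirm the replacement uses `explicit_bzero(enc->iv, enc->iv_len);`, `explicit_bzero(enc->key, enc->key_len);` and `explicit_bzero(mac->key, mac->key_len);` so the rebase does not silently reintroduce what upstream fixed. The same check applies to the mac.c hunk at `@@ -252,15 +252,15 @@` above, where the cleanup context moved from `HMAC_cleanup(&mac->evp_ctx)` to `ssh_hmac_free(mac->hmac_ctx)` and the body of the patch's added `mac_destroy` is likewise not visible.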
diff --git a/openssh-6.5p1/packet.h b/openssh-6.5p1/packet.h +void packet_destroy_all(int, int); #endif /* PACKET_H */ -diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c ---- a/openssh-6.5p1/session.c -+++ b/openssh-6.5p1/session.c -@@ -1689,16 +1689,19 @@ do_child(Session *s, const char *command +diff --git a/openssh-6.6p1/session.c b/openssh-6.6p1/session.c +--- a/openssh-6.6p1/session.c ++++ b/openssh-6.6p1/session.c +@@ -1694,16 +1694,19 @@ do_child(Session *s, const char *command int env_size; char *argv[ARGV_MAX]; const char *shell, *shell0, *hostname = NULL; @@ -860,10 +862,10 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c do_pwchange(s); exit(1); } -diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c ---- a/openssh-6.5p1/sshd.c -+++ b/openssh-6.5p1/sshd.c -@@ -711,16 +711,18 @@ privsep_preauth(Authctxt *authctxt) +diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c +--- a/openssh-6.6p1/sshd.c ++++ b/openssh-6.6p1/sshd.c +@@ -720,16 +720,18 @@ privsep_preauth(Authctxt *authctxt) setproctitle("%s", "[net]"); if (box != NULL) ssh_sandbox_child(box); @@ -882,7 +884,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c #ifdef DISABLE_FD_PASSING if (1) { #else -@@ -735,16 +737,20 @@ privsep_postauth(Authctxt *authctxt) +@@ -744,16 +746,20 @@ privsep_postauth(Authctxt *authctxt) monitor_reinit(pmonitor); pmonitor->m_pid = fork(); @@ -903,7 +905,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c /* child */ -@@ -2104,16 +2110,17 @@ main(int ac, char **av) +@@ -2118,16 +2124,17 @@ main(int ac, char **av) do_authentication(authctxt); } /* @@ -921,7 +923,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c * Cancel the alarm we set to limit the time taken for * authentication. */ -@@ -2156,16 +2163,18 @@ main(int ac, char **av) +@@ -2170,16 +2177,18 @@ main(int ac, char **av) packet_set_timeout(options.client_alive_interval, options.client_alive_count_max); @@ -940,7 +942,7 @@ 
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c verbose("Closing connection to %.500s port %d", remote_ip, remote_port); #ifdef USE_PAM -@@ -2497,26 +2506,38 @@ do_ssh2_kex(void) +@@ -2523,26 +2532,38 @@ do_ssh2_kex(void) #endif debug("KEX done"); } diff --git a/openssh-6.5p1-audit6-server_key_destruction.patch b/openssh-6.6p1-audit6-server_key_destruction.patch similarity index 88% rename from openssh-6.5p1-audit6-server_key_destruction.patch rename to openssh-6.6p1-audit6-server_key_destruction.patch index efd0272..8d25c79 100644 --- a/openssh-6.5p1-audit6-server_key_destruction.patch +++ b/openssh-6.6p1-audit6-server_key_destruction.patch @@ -4,9 +4,9 @@ # https://bugzilla.mindrot.org/attachment.cgi?id=2015 # by jchadima@redhat.com -diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c ---- a/openssh-6.5p1/audit-bsm.c -+++ b/openssh-6.5p1/audit-bsm.c +diff --git a/openssh-6.6p1/audit-bsm.c b/openssh-6.6p1/audit-bsm.c +--- a/openssh-6.6p1/audit-bsm.c ++++ b/openssh-6.6p1/audit-bsm.c @@ -486,9 +486,27 @@ audit_kex_body(int ctos, char *enc, char /* not implemented */ } @@ -35,9 +35,9 @@ diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c + /* not implemented */ +} #endif /* BSM */ -diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c ---- a/openssh-6.5p1/audit-linux.c -+++ b/openssh-6.5p1/audit-linux.c +diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c +--- a/openssh-6.6p1/audit-linux.c ++++ b/openssh-6.6p1/audit-linux.c @@ -351,9 +351,55 @@ audit_session_key_free_body(int ctos, pi audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER, buf, NULL, get_remote_ipaddr(), NULL, 1); @@ -94,9 +94,9 @@ 
diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c + error("cannot write into audit"); +} #endif /* USE_LINUX_AUDIT */ -diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c ---- a/openssh-6.5p1/audit.c -+++ b/openssh-6.5p1/audit.c +diff --git a/openssh-6.6p1/audit.c b/openssh-6.6p1/audit.c +--- a/openssh-6.6p1/audit.c ++++ b/openssh-6.6p1/audit.c @@ -285,10 +285,29 @@ audit_kex_body(int ctos, char *enc, char * This will be called on succesfull session key discard */ @@ -127,9 +127,9 @@ diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c +} # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */ -diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h ---- a/openssh-6.5p1/audit.h -+++ b/openssh-6.5p1/audit.h +diff --git a/openssh-6.6p1/audit.h b/openssh-6.6p1/audit.h +--- a/openssh-6.6p1/audit.h ++++ b/openssh-6.6p1/audit.h @@ -43,26 +43,30 @@ enum ssh_audit_event_type { SSH_INVALID_USER, SSH_NOLOGIN, /* denied by /etc/nologin, not implemented */ @@ -161,10 +161,10 @@ diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h +void audit_generate_ephemeral_server_key(const char *); #endif /* _SSH_AUDIT_H */ -diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c ---- a/openssh-6.5p1/key.c -+++ b/openssh-6.5p1/key.c -@@ -1959,16 +1959,43 @@ key_demote(const Key *k) +diff --git a/openssh-6.6p1/key.c b/openssh-6.6p1/key.c +--- a/openssh-6.6p1/key.c ++++ b/openssh-6.6p1/key.c +@@ -1964,16 +1964,43 @@ key_demote(const Key *k) fatal("key_demote: bad key type %d", k->type); break; } @@ -208,9 +208,9 @@ diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c } /* Return the cert-less equivalent to a certified key type */ -diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h ---- a/openssh-6.5p1/key.h -+++ b/openssh-6.5p1/key.h +diff --git a/openssh-6.6p1/key.h b/openssh-6.6p1/key.h +--- a/openssh-6.6p1/key.h ++++ b/openssh-6.6p1/key.h 
@@ -113,16 +113,17 @@ int key_read(Key *, char **); u_int key_size(const Key *); enum fp_type key_fp_type_select(void); @@ -229,10 +229,10 @@ diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h void key_cert_copy(const Key *, struct Key *); int key_cert_check_authority(const Key *, int, int, const char *, const char **); -diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c ---- a/openssh-6.5p1/monitor.c -+++ b/openssh-6.5p1/monitor.c -@@ -110,16 +110,18 @@ extern u_int utmp_len; +diff --git a/openssh-6.6p1/monitor.c b/openssh-6.6p1/monitor.c +--- a/openssh-6.6p1/monitor.c ++++ b/openssh-6.6p1/monitor.c +@@ -109,16 +109,18 @@ extern u_int utmp_len; extern Newkeys *current_keys[]; extern z_stream incoming_stream; extern z_stream outgoing_stream; @@ -251,7 +251,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c u_char *keyin; u_int keyinlen; u_char *keyout; -@@ -186,16 +188,17 @@ int mm_answer_gss_checkmic(int, Buffer * +@@ -180,16 +182,17 @@ int mm_answer_gss_checkmic(int, Buffer * #ifdef SSH_AUDIT_EVENTS int mm_answer_audit_event(int, Buffer *); @@ -269,7 +269,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ /* local state for key verify */ -@@ -240,16 +243,17 @@ struct mon_table mon_dispatch_proto20[] +@@ -234,16 +237,17 @@ struct mon_table mon_dispatch_proto20[] {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, #endif @@ -287,7 +287,7 @@ 
diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c #ifdef SKEY {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery}, {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond}, -@@ -280,16 +284,17 @@ struct mon_table mon_dispatch_postauth20 +@@ -267,16 +271,17 @@ struct mon_table mon_dispatch_postauth20 {MONITOR_REQ_TERM, 0, mm_answer_term}, #ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, @@ -305,7 +305,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey}, {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid}, -@@ -314,31 +319,33 @@ struct mon_table mon_dispatch_proto15[] +@@ -301,31 +306,33 @@ struct mon_table mon_dispatch_proto15[] {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, #endif @@ -339,7 +339,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c /* Specifies if a certain message is allowed at the moment */ -@@ -1761,16 +1768,18 @@ mm_answer_term(int sock, Buffer *req) +@@ -1739,16 +1746,18 @@ mm_answer_term(int sock, Buffer *req) /* The child is terminating */ session_destroy_all(&mm_session_close); @@ -358,7 +358,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c /* Terminate process */ exit(res); -@@ -2505,9 +2514,30 @@ mm_answer_audit_session_key_free_body(in +@@ -2280,10 +2289,31 @@ mm_answer_audit_session_key_free_body(in audit_session_key_free_body(ctos, pid, uid); @@ -389,10 +389,11 @@ 
diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c + return 0; +} #endif /* SSH_AUDIT_EVENTS */ -diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h ---- a/openssh-6.5p1/monitor.h -+++ b/openssh-6.5p1/monitor.h -@@ -68,16 +68,17 @@ enum monitor_reqtype { + +diff --git a/openssh-6.6p1/monitor.h b/openssh-6.6p1/monitor.h +--- a/openssh-6.6p1/monitor.h ++++ b/openssh-6.6p1/monitor.h +@@ -63,16 +63,17 @@ enum monitor_reqtype { MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107, MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109, MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111, @@ -410,10 +411,10 @@ diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h int m_recvfd; int m_sendfd; int m_log_recvfd; -diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c ---- a/openssh-6.5p1/monitor_wrap.c -+++ b/openssh-6.5p1/monitor_wrap.c -@@ -1537,9 +1537,25 @@ mm_audit_session_key_free_body(int ctos, +diff --git a/openssh-6.6p1/monitor_wrap.c b/openssh-6.6p1/monitor_wrap.c +--- a/openssh-6.6p1/monitor_wrap.c ++++ b/openssh-6.6p1/monitor_wrap.c +@@ -1373,10 +1373,26 @@ mm_audit_session_key_free_body(int ctos, buffer_put_int(&m, ctos); buffer_put_int64(&m, pid); buffer_put_int64(&m, uid); @@ -439,9 +440,10 @@ diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c + buffer_free(&m); +} #endif /* SSH_AUDIT_EVENTS */ -diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h ---- a/openssh-6.5p1/monitor_wrap.h -+++ b/openssh-6.5p1/monitor_wrap.h + +diff --git a/openssh-6.6p1/monitor_wrap.h b/openssh-6.6p1/monitor_wrap.h +--- a/openssh-6.6p1/monitor_wrap.h ++++ b/openssh-6.6p1/monitor_wrap.h @@ -75,16 +75,17 @@ void mm_sshpam_free_ctx(void *); #ifdef SSH_AUDIT_EVENTS #include "audit.h" @@ -460,9 +462,9 @@ 
diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h void mm_session_pty_cleanup2(struct Session *); /* SSHv1 interfaces */ -diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c ---- a/openssh-6.5p1/session.c -+++ b/openssh-6.5p1/session.c +diff --git a/openssh-6.6p1/session.c b/openssh-6.6p1/session.c +--- a/openssh-6.6p1/session.c ++++ b/openssh-6.6p1/session.c @@ -132,17 +132,17 @@ static int session_pty_req(Session *); /* import */ @@ -482,7 +484,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c /* data */ static int sessions_first_unused = -1; static int sessions_nalloc = 0; -@@ -1688,17 +1688,17 @@ do_child(Session *s, const char *command +@@ -1693,17 +1693,17 @@ do_child(Session *s, const char *command char **env; int env_size; char *argv[ARGV_MAX]; @@ -501,10 +503,10 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c if (s->authctxt->force_pwchange) { do_setusercontext(pw); child_close_fds(); -diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c ---- a/openssh-6.5p1/sshd.c -+++ b/openssh-6.5p1/sshd.c -@@ -256,17 +256,17 @@ Buffer cfg; +diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c +--- a/openssh-6.6p1/sshd.c ++++ b/openssh-6.6p1/sshd.c +@@ -259,17 +259,17 @@ Buffer cfg; /* message to be displayed after login */ Buffer loginmsg; @@ -523,7 +525,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c /* * Close all listening sockets */ -@@ -275,16 +275,25 @@ close_listen_socks(void) +@@ -278,16 +278,25 @@ close_listen_socks(void) { int i; @@ -549,7 +551,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c if (startup_pipes) for (i = 0; i < options.max_startups; i++) if (startup_pipes[i] != -1) -@@ -554,60 +563,99 @@ sshd_exchange_identification(int sock_in +@@ -557,60 +566,99 @@ sshd_exchange_identification(int sock_in close(sock_out); logit("Protocol major versions differ for %s: %.200s vs. %.200s", get_remote_ipaddr(), @@ -606,7 +608,7 @@ 
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c } } sensitive_data.ssh1_host_key = NULL; - memset(sensitive_data.ssh1_cookie, 0, SSH_SESSION_KEY_LENGTH); + explicit_bzero(sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH); } /* Demote private to public keys for network child */ @@ -618,14 +620,14 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c + uid_t uid; int i; ++ pid = getpid(); ++ uid = getuid(); if (sensitive_data.server_key) { tmp = key_demote(sensitive_data.server_key); key_free(sensitive_data.server_key); sensitive_data.server_key = tmp; } -+ pid = getpid(); -+ uid = getuid(); for (i = 0; i < options.num_host_key_files; i++) { if (sensitive_data.host_keys[i]) { + char *fp; @@ -652,7 +654,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c } static void -@@ -1192,16 +1240,17 @@ server_accept_loop(int *sock_in, int *so +@@ -1201,16 +1249,17 @@ server_accept_loop(int *sock_in, int *so /* Wait in select until there is a connection. */ ret = select(maxfd+1, fdset, NULL, NULL, NULL); @@ -670,7 +672,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c generate_ephemeral_server_key(); key_used = 0; key_do_regen = 0; -@@ -2153,27 +2202,28 @@ main(int ac, char **av) +@@ -2167,27 +2216,28 @@ main(int ac, char **av) /* * In privilege separation, we fork another child and prepare * file descriptor passing. @@ -700,10 +702,10 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c verbose("Closing connection to %.500s port %d", remote_ip, remote_port); -@@ -2392,17 +2442,17 @@ do_ssh1_kex(void) - MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH); - MD5_Final(session_key + 16, &md); - memset(buf, 0, bytes); +@@ -2412,17 +2462,17 @@ do_ssh1_kex(void) + fatal("%s: hash failed", __func__); + ssh_digest_free(md); + explicit_bzero(buf, bytes); free(buf); for (i = 0; i < 16; i++) session_id[i] = session_key[i] ^ session_key[i + 16]; @@ -719,7 +721,7 @@ 
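Review bot: Moving `pid = getpid();` and `uid = getuid();` ahead of the `sensitive_data.server_key` demotion in the hunk at `@@ -618,14 +620,14 @@` changes what the patch does rather than merely rebasing it, and neither the hunk nor the patch header says why. If a hunk outside this view now audits the server-key demotion with pid/uid, the move is what keeps those locals from being read before assignment and deserves a sentence in the patch header, e.g. `# demote: pid/uid must be set before the server key is demoted, its audit record uses them`. If no such use exists, the reorder is gratuitous churn and the 6.5p1 placement should be kept to minimise the diff. The demoting function (under the `Demote private to public keys for network child` comment) continues outside the hunk.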
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c BN_clear_free(session_key_int); /* Set the session key. From this on all communications will be encrypted. */ -@@ -2527,16 +2577,18 @@ cleanup_exit(int i) +@@ -2553,16 +2603,18 @@ cleanup_exit(int i) debug("Killing privsep child %d", pmonitor->m_pid); if (kill(pmonitor->m_pid, SIGKILL) != 0 && errno != ESRCH) diff --git a/openssh-6.5p1-audit7-libaudit_compat.patch b/openssh-6.6p1-audit7-libaudit_compat.patch similarity index 92% rename from openssh-6.5p1-audit7-libaudit_compat.patch rename to openssh-6.6p1-audit7-libaudit_compat.patch index 6618b3d..ce46452 100644 --- a/openssh-6.5p1-audit7-libaudit_compat.patch +++ b/openssh-6.6p1-audit7-libaudit_compat.patch @@ -1,8 +1,8 @@ # definitions for AUDIT_CRYPTO_* symbols fom libaudit 2.x -diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c ---- a/openssh-6.5p1/audit-linux.c -+++ b/openssh-6.5p1/audit-linux.c +diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c +--- a/openssh-6.6p1/audit-linux.c ++++ b/openssh-6.6p1/audit-linux.c @@ -25,16 +25,17 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * @@ -21,10 +21,10 @@ diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c #include "key.h" #include "hostfile.h" #include "auth.h" -diff --git a/openssh-6.5p1/compat-libaudit.h b/openssh-6.5p1/compat-libaudit.h +diff --git a/openssh-6.6p1/compat-libaudit.h b/openssh-6.6p1/compat-libaudit.h new file mode 100644 --- /dev/null -+++ b/openssh-6.5p1/compat-libaudit.h ++++ b/openssh-6.6p1/compat-libaudit.h @@ -0,0 +1,79 @@ +/* AUDIT_CRYPTO symbol definitions from libaudit 2.x */ +/* libaudit.h -- diff --git a/openssh-6.5p1-audit8-libaudit_dns_timeouts.patch b/openssh-6.6p1-audit8-libaudit_dns_timeouts.patch similarity index 92% rename from openssh-6.5p1-audit8-libaudit_dns_timeouts.patch rename to openssh-6.6p1-audit8-libaudit_dns_timeouts.patch index bbf76a8..c199c65 100644 
--- a/openssh-6.5p1-audit8-libaudit_dns_timeouts.patch +++ b/openssh-6.6p1-audit8-libaudit_dns_timeouts.patch @@ -4,9 +4,9 @@ # Note that this particular solution causes the logs to always contain # "hostname=?, addr=?" when DNS lookups are disabled. -diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c ---- a/openssh-6.5p1/audit-linux.c -+++ b/openssh-6.5p1/audit-linux.c +diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c +--- a/openssh-6.6p1/audit-linux.c ++++ b/openssh-6.6p1/audit-linux.c @@ -62,17 +62,17 @@ linux_audit_user_logxxx(int uid, const c if (errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT) diff --git a/openssh-6.5p1-blocksigalrm.patch b/openssh-6.6p1-blocksigalrm.patch similarity index 95% rename from openssh-6.5p1-blocksigalrm.patch rename to openssh-6.6p1-blocksigalrm.patch index b2b6483..1cd7f05 100644 --- a/openssh-6.5p1-blocksigalrm.patch +++ b/openssh-6.6p1-blocksigalrm.patch @@ -2,9 +2,9 @@ # grace_alarm_handler) # bnc#57354 -diff --git a/openssh-6.5p1/log.c b/openssh-6.5p1/log.c ---- a/openssh-6.5p1/log.c -+++ b/openssh-6.5p1/log.c +diff --git a/openssh-6.6p1/log.c b/openssh-6.6p1/log.c +--- a/openssh-6.6p1/log.c ++++ b/openssh-6.6p1/log.c @@ -47,16 +47,17 @@ #include #include diff --git a/openssh-6.5p1-default-protocol.patch b/openssh-6.6p1-default-protocol.patch similarity index 83% rename from openssh-6.5p1-default-protocol.patch rename to openssh-6.6p1-default-protocol.patch index cea3064..c1ddaa7 100644 --- a/openssh-6.5p1-default-protocol.patch +++ b/openssh-6.6p1-default-protocol.patch @@ -1,8 +1,8 @@ # only enable SSHv2 protocol by default (upstream default is fallback to v1) -diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config ---- a/openssh-6.5p1/ssh_config -+++ b/openssh-6.5p1/ssh_config +diff --git a/openssh-6.6p1/ssh_config b/openssh-6.6p1/ssh_config +--- a/openssh-6.6p1/ssh_config ++++ b/openssh-6.6p1/ssh_config 
@@ -41,17 +41,17 @@ ForwardX11Trusted yes # CheckHostIP yes # AddressFamily any diff --git a/openssh-6.5p1-disable-openssl-abi-check.patch b/openssh-6.6p1-disable-openssl-abi-check.patch similarity index 89% rename from openssh-6.5p1-disable-openssl-abi-check.patch rename to openssh-6.6p1-disable-openssl-abi-check.patch index 84a9e11..61ce8d5 100644 --- a/openssh-6.5p1-disable-openssl-abi-check.patch +++ b/openssh-6.6p1-disable-openssl-abi-check.patch @@ -2,9 +2,9 @@ # reliable indicator of ABI changes and doesn't make much sense in a # distribution package -diff --git a/openssh-6.5p1/entropy.c b/openssh-6.5p1/entropy.c ---- a/openssh-6.5p1/entropy.c -+++ b/openssh-6.5p1/entropy.c +diff --git a/openssh-6.6p1/entropy.c b/openssh-6.6p1/entropy.c +--- a/openssh-6.6p1/entropy.c ++++ b/openssh-6.6p1/entropy.c @@ -212,22 +212,23 @@ seed_rng(void) #endif /* diff --git a/openssh-6.5p1-eal3.patch b/openssh-6.6p1-eal3.patch similarity index 89% rename from openssh-6.5p1-eal3.patch rename to openssh-6.6p1-eal3.patch index f2c5fdc..a3058d3 100644 --- a/openssh-6.5p1-eal3.patch +++ b/openssh-6.6p1-eal3.patch @@ -1,8 +1,8 @@ # fix paths and references in sshd man pages -diff --git a/openssh-6.5p1/sshd.8 b/openssh-6.5p1/sshd.8 ---- a/openssh-6.5p1/sshd.8 -+++ b/openssh-6.5p1/sshd.8 +diff --git a/openssh-6.6p1/sshd.8 b/openssh-6.6p1/sshd.8 +--- a/openssh-6.6p1/sshd.8 ++++ b/openssh-6.6p1/sshd.8 @@ -875,17 +875,17 @@ See If this file exists, .Nm @@ -41,9 +41,9 @@ diff --git a/openssh-6.5p1/sshd.8 b/openssh-6.5p1/sshd.8 OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, -diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5 ---- a/openssh-6.5p1/sshd_config.5 -+++ b/openssh-6.5p1/sshd_config.5 +diff --git a/openssh-6.6p1/sshd_config.5 b/openssh-6.6p1/sshd_config.5 +--- a/openssh-6.6p1/sshd_config.5 ++++ b/openssh-6.6p1/sshd_config.5 
@@ -278,18 +278,17 @@ The contents of the specified file are s authentication is allowed. If the argument is diff --git a/openssh-6.5p1-fingerprint_hash.patch b/openssh-6.6p1-fingerprint_hash.patch similarity index 91% rename from openssh-6.5p1-fingerprint_hash.patch rename to openssh-6.6p1-fingerprint_hash.patch index 61c681a..e777e15 100644 --- a/openssh-6.5p1-fingerprint_hash.patch +++ b/openssh-6.6p1-fingerprint_hash.patch @@ -1,14 +1,14 @@ # HG changeset patch -# Parent 450c3933f35c6801a682ea32c588e4c9ff73414a +# Parent a3a898b117b0f726e6cc923f18463de8e45e74f5 # select fingerprint hash algorithms based on the environment variable # SSH_FP_TYPE_ENVVAR and append it to hex and randomart fingerprints # Petr Cerny -diff --git a/openssh-6.5p1/auth-rsa.c b/openssh-6.5p1/auth-rsa.c ---- a/openssh-6.5p1/auth-rsa.c -+++ b/openssh-6.5p1/auth-rsa.c -@@ -226,17 +226,17 @@ rsa_key_allowed_in_file(struct passwd *p +diff --git a/openssh-6.6p1/auth-rsa.c b/openssh-6.6p1/auth-rsa.c +--- a/openssh-6.6p1/auth-rsa.c ++++ b/openssh-6.6p1/auth-rsa.c +@@ -230,17 +230,17 @@ rsa_key_allowed_in_file(struct passwd *p /* check the real bits */ keybits = BN_num_bits(key->rsa->n); @@ -27,9 +27,9 @@ diff --git a/openssh-6.5p1/auth-rsa.c b/openssh-6.5p1/auth-rsa.c if (auth_key_is_revoked(key)) break; -diff --git a/openssh-6.5p1/auth.c b/openssh-6.5p1/auth.c ---- a/openssh-6.5p1/auth.c -+++ b/openssh-6.5p1/auth.c +diff --git a/openssh-6.6p1/auth.c b/openssh-6.6p1/auth.c +--- a/openssh-6.6p1/auth.c ++++ b/openssh-6.6p1/auth.c @@ -680,17 +680,17 @@ auth_key_is_revoked(Key *key) case -1: /* Error opening revoked_keys_file: refuse all keys */ @@ -49,9 +49,9 @@ 
diff --git a/openssh-6.5p1/auth.c b/openssh-6.5p1/auth.c fatal("key_in_file returned junk"); } -diff --git a/openssh-6.5p1/auth2-hostbased.c b/openssh-6.5p1/auth2-hostbased.c ---- a/openssh-6.5p1/auth2-hostbased.c -+++ b/openssh-6.5p1/auth2-hostbased.c +diff --git a/openssh-6.6p1/auth2-hostbased.c b/openssh-6.6p1/auth2-hostbased.c +--- a/openssh-6.6p1/auth2-hostbased.c ++++ b/openssh-6.6p1/auth2-hostbased.c @@ -202,23 +202,23 @@ hostbased_key_allowed(struct passwd *pw, _PATH_SSH_SYSTEM_HOSTFILE2, options.ignore_user_known_hosts ? NULL : @@ -78,9 +78,9 @@ diff --git a/openssh-6.5p1/auth2-hostbased.c b/openssh-6.5p1/auth2-hostbased.c return (host_status == HOST_OK); } -diff --git a/openssh-6.5p1/auth2-pubkey.c b/openssh-6.5p1/auth2-pubkey.c ---- a/openssh-6.5p1/auth2-pubkey.c -+++ b/openssh-6.5p1/auth2-pubkey.c +diff --git a/openssh-6.6p1/auth2-pubkey.c b/openssh-6.6p1/auth2-pubkey.c +--- a/openssh-6.6p1/auth2-pubkey.c ++++ b/openssh-6.6p1/auth2-pubkey.c @@ -208,25 +208,25 @@ pubkey_auth_info(Authctxt *authctxt, con i = vasprintf(&extra, fmt, ap); va_end(ap); @@ -166,9 +166,9 @@ diff --git a/openssh-6.5p1/auth2-pubkey.c b/openssh-6.5p1/auth2-pubkey.c options.trusted_user_ca_keys); goto out; } -diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c ---- a/openssh-6.5p1/key.c -+++ b/openssh-6.5p1/key.c +diff --git a/openssh-6.6p1/key.c b/openssh-6.6p1/key.c +--- a/openssh-6.6p1/key.c ++++ b/openssh-6.6p1/key.c @@ -420,30 +420,39 @@ key_fingerprint_raw(const Key *k, enum f *dgst_raw_length = ssh_digest_bytes(hash_alg); } else { @@ -278,7 +278,7 @@ diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c dgst_rep); break; } - memset(dgst_raw, 0, dgst_raw_len); + explicit_bzero(dgst_raw, dgst_raw_len); free(dgst_raw); return retval; } @@ -348,9 +348,9 @@ 
diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c * the buffer containing the number. */ static int -diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h ---- a/openssh-6.5p1/key.h -+++ b/openssh-6.5p1/key.h +diff --git a/openssh-6.6p1/key.h b/openssh-6.6p1/key.h +--- a/openssh-6.6p1/key.h ++++ b/openssh-6.6p1/key.h @@ -53,16 +53,18 @@ enum fp_type { SSH_FP_MD5, SSH_FP_SHA256 @@ -389,9 +389,9 @@ diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h int key_type_is_cert(int); int key_type_plain(int); int key_to_certified(Key *, int); -diff --git a/openssh-6.5p1/ssh-add.c b/openssh-6.5p1/ssh-add.c ---- a/openssh-6.5p1/ssh-add.c -+++ b/openssh-6.5p1/ssh-add.c +diff --git a/openssh-6.6p1/ssh-add.c b/openssh-6.6p1/ssh-add.c +--- a/openssh-6.6p1/ssh-add.c ++++ b/openssh-6.6p1/ssh-add.c @@ -325,17 +325,17 @@ list_identities(AuthenticationConnection int version; @@ -411,9 +411,9 @@ diff --git a/openssh-6.5p1/ssh-add.c b/openssh-6.5p1/ssh-add.c if (!key_write(key, stdout)) fprintf(stderr, "key_write failed"); fprintf(stdout, " %s\n", comment); -diff --git a/openssh-6.5p1/ssh-agent.c b/openssh-6.5p1/ssh-agent.c ---- a/openssh-6.5p1/ssh-agent.c -+++ b/openssh-6.5p1/ssh-agent.c +diff --git a/openssh-6.6p1/ssh-agent.c b/openssh-6.6p1/ssh-agent.c +--- a/openssh-6.6p1/ssh-agent.c ++++ b/openssh-6.6p1/ssh-agent.c @@ -193,17 +193,17 @@ lookup_identity(Key *key, int version) /* Check confirmation of keysign request */ @@ -433,9 +433,9 @@ diff --git a/openssh-6.5p1/ssh-agent.c b/openssh-6.5p1/ssh-agent.c return (ret); } -diff --git a/openssh-6.5p1/ssh-keygen.c b/openssh-6.5p1/ssh-keygen.c ---- a/openssh-6.5p1/ssh-keygen.c -+++ b/openssh-6.5p1/ssh-keygen.c +diff --git a/openssh-6.6p1/ssh-keygen.c b/openssh-6.6p1/ssh-keygen.c +--- a/openssh-6.6p1/ssh-keygen.c ++++ b/openssh-6.6p1/ssh-keygen.c @@ -741,27 +741,27 @@ do_download(struct passwd *pw) { #ifdef ENABLE_PKCS11 @@ -583,10 +583,10 @@ 
diff --git a/openssh-6.5p1/ssh-keygen.c b/openssh-6.5p1/ssh-keygen.c printf("The key's randomart image is:\n"); printf("%s\n", ra); free(ra); -diff --git a/openssh-6.5p1/sshconnect.c b/openssh-6.5p1/sshconnect.c ---- a/openssh-6.5p1/sshconnect.c -+++ b/openssh-6.5p1/sshconnect.c -@@ -906,18 +906,18 @@ check_host_key(char *hostname, struct so +diff --git a/openssh-6.6p1/sshconnect.c b/openssh-6.6p1/sshconnect.c +--- a/openssh-6.6p1/sshconnect.c ++++ b/openssh-6.6p1/sshconnect.c +@@ -909,18 +909,18 @@ check_host_key(char *hostname, struct so "address '%.128s' to the list of known " "hosts (%.30s).", type, ip, user_hostfiles[0]); @@ -607,7 +607,7 @@ diff --git a/openssh-6.5p1/sshconnect.c b/openssh-6.5p1/sshconnect.c break; case HOST_NEW: if (options.host_key_alias == NULL && port != 0 && -@@ -947,18 +947,18 @@ check_host_key(char *hostname, struct so +@@ -950,18 +950,18 @@ check_host_key(char *hostname, struct so if (show_other_keys(host_hostkeys, host_key)) snprintf(msg1, sizeof(msg1), @@ -628,7 +628,7 @@ diff --git a/openssh-6.5p1/sshconnect.c b/openssh-6.5p1/sshconnect.c "Matching host key fingerprint" " found in DNS.\n"); else -@@ -1212,17 +1212,17 @@ fail: +@@ -1215,17 +1215,17 @@ fail: /* returns 0 if key verifies or -1 if key does NOT verify */ int @@ -647,7 +647,7 @@ diff --git a/openssh-6.5p1/sshconnect.c b/openssh-6.5p1/sshconnect.c verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) { if (flags & DNS_VERIFY_FOUND) { -@@ -1319,18 +1319,18 @@ show_other_keys(struct hostkeys *hostkey +@@ -1322,18 +1322,18 @@ show_other_keys(struct hostkeys *hostkey char *fp, *ra; const struct hostkey_entry *found; @@ -668,7 +668,7 @@ diff --git a/openssh-6.5p1/sshconnect.c b/openssh-6.5p1/sshconnect.c key_type(found->key), fp); if (options.visual_host_key) logit("%s", ra); -@@ -1341,17 +1341,17 @@ show_other_keys(struct hostkeys *hostkey +@@ -1344,17 +1344,17 @@ show_other_keys(struct hostkeys *hostkey return ret; } @@ -687,10 +687,10 @@ 
diff --git a/openssh-6.5p1/sshconnect.c b/openssh-6.5p1/sshconnect.c error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); error("It is also possible that a host key has just been changed."); error("The fingerprint for the %s key sent by the remote host is\n%s.", -diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c ---- a/openssh-6.5p1/sshconnect2.c -+++ b/openssh-6.5p1/sshconnect2.c -@@ -592,17 +592,17 @@ input_userauth_pk_ok(int type, u_int32_t +diff --git a/openssh-6.6p1/sshconnect2.c b/openssh-6.6p1/sshconnect2.c +--- a/openssh-6.6p1/sshconnect2.c ++++ b/openssh-6.6p1/sshconnect2.c +@@ -577,17 +577,17 @@ input_userauth_pk_ok(int type, u_int32_t goto done; } if (key->type != pktype) { @@ -709,7 +709,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c * moved to the end of the queue. this also avoids confusion by * duplicate keys */ -@@ -1206,17 +1206,17 @@ sign_and_send_pubkey(Authctxt *authctxt, +@@ -988,17 +988,17 @@ sign_and_send_pubkey(Authctxt *authctxt, Buffer b; u_char *blob, *signature; u_int bloblen, slen; diff --git a/openssh-6.6p1-fips-checks.patch b/openssh-6.6p1-fips-checks.patch new file mode 100644 index 0000000..ef64087 --- /dev/null +++ b/openssh-6.6p1-fips-checks.patch 
@@ -0,0 +1,517 @@ +# HG changeset patch +# Parent 12ad7b6077ef9c6b3a3a53b4f0084c3eb2f80fe7 + +diff --git a/openssh-6.6p1/fips-check.c b/openssh-6.6p1/fips-check.c +new file mode 100644 +--- /dev/null ++++ b/openssh-6.6p1/fips-check.c +@@ -0,0 +1,37 @@ ++#include "includes.h" ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "digest.h" ++#include "fips.h" ++ ++#include ++ ++#define PROC_NAME_LEN 64 ++ ++static const char *argv0; ++ ++void ++print_help_exit(int ev) ++{ ++ fprintf(stderr, "%s <-c|-w> \n", argv0); ++ fprintf(stderr, " -c verify hash of 'file' against hash in 'checksum_file'\n"); ++ fprintf(stderr, " -w write hash of 'file' into 'checksum_file'\n"); ++ exit(ev); ++} ++ ++int ++main(int argc, char **argv) ++{ ++ ++ fips_ssh_init(); ++// printf("SSL Error: %lx: %s", ERR_get_error(), ERR_get_string(ERR_get_error(), NULL)); ++ ++ return 0; ++} +diff --git a/openssh-6.6p1/fips.c b/openssh-6.6p1/fips.c +--- a/openssh-6.6p1/fips.c ++++ b/openssh-6.6p1/fips.c +@@ -24,21 +24,342 @@ + + #include "includes.h" + + #include "fips.h" + + #include "digest.h" + #include "key.h" + #include "log.h" ++#include "xmalloc.h" ++#include ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include + + #include ++#include ++ ++enum fips_checksum_status { ++ CHECK_OK = 0, ++ CHECK_FAIL, ++ CHECK_MISSING ++}; + + static int fips_state = -1; + ++static char * ++hex_fingerprint(u_int raw_len, u_char *raw) ++{ ++ char *retval; ++ u_int i; ++ ++ /* reserve space for both the key hash and the string for the hash type */ ++ retval = malloc(3 * raw_len); ++ for (i = 0; i < raw_len; i++) { ++ char hex[4]; ++ snprintf(hex, sizeof(hex), "%02x:", raw[i]); ++ strlcat(retval, hex, raw_len * 3); ++ } ++ ++ return retval; ++} ++ ++/* calculates hash of contents of file given by filename using algorithm alg ++ * and placing the resukt into newly allacated memory - remember to free it ++ * when not needed anymore */ ++static 
int ++hash_file(const char *filename, int alg, u_char **hash_out) ++{ ++ int check = -1; ++ int hash_len; ++ int fd; ++ struct stat fs; ++ void *hmap; ++ char *hash; ++ ++ hash_len = ssh_digest_bytes(alg); ++ hash = xmalloc(hash_len); ++ ++ fd = open(filename, O_RDONLY); ++ if (-1 == fd) ++ goto bail_out; ++ ++ if (-1 == fstat(fd, &fs)) ++ goto bail_out; ++ ++ hmap = mmap(NULL, fs.st_size, PROT_READ, MAP_SHARED, fd, 0); ++ ++ if ((void *)(-1) != hmap) { ++ check = ssh_digest_memory(alg, hmap, fs.st_size, hash, hash_len); ++ munmap(hmap, fs.st_size); ++ } ++ close(fd); ++ ++bail_out: ++ if (0 == check) { ++ check = CHECK_OK; ++ *hash_out = hash; ++ } else { ++ check = CHECK_FAIL; ++ *hash_out = NULL; ++ free(hash); ++ } ++ return check; ++} ++ ++/* find pathname of binary of process with PID pid. exe is buffer expected to ++ * be capable of holding at least max_pathlen characters ++ */ ++static int ++get_executable_path(pid_t pid, char *exe, int max_pathlen) ++{ ++ char exe_sl[PROC_EXE_PATH_LEN]; ++ int n; ++ ++ n = snprintf(exe_sl, sizeof(exe_sl), "/proc/%u/exe", pid); ++ if ((n <= 10) || (n >= max_pathlen)) { ++ fatal("error compiling filename of link to executable"); ++ } ++ ++ n = readlink(exe_sl, exe, max_pathlen); ++ if (n < max_pathlen) { ++ exe[n] = 0; ++ } else { ++ fatal("error getting executable pathname"); ++ } ++ return 0; ++} ++ ++/* Read checksum file chk, storing the algorithm used for generating it into ++ * *alg; allocate enough memory to hold the hash and return it in *hash. ++ * Remember to free() it when not needed anymore. 
++ */ ++static int ++read_hash(const char *chk, int *alg, u_char **hash) ++{ ++ int check = -1; ++ int hash_len; ++ int fdh, n; ++ char alg_c; ++ char *hash_in; ++ ++ *hash = NULL; ++ ++ fdh = open(chk, O_RDONLY); ++ if (-1 == fdh) { ++ switch (errno) { ++ case ENOENT: ++ check = CHECK_MISSING; ++ debug("fips: checksum file %s is missing\n", chk); ++ break; ++ default: ++ check = CHECK_FAIL; ++ debug("fips: ckecksum file %s not accessible\n", chk); ++ break; ++ ++ } ++ goto bail_out; ++ } ++ ++ n = read(fdh, &alg_c, 1); ++ if (1 != n) { ++ check = CHECK_FAIL; ++ goto bail_out; ++ } ++ ++ *alg = (int)alg_c; ++ hash_len = ssh_digest_bytes(*alg); ++ hash_in = xmalloc(hash_len); ++ ++ n = read(fdh, (void *)hash_in, hash_len); ++ if (hash_len != n) { ++ debug("fips: unable to read whole checksum from checksum file\n"); ++ free (hash_in); ++ check = CHECK_FAIL; ++ } else { ++ check = CHECK_OK; ++ *hash = hash_in; ++ } ++bail_out: ++ return check; ++} ++ ++static int ++fips_hash_self(void) ++{ ++ int check = -1; ++ int alg; ++ u_char *hash, *hash_chk; ++ char *exe, *chk; ++ ++ exe = xmalloc(PATH_MAX); ++ chk = xmalloc(PATH_MAX); ++ ++ /* we will need to add the ".chk" suffix and the null terminator */ ++ check = get_executable_path(getpid(), exe ++ , PATH_MAX - strlen(CHECKSUM_SUFFIX) - 1); ++ ++ strncpy(chk, exe, PATH_MAX); ++ strlcat(chk, CHECKSUM_SUFFIX, PATH_MAX); ++ ++ check = read_hash(chk, &alg, &hash_chk); ++ if (CHECK_OK != check) ++ goto cleanup_chk; ++ ++ check = hash_file(exe, alg, &hash); ++ if (CHECK_OK != check) ++ goto cleanup; ++ ++ check = memcmp(hash, hash_chk, ssh_digest_bytes(alg)); ++ if (0 == check) { ++ check = CHECK_OK; ++ debug("fips: checksum matches\n"); ++ } else { ++ check = CHECK_FAIL; ++ debug("fips: checksum mismatch!\n"); ++ } ++ ++cleanup: ++ free(hash); ++cleanup_chk: ++ free(hash_chk); ++ free(chk); ++ free(exe); ++ ++ return check; ++} ++ ++static int ++fips_check_required_proc(void) ++{ ++ int fips_required = 0; ++ int fips_fd; ++ 
char fips_sys = 0; ++ ++ struct stat dummy; ++ if (-1 == stat(FIPS_PROC_PATH, &dummy)) { ++ switch (errno) { ++ case ENOENT: ++ case ENOTDIR: ++ break; ++ default: ++ fatal("Check for system-wide FIPS mode is required and %s cannot" ++ " be accessed for reason other than non-existence - aborting" ++ , FIPS_PROC_PATH); ++ break; ++ } ++ } else { ++ if (-1 == (fips_fd = open(FIPS_PROC_PATH, O_RDONLY))) ++ fatal("Check for system-wide FIPS mode is required and %s cannot" ++ " be opened for reading - aborting" ++ , FIPS_PROC_PATH); ++ if (1 > read(fips_fd, &fips_sys, 1)) ++ fatal("Check for system-wide FIPS mode is required and %s doesn't" ++ " return at least one character - aborting" ++ , FIPS_PROC_PATH); ++ close(fips_sys); ++ switch (fips_sys) { ++ case '0': ++ case '1': ++ fips_required = fips_sys - '0'; ++ break; ++ default: ++ fatal("Bogus character %c found in %s - aborting" ++ , fips_sys, FIPS_PROC_PATH); ++ } ++ } ++ return fips_required; ++} ++ ++static int ++fips_check_required_env(void) ++{ ++ int fips_required = 0; ++ char *env = getenv(SSH_FORCE_FIPS_ENV); ++ ++ if (env) { ++ errno = 0; ++ fips_required = strtol(env, NULL, 10); ++ if (errno) { ++ debug("bogus value in the %s environment variable, ignoring\n" ++ , SSH_FORCE_FIPS_ENV); ++ fips_required = 0; ++ } else ++ fips_required = 1; ++ } ++ return fips_required; ++} ++ ++static int ++fips_required(void) ++{ ++ int fips_requests = 0; ++ fips_requests += fips_check_required_proc(); ++ fips_requests += fips_check_required_env(); ++ return fips_requests; ++} ++ ++/* check whether FIPS mode is required and perform selfchecksum/selftest */ ++void ++fips_ssh_init(void) ++{ ++ int checksum; ++ ++ checksum = fips_hash_self(); ++ ++ if (fips_required()) { ++ switch (checksum) { ++ case CHECK_OK: ++ debug("fips: mandatory checksum ok"); ++ break; ++ case CHECK_FAIL: ++ fatal("fips: mandatory checksum failed - aborting"); ++ break; ++ case CHECK_MISSING: ++ fatal("fips: mandatory checksum data missing - 
aborting"); ++ break; ++ default: ++ fatal("Fatal error: internal error at %s:%u" ++ , __FILE__, __LINE__); ++ break; ++ } ++ fips_state = FIPS_mode_set(1); ++ if (1 != fips_state) { ++ ERR_load_crypto_strings(); ++ u_long err = ERR_get_error(); ++ error("fips: OpenSSL error %lx: %s", err, ERR_error_string(err, NULL)); ++ fatal("fips: unable to set OpenSSL into FIPS mode - aborting" ++ , fips_state); ++ } ++ } else { ++ switch (checksum) { ++ case CHECK_OK: ++ debug("fips: checksum ok"); ++ break; ++ case CHECK_FAIL: ++ fatal("fips: checksum failed - aborting"); ++ break; ++ case CHECK_MISSING: ++ debug("fips: mandatory checksum data missing, but not required - continuing non-FIPS"); ++ break; ++ default: ++ fatal("Fatal error: internal error at %s:%u", ++ __FILE__, __LINE__); ++ break; ++ } ++ } ++ return; ++} ++ + int + fips_mode() + { + if (-1 == fips_state) { + fips_state = FIPS_mode(); + if (fips_state) + debug("FIPS mode initialized"); + } +diff --git a/openssh-6.6p1/fips.h b/openssh-6.6p1/fips.h +--- a/openssh-6.6p1/fips.h ++++ b/openssh-6.6p1/fips.h +@@ -1,10 +1,10 @@ + /* +- * Copyright (c) 2012 Petr Cerny. All rights reserved. ++ * Copyright (c) 2012-2014 Petr Cerny. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the +@@ -19,15 +19,22 @@ + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + #ifndef FIPS_H + #define FIPS_H + ++#define SSH_FORCE_FIPS_ENV "SSH_FORCE_FIPS" ++#define FIPS_PROC_PATH "/proc/sys/crypto/fips_enabled" ++ ++#define PROC_EXE_PATH_LEN 64 ++#define CHECKSUM_SUFFIX ".chk" ++ ++void fips_ssh_init(void); + int fips_mode(void); + int fips_correct_dgst(int); + int fips_dgst_min(void); + enum fp_type fips_correct_fp_type(enum fp_type); + + #endif + +diff --git a/openssh-6.6p1/sftp-server.c b/openssh-6.6p1/sftp-server.c +--- a/openssh-6.6p1/sftp-server.c ++++ b/openssh-6.6p1/sftp-server.c +@@ -47,16 +47,18 @@ + #include "log.h" + #include "misc.h" + #include "match.h" + #include "uidswap.h" + + #include "sftp.h" + #include "sftp-common.h" + ++#include "fips.h" ++ + /* helper */ + #define get_int64() buffer_get_int64(&iqueue); + #define get_int() buffer_get_int(&iqueue); + #define get_string(lenp) buffer_get_string(&iqueue, lenp); + + /* Our verbosity */ + static LogLevel log_level = SYSLOG_LEVEL_ERROR; + +@@ -1453,16 +1455,19 @@ sftp_server_main(int argc, char **argv, + ssize_t len, olen, set_size; + SyslogFacility log_facility = SYSLOG_FACILITY_AUTH; + char *cp, *homedir = NULL, buf[4*4096]; + long mask; + + extern char *optarg; + extern char *__progname; + ++ /* initialize fips */ ++ fips_ssh_init(); ++ + __progname = ssh_get_progname(argv[0]); + log_init(__progname, log_level, log_facility, log_stderr); + + pw = pwcopy(user_pw); + + while (!skipargs && (ch = getopt(argc, argv, + "d:f:l:P:p:Q:u:m:cehR")) != -1) { + switch (ch) { +diff --git a/openssh-6.6p1/ssh.c b/openssh-6.6p1/ssh.c +--- a/openssh-6.6p1/ssh.c ++++ b/openssh-6.6p1/ssh.c +@@ -420,16 +420,19 @@ main(int ac, char **av) + struct stat st; + struct passwd *pw; + int timeout_ms; + extern int optind, optreset; + extern char *optarg; + Forward fwd; + struct addrinfo *addrs = NULL; + ++ /* initialize fips */ ++ fips_ssh_init(); ++ + /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ + sanitise_stdfd(); + + __progname = ssh_get_progname(av[0]); + + #ifndef 
HAVE_SETPROCTITLE + /* Prepare for later setproctitle emulation */ + /* Save argv so it isn't clobbered by setproctitle() emulation */ +diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c +--- a/openssh-6.6p1/sshd.c ++++ b/openssh-6.6p1/sshd.c +@@ -1466,16 +1466,19 @@ main(int ac, char **av) + u_int64_t ibytes, obytes; + mode_t new_umask; + Key *key; + Key *pubkey; + int keytype; + Authctxt *authctxt; + struct connection_info *connection_info = get_connection_info(0, 0); + ++ /* initialize fips */ ++ fips_ssh_init(); ++ + #ifdef HAVE_SECUREWARE + (void)set_auth_parameters(ac, av); + #endif + __progname = ssh_get_progname(av[0]); + + /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ + saved_argc = ac; + rexec_argc = ac; diff --git a/openssh-6.5p1-fips.patch b/openssh-6.6p1-fips.patch similarity index 64% rename from openssh-6.5p1-fips.patch rename to openssh-6.6p1-fips.patch index bd44946..1255117 100644 --- a/openssh-6.5p1-fips.patch +++ b/openssh-6.6p1-fips.patch 
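Review bot: `close(fips_sys);` in fips_check_required_proc closes the wrong descriptor — fips_sys is the character read from FIPS_PROC_PATH ('0' or '1', i.e. fd 48 or 49), so fips_fd is leaked and an unrelated descriptor may be closed; it should be `close(fips_fd);`. In get_executable_path a failing readlink() returns -1, which passes the `n < max_pathlen` test and executes `exe[-1] = 0`, a write before the buffer; test the error first, `if (n < 0 || n >= max_pathlen) fatal("error getting executable pathname");`, and the `"/proc/%u/exe"` format needs the pid cast to match the conversion. read_hash never closes fdh on any path, and hex_fingerprint calls strlcat on a freshly malloc'ed, uninitialised buffer without checking the allocation — `retval[0] = '\0';` (or xmalloc plus an initial terminator) is needed before the loop. fips_check_required_env discards the strtol() result: any parsable value, including `SSH_FORCE_FIPS=0`, ends up with fips_required set to 1, whereas the "bogus value … ignoring" message suggests `fips_required = (strtol(env, NULL, 10) != 0);` was intended. Since the `.chk` file lives beside the executable, the self-check catches accidental corruption but cannot detect an attacker who can replace the binary, and a comment saying so would prevent it being read as a tamper-proofing control; separately, `fatal("fips: unable to set OpenSSL into FIPS mode - aborting", fips_state)` passes an argument with no conversion specifier.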
@@ -2,22 +2,22 @@ # when OpenSSL is detected to be running in FIPS mode # # HG changeset patch -# Parent df8b01308484dd9227b64c8bb820e52b56b89b4d +# Parent ff04a9a96b7c41e99445c68d91911a9a1474ffa2 -diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in ---- a/openssh-6.5p1/Makefile.in -+++ b/openssh-6.5p1/Makefile.in -@@ -76,17 +76,18 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o +diff --git a/openssh-6.6p1/Makefile.in b/openssh-6.6p1/Makefile.in +--- a/openssh-6.6p1/Makefile.in ++++ b/openssh-6.6p1/Makefile.in +@@ -71,17 +71,18 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o + readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \ atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ - jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \ + ssh-pkcs11.o krl.o smult_curve25519_ref.o \ kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ - ssh-ed25519.o digest.o \ - sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \ -- auditstub.o -+ auditstub.o \ + ssh-ed25519.o digest-openssl.o hmac.o \ +- sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o ++ sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \ + fips.o SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ @@ -27,39 +27,20 @@ 
diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ audit.o audit-bsm.o audit-linux.o platform.o \ sshpty.o sshlogin.o servconf.o serverloop.o \ -diff --git a/openssh-6.5p1/auth-rsa.c b/openssh-6.5p1/auth-rsa.c ---- a/openssh-6.5p1/auth-rsa.c -+++ b/openssh-6.5p1/auth-rsa.c -@@ -15,17 +15,17 @@ - */ - - #include "includes.h" - - #include - #include - - #include --#include -+#include - - #include - #include - #include - #include - - #include "xmalloc.h" - #include "rsa.h" -@@ -42,16 +42,17 @@ - #include "hostfile.h" - #include "auth.h" - #ifdef GSSAPI +diff --git a/openssh-6.6p1/auth-rsa.c b/openssh-6.6p1/auth-rsa.c +--- a/openssh-6.6p1/auth-rsa.c ++++ b/openssh-6.6p1/auth-rsa.c +@@ -44,16 +44,18 @@ #include "ssh-gss.h" #endif #include "monitor_wrap.h" #include "ssh.h" #include "misc.h" -+#include "fips.h" + #include "digest.h" + ++#include "fips.h" ++ /* import */ extern ServerOptions options; @@ -67,7 +48,8 @@ diff --git a/openssh-6.5p1/auth-rsa.c b/openssh-6.5p1/auth-rsa.c * Session identifier that is used to bind key exchange and authentication * responses to a particular session. */ -@@ -83,45 +84,54 @@ auth_rsa_generate_challenge(Key *key) + extern u_char session_id[16]; +@@ -84,45 +86,52 @@ auth_rsa_generate_challenge(Key *key) if (BN_mod(challenge, challenge, key->rsa->n, ctx) == 0) fatal("auth_rsa_generate_challenge: BN_mod failed"); BN_CTX_free(ctx); @@ -77,64 +59,60 @@ 
diff --git a/openssh-6.5p1/auth-rsa.c b/openssh-6.5p1/auth-rsa.c int -auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16]) -+auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[MAX_HASH_LEN]) ++auth_rsa_verify_response(Key *key, BIGNUM *challenge, ++ u_char response[SSH_DIGEST_MAX_LENGTH]) { - u_char buf[32], mdbuf[16]; -- MD5_CTX md; -+ u_char buf[2 * MAX_HASH_LEN], mdbuf[MAX_HASH_LEN]; -+ const EVP_MD *evp_md; -+ EVP_MD_CTX md; - int len, rv; - #ifdef SSH_AUDIT_EVENTS - char *fp; - #endif -+ int hash_len; ++ u_char buf[2 * SSH_DIGEST_MAX_LENGTH], mdbuf[SSH_DIGEST_MAX_LENGTH]; + struct ssh_digest_ctx *md; + int len; ++ int dgst; ++ size_t dgst_len; /* don't allow short keys */ if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) { - error("auth_rsa_verify_response: RSA modulus too small: %d < minimum %d bits", + error("%s: RSA modulus too small: %d < minimum %d bits", + __func__, BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE); return (0); } - /* The response is MD5 of decrypted challenge plus session id. */ -+ hash_len = fips_hash_len(fips_hash_min()); ++ dgst = fips_correct_dgst(SSH_DIGEST_MD5); ++ dgst_len = ssh_digest_bytes(dgst); + + /* The response is a hash of decrypted challenge plus session id. + * Normally this is MD5, in FIPS mode a stronger function is used. 
*/ len = BN_num_bytes(challenge); - if (len <= 0 || len > 32) -+ if (len <= 0 || len > (2 * hash_len)) - fatal("auth_rsa_verify_response: bad challenge length %d", len); ++ if (len <= 0 || (unsigned int)len > (2 * dgst_len)) + fatal("%s: bad challenge length %d", __func__, len); - memset(buf, 0, 32); - BN_bn2bin(challenge, buf + 32 - len); -- MD5_Init(&md); -- MD5_Update(&md, buf, 32); -- MD5_Update(&md, session_id, 16); -- MD5_Final(mdbuf, &md); +- if ((md = ssh_digest_start(SSH_DIGEST_MD5)) == NULL || +- ssh_digest_update(md, buf, 32) < 0 || +- ssh_digest_update(md, session_id, 16) < 0 || + memset(buf, 0, sizeof(buf)); -+ BN_bn2bin(challenge, buf + 2 * hash_len - len); -+ -+ if ((evp_md = fips_EVP_get_digest_min()) == NULL) { -+ fatal("auth_rsa_verify_response: fips_EVP_get_digest_min failed"); -+ } -+ EVP_DigestInit(&md, evp_md); -+ EVP_DigestUpdate(&md, buf, 2 * hash_len); -+ EVP_DigestUpdate(&md, session_id, hash_len); -+ EVP_DigestFinal(&md, mdbuf, NULL); ++ BN_bn2bin(challenge, buf + 2 * dgst_len - len); ++ if ((md = ssh_digest_start(dgst)) == NULL || ++ ssh_digest_update(md, buf, 2 * dgst_len) < 0 || ++ ssh_digest_update(md, session_id, dgst_len) < 0 || + ssh_digest_final(md, mdbuf, sizeof(mdbuf)) < 0) + fatal("%s: md5 failed", __func__); + ssh_digest_free(md); /* Verify that the response is the original challenge. */ -- rv = timingsafe_bcmp(response, mdbuf, 16) == 0; -+ rv = timingsafe_bcmp(response, mdbuf, hash_len) == 0; - - #ifdef SSH_AUDIT_EVENTS - fp = key_fingerprint(key, key_fp_type_select(), SSH_FP_HEX); - if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa) * 8, fp, rv) == 0) { - debug("unsuccessful audit"); - rv = 0; +- if (timingsafe_bcmp(response, mdbuf, 16) != 0) { ++ if (timingsafe_bcmp(response, mdbuf, dgst_len) != 0) { + /* Wrong answer. */ + return (0); } - free(fp); -@@ -135,17 +145,17 @@ auth_rsa_verify_response(Key *key, BIGNU + /* Correct answer. 
*/ + return (1); + } + + /* +@@ -130,17 +139,17 @@ auth_rsa_verify_response(Key *key, BIGNU * and returns true (non-zero) if the client gave the correct answer to * our challenge; returns zero if the client gives a wrong answer. */ @@ -144,7 +122,7 @@ diff --git a/openssh-6.5p1/auth-rsa.c b/openssh-6.5p1/auth-rsa.c { BIGNUM *challenge, *encrypted_challenge; - u_char response[16]; -+ u_char response[MAX_HASH_LEN]; ++ u_char response[SSH_DIGEST_MAX_LENGTH]; int i, success; if ((encrypted_challenge = BN_new()) == NULL) @@ -153,7 +131,7 @@ diff --git a/openssh-6.5p1/auth-rsa.c b/openssh-6.5p1/auth-rsa.c challenge = PRIVSEP(auth_rsa_generate_challenge(key)); /* Encrypt the challenge with the public key. */ -@@ -155,17 +165,17 @@ auth_rsa_challenge_dialog(Key *key) +@@ -150,17 +159,17 @@ auth_rsa_challenge_dialog(Key *key) packet_start(SSH_SMSG_AUTH_RSA_CHALLENGE); packet_put_bignum(encrypted_challenge); packet_send(); @@ -163,7 +141,7 @@ diff --git a/openssh-6.5p1/auth-rsa.c b/openssh-6.5p1/auth-rsa.c /* Wait for a response. */ packet_read_expect(SSH_CMSG_AUTH_RSA_RESPONSE); - for (i = 0; i < 16; i++) -+ for (i = 0; i < fips_hash_len(fips_hash_min()); i++) ++ for (i = 0; i < ssh_digest_bytes(fips_dgst_min()); i++) response[i] = (u_char)packet_get_char(); packet_check_eom(); @@ -172,11 +150,10 @@ diff --git a/openssh-6.5p1/auth-rsa.c b/openssh-6.5p1/auth-rsa.c return (success); } -diff --git a/openssh-6.5p1/cipher-ctr.c b/openssh-6.5p1/cipher-ctr.c ---- a/openssh-6.5p1/cipher-ctr.c -+++ b/openssh-6.5p1/cipher-ctr.c -@@ -21,16 +21,17 @@ - +diff --git a/openssh-6.6p1/cipher-ctr.c b/openssh-6.6p1/cipher-ctr.c +--- a/openssh-6.6p1/cipher-ctr.c ++++ b/openssh-6.6p1/cipher-ctr.c +@@ -22,16 +22,18 @@ #include #include @@ -184,8 +161,9 @@ 
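Review bot: In the rewritten auth_rsa_verify_response, `ssh_digest_update(md, session_id, dgst_len)` hashes dgst_len bytes of session_id, yet the context line at the top of this hunk declares `extern u_char session_id[16];` — whenever fips_correct_dgst() substitutes a digest longer than 16 bytes this reads past the end of the array. Unless the patch widens session_id elsewhere (not visible here), the call should stay `ssh_digest_update(md, session_id, 16)`, which is also the length the SSH1 client uses when computing its response. The `fatal("%s: md5 failed", __func__)` message is now misleading when a FIPS digest was selected; `"%s: digest failed"` would fit. In the `@@ -144,7 +122,7 @@` hunk, auth_rsa_challenge_dialog reads `ssh_digest_bytes(fips_dgst_min())` bytes while verification compares `ssh_digest_bytes(fips_correct_dgst(SSH_DIGEST_MD5))`; these are presumably equal, but using one helper in both places would make that invariant explicit.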
diff --git a/openssh-6.5p1/cipher-ctr.c b/openssh-6.5p1/cipher-ctr.c #include "xmalloc.h" #include "log.h" -+#include "fips.h" ++#include "fips.h" ++ /* compatibility with old or broken OpenSSL versions */ #include "openbsd-compat/openssl-compat.h" @@ -193,7 +171,8 @@ diff --git a/openssh-6.5p1/cipher-ctr.c b/openssh-6.5p1/cipher-ctr.c #include #endif -@@ -134,13 +135,15 @@ evp_aes_128_ctr(void) + struct ssh_aes_ctr_ctx +@@ -134,13 +136,15 @@ evp_aes_128_ctr(void) aes_ctr.iv_len = AES_BLOCK_SIZE; aes_ctr.key_len = 16; aes_ctr.init = ssh_aes_ctr_init; @@ -209,20 +188,20 @@ diff --git a/openssh-6.5p1/cipher-ctr.c b/openssh-6.5p1/cipher-ctr.c } #endif /* OPENSSL_HAVE_EVPCTR */ -diff --git a/openssh-6.5p1/cipher.c b/openssh-6.5p1/cipher.c ---- a/openssh-6.5p1/cipher.c -+++ b/openssh-6.5p1/cipher.c -@@ -44,25 +44,26 @@ - #include - #include - #include +diff --git a/openssh-6.6p1/cipher.c b/openssh-6.6p1/cipher.c +--- a/openssh-6.6p1/cipher.c ++++ b/openssh-6.6p1/cipher.c +@@ -45,16 +45,18 @@ #include "xmalloc.h" #include "log.h" #include "misc.h" #include "cipher.h" -+#include "fips.h" + #include "buffer.h" + #include "digest.h" ++#include "fips.h" ++ /* compatibility with old or broken OpenSSL versions */ #include "openbsd-compat/openssl-compat.h" @@ -230,8 +209,18 @@ 
diff --git a/openssh-6.5p1/cipher.c b/openssh-6.5p1/cipher.c extern const EVP_CIPHER *evp_ssh1_3des(void); extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); --struct Cipher ciphers[] = { -+struct Cipher ciphers_all[] = { + struct Cipher { +@@ -66,17 +68,17 @@ struct Cipher { + u_int auth_len; + u_int discard_len; + u_int flags; + #define CFLAG_CBC (1<<0) + #define CFLAG_CHACHAPOLY (1<<1) + const EVP_CIPHER *(*evptype)(void); + }; + +-static const struct Cipher ciphers[] = { ++static const struct Cipher ciphers_all[] = { { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des }, @@ -240,7 +229,7 @@ diff --git a/openssh-6.5p1/cipher.c b/openssh-6.5p1/cipher.c { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc }, { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc }, -@@ -85,27 +86,67 @@ struct Cipher ciphers[] = { +@@ -99,27 +101,67 @@ static const struct Cipher ciphers[] = { { "aes256-gcm@openssh.com", SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm }, #endif @@ -249,7 +238,7 @@ diff --git a/openssh-6.5p1/cipher.c b/openssh-6.5p1/cipher.c { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL } }; -+struct Cipher ciphers_fips140_2[] = { ++static const struct Cipher ciphers_fips140_2[] = { + { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, + { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des }, + @@ -309,7 +298,7 @@ diff --git a/openssh-6.5p1/cipher.c b/openssh-6.5p1/cipher.c ret[rlen++] = sep; nlen = strlen(c->name); ret = xrealloc(ret, 1, rlen + nlen + 2); -@@ -175,27 +216,27 @@ cipher_mask_ssh1(int client) +@@ -189,27 +231,27 @@ cipher_mask_ssh1(int client) } return mask; } @@ -339,7 +328,7 @@ 
diff --git a/openssh-6.5p1/cipher.c b/openssh-6.5p1/cipher.c #define CIPHER_SEP "," int ciphers_valid(const char *names) -@@ -229,17 +270,17 @@ ciphers_valid(const char *names) +@@ -241,17 +283,17 @@ ciphers_valid(const char *names) */ int @@ -358,7 +347,7 @@ diff --git a/openssh-6.5p1/cipher.c b/openssh-6.5p1/cipher.c char * cipher_name(int id) { -@@ -417,24 +458,29 @@ cipher_cleanup(CipherContext *cc) +@@ -429,23 +471,24 @@ cipher_cleanup(CipherContext *cc) * Selects the cipher, and keys if by computing the MD5 checksum of the * passphrase and using the resulting 16 bytes as the key. */ @@ -367,39 +356,30 @@ 
diff --git a/openssh-6.5p1/cipher.c b/openssh-6.5p1/cipher.c cipher_set_key_string(CipherContext *cc, const Cipher *cipher, const char *passphrase, int do_encrypt) { -- MD5_CTX md; - u_char digest[16]; -+ const EVP_MD *evp_md; -+ EVP_MD_CTX md; -+ u_char digest[MAX_HASH_LEN]; -+ int dlen; ++ u_char digest[SSH_DIGEST_MAX_LENGTH]; ++ int dgst = fips_correct_dgst(SSH_DIGEST_MD5); + +- if (ssh_digest_memory(SSH_DIGEST_MD5, passphrase, strlen(passphrase), ++ if (ssh_digest_memory(dgst, passphrase, strlen(passphrase), + digest, sizeof(digest)) < 0) + fatal("%s: md5 failed", __func__); -- MD5_Init(&md); -- MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase)); -- MD5_Final(digest, &md); -- - cipher_init(cc, cipher, digest, 16, NULL, 0, do_encrypt); -+ if ((evp_md = fips_EVP_get_digest_min()) == NULL) { -+ fatal("auth_rsa_verify_response: fips_EVP_get_digest_min failed"); -+ } -+ EVP_DigestInit(&md, evp_md); -+ EVP_DigestUpdate(&md, (const u_char *)passphrase, strlen(passphrase)); -+ EVP_DigestFinal(&md, digest, &dlen); -+ -+ cipher_init(cc, cipher, digest, dlen, NULL, 0, do_encrypt); ++ cipher_init(cc, cipher, digest, ssh_digest_bytes(dgst), NULL, 0, do_encrypt); - memset(digest, 0, sizeof(digest)); - memset(&md, 0, sizeof(md)); + explicit_bzero(digest, sizeof(digest)); } /* * Exports an IV from the CipherContext required to export the key * state back from the unprivileged child to the privileged parent -diff --git a/openssh-6.5p1/fips.c b/openssh-6.5p1/fips.c + * process. +diff --git a/openssh-6.6p1/fips.c b/openssh-6.6p1/fips.c new file mode 100644 --- /dev/null -+++ b/openssh-6.5p1/fips.c -@@ -0,0 +1,176 @@ ++++ b/openssh-6.6p1/fips.c +@@ -0,0 +1,128 @@ +/* + * Copyright (c) 2012 Petr Cerny. All rights reserved. + * 
@@ -424,28 +404,18 @@ new file mode 100644 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + ++#include "includes.h" ++ +#include "fips.h" + ++#include "digest.h" ++#include "key.h" +#include "log.h" + -+enum hgp { -+ HGP_LEN, -+ HGP_NID -+}; ++#include + +static int fips_state = -1; + -+static const struct Hashes { -+ enum hash_type ht; -+ int byte_length; -+ int nid; -+} hashes[] = { -+ { HASH_MD5, HASH_LEN_MD5, NID_md5 }, -+ { HASH_SHA1, HASH_LEN_SHA1, NID_sha1 }, -+ { HASH_SHA256, HASH_LEN_SHA256, NID_sha256 }, -+ { HASH_err, -1, -1 } -+}; -+ +int +fips_mode() +{ @@ -457,54 +427,20 @@ new file mode 100644 + return fips_state; +} + -+static int -+fips_hash_get_param(enum hash_type ht, int param) -+{ -+ int i; -+ for (i = 0; i < HASH_err; i++) { -+ if (hashes[i].ht == ht) { -+ switch (param) { -+ case HGP_LEN: -+ return hashes[i].byte_length; -+ case HGP_NID: -+ return hashes[i].nid; -+ default: -+ fatal("Fatal error: internal error at %s:%u", -+ __FILE__, __LINE__); -+ } -+ } -+ } -+ /* should not be reached */ -+ fatal("Fatal error: incorrect hash type '%i' at %s:%u", -+ ht, __FILE__, __LINE__); -+// return -1; -+} -+ -+int -+fips_hash2nid(enum hash_type ht) -+{ -+ return fips_hash_get_param(ht, HGP_NID); -+} -+ -+int -+fips_hash_len(enum hash_type ht) -+{ -+ return fips_hash_get_param(ht, HGP_LEN); -+} -+ -+void -+fips_correct_fp_type(enum fp_type *fp) ++enum fp_type ++fips_correct_fp_type(enum fp_type fp) +{ + int fips; ++ enum fp_type fp_fix = fp; + + fips = fips_mode(); + switch (fips) { + case 0: + break; + case 1: -+ if (SSH_FP_MD5 == *fp) { -+ *fp = SSH_FP_SHA1; -+ logit("MD5 not allowed in FIPS 140-2 mode, " ++ if (SSH_FP_MD5 == fp) { ++ fp_fix = SSH_FP_SHA1; ++ debug("MD5 not allowed in FIPS 140-2 mode, " + "using SHA-1 for key fingerprints instead."); + } + break; 
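Review bot: The comment kept above cipher_set_key_string ("computing the MD5 checksum of the passphrase and using the resulting 16 bytes as the key") and the retained `fatal("%s: md5 failed", __func__)` are both wrong once `fips_correct_dgst(SSH_DIGEST_MD5)` returns SHA-1 and `ssh_digest_bytes(dgst)` hands cipher_init 20 bytes. The sshd.c hunk in this same diff already renames the equivalent message to `"hash failed"`; do the same here and reword the comment to `* passphrase (MD5, or SHA-1 in FIPS mode) and using the digest as the key.` A key derived with SHA-1 cannot decrypt anything keyed from the MD5 derivation, so if this function is used for persisted data (passphrase-protected key files, presumably), material written outside FIPS mode becomes unreadable inside it — that consequence deserves a sentence in the comment if it is intended.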
@@ -514,23 +450,31 @@ new file mode 100644 + fips, __FILE__, __LINE__); + } + -+ return; ++ return fp_fix; +} + -+void -+fips_correct_nid(int *nid) ++int ++fips_correct_dgst(int digest) +{ + int fips; ++ int rv = -1; + + fips = fips_mode(); + switch (fips) { + case 0: ++ rv = digest; + break; + case 1: -+ if (NID_md5 == *nid) { -+ *nid = NID_sha1; -+ logit("MD5 not allowed in FIPS 140-2 mode, " -+ "using SHA-1 for hashing instead."); ++ switch (digest) { ++ case SSH_DIGEST_MD5: ++ case SSH_DIGEST_RIPEMD160: ++ debug("MD5/RIPEMD160 digests not allowed in FIPS 140-2 mode" ++ "using SHA-1 instead."); ++ rv = SSH_DIGEST_SHA1; ++ break; ++ default: ++ rv = digest; ++ break; + } + break; + default: @@ -539,48 +483,36 @@ new file mode 100644 + fips, __FILE__, __LINE__); + } + -+ return; ++ return rv; +} + -+enum hash_type -+fips_hash_min(void) ++int ++fips_dgst_min(void) +{ + int fips; -+ enum hash_type ht; ++ int dgst; + + fips = fips_mode(); + switch (fips) { + case 0: -+ ht = HASH_MD5; ++ dgst = SSH_DIGEST_MD5; + break; + case 1: -+ ht = HASH_SHA1; ++ dgst = SSH_DIGEST_SHA1; + break; + default: + /* should not be reached */ + fatal("Fatal error: incorrect FIPS mode '%i' at %s:%u", + fips, __FILE__, __LINE__); + } -+ return ht; ++ return dgst; +} + -+enum hash_type -+fips_hash_nid_min() -+{ -+ return fips_hash2nid(fips_hash_min()); -+} -+ -+const EVP_MD * -+fips_EVP_get_digest_min(void) -+{ -+ return EVP_get_digestbynid(fips_hash_nid_min()); -+} -+ -diff --git a/openssh-6.5p1/fips.h b/openssh-6.5p1/fips.h +diff --git a/openssh-6.6p1/fips.h b/openssh-6.6p1/fips.h new file mode 100644 --- /dev/null -+++ b/openssh-6.5p1/fips.h -@@ -0,0 +1,54 @@ ++++ b/openssh-6.6p1/fips.h +@@ -0,0 +1,33 @@ +/* + * Copyright (c) 2012 Petr Cerny. All rights reserved. + * 
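Review bot: The two adjacent string literals in the debug() call inside fips_correct_dgst concatenate without a separator, so the logged message reads `...FIPS 140-2 modeusing SHA-1 instead.`; change the first literal to `"MD5/RIPEMD160 digests not allowed in FIPS 140-2 mode, "`. Since this function silently changes the algorithm callers asked for, a short header comment stating that substitution semantics (MD5 and RIPEMD160 map to SHA-1, everything else passes through) would help callers that depend on a fixed digest length. The function continues into the next hunk.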
@@ -607,39 +539,84 @@ new file mode 100644 +#ifndef FIPS_H +#define FIPS_H + -+#include -+#include -+ -+#include "key.h" -+ -+#define HASH_LEN_MD5 16 -+#define HASH_LEN_SHA1 20 -+#define HASH_LEN_SHA256 32 -+#define MAX_HASH_LEN HASH_LEN_SHA256 -+ -+enum hash_type { -+ HASH_MD5 = 1, -+ HASH_SHA1, -+ HASH_SHA256, -+ HASH_err -+}; -+ +int fips_mode(void); -+void fips_correct_fp_type(enum fp_type *); -+void fips_correct_nid(int *); -+ -+enum hash_type fips_hash_min(void); -+const EVP_MD *fips_EVP_get_digest_min(void); -+int fips_hash2nid(enum hash_type); -+int fips_hash_len(enum hash_type); ++int fips_correct_dgst(int); ++int fips_dgst_min(void); ++enum fp_type fips_correct_fp_type(enum fp_type); + +#endif + -diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c ---- a/openssh-6.5p1/key.c -+++ b/openssh-6.5p1/key.c -@@ -52,16 +52,17 @@ - #include "key.h" +diff --git a/openssh-6.6p1/hmac.c b/openssh-6.6p1/hmac.c +--- a/openssh-6.6p1/hmac.c ++++ b/openssh-6.6p1/hmac.c +@@ -139,17 +139,17 @@ ssh_hmac_free(struct ssh_hmac_ctx *ctx) + /* cc -DTEST hmac.c digest.c buffer.c cleanup.c fatal.c log.c xmalloc.c -lcrypto */ + static void + hmac_test(void *key, size_t klen, void *m, size_t mlen, u_char *e, size_t elen) + { + struct ssh_hmac_ctx *ctx; + size_t i; + u_char digest[16]; + +- if ((ctx = ssh_hmac_start(SSH_DIGEST_MD5)) == NULL) ++ if ((ctx = ssh_hmac_start(fips_correct_dgst(SSH_DIGEST_MD5))) == NULL) + printf("ssh_hmac_start failed"); + if (ssh_hmac_init(ctx, key, klen) < 0 || + ssh_hmac_update(ctx, m, mlen) < 0 || + ssh_hmac_final(ctx, digest, sizeof(digest)) < 0) + printf("ssh_hmac_xxx failed"); + ssh_hmac_free(ctx); + + if (memcmp(e, digest, elen)) { +diff --git a/openssh-6.6p1/kex.c b/openssh-6.6p1/kex.c +--- a/openssh-6.6p1/kex.c ++++ b/openssh-6.6p1/kex.c +@@ -638,19 +638,21 @@ kex_get_newkeys(int mode) + } + + void + derive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus, + u_int8_t cookie[8], u_int8_t id[16]) + { + u_int8_t nbuf[2048], 
obuf[SSH_DIGEST_MAX_LENGTH]; + int len; ++ int digest; + struct ssh_digest_ctx *hashctx; + +- if ((hashctx = ssh_digest_start(SSH_DIGEST_MD5)) == NULL) ++ digest = fips_correct_dgst(SSH_DIGEST_MD5); ++ if ((hashctx = ssh_digest_start(digest)) == NULL) + fatal("%s: ssh_digest_start", __func__); + + len = BN_num_bytes(host_modulus); + if (len < (512 / 8) || (u_int)len > sizeof(nbuf)) + fatal("%s: bad host modulus (len %d)", __func__, len); + BN_bn2bin(host_modulus, nbuf); + if (ssh_digest_update(hashctx, nbuf, len) != 0) + fatal("%s: ssh_digest_update failed", __func__); +@@ -659,17 +661,17 @@ derive_ssh1_session_id(BIGNUM *host_modu + if (len < (512 / 8) || (u_int)len > sizeof(nbuf)) + fatal("%s: bad server modulus (len %d)", __func__, len); + BN_bn2bin(server_modulus, nbuf); + if (ssh_digest_update(hashctx, nbuf, len) != 0 || + ssh_digest_update(hashctx, cookie, 8) != 0) + fatal("%s: ssh_digest_update failed", __func__); + if (ssh_digest_final(hashctx, obuf, sizeof(obuf)) != 0) + fatal("%s: ssh_digest_final failed", __func__); +- memcpy(id, obuf, ssh_digest_bytes(SSH_DIGEST_MD5)); ++ memcpy(id, obuf, ssh_digest_bytes(digest)); + + explicit_bzero(nbuf, sizeof(nbuf)); + explicit_bzero(obuf, sizeof(obuf)); + } + + #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH) + void + dump_digest(char *msg, u_char *digest, int len) +diff --git a/openssh-6.6p1/key.c b/openssh-6.6p1/key.c +--- a/openssh-6.6p1/key.c ++++ b/openssh-6.6p1/key.c +@@ -53,16 +53,18 @@ #include "rsa.h" #include "uuencode.h" #include "buffer.h" @@ -647,8 +624,9 @@ diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c #include "misc.h" #include "ssh2.h" #include "digest.h" -+#include "fips.h" ++#include "fips.h" ++ static int to_blob(const Key *, u_char **, u_int *, int); static Key *key_from_blob2(const u_char *, u_int, int); @@ -656,7 +634,8 @@ 
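Review bot: The new `memcpy(id, obuf, ssh_digest_bytes(digest))` in derive_ssh1_session_id writes past its `u_int8_t id[16]` parameter whenever fips_correct_dgst() substitutes SHA-1 for MD5, because the SHA-1 output is 20 bytes; the earlier `memcpy(id, obuf, ssh_digest_bytes(SSH_DIGEST_MD5))` was bounded by construction. The SSH1 session id is defined by the protocol as an MD5 value, so swapping the digest changes what is computed rather than making it compliant; if protocol 1 is meant to be unreachable in FIPS mode, failing explicitly is safer than silently changing the algorithm, e.g. `if (ssh_digest_bytes(digest) != 16) fatal("%s: unexpected digest length", __func__);` before the copy. The hmac.c change in the same hunk has the same shape: hmac_test keeps `u_char digest[16]` and MD5 expected vectors, so the substituted digest cannot pass that self-test. I could not find an sshd-side equivalent of the ssh.c protocol-1 disable in this diff, so whether this path is reachable under FIPS is unverified.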
diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c cert_new(void) { struct KeyCert *cert; -@@ -664,16 +665,19 @@ key_fp_type_select(void) + +@@ -664,16 +666,19 @@ key_fp_type_select(void) error("invalid key type in environment variable " SSH_FP_TYPE_ENVVAR ": '%s' - falling back to MD5.", env); @@ -666,7 +645,7 @@ diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c fp = SSH_FP_MD5; + if (fips_mode()) -+ fips_correct_fp_type(&fp); ++ fp = fips_correct_fp_type(fp); + fp_defined = 1; } @@ -676,30 +655,30 @@ diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c /* * string lengths must be less or equal to SSH_FP_TYPE_STRLEN (defined in * key.h) as to fit into the fingerprint string buffer -diff --git a/openssh-6.5p1/mac.c b/openssh-6.5p1/mac.c ---- a/openssh-6.5p1/mac.c -+++ b/openssh-6.5p1/mac.c -@@ -36,16 +36,17 @@ - #include "xmalloc.h" - #include "log.h" - #include "cipher.h" - #include "buffer.h" - #include "key.h" +diff --git a/openssh-6.6p1/mac.c b/openssh-6.6p1/mac.c +--- a/openssh-6.6p1/mac.c ++++ b/openssh-6.6p1/mac.c +@@ -39,33 +39,35 @@ #include "kex.h" #include "mac.h" #include "misc.h" -+#include "fips.h" + #include "digest.h" + #include "hmac.h" #include "umac.h" ++#include "fips.h" ++ #include "openbsd-compat/openssl-compat.h" - #define SSH_EVP 1 /* OpenSSL EVP-based MAC */ + #define SSH_DIGEST 1 /* SSH_DIGEST_XXX */ #define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */ #define SSH_UMAC128 3 -@@ -55,17 +56,17 @@ struct macalg { + + struct macalg { + char *name; int type; - const EVP_MD * (*mdfunc)(void); + int alg; int truncatebits; /* truncate digest if != 0 */ int key_len; /* just for UMAC */ int len; /* just for UMAC */ @@ -709,38 +688,40 @@ 
diff --git a/openssh-6.5p1/mac.c b/openssh-6.5p1/mac.c -static const struct macalg macs[] = { +static const struct macalg macs_all[] = { /* Encrypt-and-MAC (encrypt-and-authenticate) variants */ - { "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 }, - { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, 0, 0, 0 }, + { "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 }, + { "hmac-sha1-96", SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 }, #ifdef HAVE_EVP_SHA256 - { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, 0, 0, 0 }, - { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, 0, 0, 0 }, + { "hmac-sha2-256", SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 0 }, + { "hmac-sha2-512", SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 0 }, #endif - { "hmac-md5", SSH_EVP, EVP_md5, 0, 0, 0, 0 }, -@@ -86,25 +87,57 @@ static const struct macalg macs[] = { - { "hmac-md5-96-etm@openssh.com", SSH_EVP, EVP_md5, 96, 0, 0, 1 }, - { "hmac-ripemd160-etm@openssh.com", SSH_EVP, EVP_ripemd160, 0, 0, 0, 1 }, - { "umac-64-etm@openssh.com", SSH_UMAC, NULL, 0, 128, 64, 1 }, - { "umac-128-etm@openssh.com", SSH_UMAC128, NULL, 0, 128, 128, 1 }, + { "hmac-md5", SSH_DIGEST, SSH_DIGEST_MD5, 0, 0, 0, 0 }, +@@ -86,25 +88,59 @@ static const struct macalg macs[] = { + { "hmac-md5-96-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_MD5, 96, 0, 0, 1 }, + { "hmac-ripemd160-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_RIPEMD160, 0, 0, 0, 1 }, + { "umac-64-etm@openssh.com", SSH_UMAC, 0, 0, 128, 64, 1 }, + { "umac-128-etm@openssh.com", SSH_UMAC128, 0, 0, 128, 128, 1 }, - { NULL, 0, NULL, 0, 0, 0, 0 } + { NULL, 0, 0, 0, 0, 0, 0 } }; +static const struct macalg macs_fips140_2[] = { + /* Encrypt-and-MAC (encrypt-and-authenticate) variants */ -+ { "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 }, ++ { "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 }, +#ifdef HAVE_EVP_SHA256 -+ { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, 0, 0, 0 }, -+ { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, 0, 0, 0 }, ++ { "hmac-sha2-256", SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 0 }, ++ { 
"hmac-sha2-512", SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 0 }, +#endif ++ ++ /* Encrypt-then-MAC variants */ +#ifdef HAVE_EVP_SHA256 -+ { "hmac-sha2-256-etm@openssh.com", SSH_EVP, EVP_sha256, 0, 0, 0, 1 }, -+ { "hmac-sha2-512-etm@openssh.com", SSH_EVP, EVP_sha512, 0, 0, 0, 1 }, ++ { "hmac-sha2-256-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 1 }, ++ { "hmac-sha2-512-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 1 }, +#endif -+ { NULL, 0, NULL, 0, 0, 0, 0 } ++ { NULL, 0, 0, 0, 0, 0, 0 } +}; + +/* Returns array of macs available depending on selected FIPS mode */ -+static struct Macs * ++static struct macalg * +fips_select_macs(void) +{ + int fips = fips_mode(); @@ -775,7 +756,7 @@ diff --git a/openssh-6.5p1/mac.c b/openssh-6.5p1/mac.c rlen += nlen; } return ret; -@@ -131,17 +164,17 @@ mac_setup_by_alg(Mac *mac, const struct +@@ -128,17 +164,17 @@ mac_setup_by_alg(Mac *mac, const struct mac->etm = macalg->etm; } @@ -788,15 +769,15 @@ diff --git a/openssh-6.5p1/mac.c b/openssh-6.5p1/mac.c + for (m = fips_select_macs(); m->name != NULL; m++) { if (strcmp(name, m->name) != 0) continue; - if (mac != NULL) + if (mac != NULL) { mac_setup_by_alg(mac, m); - debug2("mac_setup: found %s", name); + debug2("mac_setup: setup %s", name); + } return (0); } - debug2("mac_setup: unknown %s", name); -diff --git a/openssh-6.5p1/myproposal.h b/openssh-6.5p1/myproposal.h ---- a/openssh-6.5p1/myproposal.h -+++ b/openssh-6.5p1/myproposal.h +diff --git a/openssh-6.6p1/myproposal.h b/openssh-6.6p1/myproposal.h +--- a/openssh-6.6p1/myproposal.h ++++ b/openssh-6.6p1/myproposal.h @@ -104,16 +104,20 @@ #define KEX_DEFAULT_ENCRYPT \ @@ -838,11 +819,10 @@ 
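Review bot: `fips_select_macs()` is declared `static struct macalg *` but both tables it can return, `macs_all` and `macs_fips140_2`, are `static const struct macalg[]`, so the return must discard the const qualifier somewhere in the body (which lies outside this hunk) and will draw a discarded-qualifiers warning; declare it `static const struct macalg *` and keep the iterator in mac_setup const as well. A one-line comment noting that the FIPS table deliberately omits the sha1-96 and etm-sha1 variants would also stop a later refresh from "fixing" the omission.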
diff --git a/openssh-6.5p1/myproposal.h b/openssh-6.5p1/myproposal.h static char *myproposal[PROPOSAL_MAX] = { KEX_DEFAULT_KEX, KEX_DEFAULT_PK_ALG, -diff --git a/openssh-6.5p1/ssh.c b/openssh-6.5p1/ssh.c ---- a/openssh-6.5p1/ssh.c -+++ b/openssh-6.5p1/ssh.c -@@ -99,16 +99,17 @@ - #include "kex.h" +diff --git a/openssh-6.6p1/ssh.c b/openssh-6.6p1/ssh.c +--- a/openssh-6.6p1/ssh.c ++++ b/openssh-6.6p1/ssh.c +@@ -100,16 +100,18 @@ #include "mac.h" #include "sshpty.h" #include "match.h" @@ -850,8 +830,9 @@ diff --git a/openssh-6.5p1/ssh.c b/openssh-6.5p1/ssh.c #include "uidswap.h" #include "roaming.h" #include "version.h" -+#include "fips.h" ++#include "fips.h" ++ #ifdef ENABLE_PKCS11 #include "ssh-pkcs11.h" #endif @@ -859,7 +840,8 @@ diff --git a/openssh-6.5p1/ssh.c b/openssh-6.5p1/ssh.c extern char *__progname; /* Saves a copy of argv for setproctitle emulation */ -@@ -453,16 +454,18 @@ main(int ac, char **av) + #ifndef HAVE_SETPROCTITLE +@@ -499,16 +501,18 @@ main(int ac, char **av) logfile = NULL; argv0 = av[0]; @@ -878,14 +860,14 @@ diff --git a/openssh-6.5p1/ssh.c b/openssh-6.5p1/ssh.c case '4': options.address_family = AF_INET; break; -@@ -959,16 +962,22 @@ main(int ac, char **av) - } - if (muxclient_command != 0 && options.control_path == NULL) - fatal("No ControlPath specified for \"-O\" command"); - if (options.control_path != NULL) - muxclient(options.control_path); +@@ -826,16 +830,22 @@ main(int ac, char **av) + if (!host) + usage(); - timeout_ms = options.connection_timeout * 1000; + host_arg = xstrdup(host); + + OpenSSL_add_all_algorithms(); + ERR_load_crypto_strings(); + if (FIPS_mode()) { + options.protocol &= SSH_PROTO_2; @@ -893,28 +875,28 @@ 
diff --git a/openssh-6.5p1/ssh.c b/openssh-6.5p1/ssh.c + fatal("Protocol 2 disabled by configuration but required in the FIPS mode"); + } + - /* Open a connection to the remote host. */ - if (ssh_connect(host, addrs, &hostaddr, options.port, - options.address_family, options.connection_attempts, - &timeout_ms, options.tcp_keep_alive, - options.use_privileged_port) != 0) - exit(255); + /* Initialize the command to execute on remote host. */ + buffer_init(&command); - if (addrs != NULL) -diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c ---- a/openssh-6.5p1/sshconnect2.c -+++ b/openssh-6.5p1/sshconnect2.c -@@ -67,16 +67,17 @@ + /* + * Save the command to execute on the remote host in a buffer. There + * is no limit on the length of the command, except by the maximum + * packet size. Also sets the tty flag if there is no command. + */ +diff --git a/openssh-6.6p1/sshconnect2.c b/openssh-6.6p1/sshconnect2.c +--- a/openssh-6.6p1/sshconnect2.c ++++ b/openssh-6.6p1/sshconnect2.c +@@ -66,16 +66,18 @@ + #include "match.h" #include "dispatch.h" #include "canohost.h" #include "msg.h" #include "pathnames.h" #include "uidswap.h" #include "hostfile.h" - #include "schnorr.h" - #include "jpake.h" -+#include "fips.h" ++#include "fips.h" ++ #ifdef GSSAPI #include "ssh-gss.h" #endif @@ -922,7 +904,8 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c /* import */ extern char *client_version_string; extern char *server_version_string; -@@ -165,31 +166,41 @@ ssh_kex2(char *host, struct sockaddr *ho + extern Options options; +@@ -163,31 +165,41 @@ ssh_kex2(char *host, struct sockaddr *ho if (options.ciphers == (char *)-1) { logit("No valid ciphers for protocol version 2 given, using defaults."); @@ -964,20 +947,20 @@ 
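Review bot: The client-side check uses OpenSSL's `FIPS_mode()` directly while every other new call site in this diff goes through `fips_mode()` from fips.h, which ssh.c now includes (earlier hunk) and which appears to be the one place that handles fips.c's `-1` unknown-state sentinel; use `if (fips_mode()) {` here for consistency. The mask `options.protocol &= SSH_PROTO_2;` drops protocol 1 silently and only fatals when nothing is left; a `debug("Protocol 1 disabled in FIPS mode")` (or logit, matching the fatal's wording) would make that visible to a user whose configuration asked for it. The enclosing main() starts and ends outside the hunk.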
diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c /* Prefer algorithms that we already have keys for */ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( -diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c ---- a/openssh-6.5p1/sshd.c -+++ b/openssh-6.5p1/sshd.c -@@ -119,16 +119,17 @@ +diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c +--- a/openssh-6.6p1/sshd.c ++++ b/openssh-6.6p1/sshd.c +@@ -117,16 +117,18 @@ #ifdef GSSAPI #include "ssh-gss.h" #endif #include "monitor_wrap.h" #include "roaming.h" - #include "audit.h" #include "ssh-sandbox.h" #include "version.h" -+#include "fips.h" ++#include "fips.h" ++ #ifdef LIBWRAP #include #include @@ -985,7 +968,8 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c int deny_severity; #endif /* LIBWRAP */ -@@ -1786,16 +1787,20 @@ main(int ac, char **av) + #ifndef O_NOCTTY +@@ -1723,16 +1725,20 @@ main(int ac, char **av) case KEY_ECDSA: case KEY_ED25519: sensitive_data.have_ssh2_key = 1; @@ -1006,7 +990,42 @@ 
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c logit("Disabling protocol version 2. Could not load host key"); options.protocol &= ~SSH_PROTO_2; } -@@ -2506,25 +2511,31 @@ sshd_hostkey_sign(Key *privkey, Key *pub +@@ -2370,30 +2376,30 @@ do_ssh1_kex(void) + } + if (rsafail) { + int bytes = BN_num_bytes(session_key_int); + u_char *buf = xmalloc(bytes); + struct ssh_digest_ctx *md; + + logit("do_connection: generating a fake encryption key"); + BN_bn2bin(session_key_int, buf); +- if ((md = ssh_digest_start(SSH_DIGEST_MD5)) == NULL || ++ if ((md = ssh_digest_start(fips_correct_dgst(SSH_DIGEST_MD5))) == NULL || + ssh_digest_update(md, buf, bytes) < 0 || + ssh_digest_update(md, sensitive_data.ssh1_cookie, + SSH_SESSION_KEY_LENGTH) < 0 || + ssh_digest_final(md, session_key, sizeof(session_key)) < 0) +- fatal("%s: md5 failed", __func__); ++ fatal("%s: hash failed", __func__); + ssh_digest_free(md); +- if ((md = ssh_digest_start(SSH_DIGEST_MD5)) == NULL || ++ if ((md = ssh_digest_start(fips_correct_dgst(SSH_DIGEST_MD5))) == NULL || + ssh_digest_update(md, session_key, 16) < 0 || + ssh_digest_update(md, sensitive_data.ssh1_cookie, + SSH_SESSION_KEY_LENGTH) < 0 || + ssh_digest_final(md, session_key + 16, + sizeof(session_key) - 16) < 0) +- fatal("%s: md5 failed", __func__); ++ fatal("%s: hash failed", __func__); + ssh_digest_free(md); + explicit_bzero(buf, bytes); + free(buf); + for (i = 0; i < 16; i++) + session_id[i] = session_key[i] ^ session_key[i + 16]; + } + /* Destroy the private and public keys. No longer. */ + destroy_sensitive_data(); +@@ -2441,25 +2447,31 @@ sshd_hostkey_sign(Key *privkey, Key *pub static void do_ssh2_kex(void) { diff --git a/openssh-6.5p1-gssapi_key_exchange.patch b/openssh-6.6p1-gssapi_key_exchange.patch similarity index 92% rename from openssh-6.5p1-gssapi_key_exchange.patch rename to openssh-6.6p1-gssapi_key_exchange.patch index 4b8746f..e64553e 100644 --- a/openssh-6.5p1-gssapi_key_exchange.patch 
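Review bot: The rsafail branch in do_ssh1_kex still assumes a 16-byte digest: after `fips_correct_dgst(SSH_DIGEST_MD5)` yields SHA-1, the second `ssh_digest_final(md, session_key + 16, sizeof(session_key) - 16)` is given only the remaining room after 16 bytes, which, assuming session_key is the 32-byte SSH1 session key, cannot hold a 20-byte output, so the call fails and the new `"hash failed"` fatal turns a fallback that appears meant to hide decryption failures into a crash; the `session_key[i] ^ session_key[i + 16]` loop likewise hard-codes the MD5 layout. This value is protocol-bound, so either keep `SSH_DIGEST_MD5` here or guarantee protocol 1 cannot reach do_ssh1_kex in FIPS mode and say so in a comment. The same 16-byte assumption is flagged at the kex.c derive_ssh1_session_id hunk. The function starts and ends outside this hunk.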
+++ b/openssh-6.6p1-gssapi_key_exchange.patch @@ -1,10 +1,10 @@ # HG changeset patch -# Parent fd62140898f5f8bfaa6d0b527c5893001322a662 +# Parent b50b01e06558d268ae59e8be8c1a41fde44fc70d -diff --git a/openssh-6.5p1/ChangeLog.gssapi b/openssh-6.5p1/ChangeLog.gssapi +diff --git a/openssh-6.6p1/ChangeLog.gssapi b/openssh-6.6p1/ChangeLog.gssapi new file mode 100644 --- /dev/null -+++ b/openssh-6.5p1/ChangeLog.gssapi ++++ b/openssh-6.6p1/ChangeLog.gssapi @@ -0,0 +1,113 @@ +20110101 + - Finally update for OpenSSH 5.6p1 @@ -119,10 +119,10 @@ new file mode 100644 + add support for GssapiTrustDns option for gssapi-with-mic + (from jbasney AT ncsa.uiuc.edu) + -diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in ---- a/openssh-6.5p1/Makefile.in -+++ b/openssh-6.5p1/Makefile.in -@@ -71,16 +71,17 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o +diff --git a/openssh-6.6p1/Makefile.in b/openssh-6.6p1/Makefile.in +--- a/openssh-6.6p1/Makefile.in ++++ b/openssh-6.6p1/Makefile.in +@@ -67,16 +67,17 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o canohost.o channels.o cipher.o cipher-aes.o \ cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \ compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \ @@ -133,35 +133,35 @@ 
diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ + kexgssc.o \ msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ - jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \ + ssh-pkcs11.o krl.o smult_curve25519_ref.o \ kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ - ssh-ed25519.o digest.o \ + ssh-ed25519.o digest-openssl.o hmac.o \ sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \ - auditstub.o \ - fips.o + fips.o \ + auditstub.o -@@ -92,17 +93,17 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw +@@ -86,17 +87,17 @@ SSHOBJS= ssh.o readconf.o clientloop.o s + + SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ audit.o audit-bsm.o audit-linux.o platform.o \ sshpty.o sshlogin.o servconf.o serverloop.o \ auth.o auth1.o auth2.o auth-options.o session.o \ auth-chall.o auth2-chall.o groupaccess.o \ auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ - auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ - monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ + auth2-none.o auth2-passwd.o auth2-pubkey.o \ +- monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ ++ monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o kexgsss.o \ kexc25519s.o auth-krb5.o \ -- auth2-gss.o gss-serv.o gss-serv-krb5.o \ -+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\ + auth2-gss.o gss-serv.o gss-serv-krb5.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ sftp-server.o sftp-common.o \ roaming_common.o roaming_serv.o \ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ sandbox-seccomp-filter.o sandbox-capsicum.o - MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out 
ssh-ldap-helper.8.out ssh-ldap.conf.5.out - MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5 -diff --git a/openssh-6.5p1/auth-krb5.c b/openssh-6.5p1/auth-krb5.c ---- a/openssh-6.5p1/auth-krb5.c -+++ b/openssh-6.5p1/auth-krb5.c +diff --git a/openssh-6.6p1/auth-krb5.c b/openssh-6.6p1/auth-krb5.c +--- a/openssh-6.6p1/auth-krb5.c ++++ b/openssh-6.6p1/auth-krb5.c @@ -177,18 +177,23 @@ auth_krb5_password(Authctxt *authctxt, c if (problem) goto out; @@ -230,11 +230,11 @@ diff --git a/openssh-6.5p1/auth-krb5.c b/openssh-6.5p1/auth-krb5.c } #endif /* !HEIMDAL */ #endif /* KRB5 */ -diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c ---- a/openssh-6.5p1/auth2-gss.c -+++ b/openssh-6.5p1/auth2-gss.c +diff --git a/openssh-6.6p1/auth2-gss.c b/openssh-6.6p1/auth2-gss.c +--- a/openssh-6.6p1/auth2-gss.c ++++ b/openssh-6.6p1/auth2-gss.c @@ -1,12 +1,12 @@ - /* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */ + /* $OpenBSD: auth2-gss.c,v 1.21 2014/02/26 20:28:44 djm Exp $ */ /* - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -298,7 +298,7 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c userauth_gssapi(Authctxt *authctxt) { gss_OID_desc goid = {0, NULL}; -@@ -244,17 +278,18 @@ input_gssapi_exchange_complete(int type, +@@ -239,17 +273,18 @@ input_gssapi_exchange_complete(int type, /* * We don't need to check the status, because we're only enabled in @@ -318,7 +318,7 @@ 
diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); } -@@ -279,31 +314,38 @@ input_gssapi_mic(int type, u_int32_t ple +@@ -274,31 +309,38 @@ input_gssapi_mic(int type, u_int32_t ple ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service, "gssapi-with-mic"); @@ -358,10 +358,10 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c Authmethod method_gssapi_old = { "gssapi", -diff --git a/openssh-6.5p1/auth2.c b/openssh-6.5p1/auth2.c ---- a/openssh-6.5p1/auth2.c -+++ b/openssh-6.5p1/auth2.c -@@ -64,27 +64,29 @@ extern Buffer loginmsg; +diff --git a/openssh-6.6p1/auth2.c b/openssh-6.6p1/auth2.c +--- a/openssh-6.6p1/auth2.c ++++ b/openssh-6.6p1/auth2.c +@@ -64,24 +64,26 @@ extern Buffer loginmsg; /* methods */ extern Authmethod method_none; @@ -374,9 +374,6 @@ diff --git a/openssh-6.5p1/auth2.c b/openssh-6.5p1/auth2.c extern Authmethod method_gssapi; extern Authmethod method_gssapi_old; #endif - #ifdef JPAKE - extern Authmethod method_jpake; - #endif Authmethod *authmethods[] = { &method_none, @@ -385,15 +382,15 @@ diff --git a/openssh-6.5p1/auth2.c b/openssh-6.5p1/auth2.c + &method_gsskeyex, &method_gssapi, &method_gssapi_old, - #endif - #ifdef JPAKE - &method_jpake, #endif &method_passwd, &method_kbdint, -diff --git a/openssh-6.5p1/clientloop.c b/openssh-6.5p1/clientloop.c ---- a/openssh-6.5p1/clientloop.c -+++ b/openssh-6.5p1/clientloop.c + &method_hostbased, + NULL + }; +diff --git a/openssh-6.6p1/clientloop.c b/openssh-6.6p1/clientloop.c +--- a/openssh-6.6p1/clientloop.c ++++ b/openssh-6.6p1/clientloop.c @@ -106,16 +106,20 @@ #include "authfd.h" #include "atomicio.h" @@ -441,9 +438,9 @@ 
diff --git a/openssh-6.5p1/clientloop.c b/openssh-6.5p1/clientloop.c } } -diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac ---- a/openssh-6.5p1/configure.ac -+++ b/openssh-6.5p1/configure.ac +diff --git a/openssh-6.6p1/configure.ac b/openssh-6.6p1/configure.ac +--- a/openssh-6.6p1/configure.ac ++++ b/openssh-6.6p1/configure.ac @@ -579,16 +579,40 @@ main() { if (NSVersionOfRunTimeLibrary(" AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect]) AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1], @@ -485,9 +482,9 @@ diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac [Define if pututxline updates lastlog too]) ) AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV], -diff --git a/openssh-6.5p1/gss-genr.c b/openssh-6.5p1/gss-genr.c ---- a/openssh-6.5p1/gss-genr.c -+++ b/openssh-6.5p1/gss-genr.c +diff --git a/openssh-6.6p1/gss-genr.c b/openssh-6.6p1/gss-genr.c +--- a/openssh-6.6p1/gss-genr.c ++++ b/openssh-6.6p1/gss-genr.c @@ -1,12 +1,12 @@ /* $OpenBSD: gss-genr.c,v 1.22 2013/11/08 00:39:15 djm Exp $ */ @@ -875,9 +872,9 @@ diff --git a/openssh-6.5p1/gss-genr.c b/openssh-6.5p1/gss-genr.c +} + #endif /* GSSAPI */ -diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c ---- a/openssh-6.5p1/gss-serv-krb5.c -+++ b/openssh-6.5p1/gss-serv-krb5.c +diff --git a/openssh-6.6p1/gss-serv-krb5.c b/openssh-6.6p1/gss-serv-krb5.c +--- a/openssh-6.6p1/gss-serv-krb5.c ++++ b/openssh-6.6p1/gss-serv-krb5.c @@ -1,12 +1,12 @@ /* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */ @@ -1024,11 +1021,11 @@ diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c #endif /* KRB5 */ #endif /* GSSAPI */ -diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c ---- a/openssh-6.5p1/gss-serv.c -+++ b/openssh-6.5p1/gss-serv.c +diff --git a/openssh-6.6p1/gss-serv.c b/openssh-6.6p1/gss-serv.c +--- a/openssh-6.6p1/gss-serv.c ++++ b/openssh-6.6p1/gss-serv.c 
@@ -1,12 +1,12 @@ - /* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */ + /* $OpenBSD: gss-serv.c,v 1.26 2014/02/26 20:28:44 djm Exp $ */ /* - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -1074,7 +1071,7 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c ssh_gssapi_mech* supported_mechs[]= { #ifdef KRB5 &gssapi_kerberos_mech, -@@ -76,59 +81,91 @@ ssh_gssapi_mech* supported_mechs[]= { +@@ -95,59 +100,91 @@ ssh_gssapi_test_oid_supported(OM_uint32 /* Privileged (called from ssh_gssapi_server_ctx) */ static OM_uint32 ssh_gssapi_acquire_cred(Gssctxt *ctx) @@ -1181,7 +1178,7 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c if (present) gss_add_oid_set_member(&min_status, &supported_mechs[i]->oid, oidset); -@@ -244,32 +281,79 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss +@@ -263,32 +300,79 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss /* Extract the client details from a given context. This can only reliably * be called once for a context */ @@ -1262,7 +1259,7 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c if ((ctx->major = gss_export_name(&ctx->minor, ctx->client, &ename))) { -@@ -277,16 +361,18 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g +@@ -296,16 +380,18 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g return (ctx->major); } @@ -1281,7 +1278,7 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c /* As user - called on fatal/exit */ void -@@ -324,44 +410,122 @@ ssh_gssapi_do_child(char ***envp, u_int +@@ -343,45 +429,124 @@ ssh_gssapi_do_child(char ***envp, u_int gssapi_client.store.envval); child_set_env(envp, envsizep, gssapi_client.store.envvar, gssapi_client.store.envval); @@ -1307,12 +1304,13 @@ 
diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c + gssapi_client.store.owner = pw; return 1; - else { -+ } else { ++ } else { /* Destroy delegated credentials if userok fails */ gss_release_buffer(&lmin, &gssapi_client.displayname); gss_release_buffer(&lmin, &gssapi_client.exportedname); gss_release_cred(&lmin, &gssapi_client.creds); - memset(&gssapi_client, 0, sizeof(ssh_gssapi_client)); + explicit_bzero(&gssapi_client, + sizeof(ssh_gssapi_client)); return 0; } else @@ -1320,7 +1318,7 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c return (0); } --/* Privileged */ + /* Privileged */ -OM_uint32 -ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) +/* These bits are only used for rekeying. The unpriviledged child is running @@ -1413,9 +1411,9 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c } #endif -diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c ---- a/openssh-6.5p1/kex.c -+++ b/openssh-6.5p1/kex.c +diff --git a/openssh-6.6p1/kex.c b/openssh-6.6p1/kex.c +--- a/openssh-6.6p1/kex.c ++++ b/openssh-6.6p1/kex.c @@ -47,16 +47,20 @@ #include "mac.h" #include "match.h" @@ -1459,9 +1457,9 @@ diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c { char *ret = NULL; size_t nlen, rlen = 0; -diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h ---- a/openssh-6.5p1/kex.h -+++ b/openssh-6.5p1/kex.h +diff --git a/openssh-6.6p1/kex.h b/openssh-6.6p1/kex.h +--- a/openssh-6.6p1/kex.h ++++ b/openssh-6.6p1/kex.h @@ -71,16 +71,19 @@ enum kex_modes { enum kex_exchange { @@ -1482,7 +1480,7 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h typedef struct Kex Kex; typedef struct Mac Mac; typedef struct Comp Comp; -@@ -131,16 +134,22 @@ struct Kex { +@@ -130,16 +133,22 @@ struct Kex { int kex_type; int roaming; Buffer my; @@ -1505,7 +1503,7 @@ 
diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h int (*host_key_index)(Key *); void (*sign)(Key *, Key *, u_char **, u_int *, u_char *, u_int); void (*kex[KEX_MAX])(Kex *); -@@ -164,16 +173,21 @@ void kexdh_server(Kex *); +@@ -163,16 +172,21 @@ void kexdh_server(Kex *); void kexgex_client(Kex *); void kexgex_server(Kex *); void kexecdh_client(Kex *); @@ -1527,10 +1525,10 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h kexgex_hash(int, char *, char *, char *, int, char *, int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); -diff --git a/openssh-6.5p1/kexgssc.c b/openssh-6.5p1/kexgssc.c +diff --git a/openssh-6.6p1/kexgssc.c b/openssh-6.6p1/kexgssc.c new file mode 100644 --- /dev/null -+++ b/openssh-6.5p1/kexgssc.c ++++ b/openssh-6.6p1/kexgssc.c @@ -0,0 +1,334 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. @@ -1866,10 +1864,10 @@ new file mode 100644 +} + +#endif /* GSSAPI */ -diff --git a/openssh-6.5p1/kexgsss.c b/openssh-6.5p1/kexgsss.c +diff --git a/openssh-6.6p1/kexgsss.c b/openssh-6.6p1/kexgsss.c new file mode 100644 --- /dev/null -+++ b/openssh-6.5p1/kexgsss.c ++++ b/openssh-6.6p1/kexgsss.c @@ -0,0 +1,288 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. @@ -2159,10 +2157,10 @@ new file mode 100644 + ssh_gssapi_rekey_creds(); +} +#endif /* GSSAPI */ -diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c ---- a/openssh-6.5p1/key.c -+++ b/openssh-6.5p1/key.c -@@ -1052,16 +1052,18 @@ static const struct keytype keytypes[] = +diff --git a/openssh-6.6p1/key.c b/openssh-6.6p1/key.c +--- a/openssh-6.6p1/key.c ++++ b/openssh-6.6p1/key.c +@@ -1053,16 +1053,18 @@ static const struct keytype keytypes[] = # endif #endif /* OPENSSL_HAS_ECC */ { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00", @@ -2181,9 +2179,9 @@ 
diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c { const struct keytype *kt; -diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h ---- a/openssh-6.5p1/key.h -+++ b/openssh-6.5p1/key.h +diff --git a/openssh-6.6p1/key.h b/openssh-6.6p1/key.h +--- a/openssh-6.6p1/key.h ++++ b/openssh-6.6p1/key.h @@ -41,16 +41,17 @@ enum types { KEY_ECDSA, KEY_ED25519, @@ -2202,10 +2200,10 @@ diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h SSH_FP_SHA256 }; enum fp_rep { -diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c ---- a/openssh-6.5p1/monitor.c -+++ b/openssh-6.5p1/monitor.c -@@ -179,16 +179,18 @@ int mm_answer_pam_respond(int, Buffer *) +diff --git a/openssh-6.6p1/monitor.c b/openssh-6.6p1/monitor.c +--- a/openssh-6.6p1/monitor.c ++++ b/openssh-6.6p1/monitor.c +@@ -173,16 +173,18 @@ int mm_answer_pam_respond(int, Buffer *) int mm_answer_pam_free_ctx(int, Buffer *); #endif @@ -2224,7 +2222,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c int mm_answer_audit_end_command(int, Buffer *); int mm_answer_audit_unsupported_body(int, Buffer *); int mm_answer_audit_kex_body(int, Buffer *); -@@ -260,28 +262,35 @@ struct mon_table mon_dispatch_proto20[] +@@ -254,21 +256,28 @@ struct mon_table mon_dispatch_proto20[] #endif {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed}, {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify}, @@ -2234,13 +2232,6 @@ 
diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, + {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign}, - #endif - #ifdef JPAKE - {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata}, - {MONITOR_REQ_JPAKE_STEP1, MON_ISAUTH, mm_answer_jpake_step1}, - {MONITOR_REQ_JPAKE_STEP2, MON_ONCE, mm_answer_jpake_step2}, - {MONITOR_REQ_JPAKE_KEY_CONFIRM, MON_ONCE, mm_answer_jpake_key_confirm}, - {MONITOR_REQ_JPAKE_CHECK_CONFIRM, MON_AUTH, mm_answer_jpake_check_confirm}, #endif {0, 0, NULL} }; @@ -2260,7 +2251,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c #ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, -@@ -394,16 +403,20 @@ monitor_child_preauth(Authctxt *_authctx +@@ -381,16 +390,20 @@ monitor_child_preauth(Authctxt *_authctx authctxt->loginmsg = &loginmsg; if (compat20) { @@ -2281,7 +2272,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c /* The first few requests do not require asynchronous access */ while (!authenticated) { -@@ -508,16 +521,20 @@ monitor_child_postauth(struct monitor *p +@@ -486,16 +499,20 @@ monitor_child_postauth(struct monitor *p if (compat20) { mon_dispatch = mon_dispatch_postauth20; @@ -2302,7 +2293,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1); } -@@ -1931,16 +1948,23 @@ mm_get_kex(Buffer *m) +@@ -1909,16 +1926,23 @@ mm_get_kex(Buffer *m) fatal("mm_get_get: internal error: bad session id"); kex->we_need = buffer_get_int(m); kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; @@ -2326,7 +2317,7 @@ 
diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c buffer_append(&kex->my, blob, bloblen); free(blob); blob = buffer_get_string(m, &bloblen); -@@ -2155,16 +2179,19 @@ monitor_reinit(struct monitor *mon) +@@ -2133,16 +2157,19 @@ monitor_reinit(struct monitor *mon) #ifdef GSSAPI int mm_answer_gss_setup_ctx(int sock, Buffer *m) @@ -2346,7 +2337,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c free(goid.elements); buffer_clear(m); -@@ -2182,16 +2209,19 @@ int +@@ -2160,16 +2187,19 @@ int mm_answer_gss_accept_ctx(int sock, Buffer *m) { gss_buffer_desc in; @@ -2366,7 +2357,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c buffer_clear(m); buffer_put_int(m, major); buffer_put_string(m, out.value, out.length); -@@ -2199,27 +2229,31 @@ mm_answer_gss_accept_ctx(int sock, Buffe +@@ -2177,27 +2207,31 @@ mm_answer_gss_accept_ctx(int sock, Buffe mm_request_send(sock, MONITOR_ANS_GSSSTEP, m); gss_release_buffer(&minor, &out); @@ -2398,7 +2389,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic); free(gssbuf.value); -@@ -2236,29 +2270,101 @@ mm_answer_gss_checkmic(int sock, Buffer +@@ -2214,29 +2248,101 @@ mm_answer_gss_checkmic(int sock, Buffer return (0); } @@ -2495,16 +2486,16 @@ 
diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c + #endif /* GSSAPI */ - #ifdef JPAKE + #ifdef SSH_AUDIT_EVENTS int - mm_answer_jpake_step1(int sock, Buffer *m) + mm_answer_audit_unsupported_body(int sock, Buffer *m) { - struct jpake_ctx *pctx; - u_char *x3_proof, *x4_proof; -diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h ---- a/openssh-6.5p1/monitor.h -+++ b/openssh-6.5p1/monitor.h -@@ -70,16 +70,19 @@ enum monitor_reqtype { + int what; + +diff --git a/openssh-6.6p1/monitor.h b/openssh-6.6p1/monitor.h +--- a/openssh-6.6p1/monitor.h ++++ b/openssh-6.6p1/monitor.h +@@ -65,16 +65,19 @@ enum monitor_reqtype { MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111, MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113, MONITOR_ANS_AUDIT_COMMAND = 114, MONITOR_REQ_AUDIT_END_COMMAND = 115, @@ -2524,10 +2515,10 @@ diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h int m_sendfd; int m_log_recvfd; int m_log_sendfd; -diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c ---- a/openssh-6.5p1/monitor_wrap.c -+++ b/openssh-6.5p1/monitor_wrap.c -@@ -1305,33 +1305,78 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss +diff --git a/openssh-6.6p1/monitor_wrap.c b/openssh-6.6p1/monitor_wrap.c +--- a/openssh-6.6p1/monitor_wrap.c ++++ b/openssh-6.6p1/monitor_wrap.c +@@ -1303,33 +1303,78 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss &m); major = buffer_get_int(&m); @@ -2601,15 +2592,15 @@ 
diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c + #endif /* GSSAPI */ - #ifdef JPAKE + #ifdef SSH_AUDIT_EVENTS void - mm_auth2_jpake_get_pwdata(Authctxt *authctxt, BIGNUM **s, - char **hash_scheme, char **salt) + mm_audit_unsupported_body(int what) { Buffer m; -diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h ---- a/openssh-6.5p1/monitor_wrap.h -+++ b/openssh-6.5p1/monitor_wrap.h + +diff --git a/openssh-6.6p1/monitor_wrap.h b/openssh-6.6p1/monitor_wrap.h +--- a/openssh-6.6p1/monitor_wrap.h ++++ b/openssh-6.6p1/monitor_wrap.h @@ -54,18 +54,20 @@ int mm_user_key_verify(Key *, u_char *, int mm_auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **); int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *); @@ -2632,10 +2623,10 @@ diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h void *mm_sshpam_init_ctx(struct Authctxt *); int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **); int mm_sshpam_respond(void *, u_int, char **); -diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c ---- a/openssh-6.5p1/readconf.c -+++ b/openssh-6.5p1/readconf.c -@@ -135,16 +135,18 @@ typedef enum { +diff --git a/openssh-6.6p1/readconf.c b/openssh-6.6p1/readconf.c +--- a/openssh-6.6p1/readconf.c ++++ b/openssh-6.6p1/readconf.c +@@ -136,16 +136,18 @@ typedef enum { oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs, oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, @@ -2650,11 +2641,11 @@ 
diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c oSendEnv, oControlPath, oControlMaster, oControlPersist, oHashKnownHosts, oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, - oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, + oVisualHostKey, oUseRoaming, oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, -@@ -177,22 +179,31 @@ static struct { +@@ -178,22 +180,31 @@ static struct { { "challengeresponseauthentication", oChallengeResponseAuthentication }, { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */ { "tisauthentication", oChallengeResponseAuthentication }, /* alias */ @@ -2686,7 +2677,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c { "identitiesonly", oIdentitiesOnly }, { "hostname", oHostName }, { "hostkeyalias", oHostKeyAlias }, -@@ -836,24 +847,44 @@ parse_time: +@@ -838,24 +849,44 @@ parse_time: case oChallengeResponseAuthentication: intptr = &options->challenge_response_authentication; goto parse_flag; @@ -2731,7 +2722,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c intptr = &options->check_host_ip; goto parse_flag; -@@ -1489,18 +1520,23 @@ initialize_options(Options * options) +@@ -1498,18 +1529,23 @@ initialize_options(Options * options) options->exit_on_forward_failure = -1; options->xauth_location = NULL; options->gateway_ports = -1; @@ -2755,7 +2746,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c options->batch_mode = -1; options->check_host_ip = -1; options->strict_host_key_checking = -1; -@@ -1596,20 +1632,26 @@ fill_default_options(Options * options) +@@ -1618,20 +1654,26 @@ fill_default_options(Options * options) if (options->rsa_authentication == -1) options->rsa_authentication = 1; if (options->pubkey_authentication == -1) @@ -2782,9 +2773,9 @@ 
diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c options->rhosts_rsa_authentication = 0; if (options->hostbased_authentication == -1) options->hostbased_authentication = 0; -diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h ---- a/openssh-6.5p1/readconf.h -+++ b/openssh-6.5p1/readconf.h +diff --git a/openssh-6.6p1/readconf.h b/openssh-6.6p1/readconf.h +--- a/openssh-6.6p1/readconf.h ++++ b/openssh-6.6p1/readconf.h @@ -49,18 +49,23 @@ typedef struct { int rhosts_rsa_authentication; /* Try rhosts with RSA * authentication. */ @@ -2805,13 +2796,13 @@ diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */ - int zero_knowledge_password_authentication; /* Try jpake */ int batch_mode; /* Batch mode: do not ask for passwords. */ int check_host_ip; /* Also keep track of keys for IP address */ int strict_host_key_checking; /* Strict host key checking. */ -diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c ---- a/openssh-6.5p1/servconf.c -+++ b/openssh-6.5p1/servconf.c + int compression; /* Compress packets in both directions. */ +diff --git a/openssh-6.6p1/servconf.c b/openssh-6.6p1/servconf.c +--- a/openssh-6.6p1/servconf.c ++++ b/openssh-6.6p1/servconf.c @@ -104,18 +104,21 @@ initialize_server_options(ServerOptions options->hostbased_uses_name_from_packet_only = -1; options->rsa_authentication = -1; @@ -2834,7 +2825,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c options->use_login = -1; options->compression = -1; options->rekey_limit = -1; -@@ -244,20 +247,26 @@ fill_default_server_options(ServerOption +@@ -243,20 +246,26 @@ fill_default_server_options(ServerOption if (options->kerberos_or_local_passwd == -1) options->kerberos_or_local_passwd = 1; if (options->kerberos_ticket_cleanup == -1) @@ -2861,7 +2852,7 @@ 
diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c options->challenge_response_authentication = 1; if (options->permit_empty_passwd == -1) options->permit_empty_passwd = 0; -@@ -345,16 +354,17 @@ typedef enum { +@@ -342,16 +351,17 @@ typedef enum { sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, @@ -2873,13 +2864,13 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c + sGssStrictAcceptor, sGssKeyEx, sGssStoreRekey, sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, - sZeroKnowledgePasswordAuthentication, sHostCertificate, + sHostCertificate, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, sKexAlgorithms, sIPQoS, sVersionAddendum, sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, sAuthenticationMethods, sHostKeyAgent, sDeprecated, sUnsupported -@@ -414,21 +424,31 @@ static struct { +@@ -411,21 +421,31 @@ static struct { { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, #endif { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, @@ -2907,11 +2898,11 @@ 
diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */ - #ifdef JPAKE - { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL }, - #else - { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL }, -@@ -1102,24 +1122,36 @@ process_server_config_line(ServerOptions + { "checkmail", sDeprecated, SSHCFG_GLOBAL }, + { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, + { "addressfamily", sAddressFamily, SSHCFG_GLOBAL }, + { "printmotd", sPrintMotd, SSHCFG_GLOBAL }, +@@ -1094,24 +1114,36 @@ process_server_config_line(ServerOptions case sKerberosGetAFSToken: intptr = &options->kerberos_get_afs_token; goto parse_flag; @@ -2944,11 +2935,11 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c intptr = &options->password_authentication; goto parse_flag; - case sZeroKnowledgePasswordAuthentication: - intptr = &options->zero_knowledge_password_authentication; + case sKbdInteractiveAuthentication: + intptr = &options->kbd_interactive_authentication; goto parse_flag; -@@ -2020,17 +2052,20 @@ dump_config(ServerOptions *o) +@@ -2007,17 +2039,20 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd); dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup); # ifdef USE_AFS @@ -2961,17 +2952,17 @@ 
diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); + dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor); + dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey); - #endif - #ifdef JPAKE - dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication, - o->zero_knowledge_password_authentication); #endif dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); dump_cfg_fmtint(sKbdInteractiveAuthentication, o->kbd_interactive_authentication); -diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h ---- a/openssh-6.5p1/servconf.h -+++ b/openssh-6.5p1/servconf.h + dump_cfg_fmtint(sChallengeResponseAuthentication, + o->challenge_response_authentication); + dump_cfg_fmtint(sPrintMotd, o->print_motd); + dump_cfg_fmtint(sPrintLastLog, o->print_lastlog); +diff --git a/openssh-6.6p1/servconf.h b/openssh-6.6p1/servconf.h +--- a/openssh-6.6p1/servconf.h ++++ b/openssh-6.6p1/servconf.h @@ -107,18 +107,21 @@ typedef struct { * authentication mechanism, * such as SecurID or @@ -2990,15 +2981,15 @@ diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h * authentication. */ int kbd_interactive_authentication; /* If true, permit */ int challenge_response_authentication; - int zero_knowledge_password_authentication; - /* If true, permit jpake auth */ int permit_empty_passwd; /* If false, do not permit empty * passwords. */ -diff --git a/openssh-6.5p1/ssh-gss.h b/openssh-6.5p1/ssh-gss.h ---- a/openssh-6.5p1/ssh-gss.h -+++ b/openssh-6.5p1/ssh-gss.h + int permit_user_env; /* If true, read ~/.ssh/environment */ + int use_login; /* If true, login(1) is used */ +diff --git a/openssh-6.6p1/ssh-gss.h b/openssh-6.6p1/ssh-gss.h +--- a/openssh-6.6p1/ssh-gss.h ++++ b/openssh-6.6p1/ssh-gss.h 
@@ -1,11 +1,11 @@ - /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */ + /* $OpenBSD: ssh-gss.h,v 1.11 2014/02/26 20:28:44 djm Exp $ */ /* - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. @@ -3080,9 +3071,9 @@ diff --git a/openssh-6.5p1/ssh-gss.h b/openssh-6.5p1/ssh-gss.h void ssh_gssapi_set_oid(Gssctxt *, gss_OID); void ssh_gssapi_supported_oids(gss_OID_set *); ssh_gssapi_mech *ssh_gssapi_get_ctype(Gssctxt *); - - OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *); -@@ -112,21 +129,35 @@ OM_uint32 ssh_gssapi_accept_ctx(Gssctxt + void ssh_gssapi_prepare_supported_oids(void); + OM_uint32 ssh_gssapi_test_oid_supported(OM_uint32 *, gss_OID, int *); +@@ -114,21 +131,35 @@ OM_uint32 ssh_gssapi_accept_ctx(Gssctxt gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); OM_uint32 ssh_gssapi_getclient(Gssctxt *, ssh_gssapi_client *); void ssh_gssapi_error(Gssctxt *); @@ -3120,9 +3111,9 @@ diff --git a/openssh-6.5p1/ssh-gss.h b/openssh-6.5p1/ssh-gss.h #endif /* GSSAPI */ #endif /* _SSH_GSS_H */ -diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config ---- a/openssh-6.5p1/ssh_config -+++ b/openssh-6.5p1/ssh_config +diff --git a/openssh-6.6p1/ssh_config b/openssh-6.6p1/ssh_config +--- a/openssh-6.6p1/ssh_config ++++ b/openssh-6.6p1/ssh_config @@ -32,16 +32,18 @@ Host * ForwardX11Trusted yes @@ -3142,10 +3133,10 @@ 
diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config # IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/id_rsa # IdentityFile ~/.ssh/id_dsa -diff --git a/openssh-6.5p1/ssh_config.5 b/openssh-6.5p1/ssh_config.5 ---- a/openssh-6.5p1/ssh_config.5 -+++ b/openssh-6.5p1/ssh_config.5 -@@ -671,21 +671,53 @@ host key database, separated by whitespa +diff --git a/openssh-6.6p1/ssh_config.5 b/openssh-6.6p1/ssh_config.5 +--- a/openssh-6.6p1/ssh_config.5 ++++ b/openssh-6.6p1/ssh_config.5 +@@ -677,21 +677,53 @@ host key database, separated by whitespa The default is .Pa /etc/ssh/ssh_known_hosts , .Pa /etc/ssh/ssh_known_hosts2 . @@ -3200,10 +3191,10 @@ diff --git a/openssh-6.5p1/ssh_config.5 b/openssh-6.5p1/ssh_config.5 These hashed names may be used normally by .Xr ssh 1 and -diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c ---- a/openssh-6.5p1/sshconnect2.c -+++ b/openssh-6.5p1/sshconnect2.c -@@ -156,19 +156,44 @@ order_hostkeyalgs(char *host, struct soc +diff --git a/openssh-6.6p1/sshconnect2.c b/openssh-6.6p1/sshconnect2.c +--- a/openssh-6.6p1/sshconnect2.c ++++ b/openssh-6.6p1/sshconnect2.c +@@ -155,19 +155,44 @@ order_hostkeyalgs(char *host, struct soc return ret; } @@ -3248,7 +3239,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; } else if (fips_mode()) { -@@ -204,32 +229,63 @@ ssh_kex2(char *host, struct sockaddr *ho +@@ -203,32 +228,63 @@ ssh_kex2(char *host, struct sockaddr *ho /* Prefer algorithms that we already have keys for */ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( @@ -3312,7 +3303,7 @@ 
diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c debug("Roaming not allowed by server"); options.use_roaming = 0; } -@@ -315,31 +371,37 @@ void userauth_jpake_cleanup(Authctxt *); +@@ -308,31 +364,37 @@ int userauth_hostbased(Authctxt *); #ifdef GSSAPI int userauth_gssapi(Authctxt *authctxt); @@ -3350,7 +3341,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c {"gssapi", userauth_gssapi, NULL, -@@ -638,29 +700,41 @@ done: +@@ -624,29 +686,41 @@ done: int userauth_gssapi(Authctxt *authctxt) { @@ -3394,7 +3385,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c if (!ok) return 0; -@@ -749,18 +823,18 @@ process_gssapi_token(void *ctxt, gss_buf +@@ -735,18 +809,18 @@ process_gssapi_token(void *ctxt, gss_buf } /* ARGSUSED */ @@ -3415,7 +3406,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c /* Setup our OID */ oidv = packet_get_string(&oidlen); -@@ -859,16 +933,58 @@ input_gssapi_error(int type, u_int32_t p +@@ -845,16 +919,58 @@ input_gssapi_error(int type, u_int32_t p lang=packet_get_string(NULL); packet_check_eom(); @@ -3474,18 +3465,18 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c /* initial userauth request */ packet_start(SSH2_MSG_USERAUTH_REQUEST); packet_put_cstring(authctxt->server_user); -diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c ---- a/openssh-6.5p1/sshd.c -+++ b/openssh-6.5p1/sshd.c -@@ -121,16 +121,20 @@ - #endif - #include "monitor_wrap.h" +diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c +--- a/openssh-6.6p1/sshd.c ++++ b/openssh-6.6p1/sshd.c +@@ -123,16 +123,20 @@ #include "roaming.h" - #include "audit.h" #include "ssh-sandbox.h" #include "version.h" + #include "fips.h" + #include "audit.h" + +#ifdef USE_SECURITY_SESSION_API +#include +#endif @@ -3498,7 +3489,7 @@ 
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c #endif /* LIBWRAP */ #ifndef O_NOCTTY -@@ -1795,20 +1799,23 @@ main(int ac, char **av) +@@ -1804,20 +1808,23 @@ main(int ac, char **av) if ((options.protocol & SSH_PROTO_1) && fips_mode()) { logit("Disabling protocol version 1. Not allowed in the FIPS mode."); options.protocol &= ~SSH_PROTO_1; @@ -3522,7 +3513,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c /* * Load certificates. They are stored in an array at identical * indices to the public keys that they relate to. -@@ -1998,16 +2005,70 @@ main(int ac, char **av) +@@ -2007,16 +2014,70 @@ main(int ac, char **av) /* Accept a connection and return in a forked child */ server_accept_loop(&sock_in, &sock_out, &newsock, config_s); @@ -3593,7 +3584,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c #if !defined(SSHD_ACQUIRES_CTTY) /* * If setsid is called, on some platforms sshd will later acquire a -@@ -2125,16 +2186,70 @@ main(int ac, char **av) +@@ -2134,16 +2195,70 @@ main(int ac, char **av) } #endif /* LIBWRAP */ @@ -3664,7 +3655,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c * mode; it is just annoying to have the server exit just when you * are about to discover the bug. */ -@@ -2544,24 +2659,73 @@ do_ssh2_kex(void) +@@ -2559,24 +2674,73 @@ do_ssh2_kex(void) if (options.rekey_limit || options.rekey_interval) packet_set_rekey_limits((u_int32_t)options.rekey_limit, @@ -3738,9 +3729,9 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c kex->host_key_index=&get_hostkey_index; kex->sign = sshd_hostkey_sign; -diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config ---- a/openssh-6.5p1/sshd_config -+++ b/openssh-6.5p1/sshd_config +diff --git a/openssh-6.6p1/sshd_config b/openssh-6.6p1/sshd_config +--- a/openssh-6.6p1/sshd_config ++++ b/openssh-6.6p1/sshd_config @@ -79,16 +79,18 @@ PasswordAuthentication no #KerberosAuthentication no #KerberosOrLocalPasswd yes @@ -3760,9 +3751,9 @@ 
diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config #GSSAPIEnableMITMAttack no -diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5 ---- a/openssh-6.5p1/sshd_config.5 -+++ b/openssh-6.5p1/sshd_config.5 +diff --git a/openssh-6.6p1/sshd_config.5 b/openssh-6.6p1/sshd_config.5 +--- a/openssh-6.6p1/sshd_config.5 ++++ b/openssh-6.6p1/sshd_config.5 @@ -487,22 +487,50 @@ to force remote port forwardings to bind to allow the client to select the address to which the forwarding is bound. The default is diff --git a/openssh-6.5p1-gssapimitm.patch b/openssh-6.6p1-gssapimitm.patch similarity index 85% rename from openssh-6.5p1-gssapimitm.patch rename to openssh-6.6p1-gssapimitm.patch index fb87bb0..bbdf6c7 100644 --- a/openssh-6.5p1-gssapimitm.patch +++ b/openssh-6.6p1-gssapimitm.patch @@ -13,10 +13,10 @@ # recommended to use the 'gssapi-with-mic' mechanism. Existing installations # are encouraged to upgrade as soon as possible. -diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c ---- a/openssh-6.5p1/auth2-gss.c -+++ b/openssh-6.5p1/auth2-gss.c -@@ -173,16 +173,25 @@ input_gssapi_token(int type, u_int32_t p +diff --git a/openssh-6.6p1/auth2-gss.c b/openssh-6.6p1/auth2-gss.c +--- a/openssh-6.6p1/auth2-gss.c ++++ b/openssh-6.6p1/auth2-gss.c +@@ -168,16 +168,25 @@ input_gssapi_token(int type, u_int32_t p dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); if (flags & GSS_C_INTEG_FLAG) dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, @@ -42,7 +42,7 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c static void input_gssapi_errtok(int type, u_int32_t plen, void *ctxt) -@@ -291,9 +300,15 @@ input_gssapi_mic(int type, u_int32_t ple +@@ -286,9 +295,15 @@ input_gssapi_mic(int type, u_int32_t ple } Authmethod method_gssapi = { @@ -58,10 +58,10 @@ 
diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c +}; + #endif /* GSSAPI */ -diff --git a/openssh-6.5p1/auth2.c b/openssh-6.5p1/auth2.c ---- a/openssh-6.5p1/auth2.c -+++ b/openssh-6.5p1/auth2.c -@@ -65,26 +65,28 @@ extern Buffer loginmsg; +diff --git a/openssh-6.6p1/auth2.c b/openssh-6.6p1/auth2.c +--- a/openssh-6.6p1/auth2.c ++++ b/openssh-6.6p1/auth2.c +@@ -65,23 +65,25 @@ extern Buffer loginmsg; extern Authmethod method_none; extern Authmethod method_pubkey; @@ -72,9 +72,6 @@ diff --git a/openssh-6.5p1/auth2.c b/openssh-6.5p1/auth2.c extern Authmethod method_gssapi; +extern Authmethod method_gssapi_old; #endif - #ifdef JPAKE - extern Authmethod method_jpake; - #endif Authmethod *authmethods[] = { &method_none, @@ -82,18 +79,18 @@ diff --git a/openssh-6.5p1/auth2.c b/openssh-6.5p1/auth2.c #ifdef GSSAPI &method_gssapi, + &method_gssapi_old, - #endif - #ifdef JPAKE - &method_jpake, #endif &method_passwd, &method_kbdint, &method_hostbased, NULL -diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c ---- a/openssh-6.5p1/readconf.c -+++ b/openssh-6.5p1/readconf.c -@@ -134,17 +134,17 @@ typedef enum { + }; + + /* protocol */ +diff --git a/openssh-6.6p1/readconf.c b/openssh-6.6p1/readconf.c +--- a/openssh-6.6p1/readconf.c ++++ b/openssh-6.6p1/readconf.c +@@ -135,17 +135,17 @@ typedef enum { oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts, oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs, oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, @@ -108,11 +105,11 @@ 
diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c oSendEnv, oControlPath, oControlMaster, oControlPersist, oHashKnownHosts, oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, - oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, + oVisualHostKey, oUseRoaming, oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, -@@ -178,19 +178,21 @@ static struct { +@@ -179,19 +179,21 @@ static struct { { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */ { "tisauthentication", oChallengeResponseAuthentication }, /* alias */ { "kerberosauthentication", oUnsupported }, @@ -134,7 +131,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c { "identitiesonly", oIdentitiesOnly }, { "hostname", oHostName }, { "hostkeyalias", oHostKeyAlias }, -@@ -837,16 +839,20 @@ parse_time: +@@ -839,16 +841,20 @@ parse_time: case oGssAuthentication: intptr = &options->gss_authentication; @@ -155,7 +152,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c case oCheckHostIP: intptr = &options->check_host_ip; goto parse_flag; -@@ -1484,16 +1490,17 @@ initialize_options(Options * options) +@@ -1493,16 +1499,17 @@ initialize_options(Options * options) options->xauth_location = NULL; options->gateway_ports = -1; options->use_privileged_port = -1; @@ -173,7 +170,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c options->batch_mode = -1; options->check_host_ip = -1; options->strict_host_key_checking = -1; -@@ -1591,16 +1598,18 @@ fill_default_options(Options * options) +@@ -1613,16 +1620,18 @@ fill_default_options(Options * options) if (options->pubkey_authentication == -1) options->pubkey_authentication = 1; if (options->challenge_response_authentication == -1) @@ -192,9 +189,9 @@ 
diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c options->rhosts_rsa_authentication = 0; if (options->hostbased_authentication == -1) options->hostbased_authentication = 0; -diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h ---- a/openssh-6.5p1/readconf.h -+++ b/openssh-6.5p1/readconf.h +diff --git a/openssh-6.6p1/readconf.h b/openssh-6.6p1/readconf.h +--- a/openssh-6.6p1/readconf.h ++++ b/openssh-6.6p1/readconf.h @@ -50,16 +50,17 @@ typedef struct { * authentication. */ int rsa_authentication; /* Try RSA authentication. */ @@ -209,13 +206,13 @@ diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */ - int zero_knowledge_password_authentication; /* Try jpake */ int batch_mode; /* Batch mode: do not ask for passwords. */ int check_host_ip; /* Also keep track of keys for IP address */ int strict_host_key_checking; /* Strict host key checking. */ -diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c ---- a/openssh-6.5p1/servconf.c -+++ b/openssh-6.5p1/servconf.c + int compression; /* Compress packets in both directions. */ +diff --git a/openssh-6.6p1/servconf.c b/openssh-6.6p1/servconf.c +--- a/openssh-6.6p1/servconf.c ++++ b/openssh-6.6p1/servconf.c @@ -104,16 +104,17 @@ initialize_server_options(ServerOptions options->rsa_authentication = -1; options->pubkey_authentication = -1; @@ -234,7 +231,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c options->use_login = -1; options->compression = -1; options->rekey_limit = -1; -@@ -242,16 +243,18 @@ fill_default_server_options(ServerOption +@@ -241,16 +242,18 @@ fill_default_server_options(ServerOption if (options->kerberos_ticket_cleanup == -1) options->kerberos_ticket_cleanup = 1; if (options->kerberos_get_afs_token == -1) @@ -253,7 +250,7 @@ 
diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c options->challenge_response_authentication = 1; if (options->permit_empty_passwd == -1) options->permit_empty_passwd = 0; -@@ -338,17 +341,17 @@ typedef enum { +@@ -335,17 +338,17 @@ typedef enum { sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, @@ -266,13 +263,13 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c + sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssEnableMITM, sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, - sZeroKnowledgePasswordAuthentication, sHostCertificate, + sHostCertificate, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, sKexAlgorithms, sIPQoS, sVersionAddendum, sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, sAuthenticationMethods, sHostKeyAgent, sDeprecated, sUnsupported -@@ -405,19 +408,21 @@ static struct { +@@ -402,19 +405,21 @@ static struct { { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL }, { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, #endif @@ -291,10 +288,10 @@ 
diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */ - #ifdef JPAKE - { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL }, - #else -@@ -1093,16 +1098,20 @@ process_server_config_line(ServerOptions + { "checkmail", sDeprecated, SSHCFG_GLOBAL }, + { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, + { "addressfamily", sAddressFamily, SSHCFG_GLOBAL }, +@@ -1085,16 +1090,20 @@ process_server_config_line(ServerOptions case sGssAuthentication: intptr = &options->gss_authentication; goto parse_flag; @@ -311,13 +308,13 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c intptr = &options->password_authentication; goto parse_flag; - case sZeroKnowledgePasswordAuthentication: - intptr = &options->zero_knowledge_password_authentication; + case sKbdInteractiveAuthentication: + intptr = &options->kbd_interactive_authentication; goto parse_flag; -diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h ---- a/openssh-6.5p1/servconf.h -+++ b/openssh-6.5p1/servconf.h +diff --git a/openssh-6.6p1/servconf.h b/openssh-6.6p1/servconf.h +--- a/openssh-6.6p1/servconf.h ++++ b/openssh-6.6p1/servconf.h @@ -108,16 +108,17 @@ typedef struct { * such as SecurID or * /etc/passwd */ @@ -332,13 +329,13 @@ 
diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h * authentication. */ int kbd_interactive_authentication; /* If true, permit */ int challenge_response_authentication; - int zero_knowledge_password_authentication; - /* If true, permit jpake auth */ int permit_empty_passwd; /* If false, do not permit empty * passwords. */ -diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config ---- a/openssh-6.5p1/ssh_config -+++ b/openssh-6.5p1/ssh_config + int permit_user_env; /* If true, read ~/.ssh/environment */ + int use_login; /* If true, login(1) is used */ +diff --git a/openssh-6.6p1/ssh_config b/openssh-6.6p1/ssh_config +--- a/openssh-6.6p1/ssh_config ++++ b/openssh-6.6p1/ssh_config @@ -51,9 +51,16 @@ ForwardX11Trusted yes # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 @@ -356,10 +353,10 @@ diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config +# GSSAPIEnableMITMAttack no + # RekeyLimit 1G 1h -diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c ---- a/openssh-6.5p1/sshconnect2.c -+++ b/openssh-6.5p1/sshconnect2.c -@@ -324,16 +324,21 @@ static char *authmethods_get(void); +diff --git a/openssh-6.6p1/sshconnect2.c b/openssh-6.6p1/sshconnect2.c +--- a/openssh-6.6p1/sshconnect2.c ++++ b/openssh-6.6p1/sshconnect2.c +@@ -316,16 +316,21 @@ static char *authmethods_get(void); Authmethod authmethods[] = { #ifdef GSSAPI @@ -381,7 +378,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c NULL}, {"publickey", userauth_pubkey, -@@ -698,17 +703,19 @@ process_gssapi_token(void *ctxt, gss_buf +@@ -683,17 +688,19 @@ process_gssapi_token(void *ctxt, gss_buf packet_put_string(send_tok.value, send_tok.length); packet_send(); @@ -402,9 +399,9 @@ 
diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c gssbuf.value = buffer_ptr(&b); gssbuf.length = buffer_len(&b); -diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config ---- a/openssh-6.5p1/sshd_config -+++ b/openssh-6.5p1/sshd_config +diff --git a/openssh-6.6p1/sshd_config b/openssh-6.6p1/sshd_config +--- a/openssh-6.6p1/sshd_config ++++ b/openssh-6.6p1/sshd_config @@ -80,16 +80,23 @@ PasswordAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes diff --git a/openssh-6.5p1-host_ident.patch b/openssh-6.6p1-host_ident.patch similarity index 82% rename from openssh-6.5p1-host_ident.patch rename to openssh-6.6p1-host_ident.patch index 5a24c4c..3e07caf 100644 --- a/openssh-6.5p1-host_ident.patch +++ b/openssh-6.6p1-host_ident.patch @@ -1,10 +1,10 @@ # identify hashed hosts in known_hosts and suggest command line for their # removal -diff --git a/openssh-6.5p1/sshconnect.c b/openssh-6.5p1/sshconnect.c ---- a/openssh-6.5p1/sshconnect.c -+++ b/openssh-6.5p1/sshconnect.c -@@ -1067,16 +1067,21 @@ check_host_key(char *hostname, struct so +diff --git a/openssh-6.6p1/sshconnect.c b/openssh-6.6p1/sshconnect.c +--- a/openssh-6.6p1/sshconnect.c ++++ b/openssh-6.6p1/sshconnect.c +@@ -1070,16 +1070,21 @@ check_host_key(char *hostname, struct so ip_found->file, ip_found->line); } /* The host key has changed. */ diff --git a/openssh-6.5p1-key-converter.patch b/openssh-6.6p1-key-converter.patch similarity index 97% rename from openssh-6.5p1-key-converter.patch rename to openssh-6.6p1-key-converter.patch index 86c65c6..c628ad6 100644 --- a/openssh-6.5p1-key-converter.patch +++ b/openssh-6.6p1-key-converter.patch @@ -1,9 +1,9 @@ # SSHv1 to SSHv2 RSA keys converter -diff --git a/openssh-6.5p1/converter/Makefile b/openssh-6.5p1/converter/Makefile +diff --git a/openssh-6.6p1/converter/Makefile b/openssh-6.6p1/converter/Makefile new file mode 100644 --- /dev/null -+++ b/openssh-6.5p1/converter/Makefile ++++ b/openssh-6.6p1/converter/Makefile 
@@ -0,0 +1,17 @@ + +bindir=/usr/bin @@ -22,10 +22,10 @@ new file mode 100644 + install -m 755 ssh-keyconverter $(DESTDIR)$(bindir) + if [ ! -d $(DESTDIR)$(mandir)/man1 ]; then install -d -m 755 $(DESTDIR)$(mandir)/man1; fi + install -m 644 ssh-keyconverter.1 $(DESTDIR)$(mandir)/man1 -diff --git a/openssh-6.5p1/converter/ssh-keyconverter.1 b/openssh-6.5p1/converter/ssh-keyconverter.1 +diff --git a/openssh-6.6p1/converter/ssh-keyconverter.1 b/openssh-6.6p1/converter/ssh-keyconverter.1 new file mode 100644 --- /dev/null -+++ b/openssh-6.5p1/converter/ssh-keyconverter.1 ++++ b/openssh-6.6p1/converter/ssh-keyconverter.1 @@ -0,0 +1,155 @@ +.\" Manpage for ssh-keyconverter +.\" @@ -182,10 +182,10 @@ new file mode 100644 +.%D March 2001 +.%O work in progress material +.Re -diff --git a/openssh-6.5p1/converter/ssh-keyconverter.c b/openssh-6.5p1/converter/ssh-keyconverter.c +diff --git a/openssh-6.6p1/converter/ssh-keyconverter.c b/openssh-6.6p1/converter/ssh-keyconverter.c new file mode 100644 --- /dev/null -+++ b/openssh-6.5p1/converter/ssh-keyconverter.c ++++ b/openssh-6.6p1/converter/ssh-keyconverter.c @@ -0,0 +1,345 @@ +/* + * SSH v1 to v2 RSA key converter. diff --git a/openssh-6.5p1-lastlog.patch b/openssh-6.6p1-lastlog.patch similarity index 82% rename from openssh-6.5p1-lastlog.patch rename to openssh-6.6p1-lastlog.patch index 16fd2c6..4aceaee 100644 --- a/openssh-6.5p1-lastlog.patch +++ b/openssh-6.6p1-lastlog.patch @@ -1,9 +1,9 @@ # set uid for functions that use it to seek in lastlog and wtmp files # bnc#18024 (was suse #3024) -diff --git a/openssh-6.5p1/sshlogin.c b/openssh-6.5p1/sshlogin.c ---- a/openssh-6.5p1/sshlogin.c -+++ b/openssh-6.5p1/sshlogin.c +diff --git a/openssh-6.6p1/sshlogin.c b/openssh-6.6p1/sshlogin.c +--- a/openssh-6.6p1/sshlogin.c ++++ b/openssh-6.6p1/sshlogin.c @@ -128,16 +128,17 @@ record_login(pid_t pid, const char *tty, { struct logininfo *li; 
diff --git a/openssh-6.5p1-ldap.patch b/openssh-6.6p1-ldap.patch similarity index 97% rename from openssh-6.5p1-ldap.patch rename to openssh-6.6p1-ldap.patch index 7eee04a..a91ff94 100644 --- a/openssh-6.5p1-ldap.patch +++ b/openssh-6.6p1-ldap.patch @@ -8,10 +8,10 @@ # internal versions. ssh-keyconverter consequently fails to link as it lacks # the proper flags, and libopenbsd-compat doesn't contain the b64_* functions) -diff --git a/openssh-6.5p1/HOWTO.ldap-keys b/openssh-6.5p1/HOWTO.ldap-keys +diff --git a/openssh-6.6p1/HOWTO.ldap-keys b/openssh-6.6p1/HOWTO.ldap-keys new file mode 100644 --- /dev/null -+++ b/openssh-6.5p1/HOWTO.ldap-keys ++++ b/openssh-6.6p1/HOWTO.ldap-keys @@ -0,0 +1,108 @@ + +HOW TO START @@ -121,9 +121,9 @@ new file mode 100644 + - frederic peters. + - Finlay dobbie. + - Stefan Fisher. -diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in ---- a/openssh-6.5p1/Makefile.in -+++ b/openssh-6.5p1/Makefile.in +diff --git a/openssh-6.6p1/Makefile.in b/openssh-6.6p1/Makefile.in +--- a/openssh-6.6p1/Makefile.in ++++ b/openssh-6.6p1/Makefile.in @@ -20,16 +20,18 @@ srcdir=@srcdir@ top_srcdir=@top_srcdir@ @@ -164,7 +164,7 @@ diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in log.o match.o md-sha256.o moduli.o nchan.o packet.o \ readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \ atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ -@@ -94,18 +98,18 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw +@@ -96,18 +100,18 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw kexc25519s.o auth-krb5.o \ auth2-gss.o gss-serv.o gss-serv-krb5.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ @@ -185,7 +185,7 @@ 
diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in PATHSUBS = \ -e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \ -e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \ -@@ -169,16 +173,19 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss +@@ -171,16 +175,19 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o @@ -205,7 +205,7 @@ diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in # test driver for the loginrec code - not built by default logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o -@@ -271,30 +278,38 @@ install-files: +@@ -273,30 +280,38 @@ install-files: $(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) @@ -244,7 +244,7 @@ diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in install-sysconf: if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \ $(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \ -@@ -314,16 +329,23 @@ install-sysconf: +@@ -316,16 +331,23 @@ install-sysconf: echo "moving $(DESTDIR)$(sysconfdir)/primes to $(DESTDIR)$(sysconfdir)/moduli"; \ mv "$(DESTDIR)$(sysconfdir)/primes" "$(DESTDIR)$(sysconfdir)/moduli"; \ else \ @@ -268,7 +268,7 @@ diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in else \ ./ssh-keygen -t rsa1 -f $(sysconfdir)/ssh_host_key -N "" ; \ fi ; \ -@@ -377,27 +399,30 @@ uninstall: +@@ -379,27 +401,30 @@ uninstall: -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) @@ -299,10 +299,10 @@ 
diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \ $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) -diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac ---- a/openssh-6.5p1/configure.ac -+++ b/openssh-6.5p1/configure.ac -@@ -1573,16 +1573,116 @@ AC_ARG_WITH([audit], +diff --git a/openssh-6.6p1/configure.ac b/openssh-6.6p1/configure.ac +--- a/openssh-6.6p1/configure.ac ++++ b/openssh-6.6p1/configure.ac +@@ -1599,16 +1599,116 @@ AC_ARG_WITH([audit], AC_MSG_RESULT([no]) ;; *) @@ -419,10 +419,10 @@ diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac if test "x$withval" = "xyes"; then use_pie=yes fi -diff --git a/openssh-6.5p1/ldap-helper.c b/openssh-6.5p1/ldap-helper.c +diff --git a/openssh-6.6p1/ldap-helper.c b/openssh-6.6p1/ldap-helper.c new file mode 100644 --- /dev/null -+++ b/openssh-6.5p1/ldap-helper.c ++++ b/openssh-6.6p1/ldap-helper.c @@ -0,0 +1,155 @@ +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -579,10 +579,10 @@ new file mode 100644 +void *buffer_get_string(Buffer *b, u_int *l) { return NULL; } +void buffer_put_string(Buffer *b, const void *f, u_int l) {} + -diff --git a/openssh-6.5p1/ldap-helper.h b/openssh-6.5p1/ldap-helper.h +diff --git a/openssh-6.6p1/ldap-helper.h b/openssh-6.6p1/ldap-helper.h new file mode 100644 --- /dev/null -+++ b/openssh-6.5p1/ldap-helper.h ++++ b/openssh-6.6p1/ldap-helper.h @@ -0,0 +1,32 @@ +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -616,10 +616,10 @@ new file mode 100644 +extern int config_warning_config_file; + +#endif /* LDAP_HELPER_H */ -diff --git a/openssh-6.5p1/ldap.conf b/openssh-6.5p1/ldap.conf +diff --git a/openssh-6.6p1/ldap.conf b/openssh-6.6p1/ldap.conf new file mode 100644 --- /dev/null -+++ b/openssh-6.5p1/ldap.conf ++++ b/openssh-6.6p1/ldap.conf 
@@ -0,0 +1,88 @@ +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $ +# @@ -709,10 +709,10 @@ new file mode 100644 +#tls_cert +#tls_key + -diff --git a/openssh-6.5p1/ldapbody.c b/openssh-6.5p1/ldapbody.c +diff --git a/openssh-6.6p1/ldapbody.c b/openssh-6.6p1/ldapbody.c new file mode 100644 --- /dev/null -+++ b/openssh-6.5p1/ldapbody.c ++++ b/openssh-6.6p1/ldapbody.c @@ -0,0 +1,494 @@ +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1208,10 +1208,10 @@ new file mode 100644 + return; +} + -diff --git a/openssh-6.5p1/ldapbody.h b/openssh-6.5p1/ldapbody.h +diff --git a/openssh-6.6p1/ldapbody.h b/openssh-6.6p1/ldapbody.h new file mode 100644 --- /dev/null -+++ b/openssh-6.5p1/ldapbody.h ++++ b/openssh-6.6p1/ldapbody.h @@ -0,0 +1,37 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1250,10 +1250,10 @@ new file mode 100644 + +#endif /* LDAPBODY_H */ + -diff --git a/openssh-6.5p1/ldapconf.c b/openssh-6.5p1/ldapconf.c +diff --git a/openssh-6.6p1/ldapconf.c b/openssh-6.6p1/ldapconf.c new file mode 100644 --- /dev/null -+++ b/openssh-6.5p1/ldapconf.c ++++ b/openssh-6.6p1/ldapconf.c @@ -0,0 +1,682 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1937,10 +1937,10 @@ new file mode 100644 + dump_cfg_string(lSSH_Filter, options.ssh_filter); +} + -diff --git a/openssh-6.5p1/ldapconf.h b/openssh-6.5p1/ldapconf.h +diff --git a/openssh-6.6p1/ldapconf.h b/openssh-6.6p1/ldapconf.h new file mode 100644 --- /dev/null -+++ b/openssh-6.5p1/ldapconf.h ++++ b/openssh-6.6p1/ldapconf.h @@ -0,0 +1,71 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -2013,10 +2013,10 @@ new file mode 100644 +void dump_config(void); + +#endif /* LDAPCONF_H */ -diff --git a/openssh-6.5p1/ldapincludes.h b/openssh-6.5p1/ldapincludes.h +diff --git a/openssh-6.6p1/ldapincludes.h b/openssh-6.6p1/ldapincludes.h new file mode 100644 
--- /dev/null -+++ b/openssh-6.5p1/ldapincludes.h ++++ b/openssh-6.6p1/ldapincludes.h @@ -0,0 +1,41 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -2059,10 +2059,10 @@ new file mode 100644 +#endif + +#endif /* LDAPINCLUDES_H */ -diff --git a/openssh-6.5p1/ldapmisc.c b/openssh-6.5p1/ldapmisc.c +diff --git a/openssh-6.6p1/ldapmisc.c b/openssh-6.6p1/ldapmisc.c new file mode 100644 --- /dev/null -+++ b/openssh-6.5p1/ldapmisc.c ++++ b/openssh-6.6p1/ldapmisc.c @@ -0,0 +1,79 @@ + +#include "ldapincludes.h" @@ -2143,10 +2143,10 @@ new file mode 100644 +} +#endif + -diff --git a/openssh-6.5p1/ldapmisc.h b/openssh-6.5p1/ldapmisc.h +diff --git a/openssh-6.6p1/ldapmisc.h b/openssh-6.6p1/ldapmisc.h new file mode 100644 --- /dev/null -+++ b/openssh-6.5p1/ldapmisc.h ++++ b/openssh-6.6p1/ldapmisc.h @@ -0,0 +1,35 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -2183,9 +2183,9 @@ new file mode 100644 + +#endif /* LDAPMISC_H */ + -diff --git a/openssh-6.5p1/openbsd-compat/base64.c b/openssh-6.5p1/openbsd-compat/base64.c ---- a/openssh-6.5p1/openbsd-compat/base64.c -+++ b/openssh-6.5p1/openbsd-compat/base64.c +diff --git a/openssh-6.6p1/openbsd-compat/base64.c b/openssh-6.6p1/openbsd-compat/base64.c +--- a/openssh-6.6p1/openbsd-compat/base64.c ++++ b/openssh-6.6p1/openbsd-compat/base64.c @@ -41,17 +41,17 @@ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES. @@ -2243,9 +2243,9 @@ diff --git a/openssh-6.5p1/openbsd-compat/base64.c b/openssh-6.5p1/openbsd-compa */ int -diff --git a/openssh-6.5p1/openbsd-compat/base64.h b/openssh-6.5p1/openbsd-compat/base64.h ---- a/openssh-6.5p1/openbsd-compat/base64.h -+++ b/openssh-6.5p1/openbsd-compat/base64.h +diff --git a/openssh-6.6p1/openbsd-compat/base64.h b/openssh-6.6p1/openbsd-compat/base64.h +--- a/openssh-6.6p1/openbsd-compat/base64.h ++++ b/openssh-6.6p1/openbsd-compat/base64.h 
@@ -42,24 +42,24 @@ * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES. */ @@ -2275,10 +2275,10 @@ diff --git a/openssh-6.5p1/openbsd-compat/base64.h b/openssh-6.5p1/openbsd-compa #endif /* HAVE___B64_PTON */ #endif /* _BSD_BASE64_H */ -diff --git a/openssh-6.5p1/openssh-lpk-openldap.schema b/openssh-6.5p1/openssh-lpk-openldap.schema +diff --git a/openssh-6.6p1/openssh-lpk-openldap.schema b/openssh-6.6p1/openssh-lpk-openldap.schema new file mode 100644 --- /dev/null -+++ b/openssh-6.5p1/openssh-lpk-openldap.schema ++++ b/openssh-6.6p1/openssh-lpk-openldap.schema @@ -0,0 +1,21 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey @@ -2301,10 +2301,10 @@ new file mode 100644 + DESC 'MANDATORY: OpenSSH LPK objectclass' + MUST ( sshPublicKey $ uid ) + ) -diff --git a/openssh-6.5p1/openssh-lpk-sun.schema b/openssh-6.5p1/openssh-lpk-sun.schema +diff --git a/openssh-6.6p1/openssh-lpk-sun.schema b/openssh-6.6p1/openssh-lpk-sun.schema new file mode 100644 --- /dev/null -+++ b/openssh-6.5p1/openssh-lpk-sun.schema ++++ b/openssh-6.6p1/openssh-lpk-sun.schema @@ -0,0 +1,23 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey @@ -2329,10 +2329,10 @@ new file mode 100644 + DESC 'MANDATORY: OpenSSH LPK objectclass' + MUST ( sshPublicKey $ uid ) + ) -diff --git a/openssh-6.5p1/ssh-ldap-helper.8 b/openssh-6.5p1/ssh-ldap-helper.8 +diff --git a/openssh-6.6p1/ssh-ldap-helper.8 b/openssh-6.6p1/ssh-ldap-helper.8 new file mode 100644 --- /dev/null -+++ b/openssh-6.5p1/ssh-ldap-helper.8 ++++ b/openssh-6.6p1/ssh-ldap-helper.8 @@ -0,0 +1,79 @@ +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" @@ -2413,19 +2413,19 @@ new file mode 100644 +OpenSSH 5.5 + PKA-LDAP . +.Sh AUTHORS +.An Jan F. Chadima Aq jchadima@redhat.com -diff --git a/openssh-6.5p1/ssh-ldap-wrapper b/openssh-6.5p1/ssh-ldap-wrapper +diff --git a/openssh-6.6p1/ssh-ldap-wrapper b/openssh-6.6p1/ssh-ldap-wrapper new file mode 100644 
--- /dev/null
-+++ b/openssh-6.5p1/ssh-ldap-wrapper
++++ b/openssh-6.6p1/ssh-ldap-wrapper
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+exec @LIBEXECDIR@/ssh-ldap-helper -s "$1"
+
-diff --git a/openssh-6.5p1/ssh-ldap.conf.5 b/openssh-6.5p1/ssh-ldap.conf.5
+diff --git a/openssh-6.6p1/ssh-ldap.conf.5 b/openssh-6.6p1/ssh-ldap.conf.5
new file mode 100644
--- /dev/null
-+++ b/openssh-6.5p1/ssh-ldap.conf.5
++++ b/openssh-6.6p1/ssh-ldap.conf.5
@@ -0,0 +1,376 @@
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\"
diff --git a/openssh-6.5p1-login_options.patch b/openssh-6.6p1-login_options.patch
similarity index 89%
rename from openssh-6.5p1-login_options.patch
rename to openssh-6.6p1-login_options.patch
index 5dcdcf9..15e0e6f 100644
--- a/openssh-6.5p1-login_options.patch
+++ b/openssh-6.6p1-login_options.patch
@@ -4,9 +4,9 @@
#
# bnc#833605
-diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac
---- a/openssh-6.5p1/configure.ac
-+++ b/openssh-6.5p1/configure.ac
+diff --git a/openssh-6.6p1/configure.ac b/openssh-6.6p1/configure.ac
+--- a/openssh-6.6p1/configure.ac
++++ b/openssh-6.6p1/configure.ac
@@ -719,16 +719,18 @@ main() { if (NSVersionOfRunTimeLibrary("
AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
diff --git a/openssh-6.5p1-no_fork-no_pid_file.patch b/openssh-6.6p1-no_fork-no_pid_file.patch
similarity index 79%
rename from openssh-6.5p1-no_fork-no_pid_file.patch
rename to openssh-6.6p1-no_fork-no_pid_file.patch
index 3638d3b..9ad6c49 100644
--- a/openssh-6.5p1-no_fork-no_pid_file.patch
+++ b/openssh-6.6p1-no_fork-no_pid_file.patch
@@ -1,9 +1,9 @@
# Do not write a PID file when not daemonizing (e.g. when running from systemd)
-diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
---- a/openssh-6.5p1/sshd.c
-+++ b/openssh-6.5p1/sshd.c
-@@ -1985,17 +1985,17 @@ main(int ac, char **av)
+diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
+--- a/openssh-6.6p1/sshd.c
++++ b/openssh-6.6p1/sshd.c
+@@ -1994,17 +1994,17 @@ main(int ac, char **av)
signal(SIGCHLD, main_sigchld_handler);
signal(SIGTERM, sigterm_handler);
signal(SIGQUIT, sigterm_handler);
diff --git a/openssh-6.5p1-pam-check-locks.patch b/openssh-6.6p1-pam-check-locks.patch
similarity index 87%
rename from openssh-6.5p1-pam-check-locks.patch
rename to openssh-6.6p1-pam-check-locks.patch
index c48c3f2..1ac4580 100644
--- a/openssh-6.5p1-pam-check-locks.patch
+++ b/openssh-6.6p1-pam-check-locks.patch
@@ -2,9 +2,9 @@
# UsePAM is used
# bnc#708678, FATE#312033
-diff --git a/openssh-6.5p1/auth.c b/openssh-6.5p1/auth.c
---- a/openssh-6.5p1/auth.c
-+++ b/openssh-6.5p1/auth.c
+diff --git a/openssh-6.6p1/auth.c b/openssh-6.6p1/auth.c
+--- a/openssh-6.6p1/auth.c
++++ b/openssh-6.6p1/auth.c
@@ -103,17 +103,17 @@ allowed_user(struct passwd * pw)
struct spwd *spw = NULL;
#endif
@@ -43,9 +43,9 @@ diff --git a/openssh-6.5p1/auth.c b/openssh-6.5p1/auth.c
#endif
#ifdef LOCKED_PASSWD_PREFIX
if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
-diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
---- a/openssh-6.5p1/servconf.c
-+++ b/openssh-6.5p1/servconf.c
+diff --git a/openssh-6.6p1/servconf.c b/openssh-6.6p1/servconf.c
+--- a/openssh-6.6p1/servconf.c
++++ b/openssh-6.6p1/servconf.c
@@ -66,16 +66,17 @@ extern Buffer cfg;
void
@@ -64,7 +64,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
options->address_family = -1;
options->num_host_key_files = 0;
options->num_host_cert_files = 0;
-@@ -158,16 +159,18 @@ initialize_server_options(ServerOptions
+@@ -157,16 +158,18 @@ initialize_server_options(ServerOptions
}
void
@@ -83,7 +83,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c /* fill default hostkeys for protocols */ if (options->protocol & SSH_PROTO_1) options->host_key_files[options->num_host_key_files++] = -@@ -320,17 +323,17 @@ fill_default_server_options(ServerOption +@@ -317,17 +320,17 @@ fill_default_server_options(ServerOption #endif } @@ -102,7 +102,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c sKerberosGetAFSToken, sKerberosTgtPassing, sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, -@@ -365,18 +368,20 @@ typedef enum { +@@ -362,18 +365,20 @@ typedef enum { static struct { const char *name; ServerOpCodes opcode; @@ -123,7 +123,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL }, { "pidfile", sPidFile, SSHCFG_GLOBAL }, -@@ -878,16 +883,19 @@ process_server_config_line(ServerOptions +@@ -870,16 +875,19 @@ process_server_config_line(ServerOptions } } @@ -143,10 +143,10 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c /* ignore ports from configfile if cmdline specifies ports */ if (options->ports_from_cmdline) return 0; -diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h ---- a/openssh-6.5p1/servconf.h -+++ b/openssh-6.5p1/servconf.h -@@ -162,16 +162,17 @@ typedef struct { +diff --git a/openssh-6.6p1/servconf.h b/openssh-6.6p1/servconf.h +--- a/openssh-6.6p1/servconf.h ++++ b/openssh-6.6p1/servconf.h +@@ -160,16 +160,17 @@ typedef struct { */ u_int num_authkeys_files; /* Files containing public keys */ @@ -164,10 +164,10 @@ 
diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h char *chroot_directory; char *revoked_keys_file; char *trusted_user_ca_keys; -diff --git a/openssh-6.5p1/sshd_config.0 b/openssh-6.5p1/sshd_config.0 ---- a/openssh-6.5p1/sshd_config.0 -+++ b/openssh-6.5p1/sshd_config.0 -@@ -720,16 +720,24 @@ DESCRIPTION +diff --git a/openssh-6.6p1/sshd_config.0 b/openssh-6.6p1/sshd_config.0 +--- a/openssh-6.6p1/sshd_config.0 ++++ b/openssh-6.6p1/sshd_config.0 +@@ -728,16 +728,24 @@ DESCRIPTION Because PAM challenge-response authentication usually serves an equivalent role to password authentication, you should disable @@ -192,10 +192,10 @@ diff --git a/openssh-6.5p1/sshd_config.0 b/openssh-6.5p1/sshd_config.0 privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. The default is ``yes''. If UsePrivilegeSeparation is set to -diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5 ---- a/openssh-6.5p1/sshd_config.5 -+++ b/openssh-6.5p1/sshd_config.5 -@@ -1199,16 +1199,28 @@ or +diff --git a/openssh-6.6p1/sshd_config.5 b/openssh-6.6p1/sshd_config.5 +--- a/openssh-6.6p1/sshd_config.5 ++++ b/openssh-6.6p1/sshd_config.5 +@@ -1214,16 +1214,28 @@ or .Pp If .Cm UsePAM diff --git a/openssh-6.5p1-pam-fix2.patch b/openssh-6.6p1-pam-fix2.patch similarity index 91% rename from openssh-6.5p1-pam-fix2.patch rename to openssh-6.6p1-pam-fix2.patch index d3415c4..16c0db9 100644 --- a/openssh-6.5p1-pam-fix2.patch +++ b/openssh-6.6p1-pam-fix2.patch @@ -1,9 +1,9 @@ # force PAM in defaullt install (this was removed from upstream in 3.8p1) # bnc#46749 -diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config ---- a/openssh-6.5p1/sshd_config -+++ b/openssh-6.5p1/sshd_config +diff --git a/openssh-6.6p1/sshd_config b/openssh-6.6p1/sshd_config +--- a/openssh-6.6p1/sshd_config ++++ b/openssh-6.6p1/sshd_config 
@@ -64,17 +64,17 @@ AuthorizedKeysFile .ssh/authorized_keys
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
diff --git a/openssh-6.5p1-pam-fix3.patch b/openssh-6.6p1-pam-fix3.patch
similarity index 85%
rename from openssh-6.5p1-pam-fix3.patch
rename to openssh-6.6p1-pam-fix3.patch
index de3bb8e..1ea333c 100644
--- a/openssh-6.5p1-pam-fix3.patch
+++ b/openssh-6.6p1-pam-fix3.patch
@@ -1,9 +1,9 @@
# posix threads are generally not supported nor safe
# (see upstream log from 2005-05-24)
-diff --git a/openssh-6.5p1/auth-pam.c b/openssh-6.5p1/auth-pam.c
---- a/openssh-6.5p1/auth-pam.c
-+++ b/openssh-6.5p1/auth-pam.c
+diff --git a/openssh-6.6p1/auth-pam.c b/openssh-6.6p1/auth-pam.c
+--- a/openssh-6.6p1/auth-pam.c
++++ b/openssh-6.6p1/auth-pam.c
@@ -781,17 +781,19 @@ sshpam_query(void *ctx, char **name, cha
}
if (type == PAM_SUCCESS) {
diff --git a/openssh-6.5p1-pts.patch b/openssh-6.6p1-pts.patch
similarity index 91%
rename from openssh-6.5p1-pts.patch
rename to openssh-6.6p1-pts.patch
index 6d0b826..fd5776e 100644
--- a/openssh-6.5p1-pts.patch
+++ b/openssh-6.6p1-pts.patch
@@ -1,9 +1,9 @@
# use same lines naming as utempter (prevents problems with using different
# formats in ?tmp? files)
-diff --git a/openssh-6.5p1/loginrec.c b/openssh-6.5p1/loginrec.c
---- a/openssh-6.5p1/loginrec.c
-+++ b/openssh-6.5p1/loginrec.c
+diff --git a/openssh-6.6p1/loginrec.c b/openssh-6.6p1/loginrec.c
+--- a/openssh-6.6p1/loginrec.c
++++ b/openssh-6.6p1/loginrec.c
@@ -538,17 +538,17 @@ getlast_entry(struct logininfo *li)
/*
* 'line' string utility functions
diff --git a/openssh-6.5p1-saveargv-fix.patch b/openssh-6.6p1-saveargv-fix.patch
similarity index 80%
rename from openssh-6.5p1-saveargv-fix.patch
rename to openssh-6.6p1-saveargv-fix.patch
index b9f1ca6..9daf973 100644
--- a/openssh-6.5p1-saveargv-fix.patch
+++ b/openssh-6.6p1-saveargv-fix.patch
@@ -1,9 +1,9 @@
# related to bnc#49845, upstream bug #529
-diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
---- a/openssh-6.5p1/sshd.c
-+++ b/openssh-6.5p1/sshd.c
-@@ -1399,17 +1399,21 @@ main(int ac, char **av)
+diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
+--- a/openssh-6.6p1/sshd.c
++++ b/openssh-6.6p1/sshd.c
+@@ -1405,17 +1405,21 @@ main(int ac, char **av)
saved_argv = xcalloc(ac + 1, sizeof(*saved_argv));
for (i = 0; i < ac; i++)
saved_argv[i] = xstrdup(av[i]);
diff --git a/openssh-6.5p1-seccomp_getuid.patch b/openssh-6.6p1-seccomp_getuid.patch
similarity index 76%
rename from openssh-6.5p1-seccomp_getuid.patch
rename to openssh-6.6p1-seccomp_getuid.patch
index e10209e..8e5cbba 100644
--- a/openssh-6.5p1-seccomp_getuid.patch
+++ b/openssh-6.6p1-seccomp_getuid.patch
@@ -1,11 +1,11 @@
# HG changeset patch
-# Parent d625afd0d51ac51161b25728bc2f227c098fa0fb
+# Parent 47040f4641d43b039f19c8c902b0259729bb88e2
add 'getuid' syscall to list of allowed ones to prevent the sanboxed thread from being killed by the seccomp filter
-diff --git a/openssh-6.5p1/sandbox-seccomp-filter.c b/openssh-6.5p1/sandbox-seccomp-filter.c
---- a/openssh-6.5p1/sandbox-seccomp-filter.c
-+++ b/openssh-6.5p1/sandbox-seccomp-filter.c
+diff --git a/openssh-6.6p1/sandbox-seccomp-filter.c b/openssh-6.6p1/sandbox-seccomp-filter.c
+--- a/openssh-6.6p1/sandbox-seccomp-filter.c
++++ b/openssh-6.6p1/sandbox-seccomp-filter.c
@@ -85,16 +85,20 @@ static const struct sock_filter preauth_
offsetof(struct seccomp_data, arch)),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),
diff --git a/openssh-6.5p1-seed-prng.patch b/openssh-6.6p1-seed-prng.patch
similarity index 87%
rename from openssh-6.5p1-seed-prng.patch
rename to openssh-6.6p1-seed-prng.patch
index cbc2c03..9a99148 100644
--- a/openssh-6.5p1-seed-prng.patch
+++ b/openssh-6.6p1-seed-prng.patch
@@ -1,9 +1,9 @@ # extended support for (re-)seeding the OpenSSL PRNG from /dev/random # bnc#703221, FATE#312172 -diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c ---- a/openssh-6.5p1/audit-bsm.c -+++ b/openssh-6.5p1/audit-bsm.c +diff --git a/openssh-6.6p1/audit-bsm.c b/openssh-6.6p1/audit-bsm.c +--- a/openssh-6.6p1/audit-bsm.c ++++ b/openssh-6.6p1/audit-bsm.c @@ -504,9 +504,15 @@ audit_destroy_sensitive_data(const char /* not implemented */ } @@ -20,9 +20,9 @@ diff --git a/openssh-6.5p1/audit-bsm.c b/openssh-6.5p1/audit-bsm.c + /* not implemented */ +} #endif /* BSM */ -diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c ---- a/openssh-6.5p1/audit-linux.c -+++ b/openssh-6.5p1/audit-linux.c +diff --git a/openssh-6.6p1/audit-linux.c b/openssh-6.6p1/audit-linux.c +--- a/openssh-6.6p1/audit-linux.c ++++ b/openssh-6.6p1/audit-linux.c @@ -398,9 +398,31 @@ audit_generate_ephemeral_server_key(cons } audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER, @@ -55,9 +55,9 @@ diff --git a/openssh-6.5p1/audit-linux.c b/openssh-6.5p1/audit-linux.c + error("cannot write into audit"); +} #endif /* USE_LINUX_AUDIT */ -diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c ---- a/openssh-6.5p1/audit.c -+++ b/openssh-6.5p1/audit.c +diff --git a/openssh-6.6p1/audit.c b/openssh-6.6p1/audit.c +--- a/openssh-6.6p1/audit.c ++++ b/openssh-6.6p1/audit.c @@ -304,10 +304,16 @@ audit_destroy_sensitive_data(const char /* * This will be called on generation of the ephemeral server key @@ -75,9 +75,9 @@ diff --git a/openssh-6.5p1/audit.c b/openssh-6.5p1/audit.c +} # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */ -diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h ---- a/openssh-6.5p1/audit.h -+++ b/openssh-6.5p1/audit.h +diff --git a/openssh-6.6p1/audit.h b/openssh-6.6p1/audit.h +--- a/openssh-6.6p1/audit.h ++++ b/openssh-6.6p1/audit.h 
@@ -63,10 +63,11 @@ void audit_key(int, int *, const Key *); void audit_unsupported(int); void audit_kex(int, char *, char *, char *); @@ -90,9 +90,9 @@ diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h +void audit_linux_prng_seed(long, const char *); #endif /* _SSH_AUDIT_H */ -diff --git a/openssh-6.5p1/entropy.c b/openssh-6.5p1/entropy.c ---- a/openssh-6.5p1/entropy.c -+++ b/openssh-6.5p1/entropy.c +diff --git a/openssh-6.6p1/entropy.c b/openssh-6.6p1/entropy.c +--- a/openssh-6.6p1/entropy.c ++++ b/openssh-6.6p1/entropy.c @@ -45,16 +45,17 @@ #include "ssh.h" @@ -126,15 +126,15 @@ diff --git a/openssh-6.5p1/entropy.c b/openssh-6.5p1/entropy.c if (RAND_status() != 1) fatal("PRNG is not seeded"); } -diff --git a/openssh-6.5p1/openbsd-compat/Makefile.in b/openssh-6.5p1/openbsd-compat/Makefile.in ---- a/openssh-6.5p1/openbsd-compat/Makefile.in -+++ b/openssh-6.5p1/openbsd-compat/Makefile.in +diff --git a/openssh-6.6p1/openbsd-compat/Makefile.in b/openssh-6.6p1/openbsd-compat/Makefile.in +--- a/openssh-6.6p1/openbsd-compat/Makefile.in ++++ b/openssh-6.6p1/openbsd-compat/Makefile.in 
@@ -15,17 +15,17 @@ AR=@AR@ RANLIB=@RANLIB@ INSTALL=@INSTALL@ LDFLAGS=-L. @LDFLAGS@ - OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o + OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o @@ -148,10 +148,10 @@ diff --git a/openssh-6.5p1/openbsd-compat/Makefile.in b/openssh-6.5p1/openbsd-co $(COMPAT): ../config.h $(OPENBSD): ../config.h -diff --git a/openssh-6.5p1/openbsd-compat/port-linux-prng.c b/openssh-6.5p1/openbsd-compat/port-linux-prng.c +diff --git a/openssh-6.6p1/openbsd-compat/port-linux-prng.c b/openssh-6.6p1/openbsd-compat/port-linux-prng.c new file mode 100644 --- /dev/null -+++ b/openssh-6.5p1/openbsd-compat/port-linux-prng.c ++++ b/openssh-6.6p1/openbsd-compat/port-linux-prng.c @@ -0,0 +1,79 @@ +/* + * Copyright (c) 2011 Jan F. Chadima 
@@ -232,9 +232,9 @@ new file mode 100644 + fatal ("EOF reading %s", random); + } +} -diff --git a/openssh-6.5p1/openbsd-compat/port-linux.h b/openssh-6.5p1/openbsd-compat/port-linux.h ---- a/openssh-6.5p1/openbsd-compat/port-linux.h -+++ b/openssh-6.5p1/openbsd-compat/port-linux.h +diff --git a/openssh-6.6p1/openbsd-compat/port-linux.h b/openssh-6.6p1/openbsd-compat/port-linux.h +--- a/openssh-6.6p1/openbsd-compat/port-linux.h ++++ b/openssh-6.6p1/openbsd-compat/port-linux.h @@ -14,16 +14,20 @@ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF @@ -256,9 +256,9 @@ diff --git a/openssh-6.5p1/openbsd-compat/port-linux.h b/openssh-6.5p1/openbsd-c void ssh_selinux_setfscreatecon(const char *); #endif -diff --git a/openssh-6.5p1/ssh-add.1 b/openssh-6.5p1/ssh-add.1 ---- a/openssh-6.5p1/ssh-add.1 -+++ b/openssh-6.5p1/ssh-add.1 +diff --git a/openssh-6.6p1/ssh-add.1 b/openssh-6.6p1/ssh-add.1 +--- a/openssh-6.6p1/ssh-add.1 ++++ b/openssh-6.6p1/ssh-add.1 @@ -156,16 +156,30 @@ or related script. (Note that on some machines it may be necessary to redirect the input from @@ -290,9 +290,9 @@ diff --git a/openssh-6.5p1/ssh-add.1 b/openssh-6.5p1/ssh-add.1 .It Pa ~/.ssh/id_dsa Contains the protocol version 2 DSA authentication identity of the user. .It Pa ~/.ssh/id_ecdsa -diff --git a/openssh-6.5p1/ssh-agent.1 b/openssh-6.5p1/ssh-agent.1 ---- a/openssh-6.5p1/ssh-agent.1 -+++ b/openssh-6.5p1/ssh-agent.1 +diff --git a/openssh-6.6p1/ssh-agent.1 b/openssh-6.6p1/ssh-agent.1 +--- a/openssh-6.6p1/ssh-agent.1 ++++ b/openssh-6.6p1/ssh-agent.1 @@ -196,16 +196,33 @@ Contains the protocol version 2 ED25519 .It Pa ~/.ssh/id_rsa Contains the protocol version 2 RSA authentication identity of the user. @@ -327,9 +327,9 @@ 
diff --git a/openssh-6.5p1/ssh-agent.1 b/openssh-6.5p1/ssh-agent.1 .Sh AUTHORS OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. -diff --git a/openssh-6.5p1/ssh-keygen.1 b/openssh-6.5p1/ssh-keygen.1 ---- a/openssh-6.5p1/ssh-keygen.1 -+++ b/openssh-6.5p1/ssh-keygen.1 +diff --git a/openssh-6.6p1/ssh-keygen.1 b/openssh-6.6p1/ssh-keygen.1 +--- a/openssh-6.6p1/ssh-keygen.1 ++++ b/openssh-6.6p1/ssh-keygen.1 @@ -827,16 +827,33 @@ on all machines where the user wishes to log in using public key authentication. There is no need to keep the contents of this file secret. @@ -364,9 +364,9 @@ diff --git a/openssh-6.5p1/ssh-keygen.1 b/openssh-6.5p1/ssh-keygen.1 .Xr sshd 8 .Rs .%R RFC 4716 -diff --git a/openssh-6.5p1/ssh-keysign.8 b/openssh-6.5p1/ssh-keysign.8 ---- a/openssh-6.5p1/ssh-keysign.8 -+++ b/openssh-6.5p1/ssh-keysign.8 +diff --git a/openssh-6.6p1/ssh-keysign.8 b/openssh-6.6p1/ssh-keysign.8 +--- a/openssh-6.6p1/ssh-keysign.8 ++++ b/openssh-6.6p1/ssh-keysign.8 @@ -75,16 +75,33 @@ must be set-uid root if host-based authe .Pp .It Pa /etc/ssh/ssh_host_dsa_key-cert.pub @@ -401,9 +401,9 @@ diff --git a/openssh-6.5p1/ssh-keysign.8 b/openssh-6.5p1/ssh-keysign.8 .Sh HISTORY .Nm first appeared in -diff --git a/openssh-6.5p1/ssh.1 b/openssh-6.5p1/ssh.1 ---- a/openssh-6.5p1/ssh.1 -+++ b/openssh-6.5p1/ssh.1 +diff --git a/openssh-6.6p1/ssh.1 b/openssh-6.6p1/ssh.1 +--- a/openssh-6.6p1/ssh.1 ++++ b/openssh-6.6p1/ssh.1 @@ -1304,16 +1304,30 @@ reads and adds lines of the format .Dq VARNAME=value @@ -435,9 +435,9 @@ diff --git a/openssh-6.5p1/ssh.1 b/openssh-6.5p1/ssh.1 world-readable if the user's home directory is on an NFS partition, because .Xr sshd 8 -diff --git a/openssh-6.5p1/sshd.8 b/openssh-6.5p1/sshd.8 ---- a/openssh-6.5p1/sshd.8 -+++ b/openssh-6.5p1/sshd.8 +diff --git a/openssh-6.6p1/sshd.8 b/openssh-6.6p1/sshd.8 +--- a/openssh-6.6p1/sshd.8 ++++ b/openssh-6.6p1/sshd.8 
@@ -946,16 +946,33 @@ and not group or world-writable. .It Pa /var/run/sshd.pid Contains the process ID of the @@ -472,9 +472,9 @@ diff --git a/openssh-6.5p1/sshd.8 b/openssh-6.5p1/sshd.8 .Xr ssh-agent 1 , .Xr ssh-keygen 1 , .Xr ssh-keyscan 1 , -diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c ---- a/openssh-6.5p1/sshd.c -+++ b/openssh-6.5p1/sshd.c +diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c +--- a/openssh-6.6p1/sshd.c ++++ b/openssh-6.6p1/sshd.c @@ -50,16 +50,18 @@ #ifdef HAVE_SYS_STAT_H # include @@ -494,7 +494,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c #ifdef HAVE_PATHS_H #include #endif -@@ -215,16 +217,23 @@ struct { +@@ -218,16 +220,23 @@ struct { Key **host_pubkeys; /* all public host keys */ Key **host_certificates; /* all public host certificates */ int have_ssh1_key; @@ -518,7 +518,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c /* This is set to true when a signal is received. */ static volatile sig_atomic_t received_sighup = 0; static volatile sig_atomic_t received_sigterm = 0; -@@ -1313,16 +1322,21 @@ server_accept_loop(int *sock_in, int *so +@@ -1322,16 +1331,21 @@ server_accept_loop(int *sock_in, int *so for (j = 0; j < options.max_startups; j++) if (startup_pipes[j] == -1) { startup_pipes[j] = startup_p[0]; diff --git a/openssh-6.5p1-send_locale.patch b/openssh-6.6p1-send_locale.patch similarity index 84% rename from openssh-6.5p1-send_locale.patch rename to openssh-6.6p1-send_locale.patch index 2d67445..c4af273 100644 --- a/openssh-6.5p1-send_locale.patch +++ b/openssh-6.6p1-send_locale.patch @@ -1,9 +1,9 @@ # send locales in default configuration # bnc#65747 -diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config ---- a/openssh-6.5p1/ssh_config -+++ b/openssh-6.5p1/ssh_config +diff --git a/openssh-6.6p1/ssh_config b/openssh-6.6p1/ssh_config +--- a/openssh-6.6p1/ssh_config ++++ b/openssh-6.6p1/ssh_config 
@@ -58,9 +58,14 @@ ForwardX11Trusted yes # ProxyCommand ssh -q -W %h:%p gateway.example.com @@ -19,9 +19,9 @@ diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config +SendEnv LC_IDENTIFICATION LC_ALL + # RekeyLimit 1G 1h -diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config ---- a/openssh-6.5p1/sshd_config -+++ b/openssh-6.5p1/sshd_config +diff --git a/openssh-6.6p1/sshd_config b/openssh-6.6p1/sshd_config +--- a/openssh-6.6p1/sshd_config ++++ b/openssh-6.6p1/sshd_config @@ -127,14 +127,19 @@ UsePrivilegeSeparation sandbox # Defaul #VersionAddendum none diff --git a/openssh-6.5p1-sftp_force_permissions.patch b/openssh-6.6p1-sftp_force_permissions.patch similarity index 94% rename from openssh-6.5p1-sftp_force_permissions.patch rename to openssh-6.6p1-sftp_force_permissions.patch index 00bef0e..697662c 100644 --- a/openssh-6.5p1-sftp_force_permissions.patch +++ b/openssh-6.6p1-sftp_force_permissions.patch @@ -3,9 +3,9 @@ # http://lists.mindrot.org/pipermail/openssh-unix-dev/2010-November/029044.html # http://marc.info/?l=openssh-unix-dev&m=128896838930893 -diff --git a/openssh-6.5p1/sftp-server.8 b/openssh-6.5p1/sftp-server.8 ---- a/openssh-6.5p1/sftp-server.8 -+++ b/openssh-6.5p1/sftp-server.8 +diff --git a/openssh-6.6p1/sftp-server.8 b/openssh-6.6p1/sftp-server.8 +--- a/openssh-6.6p1/sftp-server.8 ++++ b/openssh-6.6p1/sftp-server.8 @@ -33,16 +33,17 @@ .Bk -words .Op Fl ehR @@ -45,9 +45,9 @@ diff --git a/openssh-6.5p1/sftp-server.8 b/openssh-6.5p1/sftp-server.8 .Pa /dev/log . Use of .Nm -diff --git a/openssh-6.5p1/sftp-server.c b/openssh-6.5p1/sftp-server.c ---- a/openssh-6.5p1/sftp-server.c -+++ b/openssh-6.5p1/sftp-server.c +diff --git a/openssh-6.6p1/sftp-server.c b/openssh-6.6p1/sftp-server.c +--- a/openssh-6.6p1/sftp-server.c ++++ b/openssh-6.6p1/sftp-server.c @@ -75,16 +75,20 @@ static u_int version; static int init_done; 
diff --git a/openssh-6.5p1-sftp_homechroot.patch b/openssh-6.6p1-sftp_homechroot.patch similarity index 91% rename from openssh-6.5p1-sftp_homechroot.patch rename to openssh-6.6p1-sftp_homechroot.patch index d5b28f1..71f9c83 100644 --- a/openssh-6.5p1-sftp_homechroot.patch +++ b/openssh-6.6p1-sftp_homechroot.patch @@ -1,8 +1,8 @@ # run sftp sessions inside a chroot -diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c ---- a/openssh-6.5p1/session.c -+++ b/openssh-6.5p1/session.c +diff --git a/openssh-6.6p1/session.c b/openssh-6.6p1/session.c +--- a/openssh-6.6p1/session.c ++++ b/openssh-6.6p1/session.c @@ -120,16 +120,18 @@ int do_exec(Session *, const char *); void do_login(Session *, const char *); #ifdef LOGIN_NEEDS_UTMPX @@ -44,7 +44,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c verbose("Starting session: %s%s%s for %s from %.200s port %d", session_type, -@@ -1458,67 +1465,132 @@ do_nologin(struct passwd *pw) +@@ -1463,67 +1470,132 @@ do_nologin(struct passwd *pw) while (fgets(buf, sizeof(buf), f)) fputs(buf, stderr); fclose(f); @@ -153,10 +153,11 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c if (!S_ISDIR(st.st_mode)) fatal("chroot path %s\"%s\" is not a directory", cp == NULL ? "" : "component ", component); +- + } + setenv ("TZ", "/etc/localtime", 0); + tzset(); - ++ + if (st.st_uid) { + test_nosuid(path, st.st_dev); + ++chroot_no_tree; @@ -179,10 +180,10 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c do_setusercontext(struct passwd *pw) { char *chroot_path, *tmp; -diff --git a/openssh-6.5p1/sftp-chrootenv.h b/openssh-6.5p1/sftp-chrootenv.h +diff --git a/openssh-6.6p1/sftp-chrootenv.h b/openssh-6.6p1/sftp-chrootenv.h new file mode 100644 --- /dev/null -+++ b/openssh-6.5p1/sftp-chrootenv.h ++++ b/openssh-6.6p1/sftp-chrootenv.h @@ -0,0 +1,30 @@ +/* + * Copyright (c) 2009 Jan F Chadima. All rights reserved. 
@@ -214,9 +215,9 @@ new file mode 100644 + +#endif + -diff --git a/openssh-6.5p1/sftp-common.c b/openssh-6.5p1/sftp-common.c ---- a/openssh-6.5p1/sftp-common.c -+++ b/openssh-6.5p1/sftp-common.c +diff --git a/openssh-6.6p1/sftp-common.c b/openssh-6.6p1/sftp-common.c +--- a/openssh-6.6p1/sftp-common.c ++++ b/openssh-6.6p1/sftp-common.c @@ -42,16 +42,17 @@ #endif @@ -261,9 +262,9 @@ diff --git a/openssh-6.5p1/sftp-common.c b/openssh-6.5p1/sftp-common.c if (ltime != NULL) { now = time(NULL); if (now - (365*24*60*60)/2 < st->st_mtime && -diff --git a/openssh-6.5p1/sftp-server-main.c b/openssh-6.5p1/sftp-server-main.c ---- a/openssh-6.5p1/sftp-server-main.c -+++ b/openssh-6.5p1/sftp-server-main.c +diff --git a/openssh-6.6p1/sftp-server-main.c b/openssh-6.6p1/sftp-server-main.c +--- a/openssh-6.6p1/sftp-server-main.c ++++ b/openssh-6.6p1/sftp-server-main.c @@ -17,21 +17,24 @@ #include "includes.h" @@ -289,9 +290,9 @@ diff --git a/openssh-6.5p1/sftp-server-main.c b/openssh-6.5p1/sftp-server-main.c int main(int argc, char **argv) -diff --git a/openssh-6.5p1/sftp.c b/openssh-6.5p1/sftp.c ---- a/openssh-6.5p1/sftp.c -+++ b/openssh-6.5p1/sftp.c +diff --git a/openssh-6.6p1/sftp.c b/openssh-6.6p1/sftp.c +--- a/openssh-6.6p1/sftp.c ++++ b/openssh-6.6p1/sftp.c @@ -109,16 +109,18 @@ struct complete_ctx { char **remote_pathp; }; @@ -311,9 +312,9 @@ diff --git a/openssh-6.5p1/sftp.c b/openssh-6.5p1/sftp.c #define LS_SHORT_VIEW 0x0002 /* Single row view ala ls -1 */ #define LS_NUMERIC_VIEW 0x0004 /* Long view with numeric uid/gid */ #define LS_NAME_SORT 0x0008 /* Sort by name (default) */ -diff --git a/openssh-6.5p1/sshd_config.0 b/openssh-6.5p1/sshd_config.0 ---- a/openssh-6.5p1/sshd_config.0 -+++ b/openssh-6.5p1/sshd_config.0 +diff --git a/openssh-6.6p1/sshd_config.0 b/openssh-6.6p1/sshd_config.0 +--- a/openssh-6.6p1/sshd_config.0 ++++ b/openssh-6.6p1/sshd_config.0 
@@ -189,16 +189,24 @@ DESCRIPTION session this requires at least a shell, typically sh(1), and basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), @@ -339,9 +340,9 @@ diff --git a/openssh-6.5p1/sshd_config.0 b/openssh-6.5p1/sshd_config.0 ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', -diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5 ---- a/openssh-6.5p1/sshd_config.5 -+++ b/openssh-6.5p1/sshd_config.5 +diff --git a/openssh-6.6p1/sshd_config.5 b/openssh-6.6p1/sshd_config.5 +--- a/openssh-6.6p1/sshd_config.5 ++++ b/openssh-6.6p1/sshd_config.5 @@ -324,16 +324,27 @@ For file transfer sessions using no additional configuration of the environment is necessary if the in-process sftp server is used, diff --git a/openssh-6.5p1-xauth.patch b/openssh-6.6p1-xauth.patch similarity index 87% rename from openssh-6.5p1-xauth.patch rename to openssh-6.6p1-xauth.patch index e799eed..52224cf 100644 --- a/openssh-6.5p1-xauth.patch +++ b/openssh-6.6p1-xauth.patch @@ -1,10 +1,10 @@ # try to remove xauth cookies on logout # bnc#98815 -diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c ---- a/openssh-6.5p1/session.c -+++ b/openssh-6.5p1/session.c -@@ -2505,18 +2505,50 @@ session_exit_message(Session *s, int sta +diff --git a/openssh-6.6p1/session.c b/openssh-6.6p1/session.c +--- a/openssh-6.6p1/session.c ++++ b/openssh-6.6p1/session.c +@@ -2510,18 +2510,50 @@ session_exit_message(Session *s, int sta if (c->ostate != CHAN_OUTPUT_CLOSED) chan_write_failed(c); } diff --git a/openssh-6.5p1-xauthlocalhostname.patch b/openssh-6.6p1-xauthlocalhostname.patch similarity index 86% rename from openssh-6.5p1-xauthlocalhostname.patch rename to openssh-6.6p1-xauthlocalhostname.patch index 1b9ea8c..c054cfe 100644 --- a/openssh-6.5p1-xauthlocalhostname.patch +++ b/openssh-6.6p1-xauthlocalhostname.patch 
@@ -1,10 +1,10 @@ # handle hostname changes when forwarding X # bnc#98627 -diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c ---- a/openssh-6.5p1/session.c -+++ b/openssh-6.5p1/session.c -@@ -1141,17 +1141,17 @@ copy_environment(char **source, char *** +diff --git a/openssh-6.6p1/session.c b/openssh-6.6p1/session.c +--- a/openssh-6.6p1/session.c ++++ b/openssh-6.6p1/session.c +@@ -1146,17 +1146,17 @@ copy_environment(char **source, char *** debug3("Copy environment: %s=%s", var_name, var_val); child_set_env(env, envsize, var_name, var_val); @@ -23,7 +23,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) char *path = NULL; #endif -@@ -1328,25 +1328,27 @@ do_setup_env(Session *s, const char *she +@@ -1333,25 +1333,27 @@ do_setup_env(Session *s, const char *she read_environment_file(&env, &envsize, buf); } if (debug_flag) { @@ -52,7 +52,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c do_xauth = s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL; -@@ -1390,22 +1392,30 @@ do_rc_files(Session *s, const char *shel +@@ -1395,22 +1397,30 @@ do_rc_files(Session *s, const char *shel "%.500s add %.100s %.100s %.100s\n", options.xauth_location, s->auth_display, s->auth_proto, s->auth_data); @@ -83,7 +83,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c } static void -@@ -1659,16 +1669,17 @@ child_close_fds(void) +@@ -1664,16 +1674,17 @@ child_close_fds(void) * ids, and executing the command or shell. */ #define ARGV_MAX 10 @@ -101,7 +101,7 @@ diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c /* remove hostkey from the child's memory */ destroy_sensitive_data(); -@@ -1725,17 +1736,17 @@ do_child(Session *s, const char *command +@@ -1730,17 +1741,17 @@ do_child(Session *s, const char *command * legal, and means /bin/sh. */ shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell; @@ -120,7 +120,7 @@ 
diff --git a/openssh-6.5p1/session.c b/openssh-6.5p1/session.c
  /* we have to stash the hostname before we close our socket. */
  if (options.use_login)
  hostname = get_remote_name_or_ip(utmp_len,
-@@ -1794,17 +1794,17 @@ do_child(Session *s, const char *command
+@@ -1799,17 +1810,17 @@ do_child(Session *s, const char *command
  strerror(errno));
  if (r)
  exit(1);
diff --git a/openssh-6.6p1.tar.gz b/openssh-6.6p1.tar.gz
new file mode 100644
index 0000000..f9e5859
--- /dev/null
+++ b/openssh-6.6p1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:48c1f0664b4534875038004cc4f3555b8329c2a81c1df48db5c517800de203bb
+size 1282502
diff --git a/openssh-askpass-gnome.changes b/openssh-askpass-gnome.changes
index d8ff328..3a8dbfa 100644
--- a/openssh-askpass-gnome.changes
+++ b/openssh-askpass-gnome.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Apr 11 21:50:51 UTC 2014 - pcerny@suse.com
+
+- Update of the underlying OpenSSH to 6.6p1
+
 -------------------------------------------------------------------
 Wed Feb 12 01:24:16 UTC 2014 - pcerny@suse.com
 
diff --git a/openssh-askpass-gnome.spec b/openssh-askpass-gnome.spec
index 6738eef..e88baaa 100644
--- a/openssh-askpass-gnome.spec
+++ b/openssh-askpass-gnome.spec
@@ -26,7 +26,7 @@ BuildRequires: openssl-devel
 BuildRequires: pam-devel
 BuildRequires: tcpd-devel
 BuildRequires: update-desktop-files
-Version: 6.5p1
+Version: 6.6p1
 Release: 0
 Requires: openssh = %{version}
 Summary: A GNOME-Based Passphrase Dialog for OpenSSH
diff --git a/openssh.changes b/openssh.changes
index f10b527..40bb887 100644
--- a/openssh.changes
+++ b/openssh.changes
@@ -1,4 +1,62 @@
 -------------------------------------------------------------------
+Tue Apr 15 09:26:16 UTC 2014 - rhafer@suse.com
+
+- Remove uneeded dependency on the OpenLDAP server (openldap2)
+ from openssh-helpers. openssh-helpers just depends on the
+ openldap client libraries, which will be auto-generated by rpm.
+
+-------------------------------------------------------------------
+Fri Apr 11 21:50:51 UTC 2014 - pcerny@suse.com
+
+- update to 6.6p1
+ Security:
+ * sshd(8): when using environment passing with a sshd_config(5)
+ AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could
+ be tricked into accepting any enviornment variable that
+ contains the characters before the wildcard character.
+ Features since 6.5p1:
+ * ssh(1), sshd(8): removal of the J-PAKE authentication code,
+ which was experimental, never enabled and has been
+ unmaintained for some time.
+ * ssh(1): skip 'exec' clauses other clauses predicates failed
+ to match while processing Match blocks.
+ * ssh(1): if hostname canonicalisation is enabled and results
+ in the destination hostname being changed, then re-parse
+ ssh_config(5) files using the new destination hostname. This
+ gives 'Host' and 'Match' directives that use the expanded
+ hostname a chance to be applied.
+ Bugfixes:
+ * ssh(1): avoid spurious "getsockname failed: Bad file
+ descriptor" in ssh -W. bz#2200, debian#738692
+ * sshd(8): allow the shutdown(2) syscall in seccomp-bpf and
+ systrace sandbox modes, as it is reachable if the connection
+ is terminated during the pre-auth phase.
+ * ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1
+ bignum parsing. Minimum key length checks render this bug
+ unexploitable to compromise SSH 1 sessions.
+ * sshd_config(5): clarify behaviour of a keyword that appears
+ in multiple matching Match blocks. bz#2184
+ * ssh(1): avoid unnecessary hostname lookups when
+ canonicalisation is disabled. bz#2205
+ * sshd(8): avoid sandbox violation crashes in GSSAPI code by
+ caching the supported list of GSSAPI mechanism OIDs before
+ entering the sandbox. bz#2107
+ * ssh(1): fix possible crashes in SOCKS4 parsing caused by
+ assumption that the SOCKS username is nul-terminated.
+ * ssh(1): fix regression for UsePrivilegedPort=yes when
+ BindAddress is not specified.
+ * ssh(1), sshd(8): fix memory leak in ECDSA signature
+ verification.
+ * ssh(1): fix matching of 'Host' directives in ssh_config(5)
+ files to be case-insensitive again (regression in 6.5).
+- FIPS checks in sftp-server
+
+-------------------------------------------------------------------
+Mon Mar 31 01:22:21 UTC 2014 - pcerny@suse.com
+
+- FIPS checks during ssh client and daemon startup
+ (-fips-checks.patch)
+-------------------------------------------------------------------
 Tue Mar 25 10:07:18 UTC 2014 - idonmez@suse.com
 
 - Update openssh-6.5p1-audit4-kex_results.patch to ensure that
diff --git a/openssh.spec b/openssh.spec
index 28e7bbd..0bd0b84 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -91,7 +91,7 @@ PreReq: pwdutils %{insserv_prereq} %{fillup_prereq} coreutils
 Conflicts: nonfreessh
 Recommends: xauth
 Recommends: %{name}-helpers
-Version: 6.5p1
+Version: 6.6p1
 Release: 0
 Summary: Secure Shell Client and Server (Remote Login Program)
 License: BSD-3-Clause and MIT
@@ -108,43 +108,45 @@ Source7: sshd.fw
 Source8: sysconfig.ssh
 Source9: sshd-gen-keys-start
 Source10: sshd.service
-Patch1: openssh-6.5p1-key-converter.patch
-Patch2: openssh-6.5p1-X11-forwarding.patch
-Patch3: openssh-6.5p1-lastlog.patch
-Patch4: openssh-6.5p1-pam-fix2.patch
-Patch5: openssh-6.5p1-saveargv-fix.patch
-Patch6: openssh-6.5p1-pam-fix3.patch
-Patch7: openssh-6.5p1-gssapimitm.patch
-Patch8: openssh-6.5p1-eal3.patch
-Patch9: openssh-6.5p1-blocksigalrm.patch
-Patch10: openssh-6.5p1-send_locale.patch
-Patch11: openssh-6.5p1-xauthlocalhostname.patch
-Patch12: openssh-6.5p1-xauth.patch
-Patch13: openssh-6.5p1-default-protocol.patch
-Patch14: openssh-6.5p1-pts.patch
-Patch15: openssh-6.5p1-pam-check-locks.patch
-Patch16: openssh-6.5p1-fingerprint_hash.patch
-Patch17: openssh-6.5p1-audit1-remove_duplicit_audit.patch
-Patch18: openssh-6.5p1-audit2-better_audit_of_user_actions.patch
-Patch19: openssh-6.5p1-audit3-key_auth_usage.patch
-Patch20: openssh-6.5p1-audit4-kex_results.patch
-Patch21: openssh-6.5p1-audit5-session_key_destruction.patch
-Patch22: openssh-6.5p1-audit6-server_key_destruction.patch
-Patch23: openssh-6.5p1-audit7-libaudit_compat.patch
-Patch24: openssh-6.5p1-audit8-libaudit_dns_timeouts.patch
-Patch25: openssh-6.5p1-seed-prng.patch
-Patch26: openssh-6.5p1-ldap.patch
-Patch27: openssh-6.5p1-fips.patch
-Patch28: openssh-6.5p1-gssapi_key_exchange.patch
-Patch29: openssh-6.5p1-login_options.patch
-Patch30: openssh-6.5p1-disable-openssl-abi-check.patch
-Patch31: openssh-6.5p1-no_fork-no_pid_file.patch
-Patch32: openssh-6.5p1-host_ident.patch
-Patch33: openssh-6.5p1-sftp_homechroot.patch
-Patch34: openssh-6.5p1-sftp_force_permissions.patch
-Patch35: openssh-6.5p1-seccomp_getuid.patch
-Patch36: openssh-6.5p1-X_forward_with_disabled_ipv6.patch
-
+Patch1: openssh-6.6p1-key-converter.patch
+Patch2: openssh-6.6p1-X11-forwarding.patch
+Patch3: openssh-6.6p1-lastlog.patch
+Patch4: openssh-6.6p1-pam-fix2.patch
+Patch5: openssh-6.6p1-saveargv-fix.patch
+Patch6: openssh-6.6p1-pam-fix3.patch
+Patch7: openssh-6.6p1-gssapimitm.patch
+Patch8: openssh-6.6p1-eal3.patch
+Patch9: openssh-6.6p1-blocksigalrm.patch
+Patch10: openssh-6.6p1-send_locale.patch
+Patch11: openssh-6.6p1-xauthlocalhostname.patch
+Patch12: openssh-6.6p1-xauth.patch
+Patch13: openssh-6.6p1-default-protocol.patch
+Patch14: openssh-6.6p1-pts.patch
+Patch15: openssh-6.6p1-pam-check-locks.patch
+Patch16: openssh-6.6p1-fingerprint_hash.patch
+Patch17: openssh-6.6p1-fips.patch
+Patch18: openssh-6.6p1-audit1-remove_duplicit_audit.patch
+Patch19: openssh-6.6p1-audit2-better_audit_of_user_actions.patch
+Patch20: openssh-6.6p1-audit3-key_auth_usage.patch
+Patch21: openssh-6.6p1-audit3_fips-key_auth_usage.patch
+Patch22: openssh-6.6p1-audit4-kex_results.patch
+Patch23: openssh-6.6p1-audit4_fips-kex_results.patch
+Patch24: openssh-6.6p1-audit5-session_key_destruction.patch
+Patch25: openssh-6.6p1-audit6-server_key_destruction.patch
+Patch26: openssh-6.6p1-audit7-libaudit_compat.patch
+Patch27: openssh-6.6p1-audit8-libaudit_dns_timeouts.patch
+Patch28: openssh-6.6p1-seed-prng.patch
+Patch29: openssh-6.6p1-gssapi_key_exchange.patch
+Patch30: openssh-6.6p1-login_options.patch
+Patch31: openssh-6.6p1-disable-openssl-abi-check.patch
+Patch32: openssh-6.6p1-no_fork-no_pid_file.patch
+Patch33: openssh-6.6p1-host_ident.patch
+Patch34: openssh-6.6p1-sftp_homechroot.patch
+Patch35: openssh-6.6p1-sftp_force_permissions.patch
+Patch36: openssh-6.6p1-seccomp_getuid.patch
+Patch37: openssh-6.6p1-X_forward_with_disabled_ipv6.patch
+Patch38: openssh-6.6p1-fips-checks.patch
+Patch39: openssh-6.6p1-ldap.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -160,13 +162,22 @@ also be forwarded over the secure channel.
 %package helpers
 Summary: OpenSSH AuthorizedKeysCommand helpers
 Group: Productivity/Networking/SSH
-Requires: openldap2
 Requires: openssh
 
 %description helpers
 Helper applications for OpenSSH which retrieve keys from various sources.
 
 
+%package fips
+Summary: OpenSSH FIPS cryptomodule hashes
+Group: Productivity/Networking/SSH
+Requires: openssh
+
+%description fips
+Hashes that together with the main package form the FIPS certifiable
+cryptomodule.
+
+
 %prep
 %setup -q
 #patch1 -p2
@@ -207,13 +218,16 @@ Helper applications for OpenSSH which retrieve keys from various sources.
 %patch34 -p2
 %patch35 -p2
 %patch36 -p2
+%patch37 -p2
+%patch38 -p2
+%patch39 -p2
 cp %{SOURCE3} %{SOURCE4} .
 
 %build
 # set libexec dir in the LDAP patch
 sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
 $( grep -Rl @LIBEXECDIR@ \
- $( grep "^+++" %{PATCH26} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
+ $( grep "^+++" %{PATCH39} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
 )
 
 autoreconf -fiv
@@ -311,6 +325,25 @@ rm -f %{buildroot}%{_datadir}/Ssh.bin # sshd keys generator wrapper install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start +# the hmac hashes - taken from openssl +# +# re-define the __os_install_post macro: the macro strips +# the binaries and thereby invalidates any hashes created earlier. +# +# this shows up earlier because otherwise the %expand of +# the macro is too late. +%{expand:%%global __os_install_post {%__os_install_post + +for b in \ + %{_bindir}/ssh \ + %{_sbindir}/sshd \ + %{_libexecdir}/ssh/sftp-server \ + ; do + ( printf "\03"; openssl dgst -sha256 -binary < %{buildroot}$b ) > %{buildroot}$b.chk +done + +}} + + %pre getent group sshd >/dev/null || %{_sbindir}/groupadd -r sshd getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d /var/lib/sshd -s /bin/false -c "SSH daemon" sshd
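Review bot: In the new `%package fips` section, `Requires: openssh` carries no version, although the `.chk` files this subpackage ships are digests of the exact ssh, sshd and sftp-server binaries produced by the same build, so an openssh update installed without the matching fips package leaves hashes that presumably no longer verify at startup. Pin the dependency the way openssh-askpass-gnome.spec in this same commit does: `Requires: openssh = %{version}-%{release}`. It would also help readers of the `%description fips` text to name the three binaries the hashes cover.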
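Review bot: The comment opening the `__os_install_post` override calls the `.chk` files "hmac hashes", but the command computes an unkeyed SHA-256 (`openssl dgst -sha256 -binary`) behind a single 0x03 byte, and nothing checks that `openssl` succeeded, so a missing or failing `openssl` still leaves a one-byte `$b.chk` and the build goes on unless the scriptlet already runs under `set -e`. State the real format where the verifier in -fips-checks.patch has to match it, `# integrity files (.chk): one 0x03 byte followed by the raw SHA-256 of the installed binary; format must match the check in -fips-checks.patch`, and fail the build on error: `( printf "\03"; openssl dgst -sha256 -binary < %{buildroot}$b ) > %{buildroot}$b.chk || exit 1`. Since this runs the `openssl` command-line tool at build time, confirm that an existing BuildRequires pulls it in; otherwise add `BuildRequires: openssl`.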
@@ -343,6 +376,9 @@ getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d /var/lib/sshd
 
 %files
 %defattr(-,root,root)
+%exclude %{_bindir}/*.chk
+%exclude %{_sbindir}/*.chk
+%exclude %{_libexecdir}/ssh/sftp-server.chk
 %dir %attr(755,root,root) /var/lib/sshd
 %doc README.SuSE README.kerberos ChangeLog OVERVIEW README TODO LICENCE CREDITS
 %attr(0755,root,root) %dir %{_sysconfdir}/ssh
@@ -384,4 +420,10 @@ getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d /var/lib/sshd
 %attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap*
 %doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
 
+%files fips
+%defattr(-,root,root)
+%attr(0444,root,root) %{_bindir}/ssh.chk
+%attr(0444,root,root) %{_sbindir}/sshd.chk
+%attr(0444,root,root) %{_libexecdir}/ssh/sftp-server.chk
+
 %changelog