Accepting request 812018 from network
OBS-URL: https://build.opensuse.org/request/show/812018 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=140
This commit is contained in:
commit
9bebc77e3d
@ -3,29 +3,29 @@
|
|||||||
CAVS test for OpenSSH's own CTR encryption mode implementation
|
CAVS test for OpenSSH's own CTR encryption mode implementation
|
||||||
|
|
||||||
diff --git a/Makefile.in b/Makefile.in
|
diff --git a/Makefile.in b/Makefile.in
|
||||||
index 7488595..d426006 100644
|
index d5c37b5..5d4fcd2 100644
|
||||||
--- a/Makefile.in
|
--- a/Makefile.in
|
||||||
+++ b/Makefile.in
|
+++ b/Makefile.in
|
||||||
@@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
|
@@ -25,6 +25,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
|
||||||
SFTP_SERVER=$(libexecdir)/sftp-server
|
|
||||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||||
|
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
||||||
+CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
|
+CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
|
||||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||||
STRIP_OPT=@STRIP_OPT@
|
STRIP_OPT=@STRIP_OPT@
|
||||||
@@ -62,6 +63,8 @@ MKDIR_P=@MKDIR_P@
|
@@ -70,6 +71,8 @@ MKDIR_P=@MKDIR_P@
|
||||||
|
|
||||||
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
|
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
|
||||||
|
|
||||||
+TARGETS += cavstest-ctr$(EXEEXT)
|
+TARGETS += cavstest-ctr$(EXEEXT)
|
||||||
+
|
+
|
||||||
XMSS_OBJS=\
|
XMSS_OBJS=\
|
||||||
ssh-xmss.o \
|
ssh-xmss.o \
|
||||||
sshkey-xmss.o \
|
sshkey-xmss.o \
|
||||||
@@ -210,6 +213,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o s
|
@@ -244,6 +247,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS)
|
||||||
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
|
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
|
||||||
$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
$(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
||||||
|
|
||||||
+# FIPS tests
|
+# FIPS tests
|
||||||
+cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
|
+cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
|
||||||
@ -34,8 +34,8 @@ index 7488595..d426006 100644
|
|||||||
# test driver for the loginrec code - not built by default
|
# test driver for the loginrec code - not built by default
|
||||||
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
||||||
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
|
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
|
||||||
@@ -354,6 +361,7 @@ install-files:
|
@@ -398,6 +405,7 @@ install-files:
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
|
+ $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
|
||||||
@ -263,7 +263,7 @@ index 0000000..f81cb72
|
|||||||
+ return 0;
|
+ return 0;
|
||||||
+}
|
+}
|
||||||
diff --git a/cipher.c b/cipher.c
|
diff --git a/cipher.c b/cipher.c
|
||||||
index acca752..b67a4ff 100644
|
index 2f5430b..599b54a 100644
|
||||||
--- a/cipher.c
|
--- a/cipher.c
|
||||||
+++ b/cipher.c
|
+++ b/cipher.c
|
||||||
@@ -58,15 +58,6 @@
|
@@ -58,15 +58,6 @@
|
||||||
@ -274,7 +274,7 @@ index acca752..b67a4ff 100644
|
|||||||
- int plaintext;
|
- int plaintext;
|
||||||
- int encrypt;
|
- int encrypt;
|
||||||
- EVP_CIPHER_CTX *evp;
|
- EVP_CIPHER_CTX *evp;
|
||||||
- struct chachapoly_ctx cp_ctx; /* XXX union with evp? */
|
- struct chachapoly_ctx *cp_ctx;
|
||||||
- struct aesctr_ctx ac_ctx; /* XXX union with evp? */
|
- struct aesctr_ctx ac_ctx; /* XXX union with evp? */
|
||||||
- const struct sshcipher *cipher;
|
- const struct sshcipher *cipher;
|
||||||
-};
|
-};
|
||||||
@ -283,7 +283,7 @@ index acca752..b67a4ff 100644
|
|||||||
char *name;
|
char *name;
|
||||||
u_int block_size;
|
u_int block_size;
|
||||||
diff --git a/cipher.h b/cipher.h
|
diff --git a/cipher.h b/cipher.h
|
||||||
index 5843aab..d7d8c89 100644
|
index 1a591cd..10ccb28 100644
|
||||||
--- a/cipher.h
|
--- a/cipher.h
|
||||||
+++ b/cipher.h
|
+++ b/cipher.h
|
||||||
@@ -48,7 +48,15 @@
|
@@ -48,7 +48,15 @@
|
||||||
@ -295,7 +295,7 @@ index 5843aab..d7d8c89 100644
|
|||||||
+ int plaintext;
|
+ int plaintext;
|
||||||
+ int encrypt;
|
+ int encrypt;
|
||||||
+ EVP_CIPHER_CTX *evp;
|
+ EVP_CIPHER_CTX *evp;
|
||||||
+ struct chachapoly_ctx cp_ctx; /* XXX union with evp? */
|
+ struct chachapoly_ctx *cp_ctx; /* XXX union with evp? */
|
||||||
+ struct aesctr_ctx ac_ctx; /* XXX union with evp? */
|
+ struct aesctr_ctx ac_ctx; /* XXX union with evp? */
|
||||||
+ const struct sshcipher *cipher;
|
+ const struct sshcipher *cipher;
|
||||||
+};
|
+};
|
||||||
|
@ -3,27 +3,27 @@
|
|||||||
CAVS test for KDF implementation in OpenSSH
|
CAVS test for KDF implementation in OpenSSH
|
||||||
|
|
||||||
diff --git a/Makefile.in b/Makefile.in
|
diff --git a/Makefile.in b/Makefile.in
|
||||||
index d426006..85818f4 100644
|
index 5d4fcd2..9eab827 100644
|
||||||
--- a/Makefile.in
|
--- a/Makefile.in
|
||||||
+++ b/Makefile.in
|
+++ b/Makefile.in
|
||||||
@@ -25,6 +25,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
|
@@ -26,6 +26,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
|
||||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||||
|
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
||||||
CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
|
CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
|
||||||
+CAVSTEST_KDF=$(libexecdir)/cavstest-kdf
|
+CAVSTEST_KDF=$(libexecdir)/cavstest-kdf
|
||||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||||
STRIP_OPT=@STRIP_OPT@
|
STRIP_OPT=@STRIP_OPT@
|
||||||
@@ -63,7 +64,7 @@ MKDIR_P=@MKDIR_P@
|
@@ -71,7 +72,7 @@ MKDIR_P=@MKDIR_P@
|
||||||
|
|
||||||
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
|
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
|
||||||
|
|
||||||
-TARGETS += cavstest-ctr$(EXEEXT)
|
-TARGETS += cavstest-ctr$(EXEEXT)
|
||||||
+TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
|
+TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
|
||||||
|
|
||||||
XMSS_OBJS=\
|
XMSS_OBJS=\
|
||||||
ssh-xmss.o \
|
ssh-xmss.o \
|
||||||
@@ -217,6 +218,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glo
|
@@ -251,6 +252,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
|
||||||
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
|
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
|
||||||
$(LD) -o $@ cavstest-ctr.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
$(LD) -o $@ cavstest-ctr.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||||
|
|
||||||
@ -33,7 +33,7 @@ index d426006..85818f4 100644
|
|||||||
# test driver for the loginrec code - not built by default
|
# test driver for the loginrec code - not built by default
|
||||||
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
||||||
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
|
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
|
||||||
@@ -362,6 +366,7 @@ install-files:
|
@@ -406,6 +410,7 @@ install-files:
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
|
$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
|
||||||
|
@ -4,17 +4,17 @@ FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved
|
|||||||
algorithms.
|
algorithms.
|
||||||
|
|
||||||
diff --git a/Makefile.in b/Makefile.in
|
diff --git a/Makefile.in b/Makefile.in
|
||||||
index 1d2b2d9..7488595 100644
|
index 62cd072..d5c37b5 100644
|
||||||
--- a/Makefile.in
|
--- a/Makefile.in
|
||||||
+++ b/Makefile.in
|
+++ b/Makefile.in
|
||||||
@@ -103,6 +103,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
@@ -114,6 +114,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||||
platform-pledge.o platform-tracing.o platform-misc.o
|
|
||||||
|
|
||||||
|
SKOBJS= ssh-sk-client.o
|
||||||
|
|
||||||
+LIBSSH_OBJS += fips.o
|
+LIBSSH_OBJS += fips.o
|
||||||
+
|
+
|
||||||
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
||||||
sshconnect.o sshconnect2.o mux.o
|
sshconnect.o sshconnect2.o mux.o $(SKOBJS)
|
||||||
|
|
||||||
diff --git a/cipher-ctr.c b/cipher-ctr.c
|
diff --git a/cipher-ctr.c b/cipher-ctr.c
|
||||||
index 32771f2..b66f92f 100644
|
index 32771f2..b66f92f 100644
|
||||||
@ -39,7 +39,7 @@ index 32771f2..b66f92f 100644
|
|||||||
return (&aes_ctr);
|
return (&aes_ctr);
|
||||||
}
|
}
|
||||||
diff --git a/cipher.c b/cipher.c
|
diff --git a/cipher.c b/cipher.c
|
||||||
index 25f98ba..acca752 100644
|
index 8195199..2f5430b 100644
|
||||||
--- a/cipher.c
|
--- a/cipher.c
|
||||||
+++ b/cipher.c
|
+++ b/cipher.c
|
||||||
@@ -51,6 +51,9 @@
|
@@ -51,6 +51,9 @@
|
||||||
@ -123,7 +123,7 @@ index 25f98ba..acca752 100644
|
|||||||
if ((c->flags & CFLAG_INTERNAL) != 0)
|
if ((c->flags & CFLAG_INTERNAL) != 0)
|
||||||
continue;
|
continue;
|
||||||
if (auth_only && c->auth_len == 0)
|
if (auth_only && c->auth_len == 0)
|
||||||
@@ -196,7 +243,7 @@ const struct sshcipher *
|
@@ -207,7 +254,7 @@ const struct sshcipher *
|
||||||
cipher_by_name(const char *name)
|
cipher_by_name(const char *name)
|
||||||
{
|
{
|
||||||
const struct sshcipher *c;
|
const struct sshcipher *c;
|
||||||
@ -401,10 +401,10 @@ index 0000000..a115a61
|
|||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
diff --git a/hmac.c b/hmac.c
|
diff --git a/hmac.c b/hmac.c
|
||||||
index 3268887..b905a1e 100644
|
index 7b58801..5a92074 100644
|
||||||
--- a/hmac.c
|
--- a/hmac.c
|
||||||
+++ b/hmac.c
|
+++ b/hmac.c
|
||||||
@@ -146,7 +146,7 @@ hmac_test(void *key, size_t klen, void *m, size_t mlen, u_char *e, size_t elen)
|
@@ -145,7 +145,7 @@ hmac_test(void *key, size_t klen, void *m, size_t mlen, u_char *e, size_t elen)
|
||||||
size_t i;
|
size_t i;
|
||||||
u_char digest[16];
|
u_char digest[16];
|
||||||
|
|
||||||
@ -414,10 +414,10 @@ index 3268887..b905a1e 100644
|
|||||||
if (ssh_hmac_init(ctx, key, klen) < 0 ||
|
if (ssh_hmac_init(ctx, key, klen) < 0 ||
|
||||||
ssh_hmac_update(ctx, m, mlen) < 0 ||
|
ssh_hmac_update(ctx, m, mlen) < 0 ||
|
||||||
diff --git a/kex.c b/kex.c
|
diff --git a/kex.c b/kex.c
|
||||||
index 49d7015..1f82c2e 100644
|
index b09fbac..a5e4be7 100644
|
||||||
--- a/kex.c
|
--- a/kex.c
|
||||||
+++ b/kex.c
|
+++ b/kex.c
|
||||||
@@ -60,6 +60,8 @@
|
@@ -63,6 +63,8 @@
|
||||||
#include "sshbuf.h"
|
#include "sshbuf.h"
|
||||||
#include "digest.h"
|
#include "digest.h"
|
||||||
|
|
||||||
@ -426,7 +426,7 @@ index 49d7015..1f82c2e 100644
|
|||||||
/* prototype */
|
/* prototype */
|
||||||
static int kex_choose_conf(struct ssh *);
|
static int kex_choose_conf(struct ssh *);
|
||||||
static int kex_input_newkeys(int, u_int32_t, struct ssh *);
|
static int kex_input_newkeys(int, u_int32_t, struct ssh *);
|
||||||
@@ -83,7 +85,7 @@ struct kexalg {
|
@@ -86,7 +88,7 @@ struct kexalg {
|
||||||
int ec_nid;
|
int ec_nid;
|
||||||
int hash_alg;
|
int hash_alg;
|
||||||
};
|
};
|
||||||
@ -435,7 +435,7 @@ index 49d7015..1f82c2e 100644
|
|||||||
#ifdef WITH_OPENSSL
|
#ifdef WITH_OPENSSL
|
||||||
{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
|
{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||||
{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
|
{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||||
@@ -114,6 +116,47 @@ static const struct kexalg kexalgs[] = {
|
@@ -117,6 +119,47 @@ static const struct kexalg kexalgs[] = {
|
||||||
{ NULL, 0, -1, -1},
|
{ NULL, 0, -1, -1},
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -483,7 +483,7 @@ index 49d7015..1f82c2e 100644
|
|||||||
char *
|
char *
|
||||||
kex_alg_list(char sep)
|
kex_alg_list(char sep)
|
||||||
{
|
{
|
||||||
@@ -121,7 +164,7 @@ kex_alg_list(char sep)
|
@@ -124,7 +167,7 @@ kex_alg_list(char sep)
|
||||||
size_t nlen, rlen = 0;
|
size_t nlen, rlen = 0;
|
||||||
const struct kexalg *k;
|
const struct kexalg *k;
|
||||||
|
|
||||||
@ -492,7 +492,7 @@ index 49d7015..1f82c2e 100644
|
|||||||
if (ret != NULL)
|
if (ret != NULL)
|
||||||
ret[rlen++] = sep;
|
ret[rlen++] = sep;
|
||||||
nlen = strlen(k->name);
|
nlen = strlen(k->name);
|
||||||
@@ -141,7 +184,7 @@ kex_alg_by_name(const char *name)
|
@@ -144,7 +187,7 @@ kex_alg_by_name(const char *name)
|
||||||
{
|
{
|
||||||
const struct kexalg *k;
|
const struct kexalg *k;
|
||||||
|
|
||||||
@ -501,7 +501,7 @@ index 49d7015..1f82c2e 100644
|
|||||||
if (strcmp(k->name, name) == 0)
|
if (strcmp(k->name, name) == 0)
|
||||||
return k;
|
return k;
|
||||||
}
|
}
|
||||||
@@ -161,7 +204,10 @@ kex_names_valid(const char *names)
|
@@ -164,7 +207,10 @@ kex_names_valid(const char *names)
|
||||||
for ((p = strsep(&cp, ",")); p && *p != '\0';
|
for ((p = strsep(&cp, ",")); p && *p != '\0';
|
||||||
(p = strsep(&cp, ","))) {
|
(p = strsep(&cp, ","))) {
|
||||||
if (kex_alg_by_name(p) == NULL) {
|
if (kex_alg_by_name(p) == NULL) {
|
||||||
@ -595,21 +595,8 @@ index f3dda66..90d71c8 100644
|
|||||||
if (strcmp(name, m->name) != 0)
|
if (strcmp(name, m->name) != 0)
|
||||||
continue;
|
continue;
|
||||||
if (mac != NULL)
|
if (mac != NULL)
|
||||||
diff --git a/myproposal.h b/myproposal.h
|
|
||||||
index 34bd10c..e6be484 100644
|
|
||||||
--- a/myproposal.h
|
|
||||||
+++ b/myproposal.h
|
|
||||||
@@ -144,6 +144,8 @@
|
|
||||||
|
|
||||||
#else /* WITH_OPENSSL */
|
|
||||||
|
|
||||||
+#error "OpenSSL support is needed for FIPS mode to compile"
|
|
||||||
+
|
|
||||||
#define KEX_SERVER_KEX \
|
|
||||||
"curve25519-sha256," \
|
|
||||||
"curve25519-sha256@libssh.org"
|
|
||||||
diff --git a/readconf.c b/readconf.c
|
diff --git a/readconf.c b/readconf.c
|
||||||
index f78b4d6..228f481 100644
|
index 26e80c5..595f053 100644
|
||||||
--- a/readconf.c
|
--- a/readconf.c
|
||||||
+++ b/readconf.c
|
+++ b/readconf.c
|
||||||
@@ -68,6 +68,8 @@
|
@@ -68,6 +68,8 @@
|
||||||
@ -621,7 +608,7 @@ index f78b4d6..228f481 100644
|
|||||||
/* Format of the configuration file:
|
/* Format of the configuration file:
|
||||||
|
|
||||||
# Configuration data is parsed as follows:
|
# Configuration data is parsed as follows:
|
||||||
@@ -1837,6 +1839,23 @@ option_clear_or_none(const char *o)
|
@@ -1908,6 +1910,23 @@ option_clear_or_none(const char *o)
|
||||||
return o == NULL || strcasecmp(o, "none") == 0;
|
return o == NULL || strcasecmp(o, "none") == 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -645,40 +632,50 @@ index f78b4d6..228f481 100644
|
|||||||
/*
|
/*
|
||||||
* Initializes options to special values that indicate that they have not yet
|
* Initializes options to special values that indicate that they have not yet
|
||||||
* been set. Read_config_file will only set options with this value. Options
|
* been set. Read_config_file will only set options with this value. Options
|
||||||
@@ -2116,6 +2135,8 @@ fill_default_options(Options * options)
|
@@ -2196,6 +2215,9 @@ fill_default_options(Options * options)
|
||||||
options->canonicalize_hostname = SSH_CANONICALISE_NO;
|
options->canonicalize_hostname = SSH_CANONICALISE_NO;
|
||||||
if (options->fingerprint_hash == -1)
|
if (options->fingerprint_hash == -1)
|
||||||
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||||
+ options->fingerprint_hash =
|
+ options->fingerprint_hash =
|
||||||
+ fips_correct_dgst(options->fingerprint_hash);
|
+ fips_correct_dgst(options->fingerprint_hash);
|
||||||
if (options->update_hostkeys == -1)
|
+
|
||||||
options->update_hostkeys = 0;
|
#ifdef ENABLE_SK_INTERNAL
|
||||||
|
if (options->sk_provider == NULL)
|
||||||
@@ -2143,6 +2164,7 @@ fill_default_options(Options * options)
|
options->sk_provider = xstrdup("internal");
|
||||||
|
@@ -2229,6 +2251,7 @@ fill_default_options(Options * options)
|
||||||
|
ASSEMBLE(pubkey_key_types, def_key, all_key);
|
||||||
|
ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
|
||||||
|
#undef ASSEMBLE
|
||||||
|
+
|
||||||
|
free(all_cipher);
|
||||||
|
free(all_mac);
|
||||||
free(all_kex);
|
free(all_kex);
|
||||||
free(all_key);
|
@@ -2240,6 +2263,8 @@ fill_default_options(Options * options)
|
||||||
free(all_sig);
|
kex_default_pk_alg_filtered = def_key; /* save for later use */
|
||||||
+ filter_fips_algorithms(options);
|
free(def_sig);
|
||||||
|
|
||||||
|
+ filter_fips_algorithms(options);
|
||||||
|
+
|
||||||
#define CLEAR_ON_NONE(v) \
|
#define CLEAR_ON_NONE(v) \
|
||||||
do { \
|
do { \
|
||||||
|
if (option_clear_or_none(v)) { \
|
||||||
diff --git a/readconf.h b/readconf.h
|
diff --git a/readconf.h b/readconf.h
|
||||||
index 8e36bf3..67111e9 100644
|
index e143a10..ef18d5c 100644
|
||||||
--- a/readconf.h
|
--- a/readconf.h
|
||||||
+++ b/readconf.h
|
+++ b/readconf.h
|
||||||
@@ -197,6 +197,7 @@ typedef struct {
|
@@ -199,6 +199,7 @@ typedef struct {
|
||||||
#define SSH_STRICT_HOSTKEY_YES 2
|
#define SSH_STRICT_HOSTKEY_YES 2
|
||||||
#define SSH_STRICT_HOSTKEY_ASK 3
|
#define SSH_STRICT_HOSTKEY_ASK 3
|
||||||
|
|
||||||
+void filter_fips_algorithms(Options *o);
|
+void filter_fips_algorithms(Options *o);
|
||||||
void initialize_options(Options *);
|
const char *kex_default_pk_alg(void);
|
||||||
void fill_default_options(Options *);
|
char *ssh_connection_hash(const char *thishost, const char *host,
|
||||||
void fill_default_options_for_canonicalization(Options *);
|
const char *portstr, const char *user);
|
||||||
diff --git a/servconf.c b/servconf.c
|
diff --git a/servconf.c b/servconf.c
|
||||||
index f58fecb..a8833a9 100644
|
index 6be7274..9a51bfb 100644
|
||||||
--- a/servconf.c
|
--- a/servconf.c
|
||||||
+++ b/servconf.c
|
+++ b/servconf.c
|
||||||
@@ -64,6 +64,7 @@
|
@@ -69,6 +69,7 @@
|
||||||
#include "auth.h"
|
#include "auth.h"
|
||||||
#include "myproposal.h"
|
#include "myproposal.h"
|
||||||
#include "digest.h"
|
#include "digest.h"
|
||||||
@ -686,7 +683,7 @@ index f58fecb..a8833a9 100644
|
|||||||
|
|
||||||
static void add_listen_addr(ServerOptions *, const char *,
|
static void add_listen_addr(ServerOptions *, const char *,
|
||||||
const char *, int);
|
const char *, int);
|
||||||
@@ -190,6 +191,23 @@ option_clear_or_none(const char *o)
|
@@ -200,6 +201,23 @@ option_clear_or_none(const char *o)
|
||||||
return o == NULL || strcasecmp(o, "none") == 0;
|
return o == NULL || strcasecmp(o, "none") == 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -710,16 +707,16 @@ index f58fecb..a8833a9 100644
|
|||||||
static void
|
static void
|
||||||
assemble_algorithms(ServerOptions *o)
|
assemble_algorithms(ServerOptions *o)
|
||||||
{
|
{
|
||||||
@@ -219,6 +237,8 @@ assemble_algorithms(ServerOptions *o)
|
@@ -241,6 +259,8 @@ assemble_algorithms(ServerOptions *o)
|
||||||
free(all_kex);
|
free(def_kex);
|
||||||
free(all_key);
|
free(def_key);
|
||||||
free(all_sig);
|
free(def_sig);
|
||||||
+
|
+
|
||||||
+ filter_fips_algorithms_s(o);
|
+ filter_fips_algorithms_s(o);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
@@ -424,6 +444,8 @@ fill_default_server_options(ServerOptions *options)
|
@@ -453,6 +473,8 @@ fill_default_server_options(ServerOptions *options)
|
||||||
options->fwd_opts.streamlocal_bind_unlink = 0;
|
options->fwd_opts.streamlocal_bind_unlink = 0;
|
||||||
if (options->fingerprint_hash == -1)
|
if (options->fingerprint_hash == -1)
|
||||||
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||||
@ -729,19 +726,19 @@ index f58fecb..a8833a9 100644
|
|||||||
options->disable_forwarding = 0;
|
options->disable_forwarding = 0;
|
||||||
if (options->expose_userauth_info == -1)
|
if (options->expose_userauth_info == -1)
|
||||||
diff --git a/ssh-keygen.c b/ssh-keygen.c
|
diff --git a/ssh-keygen.c b/ssh-keygen.c
|
||||||
index 8c829ca..da63fb0 100644
|
index 944faca..c1ecc54 100644
|
||||||
--- a/ssh-keygen.c
|
--- a/ssh-keygen.c
|
||||||
+++ b/ssh-keygen.c
|
+++ b/ssh-keygen.c
|
||||||
@@ -64,6 +64,8 @@
|
@@ -66,6 +66,8 @@
|
||||||
#include "authfd.h"
|
#include "ssh-sk.h"
|
||||||
#include "sshsig.h"
|
#include "sk-api.h" /* XXX for SSH_SK_USER_PRESENCE_REQD; remove */
|
||||||
|
|
||||||
+#include "fips.h"
|
+#include "fips.h"
|
||||||
+
|
+
|
||||||
#ifdef WITH_OPENSSL
|
#ifdef WITH_OPENSSL
|
||||||
# define DEFAULT_KEY_TYPE_NAME "rsa"
|
# define DEFAULT_KEY_TYPE_NAME "rsa"
|
||||||
#else
|
#else
|
||||||
@@ -1002,11 +1004,13 @@ do_fingerprint(struct passwd *pw)
|
@@ -1032,11 +1034,13 @@ do_fingerprint(struct passwd *pw)
|
||||||
static void
|
static void
|
||||||
do_gen_all_hostkeys(struct passwd *pw)
|
do_gen_all_hostkeys(struct passwd *pw)
|
||||||
{
|
{
|
||||||
@ -757,7 +754,7 @@ index 8c829ca..da63fb0 100644
|
|||||||
#ifdef WITH_OPENSSL
|
#ifdef WITH_OPENSSL
|
||||||
{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
|
{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
|
||||||
{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
|
{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
|
||||||
@@ -1021,6 +1025,17 @@ do_gen_all_hostkeys(struct passwd *pw)
|
@@ -1051,6 +1055,17 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||||
{ NULL, NULL, NULL }
|
{ NULL, NULL, NULL }
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -775,9 +772,9 @@ index 8c829ca..da63fb0 100644
|
|||||||
u_int32_t bits = 0;
|
u_int32_t bits = 0;
|
||||||
int first = 0;
|
int first = 0;
|
||||||
struct stat st;
|
struct stat st;
|
||||||
@@ -1029,6 +1044,12 @@ do_gen_all_hostkeys(struct passwd *pw)
|
@@ -1058,6 +1073,12 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||||
|
char comment[1024], *prv_tmp, *pub_tmp, *prv_file, *pub_file;
|
||||||
int i, type, fd, r;
|
int i, type, fd, r;
|
||||||
FILE *f;
|
|
||||||
|
|
||||||
+ if (fips_mode()) {
|
+ if (fips_mode()) {
|
||||||
+ key_types = key_types_fips140_2;
|
+ key_types = key_types_fips140_2;
|
||||||
@ -788,7 +785,7 @@ index 8c829ca..da63fb0 100644
|
|||||||
for (i = 0; key_types[i].key_type; i++) {
|
for (i = 0; key_types[i].key_type; i++) {
|
||||||
public = private = NULL;
|
public = private = NULL;
|
||||||
prv_tmp = pub_tmp = prv_file = pub_file = NULL;
|
prv_tmp = pub_tmp = prv_file = pub_file = NULL;
|
||||||
@@ -3215,6 +3236,15 @@ main(int argc, char **argv)
|
@@ -3532,6 +3553,15 @@ main(int argc, char **argv)
|
||||||
key_type_name = DEFAULT_KEY_TYPE_NAME;
|
key_type_name = DEFAULT_KEY_TYPE_NAME;
|
||||||
|
|
||||||
type = sshkey_type_from_name(key_type_name);
|
type = sshkey_type_from_name(key_type_name);
|
||||||
@ -805,10 +802,10 @@ index 8c829ca..da63fb0 100644
|
|||||||
|
|
||||||
if (!quiet)
|
if (!quiet)
|
||||||
diff --git a/ssh_config.5 b/ssh_config.5
|
diff --git a/ssh_config.5 b/ssh_config.5
|
||||||
index 02a8789..f0cb291 100644
|
index c45fb8d..55d4b5e 100644
|
||||||
--- a/ssh_config.5
|
--- a/ssh_config.5
|
||||||
+++ b/ssh_config.5
|
+++ b/ssh_config.5
|
||||||
@@ -664,6 +664,8 @@ Valid options are:
|
@@ -669,6 +669,8 @@ Valid options are:
|
||||||
and
|
and
|
||||||
.Cm sha256
|
.Cm sha256
|
||||||
(the default).
|
(the default).
|
||||||
@ -818,12 +815,12 @@ index 02a8789..f0cb291 100644
|
|||||||
Specifies whether the connection to the authentication agent (if any)
|
Specifies whether the connection to the authentication agent (if any)
|
||||||
will be forwarded to the remote machine.
|
will be forwarded to the remote machine.
|
||||||
diff --git a/sshd.c b/sshd.c
|
diff --git a/sshd.c b/sshd.c
|
||||||
index 6b55ef7..c8086cd 100644
|
index a24241c..e18078f 100644
|
||||||
--- a/sshd.c
|
--- a/sshd.c
|
||||||
+++ b/sshd.c
|
+++ b/sshd.c
|
||||||
@@ -127,6 +127,8 @@
|
@@ -128,6 +128,8 @@
|
||||||
#include "version.h"
|
|
||||||
#include "ssherr.h"
|
#include "ssherr.h"
|
||||||
|
#include "sk-api.h"
|
||||||
|
|
||||||
+#include "fips.h"
|
+#include "fips.h"
|
||||||
+
|
+
|
||||||
@ -831,10 +828,10 @@ index 6b55ef7..c8086cd 100644
|
|||||||
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
|
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
|
||||||
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
|
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
|
||||||
diff --git a/sshd_config.5 b/sshd_config.5
|
diff --git a/sshd_config.5 b/sshd_config.5
|
||||||
index 0707b47..8818ea5 100644
|
index 52552d2..35affe5 100644
|
||||||
--- a/sshd_config.5
|
--- a/sshd_config.5
|
||||||
+++ b/sshd_config.5
|
+++ b/sshd_config.5
|
||||||
@@ -605,6 +605,8 @@ and
|
@@ -594,6 +594,8 @@ and
|
||||||
.Cm sha256 .
|
.Cm sha256 .
|
||||||
The default is
|
The default is
|
||||||
.Cm sha256 .
|
.Cm sha256 .
|
||||||
|
@ -7,7 +7,7 @@
|
|||||||
# FIPS mode). SHA-2 seems to be a reasonable choice.
|
# FIPS mode). SHA-2 seems to be a reasonable choice.
|
||||||
#
|
#
|
||||||
# The logic of the checks is as follows: decide whether FIPS mode is mandated
|
# The logic of the checks is as follows: decide whether FIPS mode is mandated
|
||||||
# (either by checking /proc/sys/crypto/fips_enabled or envoroinment variable
|
# (either by checking /proc/sys/crypto/fips_enabled or environment variable
|
||||||
# SSH_FORCE_FIPS. In FIPS mode, checksums are required to match (inability to
|
# SSH_FORCE_FIPS. In FIPS mode, checksums are required to match (inability to
|
||||||
# retrieve pre-calculated hash is a fatal error). In non-FIPS mode the checks
|
# retrieve pre-calculated hash is a fatal error). In non-FIPS mode the checks
|
||||||
# still must be performed, unless the hashes are not installed. Thus if the hash
|
# still must be performed, unless the hashes are not installed. Thus if the hash
|
||||||
@ -410,7 +410,7 @@ index a115a61..3404684 100644
|
|||||||
#endif
|
#endif
|
||||||
-
|
-
|
||||||
diff --git a/sftp-server.c b/sftp-server.c
|
diff --git a/sftp-server.c b/sftp-server.c
|
||||||
index b133cbc..c3086b6 100644
|
index 359204f..d6395fd 100644
|
||||||
--- a/sftp-server.c
|
--- a/sftp-server.c
|
||||||
+++ b/sftp-server.c
|
+++ b/sftp-server.c
|
||||||
@@ -53,6 +53,8 @@
|
@@ -53,6 +53,8 @@
|
||||||
@ -422,7 +422,7 @@ index b133cbc..c3086b6 100644
|
|||||||
/* Our verbosity */
|
/* Our verbosity */
|
||||||
static LogLevel log_level = SYSLOG_LEVEL_ERROR;
|
static LogLevel log_level = SYSLOG_LEVEL_ERROR;
|
||||||
|
|
||||||
@@ -1595,6 +1597,9 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
|
@@ -1576,6 +1578,9 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
|
||||||
extern char *optarg;
|
extern char *optarg;
|
||||||
extern char *__progname;
|
extern char *__progname;
|
||||||
|
|
||||||
@ -433,7 +433,7 @@ index b133cbc..c3086b6 100644
|
|||||||
log_init(__progname, log_level, log_facility, log_stderr);
|
log_init(__progname, log_level, log_facility, log_stderr);
|
||||||
|
|
||||||
diff --git a/ssh.c b/ssh.c
|
diff --git a/ssh.c b/ssh.c
|
||||||
index ee51823..882d1da 100644
|
index 98b6ce7..dce28fd 100644
|
||||||
--- a/ssh.c
|
--- a/ssh.c
|
||||||
+++ b/ssh.c
|
+++ b/ssh.c
|
||||||
@@ -113,6 +113,8 @@
|
@@ -113,6 +113,8 @@
|
||||||
@ -445,9 +445,9 @@ index ee51823..882d1da 100644
|
|||||||
extern char *__progname;
|
extern char *__progname;
|
||||||
|
|
||||||
/* Saves a copy of argv for setproctitle emulation */
|
/* Saves a copy of argv for setproctitle emulation */
|
||||||
@@ -596,6 +598,10 @@ main(int ac, char **av)
|
@@ -630,6 +632,10 @@ main(int ac, char **av)
|
||||||
struct ssh_digest_ctx *md;
|
struct addrinfo *addrs = NULL;
|
||||||
u_char conn_hash[SSH_DIGEST_MAX_LENGTH];
|
size_t n, len;
|
||||||
|
|
||||||
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
|
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
|
||||||
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
|
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
|
||||||
@ -457,10 +457,10 @@ index ee51823..882d1da 100644
|
|||||||
sanitise_stdfd();
|
sanitise_stdfd();
|
||||||
|
|
||||||
diff --git a/sshd.c b/sshd.c
|
diff --git a/sshd.c b/sshd.c
|
||||||
index c8086cd..bb20eec 100644
|
index b2146a6..6092f0f 100644
|
||||||
--- a/sshd.c
|
--- a/sshd.c
|
||||||
+++ b/sshd.c
|
+++ b/sshd.c
|
||||||
@@ -1443,6 +1443,10 @@ main(int ac, char **av)
|
@@ -1505,6 +1505,10 @@ main(int ac, char **av)
|
||||||
Authctxt *authctxt;
|
Authctxt *authctxt;
|
||||||
struct connection_info *connection_info = NULL;
|
struct connection_info *connection_info = NULL;
|
||||||
|
|
||||||
|
@ -3,14 +3,12 @@
|
|||||||
# -- uset do be called '-xauthlocalhostname'
|
# -- uset do be called '-xauthlocalhostname'
|
||||||
handle hostname changes when forwarding X
|
handle hostname changes when forwarding X
|
||||||
|
|
||||||
bnc#98627
|
|
||||||
|
|
||||||
diff --git a/session.c b/session.c
|
diff --git a/session.c b/session.c
|
||||||
index 94d7438..d81060c 100644
|
index 18cdfa8..85a9ee2 100644
|
||||||
--- a/session.c
|
--- a/session.c
|
||||||
+++ b/session.c
|
+++ b/session.c
|
||||||
@@ -981,7 +981,7 @@ copy_environment(char **source, char ***env, u_int *envsize)
|
@@ -985,7 +985,7 @@ copy_environment(char **source, char ***env, u_int *envsize)
|
||||||
}
|
#endif
|
||||||
|
|
||||||
static char **
|
static char **
|
||||||
-do_setup_env(struct ssh *ssh, Session *s, const char *shell)
|
-do_setup_env(struct ssh *ssh, Session *s, const char *shell)
|
||||||
@ -18,7 +16,7 @@ index 94d7438..d81060c 100644
|
|||||||
{
|
{
|
||||||
char buf[256];
|
char buf[256];
|
||||||
size_t n;
|
size_t n;
|
||||||
@@ -1191,6 +1191,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
|
@@ -1195,6 +1195,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
|
||||||
for (i = 0; env[i]; i++)
|
for (i = 0; env[i]; i++)
|
||||||
fprintf(stderr, " %.200s\n", env[i]);
|
fprintf(stderr, " %.200s\n", env[i]);
|
||||||
}
|
}
|
||||||
@ -27,7 +25,7 @@ index 94d7438..d81060c 100644
|
|||||||
return env;
|
return env;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1199,7 +1201,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
|
@@ -1203,7 +1205,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
|
||||||
* first in this order).
|
* first in this order).
|
||||||
*/
|
*/
|
||||||
static void
|
static void
|
||||||
@ -36,7 +34,7 @@ index 94d7438..d81060c 100644
|
|||||||
{
|
{
|
||||||
FILE *f = NULL;
|
FILE *f = NULL;
|
||||||
char cmd[1024];
|
char cmd[1024];
|
||||||
@@ -1254,12 +1256,20 @@ do_rc_files(struct ssh *ssh, Session *s, const char *shell)
|
@@ -1258,12 +1260,20 @@ do_rc_files(struct ssh *ssh, Session *s, const char *shell)
|
||||||
options.xauth_location);
|
options.xauth_location);
|
||||||
f = popen(cmd, "w");
|
f = popen(cmd, "w");
|
||||||
if (f) {
|
if (f) {
|
||||||
@ -57,7 +55,7 @@ index 94d7438..d81060c 100644
|
|||||||
} else {
|
} else {
|
||||||
fprintf(stderr, "Could not run %s\n",
|
fprintf(stderr, "Could not run %s\n",
|
||||||
cmd);
|
cmd);
|
||||||
@@ -1515,6 +1525,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
|
@@ -1519,6 +1529,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
|
||||||
char **env, *argv[ARGV_MAX], remote_id[512];
|
char **env, *argv[ARGV_MAX], remote_id[512];
|
||||||
const char *shell, *shell0;
|
const char *shell, *shell0;
|
||||||
struct passwd *pw = s->pw;
|
struct passwd *pw = s->pw;
|
||||||
@ -65,7 +63,7 @@ index 94d7438..d81060c 100644
|
|||||||
int r = 0;
|
int r = 0;
|
||||||
|
|
||||||
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
|
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
|
||||||
@@ -1571,7 +1582,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
|
@@ -1575,7 +1586,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
|
||||||
* Make sure $SHELL points to the shell from the password file,
|
* Make sure $SHELL points to the shell from the password file,
|
||||||
* even if shell is overridden from login.conf
|
* even if shell is overridden from login.conf
|
||||||
*/
|
*/
|
||||||
@ -74,7 +72,7 @@ index 94d7438..d81060c 100644
|
|||||||
|
|
||||||
#ifdef HAVE_LOGIN_CAP
|
#ifdef HAVE_LOGIN_CAP
|
||||||
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
|
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
|
||||||
@@ -1635,7 +1646,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
|
@@ -1639,7 +1650,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
|
||||||
|
|
||||||
closefrom(STDERR_FILENO + 1);
|
closefrom(STDERR_FILENO + 1);
|
||||||
|
|
||||||
@ -82,4 +80,4 @@ index 94d7438..d81060c 100644
|
|||||||
+ do_rc_files(ssh, s, shell, env, &env_size);
|
+ do_rc_files(ssh, s, shell, env, &env_size);
|
||||||
|
|
||||||
/* restore SIGPIPE for child */
|
/* restore SIGPIPE for child */
|
||||||
signal(SIGPIPE, SIG_DFL);
|
ssh_signal(SIGPIPE, SIG_DFL);
|
||||||
|
@ -125,19 +125,19 @@ index 0000000..831d399
|
|||||||
+ - Finlay dobbie.
|
+ - Finlay dobbie.
|
||||||
+ - Stefan Fisher.
|
+ - Stefan Fisher.
|
||||||
diff --git a/Makefile.in b/Makefile.in
|
diff --git a/Makefile.in b/Makefile.in
|
||||||
index 750aada..1baf5c6 100644
|
index 6010d1c..f54348b 100644
|
||||||
--- a/Makefile.in
|
--- a/Makefile.in
|
||||||
+++ b/Makefile.in
|
+++ b/Makefile.in
|
||||||
@@ -24,6 +24,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
|
@@ -25,6 +25,8 @@ SFTP_SERVER=$(libexecdir)/sftp-server
|
||||||
SFTP_SERVER=$(libexecdir)/sftp-server
|
|
||||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||||
|
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
||||||
+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
|
+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
|
||||||
+SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
|
+SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
|
||||||
CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
|
CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
|
||||||
CAVSTEST_KDF=$(libexecdir)/cavstest-kdf
|
CAVSTEST_KDF=$(libexecdir)/cavstest-kdf
|
||||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||||
@@ -66,6 +68,9 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keys
|
@@ -74,6 +76,9 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keys
|
||||||
|
|
||||||
TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
|
TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
|
||||||
|
|
||||||
@ -147,28 +147,28 @@ index 750aada..1baf5c6 100644
|
|||||||
XMSS_OBJS=\
|
XMSS_OBJS=\
|
||||||
ssh-xmss.o \
|
ssh-xmss.o \
|
||||||
sshkey-xmss.o \
|
sshkey-xmss.o \
|
||||||
@@ -127,8 +132,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
|
@@ -158,8 +163,8 @@ SFTPSERVER_OBJS=sftp-common.o sftp-server.o sftp-server-main.o
|
||||||
sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
|
|
||||||
sandbox-solaris.o uidswap.o
|
|
||||||
|
|
||||||
-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
|
SFTP_OBJS= sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
|
||||||
-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
|
|
||||||
+MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out
|
-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out
|
||||||
+MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5
|
-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5
|
||||||
|
+MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out
|
||||||
|
+MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5
|
||||||
MANTYPE = @MANTYPE@
|
MANTYPE = @MANTYPE@
|
||||||
|
|
||||||
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
|
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
|
||||||
@@ -208,6 +213,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11
|
@@ -242,6 +247,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
|
||||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
||||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||||
|
|
||||||
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
|
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
|
||||||
+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||||
+
|
+
|
||||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-realpath.o sftp-server-main.o
|
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS)
|
||||||
$(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
$(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||||
|
|
||||||
@@ -363,6 +371,10 @@ install-files:
|
@@ -406,6 +414,10 @@ install-files:
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
|
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
|
||||||
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||||
@ -176,10 +176,10 @@ index 750aada..1baf5c6 100644
|
|||||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
|
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
|
||||||
+ $(INSTALL) -m 0755 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
|
+ $(INSTALL) -m 0755 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
|
||||||
+ fi
|
+ fi
|
||||||
|
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
|
@@ -425,6 +437,10 @@ install-files:
|
||||||
@@ -381,6 +393,10 @@ install-files:
|
|
||||||
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
|
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
|
||||||
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
|
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
|
||||||
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
|
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
|
||||||
@ -187,10 +187,10 @@ index 750aada..1baf5c6 100644
|
|||||||
+ $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
|
+ $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
|
||||||
+ $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
|
+ $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
|
||||||
+ fi
|
+ fi
|
||||||
|
$(INSTALL) -m 644 ssh-sk-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
|
||||||
|
|
||||||
install-sysconf:
|
install-sysconf:
|
||||||
$(MKDIR_P) $(DESTDIR)$(sysconfdir)
|
@@ -449,6 +465,13 @@ install-sysconf:
|
||||||
@@ -404,6 +420,13 @@ install-sysconf:
|
|
||||||
else \
|
else \
|
||||||
echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
|
echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
|
||||||
fi
|
fi
|
||||||
@ -204,28 +204,28 @@ index 750aada..1baf5c6 100644
|
|||||||
|
|
||||||
host-key: ssh-keygen$(EXEEXT)
|
host-key: ssh-keygen$(EXEEXT)
|
||||||
@if [ -z "$(DESTDIR)" ] ; then \
|
@if [ -z "$(DESTDIR)" ] ; then \
|
||||||
@@ -441,6 +464,8 @@ uninstall:
|
@@ -487,6 +510,8 @@ uninstall:
|
||||||
-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
|
||||||
-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
||||||
-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||||
|
-rm -f $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
|
||||||
+ -rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)
|
+ -rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)
|
||||||
+ -rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT)
|
+ -rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT)
|
||||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
|
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
|
||||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
|
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
|
||||||
@@ -452,6 +477,7 @@ uninstall:
|
@@ -499,6 +524,7 @@ uninstall:
|
||||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
|
|
||||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
|
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
|
||||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
|
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
|
||||||
|
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
|
||||||
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
|
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
|
||||||
|
|
||||||
regress-prep:
|
regress-prep:
|
||||||
$(MKDIR_P) `pwd`/regress/unittests/test_helper
|
$(MKDIR_P) `pwd`/regress/unittests/test_helper
|
||||||
diff --git a/configure.ac b/configure.ac
|
diff --git a/configure.ac b/configure.ac
|
||||||
index 20a1884..ff9c11a 100644
|
index 4ddf539..1fd0b17 100644
|
||||||
--- a/configure.ac
|
--- a/configure.ac
|
||||||
+++ b/configure.ac
|
+++ b/configure.ac
|
||||||
@@ -1651,6 +1651,106 @@ AC_ARG_WITH([audit],
|
@@ -1688,6 +1688,106 @@ AC_ARG_WITH([audit],
|
||||||
esac ]
|
esac ]
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -2,15 +2,11 @@
|
|||||||
# Parent bad0c8b3b8d72abb6960ed85b57ee42352371738
|
# Parent bad0c8b3b8d72abb6960ed85b57ee42352371738
|
||||||
Do not write a PID file when not daemonizing (e.g. when running from systemd)
|
Do not write a PID file when not daemonizing (e.g. when running from systemd)
|
||||||
|
|
||||||
diff --git a/openssh-7.7p1/sshd.c b/openssh-7.7p1/sshd.c
|
diff --git a/sshd.c b/sshd.c
|
||||||
--- openssh-7.7p1/sshd.c
|
index f3ccc3a..eadc1b3 100644
|
||||||
+++ openssh-7.7p1/sshd.c
|
--- a/sshd.c
|
||||||
@@ -1996,17 +1996,17 @@ main(int ac, char **av)
|
+++ b/sshd.c
|
||||||
signal(SIGCHLD, main_sigchld_handler);
|
@@ -2076,7 +2076,7 @@ main(int ac, char **av)
|
||||||
signal(SIGTERM, sigterm_handler);
|
|
||||||
signal(SIGQUIT, sigterm_handler);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Write out the pid file after the sigterm handler
|
* Write out the pid file after the sigterm handler
|
||||||
* is setup and the listen sockets are bound
|
* is setup and the listen sockets are bound
|
||||||
*/
|
*/
|
||||||
@ -19,8 +15,3 @@ diff --git a/openssh-7.7p1/sshd.c b/openssh-7.7p1/sshd.c
|
|||||||
FILE *f = fopen(options.pid_file, "w");
|
FILE *f = fopen(options.pid_file, "w");
|
||||||
|
|
||||||
if (f == NULL) {
|
if (f == NULL) {
|
||||||
error("Couldn't create pid file \"%s\": %s",
|
|
||||||
options.pid_file, strerror(errno));
|
|
||||||
} else {
|
|
||||||
fprintf(f, "%ld\n", (long) getpid());
|
|
||||||
fclose(f);
|
|
||||||
|
@ -1,379 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent e655fcb8e89d19ce9e954d6fc330e5e3e093a848
|
|
||||||
# extended support for (re-)seeding the OpenSSL PRNG from /dev/random
|
|
||||||
# bnc#703221, FATE#312172
|
|
||||||
|
|
||||||
diff --git a/Makefile.in b/Makefile.in
|
|
||||||
index 85818f4..750aada 100644
|
|
||||||
--- a/Makefile.in
|
|
||||||
+++ b/Makefile.in
|
|
||||||
@@ -182,13 +182,13 @@ libssh.a: $(LIBSSH_OBJS)
|
|
||||||
$(RANLIB) $@
|
|
||||||
|
|
||||||
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
|
|
||||||
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
|
|
||||||
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(SSHLIBS) $(LIBS) $(GSSLIBS)
|
|
||||||
|
|
||||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
|
||||||
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
|
||||||
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
|
||||||
|
|
||||||
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
|
|
||||||
- $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
+ $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
|
|
||||||
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
|
|
||||||
$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
@@ -197,10 +197,10 @@ ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
|
|
||||||
$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
|
|
||||||
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o sshsig.o
|
|
||||||
- $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
+ $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
|
|
||||||
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o compat.o
|
|
||||||
- $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
+ $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
|
||||||
|
|
||||||
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
|
|
||||||
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
@@ -209,10 +209,10 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
|
||||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
|
||||||
|
|
||||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-realpath.o sftp-server-main.o
|
|
||||||
- $(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
+ $(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
|
|
||||||
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
|
|
||||||
- $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
|
||||||
+ $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
|
||||||
|
|
||||||
# FIPS tests
|
|
||||||
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
|
|
||||||
diff --git a/entropy.c b/entropy.c
|
|
||||||
index 5de6801..f8b9f42 100644
|
|
||||||
--- a/entropy.c
|
|
||||||
+++ b/entropy.c
|
|
||||||
@@ -239,6 +239,8 @@ seed_rng(void)
|
|
||||||
}
|
|
||||||
#endif /* OPENSSL_PRNG_ONLY */
|
|
||||||
|
|
||||||
+ linux_seed();
|
|
||||||
+
|
|
||||||
if (RAND_status() != 1)
|
|
||||||
fatal("PRNG is not seeded");
|
|
||||||
|
|
||||||
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
|
|
||||||
index 1162dc5..80fd688 100644
|
|
||||||
--- a/openbsd-compat/Makefile.in
|
|
||||||
+++ b/openbsd-compat/Makefile.in
|
|
||||||
@@ -91,6 +91,7 @@ COMPAT= arc4random.o \
|
|
||||||
PORTS= port-aix.o \
|
|
||||||
port-irix.o \
|
|
||||||
port-linux.o \
|
|
||||||
+ port-linux-prng.o \
|
|
||||||
port-solaris.o \
|
|
||||||
port-net.o \
|
|
||||||
port-uw.o
|
|
||||||
diff --git a/openbsd-compat/port-linux-prng.c b/openbsd-compat/port-linux-prng.c
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..dfc4bdb
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/openbsd-compat/port-linux-prng.c
|
|
||||||
@@ -0,0 +1,81 @@
|
|
||||||
+/*
|
|
||||||
+ * Copyright (c) 2011 Jan F. Chadima <jchadima@redhat.com>
|
|
||||||
+ * (c) 2011 Petr Cerny <pcerny@suse.cz>
|
|
||||||
+ *
|
|
||||||
+ * Permission to use, copy, modify, and distribute this software for any
|
|
||||||
+ * purpose with or without fee is hereby granted, provided that the above
|
|
||||||
+ * copyright notice and this permission notice appear in all copies.
|
|
||||||
+ *
|
|
||||||
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
||||||
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
||||||
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
||||||
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
||||||
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
||||||
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
||||||
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Linux-specific portability code - prng support
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#include "includes.h"
|
|
||||||
+#include "defines.h"
|
|
||||||
+
|
|
||||||
+#include <errno.h>
|
|
||||||
+#include <stdarg.h>
|
|
||||||
+#include <string.h>
|
|
||||||
+#include <stdio.h>
|
|
||||||
+#include <openssl/rand.h>
|
|
||||||
+
|
|
||||||
+#include "log.h"
|
|
||||||
+#include "port-linux.h"
|
|
||||||
+#include "fips.h"
|
|
||||||
+
|
|
||||||
+#define RNG_BYTES_DEFAULT 6L
|
|
||||||
+#define RNG_ENV_VAR "SSH_USE_STRONG_RNG"
|
|
||||||
+
|
|
||||||
+long rand_bytes = 0;
|
|
||||||
+char *rand_file = NULL;
|
|
||||||
+
|
|
||||||
+static void
|
|
||||||
+linux_seed_init(void)
|
|
||||||
+{
|
|
||||||
+ long elen = 0;
|
|
||||||
+ char *env = getenv(RNG_ENV_VAR);
|
|
||||||
+
|
|
||||||
+ if (env) {
|
|
||||||
+ errno = 0;
|
|
||||||
+ elen = strtol(env, NULL, 10);
|
|
||||||
+ if (errno) {
|
|
||||||
+ elen = RNG_BYTES_DEFAULT;
|
|
||||||
+ debug("bogus value in the %s environment variable, "
|
|
||||||
+ "using %li bytes from /dev/random\n",
|
|
||||||
+ RNG_ENV_VAR, RNG_BYTES_DEFAULT);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (elen || fips_mode())
|
|
||||||
+ rand_file = "/dev/random";
|
|
||||||
+ else
|
|
||||||
+ rand_file = "/dev/urandom";
|
|
||||||
+
|
|
||||||
+ rand_bytes = MAX(elen, RNG_BYTES_DEFAULT);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void
|
|
||||||
+linux_seed(void)
|
|
||||||
+{
|
|
||||||
+ long len;
|
|
||||||
+ if (!rand_file)
|
|
||||||
+ linux_seed_init();
|
|
||||||
+
|
|
||||||
+ errno = 0;
|
|
||||||
+ len = RAND_load_file(rand_file, rand_bytes);
|
|
||||||
+ if (len != rand_bytes) {
|
|
||||||
+ if (errno)
|
|
||||||
+ fatal ("cannot read from %s, %s", rand_file, strerror(errno));
|
|
||||||
+ else
|
|
||||||
+ fatal ("EOF reading %s", rand_file);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
|
|
||||||
index 3c22a85..2dc1fd0 100644
|
|
||||||
--- a/openbsd-compat/port-linux.h
|
|
||||||
+++ b/openbsd-compat/port-linux.h
|
|
||||||
@@ -17,6 +17,10 @@
|
|
||||||
#ifndef _PORT_LINUX_H
|
|
||||||
#define _PORT_LINUX_H
|
|
||||||
|
|
||||||
+extern long rand_bytes;
|
|
||||||
+extern char *rand_file;
|
|
||||||
+void linux_seed(void);
|
|
||||||
+
|
|
||||||
#ifdef WITH_SELINUX
|
|
||||||
int ssh_selinux_enabled(void);
|
|
||||||
void ssh_selinux_setup_pty(char *, const char *);
|
|
||||||
diff --git a/ssh-add.1 b/ssh-add.1
|
|
||||||
index d4e1c60..6f76900 100644
|
|
||||||
--- a/ssh-add.1
|
|
||||||
+++ b/ssh-add.1
|
|
||||||
@@ -189,6 +189,20 @@ to make this work.)
|
|
||||||
Identifies the path of a
|
|
||||||
.Ux Ns -domain
|
|
||||||
socket used to communicate with the agent.
|
|
||||||
+.It Ev SSH_USE_STRONG_RNG
|
|
||||||
+The reseeding of the OpenSSL random generator is usually done from
|
|
||||||
+.Cm /dev/urandom .
|
|
||||||
+If the
|
|
||||||
+.Cm SSH_USE_STRONG_RNG
|
|
||||||
+environment variable is set to value other than
|
|
||||||
+.Cm 0
|
|
||||||
+the OpenSSL random generator is reseeded from
|
|
||||||
+.Cm /dev/random .
|
|
||||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
|
||||||
+Minimum is 6 bytes.
|
|
||||||
+This setting is not recommended on the computers without the hardware
|
|
||||||
+random generator because insufficient entropy causes the connection to
|
|
||||||
+be blocked until enough entropy is available.
|
|
||||||
.El
|
|
||||||
.Sh FILES
|
|
||||||
.Bl -tag -width Ds
|
|
||||||
diff --git a/ssh-agent.1 b/ssh-agent.1
|
|
||||||
index 83b2b41..9e187f2 100644
|
|
||||||
--- a/ssh-agent.1
|
|
||||||
+++ b/ssh-agent.1
|
|
||||||
@@ -214,6 +214,23 @@ sockets used to contain the connection to the authentication agent.
|
|
||||||
These sockets should only be readable by the owner.
|
|
||||||
The sockets should get automatically removed when the agent exits.
|
|
||||||
.El
|
|
||||||
+.Sh ENVIRONMENT
|
|
||||||
+.Bl -tag -width Ds -compact
|
|
||||||
+.Pp
|
|
||||||
+.It Pa SSH_USE_STRONG_RNG
|
|
||||||
+The reseeding of the OpenSSL random generator is usually done from
|
|
||||||
+.Cm /dev/urandom .
|
|
||||||
+If the
|
|
||||||
+.Cm SSH_USE_STRONG_RNG
|
|
||||||
+environment variable is set to value other than
|
|
||||||
+.Cm 0
|
|
||||||
+the OpenSSL random generator is reseeded from
|
|
||||||
+.Cm /dev/random .
|
|
||||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
|
||||||
+Minimum is 6 bytes.
|
|
||||||
+This setting is not recommended on the computers without the hardware
|
|
||||||
+random generator because insufficient entropy causes the connection to
|
|
||||||
+be blocked until enough entropy is available.
|
|
||||||
.Sh SEE ALSO
|
|
||||||
.Xr ssh 1 ,
|
|
||||||
.Xr ssh-add 1 ,
|
|
||||||
diff --git a/ssh-keygen.1 b/ssh-keygen.1
|
|
||||||
index 957d2f0..70c4a28 100644
|
|
||||||
--- a/ssh-keygen.1
|
|
||||||
+++ b/ssh-keygen.1
|
|
||||||
@@ -1054,6 +1054,23 @@ Contains Diffie-Hellman groups used for DH-GEX.
|
|
||||||
The file format is described in
|
|
||||||
.Xr moduli 5 .
|
|
||||||
.El
|
|
||||||
+.Sh ENVIRONMENT
|
|
||||||
+.Bl -tag -width Ds -compact
|
|
||||||
+.Pp
|
|
||||||
+.It Pa SSH_USE_STRONG_RNG
|
|
||||||
+The reseeding of the OpenSSL random generator is usually done from
|
|
||||||
+.Cm /dev/urandom .
|
|
||||||
+If the
|
|
||||||
+.Cm SSH_USE_STRONG_RNG
|
|
||||||
+environment variable is set to value other than
|
|
||||||
+.Cm 0
|
|
||||||
+the OpenSSL random generator is reseeded from
|
|
||||||
+.Cm /dev/random .
|
|
||||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
|
||||||
+Minimum is 6 bytes.
|
|
||||||
+This setting is not recommended on the computers without the hardware
|
|
||||||
+random generator because insufficient entropy causes the connection to
|
|
||||||
+be blocked until enough entropy is available.
|
|
||||||
.Sh SEE ALSO
|
|
||||||
.Xr ssh 1 ,
|
|
||||||
.Xr ssh-add 1 ,
|
|
||||||
diff --git a/ssh-keysign.8 b/ssh-keysign.8
|
|
||||||
index 19b0dbc..639b56e 100644
|
|
||||||
--- a/ssh-keysign.8
|
|
||||||
+++ b/ssh-keysign.8
|
|
||||||
@@ -80,6 +80,23 @@ must be set-uid root if host-based authentication is used.
|
|
||||||
If these files exist they are assumed to contain public certificate
|
|
||||||
information corresponding with the private keys above.
|
|
||||||
.El
|
|
||||||
+.Sh ENVIRONMENT
|
|
||||||
+.Bl -tag -width Ds -compact
|
|
||||||
+.Pp
|
|
||||||
+.It Pa SSH_USE_STRONG_RNG
|
|
||||||
+The reseeding of the OpenSSL random generator is usually done from
|
|
||||||
+.Cm /dev/urandom .
|
|
||||||
+If the
|
|
||||||
+.Cm SSH_USE_STRONG_RNG
|
|
||||||
+environment variable is set to value other than
|
|
||||||
+.Cm 0
|
|
||||||
+the OpenSSL random generator is reseeded from
|
|
||||||
+.Cm /dev/random .
|
|
||||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
|
||||||
+Minimum is 6 bytes.
|
|
||||||
+This setting is not recommended on the computers without the hardware
|
|
||||||
+random generator because insufficient entropy causes the connection to
|
|
||||||
+be blocked until enough entropy is available.
|
|
||||||
.Sh SEE ALSO
|
|
||||||
.Xr ssh 1 ,
|
|
||||||
.Xr ssh-keygen 1 ,
|
|
||||||
diff --git a/ssh.1 b/ssh.1
|
|
||||||
index 424d6c3..899a339 100644
|
|
||||||
--- a/ssh.1
|
|
||||||
+++ b/ssh.1
|
|
||||||
@@ -1433,6 +1433,20 @@ For more information, see the
|
|
||||||
.Cm PermitUserEnvironment
|
|
||||||
option in
|
|
||||||
.Xr sshd_config 5 .
|
|
||||||
+.It Ev SSH_USE_STRONG_RNG
|
|
||||||
+The reseeding of the OpenSSL random generator is usually done from
|
|
||||||
+.Cm /dev/urandom .
|
|
||||||
+If the
|
|
||||||
+.Cm SSH_USE_STRONG_RNG
|
|
||||||
+environment variable is set to value other than
|
|
||||||
+.Cm 0
|
|
||||||
+the OpenSSL random generator is reseeded from
|
|
||||||
+.Cm /dev/random .
|
|
||||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
|
||||||
+Minimum is 6 bytes.
|
|
||||||
+This setting is not recommended on the computers without the hardware
|
|
||||||
+random generator because insufficient entropy causes the connection to
|
|
||||||
+be blocked until enough entropy is available.
|
|
||||||
.Sh FILES
|
|
||||||
.Bl -tag -width Ds -compact
|
|
||||||
.It Pa ~/.rhosts
|
|
||||||
diff --git a/sshd.8 b/sshd.8
|
|
||||||
index fb133c1..2f1d3ab 100644
|
|
||||||
--- a/sshd.8
|
|
||||||
+++ b/sshd.8
|
|
||||||
@@ -966,6 +966,23 @@ concurrently for different ports, this contains the process ID of the one
|
|
||||||
started last).
|
|
||||||
The content of this file is not sensitive; it can be world-readable.
|
|
||||||
.El
|
|
||||||
+.Sh ENVIRONMENT
|
|
||||||
+.Bl -tag -width Ds -compact
|
|
||||||
+.Pp
|
|
||||||
+.It Pa SSH_USE_STRONG_RNG
|
|
||||||
+The reseeding of the OpenSSL random generator is usually done from
|
|
||||||
+.Cm /dev/urandom .
|
|
||||||
+If the
|
|
||||||
+.Cm SSH_USE_STRONG_RNG
|
|
||||||
+environment variable is set to value other than
|
|
||||||
+.Cm 0
|
|
||||||
+the OpenSSL random generator is reseeded from
|
|
||||||
+.Cm /dev/random .
|
|
||||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
|
||||||
+Minimum is 6 bytes.
|
|
||||||
+This setting is not recommended on the computers without the hardware
|
|
||||||
+random generator because insufficient entropy causes the connection to
|
|
||||||
+be blocked until enough entropy is available.
|
|
||||||
.Sh SEE ALSO
|
|
||||||
.Xr scp 1 ,
|
|
||||||
.Xr sftp 1 ,
|
|
||||||
diff --git a/sshd.c b/sshd.c
|
|
||||||
index bb20eec..c562094 100644
|
|
||||||
--- a/sshd.c
|
|
||||||
+++ b/sshd.c
|
|
||||||
@@ -55,6 +55,8 @@
|
|
||||||
#endif
|
|
||||||
#include "openbsd-compat/sys-tree.h"
|
|
||||||
#include "openbsd-compat/sys-queue.h"
|
|
||||||
+#include "openbsd-compat/port-linux.h"
|
|
||||||
+
|
|
||||||
#include <sys/wait.h>
|
|
||||||
|
|
||||||
#include <errno.h>
|
|
||||||
@@ -205,6 +207,13 @@ struct {
|
|
||||||
int have_ssh2_key;
|
|
||||||
} sensitive_data;
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * Every RESEED_AFTERth connection triggers call to linux_seed() to re-seed the
|
|
||||||
+ * random pool.
|
|
||||||
+ */
|
|
||||||
+#define RESEED_AFTER 100
|
|
||||||
+static int re_seeding_counter = RESEED_AFTER;
|
|
||||||
+
|
|
||||||
/* This is set to true when a signal is received. */
|
|
||||||
static volatile sig_atomic_t received_sighup = 0;
|
|
||||||
static volatile sig_atomic_t received_sigterm = 0;
|
|
||||||
@@ -1201,6 +1210,10 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
|
|
||||||
startup_flags[j] = 1;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
+ if(!(--re_seeding_counter)) {
|
|
||||||
+ re_seeding_counter = RESEED_AFTER;
|
|
||||||
+ linux_seed();
|
|
||||||
+ }
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Got connection. Fork a child to handle it, unless
|
|
@ -2,12 +2,11 @@
|
|||||||
# Parent 60bdbe6dd8d6bc011883472363d56e1d97f68835
|
# Parent 60bdbe6dd8d6bc011883472363d56e1d97f68835
|
||||||
Put back sftp client diagnostic messages in batch mode
|
Put back sftp client diagnostic messages in batch mode
|
||||||
|
|
||||||
bsc#1023275
|
|
||||||
diff --git a/sftp.1 b/sftp.1
|
diff --git a/sftp.1 b/sftp.1
|
||||||
index a52c1cf..7333de8 100644
|
index a305b37..6e802ec 100644
|
||||||
--- a/sftp.1
|
--- a/sftp.1
|
||||||
+++ b/sftp.1
|
+++ b/sftp.1
|
||||||
@@ -278,6 +278,9 @@ Specifies the port to connect to on the remote host.
|
@@ -282,6 +282,9 @@ Specifies the port to connect to on the remote host.
|
||||||
.It Fl p
|
.It Fl p
|
||||||
Preserves modification times, access times, and modes from the
|
Preserves modification times, access times, and modes from the
|
||||||
original files transferred.
|
original files transferred.
|
||||||
@ -18,7 +17,7 @@ index a52c1cf..7333de8 100644
|
|||||||
Quiet mode: disables the progress meter as well as warning and
|
Quiet mode: disables the progress meter as well as warning and
|
||||||
diagnostic messages from
|
diagnostic messages from
|
||||||
diff --git a/sftp.c b/sftp.c
|
diff --git a/sftp.c b/sftp.c
|
||||||
index b66037f..6c94a38 100644
|
index 2799e4a..52b2c23 100644
|
||||||
--- a/sftp.c
|
--- a/sftp.c
|
||||||
+++ b/sftp.c
|
+++ b/sftp.c
|
||||||
@@ -85,6 +85,9 @@ static volatile pid_t sshpid = -1;
|
@@ -85,6 +85,9 @@ static volatile pid_t sshpid = -1;
|
||||||
@ -31,16 +30,16 @@ index b66037f..6c94a38 100644
|
|||||||
/* This is set to 0 if the progressmeter is not desired. */
|
/* This is set to 0 if the progressmeter is not desired. */
|
||||||
int showprogress = 1;
|
int showprogress = 1;
|
||||||
|
|
||||||
@@ -2406,7 +2409,7 @@ main(int argc, char **argv)
|
@@ -2409,7 +2412,7 @@ main(int argc, char **argv)
|
||||||
infile = stdin;
|
infile = stdin;
|
||||||
|
|
||||||
while ((ch = getopt(argc, argv,
|
while ((ch = getopt(argc, argv,
|
||||||
- "1246afhpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
|
- "1246afhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
|
||||||
+ "1246afhpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
|
+ "1246afhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
|
||||||
switch (ch) {
|
switch (ch) {
|
||||||
/* Passed through to ssh(1) */
|
/* Passed through to ssh(1) */
|
||||||
case '4':
|
case '4':
|
||||||
@@ -2423,6 +2426,9 @@ main(int argc, char **argv)
|
@@ -2426,6 +2429,9 @@ main(int argc, char **argv)
|
||||||
addargs(&args, "-%c", ch);
|
addargs(&args, "-%c", ch);
|
||||||
addargs(&args, "%s", optarg);
|
addargs(&args, "%s", optarg);
|
||||||
break;
|
break;
|
||||||
@ -50,7 +49,7 @@ index b66037f..6c94a38 100644
|
|||||||
case 'q':
|
case 'q':
|
||||||
ll = SYSLOG_LEVEL_ERROR;
|
ll = SYSLOG_LEVEL_ERROR;
|
||||||
quiet = 1;
|
quiet = 1;
|
||||||
@@ -2506,6 +2512,8 @@ main(int argc, char **argv)
|
@@ -2510,6 +2516,8 @@ main(int argc, char **argv)
|
||||||
usage();
|
usage();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -1,29 +1,29 @@
|
|||||||
diff --git a/Makefile.in b/Makefile.in
|
diff --git a/Makefile.in b/Makefile.in
|
||||||
index 1baf5c6..02bafbc 100644
|
index 9eab827..9d3f569 100644
|
||||||
--- a/Makefile.in
|
--- a/Makefile.in
|
||||||
+++ b/Makefile.in
|
+++ b/Makefile.in
|
||||||
@@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
@@ -113,6 +113,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||||
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
|
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
|
||||||
kexgexc.o kexgexs.o \
|
kexgexc.o kexgexs.o \
|
||||||
sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \
|
sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \
|
||||||
+ kexgssc.o \
|
+ kexgssc.o \
|
||||||
platform-pledge.o platform-tracing.o platform-misc.o
|
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
|
||||||
|
sshbuf-io.o
|
||||||
|
|
||||||
|
@@ -131,7 +132,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
|
||||||
@@ -125,7 +126,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
|
|
||||||
auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
|
auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
|
||||||
auth2-none.o auth2-passwd.o auth2-pubkey.o \
|
auth2-none.o auth2-passwd.o auth2-pubkey.o \
|
||||||
monitor.o monitor_wrap.o auth-krb5.o \
|
monitor.o monitor_wrap.o auth-krb5.o \
|
||||||
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
|
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
|
||||||
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
|
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
|
||||||
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
|
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
|
||||||
sftp-server.o sftp-common.o sftp-realpath.o \
|
sftp-server.o sftp-common.o \
|
||||||
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
|
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
|
||||||
diff --git a/auth.c b/auth.c
|
diff --git a/auth.c b/auth.c
|
||||||
index 5c58dd1..ab43955 100644
|
index 0a2dd3a..779a1af 100644
|
||||||
--- a/auth.c
|
--- a/auth.c
|
||||||
+++ b/auth.c
|
+++ b/auth.c
|
||||||
@@ -399,7 +399,8 @@ auth_root_allowed(struct ssh *ssh, const char *method)
|
@@ -400,7 +400,8 @@ auth_root_allowed(struct ssh *ssh, const char *method)
|
||||||
case PERMIT_NO_PASSWD:
|
case PERMIT_NO_PASSWD:
|
||||||
if (strcmp(method, "publickey") == 0 ||
|
if (strcmp(method, "publickey") == 0 ||
|
||||||
strcmp(method, "hostbased") == 0 ||
|
strcmp(method, "hostbased") == 0 ||
|
||||||
@ -33,7 +33,7 @@ index 5c58dd1..ab43955 100644
|
|||||||
return 1;
|
return 1;
|
||||||
break;
|
break;
|
||||||
case PERMIT_FORCED_ONLY:
|
case PERMIT_FORCED_ONLY:
|
||||||
@@ -723,99 +724,6 @@ fakepw(void)
|
@@ -724,99 +725,6 @@ fakepw(void)
|
||||||
return (&fake);
|
return (&fake);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -62,7 +62,7 @@ index 5c58dd1..ab43955 100644
|
|||||||
- if (getpeername(ssh_packet_get_connection_in(ssh),
|
- if (getpeername(ssh_packet_get_connection_in(ssh),
|
||||||
- (struct sockaddr *)&from, &fromlen) == -1) {
|
- (struct sockaddr *)&from, &fromlen) == -1) {
|
||||||
- debug("getpeername failed: %.100s", strerror(errno));
|
- debug("getpeername failed: %.100s", strerror(errno));
|
||||||
- return strdup(ntop);
|
- return xstrdup(ntop);
|
||||||
- }
|
- }
|
||||||
-
|
-
|
||||||
- ipv64_normalise_mapped(&from, &fromlen);
|
- ipv64_normalise_mapped(&from, &fromlen);
|
||||||
@ -74,7 +74,7 @@ index 5c58dd1..ab43955 100644
|
|||||||
- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
|
- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
|
||||||
- NULL, 0, NI_NAMEREQD) != 0) {
|
- NULL, 0, NI_NAMEREQD) != 0) {
|
||||||
- /* Host name not found. Use ip address. */
|
- /* Host name not found. Use ip address. */
|
||||||
- return strdup(ntop);
|
- return xstrdup(ntop);
|
||||||
- }
|
- }
|
||||||
-
|
-
|
||||||
- /*
|
- /*
|
||||||
@ -89,7 +89,7 @@ index 5c58dd1..ab43955 100644
|
|||||||
- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
|
- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
|
||||||
- name, ntop);
|
- name, ntop);
|
||||||
- freeaddrinfo(ai);
|
- freeaddrinfo(ai);
|
||||||
- return strdup(ntop);
|
- return xstrdup(ntop);
|
||||||
- }
|
- }
|
||||||
-
|
-
|
||||||
- /* Names are stored in lowercase. */
|
- /* Names are stored in lowercase. */
|
||||||
@ -110,7 +110,7 @@ index 5c58dd1..ab43955 100644
|
|||||||
- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
|
- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
|
||||||
- logit("reverse mapping checking getaddrinfo for %.700s "
|
- logit("reverse mapping checking getaddrinfo for %.700s "
|
||||||
- "[%s] failed.", name, ntop);
|
- "[%s] failed.", name, ntop);
|
||||||
- return strdup(ntop);
|
- return xstrdup(ntop);
|
||||||
- }
|
- }
|
||||||
- /* Look for the address from the list of addresses. */
|
- /* Look for the address from the list of addresses. */
|
||||||
- for (ai = aitop; ai; ai = ai->ai_next) {
|
- for (ai = aitop; ai; ai = ai->ai_next) {
|
||||||
@ -125,9 +125,9 @@ index 5c58dd1..ab43955 100644
|
|||||||
- /* Address not found for the host name. */
|
- /* Address not found for the host name. */
|
||||||
- logit("Address %.100s maps to %.600s, but this does not "
|
- logit("Address %.100s maps to %.600s, but this does not "
|
||||||
- "map back to the address.", ntop, name);
|
- "map back to the address.", ntop, name);
|
||||||
- return strdup(ntop);
|
- return xstrdup(ntop);
|
||||||
- }
|
- }
|
||||||
- return strdup(name);
|
- return xstrdup(name);
|
||||||
-}
|
-}
|
||||||
-
|
-
|
||||||
/*
|
/*
|
||||||
@ -229,7 +229,7 @@ index 9351e04..d6446c0 100644
|
|||||||
"gssapi-with-mic",
|
"gssapi-with-mic",
|
||||||
userauth_gssapi,
|
userauth_gssapi,
|
||||||
diff --git a/auth2.c b/auth2.c
|
diff --git a/auth2.c b/auth2.c
|
||||||
index 0e77622..1c21726 100644
|
index 91aaf34..a4a5e00 100644
|
||||||
--- a/auth2.c
|
--- a/auth2.c
|
||||||
+++ b/auth2.c
|
+++ b/auth2.c
|
||||||
@@ -73,6 +73,7 @@ extern Authmethod method_passwd;
|
@@ -73,6 +73,7 @@ extern Authmethod method_passwd;
|
||||||
@ -249,7 +249,7 @@ index 0e77622..1c21726 100644
|
|||||||
#endif
|
#endif
|
||||||
&method_passwd,
|
&method_passwd,
|
||||||
diff --git a/canohost.c b/canohost.c
|
diff --git a/canohost.c b/canohost.c
|
||||||
index abea9c6..9a00fc2 100644
|
index abea9c6..8e81b51 100644
|
||||||
--- a/canohost.c
|
--- a/canohost.c
|
||||||
+++ b/canohost.c
|
+++ b/canohost.c
|
||||||
@@ -35,6 +35,99 @@
|
@@ -35,6 +35,99 @@
|
||||||
@ -281,7 +281,7 @@ index abea9c6..9a00fc2 100644
|
|||||||
+ if (getpeername(ssh_packet_get_connection_in(ssh),
|
+ if (getpeername(ssh_packet_get_connection_in(ssh),
|
||||||
+ (struct sockaddr *)&from, &fromlen) == -1) {
|
+ (struct sockaddr *)&from, &fromlen) == -1) {
|
||||||
+ debug("getpeername failed: %.100s", strerror(errno));
|
+ debug("getpeername failed: %.100s", strerror(errno));
|
||||||
+ return strdup(ntop);
|
+ return xstrdup(ntop);
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ ipv64_normalise_mapped(&from, &fromlen);
|
+ ipv64_normalise_mapped(&from, &fromlen);
|
||||||
@ -293,7 +293,7 @@ index abea9c6..9a00fc2 100644
|
|||||||
+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
|
+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
|
||||||
+ NULL, 0, NI_NAMEREQD) != 0) {
|
+ NULL, 0, NI_NAMEREQD) != 0) {
|
||||||
+ /* Host name not found. Use ip address. */
|
+ /* Host name not found. Use ip address. */
|
||||||
+ return strdup(ntop);
|
+ return xstrdup(ntop);
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ /*
|
+ /*
|
||||||
@ -308,7 +308,7 @@ index abea9c6..9a00fc2 100644
|
|||||||
+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
|
+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
|
||||||
+ name, ntop);
|
+ name, ntop);
|
||||||
+ freeaddrinfo(ai);
|
+ freeaddrinfo(ai);
|
||||||
+ return strdup(ntop);
|
+ return xstrdup(ntop);
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ /* Names are stored in lowercase. */
|
+ /* Names are stored in lowercase. */
|
||||||
@ -329,7 +329,7 @@ index abea9c6..9a00fc2 100644
|
|||||||
+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
|
+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
|
||||||
+ logit("reverse mapping checking getaddrinfo for %.700s "
|
+ logit("reverse mapping checking getaddrinfo for %.700s "
|
||||||
+ "[%s] failed.", name, ntop);
|
+ "[%s] failed.", name, ntop);
|
||||||
+ return strdup(ntop);
|
+ return xstrdup(ntop);
|
||||||
+ }
|
+ }
|
||||||
+ /* Look for the address from the list of addresses. */
|
+ /* Look for the address from the list of addresses. */
|
||||||
+ for (ai = aitop; ai; ai = ai->ai_next) {
|
+ for (ai = aitop; ai; ai = ai->ai_next) {
|
||||||
@ -344,9 +344,9 @@ index abea9c6..9a00fc2 100644
|
|||||||
+ /* Address not found for the host name. */
|
+ /* Address not found for the host name. */
|
||||||
+ logit("Address %.100s maps to %.600s, but this does not "
|
+ logit("Address %.100s maps to %.600s, but this does not "
|
||||||
+ "map back to the address.", ntop, name);
|
+ "map back to the address.", ntop, name);
|
||||||
+ return strdup(ntop);
|
+ return xstrdup(ntop);
|
||||||
+ }
|
+ }
|
||||||
+ return strdup(name);
|
+ return xstrdup(name);
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
void
|
void
|
||||||
@ -367,7 +367,7 @@ index 26d6285..0cadc9f 100644
|
|||||||
int get_peer_port(int);
|
int get_peer_port(int);
|
||||||
char *get_local_ipaddr(int);
|
char *get_local_ipaddr(int);
|
||||||
diff --git a/clientloop.c b/clientloop.c
|
diff --git a/clientloop.c b/clientloop.c
|
||||||
index b5a1f70..9def2a1 100644
|
index da396c7..42ace77 100644
|
||||||
--- a/clientloop.c
|
--- a/clientloop.c
|
||||||
+++ b/clientloop.c
|
+++ b/clientloop.c
|
||||||
@@ -112,6 +112,10 @@
|
@@ -112,6 +112,10 @@
|
||||||
@ -381,7 +381,7 @@ index b5a1f70..9def2a1 100644
|
|||||||
/* import options */
|
/* import options */
|
||||||
extern Options options;
|
extern Options options;
|
||||||
|
|
||||||
@@ -1373,9 +1377,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
|
@@ -1361,9 +1365,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
|
||||||
break;
|
break;
|
||||||
|
|
||||||
/* Do channel operations unless rekeying in progress. */
|
/* Do channel operations unless rekeying in progress. */
|
||||||
@ -402,10 +402,10 @@ index b5a1f70..9def2a1 100644
|
|||||||
client_process_net_input(ssh, readset);
|
client_process_net_input(ssh, readset);
|
||||||
|
|
||||||
diff --git a/configure.ac b/configure.ac
|
diff --git a/configure.ac b/configure.ac
|
||||||
index ff9c11a..c0db779 100644
|
index 82aafe3..8a0e791 100644
|
||||||
--- a/configure.ac
|
--- a/configure.ac
|
||||||
+++ b/configure.ac
|
+++ b/configure.ac
|
||||||
@@ -666,6 +666,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
|
@@ -676,6 +676,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
|
||||||
[Use tunnel device compatibility to OpenBSD])
|
[Use tunnel device compatibility to OpenBSD])
|
||||||
AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
|
AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
|
||||||
[Prepend the address family to IP tunnel traffic])
|
[Prepend the address family to IP tunnel traffic])
|
||||||
@ -959,11 +959,11 @@ index a151bc1..8d2b677 100644
|
|||||||
|
|
||||||
#endif /* KRB5 */
|
#endif /* KRB5 */
|
||||||
diff --git a/gss-serv.c b/gss-serv.c
|
diff --git a/gss-serv.c b/gss-serv.c
|
||||||
index ab3a15f..6ce56e9 100644
|
index b5d4bb2..d8010dd 100644
|
||||||
--- a/gss-serv.c
|
--- a/gss-serv.c
|
||||||
+++ b/gss-serv.c
|
+++ b/gss-serv.c
|
||||||
@@ -1,7 +1,7 @@
|
@@ -1,7 +1,7 @@
|
||||||
/* $OpenBSD: gss-serv.c,v 1.31 2018/07/09 21:37:55 markus Exp $ */
|
/* $OpenBSD: gss-serv.c,v 1.32 2020/03/13 03:17:07 djm Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
||||||
@ -1259,10 +1259,10 @@ index ab3a15f..6ce56e9 100644
|
|||||||
|
|
||||||
/* Privileged */
|
/* Privileged */
|
||||||
diff --git a/kex.c b/kex.c
|
diff --git a/kex.c b/kex.c
|
||||||
index 1f82c2e..92d8ee0 100644
|
index 53f7ff8..fbb8e4f 100644
|
||||||
--- a/kex.c
|
--- a/kex.c
|
||||||
+++ b/kex.c
|
+++ b/kex.c
|
||||||
@@ -55,11 +55,16 @@
|
@@ -57,11 +57,16 @@
|
||||||
#include "misc.h"
|
#include "misc.h"
|
||||||
#include "dispatch.h"
|
#include "dispatch.h"
|
||||||
#include "monitor.h"
|
#include "monitor.h"
|
||||||
@ -1279,7 +1279,7 @@ index 1f82c2e..92d8ee0 100644
|
|||||||
#include "fips.h"
|
#include "fips.h"
|
||||||
|
|
||||||
/* prototype */
|
/* prototype */
|
||||||
@@ -115,6 +120,19 @@ static const struct kexalg kexalgs_all[] = {
|
@@ -117,6 +122,19 @@ static const struct kexalg kexalgs_all[] = {
|
||||||
#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
|
#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
|
||||||
{ NULL, 0, -1, -1},
|
{ NULL, 0, -1, -1},
|
||||||
};
|
};
|
||||||
@ -1299,7 +1299,7 @@ index 1f82c2e..92d8ee0 100644
|
|||||||
|
|
||||||
static const struct kexalg kexalgs_fips140_2[] = {
|
static const struct kexalg kexalgs_fips140_2[] = {
|
||||||
#ifdef WITH_OPENSSL
|
#ifdef WITH_OPENSSL
|
||||||
@@ -142,12 +160,12 @@ static const struct kexalg kexalgs_fips140_2[] = {
|
@@ -144,12 +162,12 @@ static const struct kexalg kexalgs_fips140_2[] = {
|
||||||
|
|
||||||
/* Returns array of macs available depending on selected FIPS mode */
|
/* Returns array of macs available depending on selected FIPS mode */
|
||||||
static const struct kexalg *
|
static const struct kexalg *
|
||||||
@ -1314,7 +1314,7 @@ index 1f82c2e..92d8ee0 100644
|
|||||||
case 1:
|
case 1:
|
||||||
return kexalgs_fips140_2;
|
return kexalgs_fips140_2;
|
||||||
default:
|
default:
|
||||||
@@ -158,13 +176,13 @@ fips_select_kexalgs(void)
|
@@ -160,13 +178,13 @@ fips_select_kexalgs(void)
|
||||||
}
|
}
|
||||||
|
|
||||||
char *
|
char *
|
||||||
@ -1330,7 +1330,7 @@ index 1f82c2e..92d8ee0 100644
|
|||||||
if (ret != NULL)
|
if (ret != NULL)
|
||||||
ret[rlen++] = sep;
|
ret[rlen++] = sep;
|
||||||
nlen = strlen(k->name);
|
nlen = strlen(k->name);
|
||||||
@@ -179,15 +197,31 @@ kex_alg_list(char sep)
|
@@ -181,15 +199,31 @@ kex_alg_list(char sep)
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1363,7 +1363,7 @@ index 1f82c2e..92d8ee0 100644
|
|||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -359,6 +393,29 @@ kex_assemble_names(char **listp, const char *def, const char *all)
|
@@ -361,6 +395,29 @@ kex_assemble_names(char **listp, const char *def, const char *all)
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1393,7 +1393,7 @@ index 1f82c2e..92d8ee0 100644
|
|||||||
/* put algorithm proposal into buffer */
|
/* put algorithm proposal into buffer */
|
||||||
int
|
int
|
||||||
kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
|
kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
|
||||||
@@ -742,6 +799,9 @@ kex_free(struct kex *kex)
|
@@ -743,6 +800,9 @@ kex_free(struct kex *kex)
|
||||||
sshbuf_free(kex->server_version);
|
sshbuf_free(kex->server_version);
|
||||||
sshbuf_free(kex->client_pub);
|
sshbuf_free(kex->client_pub);
|
||||||
free(kex->session_id);
|
free(kex->session_id);
|
||||||
@ -1502,7 +1502,7 @@ index 67133e3..edaa467 100644
|
|||||||
break;
|
break;
|
||||||
case KEX_DH_GRP18_SHA512:
|
case KEX_DH_GRP18_SHA512:
|
||||||
diff --git a/kexgen.c b/kexgen.c
|
diff --git a/kexgen.c b/kexgen.c
|
||||||
index bb996b5..d353ed8 100644
|
index 69348b9..c0e8c2f 100644
|
||||||
--- a/kexgen.c
|
--- a/kexgen.c
|
||||||
+++ b/kexgen.c
|
+++ b/kexgen.c
|
||||||
@@ -44,7 +44,7 @@
|
@@ -44,7 +44,7 @@
|
||||||
@ -2596,10 +2596,10 @@ index 0000000..60bc02d
|
|||||||
+}
|
+}
|
||||||
+#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
|
+#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
|
||||||
diff --git a/monitor.c b/monitor.c
|
diff --git a/monitor.c b/monitor.c
|
||||||
index 00af44f..20812fa 100644
|
index b6e855d..cf775e5 100644
|
||||||
--- a/monitor.c
|
--- a/monitor.c
|
||||||
+++ b/monitor.c
|
+++ b/monitor.c
|
||||||
@@ -147,6 +147,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *);
|
@@ -148,6 +148,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *);
|
||||||
int mm_answer_gss_accept_ctx(struct ssh *, int, struct sshbuf *);
|
int mm_answer_gss_accept_ctx(struct ssh *, int, struct sshbuf *);
|
||||||
int mm_answer_gss_userok(struct ssh *, int, struct sshbuf *);
|
int mm_answer_gss_userok(struct ssh *, int, struct sshbuf *);
|
||||||
int mm_answer_gss_checkmic(struct ssh *, int, struct sshbuf *);
|
int mm_answer_gss_checkmic(struct ssh *, int, struct sshbuf *);
|
||||||
@ -2608,7 +2608,7 @@ index 00af44f..20812fa 100644
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef SSH_AUDIT_EVENTS
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
@@ -219,11 +221,18 @@ struct mon_table mon_dispatch_proto20[] = {
|
@@ -220,11 +222,18 @@ struct mon_table mon_dispatch_proto20[] = {
|
||||||
{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
|
{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
|
||||||
{MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok},
|
{MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok},
|
||||||
{MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
|
{MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
|
||||||
@ -2627,7 +2627,7 @@ index 00af44f..20812fa 100644
|
|||||||
#ifdef WITH_OPENSSL
|
#ifdef WITH_OPENSSL
|
||||||
{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
|
{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
|
||||||
#endif
|
#endif
|
||||||
@@ -292,6 +301,10 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
|
@@ -293,6 +302,10 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
|
||||||
/* Permit requests for moduli and signatures */
|
/* Permit requests for moduli and signatures */
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
|
||||||
@ -2638,7 +2638,7 @@ index 00af44f..20812fa 100644
|
|||||||
|
|
||||||
/* The first few requests do not require asynchronous access */
|
/* The first few requests do not require asynchronous access */
|
||||||
while (!authenticated) {
|
while (!authenticated) {
|
||||||
@@ -405,6 +418,10 @@ monitor_child_postauth(struct ssh *ssh, struct monitor *pmonitor)
|
@@ -406,6 +419,10 @@ monitor_child_postauth(struct ssh *ssh, struct monitor *pmonitor)
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
|
||||||
@ -2649,7 +2649,7 @@ index 00af44f..20812fa 100644
|
|||||||
|
|
||||||
if (auth_opts->permit_pty_flag) {
|
if (auth_opts->permit_pty_flag) {
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
|
||||||
@@ -1687,6 +1704,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
|
@@ -1712,6 +1729,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
|
||||||
# ifdef OPENSSL_HAS_ECC
|
# ifdef OPENSSL_HAS_ECC
|
||||||
kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
|
kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
|
||||||
# endif
|
# endif
|
||||||
@ -2667,7 +2667,7 @@ index 00af44f..20812fa 100644
|
|||||||
#endif /* WITH_OPENSSL */
|
#endif /* WITH_OPENSSL */
|
||||||
kex->kex[KEX_C25519_SHA256] = kex_gen_server;
|
kex->kex[KEX_C25519_SHA256] = kex_gen_server;
|
||||||
kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server;
|
kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server;
|
||||||
@@ -1780,8 +1808,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
|
@@ -1805,8 +1833,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
u_char *p;
|
u_char *p;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
@ -2678,7 +2678,7 @@ index 00af44f..20812fa 100644
|
|||||||
|
|
||||||
if ((r = sshbuf_get_string(m, &p, &len)) != 0)
|
if ((r = sshbuf_get_string(m, &p, &len)) != 0)
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||||
@@ -1813,8 +1841,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
|
@@ -1838,8 +1866,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
OM_uint32 flags = 0; /* GSI needs this */
|
OM_uint32 flags = 0; /* GSI needs this */
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
@ -2689,7 +2689,7 @@ index 00af44f..20812fa 100644
|
|||||||
|
|
||||||
if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
|
if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||||
@@ -1834,6 +1862,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
|
@@ -1859,6 +1887,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
|
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
|
||||||
@ -2697,7 +2697,7 @@ index 00af44f..20812fa 100644
|
|||||||
}
|
}
|
||||||
return (0);
|
return (0);
|
||||||
}
|
}
|
||||||
@@ -1845,8 +1874,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
|
@@ -1870,8 +1899,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
OM_uint32 ret;
|
OM_uint32 ret;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
@ -2708,7 +2708,7 @@ index 00af44f..20812fa 100644
|
|||||||
|
|
||||||
if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
|
if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
|
||||||
(r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)
|
(r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)
|
||||||
@@ -1872,13 +1901,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
|
@@ -1897,13 +1926,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
int
|
int
|
||||||
mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
|
mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
{
|
{
|
||||||
@ -2730,7 +2730,7 @@ index 00af44f..20812fa 100644
|
|||||||
|
|
||||||
sshbuf_reset(m);
|
sshbuf_reset(m);
|
||||||
if ((r = sshbuf_put_u32(m, authenticated)) != 0)
|
if ((r = sshbuf_put_u32(m, authenticated)) != 0)
|
||||||
@@ -1887,7 +1920,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
|
@@ -1912,7 +1945,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
debug3("%s: sending result %d", __func__, authenticated);
|
debug3("%s: sending result %d", __func__, authenticated);
|
||||||
mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
|
mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
|
||||||
|
|
||||||
@ -2743,7 +2743,7 @@ index 00af44f..20812fa 100644
|
|||||||
|
|
||||||
if ((displayname = ssh_gssapi_displayname()) != NULL)
|
if ((displayname = ssh_gssapi_displayname()) != NULL)
|
||||||
auth2_record_info(authctxt, "%s", displayname);
|
auth2_record_info(authctxt, "%s", displayname);
|
||||||
@@ -1895,5 +1932,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
|
@@ -1920,5 +1957,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
/* Monitor loop will terminate if authenticated */
|
/* Monitor loop will terminate if authenticated */
|
||||||
return (authenticated);
|
return (authenticated);
|
||||||
}
|
}
|
||||||
@ -2843,10 +2843,10 @@ index 683e5e0..2b1a2d5 100644
|
|||||||
|
|
||||||
struct ssh;
|
struct ssh;
|
||||||
diff --git a/monitor_wrap.c b/monitor_wrap.c
|
diff --git a/monitor_wrap.c b/monitor_wrap.c
|
||||||
index 4169b76..fdca39a 100644
|
index 001a8fa..6edb509 100644
|
||||||
--- a/monitor_wrap.c
|
--- a/monitor_wrap.c
|
||||||
+++ b/monitor_wrap.c
|
+++ b/monitor_wrap.c
|
||||||
@@ -978,13 +978,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
|
@@ -993,13 +993,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
@ -2863,7 +2863,7 @@ index 4169b76..fdca39a 100644
|
|||||||
|
|
||||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m);
|
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m);
|
||||||
mm_request_receive_expect(pmonitor->m_recvfd,
|
mm_request_receive_expect(pmonitor->m_recvfd,
|
||||||
@@ -997,4 +999,57 @@ mm_ssh_gssapi_userok(char *user)
|
@@ -1012,4 +1014,57 @@ mm_ssh_gssapi_userok(char *user)
|
||||||
debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
|
debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
|
||||||
return (authenticated);
|
return (authenticated);
|
||||||
}
|
}
|
||||||
@ -2922,10 +2922,10 @@ index 4169b76..fdca39a 100644
|
|||||||
+
|
+
|
||||||
#endif /* GSSAPI */
|
#endif /* GSSAPI */
|
||||||
diff --git a/monitor_wrap.h b/monitor_wrap.h
|
diff --git a/monitor_wrap.h b/monitor_wrap.h
|
||||||
index 191277f..92dda57 100644
|
index 23ab096..485590c 100644
|
||||||
--- a/monitor_wrap.h
|
--- a/monitor_wrap.h
|
||||||
+++ b/monitor_wrap.h
|
+++ b/monitor_wrap.h
|
||||||
@@ -63,8 +63,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
|
@@ -64,8 +64,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
|
||||||
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
|
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
|
||||||
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
|
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
|
||||||
gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
|
gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
|
||||||
@ -2938,7 +2938,7 @@ index 191277f..92dda57 100644
|
|||||||
|
|
||||||
#ifdef USE_PAM
|
#ifdef USE_PAM
|
||||||
diff --git a/readconf.c b/readconf.c
|
diff --git a/readconf.c b/readconf.c
|
||||||
index 228f481..24f2cb1 100644
|
index 408a80c..d37658a 100644
|
||||||
--- a/readconf.c
|
--- a/readconf.c
|
||||||
+++ b/readconf.c
|
+++ b/readconf.c
|
||||||
@@ -67,6 +67,7 @@
|
@@ -67,6 +67,7 @@
|
||||||
@ -2949,7 +2949,7 @@ index 228f481..24f2cb1 100644
|
|||||||
|
|
||||||
#include "fips.h"
|
#include "fips.h"
|
||||||
|
|
||||||
@@ -164,6 +165,8 @@ typedef enum {
|
@@ -162,6 +163,8 @@ typedef enum {
|
||||||
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
|
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
|
||||||
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
||||||
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
|
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
|
||||||
@ -2958,7 +2958,7 @@ index 228f481..24f2cb1 100644
|
|||||||
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
||||||
oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
|
oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
|
||||||
oHashKnownHosts,
|
oHashKnownHosts,
|
||||||
@@ -204,10 +207,22 @@ static struct {
|
@@ -206,10 +209,22 @@ static struct {
|
||||||
/* Sometimes-unsupported options */
|
/* Sometimes-unsupported options */
|
||||||
#if defined(GSSAPI)
|
#if defined(GSSAPI)
|
||||||
{ "gssapiauthentication", oGssAuthentication },
|
{ "gssapiauthentication", oGssAuthentication },
|
||||||
@ -2981,7 +2981,7 @@ index 228f481..24f2cb1 100644
|
|||||||
#endif
|
#endif
|
||||||
#ifdef ENABLE_PKCS11
|
#ifdef ENABLE_PKCS11
|
||||||
{ "pkcs11provider", oPKCS11Provider },
|
{ "pkcs11provider", oPKCS11Provider },
|
||||||
@@ -990,10 +1005,42 @@ parse_time:
|
@@ -1055,10 +1070,42 @@ parse_time:
|
||||||
intptr = &options->gss_authentication;
|
intptr = &options->gss_authentication;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
|
|
||||||
@ -3024,7 +3024,7 @@ index 228f481..24f2cb1 100644
|
|||||||
case oBatchMode:
|
case oBatchMode:
|
||||||
intptr = &options->batch_mode;
|
intptr = &options->batch_mode;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
@@ -1882,7 +1929,13 @@ initialize_options(Options * options)
|
@@ -1954,7 +2001,13 @@ initialize_options(Options * options)
|
||||||
options->pubkey_authentication = -1;
|
options->pubkey_authentication = -1;
|
||||||
options->challenge_response_authentication = -1;
|
options->challenge_response_authentication = -1;
|
||||||
options->gss_authentication = -1;
|
options->gss_authentication = -1;
|
||||||
@ -3038,7 +3038,7 @@ index 228f481..24f2cb1 100644
|
|||||||
options->password_authentication = -1;
|
options->password_authentication = -1;
|
||||||
options->kbd_interactive_authentication = -1;
|
options->kbd_interactive_authentication = -1;
|
||||||
options->kbd_interactive_devices = NULL;
|
options->kbd_interactive_devices = NULL;
|
||||||
@@ -2028,8 +2081,18 @@ fill_default_options(Options * options)
|
@@ -2102,8 +2155,18 @@ fill_default_options(Options * options)
|
||||||
options->challenge_response_authentication = 1;
|
options->challenge_response_authentication = 1;
|
||||||
if (options->gss_authentication == -1)
|
if (options->gss_authentication == -1)
|
||||||
options->gss_authentication = 0;
|
options->gss_authentication = 0;
|
||||||
@ -3057,7 +3057,7 @@ index 228f481..24f2cb1 100644
|
|||||||
if (options->password_authentication == -1)
|
if (options->password_authentication == -1)
|
||||||
options->password_authentication = 1;
|
options->password_authentication = 1;
|
||||||
if (options->kbd_interactive_authentication == -1)
|
if (options->kbd_interactive_authentication == -1)
|
||||||
@@ -2647,7 +2710,14 @@ dump_client_config(Options *o, const char *host)
|
@@ -2751,7 +2814,14 @@ dump_client_config(Options *o, const char *host)
|
||||||
dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
|
dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
|
dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
|
||||||
@ -3073,10 +3073,10 @@ index 228f481..24f2cb1 100644
|
|||||||
dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
|
dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
|
||||||
dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
|
dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
|
||||||
diff --git a/readconf.h b/readconf.h
|
diff --git a/readconf.h b/readconf.h
|
||||||
index 67111e9..2617764 100644
|
index ef18d5c..c0d797e 100644
|
||||||
--- a/readconf.h
|
--- a/readconf.h
|
||||||
+++ b/readconf.h
|
+++ b/readconf.h
|
||||||
@@ -40,7 +40,13 @@ typedef struct {
|
@@ -41,7 +41,13 @@ typedef struct {
|
||||||
int challenge_response_authentication;
|
int challenge_response_authentication;
|
||||||
/* Try S/Key or TIS, authentication. */
|
/* Try S/Key or TIS, authentication. */
|
||||||
int gss_authentication; /* Try GSS authentication */
|
int gss_authentication; /* Try GSS authentication */
|
||||||
@ -3091,10 +3091,10 @@ index 67111e9..2617764 100644
|
|||||||
* authentication. */
|
* authentication. */
|
||||||
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
||||||
diff --git a/servconf.c b/servconf.c
|
diff --git a/servconf.c b/servconf.c
|
||||||
index a8833a9..13cf154 100644
|
index 8a9db25..18b70b6 100644
|
||||||
--- a/servconf.c
|
--- a/servconf.c
|
||||||
+++ b/servconf.c
|
+++ b/servconf.c
|
||||||
@@ -64,6 +64,7 @@
|
@@ -69,6 +69,7 @@
|
||||||
#include "auth.h"
|
#include "auth.h"
|
||||||
#include "myproposal.h"
|
#include "myproposal.h"
|
||||||
#include "digest.h"
|
#include "digest.h"
|
||||||
@ -3102,7 +3102,7 @@ index a8833a9..13cf154 100644
|
|||||||
#include "fips.h"
|
#include "fips.h"
|
||||||
|
|
||||||
static void add_listen_addr(ServerOptions *, const char *,
|
static void add_listen_addr(ServerOptions *, const char *,
|
||||||
@@ -126,8 +127,11 @@ initialize_server_options(ServerOptions *options)
|
@@ -135,8 +136,11 @@ initialize_server_options(ServerOptions *options)
|
||||||
options->kerberos_ticket_cleanup = -1;
|
options->kerberos_ticket_cleanup = -1;
|
||||||
options->kerberos_get_afs_token = -1;
|
options->kerberos_get_afs_token = -1;
|
||||||
options->gss_authentication=-1;
|
options->gss_authentication=-1;
|
||||||
@ -3114,7 +3114,7 @@ index a8833a9..13cf154 100644
|
|||||||
options->password_authentication = -1;
|
options->password_authentication = -1;
|
||||||
options->kbd_interactive_authentication = -1;
|
options->kbd_interactive_authentication = -1;
|
||||||
options->challenge_response_authentication = -1;
|
options->challenge_response_authentication = -1;
|
||||||
@@ -374,10 +378,18 @@ fill_default_server_options(ServerOptions *options)
|
@@ -398,10 +402,18 @@ fill_default_server_options(ServerOptions *options)
|
||||||
options->kerberos_get_afs_token = 0;
|
options->kerberos_get_afs_token = 0;
|
||||||
if (options->gss_authentication == -1)
|
if (options->gss_authentication == -1)
|
||||||
options->gss_authentication = 0;
|
options->gss_authentication = 0;
|
||||||
@ -3133,7 +3133,7 @@ index a8833a9..13cf154 100644
|
|||||||
if (options->password_authentication == -1)
|
if (options->password_authentication == -1)
|
||||||
options->password_authentication = 1;
|
options->password_authentication = 1;
|
||||||
if (options->kbd_interactive_authentication == -1)
|
if (options->kbd_interactive_authentication == -1)
|
||||||
@@ -523,6 +535,7 @@ typedef enum {
|
@@ -556,6 +568,7 @@ typedef enum {
|
||||||
sHostKeyAlgorithms,
|
sHostKeyAlgorithms,
|
||||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||||
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
||||||
@ -3141,7 +3141,7 @@ index a8833a9..13cf154 100644
|
|||||||
sAcceptEnv, sSetEnv, sPermitTunnel,
|
sAcceptEnv, sSetEnv, sPermitTunnel,
|
||||||
sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
|
sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
|
||||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||||
@@ -599,12 +612,22 @@ static struct {
|
@@ -634,12 +647,22 @@ static struct {
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
|
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
|
||||||
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
|
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
|
||||||
@ -3164,7 +3164,7 @@ index a8833a9..13cf154 100644
|
|||||||
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
|
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
|
||||||
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
|
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
|
||||||
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
|
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
|
||||||
@@ -1518,6 +1541,10 @@ process_server_config_line(ServerOptions *options, char *line,
|
@@ -1585,6 +1608,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
||||||
intptr = &options->gss_authentication;
|
intptr = &options->gss_authentication;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
|
|
||||||
@ -3175,7 +3175,7 @@ index a8833a9..13cf154 100644
|
|||||||
case sGssCleanupCreds:
|
case sGssCleanupCreds:
|
||||||
intptr = &options->gss_cleanup_creds;
|
intptr = &options->gss_cleanup_creds;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
@@ -1526,6 +1553,22 @@ process_server_config_line(ServerOptions *options, char *line,
|
@@ -1593,6 +1620,22 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
||||||
intptr = &options->gss_strict_acceptor;
|
intptr = &options->gss_strict_acceptor;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
|
|
||||||
@ -3198,7 +3198,7 @@ index a8833a9..13cf154 100644
|
|||||||
case sPasswordAuthentication:
|
case sPasswordAuthentication:
|
||||||
intptr = &options->password_authentication;
|
intptr = &options->password_authentication;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
@@ -2615,6 +2658,10 @@ dump_config(ServerOptions *o)
|
@@ -2821,6 +2864,10 @@ dump_config(ServerOptions *o)
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
|
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
|
||||||
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
|
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
|
||||||
@ -3210,10 +3210,10 @@ index a8833a9..13cf154 100644
|
|||||||
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
|
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
|
||||||
dump_cfg_fmtint(sKbdInteractiveAuthentication,
|
dump_cfg_fmtint(sKbdInteractiveAuthentication,
|
||||||
diff --git a/servconf.h b/servconf.h
|
diff --git a/servconf.h b/servconf.h
|
||||||
index 4670a5a..56373e5 100644
|
index d24d459..45665df 100644
|
||||||
--- a/servconf.h
|
--- a/servconf.h
|
||||||
+++ b/servconf.h
|
+++ b/servconf.h
|
||||||
@@ -126,8 +126,11 @@ typedef struct {
|
@@ -137,8 +137,11 @@ typedef struct {
|
||||||
int kerberos_get_afs_token; /* If true, try to get AFS token if
|
int kerberos_get_afs_token; /* If true, try to get AFS token if
|
||||||
* authenticated with Kerberos. */
|
* authenticated with Kerberos. */
|
||||||
int gss_authentication; /* If true, permit GSSAPI authentication */
|
int gss_authentication; /* If true, permit GSSAPI authentication */
|
||||||
@ -3226,10 +3226,10 @@ index 4670a5a..56373e5 100644
|
|||||||
* authentication. */
|
* authentication. */
|
||||||
int kbd_interactive_authentication; /* If true, permit */
|
int kbd_interactive_authentication; /* If true, permit */
|
||||||
diff --git a/session.c b/session.c
|
diff --git a/session.c b/session.c
|
||||||
index d81060c..89f9539 100644
|
index 501bbdf..530aa26 100644
|
||||||
--- a/session.c
|
--- a/session.c
|
||||||
+++ b/session.c
|
+++ b/session.c
|
||||||
@@ -2713,13 +2713,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt)
|
@@ -2717,13 +2717,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt)
|
||||||
|
|
||||||
#ifdef KRB5
|
#ifdef KRB5
|
||||||
if (options.kerberos_ticket_cleanup &&
|
if (options.kerberos_ticket_cleanup &&
|
||||||
@ -3372,10 +3372,10 @@ index 36180d0..70dd366 100644
|
|||||||
|
|
||||||
#endif /* _SSH_GSS_H */
|
#endif /* _SSH_GSS_H */
|
||||||
diff --git a/ssh.1 b/ssh.1
|
diff --git a/ssh.1 b/ssh.1
|
||||||
index 899a339..70d3017 100644
|
index dce5f40..7a3ba31 100644
|
||||||
--- a/ssh.1
|
--- a/ssh.1
|
||||||
+++ b/ssh.1
|
+++ b/ssh.1
|
||||||
@@ -497,7 +497,13 @@ For full details of the options listed below, and their possible values, see
|
@@ -506,7 +506,13 @@ For full details of the options listed below, and their possible values, see
|
||||||
.It GatewayPorts
|
.It GatewayPorts
|
||||||
.It GlobalKnownHostsFile
|
.It GlobalKnownHostsFile
|
||||||
.It GSSAPIAuthentication
|
.It GSSAPIAuthentication
|
||||||
@ -3389,7 +3389,7 @@ index 899a339..70d3017 100644
|
|||||||
.It HashKnownHosts
|
.It HashKnownHosts
|
||||||
.It Host
|
.It Host
|
||||||
.It HostbasedAuthentication
|
.It HostbasedAuthentication
|
||||||
@@ -573,6 +579,8 @@ flag),
|
@@ -582,6 +588,8 @@ flag),
|
||||||
(supported message integrity codes),
|
(supported message integrity codes),
|
||||||
.Ar kex
|
.Ar kex
|
||||||
(key exchange algorithms),
|
(key exchange algorithms),
|
||||||
@ -3399,25 +3399,25 @@ index 899a339..70d3017 100644
|
|||||||
(key types),
|
(key types),
|
||||||
.Ar key-cert
|
.Ar key-cert
|
||||||
diff --git a/ssh.c b/ssh.c
|
diff --git a/ssh.c b/ssh.c
|
||||||
index 882d1da..5f3ca8d 100644
|
index dce28fd..c99e0e4 100644
|
||||||
--- a/ssh.c
|
--- a/ssh.c
|
||||||
+++ b/ssh.c
|
+++ b/ssh.c
|
||||||
@@ -742,6 +742,8 @@ main(int ac, char **av)
|
@@ -779,6 +779,8 @@ main(int ac, char **av)
|
||||||
cp = mac_alg_list('\n');
|
else if (strcmp(optarg, "kex") == 0 ||
|
||||||
else if (strcmp(optarg, "kex") == 0)
|
strcasecmp(optarg, "KexAlgorithms") == 0)
|
||||||
cp = kex_alg_list('\n');
|
cp = kex_alg_list('\n');
|
||||||
+ else if (strcmp(optarg, "kex-gss") == 0)
|
+ else if (strcmp(optarg, "kex-gss") == 0)
|
||||||
+ cp = kex_gss_alg_list('\n');
|
+ cp = kex_gss_alg_list('\n');
|
||||||
else if (strcmp(optarg, "key") == 0)
|
else if (strcmp(optarg, "key") == 0)
|
||||||
cp = sshkey_alg_list(0, 0, 0, '\n');
|
cp = sshkey_alg_list(0, 0, 0, '\n');
|
||||||
else if (strcmp(optarg, "key-cert") == 0)
|
else if (strcmp(optarg, "key-cert") == 0)
|
||||||
@@ -754,7 +756,7 @@ main(int ac, char **av)
|
@@ -803,7 +805,7 @@ main(int ac, char **av)
|
||||||
cp = xstrdup("2");
|
cp[n] = '\n';
|
||||||
else if (strcmp(optarg, "help") == 0) {
|
} else if (strcmp(optarg, "help") == 0) {
|
||||||
cp = xstrdup(
|
cp = xstrdup(
|
||||||
- "cipher\ncipher-auth\nkex\nkey\n"
|
- "cipher\ncipher-auth\ncompression\nkex\n"
|
||||||
+ "cipher\ncipher-auth\nkex\nkex-gss\nkey\n"
|
+ "cipher\ncipher-auth\ncompression\nkex\nkex-gss\n"
|
||||||
"key-cert\nkey-plain\nmac\n"
|
"key\nkey-cert\nkey-plain\nkey-sig\nmac\n"
|
||||||
"protocol-version\nsig");
|
"protocol-version\nsig");
|
||||||
}
|
}
|
||||||
diff --git a/ssh_config b/ssh_config
|
diff --git a/ssh_config b/ssh_config
|
||||||
@ -3434,10 +3434,10 @@ index 3a00f4d..a798a43 100644
|
|||||||
# CheckHostIP yes
|
# CheckHostIP yes
|
||||||
# AddressFamily any
|
# AddressFamily any
|
||||||
diff --git a/ssh_config.5 b/ssh_config.5
|
diff --git a/ssh_config.5 b/ssh_config.5
|
||||||
index f0cb291..3bf0502 100644
|
index f6c3bdc..30c22e5 100644
|
||||||
--- a/ssh_config.5
|
--- a/ssh_config.5
|
||||||
+++ b/ssh_config.5
|
+++ b/ssh_config.5
|
||||||
@@ -760,10 +760,67 @@ The default is
|
@@ -768,10 +768,67 @@ The default is
|
||||||
Specifies whether user authentication based on GSSAPI is allowed.
|
Specifies whether user authentication based on GSSAPI is allowed.
|
||||||
The default is
|
The default is
|
||||||
.Cm no .
|
.Cm no .
|
||||||
@ -3506,10 +3506,10 @@ index f0cb291..3bf0502 100644
|
|||||||
Indicates that
|
Indicates that
|
||||||
.Xr ssh 1
|
.Xr ssh 1
|
||||||
diff --git a/sshconnect2.c b/sshconnect2.c
|
diff --git a/sshconnect2.c b/sshconnect2.c
|
||||||
index 87fa70a..9e8c3e5 100644
|
index 1a6545e..b970198 100644
|
||||||
--- a/sshconnect2.c
|
--- a/sshconnect2.c
|
||||||
+++ b/sshconnect2.c
|
+++ b/sshconnect2.c
|
||||||
@@ -78,8 +78,6 @@
|
@@ -80,8 +80,6 @@
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* import */
|
/* import */
|
||||||
@ -3518,9 +3518,9 @@ index 87fa70a..9e8c3e5 100644
|
|||||||
extern Options options;
|
extern Options options;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -161,6 +159,11 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
|
@@ -163,6 +161,11 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
|
||||||
char *s, *all_key;
|
char *s, *all_key;
|
||||||
int r;
|
int r, use_known_hosts_order = 0;
|
||||||
|
|
||||||
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||||
+ char *orig = NULL, *gss = NULL;
|
+ char *orig = NULL, *gss = NULL;
|
||||||
@ -3530,8 +3530,8 @@ index 87fa70a..9e8c3e5 100644
|
|||||||
xxx_host = host;
|
xxx_host = host;
|
||||||
xxx_hostaddr = hostaddr;
|
xxx_hostaddr = hostaddr;
|
||||||
|
|
||||||
@@ -193,6 +196,35 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
|
@@ -206,6 +209,35 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
|
||||||
order_hostkeyalgs(host, hostaddr, port));
|
compat_pkalg_proposal(options.hostkeyalgorithms);
|
||||||
}
|
}
|
||||||
|
|
||||||
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||||
@ -3566,7 +3566,7 @@ index 87fa70a..9e8c3e5 100644
|
|||||||
if (options.rekey_limit || options.rekey_interval)
|
if (options.rekey_limit || options.rekey_interval)
|
||||||
ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
|
ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
|
||||||
options.rekey_interval);
|
options.rekey_interval);
|
||||||
@@ -211,16 +243,46 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
|
@@ -224,16 +256,46 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
|
||||||
# ifdef OPENSSL_HAS_ECC
|
# ifdef OPENSSL_HAS_ECC
|
||||||
ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client;
|
ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client;
|
||||||
# endif
|
# endif
|
||||||
@ -3614,7 +3614,7 @@ index 87fa70a..9e8c3e5 100644
|
|||||||
if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0)
|
if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0)
|
||||||
fatal("kex_prop2buf: %s", ssh_err(r));
|
fatal("kex_prop2buf: %s", ssh_err(r));
|
||||||
|
|
||||||
@@ -317,6 +379,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
|
@@ -330,6 +392,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
|
||||||
static int input_gssapi_token(int type, u_int32_t, struct ssh *);
|
static int input_gssapi_token(int type, u_int32_t, struct ssh *);
|
||||||
static int input_gssapi_error(int, u_int32_t, struct ssh *);
|
static int input_gssapi_error(int, u_int32_t, struct ssh *);
|
||||||
static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
|
static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
|
||||||
@ -3622,7 +3622,7 @@ index 87fa70a..9e8c3e5 100644
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
void userauth(struct ssh *, char *);
|
void userauth(struct ssh *, char *);
|
||||||
@@ -333,6 +396,11 @@ static char *authmethods_get(void);
|
@@ -346,6 +409,11 @@ static char *authmethods_get(void);
|
||||||
|
|
||||||
Authmethod authmethods[] = {
|
Authmethod authmethods[] = {
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
@ -3634,7 +3634,7 @@ index 87fa70a..9e8c3e5 100644
|
|||||||
{"gssapi-with-mic",
|
{"gssapi-with-mic",
|
||||||
userauth_gssapi,
|
userauth_gssapi,
|
||||||
userauth_gssapi_cleanup,
|
userauth_gssapi_cleanup,
|
||||||
@@ -697,12 +765,23 @@ userauth_gssapi(struct ssh *ssh)
|
@@ -716,12 +784,23 @@ userauth_gssapi(struct ssh *ssh)
|
||||||
OM_uint32 min;
|
OM_uint32 min;
|
||||||
int r, ok = 0;
|
int r, ok = 0;
|
||||||
gss_OID mech = NULL;
|
gss_OID mech = NULL;
|
||||||
@ -3659,7 +3659,7 @@ index 87fa70a..9e8c3e5 100644
|
|||||||
|
|
||||||
/* Check to see whether the mechanism is usable before we offer it */
|
/* Check to see whether the mechanism is usable before we offer it */
|
||||||
while (authctxt->mech_tried < authctxt->gss_supported_mechs->count &&
|
while (authctxt->mech_tried < authctxt->gss_supported_mechs->count &&
|
||||||
@@ -711,13 +790,15 @@ userauth_gssapi(struct ssh *ssh)
|
@@ -730,13 +809,15 @@ userauth_gssapi(struct ssh *ssh)
|
||||||
elements[authctxt->mech_tried];
|
elements[authctxt->mech_tried];
|
||||||
/* My DER encoding requires length<128 */
|
/* My DER encoding requires length<128 */
|
||||||
if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
|
if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
|
||||||
@ -3676,7 +3676,7 @@ index 87fa70a..9e8c3e5 100644
|
|||||||
if (!ok || mech == NULL)
|
if (!ok || mech == NULL)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
@@ -957,6 +1038,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
|
@@ -976,6 +1057,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
|
||||||
free(lang);
|
free(lang);
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
@ -3733,10 +3733,10 @@ index 87fa70a..9e8c3e5 100644
|
|||||||
|
|
||||||
static int
|
static int
|
||||||
diff --git a/sshd.c b/sshd.c
|
diff --git a/sshd.c b/sshd.c
|
||||||
index c562094..0d5c4c4 100644
|
index 1a09e7b..7d23232 100644
|
||||||
--- a/sshd.c
|
--- a/sshd.c
|
||||||
+++ b/sshd.c
|
+++ b/sshd.c
|
||||||
@@ -815,8 +815,8 @@ notify_hostkeys(struct ssh *ssh)
|
@@ -826,8 +826,8 @@ notify_hostkeys(struct ssh *ssh)
|
||||||
}
|
}
|
||||||
debug3("%s: sent %u hostkeys", __func__, nkeys);
|
debug3("%s: sent %u hostkeys", __func__, nkeys);
|
||||||
if (nkeys == 0)
|
if (nkeys == 0)
|
||||||
@ -3747,7 +3747,7 @@ index c562094..0d5c4c4 100644
|
|||||||
sshpkt_fatal(ssh, r, "%s: send", __func__);
|
sshpkt_fatal(ssh, r, "%s: send", __func__);
|
||||||
sshbuf_free(buf);
|
sshbuf_free(buf);
|
||||||
}
|
}
|
||||||
@@ -1800,7 +1800,8 @@ main(int ac, char **av)
|
@@ -1865,7 +1865,8 @@ main(int ac, char **av)
|
||||||
free(fp);
|
free(fp);
|
||||||
}
|
}
|
||||||
accumulate_host_timing_secret(cfg, NULL);
|
accumulate_host_timing_secret(cfg, NULL);
|
||||||
@ -3757,7 +3757,7 @@ index c562094..0d5c4c4 100644
|
|||||||
logit("sshd: no hostkeys available -- exiting.");
|
logit("sshd: no hostkeys available -- exiting.");
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
@@ -2297,6 +2298,48 @@ do_ssh2_kex(struct ssh *ssh)
|
@@ -2361,6 +2362,48 @@ do_ssh2_kex(struct ssh *ssh)
|
||||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
|
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
|
||||||
list_hostkey_types());
|
list_hostkey_types());
|
||||||
|
|
||||||
@ -3806,7 +3806,7 @@ index c562094..0d5c4c4 100644
|
|||||||
/* start key exchange */
|
/* start key exchange */
|
||||||
if ((r = kex_setup(ssh, myproposal)) != 0)
|
if ((r = kex_setup(ssh, myproposal)) != 0)
|
||||||
fatal("kex_setup: %s", ssh_err(r));
|
fatal("kex_setup: %s", ssh_err(r));
|
||||||
@@ -2312,7 +2355,18 @@ do_ssh2_kex(struct ssh *ssh)
|
@@ -2376,7 +2419,18 @@ do_ssh2_kex(struct ssh *ssh)
|
||||||
# ifdef OPENSSL_HAS_ECC
|
# ifdef OPENSSL_HAS_ECC
|
||||||
kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
|
kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
|
||||||
# endif
|
# endif
|
||||||
@ -3840,10 +3840,10 @@ index 9ae8b05..8c1d1e5 100644
|
|||||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||||
# and session processing. If this is enabled, PAM authentication will
|
# and session processing. If this is enabled, PAM authentication will
|
||||||
diff --git a/sshd_config.5 b/sshd_config.5
|
diff --git a/sshd_config.5 b/sshd_config.5
|
||||||
index 8818ea5..50a4917 100644
|
index 9c64f41..36696cc 100644
|
||||||
--- a/sshd_config.5
|
--- a/sshd_config.5
|
||||||
+++ b/sshd_config.5
|
+++ b/sshd_config.5
|
||||||
@@ -657,6 +657,11 @@ Specifies whether to automatically destroy the user's credentials cache
|
@@ -646,6 +646,11 @@ Specifies whether to automatically destroy the user's credentials cache
|
||||||
on logout.
|
on logout.
|
||||||
The default is
|
The default is
|
||||||
.Cm yes .
|
.Cm yes .
|
||||||
@ -3855,7 +3855,7 @@ index 8818ea5..50a4917 100644
|
|||||||
.It Cm GSSAPIStrictAcceptorCheck
|
.It Cm GSSAPIStrictAcceptorCheck
|
||||||
Determines whether to be strict about the identity of the GSSAPI acceptor
|
Determines whether to be strict about the identity of the GSSAPI acceptor
|
||||||
a client authenticates against.
|
a client authenticates against.
|
||||||
@@ -671,6 +676,31 @@ machine's default store.
|
@@ -660,6 +665,31 @@ machine's default store.
|
||||||
This facility is provided to assist with operation on multi homed machines.
|
This facility is provided to assist with operation on multi homed machines.
|
||||||
The default is
|
The default is
|
||||||
.Cm yes .
|
.Cm yes .
|
||||||
@ -3888,18 +3888,18 @@ index 8818ea5..50a4917 100644
|
|||||||
Specifies the key types that will be accepted for hostbased authentication
|
Specifies the key types that will be accepted for hostbased authentication
|
||||||
as a list of comma-separated patterns.
|
as a list of comma-separated patterns.
|
||||||
diff --git a/sshkey.c b/sshkey.c
|
diff --git a/sshkey.c b/sshkey.c
|
||||||
index ef90563..4d2048b 100644
|
index 1571e3d..1ac32a0 100644
|
||||||
--- a/sshkey.c
|
--- a/sshkey.c
|
||||||
+++ b/sshkey.c
|
+++ b/sshkey.c
|
||||||
@@ -145,6 +145,7 @@ static const struct keytype keytypes[] = {
|
@@ -154,6 +154,7 @@ static const struct keytype keytypes[] = {
|
||||||
# endif /* OPENSSL_HAS_NISTP521 */
|
KEY_ECDSA_SK_CERT, NID_X9_62_prime256v1, 1, 0 },
|
||||||
# endif /* OPENSSL_HAS_ECC */
|
# endif /* OPENSSL_HAS_ECC */
|
||||||
#endif /* WITH_OPENSSL */
|
#endif /* WITH_OPENSSL */
|
||||||
+ { "null", "null", NULL, KEY_NULL, 0, 0, 0 },
|
+ { "null", "null", NULL, KEY_NULL, 0, 0, 0 },
|
||||||
{ NULL, NULL, NULL, -1, -1, 0, 0 }
|
{ NULL, NULL, NULL, -1, -1, 0, 0 }
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -233,7 +234,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
|
@@ -255,7 +256,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
|
||||||
const struct keytype *kt;
|
const struct keytype *kt;
|
||||||
|
|
||||||
for (kt = keytypes; kt->type != -1; kt++) {
|
for (kt = keytypes; kt->type != -1; kt++) {
|
||||||
@ -3909,13 +3909,13 @@ index ef90563..4d2048b 100644
|
|||||||
if (!include_sigonly && kt->sigonly)
|
if (!include_sigonly && kt->sigonly)
|
||||||
continue;
|
continue;
|
||||||
diff --git a/sshkey.h b/sshkey.h
|
diff --git a/sshkey.h b/sshkey.h
|
||||||
index 1119a7b..1bf30d0 100644
|
index 9c1d4f6..f586e89 100644
|
||||||
--- a/sshkey.h
|
--- a/sshkey.h
|
||||||
+++ b/sshkey.h
|
+++ b/sshkey.h
|
||||||
@@ -65,6 +65,7 @@ enum sshkey_types {
|
@@ -69,6 +69,7 @@ enum sshkey_types {
|
||||||
KEY_ED25519_CERT,
|
KEY_ECDSA_SK_CERT,
|
||||||
KEY_XMSS,
|
KEY_ED25519_SK,
|
||||||
KEY_XMSS_CERT,
|
KEY_ED25519_SK_CERT,
|
||||||
+ KEY_NULL,
|
+ KEY_NULL,
|
||||||
KEY_UNSPEC
|
KEY_UNSPEC
|
||||||
};
|
};
|
||||||
|
@ -1,17 +1,16 @@
|
|||||||
diff --git a/Makefile.in b/Makefile.in
|
diff --git a/Makefile.in b/Makefile.in
|
||||||
index 02bafbc..4ee4ab2 100644
|
index 9d3f569..5a0e0b6 100644
|
||||||
--- a/Makefile.in
|
--- a/Makefile.in
|
||||||
+++ b/Makefile.in
|
+++ b/Makefile.in
|
||||||
@@ -110,7 +110,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
@@ -115,7 +115,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||||
kexgexc.o kexgexs.o \
|
|
||||||
sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \
|
sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \
|
||||||
kexgssc.o \
|
kexgssc.o \
|
||||||
- platform-pledge.o platform-tracing.o platform-misc.o
|
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
|
||||||
+ platform-pledge.o platform-tracing.o platform-misc.o \
|
- sshbuf-io.o
|
||||||
+ auditstub.o
|
+ sshbuf-io.o auditstub.o
|
||||||
|
|
||||||
|
SKOBJS= ssh-sk-client.o
|
||||||
|
|
||||||
LIBSSH_OBJS += fips.o
|
|
||||||
diff --git a/audit-bsm.c b/audit-bsm.c
|
diff --git a/audit-bsm.c b/audit-bsm.c
|
||||||
index 0ba16c7..d5e9cda 100644
|
index 0ba16c7..d5e9cda 100644
|
||||||
--- a/audit-bsm.c
|
--- a/audit-bsm.c
|
||||||
@ -744,10 +743,10 @@ index 0000000..639a798
|
|||||||
+{
|
+{
|
||||||
+}
|
+}
|
||||||
diff --git a/auth.c b/auth.c
|
diff --git a/auth.c b/auth.c
|
||||||
index ab43955..5a4d11a 100644
|
index 779a1af..f6f3c86 100644
|
||||||
--- a/auth.c
|
--- a/auth.c
|
||||||
+++ b/auth.c
|
+++ b/auth.c
|
||||||
@@ -366,7 +366,7 @@ auth_log(struct ssh *ssh, int authenticated, int partial,
|
@@ -367,7 +367,7 @@ auth_log(struct ssh *ssh, int authenticated, int partial,
|
||||||
# endif
|
# endif
|
||||||
#endif
|
#endif
|
||||||
#ifdef SSH_AUDIT_EVENTS
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
@ -756,7 +755,7 @@ index ab43955..5a4d11a 100644
|
|||||||
audit_event(ssh, audit_classify_auth(method));
|
audit_event(ssh, audit_classify_auth(method));
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
@@ -592,9 +592,6 @@ getpwnamallow(struct ssh *ssh, const char *user)
|
@@ -593,9 +593,6 @@ getpwnamallow(struct ssh *ssh, const char *user)
|
||||||
record_failed_login(ssh, user,
|
record_failed_login(ssh, user,
|
||||||
auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
|
auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
|
||||||
#endif
|
#endif
|
||||||
@ -767,7 +766,7 @@ index ab43955..5a4d11a 100644
|
|||||||
}
|
}
|
||||||
if (!allowed_user(ssh, pw))
|
if (!allowed_user(ssh, pw))
|
||||||
diff --git a/auth.h b/auth.h
|
diff --git a/auth.h b/auth.h
|
||||||
index becc672..84532d0 100644
|
index becc672..c8a99fb 100644
|
||||||
--- a/auth.h
|
--- a/auth.h
|
||||||
+++ b/auth.h
|
+++ b/auth.h
|
||||||
@@ -189,6 +189,8 @@ struct passwd * getpwnamallow(struct ssh *, const char *user);
|
@@ -189,6 +189,8 @@ struct passwd * getpwnamallow(struct ssh *, const char *user);
|
||||||
@ -775,7 +774,7 @@ index becc672..84532d0 100644
|
|||||||
char *expand_authorized_keys(const char *, struct passwd *pw);
|
char *expand_authorized_keys(const char *, struct passwd *pw);
|
||||||
char *authorized_principals_file(struct passwd *);
|
char *authorized_principals_file(struct passwd *);
|
||||||
+int user_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
|
+int user_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
|
||||||
+ const u_char *, size_t, const char *, u_int);
|
+ const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
|
||||||
|
|
||||||
FILE *auth_openkeyfile(const char *, struct passwd *, int);
|
FILE *auth_openkeyfile(const char *, struct passwd *, int);
|
||||||
FILE *auth_openprincipals(const char *, struct passwd *, int);
|
FILE *auth_openprincipals(const char *, struct passwd *, int);
|
||||||
@ -784,12 +783,12 @@ index becc672..84532d0 100644
|
|||||||
int sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *,
|
int sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *,
|
||||||
u_char **, size_t *, const u_char *, size_t, const char *);
|
u_char **, size_t *, const u_char *, size_t, const char *);
|
||||||
+int hostbased_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
|
+int hostbased_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
|
||||||
+ const u_char *, size_t, const char *, u_int);
|
+ const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
|
||||||
|
|
||||||
/* Key / cert options linkage to auth layer */
|
/* Key / cert options linkage to auth layer */
|
||||||
const struct sshauthopt *auth_options(struct ssh *);
|
const struct sshauthopt *auth_options(struct ssh *);
|
||||||
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
|
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
|
||||||
index d460470..de26444 100644
|
index 5e9b7c6..c0a09a3 100644
|
||||||
--- a/auth2-hostbased.c
|
--- a/auth2-hostbased.c
|
||||||
+++ b/auth2-hostbased.c
|
+++ b/auth2-hostbased.c
|
||||||
@@ -150,7 +150,7 @@ userauth_hostbased(struct ssh *ssh)
|
@@ -150,7 +150,7 @@ userauth_hostbased(struct ssh *ssh)
|
||||||
@ -798,7 +797,7 @@ index d460470..de26444 100644
|
|||||||
chost, key)) &&
|
chost, key)) &&
|
||||||
- PRIVSEP(sshkey_verify(key, sig, slen,
|
- PRIVSEP(sshkey_verify(key, sig, slen,
|
||||||
+ PRIVSEP(hostbased_key_verify(ssh, key, sig, slen,
|
+ PRIVSEP(hostbased_key_verify(ssh, key, sig, slen,
|
||||||
sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat)) == 0)
|
sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat, NULL)) == 0)
|
||||||
authenticated = 1;
|
authenticated = 1;
|
||||||
|
|
||||||
@@ -167,6 +167,19 @@ done:
|
@@ -167,6 +167,19 @@ done:
|
||||||
@ -807,11 +806,11 @@ index d460470..de26444 100644
|
|||||||
|
|
||||||
+int
|
+int
|
||||||
+hostbased_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig,
|
+hostbased_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig,
|
||||||
+ size_t slen, const u_char *data, size_t datalen, const char *pkalg, u_int compat)
|
+ size_t slen, const u_char *data, size_t datalen, const char *pkalg, u_int compat, struct sshkey_sig_details **sigdet)
|
||||||
+{
|
+{
|
||||||
+ int rv;
|
+ int rv;
|
||||||
+
|
+
|
||||||
+ rv = sshkey_verify(key, sig, slen, data, datalen, pkalg, compat);
|
+ rv = sshkey_verify(key, sig, slen, data, datalen, pkalg, compat, sigdet);
|
||||||
+#ifdef SSH_AUDIT_EVENTS
|
+#ifdef SSH_AUDIT_EVENTS
|
||||||
+ audit_key(ssh, 0, &rv, key);
|
+ audit_key(ssh, 0, &rv, key);
|
||||||
+#endif
|
+#endif
|
||||||
@ -822,10 +821,10 @@ index d460470..de26444 100644
|
|||||||
int
|
int
|
||||||
hostbased_key_allowed(struct ssh *ssh, struct passwd *pw,
|
hostbased_key_allowed(struct ssh *ssh, struct passwd *pw,
|
||||||
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
|
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
|
||||||
index df12c2c..6062b8b 100644
|
index 815ea0f..f8a4325 100644
|
||||||
--- a/auth2-pubkey.c
|
--- a/auth2-pubkey.c
|
||||||
+++ b/auth2-pubkey.c
|
+++ b/auth2-pubkey.c
|
||||||
@@ -210,7 +210,7 @@ userauth_pubkey(struct ssh *ssh)
|
@@ -212,7 +212,7 @@ userauth_pubkey(struct ssh *ssh)
|
||||||
/* test for correct signature */
|
/* test for correct signature */
|
||||||
authenticated = 0;
|
authenticated = 0;
|
||||||
if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
|
if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
|
||||||
@ -833,18 +832,18 @@ index df12c2c..6062b8b 100644
|
|||||||
+ PRIVSEP(user_key_verify(ssh, key, sig, slen,
|
+ PRIVSEP(user_key_verify(ssh, key, sig, slen,
|
||||||
sshbuf_ptr(b), sshbuf_len(b),
|
sshbuf_ptr(b), sshbuf_len(b),
|
||||||
(ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL,
|
(ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL,
|
||||||
ssh->compat)) == 0) {
|
ssh->compat, &sig_details)) == 0) {
|
||||||
@@ -269,6 +269,19 @@ done:
|
@@ -294,6 +294,19 @@ done:
|
||||||
return authenticated;
|
return authenticated;
|
||||||
}
|
}
|
||||||
|
|
||||||
+int
|
+int
|
||||||
+user_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig,
|
+user_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig,
|
||||||
+ size_t slen, const u_char *data, size_t datalen, const char *pkalg, u_int compat)
|
+ size_t slen, const u_char *data, size_t datalen, const char *pkalg, u_int compat, struct sshkey_sig_details **sigdet)
|
||||||
+{
|
+{
|
||||||
+ int rv;
|
+ int rv;
|
||||||
+
|
+
|
||||||
+ rv = sshkey_verify(key, sig, slen, data, datalen, pkalg, compat);
|
+ rv = sshkey_verify(key, sig, slen, data, datalen, pkalg, compat, sigdet);
|
||||||
+#ifdef SSH_AUDIT_EVENTS
|
+#ifdef SSH_AUDIT_EVENTS
|
||||||
+ audit_key(ssh, 1, &rv, key);
|
+ audit_key(ssh, 1, &rv, key);
|
||||||
+#endif
|
+#endif
|
||||||
@ -855,7 +854,7 @@ index df12c2c..6062b8b 100644
|
|||||||
match_principals_option(const char *principal_list, struct sshkey_cert *cert)
|
match_principals_option(const char *principal_list, struct sshkey_cert *cert)
|
||||||
{
|
{
|
||||||
diff --git a/auth2.c b/auth2.c
|
diff --git a/auth2.c b/auth2.c
|
||||||
index 1c21726..e54509a 100644
|
index a4a5e00..b12d2ac 100644
|
||||||
--- a/auth2.c
|
--- a/auth2.c
|
||||||
+++ b/auth2.c
|
+++ b/auth2.c
|
||||||
@@ -293,9 +293,6 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
|
@@ -293,9 +293,6 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
|
||||||
@ -869,7 +868,7 @@ index 1c21726..e54509a 100644
|
|||||||
#ifdef USE_PAM
|
#ifdef USE_PAM
|
||||||
if (options.use_pam)
|
if (options.use_pam)
|
||||||
diff --git a/cipher.c b/cipher.c
|
diff --git a/cipher.c b/cipher.c
|
||||||
index b67a4ff..e0d23a5 100644
|
index 599b54a..7f25a18 100644
|
||||||
--- a/cipher.c
|
--- a/cipher.c
|
||||||
+++ b/cipher.c
|
+++ b/cipher.c
|
||||||
@@ -58,25 +58,6 @@
|
@@ -58,25 +58,6 @@
|
||||||
@ -898,17 +897,17 @@ index b67a4ff..e0d23a5 100644
|
|||||||
static const struct sshcipher ciphers_all[] = {
|
static const struct sshcipher ciphers_all[] = {
|
||||||
#ifdef WITH_OPENSSL
|
#ifdef WITH_OPENSSL
|
||||||
#ifndef OPENSSL_NO_DES
|
#ifndef OPENSSL_NO_DES
|
||||||
@@ -451,7 +432,7 @@ cipher_get_length(struct sshcipher_ctx *cc, u_int *plenp, u_int seqnr,
|
@@ -462,7 +443,7 @@ cipher_get_length(struct sshcipher_ctx *cc, u_int *plenp, u_int seqnr,
|
||||||
void
|
void
|
||||||
cipher_free(struct sshcipher_ctx *cc)
|
cipher_free(struct sshcipher_ctx *cc)
|
||||||
{
|
{
|
||||||
- if (cc == NULL)
|
- if (cc == NULL)
|
||||||
+ if (cc == NULL || cc->cipher == NULL)
|
+ if (cc == NULL || cc->cipher == NULL)
|
||||||
return;
|
return;
|
||||||
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
|
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
|
||||||
explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx));
|
chachapoly_free(cc->cp_ctx);
|
||||||
diff --git a/cipher.h b/cipher.h
|
diff --git a/cipher.h b/cipher.h
|
||||||
index d7d8c89..2341068 100644
|
index 626f2f5..b3383a5 100644
|
||||||
--- a/cipher.h
|
--- a/cipher.h
|
||||||
+++ b/cipher.h
|
+++ b/cipher.h
|
||||||
@@ -47,7 +47,25 @@
|
@@ -47,7 +47,25 @@
|
||||||
@ -939,10 +938,10 @@ index d7d8c89..2341068 100644
|
|||||||
int plaintext;
|
int plaintext;
|
||||||
int encrypt;
|
int encrypt;
|
||||||
diff --git a/kex.c b/kex.c
|
diff --git a/kex.c b/kex.c
|
||||||
index 92d8ee0..96e44a5 100644
|
index fbb8e4f..39cad99 100644
|
||||||
--- a/kex.c
|
--- a/kex.c
|
||||||
+++ b/kex.c
|
+++ b/kex.c
|
||||||
@@ -60,6 +60,7 @@
|
@@ -62,6 +62,7 @@
|
||||||
#include "ssherr.h"
|
#include "ssherr.h"
|
||||||
#include "sshbuf.h"
|
#include "sshbuf.h"
|
||||||
#include "digest.h"
|
#include "digest.h"
|
||||||
@ -950,7 +949,7 @@ index 92d8ee0..96e44a5 100644
|
|||||||
|
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
#include "ssh-gss.h"
|
#include "ssh-gss.h"
|
||||||
@@ -856,12 +857,16 @@ kex_start_rekex(struct ssh *ssh)
|
@@ -857,12 +858,16 @@ kex_start_rekex(struct ssh *ssh)
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
@ -969,7 +968,7 @@ index 92d8ee0..96e44a5 100644
|
|||||||
if ((enc->cipher = cipher_by_name(name)) == NULL) {
|
if ((enc->cipher = cipher_by_name(name)) == NULL) {
|
||||||
error("%s: unsupported cipher %s", __func__, name);
|
error("%s: unsupported cipher %s", __func__, name);
|
||||||
free(name);
|
free(name);
|
||||||
@@ -882,8 +887,12 @@ choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
|
@@ -883,8 +888,12 @@ choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
|
||||||
{
|
{
|
||||||
char *name = match_list(client, server, NULL);
|
char *name = match_list(client, server, NULL);
|
||||||
|
|
||||||
@ -983,7 +982,7 @@ index 92d8ee0..96e44a5 100644
|
|||||||
if (mac_setup(mac, name) < 0) {
|
if (mac_setup(mac, name) < 0) {
|
||||||
error("%s: unsupported MAC %s", __func__, name);
|
error("%s: unsupported MAC %s", __func__, name);
|
||||||
free(name);
|
free(name);
|
||||||
@@ -896,12 +905,16 @@ choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
|
@@ -897,12 +906,16 @@ choose_mac(struct ssh *ssh, struct sshmac *mac, char *client, char *server)
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
@ -999,10 +998,10 @@ index 92d8ee0..96e44a5 100644
|
|||||||
+#endif
|
+#endif
|
||||||
return SSH_ERR_NO_COMPRESS_ALG_MATCH;
|
return SSH_ERR_NO_COMPRESS_ALG_MATCH;
|
||||||
+ }
|
+ }
|
||||||
|
#ifdef WITH_ZLIB
|
||||||
if (strcmp(name, "zlib@openssh.com") == 0) {
|
if (strcmp(name, "zlib@openssh.com") == 0) {
|
||||||
comp->type = COMP_DELAYED;
|
comp->type = COMP_DELAYED;
|
||||||
} else if (strcmp(name, "zlib") == 0) {
|
@@ -1043,7 +1056,7 @@ kex_choose_conf(struct ssh *ssh)
|
||||||
@@ -1039,7 +1052,7 @@ kex_choose_conf(struct ssh *ssh)
|
|
||||||
nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC;
|
nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC;
|
||||||
nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC;
|
nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC;
|
||||||
ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
|
ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
|
||||||
@ -1011,7 +1010,7 @@ index 92d8ee0..96e44a5 100644
|
|||||||
sprop[nenc])) != 0) {
|
sprop[nenc])) != 0) {
|
||||||
kex->failed_choice = peer[nenc];
|
kex->failed_choice = peer[nenc];
|
||||||
peer[nenc] = NULL;
|
peer[nenc] = NULL;
|
||||||
@@ -1054,7 +1067,7 @@ kex_choose_conf(struct ssh *ssh)
|
@@ -1058,7 +1071,7 @@ kex_choose_conf(struct ssh *ssh)
|
||||||
peer[nmac] = NULL;
|
peer[nmac] = NULL;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@ -1020,7 +1019,7 @@ index 92d8ee0..96e44a5 100644
|
|||||||
sprop[ncomp])) != 0) {
|
sprop[ncomp])) != 0) {
|
||||||
kex->failed_choice = peer[ncomp];
|
kex->failed_choice = peer[ncomp];
|
||||||
peer[ncomp] = NULL;
|
peer[ncomp] = NULL;
|
||||||
@@ -1077,6 +1090,10 @@ kex_choose_conf(struct ssh *ssh)
|
@@ -1081,6 +1094,10 @@ kex_choose_conf(struct ssh *ssh)
|
||||||
dh_need = MAXIMUM(dh_need, newkeys->enc.block_size);
|
dh_need = MAXIMUM(dh_need, newkeys->enc.block_size);
|
||||||
dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len);
|
dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len);
|
||||||
dh_need = MAXIMUM(dh_need, newkeys->mac.key_len);
|
dh_need = MAXIMUM(dh_need, newkeys->mac.key_len);
|
||||||
@ -1031,7 +1030,7 @@ index 92d8ee0..96e44a5 100644
|
|||||||
}
|
}
|
||||||
/* XXX need runden? */
|
/* XXX need runden? */
|
||||||
kex->we_need = need;
|
kex->we_need = need;
|
||||||
@@ -1241,6 +1258,36 @@ dump_digest(const char *msg, const u_char *digest, int len)
|
@@ -1245,6 +1262,36 @@ dump_digest(const char *msg, const u_char *digest, int len)
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -1118,7 +1117,7 @@ index 0b119d7..5fb593b 100644
|
|||||||
|
|
||||||
#endif /* SSHMAC_H */
|
#endif /* SSHMAC_H */
|
||||||
diff --git a/monitor.c b/monitor.c
|
diff --git a/monitor.c b/monitor.c
|
||||||
index 20812fa..2e421cf 100644
|
index cf775e5..fcd8283 100644
|
||||||
--- a/monitor.c
|
--- a/monitor.c
|
||||||
+++ b/monitor.c
|
+++ b/monitor.c
|
||||||
@@ -93,6 +93,7 @@
|
@@ -93,6 +93,7 @@
|
||||||
@ -1128,8 +1127,8 @@ index 20812fa..2e421cf 100644
|
|||||||
+#include "audit.h"
|
+#include "audit.h"
|
||||||
#include "match.h"
|
#include "match.h"
|
||||||
#include "ssherr.h"
|
#include "ssherr.h"
|
||||||
|
#include "sk-api.h"
|
||||||
@@ -107,6 +108,8 @@ extern u_char session_id[];
|
@@ -108,6 +109,8 @@ extern u_char session_id[];
|
||||||
extern struct sshbuf *loginmsg;
|
extern struct sshbuf *loginmsg;
|
||||||
extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */
|
extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */
|
||||||
|
|
||||||
@ -1138,7 +1137,7 @@ index 20812fa..2e421cf 100644
|
|||||||
/* State exported from the child */
|
/* State exported from the child */
|
||||||
static struct sshbuf *child_state;
|
static struct sshbuf *child_state;
|
||||||
|
|
||||||
@@ -154,6 +157,11 @@ int mm_answer_gss_updatecreds(struct ssh*, int, struct sshbuf *);
|
@@ -155,6 +158,11 @@ int mm_answer_gss_updatecreds(struct ssh*, int, struct sshbuf *);
|
||||||
#ifdef SSH_AUDIT_EVENTS
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
int mm_answer_audit_event(struct ssh *, int, struct sshbuf *);
|
int mm_answer_audit_event(struct ssh *, int, struct sshbuf *);
|
||||||
int mm_answer_audit_command(struct ssh *, int, struct sshbuf *);
|
int mm_answer_audit_command(struct ssh *, int, struct sshbuf *);
|
||||||
@ -1150,7 +1149,7 @@ index 20812fa..2e421cf 100644
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
static Authctxt *authctxt;
|
static Authctxt *authctxt;
|
||||||
@@ -209,6 +217,10 @@ struct mon_table mon_dispatch_proto20[] = {
|
@@ -210,6 +218,10 @@ struct mon_table mon_dispatch_proto20[] = {
|
||||||
#endif
|
#endif
|
||||||
#ifdef SSH_AUDIT_EVENTS
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||||
@ -1161,7 +1160,7 @@ index 20812fa..2e421cf 100644
|
|||||||
#endif
|
#endif
|
||||||
#ifdef BSD_AUTH
|
#ifdef BSD_AUTH
|
||||||
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
|
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
|
||||||
@@ -243,6 +255,11 @@ struct mon_table mon_dispatch_postauth20[] = {
|
@@ -244,6 +256,11 @@ struct mon_table mon_dispatch_postauth20[] = {
|
||||||
#ifdef SSH_AUDIT_EVENTS
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||||
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
|
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
|
||||||
@ -1173,19 +1172,19 @@ index 20812fa..2e421cf 100644
|
|||||||
#endif
|
#endif
|
||||||
{0, 0, NULL}
|
{0, 0, NULL}
|
||||||
};
|
};
|
||||||
@@ -1408,8 +1425,10 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
|
@@ -1406,8 +1423,10 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
char *sigalg;
|
|
||||||
size_t signaturelen, datalen, bloblen;
|
size_t signaturelen, datalen, bloblen;
|
||||||
int r, ret, valid_data = 0, encoded_ret;
|
int r, ret, req_presence = 0, valid_data = 0, encoded_ret;
|
||||||
|
struct sshkey_sig_details *sig_details = NULL;
|
||||||
+ int type = 0;
|
+ int type = 0;
|
||||||
|
|
||||||
- if ((r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
|
- if ((r = sshbuf_get_string_direct(m, &blob, &bloblen)) != 0 ||
|
||||||
+ if ((r = sshbuf_get_u32(m, &type)) != 0 ||
|
+ if ((r = sshbuf_get_u32(m, &type)) != 0 ||
|
||||||
+ (r = sshbuf_get_string(m, &blob, &bloblen)) != 0 ||
|
+ (r = sshbuf_get_string_direct(m, &blob, &bloblen)) != 0 ||
|
||||||
(r = sshbuf_get_string(m, &signature, &signaturelen)) != 0 ||
|
(r = sshbuf_get_string_direct(m, &signature, &signaturelen)) != 0 ||
|
||||||
(r = sshbuf_get_string(m, &data, &datalen)) != 0 ||
|
(r = sshbuf_get_string_direct(m, &data, &datalen)) != 0 ||
|
||||||
(r = sshbuf_get_cstring(m, &sigalg, NULL)) != 0)
|
(r = sshbuf_get_cstring(m, &sigalg, NULL)) != 0)
|
||||||
@@ -1418,6 +1437,8 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
|
@@ -1416,6 +1435,8 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
if (hostbased_cuser == NULL || hostbased_chost == NULL ||
|
if (hostbased_cuser == NULL || hostbased_chost == NULL ||
|
||||||
!monitor_allowed_key(blob, bloblen))
|
!monitor_allowed_key(blob, bloblen))
|
||||||
fatal("%s: bad key, not previously allowed", __func__);
|
fatal("%s: bad key, not previously allowed", __func__);
|
||||||
@ -1194,19 +1193,19 @@ index 20812fa..2e421cf 100644
|
|||||||
|
|
||||||
/* Empty signature algorithm means NULL. */
|
/* Empty signature algorithm means NULL. */
|
||||||
if (*sigalg == '\0') {
|
if (*sigalg == '\0') {
|
||||||
@@ -1433,21 +1454,24 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
|
@@ -1431,14 +1452,19 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
case MM_USERKEY:
|
case MM_USERKEY:
|
||||||
valid_data = monitor_valid_userblob(data, datalen);
|
valid_data = monitor_valid_userblob(data, datalen);
|
||||||
auth_method = "publickey";
|
auth_method = "publickey";
|
||||||
+ ret = user_key_verify(ssh, key, signature, signaturelen, data,
|
+ ret = user_key_verify(ssh, key, signature, signaturelen, data,
|
||||||
+ datalen, sigalg, ssh->compat);
|
+ datalen, sigalg, ssh->compat, &sig_details);
|
||||||
break;
|
break;
|
||||||
case MM_HOSTKEY:
|
case MM_HOSTKEY:
|
||||||
valid_data = monitor_valid_hostbasedblob(data, datalen,
|
valid_data = monitor_valid_hostbasedblob(data, datalen,
|
||||||
hostbased_cuser, hostbased_chost);
|
hostbased_cuser, hostbased_chost);
|
||||||
+ ret = hostbased_key_verify(ssh, key, signature, signaturelen, data,
|
|
||||||
+ datalen, sigalg, ssh->compat);
|
|
||||||
auth_method = "hostbased";
|
auth_method = "hostbased";
|
||||||
|
+ ret = hostbased_key_verify(ssh, key, signature, signaturelen, data,
|
||||||
|
+ datalen, sigalg, ssh->compat, &sig_details);
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
valid_data = 0;
|
valid_data = 0;
|
||||||
@ -1214,14 +1213,16 @@ index 20812fa..2e421cf 100644
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
if (!valid_data)
|
if (!valid_data)
|
||||||
fatal("%s: bad signature data blob", __func__);
|
@@ -1448,8 +1474,6 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
|
SSH_FP_DEFAULT)) == NULL)
|
||||||
|
fatal("%s: sshkey_fingerprint failed", __func__);
|
||||||
|
|
||||||
- ret = sshkey_verify(key, signature, signaturelen, data, datalen,
|
- ret = sshkey_verify(key, signature, signaturelen, data, datalen,
|
||||||
- sigalg, ssh->compat);
|
- sigalg, ssh->compat, &sig_details);
|
||||||
debug3("%s: %s %p signature %s", __func__, auth_method, key,
|
debug3("%s: %s %p signature %s%s%s", __func__, auth_method, key,
|
||||||
(ret == 0) ? "verified" : "unverified");
|
(ret == 0) ? "verified" : "unverified",
|
||||||
auth2_record_key(authctxt, ret == 0, key);
|
(ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : "");
|
||||||
@@ -1499,13 +1523,19 @@ mm_record_login(struct ssh *ssh, Session *s, struct passwd *pw)
|
@@ -1524,13 +1548,19 @@ mm_record_login(struct ssh *ssh, Session *s, struct passwd *pw)
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
@ -1242,7 +1243,7 @@ index 20812fa..2e421cf 100644
|
|||||||
session_unused(s->self);
|
session_unused(s->self);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1572,7 +1602,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
|
@@ -1597,7 +1627,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
|
|
||||||
error:
|
error:
|
||||||
if (s != NULL)
|
if (s != NULL)
|
||||||
@ -1251,7 +1252,7 @@ index 20812fa..2e421cf 100644
|
|||||||
if ((r = sshbuf_put_u32(m, 0)) != 0)
|
if ((r = sshbuf_put_u32(m, 0)) != 0)
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||||
mm_request_send(sock, MONITOR_ANS_PTY, m);
|
mm_request_send(sock, MONITOR_ANS_PTY, m);
|
||||||
@@ -1591,7 +1621,7 @@ mm_answer_pty_cleanup(struct ssh *ssh, int sock, struct sshbuf *m)
|
@@ -1616,7 +1646,7 @@ mm_answer_pty_cleanup(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
if ((r = sshbuf_get_cstring(m, &tty, NULL)) != 0)
|
if ((r = sshbuf_get_cstring(m, &tty, NULL)) != 0)
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||||
if ((s = session_by_tty(tty)) != NULL)
|
if ((s = session_by_tty(tty)) != NULL)
|
||||||
@ -1260,7 +1261,7 @@ index 20812fa..2e421cf 100644
|
|||||||
sshbuf_reset(m);
|
sshbuf_reset(m);
|
||||||
free(tty);
|
free(tty);
|
||||||
return (0);
|
return (0);
|
||||||
@@ -1613,6 +1643,8 @@ mm_answer_term(struct ssh *ssh, int sock, struct sshbuf *req)
|
@@ -1638,6 +1668,8 @@ mm_answer_term(struct ssh *ssh, int sock, struct sshbuf *req)
|
||||||
sshpam_cleanup();
|
sshpam_cleanup();
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -1269,7 +1270,7 @@ index 20812fa..2e421cf 100644
|
|||||||
while (waitpid(pmonitor->m_pid, &status, 0) == -1)
|
while (waitpid(pmonitor->m_pid, &status, 0) == -1)
|
||||||
if (errno != EINTR)
|
if (errno != EINTR)
|
||||||
exit(1);
|
exit(1);
|
||||||
@@ -1659,12 +1691,47 @@ mm_answer_audit_command(struct ssh *ssh, int socket, struct sshbuf *m)
|
@@ -1684,12 +1716,47 @@ mm_answer_audit_command(struct ssh *ssh, int socket, struct sshbuf *m)
|
||||||
{
|
{
|
||||||
char *cmd;
|
char *cmd;
|
||||||
int r;
|
int r;
|
||||||
@ -1318,7 +1319,7 @@ index 20812fa..2e421cf 100644
|
|||||||
free(cmd);
|
free(cmd);
|
||||||
return (0);
|
return (0);
|
||||||
}
|
}
|
||||||
@@ -1730,6 +1797,7 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
|
@@ -1755,6 +1822,7 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
|
||||||
void
|
void
|
||||||
mm_get_keystate(struct ssh *ssh, struct monitor *pmonitor)
|
mm_get_keystate(struct ssh *ssh, struct monitor *pmonitor)
|
||||||
{
|
{
|
||||||
@ -1326,7 +1327,7 @@ index 20812fa..2e421cf 100644
|
|||||||
debug3("%s: Waiting for new keys", __func__);
|
debug3("%s: Waiting for new keys", __func__);
|
||||||
|
|
||||||
if ((child_state = sshbuf_new()) == NULL)
|
if ((child_state = sshbuf_new()) == NULL)
|
||||||
@@ -1737,6 +1805,19 @@ mm_get_keystate(struct ssh *ssh, struct monitor *pmonitor)
|
@@ -1762,6 +1830,19 @@ mm_get_keystate(struct ssh *ssh, struct monitor *pmonitor)
|
||||||
mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT,
|
mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT,
|
||||||
child_state);
|
child_state);
|
||||||
debug3("%s: GOT new keys", __func__);
|
debug3("%s: GOT new keys", __func__);
|
||||||
@ -1346,7 +1347,7 @@ index 20812fa..2e421cf 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@@ -2014,3 +2095,102 @@ mm_answer_gss_updatecreds(struct ssh *ssh, int socket, struct sshbuf *m) {
|
@@ -2039,3 +2120,102 @@ mm_answer_gss_updatecreds(struct ssh *ssh, int socket, struct sshbuf *m) {
|
||||||
|
|
||||||
#endif /* GSSAPI */
|
#endif /* GSSAPI */
|
||||||
|
|
||||||
@ -1469,7 +1470,7 @@ index 2b1a2d5..7817990 100644
|
|||||||
MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151,
|
MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151,
|
||||||
MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153,
|
MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153,
|
||||||
diff --git a/monitor_wrap.c b/monitor_wrap.c
|
diff --git a/monitor_wrap.c b/monitor_wrap.c
|
||||||
index fdca39a..b427dd6 100644
|
index 6edb509..cb5e5f3 100644
|
||||||
--- a/monitor_wrap.c
|
--- a/monitor_wrap.c
|
||||||
+++ b/monitor_wrap.c
|
+++ b/monitor_wrap.c
|
||||||
@@ -492,7 +492,7 @@ mm_key_allowed(enum mm_keytype type, const char *user, const char *host,
|
@@ -492,7 +492,7 @@ mm_key_allowed(enum mm_keytype type, const char *user, const char *host,
|
||||||
@ -1478,11 +1479,11 @@ index fdca39a..b427dd6 100644
|
|||||||
int
|
int
|
||||||
-mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
|
-mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
|
||||||
+mm_sshkey_verify(enum mm_keytype type, const struct sshkey *key, const u_char *sig, size_t siglen,
|
+mm_sshkey_verify(enum mm_keytype type, const struct sshkey *key, const u_char *sig, size_t siglen,
|
||||||
const u_char *data, size_t datalen, const char *sigalg, u_int compat)
|
const u_char *data, size_t datalen, const char *sigalg, u_int compat,
|
||||||
|
struct sshkey_sig_details **sig_detailsp)
|
||||||
{
|
{
|
||||||
struct sshbuf *m;
|
@@ -508,7 +508,8 @@ mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
|
||||||
@@ -504,7 +504,8 @@ mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
|
*sig_detailsp = NULL;
|
||||||
|
|
||||||
if ((m = sshbuf_new()) == NULL)
|
if ((m = sshbuf_new()) == NULL)
|
||||||
fatal("%s: sshbuf_new failed", __func__);
|
fatal("%s: sshbuf_new failed", __func__);
|
||||||
- if ((r = sshkey_puts(key, m)) != 0 ||
|
- if ((r = sshkey_puts(key, m)) != 0 ||
|
||||||
@ -1491,28 +1492,28 @@ index fdca39a..b427dd6 100644
|
|||||||
(r = sshbuf_put_string(m, sig, siglen)) != 0 ||
|
(r = sshbuf_put_string(m, sig, siglen)) != 0 ||
|
||||||
(r = sshbuf_put_string(m, data, datalen)) != 0 ||
|
(r = sshbuf_put_string(m, data, datalen)) != 0 ||
|
||||||
(r = sshbuf_put_cstring(m, sigalg == NULL ? "" : sigalg)) != 0)
|
(r = sshbuf_put_cstring(m, sigalg == NULL ? "" : sigalg)) != 0)
|
||||||
@@ -526,6 +527,20 @@ mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
|
@@ -541,6 +542,20 @@ mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
+int
|
+int
|
||||||
+mm_hostbased_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig, size_t siglen,
|
+mm_hostbased_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig, size_t siglen,
|
||||||
+ const u_char *data, size_t datalen, const char *pkalg, u_int compat)
|
+ const u_char *data, size_t datalen, const char *pkalg, u_int compat, struct sshkey_sig_details **sigdet)
|
||||||
+{
|
+{
|
||||||
+ return mm_sshkey_verify(MM_HOSTKEY, key, sig, siglen, data, datalen, pkalg, compat);
|
+ return mm_sshkey_verify(MM_HOSTKEY, key, sig, siglen, data, datalen, pkalg, compat, sigdet);
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+int
|
+int
|
||||||
+mm_user_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig, size_t siglen,
|
+mm_user_key_verify(struct ssh *ssh, const struct sshkey *key, const u_char *sig, size_t siglen,
|
||||||
+ const u_char *data, size_t datalen, const char *pkalg, u_int compat)
|
+ const u_char *data, size_t datalen, const char *pkalg, u_int compat, struct sshkey_sig_details **sigdet)
|
||||||
+{
|
+{
|
||||||
+ return mm_sshkey_verify(MM_USERKEY, key, sig, siglen, data, datalen, pkalg, compat);
|
+ return mm_sshkey_verify(MM_USERKEY, key, sig, siglen, data, datalen, pkalg, compat, sigdet);
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
void
|
void
|
||||||
mm_send_keystate(struct ssh *ssh, struct monitor *monitor)
|
mm_send_keystate(struct ssh *ssh, struct monitor *monitor)
|
||||||
{
|
{
|
||||||
@@ -879,11 +894,12 @@ mm_audit_event(struct ssh *ssh, ssh_audit_event_t event)
|
@@ -894,11 +909,12 @@ mm_audit_event(struct ssh *ssh, ssh_audit_event_t event)
|
||||||
sshbuf_free(m);
|
sshbuf_free(m);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1527,7 +1528,7 @@ index fdca39a..b427dd6 100644
|
|||||||
|
|
||||||
debug3("%s entering command %s", __func__, command);
|
debug3("%s entering command %s", __func__, command);
|
||||||
|
|
||||||
@@ -893,6 +909,30 @@ mm_audit_run_command(const char *command)
|
@@ -908,6 +924,30 @@ mm_audit_run_command(const char *command)
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||||
|
|
||||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, m);
|
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, m);
|
||||||
@ -1558,7 +1559,7 @@ index fdca39a..b427dd6 100644
|
|||||||
sshbuf_free(m);
|
sshbuf_free(m);
|
||||||
}
|
}
|
||||||
#endif /* SSH_AUDIT_EVENTS */
|
#endif /* SSH_AUDIT_EVENTS */
|
||||||
@@ -1053,3 +1093,83 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
|
@@ -1068,3 +1108,83 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
|
||||||
}
|
}
|
||||||
|
|
||||||
#endif /* GSSAPI */
|
#endif /* GSSAPI */
|
||||||
@ -1643,21 +1644,21 @@ index fdca39a..b427dd6 100644
|
|||||||
+}
|
+}
|
||||||
+#endif /* SSH_AUDIT_EVENTS */
|
+#endif /* SSH_AUDIT_EVENTS */
|
||||||
diff --git a/monitor_wrap.h b/monitor_wrap.h
|
diff --git a/monitor_wrap.h b/monitor_wrap.h
|
||||||
index 92dda57..d413dac 100644
|
index 485590c..73c095e 100644
|
||||||
--- a/monitor_wrap.h
|
--- a/monitor_wrap.h
|
||||||
+++ b/monitor_wrap.h
|
+++ b/monitor_wrap.h
|
||||||
@@ -56,7 +56,9 @@ int mm_user_key_allowed(struct ssh *, struct passwd *, struct sshkey *, int,
|
@@ -57,7 +57,9 @@ int mm_user_key_allowed(struct ssh *, struct passwd *, struct sshkey *, int,
|
||||||
struct sshauthopt **);
|
struct sshauthopt **);
|
||||||
int mm_hostbased_key_allowed(struct ssh *, struct passwd *, const char *,
|
int mm_hostbased_key_allowed(struct ssh *, struct passwd *, const char *,
|
||||||
const char *, struct sshkey *);
|
const char *, struct sshkey *);
|
||||||
-int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
|
-int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
|
||||||
+int mm_hostbased_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
|
+int mm_hostbased_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
|
||||||
+ const u_char *, size_t, const char *, u_int);
|
+ const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
|
||||||
+int mm_user_key_verify(struct ssh*, const struct sshkey *, const u_char *, size_t,
|
+int mm_user_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
|
||||||
const u_char *, size_t, const char *, u_int);
|
const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
|
||||||
|
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
@@ -81,7 +83,12 @@ void mm_sshpam_free_ctx(void *);
|
@@ -82,7 +84,12 @@ void mm_sshpam_free_ctx(void *);
|
||||||
#ifdef SSH_AUDIT_EVENTS
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
#include "audit.h"
|
#include "audit.h"
|
||||||
void mm_audit_event(struct ssh *, ssh_audit_event_t);
|
void mm_audit_event(struct ssh *, ssh_audit_event_t);
|
||||||
@ -1672,18 +1673,18 @@ index 92dda57..d413dac 100644
|
|||||||
|
|
||||||
struct Session;
|
struct Session;
|
||||||
diff --git a/packet.c b/packet.c
|
diff --git a/packet.c b/packet.c
|
||||||
index 817da43..aec02e4 100644
|
index e7abb34..3e9c95e 100644
|
||||||
--- a/packet.c
|
--- a/packet.c
|
||||||
+++ b/packet.c
|
+++ b/packet.c
|
||||||
@@ -77,6 +77,7 @@
|
@@ -81,6 +81,7 @@
|
||||||
#include <zlib.h>
|
#endif
|
||||||
|
|
||||||
#include "xmalloc.h"
|
#include "xmalloc.h"
|
||||||
+#include "audit.h"
|
+#include "audit.h"
|
||||||
#include "compat.h"
|
#include "compat.h"
|
||||||
#include "ssh2.h"
|
#include "ssh2.h"
|
||||||
#include "cipher.h"
|
#include "cipher.h"
|
||||||
@@ -509,6 +510,13 @@ ssh_packet_get_connection_out(struct ssh *ssh)
|
@@ -515,6 +516,13 @@ ssh_packet_get_connection_out(struct ssh *ssh)
|
||||||
return ssh->state->connection_out;
|
return ssh->state->connection_out;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1697,7 +1698,7 @@ index 817da43..aec02e4 100644
|
|||||||
/*
|
/*
|
||||||
* Returns the IP-address of the remote host as a string. The returned
|
* Returns the IP-address of the remote host as a string. The returned
|
||||||
* string must not be freed.
|
* string must not be freed.
|
||||||
@@ -586,22 +594,19 @@ ssh_packet_close_internal(struct ssh *ssh, int do_close)
|
@@ -592,22 +600,19 @@ ssh_packet_close_internal(struct ssh *ssh, int do_close)
|
||||||
{
|
{
|
||||||
struct session_state *state = ssh->state;
|
struct session_state *state = ssh->state;
|
||||||
u_int mode;
|
u_int mode;
|
||||||
@ -1725,8 +1726,8 @@ index 817da43..aec02e4 100644
|
|||||||
for (mode = 0; mode < MODE_MAX; mode++) {
|
for (mode = 0; mode < MODE_MAX; mode++) {
|
||||||
kex_free_newkeys(state->newkeys[mode]); /* current keys */
|
kex_free_newkeys(state->newkeys[mode]); /* current keys */
|
||||||
state->newkeys[mode] = NULL;
|
state->newkeys[mode] = NULL;
|
||||||
@@ -635,8 +640,18 @@ ssh_packet_close_internal(struct ssh *ssh, int do_close)
|
@@ -643,8 +648,18 @@ ssh_packet_close_internal(struct ssh *ssh, int do_close)
|
||||||
}
|
#endif /* WITH_ZLIB */
|
||||||
cipher_free(state->send_context);
|
cipher_free(state->send_context);
|
||||||
cipher_free(state->receive_context);
|
cipher_free(state->receive_context);
|
||||||
+ if (had_keys && state->server_side) {
|
+ if (had_keys && state->server_side) {
|
||||||
@ -1744,7 +1745,7 @@ index 817da43..aec02e4 100644
|
|||||||
free(ssh->local_ipaddr);
|
free(ssh->local_ipaddr);
|
||||||
ssh->local_ipaddr = NULL;
|
ssh->local_ipaddr = NULL;
|
||||||
free(ssh->remote_ipaddr);
|
free(ssh->remote_ipaddr);
|
||||||
@@ -863,6 +878,7 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
|
@@ -899,6 +914,7 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
|
||||||
(unsigned long long)state->p_send.bytes,
|
(unsigned long long)state->p_send.bytes,
|
||||||
(unsigned long long)state->p_send.blocks);
|
(unsigned long long)state->p_send.blocks);
|
||||||
kex_free_newkeys(state->newkeys[mode]);
|
kex_free_newkeys(state->newkeys[mode]);
|
||||||
@ -1752,7 +1753,7 @@ index 817da43..aec02e4 100644
|
|||||||
state->newkeys[mode] = NULL;
|
state->newkeys[mode] = NULL;
|
||||||
}
|
}
|
||||||
/* note that both bytes and the seqnr are not reset */
|
/* note that both bytes and the seqnr are not reset */
|
||||||
@@ -2166,6 +2182,71 @@ ssh_packet_get_output(struct ssh *ssh)
|
@@ -2205,6 +2221,71 @@ ssh_packet_get_output(struct ssh *ssh)
|
||||||
return (void *)ssh->state->output;
|
return (void *)ssh->state->output;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1825,17 +1826,17 @@ index 817da43..aec02e4 100644
|
|||||||
static int
|
static int
|
||||||
ssh_packet_set_postauth(struct ssh *ssh)
|
ssh_packet_set_postauth(struct ssh *ssh)
|
||||||
diff --git a/packet.h b/packet.h
|
diff --git a/packet.h b/packet.h
|
||||||
index 8ccfd2e..cfd9ebe 100644
|
index c2544bd..239b391 100644
|
||||||
--- a/packet.h
|
--- a/packet.h
|
||||||
+++ b/packet.h
|
+++ b/packet.h
|
||||||
@@ -217,4 +217,5 @@ const u_char *sshpkt_ptr(struct ssh *, size_t *lenp);
|
@@ -218,4 +218,5 @@ const u_char *sshpkt_ptr(struct ssh *, size_t *lenp);
|
||||||
# undef EC_POINT
|
# undef EC_POINT
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
+void packet_destroy_all(struct ssh *, int, int);
|
+void packet_destroy_all(struct ssh *, int, int);
|
||||||
#endif /* PACKET_H */
|
#endif /* PACKET_H */
|
||||||
diff --git a/session.c b/session.c
|
diff --git a/session.c b/session.c
|
||||||
index 89f9539..07411f3 100644
|
index 530aa26..9e7a8f8 100644
|
||||||
--- a/session.c
|
--- a/session.c
|
||||||
+++ b/session.c
|
+++ b/session.c
|
||||||
@@ -136,7 +136,7 @@ extern char *__progname;
|
@@ -136,7 +136,7 @@ extern char *__progname;
|
||||||
@ -1884,7 +1885,7 @@ index 89f9539..07411f3 100644
|
|||||||
#endif
|
#endif
|
||||||
if (s->ttyfd != -1)
|
if (s->ttyfd != -1)
|
||||||
ret = do_exec_pty(ssh, s, command);
|
ret = do_exec_pty(ssh, s, command);
|
||||||
@@ -1531,8 +1543,11 @@ do_child(struct ssh *ssh, Session *s, const char *command)
|
@@ -1535,8 +1547,11 @@ do_child(struct ssh *ssh, Session *s, const char *command)
|
||||||
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
|
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
|
||||||
|
|
||||||
/* remove hostkey from the child's memory */
|
/* remove hostkey from the child's memory */
|
||||||
@ -1897,7 +1898,7 @@ index 89f9539..07411f3 100644
|
|||||||
|
|
||||||
/* Force a password change */
|
/* Force a password change */
|
||||||
if (s->authctxt->force_pwchange) {
|
if (s->authctxt->force_pwchange) {
|
||||||
@@ -1741,6 +1756,9 @@ session_unused(int id)
|
@@ -1745,6 +1760,9 @@ session_unused(int id)
|
||||||
sessions[id].ttyfd = -1;
|
sessions[id].ttyfd = -1;
|
||||||
sessions[id].ptymaster = -1;
|
sessions[id].ptymaster = -1;
|
||||||
sessions[id].x11_chanids = NULL;
|
sessions[id].x11_chanids = NULL;
|
||||||
@ -1907,7 +1908,7 @@ index 89f9539..07411f3 100644
|
|||||||
sessions[id].next_unused = sessions_first_unused;
|
sessions[id].next_unused = sessions_first_unused;
|
||||||
sessions_first_unused = id;
|
sessions_first_unused = id;
|
||||||
}
|
}
|
||||||
@@ -1822,6 +1840,19 @@ session_open(Authctxt *authctxt, int chanid)
|
@@ -1826,6 +1844,19 @@ session_open(Authctxt *authctxt, int chanid)
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1927,7 +1928,7 @@ index 89f9539..07411f3 100644
|
|||||||
Session *
|
Session *
|
||||||
session_by_tty(char *tty)
|
session_by_tty(char *tty)
|
||||||
{
|
{
|
||||||
@@ -2433,6 +2464,32 @@ session_exit_message(struct ssh *ssh, Session *s, int status)
|
@@ -2437,6 +2468,32 @@ session_exit_message(struct ssh *ssh, Session *s, int status)
|
||||||
chan_write_failed(ssh, c);
|
chan_write_failed(ssh, c);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1960,7 +1961,7 @@ index 89f9539..07411f3 100644
|
|||||||
void
|
void
|
||||||
session_close(struct ssh *ssh, Session *s)
|
session_close(struct ssh *ssh, Session *s)
|
||||||
{
|
{
|
||||||
@@ -2474,6 +2531,10 @@ session_close(struct ssh *ssh, Session *s)
|
@@ -2478,6 +2535,10 @@ session_close(struct ssh *ssh, Session *s)
|
||||||
|
|
||||||
if (s->ttyfd != -1)
|
if (s->ttyfd != -1)
|
||||||
session_pty_cleanup(s);
|
session_pty_cleanup(s);
|
||||||
@ -1971,7 +1972,7 @@ index 89f9539..07411f3 100644
|
|||||||
free(s->term);
|
free(s->term);
|
||||||
free(s->display);
|
free(s->display);
|
||||||
free(s->x11_chanids);
|
free(s->x11_chanids);
|
||||||
@@ -2549,14 +2610,14 @@ session_close_by_channel(struct ssh *ssh, int id, void *arg)
|
@@ -2553,14 +2614,14 @@ session_close_by_channel(struct ssh *ssh, int id, void *arg)
|
||||||
}
|
}
|
||||||
|
|
||||||
void
|
void
|
||||||
@ -1988,7 +1989,7 @@ index 89f9539..07411f3 100644
|
|||||||
else
|
else
|
||||||
session_close(ssh, s);
|
session_close(ssh, s);
|
||||||
}
|
}
|
||||||
@@ -2682,6 +2743,15 @@ do_authenticated2(struct ssh *ssh, Authctxt *authctxt)
|
@@ -2686,6 +2747,15 @@ do_authenticated2(struct ssh *ssh, Authctxt *authctxt)
|
||||||
server_loop2(ssh, authctxt);
|
server_loop2(ssh, authctxt);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2004,7 +2005,7 @@ index 89f9539..07411f3 100644
|
|||||||
void
|
void
|
||||||
do_cleanup(struct ssh *ssh, Authctxt *authctxt)
|
do_cleanup(struct ssh *ssh, Authctxt *authctxt)
|
||||||
{
|
{
|
||||||
@@ -2745,7 +2815,7 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt)
|
@@ -2749,7 +2819,7 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt)
|
||||||
* or if running in monitor.
|
* or if running in monitor.
|
||||||
*/
|
*/
|
||||||
if (!use_privsep || mm_is_monitor())
|
if (!use_privsep || mm_is_monitor())
|
||||||
@ -2045,10 +2046,10 @@ index ce59dab..bcd4b1d 100644
|
|||||||
void session_close(struct ssh *, Session *);
|
void session_close(struct ssh *, Session *);
|
||||||
void do_setusercontext(struct passwd *);
|
void do_setusercontext(struct passwd *);
|
||||||
diff --git a/sshd.c b/sshd.c
|
diff --git a/sshd.c b/sshd.c
|
||||||
index 0d5c4c4..dca7b1e 100644
|
index 7d23232..9c83ce0 100644
|
||||||
--- a/sshd.c
|
--- a/sshd.c
|
||||||
+++ b/sshd.c
|
+++ b/sshd.c
|
||||||
@@ -124,6 +124,7 @@
|
@@ -122,6 +122,7 @@
|
||||||
#include "ssh-gss.h"
|
#include "ssh-gss.h"
|
||||||
#endif
|
#endif
|
||||||
#include "monitor_wrap.h"
|
#include "monitor_wrap.h"
|
||||||
@ -2056,7 +2057,7 @@ index 0d5c4c4..dca7b1e 100644
|
|||||||
#include "ssh-sandbox.h"
|
#include "ssh-sandbox.h"
|
||||||
#include "auth-options.h"
|
#include "auth-options.h"
|
||||||
#include "version.h"
|
#include "version.h"
|
||||||
@@ -272,8 +273,8 @@ struct sshbuf *loginmsg;
|
@@ -267,8 +268,8 @@ struct sshbuf *loginmsg;
|
||||||
struct passwd *privsep_pw = NULL;
|
struct passwd *privsep_pw = NULL;
|
||||||
|
|
||||||
/* Prototypes for various functions defined later in this file. */
|
/* Prototypes for various functions defined later in this file. */
|
||||||
@ -2066,8 +2067,8 @@ index 0d5c4c4..dca7b1e 100644
|
|||||||
+void demote_sensitive_data(struct ssh *);
|
+void demote_sensitive_data(struct ssh *);
|
||||||
static void do_ssh2_kex(struct ssh *);
|
static void do_ssh2_kex(struct ssh *);
|
||||||
|
|
||||||
/*
|
static char *listener_proctitle;
|
||||||
@@ -289,6 +290,15 @@ close_listen_socks(void)
|
@@ -286,6 +287,15 @@ close_listen_socks(void)
|
||||||
num_listen_socks = -1;
|
num_listen_socks = -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2083,7 +2084,7 @@ index 0d5c4c4..dca7b1e 100644
|
|||||||
static void
|
static void
|
||||||
close_startup_pipes(void)
|
close_startup_pipes(void)
|
||||||
{
|
{
|
||||||
@@ -395,18 +405,45 @@ grace_alarm_handler(int sig)
|
@@ -390,18 +400,45 @@ grace_alarm_handler(int sig)
|
||||||
ssh_remote_port(the_active_state));
|
ssh_remote_port(the_active_state));
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2132,7 +2133,7 @@ index 0d5c4c4..dca7b1e 100644
|
|||||||
sshkey_free(sensitive_data.host_certificates[i]);
|
sshkey_free(sensitive_data.host_certificates[i]);
|
||||||
sensitive_data.host_certificates[i] = NULL;
|
sensitive_data.host_certificates[i] = NULL;
|
||||||
}
|
}
|
||||||
@@ -415,14 +452,26 @@ destroy_sensitive_data(void)
|
@@ -410,14 +447,26 @@ destroy_sensitive_data(void)
|
||||||
|
|
||||||
/* Demote private to public keys for network child */
|
/* Demote private to public keys for network child */
|
||||||
void
|
void
|
||||||
@ -2160,7 +2161,7 @@ index 0d5c4c4..dca7b1e 100644
|
|||||||
if ((r = sshkey_from_private(
|
if ((r = sshkey_from_private(
|
||||||
sensitive_data.host_keys[i], &tmp)) != 0)
|
sensitive_data.host_keys[i], &tmp)) != 0)
|
||||||
fatal("could not demote host %s key: %s",
|
fatal("could not demote host %s key: %s",
|
||||||
@@ -430,6 +479,12 @@ demote_sensitive_data(void)
|
@@ -425,6 +474,12 @@ demote_sensitive_data(void)
|
||||||
ssh_err(r));
|
ssh_err(r));
|
||||||
sshkey_free(sensitive_data.host_keys[i]);
|
sshkey_free(sensitive_data.host_keys[i]);
|
||||||
sensitive_data.host_keys[i] = tmp;
|
sensitive_data.host_keys[i] = tmp;
|
||||||
@ -2173,7 +2174,7 @@ index 0d5c4c4..dca7b1e 100644
|
|||||||
}
|
}
|
||||||
/* Certs do not need demotion */
|
/* Certs do not need demotion */
|
||||||
}
|
}
|
||||||
@@ -457,7 +512,7 @@ reseed_prngs(void)
|
@@ -452,7 +507,7 @@ reseed_prngs(void)
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
@ -2182,7 +2183,7 @@ index 0d5c4c4..dca7b1e 100644
|
|||||||
{
|
{
|
||||||
gid_t gidset[1];
|
gid_t gidset[1];
|
||||||
|
|
||||||
@@ -472,7 +527,7 @@ privsep_preauth_child(void)
|
@@ -467,7 +522,7 @@ privsep_preauth_child(void)
|
||||||
reseed_prngs();
|
reseed_prngs();
|
||||||
|
|
||||||
/* Demote the private keys to public keys. */
|
/* Demote the private keys to public keys. */
|
||||||
@ -2191,7 +2192,7 @@ index 0d5c4c4..dca7b1e 100644
|
|||||||
|
|
||||||
/* Demote the child */
|
/* Demote the child */
|
||||||
if (privsep_chroot) {
|
if (privsep_chroot) {
|
||||||
@@ -507,7 +562,7 @@ privsep_preauth(struct ssh *ssh)
|
@@ -502,7 +557,7 @@ privsep_preauth(struct ssh *ssh)
|
||||||
|
|
||||||
if (use_privsep == PRIVSEP_ON)
|
if (use_privsep == PRIVSEP_ON)
|
||||||
box = ssh_sandbox_init(pmonitor);
|
box = ssh_sandbox_init(pmonitor);
|
||||||
@ -2200,7 +2201,7 @@ index 0d5c4c4..dca7b1e 100644
|
|||||||
if (pid == -1) {
|
if (pid == -1) {
|
||||||
fatal("fork of unprivileged child failed");
|
fatal("fork of unprivileged child failed");
|
||||||
} else if (pid != 0) {
|
} else if (pid != 0) {
|
||||||
@@ -553,7 +608,7 @@ privsep_preauth(struct ssh *ssh)
|
@@ -548,7 +603,7 @@ privsep_preauth(struct ssh *ssh)
|
||||||
/* Arrange for logging to be sent to the monitor */
|
/* Arrange for logging to be sent to the monitor */
|
||||||
set_log_handler(mm_log_handler, pmonitor);
|
set_log_handler(mm_log_handler, pmonitor);
|
||||||
|
|
||||||
@ -2209,7 +2210,7 @@ index 0d5c4c4..dca7b1e 100644
|
|||||||
setproctitle("%s", "[net]");
|
setproctitle("%s", "[net]");
|
||||||
if (box != NULL)
|
if (box != NULL)
|
||||||
ssh_sandbox_child(box);
|
ssh_sandbox_child(box);
|
||||||
@@ -597,7 +652,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
|
@@ -592,7 +647,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
|
||||||
pmonitor->m_sendfd = -1;
|
pmonitor->m_sendfd = -1;
|
||||||
|
|
||||||
/* Demote the private keys to public keys. */
|
/* Demote the private keys to public keys. */
|
||||||
@ -2218,7 +2219,7 @@ index 0d5c4c4..dca7b1e 100644
|
|||||||
|
|
||||||
reseed_prngs();
|
reseed_prngs();
|
||||||
|
|
||||||
@@ -1060,7 +1115,7 @@ server_listen(void)
|
@@ -1101,7 +1156,7 @@ server_listen(void)
|
||||||
* from this function are in a forked subprocess.
|
* from this function are in a forked subprocess.
|
||||||
*/
|
*/
|
||||||
static void
|
static void
|
||||||
@ -2227,7 +2228,7 @@ index 0d5c4c4..dca7b1e 100644
|
|||||||
{
|
{
|
||||||
fd_set *fdset;
|
fd_set *fdset;
|
||||||
int i, j, ret, maxfd;
|
int i, j, ret, maxfd;
|
||||||
@@ -1115,6 +1170,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
|
@@ -1162,6 +1217,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
|
||||||
if (received_sigterm) {
|
if (received_sigterm) {
|
||||||
logit("Received signal %d; terminating.",
|
logit("Received signal %d; terminating.",
|
||||||
(int) received_sigterm);
|
(int) received_sigterm);
|
||||||
@ -2235,7 +2236,7 @@ index 0d5c4c4..dca7b1e 100644
|
|||||||
close_listen_socks();
|
close_listen_socks();
|
||||||
if (options.pid_file != NULL)
|
if (options.pid_file != NULL)
|
||||||
unlink(options.pid_file);
|
unlink(options.pid_file);
|
||||||
@@ -1973,7 +2029,7 @@ main(int ac, char **av)
|
@@ -2039,7 +2095,7 @@ main(int ac, char **av)
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* Accept a connection and return in a forked child */
|
/* Accept a connection and return in a forked child */
|
||||||
@ -2244,7 +2245,7 @@ index 0d5c4c4..dca7b1e 100644
|
|||||||
&newsock, config_s);
|
&newsock, config_s);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -2212,6 +2268,9 @@ main(int ac, char **av)
|
@@ -2274,6 +2330,9 @@ main(int ac, char **av)
|
||||||
do_authenticated(ssh, authctxt);
|
do_authenticated(ssh, authctxt);
|
||||||
|
|
||||||
/* The connection has been terminated. */
|
/* The connection has been terminated. */
|
||||||
@ -2254,7 +2255,7 @@ index 0d5c4c4..dca7b1e 100644
|
|||||||
ssh_packet_get_bytes(ssh, &ibytes, &obytes);
|
ssh_packet_get_bytes(ssh, &ibytes, &obytes);
|
||||||
verbose("Transferred: sent %llu, received %llu bytes",
|
verbose("Transferred: sent %llu, received %llu bytes",
|
||||||
(unsigned long long)obytes, (unsigned long long)ibytes);
|
(unsigned long long)obytes, (unsigned long long)ibytes);
|
||||||
@@ -2393,6 +2452,15 @@ do_ssh2_kex(struct ssh *ssh)
|
@@ -2457,6 +2516,15 @@ do_ssh2_kex(struct ssh *ssh)
|
||||||
void
|
void
|
||||||
cleanup_exit(int i)
|
cleanup_exit(int i)
|
||||||
{
|
{
|
||||||
@ -2270,7 +2271,7 @@ index 0d5c4c4..dca7b1e 100644
|
|||||||
if (the_active_state != NULL && the_authctxt != NULL) {
|
if (the_active_state != NULL && the_authctxt != NULL) {
|
||||||
do_cleanup(the_active_state, the_authctxt);
|
do_cleanup(the_active_state, the_authctxt);
|
||||||
if (use_privsep && privsep_is_preauth &&
|
if (use_privsep && privsep_is_preauth &&
|
||||||
@@ -2404,9 +2472,16 @@ cleanup_exit(int i)
|
@@ -2468,9 +2536,16 @@ cleanup_exit(int i)
|
||||||
pmonitor->m_pid, strerror(errno));
|
pmonitor->m_pid, strerror(errno));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -2289,10 +2290,10 @@ index 0d5c4c4..dca7b1e 100644
|
|||||||
#endif
|
#endif
|
||||||
_exit(i);
|
_exit(i);
|
||||||
diff --git a/sshkey.c b/sshkey.c
|
diff --git a/sshkey.c b/sshkey.c
|
||||||
index 4d2048b..142dc09 100644
|
index 1ac32a0..f579108 100644
|
||||||
--- a/sshkey.c
|
--- a/sshkey.c
|
||||||
+++ b/sshkey.c
|
+++ b/sshkey.c
|
||||||
@@ -340,6 +340,38 @@ sshkey_type_is_valid_ca(int type)
|
@@ -368,6 +368,38 @@ sshkey_type_is_valid_ca(int type)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2332,14 +2333,14 @@ index 4d2048b..142dc09 100644
|
|||||||
sshkey_is_cert(const struct sshkey *k)
|
sshkey_is_cert(const struct sshkey *k)
|
||||||
{
|
{
|
||||||
diff --git a/sshkey.h b/sshkey.h
|
diff --git a/sshkey.h b/sshkey.h
|
||||||
index 1bf30d0..065ef0b 100644
|
index f586e89..a08bc65 100644
|
||||||
--- a/sshkey.h
|
--- a/sshkey.h
|
||||||
+++ b/sshkey.h
|
+++ b/sshkey.h
|
||||||
@@ -164,6 +164,7 @@ int sshkey_shield_private(struct sshkey *);
|
@@ -187,6 +187,7 @@ int sshkey_shield_private(struct sshkey *);
|
||||||
int sshkey_unshield_private(struct sshkey *);
|
int sshkey_unshield_private(struct sshkey *);
|
||||||
|
|
||||||
int sshkey_type_from_name(const char *);
|
int sshkey_type_from_name(const char *);
|
||||||
+int sshkey_is_private(const struct sshkey *);
|
+int sshkey_is_private(const struct sshkey *);
|
||||||
int sshkey_is_cert(const struct sshkey *);
|
int sshkey_is_cert(const struct sshkey *);
|
||||||
|
int sshkey_is_sk(const struct sshkey *);
|
||||||
int sshkey_type_is_cert(int);
|
int sshkey_type_is_cert(int);
|
||||||
int sshkey_type_plain(int);
|
|
||||||
|
@ -1,10 +1,10 @@
|
|||||||
Index: openssh-8.1p1/sandbox-seccomp-filter.c
|
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
||||||
===================================================================
|
index c1e689e..74f69bc 100644
|
||||||
--- openssh-8.1p1.orig/sandbox-seccomp-filter.c
|
--- a/sandbox-seccomp-filter.c
|
||||||
+++ openssh-8.1p1/sandbox-seccomp-filter.c
|
+++ b/sandbox-seccomp-filter.c
|
||||||
@@ -248,6 +248,9 @@ static const struct sock_filter preauth_
|
@@ -264,6 +264,9 @@ static const struct sock_filter preauth_insns[] = {
|
||||||
#ifdef __NR_nanosleep
|
#ifdef __NR_clock_gettime64
|
||||||
SC_ALLOW(__NR_nanosleep),
|
SC_ALLOW(__NR_clock_gettime64),
|
||||||
#endif
|
#endif
|
||||||
+#ifdef __NR_clock_nanosleep
|
+#ifdef __NR_clock_nanosleep
|
||||||
+ SC_ALLOW(__NR_clock_nanosleep),
|
+ SC_ALLOW(__NR_clock_nanosleep),
|
||||||
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:02f5dbef3835d0753556f973cd57b4c19b6b1f6cd24c03445e23ac77ca1b93ff
|
|
||||||
size 1625894
|
|
@ -1,14 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAl2dLEgACgkQ0+X1a22S
|
|
||||||
DTAcUgx7BcRCaH7fb0AeQGvIrxXlyeN3uL6HOyo8MKkryN+y9zpvpcU6T8FBjtoh
|
|
||||||
zgjonewzodGj+C1ma0O9TgIfnUxdOVL+eQsPYgOWLJt2MzSnY/Ru+20J5ZGwGc+5
|
|
||||||
pJcuV+xlAuwae/EL+Pk86CdQ0D6zaf9NBHGTNmrswwhT9B3UWSCbEmmc8jm0DChm
|
|
||||||
F5+dW1nK0n6YSQ9dVUH17/ujvego5WQkOiaSxjaK29/xS39BD6jrbwfFpL3/iKru
|
|
||||||
mWVzcNJaX5WL3ZUnyZRcIHzVpBdr2n0pLCnmqIT8LGPwI3razEbZKIDXf+q0ZA88
|
|
||||||
wRfCL9aEVWjhG+v56c/NiM/wD3h3A4uh8fZeeeyP3hmgEv8Wp8g7fFxf5MaEJlGL
|
|
||||||
Oy6LeH0+x/uPySxaEvy4kuo/hapX2ClM16EMCUXHPwGIYRWdbTL7rzMTaoG3thyz
|
|
||||||
VO04LulI9Xmvadn6k3JR5mFPpIsV+LNwt3g+c+4rBWspOdTHnFqo+OO7Uk8Ee3E0
|
|
||||||
/MeuPBtqQq9o7RkoY8wtVOqT8q9/6g==
|
|
||||||
=mpF6
|
|
||||||
-----END PGP SIGNATURE-----
|
|
3
openssh-8.3p1.tar.gz
Normal file
3
openssh-8.3p1.tar.gz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:f2befbe0472fe7eb75d23340eb17531cb6b3aac24075e2066b41f814e12387b2
|
||||||
|
size 1706358
|
14
openssh-8.3p1.tar.gz.asc
Normal file
14
openssh-8.3p1.tar.gz.asc
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAl7N2TQACgkQ0+X1a22S
|
||||||
|
DTCXbAx/eycNNXxdVK3JtDQBUuSyup/eXeiuAdfTb77dKhdInk6ivaaKtVZ+3rlu
|
||||||
|
eEUwAY2Bf/majUUigI5OI/niODMqbYWBBDKRudQlDSGfH8XnRge6dRjIWXU6XvZP
|
||||||
|
MJpxVZWRorjnuCArWemlJ5QFxSds938Ae+7MFkveQ59UpRDeslYiI6twCXjRiZEL
|
||||||
|
e8lBfsfZqcOLO8KLVRvDx6sqD8EXlak8fhdjmjKdbvA4oWHLcwUcuaNT/o5I2ZWn
|
||||||
|
m2sOQcuhwt3+jm+f9SQKLURHcmGC6Hu5YXBq4+Ut7P9Qc9lAf76SDDnsrRQ8pv+Z
|
||||||
|
tLsXBO+bNe3tSkRbG/AQQRZtGEzlhM8KPyQ6oA0JqlN4Wb5XMWYFyYyJTwJ/95ZI
|
||||||
|
dluMmpwQTRVQGUNU7kVNe04TwRl+8APqvcnE3/i7MDm6EG5BHGcAneRmZfvt209F
|
||||||
|
z8yGtKQKCvZm5Rn9V0/Gm3+pq5O2sie90CPW9ebyPsajzQlrYBQPoJ1aQ+Ue4QE6
|
||||||
|
gee5eO3TZOJJ3peTqjihGUtpKH+21w==
|
||||||
|
=lhX0
|
||||||
|
-----END PGP SIGNATURE-----
|
@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# spec file for package openssh-askpass-gnome
|
# spec file for package openssh-askpass-gnome
|
||||||
#
|
#
|
||||||
# Copyright (c) 2020 SUSE LLC
|
# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
@ -18,7 +18,7 @@
|
|||||||
|
|
||||||
%define _name openssh
|
%define _name openssh
|
||||||
Name: openssh-askpass-gnome
|
Name: openssh-askpass-gnome
|
||||||
Version: 8.1p1
|
Version: 8.3p1
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
||||||
License: BSD-2-Clause
|
License: BSD-2-Clause
|
||||||
|
103
openssh.changes
103
openssh.changes
@ -1,3 +1,106 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Jun 5 00:36:08 UTC 2020 - Hans Petter Jansson <hpj@suse.com>
|
||||||
|
|
||||||
|
- Version update to 8.3p1:
|
||||||
|
= Potentially-incompatible changes
|
||||||
|
* sftp(1): reject an argument of "-1" in the same way as ssh(1) and
|
||||||
|
scp(1) do instead of accepting and silently ignoring it.
|
||||||
|
|
||||||
|
= New features
|
||||||
|
* sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore
|
||||||
|
rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only"
|
||||||
|
to allow .shosts files but not .rhosts.
|
||||||
|
* sshd(8): allow the IgnoreRhosts directive to appear anywhere in a
|
||||||
|
sshd_config, not just before any Match blocks.
|
||||||
|
* ssh(1): add %TOKEN percent expansion for the LocalFoward and
|
||||||
|
RemoteForward keywords when used for Unix domain socket forwarding.
|
||||||
|
* all: allow loading public keys from the unencrypted envelope of a
|
||||||
|
private key file if no corresponding public key file is present.
|
||||||
|
* ssh(1), sshd(8): prefer to use chacha20 from libcrypto where
|
||||||
|
possible instead of the (slower) portable C implementation included
|
||||||
|
in OpenSSH.
|
||||||
|
* ssh-keygen(1): add ability to dump the contents of a binary key
|
||||||
|
revocation list via "ssh-keygen -lQf /path".
|
||||||
|
|
||||||
|
- Additional changes from 8.2p1 release:
|
||||||
|
= Potentially-incompatible changes
|
||||||
|
* ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
|
||||||
|
(RSA/SHA1) algorithm from those accepted for certificate signatures
|
||||||
|
(i.e. the client and server CASignatureAlgorithms option) and will
|
||||||
|
use the rsa-sha2-512 signature algorithm by default when the
|
||||||
|
ssh-keygen(1) CA signs new certificates.
|
||||||
|
* ssh(1), sshd(8): this release removes diffie-hellman-group14-sha1
|
||||||
|
from the default key exchange proposal for both the client and
|
||||||
|
server.
|
||||||
|
* ssh-keygen(1): the command-line options related to the generation
|
||||||
|
and screening of safe prime numbers used by the
|
||||||
|
diffie-hellman-group-exchange-* key exchange algorithms have
|
||||||
|
changed. Most options have been folded under the -O flag.
|
||||||
|
* sshd(8): the sshd listener process title visible to ps(1) has
|
||||||
|
changed to include information about the number of connections that
|
||||||
|
are currently attempting authentication and the limits configured
|
||||||
|
by MaxStartups.
|
||||||
|
* ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
|
||||||
|
support to provide address-space isolation for token middleware
|
||||||
|
libraries (including the internal one). It needs to be installed
|
||||||
|
in the expected path, typically under /usr/libexec or similar.
|
||||||
|
|
||||||
|
= New features
|
||||||
|
* This release adds support for FIDO/U2F hardware authenticators to
|
||||||
|
OpenSSH. U2F/FIDO are open standards for inexpensive two-factor
|
||||||
|
authentication hardware that are widely used for website
|
||||||
|
authentication. In OpenSSH FIDO devices are supported by new public
|
||||||
|
key types "ecdsa-sk" and "ed25519-sk", along with corresponding
|
||||||
|
certificate types.
|
||||||
|
* sshd(8): add an Include sshd_config keyword that allows including
|
||||||
|
additional configuration files via glob(3) patterns.
|
||||||
|
* ssh(1)/sshd(8): make the LE (low effort) DSCP code point available
|
||||||
|
via the IPQoS directive.
|
||||||
|
* ssh(1): when AddKeysToAgent=yes is set and the key contains no
|
||||||
|
comment, add the key to the agent with the key's path as the
|
||||||
|
comment.
|
||||||
|
* ssh-keygen(1), ssh-agent(1): expose PKCS#11 key labels and X.509
|
||||||
|
subjects as key comments, rather than simply listing the PKCS#11
|
||||||
|
provider library path.
|
||||||
|
* ssh-keygen(1): allow PEM export of DSA and ECDSA keys.
|
||||||
|
* ssh(1), sshd(8): make zlib compile-time optional, available via the
|
||||||
|
Makefile.inc ZLIB flag on OpenBSD or via the --with-zlib configure
|
||||||
|
option for OpenSSH portable.
|
||||||
|
* sshd(8): when clients get denied by MaxStartups, send a
|
||||||
|
notification prior to the SSH2 protocol banner according to
|
||||||
|
RFC4253 section 4.2.
|
||||||
|
* ssh(1), ssh-agent(1): when invoking the $SSH_ASKPASS prompt
|
||||||
|
program, pass a hint to the program to describe the type of
|
||||||
|
desired prompt. The possible values are "confirm" (indicating
|
||||||
|
that a yes/no confirmation dialog with no text entry should be
|
||||||
|
shown), "none" (to indicate an informational message only), or
|
||||||
|
blank for the original ssh-askpass behaviour of requesting a
|
||||||
|
password/phrase.
|
||||||
|
* ssh(1): allow forwarding a different agent socket to the path
|
||||||
|
specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent
|
||||||
|
option to accepting an explicit path or the name of an environment
|
||||||
|
variable in addition to yes/no.
|
||||||
|
* ssh-keygen(1): add a new signature operations "find-principals" to
|
||||||
|
look up the principal associated with a signature from an allowed-
|
||||||
|
signers file.
|
||||||
|
* sshd(8): expose the number of currently-authenticating connections
|
||||||
|
along with the MaxStartups limit in the process title visible to
|
||||||
|
"ps".
|
||||||
|
|
||||||
|
- Rebased patches:
|
||||||
|
* openssh-7.7p1-cavstest-ctr.patch
|
||||||
|
* openssh-7.7p1-cavstest-kdf.patch
|
||||||
|
* openssh-7.7p1-fips.patch
|
||||||
|
* openssh-7.7p1-fips_checks.patch
|
||||||
|
* openssh-7.7p1-ldap.patch
|
||||||
|
* openssh-7.7p1-no_fork-no_pid_file.patch
|
||||||
|
* openssh-7.7p1-sftp_print_diagnostic_messages.patch
|
||||||
|
* openssh-8.0p1-gssapi-keyex.patch
|
||||||
|
* openssh-8.1p1-audit.patch
|
||||||
|
* openssh-8.1p1-seccomp-clock_nanosleep.patch
|
||||||
|
|
||||||
|
- Removed openssh-7.7p1-seed-prng.patch (bsc#1165158).
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Sun May 31 11:25:07 UTC 2020 - Andreas Stieger <andreas.stieger@gmx.de>
|
Sun May 31 11:25:07 UTC 2020 - Andreas Stieger <andreas.stieger@gmx.de>
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# spec file for package openssh
|
# spec file for package openssh
|
||||||
#
|
#
|
||||||
# Copyright (c) 2020 SUSE LLC
|
# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
@ -35,7 +35,7 @@
|
|||||||
%define _fillupdir %{_localstatedir}/adm/fillup-templates
|
%define _fillupdir %{_localstatedir}/adm/fillup-templates
|
||||||
%endif
|
%endif
|
||||||
Name: openssh
|
Name: openssh
|
||||||
Version: 8.1p1
|
Version: 8.3p1
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: Secure Shell Client and Server (Remote Login Program)
|
Summary: Secure Shell Client and Server (Remote Login Program)
|
||||||
License: BSD-2-Clause AND MIT
|
License: BSD-2-Clause AND MIT
|
||||||
@ -77,7 +77,6 @@ Patch18: openssh-7.7p1-cavstest-ctr.patch
|
|||||||
Patch19: openssh-7.7p1-cavstest-kdf.patch
|
Patch19: openssh-7.7p1-cavstest-kdf.patch
|
||||||
# Local FIPS patchset
|
# Local FIPS patchset
|
||||||
Patch20: openssh-7.7p1-fips_checks.patch
|
Patch20: openssh-7.7p1-fips_checks.patch
|
||||||
Patch21: openssh-7.7p1-seed-prng.patch
|
|
||||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
|
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
|
||||||
Patch22: openssh-7.7p1-systemd-notify.patch
|
Patch22: openssh-7.7p1-systemd-notify.patch
|
||||||
Patch23: openssh-8.0p1-gssapi-keyex.patch
|
Patch23: openssh-8.0p1-gssapi-keyex.patch
|
||||||
@ -112,6 +111,7 @@ BuildRequires: openssl-devel
|
|||||||
BuildRequires: pam-devel
|
BuildRequires: pam-devel
|
||||||
BuildRequires: pkgconfig
|
BuildRequires: pkgconfig
|
||||||
BuildRequires: zlib-devel
|
BuildRequires: zlib-devel
|
||||||
|
BuildRequires: pkgconfig(libfido2)
|
||||||
BuildRequires: pkgconfig(libsystemd)
|
BuildRequires: pkgconfig(libsystemd)
|
||||||
Requires(post): %fillup_prereq
|
Requires(post): %fillup_prereq
|
||||||
Requires(pre): shadow
|
Requires(pre): shadow
|
||||||
@ -211,6 +211,7 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
|
|||||||
--with-ldap \
|
--with-ldap \
|
||||||
--with-xauth=%{_bindir}/xauth \
|
--with-xauth=%{_bindir}/xauth \
|
||||||
--with-libedit \
|
--with-libedit \
|
||||||
|
--with-security-key-builtin \
|
||||||
--target=%{_target_cpu}-suse-linux
|
--target=%{_target_cpu}-suse-linux
|
||||||
|
|
||||||
%make_build
|
%make_build
|
||||||
|
Loading…
Reference in New Issue
Block a user