Accepting request 231427 from home:pcerny:factory

- curve25519 key exchange fix (-curve25519-6.6.1p1.patch) - patch re-ordering (-audit3-key_auth_usage-fips.patch, -audit4-kex_results-fips.patch) OBS-URL: https://build.opensuse.org/request/show/231427 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=80
2014-04-25 13:11:58 +00:00 · 2014-04-25 13:11:58 +00:00 · 9fb40d132b
commit 9fb40d132b
parent 4dd2bec462
16 changed files with 252 additions and 171 deletions
--- a/fix-curve25519-kex.patch
+++ b/fix-curve25519-kex.patch
@ -1,136 +0,0 @@
 Hi,
 So I screwed up when writing the support for the curve25519 KEX method
 that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
 leading zero bytes where they should have been skipped. The impact of
 this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
 peer that implements curve25519-sha256@libssh.org properly about 0.2%
 of the time (one in every 512ish connections).
 We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256
 key exchange for previous versions, but I'd recommend distributors
 of OpenSSH apply this patch so the affected code doesn't become
 too entrenched in LTS releases.
 The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as
 to distinguish itself from the incorrect versions so the compatibility
 code to disable the affected KEX isn't activated.
 I've committed this on the 6.6 branch too.
 Apologies for the hassle.
 -d
 Index: version.h
 ===================================================================
 --- version.h.orig
 +++ version.h
@@ -1,6 +1,6 @@
 /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
 -#define SSH_VERSION	"OpenSSH_6.6"
 +#define SSH_VERSION	"OpenSSH_6.6.1"
 #define SSH_PORTABLE	"p1"
 #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
 Index: compat.c
 ===================================================================
 --- compat.c.orig
 +++ compat.c
@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
 		{ "Sun_SSH_1.0*",	SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
 		{ "OpenSSH_4*",		0 },
 		{ "OpenSSH_5*",		SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
 +		{ "OpenSSH_6.6.1*",	SSH_NEW_OPENSSH},
 +		{ "OpenSSH_6.5*,"
 +		  "OpenSSH_6.6*",	SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
 		{ "OpenSSH*",		SSH_NEW_OPENSSH },
 		{ "*MindTerm*",		0 },
 		{ "2.1.0*",		SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop
 	return cipher_prop;
 }
 -
 char *
 compat_pkalg_proposal(char *pkalg_prop)
 {
@@ -265,3 +267,16 @@ compat_pkalg_proposal(char *pkalg_prop)
 	return pkalg_prop;
 }
 +char *
 +compat_kex_proposal(char *kex_prop)
 +{
 +	if (!(datafellows & SSH_BUG_CURVE25519PAD))
 +		return kex_prop;
 +	debug2("%s: original KEX proposal: %s", __func__, kex_prop);
 +	kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
 +	debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
 +	if (*kex_prop == '\0')
 +		fatal("No supported key exchange algorithms found");
 +	return kex_prop;
 +}
 +
 Index: compat.h
 ===================================================================
 --- compat.h.orig
 +++ compat.h
@@ -59,6 +59,7 @@
 #define SSH_BUG_RFWD_ADDR	0x02000000
 #define SSH_NEW_OPENSSH		0x04000000
 #define SSH_BUG_DYNAMIC_RPORT	0x08000000
 +#define SSH_BUG_CURVE25519PAD	0x10000000
 void     enable_compat13(void);
 void     enable_compat20(void);
@@ -66,6 +67,7 @@ void     compat_datafellows(const char *
 int	 proto_spec(const char *);
 char	*compat_cipher_proposal(char *);
 char	*compat_pkalg_proposal(char *);
 +char	*compat_kex_proposal(char *);
 extern int compat13;
 extern int compat20;
 Index: sshd.c
 ===================================================================
 --- sshd.c.orig
 +++ sshd.c
@@ -2675,6 +2675,9 @@ do_ssh2_kex(void)
 	if (options.kex_algorithms != NULL)
 		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
 +	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
 +	    myproposal[PROPOSAL_KEX_ALGS]);
 +
 	if (options.rekey_limit || options.rekey_interval)
 		packet_set_rekey_limits((u_int32_t)options.rekey_limit,
 		    (time_t)options.rekey_interval);
 Index: sshconnect2.c
 ===================================================================
 --- sshconnect2.c.orig
 +++ sshconnect2.c
@@ -232,6 +232,8 @@ ssh_kex2(char *host, struct sockaddr *ho
 	}
 	if (options.kex_algorithms != NULL)
 		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
 +	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
 +	    myproposal[PROPOSAL_KEX_ALGS]);
 #ifdef GSSAPI
 	/* If we've got GSSAPI algorithms, then we also support the
 Index: bufaux.c
 ===================================================================
 --- bufaux.c.orig
 +++ bufaux.c
@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *b
 	if (l > 8 * 1024)
 		fatal("%s: length %u too long", __func__, l);
 +	/* Skip leading zero bytes */
 +	for (; l > 0 && *s == 0; l--, s++)
 +		;
 	p = buf = xmalloc(l + 1);
 	/*
 	 * If most significant bit is set then prepend a zero byte to
--- a/openssh-6.6p1-X_forward_with_disabled_ipv6.patch
+++ b/openssh-6.6p1-X_forward_with_disabled_ipv6.patch
@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent 73eb63cbbd603bf8c13995c478333c1b5a2a020a
+# Parent 1055b218140c3cc19228c47878a68740363d80dd
 Do not throw away already open sockets for X11 forwarding if another socket
 family is not available for bind()
--- a/openssh-6.6p1-audit2-better_audit_of_user_actions.patch
+++ b/openssh-6.6p1-audit2-better_audit_of_user_actions.patch
@ -849,7 +849,7 @@ diff --git a/openssh-6.6p1/session.h b/openssh-6.6p1/session.h
 diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
 --- a/openssh-6.6p1/sshd.c
 +++ b/openssh-6.6p1/sshd.c
-@@ -2529,13 +2529,14 @@ cleanup_exit(int i)
+@@ -2532,13 +2532,14 @@ cleanup_exit(int i)
 			if (kill(pmonitor->m_pid, SIGKILL) != 0 &&
 			    errno != ESRCH)
 				error("%s: kill(%d): %s", __func__,
--- a/openssh-6.6p1-audit3-key_auth_usage-fips.patch
+++ b/openssh-6.6p1-audit3-key_auth_usage-fips.patch
@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent c487e15d91bc5cdfb0aedcf4d3c7fe4d0f309a73
+# Parent 5482d21e8bd06309af51dea77a5f3668859fb2a0
 diff --git a/openssh-6.6p1/auth-rsa.c b/openssh-6.6p1/auth-rsa.c
 --- a/openssh-6.6p1/auth-rsa.c
@ -11,7 +11,7 @@ diff --git a/openssh-6.6p1/auth-rsa.c b/openssh-6.6p1/auth-rsa.c
 	u_char buf[2 * SSH_DIGEST_MAX_LENGTH], mdbuf[SSH_DIGEST_MAX_LENGTH];
 	struct ssh_digest_ctx *md;
 	int len;
-     int dgst;
+ 	int dgst;
 	size_t dgst_len;
 +	int rv;
 +#ifdef SSH_AUDIT_EVENTS
--- a/openssh-6.6p1-audit4-kex_results-fips.patch
+++ b/openssh-6.6p1-audit4-kex_results-fips.patch
@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent dec5efd68e0b652282f2b9b31f5999342123d33d
+# Parent 274a545b591567f1378c1086ad3ba40c911a8bd6
 diff --git a/openssh-6.6p1/Makefile.in b/openssh-6.6p1/Makefile.in
 --- a/openssh-6.6p1/Makefile.in
--- a/openssh-6.6p1-audit5-session_key_destruction.patch
+++ b/openssh-6.6p1-audit5-session_key_destruction.patch
@ -942,7 +942,7 @@ diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
 	verbose("Closing connection to %.500s port %d", remote_ip, remote_port);
 #ifdef USE_PAM
-@@ -2523,26 +2532,38 @@ do_ssh2_kex(void)
+@@ -2526,26 +2535,38 @@ do_ssh2_kex(void)
 #endif
 	debug("KEX done");
 }
--- a/openssh-6.6p1-audit6-server_key_destruction.patch
+++ b/openssh-6.6p1-audit6-server_key_destruction.patch
@ -721,7 +721,7 @@ diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
 	BN_clear_free(session_key_int);
 	/* Set the session key.  From this on all communications will be encrypted. */
-@@ -2553,16 +2603,18 @@ cleanup_exit(int i)
+@@ -2556,16 +2606,18 @@ cleanup_exit(int i)
 			debug("Killing privsep child %d", pmonitor->m_pid);
 			if (kill(pmonitor->m_pid, SIGKILL) != 0 &&
 			    errno != ESRCH)
--- a/openssh-6.6p1-curve25519-6.6.1p1.patch
+++ b/openssh-6.6p1-curve25519-6.6.1p1.patch
@ -0,0 +1,205 @@
 # Date: Sun, 20 Apr 2014 17:14:08 +1000 (EST)
 # From: Damien Miller <djm@mindrot.org>
 # To: openssh-unix-dev@mindrot.org
 # Subject: bad bignum encoding for curve25519-sha256@libssh.org
 # Message-ID: <alpine.BSO.2.11.1404201713390.26134@natsu.mindrot.org>
 #
 # Hi,
 #
 # So I screwed up when writing the support for the curve25519 KEX method
 # that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
 # leading zero bytes where they should have been skipped. The impact of
 # this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
 # peer that implements curve25519-sha256@libssh.org properly about 0.2%
 # of the time (one in every 512ish connections).
 #
 # We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256
 # key exchange for previous versions, but I'd recommend distributors
 # of OpenSSH apply this patch so the affected code doesn't become
 # too entrenched in LTS releases.
 #
 # The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as
 # to distinguish itself from the incorrect versions so the compatibility
 # code to disable the affected KEX isn't activated.
 #
 # I've committed this on the 6.6 branch too.
 #
 # Apologies for the hassle.
 #
 # -d
 diff --git a/openssh-6.6p1/bufaux.c b/openssh-6.6p1/bufaux.c
 --- a/openssh-6.6p1/bufaux.c
 +++ b/openssh-6.6p1/bufaux.c
@@ -1,9 +1,9 @@
 -/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
 +/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
  * Auxiliary functions for storing and retrieving various data types to/from
  * Buffers.
  *
  * As far as I am concerned, the code I have written for this software
@@ -367,16 +367,19 @@ buffer_get_bignum2_as_string(Buffer *buf
 void
 buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l)
 {
 	u_char *buf, *p;
 	int pad = 0;
 	if (l > 8 * 1024)
 		fatal("%s: length %u too long", __func__, l);
 +	/* Skip leading zero bytes */
 +	for (; l > 0 && *s == 0; l--, s++)
 +		;
 	p = buf = xmalloc(l + 1);
 	/*
 	 * If most significant bit is set then prepend a zero byte to
 	 * avoid interpretation as a negative number.
 	 */
 	if (l > 0 && (s[0] & 0x80) != 0) {
 		*p++ = '\0';
 		pad = 1;
 diff --git a/openssh-6.6p1/compat.c b/openssh-6.6p1/compat.c
 --- a/openssh-6.6p1/compat.c
 +++ b/openssh-6.6p1/compat.c
@@ -90,16 +90,19 @@ compat_datafellows(const char *version)
 					SSH_OLD_FORWARD_ADDR},
 		{ "OpenSSH_2.*,"
 		  "OpenSSH_3.0*,"
 		  "OpenSSH_3.1*",	SSH_BUG_EXTEOF|SSH_OLD_FORWARD_ADDR},
 		{ "OpenSSH_3.*",	SSH_OLD_FORWARD_ADDR },
 		{ "Sun_SSH_1.0*",	SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
 		{ "OpenSSH_4*",		0 },
 		{ "OpenSSH_5*",		SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
 +		{ "OpenSSH_6.6.1*",	SSH_NEW_OPENSSH},
 +		{ "OpenSSH_6.5*,"
 +		  "OpenSSH_6.6*",	SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
 		{ "OpenSSH*",		SSH_NEW_OPENSSH },
 		{ "*MindTerm*",		0 },
 		{ "2.1.0*",		SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
 					SSH_OLD_SESSIONID|SSH_BUG_DEBUG|
 					SSH_BUG_RSASIGMD5|SSH_BUG_HBSERVICE|
 					SSH_BUG_FIRSTKEX },
 		{ "2.1 *",		SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
 					SSH_OLD_SESSIONID|SSH_BUG_DEBUG|
@@ -246,22 +249,34 @@ compat_cipher_proposal(char *cipher_prop
 	debug2("%s: original cipher proposal: %s", __func__, cipher_prop);
 	cipher_prop = filter_proposal(cipher_prop, "aes*");
 	debug2("%s: compat cipher proposal: %s", __func__, cipher_prop);
 	if (*cipher_prop == '\0')
 		fatal("No supported ciphers found");
 	return cipher_prop;
 }
 -
 char *
 compat_pkalg_proposal(char *pkalg_prop)
 {
 	if (!(datafellows & SSH_BUG_RSASIGMD5))
 		return pkalg_prop;
 	debug2("%s: original public key proposal: %s", __func__, pkalg_prop);
 	pkalg_prop = filter_proposal(pkalg_prop, "ssh-rsa");
 	debug2("%s: compat public key proposal: %s", __func__, pkalg_prop);
 	if (*pkalg_prop == '\0')
 		fatal("No supported PK algorithms found");
 	return pkalg_prop;
 }
 +char *
 +compat_kex_proposal(char *kex_prop)
 +{
 +	if (!(datafellows & SSH_BUG_CURVE25519PAD))
 +		return kex_prop;
 +	debug2("%s: original KEX proposal: %s", __func__, kex_prop);
 +	kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
 +	debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
 +	if (*kex_prop == '\0')
 +		fatal("No supported key exchange algorithms found");
 +	return kex_prop;
 +}
 +
 diff --git a/openssh-6.6p1/compat.h b/openssh-6.6p1/compat.h
 --- a/openssh-6.6p1/compat.h
 +++ b/openssh-6.6p1/compat.h
@@ -54,20 +54,22 @@
 #define SSH_BUG_DUMMYCHAN	0x00100000
 #define SSH_BUG_EXTEOF		0x00200000
 #define SSH_BUG_PROBE		0x00400000
 #define SSH_BUG_FIRSTKEX	0x00800000
 #define SSH_OLD_FORWARD_ADDR	0x01000000
 #define SSH_BUG_RFWD_ADDR	0x02000000
 #define SSH_NEW_OPENSSH		0x04000000
 #define SSH_BUG_DYNAMIC_RPORT	0x08000000
 +#define SSH_BUG_CURVE25519PAD	0x10000000
 void     enable_compat13(void);
 void     enable_compat20(void);
 void     compat_datafellows(const char *);
 int	 proto_spec(const char *);
 char	*compat_cipher_proposal(char *);
 char	*compat_pkalg_proposal(char *);
 +char	*compat_kex_proposal(char *);
 extern int compat13;
 extern int compat20;
 extern int datafellows;
 #endif
 diff --git a/openssh-6.6p1/sshconnect2.c b/openssh-6.6p1/sshconnect2.c
 --- a/openssh-6.6p1/sshconnect2.c
 +++ b/openssh-6.6p1/sshconnect2.c
@@ -190,16 +190,18 @@ ssh_kex2(char *host, struct sockaddr *ho
 	else {
 		/* Prefer algorithms that we already have keys for */
 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
 		    compat_pkalg_proposal(
 		    order_hostkeyalgs(host, hostaddr, port));
 	}
 	if (options.kex_algorithms != NULL)
 		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
 +	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
 +	    myproposal[PROPOSAL_KEX_ALGS]);
 	if (options.rekey_limit || options.rekey_interval)
 		packet_set_rekey_limits((u_int32_t)options.rekey_limit,
 		    (time_t)options.rekey_interval);
 	/* start key exchange */
 	kex = kex_setup(myproposal);
 	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
 diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
 --- a/openssh-6.6p1/sshd.c
 +++ b/openssh-6.6p1/sshd.c
@@ -2457,16 +2457,19 @@ do_ssh2_kex(void)
 		myproposal[PROPOSAL_COMP_ALGS_STOC] = "none";
 	} else if (options.compression == COMP_DELAYED) {
 		myproposal[PROPOSAL_COMP_ALGS_CTOS] =
 		myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com";
 	}
 	if (options.kex_algorithms != NULL)
 		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
 +	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
 +	    myproposal[PROPOSAL_KEX_ALGS]);
 +
 	if (options.rekey_limit || options.rekey_interval)
 		packet_set_rekey_limits((u_int32_t)options.rekey_limit,
 		    (time_t)options.rekey_interval);
 	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
 	    list_hostkey_types());
 	/* start key exchange */
 diff --git a/openssh-6.6p1/version.h b/openssh-6.6p1/version.h
 --- a/openssh-6.6p1/version.h
 +++ b/openssh-6.6p1/version.h
@@ -1,6 +1,6 @@
 /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
 -#define SSH_VERSION	"OpenSSH_6.6"
 +#define SSH_VERSION	"OpenSSH_6.6.1"
 #define SSH_PORTABLE	"p1"
 #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--- a/openssh-6.6p1-fingerprint_hash.patch
+++ b/openssh-6.6p1-fingerprint_hash.patch
@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent a3a898b117b0f726e6cc923f18463de8e45e74f5
+# Parent 8b2615db484b7061edd15f3bee36958f790f790e
 # select fingerprint hash algorithms based on the environment variable
 # SSH_FP_TYPE_ENVVAR and append it to hex and randomart fingerprints
@ -690,7 +690,7 @@ diff --git a/openssh-6.6p1/sshconnect.c b/openssh-6.6p1/sshconnect.c
 diff --git a/openssh-6.6p1/sshconnect2.c b/openssh-6.6p1/sshconnect2.c
 --- a/openssh-6.6p1/sshconnect2.c
 +++ b/openssh-6.6p1/sshconnect2.c
-@@ -577,17 +577,17 @@ input_userauth_pk_ok(int type, u_int32_t
+@@ -579,17 +579,17 @@ input_userauth_pk_ok(int type, u_int32_t
 		goto done;
 	}
 	if (key->type != pktype) {
@ -709,7 +709,7 @@ diff --git a/openssh-6.6p1/sshconnect2.c b/openssh-6.6p1/sshconnect2.c
 	 * moved to the end of the queue.  this also avoids confusion by
 	 * duplicate keys
 	 */
-@@ -988,17 +988,17 @@ sign_and_send_pubkey(Authctxt *authctxt,
+@@ -990,17 +990,17 @@ sign_and_send_pubkey(Authctxt *authctxt,
 	Buffer b;
 	u_char *blob, *signature;
 	u_int bloblen, slen;
--- a/openssh-6.6p1-fips-checks.patch
+++ b/openssh-6.6p1-fips-checks.patch
@ -1,5 +1,17 @@
 # HG changeset patch
-# Parent 12ad7b6077ef9c6b3a3a53b4f0084c3eb2f80fe7
+# Parent 717873621cf4991164c61caafd9ac07473231f10
 # Simple implementation of FIPS 140-2 selfchecks. Use OpenSSL to generate and
 # verify checksums of binaries. Any hash iused in OpenSSH can be used (MD5 would
 # obviously be a poor choice, since OpenSSL would barf and abort immediately in
 # FIPS mode). SHA-2 seems to be a reasonable choice.
 #
 # The logic of the checks is as follows: decide whether FIPS mode is mandated
 # (either by checking /proc/sys/crypto/fips_enabled or envoroinment variable
 # SSH_FORCE_FIPS. In FIPS mode, checksums are required to match (inability to
 # retrieve pre-calculated hash is a fatal error). In non-FIPS mode the checks
 # still must be performed, unless the hashes are not installed. Thus if the hash
 # file is not found (or the hash matches), proceed in non-FIPS mode and abort
 # otherwise.
 diff --git a/openssh-6.6p1/fips-check.c b/openssh-6.6p1/fips-check.c
 new file mode 100644
--- a/openssh-6.6p1-fips.patch
+++ b/openssh-6.6p1-fips.patch
@ -2,7 +2,7 @@
 # when OpenSSL is detected to be running in FIPS mode
 #
 # HG changeset patch
-# Parent ff04a9a96b7c41e99445c68d91911a9a1474ffa2
+# Parent 844066cb9c0ec2b10eb1ace7134f7bced7cc802d
 diff --git a/openssh-6.6p1/Makefile.in b/openssh-6.6p1/Makefile.in
 --- a/openssh-6.6p1/Makefile.in
@ -66,7 +66,7 @@ diff --git a/openssh-6.6p1/auth-rsa.c b/openssh-6.6p1/auth-rsa.c
 +	u_char buf[2 * SSH_DIGEST_MAX_LENGTH], mdbuf[SSH_DIGEST_MAX_LENGTH];
 	struct ssh_digest_ctx *md;
 	int len;
-+    int dgst;
+	int dgst;
 +	size_t dgst_len;
 	/* don't allow short keys */
@ -78,7 +78,7 @@ diff --git a/openssh-6.6p1/auth-rsa.c b/openssh-6.6p1/auth-rsa.c
 	}
 -	/* The response is MD5 of decrypted challenge plus session id. */
-+    dgst = fips_correct_dgst(SSH_DIGEST_MD5);
+	dgst = fips_correct_dgst(SSH_DIGEST_MD5);
 +	dgst_len = ssh_digest_bytes(dgst);
 +
 +	/* The response is a hash of decrypted challenge plus session id.
--- a/openssh-6.6p1-gssapi_key_exchange.patch
+++ b/openssh-6.6p1-gssapi_key_exchange.patch
@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent b50b01e06558d268ae59e8be8c1a41fde44fc70d
+# Parent 0b2761bdc8c2071a11ca24387c3f58be2fdbaa5e
 diff --git a/openssh-6.6p1/ChangeLog.gssapi b/openssh-6.6p1/ChangeLog.gssapi
 new file mode 100644
@ -3239,14 +3239,14 @@ diff --git a/openssh-6.6p1/sshconnect2.c b/openssh-6.6p1/sshconnect2.c
 		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
 		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
 	} else if (fips_mode()) {
-@@ -203,32 +228,63 @@ ssh_kex2(char *host, struct sockaddr *ho
+@@ -205,32 +230,63 @@ ssh_kex2(char *host, struct sockaddr *ho
 		/* Prefer algorithms that we already have keys for */
 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
 		    compat_pkalg_proposal(
 		    order_hostkeyalgs(host, hostaddr, port));
 	}
 	if (options.kex_algorithms != NULL)
 		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
 	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
 	    myproposal[PROPOSAL_KEX_ALGS]);
 +#ifdef GSSAPI
 +	/* If we've got GSSAPI algorithms, then we also support the
@ -3291,7 +3291,7 @@ diff --git a/openssh-6.6p1/sshconnect2.c b/openssh-6.6p1/sshconnect2.c
 +			kex->gss_host = options.gss_server_identity;
 +		} else {
 +			kex->gss_host = gss_host;
-+        }
+		}
 +	}
 +#endif
 +
@ -3303,7 +3303,7 @@ diff --git a/openssh-6.6p1/sshconnect2.c b/openssh-6.6p1/sshconnect2.c
 		debug("Roaming not allowed by server");
 		options.use_roaming = 0;
 	}
-@@ -308,31 +364,37 @@ int	userauth_hostbased(Authctxt *);
+@@ -310,31 +366,37 @@ int	userauth_hostbased(Authctxt *);
 #ifdef GSSAPI
 int	userauth_gssapi(Authctxt *authctxt);
@ -3341,7 +3341,7 @@ diff --git a/openssh-6.6p1/sshconnect2.c b/openssh-6.6p1/sshconnect2.c
 	{"gssapi",
 		userauth_gssapi,
 		NULL,
-@@ -624,29 +686,41 @@ done:
+@@ -626,29 +688,41 @@ done:
 int
 userauth_gssapi(Authctxt *authctxt)
 {
@ -3385,7 +3385,7 @@ diff --git a/openssh-6.6p1/sshconnect2.c b/openssh-6.6p1/sshconnect2.c
 	if (!ok)
 		return 0;
-@@ -735,18 +809,18 @@ process_gssapi_token(void *ctxt, gss_buf
+@@ -737,18 +811,18 @@ process_gssapi_token(void *ctxt, gss_buf
 }
 /* ARGSUSED */
@ -3406,7 +3406,7 @@ diff --git a/openssh-6.6p1/sshconnect2.c b/openssh-6.6p1/sshconnect2.c
 	/* Setup our OID */
 	oidv = packet_get_string(&oidlen);
-@@ -845,16 +919,58 @@ input_gssapi_error(int type, u_int32_t p
+@@ -847,16 +921,58 @@ input_gssapi_error(int type, u_int32_t p
 	lang=packet_get_string(NULL);
 	packet_check_eom();
@ -3655,7 +3655,7 @@ diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c
 	 * mode; it is just annoying to have the server exit just when you
 	 * are about to discover the bug.
 	 */
-@@ -2559,24 +2674,73 @@ do_ssh2_kex(void)
+@@ -2562,24 +2677,73 @@ do_ssh2_kex(void)
 	if (options.rekey_limit || options.rekey_interval)
 		packet_set_rekey_limits((u_int32_t)options.rekey_limit,
--- a/openssh-6.6p1-gssapimitm.patch
+++ b/openssh-6.6p1-gssapimitm.patch
@ -356,7 +356,7 @@ diff --git a/openssh-6.6p1/ssh_config b/openssh-6.6p1/ssh_config
 diff --git a/openssh-6.6p1/sshconnect2.c b/openssh-6.6p1/sshconnect2.c
 --- a/openssh-6.6p1/sshconnect2.c
 +++ b/openssh-6.6p1/sshconnect2.c
-@@ -316,16 +316,21 @@ static char *authmethods_get(void);
+@@ -318,16 +318,21 @@ static char *authmethods_get(void);
 Authmethod authmethods[] = {
 #ifdef GSSAPI
@ -378,7 +378,7 @@ diff --git a/openssh-6.6p1/sshconnect2.c b/openssh-6.6p1/sshconnect2.c
 		NULL},
 	{"publickey",
 		userauth_pubkey,
-@@ -683,17 +688,19 @@ process_gssapi_token(void *ctxt, gss_buf
+@@ -685,17 +690,19 @@ process_gssapi_token(void *ctxt, gss_buf
 		packet_put_string(send_tok.value, send_tok.length);
 		packet_send();
--- a/openssh-6.6p1-seccomp_getuid.patch
+++ b/openssh-6.6p1-seccomp_getuid.patch
@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent 47040f4641d43b039f19c8c902b0259729bb88e2
+# Parent bde6f1a808f345e141a976ebc3e37903c81a09cb
 add 'getuid' syscall to list of allowed ones to prevent the sanboxed thread
 from being killed by the seccomp filter
--- a/openssh.changes
+++ b/openssh.changes
@ -1,9 +1,9 @@
 -------------------------------------------------------------------
-Mon Apr 21 08:46:58 UTC 2014 - idonmez@suse.com
+Thu Apr 24 01:33:45 UTC 2014 - pcerny@suse.com
- Add fix-curve25519-kex.patch to fix a key-exchange problem
+- curve25519 key exchange fix (-curve25519-6.6.1p1.patch)
-  with curve25519-sha256@libssh.org, see
+- patch re-ordering (-audit3-key_auth_usage-fips.patch,
-  http://marc.info/?l=openssh-unix-dev&m=139797807804698&w=2
+    -audit4-kex_results-fips.patch)
 -------------------------------------------------------------------
 Tue Apr 15 09:26:16 UTC 2014 - rhafer@suse.com
--- a/openssh.spec
+++ b/openssh.spec
@ -108,6 +108,7 @@ Source7:        sshd.fw
 Source8:        sysconfig.ssh
 Source9:        sshd-gen-keys-start
 Source10:       sshd.service
 Patch0:         openssh-6.6p1-curve25519-6.6.1p1.patch
 Patch1:         openssh-6.6p1-key-converter.patch
 Patch2:         openssh-6.6p1-X11-forwarding.patch
 Patch3:         openssh-6.6p1-lastlog.patch
@ -128,9 +129,9 @@ Patch17:        openssh-6.6p1-fips.patch
 Patch18:        openssh-6.6p1-audit1-remove_duplicit_audit.patch
 Patch19:        openssh-6.6p1-audit2-better_audit_of_user_actions.patch
 Patch20:        openssh-6.6p1-audit3-key_auth_usage.patch
-Patch21:        openssh-6.6p1-audit3_fips-key_auth_usage.patch
+Patch21:        openssh-6.6p1-audit3-key_auth_usage-fips.patch
 Patch22:        openssh-6.6p1-audit4-kex_results.patch
-Patch23:        openssh-6.6p1-audit4_fips-kex_results.patch
+Patch23:        openssh-6.6p1-audit4-kex_results-fips.patch
 Patch24:        openssh-6.6p1-audit5-session_key_destruction.patch
 Patch25:        openssh-6.6p1-audit6-server_key_destruction.patch
 Patch26:        openssh-6.6p1-audit7-libaudit_compat.patch
@ -147,7 +148,6 @@ Patch36:        openssh-6.6p1-seccomp_getuid.patch
 Patch37:        openssh-6.6p1-X_forward_with_disabled_ipv6.patch
 Patch38:        openssh-6.6p1-fips-checks.patch
 Patch39:        openssh-6.6p1-ldap.patch
 Patch40:        fix-curve25519-kex.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %description
@ -181,6 +181,7 @@ cryptomodule.
 %prep
 %setup -q
 %patch0 -p2
 #patch1 -p2
 %patch2 -p2
 %patch3 -p2
@ -222,7 +223,6 @@ cryptomodule.
 %patch37 -p2
 %patch38 -p2
 %patch39 -p2
 %patch40 -p0
 cp %{SOURCE3} %{SOURCE4} .
 %build