Accepting request 500279 from home:pcerny:factory
- Fix preauth seccomp separation on mainframes (bsc#1016709)
  [openssh-7.2p2-s390_hw_crypto_syscalls.patch]
  [openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch]
- enable case-insensitive hostname matching (bsc#1017099)
  [openssh-7.2p2-ssh_case_insensitive_host_matching.patch]
- add CAVS tests
  [openssh-7.2p2-cavstest-ctr.patch]
  [openssh-7.2p2-cavstest-kdf.patch]
- Adding missing pieces for user matching (bsc#1021626)
- Properly verify CIDR masks in configuration (bsc#1005893)
  [openssh-7.2p2-verify_CIDR_address_ranges.patch]
- Remove pre-auth compression support from the server to prevent
  possible cryptographic attacks. (CVE-2016-10012, bsc#1016370)
  [openssh-7.2p2-disable_preauth_compression.patch]
- limit directories for loading PKCS11 modules
  (CVE-2016-10009, bsc#1016366)
  [openssh-7.2p2-restrict_pkcs11-modules.patch]
- Prevent possible leaks of host private keys to low-privilege process
  handling authentication (CVE-2016-10011, bsc#1016369)
  [openssh-7.2p2-prevent_private_key_leakage.patch]
- Do not allow unix socket forwarding when running without privilege
  separation (CVE-2016-10010, bsc#1016368)
  [openssh-7.2p2-secure_unix_sockets_forwarding.patch]
- prevent resource depletion during key exchange
  (bsc#1005480, CVE-2016-8858)
  [openssh-7.2p2-kex_resource_depletion.patch]

OBS-URL: https://build.opensuse.org/request/show/500279
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=117
This commit is contained in:
parent 5829a44f01
commit e8b9919265

Files changed:
README.SUSE
README.kerberos
openssh-7.2p2-IPv6_X_forwarding.patch
openssh-7.2p2-X_forward_with_disabled_ipv6.patch
openssh-7.2p2-audit.patch
openssh-7.2p2-audit_fixes.patch
openssh-7.2p2-audit_seed_prng.patch
openssh-7.2p2-cavstest-ctr.patch
openssh-7.2p2-cavstest-kdf.patch
openssh-7.2p2-disable_openssl_abi_check.patch
openssh-7.2p2-disable_preauth_compression.patch
openssh-7.2p2-fips.patch
openssh-7.2p2-gssapi_key_exchange.patch
openssh-7.2p2-host_ident.patch
openssh-7.2p2-ignore_PAM_with_UseLogin.patch
openssh-7.2p2-keep_slogin.patch
openssh-7.2p2-kex_resource_depletion.patch
openssh-7.2p2-ldap.patch
openssh-7.2p2-limit_password_length.patch
openssh-7.2p2-login_options.patch
openssh-7.2p2-no_fork-no_pid_file.patch
openssh-7.2p2-prevent_private_key_leakage.patch
openssh-7.2p2-prevent_timing_user_enumeration.patch
openssh-7.2p2-restrict_pkcs11-modules.patch
openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch
openssh-7.2p2-s390_hw_crypto_syscalls.patch
openssh-7.2p2-seccomp_geteuid.patch
openssh-7.2p2-seccomp_getuid.patch
openssh-7.2p2-seccomp_stat.patch
openssh-7.2p2-secure_unix_sockets_forwarding.patch
openssh-7.2p2-sftp_force_permissions.patch
openssh-7.2p2-sftp_homechroot.patch
openssh-7.2p2-ssh_case_insensitive_host_matching.patch
openssh-7.2p2-verify_CIDR_address_ranges.patch
openssh-askpass-gnome.spec
openssh.changes
openssh.spec
README.SUSE
@@ -22,5 +22,8 @@ There are following changes in default settings of ssh client and server:
 - the size of DSA keys is limited by the standard to 1024 bits which cannot
   be considered safe any more.
 
+* Accepting all RFC4419 specified DH group parameters. See KexDHMin in
+  ssh_config and sshd_config manual pages.
+
 For more information on differences in SUSE OpenSSH package see README.FIPS
 
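Review bot: the added lines tell the reader that all RFC 4419 DH group sizes are accepted and refer to KexDHMin, but they do not state the default value of KexDHMin, so an administrator cannot tell from this README whether the shipped default still accepts 1024-bit moduli (the smallest size RFC 4419 allows). Stating the default in the same sentence, e.g. `See KexDHMin (default: <value>) in`, would make the security implication of this change visible where it is announced.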
README.kerberos
@@ -1,4 +1,3 @@
-
 This version of the Kerbros/GSSAPI support avoids DNS lookups
 for Kerberos-related names. These DNS lookups were problematic
 for dialup users because they would lead to excessive delays
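Review bot: the first context line still reads `Kerbros/GSSAPI`; since this hunk already touches the top of the file, fixing the typo to `Kerberos/GSSAPI` in the same change would cost nothing.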
openssh-7.2p2-IPv6_X_forwarding.patch
@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent 8c4cb20b9633595de68131224b2d434e8dc41e17
+# Parent 9130c9e19c8a076a7f6f214070283cd3e0326894
 Correctly parse DISPLAY variable for cases where it contains an IPv6 address
 (which should - but not always is - in (square) brackets).
 
openssh-7.2p2-X_forward_with_disabled_ipv6.patch
@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent 28e8840bbf49c6e603bf2b55a08ed9050a60f9fb
+# Parent 2afee80335d5ef7efcf64f3a797e9b10ce0de4ae
 Do not throw away already open sockets for X11 forwarding if another socket
 family is not available for bind()
 
openssh-7.2p2-audit.patch
@@ -1,22 +1,20 @@
 # HG changeset patch
-# Parent af5c4026e36e7aa181c164d2eca72b7e2a8a897a
+# Parent 83f18171bc2394ccd39fb176fe110b529da83a78
 Extended auditing through the Linux Auditing subsystem
 
 diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
 --- a/openssh-7.2p2/Makefile.in
 +++ b/openssh-7.2p2/Makefile.in
-@@ -88,17 +88,18 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
- 	ssh-pkcs11.o smult_curve25519_ref.o \
- 	poly1305.o chacha.o cipher-chachapoly.o \
+@@ -94,16 +94,17 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
  	ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \
  	sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
  	kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
  	kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o kexgssc.o \
  	kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o kexgsss.o \
- 	platform-pledge.o \
--	fips.o
-+	fips.o \
-+	auditstub.o
+ 	platform-pledge.o
+ 
+ LIBSSH_OBJS += fips.o
++LIBSSH_OBJS += auditstub.o
  
  SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
  	sshconnect.o sshconnect1.o sshconnect2.o mux.o
@@ -2433,8 +2431,8 @@ diff --git a/openssh-7.2p2/packet.h b/openssh-7.2p2/packet.h
 diff --git a/openssh-7.2p2/sandbox-seccomp-filter.c b/openssh-7.2p2/sandbox-seccomp-filter.c
 --- a/openssh-7.2p2/sandbox-seccomp-filter.c
 +++ b/openssh-7.2p2/sandbox-seccomp-filter.c
-@@ -157,16 +157,22 @@ static const struct sock_filter preauth_
- 	SC_ALLOW(getuid32),
+@@ -163,16 +163,22 @@ static const struct sock_filter preauth_
+ 	SC_ALLOW(geteuid32),
  #endif
  #ifdef __NR_getrandom
  	SC_ALLOW(getrandom),
openssh-7.2p2-audit_fixes.patch (new file, 28 lines)
# HG changeset patch
# Parent 51a3a8eab1493a799c5a9df95e8e757f872886d0
Various auditing fixes to be merged into the RH-originated patch.

diff --git a/openssh-7.2p2/packet.c b/openssh-7.2p2/packet.c
--- a/openssh-7.2p2/packet.c
+++ b/openssh-7.2p2/packet.c
@@ -375,16 +375,20 @@ ssh_packet_start_discard(struct ssh *ssh
 
 int
 ssh_packet_connection_is_on_socket(struct ssh *ssh)
 {
 	struct session_state *state = ssh->state;
 	struct sockaddr_storage from, to;
 	socklen_t fromlen, tolen;
 
+	/* auditing might get here without valid connection structure when
+	 * destroying sensitive data on exit and thus aborting disgracefully */
+	if (!ssh)
+		return 0;
 	/* filedescriptors in and out are the same, so it's a socket */
 	if (state->connection_in == state->connection_out)
 		return 1;
 	fromlen = sizeof(from);
 	memset(&from, 0, sizeof(from));
 	if (getpeername(state->connection_in, (struct sockaddr *)&from,
 	    &fromlen) < 0)
 		return 0;
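Review bot: the NULL check added at `+	if (!ssh)` is placed after `struct session_state *state = ssh->state;` has already dereferenced `ssh`, so on the very path the comment describes (auditing reached without a valid connection structure during exit) the function still faults before the check is evaluated. Declare `state` without an initializer and assign it after the check, e.g. `if (!ssh) return 0;` followed by `state = ssh->state;`, otherwise the fix only works when `ssh` happens to be non-NULL.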
openssh-7.2p2-audit_seed_prng.patch
@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent 3aad88a155050008275527c0624ae6fa05d0cdad
+# Parent e6ff441d171012183f7bd37cb7399473e8376acd
 Audit PRNG re-seeding
 
 diff --git a/openssh-7.2p2/audit-bsm.c b/openssh-7.2p2/audit-bsm.c
openssh-7.2p2-cavstest-ctr.patch (new file, 300 lines)
# HG changeset patch
# Parent cb502e7e796ac9289a571167a97ad9ec91562efb
CAVS test for OpenSSH's own CTR encryption mode implementation

diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
--- a/openssh-7.2p2/Makefile.in
+++ b/openssh-7.2p2/Makefile.in
@@ -21,16 +21,17 @@ top_srcdir=@top_srcdir@
 
 DESTDIR=
 VPATH=@srcdir@
 SSH_PROGRAM=@bindir@/ssh
 ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
 SFTP_SERVER=$(libexecdir)/sftp-server
 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
 PRIVSEP_PATH=@PRIVSEP_PATH@
 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
 STRIP_OPT=@STRIP_OPT@
 TEST_SHELL=@TEST_SHELL@
 
 PATHS= -DSSHDIR=\"$(sysconfdir)\" \
 	-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
 	-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
@@ -59,16 +60,18 @@ SED=@SED@
 ENT=@ENT@
 XAUTH_PATH=@XAUTH_PATH@
 LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
 EXEEXT=@EXEEXT@
 MANFMT=@MANFMT@
 
 TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
 
+TARGETS += cavstest-ctr$(EXEEXT)
+
 LIBOPENSSH_OBJS=\
 	ssh_api.o \
 	ssherr.o \
 	sshbuf.o \
 	sshkey.o \
 	sshbuf-getput-basic.o \
 	sshbuf-misc.o \
 	sshbuf-getput-crypto.o \
@@ -190,16 +193,20 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libss
 	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
 
 sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
 	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 
 sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
 	$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
 
+# FIPS tests
+cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
+	$(LD) -o $@ cavstest-ctr.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+
 # test driver for the loginrec code - not built by default
 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
 	$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
 
 $(MANPAGES): $(MANPAGES_IN)
 	if test "$(MANTYPE)" = "cat"; then \
 		manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \
 	else \
@@ -310,16 +317,17 @@ install-files:
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
 	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
+	$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
 	$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
 	$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
 	$(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
 	$(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
 	$(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
 	$(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
 	$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
diff --git a/openssh-7.2p2/cavstest-ctr.c b/openssh-7.2p2/cavstest-ctr.c
new file mode 100644
--- /dev/null
+++ b/openssh-7.2p2/cavstest-ctr.c
@@ -0,0 +1,212 @@
+/*
+ *
+ * invocation (all of the following are equal):
+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6
+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv 00000000000000000000000000000000
+ * echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+
+#include "xmalloc.h"
+#include "log.h"
+#include "cipher.h"
+
+/* compatibility with old or broken OpenSSL versions */
+#include "openbsd-compat/openssl-compat.h"
+
+void
+usage(void)
+{
+	fprintf(stderr, "Usage: ctr-cavstest --algo <ssh-crypto-algorithm>\n"
+		"		 --key <hexadecimal-key> --mode <encrypt|decrypt>\n"
+		"		 [--iv <hexadecimal-iv>] --data <hexadecimal-data>\n\n"
+		"Hexadecimal output is printed to stdout.\n"
+		"Hexadecimal input data can be alternatively read from stdin.\n");
+	exit(1);
+}
+
+void *
+fromhex(char *hex, size_t * len)
+{
+	unsigned char *bin;
+	char *p;
+	size_t n = 0;
+	int shift = 4;
+	unsigned char out = 0;
+	unsigned char *optr;
+
+	bin = xmalloc(strlen(hex) / 2);
+	optr = bin;
+
+	for (p = hex; *p != '\0'; ++p) {
+		unsigned char c;
+
+		c = *p;
+		if (isspace(c))
+			continue;
+
+		if (c >= '0' && c <= '9') {
+			c = c - '0';
+		} else if (c >= 'A' && c <= 'F') {
+			c = c - 'A' + 10;
+		} else if (c >= 'a' && c <= 'f') {
+			c = c - 'a' + 10;
+		} else {
+			/* truncate on nonhex cipher */
+			break;
+		}
+
+		out |= c << shift;
+		shift = (shift + 4) % 8;
+
+		if (shift) {
+			*(optr++) = out;
+			out = 0;
+			++n;
+		}
+	}
+
+	*len = n;
+	return bin;
+}
+
+#define READ_CHUNK 4096
+#define MAX_READ_SIZE 1024*1024*100
+char *
+read_stdin(void)
+{
+	char *buf;
+	size_t n, total = 0;
+
+	buf = xmalloc(READ_CHUNK);
+
+	do {
+		n = fread(buf + total, 1, READ_CHUNK, stdin);
+		if (n < READ_CHUNK)	/* terminate on short read */
+			break;
+
+		total += n;
+		buf = xreallocarray(buf, total + READ_CHUNK, 1);
+	} while (total < MAX_READ_SIZE);
+	return buf;
+}
+
+int
+main(int argc, char *argv[])
+{
+
+	struct sshcipher *c;
+	struct sshcipher_ctx cc;
+	char *algo = "aes128-ctr";
+	char *hexkey = NULL;
+	char *hexiv = "00000000000000000000000000000000";
+	char *hexdata = NULL;
+	char *p;
+	int i;
+	int encrypt = 1;
+	void *key;
+	size_t keylen;
+	void *iv;
+	size_t ivlen;
+	void *data;
+	size_t datalen;
+	void *outdata;
+
+	for (i = 1; i < argc; ++i) {
+		if (strcmp(argv[i], "--algo") == 0) {
+			algo = argv[++i];
+		} else if (strcmp(argv[i], "--key") == 0) {
+			hexkey = argv[++i];
+		} else if (strcmp(argv[i], "--mode") == 0) {
+			++i;
+			if (argv[i] == NULL) {
+				usage();
+			}
+			if (strncmp(argv[i], "enc", 3) == 0) {
+				encrypt = 1;
+			} else if (strncmp(argv[i], "dec", 3) == 0) {
+				encrypt = 0;
+			} else {
+				usage();
+			}
+		} else if (strcmp(argv[i], "--iv") == 0) {
+			hexiv = argv[++i];
+		} else if (strcmp(argv[i], "--data") == 0) {
+			hexdata = argv[++i];
+		}
+	}
+
+	if (hexkey == NULL || algo == NULL) {
+		usage();
+	}
+
+	SSLeay_add_all_algorithms();
+
+	c = cipher_by_name(algo);
+	if (c == NULL) {
+		fprintf(stderr, "Error: unknown algorithm\n");
+		return 2;
+	}
+
+	if (hexdata == NULL) {
+		hexdata = read_stdin();
+	} else {
+		hexdata = xstrdup(hexdata);
+	}
+
+	key = fromhex(hexkey, &keylen);
+
+	if (keylen != 16 && keylen != 24 && keylen == 32) {
+		fprintf(stderr, "Error: unsupported key length\n");
+		return 2;
+	}
+
+	iv = fromhex(hexiv, &ivlen);
+
+	if (ivlen != 16) {
+		fprintf(stderr, "Error: unsupported iv length\n");
+		return 2;
+	}
+
+	data = fromhex(hexdata, &datalen);
+
+	if (data == NULL || datalen == 0) {
+		fprintf(stderr, "Error: no data to encrypt/decrypt\n");
+		return 2;
+	}
+
+	cipher_init(&cc, c, key, keylen, iv, ivlen, encrypt);
+
+	free(key);
+	free(iv);
+
+	outdata = malloc(datalen);
+	if (outdata == NULL) {
+		fprintf(stderr, "Error: memory allocation failure\n");
+		return 2;
+	}
+
+	cipher_crypt(&cc, 0, outdata, data, datalen, 0, 0);
+
+	free(data);
+
+	cipher_cleanup(&cc);
+
+	for (p = outdata; datalen > 0; ++p, --datalen) {
+		printf("%02X", (unsigned char) *p);
+	}
+
+	free(outdata);
+
+	printf("\n");
+	return 0;
+}
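Review bot: the key-length check in cavstest-ctr.c is inverted for the last alternative: `if (keylen != 16 && keylen != 24 && keylen == 32)` can only be true for a 32-byte key, so it rejects exactly the valid aes256 key length and lets every other wrong length (say 20 bytes) through to `cipher_init()`; the last term should read `keylen != 32`. Two more points in the same file: `read_stdin()` never writes a terminating NUL into `buf`, yet `fromhex()` scans the buffer until `'\0'`, so after the short final `fread()` the scan runs past the bytes actually read; and the return values of `cipher_init()` and `cipher_crypt()` are ignored, so a cipher failure would be printed as a hex "result" instead of failing the test, which defeats the purpose of a validation harness.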
openssh-7.2p2-cavstest-kdf.patch (new file, 469 lines; the page shows only the beginning)
# HG changeset patch
# Parent f9ffcfb88e5a9d611a61aee3571050dea67e363e
CAVS test for KDF implementation in OpenSSH

diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
--- a/openssh-7.2p2/Makefile.in
+++ b/openssh-7.2p2/Makefile.in
@@ -22,16 +22,17 @@ top_srcdir=@top_srcdir@
 DESTDIR=
 VPATH=@srcdir@
 SSH_PROGRAM=@bindir@/ssh
 ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
 SFTP_SERVER=$(libexecdir)/sftp-server
 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
 CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
+CAVSTEST_KDF=$(libexecdir)/cavstest-kdf
 PRIVSEP_PATH=@PRIVSEP_PATH@
 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
 STRIP_OPT=@STRIP_OPT@
 TEST_SHELL=@TEST_SHELL@
 
 PATHS= -DSSHDIR=\"$(sysconfdir)\" \
 	-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
 	-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
@@ -60,17 +61,17 @@ SED=@SED@
 ENT=@ENT@
 XAUTH_PATH=@XAUTH_PATH@
 LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
 EXEEXT=@EXEEXT@
 MANFMT=@MANFMT@
 
 TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
 
-TARGETS += cavstest-ctr$(EXEEXT)
+TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
 
 LIBOPENSSH_OBJS=\
 	ssh_api.o \
 	ssherr.o \
 	sshbuf.o \
 	sshkey.o \
 	sshbuf-getput-basic.o \
 	sshbuf-misc.o \
@@ -197,16 +198,19 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss
 
 sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
 	$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
 
 # FIPS tests
 cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
 	$(LD) -o $@ cavstest-ctr.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
 
+cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-kdf.o
+	$(LD) -o $@ cavstest-kdf.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+
 # test driver for the loginrec code - not built by default
 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
 	$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
 
 $(MANPAGES): $(MANPAGES_IN)
 	if test "$(MANTYPE)" = "cat"; then \
 		manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \
 	else \
@@ -318,16 +322,17 @@ install-files:
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
 	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
+	$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-kdf$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-kdf$(EXEEXT)
 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
 	$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
 	$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
 	$(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
 	$(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
 	$(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
 	$(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
 	$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
diff --git a/openssh-7.2p2/cavstest-kdf.c b/openssh-7.2p2/cavstest-kdf.c
new file mode 100644
--- /dev/null
+++ b/openssh-7.2p2/cavstest-kdf.c
@@ -0,0 +1,382 @@
+/*
+ * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, and the entire permission notice in its entirety,
+ *    including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior
+ *    written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU General Public License, in which case the provisions of the GPL2
+ * are required INSTEAD OF the above restrictions.  (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
+ * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
+ * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+ * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ */
+
+#include "includes.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <string.h>
+
+#include <openssl/bn.h>
+
+#include "xmalloc.h"
+#include "buffer.h"
+#include "key.h"
+#include "cipher.h"
+#include "kex.h"
+#include "packet.h"
+
+static int bin_char(unsigned char hex)
+{
+	if (48 <= hex && 57 >= hex)
+		return (hex - 48);
+	if (65 <= hex && 70 >= hex)
+		return (hex - 55);
+	if (97 <= hex && 102 >= hex)
+		return (hex - 87);
+	return 0;
+}
+
+/*
+ * Convert hex representation into binary string
+ * @hex input buffer with hex representation
+ * @hexlen length of hex
+ * @bin output buffer with binary data
+ * @binlen length of already allocated bin buffer (should be at least
+ *	   half of hexlen -- if not, only a fraction of hexlen is converted)
+ */
+static void hex2bin(const char *hex, size_t hexlen,
+		    unsigned char *bin, size_t binlen)
+{
+	size_t i = 0;
+	size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
+
+	for (i = 0; i < chars; i++) {
+		bin[i] = bin_char(hex[(i*2)]) << 4;
+		bin[i] |= bin_char(hex[((i*2)+1)]);
+	}
+}
+
+/*
+ * Allocate sufficient space for binary representation of hex
+ * and convert hex into bin
+ *
+ * Caller must free bin
+ * @hex input buffer with hex representation
+ * @hexlen length of hex
+ * @bin return value holding the pointer to the newly allocated buffer
+ * @binlen return value holding the allocated size of bin
+ *
+ * return: 0 on success, !0 otherwise
+ */
+static int hex2bin_alloc(const char *hex, size_t hexlen,
+			 unsigned char **bin, size_t *binlen)
+{
+	unsigned char *out = NULL;
+	size_t outlen = 0;
+
+	if (!hexlen)
+		return -EINVAL;
+
+	outlen = (hexlen + 1) / 2;
+
+	out = calloc(1, outlen);
+	if (!out)
+		return -errno;
+
+	hex2bin(hex, hexlen, out, outlen);
+	*bin = out;
+	*binlen = outlen;
+	return 0;
+}
+
+static char hex_char_map_l[] = { '0', '1', '2', '3', '4', '5', '6', '7',
+				 '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' };
+static char hex_char_map_u[] = { '0', '1', '2', '3', '4', '5', '6', '7',
+				 '8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
+static char hex_char(unsigned int bin, int u)
+{
+	if (bin < sizeof(hex_char_map_l))
+		return (u) ? hex_char_map_u[bin] : hex_char_map_l[bin];
+	return 'X';
+}
+
+/*
+ * Convert binary string into hex representation
+ * @bin input buffer with binary data
+ * @binlen length of bin
+ * @hex output buffer to store hex data
+ * @hexlen length of already allocated hex buffer (should be at least
+ *	   twice binlen -- if not, only a fraction of binlen is converted)
+ * @u case of hex characters (0=>lower case, 1=>upper case)
+ */
+static void bin2hex(const unsigned char *bin, size_t binlen,
+		    char *hex, size_t hexlen, int u)
+{
+	size_t i = 0;
+	size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
+
+	for (i = 0; i < chars; i++) {
+		hex[(i*2)] = hex_char((bin[i] >> 4), u);
+		hex[((i*2)+1)] = hex_char((bin[i] & 0x0f), u);
+	}
+}
+
+struct kdf_cavs {
+	unsigned char *K;
+	size_t Klen;
+	unsigned char *H;
+	size_t Hlen;
+	unsigned char *session_id;
+	size_t session_id_len;
+
+	unsigned int iv_len;
+	unsigned int ek_len;
+	unsigned int ik_len;
+};
+
+static int sshkdf_cavs(struct kdf_cavs *test)
+{
+	int ret = 0;
+	struct kex kex;
+	struct ssh ssh;
+	BIGNUM *Kbn = NULL;
+	int mode = 0;
+	struct newkeys *keys_client;
+	struct newkeys *keys_server;
+
+#define HEXOUTLEN 500
+	char hex[HEXOUTLEN];
+
+	memset(&ssh, 0, sizeof(struct ssh));
+	memset(&kex, 0, sizeof(struct kex));
+	ssh.kex = &kex;
+
+	Kbn = BN_new();
+	BN_bin2bn(test->K, test->Klen, Kbn);
+	if (!Kbn) {
+		printf("cannot convert K into BIGNUM\n");
+		ret = 1;
+		goto out;
+	}
+
+	kex.session_id = test->session_id;
+	kex.session_id_len = test->session_id_len;
+
+	/* setup kex */
+
+	/* select the right hash based on struct ssh_digest digests */
+	switch (test->ik_len) {
+		case 20:
+			kex.hash_alg = 2;
+			break;
+		case 32:
+			kex.hash_alg = 3;
|
+ break;
|
||||||
|
+ case 48:
|
||||||
|
+ kex.hash_alg = 4;
|
||||||
|
+ break;
|
||||||
|
+ case 64:
|
||||||
|
+ kex.hash_alg = 5;
|
||||||
|
+ break;
|
||||||
|
+ default:
|
||||||
|
+ printf("Wrong hash type %u\n", test->ik_len);
|
||||||
|
+ ret = 1;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* implement choose_enc */
|
||||||
|
+ for (mode = 0; mode < 2; mode++) {
|
||||||
|
+ kex.newkeys[mode] = calloc(1, sizeof(struct newkeys));
|
||||||
|
+ if (!kex.newkeys[mode]) {
|
||||||
|
+ printf("allocation of newkeys failed\n");
|
||||||
|
+ ret = 1;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ kex.newkeys[mode]->enc.iv_len = test->iv_len;
|
||||||
|
+ kex.newkeys[mode]->enc.key_len = test->ek_len;
|
||||||
|
+ kex.newkeys[mode]->enc.block_size = (test->iv_len == 64) ? 8 : 16;
|
||||||
|
+ kex.newkeys[mode]->mac.key_len = test->ik_len;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* implement kex_choose_conf */
|
||||||
|
+ kex.we_need = kex.newkeys[0]->enc.key_len;
|
||||||
|
+ if (kex.we_need < kex.newkeys[0]->enc.block_size)
|
||||||
|
+ kex.we_need = kex.newkeys[0]->enc.block_size;
|
||||||
|
+ if (kex.we_need < kex.newkeys[0]->enc.iv_len)
|
||||||
|
+ kex.we_need = kex.newkeys[0]->enc.iv_len;
|
||||||
|
+ if (kex.we_need < kex.newkeys[0]->mac.key_len)
|
||||||
|
+ kex.we_need = kex.newkeys[0]->mac.key_len;
|
||||||
|
+
|
||||||
|
+ /* MODE_OUT (1) -> server to client
|
||||||
|
+ * MODE_IN (0) -> client to server */
|
||||||
|
+ kex.server = 1;
|
||||||
|
+
|
||||||
|
+ /* do it */
|
||||||
|
+ kex_derive_keys_bn(&ssh, test->H, test->Hlen, Kbn);
|
||||||
|
+
|
||||||
|
+ keys_client = ssh.kex->newkeys[0];
|
||||||
|
+ keys_server = ssh.kex->newkeys[1];
|
||||||
|
+
|
||||||
|
+ /* get data */
|
||||||
|
+ memset(hex, 0, HEXOUTLEN);
|
||||||
|
+ bin2hex(keys_client->enc.iv, (size_t)keys_client->enc.iv_len,
|
||||||
|
+ hex, HEXOUTLEN, 0);
|
||||||
|
+ printf("Initial IV (client to server) = %s\n", hex);
|
||||||
|
+
|
||||||
|
+ memset(hex, 0, HEXOUTLEN);
|
||||||
|
+ bin2hex(keys_server->enc.iv, (size_t)keys_server->enc.iv_len,
|
||||||
|
+ hex, HEXOUTLEN, 0);
|
||||||
|
+ printf("Initial IV (server to client) = %s\n", hex);
|
||||||
|
+
|
||||||
|
+ memset(hex, 0, HEXOUTLEN);
|
||||||
|
+ bin2hex(keys_client->enc.key, (size_t)keys_client->enc.key_len,
|
||||||
|
+ hex, HEXOUTLEN, 0);
|
||||||
|
+ printf("Encryption key (client to server) = %s\n", hex);
|
||||||
|
+
|
||||||
|
+ memset(hex, 0, HEXOUTLEN);
|
||||||
|
+ bin2hex(keys_server->enc.key, (size_t)keys_server->enc.key_len,
|
||||||
|
+ hex, HEXOUTLEN, 0);
|
||||||
|
+ printf("Encryption key (server to client) = %s\n", hex);
|
||||||
|
+
|
||||||
|
+ memset(hex, 0, HEXOUTLEN);
|
||||||
|
+ bin2hex(keys_client->mac.key, (size_t)keys_client->mac.key_len,
|
||||||
|
+ hex, HEXOUTLEN, 0);
|
||||||
|
+ printf("Integrity key (client to server) = %s\n", hex);
|
||||||
|
+
|
||||||
|
+ memset(hex, 0, HEXOUTLEN);
|
||||||
|
+ bin2hex(keys_server->mac.key, (size_t)keys_server->mac.key_len,
|
||||||
|
+ hex, HEXOUTLEN, 0);
|
||||||
|
+ printf("Integrity key (server to client) = %s\n", hex);
|
||||||
|
+
|
||||||
|
+ free(keys_client);
|
||||||
|
+ free(keys_server);
|
||||||
|
+
|
||||||
|
+out:
|
||||||
|
+ if (Kbn)
|
||||||
|
+ BN_free(Kbn);
|
||||||
|
+ if (kex.newkeys[0])
|
||||||
|
+ free(kex.newkeys[0]);
|
||||||
|
+ if (kex.newkeys[1])
|
||||||
|
+ free(kex.newkeys[1]);
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void usage(void)
|
||||||
|
+{
|
||||||
|
+ fprintf(stderr, "\nOpenSSH KDF CAVS Test\n\n");
|
||||||
|
+ fprintf(stderr, "Usage:\n");
|
||||||
|
+ fprintf(stderr, "\t-K\tShared secret string\n");
|
||||||
|
+ fprintf(stderr, "\t-H\tHash string\n");
|
||||||
|
+ fprintf(stderr, "\t-s\tSession ID string\n");
|
||||||
|
+ fprintf(stderr, "\t-i\tIV length to be generated\n");
|
||||||
|
+ fprintf(stderr, "\t-e\tEncryption key length to be generated\n");
|
||||||
|
+ fprintf(stderr, "\t-m\tMAC key length to be generated\n");
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Test command example:
|
||||||
|
+ * ./ssh-cavs -K 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 -H d3ab91a850febb417a25d892ec48ed5952c7a5de -s d3ab91a850febb417a25d892ec48ed5952c7a5de -i 8 -e 24 -m 20
|
||||||
|
+ *
|
||||||
|
+ * Expected result for example:
|
||||||
|
+ * Initial IV (client to server) = 4bb320d1679dfd3a
|
||||||
|
+ * Encryption key (client to server) = 13048cc600b9d3cf9095aa6cf8e2ff9cf1c54ca0520c89ed
|
||||||
|
+ * Integrity key (client to server) = ecef63a092b0dcc585bdc757e01b2740af57d640
|
||||||
|
+ * Initial IV (server to client) = 43dea6fdf263a308
|
||||||
|
+ * Encryption key (server to client) = 1e483c5134e901aa11fc4e0a524e7ec7b75556148a222bb0
|
||||||
|
+ * Integrity key (server to client) = 7424b05f3c44a72b4ebd281fb71f9cbe7b64d479
|
||||||
|
+ */
|
||||||
|
+int main(int argc, char *argv[])
|
||||||
|
+{
|
||||||
|
+ struct kdf_cavs test;
|
||||||
|
+ int ret = 1;
|
||||||
|
+ int opt = 0;
|
||||||
|
+
|
||||||
|
+ memset(&test, 0, sizeof(struct kdf_cavs));
|
||||||
|
+ while((opt = getopt(argc, argv, "K:H:s:i:e:m:")) != -1)
|
||||||
|
+ {
|
||||||
|
+ size_t len = 0;
|
||||||
|
+ switch(opt)
|
||||||
|
+ {
|
||||||
|
+ /*
|
||||||
|
+ * CAVS K is MPINT
|
||||||
|
+ * we want a hex (i.e. the caller must ensure the
|
||||||
|
+ * following transformations already happened):
|
||||||
|
+ * 1. cut off first four bytes
|
||||||
|
+ * 2. if most significant bit of value is
|
||||||
|
+ * 1, prepend 0 byte
|
||||||
|
+ */
|
||||||
|
+ case 'K':
|
||||||
|
+ len = strlen(optarg);
|
||||||
|
+ ret = hex2bin_alloc(optarg, len,
|
||||||
|
+ &test.K, &test.Klen);
|
||||||
|
+ if (ret)
|
||||||
|
+ goto out;
|
||||||
|
+ break;
|
||||||
|
+ case 'H':
|
||||||
|
+ len = strlen(optarg);
|
||||||
|
+ ret = hex2bin_alloc(optarg, len,
|
||||||
|
+ &test.H, &test.Hlen);
|
||||||
|
+ if (ret)
|
||||||
|
+ goto out;
|
||||||
|
+ break;
|
||||||
|
+ case 's':
|
||||||
|
+ len = strlen(optarg);
|
||||||
|
+ ret = hex2bin_alloc(optarg, len,
|
||||||
|
+ &test.session_id,
|
||||||
|
+ &test.session_id_len);
|
||||||
|
+ if (ret)
|
||||||
|
+ goto out;
|
||||||
|
+ break;
|
||||||
|
+ case 'i':
|
||||||
|
+ test.iv_len = strtoul(optarg, NULL, 10);
|
||||||
|
+ break;
|
||||||
|
+ case 'e':
|
||||||
|
+ test.ek_len = strtoul(optarg, NULL, 10);
|
||||||
|
+ break;
|
||||||
|
+ case 'm':
|
||||||
|
+ test.ik_len = strtoul(optarg, NULL, 10);
|
||||||
|
+ break;
|
||||||
|
+ default:
|
||||||
|
+ usage();
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ ret = sshkdf_cavs(&test);
|
||||||
|
+
|
||||||
|
+out:
|
||||||
|
+ if (test.session_id)
|
||||||
|
+ free(test.session_id);
|
||||||
|
+ if (test.K)
|
||||||
|
+ free(test.K);
|
||||||
|
+ if (test.H)
|
||||||
|
+ free(test.H);
|
||||||
|
+ return ret;
|
||||||
|
+
|
||||||
|
+}
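Review bot: the success path of sshkdf_cavs frees the two newkeys blocks twice: `free(keys_client);` and `free(keys_server);` release exactly the memory that the cleanup under `out:` frees again through `if (kex.newkeys[0]) free(kex.newkeys[0]);` and the matching `[1]` branch, because keys_client and keys_server are just ssh.kex->newkeys[0] and [1] (ssh.kex points at the local kex) and the array entries are never cleared. Drop the two explicit frees and let the `out:` block release both, or set kex.newkeys[mode] to NULL right after each free. The buffers that kex_derive_keys_bn stores in enc.iv, enc.key and mac.key are also never released; for a one-shot CAVS driver that is a leak rather than a fault, but worth a comment. Two smaller points: `BN_bin2bn(test->K, test->Klen, Kbn);` runs before `if (!Kbn)` and discards its return value, so a failed BN_new() or conversion is not caught; `Kbn = BN_bin2bn(test->K, test->Klen, NULL); if (Kbn == NULL) ...` covers both cases. And `kex.hash_alg = 2;` through `5` are bare numbers standing in for the ssh_digest values the comment above the switch refers to; spelling them as SSH_DIGEST_SHA1, SSH_DIGEST_SHA256, SSH_DIGEST_SHA384 and SSH_DIGEST_SHA512 from digest.h keeps the test correct if that enumeration is ever reordered.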
@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent 16c4937db837ab7cdbe0422b81de0e7a9a8479cd
+# Parent 4821397c95e57962905e6d47554bef9e4ea57483
 disable run-time check for OpenSSL ABI by version number as that is not a
 reliable indicator of ABI changes and doesn't make much sense in a
 distribution package
@@ -7,7 +7,7 @@ distribution package
 diff --git a/openssh-7.2p2/configure.ac b/openssh-7.2p2/configure.ac
 --- a/openssh-7.2p2/configure.ac
 +++ b/openssh-7.2p2/configure.ac
-@@ -4639,16 +4639,29 @@ AC_ARG_WITH([bsd-auth],
+@@ -4663,16 +4663,29 @@ AC_ARG_WITH([bsd-auth],
 if test "x$withval" != "xno" ; then
 AC_DEFINE([BSD_AUTH], [1],
 [Define if you have BSD auth support])

1317 openssh-7.2p2-disable_preauth_compression.patch Normal file
File diff suppressed because it is too large

@@ -1,24 +1,22 @@
 # HG changeset patch
-# Parent 3e1393b771d6430ae09ae30741a3b9b382e3e041
+# Parent 5f2b8faa3b60de28124d9d4a44ffa2635d67f601
 FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved
 algorithms.
 
 diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
 --- a/openssh-7.2p2/Makefile.in
 +++ b/openssh-7.2p2/Makefile.in
-@@ -87,17 +87,18 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
+@@ -89,16 +89,18 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
-msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
-ssh-pkcs11.o smult_curve25519_ref.o \
 poly1305.o chacha.o cipher-chachapoly.o \
 ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \
 sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
 kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
 kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
 kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
-- platform-pledge.o
+platform-pledge.o
-+ platform-pledge.o \
-+ fips.o
 
++LIBSSH_OBJS += fips.o
++
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
 sshconnect.o sshconnect1.o sshconnect2.o mux.o
 
@@ -26,6 +24,7 @@ diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
 audit.o audit-bsm.o audit-linux.o platform.o \
 sshpty.o sshlogin.o servconf.o serverloop.o \
 auth.o auth1.o auth2.o auth-options.o session.o \
+auth-chall.o auth2-chall.o groupaccess.o \
 diff --git a/openssh-7.2p2/auth-rsa.c b/openssh-7.2p2/auth-rsa.c
 --- a/openssh-7.2p2/auth-rsa.c
 +++ b/openssh-7.2p2/auth-rsa.c

@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent 84a6252b7ac18855cf188e5911bdf8a757d4460a
+# Parent df12d82287e3434a52c21a994b901302bd0c8064
 GSSAPI Key Exchange implementation
 
 diff --git a/openssh-7.2p2/ChangeLog.gssapi b/openssh-7.2p2/ChangeLog.gssapi
@@ -123,7 +123,7 @@ new file mode 100644
 diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
 --- a/openssh-7.2p2/Makefile.in
 +++ b/openssh-7.2p2/Makefile.in
-@@ -85,18 +85,18 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
+@@ -89,18 +89,18 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
 atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o \
 monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
@@ -136,14 +136,14 @@ diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
 - kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
 + kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o kexgssc.o \
 + kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o kexgsss.o \
-platform-pledge.o \
+platform-pledge.o
-fips.o
+LIBSSH_OBJS += fips.o
 
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
 sshconnect.o sshconnect1.o sshconnect2.o mux.o
 
 SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
-audit.o audit-bsm.o audit-linux.o platform.o \
 diff --git a/openssh-7.2p2/auth-krb5.c b/openssh-7.2p2/auth-krb5.c
 --- a/openssh-7.2p2/auth-krb5.c
 +++ b/openssh-7.2p2/auth-krb5.c
@@ -1279,8 +1279,7 @@ diff --git a/openssh-7.2p2/gss-serv.c b/openssh-7.2p2/gss-serv.c
 + return (PAM_CONV_ERR);
 +}
 +#endif
++
-- return (ctx->major);
 +void
 +ssh_gssapi_rekey_creds() {
 + int ok;
@@ -1302,7 +1301,8 @@ diff --git a/openssh-7.2p2/gss-serv.c b/openssh-7.2p2/gss-serv.c
 + return;
 +
 + debug("Rekeyed credentials stored successfully");
-+
+- return (ctx->major);
 + /* Actually managing to play with the ssh pam stack from here will
 + * be next to impossible. In any case, we may want different options
 + * for rekeying. So, use our own :)

@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent 605a6220fcc2c96e9196681fe480fab16b505ee1
+# Parent e2f9b3303b4a4ed5d0e5f01009dd1ebea166890d
 Suggest command line for removal of offending keys from known_hosts file
 
 diff --git a/openssh-7.2p2/sshconnect.c b/openssh-7.2p2/sshconnect.c
@@ -14,11 +14,11 @@ diff --git a/openssh-7.2p2/sshconnect.c b/openssh-7.2p2/sshconnect.c
 user_hostfiles[0]);
 error("Offending %s key in %s:%lu", key_type(host_found->key),
 host_found->file, host_found->line);
-+ error("You can use following command to remove all keys for this IP:");
++ error("You can use following command to remove the offending key:");
 + if (host_found->file)
-+ error("ssh-keygen -R %s -f %s", hostname, host_found->file);
++ error("ssh-keygen -R %s -f %s", host, host_found->file);
 + else
-+ error("ssh-keygen -R %s", hostname);
++ error("ssh-keygen -R %s", host);
 
 /*
 * If strict host key checking is in use, the user will have
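Review bot: the reworded message `error("You can use following command to remove the offending key:");` in the sshconnect.c hunk promises less than the printed command does: `ssh-keygen -R` removes every known_hosts entry for the given host, not only the key that failed to match, so the previous "remove all keys for this ..." wording was the accurate one. Suggest "You can use the following command to remove all keys for this host:", which also restores the missing article. The change of the `ssh-keygen -R %s` argument from `hostname` to `host` is fine provided `host` is the name the known_hosts lookup was done with; the hunk does not show where either variable is set, so that is worth confirming against the surrounding code.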
@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent cb9be7363a9f32133f0d105d515149dd77cc8cd3
+# Parent 0f00e960e1069c6a6eec975cc184171343701077
 
 Do not import PAM environment variables when using login, since it may have
 security implications.

66 openssh-7.2p2-keep_slogin.patch Normal file
@@ -0,0 +1,66 @@
+# HG changeset patch
+# Parent 7c29b31d3502bbf5b80e01f8d1db8b2733a3c7f4
+Add slogin back to the distribution, since it might be used downstreams
+
+Revert of cupstream commit 69fead5d7cdaa73bdece9fcba80f8e8e70b90346
+
+diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
+--- a/openssh-7.2p2/Makefile.in
++++ b/openssh-7.2p2/Makefile.in
+@@ -354,16 +354,20 @@ install-files:
+$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
+$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
+$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
+$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
+if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
+$(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
+$(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
+fi
++ -rm -f $(DESTDIR)$(bindir)/slogin
++ ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
++ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
++ ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
+
+install-sysconf:
+if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
+$(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \
+fi
+@if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_config ]; then \
+$(INSTALL) -m 644 ssh_config.out $(DESTDIR)$(sysconfdir)/ssh_config; \
+else \
+@@ -415,16 +419,17 @@ uninstallall: uninstall
+-rmdir $(DESTDIR)$(bindir)
+-rmdir $(DESTDIR)$(sbindir)
+-rmdir $(DESTDIR)$(mandir)/$(mansubdir)1
+-rmdir $(DESTDIR)$(mandir)/$(mansubdir)8
+-rmdir $(DESTDIR)$(mandir)
+-rmdir $(DESTDIR)$(libexecdir)
+
+uninstall:
++ -rm -f $(DESTDIR)$(bindir)/slogin
+-rm -f $(DESTDIR)$(bindir)/ssh$(EXEEXT)
+-rm -f $(DESTDIR)$(bindir)/scp$(EXEEXT)
+-rm -f $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
+-rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
+-rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
+-rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
+-rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
+-rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
+@@ -440,16 +445,17 @@ uninstall:
+-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
+-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
+-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
+-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
+-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
+-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
+-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
+-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
++ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
+
+regress-prep:
+[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
+[ -d `pwd`/regress/unittests ] || mkdir -p `pwd`/regress/unittests
+[ -d `pwd`/regress/unittests/test_helper ] || \
+mkdir -p `pwd`/regress/unittests/test_helper
+[ -d `pwd`/regress/unittests/sshbuf ] || \
+mkdir -p `pwd`/regress/unittests/sshbuf
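Review bot: typo in the patch description of the new keep_slogin patch, `Revert of cupstream commit 69fead5d7cdaa73bdece9fcba80f8e8e70b90346` should read `upstream commit`. The Makefile.in hunks themselves are consistent: both links are preceded by `-rm -f` so a repeated install does not fail on an existing symlink, and the uninstall target removes the same two paths (`$(bindir)/slogin` and `$(mansubdir)1/slogin.1`) that install-files creates.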
30 openssh-7.2p2-kex_resource_depletion.patch Normal file
@@ -0,0 +1,30 @@
+# HG changeset patch
+# Parent 5d3b620e9c7c42bfb1d8f24eb7e0645a55d967fa
+Prevent memory depletion during key exchange
+
+CVE-2016-8858
+bsc#1005480
+
+upstream commit ec165c392ca54317dbe3064a8c200de6531e89ad
+
+diff --git a/openssh-7.2p2/kex.c b/openssh-7.2p2/kex.c
+--- a/openssh-7.2p2/kex.c
++++ b/openssh-7.2p2/kex.c
+@@ -523,16 +523,17 @@ kex_input_kexinit(int type, u_int32_t se
+u_int i;
+size_t dlen;
+int r;
+
+debug("SSH2_MSG_KEXINIT received");
+if (kex == NULL)
+return SSH_ERR_INVALID_ARGUMENT;
+
++ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
+ptr = sshpkt_ptr(ssh, &dlen);
+if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
+return r;
+
+/* discard packet */
+for (i = 0; i < KEX_COOKIE_LEN; i++)
+if ((r = sshpkt_get_u8(ssh, NULL)) != 0)
+return r;
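Review bot: `ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);` is placed before the `sshbuf_put(kex->peer, ptr, dlen)` call, which is the right order: the handler is gone before the peer's KEXINIT is appended to kex->peer, so a client repeating KEXINIT can no longer grow that buffer without bound (the CVE-2016-8858 resource exhaustion named in the header). The new patch contains only this one hunk, so confirm that the KEXINIT handler is registered again once the exchange completes; otherwise a later, legitimate rekey KEXINIT from the peer would arrive with no handler installed. The upstream commit ec165c392ca54317dbe3064a8c200de6531e89ad cited in the header is the reference to compare the re-registration against.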
@ -1,5 +1,5 @@
|
|||||||
# HG changeset patch
|
# HG changeset patch
|
||||||
# Parent b8135c449e59282a8926ff44fcb4670baf8f158e
|
# Parent a47716db81c68026e9d37db568c2c313acc53f86
|
||||||
# Helper app for retrieving keys from a LDAP server
|
# Helper app for retrieving keys from a LDAP server
|
||||||
# by Jan F. Chadima <jchadima@redhat.com>
|
# by Jan F. Chadima <jchadima@redhat.com>
|
||||||
#
|
#
|
||||||
@ -137,28 +137,26 @@ diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
|
|||||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||||
+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
|
+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
|
||||||
+SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
|
+SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
|
||||||
|
CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
|
||||||
|
CAVSTEST_KDF=$(libexecdir)/cavstest-kdf
|
||||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||||
STRIP_OPT=@STRIP_OPT@
|
STRIP_OPT=@STRIP_OPT@
|
||||||
TEST_SHELL=@TEST_SHELL@
|
TEST_SHELL=@TEST_SHELL@
|
||||||
|
|
||||||
PATHS= -DSSHDIR=\"$(sysconfdir)\" \
|
PATHS= -DSSHDIR=\"$(sysconfdir)\" \
|
||||||
-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
|
@@ -63,16 +65,19 @@ XAUTH_PATH=@XAUTH_PATH@
|
||||||
-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
|
|
||||||
@@ -57,17 +59,19 @@ INSTALL=@INSTALL@
|
|
||||||
PERL=@PERL@
|
|
||||||
SED=@SED@
|
|
||||||
ENT=@ENT@
|
|
||||||
XAUTH_PATH=@XAUTH_PATH@
|
|
||||||
LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
|
LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
|
||||||
EXEEXT=@EXEEXT@
|
EXEEXT=@EXEEXT@
|
||||||
MANFMT=@MANFMT@
|
MANFMT=@MANFMT@
|
||||||
|
|
||||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
|
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
|
||||||
+INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
|
|
||||||
+
|
|
||||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
|
|
||||||
|
|
||||||
|
TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
|
||||||
|
|
||||||
|
+INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
|
||||||
|
+TARGETS += ssh-ldap-helper$(EXEEXT)
|
||||||
|
+
|
||||||
LIBOPENSSH_OBJS=\
|
LIBOPENSSH_OBJS=\
|
||||||
ssh_api.o \
|
ssh_api.o \
|
||||||
ssherr.o \
|
ssherr.o \
|
||||||
@ -166,7 +164,8 @@ diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
|
|||||||
sshkey.o \
|
sshkey.o \
|
||||||
sshbuf-getput-basic.o \
|
sshbuf-getput-basic.o \
|
||||||
sshbuf-misc.o \
|
sshbuf-misc.o \
|
||||||
@@ -109,18 +113,18 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
|
sshbuf-getput-crypto.o \
|
||||||
|
@@ -114,18 +119,18 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
|
||||||
monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \
|
monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \
|
||||||
auth2-gss.o gss-serv.o gss-serv-krb5.o \
|
auth2-gss.o gss-serv.o gss-serv-krb5.o \
|
||||||
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
|
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
|
||||||
@ -187,7 +186,7 @@ diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
|
|||||||
PATHSUBS = \
|
PATHSUBS = \
|
||||||
-e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \
|
-e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \
|
||||||
-e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \
|
-e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \
|
||||||
@@ -184,16 +188,19 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
|
@@ -189,16 +194,19 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
|
||||||
$(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
$(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||||
|
|
||||||
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
|
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
|
||||||
@ -205,9 +204,9 @@ diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
|
|||||||
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
|
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
|
||||||
$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
||||||
|
|
||||||
# test driver for the loginrec code - not built by default
|
# FIPS tests
|
||||||
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
|
||||||
@@ -308,32 +315,40 @@ install-files:
|
@@ -320,16 +328,20 @@ install-files:
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
|
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-add$(EXEEXT) $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
|
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-add$(EXEEXT) $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
|
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
|
||||||
@ -222,12 +221,13 @@ diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
|
|||||||
+ fi
|
+ fi
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||||
|
+$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
+$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-kdf$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-kdf$(EXEEXT)
 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
 $(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
-$(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
+@@ -338,16 +350,20 @@ install-files:
-$(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
 $(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
@@ -248,7 +248,7 @@ diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
 @if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_config ]; then \
 $(INSTALL) -m 644 ssh_config.out $(DESTDIR)$(sysconfdir)/ssh_config; \
 else \
-@@ -349,16 +364,23 @@ install-sysconf:
+@@ -363,16 +379,23 @@ install-sysconf:
 echo "moving $(DESTDIR)$(sysconfdir)/primes to $(DESTDIR)$(sysconfdir)/moduli"; \
 mv "$(DESTDIR)$(sysconfdir)/primes" "$(DESTDIR)$(sysconfdir)/moduli"; \
 else \
@@ -272,7 +272,7 @@ diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
 
 host-key-force: ssh-keygen$(EXEEXT) ssh$(EXEEXT)
 if ./ssh -Q protocol-version | grep '^1$$' >/dev/null; then \
-@@ -389,27 +411,30 @@ uninstall:
+@@ -403,27 +426,30 @@ uninstall:
 -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
 -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
 -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
@@ -306,7 +306,7 @@ diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
 diff --git a/openssh-7.2p2/configure.ac b/openssh-7.2p2/configure.ac
 --- a/openssh-7.2p2/configure.ac
 +++ b/openssh-7.2p2/configure.ac
-@@ -1620,16 +1620,116 @@ AC_ARG_WITH([audit],
+@@ -1644,16 +1644,116 @@ AC_ARG_WITH([audit],
 AC_MSG_RESULT([no])
 ;;
 *)
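Review bot: the only substantive change in this refresh is that the cavstest-ctr and cavstest-kdf install lines now appear as context in the Makefile.in hunk (the rest is shifted inner hunk offsets and one hunk split at ssh-keygen.1/ssh-keyscan.1), which makes this patch depend on the CAVS test patches being applied before it; pin that order in the spec so a later refresh of either side does not break the apply.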
@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent e351203d2784230a3b56b8e3dd6955403ed10ca4
+# Parent 9888bc3f536eab9f528d9c96e5e8a2501ed168f5
 Limit accepted passwords length to prevent DoS by resource consumption
 (via crypt() eating CPU cycles).
 
@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent 295ae9c5f5da12d273f3b91e90145b449984a7dc
+# Parent b86c2190c93aeaf958c22fc7b224dcaf87100288
 # HG changeset patch
 # Parent b262fd34c8ecd55e93d457b3ca5593abce716856
 # login-pam cannot handle the option terminator "--" as login from util-linux
@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent 7ce81a30bb196401c63782b646d8a6d511ddec4b
+# Parent 4011d0f5c00b663976c9940dc4ef79642605cf90
 Do not write a PID file when not daemonizing (e.g. when running from systemd)
 
 diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c
openssh-7.2p2-prevent_private_key_leakage.patch (Normal file, 188 lines)
@@ -0,0 +1,188 @@
# HG changeset patch
# Parent e2a8c999f737bca97bbc330ce6683de842ba195e
Pre-allocare buffer for private keys data to prevent leaking of sensitive data
via heap.

CVE-2016-10011
bsc#1016369

backported upstream commit 54d022026aae4f53fa74cc636e4a032d9689b64d
backported upstream commit a9c746088787549bb5b1ae3add7d06a1b6d93d5e
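Review bot: typo in the description, "Pre-allocare" should be "Pre-allocate". Since the backport carries two upstream commits, say which part each one contributes (the sshbuf_allocate() split in sshbuf.c/sshbuf.h versus the authfile.c caller change), so a later rebase can drop one without guessing.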

diff --git a/openssh-7.2p2/authfile.c b/openssh-7.2p2/authfile.c
--- a/openssh-7.2p2/authfile.c
+++ b/openssh-7.2p2/authfile.c
@@ -95,23 +95,35 @@ sshkey_save_private(struct sshkey *key,

/* Load a key from a fd into a buffer */
int
sshkey_load_file(int fd, struct sshbuf *blob)
{
u_char buf[1024];
size_t len;
struct stat st;
- int r;
+ int r, dontmax = 0;

if (fstat(fd, &st) < 0)
return SSH_ERR_SYSTEM_ERROR;
if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 &&
st.st_size > MAX_KEY_FILE_SIZE)
return SSH_ERR_INVALID_FORMAT;
+ /*
+ * Pre-allocate the buffer used for the key contents and clamp its
+ * maximum size. This ensures that key contents are never leaked via
+ * implicit realloc() in the sshbuf code.
+ */
+ if ((st.st_mode & S_IFREG) == 0 || st.st_size <= 0) {
+ st.st_size = 64*1024; /* 64k should be enough for anyone :) */
+ dontmax = 1;
+ }
+ if ((r = sshbuf_allocate(blob, st.st_size)) != 0 ||
+ (dontmax && (r = sshbuf_set_max_size(blob, st.st_size)) != 0))
+ return r;
for (;;) {
if ((len = atomicio(read, fd, buf, sizeof(buf))) == 0) {
if (errno == EPIPE)
break;
r = SSH_ERR_SYSTEM_ERROR;
goto out;
}
if ((r = sshbuf_put(blob, buf, len)) != 0)
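Review bot: the max_size clamp is only applied when dontmax is set, so for a regular file the pre-allocation is a hint rather than a guarantee: if the file grows between fstat() and the read loop, sshbuf_put() takes the realloc() path again and the earlier copy of the key bytes is left behind in the freed chunk, which is the leak this change is meant to close. Either call sshbuf_set_max_size(blob, st.st_size) for regular files as well (a file that changed underneath us then fails to load, which is the safer outcome) or state in the comment that the race is accepted. Two smaller points: dontmax is set precisely in the branch where sshbuf_set_max_size() is called, so the name reads backwards (clamp_max or similar would be clearer), and the 64k fallback is a second, undocumented limit next to MAX_KEY_FILE_SIZE; one line on why pipes and sockets get a smaller cap would help the next reader.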
diff --git a/openssh-7.2p2/sshbuf.c b/openssh-7.2p2/sshbuf.c
--- a/openssh-7.2p2/sshbuf.c
+++ b/openssh-7.2p2/sshbuf.c
@@ -311,63 +311,73 @@ sshbuf_check_reserve(const struct sshbuf
SSHBUF_TELL("check");
/* Check that len is reasonable and that max_size + available < len */
if (len > buf->max_size || buf->max_size - len < buf->size - buf->off)
return SSH_ERR_NO_BUFFER_SPACE;
return 0;
}

int
-sshbuf_reserve(struct sshbuf *buf, size_t len, u_char **dpp)
+sshbuf_allocate(struct sshbuf *buf, size_t len)
{
size_t rlen, need;
u_char *dp;
int r;

- if (dpp != NULL)
- *dpp = NULL;
-
- SSHBUF_DBG(("reserve buf = %p len = %zu", buf, len));
+ SSHBUF_DBG(("allocate buf = %p len = %zu", buf, len));
if ((r = sshbuf_check_reserve(buf, len)) != 0)
return r;
/*
* If the requested allocation appended would push us past max_size
* then pack the buffer, zeroing buf->off.
*/
sshbuf_maybe_pack(buf, buf->size + len > buf->max_size);
- SSHBUF_TELL("reserve");
- if (len + buf->size > buf->alloc) {
- /*
- * Prefer to alloc in SSHBUF_SIZE_INC units, but
- * allocate less if doing so would overflow max_size.
- */
- need = len + buf->size - buf->alloc;
- rlen = roundup(buf->alloc + need, SSHBUF_SIZE_INC);
- SSHBUF_DBG(("need %zu initial rlen %zu", need, rlen));
- if (rlen > buf->max_size)
- rlen = buf->alloc + need;
- SSHBUF_DBG(("adjusted rlen %zu", rlen));
- if ((dp = realloc(buf->d, rlen)) == NULL) {
- SSHBUF_DBG(("realloc fail"));
- if (dpp != NULL)
- *dpp = NULL;
- return SSH_ERR_ALLOC_FAIL;
- }
- buf->alloc = rlen;
- buf->cd = buf->d = dp;
- if ((r = sshbuf_check_reserve(buf, len)) < 0) {
- /* shouldn't fail */
- if (dpp != NULL)
- *dpp = NULL;
- return r;
- }
+ SSHBUF_TELL("allocate");
+ if (len + buf->size <= buf->alloc)
+ return 0; /* already have it. */
+
+ /*
+ * Prefer to alloc in SSHBUF_SIZE_INC units, but
+ * allocate less if doing so would overflow max_size.
+ */
+ need = len + buf->size - buf->alloc;
+ rlen = roundup(buf->alloc + need, SSHBUF_SIZE_INC);
+ SSHBUF_DBG(("need %zu initial rlen %zu", need, rlen));
+ if (rlen > buf->max_size)
+ rlen = buf->alloc + need;
+ SSHBUF_DBG(("adjusted rlen %zu", rlen));
+ if ((dp = realloc(buf->d, rlen)) == NULL) {
+ SSHBUF_DBG(("realloc fail"));
+ return SSH_ERR_ALLOC_FAIL;
}
+ buf->alloc = rlen;
+ buf->cd = buf->d = dp;
+ if ((r = sshbuf_check_reserve(buf, len)) < 0) {
+ /* shouldn't fail */
+ return r;
+ }
+ SSHBUF_TELL("done");
+ return 0;
+}
+
+int
+sshbuf_reserve(struct sshbuf *buf, size_t len, u_char **dpp)
+{
+ u_char *dp;
+ int r;
+
+ if (dpp != NULL)
+ *dpp = NULL;
+
+ SSHBUF_DBG(("reserve buf = %p len = %zu", buf, len));
+ if ((r = sshbuf_allocate(buf, len)) != 0)
+ return r;
+
dp = buf->d + buf->size;
buf->size += len;
- SSHBUF_TELL("done");
if (dpp != NULL)
*dpp = dp;
return 0;
}

int
sshbuf_consume(struct sshbuf *buf, size_t len)
{
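Review bot: the growth path still uses a plain realloc(), so whenever the allocator has to move the block the bytes already in buf->d remain readable in the abandoned chunk; sshbuf_allocate() lets the authfile caller sidestep that, but every other caller that grows a buffer holding secrets (agent messages, decrypted key blobs) gets no protection from this change. A zeroing reallocation here (recallocarray() where the libc provides it, otherwise malloc + memcpy + explicit_bzero + free of the old block) would close the class of bug rather than one call site, and would make the pre-sizing in authfile.c a performance choice instead of a security one.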
diff --git a/openssh-7.2p2/sshbuf.h b/openssh-7.2p2/sshbuf.h
--- a/openssh-7.2p2/sshbuf.h
+++ b/openssh-7.2p2/sshbuf.h
@@ -134,16 +134,24 @@ u_char *sshbuf_mutable_ptr(const struct
* Check whether a reservation of size len will succeed in buf
* Safer to use than direct comparisons again sshbuf_avail as it copes
* with unsigned overflows correctly.
* Returns 0 on success, or a negative SSH_ERR_* error code on failure.
*/
int sshbuf_check_reserve(const struct sshbuf *buf, size_t len);

/*
+ * Preallocates len additional bytes in buf.
+ * Useful for cases where the caller knows how many bytes will ultimately be
+ * required to avoid realloc in the buffer code.
+ * Returns 0 on success, or a negative SSH_ERR_* error code on failure.
+ */
+int sshbuf_allocate(struct sshbuf *buf, size_t len);
+
+/*
* Reserve len bytes in buf.
* Returns 0 on success and a pointer to the first reserved byte via the
* optional dpp parameter or a negative * SSH_ERR_* error code on failure.
*/
int sshbuf_reserve(struct sshbuf *buf, size_t len, u_char **dpp);

/*
* Consume len bytes from the start of buf
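Review bot: the new comment should state that sshbuf_allocate() may pack the buffer and reallocate buf->d (it calls sshbuf_maybe_pack() and realloc() in sshbuf.c), so any pointer previously obtained from sshbuf_ptr(), sshbuf_mutable_ptr() or sshbuf_reserve() is invalid after the call; without that, a caller that pre-sizes a buffer and keeps a pointer into it would read "Preallocates len additional bytes" as a pure size hint. "len additional bytes" is also slightly off: the code ensures len bytes beyond the current size are available and returns 0 at once if they already are, it does not grow the buffer by len on every call.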
@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent 323ac0fc20b1d5e9bf7037e020adfd760dd2d5f2
+# Parent 4a254abf4ef391358257310ad2fe15c9e12dee34
 Prevent user enumeration through password processing timing
 CVE-2016-6210
 bsc#989363
openssh-7.2p2-restrict_pkcs11-modules.patch (Normal file, 297 lines)
@@ -0,0 +1,297 @@
# HG changeset patch
# Parent 22de9aeddbde2b36da9c23475cfa5dcd42e95287
whitelist paths for loading of PKCS#11 modules in ssh-agent

CVE-2016-10009
bsc#1016366

upstream commit 786d5994da79151180cb14a6cf157ebbba61c0cc

diff --git a/openssh-7.2p2/ssh-agent.1 b/openssh-7.2p2/ssh-agent.1
--- a/openssh-7.2p2/ssh-agent.1
+++ b/openssh-7.2p2/ssh-agent.1
@@ -1,9 +1,9 @@
-.\" $OpenBSD: ssh-agent.1,v 1.62 2015/11/15 23:54:15 jmc Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.63 2016/11/30 03:07:37 djm Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\" All rights reserved
.\"
.\" As far as I am concerned, the code I have written for this software
.\" can be used freely for any purpose. Any derived versions of this
.\" software must be clearly marked as such, and if the derived work is
@@ -29,29 +29,30 @@
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA,  OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: November 15 2015 $
+.Dd $Mdocdate: November 30 2016 $
.Dt SSH-AGENT 1
.Os
.Sh NAME
.Nm ssh-agent
.Nd authentication agent
.Sh SYNOPSIS
.Nm ssh-agent
.Op Fl c | s
.Op Fl \&Dd
.Op Fl a Ar bind_address
.Op Fl E Ar fingerprint_hash
.Op Fl t Ar life
+.Op Fl P Ar pkcs11_whitelist
.Op Ar command Op Ar arg ...
.Nm ssh-agent
.Op Fl c | s
.Fl k
.Sh DESCRIPTION
.Nm
is a program to hold private keys used for public key authentication
(RSA, DSA, ECDSA, Ed25519).
@@ -116,16 +117,28 @@ Valid options are:
and
.Dq sha256 .
The default is
.Dq sha256 .
.It Fl k
Kill the current agent (given by the
.Ev SSH_AGENT_PID
environment variable).
+.It Fl P
+Specify a pattern-list of acceptable paths for PKCS#11 shared libraries
+that may be added using the
+.Fl s
+option to
+.Xr ssh-add 1 .
+The default is to allow loading PKCS#11 libraries from
+.Dq /usr/lib/*,/usr/local/lib/* .
+PKCS#11 libraries that do not match the whitelist will be refused.
+See PATTERNS in
+.Xr ssh_config 5
+for a description of pattern-list syntax.
.It Fl s
Generate Bourne shell commands on
.Dv stdout .
This is the default if
.Ev SHELL
does not look like it's a csh style of shell.
.It Fl t Ar life
Set a default value for the maximum lifetime of identities added to the agent.
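Review bot: the -P text should say that the agent canonicalises the path with realpath(3) before matching it (see the ssh-agent.c hunk in this patch), so a symlink inside a whitelisted directory that resolves elsewhere is refused, a relative path is resolved in the agent's working directory rather than the caller's, and patterns therefore have to name the real library directories. It should also state what an empty pattern list means (every provider refused, since match_pattern_list() yields no positive match), because -P '' is the obvious way to disable PKCS#11 loading entirely and users will try it.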
diff --git a/openssh-7.2p2/ssh-agent.c b/openssh-7.2p2/ssh-agent.c
--- a/openssh-7.2p2/ssh-agent.c
+++ b/openssh-7.2p2/ssh-agent.c
@@ -78,25 +78,30 @@
#include "sshbuf.h"
#include "sshkey.h"
#include "authfd.h"
#include "compat.h"
#include "log.h"
#include "misc.h"
#include "digest.h"
#include "ssherr.h"
+#include "match.h"

#ifdef ENABLE_PKCS11
#include "ssh-pkcs11.h"
#endif

#if defined(HAVE_SYS_PRCTL_H)
#include <sys/prctl.h> /* For prctl() and PR_SET_DUMPABLE */
#endif

+#ifndef DEFAULT_PKCS11_WHITELIST
+# define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/local/lib/*"
+#endif
+
typedef enum {
AUTH_UNUSED,
AUTH_SOCKET,
AUTH_CONNECTION
} sock_type;

typedef struct {
int fd;
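Review bot: the default whitelist /usr/lib/*,/usr/local/lib/* does not cover /usr/lib64, where 64-bit openSUSE and SLE install shared libraries, so on x86_64 and s390x every normally packaged PKCS#11 provider (opensc-pkcs11.so, the OpenCryptoki library) would be refused by "ssh-add -s" unless the user passes -P. The #ifndef guard exists so the build can override it: either define DEFAULT_PKCS11_WHITELIST from the spec (for example to include /usr/lib64/*) or widen the default here, and whichever value ships must be the one the ssh-agent.1 text quotes, which at present is the upstream default.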
@@ -134,16 +139,19 @@ time_t parent_alive_interval = 0;

/* pid of process for which cleanup_socket is applicable */
pid_t cleanup_pid = 0;

/* pathname and directory for AUTH_SOCKET */
char socket_name[PATH_MAX];
char socket_dir[PATH_MAX];

+/* PKCS#11 path whitelist */
+static char *pkcs11_whitelist;
+
/* locking */
#define LOCK_SIZE 32
#define LOCK_SALT_SIZE 16
#define LOCK_ROUNDS 1
int locked = 0;
char lock_passwd[LOCK_SIZE];
char lock_salt[LOCK_SALT_SIZE];

@@ -736,17 +744,17 @@ no_identities(SocketEntry *e, u_int type
fatal("%s: buffer error: %s", __func__, ssh_err(r));
sshbuf_free(msg);
}

#ifdef ENABLE_PKCS11
static void
process_add_smartcard_key(SocketEntry *e)
{
- char *provider = NULL, *pin;
+ char *provider = NULL, *pin, canonical_provider[PATH_MAX];
int r, i, version, count = 0, success = 0, confirm = 0;
u_int seconds;
time_t death = 0;
u_char type;
struct sshkey **keys = NULL, *k;
Identity *id;
Idtab *tab;

@@ -768,29 +776,40 @@ process_add_smartcard_key(SocketEntry *e
confirm = 1;
break;
default:
error("process_add_smartcard_key: "
"Unknown constraint type %d", type);
goto send;
}
}
+ if (realpath(provider, canonical_provider) == NULL) {
+ verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
+ provider, strerror(errno));
+ goto send;
+ }
+ if (match_pattern_list(canonical_provider, pkcs11_whitelist, 0) != 1) {
+ verbose("refusing PKCS#11 add of \"%.100s\": "
+ "provider not whitelisted", canonical_provider);
+ goto send;
+ }
+ debug("%s: add %.100s", __func__, canonical_provider);
if (lifetime && !death)
death = monotime() + lifetime;

- count = pkcs11_add_provider(provider, pin, &keys);
+ count = pkcs11_add_provider(canonical_provider, pin, &keys);
for (i = 0; i < count; i++) {
k = keys[i];
version = k->type == KEY_RSA1 ? 1 : 2;
tab = idtab_lookup(version);
if (lookup_identity(k, version) == NULL) {
id = xcalloc(1, sizeof(Identity));
id->key = k;
- id->provider = xstrdup(provider);
- id->comment = xstrdup(provider); /* XXX */
+ id->provider = xstrdup(canonical_provider);
+ id->comment = xstrdup(canonical_provider); /* XXX */
id->death = death;
id->confirm = confirm;
TAILQ_INSERT_TAIL(&tab->idlist, id, next);
tab->nentries++;
success = 1;
} else {
sshkey_free(k);
}
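Review bot: id->provider now stores the canonical path, but the removal side is not in this patch; process_remove_smartcard_key() compares the provider string sent by the client against id->provider, so an "ssh-add -e" issued with the same non-canonical path that was used to add the keys (a symlink, a relative path, a path containing "..") no longer matches and the keys cannot be unloaded without restarting the agent. Apply the same realpath() step there. Also, logging the rejected path at verbose level only means the user running ssh-add sees a generic refusal while the reason lives in the agent's stderr; consider logit() for the "provider not whitelisted" case, which is the one administrators will need to see after this change lands.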
@@ -1171,17 +1190,17 @@ check_parent_exists(void)
}
}

static void
usage(void)
{
fprintf(stderr,
"usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
- " [-t life] [command [arg ...]]\n"
+ " [-P pkcs11_whitelist] [-t life] [command [arg ...]]\n"
" ssh-agent [-c | -s] -k\n");
exit(1);
}

int
main(int ac, char **av)
{
int c_flag = 0, d_flag = 0, D_flag = 0, k_flag = 0, s_flag = 0;
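Review bot: the usage string lists -P before -t, while the man page SYNOPSIS in this same patch puts .Op Fl P after .Op Fl t; pick one order for both (the usage line is alphabetical, so moving the man page entry is the smaller change).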
@@ -1215,31 +1234,36 @@ main(int ac, char **av)

#ifdef WITH_OPENSSL
OpenSSL_add_all_algorithms();
#endif

__progname = ssh_get_progname(av[0]);
seed_rng();

- while ((ch = getopt(ac, av, "cDdksE:a:t:")) != -1) {
+ while ((ch = getopt(ac, av, "cDdksE:a:P:t:")) != -1) {
switch (ch) {
case 'E':
fingerprint_hash = ssh_digest_alg_by_name(optarg);
if (fingerprint_hash == -1)
fatal("Invalid hash algorithm \"%s\"", optarg);
break;
case 'c':
if (s_flag)
usage();
c_flag++;
break;
case 'k':
k_flag++;
break;
+ case 'P':
+ if (pkcs11_whitelist != NULL)
+ fatal("-P option already specified");
+ pkcs11_whitelist = xstrdup(optarg);
+ break;
case 's':
if (c_flag)
usage();
s_flag++;
break;
case 'd':
if (d_flag || D_flag)
usage();
@@ -1264,16 +1288,19 @@ main(int ac, char **av)
}
}
ac -= optind;
av += optind;

if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || D_flag))
usage();

+ if (pkcs11_whitelist == NULL)
+ pkcs11_whitelist = xstrdup(DEFAULT_PKCS11_WHITELIST);
+
if (ac == 0 && !c_flag && !s_flag) {
shell = getenv("SHELL");
if (shell != NULL && (len = strlen(shell)) > 2 &&
strncmp(shell + len - 3, "csh", 3) == 0)
c_flag = 1;
}
if (k_flag) {
const char *errstr = NULL;
@@ -1411,17 +1438,17 @@ skip:
parent_alive_interval = 10;
idtab_init();
signal(SIGPIPE, SIG_IGN);
signal(SIGINT, (d_flag | D_flag) ? cleanup_handler : SIG_IGN);
signal(SIGHUP, cleanup_handler);
signal(SIGTERM, cleanup_handler);
nalloc = 0;

- if (pledge("stdio cpath unix id proc exec", NULL) == -1)
+ if (pledge("stdio rpath cpath unix id proc exec", NULL) == -1)
fatal("%s: pledge: %s", __progname, strerror(errno));
platform_pledge_agent();

while (1) {
prepare_select(&readsetp, &writesetp, &max_fd, &nalloc, &tvp);
result = select(max_fd + 1, readsetp, writesetp, NULL, tvp);
saved_errno = errno;
if (parent_alive_interval != 0)
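Review bot: rpath is what realpath(3) needs under pledge(2), but portable OpenSSH on Linux builds pledge() as a stub that returns 0, so on this package the pledge hunk changes nothing and the whitelist check itself is the only control; a line in the description saying so would stop anyone reading the pledge change as the hardening. In the option parsing, the -P value is stored without any validation or logging: a list that is well formed but matches nothing (a typo, or the /usr/lib64 case) only surfaces later as a verbose "provider not whitelisted" in the agent while ssh-add reports a generic failure. A debug line after the default is assigned, echoing the effective whitelist, would make that diagnosable.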
openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch (Normal file, 82 lines)
@@ -0,0 +1,82 @@
# HG changeset patch
# Parent bb92b9f037cc3686a669cd84caa44a2716f34058
Date: Tue, 9 May 2017 14:27:34 -0300

[PATCH 0/3] Allow syscalls for openssl engines
From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
To: openssh-unix-dev@mindrot.org
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
implementation) which calls the libraries that will communicate with the
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
this is only need on s390 architecture.

The EP11 crypto card also needs to make an ioctl call, which receives an
specific argument.

Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>

related to bsc#1016709

diff --git a/openssh-7.2p2/sandbox-seccomp-filter.c b/openssh-7.2p2/sandbox-seccomp-filter.c
--- a/openssh-7.2p2/sandbox-seccomp-filter.c
+++ b/openssh-7.2p2/sandbox-seccomp-filter.c
@@ -150,16 +150,19 @@ static const struct sock_filter preauth_
SC_ALLOW(stat),
#endif
#ifdef __NR_exit
SC_ALLOW(exit),
#endif
#ifdef __NR_exit_group
SC_ALLOW(exit_group),
#endif
+#if defined(__NR_flock) && defined(__s390__)
+ SC_ALLOW(flock),
+#endif
#ifdef __NR_getpgid
SC_ALLOW(getpgid),
#endif
#ifdef __NR_getpid
SC_ALLOW(getpid),
#endif
#ifdef __NR_getuid
SC_ALLOW(getuid),
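Review bot: SC_ALLOW(flock) is gated on the architecture rather than on a crypto engine being configured, so every s390 sshd gets it in the preauth filter even with no crypto card present; that is acceptable (flock on the process's own descriptors cannot escalate anything), but the block should carry a comment naming the consumer (OpenCryptoki via the ibmpkcs11 engine), as the EP11 ioctl block below does, so the next refresh of the filter keeps it for the right reason. The cover letter's "as of now, this is only need on s390" is also the kind of condition that silently stops being true; a comment here is where someone will look when the engine turns up on another architecture.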
@@ -180,16 +183,19 @@ static const struct sock_filter preauth_
SC_ALLOW(gettimeofday),
#endif
#ifdef SSH_AUDIT_EVENTS
SC_ALLOW(getuid),
#ifdef __NR_getuid32 /* not defined on x86_64 */
SC_ALLOW(getuid32),
#endif
#endif
+#if defined(__NR_ipc) && defined(__s390__)
+ SC_ALLOW(ipc),
+#endif
#ifdef __NR_madvise
SC_ALLOW(madvise),
#endif
#ifdef __NR_mmap
SC_ALLOW(mmap),
#endif
#ifdef __NR_mmap2
SC_ALLOW(mmap2),
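Review bot: on s390 __NR_ipc is the multiplexed System V IPC entry point: semop, semget, semctl, msgsnd, msgrcv, msgget, msgctl, shmat, shmdt, shmget and shmctl are all reached through it, selected by the first argument, so SC_ALLOW(ipc) hands the whole family to the preauth process, far more than the shared-memory and semaphore calls OpenCryptoki needs. Restrict it by call number with SC_ALLOW_ARG(ipc, 0, <call>) for just those calls (check with strace which ones the token library issues), the same way socketcall is limited to SYS_SHUTDOWN further down; shmat in particular gives a compromised preauth process a way into memory shared by other processes.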
@@ -233,16 +239,18 @@ static const struct sock_filter preauth_
#ifdef __NR_socketcall
SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
#endif
#ifdef __NR_ioctl
#ifdef __s390__
SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
+ /* Allow ioctls for EP11 crypto card on s390 */
+ SC_ALLOW_ARG(ioctl, 1, ZSENDEP11CPRB),
#endif
#endif

/* Default deny */
BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
};

static const struct sock_fprog preauth_program = {
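Review bot: ZSENDEP11CPRB comes from <asm/zcrypt.h>, which the companion openssh-7.2p2-s390_hw_crypto_syscalls.patch includes under __s390__, and only kernel headers that know about EP11 define it; if the package must still build against older kernel-headers, wrap the new entry in #ifdef ZSENDEP11CPRB the way the __NR_* blocks are guarded. The comment says "ioctls" but a single one is added. Note also that with LO_ARG as defined in the other patch SC_ALLOW_ARG compares only the low 32 bits of the request value, so this entry, like the three ICA entries above it, matches any ioctl request whose low word equals ZSENDEP11CPRB.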
openssh-7.2p2-s390_hw_crypto_syscalls.patch (Normal file, 100 lines)
@@ -0,0 +1,100 @@
# HG changeset patch
# Parent 6d8637bec747de081eccba9874f640dcbc4fbb68
This patch enables specific ioctl calls for ICA crypto card on s390
platform. Without this patch, users using the IBMCA engine are not able
to perform ssh login as the filter blocks the communication with the
crypto card.

Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>

bsc#1016709

Upstreamed as:
5f1596e11d55539678c41f68aed358628d33d86f
58b8cfa2a062b72139d7229ae8de567f55776f24

diff --git a/openssh-7.2p2/sandbox-seccomp-filter.c b/openssh-7.2p2/sandbox-seccomp-filter.c
--- a/openssh-7.2p2/sandbox-seccomp-filter.c
+++ b/openssh-7.2p2/sandbox-seccomp-filter.c
@@ -54,42 +54,53 @@
#include <errno.h>
#include <signal.h>
#include <stdarg.h>
#include <stddef.h> /* for offsetof */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#include <endian.h>
+
+#ifdef __s390__
+#include <asm/zcrypt.h>
+#endif

#include "log.h"
#include "ssh-sandbox.h"
#include "xmalloc.h"

/* Linux seccomp_filter sandbox */
#define SECCOMP_FILTER_FAIL SECCOMP_RET_KILL

/* Use a signal handler to emit violations when debugging */
#ifdef SANDBOX_SECCOMP_FILTER_DEBUG
# undef SECCOMP_FILTER_FAIL
# define SECCOMP_FILTER_FAIL SECCOMP_RET_TRAP
#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */

/* Simple helpers to avoid manual errors (but larger BPF programs). */
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+#define LO_ARG(idx) offsetof(struct seccomp_data, args[(idx)])
+#elif __BYTE_ORDER == __BIG_ENDIAN
+#define LO_ARG(idx) offsetof(struct seccomp_data, args[(idx)]) + sizeof(uint32_t)
+#else
+#error "Unknown endianness"
+#endif
#define SC_DENY(_nr, _errno) \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno))
#define SC_ALLOW(_nr) \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 4), \
- /* load first syscall argument */ \
- BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
- offsetof(struct seccomp_data, args[(_arg_nr)])), \
+ /* load the syscall argument to check into accumulator */ \
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, LO_ARG(_arg_nr)), \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
/* reload syscall number; all rules expect it in accumulator */ \
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
offsetof(struct seccomp_data, nr))

/* Syscall filtering set for preauth. */
static const struct sock_filter preauth_insns[] = {
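Review bot: LO_ARG loads only the low 32 bits of the 64-bit syscall argument, so on s390x SC_ALLOW_ARG(ioctl, 1, X) accepts any request value whose low word equals X regardless of the high word; for an allow rule that is a weaker check than the macro name suggests. Add a second load and compare on the high half (offsetof(struct seccomp_data, args[idx]) on big-endian, plus sizeof(uint32_t) on little-endian) against (uint32_t)((uint64_t)(_arg_val) >> 32), and bump the jump offsets in SC_ALLOW_ARG so a mismatch on either half skips both. The big-endian LO_ARG itself is right for 64-bit s390x (args[] are u64, low word at +4), and the #error fallback is the correct default; the BPF_W load on a 64-bit field is also worth a comment since it is the reason the split exists at all.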
@@ -217,16 +228,23 @@ static const struct sock_filter preauth_
SC_ALLOW(time),
#endif
#ifdef __NR_write
SC_ALLOW(write),
#endif
#ifdef __NR_socketcall
SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
#endif
+#ifdef __NR_ioctl
+#ifdef __s390__
+ SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
+ SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
+ SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
+#endif
+#endif

/* Default deny */
BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
};

static const struct sock_fprog preauth_program = {
.len = (unsigned short)(sizeof(preauth_insns)/sizeof(preauth_insns[0])),
.filter = (struct sock_filter *)preauth_insns,
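Review bot: these three entries are the context that openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch expects when it adds ZSENDEP11CPRB, so this patch has to be applied first; record that ordering in the spec. A short comment on what each request does (Z90STAT_STATUS_MASK is a device status query, ICARSAMODEXPO and ICARSACRT are the RSA modular-exponentiation and CRT operations) would match the EP11 comment in the other patch and justify why the preauth process is allowed to drive the card at all.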
openssh-7.2p2-seccomp_geteuid.patch (Normal file, 34 lines)
@@ -0,0 +1,34 @@
# HG changeset patch
# Parent b07f00d5d805c043f5bdc7b8cf6701d924879fa6
Add the 'geteuid' syscall to allowed list, since it may becalled on the
mainframes when OpenSSL is using hardware crypto accelerator via libica
(via ibmica)

bsc#1004258

diff --git a/openssh-7.2p2/sandbox-seccomp-filter.c b/openssh-7.2p2/sandbox-seccomp-filter.c
--- a/openssh-7.2p2/sandbox-seccomp-filter.c
+++ b/openssh-7.2p2/sandbox-seccomp-filter.c
@@ -148,16 +148,22 @@ static const struct sock_filter preauth_
SC_ALLOW(getpid),
#endif
#ifdef __NR_getuid
SC_ALLOW(getuid),
#endif
#ifdef __NR_getuid32
SC_ALLOW(getuid32),
#endif
+#ifdef __NR_geteuid
+ SC_ALLOW(geteuid),
+#endif
+#ifdef __NR_geteuid32
+ SC_ALLOW(geteuid32),
+#endif
#ifdef __NR_getrandom
SC_ALLOW(getrandom),
#endif
#ifdef __NR_gettimeofday
SC_ALLOW(gettimeofday),
#endif
#ifdef __NR_madvise
SC_ALLOW(madvise),
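Review bot: unlike the flock and ipc additions, geteuid/geteuid32 are allowed on every architecture although the description says the call is only seen on mainframes via libica; that is fine (geteuid only reports the process's own euid and matches the unconditional getuid entries right above), so say so in the description rather than leaving the reader to wonder why it is not under __s390__. Two wording fixes for the description: "becalled" should be "be called", and the engine is named "libica (via ibmica)" here but "IBMCA engine" in openssh-7.2p2-s390_hw_crypto_syscalls.patch; use one name.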
@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent c66097e5e31cd607bf2206b2da95730cce518b7a
+# Parent d75417bf0f4d50cabd84299773bab4ac68f68caa
 add 'getuid' syscall to list of allowed ones to prevent the sanboxed thread
 from being killed by the seccomp filter
 
openssh-7.2p2-seccomp_stat.patch
@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent def949a57b8101691c79ecce6366cc7ae1685b07
+# Parent 2153c4af090728c778931d2fad72d4b260294122
 Allow the stat() syscall for OpenSSL re-seed patch
 (which causes OpenSSL use stat() on some file)
 
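Review bot: apart from the rebased "# Parent" id the description is unchanged, and it remains vague: "(which causes OpenSSL use stat() on some file)" should name the file the re-seed code stat()s, because that is the whole justification for widening the preauth seccomp filter, and should read "causes OpenSSL to use stat()".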
51 openssh-7.2p2-secure_unix_sockets_forwarding.patch Normal file
@@ -0,0 +1,51 @@
# HG changeset patch
# Parent 4e1fd41aaa9cafe8f7b07868ac38ed4dbdf594aa
Do not allow unix socket when running without privilege separation to prevent
privilege escalation through a socket created with root: ownership.

CVE-2016-10010
bsc#1016368

backported upstream commit b737e4d7433577403a31cff6614f6a1b0b5e22f4

diff --git a/openssh-7.2p2/serverloop.c b/openssh-7.2p2/serverloop.c
--- a/openssh-7.2p2/serverloop.c
+++ b/openssh-7.2p2/serverloop.c
@@ -990,17 +990,17 @@ server_request_direct_streamlocal(void)
originator_port = packet_get_int();
packet_check_eom();

debug("server_request_direct_streamlocal: originator %s port %d, target %s",
originator, originator_port, target);

/* XXX fine grained permissions */
if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
- !no_port_forwarding_flag) {
+ !no_port_forwarding_flag && use_privsep) {
c = channel_connect_to_path(target,
"direct-streamlocal@openssh.com", "direct-streamlocal");
} else {
logit("refused streamlocal port forward: "
"originator %s port %d, target %s",
originator, originator_port, target);
}

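Review bot: the refusal branch in server_request_direct_streamlocal() logs the same "refused streamlocal port forward" line for all three causes (AllowStreamLocalForwarding, the no-port-forwarding flag, and now use_privsep), so an administrator running with UsePrivilegeSeparation no gets no hint why Unix-socket forwarding stopped working after this update. A distinct log message, or at least a sentence in the patch description, for the !use_privsep case would save that debugging round-trip.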
@@ -1274,17 +1274,17 @@ server_input_global_request(int type, u_

memset(&fwd, 0, sizeof(fwd));
fwd.listen_path = packet_get_string(NULL);
debug("server_input_global_request: streamlocal-forward listen path %s",
fwd.listen_path);

/* check permissions */
if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
- || no_port_forwarding_flag) {
+ || no_port_forwarding_flag || !use_privsep) {
success = 0;
packet_send_debug("Server has disabled port forwarding.");
} else {
/* Start listening on the socket */
success = channel_setup_remote_fwd_listener(
&fwd, NULL, &options.fwd_opts);
}
free(fwd.listen_path);
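Review bot: the remote streamlocal-forward path now also requires use_privsep, which together with the direct-streamlocal hunk closes both directions consistently. The client still only sees the generic "Server has disabled port forwarding." debug text, and sshd_config(5) describes AllowStreamLocalForwarding without saying it is ineffective when privilege separation is off; that behaviour change should be documented next to the CVE-2016-10010 reference in the description.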
openssh-7.2p2-sftp_force_permissions.patch
@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent efa850d8312ceef224dbec0f2ae1002201afabd9
+# Parent 7b45c4f3fef6836db00c5b198736cce17290c5cd
 additional option for sftp-server to force file mode for new files
 FATE#312774
 http://lists.mindrot.org/pipermail/openssh-unix-dev/2010-November/029044.html
openssh-7.2p2-sftp_homechroot.patch
@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent 9b1033f35a6cb173fbc13416065ed40c4b14e656
+# Parent fc81df6f2bf393e45e703c89976c3a0fe6e0a273
 run sftp sessions inside a chroot
 
 diff --git a/openssh-7.2p2/session.c b/openssh-7.2p2/session.c
87 openssh-7.2p2-ssh_case_insensitive_host_matching.patch Normal file
@@ -0,0 +1,87 @@
# HG changeset patch
# Parent 1b99f71db584917a37c5e9140bf63dcb860e8b59
Match hostnames in a case-insensitive manner.

bsc#1017099

diff --git a/openssh-7.2p2/readconf.c b/openssh-7.2p2/readconf.c
--- a/openssh-7.2p2/readconf.c
+++ b/openssh-7.2p2/readconf.c
@@ -526,16 +526,17 @@ execute_in_shell(const char *cmd)
* Parse and execute a Match directive.
*/
static int
match_cfg_line(Options *options, char **condition, struct passwd *pw,
const char *host_arg, const char *original_host, int post_canon,
const char *filename, int linenum)
{
char *arg, *oattrib, *attrib, *cmd, *cp = *condition, *host, *criteria;
+ char *hostlc;
const char *ruser;
int r, port, this_result, result = 1, attributes = 0, negate;
char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];

/*
* Configuration is likely to be incomplete at this point so we
* must be prepared to use default values.
*/
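Review bot: "char *hostlc;" is declared without an initializer while the "out:" label at the end of the function unconditionally calls free(hostlc). In the hunks shown no "goto out" precedes the assignment, but every error path in this function jumps to "out:" (the "result = -1; goto out;" pairs), so an early exit added later before "hostlc = xstrdup(host);" would free an uninitialized pointer. Declaring it as "char *hostlc = NULL;" is the cheap guard.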
@@ -546,16 +547,20 @@ match_cfg_line(Options *options, char **
} else if (options->hostname != NULL) {
/* NB. Please keep in sync with ssh.c:main() */
host = percent_expand(options->hostname,
"h", host_arg, (char *)NULL);
} else {
host = xstrdup(host_arg);
}

+ /* match_hostname() requires the hostname to be lowercase */
+ hostlc = xstrdup(host);
+ lowercase(hostlc);
+
debug2("checking match for '%s' host %s originally %s",
cp, host, original_host);
while ((oattrib = attrib = strdelim(&cp)) && *attrib != '\0') {
criteria = NULL;
this_result = 1;
if ((negate = attrib[0] == '!'))
attrib++;
/* criteria "all" and "canonical" have no argument */
@@ -584,18 +589,18 @@ match_cfg_line(Options *options, char **
}
/* All other criteria require an argument */
if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
error("Missing Match criteria for %s", attrib);
result = -1;
goto out;
}
if (strcasecmp(attrib, "host") == 0) {
- criteria = xstrdup(host);
- r = match_hostname(host, arg) == 1;
+ criteria = xstrdup(hostlc);
+ r = match_hostname(hostlc, arg) == 1;
if (r == (negate ? 1 : 0))
this_result = result = 0;
} else if (strcasecmp(attrib, "originalhost") == 0) {
criteria = xstrdup(original_host);
r = match_hostname(original_host, arg) == 1;
if (r == (negate ? 1 : 0))
this_result = result = 0;
} else if (strcasecmp(attrib, "user") == 0) {
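Review bot: the "host" criterion now matches against the lowercased copy, but the "originalhost" branch directly below still passes original_host to match_hostname() unchanged, so a mixed-case name typed on the command line still fails "Match originalhost" even though the description says hostnames are matched case-insensitively. Either lowercase original_host the same way or narrow the description to the "host" criterion. Note also that "criteria", the value reported in the match debug output, now carries the lowercased form.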
@@ -658,16 +663,17 @@ match_cfg_line(Options *options, char **
error("One or more attributes required for Match");
result = -1;
goto out;
}
out:
if (result != -1)
debug2("match %sfound", result ? "" : "not ");
*condition = cp;
+ free(hostlc);
free(host);
return result;
}

/* Check and prepare a domain name: removes trailing '.' and lowercases */
static void
valid_domain(char *name, const char *filename, int linenum)
{
175 openssh-7.2p2-verify_CIDR_address_ranges.patch Normal file
@@ -0,0 +1,175 @@
# HG changeset patch
# Parent 1b2dad1b57b086d094fe09327fcf1c490475a7cd
Check for invalid CIDR adress masks.
bsc#1005893

backported upstream commit: 010359b32659f455fddd2bd85fd7cc4d7a3b994a (7.4)
backported upstream commit: 1a6f9d2e2493d445cd9ee496e6e3c2a2f283f66a
backported upstream commit: fe06b68f824f8f55670442fb31f2c03526dd326c

diff --git a/openssh-7.2p2/auth.c b/openssh-7.2p2/auth.c
--- a/openssh-7.2p2/auth.c
+++ b/openssh-7.2p2/auth.c
@@ -95,16 +95,17 @@ int auth_debug_init;
* Otherwise true is returned.
*/
int
allowed_user(struct passwd * pw)
{
struct stat st;
const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
u_int i;
+ int r;
#ifdef USE_SHADOW
struct spwd *spw = NULL;
#endif

/* Shouldn't be called if pw is NULL, but better safe than sorry... */
if (!pw || !pw->pw_name)
return 0;

@@ -183,31 +184,41 @@ allowed_user(struct passwd * pw)
if (options.num_deny_users > 0 || options.num_allow_users > 0 ||
options.num_deny_groups > 0 || options.num_allow_groups > 0) {
hostname = get_canonical_hostname(options.use_dns);
ipaddr = get_remote_ipaddr();
}

/* Return false if user is listed in DenyUsers */
if (options.num_deny_users > 0) {
- for (i = 0; i < options.num_deny_users; i++)
- if (match_user(pw->pw_name, hostname, ipaddr,
- options.deny_users[i])) {
+ for (i = 0; i < options.num_deny_users; i++) {
+ r = match_user(pw->pw_name, hostname, ipaddr,
+ options.deny_users[i]);
+ if (r < 0) {
+ fatal("Invalid DenyUsers pattern \"%.100s\"",
+ options.deny_users[i]);
+ } else if (r != 0) {
logit("User %.100s from %.100s not allowed "
"because listed in DenyUsers",
pw->pw_name, hostname);
return 0;
}
+ }
}
/* Return false if AllowUsers isn't empty and user isn't listed there */
if (options.num_allow_users > 0) {
- for (i = 0; i < options.num_allow_users; i++)
- if (match_user(pw->pw_name, hostname, ipaddr,
- options.allow_users[i]))
+ for (i = 0; i < options.num_allow_users; i++) {
+ r = match_user(pw->pw_name, hostname, ipaddr,
+ options.allow_users[i]);
+ if (r < 0) {
+ fatal("Invalid AllowUsers pattern \"%.100s\"",
+ options.allow_users[i]);
+ } else if (r == 1)
break;
+ }
/* i < options.num_allow_users iff we break for loop */
if (i >= options.num_allow_users) {
logit("User %.100s from %.100s not allowed because "
"not listed in AllowUsers", pw->pw_name, hostname);
return 0;
}
}
if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
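Review bot: the old loops treated match_user()'s -1 error return as a successful match, so a malformed DenyUsers pattern denied the user and, worse, a malformed AllowUsers pattern admitted every user; turning r < 0 into fatal() here is the right fix and also covers any configuration that reaches allowed_user() without the servconf.c parse-time check. One consistency nit: the DenyUsers branch tests "r != 0" while the AllowUsers branch tests "r == 1"; with r < 0 already handled the two are equivalent, but "r == 1" in both places would make the intent obvious.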
diff --git a/openssh-7.2p2/match.c b/openssh-7.2p2/match.c
--- a/openssh-7.2p2/match.c
+++ b/openssh-7.2p2/match.c
@@ -186,41 +186,50 @@ match_hostname(const char *host, const c
* successful match.
*/
int
match_host_and_ip(const char *host, const char *ipaddr,
const char *patterns)
{
int mhost, mip;

- /* error in ipaddr match */
if ((mip = addr_match_list(ipaddr, patterns)) == -2)
- return -1;
- else if (mip == -1) /* negative ip address match */
- return 0;
+ return -1; /* error in ipaddr match */
+ else if (host == NULL || ipaddr == NULL || mip == -1)
+ return 0; /* negative ip address match, or testing pattern */

/* negative hostname match */
if ((mhost = match_hostname(host, patterns)) == -1)
return 0;
/* no match at all */
if (mhost == 0 && mip == 0)
return 0;
return 1;
}

/*
- * match user, user@host_or_ip, user@host_or_ip_list against pattern
+ * Match user, user@host_or_ip, user@host_or_ip_list against pattern.
+ * If user, host and ipaddr are all NULL then validate pattern/
+ * Returns -1 on invalid pattern, 0 on no match, 1 on match.
*/
int
match_user(const char *user, const char *host, const char *ipaddr,
const char *pattern)
{
char *p, *pat;
int ret;

+ /* test mode */
+ if (user == NULL && host == NULL && ipaddr == NULL) {
+ if ((p = strchr(pattern, '@')) != NULL &&
+ match_host_and_ip(NULL, NULL, p + 1) < 0)
+ return -1;
+ return 0;
+ }
+
if ((p = strchr(pattern,'@')) == NULL)
return match_pattern(user, pattern);

pat = xstrdup(pattern);
p = strchr(pat, '@');
*p++ = '\0';

if ((ret = match_pattern(user, pat)) == 1)
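Review bot: the new comment block has a typo ("validate pattern/" should end with a period), and the test-mode contract deserves one more sentence there: it relies on addr_match_list() being called first with a NULL address and only validating the pattern list, and on match_host_and_ip() returning 0 rather than 1 when host and ipaddr are NULL, which is exactly what the reordered "host == NULL || ipaddr == NULL || mip == -1" check provides. A pattern without "@" returns 0 in test mode with no validation of the user part; that is fine for match_pattern() but worth stating so nobody reads the 0 as "validated".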
diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
--- a/openssh-7.2p2/servconf.c
+++ b/openssh-7.2p2/servconf.c
@@ -1462,28 +1462,34 @@ process_server_config_line(ServerOptions
multistate_ptr = multistate_privsep;
goto parse_multistate;

case sAllowUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_allow_users >= MAX_ALLOW_USERS)
fatal("%s line %d: too many allow users.",
filename, linenum);
+ if (match_user(NULL, NULL, NULL, arg) == -1)
+ fatal("%s line %d: invalid AllowUsers pattern: "
+ "\"%.100s\"", filename, linenum, arg);
if (!*activep)
continue;
options->allow_users[options->num_allow_users++] =
xstrdup(arg);
}
break;

case sDenyUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_deny_users >= MAX_DENY_USERS)
fatal("%s line %d: too many deny users.",
filename, linenum);
+ if (match_user(NULL, NULL, NULL, arg) == -1)
+ fatal("%s line %d: invalid DenyUsers pattern: "
+ "\"%.100s\"", filename, linenum, arg);
if (!*activep)
continue;
options->deny_users[options->num_deny_users++] =
xstrdup(arg);
}
break;

case sAllowGroups:
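Review bot: the validation calls sit before "if (!*activep) continue;", so patterns inside an inactive Match block are checked at parse time too; that is the desirable behaviour (a typo anywhere in sshd_config fails sshd -t rather than surfacing on the first matching connection) and deserves a one-line comment, since a reader might otherwise move the check under the activep test. For uniformity with the auth.c hunk, which tests "r < 0", consider "< 0" here instead of "== -1".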
openssh-askpass-gnome.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package openssh-askpass-gnome
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
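Review bot: the only change in this hunk is the Copyright line, which goes from "SUSE LINUX GmbH" to "SUSE LINUX Products GmbH"; that reintroduces the older company name and looks like the result of rebasing onto a stale spec template rather than an intended edit. Confirm the direction before merging.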
openssh.changes
@@ -1,3 +1,47 @@
+-------------------------------------------------------------------
+Mon May 15 20:47:29 UTC 2017 - pcerny@suse.com
+
+- Fix preauth seccomp separation on mainframes (bsc#1016709)
+  [openssh-7.2p2-s390_hw_crypto_syscalls.patch]
+  [openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch]
+- enable case-insensitive hostname matching (bsc#1017099)
+  [openssh-7.2p2-ssh_case_insensitive_host_matching.patch]
+- add CAVS tests
+  [openssh-7.2p2-cavstest-ctr.patch]
+  [openssh-7.2p2-cavstest-kdf.patch]
+- Adding missing pieces for user matching (bsc#1021626)
+- Properly verify CIDR masks in configuration
+  (bsc#1005893)
+  [openssh-7.2p2-verify_CIDR_address_ranges.patch]
+- Remove pre-auth compression support from the server to prevent
+  possible cryptographic attacks.
+  (CVE-2016-10012, bsc#1016370)
+  [openssh-7.2p2-disable_preauth_compression.patch]
+- limit directories for loading PKCS11 modules
+  (CVE-2016-10009, bsc#1016366)
+  [openssh-7.2p2-restrict_pkcs11-modules.patch]
+- Prevent possible leaks of host private keys to low-privilege
+  process handling authentication
+  (CVE-2016-10011, bsc#1016369)
+  [openssh-7.2p2-prevent_private_key_leakage.patch]
+- Do not allow unix socket forwarding when running without
+  privilege separation
+  (CVE-2016-10010, bsc#1016368)
+  [openssh-7.2p2-secure_unix_sockets_forwarding.patch]
+- prevent resource depletion during key exchange
+  (bsc#1005480, CVE-2016-8858)
+  [openssh-7.2p2-kex_resource_depletion.patch]
+- fix suggested command for removing conflicting server keys from
+  the known_hosts file (bsc#1006221)
+- enable geteuid{,32} syscalls on mainframes, since it may be
+  called from libica/ibmica on machines with hardware crypto
+  accelerator (bsc#1004258)
+  [openssh-7.2p2-seccomp_geteuid.patch]
+- fix regression of (bsc#823710)
+  [openssh-7.2p2-audit_fixes.patch]
+- add slogin (removed upstreams)
+  [openssh-7.2p2-keep_slogin.patch]
+
 -------------------------------------------------------------------
 Wed Feb 22 19:31:08 UTC 2017 - crrodriguez@opensuse.org
 
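Review bot: two entries are thinner than the rest: "Adding missing pieces for user matching (bsc#1021626)" names no patch file, unlike every other bullet, and "fix regression of (bsc#823710)" says nothing about what regressed. One line each on the actual change (and the patch name for the first) would make the changelog self-contained, which matters here because this entry is the record of several CVE fixes.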
77 openssh.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package openssh
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
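Review bot: same Copyright-line change as in openssh-askpass-gnome.spec ("SUSE LINUX GmbH" to "SUSE LINUX Products GmbH"), i.e. back to the older name; verify it is intended rather than a rebase artifact.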
@@ -77,9 +77,12 @@ BuildRequires: libedit-devel
 %if %{has_libselinux}
 BuildRequires: libselinux-devel
 %endif
-BuildRequires: openldap2-devel
-BuildRequires: openssl
+%if %{suse_version} < 1330
 BuildRequires: openssl-devel
+%else
+BuildRequires: libopenssl-1_0_0-devel
+%endif
+BuildRequires: openldap2-devel
 BuildRequires: pam-devel
 %if %{uses_systemd}
 BuildRequires: pkgconfig(systemd)
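Review bot: "BuildRequires: openssl" (the command-line tool package) is dropped outright, not moved into either branch of the new %if %{suse_version} < 1330 conditional. If nothing in %build or %check invokes the openssl binary that is a welcome cleanup; otherwise it has to stay outside the conditional. The openssl-devel / libopenssl-1_0_0-devel split itself reads correctly.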
@@ -125,25 +128,39 @@ Patch11: openssh-7.2p2-pts_names_formatting.patch
 Patch12: openssh-7.2p2-pam_check_locks.patch
 Patch13: openssh-7.2p2-disable_short_DH_parameters.patch
 Patch14: openssh-7.2p2-seccomp_getuid.patch
-Patch15: openssh-7.2p2-seccomp_stat.patch
-Patch16: openssh-7.2p2-fips.patch
-Patch17: openssh-7.2p2-seed-prng.patch
-Patch18: openssh-7.2p2-gssapi_key_exchange.patch
-Patch19: openssh-7.2p2-audit.patch
-Patch20: openssh-7.2p2-audit_seed_prng.patch
-Patch21: openssh-7.2p2-login_options.patch
-Patch22: openssh-7.2p2-disable_openssl_abi_check.patch
-Patch23: openssh-7.2p2-no_fork-no_pid_file.patch
-Patch24: openssh-7.2p2-host_ident.patch
-Patch25: openssh-7.2p2-sftp_homechroot.patch
-Patch26: openssh-7.2p2-sftp_force_permissions.patch
-Patch27: openssh-7.2p2-X_forward_with_disabled_ipv6.patch
-Patch28: openssh-7.2p2-ldap.patch
-Patch29: openssh-7.2p2-additional_seccomp_archs.patch
-Patch30: openssh-7.2p2-IPv6_X_forwarding.patch
-Patch31: openssh-7.2p2-ignore_PAM_with_UseLogin.patch
-Patch32: openssh-7.2p2-prevent_timing_user_enumeration.patch
-Patch33: openssh-7.2p2-limit_password_length.patch
+Patch15: openssh-7.2p2-seccomp_geteuid.patch
+Patch16: openssh-7.2p2-seccomp_stat.patch
+Patch17: openssh-7.2p2-additional_seccomp_archs.patch
+Patch18: openssh-7.2p2-fips.patch
+Patch19: openssh-7.2p2-cavstest-ctr.patch
+Patch20: openssh-7.2p2-cavstest-kdf.patch
+Patch21: openssh-7.2p2-seed-prng.patch
+Patch22: openssh-7.2p2-gssapi_key_exchange.patch
+Patch23: openssh-7.2p2-audit.patch
+Patch24: openssh-7.2p2-audit_fixes.patch
+Patch25: openssh-7.2p2-audit_seed_prng.patch
+Patch26: openssh-7.2p2-login_options.patch
+Patch27: openssh-7.2p2-disable_openssl_abi_check.patch
+Patch28: openssh-7.2p2-no_fork-no_pid_file.patch
+Patch29: openssh-7.2p2-host_ident.patch
+Patch30: openssh-7.2p2-sftp_homechroot.patch
+Patch31: openssh-7.2p2-sftp_force_permissions.patch
+Patch32: openssh-7.2p2-X_forward_with_disabled_ipv6.patch
+Patch33: openssh-7.2p2-ldap.patch
+Patch34: openssh-7.2p2-IPv6_X_forwarding.patch
+Patch35: openssh-7.2p2-ignore_PAM_with_UseLogin.patch
+Patch36: openssh-7.2p2-prevent_timing_user_enumeration.patch
+Patch37: openssh-7.2p2-limit_password_length.patch
+Patch38: openssh-7.2p2-keep_slogin.patch
+Patch39: openssh-7.2p2-kex_resource_depletion.patch
+Patch40: openssh-7.2p2-verify_CIDR_address_ranges.patch
+Patch41: openssh-7.2p2-restrict_pkcs11-modules.patch
+Patch42: openssh-7.2p2-prevent_private_key_leakage.patch
+Patch43: openssh-7.2p2-secure_unix_sockets_forwarding.patch
+Patch44: openssh-7.2p2-ssh_case_insensitive_host_matching.patch
+Patch45: openssh-7.2p2-disable_preauth_compression.patch
+Patch46: openssh-7.2p2-s390_hw_crypto_syscalls.patch
+Patch47: openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 Conflicts: nonfreessh
 Recommends: audit
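Review bot: inserting the new seccomp and CAVS patches into the middle of the list renumbers Patch15 through Patch33, which makes this hunk hard to review and breaks any numeric reference elsewhere in the spec; the %build sed further down has to change %{PATCH28} to %{PATCH33} for exactly that reason. Appending new patches at the end, or referencing the ldap patch through a dedicated macro, would avoid the cascade the next time a patch is added.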
@@ -229,13 +246,27 @@ FIPS140 CAVS tests related parts of the OpenSSH package
 %patch31 -p2
 %patch32 -p2
 %patch33 -p2
+%patch34 -p2
+%patch35 -p2
+%patch36 -p2
+%patch37 -p2
+%patch38 -p2
+%patch39 -p2
+%patch40 -p2
+%patch41 -p2
+%patch42 -p2
+%patch43 -p2
+%patch44 -p2
+%patch45 -p2
+%patch46 -p2
+%patch47 -p2
 cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
 
 %build
 # set libexec dir in the LDAP patch
 sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
 $( grep -Rl @LIBEXECDIR@ \
-$( grep "^+++" %{PATCH28} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
+$( grep "^+++" %{PATCH33} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
 )
 
 autoreconf -fiv
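Review bot: the %{PATCH28} to %{PATCH33} change in the sed command is the dependent edit of the renumbering above and is correct for the new list (Patch33 is now openssh-7.2p2-ldap.patch), but nothing guards it: if the list is renumbered again, the sed silently rewrites the wrong patch's file list. A comment naming the LDAP patch next to the sed, or a macro holding its number, would make the coupling explicit. The %patch34 through %patch47 applications all use -p2, consistent with the existing entries.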