Accepting request 428545 from network

- FIPS compatibility (no selfchecks, only crypto restrictions)
  [openssh-7.2p2-fips.patch]
- PRNG re-seeding
  [openssh-7.2p2-seed-prng.patch]
- preliminary version of GSSAPI KEX
  [openssh-7.2p2-gssapi_key_exchange.patch] (forwarded request 428544 from pcerny)

OBS-URL: https://build.opensuse.org/request/show/428545
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=107

openssh-7.2p2-disable_short_DH_parameters.patch

@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent  c924f46e3639b3646e42dd7505c206d43d7180fa
+# Parent  c40dce555117c740f3df867e9fc2b07b64b3ad96
 
 Raise minimal size of DH group parameters to 2048 bits like upstream did in
 7.2. 1024b values are believed to be in breaking range for state adversaries
@@ -101,7 +101,7 @@ diff --git a/openssh-7.2p2/kexgexc.c b/openssh-7.2p2/kexgexc.c
  		goto out;
  	if ((bits = BN_num_bits(p)) < 0 ||
  	    (u_int)bits < kex->min || (u_int)bits > kex->max) {
-+		if (bits < kex->min && bits >= DH_GRP_MIN_RFC)
++		if ((u_int)bits < kex->min && (u_int)bits >= DH_GRP_MIN_RFC)
 +			logit("DH parameter offered by the server (%d bits) "
 +			    "is considered insecure. "
 +			    "You can lower the accepted the minimum "
@@ -115,6 +115,61 @@ diff --git a/openssh-7.2p2/kexgexc.c b/openssh-7.2p2/kexgexc.c
  		goto out;
  	}
  	p = g = NULL; /* belong to kex->dh now */
+diff --git a/openssh-7.2p2/kexgexs.c b/openssh-7.2p2/kexgexs.c
+--- a/openssh-7.2p2/kexgexs.c
++++ b/openssh-7.2p2/kexgexs.c
+@@ -49,16 +49,19 @@
+ #ifdef GSSAPI
+ #include "ssh-gss.h"
+ #endif
+ #include "monitor_wrap.h"
+ #include "dispatch.h"
+ #include "ssherr.h"
+ #include "sshbuf.h"
+ 
++/* import from dh.c */
++extern int dh_grp_min;
++
+ static int input_kex_dh_gex_request(int, u_int32_t, void *);
+ static int input_kex_dh_gex_init(int, u_int32_t, void *);
+ 
+ int
+ kexgex_server(struct ssh *ssh)
+ {
+ 	ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST,
+ 	    &input_kex_dh_gex_request);
+@@ -78,23 +81,29 @@ input_kex_dh_gex_request(int type, u_int
+ 	if ((r = sshpkt_get_u32(ssh, &min)) != 0 ||
+ 	    (r = sshpkt_get_u32(ssh, &nbits)) != 0 ||
+ 	    (r = sshpkt_get_u32(ssh, &max)) != 0 ||
+ 	    (r = sshpkt_get_end(ssh)) != 0)
+ 		goto out;
+ 	kex->nbits = nbits;
+ 	kex->min = min;
+ 	kex->max = max;
+-	min = MAX(DH_GRP_MIN, min);
++	min = MAX(dh_grp_min, min);
+ 	max = MIN(DH_GRP_MAX, max);
+-	nbits = MAX(DH_GRP_MIN, nbits);
++	nbits = MAX(dh_grp_min, nbits);
+ 	nbits = MIN(DH_GRP_MAX, nbits);
+ 
+ 	if (kex->max < kex->min || kex->nbits < kex->min ||
+ 	    kex->max < kex->nbits) {
++		if (kex->nbits < kex->min && kex->nbits >= DH_GRP_MIN_RFC)
++			logit("DH parameter requested by the client (%d bits) "
++			    "is considered insecure. "
++			    "You can lower the accepted minimum "
++			    "via the KexDHMin option.",
++			    kex->nbits);
+ 		r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
+ 		goto out;
+ 	}
+ 
+ 	/* Contact privileged parent */
+ 	kex->dh = PRIVSEP(choose_dh(min, nbits, max));
+ 	if (kex->dh == NULL) {
+ 		sshpkt_disconnect(ssh, "no matching DH grp found");
 diff --git a/openssh-7.2p2/readconf.c b/openssh-7.2p2/readconf.c
 --- a/openssh-7.2p2/readconf.c
 +++ b/openssh-7.2p2/readconf.c
@@ -147,7 +202,7 @@ diff --git a/openssh-7.2p2/readconf.c b/openssh-7.2p2/readconf.c
  	oVisualHostKey,
 -	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
 +	oKexAlgorithms, oKexDHMin,
-+    oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
++	oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
  	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
  	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
  	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
@@ -243,7 +298,7 @@ diff --git a/openssh-7.2p2/readconf.c b/openssh-7.2p2/readconf.c
  	if (options->cipher == -1)
  		options->cipher = SSH_CIPHER_NOT_SET;
 +	if (options->kex_dhmin == -1)
-+		options->kex_dhmin = DH_GRP_MIN;
++		options->kex_dhmin = DH_GRP_MIN_RFC;
 +	else {
 +		options->kex_dhmin = MAX(options->kex_dhmin, DH_GRP_MIN_RFC);
 +		options->kex_dhmin = MIN(options->kex_dhmin, DH_GRP_MAX);
@@ -278,10 +333,199 @@ diff --git a/openssh-7.2p2/readconf.h b/openssh-7.2p2/readconf.h
  	int     escape_char;	/* Escape character; -2 = none */
  
  	u_int	num_system_hostfiles;	/* Paths for /etc/ssh/ssh_known_hosts */
+diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
+--- a/openssh-7.2p2/servconf.c
++++ b/openssh-7.2p2/servconf.c
+@@ -52,16 +52,20 @@
+ #include "channels.h"
+ #include "groupaccess.h"
+ #include "canohost.h"
+ #include "packet.h"
+ #include "hostfile.h"
+ #include "auth.h"
+ #include "myproposal.h"
+ #include "digest.h"
++#include "dh.h"
++
++/* import from dh.c */
++extern int dh_grp_min;
+ 
+ static void add_listen_addr(ServerOptions *, char *, int);
+ static void add_one_listen_addr(ServerOptions *, char *, int);
+ 
+ /* Use of privilege separation or not */
+ extern int use_privsep;
+ extern Buffer cfg;
+ 
+@@ -134,16 +138,17 @@ initialize_server_options(ServerOptions 
+ 	options->allow_agent_forwarding = -1;
+ 	options->num_allow_users = 0;
+ 	options->num_deny_users = 0;
+ 	options->num_allow_groups = 0;
+ 	options->num_deny_groups = 0;
+ 	options->ciphers = NULL;
+ 	options->macs = NULL;
+ 	options->kex_algorithms = NULL;
++	options->kex_dhmin = -1;
+ 	options->protocol = SSH_PROTO_UNKNOWN;
+ 	options->fwd_opts.gateway_ports = -1;
+ 	options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
+ 	options->fwd_opts.streamlocal_bind_unlink = -1;
+ 	options->num_subsystems = 0;
+ 	options->max_startups_begin = -1;
+ 	options->max_startups_rate = -1;
+ 	options->max_startups = -1;
+@@ -199,16 +204,23 @@ fill_default_server_options(ServerOption
+ 	int i;
+ 
+ 	/* Portable-specific options */
+ 	if (options->use_pam == -1)
+ 		options->use_pam = 0;
+ 	if (options->use_pam_check_locks == -1)
+ 		options->use_pam_check_locks = 0;
+ 
++	if (options->kex_dhmin == -1)
++		options->kex_dhmin = DH_GRP_MIN_RFC;
++	else {
++		options->kex_dhmin = MAX(options->kex_dhmin, DH_GRP_MIN_RFC);
++		options->kex_dhmin = MIN(options->kex_dhmin, DH_GRP_MAX);
++	}
++	dh_grp_min = options->kex_dhmin;
+ 	/* Standard Options */
+ 	if (options->protocol == SSH_PROTO_UNKNOWN)
+ 		options->protocol = SSH_PROTO_2;
+ 	if (options->num_host_key_files == 0) {
+ 		/* fill default hostkeys for protocols */
+ 		if (options->protocol & SSH_PROTO_1)
+ 			options->host_key_files[options->num_host_key_files++] =
+ 			    _PATH_HOST_KEY_FILE;
+@@ -423,17 +435,18 @@ typedef enum {
+ 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
+ 	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+ 	sAcceptEnv, sPermitTunnel,
+ 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
+ 	sUsePrivilegeSeparation, sAllowAgentForwarding,
+ 	sHostCertificate,
+ 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
+ 	sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
+-	sKexAlgorithms, sIPQoS, sVersionAddendum,
++	sKexAlgorithms, sKexDHMin,
++	sIPQoS, sVersionAddendum,
+ 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
+ 	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
+ 	sStreamLocalBindMask, sStreamLocalBindUnlink,
+ 	sAllowStreamLocalForwarding, sFingerprintHash,
+ 	sDeprecated, sUnsupported
+ } ServerOpCodes;
+ 
+ #define SSHCFG_GLOBAL	0x01	/* allowed in main section of sshd_config */
+@@ -561,16 +574,17 @@ static struct {
+ 	{ "permitopen", sPermitOpen, SSHCFG_ALL },
+ 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
+ 	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
+ 	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
+ 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
+ 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
+ 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
+ 	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
++	{ "kexdhmin", sKexDHMin },
+ 	{ "ipqos", sIPQoS, SSHCFG_ALL },
+ 	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
+ 	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
+ 	{ "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL },
+ 	{ "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL },
+ 	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
+ 	{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
+ 	{ "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
+@@ -1481,16 +1495,20 @@ process_server_config_line(ServerOptions
+ 			    filename, linenum);
+ 		if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
+ 			fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
+ 			    filename, linenum, arg ? arg : "<NONE>");
+ 		if (options->kex_algorithms == NULL)
+ 			options->kex_algorithms = xstrdup(arg);
+ 		break;
+ 
++	case sKexDHMin:
++		intptr = &options->kex_dhmin;
++		goto parse_int;
++
+ 	case sProtocol:
+ 		intptr = &options->protocol;
+ 		arg = strdelim(&cp);
+ 		if (!arg || *arg == '\0')
+ 			fatal("%s line %d: Missing argument.", filename, linenum);
+ 		value = proto_spec(arg);
+ 		if (value == SSH_PROTO_UNKNOWN)
+ 			fatal("%s line %d: Bad protocol spec '%s'.",
+@@ -2247,16 +2265,17 @@ dump_config(ServerOptions *o)
+ 	dump_cfg_int(sLoginGraceTime, o->login_grace_time);
+ 	dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
+ 	dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
+ 	dump_cfg_int(sMaxAuthTries, o->max_authtries);
+ 	dump_cfg_int(sMaxSessions, o->max_sessions);
+ 	dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
+ 	dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
+ 	dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
++	dump_cfg_int(sKexDHMin, o->kex_dhmin);
+ 
+ 	/* formatted integer arguments */
+ 	dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
+ 	dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
+ 	dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
+ 	dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
+ 	dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
+ 	dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
+diff --git a/openssh-7.2p2/servconf.h b/openssh-7.2p2/servconf.h
+--- a/openssh-7.2p2/servconf.h
++++ b/openssh-7.2p2/servconf.h
+@@ -88,16 +88,17 @@ typedef struct {
+ 	int	permit_user_rc;	/* If false, deny ~/.ssh/rc execution */
+ 	int     strict_modes;	/* If true, require string home dir modes. */
+ 	int     tcp_keep_alive;	/* If true, set SO_KEEPALIVE. */
+ 	int	ip_qos_interactive;	/* IP ToS/DSCP/class for interactive */
+ 	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
+ 	char   *ciphers;	/* Supported SSH2 ciphers. */
+ 	char   *macs;		/* Supported SSH2 macs. */
+ 	char   *kex_algorithms;	/* SSH2 kex methods in order of preference. */
++	int     kex_dhmin;	/* minimum bit length of the DH group parameter */
+ 	int	protocol;	/* Supported protocol versions. */
+ 	struct ForwardOptions fwd_opts;	/* forwarding options */
+ 	SyslogFacility log_facility;	/* Facility for system logging. */
+ 	LogLevel log_level;	/* Level for system logging. */
+ 	int     rhosts_rsa_authentication;	/* If true, permit rhosts RSA
+ 						 * authentication. */
+ 	int     hostbased_authentication;	/* If true, permit ssh2 hostbased auth */
+ 	int     hostbased_uses_name_from_packet_only; /* experimental */
+diff --git a/openssh-7.2p2/ssh_config b/openssh-7.2p2/ssh_config
+--- a/openssh-7.2p2/ssh_config
++++ b/openssh-7.2p2/ssh_config
+@@ -12,16 +12,21 @@
+ # Any configuration value is only changed the first time it is set.
+ # Thus, host-specific definitions should be at the beginning of the
+ # configuration file, and defaults at the end.
+ 
+ # Site-wide defaults for some commonly used options.  For a comprehensive
+ # list of available options, their meanings and defaults, please see the
+ # ssh_config(5) man page.
+ 
++# Minimum accepted size of the DH parameter p. By default this is set to 1024
++# to maintain compatibility with RFC4419, but should be set higher.
++# Upstream default is identical to setting this to 2048.
++#KexDHMin 1024
++
+ Host *
+ #   ForwardAgent no
+ #   ForwardX11 no
+ 
+ # If you do not trust your remote host (or its administrator), you
+ # should not forward X11 connections to your local X11-display for
+ # security reasons: Someone stealing the authentification data on the
+ # remote side (the "spoofed" X-server by the remote sshd) can read your
 diff --git a/openssh-7.2p2/ssh_config.0 b/openssh-7.2p2/ssh_config.0
 --- a/openssh-7.2p2/ssh_config.0
 +++ b/openssh-7.2p2/ssh_config.0
-@@ -606,16 +606,29 @@ DESCRIPTION
+@@ -606,16 +606,33 @@ DESCRIPTION
                     ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
                     diffie-hellman-group-exchange-sha256,
                     diffie-hellman-group-exchange-sha1,
@@ -291,17 +535,21 @@ diff --git a/openssh-7.2p2/ssh_config.0 b/openssh-7.2p2/ssh_config.0
               obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\kexM-bM-^@M-^].
  
 +     KexDHMin
-+             Specifies the minimum accepted bit length of the DH group parameter p.
-+             As per RFC4419, this is 1024 bits however, this has increasingly
++             Specifies the minimum accepted bit length of the DH group
++             parameter p.
++
++             As per RFC4419, this is 1024 bits, however this has increasingly
 +             been seen as insecure, which prompted the change to 2048 bits.
 +             Setting this option allows the client to accept parameters shorter
 +             than the current minimum, down to the RFC specified 1024 bits.
 +             Using this option may be needed when connecting to servers that
 +             only know short DH group parameters.
 +
-+             Note that using this option can severly impact security and thus
-+             should be viewed as a temporary fix of last resort and all efforts
-+             should be made to fix the server.
++             Note, that while by default this option is set to 1024 to maintain
++             maximum backward compatibility, using it can severly impact
++             security and thus should be viewed as a temporary fix of last
++             resort and all efforts should be made to fix the (broken)
++             counterparty.
 +
       LocalCommand
               Specifies a command to execute on the local machine after
@@ -314,7 +562,7 @@ diff --git a/openssh-7.2p2/ssh_config.0 b/openssh-7.2p2/ssh_config.0
 diff --git a/openssh-7.2p2/ssh_config.5 b/openssh-7.2p2/ssh_config.5
 --- a/openssh-7.2p2/ssh_config.5
 +++ b/openssh-7.2p2/ssh_config.5
-@@ -1092,16 +1092,28 @@ diffie-hellman-group14-sha1
+@@ -1092,16 +1092,32 @@ diffie-hellman-group14-sha1
  .Ed
  .Pp
  The list of available key exchange algorithms may also be obtained using the
@@ -324,17 +572,21 @@ diff --git a/openssh-7.2p2/ssh_config.5 b/openssh-7.2p2/ssh_config.5
  with an argument of
  .Dq kex .
 +.It Cm KexDHMin
-+Specifies the minimum accepted bit length of the DH group parameter p.
-+As per RFC4419, this is 1024 bits however, this has increasingly
++Specifies the minimum accepted bit length of the DH group
++parameter p.
++.Pp
++As per RFC4419, this is 1024 bits, however this has increasingly
 +been seen as insecure, which prompted the change to 2048 bits.
 +Setting this option allows the client to accept parameters shorter
 +than the current minimum, down to the RFC specified 1024 bits.
 +Using this option may be needed when connecting to servers that
 +only know short DH group parameters.
-+
-+Note that using this option can severly impact security and thus
-+should be viewed as a temporary fix of last resort and all efforts
-+should be made to fix the server.
++.Pp
++Note, that while by default this option is set to 1024 to maintain
++maximum backward compatibility, using it can severly impact
++security and thus should be viewed as a temporary fix of last
++resort and all efforts should be made to fix the (broken)
++counterparty.
  .It Cm LocalCommand
  Specifies a command to execute on the local machine after successfully
  connecting to the server.
@@ -343,3 +595,101 @@ diff --git a/openssh-7.2p2/ssh_config.5 b/openssh-7.2p2/ssh_config.5
  The following escape character substitutions will be performed:
  .Ql %d
  (local user's home directory),
+diff --git a/openssh-7.2p2/sshd_config b/openssh-7.2p2/sshd_config
+--- a/openssh-7.2p2/sshd_config
++++ b/openssh-7.2p2/sshd_config
+@@ -21,16 +21,21 @@
+ # HostKey for protocol version 1
+ #HostKey /etc/ssh/ssh_host_key
+ # HostKeys for protocol version 2
+ #HostKey /etc/ssh/ssh_host_rsa_key
+ #HostKey /etc/ssh/ssh_host_dsa_key
+ #HostKey /etc/ssh/ssh_host_ecdsa_key
+ #HostKey /etc/ssh/ssh_host_ed25519_key
+ 
++# Minimum accepted size of the DH parameter p. By default this is set to 1024
++# to maintain compatibility with RFC4419, but should be set higher.
++# Upstream default is identical to setting this to 2048.
++#KexDHMin 1024
++
+ # Lifetime and size of ephemeral version 1 server key
+ #KeyRegenerationInterval 1h
+ #ServerKeyBits 1024
+ 
+ # Ciphers and keying
+ #RekeyLimit default none
+ 
+ # Logging
+diff --git a/openssh-7.2p2/sshd_config.0 b/openssh-7.2p2/sshd_config.0
+--- a/openssh-7.2p2/sshd_config.0
++++ b/openssh-7.2p2/sshd_config.0
+@@ -539,16 +539,33 @@ DESCRIPTION
+                    curve25519-sha256@libssh.org,
+                    ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+                    diffie-hellman-group-exchange-sha256,
+                    diffie-hellman-group14-sha1
+ 
+              The list of available key exchange algorithms may also be
+              obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\kexM-bM-^@M-^].
+ 
++     KexDHMin
++             Specifies the minimum accepted bit length of the DH group
++             parameter p.
++
++             As per RFC4419, this is 1024 bits, however this has increasingly
++             been seen as insecure, which prompted the change to 2048 bits.
++             Setting this option allows the server to accept parameters shorter
++             than the current minimum, down to the RFC specified 1024 bits.
++             Using this option may be needed when some of the connectiong
++             clients only know short DH group parameters.
++
++             Note, that while by default this option is set to 1024 to maintain
++             maximum backward compatibility, using it can severly impact
++             security and thus should be viewed as a temporary fix of last
++             resort and all efforts should be made to fix the (broken)
++             counterparty.
++
+      KeyRegenerationInterval
+              In protocol version 1, the ephemeral server key is automatically
+              regenerated after this many seconds (if it has been used).  The
+              purpose of regeneration is to prevent decrypting captured
+              sessions by later breaking into the machine and stealing the
+              keys.  The key is never stored anywhere.  If the value is 0, the
+              key is never regenerated.  The default is 3600 (seconds).
+ 
+diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5
+--- a/openssh-7.2p2/sshd_config.5
++++ b/openssh-7.2p2/sshd_config.5
+@@ -895,16 +895,32 @@ diffie-hellman-group14-sha1
+ .Ed
+ .Pp
+ The list of available key exchange algorithms may also be obtained using the
+ .Fl Q
+ option of
+ .Xr ssh 1
+ with an argument of
+ .Dq kex .
++.It Cm KexDHMin
++Specifies the minimum accepted bit length of the DH group
++parameter p.
++.Pp
++As per RFC4419, this is 1024 bits, however this has increasingly
++been seen as insecure, which prompted the change to 2048 bits.
++Setting this option allows the server to accept parameters shorter
++than the current minimum, down to the RFC specified 1024 bits.
++Using this option may be needed when some of the connectiong
++clients only know short DH group parameters.
++.Pp
++Note, that while by default this option is set to 1024 to maintain
++maximum backward compatibility, using it can severly impact
++security and thus should be viewed as a temporary fix of last
++resort and all efforts should be made to fix the (broken)
++counterparty.
+ .It Cm KeyRegenerationInterval
+ In protocol version 1, the ephemeral server key is automatically regenerated
+ after this many seconds (if it has been used).
+ The purpose of regeneration is to prevent
+ decrypting captured sessions by later breaking into the machine and
+ stealing the keys.
+ The key is never stored anywhere.
+ If the value is 0, the key is never regenerated.

openssh-7.2p2-seed-prng.patch

@@ -0,0 +1,461 @@
+# HG changeset patch
+# Parent  36ab4b78afea8cea4e3bed1291a49ba05cbb9115
+# extended support for (re-)seeding the OpenSSL PRNG from /dev/random
+# bnc#703221, FATE#312172
+
+diff --git a/openssh-7.2p2/entropy.c b/openssh-7.2p2/entropy.c
+--- a/openssh-7.2p2/entropy.c
++++ b/openssh-7.2p2/entropy.c
+@@ -49,16 +49,17 @@
+ 
+ #include "ssh.h"
+ #include "misc.h"
+ #include "xmalloc.h"
+ #include "atomicio.h"
+ #include "pathnames.h"
+ #include "log.h"
+ #include "buffer.h"
++#include "openbsd-compat/port-linux.h"
+ 
+ /*
+  * Portable OpenSSH PRNG seeding:
+  * If OpenSSL has not "internally seeded" itself (e.g. pulled data from
+  * /dev/random), then collect RANDOM_SEED_SIZE bytes of randomness from
+  * PRNGd.
+  */
+ #ifndef OPENSSL_PRNG_ONLY
+@@ -224,16 +225,19 @@ seed_rng(void)
+ 	}
+ 
+ 	if (seed_from_prngd(buf, sizeof(buf)) == -1)
+ 		fatal("Could not obtain seed from PRNGd");
+ 	RAND_add(buf, sizeof(buf), sizeof(buf));
+ 	memset(buf, '\0', sizeof(buf));
+ 
+ #endif /* OPENSSL_PRNG_ONLY */
++
++	linux_seed();
++
+ 	if (RAND_status() != 1)
+ 		fatal("PRNG is not seeded");
+ }
+ 
+ #else /* WITH_OPENSSL */
+ 
+ /* Handled in arc4random() */
+ void
+diff --git a/openssh-7.2p2/openbsd-compat/Makefile.in b/openssh-7.2p2/openbsd-compat/Makefile.in
+--- a/openssh-7.2p2/openbsd-compat/Makefile.in
++++ b/openssh-7.2p2/openbsd-compat/Makefile.in
+@@ -15,17 +15,17 @@ AR=@AR@
+ RANLIB=@RANLIB@
+ INSTALL=@INSTALL@
+ LDFLAGS=-L. @LDFLAGS@
+ 
+ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o reallocarray.o realpath.o rresvport.o setenv.o setproctitle.o sha1.o sha2.o rmd160.o md5.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o
+ 
+ COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
+ 
+-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
++PORTS=port-aix.o port-irix.o port-linux.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
+ 
+ .c.o:
+ 	$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
+ 
+ all: libopenbsd-compat.a
+ 
+ $(COMPAT): ../config.h
+ $(OPENBSD): ../config.h
+diff --git a/openssh-7.2p2/openbsd-compat/port-linux-prng.c b/openssh-7.2p2/openbsd-compat/port-linux-prng.c
+new file mode 100644
+--- /dev/null
++++ b/openssh-7.2p2/openbsd-compat/port-linux-prng.c
+@@ -0,0 +1,81 @@
++/*
++ * Copyright (c) 2011 Jan F. Chadima <jchadima@redhat.com>
++ *           (c) 2011 Petr Cerny <pcerny@suse.cz>
++ *
++ * Permission to use, copy, modify, and distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
++ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
++ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
++ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
++ */
++
++/*
++ * Linux-specific portability code - prng support
++ */
++
++#include "includes.h"
++#include "defines.h"
++
++#include <errno.h>
++#include <stdarg.h>
++#include <string.h>
++#include <stdio.h>
++#include <openssl/rand.h>
++
++#include "log.h"
++#include "port-linux.h"
++#include "fips.h"
++
++#define RNG_BYTES_DEFAULT	6L
++#define RNG_ENV_VAR		"SSH_USE_STRONG_RNG"
++
++long rand_bytes = 0;
++char *rand_file = NULL;
++
++static void
++linux_seed_init(void)
++{
++	long elen = 0;
++	char *env = getenv(RNG_ENV_VAR);
++
++	if (env) {
++		errno = 0;
++		elen = strtol(env, NULL, 10);
++		if (errno) {
++			elen = RNG_BYTES_DEFAULT;
++			debug("bogus value in the %s environment variable, "
++				"using %li bytes from /dev/random\n",
++				RNG_ENV_VAR, RNG_BYTES_DEFAULT);
++		}
++	}
++
++	if (elen || fips_mode())
++		rand_file = "/dev/random";
++	else
++		rand_file = "/dev/urandom";
++
++	rand_bytes = MAX(elen, RNG_BYTES_DEFAULT);
++}
++
++void
++linux_seed(void)
++{
++	long len;
++	if (!rand_file)
++		linux_seed_init();
++
++	errno = 0;
++	len = RAND_load_file(rand_file, rand_bytes);
++	if (len != rand_bytes) {
++		if (errno)
++			fatal ("cannot read from %s, %s", rand_file, strerror(errno));
++		else
++			fatal ("EOF reading %s", rand_file);
++	}
++}
+diff --git a/openssh-7.2p2/openbsd-compat/port-linux.h b/openssh-7.2p2/openbsd-compat/port-linux.h
+--- a/openssh-7.2p2/openbsd-compat/port-linux.h
++++ b/openssh-7.2p2/openbsd-compat/port-linux.h
+@@ -14,16 +14,20 @@
+  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+  */
+ 
+ #ifndef _PORT_LINUX_H
+ #define _PORT_LINUX_H
+ 
++extern long rand_bytes;
++extern char *rand_file;
++void linux_seed(void);
++
+ #ifdef WITH_SELINUX
+ int ssh_selinux_enabled(void);
+ void ssh_selinux_setup_pty(char *, const char *);
+ void ssh_selinux_setup_exec_context(char *);
+ void ssh_selinux_change_context(const char *);
+ void ssh_selinux_setfscreatecon(const char *);
+ #endif
+ 
+diff --git a/openssh-7.2p2/ssh-add.1 b/openssh-7.2p2/ssh-add.1
+--- a/openssh-7.2p2/ssh-add.1
++++ b/openssh-7.2p2/ssh-add.1
+@@ -166,16 +166,30 @@ or related script.
+ (Note that on some machines it
+ may be necessary to redirect the input from
+ .Pa /dev/null
+ to make this work.)
+ .It Ev SSH_AUTH_SOCK
+ Identifies the path of a
+ .Ux Ns -domain
+ socket used to communicate with the agent.
++.It Ev SSH_USE_STRONG_RNG
++The reseeding of the OpenSSL random generator is usually done from
++.Cm /dev/urandom .
++If the 
++.Cm SSH_USE_STRONG_RNG
++environment variable is set to value other than
++.Cm 0
++the OpenSSL random generator is reseeded from
++.Cm /dev/random .
++The number of bytes read is defined by the SSH_USE_STRONG_RNG value. 
++Minimum is 6 bytes.
++This setting is not recommended on the computers without the hardware
++random generator because insufficient entropy causes the connection to 
++be blocked until enough entropy is available.
+ .El
+ .Sh FILES
+ .Bl -tag -width Ds
+ .It Pa ~/.ssh/identity
+ Contains the protocol version 1 RSA authentication identity of the user.
+ .It Pa ~/.ssh/id_dsa
+ Contains the protocol version 2 DSA authentication identity of the user.
+ .It Pa ~/.ssh/id_ecdsa
+diff --git a/openssh-7.2p2/ssh-agent.1 b/openssh-7.2p2/ssh-agent.1
+--- a/openssh-7.2p2/ssh-agent.1
++++ b/openssh-7.2p2/ssh-agent.1
+@@ -196,16 +196,33 @@ line terminates.
+ .Sh FILES
+ .Bl -tag -width Ds
+ .It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt
+ .Ux Ns -domain
+ sockets used to contain the connection to the authentication agent.
+ These sockets should only be readable by the owner.
+ The sockets should get automatically removed when the agent exits.
+ .El
++.Sh ENVIRONMENT
++.Bl -tag -width Ds -compact
++.Pp
++.It Pa SSH_USE_STRONG_RNG
++The reseeding of the OpenSSL random generator is usually done from
++.Cm /dev/urandom .
++If the 
++.Cm SSH_USE_STRONG_RNG
++environment variable is set to value other than
++.Cm 0
++the OpenSSL random generator is reseeded from
++.Cm /dev/random .
++The number of bytes read is defined by the SSH_USE_STRONG_RNG value. 
++Minimum is 6 bytes.
++This setting is not recommended on the computers without the hardware
++random generator because insufficient entropy causes the connection to 
++be blocked until enough entropy is available.
+ .Sh SEE ALSO
+ .Xr ssh 1 ,
+ .Xr ssh-add 1 ,
+ .Xr ssh-keygen 1 ,
+ .Xr sshd 8
+ .Sh AUTHORS
+ OpenSSH is a derivative of the original and free
+ ssh 1.2.12 release by Tatu Ylonen.
+diff --git a/openssh-7.2p2/ssh-keygen.1 b/openssh-7.2p2/ssh-keygen.1
+--- a/openssh-7.2p2/ssh-keygen.1
++++ b/openssh-7.2p2/ssh-keygen.1
+@@ -841,16 +841,33 @@ on all machines
+ where the user wishes to log in using public key authentication.
+ There is no need to keep the contents of this file secret.
+ .Pp
+ .It Pa /etc/moduli
+ Contains Diffie-Hellman groups used for DH-GEX.
+ The file format is described in
+ .Xr moduli 5 .
+ .El
++.Sh ENVIRONMENT
++.Bl -tag -width Ds -compact
++.Pp
++.It Pa SSH_USE_STRONG_RNG
++The reseeding of the OpenSSL random generator is usually done from
++.Cm /dev/urandom .
++If the 
++.Cm SSH_USE_STRONG_RNG
++environment variable is set to value other than
++.Cm 0
++the OpenSSL random generator is reseeded from
++.Cm /dev/random .
++The number of bytes read is defined by the SSH_USE_STRONG_RNG value. 
++Minimum is 6 bytes.
++This setting is not recommended on the computers without the hardware
++random generator because insufficient entropy causes the connection to 
++be blocked until enough entropy is available.
+ .Sh SEE ALSO
+ .Xr ssh 1 ,
+ .Xr ssh-add 1 ,
+ .Xr ssh-agent 1 ,
+ .Xr moduli 5 ,
+ .Xr sshd 8
+ .Rs
+ .%R RFC 4716
+diff --git a/openssh-7.2p2/ssh-keysign.8 b/openssh-7.2p2/ssh-keysign.8
+--- a/openssh-7.2p2/ssh-keysign.8
++++ b/openssh-7.2p2/ssh-keysign.8
+@@ -75,16 +75,33 @@ must be set-uid root if host-based authe
+ .Pp
+ .It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
+ .It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
+ .It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub
+ .It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
+ If these files exist they are assumed to contain public certificate
+ information corresponding with the private keys above.
+ .El
++.Sh ENVIRONMENT
++.Bl -tag -width Ds -compact
++.Pp
++.It Pa SSH_USE_STRONG_RNG
++The reseeding of the OpenSSL random generator is usually done from
++.Cm /dev/urandom .
++If the 
++.Cm SSH_USE_STRONG_RNG
++environment variable is set to value other than
++.Cm 0
++the OpenSSL random generator is reseeded from
++.Cm /dev/random .
++The number of bytes read is defined by the SSH_USE_STRONG_RNG value. 
++Minimum is 6 bytes.
++This setting is not recommended on the computers without the hardware
++random generator because insufficient entropy causes the connection to 
++be blocked until enough entropy is available.
+ .Sh SEE ALSO
+ .Xr ssh 1 ,
+ .Xr ssh-keygen 1 ,
+ .Xr ssh_config 5 ,
+ .Xr sshd 8
+ .Sh HISTORY
+ .Nm
+ first appeared in
+diff --git a/openssh-7.2p2/ssh.1 b/openssh-7.2p2/ssh.1
+--- a/openssh-7.2p2/ssh.1
++++ b/openssh-7.2p2/ssh.1
+@@ -1411,16 +1411,30 @@ reads
+ and adds lines of the format
+ .Dq VARNAME=value
+ to the environment if the file exists and users are allowed to
+ change their environment.
+ For more information, see the
+ .Cm PermitUserEnvironment
+ option in
+ .Xr sshd_config 5 .
++.It Ev SSH_USE_STRONG_RNG
++The reseeding of the OpenSSL random generator is usually done from
++.Cm /dev/urandom .
++If the 
++.Cm SSH_USE_STRONG_RNG
++environment variable is set to value other than
++.Cm 0
++the OpenSSL random generator is reseeded from
++.Cm /dev/random .
++The number of bytes read is defined by the SSH_USE_STRONG_RNG value. 
++Minimum is 6 bytes.
++This setting is not recommended on the computers without the hardware
++random generator because insufficient entropy causes the connection to 
++be blocked until enough entropy is available.
+ .Sh FILES
+ .Bl -tag -width Ds -compact
+ .It Pa ~/.rhosts
+ This file is used for host-based authentication (see above).
+ On some machines this file may need to be
+ world-readable if the user's home directory is on an NFS partition,
+ because
+ .Xr sshd 8
+diff --git a/openssh-7.2p2/sshd.8 b/openssh-7.2p2/sshd.8
+--- a/openssh-7.2p2/sshd.8
++++ b/openssh-7.2p2/sshd.8
+@@ -972,16 +972,33 @@ and not group or world-writable.
+ .It Pa /var/run/sshd.pid
+ Contains the process ID of the
+ .Nm
+ listening for connections (if there are several daemons running
+ concurrently for different ports, this contains the process ID of the one
+ started last).
+ The content of this file is not sensitive; it can be world-readable.
+ .El
++.Sh ENVIRONMENT
++.Bl -tag -width Ds -compact
++.Pp
++.It Pa SSH_USE_STRONG_RNG
++The reseeding of the OpenSSL random generator is usually done from
++.Cm /dev/urandom .
++If the 
++.Cm SSH_USE_STRONG_RNG
++environment variable is set to value other than
++.Cm 0
++the OpenSSL random generator is reseeded from
++.Cm /dev/random .
++The number of bytes read is defined by the SSH_USE_STRONG_RNG value. 
++Minimum is 6 bytes.
++This setting is not recommended on the computers without the hardware
++random generator because insufficient entropy causes the connection to 
++be blocked until enough entropy is available.
+ .Sh SEE ALSO
+ .Xr scp 1 ,
+ .Xr sftp 1 ,
+ .Xr ssh 1 ,
+ .Xr ssh-add 1 ,
+ .Xr ssh-agent 1 ,
+ .Xr ssh-keygen 1 ,
+ .Xr ssh-keyscan 1 ,
+diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c
+--- a/openssh-7.2p2/sshd.c
++++ b/openssh-7.2p2/sshd.c
+@@ -50,16 +50,18 @@
+ #ifdef HAVE_SYS_STAT_H
+ # include <sys/stat.h>
+ #endif
+ #ifdef HAVE_SYS_TIME_H
+ # include <sys/time.h>
+ #endif
+ #include "openbsd-compat/sys-tree.h"
+ #include "openbsd-compat/sys-queue.h"
++#include "openbsd-compat/port-linux.h"
++
+ #include <sys/wait.h>
+ 
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <netdb.h>
+ #ifdef HAVE_PATHS_H
+ #include <paths.h>
+ #endif
+@@ -209,16 +211,23 @@ struct {
+ 	Key	**host_pubkeys;		/* all public host keys */
+ 	Key	**host_certificates;	/* all public host certificates */
+ 	int	have_ssh1_key;
+ 	int	have_ssh2_key;
+ 	u_char	ssh1_cookie[SSH_SESSION_KEY_LENGTH];
+ } sensitive_data;
+ 
+ /*
++ * Every RESEED_AFTERth connection triggers call to linux_seed() to re-seed the
++ * random pool.
++ */
++#define RESEED_AFTER    100
++static int re_seeding_counter = RESEED_AFTER;
++
++/*
+  * Flag indicating whether the RSA server key needs to be regenerated.
+  * Is set in the SIGALRM handler and cleared when the key is regenerated.
+  */
+ static volatile sig_atomic_t key_do_regen = 0;
+ 
+ /* This is set to true when a signal is received. */
+ static volatile sig_atomic_t received_sighup = 0;
+ static volatile sig_atomic_t received_sigterm = 0;
+@@ -1343,16 +1352,20 @@ server_accept_loop(int *sock_in, int *so
+ 			for (j = 0; j < options.max_startups; j++)
+ 				if (startup_pipes[j] == -1) {
+ 					startup_pipes[j] = startup_p[0];
+ 					if (maxfd < startup_p[0])
+ 						maxfd = startup_p[0];
+ 					startups++;
+ 					break;
+ 				}
++			if(!(--re_seeding_counter)) {
++				re_seeding_counter = RESEED_AFTER;
++				linux_seed();
++			}
+ 
+ 			/*
+ 			 * Got connection.  Fork a child to handle it, unless
+ 			 * we are in debugging mode.
+ 			 */
+ 			if (debug_flag) {
+ 				/*
+ 				 * In debugging mode.  Close the listening

openssh-askpass-gnome.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package openssh-askpass-gnome
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed

openssh.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Fri Sep 16 12:45:11 UTC 2016 - pcerny@suse.com
+
+- FIPS compatibility (no selfchecks, only crypto restrictions)
+  [openssh-7.2p2-fips.patch]
+- PRNG re-seeding
+  [openssh-7.2p2-seed-prng.patch]
+- preliminary version of GSSAPI KEX
+  [openssh-7.2p2-gssapi_key_exchange.patch]
+
 -------------------------------------------------------------------
 Mon Jul 25 13:46:06 UTC 2016 - meissner@suse.com
 

openssh.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package openssh
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -125,6 +125,9 @@ Patch12:        openssh-7.2p2-pam_check_locks.patch
 Patch13:        openssh-7.2p2-disable_short_DH_parameters.patch
 Patch14:        openssh-7.2p2-seccomp_getuid.patch
 Patch15:        openssh-7.2p2-seccomp_stat.patch
+Patch16:        openssh-7.2p2-fips.patch
+Patch17:        openssh-7.2p2-seed-prng.patch
+Patch18:        openssh-7.2p2-gssapi_key_exchange.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Conflicts:      nonfreessh
 Recommends:     audit
@@ -192,6 +195,9 @@ FIPS140 CAVS tests related parts of the OpenSSH package
 %patch13 -p2
 %patch14 -p2
 %patch15 -p2
+%patch16 -p2
+%patch17 -p2
+%patch18 -p2
 cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
 
 %build