Accepting request 226334 from home:pcerny:factory

- re-enabling the GSSAPI Key Exchange patch 
!!! currently breaks anythng else than Factory

OBS-URL: https://build.opensuse.org/request/show/226334
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=72

openssh-6.5p1-X_forward_with_disabled_ipv6.patch

@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent d7526bd96e81981aa3c94b7695a3f4009a2c176b
+# Parent bb0162afc928b3eeb69f11419e214e0737bb8034
 Do not throw away already open sockets for X11 forwarding if another socket
 family is not available for bind()
 

openssh-6.5p1-fips.patch

@@ -2,12 +2,12 @@
 # when OpenSSL is detected to be running in FIPS mode
 #
 # HG changeset patch
-# Parent 2a4df1014f286ec93a3e4dcf036f054745e4fee8
+# Parent df8b01308484dd9227b64c8bb820e52b56b89b4d
 
 diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
 --- a/openssh-6.5p1/Makefile.in
 +++ b/openssh-6.5p1/Makefile.in
-@@ -72,17 +72,18 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
+@@ -76,17 +76,18 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
  	atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
  	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
  	kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \

openssh-6.5p1-gssapi_key_exchange.patch

@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent a72dad36a987a441e9c92807b1d654e43ddee409
+# Parent fd62140898f5f8bfaa6d0b527c5893001322a662
 
 diff --git a/openssh-6.5p1/ChangeLog.gssapi b/openssh-6.5p1/ChangeLog.gssapi
 new file mode 100644
@@ -122,7 +122,7 @@ new file mode 100644
 diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
 --- a/openssh-6.5p1/Makefile.in
 +++ b/openssh-6.5p1/Makefile.in
-@@ -71,33 +71,34 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
+@@ -71,16 +71,17 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
  	canohost.o channels.o cipher.o cipher-aes.o \
  	cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
  	compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
@@ -133,13 +133,14 @@ diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
  	kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
 +	kexgssc.o \
  	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
- 	jpake.o schnorr.o ssh-pkcs11.o krl.o auditstub.o
+ 	jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \
+ 	kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
+ 	ssh-ed25519.o digest.o \
+ 	sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
+ 	auditstub.o \
+ 	fips.o
  
- SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
- 	sshconnect.o sshconnect1.o sshconnect2.o mux.o \
- 	roaming_common.o roaming_client.o
- 
- SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
+@@ -92,17 +93,17 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
  	audit.o audit-bsm.o audit-linux.o platform.o \
  	sshpty.o sshlogin.o servconf.o serverloop.o \
  	auth.o auth1.o auth2.o auth-options.o session.o \
@@ -147,21 +148,21 @@ diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
  	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
  	auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
  	monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
- 	auth-krb5.o \
+ 	kexc25519s.o auth-krb5.o \
 -	auth2-gss.o gss-serv.o gss-serv-krb5.o \
 +	auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\
  	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
  	sftp-server.o sftp-common.o \
  	roaming_common.o roaming_serv.o \
  	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
- 	sandbox-seccomp-filter.o
+ 	sandbox-seccomp-filter.o sandbox-capsicum.o
  
  MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out
  MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5
 diff --git a/openssh-6.5p1/auth-krb5.c b/openssh-6.5p1/auth-krb5.c
 --- a/openssh-6.5p1/auth-krb5.c
 +++ b/openssh-6.5p1/auth-krb5.c
-@@ -165,18 +165,23 @@ auth_krb5_password(Authctxt *authctxt, c
+@@ -177,18 +177,23 @@ auth_krb5_password(Authctxt *authctxt, c
  	if (problem)
  		goto out;
  #endif
@@ -185,7 +186,7 @@ diff --git a/openssh-6.5p1/auth-krb5.c b/openssh-6.5p1/auth-krb5.c
  
   out:
  	restore_uid();
-@@ -224,35 +229,42 @@ krb5_cleanup_proc(Authctxt *authctxt)
+@@ -238,35 +243,42 @@ krb5_cleanup_proc(Authctxt *authctxt)
  }
  
  #ifndef HEIMDAL
@@ -233,7 +234,7 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
 --- a/openssh-6.5p1/auth2-gss.c
 +++ b/openssh-6.5p1/auth2-gss.c
 @@ -1,12 +1,12 @@
- /* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */
+ /* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */
  
  /*
 - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -297,7 +298,7 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
  userauth_gssapi(Authctxt *authctxt)
  {
  	gss_OID_desc goid = {0, NULL};
-@@ -248,17 +282,18 @@ input_gssapi_exchange_complete(int type,
+@@ -244,17 +278,18 @@ input_gssapi_exchange_complete(int type,
  
  	/*
  	 * We don't need to check the status, because we're only enabled in
@@ -317,7 +318,7 @@ diff --git a/openssh-6.5p1/auth2-gss.c b/openssh-6.5p1/auth2-gss.c
  	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
  	userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
  }
-@@ -283,31 +318,38 @@ input_gssapi_mic(int type, u_int32_t ple
+@@ -279,31 +314,38 @@ input_gssapi_mic(int type, u_int32_t ple
  
  	ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
  	    "gssapi-with-mic");
@@ -414,7 +415,7 @@ diff --git a/openssh-6.5p1/clientloop.c b/openssh-6.5p1/clientloop.c
  
  /* Flag indicating that no shell has been requested */
  extern int no_shell_flag;
-@@ -1594,16 +1598,25 @@ client_loop(int have_pty, int escape_cha
+@@ -1603,16 +1607,25 @@ client_loop(int have_pty, int escape_cha
  		    &max_fd2, &nalloc, rekeying);
  
  		if (quit_pending)
@@ -443,7 +444,7 @@ diff --git a/openssh-6.5p1/clientloop.c b/openssh-6.5p1/clientloop.c
 diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac
 --- a/openssh-6.5p1/configure.ac
 +++ b/openssh-6.5p1/configure.ac
-@@ -528,16 +528,40 @@ main() { if (NSVersionOfRunTimeLibrary("
+@@ -579,16 +579,40 @@ main() { if (NSVersionOfRunTimeLibrary("
  	AC_DEFINE([BROKEN_GLOB], [1], [OS X glob does not do what we expect])
  	AC_DEFINE_UNQUOTED([BIND_8_COMPAT], [1],
  		[Define if your resolver libs need this for getrrsetbyname])
@@ -488,7 +489,7 @@ diff --git a/openssh-6.5p1/gss-genr.c b/openssh-6.5p1/gss-genr.c
 --- a/openssh-6.5p1/gss-genr.c
 +++ b/openssh-6.5p1/gss-genr.c
 @@ -1,12 +1,12 @@
- /* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */
+ /* $OpenBSD: gss-genr.c,v 1.22 2013/11/08 00:39:15 djm Exp $ */
  
  /*
 - * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@@ -878,7 +879,7 @@ diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c
 --- a/openssh-6.5p1/gss-serv-krb5.c
 +++ b/openssh-6.5p1/gss-serv-krb5.c
 @@ -1,12 +1,12 @@
- /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
+ /* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */
  
  /*
 - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -891,8 +892,7 @@ diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c
   *    notice, this list of conditions and the following disclaimer.
   * 2. Redistributions in binary form must reproduce the above copyright
   *    notice, this list of conditions and the following disclaimer in the
-@@ -115,16 +115,17 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
- static void
+@@ -117,16 +117,17 @@ static void
  ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
  {
  	krb5_ccache ccache;
@@ -900,6 +900,7 @@ diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c
  	krb5_principal princ;
  	OM_uint32 maj_status, min_status;
  	int len;
+ 	const char *errmsg;
 +	const char *new_ccname;
  
  	if (client->creds == NULL) {
@@ -909,7 +910,7 @@ diff --git a/openssh-6.5p1/gss-serv-krb5.c b/openssh-6.5p1/gss-serv-krb5.c
  
  	if (ssh_gssapi_krb5_init() == 0)
  		return;
-@@ -163,37 +164,108 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
+@@ -175,37 +176,108 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
  
  	if ((maj_status = gss_krb5_copy_ccache(&min_status,
  	    client->creds, ccache))) {
@@ -1027,7 +1028,7 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
 --- a/openssh-6.5p1/gss-serv.c
 +++ b/openssh-6.5p1/gss-serv.c
 @@ -1,12 +1,12 @@
- /* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */
+ /* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */
  
  /*
 - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -1059,8 +1060,8 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
  
  static ssh_gssapi_client gssapi_client =
      { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
--    GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
-+    GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME,  NULL, {NULL, NULL, NULL}, 0, 0};
+-    GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
++    GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME,  NULL, {NULL, NULL, NULL, NULL, NULL}, 0, 0};
  
  ssh_gssapi_mech gssapi_null_mech =
 -    { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL};
@@ -1415,19 +1416,15 @@ diff --git a/openssh-6.5p1/gss-serv.c b/openssh-6.5p1/gss-serv.c
 diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
 --- a/openssh-6.5p1/kex.c
 +++ b/openssh-6.5p1/kex.c
-@@ -46,16 +46,24 @@
- #include "log.h"
+@@ -47,16 +47,20 @@
  #include "mac.h"
  #include "match.h"
  #include "dispatch.h"
  #include "monitor.h"
  #include "roaming.h"
+ #include "digest.h"
  #include "audit.h"
  
-+#ifdef GSSAPI
-+#include "ssh-gss.h"
-+#endif
-+
 +#ifdef GSSAPI
 +#include "ssh-gss.h"
 +#endif
@@ -1440,42 +1437,32 @@ diff --git a/openssh-6.5p1/kex.c b/openssh-6.5p1/kex.c
  # endif
  #endif
  
-@@ -377,16 +385,30 @@ choose_kex(Kex *k, char *client, char *s
- 	} else if (strcmp(k->name, KEX_DHGEX_SHA256) == 0) {
- 		k->kex_type = KEX_DH_GEX_SHA256;
- 		k->evp_md = evp_ssh_sha256();
- 	} else if (strncmp(k->name, KEX_ECDH_SHA2_STEM,
- 	    sizeof(KEX_ECDH_SHA2_STEM) - 1) == 0) {
-  		k->kex_type = KEX_ECDH_SHA2;
- 		k->evp_md = kex_ecdh_name_to_evpmd(k->name);
+@@ -86,16 +90,21 @@ static const struct kexalg kexalgs[] = {
+ 	{ KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
+ 	    SSH_DIGEST_SHA512 },
+ # endif
+ #endif
+ 	{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
+ #ifdef HAVE_EVP_SHA256
+ 	{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
  #endif
 +#ifdef GSSAPI
-+	} else if (strncmp(k->name, KEX_GSS_GEX_SHA1_ID,
-+	    sizeof(KEX_GSS_GEX_SHA1_ID) - 1) == 0) {
-+		k->kex_type = KEX_GSS_GEX_SHA1;
-+		k->evp_md = EVP_sha1();
-+	} else if (strncmp(k->name, KEX_GSS_GRP1_SHA1_ID,
-+	    sizeof(KEX_GSS_GRP1_SHA1_ID) - 1) == 0) {
-+		k->kex_type = KEX_GSS_GRP1_SHA1;
-+		k->evp_md = EVP_sha1();
-+	} else if (strncmp(k->name, KEX_GSS_GRP14_SHA1_ID,
-+	    sizeof(KEX_GSS_GRP14_SHA1_ID) - 1) == 0) {
-+		k->kex_type = KEX_GSS_GRP14_SHA1;
-+		k->evp_md = EVP_sha1();
++    { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
++    { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
++    { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
 +#endif
- 	} else
- 		fatal("bad kex alg %s", k->name);
- }
+ 	{ NULL, -1, -1, -1},
+ };
  
- static void
- choose_hostkeyalg(Kex *k, char *client, char *server)
+ char *
+ kex_alg_list(char sep)
  {
- 	char *hostkeyalg = match_list(client, server, NULL);
+ 	char *ret = NULL;
+ 	size_t nlen, rlen = 0;
 diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
 --- a/openssh-6.5p1/kex.h
 +++ b/openssh-6.5p1/kex.h
-@@ -68,16 +68,19 @@ enum kex_modes {
- };
+@@ -71,16 +71,19 @@ enum kex_modes {
  
  enum kex_exchange {
  	KEX_DH_GRP1_SHA1,
@@ -1483,6 +1470,7 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
  	KEX_DH_GEX_SHA1,
  	KEX_DH_GEX_SHA256,
  	KEX_ECDH_SHA2,
+ 	KEX_C25519_SHA256,
 +	KEX_GSS_GRP1_SHA1,
 +	KEX_GSS_GRP14_SHA1,
 +	KEX_GSS_GEX_SHA1,
@@ -1494,15 +1482,15 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
  typedef struct Kex Kex;
  typedef struct Mac Mac;
  typedef struct Comp Comp;
-@@ -126,16 +129,22 @@ struct Kex {
- 	int	hostkey_type;
+@@ -131,16 +134,22 @@ struct Kex {
  	int	kex_type;
  	int	roaming;
  	Buffer	my;
  	Buffer	peer;
  	sig_atomic_t done;
  	int	flags;
- 	const EVP_MD *evp_md;
+ 	int	hash_alg;
+ 	int	ec_nid;
 +#ifdef GSSAPI
 +	int	gss_deleg_creds;
 +	int	gss_trust_dns;
@@ -1515,15 +1503,15 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
  	Key	*(*load_host_public_key)(int);
  	Key	*(*load_host_private_key)(int);
  	int	(*host_key_index)(Key *);
+ 	void    (*sign)(Key *, Key *, u_char **, u_int *, u_char *, u_int);
  	void	(*kex[KEX_MAX])(Kex *);
- };
-@@ -154,16 +163,21 @@ Newkeys *kex_get_newkeys(int);
- void	 kexdh_client(Kex *);
- void	 kexdh_server(Kex *);
+@@ -164,16 +173,21 @@ void	 kexdh_server(Kex *);
  void	 kexgex_client(Kex *);
  void	 kexgex_server(Kex *);
  void	 kexecdh_client(Kex *);
  void	 kexecdh_server(Kex *);
+ void	 kexc25519_client(Kex *);
+ void	 kexc25519_server(Kex *);
  
  void	 newkeys_destroy(Newkeys *newkeys);
 + 
@@ -1536,7 +1524,7 @@ diff --git a/openssh-6.5p1/kex.h b/openssh-6.5p1/kex.h
  kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
      BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
  void
- kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *,
+ kexgex_hash(int, char *, char *, char *, int, char *,
      int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *,
      BIGNUM *, BIGNUM *, u_char **, u_int *);
 diff --git a/openssh-6.5p1/kexgssc.c b/openssh-6.5p1/kexgssc.c
@@ -1825,7 +1813,7 @@ new file mode 100644
 +		break;
 +	case KEX_GSS_GEX_SHA1:
 +		kexgex_hash(
-+		    kex->evp_md,
++		    kex->hash_alg,
 +		    kex->client_version_string,
 +		    kex->server_version_string,
 +		    buffer_ptr(&kex->my), buffer_len(&kex->my),
@@ -1872,7 +1860,7 @@ new file mode 100644
 +	else
 +		ssh_gssapi_delete_ctx(&ctxt);
 +
-+	kex_derive_keys(kex, hash, hashlen, shared_secret);
++	kex_derive_keys_bn(kex, hash, hashlen, shared_secret);
 +	BN_clear_free(shared_secret);
 +	kex_finish(kex);
 +}
@@ -2108,7 +2096,7 @@ new file mode 100644
 +		break;
 +	case KEX_GSS_GEX_SHA1:
 +		kexgex_hash(
-+		    kex->evp_md,
++		    kex->hash_alg,
 +		    kex->client_version_string, kex->server_version_string,
 +		    buffer_ptr(&kex->peer), buffer_len(&kex->peer),
 +		    buffer_ptr(&kex->my), buffer_len(&kex->my),
@@ -2161,7 +2149,7 @@ new file mode 100644
 +
 +	DH_free(dh);
 +
-+	kex_derive_keys(kex, hash, hashlen, shared_secret);
++	kex_derive_keys_bn(kex, hash, hashlen, shared_secret);
 +	BN_clear_free(shared_secret);
 +	kex_finish(kex);
 +
@@ -2174,54 +2162,35 @@ new file mode 100644
 diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
 --- a/openssh-6.5p1/key.c
 +++ b/openssh-6.5p1/key.c
-@@ -1038,16 +1038,18 @@ key_ssh_name_from_type_nid(int type, int
- 			return "ecdsa-sha2-nistp384-cert-v01@openssh.com";
- 		case NID_secp521r1:
- 			return "ecdsa-sha2-nistp521-cert-v01@openssh.com";
- 		default:
- 			break;
- 		}
- 		break;
+@@ -1052,16 +1052,18 @@ static const struct keytype keytypes[] =
+ # endif
  #endif /* OPENSSL_HAS_ECC */
-+	case KEY_NULL:
-+		return "null";
- 	}
- 	return "ssh-unknown";
- }
+ 	{ "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00",
+ 	    KEY_RSA_CERT_V00, 0, 1 },
+ 	{ "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
+ 	    KEY_DSA_CERT_V00, 0, 1 },
+ 	{ "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT",
+ 	    KEY_ED25519_CERT, 0, 1 },
++	{ "null", "null",
++	    KEY_NULL, 0, 0 },
+ 	{ NULL, NULL, -1, -1, 0 }
+ };
  
  const char *
- key_ssh_name(const Key *k)
+ key_type(const Key *k)
  {
- 	return key_ssh_name_from_type_nid(k->type, k->ecdsa_nid);
-@@ -1343,16 +1345,18 @@ key_type_from_name(char *name)
- 	} else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) {
- 		return KEY_DSA_CERT;
- #ifdef OPENSSL_HAS_ECC
- 	} else if (strcmp(name, "ecdsa-sha2-nistp256-cert-v01@openssh.com") == 0 ||
- 	    strcmp(name, "ecdsa-sha2-nistp384-cert-v01@openssh.com") == 0 ||
- 	    strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) {
- 		return KEY_ECDSA_CERT;
- #endif
-+	} else if (strcmp(name, "null") == 0) {
-+		return KEY_NULL;
- 	}
+ 	const struct keytype *kt;
  
- 	debug2("key_type_from_name: unknown key type '%s'", name);
- 	return KEY_UNSPEC;
- }
- 
- int
- key_ecdsa_nid_from_name(const char *name)
 diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
 --- a/openssh-6.5p1/key.h
 +++ b/openssh-6.5p1/key.h
-@@ -39,16 +39,17 @@ enum types {
- 	KEY_RSA,
- 	KEY_DSA,
+@@ -41,16 +41,17 @@ enum types {
  	KEY_ECDSA,
+ 	KEY_ED25519,
  	KEY_RSA_CERT,
  	KEY_DSA_CERT,
  	KEY_ECDSA_CERT,
+ 	KEY_ED25519_CERT,
  	KEY_RSA_CERT_V00,
  	KEY_DSA_CERT_V00,
 +	KEY_NULL,
@@ -2236,7 +2205,7 @@ diff --git a/openssh-6.5p1/key.h b/openssh-6.5p1/key.h
 diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
 --- a/openssh-6.5p1/monitor.c
 +++ b/openssh-6.5p1/monitor.c
-@@ -178,16 +178,18 @@ int mm_answer_pam_respond(int, Buffer *)
+@@ -179,16 +179,18 @@ int mm_answer_pam_respond(int, Buffer *)
  int mm_answer_pam_free_ctx(int, Buffer *);
  #endif
  
@@ -2255,7 +2224,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
  int mm_answer_audit_end_command(int, Buffer *);
  int mm_answer_audit_unsupported_body(int, Buffer *);
  int mm_answer_audit_kex_body(int, Buffer *);
-@@ -259,28 +261,35 @@ struct mon_table mon_dispatch_proto20[] 
+@@ -260,28 +262,35 @@ struct mon_table mon_dispatch_proto20[] 
  #endif
      {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
      {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
@@ -2291,7 +2260,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
  #ifdef SSH_AUDIT_EVENTS
      {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
      {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
-@@ -393,16 +402,20 @@ monitor_child_preauth(Authctxt *_authctx
+@@ -394,16 +403,20 @@ monitor_child_preauth(Authctxt *_authctx
  	authctxt->loginmsg = &loginmsg;
  
  	if (compat20) {
@@ -2333,8 +2302,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
  		monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
  		monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1);
  	}
-@@ -1912,16 +1929,23 @@ mm_get_kex(Buffer *m)
- 	    timingsafe_bcmp(kex->session_id, session_id2, session_id2_len) != 0)
+@@ -1931,16 +1948,23 @@ mm_get_kex(Buffer *m)
  		fatal("mm_get_get: internal error: bad session id");
  	kex->we_need = buffer_get_int(m);
  	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
@@ -2342,6 +2310,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
  	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
  	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
  	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+ 	kex->kex[KEX_C25519_SHA256] = kexc25519_server;
 +#ifdef GSSAPI
 +	if (options.gss_keyex) {
 +		kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
@@ -2357,7 +2326,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
  	buffer_append(&kex->my, blob, bloblen);
  	free(blob);
  	blob = buffer_get_string(m, &bloblen);
-@@ -2135,16 +2159,19 @@ monitor_reinit(struct monitor *mon)
+@@ -2155,16 +2179,19 @@ monitor_reinit(struct monitor *mon)
  #ifdef GSSAPI
  int
  mm_answer_gss_setup_ctx(int sock, Buffer *m)
@@ -2377,7 +2346,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
  	free(goid.elements);
  
  	buffer_clear(m);
-@@ -2162,16 +2189,19 @@ int
+@@ -2182,16 +2209,19 @@ int
  mm_answer_gss_accept_ctx(int sock, Buffer *m)
  {
  	gss_buffer_desc in;
@@ -2397,7 +2366,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
  	buffer_clear(m);
  	buffer_put_int(m, major);
  	buffer_put_string(m, out.value, out.length);
-@@ -2179,27 +2209,31 @@ mm_answer_gss_accept_ctx(int sock, Buffe
+@@ -2199,27 +2229,31 @@ mm_answer_gss_accept_ctx(int sock, Buffe
  	mm_request_send(sock, MONITOR_ANS_GSSSTEP, m);
  
  	gss_release_buffer(&minor, &out);
@@ -2429,7 +2398,7 @@ diff --git a/openssh-6.5p1/monitor.c b/openssh-6.5p1/monitor.c
  	ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic);
  
  	free(gssbuf.value);
-@@ -2216,29 +2250,101 @@ mm_answer_gss_checkmic(int sock, Buffer 
+@@ -2236,29 +2270,101 @@ mm_answer_gss_checkmic(int sock, Buffer 
  	return (0);
  }
  
@@ -2558,7 +2527,7 @@ diff --git a/openssh-6.5p1/monitor.h b/openssh-6.5p1/monitor.h
 diff --git a/openssh-6.5p1/monitor_wrap.c b/openssh-6.5p1/monitor_wrap.c
 --- a/openssh-6.5p1/monitor_wrap.c
 +++ b/openssh-6.5p1/monitor_wrap.c
-@@ -1303,33 +1303,78 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
+@@ -1305,33 +1305,78 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
  	    &m);
  
  	major = buffer_get_int(&m);
@@ -2666,7 +2635,7 @@ diff --git a/openssh-6.5p1/monitor_wrap.h b/openssh-6.5p1/monitor_wrap.h
 diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
 --- a/openssh-6.5p1/readconf.c
 +++ b/openssh-6.5p1/readconf.c
-@@ -124,16 +124,18 @@ typedef enum {
+@@ -135,16 +135,18 @@ typedef enum {
  	oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
  	oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
  	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
@@ -2682,10 +2651,10 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
  	oHashKnownHosts,
  	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
  	oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
- 	oKexAlgorithms, oIPQoS, oRequestTTY,
- 	oDeprecated, oUnsupported
- } OpCodes;
-@@ -164,22 +166,31 @@ static struct {
+ 	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
+ 	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
+ 	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
+@@ -177,22 +179,31 @@ static struct {
  	{ "challengeresponseauthentication", oChallengeResponseAuthentication },
  	{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
  	{ "tisauthentication", oChallengeResponseAuthentication },  /* alias */
@@ -2717,7 +2686,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
  	{ "identitiesonly", oIdentitiesOnly },
  	{ "hostname", oHostName },
  	{ "hostkeyalias", oHostKeyAlias },
-@@ -500,24 +511,44 @@ parse_flag:
+@@ -836,24 +847,44 @@ parse_time:
  	case oChallengeResponseAuthentication:
  		intptr = &options->challenge_response_authentication;
  		goto parse_flag;
@@ -2762,7 +2731,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
  		intptr = &options->check_host_ip;
  		goto parse_flag;
  
-@@ -1159,18 +1190,23 @@ initialize_options(Options * options)
+@@ -1489,18 +1520,23 @@ initialize_options(Options * options)
  	options->exit_on_forward_failure = -1;
  	options->xauth_location = NULL;
  	options->gateway_ports = -1;
@@ -2786,7 +2755,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
  	options->batch_mode = -1;
  	options->check_host_ip = -1;
  	options->strict_host_key_checking = -1;
-@@ -1260,20 +1296,26 @@ fill_default_options(Options * options)
+@@ -1596,20 +1632,26 @@ fill_default_options(Options * options)
  	if (options->rsa_authentication == -1)
  		options->rsa_authentication = 1;
  	if (options->pubkey_authentication == -1)
@@ -2816,7 +2785,7 @@ diff --git a/openssh-6.5p1/readconf.c b/openssh-6.5p1/readconf.c
 diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h
 --- a/openssh-6.5p1/readconf.h
 +++ b/openssh-6.5p1/readconf.h
-@@ -43,18 +43,23 @@ typedef struct {
+@@ -49,18 +49,23 @@ typedef struct {
  	int     rhosts_rsa_authentication;	/* Try rhosts with RSA
  						 * authentication. */
  	int     rsa_authentication;	/* Try RSA authentication. */
@@ -2843,7 +2812,7 @@ diff --git a/openssh-6.5p1/readconf.h b/openssh-6.5p1/readconf.h
 diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
 --- a/openssh-6.5p1/servconf.c
 +++ b/openssh-6.5p1/servconf.c
-@@ -98,18 +98,21 @@ initialize_server_options(ServerOptions 
+@@ -104,18 +104,21 @@ initialize_server_options(ServerOptions 
  	options->hostbased_uses_name_from_packet_only = -1;
  	options->rsa_authentication = -1;
  	options->pubkey_authentication = -1;
@@ -2864,8 +2833,8 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
  	options->permit_user_env = -1;
  	options->use_login = -1;
  	options->compression = -1;
- 	options->allow_tcp_forwarding = -1;
-@@ -232,20 +235,26 @@ fill_default_server_options(ServerOption
+ 	options->rekey_limit = -1;
+@@ -244,20 +247,26 @@ fill_default_server_options(ServerOption
  	if (options->kerberos_or_local_passwd == -1)
  		options->kerberos_or_local_passwd = 1;
  	if (options->kerberos_ticket_cleanup == -1)
@@ -2892,8 +2861,8 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
  		options->challenge_response_authentication = 1;
  	if (options->permit_empty_passwd == -1)
  		options->permit_empty_passwd = 0;
-@@ -329,16 +338,17 @@ typedef enum {
- 	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
+@@ -345,16 +354,17 @@ typedef enum {
+ 	sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
  	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
  	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
  	sMaxStartups, sMaxAuthTries, sMaxSessions,
@@ -2908,9 +2877,9 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
  	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
  	sKexAlgorithms, sIPQoS, sVersionAddendum,
  	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
- 	sAuthenticationMethods,
+ 	sAuthenticationMethods, sHostKeyAgent,
  	sDeprecated, sUnsupported
-@@ -397,21 +407,31 @@ static struct {
+@@ -414,21 +424,31 @@ static struct {
  	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
  #endif
  	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -2942,7 +2911,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
  	{ "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
  #else
  	{ "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
-@@ -1057,24 +1077,36 @@ process_server_config_line(ServerOptions
+@@ -1102,24 +1122,36 @@ process_server_config_line(ServerOptions
  	case sKerberosGetAFSToken:
  		intptr = &options->kerberos_get_afs_token;
  		goto parse_flag;
@@ -2979,7 +2948,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
  		intptr = &options->zero_knowledge_password_authentication;
  		goto parse_flag;
  
-@@ -1939,17 +1971,20 @@ dump_config(ServerOptions *o)
+@@ -2020,17 +2052,20 @@ dump_config(ServerOptions *o)
  	dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
  	dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
  # ifdef USE_AFS
@@ -3003,7 +2972,7 @@ diff --git a/openssh-6.5p1/servconf.c b/openssh-6.5p1/servconf.c
 diff --git a/openssh-6.5p1/servconf.h b/openssh-6.5p1/servconf.h
 --- a/openssh-6.5p1/servconf.h
 +++ b/openssh-6.5p1/servconf.h
-@@ -105,18 +105,21 @@ typedef struct {
+@@ -107,18 +107,21 @@ typedef struct {
  						 * authentication mechanism,
  						 * such as SecurID or
  						 * /etc/passwd */
@@ -3176,7 +3145,7 @@ diff --git a/openssh-6.5p1/ssh_config b/openssh-6.5p1/ssh_config
 diff --git a/openssh-6.5p1/ssh_config.5 b/openssh-6.5p1/ssh_config.5
 --- a/openssh-6.5p1/ssh_config.5
 +++ b/openssh-6.5p1/ssh_config.5
-@@ -525,21 +525,53 @@ host key database, separated by whitespa
+@@ -671,21 +671,53 @@ host key database, separated by whitespa
  The default is
  .Pa /etc/ssh/ssh_known_hosts ,
  .Pa /etc/ssh/ssh_known_hosts2 .
@@ -3234,7 +3203,7 @@ diff --git a/openssh-6.5p1/ssh_config.5 b/openssh-6.5p1/ssh_config.5
 diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
 --- a/openssh-6.5p1/sshconnect2.c
 +++ b/openssh-6.5p1/sshconnect2.c
-@@ -155,19 +155,44 @@ order_hostkeyalgs(char *host, struct soc
+@@ -156,19 +156,44 @@ order_hostkeyalgs(char *host, struct soc
  	return ret;
  }
  
@@ -3278,12 +3247,12 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
  	if (options.ciphers != NULL) {
  		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
  		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
- 	}
-@@ -192,30 +217,61 @@ ssh_kex2(char *host, struct sockaddr *ho
- 	else {
+ 	} else if (fips_mode()) {
+@@ -204,32 +229,63 @@ ssh_kex2(char *host, struct sockaddr *ho
  		/* Prefer algorithms that we already have keys for */
  		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
- 		    order_hostkeyalgs(host, hostaddr, port);
+ 		    compat_pkalg_proposal(
+ 		    order_hostkeyalgs(host, hostaddr, port));
  	}
  	if (options.kex_algorithms != NULL)
  		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
@@ -3299,8 +3268,9 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
 +	}
 +#endif
 +
- 	if (options.rekey_limit)
- 		packet_set_rekey_limit((u_int32_t)options.rekey_limit);
+ 	if (options.rekey_limit || options.rekey_interval)
+ 		packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+ 		    (time_t)options.rekey_interval);
  
  	/* start key exchange */
  	kex = kex_setup(myproposal);
@@ -3309,6 +3279,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
  	kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
  	kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
  	kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
+ 	kex->kex[KEX_C25519_SHA256] = kexc25519_client;
 +#ifdef GSSAPI
 +	if (options.gss_keyex) {
 +		kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
@@ -3341,7 +3312,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
  		debug("Roaming not allowed by server");
  		options.use_roaming = 0;
  	}
-@@ -301,31 +357,37 @@ void	userauth_jpake_cleanup(Authctxt *);
+@@ -315,31 +371,37 @@ void	userauth_jpake_cleanup(Authctxt *);
  
  #ifdef GSSAPI
  int	userauth_gssapi(Authctxt *authctxt);
@@ -3379,7 +3350,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
  	{"gssapi",
  		userauth_gssapi,
  		NULL,
-@@ -627,29 +689,41 @@ done:
+@@ -638,29 +700,41 @@ done:
  int
  userauth_gssapi(Authctxt *authctxt)
  {
@@ -3423,7 +3394,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
  
  	if (!ok)
  		return 0;
-@@ -738,18 +812,18 @@ process_gssapi_token(void *ctxt, gss_buf
+@@ -749,18 +823,18 @@ process_gssapi_token(void *ctxt, gss_buf
  }
  
  /* ARGSUSED */
@@ -3444,7 +3415,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
  	/* Setup our OID */
  	oidv = packet_get_string(&oidlen);
  
-@@ -849,16 +923,58 @@ input_gssapi_error(int type, u_int32_t p
+@@ -859,16 +933,58 @@ input_gssapi_error(int type, u_int32_t p
  	lang=packet_get_string(NULL);
  
  	packet_check_eom();
@@ -3506,19 +3477,15 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
 diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
 --- a/openssh-6.5p1/sshd.c
 +++ b/openssh-6.5p1/sshd.c
-@@ -119,16 +119,24 @@
- #include "ssh-gss.h"
+@@ -121,16 +121,20 @@
  #endif
  #include "monitor_wrap.h"
  #include "roaming.h"
  #include "audit.h"
  #include "ssh-sandbox.h"
  #include "version.h"
+ #include "fips.h"
  
-+#ifdef USE_SECURITY_SESSION_API
-+#include <Security/AuthSession.h>
-+#endif
-+
 +#ifdef USE_SECURITY_SESSION_API
 +#include <Security/AuthSession.h>
 +#endif
@@ -3531,10 +3498,10 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
  #endif /* LIBWRAP */
  
  #ifndef O_NOCTTY
-@@ -1715,20 +1723,23 @@ main(int ac, char **av)
- 		}
- 		debug("private host key: #%d type %d %s", i, key->type,
- 		    key_type(key));
+@@ -1795,20 +1799,23 @@ main(int ac, char **av)
+ 	if ((options.protocol & SSH_PROTO_1) && fips_mode()) {
+ 		logit("Disabling protocol version 1. Not allowed in the FIPS mode.");
+ 		options.protocol &= ~SSH_PROTO_1;
  	}
  	if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
  		logit("Disabling protocol version 1. Could not load host key");
@@ -3555,7 +3522,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
  	/*
  	 * Load certificates. They are stored in an array at identical
  	 * indices to the public keys that they relate to.
-@@ -1920,16 +1931,70 @@ main(int ac, char **av)
+@@ -1998,16 +2005,70 @@ main(int ac, char **av)
  		/* Accept a connection and return in a forked child */
  		server_accept_loop(&sock_in, &sock_out,
  		    &newsock, config_s);
@@ -3626,14 +3593,14 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
  #if !defined(SSHD_ACQUIRES_CTTY)
  	/*
  	 * If setsid is called, on some platforms sshd will later acquire a
-@@ -2046,16 +2111,70 @@ main(int ac, char **av)
- 			fatal("libwrap refuse returns");
- 		}
+@@ -2125,16 +2186,70 @@ main(int ac, char **av)
  	}
  #endif /* LIBWRAP */
  
  	/* Log the connection. */
- 	verbose("Connection from %.500s port %d", remote_ip, remote_port);
+ 	verbose("Connection from %s port %d on %s port %d",
+ 	    remote_ip, remote_port,
+ 	    get_local_ipaddr(sock_in), get_local_port());
  
 +#ifdef USE_SECURITY_SESSION_API
 +	/*
@@ -3697,57 +3664,15 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
  	 * mode; it is just annoying to have the server exit just when you
  	 * are about to discover the bug.
  	 */
-@@ -2435,23 +2554,114 @@ do_ssh2_kex(void)
- 		myproposal[PROPOSAL_COMP_ALGS_CTOS] =
- 		myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com";
- 	}
- 	if (options.kex_algorithms != NULL)
- 		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+@@ -2544,24 +2659,73 @@ do_ssh2_kex(void)
  
- 	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
+ 	if (options.rekey_limit || options.rekey_interval)
+ 		packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+ 		    (time_t)options.rekey_interval);
+ 
+ 	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
+ 	    list_hostkey_types());
  
-+#ifdef GSSAPI
-+	{
-+	char *orig;
-+	char *gss = NULL;
-+	char *newstr = NULL;
-+	orig = myproposal[PROPOSAL_KEX_ALGS];
-+
-+	/* 
-+	 * If we don't have a host key, then there's no point advertising
-+	 * the other key exchange algorithms
-+	 */
-+
-+	if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
-+		orig = NULL;
-+
-+	if (options.gss_keyex)
-+		gss = ssh_gssapi_server_mechanisms();
-+	else
-+		gss = NULL;
-+
-+	if (gss && orig)
-+		xasprintf(&newstr, "%s,%s", gss, orig);
-+	else if (gss)
-+		newstr = gss;
-+	else if (orig)
-+		newstr = orig;
-+
-+	/* 
-+	 * If we've got GSSAPI mechanisms, then we've got the 'null' host
-+	 * key alg, but we can't tell people about it unless its the only
-+  	 * host key algorithm we support
-+	 */
-+	if (gss && (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS])) == 0)
-+		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "null";
-+
-+	if (newstr)
-+		myproposal[PROPOSAL_KEX_ALGS] = newstr;
-+	else
-+		fatal("No supported key exchange algorithms");
-+	}
-+#endif
-+
 +#ifdef GSSAPI
 +	{
 +	char *orig;
@@ -3797,6 +3722,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
  	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
  	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
  	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+ 	kex->kex[KEX_C25519_SHA256] = kexc25519_server;
 +#ifdef GSSAPI
 +	if (options.gss_keyex) {
 +		kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
@@ -3810,12 +3736,12 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
  	kex->load_host_public_key=&get_hostkey_public_by_type;
  	kex->load_host_private_key=&get_hostkey_private_by_type;
  	kex->host_key_index=&get_hostkey_index;
+ 	kex->sign = sshd_hostkey_sign;
  
- 	xxx_kex = kex;
 diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
 --- a/openssh-6.5p1/sshd_config
 +++ b/openssh-6.5p1/sshd_config
-@@ -75,16 +75,18 @@ PasswordAuthentication no
+@@ -79,16 +79,18 @@ PasswordAuthentication no
  #KerberosAuthentication no
  #KerberosOrLocalPasswd yes
  #KerberosTicketCleanup yes
@@ -3837,7 +3763,7 @@ diff --git a/openssh-6.5p1/sshd_config b/openssh-6.5p1/sshd_config
 diff --git a/openssh-6.5p1/sshd_config.5 b/openssh-6.5p1/sshd_config.5
 --- a/openssh-6.5p1/sshd_config.5
 +++ b/openssh-6.5p1/sshd_config.5
-@@ -475,22 +475,50 @@ to force remote port forwardings to bind
+@@ -487,22 +487,50 @@ to force remote port forwardings to bind
  to allow the client to select the address to which the forwarding is bound.
  The default is
  .Dq no .

openssh-6.5p1-login_options.patch

@@ -7,7 +7,7 @@
 diff --git a/openssh-6.5p1/configure.ac b/openssh-6.5p1/configure.ac
 --- a/openssh-6.5p1/configure.ac
 +++ b/openssh-6.5p1/configure.ac
-@@ -695,16 +695,18 @@ main() { if (NSVersionOfRunTimeLibrary("
+@@ -719,16 +719,18 @@ main() { if (NSVersionOfRunTimeLibrary("
  	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
  	AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
  	;;

openssh-6.5p1-no_fork-no_pid_file.patch

@@ -3,7 +3,7 @@
 diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
 --- a/openssh-6.5p1/sshd.c
 +++ b/openssh-6.5p1/sshd.c
-@@ -1973,17 +1973,17 @@ main(int ac, char **av)
+@@ -1985,17 +1985,17 @@ main(int ac, char **av)
  		signal(SIGCHLD, main_sigchld_handler);
  		signal(SIGTERM, sigterm_handler);
  		signal(SIGQUIT, sigterm_handler);

openssh.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Mar 17 02:21:13 UTC 2014 - pcerny@suse.com
+
+- re-enabling the GSSAPI Key Exchange patch 
+
 -------------------------------------------------------------------
 Fri Feb 28 12:59:27 UTC 2014 - pcerny@suse.com
 

openssh.spec

@@ -198,7 +198,7 @@ Helper applications for OpenSSH which retrieve keys from various sources.
 %if 0%{?suse_version} > 1310
 %patch27 -p2
 %endif
-#patch28 -p2
+%patch28 -p2
 %patch29 -p2
 %patch30 -p2
 %patch31 -p2