Accepting request 738544 from network
- Add openssh-7.9p1-keygen-preserve-perms.patch (bsc#1150574). This attempts to preserve the permissions of any existing known_hosts file when modified by ssh-keygen (for instance, with -R). - Add patch from upstream openssh-7.9p1-revert-new-qos-defaults.patch - Run 'ssh-keygen -A' on startup only if SSHD_AUTO_KEYGEN="yes" in /etc/sysconfig/ssh. This is set to "yes" by default, but can be changed by the system administrator (bsc#1139089). - Add openssh-7.9p1-keygen-preserve-perms.patch (bsc#1150574). This attempts to preserve the permissions of any existing known_hosts file when modified by ssh-keygen (for instance, with -R). - Version update to 8.1p1: * ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. Certificates signed by RSA keys will therefore be incompatible with OpenSSH versions prior to 7.2 unless the default is overridden (using "ssh-keygen -t ssh-rsa -s ..."). * ssh(1): Allow %n to be expanded in ProxyCommand strings * ssh(1), sshd(8): Allow prepending a list of algorithms to the default set by starting the list with the '^' character, E.g. "HostKeyAlgorithms ^ssh-ed25519" * ssh-keygen(1): add an experimental lightweight signature and verification ability. Signatures may be made using regular ssh keys held on disk or stored in a ssh-agent and verified against an authorized_keys-like list of allowed keys. Signatures embed a namespace that prevents confusion and attacks between different OBS-URL: https://build.opensuse.org/request/show/738544 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=135
commit
a68d0c642d
@ -1,252 +0,0 @@
|
||||
From 76a24b3fa193a9ca3e47a8779d497cb06500798b Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Fri, 1 Mar 2019 02:32:39 +0000
|
||||
Subject: upstream: Fix two race conditions in sshd relating to SIGHUP:
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
1. Recently-forked child processes will briefly remain listening to
|
||||
listen_socks. If the main server sshd process completes its restart
|
||||
via execv() before these sockets are closed by the child processes
|
||||
then it can fail to listen at the desired addresses/ports and/or
|
||||
fail to restart.
|
||||
|
||||
2. When a SIGHUP is received, there may be forked child processes that
|
||||
are awaiting their reexecution state. If the main server sshd
|
||||
process restarts before passing this state, these child processes
|
||||
will yield errors and use a fallback path of reading the current
|
||||
sshd_config from the filesystem rather than use the one that sshd
|
||||
was started with.
|
||||
|
||||
To fix both of these cases, we reuse the startup_pipes that are shared
|
||||
between the main server sshd and forked children. Previously this was
|
||||
used solely to implement tracking of pre-auth child processes for
|
||||
MaxStartups, but this extends the messaging over these pipes to include
|
||||
a child->parent message that the parent process is safe to restart. This
|
||||
message is sent from the child after it has completed its preliminaries:
|
||||
closing listen_socks and receiving its reexec state.
|
||||
|
||||
bz#2953, reported by Michal Koutný; ok markus@ dtucker@
|
||||
|
||||
OpenBSD-Commit-ID: 7df09eacfa3ce13e9a7b1e9f17276ecc924d65ab
|
||||
---
|
||||
sshd.c | 114 +++++++++++++++++++++++++++++++++++++++++++++++++----------------
|
||||
1 file changed, 86 insertions(+), 28 deletions(-)
|
||||
|
||||
Index: openssh-7.9p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/sshd.c 2019-03-11 15:26:34.532966127 +0100
|
||||
+++ openssh-7.9p1/sshd.c 2019-03-11 16:05:21.242748303 +0100
|
||||
@@ -240,9 +240,26 @@ u_int session_id2_len = 0;
|
||||
/* record remote hostname or ip */
|
||||
u_int utmp_len = HOST_NAME_MAX+1;
|
||||
|
||||
-/* options.max_startup sized array of fd ints */
|
||||
+/*
|
||||
+ * startup_pipes/flags are used for tracking children of the listening sshd
|
||||
+ * process early in their lifespans. This tracking is needed for three things:
|
||||
+ *
|
||||
+ * 1) Implementing the MaxStartups limit of concurrent unauthenticated
|
||||
+ * connections.
|
||||
+ * 2) Avoiding a race condition for SIGHUP processing, where child processes
|
||||
+ * may have listen_socks open that could collide with main listener process
|
||||
+ * after it restarts.
|
||||
+ * 3) Ensuring that rexec'd sshd processes have received their initial state
|
||||
+ * from the parent listen process before handling SIGHUP.
|
||||
+ *
|
||||
+ * Child processes signal that they have completed closure of the listen_socks
|
||||
+ * and (if applicable) received their rexec state by sending a char over their
|
||||
+ * sock. Child processes signal that authentication has completed by closing
|
||||
+ * the sock (or by exiting).
|
||||
+ */
|
||||
int *startup_pipes = NULL;
|
||||
-int startup_pipe; /* in child */
|
||||
+static int *startup_flags = NULL; /* Indicates child closed listener */
|
||||
+static int startup_pipe = -1; /* in child */
|
||||
|
||||
/* variables used for privilege separation */
|
||||
int use_privsep = -1;
|
||||
@@ -1081,14 +1098,9 @@ server_accept_inetd(int *sock_in, int *s
|
||||
{
|
||||
int fd;
|
||||
|
||||
- startup_pipe = -1;
|
||||
if (rexeced_flag) {
|
||||
close(REEXEC_CONFIG_PASS_FD);
|
||||
*sock_in = *sock_out = dup(STDIN_FILENO);
|
||||
- if (!debug_flag) {
|
||||
- startup_pipe = dup(REEXEC_STARTUP_PIPE_FD);
|
||||
- close(REEXEC_STARTUP_PIPE_FD);
|
||||
- }
|
||||
} else {
|
||||
*sock_in = dup(STDIN_FILENO);
|
||||
*sock_out = dup(STDOUT_FILENO);
|
||||
@@ -1213,8 +1225,9 @@ server_accept_loop(int *sock_in, int *so
|
||||
{
|
||||
fd_set *fdset;
|
||||
int i, j, ret, maxfd;
|
||||
- int startups = 0;
|
||||
+ int startups = 0, listening = 0, lameduck = 0;
|
||||
int startup_p[2] = { -1 , -1 };
|
||||
+ char c = 0;
|
||||
struct sockaddr_storage from;
|
||||
socklen_t fromlen;
|
||||
pid_t pid;
|
||||
@@ -1228,6 +1241,7 @@ server_accept_loop(int *sock_in, int *so
|
||||
maxfd = listen_socks[i];
|
||||
/* pipes connected to unauthenticated childs */
|
||||
startup_pipes = xcalloc(options.max_startups, sizeof(int));
|
||||
+ startup_flags = xcalloc(options.max_startups, sizeof(int));
|
||||
for (i = 0; i < options.max_startups; i++)
|
||||
startup_pipes[i] = -1;
|
||||
|
||||
@@ -1236,8 +1250,15 @@ server_accept_loop(int *sock_in, int *so
|
||||
* the daemon is killed with a signal.
|
||||
*/
|
||||
for (;;) {
|
||||
- if (received_sighup)
|
||||
- sighup_restart();
|
||||
+ if (received_sighup) {
|
||||
+ if (!lameduck) {
|
||||
+ debug("Received SIGHUP; waiting for children");
|
||||
+ close_listen_socks();
|
||||
+ lameduck = 1;
|
||||
+ }
|
||||
+ if (listening <= 0)
|
||||
+ sighup_restart();
|
||||
+ }
|
||||
free(fdset);
|
||||
fdset = xcalloc(howmany(maxfd + 1, NFDBITS),
|
||||
sizeof(fd_mask));
|
||||
@@ -1264,19 +1285,37 @@ server_accept_loop(int *sock_in, int *so
|
||||
if (ret < 0)
|
||||
continue;
|
||||
|
||||
- for (i = 0; i < options.max_startups; i++)
|
||||
- if (startup_pipes[i] != -1 &&
|
||||
- FD_ISSET(startup_pipes[i], fdset)) {
|
||||
- /*
|
||||
- * the read end of the pipe is ready
|
||||
- * if the child has closed the pipe
|
||||
- * after successful authentication
|
||||
- * or if the child has died
|
||||
- */
|
||||
+ for (i = 0; i < options.max_startups; i++) {
|
||||
+ if (startup_pipes[i] == -1 ||
|
||||
+ !FD_ISSET(startup_pipes[i], fdset))
|
||||
+ continue;
|
||||
+ switch (read(startup_pipes[i], &c, sizeof(c))) {
|
||||
+ case -1:
|
||||
+ if (errno == EINTR || errno == EAGAIN)
|
||||
+ continue;
|
||||
+ if (errno != EPIPE) {
|
||||
+ error("%s: startup pipe %d (fd=%d): "
|
||||
+ "read %s", __func__, i,
|
||||
+ startup_pipes[i], strerror(errno));
|
||||
+ }
|
||||
+ /* FALLTHROUGH */
|
||||
+ case 0:
|
||||
+ /* child exited or completed auth */
|
||||
close(startup_pipes[i]);
|
||||
startup_pipes[i] = -1;
|
||||
startups--;
|
||||
+ if (startup_flags[i])
|
||||
+ listening--;
|
||||
+ break;
|
||||
+ case 1:
|
||||
+ /* child has finished preliminaries */
|
||||
+ if (startup_flags[i]) {
|
||||
+ listening--;
|
||||
+ startup_flags[i] = 0;
|
||||
+ }
|
||||
+ break;
|
||||
}
|
||||
+ }
|
||||
for (i = 0; i < num_listen_socks; i++) {
|
||||
if (!FD_ISSET(listen_socks[i], fdset))
|
||||
continue;
|
||||
@@ -1330,6 +1369,7 @@ server_accept_loop(int *sock_in, int *so
|
||||
if (maxfd < startup_p[0])
|
||||
maxfd = startup_p[0];
|
||||
startups++;
|
||||
+ startup_flags[j] = 1;
|
||||
break;
|
||||
}
|
||||
if(!(--re_seeding_counter)) {
|
||||
@@ -1359,7 +1399,7 @@ server_accept_loop(int *sock_in, int *so
|
||||
send_rexec_state(config_s[0], cfg);
|
||||
close(config_s[0]);
|
||||
}
|
||||
- break;
|
||||
+ return;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1368,13 +1408,14 @@ server_accept_loop(int *sock_in, int *so
|
||||
* parent continues listening.
|
||||
*/
|
||||
platform_pre_fork();
|
||||
+ listening++;
|
||||
if ((pid = fork()) == 0) {
|
||||
/*
|
||||
* Child. Close the listening and
|
||||
* max_startup sockets. Start using
|
||||
* the accepted socket. Reinitialize
|
||||
* logging (since our pid has changed).
|
||||
- * We break out of the loop to handle
|
||||
+ * We return from this function to handle
|
||||
* the connection.
|
||||
*/
|
||||
platform_post_fork_child();
|
||||
@@ -1389,7 +1430,18 @@ server_accept_loop(int *sock_in, int *so
|
||||
log_stderr);
|
||||
if (rexec_flag)
|
||||
close(config_s[0]);
|
||||
- break;
|
||||
+ else {
|
||||
+ /*
|
||||
+ * Signal parent that the preliminaries
|
||||
+ * for this child are complete. For the
|
||||
+ * re-exec case, this happens after the
|
||||
+ * child has received the rexec state
|
||||
+ * from the server.
|
||||
+ */
|
||||
+ (void)atomicio(vwrite, startup_pipe,
|
||||
+ "\0", 1);
|
||||
+ }
|
||||
+ return;
|
||||
}
|
||||
|
||||
/* Parent. Stay in the loop. */
|
||||
@@ -1421,10 +1473,6 @@ server_accept_loop(int *sock_in, int *so
|
||||
#endif
|
||||
explicit_bzero(rnd, sizeof(rnd));
|
||||
}
|
||||
-
|
||||
- /* child process check (or debug mode) */
|
||||
- if (num_listen_socks < 0)
|
||||
- break;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1760,8 +1808,18 @@ main(int ac, char **av)
|
||||
/* Fetch our configuration */
|
||||
if ((cfg = sshbuf_new()) == NULL)
|
||||
fatal("%s: sshbuf_new failed", __func__);
|
||||
- if (rexeced_flag)
|
||||
+ if (rexeced_flag) {
|
||||
recv_rexec_state(REEXEC_CONFIG_PASS_FD, cfg);
|
||||
+ if (!debug_flag) {
|
||||
+ startup_pipe = dup(REEXEC_STARTUP_PIPE_FD);
|
||||
+ close(REEXEC_STARTUP_PIPE_FD);
|
||||
+ /*
|
||||
+ * Signal parent that this child is at a point where
|
||||
+ * they can go away if they have a SIGHUP pending.
|
||||
+ */
|
||||
+ (void)atomicio(vwrite, startup_pipe, "\0", 1);
|
||||
+ }
|
||||
+ }
|
||||
else if (strcasecmp(config_file_name, "none") != 0)
|
||||
load_server_config(config_file_name, cfg);
|
||||
|
@ -3,15 +3,11 @@
|
||||
Do not throw away already open sockets for X11 forwarding if another socket
|
||||
family is not available for bind()
|
||||
|
||||
diff --git a/openssh-7.7p1/channels.c b/openssh-7.7p1/channels.c
|
||||
--- openssh-7.7p1/channels.c
|
||||
+++ openssh-7.7p1/channels.c
|
||||
@@ -4421,16 +4421,23 @@ x11_create_display_inet(struct ssh *ssh,
|
||||
if (ai->ai_family == AF_INET6)
|
||||
sock_set_v6only(sock);
|
||||
if (x11_use_localhost)
|
||||
set_reuseaddr(sock);
|
||||
if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
|
||||
diff --git a/channels.c b/channels.c
|
||||
index f51b7e3..95af47e 100644
|
||||
--- a/channels.c
|
||||
+++ b/channels.c
|
||||
@@ -4637,6 +4637,13 @@ x11_create_display_inet(struct ssh *ssh, int x11_display_offset,
|
||||
debug2("%s: bind port %d: %.100s", __func__,
|
||||
port, strerror(errno));
|
||||
close(sock);
|
||||
@ -21,12 +17,7 @@ diff --git a/openssh-7.7p1/channels.c b/openssh-7.7p1/channels.c
|
||||
+ * disabled while being supported)
|
||||
+ */
|
||||
+ if (EADDRNOTAVAIL == errno)
|
||||
+ continue;
|
||||
+ continue;
|
||||
for (n = 0; n < num_socks; n++)
|
||||
close(socks[n]);
|
||||
num_socks = 0;
|
||||
break;
|
||||
}
|
||||
socks[num_socks++] = sock;
|
||||
if (num_socks == NUM_SOCKS)
|
||||
break;
|
||||
|
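Review bot: In the x11_create_display_inet hunk the test `if (EADDRNOTAVAIL == errno)` runs only after `debug2(..., strerror(errno))` and `close(sock)` have executed, so the value compared may no longer be the errno that bind() set — close() sets errno on failure and the logging path is not guaranteed to preserve it — and when that happens the EADDRNOTAVAIL case silently falls through to the loop that closes every already-bound socket, which is exactly what this patch exists to prevent. Capture it first: `int oerrno = errno;` immediately inside the failed-bind branch, then `close(sock); if (oerrno == EADDRNOTAVAIL) continue;`. As far as the rendering shows this is pre-existing patch code carried forward by the rebase rather than something this commit introduces, so it could equally be a follow-up, but the rebase is the natural moment to fix it. The enclosing function starts and ends outside the hunk.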
@ -2,11 +2,11 @@
|
||||
# Parent cc1022edba2c5eeb0facba08468f65afc2466b63
|
||||
CAVS test for OpenSSH's own CTR encryption mode implementation
|
||||
|
||||
Index: openssh-7.9p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/Makefile.in
|
||||
+++ openssh-7.9p1/Makefile.in
|
||||
@@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index 7488595..d426006 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
|
||||
SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
@ -23,7 +23,7 @@ Index: openssh-7.9p1/Makefile.in
|
||||
XMSS_OBJS=\
|
||||
ssh-xmss.o \
|
||||
sshkey-xmss.o \
|
||||
@@ -204,6 +207,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss
|
||||
@@ -210,6 +213,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o s
|
||||
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
|
||||
$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
||||
|
||||
@ -34,7 +34,7 @@ Index: openssh-7.9p1/Makefile.in
|
||||
# test driver for the loginrec code - not built by default
|
||||
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
||||
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
|
||||
@@ -348,6 +355,7 @@ install-files:
|
||||
@@ -354,6 +361,7 @@ install-files:
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
@ -42,10 +42,11 @@ Index: openssh-7.9p1/Makefile.in
|
||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
|
||||
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
|
||||
Index: openssh-7.9p1/cavstest-ctr.c
|
||||
===================================================================
|
||||
diff --git a/cavstest-ctr.c b/cavstest-ctr.c
|
||||
new file mode 100644
|
||||
index 0000000..f81cb72
|
||||
--- /dev/null
|
||||
+++ openssh-7.9p1/cavstest-ctr.c
|
||||
+++ b/cavstest-ctr.c
|
||||
@@ -0,0 +1,214 @@
|
||||
+/*
|
||||
+ *
|
||||
@ -261,13 +262,13 @@ Index: openssh-7.9p1/cavstest-ctr.c
|
||||
+ printf("\n");
|
||||
+ return 0;
|
||||
+}
|
||||
Index: openssh-7.9p1/cipher.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/cipher.c
|
||||
+++ openssh-7.9p1/cipher.c
|
||||
@@ -54,15 +54,6 @@
|
||||
#include "fips.h"
|
||||
#include "log.h"
|
||||
diff --git a/cipher.c b/cipher.c
|
||||
index acca752..b67a4ff 100644
|
||||
--- a/cipher.c
|
||||
+++ b/cipher.c
|
||||
@@ -58,15 +58,6 @@
|
||||
#define EVP_CIPHER_CTX void
|
||||
#endif
|
||||
|
||||
-struct sshcipher_ctx {
|
||||
- int plaintext;
|
||||
@ -281,11 +282,11 @@ Index: openssh-7.9p1/cipher.c
|
||||
struct sshcipher {
|
||||
char *name;
|
||||
u_int block_size;
|
||||
Index: openssh-7.9p1/cipher.h
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/cipher.h
|
||||
+++ openssh-7.9p1/cipher.h
|
||||
@@ -46,7 +46,15 @@
|
||||
diff --git a/cipher.h b/cipher.h
|
||||
index 5843aab..d7d8c89 100644
|
||||
--- a/cipher.h
|
||||
+++ b/cipher.h
|
||||
@@ -48,7 +48,15 @@
|
||||
#define CIPHER_DECRYPT 0
|
||||
|
||||
struct sshcipher;
|
||||
|
@ -2,10 +2,10 @@
|
||||
# Parent 1e1d5a2ab8bddfc800f570755f9ea1addcc878c1
|
||||
CAVS test for KDF implementation in OpenSSH
|
||||
|
||||
Index: openssh-7.9p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/Makefile.in 2019-03-12 16:12:42.213142294 +0100
|
||||
+++ openssh-7.9p1/Makefile.in 2019-03-28 13:49:37.150166231 +0100
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index d426006..85818f4 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -25,6 +25,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
@ -23,7 +23,7 @@ Index: openssh-7.9p1/Makefile.in
|
||||
|
||||
XMSS_OBJS=\
|
||||
ssh-xmss.o \
|
||||
@@ -211,6 +212,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sft
|
||||
@@ -217,6 +218,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glo
|
||||
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
|
||||
$(LD) -o $@ cavstest-ctr.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
@ -33,7 +33,7 @@ Index: openssh-7.9p1/Makefile.in
|
||||
# test driver for the loginrec code - not built by default
|
||||
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
||||
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
|
||||
@@ -356,6 +360,7 @@ install-files:
|
||||
@@ -362,6 +366,7 @@ install-files:
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
|
||||
@ -41,11 +41,12 @@ Index: openssh-7.9p1/Makefile.in
|
||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
|
||||
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
|
||||
Index: openssh-7.9p1/cavstest-kdf.c
|
||||
===================================================================
|
||||
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
||||
+++ openssh-7.9p1/cavstest-kdf.c 2019-03-28 13:54:20.047709759 +0100
|
||||
@@ -0,0 +1,384 @@
|
||||
diff --git a/cavstest-kdf.c b/cavstest-kdf.c
|
||||
new file mode 100644
|
||||
index 0000000..a6ecf45
|
||||
--- /dev/null
|
||||
+++ b/cavstest-kdf.c
|
||||
@@ -0,0 +1,402 @@
|
||||
+/*
|
||||
+ * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
|
||||
+ *
|
||||
@ -93,6 +94,7 @@ Index: openssh-7.9p1/cavstest-kdf.c
|
||||
+#include <openssl/bn.h>
|
||||
+
|
||||
+#include "xmalloc.h"
|
||||
+#include "ssherr.h"
|
||||
+#include "sshbuf.h"
|
||||
+#include "sshkey.h"
|
||||
+#include "cipher.h"
|
||||
@ -208,6 +210,23 @@ Index: openssh-7.9p1/cavstest-kdf.c
|
||||
+ unsigned int ik_len;
|
||||
+};
|
||||
+
|
||||
+#ifdef WITH_OPENSSL
|
||||
+static int
|
||||
+kex_derive_keys_bn(struct ssh *ssh, u_char *hash, u_int hashlen,
|
||||
+ const BIGNUM *secret)
|
||||
+{
|
||||
+ struct sshbuf *shared_secret;
|
||||
+ int r;
|
||||
+
|
||||
+ if ((shared_secret = sshbuf_new()) == NULL)
|
||||
+ return SSH_ERR_ALLOC_FAIL;
|
||||
+ if ((r = sshbuf_put_bignum2(shared_secret, secret)) == 0)
|
||||
+ r = kex_derive_keys(ssh, hash, hashlen, shared_secret);
|
||||
+ sshbuf_free(shared_secret);
|
||||
+ return r;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+static int sshkdf_cavs(struct kdf_cavs *test)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
|
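Review bot: The new `kex_derive_keys_bn` helper is wrapped in `#ifdef WITH_OPENSSL`, but the `#include <openssl/bn.h>` added earlier in this patch and the `sshkdf_cavs` definition that immediately follows the helper are not guarded the same way in the context shown; if `sshkdf_cavs` calls the helper (its body continues past the hunk), a build without OpenSSL fails at link time instead of excluding the tool cleanly. Either guard the whole test driver consistently or drop the `#ifdef`, since a CAVS KDF driver that takes a `BIGNUM` cannot work without libcrypto anyway. The helper also lacks a header comment; I would add `/* Encode a BIGNUM shared secret as an mpint in a temporary sshbuf and hand it to kex_derive_keys(); the buffer is released before returning. */`. Because `kex_derive_keys` in this release appears to take an sshbuf directly, this is presumably a local stand-in for a helper upstream no longer ships — worth saying so in that comment so the next rebase knows whether it can be dropped.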
@ -4,15 +4,11 @@ disable run-time check for OpenSSL ABI by version number as that is not a
|
||||
reliable indicator of ABI changes and doesn't make much sense in a
|
||||
distribution package
|
||||
|
||||
diff --git a/openssh-7.7p1/configure.ac b/openssh-7.7p1/configure.ac
|
||||
--- openssh-7.7p1/configure.ac
|
||||
+++ openssh-7.7p1/configure.ac
|
||||
@@ -4895,16 +4895,29 @@ AC_ARG_WITH([bsd-auth],
|
||||
if test "x$withval" != "xno" ; then
|
||||
AC_DEFINE([BSD_AUTH], [1],
|
||||
[Define if you have BSD auth support])
|
||||
BSD_AUTH_MSG=yes
|
||||
fi
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 42ffd95..20a1884 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -4878,6 +4878,19 @@ AC_ARG_WITH([bsd-auth],
|
||||
]
|
||||
)
|
||||
|
||||
@ -32,33 +28,21 @@ diff --git a/openssh-7.7p1/configure.ac b/openssh-7.7p1/configure.ac
|
||||
# Where to place sshd.pid
|
||||
piddir=/var/run
|
||||
# make sure the directory exists
|
||||
if test ! -d $piddir ; then
|
||||
piddir=`eval echo ${sysconfdir}`
|
||||
case $piddir in
|
||||
NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
|
||||
esac
|
||||
diff --git a/openssh-7.7p1/entropy.c b/openssh-7.7p1/entropy.c
|
||||
--- openssh-7.7p1/entropy.c
|
||||
+++ openssh-7.7p1/entropy.c
|
||||
@@ -209,19 +209,21 @@ rexec_recv_rng_seed(Buffer *m)
|
||||
#endif /* OPENSSL_PRNG_ONLY */
|
||||
diff --git a/entropy.c b/entropy.c
|
||||
index f8b9f42..4957b23 100644
|
||||
--- a/entropy.c
|
||||
+++ b/entropy.c
|
||||
@@ -223,11 +223,13 @@ seed_rng(void)
|
||||
/* Initialise libcrypto */
|
||||
ssh_libcrypto_init();
|
||||
|
||||
void
|
||||
seed_rng(void)
|
||||
{
|
||||
#ifndef OPENSSL_PRNG_ONLY
|
||||
unsigned char buf[RANDOM_SEED_SIZE];
|
||||
#endif
|
||||
+#ifndef DISTRO_SSL
|
||||
if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER, SSLeay()))
|
||||
if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER,
|
||||
OpenSSL_version_num()))
|
||||
fatal("OpenSSL version mismatch. Built against %lx, you "
|
||||
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
|
||||
"have %lx", (u_long)OPENSSL_VERSION_NUMBER,
|
||||
OpenSSL_version_num());
|
||||
+#endif
|
||||
|
||||
#ifndef OPENSSL_PRNG_ONLY
|
||||
if (RAND_status() == 1) {
|
||||
debug3("RNG is ready, skipping seeding");
|
||||
return;
|
||||
}
|
||||
|
||||
if (seed_from_prngd(buf, sizeof(buf)) == -1)
|
||||
if (RAND_status() == 1)
|
||||
|
@ -3,23 +3,23 @@
|
||||
FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved
|
||||
algorithms.
|
||||
|
||||
Index: openssh-7.9p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/Makefile.in 2019-02-28 17:20:15.767164591 +0100
|
||||
+++ openssh-7.9p1/Makefile.in 2019-03-12 11:41:49.662894934 +0100
|
||||
@@ -102,6 +102,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index 1d2b2d9..7488595 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -103,6 +103,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
platform-pledge.o platform-tracing.o platform-misc.o
|
||||
|
||||
|
||||
+LIBSSH_OBJS += fips.o
|
||||
+
|
||||
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
||||
sshconnect.o sshconnect2.o mux.o
|
||||
|
||||
Index: openssh-7.9p1/cipher-ctr.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/cipher-ctr.c 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/cipher-ctr.c 2019-02-28 17:20:15.919165544 +0100
|
||||
diff --git a/cipher-ctr.c b/cipher-ctr.c
|
||||
index 32771f2..b66f92f 100644
|
||||
--- a/cipher-ctr.c
|
||||
+++ b/cipher-ctr.c
|
||||
@@ -27,6 +27,8 @@
|
||||
#include "xmalloc.h"
|
||||
#include "log.h"
|
||||
@ -38,20 +38,21 @@ Index: openssh-7.9p1/cipher-ctr.c
|
||||
#endif
|
||||
return (&aes_ctr);
|
||||
}
|
||||
Index: openssh-7.9p1/cipher.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/cipher.c 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/cipher.c 2019-03-12 11:41:49.662894934 +0100
|
||||
@@ -51,6 +51,8 @@
|
||||
diff --git a/cipher.c b/cipher.c
|
||||
index 25f98ba..acca752 100644
|
||||
--- a/cipher.c
|
||||
+++ b/cipher.c
|
||||
@@ -51,6 +51,9 @@
|
||||
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
|
||||
+#include "fips.h"
|
||||
+#include "log.h"
|
||||
|
||||
struct sshcipher_ctx {
|
||||
int plaintext;
|
||||
@@ -80,7 +82,7 @@ struct sshcipher {
|
||||
+
|
||||
#ifndef WITH_OPENSSL
|
||||
#define EVP_CIPHER_CTX void
|
||||
#endif
|
||||
@@ -83,7 +86,7 @@ struct sshcipher {
|
||||
#endif
|
||||
};
|
||||
|
||||
@ -60,7 +61,7 @@ Index: openssh-7.9p1/cipher.c
|
||||
#ifdef WITH_OPENSSL
|
||||
#ifndef OPENSSL_NO_DES
|
||||
{ "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
|
||||
@@ -111,8 +113,52 @@ static const struct sshcipher ciphers[]
|
||||
@@ -114,8 +117,52 @@ static const struct sshcipher ciphers[] = {
|
||||
{ NULL, 0, 0, 0, 0, 0, NULL }
|
||||
};
|
||||
|
||||
@ -113,7 +114,7 @@ Index: openssh-7.9p1/cipher.c
|
||||
/* Returns a comma-separated list of supported ciphers. */
|
||||
char *
|
||||
cipher_alg_list(char sep, int auth_only)
|
||||
@@ -121,7 +167,7 @@ cipher_alg_list(char sep, int auth_only)
|
||||
@@ -124,7 +171,7 @@ cipher_alg_list(char sep, int auth_only)
|
||||
size_t nlen, rlen = 0;
|
||||
const struct sshcipher *c;
|
||||
|
||||
@ -122,7 +123,7 @@ Index: openssh-7.9p1/cipher.c
|
||||
if ((c->flags & CFLAG_INTERNAL) != 0)
|
||||
continue;
|
||||
if (auth_only && c->auth_len == 0)
|
||||
@@ -193,7 +239,7 @@ const struct sshcipher *
|
||||
@@ -196,7 +243,7 @@ const struct sshcipher *
|
||||
cipher_by_name(const char *name)
|
||||
{
|
||||
const struct sshcipher *c;
|
||||
@ -131,10 +132,11 @@ Index: openssh-7.9p1/cipher.c
|
||||
if (strcmp(c->name, name) == 0)
|
||||
return c;
|
||||
return NULL;
|
||||
Index: openssh-7.9p1/fips.c
|
||||
===================================================================
|
||||
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
||||
+++ openssh-7.9p1/fips.c 2019-03-12 11:42:10.971006569 +0100
|
||||
diff --git a/fips.c b/fips.c
|
||||
new file mode 100644
|
||||
index 0000000..23e3876
|
||||
--- /dev/null
|
||||
+++ b/fips.c
|
||||
@@ -0,0 +1,212 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
||||
@ -348,10 +350,11 @@ Index: openssh-7.9p1/fips.c
|
||||
+ return dgst;
|
||||
+}
|
||||
+
|
||||
Index: openssh-7.9p1/fips.h
|
||||
===================================================================
|
||||
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
||||
+++ openssh-7.9p1/fips.h 2019-03-12 11:41:49.514894158 +0100
|
||||
diff --git a/fips.h b/fips.h
|
||||
new file mode 100644
|
||||
index 0000000..a115a61
|
||||
--- /dev/null
|
||||
+++ b/fips.h
|
||||
@@ -0,0 +1,44 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
||||
@ -397,11 +400,11 @@ Index: openssh-7.9p1/fips.h
|
||||
+
|
||||
+#endif
|
||||
+
|
||||
Index: openssh-7.9p1/hmac.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/hmac.c 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/hmac.c 2019-02-28 17:20:15.919165544 +0100
|
||||
@@ -144,7 +144,7 @@ hmac_test(void *key, size_t klen, void *
|
||||
diff --git a/hmac.c b/hmac.c
|
||||
index 3268887..b905a1e 100644
|
||||
--- a/hmac.c
|
||||
+++ b/hmac.c
|
||||
@@ -146,7 +146,7 @@ hmac_test(void *key, size_t klen, void *m, size_t mlen, u_char *e, size_t elen)
|
||||
size_t i;
|
||||
u_char digest[16];
|
||||
|
||||
@ -410,11 +413,11 @@ Index: openssh-7.9p1/hmac.c
|
||||
printf("ssh_hmac_start failed");
|
||||
if (ssh_hmac_init(ctx, key, klen) < 0 ||
|
||||
ssh_hmac_update(ctx, m, mlen) < 0 ||
|
||||
Index: openssh-7.9p1/kex.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/kex.c 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/kex.c 2019-02-28 17:20:15.919165544 +0100
|
||||
@@ -54,6 +54,8 @@
|
||||
diff --git a/kex.c b/kex.c
|
||||
index 49d7015..1f82c2e 100644
|
||||
--- a/kex.c
|
||||
+++ b/kex.c
|
||||
@@ -60,6 +60,8 @@
|
||||
#include "sshbuf.h"
|
||||
#include "digest.h"
|
||||
|
||||
@ -423,7 +426,7 @@ Index: openssh-7.9p1/kex.c
|
||||
/* prototype */
|
||||
static int kex_choose_conf(struct ssh *);
|
||||
static int kex_input_newkeys(int, u_int32_t, struct ssh *);
|
||||
@@ -77,7 +79,7 @@ struct kexalg {
|
||||
@@ -83,7 +85,7 @@ struct kexalg {
|
||||
int ec_nid;
|
||||
int hash_alg;
|
||||
};
|
||||
@ -432,8 +435,8 @@ Index: openssh-7.9p1/kex.c
|
||||
#ifdef WITH_OPENSSL
|
||||
{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||
{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||
@@ -106,6 +108,47 @@ static const struct kexalg kexalgs[] = {
|
||||
{ NULL, -1, -1, -1},
|
||||
@@ -114,6 +116,47 @@ static const struct kexalg kexalgs[] = {
|
||||
{ NULL, 0, -1, -1},
|
||||
};
|
||||
|
||||
+static const struct kexalg kexalgs_fips140_2[] = {
|
||||
@ -480,7 +483,7 @@ Index: openssh-7.9p1/kex.c
|
||||
char *
|
||||
kex_alg_list(char sep)
|
||||
{
|
||||
@@ -113,7 +156,7 @@ kex_alg_list(char sep)
|
||||
@@ -121,7 +164,7 @@ kex_alg_list(char sep)
|
||||
size_t nlen, rlen = 0;
|
||||
const struct kexalg *k;
|
||||
|
||||
@ -489,7 +492,7 @@ Index: openssh-7.9p1/kex.c
|
||||
if (ret != NULL)
|
||||
ret[rlen++] = sep;
|
||||
nlen = strlen(k->name);
|
||||
@@ -133,7 +176,7 @@ kex_alg_by_name(const char *name)
|
||||
@@ -141,7 +184,7 @@ kex_alg_by_name(const char *name)
|
||||
{
|
||||
const struct kexalg *k;
|
||||
|
||||
@ -498,7 +501,7 @@ Index: openssh-7.9p1/kex.c
|
||||
if (strcmp(k->name, name) == 0)
|
||||
return k;
|
||||
}
|
||||
@@ -153,7 +196,10 @@ kex_names_valid(const char *names)
|
||||
@@ -161,7 +204,10 @@ kex_names_valid(const char *names)
|
||||
for ((p = strsep(&cp, ",")); p && *p != '\0';
|
||||
(p = strsep(&cp, ","))) {
|
||||
if (kex_alg_by_name(p) == NULL) {
|
||||
@ -509,11 +512,11 @@ Index: openssh-7.9p1/kex.c
|
||||
free(s);
|
||||
return 0;
|
||||
}
|
||||
Index: openssh-7.9p1/mac.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/mac.c 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/mac.c 2019-02-28 17:20:15.923165569 +0100
|
||||
@@ -40,6 +40,9 @@
|
||||
diff --git a/mac.c b/mac.c
|
||||
index f3dda66..90d71c8 100644
|
||||
--- a/mac.c
|
||||
+++ b/mac.c
|
||||
@@ -41,6 +41,9 @@
|
||||
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
|
||||
@ -523,7 +526,7 @@ Index: openssh-7.9p1/mac.c
|
||||
#define SSH_DIGEST 1 /* SSH_DIGEST_XXX */
|
||||
#define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */
|
||||
#define SSH_UMAC128 3
|
||||
@@ -54,7 +57,7 @@ struct macalg {
|
||||
@@ -55,7 +58,7 @@ struct macalg {
|
||||
int etm; /* Encrypt-then-MAC */
|
||||
};
|
||||
|
||||
@ -532,7 +535,7 @@ Index: openssh-7.9p1/mac.c
|
||||
/* Encrypt-and-MAC (encrypt-and-authenticate) variants */
|
||||
{ "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },
|
||||
{ "hmac-sha1-96", SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 },
|
||||
@@ -82,6 +85,41 @@ static const struct macalg macs[] = {
|
||||
@@ -79,6 +82,41 @@ static const struct macalg macs[] = {
|
||||
{ NULL, 0, 0, 0, 0, 0, 0 }
|
||||
};
|
||||
|
||||
@ -574,7 +577,7 @@ Index: openssh-7.9p1/mac.c
|
||||
/* Returns a list of supported MACs separated by the specified char. */
|
||||
char *
|
||||
mac_alg_list(char sep)
|
||||
@@ -90,7 +128,7 @@ mac_alg_list(char sep)
|
||||
@@ -87,7 +125,7 @@ mac_alg_list(char sep)
|
||||
size_t nlen, rlen = 0;
|
||||
const struct macalg *m;
|
||||
|
||||
@ -583,7 +586,7 @@ Index: openssh-7.9p1/mac.c
|
||||
if (ret != NULL)
|
||||
ret[rlen++] = sep;
|
||||
nlen = strlen(m->name);
|
||||
@@ -129,7 +167,7 @@ mac_setup(struct sshmac *mac, char *name
|
||||
@@ -126,7 +164,7 @@ mac_setup(struct sshmac *mac, char *name)
|
||||
{
|
||||
const struct macalg *m;
|
||||
|
||||
@ -592,11 +595,11 @@ Index: openssh-7.9p1/mac.c
|
||||
if (strcmp(name, m->name) != 0)
|
||||
continue;
|
||||
if (mac != NULL)
|
||||
Index: openssh-7.9p1/myproposal.h
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/myproposal.h 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/myproposal.h 2019-02-28 17:20:15.923165569 +0100
|
||||
@@ -151,6 +151,8 @@
|
||||
diff --git a/myproposal.h b/myproposal.h
|
||||
index 34bd10c..e6be484 100644
|
||||
--- a/myproposal.h
|
||||
+++ b/myproposal.h
|
||||
@@ -144,6 +144,8 @@
|
||||
|
||||
#else /* WITH_OPENSSL */
|
||||
|
||||
@ -605,10 +608,10 @@ Index: openssh-7.9p1/myproposal.h
|
||||
#define KEX_SERVER_KEX \
|
||||
"curve25519-sha256," \
|
||||
"curve25519-sha256@libssh.org"
|
||||
Index: openssh-7.9p1/readconf.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/readconf.c 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/readconf.c 2019-02-28 20:20:19.619112418 +0100
|
||||
diff --git a/readconf.c b/readconf.c
|
||||
index f78b4d6..228f481 100644
|
||||
--- a/readconf.c
|
||||
+++ b/readconf.c
|
||||
@@ -68,6 +68,8 @@
|
||||
#include "myproposal.h"
|
||||
#include "digest.h"
|
||||
@ -618,7 +621,7 @@ Index: openssh-7.9p1/readconf.c
|
||||
/* Format of the configuration file:
|
||||
|
||||
# Configuration data is parsed as follows:
|
||||
@@ -1816,6 +1818,23 @@ option_clear_or_none(const char *o)
|
||||
@@ -1837,6 +1839,23 @@ option_clear_or_none(const char *o)
|
||||
return o == NULL || strcasecmp(o, "none") == 0;
|
||||
}
|
||||
|
||||
@ -642,7 +645,7 @@ Index: openssh-7.9p1/readconf.c
|
||||
/*
|
||||
* Initializes options to special values that indicate that they have not yet
|
||||
* been set. Read_config_file will only set options with this value. Options
|
||||
@@ -2095,6 +2114,8 @@ fill_default_options(Options * options)
|
||||
@@ -2116,6 +2135,8 @@ fill_default_options(Options * options)
|
||||
options->canonicalize_hostname = SSH_CANONICALISE_NO;
|
||||
if (options->fingerprint_hash == -1)
|
||||
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||
@ -651,7 +654,7 @@ Index: openssh-7.9p1/readconf.c
|
||||
if (options->update_hostkeys == -1)
|
||||
options->update_hostkeys = 0;
|
||||
|
||||
@@ -2122,6 +2143,7 @@ fill_default_options(Options * options)
|
||||
@@ -2143,6 +2164,7 @@ fill_default_options(Options * options)
|
||||
free(all_kex);
|
||||
free(all_key);
|
||||
free(all_sig);
|
||||
@ -659,10 +662,10 @@ Index: openssh-7.9p1/readconf.c
|
||||
|
||||
#define CLEAR_ON_NONE(v) \
|
||||
do { \
|
||||
Index: openssh-7.9p1/readconf.h
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/readconf.h 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/readconf.h 2019-02-28 17:20:15.923165569 +0100
|
||||
diff --git a/readconf.h b/readconf.h
|
||||
index 8e36bf3..67111e9 100644
|
||||
--- a/readconf.h
|
||||
+++ b/readconf.h
|
||||
@@ -197,6 +197,7 @@ typedef struct {
|
||||
#define SSH_STRICT_HOSTKEY_YES 2
|
||||
#define SSH_STRICT_HOSTKEY_ASK 3
|
||||
@ -671,10 +674,10 @@ Index: openssh-7.9p1/readconf.h
|
||||
void initialize_options(Options *);
|
||||
void fill_default_options(Options *);
|
||||
void fill_default_options_for_canonicalization(Options *);
|
||||
Index: openssh-7.9p1/servconf.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/servconf.c 2019-02-28 17:20:15.851165117 +0100
|
||||
+++ openssh-7.9p1/servconf.c 2019-02-28 17:20:15.923165569 +0100
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index f58fecb..a8833a9 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -64,6 +64,7 @@
|
||||
#include "auth.h"
|
||||
#include "myproposal.h"
|
||||
@ -716,7 +719,7 @@ Index: openssh-7.9p1/servconf.c
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -410,6 +430,8 @@ fill_default_server_options(ServerOption
|
||||
@@ -424,6 +444,8 @@ fill_default_server_options(ServerOptions *options)
|
||||
options->fwd_opts.streamlocal_bind_unlink = 0;
|
||||
if (options->fingerprint_hash == -1)
|
||||
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||
@ -725,20 +728,20 @@ Index: openssh-7.9p1/servconf.c
|
||||
if (options->disable_forwarding == -1)
|
||||
options->disable_forwarding = 0;
|
||||
if (options->expose_userauth_info == -1)
|
||||
Index: openssh-7.9p1/ssh-keygen.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/ssh-keygen.c 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/ssh-keygen.c 2019-02-28 17:20:15.923165569 +0100
|
||||
@@ -61,6 +61,8 @@
|
||||
#include "utf8.h"
|
||||
diff --git a/ssh-keygen.c b/ssh-keygen.c
|
||||
index 8c829ca..da63fb0 100644
|
||||
--- a/ssh-keygen.c
|
||||
+++ b/ssh-keygen.c
|
||||
@@ -64,6 +64,8 @@
|
||||
#include "authfd.h"
|
||||
#include "sshsig.h"
|
||||
|
||||
+#include "fips.h"
|
||||
+
|
||||
#ifdef WITH_OPENSSL
|
||||
# define DEFAULT_KEY_TYPE_NAME "rsa"
|
||||
#else
|
||||
@@ -996,11 +998,13 @@ do_fingerprint(struct passwd *pw)
|
||||
@@ -1002,11 +1004,13 @@ do_fingerprint(struct passwd *pw)
|
||||
static void
|
||||
do_gen_all_hostkeys(struct passwd *pw)
|
||||
{
|
||||
@ -754,7 +757,7 @@ Index: openssh-7.9p1/ssh-keygen.c
|
||||
#ifdef WITH_OPENSSL
|
||||
{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
|
||||
{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
|
||||
@@ -1015,6 +1019,17 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||
@@ -1021,6 +1025,17 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||
{ NULL, NULL, NULL }
|
||||
};
|
||||
|
||||
@ -769,10 +772,10 @@ Index: openssh-7.9p1/ssh-keygen.c
|
||||
+ };
|
||||
+
|
||||
+ struct Key_types *key_types;
|
||||
u_int32_t bits = 0;
|
||||
int first = 0;
|
||||
struct stat st;
|
||||
struct sshkey *private, *public;
|
||||
@@ -1022,6 +1037,12 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||
@@ -1029,6 +1044,12 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||
int i, type, fd, r;
|
||||
FILE *f;
|
||||
|
||||
@ -785,7 +788,7 @@ Index: openssh-7.9p1/ssh-keygen.c
|
||||
for (i = 0; key_types[i].key_type; i++) {
|
||||
public = private = NULL;
|
||||
prv_tmp = pub_tmp = prv_file = pub_file = NULL;
|
||||
@@ -2817,6 +2838,15 @@ main(int argc, char **argv)
|
||||
@@ -3215,6 +3236,15 @@ main(int argc, char **argv)
|
||||
key_type_name = DEFAULT_KEY_TYPE_NAME;
|
||||
|
||||
type = sshkey_type_from_name(key_type_name);
|
||||
@ -801,35 +804,11 @@ Index: openssh-7.9p1/ssh-keygen.c
|
||||
type_bits_valid(type, key_type_name, &bits);
|
||||
|
||||
if (!quiet)
|
||||
Index: openssh-7.9p1/ssh_config.0
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/ssh_config.0 2018-10-19 03:06:19.000000000 +0200
|
||||
+++ openssh-7.9p1/ssh_config.0 2019-02-28 17:20:15.923165569 +0100
|
||||
@@ -353,6 +353,9 @@ DESCRIPTION
|
||||
Specifies the hash algorithm used when displaying key
|
||||
fingerprints. Valid options are: md5 and sha256 (the default).
|
||||
|
||||
+ In the FIPS mode the minimum of SHA-1 is enforced (which means
|
||||
+ sha256).
|
||||
+
|
||||
ForwardAgent
|
||||
Specifies whether the connection to the authentication agent (if
|
||||
any) will be forwarded to the remote machine. The argument must
|
||||
@@ -610,6 +613,9 @@ DESCRIPTION
|
||||
The list of available key exchange algorithms may also be
|
||||
obtained using "ssh -Q kex".
|
||||
|
||||
+ In the FIPS mode the FIPS standard takes precedence over RFC and
|
||||
+ forces the minimum to a higher value, currently 2048 bits.
|
||||
+
|
||||
LocalCommand
|
||||
Specifies a command to execute on the local machine after
|
||||
successfully connecting to the server. The command string
|
||||
Index: openssh-7.9p1/ssh_config.5
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/ssh_config.5 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/ssh_config.5 2019-02-28 17:20:15.923165569 +0100
|
||||
@@ -642,6 +642,8 @@ Valid options are:
|
||||
diff --git a/ssh_config.5 b/ssh_config.5
|
||||
index 02a8789..f0cb291 100644
|
||||
--- a/ssh_config.5
|
||||
+++ b/ssh_config.5
|
||||
@@ -664,6 +664,8 @@ Valid options are:
|
||||
and
|
||||
.Cm sha256
|
||||
(the default).
|
||||
@ -838,11 +817,11 @@ Index: openssh-7.9p1/ssh_config.5
|
||||
.It Cm ForwardAgent
|
||||
Specifies whether the connection to the authentication agent (if any)
|
||||
will be forwarded to the remote machine.
|
||||
Index: openssh-7.9p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/sshd.c 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/sshd.c 2019-03-12 11:41:49.514894158 +0100
|
||||
@@ -123,6 +123,8 @@
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index 6b55ef7..c8086cd 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -127,6 +127,8 @@
|
||||
#include "version.h"
|
||||
#include "ssherr.h"
|
||||
|
||||
@ -851,35 +830,11 @@ Index: openssh-7.9p1/sshd.c
|
||||
/* Re-exec fds */
|
||||
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
|
||||
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
|
||||
Index: openssh-7.9p1/sshd_config.0
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/sshd_config.0 2019-02-28 17:20:15.851165117 +0100
|
||||
+++ openssh-7.9p1/sshd_config.0 2019-02-28 17:20:15.927165594 +0100
|
||||
@@ -348,6 +348,9 @@ DESCRIPTION
|
||||
Specifies the hash algorithm used when logging key fingerprints.
|
||||
Valid options are: md5 and sha256. The default is sha256.
|
||||
|
||||
+ In the FIPS mode the minimum of SHA-1 is enforced (which means
|
||||
+ sha256).
|
||||
+
|
||||
ForceCommand
|
||||
Forces the execution of the command specified by ForceCommand,
|
||||
ignoring any command supplied by the client and ~/.ssh/rc if
|
||||
@@ -555,6 +558,9 @@ DESCRIPTION
|
||||
The list of available key exchange algorithms may also be
|
||||
obtained using "ssh -Q kex".
|
||||
|
||||
+ In the FIPS mode the FIPS standard takes precedence over RFC and
|
||||
+ forces the minimum to a higher value, currently 2048 bits.
|
||||
+
|
||||
ListenAddress
|
||||
Specifies the local addresses sshd(8) should listen on. The
|
||||
following forms may be used:
|
||||
Index: openssh-7.9p1/sshd_config.5
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/sshd_config.5 2019-02-28 17:20:15.851165117 +0100
|
||||
+++ openssh-7.9p1/sshd_config.5 2019-02-28 17:20:15.927165594 +0100
|
||||
@@ -603,6 +603,8 @@ and
|
||||
diff --git a/sshd_config.5 b/sshd_config.5
|
||||
index 0707b47..8818ea5 100644
|
||||
--- a/sshd_config.5
|
||||
+++ b/sshd_config.5
|
||||
@@ -605,6 +605,8 @@ and
|
||||
.Cm sha256 .
|
||||
The default is
|
||||
.Cm sha256 .
|
||||
|
@ -14,10 +14,11 @@
|
||||
# file is not found (or the hash matches), proceed in non-FIPS mode and abort
|
||||
# otherwise.
|
||||
|
||||
Index: openssh-7.9p1/fips-check.c
|
||||
===================================================================
|
||||
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
||||
+++ openssh-7.9p1/fips-check.c 2019-03-12 11:42:19.299050200 +0100
|
||||
diff --git a/fips-check.c b/fips-check.c
|
||||
new file mode 100644
|
||||
index 0000000..eceb031
|
||||
--- /dev/null
|
||||
+++ b/fips-check.c
|
||||
@@ -0,0 +1,34 @@
|
||||
+#include "includes.h"
|
||||
+#include <fcntl.h>
|
||||
@ -53,10 +54,10 @@ Index: openssh-7.9p1/fips-check.c
|
||||
+ fips_ssh_init();
|
||||
+ return 0;
|
||||
+}
|
||||
Index: openssh-7.9p1/fips.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/fips.c 2019-03-12 11:42:19.299050200 +0100
|
||||
+++ openssh-7.9p1/fips.c 2019-03-12 11:43:02.363275819 +0100
|
||||
diff --git a/fips.c b/fips.c
|
||||
index 23e3876..297ae99 100644
|
||||
--- a/fips.c
|
||||
+++ b/fips.c
|
||||
@@ -35,30 +35,293 @@
|
||||
#include "log.h"
|
||||
#include "xmalloc.h"
|
||||
@ -245,9 +246,7 @@ Index: openssh-7.9p1/fips.c
|
||||
{
|
||||
int fips_required = 0;
|
||||
- char *env = getenv(SSH_FORCE_FIPS_ENV);
|
||||
+ int fips_fd;
|
||||
+ char fips_sys = 0;
|
||||
|
||||
-
|
||||
- if (env) {
|
||||
- errno = 0;
|
||||
- fips_required = strtol(env, NULL, 10);
|
||||
@ -257,6 +256,9 @@ Index: openssh-7.9p1/fips.c
|
||||
- fips_required = 0;
|
||||
- } else
|
||||
- fips_required = 1;
|
||||
+ int fips_fd;
|
||||
+ char fips_sys = 0;
|
||||
+
|
||||
+ struct stat dummy;
|
||||
+ if (-1 == stat(FIPS_PROC_PATH, &dummy)) {
|
||||
+ switch (errno) {
|
||||
@ -362,10 +364,10 @@ Index: openssh-7.9p1/fips.c
|
||||
int
|
||||
fips_mode(void)
|
||||
{
|
||||
Index: openssh-7.9p1/fips.h
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/fips.h 2019-03-12 11:42:13.819021490 +0100
|
||||
+++ openssh-7.9p1/fips.h 2019-03-12 11:42:19.303050221 +0100
|
||||
diff --git a/fips.h b/fips.h
|
||||
index a115a61..3404684 100644
|
||||
--- a/fips.h
|
||||
+++ b/fips.h
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
||||
@ -402,38 +404,38 @@ Index: openssh-7.9p1/fips.h
|
||||
int fips_mode(void);
|
||||
int fips_correct_dgst(int);
|
||||
int fips_dgst_min(void);
|
||||
@@ -41,4 +56,3 @@ enum fp_type fips_correct_fp_type(enum
|
||||
@@ -41,4 +56,3 @@ enum fp_type fips_correct_fp_type(enum fp_type);
|
||||
int fips_filter_crypto(char **, fips_filters);
|
||||
|
||||
#endif
|
||||
-
|
||||
Index: openssh-7.9p1/sftp-server.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/sftp-server.c 2019-03-12 11:42:13.819021490 +0100
|
||||
+++ openssh-7.9p1/sftp-server.c 2019-03-12 11:42:19.303050221 +0100
|
||||
@@ -51,6 +51,8 @@
|
||||
#include "sftp.h"
|
||||
#include "sftp-common.h"
|
||||
diff --git a/sftp-server.c b/sftp-server.c
|
||||
index b133cbc..c3086b6 100644
|
||||
--- a/sftp-server.c
|
||||
+++ b/sftp-server.c
|
||||
@@ -53,6 +53,8 @@
|
||||
|
||||
char *sftp_realpath(const char *, char *); /* sftp-realpath.c */
|
||||
|
||||
+#include "fips.h"
|
||||
+
|
||||
/* Our verbosity */
|
||||
static LogLevel log_level = SYSLOG_LEVEL_ERROR;
|
||||
|
||||
@@ -1509,6 +1511,9 @@ sftp_server_main(int argc, char **argv,
|
||||
@@ -1595,6 +1597,9 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
|
||||
extern char *optarg;
|
||||
extern char *__progname;
|
||||
|
||||
+ /* initialize fips */
|
||||
+ fips_ssh_init();
|
||||
+
|
||||
ssh_malloc_init(); /* must be called before any mallocs */
|
||||
__progname = ssh_get_progname(argv[0]);
|
||||
log_init(__progname, log_level, log_facility, log_stderr);
|
||||
Index: openssh-7.9p1/ssh.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/ssh.c 2019-03-12 11:42:13.823021511 +0100
|
||||
+++ openssh-7.9p1/ssh.c 2019-03-12 11:42:19.303050221 +0100
|
||||
|
||||
diff --git a/ssh.c b/ssh.c
|
||||
index ee51823..882d1da 100644
|
||||
--- a/ssh.c
|
||||
+++ b/ssh.c
|
||||
@@ -113,6 +113,8 @@
|
||||
#include "ssh-pkcs11.h"
|
||||
#endif
|
||||
@ -443,29 +445,29 @@ Index: openssh-7.9p1/ssh.c
|
||||
extern char *__progname;
|
||||
|
||||
/* Saves a copy of argv for setproctitle emulation */
|
||||
@@ -593,6 +595,10 @@ main(int ac, char **av)
|
||||
@@ -596,6 +598,10 @@ main(int ac, char **av)
|
||||
struct ssh_digest_ctx *md;
|
||||
u_char conn_hash[SSH_DIGEST_MAX_LENGTH];
|
||||
|
||||
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
|
||||
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
|
||||
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
|
||||
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
|
||||
+ fips_ssh_init();
|
||||
+
|
||||
ssh_malloc_init(); /* must be called before any mallocs */
|
||||
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
|
||||
sanitise_stdfd();
|
||||
Index: openssh-7.9p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/sshd.c 2019-03-12 11:42:13.823021511 +0100
|
||||
+++ openssh-7.9p1/sshd.c 2019-03-12 11:42:19.303050221 +0100
|
||||
@@ -1485,6 +1485,10 @@ main(int ac, char **av)
|
||||
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index c8086cd..bb20eec 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -1443,6 +1443,10 @@ main(int ac, char **av)
|
||||
Authctxt *authctxt;
|
||||
struct connection_info *connection_info = NULL;
|
||||
|
||||
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
|
||||
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
|
||||
+ /* initialize fips - can go before ssh_malloc_init(), since that is a
|
||||
+ * OpenBSD-only thing (as of OpenSSH 7.6p1) */
|
||||
+ fips_ssh_init();
|
||||
+
|
||||
ssh_malloc_init(); /* must be called before any mallocs */
|
||||
|
||||
#ifdef HAVE_SECUREWARE
|
||||
(void)set_auth_parameters(ac, av);
|
||||
#endif
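Review bot: In ssh.c the new `fips_ssh_init();` call is placed ahead of `sanitise_stdfd();` (the call whose comment promises "fds 0, 1 and 2 are open or directed to /dev/null"), and in sftp-server.c ahead of `log_init(...)`, while the fips.c part of this same patch shows the initializer stat()-ing FIPS_PROC_PATH and keeping an `int fips_fd`. If the binary is started with a standard descriptor closed, whatever fips_ssh_init opens can land on fd 0–2 and any `error()`/`fatal()` it raises goes through the not-yet-configured logger, so a FIPS self-check failure may be reported to the wrong place or not at all; presumably the fd is closed again inside fips_ssh_init, but that is not visible here. I would move the call below `sanitise_stdfd();` in ssh.c (and its counterpart in sshd.c, if the ordering there is the same), or at least extend the comment to state that fips_ssh_init() must not depend on fds 0–2 or on log_init(); the "(as of OpenSSH 7.6p1)" remark in that comment is also stale now that the patch is carried against 8.1p1. main() in both files begins and ends outside the hunk, and the comment block appears twice only because the rendered page dropped the outer +/- markers.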
|
||||
|
@ -5,11 +5,11 @@ handle hostname changes when forwarding X
|
||||
|
||||
bnc#98627
|
||||
|
||||
Index: openssh-7.8p1/session.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/session.c
|
||||
+++ openssh-7.8p1/session.c
|
||||
@@ -1009,7 +1009,7 @@ copy_environment(char **source, char ***
|
||||
diff --git a/session.c b/session.c
|
||||
index 94d7438..d81060c 100644
|
||||
--- a/session.c
|
||||
+++ b/session.c
|
||||
@@ -981,7 +981,7 @@ copy_environment(char **source, char ***env, u_int *envsize)
|
||||
}
|
||||
|
||||
static char **
|
||||
@ -18,7 +18,7 @@ Index: openssh-7.8p1/session.c
|
||||
{
|
||||
char buf[256];
|
||||
size_t n;
|
||||
@@ -1213,6 +1213,8 @@ do_setup_env(struct ssh *ssh, Session *s
|
||||
@@ -1191,6 +1191,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
|
||||
for (i = 0; env[i]; i++)
|
||||
fprintf(stderr, " %.200s\n", env[i]);
|
||||
}
|
||||
@ -27,7 +27,7 @@ Index: openssh-7.8p1/session.c
|
||||
return env;
|
||||
}
|
||||
|
||||
@@ -1221,7 +1223,7 @@ do_setup_env(struct ssh *ssh, Session *s
|
||||
@@ -1199,7 +1201,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
|
||||
* first in this order).
|
||||
*/
|
||||
static void
|
||||
@ -36,7 +36,7 @@ Index: openssh-7.8p1/session.c
|
||||
{
|
||||
FILE *f = NULL;
|
||||
char cmd[1024];
|
||||
@@ -1276,12 +1278,20 @@ do_rc_files(struct ssh *ssh, Session *s,
|
||||
@@ -1254,12 +1256,20 @@ do_rc_files(struct ssh *ssh, Session *s, const char *shell)
|
||||
options.xauth_location);
|
||||
f = popen(cmd, "w");
|
||||
if (f) {
|
||||
@ -57,15 +57,15 @@ Index: openssh-7.8p1/session.c
|
||||
} else {
|
||||
fprintf(stderr, "Could not run %s\n",
|
||||
cmd);
|
||||
@@ -1534,6 +1544,7 @@ do_child(struct ssh *ssh, Session *s, co
|
||||
{
|
||||
extern char **environ;
|
||||
char **env;
|
||||
+ int env_size;
|
||||
char *argv[ARGV_MAX];
|
||||
@@ -1515,6 +1525,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
|
||||
char **env, *argv[ARGV_MAX], remote_id[512];
|
||||
const char *shell, *shell0;
|
||||
struct passwd *pw = s->pw;
|
||||
@@ -1591,7 +1602,7 @@ do_child(struct ssh *ssh, Session *s, co
|
||||
+ int env_size;
|
||||
int r = 0;
|
||||
|
||||
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
|
||||
@@ -1571,7 +1582,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
|
||||
* Make sure $SHELL points to the shell from the password file,
|
||||
* even if shell is overridden from login.conf
|
||||
*/
|
||||
@ -74,7 +74,7 @@ Index: openssh-7.8p1/session.c
|
||||
|
||||
#ifdef HAVE_LOGIN_CAP
|
||||
shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
|
||||
@@ -1655,7 +1666,7 @@ do_child(struct ssh *ssh, Session *s, co
|
||||
@@ -1635,7 +1646,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
|
||||
|
||||
closefrom(STDERR_FILENO + 1);
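Review bot: `int env_size;` at its rebased position in do_child (now between `struct passwd *pw = s->pw;` and `int r = 0;`) has no initializer and no comment, and nothing in this hunk shows where it is assigned, so a reader of the 8.1p1 context can no longer see that it belongs with `char **env` declared two lines earlier. Presumably it carries the capacity that accompanies `env` through the environment helpers this patch touches; I would declare it as `int env_size = 0;	/* capacity of env[]; filled in where env is built */` and keep it adjacent to the `env` declaration, so that if any path reads it before it is set the value is at least defined. do_child's body begins and ends outside the hunk, and the old and new context are both printed here because the rendered page lost the outer +/- markers.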
|
||||
|
||||
|
@ -10,10 +10,11 @@
|
||||
# internal versions. ssh-keyconverter consequently fails to link as it lacks
|
||||
# the proper flags, and libopenbsd-compat doesn't contain the b64_* functions)
|
||||
|
||||
Index: openssh-7.9p1/HOWTO.ldap-keys
|
||||
===================================================================
|
||||
diff --git a/HOWTO.ldap-keys b/HOWTO.ldap-keys
|
||||
new file mode 100644
|
||||
index 0000000..831d399
|
||||
--- /dev/null
|
||||
+++ openssh-7.9p1/HOWTO.ldap-keys
|
||||
+++ b/HOWTO.ldap-keys
|
||||
@@ -0,0 +1,108 @@
|
||||
+
|
||||
+HOW TO START
|
||||
@ -123,11 +124,11 @@ Index: openssh-7.9p1/HOWTO.ldap-keys
|
||||
+ - frederic peters.
|
||||
+ - Finlay dobbie.
|
||||
+ - Stefan Fisher.
|
||||
Index: openssh-7.9p1/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/Makefile.in
|
||||
+++ openssh-7.9p1/Makefile.in
|
||||
@@ -24,6 +24,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index 750aada..1baf5c6 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -24,6 +24,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
|
||||
SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
@ -136,7 +137,7 @@ Index: openssh-7.9p1/Makefile.in
|
||||
CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
|
||||
CAVSTEST_KDF=$(libexecdir)/cavstest-kdf
|
||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||
@@ -66,6 +68,9 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-a
|
||||
@@ -66,6 +68,9 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keys
|
||||
|
||||
TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
|
||||
|
||||
@ -146,7 +147,7 @@ Index: openssh-7.9p1/Makefile.in
|
||||
XMSS_OBJS=\
|
||||
ssh-xmss.o \
|
||||
sshkey-xmss.o \
|
||||
@@ -130,8 +135,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
|
||||
@@ -127,8 +132,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
|
||||
sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
|
||||
sandbox-solaris.o uidswap.o
|
||||
|
||||
@ -157,17 +158,17 @@ Index: openssh-7.9p1/Makefile.in
|
||||
MANTYPE = @MANTYPE@
|
||||
|
||||
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
|
||||
@@ -206,6 +211,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
|
||||
@@ -208,6 +213,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
|
||||
+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
+
|
||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
|
||||
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-realpath.o sftp-server-main.o
|
||||
$(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
@@ -361,6 +369,10 @@ install-files:
|
||||
@@ -363,6 +371,10 @@ install-files:
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
|
||||
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||
@ -178,7 +179,7 @@ Index: openssh-7.9p1/Makefile.in
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
|
||||
@@ -379,6 +391,10 @@ install-files:
|
||||
@@ -381,6 +393,10 @@ install-files:
|
||||
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
|
||||
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
|
||||
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
|
||||
@ -189,7 +190,7 @@ Index: openssh-7.9p1/Makefile.in
|
||||
|
||||
install-sysconf:
|
||||
$(MKDIR_P) $(DESTDIR)$(sysconfdir)
|
||||
@@ -402,6 +418,13 @@ install-sysconf:
|
||||
@@ -404,6 +420,13 @@ install-sysconf:
|
||||
else \
|
||||
echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
|
||||
fi
|
||||
@ -203,7 +204,7 @@ Index: openssh-7.9p1/Makefile.in
|
||||
|
||||
host-key: ssh-keygen$(EXEEXT)
|
||||
@if [ -z "$(DESTDIR)" ] ; then \
|
||||
@@ -439,6 +462,8 @@ uninstall:
|
||||
@@ -441,6 +464,8 @@ uninstall:
|
||||
-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||
@ -212,7 +213,7 @@ Index: openssh-7.9p1/Makefile.in
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
|
||||
@@ -450,6 +475,7 @@ uninstall:
|
||||
@@ -452,6 +477,7 @@ uninstall:
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
|
||||
@ -220,11 +221,11 @@ Index: openssh-7.9p1/Makefile.in
|
||||
|
||||
regress-prep:
|
||||
$(MKDIR_P) `pwd`/regress/unittests/test_helper
|
||||
Index: openssh-7.9p1/configure.ac
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/configure.ac
|
||||
+++ openssh-7.9p1/configure.ac
|
||||
@@ -1671,6 +1671,106 @@ AC_ARG_WITH([audit],
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 20a1884..ff9c11a 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -1651,6 +1651,106 @@ AC_ARG_WITH([audit],
|
||||
esac ]
|
||||
)
|
||||
|
||||
@ -331,10 +332,11 @@ Index: openssh-7.9p1/configure.ac
|
||||
AC_ARG_WITH([pie],
|
||||
[ --with-pie Build Position Independent Executables if possible], [
|
||||
if test "x$withval" = "xno"; then
|
||||
Index: openssh-7.9p1/ldap-helper.c
|
||||
===================================================================
|
||||
diff --git a/ldap-helper.c b/ldap-helper.c
|
||||
new file mode 100644
|
||||
index 0000000..0efff1f
|
||||
--- /dev/null
|
||||
+++ openssh-7.9p1/ldap-helper.c
|
||||
+++ b/ldap-helper.c
|
||||
@@ -0,0 +1,155 @@
|
||||
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -491,10 +493,11 @@ Index: openssh-7.9p1/ldap-helper.c
|
||||
+void *buffer_get_string(struct sshbuf *b, u_int *l) { return NULL; }
|
||||
+void buffer_put_string(struct sshbuf *b, const void *f, u_int l) {}
|
||||
+
|
||||
Index: openssh-7.9p1/ldap-helper.h
|
||||
===================================================================
|
||||
diff --git a/ldap-helper.h b/ldap-helper.h
|
||||
new file mode 100644
|
||||
index 0000000..14cb29a
|
||||
--- /dev/null
|
||||
+++ openssh-7.9p1/ldap-helper.h
|
||||
+++ b/ldap-helper.h
|
||||
@@ -0,0 +1,32 @@
|
||||
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -528,10 +531,11 @@ Index: openssh-7.9p1/ldap-helper.h
|
||||
+extern int config_warning_config_file;
|
||||
+
|
||||
+#endif /* LDAP_HELPER_H */
|
||||
Index: openssh-7.9p1/ldap.conf
|
||||
===================================================================
|
||||
diff --git a/ldap.conf b/ldap.conf
|
||||
new file mode 100644
|
||||
index 0000000..42e38d3
|
||||
--- /dev/null
|
||||
+++ openssh-7.9p1/ldap.conf
|
||||
+++ b/ldap.conf
|
||||
@@ -0,0 +1,88 @@
|
||||
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
|
||||
+#
|
||||
@ -621,10 +625,11 @@ Index: openssh-7.9p1/ldap.conf
|
||||
+#tls_cert
|
||||
+#tls_key
|
||||
+
|
||||
Index: openssh-7.9p1/ldapbody.c
|
||||
===================================================================
|
||||
diff --git a/ldapbody.c b/ldapbody.c
|
||||
new file mode 100644
|
||||
index 0000000..032cc89
|
||||
--- /dev/null
|
||||
+++ openssh-7.9p1/ldapbody.c
|
||||
+++ b/ldapbody.c
|
||||
@@ -0,0 +1,494 @@
|
||||
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1120,10 +1125,11 @@ Index: openssh-7.9p1/ldapbody.c
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
Index: openssh-7.9p1/ldapbody.h
|
||||
===================================================================
|
||||
diff --git a/ldapbody.h b/ldapbody.h
|
||||
new file mode 100644
|
||||
index 0000000..665dca2
|
||||
--- /dev/null
|
||||
+++ openssh-7.9p1/ldapbody.h
|
||||
+++ b/ldapbody.h
|
||||
@@ -0,0 +1,37 @@
|
||||
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1162,10 +1168,11 @@ Index: openssh-7.9p1/ldapbody.h
|
||||
+
|
||||
+#endif /* LDAPBODY_H */
|
||||
+
|
||||
Index: openssh-7.9p1/ldapconf.c
|
||||
===================================================================
|
||||
diff --git a/ldapconf.c b/ldapconf.c
|
||||
new file mode 100644
|
||||
index 0000000..2e22438
|
||||
--- /dev/null
|
||||
+++ openssh-7.9p1/ldapconf.c
|
||||
+++ b/ldapconf.c
|
||||
@@ -0,0 +1,711 @@
|
||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1878,10 +1885,11 @@ Index: openssh-7.9p1/ldapconf.c
|
||||
+ dump_cfg_string(lSSH_Filter, options.ssh_filter);
|
||||
+}
|
||||
+
|
||||
Index: openssh-7.9p1/ldapconf.h
|
||||
===================================================================
|
||||
diff --git a/ldapconf.h b/ldapconf.h
|
||||
new file mode 100644
|
||||
index 0000000..c2aa704
|
||||
--- /dev/null
|
||||
+++ openssh-7.9p1/ldapconf.h
|
||||
+++ b/ldapconf.h
|
||||
@@ -0,0 +1,71 @@
|
||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1954,10 +1962,11 @@ Index: openssh-7.9p1/ldapconf.h
|
||||
+void dump_config(void);
|
||||
+
|
||||
+#endif /* LDAPCONF_H */
|
||||
Index: openssh-7.9p1/ldapincludes.h
|
||||
===================================================================
|
||||
diff --git a/ldapincludes.h b/ldapincludes.h
|
||||
new file mode 100644
|
||||
index 0000000..8539bdc
|
||||
--- /dev/null
|
||||
+++ openssh-7.9p1/ldapincludes.h
|
||||
+++ b/ldapincludes.h
|
||||
@@ -0,0 +1,41 @@
|
||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -2000,10 +2009,11 @@ Index: openssh-7.9p1/ldapincludes.h
|
||||
+#endif
|
||||
+
|
||||
+#endif /* LDAPINCLUDES_H */
|
||||
Index: openssh-7.9p1/ldapmisc.c
|
||||
===================================================================
|
||||
diff --git a/ldapmisc.c b/ldapmisc.c
|
||||
new file mode 100644
|
||||
index 0000000..de23c0c
|
||||
--- /dev/null
|
||||
+++ openssh-7.9p1/ldapmisc.c
|
||||
+++ b/ldapmisc.c
|
||||
@@ -0,0 +1,79 @@
|
||||
+
|
||||
+#include "ldapincludes.h"
|
||||
@ -2084,10 +2094,11 @@ Index: openssh-7.9p1/ldapmisc.c
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
Index: openssh-7.9p1/ldapmisc.h
|
||||
===================================================================
|
||||
diff --git a/ldapmisc.h b/ldapmisc.h
|
||||
new file mode 100644
|
||||
index 0000000..4c271df
|
||||
--- /dev/null
|
||||
+++ openssh-7.9p1/ldapmisc.h
|
||||
+++ b/ldapmisc.h
|
||||
@@ -0,0 +1,35 @@
|
||||
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -2124,10 +2135,10 @@ Index: openssh-7.9p1/ldapmisc.h
|
||||
+
|
||||
+#endif /* LDAPMISC_H */
|
||||
+
|
||||
Index: openssh-7.9p1/openbsd-compat/base64.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/openbsd-compat/base64.c
|
||||
+++ openssh-7.9p1/openbsd-compat/base64.c
|
||||
diff --git a/openbsd-compat/base64.c b/openbsd-compat/base64.c
|
||||
index 9e74667..14824be 100644
|
||||
--- a/openbsd-compat/base64.c
|
||||
+++ b/openbsd-compat/base64.c
|
||||
@@ -46,7 +46,7 @@
|
||||
|
||||
#include "includes.h"
|
||||
@ -2146,7 +2157,7 @@ Index: openssh-7.9p1/openbsd-compat/base64.c
|
||||
int
|
||||
b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize)
|
||||
{
|
||||
@@ -185,7 +185,7 @@ b64_ntop(u_char const *src, size_t srcle
|
||||
@@ -185,7 +185,7 @@ b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize)
|
||||
}
|
||||
#endif /* !defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP) */
|
||||
|
||||
@ -2155,10 +2166,10 @@ Index: openssh-7.9p1/openbsd-compat/base64.c
|
||||
|
||||
/* skips all whitespace anywhere.
|
||||
converts characters, four at a time, starting at (or after)
|
||||
Index: openssh-7.9p1/openbsd-compat/base64.h
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/openbsd-compat/base64.h
|
||||
+++ openssh-7.9p1/openbsd-compat/base64.h
|
||||
diff --git a/openbsd-compat/base64.h b/openbsd-compat/base64.h
|
||||
index bd77293..e27df9a 100644
|
||||
--- a/openbsd-compat/base64.h
|
||||
+++ b/openbsd-compat/base64.h
|
||||
@@ -45,16 +45,16 @@
|
||||
|
||||
#include "includes.h"
|
||||
@ -2180,10 +2191,11 @@ Index: openssh-7.9p1/openbsd-compat/base64.h
|
||||
int b64_pton(char const *src, u_char *target, size_t targsize);
|
||||
# endif /* !HAVE_B64_PTON */
|
||||
# define __b64_pton(a,b,c) b64_pton(a,b,c)
|
||||
Index: openssh-7.9p1/openssh-lpk-openldap.schema
|
||||
===================================================================
|
||||
diff --git a/openssh-lpk-openldap.schema b/openssh-lpk-openldap.schema
|
||||
new file mode 100644
|
||||
index 0000000..c84f90f
|
||||
--- /dev/null
|
||||
+++ openssh-7.9p1/openssh-lpk-openldap.schema
|
||||
+++ b/openssh-lpk-openldap.schema
|
||||
@@ -0,0 +1,21 @@
|
||||
+#
|
||||
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
|
||||
@ -2206,10 +2218,11 @@ Index: openssh-7.9p1/openssh-lpk-openldap.schema
|
||||
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
|
||||
+ MUST ( sshPublicKey $ uid )
|
||||
+ )
|
||||
Index: openssh-7.9p1/openssh-lpk-sun.schema
|
||||
===================================================================
|
||||
diff --git a/openssh-lpk-sun.schema b/openssh-lpk-sun.schema
|
||||
new file mode 100644
|
||||
index 0000000..3136673
|
||||
--- /dev/null
|
||||
+++ openssh-7.9p1/openssh-lpk-sun.schema
|
||||
+++ b/openssh-lpk-sun.schema
|
||||
@@ -0,0 +1,23 @@
|
||||
+#
|
||||
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
|
||||
@ -2234,10 +2247,11 @@ Index: openssh-7.9p1/openssh-lpk-sun.schema
|
||||
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
|
||||
+ MUST ( sshPublicKey $ uid )
|
||||
+ )
|
||||
Index: openssh-7.9p1/ssh-ldap-helper.8
|
||||
===================================================================
|
||||
diff --git a/ssh-ldap-helper.8 b/ssh-ldap-helper.8
|
||||
new file mode 100644
|
||||
index 0000000..f8440e4
|
||||
--- /dev/null
|
||||
+++ openssh-7.9p1/ssh-ldap-helper.8
|
||||
+++ b/ssh-ldap-helper.8
|
||||
@@ -0,0 +1,79 @@
|
||||
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
|
||||
+.\"
|
||||
@ -2318,19 +2332,21 @@ Index: openssh-7.9p1/ssh-ldap-helper.8
|
||||
+OpenSSH 5.5 + PKA-LDAP .
|
||||
+.Sh AUTHORS
|
||||
+.An Jan F. Chadima Aq jchadima@redhat.com
|
||||
Index: openssh-7.9p1/ssh-ldap-wrapper
|
||||
===================================================================
|
||||
diff --git a/ssh-ldap-wrapper b/ssh-ldap-wrapper
|
||||
new file mode 100644
|
||||
index 0000000..9fdfc37
|
||||
--- /dev/null
|
||||
+++ openssh-7.9p1/ssh-ldap-wrapper
|
||||
+++ b/ssh-ldap-wrapper
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/sh
|
||||
+
|
||||
+exec @LIBEXECDIR@/ssh-ldap-helper -s "$1"
|
||||
+
|
||||
Index: openssh-7.9p1/ssh-ldap.conf.5
|
||||
===================================================================
|
||||
diff --git a/ssh-ldap.conf.5 b/ssh-ldap.conf.5
|
||||
new file mode 100644
|
||||
index 0000000..15eb03d
|
||||
--- /dev/null
|
||||
+++ openssh-7.9p1/ssh-ldap.conf.5
|
||||
+++ b/ssh-ldap.conf.5
|
||||
@@ -0,0 +1,376 @@
|
||||
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
|
||||
+.\"
|
||||
|
@ -1,36 +0,0 @@
|
||||
# HG changeset patch
|
||||
# Parent a7b18fdd68dba10349e59a9085fd822343311f45
|
||||
Patch from IBM enabling use of EP11 hw crypto accelerator, submitted upstreams:
|
||||
|
||||
From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
|
||||
To: openssh-unix-dev@mindrot.org
|
||||
Subject: [PATCH 3/3] Enable specific ioctl call for EP11 crypto card (s390)
|
||||
Date: Tue, 9 May 2017 14:27:15 -0300
|
||||
|
||||
The EP11 crypto card needs to make an ioctl call, which receives an
|
||||
specific argument. This crypto card is for s390 only.
|
||||
|
||||
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
|
||||
|
||||
diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-seccomp-filter.c
|
||||
--- openssh-7.7p1/sandbox-seccomp-filter.c
|
||||
+++ openssh-7.7p1/sandbox-seccomp-filter.c
|
||||
@@ -248,16 +248,18 @@ static const struct sock_filter preauth_
|
||||
SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
|
||||
SC_DENY(__NR_socketcall, EACCES),
|
||||
#endif
|
||||
#if defined(__NR_ioctl) && defined(__s390__)
|
||||
/* Allow ioctls for ICA crypto card on s390 */
|
||||
SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
|
||||
SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
|
||||
SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
|
||||
+ /* Allow ioctls for EP11 crypto card on s390 */
|
||||
+ SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
|
||||
#endif
|
||||
#if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
|
||||
/*
|
||||
* On Linux x32, the clock_gettime VDSO falls back to the
|
||||
* x86-64 syscall under some circumstances, e.g.
|
||||
* https://bugs.debian.org/849923
|
||||
*/
|
||||
SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
|
@ -3,25 +3,71 @@
|
||||
# extended support for (re-)seeding the OpenSSL PRNG from /dev/random
|
||||
# bnc#703221, FATE#312172
|
||||
|
||||
Index: openssh-7.8p1/entropy.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/entropy.c
|
||||
+++ openssh-7.8p1/entropy.c
|
||||
@@ -235,6 +235,9 @@ seed_rng(void)
|
||||
memset(buf, '\0', sizeof(buf));
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index 85818f4..750aada 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -182,13 +182,13 @@ libssh.a: $(LIBSSH_OBJS)
|
||||
$(RANLIB) $@
|
||||
|
||||
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
|
||||
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
|
||||
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(SSHLIBS) $(LIBS) $(GSSLIBS)
|
||||
|
||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
||||
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
||||
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
||||
|
||||
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
|
||||
- $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
|
||||
$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
@@ -197,10 +197,10 @@ ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
|
||||
$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o sshsig.o
|
||||
- $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o compat.o
|
||||
- $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
|
||||
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
@@ -209,10 +209,10 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-realpath.o sftp-server-main.o
|
||||
- $(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
|
||||
- $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
||||
+ $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
|
||||
|
||||
# FIPS tests
|
||||
cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o
|
||||
diff --git a/entropy.c b/entropy.c
|
||||
index 5de6801..f8b9f42 100644
|
||||
--- a/entropy.c
|
||||
+++ b/entropy.c
|
||||
@@ -239,6 +239,8 @@ seed_rng(void)
|
||||
}
|
||||
#endif /* OPENSSL_PRNG_ONLY */
|
||||
+
|
||||
|
||||
+ linux_seed();
|
||||
+
|
||||
if (RAND_status() != 1)
|
||||
fatal("PRNG is not seeded");
|
||||
}
|
||||
Index: openssh-7.8p1/openbsd-compat/Makefile.in
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/openbsd-compat/Makefile.in
|
||||
+++ openssh-7.8p1/openbsd-compat/Makefile.in
|
||||
@@ -90,6 +90,7 @@ COMPAT= arc4random.o \
|
||||
|
||||
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
|
||||
index 1162dc5..80fd688 100644
|
||||
--- a/openbsd-compat/Makefile.in
|
||||
+++ b/openbsd-compat/Makefile.in
|
||||
@@ -91,6 +91,7 @@ COMPAT= arc4random.o \
|
||||
PORTS= port-aix.o \
|
||||
port-irix.o \
|
||||
port-linux.o \
|
||||
@ -29,10 +75,11 @@ Index: openssh-7.8p1/openbsd-compat/Makefile.in
|
||||
port-solaris.o \
|
||||
port-net.o \
|
||||
port-uw.o
|
||||
Index: openssh-7.8p1/openbsd-compat/port-linux-prng.c
|
||||
===================================================================
|
||||
diff --git a/openbsd-compat/port-linux-prng.c b/openbsd-compat/port-linux-prng.c
|
||||
new file mode 100644
|
||||
index 0000000..dfc4bdb
|
||||
--- /dev/null
|
||||
+++ openssh-7.8p1/openbsd-compat/port-linux-prng.c
|
||||
+++ b/openbsd-compat/port-linux-prng.c
|
||||
@@ -0,0 +1,81 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2011 Jan F. Chadima <jchadima@redhat.com>
|
||||
@ -115,10 +162,10 @@ Index: openssh-7.8p1/openbsd-compat/port-linux-prng.c
|
||||
+ fatal ("EOF reading %s", rand_file);
|
||||
+ }
|
||||
+}
|
||||
Index: openssh-7.8p1/openbsd-compat/port-linux.h
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/openbsd-compat/port-linux.h
|
||||
+++ openssh-7.8p1/openbsd-compat/port-linux.h
|
||||
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
|
||||
index 3c22a85..2dc1fd0 100644
|
||||
--- a/openbsd-compat/port-linux.h
|
||||
+++ b/openbsd-compat/port-linux.h
|
||||
@@ -17,6 +17,10 @@
|
||||
#ifndef _PORT_LINUX_H
|
||||
#define _PORT_LINUX_H
|
||||
@ -130,11 +177,11 @@ Index: openssh-7.8p1/openbsd-compat/port-linux.h
|
||||
#ifdef WITH_SELINUX
|
||||
int ssh_selinux_enabled(void);
|
||||
void ssh_selinux_setup_pty(char *, const char *);
|
||||
Index: openssh-7.8p1/ssh-add.1
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/ssh-add.1
|
||||
+++ openssh-7.8p1/ssh-add.1
|
||||
@@ -172,6 +172,20 @@ to make this work.)
|
||||
diff --git a/ssh-add.1 b/ssh-add.1
|
||||
index d4e1c60..6f76900 100644
|
||||
--- a/ssh-add.1
|
||||
+++ b/ssh-add.1
|
||||
@@ -189,6 +189,20 @@ to make this work.)
|
||||
Identifies the path of a
|
||||
.Ux Ns -domain
|
||||
socket used to communicate with the agent.
|
||||
@ -155,11 +202,11 @@ Index: openssh-7.8p1/ssh-add.1
|
||||
.El
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds
|
||||
Index: openssh-7.8p1/ssh-agent.1
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/ssh-agent.1
|
||||
+++ openssh-7.8p1/ssh-agent.1
|
||||
@@ -214,6 +214,23 @@ sockets used to contain the connection t
|
||||
diff --git a/ssh-agent.1 b/ssh-agent.1
|
||||
index 83b2b41..9e187f2 100644
|
||||
--- a/ssh-agent.1
|
||||
+++ b/ssh-agent.1
|
||||
@@ -214,6 +214,23 @@ sockets used to contain the connection to the authentication agent.
|
||||
These sockets should only be readable by the owner.
|
||||
The sockets should get automatically removed when the agent exits.
|
||||
.El
|
||||
@ -183,11 +230,11 @@ Index: openssh-7.8p1/ssh-agent.1
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-add 1 ,
|
||||
Index: openssh-7.8p1/ssh-keygen.1
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/ssh-keygen.1
|
||||
+++ openssh-7.8p1/ssh-keygen.1
|
||||
@@ -869,6 +869,23 @@ Contains Diffie-Hellman groups used for
|
||||
diff --git a/ssh-keygen.1 b/ssh-keygen.1
|
||||
index 957d2f0..70c4a28 100644
|
||||
--- a/ssh-keygen.1
|
||||
+++ b/ssh-keygen.1
|
||||
@@ -1054,6 +1054,23 @@ Contains Diffie-Hellman groups used for DH-GEX.
|
||||
The file format is described in
|
||||
.Xr moduli 5 .
|
||||
.El
|
||||
@ -211,11 +258,11 @@ Index: openssh-7.8p1/ssh-keygen.1
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-add 1 ,
|
||||
Index: openssh-7.8p1/ssh-keysign.8
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/ssh-keysign.8
|
||||
+++ openssh-7.8p1/ssh-keysign.8
|
||||
@@ -80,6 +80,23 @@ must be set-uid root if host-based authe
|
||||
diff --git a/ssh-keysign.8 b/ssh-keysign.8
|
||||
index 19b0dbc..639b56e 100644
|
||||
--- a/ssh-keysign.8
|
||||
+++ b/ssh-keysign.8
|
||||
@@ -80,6 +80,23 @@ must be set-uid root if host-based authentication is used.
|
||||
If these files exist they are assumed to contain public certificate
|
||||
information corresponding with the private keys above.
|
||||
.El
|
||||
@ -239,11 +286,11 @@ Index: openssh-7.8p1/ssh-keysign.8
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-keygen 1 ,
|
||||
Index: openssh-7.8p1/ssh.1
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/ssh.1
|
||||
+++ openssh-7.8p1/ssh.1
|
||||
@@ -1432,6 +1432,20 @@ For more information, see the
|
||||
diff --git a/ssh.1 b/ssh.1
|
||||
index 424d6c3..899a339 100644
|
||||
--- a/ssh.1
|
||||
+++ b/ssh.1
|
||||
@@ -1433,6 +1433,20 @@ For more information, see the
|
||||
.Cm PermitUserEnvironment
|
||||
option in
|
||||
.Xr sshd_config 5 .
|
||||
@ -264,11 +311,11 @@ Index: openssh-7.8p1/ssh.1
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds -compact
|
||||
.It Pa ~/.rhosts
|
||||
Index: openssh-7.8p1/sshd.8
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/sshd.8
|
||||
+++ openssh-7.8p1/sshd.8
|
||||
@@ -966,6 +966,23 @@ concurrently for different ports, this c
|
||||
diff --git a/sshd.8 b/sshd.8
|
||||
index fb133c1..2f1d3ab 100644
|
||||
--- a/sshd.8
|
||||
+++ b/sshd.8
|
||||
@@ -966,6 +966,23 @@ concurrently for different ports, this contains the process ID of the one
|
||||
started last).
|
||||
The content of this file is not sensitive; it can be world-readable.
|
||||
.El
|
||||
@ -292,10 +339,10 @@ Index: openssh-7.8p1/sshd.8
|
||||
.Sh SEE ALSO
|
||||
.Xr scp 1 ,
|
||||
.Xr sftp 1 ,
|
||||
Index: openssh-7.8p1/sshd.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/sshd.c
|
||||
+++ openssh-7.8p1/sshd.c
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index bb20eec..c562094 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -55,6 +55,8 @@
|
||||
#endif
|
||||
#include "openbsd-compat/sys-tree.h"
|
||||
@ -305,7 +352,7 @@ Index: openssh-7.8p1/sshd.c
|
||||
#include <sys/wait.h>
|
||||
|
||||
#include <errno.h>
|
||||
@@ -208,6 +210,13 @@ struct {
|
||||
@@ -205,6 +207,13 @@ struct {
|
||||
int have_ssh2_key;
|
||||
} sensitive_data;
|
||||
|
||||
@ -319,8 +366,8 @@ Index: openssh-7.8p1/sshd.c
|
||||
/* This is set to true when a signal is received. */
|
||||
static volatile sig_atomic_t received_sighup = 0;
|
||||
static volatile sig_atomic_t received_sigterm = 0;
|
||||
@@ -1252,6 +1261,10 @@ server_accept_loop(int *sock_in, int *so
|
||||
startups++;
|
||||
@@ -1201,6 +1210,10 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
|
||||
startup_flags[j] = 1;
|
||||
break;
|
||||
}
|
||||
+ if(!(--re_seeding_counter)) {
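Review bot: The repeated `-lssh`/`-lopenbsd-compat` added to the link lines in the Makefile.in hunk is applied inconsistently — `ssh`, `sshd` and `ssh-keysign` get `-lssh -lopenbsd-compat -lssh`, `scp`, `ssh-keygen`, `sftp-server` and `sftp` get `-lssh -lopenbsd-compat -lssh -lopenbsd-compat`, and `ssh-add`/`ssh-agent` keep a single pass although they link the same archives. This looks like a workaround for a new circular reference between the two static archives (presumably port-linux-prng.o in libopenbsd-compat calling back into libssh for `fatal()`, judging by the `fatal ("EOF reading %s", rand_file)` line further down in the patch), which nothing in the hunk explains and which will have to be rediscovered on the next rebase. A one-line comment above the first changed rule, e.g. `# libopenbsd-compat's port-linux-prng.o references libssh symbols; the archives are listed twice so a single-pass linker resolves the cycle`, plus the same repetition on every target that actually needs it, would make the intent explicit; where GNU ld is in use, `-Wl,--start-group ... -Wl,--end-group` around the two archives would remove the order dependence entirely.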
|
||||
|
@ -3,26 +3,11 @@
|
||||
Put back sftp client diagnostic messages in batch mode
|
||||
|
||||
bsc#1023275
|
||||
|
||||
Index: openssh-7.8p1/sftp.0
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/sftp.0
|
||||
+++ openssh-7.8p1/sftp.0
|
||||
@@ -160,6 +160,9 @@ DESCRIPTION
|
||||
-p Preserves modification times, access times, and modes from the
|
||||
original files transferred.
|
||||
|
||||
+ -Q Not-so-quiet batch mode: forces printing of diagnostic messages
|
||||
+ in batch mode.
|
||||
+
|
||||
-q Quiet mode: disables the progress meter as well as warning and
|
||||
diagnostic messages from ssh(1).
|
||||
|
||||
Index: openssh-7.8p1/sftp.1
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/sftp.1
|
||||
+++ openssh-7.8p1/sftp.1
|
||||
@@ -256,6 +256,9 @@ Specifies the port to connect to on the
|
||||
diff --git a/sftp.1 b/sftp.1
|
||||
index a52c1cf..7333de8 100644
|
||||
--- a/sftp.1
|
||||
+++ b/sftp.1
|
||||
@@ -278,6 +278,9 @@ Specifies the port to connect to on the remote host.
|
||||
.It Fl p
|
||||
Preserves modification times, access times, and modes from the
|
||||
original files transferred.
|
||||
@ -32,11 +17,11 @@ Index: openssh-7.8p1/sftp.1
|
||||
.It Fl q
|
||||
Quiet mode: disables the progress meter as well as warning and
|
||||
diagnostic messages from
|
||||
Index: openssh-7.8p1/sftp.c
|
||||
===================================================================
|
||||
--- openssh-7.8p1.orig/sftp.c
|
||||
+++ openssh-7.8p1/sftp.c
|
||||
@@ -86,6 +86,9 @@ static volatile pid_t sshpid = -1;
|
||||
diff --git a/sftp.c b/sftp.c
|
||||
index b66037f..6c94a38 100644
|
||||
--- a/sftp.c
|
||||
+++ b/sftp.c
|
||||
@@ -85,6 +85,9 @@ static volatile pid_t sshpid = -1;
|
||||
/* Suppress diagnositic messages */
|
||||
int quiet = 0;
|
||||
|
||||
@ -46,16 +31,16 @@ Index: openssh-7.8p1/sftp.c
|
||||
/* This is set to 0 if the progressmeter is not desired. */
|
||||
int showprogress = 1;
|
||||
|
||||
@@ -2373,7 +2376,7 @@ main(int argc, char **argv)
|
||||
@@ -2406,7 +2409,7 @@ main(int argc, char **argv)
|
||||
infile = stdin;
|
||||
|
||||
while ((ch = getopt(argc, argv,
|
||||
- "1246afhpqrvCc:D:i:l:o:s:S:b:B:F:P:R:")) != -1) {
|
||||
+ "1246afhpQqrvCc:D:i:l:o:s:S:b:B:F:P:R:")) != -1) {
|
||||
- "1246afhpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
|
||||
+ "1246afhpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
|
||||
switch (ch) {
|
||||
/* Passed through to ssh(1) */
|
||||
case '4':
|
||||
@@ -2389,6 +2392,9 @@ main(int argc, char **argv)
|
||||
@@ -2423,6 +2426,9 @@ main(int argc, char **argv)
|
||||
addargs(&args, "-%c", ch);
|
||||
addargs(&args, "%s", optarg);
|
||||
break;
|
||||
@ -65,7 +50,7 @@ Index: openssh-7.8p1/sftp.c
|
||||
case 'q':
|
||||
ll = SYSLOG_LEVEL_ERROR;
|
||||
quiet = 1;
|
||||
@@ -2472,6 +2478,8 @@ main(int argc, char **argv)
|
||||
@@ -2506,6 +2512,8 @@ main(int argc, char **argv)
|
||||
usage();
|
||||
}
|
||||
}
|
||||
|
@ -1,33 +0,0 @@
|
||||
From 6010c0303a422a9c5fa8860c061bf7105eb7f8b2 Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Fri, 16 Nov 2018 03:03:10 +0000
|
||||
Subject: [PATCH] upstream: disallow empty incoming filename or ones that refer
|
||||
to the
|
||||
|
||||
current directory; based on report/patch from Harry Sintonen
|
||||
|
||||
OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9
|
||||
---
|
||||
scp.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/scp.c b/scp.c
|
||||
index 60682c687..4f3fdcd3d 100644
|
||||
--- a/scp.c
|
||||
+++ b/scp.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: scp.c,v 1.197 2018/06/01 04:31:48 dtucker Exp $ */
|
||||
+/* $OpenBSD: scp.c,v 1.198 2018/11/16 03:03:10 djm Exp $ */
|
||||
/*
|
||||
* scp - secure remote copy. This is basically patched BSD rcp which
|
||||
* uses ssh to do the data transfer (instead of using rcmd).
|
||||
@@ -1106,7 +1106,8 @@ sink(int argc, char **argv)
|
||||
SCREWUP("size out of range");
|
||||
size = (off_t)ull;
|
||||
|
||||
- if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
|
||||
+ if (*cp == '\0' || strchr(cp, '/') != NULL ||
|
||||
+ strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {
|
||||
run_err("error: unexpected filename: %s", cp);
|
||||
exit(1);
|
||||
}
|
@ -1,348 +0,0 @@
|
||||
From 3d896c157c722bc47adca51a58dca859225b5874 Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Sun, 10 Feb 2019 11:15:52 +0000
|
||||
Subject: [PATCH] upstream: when checking that filenames sent by the server
|
||||
side
|
||||
|
||||
match what the client requested, be prepared to handle shell-style brace
|
||||
alternations, e.g. "{foo,bar}".
|
||||
|
||||
"looks good to me" millert@ + in snaps for the last week courtesy
|
||||
deraadt@
|
||||
|
||||
OpenBSD-Commit-ID: 3b1ce7639b0b25b2248e3a30f561a548f6815f3e
|
||||
---
|
||||
scp.c | 282 +++++++++++++++++++++++++++++++++++++++++++++++++++++++---
|
||||
1 file changed, 270 insertions(+), 12 deletions(-)
|
||||
|
||||
Index: openssh-7.9p1/scp.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/scp.c
|
||||
+++ openssh-7.9p1/scp.c
|
||||
@@ -627,6 +627,253 @@ parse_scp_uri(const char *uri, char **us
|
||||
return r;
|
||||
}
|
||||
|
||||
+/* Appends a string to an array; returns 0 on success, -1 on alloc failure */
|
||||
+static int
|
||||
+append(char *cp, char ***ap, size_t *np)
|
||||
+{
|
||||
+ char **tmp;
|
||||
+
|
||||
+ if ((tmp = reallocarray(*ap, *np + 1, sizeof(*tmp))) == NULL)
|
||||
+ return -1;
|
||||
+ tmp[(*np)] = cp;
|
||||
+ (*np)++;
|
||||
+ *ap = tmp;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Finds the start and end of the first brace pair in the pattern.
|
||||
+ * returns 0 on success or -1 for invalid patterns.
|
||||
+ */
|
||||
+static int
|
||||
+find_brace(const char *pattern, int *startp, int *endp)
|
||||
+{
|
||||
+ int i;
|
||||
+ int in_bracket, brace_level;
|
||||
+
|
||||
+ *startp = *endp = -1;
|
||||
+ in_bracket = brace_level = 0;
|
||||
+ for (i = 0; i < INT_MAX && *endp < 0 && pattern[i] != '\0'; i++) {
|
||||
+ switch (pattern[i]) {
|
||||
+ case '\\':
|
||||
+ /* skip next character */
|
||||
+ if (pattern[i + 1] != '\0')
|
||||
+ i++;
|
||||
+ break;
|
||||
+ case '[':
|
||||
+ in_bracket = 1;
|
||||
+ break;
|
||||
+ case ']':
|
||||
+ in_bracket = 0;
|
||||
+ break;
|
||||
+ case '{':
|
||||
+ if (in_bracket)
|
||||
+ break;
|
||||
+ if (pattern[i + 1] == '}') {
|
||||
+ /* Protect a single {}, for find(1), like csh */
|
||||
+ i++; /* skip */
|
||||
+ break;
|
||||
+ }
|
||||
+ if (*startp == -1)
|
||||
+ *startp = i;
|
||||
+ brace_level++;
|
||||
+ break;
|
||||
+ case '}':
|
||||
+ if (in_bracket)
|
||||
+ break;
|
||||
+ if (*startp < 0) {
|
||||
+ /* Unbalanced brace */
|
||||
+ return -1;
|
||||
+ }
|
||||
+ if (--brace_level <= 0)
|
||||
+ *endp = i;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ /* unbalanced brackets/braces */
|
||||
+ if (*endp < 0 && (*startp >= 0 || in_bracket))
|
||||
+ return -1;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Assembles and records a successfully-expanded pattern, returns -1 on
|
||||
+ * alloc failure.
|
||||
+ */
|
||||
+static int
|
||||
+emit_expansion(const char *pattern, int brace_start, int brace_end,
|
||||
+ int sel_start, int sel_end, char ***patternsp, size_t *npatternsp)
|
||||
+{
|
||||
+ char *cp;
|
||||
+ int o = 0, tail_len = strlen(pattern + brace_end + 1);
|
||||
+
|
||||
+ if ((cp = malloc(brace_start + (sel_end - sel_start) +
|
||||
+ tail_len + 1)) == NULL)
|
||||
+ return -1;
|
||||
+
|
||||
+ /* Pattern before initial brace */
|
||||
+ if (brace_start > 0) {
|
||||
+ memcpy(cp, pattern, brace_start);
|
||||
+ o = brace_start;
|
||||
+ }
|
||||
+ /* Current braced selection */
|
||||
+ if (sel_end - sel_start > 0) {
|
||||
+ memcpy(cp + o, pattern + sel_start,
|
||||
+ sel_end - sel_start);
|
||||
+ o += sel_end - sel_start;
|
||||
+ }
|
||||
+ /* Remainder of pattern after closing brace */
|
||||
+ if (tail_len > 0) {
|
||||
+ memcpy(cp + o, pattern + brace_end + 1, tail_len);
|
||||
+ o += tail_len;
|
||||
+ }
|
||||
+ cp[o] = '\0';
|
||||
+ if (append(cp, patternsp, npatternsp) != 0) {
|
||||
+ free(cp);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Expand the first encountered brace in pattern, appending the expanded
|
||||
+ * patterns it yielded to the *patternsp array.
|
||||
+ *
|
||||
+ * Returns 0 on success or -1 on allocation failure.
|
||||
+ *
|
||||
+ * Signals whether expansion was performed via *expanded and whether
|
||||
+ * pattern was invalid via *invalid.
|
||||
+ */
|
||||
+static int
|
||||
+brace_expand_one(const char *pattern, char ***patternsp, size_t *npatternsp,
|
||||
+ int *expanded, int *invalid)
|
||||
+{
|
||||
+ int i;
|
||||
+ int in_bracket, brace_start, brace_end, brace_level;
|
||||
+ int sel_start, sel_end;
|
||||
+
|
||||
+ *invalid = *expanded = 0;
|
||||
+
|
||||
+ if (find_brace(pattern, &brace_start, &brace_end) != 0) {
|
||||
+ *invalid = 1;
|
||||
+ return 0;
|
||||
+ } else if (brace_start == -1)
|
||||
+ return 0;
|
||||
+
|
||||
+ in_bracket = brace_level = 0;
|
||||
+ for (i = sel_start = brace_start + 1; i < brace_end; i++) {
|
||||
+ switch (pattern[i]) {
|
||||
+ case '{':
|
||||
+ if (in_bracket)
|
||||
+ break;
|
||||
+ brace_level++;
|
||||
+ break;
|
||||
+ case '}':
|
||||
+ if (in_bracket)
|
||||
+ break;
|
||||
+ brace_level--;
|
||||
+ break;
|
||||
+ case '[':
|
||||
+ in_bracket = 1;
|
||||
+ break;
|
||||
+ case ']':
|
||||
+ in_bracket = 0;
|
||||
+ break;
|
||||
+ case '\\':
|
||||
+ if (i < brace_end - 1)
|
||||
+ i++; /* skip */
|
||||
+ break;
|
||||
+ }
|
||||
+ if (pattern[i] == ',' || i == brace_end - 1) {
|
||||
+ if (in_bracket || brace_level > 0)
|
||||
+ continue;
|
||||
+ /* End of a selection, emit an expanded pattern */
|
||||
+
|
||||
+ /* Adjust end index for last selection */
|
||||
+ sel_end = (i == brace_end - 1) ? brace_end : i;
|
||||
+ if (emit_expansion(pattern, brace_start, brace_end,
|
||||
+ sel_start, sel_end, patternsp, npatternsp) != 0)
|
||||
+ return -1;
|
||||
+ /* move on to the next selection */
|
||||
+ sel_start = i + 1;
|
||||
+ continue;
|
||||
+ }
|
||||
+ }
|
||||
+ if (in_bracket || brace_level > 0) {
|
||||
+ *invalid = 1;
|
||||
+ return 0;
|
||||
+ }
|
||||
+ /* success */
|
||||
+ *expanded = 1;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/* Expand braces from pattern. Returns 0 on success, -1 on failure */
|
||||
+static int
|
||||
+brace_expand(const char *pattern, char ***patternsp, size_t *npatternsp)
|
||||
+{
|
||||
+ char *cp, *cp2, **active = NULL, **done = NULL;
|
||||
+ size_t i, nactive = 0, ndone = 0;
|
||||
+ int ret = -1, invalid = 0, expanded = 0;
|
||||
+
|
||||
+ *patternsp = NULL;
|
||||
+ *npatternsp = 0;
|
||||
+
|
||||
+ /* Start the worklist with the original pattern */
|
||||
+ if ((cp = strdup(pattern)) == NULL)
|
||||
+ return -1;
|
||||
+ if (append(cp, &active, &nactive) != 0) {
|
||||
+ free(cp);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ while (nactive > 0) {
|
||||
+ cp = active[nactive - 1];
|
||||
+ nactive--;
|
||||
+ if (brace_expand_one(cp, &active, &nactive,
|
||||
+ &expanded, &invalid) == -1) {
|
||||
+ free(cp);
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ if (invalid)
|
||||
+ fatal("%s: invalid brace pattern \"%s\"", __func__, cp);
|
||||
+ if (expanded) {
|
||||
+ /*
|
||||
+ * Current entry expanded to new entries on the
|
||||
+ * active list; discard the progenitor pattern.
|
||||
+ */
|
||||
+ free(cp);
|
||||
+ continue;
|
||||
+ }
|
||||
+ /*
|
||||
+ * Pattern did not expand; append the finename component to
|
||||
+ * the completed list
|
||||
+ */
|
||||
+ if ((cp2 = strrchr(cp, '/')) != NULL)
|
||||
+ *cp2++ = '\0';
|
||||
+ else
|
||||
+ cp2 = cp;
|
||||
+ if (append(xstrdup(cp2), &done, &ndone) != 0) {
|
||||
+ free(cp);
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ free(cp);
|
||||
+ }
|
||||
+ /* success */
|
||||
+ *patternsp = done;
|
||||
+ *npatternsp = ndone;
|
||||
+ done = NULL;
|
||||
+ ndone = 0;
|
||||
+ ret = 0;
|
||||
+ fail:
|
||||
+ for (i = 0; i < nactive; i++)
|
||||
+ free(active[i]);
|
||||
+ free(active);
|
||||
+ for (i = 0; i < ndone; i++)
|
||||
+ free(done[i]);
|
||||
+ free(done);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
void
|
||||
toremote(int argc, char **argv)
|
||||
{
|
||||
@@ -990,7 +1237,8 @@ sink(int argc, char **argv, const char *
|
||||
unsigned long long ull;
|
||||
int setimes, targisdir, wrerrno = 0;
|
||||
char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
|
||||
- char *src_copy = NULL, *restrict_pattern = NULL;
|
||||
+ char **patterns = NULL;
|
||||
+ size_t n, npatterns = 0;
|
||||
struct timeval tv[2];
|
||||
|
||||
#define atime tv[0]
|
||||
@@ -1020,16 +1268,13 @@ sink(int argc, char **argv, const char *
|
||||
* Prepare to try to restrict incoming filenames to match
|
||||
* the requested destination file glob.
|
||||
*/
|
||||
- if ((src_copy = strdup(src)) == NULL)
|
||||
- fatal("strdup failed");
|
||||
- if ((restrict_pattern = strrchr(src_copy, '/')) != NULL) {
|
||||
- *restrict_pattern++ = '\0';
|
||||
- }
|
||||
+ if (brace_expand(src, &patterns, &npatterns) != 0)
|
||||
+ fatal("%s: could not expand pattern", __func__);
|
||||
}
|
||||
for (first = 1;; first = 0) {
|
||||
cp = buf;
|
||||
if (atomicio(read, remin, cp, 1) != 1)
|
||||
- return;
|
||||
+ goto done;
|
||||
if (*cp++ == '\n')
|
||||
SCREWUP("unexpected <newline>");
|
||||
do {
|
||||
@@ -1055,7 +1300,7 @@ sink(int argc, char **argv, const char *
|
||||
}
|
||||
if (buf[0] == 'E') {
|
||||
(void) atomicio(vwrite, remout, "", 1);
|
||||
- return;
|
||||
+ goto done;
|
||||
}
|
||||
if (ch == '\n')
|
||||
*--cp = 0;
|
||||
@@ -1130,9 +1375,14 @@ sink(int argc, char **argv, const char *
|
||||
run_err("error: unexpected filename: %s", cp);
|
||||
exit(1);
|
||||
}
|
||||
- if (restrict_pattern != NULL &&
|
||||
- fnmatch(restrict_pattern, cp, 0) != 0)
|
||||
- SCREWUP("filename does not match request");
|
||||
+ if (npatterns > 0) {
|
||||
+ for (n = 0; n < npatterns; n++) {
|
||||
+ if (fnmatch(patterns[n], cp, 0) == 0)
|
||||
+ break;
|
||||
+ }
|
||||
+ if (n >= npatterns)
|
||||
+ SCREWUP("filename does not match request");
|
||||
+ }
|
||||
if (targisdir) {
|
||||
static char *namebuf;
|
||||
static size_t cursize;
|
||||
@@ -1291,7 +1541,15 @@ bad: run_err("%s: %s", np, strerror(er
|
||||
break;
|
||||
}
|
||||
}
|
||||
+done:
|
||||
+ for (n = 0; n < npatterns; n++)
|
||||
+ free(patterns[n]);
|
||||
+ free(patterns);
|
||||
+ return;
|
||||
screwup:
|
||||
+ for (n = 0; n < npatterns; n++)
|
||||
+ free(patterns[n]);
|
||||
+ free(patterns);
|
||||
run_err("protocol error: %s", why);
|
||||
exit(1);
|
||||
}
|
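--- /dev/null
+++ b/openssh-7.9p1-keygen-preserve-perms.patch
@@ -0,0 +1,39 @@
+commit 07ffb49749c310b82e44278ae05e081d6f4a82bf
+Author: Hans Petter Jansson <hpj@cl.no>
+Date: Fri Sep 27 01:57:16 2019 +0200
+
+ssh-keygen: Preserve known_hosts permissions on rewrite
+
+Transfer the permissions of the old known_hosts file instead of
+just going with what mkstemp() gives us. This is useful in corner
+cases where known_hosts is shared between users.
+
+diff --git a/ssh-keygen.c b/ssh-keygen.c
+index 03a7fe5..ca8a309 100644
+--- a/ssh-keygen.c
++++ b/ssh-keygen.c
+@@ -1338,6 +1338,11 @@ do_known_hosts(struct passwd *pw, const char *name)
+if (inplace)
+unlink(tmp);
+} else if (inplace) {
++ struct stat st;
++
++ /* Get metadata for existing file */
++ r = stat(identity_file, &st);
++
+/* Backup existing file */
+if (unlink(old) == -1 && errno != ENOENT)
+fatal("unlink %.100s: %s", old, strerror(errno));
+@@ -1352,6 +1357,12 @@ do_known_hosts(struct passwd *pw, const char *name)
+unlink(old);
+exit(1);
+}
++ /* Preserve permissions; non-critical */
++ if (r != -1)
++ r = chown(identity_file, st.st_uid, st.st_gid);
++ if (r != -1)
++ chmod(identity_file,
++ st.st_mode & (S_IRWXU | S_IRWXG | S_IRWXO));
+
+printf("%s updated.\n", identity_file);
+printf("Original contents retained as %s\n", old);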
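Review bot: In the second hunk of the embedded ssh-keygen.c change, a chown() failure also suppresses the chmod(): `r` is overwritten with chown's result and the mode is only restored when that call succeeded. In exactly the scenario the description targets (a known_hosts file shared between users, so its owner or group is not the caller's), an unprivileged ssh-keygen will commonly get EPERM from chown, and the rewritten file then silently keeps mkstemp()'s 0600 mode — the safe direction, but the preservation the patch exists for does not happen. chown and chmod are independent; keep the stat() result in its own variable, attempt both, and report each failure at debug level instead of discarding it. `r` is also borrowed from the enclosing function, whose other uses of it lie outside the hunk, so a dedicated variable avoids clobbering a value that may be read later. The mask that drops the setuid/setgid/sticky bits is right and should stay.
```c
/* … first hunk, unchanged apart from keeping the stat() result separately … */
	int have_st = stat(identity_file, &st) != -1;
/* … unchanged: backup and rename of the rewritten file … */
	/* Preserve ownership and mode of the old file; failures are non-fatal */
	if (have_st) {
		if (chown(identity_file, st.st_uid, st.st_gid) == -1)
			debug("chown %s: %s", identity_file, strerror(errno));
		if (chmod(identity_file,
		    st.st_mode & (S_IRWXU | S_IRWXG | S_IRWXO)) == -1)
			debug("chmod %s: %s", identity_file, strerror(errno));
	}
```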
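--- /dev/null
+++ b/openssh-7.9p1-revert-new-qos-defaults.patch
@@ -0,0 +1,76 @@
+commit 101aa2f70c937abb428c9433c39ba0fd9a91fe6b
+Author: Hans Petter Jansson <hpj@cl.no>
+Date: Thu Jun 20 23:54:11 2019 +0200
+
+Revert IPQoS DSCP AF21/CS1 from upstream due to bugs in other software
+
+Reverts OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181
+
+diff --git a/readconf.c b/readconf.c
+index 24f2cb1..bbdea0d 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -2183,9 +2183,9 @@ fill_default_options(Options * options)
+if (options->visual_host_key == -1)
+options->visual_host_key = 0;
+if (options->ip_qos_interactive == -1)
+- options->ip_qos_interactive = IPTOS_DSCP_AF21;
++ options->ip_qos_interactive = IPTOS_LOWDELAY;
+if (options->ip_qos_bulk == -1)
+- options->ip_qos_bulk = IPTOS_DSCP_CS1;
++ options->ip_qos_bulk = IPTOS_THROUGHPUT;
+if (options->request_tty == -1)
+options->request_tty = REQUEST_TTY_AUTO;
+if (options->proxy_use_fdpass == -1)
+diff --git a/servconf.c b/servconf.c
+index 13cf154..766ac6b 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -445,9 +445,9 @@ fill_default_server_options(ServerOptions *options)
+if (options->permit_tun == -1)
+options->permit_tun = SSH_TUNMODE_NO;
+if (options->ip_qos_interactive == -1)
+- options->ip_qos_interactive = IPTOS_DSCP_AF21;
++ options->ip_qos_interactive = IPTOS_LOWDELAY;
+if (options->ip_qos_bulk == -1)
+- options->ip_qos_bulk = IPTOS_DSCP_CS1;
++ options->ip_qos_bulk = IPTOS_THROUGHPUT;
+if (options->version_addendum == NULL)
+options->version_addendum = xstrdup("");
+if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
+diff --git a/ssh_config.5 b/ssh_config.5
+index 3bf0502..10246f8 100644
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -1088,11 +1088,9 @@ If one argument is specified, it is used as the packet class unconditionally.
+If two values are specified, the first is automatically selected for
+interactive sessions and the second for non-interactive sessions.
+The default is
+-.Cm af21
+-(Low-Latency Data)
++.Cm lowdelay
+for interactive sessions and
+-.Cm cs1
+-(Lower Effort)
++.Cm throughput
+for non-interactive sessions.
+.It Cm KbdInteractiveAuthentication
+Specifies whether to use keyboard-interactive authentication.
+diff --git a/sshd_config.5 b/sshd_config.5
+index 50a4917..a276fcb 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -868,11 +868,9 @@ If one argument is specified, it is used as the packet class unconditionally.
+If two values are specified, the first is automatically selected for
+interactive sessions and the second for non-interactive sessions.
+The default is
+-.Cm af21
+-(Low-Latency Data)
++.Cm lowdelay
+for interactive sessions and
+-.Cm cs1
+-(Lower Effort)
++.Cm throughput
+for non-interactive sessions.
+.It Cm KbdInteractiveAuthentication
+Specifies whether to allow keyboard-interactive authentication.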
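Review bot: The patch header names neither the bug report nor the software whose "bugs" motivate reverting the AF21/CS1 defaults, and the changelog entry later on this page calls it a patch "from upstream" although the commit itself reverts an upstream OpenBSD change; a `Reverts OpenBSD-Commit-ID:` line says what was undone but not why. Add the tracker reference and one sentence naming the affected middleboxes or clients to the patch description so a maintainer can tell when the revert is safe to drop. The code itself is a straight swap of the four defaults in readconf.c and servconf.c and is consistent with the two manual page edits.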
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:6b4b3ba2253d84ed3771c8050728d597c91cfce898713beb7b64a305b6f11aad
|
||||
size 1565384
|
@ -1,14 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAlvJLhsACgkQ0+X1a22S
|
||||
DTBjHwx/T3EX3EtCzB9I6zHFUgF2/0hEKVYZw2Yl4UbUvgjy/KdEdlJzdH3Hc/yU
|
||||
jJZzraDY7nJMrCly734FbFGKsKoRkxWMkeuQGOhvpzgTYg+fOa1J0a14xK/ub9Y0
|
||||
9Z/4zP0Zs7mn+8MApMS3XOZ+AJgdRiXN9i3PXmbYO9Gcg+QthtgE1DeG0d0vVTP/
|
||||
ipCBBg8mMlAANdlu9IUCv4CJPwJjQt2aYsvCiuUQuzrKYsV5noCOBaGRbmPcN9SM
|
||||
3cvSTZgDbK3kHdL1RnBgWpcO+o+D8sqSW2rm8xpCQv/ILo86/BLBjXDCYLEt0nSn
|
||||
+dONPytwhwwJWPPYe7+RSYWHS2cKwVTDk7lr2E636SwU1fM1NiNYle9hB6cUT0nU
|
||||
sypfHOIARAMSqepnaT3WgffM0jlEWrSB0PuDLTLTO5ZPmUijqqT6xGwWSUc4GQZY
|
||||
WNyGg1w0Ryj2pRd7DlXDDivTCneXFqV7JZiR3R4ZXJJV0uVQOUitCS/DnwSDpIfp
|
||||
HlVEWeRAszQFKLKttu0/4SY2NVrRBA==
|
||||
=4Z9x
|
||||
-----END PGP SIGNATURE-----
|
3922
openssh-8.0p1-gssapi-keyex.patch
Normal file
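--- /dev/null
+++ b/openssh-8.1p1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:02f5dbef3835d0753556f973cd57b4c19b6b1f6cd24c03445e23ac77ca1b93ff
+size 1625894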
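--- /dev/null
+++ b/openssh-8.1p1.tar.gz.asc
@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAl2dLEgACgkQ0+X1a22S
+DTAcUgx7BcRCaH7fb0AeQGvIrxXlyeN3uL6HOyo8MKkryN+y9zpvpcU6T8FBjtoh
+zgjonewzodGj+C1ma0O9TgIfnUxdOVL+eQsPYgOWLJt2MzSnY/Ru+20J5ZGwGc+5
+pJcuV+xlAuwae/EL+Pk86CdQ0D6zaf9NBHGTNmrswwhT9B3UWSCbEmmc8jm0DChm
+F5+dW1nK0n6YSQ9dVUH17/ujvego5WQkOiaSxjaK29/xS39BD6jrbwfFpL3/iKru
+mWVzcNJaX5WL3ZUnyZRcIHzVpBdr2n0pLCnmqIT8LGPwI3razEbZKIDXf+q0ZA88
+wRfCL9aEVWjhG+v56c/NiM/wD3h3A4uh8fZeeeyP3hmgEv8Wp8g7fFxf5MaEJlGL
+Oy6LeH0+x/uPySxaEvy4kuo/hapX2ClM16EMCUXHPwGIYRWdbTL7rzMTaoG3thyz
+VO04LulI9Xmvadn6k3JR5mFPpIsV+LNwt3g+c+4rBWspOdTHnFqo+OO7Uk8Ee3E0
+/MeuPBtqQq9o7RkoY8wtVOqT8q9/6g==
+=mpF6
+-----END PGP SIGNATURE-----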
@ -1,110 +0,0 @@
|
||||
commit bdc6c63c80b55bcbaa66b5fde31c1cb1d09a41eb
|
||||
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
||||
Date: Thu Jan 24 16:52:17 2019 +0000
|
||||
|
||||
upstream: Have progressmeter force an update at the beginning and
|
||||
|
||||
end of each transfer. Fixes the problem recently introduces where very quick
|
||||
transfers do not display the progressmeter at all. Spotted by naddy@
|
||||
|
||||
OpenBSD-Commit-ID: 68dc46c259e8fdd4f5db3ec2a130f8e4590a7a9a
|
||||
|
||||
Index: openssh-7.9p1/progressmeter.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/progressmeter.c
|
||||
+++ openssh-7.9p1/progressmeter.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: progressmeter.c,v 1.46 2019/01/23 08:01:46 dtucker Exp $ */
|
||||
+/* $OpenBSD: progressmeter.c,v 1.47 2019/01/24 16:52:17 dtucker Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2003 Nils Nordman. All rights reserved.
|
||||
*
|
||||
@@ -59,9 +59,6 @@ static void format_rate(char *, int, off
|
||||
static void sig_winch(int);
|
||||
static void setscreensize(void);
|
||||
|
||||
-/* updates the progressmeter to reflect the current state of the transfer */
|
||||
-void refresh_progress_meter(void);
|
||||
-
|
||||
/* signal handler for updating the progress meter */
|
||||
static void sig_alarm(int);
|
||||
|
||||
@@ -120,7 +117,7 @@ format_size(char *buf, int size, off_t b
|
||||
}
|
||||
|
||||
void
|
||||
-refresh_progress_meter(void)
|
||||
+refresh_progress_meter(int force_update)
|
||||
{
|
||||
char buf[MAX_WINSIZE + 1];
|
||||
off_t transferred;
|
||||
@@ -131,7 +128,7 @@ refresh_progress_meter(void)
|
||||
int hours, minutes, seconds;
|
||||
int file_len;
|
||||
|
||||
- if ((!alarm_fired && !win_resized) || !can_output())
|
||||
+ if ((!force_update && !alarm_fired && !win_resized) || !can_output())
|
||||
return;
|
||||
alarm_fired = 0;
|
||||
|
||||
@@ -254,7 +251,7 @@ start_progress_meter(const char *f, off_
|
||||
bytes_per_second = 0;
|
||||
|
||||
setscreensize();
|
||||
- refresh_progress_meter();
|
||||
+ refresh_progress_meter(1);
|
||||
|
||||
signal(SIGALRM, sig_alarm);
|
||||
signal(SIGWINCH, sig_winch);
|
||||
@@ -271,7 +268,7 @@ stop_progress_meter(void)
|
||||
|
||||
/* Ensure we complete the progress */
|
||||
if (cur_pos != end_pos)
|
||||
- refresh_progress_meter();
|
||||
+ refresh_progress_meter(1);
|
||||
|
||||
atomicio(vwrite, STDOUT_FILENO, "\n", 1);
|
||||
}
|
||||
Index: openssh-7.9p1/progressmeter.h
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/progressmeter.h
|
||||
+++ openssh-7.9p1/progressmeter.h
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: progressmeter.h,v 1.4 2019/01/23 08:01:46 dtucker Exp $ */
|
||||
+/* $OpenBSD: progressmeter.h,v 1.5 2019/01/24 16:52:17 dtucker Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2002 Nils Nordman. All rights reserved.
|
||||
*
|
||||
@@ -24,5 +24,5 @@
|
||||
*/
|
||||
|
||||
void start_progress_meter(const char *, off_t, off_t *);
|
||||
-void refresh_progress_meter(void);
|
||||
+void refresh_progress_meter(int);
|
||||
void stop_progress_meter(void);
|
||||
Index: openssh-7.9p1/scp.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/scp.c
|
||||
+++ openssh-7.9p1/scp.c
|
||||
@@ -585,7 +585,7 @@ scpio(void *_cnt, size_t s)
|
||||
off_t *cnt = (off_t *)_cnt;
|
||||
|
||||
*cnt += s;
|
||||
- refresh_progress_meter();
|
||||
+ refresh_progress_meter(0);
|
||||
if (limit_kbps > 0)
|
||||
bandwidth_limit(&bwlimit, s);
|
||||
return 0;
|
||||
Index: openssh-7.9p1/sftp-client.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/sftp-client.c
|
||||
+++ openssh-7.9p1/sftp-client.c
|
||||
@@ -101,7 +101,7 @@ sftpio(void *_bwlimit, size_t amount)
|
||||
{
|
||||
struct bwlimit *bwlimit = (struct bwlimit *)_bwlimit;
|
||||
|
||||
- refresh_progress_meter();
|
||||
+ refresh_progress_meter(0);
|
||||
if (bwlimit != NULL)
|
||||
bandwidth_limit(bwlimit, amount);
|
||||
return 0;
|
@ -1,262 +0,0 @@
|
||||
commit 8976f1c4b2721c26e878151f52bdf346dfe2d54c
|
||||
Author: dtucker@openbsd.org <dtucker@openbsd.org>
|
||||
Date: Wed Jan 23 08:01:46 2019 +0000
|
||||
|
||||
upstream: Sanitize scp filenames via snmprintf. To do this we move
|
||||
|
||||
the progressmeter formatting outside of signal handler context and have the
|
||||
atomicio callback called for EINTR too. bz#2434 with contributions from djm
|
||||
and jjelen at redhat.com, ok djm@
|
||||
|
||||
OpenBSD-Commit-ID: 1af61c1f70e4f3bd8ab140b9f1fa699481db57d8
|
||||
|
||||
Index: openssh-7.9p1/atomicio.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/atomicio.c
|
||||
+++ openssh-7.9p1/atomicio.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: atomicio.c,v 1.28 2016/07/27 23:18:12 djm Exp $ */
|
||||
+/* $OpenBSD: atomicio.c,v 1.29 2019/01/23 08:01:46 dtucker Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2006 Damien Miller. All rights reserved.
|
||||
* Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
|
||||
@@ -65,9 +65,14 @@ atomicio6(ssize_t (*f) (int, void *, siz
|
||||
res = (f) (fd, s + pos, n - pos);
|
||||
switch (res) {
|
||||
case -1:
|
||||
- if (errno == EINTR)
|
||||
+ if (errno == EINTR) {
|
||||
+ /* possible SIGALARM, update callback */
|
||||
+ if (cb != NULL && cb(cb_arg, 0) == -1) {
|
||||
+ errno = EINTR;
|
||||
+ return pos;
|
||||
+ }
|
||||
continue;
|
||||
- if (errno == EAGAIN || errno == EWOULDBLOCK) {
|
||||
+ } else if (errno == EAGAIN || errno == EWOULDBLOCK) {
|
||||
#ifndef BROKEN_READ_COMPARISON
|
||||
(void)poll(&pfd, 1, -1);
|
||||
#endif
|
||||
@@ -122,9 +127,14 @@ atomiciov6(ssize_t (*f) (int, const stru
|
||||
res = (f) (fd, iov, iovcnt);
|
||||
switch (res) {
|
||||
case -1:
|
||||
- if (errno == EINTR)
|
||||
+ if (errno == EINTR) {
|
||||
+ /* possible SIGALARM, update callback */
|
||||
+ if (cb != NULL && cb(cb_arg, 0) == -1) {
|
||||
+ errno = EINTR;
|
||||
+ return pos;
|
||||
+ }
|
||||
continue;
|
||||
- if (errno == EAGAIN || errno == EWOULDBLOCK) {
|
||||
+ } else if (errno == EAGAIN || errno == EWOULDBLOCK) {
|
||||
#ifndef BROKEN_READV_COMPARISON
|
||||
(void)poll(&pfd, 1, -1);
|
||||
#endif
|
||||
Index: openssh-7.9p1/progressmeter.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/progressmeter.c
|
||||
+++ openssh-7.9p1/progressmeter.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: progressmeter.c,v 1.45 2016/06/30 05:17:05 dtucker Exp $ */
|
||||
+/* $OpenBSD: progressmeter.c,v 1.46 2019/01/23 08:01:46 dtucker Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2003 Nils Nordman. All rights reserved.
|
||||
*
|
||||
@@ -31,6 +31,7 @@
|
||||
|
||||
#include <errno.h>
|
||||
#include <signal.h>
|
||||
+#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <time.h>
|
||||
@@ -39,6 +40,7 @@
|
||||
#include "progressmeter.h"
|
||||
#include "atomicio.h"
|
||||
#include "misc.h"
|
||||
+#include "utf8.h"
|
||||
|
||||
#define DEFAULT_WINSIZE 80
|
||||
#define MAX_WINSIZE 512
|
||||
@@ -61,7 +63,7 @@ static void setscreensize(void);
|
||||
void refresh_progress_meter(void);
|
||||
|
||||
/* signal handler for updating the progress meter */
|
||||
-static void update_progress_meter(int);
|
||||
+static void sig_alarm(int);
|
||||
|
||||
static double start; /* start progress */
|
||||
static double last_update; /* last progress update */
|
||||
@@ -74,6 +76,7 @@ static long stalled; /* how long we hav
|
||||
static int bytes_per_second; /* current speed in bytes per second */
|
||||
static int win_size; /* terminal window size */
|
||||
static volatile sig_atomic_t win_resized; /* for window resizing */
|
||||
+static volatile sig_atomic_t alarm_fired;
|
||||
|
||||
/* units for format_size */
|
||||
static const char unit[] = " KMGT";
|
||||
@@ -126,9 +129,17 @@ refresh_progress_meter(void)
|
||||
off_t bytes_left;
|
||||
int cur_speed;
|
||||
int hours, minutes, seconds;
|
||||
- int i, len;
|
||||
int file_len;
|
||||
|
||||
+ if ((!alarm_fired && !win_resized) || !can_output())
|
||||
+ return;
|
||||
+ alarm_fired = 0;
|
||||
+
|
||||
+ if (win_resized) {
|
||||
+ setscreensize();
|
||||
+ win_resized = 0;
|
||||
+ }
|
||||
+
|
||||
transferred = *counter - (cur_pos ? cur_pos : start_pos);
|
||||
cur_pos = *counter;
|
||||
now = monotime_double();
|
||||
@@ -158,16 +169,11 @@ refresh_progress_meter(void)
|
||||
|
||||
/* filename */
|
||||
buf[0] = '\0';
|
||||
- file_len = win_size - 35;
|
||||
+ file_len = win_size - 36;
|
||||
if (file_len > 0) {
|
||||
- len = snprintf(buf, file_len + 1, "\r%s", file);
|
||||
- if (len < 0)
|
||||
- len = 0;
|
||||
- if (len >= file_len + 1)
|
||||
- len = file_len;
|
||||
- for (i = len; i < file_len; i++)
|
||||
- buf[i] = ' ';
|
||||
- buf[file_len] = '\0';
|
||||
+ buf[0] = '\r';
|
||||
+ snmprintf(buf+1, sizeof(buf)-1 , &file_len, "%*s",
|
||||
+ file_len * -1, file);
|
||||
}
|
||||
|
||||
/* percent of transfer done */
|
||||
@@ -228,22 +234,11 @@ refresh_progress_meter(void)
|
||||
|
||||
/*ARGSUSED*/
|
||||
static void
|
||||
-update_progress_meter(int ignore)
|
||||
+sig_alarm(int ignore)
|
||||
{
|
||||
- int save_errno;
|
||||
-
|
||||
- save_errno = errno;
|
||||
-
|
||||
- if (win_resized) {
|
||||
- setscreensize();
|
||||
- win_resized = 0;
|
||||
- }
|
||||
- if (can_output())
|
||||
- refresh_progress_meter();
|
||||
-
|
||||
- signal(SIGALRM, update_progress_meter);
|
||||
+ signal(SIGALRM, sig_alarm);
|
||||
+ alarm_fired = 1;
|
||||
alarm(UPDATE_INTERVAL);
|
||||
- errno = save_errno;
|
||||
}
|
||||
|
||||
void
|
||||
@@ -259,10 +254,9 @@ start_progress_meter(const char *f, off_
|
||||
bytes_per_second = 0;
|
||||
|
||||
setscreensize();
|
||||
- if (can_output())
|
||||
- refresh_progress_meter();
|
||||
+ refresh_progress_meter();
|
||||
|
||||
- signal(SIGALRM, update_progress_meter);
|
||||
+ signal(SIGALRM, sig_alarm);
|
||||
signal(SIGWINCH, sig_winch);
|
||||
alarm(UPDATE_INTERVAL);
|
||||
}
|
||||
@@ -286,6 +280,7 @@ stop_progress_meter(void)
|
||||
static void
|
||||
sig_winch(int sig)
|
||||
{
|
||||
+ signal(SIGWINCH, sig_winch);
|
||||
win_resized = 1;
|
||||
}
|
||||
|
||||
Index: openssh-7.9p1/progressmeter.h
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/progressmeter.h
|
||||
+++ openssh-7.9p1/progressmeter.h
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: progressmeter.h,v 1.3 2015/01/14 13:54:13 djm Exp $ */
|
||||
+/* $OpenBSD: progressmeter.h,v 1.4 2019/01/23 08:01:46 dtucker Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2002 Nils Nordman. All rights reserved.
|
||||
*
|
||||
@@ -24,4 +24,5 @@
|
||||
*/
|
||||
|
||||
void start_progress_meter(const char *, off_t, off_t *);
|
||||
+void refresh_progress_meter(void);
|
||||
void stop_progress_meter(void);
|
||||
Index: openssh-7.9p1/scp.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/scp.c
|
||||
+++ openssh-7.9p1/scp.c
|
||||
@@ -585,6 +585,7 @@ scpio(void *_cnt, size_t s)
|
||||
off_t *cnt = (off_t *)_cnt;
|
||||
|
||||
*cnt += s;
|
||||
+ refresh_progress_meter();
|
||||
if (limit_kbps > 0)
|
||||
bandwidth_limit(&bwlimit, s);
|
||||
return 0;
|
||||
Index: openssh-7.9p1/sftp-client.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/sftp-client.c
|
||||
+++ openssh-7.9p1/sftp-client.c
|
||||
@@ -101,7 +101,9 @@ sftpio(void *_bwlimit, size_t amount)
|
||||
{
|
||||
struct bwlimit *bwlimit = (struct bwlimit *)_bwlimit;
|
||||
|
||||
- bandwidth_limit(bwlimit, amount);
|
||||
+ refresh_progress_meter();
|
||||
+ if (bwlimit != NULL)
|
||||
+ bandwidth_limit(bwlimit, amount);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -121,8 +123,8 @@ send_msg(struct sftp_conn *conn, struct
|
||||
iov[1].iov_base = (u_char *)sshbuf_ptr(m);
|
||||
iov[1].iov_len = sshbuf_len(m);
|
||||
|
||||
- if (atomiciov6(writev, conn->fd_out, iov, 2,
|
||||
- conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_out) !=
|
||||
+ if (atomiciov6(writev, conn->fd_out, iov, 2, sftpio,
|
||||
+ conn->limit_kbps > 0 ? &conn->bwlimit_out : NULL) !=
|
||||
sshbuf_len(m) + sizeof(mlen))
|
||||
fatal("Couldn't send packet: %s", strerror(errno));
|
||||
|
||||
@@ -138,8 +140,8 @@ get_msg_extended(struct sftp_conn *conn,
|
||||
|
||||
if ((r = sshbuf_reserve(m, 4, &p)) != 0)
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
- if (atomicio6(read, conn->fd_in, p, 4,
|
||||
- conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in) != 4) {
|
||||
+ if (atomicio6(read, conn->fd_in, p, 4, sftpio,
|
||||
+ conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL) != 4) {
|
||||
if (errno == EPIPE || errno == ECONNRESET)
|
||||
fatal("Connection closed");
|
||||
else
|
||||
@@ -157,8 +159,8 @@ get_msg_extended(struct sftp_conn *conn,
|
||||
|
||||
if ((r = sshbuf_reserve(m, msg_len, &p)) != 0)
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
- if (atomicio6(read, conn->fd_in, p, msg_len,
|
||||
- conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in)
|
||||
+ if (atomicio6(read, conn->fd_in, p, msg_len, sftpio,
|
||||
+ conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL)
|
||||
!= msg_len) {
|
||||
if (errno == EPIPE)
|
||||
fatal("Connection closed");
|
@ -1,186 +0,0 @@
|
||||
commit 391ffc4b9d31fa1f4ad566499fef9176ff8a07dc
|
||||
Author: djm@openbsd.org <djm@openbsd.org>
|
||||
Date: Sat Jan 26 22:41:28 2019 +0000
|
||||
|
||||
upstream: check in scp client that filenames sent during
|
||||
|
||||
remote->local directory copies satisfy the wildcard specified by the user.
|
||||
|
||||
This checking provides some protection against a malicious server
|
||||
sending unexpected filenames, but it comes at a risk of rejecting wanted
|
||||
files due to differences between client and server wildcard expansion rules.
|
||||
|
||||
For this reason, this also adds a new -T flag to disable the check.
|
||||
|
||||
reported by Harry Sintonen
|
||||
fix approach suggested by markus@;
|
||||
has been in snaps for ~1wk courtesy deraadt@
|
||||
|
||||
OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda
|
||||
|
||||
Index: openssh-7.9p1/scp.1
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/scp.1
|
||||
+++ openssh-7.9p1/scp.1
|
||||
@@ -18,7 +18,7 @@
|
||||
.Nd secure copy (remote file copy program)
|
||||
.Sh SYNOPSIS
|
||||
.Nm scp
|
||||
-.Op Fl 346BCpqrv
|
||||
+.Op Fl 346BCpqrTv
|
||||
.Op Fl c Ar cipher
|
||||
.Op Fl F Ar ssh_config
|
||||
.Op Fl i Ar identity_file
|
||||
@@ -208,6 +208,16 @@ to use for the encrypted connection.
|
||||
The program must understand
|
||||
.Xr ssh 1
|
||||
options.
|
||||
+.It Fl T
|
||||
+Disable strict filename checking.
|
||||
+By default when copying files from a remote host to a local directory
|
||||
+.Nm
|
||||
+checks that the received filenames match those requested on the command-line
|
||||
+to prevent the remote end from sending unexpected or unwanted files.
|
||||
+Because of differences in how various operating systems and shells interpret
|
||||
+filename wildcards, these checks may cause wanted files to be rejected.
|
||||
+This option disables these checks at the expense of fully trusting that
|
||||
+the server will not send unexpected filenames.
|
||||
.It Fl v
|
||||
Verbose mode.
|
||||
Causes
|
||||
Index: openssh-7.9p1/scp.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/scp.c
|
||||
+++ openssh-7.9p1/scp.c
|
||||
@@ -94,6 +94,7 @@
|
||||
#include <dirent.h>
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
+#include <fnmatch.h>
|
||||
#include <limits.h>
|
||||
#include <locale.h>
|
||||
#include <pwd.h>
|
||||
@@ -375,14 +376,14 @@ void verifydir(char *);
|
||||
struct passwd *pwd;
|
||||
uid_t userid;
|
||||
int errs, remin, remout;
|
||||
-int pflag, iamremote, iamrecursive, targetshouldbedirectory;
|
||||
+int Tflag, pflag, iamremote, iamrecursive, targetshouldbedirectory;
|
||||
|
||||
#define CMDNEEDS 64
|
||||
char cmd[CMDNEEDS]; /* must hold "rcp -r -p -d\0" */
|
||||
|
||||
int response(void);
|
||||
void rsource(char *, struct stat *);
|
||||
-void sink(int, char *[]);
|
||||
+void sink(int, char *[], const char *);
|
||||
void source(int, char *[]);
|
||||
void tolocal(int, char *[]);
|
||||
void toremote(int, char *[]);
|
||||
@@ -421,8 +422,9 @@ main(int argc, char **argv)
|
||||
addargs(&args, "-oRemoteCommand=none");
|
||||
addargs(&args, "-oRequestTTY=no");
|
||||
|
||||
- fflag = tflag = 0;
|
||||
- while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q12346S:o:F:")) != -1)
|
||||
+ fflag = Tflag = tflag = 0;
|
||||
+ while ((ch = getopt(argc, argv,
|
||||
+ "dfl:prtTvBCc:i:P:q12346S:o:F:J:")) != -1) {
|
||||
switch (ch) {
|
||||
/* User-visible flags. */
|
||||
case '1':
|
||||
@@ -501,9 +503,13 @@ main(int argc, char **argv)
|
||||
setmode(0, O_BINARY);
|
||||
#endif
|
||||
break;
|
||||
+ case 'T':
|
||||
+ Tflag = 1;
|
||||
+ break;
|
||||
default:
|
||||
usage();
|
||||
}
|
||||
+ }
|
||||
argc -= optind;
|
||||
argv += optind;
|
||||
|
||||
@@ -534,7 +540,7 @@ main(int argc, char **argv)
|
||||
}
|
||||
if (tflag) {
|
||||
/* Receive data. */
|
||||
- sink(argc, argv);
|
||||
+ sink(argc, argv, NULL);
|
||||
exit(errs != 0);
|
||||
}
|
||||
if (argc < 2)
|
||||
@@ -792,7 +798,7 @@ tolocal(int argc, char **argv)
|
||||
continue;
|
||||
}
|
||||
free(bp);
|
||||
- sink(1, argv + argc - 1);
|
||||
+ sink(1, argv + argc - 1, src);
|
||||
(void) close(remin);
|
||||
remin = remout = -1;
|
||||
}
|
||||
@@ -968,7 +974,7 @@ rsource(char *name, struct stat *statp)
|
||||
(sizeof(type) != 4 && sizeof(type) != 8))
|
||||
|
||||
void
|
||||
-sink(int argc, char **argv)
|
||||
+sink(int argc, char **argv, const char *src)
|
||||
{
|
||||
static BUF buffer;
|
||||
struct stat stb;
|
||||
@@ -984,6 +990,7 @@ sink(int argc, char **argv)
|
||||
unsigned long long ull;
|
||||
int setimes, targisdir, wrerrno = 0;
|
||||
char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
|
||||
+ char *src_copy = NULL, *restrict_pattern = NULL;
|
||||
struct timeval tv[2];
|
||||
|
||||
#define atime tv[0]
|
||||
@@ -1008,6 +1015,17 @@ sink(int argc, char **argv)
|
||||
(void) atomicio(vwrite, remout, "", 1);
|
||||
if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode))
|
||||
targisdir = 1;
|
||||
+ if (src != NULL && !iamrecursive && !Tflag) {
|
||||
+ /*
|
||||
+ * Prepare to try to restrict incoming filenames to match
|
||||
+ * the requested destination file glob.
|
||||
+ */
|
||||
+ if ((src_copy = strdup(src)) == NULL)
|
||||
+ fatal("strdup failed");
|
||||
+ if ((restrict_pattern = strrchr(src_copy, '/')) != NULL) {
|
||||
+ *restrict_pattern++ = '\0';
|
||||
+ }
|
||||
+ }
|
||||
for (first = 1;; first = 0) {
|
||||
cp = buf;
|
||||
if (atomicio(read, remin, cp, 1) != 1)
|
||||
@@ -1112,6 +1130,9 @@ sink(int argc, char **argv)
|
||||
run_err("error: unexpected filename: %s", cp);
|
||||
exit(1);
|
||||
}
|
||||
+ if (restrict_pattern != NULL &&
|
||||
+ fnmatch(restrict_pattern, cp, 0) != 0)
|
||||
+ SCREWUP("filename does not match request");
|
||||
if (targisdir) {
|
||||
static char *namebuf;
|
||||
static size_t cursize;
|
||||
@@ -1149,7 +1170,7 @@ sink(int argc, char **argv)
|
||||
goto bad;
|
||||
}
|
||||
vect[0] = xstrdup(np);
|
||||
- sink(1, vect);
|
||||
+ sink(1, vect, src);
|
||||
if (setimes) {
|
||||
setimes = 0;
|
||||
if (utimes(vect[0], tv) < 0)
|
||||
@@ -1317,7 +1338,7 @@ void
|
||||
usage(void)
|
||||
{
|
||||
(void) fprintf(stderr,
|
||||
- "usage: scp [-346BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]\n"
|
||||
+ "usage: scp [-346BCpqrTv] [-c cipher] [-F ssh_config] [-i identity_file]\n"
|
||||
" [-l limit] [-o ssh_option] [-P port] [-S program] source ... target\n");
|
||||
exit(1);
|
||||
}
|
@ -18,7 +18,7 @@
|
||||
|
||||
%define _name openssh
|
||||
Name: openssh-askpass-gnome
|
||||
Version: 7.9p1
|
||||
Version: 8.1p1
|
||||
Release: 0
|
||||
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
||||
License: BSD-2-Clause
|
||||
|
@ -1,41 +0,0 @@
|
||||
Index: openssh-7.9p1/openbsd-compat/openssl-compat.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/openbsd-compat/openssl-compat.c 2018-11-26 11:47:17.417925053 +0100
|
||||
+++ openssh-7.9p1/openbsd-compat/openssl-compat.c 2018-11-26 11:52:47.127727580 +0100
|
||||
@@ -76,7 +76,7 @@ ssh_OpenSSL_add_all_algorithms(void)
|
||||
ENGINE_load_builtin_engines();
|
||||
ENGINE_register_all_complete();
|
||||
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x10001000L
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
OPENSSL_config(NULL);
|
||||
#else
|
||||
OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
|
||||
Index: openssh-7.9p1/gss-genr.c
|
||||
===================================================================
|
||||
--- openssh-7.9p1.orig/gss-genr.c 2018-11-26 11:47:17.417925053 +0100
|
||||
+++ openssh-7.9p1/gss-genr.c 2018-11-26 12:01:40.354642746 +0100
|
||||
@@ -114,7 +114,11 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
||||
if ((buf = sshbuf_new()) == NULL)
|
||||
fatal("%s: sshbuf_new failed", __func__);
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
+ md = EVP_MD_CTX_create();
|
||||
+#else
|
||||
md = EVP_MD_CTX_new();
|
||||
+#endif
|
||||
oidpos = 0;
|
||||
for (i = 0; i < gss_supported->count; i++) {
|
||||
if (gss_supported->elements[i].length < 128 &&
|
||||
@@ -156,7 +160,11 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
||||
oidpos++;
|
||||
}
|
||||
}
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
+ EVP_MD_CTX_destroy(md);
|
||||
+#else
|
||||
EVP_MD_CTX_free(md);
|
||||
+#endif
|
||||
gss_enc2oid[oidpos].oid = NULL;
|
||||
gss_enc2oid[oidpos].encoded = NULL;
|
||||
|
132
openssh.changes
@ -1,3 +1,135 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Oct 14 23:58:39 UTC 2019 - Hans Petter Jansson <hpj@suse.com>
|
||||
|
||||
- Add openssh-7.9p1-keygen-preserve-perms.patch (bsc#1150574).
|
||||
This attempts to preserve the permissions of any existing
|
||||
known_hosts file when modified by ssh-keygen (for instance,
|
||||
with -R).
|
||||
- Add patch from upstream openssh-7.9p1-revert-new-qos-defaults.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Oct 14 23:56:42 UTC 2019 - Hans Petter Jansson <hpj@suse.com>
|
||||
|
||||
- Run 'ssh-keygen -A' on startup only if SSHD_AUTO_KEYGEN="yes"
|
||||
in /etc/sysconfig/ssh. This is set to "yes" by default, but
|
||||
can be changed by the system administrator (bsc#1139089).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Oct 14 23:50:04 UTC 2019 - Hans Petter Jansson <hpj@suse.com>
|
||||
|
||||
- Add openssh-7.9p1-keygen-preserve-perms.patch (bsc#1150574).
|
||||
This attempts to preserve the permissions of any existing
|
||||
known_hosts file when modified by ssh-keygen (for instance,
|
||||
with -R).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Oct 10 00:41:18 UTC 2019 - Hans Petter Jansson <hpj@suse.com>
|
||||
|
||||
- Version update to 8.1p1:
|
||||
* ssh-keygen(1): when acting as a CA and signing certificates with
|
||||
an RSA key, default to using the rsa-sha2-512 signature algorithm.
|
||||
Certificates signed by RSA keys will therefore be incompatible
|
||||
with OpenSSH versions prior to 7.2 unless the default is
|
||||
overridden (using "ssh-keygen -t ssh-rsa -s ...").
|
||||
* ssh(1): Allow %n to be expanded in ProxyCommand strings
|
||||
* ssh(1), sshd(8): Allow prepending a list of algorithms to the
|
||||
default set by starting the list with the '^' character, E.g.
|
||||
"HostKeyAlgorithms ^ssh-ed25519"
|
||||
* ssh-keygen(1): add an experimental lightweight signature and
|
||||
verification ability. Signatures may be made using regular ssh keys
|
||||
held on disk or stored in a ssh-agent and verified against an
|
||||
authorized_keys-like list of allowed keys. Signatures embed a
|
||||
namespace that prevents confusion and attacks between different
|
||||
usage domains (e.g. files vs email).
|
||||
* ssh-keygen(1): print key comment when extracting public key from a
|
||||
private key.
|
||||
* ssh-keygen(1): accept the verbose flag when searching for host keys
|
||||
in known hosts (i.e. "ssh-keygen -vF host") to print the matching
|
||||
host's random-art signature too.
|
||||
* All: support PKCS8 as an optional format for storage of private
|
||||
keys to disk. The OpenSSH native key format remains the default,
|
||||
but PKCS8 is a superior format to PEM if interoperability with
|
||||
non-OpenSSH software is required, as it may use a less insecure
|
||||
key derivation function than PEM's.
|
||||
|
||||
- Additional changes from 8.0p1 release:
|
||||
* scp(1): Add "-T" flag to disable client-side filtering of
|
||||
server file list.
|
||||
* sshd(8): Remove support for obsolete "host/port" syntax.
|
||||
* ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in
|
||||
PKCS#11 tokens.
|
||||
* ssh(1), sshd(8): Add experimental quantum-computing resistant
|
||||
key exchange method, based on a combination of Streamlined NTRU
|
||||
Prime 4591^761 and X25519.
|
||||
* ssh-keygen(1): Increase the default RSA key size to 3072 bits,
|
||||
following NIST Special Publication 800-57's guidance for a
|
||||
128-bit equivalent symmetric security level.
|
||||
* ssh(1): Allow "PKCS11Provider=none" to override later instances of
|
||||
the PKCS11Provider directive in ssh_config,
|
||||
* sshd(8): Add a log message for situations where a connection is
|
||||
dropped for attempting to run a command but a sshd_config
|
||||
ForceCommand=internal-sftp restriction is in effect.
|
||||
* ssh(1): When prompting whether to record a new host key, accept
|
||||
the key fingerprint as a synonym for "yes". This allows the user
|
||||
to paste a fingerprint obtained out of band at the prompt and
|
||||
have the client do the comparison for you.
|
||||
* ssh-keygen(1): When signing multiple certificates on a single
|
||||
command-line invocation, allow automatically incrementing the
|
||||
certificate serial number.
|
||||
* scp(1), sftp(1): Accept -J option as an alias to ProxyJump on
|
||||
the scp and sftp command-lines.
|
||||
* ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v"
|
||||
command-line flags to increase the verbosity of output; pass
|
||||
verbose flags though to subprocesses, such as ssh-pkcs11-helper
|
||||
started from ssh-agent.
|
||||
* ssh-add(1): Add a "-T" option to allowing testing whether keys in
|
||||
an agent are usable by performing a signature and a verification.
|
||||
* sftp-server(8): Add a "lsetstat@openssh.com" protocol extension
|
||||
that replicates the functionality of the existing SSH2_FXP_SETSTAT
|
||||
operation but does not follow symlinks.
|
||||
* sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request
|
||||
they do not follow symlinks.
|
||||
* sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes
|
||||
the connection 4-tuple available to PAM modules that wish to use
|
||||
it in decision-making.
|
||||
* sshd(8): Add a ssh_config "Match final" predicate Matches in same
|
||||
pass as "Match canonical" but doesn't require hostname
|
||||
canonicalisation be enabled.
|
||||
* sftp(1): Support a prefix of '@' to suppress echo of sftp batch
|
||||
commands.
|
||||
* ssh-keygen(1): When printing certificate contents using
|
||||
"ssh-keygen -Lf /path/certificate", include the algorithm that
|
||||
the CA used to sign the cert.
|
||||
|
||||
- Rebased patches:
|
||||
* openssh-7.7p1-IPv6_X_forwarding.patch
|
||||
* openssh-7.7p1-X_forward_with_disabled_ipv6.patch
|
||||
* openssh-7.7p1-cavstest-ctr.patch
|
||||
* openssh-7.7p1-cavstest-kdf.patch
|
||||
* openssh-7.7p1-disable_openssl_abi_check.patch
|
||||
* openssh-7.7p1-fips.patch
|
||||
* openssh-7.7p1-fips_checks.patch
|
||||
* openssh-7.7p1-hostname_changes_when_forwarding_X.patch
|
||||
* openssh-7.7p1-ldap.patch
|
||||
* openssh-7.7p1-seed-prng.patch
|
||||
* openssh-7.7p1-sftp_force_permissions.patch
|
||||
* openssh-7.7p1-sftp_print_diagnostic_messages.patch
|
||||
* openssh-8.0p1-gssapi-keyex.patch (formerly
|
||||
openssh-7.7p1-gssapi_key_exchange.patch)
|
||||
* openssh-8.1p1-audit.patch (formerly openssh-7.7p1-audit.patch)
|
||||
|
||||
- Removed patches (integrated upstream):
|
||||
* 0001-upstream-Fix-two-race-conditions-in-sshd-relating-to.patch
|
||||
* openssh-7.7p1-seccomp_ioctl_s390_EP11.patch
|
||||
* openssh-7.9p1-CVE-2018-20685.patch
|
||||
* openssh-7.9p1-brace-expansion.patch
|
||||
* openssh-CVE-2019-6109-force-progressmeter-update.patch
|
||||
* openssh-CVE-2019-6109-sanitize-scp-filenames.patch
|
||||
* openssh-CVE-2019-6111-scp-client-wildcard.patch
|
||||
|
||||
- Removed patches (obsolete):
|
||||
* openssh-openssl-1_0_0-compatibility.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Aug 19 11:24:36 CEST 2019 - kukuk@suse.de
|
||||
|
||||
|
16
openssh.spec
16
openssh.spec
@ -37,7 +37,7 @@
|
||||
%define _fillupdir %{_localstatedir}/adm/fillup-templates
|
||||
%endif
|
||||
Name: openssh
|
||||
Version: 7.9p1
|
||||
Version: 8.1p1
|
||||
Release: 0
|
||||
Summary: Secure Shell Client and Server (Remote Login Program)
|
||||
License: BSD-2-Clause AND MIT
|
||||
@ -70,7 +70,6 @@ Patch14: openssh-7.7p1-seccomp_stat.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
|
||||
Patch15: openssh-7.7p1-seccomp_ipc_flock.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
|
||||
Patch16: openssh-7.7p1-seccomp_ioctl_s390_EP11.patch
|
||||
# Local FIPS patchset
|
||||
Patch17: openssh-7.7p1-fips.patch
|
||||
# Local cavs patchset
|
||||
@ -82,9 +81,9 @@ Patch20: openssh-7.7p1-fips_checks.patch
|
||||
Patch21: openssh-7.7p1-seed-prng.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
|
||||
Patch22: openssh-7.7p1-systemd-notify.patch
|
||||
Patch23: openssh-7.7p1-gssapi_key_exchange.patch
|
||||
Patch23: openssh-8.0p1-gssapi-keyex.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=1402
|
||||
Patch24: openssh-7.7p1-audit.patch
|
||||
Patch24: openssh-8.1p1-audit.patch
|
||||
# Local patch to disable runtime abi SSL checks, quite pointless for us
|
||||
Patch26: openssh-7.7p1-disable_openssl_abi_check.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
|
||||
@ -98,13 +97,8 @@ Patch31: openssh-7.7p1-ldap.patch
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2213
|
||||
Patch32: openssh-7.7p1-IPv6_X_forwarding.patch
|
||||
Patch33: openssh-7.7p1-sftp_print_diagnostic_messages.patch
|
||||
Patch34: openssh-openssl-1_0_0-compatibility.patch
|
||||
Patch35: openssh-7.9p1-CVE-2018-20685.patch
|
||||
Patch36: openssh-CVE-2019-6109-sanitize-scp-filenames.patch
|
||||
Patch37: openssh-CVE-2019-6109-force-progressmeter-update.patch
|
||||
Patch38: openssh-CVE-2019-6111-scp-client-wildcard.patch
|
||||
Patch39: openssh-7.9p1-brace-expansion.patch
|
||||
Patch40: 0001-upstream-Fix-two-race-conditions-in-sshd-relating-to.patch
|
||||
Patch34: openssh-7.9p1-keygen-preserve-perms.patch
|
||||
Patch35: openssh-7.9p1-revert-new-qos-defaults.patch
|
||||
BuildRequires: audit-devel
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: groff
|
||||
|
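Review bot: The last hunk reuses the Patch34 and Patch35 slots for openssh-7.9p1-keygen-preserve-perms.patch and openssh-7.9p1-revert-new-qos-defaults.patch while Patch36 through Patch40 disappear, but the matching `%patch34`…`%patch40` lines in %prep are outside this view; they need to be updated in the same change, since a leftover `%patch36` would fail at build time. In the `@ -70,7 +70,6 @@` hunk the counts admit only one removed line, which appears to be Patch16, so the second `# https://bugzilla.mindrot.org/show_bug.cgi?id=2752` comment is left orphaned directly above `# Local FIPS patchset`; drop that comment line too so each bug reference stays attached to the patch it describes. Using fresh numbers for the two new patches rather than recycling 34 and 35 would keep the numbering history unambiguous.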
@ -1,5 +1,8 @@
|
||||
#!/bin/sh
|
||||
if ! grep -q '^[[:space:]]*HostKey[[:space:]]' /etc/ssh/sshd_config; then
|
||||
|
||||
. /etc/sysconfig/ssh
|
||||
|
||||
if [ "$SSHD_AUTO_KEYGEN" = "yes" ]; then
|
||||
echo "Checking for missing server keys in /etc/ssh"
|
||||
ssh-keygen -A
|
||||
fi
|
||||
|
@ -7,3 +7,8 @@
|
||||
# Options for sshd
|
||||
#
|
||||
SSHD_OPTS=""
|
||||
|
||||
#
|
||||
# Whether to run ssh-keygen -A
|
||||
#
|
||||
SSHD_AUTO_KEYGEN="yes"
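Review bot: The new comment `# Whether to run ssh-keygen -A` does not tell an administrator what the switch actually does or which values are accepted, and the consuming script compares against the literal string "yes", so "Yes", "true" or "1" silently disable it. Replace the comment with `# Generate any missing sshd host keys in /etc/ssh with "ssh-keygen -A" when sshd starts.` and `# Only the exact value "yes" enables this; any other value (or an empty value) disables it.` so the template documents the same contract the startup script enforces. The earlier part of the template, where the file's description header lives, is outside this hunk.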
|
||||
|