packages/openssh
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!182 升级到openssh社区最新版本9.1p1

Browse Source 
From: @renmingshuai 
Reviewed-by: @kircher 
Signed-off-by: @kircher
This commit is contained in:
openeuler-ci-bot 2023-02-06 07:26:06 +00:00 committed by Gitee
commit 32736e9a66
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
35 changed files with 3708 additions and 3706 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

130
backport-Don-t-leak-the-strings-allocated-by-order_h.patch
View File

@ -1,130 +0,0 @@
From 6c31ba10e97b6953c4f325f526f3e846dfea647a Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Fri, 1 Jul 2022 03:39:44 +0000
Subject: upstream: Don't leak the strings allocated by order_hostkeyalgs()
and list_hostkey_types() that are passed to compat_pkalg_proposal(). Part of
github PR#324 from ZoltanFridrich, ok djm@
This is a roll-forward of the previous rollback now that the required
changes in compat.c have been done.
OpenBSD-Commit-ID: c7cd93730b3b9f53cdad3ae32462922834ef73eb
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/patch/?id=6c31ba10e97b6953c4f325f526f3e846dfea647a
---
sshconnect2.c | 16 ++++++++++------
sshd.c | 17 +++++++++++------
2 files changed, 21 insertions(+), 12 deletions(-)
diff --git a/sshconnect2.c b/sshconnect2.c
index 150d419..eb0df92 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.351 2021/07/23 05:24:02 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.359 2022/07/01 03:39:44 dtucker Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -218,6 +218,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
{
char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
char *s, *all_key;
+ char *prop_kex = NULL, *prop_enc = NULL, *prop_hostkey = NULL;
int r, use_known_hosts_order = 0;
#if defined(GSSAPI) && defined(WITH_OPENSSL)
@@ -248,10 +249,9 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
fatal_f("kex_names_cat");
- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, s);
+ myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh, s);
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
- compat_cipher_proposal(ssh, options.ciphers);
- myproposal[PROPOSAL_ENC_ALGS_STOC] =
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = prop_enc =
compat_cipher_proposal(ssh, options.ciphers);
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
myproposal[PROPOSAL_COMP_ALGS_STOC] =
@@ -260,12 +260,12 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
if (use_known_hosts_order) {
/* Query known_hosts and prefer algorithms that appear there */
- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey =
compat_pkalg_proposal(ssh,
order_hostkeyalgs(host, hostaddr, port, cinfo));
} else {
/* Use specified HostkeyAlgorithms exactly */
- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey =
compat_pkalg_proposal(ssh, options.hostkeyalgorithms);
}
@@ -380,6 +380,10 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
(r = ssh_packet_write_wait(ssh)) != 0)
fatal_fr(r, "send packet");
#endif
+ /* Free only parts of proposal that were dynamically allocated here. */
+ free(prop_kex);
+ free(prop_enc);
+ free(prop_hostkey);
}
/*
diff --git a/sshd.c b/sshd.c
index 98a9754..6c77f07 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.578 2021/07/19 02:21:50 dtucker Exp $ */
+/* $OpenBSD: sshd.c,v 1.589 2022/07/01 03:39:44 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2522,12 +2522,14 @@ do_ssh2_kex(struct ssh *ssh)
{
char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
struct kex *kex;
+ char *prop_kex = NULL, *prop_enc = NULL, *prop_hostkey = NULL;
int r;
- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh,
+ myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh,
options.kex_algorithms);
- myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(ssh,
- options.ciphers);
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = prop_enc =
+ compat_cipher_proposal(ssh, options.ciphers);
myproposal[PROPOSAL_ENC_ALGS_STOC] = compat_cipher_proposal(ssh,
options.ciphers);
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
@@ -2542,8 +2544,8 @@ do_ssh2_kex(struct ssh *ssh)
ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
options.rekey_interval);
/* coverity[leaked_storage : FALSE]*/
- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
- ssh, list_hostkey_types());
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey =
+ compat_pkalg_proposal(ssh, list_hostkey_types());
#if defined(GSSAPI) && defined(WITH_OPENSSL)
{
@@ -2639,6 +2641,9 @@ do_ssh2_kex(struct ssh *ssh)
(r = ssh_packet_write_wait(ssh)) != 0)
fatal_fr(r, "send test");
#endif
+ free(prop_kex);
+ free(prop_enc);
+ free(prop_hostkey);
debug("KEX done");
}
--
2.33.0

43
backport-Return-ERANGE-from-getcwd-if-buffer-size-is-1.patch
View File

@ -1,43 +0,0 @@
From 527cb43fa1b4e55df661feabbac51b8e608b6519 Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@dtucker.net>
Date: Thu, 14 Jul 2022 11:22:08 +1000
Subject: Return ERANGE from getcwd() if buffer size is 1.
If getcwd() is supplied a buffer size of exactly 1 and a path of "/", it
could result in a nul byte being written out of array bounds. POSIX says
it should return ERANGE if the path will not fit in the available buffer
(with terminating nul). 1 byte cannot fit any possible path with its nul,
so immediately return ERANGE in that case.
OpenSSH never uses getcwd() with this buffer size, and all current
(and even quite old) platforms that we are currently known to work
on have a native getcwd() so this code is not used on those anyway.
Reported by Qualys, ok djm@
Reference:https://anongit.mindrot.org/openssh.git/patch/?id=527cb43fa1b4e55df661feabbac51b8e608b6519
Conflict:NA
---
openbsd-compat/getcwd.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/openbsd-compat/getcwd.c b/openbsd-compat/getcwd.c
index e4f7f5a..a403a01 100644
--- a/openbsd-compat/getcwd.c
+++ b/openbsd-compat/getcwd.c
@@ -71,9 +71,12 @@ getcwd(char *pt, size_t size)
*/
if (pt) {
ptsize = 0;
- if (!size) {
+ if (size == 0) {
errno = EINVAL;
return (NULL);
+ } else if (size == 1) {
+ errno = ERANGE;
+ return (NULL);
}
ept = pt + size;
} else {
--
2.33.0

34
backport-Skip-scp3-test-if-there-s-no-scp-on-remote-path.patch
View File

@ -1,34 +0,0 @@
From ea7ecc2c3ae39fdf5c6ad97b7bc0b47a98847f43 Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@dtucker.net>
Date: Sat, 23 Jul 2022 14:36:38 +1000
Subject: [PATCH] Skip scp3 test if there's no scp on remote path.
scp -3 ends up using the scp that's in the remote path and will fail if
one is not available. Based on a patch from rapier at psc.edu.
Reference:https://github.com/openssh/openssh-portable/commit/ea7ecc2c3ae39fdf5c6ad97b7bc0b47a98847f43
Conflict:NA
---
regress/scp3.sh | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/regress/scp3.sh b/regress/scp3.sh
index f71b1567..47db47cd 100644
--- a/regress/scp3.sh
+++ b/regress/scp3.sh
@@ -9,6 +9,12 @@ COPY2=${OBJ}/copy2
DIR=${COPY}.dd
DIR2=${COPY}.dd2
+$SSH -F $OBJ/ssh_proxy somehost \
+ 'IFS=":"; for i in $PATH;do [ -x "$i/scp" ] && exit 0; done; exit 1'
+if [ $? -eq 1 ]; then
+ skip "No scp on remote path."
+fi
+
SRC=`dirname ${SCRIPT}`
cp ${SRC}/scp-ssh-wrapper.sh ${OBJ}/scp-ssh-wrapper.scp
chmod 755 ${OBJ}/scp-ssh-wrapper.scp
--
2.23.0

33
backport-fix-possible-NULL-deref-when-built-without-FIDO.patch
View File

@ -1,33 +0,0 @@
From 7d25b37fb2a5ff4dadabcbdac6087a97479434f5 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Fri, 24 Jun 2022 13:46:39 +1000
Subject: [PATCH] fix possible NULL deref when built without FIDO
Analysis/fix from kircher in bz3443; ok dtucker@
Reference:https://github.com/openssh/openssh-portable/commit/7d25b37fb2a5ff
Conflict:NA
---
ssh-sk.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ssh-sk.c b/ssh-sk.c
index a1ff5cc4..ba514607 100644
--- a/ssh-sk.c
+++ b/ssh-sk.c
@@ -127,10 +127,11 @@ sshsk_open(const char *path)
ret->sk_enroll = ssh_sk_enroll;
ret->sk_sign = ssh_sk_sign;
ret->sk_load_resident_keys = ssh_sk_load_resident_keys;
+ return ret;
#else
error("internal security key support not enabled");
+ goto fail;
#endif
- return ret;
}
if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) {
error("Provider \"%s\" dlopen failed: %s", path, dlerror());
--
2.23.0

88
backport-upstream-Always-return-allocated-strings-from-the-ke.patch
View File

@ -1,88 +0,0 @@
From 486c4dc3b83b4b67d663fb0fa62bc24138ec3946 Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Fri, 1 Jul 2022 03:35:45 +0000
Subject: upstream: Always return allocated strings from the kex filtering so
that we can free them later. Fix one leak in compat_kex_proposal. Based on
github PR#324 from ZoltanFridrich with some simplications by me. ok djm@
OpenBSD-Commit-ID: 9171616da3307612d0ede086fd511142f91246e4
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/patch/?id=486c4dc3b83b4b67d663fb0fa62bc24138ec3946
---
compat.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/compat.c b/compat.c
index 9120bd2..1d50349 100644
--- a/compat.c
+++ b/compat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.c,v 1.119 2021/09/10 05:46:09 djm Exp $ */
+/* $OpenBSD: compat.c,v 1.120 2022/07/01 03:35:45 dtucker Exp $ */
/*
* Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
*
@@ -156,11 +156,12 @@ compat_banner(struct ssh *ssh, const char *version)
debug_f("no match: %s", version);
}
+/* Always returns pointer to allocated memory, caller must free. */
char *
compat_cipher_proposal(struct ssh *ssh, char *cipher_prop)
{
if (!(ssh->compat & SSH_BUG_BIGENDIANAES))
- return cipher_prop;
+ return xstrdup(cipher_prop);
debug2_f("original cipher proposal: %s", cipher_prop);
if ((cipher_prop = match_filter_denylist(cipher_prop, "aes*")) == NULL)
fatal("match_filter_denylist failed");
@@ -170,11 +171,12 @@ compat_cipher_proposal(struct ssh *ssh, char *cipher_prop)
return cipher_prop;
}
+/* Always returns pointer to allocated memory, caller must free. */
char *
compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop)
{
if (!(ssh->compat & SSH_BUG_RSASIGMD5))
- return pkalg_prop;
+ return xstrdup(pkalg_prop);
debug2_f("original public key proposal: %s", pkalg_prop);
if ((pkalg_prop = match_filter_denylist(pkalg_prop, "ssh-rsa")) == NULL)
fatal("match_filter_denylist failed");
@@ -184,11 +186,15 @@ compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop)
return pkalg_prop;
}
+/* Always returns pointer to allocated memory, caller must free. */
char *
compat_kex_proposal(struct ssh *ssh, char *p)
{
+ char *cp = NULL;
+
+
if ((ssh->compat & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0)
- return p;
+ return xstrdup(p);
debug2_f("original KEX proposal: %s", p);
if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0)
/* coverity[overwrite_var : FALSE] */
@@ -196,11 +202,13 @@ compat_kex_proposal(struct ssh *ssh, char *p)
"curve25519-sha256@libssh.org")) == NULL)
fatal("match_filter_denylist failed");
if ((ssh->compat & SSH_OLD_DHGEX) != 0) {
+ cp = p;
/* coverity[overwrite_var : FALSE] */
if ((p = match_filter_denylist(p,
"diffie-hellman-group-exchange-sha256,"
"diffie-hellman-group-exchange-sha1")) == NULL)
fatal("match_filter_denylist failed");
+ free(cp);
}
debug2_f("compat KEX proposal: %s", p);
if (*p == '\0')
--
2.33.0

37
backport-upstream-Donot-attempt-to-fprintf-a-null-identity-co.patch
View File

@ -1,37 +0,0 @@
From f29d6cf98c25bf044079032d22c1a57c63ab9d8e Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Sat, 18 Jun 2022 02:17:16 +0000
Subject: upstream: Don't attempt to fprintf a null identity comment. From
Martin Vahlensieck via tech@.
OpenBSD-Commit-ID: 4c54d20a8e8e4e9912c38a7b4ef5bfc5ca2e05c2
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/patch/?id=f29d6cf98c25bf044079032d22c1a57c63ab9d8e
---
ssh-add.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ssh-add.c b/ssh-add.c
index 29c0b17..d60bafc 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-add.c,v 1.160 2021/04/03 06:18:41 djm Exp $ */
+/* $OpenBSD: ssh-add.c,v 1.166 2022/06/18 02:17:16 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -125,7 +125,7 @@ delete_one(int agent_fd, const struct sshkey *key, const char *comment,
}
if (!qflag) {
fprintf(stderr, "Identity removed: %s %s (%s)\n", path,
- sshkey_type(key), comment);
+ sshkey_type(key), comment ? comment : "no comment");
}
return 0;
}
--
2.33.0

63
backport-upstream-Make-sure-not-to-fclose-the-same-fd-twice-i.patch
View File

@ -1,63 +0,0 @@
From 17904f05802988d0bb9ed3c8d1d37411e8f459c3 Mon Sep 17 00:00:00 2001
From: "tobhe@openbsd.org" <tobhe@openbsd.org>
Date: Tue, 21 Jun 2022 14:52:13 +0000
Subject: upstream: Make sure not to fclose() the same fd twice in case of an
error.
ok dtucker@
OpenBSD-Commit-ID: e384c4e05d5521e7866b3d53ca59acd2a86eef99
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/patch/?id=17904f05802988d0bb9ed3c8d1d37411e8f459c3
---
authfile.c | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/authfile.c b/authfile.c
index 8990137..dce1e84 100644
--- a/authfile.c
+++ b/authfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfile.c,v 1.141 2020/06/18 23:33:38 djm Exp $ */
+/* $OpenBSD: authfile.c,v 1.143 2022/06/21 14:52:13 tobhe Exp $ */
/*
* Copyright (c) 2000, 2013 Markus Friedl. All rights reserved.
*
@@ -515,20 +515,25 @@ sshkey_save_public(const struct sshkey *key, const char *path,
return SSH_ERR_SYSTEM_ERROR;
if ((f = fdopen(fd, "w")) == NULL) {
r = SSH_ERR_SYSTEM_ERROR;
+ close(fd);
goto fail;
}
if ((r = sshkey_write(key, f)) != 0)
goto fail;
fprintf(f, " %s\n", comment);
- if (ferror(f) || fclose(f) != 0) {
+ if (ferror(f)) {
r = SSH_ERR_SYSTEM_ERROR;
+ goto fail;
+ }
+ if (fclose(f) != 0) {
+ r = SSH_ERR_SYSTEM_ERROR;
+ f = NULL;
fail:
- oerrno = errno;
- if (f != NULL)
+ if (f != NULL) {
+ oerrno = errno;
fclose(f);
- else
- close(fd);
- errno = oerrno;
+ errno = oerrno;
+ }
return r;
}
return 0;
--
2.33.0

34
backport-upstream-a-little-extra-debugging.patch
View File

@ -1,34 +0,0 @@
From 940dc10729cb5a95b7ee82c10184e2b9621c8a1d Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Wed, 14 Sep 2022 00:13:13 +0000
Subject: [PATCH] upstream: a little extra debugging
OpenBSD-Commit-ID: edf1601c1d0905f6da4c713f4d9cecc7d1c0295a
Reference:https://github.com/openssh/openssh-portable/commit/940dc10729cb5a95b7ee82c10184e2b9621c8a1d
Conflict:NA
---
ssh-agent.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ssh-agent.c b/ssh-agent.c
index ddda4d77..0aef07eb 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.278 2021/04/03 06:18:41 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.291 2022/09/14 00:13:13 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -845,6 +845,7 @@ process_sign_request2(SocketEntry *e)
/* Success */
ok = 0;
send:
+ debug_f("good signature");
notify_complete(notifier, "User presence confirmed");
if (ok == 0) {
--
2.23.0

44
backport-upstream-avoid-integer-overflow-of-auth-attempts-har.patch
View File

@ -1,44 +0,0 @@
From 32ebaa0dbca5d0bb86e384e72bebc153f48413e4 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Wed, 23 Feb 2022 11:18:13 +0000
Subject: [PATCH] upstream: avoid integer overflow of auth attempts
(harmless,caught by monitor)
OpenBSD-Commit-ID: 488ad570b003b21e0cd9e7a00349cfc1003b4d86
Reference:https://github.com/openssh/openssh-portable/commit/32ebaa0dbca5d0
Conflict:NA
---
auth2.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/auth2.c b/auth2.c
index 7290d54..0de58e6 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.161 2021/04/03 06:18:40 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.164 2022/02/23 11:18:13 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -290,6 +290,8 @@ if (options.check_user_splash)
if ((style = strchr(user, ':')) != NULL)
*style++ = 0;
+ if (authctxt->attempt >= 1024)
+ auth_maxtries_exceeded(ssh);
if (authctxt->attempt++ == 0) {
/* setup auth context */
authctxt->pw = PRIVSEP(getpwnamallow(ssh, user));
@@ -298,6 +300,7 @@ if (options.check_user_splash)
authctxt->valid = 1;
debug2_f("setting up authctxt for %s", user);
} else {
+ authctxt->valid = 0;
/* Invalid user, fake password information */
authctxt->pw = fakepw();
}
--
2.23.0

66
backport-upstream-better-debugging-for-connect_next.patch
View File

@ -1,66 +0,0 @@
From 231a346c0c67cc7ca098360f9a554fa7d4f1eddb Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Mon, 19 Sep 2022 08:49:50 +0000
Subject: [PATCH] upstream: better debugging for connect_next()
OpenBSD-Commit-ID: d16a307a0711499c971807f324484ed3a6036640
Reference:https://github.com/openssh/openssh-portable/commit/231a346c0c67cc7ca098360f9a554fa7d4f1eddb
Conflict:NA
---
channels.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/channels.c b/channels.c
index 3ac51bac..6a78de9d 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.408 2021/09/14 11:04:21 mbuhl Exp $ */
+/* $OpenBSD: channels.c,v 1.420 2022/09/19 08:49:50 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -4403,13 +4403,15 @@ connect_next(struct channel_connect *cctx)
if (getnameinfo(cctx->ai->ai_addr, cctx->ai->ai_addrlen,
ntop, sizeof(ntop), strport, sizeof(strport),
NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
- error("connect_next: getnameinfo failed");
+ error_f("getnameinfo failed");
continue;
}
break;
default:
continue;
}
+ debug_f("start for host %.100s ([%.100s]:%s)",
+ cctx->host, ntop, strport);
if ((sock = socket(cctx->ai->ai_family, cctx->ai->ai_socktype,
cctx->ai->ai_protocol)) == -1) {
if (cctx->ai->ai_next == NULL)
@@ -4422,9 +4424,8 @@ connect_next(struct channel_connect *cctx)
fatal_f("set_nonblock(%d)", sock);
if (connect(sock, cctx->ai->ai_addr,
cctx->ai->ai_addrlen) == -1 && errno != EINPROGRESS) {
- debug("connect_next: host %.100s ([%.100s]:%s): "
- "%.100s", cctx->host, ntop, strport,
- strerror(errno));
+ debug_f("host %.100s ([%.100s]:%s): %.100s",
+ cctx->host, ntop, strport, strerror(errno));
saved_errno = errno;
close(sock);
errno = saved_errno;
@@ -4432,8 +4433,8 @@ connect_next(struct channel_connect *cctx)
}
if (cctx->ai->ai_family != AF_UNIX)
set_nodelay(sock);
- debug("connect_next: host %.100s ([%.100s]:%s) "
- "in progress, fd=%d", cctx->host, ntop, strport, sock);
+ debug_f("connect host %.100s ([%.100s]:%s) in progress, fd=%d",
+ cctx->host, ntop, strport, sock);
cctx->ai = cctx->ai->ai_next;
return sock;
}
--
2.23.0

56
backport-upstream-double-free-in-error-path-from-Eusgor-via-G.patch
View File

@ -1,56 +0,0 @@
From 5062ad48814b06162511c4f5924a33d97b6b2566 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Fri, 19 Aug 2022 03:06:30 +0000
Subject: upstream: double free() in error path; from Eusgor via GHPR333
OpenBSD-Commit-ID: 39f35e16ba878c8d02b4d01d8826d9b321be26d4
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/patch/?id=5062ad48814b06162511c4f5924a33d97b6b2566
---
sshsig.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/sshsig.c b/sshsig.c
index 0e8abf1..58c7df4 100644
--- a/sshsig.c
+++ b/sshsig.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshsig.c,v 1.21 2021/07/23 04:00:59 djm Exp $ */
+/* $OpenBSD: sshsig.c,v 1.30 2022/08/19 03:06:30 djm Exp $ */
/*
* Copyright (c) 2019 Google LLC
*
@@ -491,7 +491,7 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp)
{
char *hex, rbuf[8192], hash[SSH_DIGEST_MAX_LENGTH];
ssize_t n, total = 0;
- struct ssh_digest_ctx *ctx;
+ struct ssh_digest_ctx *ctx = NULL;
int alg, oerrno, r = SSH_ERR_INTERNAL_ERROR;
struct sshbuf *b = NULL;
@@ -514,7 +514,6 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp)
continue;
oerrno = errno;
error_f("read: %s", strerror(errno));
- ssh_digest_free(ctx);
ctx = NULL;
errno = oerrno;
r = SSH_ERR_SYSTEM_ERROR;
@@ -550,9 +549,11 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp)
/* success */
r = 0;
out:
+ oerrno = errno;
sshbuf_free(b);
ssh_digest_free(ctx);
explicit_bzero(hash, sizeof(hash));
+ errno = oerrno;
return r;
}
--
2.33.0

54
backport-upstream-if-sshpkt-functions-fail-then-password-is-n.patch
View File

@ -1,54 +0,0 @@
From 2c334fd36f80cb91cc42e4b978b10aa35e0df236 Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Fri, 27 May 2022 04:29:40 +0000
Subject: upstream: f sshpkt functions fail, then password is not cleared
with freezero. Unconditionally call freezero to guarantee that password is
removed from RAM.
From tobias@ and c3h2_ctf via github PR#286, ok djm@
OpenBSD-Commit-ID: 6b093619c9515328e25b0f8093779c52402c89cd
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=2c334fd36f80cb91cc42e4b978b10aa35e0df236
---
auth2-passwd.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/auth2-passwd.c b/auth2-passwd.c
index be4b860..1d80481 100644
--- a/auth2-passwd.c
+++ b/auth2-passwd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-passwd.c,v 1.19 2020/10/18 11:32:01 djm Exp $ */
+/* $OpenBSD: auth2-passwd.c,v 1.21 2022/05/27 04:29:40 dtucker Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -51,16 +51,18 @@ extern ServerOptions options;
static int
userauth_passwd(struct ssh *ssh)
{
- char *password;
+ char *password = NULL;
int authenticated = 0, r;
u_char change;
- size_t len;
+ size_t len = 0;
if ((r = sshpkt_get_u8(ssh, &change)) != 0 ||
(r = sshpkt_get_cstring(ssh, &password, &len)) != 0 ||
(change && (r = sshpkt_get_cstring(ssh, NULL, NULL)) != 0) ||
- (r = sshpkt_get_end(ssh)) != 0)
+ (r = sshpkt_get_end(ssh)) != 0) {
+ freezero(password, len);
fatal_fr(r, "parse packet");
+ }
if (change)
logit("password change not supported");
--
2.33.0

46
backport-upstream-ignore-SIGPIPE-earlier-in-main-specifically.patch
View File

@ -1,46 +0,0 @@
From 96faa0de6c673a2ce84736eba37fc9fb723d9e5c Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Fri, 1 Jul 2022 00:36:30 +0000
Subject: upstream: ignore SIGPIPE earlier in main(), specifically before
muxclient() which performs operations that could cause one; Reported by Noam
Lewis via bz3454, ok dtucker@
OpenBSD-Commit-ID: 63d8e13276869eebac6d7a05d5a96307f9026e47
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/patch/?id=96faa0de6c673a2ce84736eba37fc9fb723d9e5c
---
ssh.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/ssh.c b/ssh.c
index f55ff73..e987cd5 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.569 2021/09/20 04:02:13 dtucker Exp $ */
+/* $OpenBSD: ssh.c,v 1.575 2022/07/01 00:36:30 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1135,6 +1135,8 @@ main(int ac, char **av)
}
}
+ ssh_signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */
+
/*
* Initialize "log" output. Since we are the client all output
* goes to stderr unless otherwise specified by -y or -E.
@@ -1660,7 +1662,6 @@ main(int ac, char **av)
options.num_system_hostfiles);
tilde_expand_paths(options.user_hostfiles, options.num_user_hostfiles);
- ssh_signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */
ssh_signal(SIGCHLD, main_sigchld_handler);
/* Log into the remote system. Never returns if the login fails. */
--
2.33.0

41
backport-upstream-ssh-keygen-Y-check-novalidate-requires-name.patch
View File

@ -1,41 +0,0 @@
From a0b5816f8f1f645acdf74f7bc11b34455ec30bac Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Fri, 18 Mar 2022 02:31:25 +0000
Subject: [PATCH] upstream: ssh-keygen -Y check-novalidate requires namespace
or SEGV
will ensue. Patch from Mateusz Adamowski via GHPR#307
OpenBSD-Commit-ID: 99e8ec38f9feb38bce6de240335be34aedeba5fd
Reference:https://github.com/openssh/openssh-portable/commit/a0b5816f8f1f645acdf74f7bc11b34455ec30bac
Conflict:NA
---
ssh-keygen.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 7fc616c..bd6ea16 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.437 2021/09/08 03:23:44 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.449 2022/03/18 02:31:25 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -3489,6 +3489,12 @@ main(int argc, char **argv)
return sig_sign(identity_file, cert_principals,
argc, argv);
} else if (strncmp(sign_op, "check-novalidate", 16) == 0) {
+ if (cert_principals == NULL ||
+ *cert_principals == '\0') {
+ error("Too few arguments for check-novalidate: "
+ "missing namespace");
+ exit(1);
+ }
if (ca_key_path == NULL) {
error("Too few arguments for check-novalidate: "
"missing signature file");
--
2.23.0

34
bugfix-openssh-add-option-check-username-splash.patch
View File

@ -6,7 +6,6 @@ Subject: [PATCH] openssh: add option check username splash
add a check to inhibit username contains splash
add an option 'CheckUserSplash' so that user can turn off
this check
---
auth2.c | 4 +++-
servconf.c | 8 ++++++++
@ -15,10 +14,10 @@ this check
4 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/auth2.c b/auth2.c
index 4adc502..956b9cf 100644
index 203ba01..284ea19 100644
--- a/auth2.c
+++ b/auth2.c
@@ -282,11 +282,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
@@ -281,11 +281,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
@ -34,10 +33,10 @@ index 4adc502..956b9cf 100644
*style++ = 0;
diff --git a/servconf.c b/servconf.c
index 7001d56..76147f9 100644
index d72fb62..6888971 100644
--- a/servconf.c
+++ b/servconf.c
@@ -195,6 +195,7 @@ initialize_server_options(ServerOptions *options)
@@ -201,6 +201,7 @@ initialize_server_options(ServerOptions *options)
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
options->version_addendum = NULL;
@ -45,7 +44,7 @@ index 7001d56..76147f9 100644
options->fingerprint_hash = -1;
options->disable_forwarding = -1;
options->expose_userauth_info = -1;
@@ -473,6 +474,8 @@ fill_default_server_options(ServerOptions *options)
@@ -460,6 +461,8 @@ fill_default_server_options(ServerOptions *options)
options->ip_qos_bulk = IPTOS_DSCP_CS1;
if (options->version_addendum == NULL)
options->version_addendum = xstrdup("");
@ -54,15 +53,15 @@ index 7001d56..76147f9 100644
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
options->fwd_opts.streamlocal_bind_mask = 0177;
if (options->fwd_opts.streamlocal_bind_unlink == -1)
@@ -574,6 +577,7 @@ typedef enum {
sStreamLocalBindMask, sStreamLocalBindUnlink,
@@ -553,6 +556,7 @@ typedef enum {
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
sRequiredRSASize,
+ sCheckUserSplash,
sDeprecated, sIgnore, sUnsupported
} ServerOpCodes;
@@ -740,6 +744,7 @@ static struct {
@@ -726,6 +730,7 @@ static struct {
{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
@ -70,7 +69,7 @@ index 7001d56..76147f9 100644
{ "rdomain", sRDomain, SSHCFG_ALL },
{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
@@ -1360,6 +1365,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
@@ -1384,6 +1389,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
case sUsePAM:
intptr = &options->use_pam;
goto parse_flag;
@ -81,30 +80,27 @@ index 7001d56..76147f9 100644
/* Standard Options */
case sBadOption:
diff --git a/servconf.h b/servconf.h
index a3827e5..2c16b5a 100644
index 77fd779..694addf 100644
--- a/servconf.h
+++ b/servconf.h
@@ -226,6 +226,7 @@ typedef struct {
@@ -237,6 +237,7 @@ typedef struct {
int fingerprint_hash;
int expose_userauth_info;
u_int64_t timing_secret;
+ int check_user_splash; /* check whether splash exists in username, if exist, disable login */
char *sk_provider;
int required_rsa_size; /* minimum size of RSA keys */
} ServerOptions;
diff --git a/sshd_config b/sshd_config
index ebc28b3..b121450 100644
index 6d47368..973aecf 100644
--- a/sshd_config
+++ b/sshd_config
@@ -125,6 +125,8 @@ Subsystem sftp /usr/libexec/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
@@ -128,3 +128,5 @@ Subsystem sftp /usr/libexec/sftp-server
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
+#CheckUserSplash yes
+
--
2.23.0
2.27.0

502
feature-add-SMx-support.patch
View File

@ -18,12 +18,12 @@ FingerprintHash sm3
digest.h | 3 +-
kex.c | 1 +
kex.h | 3 +
kexecdh.c | 22 ++-
kexecdh.c | 23 +-
kexgen.c | 3 +
kexsm2.c | 29 ++++
kexsm2.c | 406 ++++++++++++++++++++++++++
mac.c | 1 +
pathnames.h | 1 +
regress/agent.sh | 8 +
regress/agent.sh | 9 +
regress/keytype.sh | 2 +
regress/knownhosts-command.sh | 1 +
regress/misc/fuzz-harness/sig_fuzz.cc | 4 +
@ -31,18 +31,18 @@ FingerprintHash sm3
ssh-ecdsa.c | 6 +-
ssh-keygen.c | 12 +-
ssh-keyscan.c | 12 +-
ssh-sm2.c | 232 ++++++++++++++++++++++++++
ssh-sm2.c | 230 +++++++++++++++
ssh_api.c | 2 +
sshconnect2.c | 1 +
sshd.c | 7 +
sshkey.c | 62 ++++++-
sshkey.c | 62 +++-
sshkey.h | 9 +
27 files changed, 417 insertions(+), 16 deletions(-)
27 files changed, 794 insertions(+), 16 deletions(-)
create mode 100644 kexsm2.c
create mode 100644 ssh-sm2.c
diff --git a/Makefile.in b/Makefile.in
index 07bf440..fb8b006 100644
index 07bf440..1393190 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -100,14 +100,14 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
@ -50,7 +50,7 @@ index 07bf440..fb8b006 100644
readpass.o ttymodes.o xmalloc.o addr.o addrmatch.o \
atomicio.o dispatch.o mac.o misc.o utf8.o \
- monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-ecdsa-sk.o \
+ monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-ecdsa-sk.o ssh-sm2.o \
+ monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-sm2.o ssh-ecdsa-sk.o \
ssh-ed25519-sk.o ssh-rsa.o dh.o \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
ssh-pkcs11.o ssh-pkcs11-uri.o smult_curve25519_ref.o \
@ -76,7 +76,7 @@ index 9f092f7..163b4b5 100644
case KEY_ECDSA_SK_CERT:
#endif
diff --git a/authfile.c b/authfile.c
index d7827ed..8990137 100644
index 666730b..dce1e84 100644
--- a/authfile.c
+++ b/authfile.c
@@ -343,6 +343,7 @@ sshkey_load_private_cert(int type, const char *filename, const char *passphrase,
@ -88,7 +88,7 @@ index d7827ed..8990137 100644
case KEY_ED25519:
case KEY_XMSS:
diff --git a/cipher.c b/cipher.c
index b54b994..16bfdcb 100644
index b54b994..039e414 100644
--- a/cipher.c
+++ b/cipher.c
@@ -88,6 +88,7 @@ static const struct sshcipher ciphers[] = {
@ -100,7 +100,7 @@ index b54b994..16bfdcb 100644
{ NULL, 0, 0, 0, 0, 0, NULL }
diff --git a/digest-openssl.c b/digest-openssl.c
index 94730e9..a93924b 100644
index 94730e9..fa92360 100644
--- a/digest-openssl.c
+++ b/digest-openssl.c
@@ -61,6 +61,7 @@ const struct ssh_digest digests[] = {
@ -112,7 +112,7 @@ index 94730e9..a93924b 100644
};
diff --git a/digest.h b/digest.h
index c7ceeb3..e42affe 100644
index c7ceeb3..520722c 100644
--- a/digest.h
+++ b/digest.h
@@ -27,7 +27,8 @@
@ -159,7 +159,7 @@ index d26ba26..8b95227 100644
void dump_digest(const char *, const u_char *, int);
#endif
diff --git a/kexecdh.c b/kexecdh.c
index efb2e55..a780517 100644
index efb2e55..69ec13b 100644
--- a/kexecdh.c
+++ b/kexecdh.c
@@ -44,7 +44,7 @@
@ -176,7 +176,7 @@ index efb2e55..a780517 100644
goto out;
if ((r = kex_ecdh_dec_key_group(kex, client_blob, server_key, group,
- shared_secretp)) != 0)
+ shared_secretp, 0)) != 0)
+ shared_secretp, 1)) != 0)
goto out;
*server_blobp = server_blob;
server_blob = NULL;
@ -189,7 +189,7 @@ index efb2e55..a780517 100644
{
struct sshbuf *buf = NULL;
BIGNUM *shared_secret = NULL;
@@ -176,10 +176,18 @@ kex_ecdh_dec_key_group(struct kex *kex, const struct sshbuf *ec_blob,
@@ -176,11 +176,20 @@ kex_ecdh_dec_key_group(struct kex *kex, const struct sshbuf *ec_blob,
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
@ -209,14 +209,16 @@ index efb2e55..a780517 100644
+ goto out;
+ }
}
+
#ifdef DEBUG_KEXECDH
dump_digest("shared secret", kbuf, klen);
@@ -203,7 +211,7 @@ kex_ecdh_dec(struct kex *kex, const struct sshbuf *server_blob,
#endif
@@ -203,7 +212,7 @@ kex_ecdh_dec(struct kex *kex, const struct sshbuf *server_blob,
int r;
r = kex_ecdh_dec_key_group(kex, server_blob, kex->ec_client_key,
- kex->ec_group, shared_secretp);
+ kex->ec_group, shared_secretp, 1);
+ kex->ec_group, shared_secretp, 0);
EC_KEY_free(kex->ec_client_key);
kex->ec_client_key = NULL;
return r;
@ -250,17 +252,394 @@ index 31f90f5..f3eff47 100644
break;
diff --git a/kexsm2.c b/kexsm2.c
new file mode 100644
index 0000000..f9b8bb9
index 0000000..f507557
--- /dev/null
+++ b/kexsm2.c
@@ -0,0 +1,29 @@
@@ -0,0 +1,406 @@
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/bn.h>
+#include <string.h>
+#include <openssl/ecdh.h>
+#include <openssl/ec.h>
+#include <openssl/sm2.h>
+#include <string.h>
+
+int sm2_compute_z_digest(uint8_t *out,
+ const EVP_MD *digest,
+ const uint8_t *id,
+ const size_t id_len,
+ const EC_KEY *key)
+{
+ int rc = 0;
+ const EC_GROUP *group = EC_KEY_get0_group(key);
+ BN_CTX *ctx = NULL;
+ EVP_MD_CTX *hash = NULL;
+ BIGNUM *p = NULL;
+ BIGNUM *a = NULL;
+ BIGNUM *b = NULL;
+ BIGNUM *xG = NULL;
+ BIGNUM *yG = NULL;
+ BIGNUM *xA = NULL;
+ BIGNUM *yA = NULL;
+ int p_bytes = 0;
+ uint8_t *buf = NULL;
+ uint16_t entl = 0;
+ uint8_t e_byte = 0;
+
+ hash = EVP_MD_CTX_new();
+ ctx = BN_CTX_new();
+ if (hash == NULL || ctx == NULL) {
+ goto done;
+ }
+
+ p = BN_CTX_get(ctx);
+ a = BN_CTX_get(ctx);
+ b = BN_CTX_get(ctx);
+ xG = BN_CTX_get(ctx);
+ yG = BN_CTX_get(ctx);
+ xA = BN_CTX_get(ctx);
+ yA = BN_CTX_get(ctx);
+
+ if (yA == NULL) {
+ goto done;
+ }
+
+ if (!EVP_DigestInit(hash, digest)) {
+ goto done;
+ }
+
+ /* Z = h(ENTL || ID || a || b || xG || yG || xA || yA) */
+
+ if (id_len >= (UINT16_MAX / 8)) {
+ /* too large */
+ goto done;
+ }
+
+ entl = (uint16_t)(8 * id_len);
+
+ e_byte = entl >> 8;
+ if (!EVP_DigestUpdate(hash, &e_byte, 1)) {
+ goto done;
+ }
+ e_byte = entl & 0xFF;
+ if (!EVP_DigestUpdate(hash, &e_byte, 1)) {
+ goto done;
+ }
+
+ if (id_len > 0 && !EVP_DigestUpdate(hash, id, id_len)) {
+ goto done;
+ }
+
+ if (!EC_GROUP_get_curve(group, p, a, b, ctx)) {
+ goto done;
+ }
+
+ p_bytes = BN_num_bytes(p);
+ buf = OPENSSL_zalloc(p_bytes);
+ if (buf == NULL) {
+ goto done;
+ }
+
+ if (BN_bn2binpad(a, buf, p_bytes) < 0
+ || !EVP_DigestUpdate(hash, buf, p_bytes)
+ || BN_bn2binpad(b, buf, p_bytes) < 0
+ || !EVP_DigestUpdate(hash, buf, p_bytes)
+ || !EC_POINT_get_affine_coordinates(group,
+ EC_GROUP_get0_generator(group),
+ xG, yG, ctx)
+ || BN_bn2binpad(xG, buf, p_bytes) < 0
+ || !EVP_DigestUpdate(hash, buf, p_bytes)
+ || BN_bn2binpad(yG, buf, p_bytes) < 0
+ || !EVP_DigestUpdate(hash, buf, p_bytes)
+ || !EC_POINT_get_affine_coordinates(group,
+ EC_KEY_get0_public_key(key),
+ xA, yA, ctx)
+ || BN_bn2binpad(xA, buf, p_bytes) < 0
+ || !EVP_DigestUpdate(hash, buf, p_bytes)
+ || BN_bn2binpad(yA, buf, p_bytes) < 0
+ || !EVP_DigestUpdate(hash, buf, p_bytes)
+ || !EVP_DigestFinal(hash, out, NULL)) {
+ goto done;
+ }
+
+ rc = 1;
+
+ done:
+ OPENSSL_free(buf);
+ BN_CTX_free(ctx);
+ EVP_MD_CTX_free(hash);
+ return rc;
+}
+
+
+/* GM/T003_2012 Defined Key Derive Function */
+int kdf_gmt003_2012(unsigned char *out, size_t outlen, const unsigned char *Z, size_t Zlen, const unsigned char *SharedInfo, size_t SharedInfolen, const EVP_MD *md)
+{
+ EVP_MD_CTX *mctx = NULL;
+ unsigned int counter;
+ unsigned char ctr[4];
+ size_t mdlen;
+ int retval = 0;
+ unsigned char dgst[EVP_MAX_MD_SIZE];
+
+ if (!out || !outlen) return retval;
+ if (md == NULL) {
+ md = EVP_sm3();
+ }
+ mdlen = EVP_MD_size(md);
+ mctx = EVP_MD_CTX_new();
+ if (mctx == NULL) {
+ goto err;
+ }
+
+ for (counter = 1;; counter++) {
+ if (!EVP_DigestInit(mctx, md)) {
+ goto err;
+ }
+ ctr[0] = (unsigned char)((counter >> 24) & 0xFF);
+ ctr[1] = (unsigned char)((counter >> 16) & 0xFF);
+ ctr[2] = (unsigned char)((counter >> 8) & 0xFF);
+ ctr[3] = (unsigned char)(counter & 0xFF);
+
+ if (!EVP_DigestUpdate(mctx, Z, Zlen)) {
+ goto err;
+ }
+ if (!EVP_DigestUpdate(mctx, ctr, sizeof(ctr))) {
+ goto err;
+ }
+ if (!EVP_DigestUpdate(mctx, SharedInfo, SharedInfolen)) {
+ goto err;
+ }
+ if (!EVP_DigestFinal(mctx, dgst, NULL)) {
+ goto err;
+ }
+
+ if (outlen > mdlen) {
+ memcpy(out, dgst, mdlen);
+ out += mdlen;
+ outlen -= mdlen;
+ } else {
+ memcpy(out, dgst, outlen);
+ memset(dgst, 0, mdlen);
+ break;
+ }
+ }
+
+ retval = 1;
+
+err:
+ EVP_MD_CTX_free(mctx);
+ return retval;
+}
+
+int sm2_kap_compute_key(void *out, size_t outlen, int server,\
+ const uint8_t *peer_uid, int peer_uid_len, const uint8_t *self_uid, int self_uid_len, \
+ const EC_KEY *peer_ecdhe_key, const EC_KEY *self_ecdhe_key, const EC_KEY *peer_pub_key, const EC_KEY *self_eckey, \
+ const EVP_MD *md)
+{
+ BN_CTX *ctx = NULL;
+ EC_POINT *UorV = NULL;
+ const EC_POINT *Rs, *Rp;
+ BIGNUM *Xs = NULL, *Xp = NULL, *h = NULL, *t = NULL, *two_power_w = NULL, *order = NULL;
+ const BIGNUM *priv_key, *r;
+ const EC_GROUP *group;
+ int w;
+ int ret = -1;
+ size_t buflen, len;
+ unsigned char *buf = NULL;
+
+ if (outlen > INT_MAX) {
+ goto err;
+ }
+
+ if (!peer_pub_key || !self_eckey) {
+ goto err;
+ }
+
+ priv_key = EC_KEY_get0_private_key(self_eckey);
+ if (!priv_key) {
+ goto err;
+ }
+
+ if (!peer_ecdhe_key || !self_ecdhe_key) {
+ goto err;
+ }
+
+ Rs = EC_KEY_get0_public_key(self_ecdhe_key);
+ Rp = EC_KEY_get0_public_key(peer_ecdhe_key);
+ r = EC_KEY_get0_private_key(self_ecdhe_key);
+
+ if (!Rs || !Rp || !r) {
+ goto err;
+ }
+
+ ctx = BN_CTX_new();
+ Xs = BN_new();
+ Xp = BN_new();
+ h = BN_new();
+ t = BN_new();
+ two_power_w = BN_new();
+ order = BN_new();
+ if (!Xs || !Xp || !h || !t || !two_power_w || !order) {
+ goto err;
+ }
+
+ group = EC_KEY_get0_group(self_eckey);
+
+ /*Second: Caculate -- w*/
+ if (!EC_GROUP_get_order(group, order, ctx) || !EC_GROUP_get_cofactor(group, h, ctx)) {
+ goto err;
+ }
+
+ w = (BN_num_bits(order) + 1) / 2 - 1;
+ if (!BN_lshift(two_power_w, BN_value_one(), w)) {
+ goto err;
+ }
+
+ /*Third: Caculate -- X = 2 ^ w + (x & (2 ^ w - 1)) = 2 ^ w + (x mod 2 ^ w)*/
+ UorV = EC_POINT_new(group);
+
+ if (!UorV) {
+ goto err;
+ }
+
+ /*Test peer public key On curve*/
+ if (!EC_POINT_is_on_curve(group, Rp, ctx)) {
+ goto err;
+ }
+
+ /*Get x*/
+ if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field) {
+ if (!EC_POINT_get_affine_coordinates_GFp(group, Rs, Xs, NULL, ctx)) {
+ goto err;
+ }
+
+ if (!EC_POINT_get_affine_coordinates_GFp(group, Rp, Xp, NULL, ctx)) {
+ goto err;
+ }
+ }
+
+ /*x mod 2 ^ w*/
+ /*Caculate Self x*/
+ if (!BN_nnmod(Xs, Xs, two_power_w, ctx)) {
+ goto err;
+ }
+
+ if (!BN_add(Xs, Xs, two_power_w)) {
+ goto err;
+ }
+
+ /*Caculate Peer x*/
+ if (!BN_nnmod(Xp, Xp, two_power_w, ctx)) {
+ goto err;
+ }
+
+ if (!BN_add(Xp, Xp, two_power_w)) {
+ goto err;
+ }
+
+ /*Forth: Caculate t*/
+ if (!BN_mod_mul(t, Xs, r, order, ctx)) {
+ goto err;
+ }
+
+ if (!BN_mod_add(t, t, priv_key, order, ctx)) {
+ goto err;
+ }
+
+ /*Fifth: Caculate V or U*/
+ if (!BN_mul(t, t, h, ctx)) {
+ goto err;
+ }
+
+ /* [x]R */
+ if (!EC_POINT_mul(group, UorV, NULL, Rp, Xp, ctx)) {
+ goto err;
+ }
+
+ /* P + [x]R */
+ if (!EC_POINT_add(group, UorV, UorV, EC_KEY_get0_public_key(peer_pub_key), ctx)) {
+ goto err;
+ }
+
+ if (!EC_POINT_mul(group, UorV, NULL, UorV, t, ctx)) {
+ goto err;
+ }
+
+ /* Detect UorV is in */
+ if (EC_POINT_is_at_infinity(group, UorV)) {
+ goto err;
+ }
+
+ /*Sixth: Caculate Key -- Need Xuorv, Yuorv, Zc, Zs, klen*/
+ {
+ /*
+ size_t buflen, len;
+ unsigned char *buf = NULL;
+ */
+ size_t elemet_len, idx;
+
+ elemet_len = (size_t)((EC_GROUP_get_degree(group) + 7) / 8);
+ buflen = elemet_len * 2 + 32 * 2 + 1; /*add 1 byte tag*/
+ buf = (unsigned char *)OPENSSL_malloc(buflen + 10);
+ if (!buf) {
+ goto err;
+ }
+ memset(buf, 0, buflen + 10);
+ /*1 : Get public key for UorV, Notice: the first byte is a tag, not a valid char*/
+ idx = EC_POINT_point2oct(group, UorV, 4, buf, buflen, ctx);
+ if (!idx) {
+ goto err;
+ }
+
+ if (!server) {
+ /*SIDE A*/
+ len = buflen - idx;
+ if (!sm2_compute_z_digest( (unsigned char *)(buf + idx), md, (const uint8_t *)self_uid, self_uid_len, self_eckey)) {
+ goto err;
+ }
+ len = 32;
+ idx += len;
+ }
+
+ /*Caculate Peer Z*/
+ len = buflen - idx;
+ if (!sm2_compute_z_digest( (unsigned char *)(buf + idx), md, (const uint8_t *)peer_uid, peer_uid_len, peer_pub_key)) {
+ goto err;
+ }
+ len = 32;
+ idx += len;
+
+ if (server) {
+ /*SIDE B*/
+ len = buflen - idx;
+ if (!sm2_compute_z_digest( (unsigned char *)(buf + idx), md, (const uint8_t *)self_uid, self_uid_len, self_eckey)) {
+ goto err;
+ }
+ len = 32;
+ idx += len;
+ }
+
+ len = outlen;
+ if (!kdf_gmt003_2012(out, len, (const unsigned char *)(buf + 1), idx - 1, NULL, 0, md)) {
+ goto err;
+ }
+ }
+
+ ret = outlen;
+
+err:
+ if (Xs) BN_free(Xs);
+ if (Xp) BN_free(Xp);
+ if (h) BN_free(h);
+ if (t) BN_free(t);
+ if (two_power_w) BN_free(two_power_w);
+ if (order) BN_free(order);
+ if (UorV) EC_POINT_free(UorV);
+ if (buf) OPENSSL_free(buf);
+ if (ctx) BN_CTX_free(ctx);
+
+ return ret;
+}
+
+int SM2KAP_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, const EC_KEY *eckey, int server)
+{
@ -277,14 +656,14 @@ index 0000000..f9b8bb9
+ goto out;
+ }
+
+ ret = SM2_compute_key(out, outlen, server, id, sizeof(id), id, sizeof(id), pubkey, eckey, pubkey, eckey, (EVP_MD*)EVP_sm3());
+ ret = sm2_kap_compute_key(out, outlen, server, id, sizeof(id), id, sizeof(id), pubkey, eckey, pubkey, eckey, (EVP_MD*)EVP_sm3());
+
+out:
+ EC_KEY_free(pubkey);
+ return ret;
+}
diff --git a/mac.c b/mac.c
index bf051ba..d643dc8 100644
index bf051ba..2de17a0 100644
--- a/mac.c
+++ b/mac.c
@@ -65,6 +65,7 @@ static const struct macalg macs[] = {
@ -296,7 +675,7 @@ index bf051ba..d643dc8 100644
/* Encrypt-then-MAC variants */
{ "hmac-sha1-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 1 },
diff --git a/pathnames.h b/pathnames.h
index a094888..0323fac 100644
index a094888..0a805ad 100644
--- a/pathnames.h
+++ b/pathnames.h
@@ -80,6 +80,7 @@
@ -308,10 +687,10 @@ index a094888..0323fac 100644
/*
* Configuration file in user's home directory. This file need not be
diff --git a/regress/agent.sh b/regress/agent.sh
index f187b67..046c2a6 100644
index f187b67..42a5124 100644
--- a/regress/agent.sh
+++ b/regress/agent.sh
@@ -87,9 +87,17 @@ fi
@@ -87,9 +87,18 @@ fi
for t in ${SSH_KEYTYPES}; do
trace "connect via agent using $t key"
if [ "$t" = "ssh-dss" ]; then
@ -326,6 +705,7 @@ index f187b67..046c2a6 100644
+ echo "PubkeyAcceptedAlgorithms +sm2,sm2-cert" >> $OBJ/ssh_proxy
+ echo "PubkeyAcceptedAlgorithms +sm2,sm2-cert" >> $OBJ/sshd_proxy
+ fi
+
${SSH} -F $OBJ/ssh_proxy -i $OBJ/$t-agent.pub -oIdentitiesOnly=yes \
somehost exit 52
r=$?
@ -384,17 +764,17 @@ index b32502b..f260692 100644
sshkey_verify(ed25519, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
sshkey_sig_details_free(details);
diff --git a/regress/unittests/kex/test_kex.c b/regress/unittests/kex/test_kex.c
index 3bd71a9..9c537d1 100644
index 3bd71a9..312e8f2 100644
--- a/regress/unittests/kex/test_kex.c
+++ b/regress/unittests/kex/test_kex.c
@@ -153,6 +153,7 @@ do_kex_with_key(char *kex, int keytype, int bits)
@@ -152,6 +152,7 @@ do_kex_with_key(char *kex, int keytype, int bits)
#endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
server2->kex->kex[KEX_C25519_SHA256] = kex_gen_server;
server2->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
+ server2->kex->kex[KEX_SM2_SM3] = kex_gen_server;
server2->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
server2->kex->load_host_public_key = server->kex->load_host_public_key;
server2->kex->load_host_private_key = server->kex->load_host_private_key;
server2->kex->sign = server->kex->sign;
@@ -186,6 +187,7 @@ do_kex(char *kex)
#endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
@ -412,7 +792,7 @@ index 3bd71a9..9c537d1 100644
do_kex("sntrup761x25519-sha512@openssh.com");
# endif /* USE_SNTRUP761X25519 */
diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c
index b036796..7eed8ae 100644
index b036796..6697be6 100644
--- a/ssh-ecdsa.c
+++ b/ssh-ecdsa.c
@@ -66,7 +66,8 @@ ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
@ -436,7 +816,7 @@ index b036796..7eed8ae 100644
return SSH_ERR_INVALID_ARGUMENT;
diff --git a/ssh-keygen.c b/ssh-keygen.c
index e04bade..7fc616c 100644
index b9c4dce..bd6ea16 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -192,6 +192,7 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
@ -494,7 +874,7 @@ index e04bade..7fc616c 100644
" ssh-keygen -p [-a rounds] [-f keyfile] [-m format] [-N new_passphrase]\n"
" [-P old_passphrase] [-Z cipher]\n"
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index 9ec4d9a..94a734c 100644
index 9ec4d9a..be2af0a 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -63,9 +63,10 @@ int ssh_port = SSH_DEFAULT_PORT;
@ -541,10 +921,10 @@ index 9ec4d9a..94a734c 100644
break;
diff --git a/ssh-sm2.c b/ssh-sm2.c
new file mode 100644
index 0000000..4d452e4
index 0000000..c242139
--- /dev/null
+++ b/ssh-sm2.c
@@ -0,0 +1,232 @@
@@ -0,0 +1,220 @@
+#include "includes.h"
+#include <sys/types.h>
+#include <openssl/bn.h>
@ -582,9 +962,8 @@ index 0000000..4d452e4
+ *sigp = NULL;
+
+ if (key == NULL || key->ecdsa == NULL ||
+ sshkey_type_plain(key->type) != KEY_SM2) {
+ sshkey_type_plain(key->type) != KEY_SM2)
+ return SSH_ERR_INVALID_ARGUMENT;
+ }
+
+ if ((key_sm2 = EVP_PKEY_new()) == NULL) {
+ return SSH_ERR_ALLOC_FAIL;
@ -602,11 +981,6 @@ index 0000000..4d452e4
+
+ slen = pkey_len;
+
+ if ((EVP_PKEY_set_alias_type(key_sm2, EVP_PKEY_SM2)) != 1) {
+ ret = SSH_ERR_INTERNAL_ERROR;
+ goto out;
+ }
+
+ if ((sig = OPENSSL_malloc(pkey_len)) == NULL) {
+ ret = SSH_ERR_ALLOC_FAIL;
+ goto out;
@ -652,7 +1026,6 @@ index 0000000..4d452e4
+ if ((r = sshbuf_put_cstring(b, "sm2")) != 0 ||
+ (r = sshbuf_put_string(b, sig, slen)) != 0)
+ goto out;
+
+ len = sshbuf_len(b);
+ if (sigp != NULL) {
+ if ((*sigp = malloc(len)) == NULL) {
@ -731,11 +1104,6 @@ index 0000000..4d452e4
+ goto out;
+ }
+
+ if ((EVP_PKEY_set_alias_type(key_sm2, EVP_PKEY_SM2)) != 1) {
+ ret = SSH_ERR_INTERNAL_ERROR;
+ goto out;
+ }
+
+ if ((pctx = EVP_PKEY_CTX_new(key_sm2, NULL)) == NULL) {
+ ret = SSH_ERR_ALLOC_FAIL;
+ goto out;
@ -798,7 +1166,7 @@ index d3c6617..adc2598 100644
#endif /* WITH_OPENSSL */
ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
diff --git a/sshconnect2.c b/sshconnect2.c
index aa32ece..e90eb89 100644
index fafc0a2..9a01f1a 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -327,6 +327,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
@ -810,7 +1178,7 @@ index aa32ece..e90eb89 100644
# ifdef GSSAPI
if (options.gss_keyex) {
diff --git a/sshd.c b/sshd.c
index b7b0c18..dd7cdee 100644
index 8424e33..57d70fe 100644
--- a/sshd.c
+++ b/sshd.c
@@ -706,6 +706,7 @@ list_hostkey_types(void)
@ -856,7 +1224,7 @@ index b7b0c18..dd7cdee 100644
case KEY_ED25519:
case KEY_ECDSA_SK:
case KEY_ED25519_SK:
@@ -2570,6 +2576,7 @@ do_ssh2_kex(struct ssh *ssh)
@@ -2572,6 +2578,7 @@ do_ssh2_kex(struct ssh *ssh)
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
# ifdef OPENSSL_HAS_ECC
kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
@ -865,7 +1233,7 @@ index b7b0c18..dd7cdee 100644
# ifdef GSSAPI
if (options.gss_keyex) {
diff --git a/sshkey.c b/sshkey.c
index b0c2189..1b70488 100644
index b0c2189..51f8e51 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -159,6 +159,8 @@ static const struct keytype keytypes[] = {
@ -886,15 +1254,15 @@ index b0c2189..1b70488 100644
return 1;
}
return 0;
@@ -340,6 +344,8 @@ sshkey_size(const struct sshkey *k)
return BN_num_bits(dsa_p);
case KEY_ECDSA:
@@ -342,6 +346,8 @@ sshkey_size(const struct sshkey *k)
case KEY_ECDSA_CERT:
+ case KEY_SM2:
+ case KEY_SM2_CERT:
case KEY_ECDSA_SK:
case KEY_ECDSA_SK_CERT:
+ case KEY_SM2:
+ case KEY_SM2_CERT:
return sshkey_curve_nid_to_bits(k->ecdsa_nid);
#endif /* WITH_OPENSSL */
case KEY_ED25519:
@@ -366,6 +372,8 @@ sshkey_type_is_valid_ca(int type)
case KEY_ED25519:
case KEY_ED25519_SK:
@ -940,15 +1308,15 @@ index b0c2189..1b70488 100644
default:
return NULL;
}
@@ -693,6 +709,8 @@ sshkey_new(int type)
break;
case KEY_ECDSA:
@@ -695,6 +711,8 @@ sshkey_new(int type)
case KEY_ECDSA_CERT:
+ case KEY_SM2:
+ case KEY_SM2_CERT:
case KEY_ECDSA_SK:
case KEY_ECDSA_SK_CERT:
+ case KEY_SM2:
+ case KEY_SM2_CERT:
/* Cannot do anything until we know the group */
break;
#endif /* WITH_OPENSSL */
@@ -749,6 +767,8 @@ sshkey_free(struct sshkey *k)
/* FALLTHROUGH */
case KEY_ECDSA:
@ -962,8 +1330,8 @@ index b0c2189..1b70488 100644
/* FALLTHROUGH */
case KEY_ECDSA_CERT:
case KEY_ECDSA:
+ case KEY_SM2_CERT:
+ case KEY_SM2:
+ case KEY_SM2_CERT:
if (a->ecdsa == NULL || b->ecdsa == NULL ||
EC_KEY_get0_public_key(a->ecdsa) == NULL ||
EC_KEY_get0_public_key(b->ecdsa) == NULL)
@ -1049,14 +1417,14 @@ index b0c2189..1b70488 100644
case KEY_ECDSA_SK_CERT:
/* Skip nonce */
if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
@@ -2556,6 +2593,7 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
}
@@ -2557,6 +2594,7 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
/* FALLTHROUGH */
case KEY_ECDSA:
+ case KEY_SM2:
case KEY_ECDSA_SK:
+ case KEY_SM2:
if ((key = sshkey_new(type)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
@@ -2865,6 +2903,10 @@ sshkey_sign(struct sshkey *key,
case KEY_ECDSA:
r = ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat);
@ -1189,5 +1557,5 @@ index 43eef5e..3b84096 100644
#if !defined(WITH_OPENSSL)
--
2.33.0
2.23.0

72
feature-openssh-7.4-hima-sftpserver-oom-and-fix.patch
View File

@ -1,19 +1,20 @@
From 6d98c61e18fe65a52e21df9cece74675f9c18125 Mon Sep 17 00:00:00 2001
From: s00467541 <shenyining@huawei.com>
From: shenyining <shenyining@huawei.com>
Date: Thu, 16 Apr 2020 17:13:24 +0800
Subject: [PATCH] sync patch, add new judgement and
delete default sftp-put-check.cfg
Signed-off-by: s00467541 <shenyining@huawei.com>
Signed-off-by: shenyining <shenyining@huawei.com>
---
sftp-server.c | 703 +++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 691 insertions(+), 12 deletions(-)
sftp-server.c | 702 +++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 690 insertions(+), 12 deletions(-)
diff --git a/sftp-server.c b/sftp-server.c
index 01d6f8f..682c19a 100644
index 5677aa3..4eb06d1 100644
--- a/sftp-server.c
+++ b/sftp-server.c
@@ -29,6 +29,12 @@
@@ -30,6 +30,12 @@
#include <sys/statvfs.h>
#endif
@ -26,7 +27,7 @@ index 01d6f8f..682c19a 100644
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
@@ -51,6 +57,17 @@
@@ -57,6 +63,17 @@
#include "sftp.h"
#include "sftp-common.h"
@ -44,7 +45,7 @@ index 01d6f8f..682c19a 100644
char *sftp_realpath(const char *, char *); /* sftp-realpath.c */
/* Maximum data read that we are willing to accept */
@@ -89,6 +106,452 @@ struct Stat {
@@ -98,6 +115,452 @@ struct Stat {
Attrib attrib;
};
@ -497,7 +498,7 @@ index 01d6f8f..682c19a 100644
/* Packet handlers */
static void process_open(u_int32_t id);
static void process_close(u_int32_t id);
@@ -695,6 +1158,15 @@ process_open(u_int32_t id)
@@ -755,6 +1218,15 @@ process_open(u_int32_t id)
(r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */
(r = decode_attrib(iqueue, &a)) != 0)
fatal_fr(r, "parse");
@ -513,7 +514,7 @@ index 01d6f8f..682c19a 100644
debug3("request %u: open flags %d", id, pflags);
flags = flags_from_portable(pflags);
@@ -728,6 +1200,8 @@ process_open(u_int32_t id)
@@ -788,6 +1260,8 @@ process_open(u_int32_t id)
(void) umask(old_umask); /* restore umask to something sane */
if (status != SSH2_FX_OK)
send_status(id, status);
@ -522,7 +523,7 @@ index 01d6f8f..682c19a 100644
free(name);
}
@@ -759,6 +1233,17 @@ process_read(u_int32_t id)
@@ -820,6 +1294,17 @@ process_read(u_int32_t id)
(r = sshbuf_get_u32(iqueue, &len)) != 0)
fatal_fr(r, "parse");
@ -540,7 +541,7 @@ index 01d6f8f..682c19a 100644
debug("request %u: read \"%s\" (handle %d) off %llu len %u",
id, handle_to_name(handle), handle, (unsigned long long)off, len);
if ((fd = handle_to_fd(handle)) == -1)
@@ -800,6 +1285,18 @@ process_write(u_int32_t id)
@@ -874,6 +1359,18 @@ process_write(u_int32_t id)
(r = sshbuf_get_string(iqueue, &data, &len)) != 0)
fatal_fr(r, "parse");
@ -559,7 +560,7 @@ index 01d6f8f..682c19a 100644
debug("request %u: write \"%s\" (handle %d) off %llu len %zu",
id, handle_to_name(handle), handle, (unsigned long long)off, len);
fd = handle_to_fd(handle);
@@ -813,17 +1310,30 @@ process_write(u_int32_t id)
@@ -888,17 +1385,30 @@ process_write(u_int32_t id)
strerror(errno));
} else {
/* XXX ATOMICIO ? */
@ -600,7 +601,7 @@ index 01d6f8f..682c19a 100644
}
}
}
@@ -841,6 +1352,16 @@ process_do_stat(u_int32_t id, int do_lstat)
@@ -917,6 +1427,16 @@ process_do_stat(u_int32_t id, int do_lstat)
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0)
fatal_fr(r, "parse");
@ -617,7 +618,7 @@ index 01d6f8f..682c19a 100644
debug3("request %u: %sstat", id, do_lstat ? "l" : "");
verbose("%sstat name \"%s\"", do_lstat ? "l" : "", name);
r = do_lstat ? lstat(name, &st) : stat(name, &st);
@@ -877,6 +1398,16 @@ process_fstat(u_int32_t id)
@@ -953,6 +1473,16 @@ process_fstat(u_int32_t id)
if ((r = get_handle(iqueue, &handle)) != 0)
fatal_fr(r, "parse");
@ -634,7 +635,7 @@ index 01d6f8f..682c19a 100644
debug("request %u: fstat \"%s\" (handle %u)",
id, handle_to_name(handle), handle);
fd = handle_to_fd(handle);
@@ -929,6 +1460,14 @@ process_setstat(u_int32_t id)
@@ -1005,6 +1535,14 @@ process_setstat(u_int32_t id)
(r = decode_attrib(iqueue, &a)) != 0)
fatal_fr(r, "parse");
@ -649,7 +650,7 @@ index 01d6f8f..682c19a 100644
debug("request %u: setstat name \"%s\"", id, name);
if (a.flags & SSH2_FILEXFER_ATTR_SIZE) {
logit("set \"%s\" size %llu",
@@ -983,6 +1522,13 @@ process_fsetstat(u_int32_t id)
@@ -1059,6 +1597,13 @@ process_fsetstat(u_int32_t id)
else {
char *name = handle_to_name(handle);
@ -663,7 +664,7 @@ index 01d6f8f..682c19a 100644
if (a.flags & SSH2_FILEXFER_ATTR_SIZE) {
logit("set \"%s\" size %llu",
name, (unsigned long long)a.size);
@@ -1040,6 +1586,14 @@ process_opendir(u_int32_t id)
@@ -1116,6 +1661,14 @@ process_opendir(u_int32_t id)
if ((r = sshbuf_get_cstring(iqueue, &path, NULL)) != 0)
fatal_fr(r, "parse");
@ -678,18 +679,17 @@ index 01d6f8f..682c19a 100644
debug3("request %u: opendir", id);
logit("opendir \"%s\"", path);
dirp = opendir(path);
@@ -1094,6 +1648,10 @@ process_readdir(u_int32_t id)
@@ -1170,6 +1723,9 @@ process_readdir(u_int32_t id)
strcmp(path, "/") ? "/" : "", dp->d_name);
if (lstat(pathname, &st) == -1)
continue;
+ if (RETURN_OK != path_permition_check(pathname,FLAG_PERMITOP))
+ {
+ if (RETURN_OK != path_permition_check(pathname,FLAG_PERMITOP)) {
+ continue;
+ }
stat_to_attrib(&st, &(stats[count].attrib));
stats[count].name = xstrdup(dp->d_name);
stats[count].long_name = ls_file(dp->d_name, &st, 0, 0);
@@ -1125,6 +1683,14 @@ process_remove(u_int32_t id)
stats[count].long_name = ls_file(dp->d_name, &st,
@@ -1202,6 +1758,14 @@ process_remove(u_int32_t id)
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0)
fatal_fr(r, "parse");
@ -704,7 +704,7 @@ index 01d6f8f..682c19a 100644
debug3("request %u: remove", id);
logit("remove name \"%s\"", name);
r = unlink(name);
@@ -1144,6 +1710,14 @@ process_mkdir(u_int32_t id)
@@ -1221,6 +1785,14 @@ process_mkdir(u_int32_t id)
(r = decode_attrib(iqueue, &a)) != 0)
fatal_fr(r, "parse");
@ -719,7 +719,7 @@ index 01d6f8f..682c19a 100644
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ?
a.perm & 07777 : 0777;
debug3("request %u: mkdir", id);
@@ -1163,6 +1737,14 @@ process_rmdir(u_int32_t id)
@@ -1240,6 +1812,14 @@ process_rmdir(u_int32_t id)
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0)
fatal_fr(r, "parse");
@ -734,7 +734,7 @@ index 01d6f8f..682c19a 100644
debug3("request %u: rmdir", id);
logit("rmdir name \"%s\"", name);
r = rmdir(name);
@@ -1187,8 +1769,12 @@ process_realpath(u_int32_t id)
@@ -1264,8 +1844,12 @@ process_realpath(u_int32_t id)
}
debug3("request %u: realpath", id);
verbose("realpath \"%s\"", path);
@ -749,7 +749,7 @@ index 01d6f8f..682c19a 100644
} else {
Stat s;
attrib_clear(&s.attrib);
@@ -1209,6 +1795,16 @@ process_rename(u_int32_t id)
@@ -1286,6 +1870,16 @@ process_rename(u_int32_t id)
(r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0)
fatal_fr(r, "parse");
@ -766,7 +766,7 @@ index 01d6f8f..682c19a 100644
debug3("request %u: rename", id);
logit("rename old \"%s\" new \"%s\"", oldpath, newpath);
status = SSH2_FX_FAILURE;
@@ -1268,6 +1864,14 @@ process_readlink(u_int32_t id)
@@ -1345,6 +1939,14 @@ process_readlink(u_int32_t id)
if ((r = sshbuf_get_cstring(iqueue, &path, NULL)) != 0)
fatal_fr(r, "parse");
@ -781,7 +781,7 @@ index 01d6f8f..682c19a 100644
debug3("request %u: readlink", id);
verbose("readlink \"%s\"", path);
if ((len = readlink(path, buf, sizeof(buf) - 1)) == -1)
@@ -1293,6 +1897,16 @@ process_symlink(u_int32_t id)
@@ -1370,6 +1972,16 @@ process_symlink(u_int32_t id)
(r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0)
fatal_fr(r, "parse");
@ -798,7 +798,7 @@ index 01d6f8f..682c19a 100644
debug3("request %u: symlink", id);
logit("symlink old \"%s\" new \"%s\"", oldpath, newpath);
/* this will fail if 'newpath' exists */
@@ -1313,6 +1927,16 @@ process_extended_posix_rename(u_int32_t id)
@@ -1390,6 +2002,16 @@ process_extended_posix_rename(u_int32_t id)
(r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0)
fatal_fr(r, "parse");
@ -815,7 +815,7 @@ index 01d6f8f..682c19a 100644
debug3("request %u: posix-rename", id);
logit("posix-rename old \"%s\" new \"%s\"", oldpath, newpath);
r = rename(oldpath, newpath);
@@ -1331,6 +1955,15 @@ process_extended_statvfs(u_int32_t id)
@@ -1408,6 +2030,15 @@ process_extended_statvfs(u_int32_t id)
if ((r = sshbuf_get_cstring(iqueue, &path, NULL)) != 0)
fatal_fr(r, "parse");
@ -831,7 +831,7 @@ index 01d6f8f..682c19a 100644
debug3("request %u: statvfs", id);
logit("statvfs \"%s\"", path);
@@ -1349,6 +1982,17 @@ process_extended_fstatvfs(u_int32_t id)
@@ -1426,6 +2057,17 @@ process_extended_fstatvfs(u_int32_t id)
if ((r = get_handle(iqueue, &handle)) != 0)
fatal_fr(r, "parse");
@ -849,7 +849,7 @@ index 01d6f8f..682c19a 100644
debug("request %u: fstatvfs \"%s\" (handle %u)",
id, handle_to_name(handle), handle);
if ((fd = handle_to_fd(handle)) < 0) {
@@ -1371,6 +2015,15 @@ process_extended_hardlink(u_int32_t id)
@@ -1448,6 +2090,15 @@ process_extended_hardlink(u_int32_t id)
(r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0)
fatal_fr(r, "parse");
@ -865,7 +865,7 @@ index 01d6f8f..682c19a 100644
debug3("request %u: hardlink", id);
logit("hardlink old \"%s\" new \"%s\"", oldpath, newpath);
r = link(oldpath, newpath);
@@ -1387,6 +2040,17 @@ process_extended_fsync(u_int32_t id)
@@ -1464,6 +2115,17 @@ process_extended_fsync(u_int32_t id)
if ((r = get_handle(iqueue, &handle)) != 0)
fatal_fr(r, "parse");
@ -883,7 +883,7 @@ index 01d6f8f..682c19a 100644
debug3("request %u: fsync (handle %u)", id, handle);
verbose("fsync \"%s\"", handle_to_name(handle));
if ((fd = handle_to_fd(handle)) < 0)
@@ -1672,6 +2336,22 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw, int reset_handle
@@ -2006,6 +2668,22 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw, int reset_handle
log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);
@ -907,5 +907,5 @@ index 01d6f8f..682c19a 100644
* On platforms where we can, avoid making /proc/self/{mem,maps}
* available to the user so that sftp access doesn't automatically
--
2.23.0
2.27.0

11
openssh-5.8p2-sigpipe.patch
View File

@ -1,12 +1,15 @@
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-5.8p2-sigpipe.patch
diff -up openssh-5.8p2/ssh-keyscan.c.sigpipe openssh-5.8p2/ssh-keyscan.c
--- openssh-5.8p2/ssh-keyscan.c.sigpipe 2011-08-23 18:30:33.873025916 +0200
+++ openssh-5.8p2/ssh-keyscan.c 2011-08-23 18:32:24.574025362 +0200
@@ -715,6 +715,8 @@ main(int argc, char **argv)
@@ -715,6 +715,9 @@ main(int argc, char **argv)
if (maxfd > fdlim_get(0))
fdlim_set(maxfd);
fdcon = xcalloc(maxfd, sizeof(con));
+
+ signal(SIGPIPE, SIG_IGN);
+
read_wait_nfdset = howmany(maxfd, NFDBITS);
read_wait = xcalloc(read_wait_nfdset, sizeof(fd_mask));
read_wait = xcalloc(maxfd, sizeof(struct pollfd));
for (j = 0; j < maxfd; j++)
read_wait[j].fd = -1;

5
openssh-6.6.1p1-log-in-chroot.patch
View File

@ -1,3 +1,4 @@
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6.1p1-log-in-chroot.patch
diff -up openssh-8.6p1/log.c.log-in-chroot openssh-8.6p1/log.c
--- openssh-8.6p1/log.c.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/log.c 2021-04-19 14:43:08.544843434 +0200
@ -207,8 +208,8 @@ diff -up openssh-8.6p1/sftp-server.c.log-in-chroot openssh-8.6p1/sftp-server.c
-sftp_server_main(int argc, char **argv, struct passwd *user_pw)
+sftp_server_main(int argc, char **argv, struct passwd *user_pw, int reset_handler)
{
fd_set *rset, *wset;
int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
int i, r, in, out, ch, skipargs = 0, log_stderr = 0;
ssize_t len, olen;
@@ -1657,7 +1657,7 @@ sftp_server_main(int argc, char **argv,
extern char *__progname;

7
openssh-6.6p1-keycat.patch
View File

@ -1,3 +1,4 @@
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6p1-keycat.patch
diff -up openssh/misc.c.keycat openssh/misc.c
--- openssh/misc.c.keycat 2015-06-24 10:57:50.158849606 +0200
+++ openssh/misc.c 2015-06-24 11:04:23.989868638 +0200
@ -61,13 +62,13 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
ssh-xmss.o \
@@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) $(CHANNELLIBS)
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
+ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
+ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS) $(CHANNELLIBS)
+
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(CHANNELLIBS)
@@ -321,6 +325,7 @@ install-files:
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)

434
openssh-6.7p1-coverity.patch
View File

@ -1,41 +1,38 @@
diff -up openssh-8.5p1/addr.c.coverity openssh-8.5p1/addr.c
--- openssh-8.5p1/addr.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/addr.c 2021-03-24 12:03:33.782968159 +0100
@@ -312,8 +312,10 @@ addr_pton(const char *p, struct xaddr *n
if (p == NULL || getaddrinfo(p, NULL, &hints, &ai) != 0)
return -1;
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.7p1-coverity.patch
- if (ai == NULL || ai->ai_addr == NULL)
+ if (ai == NULL || ai->ai_addr == NULL) {
+ freeaddrinfo(ai);
return -1;
+ }
---
auth-krb5.c | 2 ++
auth-options.c | 1 +
channels.c | 6 ++++--
dns.c | 1 +
gss-genr.c | 3 ++-
kexgssc.c | 4 +++-
krl.c | 4 ++++
loginrec.c | 4 ++++
misc.c | 3 +++
moduli.c | 1 +
monitor.c | 4 ++--
monitor_wrap.c | 6 +++---
openbsd-compat/bindresvport.c | 2 +-
openbsd-compat/bsd-pselect.c | 8 ++++----
readconf.c | 1 +
scp.c | 4 ++--
servconf.c | 5 +++--
serverloop.c | 2 +-
session.c | 2 ++
sftp.c | 3 ++-
ssh-agent.c | 5 +++--
ssh-keygen.c | 7 +++++++
ssh.c | 1 +
sshd.c | 9 +++++++--
sshsig.c | 1 +
25 files changed, 65 insertions(+), 24 deletions(-)
if (n != NULL && addr_sa_to_xaddr(ai->ai_addr, ai->ai_addrlen,
n) == -1) {
@@ -336,12 +338,16 @@ addr_sa_pton(const char *h, const char *
if (h == NULL || getaddrinfo(h, s, &hints, &ai) != 0)
return -1;
- if (ai == NULL || ai->ai_addr == NULL)
+ if (ai == NULL || ai->ai_addr == NULL) {
+ freeaddrinfo(ai);
return -1;
+ }
if (sa != NULL) {
- if (slen < ai->ai_addrlen)
+ if (slen < ai->ai_addrlen) {
+ freeaddrinfo(ai);
return -1;
+ }
memcpy(sa, &ai->ai_addr, ai->ai_addrlen);
}
diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c
--- openssh-8.5p1/auth-krb5.c.coverity 2021-03-24 12:03:33.724967756 +0100
+++ openssh-8.5p1/auth-krb5.c 2021-03-24 12:03:33.782968159 +0100
@@ -426,6 +426,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx,
diff --git a/auth-krb5.c b/auth-krb5.c
index d80c3ab..71ea1e3 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -426,6 +426,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache *ccache, int *need_environm
umask(old_umask);
if (tmpfd == -1) {
logit("mkstemp(): %.100s", strerror(oerrno));
@ -43,7 +40,7 @@ diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c
return oerrno;
}
@@ -433,6 +434,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx,
@@ -433,6 +434,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache *ccache, int *need_environm
oerrno = errno;
logit("fchmod(): %.100s", strerror(oerrno));
close(tmpfd);
@ -51,10 +48,11 @@ diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c
return oerrno;
}
/* make sure the KRB5CCNAME is set for non-standard location */
diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c
--- openssh-8.5p1/auth-options.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/auth-options.c 2021-03-24 12:03:33.782968159 +0100
@@ -706,6 +708,7 @@ serialise_array(struct sshbuf *m, char *
diff --git a/auth-options.c b/auth-options.c
index 7cb2a64..a4b1db4 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -723,6 +723,7 @@ serialise_array(struct sshbuf *m, char **a, size_t n)
return r;
}
/* success */
@ -62,19 +60,11 @@ diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c
return 0;
}
diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c
--- openssh-7.4p1/channels.c.coverity 2016-12-23 16:40:26.881788686 +0100
+++ openssh-7.4p1/channels.c 2016-12-23 16:42:36.244818763 +0100
@@ -1875,7 +1875,7 @@ channel_post_connecting(struct ssh *ssh,
debug("channel %d: connection failed: %s",
c->self, strerror(err));
/* Try next address, if any */
- if ((sock = connect_next(&c->connect_ctx)) > 0) {
+ if ((sock = connect_next(&c->connect_ctx)) >= 0) {
close(c->sock);
c->sock = c->rfd = c->wfd = sock;
channel_find_maxfd(ssh->chanctxt);
@@ -3804,7 +3804,7 @@ int
diff --git a/channels.c b/channels.c
index 300c753..ea4d8da 100644
--- a/channels.c
+++ b/channels.c
@@ -4081,7 +4081,7 @@ int
channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
{
int r, success = 0, idx = -1;
@ -83,7 +73,7 @@ diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c
int port_to_connect, listen_port;
/* Send the forward request to the remote side. */
@@ -3832,7 +3832,6 @@ channel_request_remote_forwarding(struct
@@ -4109,7 +4109,6 @@ channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
success = 1;
if (success) {
/* Record that connection to this host/port is permitted. */
@ -91,7 +81,7 @@ diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c
port_to_connect = listen_port = 0;
if (fwd->connect_path != NULL) {
host_to_connect = xstrdup(fwd->connect_path);
@@ -3853,6 +3852,9 @@ channel_request_remote_forwarding(struct
@@ -4130,6 +4129,9 @@ channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
host_to_connect, port_to_connect,
listen_host, listen_path, listen_port, NULL);
}
@ -101,26 +91,11 @@ diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c
return idx;
}
diff -up openssh-8.5p1/compat.c.coverity openssh-8.5p1/compat.c
--- openssh-8.5p1/compat.c.coverity 2021-03-24 12:03:33.768968062 +0100
+++ openssh-8.5p1/compat.c 2021-03-24 12:03:33.783968166 +0100
@@ -191,10 +191,12 @@ compat_kex_proposal(struct ssh *ssh, cha
return p;
debug2_f("original KEX proposal: %s", p);
if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0)
+ /* coverity[overwrite_var : FALSE] */
if ((p = match_filter_denylist(p,
"curve25519-sha256@libssh.org")) == NULL)
fatal("match_filter_denylist failed");
if ((ssh->compat & SSH_OLD_DHGEX) != 0) {
+ /* coverity[overwrite_var : FALSE] */
if ((p = match_filter_denylist(p,
"diffie-hellman-group-exchange-sha256,"
"diffie-hellman-group-exchange-sha1")) == NULL)
diff -up openssh-8.5p1/dns.c.coverity openssh-8.5p1/dns.c
--- openssh-8.5p1/dns.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/dns.c 2021-03-24 12:03:33.783968166 +0100
@@ -282,6 +282,7 @@ verify_host_key_dns(const char *hostname
diff --git a/dns.c b/dns.c
index f2310be..15218f1 100644
--- a/dns.c
+++ b/dns.c
@@ -259,6 +259,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
&hostkey_digest, &hostkey_digest_len, hostkey)) {
error("Error calculating key fingerprint.");
freerrset(fingerprints);
@ -128,10 +103,11 @@ diff -up openssh-8.5p1/dns.c.coverity openssh-8.5p1/dns.c
return -1;
}
diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c
--- openssh-8.5p1/gss-genr.c.coverity 2021-03-26 11:52:46.613942552 +0100
+++ openssh-8.5p1/gss-genr.c 2021-03-26 11:54:37.881726318 +0100
@@ -167,8 +167,9 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
diff --git a/gss-genr.c b/gss-genr.c
index 9f9745b..810b382 100644
--- a/gss-genr.c
+++ b/gss-genr.c
@@ -168,8 +168,9 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
enclen = __b64_ntop(digest,
ssh_digest_bytes(SSH_DIGEST_MD5), encoded,
ssh_digest_bytes(SSH_DIGEST_MD5) * 2);
@ -142,9 +118,10 @@ diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c
for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) {
if (sshbuf_len(buf) != 0 &&
diff -up openssh-8.5p1/kexgssc.c.coverity openssh-8.5p1/kexgssc.c
--- openssh-8.5p1/kexgssc.c.coverity 2021-03-24 12:03:33.711967665 +0100
+++ openssh-8.5p1/kexgssc.c 2021-03-24 12:03:33.783968166 +0100
diff --git a/kexgssc.c b/kexgssc.c
index 1c62740..080cf04 100644
--- a/kexgssc.c
+++ b/kexgssc.c
@@ -98,8 +98,10 @@ kexgss_client(struct ssh *ssh)
default:
fatal_f("Unexpected KEX type %d", kex->kex_type);
@ -157,10 +134,11 @@ diff -up openssh-8.5p1/kexgssc.c.coverity openssh-8.5p1/kexgssc.c
token_ptr = GSS_C_NO_BUFFER;
diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c
--- openssh-8.5p1/krl.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/krl.c 2021-03-24 12:03:33.783968166 +0100
@@ -1209,6 +1209,7 @@ ssh_krl_from_blob(struct sshbuf *buf, st
diff --git a/krl.c b/krl.c
index 473a9d7..ae19762 100644
--- a/krl.c
+++ b/krl.c
@@ -1209,6 +1209,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
sshkey_free(key);
sshbuf_free(copy);
sshbuf_free(sect);
@ -168,7 +146,7 @@ diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c
return r;
}
@@ -1261,6 +1262,7 @@ is_key_revoked(struct ssh_krl *krl, cons
@@ -1261,6 +1262,7 @@ is_key_revoked(struct ssh_krl *krl, const struct sshkey *key)
return r;
erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb);
free(rb.blob);
@ -176,7 +154,7 @@ diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c
if (erb != NULL) {
KRL_DBG(("revoked by key SHA1"));
return SSH_ERR_KEY_REVOKED;
@@ -1271,6 +1273,7 @@ is_key_revoked(struct ssh_krl *krl, cons
@@ -1271,6 +1273,7 @@ is_key_revoked(struct ssh_krl *krl, const struct sshkey *key)
return r;
erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha256s, &rb);
free(rb.blob);
@ -184,7 +162,7 @@ diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c
if (erb != NULL) {
KRL_DBG(("revoked by key SHA256"));
return SSH_ERR_KEY_REVOKED;
@@ -1282,6 +1285,7 @@ is_key_revoked(struct ssh_krl *krl, cons
@@ -1282,6 +1285,7 @@ is_key_revoked(struct ssh_krl *krl, const struct sshkey *key)
return r;
erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb);
free(rb.blob);
@ -192,10 +170,11 @@ diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c
if (erb != NULL) {
KRL_DBG(("revoked by explicit key"));
return SSH_ERR_KEY_REVOKED;
diff -up openssh-8.5p1/loginrec.c.coverity openssh-8.5p1/loginrec.c
--- openssh-8.5p1/loginrec.c.coverity 2021-03-24 13:18:53.793225885 +0100
+++ openssh-8.5p1/loginrec.c 2021-03-24 13:21:27.948404751 +0100
@@ -690,9 +690,11 @@ construct_utmp(struct logininfo *li,
diff --git a/loginrec.c b/loginrec.c
index 4f21499..e0606be 100644
--- a/loginrec.c
+++ b/loginrec.c
@@ -691,9 +691,11 @@ construct_utmp(struct logininfo *li,
*/
/* Use strncpy because we don't necessarily want null termination */
@ -207,7 +186,7 @@ diff -up openssh-8.5p1/loginrec.c.coverity openssh-8.5p1/loginrec.c
strncpy(ut->ut_host, li->hostname,
MIN_SIZEOF(ut->ut_host, li->hostname));
# endif
@@ -1690,6 +1692,7 @@ record_failed_login(struct ssh *ssh, con
@@ -1691,6 +1693,7 @@ record_failed_login(struct ssh *ssh, const char *username, const char *hostname,
memset(&ut, 0, sizeof(ut));
/* strncpy because we don't necessarily want nul termination */
@ -215,7 +194,7 @@ diff -up openssh-8.5p1/loginrec.c.coverity openssh-8.5p1/loginrec.c
strncpy(ut.ut_user, username, sizeof(ut.ut_user));
strlcpy(ut.ut_line, "ssh:notty", sizeof(ut.ut_line));
@@ -1699,6 +1702,7 @@ record_failed_login(struct ssh *ssh, con
@@ -1700,6 +1703,7 @@ record_failed_login(struct ssh *ssh, const char *username, const char *hostname,
ut.ut_pid = getpid();
/* strncpy because we don't necessarily want nul termination */
@ -223,10 +202,11 @@ diff -up openssh-8.5p1/loginrec.c.coverity openssh-8.5p1/loginrec.c
strncpy(ut.ut_host, hostname, sizeof(ut.ut_host));
if (ssh_packet_connection_is_on_socket(ssh) &&
diff -up openssh-8.5p1/misc.c.coverity openssh-8.5p1/misc.c
--- openssh-8.5p1/misc.c.coverity 2021-03-24 12:03:33.745967902 +0100
+++ openssh-8.5p1/misc.c 2021-03-24 13:31:47.037079617 +0100
@@ -1425,6 +1425,8 @@ sanitise_stdfd(void)
diff --git a/misc.c b/misc.c
index e4d3120..5420e24 100644
--- a/misc.c
+++ b/misc.c
@@ -1492,6 +1492,8 @@ sanitise_stdfd(void)
}
if (nullfd > STDERR_FILENO)
close(nullfd);
@ -235,7 +215,7 @@ diff -up openssh-8.5p1/misc.c.coverity openssh-8.5p1/misc.c
}
char *
@@ -2511,6 +2513,7 @@ stdfd_devnull(int do_stdin, int do_stdou
@@ -2625,6 +2627,7 @@ stdfd_devnull(int do_stdin, int do_stdout, int do_stderr)
}
if (devnull > STDERR_FILENO)
close(devnull);
@ -243,10 +223,11 @@ diff -up openssh-8.5p1/misc.c.coverity openssh-8.5p1/misc.c
return ret;
}
diff -up openssh-8.5p1/moduli.c.coverity openssh-8.5p1/moduli.c
--- openssh-8.5p1/moduli.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/moduli.c 2021-03-24 12:03:33.784968173 +0100
@@ -476,6 +476,7 @@ write_checkpoint(char *cpfile, u_int32_t
diff --git a/moduli.c b/moduli.c
index 9f660ef..2669edd 100644
--- a/moduli.c
+++ b/moduli.c
@@ -476,6 +476,7 @@ write_checkpoint(char *cpfile, u_int32_t lineno)
else
logit("failed to write to checkpoint file '%s': %s", cpfile,
strerror(errno));
@ -254,10 +235,11 @@ diff -up openssh-8.5p1/moduli.c.coverity openssh-8.5p1/moduli.c
}
static unsigned long
diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
--- openssh-7.4p1/monitor.c.coverity 2016-12-23 16:40:26.888788688 +0100
+++ openssh-7.4p1/monitor.c 2016-12-23 16:40:26.900788691 +0100
@@ -411,7 +411,7 @@ monitor_child_preauth(Authctxt *_authctx
diff --git a/monitor.c b/monitor.c
index fc05db6..dca2fe7 100644
--- a/monitor.c
+++ b/monitor.c
@@ -397,7 +397,7 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
mm_get_keystate(ssh, pmonitor);
/* Drain any buffered messages from the child */
@ -266,7 +248,7 @@ diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
;
if (pmonitor->m_recvfd >= 0)
@@ -1678,7 +1678,7 @@ mm_answer_pty(struct ssh *ssh, int sock,
@@ -1684,7 +1684,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
s->ptymaster = s->ptyfd;
debug3_f("tty %s ptyfd %d", s->tty, s->ttyfd);
@ -275,10 +257,11 @@ diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
return (0);
error:
diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
--- openssh-7.4p1/monitor_wrap.c.coverity 2016-12-23 16:40:26.892788689 +0100
+++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:40:26.900788691 +0100
@@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
diff --git a/monitor_wrap.c b/monitor_wrap.c
index e125eca..c394d68 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -612,10 +612,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen)
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) {
error_f("cannot allocate fds for pty");
@ -292,10 +275,11 @@ diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
return 0;
}
close(tmp1);
diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/openbsd-compat/bindresvport.c
--- openssh-7.4p1/openbsd-compat/bindresvport.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/openbsd-compat/bindresvport.c 2016-12-23 16:40:26.901788691 +0100
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
diff --git a/openbsd-compat/bindresvport.c b/openbsd-compat/bindresvport.c
index 346c7fe..f42792f 100644
--- a/openbsd-compat/bindresvport.c
+++ b/openbsd-compat/bindresvport.c
@@ -59,7 +59,7 @@ bindresvport_sa(int sd, struct sockaddr *sa)
struct sockaddr_in6 *in6;
u_int16_t *portp;
u_int16_t port;
@ -304,9 +288,10 @@ diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/open
int i;
if (sa == NULL) {
diff -up openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity openssh-8.7p1/openbsd-compat/bsd-pselect.c
--- openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity 2021-08-30 16:36:11.357288009 +0200
+++ openssh-8.7p1/openbsd-compat/bsd-pselect.c 2021-08-30 16:37:21.791897976 +0200
diff --git a/openbsd-compat/bsd-pselect.c b/openbsd-compat/bsd-pselect.c
index b363208..cf7157c 100644
--- a/openbsd-compat/bsd-pselect.c
+++ b/openbsd-compat/bsd-pselect.c
@@ -113,13 +113,13 @@ pselect_notify_setup(void)
static void
pselect_notify_parent(void)
@ -334,10 +319,11 @@ diff -up openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity openssh-8.7p1/openb
debug2_f("reading");
FD_CLR(notify_pipe[0], readset);
}
diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c
--- openssh-8.5p1/readconf.c.coverity 2021-03-24 12:03:33.778968131 +0100
+++ openssh-8.5p1/readconf.c 2021-03-24 12:03:33.785968180 +0100
@@ -1847,6 +1847,7 @@ parse_pubkey_algos:
diff --git a/readconf.c b/readconf.c
index 1e1b78d..b6c998e 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1933,6 +1933,7 @@ parse_pubkey_algos:
} else if (r != 0) {
error("%.200s line %d: glob failed for %s.",
filename, linenum, arg2);
@ -345,10 +331,11 @@ diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c
goto out;
}
free(arg2);
diff -up openssh-8.7p1/scp.c.coverity openssh-8.7p1/scp.c
--- openssh-8.7p1/scp.c.coverity 2021-08-30 16:23:35.389741329 +0200
+++ openssh-8.7p1/scp.c 2021-08-30 16:27:04.854555296 +0200
@@ -186,11 +186,11 @@ killchild(int signo)
diff --git a/scp.c b/scp.c
index 6146260..74f5b10 100644
--- a/scp.c
+++ b/scp.c
@@ -187,11 +187,11 @@ killchild(int signo)
{
if (do_cmd_pid > 1) {
kill(do_cmd_pid, signo ? signo : SIGTERM);
@ -362,10 +349,11 @@ diff -up openssh-8.7p1/scp.c.coverity openssh-8.7p1/scp.c
}
if (signo)
diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.coverity 2016-12-23 16:40:26.896788690 +0100
+++ openssh-7.4p1/servconf.c 2016-12-23 16:40:26.901788691 +0100
@@ -1638,8 +1638,9 @@ process_server_config_line(ServerOptions
diff --git a/servconf.c b/servconf.c
index 8b9540d..d72fb62 100644
--- a/servconf.c
+++ b/servconf.c
@@ -2081,8 +2081,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
if (*activep && *charptr == NULL) {
*charptr = tilde_expand_filename(arg, getuid());
/* increase optional counter */
@ -377,10 +365,11 @@ diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
}
break;
diff -up openssh-8.7p1/serverloop.c.coverity openssh-8.7p1/serverloop.c
--- openssh-8.7p1/serverloop.c.coverity 2021-08-20 06:03:49.000000000 +0200
+++ openssh-8.7p1/serverloop.c 2021-08-30 16:28:22.416226981 +0200
@@ -547,7 +547,7 @@ server_request_tun(struct ssh *ssh)
diff --git a/serverloop.c b/serverloop.c
index b4c0d82..62c7e90 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -546,7 +546,7 @@ server_request_tun(struct ssh *ssh)
debug_f("invalid tun");
goto done;
}
@ -389,10 +378,11 @@ diff -up openssh-8.7p1/serverloop.c.coverity openssh-8.7p1/serverloop.c
if (tun != SSH_TUNID_ANY &&
auth_opts->force_tun_device != (int)tun)
goto done;
diff -up openssh-8.5p1/session.c.coverity openssh-8.5p1/session.c
--- openssh-8.5p1/session.c.coverity 2021-03-24 12:03:33.777968124 +0100
+++ openssh-8.5p1/session.c 2021-03-24 12:03:33.786968187 +0100
@@ -1223,12 +1223,14 @@ do_setup_env(struct ssh *ssh, Session *s
diff --git a/session.c b/session.c
index 58cf557..cdb301b 100644
--- a/session.c
+++ b/session.c
@@ -1222,12 +1222,14 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
/* Environment specified by admin */
for (i = 0; i < options.num_setenv; i++) {
cp = xstrdup(options.setenv[i]);
@ -407,10 +397,11 @@ diff -up openssh-8.5p1/session.c.coverity openssh-8.5p1/session.c
}
/* SSH_CLIENT deprecated */
diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
--- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100
@@ -224,7 +224,7 @@ killchild(int signo)
diff --git a/sftp.c b/sftp.c
index c3c347e..c18a354 100644
--- a/sftp.c
+++ b/sftp.c
@@ -226,7 +226,7 @@ killchild(int signo)
pid = sshpid;
if (pid > 1) {
kill(pid, SIGTERM);
@ -419,16 +410,7 @@ diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
}
_exit(1);
@@ -762,6 +762,8 @@ process_put(struct sftp_conn *conn, cons
fflag || global_fflag) == -1)
err = -1;
}
+ free(abs_dst);
+ abs_dst = NULL;
}
out:
@@ -985,6 +987,7 @@ do_globbed_ls(struct sftp_conn *conn, co
@@ -1029,6 +1029,7 @@ do_globbed_ls(struct sftp_conn *conn, const char *path,
if (lflag & LS_LONG_VIEW) {
if (g.gl_statv[i] == NULL) {
error("no stat information for %s", fname);
@ -436,21 +418,11 @@ diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
continue;
}
lname = ls_file(fname, g.gl_statv[i], 1,
diff -up openssh-8.5p1/sk-usbhid.c.coverity openssh-8.5p1/sk-usbhid.c
--- openssh-8.5p1/sk-usbhid.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/sk-usbhid.c 2021-03-24 12:03:33.786968187 +0100
@@ -1256,6 +1256,7 @@ sk_load_resident_keys(const char *pin, s
freezero(rks[i], sizeof(*rks[i]));
}
free(rks);
+ free(device);
return ret;
}
diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
--- openssh-7.4p1/ssh-agent.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/ssh-agent.c 2016-12-23 16:40:26.903788691 +0100
@@ -869,6 +869,7 @@ sanitize_pkcs11_provider(const char *pro
diff --git a/ssh-agent.c b/ssh-agent.c
index 50d0638..a292a9e 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1391,6 +1391,7 @@ sanitize_pkcs11_provider(const char *provider)
if (pkcs11_uri_parse(provider, uri) != 0) {
error("Failed to parse PKCS#11 URI");
@ -458,7 +430,7 @@ diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
return NULL;
}
/* validate also provider from URI */
@@ -1220,8 +1220,8 @@ main(int ac, char **av)
@@ -2080,8 +2081,8 @@ main(int ac, char **av)
sanitise_stdfd();
/* drop */
@ -469,10 +441,43 @@ diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
platform_disable_tracing(0); /* strict=no */
diff -up openssh-8.5p1/ssh.c.coverity openssh-8.5p1/ssh.c
--- openssh-8.5p1/ssh.c.coverity 2021-03-24 12:03:33.779968138 +0100
+++ openssh-8.5p1/ssh.c 2021-03-24 12:03:33.786968187 +0100
@@ -1746,6 +1746,7 @@ control_persist_detach(void)
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 6ae72ab..076dd33 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -2365,6 +2365,9 @@ update_krl_from_file(struct passwd *pw, const char *file, int wild_ca,
r = ssh_krl_revoke_key_sha256(krl, blob, blen);
if (r != 0)
fatal_fr(r, "revoke key failed");
+ freezero(blob, blen);
+ blob = NULL;
+ blen = 0;
} else {
if (strncasecmp(cp, "key:", 4) == 0) {
cp += 4;
@@ -3023,6 +3026,7 @@ do_moduli_screen(const char *out_file, char **opts, size_t nopts)
} else if (strncmp(opts[i], "start-line=", 11) == 0) {
start_lineno = strtoul(opts[i]+11, NULL, 10);
} else if (strncmp(opts[i], "checkpoint=", 11) == 0) {
+ free(checkpoint);
checkpoint = xstrdup(opts[i]+11);
} else if (strncmp(opts[i], "generator=", 10) == 0) {
generator_wanted = (u_int32_t)strtonum(
@@ -3064,6 +3068,9 @@ do_moduli_screen(const char *out_file, char **opts, size_t nopts)
#else /* WITH_OPENSSL */
fatal("Moduli screening is not supported");
#endif /* WITH_OPENSSL */
+ free(checkpoint);
+ if (in != stdin)
+ fclose(in);
}
/* Read and confirm a passphrase */
diff --git a/ssh.c b/ssh.c
index a5155f4..68558d4 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1755,6 +1755,7 @@ control_persist_detach(void)
close(muxserver_sock);
muxserver_sock = -1;
options.control_master = SSHCTL_MASTER_NO;
@ -480,10 +485,11 @@ diff -up openssh-8.5p1/ssh.c.coverity openssh-8.5p1/ssh.c
muxclient(options.control_path);
/* muxclient() doesn't return on success. */
fatal("Failed to connect to new control master");
diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
--- openssh-7.4p1/sshd.c.coverity 2016-12-23 16:40:26.897788690 +0100
+++ openssh-7.4p1/sshd.c 2016-12-23 16:40:26.904788692 +0100
@@ -691,8 +691,10 @@ privsep_preauth(Authctxt *authctxt)
diff --git a/sshd.c b/sshd.c
index e05dd82..a4a1b79 100644
--- a/sshd.c
+++ b/sshd.c
@@ -595,8 +595,10 @@ privsep_preauth(struct ssh *ssh)
privsep_preauth_child(ssh);
setproctitle("%s", "[net]");
@ -495,26 +501,7 @@ diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
return 0;
}
@@ -1386,6 +1388,9 @@ server_accept_loop(int *sock_in, int *so
explicit_bzero(rnd, sizeof(rnd));
}
}
+
+ if (fdset != NULL)
+ free(fdset);
}
/*
@@ -2474,7 +2479,7 @@ do_ssh2_kex(struct ssh *ssh)
if (options.rekey_limit || options.rekey_interval)
ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
options.rekey_interval);
-
+ /* coverity[leaked_storage : FALSE]*/
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
ssh, list_hostkey_types());
@@ -2519,8 +2524,11 @@ do_ssh2_kex(struct ssh *ssh)
@@ -2560,8 +2562,11 @@ do_ssh2_kex(struct ssh *ssh)
if (newstr)
myproposal[PROPOSAL_KEX_ALGS] = newstr;
@ -527,45 +514,18 @@ diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
}
#endif
diff -up openssh-8.5p1/ssh-keygen.c.coverity openssh-8.5p1/ssh-keygen.c
--- openssh-8.5p1/ssh-keygen.c.coverity 2021-03-24 12:03:33.780968145 +0100
+++ openssh-8.5p1/ssh-keygen.c 2021-03-24 12:03:33.787968194 +0100
@@ -2332,6 +2332,9 @@ update_krl_from_file(struct passwd *pw,
r = ssh_krl_revoke_key_sha256(krl, blob, blen);
if (r != 0)
fatal_fr(r, "revoke key failed");
+ freezero(blob, blen);
+ blob = NULL;
+ blen = 0;
} else {
if (strncasecmp(cp, "key:", 4) == 0) {
cp += 4;
@@ -2879,6 +2882,7 @@ do_moduli_screen(const char *out_file, c
} else if (strncmp(opts[i], "start-line=", 11) == 0) {
start_lineno = strtoul(opts[i]+11, NULL, 10);
} else if (strncmp(opts[i], "checkpoint=", 11) == 0) {
+ free(checkpoint);
checkpoint = xstrdup(opts[i]+11);
} else if (strncmp(opts[i], "generator=", 10) == 0) {
generator_wanted = (u_int32_t)strtonum(
@@ -2920,6 +2924,9 @@ do_moduli_screen(const char *out_file, c
#else /* WITH_OPENSSL */
fatal("Moduli screening is not supported");
#endif /* WITH_OPENSSL */
+ free(checkpoint);
+ if (in != stdin)
+ fclose(in);
}
static char *
diff -up openssh-8.5p1/sshsig.c.coverity openssh-8.5p1/sshsig.c
--- openssh-8.5p1/sshsig.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/sshsig.c 2021-03-24 12:03:33.787968194 +0100
@@ -515,6 +515,7 @@ hash_file(int fd, const char *hashalg, s
diff --git a/sshsig.c b/sshsig.c
index eb2a931..3e91c14 100644
--- a/sshsig.c
+++ b/sshsig.c
@@ -551,6 +551,7 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp)
oerrno = errno;
error_f("read: %s", strerror(errno));
sshbuf_free(b);
ssh_digest_free(ctx);
+ ctx = NULL;
explicit_bzero(hash, sizeof(hash));
errno = oerrno;
r = SSH_ERR_SYSTEM_ERROR;
goto out;
return r;
--
2.27.0

104
openssh-7.3p1-x11-max-displays.patch
View File

@ -1,7 +1,19 @@
diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
--- openssh-7.4p1/channels.c.x11max 2016-12-23 15:46:32.071506625 +0100
+++ openssh-7.4p1/channels.c 2016-12-23 15:46:32.139506636 +0100
@@ -152,8 +152,8 @@ static int all_opens_permitted = 0;
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.3p1-x11-max-displays.patch
---
channels.c | 23 ++++++++++++++---------
channels.h | 2 +-
servconf.c | 12 +++++++++++-
servconf.h | 2 ++
session.c | 5 +++--
sshd_config.5 | 7 +++++++
6 files changed, 38 insertions(+), 13 deletions(-)
diff --git a/channels.c b/channels.c
index 7230540..040a4c6 100644
--- a/channels.c
+++ b/channels.c
@@ -101,8 +101,8 @@
#define FWD_PERMIT_ANY_HOST "*"
/* -- X11 forwarding */
@ -10,9 +22,9 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
+/* Minimum port number for X11 forwarding */
+#define X11_PORT_MIN 6000
/* Per-channel callback for pre/post select() actions */
typedef void chan_fn(struct ssh *, Channel *c,
@@ -4228,7 +4228,7 @@ channel_send_window_changes(void)
/* Per-channel callback for pre/post IO actions */
typedef void chan_fn(struct ssh *, Channel *c);
@@ -4801,7 +4801,7 @@ rdynamic_connect_finish(struct ssh *ssh, Channel *c)
*/
int
x11_create_display_inet(struct ssh *ssh, int x11_display_offset,
@ -21,7 +33,7 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
u_int *display_numberp, int **chanids)
{
Channel *nc = NULL;
@@ -4240,10 +4241,15 @@ x11_create_display_inet(int x11_display_
@@ -4814,10 +4814,15 @@ x11_create_display_inet(struct ssh *ssh, int x11_display_offset,
if (chanids == NULL)
return -1;
@ -39,7 +51,7 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
memset(&hints, 0, sizeof(hints));
hints.ai_family = ssh->chanctxt->IPv4or6;
hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
@@ -4295,7 +4301,7 @@ x11_create_display_inet(int x11_display_
@@ -4870,7 +4875,7 @@ x11_create_display_inet(struct ssh *ssh, int x11_display_offset,
if (num_socks > 0)
break;
}
@ -48,7 +60,7 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
error("Failed to allocate internet-domain X11 display socket.");
return -1;
}
@@ -4441,7 +4447,7 @@ x11_connect_display(void)
@@ -5054,7 +5059,7 @@ x11_connect_display(struct ssh *ssh)
memset(&hints, 0, sizeof(hints));
hints.ai_family = ssh->chanctxt->IPv4or6;
hints.ai_socktype = SOCK_STREAM;
@ -57,7 +69,7 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
error("%.100s: unknown host. (%s)", buf,
ssh_gai_strerror(gaierr));
@@ -4457,7 +4463,7 @@ x11_connect_display(void)
@@ -5070,7 +5075,7 @@ x11_connect_display(struct ssh *ssh)
/* Connect it to the display. */
if (connect(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
debug2("connect %.100s port %u: %.100s", buf,
@ -66,21 +78,20 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
close(sock);
continue;
}
@@ -4466,8 +4472,8 @@ x11_connect_display(void)
}
@@ -5080,7 +5085,7 @@ x11_connect_display(struct ssh *ssh)
freeaddrinfo(aitop);
if (!ai) {
- error("connect %.100s port %u: %.100s", buf,
error("connect %.100s port %u: %.100s", buf,
- 6000 + display_number, strerror(errno));
+ error("connect %.100s port %u: %.100s", buf,
+ X11_PORT_MIN + display_number, strerror(errno));
return -1;
}
set_nodelay(sock);
diff -up openssh-7.4p1/channels.h.x11max openssh-7.4p1/channels.h
--- openssh-7.4p1/channels.h.x11max 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/channels.h 2016-12-23 15:46:32.139506636 +0100
@@ -293,7 +293,7 @@ int permitopen_port(const char *);
diff --git a/channels.h b/channels.h
index 828c1b6..7d8a83e 100644
--- a/channels.h
+++ b/channels.h
@@ -361,7 +361,7 @@ int permitopen_port(const char *);
void channel_set_x11_refuse_time(struct ssh *, u_int);
int x11_connect_display(struct ssh *);
@ -89,10 +100,11 @@ diff -up openssh-7.4p1/channels.h.x11max openssh-7.4p1/channels.h
void x11_request_forwarding_with_spoofing(struct ssh *, int,
const char *, const char *, const char *, int);
diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.x11max 2016-12-23 15:46:32.133506635 +0100
+++ openssh-7.4p1/servconf.c 2016-12-23 15:47:27.320519121 +0100
@@ -95,6 +95,7 @@ initialize_server_options(ServerOptions
diff --git a/servconf.c b/servconf.c
index 13c4a08..fdba127 100644
--- a/servconf.c
+++ b/servconf.c
@@ -115,6 +115,7 @@ initialize_server_options(ServerOptions *options)
options->print_lastlog = -1;
options->x11_forwarding = -1;
options->x11_display_offset = -1;
@ -100,7 +112,7 @@ diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
options->x11_use_localhost = -1;
options->permit_tty = -1;
options->permit_user_rc = -1;
@@ -243,6 +244,8 @@ fill_default_server_options(ServerOption
@@ -330,6 +331,8 @@ fill_default_server_options(ServerOptions *options)
options->x11_forwarding = 0;
if (options->x11_display_offset == -1)
options->x11_display_offset = 10;
@ -109,7 +121,7 @@ diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
if (options->x11_use_localhost == -1)
options->x11_use_localhost = 1;
if (options->xauth_location == NULL)
@@ -419,7 +422,7 @@ typedef enum {
@@ -518,7 +521,7 @@ typedef enum {
sPasswordAuthentication,
sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
@ -118,7 +130,7 @@ diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
@@ -540,6 +543,7 @@ static struct {
@@ -652,6 +655,7 @@ static struct {
{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
@ -126,7 +138,7 @@ diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
@@ -1316,6 +1320,10 @@ process_server_config_line(ServerOptions
@@ -1680,6 +1684,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
*intptr = value;
break;
@ -137,7 +149,7 @@ diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
case sX11UseLocalhost:
intptr = &options->x11_use_localhost;
goto parse_flag;
@@ -2063,6 +2071,7 @@ copy_set_server_options(ServerOptions *d
@@ -2678,6 +2686,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
M_CP_INTOPT(x11_display_offset);
M_CP_INTOPT(x11_forwarding);
@ -145,7 +157,7 @@ diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
M_CP_INTOPT(x11_use_localhost);
M_CP_INTOPT(permit_tty);
M_CP_INTOPT(permit_user_rc);
@@ -2315,6 +2324,7 @@ dump_config(ServerOptions *o)
@@ -2953,6 +2962,7 @@ dump_config(ServerOptions *o)
#endif
dump_cfg_int(sLoginGraceTime, o->login_grace_time);
dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
@ -153,10 +165,11 @@ diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
dump_cfg_int(sMaxAuthTries, o->max_authtries);
dump_cfg_int(sMaxSessions, o->max_sessions);
dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
diff -up openssh-7.4p1/servconf.h.x11max openssh-7.4p1/servconf.h
--- openssh-7.4p1/servconf.h.x11max 2016-12-23 15:46:32.133506635 +0100
+++ openssh-7.4p1/servconf.h 2016-12-23 15:46:32.140506636 +0100
@@ -55,6 +55,7 @@
diff --git a/servconf.h b/servconf.h
index 37d3a6f..77fd779 100644
--- a/servconf.h
+++ b/servconf.h
@@ -45,6 +45,7 @@
#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
@ -164,7 +177,7 @@ diff -up openssh-7.4p1/servconf.h.x11max openssh-7.4p1/servconf.h
/* Magic name for internal sftp-server */
#define INTERNAL_SFTP_NAME "internal-sftp"
@@ -85,6 +86,7 @@ typedef struct {
@@ -105,6 +106,7 @@ typedef struct {
int x11_forwarding; /* If true, permit inet (spoofing) X11 fwd. */
int x11_display_offset; /* What DISPLAY number to start
* searching at */
@ -172,10 +185,11 @@ diff -up openssh-7.4p1/servconf.h.x11max openssh-7.4p1/servconf.h
int x11_use_localhost; /* If true, use localhost for fake X11 server. */
char *xauth_location; /* Location of xauth program */
int permit_tty; /* If false, deny pty allocation */
diff -up openssh-7.4p1/session.c.x11max openssh-7.4p1/session.c
--- openssh-7.4p1/session.c.x11max 2016-12-23 15:46:32.136506636 +0100
+++ openssh-7.4p1/session.c 2016-12-23 15:46:32.141506636 +0100
@@ -2518,8 +2518,9 @@ session_setup_x11fwd(Session *s)
diff --git a/session.c b/session.c
index 6040d51..dd7d148 100644
--- a/session.c
+++ b/session.c
@@ -2612,8 +2612,9 @@ session_setup_x11fwd(struct ssh *ssh, Session *s)
return 0;
}
if (x11_create_display_inet(ssh, options.x11_display_offset,
@ -187,10 +201,11 @@ diff -up openssh-7.4p1/session.c.x11max openssh-7.4p1/session.c
debug("x11_create_display_inet failed.");
return 0;
}
diff -up openssh-7.4p1/sshd_config.5.x11max openssh-7.4p1/sshd_config.5
--- openssh-7.4p1/sshd_config.5.x11max 2016-12-23 15:46:32.134506635 +0100
+++ openssh-7.4p1/sshd_config.5 2016-12-23 15:46:32.141506636 +0100
@@ -1133,6 +1133,7 @@ Available keywords are
diff --git a/sshd_config.5 b/sshd_config.5
index 4396b93..440fe92 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1280,6 +1280,7 @@ Available keywords are
.Cm StreamLocalBindUnlink ,
.Cm TrustedUserCAKeys ,
.Cm X11DisplayOffset ,
@ -198,7 +213,7 @@ diff -up openssh-7.4p1/sshd_config.5.x11max openssh-7.4p1/sshd_config.5
.Cm X11Forwarding
and
.Cm X11UseLocalhost .
@@ -1566,6 +1567,12 @@ Specifies the first display number avail
@@ -1847,6 +1848,12 @@ Specifies the first display number available for
X11 forwarding.
This prevents sshd from interfering with real X11 servers.
The default is 10.
@ -211,3 +226,6 @@ diff -up openssh-7.4p1/sshd_config.5.x11max openssh-7.4p1/sshd_config.5
.It Cm X11Forwarding
Specifies whether X11 forwarding is permitted.
The argument must be
--
2.27.0

29
openssh-7.4p1-systemd.patch
View File

@ -1,16 +1,19 @@
commit 0e22b79bfde45a7cf7a2e51a68ec11c4285f3b31
Author: Jakub Jelen <jjelen@redhat.com>
Date: Mon Nov 21 15:04:06 2016 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.4p1-systemd.patch
systemd stuff
---
configure.ac | 24 ++++++++++++++++++++++++
contrib/sshd.service | 16 ++++++++++++++++
sshd.c | 9 +++++++++
3 files changed, 49 insertions(+)
create mode 100644 contrib/sshd.service
diff --git a/configure.ac b/configure.ac
index 2ffc369..162ce92 100644
index bbe133e..6f7dc48 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4265,6 +4265,30 @@ AC_ARG_WITH([kerberos5],
AC_SUBST([GSSLIBS])
@@ -4822,6 +4822,29 @@ AC_SUBST([GSSLIBS])
AC_SUBST([K5LIBS])
AC_SUBST([CHANNELLIBS])
+# Check whether user wants systemd support
+SYSTEMD_MSG="no"
@ -34,12 +37,11 @@ index 2ffc369..162ce92 100644
+ fi
+ fi ]
+)
+
+
# Looking for programs, paths and files
PRIVSEP_PATH=/var/empty
@@ -5097,6 +5121,7 @@ echo " libedit support: $LIBEDIT_MSG"
@@ -5621,6 +5644,7 @@ echo " libldns support: $LDNS_MSG"
echo " Solaris process contract support: $SPC_MSG"
echo " Solaris project support: $SP_MSG"
echo " Solaris privilege support: $SPP_MSG"
@ -70,10 +72,10 @@ index 0000000..e0d4923
+WantedBy=multi-user.target
+
diff --git a/sshd.c b/sshd.c
index 816611c..b8b9d13 100644
index 0d4cfef..2a9b96d 100644
--- a/sshd.c
+++ b/sshd.c
@@ -85,6 +85,10 @@
@@ -88,6 +88,10 @@
#include <prot.h>
#endif
@ -84,7 +86,7 @@ index 816611c..b8b9d13 100644
#include "xmalloc.h"
#include "ssh.h"
#include "ssh2.h"
@@ -1888,6 +1892,11 @@ main(int ac, char **av)
@@ -2121,6 +2125,11 @@ main(int ac, char **av)
}
}
@ -96,3 +98,6 @@ index 816611c..b8b9d13 100644
/* Accept a connection and return in a forked child */
server_accept_loop(&sock_in, &sock_out,
&newsock, config_s);
--
2.27.0

949
openssh-7.6p1-audit.patch
View File

File diff suppressed because it is too large Load Diff

321
openssh-7.7p1-fips.patch
View File

@ -1,25 +1,21 @@
diff -up openssh-8.6p1/cipher-ctr.c.fips openssh-8.6p1/cipher-ctr.c
--- openssh-8.6p1/cipher-ctr.c.fips 2021-04-19 16:53:02.994577324 +0200
+++ openssh-8.6p1/cipher-ctr.c 2021-04-19 16:53:03.064577862 +0200
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
aes_ctr.do_cipher = ssh_aes_ctr;
#ifndef SSH_OLD_EVP
aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
+ EVP_CIPH_FLAG_FIPS;
#endif
return (&aes_ctr);
}
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.7p1-fips.patch
diff -up openssh-8.6p1/dh.c.fips openssh-8.6p1/dh.c
--- openssh-8.6p1/dh.c.fips 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/dh.c 2021-04-19 16:58:47.750263410 +0200
+++ openssh-8.6p1/dh.c 2021-05-06 12:12:10.107634472 +0200
@@ -36,6 +36,7 @@
#include <openssl/bn.h>
#include <openssl/dh.h>
+#include <openssl/fips.h>
#include "dh.h"
#include "pathnames.h"
@@ -164,6 +164,12 @@ choose_dh(int min, int wantbits, int max
int best, bestcount, which, linenum;
struct dhgroup dhg;
+ if (FIPS_mode()) {
+ logit("Using arbitrary primes is not allowed in FIPS mode."
+ verbose("Using arbitrary primes is not allowed in FIPS mode."
+ " Falling back to known groups.");
+ return (dh_new_group_fallback(max));
+ }
@ -67,8 +63,8 @@ diff -up openssh-8.6p1/dh.c.fips openssh-8.6p1/dh.c
+
#endif /* WITH_OPENSSL */
diff -up openssh-8.6p1/dh.h.fips openssh-8.6p1/dh.h
--- openssh-8.6p1/dh.h.fips 2021-04-19 16:53:03.064577862 +0200
+++ openssh-8.6p1/dh.h 2021-04-19 16:59:31.951616078 +0200
--- openssh-8.6p1/dh.h.fips 2021-05-06 12:08:36.498926877 +0200
+++ openssh-8.6p1/dh.h 2021-05-06 12:11:28.393298005 +0200
@@ -45,6 +45,7 @@ DH *dh_new_group_fallback(int);
int dh_gen_key(DH *, int);
@ -78,8 +74,16 @@ diff -up openssh-8.6p1/dh.h.fips openssh-8.6p1/dh.h
u_int dh_estimate(int);
void dh_set_moduli_file(const char *);
diff -up openssh-8.6p1/kex.c.fips openssh-8.6p1/kex.c
--- openssh-8.6p1/kex.c.fips 2021-04-19 16:53:03.058577815 +0200
+++ openssh-8.6p1/kex.c 2021-04-19 16:53:03.065577869 +0200
--- openssh-8.6p1/kex.c.fips 2021-05-06 12:08:36.489926807 +0200
+++ openssh-8.6p1/kex.c 2021-05-06 12:08:36.498926877 +0200
@@ -39,6 +39,7 @@
#ifdef WITH_OPENSSL
#include <openssl/crypto.h>
+#include <openssl/fips.h>
#include <openssl/dh.h>
# ifdef HAVE_EVP_KDF_CTX_NEW_ID
# include <openssl/kdf.h>
@@ -203,7 +203,10 @@ kex_names_valid(const char *names)
for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) {
@ -94,12 +98,12 @@ diff -up openssh-8.6p1/kex.c.fips openssh-8.6p1/kex.c
}
diff -up openssh-8.6p1/kexgexc.c.fips openssh-8.6p1/kexgexc.c
--- openssh-8.6p1/kexgexc.c.fips 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/kexgexc.c 2021-04-19 16:53:03.065577869 +0200
+++ openssh-8.6p1/kexgexc.c 2021-05-06 12:08:36.498926877 +0200
@@ -28,6 +28,7 @@
#ifdef WITH_OPENSSL
+#include <openssl/crypto.h>
+#include <openssl/fips.h>
#include <sys/types.h>
#include <openssl/dh.h>
@ -116,7 +120,7 @@ diff -up openssh-8.6p1/kexgexc.c.fips openssh-8.6p1/kexgexc.c
/* generate and send 'e', client DH public key */
diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h
--- openssh-8.6p1/myproposal.h.fips 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/myproposal.h 2021-04-19 16:53:03.065577869 +0200
+++ openssh-8.6p1/myproposal.h 2021-05-06 12:08:36.498926877 +0200
@@ -57,6 +57,18 @@
"rsa-sha2-512," \
"rsa-sha2-256"
@ -131,7 +135,7 @@ diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h
+ "ecdsa-sha2-nistp384," \
+ "ecdsa-sha2-nistp521," \
+ "rsa-sha2-512," \
+ "rsa-sha2-256," \
+ "rsa-sha2-256"
+
#define KEX_SERVER_ENCRYPT \
"chacha20-poly1305@openssh.com," \
@ -165,8 +169,16 @@ diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h
#define SSH_ALLOWED_CA_SIGALGS \
"ssh-ed25519," \
diff -up openssh-8.6p1/readconf.c.fips openssh-8.6p1/readconf.c
--- openssh-8.6p1/readconf.c.fips 2021-04-19 16:53:02.999577362 +0200
+++ openssh-8.6p1/readconf.c 2021-04-19 16:53:03.065577869 +0200
--- openssh-8.6p1/readconf.c.fips 2021-05-06 12:08:36.428926336 +0200
+++ openssh-8.6p1/readconf.c 2021-05-06 12:08:36.499926885 +0200
@@ -39,6 +39,7 @@
#include <string.h>
#include <stdarg.h>
#include <unistd.h>
+#include <openssl/fips.h>
#ifdef USE_SYSTEM_GLOB
# include <glob.h>
#else
@@ -2538,11 +2538,16 @@ fill_default_options(Options * options)
all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ',');
@ -190,8 +202,8 @@ diff -up openssh-8.6p1/readconf.c.fips openssh-8.6p1/readconf.c
do { \
if ((r = kex_assemble_names(&options->what, \
diff -up openssh-8.6p1/sandbox-seccomp-filter.c.fips openssh-8.6p1/sandbox-seccomp-filter.c
--- openssh-8.6p1/sandbox-seccomp-filter.c.fips 2021-04-19 16:53:03.034577631 +0200
+++ openssh-8.6p1/sandbox-seccomp-filter.c 2021-04-19 16:53:03.065577869 +0200
--- openssh-8.6p1/sandbox-seccomp-filter.c.fips 2021-05-06 12:08:36.463926606 +0200
+++ openssh-8.6p1/sandbox-seccomp-filter.c 2021-05-06 12:08:36.499926885 +0200
@@ -160,6 +160,9 @@ static const struct sock_filter preauth_
#ifdef __NR_open
SC_DENY(__NR_open, EACCES),
@ -203,8 +215,16 @@ diff -up openssh-8.6p1/sandbox-seccomp-filter.c.fips openssh-8.6p1/sandbox-secco
SC_DENY(__NR_openat, EACCES),
#endif
diff -up openssh-8.6p1/servconf.c.fips openssh-8.6p1/servconf.c
--- openssh-8.6p1/servconf.c.fips 2021-04-19 16:53:03.027577577 +0200
+++ openssh-8.6p1/servconf.c 2021-04-19 16:53:03.066577877 +0200
--- openssh-8.6p1/servconf.c.fips 2021-05-06 12:08:36.455926545 +0200
+++ openssh-8.6p1/servconf.c 2021-05-06 12:08:36.500926893 +0200
@@ -38,6 +38,7 @@
#include <limits.h>
#include <stdarg.h>
#include <errno.h>
+#include <openssl/fips.h>
#ifdef HAVE_UTIL_H
#include <util.h>
#endif
@@ -226,11 +226,16 @@ assemble_algorithms(ServerOptions *o)
all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ',');
@ -228,13 +248,13 @@ diff -up openssh-8.6p1/servconf.c.fips openssh-8.6p1/servconf.c
do { \
if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
diff -up openssh-8.6p1/ssh.c.fips openssh-8.6p1/ssh.c
--- openssh-8.6p1/ssh.c.fips 2021-04-19 16:53:03.038577662 +0200
+++ openssh-8.6p1/ssh.c 2021-04-19 16:53:03.066577877 +0200
--- openssh-8.6p1/ssh.c.fips 2021-05-06 12:08:36.467926637 +0200
+++ openssh-8.6p1/ssh.c 2021-05-06 12:08:36.500926893 +0200
@@ -77,6 +77,7 @@
#include <openssl/evp.h>
#include <openssl/err.h>
#endif
+#include <openssl/crypto.h>
+#include <openssl/fips.h>
#include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h"
@ -250,13 +270,13 @@ diff -up openssh-8.6p1/ssh.c.fips openssh-8.6p1/ssh.c
if (options.sk_provider != NULL && *options.sk_provider == '$' &&
strlen(options.sk_provider) > 1) {
diff -up openssh-8.6p1/sshconnect2.c.fips openssh-8.6p1/sshconnect2.c
--- openssh-8.6p1/sshconnect2.c.fips 2021-04-19 16:53:03.055577792 +0200
+++ openssh-8.6p1/sshconnect2.c 2021-04-19 16:53:03.066577877 +0200
--- openssh-8.6p1/sshconnect2.c.fips 2021-05-06 12:08:36.485926777 +0200
+++ openssh-8.6p1/sshconnect2.c 2021-05-06 12:08:36.501926900 +0200
@@ -45,6 +45,8 @@
#include <vis.h>
#endif
+#include <openssl/crypto.h>
+#include <openssl/fips.h>
+
#include "openbsd-compat/sys-queue.h"
@ -331,10 +351,10 @@ diff -up openssh-8.6p1/sshconnect2.c.fips openssh-8.6p1/sshconnect2.c
}
#endif
diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
--- openssh-8.6p1/sshd.c.fips 2021-04-19 16:53:03.060577831 +0200
+++ openssh-8.6p1/sshd.c 2021-04-19 16:57:45.827769340 +0200
--- openssh-8.6p1/sshd.c.fips 2021-05-06 12:08:36.493926838 +0200
+++ openssh-8.6p1/sshd.c 2021-05-06 12:13:56.501492639 +0200
@@ -66,6 +66,7 @@
#include <grp.h>
#endif
#include <pwd.h>
#include <signal.h>
+#include <syslog.h>
@ -345,7 +365,7 @@ diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
#include <openssl/dh.h>
#include <openssl/bn.h>
#include <openssl/rand.h>
+#include <openssl/crypto.h>
+#include <openssl/fips.h>
#include "openbsd-compat/openssl-compat.h"
#endif
@ -357,6 +377,20 @@ diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac;
rexec_argc = ac;
@@ -1931,6 +1931,13 @@ main(int ac, char **av)
&key, NULL)) != 0 && r != SSH_ERR_SYSTEM_ERROR)
do_log2_r(r, ll, "Unable to load host key \"%s\"",
options.host_key_files[i]);
+ if (FIPS_mode() && key != NULL && (sshkey_type_plain(key->type) == KEY_ED25519_SK
+ || sshkey_type_plain(key->type) == KEY_ED25519)) {
+ logit_f("sshd: Ed25519 keys are not allowed in FIPS mode, skipping %s", options.host_key_files[i]);
+ sshkey_free(key);
+ key = NULL;
+ continue;
+ }
if (sshkey_is_sk(key) &&
key->sk_flags & SSH_SK_USER_PRESENCE_REQD) {
debug("host key %s requires user presence, ignoring",
@@ -2110,6 +2113,10 @@ main(int ac, char **av)
/* Reinitialize the log (because of the fork above). */
log_init(__progname, options.log_level, options.log_facility, log_stderr);
@ -388,13 +422,13 @@ diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
if (gss && orig)
xasprintf(&newstr, "%s,%s", gss, orig);
diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c
--- openssh-8.6p1/sshkey.c.fips 2021-04-19 16:53:03.061577838 +0200
+++ openssh-8.6p1/sshkey.c 2021-04-19 16:53:03.067577885 +0200
--- openssh-8.6p1/sshkey.c.fips 2021-05-06 12:08:36.493926838 +0200
+++ openssh-8.6p1/sshkey.c 2021-05-06 12:08:36.502926908 +0200
@@ -34,6 +34,7 @@
#include <openssl/evp.h>
#include <openssl/err.h>
#include <openssl/pem.h>
+#include <openssl/crypto.h>
+#include <openssl/fips.h>
#endif
#include "crypto_api.h"
@ -406,18 +440,80 @@ diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c
#include "ssh-sk.h"
#ifdef WITH_XMSS
@@ -1705,6 +1707,8 @@ rsa_generate_private_key(u_int bits, RSA
}
if (!BN_set_word(f4, RSA_F4) ||
!RSA_generate_key_ex(private, bits, f4, NULL)) {
+ if (FIPS_mode())
+ logit_f("the key length might be unsupported by FIPS mode approved key generation method");
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
@@ -285,6 +285,18 @@ sshkey_alg_list(int certs_only, int plai
for (kt = keytypes; kt->type != -1; kt++) {
if (kt->name == NULL || kt->type == KEY_NULL)
continue;
+ if (FIPS_mode()) {
+ switch (kt->type) {
+ case KEY_ED25519:
+ case KEY_ED25519_SK:
+ case KEY_ED25519_CERT:
+ case KEY_ED25519_SK_CERT:
+ continue;
+ break;
+ default:
+ break;
+ }
+ }
if (!include_sigonly && kt->sigonly)
continue;
if ((certs_only && !kt->cert) || (plain_only && kt->cert))
@@ -1503,6 +1503,20 @@ sshkey_read(struct sshkey *ret, char **c
return SSH_ERR_EC_CURVE_MISMATCH;
}
+ switch (type) {
+ case KEY_ED25519:
+ case KEY_ED25519_SK:
+ case KEY_ED25519_CERT:
+ case KEY_ED25519_SK_CERT:
+ if (FIPS_mode()) {
+ sshkey_free(k);
+ logit_f("Ed25519 keys are not allowed in FIPS mode");
+ return SSH_ERR_INVALID_ARGUMENT;
+ }
+ break;
+ default:
+ break;
+ }
/* Fill in ret from parsed key */
ret->type = type;
if (sshkey_is_cert(ret)) {
@@ -2916,6 +2916,11 @@ sshkey_sign(struct sshkey *key,
break;
case KEY_ED25519_SK:
case KEY_ED25519_SK_CERT:
+ if (FIPS_mode()) {
+ logit_f("Ed25519 keys are not allowed in FIPS mode");
+ return SSH_ERR_INVALID_ARGUMENT;
+ }
+ /* Fallthrough */
case KEY_ECDSA_SK_CERT:
case KEY_ECDSA_SK:
r = sshsk_sign(sk_provider, key, sigp, lenp, data,
@@ -2973,6 +2978,10 @@ sshkey_verify(const struct sshkey *key,
return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat);
case KEY_ED25519_SK:
case KEY_ED25519_SK_CERT:
+ if (FIPS_mode()) {
+ logit_f("Ed25519 keys are not allowed in FIPS mode");
+ return SSH_ERR_INVALID_ARGUMENT;
+ }
return ssh_ed25519_sk_verify(key, sig, siglen, data, dlen,
compat, detailsp);
#ifdef WITH_XMSS
diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
--- openssh-8.6p1/ssh-keygen.c.fips 2021-04-19 16:53:03.038577662 +0200
+++ openssh-8.6p1/ssh-keygen.c 2021-04-19 16:53:03.068577892 +0200
--- openssh-8.6p1/ssh-keygen.c.fips 2021-05-06 12:08:36.467926637 +0200
+++ openssh-8.6p1/ssh-keygen.c 2021-05-06 12:08:36.503926916 +0200
@@ -20,6 +20,7 @@
#ifdef WITH_OPENSSL
#include <openssl/evp.h>
+#include <openssl/fips.h>
#include <openssl/pem.h>
#include "openbsd-compat/openssl-compat.h"
#endif
@@ -205,6 +205,12 @@ type_bits_valid(int type, const char *na
#endif
}
@ -425,7 +521,7 @@ diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
+ if (FIPS_mode()) {
+ if (type == KEY_DSA)
+ fatal("DSA keys are not allowed in FIPS mode");
+ if (type == KEY_ED25519)
+ if (type == KEY_ED25519 || type == KEY_ED25519_SK)
+ fatal("ED25519 keys are not allowed in FIPS mode");
+ }
switch (type) {
@ -450,3 +546,122 @@ diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
if ((fd = mkstemp(prv_tmp)) == -1) {
error("Could not save your private key in %s: %s",
prv_tmp, strerror(errno));
diff -up openssh-8.7p1/kexgen.c.fips3 openssh-8.7p1/kexgen.c
--- openssh-8.7p1/kexgen.c.fips3 2022-07-11 16:11:21.973519913 +0200
+++ openssh-8.7p1/kexgen.c 2022-07-11 16:25:31.172187365 +0200
@@ -31,6 +31,7 @@
#include <stdio.h>
#include <string.h>
#include <signal.h>
+#include <openssl/fips.h>
#include "sshkey.h"
#include "kex.h"
@@ -115,10 +116,20 @@ kex_gen_client(struct ssh *ssh)
break;
#endif
case KEX_C25519_SHA256:
- r = kex_c25519_keypair(kex);
+ if (FIPS_mode()) {
+ logit_f("Key exchange type c25519 is not allowed in FIPS mode");
+ r = SSH_ERR_INVALID_ARGUMENT;
+ } else {
+ r = kex_c25519_keypair(kex);
+ }
break;
case KEX_KEM_SNTRUP761X25519_SHA512:
- r = kex_kem_sntrup761x25519_keypair(kex);
+ if (FIPS_mode()) {
+ logit_f("Key exchange type sntrup761 is not allowed in FIPS mode");
+ r = SSH_ERR_INVALID_ARGUMENT;
+ } else {
+ r = kex_kem_sntrup761x25519_keypair(kex);
+ }
break;
default:
r = SSH_ERR_INVALID_ARGUMENT;
@@ -186,11 +197,21 @@ input_kex_gen_reply(int type, u_int32_t
break;
#endif
case KEX_C25519_SHA256:
- r = kex_c25519_dec(kex, server_blob, &shared_secret);
+ if (FIPS_mode()) {
+ logit_f("Key exchange type c25519 is not allowed in FIPS mode");
+ r = SSH_ERR_INVALID_ARGUMENT;
+ } else {
+ r = kex_c25519_dec(kex, server_blob, &shared_secret);
+ }
break;
case KEX_KEM_SNTRUP761X25519_SHA512:
- r = kex_kem_sntrup761x25519_dec(kex, server_blob,
- &shared_secret);
+ if (FIPS_mode()) {
+ logit_f("Key exchange type sntrup761 is not allowed in FIPS mode");
+ r = SSH_ERR_INVALID_ARGUMENT;
+ } else {
+ r = kex_kem_sntrup761x25519_dec(kex, server_blob,
+ &shared_secret);
+ }
break;
default:
r = SSH_ERR_INVALID_ARGUMENT;
@@ -285,12 +306,22 @@ input_kex_gen_init(int type, u_int32_t s
break;
#endif
case KEX_C25519_SHA256:
- r = kex_c25519_enc(kex, client_pubkey, &server_pubkey,
- &shared_secret);
+ if (FIPS_mode()) {
+ logit_f("Key exchange type c25519 is not allowed in FIPS mode");
+ r = SSH_ERR_INVALID_ARGUMENT;
+ } else {
+ r = kex_c25519_enc(kex, client_pubkey, &server_pubkey,
+ &shared_secret);
+ }
break;
case KEX_KEM_SNTRUP761X25519_SHA512:
- r = kex_kem_sntrup761x25519_enc(kex, client_pubkey,
- &server_pubkey, &shared_secret);
+ if (FIPS_mode()) {
+ logit_f("Key exchange type sntrup761 is not allowed in FIPS mode");
+ r = SSH_ERR_INVALID_ARGUMENT;
+ } else {
+ r = kex_kem_sntrup761x25519_enc(kex, client_pubkey,
+ &server_pubkey, &shared_secret);
+ }
break;
default:
r = SSH_ERR_INVALID_ARGUMENT;
diff -up openssh-8.7p1/ssh-ed25519.c.fips3 openssh-8.7p1/ssh-ed25519.c
--- openssh-8.7p1/ssh-ed25519.c.fips3 2022-07-11 16:53:41.428343304 +0200
+++ openssh-8.7p1/ssh-ed25519.c 2022-07-11 16:56:09.284663661 +0200
@@ -24,6 +24,7 @@
#include <string.h>
#include <stdarg.h>
+#include <openssl/fips.h>
#include "log.h"
#include "sshbuf.h"
@@ -52,6 +53,10 @@ ssh_ed25519_sign(const struct sshkey *ke
key->ed25519_sk == NULL ||
datalen >= INT_MAX - crypto_sign_ed25519_BYTES)
return SSH_ERR_INVALID_ARGUMENT;
+ if (FIPS_mode()) {
+ logit_f("Ed25519 keys are not allowed in FIPS mode");
+ return SSH_ERR_INVALID_ARGUMENT;
+ }
smlen = slen = datalen + crypto_sign_ed25519_BYTES;
if ((sig = malloc(slen)) == NULL)
return SSH_ERR_ALLOC_FAIL;
@@ -108,6 +113,10 @@ ssh_ed25519_verify(const struct sshkey *
datalen >= INT_MAX - crypto_sign_ed25519_BYTES ||
signature == NULL || signaturelen == 0)
return SSH_ERR_INVALID_ARGUMENT;
+ if (FIPS_mode()) {
+ logit_f("Ed25519 keys are not allowed in FIPS mode");
+ return SSH_ERR_INVALID_ARGUMENT;
+ }
if ((b = sshbuf_from(signature, signaturelen)) == NULL)
return SSH_ERR_ALLOC_FAIL;

9
openssh-7.8p1-UsePAM-warning.patch
View File

@ -1,13 +1,14 @@
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.8p1-UsePAM-warning.patch
diff -up openssh-8.6p1/sshd.c.log-usepam-no openssh-8.6p1/sshd.c
--- openssh-8.6p1/sshd.c.log-usepam-no 2021-04-19 14:00:45.099735129 +0200
+++ openssh-8.6p1/sshd.c 2021-04-19 14:03:21.140920974 +0200
@@ -1749,6 +1749,10 @@ main(int ac, char **av)
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
cfg, &includes, NULL);
cfg, &includes, NULL, rexeced_flag);
+ /* 'UsePAM no' is not supported in Fedora */
+ /* 'UsePAM no' is not supported in openEuler */
+ if (! options.use_pam)
+ logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems.");
+ logit("WARNING: 'UsePAM no' is not supported in openEuler and may cause several problems.");
+
#ifdef WITH_OPENSSL
if (options.moduli_file != NULL)
@ -19,7 +20,7 @@ diff -up openssh-8.6p1/sshd_config.log-usepam-no openssh-8.6p1/sshd_config
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
+# WARNING: 'UsePAM no' is not supported in openEuler and may cause several
+# problems.
#UsePAM no

6
openssh-7.8p1-role-mls.patch
View File

@ -93,7 +93,7 @@ diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
(r = sshbuf_put_cstring(b, authctxt->user)) != 0 ||
+#endif
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
(r = sshbuf_put_cstring(b, "hostbased")) != 0 ||
(r = sshbuf_put_cstring(b, method)) != 0 ||
(r = sshbuf_put_string(b, pkalg, alen)) != 0 ||
diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c
--- openssh/auth2-pubkey.c.role-mls 2018-08-22 11:14:56.816430924 +0200
@ -240,14 +240,14 @@ diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c
mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m)
{
@@ -1251,7 +1280,7 @@ monitor_valid_userblob(struct ssh *ssh,
{
struct sshbuf *b;
struct sshkey *hostkey = NULL;
const u_char *p;
- char *userstyle, *cp;
+ char *userstyle, *s, *cp;
size_t len;
u_char type;
int r, fail = 0;
int hostbound = 0, r, fail = 0;
@@ -1282,6 +1311,8 @@ monitor_valid_userblob(struct ssh *ssh,
fail++;
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)

206
openssh-8.0p1-crypto-policies.patch
View File

@ -1,13 +1,14 @@
diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
--- openssh-8.7p1/ssh_config.5.crypto-policies 2021-08-30 13:29:00.174292872 +0200
+++ openssh-8.7p1/ssh_config.5 2021-08-30 13:31:32.009548808 +0200
@@ -373,17 +373,13 @@ or
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.0p1-crypto-policies.patch
diff --color -ru a/ssh_config.5 b/ssh_config.5
--- a/ssh_config.5 2022-07-12 15:05:22.550013071 +0200
+++ b/ssh_config.5 2022-07-12 15:17:20.016704545 +0200
@@ -373,17 +373,13 @@
causes no CNAMEs to be considered for canonicalization.
This is the default behaviour.
.It Cm CASignatureAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies which algorithms are allowed for signing of certificates
@ -24,13 +25,13 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
If the specified list begins with a
.Sq +
character, then the specified algorithms will be appended to the default set
@@ -445,20 +441,25 @@ If the option is set to
@@ -445,20 +441,25 @@
(the default),
the check will not be executed.
.It Cm Ciphers
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the ciphers allowed and their order of preference.
@ -54,7 +55,7 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
.Pp
The supported ciphers are:
.Bd -literal -offset indent
@@ -474,13 +475,6 @@ aes256-gcm@openssh.com
@@ -474,13 +475,6 @@
chacha20-poly1305@openssh.com
.Ed
.Pp
@ -68,19 +69,19 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
The list of available ciphers may also be obtained using
.Qq ssh -Q cipher .
.It Cm ClearAllForwardings
@@ -874,6 +868,11 @@ command line will be passed untouched to
@@ -874,6 +868,11 @@
The default is
.Dq no .
.It Cm GSSAPIKexAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
The list of key exchange algorithms that are offered for GSSAPI
key exchange. Possible values are
.Bd -literal -offset 3n
@@ -886,10 +885,8 @@ gss-nistp256-sha256-,
@@ -886,10 +885,8 @@
gss-curve25519-sha256-
.Ed
.Pp
@ -92,13 +93,58 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
@@ -1219,29 +1216,25 @@ it may be zero or more of:
@@ -913,36 +910,25 @@
but may be manually hashed using
.Xr ssh-keygen 1 .
.It Cm HostbasedAcceptedAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the signature algorithms that will be used for hostbased
authentication as a comma-separated list of patterns.
Alternately if the specified list begins with a
.Sq +
character, then the specified signature algorithms will be appended
-to the default set instead of replacing them.
+to the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified signature algorithms (including wildcards)
-will be removed from the default set instead of replacing them.
+will be removed from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified signature algorithms will be placed
-at the head of the default set.
-The default for this option is:
-.Bd -literal -offset 3n
-ssh-ed25519-cert-v01@openssh.com,
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
-sk-ssh-ed25519-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com,
-ssh-ed25519,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256
-.Ed
+at the head of the built-in openssh default set.
.Pp
The
.Fl Q
@@ -1219,30 +1216,25 @@
and
.Cm pam .
.It Cm KexAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the available KEX (Key Exchange) algorithms.
@ -107,7 +153,7 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
.Sq +
-character, then the specified algorithms will be appended to the default set
-instead of replacing them.
+character, then the specified algorithms will be appended to the built-in
+character, then the specified methods will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
@ -120,6 +166,7 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
-default set.
-The default is:
-.Bd -literal -offset indent
-sntrup761x25519-sha512@openssh.com,
-curve25519-sha256,curve25519-sha256@libssh.org,
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
-diffie-hellman-group-exchange-sha256,
@ -131,13 +178,13 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
.Pp
The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q kex .
@@ -1351,37 +1344,33 @@ function, and all code in the
@@ -1351,37 +1344,33 @@
file.
This option is intended for debugging and no overrides are enabled by default.
.It Cm MACs
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the MAC (message authentication code) algorithms
@ -178,13 +225,13 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac .
.It Cm NoHostAuthenticationForLocalhost
@@ -1553,36 +1542,25 @@ instead of continuing to execute and pas
@@ -1553,36 +1542,25 @@
The default is
.Cm no .
.It Cm PubkeyAcceptedAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the signature algorithms that will be used for public key
@ -224,16 +271,27 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
.Pp
The list of available signature algorithms may also be obtained using
.Qq ssh -Q PubkeyAcceptedAlgorithms .
diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
--- openssh-8.7p1/sshd_config.5.crypto-policies 2021-08-30 13:29:00.157292731 +0200
+++ openssh-8.7p1/sshd_config.5 2021-08-30 13:32:16.263918533 +0200
@@ -373,17 +373,13 @@ If the argument is
@@ -2237,7 +2207,9 @@ for those users who do not have a config
This file must be world-readable.
.El
.Sh SEE ALSO
-.Xr ssh 1
+.Xr ssh 1 ,
+.Xr crypto-policies 7 ,
+.Xr update-crypto-policies 8
.Sh AUTHORS
.An -nosplit
OpenSSH is a derivative of the original and free
diff --color -ru a/sshd_config.5 b/sshd_config.5
--- a/sshd_config.5 2022-07-12 15:05:22.535012771 +0200
+++ b/sshd_config.5 2022-07-12 15:15:33.394809258 +0200
@@ -373,17 +373,13 @@
then no banner is displayed.
By default, no banner is displayed.
.It Cm CASignatureAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies which algorithms are allowed for signing of certificates
@ -250,13 +308,13 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
If the specified list begins with a
.Sq +
character, then the specified algorithms will be appended to the default set
@@ -450,20 +446,25 @@ The default is
@@ -450,20 +446,25 @@
indicating not to
.Xr chroot 2 .
.It Cm Ciphers
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the ciphers allowed.
@ -280,7 +338,7 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
.Pp
The supported ciphers are:
.Pp
@@ -490,13 +491,6 @@ aes256-gcm@openssh.com
@@ -490,13 +491,6 @@
chacha20-poly1305@openssh.com
.El
.Pp
@ -294,13 +352,13 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
The list of available ciphers may also be obtained using
.Qq ssh -Q cipher .
.It Cm ClientAliveCountMax
@@ -685,21 +679,22 @@ For this to work
@@ -685,53 +679,43 @@
.Cm GSSAPIKeyExchange
needs to be enabled in the server and also used by the client.
.It Cm GSSAPIKexAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
The list of key exchange algorithms that are accepted by GSSAPI
@ -326,18 +384,27 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
This option only applies to connections using GSSAPI.
.It Cm HostbasedAcceptedAlgorithms
Specifies the signature algorithms that will be accepted for hostbased
@@ -799,26 +794,13 @@ is specified, the location of the socket
.Ev SSH_AUTH_SOCK
environment variable.
.It Cm HostKeyAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the host key signature algorithms
that the server offers.
Specifies the signature algorithms that will be accepted for hostbased
authentication as a list of comma-separated patterns.
Alternately if the specified list begins with a
.Sq +
character, then the specified signature algorithms will be appended to
-the default set instead of replacing them.
+the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified signature algorithms (including wildcards)
-will be removed from the default set instead of replacing them.
+will be removed from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified signature algorithms will be placed at
-the head of the default set.
-The default for this option is:
-.Bd -literal -offset 3n
-ssh-ed25519-cert-v01@openssh.com,
@ -348,24 +415,54 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com,
-ssh-ed25519,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
-rsa-sha2-512,rsa-sha2-256
-.Ed
+the head of the built-in openssh default set.
.Pp
The list of available signature algorithms may also be obtained using
.Qq ssh -Q HostbasedAcceptedAlgorithms .
@@ -799,25 +794,14 @@
.Ev SSH_AUTH_SOCK
environment variable.
.It Cm HostKeyAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the host key signature algorithms
that the server offers.
The default for this option is:
-.Bd -literal -offset 3n
-ssh-ed25519-cert-v01@openssh.com,
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
-sk-ssh-ed25519-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com,
-ssh-ed25519,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256
-.Ed
-.Pp
The list of available signature algorithms may also be obtained using
.Qq ssh -Q HostKeyAlgorithms .
.It Cm IgnoreRhosts
@@ -965,20 +947,25 @@ Specifies whether to look at .k5login fi
@@ -965,20 +947,25 @@
The default is
.Cm yes .
.It Cm KexAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the available KEX (Key Exchange) algorithms.
@ -374,7 +471,7 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
.Sq +
-character, then the specified algorithms will be appended to the default set
-instead of replacing them.
+character, then the specified algorithms will be appended to the built-in
+character, then the specified methods will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
@ -389,12 +486,13 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
The supported algorithms are:
.Pp
.Bl -item -compact -offset indent
@@ -1010,15 +997,6 @@ ecdh-sha2-nistp521
@@ -1010,16 +997,6 @@
sntrup761x25519-sha512@openssh.com
.El
.Pp
-The default is:
-.Bd -literal -offset indent
-sntrup761x25519-sha512@openssh.com,
-curve25519-sha256,curve25519-sha256@libssh.org,
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
-diffie-hellman-group-exchange-sha256,
@ -405,13 +503,13 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q KexAlgorithms .
.It Cm ListenAddress
@@ -1104,21 +1082,26 @@ function, and all code in the
@@ -1104,21 +1082,26 @@
file.
This option is intended for debugging and no overrides are enabled by default.
.It Cm MACs
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the available MAC (message authentication code) algorithms.
@ -436,7 +534,7 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
.Pp
The algorithms that contain
.Qq -etm
@@ -1161,15 +1144,6 @@ umac-64-etm@openssh.com
@@ -1161,15 +1144,6 @@
umac-128-etm@openssh.com
.El
.Pp
@ -452,13 +550,13 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac .
.It Cm Match
@@ -1548,37 +1522,25 @@ or equivalent.)
@@ -1548,36 +1522,25 @@
The default is
.Cm yes .
.It Cm PubkeyAcceptedAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the signature algorithms that will be accepted for public key
@ -488,14 +586,24 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com,
-ssh-ed25519,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
-rsa-sha2-512,rsa-sha2-256
-.Ed
+built-in openssh default set.
.Pp
The list of available signature algorithms may also be obtained using
.Qq ssh -Q PubkeyAcceptedAlgorithms .
@@ -2011,7 +1968,9 @@ This file should be writable by root onl
.El
.Sh SEE ALSO
.Xr sftp-server 8 ,
-.Xr sshd 8
+.Xr sshd 8 ,
+.Xr crypto-policies 7 ,
+.Xr update-crypto-policies 8
.Sh AUTHORS
.An -nosplit
OpenSSH is a derivative of the original and free

363
openssh-8.0p1-gssapi-keyex.patch
View File

File diff suppressed because it is too large Load Diff

3179
openssh-8.0p1-pkcs11-uri.patch
View File

File diff suppressed because it is too large Load Diff

BIN
openssh-8.8p1.tar.gz
View File

Binary file not shown.

16
openssh-8.8p1.tar.gz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmFQfp8ACgkQKj9BTnNg
YLq2SQ/8C3iOHTkyqX82FYt0SKkybebe9b2iBPr91HQOUmx+U3I+vgrSWArXabWJ
uSu0b685RQKlcr7UjEtPk6g0cm45NoJFjju9ljvnOFfZw73V3a5qX15Lx4xRnkRx
v1LJn6Yh12PKLWL4/A1qPQnfAObVwq/BF0BR01FfXLAOt5+lFwYvg79HpE+69b0r
KtcIEpsyTEn2lSKSWD7q4lpe6Z/iR+XzBKfnB6JJXhKyHiDV63hlAJk9Pt3mIvS6
tnE9/7GDawvi+Tsl018kw3wsf6aHVSQ+O+vzcDgfy0vDJVGjD6Ec9it9FvikXJh6
3pSTBYuUJdt+CAQYvmEui73v4nrkfouHXsxqgzEDZaTwIZC4wPrvNYxUaIyirWlc
l4/YSnxSxSiYbvPa5eYRBvXvoWbnQXjPOkuhjETxz/KTcHirQpWE9eldi0jHcKUa
FVu9YqMPAjIUd1Jj4vC5bgH7v5cLeEMm/AetMvKsJs+rhY9NZaKpiqOqU2m6Geb+
sQSXHNTeA8uOlrHim4SmYHtmfglVbH5lIroiUqtRzjbOhMhqUb+yN9+aAxe0bwmN
VcFMSThlbmYokb9bkQryY2I/FfXb997vxgF6v15Z8d9e8HH2zc2Irj1HYXG4Bf3o
WCiSvd8+Tr/FxS2Gn8qj/vgSPWXT0d0Hy4zHW9JeT/jn3RtIYhU=
=EnoG
-----END PGP SIGNATURE-----

BIN
openssh-9.1p1.tar.gz Normal file
View File

Binary file not shown.

16
openssh-9.1p1.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmM6+qUACgkQKj9BTnNg
YLqLSxAAi+hmachTcy9O2GNbCq4uPFlFqQ8hjZ697nhNvkIJtrtc2WSIg17ImN4E
3ucWQLEqbytwsj67J1UFC4NyOmGo2mfsZ3BEDsgkkd0Tp2YO7UhkrVzTD0l0Wl7/
qe0biPaYOLFptL+88wC3OdamNkWgHAtSYBizgHK4k2uEtLYsEXuC+0nnfqykL2vq
UEB3MZ7C00JYmBVHFfMjtmGmt+Z3ahv5LSzFsj//c6hwkhdJHtv/V4UlCIVrrMdG
XyTumREl+y5zuP5oGxsRU/LZNo7ncXYDUg2qE/FpR4o8giF9d1fm/aHuAmr+g03E
Ev3uUcrgA+Kq95bbv7ubtO2JxFnuzUmJkUy6SNIcE1o4naxGejxlEw7nvtvf7auV
BPqomw1yOWyQzbhXtD18OiSi1IJMXyDCei9HcsO+oM3aq8YQc9Bsed7UPhA36e6b
GjuAIOPtee+JqxDj3psN39G+y4YUcxSPqC4gKL8cKfImbP2DlSoHPmZ1fDf/pKPj
hWdNiA+a+KzsXR2fjBWMeUIkSvx2BYZC9NKFS/zN4X86jEdyOJtQJ4WQcIvekLIA
Z/yP6UrzM+2jYYqix4PBocP1utEakFDYfLPJu0G2pK9meU4dz6EzNUT7J3daF2h7
eaibQUZ0+wg+sI+MPys3INcqcKwv/5OVDl6wi7g2iNOdOII49VM=
=xfW+
-----END PGP SIGNATURE-----

98
openssh.spec
View File

@ -6,10 +6,10 @@
%{?no_gtk2:%global gtk2 0}
%global sshd_uid 74
%global openssh_release 17
%global openssh_release 1
Name: openssh
Version: 8.8p1
Version: 9.1p1
Release: %{openssh_release}
URL: http://www.openssh.com/portable.html
License: BSD
@ -18,19 +18,19 @@ Summary: An open source implementation of SSH protocol version 2
Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source1: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
Source2: sshd.pam
Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.10.4.tar.gz
Source5: pam_ssh_agent-rmheaders
Source6: ssh-keycat.pam
Source7: sshd.sysconfig
Source9: sshd@.service
Source10: sshd.socket
Source11: sshd.service
Source12: sshd-keygen@.service
Source13: sshd-keygen
Source14: sshd.tmpfiles
Source15: sshd-keygen.target
Source16: ssh-agent.service
Source17: ssh-keygen-bash-completion.sh
Source3: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.10.4.tar.gz
Source4: pam_ssh_agent-rmheaders
Source5: ssh-keycat.pam
Source6: sshd.sysconfig
Source7: sshd@.service
Source8: sshd.socket
Source9: sshd.service
Source10: sshd-keygen@.service
Source11: sshd-keygen
Source12: sshd.tmpfiles
Source13: sshd-keygen.target
Source14: ssh-agent.service
Source15: ssh-keygen-bash-completion.sh
Patch0: openssh-6.7p1-coverity.patch
Patch1: openssh-7.6p1-audit.patch
Patch2: openssh-7.1p2-audit-race-condition.patch
@ -48,12 +48,10 @@ Patch14: openssh-6.6p1-keyperm.patch
Patch15: openssh-5.9p1-ipv6man.patch
Patch16: openssh-5.8p2-sigpipe.patch
Patch17: openssh-7.2p2-x11.patch
Patch18: openssh-7.7p1-fips.patch
Patch19: openssh-5.1p1-askpass-progress.patch
Patch20: openssh-4.3p2-askpass-grab-info.patch
Patch21: openssh-7.7p1.patch
Patch22: openssh-7.8p1-UsePAM-warning.patch
Patch23: openssh-6.3p1-ctr-evp-fast.patch
Patch26: openssh-8.0p1-gssapi-keyex.patch
Patch27: openssh-6.6p1-force_krb.patch
Patch28: openssh-6.6p1-GSSAPIEnablek5users.patch
@ -82,31 +80,16 @@ Patch51: openssh-8.0p1-keygen-strip-doseol.patch
Patch52: openssh-8.0p1-preserve-pam-errors.patch
Patch53: openssh-8.7p1-scp-kill-switch.patch
Patch54: bugfix-sftp-when-parse_user_host_path-empty-path-should-be-allowed.patch
Patch55: bugfix-openssh-6.6p1-log-usepam-no.patch
Patch56: bugfix-openssh-add-option-check-username-splash.patch
Patch57: feature-openssh-7.4-hima-sftpserver-oom-and-fix.patch
Patch58: bugfix-openssh-fix-sftpserver.patch
Patch59: set-sshd-config.patch
Patch60: feature-add-SMx-support.patch
Patch61: backport-upstream-a-little-extra-debugging.patch
Patch62: backport-upstream-better-debugging-for-connect_next.patch
Patch63: add-loongarch.patch
Patch64: backport-upstream-ssh-keygen-Y-check-novalidate-requires-name.patch
Patch65: openssh-Add-sw64-architecture.patch
Patch66: backport-upstream-if-sshpkt-functions-fail-then-password-is-n.patch
Patch67: backport-upstream-Make-sure-not-to-fclose-the-same-fd-twice-i.patch
Patch68: backport-upstream-Donot-attempt-to-fprintf-a-null-identity-co.patch
Patch69: backport-upstream-ignore-SIGPIPE-earlier-in-main-specifically.patch
Patch70: backport-upstream-Always-return-allocated-strings-from-the-ke.patch
Patch71: backport-Don-t-leak-the-strings-allocated-by-order_h.patch
Patch72: backport-Return-ERANGE-from-getcwd-if-buffer-size-is-1.patch
Patch73: backport-upstream-double-free-in-error-path-from-Eusgor-via-G.patch
Patch74: add-strict-scp-check-for-CVE-2020-15778.patch
Patch75: backport-upstream-avoid-integer-overflow-of-auth-attempts-har.patch
Patch76: backport-Skip-scp3-test-if-there-s-no-scp-on-remote-path.patch
Patch77: skip-scp-test-if-there-is-no-scp-on-remote-path-as-s.patch
Patch78: skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch
Patch79: backport-fix-possible-NULL-deref-when-built-without-FIDO.patch
Requires: /sbin/nologin
Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8
@ -180,7 +163,7 @@ instance. The module is most useful for su and sudo service stacks.
%package_help
%prep
%setup -q -a 4
%setup -q -a 3
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
%patch3 -p2 -b .psaa-build
@ -190,14 +173,13 @@ pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
%patch6 -p2 -b .psaa-agent
%patch8 -p2 -b .psaa-deref
# Remove duplicate headers and library files
rm -f $(cat %{SOURCE5})
rm -f $(cat %{SOURCE4})
popd
%patch9 -p1 -b .role-mls
%patch10 -p1 -b .privsep-selinux
%patch12 -p1 -b .keycat
%patch13 -p1 -b .ip-opts
%patch14 -p1 -b .keyperm
%patch15 -p1 -b .ipv6man
%patch16 -p1 -b .sigpipe
%patch17 -p1 -b .x11
@ -205,7 +187,6 @@ popd
%patch20 -p1 -b .grab-info
%patch21 -p1
%patch22 -p1 -b .log-usepam-no
%patch23 -p1 -b .evp-ctr
%patch26 -p1 -b .gsskex
%patch27 -p1 -b .force_krb
%patch29 -p1 -b .ccache_name
@ -235,35 +216,18 @@ popd
%patch53 -p1 -b .kill-scp
%patch1 -p1 -b .audit
%patch2 -p1 -b .audit-race
%patch18 -p1 -b .fips
%patch0 -p1 -b .coverity
%patch54 -p1
%patch55 -p1
%patch56 -p1
%patch57 -p1
%patch58 -p1
%patch59 -p1
%patch60 -p1
%patch61 -p1
%patch62 -p1
%patch63 -p1
%patch64 -p1
%patch65 -p1
%patch66 -p1
%patch67 -p1
%patch68 -p1
%patch69 -p1
%patch70 -p1
%patch71 -p1
%patch72 -p1
%patch73 -p1
%patch74 -p1
%patch75 -p1
%patch76 -p1
%patch77 -p1
%patch78 -p1
%patch79 -p1
autoreconf
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
@ -350,23 +314,23 @@ install -d $RPM_BUILD_ROOT/etc/pam.d/
install -d $RPM_BUILD_ROOT/etc/sysconfig/
install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd
install -m644 %{SOURCE5} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/sysconfig/sshd
install -m644 ssh_config_redhat $RPM_BUILD_ROOT/etc/ssh/ssh_config.d/05-redhat.conf
install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service
install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service
install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service
install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target
install -m644 %{SOURCE7} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service
install -m644 %{SOURCE8} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service
install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service
install -m644 %{SOURCE13} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target
install -d -m755 $RPM_BUILD_ROOT/%{_userunitdir}
install -m644 %{SOURCE16} $RPM_BUILD_ROOT/%{_userunitdir}/ssh-agent.service
install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen
install -m644 %{SOURCE14} $RPM_BUILD_ROOT/%{_userunitdir}/ssh-agent.service
install -m744 %{SOURCE11} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
install -m644 -D %{SOURCE14} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf
install -m644 -D %{SOURCE12} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
install -m644 %{SOURCE17} $RPM_BUILD_ROOT/etc/bash_completion.d/ssh-keygen-bash-completion.sh
install -m644 %{SOURCE15} $RPM_BUILD_ROOT/etc/bash_completion.d/ssh-keygen-bash-completion.sh
ln -s gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
@ -462,6 +426,12 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%changelog
* Mon Jan 30 2023 renmingshuai<renmingshuai@huawei.com> - 9.1p1-1
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:update to openssh-9.1p1
* Mon Jan 9 2023 renmingshuai <renmingshuai@huawei.com> - 8.8p1-17
- Type:bugfix
- CVE:NA