packages/openssh
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update to 9.3p1

Browse Source
This commit is contained in:
renmingshuai 2023-07-24 21:42:50 +08:00
parent 47d5d7c56a
commit 620762bc3e
58 changed files with 5111 additions and 5413 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
backport-Allow-writev-is-seccomp-sandbox.patch
View File

@ -1,30 +0,0 @@
From 6283f4bd83eee714d0f5fc55802eff836b06fea8 Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@dtucker.net>
Date: Sat, 14 Jan 2023 22:02:44 +1100
Subject: [PATCH] Allow writev is seccomp sandbox.
This seems to be used by recent glibcs at least in some configurations.
From bz#3512, ok djm@
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=6283f4bd83eee714d0f5fc55802eff836b06fea8
---
sandbox-seccomp-filter.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index cec43c46..4ab49eb6 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -312,6 +312,9 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_write
SC_ALLOW(__NR_write),
#endif
+#ifdef __NR_writev
+ SC_ALLOW(__NR_writev),
+#endif
#ifdef __NR_socketcall
SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
SC_DENY(__NR_socketcall, EACCES),
--
2.27.0

39
backport-Defer-seed_rng-until-after-closefrom-call.patch
View File

@ -1,39 +0,0 @@
From cf1a9852d7fc93e4abc4168aed09529a57427cdc Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@dtucker.net>
Date: Wed, 9 Nov 2022 09:23:47 +1100
Subject: [PATCH] Defer seed_rng until after closefrom call.
seed_rng will initialize OpenSSL, and some engine providers (eg Intel's
QAT) will open descriptors for their own use. bz#3483, patch from
joel.d.schuetze at intel.com, ok djm@
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=cf1a9852d7fc93e4abc4168aed09529a57427cdc
---
sshd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sshd.c b/sshd.c
index b4bb7d65..808d91ef 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1580,8 +1580,6 @@ main(int ac, char **av)
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
- seed_rng();
-
/* Initialize configuration options to their default values. */
initialize_server_options(&options);
@@ -1703,6 +1701,8 @@ main(int ac, char **av)
else
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
+ seed_rng();
+
/* If requested, redirect the logs to the specified logfile. */
if (logfile != NULL)
log_redirect_stderr_to(logfile);
--
2.27.0

51
backport-adapt-compat_kex_proposal-test-to-portable.patch
View File

@ -1,51 +0,0 @@
From 9fe207565b4ab0fe5d1ac5bb85e39188d96fb214 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Thu, 2 Feb 2023 23:17:49 +1100
Subject: [PATCH] adapt compat_kex_proposal() test to portable
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=9fe207565b4ab0fe5d1ac5bb85e39188d96fb214
---
Makefile.in | 1 +
regress/unittests/kex/test_proposal.c | 6 +++++-
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/Makefile.in b/Makefile.in
index 18f6ac9e..c0ebfa04 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -616,6 +616,7 @@ regress/unittests/conversion/test_conversion$(EXEEXT): \
UNITTESTS_TEST_KEX_OBJS=\
regress/unittests/kex/tests.o \
regress/unittests/kex/test_kex.o \
+ regress/unittests/kex/test_proposal.o \
$(SKOBJS)
regress/unittests/kex/test_kex$(EXEEXT): ${UNITTESTS_TEST_KEX_OBJS} \
diff --git a/regress/unittests/kex/test_proposal.c b/regress/unittests/kex/test_proposal.c
index b89ff59b..d6cf0f5d 100644
--- a/regress/unittests/kex/test_proposal.c
+++ b/regress/unittests/kex/test_proposal.c
@@ -5,14 +5,18 @@
* Placed in the public domain
*/
+#include "includes.h"
+
#include <sys/types.h>
#include <signal.h>
#include <stdio.h>
+#ifdef HAVE_STDINT_H
#include <stdint.h>
+#endif
#include <stdlib.h>
#include <string.h>
-#include "test_helper.h"
+#include "../test_helper/test_helper.h"
#include "compat.h"
#include "ssherr.h"
--
2.27.0

52
backport-don-t-test-IPv6-addresses-if-platform-lacks-support.patch
View File

@ -1,52 +0,0 @@
From dd1249bd5c45128a908395c61b26996a70f82205 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Sun, 8 Jan 2023 12:08:59 +1100
Subject: [PATCH] don't test IPv6 addresses if platform lacks support
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=dd1249bd5c45128a908395c61b26996a70f82205
---
regress/dynamic-forward.sh | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh
index f6c2393..1bfe05a 100644
--- a/regress/dynamic-forward.sh
+++ b/regress/dynamic-forward.sh
@@ -17,6 +17,11 @@ else
fi
trace "will use ProxyCommand $proxycmd"
+# This is a reasonable proxy for IPv6 support.
+if ! config_defined HAVE_STRUCT_IN6_ADDR ; then
+ SKIP_IPV6=yes
+fi
+
start_ssh() {
direction="$1"
arg="$2"
@@ -96,14 +101,16 @@ for d in D R; do
stop_ssh
verbose "PermitRemoteOpen=explicit"
- start_ssh $d \
- PermitRemoteOpen="127.0.0.1:$PORT [::1]:$PORT localhost:$PORT"
+ permit="127.0.0.1:$PORT [::1]:$PORT localhost:$PORT"
+ test -z "$SKIP_IPV6" || permit="127.0.0.1:$PORT localhost:$PORT"
+ start_ssh $d PermitRemoteOpen="$permit"
check_socks $d Y
stop_ssh
verbose "PermitRemoteOpen=disallowed"
- start_ssh $d \
- PermitRemoteOpen="127.0.0.1:1 [::1]:1 localhost:1"
+ permit="127.0.0.1:1 [::1]:1 localhost:1"
+ test -z "$SKIP_IPV6" || permit="127.0.0.1:1 localhost:1"
+ start_ssh $d PermitRemoteOpen="$permit"
check_socks $d N
stop_ssh
done
--
2.27.0

37
backport-upstream-Add-scp-s-path-to-test-sshd-s-PATH.patch
View File

@ -1,37 +0,0 @@
From 6e6f88647042b3cde54a628545c2f5fb656a9327 Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Fri, 13 Jan 2023 04:23:00 +0000
Subject: [PATCH] upstream: Add scp's path to test sshd's PATH.
If the scp we're testing is fully qualified (eg it's not in the system
PATH) then add its path to the under-test sshd's PATH so we can find
it. Prompted by bz#3518.
OpenBSD-Regress-ID: 7df4f5a0be3aa135495b7e5a6719d3cbc26cc4c0
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=6e6f88647042b3cde54a628545c2f5fb656a9327
---
regress/test-exec.sh | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index c51f8eac..5a6afac5 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -529,6 +529,13 @@ cat << EOF > $OBJ/sshd_config
Subsystem sftp $SFTPSERVER
EOF
+# If we're testing a non-installed scp, add its directory to sshd's PATH
+# so we can test it.
+case "$SCP" in
+/*) PATH_WITH_SCP="`dirname $SCP`:$PATH"
+ echo " SetEnv PATH='$PATH_WITH_SCP'" >>$OBJ/sshd_config ;;
+esac
+
# This may be necessary if /usr/src and/or /usr/obj are group-writable,
# but if you aren't careful with permissions then the unit tests could
# be abused to locally escalate privileges.
--
2.27.0

63
backport-upstream-CVE-2023-25136-fix-double-free-caused.patch
View File

@ -1,63 +0,0 @@
From 12da7823336434a403f25c7cc0c2c6aed0737a35 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Thu, 2 Feb 2023 12:10:05 +0000
Subject: [PATCH] upstream: fix double-free caused by compat_kex_proposal();
bz3522
by dtucker@, ok me
OpenBSD-Commit-ID: 2bfc37cd2d41f67dad64c17a64cf2cd3806a5c80
Reference:https://anongit.mindrot.org/openssh.git/patch/?id=12da7823336434a403f25c7cc0c2c6aed0737a35
Conflict:NA
---
compat.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/compat.c b/compat.c
index 46dfe3a9..478a9403 100644
--- a/compat.c
+++ b/compat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.c,v 1.120 2022/07/01 03:35:45 dtucker Exp $ */
+/* $OpenBSD: compat.c,v 1.121 2023/02/02 12:10:05 djm Exp $ */
/*
* Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
*
@@ -190,26 +190,26 @@ compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop)
char *
compat_kex_proposal(struct ssh *ssh, char *p)
{
- char *cp = NULL;
+ char *cp = NULL, *cp2 = NULL;
if ((ssh->compat & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0)
return xstrdup(p);
debug2_f("original KEX proposal: %s", p);
if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0)
- if ((p = match_filter_denylist(p,
+ if ((cp = match_filter_denylist(p,
"curve25519-sha256@libssh.org")) == NULL)
fatal("match_filter_denylist failed");
if ((ssh->compat & SSH_OLD_DHGEX) != 0) {
- cp = p;
- if ((p = match_filter_denylist(p,
+ if ((cp2 = match_filter_denylist(cp ? cp : p,
"diffie-hellman-group-exchange-sha256,"
"diffie-hellman-group-exchange-sha1")) == NULL)
fatal("match_filter_denylist failed");
free(cp);
+ cp = cp2;
}
- debug2_f("compat KEX proposal: %s", p);
- if (*p == '\0')
+ if (cp == NULL || *cp == '\0')
fatal("No supported key exchange algorithms found");
- return p;
+ debug2_f("compat KEX proposal: %s", cp);
+ return cp;
}
--
2.23.0

52
backport-upstream-Clear-signal-mask-early-in-main-sshd-may-ha.patch
View File

@ -1,52 +0,0 @@
From 93f2ce8c050a7a2a628646c00b40b9b53fef93ef Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Fri, 16 Dec 2022 06:56:47 +0000
Subject: [PATCH] upstream: Clear signal mask early in main(); sshd may have
been
started with one or more signals masked (sigprocmask(2) is not cleared
on fork/exec) and this could interfere with various things, e.g. the
login grace timer.
Execution environments that fail to clear the signal mask before running
sshd are clearly broken, but apparently they do exist.
Reported by Sreedhar Balasubramanian; ok dtucker@
OpenBSD-Commit-ID: 77078c0b1c53c780269fc0c416f121d05e3010ae
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=93f2ce8c050a7a2a628646c00b40b9b53fef93ef
---
sshd.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/sshd.c b/sshd.c
index cd42bd5..da39226 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.591 2022/09/17 10:34:29 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.594 2022/12/16 06:56:47 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1650,12 +1650,16 @@ main(int ac, char **av)
int keytype;
Authctxt *authctxt;
struct connection_info *connection_info = NULL;
+ sigset_t sigmask;
#ifdef HAVE_SECUREWARE
(void)set_auth_parameters(ac, av);
#endif
__progname = ssh_get_progname(av[0]);
+ sigemptyset(&sigmask);
+ sigprocmask(SIG_SETMASK, &sigmask, NULL);
+
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac;
rexec_argc = ac;
--
2.23.0

32
backport-upstream-Copy-bytes-from-the_banana-rather-than-bana.patch
View File

@ -1,32 +0,0 @@
From 018d671d78145f03d6f07ae9d64d51321da70325 Mon Sep 17 00:00:00 2001
From: "tb@openbsd.org" <tb@openbsd.org>
Date: Wed, 4 Jan 2023 22:48:57 +0000
Subject: [PATCH] upstream: Copy bytes from the_banana[] rather than banana()
Fixes test failure due to segfault seen on arm64 with xonly snap.
ok djm
OpenBSD-Regress-ID: 86e2aa4bbd1dff1bc4ebb2969c0d6474485be046
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=018d671d78145f03d6f07ae9d64d51321da70325
---
regress/unittests/sshkey/test_sshkey.c | 2 +-
1 file changed, 1 insertions(+), 1 deletions(-)
diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c
index 982907ce..cc359aea 100644
--- a/regress/unittests/sshkey/test_sshkey.c
+++ b/regress/unittests/sshkey/test_sshkey.c
@@ -144,7 +144,7 @@ banana(u_char *s, size_t l)
memcpy(s + o, "nanananana", l - o);
break;
}
- memcpy(s + o, banana, sizeof(the_banana));
+ memcpy(s + o, the_banana, sizeof(the_banana));
}
}
--
2.27.0

48
backport-upstream-Ensure-that-there-is-a-terminating-newline-.patch
View File

@ -1,48 +0,0 @@
From 3c379c9a849a635cc7f05cbe49fe473ccf469ef9 Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Thu, 9 Feb 2023 09:54:11 +0000
Subject: [PATCH] upstream: Ensure that there is a terminating newline when
adding a new
entry to known_hosts. bz#3529, with git+openssh at limpsquid.nl, ok deraadt@
markus@
OpenBSD-Commit-ID: fa8d90698da1886570512b96f051e266eac105e0
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=3c379c9a849a635cc7f05cbe49fe473ccf469ef9
---
hostfile.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/hostfile.c b/hostfile.c
index bd49e3ac..f5fa8084 100644
--- a/hostfile.c
+++ b/hostfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: hostfile.c,v 1.93 2022/01/06 22:02:52 djm Exp $ */
+/* $OpenBSD: hostfile.c,v 1.94 2023/02/09 09:54:11 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -520,9 +520,17 @@ add_host_to_hostfile(const char *filename, const char *host,
if (key == NULL)
return 1; /* XXX ? */
hostfile_create_user_ssh_dir(filename, 0);
- f = fopen(filename, "a");
+ f = fopen(filename, "a+");
if (!f)
return 0;
+ /* Make sure we have a terminating newline. */
+ if (fseek(f, -1L, SEEK_END) == 0 && fgetc(f) != '\n')
+ if (fputc('\n', f) != '\n') {
+ error("Failed to add terminating newline to %s: %s",
+ filename, strerror(errno));
+ fclose(f);
+ return 0;
+ }
success = write_host_entry(f, host, NULL, key, store_hash);
fclose(f);
return success;
--
2.27.0

46
backport-upstream-Handle-dynamic-remote-port-forwarding-in-es.patch
View File

@ -1,46 +0,0 @@
From 650de7ecd3567b5a5dbf16dd1eb598bd8c20bca8 Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Thu, 10 Nov 2022 23:03:10 +0000
Subject: [PATCH] upstream: Handle dynamic remote port forwarding in escape
commandline's
-R processing. bz#3499, ok djm@
OpenBSD-Commit-ID: 194ee4cfe7ed0e2b8ad0727f493c798a50454208
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=650de7ecd3567b5a5dbf16dd1eb598bd8c20bca8
---
clientloop.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/clientloop.c b/clientloop.c
index 289d0b68..02349ccb 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.380 2022/06/03 04:30:46 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.382 2022/11/10 23:03:10 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -846,8 +846,15 @@ process_cmdline(struct ssh *ssh)
}
logit("Canceled forwarding.");
} else {
- if (!parse_forward(&fwd, s, dynamic, remote)) {
- logit("Bad forwarding specification.");
+ /* -R specs can be both dynamic or not, so check both. */
+ if (remote) {
+ if (!parse_forward(&fwd, s, 0, remote) &&
+ !parse_forward(&fwd, s, 1, remote)) {
+ logit("Bad remote forwarding specification.");
+ goto out;
+ }
+ } else if (!parse_forward(&fwd, s, dynamic, remote)) {
+ logit("Bad local forwarding specification.");
goto out;
}
if (local || dynamic) {
--
2.27.0

44
backport-upstream-Instead-of-skipping-the-all-tokens-test-if-.patch
View File

@ -1,44 +0,0 @@
From 4d87a00f704e0365e11c3c38b170c1275ec461fc Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Sat, 14 Jan 2023 09:57:08 +0000
Subject: [PATCH] upstream: Instead of skipping the all-tokens test if we don't
have
OpenSSL (since we use it to compute the hash), put the hash at the end and
just omit it if we don't have it. Prompted by bz#3521.
OpenBSD-Regress-ID: c79ecba64250ed3b6417294b6c965e6b12ca5eea
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=4d87a00f704e0365e11c3c38b170c1275ec461fc
---
diff --git a/regress/percent.sh b/regress/percent.sh
index ed5c604d..3dfa8d2d 100644
--- a/regress/percent.sh
+++ b/regress/percent.sh
@@ -12,6 +12,7 @@ USER=`id -u -n`
USERID=`id -u`
HOST=`hostname | cut -f1 -d.`
HOSTNAME=`hostname`
+HASH=""
# Localcommand is evaluated after connection because %T is not available
# until then. Because of this we use a different method of exercising it,
@@ -98,10 +99,13 @@ for i in matchexec localcommand remotecommand controlpath identityagent \
# containing %d for UserKnownHostsFile
if [ "$i" != "userknownhostsfile" ]; then
trial $i '%d' $HOME
+ in='%%/%i/%h/%d/%L/%l/%n/%p/%r/%u'
+ out="%/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
if [ ! -z "${HASH}" ]; then
- trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
- "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
+ in="$in/%C"
+ out="$out/$HASH"
fi
+ trial $i "$in" "$out"
fi
done
--
2.27.0

150
backport-upstream-Move-scp-path-setting-to-a-helper-function.patch
View File

@ -1,150 +0,0 @@
From 625f6bc39840167dafb3bf5b6a3e18503ac986e8 Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Fri, 13 Jan 2023 04:47:34 +0000
Subject: [PATCH] upstream: Move scp path setting to a helper function.
The
previous
commit to add scp to the test sshd's path causes the t-envpass test to
fail
when the test scp is given using a fully qualified path. Put this in a
helper function and only call it from the scp tests.
OpenBSD-Regress-ID: 7533dc1c4265c1de716abb062957994195b36df4
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=625f6bc39840167dafb3bf5b6a3e18503ac986e8
---
regress/multiplex.sh | 3 ++-
regress/scp-uri.sh | 4 +++-
regress/scp.sh | 4 +++-
regress/scp3.sh | 6 ++++--
regress/test-exec.sh | 21 +++++++++++++--------
5 files changed, 25 insertions(+), 13 deletions(-)
diff --git a/regress/multiplex.sh b/regress/multiplex.sh
index 6317099..046194c 100644
--- a/regress/multiplex.sh
+++ b/regress/multiplex.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: multiplex.sh,v 1.34 2022/06/03 04:31:54 djm Exp $
+# $OpenBSD: multiplex.sh,v 1.35 2023/01/13 04:47:34 dtucker Exp $
# Placed in the Public Domain.
make_tmpdir
@@ -24,6 +24,7 @@ wait_for_mux_master_ready()
fatal "mux master never becomes ready"
}
+maybe_add_scp_path_to_sshd
start_sshd
start_mux_master()
diff --git a/regress/scp-uri.sh b/regress/scp-uri.sh
index 20ac3c8..eacbd45 100644
--- a/regress/scp-uri.sh
+++ b/regress/scp-uri.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: scp-uri.sh,v 1.4 2021/08/10 03:35:45 djm Exp $
+# $OpenBSD: scp-uri.sh,v 1.5 2023/01/13 04:47:34 dtucker Exp $
# Placed in the Public Domain.
tid="scp-uri"
@@ -9,6 +9,8 @@ COPY2=${OBJ}/copy2
DIR=${COPY}.dd
DIR2=${COPY}.dd2
+maybe_add_scp_path_to_sshd
+
SRC=`dirname ${SCRIPT}`
cp ${SRC}/scp-ssh-wrapper.sh ${OBJ}/scp-ssh-wrapper.scp
chmod 755 ${OBJ}/scp-ssh-wrapper.scp
diff --git a/regress/scp.sh b/regress/scp.sh
index f47c594..ef4399e 100644
--- a/regress/scp.sh
+++ b/regress/scp.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: scp.sh,v 1.14 2022/05/15 23:48:07 djm Exp $
+# $OpenBSD: scp.sh,v 1.18 2023/01/13 04:47:34 dtucker Exp $
# Placed in the Public Domain.
tid="scp"
@@ -16,6 +16,8 @@ COPY2=${OBJ}/copy2
DIR=${COPY}.dd
DIR2=${COPY}.dd2
+maybe_add_scp_path_to_sshd
+
SRC=`dirname ${SCRIPT}`
cp ${SRC}/scp-ssh-wrapper.sh ${OBJ}/scp-ssh-wrapper.scp
chmod 755 ${OBJ}/scp-ssh-wrapper.scp
diff --git a/regress/scp3.sh b/regress/scp3.sh
index 47db47c..dfb2d2f 100644
--- a/regress/scp3.sh
+++ b/regress/scp3.sh
@@ -1,9 +1,9 @@
-# $OpenBSD: scp3.sh,v 1.3 2021/08/10 03:35:45 djm Exp $
+# $OpenBSD: scp3.sh,v 1.4 2023/01/13 04:47:34 dtucker Exp $
# Placed in the Public Domain.
tid="scp3"
-#set -x
+set -x
COPY2=${OBJ}/copy2
DIR=${COPY}.dd
@@ -15,6 +15,8 @@ if [ $? -eq 1 ]; then
skip "No scp on remote path."
fi
+maybe_add_scp_path_to_sshd
+
SRC=`dirname ${SCRIPT}`
cp ${SRC}/scp-ssh-wrapper.sh ${OBJ}/scp-ssh-wrapper.scp
chmod 755 ${OBJ}/scp-ssh-wrapper.scp
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 7e311e8..df43f02 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: test-exec.sh,v 1.92 2022/07/25 07:12:45 dtucker Exp $
+# $OpenBSD: test-exec.sh,v 1.94 2023/01/13 04:47:34 dtucker Exp $
# Placed in the Public Domain.
#SUDO=sudo
@@ -509,6 +509,18 @@ skip ()
exit $RESULT
}
+maybe_add_scp_path_to_sshd ()
+{
+ # If we're testing a non-installed scp, add its directory to sshd's
+ # PATH so we can test it. We don't do this for all tests as it
+ # breaks the SetEnv tests.
+ case "$SCP" in
+ /*) PATH_WITH_SCP="`dirname $SCP`:$PATH"
+ echo " SetEnv PATH='$PATH_WITH_SCP'" >>$OBJ/sshd_config
+ echo " SetEnv PATH='$PATH_WITH_SCP'" >>$OBJ/sshd_proxy ;;
+ esac
+}
+
RESULT=0
PIDFILE=$OBJ/pidfile
@@ -529,13 +541,6 @@ cat << EOF > $OBJ/sshd_config
Subsystem sftp $SFTPSERVER
EOF
-# If we're testing a non-installed scp, add its directory to sshd's PATH
-# so we can test it.
-case "$SCP" in
-/*) PATH_WITH_SCP="`dirname $SCP`:$PATH"
- echo " SetEnv PATH='$PATH_WITH_SCP'" >>$OBJ/sshd_config ;;
-esac
-
# This may be necessary if /usr/src and/or /usr/obj are group-writable,
# but if you aren't careful with permissions then the unit tests could
# be abused to locally escalate privileges.
--
2.23.0

26
backport-upstream-Shell-syntax-fix.-From-ren-mingshuai-vi-git.patch
View File

@ -1,26 +0,0 @@
From 923c3f437f439cfca238fba37e97a7041782f615 Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Sat, 14 Jan 2023 10:05:54 +0000
Subject: [PATCH] upstream: Shell syntax fix. From ren mingshuai vi github
PR#369.
OpenBSD-Regress-ID: 6696b2eeefe128099fc3d7ea9f23252cc35156f9
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=923c3f437f439cfca238fba37e97a7041782f615
---
diff --git a/regress/yes-head.sh b/regress/yes-head.sh
index 2759eb8c..1bde504f 100644
--- a/regress/yes-head.sh
+++ b/regress/yes-head.sh
@@ -6,7 +6,7 @@ tid="yes pipe head"
lines=`${SSH} -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)`
if [ $? -ne 0 ]; then
fail "yes|head test failed"
- lines = 0;
++ lines=0
fi
if [ $lines -ne 2000 ]; then
fail "yes|head returns $lines lines instead of 2000"
--
2.27.0

40
backport-upstream-The-idiomatic-way-of-coping-with-signed-cha.patch
View File

@ -1,40 +0,0 @@
From 5a7a7acab2f466dc1d7467b5d05d35268c3137aa Mon Sep 17 00:00:00 2001
From: "deraadt@openbsd.org" <deraadt@openbsd.org>
Date: Thu, 15 Dec 2022 18:20:39 +0000
Subject: [PATCH] upstream: The idiomatic way of coping with signed char vs
unsigned
char (which did not come from stdio read functions) in the presence of
ctype macros, is to always cast to (unsigned char). casting to (int)
for a "macro" which is documented to take int, is weird. And sadly wrong,
because of the sing extension risk.. same diff from florian
OpenBSD-Commit-ID: 65b9a49a68e22ff3a0ebd593f363e9f22dd73fea
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=5a7a7acab2f466dc1d7467b5d05d35268c3137aa
---
misc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/misc.c b/misc.c
index 977c097e..41244da9 100644
--- a/misc.c
+++ b/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.177 2022/08/11 01:56:51 djm Exp $ */
+/* $OpenBSD: misc.c,v 1.179 2022/12/15 18:20:39 deraadt Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2005-2020 Damien Miller. All rights reserved.
@@ -95,7 +95,7 @@ rtrim(char *s)
if ((i = strlen(s)) == 0)
return;
for (i--; i > 0; i--) {
- if (isspace((int)s[i]))
+ if (isspace((unsigned char)s[i]))
s[i] = '\0';
}
}
--
2.27.0

51
backport-upstream-When-OpenSSL-is-not-available-skip-parts-of.patch
View File

@ -1,51 +0,0 @@
From d77fc611a62f2dfee0b654c31a50a814b13310dd Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Fri, 6 Jan 2023 12:33:33 +0000
Subject: [PATCH] upstream: When OpenSSL is not available, skip parts of
percent test
that require it. Based on github pr#368 from ren mingshuai.
OpenBSD-Regress-ID: 49a375b2cf61ccb95b52e75e2e025cd10988ebb2
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=d77fc611a62f2dfee0b654c31a50a814b13310dd
---
regress/percent.sh | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/regress/percent.sh b/regress/percent.sh
index bb81779a..ed5c604d 100644
--- a/regress/percent.sh
+++ b/regress/percent.sh
@@ -79,10 +79,12 @@ for i in matchexec localcommand remotecommand controlpath identityagent \
trial $i '%T' NONE
fi
# Matches implementation in readconf.c:ssh_connection_hash()
- HASH=`printf "${HOSTNAME}127.0.0.1${PORT}$REMUSER" |
- $OPENSSL_BIN sha1 | cut -f2 -d' '`
+ if [ ! -z "${OPENSSL_BIN}" ]; then
+ HASH=`printf "${HOSTNAME}127.0.0.1${PORT}$REMUSER" |
+ $OPENSSL_BIN sha1 | cut -f2 -d' '`
+ trial $i '%C' $HASH
+ fi
trial $i '%%' '%'
- trial $i '%C' $HASH
trial $i '%i' $USERID
trial $i '%h' 127.0.0.1
trial $i '%L' $HOST
@@ -96,8 +98,10 @@ for i in matchexec localcommand remotecommand controlpath identityagent \
# containing %d for UserKnownHostsFile
if [ "$i" != "userknownhostsfile" ]; then
trial $i '%d' $HOME
- trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
- "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
+ if [ ! -z "${HASH}" ]; then
+ trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
+ "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
+ fi
fi
done
--
2.27.0

42
backport-upstream-avoid-printf-s-NULL-if-using-ssh.patch
View File

@ -1,42 +0,0 @@
From f673b49f3be3eb51074fbb8a405beb6cd0f7d93e Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Fri, 13 Jan 2023 02:44:02 +0000
Subject: [PATCH] upstream: avoid printf("%s", NULL) if using ssh
-oUserKnownHostsFile=none and a hostkey in one of the system known hosts file
changes; ok dtucker@
OpenBSD-Commit-ID: 7ca87614bfc6da491315536a7f2301434a9fe614
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=f673b49f3be3eb51074fbb8a405beb6cd0f7d93e
---
sshconnect.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/sshconnect.c b/sshconnect.c
index 0fca52b2..792bc34b 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.358 2022/08/26 08:16:27 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.361 2023/01/13 02:44:02 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1276,8 +1276,11 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo,
}
/* The host key has changed. */
warn_changed_key(host_key);
- error("Add correct host key in %.100s to get rid of this message.",
- user_hostfiles[0]);
+ if (num_user_hostfiles > 0 || num_system_hostfiles > 0) {
+ error("Add correct host key in %.100s to get rid "
+ "of this message.", num_user_hostfiles > 0 ?
+ user_hostfiles[0] : system_hostfiles[0]);
+ }
error("Offending %s key in %s:%lu",
sshkey_type(host_found->key),
host_found->file, host_found->line);
--
2.27.0

113
backport-upstream-fix-bug-in-PermitRemoteOpen-which-caused-it.patch
View File

@ -1,113 +0,0 @@
From b3daa8dc582348d6ab8150bc1e571b7aa08c5388 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Mon, 2 Jan 2023 07:03:30 +0000
Subject: [PATCH] upstream: fix bug in PermitRemoteOpen which caused it
to
ignore its
first argument unless it was one of the special keywords "any" or
"none".
Reported by Georges Chaudy in bz3515; ok dtucker@
OpenBSD-Commit-ID: c5678a39f1ff79993d5ae3cfac5746a4ae148ea5
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=b3daa8dc582348d6ab8150bc1e571b7aa08c5388
---
readconf.c | 67 +++++++++++++++++++++++++++++-------------------------
1 file changed, 36 insertions(+), 31 deletions(-)
diff --git a/readconf.c b/readconf.c
index 284da26..ccac632 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.369 2022/09/17 10:33:18 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.371 2023/01/02 07:03:30 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1613,45 +1613,50 @@ parse_pubkey_algos:
case oPermitRemoteOpen:
uintptr = &options->num_permitted_remote_opens;
cppptr = &options->permitted_remote_opens;
- arg = argv_next(&ac, &av);
- if (!arg || *arg == '\0')
- fatal("%s line %d: missing %s specification",
- filename, linenum, lookup_opcode_name(opcode));
uvalue = *uintptr; /* modified later */
- if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) {
- if (*activep && uvalue == 0) {
- *uintptr = 1;
- *cppptr = xcalloc(1, sizeof(**cppptr));
- (*cppptr)[0] = xstrdup(arg);
- }
- break;
- }
+ i = 0;
while ((arg = argv_next(&ac, &av)) != NULL) {
arg2 = xstrdup(arg);
- p = hpdelim(&arg);
- if (p == NULL) {
- fatal("%s line %d: missing host in %s",
- filename, linenum,
- lookup_opcode_name(opcode));
- }
- p = cleanhostname(p);
- /*
- * don't want to use permitopen_port to avoid
- * dependency on channels.[ch] here.
- */
- if (arg == NULL ||
- (strcmp(arg, "*") != 0 && a2port(arg) <= 0)) {
- fatal("%s line %d: bad port number in %s",
- filename, linenum,
- lookup_opcode_name(opcode));
- }
- if (*activep && uvalue == 0) {
+ /* Allow any/none only in first position */
+ if (strcasecmp(arg, "none") == 0 ||
+ strcasecmp(arg, "any") == 0) {
+ if (i > 0 || ac > 0) {
+ error("%s line %d: keyword %s \"%s\" "
+ "argument must appear alone.",
+ filename, linenum, keyword, arg);
+ goto out;
+ }
+ } else {
+ p = hpdelim(&arg);
+ if (p == NULL) {
+ fatal("%s line %d: missing host in %s",
+ filename, linenum,
+ lookup_opcode_name(opcode));
+ }
+ p = cleanhostname(p);
+ /*
+ * don't want to use permitopen_port to avoid
+ * dependency on channels.[ch] here.
+ */
+ if (arg == NULL || (strcmp(arg, "*") != 0 &&
+ a2port(arg) <= 0)) {
+ fatal("%s line %d: bad port number "
+ "in %s", filename, linenum,
+ lookup_opcode_name(opcode));
+ }
+ }
+
+ if (*activep && uvalue == 0) {
opt_array_append(filename, linenum,
lookup_opcode_name(opcode),
cppptr, uintptr, arg2);
}
free(arg2);
+ i++;
}
+ if (i == 0)
+ fatal("%s line %d: missing %s specification",
+ filename, linenum, lookup_opcode_name(opcode));
break;
case oClearAllForwardings:
--
2.23.0

37
backport-upstream-honour-user-s-umask-if-it-is-more-restricti.patch
View File

@ -1,37 +0,0 @@
From 5ee2b8ccfcf4b606f450eb0ff2305e311f68b0be Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Thu, 6 Oct 2022 22:42:37 +0000
Subject: [PATCH] upstream: honour user's umask if it is more restrictive then
the ssh
default (022); based on patch from Alex Henrie, ok dtucker@ deraadt@
OpenBSD-Commit-ID: fe1b9e15fc9a4f49fc338e848ce14d8727abe82d
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=5ee2b8ccfcf4b606f450eb0ff2305e311f68b0be
---
ssh.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ssh.c b/ssh.c
index 25be53d5..e711dbd2 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.576 2022/09/17 10:33:18 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.577 2022/10/06 22:42:37 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -679,7 +679,7 @@ main(int ac, char **av)
* writable only by the owner, which is ok for all files for which we
* don't set the modes explicitly.
*/
- umask(022);
+ umask(022 | umask(077));
msetlocale();
--
2.27.0

138
backport-upstream-regression-test-for-PermitRemoteOpen.patch
View File

@ -1,138 +0,0 @@
From 845ceecea2ac311b0c267f9ecbd34862e1876fc6 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Mon, 2 Jan 2023 07:03:57 +0000
Subject: [PATCH] upstream: regression test for PermitRemoteOpen
OpenBSD-Regress-ID: 8271aafbf5c21950cd5bf966f08e585cebfe630c
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=845ceecea2ac311b0c267f9ecbd34862e1876fc6
---
regress/dynamic-forward.sh | 84 ++++++++++++++++++++++++++++++--------
1 file changed, 66 insertions(+), 18 deletions(-)
diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh
index 84f8ee19..f6c2393d 100644
--- a/regress/dynamic-forward.sh
+++ b/regress/dynamic-forward.sh
@@ -1,10 +1,12 @@
-# $OpenBSD: dynamic-forward.sh,v 1.13 2017/09/21 19:18:12 markus Exp $
+# $OpenBSD: dynamic-forward.sh,v 1.14 2023/01/02 07:03:57 djm Exp $
# Placed in the Public Domain.
tid="dynamic forwarding"
FWDPORT=`expr $PORT + 1`
+cp $OBJ/ssh_config $OBJ/ssh_config.orig
+
if have_prog nc && nc -h 2>&1 | grep "proxy address" >/dev/null; then
proxycmd="nc -x 127.0.0.1:$FWDPORT -X"
elif have_prog connect; then
@@ -15,16 +17,16 @@ else
fi
trace "will use ProxyCommand $proxycmd"
-start_sshd
-
-for d in D R; do
+start_ssh() {
+ direction="$1"
+ arg="$2"
n=0
error="1"
- trace "start dynamic forwarding, fork to background"
-
+ trace "start dynamic -$direction forwarding, fork to background"
+ (cat $OBJ/ssh_config.orig ; echo "$arg") > $OBJ/ssh_config
while [ "$error" -ne 0 -a "$n" -lt 3 ]; do
n=`expr $n + 1`
- ${SSH} -F $OBJ/ssh_config -f -$d $FWDPORT -q \
+ ${SSH} -F $OBJ/ssh_config -f -$direction $FWDPORT -q \
-oExitOnForwardFailure=yes somehost exec sh -c \
\'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\'
error=$?
@@ -36,18 +38,9 @@ for d in D R; do
if [ "$error" -ne 0 ]; then
fatal "failed to start dynamic forwarding"
fi
+}
- for s in 4 5; do
- for h in 127.0.0.1 localhost; do
- trace "testing ssh socks version $s host $h (-$d)"
- ${SSH} -F $OBJ/ssh_config \
- -o "ProxyCommand ${proxycmd}${s} $h $PORT" \
- somehost cat ${DATA} > ${COPY}
- test -f ${COPY} || fail "failed copy ${DATA}"
- cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
- done
- done
-
+stop_ssh() {
if [ -f $OBJ/remote_pid ]; then
remote=`cat $OBJ/remote_pid`
trace "terminate remote shell, pid $remote"
@@ -57,5 +50,60 @@ for d in D R; do
else
fail "no pid file: $OBJ/remote_pid"
fi
+}
+
+check_socks() {
+ direction=$1
+ expect_success=$2
+ for s in 4 5; do
+ for h in 127.0.0.1 localhost; do
+ trace "testing ssh socks version $s host $h (-$direction)"
+ ${SSH} -F $OBJ/ssh_config \
+ -o "ProxyCommand ${proxycmd}${s} $h $PORT 2>/dev/null" \
+ somehost cat ${DATA} > ${COPY}
+ r=$?
+ if [ "x$expect_success" = "xY" ] ; then
+ if [ $r -ne 0 ] ; then
+ fail "ssh failed with exit status $r"
+ fi
+ test -f ${COPY} || fail "failed copy ${DATA}"
+ cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
+ elif [ $r -eq 0 ] ; then
+ fail "ssh unexpectedly succeeded"
+ fi
+ done
+ done
+}
+
+start_sshd
+
+for d in D R; do
+ verbose "test -$d forwarding"
+ start_ssh $d
+ check_socks $d Y
+ stop_ssh
+ test "x$d" = "xR" || continue
+
+ # Test PermitRemoteOpen
+ verbose "PermitRemoteOpen=any"
+ start_ssh $d PermitRemoteOpen=any
+ check_socks $d Y
+ stop_ssh
+
+ verbose "PermitRemoteOpen=none"
+ start_ssh $d PermitRemoteOpen=none
+ check_socks $d N
+ stop_ssh
+
+ verbose "PermitRemoteOpen=explicit"
+ start_ssh $d \
+ PermitRemoteOpen="127.0.0.1:$PORT [::1]:$PORT localhost:$PORT"
+ check_socks $d Y
+ stop_ssh
+ verbose "PermitRemoteOpen=disallowed"
+ start_ssh $d \
+ PermitRemoteOpen="127.0.0.1:1 [::1]:1 localhost:1"
+ check_socks $d N
+ stop_ssh
done
--
2.27.0

125
backport-upstream-test-compat_kex_proposal-by-dtucker.patch
View File

@ -1,125 +0,0 @@
From 903c556b938fff2d7bff8da2cc460254430963c5 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Thu, 2 Feb 2023 12:12:52 +0000
Subject: [PATCH] upstream: test compat_kex_proposal(); by dtucker@
OpenBSD-Regress-ID: 0e404ee264db546f9fdbf53390689ab5f8d38bf2
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=903c556b938fff2d7bff8da2cc460254430963c5
---
regress/unittests/kex/test_proposal.c | 79 +++++++++++++++++++++++++++
regress/unittests/kex/tests.c | 4 +-
2 files changed, 82 insertions(+), 1 deletion(-)
create mode 100644 regress/unittests/kex/test_proposal.c
diff --git a/regress/unittests/kex/test_proposal.c b/regress/unittests/kex/test_proposal.c
new file mode 100644
index 0000000..b89ff59
--- /dev/null
+++ b/regress/unittests/kex/test_proposal.c
@@ -0,0 +1,79 @@
+/* $OpenBSD: test_proposal.c,v 1.1 2023/02/02 12:12:52 djm Exp $ */
+/*
+ * Regress test KEX
+ *
+ * Placed in the public domain
+ */
+
+#include <sys/types.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "test_helper.h"
+
+#include "compat.h"
+#include "ssherr.h"
+#include "sshbuf.h"
+#include "kex.h"
+#include "packet.h"
+#include "xmalloc.h"
+
+void kex_proposal(void);
+
+#define CURVE25519 "curve25519-sha256@libssh.org"
+#define DHGEX1 "diffie-hellman-group-exchange-sha1"
+#define DHGEX256 "diffie-hellman-group-exchange-sha256"
+#define KEXALGOS CURVE25519","DHGEX256","DHGEX1
+void
+kex_proposal(void)
+{
+ size_t i;
+ struct ssh ssh;
+ char *result, *out, *in;
+ struct {
+ char *in; /* TODO: make this const */
+ char *out;
+ int compat;
+ } tests[] = {
+ { KEXALGOS, KEXALGOS, 0},
+ { KEXALGOS, DHGEX256","DHGEX1, SSH_BUG_CURVE25519PAD },
+ { KEXALGOS, CURVE25519, SSH_OLD_DHGEX },
+ { "a,"KEXALGOS, "a", SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX },
+ /* TODO: enable once compat_kex_proposal doesn't fatal() */
+ /* { KEXALGOS, "", SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX }, */
+ };
+
+ TEST_START("compat_kex_proposal");
+ for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) {
+ ssh.compat = tests[i].compat;
+ /* match entire string */
+ result = compat_kex_proposal(&ssh, tests[i].in);
+ ASSERT_STRING_EQ(result, tests[i].out);
+ free(result);
+ /* match at end */
+ in = kex_names_cat("a", tests[i].in);
+ out = kex_names_cat("a", tests[i].out);
+ result = compat_kex_proposal(&ssh, in);
+ ASSERT_STRING_EQ(result, out);
+ free(result); free(in); free(out);
+ /* match at start */
+ in = kex_names_cat(tests[i].in, "a");
+ out = kex_names_cat(tests[i].out, "a");
+ result = compat_kex_proposal(&ssh, in);
+ ASSERT_STRING_EQ(result, out);
+ free(result); free(in); free(out);
+ /* match in middle */
+ xasprintf(&in, "a,%s,b", tests[i].in);
+ if (*(tests[i].out) == '\0')
+ out = xstrdup("a,b");
+ else
+ xasprintf(&out, "a,%s,b", tests[i].out);
+ result = compat_kex_proposal(&ssh, in);
+ ASSERT_STRING_EQ(result, out);
+ free(result); free(in); free(out);
+ }
+ TEST_DONE();
+}
diff --git a/regress/unittests/kex/tests.c b/regress/unittests/kex/tests.c
index e7036ec..2a83daf 100644
--- a/regress/unittests/kex/tests.c
+++ b/regress/unittests/kex/tests.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tests.c,v 1.1 2015/01/15 23:41:29 markus Exp $ */
+/* $OpenBSD: tests.c,v 1.2 2023/02/02 12:12:52 djm Exp $ */
/*
* Placed in the public domain
*/
@@ -6,9 +6,11 @@
#include "../test_helper/test_helper.h"
void kex_tests(void);
+void kex_proposal(void);
void
tests(void)
{
kex_tests();
+ kex_proposal();
}
--
2.27.0

34
backport-upstream-use-correct-type-with-sizeof-ok-djm.patch
View File

@ -1,34 +0,0 @@
From 18376847b8043ba967eabbe23692ef74c9a3fddc Mon Sep 17 00:00:00 2001
From: "jsg@openbsd.org" <jsg@openbsd.org>
Date: Thu, 13 Oct 2022 09:09:28 +0000
Subject: [PATCH] upstream: use correct type with sizeof ok djm@
OpenBSD-Commit-ID: d6c882c2e8a42ff831a5b3cbc2c961ecb2dd6143
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=18376847b8043ba967eabbe23692ef74c9a3fddc
---
ssh.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ssh.c b/ssh.c
index e711dbd2..21cbd7c3 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.577 2022/10/06 22:42:37 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.578 2022/10/13 09:09:28 jsg Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1579,7 +1579,7 @@ main(int ac, char **av)
if (options.hostbased_authentication) {
sensitive_data.nkeys = 10;
sensitive_data.keys = xcalloc(sensitive_data.nkeys,
- sizeof(struct sshkey));
+ sizeof(*sensitive_data.keys));
/* XXX check errors? */
#define L_PUBKEY(p,o) do { \
--
2.27.0

92
backport-upstream-when-restoring-non-blocking-mode-to-stdio-f.patch
View File

@ -1,92 +0,0 @@
From 35253af01d8c0ab444c8377402121816e71c71f5 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Wed, 18 Jan 2023 02:00:10 +0000
Subject: [PATCH] upstream: when restoring non-blocking mode to stdio
fds,
restore
exactly the flags that ssh started with and don't just clobber them with
zero, as this could also remove the append flag from the set;
bz3523; ok dtucker@
OpenBSD-Commit-ID: 1336b03e881db7564a4b66014eb24c5230e9a0c0
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=35253af01d8c0ab444c8377402121816e71c71f5
---
channels.c | 19 ++++++++++++++-----
channels.h | 3 ++-
2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/channels.c b/channels.c
index ea4d8da..cee4d2c 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.420 2022/09/19 08:49:50 djm Exp $ */
+/* $OpenBSD: channels.c,v 1.427 2023/01/18 02:00:10 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -337,16 +337,19 @@ channel_register_fds(struct ssh *ssh, Channel *c, int rfd, int wfd, int efd,
*/
if (rfd != -1 && !isatty(rfd) &&
(val = fcntl(rfd, F_GETFL)) != -1 && !(val & O_NONBLOCK)) {
+ c->restore_flags[0] = val;
c->restore_block |= CHANNEL_RESTORE_RFD;
set_nonblock(rfd);
}
if (wfd != -1 && !isatty(wfd) &&
(val = fcntl(wfd, F_GETFL)) != -1 && !(val & O_NONBLOCK)) {
+ c->restore_flags[1] = val;
c->restore_block |= CHANNEL_RESTORE_WFD;
set_nonblock(wfd);
}
if (efd != -1 && !isatty(efd) &&
(val = fcntl(efd, F_GETFL)) != -1 && !(val & O_NONBLOCK)) {
+ c->restore_flags[2] = val;
c->restore_block |= CHANNEL_RESTORE_EFD;
set_nonblock(efd);
}
@@ -428,10 +431,16 @@ channel_close_fd(struct ssh *ssh, Channel *c, int *fdp)
if (fd == -1)
return 0;
- if ((*fdp == c->rfd && (c->restore_block & CHANNEL_RESTORE_RFD) != 0) ||
- (*fdp == c->wfd && (c->restore_block & CHANNEL_RESTORE_WFD) != 0) ||
- (*fdp == c->efd && (c->restore_block & CHANNEL_RESTORE_EFD) != 0))
- (void)fcntl(*fdp, F_SETFL, 0); /* restore blocking */
+ /* restore blocking */
+ if (*fdp == c->rfd &&
+ (c->restore_block & CHANNEL_RESTORE_RFD) != 0)
+ (void)fcntl(*fdp, F_SETFL, c->restore_flags[0]);
+ else if (*fdp == c->wfd &&
+ (c->restore_block & CHANNEL_RESTORE_WFD) != 0)
+ (void)fcntl(*fdp, F_SETFL, c->restore_flags[1]);
+ else if (*fdp == c->efd &&
+ (c->restore_block & CHANNEL_RESTORE_EFD) != 0)
+ (void)fcntl(*fdp, F_SETFL, c->restore_flags[2]);
if (*fdp == c->rfd) {
c->io_want &= ~SSH_CHAN_IO_RFD;
diff --git a/channels.h b/channels.h
index 7d8a83e..9b1b11e 100644
--- a/channels.h
+++ b/channels.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.h,v 1.143 2022/05/05 00:56:58 djm Exp $ */
+/* $OpenBSD: channels.h,v 1.148 2023/01/18 02:00:10 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -153,6 +153,7 @@ struct Channel {
* this way post-IO handlers are not
* accidentally called if a FD gets reused */
int restore_block; /* fd mask to restore blocking status */
+ int restore_flags[3]; /* flags to restore */
struct sshbuf *input; /* data read from socket, to be sent over
* encrypted connection */
struct sshbuf *output; /* data received over encrypted connection for
--
2.23.0

26
bugfix-openssh-add-option-check-username-splash.patch
View File

@ -14,10 +14,10 @@ this check
4 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/auth2.c b/auth2.c
index 203ba01..284ea19 100644
index 4d574bb..c480aab 100644
--- a/auth2.c
+++ b/auth2.c
@@ -281,11 +281,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
@@ -278,11 +278,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
@ -33,10 +33,10 @@ index 203ba01..284ea19 100644
*style++ = 0;
diff --git a/servconf.c b/servconf.c
index d72fb62..6888971 100644
index bcf69fd..b8340d8 100644
--- a/servconf.c
+++ b/servconf.c
@@ -201,6 +201,7 @@ initialize_server_options(ServerOptions *options)
@@ -199,6 +199,7 @@ initialize_server_options(ServerOptions *options)
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
options->version_addendum = NULL;
@ -44,7 +44,7 @@ index d72fb62..6888971 100644
options->fingerprint_hash = -1;
options->disable_forwarding = -1;
options->expose_userauth_info = -1;
@@ -460,6 +461,8 @@ fill_default_server_options(ServerOptions *options)
@@ -456,6 +457,8 @@ fill_default_server_options(ServerOptions *options)
options->ip_qos_bulk = IPTOS_DSCP_CS1;
if (options->version_addendum == NULL)
options->version_addendum = xstrdup("");
@ -53,15 +53,15 @@ index d72fb62..6888971 100644
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
options->fwd_opts.streamlocal_bind_mask = 0177;
if (options->fwd_opts.streamlocal_bind_unlink == -1)
@@ -553,6 +556,7 @@ typedef enum {
@@ -557,6 +560,7 @@ typedef enum {
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
sRequiredRSASize,
sRequiredRSASize, sChannelTimeout, sUnusedConnectionTimeout,
+ sCheckUserSplash,
sDeprecated, sIgnore, sUnsupported
} ServerOpCodes;
@@ -726,6 +730,7 @@ static struct {
@@ -730,6 +734,7 @@ static struct {
{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
@ -69,7 +69,7 @@ index d72fb62..6888971 100644
{ "rdomain", sRDomain, SSHCFG_ALL },
{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
@@ -1384,6 +1389,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
@@ -1443,6 +1448,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
case sUsePAM:
intptr = &options->use_pam;
goto parse_flag;
@ -80,7 +80,7 @@ index d72fb62..6888971 100644
/* Standard Options */
case sBadOption:
diff --git a/servconf.h b/servconf.h
index 77fd779..694addf 100644
index ccc0181..cb57dac 100644
--- a/servconf.h
+++ b/servconf.h
@@ -237,6 +237,7 @@ typedef struct {
@ -90,9 +90,9 @@ index 77fd779..694addf 100644
+ int check_user_splash; /* check whether splash exists in username, if exist, disable login */
char *sk_provider;
int required_rsa_size; /* minimum size of RSA keys */
} ServerOptions;
diff --git a/sshd_config b/sshd_config
index 6d47368..973aecf 100644
index 9851748..d57f11d 100644
--- a/sshd_config
+++ b/sshd_config
@@ -128,3 +128,5 @@ Subsystem sftp /usr/libexec/sftp-server
@ -102,5 +102,5 @@ index 6d47368..973aecf 100644
+#CheckUserSplash yes
+
--
2.27.0
2.23.0

700
feature-add-SMx-support.patch
View File

File diff suppressed because it is too large Load Diff

1
openssh-5.8p2-sigpipe.patch
View File

@ -1,4 +1,3 @@
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-5.8p2-sigpipe.patch
diff -up openssh-5.8p2/ssh-keyscan.c.sigpipe openssh-5.8p2/ssh-keyscan.c
--- openssh-5.8p2/ssh-keyscan.c.sigpipe 2011-08-23 18:30:33.873025916 +0200
+++ openssh-5.8p2/ssh-keyscan.c 2011-08-23 18:32:24.574025362 +0200

1
openssh-6.6.1p1-log-in-chroot.patch
View File

@ -1,4 +1,3 @@
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6.1p1-log-in-chroot.patch
diff -up openssh-8.6p1/log.c.log-in-chroot openssh-8.6p1/log.c
--- openssh-8.6p1/log.c.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/log.c 2021-04-19 14:43:08.544843434 +0200

7
openssh-6.6p1-allow-ip-opts.patch
View File

@ -1,7 +1,7 @@
diff -up openssh/sshd.c.ip-opts openssh/sshd.c
--- openssh/sshd.c.ip-opts 2016-07-25 13:58:48.998507834 +0200
+++ openssh/sshd.c 2016-07-25 14:01:28.346469878 +0200
@@ -1507,12 +1507,29 @@ check_ip_options(struct ssh *ssh)
@@ -1507,12 +1507,32 @@ check_ip_options(struct ssh *ssh)
if (getsockopt(sock_in, IPPROTO_IP, IP_OPTIONS, opts,
&option_size) >= 0 && option_size != 0) {
@ -21,11 +21,14 @@ diff -up openssh/sshd.c.ip-opts openssh/sshd.c
+ case 130:
+ case 133:
+ case 134:
+ if (i + 1 < option_size && opts[i + 1] >= 2) {
+ i += opts[i + 1];
+ break;
+ }
+ /* FALLTHROUGH */
+ default:
+ /* Fail, fatally, if we detect either loose or strict
+ * source routing options. */
+ * or incorrect source routing options. */
+ text[0] = '\0';
+ for (i = 0; i < option_size; i++)
+ snprintf(text + i*3, sizeof(text) - i*3,

3
openssh-6.6p1-keycat.patch
View File

@ -1,4 +1,3 @@
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6p1-keycat.patch
diff -up openssh/misc.c.keycat openssh/misc.c
--- openssh/misc.c.keycat 2015-06-24 10:57:50.158849606 +0200
+++ openssh/misc.c 2015-06-24 11:04:23.989868638 +0200
@ -65,7 +64,7 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) $(CHANNELLIBS)
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
+ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS) $(CHANNELLIBS)
+ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
+
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(CHANNELLIBS)

12
openssh-6.6p1-kuserok.patch
View File

@ -91,7 +91,7 @@ diff -up openssh-7.4p1/gss-serv-krb5.c.kuserok openssh-7.4p1/gss-serv-krb5.c
+ * configuring krb5.conf or using a suitable plugin to meet the needs of the
+ * given environment.
+ *
+ * The Fedora and RHEL version of openssh contain two patches which modify the
+ * The openEuler version of openssh contain two patches which modify the
+ * access control behavior:
+ * - openssh-6.6p1-kuserok.patch
+ * - openssh-6.6p1-force_krb.patch
@ -106,8 +106,8 @@ diff -up openssh-7.4p1/gss-serv-krb5.c.kuserok openssh-7.4p1/gss-serv-krb5.c
+ * rejected. Nevertheless the patch ignores the fact that krb5_kuserok() does
+ * no only check .k5login but other sources as well and checking .k5login can
+ * be disabled for all applications in krb5.conf as well. With this new
+ * option KerberosUseKuserok set to 'no' (and this is the default for RHEL7
+ * and Fedora 21) openssh can only use krb5_aname_to_localname() with the
+ * option KerberosUseKuserok set to 'no' (and this is the default for
+ * openEuler) openssh can only use krb5_aname_to_localname() with the
+ * restrictions mentioned above.
+ *
+ * openssh-6.6p1-force_krb.patch adds a ksu like behaviour to ssh, i.e. when
@ -196,11 +196,11 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
sPort, sHostKeyFile, sLoginGraceTime,
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
- sKerberosGetAFSToken, sKerberosUniqueCCache,
+ sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok,
sPasswordAuthentication,
- sKerberosGetAFSToken, sKerberosUniqueCCache, sPasswordAuthentication,
+ sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok, sPasswordAuthentication,
sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@@ -478,12 +481,14 @@ static struct {
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif

359
openssh-6.7p1-coverity.patch
View File

@ -1,38 +1,7 @@
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.7p1-coverity.patch
---
auth-krb5.c | 2 ++
auth-options.c | 1 +
channels.c | 6 ++++--
dns.c | 1 +
gss-genr.c | 3 ++-
kexgssc.c | 4 +++-
krl.c | 4 ++++
loginrec.c | 4 ++++
misc.c | 3 +++
moduli.c | 1 +
monitor.c | 4 ++--
monitor_wrap.c | 6 +++---
openbsd-compat/bindresvport.c | 2 +-
openbsd-compat/bsd-pselect.c | 8 ++++----
readconf.c | 1 +
scp.c | 4 ++--
servconf.c | 5 +++--
serverloop.c | 2 +-
session.c | 2 ++
sftp.c | 3 ++-
ssh-agent.c | 5 +++--
ssh-keygen.c | 7 +++++++
ssh.c | 1 +
sshd.c | 9 +++++++--
sshsig.c | 1 +
25 files changed, 65 insertions(+), 24 deletions(-)
diff --git a/auth-krb5.c b/auth-krb5.c
index d80c3ab..71ea1e3 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -426,6 +426,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache *ccache, int *need_environm
diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c
--- openssh-8.5p1/auth-krb5.c.coverity 2021-03-24 12:03:33.724967756 +0100
+++ openssh-8.5p1/auth-krb5.c 2021-03-24 12:03:33.782968159 +0100
@@ -426,6 +426,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx,
umask(old_umask);
if (tmpfd == -1) {
logit("mkstemp(): %.100s", strerror(oerrno));
@ -40,7 +9,7 @@ index d80c3ab..71ea1e3 100644
return oerrno;
}
@@ -433,6 +434,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache *ccache, int *need_environm
@@ -433,6 +434,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx,
oerrno = errno;
logit("fchmod(): %.100s", strerror(oerrno));
close(tmpfd);
@ -48,11 +17,10 @@ index d80c3ab..71ea1e3 100644
return oerrno;
}
/* make sure the KRB5CCNAME is set for non-standard location */
diff --git a/auth-options.c b/auth-options.c
index 7cb2a64..a4b1db4 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -723,6 +723,7 @@ serialise_array(struct sshbuf *m, char **a, size_t n)
diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c
--- openssh-8.5p1/auth-options.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/auth-options.c 2021-03-24 12:03:33.782968159 +0100
@@ -706,6 +708,7 @@ serialise_array(struct sshbuf *m, char *
return r;
}
/* success */
@ -60,54 +28,10 @@ index 7cb2a64..a4b1db4 100644
return 0;
}
diff --git a/channels.c b/channels.c
index 300c753..ea4d8da 100644
--- a/channels.c
+++ b/channels.c
@@ -4081,7 +4081,7 @@ int
channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
{
int r, success = 0, idx = -1;
- char *host_to_connect, *listen_host, *listen_path;
+ char *host_to_connect = NULL, *listen_host = NULL, *listen_path = NULL;
int port_to_connect, listen_port;
/* Send the forward request to the remote side. */
@@ -4109,7 +4109,6 @@ channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
success = 1;
if (success) {
/* Record that connection to this host/port is permitted. */
- host_to_connect = listen_host = listen_path = NULL;
port_to_connect = listen_port = 0;
if (fwd->connect_path != NULL) {
host_to_connect = xstrdup(fwd->connect_path);
@@ -4130,6 +4129,9 @@ channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
host_to_connect, port_to_connect,
listen_host, listen_path, listen_port, NULL);
}
+ free(host_to_connect);
+ free(listen_host);
+ free(listen_path);
return idx;
}
diff --git a/dns.c b/dns.c
index f2310be..15218f1 100644
--- a/dns.c
+++ b/dns.c
@@ -259,6 +259,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
&hostkey_digest, &hostkey_digest_len, hostkey)) {
error("Error calculating key fingerprint.");
freerrset(fingerprints);
+ free(dnskey_digest);
return -1;
}
diff --git a/gss-genr.c b/gss-genr.c
index 9f9745b..810b382 100644
--- a/gss-genr.c
+++ b/gss-genr.c
@@ -168,8 +168,9 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c
--- openssh-8.5p1/gss-genr.c.coverity 2021-03-26 11:52:46.613942552 +0100
+++ openssh-8.5p1/gss-genr.c 2021-03-26 11:54:37.881726318 +0100
@@ -167,8 +167,9 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
enclen = __b64_ntop(digest,
ssh_digest_bytes(SSH_DIGEST_MD5), encoded,
ssh_digest_bytes(SSH_DIGEST_MD5) * 2);
@ -118,10 +42,9 @@ index 9f9745b..810b382 100644
for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) {
if (sshbuf_len(buf) != 0 &&
diff --git a/kexgssc.c b/kexgssc.c
index 1c62740..080cf04 100644
--- a/kexgssc.c
+++ b/kexgssc.c
diff -up openssh-8.5p1/kexgssc.c.coverity openssh-8.5p1/kexgssc.c
--- openssh-8.5p1/kexgssc.c.coverity 2021-03-24 12:03:33.711967665 +0100
+++ openssh-8.5p1/kexgssc.c 2021-03-24 12:03:33.783968166 +0100
@@ -98,8 +98,10 @@ kexgss_client(struct ssh *ssh)
default:
fatal_f("Unexpected KEX type %d", kex->kex_type);
@ -134,11 +57,10 @@ index 1c62740..080cf04 100644
token_ptr = GSS_C_NO_BUFFER;
diff --git a/krl.c b/krl.c
index 473a9d7..ae19762 100644
--- a/krl.c
+++ b/krl.c
@@ -1209,6 +1209,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c
--- openssh-8.5p1/krl.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/krl.c 2021-03-24 12:03:33.783968166 +0100
@@ -1209,6 +1209,7 @@ ssh_krl_from_blob(struct sshbuf *buf, st
sshkey_free(key);
sshbuf_free(copy);
sshbuf_free(sect);
@ -146,7 +68,7 @@ index 473a9d7..ae19762 100644
return r;
}
@@ -1261,6 +1262,7 @@ is_key_revoked(struct ssh_krl *krl, const struct sshkey *key)
@@ -1261,6 +1262,7 @@ is_key_revoked(struct ssh_krl *krl, cons
return r;
erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb);
free(rb.blob);
@ -154,7 +76,7 @@ index 473a9d7..ae19762 100644
if (erb != NULL) {
KRL_DBG(("revoked by key SHA1"));
return SSH_ERR_KEY_REVOKED;
@@ -1271,6 +1273,7 @@ is_key_revoked(struct ssh_krl *krl, const struct sshkey *key)
@@ -1271,6 +1273,7 @@ is_key_revoked(struct ssh_krl *krl, cons
return r;
erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha256s, &rb);
free(rb.blob);
@ -162,7 +84,7 @@ index 473a9d7..ae19762 100644
if (erb != NULL) {
KRL_DBG(("revoked by key SHA256"));
return SSH_ERR_KEY_REVOKED;
@@ -1282,6 +1285,7 @@ is_key_revoked(struct ssh_krl *krl, const struct sshkey *key)
@@ -1282,6 +1285,7 @@ is_key_revoked(struct ssh_krl *krl, cons
return r;
erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb);
free(rb.blob);
@ -170,11 +92,10 @@ index 473a9d7..ae19762 100644
if (erb != NULL) {
KRL_DBG(("revoked by explicit key"));
return SSH_ERR_KEY_REVOKED;
diff --git a/loginrec.c b/loginrec.c
index 4f21499..e0606be 100644
--- a/loginrec.c
+++ b/loginrec.c
@@ -691,9 +691,11 @@ construct_utmp(struct logininfo *li,
diff -up openssh-8.5p1/loginrec.c.coverity openssh-8.5p1/loginrec.c
--- openssh-8.5p1/loginrec.c.coverity 2021-03-24 13:18:53.793225885 +0100
+++ openssh-8.5p1/loginrec.c 2021-03-24 13:21:27.948404751 +0100
@@ -690,9 +690,11 @@ construct_utmp(struct logininfo *li,
*/
/* Use strncpy because we don't necessarily want null termination */
@ -186,7 +107,7 @@ index 4f21499..e0606be 100644
strncpy(ut->ut_host, li->hostname,
MIN_SIZEOF(ut->ut_host, li->hostname));
# endif
@@ -1691,6 +1693,7 @@ record_failed_login(struct ssh *ssh, const char *username, const char *hostname,
@@ -1690,6 +1692,7 @@ record_failed_login(struct ssh *ssh, con
memset(&ut, 0, sizeof(ut));
/* strncpy because we don't necessarily want nul termination */
@ -194,7 +115,7 @@ index 4f21499..e0606be 100644
strncpy(ut.ut_user, username, sizeof(ut.ut_user));
strlcpy(ut.ut_line, "ssh:notty", sizeof(ut.ut_line));
@@ -1700,6 +1703,7 @@ record_failed_login(struct ssh *ssh, const char *username, const char *hostname,
@@ -1699,6 +1702,7 @@ record_failed_login(struct ssh *ssh, con
ut.ut_pid = getpid();
/* strncpy because we don't necessarily want nul termination */
@ -202,11 +123,10 @@ index 4f21499..e0606be 100644
strncpy(ut.ut_host, hostname, sizeof(ut.ut_host));
if (ssh_packet_connection_is_on_socket(ssh) &&
diff --git a/misc.c b/misc.c
index e4d3120..5420e24 100644
--- a/misc.c
+++ b/misc.c
@@ -1492,6 +1492,8 @@ sanitise_stdfd(void)
diff -up openssh-8.5p1/misc.c.coverity openssh-8.5p1/misc.c
--- openssh-8.5p1/misc.c.coverity 2021-03-24 12:03:33.745967902 +0100
+++ openssh-8.5p1/misc.c 2021-03-24 13:31:47.037079617 +0100
@@ -1425,6 +1425,8 @@ sanitise_stdfd(void)
}
if (nullfd > STDERR_FILENO)
close(nullfd);
@ -215,7 +135,7 @@ index e4d3120..5420e24 100644
}
char *
@@ -2625,6 +2627,7 @@ stdfd_devnull(int do_stdin, int do_stdout, int do_stderr)
@@ -2511,6 +2513,7 @@ stdfd_devnull(int do_stdin, int do_stdou
}
if (devnull > STDERR_FILENO)
close(devnull);
@ -223,23 +143,10 @@ index e4d3120..5420e24 100644
return ret;
}
diff --git a/moduli.c b/moduli.c
index 9f660ef..2669edd 100644
--- a/moduli.c
+++ b/moduli.c
@@ -476,6 +476,7 @@ write_checkpoint(char *cpfile, u_int32_t lineno)
else
logit("failed to write to checkpoint file '%s': %s", cpfile,
strerror(errno));
+ /* coverity[leaked_storage : FALSE] */
}
static unsigned long
diff --git a/monitor.c b/monitor.c
index fc05db6..dca2fe7 100644
--- a/monitor.c
+++ b/monitor.c
@@ -397,7 +397,7 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
--- openssh-7.4p1/monitor.c.coverity 2016-12-23 16:40:26.888788688 +0100
+++ openssh-7.4p1/monitor.c 2016-12-23 16:40:26.900788691 +0100
@@ -411,7 +411,7 @@ monitor_child_preauth(Authctxt *_authctx
mm_get_keystate(ssh, pmonitor);
/* Drain any buffered messages from the child */
@ -248,7 +155,7 @@ index fc05db6..dca2fe7 100644
;
if (pmonitor->m_recvfd >= 0)
@@ -1684,7 +1684,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
@@ -1678,7 +1678,7 @@ mm_answer_pty(struct ssh *ssh, int sock,
s->ptymaster = s->ptyfd;
debug3_f("tty %s ptyfd %d", s->tty, s->ttyfd);
@ -257,11 +164,10 @@ index fc05db6..dca2fe7 100644
return (0);
error:
diff --git a/monitor_wrap.c b/monitor_wrap.c
index e125eca..c394d68 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -612,10 +612,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen)
diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
--- openssh-7.4p1/monitor_wrap.c.coverity 2016-12-23 16:40:26.892788689 +0100
+++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:40:26.900788691 +0100
@@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) {
error_f("cannot allocate fds for pty");
@ -275,11 +181,10 @@ index e125eca..c394d68 100644
return 0;
}
close(tmp1);
diff --git a/openbsd-compat/bindresvport.c b/openbsd-compat/bindresvport.c
index 346c7fe..f42792f 100644
--- a/openbsd-compat/bindresvport.c
+++ b/openbsd-compat/bindresvport.c
@@ -59,7 +59,7 @@ bindresvport_sa(int sd, struct sockaddr *sa)
diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/openbsd-compat/bindresvport.c
--- openssh-7.4p1/openbsd-compat/bindresvport.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/openbsd-compat/bindresvport.c 2016-12-23 16:40:26.901788691 +0100
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
struct sockaddr_in6 *in6;
u_int16_t *portp;
u_int16_t port;
@ -288,10 +193,9 @@ index 346c7fe..f42792f 100644
int i;
if (sa == NULL) {
diff --git a/openbsd-compat/bsd-pselect.c b/openbsd-compat/bsd-pselect.c
index b363208..cf7157c 100644
--- a/openbsd-compat/bsd-pselect.c
+++ b/openbsd-compat/bsd-pselect.c
diff -up openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity openssh-8.7p1/openbsd-compat/bsd-pselect.c
--- openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity 2021-08-30 16:36:11.357288009 +0200
+++ openssh-8.7p1/openbsd-compat/bsd-pselect.c 2021-08-30 16:37:21.791897976 +0200
@@ -113,13 +113,13 @@ pselect_notify_setup(void)
static void
pselect_notify_parent(void)
@ -319,11 +223,10 @@ index b363208..cf7157c 100644
debug2_f("reading");
FD_CLR(notify_pipe[0], readset);
}
diff --git a/readconf.c b/readconf.c
index 1e1b78d..b6c998e 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1933,6 +1933,7 @@ parse_pubkey_algos:
diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c
--- openssh-8.5p1/readconf.c.coverity 2021-03-24 12:03:33.778968131 +0100
+++ openssh-8.5p1/readconf.c 2021-03-24 12:03:33.785968180 +0100
@@ -1847,6 +1847,7 @@ parse_pubkey_algos:
} else if (r != 0) {
error("%.200s line %d: glob failed for %s.",
filename, linenum, arg2);
@ -331,11 +234,10 @@ index 1e1b78d..b6c998e 100644
goto out;
}
free(arg2);
diff --git a/scp.c b/scp.c
index 6146260..74f5b10 100644
--- a/scp.c
+++ b/scp.c
@@ -187,11 +187,11 @@ killchild(int signo)
diff -up openssh-8.7p1/scp.c.coverity openssh-8.7p1/scp.c
--- openssh-8.7p1/scp.c.coverity 2021-08-30 16:23:35.389741329 +0200
+++ openssh-8.7p1/scp.c 2021-08-30 16:27:04.854555296 +0200
@@ -186,11 +186,11 @@ killchild(int signo)
{
if (do_cmd_pid > 1) {
kill(do_cmd_pid, signo ? signo : SIGTERM);
@ -349,11 +251,10 @@ index 6146260..74f5b10 100644
}
if (signo)
diff --git a/servconf.c b/servconf.c
index 8b9540d..d72fb62 100644
--- a/servconf.c
+++ b/servconf.c
@@ -2081,8 +2081,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.coverity 2016-12-23 16:40:26.896788690 +0100
+++ openssh-7.4p1/servconf.c 2016-12-23 16:40:26.901788691 +0100
@@ -1638,8 +1638,9 @@ process_server_config_line(ServerOptions
if (*activep && *charptr == NULL) {
*charptr = tilde_expand_filename(arg, getuid());
/* increase optional counter */
@ -365,11 +266,10 @@ index 8b9540d..d72fb62 100644
}
break;
diff --git a/serverloop.c b/serverloop.c
index b4c0d82..62c7e90 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -546,7 +546,7 @@ server_request_tun(struct ssh *ssh)
diff -up openssh-8.7p1/serverloop.c.coverity openssh-8.7p1/serverloop.c
--- openssh-8.7p1/serverloop.c.coverity 2021-08-20 06:03:49.000000000 +0200
+++ openssh-8.7p1/serverloop.c 2021-08-30 16:28:22.416226981 +0200
@@ -547,7 +547,7 @@ server_request_tun(struct ssh *ssh)
debug_f("invalid tun");
goto done;
}
@ -378,30 +278,10 @@ index b4c0d82..62c7e90 100644
if (tun != SSH_TUNID_ANY &&
auth_opts->force_tun_device != (int)tun)
goto done;
diff --git a/session.c b/session.c
index 58cf557..cdb301b 100644
--- a/session.c
+++ b/session.c
@@ -1222,12 +1222,14 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
/* Environment specified by admin */
for (i = 0; i < options.num_setenv; i++) {
cp = xstrdup(options.setenv[i]);
+ /* coverity[overwrite_var : FALSE] */
if ((value = strchr(cp, '=')) == NULL) {
/* shouldn't happen; vars are checked in servconf.c */
fatal("Invalid config SetEnv: %s", options.setenv[i]);
}
*value++ = '\0';
child_set_env(&env, &envsize, cp, value);
+ free(cp);
}
/* SSH_CLIENT deprecated */
diff --git a/sftp.c b/sftp.c
index c3c347e..c18a354 100644
--- a/sftp.c
+++ b/sftp.c
@@ -226,7 +226,7 @@ killchild(int signo)
diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
--- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100
@@ -224,7 +224,7 @@ killchild(int signo)
pid = sshpid;
if (pid > 1) {
kill(pid, SIGTERM);
@ -410,19 +290,10 @@ index c3c347e..c18a354 100644
}
_exit(1);
@@ -1029,6 +1029,7 @@ do_globbed_ls(struct sftp_conn *conn, const char *path,
if (lflag & LS_LONG_VIEW) {
if (g.gl_statv[i] == NULL) {
error("no stat information for %s", fname);
+ free(fname);
continue;
}
lname = ls_file(fname, g.gl_statv[i], 1,
diff --git a/ssh-agent.c b/ssh-agent.c
index 50d0638..a292a9e 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1391,6 +1391,7 @@ sanitize_pkcs11_provider(const char *provider)
diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
--- openssh-7.4p1/ssh-agent.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/ssh-agent.c 2016-12-23 16:40:26.903788691 +0100
@@ -869,6 +869,7 @@ sanitize_pkcs11_provider(const char *pro
if (pkcs11_uri_parse(provider, uri) != 0) {
error("Failed to parse PKCS#11 URI");
@ -430,7 +301,7 @@ index 50d0638..a292a9e 100644
return NULL;
}
/* validate also provider from URI */
@@ -2080,8 +2081,8 @@ main(int ac, char **av)
@@ -1220,8 +1220,8 @@ main(int ac, char **av)
sanitise_stdfd();
/* drop */
@ -441,43 +312,10 @@ index 50d0638..a292a9e 100644
platform_disable_tracing(0); /* strict=no */
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 6ae72ab..076dd33 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -2365,6 +2365,9 @@ update_krl_from_file(struct passwd *pw, const char *file, int wild_ca,
r = ssh_krl_revoke_key_sha256(krl, blob, blen);
if (r != 0)
fatal_fr(r, "revoke key failed");
+ freezero(blob, blen);
+ blob = NULL;
+ blen = 0;
} else {
if (strncasecmp(cp, "key:", 4) == 0) {
cp += 4;
@@ -3023,6 +3026,7 @@ do_moduli_screen(const char *out_file, char **opts, size_t nopts)
} else if (strncmp(opts[i], "start-line=", 11) == 0) {
start_lineno = strtoul(opts[i]+11, NULL, 10);
} else if (strncmp(opts[i], "checkpoint=", 11) == 0) {
+ free(checkpoint);
checkpoint = xstrdup(opts[i]+11);
} else if (strncmp(opts[i], "generator=", 10) == 0) {
generator_wanted = (u_int32_t)strtonum(
@@ -3064,6 +3068,9 @@ do_moduli_screen(const char *out_file, char **opts, size_t nopts)
#else /* WITH_OPENSSL */
fatal("Moduli screening is not supported");
#endif /* WITH_OPENSSL */
+ free(checkpoint);
+ if (in != stdin)
+ fclose(in);
}
/* Read and confirm a passphrase */
diff --git a/ssh.c b/ssh.c
index a5155f4..68558d4 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1755,6 +1755,7 @@ control_persist_detach(void)
diff -up openssh-8.5p1/ssh.c.coverity openssh-8.5p1/ssh.c
--- openssh-8.5p1/ssh.c.coverity 2021-03-24 12:03:33.779968138 +0100
+++ openssh-8.5p1/ssh.c 2021-03-24 12:03:33.786968187 +0100
@@ -1746,6 +1746,7 @@ control_persist_detach(void)
close(muxserver_sock);
muxserver_sock = -1;
options.control_master = SSHCTL_MASTER_NO;
@ -485,11 +323,10 @@ index a5155f4..68558d4 100644
muxclient(options.control_path);
/* muxclient() doesn't return on success. */
fatal("Failed to connect to new control master");
diff --git a/sshd.c b/sshd.c
index e05dd82..a4a1b79 100644
--- a/sshd.c
+++ b/sshd.c
@@ -595,8 +595,10 @@ privsep_preauth(struct ssh *ssh)
diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
--- openssh-7.4p1/sshd.c.coverity 2016-12-23 16:40:26.897788690 +0100
+++ openssh-7.4p1/sshd.c 2016-12-23 16:40:26.904788692 +0100
@@ -691,8 +691,10 @@ privsep_preauth(Authctxt *authctxt)
privsep_preauth_child(ssh);
setproctitle("%s", "[net]");
@ -501,7 +338,7 @@ index e05dd82..a4a1b79 100644
return 0;
}
@@ -2560,8 +2562,11 @@ do_ssh2_kex(struct ssh *ssh)
@@ -2519,8 +2524,11 @@ do_ssh2_kex(struct ssh *ssh)
if (newstr)
myproposal[PROPOSAL_KEX_ALGS] = newstr;
@ -514,18 +351,16 @@ index e05dd82..a4a1b79 100644
}
#endif
diff --git a/sshsig.c b/sshsig.c
index eb2a931..3e91c14 100644
--- a/sshsig.c
+++ b/sshsig.c
@@ -551,6 +551,7 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp)
oerrno = errno;
sshbuf_free(b);
ssh_digest_free(ctx);
+ ctx = NULL;
explicit_bzero(hash, sizeof(hash));
errno = oerrno;
return r;
--
2.27.0
diff -up openssh-8.5p1/ssh-keygen.c.coverity openssh-8.5p1/ssh-keygen.c
--- openssh-8.5p1/ssh-keygen.c.coverity 2021-03-24 12:03:33.780968145 +0100
+++ openssh-8.5p1/ssh-keygen.c 2021-03-24 12:03:33.787968194 +0100
@@ -2332,6 +2332,9 @@ update_krl_from_file(struct passwd *pw,
r = ssh_krl_revoke_key_sha256(krl, blob, blen);
if (r != 0)
fatal_fr(r, "revoke key failed");
+ freezero(blob, blen);
+ blob = NULL;
+ blen = 0;
} else {
if (strncasecmp(cp, "key:", 4) == 0) {
cp += 4;

106
openssh-7.3p1-x11-max-displays.patch
View File

@ -1,19 +1,7 @@
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.3p1-x11-max-displays.patch
---
channels.c | 23 ++++++++++++++---------
channels.h | 2 +-
servconf.c | 12 +++++++++++-
servconf.h | 2 ++
session.c | 5 +++--
sshd_config.5 | 7 +++++++
6 files changed, 38 insertions(+), 13 deletions(-)
diff --git a/channels.c b/channels.c
index 7230540..040a4c6 100644
--- a/channels.c
+++ b/channels.c
@@ -101,8 +101,8 @@
diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
--- openssh-7.4p1/channels.c.x11max 2016-12-23 15:46:32.071506625 +0100
+++ openssh-7.4p1/channels.c 2016-12-23 15:46:32.139506636 +0100
@@ -152,8 +152,8 @@ static int all_opens_permitted = 0;
#define FWD_PERMIT_ANY_HOST "*"
/* -- X11 forwarding */
@ -24,7 +12,7 @@ index 7230540..040a4c6 100644
/* Per-channel callback for pre/post IO actions */
typedef void chan_fn(struct ssh *, Channel *c);
@@ -4801,7 +4801,7 @@ rdynamic_connect_finish(struct ssh *ssh, Channel *c)
@@ -4228,7 +4228,7 @@ channel_send_window_changes(void)
*/
int
x11_create_display_inet(struct ssh *ssh, int x11_display_offset,
@ -33,7 +21,7 @@ index 7230540..040a4c6 100644
u_int *display_numberp, int **chanids)
{
Channel *nc = NULL;
@@ -4814,10 +4814,15 @@ x11_create_display_inet(struct ssh *ssh, int x11_display_offset,
@@ -4240,10 +4241,15 @@ x11_create_display_inet(int x11_display_
if (chanids == NULL)
return -1;
@ -51,7 +39,7 @@ index 7230540..040a4c6 100644
memset(&hints, 0, sizeof(hints));
hints.ai_family = ssh->chanctxt->IPv4or6;
hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
@@ -4870,7 +4875,7 @@ x11_create_display_inet(struct ssh *ssh, int x11_display_offset,
@@ -4295,7 +4301,7 @@ x11_create_display_inet(int x11_display_
if (num_socks > 0)
break;
}
@ -60,7 +48,7 @@ index 7230540..040a4c6 100644
error("Failed to allocate internet-domain X11 display socket.");
return -1;
}
@@ -5054,7 +5059,7 @@ x11_connect_display(struct ssh *ssh)
@@ -4441,7 +4447,7 @@ x11_connect_display(void)
memset(&hints, 0, sizeof(hints));
hints.ai_family = ssh->chanctxt->IPv4or6;
hints.ai_socktype = SOCK_STREAM;
@ -69,7 +57,7 @@ index 7230540..040a4c6 100644
if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
error("%.100s: unknown host. (%s)", buf,
ssh_gai_strerror(gaierr));
@@ -5070,7 +5075,7 @@ x11_connect_display(struct ssh *ssh)
@@ -4457,7 +4463,7 @@ x11_connect_display(void)
/* Connect it to the display. */
if (connect(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
debug2("connect %.100s port %u: %.100s", buf,
@ -78,33 +66,33 @@ index 7230540..040a4c6 100644
close(sock);
continue;
}
@@ -5080,7 +5085,7 @@ x11_connect_display(struct ssh *ssh)
@@ -4466,8 +4472,8 @@ x11_connect_display(void)
}
freeaddrinfo(aitop);
if (!ai) {
error("connect %.100s port %u: %.100s", buf,
- error("connect %.100s port %u: %.100s", buf,
- 6000 + display_number, strerror(errno));
+ error("connect %.100s port %u: %.100s", buf,
+ X11_PORT_MIN + display_number, strerror(errno));
return -1;
}
set_nodelay(sock);
diff --git a/channels.h b/channels.h
index 828c1b6..7d8a83e 100644
--- a/channels.h
+++ b/channels.h
@@ -361,7 +361,7 @@ int permitopen_port(const char *);
diff -up openssh-7.4p1/channels.h.x11max openssh-7.4p1/channels.h
--- openssh-7.4p1/channels.h.x11max 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/channels.h 2016-12-23 15:46:32.139506636 +0100
@@ -293,7 +293,7 @@ int permitopen_port(const char *);
void channel_set_x11_refuse_time(struct ssh *, u_int);
void channel_set_x11_refuse_time(struct ssh *, time_t);
int x11_connect_display(struct ssh *);
-int x11_create_display_inet(struct ssh *, int, int, int, u_int *, int **);
+int x11_create_display_inet(struct ssh *, int, int, int, int, u_int *, int **);
void x11_request_forwarding_with_spoofing(struct ssh *, int,
const char *, const char *, const char *, int);
diff --git a/servconf.c b/servconf.c
index 13c4a08..fdba127 100644
--- a/servconf.c
+++ b/servconf.c
@@ -115,6 +115,7 @@ initialize_server_options(ServerOptions *options)
diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.x11max 2016-12-23 15:46:32.133506635 +0100
+++ openssh-7.4p1/servconf.c 2016-12-23 15:47:27.320519121 +0100
@@ -95,6 +95,7 @@ initialize_server_options(ServerOptions
options->print_lastlog = -1;
options->x11_forwarding = -1;
options->x11_display_offset = -1;
@ -112,7 +100,7 @@ index 13c4a08..fdba127 100644
options->x11_use_localhost = -1;
options->permit_tty = -1;
options->permit_user_rc = -1;
@@ -330,6 +331,8 @@ fill_default_server_options(ServerOptions *options)
@@ -243,6 +244,8 @@ fill_default_server_options(ServerOption
options->x11_forwarding = 0;
if (options->x11_display_offset == -1)
options->x11_display_offset = 10;
@ -121,8 +109,8 @@ index 13c4a08..fdba127 100644
if (options->x11_use_localhost == -1)
options->x11_use_localhost = 1;
if (options->xauth_location == NULL)
@@ -518,7 +521,7 @@ typedef enum {
sPasswordAuthentication,
@@ -419,7 +422,7 @@ typedef enum {
sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok, sPasswordAuthentication,
sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
- sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@ -130,7 +118,7 @@ index 13c4a08..fdba127 100644
sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
@@ -652,6 +655,7 @@ static struct {
@@ -540,6 +543,7 @@ static struct {
{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
@ -138,7 +126,7 @@ index 13c4a08..fdba127 100644
{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
@@ -1680,6 +1684,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
@@ -1316,6 +1320,10 @@ process_server_config_line(ServerOptions
*intptr = value;
break;
@ -149,7 +137,7 @@ index 13c4a08..fdba127 100644
case sX11UseLocalhost:
intptr = &options->x11_use_localhost;
goto parse_flag;
@@ -2678,6 +2686,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
@@ -2063,6 +2071,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
M_CP_INTOPT(x11_display_offset);
M_CP_INTOPT(x11_forwarding);
@ -157,7 +145,7 @@ index 13c4a08..fdba127 100644
M_CP_INTOPT(x11_use_localhost);
M_CP_INTOPT(permit_tty);
M_CP_INTOPT(permit_user_rc);
@@ -2953,6 +2962,7 @@ dump_config(ServerOptions *o)
@@ -2315,6 +2324,7 @@ dump_config(ServerOptions *o)
#endif
dump_cfg_int(sLoginGraceTime, o->login_grace_time);
dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
@ -165,11 +153,10 @@ index 13c4a08..fdba127 100644
dump_cfg_int(sMaxAuthTries, o->max_authtries);
dump_cfg_int(sMaxSessions, o->max_sessions);
dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
diff --git a/servconf.h b/servconf.h
index 37d3a6f..77fd779 100644
--- a/servconf.h
+++ b/servconf.h
@@ -45,6 +45,7 @@
diff -up openssh-7.4p1/servconf.h.x11max openssh-7.4p1/servconf.h
--- openssh-7.4p1/servconf.h.x11max 2016-12-23 15:46:32.133506635 +0100
+++ openssh-7.4p1/servconf.h 2016-12-23 15:46:32.140506636 +0100
@@ -55,6 +55,7 @@
#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
@ -177,7 +164,7 @@ index 37d3a6f..77fd779 100644
/* Magic name for internal sftp-server */
#define INTERNAL_SFTP_NAME "internal-sftp"
@@ -105,6 +106,7 @@ typedef struct {
@@ -85,6 +86,7 @@ typedef struct {
int x11_forwarding; /* If true, permit inet (spoofing) X11 fwd. */
int x11_display_offset; /* What DISPLAY number to start
* searching at */
@ -185,11 +172,10 @@ index 37d3a6f..77fd779 100644
int x11_use_localhost; /* If true, use localhost for fake X11 server. */
char *xauth_location; /* Location of xauth program */
int permit_tty; /* If false, deny pty allocation */
diff --git a/session.c b/session.c
index 6040d51..dd7d148 100644
--- a/session.c
+++ b/session.c
@@ -2612,8 +2612,9 @@ session_setup_x11fwd(struct ssh *ssh, Session *s)
diff -up openssh-7.4p1/session.c.x11max openssh-7.4p1/session.c
--- openssh-7.4p1/session.c.x11max 2016-12-23 15:46:32.136506636 +0100
+++ openssh-7.4p1/session.c 2016-12-23 15:46:32.141506636 +0100
@@ -2518,8 +2518,9 @@ session_setup_x11fwd(Session *s)
return 0;
}
if (x11_create_display_inet(ssh, options.x11_display_offset,
@ -201,19 +187,18 @@ index 6040d51..dd7d148 100644
debug("x11_create_display_inet failed.");
return 0;
}
diff --git a/sshd_config.5 b/sshd_config.5
index 4396b93..440fe92 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1280,6 +1280,7 @@ Available keywords are
.Cm StreamLocalBindUnlink ,
diff -up openssh-7.4p1/sshd_config.5.x11max openssh-7.4p1/sshd_config.5
--- openssh-7.4p1/sshd_config.5.x11max 2016-12-23 15:46:32.134506635 +0100
+++ openssh-7.4p1/sshd_config.5 2016-12-23 15:46:32.141506636 +0100
@@ -1133,6 +1133,7 @@ Available keywords are
.Cm TrustedUserCAKeys ,
.Cm UnusedConnectionTimeout ,
.Cm X11DisplayOffset ,
+.Cm X11MaxDisplays ,
.Cm X11Forwarding
and
.Cm X11UseLocalhost .
@@ -1847,6 +1848,12 @@ Specifies the first display number available for
@@ -1566,6 +1567,12 @@ Specifies the first display number avail
X11 forwarding.
This prevents sshd from interfering with real X11 servers.
The default is 10.
@ -226,6 +211,3 @@ index 4396b93..440fe92 100644
.It Cm X11Forwarding
Specifies whether X11 forwarding is permitted.
The argument must be
--
2.27.0

27
openssh-7.4p1-systemd.patch
View File

@ -1,17 +1,14 @@
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.4p1-systemd.patch
commit 0e22b79bfde45a7cf7a2e51a68ec11c4285f3b31
Author: Jakub Jelen <jjelen@redhat.com>
Date: Mon Nov 21 15:04:06 2016 +0100
---
configure.ac | 24 ++++++++++++++++++++++++
contrib/sshd.service | 16 ++++++++++++++++
sshd.c | 9 +++++++++
3 files changed, 49 insertions(+)
create mode 100644 contrib/sshd.service
systemd stuff
diff --git a/configure.ac b/configure.ac
index bbe133e..6f7dc48 100644
index 2ffc369..162ce92 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4822,6 +4822,29 @@ AC_SUBST([GSSLIBS])
@@ -4265,6 +4265,30 @@ AC_ARG_WITH([kerberos5],
AC_SUBST([K5LIBS])
AC_SUBST([CHANNELLIBS])
@ -37,11 +34,12 @@ index bbe133e..6f7dc48 100644
+ fi
+ fi ]
+)
+
+
# Looking for programs, paths and files
PRIVSEP_PATH=/var/empty
@@ -5621,6 +5644,7 @@ echo " libldns support: $LDNS_MSG"
@@ -5097,6 +5121,7 @@ echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG"
echo " Solaris project support: $SP_MSG"
echo " Solaris privilege support: $SPP_MSG"
@ -72,10 +70,10 @@ index 0000000..e0d4923
+WantedBy=multi-user.target
+
diff --git a/sshd.c b/sshd.c
index 0d4cfef..2a9b96d 100644
index 816611c..b8b9d13 100644
--- a/sshd.c
+++ b/sshd.c
@@ -88,6 +88,10 @@
@@ -85,6 +85,10 @@
#include <prot.h>
#endif
@ -86,7 +84,7 @@ index 0d4cfef..2a9b96d 100644
#include "xmalloc.h"
#include "ssh.h"
#include "ssh2.h"
@@ -2121,6 +2125,11 @@ main(int ac, char **av)
@@ -1888,6 +1892,11 @@ main(int ac, char **av)
}
}
@ -98,6 +96,3 @@ index 0d4cfef..2a9b96d 100644
/* Accept a connection and return in a forked child */
server_accept_loop(&sock_in, &sock_out,
&newsock, config_s);
--
2.27.0

2
openssh-7.5p1-sandbox.patch
View File

@ -21,7 +21,7 @@ index ca75cc7..6e7de31 100644
+ SC_ALLOW(__NR_flock),
+#endif
#ifdef __NR_futex
SC_ALLOW(__NR_futex),
SC_FUTEX(__NR_futex),
#endif
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_gettimeofday

935
openssh-7.6p1-audit.patch
View File

File diff suppressed because it is too large Load Diff

5
openssh-7.7p1-gssapi-new-unique.patch
View File

@ -503,13 +503,12 @@ diff -up openssh-8.6p1/servconf.c.ccache_name openssh-8.6p1/servconf.c
if (options->gss_authentication == -1)
options->gss_authentication = 0;
if (options->gss_keyex == -1)
@@ -506,7 +509,8 @@ typedef enum {
@@ -506,7 +509,7 @@ typedef enum {
sPort, sHostKeyFile, sLoginGraceTime,
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
- sKerberosGetAFSToken, sPasswordAuthentication,
+ sKerberosGetAFSToken, sKerberosUniqueCCache,
+ sPasswordAuthentication,
+ sKerberosGetAFSToken, sKerberosUniqueCCache, sPasswordAuthentication,
sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,

16
openssh-7.7p1.patch
View File

@ -15,7 +15,7 @@ diff -up openssh/ssh_config.redhat openssh/ssh_config
diff -up openssh/ssh_config_redhat.redhat openssh/ssh_config_redhat
--- openssh/ssh_config_redhat.redhat 2020-02-13 18:13:39.180641839 +0100
+++ openssh/ssh_config_redhat 2020-02-13 18:13:39.180641839 +0100
@@ -0,0 +1,21 @@
@@ -0,0 +1,15 @@
+# The options here are in the "Match final block" to be applied as the last
+# options and could be potentially overwritten by the user configuration
+Match final all
@ -29,12 +29,6 @@ diff -up openssh/ssh_config_redhat.redhat openssh/ssh_config_redhat
+# mode correctly we set this to yes.
+ ForwardX11Trusted yes
+
+# Send locale-related environment variables
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+ SendEnv XMODIFIERS
+
+# Uncomment this if you want to use .local domain
+# Host *.local
diff -up openssh/sshd_config.0.redhat openssh/sshd_config.0
@ -86,7 +80,7 @@ diff -up openssh/sshd_config.redhat openssh/sshd_config
diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat
--- openssh/sshd_config_redhat.redhat 2020-02-13 18:14:02.268006439 +0100
+++ openssh/sshd_config_redhat 2020-02-13 18:19:20.765035947 +0100
@@ -0,0 +1,28 @@
@@ -0,0 +1,22 @@
+# This system is following system-wide crypto policy. The changes to
+# crypto properties (Ciphers, MACs, ...) will not have any effect in
+# this or following included files. To override some configuration option,
@ -109,9 +103,3 @@ diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat
+# as it is more configurable and versatile than the built-in version.
+PrintMotd no
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+

1
openssh-7.8p1-UsePAM-warning.patch
View File

@ -1,4 +1,3 @@
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.8p1-UsePAM-warning.patch
diff -up openssh-8.6p1/sshd.c.log-usepam-no openssh-8.6p1/sshd.c
--- openssh-8.6p1/sshd.c.log-usepam-no 2021-04-19 14:00:45.099735129 +0200
+++ openssh-8.6p1/sshd.c 2021-04-19 14:03:21.140920974 +0200

79
openssh-8.0p1-crypto-policies.patch
View File

@ -1,8 +1,7 @@
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.0p1-crypto-policies.patch
diff --color -ru a/ssh_config.5 b/ssh_config.5
--- a/ssh_config.5 2022-07-12 15:05:22.550013071 +0200
+++ b/ssh_config.5 2022-07-12 15:17:20.016704545 +0200
@@ -373,17 +373,13 @@
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/ssh_config.5 openssh-9.3p1-patched/ssh_config.5
--- openssh-9.3p1/ssh_config.5 2023-06-07 10:26:48.284590156 +0200
+++ openssh-9.3p1-patched/ssh_config.5 2023-06-07 10:26:00.623052194 +0200
@@ -378,17 +378,13 @@
causes no CNAMEs to be considered for canonicalization.
This is the default behaviour.
.It Cm CASignatureAlgorithms
@ -25,7 +24,7 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
If the specified list begins with a
.Sq +
character, then the specified algorithms will be appended to the default set
@@ -445,20 +441,25 @@
@@ -450,20 +446,25 @@
(the default),
the check will not be executed.
.It Cm Ciphers
@ -55,7 +54,7 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
.Pp
The supported ciphers are:
.Bd -literal -offset indent
@@ -474,13 +475,6 @@
@@ -479,13 +480,6 @@
chacha20-poly1305@openssh.com
.Ed
.Pp
@ -69,7 +68,7 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
The list of available ciphers may also be obtained using
.Qq ssh -Q cipher .
.It Cm ClearAllForwardings
@@ -874,6 +868,11 @@
@@ -885,6 +879,11 @@
The default is
.Dq no .
.It Cm GSSAPIKexAlgorithms
@ -81,7 +80,7 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
The list of key exchange algorithms that are offered for GSSAPI
key exchange. Possible values are
.Bd -literal -offset 3n
@@ -886,10 +885,8 @@
@@ -897,10 +896,8 @@
gss-curve25519-sha256-
.Ed
.Pp
@ -93,7 +92,7 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
@@ -913,36 +910,25 @@
@@ -919,36 +916,25 @@
but may be manually hashed using
.Xr ssh-keygen 1 .
.It Cm HostbasedAcceptedAlgorithms
@ -138,7 +137,25 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
.Pp
The
.Fl Q
@@ -1219,30 +1216,25 @@
@@ -1001,6 +987,17 @@
.Pp
The list of available signature algorithms may also be obtained using
.Qq ssh -Q HostKeyAlgorithms .
+.Pp
+The proposed
+.Cm HostKeyAlgorithms
+during KEX are limited to the set of algorithms that is defined in
+.Cm PubkeyAcceptedAlgorithms
+and therefore they are indirectly affected by system-wide
+.Xr crypto_policies 7 .
+.Xr crypto_policies 7 can not handle the list of host key algorithms directly as doing so
+would break the order given by the
+.Pa known_hosts
+file.
.It Cm HostKeyAlias
Specifies an alias that should be used instead of the
real host name when looking up or saving the host key
@@ -1232,30 +1229,25 @@
and
.Cm pam .
.It Cm KexAlgorithms
@ -178,7 +195,7 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
.Pp
The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q kex .
@@ -1351,37 +1344,33 @@
@@ -1365,37 +1357,33 @@
file.
This option is intended for debugging and no overrides are enabled by default.
.It Cm MACs
@ -225,7 +242,7 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac .
.It Cm NoHostAuthenticationForLocalhost
@@ -1553,36 +1542,25 @@
@@ -1567,39 +1555,31 @@
The default is
.Cm no .
.It Cm PubkeyAcceptedAlgorithms
@ -271,7 +288,13 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
.Pp
The list of available signature algorithms may also be obtained using
.Qq ssh -Q PubkeyAcceptedAlgorithms .
@@ -2237,7 +2207,9 @@ for those users who do not have a config
+.Pp
+This option affects also
+.Cm HostKeyAlgorithms
.It Cm PubkeyAuthentication
Specifies whether to try public key authentication.
The argument to this keyword must be
@@ -2265,7 +2245,9 @@
This file must be world-readable.
.El
.Sh SEE ALSO
@ -282,10 +305,10 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
.Sh AUTHORS
.An -nosplit
OpenSSH is a derivative of the original and free
diff --color -ru a/sshd_config.5 b/sshd_config.5
--- a/sshd_config.5 2022-07-12 15:05:22.535012771 +0200
+++ b/sshd_config.5 2022-07-12 15:15:33.394809258 +0200
@@ -373,17 +373,13 @@
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/sshd_config.5 openssh-9.3p1-patched/sshd_config.5
--- openssh-9.3p1/sshd_config.5 2023-06-07 10:26:48.277590077 +0200
+++ openssh-9.3p1-patched/sshd_config.5 2023-06-07 10:26:00.592051845 +0200
@@ -379,17 +379,13 @@
then no banner is displayed.
By default, no banner is displayed.
.It Cm CASignatureAlgorithms
@ -308,7 +331,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
If the specified list begins with a
.Sq +
character, then the specified algorithms will be appended to the default set
@@ -450,20 +446,25 @@
@@ -525,20 +521,25 @@
indicating not to
.Xr chroot 2 .
.It Cm Ciphers
@ -338,7 +361,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
.Pp
The supported ciphers are:
.Pp
@@ -490,13 +491,6 @@
@@ -565,13 +566,6 @@
chacha20-poly1305@openssh.com
.El
.Pp
@ -352,7 +375,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
The list of available ciphers may also be obtained using
.Qq ssh -Q cipher .
.It Cm ClientAliveCountMax
@@ -685,53 +679,43 @@
@@ -766,53 +760,43 @@
.Cm GSSAPIKeyExchange
needs to be enabled in the server and also used by the client.
.It Cm GSSAPIKexAlgorithms
@ -425,7 +448,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
.Pp
The list of available signature algorithms may also be obtained using
.Qq ssh -Q HostbasedAcceptedAlgorithms .
@@ -799,25 +794,14 @@
@@ -879,25 +863,14 @@
.Ev SSH_AUTH_SOCK
environment variable.
.It Cm HostKeyAlgorithms
@ -456,7 +479,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
The list of available signature algorithms may also be obtained using
.Qq ssh -Q HostKeyAlgorithms .
.It Cm IgnoreRhosts
@@ -965,20 +947,25 @@
@@ -1044,20 +1017,25 @@
The default is
.Cm yes .
.It Cm KexAlgorithms
@ -486,7 +509,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
The supported algorithms are:
.Pp
.Bl -item -compact -offset indent
@@ -1010,16 +997,6 @@
@@ -1089,16 +1067,6 @@
sntrup761x25519-sha512@openssh.com
.El
.Pp
@ -503,7 +526,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q KexAlgorithms .
.It Cm ListenAddress
@@ -1104,21 +1082,26 @@
@@ -1184,21 +1152,26 @@
file.
This option is intended for debugging and no overrides are enabled by default.
.It Cm MACs
@ -534,7 +557,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
.Pp
The algorithms that contain
.Qq -etm
@@ -1161,15 +1144,6 @@
@@ -1241,15 +1214,6 @@
umac-128-etm@openssh.com
.El
.Pp
@ -550,7 +573,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac .
.It Cm Match
@@ -1548,36 +1522,25 @@
@@ -1633,36 +1597,25 @@
The default is
.Cm yes .
.It Cm PubkeyAcceptedAlgorithms
@ -596,7 +619,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
.Pp
The list of available signature algorithms may also be obtained using
.Qq ssh -Q PubkeyAcceptedAlgorithms .
@@ -2011,7 +1968,9 @@ This file should be writable by root onl
@@ -2131,7 +2084,9 @@
.El
.Sh SEE ALSO
.Xr sftp-server 8 ,

496
openssh-8.0p1-gssapi-keyex.patch
View File

File diff suppressed because it is too large Load Diff

720
openssh-8.0p1-openssl-evp.patch
View File

@ -1,720 +0,0 @@
From ed7ec0cdf577ffbb0b15145340cf51596ca3eb89 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 14 May 2019 10:45:45 +0200
Subject: [PATCH] Use high-level OpenSSL API for signatures
---
digest-openssl.c | 16 ++++
digest.h | 6 ++
ssh-dss.c | 65 ++++++++++------
ssh-ecdsa.c | 69 ++++++++++-------
ssh-rsa.c | 193 +++++++++--------------------------------------
sshkey.c | 77 +++++++++++++++++++
sshkey.h | 4 +
7 files changed, 221 insertions(+), 209 deletions(-)
diff --git a/digest-openssl.c b/digest-openssl.c
index da7ed72bc..6a21d8adb 100644
--- a/digest-openssl.c
+++ b/digest-openssl.c
@@ -63,6 +63,22 @@ const struct ssh_digest digests[] = {
{ -1, NULL, 0, NULL },
};
+const EVP_MD *
+ssh_digest_to_md(int digest_type)
+{
+ switch (digest_type) {
+ case SSH_DIGEST_SHA1:
+ return EVP_sha1();
+ case SSH_DIGEST_SHA256:
+ return EVP_sha256();
+ case SSH_DIGEST_SHA384:
+ return EVP_sha384();
+ case SSH_DIGEST_SHA512:
+ return EVP_sha512();
+ }
+ return NULL;
+}
+
static const struct ssh_digest *
ssh_digest_by_alg(int alg)
{
diff --git a/digest.h b/digest.h
index 274574d0e..c7ceeb36f 100644
--- a/digest.h
+++ b/digest.h
@@ -32,6 +32,12 @@
struct sshbuf;
struct ssh_digest_ctx;
+#ifdef WITH_OPENSSL
+#include <openssl/evp.h>
+/* Converts internal digest representation to the OpenSSL one */
+const EVP_MD *ssh_digest_to_md(int digest_type);
+#endif
+
/* Looks up a digest algorithm by name */
int ssh_digest_alg_by_name(const char *name);
diff --git a/ssh-dss.c b/ssh-dss.c
index a23c383dc..ea45e7275 100644
--- a/ssh-dss.c
+++ b/ssh-dss.c
@@ -52,11 +52,15 @@ int
ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
const u_char *data, size_t datalen, u_int compat)
{
+ EVP_PKEY *pkey = NULL;
DSA_SIG *sig = NULL;
const BIGNUM *sig_r, *sig_s;
- u_char digest[SSH_DIGEST_MAX_LENGTH], sigblob[SIGBLOB_LEN];
- size_t rlen, slen, len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
+ u_char sigblob[SIGBLOB_LEN];
+ size_t rlen, slen;
+ int len;
struct sshbuf *b = NULL;
+ u_char *sigb = NULL;
+ const u_char *psig = NULL;
int ret = SSH_ERR_INVALID_ARGUMENT;
if (lenp != NULL)
@@ -67,17 +71,24 @@ ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
if (key == NULL || key->dsa == NULL ||
sshkey_type_plain(key->type) != KEY_DSA)
return SSH_ERR_INVALID_ARGUMENT;
- if (dlen == 0)
- return SSH_ERR_INTERNAL_ERROR;
- if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen,
- digest, sizeof(digest))) != 0)
+ if ((pkey = EVP_PKEY_new()) == NULL ||
+ EVP_PKEY_set1_DSA(pkey, key->dsa) != 1)
+ return SSH_ERR_ALLOC_FAIL;
+ ret = sshkey_calculate_signature(pkey, SSH_DIGEST_SHA1, &sigb, &len,
+ data, datalen);
+ EVP_PKEY_free(pkey);
+ if (ret < 0) {
goto out;
+ }
- if ((sig = DSA_do_sign(digest, dlen, key->dsa)) == NULL) {
+ psig = sigb;
+ if ((sig = d2i_DSA_SIG(NULL, &psig, len)) == NULL) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
+ free(sigb);
+ sigb = NULL;
DSA_SIG_get0(sig, &sig_r, &sig_s);
rlen = BN_num_bytes(sig_r);
@@ -110,7 +121,7 @@ ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
*lenp = len;
ret = 0;
out:
- explicit_bzero(digest, sizeof(digest));
+ free(sigb);
DSA_SIG_free(sig);
sshbuf_free(b);
return ret;
@@ -121,20 +132,20 @@ ssh_dss_verify(const struct sshkey *key,
const u_char *signature, size_t signaturelen,
const u_char *data, size_t datalen, u_int compat)
{
+ EVP_PKEY *pkey = NULL;
DSA_SIG *sig = NULL;
BIGNUM *sig_r = NULL, *sig_s = NULL;
- u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob = NULL;
- size_t len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
+ u_char *sigblob = NULL;
+ size_t len, slen;
int ret = SSH_ERR_INTERNAL_ERROR;
struct sshbuf *b = NULL;
char *ktype = NULL;
+ u_char *sigb = NULL, *psig = NULL;
if (key == NULL || key->dsa == NULL ||
sshkey_type_plain(key->type) != KEY_DSA ||
signature == NULL || signaturelen == 0)
return SSH_ERR_INVALID_ARGUMENT;
- if (dlen == 0)
- return SSH_ERR_INTERNAL_ERROR;
/* fetch signature */
if ((b = sshbuf_from(signature, signaturelen)) == NULL)
@@ -176,25 +187,31 @@ ssh_dss_verify(const struct sshkey *key,
}
sig_r = sig_s = NULL; /* transferred */
- /* sha1 the data */
- if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen,
- digest, sizeof(digest))) != 0)
+ if ((slen = i2d_DSA_SIG(sig, NULL)) == 0) {
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
-
- switch (DSA_do_verify(digest, dlen, sig, key->dsa)) {
- case 1:
- ret = 0;
- break;
- case 0:
- ret = SSH_ERR_SIGNATURE_INVALID;
+ }
+ if ((sigb = malloc(slen)) == NULL) {
+ ret = SSH_ERR_ALLOC_FAIL;
goto out;
- default:
+ }
+ psig = sigb;
+ if ((slen = i2d_DSA_SIG(sig, &psig)) == 0) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
+ if ((pkey = EVP_PKEY_new()) == NULL ||
+ EVP_PKEY_set1_DSA(pkey, key->dsa) != 1) {
+ ret = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+ ret = sshkey_verify_signature(pkey, SSH_DIGEST_SHA1, data, datalen,
+ sigb, slen);
+ EVP_PKEY_free(pkey);
+
out:
- explicit_bzero(digest, sizeof(digest));
+ free(sigb);
DSA_SIG_free(sig);
BN_clear_free(sig_r);
BN_clear_free(sig_s);
diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c
index 599c7199d..b036796e8 100644
--- a/ssh-ecdsa.c
+++ b/ssh-ecdsa.c
@@ -50,11 +50,13 @@ int
ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
const u_char *data, size_t datalen, u_int compat)
{
+ EVP_PKEY *pkey = NULL;
ECDSA_SIG *sig = NULL;
+ unsigned char *sigb = NULL;
+ const unsigned char *psig;
const BIGNUM *sig_r, *sig_s;
int hash_alg;
- u_char digest[SSH_DIGEST_MAX_LENGTH];
- size_t len, dlen;
+ int len;
struct sshbuf *b = NULL, *bb = NULL;
int ret = SSH_ERR_INTERNAL_ERROR;
@@ -67,18 +69,24 @@ ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
sshkey_type_plain(key->type) != KEY_ECDSA)
return SSH_ERR_INVALID_ARGUMENT;
- if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 ||
- (dlen = ssh_digest_bytes(hash_alg)) == 0)
+ if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1)
return SSH_ERR_INTERNAL_ERROR;
- if ((ret = ssh_digest_memory(hash_alg, data, datalen,
- digest, sizeof(digest))) != 0)
+
+ if ((pkey = EVP_PKEY_new()) == NULL ||
+ EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa) != 1)
+ return SSH_ERR_ALLOC_FAIL;
+ ret = sshkey_calculate_signature(pkey, hash_alg, &sigb, &len, data,
+ datalen);
+ EVP_PKEY_free(pkey);
+ if (ret < 0) {
goto out;
+ }
- if ((sig = ECDSA_do_sign(digest, dlen, key->ecdsa)) == NULL) {
+ psig = sigb;
+ if ((sig = d2i_ECDSA_SIG(NULL, &psig, len)) == NULL) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
-
if ((bb = sshbuf_new()) == NULL || (b = sshbuf_new()) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
@@ -102,7 +110,7 @@ ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
*lenp = len;
ret = 0;
out:
- explicit_bzero(digest, sizeof(digest));
+ free(sigb);
sshbuf_free(b);
sshbuf_free(bb);
ECDSA_SIG_free(sig);
@@ -115,22 +123,21 @@ ssh_ecdsa_verify(const struct sshkey *key,
const u_char *signature, size_t signaturelen,
const u_char *data, size_t datalen, u_int compat)
{
+ EVP_PKEY *pkey = NULL;
ECDSA_SIG *sig = NULL;
BIGNUM *sig_r = NULL, *sig_s = NULL;
- int hash_alg;
- u_char digest[SSH_DIGEST_MAX_LENGTH];
- size_t dlen;
+ int hash_alg, len;
int ret = SSH_ERR_INTERNAL_ERROR;
struct sshbuf *b = NULL, *sigbuf = NULL;
char *ktype = NULL;
+ unsigned char *sigb = NULL, *psig = NULL;
if (key == NULL || key->ecdsa == NULL ||
sshkey_type_plain(key->type) != KEY_ECDSA ||
signature == NULL || signaturelen == 0)
return SSH_ERR_INVALID_ARGUMENT;
- if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 ||
- (dlen = ssh_digest_bytes(hash_alg)) == 0)
+ if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1)
return SSH_ERR_INTERNAL_ERROR;
/* fetch signature */
@@ -166,28 +173,36 @@ ssh_ecdsa_verify(const struct sshkey *key,
}
sig_r = sig_s = NULL; /* transferred */
- if (sshbuf_len(sigbuf) != 0) {
- ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
+ /* Figure out the length */
+ if ((len = i2d_ECDSA_SIG(sig, NULL)) == 0) {
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+ }
+ if ((sigb = malloc(len)) == NULL) {
+ ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
- if ((ret = ssh_digest_memory(hash_alg, data, datalen,
- digest, sizeof(digest))) != 0)
+ psig = sigb;
+ if ((len = i2d_ECDSA_SIG(sig, &psig)) == 0) {
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
+ }
- switch (ECDSA_do_verify(digest, dlen, sig, key->ecdsa)) {
- case 1:
- ret = 0;
- break;
- case 0:
- ret = SSH_ERR_SIGNATURE_INVALID;
+ if (sshbuf_len(sigbuf) != 0) {
+ ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
goto out;
- default:
- ret = SSH_ERR_LIBCRYPTO_ERROR;
+ }
+
+ if ((pkey = EVP_PKEY_new()) == NULL ||
+ EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa) != 1) {
+ ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
+ ret = sshkey_verify_signature(pkey, hash_alg, data, datalen, sigb, len);
+ EVP_PKEY_free(pkey);
out:
- explicit_bzero(digest, sizeof(digest));
+ free(sigb);
sshbuf_free(sigbuf);
sshbuf_free(b);
ECDSA_SIG_free(sig);
diff --git a/ssh-rsa.c b/ssh-rsa.c
index 9b14f9a9a..8ef3a6aca 100644
--- a/ssh-rsa.c
+++ b/ssh-rsa.c
@@ -37,7 +37,7 @@
#include "openbsd-compat/openssl-compat.h"
-static int openssh_RSA_verify(int, u_char *, size_t, u_char *, size_t, RSA *);
+static int openssh_RSA_verify(int, const u_char *, size_t, u_char *, size_t, EVP_PKEY *);
static const char *
rsa_hash_alg_ident(int hash_alg)
@@ -90,21 +90,6 @@ rsa_hash_id_from_keyname(const char *alg)
return -1;
}
-static int
-rsa_hash_alg_nid(int type)
-{
- switch (type) {
- case SSH_DIGEST_SHA1:
- return NID_sha1;
- case SSH_DIGEST_SHA256:
- return NID_sha256;
- case SSH_DIGEST_SHA512:
- return NID_sha512;
- default:
- return -1;
- }
-}
-
int
ssh_rsa_complete_crt_parameters(struct sshkey *key, const BIGNUM *iqmp)
{
@@ -164,11 +149,10 @@ int
ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
const u_char *data, size_t datalen, const char *alg_ident)
{
- const BIGNUM *rsa_n;
- u_char digest[SSH_DIGEST_MAX_LENGTH], *sig = NULL;
- size_t slen = 0;
- u_int dlen, len;
- int nid, hash_alg, ret = SSH_ERR_INTERNAL_ERROR;
+ EVP_PKEY *pkey = NULL;
+ u_char *sig = NULL;
+ int len, slen = 0;
+ int hash_alg, ret = SSH_ERR_INTERNAL_ERROR;
struct sshbuf *b = NULL;
if (lenp != NULL)
@@ -180,33 +164,24 @@ ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
hash_alg = SSH_DIGEST_SHA1;
else
hash_alg = rsa_hash_id_from_keyname(alg_ident);
+
if (key == NULL || key->rsa == NULL || hash_alg == -1 ||
sshkey_type_plain(key->type) != KEY_RSA)
return SSH_ERR_INVALID_ARGUMENT;
- RSA_get0_key(key->rsa, &rsa_n, NULL, NULL);
- if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
- return SSH_ERR_KEY_LENGTH;
slen = RSA_size(key->rsa);
- if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM)
- return SSH_ERR_INVALID_ARGUMENT;
-
- /* hash the data */
- nid = rsa_hash_alg_nid(hash_alg);
- if ((dlen = ssh_digest_bytes(hash_alg)) == 0)
- return SSH_ERR_INTERNAL_ERROR;
- if ((ret = ssh_digest_memory(hash_alg, data, datalen,
- digest, sizeof(digest))) != 0)
- goto out;
+ if (RSA_bits(key->rsa) < SSH_RSA_MINIMUM_MODULUS_SIZE)
+ return SSH_ERR_KEY_LENGTH;
- if ((sig = malloc(slen)) == NULL) {
- ret = SSH_ERR_ALLOC_FAIL;
+ if ((pkey = EVP_PKEY_new()) == NULL ||
+ EVP_PKEY_set1_RSA(pkey, key->rsa) != 1)
+ return SSH_ERR_ALLOC_FAIL;
+ ret = sshkey_calculate_signature(pkey, hash_alg, &sig, &len, data,
+ datalen);
+ EVP_PKEY_free(pkey);
+ if (ret < 0) {
goto out;
}
- if (RSA_sign(nid, digest, dlen, sig, &len, key->rsa) != 1) {
- ret = SSH_ERR_LIBCRYPTO_ERROR;
- goto out;
- }
if (len < slen) {
size_t diff = slen - len;
memmove(sig + diff, sig, len);
@@ -215,6 +190,7 @@ ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
ret = SSH_ERR_INTERNAL_ERROR;
goto out;
}
+
/* encode signature */
if ((b = sshbuf_new()) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
@@ -235,7 +211,6 @@ ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
*lenp = len;
ret = 0;
out:
- explicit_bzero(digest, sizeof(digest));
freezero(sig, slen);
sshbuf_free(b);
return ret;
@@ -246,10 +221,10 @@ ssh_rsa_verify(const struct sshkey *key,
const u_char *sig, size_t siglen, const u_char *data, size_t datalen,
const char *alg)
{
- const BIGNUM *rsa_n;
+ EVP_PKEY *pkey = NULL;
char *sigtype = NULL;
int hash_alg, want_alg, ret = SSH_ERR_INTERNAL_ERROR;
- size_t len = 0, diff, modlen, dlen;
+ size_t len = 0, diff, modlen;
struct sshbuf *b = NULL;
u_char digest[SSH_DIGEST_MAX_LENGTH], *osigblob, *sigblob = NULL;
@@ -257,8 +232,7 @@ ssh_rsa_verify(const struct sshkey *key,
sshkey_type_plain(key->type) != KEY_RSA ||
sig == NULL || siglen == 0)
return SSH_ERR_INVALID_ARGUMENT;
- RSA_get0_key(key->rsa, &rsa_n, NULL, NULL);
- if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
+ if (RSA_bits(key->rsa) < SSH_RSA_MINIMUM_MODULUS_SIZE)
return SSH_ERR_KEY_LENGTH;
if ((b = sshbuf_from(sig, siglen)) == NULL)
@@ -310,16 +284,15 @@ ssh_rsa_verify(const struct sshkey *key,
explicit_bzero(sigblob, diff);
len = modlen;
}
- if ((dlen = ssh_digest_bytes(hash_alg)) == 0) {
- ret = SSH_ERR_INTERNAL_ERROR;
+
+ if ((pkey = EVP_PKEY_new()) == NULL ||
+ EVP_PKEY_set1_RSA(pkey, key->rsa) != 1) {
+ ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
- if ((ret = ssh_digest_memory(hash_alg, data, datalen,
- digest, sizeof(digest))) != 0)
- goto out;
+ ret = openssh_RSA_verify(hash_alg, data, datalen, sigblob, len, pkey);
+ EVP_PKEY_free(pkey);
- ret = openssh_RSA_verify(hash_alg, digest, dlen, sigblob, len,
- key->rsa);
out:
freezero(sigblob, len);
free(sigtype);
@@ -328,122 +301,26 @@ ssh_rsa_verify(const struct sshkey *key,
return ret;
}
-/*
- * See:
- * http://www.rsasecurity.com/rsalabs/pkcs/pkcs-1/
- * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.asn
- */
-
-/*
- * id-sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
- * oiw(14) secsig(3) algorithms(2) 26 }
- */
-static const u_char id_sha1[] = {
- 0x30, 0x21, /* type Sequence, length 0x21 (33) */
- 0x30, 0x09, /* type Sequence, length 0x09 */
- 0x06, 0x05, /* type OID, length 0x05 */
- 0x2b, 0x0e, 0x03, 0x02, 0x1a, /* id-sha1 OID */
- 0x05, 0x00, /* NULL */
- 0x04, 0x14 /* Octet string, length 0x14 (20), followed by sha1 hash */
-};
-
-/*
- * See http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/algorithms.html
- * id-sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
- * organization(1) gov(101) csor(3) nistAlgorithm(4) hashAlgs(2)
- * id-sha256(1) }
- */
-static const u_char id_sha256[] = {
- 0x30, 0x31, /* type Sequence, length 0x31 (49) */
- 0x30, 0x0d, /* type Sequence, length 0x0d (13) */
- 0x06, 0x09, /* type OID, length 0x09 */
- 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, /* id-sha256 */
- 0x05, 0x00, /* NULL */
- 0x04, 0x20 /* Octet string, length 0x20 (32), followed by sha256 hash */
-};
-
-/*
- * See http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/algorithms.html
- * id-sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
- * organization(1) gov(101) csor(3) nistAlgorithm(4) hashAlgs(2)
- * id-sha256(3) }
- */
-static const u_char id_sha512[] = {
- 0x30, 0x51, /* type Sequence, length 0x51 (81) */
- 0x30, 0x0d, /* type Sequence, length 0x0d (13) */
- 0x06, 0x09, /* type OID, length 0x09 */
- 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, /* id-sha512 */
- 0x05, 0x00, /* NULL */
- 0x04, 0x40 /* Octet string, length 0x40 (64), followed by sha512 hash */
-};
-
static int
-rsa_hash_alg_oid(int hash_alg, const u_char **oidp, size_t *oidlenp)
+openssh_RSA_verify(int hash_alg, const u_char *data, size_t datalen,
+ u_char *sigbuf, size_t siglen, EVP_PKEY *pkey)
{
- switch (hash_alg) {
- case SSH_DIGEST_SHA1:
- *oidp = id_sha1;
- *oidlenp = sizeof(id_sha1);
- break;
- case SSH_DIGEST_SHA256:
- *oidp = id_sha256;
- *oidlenp = sizeof(id_sha256);
- break;
- case SSH_DIGEST_SHA512:
- *oidp = id_sha512;
- *oidlenp = sizeof(id_sha512);
- break;
- default:
- return SSH_ERR_INVALID_ARGUMENT;
- }
- return 0;
-}
+ size_t rsasize = 0;
+ const RSA *rsa;
+ int ret;
-static int
-openssh_RSA_verify(int hash_alg, u_char *hash, size_t hashlen,
- u_char *sigbuf, size_t siglen, RSA *rsa)
-{
- size_t rsasize = 0, oidlen = 0, hlen = 0;
- int ret, len, oidmatch, hashmatch;
- const u_char *oid = NULL;
- u_char *decrypted = NULL;
-
- if ((ret = rsa_hash_alg_oid(hash_alg, &oid, &oidlen)) != 0)
- return ret;
- ret = SSH_ERR_INTERNAL_ERROR;
- hlen = ssh_digest_bytes(hash_alg);
- if (hashlen != hlen) {
- ret = SSH_ERR_INVALID_ARGUMENT;
- goto done;
- }
+ rsa = EVP_PKEY_get0_RSA(pkey);
rsasize = RSA_size(rsa);
if (rsasize <= 0 || rsasize > SSHBUF_MAX_BIGNUM ||
siglen == 0 || siglen > rsasize) {
ret = SSH_ERR_INVALID_ARGUMENT;
goto done;
}
- if ((decrypted = malloc(rsasize)) == NULL) {
- ret = SSH_ERR_ALLOC_FAIL;
- goto done;
- }
- if ((len = RSA_public_decrypt(siglen, sigbuf, decrypted, rsa,
- RSA_PKCS1_PADDING)) < 0) {
- ret = SSH_ERR_LIBCRYPTO_ERROR;
- goto done;
- }
- if (len < 0 || (size_t)len != hlen + oidlen) {
- ret = SSH_ERR_INVALID_FORMAT;
- goto done;
- }
- oidmatch = timingsafe_bcmp(decrypted, oid, oidlen) == 0;
- hashmatch = timingsafe_bcmp(decrypted + oidlen, hash, hlen) == 0;
- if (!oidmatch || !hashmatch) {
- ret = SSH_ERR_SIGNATURE_INVALID;
- goto done;
- }
- ret = 0;
+
+ ret = sshkey_verify_signature(pkey, hash_alg, data, datalen,
+ sigbuf, siglen);
+
done:
- freezero(decrypted, rsasize);
return ret;
}
#endif /* WITH_OPENSSL */
diff --git a/sshkey.c b/sshkey.c
index ad1957762..b95ed0b10 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -358,6 +358,83 @@ sshkey_type_plain(int type)
}
#ifdef WITH_OPENSSL
+int
+sshkey_calculate_signature(EVP_PKEY *pkey, int hash_alg, u_char **sigp,
+ int *lenp, const u_char *data, size_t datalen)
+{
+ EVP_MD_CTX *ctx = NULL;
+ u_char *sig = NULL;
+ int ret, slen, len;
+
+ if (sigp == NULL || lenp == NULL) {
+ return SSH_ERR_INVALID_ARGUMENT;
+ }
+
+ slen = EVP_PKEY_size(pkey);
+ if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM)
+ return SSH_ERR_INVALID_ARGUMENT;
+
+ len = slen;
+ if ((sig = malloc(slen)) == NULL) {
+ return SSH_ERR_ALLOC_FAIL;
+ }
+
+ if ((ctx = EVP_MD_CTX_new()) == NULL) {
+ ret = SSH_ERR_ALLOC_FAIL;
+ goto error;
+ }
+ if (EVP_SignInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 ||
+ EVP_SignUpdate(ctx, data, datalen) <= 0 ||
+ EVP_SignFinal(ctx, sig, &len, pkey) <= 0) {
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
+ goto error;
+ }
+
+ *sigp = sig;
+ *lenp = len;
+ /* Now owned by the caller */
+ sig = NULL;
+ ret = 0;
+
+error:
+ EVP_MD_CTX_free(ctx);
+ free(sig);
+ return ret;
+}
+
+int
+sshkey_verify_signature(EVP_PKEY *pkey, int hash_alg, const u_char *data,
+ size_t datalen, u_char *sigbuf, int siglen)
+{
+ EVP_MD_CTX *ctx = NULL;
+ int ret;
+
+ if ((ctx = EVP_MD_CTX_new()) == NULL) {
+ return SSH_ERR_ALLOC_FAIL;
+ }
+ if (EVP_VerifyInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 ||
+ EVP_VerifyUpdate(ctx, data, datalen) <= 0) {
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
+ goto done;
+ }
+ ret = EVP_VerifyFinal(ctx, sigbuf, siglen, pkey);
+ switch (ret) {
+ case 1:
+ ret = 0;
+ break;
+ case 0:
+ ret = SSH_ERR_SIGNATURE_INVALID;
+ break;
+ default:
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
+ break;
+ }
+
+done:
+ EVP_MD_CTX_free(ctx);
+ return ret;
+}
+
/* XXX: these are really begging for a table-driven approach */
int
sshkey_curve_name_to_nid(const char *name)
diff --git a/sshkey.h b/sshkey.h
index a91e60436..270901a87 100644
--- a/sshkey.h
+++ b/sshkey.h
@@ -179,6 +179,10 @@ const char *sshkey_ssh_name(const struct sshkey *);
const char *sshkey_ssh_name_plain(const struct sshkey *);
int sshkey_names_valid2(const char *, int);
char *sshkey_alg_list(int, int, int, char);
+int sshkey_calculate_signature(EVP_PKEY*, int, u_char **,
+ int *, const u_char *, size_t);
+int sshkey_verify_signature(EVP_PKEY *, int, const u_char *,
+ size_t, u_char *, int);
int sshkey_from_blob(const u_char *, size_t, struct sshkey **);
int sshkey_fromb(struct sshbuf *, struct sshkey **);

3148
openssh-8.0p1-pkcs11-uri.patch
View File

File diff suppressed because it is too large Load Diff

12
openssh-8.7p1-ibmca.patch Normal file
View File

@ -0,0 +1,12 @@
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.7p1-ibmca.patch
--- openssh-8.7p1/openbsd-compat/bsd-closefrom.c.orig 2022-04-12 15:47:03.815044607 +0200
+++ openssh-8.7p1/openbsd-compat/bsd-closefrom.c 2022-04-12 15:48:12.464963511 +0200
@@ -16,7 +16,7 @@
#include "includes.h"
-#if !defined(HAVE_CLOSEFROM) || defined(BROKEN_CLOSEFROM)
+#if !defined(HAVE_CLOSEFROM) || defined(BROKEN_CLOSEFROM) || (defined __s390__)
#include <sys/types.h>
#include <unistd.h>

24
openssh-8.7p1-minrsabits.patch Normal file
View File

@ -0,0 +1,24 @@
diff --git a/readconf.c b/readconf.c
index 7f26c680..42be690b 100644
--- a/readconf.c
+++ b/readconf.c
@@ -320,6 +320,7 @@ static struct {
{ "securitykeyprovider", oSecurityKeyProvider },
{ "knownhostscommand", oKnownHostsCommand },
{ "requiredrsasize", oRequiredRSASize },
+ { "rsaminsize", oRequiredRSASize }, /* alias */
{ "enableescapecommandline", oEnableEscapeCommandline },
{ NULL, oBadOption }
diff --git a/servconf.c b/servconf.c
index 29df0463..423772b1 100644
--- a/servconf.c
+++ b/servconf.c
@@ -676,6 +680,7 @@ static struct {
{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
{ "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },
+ { "rsaminsize", sRequiredRSASize, SSHCFG_ALL }, /* alias */
{ "channeltimeout", sChannelTimeout, SSHCFG_ALL },
{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
{ NULL, sBadOption, 0 }

117
openssh-8.7p1-negotiate-supported-algs.patch Normal file
View File

@ -0,0 +1,117 @@
diff -up openssh-9.3p1/regress/hostkey-agent.sh.xxx openssh-9.3p1/regress/hostkey-agent.sh
--- openssh-9.3p1/regress/hostkey-agent.sh.xxx 2023-05-29 18:15:56.311236887 +0200
+++ openssh-9.3p1/regress/hostkey-agent.sh 2023-05-29 18:16:07.598503551 +0200
@@ -17,8 +17,21 @@ trace "make CA key"
${SSHKEYGEN} -qt ed25519 -f $OBJ/agent-ca -N '' || fatal "ssh-keygen CA"
+PUBKEY_ACCEPTED_ALGOS=`$SSH -G "example.com" | \
+ grep -i "PubkeyAcceptedAlgorithms" | cut -d ' ' -f2- | tr "," "|"`
+SSH_ACCEPTED_KEYTYPES=`echo "$SSH_KEYTYPES" | egrep "$PUBKEY_ACCEPTED_ALGOS"`
+echo $PUBKEY_ACCEPTED_ALGOS | grep "rsa"
+r=$?
+if [ $r == 0 ]; then
+echo $SSH_ACCEPTED_KEYTYPES | grep "rsa"
+r=$?
+if [ $r -ne 0 ]; then
+SSH_ACCEPTED_KEYTYPES="$SSH_ACCEPTED_KEYTYPES ssh-rsa"
+fi
+fi
+
trace "load hostkeys"
-for k in $SSH_KEYTYPES ; do
+for k in $SSH_ACCEPTED_KEYTYPES ; do
${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k"
${SSHKEYGEN} -s $OBJ/agent-ca -qh -n localhost-with-alias \
-I localhost-with-alias $OBJ/agent-key.$k.pub || \
@@ -32,12 +48,16 @@ rm $OBJ/agent-ca # Don't need CA private
unset SSH_AUTH_SOCK
-for k in $SSH_KEYTYPES ; do
+for k in $SSH_ACCEPTED_KEYTYPES ; do
verbose "key type $k"
+ hka=$k
+ if [ $k = "ssh-rsa" ]; then
+ hka="rsa-sha2-512"
+ fi
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
- echo "HostKeyAlgorithms $k" >> $OBJ/sshd_proxy
+ echo "HostKeyAlgorithms $hka" >> $OBJ/sshd_proxy
echo "Hostkey $OBJ/agent-key.${k}" >> $OBJ/sshd_proxy
- opts="-oHostKeyAlgorithms=$k -F $OBJ/ssh_proxy"
+ opts="-oHostKeyAlgorithms=$hka -F $OBJ/ssh_proxy"
( printf 'localhost-with-alias,127.0.0.1,::1 ' ;
cat $OBJ/agent-key.$k.pub) > $OBJ/known_hosts
SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'`
@@ -50,15 +70,16 @@ for k in $SSH_KEYTYPES ; do
done
SSH_CERTTYPES=`ssh -Q key-sig | grep 'cert-v01@openssh.com'`
+SSH_ACCEPTED_CERTTYPES=`echo "$SSH_CERTTYPES" | egrep "$PUBKEY_ACCEPTED_ALGOS"`
# Prepare sshd_proxy for certificates.
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
HOSTKEYALGS=""
-for k in $SSH_CERTTYPES ; do
+for k in $SSH_ACCEPTED_CERTTYPES ; do
test -z "$HOSTKEYALGS" || HOSTKEYALGS="${HOSTKEYALGS},"
HOSTKEYALGS="${HOSTKEYALGS}${k}"
done
-for k in $SSH_KEYTYPES ; do
+for k in $SSH_ACCEPTED_KEYTYPES ; do
echo "Hostkey $OBJ/agent-key.${k}.pub" >> $OBJ/sshd_proxy
echo "HostCertificate $OBJ/agent-key.${k}-cert.pub" >> $OBJ/sshd_proxy
test -f $OBJ/agent-key.${k}.pub || fatal "no $k key"
@@ -70,7 +93,7 @@ echo "HostKeyAlgorithms $HOSTKEYALGS" >>
( printf '@cert-authority localhost-with-alias ' ;
cat $OBJ/agent-ca.pub) > $OBJ/known_hosts
-for k in $SSH_CERTTYPES ; do
+for k in $SSH_ACCEPTED_CERTTYPES ; do
verbose "cert type $k"
opts="-oHostKeyAlgorithms=$k -F $OBJ/ssh_proxy"
SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'`
diff -up openssh-9.3p1/sshconnect2.c.xxx openssh-9.3p1/sshconnect2.c
--- openssh-9.3p1/sshconnect2.c.xxx 2023-04-26 17:37:35.100827792 +0200
+++ openssh-9.3p1/sshconnect2.c 2023-04-26 17:50:31.860748877 +0200
@@ -221,7 +221,7 @@ ssh_kex2(struct ssh *ssh, char *host, st
const struct ssh_conn_info *cinfo)
{
char *myproposal[PROPOSAL_MAX];
- char *s, *all_key, *hkalgs = NULL;
+ char *s, *all_key, *hkalgs = NULL, *filtered_algs = NULL;
int r, use_known_hosts_order = 0;
#if defined(GSSAPI) && defined(WITH_OPENSSL)
@@ -260,9 +260,21 @@ ssh_kex2(struct ssh *ssh, char *host, st
if (use_known_hosts_order)
hkalgs = order_hostkeyalgs(host, hostaddr, port, cinfo);
+ filtered_algs = hkalgs ? match_filter_allowlist(hkalgs, options.pubkey_accepted_algos)
+ : match_filter_allowlist(options.hostkeyalgorithms,
+ options.pubkey_accepted_algos);
+ if (filtered_algs == NULL) {
+ if (hkalgs)
+ fatal_f("No match between algorithms for %s (host %s) and pubkey accepted algorithms %s",
+ hkalgs, host, options.pubkey_accepted_algos);
+ else
+ fatal_f("No match between host key algorithms %s and pubkey accepted algorithms %s",
+ options.hostkeyalgorithms, options.pubkey_accepted_algos);
+ }
+
kex_proposal_populate_entries(ssh, myproposal, s, options.ciphers,
options.macs, compression_alg_list(options.compression),
- hkalgs ? hkalgs : options.hostkeyalgorithms);
+ filtered_algs);
#if defined(GSSAPI) && defined(WITH_OPENSSL)
if (options.gss_keyex) {
@@ -303,6 +315,7 @@ ssh_kex2(struct ssh *ssh, char *host, st
#endif
free(hkalgs);
+ free(filtered_algs);
/* start key exchange */
if ((r = kex_setup(ssh, myproposal)) != 0)

181
openssh-8.7p1-recursive-scp.patch Normal file
View File

@ -0,0 +1,181 @@
diff -up openssh-8.7p1/scp.c.scp-sftpdirs openssh-8.7p1/scp.c
--- openssh-8.7p1/scp.c.scp-sftpdirs 2022-02-07 12:31:07.407740407 +0100
+++ openssh-8.7p1/scp.c 2022-02-07 12:31:07.409740424 +0100
@@ -1324,7 +1324,7 @@ source_sftp(int argc, char *src, char *t
if (src_is_dir && iamrecursive) {
if (upload_dir(conn, src, abs_dst, pflag,
- SFTP_PROGRESS_ONLY, 0, 0, 1, 1) != 0) {
+ SFTP_PROGRESS_ONLY, 0, 0, 1, 1, 1) != 0) {
error("failed to upload directory %s to %s", src, targ);
errs = 1;
}
diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c
--- openssh-8.7p1/sftp-client.c.scp-sftpdirs 2021-08-20 06:03:49.000000000 +0200
+++ openssh-8.7p1/sftp-client.c 2022-02-07 12:47:59.117516131 +0100
@@ -971,7 +971,7 @@ do_fsetstat(struct sftp_conn *conn, cons
/* Implements both the realpath and expand-path operations */
static char *
-do_realpath_expand(struct sftp_conn *conn, const char *path, int expand)
+do_realpath_expand(struct sftp_conn *conn, const char *path, int expand, int create_dir)
{
struct sshbuf *msg;
u_int expected_id, count, id;
@@ -1033,11 +1033,43 @@ do_realpath_expand(struct sftp_conn *con
if ((r = sshbuf_get_u32(msg, &status)) != 0 ||
(r = sshbuf_get_cstring(msg, &errmsg, NULL)) != 0)
fatal_fr(r, "parse status");
- error("%s %s: %s", expand ? "expand" : "realpath",
- path, *errmsg == '\0' ? fx2txt(status) : errmsg);
- free(errmsg);
- sshbuf_free(msg);
- return NULL;
+ if ((status == SSH2_FX_NO_SUCH_FILE) && create_dir) {
+ memset(&a, '\0', sizeof(a));
+ if ((r = do_mkdir(conn, path, &a, 0)) != 0) {
+ sshbuf_free(msg);
+ return NULL;
+ }
+ debug2("Sending SSH2_FXP_REALPATH \"%s\" - create dir", path);
+ send_string_request(conn, id, SSH2_FXP_REALPATH,
+ path, strlen(path));
+
+ get_msg(conn, msg);
+ if ((r = sshbuf_get_u8(msg, &type)) != 0 ||
+ (r = sshbuf_get_u32(msg, &id)) != 0)
+ fatal_fr(r, "parse");
+
+ if (id != expected_id)
+ fatal("ID mismatch (%u != %u)", id, expected_id);
+
+ if (type == SSH2_FXP_STATUS) {
+ free(errmsg);
+
+ if ((r = sshbuf_get_u32(msg, &status)) != 0 ||
+ (r = sshbuf_get_cstring(msg, &errmsg, NULL)) != 0)
+ fatal_fr(r, "parse status");
+ error("%s %s: %s", expand ? "expand" : "realpath",
+ path, *errmsg == '\0' ? fx2txt(status) : errmsg);
+ free(errmsg);
+ sshbuf_free(msg);
+ return NULL;
+ }
+ } else {
+ error("%s %s: %s", expand ? "expand" : "realpath",
+ path, *errmsg == '\0' ? fx2txt(status) : errmsg);
+ free(errmsg);
+ sshbuf_free(msg);
+ return NULL;
+ }
} else if (type != SSH2_FXP_NAME)
fatal("Expected SSH2_FXP_NAME(%u) packet, got %u",
SSH2_FXP_NAME, type);
@@ -1039,9 +1067,9 @@ do_realpath_expand(struct sftp_conn *con
}
char *
-do_realpath(struct sftp_conn *conn, const char *path)
+do_realpath(struct sftp_conn *conn, const char *path, int create_dir)
{
- return do_realpath_expand(conn, path, 0);
+ return do_realpath_expand(conn, path, 0, create_dir);
}
int
@@ -1055,9 +1083,9 @@ do_expand_path(struct sftp_conn *conn, c
{
if (!can_expand_path(conn)) {
debug3_f("no server support, fallback to realpath");
- return do_realpath_expand(conn, path, 0);
+ return do_realpath_expand(conn, path, 0, 0);
}
- return do_realpath_expand(conn, path, 1);
+ return do_realpath_expand(conn, path, 1, 0);
}
int
@@ -1807,7 +1835,7 @@ download_dir(struct sftp_conn *conn, con
char *src_canon;
int ret;
- if ((src_canon = do_realpath(conn, src)) == NULL) {
+ if ((src_canon = do_realpath(conn, src, 0)) == NULL) {
error("download \"%s\": path canonicalization failed", src);
return -1;
}
@@ -2115,12 +2143,12 @@ upload_dir_internal(struct sftp_conn *co
int
upload_dir(struct sftp_conn *conn, const char *src, const char *dst,
int preserve_flag, int print_flag, int resume, int fsync_flag,
- int follow_link_flag, int inplace_flag)
+ int follow_link_flag, int inplace_flag, int create_dir)
{
char *dst_canon;
int ret;
- if ((dst_canon = do_realpath(conn, dst)) == NULL) {
+ if ((dst_canon = do_realpath(conn, dst, create_dir)) == NULL) {
error("upload \"%s\": path canonicalization failed", dst);
return -1;
}
@@ -2557,7 +2585,7 @@ crossload_dir(struct sftp_conn *from, st
char *from_path_canon;
int ret;
- if ((from_path_canon = do_realpath(from, from_path)) == NULL) {
+ if ((from_path_canon = do_realpath(from, from_path, 0)) == NULL) {
error("crossload \"%s\": path canonicalization failed",
from_path);
return -1;
diff -up openssh-8.7p1/sftp-client.h.scp-sftpdirs openssh-8.7p1/sftp-client.h
--- openssh-8.7p1/sftp-client.h.scp-sftpdirs 2021-08-20 06:03:49.000000000 +0200
+++ openssh-8.7p1/sftp-client.h 2022-02-07 12:31:07.410740433 +0100
@@ -111,7 +111,7 @@ int do_fsetstat(struct sftp_conn *, cons
int do_lsetstat(struct sftp_conn *conn, const char *path, Attrib *a);
/* Canonicalise 'path' - caller must free result */
-char *do_realpath(struct sftp_conn *, const char *);
+char *do_realpath(struct sftp_conn *, const char *, int);
/* Canonicalisation with tilde expansion (requires server extension) */
char *do_expand_path(struct sftp_conn *, const char *);
@@ -159,7 +159,7 @@ int do_upload(struct sftp_conn *, const
* times if 'pflag' is set
*/
int upload_dir(struct sftp_conn *, const char *, const char *,
- int, int, int, int, int, int);
+ int, int, int, int, int, int, int);
/*
* Download a 'from_path' from the 'from' connection and upload it to
diff -up openssh-8.7p1/sftp.c.scp-sftpdirs openssh-8.7p1/sftp.c
--- openssh-8.7p1/sftp.c.scp-sftpdirs 2021-08-20 06:03:49.000000000 +0200
+++ openssh-8.7p1/sftp.c 2022-02-07 12:31:07.411740442 +0100
@@ -760,7 +760,7 @@ process_put(struct sftp_conn *conn, cons
if (globpath_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) {
if (upload_dir(conn, g.gl_pathv[i], abs_dst,
pflag || global_pflag, 1, resume,
- fflag || global_fflag, 0, 0) == -1)
+ fflag || global_fflag, 0, 0, 0) == -1)
err = -1;
} else {
if (do_upload(conn, g.gl_pathv[i], abs_dst,
@@ -1577,7 +1577,7 @@ parse_dispatch_command(struct sftp_conn
if (path1 == NULL || *path1 == '\0')
path1 = xstrdup(startdir);
path1 = make_absolute(path1, *pwd);
- if ((tmp = do_realpath(conn, path1)) == NULL) {
+ if ((tmp = do_realpath(conn, path1, 0)) == NULL) {
err = 1;
break;
}
@@ -2160,7 +2160,7 @@ interactive_loop(struct sftp_conn *conn,
}
#endif /* USE_LIBEDIT */
- remote_path = do_realpath(conn, ".");
+ remote_path = do_realpath(conn, ".", 0);
if (remote_path == NULL)
fatal("Need cwd");
startdir = xstrdup(remote_path);

4
openssh-8.7p1-scp-kill-switch.patch
View File

@ -13,8 +13,8 @@ diff -up openssh-8.7p1/scp.1.kill-scp openssh-8.7p1/scp.1
--- openssh-8.7p1/scp.1.kill-scp 2021-09-16 12:09:02.646714578 +0200
+++ openssh-8.7p1/scp.1 2021-09-16 12:26:49.978628226 +0200
@@ -278,6 +278,13 @@ to print debugging messages about their
This is helpful in
debugging connection, authentication, and configuration problems.
By default a 32KB buffer is used.
.El
.El
+.Pp
+Usage of SCP protocol can be blocked by creating a world-readable

53
openssh-8.7p1-ssh-manpage.patch Normal file
View File

@ -0,0 +1,53 @@
diff --color -ru a/ssh.1 b/ssh.1
--- a/ssh.1 2022-07-12 11:47:51.307295880 +0200
+++ b/ssh.1 2022-07-12 11:50:28.793363263 +0200
@@ -493,6 +493,7 @@
.It AddressFamily
.It BatchMode
.It BindAddress
+.It BindInterface
.It CanonicalDomains
.It CanonicalizeFallbackLocal
.It CanonicalizeHostname
@@ -510,6 +511,7 @@
.It ControlPath
.It ControlPersist
.It DynamicForward
+.It EnableSSHKeysign
.It EnableEscapeCommandline
.It EscapeChar
.It ExitOnForwardFailure
@@ -538,6 +540,8 @@
.It IdentitiesOnly
.It IdentityAgent
.It IdentityFile
+.It IgnoreUnknown
+.It Include
.It IPQoS
.It KbdInteractiveAuthentication
.It KbdInteractiveDevices
@@ -546,6 +550,7 @@
.It LocalCommand
.It LocalForward
.It LogLevel
+.It LogVerbose
.It MACs
.It Match
.It NoHostAuthenticationForLocalhost
@@ -566,6 +571,8 @@
.It RemoteCommand
.It RemoteForward
.It RequestTTY
+.It RevokedHostKeys
+.It SecurityKeyProvider
.It RequiredRSASize
.It SendEnv
.It ServerAliveInterval
@@ -575,6 +582,7 @@
.It StreamLocalBindMask
.It StreamLocalBindUnlink
.It StrictHostKeyChecking
+.It SyslogFacility
.It TCPKeepAlive
.It Tunnel
.It TunnelDevice

BIN
openssh-9.1p1.tar.gz
View File

Binary file not shown.

16
openssh-9.1p1.tar.gz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmM6+qUACgkQKj9BTnNg
YLqLSxAAi+hmachTcy9O2GNbCq4uPFlFqQ8hjZ697nhNvkIJtrtc2WSIg17ImN4E
3ucWQLEqbytwsj67J1UFC4NyOmGo2mfsZ3BEDsgkkd0Tp2YO7UhkrVzTD0l0Wl7/
qe0biPaYOLFptL+88wC3OdamNkWgHAtSYBizgHK4k2uEtLYsEXuC+0nnfqykL2vq
UEB3MZ7C00JYmBVHFfMjtmGmt+Z3ahv5LSzFsj//c6hwkhdJHtv/V4UlCIVrrMdG
XyTumREl+y5zuP5oGxsRU/LZNo7ncXYDUg2qE/FpR4o8giF9d1fm/aHuAmr+g03E
Ev3uUcrgA+Kq95bbv7ubtO2JxFnuzUmJkUy6SNIcE1o4naxGejxlEw7nvtvf7auV
BPqomw1yOWyQzbhXtD18OiSi1IJMXyDCei9HcsO+oM3aq8YQc9Bsed7UPhA36e6b
GjuAIOPtee+JqxDj3psN39G+y4YUcxSPqC4gKL8cKfImbP2DlSoHPmZ1fDf/pKPj
hWdNiA+a+KzsXR2fjBWMeUIkSvx2BYZC9NKFS/zN4X86jEdyOJtQJ4WQcIvekLIA
Z/yP6UrzM+2jYYqix4PBocP1utEakFDYfLPJu0G2pK9meU4dz6EzNUT7J3daF2h7
eaibQUZ0+wg+sI+MPys3INcqcKwv/5OVDl6wi7g2iNOdOII49VM=
=xfW+
-----END PGP SIGNATURE-----

1228
openssh-9.3p1-merged-openssl-evp.patch Normal file
View File

File diff suppressed because it is too large Load Diff

130
openssh-9.3p1-upstream-cve-2023-38408.patch Normal file
View File

@ -0,0 +1,130 @@
diff --git a/ssh-agent.c b/ssh-agent.c
index 618bb198..8ea831f4 100644
diff -up openssh-9.3p1/ssh-agent.c.cve openssh-9.3p1/ssh-agent.c
--- openssh-9.3p1/ssh-agent.c.cve 2023-07-21 15:38:13.237276580 +0200
+++ openssh-9.3p1/ssh-agent.c 2023-07-21 15:41:30.269943569 +0200
@@ -169,6 +169,12 @@ char socket_dir[PATH_MAX];
/* Pattern-list of allowed PKCS#11/Security key paths */
static char *allowed_providers;
+/*
+ * Allows PKCS11 providers or SK keys that use non-internal providers to
+ * be added over a remote connection (identified by session-bind@openssh.com).
+ */
+static int remote_add_provider;
+
/* locking */
#define LOCK_SIZE 32
#define LOCK_SALT_SIZE 16
@@ -1228,6 +1234,12 @@ process_add_identity(SocketEntry *e)
if (strcasecmp(sk_provider, "internal") == 0) {
debug_f("internal provider");
} else {
+ if (e->nsession_ids != 0 && !remote_add_provider) {
+ verbose("failed add of SK provider \"%.100s\": "
+ "remote addition of providers is disabled",
+ sk_provider);
+ goto out;
+ }
if (realpath(sk_provider, canonical_provider) == NULL) {
verbose("failed provider \"%.100s\": "
"realpath: %s", sk_provider,
@@ -1368,7 +1380,7 @@ no_identities(SocketEntry *e)
#ifdef ENABLE_PKCS11
static char *
-sanitize_pkcs11_provider(const char *provider)
+sanitize_pkcs11_provider(SocketEntry *e, const char *provider)
{
struct pkcs11_uri *uri = NULL;
char *sane_uri, *module_path = NULL; /* default path */
@@ -1399,6 +1411,11 @@ sanitize_pkcs11_provider(const char *pro
module_path = strdup(provider); /* simple path */
if (module_path != NULL) { /* do not validate default NULL path in URI */
+ if (e->nsession_ids != 0 && !remote_add_provider) {
+ verbose("failed PKCS#11 add of \"%.100s\": remote addition of "
+ "providers is disabled", provider);
+ return NULL;
+ }
if (realpath(module_path, canonical_provider) == NULL) {
verbose("failed PKCS#11 provider \"%.100s\": realpath: %s",
module_path, strerror(errno));
@@ -1455,7 +1472,7 @@ process_add_smartcard_key(SocketEntry *e
goto send;
}
- sane_uri = sanitize_pkcs11_provider(provider);
+ sane_uri = sanitize_pkcs11_provider(e, provider);
if (sane_uri == NULL)
goto send;
@@ -1516,7 +1533,7 @@ process_remove_smartcard_key(SocketEntry
}
free(pin);
- sane_uri = sanitize_pkcs11_provider(provider);
+ sane_uri = sanitize_pkcs11_provider(e, provider);
if (sane_uri == NULL)
goto send;
@@ -2108,7 +2125,9 @@ main(int ac, char **av)
break;
case 'O':
if (strcmp(optarg, "no-restrict-websafe") == 0)
- restrict_websafe = 0;
+ restrict_websafe = 0;
+ else if (strcmp(optarg, "allow-remote-pkcs11") == 0)
+ remote_add_provider = 1;
else
fatal("Unknown -O option");
break;
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index 6be647ec..ebddf6c3 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -1537,10 +1537,8 @@ pkcs11_register_provider(char *provider_id, char *pin,
error("dlopen %s failed: %s", provider_module, dlerror());
goto fail;
}
- if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
- error("dlsym(C_GetFunctionList) failed: %s", dlerror());
- goto fail;
- }
+ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
+ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
p->module->handle = handle;
/* setup the pkcs11 callbacks */
--- a/ssh-agent.1 2023-03-15 22:28:19.000000000 +0100
+++ b/ssh-agent.1 2023-07-19 21:39:17.981406432 +0200
@@ -107,9 +107,27 @@
.It Fl O Ar option
Specify an option when starting
.Nm .
-Currently only one option is supported:
+Currently two options are supported:
+.Cm allow-remote-pkcs11
+and
.Cm no-restrict-websafe .
-This instructs
+.Pp
+The
+.Cm allow-remote-pkcs11
+option allows clients of a forwarded
+.Nm
+to load PKCS#11 or FIDO provider libraries.
+By default only local clients may perform this operation.
+Note that signalling that a
+.Nm
+client remote is performed by
+.Xr ssh 1 ,
+and use of other tools to forward access to the agent socket may circumvent
+this restriction.
+.Pp
+The
+.Cm no-restrict-websafe ,
+instructs
.Nm
to permit signatures using FIDO keys that might be web authentication
requests.

BIN
openssh-9.3p1.tar.gz Normal file
View File

Binary file not shown.

16
openssh-9.3p1.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmQSOZYACgkQKj9BTnNg
YLrKJg//fSKjNlnb3l75ZwLoWhwpEZQp7poEq5qCCRNvu4dleuU1sMxNPl9/Ow1i
iZVW67OGNjIsJ7FJmHNF3UOgkH50c6OHivmDaTywDtyCLZvUVmaSfOe0own8s8KB
OV7czHqd9giHQlGWWTxg9eVAfOaqpzXugkzo7UoTVqEqJ3Ru/FQ4RGSIjTGzuM/0
EC+JkKyO+0pP3mr4XfZdxsbYc9WVEG9ZIlT153y9I5MfiWM1SC/0gg4NLz025Xaa
ment5c+BdhIwYjC2f5F/9s0J6+lFHiFBHLQVGx4qq/Tx3XGfP0xBcS1V9Mkhyjzf
ZXj6acQ+T50H8p3OWZyrWn11YNtGjzkwuQWrj8Ue4NPFGqgPbANeH32yOiIWpIh0
CtpGnRGQP1zF14hEAR5gKangTNCp/IVMBhIs4UL3zI6uS2yRLTGOWcgrnjJv26vg
jb2WmL0AeqYLZw41pbq+zmVizhhg8qk7KPQQsFxnalSFHz35tnHN8oQD5TCDxqtu
f/roTbZhW/nnlaMlEAnB09LO6e1nyDIcJ6hj0CK9cSgIn8pb1q9GdjYx5PNKwsoa
NuD+bqlzF5krjiOHJh+vDw0GKFusflL46Dmry5a4K0vLUGBn6uAUPtuwMdBsLofU
k3a4zBMlOCm6o3WqgAug4fSwCfYkJ9Dc+FaedGC1X4fys4lV/6k=
=deVJ
-----END PGP SIGNATURE-----

278
openssh.spec
View File

@ -6,10 +6,10 @@
%{?no_gtk2:%global gtk2 0}
%global sshd_uid 74
%global openssh_release 6
%global openssh_release 1
Name: openssh
Version: 9.1p1
Version: 9.3p1
Release: %{openssh_release}
URL: http://www.openssh.com/portable.html
License: BSD
@ -30,7 +30,8 @@ Source11: sshd-keygen
Source12: sshd.tmpfiles
Source13: sshd-keygen.target
Source14: ssh-agent.service
Source15: ssh-keygen-bash-completion.sh
Source15: ssh-agent.socket
Source16: ssh-keygen-bash-completion.sh
Patch0: openssh-6.7p1-coverity.patch
Patch1: openssh-7.6p1-audit.patch
Patch2: openssh-7.1p2-audit-race-condition.patch
@ -40,77 +41,63 @@ Patch5: pam_ssh_agent_auth-0.9.2-visibility.patch
Patch6: pam_ssh_agent_auth-0.9.3-agent_structure.patch
Patch7: pam_ssh_agent_auth-0.10.2-compat.patch
Patch8: pam_ssh_agent_auth-0.10.2-dereference.patch
Patch9: openssh-7.8p1-role-mls.patch
Patch10: openssh-6.6p1-privsep-selinux.patch
Patch12: openssh-6.6p1-keycat.patch
Patch13: openssh-6.6p1-allow-ip-opts.patch
Patch15: openssh-5.9p1-ipv6man.patch
Patch16: openssh-5.8p2-sigpipe.patch
Patch17: openssh-7.2p2-x11.patch
Patch19: openssh-5.1p1-askpass-progress.patch
Patch20: openssh-4.3p2-askpass-grab-info.patch
Patch21: openssh-7.7p1.patch
Patch22: openssh-7.8p1-UsePAM-warning.patch
Patch26: openssh-8.0p1-gssapi-keyex.patch
Patch27: openssh-6.6p1-force_krb.patch
Patch28: openssh-6.6p1-GSSAPIEnablek5users.patch
Patch29: openssh-7.7p1-gssapi-new-unique.patch
Patch30: openssh-7.2p2-k5login_directory.patch
Patch31: openssh-6.6p1-kuserok.patch
Patch32: openssh-6.4p1-fromto-remote.patch
Patch33: openssh-6.6.1p1-selinux-contexts.patch
Patch34: openssh-6.6.1p1-log-in-chroot.patch
Patch35: openssh-6.6.1p1-scp-non-existing-directory.patch
Patch36: openssh-6.8p1-sshdT-output.patch
Patch37: openssh-6.7p1-sftp-force-permission.patch
Patch38: openssh-7.2p2-s390-closefrom.patch
Patch39: openssh-7.3p1-x11-max-displays.patch
Patch40: openssh-7.4p1-systemd.patch
Patch41: openssh-7.6p1-cleanup-selinux.patch
Patch42: openssh-7.5p1-sandbox.patch
Patch43: openssh-8.0p1-pkcs11-uri.patch
Patch44: openssh-7.8p1-scp-ipv6.patch
Patch46: openssh-8.0p1-crypto-policies.patch
Patch47: openssh-8.0p1-openssl-evp.patch
Patch48: openssh-8.0p1-openssl-kdf.patch
Patch49: openssh-8.2p1-visibility.patch
Patch50: openssh-8.2p1-x11-without-ipv6.patch
Patch51: openssh-8.0p1-keygen-strip-doseol.patch
Patch52: openssh-8.0p1-preserve-pam-errors.patch
Patch53: openssh-8.7p1-scp-kill-switch.patch
Patch54: bugfix-sftp-when-parse_user_host_path-empty-path-should-be-allowed.patch
Patch56: bugfix-openssh-add-option-check-username-splash.patch
Patch57: feature-openssh-7.4-hima-sftpserver-oom-and-fix.patch
Patch58: bugfix-openssh-fix-sftpserver.patch
Patch59: set-sshd-config.patch
Patch60: feature-add-SMx-support.patch
Patch63: add-loongarch.patch
Patch65: openssh-Add-sw64-architecture.patch
Patch9: pam_ssh_agent_auth-0.10.4-rsasha2.patch
Patch10: pam_ssh_agent-configure-c99.patch
Patch11: openssh-7.8p1-role-mls.patch
Patch12: openssh-6.6p1-privsep-selinux.patch
Patch14: openssh-6.6p1-keycat.patch
Patch15: openssh-6.6p1-allow-ip-opts.patch
Patch17: openssh-5.9p1-ipv6man.patch
Patch18: openssh-5.8p2-sigpipe.patch
Patch19: openssh-7.2p2-x11.patch
Patch21: openssh-5.1p1-askpass-progress.patch
Patch22: openssh-4.3p2-askpass-grab-info.patch
Patch23: openssh-7.7p1.patch
Patch24: openssh-7.8p1-UsePAM-warning.patch
Patch28: openssh-8.0p1-gssapi-keyex.patch
Patch29: openssh-6.6p1-force_krb.patch
Patch30: openssh-6.6p1-GSSAPIEnablek5users.patch
Patch31: openssh-7.7p1-gssapi-new-unique.patch
Patch32: openssh-7.2p2-k5login_directory.patch
Patch33: openssh-6.6p1-kuserok.patch
Patch34: openssh-6.4p1-fromto-remote.patch
Patch35: openssh-6.6.1p1-selinux-contexts.patch
Patch36: openssh-6.6.1p1-log-in-chroot.patch
Patch37: openssh-6.6.1p1-scp-non-existing-directory.patch
Patch38: openssh-6.8p1-sshdT-output.patch
Patch39: openssh-6.7p1-sftp-force-permission.patch
Patch40: openssh-7.2p2-s390-closefrom.patch
Patch41: openssh-7.3p1-x11-max-displays.patch
Patch42: openssh-7.4p1-systemd.patch
Patch43: openssh-7.6p1-cleanup-selinux.patch
Patch44: openssh-7.5p1-sandbox.patch
Patch45: openssh-8.0p1-pkcs11-uri.patch
Patch46: openssh-7.8p1-scp-ipv6.patch
Patch48: openssh-8.0p1-crypto-policies.patch
Patch49: openssh-9.3p1-merged-openssl-evp.patch
Patch50: openssh-8.0p1-openssl-kdf.patch
Patch51: openssh-8.2p1-visibility.patch
Patch52: openssh-8.2p1-x11-without-ipv6.patch
Patch53: openssh-8.0p1-keygen-strip-doseol.patch
Patch54: openssh-8.0p1-preserve-pam-errors.patch
Patch55: openssh-8.7p1-scp-kill-switch.patch
Patch56: openssh-8.7p1-recursive-scp.patch
Patch57: openssh-8.7p1-minrsabits.patch
Patch58: openssh-8.7p1-ibmca.patch
Patch60: openssh-8.7p1-ssh-manpage.patch
Patch61: openssh-8.7p1-negotiate-supported-algs.patch
Patch65: openssh-9.3p1-upstream-cve-2023-38408.patch
Patch66: bugfix-sftp-when-parse_user_host_path-empty-path-should-be-allowed.patch
Patch67: bugfix-openssh-add-option-check-username-splash.patch
Patch68: feature-openssh-7.4-hima-sftpserver-oom-and-fix.patch
Patch69: bugfix-openssh-fix-sftpserver.patch
Patch70: set-sshd-config.patch
Patch71: feature-add-SMx-support.patch
Patch72: add-loongarch.patch
Patch73: openssh-Add-sw64-architecture.patch
Patch74: add-strict-scp-check-for-CVE-2020-15778.patch
Patch77: skip-scp-test-if-there-is-no-scp-on-remote-path-as-s.patch
Patch78: backport-upstream-CVE-2023-25136-fix-double-free-caused.patch
Patch79: set-ssh-config.patch
Patch80: backport-upstream-honour-user-s-umask-if-it-is-more-restricti.patch
Patch81: backport-upstream-use-correct-type-with-sizeof-ok-djm.patch
Patch82: backport-Defer-seed_rng-until-after-closefrom-call.patch
Patch83: backport-upstream-Handle-dynamic-remote-port-forwarding-in-es.patch
Patch84: backport-upstream-The-idiomatic-way-of-coping-with-signed-cha.patch
Patch85: backport-upstream-Clear-signal-mask-early-in-main-sshd-may-ha.patch
Patch86: backport-upstream-fix-bug-in-PermitRemoteOpen-which-caused-it.patch
Patch87: backport-upstream-regression-test-for-PermitRemoteOpen.patch
Patch88: backport-upstream-Copy-bytes-from-the_banana-rather-than-bana.patch
Patch89: backport-upstream-When-OpenSSL-is-not-available-skip-parts-of.patch
Patch90: backport-don-t-test-IPv6-addresses-if-platform-lacks-support.patch
Patch91: backport-upstream-avoid-printf-s-NULL-if-using-ssh.patch
Patch92: backport-upstream-Add-scp-s-path-to-test-sshd-s-PATH.patch
Patch93: backport-upstream-Instead-of-skipping-the-all-tokens-test-if-.patch
Patch94: backport-upstream-Shell-syntax-fix.-From-ren-mingshuai-vi-git.patch
Patch95: backport-Allow-writev-is-seccomp-sandbox.patch
Patch96: backport-upstream-Ensure-that-there-is-a-terminating-newline-.patch
Patch97: backport-upstream-when-restoring-non-blocking-mode-to-stdio-f.patch
Patch98: backport-upstream-test-compat_kex_proposal-by-dtucker.patch
Patch99: backport-adapt-compat_kex_proposal-test-to-portable.patch
Patch100: backport-upstream-Move-scp-path-setting-to-a-helper-function.patch
Patch75: skip-scp-test-if-there-is-no-scp-on-remote-path-as-s.patch
Patch77: set-ssh-config.patch
Requires: /sbin/nologin
Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8
@ -193,84 +180,71 @@ pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
%patch7 -p2 -b .psaa-compat
%patch6 -p2 -b .psaa-agent
%patch8 -p2 -b .psaa-deref
%patch9 -p2 -b .rsasha2
%patch10 -p1 -b .psaa-configure-c99
# Remove duplicate headers and library files
rm -f $(cat %{SOURCE4})
popd
%patch9 -p1 -b .role-mls
%patch10 -p1 -b .privsep-selinux
%patch12 -p1 -b .keycat
%patch13 -p1 -b .ip-opts
%patch15 -p1 -b .ipv6man
%patch16 -p1 -b .sigpipe
%patch17 -p1 -b .x11
%patch19 -p1 -b .progress
%patch20 -p1 -b .grab-info
%patch21 -p1
%patch22 -p1 -b .log-usepam-no
%patch26 -p1 -b .gsskex
%patch27 -p1 -b .force_krb
%patch29 -p1 -b .ccache_name
%patch30 -p1 -b .k5login
%patch31 -p1 -b .kuserok
%patch32 -p1 -b .fromto-remote
%patch33 -p1 -b .contexts
%patch34 -p1 -b .log-in-chroot
%patch35 -p1 -b .scp
%patch28 -p1 -b .GSSAPIEnablek5users
%patch36 -p1 -b .sshdt
%patch37 -p1 -b .sftp-force-mode
%patch38 -p1 -b .s390-dev
%patch39 -p1 -b .x11max
%patch40 -p1 -b .systemd
%patch41 -p1 -b .refactor
%patch42 -p1 -b .sandbox
%patch43 -p1 -b .pkcs11-uri
%patch44 -p1 -b .scp-ipv6
%patch46 -p1 -b .crypto-policies
%patch47 -p1 -b .openssl-evp
%patch48 -p1 -b .openssl-kdf
%patch49 -p1 -b .visibility
%patch50 -p1 -b .x11-ipv6
%patch51 -p1 -b .keygen-strip-doseol
%patch52 -p1 -b .preserve-pam-errors
%patch53 -p1 -b .kill-scp
%patch11 -p1 -b .role-mls
%patch12 -p1 -b .privsep-selinux
%patch14 -p1 -b .keycat
%patch15 -p1 -b .ip-opts
%patch17 -p1 -b .ipv6man
%patch18 -p1 -b .sigpipe
%patch19 -p1 -b .x11
%patch21 -p1 -b .progress
%patch22 -p1 -b .grab-info
%patch23 -p1
%patch24 -p1 -b .log-usepam-no
%patch28 -p1 -b .gsskex
%patch29 -p1 -b .force_krb
%patch31 -p1 -b .ccache_name
%patch32 -p1 -b .k5login
%patch33 -p1 -b .kuserok
%patch34 -p1 -b .fromto-remote
%patch35 -p1 -b .contexts
%patch36 -p1 -b .log-in-chroot
%patch37 -p1 -b .scp
%patch30 -p1 -b .GSSAPIEnablek5users
%patch38 -p1 -b .sshdt
%patch39 -p1 -b .sftp-force-mode
%patch40 -p1 -b .s390-dev
%patch41 -p1 -b .x11max
%patch42 -p1 -b .systemd
%patch43 -p1 -b .refactor
%patch44 -p1 -b .sandbox
%patch45 -p1 -b .pkcs11-uri
%patch46 -p1 -b .scp-ipv6
%patch48 -p1 -b .crypto-policies
%patch49 -p1 -b .openssl-evp
%patch50 -p1 -b .openssl-kdf
%patch51 -p1 -b .visibility
%patch52 -p1 -b .x11-ipv6
%patch53 -p1 -b .keygen-strip-doseol
%patch54 -p1 -b .preserve-pam-errors
%patch55 -p1 -b .kill-scp
%patch56 -p1 -b .scp-sftpdirs
%patch57 -p1 -b .minrsabits
%patch58 -p1 -b .ibmca
%patch60 -p1 -b .ssh-manpage
%patch61 -p1 -b .negotiate-supported-algs
%patch65 -p1 -b .cve-2023-38408
%patch1 -p1 -b .audit
%patch2 -p1 -b .audit-race
%patch0 -p1 -b .coverity
%patch54 -p1
%patch56 -p1
%patch57 -p1
%patch58 -p1
%patch59 -p1
%patch60 -p1
%patch63 -p1
%patch65 -p1
%patch66 -p1
%patch67 -p1
%patch68 -p1
%patch69 -p1
%patch70 -p1
%patch71 -p1
%patch72 -p1
%patch73 -p1
%patch74 -p1
%patch75 -p1
%patch77 -p1
%patch78 -p1
%patch79 -p1
%patch80 -p1
%patch81 -p1
%patch82 -p1
%patch83 -p1
%patch84 -p1
%patch85 -p1
%patch86 -p1
%patch87 -p1
%patch88 -p1
%patch89 -p1
%patch90 -p1
%patch91 -p1
%patch92 -p1
%patch93 -p1
%patch94 -p1
%patch95 -p1
%patch96 -p1
%patch97 -p1
%patch98 -p1
%patch99 -p1
%patch100 -p1
autoreconf
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
@ -367,12 +341,13 @@ install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service
install -m644 %{SOURCE13} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target
install -d -m755 $RPM_BUILD_ROOT/%{_userunitdir}
install -m644 %{SOURCE14} $RPM_BUILD_ROOT/%{_userunitdir}/ssh-agent.service
install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_userunitdir}/ssh-agent.socket
install -m744 %{SOURCE11} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
install -m644 -D %{SOURCE12} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
install -m644 %{SOURCE15} $RPM_BUILD_ROOT/etc/bash_completion.d/ssh-keygen-bash-completion.sh
install -m644 %{SOURCE16} $RPM_BUILD_ROOT/etc/bash_completion.d/ssh-keygen-bash-completion.sh
ln -s gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
@ -403,6 +378,14 @@ getent passwd sshd >/dev/null || \
%postun server
%systemd_postun_with_restart sshd.service
%post clients
%systemd_user_post ssh-agent.service
%systemd_user_post ssh-agent.target
%preun clients
%systemd_user_preun ssh-agent.service
%systemd_user_preun ssh-agent.target
%files
%license LICENCE
%doc CREDITS README.platform
@ -424,7 +407,8 @@ getent passwd sshd >/dev/null || \
%attr(0755,root,root) %{_bindir}/ssh-copy-id
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-sk-helper
%attr(0755,root,root) %{_userunitdir}/ssh-agent.service
%attr(0644,root,root) %{_userunitdir}/ssh-agent.service
%attr(0644,root,root) %{_userunitdir}/ssh-agent.socket
%files server
%dir %attr(0711,root,root) %{_var}/empty/sshd
@ -467,6 +451,12 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%changelog
* Thu Jul 27 2023 renmingshuai<renmingshuai@huawei.com> - 9.3p1-1
- Type:requirement
- CVE:NA
- SUG:NA
- DESC:update to 9.3p1
* Tue Jun 13 2023 renmingshuai<renmingshuai@huawei.com> - 9.1p1-6
- Type:bugfix
- CVE:NA

249
pam_ssh_agent-configure-c99.patch Normal file
View File

@ -0,0 +1,249 @@
configure.ac: Improve C99 compatibility
Future compilers will not support implicit declarations and implicit
ints by default. This means that configure probes which rely on them
will fail unconditionally, without actually testing anything.
The changes mostly mirror what has been implemented in the openssh
repository, but had to be adapted somewhat because of drift between
the two versions of configure.ac.
Sam James has submitted similar fixes upstream:
<https://github.com/jbeverly/pam_ssh_agent_auth/pull/41>
diff --git a/configure.ac b/configure.ac
index 6496679..d927b62 100644
--- a/configure.ac
+++ b/configure.ac
@@ -500,10 +500,10 @@ int main(void) { exit(0); }
AC_DEFINE(HAVE_BUNDLE, 1, [Define if your system uses bundles instead of ELF shared objects])
AC_MSG_CHECKING(if we have working getaddrinfo)
AC_TRY_RUN([#include <mach-o/dyld.h>
-main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
- exit(0);
+int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+ return 0;
else
- exit(1);
+ return 1;
}], [AC_MSG_RESULT(working)],
[AC_MSG_RESULT(buggy)
AC_DEFINE(BROKEN_GETADDRINFO, 1, [getaddrinfo is broken (if present)])],
@@ -917,8 +917,8 @@ AC_SUBST(LDFLAGS_SHARED)
AC_MSG_CHECKING(compiler and flags for sanity)
AC_RUN_IFELSE(
[AC_LANG_SOURCE([
-#include <stdio.h>
-int main(){exit(0);}
+#include <stdlib.h>
+int main(void){exit(0);}
])],
[ AC_MSG_RESULT(yes) ],
[
@@ -951,9 +951,9 @@ int main(int argc, char **argv) {
strncpy(buf,"/etc", 32);
s = dirname(buf);
if (!s || strncmp(s, "/", 32) != 0) {
- exit(1);
+ return 1;
} else {
- exit(0);
+ return 0;
}
}
]])],
@@ -1102,7 +1102,7 @@ AC_RUN_IFELSE(
[AC_LANG_SOURCE([[
#include <sys/types.h>
#include <dirent.h>
-int main(void){struct dirent d;exit(sizeof(d.d_name)<=sizeof(char));}
+int main(void){struct dirent d;return sizeof(d.d_name)<=sizeof(char);}
]])],
[AC_MSG_RESULT(yes)],
[
@@ -1327,8 +1327,10 @@ AC_CHECK_FUNCS(setresuid, [
AC_MSG_CHECKING(if setresuid seems to work)
AC_RUN_IFELSE(
[AC_LANG_SOURCE([[
+#define _GNU_SOURCE
#include <stdlib.h>
#include <errno.h>
+#include <unistd.h>
int main(){errno=0; setresuid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);}
]])],
[AC_MSG_RESULT(yes)],
@@ -1344,8 +1346,10 @@ AC_CHECK_FUNCS(setresgid, [
AC_MSG_CHECKING(if setresgid seems to work)
AC_RUN_IFELSE(
[AC_LANG_SOURCE([[
+#define _GNU_SOURCE
#include <stdlib.h>
#include <errno.h>
+#include <unistd.h>
int main(){errno=0; setresgid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);}
]])],
[AC_MSG_RESULT(yes)],
@@ -1384,7 +1388,7 @@ if test "x$ac_cv_func_snprintf" = "xyes" ; then
AC_RUN_IFELSE(
[AC_LANG_SOURCE([[
#include <stdio.h>
-int main(void){char b[5];snprintf(b,5,"123456789");exit(b[4]!='\0');}
+int main(void){char b[5];snprintf(b,5,"123456789");return b[4]!='\0';}
]])],
[AC_MSG_RESULT(yes)],
[
@@ -1418,7 +1422,7 @@ int x_snprintf(char *str,size_t count,const char *fmt,...)
int main(void)
{
char x[1];
- exit(x_snprintf(x, 1, "%s %d", "hello", 12345) == 11 ? 0 : 1);
+ return x_snprintf(x, 1, "%s %d", "hello", 12345) == 11 ? 0 : 1;
} ]])],
[AC_MSG_RESULT(yes)],
[
@@ -1467,7 +1471,8 @@ AC_MSG_CHECKING([for (overly) strict mkstemp])
AC_RUN_IFELSE(
[AC_LANG_SOURCE([[
#include <stdlib.h>
-main() { char template[]="conftest.mkstemp-test";
+#include <unistd.h>
+int main(void) { char template[]="conftest.mkstemp-test";
if (mkstemp(template) == -1)
exit(1);
unlink(template); exit(0);
@@ -1492,10 +1497,14 @@ if test ! -z "$check_for_openpty_ctty_bug"; then
AC_MSG_CHECKING(if openpty correctly handles controlling tty)
AC_RUN_IFELSE(
[AC_LANG_SOURCE([[
+#include <stdlib.h>
#include <stdio.h>
#include <sys/fcntl.h>
#include <sys/types.h>
#include <sys/wait.h>
+#ifdef HAVE_PTY_H
+#include <pty.h>
+#endif
int
main()
@@ -1543,6 +1552,7 @@ if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
AC_RUN_IFELSE(
[AC_LANG_SOURCE([[
#include <stdio.h>
+#include <stdlib.h>
#include <sys/socket.h>
#include <netdb.h>
#include <errno.h>
@@ -1748,6 +1758,7 @@ AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL, 1,
AC_MSG_CHECKING([OpenSSL header version])
AC_RUN_IFELSE(
[AC_LANG_SOURCE([[
+#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <openssl/opensslv.h>
@@ -1794,12 +1805,12 @@ int main(void) {
fd = fopen(DATA,"w");
if(fd == NULL)
- exit(1);
+ return 1;
if ((rc = fprintf(fd ,"%x (%s)\n", SSLeay(), SSLeay_version(SSLEAY_VERSION))) <0)
- exit(1);
+ return 1;
- exit(0);
+ return 0;
}
]])],
[
@@ -1829,7 +1840,7 @@ AC_RUN_IFELSE(
[AC_LANG_SOURCE([[
#include <string.h>
#include <openssl/opensslv.h>
-int main(void) { exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); }
+int main(void) { return SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1; }
]])],
[
AC_MSG_RESULT(yes)
@@ -2598,7 +2609,7 @@ dnl test snprintf (broken on SCO w/gcc)
#include <stdio.h>
#include <string.h>
#ifdef HAVE_SNPRINTF
-main()
+int main(void)
{
char buf[50];
char expected_out[50];
@@ -2611,11 +2622,11 @@ main()
strcpy(expected_out, "9223372036854775807");
snprintf(buf, mazsize, "%lld", num);
if(strcmp(buf, expected_out) != 0)
- exit(1);
- exit(0);
+ return 1;
+ return 0;
}
#else
-main() { exit(0); }
+int main(void) { return 0; }
#endif
]])], [ true ], [ AC_DEFINE(BROKEN_SNPRINTF) ],
AC_MSG_WARN([cross compiling: Assuming working snprintf()])
@@ -2746,11 +2757,11 @@ AC_CACHE_CHECK([for msg_accrights field in struct msghdr],
int main() {
#ifdef msg_accrights
#error "msg_accrights is a macro"
-exit(1);
+return 1;
#endif
struct msghdr m;
m.msg_accrights = 0;
-exit(0);
+return 0;
}
])],
[ ac_cv_have_accrights_in_msghdr="yes" ],
@@ -2773,11 +2784,11 @@ AC_CACHE_CHECK([for msg_control field in struct msghdr],
int main() {
#ifdef msg_control
#error "msg_control is a macro"
-exit(1);
+return 1;
#endif
struct msghdr m;
m.msg_control = 0;
-exit(0);
+return 0;
}
])],
[ ac_cv_have_control_in_msghdr="yes" ],
@@ -2791,7 +2802,7 @@ if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then
fi
AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [
- AC_TRY_LINK([],
+ AC_TRY_LINK([#include <stdio.h>],
[ extern char *__progname; printf("%s", __progname); ],
[ ac_cv_libc_defines___progname="yes" ],
[ ac_cv_libc_defines___progname="no" ]
@@ -2871,7 +2882,7 @@ if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then
fi
AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [
- AC_TRY_LINK([],
+ AC_TRY_LINK([#include <stdio.h>],
[ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);],
[ ac_cv_libc_defines_sys_errlist="yes" ],
[ ac_cv_libc_defines_sys_errlist="no" ]
@@ -2884,7 +2895,7 @@ fi
AC_CACHE_CHECK([if libc defines sys_nerr], ac_cv_libc_defines_sys_nerr, [
- AC_TRY_LINK([],
+ AC_TRY_LINK([#include <stdio.h>],
[ extern int sys_nerr; printf("%i", sys_nerr);],
[ ac_cv_libc_defines_sys_nerr="yes" ],
[ ac_cv_libc_defines_sys_nerr="no" ]

19
pam_ssh_agent_auth-0.10.4-rsasha2.patch Normal file
View File

@ -0,0 +1,19 @@
diff -up openssh-8.7p1/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c.rsasha2 openssh-8.7p1/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c
--- openssh-8.7p1/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c.rsasha2 2022-07-15 15:08:12.865585410 +0200
+++ openssh-8.7p1/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c 2022-07-15 15:16:25.164282372 +0200
@@ -87,8 +87,13 @@ userauth_pubkey_from_id(const char *ruse
(r = sshbuf_put_string(b, pkblob, blen)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
- if (ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, sshbuf_ptr(b), sshbuf_len(b), NULL, 0) != 0)
- goto user_auth_clean_exit;
+ if (sshkey_type_plain(id->key->type) == KEY_RSA
+ && ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, sshbuf_ptr(b), sshbuf_len(b), "rsa-sha2-256", 0) == 0) {
+ /* Do nothing */
+ } else {
+ if (ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, sshbuf_ptr(b), sshbuf_len(b), NULL, 0) != 0)
+ goto user_auth_clean_exit;
+ }
/* test for correct signature */
if (sshkey_verify(id->key, sig, slen, sshbuf_ptr(b), sshbuf_len(b), NULL, 0, NULL) == 0)

5
ssh-agent.service
View File

@ -5,10 +5,15 @@
ConditionEnvironment=!SSH_AGENT_PID
Description=OpenSSH key agent
Documentation=man:ssh-agent(1) man:ssh-add(1) man:ssh(1)
Requires=ssh-agent.socket
[Service]
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
ExecStartPre=/usr/bin/rm -f $SSH_AUTH_SOCK
ExecStart=/usr/bin/ssh-agent -a $SSH_AUTH_SOCK
PassEnvironment=SSH_AGENT_PID
SuccessExitStatus=2
Type=forking
[Install]
Also=ssh-agent.socket

14
ssh-agent.socket Normal file
View File

@ -0,0 +1,14 @@
[Unit]
Description=OpenSSH key agent
Documentation=man:ssh-agent(1) man:ssh-add(1) man:ssh(1)
[Socket]
ListenStream=%t/ssh-agent.socket
Service=ssh-agent.service
Priority=6
Backlog=5
SocketMode=0600
DirectoryMode=0700
[Install]
WantedBy=sockets.target